
Slow but Steady Improvement in Security Analytics Usage: Results of the SANS 2015 Analytics and Intelligence Survey

Reduced Average Time to Detection; Still Can't Understand and Baseline "Normal" Behavior; Lack People, Skills and Dedicated Resources

Bethesda, MD

Organizations are making slow but steady progress toward gathering more data, using threat intelligence sources and implementing analytics platforms, according to results of a new survey to be released by SANS Institute on November 11, 2015. Organizations are also more realistic about their levels of automation and their lack of visibility into breaches.

"It's apparent that security analytics is providing real value in security organizations today," says Dave Shackleford, SANS Analyst and author of the survey report. "Overall, detection and response times are improving, and many teams feel like they are building more effective security event management and intelligence programs with analytics capabilities."

In 2014, for those organizations that experienced breaches, 50% indicated the average time to detection for an impacted system was one week or less. This year, 67% were able to make that target.

Although 83% also believe that they have improved visibility into events and breaches, 26% still can't identify what "normal" behavior looks like, though this is 10 percentage points better than in 2014. Respondents point not only to a lack of automation and integration but also to a lack of analytics skills as the big impediments holding them back from realizing the full potential of their analytics and intelligence programs.

Shackleford adds, "The biggest challenge security teams face when implementing security analytics tools continues to be finding the skill sets and personnel to implement, manage and tune these systems."

In the survey, 59% of respondents said that lack of skills and dedicated resources were key impediments to discovering and following up on incidents and breaches. Lack of centralized reporting and remediation controls represented the second toughest impediment, selected by 35% of respondents.

Full results will be shared during a two-part webcast series on Wednesday and Thursday, November 11 and 12, 2015, at 1 PM EDT.

The first webcast, on Wednesday, November 11, will focus on the current level of maturity organizations have in their analytics systems and how much their capabilities have grown since 2014.

The second webcast, on Thursday, November 12, will discuss how analytics needs to mature and what improvements survey respondents plan to make in the future.

The webcast series is sponsored by AlienVault, DomainTools, LogRhythm, LookingGlass Cyber Solutions, SAS, and ThreatStream, and hosted by SANS. Register to attend both webcasts at www.sans.org/u/9Br and www.sans.org/u/9Bw.

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and analytics and intelligence expert, Dave Shackleford.

Tweet This

3rd Annual SANS #SecurityAnalytics & Intel Survey Results in 2 Parts: 11/11, www.sans.org/u/9At; 11/12, www.sans.org/u/9Ay #infosec

Survey Results: So much #SecurityAnalytics & Intel Info, we need 2 Parts: 11/11, www.sans.org/u/9At, 11/12, www.sans.org/u/9Ay

NOV 11: #SecurityAnalytics Maturation Curve: SANS Security Analytics & Intel Survey Results PT 1, www.sans.org/u/9At #infosec

NOV 12: Moving up the #Analytics Maturation Curve: SANS Security Analytics & Intel Survey Results PT 2, www.sans.org/u/9Ay #infosec

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions worldwide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner's qualifications via over 30 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community, including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (https://www.sans.org)