Slow but Steady Improvement in Security Analytics Usage: Results of the SANS 2015 Analytics and Intelligence Survey

Bethesda, Md. – Organizations are making slow but steady progress toward gathering more data, using threat intelligence sources and implementing analytics platforms, according to results of a new survey to be released by SANS Institute on November 11, 2015. Organizations are also more realistic about their levels of automation and their lack of visibility into breaches.

"It's apparent that security analytics is providing real value in security organizations today," says Dave Shackleford, SANS Analyst and author of the survey report. "Overall, detection and response times are improving, and many teams feel like they are building more effective security event management and intelligence programs with analytics capabilities."

In 2014, for those organizations that experienced breaches, 50% indicated the average time to detection for an impacted system was one week or less. This year, 67% were able to make that target.

Although 83% also believe that they have improved visibility into events and breaches, 26% still can't identify what "normal" behavior looks like, although this has improved by 10% of respondents from 2014. Respondents point not only to a lack of automation and integration, but also to a lack of analytics skills as big impediments holding them back from realizing the full potential of their analytics and intelligence programs.

Shackleford adds, "The biggest challenge security teams face when implementing security analytics tools continues to be finding the skill sets and personnel to implement, manage and tune these systems."

In the survey, 59% of respondents said that lack of skills and dedicated resources were key impediments to discovering and following up on incidents and breaches. Lack of centralized reporting and remediation controls represented the second toughest impediment, selected by 35% of respondents.

Full results will be shared during a two-part webcast series on Wednesday and Thursday, November 11 and 12, 2015, at 1 PM EDT.

The first webcast, on Wednesday, November 11, will focus on the current level of maturity organizations have in their analytics systems and how much their capabilities have grown since 2014.

The second webcast, on Thursday, November 12, will discuss how analytics needs to mature and what improvements survey respondents plan to make in the future.

The webcast series is sponsored by AlienVault, DomainTools, LogRhythm, LookingGlass Cyber Solutions, SAS, and ThreatStream, and hosted by SANS. Register to attend both webcasts at: and

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and analytics and intelligence expert, Dave Shackleford.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community.