The State of Security Observability Report: 2023 Key Findings

We’ve been surveying the Observability field for years at Observe via our State of Observability Report, but this year is our first survey to focus on Security Observability. We talked to 500 security professionals to understand their current approach to security and how it’s intersecting with observability. Our survey filtered participants by titles that indicate security specialist roles, such as CISO, Incident Response Manager, Information Security Analyst, or Director of Cyber Security. 

We have a number of customers using our platform for security functionality, and we’re excited to be building better tools for improving your security visibility. You can download the full report here for more data and analysis, but below are some highlights from the inaugural State of Security Observability Report.

What and why is Security Observability?

You’ve heard of security and observability, but maybe not security observability. Security observability is a technique of using logs, metrics, and traces to infer risk, monitor threats, and alert on breaches. It is a critical technique for security professionals to embrace. Organizations have been using log data to identify known and unknown attacks since the beginning of the Internet, but each generational shift in volume and velocity has broken the old tools. Even if the thing still works, nobody outside of the biggest governments and banks can afford it, so the increased volume of data needs a new tool. Security observability starts as a way to bring your SecOps forward to a world with an architecture that separates storage from compute. Cheap backend, low-friction ingest for any type of data, pay-as-you-go searching, those are the baselines of modern observability, and security teams need them too.

Many organizations have relied upon costly SIEMs, however smaller organizations without dedicated professionals and dedicated tools need a better solution than SIEM. Because security operations aren’t performed by separate teams in those organizations, security data and tooling cannot be in a separate system from operations data. Instead, security issues should be treated as operational issues, as risks of system failure. Organizations of all sizes can use their observability platforms to help support security needs. That’s why we wanted to survey organizations to understand how they’re approaching their security needs now, what the challenges are, and how observability can help.

Today, SIEM is the weapon of choice

Currently, 95% of respondents are using SIEM, with strong adoption of many of the features that analysts roll up under that market definition. SIEM as a service isn’t quite up to half way against self-hosted or even home-grown, but it’s still making a very strong showing. Cloud SIEM allows customers to outsource the significant challenges of scaling and protecting the security analysis platform, and that’s clearly a very attractive proposition. 

Use of Security Observability, which for most of the industry means “SIEM”, is clearly helping customers improve the quality of their security posture. That said, almost all customers intend to change their mix of security products this year, and nearly half of those customers intend to replace their SIEM product this year.

Cloud SIEMs are winning the normalization war…

Over half of the data that goes into Security Observability systems needs to be transformed before it can be used, a process known as normalization. But normalized to what? The security marketplace has been trying to answer that at least since the Distributed Management Task Force was started in 1992. In the SIEM specific world, every major vendor has their own offering, a field of more than a dozen abstraction standards. Nearly 50% of our survey respondents are using Microsoft’s ASIM for this purpose; second place goes to Amazon’s OCSF and third place is IBM’s QRadar. Coupled with the result that cloud native SIEMs are a popular option in today’s market, this seems to indicate a lot of data manipulation to the standards of cloud SIEM vendors.

That said, the percentage of security data transformed to a schema is only half, almost a perfectly normal distribution. The rest isn’t transformed. Perhaps it’s already shaped for schema, but user interviews indicate that many threat hunting customers prefer to work with raw. This could be read as a statement of how useful the out-of-the-box content in a SIEM really is; since that content is always based on the built-in abstraction standard, it’s not going to work well with half of the data that’s presented.

Agents are still necessary in the Cloud

Even though our entire respondent base is over halfway to cloud native, it would seem that the cloud infrastructure doesn’t provide sufficient operations or security observability on its own and agents must be used. This includes use of host agents (by 57% and 51% of organizations for observability and security respectively), container agents (42% and 44%), and sidecar agents (29% and 28%) are used equally and heavily across operations and security.

Security and operations are already colliding 

Another ray of good news within this market survey: consolidation of security and operations data. Call it an Observability Data Lake or call it something else, but respondents give strong signal that unifying this data is job one and reducing its cost is job two. 

84% of respondents indicate their organization combines security and data operations into a single analytics tool. This is significantly less common amongst older organizations, where 19% of organizations that have been in business over 10 years do not have this consolidated. A full 42% report this consolidation is complete, while another 40% are planning continued or new investment in the next quarter. That said, it does not appear this budget is always new: Four-in-ten plan to lower security infrastructure spend through tool or vendor reduction, and nearly half plan to lower security headcount spend.

Interestingly, those with hundreds / thousands of incidents per month are more likely to plan this reduction (56%), as well as those that allocate over half of their IT budget to security (51%). Organizations most likely to cut headcount include those with hundreds/dozens of incidents per month (62%), those with engineering teams of over 100 (61%), those with over half of their IT budget to security (60%), those using over 6 tools to investigate an incident (58%), and those with revenues of over $100.1M (57%). That seems to indicate there is a ceiling of maximum security return on investment being reached, or perhaps maximum noise to signal ratio being endured.

Integrating security products is a people problem

Organizations are having to use multiple layered teams and tools to resolve incidents. More than half of respondents say 51-100% of their incidents require escalation beyond the first responder. Few incidents are resolved without going through at least two teams of people, 80% of organizations have two or more tiers of responders. While automation has been a security goal for a very long time, the current reality remains heavily people-powered. The challenge this poses is made more acute by the fact that organizations have to use multiple tools to solve incidents, 85% say they are using two or more tools to investigate. Given the number of incidents organizations are combating and the time they have to respond to them they can ill afford to spend time context switching between tools. 

 

---

Is your organization interested in one tool to support operations and security use cases? Sign up for the free trial of Observe today to see what The Observability Cloud can do for you.