We have been noting significant corporate dissatisfaction about the state of security operations (SecOps) lately. For as much money as enterprises spend on security products, security operation teams still cannot detect breaches, are falling prey to both new and recycled attacks, and are staggering under the labor demands of compliance and simply running the security infrastructure. It is astounding that J.P. Morgan Chase expected to spend $500m on cybersecurity in 2016, according to The Wall Street Journal. That makes the financial institution one of the world's largest security companies, and we have also seen high security expense estimates for Bank of America, Citibank and Wells Fargo.

Security operations are failing. Security information and event management (SIEM) processes are overwhelmed with noisy high-maintenance products that make it challenging to find cybercriminals sneaking through the network. The failure of promising user behavior analytics (UBA) to gain market traction may disrupt SecOps requirements for both SIEM and UBA.

The 451 Take

SecOps needs SIEM to manage the security plant and needs UBA to detect security incidents in a timely fashion. Neither category is going away anytime soon. However, the monolithic nature of SIEM inhibits innovation, and organizational gaps between security and IT inhibit gaining the integrated views of the business necessary to detect attacks. We are observing high levels of enterprise dissatisfaction about the returns from SIEM and UBA systems. SecOps will react by innovating for compliance, daily security management and advanced threat detection.

Why did the UBA bubble burst?

We measured the UBA market at $463m in 2016, estimating a 25% CAGR on the road to becoming a $1.13bn security segment in 2020. It is clear that the market is undergoing growing pains, as evidenced by lackluster revenue generation, the sales of Niara and Seculert, and the product strategy pivots of Exabeam and Securonix. E8 Security ($12m) and PatternEx ($8m) were two UBA firms that landed noteworthy investments in 2016, leading us to believe that UBA vendors in need of capital will find grim valuations unless they change their approach.

  • UBA vendors initially focused on SIEM's shortcomings, so naturally SIEM vendors fixed their analytic issues. UBA relies primarily on SIEM data to feed its analytic engines, a significant strategic blunder. The deal flow has been reduced now that IBM QRadar and Splunk have competing UBA products.
  • UBA brings questions to SecOps personnel when what they really need are answers. Too often UBA products shy away from making decisions in favor of presenting SecOps with an investigation 'to do' list prioritized by risk scores. SecOps is too busy fixing things and doesn't have enough people to respond to more problems called out by UBA.
  • Fuzzy math returns: UBA simply coughs up weak responses to must-have benefits. For all of the rocket scientists tackling the security problem with statistical models, UBA vendors struggle to concisely state what they detect that no other technologies can find.
Still, we remain bullish on user behavior analytics, mostly because we are seeing signs that vendors are innovating. Exabeam and Securonix have reacted to market conditions by offering their own SIEM capabilities, Gurucul embraces multiple data lakes to broaden the types of data its analytic teams have access to, and E8 Security ingests endpoint data directly from Carbon Black and Tanium. However, those committed to the present path are going to find tough sledding in 2017, and a few of our UBA provider friends will be gone by this time next year.

But wait, SecOps isn't happy with SIEM, either!

If SIEM defeated the UBA uprising, then we consider that to be a Pyrrhic victory. Enterprises commonly pay 3-4x the acquisition expense in annual operating expenses. Thus, if a SIEM cost $1m to buy, it is not uncommon to see $3-4m in operating costs. The fact that some enterprises are developing their own SIEM systems on Elastic or Hadoop (from Cloudera or Hortonworks) data repositories is an eye-opening statement that they are looking to alternative SIEMs to meet SecOps needs.

  • Many SIEM specialists have built their business on anti-consumptive pricing models. That is, pricing not by services delivered but by the amount of data under management. Thus, as enterprises strain to meet compliance mandates for new applications, they find the costs of using already-deployed SIEM products to be prohibitive.
  • Customization tools are much harder to use after a product is purchased. Enterprises that are sold on the simplicity of writing queries and scripts find that they need to hire expensive developers to get the most out of their SIEM investment.
  • SIEMs are not contributing enough to detecting attacks and securing the infrastructure. Most of the data managed by a SIEM is firewall and directory junk – high volume, but low value. Security offerings produce events demonstrating how well the product is working – e.g., 'I saw this, I did that' – but can offer only indirect insight into securing the business.
Our research shows that SIEM is a high priority for enterprise security teams in 2017. For some that means overcoming obstacles to expand their SIEM presence to meet compliance requirements; for others, it means finding alternatives to meet requirements more efficiently.

Where can SIEM and UBA go from here?

Challenge 1: Building the compliance foundation

The foundation of the SIEM market is driven by the needs of compliance auditors. This typically translates into storing everything so that several months down the road auditors will have the data necessary to investigate a breach. The popularity of low-cost Elastic and Hadoop storage with flexible search tools will start to disrupt the foundation of the SIEM market. Look for pricing models to encourage data consumption and products to include basic compliance reports to drive costs out of compliance audits.

Enterprises have too much invested in SIEMs, including custom scripts and developer operations, for a practical rip-and-replace strategy. Look for SecOps to use new SIEM architectures for new applications and cloud deployments, placing legacy SIEMs into low-growth maintenance mode. This is the crux of initiatives from firms such as AlienVault, Exabeam and Securonix.

Challenge 2: Shepherding the security infrastructure to get through the day

Security products generate reams of alerts and log entries, far more than most security operation teams can reasonably manage. If a skilled level-three practitioner takes just 15 minutes to clear an alert, then that person can only handle about 30 alerts per day. Given that data-loss-prevention (DLP) offerings can pump out thousands of alerts per day, SecOps needs analytics help just to keep up with the highest-priority alerts.

To meet this challenge, we are starting to see more adaptive search capabilities, some using natural language, as well as the ability to save customized searches as reusable scripts. Analytics can reduce alert volume. For example, analytics may determine that a DLP violation, failed user access attempt, firewall IP reputation warning and privilege escalation alert are all the same incident, saving SecOps time. We are also noting automated checking that elements of the security infrastructure are constantly delivering information to the SIEM – no more devices going rogue for weeks before discovery.
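The two automation ideas above, folding product alerts on one host into a single incident and flagging log sources that have gone quiet, are small enough to show in code. This is an added illustration, not code from any vendor named in the report; the alert records, field names, 30-minute correlation window and 24-hour silence threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not from the report). The first four are the
# article's scenario: four products each reporting one facet of one incident.
ALERTS = [
    {"ts": "2017-03-01T09:00:10", "src": "firewall", "type": "ip_reputation", "host": "wks-042"},
    {"ts": "2017-03-01T09:02:30", "src": "directory", "type": "auth_failure", "host": "wks-042"},
    {"ts": "2017-03-01T09:05:00", "src": "edr", "type": "priv_escalation", "host": "wks-042"},
    {"ts": "2017-03-01T09:07:45", "src": "dlp", "type": "dlp_violation", "host": "wks-042"},
    {"ts": "2017-03-01T13:00:00", "src": "dlp", "type": "dlp_violation", "host": "wks-017"},
]


def parse(ts):
    """Alerts carry ISO 8601 timestamps (assumed UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def correlate(alerts, window=timedelta(minutes=30)):
    """Fold alerts that share a host and arrive within `window` of the previous
    alert on that host into one incident. The individual signals are kept so
    the analyst still sees the evidence, but gets one ticket instead of four."""
    incidents = []
    open_by_host = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        ts = parse(a["ts"])
        inc = open_by_host.get(a["host"])
        if inc is None or ts - inc["last"] > window:
            inc = {"host": a["host"], "first": ts, "last": ts, "signals": []}
            incidents.append(inc)
            open_by_host[a["host"]] = inc
        inc["last"] = ts
        inc["signals"].append((a["src"], a["type"]))
    return incidents


def silent_sources(alerts, expected, now, max_gap=timedelta(hours=24)):
    """Return expected log sources that have not reported within `max_gap`,
    so a device that stops feeding the SIEM is noticed in a day, not weeks."""
    last_seen = {}
    for a in alerts:
        ts = parse(a["ts"])
        last_seen[a["src"]] = max(last_seen.get(a["src"], ts), ts)
    return sorted(s for s in expected
                  if s not in last_seen or now - last_seen[s] > max_gap)
```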

HPE, IBM, LogRhythm, Splunk, Sqrrl and Sumo Logic are players to keep an eye on for applying analytics and automation to assist security operation teams in managing the heavy-lifting burden of responding to alerts. We have already heard of UBA products reducing incident-response loads by an order of magnitude just by automatically collecting data and presenting a timeline of activity.

Challenge 3: Elevate the security profile by detecting and responding to advanced threats

The SIEM paradox is that the data collected from security offerings cannot help detect the most dangerous threats: those thriving in the infrastructure. SecOps needs to include real-time operational data such as performance information and configuration changes to be able to mitigate damage from attacks.

The mindset has to change from a myopic security position to active participation throughout the business. Think about how antivirus (AV) vendors discover new attacks – a honeypot or customer observes unauthorized changes in software configurations or performance degrades unexpectedly. At that point, an investigation process commences and the infected endpoint is automatically restored so that the AV vendor can continue to do its business.

SecOps should strive for a similar approach. Work with IT operations to gain access to real-time information to examine through a security lens, return intelligence back to IT since you're inspecting everything, and develop a playbook of graduated responses to keep the business on its feet while security processes play out. This is the area that UBA has to aspire to reach – relying on SIEM data that exists for compliance and management of security offerings is not going to help detect advanced threats or maintain infrastructure performance.

Graduated responses will become mandatory in the new SecOps world. There seems to be an irrational fear of automated responses when it comes to analytic approaches. However, the largest security segments all require automated responses – AV cleans up known attacks, firewalls block unauthorized traffic, identity and access management denies access. SecOps will need to have choices in responding to security incidents. Thus, a graduated response is essential where SecOps may specify actions such as continuous authentication to ensure that a human is driving a session, trigger a vulnerability and configuration scan to gather information on endpoint changes, and transparently encrypt data if there is an unacceptable risk of an infected endpoint. Additionally, an API allowing security operation teams to implement their own automated response mechanism is critical.

Rapid7, SAS Institute and Splunk do a marvelous job of balancing the needs of security and IT operations personnel so this can get done. Of the UBA providers, we feel that E8 Security and Gurucul are well-positioned to reach into multiple security, IT and network data lakes to enhance SecOps in highly differentiated approaches.

Our contention is that different products, or at least abstractions, are required to meet challenges 1 through 3. Security operations is far from a one-size-fits-all proposition. Isolating major SecOps challenges opens the door for innovation and promises to make for a disruptive year.
Eric Ogren
Senior Analyst, Security

Eric Ogren is a Senior Analyst with the Information Security team. Eric has extensive experience in software development, technology marketing, and as a security industry analyst. Prior to joining 451 Research, Eric held marketing leadership positions with security vendors such as RSA Security and OKENA, and technology vendors such as Digital Equipment, where his experience contributed to pragmatic perspectives for security clients on emerging market trends, company and product strategies, differentiated vendor messaging and positioning, and meeting enterprise solution purchase criteria.
