2021 State of Security Operations by Forrester
Executive Summary
To stop modern attacks, organizations need more integration, more visibility and more automation: analysts are drowning in the immense volume of alerts they receive every day. Today, analysts report that they struggle to triage and investigate threats quickly, with manual processes slowing down alert triage for a striking 74% of the survey participants. Because teams face a deluge of security alerts (11,047 alerts a day on average), many teams ignore low-priority alerts, leaving over a quarter of alerts completely untouched.
Worse yet, almost two-thirds of security teams still rely on legacy endpoint security solutions, such as antivirus tools and endpoint protection platforms, which limit their ability to gather rich endpoint data for detection, investigation, and response. Security operations decision-makers recognize that they must embrace automation further to relieve their analysts and free them to focus on strategic work rather than day-to-day tactical management. Many organizations have begun to enlist automation for pieces of the security workflow and are working to increase their level of automation over the next two years.
Palo Alto Networks commissioned Forrester Consulting to explore today’s cybersecurity challenges and opportunities. Forrester conducted an online survey with 418 global security operations decision-makers who have responsibility over detection and response purchasing to understand the state of current security operations. We found that while few organizations have reached SOC maturity, 70% of respondents have begun their automation journey and 44% expect to use more automation in the next one to two years.
KEY FINDINGS
- Security operations teams are still struggling to address the high volume of alerts. Less than half of decision-makers report that their organization is able to address most or all of the alerts it receives in a day. Teams struggle to triage and investigate threats quickly, and because they face a deluge of security alerts, many teams are forced to ignore low-priority alerts, leaving organizations vulnerable.
- Almost half of all firms report struggling to hire and retain qualified staff. Because so much of threat detection, investigation, and response is still done manually, security operations teams are dealing with high rates of analyst burnout. Many teams are beginning to automate pieces of their workflows to alleviate this.
- Nearly three-quarters of decision-makers have begun their SOC automation journey. With full SOC automation being a long-term goal, 70% of surveyed organizations have begun their automation journey, and 44% expect to be using more automation in the next one to two years. Those who have adopted more automation report having a happier security operations team and a lower likelihood of technical challenges, such as poor visibility into security tools and a lack of tool integration.