Security has a dark data problem; generative AI can help

Our Information Security, Security Analytics & SecOps 2023 study explores the key attributes that enterprise security buyers expect when selecting tools to support their security operations capabilities, the technologies they can layer upon that investment, and the level of potential benefits they see in applying AI technologies to security analysis.

The Take

Dark data is, in essence, the collection of data that is not used to derive insight or benefit decision-making. Security operations (SecOps) teams acknowledge that, even for the data that is collected and that their tools analyze and alert on, less than half of those alerts are investigated, on average. That doesn’t even account for the data that is not easily gathered via existing tools, or the fact that security operations capabilities are inconsistent between organizations, with scale or company size being a key factor. For example, 72% of organizations have a security operations center (SOC) capability in place, and this drops to 48% at the smallest companies.

The automation of what was once specific domain knowledge is cited as a key benefit of extended detection and response (XDR) offerings — a growth technology in information security and typically a key enabling tool for SecOps. The integration of generative AI capabilities into SecOps suites may be an even more transformative change driving the same goal: automation and simplification to the benefit of SOC analysts.

Only 8% of security leaders think generative AI will not affect their enterprise’s security operations, against 34% who believe it will have a significant impact and another 35% who believe it will have a moderate impact on augmenting SOC analysts’ capabilities, as well as simplifying the inquiries (and sometimes scripts) that are part of threat hunting.

Those who believe this will result in labor cost savings, however, are not accurately gauging the problems faced by SecOps at most enterprises. At present, the possibilities of generative AI in SecOps more resemble a life preserver being thrown to operations teams deluged by alerts they know they should be investigating but can’t.

Summary of findings

AI and its subcategory, machine learning, are the most-cited technologies integrated with security information and event monitoring and analytics tools in enterprise security, cited by 45% of respondents to this survey. AI has taken the top spot from “threat intelligence,” the most-cited technology last year. Thirty-seven percent (37%) are able to leverage user/entity behavioral analytics on top of their analytics tool, a technology that frequently applies machine-learning techniques to identify potentially anomalous behavior.

The integration of threat intelligence remains important, with 69% of respondents saying that the ability to map threat intelligence to internal context found in logs is a key attribute when selecting a tool to support security operations. It follows only the primary purpose of such platforms, the quality of alerting and reports, which was cited by 76% of respondents as being very important in the selection of a SecOps tool.

Rounding out the top three most-cited attributes considered when selecting a SecOps tool is the ability to cover IT architectures beyond on-premises, meaning cloud-based assets, cited by 65% of respondents. About 60% want the ability to integrate some automation of response to tool-generated SecOps alerts via security orchestration, automation and response (SOAR). Finally, ease of setup and the ability to quickly produce results are very important to 58% of survey respondents.

When it comes to XDR, a growth technology, higher-quality alerts for triage (59%) and the ability to improve security operations capabilities (53%) are the most-cited motivations for implementation. Approximately 40% note that the ability to leverage new telemetry sources is a key benefit of XDR.
