8 Key Takeaways from Observe’s 2023 State of Security Observability Report

By: Jack Coates, Senior Director of Product Management at Observe

You’ve heard of security and observability, but maybe not security observability.

Security observability uses logs, metrics, and traces to infer risk, monitor threats, and alert on breaches. The fundamentals of modern observability — cheap backend, low-friction ingest for any type of data, pay-as-you-go searching — are now crucial for security teams as well.

Organizations have been using log data to identify known and unknown attacks since the beginning of the Internet, but each generational shift in volume and velocity has broken the old tools. Security observability starts as a way to bring your SecOps forward to a world with an architecture that separates storage from compute.

To better understand the convergence of security and observability, Observe recently surveyed 500 full-time security decision-makers and practitioners— 40% of whom were either CISOs or CSOs — to compile the 2023 State of Security Observability report.

Here are eight key takeaways from the survey:

SECURITY OBSERVABILITY IS A PRIORITY - Security observability is not just a buzzword. 99% of respondents say their organizations are prioritizing it, demonstrating the need for a new approach. Organizations of all sizes can use their observability platforms to help support security needs.

ORGANIZATIONS NEED HELP INTEGRATING OBSERVABILITY TOOLS - The report found that 84% of organizations combine security and data operations into a single analytics tool. However, more than half of the security-relevant data that goes into observability systems needs to be transformed before it can be used.

SIEM IS MORE COMPLEX THAN IT SEEMS - The vast majority (95%) of respondents use Security Information and Event Management (SIEM) tools in some way. SIEM has been positioned as a content and integration-rich entry point that gives access to dozens of rules and add-ons specific to the other products that your organization runs on. The reality is each integration has versioning and configuration requirements, each rule only works with properly abstracted data, and each alert expects that the customer can decide if it’s important or not. This requires continual maintenance from skilled users or costly professional services time.

SMALLER ORGANIZATIONS STRUGGLE WITH SECURITY TOOLS - Smaller organizations struggle with limited resources in the security tools market, hindering effective adoption. They’re forced to wait for their SIEM vendor to make updates to the solution in order to stay current with new trends.

AGENTS ARE NECESSARY - Cloud infrastructure doesn’t provide sufficient operations or security observability on its own, and agents must be used. Host agents are used by 57% of organizations for observability and 51% for security, along with container agents (42% for observability and 44% for security) and sidecar agents (29% for observability and 28% for security).

ORGANIZATIONS STRUGGLE WITH TOOL SPRAWL - Tool sprawl remains an issue with organizations — half of security incidents require escalation, and tool sprawl presents itself as an obstacle. Only 11% of respondents reported staying in a single pane of glass, with 18% using six or more tools to investigate issues. This indicates that organizations need an all-in-one platform to deal with incidents more efficiently.

VALUE IN HAVING SKILLED TEAMS - The report shows that organizations value having skilled teams to find and respond to unknown threats. About 73% have in-house Incident Response (IR) teams and Security Operations Centers (SOC). Interestingly, newer tools like SOAR, UEBA, and EDR, expected to replace SIEM, haven't taken over as anticipated. Instead, organizations still heavily depend on SIEM for their security needs.

MORE ORGANIZATIONS BECOME CLOUD-NATIVE - Cloud conversion has crossed the hallway mark, and 74% of organizations have built their current systems to be mostly or entirely cloud-native. As more organizations become cloud-native, they will need tools and infrastructure that can keep up with complex and ephemeral cloud-native environments.