Survey Highlights Security Gaps – From Inadequate Staffing to Excessive False Positives to Risk Elevated by Cloud Migration

Based on the results of a recent survey, it’s clear that organizations of all sizes are exposed by gaps in their security coverage. They are understaffed, are distracted by false positives, have unprotected endpoints, and are migrating to the cloud without adequate security systems in place.

In this post, I’ll share the results of our survey and offer suggestions for how to fill the gaps.

Who Has a SOC, and Is It Adequately Staffed?

In Q4 of 2019, Lastline conducted a survey of organizations throughout the US on their ability to detect cyberthreats. The survey was limited to the US and included organizations of all sizes, as shown in Figure 1.

Figure 1: Survey participants by the number of employees in the organization.

The first thing that we looked at was the fraction of these companies that have their own Security Operations Center (SOC). What’s immediately clear is that the portion of companies that have their own SOC, their own in-house security team, rises with the size of the company (see Figure 2).

Figure 2: Percent of organizations with their own SOC, by company size.

When you look at smaller companies, the A and B groups with fewer than 3,000 employees, the percentage of those that have their own SOC and security teams is really low, around 20-25 percent. For companies with more than 3,000 employees, it immediately jumps to over 60%, going as high as 100% for the largest companies.

What is also interesting is the average number of SOC analysts of those companies who have a SOC. What we found is that the number of analysts actually remains fairly small until an organization gets above 10,000 employees (see Figure 3).

Figure 3: Average number of SOC analysts by size of organization.

You see that more companies in the 3,000, 5,000, and 10,000 employee ranges have SOCs, but they don’t have a lot of analysts, typically between 5 and 10. Only as companies grow very large do they have their own SOCs with a larger number of analysts.

What is particularly interesting is the mid-size companies (groups C and D, between 3,000 and 10,000 employees). Between 60 and 80 percent have SOCs, but their analyst resources are fairly limited. Because they have so few resources, they most likely care about automation, false positive reduction, and other ways to reduce the workload on their limited team. This can be a real challenge: they have a large company to secure with only a few people to do it.

False Positives Come From a Variety of Systems

We asked about the fraction of events that are false positives, and we found a very broad variance. The numbers for false positives are all over the map. The average is about 50 percent, which is substantial. Even if you just have 30 percent false positives, you waste time investigating benign activity. If it goes up to 80 percent or more, as was reported by some organizations, you really waste a lot of time.

What is interesting is that there was no correlation between company size and false positives. We’ve seen people struggle with false positives across the entire spectrum of organizations.

When we asked them what the main sources were, here’s what they told us.

Figure 4: Sources of false positives.

Nearly half are coming from IDS/IPS and next-gen firewalls, which often have IDS capabilities as well. Respondents are saying that those legacy network security solutions are the main drivers of their false positives, and false positives are substantial across the board.

The Flip Side of False Positives – False Negatives

Next we asked about false negatives or the fear of breaches. We asked the companies how often they experienced incidents that could result in a breach.

Here, the trend is pronounced. We see that as company size grows (as we go down the table in Figure 5), the number of breaches or incidents they have grows from nothing, “I don’t even remember,” or a few a year (on the left) to one per day or multiple per day (on the right of the figure).

This may not seem very surprising. But I think the size of the increase as company size increases is important and interesting. You see this pronounced jump where groups A and B don’t have a big problem, while larger companies (D, E and F) see a much higher frequency of incidents. Once you go above 5,000 employees, companies are seeing one incident per day or multiple per day.

Is the Primary Point of Entry – Endpoints – Covered?

Let’s now look at visibility. The question was, how good is your coverage? How much do you see?

We asked about the percentage of endpoint devices that are currently covered by an endpoint solution, like AV or EDR. That is, how confident are you that you have all your devices covered?

The responses fell into three buckets. One group, about a third of the responses, said that they have between 50 and 90 percent of endpoints covered. The second group is interesting. This was a freeform percentage where respondents could fill in any number, and 25 percent replied with exactly “90 percent.”

Then, another large group, almost 40 percent, said between 90 and 100 percent of endpoints are covered. Actually, 25 percent of respondents said that they have 100 percent coverage, which personally I don’t entirely believe, but that’s their feeling.

Figure 6: What percent of endpoints are being covered?

Overall, it’s clear that everyone has some endpoint coverage. Nobody said they had less than 50 percent. People feel, “We have coverage.” This is across the spectrum of company size with only a slight decline for larger companies.

The overall average was around 85 percent, so there’s a gap of about 15 percent. Organizations understand that they don’t have complete endpoint coverage, which presents an opening for criminals.

Organizations are Actively Moving Critical Applications to the Cloud

Finally, it’s clear that the move to the cloud is real. We asked if their organization already uses public cloud for anything, and 69 percent said yes, they use either Azure, AWS, or GCP in the public cloud. Of those 69 percent who are in the public cloud, two thirds are already running critical applications there.

Figure 7: Percent of organizations using the public cloud and, of those, how many are running critical applications there.

Combining these two results means that nearly half of all the organizations surveyed are running critical applications in the public cloud.

You might ask, “What about the remaining 33 percent who are already in the cloud but are not yet running critical applications there?” Half of those want to move them there this year, in 2020. So, the share of organizations running critical applications in the public cloud is continuing to grow.

This expands the attack surface for any organization, and they cannot expect their on-premises security solutions to automatically work in the cloud. Indeed, most do not. So, again, there’s a gap: a need for improved security.

This survey illustrated where the gaps are and where organizations are vulnerable.

False positives clearly matter. Many organizations are tired of the false positives generated by their IDPS system, among others, and are considering disabling it. Organizations of all sizes understand that their endpoint solutions do not cover everything, especially considering the increasing presence of IoT and BYOD. Finally, the cloud transformation is real and is increasing risk, especially as organizations move critical applications there.

Lastline’s NDR platform, Lastline Defender, fills these gaps by analyzing all network activity, on premises, in the cloud, and in hybrid environments, to detect malicious activity. If an endpoint isn’t protected, we’ll detect the malicious network movement. If cloud applications are inadequately secured, we’ll detect threat activity. And due to our deep history in understanding malicious behavior, thanks to our Deep Content Inspection™, we can distinguish between malicious and benign network anomalies, minimizing false positives.

Dr. Christopher Kruegel

Currently on leave from his position as Professor of Computer Science at UC Santa Barbara, Christopher Kruegel’s research interests focus on computer and communications security, with an emphasis on malware analysis and detection, web security, and intrusion detection. Christopher previously served on the faculty of the Technical University Vienna, Austria. He has published more than 100 peer-reviewed papers in top computer security conferences and has been the recipient of the NSF CAREER Award, MIT Technology Review TR35 Award for young innovators, IBM Faculty Award, and several best paper awards. He regularly serves on program committees of leading computer security conferences. Christopher was the Program Committee Chair of the Usenix Workshop on Large Scale Exploits and Emergent Threats (LEET, 2011), the International Symposium on Recent Advances in Intrusion Detection (RAID, 2007), and the ACM Workshop on Recurring Malcode (WORM, 2007). He was also the head of a working group that advised the European Commission (EC) on defenses to mitigate future threats against the Internet and Europe's cyber-infrastructure.