Unified Security Platform

A survey indicates that security and IT leaders favor unified security platforms over point solutions for better protection and improved security posture. The increasing complexity and number of security tools in organizations lead to challenges in visibility and threat detection, prompting a shift towards integrated solutions. AI is being utilized by both security teams and malicious actors, highlighting the need for unified platforms that leverage AI to enhance defense capabilities and streamline operations.

Uploaded by

Jonathan Murch

The unified security platform era is here


Survey shows security and IT leaders believe a unified security platform delivers
better protection and improves posture more than point security solutions.
Executive summary
The challenging state of security
Rethinking the best-of-breed approach
AI’s growing presence
How a unified security platform improves security posture
Conclusion: Security’s ideal state
Executive summary

The modern enterprise is digitally driven, globally distributed and accessible from virtually everywhere. But there’s a downside to the accelerated pace of digital transformation and the surge in AI investment: increased exposure to cyber risk.

To keep pace in this challenging environment, many organisations have adopted a best-of-breed approach to their security tooling, reasoning that the best solution for addressing a specific need would give them the best protection. The unintended effect of this strategy, however, is growing complexity up and down the security stack. Silos of poorly integrated tools and information make it increasingly difficult for SecOps teams to share, process and analyse data. Too many standalone tools makes it virtually impossible to achieve visibility across the entire digital estate, which impedes rapid threat detection, investigation and response.

Unfortunately, overly complex IT and security environments are good news for bad actors. Silos make it easier for adversaries to work in the shadows, navigating across systems to get to their target payload.

SecOps teams need to evolve their tool strategy to keep pace. While there will never be just one all-encompassing security tool, organisations need a streamlined set of solutions that work together to deliver integrated, defence-in-depth protection and coordinated detection and response. This approach, delivered through platforms that unite data and capabilities currently ‘stuck’ in other tools, provides security teams the unified approach they need.

New Foundry and Microsoft research highlights how that unification is helping security teams increase their efficiency, reduce core metrics like MTTR/MTTA and improve overall security posture. This eBook highlights the research findings, providing insights and guidance for SecOps teams looking to reduce vulnerabilities and build a more proactive security posture across the enterprise.

One takeaway is clear: To improve their security posture, organisations must move away from best-of-breed, point security solutions and adopt a platform approach that delivers the end-to-end integration and visibility SecOps teams require for comprehensive threat prevention, detection and response.

The challenging state of security

Managing cybersecurity has always been difficult. But the mass adoption of cloud and expansion of the digital estate has made it exponentially more so. Adversaries are deploying increasingly sophisticated techniques that make it harder than ever for SecOps teams to defend against malicious attacks. Advanced technologies such as artificial intelligence (AI) and machine learning (ML) help bad actors create more effective and elusive malware to launch ransomware, phishing attacks and zero-day exploits. Nation-state threats are growing as well, with rogue groups deploying large language models to gather intelligence or create automated scripts for carrying out attacks at unprecedented scale.

“Over the last few years, nation-states have really increased the sophistication of attacks,” says Sherrod DeGrippo, Director, Threat Intelligence at Microsoft. “Their skills and their understanding of enterprise security continue to evolve. And they’re selling their tooling and expertise to other threat actor groups, resulting in a more well-resourced and skilled adversary at all levels.”

These adversaries have effectively developed their own software supply chains on the dark web to sell sophisticated tools including ransomware as a service – and unauthorised access to businesses. Companies of all sizes are feeling the effects. The Foundry study of security decision-makers found that organisations averaged 13 security incidents or breaches over the past year, with nearly one-quarter of respondents (24%) reporting 20 or more.

Amid this steady stream of threats, security leaders remain resolute. Most survey respondents (84%) have a moderate or high level of confidence in their current security posture. Just 16% gave their security capabilities low marks. When asked about the effectiveness of their existing security tools specifically for prevention, detection and response, more than one-third expressed a high level of confidence.

[Chart: Number of security incidents in the past year. Average: 13.2; Median: 8.5. Categories: None, 1-5, 6-10, 11-20, 21-30, 31-40, 41-50, 51-99, 100 or more.]
Current confidence in security posture

How would you characterise your organisation’s current security posture on a scale of 1-10?

[Chart: Total respondents by confidence level. Low = 1-6, Medium = 7 or 8, High = 9 or 10.]

Confidence in current security tools to do the following (Low / Medium / High):

Response: 18% / 47% / 35%
Detection: 18% / 46% / 37%
Prevention: 20% / 42% / 38%

When asked about the effectiveness of their existing security tools, many are confident. But the survey also shows that this confidence does not mean respondents are comfortable with their current state of defence.

But this confidence does not mean CISOs are comfortable maintaining their current state of defence. Survey respondents cited ransomware as their biggest concern, followed by:

• Cloud compromises
• Advanced persistent threats (APTs)
• Malware
• Phishing attacks
• Insider threats
• Supply chain compromises

Clearly the increasingly complex digital business environment is fuelling the threat landscape and putting more pressure on SecOps teams.

“The last few years have been pretty eye-opening from a security standpoint, with the shift to remote work pushing a lot of organisations to adopt new policies and new tools,” says DeGrippo. “It made clear that there’s a lot of work to do and a lot of room for improvement, even for organisations that feel confident in their security posture.”

Biggest external security threats (weighted top three rankings indexed to 100):

Ransomware attacks: 139
Cloud compromises: 135
Advanced persistent threats (APTs): 102
Malware: 99
Phishing attacks: 86
Insider threats: 73
Supply chain compromises: 65

More tools, more complexity: Rethinking the best-of-breed approach

To combat ongoing threats, SecOps teams continue to diligently build out their tool sets. Survey respondents report using more than 14 security tools on average, with 21% using more than 20. More than one-third (35%) have increased the number of tools over the past year.

There are tradeoffs to this expanding ecosystem of tools. The two biggest challenges to improving their security posture, according to survey respondents:

• Complexity of the current environment
• Poor visibility across the landscape

These challenges speak directly to rapidly expanding IT environments and the growing set of security tools used to protect them.

[Chart: On average, enterprises use around 14 different security tools. Panel 1: Number of security tools (Average: 14.2; Median: 15.5; categories 1-5, 6-10, 11-20, 21-30, 31-40, 41-50, 51-99). Panel 2: Change versus previous year (Increased, Decreased, Stayed the same).]

The pain points are particularly acute for organisations that have adopted a best-of-breed strategy. Nearly one-third (29%) of survey respondents say they’re using a best-of-breed approach to security, 26% a suite solution and 44% are a mix of both. Those using a best-of-breed approach exclusively are, on average, using more tools than other respondents and are more likely to have increased the number of tools over the past year.

While CISOs may find it easy to justify using specific tools for specific tasks – especially when it comes to protecting valuable digital assets – more tools do not lead to improved defences, according to the survey. The reality is that a best-of-breed approach may be exacerbating the cybersecurity challenge: Respondents with a higher number of tools also reported a higher average number of security incidents (15.3 incidents, versus 10.5 incidents for organisations with fewer tools).

More tools don’t equal improved security: 29% of respondents use a best-of-breed approach exclusively.

[Chart: Biggest challenges to achieving a successful security posture. Weighted top three rankings indexed to 100. Categories: Complexity of the current environment; Incomplete visibility to assess security posture; Volume of alerts/Size of incident queue; Lack of budget; Insufficient staff; Lack of executive support; Inadequate tools.]

“It’s impossible to have complete visibility if SecOps teams are not all working with the same data, or the same tools,” says Rob Lefferts, CVP, Modern Threat Protection at Microsoft. “And without that visibility, it’s hard to be fully confident in your policies and your approach.”

Some security teams are looking to reverse this trend to reduce complexity and the additional risk it introduces.

• Most respondents (58%) say supplier consolidation is a priority over the next 12 months
• For respondents with more than 10 security tools, the percentage rises to 79%
• Notably, 91% of respondents using a best-of-breed approach say they are prioritising supplier consolidation

“Point solutions made more sense when organisations were primarily defending against commodity-based and single domain threats. But today’s multistage attacks mean security teams need to connect events across multiple tools into a single incident. An EDR solution simply isn’t enough anymore. And legacy SIEMs slow down detection until it’s too late. You need all your systems and tools to work together to detect in real time,” says Lefferts.

A seat at the table

Cybersecurity and risk management have become a board-level concern, so it’s no surprise that many CSOs and CISOs have earned a seat at the executive table. The survey found that 39% have a direct reporting line to the CEO and 16% report to the board of directors.

Given the size of the respondent organisations (500 or more employees), it’s worth noting that 35% do not have a CSO/CISO role. Those responsibilities likely fall to a chief technology officer or a VP-level executive.

Regardless of the reporting structure, respondents use a variety of methods to communicate security issues to executive leadership, led by regular security briefings (81%) and incident response reports (64%).

Regular security briefings are critical for keeping senior leadership up to date on threats and vulnerabilities, to ensure that cybersecurity – and supporting investments – remains top of mind at the board level.

AI’s growing presence

AI is already proving itself as a game-changer for SecOps teams. Deployed strategically, it can reduce complexity and improve defences by removing barriers that inhibit rapid detection and response.

Unfortunately, SecOps teams aren’t the only ones deploying AI technology. Malicious actors have also hopped on the AI train, using the technology to create more deceptive phishing and other social engineering campaigns while increasing the speed and scale of their attacks.

However, a unified platform infused with AI could help defenders tip the scales in their favour. “AI enables SecOps teams not just to be more responsive to an incident, but also allows them to proactively address their security posture to reduce vulnerabilities,” says Lefferts.

The survey shows how organisations are counterpunching with their own AI investments. Two-thirds of respondents (66%) used AI for their security operations, and another 22% are experimenting with the technology, either in pilots or proofs of concept.

SecOps teams are deploying AI in two primary ways. First, to help analysts improve efficiency by automatically correlating alerts into incidents, prioritising based on severity, enriching investigations and helping through generative AI (genAI) solutions. Automated, step-by-step guidance turns complex, multistage incidents into manageable investigations for analysts of every level. Second, they’re embedding AI into security tool defences – enabling things like the automatic disruption of in-progress attacks, deploying decoys to mislead attackers and automating routine remediation such as password resets.

[Chart: Stage of deploying AI for SecOps. While only slightly more than one-quarter have fully deployed AI for security operations, almost all have begun the journey. Categories: Full deployment; Maintenance and optimisation; Scaling up; Early deployment; Pilot; Proof of concept; Research and exploration; Considering, but not yet started; Re-evaluating current AI strategy; Not considering at this time.]

Respondents are using AI for a variety of tasks, led by network security monitoring, threat detection and incident response. AI’s broad reach is due in large part to its ability to process huge volumes of data and respond to alerts much faster than humans can.

“AI can be particularly helpful post-breach,” says Lefferts. “While it’s obviously best to stop an attack before it happens, attackers only have to be right once. Breaches are inevitable, so it’s critical to be able to stop an in-progress attack. AI can help enable real-time attack disruption capabilities by accurately detecting an attack in the environment and taking action to stop its progress.”

Respondents also see the potential benefits of using genAI to improve detection and response times. GenAI uses large language models to generate a variety of content and, in a security setting, can create incident reports and perform other tasks much faster than humans.

State of AI implementation for SecOps (Implemented / Planned / No plans):

Network security monitoring: 68% / 18% / 14%
Threat detection: 63% / 18% / 18%
Incident response: 55% / 26% / 18%
Vulnerability management: 53% / 25% / 21%
User behaviour analytics: 50% / 22% / 27%
Data loss prevention: 49% / 10% / 42%
Endpoint protection: 45% / 18% / 37%
Fraud detection: 43% / 22% / 35%
Access and identity management: 42% / 20% / 38%
SIEM: 41% / 27% / 32%

Significant AI adoption in key security functions, yet gaps remain.

For example, genAI can save a significant amount of time investigating an incident because of its ability to summarise huge volumes of alerts, malicious scripts and activity logs. It can assemble all the information in a timeline and provide a summary analysis of the likely cause and impact.

“GenAI is an amazing utility for getting analysts up to speed faster, so they can go straight into triage and remediation instead of having to do a bunch of time-consuming prep work and back-and-forth communications with other admins and experts on the team to add context,” says Lefferts. “Rather than taking a couple hours or even days, you now have the summary in 30 seconds, in plain language, to jump-start your investigation.”

[Chart: Benefits of GenAI in security. Generative AI promises enhanced detection and faster response. Weighted top five rankings indexed to 100. Categories: Improved threat detection; Faster response times; Increased efficiency in security operations; Ability to predict and prevent future threats; Cost savings; Better scalability of security solutions; Improved accuracy in identifying security incidents; Reduced manual workload for security staff; Enhanced ability to analyze large volumes of data; Enhanced decision-making; Upskilling junior talent.]

Other established and emerging AI and machine learning capabilities can help improve an organisation’s overall security posture. For example, the ability to analyse threat intelligence from trillions of signals across the globe can help teams identify the types of vulnerabilities that attackers are prioritising and take steps to close any existing gaps [see ‘A need for feeds’]. This type of attack path analysis, done at scale, gives SecOps teams a clearer picture of how multiple vulnerabilities can be chained together to access sensitive information.

It also amplifies efficiency. With genAI capabilities integrated into a unified security platform, incident summaries are available in an instant, helping analysts triage and begin their investigations faster. SecOps teams can use genAI to create complex tasks, such as analysing malicious scripts or crafting Kusto Query Language (KQL) queries to hunt across data, simply by asking a question in natural language.

“As AI continues to evolve, it will become even more useful in helping SecOps teams think like their attackers, which is the key to improving defences,” says DeGrippo.

A need for feeds

Security suppliers have made significant progress in gathering and analysing threats. For example, Microsoft’s Unified Security Operations platform is powered by threat intelligence drawn from 78 trillion threat signals processed daily – and the knowledge of more than 10,000 multidisciplinary experts to enhance detections, alerts and investigations with powerful context about the global threat landscape.

This type of actionable threat intelligence is a critical component of modern cybersecurity. However, fewer than half of the survey respondents say they take advantage of in-product threat intelligence (47%) or threat intelligence feeds (43%) to keep current on the latest security threats.

Real-time intelligence on threat actors, tooling and vulnerabilities is essential for helping SecOps teams detect, triage and respond to them faster and with more clarity.

The ability to quickly discern information about an attacker, the infrastructure they use, and their typical targets – paired with recommendations for remediation – allows SecOps teams to proactively reduce risk.

Top security content sources for keeping updated on threats:

Peer networks: 67%
Security webinars: 55%
Industry reports: 53%
In-product threat intelligence: 47%
Security news websites: 44%
Threat intelligence feeds: 43%
Podcasts: 33%
In-person security conferences: 33%

How a unified security platform improves security posture

Addressing such a long list of challenges, from complexity and integration issues to more sophisticated threats, requires security leaders to constantly assess and refine their approach. They need solutions that work together to protect their organisation’s entire multicloud, multiplatform environment by blocking attacks and finding and removing adversaries that manage to breach the perimeter.

A unified security operations platform brings SIEM, SOAR, XDR, threat intel, cloud security and other foundation SOC tooling together to help SecOps teams streamline threat protection by providing a comprehensive, end-to-end view of threats across the digital estate. A unified platform, with a consistent data model and a healthy dose of AI and automation, helps SecOps teams close critical security gaps and streamline their operations by improving three core capabilities: Exposure management, incident detection and response and resiliency.

Continuously manage threat exposure

The ability to centralise and view their organisation’s exposure to threats through a contextual, comprehensive and risk-based lens empowers SecOps teams to understand, measure, manage and improve their security posture. Exposure management extends security capabilities beyond traditional detection and response by combining continuous monitoring with prioritised guidance for mitigations to limit exposure across devices, identity, applications, data and multicloud infrastructure.

Exposure management connects the dots among isolated security findings. The ability to model advanced attack paths, for example, helps SecOps teams understand how attackers think and take advantage of vulnerabilities.

Simulated attack scenarios identify weaknesses a bad actor could exploit, with visualisations that make it easy to explore multiple paths and choke points to see how potential threats might unfold. Attack path modelling allows for more effective threat prioritisation and lets teams take steps to prevent attacks from reaching critical assets.

But this can’t be done in silos. Simply analysing how a cloud environment could be breached may not address the full threat. The attacker could use an on-premises identity stolen off an unmanaged device to log onto the cloud service, for example. Successful attack path modelling requires integrating data from all touchpoints to get a full view of the digital landscape.

“Exposure management brings everyone together, centralising processes and policies and uses real-world data to drive accurate decision making,” says Lefferts. “This approach shines a light on the things you need to prioritise and the steps you need to take to improve your security posture.”

Quickly respond to and automatically disrupt in-progress attacks

A unified platform enables SecOps teams to coordinate defences to more quickly detect and defend against attacks across identities, endpoints, cloud apps, email, documents, networks and infrastructure with full visibility across the kill chain.

XDR-powered capabilities such as automatic attack disruption can detect and deter in-progress advanced persistent threats like ransomware, business email compromise and adversary-in-the-middle attacks. Built-in and customisable playbooks reduce MTTR rates by automating established responses. Automation can reduce SecOps workloads even further by providing self-healing functions for menial tasks such as device clean-up.

“There’s a huge benefit in moving from highly manual processes that come into play during or after an attack involving security admins, analysts and architects,” says Lefferts. “The ability to centralise and automate detection and response is critical to limiting the attackers’ progress and minimising potential damage.”

After disruption has been triggered, security teams will be notified and receive a summary of the incident with recommendations on actions to take to fully remediate the threat, reduce the likelihood of a similar attack in the future and even have the option of generating a customised report that can be shared with senior leadership or other stakeholders.

Increase resiliency by reducing the risk of repeat attacks

By using XDR capabilities to analyse an attacker’s techniques and map them to security posture controls across workloads and infrastructure, SecOps teams can limit their organisation’s vulnerability to future attacks. By connecting the dots and providing step-by-step guidance, SecOps teams will be able to be less reactive to threats by proactively finding and addressing vulnerabilities across the entire security kill chain.

Integrating exposure management tools with incident data facilitates post-incident guidance to prevent repeat attacks. Advanced hunting using query-based tools lets teams proactively inspect events across the network to locate threat indicators and entities. Flexible access to data across the entire environment enables unconstrained hunting for both known and potential threats.

Creating this type of closed-loop feedback mechanism allows for continuous learning and improvement, culled not only from in-house incidents, but also threat intelligence from solution providers such as Microsoft, which tracks trillions of signals to help security teams identify common vulnerabilities and better understand adversaries and their methods.

“Proactively reducing exposure is not something that many organisations, especially smaller companies, can prioritise as much as they’d like,” says DeGrippo. “The additional hygiene you get from this capability can have a big impact on your security posture.”

How organisations are addressing staffing challenges

The cybersecurity skills shortage has been a persistent challenge for CISOs and their teams. But the Foundry survey shows some light at the end of the tunnel. Most respondents (62%) say they have no open positions, with staff resources allocated evenly across detection, response and prevention roles.

Those that are looking to hire, however, have an average of 6.5 open positions. Respondents cite high competition for talent as the biggest challenge in filling security roles, well ahead of other challenges including a lack of qualified candidates and budget constraints. This indicates that even if CISOs have the budget to fill open positions, they may have trouble finding suitable candidates.

That’s where AI comes in. AI and automation are the top way organisations are addressing staffing challenges, cited by 56% of respondents. Training existing staff was a close second, followed by improving recruitment processes.

There’s little doubt that AI and automation will play a starring role in augmenting human skills, even for organisations that aren’t experiencing a security staffing shortage.

“Security is so complex that no matter how many people you hire, they can’t possibly manage the scale and velocity of the current threat environment without AI and automation,” says Rob Lefferts, CVP, Modern Threat Protection at Microsoft. “We simply need to reduce the overall number of alerts and queues the security teams personally manage on a day-to-day basis.”

AI deployment in the security operations centre won’t come without challenges. CISOs understand that AI represents a significant cultural shift for SecOps teams. Success will come not just from AI technologies becoming more user friendly, but also from people learning how to use AI more effectively. Better training for existing staff is critical to helping them understand and work with advanced technologies. And the prospect of offloading manual, repetitive tasks to AI and automation so they can focus on higher-value activities should serve as an incentive.

“Our goal is to help analysts spend less time manually correlating alerts so they can remediate more quickly,” says Lefferts. “Or even better, taking what they learn from incidents and applying those learnings to improve the organisation’s security posture.”

Top five approaches to addressing security staff shortages:

Using AI and automation: 56%
Training existing staff: 53%
Improving recruitment processes: 49%
Offering competitive compensation packages: 46%
Outsourcing: 45%

Making the transition

Consolidating tool sets around a unified security platform is a significant undertaking, both technologically and culturally. Consider taking these steps to aid the transition:

1. Start with a few small but key areas. Some quick wins will help prove the value of consolidation. For some organisations, this could mean consolidating EDR solutions. Others may layer in a new security information and event management (SIEM) system alongside their existing platform. This allows teams to customise and refine the new environment without disrupting existing operations, before fully switching over. At every step of the transition, make sure the necessary integrations are in place to deliver the required end-to-end visibility.

2. Lean in on change management. Security teams are peppered with engineers and architects who have built their careers around specific, solutions-based expertise. New platforms may not align with their skill sets. Others will need training to learn how to work with AI tools. Have a plan for reskilling existing team members and give everyone ample time to ramp up before going live. The good news is that a unified platform will enable and encourage new levels of collaboration.

3. Don’t forget the end-user experience. Moving to a unified security platform is not just about improving defences – it’s also about enhancing the employee experience. Reducing friction across endpoint devices, apps, identities and networks will make it easier for employees to access the systems and data they need to get their work done more effectively. And, as SecOps teams understand all too well, eliminating friction reduces the chances that employees will take shortcuts to bypass overly restrictive or burdensome security policies.

4. Remain focused on the ultimate objective. Properly deployed and managed, a unified security platform will create a more resilient, better-protected organisation. That’s a goal everyone can align with.

Conclusion: Security’s ideal state

The modern threat landscape continues to grow in both volume and sophistication. But throwing more technology at the challenge is not the answer. As the Foundry survey demonstrates, forward-thinking security leaders are looking to streamline their tools to reduce complexity, while strategically deploying AI to improve the intelligence, speed and scale of their security operations.

While there is no ‘end state’ for security teams in the ongoing battle against cyberthreats, there is an ideal state they can aspire to: One in which a unified security platform provides end-to-end visibility across multicloud, multiplatform environments. A unified platform delivers dynamic, real-time protection and increases responsiveness to known and unknown threats. And it leverages AI and automation to free up SecOps teams to focus on increasing resilience instead of simply responding to threats.

The ideal state of security operations ultimately increases confidence among security, IT and business leaders in their organisation’s security posture. It also bolsters their ability to prepare for and adapt to whatever comes next.

About Microsoft Unified SecOps

The Microsoft unified security operations platform brings the foundational tools a security operations centre (SOC) needs into a single experience, with a consistent data model, unified capabilities and broad protection. This unification helps SOCs close critical security gaps and streamline their operations, delivering better overall protection, reduced response times and efficiency improvements.

While other security suppliers may claim to offer a unified security operations platform, only Microsoft delivers a true SecOps platform that fully integrates all the capabilities of the industry’s leading cloud-native SIEM, broadest native XDR and unified posture management solution, all with embedded generative AI, in a single experience.

About the research

Foundry conducted an online study to understand the current state of threat protection, where organisations and security professionals are focusing with their current practices and where they see opportunities for using AI in security operations.

The study, commissioned by Microsoft, was conducted in June 2024. The 156 respondents comprised senior-level IT decision-makers with a primary role in security management, at organisations with 500 or more employees.

AI-powered Unified SecOps Platform | Microsoft Security

© 2024 Microsoft Corporation. All rights reserved. This document is provided ’as-is’. Information and views expressed in this document, including URL and
other internet website references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any
intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
