RSA, The Security Division of EMC, has released the results of a new Threat Detection Effectiveness Survey that compiled insight from more than 160 respondents globally. The survey was designed to allow participants to self-assess how effective their organisations are at detecting and investigating cyber-threats. The research provides valuable global insight into what technologies organisations use, what data they gather to support this effort, and their satisfaction with their current toolsets. Additionally respondents were asked what new technologies they plan to invest in and how they plan to evolve their strategies going forward.
A key insight from the survey was that respondents expressed deep dissatisfaction with their current threat detection and investigation capabilities. Only 24% percent of organisations surveyed indicated that they were satisfied with their ability to detect and investigate threats. Only 8% of those organisations feel they can detect threats very quickly with only 11% that can investigate threats very quickly. Speed in threat detection and investigation is a critical factor in reducing attacker dwell time and subsequently minimising damage and loss from cyber-attacks.
Amit Yoran, President, RSA, said, “This survey reinforces our greatest fear that organisations are not currently taking, and in many cases are not planning to take, the necessary steps to protect themselves from advanced threats. They are not collecting the right data, not integrating the data they collect, and focusing on old-school prevention technologies. Today’s reality dictates that they need to plug gaps in visibility, take a more consistent approach to deploying the technologies that matter most, and accelerate the shift away from preventative strategies.”
There is a staggering imbalance between organisations that collect perimeter data (88%), and data from modern IT infrastructures (Cloud-based infrastructure 27%, Network Packet 49%, Identity Management 55%, and Endpoint 59%). Yet, organisations who have incorporated these data sources into their detection strategies find them extremely valuable: organisations collecting network packet data ascribed 66% more value to that data for detecting and investigating threats than those that didn’t, and those collecting endpoint data ascribed 57% more value to that data than those that didn’t.
Data integration is also an issue. A quarter of respondents aren’t integrating any data, and only 21% make all their data accessible from a single source. The prevalence of siloed data prevents correlation across data sources, slows investigations, and limits visibility into the full scope of an attack. Only 10% of respondents rated their ability to connect attacker activity across the data sources they collect as “very well”.
Respondents didn’t consider any of their current detection and investigation technologies particularly effective, giving them an average rating of “somewhat effective.” While SIEM is deployed by more than two-thirds of respondents, more effective tools like network packet capture, endpoint forensics, and user behavioural analytics lack the necessary adoption
Finally, an encouraging finding was the increasing importance of identity data to aid detection and investigation. While only slightly more than half of organisations collect data from identity and access systems currently, those that do ascribed 77% more value to that data for detection than those that do not. Further, user behavioural analytics, which can help organisations simplify detection based on spotting patterns of anomalous activity, is the most popular planned technology investment, with 33% of respondents planning to adopt this technology within the next 12 months.