RSA, The Security Division of EMC (NYSE: EMC), released the results of a new Threat Detection Effectiveness Survey that compiled insight from more than 160 organizations globally. The survey was designed to allow participants to self-assess how effective their organizations are at detecting and investigating cyber threats. The research provides valuable global insight into what technologies organizations use, what data they gather to support this effort and their satisfaction with their current toolsets. Additionally, organizations were asked what new technologies they plan to invest in and how they plan to evolve their strategies going forward. The key finding of the survey is that organizations are still relying on a fragmented foundation of data and technologies for detection and investigation that fails to achieve the outcomes they expect from their security monitoring program.
Respondents expressed deep dissatisfaction with their current threat detection and investigation capabilities. Almost 80 percent of organizations surveyed said they were not satisfied with their ability to detect and investigate threats. Speed in this area is widely recognized as a critical factor in minimizing damage and loss from cyber attacks. As many as 90 percent said they cannot detect threats quickly and 88 percent admit they are not able to investigate threats quickly. The inability to quickly detect threats is a key factor in why organizations are experiencing data breaches in which attackers are able to remain on the network for long periods of time before being discovered.
Respondents didn’t consider any of their current detection and investigation technologies particularly effective, giving them an average rating of “somewhat effective.” Organizations continue to demonstrate an overreliance on SIEM, which, while used by more than two-thirds of participants, is inconsistently augmented with technologies such as network packet capture, advanced anti-malware and endpoint tools that could appreciably improve threat detection and investigation capabilities.
The data that organizations currently collect does not provide adequate visibility. Less than half of organizations surveyed are collecting network packet data or network flow data, which provides reliable insight into advanced attacks, and only 59% collect endpoint data that can be used to find points of compromise. Yet organizations that have incorporated these data sources into their detection strategies find them extremely valuable: organizations collecting network packet data ascribed 66% more value to that data for detecting and investigating threats than those that didn’t, and those collecting endpoint data ascribed 57% more value to that data than those that didn’t.
Data integration is also an issue. A quarter of respondents aren’t integrating any data, and only 21% make all their data accessible from a single source. The prevalence of siloed data prevents correlation across data sources, slows investigations and limits visibility into the full scope of an attack. Only 10% of respondents feel they can connect attacker activity “very well” across the data sources they collect.
Finally, an encouraging finding was the increasing importance of identity data to aid detection and investigation. While only slightly more than half of organizations collect data from identity and access systems currently, those that do ascribed 77% more value to that data for detection than those that do not. Further, behavioral analytics, which can help organizations simplify detection based on spotting patterns of anomalous activity, is the most popular planned technology investment, with 33% of respondents planning to adopt this technology within the next 12 months.
Methodology
RSA’s quantitative global survey was conducted online in January and February 2016. All qualified respondents self-reported all data. More than 160 unique organizations participated, with 44 percent under 1,000 employees, 31 percent with 1-10,000 employees and 25 percent over 10,000 employees. The respondents represented 22 different industry sectors, with 58 percent from the Americas, 26 percent from Europe and the Middle East, and 15 percent from Asia Pacific and Japan.