The Security Division of EMC, RSA, has released the results of a new Threat Detection Effectiveness Survey that compiles insights from more than 160 respondents globally. The survey was designed to allow participants to self-access how effective their organizations are at detecting and investigating cyber threats.
The research provides valuable global insight into the technologies organizations use, the data they gather to support this effort, and their satisfaction with their current toolsets. Respondents were also asked which new technologies they plan to invest in and how they plan to evolve their strategies going forward.
A key insight from the survey was that respondents express deep dissatisfaction with their current threat detection and investigation capabilities. A very low 24% of the organisations surveyed indicated that they were satisfied with their ability to detect and investigate threats. Only 8 percent of those feel they can detect threats very quickly, with only 111 percent that can investigate threats very quickly. The speed in threat detection and investigation is a critical factor in reducer the time the attacker is present and minimising the damage and losses sustained from cyber attacks.
There is a huge imbalance between organizations that collect perimeter data (88%), and data from modern IT infrastructures (cloud-based infrastructure 27%, network packet 49%, identity management 55%, and endpoint 59%). Yet, companies that have incorporated these date sources into their detection strategies find them extremely valuables: those collecting network packet data ascribed 66% more value to that data for detecting and investigating threats than those that didn’t, and those collecting endpoint data ascribed 57% more value to the data compared to those that didn’t.
Data integration is also a problem. A quarter of respondents aren’t integrating any data, and only 21% make all their data accessible from a single source. The prevalence of siloed data prevents correlation across data sources, slows down investigations, and limits visibility into the full scope of an attack. Onl 10% of respondents rated their ability to connect attacker activity across the data sources they collect as “very well”.
Respondents didn’t consider any of their current detection and investigation technologies particularly effective, giving them an average rating of “somewhat effective.” While SIEM is deployed by more than two-thirds of respondents, more effective tools, such as network packet capture, endpoint forensics, and user behavioural analytics, lack the necessary adoption.
An encouraging find was the increasing importance of identity data to aid detection and investigation. While slightly more than half of organisations collect data from identity and access systems currently, those that do attributed 77% more value to that data for detection than those that do not.Furthermore, user behavioural analytics, which can help organizations simplify detection based on spotting patters of anomalous activity, is the most popular planned technology investment, with 33% of respondents planning to adopt this technology within the next 12 months.
“What the survey especially highlights for us operating in the southern African region is that legacy security technologies and strategies that are prevalent in many of our region’s businesses need to radically and quickly be modernised in order to prevent the sophisticated cyber attacks that have become today’s reality,” adds Anton Jacobsz, managing director at Networks Unlimited, the company that distributes RSA solutions throughout southern Africa.