Threat Detection and Response

The State of Threat Detection 2019

Since we released our 2nd annual State of Threat Detection Report, headlines depicting the latest data breach or ransomware incident have dominated news cycles. Unfortunately, these kinds of headlines have become our status quo as threats rapidly evolve and proliferate. In order to keep ahead of the latest threats, organizations need a strong security posture that allows them to evolve ahead of threats. To find out the challenges that are currently standing in between organizations and holistic security, we surveyed hundreds of security professionals across the globe and compiled the results. You can view the findings from your peers in our 2019 State of Threat Detection Report.

Automation and Visibility Are the Leading Challenges
We found that the leading challenges currently facing organizations are a lack of automation, followed closely by a lack of visibility. As we have discussed in previous blogs, forming a holistic cyber defense relies heavily upon establishing visibility across the entire cyber terrain. However, our survey found that 33% of respondents lack visibility across their entire terrain, and an additional 16% did not know their current level of visibility. This means that roughly half of our total respondents (49%) can’t possibly understand the risk to their organization because you can’t defend what you don’t know and can’t detect. In fact, only 12% strongly agreed that they had full terrain visibility. Organizations are essentially exposed to much higher levels of risk and face the increased likelihood that an adversary is lurking within their network undetected.

At the same time, many organizations’ exploitable attack surfaces are expanding. When asked if their cyber terrain has expanded over the past year, 69% of respondents said that it has grown. The leading causes contributing to this terrain growth were additional cloud applications, higher levels of network traffic, and a higher number of endpoints. BYOD devices, enterprise IoT and mergers and acquisitions were also named as contributing factors to terrain growth. Meanwhile, legacy systems and cloud applications were named as the leading barriers to achieving visibility.

Growing Security Stacks Not Delivering Results
As new threats have emerged over time, many organizations have purchased different cybersecurity products to solve single problems, often from different vendors, as part of their overarching security infrastructure. This strategy results in duplicative capabilities, a lack of interoperability and further reduced visibility – all of which add complexity without providing any added security benefits.

This is evidenced by the extremely low number of organizations using their full security stack to its full capabilities. In our survey, 61.5% of participants told us that they were not using half or more of their security stack to its full capability, and only 6.5% felt that they were using their full stack to its full capability. This also gives us a hint as to why a lack of automation ranked as the number one cybersecurity challenge currently facing organizations. Because of these inefficiencies in the security stack, each product is generating alerts – often at a rate that is humanly impossible to keep pace with. As a result, only a fraction of alerts are investigated, and analysts quickly succumb to fatigue as they are barraged by an unmanageable torrent of alerts. Ultimately, this allows adversaries to stay undetected for longer periods of time and operate with more impunity, which lowers the overall cost of their attack.

To solve this problem, organizations need to evaluate their stack and capabilities against a risk-based framework such as MITRE ATT&CK™ and, in the federal space, DODCAR. Consolidating within a cooperative cybersecurity framework allows a single management platform to monitor, manage, and orchestrate solutions across the entire distributed network. An integrated platform can automate the processing and analysis of threat information from multiple sources and can quickly identify and mitigate network security threats. The identification, isolation, and analysis of suspicious files can be automated. All of this, if done manually, is extremely labor-intensive and time-consuming. By scaling down unnecessary, redundant security devices and integrating what remains within a single unified system, organizations can make their cybersecurity solutions more effective than ever.
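As an added illustration of the evaluation described above (not code from the report or its authors), the script below maps a constructed product inventory onto a constructed list of priority ATT&CK technique IDs and reports which techniques are uncovered and which products add no detection coverage beyond what the rest of the stack already provides. The technique IDs are real ATT&CK identifiers; the product names, their technique mappings and the priority list are assumptions made up for the example.

```python
# Added example: score a security stack against a risk-based framework
# (here, ATT&CK technique IDs) to find coverage gaps and redundant products.
# Technique IDs are real ATT&CK identifiers; the product-to-technique
# mapping and the priority list below are constructed for illustration.
from collections import defaultdict

# Constructed inventory: product -> ATT&CK techniques it can detect.
STACK = {
    "email_gateway": {"T1566"},
    "edr_agent": {"T1059", "T1003", "T1486"},
    "legacy_av": {"T1059", "T1486"},        # fully overlapped by edr_agent
    "network_sensor": {"T1021", "T1059"},
}

# Constructed priority list: techniques the threat model ranks highest.
PRIORITY = ["T1566", "T1059", "T1003", "T1021", "T1486", "T1078"]


def coverage(stack, priority):
    """Return (covered, gaps, redundant) for the stack against the priority list."""
    by_technique = defaultdict(set)          # technique -> products detecting it
    for product, techniques in stack.items():
        for t in techniques:
            by_technique[t].add(product)
    covered = {t: sorted(by_technique[t]) for t in priority if t in by_technique}
    gaps = [t for t in priority if t not in by_technique]
    # A product is redundant when every technique it covers is also covered
    # by at least one other product in the stack.
    redundant = sorted(
        p for p, techs in stack.items()
        if techs and all(len(by_technique[t]) > 1 for t in techs)
    )
    return covered, gaps, redundant


def report(stack=STACK, priority=PRIORITY):
    """Render the coverage result as plain text, one line per technique."""
    covered, gaps, redundant = coverage(stack, priority)
    lines = [f"{t}: {', '.join(ps)}" for t, ps in covered.items()]
    lines.append(f"gaps: {gaps}")
    lines.append(f"redundant products: {redundant}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The same check scales to a real inventory by replacing the constructed dictionaries with the organization's own product-to-technique mapping and its prioritized technique list.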

Threat Intelligence and Threat Hunting Remain Underutilized
Streamlining the security stack is an important step towards reducing attacker dwell time and hardening defenses. However, that’s one of several steps. To more proactively prepare for modern adversaries, organizations will also need to increase focus and investment into threat hunting and threat intelligence capabilities. Threat hunting is an imperative for today’s organizations, allowing analysts to hunt for unknown threats. However, our survey found that less than half of organizations – only 46% – are currently capable of leveraging tailored threat intelligence and threat hunting activities.

Effective threat intelligence needs to provide security teams not only with the proper indications and warnings, but also with the capability to inform and shape their cyber defense. Unfortunately, roughly one-third of organizations with threat intelligence were not so confident or not at all confident in the countermeasures created from their sources of threat intelligence. This goes to show that organizations do not just need threat intelligence; they need threat intelligence that is specifically tailored to their organization’s security architecture and threat landscape.

In order to threat hunt effectively, organizations need the right tools and, most importantly, the right data. Automation can do much of the groundwork: collecting rich metadata from network sensors, endpoints, and cloud environments, and conducting cross-session analysis as well as multi-faceted analysis and malware behavior analysis. These are critical for post-breach detection and hunting for unknown threats. However, many organizations lack this, with roughly 41% of respondents saying they do not currently have tailored threat intelligence but would like it.

Although automation and machine assistance are indispensable in providing the information and context needed for the hunt, its effectiveness will ultimately be determined by how much time and skill the analyst conducting the hunt possesses. This is because threat hunting is a heavily labor-intensive human activity – when organizations that do not currently threat hunt were asked why, an overwhelming majority pointed to a lack of time (49%) and skills (41%). Only 9% of organizations responded that they do not think threat hunting is necessary.

Conclusion
The combination of these challenges – a lack of automation, a lack of visibility, unmanageable security stacks, a lack of tailored threat intelligence, and a lack of time or skill to conduct threat hunting – means security teams are often overburdened and not equipped to deal with the realities of modern threats.

Organizations can’t stop their terrain from growing, but they can control what they add to the security stacks their overburdened security teams must operate. To do this, organizations should evaluate their security stack capabilities against risk-based frameworks to determine which capabilities they need and which are redundant. This will help them gain control of their architecture and establish more complete visibility, which will in turn aid threat intelligence and threat hunting activities.

If you would like to learn more about our 2019 State of Threat Detection research and how organizations can use this research to strengthen their security postures, be sure to register for our upcoming 2019 State of Threat Detection Webinar, taking place on August 27.