There is a deep dissatisfaction with the current threat detection and investigation capabilities among organizations, according to a new survey on threat detection effectiveness.
The "Threat Detection Effectiveness Survey" released by RSA reveals that only 24% of organizations surveyed indicated that they were satisfied with their ability to detect and investigate threats.
Only 8% of those organizations feel they can detect threats very quickly, and only 11% say they can investigate threats very quickly. Speed in threat detection and investigation is a critical factor in reducing attacker dwell time and subsequently minimizing damage and loss from cyber attacks.
Staggering imbalance
There is a staggering imbalance between organizations that collect perimeter data (88%) and those that collect data from modern IT infrastructures (cloud-based infrastructure 27%, network packet 49%, identity management 55%, and endpoint 59%).
Yet organizations that have incorporated these data sources into their detection strategies find them extremely valuable: organizations collecting network packet data ascribed 66% more value to that data for detecting and investigating threats than those that didn't, and those collecting endpoint data ascribed 57% more value to that data than those that didn't.
Data integration is also an issue. A quarter of respondents aren't integrating any data, and only 21% make all their data accessible from a single source. The prevalence of siloed data prevents correlation across data sources, slows investigations, and limits visibility into the full scope of an attack. Only 10% of respondents rated their ability to connect attacker activity across the data sources they collect as "very well".
Respondents didn't consider any of their current detection and investigation technologies particularly effective, giving them an average rating of "somewhat effective." While SIEM is deployed by more than two-thirds of respondents, more effective tools like network packet capture, endpoint forensics, and user behavioral analytics lack the necessary adoption.
Increasing importance of identity data
Finally, an encouraging finding was the increasing importance of identity data to aid detection and investigation. While only slightly more than half of organizations collect data from identity and access systems currently, those that do ascribed 77% more value to that data for detection than those that do not.
Further, user behavioral analytics, which can help organizations simplify detection based on spotting patterns of anomalous activity, is the most popular planned technology investment, with 33% of respondents planning to adopt this technology within the next 12 months.
Real-time behavior analytics engine
RSA's new RSA Security Analytics now offers a real-time behavior analytics engine that is designed to identify specific anomalous activities and behaviors and create incidents for investigation, without the need for data scientists.
By leveraging deep packet-level visibility and data science techniques to spot behaviors such as compromised systems and the use of covert channel communications, security teams can detect sophisticated threats faster.
RSA Security Analytics is also engineered to make it easier for organizations of any maturity to more rapidly differentiate normal behavior patterns from beaconing domains, Command and Control (C2) activities, and other high-risk anomalies. For example, by combining the log data of Windows operating systems with insight into the ways Windows logins may be manipulated to facilitate privilege escalation, the analytics engine in RSA Security Analytics is designed to spot attempts at lateral movement and find malicious actors.
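The two detection ideas above, a beaconing check-in pattern in network data and a logon fan-out pattern in Windows logs, and the survey's point that siloed data prevents correlating them, can be shown with a small Python script. This is an added example, not code from the article or from RSA Security Analytics, and it says nothing about how that product works. The logon events, connection records, thresholds (a 10-minute window, three distinct hosts, 10% interval jitter) and the test IP addresses and domains are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Windows Security event 4624 = successful logon;
# logon_type 3 = network logon, 10 = RemoteInteractive (RDP), 2 = local interactive.
SAMPLE_LOGONS = [
    {"time": "2016-02-10T09:00:00", "event_id": 4624, "user": "alice", "host": "FS01",  "src_ip": "10.0.0.5", "logon_type": 3},
    {"time": "2016-02-10T09:00:30", "event_id": 4624, "user": "alice", "host": "HR02",  "src_ip": "10.0.0.5", "logon_type": 3},
    {"time": "2016-02-10T09:01:10", "event_id": 4624, "user": "alice", "host": "DC01",  "src_ip": "10.0.0.5", "logon_type": 10},
    {"time": "2016-02-10T09:01:45", "event_id": 4624, "user": "alice", "host": "WEB03", "src_ip": "10.0.0.5", "logon_type": 3},
    {"time": "2016-02-10T09:00:00", "event_id": 4624, "user": "bob",   "host": "FS01",  "src_ip": "10.0.0.7", "logon_type": 3},
    {"time": "2016-02-10T09:30:00", "event_id": 4624, "user": "bob",   "host": "FS01",  "src_ip": "10.0.0.7", "logon_type": 3},
    {"time": "2016-02-10T11:00:00", "event_id": 4624, "user": "bob",   "host": "PRN01", "src_ip": "10.0.0.7", "logon_type": 2},
    {"time": "2016-02-10T09:05:00", "event_id": 4624, "user": "carol", "host": "FS01",  "src_ip": "10.0.0.9", "logon_type": 3},
    {"time": "2016-02-10T09:20:00", "event_id": 4624, "user": "carol", "host": "HR02",  "src_ip": "10.0.0.9", "logon_type": 3},
    {"time": "2016-02-10T09:40:00", "event_id": 4624, "user": "carol", "host": "DC01",  "src_ip": "10.0.0.9", "logon_type": 3},
]

# Constructed outbound connection records as a proxy or packet sensor might export them.
SAMPLE_CONNECTIONS = [
    {"time": "2016-02-10T10:00:00", "src_ip": "10.0.0.5", "dst": "beacon.example.test"},
    {"time": "2016-02-10T10:01:02", "src_ip": "10.0.0.5", "dst": "beacon.example.test"},
    {"time": "2016-02-10T10:01:59", "src_ip": "10.0.0.5", "dst": "beacon.example.test"},
    {"time": "2016-02-10T10:03:01", "src_ip": "10.0.0.5", "dst": "beacon.example.test"},
    {"time": "2016-02-10T10:04:00", "src_ip": "10.0.0.5", "dst": "beacon.example.test"},
    {"time": "2016-02-10T10:05:02", "src_ip": "10.0.0.5", "dst": "beacon.example.test"},
    {"time": "2016-02-10T10:00:00", "src_ip": "10.0.0.7", "dst": "news.example.test"},
    {"time": "2016-02-10T10:00:05", "src_ip": "10.0.0.7", "dst": "news.example.test"},
    {"time": "2016-02-10T10:03:40", "src_ip": "10.0.0.7", "dst": "news.example.test"},
    {"time": "2016-02-10T10:04:00", "src_ip": "10.0.0.7", "dst": "news.example.test"},
    {"time": "2016-02-10T10:12:00", "src_ip": "10.0.0.7", "dst": "news.example.test"},
    {"time": "2016-02-10T10:12:01", "src_ip": "10.0.0.7", "dst": "news.example.test"},
    {"time": "2016-02-10T10:00:00", "src_ip": "10.0.0.9", "dst": "cdn.example.test"},
    {"time": "2016-02-10T10:30:00", "src_ip": "10.0.0.9", "dst": "cdn.example.test"},
]


def _ts(s):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(s)


def detect_lateral_movement(logons, window=timedelta(minutes=10), host_threshold=3):
    """Flag (user, src_ip) pairs whose network/RDP logons reach host_threshold or more
    distinct hosts inside a sliding time window (hypothetical thresholds)."""
    by_actor = defaultdict(list)
    for e in logons:
        if e["event_id"] == 4624 and e["logon_type"] in (3, 10):  # remote logons only
            by_actor[(e["user"], e["src_ip"])].append((_ts(e["time"]), e["host"]))
    findings = []
    for (user, src_ip), evs in by_actor.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if t - start <= window}
            if len(hosts) >= host_threshold:
                findings.append({"user": user, "src_ip": src_ip, "hosts": sorted(hosts)})
                break  # one finding per actor is enough for triage
    return findings


def detect_beaconing(connections, min_count=5, max_jitter=0.1):
    """Flag (src_ip, dst) pairs with at least min_count connections whose gaps vary by
    at most max_jitter of the mean gap, i.e. a near-fixed check-in interval."""
    by_pair = defaultdict(list)
    for c in connections:
        by_pair[(c["src_ip"], c["dst"])].append(_ts(c["time"]))
    findings = []
    for (src_ip, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and (max(gaps) - min(gaps)) / mean <= max_jitter:
            findings.append({"src_ip": src_ip, "dst": dst, "interval_s": round(mean, 1)})
    return findings


def correlate(logon_findings, beacon_findings):
    """Join the two detections on source IP. This is the step that siloed data makes
    impossible: a host that both beacons out and fans logons across the network is a
    far stronger signal than either observation on its own."""
    beaconing_hosts = {f["src_ip"] for f in beacon_findings}
    return sorted({f["src_ip"] for f in logon_findings} & beaconing_hosts)


if __name__ == "__main__":
    lm = detect_lateral_movement(SAMPLE_LOGONS)
    bc = detect_beaconing(SAMPLE_CONNECTIONS)
    print("lateral movement:", lm)
    print("beaconing:", bc)
    print("hosts in both:", correlate(lm, bc))
```

Run on the constructed data, only alice's account, pivoting from 10.0.0.5, trips the fan-out check, only 10.0.0.5's minute-interval connections trip the beacon check, and the join names that one host. Each heuristic alone would generate noise in a real estate (backup accounts fan out, software updaters beacon); the value comes from having both data sources queryable in one place so the two findings can be tied together.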