Ninety per cent of organisations cannot detect cyber threats quickly and 88 per cent admit they are not able to investigate threats quickly, according to a new survey.

Almost 80 per cent of organisations are not satisfied with their ability to detect and investigate threats, added the Threat Detection Effectiveness Survey by RSA, the Security Division of security solutions provider EMC, highlighting that speed in this area is a widely recognized as a critical factor in minimizing damage and loss from cyber attacks.

The survey was designed to allow participants to self-assess how effective their organisations are at detecting and investigating cyber threats. The research provides valuable global insight into what technologies organisations use, what data they gather to support this effort and their satisfaction with their current toolsets.

Additionally organisations were asked what new technologies they plan to invest in and how they plan to evolve their strategies going forward. The key finding of the survey is that organisations are still relying on a fragmented foundation of data and technologies for detection and investigation fails to achieve the outcomes they expect from their security monitoring programme.

The inability to quickly detect threats is a key factor in why organisations are experiencing data breaches where attackers are able to remain on the networks for long periods of time before being discovered.

Respondents didn’t consider any of their current detection and investigation technologies particularly effective, giving them an average rating of “somewhat effective.”

Organisations continue to demonstrate an overreliance on SIEM, which, while used by more than two-thirds of participants, is inconsistently augmented with technologies such as network packet capture, advanced anti-malware and endpoint tools that could appreciably improve threat detection and investigation capabilities, the survey said.

The data that organisations currently collect does not provide adequate visibility.  Less than half of organisations surveyed are collecting network packet data or network flow data, which provides reliable insight into advanced attacks, and only 59 per cent collect endpoint data that can be used to find points of compromise.

Yet, organisations who have incorporated these data sources into their detection strategies find them extremely valuable: organisations collecting network packet data ascribed 66 per cent more value to that data for detecting and investigating threats than those that didn’t, and those collecting endpoint data ascribed 57 per cent more value to that data than those that didn’t.

A quarter of respondents aren’t integrating any data, and only 21 per cent make all their data accessible from a single source, the survey said.

The prevalence of siloed data prevents correlation across data sources, slows investigations and limits visibility into the full scope of an attack. Only 10 per cent of respondents feel they can connect attacker activity “very well” across the data sources they collect.

Finally, an encouraging finding was the increasing importance of identity data to aid detection and investigation. While only slightly more than half of organisations collect data from identity and access systems currently, those that do ascribed 77 per cent more value to that data for detection than those that do not.

Further, behavioural analytics, which can help organisations simplify detection based on spotting patterns of anomalous activity, is the most popular planned technology investment, with 33 per cent of respondents planning to adopt this technology within the next 12 months.

“This survey reinforces our greatest fear that organisations are not currently taking, and in many cases are not planning to take, the necessary steps to protect themselves from advanced threats. They are not collecting the right data, not integrating the data they collect, and focusing on old-school prevention technologies,” said Amit Yoran, president, RSA.

“Today’s reality dictates that they need to plug gaps in visibility, take a more consistent approach to deploying the technologies that matter most, and accelerate the shift away from preventative strategies.” – TradeArabia News Service