Organisations Are Identifying Cyber Threats More Effectively

Uploaded on 2018-10-10 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

The SANS Institute Threat Hunting Survey report concludes that organisations are beginning to find cyber threats more effectively.

However, whilst techniques, tools and the scope of threat hunting is expanding, the practice is still relatively poorly defined amongst IT professionals. Most organisations are still reacting to alerts and incidents, instead of proactively seeking out intruders.

Moving from reactive to proactive

The survey of 600 IT professionals globally reveals a change in mindset from the respondents of the 2017 survey — where many respondents indicated that their threat hunting methods centered completely on reactive indicators, instead of proactively seeking out threats, and identifying and counteracting adversaries who may already be in their environment.

The 2018 survey found that 43% of respondents now perform continuous and more accurate threat hunting operations, compared to just 35% in 2017.

According to SANS authors Rob M Lee and Rob T. Lee, this is a strong indicator that threat hunting is growing in scope and need. However, the survey also reveals that most organisations that are hunting, tend to be larger enterprises or those that have been heavily targeted in the past. At the same time, 37% of respondents are still only performing threat hunting if triggered by an event or an alarm.

“Threat hunting is part of nonstandard security operations. It’s a good combination of threat intelligence and hypothesis generation based on likely and probable locations of intrusions into a network. Once an organisation begins consuming threat intelligence, natural hunting begins to take place,” said Robert M. Lee, SANS certified instructor and co-author of the report.

Rob T. Lee, co-author and curriculum lead for digital forensic and incident response training, SANS Institute added: “One of the most notable highlights of the 2018 survey is that it demonstrates a more accurate use of threat hunting in many organisations. This change in threat hunting practices has increased since the last survey in 2017, which showed many organisations typically were hunting incorrectly through traditional intrusion detection. In this year’s survey, many more organisations were using proper threat intelligence to help identify the best locations inside an organisation’s network to look for anomalistic behaviours that are direct indicators of threats.”

The change in mindset regarding security is cause for hope.

As more organisations perform threat hunting, dwell time will shorten even more in the coming years. The survey indicates that dwell time currently averages above 90 days, but “as recently as 2013, the average dwell time was over six months. The decline since then shows that the adoption of threat hunting and stronger analytical techniques have had a significant impact on reducing the overall dwell time of adversaries across most networks.”

Other findings include:

• Tech versus people: Organisations are prioritising buying tools over developing a well-versed staff with the analytical skills to run effective threat hunting programs. 41% of respondents said technology was the most important area for threat hunting spend; just 30% said staff. This is interesting, as the majority of breaches are caused by human error. And, one of the main points to come out of Information Age’s Cyber Security Month, has related to the importance of security awareness training for all employees.

Automated threat hunting doesn’t exist, so while technology can help identify mistakes and achieve speed, it’s the skills of the human that will be able to minimise disruption and damage to the network.

• Weapon of choice: The top three skills valued in threat hunting team members included log analysis (83%), threat analysis and the use of threat intelligence (73%), and a knowledge of baseline network activity (72%). Threat intelligence and hunting must go hand in hand to work effectively. Intelligence is key to effective threat hunting and focusing on people and training are paramount for that effectiveness.

• Looking to the future: When asked what improvements would be required to improve threat hunting tools and capabilities, the most frequent responses were better investigative functions (59%), and more staff with investigative skills (also 59%). Both of the top options relate to the effectiveness and efficiency of staff, as well as an increasing need for skilled personnel.

Information Age:

You Might Also Read:

How to Measure Cybersecurity Success

« Reputational Damage & The Human Factor In Social Media
A Self-Flying AI-Powered Drone That Can Track You »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

AlgoSec

AlgoSec

The AlgoSec platform enables the world’s most complex organizations to gain visibility, reduce risk and process changes at zero-touch across the hybrid network.

QA Systems

QA Systems

QA Systems provides software testing solutions for safety and business critical sectors and software safety and security standards.

Robert Bosch Centre for Cyber-Physical Systems (RBCCPS)

Robert Bosch Centre for Cyber-Physical Systems (RBCCPS)

RBCCPS is an interdisciplinary research and academic centre within the Indian Institute of Science focused on research in cyber-physical systems.

High Sec Labs (HSL)

High Sec Labs (HSL)

High Sec Labs develops high-quality, cyber-defense solutions in the field of network and peripheral isolation.

AntemetA

AntemetA

AntemetA specializes in network infrastructure, security and cloud computing, helping companies transform their Information Systems.

Compnet

Compnet

Compnet is a service company that assists customers in integrating complete ICT systems including network infrastructure and security solutions.

North European Cybersecurity Cluster (NECC)

North European Cybersecurity Cluster (NECC)

NECC promotes information security and cybersecurity-related cooperation and collaboration in the Northern European region in order to enhance integration into the European Digital Single Market.

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst helps Canadians and Canadian companies seize the opportunities and tackle the challenges of cybersecurity.

LogicHub

LogicHub

LogicHub is built on the principle that every decision process for threat detection and response can and should be automated.

CyberNet Albania

CyberNet Albania

Cybernet Albania has been providing IT support and services to small businesses since 2016. We strive to eliminate your IT issues before they cause downtime and impact your operations.

CornerStone

CornerStone

CornerStone is an award winning, independent risk, cyber and security consulting firm providing a range of Risk Management, Security Design and Implementation Management Services.

Encova Insurance

Encova Insurance

Encova’s cyber liability coverage protects you and your customers in case of a security breach in your company's data.

Novacoast

Novacoast

Novacoast helps organizations find, create & implement solutions for a powerful security posture through advisory, engineering, development & managed services.

SecurityStudio

SecurityStudio

SecurityStudio is a continuous cybersecurity risk management platform that allows decision-makers to quickly identify the most immediate threats and make confident risk informed decisions.

Atlas Cloud

Atlas Cloud

Atlas Cloud is a UK-wide provider of managed services based in Newcastle. Our ‘research-led’ approach to IT services helps leaders make better decisions about IT for their businesses.

Amiosec

Amiosec

Amiosec is a British cyber innovation business specialising in delivering simple-to-use solutions to the complex problems of the modern world.