“This survey looks at the threat intelligence and threat hunting challenges facing organizations," says Larry Ponemon, Founder of the Ponemon Institute. “It provides some interesting insights into how decision makers and practitioners perceive the emerging and undervalued roles of analyst teams
ORLANDO, Fla. (PRWEB) August 12, 2021
A new Ponemon Survey “The State of Threat Hunting and the Role of the Analyst” indicates that lack of awareness and gaps in knowledge are a weak link for cyber security leadership who are responsible for strategic planning of Cyber Security defenses, leaving organizations exposed to risks. With 2021 already claiming high-profile victims such as Colonial Pipeline and JBS, along with the world’s first bank announcing a $1 billion cybersecurity budget, there is an urgent need for CISOs to rethink their strategy and look for alternative ways to empower their teams.
The inaugural Ponemon survey queried almost 1800 cyber security leaders and practitioners about their views specifically on external threat hunting and the people involved in this emerging and increasingly necessary technique organizations are adopting to build their defensive capabilities. “This survey looks at the threat intelligence and threat hunting challenges facing organizations with emphasis on the role of the analyst," explained Larry Ponemon, Founder of the Ponemon Institute. “It provides some interesting insights into how decision makers and practitioners perceive the emerging and undervalued roles of analyst teams and threat hunting.”
In the new findings, half of the attacks on organizations that caused severe business disruption were by repeat offenders - and 61% of those victims said they were unable to remediate these compromises, leaving critical systems and data at risk. The survey reveals organizations acknowledge they are suffering, not just from disruptive cyber-attacks, but from repeat offenders, and for many victim organizations, complete remediation has not been possible.
Only 35% of respondents said they were leveraging their security analysts effectively, indicating a lack of maturity with regards to threat hunting. Threat hunting, particularly external threat hunting, has empowered more sophisticated security organizations to identify and block impending attacks, augment threat detection, and achieve comprehensive remediation. Yet, the majority of respondents indicate that their organizations are not allocating enough resources to realize the full potential of their analyst teams and threat hunting. Survey results indicate that the average 2021 budget for the respondents’ organizations for IT operations is $117 million. An average of 19% of this is allocated to IT security and of that an average of 22% is allocated to analyst activities and threat intelligence.
“IT and Cyber Security leadership often rely heavily on machine learning and automation as a way to achieve efficiency, viewing threat hunting as a tactical, reactionary function," commented David Monnier, Team Cymru Fellow. "However, from our experience, organizations that manage to get ahead of threats, both internally and throughout their third-party ecosystems, have dedicated a meaningful proportion of the budget to making external threat hunting a strategic priority.”
Josh Picolet, Head of Team Cymru’s Intelligence Analysis Team, adds, “When building an effective security program, I always recommend CISOs balance automated analytics with human analysis and give their analysts the intelligence necessary to conduct adversary and supply chain infrastructure mapping. Using internal telemetry with Internet traffic telemetry results in longer lasting network defense outcomes.”
Respondents had varied views on what threat hunting was or how it was leveraged. Only 24% defined threat hunting as looking outside their enterprise borders to monitor adversaries and identify impending attacks. Most viewed threat hunting as a reactive method of internal threat detection, looking for malicious activity that has already taken hold. Given that 70% of respondents said they had a high degree of difficulty gaining an attacker’s perspective on their organizations, the fact that so many organizations take an internal-only threat hunting approach makes sense.
Sixty-two percent of organizations are increasing investment in analysts and threat intelligence “to improve prevention and detection.” However, responses indicate that they are doing so with a very tactical and reactionary perception of what an analyst team should be.
The top three intelligence data types that respondents said they had were dark web data (47%), domain registration data (42%) and endpoint telemetry (42%). Sixty-one percent acknowledged that threat intelligence could not keep up with the changes in how threat actors attack their organizations. Additionally, despite the knowledge that traditional threat intelligence sources provide stale information, only 31% of respondents said that raw Internet traffic telemetry is important in their ability to plan preventive measures, detect threats and resolve security incidents.
This finding hints at the possibility that most organizations are building out their analyst teams and intelligence capabilities with a view to chasing more alerts and conducting post incident investigations, as opposed to achieving a proactive security posture.
“If this statistic is an accurate representation, it is disappointing,” stated Monnier. “As organizations build out their analyst teams and intelligence capabilities, they will see a far greater return on investment if they give that group the visibility it needs to trace, map and monitor adversary infrastructure and its interactions with enterprise or third-party assets.”
The full report can be downloaded here.
About Team Cymru
Since 2005, Team Cymru’s mission has been to save and improve human lives by working with public and private sector analyst teams, enabling them to track and take down threat actors, criminals, terrorists and human traffickers around the globe. The company delivers comprehensive visibility into global cyber threat activity and is a key source of intelligence for many cyber security and threat intelligence vendors. Its Community Services division provides no-cost threat detection, DDoS mitigation and threat intelligence to network operators, hosting providers and more than 130 CSIRT teams across 86+ countries. Enterprise security teams rely on its Pure Signal™ platform for on-demand access to global internet traffic telemetry, which allows them to see what’s happening virtually anywhere across the internet with a clarity similar to that of their own internal network telemetry. With this visibility, they close detection gaps, accelerate incident response, and get ahead of critical, recurring threats – mapping and monitoring threat infrastructures around the world and blocking attacks before they are launched. For more information visit https://team-cymru.com/