Detecting and responding to cyber-threats quickly can mean the difference between a cybersecurity annoyance and a costly data breach. This makes threat detection and response a critical business requirement.
Given this, you’d think that threat detection and response would be well resourced with highly-tuned processes running as efficiently as a Swiss watch. Unfortunately, this is far from true. According to ESG research, threat detection and response is fraught with numerous issues. Here is a list of the top 5 threat detection and response challenges, according to 372 enterprise cybersecurity and IT professionals:
- 36% say that the cybersecurity team at their organization spends most of its time addressing high priority or emergency issues and not enough time on strategy or process improvement. In other words, security operations center (SOC) teams are in constant firefighting mode. This creates a self-perpetuating cycle where nothing ever improves, leading to employee burnout and high attrition rates.
- 30% say that their organization has added new network/cloud-based hosts, applications, and users, making it difficult for the cybersecurity team to keep up with the scale of the infrastructure. This is a classic case of an expanding attack surface and since just about every organization is moving workloads to the public cloud, embracing SaaS applications, and deploying IoT devices, attack surface growth will continue unabated.
- 30% say there are one or several “blind spots” on their networks–the old “you can’t manage what you can’t measure” issue with a cybersecurity twist.
- 26% say that threat detection and response is anchored by manual processes that hinder their ability to keep up. Yup, and they always will.
- 24% say that their organization doesn’t have the tools and processes to operationalize threat intelligence, making it difficult to compare on-premises security incidents with what’s happening “in the wild.” Without current knowledge about cyber-adversary tactics, techniques, and procedures (TTPs), organizations can’t really know who is attacking them, how these attacks are conducted, and why they are targets. Think of this as addressing the cybersecurity symptoms and not the disease.
This is a dire situation – addressing these challenges should be a high priority for all organizations. Yes, there are technology needs here (like security monitoring and threat intelligence analytics), but I’m reminded of the famous Bruce Schneier quote, “security is a process, not a product.”
CISOs should heed Bruce’s advice and assess the current state of the organization’s threat detection and response processes. The data reveals that many of these processes are manual, which is certainly a problem. Beyond this, however, are these processes formalized and documented? Do they follow best practice guidelines (ex., the NIST guidelines for incident handling). Are there runbooks associated with these processes? Are their ongoing efforts to automate well-established processes?
Of course, these assessments will reveal people and technology needs, but addressing threat detection and response process needs is a good place to start. Oh, and since this is a business-critical area, CISOs should keep executive management and the board informed about needs, changes, and metrics used to gauge threat detection and response improvement.