One in three (32%) security professionals lack effective intelligence to detect and action cyber threats, according to a new survey* from Anomali. The results also revealed that almost a quarter (24%) believe they are at least one year behind the average threat actor, with half of this sample admitting they are trailing by two to five years. This confirms that many organisations are not adequately mitigating cyber risks, despite detection and response being cited as the top security priority by a leading research organisation this year.
The survey also signals that organisations struggle to detect malicious activity at the earliest stage of a breach, or to learn from past exposures, which leaves numerous vulnerabilities undiscovered.
- Almost one in five respondents (17%) have not invested in any threat detection tools such as SIEM, paid or open threat feeds, or User and Entity Behaviour Analytics (UEBA)
- Two-thirds of respondents maintain fewer than 200 days of log data online for analysis/forensics, despite hackers often lurking undetected for this length of time
- 80% of security professionals do not consult historical logs on a daily basis to investigate past exposure to threats
- Only 13% compare historical logs with threat feeds/indicators of compromise daily
Successful cyber attacks are not “smash and grab” events. Rather, cyber criminals typically lurk undetected inside enterprises’ IT systems for 200 days or more before discovery. During this time attackers gain access inside the network, escalate privileges, search for high-value information, and ultimately exfiltrate data or perform other malicious activities. This ‘200 day problem’ is an ever-present danger, as a US governmental agency discovered last year when it found that malware had existed undetected in its network for close to a year. Yet survey respondents rarely examine historical records to discover whether a threat actor has entered their systems. Just 20% consult past logs daily, 20% weekly, 14% monthly, and 22% said never or did not know how often. This results in multiple missed opportunities to help prevent a breach.
“The ‘200 day problem’ arises from the fact that logs are produced in such massive quantities that typically only 30 days are retained, and running searches over long time ranges can take hours or even days to complete,” says Jamie Stone, Vice President, EMEA at Anomali. “Detecting a compromise at the earliest stage possible can identify suspicious or malicious traffic before it penetrates the network or causes harm. It’s imperative to invest in technologies security teams can use to centralise and automate threat detection, not just daily but against historical data as well.”
To achieve this, organisations must seek to combine streams of siloed intelligence and understand the importance of retaining historical log data for future analysis. It is more than likely that a bad actor will revisit an organisation to look for a new vulnerability, or to try out a newly developed strain of threat. However, the survey additionally discovered that 46% of respondents do not use, or do not know whether they use, a threat intelligence platform, which can analyse data in real time and draw upon retrospective data. The primary reasons cited for not using one were lack of resources (18%) and budget (17%).
“Organisations must wake up to the daily reality of cyber-attacks and start viewing security as a business enabler that can support and add value to the business as it transforms and innovates. It’s all too common that IT purchase decisions are driven solely by budget rather than need. Implementing the bare minimum is not an option; bolstering cyber security postures must be prioritised. Solutions such as a threat intelligence platform will enable organisations to proactively detect and respond to the modern cyber adversary,” continued Mr Stone.
A threat intelligence platform (TIP) allows organisations to access all their intelligence feeds from one centralised solution, integrate intelligence with internal security tools, and automate the detection of and response to active security threats. A TIP also enables organisations to collaborate with peers in their industry, or across sectors and geographies, to share threat information and help inoculate each other against new attacks.
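The retrospective check described above (comparing historical logs against threat feeds and indicators of compromise, and why the retention window matters for the ‘200 day problem’) can be illustrated with a small script. This is an added example, not Anomali’s code or any TIP product’s logic; the log lines, indicator feed, publication dates and retention windows are all constructed for illustration, and the log format (timestamp, source host, destination) is an assumption.

```python
"""Retrospective matching of historical log data against a threat-intelligence feed.

Added example (not the page's or Anomali's own code). Log lines, indicators and
retention windows are constructed; the three-field log format is an assumption.
"""
from datetime import datetime, timedelta

# Constructed proxy/DNS-style log lines: ISO-8601 UTC timestamp, source host, destination.
SAMPLE_LOGS = [
    "2017-06-20T09:12:44Z ws-0412 203.0.113.7",       # contact 5 days before "today"
    "2017-05-30T22:05:01Z ws-0412 bad-cdn.example",   # contact ~26 days before "today"
    "2017-01-15T03:41:10Z srv-db01 203.0.113.7",      # contact ~161 days before "today"
    "2017-06-24T11:00:00Z ws-0099 www.example.org",   # benign traffic, no indicator
]

# Constructed indicator feed: indicator -> date it was first published to the feed.
# The point of a retrospective search is that an indicator published today may
# match traffic that happened long before anyone knew it was malicious.
SAMPLE_IOCS = {
    "203.0.113.7": "2017-06-25",
    "bad-cdn.example": "2017-06-24",
}

# Fixed "now" so the example is deterministic (constructed).
TODAY = datetime(2017, 6, 25)


def parse_log(line):
    """Split one constructed log line into (timestamp, host, destination)."""
    ts, host, dest = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dest


def retrospective_matches(logs, iocs, retention_days, today=TODAY):
    """Match retained log lines against the indicator feed.

    Returns (hits, unsearchable):
      hits         - list of (event_date, host, indicator, days_before_indicator_published),
                     in log order
      unsearchable - number of log lines older than the retention window, i.e.
                     events that could never be checked against newly published
                     indicators because the data is no longer available
    """
    cutoff = today - timedelta(days=retention_days)
    hits, unsearchable = [], 0
    for line in logs:
        ts, host, dest = parse_log(line)
        if ts < cutoff:
            # Outside the retention window: the gap the survey calls out.
            unsearchable += 1
            continue
        if dest in iocs:
            published = datetime.strptime(iocs[dest], "%Y-%m-%d")
            hits.append((ts.date().isoformat(), host, dest, (published - ts).days))
    return hits, unsearchable


if __name__ == "__main__":
    for days in (30, 200):
        hits, unsearchable = retrospective_matches(SAMPLE_LOGS, SAMPLE_IOCS, days)
        print(f"retention={days}d: {len(hits)} hit(s), {unsearchable} line(s) unsearchable")
        for event_date, host, ioc, lead in hits:
            print(f"  {event_date} {host} -> {ioc} ({lead} days before the indicator was published)")
```

Running it with a 30-day retention window finds the two recent contacts but silently loses the January one on the database server; with a 200-day window that earlier contact surfaces as well, 160 days before the indicator existed. The `days_before_indicator_published` value is the useful triage number: it tells the analyst how long a host was talking to something now known to be bad before the intelligence to recognise it was available.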
*The results are based on a survey of 153 attendees, representing a range of industries, conducted by Anomali at InfoSecurity Europe, June 2017.
Gartner Says Detection and Response is Top Security Priority for Organisations in 2017
Inside the Cyber Attack that Shocked the US Government, Wired, October 2016