Top 5 Enterprise Security Threat Detection And Response Challenges
Analyst Report Identifies Gaps In Cyber Priorities, Process And People
Organizations must detect and respond quickly to cyber threats. Not only is cyber security necessary to protect employees and sensitive company data; a successful attack also has financial ramifications and damages the organization’s reputation. With security resources spread thin, is incident detection and response getting the focus it deserves?
“You’d think that threat detection and response would be well resourced with highly tuned processes running as efficiently as a Swiss watch,” said Jon Oltsik, ESG senior principal analyst and founder of the firm’s cybersecurity service. “Unfortunately, this is far from true.”
According to ESG research, threat detection and response is fraught with numerous issues. Feedback and insight from 372 enterprise cyber security and IT professionals highlighted the top 5 threat detection and response challenges:
- The interrupt-driven security team (36%) – if the cyber team is busy chasing emergencies and high-priority requests, it will quickly fall behind on new threat vectors and bad-actor tactics. “Security operations center (SOC) teams are in constant firefighting mode,” said ESG’s Oltsik. “This creates a self-perpetuating cycle where nothing ever improves, leading to employee burnout and high attrition rates.” The organization should make it a priority to allocate people’s time to developing a security strategy that shifts the team from reacting to incidents toward improving processes.
- The ever-expanding attack surface (30%) – Moving beyond mobile devices, organizations have embraced cloud services, SaaS applications, remote workers, and the deployment of IoT devices. This expansion of the security perimeter requires increased infrastructure and processes to keep pace with the scale of the organization. Equally important is the ability for the CISO to identify key stakeholders in the organization and build relationships such that security is part of the business expansion rather than an afterthought.
- The presence of network blind spots (30%) – Advancements in software and services mean that a department can stand up a new service without any IT involvement. Unfortunately, these network blind spots also leave the security team without visibility, introducing risk that cannot be monitored or measured. As with the expanding attack surface, CISOs must identify allies in the organization, including finance and procurement, who can involve security in the risk assessment of new projects that would otherwise have been missed.
- Manual processes in a fast-paced, automated world (26%) – Bad actors are scaling their attacks through the use of automation and stealth tactics to fool servers and users into giving up sensitive information. Organizations find themselves lacking the resources and innovative approaches used by attackers. “Threat detection and response is anchored by manual processes that hinder their ability to keep up,” said Oltsik.
- Threat intelligence is not operationalized (24%) – Without the tools and processes to operationalize threat intelligence, it is difficult for security teams to compare attacks on the organization’s perimeter with what is happening across their industry and their geography. “Without current knowledge about cyber-adversary tactics, techniques, and procedures (TTPs), organizations can’t really know who is attacking them, how these attacks are conducted, and why they are targets,” said ESG analyst Oltsik.
Chances are that no organization is facing only one of these challenges. And there’s no magic bullet or software product purchase that will make any of these challenges simply go away. The solution consists of a strategy, process, people and time.
Understanding the organization’s current threat detection and response capability requires an assessment. Whether the gap analysis is performed against the NIST Cyber Security Framework or external resources are brought in to provide an objective review, the results provide the insight needed to prioritize controls and optimize processes.
Assessment tools and frameworks are a great place to start documenting threat detection and response procedures and identifying technology tools. As a business-critical function, CISOs will need to articulate security requirements to internal organization stakeholders, including the executive team and board of directors. Instead of providing a list of technical requirements, take the time to learn the language of the business and describe desirable outcomes.