Elnur - stock.adobe.com

Over 90% of organisations find threat hunting a challenge

Understaffed security teams and high levels of background noise are making basic security operations tasks a chore for defenders, according to a report

Executing essential cyber security operations tasks during the threat hunting process is an increasingly challenging proposition to the vast majority of organisations, with 93% of those polled for a Sophos report saying they find basic security operations a chore.

In the report, The state of cybersecurity 2023: The business impact of adversaries on defenders, Sophos said these findings were likely the result of the ongoing cyber security skills shortage, which is creating a domino effect in security operations – a lack of skilled personnel makes investigating alerts take longer, which reduces the security team’s capacity and increases the organisation’s exposure to higher levels of risk.

Among the most prominent issues were: identifying meaningful signals from background noise, which 71% said they had difficulty with; prioritising which signals or alerts to investigate, also cited by 71%; obtaining enough data to identify if a signal is malicious or benign, again cited by 71%; remediating malicious alerts or incidents in a timely manner, again cited by 71%; identifying the root cause of an incident, cited by 75%; and keeping accurate records of investigations, cited by 68%.

Those that struggled with such tasks were most likely to be organisations with revenues of less than $10m (£8m), which are more likely to lack the necessary skillsets, followed by organisations with revenues of more than $5bn, where organisational and system complexity likely play a more prominent role.

The danger inherent in this situation, according to Sophos commercial field chief technology officer John Shier, is that defenders risk getting things wrong. “Only one-fifth of respondents considered vulnerabilities and remote services a top cyber security risk for 2023, yet the ground truth is that these are routinely exploited by active adversaries,” he said.

“This cascade of operational issues means that these organisations aren’t seeing the full picture and are potentially acting on incorrect information. There’s nothing worse than being confidently wrong. Having external audits and monitoring helps eliminate blind spots.”

Sophos said its data revealed the existence of a “two speed” cyber security system, with adversaries moving rapidly and executing effectively, while defenders are broadly overwhelmed by the factors discussed above. Defenders additionally lack confidence in their processes and believe cyber threats are too advanced to deal with alone.

Read more about security management and services

These problems not only contribute to considerably higher costs arising from cyber incidents, but also reduce the organisation’s capacity to invest in wider IT programme delivery – in other words, the urgent and unpredictable nature of the cyber security world is soaking up resources that would otherwise be funnelled into digital transformation efforts.

And of course, all of this is causing more stress among IT leaders, with well over half of respondents saying they had been kept up at night worrying about a cyber attack.

“Today’s threats require a timely and coordinated response,” said Shier. “Unfortunately, too many organisations are stuck in reactive mode. Not only is this having an impact on core business priorities, but it also has a sizeable human toll. Eliminating the guesswork and applying defensive controls based on actionable intelligence will let IT teams focus on enabling the business instead of trying to douse the eternal flame of active attacks.”

Sophos said it recommends organisations implement scalable incident response processes, more adaptive defences, and a “virtuous cycle” preparing tech and human expertise to “accelerate the defender flywheel”. Buying into third-party owned and managed services is, it believes, the way to do so.

Sophos’ report was compiled by Vanson Bourne from research carried out in January and February this year. The researchers questioned 3,000 leaders with responsibility for IT and/or security at organisations with headcounts ranging from 100 to 5,000. A total of 200 respondents were located in the UK, and 500 in the US.

Data was also drawn from respondents in Australia, Austria, Brazil, France, Germany, India, Italy, Japan, Singapore, South Africa, Spain and Switzerland.

Read more on Data breach incident management and recovery

Data Center
Data Management