It's that time of year once again: The SANS Institute — the most trusted resource for cybersecurity research — has conducted its sixth annual Threat Hunting Survey, sponsored by Rapid7. The goal of this survey is to better understand the current threat hunting landscape and the benefits provided to an organization's security posture as a result of threat hunting.
This year's survey, “A SANS 2021 Survey: Threat Hunting in Uncertain Times,” has a unique focus, one that's taken into consideration the impact of COVID-19 and how it's affected organizations' threat hunting. The findings indicate that the global pandemic has had a relatively mixed impact on the organizations surveyed, with many respondents unsure of what type of impact it's had — and will have — on their threat hunting efforts.
Here's a preview of the survey's findings and its takeaways for organizations navigating today's cybersecurity landscape.
Fewer organizations are performing threat hunting in 2021
According to the survey results, 12.6% fewer organizations are performing threat hunting in 2021 when compared to those surveyed in 2020. This is concerning, as threat hunting is an ever-evolving field, and organizations that don't dedicate resources to it won't be able to keep pace with the changes in tactics and techniques needed to find threat actors.
But what caused this dip? It seems to be a combination of organizations reducing their external spend with third parties and their overall internal staff in response to COVID-19. That said, this reduction cannot be fully accounted for by the pandemic.
Despite this decrease, there is good news: 93.1% of respondents indicated they have dedicated threat hunting staff, and the majority of respondents plan to increase spending on staffing and tools for threat hunting in the near future. Over the year to come, we'll likely see an extended detection and response (XDR) approach leveraging tools like InsightIDR playing a key role in these efforts.
The threat hunting toolbox is evolving
The tools organizations are using to conduct threat hunting are evolving — but have they advanced enough to keep up with the modern cybersecurity landscape?
The output of threat hunting depends on three factors: visibility, skills, and threat intelligence. To achieve this output, threat hunters need the right tools. After asking respondents about their organizations' tool chests, SANS found that over 75% of respondents are using a tool set that includes EDRs, SIEMs, and IDS/IPS.
It should come as no surprise that these tools are at the top – these are essential to establishing visibility. What is interesting, however, is the second-place spot taken by customizable tools, followed by threat intelligence platforms. This indicates there's room for improvement for solutions vendors regarding threat hunting – and users are looking for deep insights.
Tools like Rapid7's cloud SIEM solution that cut through the noise and surface the threats that really matter are key in today's complex IT environments.
Overall security posture has improved — but there's room to grow
The improvements seen in organizations' overall security posture as a result of threat hunting continue to show steady numbers. According to the study, organizations have seen anywhere from a 10-25% improvement in their security posture from threat hunting over the last year. In addition, 72.3% of respondents claimed threat hunting had a positive impact on their organization over time.
These are brilliant results to see, and they reinforce the positive impact threat hunting can have, even in the face of today's extraordinary challenges.
That said, while there are clear benefits to threat hunting, there are some barriers to success for organizations, namely:
- Over half (51.3%) of all respondents indicated the primary barrier for them as threat hunters is a lack of skilled staff and training.
- This was closely followed (43%) by an even split of challenges between the limitations of tools or technologies and a lack of defined processes.
Organizations can start addressing these challenges in a variety of ways, including adopting best-in-class detection and response tooling and owning documentation, education, and maintenance at scale. These are manageable barriers that will come down with time, and despite a global pandemic, the overall outlook is good: the general trend toward more threat hunting appears to be sustained in this year's survey.
Hopefully, these numbers continue to increase next year, and more organizations will reap the benefits of threat hunting.
To take a deeper dive into the survey's findings, download the full report: A SANS 2021 Survey: Threat Hunting in Uncertain Times.