SANS Institute survey of 286 worldwide experts
The SANS Institute, the world’s leading provider of cyber security training and certification, has published the results of the “SANS 2021 Survey: Threat Hunting in Uncertain Times”. For the past six years, SANS has conducted its Threat Hunting survey to investigate how cybersecurity practitioners work within their organizations to detect and identify threats faster.
Most of the experts surveyed this year consider their threat detection methods and techniques not yet mature and acknowledge that they need to make further progress in this part of their security program. When it comes to growing a threat hunting capability, the tools available to the team and the ability to measure improvements systematically are the most important indicators of success. With regard to visibility into their environments, almost all respondents state that automated alerting from endpoint detection, SIEM and traditional network detection tools remain their technologies of choice for threat hunting, while threat hunters still prefer their own in-house developed tools for deeper insight. A central challenge remains obtaining complete coverage of the organization’s own IT infrastructure with security telemetry. The results also show that the wider IT security team benefits from this: with continuous security monitoring, threats are detected more reliably and there are fewer false alarms.
However, threat hunting activity has suffered during the COVID-19 pandemic. The majority of respondents (73 percent) said that they currently conduct threat hunting; the remaining 27 percent said that they do not currently conduct threat hunting but would like to do so within the next 12 months. In 2020, the survey found that 85 percent of respondents were actively threat hunting, which means a decrease of 12 percentage points compared to the current survey. In 2019, 79 percent of respondents conducted threat hunts. The 2021 figure is therefore the lowest so far, which the survey attributes to the COVID-19 pandemic.
The most important results at a glance:
- 11 percent of organizations saw an impact on their threat hunting team or methodology in the past year.
- In 2021, 12 percentage points fewer organizations conducted threat hunting than in 2020.
- 75 percent of respondents prefer endpoint, SIEM and traditional network detection tools for threat hunting.
- Organizations see a 10 to 25 percent improvement in their overall security posture as a result of threat hunting.
- 51 percent of organizations track their threat hunting activities manually.
- 51 percent see the lack of qualified staff and training as the main obstacle to the success of a threat hunting team.
Mathias Fuchs, study author and instructor at the SANS Institute
“Threat hunting continues to grow in companies of all sizes and is becoming more and more professionalized. This trend continues even during the changed way of working due to COVID-19 measures,” explains Mathias Fuchs, study author and instructor at the SANS Institute. “However, there is still a high demand for specialists and further training in this area. Companies want and need to invest here in order to master the growing threat situation.”
In general, however, a positive trend can be noted. Three quarters of the respondents not only define requirements for threat hunting but also measure its effectiveness, which means that many of them have all the elements of a structured improvement process in place. The organizations that measured the effectiveness of threat hunting last year were able to improve their overall security posture by 10 to 25 percent compared to the previous 12 months. This is a valuable counterbalance to the increased risks that COVID-related changes to the way people work have introduced.