Threat Hunting: Summaries of 5 Recent Cybersecurity Studies

Threat Hunting: Summaries of 5 Recent Cybersecurity Studies

One of the few things more prolific than the threats in cybersecurity might be the studies and surveys. From our vantage point, this is a positive sign and indication the industry is increasingly open to sharing information for a good cause.

We review many of these studies for insights into trends. As such, we occasionally review those we think will be of interest to our community, summarize the findings, and provide links for further reading.

Below are the summaries of five recent cybersecurity studies.

1) Threat Hunting on the Rise

More than 80% of cybersecurity professionals say the volume of threats has doubled, according to a survey by Crowd Research Partners. At that rate, the pace of emerging threats is on course to overwhelm existing cybersecurity resources in many enterprises. To even the odds, some forward-thinking organizations are implementing threat hunting technologies.

“Threat hunting is a term that is generally used to describe the practice among security organizations to proactively search for and weed out threats on their network instead of waiting to discover them after an attack has materialized,” according to Jai Vijayan, in a news analysis about the study for Dark Reading. “It is a practice based on the premise that organizations simply cannot prevent every single intrusion from happening on a network, and therefore the focus needs to be equally on finding the ones that do slip through the defenses.”

The report found threat hunting can significantly reduce the time to detect, investigate and respond to a threat. However, most organizations are still quite reactive in their approach:

“An average of 43% of respondents’ time is spent reacting to security threats, while an average of 22% of respondents said that their time is spent proactively seeking threats.”

Additional points of interest from this survey include:

  • 44% of threats go undetected by automated security tools
  • 79% agree or somewhat agree that threat hunting will be top priority in 2017
  • 70% say the detection of hidden, unknown, and emerging threats is a top SOC challenge

“Threats already exist inside the firewall,” as our own CEO is known to say. “Security must layer in new methods of detection aimed at the east-west traffic to mitigate threats and reduce complexity, dwell time and time to containment.”

2) Enterprises Drowning in Cybersecurity Alerts

An independent survey of 150 professionals responsible in some way, shape or form for enterprise security noted they are drowning in alerts. There are literally more alerts than they can process. As a result, 54% say they simply ignore some alerts, even those “worthy of further investigation.”

The findings were reported by Kelly Sheridan, an associate editor with Dark Reading: Half of Security Pros Ignore Some Important Alerts. She notes that contributing factors entail the talent shortage in cybersecurity and the fact that organizations have invested in a multitude of tools over time – and each one of these tools has its own alert mechanisms:

“Each of these tools focuses on a different aspect of security. Businesses that previously needed only a few security systems can now have up to 50 or 70, all of which work independently and address different functions: endpoint security, mobile, cloud, web app security. The tools each provide a piece of the puzzle, but it’s still up to the security expert to decide how events are related and initiate a response.”

We believe better integration of the right security tools – not necessarily just adding more tools – is a better course of action. Better integration will provide context around these alerts so security professionals can focus on the one alert that matters in a sea of flashing red icons.

Other notable statistics from this study include:

  • 35% say the “most-time consuming task” is gathering data about alerts
  • 39% say process and technology “to automate security operations is a priority”
  • 35% plan to acquire threat detection technologies


3) The Cost of Ransomware Downtime

Don’t pay the ransom! The rationale of that long-standing philosophy is simple: paying the ransom rewards bad behavior.

That idea is being reconsidered when it comes to ransomware which “grew into a $1 billion industry” in 2016, according to Maria Korolov, writing for This is because sometimes the cost of downtime for mission critical systems can cost a business far more in lost revenue.

A recent in-person survey of 170 security professionals at the 2017 RSA security conference quantified this cost.

“Fifty-nine percent of respondents said the biggest business impact of a ransomware attack was the cost of downtime due to lack of access to systems for customers and employees,” according to reporting by Jeff Goldman for eSecurity Planet. “Twenty-nine percent said they would lose between $5,000 and $20,000 a day due to downtime from a ransomware attack, and 27 percent said the cost could be more than $20,000 a day.”

The same study put numbers around the duration of an outage caused by ransomware:

  • 52% said less than eight hours
  • 11% said more than eight hours
  • 17% said one day (24 hours)
  • 20% said 2-3 days

As for paying the ransom, the vast majority (79%) said they’d refuse.

See these related posts:
Cyberthreat Evolution Shifts Emphasis to Proactive Detection and Prevention
Cybersecurity: The Best Defense is a Good Offense
Salary Survey: What’s a CISO Worth in 2017?

4) People are Still the Weakest Security Link

It’s often said that people are an organization’s most valuable asset, but they may also be the biggest cybersecurity risk. That’s according to an annual poll of the Information Security Community, a sizeable professional cybersecurity group on LinkedIn.

The results of the survey were reported by Help Net Security in a piece entitled People are still the biggest security threat to any organization. The study found:

  • 74% of organizations feel vulnerable to insider threats
  • 56% say insider attacks have become more frequent in the last 12 months
  • 30% of organizations experienced insider attacks

What is it that makes the insider threat so challenging? According to Help Net Security:

“Most survey respondents (67 percent) indicate that because insiders already have credentialed access to their networks and services, they are much more difficult to detect and deter than external threats. But only 42 percent of organizations say they are regularly monitoring user behavior while 21 percent do none at all.”

The majority of respondents (68%) expressed confidence in an ability to “recover from an attack in a week or less.” However, this comes at a steep premium: 75% said the costs could add up to $500,000 or more.

5) Cybersecurity Skills Gap Translates into Real Vulnerabilities

For many employment openings, businesses commonly received dozens and even hundreds of applications in response. That’s not true in cybersecurity, according to a survey by ISACA, an education and standards organization for IT professionals.

Just “59 percent of surveyed organizations say they receive at least five applications for each cybersecurity opening, and only 13 percent receive 20 or more,” the organization said in a statement.

“Compounding the problem, ISACA’s State of Cyber Security 2017 found that 37 percent of respondents say fewer than 1 in 4 candidates have the qualifications employers need to keep companies secure.” To that end, most organizations tend to value hands-on experience (55%) and security certifications (69%) over formal education.

Among the recommendation ISACA suggests to remedy the matter, is grooming employees with technical skills in adjacent IT positions and then moving them to cybersecurity jobs.

* * *

What cybersecurity studies have captured your attention lately? Tweet us a link @BricataLLC or join us on LinkedIn.

If you enjoyed this post, you might also like:
Cliff Notes to 3 Notable Cybersecurity Studies

Photo credit: Pixabay (CC0 1.0)

Share this post:
Share on LinkedInTweet about this on TwitterShare on RedditShare on Google+Share on FacebookEmail this to someone
Back to Blog