Three years after Target missed the alerts that warned of a massive data breach, the volume of threat information coming from security systems is still overwhelming many companies, according to new reports, because of a lack of expertise and problems integrating the tools involved.
Seventy percent of security pros said that their companies have problems taking actions based on threat intelligence because there is too much of it, or it is too complex, according to a report by Ponemon Research released on Monday. In particular, 69 percent said that their companies lacked staff expertise. As a result, only 46 percent said that incident responders used threat data when deciding how to respond to threats, and only 27 percent said that they were effective in using the data.
"There's too much data to really make sense of if you have a limited resource staff of security operations center analysts or threat analysts," said Travis Farral, director of security strategy at Anomali, which sponsored the report. "It can be overwhelming to sit and figure out which of these 100,000 things to look at first."
It takes a special kind of person to be able to do this, he added.
"There are starting to be a few training classes out there for this, but the skill set is different from the typical person who does analysis to find out if something happened or not," he said.
According to the report, 52 percent of respondents believe their companies need a qualified threat analyst to maximize the value of threat intelligence.
In addition to the lack of expertise, integrating the various technologies involved is also difficult.
"You've got logs in different formats, firewalls in one format, endpoint logs that are in a completely different format, and you try to merge in threat intelligence data which is typically specific IPs or domains or hashes of malware," Farral said. "It's not necessarily straightforward to try to bring everything together in one place - and having to go to 50 different browser windows is overwhelming."
In fact, while 62 percent of respondents said that SIEM integration was necessary to maximize the value of threat intelligence data, 64 percent said that the integration of a threat intelligence platform with other security technologies or tools is a difficult and time-consuming task.
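The integration problem Farral describes, as an added example that is not from the article or from Anomali: two constructed log formats (a key=value firewall export and a JSON-per-line endpoint log) are mapped onto one schema and matched against a constructed indicator feed of IPs, domains and file hashes, with hits ordered by indicator confidence so the first line of output is the one to look at first. The log formats, log lines, indicator values and field names are all assumptions made for illustration.

```python
"""Normalize logs in different formats and match them against threat indicators.

Added example, not code from the article or from Anomali. Log formats, log lines
and the indicator feed are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed indicator feed: value -> metadata. A real feed carries more fields;
# confidence is what drives triage order here.
IOCS = {
    "198.51.100.23": {"type": "ipv4", "confidence": 90, "source": "feed-A"},
    "malware-cdn.example": {"type": "domain", "confidence": 70, "source": "feed-B"},
    "4d1f8e0c9b2a7f6e5d3c1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e":
        {"type": "sha256", "confidence": 95, "source": "feed-A"},
}

# Constructed firewall export: "<ts> <device> key=value ...".
FIREWALL_LOG = """\
2017-03-27T10:15:02Z fw01 action=allow src=10.0.0.5 dst=198.51.100.23 dport=443 proto=tcp
2017-03-27T10:15:03Z fw01 action=deny src=10.0.0.9 dst=203.0.113.7 dport=22 proto=tcp
2017-03-27T10:16:40Z fw02 action=allow src=10.0.1.7 dst=198.51.100.23 dport=443 proto=tcp
"""

# Constructed endpoint-agent export: one JSON object per line. Note the mixed-case
# hash and domain, which a naive string comparison against the feed would miss.
ENDPOINT_LOG = """\
{"ts":"2017-03-27T10:15:01Z","host":"ws-042","event":"process_start","sha256":"4D1F8E0C9B2A7F6E5D3C1B0A9F8E7D6C5B4A3F2E1D0C9B8A7F6E5D4C3B2A1F0E","dns_query":null}
{"ts":"2017-03-27T10:15:04Z","host":"ws-042","event":"dns","sha256":null,"dns_query":"Malware-CDN.example"}
{"ts":"2017-03-27T10:17:00Z","host":"ws-077","event":"dns","sha256":null,"dns_query":"cdn.example.net"}
"""


@dataclass
class Event:
    """Common schema both log formats are mapped onto."""
    ts: str
    source: str             # which log the event came from
    asset: str              # the internal host the event is about
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    domain: Optional[str] = None
    sha256: Optional[str] = None


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_firewall(line: str) -> Event:
    ts, _device, rest = line.split(" ", 2)
    kv = dict(KV_RE.findall(rest))
    # For a firewall record the asset of interest is the internal source address.
    return Event(ts=ts, source="firewall", asset=kv["src"],
                 src_ip=kv.get("src"), dst_ip=kv.get("dst"))


def parse_endpoint(line: str) -> Event:
    rec = json.loads(line)
    # Case-fold indicator fields so they compare equal to the feed's lowercase values.
    return Event(ts=rec["ts"], source="endpoint", asset=rec["host"],
                 domain=(rec.get("dns_query") or "").lower() or None,
                 sha256=(rec.get("sha256") or "").lower() or None)


def ingest(firewall_text: str, endpoint_text: str) -> list:
    events = [parse_firewall(l) for l in firewall_text.splitlines() if l.strip()]
    events += [parse_endpoint(l) for l in endpoint_text.splitlines() if l.strip()]
    return events


def match(events, iocs=IOCS) -> list:
    """Return one hit per (event, indicator) pair, highest confidence first."""
    hits = []
    for ev in events:
        for fld in ("src_ip", "dst_ip", "domain", "sha256"):
            val = getattr(ev, fld)
            meta = iocs.get(val) if val else None
            if meta:
                hits.append({"confidence": meta["confidence"], "indicator": val,
                             "type": meta["type"], "field": fld, "asset": ev.asset,
                             "source": ev.source, "ts": ev.ts})
    hits.sort(key=lambda h: (-h["confidence"], h["ts"]))
    return hits


def assets_by_indicator_types(hits) -> dict:
    """Group hits per asset; an asset matching several indicator types comes first."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["asset"], set()).add(h["type"])
    return dict(sorted(grouped.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    hits = match(ingest(FIREWALL_LOG, ENDPOINT_LOG))
    for h in hits:
        print(f'{h["confidence"]:>3} {h["type"]:<7} {h["indicator"]} '
              f'on {h["asset"]} ({h["source"]}, {h["ts"]})')
    print(assets_by_indicator_types(hits))
```

Two points the example makes that the quote only implies: the normalization step (one schema, case-folded values) is what makes a single lookup possible across firewall and endpoint data, and ranking by indicator confidence and then grouping by asset is what turns a long hit list into a short queue, so the workstation that both ran a flagged binary and resolved a flagged domain surfaces ahead of two firewall hits on the same IP. In production the same logic lives in a SIEM or threat intelligence platform rather than a script, and the firewall `action` field (a denied connection to a bad address is less urgent than an allowed one) would feed the ranking too.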
Another survey, released this morning, showed that 72 percent of organizations have tools in place to defend against advanced persistent threats, 79 percent scan for malware, 52 percent do penetration testing, and 44 percent do cyber forensics. In addition, 66 percent have a cyber security plan that fully covers all on-premises environments and devices, and another 25 percent have partial coverage, while 61 percent fully cover cloud-based environments and devices and 29 percent have partial coverage.