SlashNext Survey Finds Only 1 in 8 Organizations Report Real-Time Operationalization of Threat Intelligence Feeds to Block Live Web Threats
August 2019 by SlashNext
SlashNext announced the results of a survey of cybersecurity professionals working for large organizations with security operations centers (SOCs). The findings showed these professionals face multiple challenges when attempting to institute faster operationalization of phishing threat intelligence feeds in order to protect employees from short-lived Web threats. The survey also found that even large companies with multi-layer security controls and multiple threat feeds lack safeguards to adequately protect their employees from fast-moving phishing attacks that employ links to malicious sites.
In the SlashNext 2019 Enterprise Fast Phishing Survey, over half of survey respondents (56%) correctly noted that phishing URLs typically remain active for a very short time, from under an hour to just several hours. This speaks to security professionals' awareness of the threats they face and the need for both proactive and real-time threat detection, together with fast operationalization of that threat intelligence to block active Web threats. In a contrasting finding, when it comes to the top three anti-phishing security stack improvements still needed, "More timely phishing threat intelligence/block lists" was the least popular choice, while the most commonly reported improvement was a "Better way to detect traffic to previously unknown phishing URLs". The other two most commonly cited anti-phishing improvements needed were "More effective email phishing detection" and "Better automation across anti-phishing defenses".
When it comes to how quickly Web threats can be blocked, the survey focused on three elements: speed of operationalization for third-party threat feeds, frequency of blocking updates, and barriers to achieving real-time implementation. Only 12% of respondents reported real-time operationalization of threat feeds for blocking, while 19% reported it took between 5 and 30 minutes and another 20% reported 30 to 60 minutes to operationalize. Nearly half (49%) reported operationalization times of more than an hour. As for block list update frequency, only 23% reported continuous or real-time updates. A quarter (25%) reported update intervals of five minutes to an hour, while over half (53%) reported update intervals longer than an hour.
As for the top barriers to faster and more frequent block list updates, the three cited most often were process/policy limitations for implementation, systems limitations for ingestion, and systems limitations for implementation. Close behind were budget/resource constraints and cross-functional/internal political challenges. The report shows that while IT security pros are largely aware of the short-lived nature of phishing threats, they have multiple systems limitations to overcome before they can implement faster, more effective blocking. Beyond update frequency, organizations also need to carefully evaluate the freshness and accuracy of third-party threat intel feeds: defenses that are updated with out-of-date threat intelligence leave the organization exposed.
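The freshness and latency concerns above can be made concrete with a small ingestion gate. The following is an added example, not SlashNext's code or any vendor's feed format: it assumes a hypothetical CSV feed of "url,first_seen" lines (the sample feed is constructed), drops indicators older than a configurable age (short-lived phishing URLs are usually dead by then), normalizes URLs so the same page is not listed twice, discards malformed lines instead of aborting the whole update, and reports how far behind the feed the block list is running.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feed (hypothetical format, not a real vendor's):
# one "<url>,<first_seen ISO-8601 UTC>" record per line.
SAMPLE_FEED = """\
https://login-example.test/verify,2019-07-10T09:05:00Z
HTTPS://Login-Example.test/verify/,2019-07-10T09:05:00Z
http://docs-share.test/open?id=1,2019-07-10T06:30:00Z
http://payroll-update.test/,2019-07-10T09:40:00Z
not a url,2019-07-10T09:41:00Z
http://bad-timestamp.test/,yesterday
"""


@dataclass
class Stats:
    accepted: int = 0
    stale: int = 0
    malformed: int = 0
    duplicates: int = 0
    max_latency_minutes: float = 0.0  # oldest accepted indicator, in minutes


def normalize_url(raw):
    """Canonicalize an http(s) URL: lower-case scheme and host, drop the
    fragment and any trailing slash, so case/slash variants collapse to one entry."""
    parts = urlsplit(raw.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not an http(s) URL")
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme, parts.netloc.lower(), path, parts.query, ""))


def parse_timestamp(text):
    """Parse the feed's UTC timestamp; anything else raises ValueError."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def operationalize(feed_text, now, max_age=timedelta(hours=2)):
    """Turn a feed snapshot into (sorted block list, Stats).

    Indicators older than max_age are counted as stale and skipped; malformed
    records are counted and skipped rather than failing the whole update.
    """
    block_list = set()
    stats = Stats()
    for line in feed_text.splitlines():
        if not line.strip():
            continue
        try:
            url_text, ts_text = line.rsplit(",", 1)
            url = normalize_url(url_text)
            first_seen = parse_timestamp(ts_text)
        except ValueError:
            stats.malformed += 1
            continue
        age = now - first_seen
        if age > max_age:
            stats.stale += 1
            continue
        if url in block_list:
            stats.duplicates += 1
            continue
        block_list.add(url)
        stats.accepted += 1
        stats.max_latency_minutes = max(stats.max_latency_minutes, age.total_seconds() / 60)
    return sorted(block_list), stats


def run_sample():
    """Process the constructed feed as of a fixed 'now' (2019-07-10 10:00 UTC)."""
    now = datetime(2019, 7, 10, 10, 0, tzinfo=timezone.utc)
    return operationalize(SAMPLE_FEED, now)


if __name__ == "__main__":
    urls, stats = run_sample()
    for u in urls:
        print("BLOCK", u)
    print(stats)
```

The `max_latency_minutes` figure is the number to watch: if it routinely exceeds the lifetime of the phishing URLs the feed describes, the feed is arriving too late to block them, whatever the nominal update interval is.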
“It has become a race against time to implement timely threat intelligence quickly enough to protect employees from fast-moving phishing threats,” said Atif Mushtaq, CEO, SlashNext. “Only 13% of respondents reported real-time operationalization of threat feeds for blocking, so most organizations are exposed and need real-time phishing threat intelligence and greater automation to close the gaps in their phishing defenses.”
This survey shows that researching URLs in suspected phishing incidents is a costly and time-intensive process. Nearly half of respondents (47%) reported URL research times of 6-10 minutes or more per incident, while 24% said they averaged just 3-5 minutes per incident. Only 19% reported URL research being a fully automated, real-time process. In larger organizations with several hundred to several thousand suspicious emails reported every day, this task can easily consume dozens of hours per day and multiple full-time resources. This is costly and presents challenges to organizations facing a chronic shortage of trained cybersecurity resources. Clearly, this is an area where time and costs could be reduced through greater automation, as is becoming more common through the use of Security Orchestration, Automation, and Response (SOAR) platforms and phishing IR playbooks.
In terms of which systems and methods are used to research suspicious URLs, respondents favored commercial phishing URL databases and URL scanning services (50%) over free alternatives (44%). However, most organizations report using both commercial and free resources. As for systems used, SOARs were more commonly used (47%) than SIEMs (32%) for this purpose.
Other key findings from the SlashNext 2019 Enterprise Fast Phishing Survey include:
When determining if a suspicious URL is malicious, the top three challenges cited by security professionals are URL redirection / forwarding, identifying previously unknown suspicious URLs, and lack of definitive, accurate verdicts from their security systems and/or URL checking resources.
A wide variety of systems are used as the first system to ingest a third-party phishing threat intelligence feed. The most common was a Threat Intelligence Platform (TIP) at 23%, followed by DNS or Web Proxy (22%), SOAR (16%), NextGen Firewall (16%), SIEM (15%), and custom or other (9%).
Credential-stealing sites (fake login pages) were cited as the most dangerous phishing type for an enterprise, followed by malware sites hosting rogue browser extensions and apps at 17%. Other types of phishing sites also ranked high, with scareware and sites hosting weaponized documents coming in at 16%.
A report from Aberdeen Group described just how quick users are to open, click, and act on suspicious links. “Research continues to show that phishing attacks are fast, and getting faster,” said Derek Brink, vice president and research fellow, Aberdeen. “Manual blocking and browser-based protections are simply too slow to be effective on the front-end, while security awareness and training for users remains a vital last line of defense. Successfully detecting and defending against the malicious emails and URLs of phishing attacks in the time required clearly calls for a high-speed, highly automated approach.”
The SlashNext 2019 Enterprise Phishing Survey was conducted by Survata, an independent research firm based in San Francisco. The survey was taken by 300 security decision-makers in large firms in the U.S. in July 2019.