Q2 2023 Threat Landscape Report: All Roads Lead to Supply Chain Infiltrations
by George Glass, Laurie Iacono, Keith Wojcieszek
Tue, Sep 26, 2023
The Kroll Detection and Response Maturity Model highlights the gap between organizations’ perceptions of their detection maturity status and their actual cybersecurity practices.
Kroll’s Detection and Response Maturity Model (“Model”) provides a structured framework for understanding how key detection and response components contribute to an organization’s overall maturity, considering capabilities, resources, insurance and overall preparedness. The Model highlighted a significant ROI for mature organizations, as well as considerable discrepancies between perceived and actual maturity.
A hallmark of a mature cybersecurity program is the ability to rapidly and accurately detect a threat and confidently respond to it in a manner that minimizes its potential impact. However, believing you are cyber mature and actually being cyber mature is very different.
To find the right answer, we leveraged data uncovered in our report The State of Cyber Defense 2023: The False-Positive of Trust, which included answers from 1,000 global security decision-makers. Layering those responses with Kroll’s frontline threat intelligence, we examined the perceptions and realities of threat detection and response in today’s landscape to develop the Model. This Model will help security leaders benchmark their programs, prioritize investments and increase resilience.
Our framework establishes three categories: Novice, Explorer and Trailblazer. Novices have low cyber maturity, Explorers show average maturity and Trailblazers demonstrate the highest maturity.
| Novice | Explorer | Trailblazer |
|---|---|---|
| They are likely to be using simpler collection and monitoring tools to detect cyberattacks and may not have any actions for responding to high-severity threats, or use threat monitoring and investigation as their only defenses. They have only a few elements in their cybersecurity program. | They may have access to limited threat intelligence, can create some custom use cases/rules to alert them of known cyberattacks and use multiple tools to detect high-severity threats. They have multiple elements in their cybersecurity program. | They are likely leveraging various sources of threat intelligence to continuously improve detection rules and proactively hunt for unknown behavior to detect cyberattacks, and some may be able to detect threats in real time. They have many actions to respond to high-severity threats, including remediation and digital forensics. They are likely to have a large toolkit in their cybersecurity program. |
As demonstrated in figure 2, there is a considerable difference between businesses that think they are cyber mature compared to those that are actually cyber mature.
Organizations in the Trailblazer group are less likely to report that they are “very mature” (13%) compared to Explorer or Novice organizations. Furthermore, 43% of those placed in the Novice group feel that their detection and response measures are very mature with no improvement required. Such a stance by security leadership would represent a significant blocker to potential improvements in cyber resilience and to the overall ROI of security investments.
The number of security incidents is significantly lower for Trailblazer organizations, compared with the other two groups (figure 3). This, combined with the high cost of a data breach, demonstrates that moving from Novice or Explorer level to Trailblazer status could save organizations millions of dollars a year (figure 4).
Figure 3
Figure 4
A robust detection and response strategy comprises the following elements, listed from most basic to most advanced.
Just 3% of organizations’ cybersecurity programs include all the threat detection and response elements required to support full maturity. Worryingly, 20% of organizations only have the basic cybersecurity monitoring with no further processes in place.
Added to this, businesses that self-reported a high level of cyber maturity are also more likely to have only cybersecurity monitoring in place. This further illustrates the disparity between what businesses think true cyber maturity is and their actual cyber maturity.
When looking at how organizations detect cyberattacks, most organizations are only taking what we’d deem the “least mature” actions, so there is evidently room for improvement.
As the number of zero-day and critical vulnerabilities being exploited grows significantly and attackers rapidly adapt tactics to circumvent basic controls, the low maturity in threat detection highlights the urgent need for more robust detection engineering. Merging threat intelligence with real-life incident investigations can provide a considerable boost to detection capabilities, as demonstrated in our detection-as-code webinar.
Our report The State of Cyber Defense 2023: The False-Positive of Trust revealed that security teams generally trust employees to avoid falling victim to a cyberattack (66%) above the accuracy of cybersecurity alerts and the effectiveness of security tools. However, when looking at the data through the lens of cyber maturity, the statistics are flipped.
For Trailblazers, employees are trusted the least (54%) and the effectiveness of cybersecurity tools is trusted the most (69%).
The full report covers:
For access to the full results, complete the form to download the report.