The evolution of enterprise threat handling: Detailed insights from SANS 2024 Survey

The SANS survey highlights threat hunting’s evolution with increased formalisation and strategic integration to enhance cyber security effectiveness.
Hunting for threats.

In an era where cyber security is a paramount strategic priority for enterprises, SANS Institute's 2024 Threat Hunting Survey provides an in-depth exploration of how threat hunting practices are evolving to address the complexities of a rapidly changing threat landscape. For this annual survey, now in its ninth year, SANS canvassed organisations worldwide to assess their threat hunting activities over the previous year and gather insights on potential future trends.

Increased formalisation and methodology adoption


A significant highlight from this year's findings is the marked increase in organisations that have formally established their threat hunting methodologies, with the number rising from 35% in the previous year to 51% in 2024. This uptrend represents a strategic shift towards standardising processes aimed at improving threat detection and enhancing incident response capabilities. The trend towards formalisation not only reflects a maturing industry but also shows that enterprises are recognising and implementing structured threat hunting as a critical component of their cyber security defences. This structured approach is increasingly seen as essential for developing a proactive defence mechanism that can effectively counteract the sophistication of modern cyber threats.

Challenges and solutions in skilling and tools


While progress is evident, the survey continues to highlight enduring challenges, notably the shortage of skilled cyber security professionals and ongoing issues with the quality of data and tools. The gap in skilled personnel, although reduced from 73% in 2023 to 50% in 2024, remains a significant obstacle for many organisations. To counter these challenges, an increasing number of organisations have taken the initiative to conduct their own bespoke research, aiming to develop customised threat intelligence solutions that cater specifically to their unique operational needs. This shift demonstrates a proactive strategy in building internal competencies and adapting to tool limitations, thereby enhancing overall threat intelligence capabilities.

Outsourcing trends and their implications


Further insights from the survey reveal a growing trend towards outsourcing threat hunting tasks, with 37% of organisations now leveraging external services for this function. While outsourcing can provide rapid scalability and access to specialised expertise, it also introduces potential risks, including misalignment with an organisation’s unique systems and the broader threat landscape, as well as challenges related to data governance and control. This reliance on external providers underscores the need for enterprises to maintain a balanced approach, ensuring that outsourced services are seamlessly integrated with internal security objectives and align with corporate strategies to avoid gaps in security coverage.

Measuring success and strategic alignment


Encouragingly, there is a significant uptick in the number of enterprises measuring the effectiveness of their threat hunting efforts: 64% in 2024, compared to 34% in the previous year. This increasing focus on metrics highlights a broader acknowledgment of the importance of quantifiable outcomes in refining security postures and aligning cyber security efforts with business objectives. Although most organisations report positive outcomes from their threat hunting initiatives, the survey points to a continuous need for refining these strategies to optimise their effectiveness and ensure they deliver measurable improvements in security.

Continuous evolution and integration


As cyber threats evolve, so must the strategies to combat them. The SANS survey points to a trend of frequent reviews and updates to threat hunting methodologies, with many organisations adjusting their approaches as needed or on a regular basis. This adaptability is crucial for keeping pace with adversaries and effectively managing the complexities of modern enterprise environments.

The 2024 SANS Threat Hunting Survey underscores the indispensable role of enterprise threat hunting within the contemporary cyber security ecosystem. As organisations grow increasingly aware of the benefits of proactive threat detection and tailored intelligence, the integration of sophisticated threat hunting strategies into broader cyber security frameworks is not only recommended, but essential. By employing skilled personnel, adopting standardised methodologies and committing to continuous improvement, enterprises are better equipped to anticipate, respond to and mitigate emerging threats, thus safeguarding their operations against the unpredictable and chaotic nature of the cyber world.

If you would like to learn more about the threat hunting survey’s findings, download the report here and watch the webcast here.

And if you are interested in learning more about threat hunting or increasing your DFIR skills, sign up for a free demo of the SANS Threat Hunting courses, FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics and FOR608: Enterprise-Class Incident Response & Threat Hunting.

For more information about SANS Institute and courses offered, please visit our website here.

