RSA Research Reveals Blind Spots in Threat Detection

Only 24% of organizations are satisfied with their detection and investigation capabilities


  • Speed is an issue: Only 8% of organizations feel they can detect threats very quickly and only 11% feel that can investigate threats very quickly
  • Staggering imbalance between collection of perimeter data and data from modern IT infrastructures (Identity Management, Endpoint, and Network Packet)
  • Most organizations fail to integrate the data they collect, limiting visibility into scope of attacks
  • Encouraging data shows acknowledgement of the importance of identity information for detection, and planned investment in user behavioral analytics


Today, RSA, The Security Division of EMC (NYSE: EMC), released the results of a new Threat Detection Effectiveness Survey that compiled insight from more than 160 respondents globally. The survey was designed to allow participants to self-assess how effective their organizations are at detecting and investigating cyber threats. The research provides valuable global insight into what technologies organizations use, what data they gather to support this effort, and their satisfaction with their current toolsets.  Additionally respondents were asked what new technologies they plan to invest in and how they plan to evolve their strategies going forward.

A key insight from the survey was that respondents expressed deep dissatisfaction with their current threat detection and investigation capabilities. Only 24% percent of organizations surveyed indicated that they were satisfied with their ability to detect and investigate threats. . Only 8% of those organizations feel they can detect threats very quickly with only 11% that can investigate threats very quickly.  Speed in threat detection and investigation is a critical factor in reducing attacker dwell time and subsequently minimizing damage and loss from cyber attacks

There is a staggering imbalance between organizations that collect perimeter data (88%), and data from modern IT infrastructures (Cloud-based infrastructure 27%, Network Packet 49%, Identity Management 55%, and Endpoint 59%). Yet, organizations who have incorporated these data sources into their detection strategies find them extremely valuable: organizations collecting network packet data ascribed 66% more value to that data for detecting and investigating threats than those that didn’t, and those collecting endpoint data ascribed 57% more value to that data than those that didn’t.

Data integration is also an issue. A quarter of respondents aren’t integrating any data, and only 21% make all their data accessible from a single source. The prevalence of siloed data prevents correlation across data sources, slows investigations, and limits visibility into the full scope of an attack. Only 10% of respondents rated their ability to connect attacker activity across the data sources they collect as “very well”.

Respondents didn’t consider any of their current detection and investigation technologies particularly effective, giving them an average rating of “somewhat effective.”  While SIEM is deployed by more than two-thirds of respondents, more effective tools like network packet capture, endpoint forensics, and user behavioral analytics lack the necessary adoption

Finally, an encouraging finding was the increasing importance of identity data to aid detection and investigation. While only slightly more than half of organizations collect data from identity and access systems currently, those that do ascribed 77% more value to that data for detection than those that do not. Further, user behavioral analytics, which can help organizations simplify detection based on spotting patterns of anomalous activity, is the most popular planned technology investment, with 33% of respondents planning to adopt this technology within the next 12 months.


Amit Yoran, President, RSA 

“This survey reinforces our greatest fear that organizations are not currently taking, and in many cases are not planning to take, the necessary steps to protect themselves from advanced threats. They are not collecting the right data, not integrating the data they collect, and focusing on old-school prevention technologies. Today’s reality dictates that they need to plug gaps in visibility, take a more consistent approach to deploying the technologies that matter most, and accelerate the shift away from preventative strategies.”


RSA’s quantitative global survey was conducted online in December 2015 through February 2016.  All qualified respondents self-reported all data. There were more than160 respondents who participated from organizations with 44 percent being under 1,000 employees, 31 percent had 1-10,000 employees and 25 percent over 10,000 employees.  The respondents represented 22 different industry sectors with 58 percent from the Americas, 26 percent from Europe and the Middle East, and 15 percent from Asia Pacific and Japan.



RSA provides more than 30,000 customers around the world with the essential security capabilities to protect their most valuable assets from cyber threats. With RSA’s award-winning products, organizations effectively detect, investigate, and respond to advanced attacks; confirm and manage identities; and ultimately, reduce IP theft, fraud, and cybercrime. For more information, go to

RSA and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other company and product names may be trademarks of their respective owners.

This release contains “forward-looking statements” as defined under the Federal Securities Laws. Actual results could differ materially from those projected in the forward-looking statements as a result of certain risk factors, including but not limited to: (i) risks associated with the proposed acquisition of EMC by Denali Holdings, Inc., the parent company of Dell, Inc., including, among others, assumptions related to the ability to close the acquisition, the expected closing date and its anticipated costs and benefits; (ii) adverse changes in general economic or market conditions; (iii) delays or reductions in information technology spending; (iv) the relative and varying rates of product price and component cost declines and the volume and mixture of product and services revenues; (v) competitive factors, including but not limited to pricing pressures and new product introductions; (vi) component and product quality and availability; (vii) fluctuations in VMware, Inc.’s operating results and risks associated with trading of VMware stock; (viii) the transition to new products, the uncertainty of customer acceptance of new product offerings and rapid technological and market change; (ix) risks associated with managing the growth of our business, including risks associated with acquisitions and investments and the challenges and costs of integration, restructuring and achieving anticipated synergies; (x) the ability to attract and retain highly qualified employees; (xi) insufficient, excess or obsolete inventory; (xii) fluctuating currency exchange rates; (xiii) threats and other disruptions to our secure data centers or networks; (xiv) our ability to protect our proprietary technology; (xv) war or acts of terrorism; and (xvi) other one-time events and other important factors disclosed previously and from time to time in the filings of EMC, the parent company of RSA, with the U.S. Securities and Exchange Commission. EMC and RSA disclaim any obligation to update any such forward-looking statements after the date of this release.