Do employees overly rely on threat hunting teams to protect their inboxes?

According to new survey-based research report, it takes organizations an average of just over 83 hours to discover and mitigate email threats that successfully sneak past email gateways and security solutions. (Sean Gallup/Getty Images)

The longer an email sits in an inbox, the more time there is for an employee to engage with it in a manner that causes damage. And according to new survey-based research report, it takes organizations an average of just over 83 hours to discover and mitigate email threats that successfully sneak past email gateways and security solutions.

The study, conducted by Barracuda Networks, also determined who’s primarily responsible for catching email threats after they are delivered. According to a company blog post, 67.6% of the email threat incidents encountered by the survey-takers were found by their internal threat hunting teams, while 24% were reported by users who uncovered them, and 8.1% were discovered through community-sourced threat intelligence.

Ideally, the 83-hours response time needs to shrink, as does the burden placed on threat hunting teams, said Mike Flouton, vice president of product at Barracuda Networks, describing some of the key takeaways from the report.

“Employees are getting better at reporting email threats that have made their way into their inbox, but we still have a ways to go,” said Flouton. Twenty-four percent feels a little bit lower than it should be probably – because when we have people proactively threat hunting, it takes longer to find [threats], whereas a user might spot something almost immediately and report it. So I’d like to see that percentage of user reported [threats] go up over time.”

Eyal Benishti, CEO of Ironscales, agreed that there is too great of an onus placed on threat hunters to protect inboxes, calling it “an unnecessary use of time for what are valuable resources.”

“Threat hunting should be as automated as possible, allowing threat hunters to focus their time on a very specific subset of new and unique threats,” Benishti continued.

Plus, as attackers get increasingly sophisticated, each campaign can take up a significant portion of threat hunters’ time. “They figure out the techniques that threat hunters use to look for emails and they try to actively obfuscate those” through techniques such as steganography or typosquatting, Flouton explained.

Meanwhile, the clock is ticking as dangerous phishing emails potentially lie in wait in an employee’s inbox.

“We say [it takes] 82 seconds from when an email threat hits the inboxes at a company until their first end-user clicks on it,” said Benishti, citing statistics from Verizon Data Breach Investigations Report.

Barracuda surveyed roughly 3,500 organizations for its study, and learned that an average organization with 1,100 users will encounter around 15 email security incidents per month, while an average of 10 employees will suffer the impact of a successful phishing attack. Meanwhile, three percent of employees will click on a malicious email link.

So if employees are going to pick up some of the slack and ease the burden on threat hunting teams, that means continuing to improve workers’ security awareness training so that they know how to quickly identify and report email-based threats that land in their inboxes. Indeed, an analysis of Barracuda’s survey study found that organizations that train users will see a 73% improvement in the accuracy of user-reported email after just two training campaigns.

In addition to training, another strong post-delivery approach “is to employ AI/ML analysis and remediation of each and every email that arrives in the inbox itself with a behavioral analysis approach,” said Benishti. “The blocking approach employed by SEGs [secure email gateways] will never be able to keep up.”

The Barracuda study also found that following a remediated incident, 29 percent of surveyed organizations regularly update their block lists in order to restrict messages coming from flagged senders or geographies. But only five percent of respondents said that their companies update their web security settings in order to block access to malicious sites for entire organizations.

“This small number is due to the lack of integration between incident response and web security at most of organizations,” the Barracuda blog post states. SC Media asked Flouton why such a disconnect exists.

“It could be different resources, it could be different teams – an email security team versus a web security team – and maybe they don’t collaborate as much as they should,” Flouton responded. “There might be an organizational silo in place… [or] disparate technologies from different vendors that don’t integrate together – and then you’re having to do a copy and paste of malicious addresses from one solution into another. And you have to be familiar with both solutions and different user interfaces, and it adds friction to the process.”