In the last few years, security practitioners have become quite vocal over their belief that the perimeter is dead.
You need not look very far to see the evidence of this: Breaches hit the headlines on a weekly basis, and more and more vendors are switching their tag lines from impervious defence towards faster detection and response.
A recent Threat Detection Effectiveness Survey conducted by RSA sought to examine how well businesses actually believe this, however, and the results show an alarming amount of conflict between what businesses believe, and what they do.
Up front, 80 percent of the respondents were dissatisfied with their detection and response capabilities.
More specifically, an alarming 92 percent of them felt that they couldn't detect threats quickly enough, and 89 percent didn't think they could adequately investigate those threats either.
This should come as no surprise, however, when put into context of how businesses had been spending on IT security.
The old adage "you get what you pay for" rings especially true here, and respondents admit that overall, 47 percent of their annual security investments went into preventative measures.
In contrast, detection and response made up just 25 percent and 28 percent respectively. Countries in Asia Pacific and Japan (APJ) fared the worst globally, with 53 percent of their budgets going to toward preventative measures and just 23 and 24 percent to detection and response respectively.
The solution isn't necessarily for companies to spend more in detection and response, however. Diving deeper into what companies use, it became clear that the tools used for detection and response weren't always providing value.
Two thirds of respondents used SIEM (security information and event management) tools for detection, despite the fact that they have been shown in Verizon's 2014 Data Breach Investigations Report to be effective in capturing advanced threats less than 1% of the time.
Additionally, although businesses are aware that visibility is key to improving detection and response, organisations aren't making proper use of data that is already sitting on their networks.
For identity and access systems, which are frequently attacked, only 55% of organisations report collecting data. Data from the actual endpoint, where sensitive information typically resides, is only collected by 59% of respondents.
Worryingly, only 23% of organisations even collate the data, once collected, into a single source. That means that data, if it's managed to be collected, sits in separate silos making it difficult to analyse for patterns or behaviours.
For example, an access control system may log several days of repeated attempts to gain access from a certain IP range and later, data may be detected egressing from an end point to a particular IP address.
As two disparate systems, the correlation between the two incidents would have to be found manually, if an analyst knows what to look for.
However, if the data were combined and fed into a simple analytics engine, it would immediately provide clues as to how long attackers had been trying to gain access, when they eventually succeeded, and likely what was taken.
With APJ companies falling behind the global average, they are likely to represent softer targets. The good news is that even if they haven't yet taken action, they are the most likely to in the future.
In the next 12 months, APJ countries are expected to shift their spend in detection from 23 percent to between 30 and 36 percent, the largest shift globally.