More IT Professionals are Operating Under the Assumption of Compromise
More organizations are operating under the assumption that their network has already been compromised, or will be, according to a survey conducted by the SANS Institute on the behalf of Guidance Software. Fifty-six percent of those surveyed assume that they have been breached or will be soon compared with 47 percent last year. However, organizations are not taking a proactive approach to detecting threats or achieving greater visibility into their networks.
SANS surveyed 1,827 IT professionals in the United States for the 2nd annual SANS Endpoint Security Survey, to explore how IT professionals monitor, assess, protect and investigate their endpoints, including servers. A majority of respondents were security analysts (33 percent), followed by security managers or chief information security officers (16 percent), and IT managers or CIOs (13 percent).
The survey results underscore that despite the increased assumption of compromise, visibility into endpoints remains an issue. Highlighting the need for detection at the endpoint, this year, 55 percent of respondents say that up to 30 percent of their incidents should have been detected by perimeter security measures but weren’t. Furthermore, organizations admit that stealthy attacks are not the ones bypassing their defenses—39 percent reported that less than 10 percent of their adversaries were advanced or used stealth advanced exploit and hiding techniques.
“Relying solely on perimeter detection is insufficient to detect and root out threats. In fact, it appears that the lack of visibility into threats is increasing as organizations become overly dependent on perimeter defenses,” said Jake Williams, Instructor and Course Author at the SANS Institute. “Furthermore, many organizations are not proactively hunting for threats on their networks, which is a risky approach since they are not working under the assumption of compromise. Instead, many are simply waiting for alerts from defenses attackers have long since bypassed.”
Other key findings from the survey include:
- Prevention—Thirty-four percent did not know what percentage of threats are detected through proactive discovery. This a double-fold increase from last year’s survey. Additionally, 25 percent indicated that they do not know what threats should have been blocked by firewalls, routers and other edge detection solutions.
- Detection—Fifty-five percent of respondents say 30 percent of incidents should have been detected by perimeter security measures but weren’t, and almost a quarter of respondents were notified of a compromise by a third party.
- Automation—For a majority of participants, false positive rates are unacceptably high, with 52 percent of organizations suffering false positive rates in excess of 20 percent. Automation levels continue to lag behind what respondents want. Respondents’ projections of achieving automation in 24 months remained relatively stable compared to last year.
- Response—A majority (83 percent) need results from endpoint queries in an hour or less and 28 percent want that data in five minutes or less. The ability to quickly conduct investigations is a top priority.
- Remediation—Wipe and reimage remains the most popular technique for remediating compromised endpoints according to 79 percent of respondents.
Top Challenges to Incident Recovery: In addition to learning about respondents’ opinions about outsourcing or insourcing security response actions, the survey also measured the top five challenges to incident recovery. They were:
- Assessing the impact
- Determining the scope of a threat across multiple endpoints
- Determining when the incident is fully remediated
- Hunting for compromised endpoints
- Determining what company confidential and/or regulated data was at risk because of compromised endpoints
“Cybercriminals are constantly looking for new ways to bypass security measures and no organization is immune from attack,” said Ken Basore, Chief Information Officer for Guidance Software. “Organizations must embrace an aggressive approach – constantly searching for threats inside their network. In order to be vigilant, organizations must gain visibility into endpoints to determine what sensitive data is stored on them and be able to create a sustainable model of protection.”
The complete survey results will be presented by the SANS Institute on a webcast, on May 6, 2015 at 1:00 pm Eastern / 10:00 am Pacific. To register for the webcast, please visit HERE
About Guidance Software, Inc.
Guidance Software is recognized worldwide as the industry leader in endpoint investigation solutions for security incident response, e-discovery and forensic analysis. Its EnCase® Enterprise platform, deployed on an estimated 25 million endpoints, is used by more than 70 percent of the Fortune 100, more than 45 percent of the Fortune 500, and numerous government agencies to conduct digital investigations of servers, laptops, desktops and mobile devices. Built on the EnCase Enterprise platform are market-leading IT security, IT help desk, and electronic discovery solutions, EnCase® Cybersecurity, EnCase® Analytics, EnCase® Remote Recovery + and EnCase® eDiscovery. For more information about Guidance Software, please visit www.guidancesoftware.com.
EnCase®, EnScript®, FastBloc®, EnCE®, EnCEP®, Guidance Software™, LinkedReview™, EnPoint™ and Tableau™ are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other trademarks and copyrights are the property of their respective owners.