
Market Focus
In-depth analysis from Lumension, June 2014
6 pages of original research

This new survey of SC Magazine readers, commissioned by Lumension, examines the largest and most devastating form of cyber attack: malware.

Malware: The omnipresent risk


Stories about malware attacks on corporate networks have become legendary. Whether it is the spear phishing attack on security vendor RSA in 2011, the 2013 attack on Target executed through its small-business partner with access to the company’s point-of-sale network, or the infamous Blaster worm of 2003, malware has been responsible for some of the largest and most devastating cyber attacks of the past 30 years.

Despite the ubiquity of malware and the relatively high profile it holds as a method of entering corporate networks, it remains today a very popular form of cyber attack. Yet based on a survey of IT, security and corporate executives conducted by SC Magazine for security vendor Lumension, a majority of the 343 respondents said they did not believe their organization was equipped to address targeted threats that often leverage social engineering tactics and advanced malware, nor did they believe they were subjects of targeted attacks.

The survey, conducted in April 2014, breaks out responses based on company size, revenue, the company’s own assessment as to whether it was equipped to address threats, and if the company had experienced an attack. One of the challenges of analyzing data about attacks is that many of the companies that said they have not experienced an attack might not know that they have indeed been breached, says Chris Merritt, director of solutions marketing at Lumension.

Merritt notes that IT and security professionals should operate on the assumption that their network already has been compromised. That belief is echoed by Richard


Malware: The omnipresent risk

This new survey of SC Magazine readers, commissioned by Lumension, offers in-depth analysis that examines the largest and most devastating form of cyber attack: malware. The scourge has likely already infiltrated your network, whether you are aware of it or not, so getting senior management on board with mitigation plans is key.

How do you currently defend against targeted attacks?

Firewalls: 76%
Intrusion prevention/detection systems: 62%
Security information and event management (SIEM) solutions: 50%
Advanced anti-malware solutions: 49%
Network analysis and visibility: 45%
Wireless security solutions: 41%
Identity and access management (IAM) solutions: 35%
Network access control (NAC) for endpoints: 31%
Mobile security solutions: 28%
Virtualization and cloud security solutions: 27%
Unified threat management (UTM) appliances: 24%
NAC for server side: 15%
Other: 4%
All of these: 15%


Clarke, the first chairman of the federal government’s Counterterrorism Security Group, former member of the National Security Council, and now chairman of Arlington, Va.-based Good Harbor Consulting. Speaking in 2012 at a Seattle meeting of security professionals, Clarke asked how many in attendance were aware their networks had been breached. A few hands went up. Next he asked how many had been breached but didn’t know it, then prompting that everyone else in the audience should raise their hands.

“The majority of respondents indicate that their organization has not been a victim of a targeted attack,” Merritt says. “When broken down by organization, [the data shows] smaller size companies overwhelmingly indicate they have not been victims of a targeted attack.” However, he notes that small companies are being targeted more often these days as jumping-off points to larger firms. He cites the Target breach as such an example where attackers used the SMB business partner to gain access to the Target network.

“Most respondents felt their organizations were best equipped to manage targeted attacks across internet malware, physical access and server side risk,” he says. “Surprisingly all respondents suggested that their organizations are not as prepared for attacks that use externally driven approaches and exploitation of the third-party vulnerabilities. Equally surprising was the strong indication by large companies that they are not well equipped to address attacks by way of physical access.”

Merritt notes that only 15 percent of the companies surveyed by SC Magazine said they are not equipped to defend against a targeted attack or are not in the process of becoming so equipped.

Assuming one’s network has never been breached overlooks the stark omnipresence of malware, Merritt says. The challenge for the security professional is to get management’s recognition that a breach probably has already happened and efforts need to be made to identify and remediate the attacks. Without the support and buy-in from key stakeholders, such as the board of directors, legal, finance, risk and human resources, it is difficult for the IT and security teams to identify and mitigate breaches.

Security is a moving target

Michael Andrini, information systems director at Provincetown, Mass.-based Seamen’s Bank, says that if a breach occurs, the company and IT staff often believe they did something wrong or perhaps failed to take some action. “There are always [security] issues out there,” he says. “Security is a moving target.” For that reason, he notes, senior management needs to recognize that security is ongoing and the upgrades done to the network infrastructure or software the previous month don’t mean that everything is safe and secure.

A common statement IT staffs hear from senior man-


Have high-profile targeted attacks impacted your security planning?

Yes: 66%
Unsure: 12%
No: 22%

If not, what are some of the impediments to making this happen?

Lack of budget: 42%
Other projects taking priority: 39%
Lack of executive-level understanding: 29%
Lack of executive-level support: 25%
Lack of understanding of the need for protection: 14%
Other: 21%

72% of large businesses reported that a third party reported their breaches to them.


agement is: “You did updates last month. Why isn’t everything fixed?,” Andrini says. But, he underscores, the key to effective security is consistency and vigilance. The challenge senior management faces is that they have more to consider than just information security. “They make decisions based on what they know or [the information] they are given,” he says. Problems occur when that information is incomplete.

Even if today’s anti-virus and anti-malware software is able to stop 80 percent of the attacks, as many vendors claim, is 80 percent acceptable? Is 99 percent acceptable?, he asks. The world is changing and attackers are not using viruses and trojans as much as they did in the past, so signature-based defensive software is becoming less reliable. New approaches are required to ensure corporate networks are safe from outside attacks.

Andrini suggests companies test their employees using social engineering techniques. Even if the employees know the tests are coming, he says, it often makes them more aware when they read their email. If employees start sending questionable emails to the IT team to confirm the mail’s safety and authenticity, that could be a big win for the security effort. Little rewards for identifying questionable emails with a little bit of fear works, he says.

The survey cited several best practices being employed by respondents to defend against malware and advanced persistent threats (APTs). They include:

• created or strengthened vulnerability management programs to ensure that all systems have the latest patches;

• created or strengthened end-user security awareness training;

• updated policies and procedures to ensure that strong passwords and other security best practices are followed;

• created or bettered incident response plans to account for addressing the various stages of an APT attack; and

• removed local admin rights.

Each of these practices is being employed now by more than half of the respondents, with patch management topping the list with a 70 percent share.

According to the survey, when asked what is hindering security implementations, lack of budget accounted for a hefty 42 percent of the responses, with the largest number of budget-strapped IT executives in business with less than $100 million in revenue and 1,000 to 20,000 employees. The next highest response – “Other projects at the company taking priority,” at 39 percent – was the most common response at larger companies with revenue greater than $1 billion.

Mike Rothman, president and analyst at the market research firm Securosis, says that companies should not


Have you experienced a targeted attack?

Yes: 38%
No: 62%

Do you believe you’re still at risk of getting hit by a targeted attack?

Yes: 84%
No: 9%
Unsure: 7%

66% of companies surveyed said high-profile targeted attacks have impacted their security planning.


be focusing so much on prevention but rather should put greater emphasis on detection and investigation. While perimeter security, anti-virus software and other prevention tools are useful, many of the more sophisticated malware and APT attacks will get past these defenses, he says. Analyzing log files to find the root cause of a breach is a more efficient and effective use of time.

“The reality is that bad guys are going to get in,” he says. “There’s not much most companies can do if the attacker is persistent and well-funded.”

Of the survey participants who acknowledged that they have been attacked, 19 percent said social engineering was the root cause, while just seven percent said either advanced malware or exploiting software vulnerabilities was the cause. Nearly half, 48 percent, said it was a combination of these three attack vectors. Some 12 percent cited “other” reasons as the cause while seven percent were unable to identify the attack vector.

Of those who acknowledged attacks, 65 percent said they were able to detect the attack in less than one week, while another 15 percent said it took up to a month. Only five percent said it took more than six months to identify the attack.

However, Rothman says the best way to stop attacks is to start with the basics: strong patch management, configuration management and eliminating holes in the firewall. Rather than worrying about an APT, he says, worry about defending against basic attacks. If a network is unable to stop a common but destructive piece of malware, he notes, that should be a top priority. Defending against sophisticated attacks should be considered once the security team is able to ensure that easy-to-breach vulnerabilities are identified and mitigated.

While focusing on the basics of data security, companies need to recognize that security is a four-step process, he says. The first three steps are data gathering, monitoring and forensics. The final step is to repeat the process often.

Gathering data from log files and other sources will provide an extensive view of network activity, both good and bad, he says. Security information and event management (SIEM) software is generally expensive to buy and to use, but it provides a comprehensive view of the network, he says. For companies that cannot afford SIEM systems, it is important to recognize the value of SIEM and then build


88% of SMBs responded that their breaches were identified by outside sources.

Do you know how attackers were able to breach your network?

Social engineering: 19%
Advanced malware: 7%
Exploiting software vulnerabilities: 7%
A combination of all of the above: 48%
Other: 12%
Unsure: 7%

How long did it take you to detect all aspects of a targeted attack and mitigate it?

Between one and seven days: 57%
Between one and three weeks: 19%
Between 30-90 days: 10%
Between 90-180 days: 2%
More than six months: 5%
We still wonder if we fully eradicated the threat: 7%


a security environment to provide the best data collection possible with available resources.

Monitoring the network for breaches – as well as monitoring the network after the breach remediation is completed to ensure that attack was indeed stopped – is the second step. The third step is doing a forensic analysis to ensure that the source of the breach is identified and fixed. Once all breach remediation is completed, he says, the entire process begins again.

Determining the size of the data security budget and staffing depends on the company’s corporate priorities and resources, Rothman adds. A company that manufactures bolts or assembles components probably would spend less than a company that develops intellectual property, he says. However, even the bolt manufacturer has intellectual property to protect, such as its customer lists.

As well, understanding what the log files are telling the security team is critical. Just because a log file shows hundreds of pings against a network, that does not mean the network is under attack, he says. “Reconnaissance happens against every public [IP] address,” he says. Often these pings are systems looking for open ports and misconfigured firewalls and routers. The good news is that generally these log entries do not indicate successful breaches but rather knocks on the proverbial front door. The bad news, he says, is there are lots of holes in different places.

“We see that a focus on the basics could add the biggest impact to [the] targeted threat security strategy,” says Merritt. “In fact, for smaller companies, just making improvements in vulnerability management and incident response planning could go a long way in strengthening defenses.”

Stepping stones

The challenge SMBs have is they often have neither the money nor the expertise to configure their network devices properly. As a result, attackers are exploiting these networks and using them as stepping stones to other networks.

But SMBs are not the only ones with security challenges, he says. For larger companies, the survey confirms that many are using their disposable income for projects other than security.

Using a medical equipment manufacturer as an example, Rothman says if the company has $2 million to spend on a new tool that can save lives or spend that same $2 million on cyber security, it likely will spend the money on its primary business operation. Business choices, he says, often reduce the priority of cyber security.

Just more than one half of respondents, 51 percent, said they currently include advanced threat detection and response technologies as part of their cyber defenses. Some 19 percent said they do not have such defenses and 20 percent said they were considering these defenses.

However, when broken down by company size, nearly two of three, or 63 percent, currently have these defenses if they have more than 20,000 employees. However, that number shrinks to just 38 percent, just greater than one in three, when a company has fewer than 1,000 employees.

The features most requested by responders for advanced threat detection include the ability to integrate with other existing security solutions (70 percent), intelligence about


Which of the following methods used to launch APTs do you believe your company is BEST equipped for?

Internet-borne malware infections
Malware infections by physical means
Server-side risks
Externally driven exploits
Third-party application vulnerabilities
None of the above

43%, 20%, 18%, 5%, 36%
All of the above: 20%
Unsure: 6%
43%

“The reality is that bad guys are going to get in.”
– Mike Rothman, president and analyst, Securosis


attackers’ activity on the network (68 percent), intelligence about the attack’s source and its behavior (61 percent), and security event analysis to help with remediation and containment (61 percent).

While the results of the survey indicate that the majority of respondents believe that their companies have not been a victim of a targeted attack, Merritt says that the IT staffs at many companies likely have not yet realized they have been breached. This is especially likely for SMBs, he says, which often lack the resources or bandwidth to discover a breach has taken place.

According to the “2013 Verizon Data Breach Investigations Report,” some 70 percent of all data breaches were identified by a third party that contacted the victim. This represents an improvement over the 92 percent identified by third parties in 2012. But the percentage is relatively flat going back five years, according to the Verizon report. Breaking down the numbers further, 72 percent of large businesses reported that a third party reported their breaches to them while SMBs reported that 88 percent of their breaches were identified by outside sources.

“Increasing awareness on advanced targeted attacks and high-profile attacks are waking up the enterprise,” Merritt says. “An increasing number of companies either [have] changed their security strategy or are in the process of doing so.”

Rothman says that companies can improve their malware risk profile considerably if they controlled the egress of data off their networks. Because the “endpoint” might no longer be on the company’s physical network – mobile devices and business partners that connect to corporate networks are changing what has been the network’s traditional perimeter – companies need to do a better job of sanitizing network traffic, he says. Forcing data through virtual private network (VPN) chokepoints might slow some transactions, but it allows the company to examine the incoming and outgoing traffic to make sure that confidential data isn’t leaving and malware isn’t coming in.

Companies also need to do a better job of log management beyond just the firewall and intrusion protection system (IPS) log files, he adds. If an attacker is able to steal the valid credentials of an employee, the attack effectively changes from an outsider attack to an insider attack. Just because someone using a trusted employee’s credentials is generating the data transfer, it does not necessarily mean the transfer is legitimate, he notes.
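Rothman’s two points, that hundreds of blocked probes in a log are usually door-knocks rather than a breach, and that a large outbound transfer deserves a look even when a trusted employee’s credentials made it, as an added example that is not from the report or from Lumension: it triages constructed firewall log lines in a hypothetical format, with assumed thresholds for what counts as a scan and as notable egress.

```python
from collections import defaultdict

# Constructed sample firewall log lines in a hypothetical format (not any vendor's):
# <ts> <ACCEPT|DENY> <in|out> src=<ip> dst=<ip> dport=<port> bytes=<n> user=<name|->
SAMPLE_LOG = """\
2014-04-15T08:00:01 DENY in src=203.0.113.7 dst=192.0.2.10 dport=21 bytes=0 user=-
2014-04-15T08:00:02 DENY in src=203.0.113.7 dst=192.0.2.10 dport=22 bytes=0 user=-
2014-04-15T08:00:03 DENY in src=203.0.113.7 dst=192.0.2.10 dport=23 bytes=0 user=-
2014-04-15T08:00:04 DENY in src=203.0.113.7 dst=192.0.2.10 dport=445 bytes=0 user=-
2014-04-15T08:00:05 DENY in src=203.0.113.7 dst=192.0.2.10 dport=3389 bytes=0 user=-
2014-04-15T09:12:10 ACCEPT in src=198.51.100.5 dst=192.0.2.10 dport=443 bytes=4096 user=-
2014-04-15T09:13:44 ACCEPT out src=192.0.2.10 dst=198.51.100.5 dport=443 bytes=734003200 user=jsmith
2014-04-15T10:00:00 ACCEPT out src=192.0.2.11 dst=198.51.100.9 dport=443 bytes=20480 user=alee
"""

SCAN_PORTS = 5                    # assumed: distinct denied ports before we call it a scan
EGRESS_BYTES = 100 * 1024 * 1024  # assumed: outbound volume per peer that warrants a look


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, action, direction, *kv = line.split()
    rec = {"ts": ts, "action": action, "dir": direction}
    for item in kv:
        key, value = item.split("=", 1)
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarise(lines):
    """Aggregate per external peer: denied ports, accepted inbound, bytes out, users."""
    peers = defaultdict(lambda: {"denied_ports": set(), "accepted_in": 0,
                                 "bytes_out": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        peer = rec["src"] if rec["dir"] == "in" else rec["dst"]
        p = peers[peer]
        if rec["action"] == "DENY" and rec["dir"] == "in":
            p["denied_ports"].add(rec["dport"])
        elif rec["action"] == "ACCEPT" and rec["dir"] == "in":
            p["accepted_in"] += 1
        elif rec["action"] == "ACCEPT" and rec["dir"] == "out":
            p["bytes_out"] += rec["bytes"]
            if rec["user"] != "-":
                p["users"].add(rec["user"])
    return peers


def triage(lines):
    """Label each peer so analyst time goes to likely breaches, not door-knocks."""
    verdicts = {}
    for peer, p in summarise(lines).items():
        scanned = len(p["denied_ports"]) >= SCAN_PORTS
        if p["bytes_out"] >= EGRESS_BYTES:
            # A large transfer is worth a look even under a trusted employee's account.
            who = ",".join(sorted(p["users"])) or "unknown"
            verdicts[peer] = f"investigate: large egress ({p['bytes_out']} bytes, user {who})"
        elif scanned and p["accepted_in"]:
            verdicts[peer] = "investigate: scan followed by accepted connection"
        elif scanned:
            verdicts[peer] = "recon noise: blocked port scan, no accepted connection"
        else:
            verdicts[peer] = "normal"
    return verdicts
```

Tune SCAN_PORTS and EGRESS_BYTES to the environment; the verdicts are a starting point for investigation, not a breach determination.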

An attack that uses legitimate credentials often is much more damaging to the victim company than attacks that do not have valid credentials, he says. The obstacle SMBs face – a challenge borne out by the results of this survey – is that smaller companies with fewer resources are less likely to realize they have been attacked and less likely to be able to respond.

Having the most expansive anti-malware defenses is not necessarily the ultimate defense against attacks, Rothman says. He likens many of the malware attacks today to perpetrators looking for low-hanging fruit. Many of today’s networks do not have sufficient defenses to keep out even the most basic attacks due to misconfiguration of perimeter defenses, out-of-date anti-virus or anti-malware software, unpatched applications and other basic defenses.

Companies that have taken the basic defensive steps significantly improve their ability to repel attackers. He likens these attacks to a hungry bear in the woods. If a bear comes across several potential victims in the woods, the survivor does not necessarily have to be the fastest runner, but rather needs to make sure they are not the slowest. Similarly, companies need to make sure their networks are not the most vulnerable, as those will be compromised first.

This piece was written by Stephen Lawton. This malware defenses survey was prepared for SC Magazine by C.A. Walker Research Solutions and it was sponsored by Lumension. Questions were emailed out to SC Magazine subscribers and Lumension clients between April 15 and April 25, 2014. Results were tallied from 343 responses, with a margin of error +/- .05 at the 95 percent confidence level, and were not weighted. “Large” companies are defined as 1,000 employees or more and “Small” companies as less than 1,000 employees.


Do you CURRENTLY incorporate advanced threat detection or threat intelligence solutions?

Yes: 51%
Considering these now: 29%
No: 19%


Lumension Security, a global leader in operational endpoint security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes vulnerability management, endpoint protection, data protection, and reporting and compliance offerings. Lumension is known for providing world-class customer support and services 24/7, 365 days a year.

For more information, visit www.lumension.com

This supplement was commissioned by Lumension and produced by SC Magazine, a Haymarket Media, Inc. brand.