
Page 1: Survey: Security Analytics and Intelligence


Survey: Security Analytics and Intelligence

A look at the impact of security threats and the use of security analytics and intelligence to mitigate those threats

© 2013, SolarWinds Worldwide, LLC. All rights reserved.

Conducted by SANS Institute, June/July 2013

Page 2: Survey: Security Analytics and Intelligence


Introduction

» SolarWinds, in conjunction with SANS, recently conducted a survey on Security Analytics and Intelligence with participation from over 600 IT professionals

» This presentation provides insight into IT budgets for security, difficulties faced in identifying attacks and breaches, and more

The Agenda

• Participants: Whom did we survey?

• Results: What did they say?

• Key Takeaways: What does the survey mean to you?

• Recommendations: What can you do?

SANS & SOLARWINDS IT SECURITY SURVEY 2013

Page 3: Survey: Security Analytics and Intelligence


Whom Did We Survey?

Participants: industry-wise

Government/Military            19.0%
Financial Services/Ba...       17.2%
Other                          15.6%
Education                       8.7%
High Tech                       8.7%
Healthcare/Pharmace...          8.2%
Telecommunications Ca...        7.0%
Manufacturing                   5.9%
Energy/Utilities                5.1%
Retail                          2.9%
Engineering/Construc...         0.9%
Hosting Service Prov...         0.9%

45% of the respondent organizations were from Federal, BFSI and Healthcare

Page 4: Survey: Security Analytics and Intelligence


IT Budget Spent on IT Security

• 45% of the survey takers were spending less than 20% of their IT budget on information security management, compliance and response

• Reading the chart, 37% spent 10% or less on it (21.3% under 5%, 16.0% at 6% to 10%)

Share of IT budget spent on IT security:

Unknown             40.0%
Less than 5%        21.3%
6% to 10%           16.0%
11% to 20%           7.9%
21% to 30%           7.3%
31% to 40%           2.0%
41% to 50%           1.2%
51% to 60%           0.9%
Greater than 60%     1.7%
Other                1.6%

IT Pro's Role: chart title only; its data was not recovered.

Page 5: Survey: Security Analytics and Intelligence


Threat Detection and Response


Page 6: Survey: Security Analytics and Intelligence


Difficulty in Detecting Threats

Number of attacks in the past two years that were difficult to detect:

No attacks (that we ...      33.4%
2 to 5                       23.5%
Unknown                      21.1%
1                             7.8%
6 to 10                       5.7%
11 to 20                      3.0%
21 to 50                      2.8%
51 to 100                     1.3%
More than 100                 1.3%

In the past two years, 45% of the respondent companies had 1 or more attacks that were difficult to detect.

Page 7: Survey: Security Analytics and Intelligence


Time Taken to Detect the Impact of the Attacks

• 30% of the organizations took up to a week to detect the impact

• 14% of them took about 1-3 months

Response bands (chart values not recovered): Within the same day; One week or less; A month or less; Three months or less; Five months or less; 10 months or less; More than 10 months; Unknown

Page 8: Survey: Security Analytics and Intelligence


Time Taken for Attack Remediation

• 35% of the companies took up to a week to remediate after initial knowledge of an attack

• About 11% of the companies took 1-3 months

Response bands (chart values not recovered): Within the same day; One week or less; A month or less; Three months or less; Five months or less; 10 months or less; More than 10 months; Unknown

Page 9: Survey: Security Analytics and Intelligence


Data Collection and Correlation


Page 10: Survey: Security Analytics and Intelligence


Top 3 Impediments to Discovering and Following Up on Attacks

Chart values (category labels not recovered): 39%, 21%, 19%

Page 11: Survey: Security Analytics and Intelligence


Types of Operational and Security Data Collected for Security Analytics

Top 3 Types of Data Currently Collected:

• Log data from network devices, servers and applications

• Monitoring data from firewalls, vulnerability scanners, IDS/IPS

• Access data

Data types asked about (stacked bars, 0% to 90%; legend: Currently collect / Plan to collect within 12 months / Don't plan to collect / Unknown):

• Log data from network (routers/switches) and servers, applications and/or endpoints

• Monitoring data provided through firewalls, network-based vulnerability scanners, IDS/IPS, UTMs, etc.

• Access data from applications and access control systems

• Unstructured data-at-rest and RAM data from endpoints (servers and end-user devices)

• Security assessment data from endpoint (aka from NAC/MDM scans), application and server monitoring tools

• Assessment and exception data (not on the whitelist of approved behaviors) taken from mobile/BYOD endpoints (aka from NAC/MDM scans)

• Monitoring and exception data pertaining to internal virtual and cloud environments

• Monitoring and exception data pertaining to public cloud usage

• Other

Top 3 Within 12 Months:

• Security assessment data from endpoint, application and server monitoring tools

• Monitoring and exception data from internal virtual and cloud environments

• Access data from applications and access control systems

Page 12: Survey: Security Analytics and Intelligence


How Satisfied are Organizations with their Security Tools?


Page 13: Survey: Security Analytics and Intelligence


Alarming Factor!!

59% of the organizations don’t know whether they are collecting security data in real time or not.


Page 14: Survey: Security Analytics and Intelligence


Correlation of Event Logs

• 30% of the organizations did not have any automated correlation of log data

• 45% of the organizations manually scripted searches based on hunches

• 39% of them had no third party intelligence tools

Correlation methods asked about (bars, 0% to 50%):

• Dedicated log management platform used for IT security and operations

• Use of SIEM technologies and systems

• Manual and manually-scripted searches based on evidence and hunches

• No automated correlation of logs, just manual scanning for exceptions by experts

• Advanced intelligence/threat profiling database

• Unstructured data analysis tools with NoSQL and other methods

• Hadoop or other free or distributed data analysis tools

• Other

Page 15: Survey: Security Analytics and Intelligence


More on Correlation

38% of the respondent organizations did not have log correlation for external threat intelligence tools

And guess what? 44% of the organizations are doing only up to 25% of their inquiries to detect threats in real time.

About 36% of the organizations never had any automated pattern recognition

Page 16: Survey: Security Analytics and Intelligence


Satisfaction with Current Analytics and Intelligence Capabilities

• About 59% of the organizations are not satisfied with their library of appropriate queries and reports

• 56% of the organizations are not satisfied with their relevant event context intelligence

• 56% of them have no visibility into actionable security events

Capability areas rated (mean score per area; chart axis 1.25 to 1.75):

• Producing or having a library of appropriate queries/meaningful reports

• Relevant event context (intelligence) to observe “abnormal behavior”

• Training/intelligence expertise

• Integration of other monitoring systems into collection processes (normalization/standards for data storage and translation)

• Costs for tools, maintenance and personnel

• Visibility into actionable security events across disparate systems and users

• Ability to alert based on exceptions to what is “normal” and approved

• Reduction of false positives and/or false negatives

• Performance and response time issues

• Other

• Storage capacity and access of data in needed formats

Page 17: Survey: Security Analytics and Intelligence


Primary Use Cases for Evaluation of Security Tools

24% - External malware

13% - Advanced persistent threats

11% - Compliance monitoring

Page 18: Survey: Security Analytics and Intelligence


Top 3 Future Investments in Security

Investment areas asked about (bars, 0% to 70%):

• Security information management t...

• Personnel/training to detect patt...

• Vulnerability management

• Network protections (UTM, IDS/IPS, ...

• Endpoint visibility

• Application protections and visibi...

• Intelligence products or services

• Analytics engines

• Other

Top 3 Future Investments in Security:

1. SIEM Tools

2. Training

3. Vulnerability Management

Page 19: Survey: Security Analytics and Intelligence


Key Takeaways

For truly effective security and threat management, organizations need to:

• Collect and correlate appropriate log and event data across all relevant sources throughout the IT infrastructure

• Handle larger volumes of log data efficiently

• Establish a baseline of “normal” behavior in order to identify anomalies

• Identify threats and attacks in real time

• Reduce the time between detection and response

• Implement the right tools for advanced analytics and intelligence

Page 20: Survey: Security Analytics and Intelligence


How Can SIEM Solutions Help You?

» Event correlation for event context and actionable intelligence

» Real-time analysis for immediate threat detection and mitigation

» Advanced IT search to simplify event forensics and expedite root cause analysis

» Built-in reporting to streamline security and compliance

65% of the organizations plan to direct their security investments toward SIEM systems
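The key takeaways (collect and correlate across sources, baseline “normal”, alert in real time) and the SIEM bullets describe the pipeline only in the abstract. The following is an added example, written for this page and not code from the deck, SANS or SolarWinds, of a tiny version of that pipeline in Python: three constructed log formats (an sshd syslog line, a firewall CSV export, a Snort-style IDS line) are normalised into one event shape; a stateful rule correlates repeated authentication failures and a subsequent success from the same source address inside a sliding window and attaches IDS context for that address; and a per-host baseline flags a host whose failure count today lies far outside its own history. Every hostname, address, threshold, format and count is assumed for illustration.

```python
"""Added example (not from the SANS/SolarWinds deck): collect -> normalise -> correlate
-> baseline, on constructed log lines. Hosts, IPs, formats and counts are made up."""
from __future__ import annotations
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass
class Event:
    ts: datetime
    source: str   # producing log: sshd, firewall, ids
    kind: str     # normalised type: auth_fail, auth_ok, fw_allow, fw_deny, ids_alert
    host: str
    src_ip: str

# Three constructed formats: syslog-style sshd, a firewall CSV export, a Snort-style IDS line.
SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for \S+ from (?P<ip>[\d.]+)")
FW_RE = re.compile(r"^(?P<ts>[^,]+),(?P<host>[^,]+),(?P<action>ALLOW|DENY),(?P<ip>[\d.]+),")
IDS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) snort: \[[^\]]*\] .+? \{\w+\} (?P<ip>[\d.]+):\d+ ->")

def parse(line: str) -> Event | None:
    """Map a raw line from any known source onto Event; None for unknown formats."""
    if m := SSHD_RE.match(line):
        kind = "auth_fail" if m["result"] == "Failed" else "auth_ok"
        return Event(datetime.fromisoformat(m["ts"]), "sshd", kind, m["host"], m["ip"])
    if m := FW_RE.match(line):
        return Event(datetime.fromisoformat(m["ts"]), "firewall", "fw_" + m["action"].lower(), m["host"], m["ip"])
    if m := IDS_RE.match(line):
        return Event(datetime.fromisoformat(m["ts"]), "ids", "ids_alert", m["host"], m["ip"])
    return None

def _expire(q: deque, now: datetime, window: timedelta) -> None:
    """Drop timestamps that have fallen out of the sliding window."""
    while q and now - q[0] > window:
        q.popleft()

def correlate(events, window=timedelta(minutes=5), threshold=5):
    """Stateful rule: >= threshold auth failures from one IP, then a success, inside
    `window` => brute-force-then-compromise. The alert carries context from another
    source (IDS alerts for the same IP in the window); no single log shows this."""
    fails: dict[str, deque] = defaultdict(deque)
    ids_hits: dict[str, deque] = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):       # sources arrive out of order
        _expire(fails[ev.src_ip], ev.ts, window)
        _expire(ids_hits[ev.src_ip], ev.ts, window)
        if ev.kind == "ids_alert":
            ids_hits[ev.src_ip].append(ev.ts)
        elif ev.kind == "auth_fail":
            fails[ev.src_ip].append(ev.ts)
        elif ev.kind == "auth_ok" and len(fails[ev.src_ip]) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "ip": ev.src_ip, "host": ev.host,
                           "ts": ev.ts, "fails": len(fails[ev.src_ip]),
                           "ids_alerts": len(ids_hits[ev.src_ip])})
            fails[ev.src_ip].clear()
    return alerts

def baseline_anomalies(history: dict[str, list[int]], today: dict[str, int], z: float = 3.0):
    """Baseline of 'normal' = each host's own daily auth-failure history; flag z-score outliers."""
    flagged = []
    for host, hist in history.items():
        mu, sd = mean(hist), pstdev(hist)
        score = (today.get(host, 0) - mu) / (sd or 1.0)   # flat history: divide by 1.0, not 0
        if score > z:
            flagged.append((host, round(score, 1)))
    return flagged

def run(lines, **rule_kwargs):
    """Collect, normalise, correlate. Returns (events, unparsed_count, alerts)."""
    events, unparsed = [], 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed += 1      # count it: a source you cannot parse is a blind spot
        else:
            events.append(ev)
    return events, unparsed, correlate(events, **rule_kwargs)

SAMPLE_LOGS = [  # constructed input (RFC 5737 documentation addresses), deliberately out of order
    "2013-06-10T09:00:00,fw-edge,ALLOW,203.0.113.7,10.0.0.5,22",
    "2013-06-10T09:03:10 web1 sshd[2230]: Accepted password for deploy from 203.0.113.7 port 5041 ssh2",
    "2013-06-10T09:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 5022 ssh2",
    "2013-06-10T09:00:20 web1 sshd[2204]: Failed password for root from 203.0.113.7 port 5023 ssh2",
    "2013-06-10T09:02:30 sensor1 snort: [1:100001:1] SSH brute force attempt {TCP} 203.0.113.7:40000 -> 10.0.0.5:22",
    "2013-06-10T09:00:45 web1 sshd[2208]: Failed password for admin from 203.0.113.7 port 5025 ssh2",
    "2013-06-10T09:01:10 web1 sshd[2211]: Failed password for admin from 203.0.113.7 port 5030 ssh2",
    "2013-06-10T09:01:50 web1 sshd[2215]: Failed password for deploy from 203.0.113.7 port 5033 ssh2",
    "2013-06-10T09:10:00 web1 sshd[2300]: Failed password for admin from 198.51.100.9 port 6000 ssh2",
    "this line is in a format the collector does not understand",
]
HISTORY = {"web1": [2, 3, 1, 2, 4, 3, 2], "db1": [0, 1, 0, 0, 1, 0, 0]}  # constructed 7-day history
TODAY = {"web1": 40, "db1": 1}                                           # constructed today's counts

if __name__ == "__main__":
    events, unparsed, alerts = run(SAMPLE_LOGS)
    print(f"{len(events)} events normalised, {unparsed} unparsed, alerts: {alerts}")
    print("baseline outliers:", baseline_anomalies(HISTORY, TODAY))
```

Run as-is it raises one alert for 203.0.113.7 (five failures, one success, one IDS hit in the window) and one baseline outlier (web1), while the lone failure from 198.51.100.9 stays quiet. Two points worth keeping from it: the rule fires only on a combination of events that no single source shows, which is what the deck means by event context; and an unparsed line is counted rather than dropped, because a source you cannot parse is exactly the visibility gap the satisfaction slide reports.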

Page 21: Survey: Security Analytics and Intelligence


SolarWinds Log & Event Manager

Log Collection, Analysis, and Real-Time Correlation

Collects log & event data from tens of thousands of devices & performs true real-time, in-memory correlation

Powerful Active Response technology enables you to quickly & automatically take action against threats

Advanced IT Search employs highly effective data visualization tools – word clouds, tree maps, & more

Quickly generates compliance reports for PCI DSS, GLBA, SOX, NERC CIP, HIPAA, & more

Built-in correlation rules, reports, & responses for out-of-the-box visibility and proactive threat protection


Page 22: Survey: Security Analytics and Intelligence


Thank You!
