The Cost of Time to Identify and Contain Advanced Threats in Financial Services & Retail
A Study of North America & EMEA
Sponsored by Arbor Networks
Dr. Larry Ponemon, Ponemon Institute
Attackers Are Winning the Race
[Figure: two charts of proficiency against time. Left, the current efficiency gap: defender dwell time is increasing while the attacker timeline is decreasing. Right, the desired state.]
May 21, 2015 Ponemon Institute Private and Confidential
Goals for the study:
• Understand the challenges these particular verticals [Financial Services and Retail] face when it comes to identifying advanced threats and preventing attacks before they cause damage
• Compare the strategies of these two industries, as both get a lot of media attention when they experience a breach or a cyber attack because they handle some of the most sensitive data and have so many ripples of stakeholders
• We are thrilled to have sponsored the Ponemon Institute study, which was conducted with an extensive sample pool
Ponemon Institute LLC
The Institute is dedicated to advancing responsible information management practices that positively affect privacy, data protection and information security in business and government.
The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.
Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO's Government & Public Affairs Committee of the Board.
The Institute has assembled more than 65 leading multinational corporations into the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.
The majority of active participants are privacy or information security leaders.
Slide 4: Sample response (NA + EMEA)

Survey response                 Retail    Finserv
Sampling frame                  17,000    20,504
Total returns                   749       931
Rejected or screened surveys    74        87
Final sample (16 countries)     675       844
Response rate                   4.0%      4.1%
[Figure: respondent job level, one pie chart each for Retail and Finserv. Categories: Executive/VP, Director, Manager, Supervisor, Technician, Associate/staff, Consultant/contractor.]
Slide 6: Most promising technologies in the Cyber Kill Chain (three responses permitted)
Technologies that provide intelligence about networks and traffic: 71%
Technologies that isolate or sandbox malware infections: 63%
Technologies that secure information assets: 49%
Technologies that provide intelligence about attackers' motivation and weak spots: 41%
Technologies that secure the perimeter: 36%
Technologies that secure endpoints including mobile-connected devices: 22%
Technologies that simplify the reporting of threats: 13%
Technologies that minimize insider threats (including negligence): 5%
Slide 7: Steps taken to minimize or contain the impact of the AT
Installed controls to prevent infiltration: 48%
Implemented incident response procedures: 45%
Installed controls to quickly detect and block infiltration: 44%
Established threat sharing with other companies or government entities: 43%
Conducted specialized training for IT security team: 21%
Slide 8: Effectiveness in containing ATs (1 = low to 10 = high)
Rating 1 or 2: 5%
Rating 3 or 4: 8%
Rating 5 or 6: 25%
Rating 7 or 8: 36%
Rating 9 or 10: 27%
Slide 9: Attributions about security technologies (strongly agree and agree responses combined)
The greatest threats to my organization are targeted advanced attacks: 60%
Security technologies and personnel are effective in quickly detecting advanced threats: 57%
The greatest threats are denial of service attacks: 54%
Security technologies and personnel are effective in quickly detecting denial of service attacks: 49%
Security technologies and personnel are effective in containing advanced threats: 49%
Security technologies and personnel are effective in containing denial of service attacks: 48%
Slide 10: Steps taken to minimize or contain the impact of the DDoS attack (more than one response permitted)
Installed controls to quickly detect and block infiltration: 51%
Implemented incident response procedures: 47%
Installed controls to prevent infiltration: 46%
Established threat sharing with other companies or government entities: 45%
Conducted specialized training for IT security team: 19%
Other: 1%
Slide 11: 2015 IT security budget components (allocation of 100 points)
Technologies: 40
In-house personnel: 37
Managed (third party) services: 20
Other cash outlays: 3
Slide 13: Most promising technologies in the Cyber Kill Chain (three responses permitted)
Technologies that provide intelligence about networks and traffic: 64%
Technologies that isolate or sandbox malware infections: 55%
Technologies that secure information assets: 55%
Technologies that secure the perimeter: 42%
Technologies that provide intelligence about attackers' motivation and weak spots: 40%
Technologies that secure endpoints including mobile-connected devices: 26%
Technologies that simplify the reporting of threats: 13%
Technologies that minimize insider threats (including negligence): 5%
Slide 14: Steps taken to minimize or contain the impact of the AT
Installed controls to prevent infiltration: 42%
Installed controls to quickly detect and block infiltration: 37%
Implemented incident response procedures: 34%
Established threat sharing with other companies or government entities: 17%
Conducted specialized training for IT security team: 13%
Other: 1%
Slide 15: Effectiveness in containing ATs (1 = low to 10 = high)
Rating 1 or 2: 11%
Rating 3 or 4: 12%
Rating 5 or 6: 33%
Rating 7 or 8: 33%
Rating 9 or 10: 11%
Slide 16: Attributions about security technologies (strongly agree and agree responses combined)
The greatest threats to my organization are targeted advanced attacks: 61%
The greatest threats are denial of service attacks: 53%
Security technologies and personnel are effective in quickly detecting advanced threats: 43%
Security technologies and personnel are effective in quickly detecting denial of service attacks: 39%
Security technologies and personnel are effective in containing denial of service attacks: 39%
Security technologies and personnel are effective in containing advanced threats: 38%
Slide 17: Steps taken to minimize or contain the impact of the DDoS attack (more than one response permitted)
Installed controls to prevent infiltration: 41%
Installed controls to quickly detect and block infiltration: 38%
Implemented incident response procedures: 33%
Established threat sharing with other companies or government entities: 13%
Conducted specialized training for IT security team: 12%
Slide 18: 2015 IT security budget components (allocation of 100 points)
In-house personnel: 37
Technologies: 34
Managed (third party) services: 24
Other cash outlays: 4
Slide 20: Effectiveness in containing ATs and DDoS attacks (1 = lowest ability to 10 = highest ability; percentage of respondents who rated their ability 7 or higher)

                                            Retail    Financial services
Effectiveness in containing ATs             44%       63%
Effectiveness in containing DDoS attacks    31%       64%
Slide 21: Time-dependent metrics used to determine incident response effectiveness

                                                       Retail    Financial services
MTTI (mean time to identify)                           53%       62%
MTTC (mean time to contain)                            58%       66%
Other                                                  5%        5%
We don't utilize time-dependent operational metrics    40%       28%
Slide 22: Time it takes to detect and contain ATs (extrapolated days)

                                                   Retail    Financial services
Average MTTI experienced for advanced threats      196.5     98.1
Average MTTI experienced for denial of service     39.2      27.2
Average MTTC experienced for advanced threats      38.5      26.1
Average MTTC experienced for denial of service     18.0      12.7
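The MTTI and MTTC figures above are survey-based extrapolations. To report the same metrics from your own incident records you need the two intervals pinned down and a rule for incidents that have been identified but not yet contained. The Python below is an added example, not code from the Ponemon study or from Arbor Networks. It assumes MTTI is measured from the earliest evidence of compromise to identification and MTTC from identification to containment (the definitions the deck uses without spelling out), and it runs on a constructed set of five incident records rather than survey data. The sector and incident-kind labels, the Incident record type, days_after and the function names are all inventions of the example.

```python
"""Compute MTTI and MTTC from incident records.

Added example, not part of the Ponemon/Arbor study. Assumed definitions:
  MTTI = compromised_at -> identified_at   (mean time to identify)
  MTTC = identified_at  -> contained_at    (mean time to contain)
Incidents that are identified but still open count toward MTTI only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

SECONDS_PER_DAY = 86400.0


@dataclass(frozen=True)
class Incident:
    incident_id: str
    sector: str                        # "retail" or "financial" (labels assumed)
    kind: str                          # "advanced_threat" or "ddos" (labels assumed)
    compromised_at: datetime           # earliest evidence of attacker activity
    identified_at: datetime            # when the SOC confirmed the incident
    contained_at: Optional[datetime]   # None while the incident is still open


def is_consistent(inc: Incident) -> bool:
    """Timestamps must be ordered. Identification before compromise, or
    containment before identification, is a data error (clock skew, bad entry)
    that would silently pull the mean down if it were averaged in."""
    if inc.identified_at < inc.compromised_at:
        return False
    if inc.contained_at is not None and inc.contained_at < inc.identified_at:
        return False
    return True


def _days(delta: timedelta) -> float:
    return delta.total_seconds() / SECONDS_PER_DAY


def mtti_mttc(incidents, sector: str, kind: str) -> dict:
    """MTTI and MTTC in days for one sector/kind slice.
    Open incidents contribute to MTTI but not MTTC, so n_contained <= n_identified;
    n_open is reported so the exclusion stays visible next to the mean."""
    rows = [i for i in incidents if i.sector == sector and i.kind == kind]
    bad = [i.incident_id for i in rows if not is_consistent(i)]
    if bad:
        raise ValueError(f"inconsistent timestamps in incidents: {bad}")
    tti = [_days(i.identified_at - i.compromised_at) for i in rows]
    ttc = [_days(i.contained_at - i.identified_at)
           for i in rows if i.contained_at is not None]
    return {
        "sector": sector,
        "kind": kind,
        "n_identified": len(tti),
        "n_contained": len(ttc),
        "n_open": len(tti) - len(ttc),
        "mtti_days": mean(tti) if tti else None,
        "mttc_days": mean(ttc) if ttc else None,
    }


def summary(incidents) -> list:
    """One row per (sector, kind) combination present in the data, sorted."""
    keys = sorted({(i.sector, i.kind) for i in incidents})
    return [mtti_mttc(incidents, s, k) for s, k in keys]


# Constructed sample data (not survey data): five incidents across both sectors.
T0 = datetime(2015, 1, 1)


def days_after(n: float) -> datetime:
    return T0 + timedelta(days=n)


SAMPLE_INCIDENTS = [
    Incident("INC-001", "retail", "advanced_threat", days_after(0), days_after(120), days_after(150)),
    Incident("INC-002", "retail", "advanced_threat", days_after(10), days_after(250), days_after(300)),
    Incident("INC-003", "retail", "advanced_threat", days_after(40), days_after(130), None),  # still open
    Incident("INC-004", "financial", "advanced_threat", days_after(0), days_after(98), days_after(124)),
    Incident("INC-005", "financial", "ddos", days_after(5), days_after(5.5), days_after(7)),
]


if __name__ == "__main__":
    for row in summary(SAMPLE_INCIDENTS):
        print(f"{row['sector']:>9} {row['kind']:>15}  MTTI={row['mtti_days']:.1f}d  "
              f"MTTC={row['mttc_days']:.1f}d  open={row['n_open']}")
```

Two choices in the block matter more than the arithmetic. Open incidents are counted in MTTI but left out of MTTC rather than being given a placeholder containment date, and a record whose timestamps are out of order is rejected rather than averaged in; a handful of open or mis-entered records can move a mean by weeks, which is why n_open is reported beside MTTC.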
Slide 23: Will MTTI and MTTC improve in the next 12 months? (Yes responses)

                                                               Retail    Financial services
Do you expect MTTI to decrease (improve) over the next 12 months?    29%       42%
Do you expect MTTC to decrease (improve) over the next 12 months?    32%       40%
Slide 24: Steps taken to reduce the time it takes to detect attacks

                                                   Retail    Financial services
Integrate threat intelligence into IR function     74%       60%
Implement new forensic security tools              60%       40%
Increase security operations staff                 56%       41%
Improve triage process                             55%       50%
Introduce hunting team to look for attacks         40%       33%
Other                                              1%        1%
Caveats
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations germane to most web-based surveys.
• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
• Sampling frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners in various organizations in the United States. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a specified time period.
• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.
Moving Beyond Detect and Respond
• Use better indicators of attack
• See inside your entire network
• Threat hunting to find the attacks that matter and detect unknowns
• Contain attacks faster by seeing compromised infrastructure
Questions?
Ponemon Institute
Toll Free: 800.887.3118 Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA
Arbor Networks: [email protected]