BALBIX 2017 ENTERPRISE SECURITY SURVEY
Our goal with the Enterprise Security Survey was to gain a holistic understanding of the security challenges that were top-of-mind for CIOs and CISOs at the beginning of 2017. We set out by asking participants from hundreds of enterprises (including 250 of the Fortune 500) to identify key areas of security concern as well as the projects they have planned to address these issues. We received a tremendous response from 104 participants, with CIOs and CISOs representing the majority of respondents (57%), followed by security practitioners and other IT leaders (26%), and C-suite level executives and their colleagues (17%). After analyzing the results, we found three key areas of security that enterprises are focused on.
Table of contents
INTRODUCTION
MITIGATING A GROWING ATTACK SURFACE
- WEB AND PHISHING
- IDENTITY AND ACCESS
- INSIDER THREAT
- UNMANAGED DEVICES, NEW APPLICATIONS
- EMERGING AREAS
  • THIRD PARTY RISK
  • IOT
  • SHORTAGE OF SKILLED SECURITY PERSONNEL
PREVENTING ATTACK PROPAGATION
- SEGMENTATION
- IDS AND FIREWALL
- DATA LOSS
- EMERGING AREAS
  • SSL VISIBILITY
  • CLOUD SECURITY
MEASURING BREACH RISK
- VULNERABILITY MANAGEMENT
- GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE
- VISIBILITY AND RISK
- EMERGING AREAS
  • PENETRATION TESTING
  • CYBER INSURANCE
  • OPTIMIZATION OF SECURITY SPEND
CONCLUSION
SECURITY FOCUS: THREE KEY AREAS OF CONCERN
Our Findings
1. Mitigating a Growing Attack Surface
Enterprises continue to experience attacks through both traditional methods, such as web and email, and emerging new threats including unmanaged devices, IoT and malicious insiders. As a result, the attack surface is rapidly expanding and security teams are struggling to identify gaps and plug risks.
2. Preventing Attack Propagation
Given the vast and evolving attack surface, most of our respondents believe that preventing an enterprise breach, whether through a compromised laptop or via a cloud web application, is next to impossible. Understanding that an attack can be halted and damage averted if an adversary is restricted from lateral movement to access critical assets and exfiltrate data, enterprises are scrambling to employ methods that prevent propagation within the network.
3. Measuring Breach Risk
Traditionally, enterprises have focused on methods such as vulnerability assessment to measure and mitigate security breach risk. Given the limitations of VA and other testing methods, enterprises increasingly struggle with GRC and accurately assessing risk in their efforts to identify and prioritize key breach scenarios. Not surprisingly, we found significant interest in cyber insurance to reduce overall financial risk.
Nearly 100% of respondents are worried about their rapidly expanding attack surface
87% are concerned about attack propagation through lateral movement in their network
61% already have or are planning to obtain cyber insurance
MITIGATING A GROWING ATTACK SURFACE
The key goal of enterprise security is to mitigate the attack surface. However, defining the attack surface has become increasingly difficult. Historically, the enterprise perimeter was the attack surface and everything behind the firewall was safe. With Internet-connected laptops, smart phones and IoT, as well as server workloads running in private and public clouds, the concept of perimeter has vanished. Now, any device that has direct connectivity to the Internet can be considered on the perimeter, and thus can be attacked by an adversary. In our survey, we found several recurring areas of focus for blocking the initial point of attack.
Nearly 37% are uneasy when it comes to identity and access
25% are concerned about attacks on the web and phishing
19% of respondents have issues with unmanaged devices
Another 19% are worried about insider threats
WEB AND PHISHING
Phishing continues to be a key entry point for malware
Despite enterprises spending millions of dollars on security solutions, users are continuously targeted and exploited by social engineering attacks leveraging email and web. Controls that are based on signatures, such as anti-virus, are ineffective in blocking newer manifestations of malware, which is often unique to the organization and rapidly evolving. To reduce risk, enterprises seek to implement effective malware prevention tools. In addition, respondents expressed interest in both better user training and tighter endpoint controls, often a conflicting goal with BYOD. One area of emerging interest was in leveraging user behavior analysis to better evaluate risk on a per-user basis with the goal of creating dynamic security policies that adapt to the risk scenario.
IDENTITY AND ACCESS
75% are worried about secure access to SaaS applications
Projects seeking to improve identity and access management were a top priority for enterprises. Credential exposure is low-hanging fruit for an attacker and therefore represents a key area of vulnerability. A large number of attacks leverage poor password hygiene such as weak passwords and password sharing between enterprise and high-risk internet services. Preventing stolen or guessed credentials from being used to launch attacks on critical enterprise services was a key concern. Many critical enterprise services still rely upon single-factor authentication and leave themselves acutely susceptible to a breach. Two-factor authentication was likewise a key area of focus. Respondents also indicated marked interest in an authentication mechanism that adapts to the risk profile of the user; in particular, presenting remote users with more stringent authentication requirements.
INSIDER THREAT
Insider attack was a topic of great interest to respondents. Enterprises are understandably worried about rogue employees launching internal attacks as well as accessing sensitive data restricted to authorized accounts. Top security projects in this area include privileged user monitoring as well as stricter insider controls. Not surprisingly, respondents identified a challenge: restricting or controlling insider activity causes user resistance and harms productivity. One new area of interest was leveraging user behavior analysis to identify and limit damage from risky insider activity (such as through behavior-based authentication and authorization) without impacting legitimate operations.
84% of respondents are concerned about malicious insider risk
UNMANAGED DEVICES, NEW APPLICATIONS
Enterprise networks were once much more homogeneous in terms of types of devices joining the network, frequency of such devices, and deployed applications. Almost all devices on the network were limited to managed laptops, desktops and servers. Similarly, most applications were well understood, IT sanctioned apps. Today, the number of unmanaged devices and applications connected to an enterprise network is exploding, mostly owing to BYOD, Mobile, IoT and the enterprise’s own increased technology deployment rate. This trend represents a significant security risk. As a result, enterprises want automated and continuous discovery and tracking of unmanaged devices and applications as they appear on their network. Enterprises are also evaluating network access control as a mechanism to identify and limit access to unmanaged devices.
81% identified automatic inventory of devices and applications as active concerns
EMERGING AREAS
89% want to minimize risk from 3rd party vendors
62% expressed concerns with security of IoT devices
Third Party Risk
The Target breach has brought third party risk to the forefront of security concerns. For example, a vendor connecting to the corporate network or using a web-based service for submitting invoices introduces yet another attack vector into the enterprise. Given the limited control an enterprise has over the security posture of third party entities, analyzing and mitigating this type of risk is exceedingly challenging. Nearly all respondents identified this type of breach risk as a critical area of focus.
IoT
In the wake of the game-changing Mirai botnet attack, evaluating the security of IoT devices has become an emerging concern. Because IoT devices exist outside the radar range of enterprise monitoring and management, they are an attractive dark spot for an attacker to hijack. With an exponential growth in IoT predicted over the next five years, this type of attack vector is gaining a foothold as a major area of risk.
Shortage of Skilled Security Personnel
Many of our respondents noted the challenges in finding, hiring and retaining the requisite number of trained cyber security personnel to adequately defend their enterprises. The ongoing rapid scale up of security teams appears to be surfacing operational and organizational challenges. A common struggle, expressed particularly by non-Fortune 500 participants, is that the need to adopt new technologies outpaces the ability of their IT and security teams. Leaders are seeking new approaches and solutions that offer increased efficacy while requiring fewer human cycles.
PREVENTING ATTACK PROPAGATION
After an attacker has managed to gain an initial foothold into the enterprise, the search is on for objects to exploit. While the discovery phase can last weeks to months, identifying and blocking the attacker using legacy tools such as firewall and IDS is often an exercise in futility. Survey respondents identified preventing lateral movement of an attacker within the network as a key area of focus.
Almost 44% of respondents are worried about segmentation
30% have concerns about IDS and firewall
26% indicate interest in data loss protection
SEGMENTATION
Network segmentation is a key area of concern for enterprises wishing to reduce an attacker’s movement within their network. Respondents were especially focused on improving visibility and control. Ensuring visibility involves examining traffic flow within the enterprise and identifying potential malicious network activity. Enterprises are specifically monitoring inter- and intra-zone traffic to identify malicious behavior, with the intent of instituting a control piece to segment the network and prevent lateral movement. Currently, many enterprises are evaluating different network segmentation solutions. However, there is great concern that existing approaches are difficult to implement due to potential disruption to users and applications, and possibly unscalable. Furthermore, most existing solutions fail to account for real-time user or device risk. Despite current limitations, segmentation remains an area of active focus in the next year.
IDS and Firewall
Traditional network security components, IDS and Firewall, are likewise often deployed to halt the threat of lateral movement. Due to the nature of these legacy products, they can typically only be deployed at specific partitions within the network and are unable to provide visibility and protection at the granular level. Oftentimes, compliance is the driver that requires configuring these controls as compensating mechanisms. As a result, enterprises are increasingly wary of the effectiveness of these tools in stopping real attacks.
87% are concerned about attack propagation through lateral movement in the network
DATA LOSS
Enterprises all over the globe are worried about loss of sensitive data either as exfiltration by an attacker or a malicious insider. Recent publicized events have sparked renewed interest in evaluating data loss protection solutions and digital rights management. Traditionally, deploying DLP and rights management has proved challenging due to significant user impact. In addition, these technologies have often relied on static rules that are easy to break or circumvent. Now we are seeing renewed interest in leveraging advanced tools such as behavior analysis and artificial intelligence to identify real threats of data exfiltration without impacting users or apps.
EMERGING AREAS
SSL Visibility
Traditional network security components, IDS and Firewall, are often deployed to stop the threat of lateral movement. However, due to the nature of these legacy products, they can typically only be deployed at specific junctures of the network and cannot provide visibility and protection at the granular level. Oftentimes, compliance is a driver requiring some of these controls as compensating mechanisms. However, enterprises are increasingly wary of the effectiveness of these tools in stopping real attacks.
88% are looking at ways to make public cloud hosted enterprise apps secure
Cloud Security
With cloud-based workloads expected to explode over the next five years, there is a significant worry about attackers gaining entry to the enterprise cloud infrastructure in AWS or Azure and exfiltrating data. Traditional network security tools are not easily deployed in the public cloud, making cloud security an even more pressing challenge.
Enterprises are justifiably worried about loss of sensitive data either as exfiltration by an attacker or by an employee. These concerns are fueling renewed interest in advanced tools such as behavior analysis and artificial intelligence that can identify real threats of data exfiltration without impacting users or apps.
MEASURING BREACH RISK
Given the ever-increasing size of the attack surface and the various methods of compromise, enterprises are struggling to assess the true risk of a breach. Many respondents felt that there was a growing gap between perceived enterprise risk, as reported by GRC, and actual on-net breach risk. Traditional areas of risk measurement such as vulnerability testing are being revisited to increase effectiveness. There is a renewed focus on penetration testing as it provides a deeper analysis of breach risk to the enterprise. Respondents also indicated significant interest in cyber insurance and improved governance, risk and compliance management.
Almost 44% of respondents are worried about visibility and risk
39% voice concern about governance, risk and compliance
17% cite vulnerability management
VULNERABILITY MANAGEMENT
More than ever before, enterprises are questioning the effectiveness of traditional vulnerability testing. While vulnerability testing typically generates a plethora of system patch alerts, its limitations at assessing your entire attack surface are clear. As you are aware, system vulnerabilities are not equal: some have a higher likelihood of breach due to factors that include risky user behavior or traffic volume. It goes without saying that addressing vulnerabilities in systems that can be accessed to propagate an attack to sensitive network areas should take highest priority. Traditional vulnerability management solutions cannot adequately measure device impact, leaving your security team unable to reliably identify and respond to critical data. Lacking actionable insights, your high priority assets remain vulnerable and your security team subject to alert fatigue.
GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE
Enterprises continue to heavily invest in improved GRC initiatives. Key compliance programs include SOC2 and NIST as well as simplifying compliance implementation and verification. Given ever-increasing cyber risk and the spike in the number of major breaches over the last few years, enterprises are renewing their focus on GRC platforms and initiatives with a goal of both better risk measurement and reduction.
66% are concerned with regulatory compliance
81% want visibility across all devices, applications, users and risk factors across the enterprise
VISIBILITY & RISK
The rapidly expanding attack surface coupled with an alarming increase of attack vectors has made gaining network visibility a daunting task for your security team. The proliferation of deployed security products produces a massive number of alerts bombarding the SOC, making discerning real threats a huge challenge. As a result, incident response teams have exploded in size, with much of their effort wasted on chasing false positives while real threats remain undetected. In our survey, respondents expressed a pressing need to improve the effectiveness of their traditional SIEM and log management tools. More importantly, enterprises also indicate that along with complete visibility they require automatic and continuous risk analysis that can offer actionable insights.
EMERGING AREAS
More than 50% are conducting monthly or quarterly penetration tests
Penetration Testing
Increasingly, enterprises are conducting monthly and quarterly penetration tests. While vulnerability testing provides a device-centric risk context, pentesting provides a breach-centric view. Two major weaknesses inherent in pentesting are a high probability of human error, and lack of comprehensive coverage, given that only a portion of the entire network is sampled. In addition, pen-testing is not continuous, offering only point-in-time analysis. Respondents indicated a strong interest in automated and continuous pen-testing fueled by artificial intelligence to provide comprehensive breach risk assessment for their entire enterprise.
Cyber Insurance
Enterprises across the board report high interest in cyber insurance to protect against potential impact of a breach. One of the challenges identified with obtaining cost-effective cyber insurance was a lack of methodology to measure security risk. A typical enterprise has a hyper-dimensional attack surface comprising hundreds to thousands of device types and software. This infrastructure can be attacked in a mind-boggling number of ways, making computing security risk across the enterprise a formidable challenge. In order to provide a holistic risk profile for the entire enterprise, risk calculation must be automated, continuous and comprehensive.
Optimization of Security Spend
Alongside an increase in overall concerns about cyber security and attention from the board and C-suite, most companies surveyed have increased their security spend to address emerging attack vectors. That said, a majority of respondents wish to avoid investing in products that do not meaningfully reduce their organizations’ breach risk. Smaller organizations are particularly concerned about misallocating resources. Participants expect that ROI of security spend will increasingly figure into dialogs between security teams and corporate leadership in the months and years to come.
61% already have or are planning to get cyber insurance
65% are concerned about misspending on security products that do not work
CONCLUSION
The Facts are Clear. Your enterprise is facing unprecedented and growing risk from numerous attack vectors and increasingly sophisticated adversaries. Concurrently, your attack surface is expanding at an exponential rate, leaving your security team drowning in a deluge of alerts and reactive measures. To make matters worse, there are few reliable options for uncovering the areas of greatest breach risk to your enterprise, making meaningfully prioritizing mitigation efforts next to impossible.
Stop Reacting and Start Predicting. Chasing and plugging security holes is not only futile, but an inefficient use of valuable enterprise resources. What you need is a proactive approach to security that can automatically and continuously calculate and assess the breach risk for your enterprise across all attack vectors and provide actionable insights to your security team.
Okay Balbix: Optimize. With Balbix, your security team gains the risk visibility they need to prioritize efforts, and effectively evaluate applied security products. Best of all, by leveraging the power of AI and advanced machine learning, building a self-defending and self-healing enterprise network is now within reach.
Let’s Talk. We at Balbix are working towards transforming your security practice from reactive to predictive and would love to engage with you on this journey.
Reduce Risk and Gain Resilience with Balbix.
Copyright ©2017 Balbix, Inc. All rights Reserved. Balbix 3031 Tisch Way, Suite 800 San Jose, CA 95128 info@balbix.com 866 936 3180 www.balbix.com Design by M2Communications, Aalborg, Denmark
Predict. Prioritize. Prevent.