Analyzing the Attack Surface
2016 Trends Report
How IT organizations are using automated tools to identify, analyze and prioritize vulnerabilities and misconfigurations
OCTOBER 2016
Prepared for Skybox® Security by Jon Friedman, CyberEdge
Contents
Overview and Executive Summary
Key Findings
Current Practices
Collecting and Discovering Data
Analyzing and Prioritizing Vulnerabilities and Misconfigurations
Remediation and Provisioning
Tasks Becoming Easier or More Difficult
Priorities Going Forward
Conclusions
Appendix: The Survey Population
About Skybox Security
Overview and Executive Summary
Enterprises today are under more pressure than ever to safeguard against attacks. They need to craft a comprehensive map of their ever-changing network, identify vulnerabilities and track down and correct misconfigurations in security and network devices, both in physical and virtual environments. This is an extremely challenging assignment. The IT organization must locate tens of thousands of vulnerabilities and misconfigurations concealed on its network, analyze and prioritize those vulnerabilities and misconfigurations and remediate the most critical. Clearly, automated tools are needed to perform these activities at scale. But what types of tools are needed most? How automated are IT security groups today? How satisfied are they with their capabilities and what are their priorities in terms of improving them?
This survey was designed to answer those questions while providing insight into the priorities of security practitioners. It includes responses from 275 IT professionals around the world who work at companies with 500 or more employees. The report presents data about topics such as:
>> Current practices: How is data on vulnerabilities and misconfigurations being used today?
>> Collecting and discovering data: What types of automated tools are used to collect and discover data?
>> Analyzing and prioritizing data: How satisfied are organizations with their current ability to analyze and prioritize vulnerabilities and misconfigurations?
>> Remediation and provisioning: Which remediation processes are most (and least) automated?
>> Priorities going forward: What areas related to managing vulnerabilities and misconfigurations are the highest priority for automation?
Skybox Security | Analyzing the Attack Surface
Key Findings
Some of the key findings of the survey include the following:
>> In general, organizations tend to be most automated in, and most satisfied with, their ability to push patches to servers and endpoints.
>> The areas where organizations were least automated and least confident were related to (a) collecting data about cloud-based systems and applications and (b) analyzing and remediating firewall rules that violate policies and regulations, making those the areas with the most room for improvement in the immediate future.
>> Remediation and provisioning processes (with the exception of pushing patches) were significantly less automated than other tasks covered in the survey.
>> Organizations using an attack surface visibility tool were significantly more likely to be satisfied with their capabilities to analyze and prioritize data. Having an attack surface visibility tool had a particularly strong impact on an organization’s satisfaction with its ability to address compliance issues and regulatory requirements.
>> The areas where improving automation is the highest priority in the immediate future are managing the remediation of vulnerabilities, analyzing and prioritizing vulnerabilities and managing the remediation of misconfigurations and rule violations.
Current Practices
How Data on Vulnerabilities and Misconfigurations is Used Today
Respondents were asked if they are currently using data on vulnerabilities and misconfigurations to help perform specific tasks, and if they are using this data continuously, frequently, occasionally or never. The majority of organizations use data about vulnerabilities and misconfigurations for all of the tasks shown in the graph below. This type of data is used continuously or frequently most often to prioritize vulnerabilities (by 76 percent of the respondents), to prioritize and track remediation (71 percent), to comply with regulations (69 percent) and to support incident response (69 percent). At the other end of the spectrum, just over half (56 percent) are using this data continuously or frequently to optimize and clean up firewall rules, making that the task area with the most room for improvement.
Skybox Recommendation
Every organization needs to take a data-driven approach to prioritizing vulnerabilities and tracking remediation efforts. The lack of a comprehensive, continuously updated mechanism can lead to vulnerabilities remaining open or man-hours misspent tracking low-priority vulnerabilities and remediations.
FIGURE 1: How often does your organization use data about vulnerabilities and misconfigured devices to:
[Bar chart, use continuously or use frequently: optimize and clean up firewall rules 56%; identify unmanaged or rogue devices 62%; ensure network segmentation 63%; perform changes to devices/firewalls 63%; assess risk posture of assets 67%; support incident response 69%; comply with regulations 69%; prioritize and track remediation 71%; prioritize vulnerabilities 76%.]
©Skybox Security www.skyboxsecurity.com
Where Organizations Have Formal Programs and Dedicated Staff
The survey asked whether the respondents’ companies had formal or informal programs for incident response, vulnerability management, risk and compliance assessment and threat analysis. It also asked if the organizations had full-time or part-time staff dedicated to these areas. At least two-thirds of the organizations had formal programs in the first three areas. The commitment to threat analysis was somewhat less: only 52 percent had formal programs, and 10 percent had no program. Almost all organizations had staff dedicated to these activities, but they were about evenly split between full-time staff and part-time assignments.
Skybox Recommendation
Manpower shortages in cybersecurity and the lack of an adequate budget can make it difficult to deploy a dedicated staff for the critical activities outlined in Figure 2. In such an environment, the use of automated tools is of critical importance. Survey results show that organizations using automated tools have increased satisfaction when it comes to performing these tasks.
FIGURE 2: Does your organization have programs and dedicated staff to manage:
[Bar chart for threat analysis, risk and compliance assessment, incident response and vulnerability management. Program: formal, informal, none. Dedicated staff: full-time, part-time, none.]
Collecting and Discovering Data
Satisfaction With Ability to Collect and Discover Data
The survey asked whether respondents were very satisfied, somewhat satisfied, somewhat dissatisfied or very dissatisfied with their organization’s ability to collect or discover data for several purposes. The respondents were most satisfied with their ability to collect data about vulnerabilities (81 percent somewhat or very satisfied with their ability to find vulnerabilities on hosts and servers, 75 percent with finding vulnerabilities on endpoints). In contrast, the respondents were least confident about their data collection capabilities relative to cloud-based systems and applications: 26 percent were somewhat or very dissatisfied and another 14 percent answered “don’t know.” This suggests that managing security data related to cloud computing is likely to be a priority in the coming year.
Skybox Recommendation
Too many organizations are dissatisfied with their ability to collect the information needed to safeguard operations and meet regulatory requirements. This is particularly true of cloud environments. As regulations become ever more burdensome, and the consequences of not meeting those requirements become more painful, organizations should investigate the use of tools that automate configuration, vulnerability and policy management operations.
FIGURE 3: How satisfied are you with your organization’s ability to collect or discover timely data about:
[Stacked bar chart (very satisfied, somewhat satisfied, don’t know, somewhat dissatisfied, very dissatisfied) for: vulnerabilities on hosts and servers; vulnerabilities on PCs, laptops and workstations; misconfigurations on servers and network devices; changes to network access policies; firewall rules that violate policies or regulations; configurations that violate policies or regulations; changes to device configurations; security controls: virtual systems and apps; security controls: cloud-based systems and apps.]
Automation of Data Collection and Discovery
The areas where respondents were most satisfied about their ability to collect and discover data are the same areas where they have the most automated tools. Ninety-two percent had an automated tool for detecting vulnerabilities on hosts and servers and 85 percent had one for detecting vulnerabilities on endpoints. Cloud computing was once again a bit of an outlier: only 54 percent of respondents had an automated tool in that area. Perhaps surprisingly, neither dissatisfaction nor the current level of automation was correlated with the intention to make changes; the percent of organizations planning to deploy a new tool or upgrade an existing one was fairly constant across all of the areas.
Skybox Recommendation
Automated tools can be used not just for detecting vulnerabilities but also for assessing security controls, as well as detecting policy violations and misconfigurations.
FIGURE 4: Does your organization use automated tools or plan to deploy or upgrade a new tool to:
[Bar chart (using an automated tool; plan to deploy or upgrade a tool) for: assess security controls on cloud-based systems and apps; assess security controls on virtual systems and apps; identify configurations that violate policies; detect firewall rules that violate policies; identify misconfigurations on servers and network devices; detect vulnerabilities on PCs, laptops and workstations; detect vulnerabilities on hosts and servers.]
Increased Satisfaction for Organizations Using an Attack Surface Visibility Tool
The survey included a question about whether the organization used an attack surface visibility tool. Such a tool provides a comprehensive graphic representation of an organization’s network topology, network connections and vulnerabilities. Organizations using attack surface visibility reported significantly higher satisfaction with their ability to collect and discover data.
In four of the five areas of activity, organizations with an attack surface visibility tool rated themselves “very satisfied” or “somewhat satisfied” with their security data collection capabilities at least 20 percent more often than those without a similar tool. This difference was most pronounced in the satisfaction scores for organizations looking to ensure configurations don’t violate policies or regulations. Eighty-nine percent of those that do use attack surface visibility tools report being satisfied with their ability to deploy appropriate configurations. This was a 30-point improvement over those that don’t use such tools.
Skybox Recommendation
Organizations can reduce the pain associated with security management by deploying an attack surface visibility tool. Having an advanced tool results in a significant increase in satisfaction.
FIGURE 5: How satisfied are you with your organization’s ability to collect or discover timely data about:
[Bar chart, very or somewhat satisfied, not using / using an attack surface visibility tool: configurations that violate policies or regulations 59% / 89%; firewall rules that violate policies or regulations 64% / 86%; misconfigurations on servers and network devices 65% / 87%; vulnerabilities on PCs, laptops and workstations 70% / 87%; vulnerabilities on hosts and servers 74% / 94%.]
Analyzing and Prioritizing Vulnerabilities and Misconfigurations
Of course, once data has been collected it must be analyzed, and vulnerabilities need to be prioritized so IT organizations know what to address first.
Factors Used to Prioritize Vulnerabilities and Misconfigurations
The survey asked about factors used to prioritize vulnerabilities and configurations. The highest-priority factors were the criticality of assets to be protected (rated as the first, second or third priority 64 percent of the time) and exposure to attack by outsiders (59 percent), followed by compliance requirements and CVSS scores (both 48 percent). In contrast, most respondents seemed perfectly ready to ignore input from top management (17 percent).
Skybox Recommendation
Security processes need to deal with both old and new vulnerabilities. Older vulnerabilities are likely to have exploits “in the wild,” while newer, zero-day vulnerabilities must be quickly identified and remediated before exploits become available.
FIGURE 6: Rank the factors your organization uses to prioritize vulnerabilities and misconfigurations:
[Bar chart, rated in top 3 factors: input from top management 17%; exposure to attack by rogue insiders 26%; age of the vulnerability or misconfiguration 29%; CVSS scores 48%; compliance requirements (PCI, HIPAA, etc.) 48%; exposure to attack by outsiders 59%; asset criticality 64%.]
Automation of Analysis and Prioritization
The survey asked where organizations were using automated tools to help with tasks related to analysis and prioritization. The tools most often in use were reported to be SIEM tools (84 percent), firewall management tools (83 percent), attack detection tools (81 percent) and vulnerability management tools (76 percent). In contrast, the least common tools were threat intelligence tools (62 percent), forensics tools (57 percent) and attack surface visualization tools (47 percent). As with data collection and discovery, plans to upgrade or deploy a tool do not seem to be correlated with whether the organization is satisfied or currently has a tool in that category.
Skybox Recommendation
Organizations should investigate newer types of tools for visualization, forensics and threat intelligence. They are an ever more important adjunct to existing SIEM and management tools.
FIGURE 7: Does your organization use the following tools to analyze and prioritize vulnerabilities and security risks, or plan to deploy a new tool or upgrade a current tool:
[Bar chart (using a tool; plan to deploy or upgrade a tool) for: attack surface visualization product; forensics tool; threat intelligence tool; incident management tool; vulnerability management tool; attack detection tool; firewall management tool; SIEM tool.]
Satisfaction With Analyzing and Prioritizing
Respondents were most satisfied with their organization’s ability to analyze and prioritize vulnerabilities on hosts, servers and endpoints, with 76 percent somewhat or very satisfied and only 19 percent somewhat or very dissatisfied. Dissatisfaction was significantly higher in three other areas: ability to analyze and prioritize misconfigurations on servers and network devices (30 percent somewhat or very dissatisfied), policy violations in system and data access rules (31 percent) and policy violations in firewall rules (32 percent).
Skybox Recommendation
The penalties for not meeting regulatory requirements are becoming tougher. Dealing with security misconfigurations and deploying appropriate policy rules is now an imperative — for security as well as legal reasons.
FIGURE 8: How satisfied are you with your organization’s ability to analyze and prioritize vulnerabilities and misconfigurations?
[Stacked bar chart (very satisfied, somewhat satisfied, don’t know, somewhat dissatisfied, very dissatisfied) for: vulnerabilities on hosts, servers and endpoints; misconfigurations on servers and network devices; systems and data access rules that violate policies or regulations; firewall rules that violate policies or regulations.]
Increased Satisfaction for More Automated Organizations
Organizations that were more automated had significantly higher levels of satisfaction about their capabilities to analyze and prioritize security data. For example, organizations that had somewhat or very automated processes for provisioning firewalls and security devices were, for most tasks, at least 30 percent more likely to be very or somewhat satisfied with their capabilities. The same general results applied to organizations that had somewhat or very automated processes for remediating misconfigurations on servers.
Skybox Recommendation
With a direct correlation between deployment of automated tools and increased satisfaction in meeting critical security needs, all organizations should investigate tools that automate critical security functions.
FIGURE 9: How satisfied are you with your organization’s ability to analyze and prioritize:
[Bar chart, very or somewhat satisfied, split by whether processes for provisioning firewalls and security devices are somewhat or very automated or primarily or completely manual, for: firewall rules that violate policies or regulations; system and data access rules that violate policies or regulations; misconfigurations on servers and network devices; vulnerabilities on hosts, servers and endpoints.]
FIGURE 10: How satisfied are you with your organization’s ability to analyze and prioritize:
[Bar chart, very or somewhat satisfied, split by whether processes for remediating misconfigurations on servers are somewhat or very automated or primarily or completely manual, for: firewall rules that violate policies or regulations; system and data access rules that violate policies or regulations; misconfigurations on servers and network devices; vulnerabilities on hosts, servers and endpoints.]
Increased Satisfaction for Organizations Using an Attack Surface Visibility Tool
Organizations with an attack surface visibility tool were also much more likely to be satisfied with their ability to analyze and prioritize vulnerabilities and misconfigurations. In three of the four areas they were at least 27 percent more likely to be very or somewhat satisfied compared to organizations without that type of tool. This chart also indicates that attack surface visibility tools are especially valued for their ability to address compliance issues and regulatory requirements. Organizations with these tools were a whopping 33 percent more likely than those without them to be very or somewhat satisfied with their ability to analyze and prioritize system and data access rules that violate policies or regulations. The increased likelihood of satisfaction is a similar 32 percent for analyzing and prioritizing firewall rules that violate policies.
Skybox Recommendation
Organizations needing to easily deploy and enforce policies and regulations while dealing with misconfigurations and vulnerabilities should investigate the use of attack surface visibility tools to gain full awareness of their security posture.
FIGURE 11: How satisfied are you with your organization’s ability to analyze and prioritize the following vulnerabilities and misconfigurations?
[Bar chart, very or somewhat satisfied, not using / using an attack surface visibility tool: firewall rules that violate policies or regulations 51% / 83%; system and data access rules that violate policies or regulations 52% / 85%; misconfigurations on servers and network devices 55% / 82%; vulnerabilities on hosts, servers and endpoints 74% / 87%.]
Remediation and Provisioning
Automation of Remediation and Provisioning
IT groups not only want to analyze and prioritize vulnerabilities and misconfigurations quickly and accurately, they also need to respond rapidly by remediating the most important. However, the survey revealed that automation tends to be much lower for tasks related to remediation and provisioning. Respondents indicated that a large majority of organizations are somewhat or very automated for pushing patches to PCs, laptops and workstations (81 percent) and for pushing patches to servers (74 percent). However, in all of the other areas, including remediating misconfigurations and provisioning firewalls, less than half were somewhat or very automated. Forty-four to 53 percent were either primarily or completely manual for those tasks. In fact, given the central role that firewalls play in cybersecurity, it is rather surprising that the process for remediating firewall rules that violate policies is primarily or completely manual at more than half of the organizations (53 percent).
Skybox Recommendation
The automation of pushing patches is not enough. Organizations need to switch from cumbersome, time-consuming manual processes to a more automated approach for their remediation and provisioning efforts.
FIGURE 12: How automated are your organization’s processes for the following tasks:
[Stacked bar chart (very automated, somewhat automated, don’t know, primarily manual, completely manual) for: pushing patches to PCs, laptops and workstations; pushing patches to servers; remediating misconfigurations on servers; provisioning firewalls and security devices; remediating misconfigurations on network devices; provisioning firewall rules; remediating systems and data access rules; remediating firewall rules that violate policies.]
Tasks Becoming Easier or More Difficult
Are Improvements Outpacing Challenges?
The survey asked whether the organization’s ability to perform specific tasks had become easier, stayed the same or become more difficult over the past year. This is one way of assessing whether improvements made in the last 12 months (such as better tools and increased staffing) were outpacing or falling behind challenges (such as more threats and more applications to protect). The trend seems to be positive: in every area 23-27 percent of the respondents said “easier” and only 12-17 percent said “more difficult.”
Skybox Recommendation
Organizations should take note that some of their peers have seen improvements in their ability to perform critical security functions as a result of recent advances in technology.
FIGURE 13: Over the past year, has your organization’s ability to perform tasks become easier, stayed the same or become more difficult?
[Stacked bar chart (has become easier, has stayed the same, has become more difficult) for: clean up firewall rules; detect misconfigurations and vulnerabilities on firewalls; perform rule reviews and certifications on firewalls; optimize firewalls for best performance; audit firewalls; analyze proposed firewall rule changes.]
As shown in the chart below, 30-35 percent of organizations using an attack surface visibility tool reported better results over the past year, while only 17-22 percent of those without such a tool described the tasks as becoming easier.
Skybox Recommendation
Attack surface visibility tools should be utilized to improve security operations. Survey results show that users of such tools show significant improvement in the ease with which they improve operations.
FIGURE 14: Over the past year, has your organization’s ability to perform tasks become easier, stayed the same or become more difficult?
[Bar chart, has become easier, not using / using an attack surface visibility tool: analyze proposed firewall rule changes 18% / 30%; audit firewalls 22% / 32%; optimize firewalls for best performance 17% / 30%; perform rule reviews and certifications on firewalls 19% / 32%; detect misconfigurations and vulnerabilities on firewalls 17% / 35%; clean up firewall rules 21% / 33%.]
Priorities Going Forward
Priorities to Improve Automation
The survey asked whether improving automation in specific areas was a very high priority, a high priority, a medium priority or a low priority. The tasks which are going to get the most attention in the near future are managing the remediation of vulnerabilities (high or very high priority for 69 percent), analyzing and prioritizing vulnerabilities (65 percent) and managing the remediation of misconfigurations and rule violations (63 percent).
Skybox Recommendation
The various functions are of near-equal priority. A tool that assists operations in all these critical functions should be utilized.
FIGURE 15: How high a priority is it to your organization to improve automation in the following areas:
[Stacked bar chart (very high priority, high priority, medium priority, low priority, don’t know) for six areas, beginning with managing the remediation of vulnerabilities.]
Value of Security Analytics Tools
A final question asked whether obtaining a security analytics tool with certain capabilities would have very high value, high value, moderate value or low value. Organizations that already had such tools were excluded from the results. The capabilities most valued were the ability to collect and correlate vulnerability data from many tools (high or very high value for 63 percent), modeling attack paths to identify how attackers can reach important assets (62 percent) and a dashboard showing location and systems with the highest risk (61 percent).
Skybox Recommendation
Just as the various security operations are of near equal priority, so are the capabilities required from security analytics tools. Organizations should utilize a multi-function analytics tool to improve their security posture.
FIGURE 16: How valuable would it be for your organization to have a security analytics tool with these capabilities:
[Stacked bar chart (very high value, high value, moderate value, low value) of those that don’t already have a tool, with the share that already have a tool shown separately, for: ability to collect and correlate vulnerability data from many tools; attack path modeling to identify where attackers can chain multiple vulnerabilities to access important assets; dashboard showing locations and systems with highest risk; analytics engine to automatically prioritize vulnerabilities and generate alerts; advanced threat reporting so managers can identify patterns in vulnerabilities; ability to correlate threat intelligence with vulnerabilities found in the enterprise.]
Conclusions
Enterprises today are still struggling to uncover Indicators of Exposure (IOEs) and analyze, prioritize and correct vulnerabilities and misconfigurations. At the same time, the survey results suggest progress. Significantly more respondents said that the ability to perform key tasks has become easier in the last 12 months than said the tasks have become more difficult.
The data also shows a clear correlation between automated processes and satisfaction. Those task areas where the most organizations used automated tools were also the areas where the most organizations were satisfied with their ability to perform the tasks, and the fewest were dissatisfied. For example, a near-perfect 92 percent of organizations use an automated tool to detect vulnerabilities on hosts and servers, while only 54 percent use an automated tool to assess security controls on cloud-based systems and apps. This correlates with satisfaction: 81 percent are somewhat or very satisfied with their capabilities in the former area and only 60 percent in the latter.
Attack Surface Visualization

The survey took a close look at the value of using an attack surface visibility tool, and found it to be significant. For tasks involving collecting and discovering security data, organizations with an attack surface visibility tool tended to be somewhat or very satisfied 20-30 percent more often than their peers without such a tool. For tasks related to analyzing and prioritizing data, organizations with an attack surface visibility tool were satisfied from 13 percent to 33 percent more often.

Organizations emphasizing compliance and policy enforcement should be especially alert to opportunities to deploy an attack surface visibility tool. The survey data showed that organizations using an attack surface visibility tool were significantly more likely to be satisfied with their capabilities to analyze and prioritize data.
Areas of Improvement

The data also points to areas that need improvement, particularly for tasks involving remediation and provisioning. Around half of the organizations (between 44 percent and 53 percent) have processes that are primarily or completely manual for activities such as remediating misconfigurations on servers, provisioning firewall rules, remediating systems and data access rules and remediating firewall rules that violate policies.

There were also weak spots in other areas; for tasks involving data collection, respondents were least satisfied with the ability to collect data about security controls on virtual systems and with security controls on cloud-based systems and applications. Automated tools are needed to improve performance in these areas. This survey provides data on what processes for detecting, prioritizing and remediating vulnerabilities and misconfigurations are most and least automated today.
Current and Future Role of Automation

The extent of automation of processes related to vulnerabilities and misconfigurations, and satisfaction with current capabilities, tend to go together. For the most part, both are highest for tasks related to collecting and discovering data, a bit lower for tasks related to analyzing and prioritizing data and lowest for remediation tasks (except for pushing patches, which is highly automated). This pattern suggests that many organizations can profit from investing in tools to automate aspects of remediation (and provisioning rules to devices and firewalls), although automation in other areas will also increase satisfaction.
Appendix: The Survey Population

This report incorporates data collected from IT professionals at 275 enterprises and government agencies with 500 or more employees. Respondents were only surveyed if they answered “yes” to the question: “Are you knowledgeable about how your organization collects, analyzes and uses information about vulnerabilities and/or misconfigured network security devices?”

Of the companies surveyed, 17 percent had 500-999 employees, 27 percent had 1,000-4,999, 16 percent had 5,000-9,999 and 40 percent had 10,000 or more employees. A majority of the respondents were located in North or South America (167), but 76 resided in Europe, 20 in the Middle East and Africa and 12 in Asia and the Pacific region. The organizations surveyed belong to a wide range of industries, led by financial services, IT services, healthcare and pharmaceutical, as well as government organizations. Respondents were drawn from a variety of security, management and specialist roles.
FIGURE 17: Respondent companies by employee size
500-999 employees: 17%
1,000-4,999 employees: 27%
5,000-9,999 employees: 16%
10,000+ employees: 40%

FIGURE 18: Respondent companies by region
Americas: 167
Europe: 76
Middle East/Africa: 20
Asia/Pacific: 12
FIGURE 19: Primary industry (axis: Respondents)
Financial services, banking and insurance: 68%
IT service provider or integrator: 20%
Healthcare and pharmaceutical: 20%
National government: 19%
Energy and utilities: 18%
Technology: 16%
Manufacturing: 16%
Regional government: 13%
Telecommunications: 13%
Education: 13%
Retail and consumer services: 10%
Other: 49%
FIGURE 20: Primary role (axis: Respondents)
Security architecture: 52%
Security operations/incident response: 36%
Security monitoring/analytics: 26%
Desktop or system administration: 25%
Network operations: 22%
CISO/VP of security: 21%
Risk/compliance management: 21%
CIO/VP of IT: 15%
Firewall administrator: 10%
Other: 47%
About Skybox Security

Skybox arms security leaders with a powerful set of integrated security solutions that give unprecedented visibility of the attack surface and key Indicators of Exposure (IOEs), such as exploitable attack vectors, hot spots of vulnerabilities, network security misconfigurations and risky access rules. By extracting actionable intelligence from data using modeling, simulation and analytics, Skybox gives leaders the insight needed to quickly make decisions about how to best address threat exposures that put their organization at risk, increasing operational efficiency by as much as 90 percent. Our award-winning solutions are used by the world’s most security-conscious enterprises and government agencies for vulnerability management, threat intelligence management and security policy management, including Forbes Global 2000 enterprises.
www.skyboxsecurity.com | info@skyboxsecurity.com | +1 408 441 8060
Copyright © 2016 Skybox Security, Inc. All rights reserved. Skybox is a trademark of Skybox Security Inc. All other registered or unregistered trademarks are the sole property of their respective owners.