The Shifting State of Endpoint Risk: Key Strategies to Implement in 2011
May 18, 2015
Today’s Agenda
2011 Trends in the Threat Landscape
State of Endpoint Risk 2011:Survey Results
Summary and Recommendations
Q&A
Today’s Panelists
Dr. Larry Ponemon, Founder, Ponemon Institute
Paul Henry, Security & Forensics Analyst (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE)
2011 Threat Trends
1. State-sponsored cyber crime will become a regular occurrence
2. Social media goes deeper – increasing threats
3. Security will finally arrive for virtualization
4. Wikileaks will not go away
5. Mobile devices will come under greater attack
6. VoIP will be used as a covert channel in data breaches
7. Medicare fraud via ID theft will see explosive growth
View Paul’s entire blog at: http://blog.lumension.com/?p=3507
State of Endpoint Risk 2011: Survey Results
Ponemon Institute LLC
• The Institute is dedicated to advancing responsible information management practices that positively affect privacy and data protection in business and government.
• The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.
• Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as chairman of CASRO’s Government & Public Affairs Committee of the Board.
• The Institute has assembled more than 50 leading multinational corporations into the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.
Project Summary
• The purpose of this study is to determine how effective organizations are in the protection of their endpoints and what they perceive are the biggest obstacles to reducing risk.
• Our study involves 564 respondents located in the United States who are deeply involved in their organization’s IT function.
» 51 percent are managers or hold higher positions in their organizations.
» 50 percent report directly to the chief information officer (CIO).
» 21 percent report to the chief information security officer (CISO).
» 28 percent work in IT security.
» 22 percent are in IT operations.
» 21 percent are in IT management.
Survey response | Freq. | Pct% of sampling frame
Total sampling frame | 11,896 | 100.0%
Bounce-backs | 1,875 | 15.8%
Total survey responses | 782 | 6.6%
Rejected surveys | 65 | 0.5%
Final sample | 717 | 6.0%
Final sample after screening | 564 | 4.7%
Industry distribution of the 564 respondents
Financial services: 19%
Public Sector: 13%
Health & pharmaceuticals: 11%
Services: 8%
Retailing: 7%
Technology & software: 6%
Research & education: 5%
Industrial: 5%
Transportation: 5%
Communications: 4%
Consumer products: 4%
Hospitality: 4%
Defense: 3%
Entertainment and media: 3%
Other: 3%
Attributions About Endpoint Security (Agree / Disagree)
We have ample resources to minimize IT endpoint risk throughout our organization: 37% agree / 63% disagree
Our endpoint security operations are well managed: 38% agree / 62% disagree
Existing blacklisting technologies (anti-virus/anti-malware) are effective in managing endpoint security risks: 39% agree / 61% disagree
IT executives are supportive of our organization’s endpoint security operations: 41% agree / 59% disagree
Our IT endpoint risk management procedures and policies are well documented: 41% agree / 59% disagree
New whitelisting technologies make it easier to efficiently manage endpoint security risks: 42% agree / 58% disagree
Our IT and security personnel are qualified to execute endpoint security operations: 51% agree / 49% disagree
Agree = strongly agree and agree combined. Disagree = unsure, disagree and strongly disagree combined.
Is your IT network more secure now than it was a year ago?
Yes: 36%
No: 36%
Unsure: 28%
The study finds that the majority of respondents believe their organizations’ endpoints are vulnerable to attack: 64 percent say their organizations’ IT networks are not more secure than last year (36 percent) or are unsure (28 percent).
Which of the following incidents happened during the past year?
Denial of service attack: 11%
Targeted cyber attacks: 26%
Cyber attack on mobile platform: 37%
Loss of sensitive data by a third party: 45%
Spyware network intrusion: 46%
Botnet attack: 56%
Loss of sensitive data by a malicious insider: 61%
Loss of sensitive data by a negligent insider: 89%
Theft of desktops, laptops or other devices: 95%
Virus or malware network intrusion: 98%
Organizations face a variety of incidents that threaten the security of the endpoint. During the past year, 98 percent have had virus or malware network intrusions and 95 percent have had desktops, laptops or other devices stolen. Eighty-nine percent have lost sensitive data because of a negligent insider and 61 percent because of a malicious insider.
Which incidents are you seeing frequently in your IT network?
Other: 21%
Rootkits: 23%
Clickjacking: 25%
Existing software vulnerability > 3 months old: 26%
Spyware: 27%
Existing software vulnerability < 3 months old: 30%
Zero day attacks: 34%
SQL injection: 38%
Botnet attacks: 64%
Web-borne malware attacks: 75%
General malware: 92%
The most frequently encountered IT network incidents are general malware attacks (92 percent of respondents), web-borne malware attacks (75 percent), botnet attacks (64 percent) and SQL injection (38 percent).
Have your malware incidents increased over the past year?
Yes, major increase: 43%
Yes, but only slight increase: 22%
No, they stayed the same: 15%
No, they have decreased: 9%
Not sure: 11%
43 percent of respondents say there has been a major increase in malware attacks and 22 percent say there has been a slight increase over the past year. Only 9 percent of respondents believe malware attacks have decreased over the past year.
How many malware incidents does your org deal with monthly?
Fewer than 5: 6%
5 to 10: 11%
10 to 25: 21%
25 to 50: 27%
More than 50: 35%
35 percent of respondents say they deal with more than 50 malware incidents each month, and another 27 percent encounter between 25 and 50 per month. More than 50 incidents a month means, on average, more than one malware attack per day.
Where is the greatest rise of potential IT risk? (Top 3 choices)
Our data centers: 9%
Removable devices and/or media: 10%
Within operating systems: 11%
Network infrastructure environment: 11%
Smart phones (Blackberry, iPhone, Android): 14%
Cloud computing infrastructure and providers: 18%
Virtual computing environments: 20%
Our server environment: 32%
Insider risk: 37%
Across 3rd party applications: 39%
PC desktop/laptop: 48%
Mobile/remote employees: 50%
Mobile/remote employees (50 percent), PC desktops/laptops (48 percent) and third-party applications (39 percent) are cited most often as the source of the greatest rise in potential IT risk. Only 11 percent say the network infrastructure environment (gateway to endpoint) or vulnerabilities within their operating systems are driving greater potential IT risk, 10 percent cite removable devices such as USB sticks and/or media such as CDs, and 9 percent cite data centers.
Which one incident represents your biggest headache?
Spyware: 2%
Botnet attacks: 5%
Clickjacking: 8%
Existing software vulnerability < 3 months old: 11%
Existing software vulnerability > 3 months old: 16%
SQL injection: 23%
Zero day attacks: 35%
The top three incidents that present the most difficult challenges for respondents are zero day attacks (35 percent), SQL injection (23 percent) and the exploitation of existing software vulnerabilities more than three months old (16 percent).
Which are the greatest IT security risks next year? (Top 3 concerns)
The list below gives, in descending order, what respondents perceive as the seven most serious security risks their organizations will face in the next 12 months; the first three are the predicted top three risks:
Increasing number of cyber attacks: 61%
Negligent insiders: 50%
Cloud computing: 49%
Insufficient IT budget & resources: 47%
Application risk & vulnerabilities: 46%
Increasing sophistication of cyber attacks: 40%
Lack of coordination between security & operations: 36%
Which endpoint technologies does your org use?
Device control (USB, removable media): 26%
Application whitelisting (endpoint): 29%
Data loss prevention (DLP): 33%
Endpoint management & security platforms: 40%
Application control firewall: 47%
Configuration management: 49%
Network access control (NAC): 49%
Vulnerability assessment: 51%
Patch & remediation management: 53%
File or disk encryption: 56%
Intrusion detection: 57%
Endpoint firewall: 60%
Anti-virus & anti-malware: 98%
Nearly everyone (98 percent) has anti-virus and anti-malware technologies in place, followed by endpoint firewalls (60 percent) and intrusion detection systems (57 percent).
Which endpoint technologies are most effective?
Intrusion detection: 19%
Data loss prevention (DLP): 23%
Patch & remediation management: 38%
Configuration management: 39%
Application whitelisting (endpoint): 44%
Network access control (NAC): 46%
File or disk encryption: 51%
Application control firewall: 52%
Anti-virus & anti-malware: 57%
Device control (USB, removable media): 57%
Endpoint firewall: 59%
Endpoint management & security platforms: 61%
Vulnerability assessment: 70%
Respondents reveal what we refer to as the gap between the technologies used and the technologies considered most effective: anti-virus is deployed by 98 percent of organizations but rated among the most effective by only 57 percent, while device control and application whitelisting are rated effective by more respondents (57 and 44 percent) than actually deploy them (26 and 29 percent).
Is your IT organization’s operating cost increasing?
Yes 48%
No 41%
Unsure 11%
What are the main cost drivers to increasing IT OPEX?
Increasing help desk calls: 31%
Reimaging of endpoints: 35%
IT staff bandwidth consumption: 40%
Lost employee productivity: 64%
The two main cost drivers are lost employee productivity (64 percent) and IT staff bandwidth consumption (40 percent). With respect to bandwidth, this has become a critical issue as IT and end-users access Internet sites that provide rich content such as videos.
Does your org have application installation and usage policies?
Yes, we only allow IT sanctioned applications to be used and have the means to enforce this policy: 29%
Yes, we only allow IT sanctioned applications to be used but we cannot enforce this policy: 38%
No, we allow any applications to be used: 33%
Organizations are, however, leaving their endpoints vulnerable by allowing the indiscriminate use of applications or by not enforcing policies governing the appropriate use of applications. As the chart shows, 38 percent of respondents have policies regarding application installation and usage but cannot enforce them, and one-third of organizations allow any applications to be used; only 29 percent both restrict applications to IT-sanctioned ones and have the means to enforce that restriction.
Endpoint apps - what are the greatest challenges? (Top 3 choices)
Identifying and managing application usage: 17%
Scanning and cleaning applications for malware: 20%
Ability to “sandbox” applications and analyze their behavior: 23%
License metering and reporting: 30%
Discovering what applications are trafficking on the IT network: 32%
Restricting what applications enter the IT network through the gateway: 34%
Ensuring that vulnerable applications are patched: 42%
Discovering what applications are residing on the network: 47%
Preventing applications from being installed or executing on our endpoints: 55%
The top three challenges with respect to endpoint applications are: preventing applications from being installed or executing on endpoints (55 percent), discovering what applications are residing on the network (47 percent) and ensuring that vulnerable applications are patched (42 percent).
What application management capabilities does your org have?
Respondents say they have the following capabilities in place or plan to implement them in the next 12 months:
Ability to discover all applications in use on the IT network: 33%
Ability to block use of specific applications across roles, departments, groups: 35%
Ability to restrict application executable files from running on endpoints: 36%
Ability to force encryption of files and content types (SSN, bank acct no., etc.) onto removable devices (USB, CD, DVD etc.): 41%
Ability to filter, restrict, and encrypt content based on context (SSN, bank acct no., etc.): 43%
Ability to limit access to specific application functionality (read access, write access, file transfer): 49%
Ability to detect viruses and promptly clean infected systems: 71%
Which Web 2.0 challenges are of greatest concern?
Impact on IT network resources: 20%
Increasing risk of data loss/theft: 39%
Impact to user productivity: 42%
Increasing malware introduction: 48%
Increasing risk of inadvertent exposure of confidential data: 51%
Ability to identify applications in use across the IT network: 59%
The concern respondents have about negligent and malicious insiders is reflected in how they expect Web 2.0/social media to affect their information risk environment. The top Web 2.0/social media challenges facing respondents’ organizations are: the ability for IT to identify applications in use across the IT network (59 percent), the risk of inadvertent exposure of confidential data (51 percent) and increasing malware introduction (48 percent).
Are any of these applications forbidden by policy or blocked?
Yes 49%
No 45%
Unsure 6%
When it comes to IT security, which applications concern you the most in terms of increasing vulnerabilities and IT risk?
Web applications Pct%
Mozilla Firefox 2%
Apple apps 8%
VMware 14%
Apple/Mac OS 15%
WinZip 19%
Oracle applications 39%
Microsoft OS/applications 44%
Google Docs 46%
Adobe 54%
3rd party applications outside of Microsoft 58%
Do you have a dedicated team for patch/vulnerability management?
Yes: 33%
Not yet, but we are planning to create one: 15%
No: 52%
Fifty-two percent say they do not have a dedicated team for patch/vulnerability management, one-third say they do, and 15 percent are planning to create one. Twenty-six percent have not changed their priorities regarding patch/vulnerability management.
Summary of Findings
• Current approaches to endpoint security are ineffective and costly.
• Organizations do not feel more secure than they did last year.
» This is mainly due to the use of ineffective technology solutions when better, more effective/efficient technologies exist but are not heavily implemented.
• IT operating expenses are increasing, and a main driver of those costs is tied directly to an increase in malware incidents.
» 59 percent of respondents consider malware a significant factor in those cost drivers.
• Malware is on the rise, with attack vectors focused more on third-party and web-based applications.
Q&A
Global Headquarters: 8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828