2014 Targeted Attacks Study
THE NEW ART OF WAR
How to Detect, Predict and Eliminate Advanced Targeted Threats

2014-04-25

INSIDE: Survey Results, Analysis, Expert Commentary

From the Editor

New War Requires New Strategies, Tactics

It’s no exaggeration to say that organizations now find themselves in a whole new war.

From the hacktivists who deploy powerful, multi-layered distributed-denial-of-service attacks to nation states that pilfer competitive information, as well as organized crime rings that siphon payment card data from the likes of Target and Neiman Marcus… the threat landscape has evolved dramatically.

There is a new breed of warrior, and its arsenal includes new, polymorphic tools capable of committing undetected breaches.

So it’s time for security organizations to practice a whole new art of war – one that recognizes that conventional security approaches are not working. It’s time to match advanced threats with advanced tools and training capable of detecting new strains of malware and leveraging big data analytics to predict and prevent fraud.

This survey report offers information to help form your battle plan.

The 2014 Targeted Attacks Study looks at the specific threats organizations face today; the business impact of targeted attacks; where traditional security approaches are failing; and what advanced tools organizations are investing in over the year ahead.

Review the results and analysis in the pages ahead, and put them in your own context. What are the common threats you face? Where should you bolster your traditional defenses? What are you doing to protect your own employees from targeted attacks?

There’s much to think about here, and I welcome your feedback on the survey results and analysis.

Write to me with your thoughts, please.

Best,

Tom Field

Vice President, Editorial

Information Security Media Group

[email protected]

Table of Contents

Introduction

Hard Numbers

What is the Survey About?

Hot Topics

Survey Results

The Damage

The Weak Spots

The Defenses

Self-Assessment

Awareness & Training

2014 Agenda

Resources

Sponsored by

Proofpoint Inc. (NASDAQ:PFPT) is a leading security-as-a-service provider that focuses on cloud-based solutions for threat protection, compliance, archiving & governance, and secure communications. Organizations around the world depend on Proofpoint’s expertise, patented technologies and on-demand delivery system to protect against phishing, malware and spam, safeguard privacy, encrypt sensitive information, and archive and govern messages and critical enterprise information. More information is available at www.proofpoint.com.

© 2014 Information Security Media Group

Hard Numbers

Among the statistics that jump out from the survey results:

45% of respondents say that their organizations suffered a targeted attack in the past year.

54% say their biggest challenge to thwarting these attacks is the increased sophistication of threats.

82% expect to receive the same or more budget to defend against advanced threats in the year ahead.

What Is the Survey About?

Advanced threats are increasingly sophisticated, and employees at all levels, in all industry sectors, are subject to targeted attacks ranging from spear-phishing to blended threats.

How prepared is your organization to detect these advanced threats and respond effectively to targeted attacks – before irreparable damage is done?

This is the key question driving this study. This report analyzes the survey results to show you:

» The extent of damage caused by targeted attacks;

» The current state of organizations’ preparedness to mitigate advanced threats;

» The top-of-mind technology investments for 2014.

The survey was developed by the editorial staff of Information Security Media Group, with the assistance of members of ISMG’s boards of advisers, which include leading information security, mobility and IT experts.

The online survey was conducted during Winter 2014. Respondents included more than 200 chief information security officers, chief information officers, directors of IT and other senior leaders who work primarily within the U.S. financial services industry.

Hot Topics

This study provides information on the following critical aspects of an organization’s vulnerabilities and defenses when faced with targeted attacks:

» The Damage – What are the most common forms of targeted attacks, what is their business impact and who within organizations are the most frequent targets?

» The Weak Spots – Who are the chief adversaries to organizations? How big of a concern is mobility? Is response time an issue?

» The Defenses – Which security solutions have organizations already deployed, and what are their biggest barriers to successful defense?

» Self-Assessment – How do organizations grade their current abilities to detect and prevent traditional and evolving attacks?

» Awareness & Training – What are organizations doing as it relates to their employee resources to protect themselves?

» 2014 Agenda – What are the top organizational spending priorities to combat targeted attacks in 2014?

Each of these topics will be analyzed in the following sections.

Targeted Attacks: The Damage

The results of the 2014 Targeted Attacks Study offer the proverbial good news/bad news.

The good news is: Most organizations are doing the right things when it comes to preparing to defend against advanced threats. A majority has an internal Computer Security Incident Response Team (CSIRT) and has invested in traditional security solutions such as antivirus, intrusion prevention and encryption.

The bad news: Too many of these organizations’ employees are leaving their organizations open to the ravages of targeted attacks such as spear phishing, malvertising and Trojans - threats that succeed only when people enable them to succeed. Among the points we explore in this section:

» 45 percent of respondents know they experienced a cyber-attack in the past year (11 percent are unsure);

» 3 most common forms of attack: Spear phishing, Trojans and malvertising.

Key Findings:

Has your organization been the victim of targeted attacks during the past year?

[Chart. Response options: Yes; No; I don’t know.]

As stated earlier, more than half of the survey participants (55 percent) either experienced a targeted attack in the past year, or don’t know. The latter 10 percent pose a troubling statistic that indicates a lack of insight through processes and tools to detect a compromise.

And even more concerning: This 10 percent is not an anomaly. In other recent research conducted by ISMG, similar percentages of respondents have pleaded ignorance about whether their organizations have been breached.

If yes, which type of targeted attack has your organization suffered?

[Chart. Response options: Spear phishing; Trojan; I don’t know; Malvertising; Advanced persistent threat; Blended threat; Credential stealing.]

Targeted, indeed. Nearly half of the study respondents find themselves victims of spear phishing, where fraudsters target specific individuals within organizations – typically those who have special access to accounts or critical data. The goal is to steal credentials and access. Why cast a broad net across an enterprise when you can find this information in the hands – and devices – of a trusted few?

Other top forms of attack: Trojans and malvertising, suffered by nearly one-quarter of respondents, and the advanced persistent threat and blended attacks.

Knowing what types of attacks plague organizations begs the question: What’s the damage?

What damage has your organization suffered from targeted attacks over the past year?

[Chart. Response options: Employee downtime/business disruption; System downtime; Financial impact; Loss/compromise of data; Privacy data breach.]

If time and brand are as valuable as money, then targeted attacks are proving costly to organizations in more ways than pure dollars and cents.

When asked to list their losses, respondents put employee downtime and system downtime atop their lists.

Next, we do see the financial impact taking its toll (lost business, regulatory penalties, legal fees, etc.), followed closely by loss/compromise of data and a privacy breach, where applicable.

Together, these responses demonstrate the multiple layers of damage a single breach can cause. Ask Target and Neiman Marcus to tally their expenses and brand impact for their widely-publicized incidents, and they would present you with a lengthy list.

Who at your company (by title) has been targeted by an advanced threat in the past year?

[Chart. Response options: Administrative staff; Engineering/technical; Executive; Financial.]

Any discussion of targeted attacks must include a review of the targets. Attackers go after specific individuals within organizations. According to this study’s respondents, administrative staff takes the hit 39 percent of the time. And that makes sense. These are the gatekeepers who often have access to critical executives and their accounts.

Other top targets: Senior executives, as well as technical staff (who enjoy privileged access to systems). Employees in the finance industry also are frequent targets for the obvious reasons (that’s where the money is).

These figures should not be interpreted to say that any group is immune to a targeted attack. All employees are susceptible. But, as with information systems, some employees are more high-risk than others and should be treated – and trained – accordingly.

Next: a look at specific weak spots within organizations.

Targeted Attacks: The Weak Spots

Now that we’ve reviewed the types of attacks and targets, let’s look at where and how organizations are vulnerable to targeted attacks, as well as how they assess their response capabilities. Some key points to know:

» 57 percent of respondents say hacktivists are their biggest adversaries;

» 78 percent express concern about targeted attacks being delivered via mobile devices.

Let’s review more of what respondents reveal about themselves.

Key Findings:

We start by reviewing prospective adversaries:

Which prospective adversaries do you believe pose the biggest current advanced threat to your organization?

[Chart. Response options: Hacktivists; Insiders; Organized crime; Nation states.]

It could be that respondents are still smarting from 2013’s large-scale DDoS attacks against leading banking institutions. Or perhaps they are fearful of being targeted by the Syrian Electronic Army. Whatever the case, hacktivists have a grip on the security psyche, and 57 percent of respondents say these are their top adversaries.

Next on the list: the insider threat (given greater visibility by the NSA’s Snowden leaks), followed very closely by organized crime (which we see in many of the financial attacks) and then the nation state threats, which drew a lot of attention in 2013 with APT1-related discoveries.

How concerned are you about targeted attacks via mobile devices that have access to your critical resources?

[Chart. Response options:
Somewhat concerned: We're aware of our vulnerabilities;
Not at all concerned: We feel we've mitigated our risks;
Very concerned: We have already seen such attacks;
I don't know: This isn't an area we've considered adequately.]

From smart phones to tablets, mobile devices are ubiquitous in organizations today. And whether these mobile devices are employer-supplied or employee-owned is immaterial. Fraudsters are taking advantage of them to access network resources.

How concerned are security leaders?

Some 78 percent are either somewhat or very concerned about these attacks, either because they know their own weaknesses or they already have seen attacks.

Given the rise of mobile malware – criminals go where the crowds go – these security concerns are likely to be validated in 2014.

Next, for the sake of context, we review the number of incidents organizations encounter, as well as how efficiently and effectively they remediate them.

How many incidents as a result of targeted attacks did your team handle in the past year?

[Chart. Response options: Fewer than 5; 5-10; 11-30; 31-60; More than 60.]

How many targeted-attack incidents are we talking about, typically, over the course of a year?

A sizeable majority of respondents – 69 percent – say they see fewer than five targeted attacks per year, while about 15 percent see five to 10 attacks.

As for the time to remediate these attacks once discovered …

What is the average time to remediate a specific incident?

[Chart. Response options: 1 hour; More than 3 hours; 2 hours; 30 minutes; 3 hours.]

More than one-quarter of respondents say they can remediate a specific incident within one hour, while 22 percent say it takes them more than three hours – plenty of time for damage to be done.

And more important than the speed of response after detection is the time-to-detect. The next question offers a baseline from which to gauge.

Using letter grades, how do you assess your organization’s current ability to detect advanced threats and prevent targeted attacks?

[Chart. Response options: A - Superior; B - Above average; C - Average; D - Below average; F - Failing.]

Knowing how organizations perceive their threats and adversaries, and with an idea of how many incidents they typically face, how do they view their own ability to detect advanced threats and prevent targeted attacks?

Essentially, the self-assessment rounds out to a B minus. Fifty percent say they are above average, while 34 percent give themselves a C.

In a field where anything less than an A is costly, this self-assessment speaks volumes about organizations’ confidence to deal with advanced threats and targeted attacks.

The next section looks at organizations’ current defenses.

Analysis: The Attacks and Attackers

By Amar Doshi, Proofpoint

The survey results mirror what we’ve been hearing from enterprises. If you look at Verizon’s 2013 Data Breach Investigations Report, it basically said that 95 percent of targeted threats started with a spear phishing message.

This whole concept of social engineering being used to make these compromises successful is really focused on tricking the end-user; that is a key factor in an organization’s security architecture being vulnerable.

If you look at what has happened over the last couple years, ever since the Advanced Persistent Threats became popular in media and a lot of research was published on how these attackers operate, it’s become very interesting to see those same techniques also being used by attackers that conduct massive longlining campaigns as a part of financial crime threats.

Over a period of time, traditional solutions have been able to use reputation and signature-based techniques to stop things like spam, credential phishing, traditional phishing, and infected attachments. But with all types of attackers adopting newer techniques that work around traditional security controls, I see this whole trend of longline attacks, watering hole attacks, and advanced threats increasing. Attackers of all types have been able to use a combination of polymorphic malware, highly rotated email lures, compromised websites, advanced exploit kits, and traffic distribution systems to bypass traditional security.

In addition to that, APT adversaries have far more sophisticated techniques. They have many more tools that they understand and know how to use, along with the know-how to write custom code, and financial backing to purchase expensive zero-day exploits. For organizations that need to face this type of adversary, it’s a matter of “when” and not “if,” the attackers will penetrate defenses. This drives the need for organizations to focus on early detection capabilities.

Targeted Attacks: The Defenses

We’ve seen the threats and weak spots that organizations must deal with. Now let’s take a look at organizations’ current defenses. Here’s where we gain insight into what organizations are doing right … and why their defenses still are failing them far too often.

Some key takeaways:

» 64 percent of respondents say their organizations have a computer security incident response team;

» 54 percent say their organization’s defenses are inhibited by the increasing sophistication of attacks.

Key Findings:

Organizations are doing a lot of things right, starting with their current investments in security solutions.

Which of these security solutions does your organization currently employ to detect advanced threats and prevent targeted attacks?

[Chart. Response options: Anti-virus software; Encryption; Anti-malware protection; Secure e-mail gateway; Intrusion prevention systems; Patch management; Secure web gateway; Black/whitelisting; Next-generation firewall; Data loss prevention; Next-generation threat protection; SIEM solution.]

By any measure, organizations have made smart investments to counter traditional threats. Nearly all have deployed antivirus software, and almost three-quarters have some form of anti-malware protection.

Among the other top defenses are encryption, secure e-mail and web gateways, intrusion prevention systems and next-generation firewalls. Patch management also rates high, and half are performing some level of black/whitelisting.

Continuing with the theme of what organizations are doing right …

Does your organization have its own internal computer security incident response team (CSIRT)?

[Chart. Response options: Yes; No; I don’t know.]

In terms of incident response, organizations clearly take this role seriously. Some 63 percent have their own internal computer security incident response team.

So, with such defenses deployed and with a formal response team in place, where are organizations falling short? What factors are inhibiting their abilities to detect and prevent targeted attacks?

Which factors most inhibit your organization’s ability to detect advanced threats and prevent targeted attacks?

[Chart. Response options: Increased sophistication of attacks; Lack of end-user awareness; Inadequate technology solutions to detect threats; Lack of budget; Incident response team lacks sufficient skills; Insufficient threat intelligence; Inadequate technology solutions to mitigate threats once discovered; Lack of support from senior leadership.]

No surprise that the increased sophistication of attacks is an issue for 54 percent of respondents. This has been the major obstacle for security leaders globally. As observers frequently point out: Every time a security team builds a 20-foot wall, the fraudsters come back with a 21-foot ladder.

But when we look at 44 percent of respondents decrying the lack of end-user awareness, some real insight begins to emerge as to why so many of these targeted attacks succeed. It’s individuals that allow targeted attacks to succeed by clicking on malicious links or opening infected attachments.

It’s often said in security circles: “People are the weakest link,” and that’s an underlying theme to these survey results.

We’ll address the training issue in some depth later in the report, reviewing what organizations are and are not doing.

Meanwhile, other key inhibiting factors include:

» Inadequate technology solutions;

» Lack of budget;

» Incident response teams that lack sufficient skills.

Next we’ll take a look at how organizations self-assess – with actual letter grades – their abilities to detect and prevent targeted attacks.

Self-Assessments: Do Security Organizations Make the Grade?

It can be argued that every survey is a self-assessment. But in this study, we asked respondents to assign letter grades to various aspects of their defenses.

The good news: The respondents don’t assess themselves as failing. There are no F’s.

The bad news: There also aren’t any A’s. And it’s important to realize that when we’re talking about information security - can you really settle for less?

Let’s review the letter grades.

Using letter grades, how do you assess your organization’s ability to assess how a targeted attack was delivered?

[Chart. Response options: A - Superior; B - Above average; C - Average; D - Below average; F - Failing; I - Incomplete.]

Call it a C+. Some 40 percent of respondents rate themselves average in this capacity, while 38 percent say above average.

The downside of being below average: If organizations don’t know how targeted attacks are delivered, it becomes difficult to investigate effectively and to confidently contain the full extent of the organization’s exposure, and planning future defenses to prevent a repeat typically becomes a struggle.

In other words, this is a weak baseline.

How do you assess your organization’s ability to determine which systems have been compromised by a targeted attack?

[Chart. Response options: A - Superior; B - Above average; C - Average; D - Below average; F - Failing; I - Incomplete.]

Closer to a solid B. Some 45 percent of respondents rate themselves above average, while 35 percent are just a notch below.

Given earlier results about response times and remediation, security leaders have some confidence in their ability to trace an attack once detected.

But there is a difference between known threats – those that have a recognized signature – versus the unknown or polymorphic threats. The next few charts reflect that difference.

How do you assess your organization’s ability to protect its endpoints and servers from known, signature-based threats?

[Chart. Response options: A - Superior; B - Above average; C - Average; D - Below average; F - Failing; I - Incomplete.]

Another B. Some 49 percent of respondents see their capability as above average, while 32 percent say just average.

But these numbers change when we look at the flip side.

How do you assess your organization’s ability to protect its endpoints and servers from emerging threats for which no signature is known (i.e., zero-day attacks)?

[Chart. Response options: A - Superior; B - Above average; C - Average; D - Below average; F - Failing; I - Incomplete.]

Many organizations struggle here. Conventional security solutions simply are not equipped to deal with unknown threats or those that can change within your systems – nor are many security professionals, by the way.

Here, 43 percent of respondents say they are just average, while 38 percent give themselves a B.

How do you assess your organization’s ability to determine what - if any - data has been exfiltrated in a targeted attack?

[Chart. Response options: A - Superior; B - Above average; C - Average; D - Below average; F - Failing; I - Incomplete.]

And here’s the heart of the breach. It’s one thing for intruders to gain entrance; quite another for them to escape with data. How well are organizations catching data that leaves?

Not so well. Some 42 percent say they are average at best; 36 percent give themselves a B.

These self-assessments offer insight into why organizations are suffering such damage from targeted attacks – at least in terms of technical controls.

In our next section, we return to the theme of the human factor and examine awareness & training programs to determine the gaps.

Awareness and Training

Awareness and training comes up as a deficiency in virtually every security survey. It’s something organizations all pay great lip service to, yet few do it truly well.

Two key points to set up our discussion of awareness and training in the context of detecting and preventing targeted attacks:

» 50 percent of respondents offer only informal training as needed;

» 39 percent do not test their own employees to see if the training is effective.

Key Findings:

How do you assess your organization’s current advanced threat awareness & training programs for employees?

[Chart. Response options: A - Superior; B - Above average; C - Average; D - Below average; F - Failing; I - Incomplete.]

This grade results in a draw between a B and a C. While 38 percent of respondents rate their programs as average, 37 percent settle for a B. More telling: Nearly twice as many respondents (11 percent) grade themselves a D as opposed to an A (6 percent).

So, where is training going wrong – at least in the respondents’ eyes? Let’s start with organizations’ current offerings.

What type of advanced threat awareness & training do you currently offer?

[Chart. Response options: Annual refresher course for all employees; Informal training as needed; Role-based training for all employees; One-time training when employees are hired; No training.]

The truth is: The advanced threat awareness programs seem no more robust than traditional training programs – which consistently prove ineffective.

As you see from the chart, 63 percent offer an annual refresher course for all employees; 50 percent offer informal programs as needed. And only 36 percent say they offer one-time training during the onboarding process, when employees are hired.

Seven percent say they offer no training at all.

So, here is the fundamental flaw: The majority of organizations are currently doing the bare minimum, at best, to enhance the weakest link of their security.

Now, it’s become common for many organizations to test the efficacy of

security training by phishing their own employees, or plying some other

form of social engineering.

So, this study asked:

As part of your awareness & training, do you ever …

0 5 10 15 20 25 30 35 40

14

34

40%

15

31

We do not test our own employees

Attempt social engineering via telephone or text message

Phish your own employees

I don't know

Bait them with removable hard drives or discs

The good news is that more than one-third attempt social engineering

via telephone or text message. Nearly as many attempt to phish their

own staff.

But 39 percent do not attempt any self-testing at all, which only perpetuates the gap that allows targeted attacks to succeed against unwary employees.

If you are looking for a place to immediately enhance your

organization’s security posture, then awareness and training might be it.

Organizations are starved for regular, updated, relevant programs.

This topic will be revisited within the 2014 agenda in this report’s next

section.

Analysis: The Value of Self-Assessments By Amar Doshi, Proofpoint

In terms of these self-assessments,

some respondents are being easy

on themselves, and some are being

harder.

And I think that the inconsistency is not because [respondents]

mean to be easy or hard; I just think that the threat landscape is

changing, and what they’re experiencing as a company is changing.

The way I look at these results is: There are no A’s. And if you

talk to most people in the information security industry, they

understand that information security is constantly evolving. The

threat landscape is evolving, vendors are evolving, and the ways to

combat threats are evolving. So I think that with these new types

of threats and adversaries, different kinds of motives, and trailing

security control upgrades, the results are not unexpected. But I

do think that the good thing is they are looking at their network,

at their data, and their solutions and saying, “We need to do

something more, and we’re not at A yet.”


We’ve seen the extent and damage of targeted attacks, and we know how they are able to infiltrate organizations.

So, how will security leaders tackle these issues in 2014? Some

encouraging news:

» 82 percent of respondents expect the same or increased budgets

this year;

» 60 percent plan to invest those funds in new technology

solutions.

What else is on the 2014 agenda?

Key Findings:

How do you expect your organization’s advanced threat risks to change in 2014?

[Bar chart. Response options: Risks will increase (73%); No change; I don't know; Risks will decrease.]

No surprise here. In fact, anyone who said otherwise would be suspect.

About 85 percent of respondents expect current advanced threat risks to

maintain their current pace or – more commonly – increase.

But that increase is met by an increase in resources, as well.

How do you expect your organization’s budget to detect advanced threats and prevent targeted attacks to change in 2014?

[Bar chart. Response options: Funding will remain the same; Increase of 1 to 5 percent; I don't know; Increase of more than 5 percent; Decrease.]

It’s more than a little encouraging seeing that 82 percent of respondents

expect their budgets to maintain current levels or increase by more

than 5 percent. This shows the level of commitment organizations now

have to responding to cyberthreats.

But added resources mean nothing if they aren’t invested properly. So, what are the key investments organizations plan to make in 2014? Survey results answer that question in three ways …

2014 Agenda


First …

Where do you expect your organization to make its biggest investments in detecting advanced threats and preventing targeted attacks in 2014?

[Bar chart. Response options: Awareness and training for staff; New technology solutions; Third-party threat intelligence; Awareness and training for customers; Additional staff; Outsourced solutions.]

As a necessary follow-up to the previous section, 61 percent of

respondents plan to invest in employee training and awareness

programs. Done effectively, that will help address a large issue. Done

ineffectively … no difference.

Some 60 percent plan to invest in new technology solutions – details

of which we will review shortly. And 36 percent plan to purchase new

third-party threat intelligence, while 22 percent say they will hire new

staff.

So, to review planned investments in traditional security solutions …

Which of these traditional security solutions do you expect your organization to purchase in 2014?

[Bar chart. Response options: Anti-virus software; Anti-malware protection; Encryption; Intrusion prevention systems; Next-generation firewall; Secure e-mail gateway; Patch management; Secure web gateway; Data loss prevention; Black/whitelisting; SIEM solution.]

Again, anti-virus software and anti-malware protection top the list,

followed closely by encryption and intrusion prevention systems.

Essentially, organizations expect to do a fair amount of re-investment in

security solutions they already have deployed.


But that’s not the end of the story for 2014 planned investments.

Which of these advanced threat security solutions do you expect your organization to purchase in 2014?

[Bar chart. Response options: Anomaly detection; Cloud-based sandboxing; Big data analytics.]

Here’s where we get into new tools and new approaches to tackling

advanced threats and targeted attacks.

Among the more advanced security solutions being eyed for

investments:

» Anomaly detection, favored by 28 percent of respondents;

» Cloud-based sandboxing, named by 21 percent;

» Big data analytics, referenced by 17 percent.

Combined, these tools take detection and prevention to a new level and

should allow organizations to grow their defenses in better scale to the

evolving threats.

Analysis: Security Investment Strategies By Amar Doshi, Proofpoint

Great to hear that they are looking

at the right tools. With the evolving

threat landscape, information security

teams are definitely going to have

to invest in themselves – increasing

their awareness of the threats, of the

solutions that are out there, and how

to respond to these kinds of threats

and incidents.

Budgets for security are being maintained or increased, as we saw

in the survey, and at the executive level there is a lot of awareness

about not having the right security controls in place. Breaches

like those at Target, Neiman Marcus and Adobe have made

security a Board-level conversation, and the pace of re-tooling and

implementation will continue to increase.

However, it’s important that when organizations look at new tools,

they are looking at it from the perspective of, “Are these going to

provide me with the right end-user and threat insight that can

make it very easy for information security teams to get visibility

on what is going on in their organization?” That can be a key

difference between getting a highly technical but useless tool, as

opposed to a much more contextual and effective tool.


The 2014 Targeted Attacks Agenda: The New Art of War

It is clear that advanced threats and targeted attacks require an equally advanced security posture.

You can say that the New Art of War is the ability to predict and

outsmart the enemy, not just overpower it. This approach requires new

thinking and new tools – the ability to pre-emptively discover and take

action on advanced threats across the entire extended enterprise, from

corporate desktops to personally owned mobile devices.

So, among the agenda items for security leaders in 2014:

Know Your Enemy – It is as important to know the types of attacks you face – spear-phishing, Trojans or malvertising – as well as the attackers, whether they are hacktivists, organized crime rings or malicious insiders. Some of this information can be gleaned from big data analytics. Some can be purchased from third parties. Whatever your approach, do not short-change yourself of this knowledge.


Know Your Capabilities – The survey results

show that most organizations have invested

thoroughly in traditional security defenses, such

as anti-virus and firewalls. But if traditional

defenses were enough, then targeted attacks

would not be such an issue. It’s time for

investments in next-generation technologies,

such as anomaly detection, cloud-based

sandboxing and big data analytics.

Know Your People – The very nature of targeted

attacks is to strike through an organization’s

weakest link, which is typically an individual

who can be socially engineered to make a

mistake that leads to a data breach. It’s time

to acknowledge that traditional awareness and

training programs are failing. Employees need

regular, role-specific training programs that

keep them abreast of evolving threats and offer

tips on how to respond to suspicious activity.

And this training must be tested for its efficacy.

As Sun Tzu said in his original Art of War, “Invincibility is a matter of

defense.” No organization ever wants to fool itself into thinking it is

breach-proof. But by investing more into the strategy and tactics of

defense, security leaders can go far in deterring today’s advanced threats

and targeted attacks.


Targeted Attacks Survey Results: What they Mean to You

by Amar Doshi, Director, Product Marketing, Proofpoint

EDITOR’S NOTE: This is an excerpt of a panel discussion conducted in association with the companion webinar, 2014 Targeted Attacks Study - The Results.

TOM FIELD: What do you see that organizations seem to be most overlooking in terms of responding to threats and attacks?

PROOFPOINT: I think it goes back a little bit to some of the end-user aspects. When organizations get attacked, there’s really this kind of immediate incident response kneejerk reaction, they have a process they have to follow. And oftentimes it’s, “OK, well, what malware hit this user’s computer, and how do I get it off?” Some companies, especially the larger organizations, will have teams that have the bandwidth and the skill set to go back and figure out who was the attacker and why did this happen. What companies are doing wrong is putting a lot more stress on basically malware forensics as it pertains to being able to do incident response, and they’re overlooking the aspects of what’s going on from a grander scheme of things across the user base. Who is being targeted and how often, and who’s clicking, and really what can I do about that?

If organizations made technology investments into solutions that could provide them with some insight that they don’t have today, I feel like it would allow them to be way more strategic and effective in their incident response and in providing risk mitigation to the organization.

Top Advanced Threats

FIELD: As you look into 2014, what do you see as the advanced threats that really should be top concerns for all organizations?

PROOFPOINT: We’re going to see typical attacks become more and more of a nuisance just in terms of volume because attacks like the Target attack, for example, which started as a typical longline threat for, most likely, individual-based financial crime but turned out to be something that had the attackers get a very big payday. And they learned their techniques from observing what’s going on in all the reports on APTs and what the other attackers are doing from an espionage and sabotage perspective.

So with the ability of these attackers to do mass customization of what they’re sending to companies, very easily compromise websites and leverage them in their campaigns, use polymorphic malware, use traffic distribution systems which can really figure out when to show malware to what person based on where they’re located and what device they’re accessing from … I think the level of sophistication is going to lead to an increase in volume of successful threats.

Key Security Solutions

FIELD: Given the sophistication of the attacks, what are some of the key security solutions that organizations really need to invest in to help mitigate these threats?

PROOFPOINT: Well, I think it’s exactly what organizations mentioned in the survey. I think they’re exactly on the right track. Traditional security solutions [are] absolutely required, must be maintained, must be kept up to date. That’s the baseline.

Once you’ve done that, you need to start to think about how do you invest in technologies and techniques that leverage big data to really churn through massive amounts of information about a company and find out predictively what could be bad, what looks suspicious. Because the sooner you’re able to figure that something looks suspicious, the sooner you’re able to actually do some more analysis, and likely the faster it is that you’ll be able to confirm if something is malicious.

Hand in hand with that, you have to have advanced malware detection

techniques. Solutions like anti-malware that only look at signatures

aren’t going to cut it because malware today is getting much more

sophisticated in terms of how it is programmed to evade detection.

So with all this sophistication, you really have to have a highly-scalable,

cloud-based infrastructure that can churn through this kind of malware

sandboxing and can find the intelligence that you can get from many

different enterprises across the globe because, as history has shown

us, whenever there are these advanced attacks, attackers repeat what

they’ve done in the past. Attackers attack multiple companies at the

same time. So, there is definitely a lot of cross-pollination of information

that can occur in the cloud.

If organizations are going to have remote users accessing corporate

resources and email from their own personal devices, and from

locations off the corporate VPN, it gets even more tricky. InfoSec teams

will need to make sure they are doing everything they can to measure

the risk, respond to it quickly, understand where the risk is coming

from, and ensure that the impact ultimately to the business and to the

end user is minimized.

Awareness & Training

FIELD: Let’s discuss awareness and training. It’s clear from our

responses this is a challenge for organizations. In your experience,

what’s the right frequency of training? And more important, what

makes training most effective with users?

PROOFPOINT: Companies I’ve spoken with have talked about training

with the opinion along similar lines of the survey that, yeah, you know,

we do it maybe once a year or we do it at the time of onboarding. It’s

recommended to do training more often than once a year, definitely not

only at the time of onboarding.


But I think there are creative ways to do very interesting user training.

You know, phish users and use that as a training mechanism. One has

to take a step back and really analyze data for what’s going on in the

company when you provide training. What’s the immediate impact after

that training and the half-life for that training?

What we’ve seen is that there’s no company that is really good at

providing training. So I think enterprises have to know that no matter

how much training they’re going to provide, you’re going to see people

get compromised. To you as a company, what is the level of training

that you need to provide your users, based on their specific usage

patterns and their specific training and their specific backgrounds of

where they come from? There’s no right answer; it’s very dependent

upon the organization and the organization behavior.

How to Show Business Value

FIELD: We’ve seen in our survey that organizations for the most part

are going to have at least the same budget for 2014, but in many cases

a bigger budget. How are security leaders going to demonstrate true

business value from the security investments they make in 2014?

PROOFPOINT: It’s really all around visibility and insight. I think most

security leaders have understood and have through their personal

experience agreed to the fact that companies are going to get

compromised. Attackers are going to get inside your walls. So once

you’ve said that, then the challenge is, “OK, well, do I have all the

information that I need to fight this invisible attacker and actually

respond to these incidents in a manner which can really limit the

amount of damage that can be caused?”

I think if you talk to most infosec leaders, they will argue that they’ve

been fighting this battle with these invisible attackers with very limited

data and their hands tied behind their back. I think with expanding

budgets, hopefully those hands are not tied anymore, and it ultimately

does boil down to really understanding what’s going on in the

organization, what are users doing, what are staff members doing, what

are C-level executives doing, who’s being targeted, how often?

Getting increased visibility and insight on your company and on your

security posture and effectiveness is going to be key in ensuring true

business value in 2014.


WEBINAR

2014 Targeted Attacks Study Results Webinar

Register for this session to get the eye-opening results of the 2014 Targeted Attacks Study, as well as:

» Analysis of where organizations are strongest

and weakest in responding to advanced threats;

» Insight into where organizations are investing

their security resources in 2014;

» Examples of leading-edge security solutions that can

help defend against today’s sophisticated attacks.

http://www.bankinfosecurity.com/webinars/2014-targeted-attacks-study-results-w-393


Targeted Attacks Resources

Articles

Spear Phishing: How to Fight Back

Why Community Institutions Are at Greater Risk for Attack

Spear-phishing attacks aimed at bank employees are on the rise, and community banks and credit unions are particularly

vulnerable. Learn why experts say authentication is failing to address the problem.

http://www.bankinfosecurity.com/spear-phishing-how-to-fight-back-a-6094

Defending Against Targeted Attacks

Kevin Epstein of Proofpoint on New Strategies, Solutions

More than merely a phishing incident, a targeted attack is part of an advanced persistent threat. How can organizations

defend against these attacks? Kevin Epstein of Proofpoint offers insight.

http://www.bankinfosecurity.com/interviews/defending-against-targeted-attacks-i-1804

What Breaches Can Teach Us

Forensics Investigator on How to Improve Security

What can organizations do to improve security after a network attack? Post-breach investigations help security leaders trace

steps and strengthen weak points, says investigator Erin Nealy Cox.

http://www.bankinfosecurity.com/interviews/compromising-data-for-profit-i-1867

3 Cybersecurity Game Changers

ISACA’s Rolf von Roessing on Transforming Security

What are the top three cybersecurity game changers, and what negative impact can they have on organizations if security

leaders do not manage them properly? Rolf von Roessing of ISACA shares insight.

http://www.bankinfosecurity.com/interviews/3-cybersecurity-game-changers-i-2003

Using Big Data to Prevent Fraud

Why More Institutions Will Turn to Analytics in 2014

The financial services industry will begin making significant strides in 2014 toward using data analytics to fight fraud, experts

predict. The value of using big data to help prevent or detect fraud is becoming clearer, helping institutions make a business

case for data analytics.

http://www.bankinfosecurity.com/using-big-data-to-prevent-fraud-a-6251


White Papers

Defense Against the Dark Arts

Finding and Stopping Advanced Threats

Today’s most-damaging targeted attacks don’t occur by happenstance. They are carefully planned and executed by a new

breed of professional adversaries. Their methods are stealthier and more sophisticated than anything we’ve seen in the prior

decade. If you don’t take appropriate precautions, your organization could make headlines for all the wrong reasons.

http://www.proofpoint.com/id/Defense-Against-the-Dark-Arts-wp/index.php

Longline Phishing: A New Class of Advanced Phishing Attacks

Email-borne Threats, Cloud Computing, Big Data, and the Rise of Industrial Phishing Attacks

Longlining is a new class of email attack aimed at delivering links to malicious sites. With IP addresses, subject lines and

content that are constantly changing, they’re hard to identify and defend against.

http://www.proofpoint.com/id/longline-phishing-whitepaper-industrial-phishing-2013/index.php?id=11

CIO Series: Why Sandboxing is a Necessary but Insufficient Defense against Targeted Attacks

Sandboxing is all about protecting users from their email by isolating and checking potential malicious messages before they

can do any damage. It’s a great first step, but it’s no longer enough. We explain why.

http://go.proofpoint.com/rs/proofpoint/images/proofpoint-cio-sandboxing-defense-against-targeted-attacks-wp.pdf

CIO Series: How Big Data Can Help Enterprises Build Better Security Defenses

Everyone’s talking about Big Data and its myriad applications. The good news is that one of those can be to analyze incoming traffic and use patterns to help protect businesses from potential threats. This paper covers key points every CIO should know.

http://go.proofpoint.com/rs/proofpoint/images/proofpoint-cio-how-big-data-help-build-better-security-defense-wp.pdf

The Human Factor

How Attacks Exploit People as the Weakest Link in Security

This wide-ranging study provides new insight into the ways attackers exploit end-users’ human failings to circumvent

IT security. The study challenges current conventional wisdom about short-term phishing and single points of risk with

research showing that thousands of users can be unwittingly complicit in attacks that take place over months in multiple

locations.

www.proofpoint.com/humanfactor


902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.

This information is used by ISMG’s subscribers in a variety of ways: researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance-related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

Contact

(800) 944-0401