Network security— are businesses meeting the challenge?

Identifying Challenges in Network Security

July, 2014 © 2014 Ipsos. All rights reserved. Contains Ipsos' Confidential and Proprietary information and may not be disclosed or reproduced without the prior written consent of Ipsos.

Prepared for:

Contents

Methodology 3

Key Findings 4

Current Corporate Landscape 7

Areas of Concern 11

Types of Threats 16

Appendix 25

3

Page

Background & Methodology

Burson Marsteller and HP want to explore the main challenges on managing network security and where companies are lacking in security products/practices.

205 completed interviews were collected via an online survey

Qualified respondents were located in the United States and met the following criteria:

Work full time in a MIS/IS/IT/Networking/Technology-related job function in a company with:

─ 100+ employees

─ At least $1 million in annual revenue

Must make decisions or provide input into decisions made for technology solutions used within the organization

Respondents were questioned on corporate IT security initiatives, specific concerns regarding network security and the nature of attacks and threats as well as their source.

Field dates: June 30 – July 15, 2014

4

5

Key Findings

Key Findings

6

• On average, firms are spending approximately $2.6 million annually in network security and over 60% expect to spend more in the next 12 months.

Close to a quarter of security investment is dedicated to IPS, NGFW and APT/Malware.

Over 3 in 4 will concentrate on cloud and upgrading hardware and software. Companies who spend $500K or more annually on network security are focusing on breach detection and

compliance about 20% more than those who spend less.

IT professionals value security effectiveness over price when purchasing an IPS.

• Network security appears to be a growing concern among IT professionals.

External threats are a top concern (71% very concerned) as well as data center (65%) and endpoint security (63%).

Roughly 7 in 10 claim social media is a type of abuse happening on their corporate network while over half are “very concerned” with file sharing.

About a third have recently seen more attacks/threats from user activity within their network. Nearly 70% are a malware infected host.

• Phishing is a top attack experienced once a week or more where customer data is attacked the most.

Over 3 in 4 IT professionals experience untargeted spam once a week or more.

China is stated most often as a country of origin for attacks, followed by Russia and the USA.

Key Findings, Cont’d

7

• While 3 in 4 of all companies are aware of phishing, companies that spend $500K or more on security see roughly 20% higher risk of social engineering attacks, attacks targeted to company and DDoS attacks vs. those who spend less.

Although threats are present, those who are not investing as much in network security may be missing these attacks. Those who spend more have recently seen more attacks/threats from user activity.

• IT professionals are very open to receiving guidance from analyst firms.

Roughly half are looking for guidance on how to manage and plan for SDN implementation.

8

Current Corporate Landscape

Total (n=205)

Less than $100M (n=123)

A

$100M or more (n=82)*

B

Less than $500K (n=95)*

C

$500K or more (n=105)

D

Annual Revenue Annual Network Security Spend

2% 2% 2% 3%

18% 18% 19% 18% 19%

16% 16% 17% 17% 16%

19% 19% 19% 19% 19%

20% 20% 20% 21% 20%

24% 24% 23% 25% 23% IPS (Intrusion PreventionSystem)NGFW (Next GenerationFirewall)APT/Malware

URL Filtering

VPN

On average, investment is evenly distributed among the various areas of network security, with IPS rising to the top.

9

Amount of Network Security Investment Dedication – Mean % of Investment

Q4. What percentage of IT investment within your organization is dedicated to the following areas of network security? Please provide your best estimate. Your answers must sum to 100%. A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

Over 3 in 5 IT professionals expect both network security costs and budgets to increase over the next 12 months.

10

Network Security Costs vs. Budget Expectations for Future

D3. Over the next 12 months, do you expect network security costs to…(Decrease, Remain the same, Increase, Not sure) D4. Over the next 12 months, does your company expect to increase or decrease the budget on network security? (Decrease, Remain the same, Increase, Not sure)

1% 1%

34% 36%

64% 62%

Increase

Remain the same

Decrease

Network Security Costs Network Security Budget

Total Respondents (n=205)

Embracing cloud or virtualization is a top corporate IT security initiative. Firms that spend $500K or more annually on network security are also significantly more likely to have breach detection and compliance as a corporate initiative.

11

Current Corporate IT Security Initiatives

Q1. What are your current corporate IT security initiatives? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

48%

67%

70%

74%

75%

77%

82%

Roll out Bring Your Own Device (BYOD)

Ensure compliance

Breach detection

Update/migrate software

Upgrade hardware

Increase security posture

Embrace cloud or virtualization

All Respondents (n=205)

Annual Revenue Annual Network Security Spend

Less than $100M $100M or more Less than $500K $500K or more

(n=123) (n=82)* (n=95)* (n=105)

A B C D

% % % %

82 82 78 87

73 83 75 81

77 71 75 75

77 68 74 72

67 74 62 77 C

65 71 57 77 C

50 45 46 49

12

Areas of Concern

Social media and non-productive employee web browsing are top types of abuse happening on corporate networks.

13

Types of Corporate Network Abuse

Q10. What types of abuse are happening on your corporate network? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

28%

41%

50%

51%

56%

64%

69%

Employees going to adult-only websites

Elicit file sharing

Non-corporate apps running on the corporatenetwork

Using mobile applications on company Wi-Fi

Streaming music or video

Non-productive employee web browsing

Social media

All Respondents (n=205)

Annual Revenue Annual Network Security Spend

Less than $100M $100M or more Less than $500K $500K or more

(n=123) (n=82)* (n=95)* (n=105)

A B C D % % % %

67 73 71 68

61 70 63 67

51 63 a 56 58

50 52 49 53

51 49 49 50

40 43 38 46

26 30 21 35 C

IT professionals are most concerned with external threats in regards to security. Data center and endpoint security comprise a second tier of concern. Although 2 in 5 are concerned with BYOD, it falls to the bottom of the list.

14

Areas of Security Concern – Top Box

Q2. Please indicate to what extent you are concerned with each of the following areas in regards to security. (Very concerned, Somewhat concerned, A little concerned, Not at all concerned) A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

43%

43%

46%

47%

63%

65%

71%

Bring Your Own Device(BYOD)

Reputation of a site

Internal threats

Software

Endpoint security

Data center security

External threats

All Respondents (n=205)

Annual Revenue Annual Network Security Spend

Less than $100M $100M or more Less than $500K $500K or more

(n=123) (n=82)* (n=95)* (n=105)

A B C D

% % % %

74 67 73 70

68 60 62 69

63 65 58 70 c

46 49 44 50

46 48 46 48

43 44 38 49

45 40 42 42

More than half of IT professionals are “very concerned” with file sharing.

15

Security Concern with Applications – Top Box

Q11. Now, please indicate to what extent you are concerned with the following activities in terms of security. (Very concerned, Somewhat concerned, A little concerned, Not at all concerned) A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

37%

38%

43%

45%

48%

54%

Adult websites

Business applications

Social media

Non-work related applications

Cloud-based applications

File sharing

All Respondents (n=205)

Annual Revenue Annual Network Security Spend

Less than $100M $100M or more Less than $500K $500K or more

(n=123) (n=82)* (n=95)* (n=105)

A B C D

% % % %

55 52 54 56

46 51 46 50

46 44 44 48

41 46 38 49

38 37 35 41

33 41 34 38

Manageability rises to the top as a key concern for migrating to SDN, followed by being in the early stages of planning and an attacker compromising the SDN controller.

16

Concerns for Migrating to SDN

Q14. What are your concerns, if any, for migrating to SDN (Software Defined Networking)? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

7%

18%

24%

44%

45%

54%

None of the above

Don't see a business need

Not sure which applications to migrate to SDN

Attacker compromising our SDN controller

Early stages of planning our SDNimplementation

Manageability

All Respondents (n=205)

Annual Revenue Annual Network Security Spend

Less than $100M $100M or more Less than $500K $500K or more

(n=123) (n=82)* (n=95)* (n=105)

A B C D

% % % %

53 55 52 57

47 41 42 50

46 43 41 49

28 18 29 20

20 15 20 15

7 9 5 8

17

Types of Threats

China is stated most often as a country of origin for attacks, followed by Russia and the USA.

18

Country of Origin for Attacks

Q15. From which country do you believe the attacks most often come from? Please include as many responses as you think are necessary. (Open End)

Nearly 3 in 4 IT professionals have experienced phishing within their organization. Those who spend more on security tend to experience more types of attacks than those who spend less.

19

Types of Attacks Experienced

Q16. Which type of attacks have you experienced within your organization? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

1%

21%

33%

33%

41%

59%

60%

72%

Other

Attack fromvendor/partner site

DDoS

Targeted to company

Social engineering

Concealed maliciousapplications

Untargeted spam

Phishing

All Respondents (n=205)

Annual Revenue Annual Network Security Spend

Less than $100M $100M or more Less than $500K $500K or more

(n=123) (n=82)* (n=95)* (n=105)

A B C D % % % %

68 77 71 73

60 61 66 57

57 62 55 62

37 48 34 50 C

29 38 25 40 C

29 38 23 42 C

23 20 17 27 c

0 2 a 2 0

Customer data is cited most often as the type of data attacked, followed by financial information.

20

Types of Data Attacked

Q13. What types of data do you see being attacked? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

49%

59%

63%

67%

Employee data

Corporate intellectualproperty

Financial information

Customer data

All Respondents (n=205)

Annual Revenue Annual Network Security Spend

Less than $100M $100M or more Less than $500K $500K or more

(n=123) (n=82)* (n=95)* (n=105)

A B C D

% % % %

69 63 67 70

63 63 59 68

55 65 54 65

52 45 51 50

Over 3 in 4 IT professionals experience untargeted spam in their organization once a week or more.

21

Frequency of Attacks – Once a week or more

Q18. On average, how often do you experience each type of attack? Please select one for each type of attack. (Hourly, Daily, Several times a week, Once a week, Several times a month, Once a month, Several times a year, Once a year, Once every 2 years, Never) A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

35%

40%

42%

51%

54%

69%

77%

Attack fromvendor/partner site

DDoS

Targeted to company

Social engineering

Concealed MaliciousApplications

Phishing

Untargeted spam

All Respondents (n=205)

Annual Revenue Annual Network Security Spend

Less than $100M $100M or more Less than $500K $500K or more

(n=123) (n=82)* (n=95)* (n=105)

A B C D

% % % %

79 74 76 78

68 71 63 76 C

55 52 43 64 C

50 52 43 58 C

40 46 32 52 C

40 41 34 49 C

35 34 25 44 C

21% 24% 18% 18% 26%

42% 44%

39% 51% D 33%

35% 31% 41%

29% 41% c

More attacks/threatsfrom user activity

No change inattacks/threats from useractivity

Less attacks/threats fromuser activity

Total (n=205)

Less than $100M (n=123)

A

$100M or more (n=82)*

B

Less than $500K (n=95)*

C

$500K or more (n=105)

D

Annual Revenue Annual Network Security Spend

Over a third of IT professionals have recently seen more attacks/threats from user activity, while 2 in 5 state they have not seen a change. Those who spend more annually in network security have seen more attacks relative to those who spend less.

22

Recent Change in Attacks

Q7. Have you recently seen a change in the number of attacks or threats stemming from user activity within your network? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

69% 61%

54%

43%

Nature of Attacks

63% 57%

51%

39% 38%

Top Threats Relative to Attacks

Of those who have recently seen more attacks stemming from user activity, around 7 out of 10 are a malware infected host, around 6 out of 10 are malicious communication with the command and control site and over half are taking advantage of software vulnerability. Top threats relative to these new attacks are primarily within the data center, mobile, and branch networks.

23

Attacks Stemming from User Activity

Base: Those who have recently seen more attacks stemming from user activity Q8. You mentioned you have recently seen more attacks or threats stemming from user activity within your network. What is the nature of these attacks? Q9. What are the top threats you are seeing relative to these new attacks? Is it within… A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

Malware infected host Malicious communication with the command and

control site

Taking advantage of software vulnerability

Network scan

(n=72)*

(n=72)*

Data center Mobile Branch networks Campus offices Satellite offices

Nearly 3 in 5 IT professionals are concerned with Application DDoS. Brute force attacks tend to be more of a concern among companies with higher revenue or spend more on security. On the other hand, companies who spend less on security are not as concerned about DDoS.

24

Type of DDoS Attack Concerns

Q12. What types of DDoS (Distributed Denial of Service) attacks are a concern for you and your organization? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

8%

35%

48%

49%

58%

I'm not concerned about DDoS

Slow DDoS attack

Volumetric DDoS

Brute force attack

Application DDoS

All Respondents (n=205)

Annual Revenue Annual Network Security Spend

Less than $100M $100M or more Less than $500K $500K or more

(n=123) (n=82)* (n=95)* (n=105)

A B C D

% % % %

52 66 a 53 62

43 59 A 40 58 C

49 46 41 54 c

39 29 35 36

10 5 14 D 2

3 in 5 IT professionals use IPS or NGFW to identify their “patient zero.”

25

Techniques Used to Identify “Patient Zero”

Q17. What are the techniques used for identifying your “patient zero” (i.e. the first case of the virus or breach)? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

11%

28%

38%

42%

60%

None of these

SIEM

Off premise cloudsourced information

Sandboxing technology

IPS or NGFW

All Respondents (n=205)

Annual Revenue Annual Network Security Spend

Less than $100M $100M or more Less than $500K $500K or more

(n=123) (n=82)* (n=95)* (n=105)

A B C D

% % % %

59 61 53 69 C

39 46 38 47

38 38 36 41

26 30 18 38 C

13 7 16 D 6

26

Appendix

3%

27% 32% 21% 17%

<$50K $51K-$200K

>$200K-< $1M

>$1M-< $5M

>$5M

0%

20%

40%

60%

80%

100%

Annual Network Security Spend

2%

3%

3%

5%

9%

12%

16%

48%

Other

Retail

Construction

Public Administration

Transportation/Communications/Utilities

Finance/Insurance/Real Estate

Manufacturing

Services

Industry

27

15%

19%

19%

16%

10%

21%

10,000 or more

5,000-9,999

2,500-4,999

1,000-2,499

500-999

100-499

Average = 5,100 employees

13% 15%

33% 40%

$1M-$4.9M $5M-$9.9M $10M-$99M $100M+

0%

20%

40%

60%

80%

100%

Annual Revenue

%

Manager 21

Director 43

VP-Level 35

Average = $79.5 million

Total Respondents (n=205)

Average = $2.6 million

Number of Employees

Role within Organization

Demographics – IT Professionals

Total (n=205)

Less than $100M (n=123)

A

$100M or more (n=82)*

B

Less than $500K (n=95)*

C

$500K or more (n=105)

D

Annual Revenue Annual Network Security Spend

3% 2% 4% 4% 2%

16% 17% 14% 15% 16%

19% 20% 17% 18% 20%

27% 26% 28% 25% 28%

36% 35% 38% 39% 35% Managing your team

Protecting your corporateassets

Maintenance/runningreports

Managing security fire drills

Other

On average, IT professionals spend over one-third of their time managing their team. About another third of their time is spent protecting corporate assets.

28

Amount of Time Dedicated to Various Tasks – Mean % of Time

Q3. What percentage of your time is dedicated to the following areas? Please provide your best estimate. Your answers must sum to 100%. A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

IT professionals value security effectiveness in an IPS more than price, regardless of company size.

29

Features Desired in an IPS

Q5. What are the features you look for in purchasing an IPS (Intrusion Prevention System)? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

45%

57%

79%

85%

94%

Simplicity

Price

Networkreliability

Performance

Securityeffectiveness

All Respondents (n=205)

Annual Revenue Annual Network Security Spend

Less than $100M $100M or more Less than $500K $500K or more

(n=123) (n=82)* (n=95)* (n=105)

A B C D

% % % %

92 96 93 95

86 84 82 88

79 79 79 81

56 59 59 55

46 43 48 40

Total (n=205)

Less than $100M (n=123)

A

$100M or more (n=82)*

B

Less than $500K (n=95)*

C

$500K or more (n=105)

D

Annual Revenue Annual Network Security Spend

3% 3% 2% 2% 4%

20% 25% B 13%

23% 18%

31% 26% 38% a

27% 33%

46% 46% 46% 47% 45%

Mostly consolidating intoNGFW devices

Acts as real timeenforcement for allnetwork threats

Standalone NGIPS blockingin and outbound threats

Little consolidations withNGFW devices

About half feel that NGIPS will be mostly consolidated into NGFW devices over the next few years. There is also a strong desire for it to become a real time enforcement for all network threats (about a third).

30

Future Role of NGIPS

Q6. What role do you think Next Generation Intrusion Prevention Systems (NGIPS) will play over the next few years? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

Analyst firms rise to the top as a source of information on network security vendors, followed by Network World.

31

Sources of Vendor Information

Q19. Where do you go to find out information on network security vendors? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base

5%

20%

23%

27%

28%

30%

53%

64%

Other

Dark Reading

SC Magazine

Krebs on Security

Slashdot

NSS

Network World

Analyst firms

All Respondents (n=205)

Annual Revenue Annual Network Security Spend

Less than $100M $100M or more Less than $500K $500K or more

(n=123) (n=82)* (n=95)* (n=105)

A B C D % % % %

61 70 60 68

52 55 58 50

28 33 19 41 C

27 30 27 30

24 32 25 30

24 21 21 25

20 20 20 21

3 7 6 3

Thank you