Network security—are businesses meeting the challenge?
Identifying Challenges in Network Security
July, 2014 © 2014 Ipsos. All rights reserved. Contains Ipsos' Confidential and Proprietary information and may not be disclosed or reproduced without the prior written consent of Ipsos.
Contents
Methodology
Key Findings
Current Corporate Landscape
Areas of Concern
Types of Threats
Appendix
Background & Methodology
Burson Marsteller and HP want to explore the main challenges in managing network security and where companies are lacking in security products and practices.
205 completed interviews were collected via an online survey.
Qualified respondents were located in the United States and met the following criteria:
• Work full time in a MIS/IS/IT/Networking/Technology-related job function in a company with:
  ─ 100+ employees
  ─ At least $1 million in annual revenue
• Make decisions or provide input into decisions made for technology solutions used within the organization
Respondents were questioned on corporate IT security initiatives, specific concerns regarding network security, and the nature of attacks and threats as well as their source.
Field dates: June 30 – July 15, 2014
Key Findings
• On average, firms are spending approximately $2.6 million annually on network security, and over 60% expect to spend more in the next 12 months.
  ─ Close to a quarter of security investment is dedicated to IPS, NGFW and APT/Malware.
  ─ Over 3 in 4 will concentrate on cloud and upgrading hardware and software.
  ─ Companies that spend $500K or more annually on network security are focusing on breach detection and compliance about 20% more than those that spend less.
  ─ IT professionals value security effectiveness over price when purchasing an IPS.
• Network security appears to be a growing concern among IT professionals.
  ─ External threats are a top concern (71% very concerned), as well as data center (65%) and endpoint security (63%).
  ─ Roughly 7 in 10 claim social media is a type of abuse happening on their corporate network, while over half are “very concerned” with file sharing.
  ─ About a third have recently seen more attacks/threats from user activity within their network. Nearly 70% of these involve a malware-infected host.
• Phishing is a top attack, experienced once a week or more, and customer data is the type of data attacked the most.
  ─ Over 3 in 4 IT professionals experience untargeted spam once a week or more.
  ─ China is stated most often as a country of origin for attacks, followed by Russia and the USA.
• While 3 in 4 of all companies are aware of phishing, companies that spend $500K or more on security see roughly 20% higher risk of social engineering attacks, attacks targeted to company and DDoS attacks vs. those that spend less.
  ─ Although threats are present, those who are not investing as much in network security may be missing these attacks. Those who spend more have recently seen more attacks/threats from user activity.
• IT professionals are very open to receiving guidance from analyst firms.
  ─ Roughly half are looking for guidance on how to manage and plan for SDN implementation.
Current Corporate Landscape
On average, investment is evenly distributed among the various areas of network security, with IPS rising to the top.
Amount of Network Security Investment Dedication – Mean % of Investment
Q4. What percentage of IT investment within your organization is dedicated to the following areas of network security? Please provide your best estimate. Your answers must sum to 100%. A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: Total (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Area | Total | A | B | C | D
IPS (Intrusion Prevention System) | 24% | 24% | 23% | 25% | 23%
NGFW (Next Generation Firewall) | 20% | 20% | 20% | 21% | 20%
APT/Malware | 19% | 19% | 19% | 19% | 19%
URL Filtering | 16% | 16% | 17% | 17% | 16%
VPN | 18% | 18% | 19% | 18% | 19%
Remaining segment (label not shown): 2% 2% 2% 3%
Over 3 in 5 IT professionals expect both network security costs and budgets to increase over the next 12 months.
Network Security Costs vs. Budget Expectations for Future
D3. Over the next 12 months, do you expect network security costs to…(Decrease, Remain the same, Increase, Not sure) D4. Over the next 12 months, does your company expect to increase or decrease the budget on network security? (Decrease, Remain the same, Increase, Not sure)
Total Respondents (n=205)
Expectation | Network Security Costs | Network Security Budget
Increase | 64% | 62%
Remain the same | 34% | 36%
Decrease | 1% | 1%
Embracing cloud or virtualization is a top corporate IT security initiative. Firms that spend $500K or more annually on network security are also significantly more likely to have breach detection and compliance as a corporate initiative.
Current Corporate IT Security Initiatives
Q1. What are your current corporate IT security initiatives? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: All Respondents (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Initiative | All Respondents | A | B | C | D
Embrace cloud or virtualization | 82% | 82% | 82% | 78% | 87%
Increase security posture | 77% | 73% | 83% | 75% | 81%
Upgrade hardware | 75% | 77% | 71% | 75% | 75%
Update/migrate software | 74% | 77% | 68% | 74% | 72%
Breach detection | 70% | 67% | 74% | 62% | 77% C
Ensure compliance | 67% | 65% | 71% | 57% | 77% C
Roll out Bring Your Own Device (BYOD) | 48% | 50% | 45% | 46% | 49%
Areas of Concern
Social media and non-productive employee web browsing are top types of abuse happening on corporate networks.
Types of Corporate Network Abuse
Q10. What types of abuse are happening on your corporate network? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: All Respondents (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Type of abuse | All Respondents | A | B | C | D
Social media | 69% | 67% | 73% | 71% | 68%
Non-productive employee web browsing | 64% | 61% | 70% | 63% | 67%
Streaming music or video | 56% | 51% | 63% a | 56% | 58%
Using mobile applications on company Wi-Fi | 51% | 50% | 52% | 49% | 53%
Non-corporate apps running on the corporate network | 50% | 51% | 49% | 49% | 50%
Illicit file sharing | 41% | 40% | 43% | 38% | 46%
Employees going to adult-only websites | 28% | 26% | 30% | 21% | 35% C
IT professionals are most concerned with external threats in regards to security. Data center and endpoint security comprise a second tier of concern. Although 2 in 5 are concerned with BYOD, it falls to the bottom of the list.
Areas of Security Concern – Top Box
Q2. Please indicate to what extent you are concerned with each of the following areas in regards to security. (Very concerned, Somewhat concerned, A little concerned, Not at all concerned) A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: All Respondents (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Area | All Respondents | A | B | C | D
External threats | 71% | 74% | 67% | 73% | 70%
Data center security | 65% | 68% | 60% | 62% | 69%
Endpoint security | 63% | 63% | 65% | 58% | 70% c
Software | 47% | 46% | 49% | 44% | 50%
Internal threats | 46% | 46% | 48% | 46% | 48%
Reputation of a site | 43% | 43% | 44% | 38% | 49%
Bring Your Own Device (BYOD) | 43% | 45% | 40% | 42% | 42%
More than half of IT professionals are “very concerned” with file sharing.
Security Concern with Applications – Top Box
Q11. Now, please indicate to what extent you are concerned with the following activities in terms of security. (Very concerned, Somewhat concerned, A little concerned, Not at all concerned) A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: All Respondents (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Activity | All Respondents | A | B | C | D
File sharing | 54% | 55% | 52% | 54% | 56%
Cloud-based applications | 48% | 46% | 51% | 46% | 50%
Non-work related applications | 45% | 46% | 44% | 44% | 48%
Social media | 43% | 41% | 46% | 38% | 49%
Business applications | 38% | 38% | 37% | 35% | 41%
Adult websites | 37% | 33% | 41% | 34% | 38%
Manageability rises to the top as a key concern for migrating to SDN, followed by being in the early stages of planning and an attacker compromising the SDN controller.
Concerns for Migrating to SDN
Q14. What are your concerns, if any, for migrating to SDN (Software Defined Networking)? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: All Respondents (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Concern | All Respondents | A | B | C | D
Manageability | 54% | 53% | 55% | 52% | 57%
Early stages of planning our SDN implementation | 45% | 47% | 41% | 42% | 50%
Attacker compromising our SDN controller | 44% | 46% | 43% | 41% | 49%
Not sure which applications to migrate to SDN | 24% | 28% | 18% | 29% | 20%
Don't see a business need | 18% | 20% | 15% | 20% | 15%
None of the above | 7% | 7% | 9% | 5% | 8%
Types of Threats
China is stated most often as a country of origin for attacks, followed by Russia and the USA.
Country of Origin for Attacks
Q15. From which country do you believe the attacks most often come from? Please include as many responses as you think are necessary. (Open End)
Nearly 3 in 4 IT professionals have experienced phishing within their organization. Those who spend more on security tend to experience more types of attacks than those who spend less.
Types of Attacks Experienced
Q16. Which type of attacks have you experienced within your organization? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: All Respondents (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Type of attack | All Respondents | A | B | C | D
Phishing | 72% | 68% | 77% | 71% | 73%
Untargeted spam | 60% | 60% | 61% | 66% | 57%
Concealed malicious applications | 59% | 57% | 62% | 55% | 62%
Social engineering | 41% | 37% | 48% | 34% | 50% C
Targeted to company | 33% | 29% | 38% | 25% | 40% C
DDoS | 33% | 29% | 38% | 23% | 42% C
Attack from vendor/partner site | 21% | 23% | 20% | 17% | 27% c
Other | 1% | 0% | 2% a | 2% | 0%
Customer data is cited most often as the type of data attacked, followed by financial information.
Types of Data Attacked
Q13. What types of data do you see being attacked? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: All Respondents (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Type of data | All Respondents | A | B | C | D
Customer data | 67% | 69% | 63% | 67% | 70%
Financial information | 63% | 63% | 63% | 59% | 68%
Corporate intellectual property | 59% | 55% | 65% | 54% | 65%
Employee data | 49% | 52% | 45% | 51% | 50%
Over 3 in 4 IT professionals experience untargeted spam in their organization once a week or more.
Frequency of Attacks – Once a week or more
Q18. On average, how often do you experience each type of attack? Please select one for each type of attack. (Hourly, Daily, Several times a week, Once a week, Several times a month, Once a month, Several times a year, Once a year, Once every 2 years, Never) A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: All Respondents (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Type of attack | All Respondents | A | B | C | D
Untargeted spam | 77% | 79% | 74% | 76% | 78%
Phishing | 69% | 68% | 71% | 63% | 76% C
Concealed malicious applications | 54% | 55% | 52% | 43% | 64% C
Social engineering | 51% | 50% | 52% | 43% | 58% C
Targeted to company | 42% | 40% | 46% | 32% | 52% C
DDoS | 40% | 40% | 41% | 34% | 49% C
Attack from vendor/partner site | 35% | 35% | 34% | 25% | 44% C
Over a third of IT professionals have recently seen more attacks/threats from user activity, while 2 in 5 state they have not seen a change. Those who spend more annually in network security have seen more attacks relative to those who spend less.
Recent Change in Attacks
Q7. Have you recently seen a change in the number of attacks or threats stemming from user activity within your network? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: Total (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Change | Total | A | B | C | D
More attacks/threats from user activity | 35% | 31% | 41% | 29% | 41% c
No change in attacks/threats from user activity | 42% | 44% | 39% | 51% D | 33%
Less attacks/threats from user activity | 21% | 24% | 18% | 18% | 26%
Of those who have recently seen more attacks stemming from user activity, around 7 out of 10 report a malware-infected host, around 6 out of 10 report malicious communication with the command and control site, and over half report attacks taking advantage of a software vulnerability. Top threats relative to these new attacks are primarily within the data center, mobile, and branch networks.
Attacks Stemming from User Activity
Base: Those who have recently seen more attacks stemming from user activity Q8. You mentioned you have recently seen more attacks or threats stemming from user activity within your network. What is the nature of these attacks? Q9. What are the top threats you are seeing relative to these new attacks? Is it within… A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Nature of Attacks (n=72)*
Malware infected host | 69%
Malicious communication with the command and control site | 61%
Taking advantage of software vulnerability | 54%
Network scan | 43%
Top Threats Relative to Attacks (n=72)*
Data center | 63%
Mobile | 57%
Branch networks | 51%
Campus offices | 39%
Satellite offices | 38%
Nearly 3 in 5 IT professionals are concerned with Application DDoS. Brute force attacks tend to be more of a concern among companies that have higher revenue or spend more on security. On the other hand, companies that spend less on security are not as concerned about DDoS.
Type of DDoS Attack Concerns
Q12. What types of DDoS (Distributed Denial of Service) attacks are a concern for you and your organization? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: All Respondents (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Type of DDoS concern | All Respondents | A | B | C | D
Application DDoS | 58% | 52% | 66% a | 53% | 62%
Brute force attack | 49% | 43% | 59% A | 40% | 58% C
Volumetric DDoS | 48% | 49% | 46% | 41% | 54% c
Slow DDoS attack | 35% | 39% | 29% | 35% | 36%
I'm not concerned about DDoS | 8% | 10% | 5% | 14% D | 2%
3 in 5 IT professionals use IPS or NGFW to identify their “patient zero.”
Techniques Used to Identify “Patient Zero”
Q17. What are the techniques used for identifying your “patient zero” (i.e. the first case of the virus or breach)? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: All Respondents (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Technique | All Respondents | A | B | C | D
IPS or NGFW | 60% | 59% | 61% | 53% | 69% C
Sandboxing technology | 42% | 39% | 46% | 38% | 47%
Off premise cloud sourced information | 38% | 38% | 38% | 36% | 41%
SIEM | 28% | 26% | 30% | 18% | 38% C
None of these | 11% | 13% | 7% | 16% D | 6%
Appendix
Demographics – IT Professionals
Total Respondents (n=205)
Annual Network Security Spend (Average = $2.6 million)
<$50K | 3%
$51K-$200K | 27%
>$200K-< $1M | 32%
>$1M-< $5M | 21%
>$5M | 17%
Industry
Services | 48%
Manufacturing | 16%
Finance/Insurance/Real Estate | 12%
Transportation/Communications/Utilities | 9%
Public Administration | 5%
Construction | 3%
Retail | 3%
Other | 2%
Number of Employees (Average = 5,100 employees)
10,000 or more | 15%
5,000-9,999 | 19%
2,500-4,999 | 19%
1,000-2,499 | 16%
500-999 | 10%
100-499 | 21%
Annual Revenue (Average = $79.5 million)
$1M-$4.9M | 13%
$5M-$9.9M | 15%
$10M-$99M | 33%
$100M+ | 40%
Role within Organization
Manager | 21%
Director | 43%
VP-Level | 35%
On average, IT professionals spend over one-third of their time managing their team. About another third of their time is spent protecting corporate assets.
Amount of Time Dedicated to Various Tasks – Mean % of Time
Q3. What percentage of your time is dedicated to the following areas? Please provide your best estimate. Your answers must sum to 100%. A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: Total (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Task | Total | A | B | C | D
Managing your team | 36% | 35% | 38% | 39% | 35%
Protecting your corporate assets | 27% | 26% | 28% | 25% | 28%
Maintenance/running reports | 19% | 20% | 17% | 18% | 20%
Managing security fire drills | 16% | 17% | 14% | 15% | 16%
Other | 3% | 2% | 4% | 4% | 2%
IT professionals value security effectiveness in an IPS more than price, regardless of company size.
Features Desired in an IPS
Q5. What are the features you look for in purchasing an IPS (Intrusion Prevention System)? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: All Respondents (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Feature | All Respondents | A | B | C | D
Security effectiveness | 94% | 92% | 96% | 93% | 95%
Performance | 85% | 86% | 84% | 82% | 88%
Network reliability | 79% | 79% | 79% | 79% | 81%
Price | 57% | 56% | 59% | 59% | 55%
Simplicity | 45% | 46% | 43% | 48% | 40%
About half feel that NGIPS will be mostly consolidated into NGFW devices over the next few years. There is also a strong desire for it to become a real time enforcement for all network threats (about a third).
Future Role of NGIPS
Q6. What role do you think Next Generation Intrusion Prevention Systems (NGIPS) will play over the next few years? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: Total (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Role | Total | A | B | C | D
Mostly consolidating into NGFW devices | 46% | 46% | 46% | 47% | 45%
Acts as real time enforcement for all network threats | 31% | 26% | 38% a | 27% | 33%
Standalone NGIPS blocking in and outbound threats | 20% | 25% B | 13% | 23% | 18%
Little consolidations with NGFW devices | 3% | 3% | 2% | 2% | 4%
Analyst firms rise to the top as a source of information on network security vendors, followed by Network World.
Sources of Vendor Information
Q19. Where do you go to find out information on network security vendors? A/B, C/D = Significantly higher with 95% confidence; a/b, c/d = Significantly higher with 90% confidence *Small base
Columns: All Respondents (n=205); Annual Revenue: A = Less than $100M (n=123), B = $100M or more (n=82)*; Annual Network Security Spend: C = Less than $500K (n=95)*, D = $500K or more (n=105)
Source | All Respondents | A | B | C | D
Analyst firms | 64% | 61% | 70% | 60% | 68%
Network World | 53% | 52% | 55% | 58% | 50%
NSS | 30% | 28% | 33% | 19% | 41% C
Slashdot | 28% | 27% | 30% | 27% | 30%
Krebs on Security | 27% | 24% | 32% | 25% | 30%
SC Magazine | 23% | 24% | 21% | 21% | 25%
Dark Reading | 20% | 20% | 20% | 20% | 21%
Other | 5% | 3% | 7% | 6% | 3%
Thank you