Tripwire: IT Professionals Overconfident in Their Ability to Detect Breaches, Reveals Survey
In today’s ever-evolving world, the PC is no longer the sole endpoint found on organizations’ networks. It is joined by the likes of servers and point-of-sale terminals (PoS), endpoint devices which are contributing to a growing complexity of modern IT environments. Such change demands that IT professionals rethink their organizations’ endpoint security strategies.
This necessity has not been lost on Eric Ogren, Senior Security Analyst at 451 Research.
“If you gave 100 people a blank slate and asked them to design an endpoint security plan, how many would think of trying to identify and block all known threats?” asks Ogren in a recent post for Tripwire. “You probably wouldn’t start there, and you probably recognize that a perimeter is just a concept. You might start by observing what defines a normal configuration for each user so you can recognize sudden unexpected changes and have a reference point to return to normal.”
The ability to detect configuration changes is crucial for spotting breaches and targeted attacks. It is therefore not surprising that many organizations have invested in automated tools and vulnerability scanners capable of detecting alterations. What is surprising, however, is the fact that most IT professionals are confident these solutions can detect a configuration change in a short period of time despite not knowing enough about the tools’ actual detection rates.
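The "reference point" approach Ogren describes and the configuration-change detection discussed above come down to recording a known-good baseline and comparing the live state against it. The script below is an added illustration written for this article, not Tripwire's product or code from the survey: it baselines the SHA-256, size and permission bits of every file under a directory, persists the baseline as JSON, and then reports additions, deletions and modifications. The directory layout, the file names (`etc/sshd_config`, `etc/hosts`, `cron.d/new_job`) and their contents are constructed sample data created in a temporary directory so the example runs offline. Each finding also records how many seconds elapsed between the file's modification time and the moment the check ran, which is the "how long does it take your tools to alert" question the survey asked and most respondents could not answer.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Snapshot every regular file under root: {relative_path: {sha256, size, mode, mtime}}."""
    root = Path(root)
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            snapshot[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),  # permission bits only
                "mtime": st.st_mtime,             # recorded, not compared
            }
    return snapshot


def detect_drift(root, baseline):
    """Compare the live tree to a baseline and return a list of findings.

    Only content, size and permission changes raise a finding; mtime alone does not,
    so a harmless 'touch' is not reported. Each finding on a file that still exists
    carries seconds_since_change: the detection latency relative to the file's mtime.
    """
    now = time.time()
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        if rel not in current:
            findings.append({"path": rel, "change": "deleted"})
            continue
        new = current[rel]
        for field in ("sha256", "size", "mode"):
            if new[field] != old[field]:
                findings.append({
                    "path": rel,
                    "change": f"{field} changed",
                    "was": old[field],
                    "now": new[field],
                    "seconds_since_change": round(now - new["mtime"], 3),
                })
    for rel, new in current.items():
        if rel not in baseline:
            findings.append({
                "path": rel,
                "change": "added",
                "seconds_since_change": round(now - new["mtime"], 3),
            })
    return findings


def demo():
    """Build a constructed endpoint tree, baseline it, drift it, and return the findings."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    (root / "etc").mkdir()
    (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")   # constructed sample
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")        # constructed sample

    baseline = build_baseline(root)
    baseline_file = Path(tempfile.mkdtemp(prefix="fim-baseline-")) / "baseline.json"
    baseline_file.write_text(json.dumps(baseline, indent=2))   # persist the reference point

    # Simulate drift: a hardening setting is changed, a file disappears, a file appears.
    (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
    os.remove(root / "etc" / "hosts")
    (root / "cron.d").mkdir()
    (root / "cron.d" / "new_job").write_text("* * * * * /tmp/example\n")  # constructed sample

    saved = json.loads(baseline_file.read_text())   # reload to show the round trip works
    return detect_drift(root, saved)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the script prints four findings: a content (SHA-256) change and a size change on `etc/sshd_config`, the deletion of `etc/hosts`, and the addition of `cron.d/new_job`, each with a latency figure of well under a second because the check ran immediately. On a real endpoint the same comparison would run on a schedule, and the gap between a file's mtime and the run that catches it is the number a team needs to know before claiming "minutes or hours" to detect a change.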
This is the overall finding of an extensive study recently conducted by Dimensional Research on behalf of Tripwire. The survey evaluated the confidence of 763 IT professionals from retail, energy, financial services, and public sector organizations in the United States regarding the efficacy of seven key security controls that must be in place to quickly detect a cyber attack in progress.
Those seven controls, which are recommended by standards and frameworks including PCI DSS, SOX, NERC CIP, MAS TRM, NIST 800-53 and IRS 1075, are accurate hardware inventory, accurate software inventory, continuous configuration management and hardening, comprehensive vulnerability management, patch management, log management, and identity and access management; together they form the parts of an ongoing endpoint security strategy.
When asked if they know how long it takes for their automated tools to alert the organization about an authorized configuration change on an endpoint device, a majority (60 percent) of respondents stated that they had only a vague idea, no idea, or did not use those kinds of solutions to discover configuration alterations. This figure is approximately the same (62 percent) as the percentage of those who are unsure about the alerts generated by vulnerability scanning systems.
However, when they were asked about how long it takes for those tools to detect a configuration change, most respondents said that it would take only minutes or hours for automated tools and vulnerability scanning systems to detect such changes (71 percent and 87 percent, respectively). In reality, it usually takes months for security professionals to detect an advanced persistent threat or targeted attack on their network, as revealed by Mandiant’s M-Trends 2015 report and Verizon’s 2015 Data Breach Investigations Report.
Along those lines, nearly half (48 percent) of respondents working for federal government organizations said not all detected vulnerabilities are remediated within 15 to 30 days.
Additionally, only 23 percent of the IT professionals surveyed said that 90 percent of the hardware assets on their organizations’ networks are automatically discovered.