Security Pros Confident in Attack Detection

Thursday, February 11, 2016 @ 06:02 PM gHale

Security professionals have high levels of confidence in their ability to detect a data breach even though they were unsure how long it would take automated tools to discover key indicators of compromise, a new study found.

When asked how long it would take automated tools to detect unauthorized configuration changes to an endpoint on their organizations’ networks, 67 percent only had a general idea, were unsure or did not use automated tools.

Tracking ICS Threats Difficult
Attacks Grow in Oil and Gas
New Attack Divulges Password Length
Companies Know DDoS Attackers

However, when asked how long it would take to detect a configuration change to an endpoint on their organizations’ networks, 71 percent believed it would happen within minutes or hours. Configuration changes are a hallmark of malicious covert activity.

The study — conducted by Dimensional Research for security provider, Tripwire, Inc. and included 763 IT professionals from retail, energy, financial services and public sector organizations in the U.S. — also found:
• Forty-eight percent of energy and health care respondents said they had the lowest percentage of successful patches in a typical patch cycle, with a success rate of less than 80 percent.
• Nearly two-thirds (62 percent) of respondents were unsure how long it would take for automated tools to generate an alert if they detected an unauthorized device on the network, while 87 percent believed it would happen within hours.
• Nearly half (48 percent) of respondents working for federal government organizations said not all detected vulnerabilities end up remediated within 15 to 30 days.
• Forty-two percent of midmarket organizations do not detect all attempts to access files on local systems or network-accessible file shares by users who do not have the appropriate privileges.
• Sixty-one percent of respondents working in the financial services sector said their automated tools do not pick up all the information necessary to identify the locations, departments and other critical details about unauthorized configuration changes to endpoint devices.
• Only 23 percent of respondents said 90 percent of the hardware assets on their organizations’ networks are automatically discovered.

“All of these results fall into the ‘we can do that, but I’m not sure how long it takes’ category,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “It’s good news that most organizations are investing in basic security controls; however, IT managers and executives, who don’t have visibility into the time it takes to identify unauthorized changes and devices, are missing key information that’s necessary to defend themselves against cyber attacks.”

The study focused on seven key security controls required by a wide variety of security regulations, including PCI DSS, SOX, NERC CIP, MAS TRM, NIST 800-53 and IRS 1075. These controls also align with US-CERT recommendations and international guidance such as the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions.

These regulations and frameworks recommend:
• Accurate hardware inventory
• Accurate software inventory
• Continuous configuration management and hardening
• Comprehensive vulnerability management
• Patch management
• Log management
• Identity and access management

When implemented across the organization, these controls deliver specific, actionable information necessary to defend against pervasive and dangerous cyber attacks.

Click here for more information on the Tripwire study.