Tim Wilson, editor-in-chief of Dark Reading, talks about the key results of his recent survey of IT executives regarding their chief concerns, plans, and practices around information security, and which of the results surprised him the most.
Q: Tim, I know that Dark Reading and InformationWeek just completed their annual Strategic Security Survey which asks IT people about their security breaches, spending, and technology plans. What were the key results? Compare what you learned to the results from last year's survey??
Tim Wilson: Dark Reading and InformationWeek recently completed the annual InformationWeek Strategic Security survey, which polls IT executives on their chief concerns, plans, and practices around information security. The responses were interesting and very much in line with what we hear from Dark Reading readers.
In a nutshell -- and we can't give away too much data before it's published -- the survey shows that the IT security situation isn't improving in most enterprises. While data breach incidence was fairly flat from 2014 to 2015, enterprises are experiencing a marked rise in certain kinds of attacks, particularly denial of service attacks, which increased by more than 12% over the past year. And these attacks are taking a toll -- almost 40% of respondents said their business applications and services have been rendered unavailable because of online attacks in the past year.
From an IT perspective, these ongoing threats continue to make an impact on IT strategy and spending. The portion of IT spending that goes to security increased again this year, and most organizations are now spending more than 11% of their IT budgets on security today. Seven percent said they are spending more than 25% of their IT budgets on security. It's becoming a bigger piece of the IT pie every year.
Q: Which results surprised you the most -- and why?
Wilson: Interestingly, new threats and sophisticated attacks weren't listed as the biggest security-related challenges faced by the IT organization. Some 44% of respondents said that the increasing complexity of security is a chief challenge. I believe a large part of this is the complexity around all of the different security technologies and solutions out there -- there are so many products and vendors, and many of them are designed to solve only one problem. I think their concern about complexity also has to do with the increasingly multi-pronged nature of the attacks -- malware is increasingly polymorphic, changing its behavior depending on what systems it infects and automatically evolving to avoid signature-based defenses.
Another 37% of respondents listed "enforcing security policies" as a top challenge, which is a surprisingly high figure. This indicates that enterprises know how they want to protect their data, but don't have the technology they need to enforce the data protection policies they set. A lot of the problem stems from increasing use of technologies and services that are outside of IT's control: employee-owned mobile devices, third-party cloud services, and the external supply chain are all good examples.
I was also surprised that almost half (49%) of respondents listed end-user awareness training as one of the most valuable security practices they have – end-user training ranked even higher than vulnerability analysis, incident response, or strong passwords. This is an interesting response because there is a school of security experts who says that end-user training is essentially a waste of time and that end users will never learn how to protect themselves. But IT executives continue to rate it as one of their most valuable practices.
Q: You mentioned that you've had some conversations with CISOs recently. What are those security professionals telling you about their greatest concerns these days?
Wilson: I conducted a panel of top CISOs at the recent RSA shows in San Francisco, and had the chance to spend some time with executives who have managed security at enterprises, such as GM, Visa, WorldBank, and Mayo Clinic. One of the things that impressed me was that, unlike most security pros, they did not discuss technology first. They are wrestling more with business and administrative issues, such as staffing, budgets, and how to communicate the security message to the CEO and other top executives who are not particularly security-savvy.
After spending some time with these executives, I now see that there is an important bridge that needs to be expanded between today's security threats and defenses -- the kinds of things that Dark Reading writes about every day -- and the question of business risk. The cyber threat is probably the most unpredictable risk that enterprises face today -- you can calculate the dangers and potential costs associated with hurricanes or tornadoes based on past history, but there are no accurate actuarial tables that predict the likelihood or potential cost of a data breach. This makes businesses very nervous because it has a huge potential impact on the bottom line -- yet it can't be predicted accurately. So IT is looking for ways to measure and illustrate the risk of data breaches and ways to use those metrics to help the business make smart security investment decisions.
Q: What solutions are they putting in place to alleviate some of those concerns?
Wilson: At the highest level, I think many enterprises are moving from security management to risk management. Some large enterprises now have a chief risk officer. Security strategies are now built around risk management rather than threat prevention. The reality is that no enterprise can stop every hacker. So it's a question of how much to spend on security (costs) vs. how much risk you can realistically eliminate (benefits).
Some companies are now actively choosing not to implement certain security practices or technologies -- they are accepting a certain level of risk because they feel the benefits will be greater if they spend the money on something that's more core to their business. I don't think there's anything wrong with that. IT security is not about preventing every attack. It's about understanding the risks and likelihood of attack and making intelligent decisions on what you can do to prevent them. Just as a business might see a certain financial risk as acceptable, more businesses are identifying some security risks as acceptable. They may get burned, they may not. But you can't protect against everything when security is only 11-15% of your IT budget.
On a more tactical level, enterprises are investing more and more in technologies that help identify and measure risk. For example, threat intelligence services promise to help the enterprise identify and plan for threats emanating from external attackers. These services help correlate internal incidents and vulnerabilities with the likelihood of an external attack. Similarly, many enterprises are investing in security analytics tools that help analyze security logs and devices to root out indicators of sophisticated attacks. Enterprises are looking to make better use of the data they already have to detect multi-phased exploits and reduce the risk of a breach. This focus on forensics and security data analytics has been growing for the past several years and I expect it to continue in the next few years.
Margee Abrams, CISSP, director of security services at Neustar, discusses the key results of Neustar's recent 2015 North American Denial of Service Attacks & Impact Report, why security is no longer an IT-only issue, and the reason Neustar decided to become a Black Hat USA 2015 sponsor.
Q: Margee, Neustar just recently received a Vendor of Excellence award from PACE (Professional Association of Customer Engagement). Tell me what you did to deserve that honor. For readers who don't know, what does Neustar do for the customer contact industry?
Margee Abrams: We are honored that our commitment to helping businesses comply with the Telephone Consumer Protection Act (TCPA) has earned us the "Vendor of Excellence" award from the Professional Association of Customer Engagement (PACE).
In 1991, the United States Federal Communications Commission (FCC) implemented the TCPA to protect consumer privacy by restricting the use of autodialers to call wireless phone numbers. The regulation was later interpreted to include SMS messaging provisions. As technology progresses, the policy will most likely undergo further amendments which could be a driving factor behind more multi–million-dollar lawsuits. Neustar emerged as the industry leader by helping companies optimize business efficiency and reduce the likelihood of calling a phone number that no longer belongs to the individual who provided consent. Neustar helps companies identify whether phone numbers are still associated with the intended consumer. This strategy increases right-party contacts, decreases wrong-party contacts, focuses resources to the highest-quality phone numbers, and increases our clients' revenue per call, all the while reducing the risk of consumer privacy violations.
Q: Your 2015 North American Denial of Service (DDoS) Attacks & Impact Report interviewed 510 North American companies with nearly one-third earning over $1B in annual revenue. What were some of the key findings?
Abrams: Our annual U.S. and EMEA DDoS Attacks & Impact Report continues to highlight and forecast DDoS trends. This year, some of the key findings were these:
While those numbers are sobering, it is clear that DDoS threats have become a serious consideration in most organizations. Neustar was encouraged to see the rapid adoption of a hybrid approach as a means to stymie DDoS attacks. Hybrid is the defense of choice by 94% of companies that would lose more than $100,000 per hour during peak business times.
Q:Which findings surprised you the most -- and why?
Abrams: It was interesting to see how companies have increased an alignment of DDoS impacts to areas outside of IT. In other words, security is no longer an IT-only issue. From the CMO to the CIO, we're seeing more executives take an increased interest in their company's Web security and performance measures. As breaches and hacks become more widespread and public, all areas of the business recognize the need to align and adjust their responses accordingly. This clearly demonstrates that organizations are compelled to have cross-organizational discussions to mitigate business risks due to these attacks.
Q: Neustar is presenting a Sponsored Workshop at Black Hat USA 2015. One session is about Using Geo-Intelligence to Thwart Cyber Threats, and the other is on the Many Roles DNS Plays in Security Battles. Why is making a sponsorship investment in Black Hat worth making?
Abrams: Neustar is proud of our continued relationship and support of Black Hat and the forum that it provides. Black Hat provides a platform where security professionals across the globe can come together to discuss issues, trends, and opportunities. As the landscape of the Internet continues to evolve, Neustar continues to advance a leadership role in protecting online infrastructures, and important forums such as Black Hat allow the entire community to communicate and learn from one another.
Charles Leaver, CEO of Ziften, chats about who benefits most from his latest technology which extends network visibility down to the endpoint, and also what will be some of the takeaways for attendees at Ziften's workshop at Black Hat USA 2015.
Q: Charles, your new technology, ZFlow, is described as "greatly enhancing the visibility available to enterprise cyber defenders by extending network visibility down to the endpoint." What exactly does that mean ... and who would benefit most from that new solution?
Charles Leaver: The problem has been that conventional network security only has visibility into what can be observed on the wire and is blind to what's occurring on the endpoint. While deep packet inspection provides more insight into application network activity, it is still only an educated guess as to what endpoint activity may be associated with observed network data flows. Clever malware techniques can deceive and evade even the best network security, relying on its invisibility within the endpoint. Traditional endpoint security suites, while monitoring endpoint network operations, provide no assistance in either reporting or correlating endpoint observation context with network observation context. Cyber attackers abuse this blind spot to conceal their activities, evade detection, exploit the network, and victimize the targeted enterprise.
Ziften ZFlow produces network flow intelligence in the IETF-defined Internet Protocol Flow Information Export (IPFIX) protocol, combining standard IANA-defined fields like source, destination, timestamp, packets, etc., with custom extended fields formatted as IPFIX Information Elements. These extended fields illuminate the endpoint activity associated with the observed network traffic, thus extending network visibility down to the endpoint. ZFlow data can be exported to industry standard flow analyzers and visualization tools for analysis and correlation with traditional network flow data already being collected. Ziften is actively working to support these extensions with network security partners eager to utilize the vastly enhanced visibility ZFlow provides to enterprise security teams.
The bottom line is that we see Ziften ZFlow as enabling a dramatic fusion of network visibility with endpoint context. Any organization seeking to have a complete picture of their environment to help fight against cyber attackers will benefit from ZFlow.
Q: Ziften was recently named the "Top Endpoint Threat Detection Vendor" on the Cybersecurity 500. Why do you think you won that honor?
Leaver: Cybersecurity Ventures researchers look into a variety of criteria when they rank solution providers, including market category, problems solved, feedback from customers, and management pedigree. The feedback we received was they were particularly impressed with our security DNA, well-rounded product strategy, and the integrations we have built with other leading vendors on the Cybersecurity 500, such as Splunk, ServiceNow, AlienVault, Lancope, and others. From day one, our strategy has been to add value into the existing security eco-system by both ingesting data such as threat feeds, and also sharing our unique endpoint visibility with products that can benefit from our data. We do this through our Open Visibility platform. Too many of the security products out there today exist in silos or only share data with a small set of partners. We aim to help our customers get even more from any related security product they have in place by enhancing their current visibility with our endpoint intelligence.
Q: You'll be presenting a Sponsored Workshop at Black Hat USA 2015. What will some of the takeaways be for attendees?
Leaver: Ryan Holeman, our director of security solutions, is presenting an interactive workshop entitled "Endpoints, Threat Feeds, FPs, and You." Ryan is a veteran presenter at Black Hat and other security conferences. Threat feeds are a "must have" in the world of enterprise security, but with the flood of emerging vendors and open source projects providing these feeds, it has become a daunting task to discover which feeds are best for meeting an organization's needs. Once customers choose their collection of feeds, they are still left without any direction on how to use them.
In this workshop, Ryan will show attendees techniques to enhance both their threat feed data as well as their enterprise network logs. These enhancement techniques will enable attendees to gather more context and attribution on their network sources, enrich their threat feed data for improved correlation, reduce false positives on network threat feed alerts, and reduce investigation time when performing incident response.
Beginners should walk away with a solid understanding of network threat feeds and how they can use them effectively in their environment. Experienced veterans will leave this workshop with new tricks and techniques for using their preexisting feeds. The hands-on exercises presented in this workshop are optional and can be done with any CSV parser.
Q: What advantages are you expecting of being a Black Hat sponsor?
Leaver: We are sending a large group of employees to the conference, and I'd summarize what we hope to accomplish as showcasing our solution to prospective clients and educating attendees with the current state-of-the-threat landscape as it relates to endpoints. We find attending the sessions to be an excellent way to hear from other's experiences and best practices. The workshop we are sponsoring is meant to provide much-needed guidance to attendees struggling with getting the most out of their threat feeds, which is a hot topic these days. We are also looking forward to showcasing our product at the Ziften booth. Many vendors seem to make the same claims and showing our product-solving, real-world problems is the best way for people to cut through the noise and see the unique value that the Ziften solution provides.