Tripwire has published the results of an extensive study conducted by Dimensional Research on behalf of Tripwire. The study evaluated the confidence of IT professionals regarding the efficacy of seven key security controls that must be in place to quickly detect a cyber attack in progress. Study respondents included 763 IT professionals from retail, energy, financial services and public sector organizations in the U.S. The majority of the respondents displayed high levels of confidence in their ability to detect a data breach even though they were unsure how long it would take automated tools to discover key indicators of compromise. For example, when asked how long it would take automated tools to detect unauthorized configuration changes to an endpoint on their organizations’ networks, 67 percent only had a general idea, were unsure or did not use automated tools. However, when asked how long it would take to detect a configuration change to an endpoint on their organizations’ networks, 71 percent believed it would happen within minutes or hours. Configuration changes are a hallmark of malicious covert activity.
Additional study findings include:
- Forty-eight percent of energy and health care respondents said they had the lowest percentage of successful patches in a typical patch cycle, with a success rate of less than 80 percent.
- Nearly two-thirds (62 percent) of respondents were unsure how long it would take for automated tools to generate an alert if they detected an unauthorized device on the network, while 87 percent believed it would happen within hours.
- Nearly half (48 percent) of respondents working for federal government organizations said not all detected vulnerabilities are remediated within 15 to 30 days.
- Forty-two percent of midmarket organizations do not detect all attempts to access files on local systems or network-accessible file shares by users who do not have the appropriate privileges.
- Sixty-one percent of respondents working in the financial services sector said their automated tools do not pick up all the information necessary to identify the locations, departments and other critical details about unauthorized configuration changes to endpoint devices.
- Only 23 percent of respondents said that 90 percent of the hardware assets on their organizations’ networks are automatically discovered.
“All of these results fall into the ‘we can do that, but I’m not sure how long it takes’ category,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “It’s good news that most organizations are investing in basic security controls; however, IT managers and executives, who don’t have visibility into the time it takes to identify unauthorized changes and devices, are missing key information that’s necessary to defend themselves against cyber attacks.”
The study is based on seven key security controls required by a wide variety of security regulations, including PCI DSS, SOX, NERC CIP, MAS TRM, NIST 800-53 and IRS 1075. These controls also align with US-CERT recommendations and international guidance such as the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions.
These regulations and frameworks recommend:
- Accurate hardware inventory.
- Accurate software inventory.
- Continuous configuration management and hardening.
- Comprehensive vulnerability management.
- Patch management.
- Log management.
- Identity and access management.
When implemented across the organization, these controls deliver specific, actionable information that is necessary to defend against the most pervasive and dangerous cyber attacks, including nation-state sponsored attacks. It is vital for organizations to identify indications of compromise quickly so that appropriate action can be taken before any damage is done. According to Mandiant’s M-Trends 2015 report, the average time required to detect an advanced persistent threat on a corporate network is 205 days. In addition, Verizon’s 2015 Data Breach Investigations Report revealed that two-thirds of targeted attacks generally took months to detect.