Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

Transcription

1 Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey CyberMaryland Conference 2017 Bob Andersen, Sr. Manager Federal Sales Engineering (office)

2 SolarWinds 2017 Federal Cybersecurity Survey SolarWinds contracted Market Connections to conduct a fourth annual blind online survey among 200 federal government IT decision makers and influencers in July 2017 The objectives were to determine challenges, quantify sources and types of threats, and explore successful cybersecurity strategies

3 IT SECURITY OBSTACLES, THREATS AND BREACHES 3 Sources of Security Threats Careless/untrained insiders and foreign governments are noted as the largest sources of security threats at federal agencies. Significantly more defense than civilian respondents indicate malicious insiders is a security threat at their agency. Careless/untrained insiders Foreign governments General hacking community Hacktivists Malicious insiders Terrorists For profit crime Industrial spies Unsure of these threats Other None of the above 2% 1% 2% 12% 17% 20% 29% 34% 38% By Agency Type Defense Civilian 40% 21% 48% 54% Note: Multiple responses allowed 0% 10% 20% 30% 40% 50% 60% = statistically significant difference What are the greatest sources of IT security threats to your agency? (select all that apply)

4 IT SECURITY OBSTACLES, THREATS AND BREACHES 4 Sources of Security Threats Trend There has been no significant reduction in the various sources of security threats. Since 2014, respondents indicate significant increases in threats from both careless/untrained and malicious insiders Careless/untrained insiders 42% 53% 48% 54% Foreign governments 34% 38% 48% 48% General hacking community 47% 46% 46% 38% Hacktivists 26% 30% 38% 34% Malicious insiders 17% 23% 22% 29% Terrorists 21% 18% 24% 20% For profit crime 11% 14% 18% 17% Industrial spies 6% 10% 16% 12% Note: Multiple responses allowed = top 3 sources = statistically significant difference What are the greatest sources of IT security threats to your agency? (select all that apply)

5 2015 CYBERSECURITY SURVEY: INSIDER BREACH CAUSES AND DETECTION DIFFICULTIES 5 Insider Threat Detection Difficulties The volume of network activity is noted most often as what makes insider threat detection and prevention most difficult. One third also note the lack of IT staff training, the use of cloud services and pressure to change configuration quickly versus securely. Volume of network activity Lack of IT staff training Growing use of cloud services Use of mobile devices Cost of sophisticated tools Growing adoption of BYOD Inadequate monitoring of storage devices Inadequate visibility into users network activity Complexity of monitoring tools Inadequate change control practices Functionality of and access to critical systems Other Note: Multiple responses allowed = statistically significant difference 3% In today s environment, what makes insider threat detection and prevention more difficult? 40% 35% 35% 34% 30% 27% 27% 26% 24% 24% 23% 22% 19% Volume of network activity Inadequate configuration management of IT assets Inadequate monitoring of storage devices 0% 10% 20% 30% 40% 50% IT/ Security Staff Defense IT/Security Manager/ Director 29% 44% Civilian 17% 28% 18% 32% 2015 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

6 2015 CYBERSECURITY SURVEY: INSIDER BREACH CAUSES AND DETECTION DIFFICULTIES 6 Accidental Insider Breach Causes The most common causes of accidental insider IT security breaches are phishing attacks, followed by data copied to an insecure device and accidentally deleting, corrupting or modifying critical data. Phishing attacks Data copied to insecure device Accidentally deleting, corrupting or Using personal devices that are against Poor password management Incorrect use of approved personal devices Not applying security updates Incorrect disposal of hardware Insecure configuration of IT assets Note: Multiple responses allowed = statistically significant difference Device loss Other 4% 24% 28% 33% 31% 37% 37% 36% 41% 44% 49% 0% 10% 20% 30% 40% 50% 60% What are the most common causes of accidental insider IT security breaches caused by the untrained or careless employee? Insecure configuration of IT assets IT/ Security Staff IT/Security Manager/ Director 17% 36% Defense Civilian Device loss 26% 43% 2015 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

7 IT SECURITY OBSTACLES, THREATS AND BREACHES 7 Change in Security Threats In the past 12 months, half of respondents have seen SPAM and malware increase at their agency. Decreased No Change Increased SPAM 16% 32% 52% Malware 14% 35% 50% Social engineering 12% 45% 43% Ransomware 9% 54% 37% External hacking 14% 49% 37% Denial of service 11% 60% 29% Insider data leakage/theft 16% 59% 25% Physical security attacks 18% 58% 23% Mobile device theft 10% 68% 22% APT 12% 74% 14% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% In the past 12 months, has your agency seen any changes in the following types of cyber security threats?

8 RISK MANAGEMENT 8 Managing Risk Respondents most often indicate tools to monitor and report risk and IT modernization have contributed to successfully managing risk. Still, one third note IT modernization has posed more of a challenge. 3% 5% 8% 10% 19% 30% 28% 34% 20% 34% 26% 22% 46% 43% 38% 34% DK/NA Had no effect Posed more of a challenge Contributed to success Tools to monitor and report risk IT modernization Network optimization Data center optimization How have the items below challenged or contributed to your agency s ability to manage risk as part of its overall security posture in the past 12 months?

9 Combating the Insider Threat Survey Indicated Four Pillars Needed Have a documented security policy Have security controls in place that are regularly exercised Implement a security in depth multi vendor toolset Embrace analytics, automation, and artificial intelligence to detect vulnerabilities and changes in your security posture

10 RISK MANAGEMENT 10 Security Product Effectiveness Over two thirds indicate the effectiveness is high for Smart Card/CAC to foster network and application security. Smart Card / Common Access Card Identity and access management tools Endpoint security software Network admission control (NAC) solutions Patch management software Configuration management software Web application security tools File integrity monitoring software SIEM software Messaging security software Don't use Low Moderate High 3% 4% 26% 68% 2% 4% 3% 6% 4% 7% 4% 8% 4% 8% 2% 11% 38% 56% 44% 48% 44% 46% 44% 45% 47% 42% 49% 38% 8% 9% 48% 36% 6% 7% 51% 36% 8% 14% 48% 32% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% The following are tools and practices that foster network and application security. Please indicate the effectiveness for each.

11 AGENCY ASSESSMENT 11 Agency Assessment Evidence of IT Controls More than three quarters describe their agency s ability to provide managers and auditors with evidence of appropriate IT controls as either excellent or good. Excellent We have documented policies, procedures and technology in place to validate controls via scheduled reports. Good We have updated policies, procedures and technology. Reports are generated on a regular basis. 27% 52% Excellent/ Good 79% Fair We have outdated policies, procedures and technology in place. Reports are generated on an ad hoc basis. 18% Poor We lack the necessary tools & documentation to provide evidence of IT controls. 2% 0% 10% 20% 30% 40% 50% 60% How would you describe your agency s ability to provide managers and auditors with evidence of appropriate IT controls?

12 RISK MANAGEMENT 12 Impediments of Detection and Remediation Half of respondents note a shortage of funding and resources is the greatest impediment to detection and remediation of security issues at their agency. Note: Multiple responses allowed Shortage of funding and resources Shortage of skills Insufficient user awareness training Inability to link response systems to root out the cause Lack of visibility into the network traffic and logs Insufficient collection of operational & security related data to detect threats Difficulty seeing into cloud based applications and processes Lack of central reporting and remediation controls Other Which of the following are the greatest impediments to detection and remediation of security issues at your agency? (select all that apply) 4% 20% 20% 18% 22% 21% 31% 30% 38% 50% 0% 10% 20% 30% 40% 50% 60%

13 Security and Network Management Tools Can Help Security and network management tools can help with compliance Configuration management software centralizes change management and reporting Log and event management (SIEM) software uses logs for security and compliance Patch management software centralizes updates and reduces vulnerability Device tracking, IP management, and switch port management for compliance enforcement Network management software for continuous monitoring, audit documentation, and reporting Configuration Management Network Management IP Address Management Log and Event Management Patch Management User Device Tracking More information: government/solution/cyber security 13

14 When Combating the Insider Threats Meeting compliance standards does not mean you are secure Careless or untrained insiders are the largest source of federal security threats High performing agencies with excellent IT controls experience: Fewer cyberthreats Faster response time to threats Positive results from IT modernization initiatives Continuous review of your IT controls improves your security posture SolarWinds has tools to help

15 Get a full copy of the 2017 Survey at the SolarWinds booth Download the full 2017 survey results online at: resources/survey/solarwinds federal cybersecurity survey summary report 2017 Download the full 2015 survey results online at: resources/survey/solarwinds federal cybersecurity survey summary report

16 Contact Us Let us know how we can help you Watch a short demo video: Download a free trial: Visit our Federal website: Call the SolarWinds Federal sales team: federal sales: federalsales@solarwinds.com our Government Distributor DLT : solarwinds@dlt.com Follow us on LinkedIn : government 16

17 SolarWinds,SolarWinds&Design,Orion, and Thwack are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.