Tripwire State of Cyber Hygiene Report

Similar documents
Tripwire State of Container Security Report

THE TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE VULNERABILITY RISK METRICS CONNECTING SECURITY TO THE BUSINESS

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

TRIPWIRE VIA PLATFORM PROTECTING YOUR DATA WITH INTEGRATED SECURITY CONTROLS

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

THE CYBERSECURITY LITERACY CONFIDENCE GAP

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

CLOUD WORKLOAD SECURITY

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

ForeScout Extended Module for Splunk

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

Poor PAM processes and policies leave the crown jewels susceptible to security breaches Global Survey of IT Security Professionals

Skybox Security Vulnerability Management Survey 2012

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

MITIGATE CYBER ATTACK RISK

How to Develop Key Performance Indicators for Security

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

the SWIFT Customer Security

Best Practices in Securing a Multicloud World

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

CYBERSECURITY RESILIENCE

K12 Cybersecurity Roadmap

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Microsoft Security Management

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Critical Hygiene for Preventing Major Breaches

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

INTRODUCTION. We would like to thank HelpSystems for supporting this unique research. We hope you will enjoy the report.

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

74% 2014 SIEM Efficiency Report. Hunting out IT changes with SIEM

CyberArk Privileged Threat Analytics

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

Cyber Hygiene: Uncool but necessary. Automate Endpoint Patching to Mitigate Security Risks

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

FOR FINANCIAL SERVICES ORGANIZATIONS

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

SOLUTION BRIEF Virtual CISO

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

Closing the Hybrid Cloud Security Gap with Cavirin

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Vulnerability Management

IT Needs More Control

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

Back to Basics: Basic CIS Controls

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

Five Essential Capabilities for Airtight Cloud Security

ALIENVAULT USM FOR AWS SOLUTION GUIDE

Total Security Management PCI DSS Compliance Guide

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Cyber Security Program

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

Combatting advanced threats with endpoint security intelligence

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

CIS Controls Measures and Metrics for Version 7

Sustainable Security Operations

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

HOSTED SECURITY SERVICES

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

SIEM: Five Requirements that Solve the Bigger Business Issues

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Industrial Defender ASM. for Automation Systems Management

WHITEPAPER HEALTHCARE S KEY TO DEFEATING CYBERATTACKS

10 FOCUS AREAS FOR BREACH PREVENTION

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

7 Steps to Complete Privileged Account Management. September 5, 2017 Fabricio Simao Country Manager

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

CYBERSECURITY RISK LOWERING CHECKLIST

Security in India: Enabling a New Connected Era

2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT

SIEMLESS THREAT MANAGEMENT

Mastering The Endpoint

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

CIS Controls Measures and Metrics for Version 7

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Vulnerability Management Trends In APAC

8 Must Have. Features for Risk-Based Vulnerability Management and More

mhealth SECURITY: STATS AND SOLUTIONS

Transformation in Technology Barbara Duck Chief Information Officer. Investor Day 2018

What It Takes to be a CISO in 2017

Best Practices for PCI DSS Version 3.2 Network Security Compliance

Cyber Security. June 2015

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Automating the Top 20 CIS Critical Security Controls

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Transcription:

RESEARCH Tripwire State of Cyber Hygiene Report August 2018 FOUNDATIONAL CONTROLS FOR SECURITY, COMPLIANCE & IT OPERATIONS

When a high-profile cyberattack grabs the headlines, your first instinct may be to funnel resources into purchasing a shiny new tool to defend your organization. But often, that s not what s really needed. Real-world breaches and security incidents prove over and over again that many of the most widespread issues still stem from a lack of basic cyber hygiene. Therefore, organizations can t overlook the fundamentals such as addressing known vulnerabilities, ensuring secure configuration, and monitoring systems for change. You can start to build up cyber hygiene by following established best practices such as the Critical Security Controls, a prioritized set of steps maintained by The Center for Internet Security (CIS). There are 20 CIS Controls, but implementing just the top six establishes what CIS calls cyber hygiene. This report illustrates how organizations are implementing these top six controls, if at all. To gather this data, Tripwire partnered with Dimensional Research, sending a survey to independent sources of IT security professionals. The survey was completed by 306 participants in July 2018, all of whom are responsible for IT security at companies with more than 100 employees. Key survey findings: Incomplete visibility is common Many organizations still struggle to maintain the adequate visibility into their environments needed to address potential issues quickly. Results showed that organizations need to improve visibility into the devices and software on their networks, logs from critical systems, and configuration changes. Vulnerability scans aren t as extensive as they should be Almost all participants use vulnerability scanning, but only half run comprehensive, authenticated scans. Only 59 percent are scanning weekly or more, as recommended by CIS. Hardening benchmarks are a missed opportunity Sixty percent of participants are not using hardening benchmarks like CIS or DISA to establish a secure baseline. While many security teams implement good basic protections around administrative privileges, these lowhanging-fruit controls should be in place at more organizations. Demographics A total of 306 qualified participants completed the survey. All participants had responsibility for IT security as a significant part of their job at organizations with more than 100 employees. Company Size 31% 29% 40% 100 1,000 employees 1,000 5,000 employees More than 5,000 employees Industry Manufacturing FInancial Services or Insurance Technology Software Education Healthcare Services Technology Other Telecommunications Government Retail Energy and Utilities Media and advertising Food and beverage Other n-profit Transportation 0% 4% 8% 12% 16% 20% Job Level 38% 40% 22% Team Manager Executive Individual Contributor

Control 1: Inventory and Control of Hardware Assets CIS Control 1 advises organizations to keep an accurate network inventory. This provides visibility into devices that could pose security threats or that shouldn t be on your network at all. Results: Few organizations can say they have inventory of all the devices on their network. Only 29 percent track more than 90 percent of devices, and a third track less than 70 percent. In large organizations, that leaves a significant amount of attack surface unaccounted for (Fig. 4). This year, more organizations say they re detecting new devices on their network within minutes (43 percent) than participants in a 2015 survey (32 percent). That still leaves a majority (57 percent) who take hours, weeks, months or longer. It should be every organization s goal to detect new devices within minutes, as that s all an attacker may need to inflict damage (Fig. 5). Teams are taking longer to address unauthorized devices than they did in 2015, evidenced by a decrease in minutes responses and an increase in months responses (Fig. 6). You need to know your attack surface in order to protect your systems. While tracking each and every device is challenging in dynamic environments, a small percentage of untracked devices could be a significant chunk of the attack surface in a large organization. This control must be continually revisited as you mature your security operations. Many of these requirements can be met with free tools and managed with simple spreadsheet software. But as your organization grows and implements more controls, these requirements become more complex and tightly integrated with the entire suite of CIS security controls. 1% 10% 20% 30% 29% 11% ne of it Less than 50 percent 50-70 percent 70-90 percent More than 90 percent All of it Fig. 4 Approximately how many of the devices connected to your organization s network do you have tracked in an asset inventory? 2018 2015 43% 32% 18% 6% 1% 32% 41% 20% 6% 1% Months or longer Fig. 5 How long does it take to detect new devices added to the organization s network? 2018 2015 38% 37% 18% 5% 3% 47% 42% 9% 1% 1% Months or longer Fig. 6 How long does it take to isolate/remove an unauthorized device for your organization s network?

Control 2: Inventory and Control of Software Assets In keeping with Control 1 s hardware inventory, Control 2 focuses on inventorying software. By implementing this control, organizations can weed out malware and software that should not be running on their network. Results: Organizations have an even harder time tracking software than hardware on their network. Only 21 percent track more 90 percent of their software, while 56 percent track less than 70 percent (Fig. 7). Along the same lines as hardware detection, organizations should aim to detect new software on the network within minutes. Less participants said they can detect unauthorized software within minutes this year (14 percent) than in 2015 (21 percent). More this year said it took weeks (12 percent) and months or longer (12 percent) (Fig. 8). Little more than a third (36%) are not using application whitelisting, leaving the door open for problematic software to be downloaded onto the network (Fig. 10). Many of the tools organizations leverage to meet Control 1 also support Control 2. This being the case, there s no reason not to treat these two controls as one when you re developing your strategy to implement them. Several of these requirements can be accomplished with open-source or built-in tools. That being said, as your organization grows, you will also outgrow the capabilities of these free tools. Software is much more dynamic than hardware and can therefore be harder to track. Utilizing application whitelisting can be one of the most effective ways to satisfy these controls, but it can also be disruptive. Organizations interested in the benefits of whitelisting without the disruption should consider tools that do what s called non-blocking whitelisting. 5% 25% 26% 25% 17% 4% ne of it Less than 50 percent 50-70 percent 70-90 percent More than 90 percent All of it Fig. 7 Approximately how much of the software on your organization s network do you have tracked in an asset inventory? 2018 2015 14% 32% 29% 12% 12% 3% 21% 40% 29% 8% 2% Months or longer Fig. 8 How long does it take to detect unauthorized software added to the organization s network? 13% 33% 31% 13% 9% Months or Longer Fig. 9 How long does it take to address unauthorized software on your organization s network?

64% 36% 89% 11% Control 3: Continuous Vulnerability Management High-impact security breaches often stem from known vulnerabilities. In this area of the report, we explore how organizations are assessing and addressing vulnerabilities in their environments. Almost all participants are running vulnerability scans. However, only 50 percent are running authenticated scans, which are the most comprehensive (Fig. 12). Fig. 10 Does your security program utilize application whitelisting? Port scans Authenticated scans 50% Automated vulnerability scans 76% 84% Fig. 12 What kind of vulnerability scanning do you do? Choose all that apply. 30% 29% 23% 18% Daily Weekly Monthly Quarterly or less often Fig. 11 Does your organization run vulnerability scans? Forty-one percent of participants are running scans monthly, quarterly or less often when weekly or more is recommended (Fig. 13). Most (56 percent) are able to deploy a patch within a week, but about a quarter are still taking about a month or longer (Fig. 14). Among organizations that have implemented DevOps, 46 percent aren t scanning for vulnerabilities throughout the continuous integration and deployment (CI/CD) pipeline (Fig. 15). A robust, vulnerability management program powered by the correct tools will empower your organization to take control of its own security and manage risks presented by both internal and external threats. Utilizing remote and credentialed scans gives you a holistic view of your network that allows you to better understand threats before they become a problem. When you review and compare your results, you will quickly know what has changed and what risks those changes introduce. Vulnerability management programs, when properly implemented, expose a plethora of faults and flaws in even the most secure enterprises networks. Don t be alarmed; simply apply risk-ratings and break the work into smaller, more manageable portions. Fig. 13 How often do you run vulnerability scans?

Control 4: Controlled Use of Administrative Privileges Attackers are going to go after administrative accounts. With admin access, there s no need to burn costly zerodays and create a bunch of noise in the environment. Know what the attackers are after so you can create appropriate controls and implement detection mechanisms. This section explores how well administrative privileges are managed and protected by organizations. Results: Only 47 percent use dedicated workstations for administrative activities. It s recommended that tasks requiring administrative access be done on dedicated workstations that are segmented from the primary network and not to be allowed Internet access (Fig. 17). 9% 47% 18% 18% 6% 2%1% Immediately Within 7 days Within 2 weeks Within a month Within 3 months Within 6 months Within a year More than a year Fig. 14 In general, how long does it take to deploy a security patch in your environment? A third of organizations do not require changed default passwords, 41 percent still don t use multifactor authentication for accessing administrative accounts, and 43 percent do not require unique passwords for each system (Fig. 18). Administrative credentials are as valuable than the data you re trying to protect. Organizations should provide the same level of care with them as with their most sensitive data. 45% 55% We haven t adopted DevOps/NA We have implemented DevOps 54% 46% We scan for vulnerabilities Compliance frameworks and hardening benchmarks provide guidance on best practices for handling all employee credentials, not just those of administrators. Investigate how these best practices can be applied to your unique environment. We don t scan for vulnerabilities Fig. 15 If your organization has implemented DevOps, do you scan for vulnerabilities throughout the CI/CD (continuous integration/continuous deployment) pipeline? Make sure not to overlook common sense efforts like changing default passwords and using multi-factor authentication. If using passwords unique to each system, you may need a privileged identity management system.

Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Most software and operating systems are configured in an open and insecure state. Systems should be configured to a defined, ideal and secure state, following cybersecurity best practices and your organization s own policies. Results: Only 40 percent have taken advantage of hardening benchmarks like CIS or DISA to establish a secure baseline (Fig. 19). More than a third (38 percent) still struggle to enforce configuration settings (Fig. 21). 88% 12% Fig. 16 Do you ensure use of dedicated administrative accounts for elevated activities? 47% 53% Fig. 17 Does your IT staff use dedicated workstations for all tasks requiring administrative access? Only 18 percent are detecting configuration changes in minutes. Similar to the detection of new hardware and software on the network, detecting configuration changes ideally would not take hours or longer (Fig. 23). Misconfigurations are the underlying reason for many successful breaches, and improper configuration changes can cause operational disruption. Just about every security framework and compliance regulation related to security calls for secure configuration management. Hardening benchmarks like CIS or DISA can be leveraged to establish secure configurations, and file integrity monitoring (FIM) tools can monitor configuration files and report on changes in real time. 5% Change default passwords Use multifactor authentication Use passwords that are unique to each system ne of these 59% 57% 69% Fig. 18 Which of the following does your organization require in order to access administrative accounts? Choose all that apply. Configuration management becomes increasingly difficult in complex technology environments consisting of numerous systems, asset owners and applications all with differing configuration states and business requirements. Enterprises stand to benefit from technology that automates the assessment, monitoring, and management of configurations across all systems to ensure ongoing security and compliance.

CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs Security logging and analysis can help IT teams determine the location of attackers, identify malicious software and track activities on victim machines. Results: More than half (54 percent) of organizations are not collecting logs from critical systems into a central location. Centralized logging is conducive to effective event monitoring and analysis (Fig. 26). Logs should be used to identify abnormal activity on a daily basis, but 44 percent are only reviewing logs weekly, monthly, quarterly or less. Nine percent never review logs at all (Fig. 27). A quarter of participants said they are not efficient at all in log analysis, and 73 percent noted room for improvement (Fig. 28). An attacker may create a ton of noise on an endpoint while leaving little trace on the network or vice-versa. You need to collect logs from as many systems as possible to get an accurate picture of what is going on. Both CIS and DISA hardening guides provide guidance on how to enable logging on endpoints as well as how to get it off to a centralized server. Ensure appropriate logs are being aggregated to a central log management system for analysis and review. This isn t necessarily every single log in your environment; you can use log aggregators to filter out the disinteresting events and only send valuable events up to a more expensive logging server or SIEM. 40% 60% Fig. 19 Have you used hardening benchmarks (like CIS or DISA) to establish a secure baseline? 62% 38% Fig. 21 Do you deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems? 81% 65% 19% n = use hardening benchmarks and have cloud Fig. 20 Do you use hardening benchmarks (like CIS or DISA) in your cloud environments? 35% n = use tools to enforce configuration settings and have cloud Fig. 22 Do you deploy tools that automatically enforce and redeploy configuration settings for your cloud environments?

12% 35% 24% 10% 4% 15% 7% 59% 34% Months or Longer We cannot detect configuration changes Some, but not all devices, all devices Fig. 23 About how long does it take to detect configuration changes to hardware and software on your organization s network? Choose the answer that most closely applies. Fig. 25 Have you ensured that local logging has been enabled on all systems and networking devices? 18% 46% 29% 6% 3% 8% 46% 46% Months or Longer Fig. 24 How long does it take to remediate a configuration change? Some logs from critical systems, but not all, logs from all critical systems Fig. 26 Are you collecting logs from all critical systems into a central location?

26% 25% 13% 6% 23% 73% Daily Weekly Monthly Quarterly or less frequently Only when our SIEM or analytical tool alerts us Fig. 27 How often do you review logs for anomalies or abnormal events? 3% 24% Summary/Conclusion There is no silver bullet in cybersecurity. A combination of security solutions is required to provide suitable threat prevention, detection and mitigation. Implementing cyber hygiene provides organizations with the foundational breadth necessary to manage risk in a changing landscape. Basic cyber hygiene helps you deepen your understanding of your organization s attack surface in order to minimize it as much as possible and monitor it for suspicious activity. New tools and technologies enter the information security market all the time, but it s clear that many of them simply don t meet organization s actual needs. Focusing on the basics that produce demonstrable results may not make headlines. But the fundamentals of finding and patching vulnerabilities, ensuring systems are securely configured, and monitoring them for change go a long way in maintaining a strong security posture. Fairly efficient, but we could do better t efficient Learn more about implementing critical security controls at www.tripwire.com. Very efficient, we have no room to improve Fig. 28 How efficient is your organization at identifying actionable events and decreasing event noise?

Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire s portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vulnerability management, log management, and reporting and analytics. Learn more at tripwire.com The State of Security: Security News, Trends and Insights at tripwire.com/blog Follow us on Twitter @TripwireInc» Watch us at youtube.com/tripwireinc 2018 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. BRDMSCH1a 1808

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback