Pedal to the Metal: Mitigating New Threats Faster with Rapid Intel and Automation
Date: November 14, 2016
Underwritten by:
Introduction
Agencies deal with a greater volume and velocity of cyber threats than ever before. To achieve actionable cyber awareness and maintain continuity of vital operations, Federal cyber leaders must speed up response times for threat prevention, detection, and mitigation, for known and, more importantly, unknown threats. Protecting against modern cyber attacks requires an intelligent threat protection infrastructure that not only aggregates threat data but also learns and strengthens defenses in real time. Agencies need to create new protections in minutes, not hours or days, because during a cyberattack, minutes, even seconds, are crucial. MeriTalk surveyed 150 Federal security operations professionals to understand how agencies are minimizing damage by deploying more automated solutions that leverage product and external threat feed intelligence.
Executive Summary
Stuck in Manual
- Only 61% of Feds say their agency automatically distributes information about malicious behaviors across the different enforcement points in their organization
- Fewer than half guard newer or critical attack vectors
Losing the Race
- Agencies ingest an average of 25 external threat feeds daily, and most cannot act on that information for hours or days
- Only 15% can create new protections against newly discovered malicious behaviors within minutes
- Only 17% can reprogram their defenses against newly discovered malicious behaviors by distributing new protections within minutes (the lifetime of an attack) and prevent a breach
How Can Feds Push the Pedal to the Metal?
- Embrace an automated approach to swift threat detection and analysis, enabling faster creation of new protections, including automation of the threat mitigation process; just 41% say they would invest in this area today
- Improve threat intelligence correlation from all sources and the path to actionable cyber awareness
- If agencies improved threat intelligence monitoring, correlation, and automation of protections, Feds estimate they could save 27% of their cybersecurity budget, or more than $5B annually
Pedal to the Metal
Federal security operations professionals say they can address threats faster and save one-quarter of their cyber budgets if they improve threat intelligence monitoring, correlation, and automation.
By improving monitoring, correlation, and automation, Feds say they could save 27% of their cybersecurity budget, or more than $5 billion a year.*
The question: Automation is key. How can agencies rev it up?
*Based on the $19 billion cybersecurity budget for 2017
Take Away: Time to Rev the Engine
Too Many Stuck in the Slow Lane
Feds are flooded with threat data, but when faced with an unknown threat, they can't create and distribute new protections fast enough.
- Just 15% can create new protections within a few minutes (over a third still take days to take any action)
- Just 17% can distribute new protections within a few minutes
Take Away: Every Minute Counts
Foggy Windows
While most Feds focus on traditional entry points (mail server, internet gateway, Web), fewer than half guard against emerging and critical attack vectors that are increasingly used as attack entry points:*
- Data center north/south (41%)
- Data center east/west (39%)
- Demilitarized zone (DMZ) (39%)
- SaaS enforcement points (33%)
- Mobile endpoints (29%)
*Respondents asked to select all that apply
Take Away: A Road Full of Unseen Threats
Running Diagnostics
55% of Feds say their agency is currently not automatically correlating information from different locations about a threat campaign: 30% do so manually and 25% don't do it at all.
Take Away: Not Yet Ready to Race
Under the Hood
Many agencies don't use advanced security solutions to detect and analyze unknown content (that is, potential new threats) on their networks.
Percentage who use the following to address unknown content or files:*
- Firewall: 76%
- Email security: 65%
- Endpoint security (like A/V): 50%
- URL filtering: 45%
- IPS: 37%
- Network A/V: 34%
- SaaS security: 28%
- Anti-zero-day/APT sandboxing: 20%
*Respondents asked to select all that apply
Take Away: Missing Opportunities
Not Quite a Well-Oiled Machine
Less than half (47%) of Feds can automatically correlate specific threat behavior with behavior seen on a host in their network, or elsewhere globally.
Additionally, only 45% of Feds say their agency can search for that behavior backward and forward in time.
*Respondents asked to select all that apply
Take Away: In Need of Rewiring
Stuck at Go
Despite a deluge of threat data, Feds aren't able to leverage and share insights quickly enough to protect against new threats.
Security operations teams ingest an average of 25 external threat feeds daily.
Most Common External Threat Feeds:*
1. Industry related
2. Purchased
3. Only for malware
4. Generic
- Almost half (47%) of purchased feeds are still only consumed via email
- 72% say it takes a few hours to a few days to assess whether a unique threat is present and determine whether action is required
- 81% say it takes a few hours to a few days to create actionable changes in their organization's security posture to reflect and protect against a new threat received from external sources
*Respondents asked to select all that apply
Take Away: Actionable Awareness Needed
See Around the Bend
71% of Feds use automated analysis/reports to focus on targeted attacks; fewer than half take advantage of the following capabilities that, together, improve threat analysis and the ability to anticipate future threats:*
- Dynamic analysis (48%)
- Static analysis (32%)
- Machine learning (19%)
Analyze threats; predict threat behavior; anticipate future threats.
The question: Without these advanced threat analysis capabilities, can Feds reprogram their network defenses fast enough to protect against advanced threats?
Take Away: Advanced Capabilities Deliver New Visibility
*Respondents asked to select all that apply
Crowded Pit Crew
Security operations teams are allocating skilled and limited resources to tasks that can be automated.
At least 20% of Feds noted that 12 or more members of their agency's SOC team have the following tasks as their primary responsibilities:*
- Creating custom signatures for security technologies on the network
- Correlating isolated network events that may be part of a campaign
- Taking threat intelligence from various feeds and making it actionable
- Correlating different behaviors to associate them with one or more threat campaigns
Additionally, more than a third pay to contract out parts, if not all, of these processes.
Take Away: Agencies Need Expertise & Automation
*Of those who complete the following tasks in-house
Wish List
Most agencies don't need more data; they need the ability to make faster decisions from the data they have.
What are the most important investments to fight and win against advanced threats?*
- Actionable cyber awareness
- Correlation of global and government-specific threat knowledge
- Automation of mitigation process (41%, per the executive summary)
- More threat feeds
- More people for threat analysis
- Automation of signature creation/distribution
- Visibility of behaviors across vectors
Other chart values shown: 45%, 30%, 29%, 28%, 28%
*Respondents asked to select the top three investment areas
Take Away: Rethink the Rule Book
Recommendations
Revamp Driver Mentalities: A culture that's too focused on status quo cybersecurity puts agencies at great risk. Agencies need comprehensive threat anomaly detection and mitigation across all potential attack vectors into their networks.
Monitor Bumper to Bumper: Agencies must be able to correlate isolated tactical behaviors as a sign of a bigger attack pattern. They must also isolate network segments, reducing attack effectiveness.
Automate to Improve Proactive Cyber Stance: To prevent new attacks, agencies need to:
- Analyze and accurately predict the next step in the attack (location and behavior)
- Leverage techniques together, including machine learning, dynamic analysis, and static analysis
- Swiftly create new protections and reprogram enforcement points faster than the attack can spread in their networks
Methodology and Demographics
MeriTalk, on behalf of Palo Alto Networks, conducted an online survey of 150 Federal employees who work with their security operations team in September 2016. The report has a margin of error of ±7.97% at a 95% confidence level.
Job Title:
- CISO or Deputy CISO: 10%
- Security Operations Director/Supervisor: 17%
- Security Operations Manager: 21%
- Security Operations Engineer: 13%
- Security Operations Analyst: 15%
- Other Security Operations employee: 13%
- Other security operations support*: 11%
Agency Type:
- Civilian agency: 57%
- DoD or Intel agency: 43%
100% of respondents say they are familiar with their agency's cybersecurity threat intelligence and processes/capabilities, whether outsourced or done internally.
*Qualifying titles include: Network Specialist, Systems Engineer, and Enterprise Operations Chief
Thank You
Sarah Masuda
smasuda@meritalk.com
703-883-9000 ext. 126