Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture

Similar documents
8 Must Have. Features for Risk-Based Vulnerability Management and More

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

ForeScout Extended Module for Splunk

ForeScout ControlFabric TM Architecture

Cyber Resilience. Think18. Felicity March IBM Corporation

Modern Database Architectures Demand Modern Data Security Measures

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Securing Digital Transformation

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Tripwire State of Cyber Hygiene Report

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

Introducing Cyber Observer

Endpoint Security Can Be Much More Effective and Less Costly. Here s How

Security Automation Best Practices

whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

THALES DATA THREAT REPORT

Transforming Security from Defense in Depth to Comprehensive Security Assurance

HOSTED SECURITY SERVICES

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Integrated Access Management Solutions. Access Televentures

Sustainable Security Operations

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Fundamental Shift: A LOOK INSIDE THE RISING ROLE OF IT IN PHYSICAL ACCESS CONTROL

RSA NetWitness Suite Respond in Minutes, Not Months

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

MOBILE SECURITY 2017 SPOTLIGHT REPORT. Information Security PRESENTED BY. Group Partner

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Cyber Resilience - Protecting your Business 1

Cyber Hygiene: Uncool but necessary. Automate Endpoint Patching to Mitigate Security Risks

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Think Oslo 2018 Where Technology Meets Humanity. Oslo. Felicity March Cyber Resilience - Europe

SECOPS: NAVIGATE THE NEW LANDSCAPE FOR PREVENTION, DETECTION AND RESPONSE

State of Cloud Survey GERMANY FINDINGS

IT Security: Managing a New Reality

A Practical Guide to Efficient Security Response

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Sales Presentation Case 2018 Dell EMC

Overcoming IT Challenges in the Education Segment Leveraging Cloud and On-Premise Resources for Maximum Impact

10 FOCUS AREAS FOR BREACH PREVENTION

2017 Trends in Security Metrics and Security Assurance Measurement Report A Survey of IT Security Professionals

Building a Threat Intelligence Program

STAY ONE STEP AHEAD OF THE CRIMINAL MIND. F-Secure Rapid Detection & Response

KEDAYAM A KAAPAGAM MANAGED SECURITY SERVICES. Kaapagam Technologies Sdn. Bhd. ( T)

Best Practices in Securing a Multicloud World

CYBERSECURITY RESILIENCE

Healthcare HIPAA and Cybersecurity Update

THE ACCENTURE CYBER DEFENSE SOLUTION

National State Auditors Association Vulnerability Management: An Audit Primer September 20, 2018

SIEM: Five Requirements that Solve the Bigger Business Issues

RiskSense Attack Surface Validation for IoT Systems

BREACHES HAPPEN: BE PREPARED. Endpoint Detection & Response

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT

The 2017 State of Endpoint Security Risk

align security instill confidence

AKAMAI CLOUD SECURITY SOLUTIONS

Think Like an Attacker

THREAT HUNTING REPORT

THALES DATA THREAT REPORT

SOLUTION BRIEF. RiskSense Platform. RiskSense Platform the industry s most comprehensive, intelligent platform for managing cyber risk.

Tips for Effective Patch Management. A Wanstor Guide

The State of Cybersecurity and Digital Trust 2016

IBM Security Systems. IBM X-Force 2012 & CISO Survey. Cyber Security Threat Landscape IBM Corporation IBM Corporation

THE CYBERSECURITY LITERACY CONFIDENCE GAP

Technical Review Managing Risk, Complexity, and Cost with SanerNow Endpoint Security and Management Platform

with Advanced Protection

RSA Solution Brief. The RSA Solution for Cloud Security and Compliance

Evolving the Security Strategy for Growth. Eric Schlesinger Global Director and CISO Polaris Alpha

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

THE REAL ROOT CAUSES OF BREACHES. Security and IT Pros at Odds Over AppSec

THE FOUR PILLARS OF MODERN VULNERABILITY MANAGEMENT

Run the business. Not the risks.

Survey Results: Virtual Insecurity

Toward an Automated Future

How to master hybrid IT. Get the speed and agility you want, with the visibility and control you need

Machine-Powered Learning for People-Centered Security

WHITEPAPER END-TO-END VISIBILITY: THE FOUNDATION OF BUSINESSDRIVEN SECURITY DETECTING AND RESPONDING TO THE THREATS THAT MATTER MOST TO THE BUSINESS

Automating the Top 20 CIS Critical Security Controls

RSA Cybersecurity Poverty Index

Mastering The Endpoint

MITIGATE CYBER ATTACK RISK

The Four Pillars of Modern Vulnerability Management

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

RSA INCIDENT RESPONSE SERVICES

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Combating Cyber Risk in the Supply Chain

Closing the Hybrid Cloud Security Gap with Cavirin

Transcription:

February 2019 Challenging State of Vulnerability Management Today: Gaps in Resources, Risk and Visibility Weaken Cybersecurity Posture In the last two years, businesses and governments have seen data breaches like Equifax and Marriott impact 100s of millions of accounts each, as well as critical intellectual property (IP) and core operations. A global survey of 600+ cybersecurity leaders and professionals by Ponemon Institute shows that 67% of organizations are not confident that they can avoid a data breach, and what the primary security and IT challenges that are causing this. The survey also provides fundamental recommendations that can reduce breach risk through innovating and improving a vulnerability management program.

Table of Contents Executive Summary 3 Methodology 4 Maintaining Security Posture is Hard Vulnerabilities Make it Harder 5 SecOps Resources Can t Keep Up with Volume of Vulnerabilities 6 Many IT Components of the Business Aren t Covered 7 Can t Get Cyber- (or Business) Risk for IT Assets 8 Communications Silo with C-suite on Cyber-Risk 9 No Easy Answers, But Some Good Ones 10 Recommendations 11

Executive Summary Too many organizations are struggling to maintain or improve their security posture, as exemplified by their lack of confidence in avoiding a breach and inability keep up with even basic patching and vulnerability management. In a recent research project, Ponemon Institute found that only 1 in 3 organizations are confident that they can avoid a data breach, and that 63% are unable to act on the large number of alerts and actions generated by their vulnerability management program. Some of the common challenges that organizations face include not enough staff to cover the volume of alerts, vulnerability management solutions that complicate the ability to patch in a timely manner, not enough visibility across their full set of assets and attack vectors, and a lack of understanding of actual cyber-risk and inability to prioritize mitigating actions. The goal of this research was to better understand the barriers to an effective vulnerability and risk management program and how they can be overcome. The Challenging State of Vulnerability Management was sponsored by Balbix and performed by Ponemon Institute, which surveyed 613 IT and IT security leaders and professionals who are involved with vulnerability management within their organizations. To provide a path towards a stronger cybersecurity posture, the study investigated the characteristics and requirements of both mainstream and highperforming security organizations that have and operate vulnerability management programs. Providing insights into both core challenges and major gaps that mid-size to large organizations are seeing today as well as recommendations for best practices and new capabilities to explore this report presents tangible guidance for improving vulnerability management programs and better avoiding data breaches. Recommendations include discovering your full attack surface, understanding your cyber-risk and the risk of each asset if it were breached, using cyber-risk to prioritize what gets fixed (to offset the massive volume of incoming alerts), and making SecOps more productive by automating all these activities and creating tickets to get them executed. 3 THE CHALLENGING STATE OF VULNERABILITY MANAGEMENT TODAY: GAP IN RESOURCES, RISK AND VISIBILITY = WEAKER CYBERSECURITY POSTURE

600 cybersecurity professionals Methodology 15+ vertical industries Balbix commissioned the Ponemon Institute to survey over 600 cybersecurity professionals across 15+ vertical industries. 72% of respondents worked at companies with more than 1,000 employees. Founded in 2002, the Ponemon Institute is a research center specializing in data protection and information security policy. 72 % of respondents worked at companies with more than 1,000 employees 4 THE CHALLENGING STATE OF VULNERABILITY MANAGEMENT TODAY: GAP IN RESOURCES, RISK AND VISIBILITY = WEAKER CYBERSECURITY POSTURE

Per survey respondents, security teams key challenges with vulnerability management include: Maintaining Security Posture is Hard Vulnerabilities Make it Harder 68 % feel that staffing is not adequate for a strong cybersecurity posture 15 % say their patching efforts are highly effective Too many organizations are struggling to maintain or improve their security posture. The attack surface of a modern enterprise is massive. A typical enterprise has a bewildering variety of assets: infrastructure, applications, managed and unmanaged endpoints (fixed and mobile), IoT and cloud services. There are practically unlimited permutations and combinations in which things can go wrong. Users can be phished. Weak passwords, software vulnerabilities, misconfigurations and numerous other vectors can be leveraged to compromise some internet-facing enterprise asset and gain an initial foothold inside your network. Once in, the adversary can usually move across the enterprise rapidly to locate and compromise some important asset and you have a major breach. This complexity is clearly exemplified in security leaders lack of confidence in avoiding a data breach. As shown in Figure 1, only 10 percent of the 600+ survey respondents are very confident that they can avoid a data breach and maintain a strong security posture. 50% 40% 30% 20% 10% 0% Figure 1. How confident are you that your organization can avoid a data breach? 10 % VERY CONFIDENT 23 % CONFIDENT 23 % SOMEWHAT CONFIDENT 44 % NOT CONFIDENT One good example of the difficulty in maintaining (or improving) one s security posture is the challenge to keep up with even basic software vulnerability management and patching a fundamental but key component of security posture. 5 THE CHALLENGING STATE OF VULNERABILITY MANAGEMENT TODAY: GAP IN RESOURCES, RISK AND VISIBILITY = WEAKER CYBERSECURITY POSTURE

SecOps Resources Can t Keep Up with Volume of Vulnerabilities A key research finding is that security teams cannot properly resource the management of vulnerabilities both identifying and patching to confidently avoid a data breach. While this complaint is common throughout most practices within cybersecurity teams, and IT organizations in general, it has become acute in vulnerability management because of the sheer volume of alerts for unpatched systems. This challenge has gotten continually harder monthover-month and year-over-year due to the number of systems and applications being regularly added for business growth as well as the ongoing digitization of business processes. Thus, patching is taking an increasing amount of the security and IT teams time budget every month. To make things [much] harder, vulnerability management solutions have not evolved to counter the growing number of alerts generated with each scan, and don t have the technology to help teams prioritize which patches to address immediately and which to postpone resulting in a roulette-like approach to picking which patches to address. 67 % 63 % of respondents with ineffective vulnerability feel they do not have the time and resources to mitigate all vulnerabilities in order to avoid a data breach programs (59% of total) say inability to act on the large number of resulting alerts and actions is problematic Even with this significant percent of time pool committed, and the noted 63% inability to act on open alerts, security teams are not running their vulnerability management scans frequently enough! Ponemon survey research finds that only 31% of respondents are scanning more than once a month, half are only scanning quarterly or have no formal schedule at all, and less than half use up-to-date software patching to avoid data breaches. 12 % SCAN DAILY 19 % SCAN WEEKLY 16 % SCAN MONTHLY 53 % SCAN QUARTERLY OR AD-HOC Just over two-thirds of all respondents admit being quite behind (once a month or less frequently) on fixing known software vulnerabilities. And less than half consider up-to-date patching as a proactive approach to avoiding breaches. These statistics are telling, as this type of attack vector is often the easiest way for an adversary to get in, as sample exploit code for such attacks is widely available for anyone to download and weaponize. What this means is that in enterprises operating this way, an Equifax-like breach is just one bad click away. 6 THE CHALLENGING STATE OF VULNERABILITY MANAGEMENT TODAY: GAP IN RESOURCES, RISK AND VISIBILITY = WEAKER CYBERSECURITY POSTURE

Many IT Components of the Business Aren t Covered 60 % report not enough visibility across all IT asset types (especially unmanaged assets) as a big challenge 65 % want vulnerability management tools to automatically discover unmanaged assets While alert volumes and limited SecOps staff resources are a major challenge to operating a successful vulnerability management (VM) function, another key issue is visibility across the full range of an organization s vulnerable IT assets. Traditional VM tools scan a fairly limited set of assets usually corporate-owned or managed IT infrastructure (servers, storage, network), internally hosted applications, and endpoints (notebooks/ desktops). While most VM tools support public cloudbased instances of infrastructure and hosted apps, there is a large percent of corporate IT assets that are not seen, analyzed or reported on: Bring your own devices (BYOD) such as mobile phones, tablets and increasingly notebooks IoT assets Industrial equipment (ICS) Transient assets Assets used by third-parties (e.g. resellers, supply chain partners, consultants, etc.) Surprisingly, many VM tools don t even discover or scan unmanaged assets. Additionally, the scope of scans with most VM tools has to be set up manually by security teams, often consulting out-of-date inventory databases of static IP addresses and dynamic IP ranges. The net result is that current VM tools have not kept pace in bringing automatic discovery, visibility and vulnerability assessment to the growing spectrum of IT components in today s business strategy thus impeding vulnerability management programs ability to ensure their organizations security posture and cyber-resilience. 7 THE CHALLENGING STATE OF VULNERABILITY MANAGEMENT TODAY: GAP IN RESOURCES, RISK AND VISIBILITY = WEAKER CYBERSECURITY POSTURE

Can t Get Cyber- (or Business) Risk for IT Assets 61 % say they don t have adequate context on the business impact if a vulnerable asset got breached 56 % are concerned about their inability to predict where or which assets would be compromised Another subtler, but very fundamental, challenge that survey respondents note is their lack of understanding of the cyber- and business risk of each of the tens or hundreds of thousands of IT assets that access their network. As noted earlier, the current level of alerts created by vulnerability management tools and scans in not achievable by the majority of security and IT ops teams. With additional context information beyond general vulnerability ratings like CVSS scores, SecOps teams would be able to much more efficiently and effectively address the most critical vulnerabilities found on their wide portfolio of IT assets. The most important information is about the actual risk of an asset if it were breached both cyberrisk and business risk. Core to understanding both types of risk is context i.e. what is the role of the asset, what data does it use or store, what else is it connected to, etc. Current VM tools do not provide context for any or all of the thousands of assets they regularly scan and create alerts for. As a result, the majority of security teams don t incorporate risk into their vulnerability management activities, and don t get either the increased resiliency/better security posture or a manageable scope of work. Only 40% of organizations even attempt to incorporate business risk into its vulnerability management activities Another result of this lack of context and ability to establish the risk level of each IT asset is the inability to predict what assets are most likely to be breached, which is a key concern for both SecOps teams and CISOs alike. Without appropriate business context and understanding of business risk, security teams can spend their scarce vulnerability management resources on software vulnerabilities that have low risk while leaving critical vulnerabilities (which carry great risk) open for long period of times, providing wide-open doors for their adversaries to use. This painful lack of risk understanding and vulnerability prioritization is a major reason behind the poor security posture of many organizations. 8 THE CHALLENGING STATE OF VULNERABILITY MANAGEMENT TODAY: GAP IN RESOURCES, RISK AND VISIBILITY = WEAKER CYBERSECURITY POSTURE

Communications Silo with C-suite on Cyber-risk 39 % say their leaders recognize the criticality of effective vulnerability management in avoiding data breaches 71 % feel that their executives and senior management do not communicate their risk goals clearly to security team Only 9% feel that security teams are highly effective in communicating security risks to C-suite and boards C-suite and IT security functions operate in a communications silo. Communication and collaboration between senior management and the IT security leadership is affected by the fact that the majority of organizations have senior leaders that don t recognize or understand how vulnerable they are, and the importance of vulnerability management. Only 39 percent of respondents say their organizations leaders recognize that effective vulnerability management is critical to avoiding a data breach or other security incident. Both the C-suite and the IT security function are not effective in jointly communicating risk management priorities and cybersecurity threats. Only 29 percent of respondents say their organization s executives and senior management clearly communicate their business risk management priorities to the IT security leadership. Additionally, IT security teams are often not effective at communicating cybersecurity risks to senior management. On a scale of 1 = not effective to 10 = highly effective, only 21 percent of respondents (7+ on the 10-point scale) say their communications are highly effective. 1 2 3 4 5 6 7 8 21% Only 21% of respondents say their communications are highly effective Those that are effective cite the best way to communicate cybersecurity risks is to make technical information understandable, up-to-date and helpful in making decisions. 65% We present technical information in a way that is understandable 63% We keep our leaders up-to-date on cybersecurity risks and don t wait until the organization has had a data breach or security incident 63% HIGHLY EFFECTIVE 9 10 The information we present is not ambiguous and is helpful to making decisions 9 THE CHALLENGING STATE OF VULNERABILITY MANAGEMENT TODAY: GAP IN RESOURCES, RISK AND VISIBILITY = WEAKER CYBERSECURITY POSTURE

What capabilities would most improve your vulnerability management program: No Easy Answers, But Some Good Ones 70 % want to automatically discover unmanaged assets 56 % want to receive a riskbased and prioritized list of actions As this research has shown, maintaining and improving your security posture is a very challenging initiative, and the current state of most vulnerability management and patching programs makes it that much more difficult. Respondents especially those rated as high performing organizations understand the vulnerability management challenges cited in this research and what incremental capabilities could best answer them. When asked what would most improve their vulnerability management program and tools, high performing responders cited the ability to: 64 % analyze vulnerabilities in IoT, BYOD and third-party systems 60 % analyze both unpatched systems and other attack vectors 52 % receive prescriptive fixes per recommended action 10 THE CHALLENGING STATE OF VULNERABILITY MANAGEMENT TODAY: GAP IN RESOURCES, RISK AND VISIBILITY = WEAKER CYBERSECURITY POSTURE

Recommendations Now it s your turn. The volume of data breaches is already extremely high and will only grow further in size, frequency and impact. Organizations can t continue to rely on the legacy vulnerability management systems, scope of analysis and manual processes they have in place today. Security, SecOps and vulnerability teams can learn from organizations that effectively avoid breaches and start adding new capabilities and processes to address the challenges widely called out in this research. Here are four fundamental recommendations for your vulnerability management program to better avoid a data breach and transform your company s security posture: 1 Fully discover your attack surface everything that touches your network, and every way it might get attacked Make it a goal to automatically discover all internal, cloud and third-party IT assets that touch your network and could be an entry point to your organization. This is a much broader set than just your servers, applications, managed IT infrastructure and cloud assets it also includes BYOD (mobile, notebook), IoT assets, industrial control systems (ICS) and very importantly, third-party assets from supply chain/ reseller/alliance and other business partners. Any asset from any of these asset classes could be one click or connection away from starting a major data breach if not discovered/analyzed/monitored continuously. Just as important as seeing all your connected assets is monitoring them across all potential attack vectors (250 and counting, including phishing, malware, password hygiene/sharing/non-encrypted, etc.). Traditional vulnerability management focuses primarily on one key, but only one, attack vector unpatched systems, leaving attackers with many other ways to penetrate your network and execute a breach. 2 Understand your overall cyber-risk and the specific business risk of each asset if it were breached As noted in the Ponemon research, the majority of organizations (60%) haven t incorporated cyber-risk into their vulnerability management program. By adding the capability to assess the cyber-risk of every asset touching your network and their interaction with users and each other you can extrapolate and determine the total cyber-risk of your enterprise, as well as assess and improve your cybersecurity posture. 11 THE CHALLENGING STATE OF VULNERABILITY MANAGEMENT TODAY: GAP IN RESOURCES, RISK AND VISIBILITY = WEAKER CYBERSECURITY POSTURE

3 Use risk-based analysis to prioritize which fixes SecOps and IT teams should work on, postpone and ignore Also noted in the Ponemon research is a major gap between incoming alerts and SecOps/IT team resources to work through them. 63% of respondents cite their inability to act on the large number of alerts and actions coming from their vulnerability management systems. By understanding your device- and organization-level cyber-risk (as noted above), you can use risk to prioritize the huge, growing set of alerts provided by your vulnerability management system. The output of that process should be a clear and prioritized list of what issues to fix in what order (e.g. unpatched software, password issues, misconfigurations, etc.), ideally with instructions on how to fix them. This is much more granular and guided than simply being told after a vulnerability scan (or penetration test) to patch 1000s of servers due to a recent vulnerability or new threat discovery. Rather, this is a clear set of guidance on what actions to take to minimize breach risk, regardless of how many resources are on your team, because they are prioritized asset-by-asset based on business risk. 4 Make SecOps and IT more productive by automating the discovery of asset inventory and vulnerabilities, as well as the creation of prioritized fixes and resulting tickets Automation is viewed as one of the key technical objectives of current cybersecurity programs, and has created new market categories like security orchestration, automation and response (SOAR). Wrt improving vulnerability management programs, each of the processes noted above can be achieved only if it is automated. This is due to the immense volume of data to be analyzed to deliver the resulting information, be it discovery and status of tens of 1000s of assets or comparative risk assessment of all your assets to produce a prioritized list of actions. Automation of ticket creation and integration into existing workflows is also required to achieve the needed volume of mitigation actions. When assessing new tools and technologies to achieve this level of automation, carefully assess how they do or don t utilize AI and machine learning to enable the level of processing required. Putting aside that marketing and AI-washing, understand how the tool is able to automatically find and examine the data needed to actually automate a process and deliver the tangible outcome noted in the recommendations above. 12 THE CHALLENGING STATE OF VULNERABILITY MANAGEMENT TODAY: GAP IN RESOURCES, RISK AND VISIBILITY = WEAKER CYBERSECURITY POSTURE

3031 Tisch Way, Ste. 800 San Jose, CA 95128 866.936.3180 info@balbix.com www.balbix.com 2019 BALBIX, INC. ALL RIGHTS RESERVED

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback