Skybox Security Vulnerability Management Survey 2012

Notice: This document contains a summary of the responses to a June 2012 survey of 100 medium to large enterprise organizations about their vulnerability management practices. The survey was sponsored by Skybox Security and conducted by Osterman Research. For more information about the survey, please contact info@skyboxsecurity.com.

Copyright 2012 Skybox Security. All rights reserved.
Survey Overview

Research Overview
Skybox Security conducted a survey of enterprise IT and security personnel who were knowledgeable about their organizations' vulnerability management programs and activities. The goals of the survey were to determine:
- Challenges organizations face in deploying and managing a vulnerability management program
- The priority of an organization's vulnerability management program against other security management challenges
- The frequency and coverage of vulnerability scanning in medium and large enterprise organizations

Details of the Survey
- A total of 100 surveys were completed in June 2012 with individuals from the Osterman Research survey panel.
- The mean number of employees at the organizations surveyed was 17,019; the mean number of email users was 14,972. The medians were 2,900 and 2,500, respectively.
- Data was segmented into medium-sized organizations with 250-1,499 employees (36 surveys) and large organizations with 1,500 or more employees (64 surveys).
- Key vertical industries represented include manufacturing (16% of respondents), finance (13%), government and defense (11%), healthcare (8%), and retail (8%).
- The largest organization responding had 350,000 employees, and the smallest had 250.
- The majority of the surveys were conducted with respondents in North America.
Executive Summary of Findings

The majority of organizations have an established vulnerability management program
- Over 90% of firms have a vulnerability management program
- Primary goals are to reduce security risk and to prevent/respond to security threats
- Over 90% of firms consider vulnerability management a priority

Despite this, many organizations don't feel that they are secure
- 49% think their network is somewhat, pretty, or extremely vulnerable to security threats
- 49% have experienced a cyberattack in the past 6 months

There's a disconnect between the frequency and breadth of vulnerability scanning and the amount the respondents felt was needed
- 49% of respondents feel their organizations don't scan as often or as in-depth as they would like
- A significant percentage of organizations only scan their networks once per month (or less)
- A significant percentage of organizations only scan half of their networks (or less)

Reasons why organizations don't scan more broadly or frequently
- Resources unable to expand data analysis or patching activity
- Network disruptions and non-scannable hosts
Key Findings
- The majority of organizations have an established vulnerability management program
- Despite this, many organizations don't feel that they are secure
- Disconnect between frequency/breadth of scanning versus what respondents think is needed
- Reasons why organizations don't scan more broadly or frequently
Over 90% of firms have a vulnerability management program, and consider it a priority

Does your organization have an established vulnerability management program?
  Yes    92%
  No      8%

Overall, how important a priority is vulnerability management in your organization?
  Extremely high priority    42%
  It's a priority            38%
  Somewhat of a priority     11%
  A fairly low priority       7%
  A very low priority         2%
Vulnerability management programs are focused on reducing risk and preventing threats

On a scale of 1 to 5, where 5 is extremely important, to what extent is each of the following a goal of your vulnerability management program or activities? (mean score)
  To reduce our security risk level                           4.29
  To proactively prevent threats before they happen           4.18
  To respond to new threats                                   4.06
  To provide an accurate assessment of our security status    3.94
  To meet compliance requirements                             3.73
  To prioritize and minimize patching costs                   3.46
Almost 50% of firms feel that they are NOT secure

How vulnerable do you think your network is to security threats?
  Extremely vulnerable      0%
  Pretty vulnerable         9%
  Somewhat vulnerable      39%
  Not too vulnerable       47%
  Not vulnerable at all     5%
Many have experienced a cyber-attack in the past six months leading to outage, unauthorized access, or damage

During the past 6 months has your organization experienced any cyber-attacks leading to any of the following? (multiple responses allowed)
  Service down                                        62%
  Misuse or unauthorized access to information        38%
  Data breach of customer or confidential records     23%
  Damage to information systems or data               21%
  Damage to brand (e.g. hacktivism)                    9%
  Minor Web DoS attack                                 0%
  None                                                 8%
Scanning Frequency

How often does your organization scan each zone of your network?

A significant percentage of organizations scan their zones monthly or less:

  DMZ scanning frequency
    Daily         24%
    Weekly        37%
    Monthly       22%
    Less often    18%

  Internal network/hosts scanning frequency
    Daily         35%
    Weekly        23%
    Monthly       26%
    Less often    16%

  Scanning frequency - % of organizations scanning monthly or less
    Partner zones              55%
    External resources         52%
    Internal network/hosts     42%
    DMZ                        39%
    Desktops/laptops/mobile    36%
    Data centers               36%

Internal network/hosts and data centers get the top priority in terms of scanning frequency:

  Scanning frequency - % of organizations scanning daily
    Internal network/hosts     35%
    Data centers               35%
    DMZ                        24%
    Desktops/laptops/mobile    24%
    External resources         18%
    Partner zones              12%
Frequency by Size of Organization*

How often does your organization scan each zone of your network?

Large organizations tend to scan more frequently. Internal network/hosts and data centers get scanned the most frequently.

  Daily scanning frequency     Large    Medium
    Internal network/hosts      40%      27%
    Data centers                38%      31%
    DMZ                         30%      13%
    Desktops/laptops/mobile     27%      22%
    External resources          24%       7%
    Partner zones               16%       4%

(Charts of DMZ and internal network/hosts scanning frequency, daily through less often, for large versus medium organizations are not reproduced here.)

*Large organizations are defined as those with 1,500 or more employees; medium organizations are those with 250-1,499 employees.
Scanning Coverage

What portion of each part of the environment does your organization typically scan?

A significant percentage of organizations scan 50% or less of their zones:

  DMZ scanning completeness
    76-100% of hosts    47%
    51-75% of hosts     13%
    25-50% of hosts     19%
    < 25% of hosts      21%

  Internal network/hosts scanning completeness
    76-100% of hosts    37%
    51-75% of hosts     27%
    25-50% of hosts     20%
    < 25% of hosts      16%

  Scanning coverage - % of organizations scanning 50% or less of hosts
    External resources         58%
    Partner zones              57%
    DMZ                        39%
    Internal network/hosts     37%
    Desktops/laptops/mobile    36%
    Data centers               33%

Data centers and DMZ get scanned the most completely:

  Scanning coverage - % of organizations scanning 76% or more of hosts
    Data centers               48%
    DMZ                        47%
    Desktops/laptops/mobile    38%
    Internal network/hosts     37%
    Partner zones              22%
    External resources         18%
Coverage by Size of Organization*

What portion of each part of the environment does your organization typically scan?

Large organizations tend to scan a larger portion of their environments. DMZ and data centers get the most scanning coverage.

  Scanning coverage - DMZ                        Large    Medium
    76-100% of hosts                              59%      27%
    51-75% of hosts                               14%      12%
    25-50% of hosts                               11%      33%
    < 25% of hosts                                16%      27%

  Scanning coverage - internal network/hosts     Large    Medium
    76-100% of hosts                              39%      33%
    51-75% of hosts                               31%      18%
    25-50% of hosts                               16%      27%
    < 25% of hosts                                14%      21%

  % of organizations scanning 76% or more of hosts   Large    Medium
    DMZ                                               59%      27%
    Data centers                                      55%      36%
    Desktops/laptops/mobile                           40%      31%
    Internal network/hosts                            39%      33%
    Partner zones                                     26%      16%
    External resources                                25%       6%

*Large organizations are defined as those with 1,500 or more employees; medium organizations are those with 250-1,499 employees.
Comparing Scan Frequency to Coverage*

Scanning frequency versus coverage, internal network/hosts, all firms (bubble chart plotting frequency from daily to less often against coverage from < 25% to 76-100% of hosts; not reproduced here)

Scanning frequency and coverage are roughly correlated:
- Organizations that scan frequently tend to scan more broadly
- Organizations that scan less broadly tend to scan less frequently as well

This relationship holds true for both large and medium-sized organizations.

*Size/color of the circles indicates the number of respondents
49% of respondents don't think their organization scans as often or as in-depth as they would like

If your organization does not conduct vulnerability scanning as often or as in-depth as you would like, what are the reasons? (multiple responses allowed)
  Don't have the resources to analyze more frequent scan data         57%
  Concerns about the disruptions caused by active scanning            57%
  IT does not have the resources to do broader patching               33%
  Some hosts not scannable due to their use, OS, or configuration     33%
  Unable to gain credentialed access to scan portions of network      29%
  The cost of licenses is prohibitive                                 27%
  We just don't need to scan more                                      4%

Top areas of concern:
- Resources unable to expand data analysis or patching activity
- Network disruptions and non-scannable hosts
Why don't organizations scan more often or more in-depth (large versus medium organizations)?

If your organization does not conduct vulnerability scanning as often or as in-depth as you would like, what are the reasons?
                                                                     Large    Medium
  Concerns about the disruptions caused by active scanning            59%      62%
  Don't have the resources to analyze more frequent scan data         56%      62%
  IT does not have the resources to do broader patching               41%      15%
  Some hosts not scannable due to their use, OS, or configuration     38%      23%
  Unable to gain credentialed access to scan portions of network      32%      23%
  The cost of licenses is prohibitive                                 24%      31%
  We just don't need to scan more                                      0%       8%

Differences in areas of concern:
- Large organizations: IT resources; network access/scannability
- Medium organizations: scanner license costs
Some Comments From Respondents

What Works
- "We're moving to more regular scanning (a lighter scan) but more often."
- "The ongoing process has enabled us to easily address critical issues proactively."

What Doesn't
- "Concerned about reduced productivity (system slowdowns) from scanning as frequently as we ideally should."
- "It is an asset, but also gives too much that doesn't matter."
- "It's great knowing we have X number of vulnerabilities on Y systems but without a way to tie into our reporting structure it's difficult to get them resolved in a timely manner."
- "It will increase in scope and need in the face of all the new threats."
Mission accomplished?

After you finish running a vulnerability scan, what is your typical reaction? (multiple responses allowed)
  Pat yourself on the back                                     58%
  Google vulnerability scanners to search for a new vendor     18%
  Punch a co-worker                                            16%
  Punch your monitor                                           16%
  Hide the results                                             10%
  Update your resume                                            4%

Vulnerability management can make a difference in the cyber-security fight, but to reach higher levels of impact, security management challenges must be addressed.
About Skybox Security

Pioneer in Security Risk Management
- We help enterprises find, prioritize, and drive remediation of network security risks such as vulnerabilities and misconfigurations
- Our portfolio of automated tools is used daily for continuous network visibility, expert security analytics, and to help prevent cyber attacks

Proven in Challenging Networks
- 300 Global 2000 customers
- Financial services, government, defense, energy & utilities, retail, service providers, manufacturing, tech
- 85% growth in 2011
Skybox Product Portfolio
  Firewall Assurance    Automated firewall analysis and audits
  Change Manager        Complete firewall change workflow
  Network Assurance     Network compliance and access path analysis
  Risk Control          Prioritize vulnerabilities and attack scenarios
  Threat Manager        Workflow to address new threats
Unique Skybox Advantages
- Complete Portfolio: addresses a broad range of security risk management challenges
- Non-Intrusive: modeling and simulation technology delivers daily assessments without disruption
- Advanced Analytics: network path analysis, network and security modeling, multi-step attack simulation, risk KPI metrics
- Enterprise Class Performance and Scalability: daily risk management effective in large-scale and complex environments
- Extensive Integration: consistent feature set supports 72 network devices and security management systems

Email info@skyboxsecurity.com for more information about Skybox Security solutions.
Copyright 2012 Skybox Security, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Skybox Security, Inc., nor may it be resold or distributed by any entity other than Skybox Security, Inc., without prior written authorization of Skybox Security, Inc.

Skybox Security, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein.

Skybox Security, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.