Skybox Security Vulnerability Management Survey 2012

Notice: This document contains a summary of the responses to a June 2012 survey of 100 medium to large enterprise organizations about their Vulnerability Management practices. The survey was sponsored by Skybox Security and conducted by Osterman Research. For more information about the survey, please contact info@skyboxsecurity.com.

Copyright 2012 Skybox Security. All rights reserved.

Survey Overview

Research Overview

Skybox Security conducted a survey of enterprise IT and security personnel who were knowledgeable about their organizations' vulnerability management programs and activities. The goals of the survey were to determine:
- Challenges organizations face in deploying and managing a vulnerability management program
- The priority of an organization's vulnerability management program against other security management challenges
- The frequency and coverage of vulnerability scanning in medium and large enterprise organizations

Details of the Survey
- A total of 100 surveys were completed in June 2012 with individuals from the Osterman Research survey panel.
- The mean number of employees at the organizations surveyed was 17,019; the mean number of email users was 14,972. The medians were 2,900 and 2,500, respectively.
- Data was segmented into medium-sized organizations from 250-1,499 employees (36 surveys) and large organizations with 1,500 or more employees (64 surveys).
- Key vertical industries represented include manufacturing (16% of respondents), finance (13%), government and defense (11%), healthcare (8%), and retail (8%).
- The largest organization responding had 350,000 employees, and the smallest had 250.
- The majority of the surveys were conducted with respondents in North America.

Executive Summary of Findings

The majority of organizations have an established vulnerability management program
- Over 90% of firms have a vulnerability management program
- Primary goals are to reduce security risk, and to prevent/respond to security threats
- Over 90% of firms consider vulnerability management a priority

Despite this, many organizations don't feel that they are secure
- 49% think their network is somewhat, pretty, or extremely vulnerable to security threats
- 49% have experienced a cyberattack in the past 6 months

There's a disconnect between the frequency and the breadth of vulnerability scanning and the amount that the respondents felt was needed
- 49% of respondents feel their organizations don't scan as often or as in-depth as they would like
- A significant percentage of organizations only scan their networks once per month (or less)
- A significant percentage of organizations only scan half their networks

Reasons why organizations don't scan more broadly or frequently
- Resources unable to expand data analysis or patching activity
- Network disruptions and non-scannable hosts

Key Findings
- The majority of organizations have an established vulnerability management program
- Despite this, many organizations don't feel that they are secure
- Disconnect between frequency/breadth of scanning versus what respondents think is needed
- Reasons why organizations don't scan more broadly or frequently

Over 90% of firms have a vulnerability management program, and consider it a priority

Does your organization have an established vulnerability management program?
- Yes: 92%
- No: 8%

Overall, how important a priority is vulnerability management in your organization?
- Response categories: Extremely high priority; It's a priority; Somewhat of a priority; A fairly low priority; A very low priority
- Values shown in the chart: 7%, 2%, 11%, 42%, 38%

Vulnerability Management programs are focused on reducing risk and preventing threats

On a scale of 1 to 5, where 5 is extremely important, to what extent is each of the following a goal of your vulnerability management program or activities?
- To reduce our security risk level: 4.29
- To proactively prevent threats before they happen: 4.18
- To respond to new threats: 4.06
- To provide an accurate assessment of our security status: 3.94
- To meet compliance requirements: 3.73
- To prioritize and minimize patching costs: 3.46


Almost 50% of firms feel that they are NOT secure

How vulnerable do you think your network is to security threats?
- Response categories: Extremely vulnerable; Pretty vulnerable; Somewhat vulnerable; Not too vulnerable; Not vulnerable at all
- Values shown in the chart: 5%, 0%, 9%, 47%, 39%

Many have experienced a cyber-attack in the past six months leading to outage, unauthorized access, or damage

During the past 6 months has your organization experienced any cyber-attacks leading to any of the following?
- Service down: 62%
- Misuse or unauthorized access to information: 38%
- Data breach of customer or confidential records: 23%
- Damage to information systems or data: 21%
- Damage to brand (e.g. hacktivism): 9%
- Minor Web DoS attack: 0%
- None: 8%


Scanning Frequency

How often does your organization scan each zone of your network?

A significant percentage of organizations scan their zones monthly or less:

DMZ Scanning Frequency
- Daily: 24%
- Weekly: 37%
- Monthly: 22%
- Less often: 18%

Internal Network/Hosts Scanning Frequency
- Daily: 35%
- Weekly: 23%
- Monthly: 26%
- Less often: 16%

Internal network/hosts and data centers get the top priority in terms of scanning frequency:

[Charts: Scanning Frequency - % of Orgs Scanning Monthly or Less; Scanning Frequency - % of Organizations Scanning Daily. Zones: Internal network/hosts, Data centers, DMZ, Desktops/laptops/mobile, External resources, Partner zones. Values shown across the two charts: 12%, 39%, 36%, 36%, 18%, 42%, 55%, 52%, 24%, 24%, 35%, 35%]

Frequency by Size of Organization*

How often does your organization scan each zone of your network?

[Charts: Scanning Frequency - DMZ, Large vs Medium Organizations; Scanning Frequency - Internal Network/Hosts, Large vs Medium Organizations. Categories: Daily, Weekly, Monthly, Less often]

Large organizations tend to scan more frequently

Daily Scanning Frequency (Large / Medium)
- Internal network/hosts: 40% / 27%
- Data centers: 38% / 31%
- DMZ: 30% / 13%
- Desktops/laptops/mobile: 27% / 22%
- External resources: 24% / 7%
- Partner zones: 16% / 4%

Internal network/hosts and data centers get scanned the most frequently.

*Large organizations are defined as those with > 1500 employees; Medium organizations are those with 250-1499 employees

Scanning Coverage

What portion of each part of the environment does your organization typically scan?

A significant percentage of organizations scan less than 50% of their zones

DMZ Scanning Completeness
- 76-100% of hosts: 47%
- 51-75% of hosts: 13%
- 25-50% of hosts: 19%
- < 25% of hosts: 21%

Scanning Coverage - % of Orgs Scanning 50% or less
- External resources: 58%
- Partner zones: 57%
- DMZ: 39%
- Internal network/hosts: 37%
- Desktops/laptops/mobile: 36%
- Data centers: 33%

[Chart: Internal Network/Hosts Scanning Completeness. Categories: 76-100% of hosts, 51-75% of hosts, 25-50% of hosts, < 25% of hosts. Values shown in the chart: 16%, 20%, 27%, 37%]

Data centers and DMZ get scanned the most completely

[Chart: Scanning Coverage - % of Organizations Scanning 76%+. Zones: Data centers, DMZ, Desktops/laptops/mobile, Internal network/hosts, Partner zones, External resources. Values shown in the chart: 22%, 18%, 38%, 37%, 48%, 47%]

Coverage by Size of Organization*

What portion of each part of the environment does your organization typically scan?

[Charts: Scanning Coverage - DMZ; Scanning Coverage - Internal Network/Hosts. Categories: < 25% of hosts, 25-50% of hosts, 51-75% of hosts, 76-100% of hosts. Series: Large, Medium. Values shown across the two charts: 27%, 16%, 11%, 33%, 27%, 21%, 14%, 16%, 14%, 12%, 31%, 18%, 59%, 27%, 39%, 33%]

Large organizations tend to scan a larger portion of their environments

Percentage of Orgs Scanning 76%+ (Large / Medium)
- DMZ: 59% / 27%
- Data centers: 55% / 36%
- Desktops/laptops/mobile: 40% / 31%
- Internal network/hosts: 39% / 33%
- Partner zones: 26% / 16%
- External resources: 25% / 6%

DMZ and data centers get the most scanning coverage

*Large organizations are defined as those with > 1500 employees; Medium organizations are those with 250-1499 employees

Comparing Scan Frequency to Coverage*

[Chart: Scanning Frequency versus Coverage - Internal Network/Hosts, ALL FIRMS. Frequency categories: Daily, Weekly, Monthly, Less often. Coverage categories: < 25%, 25-50%, 51-75%, 76-100%]

Scanning frequency and coverage are roughly correlated:
- Organizations that scan frequently tend to scan more broadly
- Organizations that scan less broadly tend to scan less frequently as well

This relationship holds true for both Large and Medium sized organizations.

*Size/color of the circles indicates the number of respondents


49% of respondents don't think their organization scans as often or as in-depth as they would like

If your organization does not conduct vulnerability scanning as often or as in-depth as you would like, what are the reasons?
- Don't have the resources to analyze more frequent scan data: 57%
- Concerns about the disruptions caused by active scanning: 57%
- IT does not have the resources to do broader patching: 33%
- Some hosts not scannable due to their use, OS, or configuration: 33%
- Unable to gain credentialed access to scan portions of network: 29%
- The cost of licenses is prohibitive: 27%
- We just don't need to scan more: 4%

Top areas of concern
- Resources unable to expand data analysis or patching activity
- Network disruptions and non-scannable hosts

Why don't organizations scan more often or more in-depth (large versus medium organizations)?

If your organization does not conduct vulnerability scanning as often or as in-depth as you would like, what are the reasons?

[Chart: reasons by organization size. Series: Large, Medium. Values shown for each reason:]
- Concerns about the disruptions caused by active scanning: 59%, 62%
- Don't have the resources to analyze more frequent scan data: 56%, 62%
- IT does not have the resources to do broader patching: 15%, 41%
- Some hosts not scannable due to their use, OS, or configuration; Unable to gain credentialed access to scan portions of network: 23%, 23%, 32%, 38%
- The cost of licenses is prohibitive: 24%, 31%
- We just don't need to scan more: 0%, 8%

Differences in areas of concern:
- Large organizations: IT resources; Network access/scannability
- Medium organizations: Scanner license costs

Some Comments From Respondents

What Works
- "We're moving to more regular scanning (a lighter scan) but more often."
- "The ongoing process has enabled us to easily address critical issues proactively."

What Doesn't
- "Concerned about reduced productivity (system slowdowns) from scanning as frequently as we ideally should."
- "It is an asset, but also gives too much that doesn't matter."
- "It's great knowing we have X number of vulnerabilities on Y systems but without a way to tie into our reporting structure it's difficult to get them resolved in a timely manner."
- "It will increase in scope and need in the face of all the new threats."

Mission accomplished?

After you finish running a vulnerability scan, what is your typical reaction?
- Pat yourself on the back; Google vulnerability scanners to search for a new vendor; Punch a co-worker; Punch your monitor (values shown in the chart: 18%, 16%, 16%, 58%)
- Hide the results: 10%
- Update your resume: 4%

Vulnerability management can make a difference in the cyber-security fight, but to reach higher levels of impact, security management challenges must be addressed

About Skybox Security

Pioneer in Security Risk Management
- We help enterprises find, prioritize, and drive remediation of network security risks such as vulnerabilities and misconfigurations
- Portfolio of automated tools are used daily for continuous network visibility, expert security analytics, and to help prevent cyber attacks

Proven in Challenging Networks
- 300 Global 2000 customers
- Financial Services, Government, Defense, Energy & Utilities, Retail, Service Providers, Manufacturing, Tech
- 85% growth in 2011

Skybox Product Portfolio
- Firewall Assurance: Automated firewall analysis and audits
- Change Manager: Complete firewall change workflow
- Network Assurance: Network compliance and access path analysis
- Risk Control: Prioritize vulnerabilities and attack scenarios
- Threat Manager: Workflow to address new threats

Unique Skybox Advantages
- Complete Portfolio - Addresses broad range of security risk management challenges
- Non-Intrusive - Modeling and simulation technology delivers daily assessments without disruption
- Advanced Analytics - Network path analysis, network and security modeling, multi-step attack simulation, risk KPI metrics
- Enterprise Class Performance and Scalability - Daily risk management effective in large-scale and complex environments
- Extensive Integration - Consistent feature set supports 72 network devices and security management systems

Email info@skyboxsecurity.com for more information about Skybox Security solutions

Copyright 2012 Skybox Security, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Skybox Security, Inc., nor may it be resold or distributed by any entity other than Skybox Security, Inc., without prior written authorization of Skybox Security, Inc.

Skybox Security, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Skybox Security, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.