November 4, Underwritten by:

Transcription

1 November 4, 2015 Underwritten by:

2 Introduction More and more Internet-enabled devices are connecting to Federal networks. Are endpoint security strategies maturing as the definition of an endpoint expands? Are Feds paying enough attention to this important link in the cyberattack life cycle? To find out, MeriTalk examined endpoint security strategies and efforts across the Federal government, surveying 100 Federal IT managers and 100 non-it Federal employees. What is an endpoint? Any Internet-capable hardware device that can connect to a network, from servers to mobile devices (laptops, smartphones, etc.) to customerinterface devices (POS, ATMs, Kiosks, etc.) to Machine-to-Machine devices (ICS/SCADA, connected medical devices, building automation, security systems, etc.) and other sensors. 2

3 Executive Summary Federal agencies are struggling to identify and protect endpoints: Federal IT managers estimate 44% of the endpoints that access agency networks are at risk Barely half of agencies have taken critical steps to secure endpoints, including scanning for vulnerable/infected endpoints; even fewer employ real-time patching for high priority vulnerability disclosures Agency-wide security is suffering: Nearly one-third of Federal IT managers say they have experienced endpoint breaches due to APT or zero-day attacks Of the devices on networks, 30% have been infected with some type of malware Agencies must improve overall collaboration and integration: Just over half of Federal IT managers (54%) say their current policies and standards are very effective, practical, or enforceable And, less than half say their agency s endpoint security policies and standards are very well integrated into their overall IT security strategy 3

4 Endpoint Epidemic Gaps in endpoint protection leave Feds vulnerable 44% of the endpoints that access agency networks are at risk* 19% Unknown of endpoint audits do not include Known all network connected devices** Take Away: Unprotected & Unknown Endpoints Add Risk *Included unknown endpoints and known endpoints that are not secure **Includes those who do not conduct any endpoint audits and those who are unsure 4

5 Advanced Threats Attacking The Impact: Nearly one-third of Federal IT managers say they have experienced endpoint breaches due to APT or zero-day attacks of IT Managers believe they need to improve their policies in preventing unknown (i.e. zeroday) threats 65% and need to integrate with other security tools (network security, threat intelligence) to get a more comprehensive security view of their network Take Away: Agencies Are Not Prepared 5

6 Mobility Investments* Feds have invested in mobility and mobile endpoint security; majority feel investments have been effective 90% of Federal employees say they use at least one mobile device for work** Since the launch of the Digital Government Strategy, Feds have invested an average of $373/per employee or $1.6B government-wide Top Tech Investments ü Laptops ü Automatic software updates ü Backup/restore ü Secure remote connection ü Smartphones On average, 74% say these investments have been effective Top Management Investments ü Mobile Device Management ü Mobile Management ü Enterprise Mobility Management ü Mobile Security Management ü Mobile Application Management On average, 60% say these investments have been effective Take Away: False Confidence? *2014 Mobile Work Exchange, Mobility Progress Report **2014 Mobile Work Exchange, Mobilometer Tracker Report 6

7 Concern #1: Unsecured, Unsegmented Federal IT managers say agencies are missing opportunities to proactively defend endpoints* 59% 80% Don t micro or virtually segment endpoints (collectively) into their own zone(s) from the rest of the network Don t employ real-time patching for high priority vulnerability disclosures 44% Don t scan for vulnerable/infected endpoints *Federal IT managers asked to select all that apply Take Away: So Much for Zero Trust 7

8 Concern #2: Unsafe/Unknown Files Most Feds do not work to specifically identify dubious files from endpoints Just 28% have identified dubious files from endpoints Take Away: Consider All Attack Vectors 8

9 Concern #3: Users, Apps, Network Traffic Half of Federal IT managers say their agency isn t taking key steps to validate users and apps 48% 51% Don t audit users, apps, and network traffic Have not implemented network access controls Take Away: Verify and Verify 9

10 Concern #4: Personal Devices Fewer than half of Federal IT managers say their agency requires registration much less inspection of personal devices 40% 41% Say their agency requires employees to register personal devices used for work Say their agency requires inspections of personal devices Take Away: Prevention is the Best Medicine 10

11 Behind the Times Even as new endpoint types emerge, agencies struggle to lock down traditional endpoints Step 1: Define Tomorrow s Endpoints One third of Federal IT managers say they have a 10-year-old or older formal definition of an endpoint Step 2: Defend Today s Endpoints Federal IT managers say 30% of the devices on their network have been infected with some type of malware Take Away: Step One Define. Step Two Defend. 11

12 Policies Role in Preventing Endpoint Attacks 89% of Federal IT managers say their agency s policies need to improve Just over half of Federal IT managers (54%) say their current policies and standards are very effective, practical, or enforceable Take Away: Agencies Need a Policy Physical 12

13 Bring Your Own Disease? One of the most significant origins of endpoint challenges come from Federal employees using personal devices for work purposes In agencies that do have BYOD policies, Feds are failing to * Apply their network security policies to mobile devices (61% do not) Require device encryption (60% do not) Enroll devices with the IT department (52% do not) Ban public Wi-Fi (50% do not) Require anti-malware or anti-virus software (47% do not) Additionally, 45% of Federal employees who use personal devices for work have either not reviewed their BYOD policy or don't believe they have one *IT managers asked to select all that apply Take Away: Unmanaged Devices = Unmanaged Disease 13

14 Are Employees Patient Zero? Employees are not prepared for advanced targeting and attacks that use their endpoint devices as a vector 61% of Federal employees who use personal mobile phones for work have downloaded personal applications to that phone Over half admit risky behavior with the personal mobile devices they use for work, including: 39% who say they ve ed work documents to their personal account or uploaded them to a cloud application such as Box or Dropbox 30% who say they ve opened an or text from a stranger on a device they use for work 24% who say they log into their agency s network using public Wi-Fi at least weekly Take Away: Bad Behavior is Contagious 14

15 Working Together for a Cure Federal employees recognize the need for consequences to protect government networks and data When asked what would help employees comply with cyber policies*: 78% of Federal employees suggested removing teleworking privileges for employees that do not comply 78% also suggested removing network access 79% using personal devices for work say they d be willing to have them inspected by their IT department for malware* Collaboration à Compliance: Less than half of Federal IT managers say their agency s endpoint security policies and standards are very well integrated into their overall IT security strategy *According to non-it Federal employees Take Away: Take an Integrated View of Security 15

16 Using Available Frameworks and Programs Federal IT managers say NIST and CDM efforts will help 56% of Federal IT managers believe the NIST cyber security framework has helped their agency establish a plan for improving current endpoint security measures 54% say it has helped determine the current level of endpoint security 42% say it has allowed them to set goals for endpoint security that are in sync with the agency environment 80% also believe CDM Phase II will have a positive impact on their agency s endpoint security Take Away: New Methods Could Change the Outcome 16

17 Recommendations Identify Vulnerabilities: Detect all connected devices; uniformly apply security controls and policies Establish Proper Prevention: Patch endpoints regularly; implement exploit and malware prevention that can thwart zero day threats; correlate malicious endpoint behavior with network security; require end-user training; and segment like endpoints to quarantine risk Vaccinate: Be proactive when dealing with endpoint threats and incorporate endpoint efforts into your agency s broader cyber security strategy. Apply what you're learning from the endpoint into your overall network security strategy for a robust zero-trust approach 17

18 Methodology and Demographics MeriTalk, on behalf of Palo Alto Networks, conducted an online survey of 100 Federal IT managers and 100 Federal employees in September Each dataset has a margin of error of ±9.78% at a 95% confidence level IT job titles: 9% Deputy CIO/CTO/CISO 52% IT Director/Supervisor 14% IT Systems Engineer 8% Data Center Manager 3% Network Manager 1% Cyber Security Manager 13% Other IT Manager Agency type: 62% Federal: Civilian 38% Federal: DoD or Intel 100% of IT respondents are familiar with their agency s endpoint security efforts, including mobile device security Non-IT job titles: 21% Clerical/Administrative 14% Customer/Citizen Service 10% Executive Leadership 13% Finance/Accounting 6% Human Resources 10% Program/Project Management 6% Public Relations/Communications 4% Research Development 16% Other Agency type: 60% Federal: Civilian 40% Federal: DoD or Intel 18

19 Thank You Olivia Cho ext. 135