Reducing the Threat Window

Transcription

1 INFONETICS RESEARCH WHITE PAPER The Importance of Security Orchestration and Automation January Campbell Technology Parkway Suite 200 Campbell California t f Silicon Valley, CA Boston, MA London, UK

2 Table of Contents INTRODUCTION 1 ENTERPRISES INVESTING HEAVILY IN THREAT MITIGATION 1 THE THREAT WINDOW IS STILL WIDE OPEN 3 INVESTING TO CLOSE THE THREAT WINDOW 4 THE NEED FOR ORCHESTRATION AND AUTOMATION 6 WHITE PAPER AUTHOR 7 ABOUT INFONETICS RESEARCH 7 REPORT REPRINTS AND CUSTOM RESEARCH 7 List of Exhibits Exhibit 1 Enterprise Threat Mitigation Spending Plans 2 Exhibit 2 POS Intrusion Timespan 3 Exhibit 3 Security Investment Drivers 4 Exhibit 4 Security Investment Barriers 5

3 INTRODUCTION A constant stream of high-profile data thefts has everyone on high alert. More than 2,000 disclosed breaches totally almost a billion individual personal records were stolen in 2013, and with major announced breaches from huge brands like JP Morgan Chase and ebay dominating the news in 2014, it seems that hackers are finding more success than ever. The Target breach of 2013 in particular paints a very interesting picture of the current state of threat mitigation at large enterprises, particularly the need to shrink the exposure window when a threat event does occur. ENTERPRISES INVESTING HEAVILY IN THREAT MITIGATION Security isn t a simple problem that can be easily solved by spending more money. Target has a significant IT security budget and a wide range of controls in place, but they still managed to get taken to the tune of 40M credit card numbers and 70M customer records. The average enterprise also has a wide range of security solutions in place; data from a recent Infonetics research survey of 123 IT security decision-makers shows that buyers are purchase a wide range of threat mitigation platforms, and many have plans to increase their investment in those platforms. This chart shows two important things; companies have a wide range of security controls in place (often more than a dozen disparate solutions from 5 or more vendors), and they re only adding more. 1

4 Exhibit 1 Enterprise Threat Mitigation Spending Plans Web security 59% 36% 2% 4% Security client software 56% 39% 2% 2% Messaging security 53% 44% 1% 2% Security Technologies Data loss prevention Advanced threat protection Firewall/UTM/ next gen firewall SIEM/log management and analysis Network access control/management 53% 51% 46% 46% 45% 39% 4% 4% 40% 5% 4% 47% 3% 3% 41% 2% 11% 48% 2% 5% Vulnerability management/ assessment 43% 49% 3% 5% DDoS mitigation 37% 49% 6% 8% IPS 37% 53% 2% 9% Sandboxing/virtual execution 35% 50% 3% 11% 0% 20% 40% 60% 80% 100% Percent of Respondents Increase Keep flat Decrease Not investing/ Don't know Source: Next Generation Threat Prevention Strategies and Vendor Leadership Spending increases are based on the notion that we re in an escalating threat environment with a wide range of new advanced persistent threats, and buyers are looking for protection against data theft and accidental data loss. So are they wrong in spending on new threat mitigation technologies knowing that a large company like Target had firewalls, anti-malware software, and even advanced threat detection solutions like FireEye in place? Not exactly. 2

5 THE THREAT WINDOW IS STILL WIDE OPEN The practical problem many companies face is how to effectively deal with an attack once it happens, because the attacks will happen. The Target attack started with malware installed on POS (point of sale) terminals; the network was first breached on November 12, 2013, and they tested and installed the malware between the 15th and the 30th, when Symantec and FireEye products identified malicious activities and triggered alerts. Attackers even had time to upgrade the malware, and started stealing data on December 2, which triggered another FireEye alert. That s nearly a month between the network breach and exfiltration, with multiple alerts raised, and malware is continuing to run. On December 12, the Department of Justice notified Target of the breach, and Target confirmed the breach and removed most of the malware by the 15th, over one month after the first alerts were triggered. Target, although it is among the most publicly known victims of cybercrime, isn t alone; the Verizon report looked at 169 POS intrusion events in 2013, and the chart below shows the timeline for compromise, exfiltration, and discovery. The data couldn t be more clear: in 88% of these events, data was stolen within minutes of compromises that weren t discovered for many more weeks. Exhibit 2 POS Intrusion Timespan Source: Verizon Data Breach Incident Report 3

6 INVESTING TO CLOSE THE THREAT WINDOW Looking at more data from the same survey, we see that enterprises recognize the key problems: they want to protect against advanced malware and make sure data isn t stolen or accidentally leaked. Many respondents also understand that decreasing the time to discovery and resolution are a key part of their security strategy: almost ¾ of respondents rate these issues as strong drivers for investing in new security solutions. Exhibit 3 Security Investment Drivers Protect against advanced malware 80% Protect against theft of data/financial loss 80% Protect against advanced persistent threats 78% Reduce security complexity 75% Decrease time to threat resolution 74% Factors Decrease time to threat discovery Protect against denial of service attacks Upgrade performance of security infrastructure Protect network from employees browsing the Web/using social networking sites Prevent accidental leakage of confidential data 74% 73% 73% 72% 71% Reduce operational costs 70% Regulatory requirement/ demonstrate compliance 67% Add sandboxing/virtual execution technology 63% 0% 20% 40% 60% 80% 100% Percent of Respondents Rating 6 or 7 Source: Next Generation Threat Prevention Strategies and Vendor Leadership 4

7 Many IT professionals are having trouble coming to grips with exactly how to shrink the gap between threat exposure and discovery/mitigation. Even though many companies are going through a process of rationalizing and consolidating security platforms, it s unreasonable to assume that the average company will have 1 security solution, from 1 vendor, with 1 policy and management interface ever. Even if companies cut the number of threat mitigation platforms they used in half, they d still likely be managing 4-6 different platforms from multiple vendors. One obvious route to take then, is to look for third-party security orchestration and automation solutions that are able the take in feeds from their individual platforms, understand the data, then feed back configuration and policy changes to firewalls, IPS platforms, DDoS mitigation systems, security clients, and advanced threat protection platforms with minimal (or no) human intervention. Though these tools exist, and while many companies understand that closing the exposure gap is a key part of the security investment strategy, based on the survey data we gathered, less than 30% see the lack of automation tools as an investment barrier. Exhibit 4 Security Investment Barriers Cost 38% Poor management platforms 35% Performance 35% Barriers Products/services don t provide complete protection Security infrastructure complexity Available platforms don t provide adequate protection Lack of innovation from security vendors Can t decide between buying products and services 35% 33% 32% 31% 28% Lack of automation tools 28% Lack of integration/coordination between security solutions 28% Difficult to deploy 28% Difficult to manage 27% 0% 10% 20% 30% 40% Percent of Respondents Rating 6 or 7 Source: Next Generation Threat Prevention Strategies and Vendor Leadership 5

8 THE NEED FOR ORCHESTRATION AND AUTOMATION In most cyber-attacks, just as in the Target case, it is safe to assume there were multiple security controls in place that threw up red flags prior to discovery. There are many security products on the market that can help distill and correlate events (SIEM solutions), and SIEM solutions are commonly used in enterprises to discover such events. What s missing in most cases is a central console for orchestrating all the diverse security platforms enterprises have installed, allowing them to talk to each other and change behavior, configurations, or access policies in response to correlated events, and then to take the final, and much more difficult, step of automating the orchestration process in cases where the decision to act is simple. What should have been the next step in Target s process when FireEye threw up each alert, and why instead did the process stop at the alert? Might that alert could have automatically triggered a chain of events that could have significantly shortened the window the attackers had to steal data? As an IT industry, we re very good at building solutions that can identify and, in some cases, automatically block individual events. But to significantly reduce the threat window, vendors need to help their enterprise customers deploy orchestration and automation solutions. Complex multi-vendor threat mitigation deployments are here to stay, and security teams could be much more effectively used if they didn t have to spend so much of their time dealing with manual configuration and analysis tasks. 6

9 WHITE PAPER AUTHOR Jeff Wilson Principal Analyst, Security Infonetics Research Commissioned by CSG Invotas to educate the industry about the need for security orchestration and automation tools, this paper was written autonomously by analyst Jeff Wilson based on Infonetics independent research. ABOUT INFONETICS RESEARCH Infonetics Research is an international market research and consulting analyst firm serving the communications industry since A leader in defining and tracking emerging and established technologies in all world regions, Infonetics helps clients plan, strategize, and compete more effectively. REPORT REPRINTS AND CUSTOM RESEARCH To learn about distributing excerpts from Infonetics reports or custom research, please contact: North America (West) and Asia Pacific Larry Howard, Vice President, larry@infonetics.com, North America (East, Midwest, Texas), Latin America, and EMEA Scott Coyne, Senior Account Director, scott@infonetics.com, Greater China, Southeast Asia, and India 大 中 华 区 及 东 南 亚 地 区 Jeffrey Song, Market Analyst 市 场 分 析 师 及 客 户 经 理 jeffrey@infonetics.com,