The Challenge of Preventing Browser-Borne Malware

Transcription

1 The Challenge of Preventing Browser-Borne Malware Sponsored by Spikes Security Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report

2 Part 1. Introduction The Challenge of Preventing Browser-Borne Malware Ponemon Institute, February 2015 We are pleased to present the findings of The Challenge of Preventing Browser-Borne Malware study sponsored by Spikes Security. The purpose of this research is to focus on how organizations can improve their ability to defend against web-borne malware. In this study, we define web-borne malware as malware that attacks and infiltrates a user s insecure browser. The recent JPMorgan Chase data breach that affected 76 million households and 7 million small businesses is an example of hackers targeting an employee s web habits. We surveyed 645 IT and IT security practitioners who are familiar and involved in their company s efforts to detect and contain malware. Survey participants were from U.S. businesses with an average of more than 14,000 employees. All of the organizations represented in this research have built a multilayer defense-in-depth architecture in an effort to prevent these types of attacks. Despite having such technologies in place, over the past 12 months, these organizations experienced an average of 51 security breaches because of a failure in malware detection technology. The findings also reveal the average cost to respond to and remediate just one security breach because of a failure in malware detection technology is approximately $62,000. This means organizations could have spent an average of $3.2 million to remediate a security breach caused by web-borne malware. Following are the key takeaways from this research: The threat of web-borne malware is growing. Almost all respondents agree that their existing security tools are not capable of completely detecting web-borne malware and the insecure web browser is a primary attack vector. Further, the findings are evidence of the need for a more effective solution to stop web-borne malware. A barrier to the detection and containment of malware is a lack of resources. Seventyseven percent of respondents say it is certain or very likely their organizations have been infected by web-borne malware that was undetected. Users insecure web browsers cause the majority of total malware infections. The web browser is a common attack vector that can severely impact their organization s security posture. On average, a user s insecure web browser is the cause of 55 percent of the total malware infections. Sandboxes and content analysis engines help, but do not solve the problem. Some 38 percent of respondents say web-borne malware was still able to bypass this solution. What would organizations pay to stop malware? According to the findings, organizations would allocate an average of 33 percent of their total security budget to stop web-borne attacks by 50 percent. To stop all attacks (100 percent), they would allocate an average of 50 percent of the budget. Dependency on traditional detection methods deters organizations from adopting new solutions. Sixty-five percent of respondents say overcoming psychological dependency upon traditional detection methods would be a main barrier to adopting a browser isolation technique that rendered traditional web-borne malware detection and containment methods obsolete and unnecessary. Ponemon Institute Research Report Page 1

3 Part 2. Key findings In this section we provide an analysis of the key findings. We have organized the results of the research according to the following themes: The challenge with detection and containment of web-borne malware The cost of not detecting and containing web-borne malware The threat of web-borne malware is growing. Figure 1 reveals the challenges organizations face in dealing with web-borne malware. Almost all respondents agree that their existing security tools are not capable of completely detecting web-borne malware and the insecure web browser is a primary attack vector. Further, the findings are evidence of the need for a more effective solution to stop web-borne malware. Figure 1. Reasons why detection and containment of web-borne malware is a challenge Strongly agree and agree responses Even with my organization s security tools, webborne malware can be completely undetectable 81% The insecure web browser is a primary attack vector 81% Traditional detection-based technologies are becoming ineffective in stopping these attacks 74% Browser-borne malware is a more significant threat today than 12 months ago 69% Web-borne malware is more serious that other types of malware infections 63% Commercial browsers such as Chrome, Explorer, Firefox, Safari, and others contain effective security tools for blocking web-borne malware 31% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Ponemon Institute Research Report Page 2

4 A barrier to the detection and containment of malware is a lack of resources. As shown in Figure 2, 77 percent of respondents say it is certain or very likely their organizations have been infected by web-borne malware that was undetected. Figure 2. How likely is it that your organization is or has been infected by web-borne malware without being detected? 60% 53% 50% 40% 30% 24% 20% 10% 0% Figure 3 reveals the main reasons respondents self reported that they are not fully capable of detecting and containing web-borne malware. According to 51 percent of respondents, they are not receiving the resources or budget they need to effectively detect and contain this threat and 49 percent of respondents say defending against web-borne malware is not a security priority. As a result, the majority of respondents (52 percent) rate their ability to detect and contain web-borne malware as very weak or weak. Figure 3. Main reasons organizations can not fully detect and contain web-borne malware More than one response permitted 12% Certain Very likely Likely Not likely No chance 9% 2% Lack of resources or budget 51% Not considered a security-related priority 49% Do not have ample expert personnel 35% Lack of enabling technologies 33% Other 5% 0% 10% 20% 30% 40% 50% 60% Ponemon Institute Research Report Page 3

5 Users insecure web browsers cause the majority of total malware infections. The web browser is a common attack vector that can severely impact their organization s security posture. On average, a user s insecure web browser is the cause of 55 percent of the total malware infections, as shown in Figure 4. Figure 4. What percent of total malware did a user s insecure web browser cause in the past 12 months? Extrapolated value = 55 percent 30% 25% 26% 24% 20% 18% 15% 10% 12% 15% 5% 5% 0% Less than 10% 10 to 25% 26 to 50% 51 to 75% 76 to 100% Don t know Ponemon Institute Research Report Page 4

6 Sandboxes and content analysis engines help, but do not solve the problem. Some 38 percent of respondents say web-borne malware was still able to bypass this solution, shown in Figure 5. In contrast, 50 percent say the web-borne malware was able to bypass their organization s layered firewall defense. Forty-six percent say the organization s anti-virus solution was not a deterrent and 41 percent say web-borne malware was able to bypass intrusion detection systems. This suggests an effective solution is still required to ensure that no browser-borne malware is able to penetrate the network, breach desktop browsers or gain access to sensitive internal resources. Figure 5. How frequently did web-borne malware bypass organizations technologies? Yes, frequently and yes, not frequently responses combined Layered firewall defenses 50% Anti-virus (AV) solutions 46% Intrusion detection systems (IDS) 41% Sandbox/content analysis engine 38% 0% 10% 20% 30% 40% 50% 60% Ponemon Institute Research Report Page 5

7 The cost of not detecting and containing web-borne malware Web-borne malware is a multi-million dollar problem. Organizations in this study experienced an average of 51 security breaches because of a failure in their malware detection technology as shown in Figure 6. The findings reveal the average cost to respond to and remediate just one security breach because of a failure in malware detection technology is approximately $62,000. This means organizations could have spent $3.2 million on dealing with a security breach caused by web-borne malware. Figure 6. In the past 12 months, how many security breaches did your organization experience due to a failure in malware detection technology? Extrapolated value = 51 25% 23% 20% 15% 10% 15% 12% 10% 16% 9% 11% 5% 4% 0% None Less than 5 5 to to to to to to 500 Ponemon Institute Research Report Page 6

8 Respondents are aware that attacks involving the web browser can have a severe impact on their organization s security posture. Applications are considered the attack vector that has the greatest impact on the security posture, however web browsers are a close second (tied with mobile devices & platforms), as shown in Figure 7. In terms of budget, mobile devices & platforms are receiving the most funding, followed by applications and then the web browser. Figure 7. Seven attack vectors that can affect security posture and the budget allocated to each vector Sum of risk allocation = 100 points Applications Mobile devices & platforms Web browser Malicious insiders Operating systems Servers & routers Storage & backup Allocated security risk Allocated security budget What would organizations pay to stop malware? According to Figure 8, organizations would allocate an average of 33 percent of their total security budget to stop web-borne attacks by 50 percent. To stop all attacks (100 percent), they would allocate an average of 50 percent of the budget. The average annual IT security budget is approximately $7.8 million and 39 percent of the budget is spent on defense-and-depth security tools such as web gateways, IPS, and antivirus. Figure 8. What organizations would pay to stop malware? 80% 70% 60% 50% 40% 30% 20% 10% 0% 2% 8% 0% 0% 18% 15% 15% 3% 3% 5% 29% 21% 1 to 5% 6 to 10% 11 to 20% 21 to 30% 31 to 40% 41 to 50% More than 50% 13% 68% Stop web-borne malware infections by 50 percent Stop web-borne malware infections by 100 percent Ponemon Institute Research Report Page 7

9 Dependency on traditional detection methods deters organizations from adopting new solutions. According to Figure 9, 65 percent of respondents say overcoming psychological dependency upon traditional detection methods would be a main barrier to adopting a browser isolation technique that rendered traditional web-borne malware detection and containment methods obsolete and unnecessary. This is followed by concerns over diminished user productivity (50 percent), system performance issues (44 percent) or complexity and difficulty to operate (41 percent). Figure 9. Barriers to adopting a browser isolation technique that makes traditional webborne malware detection and containment methods obsolete and unnecessary More than one response permitted Overcoming psychological dependency upon traditional detection methods 65% Diminished user productivity 50% System performance issues Too complex and/or difficult to operate 41% 44% Too costly 33% Insufficient scalability 16% Other 2% 0% 10% 20% 30% 40% 50% 60% 70% Ponemon Institute Research Report Page 8

10 Part 3. Methods A sampling frame composed of 18,330 IT and IT security practitioners located in the United States and familiar and involved in their company s efforts to detect and contain malware were selected for participation in this survey. As shown in the Table 1, 701 respondents completed the survey. Screening removed 56 surveys. The final sample was 645 surveys (or a 3.5 percent response rate). Table 1. Sample response Freq Total sampling frame 18, % Total returns % Rejected and screened surveys % Final sample % Pie chart 1 reports the current position or organizational level of respondents. By design, 55 percent of respondents reported their current position is at or above the supervisory level. Pie Chart 1. Current position or organizational level 5% 2% 2% 1% 16% 38% 20% Senior Executive Vice President Director Manager Supervisor Technician Staff Contractor 16% According to Pie Chart 2, more than half of the respondents (56 percent) report to the chief information officer. Another 21 percent responded they report to the chief information security officer. Pie Chart 2. Primary Person respondent or IT security leader reports to 8% 3% 2% 1% Chief Information Officer (CIO) 9% Chief Information Security Officer (CISO) Chief Risk Officer (CRO) 56% Compliance Officer Chief Security Officer (CSO) 21% Chief Financial Officer (CFO) General Counsel Ponemon Institute Research Report Page 9

11 Pie Chart 3 reports that 30 percent of respondents described their current role in IT security is security operations, 18 percent indicated security architecture and another 15 percent identified forensics as their current role. Pie Chart 3. Current role in IT security 5% 4% 9% 11% 8% 15% 18% 30% Security operations Security architecture Forensics Audit & compliance Network engineering Senior leadership (CISO) Security analytics Other Pie Chart 4 reports the primary industry classification of respondents organizations. This chart identifies financial services (18 percent) as the largest segment, followed by public sector (11 percent) and health and pharmaceuticals (10 percent). Pie Chart 4. Primary industry concentration 6% 7% 7% 2% 2% 2% 4% 3% 3% 8% 8% 9% 18% 10% 11% Financial services Public sector Health & pharmaceutical Retail Industrial Services Consumer products Technology & Software Energy & utilities Communications Education & research Entertainment & media Hospitality Transportation Other Ponemon Institute Research Report Page 10

12 According to Pie Chart 5, 46 percent of the respondents are from organizations with a global headcount of over 1,000 employees. Pie Chart 5. Worldwide headcount of the organization Extrapolated value = 14,410 11% 7% 23% Less than 500 people 500 to 1,000 people 16% 1,001 to 5,000 people 5,001 to 25,000 people 21% 25,001 to 75,000 people More than 75,000 people 22% Part 4. Caveats There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys. Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals located in the United States, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate response. Ponemon Institute Research Report Page 11

13 Appendix: Detailed Survey Results The following tables provide the percentage frequency of responses to all survey questions on a consolidated (global) basis across four regional clusters. All survey responses were captured in December Survey response Freq Total sampling frame % Total returns % Rejected or screened surveys % Final sample % Part 1. Screening questions S1. What best describes your level of involvement with the detection and containment of your organization s malware? Significant involvement 46% Some involvement 54% Nominal or no involvement (stop) 0% S2. Are you responsible for selecting, purchasing and/or using tools designed to stop browser-borne malware? Yes, full responsibility 34% Yes, some responsibility 66% No, not responsible (stop) 0% S3. Has your organization built a multilayer defense-in-depth architecture (i.e., secure web gateway, intrusion prevention, anti-virus, etc.)? Yes 100% No (stop) 0% Part 2. Attributions Q1. The insecure web browser is a primary attack vector. Strongly agree 40% Agree 41% Unsure 16% Disagree 3% Strongly disagree 0% Q2. Browser-borne malware is a more significant threat today than 12 months ago. Strongly agree 33% Agree 36% Unsure 21% Disagree 8% Strongly disagree 2% Ponemon Institute Research Report Page 12

14 Q3. Traditional detection-based technologies are becoming ineffective in stopping these attacks. Strongly agree 35% Agree 39% Unsure 19% Disagree 6% Strongly disagree 1% Q4. Web-borne malware is more serious than other types of malware infections Strongly agree 27% Agree 36% Unsure 15% Disagree 17% Strongly disagree 5% Q5. Commercial browsers such as Chrome, Explorer, Firefox, Safari, and others contain effective security tools for blocking web-borne malware. Strongly agree 13% Agree 18% Unsure 17% Disagree 39% Strongly disagree 13% Q6. Even with my organization s security tools, web-borne malware can be completely undetectable. Strongly agree 39% Agree 42% Unsure 10% Disagree 6% Strongly disagree 3% Part 3. General questions Q7. How likely is it that your organization is or has been infected by webborne malware without being detected? Certain 53% Very likely 24% Likely 12% Not likely 9% No chance 2% Q8a. Please rate your organization s ability to detect and contain webborne malware? Please use the following 10-point scale. 1 or 2 (weak) 17% 3 or 4 35% 5 or 6 15% 7 or 8 18% 9 or 10 (strong) 9% Total 94% Extrapolated value 4.5 Ponemon Institute Research Report Page 13

15 Q8b. If your rating is below 5, what are the main reasons why your organization is not fully capable of detecting and containing web-borne malware? Lack of resources or budget 51% Lack of enabling technologies 33% Do not have ample expert personnel 35% Not considered a security-related priority 49% Other (please specify) 5% Total 173% Q9. Over the past 12 months, what percent of your organization s total malware infections did a user s insecure web browser cause? Less than 10% 5% 10 to 25% 12% 26 to 50% 15% 51 to 75% 18% 76 to 100% 26% Don t know 24% Extrapolated value 55% Q10. Over the past 12 months, what percent of your organization s IT security funding was spent on the detection and containment of all malware? Less than 10% 21% 10 to 25% 23% 26 to 50% 20% 51 to 75% 7% 76 to 100% 5% Don't know 24% Extrapolated value 29% Q11. The following table contains 7 common attack vectors that can severely impact your organization s security posture. Please allocate the security risk inherent in each one of the 7 attack vectors as experienced Points by your organization. Note that the sum of your risk allocation must equal 100 points. Web browser 21 Operating systems 8 Applications 28 Servers & routers 6 Storage & backup 4 Malicious insiders 12 Mobile devices & platforms 21 Total points 100 Ponemon Institute Research Report Page 14

16 Q12. Please allocate the security budget or spending level for each one of the 7 attack vectors as experienced by your organization. Note that Points the sum of your allocation must equal 100 points. Web browser 17 Operating systems 12 Applications 18 Servers & routers 10 Storage & backup 8 Malicious insiders 15 Mobile devices & platforms 20 Total points 100 Q13. Has web-borne malware been able to bypass your organization s anti-virus (AV) solutions? Yes, frequently 13% Yes, not frequently 33% Yes, rarely 28% No 21% Unsure 5% Q14. Has web-borne malware been able to bypass your organization s intrusion detection systems (IDS)? Yes, frequently 11% Yes, not frequently 30% Yes, rarely 31% No 23% Unsure 5% Q15. Has web-borne malware been able to bypass your organization s layered firewall defenses? Yes, frequently 20% Yes, not frequently 30% Yes, rarely 19% No 27% Unsure 4% Q16. Has web-borne malware been able to bypass your organization s sandbox/content analysis engine? Yes, frequently 9% Yes, not frequently 29% Yes, rarely 18% No 29% Unsure 15% Ponemon Institute Research Report Page 15

17 Q17. What dollar range best describes your organization s annual IT security budget? Less than $100,000 2% $100,000 to $500,000 5% $500,001 to $1,000,000 10% $1,000,001 to 2,500,000 19% $2,500,001 to $5,000,000 24% $5,000,001 to $10,000,000 19% $10,001,000 to $25,000,000 15% $25,000,001 to $50,000,000 5% Greater than $50,000,000 1% Extrapolated value 7,799,300 Q18. What percentage of your organization s annual IT security budget is dedicated to defense-and-depth security tools (such as web gateways, IPS, AV, etc.)? Less than 1% 0% 1 to 5% 0% 6 to 10% 4% 11 to 20% 5% 21 to 30% 8% 31 to 40% 33% 41 to 50% 35% More than 50% 15% Extrapolated value 39% Q19. What percentage of your organization s annual IT security budget is dedicated to incident response security tools (i.e., tools that identify and resolve security breaches)? Less than 1% 0% 1 to 5% 0% 6 to 10% 25% 11 to 20% 31% 21 to 30% 32% 31 to 40% 8% 41 to 50% 4% More than 50% 0% Extrapolated value 19% Part 4. Concept questions Q20. As a percentage of your organization s total security budget, how much would your company pay to stop web-borne malware infections by 50 percent? Less than 1% 0% 1 to 5% 2% 6 to 10% 8% 11 to 20% 18% 21 to 30% 15% 31 to 40% 15% 41 to 50% 29% More than 50% 13% Extrapolated value 33% Ponemon Institute Research Report Page 16

18 Q21. As a percentage of your organization s total security budget, how much would your company pay to stop web-borne malware infections by 100 percent? Less than 1% 0% 1 to 5% 0% 6 to 10% 0% 11 to 20% 3% 21 to 30% 3% 31 to 40% 5% 41 to 50% 21% More than 50% 68% Extrapolated value 50% Q22. Are you aware of any security product that ensures browser-borne malware is no longer able to penetrate your network, breach desktop browsers or gain access to sensitive internal resources? Yes 21% No, but I m interested in learning more about this solution 56% No 23% Q23. Are you aware of any security product that ensures malware associated with original web content stays isolated outside the network, without affecting users normal browsing experiences including access to audio, video, text, and graphics? Yes 20% No, but I m interested in learning more about this solution 55% No 25% Q24. If yes to Q18 and/or Q19, please provide the name(s) of the vendor(s) that provides this solution. [Contextual response requested] Q25. Assuming your organization was able to validate a browser isolation technique that rendered traditional Web-borne malware detection and containment methods obsolete and unnecessary. What would be the main barriers to product adoption? Please select all that apply. Too costly 33% Too complex and/or difficult to operate 41% Overcoming psychological dependency upon traditional detection methods 65% Insufficient scalability 16% Diminished user productivity 50% System performance issues 44% Other (please specify) 2% Total 251% Ponemon Institute Research Report Page 17

19 Q26. In your organization, who influences and/or decides what security technology to purchase? Top three choices CIO/CTO 71% CISO 70% COO CFO 30% Security architect 45% Security engineer 25% IT manager/director 26% Service provider /outside consultant 33% Total 300% Q27. Over the past 12 months, how many security breaches did your organization experience because of a failure in malware detection technology? Your best estimate is much appreciated. None 15% Less than 5 23% 5 to 10 12% 11 to 25 10% 26 to 50 16% 51 to 100 9% 101 to % 251 to 500 4% More than 500 0% Extrapolated value 50.6 Q28. What is the cost to respond to and remediate just one security breach because of a failure in malware detection technology? Please note that your cost estimate should consider direct cash outlays, direct labor expenditures, indirect labor costs and overhead costs. Less than $100 1% $100 to $500 5% $501 to $1,000 8% $1,001 to $2,500 12% $2,501 to $5,000 18% $5,001 to $10,000 20% $10,001 to $25,000 12% $25,001 to $50,000 7% $50,001 to $100,000 8% $100,001 to $500,000 5% $500,001 to 1,000,000 3% Greater than $1,000,000 1% Extrapolated value 61,686 Ponemon Institute Research Report Page 18

20 Part 5. Your role and organization D1. What organizational level best describes your current position? Senior Executive 2% Vice President 1% Director 16% Manager 20% Supervisor 16% Technician 38% Staff 5% Contractor 2% Other (please specify) 0% D2. Check the Primary Person you or your IT security leader reports to within the organization. CEO/Executive Committee 0% Chief Financial Officer (CFO) 2% General Counsel 1% Chief Information Officer (CIO) 56% Chief Information Security Officer (CISO) 21% Compliance Officer 8% Human Resources VP 0% Chief Security Officer (CSO) 3% Chief Risk Officer (CRO) 9% Other (please specify 0% D3. What best describes your role in IT security? Senior leadership (CISO) 8% Security architecture 18% Forensics 15% Audit & compliance 11% Network engineering 9% Security operations 30% Security analytics 5% Other (please specify) 4% Ponemon Institute Research Report Page 19

21 D4. What industry best describes your organization s primary industry concentration? Agriculture & food services 1% Communications 3% Consumer products 7% Defense & aerospace 1% Education & research 3% Energy & utilities 6% Entertainment & media 2% Financial services 18% Health & pharmaceutical 10% Hospitality 2% Industrial 8% Public sector 11% Retail 9% Services 8% Technology & Software 7% Transportation 2% Other (please specify) 2% D5. What is the worldwide headcount of your organization? Less than 500 people 23% 500 to 1,000 people 21% 1,001 to 5,000 people 22% 5,001 to 25,000 people 16% 25,001 to 75,000 people 11% More than 75,000 people 7% Extrapolated value 14,410 For more information about this study, please contact Ponemon Institute by sending an to research@ponemon.org or calling our toll free line at Ponemon Institute Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. Ponemon Institute Research Report Page 20