Advanced Threats in Retail Companies: A Study of North America & EMEA


Advanced Threats in Retail Companies: A Study of North America & EMEA
Sponsored by Arbor Networks
Independently conducted by Ponemon Institute LLC
Publication Date: May 2015
Ponemon Institute Research Report

Part 1. Introduction

Advanced Threats in Retail Companies: A Study of North America & EMEA [1]
Ponemon Institute, May 2015

Ponemon Institute is pleased to present the results of Advanced Threats in Retail Companies: A Study of North America & EMEA, sponsored by Arbor Networks. In the wake of mega breaches experienced by retail companies, has the industry improved its ability to prevent or stop advanced threats (ATs)? Are they able to evaluate and measure the effectiveness of their incident response? Are they making the appropriate investments in technologies and expertise to avoid an AT or DDoS attack?

In this research, we define ATs as a type of cyber attack designed to evade an organization's present technical and process countermeasures. For example, ATs are those that are specifically designed to bypass firewalls, intrusion detection systems and anti-malware programs.

We surveyed 675 IT and IT security practitioners in North America and in 14 countries in Europe, Middle East & Africa (EMEA). To ensure a knowledgeable and quality response, only IT practitioners who are familiar with their companies' defense against cybersecurity attacks and have responsibility in directing cybersecurity activities within their company were selected to participate in this study.

As shown in Figure 1, respondents worry much more about ATs than DDoS attacks. Respondents also say ATs occur more frequently than DDoS attacks and that it is much more difficult to detect and contain ATs than DDoS attacks, as discussed in this report.

Following are key findings that reveal why retail companies are vulnerable to ATs:

- Rely on gut feel to determine if the company had a targeted AT.
- Only about one-third of companies represented in this study use incident response to contain the impact of ATs and DDoS attacks.
- Time to detect an attack is too long. It takes on average approximately 197 days to detect an AT. Only 29 percent expect this to improve over the next 12 months.
- More investment is needed in security operations staff and forensic tools to be able to investigate security incidents in a timely and effective manner.
- Those companies using the cyber kill chain approach to dealing with ATs are not allocating enough resources to those phases, such as reconnaissance, where it is most difficult to stop ATs.

[1] North America includes Canada and the United States. EMEA countries include Denmark, France, Germany, Italy, Netherlands, Poland, Saudi Arabia, South Africa, Spain, Sweden, Switzerland, Turkey, United Arab Emirates and United Kingdom.

Part 2. Key findings

The topics covered in this research include:

- Advanced threats and denial of service attacks in retail companies
- How companies deal with cyber attack incidents
- The Cyber Kill Chain and dealing with advanced threats
- Budget for advanced threats
- Industry differences: retail companies vs. financial services

Advanced threats and denial of service attacks in retail companies

Companies have an average of almost one serious cyber attack per month. In the context of this research, cyber attacks refer to all computer-based assaults on an organization's IT infrastructure, applications, databases and source data. Cyber attacks typically involve malicious software or code that seeks to infiltrate networks or infect endpoint devices. Attack methods may also involve malicious or criminal insiders.

Based on the definition above, respondents believe their organization experienced almost eight cyber attacks in the past 12 months. Seventy-four percent of respondents say they were considered an AT and 50 percent of respondents say it was a denial of service (DDoS) attack.

As shown in Figure 2, although most respondents believe one or more of the attacks could have been an AT, it is mostly gut feel (38 percent of respondents) they rely upon. Forensic evidence (23 percent of respondents) and known signature of the attacker (21 percent of respondents) are also used to determine if it was an AT. In the case of DDoS, 31 percent of respondents say it was from forensic evidence informed by degradation of application or system performance, followed by shared threat intelligence by customer or partner due to a lack of available internal resources (28 percent).

Figure 2. How did you know the attack was an AT or DDoS?
Gut feel: AT 38%, DDoS 24%
Forensic evidence informed by degradation of application or system performance: AT 23%, DDoS 31%
Known signature of the attacker: AT 21%, DDoS 17%
Shared threat intelligence by customer or partner due to lack of available internal resources: AT 16%, DDoS 28%
Other: AT 2%, DDoS 1%

Companies have difficulty detecting and containing ATs and DDoS attacks. According to Figure 3, respondents agree they are more likely to have security technologies and personnel that are effective in quickly detecting advanced threats than DDoS attacks (44 percent vs. 39 percent). However, they are equally poor at containing these cyber attacks (38 percent and 39 percent, respectively).

Figure 3. Perceptions about ATs and DDoS
Strongly agree and agree responses combined
Security technologies and personnel are effective in quickly detecting advance threats: 44%
Security technologies and personnel are effective in quickly detecting denial of service attacks: 39%
Security technologies and personnel are effective in containing denial of service attacks: 39%
Security technologies and personnel are effective in containing advance threats: 38%

To deal with both types of attacks, most companies installed controls to prevent infiltration. When asked what steps their companies took to minimize or contain the impact of the AT and DDoS attacks, the most common responses were installing controls to prevent infiltration (42 percent and 41 percent of respondents) and installing controls to quickly detect and block infiltration (37 percent and 38 percent of respondents, respectively), as shown in Figure 4.

Figure 4. Steps taken to minimize the impact of ATs and DDoS attacks
More than one response permitted
Installed controls to prevent infiltration: AT 42%, DDoS 41%
Installed controls to quickly detect and block infiltration: AT 37%, DDoS 38%
Implemented incident response procedures: AT 34%, DDoS 33%
Established threat sharing with other companies or government entities: AT 17%, DDoS 13%
Conducted specialized training for IT security team: AT 13%, DDoS 12%
Other: AT 1%, DDoS 0%

How companies deal with cyber attack incidents

How security incidents are investigated. In the context of this study, a security incident is an event that potentially results in adverse consequences to an organization's network or enterprise system. It also includes events that constitute violations of security policies, standardized procedures, or acceptable use policies by employees and other insiders.

On average, SecOps and/or CSIRT teams in the companies represented in this study investigate 81 security incidents each month. The average number of employees in a company responsible for participating in responses to cybersecurity incidents is 11.

According to Figure 5, the events most often considered a security incident are targeted attacks that result in the theft of customer data (99 percent of respondents), denial of service attacks (98 percent of respondents), targeted attacks that result in the theft of high-value intellectual properties (89 percent of respondents) and reported wrongdoing by employees (83 percent of respondents).

Figure 5. What is considered a security incident
Targeted attack that results in the theft of customer data: 99%
Denial of service attack: 98%
Targeted attack that results in the theft of high-value intellectual properties: 89%
Reported wrongdoing by employee: 83%
Lost or stolen device: 75%
Reported wrongdoing by third party: 69%
Other: 1%

The majority of organizations use Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) metrics to determine the effectiveness of their organization's incident response process. Fifty-three percent of respondents use MTTI to measure the time it takes to detect that an incident has occurred. As shown in Figure 6, the findings reveal that the average time it takes to respond to an AT attack is almost 200 days. In contrast, the average MTTI for denial of service is approximately 39 days.

Fifty-eight percent of respondents say they use the MTTC metric to understand how good they are at containing an attack. Again, it takes longer to deal with an advanced threat. The average MTTC for ATs is approximately 39 days. In contrast, the average MTTC for denial of service is approximately 18 days.

Figure 6. The average time to detect and resolve an AT and DDoS
Extrapolated value (days)
Series: MTTI for advanced threats; MTTI for denial of service; MTTC for advanced threats; MTTC for denial of service

Steps to improve the time to detect and contain an attack are similar. Thirty-two percent of respondents anticipate MTTC will improve in the next 12 months. To achieve this improvement, 57 percent are integrating threat intelligence into the incident response function and 49 percent of respondents are improving their triage process.

Only 29 percent of respondents anticipate that MTTI will improve in the next 12 months. To achieve this improvement, 60 percent of respondents are integrating threat intelligence into the incident response process and 50 percent are improving their triage process, as revealed in Figure 7.

Figure 7. Steps to improve MTTI & MTTC
More than one response permitted
Integrate threat intelligence into IR function: MTTI 60%, MTTC 57%
Improve triage process: MTTI 50%, MTTC 49%
Increase security operations staff: MTTI 41%, MTTC 41%
Implement new forensic security tools: MTTI 40%, MTTC 41%
Introduce hunting team to look for attacks: MTTI 33%, MTTC 35%
Other: MTTI 1%, MTTC 0%

Cyber Kill Chain and dealing with advanced threats

Cyber Kill Chain is a term familiar to a majority of respondents. Seventy-six percent of respondents understand the cyber kill chain, which refers to a life cycle approach that allows information security professionals to proactively remediate and mitigate advanced threats as part of the organization's intelligence-driven defense process. This process is organized into the following 7 phases:

1. Reconnaissance - Research, identification and selection of targets.
2. Weaponization - Coupling a remote access trojan with an exploit into a deliverable payload, typically by means of an automated tool (weaponizer).
3. Delivery - Transmission of the weapon to the targeted environment.
4. Exploitation - After the weapon is delivered to a victim's host, exploitation triggers the nefarious code.
5. Installation - Installation of a remote access trojan or backdoor on the victim's system allowing the adversary to maintain persistence inside the environment.
6. Command & control (C2) - Typically, compromised hosts must beacon outbound to an Internet controller server to establish a C2 channel. Once the C2 channel is established, intruders have hands-on-the-keyboard access inside the target environment.
7. Actions on objectives - After progressing through the first six phases, the intruders take actions to achieve their original objectives such as data exfiltration.

Reconnaissance is the most difficult phase in which to stop or minimize ATs. The majority of respondents believe it is impossible, very difficult or difficult to deal with ATs in every phase of the kill chain. However, reconnaissance, or the research, identification and selection of targets, is the most challenging according to 87 percent of respondents (Figure 8). Installation of a remote access trojan or backdoor on the victim system, allowing the adversary to maintain persistence inside the environment, is the next most difficult phase.

Figure 8. Ability to stop or minimize advance threats in each phase of the Cyber Kill Chain
Impossible, very difficult and difficult responses combined
Reconnaissance: 87%
Installation: 79%
Actions on Objectives: 77%
Exploitation: 71%
Weaponization: 69%
Delivery: 68%
Command & Control (C2): 67%

How much money is allocated for each phase of the Cyber Kill Chain? As shown in Figure 9, while the reconnaissance phase is the most difficult in dealing with ATs, it is also the phase that receives the least amount of resources (2 percent of the total security resources). Twenty percent of total IT security resources are applied to the exploitation phase, in which, after the weapon is delivered to a victim's host, exploitation triggers the nefarious code. Nineteen percent is allocated to actions on objectives.

Figure 9. Percentage of total IT security resources for each cyber kill chain phase
Extrapolated value
Exploitation: 20%
Actions on Objectives: 19%
Installation, Command & Control (C2), Weaponization, Delivery: 16%, 15%, 14%, 14%
Reconnaissance: 2%

How capable are companies in stopping or minimizing ATs in each phase of the Cyber Kill Chain? As described above, the most difficult or impossible phase in which to stop ATs is the reconnaissance phase. As a result, only six percent of respondents rate their ability to stop or minimize ATs as high (7+ on a scale of 1 = lowest ability and 10 = the highest ability), as shown in Figure 10. In contrast, 70 percent of respondents say their ability is highest in the exploitation phase, which receives the most resources. However, 62 percent rate their ability as very high in the delivery phase, which does not receive as much of the available resources.

Figure 10. Ability to stop or minimize advanced threats in each phase
On a scale of 1 = lowest ability to 10 = highest ability, percentage of respondents who rated their ability 7+
Exploitation: 70%
Delivery: 62%
Installation: 58%
Command & Control (C2): 58%
Actions on Objectives: 51%
Weaponization: 47%
Reconnaissance: 6%

The most promising technology to stop ATs is intelligence about network traffic, according to 64 percent of respondents. As shown in Figure 11, 55 percent of respondents say technologies that secure information assets and that isolate or sandbox malware infections are effective. Considered the least effective in the Cyber Kill Chain are the technologies that simplify the reporting of threats and those that minimize insider threats (including negligence).

Figure 11. The most promising technologies to stop or minimize ATs
Three responses permitted
Technologies that provide intelligence about networks and traffic: 64%
Technologies that isolate or sandbox malware infections: 55%
Technologies that secure information assets: 55%
Technologies that secure the perimeter; Technologies that provide intelligence about attackers' motivation and weak spots; Technologies that secure endpoints including mobile-connected devices: 26%, 42%, 40%
Technologies that simplify the reporting of threats: 13%
Technologies that minimize insider threats (including negligence): 5%

Budget for advanced threats defense

Personnel and technologies receive the most budget. Respondents were asked to allocate 100 points to indicate the relative proportion of each area to the 2015 IT security budget for their organization. Thirty-seven points were allocated to in-house personnel followed by 34 points for technologies. This is followed by managed (third party) services (24 points) followed by cash outlays (4 points).

Figure 12. Allocation of resources to defend against ATs
Extrapolated value in days
Categories: In-house personnel; Technologies; Managed (third party) services; Other cash outlays (4)

According to Table 1, the average total IT budget is approximately $81 million. Eight percent or approximately $6.5 million is allocated to IT security activities and investments. For those companies planning to use the cyber kill chain, approximately $1.4 million will be spent or 22 percent of the IT security budget.

Table 1. The average budget for IT, IT security and Cyber Kill Chain
Extrapolated value
2015 IT budget: $81,250,
IT security activities and investments (8 percent): $6,500,
Cyber Kill Chain Activities (22 percent of the IT security budget): $1,430,000

Industry differences: retail companies vs. financial services

This research was conducted in both the financial and retail industry sectors. In the retail sector, 675 IT and IT security practitioners participated. These findings are presented in a companion report, Advanced Threats in the Industry: A Study of North America & EMEA IT Security Practitioners. Industry differences emerged that reveal how much more effective financial services companies are in managing and reducing the impact of ATs and DDoS attacks.

Financial services are more confident in their ability to contain ATs and DDoS attacks. As shown in Figure 13, financial services are more confident than retail companies in containing both ATs and DDoS attacks. Retail is more confident in containing ATs than DDoS attacks.

Figure 13. Effectiveness in containing ATs and DDoS attacks
On a scale of 1 = lowest ability to 10 = highest ability, percentage of respondents who rated their ability 7+
Categories: Effectiveness in containing ATs; Effectiveness in containing DDoS attacks
Series: Retail, Financial services
Data labels: 63%, 64%, 44%, 31%

Financial services are more likely to measure the time it takes to detect and contain an AT. As shown in Figure 14, more financial services companies use time-dependent metrics. Forty percent of retail companies are not using these metrics to determine their effectiveness in responding to incidents. If they do use these measures, they are most likely to measure the time it takes to contain an attack.

Figure 14. Time-dependent metrics used to determine incident response effectiveness
MTTI: Retail 53%, Financial services 62%
MTTC: Retail 58%, Financial services 66%
Other: Retail 5%, Financial services 5%
We don't utilize time-dependent operational metrics: Retail 40%, Financial services 28%

Financial services are faster to detect and contain an incident. It takes almost twice as long for retail companies to detect if an incident has occurred (196.5 days for retail companies vs for financial services), according to Figure 15. Financial services companies in this study are also faster to contain both ATs and DDoS attacks.

Figure 15. Time it takes to detect and contain an AT
Extrapolated value (days)
Categories: Average MTTI experienced for advanced threats; Average MTTI experienced for denial of service; Average MTTC experienced for advanced threats; Average MTTC experienced for denial of service
Series: Retail, Financial services

Financial services are more optimistic they can reduce the time to detect and contain attacks. According to Figure 16, in the next 12 months respondents in financial services are far more optimistic that they will improve their ability to detect and contain incidents.

Figure 16. Will MTTI and MTTC improve in the next 12 months?
Yes response
Do you expect MTTI to decrease (improve) over the next 12 months? Retail 29%, Financial services 42%
Do you expect MTTC to decrease (improve) over the next 12 months? Retail 32%, Financial services 40%

Threat intelligence will be used to improve detection. To achieve a reduction in the time to detect an attack, both retail and financial services will integrate intelligence into the incident response time, as revealed in Figure 17. Financial services are more likely to hire security operations staff and introduce new forensic security tools.

Figure 17. Steps taken to reduce the time it takes to detect attacks
Categories: Integrate threat intelligence into IR function; Improve triage process; Increase security operations staff; Implement new forensic security tools; Introduce hunting team to look for attacks; Other
Series: Retail, Financial services
Data labels: 1%, 1%, 41%, 40%, 33%, 40%, 60%, 50%, 55%, 56%, 60%, 74%

Threat intelligence is the number one step to reduce the time to contain attacks. In general, financial services companies are more likely to take steps to reduce the time to contain attacks. According to Figure 18, 73 percent of respondents in financial services will integrate threat intelligence into the incident response function and 57 percent of respondents in retail companies say they will do so. Again, financial services are more likely to implement new forensic security tools and hire more staff.

Figure 18. Steps taken to reduce the time to contain attacks
Integrate threat intelligence into IR function: Retail 57%, Financial services 73%
Improve triage process: Retail 49%, Financial services 53%
Implement new forensic security tools: Retail 41%, Financial services 60%
Increase security operations staff: Retail 41%, Financial services 53%
Introduce hunting team to look for attacks: Retail 35%, Financial services 41%
Other: Retail 0%, Financial services 2%

Part 3. Methods

The sampling frame is composed of 17,000 IT and IT security practitioners in North America and in 14 countries in EMEA who are familiar with their companies' defense against cybersecurity attacks and have responsibility in directing cybersecurity activities within their company. As shown in Table 2, 749 respondents completed the survey. Screening removed 74 surveys. The final sample was 675 surveys (or a 4.0 percent response rate).

Table 2. Sample response
Columns: Freq, Pct%
Rows: Total sampling frame; Total returns; Rejected or screened surveys; Final sample

Pie Chart 1 reports the current position or organizational level of the respondents. More than half of respondents (54 percent) reported their current position as supervisory or above.

Pie Chart 1. Current position or organizational level
Categories: Executive/VP; Director; Manager; Supervisor; Technician; Associate/staff; Other
Data labels: 3%, 3%, 7%, 16%, 36%, 19%, 16%

Pie Chart 2 identifies the primary person the respondent or their supervisor reports to. Sixty percent of respondents report to the chief information officer and 16 percent report to the chief information security officer.

Pie Chart 2. The primary person you or your supervisor reports to
Chief Information Officer: 60%
Chief Information Security Officer: 16%
Chief Technology Officer; Compliance Officer; Chief Risk Officer; Business owner; Other: 8%, 4%, 2%, 2%, 8%

Pie Chart 3 reports the primary retail industry focus of respondents' organizations. This chart identifies conventional retailer (37 percent) as the largest segment, followed by internet retailer (34 percent) and a combination (19 percent).

Pie Chart 3. Primary retail industry focus
Conventional retailer: 37%
Internet retailer: 34%
Combination: 19%
Remaining labels: tech; Franchises; Other: 6%, 3%, 1%

According to Pie Chart 4, the majority of respondents (89 percent) are from organizations with a global headcount of 1,000 or more employees.

Pie Chart 4. Worldwide headcount of the organization
Categories: < to 1,000; 1,001 to 5,000; 5,001 to 25,000; 25,001 to 75,000; > 75,000
Data labels: 20%, 5%, 6%, 13%, 20%, 37%

Part 4. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners located in various organizations in North America and EMEA. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a specified time period.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.

Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in February

Survey response
Sampling frame 17,000
Total returns 749
Rejected or screened surveys 74
Final sample: Overall (n = 1519) North America (n = 808) and EMEA (n = 711) 675
Response rate 4.0%

Screening Questions

S1. How familiar are you with your organization's defense against cyber security attacks?
Very familiar 39%; Familiar 28%; Somewhat familiar 33%; No knowledge (Stop) 0%

S2. Do you have any responsibility in directing cyber security activities within your organization?
Yes, full responsibility 27%; Yes, some responsibility 57%; Yes, minimum responsibility 16%; No responsibility (Stop) 0%

Part 1. Attributions: Please rate the following statements using the five-point scale provided below each item.

Q1a. My organization has security technologies and personnel that are effective in quickly detecting advance threats.
Strongly agree 16%; Agree 28%; Unsure 26%; Disagree 21%; Strongly disagree 10%

Q1b. My organization has security technologies and personnel that are effective in quickly detecting denial of service attacks.
Strongly agree 14%; Agree 25%; Unsure 30%; Disagree 22%; Strongly disagree 9%

Q1c. My organization has security technologies and personnel that are effective in containing advance threats.
Strongly agree 13%; Agree 25%; Unsure 32%; Disagree 21%; Strongly disagree 9%

Q1d. My organization has security technologies and personnel that are effective in containing denial of service attacks.
Strongly agree 15%; Agree 24%; Unsure 31%; Disagree 19%; Strongly disagree 11%

Q1e. The greatest threats to my organization are targeted advanced attacks.
Strongly agree 27%; Agree 35%; Unsure 26%; Disagree 6%; Strongly disagree 7%

Q1f. The greatest threats to my organization are denial of service attacks.
Strongly agree 25%; Agree 28%; Unsure 31%; Disagree 10%; Strongly disagree 6%

Part 2. Incident Experience

Q2. How many cyber attacks (see definition) has your organization experienced over the past 12 months?
None (skip to Q11) 6%; 1 to 2 6%; 3 to 4 12%; 5 to 6 22%; 7 to 8 16%; 9 to 10 19%; More than 10 20%; Extrapolated value 7.73

Q3. Do you consider any of the above attacks an advanced threat (AT)?
Yes 74%; No (skip to Q7) 26%

Q4. How did you know that the attack was an AT?
Forensic evidence 23%; Shared threat intelligence 16%; Known signature of the attacker 21%; Gut feel 38%; Other (please specify) 2%

Q5. What steps did your organization take to minimize or contain the impact of the AT?
Implemented incident response procedures 34%; Conducted specialized training for IT security team 13%; Installed controls to prevent infiltration 42%; Installed controls to quickly detect and block infiltration 37%; Established threat sharing with other companies or government entities 17%; Other (please specify) 1%; Total 143%

Q6. Using the following 10-point scale from 1 = low to 10 = high, please rate your organization's effectiveness in containing ATs?
1 or 2 11%; 3 or 4 12%; 5 or 6 33%; 7 or 8 33%; 9 or 10 11%; Extrapolated value 5.94

Q7. Do you consider any of the cyber attacks (indicated in Q2) a denial of service (DDoS)?
Yes 50%; No (skip to Q11) 50%

Q8. How did you know that the attack was a DDoS?
Forensic evidence informed by degradation of application or system performance 31%; Shared threat intelligence by customer or partner due to lack of available internal resources 28%; Known signature of the attacker 17%; Gut feel 24%; Other (please specify) 1%

Q9. What steps did your organization take to minimize or contain the impact of the DDoS attack?
Implemented incident response procedures 33%; Conducted specialized training for IT security team 12%; Installed controls to prevent infiltration 41%; Installed controls to quickly detect and block infiltration 38%; Established threat sharing with other companies or government entities 13%; Other (please specify) 0%; Total 138%

Q10. Using the following 10-point scale from 1 = low to 10 = high, please rate your organization's effectiveness in containing DDoS attacks?
1 or 2 13%; 3 or 4 21%; 5 or 6 35%; 7 or 8 13%; 9 or 10 18%; Extrapolated value 5.52

Q11. What is the full-time equivalent headcount of employees in your organization who are responsible for cyber security incident investigation, analysis and management?
Less than 5 25%; 5 to 10 30%; 11 to 15 21%; 16 to 20 16%; 21 to 25 7%; 26 to 30 0%; More than 30 0%; Extrapolated value

Q12. From the list below, please select all the events or issues that your organization would consider a security incident?
Lost or stolen device 75%; Reported wrongdoing by employee 83%; Reported wrongdoing by third party 69%; Targeted attack that results in the theft of customer data 99%; Targeted attack that results in the theft of high-value intellectual properties 89%; Denial of service attack 98%; Other (please specify) 1%; None of the above 0%; Total 514%

Q13. Approximately, how many security incidents are investigated by your organization's SecOps and/or CSIRT team each month?
Less than 10 5%; 10 to 25 18%; 26 to 50 33%; 51 to %; 101 to %; 251 to 500 5%; More than 500 1%; Extrapolated value

Q14. What organizational group or team is responsible for incident investigation, analysis and management?
Security operations team (SecOps) 48%; Cyber security incident response team (CSIRT) 37%; Both (shared responsibility) 11%; Other (please specify) 4%

Q15. What time-dependent metrics does your organization use to determine the effectiveness of your organization's incident response process?
MTTI 53%; MTTC 58%; Other (please specify) 5%; We don't utilize time-dependent operational metrics (skip to Q20) 40%

Q16. Approximately, what is an average MTTI experienced by your organization in recent incidents? Your best guess is welcome.

Q16a. For advanced threats:
Less than 30 minutes 0%; 31 to 60 minutes 0%; 1 to 4 hours 0%; 5 to 8 hours 1%; 1 to 2 days 2%; 3 to 7 days 5%; 1 to 4 weeks 15%; 1 to 3 months 19%; 4 to 6 months 19%; 7 to 12 months 19%; 1 to 2 years 14%; More than two years 6%; Extrapolated days

Q16b. For denial of services:
Less than 30 minutes 3%; 31 to 60 minutes 6%; 1 to 4 hours 5%; 5 to 8 hours 16%; 1 to 2 days 16%; 3 to 7 days 17%; 1 to 4 weeks 15%; 1 to 3 months 9%; 4 to 6 months 8%; 7 to 12 months 5%; 1 to 2 years 1%; More than two years 0%; Extrapolated days

Q17a. Do you expect MTTI to decrease (improve) over the next 12 months?
Yes 29%; No 71%

Q17b. If yes, in percentage terms, how much of a decrease in MTTI do you anticipate?
Less than 5% 7%; 5% to 10% 33%; 11% to 25% 35%; 26% to 50% 17%; 51% to 75% 7%; 76% to 100% 0%; Extrapolated value 20%

Q17c. If yes, what steps is your organization taking to reduce MTTI?
Increase security operations staff 41%; Improve triage process 50%; Introduce hunting team to look for attacks 33%; Integrate threat intelligence into IR function 60%; Implement new forensic security tools 40%; Other (please specify) 1%; Total 224%

Q18. Approximately, what is an average MTTC experienced by your organization in recent incidents? Your best guess is welcome.

Q18a. For advanced threats:
Less than 30 minutes: 2%
31 to 60 minutes: 5%
1 to 4 hours: 5%
5 to 8 hours: 11%
1 to 2 days: 17%
3 to 7 days: 14%
1 to 4 weeks: 20%
1 to 3 months: 14%
4 to 6 months: 10%
7 to 12 months: 3%
1 to 2 years: 0%
More than two years: 0%
Extrapolated value

Q18b. For denial of services:
Less than 30 minutes: 5%
31 to 60 minutes: 8%
1 to 4 hours: 9%
5 to 8 hours: 24%
1 to 2 days: 20%
3 to 7 days: 11%
1 to 4 weeks: 8%
1 to 3 months: 8%
4 to 6 months: 6%
7 to 12 months: 0%
1 to 2 years: 0%
More than two years: 0%
Extrapolated value

Q19a. Do you expect MTTC to decrease (improve) over the next 12 months?
Yes: 32%
No: 68%

Q19b. If yes, in percentage terms, how much of a decrease in MTTC do you anticipate?
Less than 5%: 23%
5% to 10%: 41%
11% to 25%: 25%
26% to 50%: 9%
51% to 75%: 2%
76% to 100%: 0%
Extrapolated value: 13%

Q19c. If yes, what steps is your organization taking to reduce MTTC?
Increase security operations staff: 41%
Improve triage process: 49%
Introduce hunting team to look for attacks: 35%
Integrate threat intelligence into IR function: 57%
Implement new forensic security tools: 41%
Other (please specify): 0%
Total: 222%

Part 3. Cyber Kill Chain

Q20. How familiar are you with the term Cyber Kill Chain?
Very familiar: 31%
Familiar: 29%
Not familiar: 16%
No knowledge (skip to Q29): 24%

Q21a. In your opinion, how difficult is it to stop or minimize advanced threats during the Reconnaissance phase of the kill chain?
Impossible: 31%
Very difficult: 29%
Difficult: 27%
Not difficult: 11%
Easy: 2%

Q21b. Approximately, what percent of your organization's total security resources will go to stopping or minimizing advanced threats during the Reconnaissance phase of the cyber kill chain?
0%: 64%
1% to 5%: 19%
6% to 10%: 13%
11% to 20%: 3%
21% to 30%: 1%
31% to 50%: 0%
51% to 75%: 0%
76% to 100%: 0%
Extrapolated value: 2%

Q21c. Using the 10-point scale, please rate your organization's ability to stop or minimize advanced threats during the Reconnaissance phase of the kill chain.
1 or 2 (low): 62%
3 or 4: 21%
5 or 6: 10%
7 or 8: 4%
9 or 10 (high): 2%
Extrapolated value: 2.76

Q22a. In your opinion, how difficult is it to stop or minimize advanced threats during the Weaponization phase of the kill chain?
Impossible: 12%
Very difficult: 32%
Difficult: 25%
Not difficult: 28%
Easy: 4%

Q22b. Approximately, what percent of your organization's total security resources will go to stopping or minimizing advanced threats during the Weaponization phase of the cyber kill chain?
0%: 4%
1% to 5%: 16%
6% to 10%: 26%
11% to 20%: 33%
21% to 30%: 14%
31% to 50%: 5%
51% to 75%: 1%
76% to 100%: 0%
Extrapolated value: 14%

Q22c. Using the 10-point scale, please rate your organization's ability to stop or minimize advanced threats during the Weaponization phase of the kill chain.
1 or 2 (low): 13%
3 or 4: 10%
5 or 6: 29%
7 or 8: 35%
9 or 10 (high): 12%
Extrapolated value: 6.00

Q23a. In your opinion, how difficult is it to stop or minimize advanced threats during the Delivery phase of the kill chain?
Impossible: 5%
Very difficult: 26%
Difficult: 37%
Not difficult: 30%
Easy: 3%

Q23b. Approximately, what percent of your organization's total security resources will go to stopping or minimizing advanced threats during the Delivery phase of the cyber kill chain?
0%: 4%
2% to 5%: 16%
6% to 10%: 26%
11% to 20%: 33%
21% to 30%: 12%
31% to 50%: 5%
51% to 75%: 1%
76% to 100%: 0%
Total: 98%
Extrapolated value: 14%

Q23c. Using the 10-point scale, please rate your organization's ability to stop or minimize advanced threats during the Delivery phase of the kill chain.
1 or 2 (low): 6%
3 or 4: 8%
5 or 6: 24%
7 or 8: 35%
9 or 10 (high): 27%
Extrapolated value: 6.92

Q24a. In your opinion, how difficult is it to stop or minimize advanced threats during the Exploitation phase of the kill chain?
Impossible: 8%
Very difficult: 30%
Difficult: 33%
Not difficult: 29%
Easy: 0%

Q24b. Approximately, what percent of your organization's total security resources will go to stopping or minimizing advanced threats during the Exploitation phase of the cyber kill chain?
0%: 0%
1% to 5%: 7%
6% to 10%: 12%
11% to 20%: 34%
21% to 30%: 33%
31% to 50%: 12%
51% to 75%: 1%
76% to 100%: 0%
Extrapolated value: 20%

Q24c. Using the 10-point scale, please rate your organization's ability to stop or minimize advanced threats during the Exploitation phase of the kill chain.
1 or 2 (low): 1%
3 or 4: 6%
5 or 6: 22%
7 or 8: 34%
9 or 10 (high): 36%
Extrapolated value: 7.44

Q25a. In your opinion, how difficult is it to stop or minimize advanced threats during the Installation phase of the kill chain?
Impossible: 10%
Very difficult: 34%
Difficult: 35%
Not difficult: 18%
Easy: 2%

Q25b. Approximately, what percent of your organization's total security resources will go to stopping or minimizing advanced threats during the Installation phase of the cyber kill chain?
0%: 5%
1% to 5%: 23%
6% to 10%: 15%
11% to 20%: 24%
21% to 30%: 22%
31% to 50%: 11%
51% to 75%: 1%
76% to 100%: 0%
Extrapolated value: 16%

Q25c. Using the 10-point scale, please rate your organization's ability to stop or minimize advanced threats during the Installation phase of the kill chain.
1 or 2 (low): 3%
3 or 4: 11%
5 or 6: 28%
7 or 8: 40%
9 or 10 (high): 18%
Extrapolated value: 6.68

Q26a. In your opinion, how difficult is it to stop or minimize advanced threats during the Command & Control (C2) phase of the kill chain?
Impossible: 1%
Very difficult: 25%
Difficult: 41%
Not difficult: 33%
Easy: 1%

Q26b. Approximately, what percent of your organization's total security resources will go to stopping or minimizing advanced threats during the Command & Control (C2) phase of the cyber kill chain?
0%: 0%
1% to 5%: 18%
6% to 10%: 34%
11% to 20%: 21%
21% to 30%: 17%
31% to 50%: 9%
51% to 75%: 1%
76% to 100%: 0%
Extrapolated value: 15%

Q26c. Using the 10-point scale, please rate your organization's ability to stop or minimize advanced threats during the Command & Control (C2) phase of the kill chain.
1 or 2 (low): 3%
3 or 4: 11%
5 or 6: 28%
7 or 8: 40%
9 or 10 (high): 18%
Extrapolated value: 6.68

Q27a. In your opinion, how difficult is it to stop or minimize advanced threats during the Actions on Objectives phase of the kill chain?
Impossible: 0%
Very difficult: 36%
Difficult: 41%
Not difficult: 22%
Easy: 1%

Q27b. Approximately, what percent of your organization's total security resources will go to stopping or minimizing advanced threats during the Actions on Objectives phase of the cyber kill chain?
0%: 0%
1% to 5%: 10%
6% to 10%: 18%
11% to 20%: 32%
21% to 30%: 27%
31% to 50%: 11%
51% to 75%: 1%
76% to 100%: 0%
Extrapolated value: 19%

Q27c. Using the 10-point scale, please rate your organization's ability to stop or minimize advanced threats during the Actions on Objectives phase of the kill chain.
1 or 2 (low): 6%
3 or 4: 12%
5 or 6: 31%
7 or 8: 38%
9 or 10 (high): 13%
Extrapolated value: 6.29

Q28. What are the most promising technologies for stopping or minimizing advanced threats during the seven phases of the kill chain? Please choose only your top three choices.
Technologies that secure the perimeter: 42%
Technologies that provide intelligence about networks and traffic: 64%
Technologies that provide intelligence about attackers' motivation and weak spots: 40%
Technologies that simplify the reporting of threats: 13%
Technologies that secure endpoints including mobile-connected devices: 26%
Technologies that minimize insider threats (including negligence): 5%
Technologies that secure information assets: 55%
Technologies that isolate or sandbox malware infections: 55%
Total: 300%

Part 4. Budget Questions

Q29. Approximately, what is the dollar range that best describes your organization's IT budget for 2015?
< $1 million: 0%
$1 to 5 million: 5%
$6 to $10 million: 14%
$11 to $50 million: 24%
$51 to $100 million: 34%
$101 to $250 million: 19%
$251 to $500 million: 3%
> $500 million: 1%
Extrapolated value ($millions)

Q30. Approximately, what percentage of the 2015 IT budget will go to IT security activities and investments?
0%: 0%
1% to 5%: 50%
6% to 10%: 20%
11% to 20%: 27%
21% to 30%: 3%
31% to 50%: 0%
51% to 75%: 0%
76% to 100%: 0%
Extrapolated value: 8%

Q31. Approximately, what percentage of the 2015 IT security budget will go to kill chain-related activities?
0%: 10%
1% to 5%: 7%
6% to 10%: 9%
11% to 20%: 27%
21% to 30%: 25%
31% to 50%: 14%
51% to 75%: 6%
76% to 100%: 1%
Extrapolated value: 22%

Q32. The following table contains 4 budget or spending areas. Please allocate points to indicate the relative proportion of each area to the 2015 IT security budget for your organization. Note that the sum of your allocation must equal 100 points.
Technologies: 34
In-house personnel: 37
Managed (third party) services: 24
Other cash outlays: 4
Total: 100

Part 5. Role & Organizational Characteristics

D1. What best describes your position or organizational level?
Executive/VP: 3%
Director: 16%
Manager: 19%
Supervisor: 16%
Technician: 36%
Associate/staff: 7%
Consultant/contractor: 2%
Other (please specify): 1%

D2. Check the primary person you or your supervisor reports to within your organization.
Business owner: 2%
CEO/President: 1%
Chief Financial Officer: 0%
Chief Information Officer: 60%
Compliance Officer: 8%
Chief Privacy Officer: 0%
Director of Internal Audit: 0%
General Counsel: 0%
Chief Technology Officer: 8%
Human Resources VP: 0%
Chief Information Security Officer: 16%
Chief Risk Officer: 4%
Other (please specify): 1%

D3 (retail). What best describes your company's primary retail industry focus?
Conventional retailer (stores): 37%
Franchises: 3%
Internet retailer (websites): 34%
Combination: 19%
tech: 6%
Other (please specify): 1%

D3 (financial services). What best describes your company's primary FS industry focus?
Banking: 0%
Investment management: 0%
Brokerage: 0%
Insurance: 0%
Payments: 0%
Financial tech: 0%
General services: 0%
Other (please specify): 0%
Total: 0% 0%

D4. What is the worldwide headcount of your organization?
< 500: 5%
500 to 1,000: 6%
1,001 to 5,000: 13%
5,001 to 25,000: 37%
25,001 to 75,000: 20%
> 75,000: 20%

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.


More information

The Fraud Report: How Fake Users Are Impacting Business

The Fraud Report: How Fake Users Are Impacting Business The Fraud Report: How Fake Users Are Impacting Business Sponsored by TeleSign Independently conducted by Ponemon Institute LLC Publication Date: November 2015 Ponemon Institute Research Report The Fraud

More information

Achieving Data Privacy in the Cloud

Achieving Data Privacy in the Cloud Achieving Data Privacy in the Cloud Study of Information Technology Privacy and Compliance of Small to Medium-Sized Organizations in germany Sponsored by microsoft Independently Conducted by Ponemon Institute

More information

2015 Global Megatrends in Cybersecurity

2015 Global Megatrends in Cybersecurity 2015 Global Megatrends in Cybersecurity Sponsored by Raytheon Independently conducted by Ponemon Institute LLC Publication Date: February 2015 Ponemon Institute Research Report 2015 Global Megatrends in

More information

2014 State of Endpoint Risk. Sponsored by Lumension. Independently conducted by Ponemon Institute LLC Publication Date: December 2013

2014 State of Endpoint Risk. Sponsored by Lumension. Independently conducted by Ponemon Institute LLC Publication Date: December 2013 2014 State of Endpoint Risk Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: December 2013 Ponemon Institute Research Report 2014 State of Endpoint Risk Ponemon

More information

Privileged User Abuse & The Insider Threat

Privileged User Abuse & The Insider Threat Privileged User Abuse & The Insider Threat Commissioned by Raytheon Company Independently conducted by Ponemon Institute LLC Publication Date: May 2014 1 Privileged User Abuse & The Insider Threat Ponemon

More information

Security of Cloud Computing Providers Study

Security of Cloud Computing Providers Study Security of Cloud Computing Providers Study Sponsored by CA Technologies Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report I. Executive Summary

More information

The Role of Governance, Risk Management & Compliance in Organizations

The Role of Governance, Risk Management & Compliance in Organizations The Role of Governance, Risk Management & Compliance in Organizations Study of GRC practitioners Sponsored by RSA, The Security Division of EMC Independently conducted by Ponemon Institute LLC Publication

More information

Security of Cloud Computing Providers Study

Security of Cloud Computing Providers Study Security of Cloud Computing Providers Study Sponsored by CA Technologies Independently conducted by Ponemon Institute LLC Publication Date: April 2011 Ponemon Institute Research Report I. Executive Summary

More information

LiveThreat Intelligence Impact Report 2013

LiveThreat Intelligence Impact Report 2013 LiveThreat Intelligence Impact Report 2013 Sponsored by Independently conducted by Ponemon Institute LLC Publication Date: July 2013 Ponemon Institute Research Report Contents Part 1. Introduction 3 Executive

More information

Enhancing Cybersecurity with Big Data: Challenges & Opportunities

Enhancing Cybersecurity with Big Data: Challenges & Opportunities Enhancing Cybersecurity with Big Data: Challenges & Opportunities Independently Conducted by Ponemon Institute LLC Sponsored by Microsoft Corporation November 2014 CONTENTS 2 3 6 9 10 Introduction The

More information

Advanced Threat Protection with Dell SecureWorks Security Services

Advanced Threat Protection with Dell SecureWorks Security Services Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5

More information

Cyber Threat Intelligence: Has to Be a Better Way

Cyber Threat Intelligence: Has to Be a Better Way Exchanging Cyber Threat Intelligence: There Has to Be a Better Way Sponsored by IID Independently conducted by Ponemon Institute LLC Publication Date: April 2014 Ponemon Institute Research Report Exchanging

More information

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015 Cybersecurity Kill Chain William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015 Who Am I? Over 20 years experience with 17 years in the financial industry

More information

2015 Cost of Data Breach Study: United States

2015 Cost of Data Breach Study: United States 2015 Cost of Data Breach Study: United States Benchmark research sponsored by IBM Independently conducted by Ponemon Institute LLC May 2015 Ponemon Institute Research Report 2015 1 Cost of Data Breach

More information

Compliance Cost Associated with the Storage of Unstructured Information

Compliance Cost Associated with the Storage of Unstructured Information Compliance Cost Associated with the Storage of Unstructured Information Sponsored by Novell Independently conducted by Ponemon Institute LLC Publication Date: May 2011 Ponemon Institute Research Report

More information

Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners

Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners Best Practices in Data Protection Survey of U.S. IT & IT Security Practitioners Sponsored by McAfee Independently conducted by Ponemon Institute LLC Publication Date: October 2011 Ponemon Institute Research.

More information

The Aftermath of a Data Breach: Consumer Sentiment

The Aftermath of a Data Breach: Consumer Sentiment The Aftermath of a Data Breach: Consumer Sentiment Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2014 Ponemon Institute Research

More information

Encryption in the Cloud

Encryption in the Cloud Encryption in the Cloud Who is responsible for data protection in the cloud? Sponsored by Thales e-security Independently conducted by Ponemon Institute LLC Publication Date: July 2012 Ponemon Institute

More information

Privacy and Security in a Connected Life: A Study of US, European and Japanese Consumers

Privacy and Security in a Connected Life: A Study of US, European and Japanese Consumers Privacy and Security in a Connected Life: A Study of US, European and Japanese Consumers Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: March 2015 Ponemon Institute

More information

IBM QRadar Security Intelligence: Evidence of Value

IBM QRadar Security Intelligence: Evidence of Value IBM QRadar Security Intelligence: Evidence of Value Independently conducted by Ponemon Institute LLC February 2014 Ponemon Institute Research Report Background IBM QRadar: Evidence of Value Ponemon Institute:

More information

2014 Cost of Data Breach Study: Global Analysis

2014 Cost of Data Breach Study: Global Analysis 2014 Cost of Data Breach Study: Global Analysis Benchmark research sponsored by IBM Independently conducted by Ponemon Institute LLC May 2014 Ponemon Institute Research Report Part 1. Introduction 2014

More information

2015 State of the Endpoint Report: User-Centric Risk

2015 State of the Endpoint Report: User-Centric Risk 2015 State of the Endpoint Report: User-Centric Risk Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: January 2015 Ponemon Institute Research Report 2015 State

More information

The TCO for Full Disk Encryption Studies in the US, UK, Germany & Japan

The TCO for Full Disk Encryption Studies in the US, UK, Germany & Japan The TCO for Full Disk Encryption Studies in the US, UK, Germany & Japan Sponsored by WinMagic Independently conducted by Ponemon Institute LLC Publication Date: July 2012 Ponemon Institute Research Report

More information

Survey on the Governance of Unstructured Data. Independently Conducted and Published by Ponemon Institute LLC. Sponsored by Varonis Systems, Inc.

Survey on the Governance of Unstructured Data. Independently Conducted and Published by Ponemon Institute LLC. Sponsored by Varonis Systems, Inc. Survey on the Governance of Unstructured Data Independently Conducted and Published by Ponemon Institute LLC Sponsored by Varonis Systems, Inc. June 30, 2008 Please Do Not Quote Without Express Permission.

More information

The Human Factor in Data Protection

The Human Factor in Data Protection The Human Factor in Data Protection Sponsored by Trend Micro Independently conducted by Ponemon Institute LLC Publication Date: January 2012 Ponemon Institute Research Report The Human Factor in Data Protection

More information

Second Annual Benchmark Study on Patient Privacy & Data Security

Second Annual Benchmark Study on Patient Privacy & Data Security Second Annual Benchmark Study on Patient Privacy & Data Security Sponsored by ID Experts Independently conducted by Ponemon Institute LLC Publication Date: December 2011 Ponemon Institute Research Report

More information

The Billion Dollar Lost Laptop Problem Benchmark study of U.S. organizations

The Billion Dollar Lost Laptop Problem Benchmark study of U.S. organizations The Billion Dollar Lost Laptop Problem Benchmark study of U.S. organizations Independently conducted by Ponemon Institute LLC Publication Date: 30 September 2010 Ponemon Institute Research Report Part

More information

2013 Study on Data Center Outages

2013 Study on Data Center Outages 2013 Study on Data Center Outages Independently conducted by Ponemon Institute LLC Publication Date: September 2013 2013 Study on Data Center Outages Ponemon Institute, September 2013 Part 1. Introduction

More information

Third Annual Survey on Medical Identity Theft

Third Annual Survey on Medical Identity Theft Third Annual Survey on Medical Identity Theft Sponsored by Experian s ProtectMyID Independently conducted by Ponemon Institute LLC Publication Date: June 2012 Ponemon Institute Research Report Part 1:

More information

Global Study on the State of Payment Data Security

Global Study on the State of Payment Data Security Global Study on the State of Payment Data Security 3 Introduction We are pleased to present the findings of The Global Study on the State of Payment Data Security Study conducted on behalf of Gemalto by

More information

Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data

Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data Independently conducted by Ponemon Institute LLC Publication Date: February 23, 2009 Sponsored by Symantec Corporation Ponemon

More information

2015 Cost of Data Breach Study: Global Analysis

2015 Cost of Data Breach Study: Global Analysis 2015 Cost of Data Breach Study: Global Analysis Benchmark research sponsored by IBM Independently conducted by Ponemon Institute LLC May 2015 Ponemon Institute Research Report Part 1. Introduction 2015

More information

The End Endorsed Devices pose a Large Security Risk to Your Organization

The End Endorsed Devices pose a Large Security Risk to Your Organization 2013 State of the Endpoint Sponsored by Lumension Independently conducted by Ponemon Institute LLC Publication Date: December 2012 Ponemon Institute Research Report 2013 State of the Endpoint Ponemon Institute:

More information

Security of Cloud Computing Users A Study of Practitioners in the US & Europe

Security of Cloud Computing Users A Study of Practitioners in the US & Europe Security of Cloud Computing Users A Study of Practitioners in the US & Europe Sponsored by CA Independently conducted by Ponemon Institute LLC Publication Date: 12 May 2010 Ponemon Institute Research Report

More information

Reputation Impact of a Data Breach Executive Summary

Reputation Impact of a Data Breach Executive Summary Reputation Impact of a Data Breach Executive Summary Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: October 2011 Ponemon Institute Research

More information