Reducing the Security Threat Window

Transcription

1 I N F O N E T I C S R E S E A R C H S P E C I A L R E P O R T Reducing the Security Threat Window Infonetics Research Special Report Written by Analyst Jeff Wilson July 2014

2 Contents Businesses Are Increasing Their Investments in Security But It s Not an Easy Problem to Solve 1 Exhibit 1: Enterprise Threat Mitigation Spending Plans 2 The Wide Open Threat Window 3 Exhibit 2: Timespan of Events within POS Intrusions 3 What s Needed: Orchestration and Automation 4 About Infonetics Research 5 i

3 There were more than 2,000 disclosed breaches totaling over 800 million individual personal records stolen in Businesses Are Increasing Their Investments in Security... A constant stream of high-profile data thefts has everyone on high alert. In 2013 alone, there were more than 2,000 disclosed breaches totaling over 800 million individual personal records stolen and those were just the disclosed breaches. The Target breach in particular paints a very interesting picture of the current state of threat mitigation at large businesses....but It s Not an Easy Problem to Solve Security isn t a simple problem that can be easily solved by spending more money. Target has a significant IT security budget and a wide range of controls in place, but they still managed to get taken to the tune of 40 million credit card numbers and 70 million customer records. The average enterprise also has a wide range of security solutions in place, and as we can see from the following chart, many plan to increase their spending on a wide range of security technologies. 1

4 Exhibit 1: Enterprise Threat Mitigation Spending Plans Web security Data loss prevention Firewall/UTM/ next gen firewall Security Technologies Security client software Network access control/management Messaging security Vulnerability management/ assessment DDoS mitigation IPS 0% 20% 40% 60% 80% 100% Percent of Respondents Increase Keep flat Decrease Not investing Don t know Source: Infonetics Research, On-Premise, Hosted, and Hybrid Security Strategies and Vendor Leadership: North American Enterprise Survey, August 2013 These spending increases are based on the notion that we re in an escalating threat environment with a wide range of new advanced persistent threats, and buyers are looking for protection against data theft and accidental data loss. So are they wrong in spending on new threat mitigation technologies knowing that a large company like Target had firewalls, anti-malware software, and even advanced threat detection solutions like FireEye in place? Not exactly. 2

5 The real practical problem many companies face is how to effectively deal with an attack once it happens. The Wide Open Threat Window The real practical problem many companies face is how to effectively deal with an attack once it happens, because the attacks will happen. The Target attack started with malware installed on POS (point of sale) terminals; the network was first breached on November 12th in 2013, and the attackers tested and installed the malware between the 15th and the 30th, when both Symantec and FireEye products identified malicious activities and triggered alerts. Attackers even had the time to upgrade the malware, and started stealing data on December 2nd, which triggered another FireEye alert. That s nearly a month between the network breach and exfiltration, with multiple alerts, yet the malware was still running. On December 12th the Department of Justice notified Target of the breach, and by the 15th Target confirmed the breach and removed most of the malware more than a month after the first alerts were triggered. Target isn t alone though. A Verizon report looked at 169 POS intrusion events in 2013, and the chart below shows the timeline for compromise, exfiltration, and discovery. The data couldn t be more clear: in 88% of these events, data was stolen within minutes of compromises that weren t discovered for weeks. Exhibit 2: Timespan of Events within POS Intrusions Compromise n=169 51% 36% 1% 1% Exfiltration n=169 11% 1% 0% 0% 1% 88% 1% 1% Discovery n=178 11% 0% 0% 0% 0% 0% 0% 1% 85% 13% 1% 0% Seconds Minutes Hours Days Weeks Months Years Never Seconds Minutes Hours Days Weeks Months Years Never Seconds Minutes Hours Days Weeks Months Years Never Source: Verizon Data Breach Incident Report,

6 Enterprise IT departments have the brainpower to do a great job but are short on resources. Orchestration and automation solutions will help them respond faster and focus on the hard problems that require human intelligence. What s Needed: Orchestration and Automation It is reasonable to assume that in most of the above cases, just as in the Target case, there were multiple security controls that threw up red flags prior to discovery. There are many products on the market that can help distill and correlate events (SIEM solutions), and it s likely that many companies used their SIEM solutions to discover the event. But what s missing in most cases is a central console for orchestrating all the security platforms enterprises have installed allowing them to talk to each other and change behavior, configurations, or access policies in response to correlated events and then to take the final (and much more difficult) step of automating the orchestration process in cases where the choices to act are simple. What was the next step in the process chain at Target when FireEye threw up each alert, and why did it stop at the alert? Is it possible that the alert could have automatically triggered a chain of events that could have significantly shortened the window the attackers had to steal data? As an industry, we re very good at building solutions that can identify and in some cases automatically block individual security threat events. Enterprise IT departments have the brainpower to do a great job reducing the threat window but are short on resources. Orchestration and automation solutions will help them respond faster and focus on the hard problems that require human intelligence. 4

7 I N F O N E T I C S R E S E A R C H S P E C I A L R E P O R T Report Author Jeff Wilson Principal Analyst, Security Infonetics Research jeff@infonetics.com About Infonetics Research Infonetics Research is an international market research and consulting analyst firm serving the communications industry since A leader in defining and tracking emerging and established technologies in all world regions, Infonetics helps clients plan, strategize, and compete more effectively. Sales North America (West), Asia Pacific Larry Howard, Vice President, larry@infonetics.com, North America (East, Midwest, Texas), Latin America and EMEA Scott Coyne, Senior Account Director, scott@infonetics.com, Greater China, Southeast Asia, and India 中 国 大 陆 和 台 湾 地 区 : 宋 后 清, 市 场 分 析 师 Jeffrey Song, Market Analyst, jeffrey@infonetics.com, TECHNOLOGY PARKWAY SUITE 200 CAMPBELL, CALIFORNIA TEL FAX SILICON VALLEY BOSTON METRO LONDON AMSTERDAM SHANGHAI TOKYO