SURVEY REPORT SPON. Identifying Critical Gaps in Database Security. Published April An Osterman Research Survey Report.

Transcription

1 SURVEY REPORT Gaps in Database An Osterman Research Survey Report sponsored by Published April 2016 SPON sponsored by Osterman Research, Inc. P.O. Box 1058 Black Diamond, Washington USA Tel: Tel: twitter.com/mosterman

2 EXECUTIVE SUMMARY Osterman Research conducted a survey with members of its survey panel to determine how well positioned organizations are to address issues surrounding database security, their ability to prevent data breaches, and their preparedness to address the security of critical data assets and databases, among other issues. The survey was conducted during February and March 2016 with 209 members of the Osterman Research survey panel responding and identifying as a qualified respondent. In order to qualify for the survey, respondents were required to confirm general knowledge about databases and database security practices in their organization, and their organization had to have at least 300 employees. The mean number of employees at the organizations surveyed was 22,142. The research for this report was underwritten by DB Networks. KEY TAKEAWAYS Here are the key takeaways from the research conducted for this report: Only 19% of organizations currently have what they consider to be excellent visibility into their data and database assets. Many organizations have limited insight into the existence of all databases in the company. Because unknown and unmanaged databases may contain sensitive information and compromises of them may render peer databases susceptible to attack, this lack of visibility makes organizations significantly more vulnerable to data breaches. Forty-seven percent of those surveyed have not assigned an individual and/or a team to oversee database security. The ramifications of this are significant. Unmanaged and unpatched database systems pose a large attack surface that can be exploited by cyber criminals. In the context of data breaches, respondents are most concerned about the threat of compromised credentials as the primary cause of a data breach. Many high profile database breaches have resulted from the abuse of legitimate logon credentials. Once an attacker has obtained the proper credentials, they can pose as a privileged insider and breach databases. At that point they can potentially access sensitive assets and set up a channel to exfiltrate an entire data set to an off-site server. Only 62% of the organizations surveyed have the mechanisms and controls in place that would allow them to continuously monitor their organization s databases in real time. This lack of continuous monitoring can make infiltration by cyber criminals easier and more effective because of the excessive dwell time that the average intruder enjoys. Our research revealed that a data breach caused by the use of compromised or abused credentials could not be immediately discovered. This is a critical problem given that the Mean Time to Identify (MTTI or dwell time) a breach can be measured in months, not hours or days. This gives intruders the opportunity to spend significant amounts of time exploring the types and locations of an organization s data assets, identifying the high value targets for exfiltration, and stealing them in ways that are less likely to be detected. SURVEY FINDINGS VISIBILITY INTO DATA ASSETS Our research found that 81% of organizations currently do not have what they consider to be excellent visibility into their data and database assets, as shown in Figure 1. However, the vast 2016 Osterman Research, Inc. 1

3 majority more than three in five believes that their organization has good visibility into these assets, while nearly one in five has only limited or little/no visibility. Figure 1 Level of Visibility Into Data and Database Assets 2016 Osterman Research, Inc. 2

4 LACK OF SPECIFIC RESPONSIBILITY FOR DATABASE SECURITY As shown in Figure 2, (47%) of organizations do not have an individual and/or a team that is directly responsible for database security (a small number of survey respondents were not sure if their organization had such an individual or team). This demonstrates that many organizations are not treating data and database security as importantly as they should be. Figure 2 Is there an individual and/or team directly responsible for database security in your organization? (Among survey respondents who could answer the question definitively) We wanted to determine if there were significant differences among the organization sizes that had versus had not assigned specific responsibility for database security to an individual and/or a team. We discovered that 30% of organizations with 1,000 or more employees had not assigned database security to an individual or team, rendering them significantly more vulnerable to threat infiltration and data breaches Osterman Research, Inc. 3

5 SIGNIFICANT CONCERN OVER DATA BREACHES As shown in Figure 3, when asked what database security issues concern you, compromised credentials was the top concern. Of nearly as much concern was the potential for the organization to experience a major data breach, as well as the inability to identify data breaches before they have occurred. Figure 3 Concerns About Key Data-Related Issues Percent Responding Concerned or Very Concerned 2016 Osterman Research, Inc. 4

6 MANY DO NOT HAVE DATA BREACH DETECTION TOOLS IN PLACE One of the more serious and troubling issues we uncovered in our research is shown in Figure 4: 39% of organizations surveyed lack the necessary tools to allow them to identify a database breach resulting from compromised or abused credentials. Figure 4 Does your organization have the tools to become aware of a database breach if it would happen using legitimate, but compromised/abused credentials? 2016 Osterman Research, Inc. 5

7 RELATIVELY LOW CERTAINTY ABOUT KEY DATABASE ISSUES Respondents were asked to rate their degree of certainty about a variety of key issues related to their database assets. As shown in Figure 5, 59% of survey respondents lack a high degree of certainty about which applications, users and clients are access their databases. Figure 5 Certainty About Key Database Issues 2016 Osterman Research, Inc. 6

8 MANY ORGANIZATIONS CANNOT READILY DETECT DATA BREACHES Our research also revealed that a data breach resulting from compromised or abused credentials could not be discovered quickly. As shown in Figure 6, while 21% of survey respondents indicated that they could discover such a data breach almost immediately, most could not. Figure 6 Speed With Which a Data Breach Using Compromised/Abused Credentials Would be Discovered 2016 Osterman Research, Inc. 7

9 MANY DO NOT HAVE REAL-TIME DATABASE SECURITY MONITORING As shown in Figure 7, 38% of the organizations surveyed do not have the mechanisms and controls in place that would allow them to continuously monitor their organizations databases in real time. Figure 7 Does your organization have mechanisms and satisfactory controls to continuously monitor your organization s databases in real time? 2016 Osterman Research, Inc. 8

10 GROWING EMPHASIS ON DATABASE SECURITY is becoming increasingly important over time. As shown in Figure 8, perimeter security receives a significant or a great deal of emphasis by 70% of the organizations surveyed, and this will increase to 77% over the next 12 months. However, while database security receives somewhat less emphasis than perimeter security today, the proportion of organizations giving it a significant or a great deal of emphasis will increase at a much faster pace over the next 12 months. The emphasis paid to database security is closing the gap versus the emphasis paid to perimeter security. Figure 8 Emphasis Placed on Perimeter and Database, 2016 and 2017 Percent Responding Significant Emphasis or a Great Deal of Emphasis 2016 Osterman Research, Inc. 9

11 FREQUENCY OF DATABASE ACTIVITY ASSESSMENTS Our research revealed that only 20% of organizations surveyed conduct database activity assessments on a more or less continuous basis, as shown in Figure 9. In fact, slightly more than one-half of respondents conduct these assessments very infrequently only once per quarter or less often; 6% of organizations never conduct these assessments. Figure 9 Frequency of Database Activity Assessments 2016 Osterman Research, Inc. 10

12 DATA BREACHES WOULD CAUSE SERIOUS PROBLEMS Fifty-eight percent of those surveyed believe that the breach of data from a critical corporate database would cause serious or catastrophic problems for their organizations, as shown in Figure 10. Only one in 25 survey respondents believe that the impact of data breach from a critical database would cause only minimal problems, while another 38% believe the issue would cause problems that the organization could manage. Figure 10 Perceived Damage from the Breach of a Critical Database OBSERVATIONS ABOUT THE DATA Osterman Research offers a few high-level observations about the data presented in this survey report: Successful organizations run on, and are dependent on, the creation and consumption of information. But information is valuable to an organization only if decision makers and others that need it know where it is, what s in it, what is shareable and by whom it is shareable in other words, the need is for managed information, and information that is protected from data breaches and other potential infiltrations as a result of hacking, malware and insider theft. Most organizations are struggling with the problem of too much electronic data how much of it there is, what it contains, who has access to it, where it is currently stored, and how long it should be kept. In other words, how to govern it more effectively. The sheer volume of information, combined with the speed of its accumulation and the lack of effective management is at the root of the problem. This surplus of electronically stored information is, in reality, driving up the cost of storage, raising the cost and risk of ediscovery and regulatory compliance, negatively impacting employee productivity, and raising the prospect of intellectual property theft and breaches of sensitive and confidential corporate data Osterman Research, Inc. 11

13 To get a better handle on this data management problem, organizations should take a long, hard look at the main problem: a lack of any effective enterprise-wide information governance. After recognizing the importance of this issue, organizations can then take action, such as creating an enterprise-wide information strategy, developing use policies and an information retention schedule, and adopting information management automation. These will enable the organization to systematically find, categorize, manage and defensibly dispose of data stored in its databases in a timely, cost-effective manner. Organizations need to conduct a thorough audit to understand where all of their data is located, who has access to this data, the specific legal and regulatory obligations to which this data is subject, the identity of the data stakeholders, and other relevant information. This is essential in order to build a map of sorts that will help decision makers understand the security risks they face and how to prioritize their resources in closing the security gaps that exist. Organizations must monitor the risk levels associated with their data assets, corporate systems and other tools that users may employ in response to regulatory requirements, advice from legal counsel, recent data breaches, cybercriminal activity and other factors. For example, a database might contain non-sensitive data that can safely be accessed using only a username and password. However, a change in an organization s offerings or a new industry regulation may mean that sensitive data will be added to the database, thereby increasing the risk of inappropriate access of that content store. If organizations cannot identify a successful security compromise, decision makers may never know that a particular event took place until it s too late. As a result, while decision makers have correctly acknowledged the security compromises of which they are aware, those about which they are not aware pose a more significant problem. It is likely that the actual rate of successful infiltrations or other leakage events is much higher than discussed in this report because of poor organizational systems for tracking successful threats Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader s compliance with any laws (including but not limited to any act, statue, regulation, rule, directive, administrative order, executive order, etc. (collectively, Laws )) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL Osterman Research, Inc. 12