SolarWinds Federal Cybersecurity Survey Summary Report

SolarWinds Federal Cybersecurity Survey Summary Report March 26, 2014 2014 Market Connections, Inc.

BACKGROUND AND APPROACH 2 Background and Approach SolarWinds and Market Connections worked together to design and conduct a blind online cybersecurity survey among 200 federal government IT decision makers and influencers in January and February 2014. Throughout the report, notable significant differences are reported. Statistical analyses were conducted for continuous monitoring status, agency type and job function. There were no significant differences detected by job function. Due to rounding, graphs may not add up to 100%.

RESPONDENT CLASSIFICATIONS 3 Organizations Represented If a respondent did not work for any of the specific organization types noted below, the survey was terminated. Organizations Represented Federal, Civilian or Independent Government Agency Department of Defense or Military Service Federal Judicial Branch Intelligence Agency Federal Legislature 3% 2% 40% 56% Sample Organizations Represented (In Alphabetical Order) Air Force Army Department of Agriculture (USDA) Department of Commerce (DOC) Department of Defense (DOD) Department of Energy (DOE) Department of Homeland Security (DHS) Department of Labor (DOL) Department of State (DOS) Department of the Interior (DOI) Department of Transportation (DOT) Department of Treasury (TREAS) Department of Veteran Affairs (VA) Federal Aviation Administration (FAA) Judicial/Courts Marine Corps National Aeronautics and Space Administration (NASA) Navy Social Security Administration (SSA) US Postal Service (USPS) 0% 10% 20% 30% 40% 50% 60% Which of the following best describes your current employer? What agency do you work for?

RESPONDENT CLASSIFICATIONS 4 Decision Making Involvement All respondents are knowledgeable or involved in decisions and recommendations regarding IT operations and management and IT security solutions and services. On a team that makes decisions regarding IT security and/or IT operations and management solutions 5 Manage or implement security and/or IT operations and management solutions 4 Evaluate or recommend firms offering IT security and/or IT operations and management solutions 40% Develop technical requirements for IT security and/or IT operations and management solutions 33% Make the final decision regarding IT security and/or IT operations and management solutions or contractors Other involvement in IT security and/or IT operations and management solutions Note: Multiple responses allowed 8% 0% 10% 20% 30% 40% 50% 60% How are you involved in your organization s decisions or recommendations regarding IT operations and management and IT security solutions and services? (select all that apply)

RESPONDENT CLASSIFICATIONS 5 Job Function and Tenure A variety of job functions and tenures are represented in the sample, with most being IT/IS staff and working at their agency for over 20 years. Job Function Tenure IT/IS staff 33% 20+ Years 30% IT director/manager 26% 15-20 Years Security/IA staff 15% 10-14 Years Security/IA director or manager 5% 5-9 Years 2 CIO/CTO 5% Includes: 3-4 Years IT Procurement CSO/CISO 2% Program Manager 1-2 Years 2% Other <1 Year 0% 10% 20% 30% 40% 0% 10% 20% 30% 40% Which of the following best describes your current job title/function? How long have you been working at your current agency?

CONTINUOUS MONITORING IMPLEMENTATION 6 Continuous Monitoring Plan Two-thirds report having implemented at least one continuous monitoring solution. The majority of those who have not started planning report it is due to budget constraints. Supporting Requirements Reasons for Not Planning We have implemented at least one continuous monitoring solution 63% Budget constraints 86% We are planning to implement continuous monitoring 20% Lack of manpower 43% Competing priorities and other initiatives 29% We have not started planning 4% Non-users 37% Lack of top-level direction and leadership 0% Don t know 13% Other 0% 20% 40% 60% 80% 100% N=7 0% 20% 40% 60% 80% 100% How well equipped is your agency to support federal government (ex. OMB mandate, DISA STIG, etc.) continuous monitoring requirements? What are the reasons that you have not started planning to implement continuous monitoring? (select all that apply)

CONTINUOUS MONITORING IMPLEMENTATION 7 Return on Investment Nearly half of respondents have measured the return on investment of continuous monitoring and report it is paying off nicely. Of those planning to implement continuous monitoring, the majority plan to measure its return on investment once implemented. Have Measured Return on Investment Plan to Measure ROI Once Implemented Yes, it s paying off nicely 49% Yes Yes, and we re disappointed in the results 9% 3 59% No No, but we feel we re getting our money s worth 38% 10% Unsure at this time No, but we feel we aren t getting a payoff from the technology 4% 0% 10% 20% 30% 40% 50% 60% N=125 N=39 Have you measured the return on your investment in using continuous monitoring? Once implemented, do you plan to measure the return on your investment in using continuous monitoring?

CONTINUOUS MONITORING IMPLEMENTATION 8 Continuous Monitoring Benefits The majority perceive more timely awareness of real-time vulnerabilities as the top benefit to comprehensive continuous monitoring. Automated Score Card report on compliance by functional area Increased technical collaboration with various functional areas More timely awareness of real-time vulnerabilities Note: Multiple responses allowed Keeping up with the newest vulnerabilities Keeping up with the latest compliance requirements Increased visibility into current IT configurations More timely visibility into results of compliance efforts Automated compliance reports Reduced labor costs Reduction in Data Calls Other Not sure What do you perceive as the top three benefits to comprehensive continuous monitoring? (select three) 2% 5% 1 1 16% 26% 33% 3 3 47% Keeping up with the newest vulnerabilities 69% Defense 0% 20% 40% 60% 80% = statistically significant difference Civilian 56% 40%

CYBERSECURITY OBSTACLES, THREATS, & EVENTS 9 Cybersecurity Readiness The majority describe their agency s overall cybersecurity readiness as good or excellent. A significantly greater proportion of defense agency respondents as well as respondents that use continuous monitoring rate their readiness as excellent. Excellent we have the appropriate tools, processes and policies in place 44% Good some tools, processes or polices are in place and/or some may need updating Poor we are lacking the necessary tools, process Not sure 2% 5% Continuous Monitoring User Non- User Excellent 54% 28% Good 44% 60% Poor 2% 9% 50% Defense Civilian Excellent 54% 37% 0% 10% 20% 30% 40% 50% 60% = statistically significant difference How would you describe your agency s overall cybersecurity readiness?

CYBERSECURITY OBSTACLES, THREATS, & EVENTS 10 IT Security Obstacles Respondents most often consider budget constraints as the single most significant high-level obstacle to maintain or improve IT security. Budget constraints 40% Competing priorities and other initiatives Complexity of internal environment 19% Lack of manpower 8% Lack of top-level direction and leadership Lack of training for personnel Lack of clear standards Lack of technical solutions available at my agency Other 6% 5% 4% 2% 4% 0% 10% 20% 30% 40% 50% What is the single most significant high-level obstacle to maintain or improve IT security at your agency?

CYBERSECURITY OBSTACLES, THREATS, & EVENTS 11 Tool Implementation Frustrations The majority report lack of budget is the biggest frustration an IT manager faces in implementing cyber security tools. Difficult to update due to evolving compliance requirements Lack of executive buy-in on importance of compliance Note: Multiple responses allowed Lack of budget Organizational issues or turf battles Expensive to maintain Expensive to upgrade High cost of training Difficult to implement and/or operate Hidden operations costs Difficult to update for emerging threats Insufficient or inflexible reporting Agency does not enforce compliance Other What are the biggest frustrations an IT manager in your agency faces in implementing cyber security tools? (select all that apply) 2% 9% 12% 18% 20% 23% 26% 26% 29% 29% 32% 42% Lack of executive buy-in on importance of compliance Continuous Monitoring User 63% Non- User 29% 0% 10% 20% 30% 40% 50% 60% 70% = statistically significant difference

CYBERSECURITY OBSTACLES, THREATS, & EVENTS 12 Cybersecurity Threats External hacking and malware are the overall top cybersecurity threats plaguing agencies. External hacking 50% Malware 46% Social engineering 37% SPAM 36% Insider data leakage/theft 29% Denial of service 25% Mobile device theft 20% Physical security attacks APT Other No cyber threats plague my agency Unsure if cyber threats plague my agency 6% 3% 6% 9% 18% External hacking Continuous Monitoring User Non- User 57% 37% Insider data leakage/theft Mobile device theft Physical security attacks Defense Civilian 4 2 12% 25% 25% 13% Note: Multiple responses allowed What types of cybersecurity threats are plaguing your agency? (select all that apply) 0% 10% 20% 30% 40% 50% 60% = statistically significant difference

CYBERSECURITY OBSTACLES, THREATS, & EVENTS 13 Security Threat Sources The general hacking community and careless/untrained insiders are the largest sources of security threats at agencies. General hacking community 47% Careless/untrained insiders 42% Foreign governments 34% Hacktivists 26% Terrorists 2 Malicious insiders For-profit crime Industrial spies Other None of the above plague my agency Unsure if these threats plague my agency 3% 4% 6% 9% 1 Defense Civilian General hacking community 35% 55% Careless/untrained insiders 53% 35% Foreign governments 48% 24% Terrorists 3 13% Malicious insiders 26% 10% Note: Multiple responses allowed What are the largest sources of security threats to your agency? (select all that apply) 0% 10% 20% 30% 40% 50% = statistically significant difference

CYBERSECURITY OBSTACLES, THREATS, & EVENTS Security Investment Priorities Firewall configuration and security continuous monitoring are the top essential priorities for investing resources in the next 12 months. Not sure 1 Not a priority 2 Low priority 3 Medium priority 4 & 5 High or essential priority 14 AVG Intrusion detection and prevention 2% 3% 78% 4.19 Firewall configuration and security continuous monitoring 4% 3% 19% 74% 4.19 Improving general network defenses e.g., firewalls, secure gateways 3% 3% 2 73% 4.10 Server security and compliance continuous monitoring 4% 3% 22% 7 4.11 Identity and access management 2% 6% 2 7 4.02 Network configuration security compliance continuous monitoring 0% 4% 5% 22% 70% 4.10 Database security 5% 4% 24% 68% 4.02 Improving system defenses e.g. anti-virus, HIPS 3% 6% 24% 68% 4.04 Vulnerability management 4% 4% 25% 67% 4.00 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% For each of the following security practices and/or technologies, please indicate your organization s priority level for investing resources in the next 12 months.

CYBERSECURITY OBSTACLES, THREATS, & EVENTS 15 Security Investment Priorities (Continued) Not sure 1 Not a priority 2 Low priority 3 Medium priority 4 & 5 High or essential priority Security information and event management 4% 7% 25% 65% AVG Implementing technologies and processes to monitor information system activity Secure document sharing 4% 7% 5% 3% 1 25% 23% 64% 60% 3.88 3.93 Technologies and processes to monitor and block use of removable media (USB, etc.) Secure remote systems administration Patch management Implementing technologies and processes to monitor user activity Improving mobile device security (mobile policy enforcement, etc.) 5% 3% 3% 3% 4% 6% 4% 3% 5% 5% 12% 12% 10% 23% 25% 33% 27% 25% 58% 58% 58% 58% 52% 3.73 3.70 3.72 3.81 3.70 3.55 Log management 7% 2% 10% 34% 49% 3.58 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% For each of the following security practices and/or technologies, please indicate your organization s priority level for investing resources in the next 12 months.

CYBERSECURITY OBSTACLES, THREATS, & EVENTS 16 Security Investment Priorities (Continued) Continuous monitoring users indicate that most practices and technologies are of essential priority investments significantly more than non-users. 5 - Essential Continuous Monitoring User Non-User Firewall configuration and security continuous monitoring 53% 33% Intrusion detection and prevention 52% 3 Improving system defenses e.g. anti-virus, HIPS 46% 32% Network configuration security compliance continuous monitoring 46% 3 Database security 44% Vulnerability management 4 25% Technologies and processes to monitor and block use of removable media (USB, etc.) 37% 23% Secure remote systems administration 36% 20% Security information and event management 34% 20% Patch management 33% 19% = statistically significant difference For each of the following security practices and/or technologies, please indicate your organization s priority level for investing resources in the next 12 months.

CYBERSECURITY OBSTACLES, THREATS, & EVENTS 17 Security Event Detection Respondents report most often that inappropriate internet access by insiders can be detected within minutes. Within minutes Within hours Within one day More than one day No ability to detect Don t know/unsure Inappropriate internet access by insiders 40% 19% 16% 13% 4% 10% Rogue device on network 37% 27% 13% 10% 2% 12% Misuse/abuse of credentials 32% 23% 13% 3% External data breach 3 23% 15% Compromised account 27% 25% 18% 12% 3% New malware variant 25% 29% 20% 12% Firewall rules out of compliance 25% 22% 24% 13% 16% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% How long does it typically take your organization to detect and/or analyze to the following types of security events or compliance issues?

CYBERSECURITY OBSTACLES, THREATS, & EVENTS 18 Security Event Detection (Continued) Inappropriate sharing of documents is reported least as being able to be detected within minutes. Within minutes Within hours Within one day More than one day No ability to detect Don t know/unsure Spear-phishing 23% 30% 16% 12% 3% Network device configurations out of compliance 20% 28% 2 2% 13% Windows system configurations out of compliance 18% 30% 20% 20% 4% 10% Non-Windows system configurations out of compliance 25% 16% 19% 5% 19% Data leakage 24% 20% 15% 5% 20% Inappropriate sharing of documents 22% 1 22% 18% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% How long does it typically take your organization to detect and/or analyze to the following types of security events or compliance issues?

CYBERSECURITY OBSTACLES, THREATS, & EVENTS 19 Security Event Detection (Continued) Continuous monitoring users indicate detecting and analyzing most security events or compliance issues within minutes significantly more than non-users. Within Minutes Continuous Monitoring User Non-User Inappropriate internet access by insiders 46% 29% Rogue device on network 46% 23% Misuse/abuse of credentials 37% 23% Compromised account 34% 15% Firewall rules out of compliance 30% 16% Windows system configurations out of compliance 23% 8% Data leakage 22% 8% How long does it typically take your organization to detect and/or analyze to the following types of security events or compliance issues? = statistically significant difference

RESEARCH TO INFORM YOUR BUSINESS DECISIONS 20 Contact Information Laurie Morrow, Director of Research Services Market Connections, Inc. 14555 Avion Parkway, Suite 125 Chantilly, VA 20151 703.378.2025, ext. 101 LaurieM@marketconnectionsinc.com Lisa M. Sherwin Wulf, Federal Marketing Leader SolarWinds 703.234.5386 Lisa.SherwinWulf@solarwinds.com www.solarwinds.com/federal @SolarWinds_Gov