Crowd - 2017 Threat Monitoring, Detection and Response Report (English, 2017, 47 pages).pdf


2017 THREAT MONITORING, DETECTION & RESPONSE REPORT

... also lay traps to develop our own learnings

USERS OF THREAT INTELLIGENCE

Q: Who are the primary consumers of threat intelligence in your organization?

Our survey investigated the uses of threat intelligence. As would be expected, the IT security team is the primary consumer (70%), with the incident response and SOC teams being significant consumers of data (43% and 38% respectively). What is interesting is the breadth of usage extending to executive management and legal.

- IT security team: 70%
- Incident response team: 43%
- Security operations center (SOC): 38%
- Automated threat intelligence: 28%
- Executive leadership (Board of Directors, C-level staff): 25%
- Insider threat team: 23%
- Risk and compliance groups: 21%
- Middle management, business owners: 21%
- Legal department: 13%
- Workforce in general: 10%

THREAT INTELLIGENCE IMPACT

Q: Has the occurrence of security breaches changed as a result of using threat intelligence solutions?

One of our most significant areas of investigation was to identify the benefits of the use of threat intelligence. As we found, about half (49%) of respondents reported a reduction in breaches, although to varying degrees.

- Significant reduction in breaches: 17%
- Some reduction in breaches: 32%
- No improvement: 17%
- Not sure: 34%

PRIORITIZATION OF SECURITY EVENTS

Q: How are security events brought to the attention of the IT/security team?

In threat management, an important question is how security events are brought to the attention of the IT/security team. Here we see a significant difference between all respondents and those that declare themselves to be superior/above average in their ability to respond to detected threats. In particular, the latter group relies more on intelligence services providers, conducting proprietary searches and UEBA (User and Entity Behavior Analytics). For example, endpoint monitoring is used in 60% of all organizations as the leading mechanism of informing security teams, whereas threat intelligence services providers are used in a larger percentage (68%) of teams self-declaring as having superior or above-average practices.

- User reports: 60%
- Endpoint monitoring software alerts: 60%
- Perimeter defenses (IPS/IDS/Firewall) alerts: 57%
- Error messages or application alerts: 46%
- Alerts from other analytics platforms (besides SIEM): 43%
- Automated alert from our SIEM: 34%
- Third party reporting on behavior coming from our network: 31%
- Searching manually through our SIEM: 27%
- Detected through third-party vendor partner: 26%
- Retrospective review of logs or SIEM-related data (largely manual): 24%
- Conducting searches with our security analytics platform (not SIEM): 21%
- Intelligence services provider alerts: 19%
- UEBA: 10%

INSIDER THREAT

INSIDER THREAT CONFIDENCE

Q: How confident are you in your organization's insider threat security posture?

Only 30% of organizations feel very to extremely confident about their insider threat security posture. This leaves a majority of organizations in a situation that requires improved insider threat policies, training and platforms to boost insider threat confidence.

- Extremely confident: 10%
- Very confident: 20%
- Moderately confident: 44%
- Slightly confident: 19%
- Not at all confident: 7%

NATURE OF INSIDER THREATS

Q: What type of insider threats are you most concerned about?

As with our prior studies, we investigated the types of insider threats that our survey participants were concerned about. Several types of insider threats - inadvertent data breaches (64%), malicious data breaches (60%) and compromised credentials (60%) - had a similar level of prominence.

- Inadvertent data breach or compromise (e.g., careless user causing accidental breach): 64%
- Malicious data breach or compromise (e.g., user willfully causing harm): 60%
- Compromised credentials (e.g., outside infiltrators compromising an insider and using them or their credentials to cause harm): 60%
- Negligent data breach or compromise (e.g., user willfully ignoring policy, but not malicious): 57%

GROWTH OF INSIDER THREATS

Q: Do you think insider attacks have generally become more frequent over the last 12 months?

We asked survey participants about the growth of insider threats. The majority of respondents (51%) indicated that such threats were on the rise. When asked about the reasons for this increase, the main reasons were related to a growth in the number of devices with access to sensitive data (55%), data leaving the traditional network perimeter on mobile devices (51%) and lack of employee training (50%).

- Yes: 51%
- No: 27%
- Not sure: 22%

Q: What do you believe are the main reasons why insider attacks are on the rise?

- Increasing number of devices with access to sensitive data: 55%
- Data increasingly leaving the network perimeter via mobile devices and Web access: 51%
- Lack of employee training/awareness: 50%
- Insufficient data protection strategies or solutions: 50%
- Technology is becoming more complex: 43%
- More employees, contractors, partners accessing the network: 42%
- Increasing use of cloud apps and infrastructure: 31%
- Increasing amount of sensitive data: 27%
- Increased public knowledge or visibility of insider threats that were previously undisclosed: 24%
- I don't think insider attacks are on the rise: 8%
- Not sure/other: 8%

COMBATING INSIDER THREATS

Q: How does your organization combat insider threats today?

When asked about the main practices and tools used by security teams to combat insider threats, user training was identified as the main tactic (57%), closely followed by user activity/behavior monitoring (51%). This is consistent with the assessment that careless insiders are one of the main causes of data loss.

- User training: 57%
- User activity/behavior monitoring: 51%
- Information security governance program: 36%
- Database activity monitoring: 30%
- Native security features of underlying OS: 26%
- Secondary authentication: 21%
- Custom tools and applications developed in house: 21%
- UEBA: 17%
- SIEM correlation: 17%
- Specialized 3rd party applications and devices: 17%
- Managed security service provider: 12%
- We do not use anything / Deception based security: 4% (the chart carries only one figure for these two entries)

RISKY USERS

Q: What user groups pose the largest security risk to your organization?

In this year's survey, regular employees take the number one spot of users posing the biggest insider threat (50%). This is followed by privileged IT users, such as administrators with access to sensitive information (47%), and contractors, service providers and temporary users (also 47%).

- Regular employees: 50%
- Privileged IT users/admins: 47%
- Contractors, service providers, temporary workers: 47%
- Privileged business users: 42%
- Business partners: 31%
- Executive managers: 29%
- Customers: 13%
- Other IT staff: 9%
- None: 1%

INTERNAL VS EXTERNAL ATTACKS

Q: How difficult is it to detect and prevent insider attacks compared to external cyber attacks?

Similar to our previous surveys, the majority of respondents (61%) find it more difficult to detect and prevent an insider attack than an external cyber attack.

- More difficult than detecting and preventing external cyber attacks: 61%
- About as difficult as detecting and preventing external cyber attacks: 33%
- Less difficult than detecting and preventing external cyber attacks: 6%

SPEED OF RECOVERY

Q: How long would it take your organization to recover from an insider attack, on average?

Expected recovery from insider attacks is taking longer than in previous years. Most frequently, 24% of organizations feel they could recover from an attack within one week. However, the share of organizations that can recover within a day or less has declined to 35% from 45% in previous surveys.

- Within minutes: 8%
- Within hours: 10%
- Within one day: 17%
- Within one week: 24%
- Within one month: 9%
- Within three months: 5%
- Longer than three months: 1%
- No ability to recover: 2%
- Not sure / Can't disclose: 24%

METHODOLOGY & DEMOGRAPHICS

The 2017 Threat Monitoring, Detection and Response Report is based on the results of a comprehensive online survey of over 400 cybersecurity professionals to gain more insight into the latest security threats faced by organizations and the solutions to detect, remediate, and prevent them. The respondents range from technical executives to managers and IT security practitioners. They represent organizations of varying sizes across many industries. Their answers provide a comprehensive perspective on the state of threat monitoring, detection and response today.

CAREER LEVEL
- Manager / Supervisor: 22%
- Specialist: 16%
- Consultant: 13%
- Director: 13%
- CTO, CIO, CISO, CMO, CFO, COO: 13%
- Owner / CEO / President: 8%
- Vice President: 2%
- Project Manager: 2%
- Other: 11%

DEPARTMENT
- IT Security: 44%
- IT Operations: 21%
- Engineering: 5%
- Product Management: 4%
- Marketing: 4%
- Operations: 3%
- Compliance: 3%
- Sales: 3%
- Other: 13%

INDUSTRY
- Technology, Software & Internet: 27%
- Government: 9%
- Professional Services: 12%
- Financial Services: 11%
- Manufacturing: 7%
- Education & Research: 19%
- Healthcare, Pharmaceuticals, & Biotech: 6%
- Telecommunications: 3%
- Non-Profit: 3%
- Other: 3%

COMPANY SIZE
- Fewer than 10: 15%
- 10-99: 19%
- 100-499: 17%
- 500-999: 7%
- 1,000-4,999: 18%
- 5,000-10,000: 6%
- Over 10,000: 18%

SPONSORS OVERVIEW

BluVector | www.bluvector.io
BluVector helps security teams respond to malicious threats up to 80% faster than current approaches. As a leader in Network Security Monitoring & Analytics, BluVector applies supervised machine learning and automation so security teams can detect and respond to advanced security threats at digital speed. Read more about Machine Learning at www.bluvector.io or call us at 571-565-2100 to req

AlienVault | AlienVault has simplified the way organizations detect and respond to today's ever evolving threat landscape. Our unique and award-winning approach combines our all-in-one platform, AlienVault Unified Security Management, with the power of AlienVault's Open Threat Exchange, making effective and affordable threat detection attainable for resource-constrained IT teams.

Bitglass | Bitglass Cloud Access Security Broker (CASB) solution provides enterprises with end-to-end data protection from the cloud to the device. It deploys in minutes and works across apps like Office 365, Salesforce, and AWS. Bitglass also protects data on mobile devices without the hassles of MDM. Bitglass is the only agentless real-time cloud access security broker - total data protection, any app, any device.

ControlScan | ControlScan managed security and compliance solutions help secure networks, protect payment card data and streamline the path to authentic PCI compliance. We deliver on our "We've Got Your Back" promise by combining deep-seated expertise with superior technologies for log monitoring and management, advanced endpoint security, unified threat management, file integrity monitoring and more.

EventTracker | EventTracker enables infosec teams to be more productive and effective by cutting through the big data noise of security monitoring and delivering actionable security intelligence. EventTracker combines an award-winning unified security management platform, threat intelligence, and a 24/7 SOC to catch more threats, accelerate appropriate responses and automate remediation.

Dtex | Dtex provides unique endpoint data and analytics to detect data breaches, insider threats, and outsider infiltration. It pinpoints threats by combining patterns of known bad behavior with advanced user behavior intelligence. Dtex provides visibility into everything users do on their work devices on and off the corporate network without compromising privacy.

DomainTools | DomainTools helps security analysts turn threat data into threat intelligence. We take indicators from your network and connect them with nearly every active domain on the Internet. Fortune 1000 companies, global government agencies, and leading security solution vendors use the DomainTools platform as a critical ingredient in their threat investigation and mitigation work.

Delta Risk | Delta Risk LLC provides cyber security and risk management services to government and commercial clients worldwide. Founded in 2007, Delta Risk offers managed security services, advisory and training, and incident response services to improve cyber security operational capability and protect business operations. Delta Risk is a Chertoff Group company.

SoftActivity | SoftActivity has provided user monitoring software to thousands of organizations since 2003. View user activity and screens of remote computers in real time with our Activity Monitor. Record user sessions on terminal servers. Supervisors can view reports in the on-premise web console: used programs, websites, screen copies, attendance, files and communications history.

ObserveIT | ObserveIT helps 1,500+ customers identify and eliminate insider threat by combining the most comprehensive view of user activity on all endpoints, applications, and files with preconfigured insider threat indicators. The solution drastically decreases the risk of an insider threat incident, ensures organizations remain compliant, decreases time spent on investigating incidents, and prevents data loss.

Tenable | Tenable transforms security technology through comprehensive solutions providing continuous visibility and critical context, enabling decisive actions to protect organizations of all sizes. Tenable eliminates blind spots, prioritizes threats and reduces exposure and loss.

Exabeam | Exabeam is the leading provider of security intelligence solutions, trusted by the most demanding companies in the world to protect sensitive information against theft and breach. The Exabeam Security Intelligence Platform uniquely combines unlimited data collection, advanced analytics, and automated incident response into a modern platform for security management.
