Survey: Security Analytics and Intelligence
A look at the impact of security threats and the use of security analytics and intelligence to mitigate those threats
© 2013, SolarWinds Worldwide, LLC. All rights reserved.
Conducted by SANS Institute, June/July 2013
Introduction
» SolarWinds, in conjunction with SANS, recently conducted a survey on Security Analytics and Intelligence with participation from over 600 IT professionals
» This presentation provides insight into IT budgets for security, difficulties faced in identifying attacks and breaches, and more
The Agenda
• Participants: Whom did we survey?
• Results: What did they say?
• Key Takeaways: What does the survey mean to you?
• Recommendations: What can you do?
SANS & SOLARWINDS IT SECURITY SURVEY 2013
Whom Did We Survey?
Participants: Industry wise
[Bar chart: share of participants by industry. Categories as extracted: Government/Military; Financial Services/Ba…; Other; Education; High Tech; Healthcare/Pharmace…; Telecommunications Ca…; Manufacturing; Energy/Utilities; Retail; Engineering/Construc…; Hosting Service Prov…. Values as extracted: 19.0%, 17.2%, 15.6%, 8.7%, 8.7%, 8.2%, 7.0%, 5.9%, 5.1%, 2.9%, 0.9%, 0.9%.]
45% of the surveyed organizations were from Federal, BFSI and Healthcare
IT Budget Spent on IT Security
• 45% of the survey takers were spending less than 20% of their IT budget on information security management, compliance and response
• About 30% spent less than 10% on information security management, compliance and response
[Pie chart labelled "IT Pro's Role": share of IT budget spent on security]
• Unknown: 40.0%
• Less than 5%: 21.3%
• 6% to 10%: 16.0%
• 11% to 20%: 7.9%
• 21% to 30%: 7.3%
• 31% to 40%: 2.0%
• 41% to 50%: 1.2%
• 51% to 60%: 0.9%
• Greater than 60%: 1.7%
• Other: 1.6%
Threat Detection and Response
Difficulty in Detecting Threats
[Bar chart: number of attacks in the past two years that were difficult to detect, share of respondents]
• No attacks (that we …: 33.4%
• 2 to 5: 23.5%
• Unknown: 21.1%
• 1: 7.8%
• 6 to 10: 5.7%
• 11 to 20: 3.0%
• 21 to 50: 2.8%
• 51 to 100: 1.3%
• More than 100: 1.3%
In the past two years, 45% of the respondent companies had 1 or more attacks that were difficult to detect.
Time Taken to Detect the Impact of the Attacks
• 30% of the organizations took up to a week to detect the impact
• 14% of them took about 1-3 months
[Chart categories: Within the same day; One week or less; A month or less; Three months or less; Five months or less; 10 months or less; More than 10 months; Unknown. Values are not recoverable from the extracted text.]
Time Taken for Attack Remediation
• 35% of companies took up to a week to remediate after the initial knowledge of an attack
• About 11% of the companies took 1-3 months
[Chart categories: Within the same day; One week or less; A month or less; Three months or less; Five months or less; 10 months or less; More than 10 months; Unknown. Values are not recoverable from the extracted text.]
Data Collection and Correlation
Top 3 Impediments to Discovering and Following Up on Attacks
[Chart: three values, 39%, 21% and 19%; the impediment labels are not recoverable from the extracted text.]
Types of Operational and Security Data Collected for Security Analytics
Top 3 Types of Data Currently Collected:
• Log data from network devices, servers and applications
• Monitoring data from firewalls, vulnerability scanners, IDS/IPS
• Access data
[Bar chart: for each data type, share of respondents that currently collect it, plan to collect within 12 months, don't plan to collect, or unknown (0%-90% axis). Data types:]
• Log data from network (routers/switches) and servers, applications and/or endpoints
• Monitoring data provided through firewalls, network-based vulnerability scanners, IDS/IPS, UTMs, etc.
• Access data from applications and access control systems
• Unstructured data-at-rest and RAM data from endpoints (servers and end-user devices)
• Security assessment data from endpoint (aka from NAC/MDM scans), application and server monitoring tools
• Assessment and exception data (not on the whitelist of approved behaviors) taken from mobile/BYOD endpoints (aka from NAC/MDM scans)
• Monitoring and exception data pertaining to internal virtual and cloud environments
• Monitoring and exception data pertaining to public cloud usage
• Other
Top 3 Within 12 Months:
• Security assessment data from endpoint, application and server monitoring tools
• Monitoring and exception data from internal virtual and cloud environments
• Access data from applications and access control systems
How Satisfied are Organizations with their Security Tools?
Alarming Factor!!
59% of the organizations don’t know whether they are collecting security data in real time or not.
Correlation of Event Logs
• 30% of the organizations did not have any automated correlation of log data
• 45% of the organizations manually scripted searches based on hunches
• 39% of them had no third party intelligence tools
[Bar chart: log correlation methods in use, share of respondents (0%-50% axis). Categories:]
• Dedicated log management platform used for IT security and operations
• Use of SIEM technologies and systems
• Manual and manually-scripted searches based on evidence and hunches
• No automated correlation of logs, just manual scanning for exceptions by experts
• Advanced intelligence/threat profiling database
• Unstructured data analysis tools with NoSQL and other methods
• Hadoop or other free or distributed data analysis tools
• Other
More on Correlation
38% of the respondent organizations did not have log correlation for external threat intelligence tools.
And guess what??? 44% of the organizations are doing only up to 25% of their inquiries to detect threats in real time.
About 36% of the organizations never had any automated pattern recognition.
Satisfaction with Current Analytics and Intelligence Capabilities
• About 59% of the organizations are not satisfied with their library of appropriate queries and reports
• 56% of the organizations are not satisfied with their relevant event context intelligence
• 56% of them have no visibility into actionable security events
[Bar chart: satisfaction rating per capability, axis 1.25 to 1.75 (scale not labelled in the extracted text). Capabilities:]
• Producing or having a library of appropriate queries/meaningful reports
• Relevant event context (intelligence) to observe “abnormal behavior”
• Training/intelligence expertise
• Integration of other monitoring systems into collection processes (normalization/standards for data storage and translation)
• Costs for tools, maintenance and personnel
• Visibility into actionable security events across disparate systems and users
• Ability to alert based on exceptions to what is “normal” and approved
• Reduction of false positives and/or false negatives
• Performance and response time issues
• Other
• Storage capacity and access of data in needed formats
Primary Use Cases for Evaluation of Security Tools
[Bar chart, 0%-25% axis]
• 24% - External malware
• 13% - Advanced persistent threats
• 11% - Compliance monitoring
Top 3 Future Investments in Security
[Bar chart: planned security investments, share of respondents (0%-70% axis). Categories as extracted: Security information management t…; Personnel/training to detect patt…; Vulnerability management; Network protections (UTM, IDS/IPS, …; Endpoint visibility; Application protections and visibi…; Intelligence products or services; Analytics engines; Other. Values are not recoverable from the extracted text.]
Top 3 Future Investments in Security:
1. SIEM Tools
2. Training
3. Vulnerability Management
Key Takeaways
For truly effective security and threat management, organizations need to:
• Collect and correlate appropriate log and event data across all relevant sources throughout the IT infrastructure
• Handle larger volumes of log data efficiently
• Establish a baseline of “normal” behavior in order to identify anomalies
• Identify threats and attacks in real time
• Reduce the time between detection and response
• Implement the right tools for advanced analytics and intelligence
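As an added illustration of the first four takeaways (collect from several sources, baseline what is normal, correlate events, detect within seconds rather than weeks), here is a small Python correlation routine. It is not code from the survey or from SolarWinds; the log lines, host names, addresses and the per-user baseline are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines (not real data) from two sources, an auth server
# and a VPN gateway, as a log management platform would collect them.
LOG_LINES = """
2013-07-01T09:00:01 authsrv sshd: Failed password for alice from 10.1.1.5
2013-07-01T09:00:02 authsrv sshd: Accepted password for alice from 10.1.1.5
2013-07-01T09:05:10 vpngw vpn: Failed password for bob from 203.0.113.9
2013-07-01T09:05:12 vpngw vpn: Failed password for bob from 203.0.113.9
2013-07-01T09:05:15 vpngw vpn: Failed password for bob from 203.0.113.9
2013-07-01T09:05:40 vpngw vpn: Accepted password for bob from 203.0.113.9
""".strip().splitlines()

# Baseline of "normal": source addresses each user has logged in from before (constructed).
BASELINE = {"alice": {"10.1.1.5"}, "bob": {"10.1.1.7"}}

LINE_RE = re.compile(r"^(\S+) (\S+) \S+: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(line):
    """Normalize one line from any source into a common event record (None if unparsable)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "ok": outcome == "Accepted", "user": user, "src": src}

def correlate(lines, baseline, fail_threshold=3, window=timedelta(minutes=5)):
    """Stream events in arrival order; alert when a successful login from a source that is
    not in the user's baseline follows >= fail_threshold failures from it within the window."""
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failed logins
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if not ev["ok"]:
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["src"] not in baseline.get(ev["user"], set()) and len(recent) >= fail_threshold:
            alerts.append({"user": ev["user"], "src": ev["src"], "host": ev["host"],
                           "failures": len(recent),
                           # time from first failure to alert: the detection latency the survey asks about
                           "detect_seconds": (ev["ts"] - recent[0]).total_seconds()})
        failures[key].clear()  # a success closes the sequence for this (user, src) pair
    return alerts
```

Alice's single failure from a baselined address is ignored; Bob's three failures from a never-seen address followed by a success raise one alert 30 seconds after the first failure.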
How Can SIEM Solutions Help You?
» Event correlation for event context and actionable intelligence
» Real-time analysis for immediate threat detection and mitigation
» Advanced IT search to simplify event forensics and expedite root cause analysis
» Built-in reporting to streamline security and compliance
65% of the organizations want to make their security investments on SIEM systems
SolarWinds Log & Event Manager
Log Collection, Analysis, and Real-Time Correlation
• Collects log & event data from tens of thousands of devices & performs true real-time, in-memory correlation
• Powerful Active Response technology enables you to quickly & automatically take action against threats
• Advanced IT Search employs highly effective data visualization tools – word clouds, tree maps, & more
• Quickly generates compliance reports for PCI DSS, GLBA, SOX, NERC CIP, HIPAA, & more
• Built-in correlation rules, reports, & responses for out-of-the-box visibility and proactive threat protection
Thank You!