8/12/2019 2014 EndpointVisibility Survey
A SANS Analyst Survey
Written by Jacob Williams
March 2014
Sponsored by
Guidance Software
The Case for Endpoint Visibility
Introduction
The year 2013 witnessed a seemingly unending parade of headline-grabbing, high-profile data breaches, many of which started out as the result of compromised endpoints. For example, Target's high-profile breach announced in December 2013 was reportedly the result of compromised point-of-sale (POS) systems.1 The successful attacks in early 2013 against Apple, Facebook and Twitter featured well-executed attacks on endpoints stemming from a watering hole tactic that made use of a compromised website frequented by developers of apps for Apple's iOS devices.2
With the numerous breaches focused on endpoints, we set out to determine how organizations are monitoring, assessing, protecting and investigating their endpoints, as well as remediating breaches upon detection, by conducting the first SANS Endpoint Security Survey.
The survey was offered online during December 2013 and January 2014, and 948 IT professionals working in a variety of industries completed it. From the results, we learned:
More than half of respondents say they've already been compromised, or will be. Just over 47% of respondents were operating under the assumption they've been compromised, with another 5% in the "Other" category, many of whom say they operate under the assumption that if they have not already been compromised, they eventually will be.
Most compromises are unsophisticated. Most respondents (52%) indicated that the vast majority of their compromises are perpetrated by unsophisticated attackers, which seems at odds with media reports, where every attack seems to be the work of advanced persistent threat (APT) groups using stealth techniques.
More endpoint data is necessary for effective threat hunting. A significant segment of respondents, exceeding 40% in several categories, is not collecting as much data as desired for use in detecting and remediating threats.
Lack of automation causes remediation lag. A lack of automation slows the process of incident response and remediation, with the largest segment of respondents (54%) automating one-tenth or less of their response processes.
Most remediation is performed manually. Only 7% of participants reported using automated workflows for remediating endpoints, compared to the 77% who reported the use of the more manual wipe-and-reimage tactic.
1 "Target: Breach Caused by Malware," BankInfoSecurity, 12/24/2013, www.bankinfosecurity.com/-a-6316/op-1
2 "Hackers Who Attacked Twitter, Facebook, Apple May Have Hundreds More Victims," Huffington Post, 2/20/2013, www.huffingtonpost.com/2013/02/20/apple-hacked-facebook-twitter_n_2726061.html
As organizations develop strategies for detecting and remediating threats, they should look to augmenting endpoint visibility with tools that provide the capability to look at a broader set of endpoint assets. Tools that can detect which endpoints contain regulated data, such as personally identifiable information (PII), are particularly important.
In addition, there exists a considerable opportunity for organizations to increase productivity and accelerate recovery from incidents by automating the response and remediation process. Compromises unfold quickly, and organizations that respond quickly in remediating threats may prevent the theft of confidential data or reduce the scope of the damage.
The full results of the inaugural SANS Endpoint Security Survey are summarized in this whitepaper to help information security professionals track trends in endpoint protection and identify how their organizations' capabilities compare with the survey base.
Survey Respondents
The results of the survey are representative of a large cross-section of organizations, not just those with sizable (or minimal) budgets for endpoint security. One-third (33%) of respondents represented organizations of more than 10,000 employees, while organizations with fewer than 1,000 employees comprised just over one-third (34%) of all responses, as shown in Figure 1.
Survey respondents also came from a large cross-section of industries; almost one-fifth (19%) of responses were from financial, banking and insurance professionals (the largest group). Government was also well represented in the survey, accounting for another 13% of responses. Other industry groups contributing significantly to the survey results included high tech, education, health care/pharmaceutical, telecommunications and manufacturing. This cross-section of responses demonstrates a broad interest in endpoint protection. The diversity of respondents is also a measure of the quality of data in the survey. No one industry controls the majority of the responses, as shown in Figure 2.
Figure 1. Organization Size of Respondents (survey question: "How many people work at your organization, either as employees or consultants?")
Figure 2. Industries of Survey Respondents (survey question: "What is your organization's primary industry?")
As any manager will confirm, people in staff positions may have different concerns and goals than consultants. We asked respondents to identify their roles and whether they were consultants or staff; more than four-fifths (82%) of respondents said they were on staff at the organization they represent.
When asked about their primary work role, the largest group of respondents encompassed security administrators and security analysts. However, a surprising number of respondents are in management roles; more than one-third (37%) of respondents work in IT management (e.g., CIO or related duties) or security management (e.g., CISO or similar responsibilities). These results indicate that the survey topic speaks to the strategic concerns of management while also addressing the technical concerns of those in the trenches. Figure 3 shows the distribution of responses.
Figure 3. Primary Work Roles of Respondents (survey question: "Please indicate your primary role in your organization.")
Assuming the Worst as a Start
All information security professionals know that systems can be compromised, so we asked survey respondents how their organizations currently perceive their endpoint security hygiene. Those operating under the assumption that their endpoints are clean may prioritize security of internal assets differently from those operating under the assumption that at least some systems may be compromised, applying less rigor to defense in depth of their endpoints. Those operating from an assumption of compromise are likely to invest effort in detection and engage in proactive searches for compromised endpoints. To these organizations, not finding the compromise today doesn't mean it isn't there; it simply means that detection has fallen short.
The numbers are split nearly down the middle, with 47% responding affirmatively that they are operating under the assumption of compromise and 48% responding negatively. However, our analysis of the details behind the "Other" responses (5%) tells an interesting story: Overwhelmingly, such responses indicate that respondents believe that some of their systems are compromised. (Responses such as "No, but we should be!" and "Well, not all of them" paint the picture that many professionals understand the need to operate under the assumption of compromise; whether they do so is another issue altogether.) Perhaps the most notable response in this category is "It's likely, however I only know what I can see." This response, like several others, speaks to the significant challenges of detecting compromises in today's operating environment. Figure 4 shows the almost even division of "Yes" and "No" responses.
Figure 4. Assumption of Compromise (survey question: "Are you operating under the assumption that your systems have been compromised?")
Evading Detection at the Perimeter
Survey respondents were asked what percentage of incidents over the last 24 months were the result of threats that should have been blocked by a perimeter security device, as shown in Figure 5.
This is admittedly difficult to quantify, particularly for organizations without good endpoint visibility or a mature incident response (IR) process. Therefore, it's no surprise that slightly more than one-fifth (21%) of respondents answered, "I don't know." However, for those who were able to quantify the numbers, the results were very telling.
The largest category of respondents who could identify such incidents (36%) was the group believing that, at most, 10% of these incidents should have been blocked at the edge, which indicates these respondents find perimeter devices effective in general. A more instructive analysis, however, is to consider where perimeter protection is failing. To evaluate this, we considered the respondents who believed that the vast majority of their attackers should have been blocked at the perimeter. Respondents claiming that 31% or more of such perimeter protection failures took place account for a staggering one-fifth (21%) of respondents.
Figure 5. Incidents That Should Have Been Blocked by a Perimeter Security Device (survey question: "What percentage of the incidents in your organization over the last 24 months were the result of threats that should have been blocked by a perimeter security device (e.g., firewall or UTM)?")
Stealth Techniques Not So Pervasive
We also asked respondents what portion of those attacks that evaded perimeter detection was considered to be the work of advanced adversaries using stealth techniques. However, this question has its own built-in bias: Organizations may feel that they get a free pass on a breach if the attack was advanced, or that because the attacker used stealth techniques, a compromise was inevitable and there was nothing that could be done to detect it. For this reason, organizations may report mundane attacks as advanced and stealthy.3 As such, it was expected that the numbers in these responses would be elevated somewhat over reality.
The results, however, were both surprising and telling. Almost one-fourth (24%) of participants had no gauge of their adversaries' skill. However, more than half (52%) of respondents believed that 20% or less of attacks bypassing perimeter protections used stealth techniques, as shown in Figure 6.
Combine this data with that from the last question, and a clear picture emerges: Attackers are bypassing perimeter protections at will and do not need to use stealth techniques to do so. This should be a serious point of concern for organizations that have placed all of their security eggs in the perimeter protection basket. According to Verizon's 2013 Data Breach Investigations Report, more than 95% of those attacks tied to state-affiliated espionage or intelligence activities used phishing as an initial infection vector.4 Although some phishing attacks can be detected and blocked at the perimeter, the best chance for detecting those that get through successfully is through enhanced endpoint instrumentation.
Figure 6. Use of Stealth Techniques to Evade Perimeter Detection (survey question: "What percentage of threats that initially evaded perimeter detection would you categorize as advanced adversaries using stealth techniques?")
3 "The Truth Behind the Shady RAT," Symantec Security Response blog, 4/11/2011, www.symantec.com/connect/blogs/truth-behind-shady-rat
4 2013 Data Breach Investigations Report, p. 36, www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf
Time to Respond Is Limited
When we asked survey participants about the acceptable delay in receiving data from queried endpoints, the results couldn't be any clearer: Speed matters. More than four-fifths (83%) of respondents said they needed results from their endpoint queries in less than an hour, as shown in Figure 7.
A subset of that group (26% of all respondents) wanted the data in less than five minutes, underscoring the need to pre-position any needed software agents on endpoints. Without agents already in place, obtaining results from all endpoints in less than an hour is simply impossible.
Figure 7. Maximum Acceptable Delay (survey question: "To provide maximum value in detecting and responding to incidents, what is the acceptable delay between requesting data and receiving it from all queried endpoints?")
Response Costs
Reducing the time spent per endpoint on IR, even marginally, has multiplicative effects on overall cost savings. Organizations should consider how much time they are spending per endpoint (compared to the median result) and whether they wish to reduce such costs.
In our survey, 17% of respondents reported spending 6-10% of their security budgets on IR, 12% spend 11-25% of their budgets on it and 7% spend more than 25% of their budgets on response, as shown in Figure 8.
The cost of IR is closely tied to the number of man-hours required to remediate the threat. To quantify this, we asked survey participants how many hours they spend per endpoint when responding to an incident. Although this number is also subject to a number of variables, if not pure guesswork, we believe that the nature of the question brings these estimates closer to truth.
Figure 8. Percentage of IT Security Budget Spent on IR (survey question: "How much of your IT security budget is spent on incident response?")
More than one-fourth (27%) of respondents reported that they spend more than four hours per compromised endpoint in incident response time, while 28% spend between two and four hours and another 45% spend no more than two hours per endpoint, as shown in Figure 9.
Assuming a modest cost of $50 per man-hour (which could be even higher if outside consultants are used), investigative costs can easily top $200 for each infected endpoint being investigated. Such numbers underscore the case for more automation in endpoint assessment, remediation and follow-through. One way to lower the time expended per compromised endpoint is to move away from wipe-and-reimage remediation strategies and focus on more targeted remediation.
Figure 9. Number of Hours Spent per Compromised Endpoint on IR (survey question: "On average, how many hours do you spend per compromised endpoint when responding to an incident?")
Automation and Remediation Still Challenging
Any organization seeking to lower IR costs should increase the level of automation in its processes. Automation would include tools for scanning endpoints, correlating response data, detecting compromises, remediating threats and managing workflow.
Only 16% of respondents currently automate 51% or more of their IR tasks, whereas 70% of respondents automate less than one-fifth of their IR tasks. IR efforts rely greatly on manual processes, as shown in Figure 10.
When asked what percentage of their IR processes they expected to have automated in the next 24 months, respondents' answers varied significantly. The number of respondents who expect to have more than half of their processes automated by early 2016 was 34%, more than double today's number. The number of respondents expecting to have less than 20% of their IR automated by then is half that of today, indicating a significant trend toward automation.
Comparing the cost of qualified incident responders to the cost of automating their tasks, the choice for organizations wishing to lower their IR costs is obvious. As the number of network-based attacks continues to grow, organizations must increase automation to merely keep pace, assuming their current staffing levels remain constant.
Figure 10. Automation of IR Workflow (survey questions: "What percentage of your incident response process is currently automated through the use of purpose-built tools for remediation workflow?" and "What do you expect this percentage to be in 24 months?")
Obstacles to Recovery
Interestingly, the possibility of losing data during a wipe-and-reimage barely makes it into a list of the five greatest challenges to incident recovery. The four challenges at the top of that list, each noted by more than 40% of respondents, could all be addressed through improved endpoint visibility:
Assessing the impact
Determining the scope of compromise across multiple endpoints
Determining the scope of compromise on a single endpoint
Hunting for compromised endpoints.
Losing data during a wipe-and-reimage is a great challenge to slightly more than one-third (35%) of respondents, while even fewer respondents (33%) consider remediation of compromised endpoints noteworthy, as shown in Figure 12.
Figure 12. Greatest Challenges in Recovering from Incidents (survey question: "Which of the following are the greatest challenges in recovering from an incident? Select those that most apply.")
Detecting Endpoint Threats
When we asked respondents about their risk and compliance concerns, the most indicated categories (each with 55% or more) were workstations, web servers and Windows endpoints, respectively. Cloud, OS X and Linux endpoints were also a concern for some organizations, each of them being reported by more than 10% of respondents, as shown in Figure 13.
Notable write-in candidates for this category were mobile devices and so-called bring-your-own-device (BYOD) policies. Organizations seeking to increase visibility in a cost-effective manner should deploy first where it matters most: the Windows desktop. However, an endpoint-monitoring solution that allows analysts to access data across the heterogeneous operating platforms (often, Linux or UNIX derivatives) at the heart of the enterprise should increase efficiency for those organizations operating on multiple platforms.
Figure 13. Endpoints Rated by Risk (survey question: "What endpoints are of most concern to you from a risk and security perspective?")
Threat Detection Still Network Focused
We also asked participants where visibility matters most for threat detection, with classic IT favorites IDS/IPS, firewalls and log data being the top finishers, as shown in Figure 14. Several participants indicated in supplemental comments that they use security information event management (SIEM) tools.
What is most startling about these responses is that only 23% of respondents felt endpoint visibility (without regard to the endpoint's role) to be the most important point of detection. This indicates that organizations are still taking a network-centric view of threats by using firewalls or IDS/IPS tools to detect them. Wouldn't data from the endpoints themselves provide better opportunities for detection?
The network perimeter, formerly a finite boundary, has become fuzzy thanks to changes such as the explosive growth in the use of mobile devices and the adoption of BYOD policies to manage them, as well as increased use of resources by remote workers using VPN and other technologies. The disappearing perimeter makes a strong case for increased endpoint-detection capabilities, where threat detection operates the same regardless of the physical location of the endpoint.
Figure 14. Where Threat Visibility Matters Most (survey question: "Where does visibility into threats matter most for detecting threats in your organization?")
(They Can't Get No) Satisfaction
When it comes to well-established defenses such as antivirus and firewalls, some of the most telling numbers in the survey results are the rates of dissatisfaction with them. Almost one-fifth (17%) of respondents are unhappy with the results from file scanning using antivirus tools. Even more startling are the responses from those using SIEM tools: of these respondents, almost 14% report that they are not satisfied, as shown in Figure 15.
The highest rates of overall satisfaction from our respondents were noted with border firewalls (86%), file scanning antivirus (80%), web proxies (61%) and host-based firewalls (59%), respectively. Although web proxies and firewalls are clearly useful (and necessary) for perimeter protection, a true defense in depth requires that endpoints be independently protected even when the perimeter is breached.
Figure 15. Satisfaction with Endpoint and Perimeter Defenses (survey questions: "What type of endpoint/perimeter protection are you using in your organization? How satisfied are you with each?")
That requires detecting a breach, which is an area where our respondents reported general satisfaction with the methods they use for threat detection. Classic network-centric detection through antivirus, firewalls or IDS/IPS tools is still at the top of this list. Unsurprisingly, respondents reported greater satisfaction with analyzing data in a SIEM system than they did with manual review of endpoint logs, as shown in Figure 16.
A recent focus in enterprise defense is to instrument the network to increase visibility through the use of full packet capture or network flow analysis. However, respondents were not satisfied with these network-centric methods of threat detection, highlighting the need for additional capabilities that are focused on endpoints rather than the network.
Figure 16. Satisfaction with Detection Capabilities (survey question: "How satisfied are you with the various detection capabilities you use?")
Detecting Compromised Endpoints
Although endpoint visibility may not seem as important to respondents as perimeter visibility is, our next question indicates that 70% of them collect security data from endpoints. They're collecting data including user logins, applications, artifacts of malware, listening network ports, unauthorized network interfaces and running processes, as shown in Figure 17.
These categories were the expected front-runners when it comes to ease of analysis and acquisition, yet those categories where the majority of respondents considered a data type useful, but were not collecting it, were most interesting. These can include network protocol cache entries, route tables, browser history artifacts and PII stored on endpoints where it is not authorized. As an example of the latter, artifacts of regulated, but unencrypted, data may be found in a paging file, even if the application processing them never itself writes the data to disk.
Elsewhere, the existence of prefetch or link files may point to execution and file access, but these are difficult to access without endpoint visibility solutions. The fact that respondents would like this data, but are not currently collecting it, suggests the challenges to obtaining it may be more than technical issues.
Figure 17. Methods Used in Endpoint Data Collection (survey question: "Which of the following do you collect from endpoints for the purposes of correlation in the detection and remediation of threats?")
When evaluating tools for endpoint visibility, decision makers should consider the tools' capability to collect such critical information as the presence of illicit PII on an endpoint, which may indicate the latter's use as a staging area for exfiltrated data, thereby providing the first detection of a network compromise. Organizations without the capability to detect such behavior should carefully evaluate their investigation strategies.
IDS and perimeter firewalls were also two of the top three methods selected for protecting endpoints, again showing how organizations are still using network-based devices for the detection of endpoint compromises.
These network-detection methods merely point to the compromised endpoint without providing any assistance in cleanup or mitigation through endpoint instrumentation. Figure 18 shows the distribution of threat detection successes, according to respondents.
To get closer to the endpoint, respondents are using either SIEM (42%) or manual review of endpoint logs (38%) for detection. Both of these detection methods take the analyst closer to the compromise: the endpoint itself has the most artifacts relating to the compromise. That AV alerts are used to detect more compromises than SIEM or manual review of endpoint logs tells us that endpoint data review has a lot of catching up to do. When reviewing endpoint artifacts, context is everything; although an antivirus alert signals a hostile executable, it does so without analyzing the context. Zero-day payloads, by definition, can escape signature-based antivirus, but context from, say, reputation assessment could be used to uncloak the intruder.
Figure 18. Methods Used to Detect Compromises (survey question: "How did you detect that these threats had compromised your organization? Choose all that apply.")
By making better use of endpoint data such as browser history, prefetch files and DNS cache entries, we paint a more complete picture of the machine state.
Merely identifying the technology responsible for threat discovery doesn't tell the whole story, however. Analysts may detect threats reactively, by responding to an alert, or proactively, by actively interrogating their endpoints, looking for anomalies. Our respondents overwhelmingly rely on reactive detection, as shown in Figure 19.
Only 17% of respondents reported finding more than half of their threats through active discovery, while 53% of respondents found more than half of their threats by responding to alerts. Reactive detection is not necessarily inferior, but organizations should consider what steps they can take to increase the number of alerts found through proactive scanning. This often involves adding instrumentation at the endpoint, where attacks are targeted.
Figure 19. Proactive Versus Reactive Threat Detection (survey question: "What percentage of your threats are detected through proactive discovery (actively interrogating endpoints) versus reactive (responding to IDS/AV/SIEM alerts)?")
Conclusions
As the threat landscape continues to expand, organizations will allocate ever-increasing resources to endpoint protection. When, despite best efforts, endpoints are compromised, organizations must then be ready to react to minimize data loss and remediation costs.
The results of the first SANS Endpoint Security Survey point to a lack of visibility on endpoints, with organizations relying on a number of network-centric methods. Given the number of participants' threats that bypassed perimeter protection devices, it's no wonder that greater visibility at the endpoint is called for. Additionally, participants require rapid responses when requesting data from their endpoints; answers within an hour may not be enough, as over three-fifths (61%) of respondents require them in less than 30 minutes. Finally, the survey highlighted a strong need for automation and proactive discovery of threats in the network.
Organizations that wish to protect their assets from compromise should look to protect the actual target of attacks: the endpoints that hold the sensitive data. Best-in-breed organizations should seek to increase automation and endpoint visibility, pre-deploying instrumentation assets where appropriate to minimize response delays.
About the Author
Jacob Williams is the chief scientist at CSRgroup computer security consultants and has more than a decade of experience in secure network design, penetration testing, incident response, forensics and malware reverse engineering. Before joining CSRgroup, he worked with various government agencies in information security roles. Jake is a two-time victor at the annual DC3 Digital Forensics Challenge.
Sponsor
SANS would like to thank this paper's sponsor: