2014 Endpoint Visibility Survey

Posted on 03-Jun-2018


8/12/2019 2014 EndpointVisibility Survey 1/23

The Case for Endpoint Visibility

A SANS Analyst Survey
Written by Jacob Williams
March 2014
Sponsored by Guidance Software

Introduction

The year 2013 witnessed a seemingly unending parade of headline-grabbing, high-profile data breaches, many of which started out as the result of compromised endpoints. For example, Target's high-profile breach announced in December 2013 was reportedly the result of compromised point-of-sale (POS) systems.[1] The successful attacks in early 2013 against Apple, Facebook and Twitter featured well-executed attacks on endpoints stemming from a watering hole tactic that made use of a compromised website frequented by developers of apps for Apple's iOS devices.[2]

With the numerous breaches focused on endpoints, we set out to determine how organizations are monitoring, assessing, protecting and investigating their endpoints, as well as remediating breaches upon detection, by conducting the first SANS Endpoint Security Survey.

The survey was offered online during December 2013 and January 2014, and 948 IT professionals working in a variety of industries completed it. From the results, we learned:

• More than half of respondents say they've already been compromised, or will be. Just over 47% of respondents were operating under the assumption they've been compromised, with another 5% in the "Other" category, many of whom say they operate under the assumption that if they have not already been compromised, they eventually will be.

• Most compromises are unsophisticated. Most respondents (52%) indicated that the vast majority of their compromises are perpetrated by unsophisticated attackers, which seems at odds with media reports, where every attack seems to be the work of advanced persistent threat (APT) groups using stealth techniques.

• More endpoint data is necessary for effective threat hunting. A significant segment of respondents, exceeding 40% in several categories, is not collecting as much data as desired for use in detecting and remediating threats.

• Lack of automation causes remediation lag. A lack of automation slows the process of incident response and remediation, with the largest segment of respondents (54%) automating one-tenth or less of their response processes.

• Most remediation is performed manually. Only 7% of participants reported using automated workflows for remediating endpoints, compared to the 77% who reported the use of the more manual wipe-and-reimage tactic.

1 Target: Breach Caused by Malware, BankInfoSecurity, 12/24/2013, www.bankinfosecurity.com/-a-6316/op-1
2 Hackers Who Attacked Twitter, Facebook, Apple May Have Hundreds More Victims, Huffington Post, 2/20/2013, www.huffingtonpost.com/2013/02/20/apple-hacked-facebook-twitter_n_2726061.html

As organizations develop strategies for detecting and remediating threats, they should look to augmenting endpoint visibility with tools that provide the capability to look at a broader set of endpoint assets. Tools that can detect which endpoints contain regulated data, such as personally identifiable information (PII), are particularly important.

In addition, there exists a considerable opportunity for organizations to increase productivity and accelerate recovery from incidents by automating the response and remediation process. Compromises unfold quickly, and organizations that respond quickly in remediating threats may prevent the theft of confidential data or reduce the scope of the damage.

The full results of the inaugural SANS Endpoint Security Survey are summarized in this whitepaper to help information security professionals track trends in endpoint protection and identify how their organization's capabilities compare with the survey base.

Survey Respondents

The results of the survey are representative of a large cross-section of organizations, not just those with sizable (or minimal) budgets for endpoint security. One-third (33%) of respondents represented organizations of more than 10,000 employees, while organizations with fewer than 1,000 employees comprised just over one-third (34%) of all responses, as shown in Figure 1.

Survey respondents also came from a large cross-section of industries; almost one-fifth (19%) of responses were from financial, banking and insurance professionals (the largest group). Government was also well represented in the survey, accounting for another 13% of responses. Other industry groups contributing significantly to the survey results included high tech, education, health care/pharmaceutical, telecommunications and manufacturing. This cross-section of responses demonstrates a broad interest in endpoint protection. The diversity of respondents is also a measure of the quality of data in the survey. No one industry controls the majority of the responses, as shown in Figure 2.

Figure 1. Organization Size of Respondents (survey question: "How many people work at your organization, either as employees or consultants?")

Figure 2. Industries of Survey Respondents (survey question: "What is your organization's primary industry?")

As any manager will confirm, people in staff positions may have different concerns and goals than consultants. We asked respondents to identify their roles and whether they were consultants or staff; more than four-fifths (82%) of respondents said they were on staff at the organization they represent.

When asked about their primary work role, the largest group of respondents encompassed security administrators and security analysts. However, a surprising number of respondents are in management roles; more than one-third (37%) of respondents work in IT management (e.g., CIO or related duties) or security management (e.g., CISO or similar responsibilities). These results indicate that the survey topic speaks to the strategic concerns of management while also addressing the technical concerns of those in the trenches. Figure 3 shows the distribution of responses.

Figure 3. Primary Work Roles of Respondents (survey question: "Please indicate your primary role in your organization.")

Assuming the Worst as a Start

All information security professionals know that systems can be compromised, so we asked survey respondents how their organizations currently perceive their endpoint security hygiene. Those operating under the assumption that their endpoints are clean may prioritize security of internal assets differently from those operating under the assumption that at least some systems may be compromised, applying less rigor to defense in depth of their endpoints. Those operating from an assumption of compromise are likely to invest effort in detection and engage in proactive searches for compromised endpoints. To these organizations, not finding the compromise today doesn't mean it isn't there; it simply means that detection has fallen short.

The numbers are split nearly down the middle, with 47% responding affirmatively that they are operating under the assumption of compromise and 48% responding negatively. However, our analysis of the details behind the "Other" responses (5%) tells an interesting story: Overwhelmingly, such responses indicate that respondents believe that some of their systems are compromised. (Responses such as "No, but we should be!" and "Well, not all of them" paint the picture that many professionals understand the need to operate under the assumption of compromise; whether they do so is another issue altogether.) Perhaps the most notable response in this category is "It's likely, however I only know what I can see." This response, like several others, speaks to the significant challenges of detecting compromises in today's operating environment. Figure 4 shows the almost even division of "Yes" and "No" responses.

Figure 4. Assumption of Compromise (survey question: "Are you operating under the assumption that your systems have been compromised?")

Evading Detection at the Perimeter

Survey respondents were asked what percentage of incidents over the last 24 months were the result of threats that should have been blocked by a perimeter security device, as shown in Figure 5.

This is admittedly difficult to quantify, particularly for organizations without good endpoint visibility or a mature incident response (IR) process. Therefore, it's no surprise that slightly more than one-fifth (21%) of respondents answered, "I don't know." However, for those who were able to quantify the numbers, the results were very telling.

Although the largest category of respondents (36%) who could identify such incidents was the group believing that, at most, 10% of these incidents should have been blocked at the edge (indicating these respondents find perimeter devices effective in general), a more instructive analysis is to consider where perimeter protection is failing. To evaluate this, we considered the respondents who believed that the vast majority of their attackers should have been blocked at the perimeter. Respondents claiming that 31% or more of such perimeter protection failures took place account for a staggering one-fifth (21%) of respondents.

Figure 5. Incidents That Should Have Been Blocked by a Perimeter Security Device (survey question: "What percentage of the incidents in your organization over the last 24 months were the result of threats that should have been blocked by a perimeter security device (e.g., firewall or UTM)?")

Stealth Techniques Not So Pervasive

We also asked respondents what portion of those attacks that evaded perimeter detection was considered to be the work of advanced adversaries using stealth techniques. However, this question has its own built-in bias: Organizations may feel that they get a free pass on a breach if the attack was advanced, or that because the attacker used stealth techniques, a compromise was inevitable and there was nothing that could be done to detect it. For this reason, organizations may report mundane attacks as advanced and stealthy.[3] As such, it was expected that the numbers in these responses would be elevated somewhat over reality.

The results, however, were both surprising and telling. Almost one-fourth (24%) of participants had no gauge of their adversaries' skill. However, more than half (52%) of respondents believed that 20% or less of attacks bypassing perimeter protections used stealth techniques, as shown in Figure 6.

Combine this data with that from the last question, and a clear picture emerges: Attackers are bypassing perimeter protections at will and do not need to use stealth techniques to do so. This should be a serious point of concern for organizations that have placed all of their security eggs in the perimeter protection basket. According to Verizon's 2013 Data Breach Investigations Report, more than 95% of those attacks tied to state-affiliated espionage or intelligence activities used phishing as an initial infection vector.[4] Although some phishing attacks can be detected and blocked at the perimeter, the best chance for detecting those that get through successfully is through enhanced endpoint instrumentation.

Figure 6. Use of Stealth Techniques to Evade Perimeter Detection (survey question: "What percentage of threats that initially evaded perimeter detection would you categorize as advanced adversaries using stealth techniques?")

3 The Truth Behind the Shady RAT, Symantec Security Response blog, 4/11/2011, www.symantec.com/connect/blogs/truth-behind-shady-rat
4 2013 Data Breach Investigations Report, p. 36, www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf
Time to Respond Is Limited

When we asked survey participants about the acceptable delay in receiving data from queried endpoints, the results couldn't be any clearer: Speed matters. More than four-fifths (83%) of respondents said they needed results from their endpoint queries in less than an hour, as shown in Figure 7.

A subset of that group (26% of all respondents) wanted the data in less than five minutes, underscoring the need to pre-position any needed software agents on endpoints. Without agents already in place, obtaining results from all endpoints in less than an hour is simply impossible.

Figure 7. Maximum Acceptable Delay (survey question: "To provide maximum value in detecting and responding to incidents, what is the acceptable delay between requesting data and receiving it from all queried endpoints?")

Response Costs

Reducing the time spent per endpoint on IR, even marginally, has multiplicative effects on overall cost savings. Organizations should consider how much time they are spending per endpoint (compared to the median result) and whether they wish to reduce such costs.

In our survey, 17% of respondents reported spending 6-10% of their security budgets on IR, 12% spend 11-25% of their budgets on it and 7% spend more than 25% of their budgets on response, as shown in Figure 8.

The cost of IR is closely tied to the number of man-hours required to remediate the threat. To quantify this, we asked survey participants how many hours they spend per endpoint when responding to an incident. Although this number is also subject to a number of variables, if not pure guesswork, we believe that the nature of the question brings these estimates closer to truth.

Figure 8. Percentage of IT Security Budget Spent on IR (survey question: "How much of your IT security budget is spent on incident response?")

More than one-fourth (27%) of respondents reported that they spend more than four hours per compromised endpoint in incident response time, while 28% spend between two and four hours and another 45% spend no more than two hours per endpoint, as shown in Figure 9.

Assuming a modest cost of $50 per man-hour (which could be even higher if outside consultants are used), investigative costs can easily top $200 for each infected endpoint being investigated. Such numbers underscore the case for more automation in endpoint assessment, remediation and follow-through. One way to lower the time expended per compromised endpoint is to move away from wipe-and-reimage remediation strategies and focus on more targeted remediation.

Figure 9. Number of Hours Spent per Compromised Endpoint on IR (survey question: "On average, how many hours do you spend per compromised endpoint when responding to an incident?")

Automation and Remediation Still Challenging

Any organization seeking to lower IR costs should increase the level of automation in these processes. Automation would include tools for scanning endpoints, correlating response data, detecting compromises, remediating threats and managing workflow.

Only 16% of respondents currently automate 51% or more of their IR tasks, whereas 70% of respondents automate less than one-fifth of their IR tasks. IR efforts rely greatly on manual processes, as shown in Figure 10.

When asked what percentage of their IR processes they expected to have automated in the next 24 months, respondents' answers varied significantly. The number of respondents who expect to have more than half of their processes automated by early 2016 was 34%, more than double today's number. The number of respondents expecting to have less than 20% of their IR automated by then is half that of today, indicating a significant trend toward automation.

Comparing the cost of qualified incident responders to the cost of automating their tasks, the choice for organizations wishing to lower their IR costs is obvious. As the number of network-based attacks continues to grow, organizations must increase automation to merely keep pace, assuming their current staffing levels remain constant.

Figure 10. Automation of IR Workflow (survey questions: "What percentage of your incident response process is currently automated through the use of purpose-built tools for remediation workflow?" and "What do you expect this percentage to be in 24 months?")

Obstacles to Recovery

Interestingly, the possibility of losing data during a wipe-and-reimage barely makes it into a list of the five greatest challenges to incident recovery. The four challenges at the top of that list, each noted by more than 40% of respondents, could all be addressed through improved endpoint visibility:

• Assessing the impact
• Determining the scope of compromise across multiple endpoints
• Determining the scope of compromise on a single endpoint
• Hunting for compromised endpoints.

Losing data during a wipe-and-reimage is a great challenge to slightly more than one-third (35%) of respondents, while even fewer respondents (33%) consider remediation of compromised endpoints noteworthy, as shown in Figure 12.

Figure 12. Greatest Challenges in Recovering from Incidents (survey question: "Which of the following are the greatest challenges in recovering from an incident? Select those that most apply.")

Detecting Endpoint Threats

When we asked respondents about their risk and compliance concerns, the most indicated categories (each with 55% or more) were workstations, web servers and Windows endpoints, respectively. Cloud, OS X and Linux endpoints were also a concern for some organizations, each of them being reported by more than 10% of respondents, as shown in Figure 13.

Notable write-in candidates for this category were mobile devices and so-called bring-your-own-device (BYOD) policies. Organizations seeking to increase visibility in a cost-effective manner should deploy first where it matters most: the Windows desktop. However, an endpoint-monitoring solution that allows analysts to access data across the heterogeneous operating platforms (often, Linux or UNIX derivatives) at the heart of the enterprise should increase efficiency for those organizations operating on multiple platforms.

Figure 13. Endpoints Rated by Risk (survey question: "What endpoints are of most concern to you from a risk and security perspective?")

Threat Detection Still Network Focused

We also asked participants where visibility matters most for threat detection, with classic IT favorites IDS/IPS, firewalls and log data being the top finishers, as shown in Figure 14. Several participants indicated in supplemental comments that they use security information event management (SIEM) tools.

What is most startling about these responses is that only 23% of respondents felt endpoint visibility (without regard to the endpoint's role) to be the most important point of detection. This indicates that organizations are still taking a network-centric view of threats by using firewalls or IDS/IPS tools to detect them. Wouldn't data from the endpoints themselves provide better opportunities for detection?

The network perimeter, formerly a finite boundary, has become fuzzy thanks to changes such as the explosive growth in the use of mobile devices and the adoption of BYOD policies to manage them, as well as increased use of resources by remote workers using VPN and other technologies. The disappearing perimeter makes a strong case for increased endpoint-detection capabilities, where threat detection operates the same regardless of the physical location of the endpoint.

Figure 14. Where Threat Visibility Matters Most (survey question: "Where does visibility into threats matter most for detecting threats in your organization?")

(They Can't Get No) Satisfaction

When it comes to well-established defenses such as antivirus and firewalls, some of the most telling numbers in the survey results are the rates of dissatisfaction with them. Almost one-fifth (17%) of respondents are unhappy with the results from file scanning using antivirus tools. Even more startling are the responses from those using SIEM tools: of these respondents, almost 14% report that they are not satisfied, as shown in Figure 15.

The highest rates of overall satisfaction from our respondents were noted with border firewalls (86%), file scanning antivirus (80%), web proxies (61%) and host-based firewalls (59%), respectively. Although web proxies and firewalls are clearly useful (and necessary) for perimeter protection, a true defense in depth requires that endpoints be independently protected even when the perimeter is breached.

Figure 15. Satisfaction with Endpoint and Perimeter Defenses (survey questions: "What type of endpoint/perimeter protection are you using in your organization? How satisfied are you with each?")

That requires detecting a breach, which is an area where our respondents reported general satisfaction with the methods they use for threat detection. Classic network-centric detection through antivirus, firewalls or IDS/IPS tools is still at the top of this list. Unsurprisingly, respondents reported greater satisfaction with analyzing data in a SIEM system than they did with manual review of endpoint logs, as shown in Figure 16.

A recent focus in enterprise defense is to instrument the network to increase visibility through the use of full packet capture or network flow analysis. However, respondents were not satisfied with these network-centric methods of threat detection, highlighting the need for additional capabilities that are focused on endpoints rather than the network.

Figure 16. Satisfaction with Detection Capabilities (survey question: "How satisfied are you with the various detection capabilities you use?")

Detecting Compromised Endpoints

Although endpoint visibility may not seem as important to respondents as perimeter visibility is, our next question indicates that 70% of them collect security data from endpoints. They're collecting data including user logins, applications, artifacts of malware, listening network ports, unauthorized network interfaces and running processes, as shown in Figure 17.

These categories were the expected front-runners when it comes to ease of analysis and acquisition, yet those categories where the majority of respondents considered a data type useful, but were not collecting it, were most interesting. These can include network protocol cache entries, route tables, browser history artifacts and PII stored on endpoints where it is not authorized. As an example of the latter, artifacts of regulated, but unencrypted, data may be found in a paging file, even if the application processing them never itself writes the data to disk.

Elsewhere, the existence of prefetch or link files may point to execution and file access, but these are difficult to access without endpoint visibility solutions. The fact that respondents would like this data, but are not currently collecting it, suggests the challenges to obtaining it may be more than technical issues.

Figure 17. Methods Used in Endpoint Data Collection (survey question: "Which of the following do you collect from endpoints for the purposes of correlation in the detection and remediation of threats?")

When evaluating tools for endpoint visibility, decision makers should consider the tool's capability to collect such critical information as the presence of illicit PII on an endpoint, which may indicate the latter's use as a staging area for exfiltrated data, thereby providing the first detection of a network compromise. Organizations without the capability to detect such behavior should carefully evaluate their investigation strategies.

IDS and perimeter firewalls were also two of the top three methods selected for protecting endpoints, again showing how organizations are still using network-based devices for the detection of endpoint compromises.

These network-detection methods merely point to the compromised endpoint without providing any assistance in cleanup or mitigation through endpoint instrumentation. Figure 18 shows the distribution of threat detection successes, according to respondents.

To get closer to the endpoint, respondents are using either SIEM (42%) or manual review of endpoint logs (38%) for detection. Both of these detection methods take the analyst closer to the compromise: the endpoint itself has the most artifacts relating to the compromise. That AV alerts are used to detect more compromises than SIEM or manual review of endpoint logs tells us that endpoint data review has a lot of catching up to do. When reviewing endpoint artifacts, context is everything; although an antivirus alert signals a hostile executable, it does so without analyzing the context. Zero-day payloads, by definition, can escape signature-based antivirus, but context from, say, reputation assessment could be used to uncloak the intruder.

Figure 18. Methods Used to Detect Compromises (survey question: "How did you detect that these threats had compromised your organization? Choose all that apply.")

By making better use of endpoint data such as browser history, prefetch files and DNS cache entries, we paint a more complete picture of the machine state.

Merely identifying the technology responsible for threat discovery doesn't tell the whole story, however. Analysts may detect threats reactively, by responding to an alert, or proactively, by actively interrogating their endpoints, looking for anomalies. Our respondents overwhelmingly rely on reactive detection, as shown in Figure 19.

Only 17% of respondents reported finding more than half of their threats through active discovery, while 53% of respondents found more than half of their threats by responding to alerts. Reactive detection is not necessarily inferior, but organizations should consider what steps they can take to increase the number of alerts found through proactive scanning. This often involves adding instrumentation at the endpoint, where attacks are targeted.

Figure 19. Proactive Versus Reactive Threat Detection (survey question: "What percentage of your threats are detected through proactive discovery (actively interrogating endpoints) versus reactive (responding to IDS/AV/SIEM alerts)?")

Conclusions

As the threat landscape continues to expand, organizations will allocate ever-increasing resources to endpoint protection. When, despite best efforts, endpoints are compromised, organizations must then be ready to react to minimize data loss and remediation costs.

The results of the first SANS Endpoint Security Survey point to a lack of visibility on endpoints, with organizations relying on a number of network-centric methods. Given the number of participants' threats that bypassed perimeter protection devices, it's no wonder that greater visibility at the endpoint is called for. Additionally, participants require rapid responses when requesting data from their endpoints; answers within an hour may not be enough, as over three-fifths (61%) of respondents require them in less than 30 minutes. Finally, the survey highlighted a strong need for automation and proactive discovery of threats in the network.

Organizations that wish to protect their assets from compromise should look to protect the actual target of attacks: the endpoints that hold the sensitive data. Best-in-breed organizations should seek to increase automation and endpoint visibility, pre-deploying instrumentation assets where appropriate to minimize response delays.

About the Author

Jacob Williams is the chief scientist at CSRgroup computer security consultants and has more than a decade of experience in secure network design, penetration testing, incident response, forensics and malware reverse engineering. Before joining CSRgroup, he worked with various government agencies in information security roles. Jake is a two-time victor at the annual DC3 Digital Forensics Challenge.

Sponsor

SANS would like to thank this paper's sponsor: