Date post: 02-Aug-2015

Sponsored by Arbor Networks Dr. Larry Ponemon

The Cost of Time to Identify and Contain Advanced Threats in Financial Services & Retail

A Study of North America & EMEA

Attackers Are Winning The Races

Defender Dwell Time Increasing, Attacker Timeline Decreasing

[Figure: two proficiency-versus-time plots, with the labels "Efficiency Gap" and "DESIRED STATE".]

May 21, 2015 Ponemon Institute Private and Confidential

Goals for the study:

• Understand the challenges these particular verticals [Financial Services and Retail] face when it comes to identifying advanced threats and preventing attacks before they cause damage

• Compare the strategies of these two industries as both get a lot of media attention when they experience a breach or a cyber attack because they handle some of the most sensitive data and have so many ripples of stakeholders

• We are thrilled to have sponsored the Ponemon Institute study which was conducted with an extensive sample pool

Ponemon Institute LLC

The Institute is dedicated to advancing responsible information management practices that positively affect privacy, data protection and information security in business and government.

The Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations.

Ponemon Institute is a full member of CASRO (Council of American Survey Research Organizations). Dr. Ponemon serves as CASRO’s chairman of the Government & Public Affairs Committee of the Board.

The Institute has assembled more than 65 leading multinational corporations, called the RIM Council, which focuses on the development and execution of ethical principles for the collection and use of personal data about people and households.

The majority of active participants are privacy or information security leaders.


Sample Response

Survey response (NA + EMEA):
• Sampling frame: Retail 17,000; Finserv 20,504
• Total returns: Retail 749; Finserv 931
• Rejected or screened surveys: Retail 74; Finserv 87
• Final sample (16 countries): Retail 675; Finserv 844
• Response rate: Retail 4.0%; Finserv 4.1%

[Charts: respondents' position level for Retail and for Finserv. Categories in both: Executive/VP, Director, Manager, Supervisor, Technician, Associate/staff, Consultant/contractor.]

Financial services


Most promising technologies in the Cyber Kill Chain (three responses)
• Technologies that minimize insider threats (including negligence): 5%
• Technologies that simplify the reporting of threats: 13%
• Technologies that secure endpoints including mobile-connected devices: 22%
• Technologies that secure the perimeter: 36%
• Technologies that provide intelligence about attackers’ motivation and weak spots: 41%
• Technologies that secure information assets: 49%
• Technologies that isolate or sandbox malware infections: 63%
• Technologies that provide intelligence about networks and traffic: 71%

Steps taken to minimize or contain the impact of the AT
• Conducted specialized training for IT security team: 21%
• Established threat sharing with other companies or government entities: 43%
• Installed controls to quickly detect and block infiltration: 44%
• Implemented incident response procedures: 45%
• Installed controls to prevent infiltration: 48%

Effectiveness in containing ATs (1 = low to 10 = high)
• 1 or 2: 5%
• 3 or 4: 8%
• 5 or 6: 25%
• 7 or 8: 36%
• 9 or 10: 27%

Attributions about security technologies (strongly agree and agree responses combined)
• Security technologies and personnel are effective in containing denial of service attacks: 48%
• Security technologies and personnel are effective in containing advanced threats: 49%
• Security technologies and personnel are effective in quickly detecting denial of service attacks: 49%
• The greatest threats are denial of service attacks: 54%
• Security technologies and personnel are effective in quickly detecting advanced threats: 57%
• The greatest threats to my organization are targeted advanced attacks: 60%

Steps taken to minimize or contain the impact of the DDoS attack (more than one response)
• Other: 1%
• Conducted specialized training for IT security team: 19%
• Established threat sharing with other companies or government entities: 45%
• Installed controls to prevent infiltration: 46%
• Implemented incident response procedures: 47%
• Installed controls to quickly detect and block infiltration: 51%

2015 IT security budget components (allocation of 100 points)
• Technologies: 40
• In-house personnel: 37
• Managed (third party) services: 20
• Other cash outlays: 3

Retail


Most promising technologies in the Cyber Kill Chain (three responses)
• Technologies that minimize insider threats (including negligence): 5%
• Technologies that simplify the reporting of threats: 13%
• Technologies that secure endpoints including mobile-connected devices: 26%
• Technologies that provide intelligence about attackers’ motivation and weak spots: 40%
• Technologies that secure the perimeter: 42%
• Technologies that secure information assets: 55%
• Technologies that isolate or sandbox malware infections: 55%
• Technologies that provide intelligence about networks and traffic: 64%

Steps taken to minimize or contain the impact of the AT
• Other: 1%
• Conducted specialized training for IT security team: 13%
• Established threat sharing with other companies or government entities: 17%
• Implemented incident response procedures: 34%
• Installed controls to quickly detect and block infiltration: 37%
• Installed controls to prevent infiltration: 42%

Effectiveness in containing ATs (1 = low to 10 = high)
• 1 or 2: 11%
• 3 or 4: 12%
• 5 or 6: 33%
• 7 or 8: 33%
• 9 or 10: 11%

Attributions about security technologies (strongly agree and agree responses combined)
• Security technologies and personnel are effective in containing advanced threats: 38%
• Security technologies and personnel are effective in containing denial of service attacks: 39%
• Security technologies and personnel are effective in quickly detecting denial of service attacks: 39%
• Security technologies and personnel are effective in quickly detecting advanced threats: 43%
• The greatest threats are denial of service attacks: 53%
• The greatest threats to my organization are targeted advanced attacks: 61%

Steps taken to minimize or contain the impact of the DDoS attack (more than one response)
• Conducted specialized training for IT security team: 12%
• Established threat sharing with other companies or government entities: 13%
• Implemented incident response procedures: 33%
• Installed controls to quickly detect and block infiltration: 38%
• Installed controls to prevent infiltration: 41%

2015 IT security budget components (allocation of 100 points)
• In-house personnel: 37
• Technologies: 34
• Managed (third party) services: 24
• Other cash outlays: 4

Industry differences


Effectiveness in containing ATs and DDoS attacks (1 = lowest ability to 10 = highest ability; percentage of respondents who rated their ability 7+)
• Effectiveness in containing ATs: Retail 44%; Financial services 63%
• Effectiveness in containing DDoS attacks: Retail 31%; Financial services 64%

Time-dependent metrics used to determine incident response effectiveness

[Chart, two series (Retail, Financial services). Categories: MTTI; MTTC; Other; We don’t utilize time-dependent operational metrics. Values as charted: 53%, 58%, 5%, 40%; 62%, 66%, 5%, 28%.]

Time it takes to detect and contain ATs (extrapolated days)

[Chart, two series (Retail, Financial services). Categories: Average MTTC experienced for denial of service; Average MTTC experienced for advanced threats; Average MTTI experienced for denial of service; Average MTTI experienced for advanced threats. Values as charted: 12.7, 26.1, 27.2, 98.1; 18.0, 38.5, 39.2, 196.5.]

Will MTTI and MTTC improve in the next 12 months? (Yes response)

[Chart, two series (Retail, Financial services). Categories: Do you expect MTTI to decrease (improve) over the next 12 months?; Do you expect MTTC to decrease (improve) over the next 12 months? Values as charted: 29%, 32%; 42%, 40%.]

Steps taken to reduce the time it takes to detect attacks

[Chart, two series (Retail, Financial services). Categories: Other; Introduce hunting team to look for attacks; Implement new forensic security tools; Increase security operations staff; Improve triage process; Integrate threat intelligence into IR function. Values as charted: 1%, 40%, 60%, 56%, 55%, 74%; 1%, 33%, 40%, 41%, 50%, 60%.]

Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

• Sampling frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners in various organizations in the United States. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a specified time period.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.

Time Is The Currency That Matters

Moving Beyond Detect And Respond

• Use Better Indicators of Attack
• See Inside Your Entire Network
• Threat Hunting to Find Attacks That Matter, Detect Unknowns.
• Contain Attacks Faster By Seeing Compromised Infrastructure

Questions?

Ponemon Institute

Toll Free: 800.887.3118 Michigan HQ: 2308 US 31 N. Traverse City, MI 49686 USA
