A majority of organizations are operating under the assumption that their network has already been compromised, or will be, according to a survey conducted by the SANS Institute on behalf of Guidance Software.
When the limitations of perimeter security are exposed, endpoints and critical servers rife with sensitive information are rendered vulnerable. With many high profile breaches in 2013 occurring on endpoints, interest in improving endpoint security is top-of-mind for many information security professionals.
In the first-ever SANS Endpoint Security Survey, SANS surveyed 948 IT Security professionals in the United States to determine how they monitor, assess, protect and investigate their endpoints, including servers. The largest group of respondents encompassed security administrators and security analysts. More than one-third of those respondents (34 percent) work in IT management (e.g., CIO or related duties) or security management (e.g., CISO or similar responsibilities). The overall results of the survey indicate that the topic speaks to the strategic concerns of management while also addressing the technical concerns of those in the trenches.
The survey results demonstrated that more and more attacks are bypassing perimeter security, despite the fact that the respondents do not consider the attacks to be sophisticated. Survey respondents indicated the desire for more visibility into more types of data and processes across organizational endpoints as intruders evade perimeter defenses. A large majority of respondents want delivery of relevant data collected from endpoints in under an hour. Finally, while currently post-attack remediation of endpoints is largely manual, more than half of respondents recognize the need for automated incident response and remediation, and plan to implement such within two years.
Key findings from the survey include:
- Prevention: 47 percent of respondents are operating under the assumption they’ve been compromised; with another 5 percent saying they operate under the assumption that if they have not already been compromised, they eventually will be.
- Detection: Although 70 percent are collecting data from endpoints, only 16 percent find more than half of their threats through active discovery or hunting. Over 48 percent felt that greater visibility into sensitive information like personally identifiable information or ARP cache entries on unauthorized endpoints would be extremely useful.
- Response: Delays to breach response times are clearly unacceptable, as 83 percent of the respondents said they needed results from endpoint queries in an hour or less. More than 26 percent indicated that they wanted the data in five minutes or less, underscoring the importance of conducting timely digital investigations
- Remediation: The vast majority (77 percent) rely on slow and expensive “wiping and reimaging.” Furthermore, 54 percent of the respondents have automated less than 10 percent of their workflow to manage the remediation process. Recognizing this issue, over 60 percent of those who have not yet automated, indicate that they plan to do so in the next 24 months.
“The survey results demonstrate clearly that organizations are failing to close the loop between their network and endpoint protections and intelligence,” says Deb Radcliff, executive editor of the SANS Analyst Program, which produced the report. “Further, they’re using mostly manual processes to uncover compromises and assess impact, both of which are costly in terms of IT manpower and loss of productivity while critical servers and end-user machines are returned to a trusted state.”
Some of the biggest challenges to incident recovery were connected to lack of visibility and ability to assess damage to endpoints and the network. The top five challenges were:
- Assessing the impact
- Determining the scope of a threat across multiple endpoints
- Determining the scope of compromise on a single endpoint
- Hunting for compromised endpoints
- Losing data inadvertently during a wipe / reimage.