Welcome, everyone, to this webcast. I'm Tom Cross. I'm the director of security research
here at Lancope. This webcast is going to go over the results of a very interesting
study that we commissioned on computer security incident response teams. Here at Lancope,
of course, we make a product that collects NetFlow from routers and switches, and one
of the ways that people use our product is to investigate security incidents on their
networks. We wanted to understand that subject a little bit better. We're hearing a lot of
news, particularly over the past few weeks, about major security breaches at retailers,
for example. How well prepared are organizations to deal with these kinds of security incidents?
What's happening out there in terms of incident response preparedness?
In order to understand the subject we turned to the Ponemon Institute. The Ponemon Institute
is really highly regarded in the security and privacy world for going out and collecting
really reliable data about business practices around security and privacy. We felt that
they were the right choice for an organization to go out and try to answer some of these
questions with us. We're very privileged to have Larry Ponemon on the webinar today. He's
the chairman of the Ponemon Institute. He's going to talk with me about the results of
the survey that we did and some of the data that we collected. Larry, welcome to the webcast.
Thank you very much, Tom. It's a pleasure
to co-present with you today and I think we have some very interesting material to share
with our audience. I know that you're dealing with the snowstorm in Atlanta. My heart's
with you, buddy, because I live in northern Michigan and we just hated it so much this
winter that we abandoned everything and now we're in New Mexico.
We have a few brave co-workers who seemed to have spent the night in the office last
night because they couldn't get home. It's quite an interesting 24 hours.
Anyway, I'm very glad you're healthy and you're on the call today and hopefully in a nice
warm place. Again, for those people that don't know who Ponemon Institute is and we're not
Pokémon Institute. Ponemon Institute is a research company and we're very boring. We
are linearly focused on three topics: Privacy, data protection, and information security.
We've been in existence for now 13 years, and we've managed to build an infrastructure
and affiliate network in 26 countries around the globe that allow us to do global research
or research in all global regions of the world. We're very, very pleased with having the opportunity
to work with great companies like Lancope and others. Hopefully, we'll get to see many
of you at RSA, the RSA conference in San Francisco, next month.
With that being said, let's go to our next slide. In the next slide, we basically are
looking at some survey sample statistics. I'm a research wonk, and Tom, you're the brilliant
guy. Obviously, you're going to wow the audience with your knowledge. I'll just talk a little
bit about some of our survey results. This is a US study and a UK study. In total,
we had over 20,000 folks who we called our sampling frame. These are people in IT and
IT security with bona fide credentials. You probably know Ponemon Institute manages sampling
frames or panels that focus primarily on folks in the privacy data protection or information
security field. We basically use screening criteria so that
these are people who are involved, actively involved, in their company's CSIRT activities.
In total, we have a good-sized sample of 674 completed and reliable surveys, which is a
good response rate of 3.3 percent to our total sampling frame. The US component is 357 practitioners
and the UK is 317 qualified respondents. It was really cool. We actually had a lot
of similarity between the US and the UK, and we made a decision rather than show these
results separately to consolidate those. There are just very, very few instances in our sample
where there are marked differences or statistically significant differences. When we look at these
results, put on your thinking cap folks, we're talking about both US and UK and a total of
674 completed surveys. Our next slide. This beautifully colored pie
chart shows the distribution of our respondents by their job title. You'll notice the largest
slice of this very nice pie, 34 percent, are people who are in the category called technician.
These are rank and file folks. These are people who are very knowledgeable and they are hands-on.
They're managing the security infrastructure for their company.
Then, we go from that extreme to the other end, which reads senior; we look at the top of the list, senior executive
and vice president. We do have some people who are very senior, and these people represent
a very small percentage of the total sample. We also have a fair number of directors, managers,
and supervisors. If you did the math and you added up the percentages of folks who are at or
above the supervisory level, it's more than 50 percent, which suggests that we have a
highly experienced group of respondents. This is one of our quality measures.
Go to the next slide, please. We have two pie charts. The first pie chart off to the
left side of the screen is the organizational size, which we measure in head count. Why
do we measure it in head count? When you ask people how large is your company, if you're
a financial guy or an accounting person you probably know the size of your organization
in terms of revenue. If you're a security person or an IT person, you're going to get
a more accurate response when you ask them about the head count of the organization.
We use head count as a surrogate of organizational size in the study. We really have quite a
nice mix ranging from companies with less than 500 people, so that would fall into the
SMB, the small to medium size business; the companies with more than 75,000 people which
is a big monster company. We even have some companies in the six figures and beyond.
The next graph shows the distribution by industry. Like many Ponemon studies, we like doing a
study that cuts across different industry categories. I'm very pleased that it does.
That's good news, but on the negative side, the bad news, is it's hard to then do segment
analysis by industry except where we have large segments. If you look at the pie chart
financial services is clearly the largest segment at 20 percent, public sector at 14
percent, and then it drops to 10 percent for health, pharmaceutical, and this also includes
biotech. Let's go to our next slide.
Go ahead, Larry. Tom, if you would take the slide.
Sure. This slide just summarizes the salient finding from the report, and it gives you
some guideposts for the rest of the data that we're going to be talking about. We learned
some interesting things from the survey. The first thing we learned is that investment
is critical for effective cyber incident response programs. We'll show you this.
We learned that our respondents felt that having a more robust incident response program
would have a big impact on their ability to protect their organization, but that they
weren't getting the level of investment they thought that they needed in that area. We
had a number of questions that we asked that measured how well prepared organizations are
from different perspectives. Many of those results were not as good as we had hoped.
Basically, the results showed that there are some deficiencies in the level of preparedness
that our respondents' organizations have. A big takeaway is that management is largely
unaware of the cyber threats that their organizations face. Obviously, when you end up on the front
page because of a breach your executives are in the loop. It seems that in general, executives
are not in the loop, and it may be part of the reason that this area is not getting the level
of investment that it probably needs to get. We also talk about how to fix that problem.
One of the things that's necessary are metrics. Management ... so it's said that you can't
manage something if you can't measure it. We asked people what metrics they're using
and we have some interesting data about that. In addition, we asked what tools the incident
responders need. What they told us is that they need network audit trails, which is pretty
close and near and dear to our hearts at Lancope. Let's take a look at some of these survey
results that we got. Thanks, Tom. That was really a good backdrop.
Basically, we wanted to know this is not the precise question but approximately, do you
anticipate a material security breach in the future. If I'm reading this correctly, 31
percent said no, so 1 minus 31 percent or 69 percent say yes, which is probably not
a great finding because it's the vast majority they're expecting a security breach.
Now we also break it apart in terms of yes in more than one year, yes within the next
year, and yes within the next six months. Probably the scariest response here is yes
within the next three months. That represents 30 percent. What's your reaction to this result,
Tom? I think it helps emphasize the fact that organizations
do perceive that they are going to have security breaches in the future. I'm actually most
surprised about the 30 percent that didn't think that that would happen. I'd like to
meet some of those folks who have such an effective computer security program that they
never have a security breach in their environment. This helps underline the fact that most people
do in fact experience these breaches and they expect to experience incidents in the future.
I think, not to seem too negative, but there's this ignorance is bliss concept where if we
don't know there's a problem we assume there is no problem. That's probably the wishful
thinking people who are saying that that's 30 percent or 31 percent. We see that all
the time. People and companies are not necessarily putting their best foot forward. They're basically
managing from the rear, and the end result is they get caught. That 31 percent either
is a halo effect or that ignorance is bliss. Yeah, I think you're right. I think that to
a certain degree, if your security practice is so ineffective that you're not detecting
the things that are happening in your environment, then you may, in fact, believe that you don't
have a problem. That could be showing up to a certain extent in these results.
Thanks, Tom. This slide is actually pretty cool as well. It says how can your organization
most effectively mitigate future security breaches. Sixty-eight percent, by the way,
it's obviously there's more than one choice because it adds up to more than 100 percent,
is better incident response capabilities. Number 2 is threat intelligence or IP reputation
services. Number 3 is improved vulnerability audits and assessments at 44 percent, and
improved patch management, which has plagued us, the security industry, for decades. It
doesn't get solved, and then higher quality professional staffing. These seem to be the
big five. Again, at the top of that list incident response capabilities, very important. Tom,
what do you think? I was excited by this result because it validated
that a lot of people are of the same mind that I am. I wasn't sure what they were going
to pick. Were they going to say that they needed better patch management or better prevention?
Actually, what they're saying is they need better incident response capabilities. To
a certain extent, that could be counterintuitive because you think about incident response
as something that you do after a breach happens in order to clean it up.
If you want to prevent security incidents from happening you'd think, you'd want to
invest in preventative approaches and preventative technologies. I think the reality is more
complicated than that. Investigating breaches, you learn what the weak points in your infrastructure
are and you can feed that knowledge back into how your organization protects itself.
When we're talking about some of these sophisticated hacks that are happening, today these attackers
understand how to evade a lot of the preventative technologies that we have. It actually is
the case that incident response capabilities do help protect the organization from attack.
I think that this result helps demonstrate that IT professionals realize that. They do
think that better incident response capabilities are really where their organizations need
to be focusing their efforts right now from a security program standpoint.
Tom, we have a comment or a question. Do you want to do that, or should we take that at
the end? I think, actually, Larry, let's take those
at the end so that we can make sure that we have time to get through all of our data points,
then we'll go back in and grab some of these questions if that's all right.
That's great. I appreciate that. I think that makes good sense. Now in this very colorful
slide, this looks like New Mexico colors, by the way. Good choice. You have a fully
functional CSIRT and 66 percent say yes, which is I think a good result. It's a positive
result. Thirty-four percent say no. Keep in mind that some of the companies that
responded to this question are smaller sized companies. While we didn't find a significant
correlation, I would imagine that some of the numbers are smaller companies or companies
that don't have a mature security program. Does this result surprise you at all?
Not necessarily. It goes to show you that some people don't even have an incident response
program. I think you should have a program regardless of how big you are. The size of
your organization really doesn't factor into whether or not you're going to be targeted.
Size of your organization does play a role in how much resources or how many people you
devote to the problem. You should have some preparedness or security incident response
regardless of how big you are. That's great, and I agree with you completely.
Small doesn't necessarily mean that's a license to be incompetent. We're just small, so we
don't really need the bull's eye on our back. That's not true. We know that a lot of small
companies are a good entry point, good in the sense that it's easier for the bad guys to break in
to a small organization and use the business relationship to larger organizations as a
flow-through, if you will, for different types of attacks. We've actually seen some of that
over the last, I'm going to say, couple of years.
This slide, there are actually two pieces of information that are related. First question
is, what percentage of your security budget is spent on incident response preparedness?
If you look at the graph, 50 percent say less than 10 percent. I'm not trying to say that's
a good result or a bad result, but my gut feel tells me we're probably not spending
enough resources on incident response if it is, in fact, such an important feature
as we just documented in a previous question. That's kind of on the negative side.
On the maybe positive side: is funding increasing, or is funding decreasing, or is it staying at
about the same level? The number one response is staying at about the same level, that's
45 percent. More importantly, look at the increase at 34 percent that's increasing,
18 percent decreasing. Basically, what this tells me is more organizations recognize that
it requires more funding, and so for many companies it's either staying the same or
increasing. Only for a very small number of companies is it decreasing. If it's decreasing,
you probably wonder why, why would that be happening? It's very unlikely that they have over
spent on this. Maybe it's cost constraints. What do you think, Tom?
I had a negative reaction to this slide, all this data that we collected on whether the
amount of money was increasing or decreasing. I think this is concerning. I think there are
a couple of reasons for that. If you think over the past couple of years what's been
happening I think it's clear that the kinds of computer security incidents that people
are experiencing are still ... there are regular major breaches, the sophistication
of the incidents we're seeing has gone up. Also, just in general, IT continues to be
a larger and more [simple 00:18:57] part of people's businesses. When you take those two
factors and you put them together, I would think that most organizations would be investing
more in incident response but it seems that they aren't. Most organizations
are not changing their investment level there, and some are actually decreasing the incident
response capabilities that they have. If you contrast that with the first five where our
survey respondents said that better incident response was the best thing that you could
do to mitigate your future breaches, those things are in contrast as far as I'm concerned.
It seems that there's a disconnect here between what our respondents are saying should be
done and what our respondents say is actually happening.
Thank you very much, Tom. I agree with that completely. If we go to our next slide, I
think we have some other interesting results. Here, we're trying to understand how many
employees are dedicated to incident response. The gold standard would be having people who
are fully dedicated. Basically, it becomes a real full-time job, and then in some organizations
people wear more than one hat. They're not necessarily part-time employees, but they're
part-time on the incident response front. What we basically see here on the full-time
side, 45 percent. The numbers say that there's really no one who's full-time because it's
in the zero category. That means 55 percent basically have one or more, but very, very
few organizations have more than 10 or even more than six people who are full-time fully
dedicated. Probably not too surprising for a smaller
sized company or a mid-market company, but if these results hold true for companies with
more than 75,000 employees this could represent a problem. You basically do see the distribution
between the full-time and the part-time. Where on the part-time side, 44 percent the most
common response is between two and five people. Tom, what's your take on this?
My concern is that, and obviously, if you're a small organization you're not going to have
people devoted to incident response all the time. These results are pretty strong. I think
that what happens, in fact, and I've seen this happen, is that the people who are
responsible for dealing with the computer security incident have some "day job" that
they are also responsible for that is really what they're supposed to do. At any given
time, they have milestones they're attempting to reach with that regular responsibility;
they have tasks that they're supposed to complete. It happens. It's unpredictable. They're asked
to set aside that regular responsibility and go focus on the incident. The problem is that
the people who need the other things that they are producing still need those things
to be produced, so there's this conflict of interest between their regular responsibility
and the need to respond to the incident. What happens is that some triage often occurs
with respect to these incidents, but then some of the follow through can take a long
time. We actually see that in some of our metrics that the full investigation and resolution
of these incidents can take many weeks. I think that part of it is this competition
between someone's day job and their incident response responsibility. The problem is that
if you have an ongoing incident in your environment and you haven't contained it, but people are
going back to their day jobs and not continuing to pursue that containment, then there could
be follow-on damage that happens to the organization until the incident is fully contained. I've
seen that unfold before. Obviously, not everyone can afford to have
some sort of full-time staff. It's important for people to be cognizant of the fact that
there's some conflict here and to try to manage people that are responsible for incident response
in such a way that they have leeway to focus on incidents when that's what they need to
be doing. That's great, Tom. Thank you for your insight.
Going to the next slide, this is generally a positive result. If we try to determine
how much job-related experience do folks on the incident response team have? What we
basically find is the number one and 54 percent or so in terms of the most experienced category,
of more than 10 years. Then, 36 percent between six and 10 years, and then we get the lower
levels of experience. It does show that people who are, in fact,
whether part-timers or full-timers in incident response, really do have quite a
bit of relevant experience. It's self-reported. Someone might say, "It's relevant because
I did X, Y, and Z. I was a cryptology expert in the Navy," or whatever. It doesn't necessarily
have to mean incident response specific experience, but definitely IT security expertise.
I think this is one of the best positive results in the survey. Clearly, people are taking
some of the most skilled IT professionals in their organization and making them responsible
for this. That does indicate that they are taking it seriously. We're happy to see that
result. Now here's another result about the infamous
consultant, the third party consultant. Do you use a third party consultant as part of
your response team or plan? Basically, we find that consultants are used and 42 percent,
then we're looking at the pie chart to the right, so 42 percent fall into the category
of primarily if these consultants are used to augment the skill set of the incident response
team. It's not replacing the incident response team, but it's augmenting. It's basically
in addition to in-house experts. Let's see, if you look at the green at the
very top. A primary first responder to incident response would only be a small fraction. I
think, is that 10 percent? The print is a little small. I apologize.
I need to make my window bigger as well. No, I know. I think I'm getting old here.
I used to be able to read that. They're going to revoke my pilot's license, I think, because
of my eyesight. The primary data point is 10 percent. It's
42 percent for augment the skill, and 31 percent for augment the capacity.
Great, I appreciate that. Then, the graph, which I can read on the other side here of
the page, is what do we use these consultants for. Number 1 would be forensics and investigative,
and then followed by legal or law firm, followed by global auditor consulting firms. These
would be firms like an Accenture, or a Deloitte, or my old firm PWC. Risk management, which
is only 9 percent, and then regional and/or local consultants, smaller probably niche
consultants that are considered local or regional. Any surprises here?
No, but what this data point set does is help explain to people who don't understand
what they should be doing what the role of third party consultants actually is. I've
heard people ask, "Why don't you outsource that entirely?" There are a lot of reasons
why you don't do that, one of which is that you need people involved who actually understand
your business and understand your infrastructure, and your third party consultants are not going
to know that. At the same time, it's important to have,
I think, relationships with third party consultants set up before an incident happens. One of
the reasons for that is the need to augment your capacity. If you have a serious security
incident and you need to contain it, and it's taking a long time to understand and contain
the incident, you may want people to be working that 24 by seven. That often happens.
The reality is that human beings aren't designed to function that way. I've seen the incident
response scenarios where the incident response team is making coffee at 4:00 a.m. for several
days trying to get the incident under control and people end up making mistakes. When you're
dealing with something like this, all the details are really important. If you have
a way to augment your staff's capacity, you can bring people in to shift other people
out and give people a chance to get a rest, and that's really important in handling a
major security incident. In addition, third party consultants can offer
some skill augmentation. For example, if you got hit with a sophisticated targeted attack
and there's custom malware. I've actually seen many organizations over the past few
years who have a full-time, on-staff malware analyst because of the need to look at sophisticated
malware that's coming into their environment that's targeting them, but many people can't
afford that or can't retain that skill set. It's for things like that that you can turn to
professional forensics auditors. Another thing that comes up is if you're interested
in pursuing a law enforcement investigation or if potentially criminal charges against
somebody, then there are certain skills that people have with respect to maintaining the
integrity of evidence. That is really useful to be able to bring in from an outside firm.
There's a lot of good uses for third party consultants, but it's important to understand
how to use them correctly. I think that this leads the way, I guess. If you're wondering
what you should be doing I think our survey respondents know the right answers.
Thanks again, Tom. Moving to our next graph. How frequently do you assess the readiness
of your incident response team? If I'm reading correctly, unfortunately, I can't read this,
at 29 percent not on a regular schedule, which is probably not a good result. Twenty-one
percent say on an ongoing basis, whatever that means, and then 18 percent say this is
kind of a depressing category, readiness is not assessed at all. What's your reaction
to some of these data points, Tom? I think it goes back to you cannot figure
out what you need to do when it happens because everyone's going to be stressed out by the
situation. The ability to get all the right people in the right places, and get people
authorized to do what they need to do is very challenging to sort out in the midst of an
incident. I think people need to understand beforehand what it is that they're supposed
to do. You need to have a fire drill. The fact is that if you're regularly having
fire drills, then people maintain that awareness of what they're supposed to do when a real
incident occurs. These results are actually fairly healthy. Frankly, there seemed to be
a lot of people that are doing some amount of assessment. That's good. Certainly, a huge
chunk of our respondents are either not assessing at all, or they're not assessing on a regular
schedule. The reality is that there may be unforeseen problems that arise when they actually
end up in an incident because they haven't gone through this process.
Thanks, Tom. Now, do you have a PR and analyst relationship plan in place in the event of
a breach? PR means public relations. The idea is that if you have a problem like this and
if it's external, it could be damaging a reputation and brand. You would think part of a team
would be someone who in fact has these skills and knows how to communicate because we've
seen disastrous communication issues. People go back, I remember TJX, and they had
a massive security breach, lots of data, millions and tens of millions of records exposed. They
had three different people who were from the company who were commenting on the data breach
with media. There were three different stories. It just reduced credibility completely because
of that. Having that expertise, I think, is important.
Of course, 75 percent of our respondents said they do not have a public relations and/or
analyst relationship plan as part of their incident response readiness. Are you surprised
by this? Oh yeah. It would be wonderful if we could
go to hundreds of organizations and do a thorough audit on incident response readiness. The
reality is that with this survey what we're trying to do is come up with questions that provide
data points that give us a sense of where people are at.
I think that this is a pretty key indicator that tells me that people are not as prepared
as they should be. If you consider some of the things that have been going on over the past
couple of months, if you worked for one of these major retailers that had one of these
security incidents, obviously, you're doing a lot of interaction with the press.
Like I said, on the previous slide, it's very different to sort out and plan for dealing
with this beforehand rather than in the moment, because people are very spun up about what's
happening. The reality is that you're going to be much more effective if you thought through
the process in advance. You know who needs to be involved in the decision-making process,
and you have put some thought into when you're going to do certain things.
When are you going to make the decision to disclose information to the public? What information
specifically are you going to disclose? It's good to have agreement about those things
before so you're not arguing about them in the midst of a crisis.
When I look at this statistic, this tells me that only a small number of our respondents
have actually sat down and thought through all that. That to me is an indicator that
they haven't put enough thought into how they're going to deal with security incidents when
they occur. Frankly, that could mean that there are other deficiencies in their preparedness.
This data point to me was particularly important. Thanks, Tom. I'm getting the cue for our producer
that we might be running out of time, so I'm going to talk fast now.
Okay. We have enough time to get through our other data points.
For those folks that aren't submitting questions, if we can't get to your question today we
promise to get to you maybe through email or some telepathy or some other way of getting
back to you because I think we have some good questions here.
Anyway, on this slide, very quickly, we asked the question, does the organization have a
multidisciplinary insider threat management program because you need different skill sets
sometimes to accomplish, to deal with these issues. Fifty-four percent actually said no.
Tom, what do you think? Sometimes the incident that you're investigating
is not caused by an external hacker. It was caused by malicious action by someone
that works in your organization. Everyone needs to have an insider threat management
program. Really, the problem with them is that people
see it as a computer security issue and they expect IT to deal with it. You can see that
in this set of answers that many of the respondents have an insider threat management program,
but it's in the IT department. The fact is that that's not a realistic way of handling
that particular problem. An insider threat is not a technical problem.
It involves someone who works for your organization, and dealing with that effectively involves
a collaboration between IT, human resources, legal and the management in order to be able
to effectively identify potential threats and to be able to investigate them effectively.
There are some great resources out there about insider threat. I know Lancope has some webinars
about insider threat. I don't want to dwell on the topic but I think this was an interesting
data point and that it validated my concern that a lot of organizations are looking at
that as truly an IT problem and not thinking about it as a multidisciplinary problem that
needs coordination across their organization. Very cool response. Thank you and ditto. I
agree completely with what you said. On this slide, we asked the question, are you sharing
threat intelligence and the idea that the companies team up or industry groups team
up and they start sharing important data. The most common response at 45 percent, and
if you do the math you could have more than one response, but the number one
response is information neither received nor shared. Well, that's not a happy camper result.
With all the talk about threat intelligence sharing that's been going on it's surprising
to see that most organizations are just not doing it all and if they are doing it maybe
they are receiving information. They got a threat feed, which is something that Lancope
helps but they are not sharing information that they discovered in their investigations
out to other people. Only 12 percent of our respondents said that they were actually working
with peers. I think this is really good information. I don't know what to do. If you are experiencing
particularly targeted, sophisticated incidents the
Tom, you are breaking up. Tom, can you hear me? Folks, I want to apologize. I know that because
of the weather Tom is doing the call from a cell phone from his home. I think, Tom, we lost you.
What I'll do is wait a couple of seconds and then I'll be a surrogate for Tom, but a very poor
surrogate because Tom is really the guy with all the knowledge. I'm just, again, a research guy.
Tom, are you back? Okay, well, let's look at the slide here. Frequency of cyber threat
briefings. Here we basically see that the number one category of who we are briefing is IT,
the IT management or the CIO organization, but I think what's most interesting about this
slide is, go all the way to the bottom, you'll see board of directors at 12 percent and
executive management at 20 percent. In other words, the vast majority of respondents said
that they are not actually reporting the results of the postmortem of an incident at the
senior, senior level of management. That's a problem, right, and especially as organizations
are saying that there's more accountability by the CEO, where they want more accountability at
the board level, maybe through the audit committee or the risk management committee. This
suggests that there's a communication issue. We are not reporting to those folks. That's how I
read it. Where are we reporting? Where are we doing these cyber threat briefings? Primarily to
the IT organization. I hate to say this, but it's like we are talking to ourselves if we are
just doing it there. Again ...
I am back. You are back.
I am going to chalk it up to the weather apocalypse here. My call died. Sorry about that, but I
got back. This to me was one of the most important results in our survey because it told us that
... executive management is just not being briefed about threats to the organization.
I think that, first of all, executive management is often the target of these attacks. If you
think about spear phishing, you've got to at least educate them about the sort of risks that
might be personally targeted at them, but it's also important that they are aware of the
threats to the organization as a whole. I'm concerned that people are not reporting because
they don't want to report bad news. If you are the IT security guy and you tell the boss,
"Hey, our organization is potentially targeted," he's going to turn back at you and say, "Why
is that and what are you doing about it and why do we have these problems?" You might be
reluctant to be totally open with the management team about the incidents that you have. The
issue is that sometimes IT security folks don't communicate using the sort of language that
executive managers want to hear. They talk in terms of vulnerabilities, exploits and compromise
of the machine, the malware, and those are technical things that are not really of the mindset
of the executive leadership team. They want to hear about business continuity and the cost
associated with mitigating these incidents and downtime and things like that. You've got to
translate some of the security threats that you face from the technical perspective into a
financial perspective in order to make them relevant to the executive leadership team. I think
that a lot of folks in IT security don't know how to make that translation happen.
Great. I'm really glad that you commented on that slide. On the next slide, it's a two-parter.
Let's start with the left. This is kind of a yes, no, unsure response, and it's a response to,
do you have metrics to measure the effectiveness of incident response and do you have metrics
to measure the detection and containment of incidents? The tallest bar in both cases is the no
response. Then there's the unsure. Those people are kind of operating in their own world, but
for those that said yes we looked at really four categories, commonly up to five categories,
including mean time to fix. That's the MTTF. Mean time to identify, mean time to know the root
cause and the mean time to verify. The most common category for those that do have metrics is
the mean time to fix, followed by the mean time to identify. Tom, what do
you think?
Well, like I said in the beginning, if you can't measure something you can't manage it, and
particularly going back to the previous slide. From the previous slide, if you can't measure it
then you are not going to be able to communicate about it in quantitative terms. That's really
what the executive leadership team is looking for from you, from a financial perspective.
You've got to translate the experience you are having into dollars and cents, and in order to
be able to do that you have to be able to quantify it. Metrics are incredibly important. At the
same time, these are all time-focused metrics. You don't want to manage your incident response
team purely based on the speed at which they react to incidents, because you need to make sure
that incidents are thoroughly investigated and contained. If you just push the fast-forward
button, you can create a situation where people are cutting corners in order to meet your
requirements, and that's not what you want. However, time-based metrics to me are very valuable
in terms of understanding the overall impact to the organization as well as measuring the
consequences of things that you do to improve your incident response capacity, or the tooling
that they have. If you go in and invest in more response capabilities, does that translate
into a more efficient response or a more thorough response? Keeping track of these things is
useful in that respect. I also want to say you want to track the incidents themselves: how
many incidents you are experiencing, what kinds of incidents they are, how far into your
organization they are and how the attacker managed to breach the organization's defenses.
Those kinds of statistics can tell you things like what the vulnerabilities in your
infrastructure are that attackers are targeting most frequently, and that can help you
prioritize some of your other security efforts. Metrics are an incredibly important data
source, I think, for an IT security organization.
Very cool, thank you, and you might want to
... can you take this slide Tom because I ...
Yeah, I can. In addition to asking what kinds of metrics people were using, we asked them what
results they were getting from their measurements. This slide shows you there's sort of a
process here where you try to identify the threat, and then you know what the root cause was,
and then you fix the threat, and somebody comes along and verifies the threat was fixed. If
you look at these responses, this goes to what I'm saying. People are able to identify the
threat fairly quickly, but it takes weeks or months to conclude the incident and understand
how it happened and then to fix the systems that were affected and bring them back online,
having fixed the vulnerabilities that were exploited.
The whole process of working the incident can take them a very long time, and I think that's
important to consider when you think about the total impact that the incident has on the
organization from a business continuity standpoint and in terms of impact on operations.
Until things are fixed, that incident could continue to have a negative impact on the
organization. I want to comment on the fact that our responses in this case seem to be more
optimistic than other surveys that have asked similar questions. If you look at the Verizon
data breach incident report, which is one that I have a great respect for, or if you look at
Mandiant's report, which I also really liked, their mean time to identify was way, way longer
than the one that we got in our survey. I think that there are two potential reasons for that.
The first is that they are measuring actual incidents whereas we are measuring the perceptions
of people who are familiar with incident response, and so there may be some halo effect where
IT professionals believe that they are able to identify incidents much more quickly than they
actually can. In addition, they're looking at different data. Our survey asked IT professionals
who deal with all kinds of incidents, from a simple malware infection to really complicated
compromises, whereas Verizon and Mandiant are mostly just dealing with the really big stuff,
the stuff that's so complicated that you would hire an outside consulting firm or you would
involve law enforcement. It may be that the sort of incidents that they are measuring tend to
be the ones that are harder to identify and ultimately harder to resolve, but regardless,
clearly even simple incidents are taking too long to resolve, in our view, and work could be
done to improve the amount of time it takes to understand and resolve these incidents.
Great response. Thank you. This slide speaks for itself. What are the most effective tools for
detecting security breaches? The number one response is the analysis of NetFlow or packet
captures, followed by SIEM, followed by intrusion prevention or detection systems, IPS or IDS,
followed by IP reputation and threat feed services, and at the very bottom, it's still a
healthy 56 percent for antivirus. Any reaction to this, Tom?
This is obviously a validating data point for us because we build NetFlow audit trails, and
what it's telling us is that the survey respondents believe that those audit trails are a key
tool that they use to identify security breaches within their environment. Collecting NetFlow,
collecting packet captures, collecting syslog, those are the things that people said are the
most important things for them to be doing, ahead of preventive measures like intrusion
detection and antivirus. I think that was interesting, and I think it helps underline the
value of those audit trails in protecting an environment from attack.
Very cool indeed, and now the most important slide of the day, the recommendations. Can you
help me with the recommendations, Tom?
I can. I mean, first of all, you need to have an incident response team. Don't be one of the,
I think, 34 percent who said they don't have one or it's not fully functional. You want
experienced full-time members if you can. Clearly, a lot of our incident responders are very
experienced people. You want to assess the readiness of your team to make sure that they are
prepared, and you want to work through some of the scenarios that could occur beforehand so
that you're prepared in advance. You want to provide clearly defined rules of engagement to
the incident team. You don't want to have a situation where managers in the business are
refusing to allow the incident response team to do things they need to do in the midst of the
crisis.
You want to involve multidisciplinary areas of the organization in the incident response
process. It's not just a technical problem, particularly if it involves an employee, and you
want to invest in the right tools that the incident response team needs in order to be
effective. If you don't have the right audit trails in place then there is no way you can
investigate the incident, because you don't have a record of what happened. You've got to have
those records there. It's also really important to use metrics to measure what's happening in
your organization from an incident response standpoint, and that's important because it allows
you to, A, really understand what's happening with your business from a security breach
standpoint, and B, communicate that information to the leadership team of your company in a
quantitative fashion that allows you to get a real financial sense of the impact of the
security breaches that are happening in your organization. I think that it's really important
that CEOs today are in the loop, that they are aware of the security threats that their
organizations face. It's clearly a high-level discussion. If you consider some of the things
that have been disclosed over the past couple of months, people need to know what's happening
and they need to have a financial understanding of its impact, and that's something that IT
security teams ought to be doing. Hopefully, if they do that, if they improve that level of
communication, they'll get the resources that they need financially in order to build the
incident response capabilities that they ought to have. I want to leave with one thought. We
didn't include this result in the survey results, but we share it here: 81 percent of our
survey respondents said that if they had the right tools and the right people and the right
resources, they could effectively protect their organization against attack. I was really
surprised by that result. That's a great deal of confidence from our survey respondents that
they could actually be effective if they were properly equipped, and I think the reality is
that they just aren't as equipped as they ought to be in most cases.
This slide has a URL for the report, which you can go download from Lancope. There are a lot
of other data points that we collected that we didn't discuss here that are very interesting,
and some analysis there, and hopefully this is something that you can share with colleagues as
well who are interested in thinking about incident response.
Thank you very much Larry for coming on our web cast today. It's really great to have
your insight here and I think you guys did a great job with the survey and really helped
illuminate some data points that are very helpful for people in understanding this problem.
Thank you Tom. Thanks for making my day. It's always a pleasure to talk with you.