Survey: Security Analytics and Intelligence
Download as PPTX, PDF2 likes3,768 views
The 2013 survey by SolarWinds and SANS included over 600 IT professionals, highlighting the allocation of IT budgets for security, challenges in threat detection, and response times to attacks. Key findings showed 45% of organizations spend less than 20% of their IT budget on security, with significant difficulties in identifying and mitigating threats. Recommendations emphasized the need for better log data collection and correlation to enhance real-time threat detection and improve security analytics.
Survey: Security Analytics and Intelligence
- 1. 1 Survey: Security Analytics and Intelligence A look at the impact of security threats and the use of security analytics and intelligence to mitigate those threats © 2013, SolarWinds Worldwide, LLC. All rights reserved. Conducted by SANS Institute June/July 2013
- 2. 2 Introduction » SolarWinds, in conjunction with SANS, recently conducted a survey on Security Analytics and Intelligence with participation from over 600 IT professionals » This presentation provides insight into IT budgets for security, difficulties faced in identifying attacks and breaches, and more 2 The Agenda • Participants: Whom did we survey? • Results: What did they say? • Key Take Away: What does the survey mean to you? • Recommendations: What can you do? SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 3. 3 Whom Did We Survey? 3 19.0% 17.2% 15.6% 8.7% 8.7% 8.2% 7.0% 5.9% 5.1% 2.9% 0.9% 0.9% Government/Military Financial Services/Banking Other Education HighTech Health care/Pharmaceutical Telecommunications Carrier/Service… Manufacturing Energy/Utilities Retail Engineering/Construc tion HostingService Provider Participants: Industry wise SANS & SOLARWINDS IT SECURITY SURVEY 2013 45% of the survey taker organizations were from Federal, BFSI and Healthcare
- 4. 4 IT Budget Spent on IT Security • 45% of the survey takers were spending less than 20% of their IT budget on information security management, compliance and response • About 30% spent less than 10% on information security management, compliance and response Unknown, 40.0% Less than 5%, 21.3% 6% to 10%, 16.0% 11% to 20%, 7.9% 21% to 30%, 7.3% 31% to 40%, 2.0% 41% to 50%, 1.2% 51% to 60%, 0.9% Greater than 60%, 1.7% Other, 1.6% SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 5. 5 Threat Detection and Response SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 6. 6 Difficulty in Detecting Threats 33.4% 23.5% 21.1% 7.8% 5.7% 3.0% 2.8% 1.3% 1.3% Noattacks(thatwe knowabout) 2to5 Unknown 1 6to10 11to20 21to50 51to100 Morethan100 Difficulty in detecting threats In the past two years, 45% of the respondent companies had 1 or more attacks that were difficult to detect. SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 7. 7 Time Taken to Detect the Impact of the Attacks • 30% of the organizations took up to a week to detect the impact • 14% of them took about 1-3 months Within the same day One week or less A month or less Three months or less Five months or less 10 months or less More than 10 months Unknown SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 8. 8 Time Taken for Attack Remediation • 35% of companies took up to a week to remediate after the initial knowledge of an attack • About 11% of the companies took 1-3 months Within the same day One week or less A month or less Three months or less Five months or less 10 months or less More than 10 months Unknown SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 9. 9 Data Collection and Correlation SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 10. 10 Top 3 Impediments to Discovering and Following Up on Attacks 39% 21% 19% Not collecting appropriate security data Not Identifying relevant event context (Event correlation) Lack of system awareness and vulnerability awareness SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 11. 11 Types of Operational and Security Data Collected for Security Analytics Top 3 Types of Data Currently Collected: • Log data from network devices, servers and applications • Monitoring data from firewalls, vulnerability scanners, IDS/IPS • Access data 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% Log data from network (routers/switches) and servers, applications and/or endpoints Monitoring data provided through firewalls, network- based vulnerability scanners, IDS/IPS, UTMs, etc. Access data from applications and access control systems Unstructured data-at-rest and RAM data from endpoints (servers and end-user devices) Security assessment data from endpoint (aka from NAC/MDM scans), application and server monitoring tools Assessment and exception data (not on the whitelist of approved behaviors) taken from mobile/BYOD endpoints… Monitoring and exception data pertaining to internal virtual and cloud environments Monitoring and exception data pertaining to public cloud usage Other Unknown Don't plan to collect Plan to collect within 12 months Currently collect Top 3 Within 12 Months: • Security assessment data from endpoint, application and server monitoring tools • Monitoring and exception data from internal virtual and cloud environments • Access data from applications and access control systems
- 12. 12 How Satisfied are Organizations with their Security Tools? SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 13. 13 Alarming Factor!! 59% of the organizations don’t know whether they are collecting security data in real time or not. SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 14. 14 Correlation of Event Logs • 30% of the organizations did not have any automated correlation of log data • 45% of the organizations manually scripted searches based on hunches • 39% of them had no third party intelligence tools 0% 10% 20% 30% 40% 50% Other Hadoop or other free or distributed data analysis tools Unstructured data analysis tools with NoSQL and other methods. Advanced intelligence/threat profiling database No automated correlation of logs, just manual scanning for exceptions by experts Manual and manually-scripted searches based on evidence and hunches Use of SIEM technologies and systems Dedicated log management platform used for IT security and operations SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 15. 15 More on Correlation 38% of the respondent organizations did not have log correlation for external threat intelligence tools And guess what??? 44% of the organizations are doing only up to 25% of their inquiries to detect threats in real time. SANS & SOLARWINDS IT SECURITY SURVEY 2013 About 36% of the organizations never had any automated pattern recognition
- 16. 16 Satisfaction with Current Analytics and Intelligence Capabilities • About 59% of the organizations are not satisfied with their library of appropriate queries and reports • 56% of the organizations are not satisfied with their relevant event context intelligence • 56% of them have no visibility into actionable security events 1.25 1.30 1.35 1.40 1.45 1.50 1.55 1.60 1.65 1.70 1.75 Producing or having a library of appropriate… Relevant event context (intelligence) to observe… Training/intelligence expertise Integration of other monitoring systems into… Costs for tools, maintenance and personnel Visibility into actionable security events across… Ability to alert based on exceptions to what is… Reduction of false positives and/or false negatives Performance and response time issues Other Storage capacity and access of data in needed formats SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 17. 17 Primary Use Cases for Evaluation of Security Tools External malware Advanced Persistent threats Compliance monitoring 0% 5% 10% 15% 20% 25% SANS & SOLARWINDS IT SECURITY SURVEY 2013 24% - External malware 13% - Advanced persistent threats 11% - Compliance monitoring
- 18. 18 Top 3 Future Investments in Security SANS & SOLARWINDS IT SECURITY SURVEY 2013 0% 10% 20% 30% 40% 50% 60% 70% Securityinformationmanagement tools/SIEMsystemswithbuilt-in analyticscapabilities Personnel/trainingtodetect patterns(analytics)andmanage systems Vulnerabilitymanagement Networkprotections (UTM,IDS/IPS,etc.) Endpointvisibility Applicationprotectionsand visibility Intelligenceproductsorservices Analyticsengines Other Top 3 Future Investments in Security: 1. SIEM Tools 2. Training 3. Vulnerability Management
- 19. 19 For truly effective security and threat management, organizations need to: Collect and correlate appropriate log and event data across all relevant sources throughout the IT infrastructure Handle larger volumes of log data efficiently Establish a baseline of “normal” behavior in order to identify anomalies Identify threats and attacks in real time Reduce the time between detection and response Implement the right tools for advanced analytics and intelligence Key Takeaways SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 20. 20 » Event correlation for event context and actionable intelligence » Real-time analysis for immediate threat detection and mitigation » Advanced IT search to simplify event forensics and expedite root cause analysis » Built-in reporting to streamline security and compliance How Can SIEM Solutions Help You? SANS & SOLARWINDS IT SECURITY SURVEY 2013 65% of the organizations want to make their security investments on SIEM systems
- 21. 21 SolarWinds Log & Event Manager Log Collection, Analysis, and Real-Time Correlation Collects log & event data from tens of thousands of devices & performs true real-time, in-memory correlation Powerful Active Response technology enables you to quickly & automatically take action against threats Advanced IT Search employs highly effective data visualization tools – word clouds, tree maps, & more Quickly generates compliance reports for PCI DSS, GLBA, SOX, NERC CIP, HIPAA, & more Built-in correlation rules, reports, & responses for out-of-the-box visibility and proactive threat protection SANS & SOLARWINDS IT SECURITY SURVEY 2013
- 22. 22 Thank You! SANS & SOLARWINDS IT SECURITY SURVEY 2013