MarketFocus: House of the Rising Sun

MarketFocus
In-depth analysis from Intel Security
September 2016

House of the Rising Sun
Headlines about data breaches do not reflect CISOs’ upbeat infosec attitudes

While high-profile data breaches continue to jar corporate boardrooms, companies seem fairly upbeat about their ability to respond to attacks, new research from SC Magazine finds. Esther Shein explores the security priorities of companies large and small and what they see as their data security impediments for the year to come.
In spite of the doom-and-gloom media reports of massive data breaches at major retailers, government agencies and hospitals, companies across a wide swath of industries, sizes and revenues feel pretty good about their level of preparedness in the event of a security breach, according to the findings of a recent SC Magazine survey of 222 IT security professionals sponsored by Intel Security and conducted by C.A. Walker Research Solutions.

A significant majority of respondents say they already are performing security functions including suspicious activity detection and validation; malicious activity containment; incident data search and investigation; and visibility and data collection. Other activities include threat hunting and sandbox detection of zero-day threats, albeit to a lesser degree.

With the increasing prevalence of mobile workers, nearly 69 percent of companies with revenues of $1 billion or more, of which there were a total of 74 in this sample, are also making it a priority to protect users off-network. So too are almost 64 percent of companies with more than 5,000 employees, of which there were 105 respondents.

Yet, at the same time, regardless of size and revenue, respondent companies place preventing mobile malware low on their priority list, behind data breaches, ransomware, targeted attacks and zero-day malware, among other concerns. The only concerns ranking lower were file-less malware and greyware. Security pros at companies of all different sizes and revenues also place a low priority on protecting off-network users, ranking it last among their top security objectives.

This is considered likely because companies already have deployed security software on corporate desktops and laptops for remote users, believes Candace Worley, vice president of enterprise solutions marketing at Intel Security. Although on-network users get additional security protections from tools like intrusion detection systems (IDS) or firewalls at the edge, “I still have endpoint protections (on my laptop) no matter where I go,” she explains.

“Over time, the host-based security capabilities have matured to the point where you have not just antivirus and local firewalls, but application controls and IDS and elements of containment or machine learning or other types of technology resident on the laptop. That’s a fair amount of protection,” she says.

In addition, new encryption techniques are extremely difficult, if not impossible, for a hacker to crack, even on lost or stolen mobile devices, she adds. As long as a company is implementing appropriate authentication techniques, mobile workers should be well protected, she says.

In terms of companies’ highest priority security objectives, 31.5 percent of all respondents ranked “reduce vulnerability” as their number one goal, followed by “maintain productivity,” a key concern for 23 percent of companies with between 1,001 and 5,000 employees, of which there were 52 in the survey, and just over 21 percent at companies with revenues of $1 billion or more. Of the total respondents, 18.5 percent ranked maintaining productivity first, 13 percent ranked it second and 14 percent ranked it third. Twenty-three percent ranked it as their lowest priority.

Reducing vulnerability was cited as the top priority by 40 percent of respondents at companies with 1,000 or fewer employees, of which there were 65 respondents, and by 38 percent of those at companies with revenues between $100 million and $1 billion, of which there were 50 respondents. Conversely, of the respondents at companies with greater than $1 billion in revenue, only 17 percent considered this their top priority, with two other priorities placing higher. In that revenue segment, the top priority was maintaining productivity while the second-place finisher was minimizing damage from attacks.

There is likely a strong focus on reducing vulnerabilities in the data center, where security pros have full visibility of in-and-out traffic activity, so they are focusing on the systems with the greatest amounts of data and protecting that, observes Josh Thurston, security strategist, Americas, in the Office of the CTO at Intel Security. Interestingly, protecting off-network users ranked the lowest among respondents across the board, and Thurston thinks companies perceive that to mean if an employee’s phone is stolen it can be replaced, or if a laptop is breached, IT simply won’t let it connect back to the network and will put that on the back burner.

“They care most about their servers — virtual and physical — and their infrastructure because that’s the livelihood of their business and where most data resides,” Thurston says.

While productivity is important, it would seem that it might pale in comparison to recovering from a network attack, yet companies don’t always see it that way. People focused on productivity are very concerned about issues like how to take a person out of the office for three weeks of security training on software without it impacting their work, notes Scott Montgomery, vice president and chief technical strategist at Intel Security.

Chart: What type of threats are you most concerned with preventing?
Data breaches: 34.7%
Ransomware: 22.1%
Targeted attacks: 14%
Zero-day malware: 9.9%
Malware moving laterally: 5.9%
DDoS: 5%
Mobile malware: 4.5%
File-less malware: 2.7%
Greyware: 1.4%

Chart: What are your highest priority security objectives?
Reduce vulnerability: 31.5%
Maintain productivity: 18.5%
Maintain compliance: 13.5%
Minimize damage from attacks: 12.2%
Reduce incidents: 9.5%
Connect the workforce: 6.8%
Control costs: 4.1%
Protect off-network users: 4.1%

2 • www.Intelsecurity.com
Chart: What impedes you from meeting your security objectives?
Overall cost of security: 29.3%
Time-consuming manual processes: 19.8%
Uncoordinated defenses: 18.5%
Lack of skilled security professionals: 16.7%
Lack of appropriate tools/technology: 11.3%
Volume of infections: 4.5%

Chart: What best describes your approach to meeting your security objectives today? (multiple answers allowed)
Process improvement: 78.8%
Optimizing current technology investment: 68.5%
Training security staff: 65.8%
Acquiring new technology: 60.4%
Security vendor consolidation: 30.6%
Other: 4.1%

That’s typically not possible; there is a definite impact, he notes. But at the same time, “If they’re not trained on what we bought, they’re not helping,” he says. “So reducing the number of vulnerabilities is a cry for help on patching.” There is a double whammy, he quips, “if I take any form of a productivity hit.”

Companies are also challenged by security systems sprawl, which is yet another reason to provide training, but many companies are not doing it adequately, Montgomery says. “This thinking is very counterproductive, because if people were better at [using] the tools they have they’d probably get better results with less labor, but because they’re under- or un-trained, they’re just kind of grinding along.”

He expresses surprise that maintaining productivity wasn’t cited as the highest priority objective, and believes that “maintain compliance,” which ranked third, “is a wasted effort.” Montgomery points out that Target, the victim of a highly publicized breach, had been certified as PCI compliant at the time the breach was identified. “[In] every major breach in the United States the organization has been compliant” with the required standards, he says.

Minimizing damage from attacks ranked fourth among organizations’ priority concerns, and Montgomery thinks that’s because most organizations that get breached are not aware it is happening.

Photo: Scott Montgomery, VP, chief technical strategist, Intel Security

Legacy systems – the forgotten stepchild

Respondents gave “reduce incidents” the fifth spot on the ladder of security priorities and cited various types of malware (zero-day, malware moving laterally and mobile) as the threats they are most concerned with preventing. This suggests that companies might not be paying as much attention to protecting themselves against attacks on legacy systems that haven’t been updated, patched or had new antivirus software installed.

Frost & Sullivan released a report in April 2015, the (ISC)² Global Information Security Workforce Study, on the alarming lack of security practitioners, while the number of devices is increasing, especially with the proliferation of Internet of Things (IoT) devices.
Chart: Which of the following security functions are you doing today?
Suspicious activity detection and validation: 86.5%
Malicious activity containment: 81.5%
Incident data search and investigation: 76.6%
Visibility and data collection: 74.3%
In-line prevention of zero-day threats: 64%
Off-network user protection: 58.1%
Threat hunting: 50.5%
Sandbox detection of zero-day threats: 42.8%

Chart: Which of the following security functions are a high priority in the next 12 months?
Suspicious activity detection and validation: 71.6%
Malicious activity containment: 67.1%
Incident data search and investigation: 53.2%
Visibility and data collection: 46.4%
In-line prevention of zero-day threats: 42.3%
Threat hunting: 35.6%
Sandbox detection of zero-day threats: 28.4%
Off-network user protection: 26.6%

“There are only 24 hours in a day and a flat number of people and more devices for them to protect, so quality and efficiency are suffering,” he says.

“We’re doing a lousy job protecting legacy systems because they are probably the last consideration,” Montgomery says. What is top of mind? “The new stuff — cloud, mobile, BYOD. What about the mainframe, where all the data is? Nobody’s looked at it in a year.”

Often, legacy systems are no longer patched by the vendor, nor are old versions of an operating system or application supported by the vendor that developed or sold them, so they cannot be updated, adds Worley. This is especially true in manufacturing companies, which have spent millions of dollars to build proprietary software for a business process and find that their entire manufacturing system is now vulnerable to attack. In that case, one of the key things they can do is utilize application control, which allows IT to set a policy that says the only thing allowed to execute on a box is known or whitelisted software, she says.

“What that means is you, the admin, will designate an upgraded server and tell that application control product it can only accept changes to the system from this server, and only software that is sent to you by an approved updater will be allowed to update on the system,” Worley says.

Photo: Scott Montgomery

This approach is used by a number of Intel Security’s customers on ATMs, point-of-sale and manufacturing line systems, where software is not updated very often, she says.

A somewhat surprising finding was how low respondents across the board ranked “control costs” as a high priority security objective.

“I’m actually kind of shocked that it’s that low,” says
Chart: Which of the following security functions are a priority in the next 12 months? Visibility and data collection
High priority: 46.4%
Medium priority: 46.4%
Low priority: 7.2%

Chart: Which of the following security functions are a priority in the next 12 months? Incident data search and investigation
High priority: 53.2%
Medium priority: 41%
Low priority: 5.9%

Chart: Which of the following security functions are a priority in the next 12 months? Suspicious activity detection and validation
High priority: 71.6%
Medium priority: 24.3%
Low priority: 4.1%

Chart: Which of the following security functions are a priority in the next 12 months? Threat hunting
High priority: 35.6%
Medium priority: 45%
Low priority: 19.4%

Thurston, “because after all, everyone in this industry … is asking for customers’ money but there’s not a lot of money being given out these days.”

That is the case even in niche industries like healthcare, which have to meet compliance standards but are seeing their budgets getting cut. Thurston says he expected controlling costs to be chief among security objectives because companies are “constantly penny pinching and they want the most security for the least amount of money.”

Worley agrees that companies acquiring security software want the best deal possible because they have limited budgets. “It’s probably a statement that security is a critical concern for us and we’ll spend what we need to secure our organization,” she says. On the flip side, breaches are extremely expensive to fix, so if a company spends money upfront that mitigates the risk of an otherwise expensive data breach, that company could end up ahead financially.

“That’s controlling costs in a very different way. I think some companies are saying, ‘I can spend a little upfront, maybe more than I planned originally on security, and reduce the risk of spending a lot on the backend to clean up a breach,’” Worley says.

Photo: Candace Worley, VP of enterprise solutions marketing, Intel Security

Montgomery sees that response as the only positive to come out of the number of high-profile breaches. “[The highly publicized attacks] raised awareness to the board room level,” he says. “People were getting sacked and the board room started asking questions like ‘What do I need to do to help my teams?’ I don’t think there’s a shortage of money.”

Yet, when respondents were asked what impedes them from meeting their security objectives, 29 percent of respondents cited the overall cost of security as the number one response. Of that figure, nearly 41 percent were companies with revenues of less than $100 million. Worley attributes the discrepancy to the fact that, “they’re tortured souls. I think it’s indicative of the fact that they’re working
within limited budgets, so they’re trying constantly to balance this interplay of limited budgets with what I have to spend to protect my environment. It’s a balancing act that’s not easy for them to manage.”

Thurston finds this baffling and admits he doesn’t understand why there was such a “flip-flop” on the answers. His theory is that companies might be overwhelmed by the number of security products on the market. “Twenty years ago, you got a firewall and antivirus, and you thought about doing intrusion detection, and that was pretty much it,” he says. “Nowadays, you have 70 to 80 products you can look at deploying from 800 vendors, and every product has a special use case and you want to buy it. But you have to consider, ‘Am I robbing Peter to pay Paul’ in every one of those scenarios. It’s become a very daunting task for CISOs” to figure out how to get the most for their limited funds.

Montgomery wonders if respondents were factoring in the cost of salaries, noting that salaries are “through the roof for security analysts in particular,” and in some cases, a top security analyst can command more salary than the CISO.

One revealing insight was that almost 20 percent of all respondents chose “time-consuming manual processes” as the second greatest impediment to meeting their security objectives, followed by uncoordinated defenses (18.5 percent), and “lack of skilled security professionals,” which was cited by almost 17 percent and has been a widely discussed source of angst in the security community. Of the respondents citing the manual process issues, 17 percent are at companies with more than 5,000 employees and almost 14 percent are at companies with revenues of $1 billion or more.

Improving process is a business imperative

When asked what best describes their approach to meeting their security objectives today, almost 79 percent said “process improvement.” Of those, the vast majority percentagewise, almost 86 percent, were at companies with greater than 5,000 employees. Thurston isn’t surprised by that, noting that the way customers approach security is very manual and user- or security-practitioner centric. He describes this as meaning an individual might take care of one responsibility and not let other members of the team in on the latest findings because there is no process, no workflow and a lack of communication that does not encourage sharing intelligence.
Chart: Which of the following security functions are a priority in the next 12 months? Malicious activity containment
High priority: 67.1%
Medium priority: 29.3%
Low priority: 3.6%

Chart: Which of the following security functions are a priority in the next 12 months? In-line prevention of zero-day threats
High priority: 42.3%
Medium priority: 49.1%
Low priority: 8.6%

He expresses surprise that security vendor consolidation, which ranked further down the list (nearly 31 percent) of how companies are meeting security objectives, wasn’t the highest objective. Thurston recalls a customer visit where he met with the vast majority of its security team – from the CIO to the CISO to the individuals responsible for various networking and business unit teams. Someone at the company commented that they use 77 security vendors, and Thurston suggested this might be an issue. The client said it would like to reduce its vendor count to 20, Thurston says, and he replied, “How about under 10? How big of a problem is that?” Thurston says the client’s reply was: “We’re spending four hours with you, and we do that a lot.” Thurston says he tried to get them to see how time consuming that is and later on, he began asking other customers how many vendors they have and how many meetings they have in a week. “They keep running in circles and they’re all discovering they’ve more or less built a Tower of Babel,” he says, meaning they’re trying to get best-of-breed security tools, when in fact none of the tools talk to one another. Consequently, companies find themselves having to meet lots of vendors and call a variety of help desks for support. If the companies reduce the number of vendors, they “would immediately get process improvement, optimization of [their] current technology investment” and fewer vendors that have to train employees, so security would be better, Thurston says. “If that was the number one approach, all other items in that table would be inherently improved.”

Photo: Josh Thurston, security strategist, Office of the CTO, Intel Security

Worley thinks respondents chose process improvement because it could mean something as basic as when a patch is shipped, there needs to be a process in place for IT to apply it to an OS immediately. Even if an OS or application vendor releases a patch for a vulnerability or series of vulnerabilities they’ve found and fixed, oftentimes – either because of resource shortages or
because of change control processes – applying that patch is delayed by days, weeks or months, she says. And of course, the longer it takes a company to apply a patch, the larger the window of opportunity for a potential hacker.

“It could also mean we need to put in place file integrity monitoring or change control processes that track changes made to a system and notify the IT or security organization when changes outside the standard we’ve set have been made to a server or host,” Worley adds.

Chart: Which of the following security functions are a priority in the next 12 months? Sandbox detection of zero-day threats
High priority: 28.4%
Medium priority: 48.6%
Low priority: 23%

Chart: Which of the following security functions are a priority in the next 12 months? Off-network user protection
High priority: 26.6%
Medium priority: 45.5%
Low priority: 27.9%
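Worley’s two points, an application control policy under which only known or whitelisted software may run and only changes from a designated updater are accepted, and file integrity monitoring that notifies when a server drifts from the standard that was set, can both be reduced to one mechanism: a hash baseline of the host that is re-scanned and compared. The following Python script is an added example written for this edit, not code from Intel Security, SC Magazine or any product mentioned in the article; the directory layout, file contents and approved-software allowlist are constructed inline for the demonstration.

```python
"""Baseline-and-diff file integrity monitor with an execution allowlist check.

Constructed example: builds a SHA-256 baseline of a directory tree, rescans
it, reports files that were added, modified or removed (the file integrity
monitoring half), and flags any file whose hash is not on an approved-software
allowlist (the detection half of application control).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """Report what changed between two scans; empty lists mean no drift."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def unapproved_files(baseline: dict, allowlist: set) -> list:
    """Files whose content hash is not on the approved-software allowlist.

    An approved update changes a file, but its new hash is on the allowlist,
    so it is not flagged; a change from any other source is.
    """
    return sorted(p for p, digest in baseline.items() if digest not in allowlist)


def demo() -> dict:
    """Construct a toy host, take a baseline, then tamper with it and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho approved build 1.0\n")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("mode=production\n")

        # Constructed allowlist: hashes of the software the designated updater shipped.
        allowlist = {
            sha256_file(root / "bin" / "app"),
            sha256_file(root / "etc" / "app.conf"),
        }
        before = build_baseline(root)

        # Simulated drift outside the change-control standard: one binary is
        # altered, an unknown binary appears and a config file disappears.
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho unexpected change\n")
        (root / "bin" / "helper").write_bytes(b"#!/bin/sh\necho not from the updater\n")
        (root / "etc" / "app.conf").unlink()
        after = build_baseline(root)

        return {
            "drift": diff_baselines(before, after),
            "unapproved": unapproved_files(after, allowlist),
        }


if __name__ == "__main__":
    result = demo()
    for kind, paths in result["drift"].items():
        print(f"{kind}: {paths}")
    print("not on allowlist:", result["unapproved"])
```

In a deployment the baseline would be stored off the monitored host, the rescan would run on a schedule, and the `added`, `modified` and `unapproved` lists are what would be forwarded to the IT or security organization as the notification Worley describes; enforcement, refusing to execute anything outside the allowlist, is what the application control product itself adds on top of this detection.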
For Thurston, the biggest surprise of the survey is that companies simply do not feel impeded from their objectives by a lack of skilled security professionals. “I have not been to a single customer (who) tells me they’re stable or overstaffed. So not having enough people should impede them most, along with lack of appropriate tools and technology,” which ranked near the bottom at 11 percent, followed by volume of infections at 4.5 percent. He agrees that time-consuming manual processes are a big impediment because that leads to a lack of integration and automation. Thurston wonders if perhaps respondents are thinking more about long-term objectives than their “day in, day out regiment.” Regardless, he says, “coming back to a lack of people and lack of tools should be their number one and two problems.”

Ultimately, CISOs and other security professionals seem to be confident in their security precautions. Even though breaches seem to be inevitable, a large percentage of the respondents believe that they are well positioned to identify and stop the breaches before they do significant damage. Whether or not they actually are as prepared as they believe they are will become evident if and when a breach occurs.
Methodology

This SC Magazine survey, sponsored by Intel, was conducted in July and based on 222 responses from a wide range of companies including those in the finance, technology services, federal, state and municipal government, military, manufacturing, healthcare, education, retail, utility and telecom sectors. Respondents included systems/security administrators, IT managers, engineers/architects, consultants, CSOs/CISOs, CIOs, managing director/director and EVP/SR VP of risk/privacy compliance. Some charts and totals equal more than 100 percent due to multiple answers.
Intel Security is intensely focused on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world. Intel Security is combining the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. For more information, visit www.intelsecurity.com
This supplement was commissioned by Intel Security and produced by SC Magazine, a Haymarket Media, Inc. brand.