Every time a leading security company releases a report on their detailed research on the state of enterprise or personal security I hold my breath. Are things as bad as they seem? Are they getting worse? Are the white hats keeping up with the black hats? When will the trends reverse direction?
Getting answers to these is why I read the reports cover to cover. It is also why, since researchers come from different perspectives and look at different data sets, I like to recommend for download the ones that resonate. Such is the case with the release by Solutionary (a managed security services provider that since last August is an NTT (News - Alert) Group security company) of the NTT Group 2014 Global Threat Intelligence Report (GTIR).
The GTIR, developed using threat intelligence and attack data and contributions from the entire NTT Group security companies for the first time—which includes Solutionary, NTT Com Security, Dimension Data (News - Alert), NTT Innovation Institute and NTT Data—to put it mildly has amassed a wealth of information for IT professionals to evaluate.
Report finds getting security basics in place and having response plan are key to protection
This was a huge effort. More than 1,300 NTT security experts and researchers – from nine regions, seven R&D centers and 16 Security Operations Centers (SOC) around the world – collected and analyzed approximately three billion attacks during 2013 to produce the key findings in the GTIR.
The report focuses on five critical areas of security:
What readers will find valuable is the detailed section on striking a balance of security costs versus the risks of not having the right protection. Also worth spending time on are the recommendations and strategies for minimizing the impact of threats and reducing the threat mitigation timeline which are conveyed in multiple charts and real-world case studies.
This is an extensive cataloging and analysis of the mischief perpetrated in 2013. In addition, as Solutionary points out, the primary objective of the 2014 GTIR is to emphasize to security professionals and C-level executives that the security basics, when done right, can be enough to mitigate and even avoid the high-profile, costly data breach altogether.
The report emphasizes that the best chance to reduce the impact of threats comes from combining threat avoidance and threat response capabilities into a strategic approach.
Rather than leave you in suspense, here are some of the key findings with brief notes on their impact:
Rob Kraus, director of research, Solutionary Security Engineering Research Team, stated that, “The 2014 GTIR underscores the importance of doing the basics right. It also backs it up with examples and findings that are both actionable for the deepest of security practitioners and succinct enough for the Fortune 100 CEO.”
To whet readers’ appetites, below is a graphic from the report that looks at attack types. There is a significant amount of granular data on these along with which markets are favorite targets. As Kraus explained to TMC (News - Alert), the bad news is what he called the “weaponization of vulnerabilities.”
Source (News - Alert): NTT Group 2014 Global Threat Intelligence Report (GTIR)
In discussing the report with TMC, Kraus made a few points about the survey that amplified the NTT concerning doing the basics. “Not only does the report show how many companies are not doing the basics—such as missing patches, mis-configuring servers, not have updated anti-virus capabilities, etc., which could mitigate a lot of risks—but even those doing the basics are not doing them well.” In fact, he noted that many of the problems detected by the researchers were developed by bad actors in the 2004-2011 time period and that solutions to them have been around for a while but have not been implemented by many IT departments.
“This does not mean that advanced detection and control capabilities are not advised. We believe that having the right and best tools to mitigate the greatest amount of risk is the path to follow, and that sophisticated protection, early detection, rapid validation and fast response must be the goal. However, it does mean that a significant amount of risk can be mitigated just by following simple common sense and staying on top of things,” Kraus explained.
Kraus and his team hope readers will focus additional basic blocking and tackling items. These include: making sure your company has done a risk assessment; has an incident plan in place (surprising only 8-10 percent of companies have a tested plan in place); and had money put aside if there is an incident.
Kraus added that, “The GTIR highlights not just the importance of doing the basics well, but also understanding that this is as much about people and process as it is about technology. Organizations, for example, that do lifecycle management of their resources achieve a better security posture than those who don’t. Plus, once a security assessment has been done, those who understand that the financial commitment is to process and not to a project and hence set aside the resources needed to monitor and control things as the attacks continue to increase in frequency and sophistication are the ones best positioned to avoid potentially catastrophic consequences.”
As the first point about the cost of a “minor” SQL injection attack exceeding $196,000 illustrates, when bad things happen costs can run up very quickly, and this does not include the costs associated with things like the damage to brand reputation, legal liabilities and other collateral damage. It is also why this report is interesting reading not just for IT, but for C-levels across an enterprise.