New IT Security Survey Reveals Nearly Half of Companies Assume They Have Been Compromised

A majority of organizations are operating under the assumption that their network has already been compromised, or will be, according to a survey conducted by the SANS Institute on behalf of Guidance Software. When the limitations of perimeter security are exposed, endpoints and critical servers rife with sensitive information are rendered vulnerable. With many high profile breaches in 2013 occurring on endpoints, interest in improving endpoint security is top-of-mind for many information security professionals.

In the first-ever SANS Endpoint Security Survey, SANS surveyed 948 IT Security professionals in the United States to determine how they monitor, assess, protect and investigate their endpoints, including servers. The largest group of respondents encompassed security administrators and security analysts. More than one-third of those respondents (34 percent) work in IT management (e.g., CIO or related duties) or security management (e.g., CISO or similar responsibilities). The overall results of the survey indicate that the topic speaks to the strategic concerns of management while also addressing the technical concerns of those in the trenches.

The survey results demonstrated that more and more attacks are bypassing perimeter security, despite the fact that the respondents do not consider the attacks to be sophisticated. Survey respondents indicated the desire for more visibility into more types of data and processes across organizational endpoints as intruders evade perimeter defenses. A large majority of respondents want delivery of relevant data collected from endpoints in under an hour. Finally, while currently post-attack remediation of endpoints is largely manual, more than half of respondents recognize the need for automated incident response and remediation, and plan to implement such within two years.

Key findings from the survey include:

• Prevention: 47 percent of respondents are operating under the assumption they’ve been compromised; with another 5 percent saying they operate under the assumption that if they have not already been compromised, they eventually will be.
• Detection: Although 70 percent are collecting data from endpoints, only 16 percent find more than half of their threats through active discovery or hunting. Over 48 percent felt that greater visibility into sensitive information like personally identifiable information or ARP cache entries on unauthorized endpoints would be extremely useful.
• Response: Delays to breach response times are clearly unacceptable, as 83 percent of the respondents said they needed results from endpoint queries in an hour or less. More than 26 percent indicated that they wanted the data in five minutes or less, underscoring the importance of conducting timely digital investigations.
• Remediation: The vast majority (77 percent) rely on slow and expensive “wiping and reimaging.” Furthermore, 54 percent of the respondents have automated less than 10 percent of their workflow to manage the remediation process. Recognizing this issue, over 60 percent of those who have not yet automated, indicate that they plan to do so in the next 24 months.

“The survey results demonstrate clearly that organizations are failing to close the loop between their network and endpoint protections and intelligence,” says Deb Radcliff, executive editor of the SANS Analyst Program, which produced the report. “Further, they’re using mostly manual processes to uncover compromises and assess impact, both of which are costly in terms of IT manpower and loss of productivity while critical servers and end-user machines are returned to a trusted state.”

Top Challenges to Incident Recovery: Some of the biggest challenges to incident recovery were connected to lack of visibility and ability to assess damage to endpoints and the network. The top five challenges were:

1. Assessing the impact
2. Determining the scope of a threat across multiple endpoints
3. Determining the scope of compromise on a single endpoint
4. Hunting for compromised endpoints
5. Losing data inadvertently during a wipe / reimage

“There is a growing shift in awareness with CISOs and other IT Security professionals recognizing that they must operate under the assumption of compromise and proactively detect anomalies to better defend the enterprise,” said Alex Andrianopoulos, Vice President, Marketing at Guidance Software. “In today’s security environment, the ability to quickly detect, analyze and remediate incidents is critical. To do so, organizations must gain greater visibility into activity across all enterprise endpoints.”

The complete survey results will be presented by the SANS Institute on a webcast, March 13 at 1:00 pm Eastern / 10:00 am Pacific. To register for the webcast, please visit: https://www.sans.org/webcasts/97817.

About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest source for world-class information security training and security certification in the world, offering over 50 training courses each year. GIAC, an affiliate of the SANS Institute, is a certification body featuring over 25 hands-on, technical certifications in information security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system—the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (www.SANS.org)

About Guidance Software, Inc.
Guidance Software is recognized worldwide as the industry leader in digital investigative solutions. Its EnCase® Enterprise platform, deployed on over 20 million endpoints, is used by numerous government agencies, more than 65 percent of the Fortune 100, and more than 40 percent of the Fortune 500, to conduct digital investigations of servers, laptops, desktops and mobile devices. Built on the EnCase Enterprise platform are market-leading electronic discovery and cyber security solutions, EnCase® eDiscovery, EnCase® Cybersecurity, and EnCase® Analytics. They empower organizations to respond to litigation discovery requests, perform sensitive data discovery for compliance purposes, conduct speedy and thorough security incident response, and reveal previously hidden advanced persistent threats or malicious insider activity. For more information about Guidance Software, visit www.encase.com.

EnCase®, EnScript®, FastBloc®, EnCE®, EnCEP®, Guidance Software™ and Tableau™ are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other trademarks and copyrights referenced in this press release are the property of their respective owners.