Sergey Nivens - Fotolia

US IT professionals overconfident in cyber attack detection, study finds

Most US IT professionals are confident in key security controls to detect cyber attacks – but unsure how long it would take automated tools to discover a breach

IT professionals in the US are overconfident in their ability to detect a data breach, a study of more than 760 IT professionals across four industry sectors revealed.

Most respondents expressed high levels of confidence in seven key security controls required to detect cyber attacks on endpoints – but many were unsure how long it would take automated tools to discover key indicators of compromise.

More the two thirds of those polled on behalf of security firm Tripwire admitted they only had a general idea, were unsure or did not use automated tools.

However, regarding how long it would take to detect a configuration change to an endpoint on their organisations’ networks, 71% believed it would happen in minutes or hours.

Nearly half of energy and health care respondents said they had the lowest percentage of successful patches in a typical patch cycle, with a success rate of less than 80%.

Almost two thirds of respondents were unsure how long it would take for automated tools to generate an alert if they detected an unauthorised device on the network; while 23% said that 90% of the hardware assets on their organisations’ networks are automatically discovered.

Nearly half of respondents working for federal government organisations said not all detected vulnerabilities are remediated in 15 to 30 days.

Just over two fifths of midmarket organisations do not detect all attempts to access files on local systems or network-accessible file shares by users who do not have the appropriate privileges.

Read more about security automation

Managers miss key information

The survey found 61% of respondents working in the financial services sector said their automated tools do not pick up all the information necessary to identify the locations, departments and other critical details about unauthorised configuration changes to endpoint devices.

“All of these results fall into the ‘we can do that, but I’m not sure how long it takes’ category,” said Tim Erlin, director of IT security and risk strategy for Tripwire.

“It’s good news that most organisations are investing in basic security controls, however IT managers and executives – who don’t have visibility into the time it takes to identify unauthorised changes and devices – are missing key information necessary to defend themselves against cyber attacks.”

The study is based on seven key security controls required by a wide variety of security regulations, including PCI DSS, SOX, NERC CIP, NIST 800-53 and IRS 1075.

These controls also align with US-CERT and CERT-UK recommendations and international guidance such as the UK government’s Cyber Essentials Scheme.

These regulations and frameworks recommend:

  • Accurate hardware and software inventory;
  • Continuous configuration management and hardening;
  • Comprehensive vulnerability management;
  • Patch and log management;
  • Identity and access management.

These controls are aimed at delivering specific, actionable information necessary to defend against the most pervasive and dangerous cyber attacks, including nation-state sponsored attacks.

Rapid action limits damage

Erlin said it was vital for organisations to identify indications of compromise quickly, so that appropriate action can be taken before any damage is done.

According to Mandiant’s M-Trends 2015 report, the average time required to detect an advanced persistent threat on a corporate network is 205 days. In addition, Verizon’s 2015 Data Breach Investigations Report revealed that two thirds of targeted attacks generally took months to detect.

Read more on Hackers and cybercrime prevention

Data Center
Data Management