Most companies can’t detect compromised credentials
14 January 2016
Nearly two thirds (60%) of companies cannot detect compromised credentials, according to Rapid7’s incident detection and response survey results.
That is just one of the shock findings from a survey of 271 security professionals from organisations of all sizes and industries about the challenges facing security teams, their strategic initiatives, and the security tools currently in use. It is little wonder that more than 90% of respondents admitted to being worried about attacks that use compromised credentials.
Respondents said that the top three strategic initiatives have been:
(1) deploy and maintain a security information and event management (SIEM) system
(2) expand on vulnerability management programmes
(3) improve or replace network firewalls
More than half (52%) of organisations already use a SIEM, with a further 21% looking to purchase one in the future.
A SIEM's flexibility in aggregating and correlating logs enables organisations to monitor firewall, endpoint, and DNS data simultaneously. However, there are still gaps in coverage of cloud services, DHCP-to-user mapping, and honeypots.
Almost three quarters (73%) of security teams have either deployed SIEM or plan to do so, with 50% of SIEM users claiming incident detection is the main reason they purchased the tool. There are only so many hours in the day, and security teams have limited resources. While they naturally do not enjoy receiving false-positive alerts, there is a real gap in how many alerts are generated and how many can actually be investigated.
Of the security pros surveyed, 62% said their organisation receives more daily alerts than can be viewed, investigated, and remediated. More than three quarters (76%) of respondents are not comfortable investigating more than 25 alerts every day, yet 29% are receiving more than 75 alerts every day. Detection alerts need to be fine-tuned, as some respondents report receiving over 1,000 alerts daily.
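As an added illustration of the DHCP-to-user mapping gap and the alert-volume problem described above (this is example code, not part of the survey or the article): the script correlates constructed DHCP lease and logon records, flags an account that logs on from several devices within a short window, and collapses the evidence into one alert per account and window. All hostnames, addresses and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records standing in for SIEM-ingested logs (not from the article).
DHCP_LEASES = [  # (timestamp, ip, hostname)
    ("2016-01-14T08:00:00", "10.0.0.5", "alice-laptop"),
    ("2016-01-14T08:02:00", "10.0.0.9", "kiosk-07"),
    ("2016-01-14T08:05:00", "10.0.0.12", "bob-desktop"),
]
AUTH_EVENTS = [  # (timestamp, account, source_ip) of successful logons
    ("2016-01-14T09:00:00", "alice", "10.0.0.5"),
    ("2016-01-14T09:03:00", "alice", "10.0.0.9"),
    ("2016-01-14T09:04:00", "alice", "10.0.0.9"),
    ("2016-01-14T09:05:00", "alice", "10.0.0.77"),  # no DHCP lease on record
    ("2016-01-14T09:10:00", "bob", "10.0.0.12"),
    ("2016-01-14T13:00:00", "alice", "10.0.0.12"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def build_ip_to_host(leases):
    """Latest lease per IP wins: the DHCP-to-device mapping a SIEM needs to
    attribute network events to a machine (and from there to a user)."""
    mapping = {}
    for _, ip, host in sorted(leases, key=lambda r: parse(r[0])):
        mapping[ip] = host
    return mapping

def detect_shared_credentials(events, ip_to_host, window=timedelta(minutes=30)):
    """Return one alert per (account, time window) in which the account logged on
    from two or more distinct devices. Repeated logons inside a window collapse
    into a single alert; IPs without a lease are kept visible as 'unmapped'."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events, key=lambda r: parse(r[0])):
        by_user[user].append((parse(ts), ip_to_host.get(ip, f"unmapped:{ip}")))
    alerts = []
    for user, seq in by_user.items():
        start, hosts = None, set()
        for t, host in seq + [(None, None)]:  # sentinel flushes the last window
            if start is None or t is None or t - start > window:
                if len(hosts) >= 2:
                    alerts.append((user, start.isoformat(), sorted(hosts)))
                start, hosts = t, set()
            if host is not None:
                hosts.add(host)
    return alerts

if __name__ == "__main__":
    for alert in detect_shared_credentials(AUTH_EVENTS, build_ip_to_host(DHCP_LEASES)):
        print(alert)
```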
Seventy-nine percent of the security professionals surveyed said their companies are using at least one cloud service, with Office 365 topping the list, followed by Google Apps and Salesforce.com.
Sixty percent are using only “approved” cloud services, nearly 21% don’t allow cloud services at all, and almost 19% leave it up to users to choose. Cloud services that fell under “other” included Dropbox, NetSuite, and Microsoft Azure. Only 33% of organisations have security visibility into cloud services.
“The reality is that attack surfaces will continue to expand,” wrote Rapid7. “The challenge is that with cloud services, attackers merely need to steal credentials to access confidential records. Currently, 59% of organisations report a lack of security visibility into their cloud services. Moving into the new year, security teams must prioritise detecting compromised credentials and the resulting lateral movement, not only on the network, but locally on endpoints and across cloud services.”
“Prevention is no longer a sufficient approach to security,” the Rapid7 report stated. “Organisations continue their reach and productivity through partners, cloud services and mobile devices, all of which increase risk.”
“The top three attack vectors behind breaches continue to be compromised credentials, malware, and phishing,” Rapid7 noted. “Both security vendors and practitioners must ensure that attacks leveraging these methods can be detected immediately across the entire network ecosystem. Further, this must be done while taking into account the realities of the security world: limited time and resources, very low tolerance for false-positive alerts, and the desire to receive alerts in a centrally managed system that covers all IT assets, from the endpoint to the cloud.”
IDG News Service