Enterprise IT Talks Proactive Security, But Stays on Defense, Survey Finds

Many large organizations are not confident in their ability to fight off the latest salvos of advanced persistent threats, and are relying on reactive approaches even as they talk about being more proactive, a new survey has found.

The survey, which was conducted in June on behalf of security vendor CounterTack, fielded responses from 100 executives responsible for IT security at companies with more than $100 million in annual revenue. The survey found that 84 percent believe their organizations are vulnerable to advanced persistent threats (APTs) targeting critical assets. What's more, almost half (49 percent) of everyone surveyed said their organization had been attacked within the last 12 months.

“This survey corroborates the anecdotal evidence many of us in the industry are exposed to, which paints a chillingly accurate picture of a growing chasm between executive awareness about the nature of rapidly evolving threats and the available resources to address them,” said Richard Stiennon, chief research analyst, IT-Harvest, in a statement. “While the willingness of information security executives to explore new ways of dealing with targeted advanced threats in the coming months is an encouraging finding, it’s also evident that economic constraints and outmoded thinking will remain stumbling blocks.”

According to the survey, static, perimeter defensive tools such as firewalls are on the frontlines of the fight against APTs – something that, along with the fact that 36 percent said they would be unable to see or stop an attacker that gets onto their network, underscores the need for a new approach, argued John Worrall, executive vice president of product management at CounterTack.

"My conversations with security officers and practitioners in companies of all sizes indicate that the vast majority of organizations lack visibility," he told SecurityWeek. "Logging systems can be a very effective tool for compliance reporting, but they have fundamental shortfalls when it comes to event correlation. First of all, there is just so much data from so many different sources. That makes it very difficult to know what to look for. Second, correlation rules can be very complex. If they aren't well constructed, the critical data will be missed."

Eighty percent of respondents believe enterprises should adopt "a military-style approach to security learned from physical battlefields" based on intelligence gathering and situational awareness. Just 21 percent said they are currently taking a proactive, "warrior" approach to security that focuses on finding threats on the network and fighting back. Meanwhile, 58 percent described their strategy as "protector" – meaning they focus on keeping intruders out via layered security.

Ninety-two percent of respondents agreed that fighting back to interrupt an in-progress cyber-attack is necessary. This concept of a more proactive approach to security has given rise to a number of companies focused on helping enterprises build intelligence on the attackers targeting them so they can improve their defenses by infusing a deeper understanding of risk into their security strategy. Still others advocate retaliatory hacking – a more aggressive approach that, as U.S. Cyber Command attorney Robert Clark argued at the Black Hat conference in July, can sometimes cross into murky legal territory.

"Organizations are just beginning to adopt the warrior approach for a number of reasons," said Worrall. "First, advanced targeted attacks are still not well understood by the majority of organizations, or security teams don't receive the executive support needed to combat them...[The] survey told us that almost half of respondents were confident that they have not fallen victim to an APT attack. Yet that flies in the face of just about every other data point we’ve seen. Organizations either have been the victim of an APT and know it, or they've been a victim and they don't know it. Given the nature of the attacks, it's impossible to firmly state that you haven't been a victim."

"Second, combating APTs requires a whole new approach to information security," he added. "The cyber battlefield has moved inside the organization, and a new mind, skill and tool set is required to adjust the battle plan. For example, over 60 percent of the CounterTack survey respondents stated that the lack of intelligence and situational awareness of activities inside their network - [that] is a major obstacle in their efforts to combat APTs."