
Reports Outline Current Threat Landscape

Check Point has published two major reports into the current threat landscape: its own 2016 Security Report, and the SANS Exploits at the Endpoint: SANS 2016 Threat Landscape Survey (sponsored by Check Point).

Check Point 2016 Security Report

The Check Point Security Report (PDF) draws on research from more than 1,100 Security Checkups, events discovered through ThreatCloud (connected to more than 25,000 gateways worldwide), and more than 6,000 gateways reporting to Check Point's Threat Emulation Cloud. The result covers all of the major industrial sectors (for example, 40% industrial, 15% finance, 13% government). Healthcare was not separated from 'other'.

It is divided into a series of sections covering the 'attack arsenal', the use of mobile devices for both pleasure and business, 'attack patterns', the ripple effect of insecurity, and 'staying one step ahead'. Each section discusses examples that illustrate the subject, and concludes with relevant security recommendations.

The attack arsenal comprises known malware, unknown malware and zero-day exploits able to attack the growing number and diversity of devices and locations used by organizations. Recommendations are based on prevention (layered security, stopping zero-day malware and using virtual patching), and on simplifying the security architecture through a single set of unified controls.

There are now more mobile devices than desktop computers, and many users combine both pleasure and business on a single mobile device: mobiles are, says the report, "both an access curse and a business productivity blessing." Check Point's recommendations in this area are workforce awareness training, defining the risk tolerance and developing policies to suit, enforcing basic hygiene, containerization on the mobile device to separate business from personal use, and investing in technologies that look forward but still integrate with existing controls.

The report defines three major attack patterns: the growth in the use of code execution attacks (36 happened every day in 2015); DDoS attacks (a new one every 20 minutes); and spear-phishing / whaling. Check Point's recommendations are a unified architecture to cover the entire environment that includes protection against zero-day malware; security management through a single pane of glass; and the development of an effective incident response plan.

"The impact of cybercrime costs more than the value of the stolen information," says the report. "The ripple effects are often more damaging than the actual theft." This is getting worse in both volume (business data records lost over the past three years have increased by more than 400%), and cost (as the cost and complexity of compliance increases). The specific recommendations focus on awareness. Staff must be aware of consequences; security teams must be aware of the efficacy of their controls and have clear visibility into network activity; and leadership must be aware, or be made aware, of current threat levels and potential business impacts.

Staying ahead of the security threat is a complex issue and the most complex section of the report. One approach is to use best practice frameworks and compliance regulations; but the reality is that most organizations fail to implement either completely. "Our researchers," notes the report, "were shocked to find only 53.3 percent of configuration settings were defined according to industry best practices." It goes on to suggest, "Forward-looking security starts with having a best-of-breed set of fundamental security tools. Advanced Threat Prevention, mobile device protection, and segmenting your network so it can be monitored closely are critical to fully protecting your organization." Check Point's recommendations here have all been covered in the previous sections -- but it makes perhaps the most contentious recommendation of the entire report: "Ideally, scarce IT resources are better invested in preventing threats than on chasing alerts and responding to security incidents."

In reality, that final statement sums up a primary issue facing all security teams today. Should organizations accept the reality that they will be hacked and invest resources in detecting and mitigating existing hacks with all possible speed; or should they believe that they can actually prevent hacks and concentrate on doing so?

SANS Threat Landscape Survey

The SANS survey (PDF) draws on responses from 301 IT and security professionals, across all industry sectors and company sizes. "Although some threats are industry specific, the overall results indicate that we all face the same primary threats such as phishing, ransomware and Trojan horses," says the report.

One interesting suggestion from the survey is that while threats and their discovery are similar across geographic regions, "the European respondents may be ahead of their U.S. counterparts in deploying automated monitoring and alerting solutions."

The most prevalent discovered threats are phishing (in 80% of organizations) followed by spear-phishing and whaling (58% of organizations). Third is the non-specific category of 'trojan' found by 53% of respondents; but fourth (49% of respondents) is ransomware. Ransomware is often delivered by phishing attacks. 

"As these phishing and ransomware trends intersect," writes SANS, "they create the perfect storm for legitimate user actions to result in significant, costly consequences to the organization, such as having to pay tens of thousands of dollars in ransom to retrieve critical access to maliciously encrypted data or to regain control of keys, or experiencing service denials that cause loss of business."

The four most reported methods of threat ingress are email attachment (75%), the browser via a link in email (45%), the browser via drive-by or download (40%), and application vulnerabilities (27%). SANS' takeaway from this is: "Users should only be able to reach vetted web services from the corporate network."

No threat detection tool is currently given total confidence. Eighty-three percent of respondents find endpoint scanning helpful, while 70% find IDS/IPS/unified threat management (UTM) systems useful. Only 47% cited behavior modeling/DLP; but this "is an area that Gartner predicts will grow as the use of analytics to detect threat increases." It will, however, need to be coupled with automated means to block what is detected, as "analysts don't have time to implement new controls manually before the threat manifests itself."

SANS notes that modern adaptive threats "don't have a ready supply of signatures to scan for." Its recommendation is to whitelist everything that is allowed to operate on an endpoint. "Another means is to install behavior-based detections, where threat detection tools flag and stop anomalous or nefarious actions." SANS' rather obvious takeaway here is that the problems "all stem from lack of the right skills with the right tools in place to target, defend and otherwise keep threats in check."

Given the proliferation of phishing and ransomware, SANS' final call to action is that "shoring up the end user/endpoint protections should be top priority for organizations that want to make the biggest impact on reducing their overall risk." More specifically, this should include next generation technologies that are not solely reliant on malware signatures.

Summary

While these two reports mirror each other in the description of the current threat landscape, they actually come to two different conclusions.

The Check Point 2016 Security Report says, "Benjamin Franklin's axiom that 'an ounce of prevention is worth a pound of cure' is especially apt in the era of unknown malware and zero-day vulnerabilities. Ideally, scarce IT resources are better invested in preventing threats than on chasing alerts and responding to security incidents." Behavioral analysis for threat detection is given scarce mention. 

The SANS report, however, recognizes that behavioral analysis is not yet common, but suggests that security needs to be enhanced by the ability "to detect malicious activity that may have started."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.