
Enterprise IT Talks Proactive Security, But Stays on Defense, Survey Finds

Many large organizations are not confident in their ability to fight off the latest salvos of advanced persistent threats, and are relying on reactive approaches even as they talk about being more proactive, a new survey has found.


The survey, which was conducted in June on behalf of security vendor CounterTack, fielded responses from 100 executives responsible for IT security at companies with more than $100 million in annual revenue. The survey found that 84 percent believe their organizations are vulnerable to advanced persistent threats (APTs) targeting critical assets. What’s more, almost half (49 percent) of everyone surveyed said their organization had been attacked within the last 12 months.

“This survey corroborates the anecdotal evidence many of us in the industry are exposed to, which paints a chillingly accurate picture of a growing chasm between executive awareness about the nature of rapidly evolving threats and the available resources to address them,” said Richard Stiennon, chief research analyst, IT-Harvest, in a statement. “While the willingness of information security executives to explore new ways of dealing with targeted advanced threats in the coming months is an encouraging finding, it’s also evident that economic constraints and outmoded thinking will remain stumbling blocks.”

According to the survey, static, perimeter defensive tools such as firewalls are on the frontlines of the fight against APTs – something that, along with the fact that 36 percent said they would be unable to see or stop an attacker that gets onto their network, underscores the need for a new approach, argued John Worrall, executive vice president of product management at CounterTack.

“My conversations with security officers and practitioners in companies of all sizes indicate that the vast majority of organizations lack visibility,” he told SecurityWeek. “Logging systems can be a very effective tool for compliance reporting, but they have fundamental shortfalls when it comes to event correlation. First of all, there is just so much data from so many different sources. That makes it very difficult to know what to look for. Second, correlation rules can be very complex. If they aren’t well constructed, the critical data will be missed.”

Eighty percent of respondents believe enterprises should adopt “a military-style approach to security learned from physical battlefields” based on intelligence gathering and situational awareness. Just 21 percent said they are currently taking a proactive, “warrior” approach to security that focuses on finding threats on the network and fighting back. Meanwhile, 58 percent described their strategy as “protector” – meaning they focus on keeping intruders out via layered security.

Ninety-two percent of respondents agreed that fighting back to interrupt an in-progress cyber-attack is necessary. This concept of a more proactive approach to security has given rise to a number of companies focused on helping enterprises build intelligence on the attackers targeting them so they can improve their defenses by infusing a deeper understanding of risk into their security strategy. Still others advocate retaliatory hacking – a more aggressive approach that, as U.S. Cyber Command attorney Robert Clark argued at the Black Hat conference in July, can sometimes cross into murky legal territory.

“Organizations are just beginning to adopt the warrior approach for a number of reasons,” said Worrall. “First, advanced targeted attacks are still not well understood by the majority of organizations, or security teams don’t receive the executive support needed to combat them…[The] survey told us that almost half of respondents were confident that they have not fallen victim to an APT attack. Yet that flies in the face of just about every other data point we’ve seen. Organizations either have been the victim of an APT and know it, or they’ve been a victim and they don’t know it. Given the nature of the attacks, it’s impossible to firmly state that you haven’t been a victim.”

“Second, combating APTs requires a whole new approach to information security,” he added. “The cyber battlefield has moved inside the organization, and a new mind, skill and tool set is required to adjust the battle plan. For example, over 60 percent of the CounterTack survey respondents stated that the lack of intelligence and situational awareness of activities inside their network – [that] is a major obstacle in their efforts to combat APTs.”
