
Source: go.cyphort.com/rs/181-NTN-682/images/Cyphort-Ponemon...

The State of Malware Detection & Prevention

Ponemon Institute© Research Report

Sponsored by Cyphort Independently conducted by Ponemon Institute LLC Publication Date: March 2016


Ponemon Institute© Research Report Page 1

The State of Malware Detection & Prevention Ponemon Institute, February 2016

Part 1. Introduction

We are pleased to present the findings of The State of Malware Detection & Prevention, sponsored by Cyphort. The study reveals the difficulty in preventing and detecting malware and advanced threats. The IT function also seems to lack the information and intelligence necessary to update senior executives on cybersecurity risks.

We surveyed 597 IT and IT security practitioners in the U.S. who have responsibility for directing cybersecurity activities and/or investments within their organization. All respondents have a network-based malware detection tool or are familiar with this type of tool.

Getting malware attacks under control continues to be a challenge for companies. As shown in Figure 1, 68 percent of respondents say their security operations team spends a significant amount of time chasing false positives. However, only 32 percent of respondents say their teams spend a significant amount of time prioritizing alerts that need to be investigated.

Despite such catastrophic data breaches as Target, cyber threats are not getting the attention from senior leadership that they deserve. As shown in the findings of this research, respondents say they do not have the necessary intelligence to make a convincing case to the C-suite about the threats facing their company.

The following findings further reveal the problems IT security faces in safeguarding their companies' high-value and sensitive information.

Companies are ineffective in dealing with malware and advanced threats. Only 39 percent of respondents rate their ability to detect a cyber attack as highly effective, and similarly only 30 percent rate their ability to prevent cyber attacks as highly effective. Respondents also say their organizations are doing poorly in prioritizing alerts and minimizing false positives. As mentioned above, a significant amount of time is spent chasing false positives but not prioritizing alerts.

Most respondents say C-level executives aren't concerned about cyber threats. Respondents admit they do not have the intelligence and information to effectively update senior executives on cyber threats. If they do meet with senior executives, 70 percent of respondents say they report on these risks to C-level executives only on a need-to-know basis (36 percent of respondents) or never (34 percent of respondents).

Sixty-three percent of respondents say their companies had one or more advanced attacks during the past 12 months. On average, it took 170 days to detect an advanced attack, 39 days to contain it and 43 days to remediate it.

Only a minority of malware alerts are investigated, and many of those are determined to be false positives. On average, 29 percent of all malware alerts received by the security operations team are investigated, and an average of 40 percent of those are considered to be false positives. Only 18 percent of respondents say their malware detection tool provides a level of risk for each incident.

Figure 1. How security operations teams spend a significant amount of time (strongly agree and agree responses combined)
Chasing false positives: 68%
Prioritizing alerts that need to be investigated: 32%


Do organizations reimage endpoints based on malware detected in the network? More than half (51 percent) of respondents say their organization reimages endpoints based on malware detected in the network. An average of 33 percent of endpoint re-images or remediations are performed without knowing whether it was truly infected. The most effective solutions for remediation of advanced attacks are network-based sandboxing and network behavior anomaly analysis.


Part 2. Key findings

In this section, we discuss the key findings from this research, which focus on why companies struggle to have an effective strategy to prevent and detect malware and advanced threats. The complete audited findings are presented in the appendix of this report.

Companies are ineffective in dealing with malware and advanced threats. According to Figure 2, most respondents do not rate their ability to detect or prevent cyber attacks as highly effective. Thirty-nine percent of respondents rate their ability to detect a cyber attack as highly effective and 30 percent rate their ability to prevent cyber attacks as highly effective. As described above, a significant amount of time is spent chasing false positives and little time prioritizing alerts that need to be investigated. Only 17 percent of respondents rate their effectiveness in prioritizing alerts as highly effective and only 13 percent of respondents rate their effectiveness in minimizing false positives as highly effective.

Figure 2. How effective is your organization in detecting and preventing cyber attacks, prioritizing alerts and minimizing false positives? On a scale of 1 = not effective to 10 = highly effective, 7+ responses reported
Detecting cyber attacks: 39%
Preventing cyber attacks: 30%
Prioritizing alerts: 17%
Minimizing false positives: 13%


Keeping the C-suite informed about cyber threats rarely happens. Seventy percent of respondents say C-level executives are updated on security incidents never (34 percent of respondents) or on a need-to-know basis (36 percent of respondents), as shown in Figure 3.

Figure 3. How often are C-Level executives updated on security incidents?
Weekly: 4%
Monthly: 3%
Annually: 23%
On a need to know basis: 36%
Never: 34%

However, as shown in Figure 4, only 36 percent of respondents say IT security and others who are responsible for security have the necessary information to make the C-suite aware of the potential risk posed by advanced threats and whether or not the organization has a strong cybersecurity posture. Because senior executives are not informed, it is understandable that less than half of respondents (47 percent) say these executives are concerned about cyber attacks against their companies.

Figure 4. Why C-Level executives are not concerned (strongly agree and agree responses combined)
C-Level executives are concerned about cyber attacks: 47%
The IT security function has information to effectively update the C-Level on cyber threats: 36%


Companies use vendor-supplied information most often. According to Figure 5, the main intelligence sources about malware are vendor-supplied information and peer-to-peer communications (68 percent of respondents and 52 percent of respondents, respectively). This is followed by intelligence shared within industry groups (37 percent of respondents).

Figure 5. What are the main intelligence sources about malware used by their organization? (more than one response permitted)
Vendor-supplied information: 68%
Peer-to-peer communications: 52%
Intelligence sharing within industry group: 37%
Information received from government: 15%
Information received from law enforcement: 10%
Other: 3%

Consumer information is the most important data to protect. As shown in Figure 6, 64 percent of respondents say it is most critical to protect consumer information and 42 percent say the focus should be on intellectual property. Because of the need to avoid data breaches involving consumer information, respondents consider the Target and Sony breaches to have had the most damaging consequences for the breached organization.

Figure 6. Which types of confidential and sensitive information are most at risk to hackers? (more than one response permitted)
Customer information: 64%
Intellectual property, including source code and patents: 42%
Confidential business information: 39%
HR/Employee information, including Social Security numbers: 32%
Accounting & financial information: 16%
R&D: 3%
Other: 4%


Cybersecurity budgets are expected to increase or stay the same. The average 2016 cybersecurity budget is approximately $16 million, and 34 percent of it will be allocated to incident response efforts. According to Figure 7, 37 percent of respondents say this is an increase over the 2015 budget and 50 percent of respondents say the budget has not changed from last year.

Figure 7. How will the 2016 cybersecurity budget differ from the 2015 cybersecurity budget?
The budget will increase: 37%
The budget will stay the same: 50%
The budget will decrease: 13%

Most companies had one or more advanced attacks during the past 12 months. Sixty-three percent of respondents say their organization had one or more advanced attacks during the past year. As shown in Figure 8, it took an average of 170 days to detect an attack. It took an average of almost 40 days to contain after detection and an average of 43 days to remediate after containment.

Figure 8. How long did it take to detect, contain and remediate an advanced attack? (extrapolated value in days)
Detect: 170
Contain: 39
Remediate: 43


Companies lack visibility of threat activity across the enterprise. According to Figure 9, the most common barrier to remediation is a lack of visibility of threat activity across the enterprise (76 percent of respondents). Consistent with other findings, 63 percent of respondents cite the inability to prioritize threats as a barrier. The majority (55 percent) of respondents say a lack of in-house expertise is a barrier.

Figure 9. What are the barriers to remediation of advanced threat attacks? (more than one response permitted)
Lack of visibility of threat activity across the enterprise: 76%
Inability to prioritize threats: 63%
Lack of in-house expertise: 55%
Other: 3%

Investigations of malware alerts often turn up false positives. As presented in Figure 10, on average 29 percent of all malware alerts received by the security operations team are investigated, and an average of 40 percent of those are considered to be false positives. Only 18 percent of respondents say their malware detection tool provides a level of risk for each incident.

Figure 10. What percentage of malware alerts are investigated and determined to be false positives? (extrapolated value)
Investigated malware alerts: 29%
False positive malware alerts: 40%


Do organizations reimage endpoints based on malware detected in the network? More than half (51 percent) of respondents say their organization reimages endpoints based on malware detected in the network. An average of 33 percent of endpoint re-images or remediations are performed without knowing whether the endpoint was truly infected, as shown in Figure 11.

Figure 11. What percent of endpoint re-images/remediations are performed without knowing whether it was truly infected? (extrapolated average = 33 percent)
< 1%: 4%
1% to 10%: 8%
11% to 20%: 7%
21% to 30%: 17%
31% to 40%: 29%
41% to 50%: 24%
> 50%: 11%

According to Figure 12, the most effective solutions for remediation of advanced attacks are network-based sandboxing and network behavior anomaly analysis.

Figure 12. The most effective solutions for detection and remediation of advanced attacks (average rank, 1 = most important to 4 = least important)
Network-based sandboxing: 1.23
Network behavior anomaly analysis: 2.45
Cloud-based sandboxing: 2.88
Endpoint detection and remediation: 3.42


Part 3. Methods

A sampling frame of 15,774 experienced IT and IT security practitioners located in the United States was selected as participants in this survey. To ensure knowledgeable responses, all participants in this research are responsible for directing cybersecurity activities and/or investments within their organization. Table 1 shows 648 total returns. Screening and reliability checks required the removal of 51 surveys. Our final sample consisted of 597 surveys (3.8 percent response rate).

Table 1. Sample response
Total sampling frame: 15,774 (100%)
Total returns: 648 (4.1%)
Rejected or screened surveys: 51 (0.3%)
Final sample: 597 (3.8%)

Pie Chart 1 reports the respondents' organizational level within participating organizations. By design, more than half of respondents (59 percent) are at or above the supervisory level.

Pie Chart 1. Current position within the organization
Executive/VP: 3%
Director: 18%
Manager: 21%
Supervisor: 17%
Staff/technician: 34%
Contractor: 5%
Other: 2%

As shown in Pie Chart 2, more than half of the respondents (55 percent) report to the CIO or head of corporate IT, and 19 percent report to the CISO/CSO or head of IT security.

Pie Chart 2. Direct reporting channel
CIO or head of corporate IT: 55%
CISO/CSO or head of IT security: 19%
Business unit leader or general manager: 18%
Head of compliance or internal audit: 4%
Other: 4%


As shown in Pie Chart 3, 41 percent of respondents described their job or role within the organization as having a global footprint, 40 percent said their geographic footprint is local and 19 percent described their geographic footprint as regional.

Pie Chart 3. Geographic footprint
Global: 41%
Local: 40%
Regional: 19%

Fifty percent of respondents indicated the scope of their job or role within the organization is at the corporate level, as shown in Pie Chart 4. Another 30 percent responded that their scope or role is in support or the service center and 18 percent responded line of business.

Pie Chart 4. Scope of respondents' job or role within the organization
Corporate: 50%
Support/service center: 30%
Line of business: 18%
Other: 2%


As shown in Pie Chart 5, 70 percent of respondents are from organizations with a global headcount of more than 5,000 employees.

Pie Chart 5. Full-time headcount of the respondents' global organization
Less than 1,000: 9%
1,000 to 5,000: 21%
5,001 to 10,000: 26%
10,001 to 25,000: 24%
25,001 to 75,000: 12%
More than 75,000: 8%

Pie Chart 6 reports the industry segments of respondents' organizations. This chart identifies financial services (17 percent) as the largest segment, followed by health & pharmaceutical (11 percent) and public sector (10 percent).

Pie Chart 6. Industry classification of respondents' organizations
Financial services: 17%
Health & pharmaceutical: 11%
Public sector: 10%
Industrial: 9%
Services: 9%
Technology & software: 9%
Retail: 8%
Energy & utilities: 6%
Consumer products: 5%
Transportation: 4%
Hospitality: 3%
Communications: 2%
Education & research: 2%
Entertainment & media: 2%
Other: 3%


Part 4. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are IT or IT security practitioners. We also acknowledge that the results may be biased by external events such as media coverage. We also acknowledge bias caused by compensating subjects to complete this research within a holdout period.

Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.


Appendix: Detailed Survey Results

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured from December 22, 2015 through January 4, 2016.

Survey response (Freq)
Total sampling frame: 15,774
Total returns: 648
Rejected or screened surveys: 51
Final sample: 597
Response rate: 3.8%

Screening questions

S1. How familiar are you with your organization's approach to cyber attacks? (Pct%)
Very familiar: 33%
Familiar: 47%
Somewhat familiar: 20%
No knowledge (Stop): 0%
Total: 100%

S2. Do you have any responsibility for directing cybersecurity activities and/or investments within your organization? (Pct%)
Yes, full responsibility: 29%
Yes, some responsibility: 60%
Yes, minimum responsibility: 11%
No responsibility (Stop): 0%
Total: 100%

S3. Does your organization have a network-based malware detection tool or are you familiar with this type of tool? (Pct%)
Yes: 100%
No (Stop): 0%
Total: 100%

Part 1. Background

Q1. Using the following 10-point scale, please rate how effective your organization is in detecting cyber attacks. 1 = not effective to 10 = highly effective. (Pct%)
1 or 2: 17%
3 or 4: 21%
5 or 6: 23%
7 or 8: 22%
9 or 10: 17%
Total: 100%
Extrapolated value: 5.52

Q2. Using the following 10-point scale, please rate how effective your organization is in preventing cyber attacks. 1 = not effective to 10 = highly effective. (Pct%)
1 or 2: 21%
3 or 4: 25%
5 or 6: 24%
7 or 8: 18%
9 or 10: 12%
Total: 100%
Extrapolated value: 5.00


Q3. Using the following 10-point scale, please rate your organization's effectiveness in prioritizing alerts that pose the greatest risk. 1 = low to 10 = high. (Pct%)
1 or 2: 25%
3 or 4: 35%
5 or 6: 23%
7 or 8: 12%
9 or 10: 5%
Total: 100%
Extrapolated value: 4.24

Q4. Using the following 10-point scale, please rate your organization's effectiveness in minimizing false positives in the detection of malware infections. 1 = low to 10 = high. (Pct%)
1 or 2: 30%
3 or 4: 36%
5 or 6: 21%
7 or 8: 10%
9 or 10: 3%
Total: 100%
Extrapolated value: 3.90

Part 2. Attributions: Please rate the following statements using the five-point scale provided below each item. Strongly agree and Agree responses combined. (Pct%)
Q5a. Our security operations team spends a significant amount of time prioritizing alerts that need to be investigated: 32%
Q5b. Our security operations team spends a significant amount of time chasing false positives: 68%
Q5c. C-Level executives are concerned about cyber attacks against our company: 47%
Q5d. Our IT security function and others who are responsible for security have the appropriate information to make the C-Suite aware of the potential risk posed by advanced threats and whether or not we are prepared to protect the organization: 36%

Part 3. General Questions

Q6. What percent of all malware alerts received by your security operations team are investigated? (Pct%)
Less than 1%: 6%
1% to 10%: 18%
11% to 25%: 35%
26% to 50%: 20%
51% to 75%: 16%
76% to 100%: 5%
Total: 100%
Extrapolated value: 29%

Q7. What percentage of all identified malware alerts are determined to be false positives? (Pct%)
None: 0%
< 2%: 4%
2% to 5%: 6%
6% to 10%: 9%
11% to 20%: 8%
21% to 30%: 10%
31% to 50%: 28%
51% to 75%: 27%
76% to 100%: 8%
Total: 100%
Extrapolated value: 40%


Q8. Does your malware detection tool provide a level of risk for each incident? (Pct%)
Yes: 18%
No: 82%
Total: 100%

Q9a. Does your organization reimage endpoints based on malware detected in the network? (Pct%)
Yes: 51%
No: 49%
Total: 100%

Q9b. If yes, what percent of endpoint re-images/remediations are performed without knowing whether it was truly infected? (Pct%)
Less than 1%: 4%
1% to 10%: 8%
11% to 20%: 7%
21% to 30%: 17%
31% to 40%: 29%
41% to 50%: 24%
Greater than 50%: 11%
Total: 100%
Extrapolated value: 33%

Q10. What are the main intelligence sources about malware used by your organization? (Pct%)
Vendor-supplied information: 68%
Peer-to-peer communications: 52%
Intelligence sharing within industry group: 37%
Information received from government: 15%
Information received from law enforcement: 10%
Other (please specify): 3%
Total: 185%

Q11. How often are C-Level executives updated on security incidents? (Pct%)
Weekly: 4%
Monthly: 3%
Annually: 23%
On a need to know basis: 36%
Never: 34%
Total: 100%

Q12. Which types of confidential and sensitive information in your organization are most at risk to hackers? Please select 2 top choices. (Pct%)
Customer information: 64%
HR/Employee information, including Social Security numbers: 32%
Intellectual property, including source code and patents: 42%
R&D: 3%
Confidential business information: 39%
Accounting & financial information: 16%
Other (please specify): 4%
Total: 200%


Q13. Which publicized cyber attack do you think resulted in the most damaging consequences to the breached organization? Please select only one. (Pct%)
Target: 28%
Sony: 22%
Home Depot: 2%
Ashley Madison: 10%
JP Morgan Chase: 8%
Anthem Health: 11%
OPM: 19%
Total: 100%

Q14. Approximately, what is the dollar range that best describes your organization's cybersecurity budget for 2016? (Pct%)
< $1 million: 2%
$1 to $5 million: 12%
$6 to $10 million: 12%
$11 to $15 million: 31%
$16 to $20 million: 24%
$21 to $25 million: 11%
$26 to $50 million: 6%
$50 to $100 million: 2%
> $100 million: 0%
Total: 100%
Extrapolated value (millions): $15.97

Q15. Approximately, what percentage of the 2016 cybersecurity budget will be designated for incident response efforts? (Pct%)
< 2%: 0%
2% to 5%: 9%
6% to 10%: 8%
11% to 20%: 11%
21% to 30%: 27%
31% to 50%: 23%
51% to 75%: 16%
76% to 100%: 6%
Total: 100%
Extrapolated value: 34%

Q16. How will the 2016 cybersecurity budget differ from the 2015 cybersecurity budget? (Pct%)
The budget will increase: 37%
The budget will stay the same: 50%
The budget will decrease: 13%
Total: 100%

Part 4. Targeted malware

Q17a. Did your organization experience one or more advanced attacks during the past 12 months? (Pct%)
Yes: 63%
No: 37%
Total: 100%


Q17b. If yes, on average how long did it take to detect? (Pct%)
Less than 1 hour: 4%
1 to 4 hours: 10%
5 to 8 hours: 15%
1 to 2 days: 6%
3 to 7 days: 12%
1 to 4 weeks: 8%
1 to 3 months: 3%
4 to 6 months: 9%
6 to 12 months: 11%
1 to 2 years: 13%
More than 2 years: 9%
Total: 100%
Extrapolated value (days): 169.86

Q17c. If yes, on average how long did it take to contain after detection? (Pct%)
Less than 1 hour: 7%
1 to 4 hours: 8%
5 to 8 hours: 13%
1 to 2 days: 12%
3 to 7 days: 14%
1 to 4 weeks: 16%
1 to 3 months: 14%
4 to 6 months: 13%
6 to 12 months: 2%
1 to 2 years: 1%
More than 2 years: 0%
Total: 100%
Extrapolated value (days): 39.28

Q17d. If yes, on average how long did it take to remediate after containment? (Pct%)
Less than 1 hour: 3%
1 to 4 hours: 8%
5 to 8 hours: 7%
1 to 2 days: 12%
3 to 7 days: 12%
1 to 4 weeks: 25%
1 to 3 months: 19%
4 to 6 months: 9%
6 to 12 months: 4%
1 to 2 years: 1%
More than 2 years: 0%
Total: 100%
Extrapolated value (days): 42.67

Q17e. What are the barriers to remediation of advanced threat attacks? Select all that apply. (Pct%)
Lack of visibility of threat activity across the enterprise: 76%
Inability to prioritize threats: 63%
Lack of in-house expertise: 55%
Other (please specify): 3%
Total: 197%


Q18. Please rank the following solutions for effective detection and remediation of advanced attacks from 1 = most important to 4 = least important. (Average rank)
Network-based sandboxing: 1.23
Cloud-based sandboxing: 2.88
Endpoint detection and remediation: 3.42
Network behavior anomaly analysis: 2.45
Average: 2.50

Part 5. Sample Characteristics

D1. What best describes your position level within the organization? (Pct%)
Executive/VP: 3%
Director: 18%
Manager: 21%
Supervisor: 17%
Staff/technician: 34%
Contractor: 5%
Other (please specify): 2%
Total: 100%

D2. What best describes your direct reporting channel? (Pct%)
CEO/executive committee: 1%
COO or head of operations: 1%
CFO, controller or head of finance: 0%
CIO or head of corporate IT: 55%
Business unit leader or general manager: 18%
Head of compliance or internal audit: 4%
CISO/CSO or head of IT security: 19%
CPO or head of corporate privacy: 0%
Other (please specify): 2%
Total: 100%

D3. What best describes the geographic footprint of your job or role? (Pct%)
Global: 41%
Regional: 19%
Local: 40%
Total: 100%

D4. What best describes the scope of your job or role? (Pct%)
Corporate: 50%
Line of business: 18%
Support/service center: 30%
Other (please specify): 2%
Total: 100%

D5. What range best describes the full-time headcount of your global organization? (Pct%)
Less than 1,000: 9%
1,000 to 5,000: 21%
5,001 to 10,000: 26%
10,001 to 25,000: 24%
25,001 to 75,000: 12%
More than 75,000: 8%
Total: 100%


D6. What best describes your organization's primary industry classification? (Pct%)
Agriculture & food services: 1%
Communications: 2%
Consumer products: 5%
Defense & aerospace: 1%
Education & research: 2%
Energy & utilities: 6%
Entertainment & media: 2%
Financial services: 17%
Health & pharmaceutical: 11%
Hospitality: 3%
Industrial: 9%
Public sector: 10%
Retail: 8%
Services: 9%
Technology & software: 9%
Transportation: 4%
Other (please specify): 1%
Total: 100%

Please contact [email protected] or call us at 800.877.3118 if you have any questions.

Ponemon Institute

Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.