In January 2003 Open launched the industry's first security event management survey, delivered interactively via the Web. The survey sought to explore the threats and issues IT security managers expect to be facing in the coming year, and how their needs are evolving as the threat profile and the workload they face on a daily basis changes.

Key Findings

The survey elicited some interesting data points, which are discussed in more detail in the body of this analysis. Key findings included:

  • 89% of respondents want real-time threat analysis, but only 5% could get it
  • 60% of users have no way of detecting blended, multi-point attacks
  • Not one CIO, CSO, or CISO rated cyberwarfare or terrorism as one of the year's top threats
  • Physical security and social engineering were low priority, despite the fact that these represent the easiest ways of overcoming technology-based security approaches
  • Budget issues were the largest issue security practitioners faced entering the year, ahead of more traditional security items such as threat risk assessment and managing false positives.
Strong Demand for Real-Time Security Event Management

Eighty-nine percent of respondents declared that real-time analysis of security threat data was very or somewhat important, outnumbering 75 to 1 those few who thought that real-time responses were very unimportant.

This was one of the most important findings of the survey: SOCs must find a way to deliver real-time threat analysis. For large organizations with 5,000 or more employees, only 3 out of 45 did not consider real-time analysis important, showing that larger enterprises were even more interested in real-time performance, on average, than were smaller (and more numerous) firms.

This makes sense when one considers that real-time threat detection enables users to prevent compromises earlier in the attack cycle, which in turn reduces the number of successful attacks and decreases the need to perform extensive post-compromise forensic analyses.

Despite the overwhelming desire expressed in the survey for real-time data analysis, actual practice in the field fell far short of it. In fact, nearly a third of respondents (26%) examined sensor data never, rarely, or only after a compromise, while only 17% were looking at sensor data with less than a day's delay. Only 5% of respondents claimed to be delivering real-time threat analysis.

Most Enterprises are Vulnerable to Multi-Point Attacks

Despite the lack of close to real-time threat analysis, nearly a third of respondents indicated that they were linking data from multiple sensors as part of their analysis activity.

A significant minority of security professionals is therefore looking for the high-risk, subtle, multi-point blended attacks, showing a growing sophistication in some quarters. However, with 60% of users reporting that they did not correlate data across multiple devices, corporate America is still very much at risk from sophisticated and determined attackers, whether motivated by criminal intent, industrial espionage, or international politics. These metrics indicate that a significant number of security organizations are completely missing these attacks, yielding higher compromise rates and large numbers of false negatives.

Budget Issues Threaten Corporate IT Security

When asked what their top issues were, the most common response by far was shrinking IT budgets. Respondents clearly felt that the greatest threat to their being successful was lack of appropriate IT funding.

Alongside funding issues, 89% of respondents felt that their workloads had increased, while 36% felt that their security operations were only adequate or worse.

Taken together, these indicators may be warning of trouble ahead for large enterprises, as security staff become less effective while they struggle to keep up with increasing incident volumes on (what are felt to be) shrinking budgets.

Perversely, 72% felt that IT security was getting more attention, despite the general perception that funding and/or staffing was being reduced. Clearly there are significant opportunities in this space for vendors like Open whose technologies can automate many security operations tasks, freeing staff to be both more effective and more efficient despite increased threat volumes.

Are InfoSec Professionals Over-Confident?

The survey showed that physical security (1%) and social engineering (2%) -- the two core ways of overcoming security technologies -- were the lowest-ranked threats after Web site defacement. Security professionals appear to be either naive or over-confident in the technology (potentially an occupational hazard), and are at risk of neglecting the relatively simple ways by which a sophisticated attacker can subvert or overcome technology.

It is worth remembering that the world's most famous hacker, the recently released Kevin Mitnick, achieved his goals by persuading help desks to change system root passwords (social engineering) and by dumpster diving for sensitive materials (physical security).

Conclusions

The combination of budget woes, neglect of non-technical security practices, and a general inability to manage threats in real time or multi-point attacks at all, shows that, despite all the security technology, awareness and debate, very large unmanaged operational risks still exist in the world's most sophisticated IT economy.

Phil Hollows is vice president of product marketing for OpenService, Inc., based in Westborough, Mass.