Escolar Documentos
Profissional Documentos
Cultura Documentos
Advanced Threats
Sponsored by NetWitness
Independently conducted by Ponemon Institute LLC
Publication Date: 30 June 2010
I. Executive Summary
Ponemon Institute and NetWitness are pleased to present the results of a comprehensive study on
advanced threats. While the definition of what constitutes an advanced threat still varies within the
industry, for purposes of this research we have defined an advanced threat as a methodology employed
to evade an organization’s present technical and process countermeasures which relies on a variety of
attack techniques as opposed to one specific type.
The predominant majority of these threats are represented by unknown, zero-day attacks, but there are
increasingly many instances where known attacks are being re-engineered and repackaged to extend
their usefulness. According to the IT and IT security practitioners in our study, the issue of advanced
threats is of growing concern – with 83 percent stating that they believe their organization has been the
target of such threats in the recent past.
According to our study, the top two problems organizations face in managing advanced threats are
insufficient intelligence and the proper security technologies. The majority of respondents also believe
that advanced exploits and malware have successfully evaded the anti-virus (AV) and intrusion detection
system (IDS) technologies they primarily rely upon to prevent attacks against their information systems. .
In addition to the difficulty in preventing advanced threats, the study reveals how slow organizations are
to detect them. It takes one month or longer before an advanced threat is detected, according to 46
percent of respondents which leaves a very large window of opportunity for any type of nefarious activity.
As documented in Ponemon Institute’s Cost of a Data Breach studies, the theft of sensitive and
confidential information about customers, employees and business partners can result in devastating
1
economic consequences.
We surveyed 591 IT and IT security practitioners (hereafter referred to as IT practitioners) located in the
United States. We queried these individuals about the following topics:
Following is a summary of the most salient findings from our study. We expand upon each one of these
findings in the following section of this paper.
Advanced threats seem to be pervasive and growing. 83 percent of respondents believe their
organization has been the target of an advanced threat. 71 percent believe they have seen an
increase in advanced threats over the past 12 months and 70 percent say that advanced threats
suggest a new, more dangerous threat landscape.
Uncertainty about the frequency of attacks indicates the difficulty in detecting them. 44 percent
of respondents believe they were frequent targets of such threats. However, 41 percent say they
were unable to determine how frequently they were targeted, indicating a lack of the proper
intelligence required to pinpoint these threats.
1
See the 2009 Cost of Data Breach: US Study, Ponemon Institute January 2010.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 1
Sensitive data is targeted. 50 percent believe the targets of advanced threat attacks were sensitive
proprietary data such as source code, non-financial business confidential information and financial
information. 48 percent believe the targets were PII including customer or consumer information and
employee records.
Policies and procedures exist but support from personnel and technology seems to be
inadequate to address the problem. More than half (58 percent) of respondents believe they have
the procedures and policies in place to defend against advanced threats. However, only about one-
third (32 percent) report that their security-enabling technologies are adequate and only 26 percent
report security personnel are adequate to deal with advanced threats.
Prevention and detection of advanced threats is difficult. Organizations risk a costly data breach
because detection of an advanced threat takes too long. 80 percent of respondents say it takes a day
or longer to detect an advanced threat and 46 percent say it takes 30 days or longer. This leaves a
huge window of opportunity to steal confidential or sensitive information. In addition, 79 percent
believe that advanced threats are very difficult to prevent, detect and resolve.
The most effective technologies have yet to be deployed. 92 percent of respondents believe
network and traffic intelligence solutions are essential, very important or important. Yet, only 8
percent say these technologies are their first choice to detect or prevent an advanced threat. 69
percent of respondents say that AV and 61 percent of respondents say that IDS are typically used to
detect or discover advanced threats. Yet, 90 percent report that exploits or malware have either
evaded their IDS systems or they are unsure. 91 percent say that exploits and malware have evaded
their AV systems or they are unsure. The same percentage (91 percent) believes exploits bypassing
their IDS and AV systems to be advanced threats.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 2
II. Key Findings
This section provides details about our most important findings. We organized the paper according to four
major themes that emerged from the findings. These are: attributions about advanced threats; why
organizations face a growing security problem; the lack of preparedness to deal with advanced threats;
and the difficulty in detecting advanced threats. Whenever feasible, we provide a simple graph to
illustrate the result. A tabular presentation may be provided as an alternative illustration when the result is
too complex to graph.
Table 1 reports IT practitioners’ agreement with six attributions about their organizations’ approach to
dealing with advanced threats. These findings indicate that respondents are aware of the risk of
advanced threats, but are not prepared to deal with them because of insufficient resources and
personnel.
As shown above, 48 percent strongly agree or agree that their organization is more likely than most other
organizations to be the target of advanced threats. However, less than one-third strongly agree or agree
that their organization has enabling security technologies that effectively prevent or quickly detect
advanced threats (32 percent) or resources to prevent or quickly detect advanced threats (35 percent).
As shown in Bar Chart 1, 19 percent of respondents say that absolutely their organization has been the
target of an advanced threat. Twenty-eight percent say it is very likely and 36 percent say it is likely. Only
12 percent say it is possible they had an attack and 5 percent say they never had an attack.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 3
Bar Chart 1: Likelihood the organization has been a target
Bar Chart 2 reports 44 percent of respondents believe their organization has been the target of an
advanced threat all the time (12 percent), most of the time (17 percent) or some of the time (15 percent).
However, almost the same percentage (41 percent) can’t determine if they have been the target.
The realization that this is a growing threat among IT practitioners is shown in Bar Chart 3, where the
majority of respondents believe attacks are rapidly increasing (35 percent) or increasing (36 percent).
As shown in Bar Chart 4, the primary consequences of an advanced threat are IT downtime (51 percent),
theft of intellectual property (45 percent) and theft of confidential or sensitive information (44 percent).
Thirty percent report that nothing happened.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 4
Bar Chart 4: What happened as a result of advanced threats
Bar Chart 5 reports the respondent’s views on the most frequent attack techniques that have been
employed against their organizations, which are viruses (91 percent), malware (80 percent) and worms
(67 percent). It is important to note that for the purposes of this research, we have defined an advanced
threat as a methodology employed to evade an organization’s present technical and process
countermeasures which relies on a variety of attack techniques as opposed to one specific type.
Bar Chart 6 shows 79 percent strongly agree or agree that advanced threats are very difficult to prevent,
detect and resolve. In addition, 70 percent believe advanced threats suggest a new, more dangerous
threat landscape.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 5
Bar Chart 6: Perceptions about advanced threats
There does not appear to be one consistent approach used by IT practitioners to prevent and detect
advanced threats. Specifically, respondents describe their approach for preventing and detecting
advanced threats in Bar Chart 7 as ad hoc (31 percent), a combination of manual procedures and
security technologies (27 percent), mostly a process that relies on perimeter controls such as IDS and AV
solutions (17 percent) and mostly a process that relies on manual controls such as log management
procedures. It is notable that only 8 percent select as their one best choice a process that relies on
network intelligence technologies when considering the findings detailed later in Bar Chart 9.
Policies and procedures exist but their implementation may be lagging. More than half (58 percent) state
they have the procedures and policies in place to defend against advanced threats (see Bar Chart 8).
However, 50 percent report that their security-enabling technologies are not adequate and 64 percent
report their security personnel are not adequate to deal with the threat.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 6
Bar Chart 8: Defensive capabilities against advance threats
As shown in Pie Chart 1 below, 51 percent have no dedicated staff to respond to advanced threats and
34 percent have less than two staff members. As revealed throughout these findings, the lack of
personnel who are knowledgeable about advanced threats is making it difficult for IT practitioners to
protect their information systems.
According to Table 2, the key problems organizations in our study face when managing advanced threats
are insufficient intelligence and insufficient technologies. Keeping pace with the rash of sophisticated
attacks is also of concern to more than a quarter of all respondents.
Pie Chart 1: Staff dedicated to advance threats Table 2: Problems managing advance threats
Bar Chart 9 shows 92 percent of respondents believe network or traffic intelligence technologies are
important (24 percent), very important (45 percent), or essential (23 percent) to discovering advanced
threats. Only 8 percent say this technology is not important.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 7
Bar Chart 9: Importance of network and traffic intelligence
As shown in Bar Chart 10, only 25 percent are very confident (8 percent) or confident (17 percent) that
their organizations have the ability to detect advanced threats, 37 percent are not confident and 7 percent
are unsure. This finding is consistent with the fact that only 8 percent of organizations in our study select
as their first choice a process that relies upon network intelligence technologies. However, 92 percent
believe those technologies to be important or essential in discovering advanced threats. The more
common approach is ad hoc and a combination of manual procedures and security technologies.
Bar Chart 11 shows different ways organizations detect advance threats. Anti-virus/anti-malware software
(69 percent) and IDS (61 percent) are the two technologies most frequently cited for preventing or
detecting advance threats. 2
2
Cross-tab analysis revealed that respondents who expressed a very confident or confident response in Bar Chart 10
were almost twice as likely to deploy event correlation management software (SIEM) or network intelligence tools
than respondents who are not confident.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 8
Bar Chart 11: How organizations detect advanced threats
`
Despite the importance of AV and IDS solutions, as noted in Bar Chart 12, more than 79 percent report
that they have experienced situations when exploits and malware have evaded AV solutions and 71
percent report that exploits and malware have evaded IDS solutions.
According to a recent white paper by NetWitness related to the discovery of a large ZeuS botnet labeled
“Kneber”, the botnet “had less than a 10 percent detection rate among all anti-virus products and the
botnet communication was not identified by existing intrusion systems. This compromise, the scope of
global penetration and the shear magnitude of the collected data illustrates the inadequacy of signature-
based network monitoring methods used by most commercial and public sector organizations today.” 3
As noted in Bar Chart 13, less than 9 percent of respondents say their organizations are able to detect
the attack immediately. About 26 percent are able to detect an attack within a few hours (11 percent) or
one day (15 percent). Thirty-nine percent report that it is within 30 days (23 percent) or 60 days (16
3
See: The “Kneber” Botnet: A ZeuS Discovery and Analysis White Paper, NetWitness 2010 p.2.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 9
percent). Only 7 percent of respondents say it takes longer than 60 days, on average, to detect an
advanced threat.
The inability of organizations to respond to advanced threats, such as zero days, can immediately result
in significant business impact, such as data loss, disruption of service and malicious attacks upon critical
infrastructure. The “typical” slower than necessary response is unlikely to change for many respondents
given that only 24 percent believe that prevention or quick detection of advanced threats is a top security
priority within their organizations today (see Table 1). As described above, respondents believe that
advanced threats put customer information at risk and this creates a perfect storm for a costly data
breach. 4
Bar Chart 13: Length of time before an advanced threat is detected
Bar Chart 14 reports the average rank for four threat areas, where four is the highest possible rank and
one is the lowest possible rank in terms of significance if detection does not occur. Clearly, the most
significant risk to organizations is the loss of confidential information followed by the theft of trade secrets.
Unfortunately, it is well known that criminals are profiting from the sale of these types of sensitive and
proprietary business information. The ultimate consequence of these data thefts can be devastating for
any organization.
Bar Chart 14: Risks of an undetected advance threat
Average rank from 4 = most significant to 1 = least significant risk
4
In a study conducted by Verizon Business RISK team, it was shown that data breaches still go undiscovered and
uncontained for weeks or months in 75 percent of the cases they examined. See 2009 Data Breach Investigations
Report, A Study Conducted by the Verizon Business RISK team.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page10
Bar Chart 15 shows the data most at risk are customer or consumer information or intellectual property
such as source code, followed by intellectual property such as source code. Employee records and
financial information appear to be at a lower risk level.
The findings of our research suggest a growing awareness among IT practitioners of the problem of
advanced threats. However, there appears to be a series of problems in confronting the issue:
• In the view of our respondents, senior management does not appear to understand the seriousness
of the threat nor do they appear to be making the issue a top priority.
• Those surveyed believed that they had the proper processes in place but lacked the appropriate
resources, skill sets and technologies needed to combat the problem.
• Detection is a major concern amongst IT practitioners. While most of those surveyed felt confident
that their organizations were the target of advanced threats, nearly half were unable to determine
accurately how frequently they were targeted.
• The two most heavily relied upon technologies for combating advanced threats are Anti-Virus and
IDS but the vast majority of respondents believe that these technologies are inadequate in detecting
these types of threats. Further, they say their A/V and IDS solutions are being bypassed.
• There is overwhelming majority consensus that network and traffic intelligence solutions are needed
to detect and combat advanced threats but only a very slim minority currently have these solutions in
place.
1. Senior management must be educated on the seriousness of the advanced threats issue in order to
garner support for the investments in people and technology required to combat the problem.
2. There is a need to train existing security teams and hire new team members in advanced threat
detection techniques.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page11
3. Over reliance on A/V and IDS solutions has weakened the collective security posture as these
solutions cannot stand up in the face of the advanced threats we now see.
4. New solutions focused on network and traffic intelligence are seen as the best way to combat
advanced threats and much broader adoption is required.
A sampling frame of nearly 12,000 adult-aged individuals who reside within the United States was used to
recruit and select participants to this survey. Our randomly selected sampling frame was built from
several proprietary lists of experienced IT and IT security practitioners. In total, 702 respondents
completed the survey. Of the returned instruments, 111 surveys failed reliability checks. A total of 591
surveys were used as our final sample, which represents a 5 percent response rate.
Pie Chart 3 reports the primary industry sector of respondents’ organizations. As shown, the largest
segments include financial services (19 percent), government (16 percent), and healthcare (11 percent).
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page12
Table 4 reports the respondent organization’s global headcount. As shown, a majority of respondents
work within companies with more than 1,000 employees. Over 51 percent of respondents are located in
larger-sized companies with more than 5,000 employees.
Table 5 reports the respondent’s primary reporting channel. As can be seen, 52 percent of respondents
are located in the organization’s IT department (led by the company’s CIO). Seventeen percent report to
the company’s security officer or CISO.
Table 6 reports the respondent organization’s global footprint. As can be seen, a large number of
participating organizations are multinational companies that operate outside the United States, Canada
and Europe.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page13
Table 7 reports the approximate position level or title of respondents. As shown, a majority of
respondents state they are at or above the supervisory level (56 percent). The mean experience of
respondents in this study is 11.12 years and the median is 10.5 years.
V. Caveats
There are inherent limitations to survey research that need to be carefully considered before drawing
inferences from findings. The following items are specific limitations that are germane to most Web-based
surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent surveys
to a representative sample of individuals, resulting in a large number of usable returned responses.
Despite non-response tests, it is always possible that individuals who did not participate are
substantially different in terms of underlying beliefs from those who completed the instrument.
Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is
representative of individuals who are IT or IT security practitioners. We also acknowledge that the
results may be biased by external events such as media coverage. We also acknowledge bias
caused by compensating subjects to complete this research within a holdout period. Finally, because
we used a Web-based collection method, it is possible that non-Web responses by mailed survey or
telephone call would result in a different pattern of findings.
Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from subjects. While certain checks and balances can be incorporated into the
survey process, there is always the possibility that a subject did not provide a truthful response.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page14
Appendix I: Survey Details
The survey was conducted in April and May 2010. Our sampling frame includes qualified IT and IT security
practitioners located in business and government organizations in the United States.
I. Background
Q1a. Have you experienced situations when exploits and malware
have evaded your IDS? Pct%
Yes 71%
No 10%
Unsure 19%
Total 100%
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page15
II. Attributions
Please rate your opinions for Q2a to Q2f using the scale provided
below each statement. Strongly agree Agree
Q2a. My organization has enabling security technologies that
effectively prevent or quickly detect advanced threats. 13% 19%
Q2b. My organization has sufficient resources to prevent or quickly
detect advanced threats. 15% 20%
Q2c. My organization has security personnel who are well trained
and able to identify and resolve advanced threats. 11% 16%
Q2d. In my organization, IT leaders are fully aware of advanced
threats and how they can negatively impact the enterprise. 8% 11%
Q2e. In my organization, the prevention or quick detection of
advanced threats is a top security priority. 10% 14%
Q2f. My organization is more likely than most other companies to be
the target of advanced threats. 24% 24%
Average 14% 17%
III. Experience
Q3a. Has your organization been the target of an advanced threat? Pct%
Absolutely 19%
Very likely 28%
Likely 36%
Possible [Go to 4a] 12%
Never [Go to 4a] 5%
Total 100%
Q3b. To the best of your knowledge, how often has your organization
been the target of an advanced threat over the past 12 months? Pct%
All the time 12%
Most of the time 17%
Some of the time 15%
Rarely 9%
Never 6%
Can’t determine 41%
Total 100%
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page16
Q3d. What happened to your organization as a result of an advanced
threat? Please select all that apply. Pct%
Nothing happened 30%
IT downtime 51%
Business interruption 26%
Theft of confidential or sensitive information 44%
Theft of intellectual property 45%
Damage to IT infrastructure 6%
Damage to software (source code) 7%
Destruction of information asset 2%
Other 0%
Total 211%
Q3g. Typically, how long does it take you and your organization to Extrapolated
detect an advanced threat? Pct% days
Immediately (zero days) 9% 0.00
Within a few hours 11% 0.02
Within one day 15% 0.15
Within one week 19% 1.33
Within 30 days 23% 6.90
Within 60 days 16% 9.60
More than 60 days 7% 5.04
Total 100% 23.04
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page17
Q4a. How familiar are you with ZeuS? Pct%
Very familiar 20%
Familiar 43%
Not familiar 29%
No knowledge 8%
Total 100%
Q7. Please rate the following statements using the scale provided
below. Strongly agree Agree
Q7a. Nation-state sponsored advanced threats occur frequently. 8% 13%
Q7b. Criminal group sponsored advanced threats occur frequently. 16% 28%
Q7c. Advanced threats suggest a new, more dangerous threat
landscape. 26% 44%
Q7d. Advanced threats are simply another form of computer crime
(i.e., nothing new). 18% 16%
Q7e. Advanced threats are very difficult to prevent, detect and
resolve. 29% 50%
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page18
Q8. In what countries do advanced threats come from? Please
select the top five countries from the following list. Pct%
China (PRC) 25%
Russian Federation 14%
Romania 10%
Brazil 9%
Czech Republic 6%
UAE (Dubai) 6%
All other countries 28%
Total 100%
Q10. Has your organization been the target of an advanced threat? Pct%
Absolutely 20%
Very likely 28%
Likely 35%
Possible 17%
Never 0%
Total 100%
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page19
Q13. What level of staffing do you have to respond to advanced Extrapolated
threats throughout the enterprise? Pct% dedicated staff
No dedicated staff 51% 0
Less than 2 34% 0.51
Between 2 and 5 9% 0.32
Between 6 and 10 6% 0.48
Between 11 and 15 0% 0
Greater than 15 0% 0
Total 100% 1.31
Q14. What best describes the process for preventing and detecting
advanced threats in your organization today? Please select one best
choice. Pct%
An “ad hoc” process 31%
Mostly a process that relies on manual controls such as log
management procedures 16%
Mostly a process that relies on perimeter controls such as IDS and
AV solutions 17%
Mostly a process that relies on network intelligence technologies 8%
A combination of manual procedures and security technologies 27%
None of the above. 0%
Total 100%
Q16. How confident are you that your organization has the ability to
detect to advanced threats that attack your organization? Pct%
Very confident 8%
Confident 17%
Somewhat confident 30%
Not confident 37%
Unsure 7%
Total 100%
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page20
Q17. In your opinion, what are the key problems you face in
managing advanced threats that target your organization? Please
select only your top two choices. Pct%
Insufficient intelligence about threats 45%
Insufficient security technologies 39%
Keeping pace with the rash of sophisticated attacks 27%
Lack of consistently applied control procedures 12%
Insufficient resources 37%
Lack of well trained or experienced personnel 36%
Other (please specify) 2%
Total 199%
Q19. In your opinion (best guess), what dollar range best describes Extrapolated
the total cost incurred by your organization in the past 12 months to value in
defend it against advanced threats? Pct% $millions
Less than $1 million 7% 0.05
Between $1 to 5 million 9% 0.26
Between $6 to $10 million 15% 1.20
Between $11 to $15 million 23% 3.00
Between $16 to $20 million 20% 3.56
Between $21 to $30 million 15% 3.85
Between $31 to $40 million 5% 1.92
Between $41 to $50 million 2% 0.90
Between $51 to $60 million 0% 0.00
Between $61 to $70 million 1% 0.65
Between $71 to $80 million 0% 0.00
Between $81 to $90 million 1% 0.93
Between $91 to $100 million 0% 0.00
Over $100 million 2% 2.64
Total 100% 18.97
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page21
IV. Your role
D1. What organizational level best describes your current position? Pct%
Senior Executive 1%
Vice President 2%
Director 17%
Manager 21%
Supervisor 15%
Technician 32%
Staff 5%
Contractor 5%
Other 3%
Total 100%
D2. Check the Primary Person you or your IT security leader reports
to within the organization. Pct%
CEO/Executive Committee 0%
Chief Financial Officer (CFO) 3%
Chief Technology Officer (CTO) 7%
Chief Information Officer (CIO) 52%
Chief Information Security Officer (CISO) 17%
Compliance Officer 7%
Human Resources VP 0%
Chief Security Officer (CSO) 4%
Chief Risk Officer 7%
Other 2%
Total 100%
Mean Median
D3. Total years of relevant work experience 11.12 10.5
D4. What industry best describes your organization’s industry focus? Pct%
Communications 7%
Consumer products 6%
Defense 3%
Education 3%
Energy 2%
Financial services 19%
Government 16%
Health & pharma 11%
Hospitality 3%
Industrial 4%
Media 2%
Retail 6%
Services 4%
Technology 5%
Transportation 4%
Other 3%
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page22
D5. Where are your employees located? (check all that apply): Pct%
United States 100%
Canada 63%
Europe 65%
Middle east 16%
Asia-Pacific 29%
Latin America (including Mexico) 31%
Total 304%
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible information and
privacy management practices within business and government. Our mission is to conduct high quality, empirical
studies on critical issues affecting the management and security of sensitive information about people and
organizations.
As a member of the Council of American Survey Research Organizations (CASRO),we uphold strict data
confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from
individuals (or company identifiable information in our business research). Furthermore, we have strict quality
standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.
Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page23