2015: Time to Rethink Enterprise IT Security

blackhat.com July 2015
2015 Black Hat Attendee Survey

In first-ever survey, sophisticated security professionals say enterprise security priorities don’t address the most serious threats

SYNOPSIS

Survey Name: The 2015 Black Hat Attendee Survey
Survey Date: July 2015
Region: North America
Number of Respondents: 460
Purpose: To gauge the attitudes and plans of one of the IT security industry’s most experienced and highly-trained audiences: attendees of the Black Hat conference.
Methodology: In June 2015 Dark Reading and Black Hat conducted a survey of the Black Hat USA conference attendees. The online survey yielded data from 460 management and staff security professionals, predominantly at large companies, with 64% working at companies with 1,000 or more employees.

The greatest possible margin of error for the total respondent base (N=460) is +/- 4.5 percentage points. UBM Tech was responsible for all programming and data analysis. These procedures were carried out in strict accordance with standard market research practices.

ABOUT US
For more than 17 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. More information is available at: http://www.blackhat.com.

Executive Summary

In 2015, enterprises will spend more than $71.1 billion on information security – more than they have ever spent before, according to Gartner Group figures. Yet, the incidence of major data breaches – as evidenced by compromises at corporations such as Anthem, Sony, and many others – shows no signs of abating. As enterprises continue to struggle with online attacks and data leaks, many are asking one common question: What are we doing wrong?

This year, we decided to put this question – and many more – to one of the most security-savvy audiences in the industry: those who have attended the annual Black Hat USA conference. Black Hat, a forum that features some of the most advanced security research in the world, is a destination for discussion among top security minds, including leading ethical hackers, IT security management, and technology developers.

The 2015 Black Hat Attendee Survey includes responses from 460 top-level security experts, including some of the most IT security-savvy professionals in the industry. More than 61 percent of the respondents carry a full-time “security” job title, and 25 percent are managers of the security effort in their organization. Nearly two-thirds of the respondents have received credentials as Certified Information Systems Security Professionals (CISSP), and many also hold other advanced credentials. Nearly half (47 percent) of the respondents work in organizations that have 5,000 employees or more.

Clearly, these are the individuals who make information security happen in large organizations – the people who spend their days examining online exploits and data leaks and who develop and implement enterprise defenses. Yet, the 2015 Black Hat Attendee Survey reveals a disturbing gap between the priorities and concerns of these security-savvy individuals and the actual expenditure of security resources in the average enterprise.

In short, the survey indicates that most enterprises are not spending their time, budget, and staffing resources on the problems that most security-savvy professionals consider to be the greatest threats.

In the study, the vast majority of security professionals – 57 percent – cited sophisticated, targeted attacks as their greatest concern (Figure 1). Yet, only 26 percent of respondents indicated that targeted attacks were among the top three IT security spending priorities in their organization, and only 20 percent of respondents said that targeted attacks were among the top three tasks where they spend the most time. Social engineering attacks, which were cited as a top concern by 46 percent of respondents, are similarly shortchanged in time and budget. And potential threats posed by the Internet of Things, which ranked as the greatest concern two years from now, are barely being addressed in current time or budget expenditures.

Figure 1: Of the following threats and challenges, which are of the greatest concern to you?

Sophisticated attacks targeted directly at the organization: 57%
Phishing, social network exploits or other forms of social engineering: 46%
Accidental data leaks by end users who fail to follow security policy: 21%
Polymorphic malware that evades signature-based defenses: 20%
Espionage or surveillance by foreign governments or competitors: 20%
Security vulnerabilities introduced by my own application development team: 20%
Data theft or sabotage by malicious insiders in the organization: 17%
Attacks or exploits on cloud services, applications, or storage systems used by my organization: 16%
Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements: 14%
Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems: 13%
Attacks on suppliers, contractors, or other partners that are connected to my organization’s network: 12%
Data theft, sabotage, or disclosure by “hacktivists” or politically-motivated attackers: 12%
Surveillance by my own government: 9%
Attacks or exploits brought into the organization via mobile devices: 8%
Digital attacks on non-computer devices and systems – the Internet of Things: 7%

Note: Maximum of three responses allowed
Data: UBM survey of 460 security professionals, June 2015

The 2015 Black Hat Attendee survey also reveals a serious shortage of IT security resources in the days ahead. While nearly three quarters (73 percent) of respondents think it likely that their organizations will have to deal with a major data breach in the year ahead, a majority also feel that they do not have enough budget, staff, and training to handle the load.

And, for good or ill, this shortage of staffing and skilled resources has created a seller’s market for the most security-savvy professionals. Some 94 percent of security professionals believe they would have little trouble finding another job, and while most are happy in their current positions, nearly two thirds (63 percent) say they would listen to a job opportunity posed by another employer.

This report summarizes some of the results from the survey and offers some insight on how the industry’s most knowledgeable security professionals regard the current state of the industry – and their own situations. Clearly, the IT security industry has some significant challenges ahead.

FAST FACT: 57% consider sophisticated attacks to be one of their 3 greatest concerns.

Priorities and Resources: A Troubling Disparity

As organizations struggle to find better, more efficient defenses against attack, perhaps the most significant result from the 2015 Black Hat Attendee survey is the disparity between the threats that keep security professionals awake at night and the tasks that keep them occupied during the day.

At 57 percent, the list of security pros’ greatest concerns was headed by sophisticated attacks targeted directly at the organization. Phishing and social engineering constituted the second-greatest concern at 46 percent. Issues such as accidental data leaks (21 percent), vulnerabilities in software developed in-house (20 percent), polymorphic malware (20 percent), and cyber espionage (20 percent) finished a mixed bag of third concerns (respondents were allowed to choose up to three). The data suggests that Black Hat attendees are aware of potential exploits and attacks that could be created by outsiders, and this knowledge causes significant concern.

Yet, when asked which defensive tasks consume the most time in the course of their workday, security professionals offered a very different picture. In response to this question, more than a third of Black Hat attendees said that their most time-consuming tasks are in addressing vulnerabilities introduced by internally developed software (35 percent) and vulnerabilities introduced by off-the-shelf software (33 percent). The data suggests that application flaws across the enterprise consume a great deal of time for the IT staff, yet are seldom considered the greatest threats. (Figure 2)

Figure 2: Which consume the greatest amount of your time during an average day?

Security vulnerabilities introduced by my own application development team: 35%
Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems: 33%
Phishing, social network exploits or other forms of social engineering: 31%
Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements: 30%
Accidental data leaks by end users who fail to follow security policy: 26%
Sophisticated attacks targeted directly at the organization: 20%
Polymorphic malware that evades signature-based defenses: 14%
Attacks or exploits on cloud services, applications, or storage systems used by my organization: 11%
Attacks or exploits brought into the organization via mobile devices: 8%
Attacks on suppliers, contractors, or other partners that are connected to my organization’s network: 8%
Espionage or surveillance by foreign governments or competitors: 8%
Data theft or sabotage by malicious insiders in the organization: 7%
Data theft, sabotage, or disclosure by “hacktivists” or politically-motivated attackers: 6%
Digital attacks on non-computer devices and systems – the Internet of Things: 6%
Surveillance by my own government: 2%

Note: Maximum of three responses allowed
Data: UBM survey of 460 security professionals, June 2015

By contrast, only 20 percent of security professionals counted targeted attacks as one of the top three areas where they spend the most time, and only 31 percent said that social engineering attacks are among their top three tasks.

Similarly, IT security spending priorities differ significantly from the level of concern among security-savvy professionals. Just 26 percent of respondents ranked targeted attacks as one of their top three priorities for spending. Accidental leaks (26 percent), potential regulatory compliance issues (25 percent), and security vulnerabilities introduced by internally developed applications (23 percent) also ranked most frequently among the top three spending priorities. The widespread range of spending priorities in the survey shows that budgets may be failing to keep up with the latest threats, and that security professionals are not able to tune that spending to meet their most current concerns. (Figure 3)

Figure 3: Which consume the greatest portion of your IT security spending or budget?

Accidental data leaks by end users who fail to follow security policy: 26%
Sophisticated attacks targeted directly at the organization: 26%
Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements: 25%
Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems: 23%
Phishing, social network exploits or other forms of social engineering: 22%
Security vulnerabilities introduced by my own application development team: 21%
Polymorphic malware that evades signature-based defenses: 15%
Data theft or sabotage by malicious insiders in the organization: 13%
Attacks or exploits on cloud services, applications, or storage systems used by my organization: 12%
Attacks or exploits brought into the organization via mobile devices: 9%
Espionage or surveillance by foreign governments or competitors: 6%
Attacks on suppliers, contractors, or other partners that are connected to my organization’s network: 6%
Data theft, sabotage, or disclosure by “hacktivists” or politically-motivated attackers: 5%
Digital attacks on non-computer devices and systems – the Internet of Things: 3%
Surveillance by my own government: 2%

Note: Maximum of three responses allowed
Data: UBM survey of 460 security professionals, June 2015

Many security professionals feel that the perception of current threats – both in the media and among their managers and supervisors – is different from their own. Close to half (41 percent) of respondents believe that the media has overplayed the issue of domestic government surveillance, and more than a quarter (27 percent) say the media focuses too heavily on hacktivists and politically motivated attackers. Among management, security professionals perceive a high rate of concern (29 percent) over malicious insiders, which was a top concern for only 17 percent of security professionals. And while many security professionals believe their management has mirroring concern for targeted attacks (44 percent) and social engineering (29 percent), they still indicate a difference between their own level of concern and those of their managers.

Similarly, many Black Hat attendees feel that key threats are being overlooked. Twenty-six percent of respondents say that phishing and social engineering do not get enough attention in the media and at industry events. Accidental data leaks by end users and new vulnerabilities introduced by off-the-shelf software are also areas that do not receive adequate attention, respondents said.

And the disparity between security professionals’ concerns and mainstream concerns will likely continue to be significant, according to survey data. More than a third of respondents (36 percent) said they believe that threats borne by non-computer devices – the Internet of Things (IoT) – will be among their top concerns two years from now. Yet at the moment, only 6 percent of respondents say IoT security constitutes a top security priority in time spent, and only 3 percent say it’s a budget priority. (Figure 4)

Figure 4: Which do you believe will be of greatest concern two years from now?

Digital attacks on non-computer devices and systems – the Internet of Things: 36%
Sophisticated attacks targeted directly at the organization: 33%
Espionage or surveillance by foreign governments or competitors: 26%
Attacks or exploits on cloud services, applications, or storage systems used by my organization: 24%
Attacks or exploits brought into the organization via mobile devices: 22%
Polymorphic malware that evades signature-based defenses: 22%
Phishing, social network exploits or other forms of social engineering: 22%
Surveillance by my own government: 15%
Attacks on suppliers, contractors, or other partners that are connected to my organization’s network: 13%
Data theft, sabotage, or disclosure by “hacktivists” or politically-motivated attackers: 12%
Security vulnerabilities introduced through the purchase of off-the-shelf applications or systems: 10%
Accidental data leaks by end users who fail to follow security policy: 10%
Data theft or sabotage by malicious insiders in the organization: 9%
Internal mistakes or external attacks that cause my organization to lose compliance with industry or regulatory requirements: 8%
Security vulnerabilities introduced by my own application development team: 7%

Note: Maximum of three responses allowed
Data: UBM survey of 460 security professionals, June 2015

Increasing Threats Highlight Shortage of Security Resources

How likely is it that a particular enterprise will experience a major breach in the coming year? Business executives may continue to hope to remain unscathed, but security professionals are facing the hard reality that their organizations probably will be next. Some 73 percent of Black Hat attendees say it is likely that they will have to respond to a significant compromise in the coming year: 13 percent say they have “no doubt” about it, 24 percent say that it’s “highly likely,” and 36 percent say that it’s “somewhat likely.” Many security experts use the phrase, “It’s not a matter of if, but when.”

What will be the most likely point of entry? Nearly a third (33 percent) of security-savvy IT pros say that “end users who violate security policy and are easily fooled by social engineering attacks” are the weakest links in the IT security chain of defense. Interestingly, however, one-fifth of respondents are also worried about their own defense strategies, citing “a lack of security architecture and planning that goes beyond firefighting” as their weakest link. This attitude is also pervasive in IT security discussions: A sense that the “layering” of single-purpose technologies and solutions might be leaving too many cracks for attackers to get through. (Figure 5)

Figure 5: What is the weakest link in today’s enterprise IT defenses?

End users who violate security policy and are too easily fooled by social engineering attacks: 33%
A lack of comprehensive security architecture and planning that goes beyond “firefighting”: 20%
Mobile device vulnerabilities: 9%
Cloud services and cloud application vulnerabilities: 7%
Signature-based security products that can’t recognize new and zero-day threats: 7%
Vulnerabilities in internally-developed software: 6%
An overabundance of security information and event data that takes too long to analyze: 5%
Vulnerabilities in off-the-shelf software: 4%
Web-based threats and the failure of SSL and digital certificates: 3%
Single-function security tools and products that don’t talk to each other: 3%
PC, Mac and endpoint vulnerabilities: 3%

Data: UBM survey of 460 security professionals, June 2015

A key reason for security professionals’ concerns about future attacks is the shortage of resources that they feel in their own organizations. In the Black Hat Attendee Survey, only 27 percent of respondents said they feel their organization has enough staff to defend itself against current threats; nearly a quarter (22 percent) described their security departments as being “completely underwater.” (Figure 6) Similarly, only one third (34 percent) of security pros said their organization has enough budget to defend itself against current threats; 21 percent said they are “severely hampered” in their defenses by a lack of funding.

Figure 6: Does your organization have enough security staff to defend itself against current threats?

Yes: 27%
No, we could use a little help: 51%
No, we are completely underwater: 17%
What staff?: 5%

Data: UBM survey of 460 security professionals, June 2015

FAST FACT: 36% predict that IoT security will be a top concern in two years.

Even among security pros themselves, there is a sense that a shortage of skills and training may impair the ability to respond to current threats. While 36 percent said they have the skills they need to do their jobs, some 55 percent said they could use some training. Nine percent said they feel they are ill-prepared to handle future attacks or exploits they may encounter in the near future.

The central message that comes across in all of these questions is that while sophisticated security professionals are increasingly convinced that a major breach is inevitable, most of those security pros do not feel they have the resources and training they need to defend their organizations. The combination of these responses should ring warning bells to the industry that security defense strategies and resources need serious rethinking, and that the people who walk the walls and guard the doors are not confident in their ability to keep online adversaries out of enterprise systems and data.

Enterprise Security Equals Job Security

The combination of a growing threat, perceived weaknesses in cyber defenses, and a shortage of skilled people has created a seller’s market for advanced security talent such as those who attend Black Hat. Some 94 percent of survey respondents feel that, should they need to make a change, they could get another job “without too much trouble.” This indicates that many security professionals feel secure and mobile in their careers.

Interestingly, however, most security pros are happy where they are – in fact, only 12 percent of respondents described themselves as actively job-hunting today. 58 percent are not even updating their resumes, and nearly a quarter (24 percent) say they are happy in their jobs and it would take a lot to get them to change positions. (Figure 7)

FAST FACT: 24% are happy in their jobs and have no plans to change.

Figure 7: Do you have plans to seek an IT security position anytime in the near future?

I’m not doing any active job research, but if some other company called me, I would listen: 33%
No definite plans, but I am always updating my resume and looking for a better post: 30%
I really love my job and my employer and it would take a LOT to get me to move: 24%
Yes, I am actively looking for employment right now: 12%
I am an indentured servant and would be beheaded if I tried to escape: 1%

Data: UBM survey of 460 security professionals, June 2015

A key reason for their job satisfaction may be the support security pros are getting from their management. As mentioned earlier, most of the survey respondents felt that their management had roughly the same priorities as they do. Nearly a third of respondents described their non-IT counterparts as supportive of IT security initiatives, and 81 percent indicated that they have at least some support from non-IT management who “get” the security problem. This is a significant shift from a few years ago, when many studies indicated that non-IT managers did not understand the security problem or how to support it.

In general, most security pros also feel that their management is offering a growth path for their careers. Some 38 percent said they know the next level they can reach on the corporate ladder and are actively working toward it. Another 42 percent said they feel they know their options and are pretty sure they “will be here for a while.” These figures suggest that only 20 percent of security pros are looking for a new position; with numbers like these, it seems likely that it will continue to be difficult to find security job candidates on the open market for some time to come. (Figure 8)

Figure 8: Do you have a clear, upward career growth path in your current place of employment?

Yes, I know the next step or level I can get to and I am working toward it now: 38%
No, but I have some ideas about my options and I’m pretty sure I’ll be here a while: 31%
No, I can’t see any clear path for growth and I’m thinking about looking for another job: 17%
I’m not sure, but I think I’m doing a good job and I think my employer will take care of me: 11%
I can’t type because I’m smashed up against this glass ceiling: 3%

Data: UBM survey of 460 security professionals, June 2015

Conclusions

The 2015 Black Hat Attendee Survey offers several takeaways that indicate a need to rethink the current enterprise IT security model. Perhaps the most important of these is that security pros are not spending their time and budget in a manner that is commensurate with their concerns about current threats. While issues such as compliance and application security take a significant amount of their time, they need greater leeway to focus on emerging threats such as targeted attacks and social engineering exploits that pose the greatest danger to their organizations.

The growing online threat also is putting continuous pressure on security staffs and departments, even in the largest and most security-savvy organizations. Most security pros feel that they do not have enough people, budget, or training to handle the current threat, and most have not yet begun to address what security pros believe will be their greatest concern two years from now: the Internet of Things.

Finally, the shortage of available security talent will likely continue in days to come. While most security pros feel confident in their ability to change jobs, the vast majority are happy in their current positions and feel they are well-supported by management. Finding sophisticated professionals, such as those in the Black Hat attendee base, will not be easy in the future.