Introduction
» SolarWinds, in conjunction with SANS, recently conducted a survey on Security Analytics and Intelligence with participation from over 600 IT professionals
» This presentation provides insight into IT budgets for security, difficulties faced in identifying attacks and breaches, and more

The Agenda
• Participants: Whom did we survey?
• Results: What did they say?
• Key Takeaway: What does the survey mean to you?
• Recommendations: What can you do?
SANS & SOLARWINDS IT SECURITY SURVEY 2013
Whom Did We Survey?
Participants: industry-wise
Government/Military: 19.0%
Financial Services/Banking: 17.2%
Other: 15.6%
Education: 8.7%
High Tech: 8.7%
Healthcare/Pharmaceutical: 8.2%
Telecommunications Carrier/Service…: 7.0%
Manufacturing: 5.9%
Energy/Utilities: 5.1%
Retail: 2.9%
Engineering/Construction: 0.9%
Hosting Service Provider: 0.9%
45% of the survey-taker organizations were from Federal, BFSI and Healthcare
IT Budget Spent on IT Security
• 45% of the survey takers were spending less than 20% of their IT budget on information security management, compliance and response
• About 30% spent less than 10% on information security management, compliance and response
Share of IT budget spent on IT security:
Unknown: 40.0%
Less than 5%: 21.3%
6% to 10%: 16.0%
11% to 20%: 7.9%
21% to 30%: 7.3%
31% to 40%: 2.0%
41% to 50%: 1.2%
51% to 60%: 0.9%
Greater than 60%: 1.7%
Other: 1.6%
Difficulty in Detecting Threats
Number of attacks in the past two years that were difficult to detect:
No attacks (that we know about): 33.4%
2 to 5: 23.5%
Unknown: 21.1%
1: 7.8%
6 to 10: 5.7%
11 to 20: 3.0%
21 to 50: 2.8%
51 to 100: 1.3%
More than 100: 1.3%
In the past two years, 45% of the respondent companies had 1 or more attacks that were difficult to detect.
Time Taken to Detect the Impact of the Attacks
• 30% of the organizations took up to a week to detect the impact
• 14% of them took about 1-3 months
Chart categories: Within the same day; One week or less; A month or less; Three months or less; Five months or less; 10 months or less; More than 10 months; Unknown
Time Taken for Attack Remediation
• 35% of companies took up to a week to remediate after the initial knowledge of an attack
• About 11% of the companies took 1-3 months
Chart categories: Within the same day; One week or less; A month or less; Three months or less; Five months or less; 10 months or less; More than 10 months; Unknown
Top 3 Impediments to Discovering and Following Up on Attacks
39%: Not collecting appropriate security data
21%: Not identifying relevant event context (event correlation)
19%: Lack of system awareness and vulnerability awareness
Types of Operational and Security Data Collected for Security Analytics
Top 3 Types of Data Currently Collected:
• Log data from network devices, servers and applications
• Monitoring data from firewalls, vulnerability scanners, IDS/IPS
• Access data
Top 3 Within 12 Months:
• Security assessment data from endpoint, application and server monitoring tools
• Monitoring and exception data from internal virtual and cloud environments
• Access data from applications and access control systems
Chart categories (series: Unknown; Don't plan to collect; Plan to collect within 12 months; Currently collect):
• Log data from network (routers/switches) and servers, applications and/or endpoints
• Monitoring data provided through firewalls, network-based vulnerability scanners, IDS/IPS, UTMs, etc.
• Access data from applications and access control systems
• Unstructured data-at-rest and RAM data from endpoints (servers and end-user devices)
• Security assessment data from endpoint (aka from NAC/MDM scans), application and server monitoring tools
• Assessment and exception data (not on the whitelist of approved behaviors) taken from mobile/BYOD endpoints…
• Monitoring and exception data pertaining to internal virtual and cloud environments
• Monitoring and exception data pertaining to public cloud usage
• Other
How Satisfied are Organizations with their Security Tools?
Alarming Factor!!
59% of the organizations don’t know whether they are collecting security data in real time or not.
Correlation of Event Logs
• 30% of the organizations did not have any automated correlation of log data
• 45% of the organizations manually scripted searches based on hunches
• 39% of them had no third party intelligence tools
Chart categories: Other; Hadoop or other free or distributed data analysis tools; Unstructured data analysis tools with NoSQL and other methods; Advanced intelligence/threat profiling database; No automated correlation of logs, just manual scanning for exceptions by experts; Manual and manually-scripted searches based on evidence and hunches; Use of SIEM technologies and systems; Dedicated log management platform used for IT security and operations
More on Correlation
38% of the respondent organizations did not have log correlation for external threat intelligence tools
About 36% of the organizations never had any automated pattern recognition
And guess what???
44% of the organizations are doing only up to 25% of their inquiries to detect threats in real time.
Satisfaction with Current Analytics and Intelligence Capabilities
• About 59% of the organizations are not satisfied with their library of appropriate queries and reports
• 56% of the organizations are not satisfied with their relevant event context intelligence
• 56% of them have no visibility into actionable security events
Chart categories: Producing or having a library of appropriate…; Relevant event context (intelligence) to observe…; Training/intelligence expertise; Integration of other monitoring systems into…; Costs for tools, maintenance and personnel; Visibility into actionable security events across…; Ability to alert based on exceptions to what is…; Reduction of false positives and/or false negatives; Performance and response time issues; Other; Storage capacity and access of data in needed formats
Primary Use Cases for Evaluation of Security Tools
24% - External malware
13% - Advanced persistent threats
11% - Compliance monitoring
Top 3 Future Investments in Security
Chart categories: Security information management tools/SIEM systems with built-in analytics capabilities; Personnel/training to detect patterns (analytics) and manage systems; Vulnerability management; Network protections (UTM, IDS/IPS, etc.); Endpoint visibility; Application protections and visibility; Intelligence products or services; Analytics engines; Other
Top 3 Future Investments in Security:
1. SIEM Tools
2. Training
3. Vulnerability Management
Key Takeaways
For truly effective security and threat management, organizations need to:
• Collect and correlate appropriate log and event data across all relevant sources throughout the IT infrastructure
• Handle larger volumes of log data efficiently
• Establish a baseline of “normal” behavior in order to identify anomalies
• Identify threats and attacks in real time
• Reduce the time between detection and response
• Implement the right tools for advanced analytics and intelligence
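As an added illustration of the "correlate" and "baseline of normal" takeaways above (example code written for this page, not SolarWinds or SANS code), the Python below parses constructed sample authentication events, applies one correlation rule (repeated failures from a source followed by a success from the same source) and flags hosts whose daily failure count departs from a stored baseline. The log format, host names and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample events (not survey data); assumed format:
# "<ISO timestamp> <host> <event> src=<ip> user=<name>"
SAMPLE_LOGS = """\
2013-06-03T09:00:05 web1 auth_fail src=10.0.0.5 user=alice
2013-06-03T09:00:09 web1 auth_fail src=10.0.0.5 user=alice
2013-06-03T09:00:14 web1 auth_fail src=10.0.0.5 user=alice
2013-06-03T09:00:20 web1 auth_ok src=10.0.0.5 user=alice
2013-06-03T09:10:00 web2 auth_fail src=10.0.0.9 user=bob
2013-06-03T09:20:00 web2 auth_ok src=10.0.0.9 user=bob
""".splitlines()
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) src=(\S+) user=(\S+)$")

def parse_logs(lines):
    """Normalise raw lines into event dicts sorted by time; unparseable lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, kind, src, user = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "kind": kind, "src": src, "user": user})
    return sorted(events, key=lambda e: e["ts"])

def correlate_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: auth_ok preceded by >= threshold auth_fail from the same src within window."""
    alerts, fails = [], defaultdict(list)
    for e in events:
        recent = [t for t in fails[e["src"]] if e["ts"] - t <= window]  # drop old failures
        fails[e["src"]] = recent
        if e["kind"] == "auth_fail":
            recent.append(e["ts"])
        elif e["kind"] == "auth_ok" and len(recent) >= threshold:
            alerts.append((e["src"], e["user"], e["host"], len(recent)))
    return alerts

def baseline_anomalies(history, today, k=2.0):
    """history: host -> past daily auth_fail counts (the baseline); flag today's
    count when it exceeds mean + k * stdev (stdev floored at 1 to avoid a zero band)."""
    flagged = {}
    for host, counts in history.items():
        limit = mean(counts) + k * max(pstdev(counts), 1.0)
        if today.get(host, 0) > limit:
            flagged[host] = today[host]
    return flagged
```

In a real deployment the baseline would be recomputed from the log store on a schedule and the correlation rule would run over a streaming window rather than a static list.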
How Can SIEM Solutions Help You?
» Event correlation for event context and actionable intelligence
» Real-time analysis for immediate threat detection and mitigation
» Advanced IT search to simplify event forensics and expedite root cause analysis
» Built-in reporting to streamline security and compliance
65% of the organizations want to make their security investments on SIEM systems
SolarWinds Log & Event Manager
Log Collection, Analysis, and Real-Time Correlation
• Collects log & event data from tens of thousands of devices & performs true real-time, in-memory correlation
• Powerful Active Response technology enables you to quickly & automatically take action against threats
• Advanced IT Search employs highly effective data visualization tools – word clouds, tree maps, & more
• Quickly generates compliance reports for PCI DSS, GLBA, SOX, NERC CIP, HIPAA, & more
• Built-in correlation rules, reports, & responses for out-of-the-box visibility and proactive threat protection