Information Security Strategies in the Age of Zero-Day Threats · Between December 2016 and March 2017, Gatepoint Research invited selected IT executives to participate in a survey

Summary Results | April 2017

Copyright ©2016 Gatepoint Research. All rights reserved. This report is the sole property of Gatepoint Research and may not be used, reproduced or redistributed in any form including, but not limited to, print & digital form without express written consent of Gatepoint Research. Copyright ©2016 Gatepoint Research. All rights reserved. This report is the sole property of Gatepoint Research and may not be used, reproduced or redistributed in any form including, but not limited to, print & digital form without express written consent of Gatepoint Research.

Information Security Strategies in the Age of Zero-Day Threats



Copyright ©2016 Gatepoint Research. All rights reserved. This report is the sole property of Gatepoint Research and may not be used, reproduced or redistributed in any form including, but not limited to, print & digital form without express written consent of Gatepoint Research.

Survey Summary▶ Between December 2016 and March 2017, Gatepoint Research invited selected IT

executives to participate in a survey themed Information Security Strategies in the Age

of Zero-Day Threats.

▶ Candidates were invited via email and 100 executives have participated to date.

▶ Management levels represented are predominantly senior decision makers: 8% hold

the title CxO, 17% are VPs, 39% are Directors, and 36% are Managers.

▶ Survey participants represent firms from a wide variety of industries including

financial services, general manufacturing, business services, healthcare, high tech

manufacturing, retail trade, consumer services, education, primary

manufacturing, telecom services, and utilities.

▶ Responders work for firms with a wide range of revenue levels:

62% work in Fortune 1000 companies with revenues over $1.5 billion;

10% work in Large firms whose revenues are between $500 million and $1.5

billion;

7% work in Mid-Market firms with $250 million to $500 million in revenues;

21% work in Small companies with less than $250 million in revenues.

▶ 100% of responders participated voluntarily; none were engaged using telemarketing.



Executive Overview

Information security is, now more than ever, a game played on the offense. Zero day threats and

advanced attacks require protection in place that detects and reacts to threats in their earliest

stages, before critical data has been breached or systems sabotaged. What strategies are

organizations using now, and how are they improving security in the near future?

This survey asks respondents to report:

▶ How has the senior management in your organization evolved with regard to security threats over the last several years?

▶ Do you feel your company is investing enough money and manpower into security to keep ahead of developing attack methods?

▶ Do your security tools collect and analyze data from various sources and endpoints? Can you adequately correlate the findings from these various sources?

▶ What significant threat detection challenges are you facing?

▶ What are the implications of multiple false positive security alerts?

▶ Is your organization comfortable with trying new technologies to combat security threats?



Over the last 2 years how have concerns about information security changed among senior management at your

organization?

Without a doubt, senior management concerns over information security has heightened in the last 2 years. Not one respondent to the survey reports

decreased levels of concern among executives.

40%

51%

9%

0% 0%0%

10%

20%

30%

40%

50%

60%

Increased dramatically Increased Stayed the same Decreased Decreased dramatically



How satisfied are you with the investment your company is making in information security tools and staff?

(Rate 1 to 5, 1 = not at all satisfied, 5 = highly satisfied)

68% of respondents claim to be “satisfied” to “highly satisfied” with the level of

investment their companies are making in information security.

3% 4%

22%

46%

22%

2%0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

1 2 3 4 5 N/A

NOT AT ALL SATISFIED HIGHLY SATISIFIED



How many full-time employees are dedicated to

providing information security in your organization?

65% of respondents report their organization dedicates 6 or more full time

employees to information security.

10%13%

9%

65%

3%0%

10%

20%

30%

40%

50%

60%

70%

0-1 2-3 4-5 6 or more N/A



What are some of the threat detection and response

challenges you're currently facing?

Top three threat challenges cited by respondents: Keeping up with new threats (56%), understanding the scope of the attack (50%), detecting attacks while in

progress (48%).

56%

50%

48%

40%

38%

38%

7%

0% 10% 20% 30% 40% 50% 60%

Keeping up with new threats,including zero-day threats

Understanding the full scope of the attack

The ability to detect an attack while it'sin progress, so we can take steps to thwart it

The ability to correlate data coming from various security tools

We have security tools, but not enough expertise in-house to use them as effectively as we'd like

We have to monitor each of our security toolsindividually; there's no master interface

N/A



Do you have security tools that collect, monitor or

analyze each of the following?

Most respondents report having security tools that collect/monitor/analyze data

in place across these four areas.

86%

86%

74%

65%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Log data

End point data (desktops, laptops,mobile devices, etc.)

Network packets

NetFlow data



How well can you correlate data coming from different sources, such as logs, packets, NetFlow data and/or end points?

(Rate 1 to 5, 1 = not well at all, 5 = very well)

Correlating data is a challenge for many organizations. Just under half of those surveyed say they can correlate their data between logs, packets, NetFlow data,

etc., “well” to “very well.”

5%

11%

32%

38%

10%

3%0%

5%

10%

15%

20%

25%

30%

35%

40%

1 2 3 4 5 N/A

NOT WELL AT ALL VERY WELL



For which of the following reasons do you use a

security incident and event management (SIEM) tool?

SIEM tools are reportedly used primarily to boost the effectiveness of security staff (65%) and correlate data from other tools (63%), but often also used to detect advanced persistent threats (58%) and collect logs and data (54%).

65%

63%

58%

54%

41%

12%

0% 10% 20% 30% 40% 50% 60% 70%

To improve effectiveness of security staff

To correlate data from various other security tools

To detect advanced persistent threats

To collect logs plus other security data

We're required to for compliance reasons

We don't use a SIEM tool



What negative implications do you experience from

false positive security alerts?

Survey respondents bemoan the “noise” caused by false positive alerts, which

may dilute the response to legitimate threats.

46%

35%

35%

31%

0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%

They cause too much noise, causing usto deprioritize legitimate security alerts

They generate an inordinate amount ofadditional work for security staff

We don't have significant problemswith false positives

We find it difficult to appropriately tunesecurity systems to eliminate false positives



How comfortable is your company with respect to

trying new technologies? (Rate 1 to 5, 1 = not at all comfortable, 5 = very comfortable)

Respondents indicate that most of their organizations are “comfortable” to “very

comfortable” trying new technologies.

3%

6%

36%

34%

17%

2%0%

5%

10%

15%

20%

25%

30%

35%

40%

1 2 3 4 5 N/A

NOT AT ALL COMFORTABLE VERY COMFORTABLE



Profile of Responders:

Industry Sectors

A wide variety of industry sectors participated in the survey.

Financial Services18%

Mfg - General16%

Business Services16%

Healthcare14%

Mfg - High Tech12%

Retail Trade9%

Consumer Services3%

Education3%

Mfg - Primary2%

Telecom Services

2%

Utilities2%

Media1%

Transportation1%

Wholesale Trade1%




Revenue

Nearly two thirds of those surveyed work in Fortune 1000 companies with over

$1.5 billion in revenue.

>$1.5billion62%

$500 million -$1.5 billion

10%

$250 - 500 million7%

<$250 million21%




Job Level

64% of survey participants hold executive positions in their companies.

Manager, 36%

Director, 39%

VP, 17%

CxO, 8%



RSA offers business-driven security solutions

that uniquely link business context with

security incidents to help organizations

manage risk and protect what matters most.

RSA solutions are designed to effectively

detect and respond to advanced attacks;

manage user identities and access; and

reduce business risk, fraud and cybercrime.

RSA protects millions of users around the

world and helps more than 90% of Fortune

500 companies thrive in an uncertain, high-

risk world.

For more information go to RSA.com

https://www.rsa.com/en-us

Documents

Information Security Strategies in the Age of Zero-Day Threats · Between December 2016 and March 2017, Gatepoint Research invited selected IT executives to participate in a survey