According to the Solera Networks’ Second Annual Network Forensics Survey, conducted by Trusted Strategies, only a small percentage of the 200 security professional respondents said they could gather enough information from a network attack to prevent it in the future.
“At the end of the day, security professionals know they need better tools to figure what happened [during a security breach]; they just don’t have them”, observed Pete Schlampp, vice president of marketing and product management at Solera Networks.
The survey found that 35% of respondents said they have had a significant network security incident within the last three years, and 82% said that it is likely they will experience a significant network security incident within the next three years.
“What this tells us is that the vast majority of respondents believe they are going to have breaches of their networks. When I speak to people one-on-one, I’ve never had someone tell me that they are not concerned about a security incident in the near future”, Schlampp told Infosecurity.
Surprisingly, 96% of respondents feel threatened by employees’ web activity, and 71% fear that instant messaging could pose a network security threat, according to the survey.
“Especially now with trends such as social networking, these guys feel like they are not in control of their end users, who are out there on websites sharing information, doing research, etc. This activity is not within the realm of control of their security tools”, said Schlampp.
A full 93% of respondents said they are most concerned about network and system outages, and 92% are worried about lengthy recovery times from network attacks.
Schlampp noted that security professionals are concerned about the length of network recovery time because that directly impacts their job performance. But a majority of respondents believe that the primary goals of networks attacks are the theft of intellectual property and financial gain, not taking down the network.
“This points to a mismatch between what the average IT guy is concerned with in terms of their jobs and what they know the primary objectives of an attack are….People are concerned about keeping their jobs. They are concerned that when these breaches occur, their system is going to be down, their CEO is going to say, ‘Hey, email’s been down for the last hour.’ That’s going to put their job on the line. Whereas the truth is they know the objectives of the attack are not about down time”, Schlampp explained.
Alan Hall, director of marketing at Solera Networks, added that “there needs to be better alignment between those who are commissioned to protect the networks and those who are commissioned to run the business. There needs to be better sharing of information from the executive level to those responsible for security so they understand what the objectives of the business are because this will play into how they protect the network.”
According to the survey, 35% of respondents do not have an up-to-date network breach response plan, and 52% are not ready to handle a significant network security incident. Sixty-four percent of respondents said they do not have the data or tools to determine the full scope of network security incidents, and 20% said it is “impossible to determine scope”.
One solution is for security professionals to be able to record and track what happens during network breaches so they can take steps to prevent breaches in the future. Schlampp said that respondents expressed the need to replay events in real time so they can make decision about what to do next.
“The answer is to have a network forensics capability that actually records everything that happens on the network for a certain period of time….When an incident occurs, security professionals want to be able to go back and say what happened. So ultimately there is a need to make our tools better and have a higher fidelity today”, Schlampp said.
One of the respondents to the survey, Roar Thon with the Norwegian National Security Organization, summed it up this way: “Everybody should do what they can to protect themselves from being attacked, but the sad truth is that the most important thing you should plan and prepare for is how to behave when the attacker has succeeded.”