AlgoBuzz Blog


New report shows drop in security incidents from misconfigurations but there’s work to be done


Trustwave recently published its annual Global Security Report, which analyzed hundreds of incidents and breaches at organizations across 21 countries. The report examined a range of issues, including the common causes of security incidents, the types of data breached, the areas of networks that were targeted, and how applications were secured, giving a good overall picture of the state of corporate security.

Some of the key findings include:

  • Payment card data is most at risk, with more than half of the incidents and breaches examined by Trustwave targeting this data
  • The retail industry was most affected with 22% of all incidents and breaches investigated by Trustwave affecting this market sector
  • Once intrusions were detected, organizations were able to contain them efficiently, with a median intrusion-to-containment time of 2.5 days

Overall, compared to last year’s report, there were some areas of improvement in organizations’ overall security postures, but this was offset by declines in other areas. Here are some of the findings that caught our attention as they relate to security policy management.

Drop in incidents resulting from misconfigurations

In the 2017 report Trustwave found that security incidents resulting from misconfigurations accounted for 6.3% of all incidents – down from 17% last year. While this is a dramatic improvement, it is still a concern that some organizations are not taking steps to eliminate this unnecessary risk from their security practices. By proactively assessing every security change for risk and compliance violations, and by automating the change process for security devices, enterprises can avoid many of these misconfigurations.

The report also revealed that security incidents resulting from misconfigurations had the biggest impact on ecommerce environments (11% of all intrusions) and point-of-sale systems (5% of all intrusions). This underlines the value of network segmentation in preventing a hacker from exploiting a vulnerability caused by a misconfiguration to move laterally across the network. Areas of the network that are business-critical or that process sensitive data should be strongly segregated from the rest of the corporate network, to stop criminals from roaming unchecked while searching for valuable assets.
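The two recommendations above, assessing a change before it is pushed and keeping sensitive zones segregated, can be combined into a single pre-change check. The following is an added example, not code from the blog, from Trustwave or from any product; the zone map, the approved-flow list, the rule format and the sample change request are all constructed for illustration. A proposed allow rule is a violation if it lets a source outside a cardholder zone reach that zone over a service the segmentation policy has not explicitly approved.

```python
"""Segmentation check for a proposed firewall change (constructed example).

A change request is assessed against a zone map and an allow-list of approved
cross-zone flows before it reaches the device, so that a misconfiguration
opening a path into the ecommerce or POS zone is caught as a policy violation.
Zone names, ranges, flows and rules below are all hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone map: which address ranges belong to which network zone.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "ecommerce": ip_network("10.20.0.0/24"),
    "pos": ip_network("10.30.0.0/24"),
}

# Zones that process cardholder data; only explicitly approved flows may enter them.
SENSITIVE_ZONES = {"ecommerce", "pos"}

# Constructed allow-list of (source zone, destination zone, service) the policy permits.
APPROVED_FLOWS = {
    ("corporate", "ecommerce", "tcp/443"),
    ("ecommerce", "pos", "tcp/8443"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # e.g. "tcp/443", or "any"
    action: str   # "allow" or "deny"


def zones_for(cidr: str) -> set[str]:
    """Return the zones a CIDR overlaps; 'any' touches every zone."""
    if cidr == "any":
        return set(ZONES)
    net = ip_network(cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def assess_rule(rule: Rule) -> list[str]:
    """List segmentation violations a single allow rule would introduce."""
    violations: list[str] = []
    if rule.action != "allow":
        return violations
    for src in zones_for(rule.src):
        for dst in zones_for(rule.dst):
            # Only traffic entering a sensitive zone from a different zone is in scope.
            if dst not in SENSITIVE_ZONES or src == dst:
                continue
            if rule.service == "any":
                violations.append(f"{rule.name}: 'any' service from {src} into {dst}")
            elif (src, dst, rule.service) not in APPROVED_FLOWS:
                violations.append(
                    f"{rule.name}: {src} -> {dst} {rule.service} is not an approved flow"
                )
    return violations


def assess_change(proposed: list[Rule]) -> dict[str, list[str]]:
    """Assess a batch of proposed rules; returns rule name -> violations for rules with findings."""
    findings: dict[str, list[str]] = {}
    for rule in proposed:
        issues = assess_rule(rule)
        if issues:
            findings[rule.name] = issues
    return findings


# Constructed change request: one approved flow, two misconfigurations, one deny rule.
CHANGE = [
    Rule("web-to-payments", "10.20.0.0/24", "10.30.0.0/24", "tcp/8443", "allow"),
    Rule("helpdesk-to-pos", "10.10.5.0/24", "10.30.0.0/24", "tcp/3389", "allow"),
    Rule("troubleshoot", "any", "10.30.0.10/32", "any", "allow"),
    Rule("block-guest", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, issues in assess_change(CHANGE).items():
        for issue in issues:
            print("VIOLATION", issue)
```

Run stand-alone, the check rejects the two rules that would let the corporate zone (and, for the `any` source, the ecommerce zone) reach the POS zone outside the approved flows, while the approved ecommerce-to-POS rule and the deny rule pass. In practice the zone map and approved flows would come from the organization's own segmentation policy rather than from literals in the script.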

Intrusion-to-detection time falls

As well as a drop in misconfiguration-related security incidents, this year’s report found a marked improvement in intrusion detection times. The median number of days from an intrusion to detection of a compromise is now 49 days – 30.5 days faster than last year – but this is still a considerable length of time, despite more and more organizations deploying SIEM solutions to help them detect and respond to security events. There was also some variation depending on whether compromises were detected internally (16 days) or externally (65 days).

Part of the issue here could be that these solutions typically collect alerts and logs from a broad range of security sensors, such as anti-virus, firewalls and IDS, which together generate tens of thousands of alerts per day. As a result, it is extremely difficult for security teams to identify which of those alerts are genuine incidents and which are false alarms, and this clearly extends the time it takes to investigate and identify a real intrusion.

To counter this, security teams should apply business context to their incident response analysis, so that they can prioritize and deal more efficiently with the incidents that present the biggest threat to the business.

And, again, network segmentation can help limit the damage possible during that median 49-day detection window, as it inhibits hackers’ progress and access to resources once they are inside the network.

Applications are increasingly vulnerable

Less encouragingly, the 2017 report found that application vulnerabilities are increasing: more than 99.7% of applications tested by Trustwave had at least one security vulnerability, up from 97% in last year’s report, with a mean of 11 vulnerabilities detected per application. Alarmingly, 10% of those were classed as critical or high risk. Of course, many enterprises use vulnerability scanners to help address this issue, but these tools typically do not apply a business context to the vulnerabilities, which makes it difficult for teams to prioritize their remediation efforts.

As we recently blogged, the conventional approach to vulnerability management neglects the fact that not only is a server or network device at risk but – more importantly – so is any application that relies on that server or device.  For a more accurate picture of business risk, organizations need to link vulnerabilities to the business applications that they affect.

By doing this, the organization’s internal stakeholders can quickly and easily weigh up the various remediation options and timing, balancing the potential risk of a security incident on the business against the impact of any downtime that’s needed to fix the problem.
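The business-context weighting argued for here (and, earlier, for incident triage) comes down to one join: scanner findings are reported per host, the application inventory says which hosts each business application depends on, and the remediation queue is ordered by the criticality of the applications affected rather than by scanner severity alone. The following is an added example, not code from the blog or from any product; the severity and criticality weights, the placeholder vulnerability identifiers and the sample inventory are all constructed for illustration.

```python
"""Rank remediation work by the business applications a finding affects (constructed example).

A medium-severity finding on a host behind the payments application is ranked
above a critical finding on a low-criticality wiki, and a finding on a host
that serves no inventoried application keeps only its bare scanner severity.
All identifiers (VULN-000x), hosts, applications and weights are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed weights: scanner severity and business criticality of an application.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str   # placeholder identifier, not a real CVE
    severity: str  # key of SEVERITY_WEIGHT


@dataclass(frozen=True)
class Application:
    name: str
    criticality: str       # key of CRITICALITY_WEIGHT
    hosts: frozenset[str]  # servers and devices the application relies on


def hosts_to_apps(apps: list[Application]) -> dict[str, list[Application]]:
    """Invert the inventory: host -> applications that depend on it."""
    index: dict[str, list[Application]] = defaultdict(list)
    for app in apps:
        for host in app.hosts:
            index[host].append(app)
    return index


def business_risk(finding: Finding, apps_on_host: list[Application]) -> int:
    """Scanner severity weighted by the most critical application relying on the host."""
    base = SEVERITY_WEIGHT[finding.severity]
    if not apps_on_host:
        return base
    return base * max(CRITICALITY_WEIGHT[a.criticality] for a in apps_on_host)


def remediation_plan(findings: list[Finding], apps: list[Application]) -> list[dict]:
    """Return every finding with the applications it affects, highest business risk first."""
    index = hosts_to_apps(apps)
    plan = []
    for f in findings:
        affected = index.get(f.host, [])
        plan.append({
            "vuln_id": f.vuln_id,
            "host": f.host,
            "severity": f.severity,
            "applications": sorted(a.name for a in affected),
            "risk": business_risk(f, affected),
        })
    plan.sort(key=lambda entry: (-entry["risk"], entry["vuln_id"]))
    return plan


# Constructed application inventory; pos-app-01 is shared by two critical applications.
APPS = [
    Application("payments", "high", frozenset({"pos-db-01", "pos-app-01"})),
    Application("webshop", "high", frozenset({"web-01", "pos-app-01"})),
    Application("intranet-wiki", "low", frozenset({"wiki-01"})),
]

# Constructed scanner output; lab-07 is not tied to any application.
FINDINGS = [
    Finding("wiki-01", "VULN-0001", "critical"),
    Finding("pos-db-01", "VULN-0002", "medium"),
    Finding("lab-07", "VULN-0003", "high"),
    Finding("pos-app-01", "VULN-0004", "high"),
]

if __name__ == "__main__":
    for entry in remediation_plan(FINDINGS, APPS):
        apps = ", ".join(entry["applications"]) or "(no application)"
        print(f'{entry["risk"]:>3}  {entry["vuln_id"]}  {entry["host"]:<10} {entry["severity"]:<8} {apps}')
```

The ordering this produces puts the high-severity finding on the shared POS application server first, then the medium finding on the payments database, and only then the critical finding on the wiki, with the unassigned lab host last. That reversal of the scanner's own severity order is the point: stakeholders can see which business applications each fix protects and weigh the remediation downtime against that.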

Ultimately, while the Trustwave report highlights the dynamic and dangerous security landscape, many of the most serious cyber-risks can be mitigated with intelligent implementation of basic, strong infosecurity principles.  Careful network segmentation and automating security device changes can go a long way towards mitigating the security threats facing businesses today.  The report makes several key recommendations as to how organizations can improve their overall security posture and can be read in full here.
