Professional Documents
Culture Documents
Cisco 2015 Annual Security Report: - Section Name
Cisco 2015 Annual Security Report: - Section Name
Executive Summary
1. Threat Intelligence
This section provides an overview of the latest threat research
from Cisco, including updates on exploit kits, spam, threats
and vulnerabilities, and malvertising (malicious advertising)
trends. Online criminals growing reliance on users to help
launch their attacks is also examined. To produce their
analysis of observed trends in 2014, Cisco Security Research
utilized a global set of telemetry data. The threat intelligence
provided in the report represents work conducted by top
security experts across Cisco.
2. Security Capabilities Benchmark Study
To gauge perceptions of security professionals on the state of
security in their organizations, Cisco asked chief information
security officers (CISOs) and security operations (SecOps)
managers in nine countries and at organizations of different
sizes about their security resources and procedures. The
studys findings are exclusive to the Cisco 2015 Annual
Security Report.
3. Geopolitical and Industry Trends
In this section, Cisco security, geopolitical, and policy
experts identify current and emerging geopolitical trends that
organizationsparticularly, multinational companiesshould
monitor. In focus: how cybercrime is flourishing in areas of
weak governance. Also covered are recent developments
around the world related to the issues of data sovereignty,
data localization, encryption, and data compatibility.
Key Discoveries
Table of Contents
Executive Summary .......................................................... 2
Key Discoveries................................................................. 4
Attackers vs. Defenders: An Ongoing Race .................... 6
VS.
Cisco 2015 Annual Security Report | Attackers vs. Defenders: An Ongoing Race
1. Threat Intelligence
Cisco Security Research has assembled and analyzed security insights in this report based
on a global set of telemetry data. Cisco security experts perform ongoing research and
analysis of discovered threats, such as malware traffic, which can provide insights on
possible future criminal behavior and aid in the detection of threats.
Jan. 2014
Nov. 2014
Mozilla
Oracle Java
OpenSSL
Linux Kernel
Apache Struts
Framework 2
HP
Adobe Flash
Player, Reader
Microsoft
WordPress 2
Source: Cisco Security Research
ICS-SCADA 11.6%
CMS 11.6%
Infrastructure 41.9%
Exploits
Application 32.6%
Alerts
6756
537
January
December
2012
2013
2014
Source: Cisco Security Research
Headline
Urgency
33695
35880
Credibility
Severity
Base
Temporal
5.0
5.0
10.0
7.4
35879
10.0
7.4
36121
7.5
6.2
32718
9.3
7.7
33961
9.3
7.7
28462
9.3
7.7
30128
10.0
8.3
(Total)
(7400)
(6200)
(6200)
(5300)
2011
2012
2013
New Alerts
2014
Updated Alerts
Source: Cisco Security Research
EMC (2)
Microsoft (13)
HP (13)
10
Log Volume
PDF
Flash
Silverlight
Dec. 2012
Jan. 2014
Silverlight
228%
Java
34%
7%
Flash
3%
Sep. 2014
Source: Cisco Security Research
11
56%
12
13
Top 10 (1-5)
magnitude
Top 10 (6-10)
magnitude
1.68
3.89
Legal
1.63
Manufacturing
2.53
1.51
Transportation
and Shipping
2.08
Insurance
1.49
Aviation
2.01
Utilities
1.42
14
Figure 10. Web Malware Attack Methods: Comparison of the Top Four and Bottom Four High-Risk Verticals
Adware
iFrame Injection OI
Clickfraud
15
Figure 11. Highest-Risk Verticals for Malware Exposure across AMER, APJC, and EMEA
AMER
magnitude
EMEA
magnitude
APJC
magnitude
Aviation
5.0
2.8
Insurance
6.0
2.8
2.0
Land Management
3.5
Accounting
2.4
Insurance
2.0
Automotive
3.4
Telecommunications
1.1
Manufacturing
1.6
and Shipping
3.2
Utilities
1.1
1.6
Manufacturing
2.4
IT and
Transportation
16
Attack Method
Total %
Attack Method
Total %
Script
24.93%
iFrame Injection
51.48%
iFrame Injection
17.43%
Script
15.17%
Exploit
13.63%
Exploit
8.64%
OI (detection malware)
10.35%
Scam
7.31%
Trojan
10.06%
OI (detection malware)
4.16%
Total %
Scam
25.26%
Script
25.04%
iFrame Injection
18.68%
OI (detection malware)
9.93%
Exploit
6.72%
Source: Cisco Security Research
17
11/13
7.00%
Other
Sender
1.00%
Marketing
Sender
8.00%
Snowshoe
Sender
0.00%
Freemail
Sender
6/14
12:00:00-15:45:00
18
Russia
United States
6.00%
(20% 11/14)
Korea, Republic of
1.00%
China
25.00%
(29% 11/14)
Taiwan
0.00%
India
Brazil
0.00%
(2% 11/14)
1.00%
(2% 11/14)
Increase
(1% 11/14)
Vietnam
2.00%
(1% 11/14)
(3% 11/14)
Decrease
259 BN/Day
Oct
Jan
Sep
Feb
Mar
Aug
Apr
Jul
May
Jun
Source: Cisco Security Research
19
Table 2. Threat Outbreak Alerts: Most Persistent Spam and Phishing Threats
IntelliShield ID
Headline
Version
24986
95
31819
88
30527
81
36121
80
23517
79
23517
78
27077
78
26690
78
Urgency
Credibility
Severity
20
Exfiltrates Browsing
and Other Information
Software Bundles
Add-On
Injects Ads into
Visited Web Pages
Contains Additional
Malicious Software
21
Linux
Microsoft IE
70
Companies
11
Months
1751
Max affected
Jan. 2014
Nov. 2014
Affected Users Per Month
Source: Cisco Security Research
22
Some of the domains have been active for more than a year,
but most have a much shorter lifecycleonly a few weeks,
in many cases (Figure 19). All of the domains share one
characteristic: They become popular very quickly.
568+ Unique
Domains
High Popularity
10 Have
Rankings Over Past 6 Months
couplose.com
couploss.com
coupvictory.com
couphomegame.com
mulctsamsaracorbel.com
unbentdilativecutpurse.com
yardarmsweatermothy.com
tollbahsuburban.com
optopti.net
pretool.net
June 2014
Nov. 2014
Alexa.com Traffic Rank:
<10,000
10,000-1,000,000
>1,000,000
Source: Cisco Security Research
23
15%
14%
9%
7%
8%
7%
Utilities
and
Energy
Chemical
Engineering
52%
48%
6%
Healthcare
6%
21%
3%
TelePharmaceutical
communications
2%
Agriculture
(250-999 Employees)
SecOps
Other
Researching &
Evaluating Solutions
Defining Requirements
(1000+ Employees)
83%
46%
Mining
78%
76%
Enterprise
Midmarket
1%
54%
CISO or
Equivalent
Setting Overall
Vision & Strategy
66%
Approving Budgets
81%
Areas of Security
Involvement
Making Final
Brand
Recommendations
79%
Implementing &
Managing Solutions
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
24
Why the gap in confidence levels? Its likely due to the fact that
CISOs are more removed from day-to-day security activities,
whereas SecOps staff are working closely to resolve both major
and minor security incidents. A CISO of a very large organization
might not realize that a thousand machines are infected by
malware in a typical day, whereas the SecOps manager would
have devoted much more time to mitigating the infection, hence
his or her less optimistic outlook on organizational security.
90%
54%
% Strongly agree that security processes are optimized now focus on process improvement:
Utilities/Energy & Telecommunications
62%
Government
52%
Financial
50%
Few differences emerge between enterprise and midmarket organizations, indicating that number of
employees alone has little to do with security sophistication.
Source: Cisco Security Capabilities Benchmark Study
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
25
Cisco explored several options for sample segmentation before selecting a five-segment solution based on
a series of questions targeting security processes. The five-segment solution maps fairly closely to the
Capability Maturity Model Integration (CMMI).
Level 5: Focus is
on process
improvement
Optimizing
High
Level 4: Processes
quantitatively
measured and
controlled
Quantitatively
Managed
Level 3: Processes
characterized for
the organization;
often proactive
Defined
Repeatable
Initial
Level 2: Processes
characterized for
projects; often
reactive
Level 1: Processes
are ad hoc,
unpredictable
Upper-Middle
Middle
Lower-Middle
Low
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
26
The high level of organizations with a security point person is encouraging: Without security leadership, process are less defined,
communicated and enforced. Its likely that recent high-profile security breaches have spurred on organizations to carve out
a place for security management in their executive ranks.
91%
SecOps
CISO or Equivalent
48%
62%
46%
59%
CISOs (and equivalent) are more optimistic than SecOps managers about the state of security in their
companies, perhaps because theyre further from day-to-day realities.
Source: Cisco Security Capabilities Benchmark Study
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
27
Less-sophisticated security organizations generally do not believe that executives consider security a high priority, nor do they
believe that security processes are clear and well-understood
Security-Sophisticated
Less-Sophisticated
91%
22%
88%
0%
78%
17%
32
Low
49
29
30
32
Lower-Mid
Middle
Upper-Mid
High
Beware of Overconfidence
While CISOs and SecOps managers are showing
confidence in their security operations, they also
indicate that they do not use standard tools that
can help thwart security breaches. Less than 50
percent of respondents use the following tools:
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
28
21%
None/All internal
51%
42%
41%
Monitoring
35%
Audit
34%
Incident Response
Remediation
NO 9%
123
63%
YES 91%
24%
15%
2%
1-9
8%
9%
10-19
20-29
18%
16%
7%
30-39
40-49
Government appears to outsource more security services than other industry groups.
Source: Cisco Security Capabilities Benchmark Study
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
29
About two-thirds of respondents say that their security technologies are up to date and frequently updated
64%
33%
3%
A significantly higher proportion of CISOs (70%) say their organizations infrastructure is very up to date, compared with SecOps managers (57%).
Telecommunications companies are most likely to say their security infrastructure is kept up to date.
Security27.
Threat
Defenses
Used
by Organizations
Figure
Security
Threat
Defenses
Used by Organizations
Various security threat defenses used by organizations in 2014.
Security Threat Defenses
Used by Organization
SecOps n=797
CISO n=941
CISO n=887
57%
64%
30%
39%
Web security
56%
62%
33%
41%
Email/messaging security
53%
58%
33%
41%
55%
55%
Encryption/privacy/data protection
52%
55%
Access control/authorization
55%
52%
24%
24%
Authentication
54%
51%
24%
22%
Mobility security
48%
54%
24%
32%
Secured wireless
47%
52%
22%
30%
Endpoint protection/anti-malware
45%
52%
24%
27%
Vulnerability scanning
44%
51%
24%
26%
VPN
49%
46%
25%
27%
43%
47%
16%
23%
39%
46%
Network forensics
41%
43%
38%
40%
Penetration testing
39%
37%
20%
19%
DDoS defense
35%
37%
Endpoint forensics
29%
33%
Thirteen percent of respondents say none of the security threat defenses used are administered through cloud-based
services. This is especially true for those in the healthcare, financial services, and pharmaceutical industries.
Source: Cisco Security Capabilities Benchmark Study
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
30
SecOps
n=1738
CISO n=941
n=797
Disagree/Agree/Strongly
Agree
Disagree/Agree/Strongly
Agree
11%
40%
49%
4%
38%
58%
9%
45%
46%
4%
36%
60%
10%
39%
51%
4%
34%
62%
6%
41%
53%
3%
31%
66%
8%
35%
57%
4%
32%
64%
10%
38%
52%
4%
32%
64%
9%
41%
50%
4%
35%
61%
SecOps
n=1738
CISO n=941
n=797
Disagree/Agree/Strongly
Agree
Disagree/Agree/Strongly
Agree
7%
42%
51%
3%
36%
61%
10%
41%
49%
4%
39%
57%
11%
40%
49%
3%
37%
60%
10%
43%
47%
3%
38%
59%
8%
39%
53%
4%
33%
63%
9%
38%
53%
3%
36%
61%
9%
40%
51%
3%
37%
60%
Security is well integrated into our organizations goals and business capabilities
10%
39%
51%
2%
34%
64%
15%
44%
41%
8%
42%
50%
More midmarket respondents strongly agree that they review and improve security practices regularly,
formally, and strategically over time compared to enterprise respondents.
Source: Cisco Security Capabilities Benchmark Study
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
31
Figure 29. Respondent Beliefs About Company Security Controls and Organizational Security Tools
Whilesecurity
securityprofessionals
professionals believe their organizations
a quarter
of of
respondents
While
organizations have
havegood
goodsecurity
securitycontrols,
controls,about
about
a quarter
respondents perceive
perceive
theirtools
security
be only somewhat
their
security
to betools
onlytosomewhat
effective. effective
SecOps
CISO n=941
n=797
Disagree/Agree/Strongly
Agree
Disagree/Agree/Strongly
Agree
15%
42%
43%
6%
40%
54%
11%
46%
43%
4%
39%
57%
We have good systems for verifying that security incidents actually occurred
11%
41%
48%
4%
36%
60%
10%
43%
47%
4%
37%
59%
10%
46%
44%
3%
40%
57%
9%
40%
51%
4%
35%
61%
Cyber risk assessments are routinely incorporated into our overall risk
assessment process
10%
37%
53%
4%
36%
60%
Significantly more utilities/energy respondents strongly agree with the statement we have well-documented
processes and procedures for incident response and tracking than professionals from most all other industries.
SecOps n=797
n=1738
Not at All or Not
Very Effective
Somewhat
Effective
Very
Effective
CISO n=941
Extremely
Effective
Somewhat
Effective
Very
Effective
Extremely
Effective
31%
44%
18%
22%
51%
25%
31%
45%
19%
23%
55%
21%
28%
46%
21%
21%
54%
24%
30%
44%
20%
24%
53%
22%
33%
44%
18%
27%
52%
20%
Security professionals in the transportation industry express less confidence in their organizations ability to
detect and defend against known security threats.
Source: Cisco Security Capabilities Benchmark Study
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
32
Figure 30. Processes Used to Analyze Compromised Systems and Eliminate Causes of Security Incidences
Security professionals are most likely to use firewall logs to analyze compromises, even though these logs do not usually
contain high-quality data or context for the information. For better analysis of compromises, security professionals should
view IDS and IPS logs, proxy, host-based intrusion prevention systems (HIPS), application logs, and NetFlow regularly.
It Security
is also surprising
to see
Correlated
Event/Log
Analysis
lower on the
list though
of toolsthese
usedlogs
to analyze
compromises.
professionals
arethat
most
likely to use
firewall logs
analyzewas
compromises,
even
do not usually
It contain
may mean
that the data
respondents
are
data
linking
sources
of data together,
whichprofessionals
can help provide more
high-quality
or context
fornot
thecorrelating
information.
Foror
better
analysis
of compromises,
security
should view
IDS/IPS
regularly
in-depth
analysis
of alogs
security
event.
SecOps
CISO
n=797
n=941
Firewall log
59%
62%
58%
60%
51%
58%
51%
54%
Registry analysis
48%
51%
44%
48%
40%
44%
Memory forensics
39%
43%
Disk forensics
38%
41%
38%
38%
36%
38%
Government respondents tend to report using more processes for analyzing compromised systems
than respondents from most other industries.
SecOps
CISO
n=797
n=941
55%
60%
55%
56%
51%
55%
Additional monitoring
51%
53%
Policy updates
50%
51%
47%
49%
46%
48%
43%
47%
CISOs and SecOps responses are consistent, with the exception of stop communication of malicious software.
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
33
Figure
31. CISOs and SecOps Responses on Post-Incident Controls
More CISOs report implementing additional, post-incident controls than do security operations professionals
More CISOs report implementing additional, post-incident controls than do security operations professionals.
Processes to Restore Affected Systems
SecOps
CISO
n=797
n=941
Implement additional or new detections and controls, based on identified weaknesses post-incident
55%
65%
59%
60%
53%
60%
Differential restoration
53%
58%
33%
36%
Telecommunications and utilities/energy respondents say they utilize gold image restoration
more than other industries.
SecOps
CISO
n=797
n=941
Operations
44%
48%
Technology partners
42%
47%
Engineering
38%
37%
Human resources
37%
35%
Legal
37%
35%
All employees
38%
33%
Manufacturing
31%
36%
Business partners
31%
33%
Marketing
30%
31%
Public relations
30%
27%
External authorities
25%
20%
Government agencies are significantly more likely to have clearly defined notification processes with more
constituent groups than other industries.
Source: Cisco Security Capabilities Benchmark Study
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
34
Most companies fit more sophisticated security profilesthis is true in all countries and industries
Segment Sizing
High
39%
Upper-Mid
23%
Middle
26%
Low-Mid
8%
Low
4%
Segment distribution varies by country, but more mature segments dominate in all
10%
3%
5%
44%
27%
2%
7%
1%
23%
34%
24%
1%
8%
43%
57%
8%
38%
13%
41%
25%
16%
35%
25%
25%
18%
United States
Brazil
Germany
Italy
United Kingdom
7%
3%
9%
30%
3%
36%
32%
7%
15%
7%
24%
54%
20%
14%
19%
16%
35%
Australia
High (38%)
29%
China
Upper-Mid (27%)
40%
India
Middle (22%)
Japan
Low-Mid (12%)
Low (4%)
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
35
Nearly half of telecommunications and utilities/energy organizations are classified into the highly sophisticated security segment
9%
3%
11%
25%
5%
39%
25%
28%
35%
Chemical
Engineering
9%
5% 3%
9%
5%
43%
22%
26%
23%
Financial
Services
Government
Healthcare
20%
13%
43%
21%
21%
6% 5%
3%
43%
20%
5%
31%
5%
28%
Non-Computer-Related
Manufacturing
1%1%
2%
35%
47%
26%
47%
25%
23%
32%
Pharmaceuticals
High (39%)
22%
Telecommunications
Upper-Mid (27%)
25%
25%
Transportation
Middle (24%)
Utilities/Energy
Low-Mid (13%)
Low (4%)
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
36
Large midsize organizations show a high level of sophistication in their security posture.
23%
4%
25%
4%
23%
23%
24%
32%
4%
5%
11%
37%
44%
Small Organizations
Midsize Organizations
High
Upper-Mid
Middle
38%
Enterprises
Low-Mid
Low
Segments reflect increasing levels of sophistication around the priority of security within the organization and how that translates
into processes and procedures.
Significantly more midsize organizations rate in the upper-mid and high levels than do small organizations and enterprises.
At least 60 percent fit more security-sophisticated profiles.
Source: Cisco Security Capabilities Benchmark Study
Cisco 2015 Annual Security Report | 2. Cisco Security Capabilities Benchmark Study
37
Cisco security, geopolitical, and policy experts identify current and emerging geopolitical
trends that organizations, particularly multinational companies, should monitor. These same
experts also examine recent and potential developments around the world related to the
issues of data sovereignty, data localization, encryption, and data compatibility.
Cybercrime Thriving in
Areas of Weak Governance
While CISOs and other security leaders may not always think
to pay close attention to geopolitical dynamics, they should,
especially if they work for a multinational organization. What
happens in the geopolitical landscape can have a direct impact
on global supply chains, and how the business manages
customer and employee data in different countries; it also can
create more legal and regulatory costs, risk of trade secret
theft, and physical and reputational risks.
Cybercrime is flourishing around the world, especially in areas
of weak governance. Eastern Europe, which has long been a
hotbed of organized crime, is one example. In areas of weak
governance, it is not unusual to find evidence of strong ties
between government intelligence services and organized
groups involved in cybercrime.
38
Access
Data Sovereignty
Data Localization
Data Encryption
39
Big Data
Internet of Things
Regulation
Expectations
Cloud Sharing
Consumer
Expectations
40
41
Cisco security experts suggest that it is time for enterprises to start looking differently at
how they approach cybersecurity so they can truly make their organizations more secure.
Strategies include considering new approaches to help align people, processes, and
technology, making security a topic at the corporate boardroom level, and adopting more
sophisticated security controls that can reduce the endpoint and attack surfaceand harden
the network after an attack.
Secure Access: Understanding Who Is on
Your Network, When, and How
CISOs and other security professionals are faced with
complex challenges regarding access to network information
and services. Thanks to the trends toward mobility and
bring-your-own-device (BYOD) policies, they must ensure
that employees can gain access to enterprise resources, no
matter where they happen to be, and no matter how they
join the network.
Security professionals also need to protect the network from
unapproved users or criminal attacks, and they must do so
in a way that doesnt impede access by legitimate users.
For example, virtual private networks (VPNs) used to be
the standard solution for providing network access control.
However, some VPNs call for complicated login procedures
by users as well as special software, limiting when and how
people join the network. In addition, many VPNs dont help IT
departments identify who is gaining access and from where,
nor can VPNs identify the devices in use. VPNs are evolving
to provide more visibility, while producing a more transparent
user experience in order to provide better endpoint security.
Network access controls (NACs) are evolving away from basic
security protection to more sophisticated endpoint visibility,
access, and security (EVAS) controls. Unlike older NAC
technologies, EVAS use more granular information to enforce
Cisco 2015 Annual Security Report | 4. Changing the View Toward Cybersecurity
42
Figure 39. The Evolution of Network Access Controls (NACs) to Endpoint Visibility, Access, and Security (EVAS) Controls
Device Profile
Feed Service
Network Telemetry
Who
What
Where
NAC Evolution
to EVAS
When
How
VPN Client
Mobile
Switch
Router
DC Switch
Wireless Controller
Cisco 2015 Annual Security Report | 4. Changing the View Toward Cybersecurity
43
Cisco 2015 Annual Security Report | 4. Changing the View Toward Cybersecurity
44
Cisco 2015 Annual Security Report | 4. Changing the View Toward Cybersecurity
45
About Cisco
Cisco 2015 Annual Security Report | 4. Changing the View Toward Cybersecurity
46
Appendix
Resources
6%
33%
61%
Completely Separate
Partially Within IT
All Within IT
Executives Title
Respondents who report executive with security responsibility; n=1465
29%
NO 9%
24%
16%
YES 91%
CISO
CSO
CIO
10%
CEO
9%
CTO
7%
4%
S.VP IT COO
1%
Other
Healthcare is less likely than other industries to identify an executive accountable for security.
47
Nearly two-thirds
executive
leadership
considers
security
a highapriority.
Nearly
two-thirdssay
saythat
that
executive
leadership
considers
security
high priority.
Executive Engagement
SecOps
n=1738
CISO
n=797
Disagree/Agree/Strongly
Agree
n=941
Disagree/Agree/Strongly
Agree
8%
34%
58%
3%
30%
67%
9%
39%
52%
2%
32%
64%
11%
44%
45%
4%
37%
59%
More respondents who report they have not had to manage public scrutiny of a security breach in the organization
strongly agree with executive leadership at my organization considers security a high priority.
High proportions
proportionsreport
report
security
processes
encourage
employee
participation.
High
security
processes
that that
encourage
employee
participation.
Security Processes
SecOps
n=1738
CISO n=941
n=797
Disagree/Agree/Strongly
Agree
Disagree/Agree/Strongly
Agree
12%
39%
49%
6%
40%
54%
13%
43%
44%
4%
39%
57%
11%
34%
55%
4%
36%
60%
13%
39%
48%
4%
37%
59%
14%
40%
46%
3%
40%
47%
13%
40%
47%
4%
35%
61%
12%
42%
46%
4%
36%
60%
Security professionals from midmarket organizations tend to express higher levels of agreement with security
process items than do enterprise professionals.
48
NO 10%
17%
1%
82%
79%
Third-party contractors
38%
Human resources
25%
Other employees
10%
Other
1%
Fifteen percent of financial services professionals say security training is not offered regularly.
15%
Financial
Services
NO 11%
NO 36%
YES 89%
YES 64%
49
Over half of respondents say their organization has had to manage public scrutiny of a security breach.
NO 46%
YES 54%
On-premise hosting of the organizations networks is most common; fewer than one in 10 report they are hosted in a public cloud.
23%
On-Premise
Third-Party
54%
On-Premise
50%
On-Premise
Private Cloud
Where Are
Where
Networks Hosted?
Networks
n=1727
8%
Off-Premise
Public Cloud
18%
Off-Premise
Private Cloud
Significantly more SecOps respondents say off-premise hosting (both private and public cloud) is
used in their organization, compared to CISOs.
50
Sophistication
Segments vary predictably on many measures of security sophistication
Low
Low-Mid
Middle
Upper-Mid
High
22%
38%
45%
71%
81%
17%
19%
32%
52%
79%
0%
22%
15%
72%
88%
0%
17%
33%
65%
76%
0%
17%
33%
65%
76%
16%
27%
36%
52%
76%
17%
26%
40%
58%
73%
17%
21%
41%
63%
80%
17%
21%
38%
59%
78%
0%
23%
25%
63%
70%
Low
Low-Mid
Middle
Upper-Mid
High
85%
91%
88%
93%
93%
59%
47%
58%
65%
60%
47%
44%
50%
59%
54%
51
Endnotes
1.
2.
3.
4.
5.
marco-civil-da-internet-brazils-new-internet-law-could-broadlyimpact-online-companies-privacy-and-data-handling-practices/.
10. Russian data localization law may now come into force one year ahead of
schedule, in September 2015, by Hogan Lovells, Natalia Gulyaeva, Maria
Sedykh, and Bret S. Cohen, Lexology.com, December 18, 2014:
http://www.lexology.com/library/detail.aspx?g=849ca1a9-2aa242a7-902f-32e140af9d1e.
11. GCHQ Chief Accuses U.S. Tech Giants of Becoming Terrorists Networks
of Choice, by Ben Quinn, James Ball, and Dominic Rushe, The Guardian,
November 3, 2014: http://www.theguardian.com/uk-news/2014/
nov/03/privacy-gchq-spying-robert-hannigan.
12. Internet Security Necessary for Global Technology Economy, by Mark
internet-security-necessary-for-global-technology-economy.
products-and-mitigations
13. Cybersecurity: What the Board of Directors Needs to Ask, ISACA and
The Institute of Internal Auditors Research Foundation, August 2014:
http://www.isaca.org/Knowledge-Center/Research/
ResearchDeliverables/Pages/Cybersecurity-What-the-Board-of-
com/2014/08/28/technology/hackers-target-banks-including-
Directors-Needs-to-Ask.aspx.
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_
security/openssl-heartbleed-vulnerability-cve-2014-0160-cisco-
7.
Brazils New Internet Law Could Broadly Impact Online Privacy and Data
6.
9.
14. Its Time for Corporate Boards to Tackle Cybersecurity. Heres Why,
by Andrew Nusca, FORTUNE magazine, April 25, 2014:
http://fortune.com/2014/04/25/its-time-for-corporate-boards-totackle-cybersecurity-heres-why/.
52
Americas Headquarters
Cisco Systems Inc.
San Jose, CA
Europe Headquarters
Cisco Systems International BV
Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco
trademarks, go to www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners, The use of the word partner
does not imply a partnership between Cisco and any other company. (1110R)