Professional Documents
Culture Documents
Cisco 2016 ASR
Cisco 2016 ASR
Executive Summary
Executive Summary
INDUSTRY INSIGHTS
This section examines security trends affecting enterprises,
including the growing use of encryption and the potential
security risks it presents. We look at the weaknesses in
how small and midsize businesses (SMBs) are protecting
their networks. And we present research on enterprises
relying on outdated, unsupported, or end-of-life software
to support their IT infrastructure.
SECURITY CAPABILITIES BENCHMARK STUDY
This section covers the results of Ciscos second Security
Capabilities Benchmark study, which focused on security
professionals perceptions of the state of security in their
organizations. In comparing 2015 survey results with
those of 2014, Cisco found that chief security officers
(CSOs) and security operations (SecOps) managers are
less confident that their security infrastructure is up to
date, or that they are able to thwart attacks. However,
the survey also indicates that enterprises are stepping
up training and other security processes in a bid to
strengthen their networks. The studys findings are
exclusive to the Cisco 2016 Annual Security Report.
A LOOK FORWARD
This section offers a view of the geopolitical landscape
affecting security. We discuss findings from two
Cisco studiesone examining executives concerns
about cybersecurity, and the other focusing on IT
decision-makers perceptions about security risk and
trustworthiness. We also give an update on our progress
in reducing time to detection (TTD), and underscore
the value of moving to an integrated threat defense
architecture as a way to combat threats.
Table of Contents
Table of Contents
EXECUTIVE SUMMARY........................................... 2
INDUSTRY INSIGHTS...........................................29
MAJOR DEVELOPMENTS
AND DISCOVERIES................................................. 4
A LOOK FORWARD..............................................55
ABOUT CISCO.....................................................64
APPENDIX................................................................... 68
Threat Intelligence
Major Developments
and Discoveries
Major Developments
and Discoveries
Threat Intelligence
Threat Intelligence
Threat Intelligence
Threat Intelligence
Cisco has assembled and analyzed a global set of telemetry data for
this report. Our ongoing research and analysis of discovered threats,
such as malware traffic, can provide insights on possible future criminal
behavior and aid in the detection of threats.
Featured Stories
Industry Collaboration Helps Cisco Sideline Far-Reaching and
Highly Profitable Exploit Kit and Ransomware Campaign
The Angler exploit kit is one of the largest and most
effective exploit kits on the market. It has been linked to
several high-profile malvertising (malicious advertising) and
ransomware campaigns. And it has been a major factor
in the overall explosion of ransomware activity that our
threat researchers have been monitoring closely for the
past several years. Miscreants use ransomware to encrypt
users files, providing the keys for decryption only after
users pay a ransomusually in the $300 to $500 range.
As reported in the Cisco 2015 Midyear Security Report,
cryptocurrencies like bitcoin and anonymization networks
such as Tor make it easy for adversaries to enter the
malware market and quickly begin generating revenue.
Ransomwares rise in popularity can be tied to two main
advantages: It is a low-maintenance operation for threat
actors, and it offers a quick path to monetization because
the users pay adversaries directly in cryptocurrencies.
Through research of Angler and related ransomware trends,
Cisco determined that some operators of the exploit kit were
using an inordinate percentage of worldwide proxy servers for
Angler that were on servers operated by Limestone Networks.
This server use is a prime example of another trend that our
researchers have been observing in the shadow economy
of late: threat actors commingling legitimate and malicious
resources to carry out their campaigns.
SHARE
12
10
15
20
31
July 2015
Source: Cisco Security Research
10
Threat Intelligence
SHARE
5
6
July 2015
Figure X.
Provider, July
July 2015
2015
Figure
3. Angler
Angler HTTP
HTTP Requests by Provider,
Provider A
(Limestone Networks)
Provider B
(Hetzner)
75% of all
measured
traffic
Provider C
Provider D
Provider E
Provider F
Provider G
Provider H
Provider I
Provider J
Provider K
Provider L
Number of Requests
6000
10,000
11
Threat Intelligence
15
31
July 2015
Source: Cisco Security Research
Adobe Patches Hacking Teams Flash Player Zero-Day, by Eduard Kovacs, SecurityWeek, July 8, 2015:
http://www.securityweek.com/adobe-patches-hacking-teams-flash-player-zero-day.
12
Angler Revenue
9K
40
147
90K
10
147
served exploits
of users being
served exploits
were compromised
unique IP addresses
compromised
were served exploits
in a single day
90K
%
40%
redirection
servers
targets
per
monthper day
targets
per server
per day
Threat Intelligence
62
delivered
ransomware
X 2.9
2.9%
of ransoms paid
redirection
ransoms
9515 users are paying ransomsofper
month
servers
paid per day
300
average ransom
300
average ransom
62%
of Angler infections
delivered ransomware
== 34M
$
34M
SHARE
13
Threat Intelligence
Requests
page
Referred to
proxy server
User
Rollup of log
data pushed to
master server
Status Server
Master Server
Cisco also discovered that the servers that the users were
connecting to did not actually host any of the malicious
Angler activity. They were serving as a conduit. A user
would get into the redirection chain and submit a GET
request for a landing page, which would land on the proxy
server. The proxy server would route the traffic to an exploit
server in a different country, on a different provider. During
our research, we found that a single exploit server was
associated with multiple proxy servers. (See Figure 5.)
Cisco identified a status server that was handling tasks
such as health monitoring. Every single proxy server that
the status server was monitoring had a pair of unique URLs.
If the path was queried, the status server would return
an HTTP status code 204 message. The adversaries
could uniquely identify each proxy server and make sure
it not only was operating, but also that defenders had not
tampered with it. Using the other URL, the attackers could
collect the logs from the proxy server and determine how
efficiently their network was operating.
Industry collaboration was a critical component in Ciscos
ability to investigate the Angler exploit kit activity. Ultimately,
it helped stop redirects to the Angler proxy servers on
a U.S. service provider and bring awareness to a highly
sophisticated cybercrime operation that was affecting
thousands of users every day.
SHARE
Threat Intelligence
UNIQUE THREAT
The SSHPsychos DDoS network is a unique threat for
several reasons. Because it enlists tens of thousands of
machines distributed across the Internet, it has the power
to launch a distributed denial of service (DDoS) attack
that cannot be addressed on a device-by-device basis. In
this case, the botnet was being created using brute-force
attacks involving secure shell (SSH) traffic (Figure 6).
The SSH protocol is used to allow secure communications,
and it is commonly used for the remote administration of
systems. At times, SSHPsychos accounted for more than
35 percent of all global Internet SSH traffic (Figure 7),
according to analysis by Cisco and Level 3.
SHARE
Scanners completing
successful logins
SSH brute-force attempts
(300K unique passwords)
Target Network
Malware Host
Figure
X.AtAtItsPeak,
Accounted
of of
Internet
SSH Traffic
Figure 7.
Peak,SSHPsychos
SSHPsychos Accounted
forfor
35 35%
Percent
Global Internet
Traffic
Brute-Force Attempts
150K
100K
50K
Feb.
SSHPsychos 103.41.124.0/23
Mar.
SSHPsychos 103.41.125.0/23
Apr.
SSHPsychos 43.255.190.0/23
15
Brute-Force Attempts
Cisco Collaborating
with Level 3
Threat Intelligence
180K
40%
120K
0.3%
60K
Browser Infection Detection
0
June
Source: Cisco Security Research
July
0
Jan.
Apr.
Jul.
Oct.
2015
Source: Cisco Security Research
16
Threat Intelligence
Apr.
May
Jun.
Jul.
Aug.
Sep.
Oct.
2015
Gamarue
Bedep
Miuref
Vawtrak
Cryptowall
Other
17
0
Apr.
May
Jun.
Jul.
Aug.
Sep.
Oct.
2015
Multipurpose Botnets
Click-Fraud Botnets
Banking Trojans
Ransomware
100
100
Comparison of
Botnet Infections
200
% of Botnet Types
Apr.
May
Jun.
Jul.
Aug.
Sep.
Oct.
2015
Gamarue
Bedep
Vawtrak
Cryptowall
Miuref
SHARE
18
Threat Intelligence
The DNS Blind Spot: Attacks Using DNS for Command and Control
Ciscos analysis of malware validated as known bad
found that the majority of that malware91.3 percentuse
the Domain Name Service in one of these three ways:
To gain command and control
To exfiltrate data
To redirect traffic
To arrive at this percentage, we mined all sample behaviors
from a variety of sandboxes that we own. Malware that was
determined not to use DNS in any way, or that simply used
DNS to conduct Internet health checks, was removed
from the sample for analysis. The remaining malware was
using DNS to connect to sites that were validated as bad or
were considered suspicious.
Despite adversaries reliance on DNS to help further malware
campaigns, few companies are monitoring DNS for security
purposes (or monitoring DNS at all). This lack of oversight
makes DNS an ideal avenue for attackers. According to a
recent survey we conducted (see Figure 13), 68 percent of
security professionals report that their organizations do
not monitor threats from recursive DNS. (Recursive DNS
nameservers provide the IP addresses of intended domain
names to the requesting hosts.)
Figure X.
Monitoring Threats via Recursive DNS
91.3%
of malware uses
DNS in attacks
68%
of organizations
dont monitor
recursive DNS
19
Threat Intelligence
TwoYear Comparison
500
4/5
4/5
3/5
3/5
30
Sep. 2013
Sep. 2015
Flash
Java
Threat Intelligence
14%
36,681
Facebook Scams
31,627
JavaScript
14,816
5070
Windows Binaries
4911
3798
Phishing
3726
iFrame
3552
JavaScript Obfuscation
3383
Redir
3261
Jan.
Flash
Nov.
Adobe News: Flash, HTML5 and Open Web Standards, Adobe, November 30, 2015:
http://blogs.adobe.com/conversations/2015/11/flash-html5-and-open-web-standards.html.
21
Figure X.
Sample of Lower-Volume Malware Observed
Threat Intelligence
35
15
10
JavaScript Blackhole
Windows Trojan
Suspicious PDFs
Trojan Downloader
Windows Hoax
Windows Backdoor
iFrame
Windows Worm
22
Threat Updates
ADOBE FLASH TOPS VULNERABILITIES LIST
The Adobe Flash platform has been a popular threat vector
for criminals for several years. Flash vulnerabilities still
turn up frequently on lists of high-urgency alerts. In 2015,
the good news was that the vendors of products in which
these exploits commonly occur, such as web browsers,
recognized this weakness and are now taking steps to
reduce opportunities for adversaries.
In 2016, criminals are most likely to focus their exploits
and attacks on Adobe Flash users. Some of these Flash
vulnerabilities have exploits available online either publicly
or for sale as part of exploit kits. (As noted on page 21, the
volume of Flash-related content has declined, but Flash
Figure X. Total Number of CVEs by Vendor
remains a primary exploitation vector.)
Threat Intelligence
SHARE
400
200
SA
P
Ap
ac
he
Si
em
en
Fe s
Pr do
oj ra
ec
W t
ire
sh
ar
k
Lin
ux
Re
d
Ha
t
EM
C
IB
M
Go
og
le
M
oz
illa
W
or
dP
re
ss
No
ve
(C U ll
an bu
on nt
ica u
l)
De
bi
an
Ap
pl
e
O
ra
cle
M
icr
os
of
t
Ci
sc
o
Ad
ob
e
HP
Number of CVEs
600
20
15
10
Cisco
23
Threat Intelligence
Flash Vulnerabilities
Other Vulnerabilities
Angler
Magnitude
Nuclear Pack
Neutrino
Rig
Nuclear
Fiesta
Sweet Orange
NullHole
Hanjuan
Flash EK
Public Exploits
CVE-2015
- 0310
0311
0313
0336
0359
1671
2419
3090
3104
3105
3113
5119
5122
5560
7645
24
Threat Intelligence
Electronics
8
6
4
2
1
Healthcare
2
Banking
1
and Finance
Energy, Oil,
and Gas
2
1
2
Manufacturing 1
Agriculture
and Mining
Education
2
1
Automotive
2
1
Legal
2
1
Retail and
Wholesale
Insurance
4
2
1
Charities
and NGO
4
2
1
Real Estate
2
and Land Mgmt. 1
Utilities
4
2
1
Media and
Publishing
4
2
1
Aviation
4
2
1
Travel and
Leisure
4
2
1
Food and
Beverage
4
2
1
Transportation
and Shipping
4
2
1
IT Telecom.
2
1
Accounting
4
2
1
4
2
1
Engineering and 2
1
Construction
Entertainment
4
2
1
Heating,
Plumbing,
and A/C
Government
Industrial
8
6
4
2
1
Nov.
2014
Nov.
2014
Professional
Services
Sept.
2015
8
6
4
2
1
Sept.
2015
Nov.
2014
8
6
4
2
1
4
2
1
2
1
Pharmaceutical 2
1
and Chemical
Sept.
2015
4
2
1
Nov.
2014
Sept.
2015
25
Threat Intelligence
Government
8
4
0
-2
-8
Electronics
8
4
0
-2
-8
Healthcare
8
4
0
-2
-8
Professional
Services
8
4
0
-2
-8
Banking
and Finance
2
0
-2
Energy, Oil,
and Gas
2
0
-2
Manufacturing 0
Agriculture
and Mining
2
0
-2
Education
2
0
-2
Automotive
2
0
-2
Legal
2
0
-2
Retail and
Wholesale
2
0
-2
Insurance
2
0
-2
Charities
and NGO
2
0
-2
Real Estate
and Land Mgmt.0
Utilities
2
0
-2
Media
0
and Publishing
Food and
Beverage
2
0
-2
Transportation 0
and Shipping -2
Industrial
2
0
-2
Engineering and
0
Construction
Nov.
2014
2
-2
-2
-2
2
0
-2
Travel and
Leisure
2
0
-2
IT Telecom.
2
0
-2
Accounting
2
0
-2
Heating,
Plumbing,
and A/C
2
0
-2
Entertainment 0
-2
Nov.
2014
-2
Aviation
Sept.
2015
Pharmaceutical
0
and Chemical
-2
Sept.
2015
Nov.
2014
Sept.
2015
Nov.
2014
Sept.
2015
SHARE
26
Threat Intelligence
Figure
X. Web
BlocksbybyCountry
Country
or Region
Figure 23.
Web Blocks
or Region
Denmark 1
Canada 1.5
United States 1
Germany 1.5
France 2
Russia 1
Poland 1.5
China 4
Japan 1
Hong Kong 9
27
Threat Intelligence
Note that Hong Kong saw higher than normal web block
activity beginning in the spring of 2015, as did France.
Both have since experienced a significant drop in web
block activity, but because the higher rates of activity earlier
this year were so far above the baseline, the recent decline
in activity still leaves Hong Kong quite higher by the end
of the year than at the start. The spike in block activity in
France returned to normal levels by midsummer.
France
China
5
3
1
0
Germany
9
7
5
3
1
0
Italy
21
19
17
15
13
11
9
7
5
3
1
0
Nov.
2014
Hong Kong
Feb.
Apr.
Jun.
2015
Aug.
Oct.
5
3
1
0
9
7
5
3
1
0
21
19
17
15
13
11
9
7
5
3
1
0
Nov.
2014
Feb.
Apr.
Jun.
2015
Aug.
Oct.
28
Threat Intelligence
Industry Insights
29
Industry Insights
Industry Insights
SHARE
Figure
SSLPercentages
Percentages
Figure 25.
X.SSL
Percentage of Traffic
60
40
% Total Bytes
57%
46%
% HTTPS Requests
33.56%
20
24%
Jan.
2015
Oct.
30
Industry Insights
% Delta
50%
36%
Webpage Translation
32%
Photo Search/Images
27%
Gambling
26%
Pornography
25%
Internet Telephony
Streaming Video
Online Communities
19%
17%
14%
Personal Sites
14%
Reference
13%
Illegal Downloads
13%
Illegal Drugs
12%
11%
10%
10%
Web-Based Email
10%
Adult
8%
Advertisements
8%
Mobile Phones
8%
SHARE
31
Industry Insights
ads.yahoo.com
maps.googleapis.com
platform.twitter.com
pixel.adsafeprotected.com
au.download.windowsupdate.com
c2s-openrtb.liverail.com
2650%
Encrypted
12 Hosts
5175%
Encrypted
12 Hosts
ad.doubleclick.net
0.2mdn.net
www.google.com
googleads.g.doubleclick.net
76100%
Encrypted
32
Hosts
crl.microsoft.com
http.00.s.sophosxl.net
025%
Encrypted
44
Hosts
ads.adaptv.advertising.com
ad4.liverail.com
ib.adnxs.com
v4.moatads.com
ping.chartbeat.net
www.google-analytics.com
outlook.office365.com
hangouts.google.com
% Encrypted
b.scorecardresearch.com
pagead2.googlesyndication.com
0-25%
26-50%
51-75%
76-100%
Entropy: In computing, entropy (lack of order or predictability) is the randomness collected by an operating system or application for use in
cryptography or other uses that require random data.
32
Industry Insights
Internet Data
82%
70%
53%
36%
37%
52%
50%
14%
University 1
University 2
Hospital
ISP
Sep.
212
Jul.
181
Jan.
May
128
83
Feb.
73
235
Aug.
123
Mar.
Oct.
171
Jun.
Apr.
114
82
33
Industry Insights
The malware used these lists to find working commandand-control servers, allowing the malware to operate even
if a compromised server failed. Researchers also identified
malware downloaders that contained a list of WordPress
sites storing payloads. If one download site was not working,
the malware went to the next one and downloaded malicious
payloads from the working WordPress server.
Figure
X. How
CryptowallSites
Ransomware
uses hacked WordPress servers for Command and Control
Figure 29.
How WordPress
Are Compromised
1
2 Flash Exploit
!
5
SHARE
Cryptowall Encrypts
Documents
!
!
34
Industry Insights
Years
5
4
3
2
1
0
Ai
rp
or
t
C
om
m
s.
Dr
ug
M
fg
.
En
te
rp
ris
e
Fi
na
nc
ia
He
l
al
th
ca
re
In
su
ra
nc
e
Re
ta
il
Se
Pr rv
ov ice
id
er
Te
le
co
m
.
19.9
16.3
15.7
15
10
Telecom.
Retail
4.8
0.6
Comms.
Airport
Drug Mfg.
Insurance
Enterprise
35
Industry Insights
Figure
AnnualAlert
AlertTotals
Totals
Figure X.
32.Cumulative
Cumulative Annual
6K
Total Alerts
8K
4K
2K
0
Jan.
Dec.
SHARE
36
Industry Insights
SHARE
2015
861
681
76
37
42
270
220
269
201
CWE-264: Permissions,
Privileges, and Access Control
CWE-200: Information
Leak/Disclosure
CWE-79: Cross-Site
Scripting (XSS)
50
36
45
(Increase)
CWE-352: Cross-Site
Request Forgery (CSRF)
42
12
27
22
191
35
20
120
26
CWE-78: OS Command
Injections
10
(Increase)
CWE-16: Configuration
Judging from the results of the Cisco 2014 Security Capabilities Benchmark Study, SMBs are using fewer processes
to analyze compromises and fewer threat defense tools
than they used last year. For example, 48 percent of SMBs
said in 2015 that they used web security; 59 percent said they
did in 2014. Only 29 percent said they used patching and configuration tools in 2015, compared with 39 percent in 2014.
In addition, of the SMB respondents that do not have an
executive responsible for security, nearly one-quarter do
not believe their businesses are high-value targets for online
criminals. This belief hints at overconfidence in their businesss
ability to thwart todays sophisticated online attacksor, more
likely, that attacks will never happen to their business.
37
Industry Insights
eliminate
causes
of an Obstacles
incident, and restore systems
Figure
X.the
SMB
Biggest
Company Size
250-499 500-999
1000-9999
10,000+
Budget Constraints
40%
39%
39%
41%
Compatibility Issues
with Legacy Systems
34%
30%
32%
34%
Competing Priorities
25%
25%
24%
24%
2015
Mobile Security
52%
42%
Secured Wireless
51%
41%
Vulnerability Scanning
48%
40%
VPN
46%
36%
35%
Penetration Testing
38%
32%
Network Forensics
41%
29%
39%
29%
Endpoint Forensics
31%
23%
Source: Cisco
Security
Study
Figure
X. 2015
SMBs
UseCapabilities
FewerBenchmark
Security
Processes than Large Enterprises
Figure 35. SMBs Use Fewer Security Processes than Large Enterprises
Which of These ProcessesIf AnyDoes Your Organization Use to Analyze Compromised Systems?
1000-9999
10,000+
Company Size
250-499
500-999
Memory Forensics
36%
36%
35%
34%
43%
47%
52%
53%
34%
34%
40%
42%
40%
32%
34%
39%
47%
51%
55%
59%
Registry Analysis
43%
47%
52%
53%
IOC Detection
31%
34%
37%
36%
What Processes Does Your Organization Use to Restore Affected Systems to Pre-Incident Operational Levels?
Patch and Update Applications Deemed Vulnerable
51%
53%
57%
60%
49%
55%
57%
61%
38
Industry Insights
Organizatio
(Explanatio
with Direct
Yes
Company Size
SMBs are less likely than large enterprises to have dealt with
Ta
250-499
500-999
1000-9999
10,000+
89%
93%
92%
92%
250-49
a public X.SMBs
security breach,
probably
a result
of their smaller
Figure
Do Not
Perceive
Themselves
as High-Value Targets
Figure 11%
X.SMBs Do Not
Perceive Themselves
as
High-Value Tar
22
7%
8%
8%
footprint from a network standpoint. While 52 percent of
enterprises with more than 10,000 employees have managed
Figure X. SMBs Report Fewer Public Breaches;
the aftermath of a public security breach, only 39 percent of
Less Likely than Enterprises to Initiate
businesses with fewer than 500 employees have done so.
Changes in Response
to Manage
a Public
Security
Breach Who
IsHad
There
an Executive
at Your
Organization
Has Direct Responsibility and Accountability for Security?
Yes
No
Company Size
39%
250-499
11%
52%
500-999
1000-9999
7%
8%
89%SMB 250-49993%
92% 10,000+
Enterprise
SHARE
78%
10,000+
8%
92%
250-499
250-499
22%
11%
78%
89%
500-999
500-999
26%
7%
74%
93%
1000-9999
1000-9999
13%
8%
87%
92%
10,000+
10,000+
17%
8%
83%
92%
Organizatio
(Explanatio
with Direct
Yes
250-499
22
78%
39
Industry Insights
Figure 39.
More SMBs
Security
Services in 2015
Figure
X. More
SMBsOutsource
Outsource
in 2015
When it Comes to Security, Which of the Following Types of Services, if Any, Are Outsourced Fully or in Part to Third Parties?
Company Size
250-499
500-999
1000-9999
10,000+
46%
51%
54%
55%
Monitoring
45%
46%
42%
44%
Auditing
42%
46%
46%
56%
Incident Response
39%
44%
44%
40%
Threat Intelligence
35%
37%
42%
41%
Remediation
33%
38%
36%
36%
None
18%
12%
11%
10%
Why Does Your Organization (SMB 250-499) Choose to Outsource This/These Service(s)?
More Cost-Efficient
Desire for
Unbiased Insight
Lack of Internal
Experience
55%
45%
45%
30%
31%
SHARE
40
Industry Insights
41
42
2015 (n=2432)
51%
Audit
41%
Monitoring
42%
44%
42%
39%
N/A
Remediation
None/Internal
36%
34%
21%
47%
35%
Incident Response
Threat Intel.
52%
Figure 41.
Off-Premises Hosting
Rise
Figure
X. Off-Premise
Hostingon
onthe
the
Rise
On-Premises Hosting of the Organizations Networks is Still
the Most Common; However, Off-Premises Hosting Has
Increased Since Last Year
2014 (n=1727)
2015 (n=2417)
On-Premises as Part of
a Private Cloud
12%
50%
On-Premises
Why Are These Services Outsourced?
51%
54%
48%
2015 (n=1129)
53%
More CostEfficient
49%
46%
31%
31%
23%
18%
8%
24%
20%
10%
43
39%
32%
Compatibility Issues
2015 (n=2432)
Lack of Knowledge
23%
Organizational Culture/Attitude
23%
Certification Requirements
25%
22%
Competing Priorities
24%
22%
24%
20%
ASeparate
Minority of
Organizations
Still Have Security Budgets that Are
Security
Budgets
Completely Separate From it, but Incidence Has Increased.
Is the Security Budget Part of the IT Budget?
2014 (n=1720)
2015 (n=2417)
$
Completely Separate
(n=2432)
48%
6%
9%
$
Partially Within IT
33%
33%
All Within IT
61%
58%
43%
39%
38%
38%
Middle
Upper-Mid
High
SHARE
Low
Lower-Mid
44
Already Certified
7%
31%
70%
70%
67%
65%
64%
63%
63%
Financial Services
Telecommunications
Healthcare
Government
Utilities/Energy
Other Industry
63%
58%
57%
46%
44%
36%
Figure 46. Firewalls and Data Loss Prevention Are Most Commonly Used Security Tools
Defenses Administered Through CloudBased Services (Security Respondents
Who Use Security Threat Defenses)
Security Threat Defenses Used by Organization
2014 (n=1738)
Firewall*
N/A
2015 (n=2432)
2014 (n=1646)
65%
2015 (n=2268)
31%
55%
56%
Authentication
52%
53%
Encryption/Privacy/Data Protection
53%
53%
Email/Messaging Security
56%
52%
37%
34%
Web Security
59%
51%
37%
31%
60%
N/A
35%
*Firewall and intrusion prevention were one code in 2014: Network security, firewalls, and intrusion prevention.
Source: Cisco 2015 Security Capabilities Benchmark Study
45
Figure
Off-Premise Hosting on the Rise
SecurityX.Policies
Nearly Two-Thirds are Already Certified on a Standardized
Security Policy or Practice.
Security Standards
Figure
SHAREX. Confidence is Lower in 2015
52%
52%
54%
1%
66%
59%
38%
1%
Figure
Confidence
Is Confident
Lower inthat
2015
In 2015, 48.
Companies
are Less
Their Security Infrastructure is Up-to-Date; Budget is the Top Barrier to Upgrades.
2014 (n=1738)
2015 (n=2432)
64%
59%
33%
37%
3%
5%
As a sign that confidence is on the decline, security professionals show slightly less confidence in their technologies. In
2014, 64 percent said their security infrastructure was up to
date and constantly upgraded. In 2015, that number dropped
to 59 percent (Figure 48). Also, in 2014, 33 percent said their
organizations were not equipped with the latest security tools;
that number rose to 37 percent in 2015.
46
Strongly Disagree
Disagree
Agree
Strongly Agree
59%
45
51
46
45
Security Policies
2 5
Disagree
Agree
35
Strongly Agree
58
2014
n=1738
93
96
2015
n=2432
1 4
42
54
SHARE
47
Security Controls
Strongly Disagree
2014
n=1738
2015
n=2432
Disagree
1 6
Agree
Strongly Agree
38
54
92
95
1 5
41
54
SHARE
Strongly Disagree
Security Operationalization
2014
n=1738
2015
n=2432
2014
n=1738
2015
n=2432
2014
n=1738
2015
n=2432
1 4
Disagree
Agree
38
Strongly Agree
56
94
96
1 4
2
40
56
38
56
94
95
1 4
2
43
9
52
43
36
89
91
1
46
45
48
Figure X. One-Fourth of Enterprises Believe Security Tools Are Only Somewhat Effective
Figure 53. One-Fourth of Enterprises Believe Security Tools Are Only Somewhat Effective
Similar to Last Year, Over a Quarter Perceive Their Security Tools to be Only Somewhat Rather Than Very or Extremely Effective
Effectiveness of Security Tools
Not at All
2014
n=1738
2015
n=2432
2014
n=1738
2015
n=2432
2014
n=1738
2015
n=2432
2014
n=1738
2015
n=2432
2014
n=1738
2015
n=2432
0 3
Not Very
Somewhat Effective
24
Very
50
Extremely
23
73
75
0 2
0
23
51
27
24
49
21
70
70
0 2
1 3
28
27
49
21
51
20
71
70
0 2
1 4
28
26
50
48
20
22
70
69
0 2
0 3
29
30
50
48
19
19
67
68
0 2
30
49
19
Similar to the respondents in 2014, more than one-fourth of the security professionals in 2015 said they perceive their security
tools to be only somewhat effective (Figure 53).
49
2014
53%
Yes
2015
VS
48%
Yes
Not Very
10%
Somewhat
42%
A Lot
47%
Figure X.
More Organizations Conduct Security Training
SHARE
43%
Source: Cisco 2015 Security Capabilities Benchmark Study
50
Level
Optimizing
High
Quantitatively
Managed
Upper
Middle
Defined
Middle
Repeatable
Lower
Middle
Initial
Low
Which of the Following Do You Consider the Biggest Obstcles to Adopting Advanced Security Processes and Technology?
Sophistication Level
Low
LowerMiddle
Budget Constraints
Upper Management
Buy-In
Competing Priorities
Lack of Trained
Personnel
41%
14%
Compatibility Issues
with Legacy Systems
Competing Priorities
27%
21%
27%
20%
21%
28%
14%
Organizational Culture
Attitude About Security
Reluctant to Purchase
Until They Are Proven
in the Market
20%
31%
17%
31%
12%
23%
25%
36%
UpperMiddle
48%
19%
Lack of Knowledge
About Adv. Security
Processes and Tech
Middle
23%
39%
20%
26%
22%
25%
High
38%
22%
26%
19%
23%
29%
34%
26%
27%
22%
25%
24%
25%
25%
25%
38%
19%
22%
23%
22%
33%
25%
22%
19%
22%
51
SecuritySecurity
Capabilities
Benchmark
Study
Figure X. Gauging
Maturity
by
Infrastructure and Industry
Constant Update,
Latest Tech
Financial Services:
Banking, Insurance
Non-ComputerRelated
Manufacturing
Transportation
Pharmaceuticals
Other
Utilities/Energy
Chemical
Engineering
Manufacturing
Regular Upgrade
Cadence
Telecommunications
Government
Healthcare
Middle
Mining
Upper Middle
High
SHARE
Figure 59. Maturity Levels by Industry
Segment Distribution by Industry
Low
Sophistication Level
Utilities/Energy
1%
Transportation
1%
Telecommunications
2%
Pharmaceutical
2%
Non-ComputerRelated Manufacturing
1%
10%
Healthcare
1%
10%
Government
3%
Financial Services
1%
Chemical Engineering
1%
15%
5%
LowerMiddle
26%
3%
10%
6%
34%
30%
28%
26%
21%
32%
20%
High
23%
46%
28%
30%
10%
UpperMiddle
28%
28%
11%
Middle
21%
22%
22%
25%
26%
33%
33%
44%
32%
37%
34%
38%
39%
52
Constant Update,
Latest Tech
China
Japan
Australia
Russia
2014 (n=1637)
2014
Low
3%
2%
Brazil
2%
1%
5%
9%
24%
24%
Germany
1%
1%
4%
12%
27%
24%
Italy
1%
4%
China
India
Japan
Mexico
0%
0%
27%
22%
23%
3%
9%
1%
10%
4%
LowerMiddle
United States
Australia
8%
14%
13%
36%
25%
32%
19%
7%
5%
7%
2%
6%
Russia
1%
France
1%
20%
21%
3%
4%
15%
16%
8%
14%
15%
Middle
High
44%
45%
35%
26%
34%
40%
25%
24%
43%
39%
25%
23%
38%
34%
18%
22%
41%
32%
35%
36%
29%
25%
16%
30%
29%
36%
32%
54%
40%
34%
16%
20%
16%
35%
High
16%
27%
14%
34%
27%
2015 (n=2401)
UpperMiddle
29%
32%
37%
3%
6%
7%
1%
Upper Middle
8%
Mexico
France
Middle
0%
India
U.K.
Regular Upgrade
Cadence
SHARE
United Kingdom
Brazil
Germany
Sophistication Level
U.S.
Italy
26%
20%
40%
32%
32%
50%
32%
29%
53
RECOMMENDATIONS: RESPONDING TO
THE REALITY CHECK
As our Security Benchmark Capabilities Study shows,
reality has set in for security professionals. Security
professionals confidence in their readiness to block
attackers is wavering. However, the reality checks provided
by high-profile exploits have had a positive effect on the
industry, judging from the uptick in security training and
formal policy development. In addition, the more frequent
outsourcing of audits and incident response services
indicates that defenders are searching for expert help.
Enterprises should continue to raise their awareness of
their security preparedness, and security professionals
must champion the growth of budgetary outlays to support
technology and personnel. In addition, confidence will rise
when security practitioners deploy tools that can not only
detect threats, but also contain their impact and boost
understanding of ways to prevent future attacks.
54
A Look Forward
55
A Look Forward
A Look Forward
The Court of Justice declares that the Commissions U.S. Safe Harbour Decision is invalid, CJEU, October 6, 2015:
http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf.
Safe Harbor 2.0 framework begins to capsize as January deadline nears, by Glyn Moody, Ars Technica, November 16, 2015:
http://arstechnica.com/tech-policy/2015/11/safe-harbour-2-0-framework-begins-to-capsize-as-january-deadline-nears/.
Safe Harbor 2.0 framework begins to capsize as January deadline nears, by Glyn Moody, Ars Technica, November 16, 2015:
http://arstechnica.com/tech-policy/2015/11/safe-harbour-2-0-framework-begins-to-capsize-as-january-deadline-nears/.
Paris Attacks Fan Encryption Debate, by Danny Yadron, Alistair Barr, and Daisuke Wakabayashi, The Wall Street Journal, November 19, 2015:
http://www.wsj.com/articles/paris-attacks-fan-encryption-debate-1447987407.
56
A Look Forward
Inability of Cybersecurity
Policy to Keep Up with the
Pace of Business Change
27%
26%
Insufficient Investment
in Cybersecurity
24%
Ineffective Enforcement
of Cybersecurity Policies
21%
57
A Look Forward
31%
Confidential Financial
Information
Customer
Information
(Transactional Data)
65%
30%
Confidential
Business
Information
(Operational Data)
50%
Mobility
43%
42%
IT Security
Cloud-Based
SHARE
58
Figure X.
External
Faced (Total
Figure
65.Challenges
External Challenges
Faced Respondents)
(Total Respondents)
Malware
68%
Phishing
54%
43%
38%
Brute-Force Attacks
35%
Zero-Day Attacks
35%
I Do Not Consider
Any of These to Be Challenges
for My Organization
A Look Forward
Figure X.
Internal66.
Challenges
Faced
(Total Respondents)
Figure
Internal Security
Challenges
Faced
(Total Respondents)
54%
47%
Hardware or Software
Vulnerabilities
46%
39%
26%
92%
Dedicated
Security Team
88%
Organization-Wide
Security Strategy
59%
Standardized
Validation Policies
and Procedures
SHARE
3%
59
A Look Forward
50.3
46.4
44.5
44.4
49.3
41.4
34.3
32.8
Median TTD
Retrospectives
27.0
20.4
17.5
379366
286457
197158
112766
112664
Dec. 2014
96106
205601
192975
150480
154353
185539
Oct. 2015
60
A Look Forward
Figure
X.
cated threat defenses and close collaboration among skilled
Time
to
Detection Comparison,
security researchers has been perhaps even more critical to
June
vs
our ability September
to consistently 2015
and significantly reduce the median
Hours
Hours
Systweak
Browse Fox
InstallCore
PennyBee
MyWebSearch
Elex
Visicom
SupTab
Esprot
MyPCBackup
Compete Downloader
NetFilter
Linkury
BitCocktail
Wajam
Kranet
OpenCandy
17.5
GigaClicks RuKometa
StartPage
VS
OptimizerPro
ConvertAd
35.3
Oct. (Median)
Sharik MultiPlug
June (Median)
Spigot
SpeedingUpMyPC
Generik
CrossRider
AddLyrics
Yotoon
Dagava
SHARE
61
A Look Forward
62
A Look Forward
63
A Look Forward
About Cisco
64
About Cisco
About Cisco
65
About Cisco
66
About Cisco
67
About Cisco
Appendix
68
Appendix
Appendix
Ciscos 2015 Security Capabilities Benchmark Study:
Respondent Profile and Resources
Figure X. Respondent Profiles
14%
Non-ComputerRelated
Manufacturing
4%
6%
2014 (n=1738)
14%
15%
Financial Services:
Banking, Insurance
46%
1%
SecOps
8%
3%
5%
6%
Telecommunications
Mining
CSOs
2014
56%
3%
Utilities/Energy
CSOs vs SecOps
9%
Government
7%
3%
Healthcare
12%
Chemical Engineering
or Manufacturing
1%
3%
Pharmaceuticals
7%
2015 (n=2432)
8%
5%
Transportation
27%
21%
2%
Agriculture/Forestry/
Fishing
Organization Size
Other Industry
2014
2015
2015
45%
55%
Large
Enterprise
Enterprise
0% 13%
46% 38%
2014
54% 49%
2015
81%
67%
83%
75%
75%
78%
79%
73%
71%
76%
Defining Requirements
Approving Budgets
Midmarket
66%
57%
69
Figure X.
Although only 9% have a security budget thats separate from the IT budget, this has
increased significantly since 2014
Cisco 2016 Annual Security Report
Appendix
Figure 72. Although Only 9% Have a Security Budget Thats Separate From the IT Budget, This Has Increased
Significantly Since 2014
Is the Security Budget Part of the IT Budget? (IT Department Members)
2014 (n=1720)
Completely Separate
Partially Within IT
2015 (n=2412)
Completely Separate
6%
33%
61%
All Within IT
Partially Within IT
9%
33%
58%
All Within IT
2014
97%
VS
Job Title
2015
98%
2014 (n=1738)
2015 (n=2432)
98%
98%
2014 (n=1706)
2015 (n=2382)
97%
94%
34%
18%
16%
13%
President/Owner
18%
6%
6%
Director of
Security Operations
7%
6%
VP of IT Security
5%
Director or Manager of IT
4%
4%
VP of IT Security
4%
Security Operations
Manager
4%
VP of IT
2%
Security Architect
4%
Executive Board
2%
VP of IT
3%
1%
3%
1%
Another Title
2%
Another Title
0%
70
Appendix
Figure X. Firewalls and Data Loss Prevention Are Most Commonly Used Security Tools
Figure 74. Firewall Is the Most Common Security Threat Defense Tool Used; Fewer Security Threat Defenses Are
Being Administered Through Cloud-Based Services in 2015 Compared to 2014
Defenses Administered Through CloudBased Services (Security Respondents
Who Use Security Threat Defenses)
Security Threat Defenses Used by Organization
2014 (n=1738)
Firewall*
N/A
2014 (n=1646)
2015 (n=2432)
65%
2015 (n=2268)
31%
55%
56%
Authentication
52%
53%
Encryption/Privacy/Data Protection
53%
53%
Email/Messaging Security
56%
52%
37%
34%
Web Security
59%
51%
37%
31%
Endpoint Protection/Anti-Malware
49%
49%
25%
25%
Access Control/Authorization
53%
48%
45%
45%
Intrusion Prevention*
N/A
44%
20%
Mobility Security
51%
44%
28%
24%
Secured Wireless
50%
41%
26%
19%
Vulnerability Scanning
48%
41%
25%
21%
VPN
48%
40%
26%
21%
43%
38%
DDoS Defense
36%
37%
Penetration Testing
38%
34%
20%
17%
39%
32%
Network Forensics
42%
31%
Endpoint Forensics
31%
60%
1%
26%
N/A
1%
35%
13%
11%
71
Appendix
Figure X. Advice and consulting still top most security services outsourced
Outsourcing
Figure 75. Advice and Consulting Still Topmost Security Services Outsourced
Significant Increases Seen in Audit and Incident Response Outsourcing. Outsourcing Is Seen as Being More Cost-Efficient.
Half (52%) follow a standardized security policy practice such as ISO 27001the same as last year. Of these, the vast majority are either
already certified or in the process of becoming certified.
31%
Already Certified
7%
70%
70%
67%
65%
64%
63%
63%
Financial Services
Telecommunications
Healthcare
Government
Utilities/Energy
Other Industry
63%
58%
57%
46%
44%
36%
Figure X.
Company view of outsourcing: Large Enterprises are significantly more likely to outsource
audits and advice and consulting
Figure 76. Company View of Outsourcing: Large Enterprises Are Significantly More Likely to Outsource Audits,
Advice and Consulting
Which Security Services Are Outsourced?
Advice and
Consulting
Audit
Monitoring
Midmarket
(n=1189)
49%
45%
Enterprise
(n=924)
54%
46%
Large
Enterprise
(n=319)
55%
56%
46%
42%
44%
Incident
Response
42%
44%
40%
Threat
Intelligence
Remediation
36%
36%
None/
All Internal
14%
42%
37%
11%
41%
36%
10%
72
Figure X.
Country
viewAnnual
of outsourcing:
Japan is significantly more likely to outsource advice and consulting
Cisco
2016
Security Report
Appendix
Figure 77. Country View of Outsourcing: Japan Is Significantly More Likely to Outsource Advice and Consulting
Which Security Services Are Outsourced?
TOTAL
U.S.
Brazil
Germany
Italy
U.K.
Australia
China
India
Japan
Mexico
Russia
France
52%
51%
19%
51%
44%
54%
52%
54%
64%
58%
41%
55%
47%
50%
55%
38%
48%
50%
36%
33%
51%
41%
63%
40%
59%
44%
48%
49%
32%
39%
41%
52%
31%
51%
51%
49%
37%
50%
46%
39%
32%
38%
43%
53%
34%
49%
53%
45%
27%
54%
42%
40%
37%
46%
36%
16%
36%
48%
47%
44%
42%
39%
34%
32%
38%
34%
31%
47%
37%
41%
40%
21%
41%
41%
18%
9%
18%
13%
19%
4%
19%
12%
10%
3%
16%
4%
On-premise hosting of the organizations networks is still the most common; however,
off-premise hosting has increased since last year
Source: Cisco 2015 Security Capabilities Benchmark Study
Figure 78. On-Premises Hosting of Networks Is Still the Most Common; However, Off-Premises Hosting has
Increased Since Last Year
2014 (n=1727)
2015 (n=2417)
OffPremises
51%
54%
48%
23%
All OnPremises
24%
ThirdParty Managed
18%
20%
Private Cloud
8%
10%
Public Cloud
73
2014
53%
VS
2015
48%
Not very
Somewhat
1% 10%
A lot
42%
47%
Appendix
Figure X.
Fewer
organizations
in 2015 report having had to manage public scrutiny of security breaches,
Public
Security
Breach
(Top
5 Mentions)
Respondents
Affected by a Security Breach (2015 n=1109) Increased Security Awareness Training Among Employees
compared to 2014
Increased Investment in Security Defense Technologies or Solutions
training Public
after a public
breach.
Figure
79. Fewer Organizations in 2015 Report Having Had to Manage
Scrutiny
of Security Breaches
43%
IncreasedBreaches
InvestmentAre
in Security
DefenseofTechnologies
or Solutions
Security
Strong Drivers
Security Improvements:
42%
Fewer Organizations in 2015 Report Having Had to Manage
Established a Formal Set of Security Policies and Procedures
Public Scrutiny of Security Breaches Compared to 2014.
41%
2014
53%
40%
2015
48%
VS
Increased Investment in the Training of Security Staff
40%
43%
41%
42%
47%
(Top
Mentions)
Respondents
Affected
by a Security
Breach (2015
n=1109) Breach?
Increased Security Awareness Training Among Employees
Has 5
Your
Organization
Ever Had
to Manage
Public Scrutiny
of a Security
43%
Respondents Dedicated to Security.2014 (n=1701) 2015 (n=1347)
2014
53%
2015
48%
Yes
Yes
Not at all
43%
Not very
Somewhat
A lot
41%
74
Appendix
Figure X. 5-segment model tracks closely to Security Capability Maturity Model (CMM)
Figure 81. 5-Segment Model Tracks Closely to Security Capability Maturity Model (CMM)
60%
Segment Sizing
2014 (n=1637)
4%
LowerMiddle
Middle
8%
UpperMiddle
26%
High
23%
39%
Figure X.
As in 2014, nearly all agree or strongly agree that executive leadership considers security a high priority
Source: Cisco 2015 Security Capabilities Benchmark Study
2015 (n=2401)
2%
9%
25%
28%
36%
Figure 82. As in 2014, Nearly All Agree or Strongly Agree that Executive Leadership Considers Security a High Priority
Security Policies
Strongly Disagree
2 4
Disagree
Agree
Strongly Agree
32
63
2014
n=1738
94
94
2015
n=2432
1 4
35
61
2 5
35
58
2014
Security Roles and Responsibilities are Clarified
Within My Organizations Executive Team
n=1738
94
95
2015
n=2432
1 4
36
58
2 4
36
57
2014
n=1738
93
95
2015
n=2432
1 4
2
40
55
40
53
2014
n=1738
93
94
2015
n=2432
1 5
41
53
75
Fewer in 2015 Strongly Agree that They Do a Good Job Building Security Into Systems and Applications
Security Policies
Cisco
2016Review
Annual
Report and
We Regularly
OurSecurity
Security Practices
Strongly Disagree
2014
n=1738
2 5
Disagree
35
2015
1 3
2014
n=1738
2 4
Security Policies
2015
n=2432
2014
2014
n=1738
n=1738
Strongly Disagree
1 3
2 5
2 3
2014
2014
n=1738
n=1738
2015
2015
n=2432
n=2432
2014
2014
n=1738
n=1738
2015
2015
n=2432
n=2432
2014
n=1738
2014
n=1738
2015
n=2432
2015
n=2432
2014
2014
n=1738
n=1738
2015
2015
n=2432
n=2432
2014
2014
n=1738
n=1738
2015
2015
n=2432
n=2432
2014
n=1738
2015
n=2432
2014
n=1738
2015
n=2432
60
33
61
94
97
Disagree
38
35
35
Agree
Strongly Agree
59
59
60
94
95
97
95
2015
n=2432
n=2432
Appendix
37
Access 83.
Rights
to Networks,
Systems,
Applications,
Figure
Mixed
Confidence
in Ability
to Build Security into Systems
Fewer in 2015 Strongly Agree that They Do a Good Job Building Security Into Systems and Applications
Functions, and Data are Appropriately Controlled
Strongly Agree
59
94
97
Processes
Agree
1
0
2
2
3
4
4
4
37
38
60
57
61
57
33
36
94
93
97
96
1
1
2
2
3
4
3
4
38
40
35
38
59
56
60
56
95
94
95
97
0
1
2
2
4
2
4
5
38
41
36
35
57
56
57
58
93
96
93
96
1
1
2
2
4
4
4
6
40
42
38
39
56
54
56
54
94
93
97
95
1
1
2
2
2
5
5
5
41
56
53
58
53
42
3540
93
93
96
95
1
1 4
5
2 6
42
44
39
54
51
54
93
95
1 5
2 5
42
53
40
53
93
95
1 5
44
76
51
2014
n=1738
2 4
38
94
97
2015
n=2432
1 2into Systems
Figure X. Lower Confidence in Ability to Build Security
56
2 5
2014
Good Security
n=1738
41
56
Appendix
35
Controls
58
93
96
2015
Most Say They are Comfortable With Their Security Controls
n=2432 Strongly Disagree
Disagree42
Agree
Security Policies
4
Strongly 1
Disagree
Disagree
Agree
Security Controls
5
35 39
2 6
2 5
37
2014
2014 n=1738
94
93
We Regularly
Review
Security and
Practices andn=1738
Information
Assets
areOur
Inventoried
We Have
WellDocumented
93 95
97
Tools
toClassified
Ensure
that They areProcesses
Up to Date and Effective
Clearly
and Procedures for Incident Response
95
2015
and Tracking
2015 n=2432
3
37
1 5
42
n=2432
1 5
2014
1 6
n=1738
2014
Access Rights to Networks, Systems, Applications,
We Do an Excellent Job of Managing HR Securityn=1738
Functions, and Data are Appropriately Controlled
We Have Good Systems for Verifying that
2015
Security Incidents Actually Occurred
n=2432
2015
41 33 40
2 5
4
38
92
95
3844
n=2432
Source: Cisco
Security Capabilities
Benchmark
Figure
X. 2015
Enterprises
Believe
They Study
Have
Good Security
2 3 Controls
1 5
2014
n=1738
2 5
Figure
84.
Enterprises
Believe
Theyand
Have Good Security Controls
Technical
Security
Controls
in Systems
Most Say They are Comfortable With Their Security2014
Controls
We Do aControls
Good Job of Notifying and
Security
n=1738
2015
Strongly Disagree
n=2432
0 4
2 5
2015
2 4
2014
n=2432
n=1738 2014
1 4
n=1738
2 5
2014
2015
n=1738 2015
n=2432
n=2432
1 5
1 4
2015
1 6
n=2432
2014
2014
1 4
n=1738 n=1738
We Do
Have
Good Job
Systems
for Verifying
that
a Good
of Building
Security
Into Our
Security Incidents
ActuallyDeveloping,
Occurred and
Procedures
for Acquiring,
2014
Maintaining Systems
2015
n=1738
We Have Effective Processes for Interpreting n=2432
and Prioritizing Incoming Incident Reports and
Understanding Them
2015
1 2
2 5
2 5
1 5
n=1738 n=1738
2 8
2014 2015
2015 n=2432
n=1738
n=2432
1 4
2015 2014
2 5
n=2432
2014 n=1738
n=1738 1 6
95
95
94
95
38
Disagree
37
93
93
95
96
40
94
41 40
96
2 6
1 5
2 8
2014
n=1738
92 94
95 97
54
53
51
56
54
58
51
41
93
94
96
95
42
9042
93
39
52
49
54
53
54
54
44
49
93
94 95
Except for the statement We
96 do a good job of notifying and
collaborating with stakeholders about security incidents, CSOs
1 5 are more positive about attributes
42
surrounding security controls 53
2 5 than SecOps managers.
40
53
43
53
42
Strongly Agree
57
56
57
53
54
56
93
41 41
95
43 35
40
51
54
56
38
43
1 4
Agree
36
42
42
2015
n=2432
1 5
60
54
43
38
51
59
35
43
2 5
n=2432 2014
2014
We
Into
We Do
Do aa Good
Good Job
Job of
of Building
NotifyingSecurity
and
Systems
and Applications
Collaborating
with Stakeholders About
Security Incidents
We Follow a Standardized Incident Response
Practice Such Aas Rfc2350, ISO/IEC
27035:2011, or U.S. Cert
2 4
41
60
53
54
53
61
54
93
94
95
97
1 5
3
Strongly Agree
54
Strongly Agree
59
54
56
93
95
43
41
93
95
44
51
51
77
52
49
2014
n=1738
94
95
2015
n=2432
1 4
42
2 5
53
Appendix
54
40
2014
Figure X. Enterprises Believe They Have
Good Security Controls
n=1738
94
96
Figure
84. Enterprises Believe They Have Good Security Controls (continued)
Most Say They are Comfortable With Their Security Controls
2015
Security Controls
n=2432
2014
2014
We
ProcessesProcesses
for Interpreting
We Have
Have Effective
WellDocumented
and Procedures
Prioritizing Incoming
Incident
Reports and
and
for Incident
Response
Understanding
and Tracking Them
Disagree
1Strongly
4
2
2 5
5
Disagree
43
93
93
95
95
2015
2015
2014
2014
n=1738
1
1
2
1
5
5
8
6
38
43
41
41
n=1738
2015
2015
n=2432
n=2432
Strongly Agree
53
51
56
n=1738
n=1738
n=2432
n=2432
Agree
37 42
52
54
49
54
90
92
93
95
1 6
1 5
44
41
49
54
Figure
X.
Security
Incidents
Source:
Cisco
2015 Security Capabilities Benchmark Study2015
Quarantine/removal of malicious applications
and root cause analysis continue to
n=2432
1 4
42
be the top processes used
2 5
53
40
54
2014
94
42
n=1738
Stopping Communication of
Malicious Software
2015
Additional
n=2432 Monitoring
55%
53
55%
51
55%
93
95
43
41
n=2432
Long-Term
Fix Development
1 6
51%
48%
Incidents
We FollowSecurity
a Standardized
Incident Response
Practice Such Aas Rfc2350, ISO/IEC
Reimage System to Previous State
27035:2011, or U.S. Cert
2015
90
93 45%
44
53%
53%
52%
1 5
Policy Updates
2 8
Stopping
2014 Communication of Compromised
n=1738
Application
56%
43
47%
48%
47%
52
49
47%
41%
40%
49
78
Security Operationalization
Strongly Disagree
2014
n=1738
2015
n=2432
Disagree
2 4
Agree
36
58
94
96
1 3
1 4
2014
Figure X. Enterprises Lack Confidence in Ability
to Contain Compromises
n=1738
Appendix
39
38
57
56
94
We Review
Improve Our
Security
Practices
Figure
86. and
Enterprises
Exhibit
Mixed
Confidence in Ability to Contain Compromises
However,
Continue
to Lack Over
Confidence
Regularly,Companies
Formally, and
Strategically
Time in Their Abilities to Scope and Contain Compromises 96
2015
Disagree
Agree
Security Operationalization
n=2432 Strongly Disagree
1 4
40
2 4
36
2 5
38
2014
2014
n=1738
We Regularly Review Connection Activity on the
n=1738
94
93
Network
to Ensure
that Security Measures
We Routinely
and Systematically
Investigateare
96
96
Working
as Intended
Security Incidents
2015
2015
n=2432
n=2432 1 3
39
1 4
40
1 4
38
1 5
40
2014
2014
n=1738
n=1738
94
We
and Improve
Our
Security
94
We Review
Can Increase
Security
Controls
onPractices
High-Value
96
Regularly,
Formally,
and
Strategically
Over
Time
97
Assets Should Circumstances Require
2015
2015
n=2432
n=2432 1 4
40
1 3
41
2 5
38
1 5
37
2014
2014
n=1738
93
n=1738
We
and Systematically
Investigate
Our Routinely
Threat Detection
and Blocking
Capabilities
94
96
Security
are Kept Incidents
Up to Date
96
2015
2015
n=2432
n=2432 1 4
40
1 3
40
1
2 5
5
3640
2014
2014
n=1738
n=1738
94
We
Can
Increase
Security
Controls
on
High-Value
94
Security is Well Integrated into Our Organizations
97
Assets
Should
Circumstances
Require
96
Goals and Business Capabilities
2015
2015
n=2432
n=2432 1 3
41
1 4
40
1 5
37
1 5
40
2014
2014
n=1738
Our
ThreatTools
Detection
and
Blocking
n=1738
94
We Have
in Place
that
EnableCapabilities
Us to Review
93
are
Up Feedback
to Date Regarding the Capabilities
96
and Kept
Provide
96
2015
of Our Security Practices
2015
n=2432
n=2432 1 3
40
1 4
44
2 5
36
2
5
38
2014
2014
n=1738
94
n=1738
Security is Well Integrated into Our Organizations
94
Our Security Technologies are Well Integrated to
96
Goals and Business Capabilities
Work Effectively Together
95
2015
2015
n=2432
n=2432 1 4
40
1 4
43
1 5
40
2 9
43
2014
2014
n=1738
We Have Tools in Place that Enable Us to Review
93
n=1738
89
It is Easy
to Determine
the Scope the
of aCapabilities
Compromise,
and
Provide
Feedback Regarding
96
Contain
it, and Remediate
91
of
Our Security
Practices from Exploits
2015
2015
n=2432
n=2432 1 4
44
1 8
46
2 5
38
Source: Cisco 2015 Security Capabilities Benchmark Study
2014
n=1738
94
Our Security Technologies are Well Integrated to
Work Effectively Together
95
2015
n=2432
1 4
43
2014
n=1738
2015
n=2432
Strongly Agree
43
57
56
56
54
56
56
55
57
56
56
54
58
56
56
57
53
56
52
58
56
56
52
53
46
52
45
56
52
46
89
91
1
Strongly Agree
56
58
55
46
79
45
n=2432
2014
n=1738
2015
n=2432
Figure
Enterprises
We HaveX.
Tools
in Place thatLack
EnableConfidence
Us to Review in
2014
Ability
to
n=1738
1 3
2 5
40
56
58
36
94
96
1 4
40
Appendix
56
1 5
40
53
Contain Compromises
93
and Provide
Feedback Regarding
Capabilities
Figure
86. Enterprises
Exhibitthe
Mixed
Confidence in Ability to Contain Compromises (continued)
96
However,
Companies
Continue to Lack Confidence in Their Abilities to Scope and Contain Compromises
of Our Security
Practices
2015
n=2432 Strongly Disagree
Disagree
Agree
Strongly Agree
Security Operationalization
1 4
44
52
36 38
58
22 54
56
2014
2014
n=1738
n=1738
We Regularly Review Connection Activity on the
94
94
Our Security Technologies are Well Integrated to
Network to Ensure that Security Measures are
96
Work Effectively Together
95
Working as Intended
2015
2015
n=2432
n=2432
39 43
57
11 3
4
52
38 43
56
21 49
46
2014
2014
n=1738
n=1738
94
89
ItWe
is Easy
to Determine
theOur
Scope
of a Practices
Compromise,
Review
and Improve
Security
96
Contain
it, Formally,
and Remediate
from Exploits
91
Regularly,
and Strategically
Over Time
2015
2015
n=2432
n=2432
40 46
56
11 48
45
Figure X.
2 5
38
55
Source: Cisco 2015 Security Capabilities Benchmark Study
Firewall logs and system log analysis continue
to be the most commonly
2014
n=1738
used processes to analyze compromised systems
93
We Routinely and Systematically Investigate
96
Security Incidents
2015
n=2432
1 4to Be the Most Commonly
40Used Processes to Analyze 56
Figure 87. Firewall Logs and System Log Analysis Continue
1
5
40
54
Compromised Systems
2014
n=1738
94
2014
(n=1738) 2015 (n=2432)
We Can Increase Security Controls on High-ValueProcesses to Analyze Compromised Systems
Enterprise
and Large
Enterprise Require
companies
97
Assets Should
Circumstances
Firewall2015
Log
61%
45%
report using more processes for analyzing
compromised systems than do Midmarket
n=2432
1 3
41 59%
System Log Analysis
40%56
companies.
1 5
37
57
Network
Flow Analysis
53%
40%
2014
n=1738
55%
34%
Our Threat Detection and Blocking Capabilities Malware or File Regression Analysis
94
are Kept Up to Date
96
Registry Analysis
50%
33%
2015
n=2432
Full Packet
Capture
32% 56
1 3Analysis
4047%
2 5Analysis
Correlated Event/Log
36 42%
2014
Enterprise and
Midmarket
Disk Forensics
n=1738
Large Enterprise
Security
is Well Integrated into Our Organizations
40%
94
38%96
IOC Detection
2015
Memory
Forensics
n=2432
1 4
External Incident Response/Analysis
1 5
None of2014
the Above
n=1738
We Have Tools in Place that Enable Us to Review
2%
2015
n=2432
2014
n=1738
2015
n=2432
2014
n=1738
2015
n=2432
1 4
2 5
26%
24%
21%
93
96
44
38
58
27%
41%
40
37%40
and Provide
Feedback
Capabilities
Source:
Cisco 2015
SecurityRegarding
Capabilities the
Benchmark
Study
of Our Security Practices
28%
56
53
1%
52
56
94
95
1 4
2
43
52
43
46
89
91
1
46
80
45
Figure X.
Restoring from a pre-incident backup is the most common process to
restore
affected
systems
in 2015
Cisco 2016
Annual
Security
Report
Appendix
Figure 88. Restoring From a Pre-Incident Backup Is the Most Common Process to Restore Affected Systems in 2015
Processes to Restore Affected Systems
Respondents in China say they patch and
update applications deemed vulnerable
more frequently than do respondents in
other countries surveyed.
China
Patch
Management
2014 (n=1738)
2015 (n=2432)
57%
59%
60%
56%
60%
55%
51%
56%
35%
2%
35%
1%
Figure 89. The CEO or President Is Most Likely to Be Notified of Security Incidents, Followed by
Operations and the Finance Department
Significantly more large enterprise respondents
mention notifying external authorities in the
event of an incident than those from Midmarket
and Enterprise companies.
N/A
46%
40%
34%
45%
Engineering
38%
33%
Human Resources
36%
32%
Legal
36%
Manufacturing
33%
27%
All Employees
35%
26%
Public Relations
28%
Business Partners
94%
40%
N/A
Technology Partners
Large Enterprise
97%
45%
Operations
Finance Department
2015 (n=2432)
32%
External Authorities
Insurance Companies
22%
N/A
28%
24%
21%
18%
15%
81
Appendix
Figure X. Nearly all companies (97%) deliver security training at least once a year
Training
Figure 90. Nearly All Companies (97%) Deliver Security Training at Least Once a Year
Are Security Awareness and/or Training Programs
Delivered to Security Staff on a Regular Basis?
(Respondents Dedicated to Security)
2014
1%
17%
82%
N/A
(n=1560)
2014 (n=1726)
97%
11% No
2015
(n=2147) N/A 3%
39%
58%
89% Yes
Figure X.
<1 Time/2Year
1 Times/ 2Year
1 Times/Year
2+ Times/Year
Fewer organizations in 2015 report having had to manage public scrutiny of security breaches,(no 2014 data)
compared to 2014
More companies that have experienced a breach
regularly conduct security awareness and/or
training programs (96%) than those companies that
have not experienced a breach (83%).
2015 (n=2402)
Security
Are Strong Drivers of Security Improvements:
10% Breaches
No
Have
96%
VS
Have Not
83%
2014
53%
2015
48%
VS Study
Source: Cisco 2015 Security Capabilities Benchmark
Not at all
Not very
Somewhat
1% 10%
42%
A lot
47%
Figure 91. Frequency of Security Awareness Training and Incidence of Formal Security Policies Are Both Up Since
2014Evidence of Action
(Top 5 Mentions) Respondents Affected by a Security Breach (2015 n=1109) Increased Security Awareness Training Among Employees
Increased Investment in Security Defense Technologies or Solutions
43%
Increased Investment in Security Defense Technologies or Solutions
42%
Established a Formal Set of Security Policies and Procedures
41%
Increased Enforcement of Data Protection Laws and Regulations
40%
Increased Investment in the Training of Security Staff
40%
43%
In 2015, 41 percent of respondents said they established a
formal set of security policies and procedures.
41%
82
Figure X.
As in 2014, nearly 9 in 10 say their security staff attend security-focused conferences or training
Cisco 2016 Annual Security Report
Appendix
Figure 92. As in 2014, Nearly 9 in 10 Say Their Security Staff Attend Security-Focused Conferences or Training
Do Security Staff Members Attend Conferences and/or
External Training to Improve and Maintain Their Skills?
(Respondents Dedicated to Security)
2014 (n=1738)
2015 (n=2432)
11%
11%
89%
Yes
89%
Yes
2014 (n=1738)
2015 (n=2432)
36% 64%
Yes
35% 65%
Yes
83
Appendix
Understand the
strategies, policies,
and solutions being
implemented to
mitigate security risks
Gauge interest in
receiving communications about how to
validate IT vendor
trustworthiness
Two methodologies were utilized to provide insight into each of these research objectives:
(All respondents involved in IT purchase decision=making)
Quantitative web-based survey among
20 service providers
20
45
84
Appendix
Company Size
10,000
or more
U.K.
U.S.
38%
22%
5000-9999
Germany
27% 19%
16%
1000-2499
32%
2500-4999
30%
France
16%
InfoSec Classification
47%
InfoSec
Non-InfoSec
53%
11%
11%
10%
10%
8%
7%
6%
5%
5%
Finance
Healthcare
Non-Computer
Manufacturing
Retail
Government
Insurance
Energy, Oil,
and Gas
Engineering
Telecom.
Job Title
Purchase Involvement
25%
9%
Director
Sr. Engineer/Architect
Engineer
6%
71%
3%
26%
2%
69%
Set Vision/Strategy
Ensure Compliance
30%
Manager
Legal
Other
Implement/Manage Solutions
Authorize Funding/Approve Budget
69%
77%
80%
77%
53%
85
Appendix
U.S./Canada
10
Company Size
3
France 3
U.K.
Germany
100-999
5000 or more
InfoSec Classification
14
InfoSec
1000-4900
Job Title
Application Services
11%
CIO/CTO/CSO
Tech Services
11%
VP of IT
Mobile Telecom.
6%
Director of IT
Media Services
4%
Senior Manager
Wired Telecom.
3%
Sr. Engineer/Architect
Manager
6
Non-InfoSec
Purchase Involvement
7%
1%
8%
1%
2%
1%
Set Vision/Strategy
80%
Ensure Compliance
100%
70%
Research/Evaluate Solutions
95%
85%
Implement/Manage Solutions
Authorize Funding/Approve
75%
60%
86
Europe Headquarters
Asia Pacific Headquarters
Americas Headquarters
Cisco Systems International BV Amsterdam,
Cisco Systems (USA) Pte. Ltd.
Cisco Systems, Inc.
The Netherlands
Singapore
San Jose, CA
Europe Headquarters
Asia Pacific Headquarters
Americas Headquarters
has moreInc.
than 200 offices worldwide. Addresses,
phone
numbers,
and fax numbers are listed
onSystems
the Cisco
Website atBV
www.cisco.com/go/offices.
Cisco
International
Amsterdam,
Cisco Systems
(USA)
Pte. Ltd.
Cisco Systems,
The Netherlands
Singapore
San Jose, CA
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco
Cisco
has morego
than
200URL:
offices
worldwide. Addresses, phone
numbers,
and fax numbers
are are
listed
the Cisco
Website
at www.cisco.com/go/offices.
trademarks,
to this
www.cisco.com/go/trademarks.
Third
party trademarks
mentioned
theon
property
of their
respective
owners. The use of the word
partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco
trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word
partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Europe Headquarters
Asia Pacific Headquarters
Americas Headquarters
Cisco Systems International BV Amsterdam,
Cisco Systems (USA) Pte. Ltd.
Cisco Systems, Inc.
The Netherlands
Singapore
San Jose, CA
Europe Headquarters
Asia Pacific Headquarters
Americas Headquarters
more Inc.
than 200 offices worldwide. Addresses,
phone (USA)
numbers,
on theSystems
Cisco Website
at www.cisco.com/go/offices.
International
BV Amsterdam,
Cisco Systems
Pte.and
Ltd.fax numbers are listed Cisco
Cisco has
Systems,
The Netherlands
Singapore
San
Jose, CA
Published
January 2016
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco
Cisco has more
than
offices
worldwide. Addresses, phone
numbers,
and fax numbers
are listed
onproperty
the Cisco
at www.cisco.com/go/offices.
trademarks,
go to
this200
URL:
www.cisco.com/go/trademarks.
Third
party trademarks
mentioned
are the
ofWebsite
their respective
owners. The use of the
2016 Cisco and/or its affiliates. All rights reserved.
word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco
trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the
word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Adobe, Acrobat, and Flash are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.