The law of unintended consequences strikes again. In an effort to address security risks in enterprise IT systems and the critical data in them, numerous security standards and requirement frameworks have emerged over the years. But most of these efforts have had the opposite effect — diverting organizations’ limited resources away from actual cyber defense toward reports and compliance.
Recognizing this serious problem, the U.S. National Security Agency (NSA) in 2008 launched Critical Security Controls (CSCs), a prioritized list of controls likely to have the greatest impact in protecting organizations from evolving real-world threats. This SANS Institute survey of nearly 700 IT professionals across a range of industries examines how well the CSCs are known in government and industry and how they are being used.
For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
With malware attacks growing more sophisticated, swift, and dangerous by the day — and billions of dollars spent to combat them — surprisingly few organizations have a grip on the problem. Only 20 percent of security professionals surveyed by Information Security Media Group (ISMG) rated their incident response program “very effective.” Nearly two-thirds struggle to detect APTs, limiting their ability to defend today’s most pernicious threats. In addition, more than 60 percent struggle with the speed of detection, and more than 40 percent struggle with the accuracy of detection. Those shortcomings give attackers more time to steal data and embed their malware deeper into targeted systems. For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html.
SANS 2013 Report: Digital Forensics and Incident Response Survey FireEye, Inc.
Cloud computing and bring-your-own-device (BYOD) workplace policies are expanding the endpoints in IT infrastructures — and more complexity when it comes to investigating cyber attacks. The SANS 2013 Report on Digital Forensics and Incident Response Survey reveals some of the major difficulties that security professionals face in this new environment and how to better prepare for future investigations. Collecting responses from more than 450 security professionals across a range of industries and company sizes, the survey found that nearly 90 percent of respondents had conducted at least one forensics investigation within the last two years. But just 54 percent called their digital forensics capabilities “reasonably effective.” For the latest threat intelligence reports, visit https://www.fireeye.com/current-threats/threat-intelligence-reports.html
How close is your organization to being breached | Safe Security (Rahul Tyagi)
Traditional methods are certainly limited in their capabilities, and this is easily proven by the multitude of breaches businesses were a victim of across the globe. The 2020 Q3 Data Breach QuickView Report revealed that the number of records exposed in 2020 has increased to 36 billion globally. The report stated that there were 2,953 publicly reported breaches in the first three quarters of 2020 itself! 2020 was already named the "worst year on record" by the end of Q2 in terms of the total number of records exposed. With the growing sophistication of cyber-attacks and global damages related to cybercrime reaching $6 trillion by 2021, we need a solution that simplifies cybersecurity.
To know more about breach probability visit : www.safe.security
Today, the delegation of risk decisions to the IT team cannot be the only solution and has to be a shared responsibility. The board and business executives are expected to incorporate the management of cyber risk as part of their business strategy since they are accountable to stakeholders, regulators and customers. For the CROs, CISOs, and Security and Risk Management Professionals to be on the same page, there has to be a single source of truth for communicating the impact that cyber risk has on business outcomes, in a language that everyone can understand.
M-Trends® 2010: The Advanced Persistent Threat (FireEye, Inc.)
The inaugural M-Trends report details threat intelligence learned while conducting intrusion investigations for the U.S. government, the defense industrial base, and commercial organizations. This report focuses on the Advanced Persistent Threat (APT), and outlines trends, techniques, and real details of how the APT successfully compromises any target it desires. For the latest M-Trends report, visit https://www.fireeye.com/mtrends
Executive Summary of the 2016 Scalar Security Study (Scalar Decisions)
Executive Summary of the 2016 Scalar Security Study, The Cyber Security Readiness of Canadian Organizations, published February 2016. The full report can be downloaded at: scalar.ca/security-study-2016/
When asked if their organization’s incident response efficiency and effectiveness is limited by the time and effort required for manual processes, 93% of the cybersecurity professionals surveyed responded, “yes”, according to The State of Incident Response ESG report.
This poses a real problem, since 22% of organizations find it challenging to keep up with the volume of security alerts.
Access this ESG research report to take a closer look at these obstacles and at the factors that matter most for incident response excellence.
In this report, we put this area of application security understanding to the test by measuring how various web programming languages and development frameworks actually perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that the most popular modern languages and frameworks yield similar results in production websites?
By analyzing the vulnerability assessment results of more than 30,000 websites under management with WhiteHat Sentinel, we begin to answer these questions. These answers may enable the application security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas. Software vendors may focus on areas that are found to be lacking. Developers can increase their familiarity with the strengths and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and must be virtually transparent. Only then will application security progress be made.
How to measure your cybersecurity performance (Abhishek Sood)
For organizations to stay competitive, they must always be improving. This is equally true of their cybersecurity.
Being able to properly harvest and digest cybersecurity benchmarking information is critical for today’s CIOs. If you realize that your cybersecurity is not at the level it should be, evaluating it properly can help you raise appropriate resources to fix the issues.
Discover how to get the full picture of your organization's security performance compared to your peers. Learn why benchmarking is so critical for today's CIOs and how to clearly communicate benchmarking data to your board.
Risk management plan
Executive Summary
The past few decades have seen rapid technological evolution, with the growth of the industry taking the world by storm. Governments and companies alike are investing in further research and development of futuristic technologies in order to work towards a more efficient future in terms of productivity and task automation. The evolution of computers, and the availability to the public of powerful technologies with high processing power, some of them small and portable, has put information in people's hands, literally.
However, alongside the advantages of recently introduced technologies, there are still threats brought about by those same technologies, since they have raised privacy and other security concerns as well as health concerns associated with a number of the devices. This paper is aimed at identifying strategies to handle risks which may arise from the continuous development of new technologies (Galati, 2015). Comment by Schneider, Paul: This is the only sentence in this summary which focuses on the paper, and it does a very poor job of previewing everything that the reader will see in this paper.
Project Summary
Scope Comment by Schneider, Paul: This section tells me nothing about the scope for your project. What are the task/activities needed to successfully complete your project?
This report is important for analyzing why information technologies must be managed and secured: since their introduction, most companies have adopted them, and so attacks via the implemented technologies must be prevented. Critical business processes rely on information technologies, which therefore need to be safeguarded against hacking attacks and other similar threats.
Milestones Comment by Schneider, Paul: This section tells me nothing about the milestones for your project. When does the project start? When does the project end? What are all of the milestones between the start & end?
All businesses, especially in a technologically growing and dependent world, need to learn the vulnerabilities posed by these developments as well as the methods which can be used to control or curb them. Most companies have successfully put in place firewalls and network administrators to monitor, analyze and notify of irregularities which may cause a breach of sensitive company information.
Cost Constraints Comment by Schneider, Paul: Very poor job.
Implementing security within information technologies involves costs, some one-off and others recurrent, but all serving the same purpose. Costs of implementing security protocols include the purchase of hardware and software offering security, such as firewalls, antivirus and antimalware programs, and programs for detecting network intrusions. Costs can also arise from contracting an external organization to ...
Assessing and Managing IT Security Risks (Chris Ross)
Data privacy and protection have become the gold standard in IT. Scale Venture Partners and Wisegate share what they learned from over 100 IT professionals questioned about the risks and technology trends driving their security programs. Read about the move towards data-centric security and the need for improvement in automated security controls and metrics reporting.
To better understand how organizations manage the planning and securing of their digital assets, McAfee, Inc. retained Evalueserve to conduct an independent assessment of how organizations manage their security policies and processes, and what threats are perceived to pose the greatest risk to their business. This global study of Enterprise-class organizations highlights how IT decision makers view the challenges of securing information assets in a highly regulated and increasingly complex global business environment. It is also forward-looking, revealing companies’ IT security priorities around processes, practices and technology for 2012 and beyond.
PwC study on information security and data protection (2014) (PwC France)
http://pwc.to/1gXASnC
The "Global State of Information Security 2012" is a worldwide study by PwC, CIO Magazine and CSO Magazine. This is the 15th consecutive year that PwC has carried out this survey, and the 9th year with CIO Magazine and CSO Magazine. More than 9,600 responses from CEOs, CFOs, CIOs, CISOs and IT and security managers, spread across 115 countries. 36% of respondents are from North America, 26% from Europe, 21% from Asia-Pacific, 16% from South America, and 2% from the Middle East and Africa.
A critical gap exists between the enterprise mobility vision and real-world implementations.
Enterprise mobility and trends like bring your own device (BYOD) aren’t just hot topics of conversation.
According to the over 1,600 IT and security professionals we surveyed, mobility is a top priority for most IT departments.
Unfortunately, there’s a critical gap between the vision these IT leaders have for enterprise mobility and the real-world implementations.
The insights gathered from IT professionals in the Americas, Asia Pacific, Europe, the Middle East, and Africa demonstrate that organisations from around the world share many of the same priorities, challenges and risks.
The Science and Art of Cyber Incident Response (with Case Studies) (Kroll)
In this joint presentation for the ISSA-LA Summit X in Los Angeles, Jennifer Rathburn, a cybersecurity and data privacy law expert at Foley & Lardner LLP and William Dixon, Associate Managing Director in Kroll's Cyber Risk practice, highlight three incident response scenarios and tips on breach preparation and response.
To learn more, contact Jennifer or William at:
Jennifer Rathburn, Foley & Lardner LLP
jrathburn@foley.com; 414-297-5864
William Dixon, Kroll, a Division of Duff & Phelps
william.dixon@kroll.com; 213-247-3973
QUALITY ASSESSMENT OF ACCESS SECURITY CONTROLS OVER FINANCIAL INFORMATION (IJNSA Journal)
Information security necessitates the implementation of safeguards to guarantee an adequate defense against attacks, threats, and breaches. Nonetheless, even with “adequate” defensive efforts, the temptation to access sensitive and confidential financial information is too strong, and attacks continue to escalate. Organizations must plan ahead so that identified attacks, threats, and breaches are appropriately managed to a successful resolution. A proven method to address information security problems is the effective implementation of access security controls. This paper proposes a quantitative approach for organizations to evaluate access security controls over financial information using the Analytic Hierarchy Process (AHP), and determines which controls best suit management’s goals and objectives. Through a case study, the approach is shown to provide a way of measuring the quality of access security controls over financial information based on multiple application-specific criteria.
Read the article Security Controls that Work by Dwayne Melancon .pdf (sales113)
Read the article "Security Controls that Work" by Dwayne Melancon in the 2007 Issue, Volume 4 of the Information Systems Control Journal (available at http://www.isaca.org/Journal/Past-Issues/2007/Volume-4/Pages/Security-Controls-That-Work1.aspx). Write a report that answers the following questions:
1. What are the differences between high-performing organizations and medium- and low-performing organizations in terms of normal operating performance? Detection of security breaches? Percentage of budget devoted to IT?
2. Which controls were used by almost all high-performing organizations, but were not used by any low- or medium-performers?
3. What three things do high-performing organizations never do?
4. What metrics can an IT auditor use to assess how an organization is performing in terms of change controls and change management? Why are those metrics particularly useful?
Security Controls That Work, by Dwayne Melançon, CISA
Ask the average IT or security manager what measures his/her organization takes to secure its networks, systems, applications and data, and the answer will most likely involve a combination of traditional perimeter protection solutions (such as firewalls, intrusion detection, antivirus and antispyware) together with patch management, business continuance strategies, and access control methods and policies. All of these measures make sense at first glance, yet the deluge of intrusions, data thefts, worms and other attacks continues unabated, with organizations losing productivity, revenue and customers every year.
There are many reasons for this gap in controls and effectiveness. Access controls can be taken only so far before they run into legitimate resistance from employees who find their productivity hampered by the very controls designed to protect it. Traditional perimeter protection and access control are not as effective at blocking attacks from inside organizations as they are at blocking external hackers, which says a lot, since the latter manage to breach thousands of company networks every year. And, as the number and frequency of zero-day attacks continue to grow, the effectiveness of patch management and traditional signature-based intrusion detection, antivirus and antispyware solutions is increasingly in doubt.
All of this begs a host of questions: How is it possible to determine whether an organization’s security controls actually work? Of all the hundreds of practices and objectives within Control Objectives for Information and related Technology (COBIT), IT Infrastructure Library (ITIL) and the other frameworks an organization may implement, which ones are truly the most effective at helping the organization block and respond to attacks, and which ones merely sound good but do not accomplish all that much in practice? Why are some organizations vastly better than others at preventing and responding to attacks? On which controls should auditors focus to verify that the infrastructure is genuinely protec.
Similar to SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness to Action
Asia Pacific & The Security Gap: Don't Stand Still (FireEye, Inc.)
During a breach, attackers will infect a machine and any connected systems with malicious software. Once in, persistence is established by forcing this software to run every time you boot-up your computer. This leads to the theft of sensitive data. Find out about the unique challenges faced in the Asia Pacific region, so you can take the necessary actions to step up your security.
EMEA & The Security Gap: Don't Stand Still (FireEye, Inc.)
During a breach, attackers will infect a machine and any connected systems with malicious software. Once in, persistence is established by forcing this software to run every time you boot-up your computer. This leads to the theft of sensitive data. Find out about the unique challenges faced in the EMEA region, so you can take the necessary actions to step up your security.
[Industry Intelligence Brief] Cyber Threats to the Legal and Professional Ser... (FireEye, Inc.)
Get an overview of the threat groups targeting the legal and professional services industries, as well as the top 5 malware and crimeware families detected.
[Infographic] Healthcare Cyber Security: Threat Prognosis (FireEye, Inc.)
Data breaches cost the healthcare industry $6 billion a year. Learn how you can justify the cost for better healthcare cyber security in this infographic. For more information, visit https://www.fireeye.com/solutions/healthcare.html
[Infographic] Email: The First Security Gap Targeted by Attackers (FireEye, Inc.)
When two-thirds of all email is spam, it's easy to miss dangerous email attacks that evade spam filters. FireEye Email Security offers 6 unmatched advantages that help save millions in income and reputation. Visit www.fireeye.com/go/email for more information.
Analysis, insights, statistics and case studies: this annual threat report reviews the evolution of the tools and tactics used by APT threat actors.
5 Reasons Cyber Attackers Target Small and Medium Businesses (FireEye, Inc.)
High-profile data breaches of corporate giants make the headlines. But 77% of cyber crime actually targets small and midsize enterprises (SMEs). Here's why SMEs are targets, and what you can do about it.
Connected Cars: The Open Road For Hackers (FireEye, Inc.)
As vehicles become both increasingly complex and better connected to the Internet, their increased connectivity makes them even more vulnerable to advanced cyber attacks. This report looks at the five most concerning potential threats created by vehicle software vulnerabilities — including various threat scenarios, their likelihood of occurring and their potential impact — and offers suggestions on how to address this growing cyber security challenge.
M-Trends® 2013: Attack the Security Gap (FireEye, Inc.)
Mandiant’s annual threat report reveals evolving trends, case studies and best practices drawn from Mandiant's observations of targeted attacks in the last year. The report, compiled from hundreds of Mandiant advanced threat investigations, also includes approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches. For the latest M-Trends report, visit https://www.fireeye.com/mtrends.
Mandiant’s annual threat report reveals key insights, statistics and case studies illustrating how the tools and tactics of advanced targeted attackers, including the Advanced Persistent Threat (APT), have evolved over the last year. The report, based on hundreds of advanced threat investigations, also shares approaches that organizations can take to improve the way they detect, respond to, and contain complex breaches. For the latest M-Trends report, visit https://www.fireeye.com/mtrends
In 2010, Mandiant's first M-Trends report detailed how the Advanced Persistent Threat (APT) successfully compromised its victims. In 2011, the attackers continued to expand their targets and innovated their techniques. In this report, those attack techniques are explored further and key steps you can take are identified so you can address the threat in your enterprise. For the latest M-Trends report, visit https://www.fireeye.com/mtrends
Do you know the internal signs of a compromise? This deck takes you through the process our Mandiant services teams go through to help discover if an organization has been compromised. You can also view the full webinar here: https://www.brighttalk.com/webcast/10703/187133?utm_source=SS
What Every Board of Directors Should Know Before, During and After an Attack
View the webinar:
https://www2.fireeye.com/The_Board_and_CyberSecurity_webinar_EMEA.html?utm_source=SS
Download the full report:
https://www2.fireeye.com/WEB-2015-The-Cyber-Security-Playbook.html?utm_source=SS
Proactively Engaged: Questions Executives Should Ask Their Security Teams (FireEye, Inc.)
Jim Aldridge from FireEye discusses what executives should ask their security teams. This is available on the FireEye Blog www.fireeye.com/blog/executive-perspective/2015/11/proactively_engaged.html
FireEye Advanced Threat Protection - What You Need to Know (FireEye, Inc.)
Like water, cybercrime moves effortlessly around obstacles. Today, security-conscious enterprises and federal governments choose FireEye™ for industry-leading protection against advanced cybercrime and targeted attacks. FireEye stops advanced malware, zero-day and targeted APT attacks. FireEye’s appliances supplement traditional and next-generation firewalls, IPS, AV, and gateways, adding integrated multi-stage protection against today’s multi-vectored Web, email, and file-based threats.
The FireEye Advanced Threat Report is based on research and trend analysis conducted by the FireEye Malware Intelligence Labs providing insights to the most current threat landscapes.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities, spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
- State of global ICS asset and network exposure
- Sectoral targets and attacks as well as the cost of ransom
- Global APT activity, AI usage, actor and tactic profiles, and implications
- Rise in volumes of AI-powered cyberattacks
- Major cyber events in 2024
- Malware and malicious payload trends
- Cyberattack types and targets
- Vulnerability exploit attempts on CVEs
- Attacks on counties – USA
- Expansion of bot farms – how, where, and why
- In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
- Why are attacks on smart factories rising?
- Cyber risk predictions
- Axis of attacks – Europe
- Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
SANS 2013 Report on Critical Security Controls Survey: Moving From Awareness to Action
SANS 2013 Critical Security Controls Survey: Moving From Awareness to Action
June 2013
A SANS Whitepaper
Written by: John Pescatore
Advisor: Tony Sager
Sponsored by FireEye

Contents
Level of Awareness
Perceived Benefits and Barriers to Adoption
Assessment: Identifying the Gaps
Levels of Adoption
Implementation Progress and Experience
Measurement and Metrics
Executive Summary

Over the years, many security standards and requirements frameworks have been developed in attempts to address risks to enterprise systems and the critical data in them. However, most of these efforts have essentially become exercises in reporting on compliance and have actually diverted security program resources from the constantly evolving attacks that must be addressed. In 2008, the U.S. National Security Agency (NSA) recognized the diversion of resources as a serious problem, and the agency began an effort that took an “offense must inform defense” approach to prioritizing a list of the controls that would have the greatest impact in improving risk posture against real-world threats.[1] A consortium of U.S. and international agencies quickly grew, and ultimately, recommendations for what were to become the Critical Security Controls (CSCs) were coordinated through the SANS Institute.[2]

How well are the CSCs known in government and private industry, and how are they being used? More importantly, what can we learn from CSC implementations to date? These and other questions were posed to 699 respondents to a recent online survey conducted by the SANS Institute.

This is what we found:
• The majority of respondents (73%) are aware of the CSCs and have adopted or are planning to adopt them, while a further 15% are aware of the Controls but have no plans to adopt them. Only 12% hadn’t heard of the Controls before the survey.
• The respondents’ primary driver for Controls adoption is the desire to improve enterprise visibility and reduce security incidents.
• Operational silos within the IT security organization and between IT and other business departments are still the greatest impediment to implementing repeatable processes based on the Controls.
• Only 10% of respondents feel they’ve done a complete job of implementing all of the Controls that apply to their organizations.

More detailed information and advice about the results and the CSCs are included in this paper.

SANS Analyst Program 1 SANS 2013 Critical Security Controls Survey: Moving From Awareness to Action
[1] www.sans.org/critical-security-controls/history.php
[2] www.sans.org/critical-security-controls
Demographics and Analytics

The SANS Institute conducted an online survey on attitudes toward the adoption of the CSCs during March and April 2013. The survey had a total of 699 respondents.

Who Took the Survey

Security professionals represented the largest occupational group among the respondents; the largest single occupational category in the survey was security administrators or analysts, at 45% of the total. Senior security professionals (security managers, directors or CSO/CISOs) made up 25%, and the IT manager/director/CIO categories each represented slightly more than 10%. Network operations/systems administration personnel made up 20% of respondents, and compliance officer/auditors and consultants made up another 11% (see Figure 1).

Figure 1. Roles of Respondents

Numerous respondents in the broadly distributed “Other” category indicated they are also administrators, but many developers were also represented in the “Other” category. (Note that respondents were allowed to choose more than one option, representing an overlap in responsibilities in some cases.)
The Industries Represented

The types of organizations represented by the respondents skewed heavily toward multinational or other large enterprises. The single largest group of respondents (40%) work for large enterprises (defined as having 2,000 or more employees), and 14% work for Global 200 enterprises, which typically have more than 50,000 employees. The remaining respondents were more or less evenly distributed among small- and medium-size enterprises, as shown in Figure 2.

Figure 2. Size of Organization

Interestingly, though the CSCs were initially conceived as a framework oriented toward federal government IT, a broad range of industry verticals was represented in this survey, with government entities (20%) and financial institutions (17%) being the largest. Smaller but still significant industry segments were education, high tech, health care/pharmaceutical, manufacturing and energy/utilities (see Figure 3).

Figure 3. Industries Represented

This varied industry representation indicates that organizations of all types are finding uses for the Controls.
The Focus of SANS’ Analysis

For analytical purposes, SANS grouped the responses to the survey questions into six areas, which are essentially arranged chronologically:
1. Awareness – The levels in the organization that are aware of the CSCs
2. Perception of benefits and barriers to adoption – “Going-in” assumptions about both the gains expected from Controls adoption and the reasons the Controls couldn’t be adopted or wouldn’t work
3. Initial assessment – Whether and how an initial gap assessment was performed
4. Levels of adoption – The extent to which the Controls have been integrated with and optimized for IT and IT security processes
5. Implementation progress and experience – Which Controls have been implemented, and what roadmaps and tools were used
6. Measurement and metrics – How benefits have been quantified and where major benefits have been seen
Level of Awareness

Currently, 20 areas of security are listed in the Critical Security Controls, version 4.1. These Controls begin with inventory and assessment of devices and applications, and include perimeter defenses, vulnerability remediation, application security, incident response and more. Figure 4 lists each of the Controls in priority order.

Figure 4. Top 20 Critical Controls (20 Critical Security Controls for Effective Cyber Defense, version 4.1)
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Device Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Loss Prevention
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
As noted in the introduction, a large percentage of the survey respondents (73%) have adopted, or are planning to adopt, some or all of the Controls, and another 15% are aware of them but have not adopted any of them. Surveys on any topic tend to attract respondents who are familiar with that topic, but even when this fact is taken into account, a combined 88% represents a very high level of awareness.

This finding is consistent with many of the long-form responses to the last question on the survey—which asked for suggestions for improvements to the Controls effort—as well as with anecdotal information SANS has received at CSC-related briefings and meetings. For example, the Multi-State Information Sharing and Analysis Center (MS-ISAC)[3] has shown a very high level of awareness in U.S. state government agencies. The fact that the CSCs meet the need for a “lens” that focuses security efforts on the areas offering the highest payback against existing threats is clearly driving this high level of adoption.

The survey results also show significant awareness—and influence—by high-level decision makers, with CIOs displaying slightly higher awareness than CISOs. Almost one-third reported that CEOs/COOs are aware and supportive of the Controls, as shown in Figure 5.

Figure 5. High-Level Support

The low awareness reported by compliance managers may seem surprising, but it’s important to note that companies that match the survey respondents’ demographics often don’t have a formal chief compliance officer position. This same factor affects the reported level of privacy officer awareness. However, a more significant factor is that although security and privacy are intertwined, the CSC effort has not been directly focused on issues like disclosure, notification and other legal requirements that are top-of-mind for privacy officers. As stated earlier, the CSCs are focused on reducing the cost and complexities of IT security through automation and, ultimately, on improving risk posture.

Takeaway: The high degree of awareness by top-level decision makers presents an opportunity to leverage the CSCs to make meaningful long-term gains in the effective and efficient delivery of enterprise security.

[3] http://msisac.cisecurity.org
Perceived Benefits and Barriers to Adoption

One goal of the survey was to determine what benefits enterprises see in adopting the Critical Security Controls, as well as what barriers are preventing or slowing adoption.

Perceived Benefits

The CSC effort began as a way to prioritize the security tools that are most effective in detecting, mitigating or blocking current threats. That benefit has clearly come across to the respondents: The top three drivers for adopting the CSCs all relate to increasing visibility of attacks, improving response and reducing risk, as shown in Figure 6.

Figure 6. Drivers of Adoption of the Critical Security Controls (bar chart; percentage of respondents citing each driver). Drivers surveyed: to manage vulnerabilities/improve risk posture; a clearer picture of our risk posture; a better means to detect advanced attacks/improve response; increasing numbers of attacks attempted against our systems; rising number of intrusions discovered within our environment; to reconcile/augment other security frameworks or compliance schemes (e.g., FISMA, PCI, ISO); in response to internal group or agency directives (such as from DHS, OMB, headquarters); other.

Another major goal of the CSC effort has been to focus on threats first, and then to address compliance-driven requirements. Compliance should be focused primarily on reporting the results of a threat-focused approach to security rather than treating compliance itself as the primary goal. So, it’s no surprise that reconciling and augmenting compliance regimes and other security frameworks was the next most frequently cited driver for adopting the CSCs.

Only slightly more than 17% of the survey respondents cited internal directives as their major driver. This is actually higher than expected, because the CSCs are a community-driven, voluntary effort. They do not replace any compliance regime, and there is no compliance regime forcing businesses to adopt them. This makes the fact that almost one in five respondents do have internal policies driving their use rather impressive. However, if the gains realized by implementing the Controls are to become lasting, they must be embedded into formal policies and security program directives.

Takeaway: Due to all the publicity around advanced attacks, higher levels of awareness of risks mean gains for support of the CSCs. The use of the CSCs should be “baked into” updates to security architectures, policies and roadmaps.
Barriers to Adoption

To understand how to implement the Controls, it’s important to know what gets in the way of adopting them. According to the respondents, the two most significant barriers to CSC adoption (see Figure 7) are organizational problems (operational silos) and training issues.

Figure 7. Barriers to Adopting the Critical Security Controls

Many of the CSCs either are aimed at mitigating IT operations deficiencies (for example, configuration management, patch management and privilege management) or require integration with IT operations processes and systems (such as inventory, application development and need-to-know access). In order for security improvements to be made, security and IT operations must work together and have integrated processes.

The third most frequently cited barrier to adoption is the inability to prioritize which of the Controls to implement first. This might seem surprising, because the CSCs are numbered in attack mitigation priority order. However, the concern over prioritization highlights the fact that very few of the Controls actually stand alone: There are relationships between individual Controls, between Controls and other compliance drivers and between groups of the Controls—all constrained by the demands of legacy systems and limited budgets. These interactions are unique to each company and require individual prioritization efforts.

The perceived lack of planning or management capabilities was also frequently cited. This is a common problem with any attempt at change; organizations may have great implementation skills, but without planning strength and management systems, they calcify and find change difficult. It becomes much easier for them to focus on repeating the same compliance processes, even if those processes are not effective.

Takeaway: The best way to fight resistance to change is to gain high-level management support. Almost 55% of respondents indicated they have CIO awareness and support for the CSCs, and 32% have awareness at the CEO/COO level. Only 25% reported lack of that support as a problem, so CISOs should prioritize and leverage this high level of visibility to accelerate implementation of the Controls.
Assessment: Identifying the Gaps

Organizations would see significant benefits from starting with an initial gap assessment—because knowing which Controls to start with is perceived as such a barrier—and then implementing the Controls in risk-prioritized order. The survey asked the respondents how they performed an initial gap assessment. Of those who answered this question, only 13% have not performed gap assessments at all. The remainder reported that they were conducting gap assessments. Their responses, however, show a heavy reliance on manual processes for assessing the gaps between the current state of security and the Controls, as shown in Figure 8.

Figure 8. Means of Performing Initial Gap Assessments

Fewer than 3% of the respondents rely solely on automated tools, 27% are using only manual processes and 44% are using a combination of automated and manual tools—which means that more than 70% (the manual-only and combination groups together) are relying heavily on manual processes. There is a “Catch-22” effect at work here: Until an organization has mature security processes, it won’t be able to automate those processes using automated tools. However, without focusing on updating and automating the key threat-facing processes, organizations are often consumed with day-to-day “firefighting” and don’t have the time or resources to focus on process maturity.

It ultimately comes down to resources. No security organization can just let existing “fires” burn in order to improve processes—both tasks have to be tackled at the same time. This invariably requires increased effort, which requires approval from management. Obtaining this approval requires that the security organization convince management that there’s a problem that impacts the business and then demonstrate that the increased investment of resources will solve the problem in a cost-effective manner.
A traditional way around the first part of this problem is to use external consultancies to perform the gap assessment, but the survey results show that only 10% of the respondents have done so. This most likely reflects two factors: Budget concerns during the period of economic uncertainty leading up to the survey prevented many organizations from using outside consultants (SANS estimates that typically 25% of enterprises routinely use external consultancies for security assessments), and much of the community effort around the CSCs has come from end-user organizations and not from security services providers. In the first months of 2013, at SANS events and in other discussions, we have seen growth in consultancies focusing on the CSCs.

Takeaway: Organizations that have not conducted gap assessments, or have only ad hoc processes for doing so, should look to external consultancies that have embraced the CSCs (see www.sans.org/critical-security-controls/vendor-solutions). The engagement deliverables should include recommendations for automated tools for future self-assessment.

The second part of this problem will be addressed in the “Measurement and Metrics” section of this paper.
Levels of Adoption

A key goal of the survey was to determine where enterprises were in planning and implementing the CSCs.

Implementation Roadmaps

A large percentage of respondents have plans to adopt the Controls, and about 54% have some form of implementation roadmap in place. Only 18% have a complete roadmap, 27% have some parts of a roadmap defined and 9% are focusing on one or two Control areas in their roadmaps, as illustrated in Figure 9.

Figure 9. Use of Roadmaps for CSC Implementation

In keeping with the prioritized “secure a little, test a little” approach that drives the CSC effort, we don’t expect more than 25–30% of enterprises to ever complete a formal roadmap. The majority will focus their efforts on near-term implementations of the highest-priority Controls and on upgrading existing implementations of some of the lower-priority Controls. Roadmap efforts will be focused on the remaining Controls and on longer-term efforts where upgrading security controls will be tied to IT infrastructure upgrades and transitions.

The 13% of respondents who have not yet started to develop a roadmap will likely remain in the range of enterprises that will never formally put one together. Many of the remaining respondents who indicated that they are just starting are likely to require external consultancy support or additional personnel to begin developing a roadmap.
When respondents were asked whether they’ve actually implemented Controls, 22% of them indicated they have not implemented any of the Controls. Because the CSCs essentially represent a basic level of security “hygiene” to mitigate targeted threats, it would be deeply troubling if more than one out of five enterprises hadn’t implemented any of the Controls. However, other industry figures and anecdotal evidence show that, for example, market penetration of border defenses and firewalls is above 95%. Other long-form responses suggest that survey respondents were likely commenting on the low effectiveness of their existing Controls rather than on a complete lack of them.

Takeaway: Most enterprises should prioritize first upgrading or enhancing existing Controls to address identified threats in the short term and then move on to formal roadmaps. An enterprise that really hasn’t implemented any vulnerability assessment, antimalware or border defense should find Control 18 (Incident Response and Management) a good starting point—because its network has likely already been compromised.

Controls Being Implemented Now

A mature security program using the CSCs would have policy, automation and centralized management integrating all 20 Controls into all other elements of security. In another survey question concerning maturation of implementations, less than 10% of the respondents reported having reached this level across all Controls, but more than one-third reported having reached that level for some of the Controls (most likely the ones we call “Mature” and “Evolving” Controls in a question later in the survey). Less than one-third of respondents stated that “only a few” of their Controls are at the mature state, and these are most likely only the Mature Controls, such as desktop antimalware and border defense.

Just over 20% of the respondents indicated that they’re working on policy but haven’t yet reached the implementation stage for any of the Controls. This may indicate the phenomenon that is sometimes called “paralysis by analysis,” because none of the Controls requires any major changes to typical existing security policies.
Table 1 provides a ranking of the Controls survey respondents are already deploying—either as partial or full implementations. Counts are numbers of respondents; Weighted = Partial + 3 × Full.

Table 1. Critical Security Controls Deployed

Control | Partial | Full | Total | Weighted
Malware defenses | 122 | 126 | 248 | 500
Boundary defense | 99 | 125 | 224 | 474
Data recovery capability | 115 | 107 | 222 | 436
Secure configurations for network devices such as firewalls, routers, and switches | 119 | 104 | 223 | 431
Controlled use of administrative privileges | 131 | 92 | 223 | 407
Limitation/control of network ports, protocols and services | 127 | 88 | 215 | 391
Inventory of authorized and unauthorized devices | 172 | 71 | 243 | 385
Continuous vulnerability assessment and remediation | 136 | 82 | 218 | 382
Incident response and management | 121 | 86 | 207 | 379
Wireless device control | 119 | 83 | 202 | 368
Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers | 156 | 68 | 224 | 360
Controlled access based on the need to know | 136 | 72 | 208 | 352
Inventory of authorized and unauthorized software | 168 | 61 | 229 | 351
Account monitoring and control | 137 | 66 | 203 | 335
Secure network engineering | 123 | 67 | 190 | 324
Maintenance, monitoring, and analysis of audit logs | 144 | 53 | 197 | 303
Data loss prevention (DLP) | 121 | 54 | 175 | 283
Penetration tests and red team exercises | 129 | 49 | 178 | 276
Application software security | 146 | 37 | 183 | 257
Security skills assessment and appropriate training to fill gaps | 134 | 38 | 172 | 248
By weighting full deployment at three times partial deployment (“Weighted”) and then looking at the ratio of
full to partial, we broke the implementation level of the Controls down into different segments:
• Mature controls. Antimalware, boundary defense and data recovery show up with higher levels
of complete implementations. This isn’t surprising, because antivirus tools, firewalls and business
continuity/disaster recovery/continuity of operations (BC/DR/COOP) are the most mature areas
of security. Note that nearly half of the answers on malware cited only partial deployment, which
doesn’t align with the market realities that more than 95% of desktops and more than 90% of email
servers have antivirus software installed. With so many enterprises indicating a partial deployment
for antimalware tools, enterprises may be recognizing that advanced threat detection techniques are
needed to augment traditional signature-centric approaches. Similar responses around data recovery
likely represent movement toward cloud-based recovery capabilities as a way of reducing costs and
addressing mobility.
• Evolving controls. Controls such as those for controlling administrative privileges, limiting ports,
vulnerability assessment, inventory and account monitoring are basic security configuration practices.
However, these Controls show only medium levels of full adoption and high levels of partial adoption.
This result reflects the dynamic threat and vulnerability environment, as well as the impact that bring
your own device (BYOD) policies and the use of the cloud have had on how IT and security organizations
try to implement these Controls. Anecdotal evidence suggests that many enterprises have begun to
realize that vulnerability scanning on a quarterly basis, done in isolation from other security processes,
does not even come close to “continuous vulnerability monitoring,” and that realization is driving upgrades
and improvements.
• Immature controls. Controls like log monitoring, data loss prevention (DLP), penetration testing and
application security show low levels of full adoption and medium levels of partial adoption. These are
areas in which enterprises have frequently made investments, found the first generation of products
to be overhyped and often abandoned them. (Common examples are security information and event
management [SIEM] and DLP.) Another scenario may be that an enterprise did not have the trained
personnel to implement products (such as application security and pen testing tools) and resorted to
sporadic use of consultancies for assessments.
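The segmentation above rests on two figures per Control: the “Weighted” score (partial count plus three times the full count) and the ratio of full to partial deployments. The following Python, added here as an illustration and not part of the SANS report, recomputes the Weighted column from the Partial and Full counts in Table 1, checks that it reproduces every printed value, and ranks the Controls by full-to-partial ratio. The report does not state the ratio thresholds it used to draw the Mature/Evolving/Immature boundaries, so the code only ranks and leaves the cut points to the reader.

```python
"""Recompute Table 1's "Weighted" column and rank the Controls by their
full-to-partial ratio, the two figures the report uses to segment the
Controls into Mature, Evolving and Immature groups.

The counts are the survey figures printed in Table 1; the weighting
(one full deployment counts as three partial ones) is the one the report
states.  This is an added illustration, not code from the SANS report.
"""

from dataclasses import dataclass

FULL_WEIGHT = 3  # the report weights full deployment at three times partial

# (control, partial, full, weighted as printed) -- copied from Table 1
TABLE_1 = [
    ("Malware defenses", 122, 126, 500),
    ("Boundary defense", 99, 125, 474),
    ("Data recovery capability", 115, 107, 436),
    ("Secure configurations for network devices", 119, 104, 431),
    ("Controlled use of administrative privileges", 131, 92, 407),
    ("Limitation/control of network ports, protocols and services", 127, 88, 391),
    ("Inventory of authorized and unauthorized devices", 172, 71, 385),
    ("Continuous vulnerability assessment and remediation", 136, 82, 382),
    ("Incident response and management", 121, 86, 379),
    ("Wireless device control", 119, 83, 368),
    ("Secure configurations for hardware and software", 156, 68, 360),
    ("Controlled access based on the need to know", 136, 72, 352),
    ("Inventory of authorized and unauthorized software", 168, 61, 351),
    ("Account monitoring and control", 137, 66, 335),
    ("Secure network engineering", 123, 67, 324),
    ("Maintenance, monitoring, and analysis of audit logs", 144, 53, 303),
    ("Data loss prevention (DLP)", 121, 54, 283),
    ("Penetration tests and red team exercises", 129, 49, 276),
    ("Application software security", 146, 37, 257),
    ("Security skills assessment and appropriate training", 134, 38, 248),
]


@dataclass(frozen=True)
class ControlScore:
    control: str
    partial: int
    full: int
    total: int      # partial + full: number of respondents deploying at all
    weighted: int   # partial + FULL_WEIGHT * full
    ratio: float    # full / partial: higher means deployments tend to be complete


def score(control: str, partial: int, full: int) -> ControlScore:
    """Apply the report's weighting to one row of Table 1."""
    return ControlScore(
        control, partial, full,
        total=partial + full,
        weighted=partial + FULL_WEIGHT * full,
        ratio=full / partial,
    )


def scored_table() -> list[ControlScore]:
    return [score(c, p, f) for c, p, f, _ in TABLE_1]


def weighted_column_matches_report() -> bool:
    """True if recomputing the weighting reproduces every printed Weighted value."""
    return all(score(c, p, f).weighted == w for c, p, f, w in TABLE_1)


def is_sorted_by_weighted() -> bool:
    """True if Table 1 is listed in descending order of Weighted score."""
    ws = [s.weighted for s in scored_table()]
    return ws == sorted(ws, reverse=True)


def rank_by_ratio() -> list[ControlScore]:
    """Controls ordered from highest to lowest full:partial ratio."""
    return sorted(scored_table(), key=lambda s: s.ratio, reverse=True)


if __name__ == "__main__":
    print("Weighted column reproduced:", weighted_column_matches_report())
    print("Table sorted by Weighted:  ", is_sorted_by_weighted())
    print("\n ratio  weighted  control")
    for s in rank_by_ratio():
        print(f"{s.ratio:6.2f}  {s.weighted:8d}  {s.control}")
```

Running the script prints the ratio ranking: the three Controls the report calls Mature (boundary defense, malware defenses, data recovery) sit at the top with ratios near or above 1.0, while application security and skills training sit at the bottom with more than three partial deployments for every full one.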
Takeaway: Enhancing existing implementation of Mature and Evolving Controls
likely represents the most effective and efficient approach to increase resistance
to current advanced threats. But they’re not the only controls needed to reduce
risk and automate security processes. The Controls listed as Immature can provide
very high payback, but may require training of security staff or the use of external
professional services to ensure adequate return.
One of the most effective and efficient ways to implement the CSCs is to integrate them with existing
operational practices, such as configuration and asset management. However, almost 80% of the survey
respondents indicated that they are focusing on the Controls that make the most sense, while the next-largest
group, at 52%, is conducting outreach to other business groups to integrate the management of the Controls
into existing IT and security operations. (Note that respondents were allowed to choose “All that apply” for this
question.) Only 21% said they are actively developing connectors to other programs or processes, as shown in
Figure 10.
Figure 10. Level of Controls Integration
To gain long-term security benefit from the Controls, integration into formal repeatable business and IT
processes is critical. More than half of the respondents reported that they have made some effort to reach out
to other groups, and this should lead to higher levels of integration in the future.
Security organizations are also taking advantage of technology refresh cycles (47%) and identified gaps
(43%), both of which can be used to justify investment in technologies to implement the CSCs. Less than 10% of
the survey respondents indicated that they are using managed security service providers (MSSPs) to monitor
CSCs, indicating that they do not yet consider the CSC effort routine enough or mature enough to outsource.
We believe this will change rapidly over the next few years, as MSSPs begin to map their service offerings to
the CSCs, especially for mature Controls such as advanced boundary defense and antimalware.
Takeaway: Implementing the CSCs can deliver immediate benefits, but repeatable,
reliable long-term benefits will require integration into business, IT and security
management processes.
Implementation Progress and Experience
Tools to Manage
Figure 11 indicates the systems the survey respondents cited as already in place to manage Control areas,
along with the level of update or addition to capabilities needed to manage the Controls.
Figure 11. Tools Used to Manage Critical Control Areas
Boundary defense, endpoint protection and vulnerability assessment showed the lowest levels of
enhancement, as well as high legacy levels. SIEM/log management and application security were reported
at significantly lower legacy levels, and both showed high levels of updating needed. Many enterprises
focused their initial SIEM deployments on compliance-driven reporting, and these deployments likely aren’t
scalable enough to support enterprisewide continuous monitoring and security analytics. Similarly, secure
development life cycles put in place for traditional client/server apps often break when the application
developers’ focus moves to mobile and cloud-based apps that require more rapid development cycles.
Security intelligence and analytics, data protection and network behavior analysis came in at much lower legacy
levels, with even higher levels of update and addition, indicating that these are the least mature areas overall.
Takeaway: Enterprises are planning to take advantage of near-term opportunities
to upgrade SIEM and application security capabilities as part of their efforts to
deploy the CSCs. More advanced capabilities, such as security analytics, DLP,
network behavior analysis and network forensics, represent longer-term initiatives.
In at least one respect, the world of the CSCs is not very different from the broader security world:
Spreadsheets still dominate as the reporting and analysis tool of choice, according to the survey responses.
However, commercial reporting tools were the next most frequently cited, and were the highest reported as
being planned for use in the next 12 months, as shown in Figure 12.
Figure 12. Type of Reporting
Homegrown dashboards were the next most frequent choice for the next 12 months, at almost twice the level
of spreadsheets.
Takeaway: As implementations of the CSCs mature, demand for commercial
reporting tools and dashboards will grow.
Measurement and Metrics
Systemic Improvements: The Ultimate Goal
The goal for implementing the Critical Security Controls is systemic improvement through assessment,
remediation and improved/streamlined system defenses—and the documentation of these improvements
then used to satisfy compliance reporting requirements.
Security managers have historically reported that what they do reduces risks, but have had problems
quantifying that reduction. That trend continues here, with almost 80% of the survey respondents who
have implemented the Controls believing they have reduced risk, but less than 25% able to quantify that
improvement in risk posture. The rest were uncertain (13%) or didn’t quantify their security postures (8%).
When asked about specific improvements and benefits derived from the Controls they have implemented so
far, respondents cited risk reduction, improvements to risk posture and improved situational awareness as
their most important benefits (see Figure 13).
Figure 13. Benefits of Controls Implemented
These results reflect, once again, a strong belief that a major benefit of the CSCs lies in risk reduction (58%) and
improvements to overall risk posture (even though only 24% could quantify this, as shown in the preceding
section). Compliance benefits ranked slightly higher than those from threat mitigation.
As an example of the comparative costs of CSC-related risk reduction, SANS recently examined a security
incident in which Idaho State University was fined $400K by the Department of HHS for not noticing firewall
policy changes that resulted in the potential exposure of personal health information for 17,500 patients.4
We estimated the overall cost of that incident as roughly $2M, whereas the implementation of a single CSC
(Critical Security Control 10: Secure Configurations for Firewalls, Routers, and Switches), at an estimated cost of
$75,000, would have avoided the incident and attendant costs.
Takeaway: One of the major benefits of mature use of the CSCs is that it allows
auditors to focus their compliance monitoring efforts on those Controls that have
the most impact in terms of vulnerability reduction and threat mitigation. The
survey results show that the respondents appear to be achieving that synergy.
Enhancing the Value of the CSCs
The last question in the survey allowed for free-form answers, and 123 respondents took the time to give their
suggestions on how to improve the CSC effort. Most of their responses concerned benchmarking, making the
Controls interactive and adding the ability to map to other requirements, such as the U.S. Federal Information
Security Management Act (FISMA). Other respondents asked for better statistical interfaces and more real-life case
studies involving the Controls. (More case studies do exist, and they’re being added to the SANS Reading Room.)5,6
Here are some of the most commonly cited responses:
1. Show benchmarks and metrics of successful CSC implementations.
2. Provide more information on case studies and best practices around implementation and operation.
3. Show links to and integration with other compliance regimes and security frameworks.
4. Provide more information on products, tools, and templates that help implement the CSCs.
5. Show dashboards used for ongoing monitoring of effectiveness of the Controls.
6. Provide tailored versions of the Controls for different verticals, different business priorities, etc.
SANS is also mapping the Controls to tools in a poster that it updates annually.7 Some vendors are also
developing tools that include compliance components for the CSCs alongside the compliance modules they
already include (for example, for FISMA and the Sarbanes-Oxley Act). They should also be integrating
dashboard reports and tailored versions based on industry verticals.
Takeaway: Organizations are addressing many of the Controls by developing tools
and middleware for their own uses. However, tool vendors are also integrating more
functionality and templates into their products. SANS hopes that in 2014, when this
survey is revisited, more of these tools and metrics will be in place.
4 www.sans.org/security-trends/2013/05/30/analyzing-the-cost-of-a-hipaa-related-breach-through-the-lens-of-the-critical-security-controls
5 www.sans.org/reading_room/analysts_program/implementing-critical-security-controls.pdf
6 www.sans.org/reading_room/analysts_program/mcAfee_next_generation.pdf
7 www.sans.org/critical-security-controls/spring-2013-poster.pdf
Conclusion
The survey results show that the CSCs have quickly reached a high level of visibility and, crucially, have
attention and support at high levels within enterprises.
There are many partial CSC implementation efforts currently under way. Many of those efforts focus on
upgrading earlier implementations of mature security controls, such as border defenses, endpoint protection
and vulnerability assessment tools, to make them more effective against advanced threats. Other areas, such
as SIEM, antimalware and application security, require investments in new skills or new products to reduce the
likelihood of breaches.
Enterprises are looking at more advanced technologies as well, but they are assigning high priority to more
visibility into successful implementations of the CSCs and effective benchmarks and metrics to measure
and demonstrate benefit. Because the CSC effort is community driven, SANS believes we will see increased
information sharing across the CSC community of products that work, processes that scale, awareness
approaches that do change behavior and metrics that do demonstrate to management the return on
investment provided by implementing the CSCs.
Within that broad community, we also expect to see vertical-specific tailoring of the priority of Controls and
of the ways to overcome barriers to adoption. There are already vibrant vertical efforts in federal and state
government and industrial applications, and growing efforts in the health care and retail industries.
Compliance regimes are invariably rigid, top-down structures, whereas the CSC effort is purposely bottom-up
and is continually being updated. While that has obvious benefits, it also relies on a community effort to
succeed. This survey shows that the required community effort is under way and is already beginning to
drive changes.
SANS and the survey sponsors invite you to participate in the continuing process.
7 www.sans.org/critical-security-controls/winter-2012-poster.pdf
About the Author
John Pescatore joined SANS in January 2013, with 35 years of experience in computer, network and
information security. He was Gartner’s lead security analyst for more than 13 years, working with global
5000 corporations, government agencies and major technology and service providers. In 2008, he
was named one of the top 15 most influential people in security and has testified before Congress on
cybersecurity.
Prior to joining Gartner Inc. in 1999, John was senior consultant for Entrust Technologies and Trusted
Information Systems, where he started, grew and managed security consulting groups focusing on
firewalls, network security, encryption and public key infrastructures. Prior to that, he spent 11 years with
GTE developing secure computing and telecommunications systems. In 1985 he won a GTE-wide Warner
Technical Achievement award.
John began his career at the National Security Agency, where he designed secure voice systems, and the
United States Secret Service, where he developed secure communications and surveillance systems—and
the occasional ballistic armor installation. He holds a bachelor’s degree in electrical engineering from the
University of Connecticut and is an NSA-certified cryptologic engineer. He is an Extra class amateur radio
operator, callsign K3TN.
SANS would like to thank this survey’s sponsor: