Cybercriminals most likely to be caught on servers and networks

Sophos, a global leader in network and endpoint security, has announced the findings of its global survey, 7 Uncomfortable Truths of Endpoint Security, which has revealed that IT managers are more likely to catch cybercriminals on their organisation’s servers and networks than anywhere else.

In fact, IT managers discovered 37% of their most significant cyberattacks on their organisation’s servers and 37% on its networks. Only 17% were discovered on endpoints and 10% were found on mobile devices. The survey polled more than 3,100 IT decision makers from mid-sized businesses in 12 countries.

Chester Wisniewski, Principal Research Scientist, Sophos, said: “Servers store financial, employee, proprietary and other sensitive data, and with stricter laws like GDPR that require organisations to report data breaches, server security stakes are at an all-time high.

“It makes sense that IT managers are focused on protecting business-critical servers and stopping attackers from getting on the network in the first place, and this leads to more cybercriminal detections in these two areas.

“However, IT managers can’t ignore endpoints because most cyberattacks start there, yet a higher than expected number of IT managers still can’t identify how threats are getting into the system and when.”

A total of 20% of IT managers who fell victim to one or more cyberattacks last year can’t pinpoint how the attackers gained entry, and 17% don’t know how long the threat was in the environment before it was detected, according to the survey.

To improve this lack of visibility, IT managers need endpoint detection and response (EDR) technology that exposes threat starting points and the digital footprints of attackers moving laterally through a network.

“If IT managers don’t know the origin or movement of an attack, then they can’t minimise risk and interrupt the attack chain to prevent further infiltration,” said Wisniewski.

“EDR helps IT managers identify risk and put a process in place for organisations at both ends of the security maturity model. If IT is more focused on detection, EDR can more quickly find, block and remediate; if IT is still building up a security foundation, EDR is an integral piece that provides much needed threat intelligence.”

On average, organisations that investigate one or more potential security incidents each month spend 48 days a year (four days a month) investigating them, according to the survey. It comes as no surprise that IT managers ranked identification of suspicious events (27%), alert management (18%) and prioritisation of suspicious events (13%) as the top three features they need from EDR solutions to reduce the time taken to identify and respond to security alerts.

“Most spray and pray cyberattacks can be stopped within seconds at the endpoints without causing alarm. Persistent attackers, including those executing targeted ransomware like SamSam, take the time they need to breach a system by finding poorly chosen, guessable passwords on remotely accessible systems (RDP, VNC, VPN, etc.), establish a foothold and quietly move around until the damage is done,” added Wisniewski.

“If IT managers have defence-in-depth with EDR, they can also investigate an incident more quickly and use the resulting threat intelligence to help find the same infection across an estate.

“Once cybercriminals know certain types of attacks work, they typically replicate them within organisations. Uncovering and blocking attack patterns would help reduce the number of days IT managers spend investigating potential incidents.”

Chester Wisniewski, Principal Research Scientist, Sophos

Issue 12 | 59 | www.intelligentciso.com