
CYBER THREAT INTELLIGENCE REPORT

VOLOGY.COM | 888.808.2199


Through a combination of expansive managed security solutions, professional IT security services and our 24/7/365 U.S.-based Security Operations Center, Vology provides a comprehensive cybersecurity program to mitigate the vulnerabilities of organizations’ critical infrastructure and intellectual property.

Reducing the risks caused by cyber threats for our customers is our most important task, and understanding the trends we uncover in the analysis of their networks allows us to focus our efforts and provide as secure an IT environment for them as possible.

Prior to developing an all-encompassing, customized security program for each customer, Vology will, in many cases, perform a Cyber Threat Assessment Program (CTAP). The CTAP validates the customer’s network security accuracy, analyzes application traffic, assesses user productivity and monitors network performance — all at no cost to the customer, and is completed within five to seven days. The results of the CTAP are then presented in a comprehensive report that details the customer’s network security posture and network activity, paving the way for the development of a wide-ranging security solution.

Vology’s Cyber Threat Intelligence Report presents a cross-section of CTAP results from customers’ networks to provide insight into trends, common vulnerabilities and other data potentially threatening your current security stance.

To have a Vology CTAP performed on your network to better understand your security posture and network performance, contact your Vology representative today at 888-808-2199, or visit us at vology.com.


Average Number of IPS Events

An Intrusion Prevention System (IPS) is a threat prevention/security technology that monitors traffic flow through a network and detects potential vulnerability exploits. In order to attempt to gain access to and control of an application or machine, attackers direct malicious inputs at a target application or service. Each such directed input that the IPS detects is counted as one IPS event.

Across our data set, the average number of IPS events detected was 220,619 over a four-day period, or 55,154 per day. Forty-three percent of organizations were above 100,000 daily events, and twenty-nine percent were under 10,000 daily events. According to an industry-leading security product manufacturer and threat intelligence agency, the average across all industries is 18,269 daily events. Fifty-seven percent of our data set is above that average. This number underscores the fact that most companies do not have clear insight into what is actually happening inside their networks, nor do they have the appropriate tools to identify and remediate the threats.

% of Organizations by Number of Daily IPS Events

  Daily IPS events     % of organizations
  >100,000             43%
  50,000-100,000       14%
  25,000-50,000        14%
  5,000-25,000         29%
  <5,000                0%

Application Vulnerability Exploits

Application vulnerabilities involve a weakness or system flaw in an application. These vulnerabilities can be exploited to compromise security and can be caused by several issues, including weak or invalid form inputs, web server misconfiguration and other application design flaws. There are numerous ways attackers can take advantage of application vulnerabilities, with severity levels from 1 to 5 indicating how serious the vulnerability is. Looking at the most severe — levels 3-5 — our data showed all organizations had at least one Severity-5 exploit, with an average of four. Forty-three percent of organizations tested had more than four Severity-5 exploits.


86% of organizations tested had at least one Severity-4 exploit, while only 14% had more than two. Likewise, 86% of organizations had at least one Severity-3 exploit, with 28% having more than two.

% of Organizations with Severity 3-5 App Vulnerability Exploits

  Severity level   % of organizations with at least one exploit
  Level 5          100%
  Level 4           86%
  Level 3           86%

% of Organizations with Severity 3-5 App Vulnerability Exploits

  Number of exploits   % of organizations
  >10                  29%
  7-10                 43%
  4-6                  14%
  <3                   14%


Application Vulnerability Attacks

Application vulnerabilities, which are also known as IPS attacks, act as entry points used to bypass security infrastructure and allow potential attackers a foothold into your network. Because unpatched hosts are most likely the result of either overlooked updates or the lack of a patch management process, identifying them is critical to protecting against application vulnerability attacks.

Across our data set, organizations suffered an average of 26 application vulnerability attacks during their CTAP. Twenty-eight percent were attacked more than 26 times, forty-three percent between 20 and 25 times and twenty-nine percent fewer than 20 times.

% of Organizations by Number of Application Vulnerability Attacks

  Number of attacks   % of organizations
  >40                 43%
  30-40               14%
  20-30               14%
  10-20               29%
  <10                  0%

Malicious Websites Detected

Malicious websites are sites known to host software and/or malware that is designed to covertly collect information, damage the host computer or otherwise manipulate the target machine without the user’s consent.

Generally, visiting a malicious website is a precursor to infection and represents the initial stages of the kill chain. Blocking malicious sites and/or instructing employees not to visit or install software from unknown websites is the best form of prevention.

During the time of their CTAP, forty-three percent of all organizations had malicious websites detected, with an average of 23 sites detected per organization.


Phishing Websites

Similar to malicious websites, phishing websites emulate the web pages of legitimate websites to collect personal or private information (i.e. logins, passwords, etc.) from end users. Phishing websites are often linked to within unsolicited emails sent to unsuspecting employees. A skeptical approach to emails asking for personal information and hovering over links to determine validity can prevent most phishing attacks.

Like the results for malicious websites detected, forty-three percent of organizations had positive results for phishing websites, with an average of six per organization.

Proxy Applications Detected

These applications are used — usually intentionally — to bypass in-place security measures. For instance, users may circumvent a firewall by disguising or encrypting external communications. In many cases, this can be considered a willful act and a violation of corporate use policies.

Eighty-six percent of organizations tested showed at least one instance of a proxy application. The average number of applications detected was five, with fourteen percent of organizations showing ten or more.

Remote Access Applications Detected

Remote access applications are often used to access internal hosts remotely, thus bypassing Network Address Translation (NAT) or providing a secondary access path (e.g. a backdoor) to internal hosts. In a worst-case scenario, remote access can be used to facilitate data exfiltration and corporate espionage activity. Many times, the use of remote access is unrestricted, and changes to internal corporate use policies should be put into practice. Further, remote access protocols are especially dangerous with respect to separated employees who may have had elevated privileges (i.e. systems administrators) or access to ancillary account credentials such as service accounts. These applications are easily installed and configured, and they are highly susceptible to being used for exfiltration of corporate data, intellectual property or customer information.

All organizations conducting a CTAP had remote access applications detected. The average number of applications per organization was five. Forty-three percent of organizations had seven or more.


P2P and File Sharing Applications

Peer-to-peer (P2P) and file sharing applications can be used to bypass existing content controls and lead to unauthorized data transfer and data policy violations. Policies on appropriate use of these applications need to be implemented.

Forty-three percent of organizations in the data set had at least one instance of a P2P or file sharing application found during their CTAP. The average across those organizations was one.

Network Usage

For our data set, the CTAP results also provide the top cloud, infrastructure, social media and streaming services across each organization. This data provides IT managers and executive management a glimpse into potential application usage that can be used to circumvent or even replace corporate infrastructure already in use. Knowing what applications are being accessed can help ensure sensitive corporate data is not transferred to the Cloud and/or exposed if the cloud provider’s security infrastructure is breached.

Cloud SaaS — % of time App appears in top 3 highest usage

  Application   % of organizations
  YouTube       71%
  Office 365    43%
  Facebook      43%
  Amazon        43%
  Logmein       29%
  WebEx         29%
  Netflix       14%
  LinkedIn      14%
  DropBox       14%

Cloud IaaS — % of time appears in top 3 highest usage

  Provider      % of organizations
  Amazon        100%
  GoDaddy        86%
  Azure          57%
  Meraki         43%
  Trend Micro    14%

Social Media — % of time appears in top 3 highest usage

  Service       % of organizations
  Facebook      100%
  Twitter        86%
  LinkedIn       71%
  Instagram      29%
  Snapchat       14%

Streaming Media — % of time appears in top 3 highest usage

  Service       % of organizations
  YouTube       71%
  RTCP          57%
  Netflix       43%
  Vimeo         43%
  Pandora       29%
  WMP           29%
  Flowplayer    14%



Top 10 Application Vulnerabilities

Application vulnerabilities can be exploited to compromise the security of your network. Our industry partner’s research team analyzes these vulnerabilities and then develops signatures to detect them. We currently leverage a database of more than 5,800 known application threats to detect attacks that evade traditional firewall systems. Below are the most frequent vulnerabilities by type for the CTAP data set:

Top Application Vulnerabilities by Type

  Vulnerability type                  % of detections
  Buffer Errors                       22%
  Information Disclosure              14%
  DoS                                 12%
  Code Injection                      10%
  Access Control                       7%
  Botnet                               5%
  Improper Authentication              4%
  Malware                              4%
  Remote Code Execution                4%
  Fragment Anomaly                     3%
  Password Security Bypass             3%
  Privilege/Access Control Anomaly     3%
  Brute Force                          1%
  Buffer Overflow                      1%
  Code Execution                       1%
  DNS Anomaly                          1%
  Privilege Elevation                  1%
  SYN                                  1%
  Permission                           1%

Vology’s Cyber Threat Intelligence Report is not intended to be a replacement for a comprehensive test of your IT network. It provides a better understanding of current threats across a number of Vology customers representing many industries, and offers insight into trends, common vulnerabilities and other potentially threatening IT issues you should be aware of.

To schedule your own Vology CTAP to better understand your security posture and network performance, contact your Vology representative today at 888-808-2199 or visit us at vology.com.

ABOUT VOLOGY

Vology, a leading Managed IT, Security and Cloud Services Provider, positions companies for growth by powering digital transformation and delivering custom solutions. Vology currently monitors, manages and maintains 260,000 devices at 32,000 customer sites, providing 24/7/365 support through its U.S.-based Network and Security Operations Centers. Vology is ranked as the No. 21 Managed Services Provider in the world on the 2018 MSP 501 list with access to 2,200 fully vetted field technicians nationwide.

GET IN TOUCH

888.808.2199 | [email protected]