© 2016 Market Connections, Inc. SolarWinds ® Federal Cybersecurity Survey Summary Report 2016 © 2016 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

SolarWinds Federal Cybersecurity Survey 2016


SOLARWINDS FEDERAL CYBERSECURITY SURVEY SUMMARY REPORT | MARKET CONNECTIONS, INC. | 703.378.2025 | © 2016 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

BACKGROUND AND OBJECTIVES

SolarWinds contracted Market Connections to design and conduct an online survey among 200 federal government IT decision makers and influencers in December 2015 and January 2016. SolarWinds was not revealed as the sponsor of the survey.

The main objectives of the survey were to:

• Determine challenges faced by IT professionals to prevent IT security threats

• Quantify sources and types of IT security threats and what makes agencies more or less vulnerable

• Measure changes in investment of resources in addressing threats

• Determine the IT security tools used to mitigate risk and the time it takes to detect security events and compliance issues

• Address the effects of IT modernization and consolidation efforts on agency IT security challenges

Throughout the report, notable significant differences are reported.

Due to rounding, graphs may not add up to 100%.

RESPONDENT CLASSIFICATIONS

Organizations Represented

• If a respondent did not work for any of the specific organization types noted below, the survey was terminated.

Which of the following best describes your current employer? What agency do you work for? (N=200)

Federal Legislature: 2%
Federal Judicial Branch: 2%
Intelligence Agency: 2%
Department of Defense or Military Service: 43%
Federal, Civilian or Independent Government Agency: 50%

Sample Organizations Represented (In Alphabetical Order)

Air Force
Army
Department of Agriculture (USDA)
Department of Commerce (DOC)
Department of Defense (DOD)
Department of Energy (DOE)
Department of Health and Human Services (HHS)
Department of Homeland Security (DHS)
Department of Labor (DOL)
Department of State (DOS)
Department of the Interior (DOI)
Department of Transportation (DOT)
Department of Treasury (TREAS)
Department of Veteran Affairs (VA)
General Services Administration (GSA)
Judicial/Courts
Marine Corps
National Science Foundation (NSF)
Navy
Office of Personnel Management (OPM)
Social Security Administration (SSA)
US Postal Service (USPS)

Decision Making Involvement

• All respondents are knowledgeable or involved in decisions and recommendations regarding IT operations and management and IT security solutions and services.

How are you involved in your organization’s decisions or recommendations regarding IT operations and management and IT security solutions and services? (select all that apply)

Other involvement: 5%
Make the final decision: 20%
Develop technical requirements: 45%
Evaluate or recommend firms: 46%
Manage or implement security/IT operations: 50%
On a team that makes decisions: 54%

Note: Multiple responses allowed. N=200

Job Function and Tenure

• A variety of job functions and tenures are represented in the sample, with most being IT management and working at their agency for over 20 years.

How long have you been working at your current agency? (N=200)

Tenure
Less than 1 Year: 1%
1-2 Years: 3%
3-4 Years: 10%
5-9 Years: 20%
10-14 Years: 20%
15-20 Years: 16%
20+ Years: 30%

Which of the following best describes your current job title/function? (N=200)

Job Function
Other: 16% (examples include: Director of Operations, Management Analyst, Program Manager)
CSO/CISO: 2%
CIO/CTO: 4%
Security/IA director or manager: 6%
Security/IA staff: 8%
IT/IS staff: 27%
IT director/manager: 36%

IT MODERNIZATION AND CONSOLIDATION

Government IT Modernization

• Almost half say that the government’s IT modernization and consolidation efforts have resulted in an increase in security challenges.

• Less than one-quarter believe that security challenges have decreased.

In your opinion, do you think the government’s IT modernization and consolidation efforts have resulted in an increase or decrease in the IT security challenges your agency faces? (N=200)

Increase: 48%
Decrease: 20%
No effect: 32%

Increased Security Challenges

• Incomplete transitions during consolidation and modernization projects, complex enterprise management tools and the lack of familiarity with new systems are the main reasons respondents believe IT modernization efforts have resulted in increased security challenges.

What are the reasons you believe cyber security challenges have increased as a result of the government's IT modernization and consolidation efforts? (select all that apply)

Increased IT Challenges
Other: 5%
Too much consolidation: 29%
Increased compliance reporting: 31%
Cloud services adoption: 35%
Organizational changes have disrupted IT processes: 36%
Lack of familiarity with new systems: 44%
Complex enterprise management tools: 46%
Incomplete transitions and difficulty supporting everything: 48%

Note: Multiple responses allowed. N=95

Decreased Security Challenges

• Replacement of legacy software and equipment are the main reasons respondents believe IT modernization efforts have resulted in decreased security challenges.

What are the reasons you believe cyber security challenges have decreased as a result of the government's IT modernization and consolidation efforts? (select all that apply)

Decreased IT Challenges
Reduced need and time for training: 15%
Fewer IT management tools with fewer interfaces: 25%
Reduced number of devices to support: 25%
Cloud services adoption: 32%
Fewer configurations to manage and support: 40%
Standardization simplifies admin/mgmt: 42%
Legacy equipment replacement: 52%
Legacy software replacement: 55%

Note: Multiple responses allowed. N=40

IT SECURITY OBSTACLES, THREATS AND BREACHES

IT Security Obstacles

• Budget constraints top the list of significant obstacles to maintaining or improving agency IT security. This has decreased from 40% in the SolarWinds Cybersecurity Survey conducted Q1 2014.

What is the most significant high-level obstacle to maintaining or improving IT security at your agency? (N=200)

Other: 2%
Lack of clear standards: 4%
Lack of technical solutions available at my agency: 4%
Lack of training for personnel: 6%
Lack of manpower: 7%
Lack of top-level direction and leadership: 7%
Inadequate collaboration with other internal teams or departments: 12%
Competing priorities and other initiatives: 14%
Complexity of internal environment: 16%
Budget constraints: 29%

January 2014: Budget constraints 40%

Sources of Security Threats

• Careless/untrained insiders, foreign governments and the general hacking community are noted as the largest sources of security threats at federal agencies.

What are the greatest sources of IT security threats to your agency? (select all that apply)

None of the above: 1%
Unsure of these threats: 1%
Other: 2%
Industrial spies: 16%
For-profit crime: 18%
Malicious insiders: 22%
Terrorists: 24%
Hacktivists: 38%
General hacking community: 46%
Foreign governments: 48%
Careless/untrained insiders: 48%

Defense vs. Civilian (chart legend: marker = statistically significant difference):
Foreign governments: Defense 62%, Civilian 37%
General hacking community: Defense 35%, Civilian 56%
For-profit crime: Defense 12%, Civilian 24%

Note: Multiple responses allowed. N=200

Sources of Security Threats - Trend

• There has been no significant reduction in the various sources of security threats. Since 2014, respondents indicate significant increases in threats from foreign governments and hacktivists.

What are the greatest sources of IT security threats to your agency? (select all that apply)

Careless/untrained insiders: 2014 42%, 2015 53%, 2016 48%
Foreign governments: 2014 34%, 2015 38%, 2016 48%
General hacking community: 2014 47%, 2015 46%, 2016 46%
Hacktivists: 2014 26%, 2015 30%, 2016 38%
Terrorists: 2014 21%, 2015 18%, 2016 24%
Malicious insiders: 2014 17%, 2015 23%, 2016 22%
For-profit crime: 2014 11%, 2015 14%, 2016 18%
Industrial spies: 2014 6%, 2015 10%, 2016 16%

(Chart legend: markers denote statistically significant differences and the top 3 sources.)

Note: Multiple responses allowed. N=200

IT Breaches

• IT professionals consider human error as the most common security breach to occur in their agency in the past year.

Which of the following types of IT security breaches have occurred in your agency in the past year? (select all that apply)

Security Breaches Occurred
Unaware of a breach: 3%
Other: 4%
Denial of service: 25%
Privileged account abuse: 30%
Theft of IT equipment: 36%
Malware: 50%
Phishing: 58%
Human error: 68%

Number of Different Types of Breaches Indicated
None: 3%
1: 20%
2: 27%
3: 21%
4: 16%
5 or more: 14%

Note: Multiple responses allowed. N=200

Consequences of IT Breaches

• Personally identifiable information data theft is the most common consequence followed by service outages.

Which of the following has your agency experienced in the last year due to security breaches? (select all that apply)

Consequences of Security Breaches
None of the above: 2%
Other: 3%
Financial fraud: 8%
Modification of databases: 12%
Agency data theft: 25%
Misuse of systems: 36%
Service degradation: 39%
Service outage: 40%
PII data theft: 44%

Number of Different Types of Consequences Indicated
None: 2%
1: 32%
2: 35%
3: 23%
4: 6%
5 or more: 2%

Note: Multiple responses allowed. N=194

Vulnerability to Attacks

• The majority feel their agency is as vulnerable to attacks today as it was a year ago.

• However, more feel that the agency is less vulnerable as opposed to more vulnerable.

In your opinion, is your agency more or less vulnerable to IT security attacks than it was a year ago? (N=200)

Scale from 1 (Less Vulnerable) through 3 (About the Same) to 5 (More Vulnerable):
1: 8%
2: 20%
3: 55%
4: 10%
5: 6%
Mean: 2.87

Reasons Agencies are More Vulnerable

• An increase in the sophistication of threats is the top factor that makes an agency more vulnerable to IT security attacks than a year ago.

What makes your agency more vulnerable to IT security attacks than a year ago? (select the top three)

Other: 2%
Increased ad-hoc or rogue configuration changes: 3%
Increased reliance on external vendors: 9%
Increased use of technology not supported by the IT department: 9%
Use or increased use of public cloud: 10%
Increased attack surface: 10%
Increased amount of data: 16%
Lack of end user security training: 16%
Internal bureaucracy: 17%
Decrease in funding for IT security: 17%
Increased use of mobile devices: 20%
Increased network complexity: 22%
End users do not follow set policies: 24%
Increased volume of attacks: 26%
Increased sophistication of threats: 44%

Defense vs. Civilian (chart legend: marker = statistically significant difference):
Increased sophistication of threats: Defense 37%, Civilian 50%
End users do not follow set policies: Defense 32%, Civilian 18%

Note: Multiple responses allowed. N=200

Reasons Agencies are Less Vulnerable

• Increased use of Smart Cards for dual-factor authentication is given the most credit for making agencies less vulnerable to IT security attacks than a year ago.

What makes your agency less vulnerable to IT security attacks than a year ago? (select the top three)

Other: 2%
Improved BYOD policy: 6%
Improved analysis of logs or user-behavior patterns: 8%
Improved IT asset management system: 14%
Implemented or improved an identity management system: 16%
IT/data center consolidation: 18%
Improved or increased security training for agency personnel: 19%
Implemented configuration change management tools: 20%
Introduced or expanded the use of data encryption: 22%
Standardized network configurations and monitoring: 22%
Improved patch management: 27%
Improved application security: 28%
Increased use of Smart Cards for dual-factor authentication: 38%

Defense vs. Civilian (chart legend: marker = statistically significant difference):
Increased use of Smart Cards for dual-factor authentication: Defense 26%, Civilian 49%

Note: Multiple responses allowed. N=200

INVESTMENT

IT Security Investment

• Half say their agency will increase investment in security tools or solutions in 2016; however, that will not generally translate into investment in staff.

How will your organization’s investment in resources for IT security in 2016 compare with 2015? (N=200)

Staff: Increase 29%; Remain the same 48%; Decrease 18%; Don't know 5%
Security tools or solutions: Increase 51%; Remain the same 33%; Decrease 12%; Don't know 4%

SECURITY PRODUCT USE

Current Use of Security Products

• Smart Card/Common Access Cards are used by almost three-fourths of IT professionals.

Which of these security products and practices are currently in use in your organization? (select all that apply)

None of the above: 1%
File integrity monitoring: 34%
Security information event management (SIEM): 36%
Messaging security: 43%
Network admission control (NAC) solutions: 50%
Endpoint security software: 58%
Identity and access management tools: 59%
Web application security tools: 60%
Configuration management: 62%
Patch management software: 62%
Smart Card/Common Access Card: 72%

Defense vs. Civilian (chart legend: marker = statistically significant difference):
Web application security tools: Defense 52%, Civilian 66%

Note: Multiple responses allowed. N=200

Most Valuable Security Products

• Smart Card/Common Access Card for authentication is by far the most valuable security product used by federal IT professionals.

Please rank the top three security products you find most valuable.

Percent that Selected Each Product as Most Valuable
Network admission control (NAC): 1%
File integrity monitoring: 1%
Messaging security: 3%
Web application security: 4%
SIEM: 4%
Configuration management: 5%
Patch management: 7%
Endpoint security: 8%
Identity and access management: 14%
Smart Card / Common Access Card: 52%

Average Rank (Rank 1-3, 1 is Most Valuable)
Smart Card / Common Access Card: 1.29
Identity and access management tools: 1.79
Messaging security software: 2.09
Patch management software: 2.09
Endpoint security software: 2.15
Configuration management software: 2.28
Security information event management (SIEM) software: 2.30
Web application security tools: 2.30
Network admission control (NAC) solutions: 2.37
File integrity monitoring software: 2.47

Note: Multiple responses allowed. N=166

Number of Security Products Used

• IT professionals say they use approximately five out of the ten listed products or practices included on the survey.

Which of these security products and practices are currently in use in your organization?

[Chart: distribution of respondents by number of security products in use, 1 to 10]

Mean: 5.35

Note: Multiple responses allowed. *See slide 18 for complete list of products on survey. N=200

IT SECURITY CHANGES

IT Security Changes

• The plurality believe that time to detection and response has decreased in 2015, and the number of IT security incidents has increased.

Compared to 2014, how did each of the following change in your agency in 2015? (N=200)

Time to detection: Increased 20%; Remained the same 35%; Decreased 38%; Don't know 8%
Time to response: Increased 22%; Remained the same 33%; Decreased 38%; Don't know 7%
Time to resolution: Increased 26%; Remained the same 45%; Decreased 21%; Don't know 8%
Number of IT security incidents: Increased 38%; Remained the same 34%; Decreased 20%; Don't know 8%

IT Security Changes (Defense vs. Civilian)

• Though defense and civilian IT professionals agree on the trend in the number of incidents, they differ on their responses to security incidents.

• A significantly greater proportion of civilian IT professionals have seen increased response and detection times, while a significantly greater proportion of defense IT professionals have seen decreases in response and detection times.

Compared to 2014, how did each of the following change in your agency in 2015? (N=200)

Values are Defense / Civilian (chart legend: marker = statistically significant difference):
Number of IT security incidents: Increased 37% / 39%; Remained the same 33% / 34%; Decreased 23% / 17%; Don't know 7% / 9%
Time to detection: Increased 10% / 28%; Remained the same 34% / 36%; Decreased 48% / 28%; Don't know 8% / 7%
Time to response: Increased 16% / 28%; Remained the same 32% / 34%; Decreased 44% / 32%; Don't know 8% / 6%
Time to resolution: Increased 21% / 29%; Remained the same 47% / 43%; Decreased 24% / 18%; Don't know 8% / 9%

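DETECTION AND RESPONSE

Security Event Detection Speed

• Quicker detection is noted for rogue devices, denial of device attacks and malware.

How long does it typically take your organization to detect and/or analyze the following security events? (N=200)

Social engineering: Within minutes 10%; Within one day 33%; Within a few days 22%; Within a few weeks 11%; No ability to detect 4%; Don't know/unsure 20%
Cross site scripting: Within minutes 20%; Within one day 29%; Within a few days 23%; Within a few weeks 5%; No ability to detect 4%; Don't know/unsure 20%
Misuse/abuse of credentials: Within minutes 22%; Within one day 26%; Within a few days 28%; Within a few weeks 8%; No ability to detect 2%; Don't know/unsure 14%
Phishing attacks: Within minutes 22%; Within one day 38%; Within a few days 20%; Within a few weeks 8%; No ability to detect 1%; Don't know/unsure 12%
SQL injections: Within minutes 24%; Within one day 28%; Within a few days 22%; Within a few weeks 6%; No ability to detect 2%; Don't know/unsure 19%
Exploit of vulnerabilities: Within minutes 24%; Within one day 29%; Within a few days 22%; Within a few weeks 10%; No ability to detect 2%; Don't know/unsure 14%
Malware: Within minutes 30%; Within one day 32%; Within a few days 18%; Within a few weeks 7%; No ability to detect 1%; Don't know/unsure 11%
Denial of device attacks: Within minutes 36%; Within one day 30%; Within a few days 14%; Within a few weeks 4%; No ability to detect 1%; Don't know/unsure 15%
Rogue devices: Within minutes 39%; Within one day 23%; Within a few days 14%; Within a few weeks 10%; No ability to detect 1%; Don't know/unsure 12%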

Compliance Detection Speed

• Quicker detection is noted for inappropriate internet access and unauthorized configuration changes.

• Inappropriate sharing is the most difficult to detect.

How long does it typically take your organization to detect the following compliance issues? (N=200)

Inappropriate sharing of documents: Within minutes 11%; Within one day 22%; Within a few days 27%; Within a few weeks 13%; No ability to detect 11%; Don't know/unsure 16%
Patches not up to date: Within minutes 12%; Within one day 35%; Within a few days 29%; Within a few weeks 15%; No ability to detect (value not shown); Don't know/unsure 9%
Authorized non-compliant changes: Within minutes 21%; Within one day 30%; Within a few days 24%; Within a few weeks 9%; No ability to detect 2%; Don't know/unsure 13%
Data copied to an unapproved device: Within minutes 26%; Within one day 20%; Within a few days 24%; Within a few weeks 7%; No ability to detect 10%; Don't know/unsure 14%
Unauthorized configuration changes: Within minutes 31%; Within one day 23%; Within a few days 24%; Within a few weeks 8%; No ability to detect 2%; Don't know/unsure 11%
Inappropriate internet access: Within minutes 38%; Within one day 24%; Within a few days 19%; Within a few weeks 7%; No ability to detect 1%; Don't know/unsure 11%

Security Event & Compliance Detection

• A significantly greater proportion of defense respondents indicate detection of rogue devices, unauthorized configuration changes and data copied to unapproved devices within minutes.

How long does it typically take your organization to detect and/or analyze the following security events?

How long does it typically take your organization to detect the following compliance issues?

[Chart: Defense vs. Civilian detection speed for rogue devices, unauthorized configuration changes and data copied to unapproved devices; response categories: Within minutes, Within one day, Within a few days, Within a few weeks, No ability to detect, Don't know/unsure; marker = statistically significant difference]

N=200

SECURITY PRODUCT USE, DETECTION AND RESPONSE

Patch Management and Detection Trend

• Relative to non-users, a significantly greater proportion of users of patch management software report a decrease in the time to detect and respond to IT security incidents.

Compared to 2014, how did each of the following change in your agency in 2015?

Which of these security products and practices are currently in use in your organization? (select all that apply)

Values are Use / Do not use (chart legend: marker = statistically significant difference):
Number of IT security incidents: Increased 42% / 33%; Remained the same 30% / 39%; Decreased 21% / 18%; Don't know/unsure 7% / 9%
Time to detection: Increased 14% / 30%; Remained the same 34% / 37%; Decreased 45% / 25%; Don't know/unsure 7% / 8%
Time to response: Increased 17% / 32%; Remained the same 31% / 36%; Decreased 44% / 26%; Don't know/unsure 7% / 7%
Time to resolution: Increased 20% / 34%; Remained the same 50% / 37%; Decreased 22% / 20%; Don't know/unsure 8% / 9%

Use n=124. Do not use n=76

Patch Management and IT Breaches

• Likely due to increased detection, IT professionals who use patch management software report more breaches of many kinds in the past year.

Which of the following types of IT security breaches have occurred in your agency in the past year? (select all that apply)

Security Breaches Occurred (Use / Do not use; chart legend: marker = statistically significant difference):
Unaware of a breach: 2% / 4%
Other: 5% / 1%
Denial of service: 26% / 24%
Privileged account abuse: 31% / 26%
Theft of IT equipment: 38% / 32%
Malware: 56% / 42%
Phishing: 68% / 42%
Human error: 75% / 58%

Number of Different Types of Breaches Indicated: Use 2.98; Do not use 2.25

Note: Multiple responses allowed. Use n=124. Do not use n=76

Patch Management and Detection Within Minutes

• Those who currently use patch management software are significantly more able to detect, within minutes, the following events:
o Rogue devices
o Denial of device attacks
o Unauthorized configuration changes

How long does it typically take your organization to detect and/or analyze the following security events?

How long does it typically take your organization to detect the following compliance issues?

Percent detecting within minutes (Use / Do not use; chart legend: marker = statistically significant difference):
Inappropriate sharing of documents: 8% / 16%
Patches not up to date: 9% / 17%
Social engineering: 10% / 9%
Cross site scripting: 21% / 17%
Phishing: 21% / 24%
Authorized non-compliant changes: 22% / 20%
Misuse/abuse of credentials: 24% / 17%
SQL Injections: 26% / 20%
Exploit of vulnerabilities: 26% / 21%
Data copied to unapproved device: 28% / 21%
Malware: 33% / 26%
Unauthorized configuration changes: 35% / 24%
Denial of device attacks: 43% / 24%
Inappropriate internet access: 43% / 32%
Rogue devices: 46% / 28%

Note: Multiple responses allowed. Use n=124. Do not use n=76

Configuration Management and Detection Trend

• Relative to non-users, a significantly greater proportion of users of configuration management software report a decrease in the time to respond to IT security incidents.

Compared to 2014, how did each of the following change in your agency in 2015?

Which of these security products and practices are currently in use in your organization? (select all that apply)

Values are Use / Do not use (chart legend: marker = statistically significant difference):
Number of IT security incidents: Increased 40% / 37%; Remained the same 35% / 32%; Decreased 19% / 22%; Don't know/unsure 7% / 10%
Time to detection: Increased 19% / 22%; Remained the same 32% / 39%; Decreased 41% / 32%; Don't know/unsure 7% / 8%
Time to response: Increased 17% / 30%; Remained the same 28% / 41%; Decreased 47% / 23%; Don't know/unsure 7% / 6%
Time to resolution: Increased 22% / 30%; Remained the same 49% / 39%; Decreased 21% / 22%; Don't know/unsure 8% / 9%

Use n=124. Do not use n=76

Configuration Management and IT Breaches

• Likely due to increased detection, IT professionals who use configuration management software report more breaches of all kinds.

Which of the following types of IT security breaches have occurred in your agency in the past year? (select all that apply)

Security Breaches Occurred (Use / Do not use; chart legend: marker = statistically significant difference):
Unaware of a breach: 3% / 3%
Other: 3% / 4%
Denial of service: 26% / 24%
Privileged account abuse: 31% / 27%
Theft of IT equipment: 39% / 30%
Malware: 59% / 38%
Phishing: 67% / 44%
Human error: 77% / 56%

Number of Different Types of Breaches Indicated: Use 3.02; Do not use 2.23

Note: Multiple responses allowed. Use n=124. Do not use n=76

Configuration Management and Detection Within Minutes

• Those who currently use configuration management software primarily see benefits with respect to rogue devices on the network and distributed denial of device attacks.

How long does it typically take your organization to detect and/or analyze the following security events?

How long does it typically take your organization to detect the following compliance issues?

Percent detecting within minutes (Use / Do not use; chart legend: marker = statistically significant difference):
Social engineering: 7% / 14%
Inappropriate sharing of documents: 9% / 14%
Patches not up to date: 12% / 11%
Authorized non-compliant changes: 18% / 25%
Cross site scripting: 21% / 16%
Misuse/abuse of credentials: 22% / 20%
Phishing: 22% / 22%
Data copied to unapproved device: 22% / 30%
Exploit of vulnerabilities: 25% / 23%
SQL injections: 27% / 18%
Malware: 32% / 28%
Unauthorized configuration changes: 32% / 29%
Inappropriate internet access: 37% / 41%
Denial of device attacks: 43% / 24%
Rogue devices: 44% / 32%

Note: Multiple responses allowed. Use n=124. Do not use n=76

Page 32: SolarWinds Federal Cybersecurity Survey 2016

SOLARWINDS FEDERAL CYBERSECURITY SURVEY SUMMARY REPORT | MARKET CONNECTIONS, INC. | 703.378.2025© 2016 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED.

32SECURITY PRODUCT USE, DETECTION AND RESPONSE

SIEM and Detection Trend

• Security information event management (SIEM) software users report an increase in incident detection and a decrease in time to detect and respond. However, they report similar changes to those who do not use SIEM. There are no statistically significant differences.

[Figure: SIEM and Detection Trend. Axis 0% to 100%; paired Use and Do not use bars for: Number of IT security incidents; Time to detection; Time to response; Time to resolution. Segments: Increased; Remained the same; Decreased; Don't know/unsure.]

Survey questions: Compared to 2014, how did each of the following change in your agency in 2015? Which of these security products and practices are currently in use in your organization? (select all that apply)

Use n=72; Do not use n=128


SIEM and IT Breaches

• SIEM users detect phishing attacks in their agency significantly more than those who do not use SIEM.

[Figure: SIEM and IT Breaches. Panels: "Security Breaches Occurred" (axis 0% to 80%; breach types: Unaware of a breach; Other; Denial of service; Privileged account abuse; Theft of IT equipment; Malware; Phishing; Human error) and "Number of Different Types of Breaches Indicated" (scale 0 to 4; plotted values 3.04 and 2.52). Series: Use, Do not use.]

Survey question: Which of the following types of IT security breaches have occurred in your agency in the past year? (select all that apply)

Note: Multiple responses allowed. A marker in the chart denotes a statistically significant difference.

Use n=72; Do not use n=128


• Those who currently use SIEM software are significantly more able to detect, within minutes, almost all threats listed on the survey.

[Figure: SIEM and Detection Within Minutes. Axis 0% to 60%; series: Use, Do not use. Events and compliance issues charted: Social engineering; Inappropriate sharing of documents; Patches not up to date; Authorized non-compliant changes; Cross site scripting; Misuse/abuse of credentials; Phishing; Data copied to unapproved device; Exploit of vulnerabilities; SQL injections; Unauthorized configuration changes; Denial of device attacks; Malware; Inappropriate internet access; Rogue devices.]

Survey questions: How long does it typically take your organization to detect and/or analyze the following security events? How long does it typically take your organization to detect the following compliance issues?

Note: Multiple responses allowed. A marker in the chart denotes a statistically significant difference.

Use n=72; Do not use n=128


Contact Information

RESEARCH TO INFORM YOUR BUSINESS DECISIONS

Laurie Morrow, Director of Research Services | Market Connections, Inc. | 11350 Random Hills Road, Suite 800 | Fairfax, VA 22033 | 703.378.2025, ext. [email protected]

Lisa M. Sherwin Wulf, Director of Marketing - Federal | [email protected] | www.solarwinds.com/federal | LinkedIn: SolarWinds Government


The SOLARWINDS and SOLARWINDS & Design marks are the exclusive property of SolarWinds Worldwide, LLC and its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks, registered or pending registration in the United States or in other countries. All other trademarks mentioned herein are used for identification purposes only and may be or are trademarks or registered trademarks of their respective companies.