60% of companies cannot detect compromised credentials, survey says

Sixty percent of companies cannot detect compromised credentials, according to Rapid7’s incident detection and response survey results.

That is just one of the “yikes” revealed when 271 security professionals from all size organizations and industries responded to the survey so Rapid7 could learn more about challenges to security teams, strategic initiatives, and current security tools being used. It is little wonder why over 90% of respondents admitted to being worried about attacks that use compromised credentials.

Respondents told Rapid7 that the top three strategic initiatives have been:

(1) deploy and maintain a SIEM; (2) expand on their vulnerability management program; and (3) improve or replace their network firewalls. 52% of organizations already use a SIEM, with a further 21% looking to purchase one in the future. The flexible ability to aggregate and correlate logs enables organizations to simultaneously monitor firewall, endpoint, and DNS data. However, there are still gaps in cloud services, DHCP-to-user mapping, and honey pots.

Seventy-three percent of security teams have either deployed SIEM or plan to do so, with 50% of SIEM users claiming incident detection is the main reason they purchased the tool. There are only so many hours in the day, and security teams have limited resources. While they naturally do not enjoy receiving false-positive alerts, there is a real gap in how many alerts are generated and how many can actually be investigated.

Sixty-two percent of security pros surveyed said their organization receives more daily alerts than can be viewed, investigated, and remediated. Seventy-six percent of respondents are not comfortable investigating more than 25 alerts every day, yet 29% are receiving more than 75 alerts every day. Detection alerts need to be fine-tuned, as some respondents report receiving over 1,000 alerts daily.

Seventy-nine percent of the security professionals surveyed said their companies are using at least one cloud service, with Office 365 topping the list, following by Google Apps and Salesforce.com.

Sixty percent are using only “approved” cloud services, nearly 21% don’t allow cloud services at all, and almost 19% leave it up to users to choose. (Yikes!) Cloud services that fell under “other” included Dropbox, NetSuite, and Microsoft Azure. Only a mere 33% of organizations have security visibility into cloud services.

“The reality is that attack surfaces will continue to expand,” wrote Rapid7. “The challenge is that with cloud services, attackers merely need to steal credentials to access confidential records. Currently, 59% of organizations report a lack of security visibility into their cloud services. Moving into the new year, security teams must prioritize detecting compromised credentials and the resulting lateral movement, not only on the network, but locally on endpoints and across cloud services.”

“Prevention is no longer a sufficient approach to security,” the Rapid7 report stated. “Organizations continue their reach and productivity through partners, cloud services and mobile devices, all which increase risk.”

“The top three attack vectors behind breaches continue to be compromised credentials, malware, and phishing,” Rapid7 noted. “Both security vendors and practitioners must ensure that attacks leveraging these methods can be detected immediately across the entire network ecosystem. Further, this must be done while taking into account the realities of the security world: limited time and resources, very low tolerance for false-positive alerts, and the desire to receive alerts in a centrally managed system that covers all IT assets, from the endpoint to the cloud.”

Yet with only 40% of security teams being able to immediately detect those types of attacks – and that is from all sizes of organizations across industries such as healthcare, finance, retail, and government – then what are people supposed to do if 60% of those companies cannot detect compromised credentials?

Microsoft MVP and security developer Troy Hunt, who recently blogged about all the annoying things websites are doing to screw up users’ experiences so far in 2016, also runs Have I Been Pwned. I cannot tell you how many times since he started the site that people have said the first notification of an account being compromised has come via a ‘Have I Been Pwned?’ notification.

I highly recommend signing up to be notified if your email address get pwned in the future. We all know better than to reuse passwords, but if you can’t beat that disease then if you get notified you can at least race out and change the same password used on other sites. Hopefully that implies a strong and unique password for each site.

I asked Hunt if he would advise people to be notified if their email address ends up compromised or pwned via a data dump. He said, “Obviously I have a vested interest, but yes, signing up for HIBP is a great way of keeping abreast of where your information is being compromised. The other thing I strongly advocate is a password manager; get one and use unique passwords everywhere then at least once a compromise happens, you don’t have to deal with changing all your accounts.”

If you are so inclined, go grab a copy of Rapid7’s State of Incident Detection & Response report or check out its incident detection and response solutions.