SANS Institute released its 2017 Data Protection Survey, “Sensitive Data at Risk,” which highlights the ongoing challenge of using centralized security to protect the decentralized data that is prevalent and growing across today’s enterprise IT environments.
The report revealed that 78 percent of responding organizations encountered two or more threats over the past year, 68 percent experienced multiple occurrences of the same threat and 12 percent suffered a breach. Among the 12 percent of victims, 48 percent reported that threat actors exfiltrated data via encrypted channels.
Security professionals in government (14 percent) comprised the second-largest industry represented in the findings. Respondents in banking and finance (16.3 percent) topped the list, while technology (12 percent) and cybersecurity (8.9 percent) rounded out the top four.
Survey respondents reported that ransomware and insider threats (malicious or unintentional) remain the top two concerns for security professionals. Ransomware remains the biggest perceived one-off threat, while insiders represent the primary recurring threat.
Over the past year, threat actors most frequently targeted user credentials and privileged accounts, followed by customers’ personally identifiable information and intellectual property. The report’s authors noted, “In short, access data is equally as valuable to attackers as direct access to customer, corporate and employee data.”
Threat actors continued an established trend of exfiltrating data from organizations in an encrypted format. This exfiltration technique, the authors noted, can be difficult to detect without proper egress traffic monitoring and advanced filtering, such as deep-packet inspection technologies capable of examining the content of network traffic.
According to respondents, the security tools most used and perceived as most effective include encryption (e.g., SSH, SSL, HTTPS, VPNs), access management, email filtering and firewalls.
Security professionals also reported heavy reliance on security information and event management tools (SIEMs) to detect breaches. While discovery is better than ignorance, the report noted an important shortcoming of SIEM-based detection: “A SIEM focuses at the system level, not the user level, in logging events from devices and systems on the network. Such data is designed to inform administrators that something happened at the system or infrastructure level, but it offers limited insight into actual user activity, behavior and intent.”
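As an added illustration of the user-level pivot the quoted passage says a SIEM lacks (this script is not from the SANS report or this article): it takes constructed sshd login lines from several hosts, each unremarkable on its own, and regroups them per user so that a cross-host, off-hours pattern becomes visible. Host names, user names, source addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (not from the report); each looks routine host by host.
LOG_LINES = [
    "2017-09-12T02:14:07 db01 sshd[4410]: Accepted password for jsmith from 10.0.5.23 port 51022",
    "2017-09-12T02:20:44 fs02 sshd[1902]: Accepted password for jsmith from 10.0.5.23 port 51100",
    "2017-09-12T02:22:09 web03 sshd[771]: Accepted password for jsmith from 10.0.5.23 port 51188",
    "2017-09-12T09:03:15 web03 sshd[802]: Accepted publickey for abrown from 10.0.7.4 port 40211",
    "2017-09-12T09:45:00 fs02 sshd[1950]: Accepted publickey for abrown from 10.0.7.4 port 40300",
]
EVENT_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+$")

def parse_event(line):
    """Return (timestamp, host, user, source_ip), or None for lines this example does not model."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), m.group(2), m.group(3), m.group(4)

def per_user(lines, off_hours=range(0, 6)):
    """Pivot host-centric login events into one activity profile per user."""
    profiles = defaultdict(lambda: {"hosts": set(), "sources": set(), "logins": 0, "off_hours_logins": 0})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # a real SIEM would route other event types elsewhere
        ts, host, user, src = ev
        p = profiles[user]
        p["hosts"].add(host)
        p["sources"].add(src)
        p["logins"] += 1
        if ts.hour in off_hours:
            p["off_hours_logins"] += 1
    return dict(profiles)

def flag_users(profiles, max_hosts=2, max_off_hours=1):
    """Thresholds are illustrative assumptions; returns {user: [reasons]} for users exceeding them."""
    flagged = {}
    for user, p in profiles.items():
        reasons = []
        if len(p["hosts"]) > max_hosts:
            reasons.append(f"interactive logins to {len(p['hosts'])} distinct hosts")
        if p["off_hours_logins"] > max_off_hours:
            reasons.append(f"{p['off_hours_logins']} logins outside working hours")
        if reasons:
            flagged[user] = reasons
    return flagged
```

Run `flag_users(per_user(LOG_LINES))` to see that jsmith is reported on both counts while abrown, whose events look identical at the host level, is not.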
Analysis of Findings
Several important themes emerge from the findings. First, security professionals continue to wrestle with effective methods for monitoring and securing increasingly decentralized data. The report indicates that most enterprise data still resides, at least in part, on enterprise-issued and -controlled IT assets, such as servers, databases and devices. Still, many organizations reported ongoing difficulty gaining full visibility into their network and user environments.
Broader trends suggest – and SANS findings support – that the amount of data stored and used on third-party IT assets continues to grow. The popularity and convenience of personal mobile devices (e.g., bring your own device), cloud-based storage and externally hosted applications for work are, in part, driving the trend.
The decentralization of enterprise data coincides with organizations’ continued reliance on centralized security infrastructure to detect threats and block attacks. The survey results show that centralized system- and network-level security appliances, such as SIEMs, revealed breaches more often over the past year than newer, more advanced decentralized capabilities, such as user monitoring and behavioral analysis.
Many of the report’s findings highlight the complexity of defending decentralized data with centralized security. The crux of this conundrum is perhaps best encapsulated by the dual challenges of enforcing organization-wide security policies while overcoming the perceived ineffectiveness of user training and awareness programs.
Following malware and insiders, respondents cited the category “unknown” as a top underlying cause of data breaches. The reason for this finding is unclear, but it could result from insufficient network and user visibility, incomplete security tool sets or inadequate numbers of skilled professionals. Any of these deficiencies in security posture could result in an inability to correlate malicious activity to breached data.
Following “unknown” causes, respondents reported a significant occurrence of “unintended disclosure of sensitive data.” This finding follows reports this year of multiple incidents in which misconfigured cloud services, such as Amazon’s Simple Storage Service, exposed data. For instance, in June, security researchers discovered that the political consultancy Deep Root Analytics had unintentionally made detailed data on nearly 200 million U.S. voters accessible via the public internet. The voter data resided on a cloud server without password protection.
The report highlighted several ongoing paradoxes faced by security professionals. For instance, respondents reported “enforcing policy across the lifespan of sensitive data” as their organizations’ greatest security challenge, while citing policy enforcement as the most effective control. Those surveyed said employee training is the least effective security control, even while employees increasingly use IT assets (e.g., third-party applications) often beyond enterprise security’s reach.
Respondents cited “lack of staffing and resources” as their organizations’ second greatest security challenge, a finding that is notable for two reasons. First, survey data revealed that most breaches were discovered via security logs, a task that still partially, if not largely, relies on human analysis in many organizations. Second, as the survey’s authors noted, the current threat environment is asymmetric, with threat actors increasingly automating attacks, while defenders are encumbered by manual processes.
What’s Working and Important Considerations
As far as what’s working for defenders, respondents said encryption (82.9 percent), access control (79.3 percent) and firewall/unified threat management systems (72.4 percent) were most effective at the network level. Email security (74.3 percent), vulnerability management (55.7 percent) and host-based encryption (51.4 percent) were reported to be most effective for endpoint protection.
The SANS authors advised security practitioners to consider network visibility, identity and access management, industry best practices and automation as important factors in securing data in today’s enterprise environments.
And, for all the persistent security concerns around cloud-hosted data, the authors reassured security pros that it’s not necessarily the worst option: “Cloud storage backups, with the proper set of controls, may be a safer alternative than those backup tapes in the trunk of your sys admin’s car.”
The full report is available online.