A survey of 1,100 security professionals, conducted by Securosis and financed by data security vendor Imperva, yielded some interesting and conflicting results. The survey evaluated the perceived effectiveness, not the actual effectiveness, of several technologies (not specific products). The responses came from professionals across all major verticals and from organizations of varying sizes. Job titles included IT manager, IT security manager, and IT security professional.
The top ten most effective controls were perceived to be:
- Access Management – Tools to restrict access to files/content beyond standard access controls.
- Server/Endpoint Hardening – Locking down systems, including whitelisting, HIPS, and other lockdown/patch management.
- Email Filtering – Basic keyword/regular expression filtering of email.
- Full Drive Encryption – Encryption of laptop/desktop drives.
- Network Segregation – Isolating sensitive data/applications on subnets.
- Data Loss Prevention (Network) – Tools capable of scanning for content with advanced techniques
- Data Loss Prevention (Endpoint) – Tools capable of scanning for content with advanced techniques (more than regular expressions)
- USB/Media Encryption/Device Control
- Database Activity Monitoring – Tools to actively monitor all or some database activity (more than basic audit logs).
Securosis notes:
One major flaw in the survey is that, despite our quality assurance and editing before releasing the questions, web application firewalls were omitted from the potential response list, and rated well in the previous questions. WAF was also the most cited write-in control, followed (again) by user education.
Here’s what the respondents thought were the least effective:
- Email Filtering
- USB/Portable Media Encryption or Device Control
- Database Activity Monitoring
- Backup Tape Encryption
- Content Discovery (Process)
- Network Segregation
- Other (list in comments)
- Enterprise Digital Rights Management
- Data Masking
- Full Drive Encryption
What’s interesting is that e-mail filtering came in as number three on the list of most effective controls and number one on the “least effective” list.
“There will always be a gulf between perceived and actual security,” says Chris King, director of product marketing at Palo Alto Networks. “Aside from the fact that the latter is difficult to measure (all we can measure is our opinion of its effectiveness), threats are a moving target.”
Securosis’ survey found that most controls were actually pretty effective. “Around half of respondents reported that nearly half of the controls completely or dramatically reduced incidents.”