
Cisco 2017 Annual Cybersecurity Report

Table of Contents
EXECUTIVE SUMMARY AND MAJOR FINDINGS ........................................ 3

INTRODUCTION ................................................................ 8

THE EXPANSION OF THE ATTACK SURFACE ......................................... 10

ATTACKER BEHAVIOR .......................................................... 13
    The Reconnaissance Phase ............................................... 13
    Web Attack Methods: Short Tail Threats Help Adversaries Lay the
        Groundwork for Campaigns ........................................... 13
    The Weaponization Phase ................................................ 15
    Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant .... 15
    Application Security: Managing OAuth Connection Risk Amid an
        App Explosion ...................................................... 16
    The Delivery Phase ..................................................... 20
    Disappearance of Major Exploit Kits Presents Opportunities for
        Smaller Players and New Entrants ................................... 20
    Malvertising: Adversaries Use Brokers to Increase Speed and Agility .... 22
    Investigation Finds 75 Percent of Organizations Affected by
        Adware Infections .................................................. 23
    Global Spam Is Increasing, and So Is the Percentage of
        Malicious Attachments .............................................. 25
    The Installation Phase ................................................. 30
    Web Attack Methods: Long Tail Snapshot Reveals Threats That
        Users Can Easily Avoid ............................................. 30
    Vertical Risk of Malware Encounters: Attackers See Value
        Across the Board ................................................... 31
    Regional Overview of Web Block Activity ................................ 32
    Time to Detection: An Essential Metric for Measuring
        Defenders' Progress ................................................ 33
    Time to Evolve: For Some Threats, Change Is Constant ................... 34

DEFENDER BEHAVIOR .......................................................... 42
    Vulnerabilities on the Decline in 2016 ................................. 42
    Middleware: Adversaries See Opportunity in Unpatched Software .......... 44
    Time to Patch: Closing the Recovery Time Frame ......................... 45

CISCO 2017 SECURITY CAPABILITIES BENCHMARK STUDY ........................... 49
    Perceptions: Security Professionals Confident in Tools,
        Less Sure They're Using Them Effectively ........................... 49
    Constraints: Time, Talent, and Money Affect the Ability to
        Respond to Threats ................................................. 51
    Impact: More Organizations Experiencing Losses from Breaches ........... 55
    Outcomes: Increased Scrutiny Will Play a Role in
        Security Improvements .............................................. 58
    Trust Versus Cost: What Drives Security Purchases? ..................... 61
    Summary: What the Benchmark Study Reveals .............................. 62

INDUSTRY ................................................................... 64
    Value Chain Security: Success in a Digital World Hinges on
        Mitigating Third-Party Risk ........................................ 64
    Geopolitical Update: Encryption, Trust, and a Call for Transparency .... 65
    High-Speed Encryption: A Scalable Solution to Protecting
        Data in Transit .................................................... 66
    Network Performance and Adoption Versus Security Maturity .............. 67

CONCLUSION ................................................................. 71
    A Rapidly Expanding Attack Surface Requires an Interconnected and
        Integrated Approach to Security .................................... 71
    The Key Goal: Reducing Adversaries' Operational Space .................. 73

ABOUT CISCO ................................................................ 74
    Contributors to the Cisco 2017 Annual Cybersecurity Report ............. 75

APPENDIX ................................................................... 78


Executive Summary
As the attack surface increases, defenders must focus on their most
important goal: reducing their adversaries operational space.

Adversaries have more tools at their disposal than ever before. They also have a keen sense of when to use each one for maximum effect. The explosive growth of mobile endpoints and online traffic works in their favor. They have more space in which to operate and more choices of targets and approaches.

Defenders can use an array of strategies to meet the challenges of an expanding threat landscape. They can purchase best-of-breed solutions that work separately to provide information and protection. And they can compete for personnel in a market where talent is in short supply and budgets are tight.

Stopping all attacks may not be possible. But you can minimize both the risk and the impact of threats by constraining your adversaries' operational space and, thus, their ability to compromise assets. One measure you can take is simplifying your collection of security tools into an interconnected and integrated security architecture.

Integrated security tools working together in an automated architecture can streamline the process of detecting and mitigating threats. You will then have time to address more complex and persistent issues. Many organizations use at least a half dozen solutions from just as many vendors (page 53). In many cases, their security teams can investigate only half the security alerts they receive on a given day.

The Cisco 2017 Annual Cybersecurity Report presents research, insights, and perspectives from Cisco Security Research. We highlight the relentless push-and-pull dynamic between adversaries trying to gain more time to operate and defenders working to close the windows of opportunity that attackers try to exploit. We examine data compiled by Cisco threat researchers and other experts. Our research and insights are intended to help organizations respond effectively to today's rapidly evolving and sophisticated threats.

This report is divided into the following sections:

Attacker Behavior

In this section, we examine how attackers reconnoiter vulnerable networks and deliver malware. We explain how tools such as email, third-party cloud applications, and adware are weaponized. And we describe the methods that cybercriminals employ during the installation phase of an attack. This section also introduces our time to evolve (TTE) research, which shows how adversaries keep their tactics fresh and evade detection. We also give an update on our efforts to reduce our average median time to detection (TTD). In addition, we present the latest research from Cisco on malware risk for various industries and geographic regions.

Defender Behavior

We offer updates on vulnerabilities in this section. One focus is on the emerging weaknesses in middleware libraries that present opportunities for adversaries to use the same tools across many applications, reducing the time and cost needed to compromise users. We also share Cisco's research on patching trends. We note the benefit of presenting users with a regular cadence of updates to encourage the adoption of safer versions of common web browsers and productivity solutions.


Cisco 2017 Security Capabilities Benchmark Study

This section covers the results of our third Security Capabilities Benchmark study, which focuses on security professionals' perceptions of the state of security in their organizations. This year, security professionals seem confident in the tools they have on hand, but they are uncertain about whether these resources can help them reduce the operational space of adversaries. The study also shows that public security breaches are having a measurable impact on opportunities, revenue, and customers. At the same time, breaches are driving technology and process improvements in organizations. For more in-depth analysis around the state of security in organizations, go to page 49.

Industry

In this section, we explain the importance of ensuring value chain security. We examine the potential harm of governments stockpiling information about zero-day exploits and vulnerabilities in vendors' products. In addition, we discuss the use of rapid encryption as a solution for protecting data in high-speed environments. Finally, we outline the challenges of organizational security as global Internet traffic, and the potential attack surface, grow.

Conclusion

In the conclusion, we suggest that defenders adapt their security practices so they can better meet typical security challenges along the attack chain and reduce adversaries' operational space. This section also offers specific guidance on establishing an integrated and simplified approach to security: one that will connect executive leadership, policy, protocols, and tools to prevent, detect, and mitigate threats.


Major Findings
• Three leading exploit kits (Angler, Nuclear, and Neutrino) abruptly disappeared from the landscape in 2016, leaving room for smaller players and new entrants to make their mark.

• According to the Cisco 2017 Security Capabilities Benchmark Study, most companies use more than five security vendors and more than five security products in their environment. Fifty-five percent of the security professionals use at least six vendors; 45 percent use anywhere from one to five vendors; and 65 percent use six or more products.

• The top constraints to adopting advanced security products and solutions, according to the benchmark study, are budget (cited by 35 percent of the respondents), product compatibility (28 percent), certification (25 percent), and talent (25 percent).

• The Cisco 2017 Security Capabilities Benchmark Study found that, due to various constraints, organizations can investigate only 56 percent of the security alerts they receive on a given day. Half of the investigated alerts (28 percent) are deemed legitimate; less than half (46 percent) of legitimate alerts are remediated. In addition, 44 percent of security operations managers see more than 5000 security alerts per day.

• Twenty-seven percent of connected third-party cloud applications introduced by employees into enterprise environments in 2016 posed a high security risk. Open authentication (OAuth) connections touch the corporate infrastructure and can communicate freely with corporate cloud and software-as-a-service (SaaS) platforms after users grant access.

• An investigation by Cisco that included 130 organizations across verticals found that 75 percent of those companies are affected by adware infections. Adversaries can potentially use these infections to facilitate other malware attacks.

• Increasingly, the operators behind malvertising campaigns are using brokers (also referred to as "gates"). Brokers enable them to move with greater speed, maintain their operational space, and evade detection. These intermediary links allow adversaries to switch quickly from one malicious server to another without changing the initial redirection.

• Spam accounts for nearly two-thirds (65 percent) of total email volume, and our research suggests that global spam volume is growing due to large and thriving spam-sending botnets. According to Cisco threat researchers, about 8 percent to 10 percent of the global spam observed in 2016 could be classified as malicious. In addition, the percentage of spam with malicious email attachments is increasing, and adversaries appear to be experimenting with a wide range of file types to help their campaigns succeed.

• According to the Security Capabilities Benchmark Study, organizations that have not yet suffered a security breach may believe their networks are safe. This confidence is probably misplaced, considering that 49 percent of the security professionals surveyed said their organizations have had to manage public scrutiny following a security breach.


• The Cisco 2017 Security Capabilities Benchmark Study also found that nearly a quarter of the organizations that have suffered an attack lost business opportunities. Four in 10 said those losses are substantial. One in five organizations lost customers due to an attack, and nearly 30 percent lost revenue.

• When breaches occur, operations and finance were the functions most likely to be affected (36 percent and 30 percent, respectively), followed by brand reputation and customer retention (both at 26 percent), according to respondents to the benchmark study.

• Network outages that are caused by security breaches can often have a long-lasting impact. According to the benchmark study, 45 percent of the outages lasted from 1 to 8 hours; 15 percent lasted 9 to 16 hours, and 11 percent lasted 17 to 24 hours. Forty-one percent (see page 55) of these outages affected between 11 percent and 30 percent of systems.

• Vulnerabilities in middleware (software that serves as a bridge or connector between platforms or applications) are becoming more apparent, raising concerns that middleware is becoming a popular threat vector. Many enterprises rely on middleware, so the threat could affect every industry. During the course of a Cisco project, our threat researchers discovered that a majority of new vulnerabilities examined were attributable to the use of middleware.

• The cadence of software updates can affect user behavior when it comes to installing patches and upgrades. According to our researchers, regular and predictable update schedules result in users upgrading their software sooner, reducing the time during which adversaries can take advantage of vulnerabilities.

• The 2017 Security Capabilities Benchmark Study found that most organizations rely on third-party vendors for at least 20 percent of their security, and those who rely most heavily on these resources are most likely to expand their use in the future.


Introduction
Adversaries have a vast and varied portfolio of techniques for gaining access to organizational resources and for attaining unconstrained time to operate. Their strategies cover all the basics and include:

• Taking advantage of lapses in patching and updating
• Luring users into socially engineered traps
• Injecting malware into supposedly legitimate online content such as advertising

They have many other capabilities, as well, from exploiting middleware vulnerabilities to dropping malicious spam. And once they've achieved their goals, they can quickly and quietly shut down their operations.

Adversaries work nonstop to evolve their threats, move with even more speed, and find ways to widen their operational space. The explosive growth in Internet traffic, driven largely by faster mobile speeds and the proliferation of online devices, works in their favor by helping to expand the attack surface. As that happens, the stakes grow higher for enterprises. The Cisco 2017 Security Capabilities Benchmark Study found that more than one-third of organizations that have been subject to an attack lost 20 percent of revenue or more. Forty-nine percent of the respondents said their business had faced public scrutiny due to a security breach.

How many enterprises can suffer such damage to their bottom line and remain healthy? Defenders must focus their resources on reducing their adversaries' operational space. Attackers will then find it extremely difficult to gain access to valuable enterprise resources and to conduct their activities without being detected.

Automation is essential to achieving this goal. It helps you understand what normal activity is in the network environment, so you can focus scarce resources on investigating and resolving true threats. Simplifying security operations also helps you become more effective at eliminating adversaries' unconstrained operational space. However, the benchmark study shows that most organizations are using more than five solutions from more than five vendors (page 53).

Such a complex web of technology, and the overwhelming number of security alerts, is a recipe for less, not more, protection. Adding more security talent can help, of course. With more experts on board, the logic goes, the better the organization's ability to manage technology and deliver better outcomes. However, scarce security talent and limited security budgets make hiring sprees unlikely. Instead, most organizations must make do with the talent they have. They rely on outsourced talent to add muscle to their security teams while also conserving budget.

The real answer to meeting these challenges, as we explain later in this report, is to operationalize people, processes, and technology in an integrated manner. To operationalize security is to truly understand what the enterprise needs to protect, as well as what measures should be used to protect those vital assets.

The Cisco 2017 Annual Cybersecurity Report presents our latest security industry advances designed to help
organizations and users defend against attacks. We also look at the techniques and strategies that adversaries
use to break through those defenses. The report also highlights major findings from the Cisco 2017 Security
Capabilities Benchmark Study, which examines the security posture of enterprises and their perceptions of their
preparedness to defend against attacks.

The Expansion of the Attack Surface
Mobile devices. Public cloud. Cloud infrastructure. User behavior. Security professionals who participated in Cisco's third annual Security Capabilities Benchmark Study cited all those elements as top sources of concern when they think about their organizations' risk of exposure to a cyber attack (Figure 1). This is understandable: The proliferation of mobile devices creates more endpoints to protect. The cloud is expanding the security perimeter. And users are, and always will be, a weak link in the security chain.

As businesses embrace digitization, and the Internet of Everything (IoE) begins to take shape, defenders will have even more to worry about. The attack surface will only expand, giving adversaries more space to operate.

For more than a decade, the Cisco Visual Networking Index (VNI) has provided global IP traffic forecasts and analyzed the dynamic factors that facilitate network growth. Consider these statistics from the most recent report, The Zettabyte Era: Trends and Analysis:

• Annual global IP traffic will pass the zettabyte (ZB) threshold by the end of 2016 and reach 2.3 ZB per year by 2020. (A zettabyte is 1000 exabytes, or 1 billion terabytes.) That represents a threefold increase in global IP traffic in the next 5 years.
• Traffic from wireless and mobile devices will account for two-thirds (66 percent) of total IP traffic by 2020. Wired devices will account for only 34 percent.
• From 2015 to 2020, average broadband speeds will nearly double.
• By 2020, 82 percent of all consumer Internet traffic globally will be IP video traffic, up from 70 percent in 2015.

Figure 1 Security Professionals' Biggest Sources of Concern Related to Cyber Attacks
Percentage of Security Professionals Who Find the Categories Very or Extremely Challenging

    Mobile Devices ................................................... 58%
    Data in Public Cloud ............................................. 57%
    Cloud Infrastructure ............................................. 57%
    User Behavior (For Example, Clicking Malicious Links in
        Email or Websites) ........................................... 57%

Source: Cisco 2017 Security Capabilities Benchmark Study

Download the 2017 graphics at: www.cisco.com/go/acr2017graphics

Internet of Everything FAQ, Cisco: http://ioeassessment.cisco.com/learn/ioe-faq.
The Zettabyte Era: Trends and Analysis, Cisco VNI, 2016: http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/vni-hyperconnectivity-wp.html.


In addition, the Cisco VNI Forecast and Methodology, 2015–2020 white paper predicts that the volume of global Internet traffic in 2020 will be 95 times as great as it was in 2005.

Of course, opportunistic cybercriminals pay close attention to these trends, too. We are already seeing operators in the shadow economy taking steps to become more agile in this changing environment. They are creating highly targeted and varied attacks designed to succeed across the expanding attack surface. Meanwhile, security teams are in a constant firefighting mode, overwhelmed by alerts. They're having to rely on an array of security products in the network environment that only add more complexity and can even increase an organization's susceptibility to threats.

Organizations must:

• Integrate their security technology
• Simplify their security operations
• Rely more on automation

This approach will help reduce operational expenses, ease the burden on security personnel, and deliver better security outcomes. Most important, it will give defenders the ability to focus more of their time on eliminating the unconstrained space in which adversaries currently operate.

Cisco VNI Forecast and Methodology, 2015–2020, Cisco VNI, 2016: http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/complete-white-paper-c11-481360.html.

Attacker Behavior
Reconnaissance Weaponization Delivery Installation

Attackers research, identify, and select their targets.

Web Attack Methods: Short Tail Threats Help Adversaries Lay the Groundwork for Campaigns

Reconnaissance is, of course, a foundational step for launching a cyber attack. In this phase, adversaries look for vulnerable Internet infrastructure or network weaknesses that will allow them to gain access to users' computers and, ultimately, to infiltrate organizations.

Suspicious Windows binaries and potentially unwanted applications (PUAs) topped the list of web attack methods for 2016 by a significant margin (see Figure 2). Suspicious Windows binaries deliver threats such as spyware and adware. Malicious browser extensions are an example of PUAs.

Facebook scams, which include fake offers and media content along with survey scams, ranked third on our list. The continued prominence of Facebook scams on our annual and midyear lists of the most commonly observed malware highlights the foundational role of social engineering in many cyber attacks. Facebook has nearly 1.8 billion monthly active users worldwide. It is logical territory for cybercriminals and other actors looking to dupe users. One positive development is the company's recent announcement that it is taking steps to eliminate fake news and hoaxes. Critics suggest such content may have influenced voters in the 2016 U.S. presidential election.

Figure 2 Most Commonly Observed Malware

    Sample Count    Malware Type
    87,329          PUA and Suspicious Binaries
    50,081          Trojan Droppers (VBS)
    35,887          Facebook Scam Links
    27,627          Trojan Downloaders (Scripts)
    24,737          Browser Redirection (JS)
    18,505          Browser Redirection-Downloads
    15,933          Phishing (Links)
    14,020          Android Trojans (Iop)
    12,848          Browser Redirection
    11,600          Facebook Hijacking
    11,506          Heuristic Blocks (Scripts)
    7712            Packed Binaries
    5995            Trojan Downloaders (JS)
    5510            Trojans, Heuristic (Win32)
    5467            Browser iFrame Attacks
    4970            Android (Axent)
    4584            Android Trojans (Loki)
    4398            Malware (FakeAvCn)
    3646            Trojans (HideLink)
    3006            Malware (HappJS)

Source: Cisco Security Research

Facebook stats, September 2016: http://newsroom.fb.com/company-info/.
"Zuckerberg Vows to Weed Out Facebook Fake News," by Jessica Guynn and Kevin McCoy, USA Today, November 14, 2016: http://www.usatoday.com/story/tech/2016/11/13/zuckerberg-vows-weed-out-facebook-fake-news/93770512/.


Browser redirection malware rounded out the top five most commonly observed malware types for 2016. As discussed in the Cisco 2016 Midyear Cybersecurity Report, browser infections can expose users to malicious advertising (malvertising), which adversaries use to set up ransomware and other malware campaigns. Cisco threat researchers warn that malicious adware, which includes ad injectors, browser-settings hijackers, utilities, and downloaders, is a growing problem. In fact, we have identified adware infections in 75 percent of the companies we recently investigated as part of our research into the adware problem. (For more on this topic, see "Investigation Finds 75 Percent of Organizations Affected by Adware Infections," page 23.)

Other malware types listed in Figure 3, such as browser JavaScript abuse malware and browser iFrame abuse malware, are also designed to facilitate browser infections. Trojans (droppers and downloaders) also appear among the top five most commonly observed malware types, which indicates that they remain popular tools for gaining initial access to users' computers and to organizational networks.

Another trend to watch: consistently high use of malware that targets users of the Android operating platform. Android Trojans have been moving steadily up the short-tail list over the past 2 years. They ranked among the top 10 most commonly seen types of malware in 2016. Loki malware, which appears toward the very end of the short tail shown in Figure 2 (see previous page), is particularly troublesome because it can replicate and infect other files and programs.

Figure 3 helps to illustrate malware trends that Cisco threat researchers have observed since late 2015. It shows that adversaries have made a definite shift in the reconnaissance phase of web-based attacks. More threats now specifically seek vulnerable browsers and plugins. This shift corresponds with adversaries' growing reliance on malvertising, as it becomes more difficult to exploit large numbers of users through traditional web attack vectors. (See the next section, "Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant," page 15.)

The message for individual users, security professionals, and enterprises is clear: Making sure that browsers are secure, and disabling or removing unnecessary browser plugins, can go a long way toward preventing malware infections. These infections can lead to more significant, disruptive, and costly attacks, such as ransomware campaigns. These simple steps can greatly reduce your exposure to common web-based threats and prevent adversaries from finding the operational space to carry out the next phase of the attack chain: weaponization.

Figure 3 Most Commonly Observed Malware, Q4 2015–Q3 2016

[Bar chart, not reproducible in text. Y axis: Sample Count, 0K to 50K. Series: Q4 2015, Q1 2016, Q2 2016, Q3 2016. Categories: iFrame Trojans; Android Trojans (lop); Browser Redirection-Downloads; Phishing Links; Browser Redirection (JS); Heuristic Blocks (Win32); Trojan Downloaders (JS); Facebook Hijacking; PUA and Suspicious Binaries; Packed (Multipacked); Browser Redirection; Trojan Droppers (VBS); Trojan Downloaders (Scripts); Facebook Scam Links; iFrame Downloaders.]

Source: Cisco Security Research

Cisco 2016 Midyear Cybersecurity Report: http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html.


Reconnaissance Weaponization Delivery Installation

Attackers pair remote access malware with exploits in deliverable payloads.

Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant
Adobe Flash has long been an attractive web attack vector for adversaries who want to exploit and compromise systems. However, as the amount of Adobe Flash content on the web continues to decline, and awareness about Flash vulnerabilities grows, it is becoming more difficult for cybercriminals to exploit users at the scale they once enjoyed.

Adobe itself is moving away from full development and support of the software platform and has encouraged developers to adopt newer standards such as HTML5. Providers of popular web browsers are also taking a strong position on Flash. For example, Google announced in 2016 that it will phase out full support for Adobe Flash on its Chrome browser. Firefox is continuing to support legacy Flash content, but it is blocking certain Flash content that is not essential to the user experience.

Flash may be fading, but exploit kit developers are helping it endure as an attack vector. However, there are signs this may be changing. After three leading exploit kits (Angler, Nuclear, and Neutrino) abruptly disappeared from the threat landscape in 2016, our threat researchers observed a significant decline in Flash-related Internet traffic. (See "Disappearance of Major Exploit Kits Presents Opportunities for Smaller Players and New Entrants," page 20.) The actors behind the Angler exploit kit heavily targeted Flash vulnerabilities to compromise users. The Nuclear exploit kit had a similar focus on Flash. And Neutrino relied on Flash files to deliver exploits.

Users must remain cautious and should uninstall Flash unless they need it for business reasons. If they must use it, they must stay current with updates. Using web browsers that feature automatic patching capabilities can help. As noted in "Web Attack Methods: Short Tail Threats Help Adversaries Lay the Groundwork for Campaigns" on page 13, using secure browsers, and disabling or removing unnecessary browser plugins, will significantly reduce your exposure to web-based threats.

Java, PDF, and Silverlight

Both Java and PDF Internet traffic experienced notable declines in 2016. Silverlight traffic has already reached a level that is not worthwhile for threat researchers to track regularly.

Java, once the dominant web attack vector, has seen its security posture improve significantly in recent years. Oracle's decision in early 2016 to eliminate its Java browser plugin has helped to make Java a less attractive web attack vector. PDF attacks are also increasingly rare. For that reason, they can be easier to detect, which is why many adversaries now use this strategy less often.

However, as with Flash, cybercriminals still use Java, PDF, and Silverlight to exploit users. Individual users, enterprises, and security professionals must be aware of these potential roads to compromise. To reduce their risk of exposure to these threats, they must:

• Download patches
• Use up-to-date web technology
• Avoid web content that might present risk

Flash, HTML5 and Open Web Standards, Adobe News, November 2015: https://blogs.adobe.com/conversations/2015/11/flash-html5-and-open-web-standards.html.
Flash and Chrome, by Anthony LaForge, The Keyword blog, Google, August 9, 2016: https://blog.google/products/chrome/flash-and-chrome/.
Reducing Adobe Flash Usage in Firefox, by Benjamin Smedberg, Future Release blog, Mozilla, July 20, 2016:
https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/.


Application Security: Managing OAuth Connection Risk Amid an App Explosion

When enterprises shift to the cloud, their security perimeter extends into the virtual realm. However, that security perimeter quickly dissipates with each connected third-party cloud application that employees introduce into the environment.

Workers want to improve their productivity and stay connected while on the job. But these shadow IT applications create a risk for enterprises. They touch the corporate infrastructure and can communicate freely with the corporate cloud and software-as-a-service (SaaS) platforms as soon as users grant access through open authentication (OAuth). These apps can have extensive, and at times excessive, access scopes. They must be managed carefully because they can view, delete, externalize, and store corporate data, and even act on behalf of users.

The cloud security provider CloudLock, now part of Cisco, has been tracking the growth of connected third-party cloud applications across a sample group of 900 organizations representing a range of industries. As Figure 4 shows, there were about 129,000 unique applications observed at the beginning of 2016. By the end of October, that number had grown to 222,000.

The number of applications has increased approximately 11 times since 2014. (See Figure 5.)

Figure 4 Explosive Growth of Connected Third-Party Cloud Applications, 2016 (Number of Unique Applications): January 129,000; October 222,000. Source: Cisco CloudLock

Figure 5 Growth of Third-Party Cloud Applications, Year-Over-Year Comparison: Oct 2014 20,400; Oct 2015 108,000; Oct 2016 222,000. Source: Cisco CloudLock

Classifying the Riskiest Applications

To help security teams understand which connected third-party cloud applications in their environment present the most risk to network security, CloudLock developed the Cloud Application Risk Index (CARI). The process involves several evaluations:

Data-access requirements: Organizations answer the following questions, among others: What permissions are required to authorize the application? Does granting data access mean that the application has programmatic (API) access to corporate SaaS platforms through OAuth connections? Can the application (and by extension, the vendor) act on behalf of users and take actions with corporate data, such as viewing and deleting?

Community trust rating: Peer-driven and crowd-sourced evaluations are used for this assessment.

Application threat intelligence: This comprehensive background check by cybersecurity experts is based on an application's various security attributes, such as security certifications, breach history, and analyst reviews.

Download the 2017 graphics at: www.cisco.com/go/acr2017graphics


Risk Scores and Examples

After categorizing third-party cloud applications using the CARI, CloudLock assigns a risk score for each app
on a scale of 1 (lowest risk) to 5 (highest risk).

An app that would score 1 on the scale might have, for example, minimal access scopes (it can see email only),
a 100 percent community trust rating, and no breach history.

An app that would score 5 on the scale might be one with full account access (it can see all emails,
documents, navigation history, calendar, and more), an 8 percent trust rating (meaning, only 8 percent of
administrators trust it), and no security certification.
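The scoring described above, as an added example that is not CloudLock's or Cisco's code: it combines the three CARI evaluations into a score on the report's 1-to-5 scale. The scope catalog, point weights and band cut-offs are assumptions chosen so that the report's two worked examples land on 1 and 5; the real CARI formula is not published in the report.

```python
"""Added example (not CloudLock's or Cisco's code): a CARI-style 1-5 risk score for a
connected third-party OAuth app, built from the three evaluations the report lists.
Scope catalog, point weights and banding are hypothetical assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed scope catalog: scope string -> (data type touched, grants write/delete,
# i.e. the app can act on the user's behalf rather than only read).
SCOPE_CATALOG = {
    "mail.readonly": ("email", False),
    "mail.full": ("email", True),
    "drive.readonly": ("documents", False),
    "drive.full": ("documents", True),
    "calendar.full": ("calendar", True),
    "history.readonly": ("navigation history", False),
}


@dataclass
class OAuthGrant:
    app_name: str
    scopes: List[str]        # scopes the user consented to
    trust_rating: float      # community trust rating: percent of admins trusting the app
    breach_history: bool     # application threat-intelligence attributes
    security_certified: bool


def data_access_points(scopes: List[str]) -> int:
    """0 = read-only access to one data type, 1 = broader read or any write,
    2 = full account access (several data types and the app acts on behalf of users)."""
    data_types = set()
    acts_on_behalf = False
    for scope in scopes:
        if scope not in SCOPE_CATALOG:
            return 2  # an unreviewable scope is treated as full access
        data_type, writes = SCOPE_CATALOG[scope]
        data_types.add(data_type)
        acts_on_behalf = acts_on_behalf or writes
    if len(data_types) >= 3 and acts_on_behalf:
        return 2
    if acts_on_behalf or len(data_types) > 1:
        return 1
    return 0


def trust_points(trust_rating: float) -> int:
    """1 point when fewer than half of the peer administrators trust the app."""
    return 0 if trust_rating >= 50 else 1


def threat_intel_points(grant: OAuthGrant) -> int:
    """1 point for a known breach or a missing security certification."""
    return 1 if grant.breach_history or not grant.security_certified else 0


def cari_score(grant: OAuthGrant) -> int:
    """Risk score on the report's scale: 1 (lowest risk) to 5 (highest risk)."""
    return (1 + data_access_points(grant.scopes)
            + trust_points(grant.trust_rating) + threat_intel_points(grant))


def risk_band(score: int) -> str:
    """Hypothetical banding of the 1-5 score into the report's three categories."""
    return "low" if score <= 2 else "medium" if score == 3 else "high"


def band_distribution(grants: List[OAuthGrant]) -> Dict[str, float]:
    """Percent of apps per band, the view Figure 6 gives for CloudLock's 222,000 apps."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for g in grants:
        counts[risk_band(cari_score(g))] += 1
    total = len(grants) or 1
    return {band: round(100.0 * n / total, 1) for band, n in counts.items()}


# Constructed grants mirroring the report's score-1 and score-5 examples.
LOW_RISK_APP = OAuthGrant("mail-signature-helper", ["mail.readonly"], 100.0, False, True)
HIGH_RISK_APP = OAuthGrant("free-game-companion",
                           ["mail.full", "drive.full", "calendar.full", "history.readonly"],
                           8.0, False, False)

if __name__ == "__main__":
    for g in (LOW_RISK_APP, HIGH_RISK_APP):
        s = cari_score(g)
        print(f"{g.app_name}: score {s} ({risk_band(s)} risk)")
```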

CloudLock used the CARI to categorize the 222,000 applications it had identified across the 900 organizations in its sample. Of those total applications, 27 percent were deemed to be high risk, while the majority fell into the medium-risk category. (See Figure 6.) Half of those organizations had OAuth connections related to a popular gaming application that was released in the summer of 2016.

Figure 6 Third-Party Applications Classified as High Risk (222,000 third-party applications): 27% High Risk, 58% Medium Risk, 15% Low Risk. Source: Cisco CloudLock


Through our analysis, we have found that all organizations, regardless of their size, industry, or region, have a relatively even distribution of low-, medium-, and high-risk applications (Figures 7 and 8).

Figure 7 Distribution of Low-, Medium-, and High-Risk Applications, by Region (percent of applications)

Region | Low Risk | Medium Risk | High Risk
North America | 12 | 54 | 31
LATAM | 10 | 58 | 30
EMEA | 11 | 58 | 32
APAC | 15 | 59 | 30

Source: Cisco CloudLock

Figure 8 Distribution of Low-, Medium-, and High-Risk Applications, by Industry (percent of applications)

Industry | Low Risk | Medium Risk | High Risk
Financial Services | 8 | 57 | 35
Government | 10 | 57 | 33
Healthcare Providers | 16 | 56 | 28
Higher Education | 16 | 53 | 31
K-12 | 17 | 52 | 31
Manufacturing | 8 | 61 | 31
Media and Entertainment | 16 | 56 | 28
Retail | 10 | 58 | 32
Technology | 14 | 56 | 30
Travel, Hospitality, and Transportation | 12 | 58 | 30
Others | 16 | 52 | 32

Source: Cisco CloudLock


Cutting Through the Noise

To identify suspicious user and entity behavior in corporate SaaS platforms, including third-party cloud applications, security teams must sift through billions of user activities to define normal patterns of user behavior in their organization's environment. They must look for anomalies that fall outside those expected patterns. Then they need to correlate suspicious activities to determine what might be a true threat that requires investigation.

An example of suspicious activity is excessive login activity from several countries in a short period. Say that normal user behavior in a certain organization is for employees to log in to a specific application from no more than one or two countries per week. If one user starts logging in to that application from 68 countries over the course of one week, a security team will want to investigate that activity to confirm that it is legitimate.

According to our analysis, only 1 in 5000 user activities (0.02 percent) that are associated with connected third-party cloud applications is suspicious. The challenge for security teams, of course, is pinpointing that one instance.

Only with automation can security teams cut through the noise of security alerts and focus their resources on investigating true threats. The multistage process of identifying normal and potentially suspicious user activities that is described above, and illustrated in Figure 9, hinges on the use of automation, with algorithms applied at every stage.

Figure 9 Identifying User Behavior Patterns with Automation (Process)

All User Behavior: 1 Billion User Activities Per Month
Anomalies: Login Failures 113X than average; File Downloads 227X than average; Data Asset Deletion 141X than average
Suspicious Activities (0.02% of All Activities): 58% Abnormal Behavior; 31% Login Activities; 11% Admin Actions
True Threat
Inputs applied at each stage: Centralized Policies, Contextual Analysis, Cyber Research, Community Intelligence, Threat Intelligence, Cloud Vulnerability Insight

Source: Cisco CloudLock
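The two checks described above, as an added example that is not CloudLock's or Cisco's code: a sliding seven-day count of distinct login countries per user and application, and one day's event count expressed as a multiple of the average on the other days (the "113X than average" reading in Figure 9). The log format, user names, application name and country codes are constructed for the example.

```python
"""Added example (not CloudLock's or Cisco's code): login-country and activity-spike
checks over constructed SaaS audit-log lines. Field layout and all values are invented."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: ISO-8601 UTC timestamp, user, application, event type, country.
SAMPLE_LOG = """\
2016-10-03T08:01:00Z alice crm login_success US
2016-10-04T08:05:00Z alice crm login_success US
2016-10-05T08:02:00Z alice crm login_success US
2016-10-06T09:10:00Z alice crm login_success CA
2016-10-03T10:00:00Z bob crm login_success US
2016-10-04T02:30:00Z bob crm login_success BR
2016-10-05T23:45:00Z bob crm login_success RU
2016-10-06T04:12:00Z bob crm login_success CN
2016-10-03T11:00:00Z carol crm login_failure US
2016-10-04T11:00:00Z carol crm login_failure US
2016-10-05T11:00:00Z carol crm login_failure US
2016-10-06T11:00:00Z carol crm login_failure US
2016-10-07T11:00:00Z carol crm login_failure US
"""
# Forty failed logins within one hour on 2016-10-08 (constructed spike).
SAMPLE_LOG += "".join(f"2016-10-08T03:{m:02d}:00Z carol crm login_failure US\n" for m in range(40))


def parse_log(text):
    """Turn the whitespace-separated log lines into dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, event, country = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "app": app, "event": event, "country": country})
    return events


def login_country_anomalies(events, window_days=7, normal_max=2):
    """Return {(user, app): peak distinct login countries} for each user/app pair that
    exceeded normal_max countries inside some window_days-long window."""
    by_pair = defaultdict(list)
    for e in events:
        if e["event"] == "login_success":
            by_pair[(e["user"], e["app"])].append(e)
    window = timedelta(days=window_days)
    flagged = {}
    for pair, logins in by_pair.items():
        logins.sort(key=lambda e: e["ts"])
        peak = 0
        for anchor in logins:
            # Distinct countries among the logins in the window ending at this login.
            countries = {e["country"] for e in logins
                         if anchor["ts"] - window <= e["ts"] <= anchor["ts"]}
            peak = max(peak, len(countries))
        if peak > normal_max:
            flagged[pair] = peak
    return flagged


def spike_multiple(events, event_type, day):
    """How many times the count of event_type on `day` (YYYY-MM-DD) exceeds the average
    daily count of that event type on the other days present in the log.
    Returns inf when the other days saw none of that event type."""
    per_day = defaultdict(int)
    all_days = set()
    for e in events:
        d = e["ts"].date().isoformat()
        all_days.add(d)
        if e["event"] == event_type:
            per_day[d] += 1
    other_days = [d for d in all_days if d != day]
    baseline = sum(per_day[d] for d in other_days) / len(other_days) if other_days else 0
    if baseline == 0:
        return float("inf")
    return per_day[day] / baseline


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for (user, app), n in login_country_anomalies(EVENTS).items():
        print(f"{user}@{app}: logins from {n} countries in one week, investigate")
    ratio = spike_multiple(EVENTS, "login_failure", "2016-10-08")
    print(f"login failures on 2016-10-08: {ratio:.0f}X the daily average")
```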


Reconnaissance Weaponization Delivery Installation

Through the malicious use of email, file attachments, websites, and other tools, attackers transmit their cyberweapons to targets.

Disappearance of Major Exploit Kits Presents Opportunities for Smaller Players and New Entrants

2016 saw dramatic changes in the exploit kit environment. At the start of the year, Angler, Nuclear, Neutrino, and RIG were clear leaders among exploit kits. By November, RIG was the only one from that group still active. As Figure 10 shows, exploit kit activity dropped off significantly around June.

Nuclear was the first to disappear, suddenly ceasing operation in May. Why its authors abandoned it is a mystery. The Neutrino exploit kit, which also left the scene in 2016, relied on Flash files to deliver vulnerabilities. (See Figure 11 on next page for a list of top vulnerabilities in known exploit kits in 2016.)

Flash remains an attractive web attack vector for adversaries, but it is likely to become less so over time. Fewer sites and browsers are supporting Flash fully or at all, and there is generally greater awareness about Flash vulnerabilities. (For more on this topic, see Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant, on page 15.)

Figure 10 Exploit Kit Landing Page Blocks, January–November 2016 (Number of Blocks per month, January through November, on a 0 to 7K scale; labeled data points 7407 and 1051). Source: Cisco Security Research


A Giant Goes Silent

Angler, the most advanced and largest among known exploit kits, also targeted Flash vulnerabilities and was linked to several high-profile malvertising and ransomware campaigns. However, unlike Nuclear and Neutrino's disappearance, Angler's departure in 2016 is not a mystery.

In late spring, about 50 hackers and cybercriminals were arrested in Russia; the group was linked to the Lurk malware, a banking Trojan that specifically targeted Russian banks. Cisco threat researchers identified clear connections between Lurk and Angler, including the fact that Lurk was being delivered largely through Angler to victims inside Russia. Following the arrests, Angler vanished from the exploit kit marketplace.

Now that three of the most dominant exploit kits have cleared the field, smaller players and new entrants can expand their market share. And they are becoming more sophisticated and agile. Exploit kits that appeared poised for growth in late 2016 were Sundown, Sweet Orange, and Magnitude. These kits, as well as RIG, are known to target Flash, Silverlight, and Microsoft Internet Explorer vulnerabilities. (See Figure 11.) Uninstalling Flash, and disabling or removing unnecessary browser plugins, will help users reduce the risk that they will be compromised by these threats.

Figure 11 Top Vulnerabilities in Exploit Kits

Exploit kits: Angler, Neutrino (1,2), Magnitude, RIG, Nuclear, Sundown, Hunter

Vulnerabilities shown (Flash, Silverlight, IE 9-11, and IE 10-11): CVE-2015-7645, CVE-2015-8446, CVE-2015-8651, CVE-2016-0034, CVE-2016-1019, CVE-2016-1001, CVE-2016-4117, CVE-2016-0189, CVE-2015-5119, CVE-2015-5122, CVE-2015-3043, CVE-2015-0318, CVE-2015-3113, CVE-2015-2419

Source: Cisco Security Research

Russian Hacker Gang Arrested Over $25M Theft, BBC News, June 2, 2016: http://www.bbc.com/news/technology-36434104.
For more on this topic, see the July 2016 Cisco Talos blog post, Connecting the Dots Reveals Crimeware Shake-Up.


Malvertising: Adversaries Use Brokers to Increase Speed and Agility

Users are directed to exploit kits in two primary ways: compromised websites and malvertising. Adversaries will place a link to an exploit kit landing page into a malicious ad or a compromised website, or they will use an intermediate link, known as a broker. (These links, positioned between compromised websites and exploit kit servers, are also referred to as gates.) The broker serves as an intermediary between the initial redirection and the actual exploit kit that delivers the malware payload to users.

The latter tactic is becoming more popular as attackers find they must move faster to maintain their operational space and evade detection. Brokers allow adversaries to switch quickly from one malicious server to another without changing the initial redirection. Because they don't need to constantly modify websites or malicious ads to start the infection chain, exploit kit operators can carry out longer campaigns.

ShadowGate: A Cost-Effective Campaign

As it becomes more difficult to compromise large numbers of users through traditional web attack vectors alone (see page 15), adversaries are relying more on malvertising to expose users to exploit kits. Our threat researchers dubbed a recent global malvertising campaign ShadowGate. This campaign illustrates how malicious ads are providing adversaries with more flexibility and opportunity to target users across geographic regions at scale.

ShadowGate involved websites ranging from popular culture to retail to pornography to news. It potentially affected millions of users in North America, Europe, Asia-Pacific, and the Middle East. The campaign's global reach and use of many languages are noteworthy.

ShadowGate, which used domain shadowing, was first seen in early 2015. It would go quiet at times and then randomly start up again to direct traffic to exploit kit landing pages. Initially, ShadowGate was used to direct users to the Angler exploit kit only. But after Angler disappeared in the summer of 2016, users were directed to the Neutrino exploit kit, until that vanished as well a few months later. (For more on this story, see Disappearance of Major Exploit Kits Presents Opportunities for Smaller Players and New Entrants, on page 20.)

Even though ShadowGate saw a high volume of web traffic, only a tiny fraction of interactions led to a user being directed to an exploit kit. The malicious ads were mostly impressions, ads that render on the page and require no user interaction. This online advertising model allowed the actors responsible for ShadowGate to operate their campaign more cost-effectively.

Our research into ShadowGate led to a joint effort with a major web hosting company. We worked together to mitigate the threat by reclaiming registrant accounts that adversaries had used to host the activity. We then took down all applicable subdomains.

For more details on the ShadowGate campaign, see the September 2016 Cisco Talos blog post, Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted.
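The broker behaviour described at the start of this section, seen from the defender's side, as an added example that is not Cisco's code: redirect chains are rebuilt from web proxy entries by following Referer headers, and an intermediate host is flagged when the hop before it stays the same while the hop after it is switched from one server to another over time. The proxy log, the example.test host names, client addresses and timestamps are all constructed.

```python
"""Added example (not Cisco's code): rebuild redirect chains from constructed proxy
entries and flag intermediate hosts that switch their next hop the way a broker (gate)
does, while the initial redirection to them stays unchanged."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: (timestamp, client, requested URL, Referer header).
SAMPLE_PROXY_LOG = [
    # day 1: compromised site -> broker -> first landing server
    ("2016-06-01T10:00:00Z", "10.0.0.5", "http://news.example.test/story", ""),
    ("2016-06-01T10:00:01Z", "10.0.0.5", "http://broker.example.test/in.php", "http://news.example.test/story"),
    ("2016-06-01T10:00:02Z", "10.0.0.5", "http://landing-a.example.test/index", "http://broker.example.test/in.php"),
    ("2016-06-01T11:00:00Z", "10.0.0.6", "http://news.example.test/story", ""),
    ("2016-06-01T11:00:01Z", "10.0.0.6", "http://broker.example.test/in.php", "http://news.example.test/story"),
    ("2016-06-01T11:00:02Z", "10.0.0.6", "http://landing-a.example.test/index", "http://broker.example.test/in.php"),
    # day 3: same initial redirection, but the broker now points at a second server
    ("2016-06-03T09:00:00Z", "10.0.0.7", "http://news.example.test/story", ""),
    ("2016-06-03T09:00:01Z", "10.0.0.7", "http://broker.example.test/in.php", "http://news.example.test/story"),
    ("2016-06-03T09:00:02Z", "10.0.0.7", "http://landing-b.example.test/index", "http://broker.example.test/in.php"),
    # an ad network alternating between two advertisers is ordinary rotation, not a switch
    ("2016-06-01T12:00:00Z", "10.0.0.8", "http://blog.example.test/post", ""),
    ("2016-06-01T12:00:01Z", "10.0.0.8", "http://ads.example.test/serve", "http://blog.example.test/post"),
    ("2016-06-01T12:00:02Z", "10.0.0.8", "http://shop-one.example.test/promo", "http://ads.example.test/serve"),
    ("2016-06-02T12:00:00Z", "10.0.0.9", "http://blog.example.test/post", ""),
    ("2016-06-02T12:00:01Z", "10.0.0.9", "http://ads.example.test/serve", "http://blog.example.test/post"),
    ("2016-06-02T12:00:02Z", "10.0.0.9", "http://shop-two.example.test/promo", "http://ads.example.test/serve"),
    ("2016-06-03T12:00:00Z", "10.0.0.10", "http://blog.example.test/post", ""),
    ("2016-06-03T12:00:01Z", "10.0.0.10", "http://ads.example.test/serve", "http://blog.example.test/post"),
    ("2016-06-03T12:00:02Z", "10.0.0.10", "http://shop-one.example.test/promo", "http://ads.example.test/serve"),
]


def host(url):
    return urlparse(url).hostname or ""


def redirect_chains(log):
    """Follow Referer headers backwards per client and return one (timestamp, [hosts])
    chain for every request that nothing else referred to (the chain's final hop)."""
    referer_of = defaultdict(dict)   # client -> {url: referer}
    used_as_referer = set()          # (client, url) pairs that referred another request
    times = {}
    for ts, client, url, ref in log:
        referer_of[client][url] = ref
        times[(client, url)] = ts
        if ref:
            used_as_referer.add((client, ref))
    chains = []
    for client, refs in referer_of.items():
        for leaf in refs:
            if (client, leaf) in used_as_referer:
                continue
            hosts, seen, url = [], set(), leaf
            while url and url not in seen:       # `seen` guards against referer loops
                seen.add(url)
                hosts.append(host(url))
                url = refs.get(url, "")
            chains.append((times[(client, leaf)], hosts[::-1]))
    return sorted(chains)


def broker_candidates(chains):
    """Intermediate hosts whose next hop changed in contiguous runs over time (switched,
    not rotated) while they were always reached from the same upstream host.
    Returns {host: [next hops in order of first use]}."""
    next_hops = defaultdict(list)    # host -> chronological list of next-hop hosts
    upstream = defaultdict(set)
    for _ts, hosts in chains:
        for prev, cur, nxt in zip(hosts, hosts[1:], hosts[2:]):
            next_hops[cur].append(nxt)
            upstream[cur].add(prev)
    flagged = {}
    for h, hops in next_hops.items():
        distinct = list(dict.fromkeys(hops))
        switches = sum(1 for a, b in zip(hops, hops[1:]) if a != b)
        # One contiguous run per destination means switch count == distinct - 1.
        if len(distinct) >= 2 and switches == len(distinct) - 1 and len(upstream[h]) == 1:
            flagged[h] = distinct
    return flagged


if __name__ == "__main__":
    for h, hops in broker_candidates(redirect_chains(SAMPLE_PROXY_LOG)).items():
        print(f"possible broker {h}: next hop switched through {' -> '.join(hops)}")
```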


Investigation Finds 75 Percent of Organizations Affected by Adware Infections

Adware, when used for legitimate purposes, is software that downloads or displays advertising through redirections, pop-ups, and ad injections and generates revenue for its creators. However, cybercriminals are also using adware as a tool to help increase their revenue stream. They use malicious adware not only to profit from injecting advertising, but also as a first step to facilitate other malware campaigns, such as DNSChanger malware. Malicious adware is delivered through software bundles; publishers create one installer with a legitimate application along with dozens of malicious adware applications.

Bad actors use adware to:

Inject advertising, which may lead to further infections or exposure to exploit kits

Change browser and operating system settings to weaken security

Break antivirus or other security products

Gain full control of the host, so they can install other malicious software

Track users by location, identity, services used, and sites commonly visited

Exfiltrate information such as personal data, credentials, and infrastructure information (for example, a company's internal sales pages)

To assess the scope of the adware problem for enterprises, Cisco threat researchers examined 80 different adware variants. About 130 organizations across verticals were included in our investigation, which took place from November 2015 to November 2016.

We categorized the adware into four groups, based on the primary behavior of each component:

Ad injectors: This adware usually resides in the browser and can affect all operating systems.

Browser-settings hijackers: This adware component can change computer settings to make the browser less secure.

Utilities: This is a large and growing category of adware. Utilities are web applications that offer a useful service to users, such as PC optimization. These applications can inject advertising, but their primary purpose is to convince users to pay for the service. However, in many cases, utilities are nothing more than scams and provide no benefits to users.

Downloaders: This adware can deliver other software, such as a toolbar.

We determined that 75 percent of the organizations in our study were affected by adware infections.

Figure 12 Percentage of Organizations with Adware Infections: over the past 12 months, >75% of organizations investigated have adware infections. Source: Cisco Security Research


Figure 13 shows the types of incidents we observed in the organizations included in our investigation. Ad injectors were the primary source of infections. This finding indicates that most of these unwanted applications target web browsers. We have also seen an increase in browser-based infections during the last few years, which suggests adversaries are finding success with this strategy for compromising users.

All the adware components we identified during our investigation can place users and organizations at risk for malicious activity. Security teams must recognize the threat that adware infections pose and make sure that users in the organization are fully aware of the risks.

For additional information on this topic, see the February 2016 Cisco Security blog post, DNSChanger Outbreak Linked to Adware Install Base.

Figure 13 Breakdown of Total Incidents by Adware Component (two charts covering November 2015 through October 2016): Percentage of Users Infected, on a 0 to 2.0% scale, and Percentage of Users Infected with Adware by component, on a 0 to 60% scale, for Utilities, Browser-Settings Hijackers, Downloaders, and Ad Injectors. Source: Cisco Security Research


Global Spam Is Increasing, and So Is the Percentage of Malicious Attachments

Cisco threat researchers conducted two studies in 2016 using opt-in customer telemetry to estimate what percentage of total email volume is spam. We found that spam accounts for nearly two-thirds (65 percent) of total email volume. Our research also suggests that global spam volume is growing, due primarily to large and thriving spam-sending botnets like Necurs. In addition, we determined through our analysis that about 8 percent to 10 percent of global spam observed in 2016 could be categorized as malicious.

From August to October 2016, there was a significant increase in the number of IP connection blocks (Figure 14). This trend can be attributed to an overall rise in spam volume, as well as reputation systems adapting to information about spam senders.

Figure 14 IP Blocks by Country, December 2015–November 2016

Country | Dec 2015 | Oct 2016
United States | 1351K | 2046K
Vietnam | 990K | 1684K
India | 254K | 1662K
China | 903K | 760K
Brazil | 252K | 587K
Germany | 414K | 548K
Mexico | 214K | 495K
France | 222K | 467K
Russia | 343K | 352K
Japan | 194K | 286K

Source: Cisco Security Research

IP connection blocks are spam messages that are blocked immediately by spam-detecting technology because the spam sender has a bad reputation score. Examples include messages that have originated from known spam-sending botnets or compromised networks that are known to participate in spam attacks.


The five-year graph from the Composite Blocking List (CBL), a DNS-based blackhole list of suspected spam-sending computer infections, also shows a dramatic increase in total spam volume during 2016 (Figure 15).

A review of 10-year data from CBL (not shown) suggests that 2016 spam volume is close to the record-high levels seen in 2010. New antispam technologies, and high-profile takedowns of spam-related botnets, have helped to keep spam levels low in recent years. Our threat researchers attribute the recent increase in global spam volume to the Necurs botnet. Necurs is a primary vector for Locky ransomware. It also distributes threats such as the Dridex banking Trojan.

Figure 16 is an internal graph generated by Cisco's SpamCop service that illustrates the change in spam volume observed in 2016. This graph shows the overall size of the SpamCop Block List (SCBL) from November 2015 to November 2016. Each row in the SCBL represents a distinct IP address.

Between November 2015 and February 2016, SCBL size hovered below 200,000 IP addresses. In September and October, SCBL size exceeded 400,000 IP addresses before dropping off in October, which our threat researchers attribute to the operators of Necurs simply taking time off. Also note the significant decline in June. At the end of May, there were arrests in Russia related to the Lurk banking Trojan (see page 21). Subsequently, several high-profile threats, including Necurs, went silent. However, 3 weeks later, Necurs was back in action, adding more than 200,000 IP addresses to the SCBL in less than 2 hours.

Figure 15 Total Spam Volume (Emails / Second, 0 to 3.5K, 2012 through 2016). Source: CBL

Figure 16 Overall Size of SCBL (Rows, 0 to 500k, November 2015 through November 2016). Source: SpamCop

For more information about CBL, visit http://www.abuseat.org/.


Many of the host IPs sending Necurs spam have been infected for more than 2 years. To help keep the full scope of the botnet hidden, Necurs will send spam only from a subset of infected hosts. An infected host might be used for 2 to 3 days, and then sometimes not again for 2 to 3 weeks. This behavior complicates the job of security personnel who respond to spam attacks. They may believe they have found and successfully cleaned an infected host, but the actors behind Necurs are just biding their time until they launch another attack.

Seventy-five percent of total spam observed in October 2016 contained malicious attachments. Most of that spam was sent by the Necurs botnet. (See Figure 17.) Necurs sends malicious .zip attachments that include embedded executable files such as JavaScript, .hta, .wsf, and VBScript downloaders. In calculating the percentage of total spam containing malicious attachments, we count both the container file (.zip) and the child files within it (such as a JavaScript file) as individual malicious attachments.

Attackers Experiment with Attachment Types to Keep Malicious Spam Campaigns Fresh

Our threat researchers examined how adversaries use different types of file attachments to help prevent malicious spam from being detected. What we found is that they are continually evolving their strategies, experimenting with a wide range of file types, and quickly switching tactics when they don't find success.

Figure 17 shows how malicious spam operators experimented with the use of .docm, JavaScript, .wsf, and .hta files during the period observed. As noted earlier, many of these file types are associated with spam sent by the Necurs botnet. (For research related to other file types we examined, see the Appendix on page 78.)

The specific percentages for the different file types in a given month are derived using the percentage of total spam that contained malicious attachments seen in that month. So, for example, in July 2016, .docm files represented 8 percent of the total percentage of malicious attachments observed.

Patterns with .wsf files during 2016 (see Figure 17) provide an example of how adversaries will evolve malicious spam tactics over time. This file type was rarely used as a malicious attachment before February 2016. Then, the use of this file type begins to grow as the Necurs botnet becomes more active. By July, .wsf files accounted for 22 percent of all malicious spam attachments. This was also around the time that global spam activity increased dramatically (see previous section), an uptick that was due largely to the Necurs botnet.

Through August, September, and October, we saw fluctuations in the percentages of .wsf files. This indicates that adversaries were pulling back at times when the file type was being detected more frequently.

Figure 17 Percentage of Total Spam Containing Malicious Attachments (Percentage of Total Spam, 0 to 80%, January 2015 through October 2016; series: Containing Malicious Attachments, Contains Malicious .hta, Contains Malicious .js, Contains Malicious .zip, Contains Malicious .docm, Contains Malicious .wsf). Source: Cisco Security Research
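The attachment-counting rule described above (the .zip container and each child file counted separately), as an added example that is not Cisco's code: an in-memory archive is unpacked and every script-downloader file type the report names is flagged, with nested archives followed to a depth limit. The extension policy, nesting and size limits and the placeholder archive contents are assumptions for the example.

```python
"""Added example (not Cisco's code): count a spam attachment the way the report does,
recording the .zip container and every child as a separate attachment and flagging
the script-downloader types (.js, .wsf, .hta, VBScript, .docm). The archive and its
harmless placeholder contents are constructed; extension policy and limits are assumed."""
import io
import zipfile
from pathlib import PurePosixPath

# File types the report associates with Necurs downloader attachments, plus the
# encoded JScript/VBScript variants (constructed policy).
DOWNLOADER_EXTS = {".js", ".jse", ".wsf", ".hta", ".vbs", ".vbe", ".docm"}
CONTAINER_EXTS = {".zip"}
MAX_DEPTH = 3                  # stop unpacking nested archives beyond this depth
MAX_MEMBER_BYTES = 5_000_000   # never inflate a member larger than this


def _ext(path):
    """Last suffix only, so 'receipt.pdf.wsf' is treated as a .wsf file."""
    return PurePosixPath(path).suffix.lower()


def enumerate_attachments(name, data, depth=0):
    """Return (is_malicious, records); records is a list of (path, extension, malicious)
    with each container listed before its children. A container counts as malicious
    when any file inside it is."""
    ext = _ext(name)
    if ext not in CONTAINER_EXTS or depth >= MAX_DEPTH:
        # Leaf file, or an archive nested too deeply to inspect further.
        bad = ext in DOWNLOADER_EXTS
        return bad, [(name, ext, bad)]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Wrong extension or corrupt archive: record it as an opaque file.
        return False, [(name, ext, False)]
    any_bad = False
    records = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            child = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                records.append((child, _ext(child), False))
                continue
            bad, child_records = enumerate_attachments(child, archive.read(info), depth + 1)
            any_bad = any_bad or bad
            records.extend(child_records)
    return any_bad, [(name, ext, any_bad)] + records


def count_malicious(records):
    """Number of attachments counted as malicious, container and children alike."""
    return sum(1 for _path, _extension, bad in records if bad)


def build_sample_attachment():
    """Constructed .zip holding a JavaScript file, a double-extension .wsf, a benign
    text file and a nested archive with a .vbs; every member is a placeholder."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("setup.vbs", "' placeholder, not a real script\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.js", "// placeholder, not a real script\n")
        zf.writestr("receipt.pdf.wsf", "<!-- placeholder -->\n")
        zf.writestr("readme.txt", "plain text\n")
        zf.writestr("inner.zip", inner.getvalue())
    return "invoice.zip", outer.getvalue()


if __name__ == "__main__":
    name, data = build_sample_attachment()
    malicious, records = enumerate_attachments(name, data)
    for path, extension, bad in records:
        print(f"{'MALICIOUS' if bad else 'clean    '} {extension:6} {path}")
    print(f"message malicious: {malicious}; attachments counted: {count_malicious(records)}")
```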


Hailstorms and Snowshoes

Two types of malicious spam attacks are especially problematic for defenders: hailstorm attacks and snowshoe attacks. Both employ the elements of speed and targeting, and both are highly effective.

Hailstorm attacks target antispam systems. The operators behind these attacks take advantage of the very small window of time between the moment they launch their spam campaign and when antispam systems see it and push coverage out to antispam scanners. Adversaries typically have only seconds or minutes to operate before their campaigns are detected and blocked.

The spike in Figure 18 is a hailstorm attack. The activity is shown in the Cisco Investigate interface. Just before the attack, no one was resolving the IP address. Then, suddenly, the number of computers resolving the domain in DNS spiked to more than 78,000 before dropping back down to zero.

Contrast the hailstorm attack to a snowshoe spam campaign, also shown in Figure 18, where attackers attempt to fly under the radar of volume-based detection solutions. The number of DNS lookups is steady, but there are only about 25 queries per hour. These low-volume attacks allow adversaries to quietly distribute spam from a large swath of IP addresses.

Even though these spam attacks operate differently, they do have things in common. Through either approach, adversaries can:

Evade a bad reputation by sending from clean IPs and domains

Emulate marketing mail with professional content and subscription management

Use well-configured email systems rather than sloppy scripts or spam bots

Properly set up forward-confirmed reverse DNS and Sender Policy Framework (SPF) records

Figure 18 Comparison of Hailstorm and Snowshoe Spam Attacks (DNS Queries / Hour, September 16 through October 14)

Hailstorm Spam Attack: a single spike labeled 78,651 queries, on a 0 to 75,000 scale.

Snowshoe Spam Attack: a steady low level labeled 35 queries, on a 0 to 40 scale.

Source: Cisco Investigate
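The two DNS patterns Figure 18 contrasts, as an added example that is not Cisco's code: an hourly query-count series is classified as a hailstorm (a burst of more than 78,000 queries per hour from a domain nobody resolved before, then silence) or a snowshoe campaign (a steady 20 to 35 queries per hour). The thresholds and both series are assumptions constructed to resemble the figure.

```python
"""Added example (not Cisco's code): classify a domain's hourly DNS query series as a
hailstorm burst, a steady snowshoe trickle, or neither. Thresholds and series are
constructed assumptions shaped after Figure 18."""
from statistics import mean, pstdev


def series_profile(counts):
    """Summary statistics of an hourly query-count series."""
    active = [c for c in counts if c > 0]
    avg_active = mean(active) if active else 0.0
    return {
        "max": max(counts),
        "active_hours": len(active),
        "active_fraction": len(active) / len(counts),
        "first_seen": next((i for i, c in enumerate(counts) if c > 0), None),
        # coefficient of variation over the non-zero hours: low means steady volume
        "cv": pstdev(active) / avg_active if len(active) > 1 and avg_active > 0 else 0.0,
    }


def classify_dns_pattern(counts, burst_min=1000, burst_max_hours=6,
                         steady_max=100, steady_min_fraction=0.8, steady_max_cv=0.5):
    """'hailstorm' for a short, very high burst; 'snowshoe' for low, steady volume over
    most hours; 'unclassified' otherwise (ordinary traffic or mixed patterns)."""
    p = series_profile(counts)
    if p["max"] >= burst_min and p["active_hours"] <= burst_max_hours:
        return "hailstorm"
    if (p["max"] <= steady_max and p["active_fraction"] >= steady_min_fraction
            and p["cv"] <= steady_max_cv):
        return "snowshoe"
    return "unclassified"


def hailstorm_series(hours=336):
    """Constructed: silence, a three-hour burst peaking at 78,651, then silence again."""
    burst = [3_100, 78_651, 900]
    quiet = (hours - len(burst)) // 2
    return [0] * quiet + burst + [0] * (hours - quiet - len(burst))


def snowshoe_series(hours=336):
    """Constructed: every hour sees between 20 and 35 queries, never more."""
    return [20 + (h * 7) % 16 for h in range(hours)]


if __name__ == "__main__":
    for label, series in (("burst domain", hailstorm_series()),
                          ("steady domain", snowshoe_series())):
        p = series_profile(series)
        print(f"{label}: peak {p['max']}/h, active {p['active_hours']}h, "
              f"first seen at hour {p['first_seen']} -> {classify_dns_pattern(series)}")
```

A domain whose first ever resolution is also its burst hour is the hailstorm signature the report describes, since coverage can only be pushed after the burst has started.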


Adversaries can also impair content detection by mutating text and cycling through file types. (For more details on how cybercriminals evolve their threats to evade defenders, see the Time to Evolve section on page 34.) For more information on how they experiment with malicious file attachments for spam, see the previous section.

Figure 19 shows top threat outbreak alerts; this is an overview of the spam and phishing messages that we observed adversaries frequently updating in 2016 in order to bypass email security checks and rules. It is important to know what types of email threats are the most prevalent so that you can avoid being duped by these malicious messages.

Figure 19 Top Threat Outbreak Alerts

Version | Publication Identifier | Publication Name and URL | Message Summary | Attachment File Type | Language | Last Publication Date
96 | 35656 | RuleID4626 | Invoice, Payment | .zip | German, English | 04/25/16
87 | 34577 | RuleID10277 | Purchase Order | .zip | German, English | 06/02/16
82 | 36916 | RuleID4400KVR | Purchase Order | .zip | English | 02/01/16
74 | 38971 | RuleID15448 | Purchase Order, Payment, Receipt | .zip, .gz | English | 08/08/16
72 | 41513 | RuleID18688 | Order, Payment, Seminar | .zip | English | 09/01/16
70 | 40056 | RuleID6396 | Purchase Order, Payment, Receipt | .rar | English | 06/07/16
66 | 34796 | RuleID5118 | Product Order, Payment | .zip | German, English | 09/29/16
64 | 39317 | RuleID4626 (cont) | Invoice, Payment, Shipping | .zip | English, German, Spanish | 01/28/16
64 | 36917 | RuleID4961KVR | Confirmation, Payment/Transfer, Order, Shipping | .zip | English | 07/08/16
63 | 37179 | RuleID13288 | Delivery Notice, Court Appearance, Ticket Invoice | .zip | English, Spanish | 07/21/16
61 | 38095 | RuleID858KVR | Shipping, Quote, Payment | .zip | English | 08/01/16
58 | 39150 | RuleID4961KVR | Quote Request, Product Order | .zip | English, German, Multiple Languages | 01/25/16
47 | 41886 | RuleID4961 | Transfer, Shipping, Invoice | .zip | English, German, Spanish | 02/22/16

Source: Cisco Security Research


Reconnaissance Weaponization Delivery Installation

Once the threat is in position, it installs a back door on a target's system, providing adversaries with persistent access.

Web Attack Methods: Long Tail Snapshot Reveals Threats That Users Can Easily Avoid

The so-called long tail of the web attack methods spectrum (Figure 20) includes a collection of lower-volume malware types that are employed at a later stage in the attack chain: installation. In this phase, the threat that has been delivered, a banking Trojan, a virus, a downloader, or some other exploit, installs a back door in the target system, providing adversaries with persistent access and the opportunity to exfiltrate data, launch ransomware attacks, and engage in other mischief.

The threats listed in Figure 20 are samples of malware signatures found outside the top 50 most commonly observed malware types. The long tail of web attack methods is, essentially, a snapshot of threats that are quietly at work on a machine or system after a successful attack. Many of these infections were first spawned by an encounter with malicious adware or exposure to a well-crafted phishing scam. These are situations that users can often easily avoid or quickly remediate.

Figure 20 Sample of Observed Lower-Volume Malware (count of observed signatures)

91 PUA and Suspicious Binaries
36 Heuristic
16 Worm (Allaple)
14 Trojans Downloader (HTML)
10 Trojans Downloader (JS)
9 Trojans (Agent)
7 Trojans Downloader (VBS)
7 Backdoor (Java)
5 Trojans (Locky)
5 Heuristic (CVE-2013-0422)
3 Virus (Replog)
2 Trojans (Win32)
2 Virus (Fas)
2 Trojans Downloader Malware (Small)
2 Trojans (Cryptodef)
2 Backdoor (Farfli)
2 Backdoor (Gbot)
1 Linux (Veribak)
1 Browser Redirection Trojans (JSRedir)
1 Trojans Downloader (Upatre)
1 Trojans Downloader (Win32)
1 Backdoor (NuPrader)
1 Trojans (Shifu)
1 Trojans (Zbot)
1 Trojans (Yakes)
1 Trojans (Scar)
1 Trojans (Reconyc)
1 Trojans (Crypt)
1 Trojans (Crypmod)
1 Trojans (Bitman)
1 Trojans (Deshacop)

Source: Cisco Security Research


Vertical Risk of Malware Encounters: Attackers See Value Across the Board

In the Cisco 2016 Midyear Cybersecurity Report, a key message about the risk of malware was that no vertical is safe. Judging from our researchers' periodic examination of attack traffic (block rates) and normal or expected traffic by industry, this message held true in the latter half of the year.

In looking at verticals and their block rates over time (Figure 21), we see that, at some point over the course of several months, every industry has been subject to attack traffic and at varying levels. It's clear that as attacks rise and fall, they affect different verticals at different times but none are spared.

Figure 21 Percentage of Monthly Vertical Block Rates (one small chart per vertical, each on a 0 to 40% scale): Accounting; Agriculture and Mining; Automotive; Aviation; Banking and Finance; Charities and NGOs; Education; Electronics; Energy, Oil, and Gas; Engineering and Construction; Entertainment; Food and Beverage; Government; Healthcare; Heating, Plumbing, and A/C; Industrial; Insurance; IT and Telecommunications; Legal; Manufacturing; Media and Publishing; Pharmaceutical and Chemical; Professional Services; Real Estate and Land Mgmt.; Retail and Wholesale; Transportation and Shipping; Travel and Leisure; Utilities. Source: Cisco Security Research


Regional Overview of Web Block Activity

Adversaries frequently shift their base of operation, searching for weak infrastructure from which they can launch their campaigns. By examining overall Internet traffic volume and block activity, Cisco threat researchers can offer insight on where malware is originating.

As Figure 22 shows, traffic from the United States edged up slightly from the block rates seen in the Cisco 2016 Midyear Cybersecurity Report. The United States houses the far greater share of blocks, but this should be considered a function of the country's far greater share of online traffic. In addition, the United States is one of the world's largest targets of malware attacks.

The takeaway for security professionals: Much like the vertical web block activity, the regional web block activity shows that malware traffic is a global problem.

Figure 22 Web Blocks by Country (block ratio; expected ratio: 1.0)
Germany 3.88
Malaysia 3.52
Indonesia 2.84
Romania 2.77
Canada 2.11
Australia 1.60
Belize 1.54
Ukraine 1.47
Panama 1.46
Peru 1.43
China 1.31
Italy 1.22
United States 1.20
Venezuela 1.15
Vietnam 1.07
Turkey 1.00
Russia 0.94
France 0.87
Chile 0.83
Source: Cisco Security Research


Time to Detection: An Essential Metric for Measuring Defenders' Progress

Cisco is continually refining our approach to measuring TTD so that we can ensure we are tracking and reporting the most accurate estimate of our median TTD. Recent adjustments to our approach have increased our visibility into files that were categorized as "unknown" when first seen and then later identified as "known bad" after continuous analysis and global observation. With a more holistic view of data, we are better able to pinpoint when a threat first emerged and exactly how long it took for security teams to determine that it was a threat.

This new insight helped us to determine that our median TTD was 39 hours in November 2015. (See Figure 23.) By January 2016, we had reduced the median TTD to 6.9 hours. After collecting and analyzing data for October 2016, our threat researchers determined that Cisco products had achieved a median TTD of 14 hours for the period from November 2015 to October 2016. (Note: The median TTD figure for 2016 is the average of the monthly medians for the period observed.)

The median TTD fluctuated throughout 2016 but trended downward overall. Increases in the median TTD indicate times when adversaries launched a wave of new threats. The subsequent decreases reflect periods where defenders gained the upper hand and could identify known threats quickly.

Figure 23 also shows that the median TTD was about 15 hours by the end of April 2016, which is greater than the 13-hour figure we reported in the Cisco 2016 Midyear Cybersecurity Report. That 15-hour figure is based on data collected from November 2015 through April 2016. It was not derived using our modified approach to analyzing more detailed retrospective information about files. Using the new midyear TTD figure, we can report that TTD declined to about 9 hours for the period from May through October 2016.

Reviewing retrospective data is important not only for determining a more accurate measure of our median TTD, but also for studying how threats evolve over time. Numerous threats in the landscape are particularly evasive and can take a long time to identify even though they are known to the security community.

Adversaries will evolve certain malware families to avoid detection and increase their time to operate. This tactic hinders defenders' progress in gaining, and then maintaining, an edge in detecting many types of known threats. (For more on this topic, see "Time to Evolve: For Some Threats, Change Is Constant," page 34.) However, the fact that cybercriminals are evolving their threats frequently and rapidly indicates that they are facing intense and constant pressure to find ways to keep their threats operating and profitable.

Figure 23 Median TTD by Month
Line chart, November 2015 through October 2016; y-axis: median hours (0 to 40). Labeled points: 39.16 (November 2015), 18.22, 15.19, 8.11, 8.48, 8.58, 6.89 (January 2016), 6.48, and 6.05.
Source: Cisco Security Research

Cisco defines time to detection, or TTD, as the window of time between a compromise and the detection of a threat. We determine this time window using opt-in security telemetry gathered from Cisco security products deployed around the globe. Using our global visibility and a continuous analytics model, we are able to measure from the moment malicious code runs on an endpoint to the time it is determined to be a threat, for all malicious code that was unclassified at the time of encounter.

Cisco 2016 Midyear Cybersecurity Report: http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html.
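The definition above has three parts that are easy to get wrong when reproducing the metric on your own telemetry: only files that were unclassified at encounter count, the clock runs from first execution to the retrospective conviction, and the period figure is the average of monthly medians rather than a pooled median. The following script is an added example written for this page, not code from the Cisco report; the telemetry records, hash prefixes and timestamps are constructed for illustration.

```python
"""Median time to detection (TTD) from retrospective telemetry.

Added example, not taken from the Cisco report. It applies the report's
definition literally: only files that were unclassified at the moment of
encounter count, the clock runs from first execution on an endpoint to the
retrospective "known bad" verdict, the monthly figure is the median of those
durations, and the period figure is the average of the monthly medians.
All records below are constructed for illustration.
"""
from datetime import datetime
from statistics import median

# Constructed telemetry: (hash prefix, first execution, verdict time, verdict
# at first sight). The verdict time is None while the file is still unclassified.
TELEMETRY = [
    ("a1", "2015-11-02T08:00", "2015-11-04T08:00", "unknown"),    # 48.0 h
    ("b2", "2015-11-10T12:00", "2015-11-11T18:00", "unknown"),    # 30.0 h
    ("c3", "2015-11-20T00:00", "2015-11-20T06:00", "known_bad"),  # excluded: convicted on sight
    ("d4", "2016-01-05T09:00", "2016-01-05T15:00", "unknown"),    # 6.0 h
    ("e5", "2016-01-12T10:00", "2016-01-12T18:00", "unknown"),    # 8.0 h
    ("f6", "2016-01-20T10:00", "2016-01-20T17:00", "unknown"),    # 7.0 h
    ("g7", "2016-01-25T00:00", None,               "unknown"),    # excluded: not yet convicted
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def hours_to_verdict(record):
    """Hours from first execution to conviction, or None if the record does not
    qualify (already known bad at encounter, or still unclassified)."""
    _, first_run, verdict_at, initial = record
    if initial != "unknown" or verdict_at is None:
        return None
    return (_ts(verdict_at) - _ts(first_run)).total_seconds() / 3600.0


def monthly_median_ttd(records):
    """Map 'YYYY-MM' of first execution -> median hours over qualifying records."""
    by_month = {}
    for rec in records:
        hours = hours_to_verdict(rec)
        if hours is not None:
            by_month.setdefault(rec[1][:7], []).append(hours)
    return {month: median(h) for month, h in sorted(by_month.items())}


def period_ttd(records):
    """The report's period figure: the mean of the monthly medians."""
    monthly = monthly_median_ttd(records)
    return sum(monthly.values()) / len(monthly) if monthly else None


if __name__ == "__main__":
    for month, hours in monthly_median_ttd(TELEMETRY).items():
        print(f"{month}: median TTD {hours:.2f} h")
    print(f"period: {period_ttd(TELEMETRY):.2f} h")
```

On the constructed data the monthly medians are 39.0 hours (November 2015) and 7.0 hours (January 2016), so the period figure is 23.0 hours, while a pooled median of the same five durations would be 8.0 hours. Keep that distinction in mind when comparing a figure you compute yourself against the report's numbers.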


Time to Evolve: For Some Threats, Change Is Constant

Cybercriminals use various obfuscation techniques to keep their malware strong and profitable. Two common methods they employ are evolving their payload delivery types and quickly generating new files (defeating hash-only detection methods). Our researchers closely examined how adversaries have used these two strategies to help six well-known malware families (Locky, Cerber, Nemucod, Adwind RAT, Kryptik, and Dridex) evade detection and continue compromising users and systems.

Through our analysis, we sought to measure the time to evolve (TTE): the time it takes adversaries to change the way specific malware is delivered and the length of time between each change in tactics. We analyzed web attack data from different Cisco sources, specifically web proxy data, cloud and endpoint advanced malware products, and composite antimalware engines.

Our researchers looked for changes in file extensions delivering the malware and the file content (or MIME) type as defined by a user's system. We determined that each malware family has a unique pattern of evolution. For each family, we examined the patterns in both web and email delivery methods. We also tracked the ages of unique hashes associated with each malware family to determine how quickly adversaries are creating new files (and thus, new hashes).

Through our research, we learned that:

- Ransomware families appear to have a similar rotation of new binaries. However, Locky uses more file extension and MIME combinations to deliver its payload.
- Some malware families employ only a handful of file delivery methods. Others use 10 or more. Adversaries tend to use effective binaries over long periods. In other cases, files pop up and then drop off quickly, indicating that the malware authors are under pressure to switch tactics.
- The Adwind RAT and Kryptik malware families have a higher median TTD. (For more on TTD, see page 33.) We also see a greater mix of file ages for these families. This suggests that adversaries reuse effective binaries that they know are difficult to detect.
- Looking at the file ages for the Dridex malware family, it appears that the shadow economy may be abandoning use of this once-popular banking Trojan. In late 2016, detection volume for Dridex declined, as did the development of new binaries to deliver this malware. This trend suggests that the malware's authors no longer see value in evolving this threat, or that they have found a new way to package the malware that has made it harder to detect.
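The three measurements described above (the set of extension/MIME delivery combinations per family, the interval between changes of tactic, and the age of a hash when it is blocked) can be reproduced from ordinary proxy and email-gateway logs. The script below is an added example, not code from the Cisco report or from Cisco's telemetry pipeline. It also flags combinations whose extension and declared content type disagree, which is the pattern the Locky, Nemucod and Kryptik figures later in this section show (for instance a .cgi or no-extension URL serving a Word document or an executable). The family names are the report's; every observation, timestamp, hash and the abbreviated expected-MIME table are constructed assumptions.

```python
"""Time to evolve (TTE), hash age and extension/MIME disagreement.

Added example, not from the Cisco report. Over a constructed set of blocked
file observations it (1) lists the unique (vector, extension, MIME) delivery
combinations per family, (2) measures TTE as the gap between successive
introductions of a new combination, (3) computes the share of blocks in a
month whose hash was first seen less than 24 hours earlier, and (4) flags
combinations where the extension and the declared content type disagree.
"""
from datetime import datetime

# Constructed observations: (family, vector, timestamp, extension, mime, hash prefix).
OBS = [
    ("locky",  "email", "2016-02-01T09:00", "doc", "application/msword",        "h1"),
    ("locky",  "email", "2016-02-03T09:00", "doc", "application/msword",        "h2"),
    ("locky",  "web",   "2016-02-11T09:00", "exe", "application/msdownload",    "h3"),
    ("locky",  "web",   "2016-02-25T09:00", "cgi", "application/msword",        "h3"),
    ("locky",  "email", "2016-03-02T09:00", "js",  "text/plain",                "h4"),
    ("locky",  "email", "2016-03-02T15:00", "js",  "text/plain",                "h5"),
    ("locky",  "web",   "2016-03-09T09:00", "cgi", "application/msword",        "h3"),
    ("adwind", "email", "2016-02-15T09:00", "jar", "application/java-archive",  "h9"),
]

# Content types an extension is expected to carry (assumed, abbreviated table).
EXPECTED_MIME = {
    "exe": {"application/msdownload", "application/x-msdownload", "application/x-dosexec"},
    "doc": {"application/msword"},
    "js":  {"text/javascript", "application/javascript"},
    "zip": {"application/zip"},
    "jar": {"application/java-archive"},
}
# Any payload type from the table arriving under an extension outside the table
# (server-side script, image, document, or none) is treated as suspect.
PAYLOAD_MIME = set().union(*EXPECTED_MIME.values())


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def unique_combos(obs, family):
    """Distinct (vector, extension, mime) delivery combinations for a family."""
    return sorted({(v, e, m) for f, v, _, e, m, _ in obs if f == family})


def tactic_changes(obs, family):
    """(combination, first-seen time) for each new combination, in order of appearance."""
    first = {}
    for f, v, t, e, m, _ in sorted(obs, key=lambda r: r[2]):
        if f == family and (v, e, m) not in first:
            first[(v, e, m)] = _ts(t)
    return sorted(first.items(), key=lambda kv: kv[1])


def time_to_evolve_days(obs, family):
    """Days between successive introductions of a new delivery combination."""
    times = [t for _, t in tactic_changes(obs, family)]
    return [(b - a).total_seconds() / 86400 for a, b in zip(times, times[1:])]


def fresh_hash_share(obs, family, month, max_hours=24):
    """Share of the family's blocks in 'YYYY-MM' whose hash had been seen for
    less than max_hours anywhere in the data set (the report's '<24 hours' bar)."""
    first_seen = {}
    for _, _, t, _, _, h in obs:
        first_seen[h] = min(first_seen.get(h, _ts(t)), _ts(t))
    ages = [(_ts(t) - first_seen[h]).total_seconds() / 3600
            for f, _, t, _, _, h in obs if f == family and t.startswith(month)]
    return sum(a < max_hours for a in ages) / len(ages) if ages else 0.0


def combo_is_suspect(ext, mime):
    """A known extension carrying an unexpected type, or an unlisted extension
    carrying a document, script, archive or executable type."""
    if ext in EXPECTED_MIME:
        return mime not in EXPECTED_MIME[ext]
    return mime in PAYLOAD_MIME


def suspect_combos(obs, family):
    return sorted({(e, m) for f, _, _, e, m, _ in obs
                   if f == family and combo_is_suspect(e, m)})


if __name__ == "__main__":
    for fam in ("locky", "adwind"):
        print(fam, len(unique_combos(OBS, fam)), "combinations; TTE gaps (days):",
              time_to_evolve_days(OBS, fam), "; suspect:", suspect_combos(OBS, fam))
        print("  share of blocks with hash age <24h in 2016-02:",
              round(fresh_hash_share(OBS, fam, "2016-02"), 3))
```

On the constructed data Locky introduces four combinations 10, 14 and 6 days apart, 75 percent of its February blocks involve a hash less than a day old (the reused h3 pulls the March share down to two thirds), and the two flagged combinations are the .cgi URL serving a Word document and the .js file declared as text/plain. A mismatch alone is not proof of malice, but a table like this is a cheap first-stage filter to route such objects to sandboxing regardless of whether the hash is known.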


TTE and TTD

The six malware families we analyzed in our TTE study are listed in Figure 24. The chart depicts the median TTD for the top 20 malware families (by detection count) that our researchers observed from November 2015 to November 2016. Our average median TTD for that period was about 14 hours. (For details on how we calculate TTD, see page 33.)

Many of the malware families that Cisco products are detecting within the median TTD are industrialized threats that spread quickly and are therefore more prevalent. Cerber and Locky, which are both types of ransomware, are examples.

Old and pervasive threats that adversaries don't bother to evolve much, or at all, are also typically detected below the median TTD. Examples include malware families like Bayrob (botnet malware), Mydoom (a computer worm that affects Microsoft Windows), and Dridex (the banking Trojan).

In the following sections, we present research highlights on TTE and TTD for the Locky, Nemucod, Adwind RAT, and Kryptik malware families. Detailed findings for Cerber and Dridex are included in the Appendix on page 78.

Figure 24 TTD Medians of Top Malware Families (Top 20 Families by Detection Count)
Scatter plot; x-axis: median TTD in hours (0 to 50), with a vertical line marking the Cisco average TTD; y-axis: percentage of total detections (0 to 35 percent). Families plotted: nemucod (largest share of detections), bayrob (second largest), docdl, locky, dridex, donoff, insight, fareit, kryptik, mabezat, adwind, mydoom, cerber, mamianune, razy, upatre, hancitor, adnel, zbot, zusy.
Source: Cisco Security Research


TTE Analysis: Locky

Through our TTE research, we learned that Locky and Cerber employ a limited number of file extension and MIME combinations to deliver malware through the web or by email. (See Figure 25.) We observed several combinations that included Microsoft content types (msdownload, ms-word). However, the associated file extensions (.exe and .cgi) did not point back to a Word file; application/msdownload in fact identifies a Windows executable rather than a document. We also identified content types that pointed to malicious .zip files.

Both Locky and Cerber also appear to use new binaries frequently as an attempt to evade file-based detection. File ages for the Locky malware family are shown in Figure 26. The top half of the chart depicts the ages of files that were observed during a specific month. The bottom portion of the chart shows monthly changes in the volume of Locky-related hashes, both new and previously observed files.

In Figure 26, also note the decline in volume in June as well as the distribution of file ages. The Necurs botnet, which was known to deliver Locky, went offline for most of June. This likely sidelined the malware authors' efforts to keep the malware fresh during that month. However, it is clear that they recovered quickly. By July, the malware had returned to its more standard mix of file ages, with the majority (74 percent) being less than a day old when first detected.

Figure 25 File Extension and MIME Combinations for the Family of Threats and Indicators That Lead to and Include the Locky Payload (Web and Email Vectors)
Unique vectors observed per month, November 2015 through October 2016, by delivery channel (email, web):
doc & application/msword
exe & application/msdownload
no extension & text/plain
exe & application/msdos-prog...
xls & application/vnd.ms-excel
js & text/plain
zip & application/zip
doc & text/plain
no extension & application/zip
aspx & application/zip
jsp & application/zip
lib & text/plain
no extension & application/dosexec
rar & application/x-rar
js & text/html
php & application/zip
rtf & application/msword
docm & application/vnd.open...
no extension & application/vnd...
no extension & application/ms-wo...
cgi & application/ms-word.doc...
wsf & text/html
doc & application/vnd.open...
wsf & application/xml
no extension & application/vnd...
js & text/javascript
xls & application/vnd.openxml...
vbs & text/plain
Source: Cisco Security Research

Figure 26 Hash Ages for the Locky Malware Family and Percent of Total Hash Volume Observed Per Month
Top panel: percentage of Locky hashes with hash age under 24 hours (0% to 100%); bottom panel: percentage of total hash volume (0% to 10%); November 2015 through October 2016.
Source: Cisco Security Research


The rapid cycling of binaries for this ransomware is not surprising. Instances of Locky and Cerber are often detected either on the same day they are introduced or within 1 to 2 days after, making it imperative for adversaries to evolve these threats continually if they want them to remain active and effective. (Figure 24, discussed earlier, shows that Cisco products detected both Locky and Cerber ransomware within the median TTD in 2016.)

Figure 27 shows the median TTD for Locky ransomware, which declined dramatically from about 116 hours in November 2015 to just under 5 hours in October 2016.

Figure 27 TTD for the Locky Malware Family
Line chart of median hours (0 to 120), November 2015 through October 2016. Labeled points: 116.1 (November 2015), 89.3, 7.1, 5.9, and 4.7 (October 2016).
Source: Cisco Security Research


TTE Analysis: Nemucod

In 2016, Nemucod was the most frequently detected malware among the top 20 families shown in Figure 24. Adversaries use this downloader malware to distribute ransomware and other threats, such as backdoor Trojans that facilitate click fraud. Some variants of Nemucod also serve as engines for delivering the Nemucod malware payload.

One reason Nemucod malware was so prevalent in 2016, according to our threat researchers, is that its authors frequently evolved this threat. Cisco identified more than 15 file extension and MIME combinations associated with the Nemucod family that were used to deliver malware through the web. Many more combinations were used to deliver the threat to users through email (Figure 28).

Several file extension and MIME combinations (web and email) were designed to point users to malicious .zip files or archives. Adversaries also reused many combinations during the months we observed.

As Figure 29 shows, many Nemucod hashes are less than 2 days old when they are detected. In September and October 2016, almost every binary related to the Nemucod family that was blocked was less than a day old.

Figure 28 File Extension and MIME Combinations for Nemucod (Web and Email Vectors)
Unique vectors observed per month, November 2015 through October 2016, by delivery channel (email, web):
js & application/javascript
html & text/html
zip & application/zip
no extension & application/zip
zip & application/x-zip-comp...
html & application/zip
php & application/zip
zip & text/plain
js & text/plain
js & text/x-pascal
js & text/javascript
dat & application/vnd.ms-tnef
rar & application/x-rar
aspxx & application/zip
xls & application/zip
aspx & application/zip
cgi & application/zip
wsf & text/html
no extension & application/archive
html & application/archive
cgi & application/archive
js & text/x-makefile
js & text/x-c
jsp & application/zip
no extension & text/html
jse & text/plain
zip & application/archive
lib & text/plain
lib & text/x-makefile
lib & text/x-c
lib & text/x-pascal
gif & application/zip
jpg & application/zip
pdf & application/zip
docx & application/zip
tiff & application/zip
zip & application/x-rar
wrn & text/plain
wrn & text/x-c
wrn & text/x-pascal
vbs & text/plain
js & text/html
tgz & application/x-gzip
wsf & application/xml
docx & application/vnd.open...
doc & application/zip
rar & application/zip
php & application/javascript
zip & application/x-gzip
cab & application/vnd.ms-cab...
hta & text/html
asp & application/zip
cgi & audio/wav
hta & application/zip
Source: Cisco Security Research

Figure 29 Hash Ages for the Nemucod Malware Family and Percent of Total Hash Volume Observed Per Month
Top panel: percentage of Nemucod hashes with hash age under 24 hours (0% to 100%); bottom panel: percentage of total hash volume (0% to 50%); November 2015 through October 2016.
Source: Cisco Security Research

Figure 30 TTD for the Nemucod Malware Family
Line chart of median hours (0 to 80), November 2015 through October 2016. Labeled points: 85.0, 46.3, 21.8, 13.9, and 7.3.
Source: Cisco Security Research


TTE Analysis: Adwind RAT

Cisco threat researchers found that Adwind RAT (remote access Trojan) malware is delivered through file extension and MIME combinations that include .zip or .jar files. This is true whether the malware is being delivered through the email or web attack vector. (See Figure 31.)

Adwind RAT used a wide range of hash ages throughout most of the period observed in 2016, except during September and October, when most files seen were 1 to 2 days old (Figure 32).

We also found that the median TTD for Adwind RAT is consistently higher than the median TTD for other malware families we analyzed (Figure 33). The malware's authors have apparently developed hard-to-detect delivery mechanisms that keep Adwind RAT successful. Therefore, they don't need to rotate through new hashes as frequently or as rapidly as the actors behind other malware families do. The Adwind Trojan is also known by other names, such as JSocket and AlienSpy.

Figure 31 File Extension and MIME Combinations for Adwind RAT (Web and Email Vectors)
Unique vectors observed per month, November 2015 through October 2016, by delivery channel (email, web):
jar & application/java-archive
jar & application/zip
jar & application/archive
zip & application/zip
no extension & application/archive
no extension & application/zip
class & application/x-java-applet
Source: Cisco Security Research

Figure 32 Hash Ages for the Adwind RAT Malware Family and Percent of Total Hash Volume Observed Per Month
Top panel: percentage of Adwind RAT hashes with hash age under 24 hours (0% to 100%); bottom panel: percentage of total hash volume (0% to 1.5%); November 2015 through October 2016.
Source: Cisco Security Research

Download the 2017 graphics at: www.cisco.com/go/acr2017graphics

Figure 33 TTD for the Adwind RAT Malware Family
Line chart of median hours (0 to 80), November 2015 through October 2016. Labeled points: 70.7, 30.0, 25.3, 13.0, and 16.2.
Source: Cisco Security Research


TTE Analysis: Kryptik

Kryptik, like Adwind RAT malware, had a median TTD that was consistently higher (about 20 hours) than other malware families Cisco analyzed for the TTE study from November 2015 through October 2016 (Figure 36). However, by October, Cisco products had reduced the median TTD window for Kryptik malware to less than 9 hours (Figure 36).

The Kryptik malware family also used a wider range of hash ages than the other malware families we analyzed, particularly during the first half of 2016. The ability of Kryptik's authors to rely on older hashes for so long indicates that defenders had trouble detecting this malware type.

During the period that we observed, Kryptik's authors employed a wide range of payload delivery methods through the web attack vector. The authors used JavaScript files and archive files such as .zip files in file extension and MIME combinations for both web and email. (See Figure 34.) Some of the combinations date back to 2011.

In our analysis of the six malware families, we find that adversaries must shift tactics frequently to take advantage of the small window of time during which their threats can operate successfully. These adjustments indicate that defenders are getting better at detecting known malware quickly, even after a threat has evolved. Attackers are under pressure to find new ways to avoid detection and keep their campaigns profitable.

In this complex landscape of rapid evolution, where all malware families behave differently, human expertise and point solutions are not enough to identify and respond quickly to threats. An integrated security architecture that provides real-time insight into threats, along with automated detection and defense, is essential for improving TTD and ensuring swift remediation when infections occur.

Figure 34 File Extension and MIME Combinations for Kryptik (Web and Email Vectors)
Unique vectors observed per month, November 2015 through October 2016, by delivery channel (email, web):
js & application/javascript
gif & image/gif
jpg & image/jpeg
html & text/html
js & text/javascript
no extension & text/html
htm & text/html
php & text/html
ico & text/html
png & image/png
zip & application/x-zip-comp...
zip & application/zip
exe & application/msdownload
doc & application/msword
no extension & application/exe
no extension & application/zip
js & text/plain
rar & application/x-rar
scr & application/x-dosexec
exe & application/x-dosexec
jar & application/zip
gif & text/html
no extension & application/archive
vbs & text/plain
asp & text/html
no extension & application/java...
php & application/exe
tbz2 & application/x-rar
Source: Cisco Security Research

Figure 35 Hash Ages for the Kryptik Malware Family and Percent of Total Hash Volume Observed Per Month
Top panel: percentage of Kryptik hashes with hash age under 24 hours (0% to 100%); bottom panel: percentage of total hash volume (0% to 2%); November 2015 through October 2016.
Source: Cisco Security Research

Figure 36 TTD for Kryptik Malware Family
Line chart of median hours (0 to 80), November 2015 through October 2016. Labeled points: 63.7, 34.4, 55.1, 22.4, and 8.7 (October 2016).
Source: Cisco Security Research


Defender Behavior
Vulnerabilities on the Decline in 2016

In the second half of 2016, vendor-disclosed vulnerabilities dropped significantly from 2015, according to our research (Figure 37). The National Vulnerability Database shows a similar decline. The reasons for the drop in disclosed vulnerability advisories are not entirely clear.

It should be noted that 2015 was an unusually active year for vulnerabilities, so the 2016 numbers may reflect a normal pace of vulnerability advisories. From January to October 2015, total alerts reached 7602. During the same time period in 2016, total alerts reached 6380; during this period in 2014, total alerts were 6272.

The high number of vulnerability reports in 2015 may indicate that vendors were looking more closely at existing products and code, more carefully implementing secure development lifecycle (SDL) practices, and identifying vulnerabilities and subsequently fixing them. The decline in reported vulnerabilities may indicate that these efforts are paying off. That is, vendors are now focusing on identifying vulnerabilities and correcting them before products reach the market.

In 2016, Apple was the vendor showing the most dramatic decline in vulnerabilities: The company reported 705 vulnerabilities in 2015, and 324 vulnerabilities in 2016 (a 54 percent decline). Similarly, Cisco reported 488 vulnerabilities in 2015, and 310 in 2016 (a 36 percent decline).

A concern among security researchers is that vulnerability fatigue may be setting in among security professionals. In recent months, there has not been a major vulnerability announcement that sent shock waves through the industry, as Heartbleed did in 2014. In fact, the hype around named vulnerabilities such as Heartbleed and the increase in 2015 likely contributed to the level of fatigue or, at least, to less interest in reporting vulnerabilities.

Figure 37 Cumulative Annual Alert Totals
Cumulative alerts by month (January through December; y-axis 0 to 9K) for 2013, 2014, 2015, and 2016. Labeled 2016 points, January through October: 634, 1327, 2193, 2992, 3811, 4407, 4969, 5483, 5976, 6380.
Source: Cisco Security Research


Figure 38 Critical Vulnerability Advisories by Vendor and Type
Microsoft 174
Adobe 162
Cisco 28
TPS 25
ICS 10
VMware 8
Apple 5
Apache 3
Oracle 3
HP 3
Source: National Vulnerability Database (NVD)

Cisco is now using severity/impact ratings (SIRs), in which the rating levels are critical, high, medium, and low. The ratings reflect a simplified prioritization of scores from the Common Vulnerability Scoring System (CVSS). In addition, Cisco has adopted CVSS v3.0, the successor to CVSS v2.0. Because of this change, some vulnerabilities may have higher scores than before, so security professionals may see a small increase in vulnerabilities that are rated critical and high, instead of medium and low. For more information about this scoring change, read the Cisco Security blog post "The Evolution of Scoring Security Vulnerabilities: The Sequel."

In the Cisco 2017 Security Capabilities Benchmark Study (page 49), security professionals indicated a slight decrease in their agreement about security operationalization. This decrease may be connected to fatigue about the need to continually implement upgrades and patches. For example, in 2016, 53 percent of security professionals said they strongly agreed that they review and improve security practices regularly, formally, and strategically; in 2014 and 2015, 56 percent strongly agreed.

Of course, a decline in vulnerabilities should not lead to overconfidence about the threat landscape: No one should adopt the mindset that attention to threats can lapse, even in the absence of high-profile vulnerabilities.

As we've advised in past reports, security professionals should make a concerted effort to prioritize patches. If a lack of staffing and other resources prevents the timely installation of all available patches, evaluate which ones are most critical to network safety, and place those at the top of the to-do list.

Figure 39 Selected Critical Vulnerability Advisories
Advisory Title | Date Issued
Adobe Acrobat and Acrobat Reader memory corruption code execution vulnerability | Jul 28, 2016
Adobe Acrobat and Acrobat Reader memory corruption remote code execution vulnerability | Jul 28, 2016
Adobe Acrobat and Acrobat Reader memory corruption vulnerability | Jul 21, 2016
Adobe Acrobat and Acrobat Reader integer overflow vulnerability | May 23, 2016
Adobe Acrobat and Acrobat Reader memory corruption remote code execution vulnerability | Feb 08, 2016
Adobe Acrobat and Acrobat Reader memory corruption vulnerability | Jul 28, 2016
Adobe Acrobat and Acrobat Reader memory corruption vulnerability | Jul 18, 2016
Adobe Acrobat and Acrobat Reader memory corruption vulnerability | Jun 23, 2016
Adobe Acrobat and Acrobat Reader memory corruption vulnerability | May 24, 2016
Adobe Acrobat and Acrobat Reader memory corruption vulnerability | May 23, 2016
Source: Cisco Security Research

The advisories listed above are selected 2016 critical-rated vulnerabilities that were reported by multiple sources to have exploit code publicly available or to be actively exploited in the wild.


Server and Client Vulnerabilities

As discussed in the Cisco 2016 Midyear Cybersecurity Report, adversaries are finding space and time to operate within server-side solutions. By launching attacks within server software, they can potentially gain control of more network resources, or move laterally among other critical solutions.

Cisco researchers have tracked client and server vulnerabilities by vendor (Figure 40).

Figure 40 Client-Server Vulnerabilities Breakdown, 2015–2016
Server vulnerabilities: from 2332 to 3142 (up 34%)
Client vulnerabilities: from 2300 to 2106 (down 8%)
Network vulnerabilities: from 501 to 396 (down about 20%)
Source: National Vulnerability Database

Middleware: Adversaries See Opportunity in Unpatched Software

In the Cisco 2016 Midyear Cybersecurity Report, we shared data about attacks against server-side systems. In 2017, middleware, which connects platforms or applications, is poised to attract attackers seeking places to operate where defenders are slow to react or recognize a threat.

Cisco researchers, while looking for vulnerabilities in third-party software, discovered an average of 14 new vulnerabilities in software per month. Most of those vulnerabilities (62) were attributable to the use of middleware. Of those 62 vulnerabilities, 20 were found within code that handles PDFs; 12 were found in code that handles images; 10 were found in code for common office productivity solutions; nine were found in code for compression; and 11 were found in other libraries (Figure 41).

Vulnerabilities in middleware pose a unique security threat because their libraries are not usually updated as rapidly as software that is more client-facing, that is, software that users interact with directly on a day-to-day basis, such as productivity solutions. Middleware libraries may be left out of software audits, so vulnerabilities remain in place.

Figure 41 Vulnerabilities Found in Middleware Libraries
PDF 20
Image 12
Office 10
Compression 9
Other 11
Source: Cisco Security Research
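The advice on the previous page (prioritize patches when you cannot install them all) and the recommendations that close this section (keep a list of the dependencies and libraries in the applications you use, and audit it routinely) come together in the following added example, which is not code from the Cisco report. It assumes simple dotted version strings, an advisory feed that states the first fixed version, a CVSS v3 base score and whether exploit code is public or exploitation has been reported, and it maps scores to severity tiers using the CVSS v3 qualitative scale (Critical 9.0 to 10.0, High 7.0 to 8.9, Medium 4.0 to 6.9, Low 0.1 to 3.9); that mapping is an assumption, since Cisco's own SIR thresholds are not given on this page. Application names, library names, versions and advisories are all constructed.

```python
"""Dependency inventory against an advisory feed, ranked for patching.

Added example, not from the Cisco report. The inventory lists the middleware
libraries (PDF, image, office, compression parsers) each application embeds,
because those are the libraries the report says get left out of audits.
Severity tiers follow the CVSS v3 qualitative scale (an assumption); within a
tier, advisories with public exploit code or in-the-wild exploitation rank
first, then higher base scores. Every name, version and advisory is invented.
"""
from typing import NamedTuple


class Advisory(NamedTuple):
    library: str
    fixed_in: str      # first version that carries the fix
    cvss: float        # CVSS v3 base score
    exploited: bool    # public exploit code or active exploitation reported
    category: str      # middleware category as in Figure 41


INVENTORY = {  # constructed: application -> {library: installed version}
    "mail-gateway": {"pdfparse": "1.4.2", "imgdecode": "0.9.1", "archiver": "2.2.0"},
    "doc-portal":   {"pdfparse": "1.5.0", "officeconv": "3.1.4", "archiver": "2.0.7"},
}
ADVISORIES = [  # constructed
    Advisory("pdfparse",   "1.5.0", 9.8, True,  "pdf"),
    Advisory("imgdecode",  "0.9.2", 7.5, False, "image"),
    Advisory("archiver",   "2.1.0", 5.3, True,  "compression"),
    Advisory("officeconv", "3.2.0", 3.1, False, "office"),
]
SIR_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only (assumption); '1.10.0' sorts after '1.9.9'."""
    return tuple(int(p) for p in v.split("."))


def sir_from_cvss(score: float) -> str:
    """Severity tier from a CVSS v3 base score (qualitative scale, assumed)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def affected(inventory, advisories):
    """Every (application, library, installed, advisory) with installed < fixed_in."""
    hits = []
    for app, libs in inventory.items():
        for adv in advisories:
            installed = libs.get(adv.library)
            if installed is not None and parse_version(installed) < parse_version(adv.fixed_in):
                hits.append((app, adv.library, installed, adv))
    return hits


def prioritized_patch_list(inventory, advisories):
    """Severity tier first, exploited advisories first within a tier, then score."""
    hits = affected(inventory, advisories)
    hits.sort(key=lambda h: (SIR_RANK[sir_from_cvss(h[3].cvss)], not h[3].exploited, -h[3].cvss))
    return [(app, lib, installed, adv.fixed_in, sir_from_cvss(adv.cvss), adv.exploited)
            for app, lib, installed, adv in hits]


def exposure_by_category(inventory, advisories):
    """Count of outstanding advisories per middleware category (compare Figure 41)."""
    counts = {}
    for _, _, _, adv in affected(inventory, advisories):
        counts[adv.category] = counts.get(adv.category, 0) + 1
    return counts


if __name__ == "__main__":
    for app, lib, installed, fixed_in, sir, exploited in prioritized_patch_list(INVENTORY, ADVISORIES):
        flag = " (exploit public / in the wild)" if exploited else ""
        print(f"{sir:8} {app}: {lib} {installed} -> {fixed_in}{flag}")
    print(exposure_by_category(INVENTORY, ADVISORIES))
```

On the constructed data the list comes out as the critical, actively exploited PDF parser on the mail gateway first, then the high-severity image decoder, then the medium-severity archiver on the document portal (exploited, so it would outrank any non-exploited medium item), and the low-severity office converter last; the portal's PDF parser is already at the fixed version and is not listed. Feeding the script real data means exporting a software bill of materials per application and an advisory feed with fixed versions, which is exactly the inventory the recommendations below ask you to maintain.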


Organizations may gamble on middleware being safe and may place greater attention on updating high-profile solutions. But they can lose the bet that adversaries won't seek entry to networks through these low-profile pathways. Middleware thus becomes a security blind spot for defenders and an opportunity for attackers.

The challenge of updating middleware libraries closely relates to the open-source software problem (discussed in the Cisco 2015 Midyear Security Report), since many middleware solutions come from open-source developers. (However, the problem at hand can affect both open-source and proprietary middleware developers.) Therefore, middleware libraries may rely on many developers to keep them updated. On the list of tasks that an overtaxed IT or security team needs to manage, middleware library updates may not be a top priority, but they should be given greater attention.

What is the potential impact of a middleware vulnerability that is exploited by adversaries? Given the connections between middleware and other crucial systems, such as email or messaging, an attacker could move laterally into these systems and send phishing messages or spam. Or attackers could masquerade as authorized users and abuse trust relationships between users to gain further access.

To avoid becoming the victim of an attack launched through a middleware vulnerability, you should:
- Actively maintain a list of known dependencies and libraries in the applications you use
- Actively monitor the security of these applications, and mitigate risks as much as possible
- Insert a service-level agreement in contracts with software vendors for providing patches in a timely manner
- Routinely audit and review software dependencies and library use
- Ask software vendors for details on how they maintain and test their products

In short: Delays in patching increase the operational space for attackers and allow them more time to gain control of critical systems. In the next section, we discuss this impact and trends in the patching of common productivity solutions such as web browsers.

Time to Patch: Closing the Recovery Time Frame

Many users do not download and install patches in a timely manner. Adversaries can use these unpatched vulnerabilities to gain entry to networks. In our latest research, we find that the key to encouraging users to download and install patches may rest in the cadence of software updates from vendors.

A security patch release is a clear indication to attackers that there is a vulnerability worth exploiting. Although sophisticated attackers have likely been exploiting the vulnerabilities for some time, the notification of a patch tells many others that it's open season on the earlier versions.

When software vendors release new versions on a regular schedule, users become conditioned to downloading and installing updates. Conversely, when vendor upgrade releases are erratic, users are less likely to install them. They will continue to operate outdated solutions that may contain exploitable vulnerabilities.

Other behaviors that affect the upgrade cycle include:
- How disruptive the reminder experience is
- How easy it is to opt out
- How often the software is used

There are varying windows of time in which users are likely to install an upgrade when it is released by the vendor. Our researchers looked at the installations of software on the endpoints used by our customers. Their software fell into three categories:
- New versions: The endpoint ran the newest available version of the software
- Recent versions: The endpoint ran one of the previous three versions of the software, but not the newest
- Old versions: The endpoint ran software that was more than three versions behind the current release

As an example, if a software vendor released version 28 on January 1, 2017, version 28 would be new; version 26 would be recent; and version 23 would be old. (The figures on the next page contain callouts of the weekly time periods where one or more versions of the software were released.)
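The dependency-audit recommendations above and the new/recent/old categorization both come down to the same bookkeeping: knowing which version each endpoint runs relative to the vendor's release history. The following Python script is an added example (not code or data from the Cisco report) that applies the report's three-category rule to a constructed inventory and flags endpoints running a version older than a known fix. The product, release dates, hostnames and advisory ids are all constructed placeholders.

```python
"""Patch-posture audit for a fleet of endpoints.

Added example, not code or data from the Cisco report. It applies the
report's three categories (new / recent / old) to a constructed inventory
and flags endpoints running a version that predates a known fix.
"""
from collections import Counter
from datetime import date

# Constructed release history for a hypothetical product, oldest first.
# Positions in this list, not string comparison, define version order,
# so a version "10" correctly sorts after "9".
RELEASES = [
    ("22", date(2016, 8, 2)),
    ("23", date(2016, 9, 6)),
    ("24", date(2016, 10, 4)),
    ("25", date(2016, 11, 1)),
    ("26", date(2016, 11, 29)),
    ("27", date(2016, 12, 13)),
    ("28", date(2017, 1, 1)),
]

# Constructed advisory list: first fixed version -> placeholder advisory id.
ADVISORIES = {"25": "ADV-PLACEHOLDER-1", "28": "ADV-PLACEHOLDER-2"}

# Constructed inventory: endpoint -> version it currently runs.
INVENTORY = {
    "host-01": "28", "host-02": "28", "host-03": "27", "host-04": "26",
    "host-05": "25", "host-06": "24", "host-07": "23", "host-08": "22",
    "host-09": "28", "host-10": "26",
}


def classify(version, releases, as_of):
    """Classify `version` against the releases available on `as_of`.

    new    : the newest version released on or before as_of
    recent : one of the three versions before the newest
    old    : more than three versions behind the newest
    """
    available = [v for v, released in releases if released <= as_of]
    if version not in available:
        raise ValueError(f"version {version!r} unknown or not yet released on {as_of}")
    behind = len(available) - 1 - available.index(version)
    if behind == 0:
        return "new"
    if behind <= 3:
        return "recent"
    return "old"


def unpatched_advisories(version, releases, advisories):
    """Advisory ids whose fix shipped in a version newer than `version`."""
    order = [v for v, _ in releases]
    pos = order.index(version)
    return sorted(adv for fixed, adv in advisories.items() if order.index(fixed) > pos)


def audit(inventory, releases, advisories, as_of):
    """Summarise the fleet: category counts plus per-host missing fixes."""
    counts = Counter()
    exposed = {}
    for host, version in sorted(inventory.items()):
        counts[classify(version, releases, as_of)] += 1
        missing = unpatched_advisories(version, releases, advisories)
        if missing:
            exposed[host] = (version, missing)
    return {"total": len(inventory), "counts": dict(counts), "exposed": exposed}


if __name__ == "__main__":
    report = audit(INVENTORY, RELEASES, ADVISORIES, date(2017, 1, 10))
    for category in ("new", "recent", "old"):
        share = 100 * report["counts"].get(category, 0) / report["total"]
        print(f"{category:>6}: {share:5.1f}% of endpoints")
    for host, (version, missing) in report["exposed"].items():
        print(f"{host} runs {version}, missing fixes: {', '.join(missing)}")
```

The audit date matters: an endpoint on version 27 is "new" on December 20, 2016 and "recent" ten days later, once version 28 ships, which is exactly the drop in the newest-version share that the time-to-patch figures below show at each release callout. Version order is taken from the release list rather than from string comparison so that numeric version strings sort correctly.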


In examining users of Adobe Flash (Figure 42), we found that, within the first week of an update release, nearly 80 percent of users install the software's latest version. In other words, it takes only about one week for the user population to get up to speed with the latest version. This one-week recovery period represents hackers' window of opportunity.

In looking at late Q4 2015 in the Adobe Flash graphic, we see a sharp drop in the number of users on the newest version of the solution. In the time period we examined, Adobe released five versions of Flash in quick succession, representing a mix of functionality additions, bug fixes, and security updates. Such a flurry of updates may confuse users. They may question whether they need to download so many updates; they can become fatigued by the number of upgrade notifications; and they may think they've already downloaded a crucial update and can ignore new notifications. No matter what drives their lack of interest in installing an update, it's bad news for defenders.

In examining upgrades for the Google Chrome web browser, we see a different pattern. It reflects a regular cadence of upgrades, as well as a strong opt-out policy that makes it difficult for users to ignore update notifications. As seen in Figure 42, endpoints running the newest version stay relatively steady over the course of many weeks.

The Chrome data shows that users recover relatively quickly. In the case of regular updates, one week is roughly the recovery timeline. In one span of 9 weeks running through Q2 and Q3 of 2016, however, there were seven updates. During this time the population recovered, but upgrade fatigue began to set in. The percentage of users staying with an older version steadily climbs despite the majority of the population recovering.

Mozilla's Firefox browser also offers updates on a regular schedule, but the recovery period after an update is released appears to take as long as a month. That is, users do not download and install updates as frequently as Chrome users do. One reason may be that some users might not use the browser regularly and therefore aren't seeing and downloading updates. (See Figure 43 on next page.)

Figure 42 Time to Patch for Adobe Flash and Google Chrome
[Chart: weekly Adoption of Latest Update (Low to High) per product, with "Update Released" callouts giving the percentage of outdated versions at each release. Panels: Adobe Flash, Week 0 to 75 from May 2015; Google Chrome, Week 0 to 55 from May 2015.]
Source: Cisco Security Research


We found that Firefox updated its versions about every other week, with the frequency of updates increasing over the course of the observation period. This increase in frequency is reflected in the growth of old Firefox versions within the population. The recovery time is roughly 1.5 weeks, but the times overlap. The population that tries to stay current drops to as little as 30 percent of the user base. At some point, two-thirds of the users have resorted to simply running the browser more than four versions behind the most current one. So, although Firefox is rapidly addressing issues and fixing bugs, the user base is not updating and restarting on the same frequency.

For software, the level of use seems to also be an indicator of its vulnerability. When users do not access software often and therefore aren't aware of the need to patch and upgrade it, the ignored software provides space and time for attackers to operate.

We can see this in the research on Microsoft Silverlight, which shows a recovery period of as long as 2 months for users to install upgrades after a release. At one point, there were two releases within 5 weeks, which affected the user population for more than 3 months, as can be seen between Q4 of 2015 and Q1 of 2016.

Microsoft announced the end of life of Silverlight in 2012, although patches and bug fixes are still being released. However, it poses the same problem that Internet Explorer does: Outdated and unpatched software invites attackers to easily exploit it.

The recovery period for Java users shows that most are running versions of the software that are one to three versions behind the most recent release. The time to recovery is about 3 weeks. An unusual pattern with Java is that the dominant populations are those that use recent versions. The Java update cycle is from 1 to 2 months.

The overall lesson from time-to-patch cycles is that upgrade release patterns are a contributing factor in user security posture, which can place networks at risk.
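The recovery periods quoted for Flash, Chrome, Firefox, Silverlight and Java, and the "overlapping" case where a second release arrives before the population has recovered from the first, can be computed from the same kind of weekly snapshot the figures plot. The Python below is an added example (not the report's own code or data) that derives a per-release recovery time from a constructed 20-week adoption series; the 80 percent recovery threshold, the series values and the release calendar are all assumptions.

```python
"""Recovery time from weekly adoption snapshots.

Added example, not code or data from the Cisco report. For each vendor
release, count the weeks until the share of endpoints on the newest
version reaches a recovery threshold. A release overtaken by the next one
before it recovers is reported as None, the overlapping pattern the report
describes for Firefox and Silverlight.
"""
from statistics import median

# Assumed recovery threshold: percent of endpoints on the newest version.
RECOVERY_THRESHOLD = 80.0

# Constructed 20-week series: percent of endpoints on the then-newest
# version, measured at the end of each week (index = week number).
ADOPTION = [95, 96, 30, 85, 90, 92, 93, 94, 95, 40,
            70, 78, 35, 60, 75, 83, 45, 82, 90, 92]

# Constructed release calendar: weeks in which a new version shipped.
RELEASE_WEEKS = [2, 9, 12, 16]


def recovery_weeks(adoption, release_weeks, threshold=RECOVERY_THRESHOLD):
    """Map each release week to weeks-to-recover, or None if never recovered.

    A release's window runs from its own week up to (not including) the
    next release; a value of 1 means the threshold was met by the end of
    the release week itself.
    """
    releases = sorted(release_weeks)
    result = {}
    for i, start in enumerate(releases):
        window_end = releases[i + 1] if i + 1 < len(releases) else len(adoption)
        result[start] = None
        for week in range(start, min(window_end, len(adoption))):
            if adoption[week] >= threshold:
                result[start] = week - start + 1
                break
    return result


def summarize(recovery):
    """Median recovery time of recovered releases and count of unrecovered ones."""
    recovered = [w for w in recovery.values() if w is not None]
    unrecovered = len(recovery) - len(recovered)
    return (median(recovered) if recovered else None), unrecovered


if __name__ == "__main__":
    result = recovery_weeks(ADOPTION, RELEASE_WEEKS)
    for week, weeks in sorted(result.items()):
        status = f"{weeks} week(s)" if weeks is not None else "not recovered before next release"
        print(f"release in week {week:2d}: {status}")
    print("median recovery / unrecovered releases:", summarize(result))
```

In the constructed series the release in week 9 never reaches the threshold before week 12's release supersedes it, so it is reported as unrecovered rather than being credited with the later recovery; that is the distinction a defender wants when deciding whether a vendor's cadence, or the user population's habits, is what is leaving old versions in place.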

Figure 43 Time to Patch for Firefox, Silverlight, and Java
[Chart: weekly Adoption of Latest Update (Low to High) per product, with "Update Released" callouts giving the percentage of outdated versions at each release. Panels: Firefox, Week 0 to 75 from May 2015; Silverlight, Week 0 to 55 from May 2015; Java, Week 0 to 75 from May 2015.]
Source: Cisco Security Research

Download the 2017 graphics at: www.cisco.com/go/acr2017graphics

Cisco 2017 Security Capabilities Benchmark Study
To gauge the perceptions of security professionals on the state of security in their
organizations, Cisco asked chief security officers (CSOs) and security operations
(SecOps) managers in several countries and at organizations of various sizes about
their perceptions of their own security resources and procedures. The Cisco 2017
Security Capabilities Benchmark Study offers insights on the maturity level of security
operations and security practices currently in use, and also compares these results
with those of the 2016 and 2015 reports. The study was conducted across 13
countries with more than 2900 respondents.

Security professionals want to make their organizations more secure, but in a way that responds to the complex attacker landscape and their adversaries' efforts to expand their operational space. Many organizations are relying on many solutions from many vendors. This tactic adds to the complexity and confusion of securing networks as the Internet continues to grow in terms of speed, connected devices, and traffic. Organizations need to aim for simplicity and integration if they are to protect themselves.

Perceptions: Security Professionals Confident in Tools, Less Sure They're Using Them Effectively

Most security professionals believe that they have adequate solutions on hand and that their security infrastructures are up to date. However, according to our study, this confidence comes with some uncertainty. These professionals are not always sure they can muster the budgets and brainpower to truly take advantage of the technology they have.

Threats to organizations are coming from every direction. Adversaries are nimble and creative, and they're able to outfox defenses. Even in this sobering environment, the majority of security professionals feel confident that their security infrastructure is up to date, although that confidence appears to be waning a bit from previous years. In 2016, 58 percent of the respondents said their security infrastructure is very up to date and is constantly upgraded with the latest technologies. Thirty-seven percent said they replace or upgrade their security technologies on a regular basis but aren't equipped with the latest-and-greatest tools (Figure 44).

Figure 44 Percentages of Security Professionals Who Feel Their Security Infrastructure Is Up to Date
Described as Very Up to Date, Best Technologies Available: 58%
Described as Replaced/Upgraded on Regular Cadence, Not Equipped with Latest and Greatest Tools: 37%
2016 (n=2912)
Source: Cisco 2017 Security Capabilities Benchmark Study


In addition, more than two-thirds of security professionals perceive their security tools as very effective or extremely effective. For example, 74 percent believe their tools are very or extremely effective in blocking known security threats, while 71 percent believe their tools are effective at detecting network anomalies and dynamically defending against shifts in adaptive threats (Figure 45).

Figure 45 Percentages of Security Professionals Who Perceive Various Security Tools to Be Highly Effective
Perceive Their Tools to Be Very or Extremely Effective Against Known Security Threats: 74%
Perceive Their Tools to Be Very or Extremely Effective at Detecting Network Anomalies and Dynamically Defending Against Shifts in Adaptive Threats: 71%
2016 (n=2912)
Source: Cisco 2017 Security Capabilities Benchmark Study

The problem: Confidence in tools does not necessarily transfer to effective security. As the study indicates, security departments are wrestling with complicated tools from many vendors, as well as a lack of in-house talent.

This boils down to an intent versus reality problem. Security professionals want simple, effective security tools, but they don't have the integrated approach they need to make this vision happen.

Security remains a high priority for the top levels of many organizations. And security professionals believe that executive teams keep security high on the list of key organizational goals. The challenge, of course, is to match executive support with the talent and technology that can affect security outcomes.

The number of security professionals strongly agreeing that their executive leadership considers security a high priority was 59 percent in 2016, down slightly from 61 percent in 2015 and 63 percent in 2014 (Figure 46). In 2016, 55 percent of security professionals agreed that security roles and responsibilities are clarified within their organization's executive team; in 2015 and 2014, 58 percent agreed.

Figure 46 Percentages of Security Professionals Who Believe Security Is a High Priority at the Executive Level, 2014-2016
Strong Agreement That Executive Leadership at Organization Considers Security a High Priority: 2014: 63%; 2015: 61%; 2016: 59%
Strong Agreement That Security Roles and Responsibilities Are Clarified Within Organization's Executive Team: 2014: 58%; 2015: 58%; 2016: 55%
2014 (n=1738), 2015 (n=2432), 2016 (n=2912)
Source: Cisco 2017 Security Capabilities Benchmark Study

In summary, security professionals have confidence in the tools on hand, and they appear to have the ear of corporate leaders in addressing security issues. But that confidence is waning slightly. Security professionals are becoming aware of attacker successes and the unwieldiness of managing the growing attack surface.


Constraints: Time, Talent, and Money Affect the Ability to Respond to Threats
If security professionals are relatively confident that they have the tools needed to detect threats and mitigate damage, they also recognize that certain structural constraints stand in the way of their goals. A tight budget is a perennial challenge. But other constraints on effective security speak to the problems of simplifying and automating security.

In 2016, 35 percent of security professionals said that budget was their biggest obstacle to adopting advanced security processes and technology (a slight decrease from 2015, when 39 percent said budget was the number one obstacle), as seen in Figure 47. As in 2015, compatibility issues with legacy systems was the second-most-common obstacle: 28 percent named compatibility in 2016, compared with 32 percent in 2015.

Money is only part of the problem. For example, compatibility issues speak to the problem of disconnected systems that don't integrate. And concerns about the lack of trained personnel highlight the problem of having the tools but not the talent to truly understand what is happening in the security environment.

The struggle to find talent is a concern, considering the expertise and decision-making abilities needed to fight targeted attacks and shifting adversary tactics. A well-resourced and expert IT security team, paired with the right tools, can make technology and policies work together and achieve better security outcomes.

The median number of security professionals at the surveyed organizations was 33, compared with 25 in 2015. In 2016, 19 percent of organizations had between 50 and 99 dedicated security professionals; 9 percent had 100 to 199 security professionals; and 12 percent had 200 or more (Figure 48).

Figure 47 Biggest Obstacles to Security
2015 (n=2432) / 2016 (n=2912)
Budget Constraints: 39% / 35%
Compatibility Issues: 32% / 28%
Certification Requirements: 25% / 25%
Lack of Trained Personnel: 22% / 25%
Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 48 Number of Security Professionals Employed by Organizations
Number of Dedicated Security Professionals (Percentage of Organizations, 2016):
1-9: 15%; 10-19: 17%; 20-29: 13%; 30-39: 8%; 40-49: 6%; 50-99: 19%; 100-199: 9%; 200+: 12%
Median Number of Professionals Dedicated to Security: 2014: 30; 2015: 25; 2016: 33
Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 49 Number of Security Professionals by Size of Organization
[Chart: three panels (Midmarket, Enterprise, Large Enterprise (10,000+)) showing the share of organizations in each headcount band: 1-9, 10-19, 20-29, 30-39, 40-49, 50-99, 100-199, 200+.]
Source: Cisco 2017 Security Capabilities Benchmark Study

The number of security professionals varies by organizational size. As shown in Figure 49, 33 percent of large enterprises with more than 10,000 employees had at least 200 security employees.

Whatever the constraints, security professionals need to ask hard questions about the barriers that limit their ability to face coming threats.

For example, when it comes to budget, how much is really enough? As survey respondents explained, security teams must compete against many other corporate priorities, even within the IT setting. If they can't secure funds for more tools, then the budget they do have must work harder. For example, automation can be used to offset limited manpower.

Similar questions should be asked about the software and hardware compatibility problem. As compatibility issues multiply, how many different versions of software and hardware, most of which may not be operating effectively, must be managed? And how will security teams handle the multiple certification requirements needed?

Outsourcing and the Cloud Help Stretch Budgets
Many security professionals participating in the benchmark study felt they were cash-strapped when making security purchases. They stretched their budget by outsourcing some tasks or using cloud solutions. They also relied on automation.


Aside from those limitations, security professionals are also placing slightly less emphasis on security operationalization. This trend may raise concerns that security professionals are building a suboptimal security infrastructure. Signs of a weakening focus on operationalization can indicate that organizations are not prepared to defend a widening attack landscape.

For example, in 2016, 53 percent of the respondents strongly agreed that they review and improve security practices regularly, formally, and strategically; in 2014 and 2015, 56 percent strongly agreed. Likewise, in 2016, 53 percent said they strongly agreed that they routinely and systematically investigate security incidents, compared with 55 percent in 2014 and 56 percent in 2015 (Figure 50).

Figure 50 Percentages of Respondents Who Strongly Agree with Security Operationalization Statements
We Review and Improve Our Security Practices Regularly, Formally, and Strategically Over Time: 2014: 56%; 2015: 56%; 2016: 53%
We Routinely and Systematically Investigate Security Incidents: 2014: 55%; 2015: 56%; 2016: 53%
2014 (n=1738), 2015 (n=2432), 2016 (n=2912)
Source: Cisco 2017 Security Capabilities Benchmark Study

If security professionals are slipping in their goals to put security into use, then it may not be a surprise that they can't effectively deploy the tools they have, much less add new tools. If, as study respondents told us, they cannot use the technology that they already have on hand, they need simpler streamlined tools that automate security processes. And those tools need to provide a holistic picture of what is going on in the network environment.

The lack of integration in security can allow gaps of time and space, where bad actors can launch attacks. The tendency of security professionals to juggle solutions and platforms from many vendors can complicate assembling a seamless defense. As seen in Figure 51, a majority of companies use more than five security vendors and more than five security products in their environment. Fifty-five percent of security professionals use at least six vendors; 45 percent use anywhere from one to five vendors; and 65 percent use six or more products.

Figure 51 Number of Security Vendors and Products Used by Organizations
Number of Security Vendors in Security Environment, 2016 (n=2850), Graphic Rounded to Nearest Whole Number:
1-5 Vendors: 45%; 6-10 Vendors: 29%; 11-20 Vendors: 18%; 21-50 Vendors: 7%; Over 50 Vendors: 3%
55% Use More Than 5 Vendors
Number of Security Products in Security Environment, 2016 (n=2860), Graphic Rounded to Nearest Whole Number:
1-5 Products: 35%; 6-10 Products: 29%; 11-25 Products: 21%; 26-50 Products: 11%; Over 50 Products: 6%
65% Use More Than 5 Products
Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 52 Percentages of Security Alerts That Are Not Investigated or Remediated
Experienced No Security Alert: 7%; Experienced Security Alert: 93%
Of Alerts: 44% NOT Investigated; 56% Investigated
Of Investigated Alerts: 28% Are Legitimate
Of Legitimate Alerts: 46% Are Remediated; 54% Are NOT Remediated
2016 (n=2796)
Source: Cisco 2017 Security Capabilities Benchmark Study

If operationalization goals are slipping, if tools are not used at their maximum effectiveness, and if manpower is not robust, the result is faltering security. Security professionals are forced to skip the investigation of alerts simply because they do not have the talent, tools, or automated solutions available to determine which ones are critical and why they are occurring.

Perhaps due to several factors, such as the lack of an integrated defense system or the lack of staff time, organizations are able to investigate a little more than half the security alerts they receive in a given day. As shown in Figure 52, 56 percent of alerts are investigated, and 44 percent are not investigated; of those alerts that are investigated, 28 percent are deemed legitimate alerts. Forty-six percent of legitimate alerts are then remediated.

To put the problem into more concrete terms, if an organization records 5000 alerts per day, this means:
- 2800 alerts (56 percent) are investigated, while 2200 (44 percent) are not
- Of those investigated, 784 alerts (28 percent) are legitimate, while 2016 (72 percent) are not
- Of the legitimate alerts, 360 (46 percent) are remediated, while 424 (54 percent) are not remediated

The fact that nearly half of alerts go uninvestigated should raise concern. What is in the group of alerts that is not being remediated: Are they low-level threats that might merely spread spam, or could they result in a ransomware attack or cripple a network? To investigate and understand a greater slice of the threat landscape, organizations need to rely on automation as well as properly integrated solutions. Automation can help stretch precious resources and remove the burden of detection and investigation from the security team.

The inability to view so many alerts raises questions about their impact on an organization's overall success. What could these uninvestigated threats do to productivity, customer satisfaction, and confidence in the enterprise? As respondents told us, even small network outages or security breaches can have long-term effects on the bottom line. Even when losses were relatively minor and the affected systems were fairly easy to identify and isolate, security leaders regard breaches as significant because of the stress they put on the organization.


The stresses can affect organizations in many ways. Security teams must devote time to managing network outages that occur after a security breach. Nearly half of these outages lasted as long as 8 hours. Forty-five percent of the outages lasted from 1 to 8 hours (Figure 53); 15 percent lasted 9 to 16 hours, and 11 percent lasted 17 to 24 hours. Forty-one percent of these outages affected between 11 percent and 30 percent of the organization's systems.

Figure 53 Length and Extent of Outages Caused by Security Breaches
Organizations' Systems Down Time Due to Breach, 2016 (n=2665):
No Outage: 7%; Less Than 1 Hour: 13%; 1-8 Hours: 45%; 9-16 Hours: 15%; 17-24 Hours: 11%; Over 24 Hours: 9%
Percentage of Systems Impacted Due to Breach, 2016 (n=2463):
No Impact: 1%; 1-10% Impacted: 19%; 11-30% Impacted: 41%; 31-50% Impacted: 24%; Over 50% Impacted: 15%
Source: Cisco 2017 Security Capabilities Benchmark Study

Impact: More Organizations Experience Losses from Breaches

The effects of breaches aren't limited to outages. Breaches also mean the loss of money, time, and reputation. Security teams who believe they will dodge this bullet are ignoring the reality of the data. As our study shows, almost half of organizations have had to cope with public scrutiny following a security breach. Given the attackers' range of ability and tactics, the question isn't if a security breach will happen, but when.

As the benchmark study shows, security professionals are jarred into reality when breaches occur. They often change security strategies or bolster defenses. Organizations that have not yet suffered a breach of their networks due to attackers may be relieved they've escaped. However, this confidence is probably misplaced.

Forty-nine percent of the security professionals surveyed said their organization has had to manage public scrutiny of a security breach. Of those organizations, forty-nine percent disclosed the breach voluntarily, while 31 percent said the disclosure was made by a third-party (Figure 54). In other words, nearly one-third of the surveyed organizations were forced to deal with the involuntary disclosure of a breach.

It's clear that the days of quietly dealing with breaches may be long gone. There are too many regulators, media, and social media users who will expose the news.

Figure 54 Percentage of Organizations Experiencing a Public Breach
Had to Manage Public Scrutiny of a Security Breach: 49% (2016, n=2824)
How the Most Recent Breach Became Known Externally (n=1389):
Involuntarily Disclosed (Third-Party): 31%; Required Reporting (Regulatory/Legal): 31%; Voluntarily Disclosed: 50%
Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 55 Functions Most Likely to Be Affected by a Public Breach
Operations: 36%; Finances: 30%; Brand Reputation: 26%; Customer Retention: 26%; Intellectual Property: 24%
Business Partner Relationships: 22%; Supplier Relationships: 20%; Legal Engagements: 20%; Regulatory Scrutiny: 19%; Have Not Had Any Security Breaches in the Past Year: 10%
Source: Cisco Security Research

The damage to organizations goes far beyond the time it takes to deal with a breach or outage. There are real and substantial impacts that enterprises should try mightily to avoid.

As seen in Figure 55, 36 percent of security professionals said that operations was the function most likely to be affected. This means that core systems of productivity, which affect industries from transportation to healthcare to manufacturing, can slow down or even grind to a halt.

After operations, finance was the function most likely to be affected (cited by 30 percent of the respondents), followed by brand reputation and customer retention (both at 26 percent).

No organization that plans to grow and achieve success wants to be in a position of having critical departments affected by security breaches. Security professionals should view the survey results with an eye toward their own organizations, and ask themselves: If my organization suffers this kind of loss from a breach, what happens to the business down the road?


The opportunity losses for companies suffering online attacks are daunting. Twenty-three percent of the surveyed security professionals said that in 2016, their organizations experienced a loss of opportunity due to attacks (Figure 56). Of that group, 58 percent said that the total opportunity lost was under 20 percent; 25 percent said the lost opportunity was 20 to 40 percent, and 9 percent said the lost opportunity amounted to 40 to 60 percent.

Many organizations can quantify the revenue losses they experience due to public breaches. As seen in Figure 57, 29 percent of security professionals said their organizations experienced a loss of revenue as a result of attacks. Of that group, 38 percent said that revenue loss was 20 percent or higher.

Online attacks also result in fewer customers. As shown in Figure 58, 22 percent of organizations said they lost customers as a result of attacks. Of that group, 39 percent said they lost 20 percent of their customers or more.

Figure 56 Percentage of Business Opportunity Lost as the Result of an Attack
Experienced a Loss of Opportunity: 23% (IT Security Personnel, n=2912)
Lost Less Than 20%: 58%; Lost 20-40%: 25%; Lost 40-60%: 9%; Lost 60-80%: 5%; Lost 80-100%: 3%
Saw Substantial Loss of Opportunity: 42% (n=625)
Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 57 Percentage of Organizational Revenue Lost as the Result of an Attack
Experienced a Loss of Revenue: 29% (IT Security Personnel, n=2912)
Lost Less Than 20%: 62%; Lost 20-40%: 20%; Lost 40-60%: 10%; Lost 60-80%: 4%; Lost 80-100%: 4%
Saw Substantial Loss of Revenue: 38% (n=778)
Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 58 Percentage of Customers Lost by Companies Due to Attacks
Experienced a Loss of Customers: 22% (IT Security Personnel, n=2912)
Lost Less Than 20%: 61%; Lost 20-40%: 21%; Lost 40-60%: 8%; Lost 60-80%: 6%; Lost 80-100%: 4%
Saw Substantial Loss of Customers: 39% (n=641)
Source: Cisco 2017 Security Capabilities Benchmark Study


Outcomes: Increased Scrutiny Will Play a Role in Security Improvements

As the survey results show, the impact of breaches can be long-lasting and widespread. If one assumes an organization will be affected by a breach at some point, the question is, what happens next? Where should management shift their attention and resources so that breaches are less likely to occur?

The aftermath of a breach is a learning opportunity, an experience that should not go to waste in terms of investing in better approaches.

Ninety percent of the security professionals said that a security breach drove improvements in threat defense technologies and processes, as shown in Figure 59. Of those organizations affected by breaches, 38 percent said they responded by separating the security team from the IT department; 38 percent said they increased security awareness training among employees; and 37 percent said they increased their focus on risk analysis and mitigation.

Figure 59 How Security Breaches Drive Improvements
Said Security Breach Drove Improvements in Threat Defense Technologies, Policies, or Procedures: 90% (Security Professionals, n=1388)
Top 5 Improvements Made to Protect Company from Security Breaches, 2016 (n=1375):
Separated Security Team from IT Department: 38%
Increased Security Awareness Training Among Employees: 38%
Increased Focus on Risk Analysis and Risk Mitigation: 37%
Increased Investment in Security Defense Technologies or Solutions: 37%
Increased Investment in Training of Security Staff: 37%
Source: Cisco 2017 Security Capabilities Benchmark Study

58 Cisco 2017 Security Capabilities Benchmark Study


Cisco 2017 Annual Cybersecurity Report

Organizations recognize that they have to exercise creativity to move beyond the constraints of talent, technology compatibility, and budget. One strategy is to adopt outsourced services to strengthen the budget and also tap into talent that may not be in-house.

In 2016, 51 percent of security professionals outsourced advice and consulting, while 45 percent outsourced incident response (Figure 60). Fifty-two percent said they outsource services to save costs, while 48 percent said they do so to obtain unbiased insights.

As they do with outsourcing, organizations also rely on third-party vendors to augment their defense strategies. The security ecosystem provides them with ways to share the responsibility for security.

Seventy-two percent of the security professionals said that they rely on third-party vendors for 20 to 80 percent of their security, as seen in Figure 61. Those organizations that rely heavily on outside help for security were most likely to say that they will increase their use of third-party vendors in the future.

Figure 60 Organizations' Reliance on Outsourcing

Outsourced Security Services, 2016 (n=2912)
Advice and Consulting: 51%   Incident Response: 45%

Why Services Are Outsourced, 2016 (n=2631)
Be More Cost-Efficient: 52%   Obtain Unbiased Insight: 48%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 61 Percentage of Organizations' Reliance on Outsourcing

IT Security Personnel (n=2595)
Reliance bands shown: Rely Less Than 20%, Rely 20–40%, Rely 40–80%, Rely More Than 80%
72% Rely on Third-Party Vendors for 20–80% of Security

Change in Reliance in the Next Year (IT Security Personnel Relying on Third-Party Vendors, n=2504)
Categories shown: Decrease Significantly, Decrease Somewhat, Remain the Same, Increase Somewhat, Increase Significantly

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 62 Sources of Increased Scrutiny

2016 (n=2912)
Executive Leadership: 74%   Clients and Customers: 73%   Business Partners: 72%   Employees: 72%   Watchdog and Interest Groups: 70%
Regulators: 70%   Investors: 69%   Insurance Companies: 67%   Press: 60%

Source: Cisco 2017 Security Capabilities Benchmark Study

As organizations take steps to strengthen their security posture, they can expect that more attention will be paid to their efforts. This scrutiny will come from influential audiences and therefore can't be ignored. How these audiences' concerns are addressed can have a significant impact on an organization's ability to defend itself.

Seventy-four percent of the security professionals said scrutiny will come from the executive leadership; 73 percent, from clients and customers; and 72 percent, from employees, as seen in Figure 62.

Figure 63 How Trust and Cost-Effectiveness Drive Security Decisions

Security Threat Defense Solution Purchasing (IT Security Personnel, n=2665)
39%  Typically Follow Enterprise Architecture Approach
39%  Typically Follow Project-Based Approach (For Example, Best-of-Breed Point Products)
18%  Deploy Point Products as Needed
4%   Only Deploy to Meet Compliance or Regulatory Requirements

Reasons for Favoring a Best-of-Breed Approach (Organizations That Purchased Best-of-Breed Point Solutions)
65%  Trust More Than Enterprise Architecture Approach
41%  Best-of-Breed Solutions Are More Cost-Effective
24%  Best-of-Breed Solutions Are Easier to Implement
13%  Best-of-Breed Solutions Are Faster to Implement

Reasons for Favoring an Enterprise Architecture Approach (Organizations That Typically Follow an Enterprise Architecture Approach)
36%  Trust More Than Best-of-Breed
59%  Enterprise Architecture Approach Is More Cost-Effective
33%  Enterprise Architecture Approach Is Easier to Implement
10%  Enterprise Architecture Approach Is Faster to Implement

Source: Cisco 2017 Security Capabilities Benchmark Study

Trust Versus Cost: What Drives Security Purchases?

Security professionals want the very best solutions for protecting their organizations, but their perceptions differ on how to create the ideal secure environment. Do they purchase best-of-breed solutions from a variety of vendors because they trust these solutions will solve many different problems? Or do they turn to an integrated architecture, because they believe this approach is more cost-effective? Although there are many drivers for security investments, greater simplicity can benefit every organization.

As seen in Figure 63, the security professionals seem evenly split between trust and cost in choosing between best-of-breed and architected solutions. Sixty-five percent said they favor best-of-breed solutions because they trust them more than an enterprise architecture approach. On the other hand, 59 percent said they favor an architected approach because they believe it is more cost-effective.

This isn't an either/or dilemma. Organizations need both best-of-breed and integrated security solutions. Both approaches offer benefits and will simplify security while providing automated response tools (Figure 63).

By combining best-of-breed solutions with an integrated approach, security teams can take steps toward less complex yet more effective security. The integrated approach helps security professionals understand what's happening at every stage of defense. Such an approach reduces attackers' operational space. It is simple, allowing teams to deploy solutions at scale. It is open, allowing for best-of-breed solutions as needed. And it's automated for faster detection.

Summary: What the Benchmark Study Reveals

There is a world of difference between amassing security tools and actually having the capability to use those tools to reduce risk and close the operational space for adversaries. Respondents to the benchmark study believe they have the tools that will thwart attackers. But they also acknowledge that constraints such as a lack of manpower and poor product compatibility can render good tools much less effective than they'd hoped.

The sobering findings regarding the impact of breaches should provide security professionals with ample evidence of the need to improve processes and protocols. Faced with real and immediate effects like lost revenue and customers, organizations can no longer simply wish away gaps in security protection, because the question is not if a breach will happen, but when.

One takeaway from the benchmark study is that the constraints limiting agile and effective security will always be with us: There will never be as much budget and talent as security professionals believe they need. If we accept these constraints, then the idea of simplifying security and deploying automated solutions makes sense.

Simplifying security also makes use of best-of-breed solutions and an integrated architecture. Organizations need the benefits of both approaches.

Industry
Value Chain Security: Success in a Digital World Hinges on Mitigating Third-Party Risk

Value chain security is an essential element of success in a connected economy. Ensuring that the right security is in the right place at the right time throughout the value chain (the end-to-end lifecycle for hardware, software, and services) is an imperative.

The eight stages of the value chain are shown in Figure 64.

Information technology and operations technology are converging in this digitized world. It is not enough for organizations to focus only on protecting their internal business models, offerings, and infrastructure. Organizations must look at their value chain holistically and consider whether each third party that is involved in their business model or touching their offerings poses a risk to their security.

The short answer is that they likely do: Research by the SANS Institute found that 80 percent of data breaches originate from third parties. To reduce risk, organizations must foster a value chain where trust is not implicit and security is everyone's responsibility. As a foundational step toward achieving this goal, organizations should:

- Identify the key players in their third-party ecosystem and understand what those third parties deliver
- Develop a flexible security architecture that can be shared with and deployed across the variety of third parties in that ecosystem
- Assess whether those third parties are operating within the tolerance levels set by the organization's security architecture
- Be alert to new security risks that the ecosystem may present as digitization increases

Organizations must also think about security before introducing a new business model or an offering that requires involvement by, or that otherwise affects, their third-party ecosystem. Any potential value and productivity gains must be weighed against potential risks, particularly around data security and privacy.

Awareness of the importance of the value chain is growing both globally and in specific industry sectors. Recent U.S. IT procurement legislation mandated a 1-year assessment by the U.S. Department of Defense regarding open technology standards in procurements for information technology and cybersecurity acquisitions. In the highly converged energy sector, the North American Electric Reliability Corporation (NERC) is actively developing new requirements addressing its cyber value chain.

Figure 64 The Stages of the Value Chain

Design, Plan, Source, Make, Quality, Deliver, Sustain, End of Life

Source: Cisco

Notes:
"Combatting Cyber Risks in the Supply Chain," SANS Institute, 2015: https://www.sans.org/reading-room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252.
Public Law 114-92.
NERC was ordered to undertake this effort by the United States Federal Energy Regulatory Commission, 18 CFR Part 40 [Docket No. RM15-14-002; Order No. 829].

Organizations, together with their third parties, need to answer questions such as, "How will data be generated and by whom?" and, "Should the data be digitally mined?" Further clarity requires determining the answers to such questions as, "Who owns the digital assets we are collecting or creating?" and, "With whom must we share that information?" Another critical question to answer: Who owns what liability and obligation when a breach occurs?

This value chain-centric approach helps ensure that security considerations are built in at every stage of the solution's lifecycle. The right architecture, combined with adherence to the appropriate security standards, will help to drive pervasive security, and build trust, throughout the entire value chain.

Geopolitical Update: Encryption, Trust, and a Call for Transparency

In previous cybersecurity reports, Cisco geopolitical experts examined the uncertainty in the Internet governance landscape, the rights of the individual versus the rights of the state, and the ways that governments and private businesses might navigate the data-protection dilemma. One common topic across these discussions has been encryption. We believe that encryption will continue to permeate, perhaps even dominate, the cybersecurity debate for the foreseeable future.

The proliferation of national and regional data privacy laws has created unease among vendors and users attempting to navigate those laws. In this uncertain environment, issues such as data sovereignty and data localization have come to the fore, helping to fuel growth in cloud computing and localized data storage as businesses seek a creative solution to meeting complex and evolving privacy regulations.

At the same time, the escalating number of data breaches and advanced persistent threats, and the publicity around hacks sponsored by nation-states (including those conducted during high-profile events such as the U.S. presidential election) are making users even less confident that their sensitive data and privacy will be protected.

Governments in the post-Snowden era have been increasingly strident in their desire to regulate digital communications and to access data when needed. However, users have been just as ardent in their demand for privacy. Events such as the recent head-butting between Apple and the FBI over an iPhone belonging to a terrorist have done nothing to assuage users' worries about privacy. If anything, it taught a generation of digital users, especially in the United States, about end-to-end encryption. Many users are now demanding end-to-end encryption from their technology providers, and they want to hold the encryption keys.

This marks a fundamental shift in the cybersecurity landscape as we have known it. Organizations are going to need to architect their environments so they can navigate and respond to competing agendas.

While this shift is taking place, more governments are giving themselves the legal right, often on a broad basis, to bypass or break encryption or technical protection measures, often without the knowledge of the manufacturer, communication provider, or the user. This is creating tension not only between authorities and technology firms but also between governments, who are not necessarily keen to see their citizens' data accessed by third-country authorities. Many governments collect information about zero-day exploits and vulnerabilities that they discover in vendor software; however, they are not always transparent with vendors about the information they possess, or sharing it in a timely manner.

Hoarding such valuable information prevents vendors from improving security in their products and providing users with better protection from threats. Even though governments may have good reason to hold some of this intelligence close, there is also a need for greater transparency and trust in the global cybersecurity landscape. Governments therefore should conduct a frank assessment of their current policies regarding the hoarding of zero-day exploits. They should start from the default position that sharing information with vendors can only lead to a far more secure digital environment for everyone.

For more on this topic, see "Data Localization Takes Off as Regulation Uncertainty Continues," by Stephen Dockery, June 6, 2016, The Wall Street Journal: http://blogs.wsj.com/riskandcompliance/2016/06/06/data-localization-takes-off-as-regulation-uncertainty-continues/.

High-Speed Encryption: A Scalable Solution to Protecting Data in Transit

As explained in the geopolitical section on page 65, end-to-end encryption will remain a topic of much debate and consternation between governments and industry for the foreseeable future. Regardless of any tension stemming from this issue, however, user demand for end-to-end data encryption with customer-held keys is increasing.

Cisco geopolitical experts anticipate that some streams and pools of data will likely remain encrypted with vendor-managed keys at least for the short term, particularly in ad-driven business models. Elsewhere, however, we should expect to see the use of end-to-end encryption with customer-held keys gaining more traction, absent a legal mandate to the contrary.

Meanwhile, look for organizations to also seek more control over how they protect their data while it is in transit, particularly as it moves at high speed from one data center to another. This was once an arduous task for enterprises due to the limitations of legacy technologies and the impact on network performance. However, new approaches are making this process easier.

One solution is application-layer security, where applications are modified to encrypt data. Deploying this type of security can be very resource-intensive, complex to implement, and operationally expensive depending on how many applications an organization uses.

Another approach seeing increased traction is encryption capabilities built in to a network or cloud service to protect data in transit. This is an evolution of the traditional gateway VPN model, a solution that addresses the dynamic nature of networks and the high-speed transmission rates of data center traffic. Enterprises are using the operational and cost efficiencies provided by the new capabilities to protect data coming from any application in that environment as it travels at high speed to another location.

Network-based encryption is only one tool for protecting data, however. To ensure they are doing enough to protect their data while it is in transit or at rest, organizations should look at the challenge holistically. A good place to begin is by asking technology vendors basic but important questions such as:

- How is data protected when it's in transit?
- How is it protected when it's at rest?
- Who has access to the data?
- Where is the data stored?
- What is the policy for deleting data, when and if it must be deleted?

Again, these questions are only a starting point for a broader dialogue about data protection that should evolve to include a discussion of topics such as data resiliency and availability.
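As an added illustration of the application-layer approach described above (example code written for this page, not Cisco's or any vendor's implementation), the following Go program shows what "modifying an application to encrypt data" with a customer-held key looks like in practice: the sending side seals each record before it leaves the application, the receiving side authenticates it before use, and the key never travels with the data. It assumes AES-256-GCM from Go's standard library and a 32-byte key the customer generates and keeps; the record and the transfer context are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the sending application puts on the wire: a fresh nonce
// and the AES-GCM ciphertext, which already carries the authentication tag.
// The key itself never leaves the customer; only the envelope travels.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewCustomerKey generates a 256-bit key. In a real deployment the customer
// would generate and store this in their own key management system; here it
// is created in memory only so the example runs offline (assumption).
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("customer key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the customer-held key. The context (for
// example "source->destination" or a record identifier) is bound as
// associated data: it is not encrypted, but any mismatch on Open is detected.
func Seal(key, plaintext, context []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must be unique per key
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, context)
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open authenticates and decrypts an envelope. A modified ciphertext, nonce
// or context fails closed with an error instead of yielding corrupted data.
func Open(key []byte, env Envelope, context []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("envelope nonce has wrong length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, context)
}

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and transfer context.
	record := []byte("customer-id=1042;balance=250.00")
	context := []byte("dc-east->dc-west")

	env, err := Seal(key, record, context)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wire bytes: nonce=%d ciphertext=%d (plaintext=%d)\n",
		len(env.Nonce), len(env.Ciphertext), len(record))

	// Receiving side, holding the same customer key.
	if pt, err := Open(key, env, context); err == nil {
		fmt.Printf("decrypted: %s\n", pt)
	}
	// Tampering in transit is detected rather than silently accepted.
	env.Ciphertext[0] ^= 0x01
	if _, err := Open(key, env, context); err != nil {
		fmt.Println("tampered envelope rejected:", err)
	}
}
```

The cost the text warns about is visible even in this small program: every application that handles the record needs the same sealing and opening logic, a nonce discipline, and access to the customer's key material, which is why network-based or cloud-service encryption is attractive when many applications are involved.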

Network Performance and Adoption Versus Security Maturity: Online Speeds, Traffic, and Preparedness Are Not Growing at the Same Pace

Defenders want to stay ahead of their adversaries. To be behind them is to be in a potentially dangerous place. The worry is that defenders can't improve their security posture at the same pace that adversaries can gain space and time to operate. Given the pace of growth of fixed and mobile Internet traffic worldwide, defenders are obligated to match this growth with gains in the maturity of their security infrastructure.

The Cisco VNI Forecast examines global IP traffic annually, including mobile and Wi-Fi traffic. The forecasts provide 5-year projections for IP traffic, the number of Internet users, and the number of personal devices and machine-to-machine (M2M) connections that will be supported by IP networks. (Visit here for more details on the VNI Forecast.) For example, the forecast estimates that by 2020, smartphones will generate 30 percent of total IP traffic.

Cisco has matched the VNI Forecast to data about defender maturity, taken from Cisco's annual Security Capabilities Benchmark Study (see page 49). In examining maturity growth rates in the 2015, 2016, and 2017 benchmark reports, as seen in Figure 65, security maturity is underwhelming compared with the growth of Internet traffic. Some countries, such as China and Germany, actually show a slight decline in maturity over this time period. Broadband speeds, in particular, are improving and growing at a significantly greater rate than other networking variables shown in Figure 65. Faster speeds and more connected devices foster greater traffic growth, but organizations are struggling to bolster their security measures and infrastructures at similar rates.

Figure 65 Security Maturity and Growth Rates

Vertical axis: Percentage of Growth (0% to 300%)
Horizontal axis: Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Russia, United Kingdom, United States, Overall
Series: Security Maturity, Total Traffic, Devices, Fixed Internet Users, Mobile Internet Traffic, Mobile Speed

Source: Cisco Security Research, Cisco VNI, and Cisco 2017 Security Capabilities Benchmark Study

Certain industries also lag in terms of their security maturity compared with other industries, as seen in Figure 66. In particular, pharmaceuticals, healthcare, and transportation are behind other industries.

It's important to note that the dramatic rise in mobile speeds is an outcome of the broad adoption of 4G and LTE networks by telecommunications providers. When large-scale deployments of 5G networks become available toward the end of this decade, mobile speeds are expected to become comparable to fixed network speeds. According to the current Mobile VNI Forecast, global mobile traffic will likely gain a greater share of total IP traffic when 5G is broadly adopted. Global mobile traffic was 5 percent of total IP traffic in 2015, according to the VNI Forecast; it is projected to be 16 percent of total IP traffic by 2020.

It's clear that security organizations must step up their maturity efforts, and quickly, if they are to match the growth in Internet traffic, which portends growth in the potential attack surface. In addition, organizations must respond to the growth in the use of endpoints that are not fixed or wired to corporate networks. They must also accommodate a more widespread use of personal devices from which workers access corporate data.

Figure 66 Security Maturity in Industry Verticals

Industry by Segment; share of respondents at each maturity level (Low, Middle, Upper-Mid, High); graphic rounded to nearest whole number
Segments: Education (n=44), Financial Services (n=501), Government (n=345), Healthcare (n=211), Non-Computer-Related Manufacturing (n=355), Pharmaceuticals (n=56), Retail (n=286), Telecommunications (n=303), Transportation (n=174), Utilities/Energy (n=113)

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 67 Security Maturity by Country

2016 (n=2852); share of respondents at each maturity level (Low, Middle, Upper-Mid, High); graphic rounded to nearest whole number
Countries: USA, Brazil, Germany, Italy, UK, Australia, China, India, Japan, Mexico, Russia, France, Canada

Source: Cisco 2017 Security Capabilities Benchmark Study

Faster speeds are not the only factor driving growth of Internet traffic. The IoT is accelerating the number of devices that are attached to the Internet, not only adding to the growth of traffic but also adding potential pathways for attackers.

For more information about the Cisco VNI Forecast, visit the Cisco website or read the Cisco blog post on the annual VNI forecast for 2015 to 2020.

Conclusion
A Rapidly Expanding Attack Surface Requires an Interconnected and Integrated Approach to Security

In analyzing data from Cisco's Security Capabilities Benchmark Study (see page 49), we are able to examine patterns and decisions that help organizations minimize risk. We can therefore see where they should make security investments that can lead to a significant difference in risk exposure. We measured risk by looking at the lengths of breaches as well as percentages of system outages (see Figure 53 on page 55 regarding the length of breaches and the systems affected).

To understand how organizations create effective safeguards against risk, we need to examine what drivers affect their ability to prevent, detect, and mitigate risk. (See Figure 68.) The drivers must include these elements:

Executive leadership: The top leadership must prioritize security. This is critical for the mitigation of attacks, as well as their prevention. The executive team should also have clear and established metrics for assessing the effectiveness of a security program.

Policy: Policy has strong ties to mitigation. Controlling access rights to networks, systems, applications, functions, and data will affect the ability to mitigate damage from security breaches. In addition, policies to ensure a regular review of security practices will help prevent attacks.

Protocols: The right protocols can help prevent and detect breaches, but they also have a strong relationship to mitigation. In particular, regular reviews of connection activity on networks, to ensure that security measures are working, are key to both prevention and mitigation. It's also beneficial to review and improve security practices regularly, formally, and strategically over time.

Tools: The judicious and appropriate application of tools has the strongest relationship with mitigation. With tools in place, users can review and provide feedback that is vital to detection and prevention as well as mitigation.

Figure 68 Drivers and Safeguards for Minimizing Risk

Drivers (Executive Leadership, Policy, Protocols, Tools): Measure Influence of Policy, Executive Leadership, Protocols, Tools on Firm's Ability to Prevent, Detect, and Mitigate Effects of a Breach
Safeguards (Prevent, Detect, Mitigate): Measure Influence of Firm's Ability to Prevent, Detect, and Mitigate Effects of a Breach on Risk
Outcome: Minimized Risk

Source: Cisco 2017 Security Capabilities Benchmark Study

The security safeguards that organizations use (prevention, detection, and mitigation) can be viewed as measures of influence on an organization's ability to minimize risk. (See Figure 68.)

These safeguards must include the following elements:

Prevention: To minimize the impact of security breaches, employees must report security failures and problems. It's also crucial for security processes and procedures to be clear and well understood.

Detection: The best detection methods for minimizing the impact of breaches are those that allow organizations to spot security weaknesses before they become full-blown incidents. To accomplish this, it's vital to have a good system for categorizing incident-related information.

Mitigation: Well-documented processes and procedures for incident response and tracking are key to effective breach mitigation. Organizations also need strong protocols to manage their response to crises.

All of these drivers and safeguards are interconnected and interdependent. Security professionals can't simply cherry-pick a couple of drivers and one or two safeguards, and believe they have solved the security problem. They need every driver, and every safeguard. Security teams must analyze where their weaknesses are (for example, low levels of support from leaders, or a lack of tools to mitigate breaches) and calculate where investments in security must be made.

The Key Goal: Reducing Adversaries' Operational Space

Reducing, and ideally eliminating, the unconstrained operational space of adversaries, and making attackers' presence known, must be top priorities for defenders. The reality is that no one can stop all attacks, or protect everything that can and should be protected. But if you focus on closing the operational space that cybercriminals must have for their campaigns to be effective and profitable, you can prevent them from reaching critical systems and data without entirely evading detection.

This report categorized different approaches that adversaries use to compromise and attack users and systems. We based our categories (reconnaissance, weaponization, delivery, and installation) on where the attacks are typically deployed in the attack chain. This exercise was meant to illustrate when, how, and where adversaries take advantage of vulnerabilities and other weaknesses to gain a foothold on a device or in a system, launch their campaign, and then reap the rewards they seek.

We suggest that defenders adapt their security approaches to stay ahead of attackers' basic processes. For example, to undermine adversaries during the reconnaissance phase, security teams should be:

- Gathering information about the latest threats and vulnerabilities
- Ensuring they are controlling access to their networks
- Limiting the organization's exposure in an expanding attack surface
- Managing configurations
- Developing consistent response practices and procedures that are informed by this work

When weaponized threats are delivered, defenders must apply every tool in their arsenal to prevent them from spreading and worsening. This is where an integrated security architecture becomes critical. It will provide real-time insight into threats as well as automated detection and defense, which are essential for improving threat detection.

At the installation phase, security teams must stay informed about the state of the environment as they respond to and investigate the compromise. If that environment is simple, open, and automated, and if defenders have taken the other proactive steps outlined above, they can then focus their resources on helping the business to answer critical questions such as:

- What did the attackers access?
- Why were they able to get to it?
- Where did they go?
- Are they still operating in our network?

The answers to these questions will allow security teams not only to take appropriate actions to prevent further attacks, but also to inform management and the board about possible exposures and necessary disclosures. Then, the business can begin the process of ensuring that it has comprehensive controls and mitigations in place to address any security gaps (the weaknesses that provided the operational space adversaries needed to succeed) that were identified during the compromise.

About Cisco
Cisco delivers intelligent cybersecurity for the real world, providing one of the industry's most comprehensive advanced-threat protection portfolios of solutions across the broadest set of attack vectors. Cisco's threat-centric and operationalized approach to security reduces complexity and fragmentation while providing superior visibility, consistent control, and advanced threat protection before, during, and after an attack.

Threat researchers from the Cisco Collective Security Intelligence (CSI) ecosystem bring together, under a single umbrella, the industry's leading threat intelligence, using telemetry obtained from the vast footprint of devices and sensors, public and private feeds, and the open-source community. This amounts to a daily ingest of billions of web requests and millions of emails, malware samples, and network intrusions.

Our sophisticated infrastructure and systems consume this telemetry, helping machine-learning systems and researchers to track threats across networks, data centers, endpoints, mobile devices, virtual systems, web, email, and from the cloud to identify root causes and scope outbreaks. The resulting intelligence is translated into real-time protections for our product and service offerings that are immediately delivered globally to Cisco customers.

To learn more about Cisco's threat-centric approach to security, visit www.cisco.com/go/security.


Contributors to the Cisco 2017 Annual Cybersecurity Report

CloudLock

CloudLock, a Cisco company, is a leading provider of cloud access security broker (CASB) solutions that help organizations securely use the cloud. CloudLock delivers visibility and control for software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) environments across users, data, and applications. CloudLock delivers actionable cybersecurity intelligence through its data scientist-led CyberLab and crowd-sourced security analytics. For more information, visit https://www.cloudlock.com.

Security and Trust Organization

Cisco's Security and Trust Organization underscores Cisco's commitment to address two of the most critical issues that are top of mind for boardrooms and world leaders alike. The organization's core missions include protecting Cisco's public and private customers, enabling and ensuring Cisco Secure Development Lifecycle and Trustworthy Systems efforts across Cisco's product and service portfolio, and protecting the Cisco enterprise from ever-evolving threats. Cisco takes a holistic approach to pervasive security and trust, which includes people, policies, processes, and technology. The Security and Trust Organization drives operational excellence, focusing across InfoSec, Trustworthy Engineering, Data Protection and Privacy, Cloud Security, Transparency and Validation, and Advanced Security Research and Government. For more information, visit http://trust.cisco.com.

Global Government Affairs

Cisco engages with governments at many different levels to help shape public policy and regulations that support the technology sector and help governments meet their goals. The Global Government Affairs team develops and influences pro-technology public policies and regulations. Working collaboratively with industry stakeholders and association partners, the team builds relationships with government leaders to influence policies that affect Cisco's business and overall ICT adoption, looking to help shape policy decisions at a global, national, and local level. The Government Affairs team is composed of former elected officials, parliamentarians, regulators, senior U.S. government officials, and government affairs professionals who help Cisco promote and protect the use of technology around the world.

Cognitive Threat Analytics

Cisco's Cognitive Threat Analytics is a cloud-based service that discovers breaches, malware operating inside protected networks, and other security threats by means of statistical analysis of network traffic data. It addresses gaps in perimeter-based defenses by identifying the symptoms of a malware infection or data breach using behavioral analysis and anomaly detection. Cognitive Threat Analytics relies on advanced statistical modeling and machine learning to independently identify new threats, learn from what it sees, and adapt over time.


IntelliShield Team

The IntelliShield team performs vulnerability and threat research, analysis, integration, and correlation of data and information from across Cisco Security Research and Operations and external sources to produce the IntelliShield Security Intelligence Service, which supports multiple Cisco products and services.

Talos Security Intelligence and Research Group

Talos is Cisco's threat intelligence organization, an elite group of security experts devoted to providing superior protection for Cisco customers, products, and services. Talos is composed of leading threat researchers supported by sophisticated systems to create threat intelligence for Cisco products that detect, analyze, and protect against known and emerging threats. Talos maintains the official rule sets of Snort.org, ClamAV, SenderBase.org, and SpamCop, and is the primary team that contributes threat information to the Cisco CSI ecosystem.

Security Research and Operations (SR&O)

Security Research and Operations (SR&O) is responsible for threat and vulnerability management of all Cisco products and services, including the industry-leading Product Security Incident Response Team (PSIRT). SR&O helps customers understand the evolving threat landscape at events such as Cisco Live and Black Hat, as well as through collaboration with its peers across Cisco and the industry. Additionally, SR&O delivers new services such as Cisco's Custom Threat Intelligence (CTI), which can identify indicators of compromise that have not been detected or mitigated by existing security infrastructures.

Cisco Visual Networking Index (VNI)

The Cisco VNI Global IP Traffic Forecast for 2015 to 2020 relies on independent analyst forecasts and real-world network usage data. Upon this foundation are layered Cisco's own estimates for global IP traffic and service adoption. A detailed methodology description is included in the complete report. Over its 11-year history, Cisco VNI research has become a highly regarded measure of the Internet's growth. National governments, network regulators, academic researchers, telecommunications companies, technology experts, and industry and business press and analysts rely on the annual study to help plan for the digital future.


Appendix
Cisco 2017 Security Capabilities Benchmark Study

Figure 69 Survey Capabilities Benchmark Study

Industries (2016 n=2912 / 2015 n=2432 / 2014 n=1738)
Education (Higher Education)              2%   2%   1%
Financial Services: Banking, Insurance   18%  14%  15%
Government                               12%  12%   9%
Healthcare                                8%   4%   6%
Manufacturing: Non-Computer Related      12%  15%  14%
Pharmaceuticals                           2%   3%   3%
Retail                                   10%   3%   3%
Telecommunications                       11%   8%   6%
Transportation                            6%   5%   8%
Utilities/Energy                          4%   3%   7%
Non-Key Industry                         16%  27%  21%

Areas of Security Involvement (2016 / 2015 / 2014)
Making Final Brand Recommendations Regarding Solutions   74%  76%  81%
Setting Overall Vision and Strategy                      73%  75%  83%
Researching and Evaluating Solutions                     72%  75%  78%
Implementing and Managing Solutions                      71%  73%  79%
Defining Requirements                                    67%  71%  76%
Approving Budgets                                        54%  57%  66%

Organization Size (Midmarket / Enterprise / Large Enterprise)
2016   50%  38%  12%
2015   49%  38%  13%
2014   54%  46%

CSO vs. Sec Op (CSO / Sec Op)
2016   49%  51%
2015   45%  55%
2014   54%  46%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 70 Number of Dedicated Security Professionals

                                                       2014 (n=1738)  2015 (n=2432)  2016 (n=2912)
1-9                                                    18%            17%            15%
10-19                                                  16%            18%            17%
20-29                                                  12%            17%            13%
30-39                                                   8%             9%             8%
40-49                                                   4%             4%             6%
50-99                                                  19%            16%            19%
100-199                                                 9%             9%             9%
200 or more                                            15%            10%            12%
Median Number of Professionals Dedicated to Security   30             25             33

Source: Cisco 2017 Security Capabilities Benchmark Study

Perceptions

Figure 71 Majority of Security Professionals Feel Security Infrastructure Is Up to Date

How Would You Describe Your Security Infrastructure?
Columns: Very Up to Date, Best Technologies Available / Replaced/Upgraded on Regular Basis, Not Equipped with Latest-and-Greatest Tools / Replaced/Upgraded Only When Necessary (No Longer Working, Obsolete, or New Needs)

2016 (n=2912)   58%  37%  5%
2015 (n=2432)   59%  37%  5%
2014 (n=1738)   64%  33%  3%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 72 Percentages of Security Professionals Who Perceive Various Security Tools to Be Highly Effective
(Columns: Not at All Effective, Not Very Effective, Somewhat Effective, Very Effective, Extremely Effective, % Very + Extremely Effective; 2016 n=2912; graphic rounded to nearest whole number)

Blocking Against Known Security Threats                                              2%  <1%  24%  51%  23%  74%
Detecting Network Anomalies and Dynamically Defending Against Shifts in Adaptive Threats   2%  <1%  27%  50%  21%  71%
Enabling Us to Enforce Security Policies                                             2%  <1%  28%  49%  22%  71%
Enabling Us to Assess Potential Security Risks                                       2%  <1%  28%  49%  20%  69%
Determining the Scope of a Compromise, Containing It and Remediating Further Exploits   2%  <1%  29%  49%  20%  69%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 73 Percentages of Security Professionals Who Believe Security Is a High Priority at the Executive Level
(Columns: Strongly Disagree, Disagree, Agree, Strongly Agree, % Agree + Strongly Agree; 2016 n=2912, 2015 n=2432, 2014 n=1738)

Executive Leadership at My Organization Considers Security a High Priority
  2016   1%  4%  37%  59%  96%
  2015   1%  4%  35%  61%  96%
  2014   2%  4%  32%  63%  94%

Security Roles and Responsibilities Are Clarified Within My Organization's Executive Team
  2016   1%  4%  41%  55%  96%
  2015   1%  4%  36%  58%  95%
  2014   2%  5%  35%  58%  94%

Cyber-Risk Assessments Are Routinely Incorporated into Our Overall Risk Assessment Process
  2016   1%  4%  43%  53%  96%
  2015   1%  4%  40%  55%  95%
  2014   2%  4%  36%  57%  93%

My Organization's Executive Team Has Established Clear Metrics for Assessing Effectiveness of Our Security Program
  2016   1%  4%  44%  51%  95%
  2015   1%  5%  41%  53%  94%
  2014   2%  6%  40%  53%  93%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 74 Percentages of Respondents Who Strongly Agree with Security Operationalization Statements
(Columns: Strongly Disagree, Disagree, Agree, Strongly Agree, % Agree + Strongly Agree; 2016 n=2912, 2015 n=2432, 2014 n=1738)

We Review and Improve Our Security Practices Regularly, Formally, and Strategically Over Time
  2016   0%  4%  42%  53%  96%
  2015   1%  4%  40%  56%  96%
  2014   1%  4%  38%  56%  95%

Our Threat Detection and Blocking Capabilities Are Kept Up to Date
  2016   0%  4%  41%  55%  95%
  2015   1%  3%  40%  56%  96%
  2014   1%  5%  37%  57%  94%

We Regularly Review Connection Activity on Network to Ensure Security Measures Are Working as Intended
  2016   0%  4%  43%  53%  95%
  2015   1%  3%  39%  57%  96%
  2014   2%  4%  36%  58%  94%

We Can Increase Security Controls on High-Value Assets Should Our Circumstances Require
  2016   0%  4%  45%  51%  95%
  2015   1%  3%  41%  56%  96%
  2014   1%  5%  40%  54%  94%

Security Is Well-Integrated into Our Organization's Goals and Business Capabilities
  2016   1%  4%  40%  55%  95%
  2015   1%  4%  40%  56%  96%
  2014   2%  5%  36%  58%  94%

Security Technologies Are Well-Integrated to Work Effectively Together
  2016   0%  5%  42%  53%  95%
  2015   1%  4%  43%  52%  95%
  2014   2%  5%  38%  56%  93%

We Routinely and Systematically Review and Investigate Security Incidents
  2016   0%  5%  41%  53%  95%
  2015   1%  4%  40%  56%  96%
  2014   2%  5%  38%  55%  93%

We Have Tools in Place That Enable Us to Review and Provide Feedback Regarding the Capabilities of Our Security Practice
  2016   0%  5%  46%  49%  95%
  2015   1%  4%  44%  52%  95%
  2014   1%  5%  40%  53%  93%

It Is Easy to Determine the Scope of a Compromise, Contain It, and Remediate from Exploits
  2016   1%  7%  49%  43%  92%
  2015   1%  8%  46%  45%  91%
  2014   2%  9%  43%  46%  89%

Source: Cisco 2017 Security Capabilities Benchmark Study


Constraints

Figure 75 Biggest Obstacles to Security

                                                      2015 (n=2432)  2016 (n=2912)
Budget Constraints                                    39%            35%
Compatibility Issues                                  32%            28%
Certification Requirements                            25%            25%
Lack of Trained Personnel                             22%            25%
Competing Priorities                                  24%            24%
Current Workload Too Heavy                            24%            23%
Lack of Knowledge                                     23%            22%
Reluctance to Purchase Until They're Proven           22%            22%
Organizational Culture/Attitude                       23%            22%
Organization Is Not a High-Value Target for Attacks   N/A            18%
Security Is Not an Executive Level Priority           N/A            17%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 76 Number of Security Vendors and Products Used by Organizations (2016 n=2860)

1-5 Products             35%
6-10 Products            29%
11-25 Products           21%
26-50 Products           11%
51-100 Products           4%
More Than 100 Products    2%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 77 Number of Security Vendors Used by Size of Organization

How Many Different Security Vendors (i.e., Brands, Manufacturers) Are in Your Security Environment?
                      Midmarket (250-1K Employees)  Enterprise (1K-10K Employees)  Large Enterprise (10K+ Employees)
1-5                   46.9%                         43.4%                          39.9%
6-10                  28.4%                         30.9%                          21.3%
11-20                 17.6%                         15.8%                          23.1%
21-50                  5.6%                          7.1%                           8.7%
More Than 50           1.4%                          2.8%                           6.9%
Total Organizations   1435                          1082                           333

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 78 Number of Security Products Used by Size of Organization

How Many Different Security Products Are in Your Security Environment?
                      Midmarket (250-1K Employees)  Enterprise (1K-10K Employees)  Large Enterprise (10K+ Employees)
1-5                   37.9%                         32.7%                          25.1%
6-10                  29.0%                         30.1%                          22.5%
11-25                 19.8%                         20.4%                          23.7%
26-50                  9.6%                         10.5%                          15.6%
51-100                 3.0%                          4.3%                           7.8%
More Than 100          0.8%                          1.9%                           5.4%
Total Organizations   1442                          1084                           334

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 79 Year-over-Year Decrease of Security Budget Coming Within IT Budget

Is the Security Budget Part of the IT Budget? (IT Department Members)   2014 (n=1673)  2015 (n=2374)  2016 (n=2828)
All Within IT                                                           61%            58%            55%
Partially Within IT                                                     33%            33%            36%
Completely Separate                                                      6%             9%             9%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 80 Year-over-Year Decrease of Security Spend as a Proportion of the IT Budget

Security Spend as a Proportion of the IT Budget   2014 (n=1673)  2015 (n=2374)  2016 (n=2828)
0%                                                 7%             9%            10%
1-5%                                               4%             3%             4%
6-10%                                             12%            11%            16%
11-15%                                            23%            23%            27%
16-25%                                            29%            31%            26%
26%-50%                                           21%            19%            15%
51% or More                                        5%             4%             2%

Source: Cisco 2017 Security Capabilities Benchmark Study


Impacts

Figure 81 Percentages of Organization's Opportunities Lost as a Result of Attacks
Figure 82 Percentages of Organization's Revenue Lost as a Result of Attacks
Figure 83 Percentages of Organization's Customers Lost as a Result of Attacks

                            Figure 81: Opportunities Lost   Figure 82: Revenue Lost   Figure 83: Customers Lost
                            (n=625)                         (n=778)                   (n=641)
None (0%)                    1%                              1%                        1%
Some, but Less Than 20%     58%                             62%                       60%
20% to Just Under 40%       25%                             20%                       21%
40% to Just Under 60%        9%                             10%                        8%
60% to Just Under 80%        5%                              4%                        6%
80% to Just Under 100%       3%                              3%                        4%
All (100%)                   0%                              1%                        1%

Bases: respondents from organizations who lost opportunities, revenue, or customers, respectively, in the past year.

Source: Cisco 2017 Security Capabilities Benchmark Study


Outcomes

Figure 84 Percentages of Organizations Relying on Outsourcing

Which Security Services Are Outsourced?   2014 (n=1738)  2015 (n=2432)  2016 (n=2912)
Advice and Consulting                     51%            52%            51%
Audit                                     41%            47%            46%
Incident Response                         35%            42%            45%
Monitoring                                42%            44%            45%
Threat Intelligence                       N/A            39%            41%
Remediation                               34%            36%            35%
None/All Internal                         21%            12%            10%

Why Are These Services Outsourced?        2015 (n=2129)  2016 (n=2631)
More Cost-Efficient                       53%            52%
Desire for Unbiased Insight               49%            48%
More Timely Response to Incidents         46%            46%
Lack of Internal Expertise                31%            33%
Lack of Internal Resources                31%            33%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 85 Percentages of Organization's Security Reliant Upon Third-Party Vendors
(IT Security Personnel, n=2595)

None (0%)                   4%
Some, but Less Than 20%    18%
20% to Just Under 40%      41%
40% to Just Under 60%      21%
60% to Just Under 80%      10%
80% to Just Under 100%      4%
All (100%)                  1%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 86 Percentages of Security Services Outsourced by Size of Organization

Which Security Services Are Outsourced?   Midmarket (n=1459)  Enterprise (n=1102)  Large Enterprise (n=351)
Advice and Consulting                     50%                 52%                  51%
Audit                                     44%                 47%                  50%
Monitoring                                46%                 43%                  44%
Threat Intelligence                       41%                 41%                  40%
Incident Response                         48%                 44%                  39%
Remediation                               35%                 34%                  37%
None/All Internal                          8%                 11%                  11%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 87 Sources of Increased Scrutiny
(Columns: Not at All Scrutinizing, Not Very Scrutinizing, Somewhat Scrutinizing, Very Scrutinizing, Extremely Scrutinizing, % Very + Extremely Scrutinizing; 2016 n=2912; graphic rounded to nearest whole number)

Executive Leadership           2%  4%  20%  44%  30%  74%
Clients and Customers          2%  4%  21%  41%  32%  73%
Employees                      2%  5%  22%  44%  28%  72%
Business Partners              2%  5%  22%  43%  29%  72%
Watchdog and Interest Groups   2%  5%  23%  44%  26%  70%
Regulators                     2%  4%  24%  43%  27%  70%
Investors                      3%  5%  23%  41%  28%  69%
Insurance Companies            3%  5%  25%  41%  26%  67%
Press                          4%  8%  28%  39%  21%  60%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 88 Increase of Off-Premises Private Cloud and Third-Party Managed On-Premises Hosting

Where Networks Are Hosted                              2014 (n=1727)  2015 (n=2417)  2016 (n=2887)
On-Premises as Part of a Private Cloud                 50%            51%            50%
On-Premises                                            54%            48%            46%
On-Premises but Managed by an External Third-Party     23%            24%            27%
Off-Premises Private Cloud                             18%            20%            25%
Off-Premises Public Cloud                               8%            10%             9%

Source: Cisco 2017 Security Capabilities Benchmark Study

Operations, Policies, Procedures, and Capabilities

Figure 89 Proportion of Companies with a Security Executive

Is There an Executive at Your Organization Who Has Direct Responsibility and Accountability for Security?
                 No   Yes
2016 (n=2754)    8%   92%
2015 (n=2288)    8%   92%
2014 (n=1603)    9%   91%

Executive's Title
(Respondents Who Reported Executive with Security Responsibility; Respondents Who Reported Clarified Roles and Responsibilities; 2016 n=2530, 2015 n=2095, 2014 n=1465)
Chief Security Officer (CSO)                                 53%  52%  53%
Chief Information Officer (CIO)                              14%  15%  16%
Chief Executive Officer (CEO) or equivalent                  10%  11%  10%
Senior Vice President (SVP) or Vice President (VP) of IT      8%  11%   7%
Chief Technology Officer (CTO)                                8%   8%   9%
Chief Risk and Compliance Officer (CRO) or (CCO)              4%  N/A  N/A
Chief Operating Officer (COO)                                 3%   2%   4%
Another Title                                                 1%   1%   1%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 90 Percentages of Companies That Have a Formal Organization-Wide Security Strategy and Follow Standardized Security Policy Practices

Security Standards (2016 n=2912 / 2015 n=2432 / 2014 n=1738)
Have a Written Formal Organization-Wide Security Strategy That's Reviewed Regularly                        62%  66%  59%
Follow a Standardized Information Security Policy Practice such as ISO 27001                               55%  52%  52%
Formally Define Critical Business Assets That Require Special Consideration for Risk Management That Are Either Business-Critical or Regulated to Have Increased Protection   43%  38%  54%
Follow Health-Care Focused Standardized Security Policies such as NIST 800-66, ISO 27799, ISO 80001        2%  N/A  N/A
None of the Above                                                                                            1%   1%   1%

Standardized Security Policy Practice (2016 n=1596; respondents who follow a standardized information security policy practice)
Preparing for Certification Process            7%
Currently in Process of Becoming Certified    28%
Already Certified                             65%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 91 Percentages of Respondents Who Strongly Agree with Security Process Statements
(Columns: Strongly Disagree, Disagree, Agree, Strongly Agree, % Agree + Strongly Agree; 2016 n=2912, 2015 n=2432, 2014 n=1738)

Employees at My Organization Are Encouraged to Report Failures and Problems with Security
  2016   1%  4%  38%  58%  96%
  2015   1%  4%  33%  62%  95%
  2014   3%  5%  32%  61%  92%

Security Processes and Procedures at My Organization Are Clear and Well-Understood
  2016  <1%  4%  40%  55%  96%
  2015   1%  4%  39%  57%  95%
  2014   3%  6%  36%  56%  91%

Line-of-Business Managers Are Encouraged to Contribute to Security Policies and Procedures
  2016   1%  4%  43%  52%  95%
  2015   1%  5%  40%  55%  94%
  2014   3%  5%  39%  53%  92%

Security Processes at My Organization Enable Us to Anticipate and Mitigate Potential Security Issues Proactively
  2016   1%  4%  43%  53%  96%
  2015   1%  4%  43%  53%  95%
  2014   3%  7%  38%  53%  91%

Security Processes at My Organization Are Measured and Controlled Using Quantitative Data
  2016   1%  4%  45%  50%  95%
  2015   1%  4%  42%  53%  95%
  2014   3%  6%  37%  54%  91%

My Organization Has Optimized Its Security Processes and Is Now Focused on Process Improvement
  2016   1%  4%  43%  52%  95%
  2015   1%  4%  42%  53%  95%
  2014   3%  5%  39%  53%  92%

My Organization Is Able to Detect Security Weaknesses Before They Become Full-Blown Incidents
  2016   1%  4%  46%  49%  96%
  2015   1%  4%  45%  51%  95%
  2014   3%  6%  41%  49%  91%

Line-of-Business Managers Get Security Policy Group Involved Before Making a Line-of-Business Application Decision
  2016   1%  5%  45%  49%  94%
  2015   N/A
  2014   N/A

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 92 Percentages of Respondents Who Strongly Agree with Security Process Statements
(Columns: Strongly Disagree, Disagree, Agree, Strongly Agree, % Agree + Strongly Agree; 2016 n=2912, 2015 n=2432, 2014 n=1738)

Access Rights to Networks, Systems, Applications, Functions and Data Are Appropriately Controlled
  2016  <1%  3%  41%  55%  97%
  2015   1%  3%  38%  59%  97%
  2014   2%  4%  33%  61%  94%

Technical Security Controls in Systems and Networks Are Well Managed
  2016  <1%  4%  40%  56%  96%
  2015   0%  4%  38%  57%  96%
  2014   2%  3%  35%  60%  95%

Computer Facilities Within My Organization Are Well Protected
  2016  <1%  4%  41%  55%  96%
  2015   1%  4%  40%  56%  96%
  2014   2%  4%  36%  57%  94%

We Regularly Review Our Security Practices and Tools to Ensure That They Are Up to Date and Effective
  2016  <1%  4%  40%  56%  96%
  2015   1%  3%  37%  60%  97%
  2014   2%  5%  35%  59%  93%

We Do a Good Job of Building Security into Systems and Applications
  2016  <1%  4%  43%  53%  96%
  2015   1%  4%  42%  54%  96%
  2014   2%  5%  35%  58%  93%

We Do a Good Job of Building Security into Our Procedures for Acquiring, Developing, and Maintaining Systems
  2016  <1%  4%  43%  52%  96%
  2015   1%  3%  41%  56%  96%
  2014   2%  4%  38%  56%  94%

Information Assets Are Inventoried and Clearly Classified
  2016  <1%  4%  44%  51%  95%
  2015   1%  5%  42%  53%  95%
  2014   2%  6%  39%  54%  93%

We Do an Excellent Job of Managing HR Security
  2016   1%  5%  45%  49%  94%
  2015   1%  5%  44%  51%  94%
  2014   2%  5%  40%  53%  93%

We Do a Good Job Building Security into External, Customer-Facing Mobile Apps
  2016   1%  6%  43%  51%  94%
  2015   N/A
  2014   N/A

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 93 Percentages of Respondents Who Strongly Agree with Security Controls Statements
(Columns: Strongly Disagree, Disagree, Agree, Strongly Agree, % Agree + Strongly Agree; 2016 n=2912, 2015 n=2432, 2014 n=1738)

We Have Well-Documented Processes and Procedures for Incident Response and Tracking
  2016  <1%  4%  42%  53%  95%
  2015   1%  4%  42%  54%  96%
  2014   2%  5%  37%  56%  94%

We Have Good Systems for Verifying That Security Incidents Actually Occurred
  2016  <1%  4%  42%  53%  95%
  2015   1%  5%  41%  54%  95%
  2014   1%  6%  38%  54%  93%

We Do a Good Job of Notifying and Collaborating with Stakeholders About Security Incidents
  2016   1%  5%  43%  52%  95%
  2015   1%  4%  42%  53%  95%
  2014   2%  5%  43%  51%  94%

We Have a Good System for Categorizing Incident-Related Information
  2016  <1%  4%  44%  51%  96%
  2015   1%  4%  43%  53%  96%
  2014   2%  5%  40%  54%  93%

We Have Effective Processes for Interpreting and Prioritizing Incoming Incident Reports and Understanding Them
  2016  <1%  4%  45%  50%  96%
  2015   1%  5%  43%  52%  95%
  2014   2%  5%  42%  51%  93%

We Follow a Standardized Incident Response Practice Such as RFC2350, ISO/IEC 27035:2011 or US-CERT
  2016   1%  6%  44%  50%  93%
  2015   1%  6%  44%  49%  93%
  2014   2%  8%  41%  49%  90%

We Have a Good Crisis Management Response Protocol
  2016  <1%  5%  44%  51%  95%
  2015   N/A
  2014   N/A

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 94 Management and Efficacy of Security Technologies
(Columns: What Are the Most Time-Consuming and Most Difficult Security Technologies for Staff to Manage? (Mentions over 10%) 2016 n=2895 / What Are the Most Effective Security Technologies Used by the Organization? 2016 n=2895)

Firewall                                        20%  28%
DDoS Defense                                    16%  14%
Data Loss Prevention                            16%  14%
Encryption/Privacy/Data Protection              15%  17%
Endpoint Protection/Antivirus, Anti-Malware     12%  15%
Mobility Security                               12%  10%
Secure DNS                                      12%  13%
Email/Messaging Security                        11%  12%
Access Control/Authorization                    11%  14%
Intrusion Prevention                            11%  10%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 95 Year-over-Year Use of Security Threat Defenses
(Columns per year: Security Threat Defenses Used by Organization / Defenses Through Cloud-Based Services*)

Security Threat Defense                                      2016 Used  2016 Cloud  2015 Used  2015 Cloud  2014 Used  2014 Cloud
Firewall**                                                   58%        34%         65%        31%         N/A        N/A
Data Loss Prevention                                         45%        N/A         56%        N/A         55%        N/A
Encryption/Privacy/Data Protection                           44%        N/A         53%        N/A         53%        N/A
Secure DNS                                                   42%        22%         N/A        N/A         N/A        N/A
Email/Messaging Security                                     42%        27%         52%        34%         56%        37%
Web Security                                                 41%        25%         51%        31%         59%        37%
Endpoint Protection/Anti-Malware                             41%        24%         49%        25%         49%        25%
Access Control/Authorization                                 40%        N/A         48%        N/A         53%        N/A
DDoS Defense                                                 38%        N/A         37%        N/A         36%        N/A
Secured Wireless                                             37%        19%         41%        19%         50%        26%
Identity Administration/User Provisioning                    35%        N/A         45%        N/A         45%        N/A
Intrusion Prevention**                                       35%        17%         44%        20%         N/A        N/A
Mobility Security                                            35%        20%         44%        24%         51%        28%
VPN                                                          32%        18%         40%        21%         48%        26%
Network Forensics                                            32%        N/A         31%        N/A         42%        N/A
Security Information and Event Management (SIEM)             32%        N/A         38%        N/A         43%        N/A
Vulnerability Scanning                                       32%        15%         41%        21%         48%        25%
Patching and Configuration                                   30%        N/A         32%        N/A         39%        N/A
Multi-Factor Authentication                                  29%        N/A         N/A        N/A         N/A        N/A
Penetration Testing                                          27%        12%         34%        17%         38%        20%
Endpoint Forensics                                           26%        N/A         26%        N/A         31%        N/A
Authentication                                               N/A        N/A         53%        N/A         52%        N/A
Network Security, Firewalls and Intrusion Prevention**       N/A        N/A         N/A        N/A         60%        35%
None of the Above                                             1%         8%          1%        11%          1%        13%

Defenses Used by Organization: 2016 (n=2912), 2015 (n=2432), 2014 (n=1738)
Defenses Through Cloud-Based Services: 2016 (n=2725), 2015 (n=2268), 2014 (n=1646)
* Security Respondents Who Use Security Threat Defenses
** Firewall and Intrusion Prevention Were One Code in 2014: Network Security, Firewalls and Intrusion Prevention

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 96 Extent That Customer Protection Factors into Security Decision-Making
(Columns: Not at All, Not Very Much, Somewhat, Very Much, Extremely, % Very Much + Extremely; 2016 n=2878; graphic rounded to nearest whole number)

To What Extent Does Customer Protection Factor into Your Security Decision-Making?   0%  1%  10%  45%  44%  89%

Source: Cisco 2017 Security Capabilities Benchmark Study

Risks and Vulnerabilities

Figure 97 IT Security Personnel's Biggest Sources of Concern Related to Cyber Attacks
(Columns: Not a Risk, Slight Risk, Moderate Risk, High Risk, % Moderate + High Risk; 2016 n=2912; graphic rounded to nearest whole number)

Targeted Attacks                                                                                                    4%  18%  42%  36%  78%
Advanced Persistent Threats                                                                                         4%  <1%  43%  33%  76%
Proliferation of BYOD and Smart Devices                                                                             6%  20%  45%  28%  74%
Viability of Disaster Recovery and Business Continuity                                                              5%  23%  47%  26%  72%
Insider Exfiltration                                                                                                6%  22%  42%  30%  72%
Outsourcing of Critical Business Processes to a Third-Party (and Lack of Controls Around Third-Party Services)      6%  23%  46%  26%  72%
Ransomware                                                                                                          6%  23%  46%  25%  71%
Cloud Computing                                                                                                     7%  24%  43%  26%  69%
Regulatory Compliance Constraints                                                                                   6%  25%  44%  25%  69%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 98 Security Professionals' Biggest Sources of Concern Related to Cyber Attacks
(Columns: Not at All Challenging, Not Very Challenging, Somewhat Challenging, Very Challenging, Extremely Challenging, % Very + Extremely Challenging; 2016 n=2912; graphic rounded to nearest whole number)

Mobile Devices                                                          3%  10%  30%  38%  20%  58%
Data in Public Cloud                                                    2%  10%  30%  36%  21%  57%
Cloud Infrastructure                                                    2%  11%  30%  38%  19%  57%
User Behavior (E.g., Clicking Malicious Links in Email or Websites)     2%  10%  31%  37%  20%  57%
Customer Data                                                           2%  11%  32%  37%  18%  54%
Data Center/Servers                                                     3%  11%  32%  37%  18%  54%
Organization Data                                                       2%  12%  32%  37%  17%  54%
Network Infrastructure                                                  2%  11%  33%  37%  17%  54%
Applications                                                            2%  11%  34%  36%  16%  52%
Client Operating Systems (e.g., Windows 7, Windows 10, MacOS, etc.)     3%  14%  32%  36%  16%  52%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 99 Distribution of Security Teams' Efforts
(IT Security Personnel, n=2854)

Where Does the Security Team Spend the Majority of Its Efforts?
Endpoints        23%
Customer Data    29%
Servers          47%

Source: Cisco 2017 Security Capabilities Benchmark Study


Incident Response

Figure 100 Percentages of Security Alerts That Are Investigated or Remediated
(2016 n=2796)

Have Not Experienced a Security Alert      7%
Have Experienced a Security Alert         93%
Of Seen Alerts, Are Investigated          56%
Of Investigated Alerts, Are Legitimate    28%
Of Legitimate Alerts, Are Remediated      46%

Average Alerts Seen by Organization on a Daily Basis
Less Than 5K    50%
5K–10K          15%
10K–50K         11%
50K–100K         8%
100K–150K        6%
Over 150K        4%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 101 Average Time to Detect Security Breaches
(2016 n=2860)

8 Hours or Less                              43%
9-24 Hours                                   25%
25-48 Hours                                  15%
More Than 2 Days but Less Than 1 Week         7%
1-2 Weeks                                     5%
3 Weeks to a Month                            3%
1 Month to 3 Months                           1%
More Than 3 Months, but Less Than 1 Year      1%
1 Year or More                                0%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 102 Groups Notified in the Event of an Incident

Group Notified 2016 (n=2912) 2015 (n=2432) 2014 (n=1738)

Office of the CEO or President 46% 45% N/A

Legal 30% 32% 36%

Marketing 22% 26% 31%

Operations 40% 40% 46%

Engineering 29% 33% 38%

Business Partners 21% 21% 32%

Finance Department 37% 40% N/A

All Employees 25% 27% 35%

Insurance Companies 15% 15% N/A

Technology Partners 36% 34% 45%

Manufacturing 25% 28% 33%

External Authorities 15% 18% 22%

Human Resources 31% 33% 36%

Public Relations 23% 24% 28%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 103 KPIs Used by Organizations to Assess Security Performance

2016 (n=2912)

Time to Detect (e.g., Time Threat Entered Environment to Detection) 59%

Time to Patch (e.g., Time from Patch Release to Implementation) 52%

Time to Contain (e.g., Time from Detection to Containment/Quarantine) 44%

Time to Remediate (e.g., Time from Quarantine to Operational) 30%

None of the Above 3%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 104 Year-over-Year Use of Process to Analyze Compromised Systems

Processes to Analyze Compromised Systems 2014 (n=1738) 2015 (n=2432) 2016 (n=2912)

Firewall Log 61% 57% 56%

System Log Analysis 59% 53% 50%

Network Flow Analysis 53% 49% 49%

Malware or File Regression Analysis 55% 48% 47%

Registry Analysis 50% 47% 43%

Full Packet Capture Analysis 47% 38% 40%

IOC Detection 38% 35% 38%

Disk Forensics 40% 36% 36%

Correlated Event/Log Analysis 42% 37% 35%

Memory Forensics 41% 34% 34%

External Incident Response/Analysis Teams 37% 33% 34%

None of the Above 2% 1% 1%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 105 Year-over-Year Use of Process to Eliminate the Cause of Security Incidents

Processes to Eliminate Cause of Security Incidents 2014 (n=1738) 2015 (n=2432) 2016 (n=2912)

Quarantine or Remove Malicious Application 58% 55% 52%

Root Cause Analysis 55% 55% 51%

Stop Communication of Malicious Software 53% 53% 48%

Additional Monitoring 52% 48% 48%

Policy Updates 51% 47% 45%

Stop Communication of Compromised Application 48% 47% 43%

Long-Term Fix Development 47% 40% 41%

Re-image System to Previous State 45% 41% 39%

None of the Above 2% 1% 1%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 106 Year-over-Year Use of Process to Restore Affected Systems

Processes to Restore Affected Systems 2014 (n=1738) 2015 (n=2432) 2016 (n=2912)

Implementing Additional or New Detections and Controls Based on Identified Weaknesses Post Incident 60% 56% 56%

Restoring from a Pre-Incident Backup 57% 59% 55%

Patching and Updating Applications Deemed Vulnerable 60% 55% 53%

Differential Restoration (Removing Changes Caused by an Incident) 56% 51% 50%

Gold Image Restoration 35% 35% 34%

None of the Above 2% 1% 1%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 107 Attack Simulations: Frequency and Extent of Driving Security Defense Improvements

How Often Does Your Organization Run Attack Simulations? 2016 (n=2868)

Never 4%

Weekly 28%

Monthly 33%

Quarterly 21%

Semi-Annually 8%

Annually 4%

Regularly, but Less Than Once a Year 3%

To What Extent Do the Results of Attack Simulations Drive Improvements in Your Security Defense Policies, Procedures, or Security Technologies? 2016 (n=2736)

1 (Not at All) 0%

2 1%

3 8%

4 44%

5 (A Great Extent) 47%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 108 Importance of Attributing Origin of a Security Breach

How Important Is Attribution to Your Company When Responding to a Security Breach? IT Security Personnel (n=2901)

Not at All Important 0%

Not Very Important 1%

Somewhat Important 7%

Very Important 41%

Extremely Important 52%

% Very + Extremely Important 92%

Graphic rounded to nearest whole number

Source: Cisco 2017 Security Capabilities Benchmark Study


Breaches and Their Impacts

Figure 109 Percentage of Organizations Experiencing a Public Breach

2014 (n=1701) 53%

2015 (n=2347) 48%

2016 (n=2824) 49%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 110 How Much Did the Breach Drive Improvements in Your Security Threat Defense Policies, Procedures, or Technologies?

Respondents Affected by a Security Breach (n=1388)

1 (Not at All) 0%

2 1%

3 9%

4 38%

5 (A Great Extent) 52%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 111 Length and Extent of Outages Caused by Security Breaches

Length of System Outages Due to Breach, 2016 (n=2665)

0 Hours, No Outage 7%

Less Than 1 Hour 13%

1-4 Hours 25%

5-8 Hours 20%

9-16 Hours 15%

17-24 Hours 11%

More Than 24 Hours 9%

Percentage of Systems Impacted Due to Breach, 2016 (n=2463)

0% 1%

1-10% 19%

11-20% 22%

21-30% 20%

31-40% 15%

41-50% 10%

51-60% 6%

61% or More 9%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 112 Improvements Made to Protect Your Company from Security Breaches

2015 (n=1109) and 2016 (n=1375)

Separated Security Team from IT Department

Increased Security Awareness Training Among Employees

Increased Focus on Risk Analysis and Risk Mitigation

Increased Investment in Security Defense Technologies or Solutions

Increased Investment in Training of Security Staff

Values shown on the chart: 43%, 42%, 40%, 37%, 37%, 38%, 38%, 38%, 37%, 37%

Source: Cisco 2017 Security Capabilities Benchmark Study


Vendor Choice and Expectations

Figure 113 Importance of Data Protection and Privacy for Vendors

What Data Protection and Privacy Processes and Policies Are Most Important for a Vendor to Have? 2016 (n=2912)

Organization-Wide Policies on Data Access Controls 35%

Data Incident Response Program 33%

Organization-Wide Policies on Breach Notifications 31%

Organization-Wide Policies on Access to Data Held by Vendor 27%

Mandatory and Continuous Employee Training 27%

Organization-Level Privacy of Design 26%

Assess Data Risk and Organizational Maturity 25%

Policies on Sharing Data Residency and Data Sovereignty 24%

Active Dialogue With Board of Directors Regarding Data Risk 22%

Data Retention Policies 13%

Proactive Measurement and Monitoring/Audit 9%

What Data Protection, Privacy Standards and Certifications Are Required for a Vendor to Work with Your Organization? 2016 (n=2870)

ISO 27001 39%

ISO 27018 34%

NIST Cybersecurity Framework/Standards 28%

Privacy Shield 28%

Service Organizational Controls (SOC) Compliance 28%

TRUSTe Compliance 26%

GAPP (Generally Accepted Privacy Principles) 26%

HIPAA Compliance 25%

EU Model Clauses 25%

PCI-DSS Compliance 23%

Binding Corporate Rules Compliance 23%

APEC Cross Border Privacy Rules 18%

FedRAMP 18%

FISMA 17%

Source: Cisco 2017 Security Capabilities Benchmark Study


Security Capability Maturity Model

Figure 114 Security Maturity by Country

Columns: Low, Lower-Middle, Upper-Mid, High

USA
2016 4% 25% 29% 41%
2015 4% 22% 27% 45%
2014 10% 16% 27% 44%

Brazil
2016 4% 25% 30% 41%
2015 9% 24% 26% 40%
2014 5% 35% 24% 34%

Germany
2016 7% 31% 28% 34%
2015 12% 24% 24% 39%
2014 4% 25% 27% 43%

Italy
2016 5% 36% 31% 28%
2015 7% 36% 23% 34%
2014 23% 25% 13% 38%

United Kingdom
2016 5% 38% 29% 28%
2015 14% 32% 22% 32%
2014 16% 18% 25% 41%

Australia
2016 5% 31% 34% 31%
2015 5% 29% 36% 29%
2014 16% 35% 19% 30%

China
2016 13% 35% 21% 31%
2015 6% 37% 25% 32%
2014 3% 29% 32% 36%

India
2016 5% 17% 31% 47%
2015 4% 21% 34% 40%
2014 10% 16% 20% 54%

Japan
2016 7% 32% 26% 35%
2015 16% 34% 16% 32%
2014 22% 40% 14% 24%

Mexico
2016 4% 21% 26% 47%
2015 14% 20% 16% 50%
2014 N/A

Russia
2016 4% 30% 27% 39%
2015 14% 27% 26% 32%
2014 N/A

France
2016 6% 35% 26% 32%
2015 15% 35% 20% 29%
2014 N/A

Canada
2016 7% 36% 23% 33%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 115 Maturity Model Ranks Organizations Based on Security Process

5-Segment Based on Q9 Series

Level 5 Optimizing: Focus Is on Process Improvement (High)

Level 4 Quantitatively Managed: Processes Quantitatively Measured and Controlled (Upper Middle)

Level 3 Defined: Processes Characterized for the Organization; Often Proactive (Middle)

Level 2 Repeatable: Processes Characterized for Projects; Often Reactive (Lower Middle)

Level 1 Initial: Processes Are Ad Hoc; Unpredictable (Low)

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 116 Segment Sizing for Maturity Model

Segment 2016 (n=2852) 2015 (n=2401) 2014 (n=1637)

High 36% 36% 39%

Upper Middle 28% 25% 23%

Middle 30% 28% 26%

Lower Middle 6% 9% 8%

Low 1% 2% 4%

Source: Cisco 2017 Security Capabilities Benchmark Study


Industry-Specific

Figure 117 Percentage of Healthcare Businesses That Have Implemented Standardized Security Policies

Implemented Standardized Security Policies: Healthcare Business Follows Healthcare-Specific Information Security Policy Practice, 2016 (n=65)

ISO80001 (Medical Device) 74%

ISO27799 60%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 118 Resources Healthcare Companies Use to Measure Themselves Against HIPAA Privacy Rules

Which Resources Are Used to Measure Companies Against HIPAA Privacy Rules and Security? Healthcare Businesses, 2016 (n=219)

HIT Security Guidance 52%

Current HIPAA Document (Currently Omnibus) 52%

NIST 800-66 45%

HHS.OCR Audit Frameworks 40%

HITRUST or Other Private Framework 37%

Third-Party Assessments 24%

None of the Above 6%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 119 Most Common Security Measures Among the Healthcare Businesses with Medical Device Networks

Does Your Organization Have a Medical Device Network That Is Converged with a Main Hospital Network? Healthcare Businesses (n=219)

Yes 63%

No, There Is Not a Medical Device Network in Our Organization 6%

No, the Medical Device Network(s) Is/Are Isolated and Managed Internally 15%

No, the Medical Device Network(s) Is/Are Standalone and Managed by a Vendor 16%

Which of These Security Measures, if Any, Has Your Company Implemented to Protect and Secure Your Medical Device Network? Companies with a Medical Device Network in Their Organization (n=207)

Network Access Control 59%

Advanced Malware Protection/Detection 56%

Multi-Factor Device Authentication 49%

IPS/IDS, Deep Packet Inspection 48%

Automated Threat Defense/Response 48%

Traffic Analysis/Anomaly Detection 45%

Posture Assessments and/or Device Profiling 40%

Segmentation/Micro Segmentation 32%

None of the Above 1%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 120 Sample Profile for Telecommunications

Which Telecommunications Subsector Is Your Organization Primarily Involved In? Telecommunications Businesses (n=307)

Communications Equipment 47%

Service Provider (Traditional) 33%

Cable/Satellite Operator 11%

Media/Broadcasting 7%

Over-the-Top Provider (Netflix, Hulu, Etc.) 2%

Which of These Services Does Your Company Offer to Your Customers? Telecommunications Businesses (n=308)

Managed Security Services Provided to End Customers 71%

Core Production Networks, such as IP (Including Television), Mobile, etc. 60%

Enterprise Environment 59%

Datacenters 57%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 121 Security Strategies Factors for Telecommunications

Relative Priority to Security Strategies and Protocols, Telecommunications Businesses (n=308)

Average Percentage of Availability 34% (Availability: Assuring Reliable Access to Data)

Average Percentage of Confidentiality 36% (Confidentiality: Assuring That Data Is Only Accessed by Appropriate Parties)

Average Percentage of Integrity 31% (Integrity: Assuring That Data Is Precise and Accurate)

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 122 Security Priorities for Telecommunications

Rank in Terms of Priority to Security in Organization, Telecommunications Businesses (n=308)

Priority Ranked 1st Ranked 2nd Ranked 3rd Ranked 4th

Securing the Data Centers 34% 21% 24% 22%

In the Core Production Network That Delivers Highly Available IP and/or Mobile Services 26% 21% 29% 24%

Providing Managed Security Services 21% 30% 19% 30%

The Enterprise Network and Internal Data 20% 28% 29% 24%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 123 Sample Profile for Transportation

Does Your Company Utilize a Security Operations Center (SOC)? Transportation Businesses (n=179)

Yes 75%

No, But There Are Plans to Implement a Security Operations Center in the Next Year 14%

No, and There Are No Immediate Plans to Implement a Security Operations Center 11%

Does Your Company Participate in Security Standards Bodies or Industry Organizations? Transportation Businesses (n=179)

Yes 88%

No 12%

Which Transportation Subsector Is Your Organization Primarily Involved In? Transportation Businesses (n=180)

Freight and Logistics 54%

Mass Transit 11%

Rail 9%

Roadways 9%

Aviation 7%

Maritime 5%

Vehicles 5%

Which of the Following Security Areas Do You Have Responsibility In? Transportation Businesses (n=180)

Operational Technology Security 84%

Critical Infrastructure Security 71%

Vehicle Security 43%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 124 Sample Profile for Utilities/Energy

Which Utilities/Energy Subsector Is Your Organization Primarily Involved In? Utilities/Energy Businesses (n=116)

Oil and Gas 42%

Electric Utilities 58%

How Often Does Your Organization Conduct a Drill or Exercise to Test Your Company's Response Plan to a Cybersecurity Incident? Utilities/Energy Businesses (n=116)

Once Every 6 Months 55%

Once a Year 37%

Once Every 2 Years 6%

Rarely 2%

Never 0%

When These Drills or Exercises Are Performed, Which Parties Are Involved? Utilities/Energy Businesses (n=116)

Security Partners 84%

Internal Non-Security Personnel 69%

Business Partners 64%

First Responders 33%

Local or State Agencies 31%

Federal Agencies 26%

Other Utility Providers 20%

None of the Above 1%

Source: Cisco 2017 Security Capabilities Benchmark Study

Figure 125 Sample Profile for Financial Services

Financial Services Businesses (n=509)

Which Financial Services Subsector Is Your Organization Primarily Involved In?

Financial Markets 52%

Retail Banking 25%

Insurance 23%

How Much Do You Think Security Is Being Influenced by the Following Trends?

Columns: 1 (Not at All), 2, 3, 4, 5 (A Great Extent), % Top 2 Choices (graphic rounded to nearest whole number)

Digital Business 1% 1% 10% 41% 47% 88%

FinTech 0% 2% 10% 46% 42% 88%

DevOps 0% 1% 13% 47% 39% 85%

BiModal IT 0% 2% 15% 48% 35% 82%

Source: Cisco 2017 Security Capabilities Benchmark Study


Figure 126 Data Security for Retail

To What Extent Do You Agree or Disagree With Each of These Statements? Retail Businesses (n=290)

Columns: Strongly Disagree, Somewhat Disagree, Somewhat Agree, Strongly Agree, % Somewhat + Strongly Agree (graphic rounded to nearest whole number)

Ensuring Security of Our Retail Customers' Data Is of High Importance to the Executive Leadership Within My Organization 1% 2% 32% 66% 98%

My Company Is Able to Maintain Full PCI (Payment Card Industry) Compliance <1% 3% 36% 61% 97%

Customer Confidential Credit Card Data Stays Secure Throughout Its Entire Lifecycle Within My Company 1% 3% 33% 63% 96%

Source: Cisco 2017 Security Capabilities Benchmark Study


Malware Families

Figure 127 File Extension and MIME Combinations for Dridex (Web and Email Vectors)

Unique Vectors (Email and Web):

exe & application/msdos-program
docm & application/vnd.ms-word...
docm & application/vnd.openxml...
xls & application/vnd.ms-excel
doc & application/msword
exe & application/msdownload
doc & text/plain
pxls & application/vnd.ms-excel
pdf & application/msword
zip & application/zip
doc & appl/text
doc & application/vnd.msword
doc & application/winword
doc & application/word
doc & application/x-msw6
doc & application/doc
doc & application/vnd.ms-word
doc & application/x-msword
no extension & application/msword
no extension & text/plain
js & text/plain
rtf & application/vnd.openxml...
no extension & application/rtf
no extension & application/vnd...
exe & application/executable
doc & application/vnd.openxml...
doc & application/xml
rtf & application/xml
rtf & text/plain
rtf & application/msword
pdf & application/vnd.openxml...
dot & application/vnd.openxml...

Source: Cisco Security Research

Figure 128 Hash Ages for the Dridex Malware Family and Percent of Total Hash Volume Observed Per Month

[Chart: Percentage of Dridex Hashes (0% to 100%) by hash age, Nov 2015 to Oct 2016, in the buckets <24 Hours, 1-2 Days, 3-10 Days, 11-30 Days, 31-90 Days and 90+ Days; secondary series: Percentage of Total Hash Volume (0% to 1%) over the same months]

Source: Cisco Security Research
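The extension/MIME pairs in Figure 127 (a .doc delivered as text/plain, a .pdf carrying a Word MIME type, a .js labelled as text) and the hash-age buckets used in Figure 128 and the family charts that follow both translate directly into triage logic. The Python below is an added example, not code from the report or from Cisco: it classifies constructed attachment records against an assumed extension-to-MIME allow-list and computes a per-bucket hash-age distribution from constructed first-seen dates. The allow-list, the high-risk extension set, the placeholder hash names and every sample record are assumptions made for this example.

```python
"""Added example (not code from the Cisco report): flag file-extension/MIME
mismatches in attachment metadata of the kind Figure 127 lists, and bucket
malware hash ages the way Figures 128 and 132-136 do.
All sample records below are constructed for illustration."""
from collections import Counter
from datetime import date

# Extensions and the MIME types that legitimately accompany them.
# The allow-list is an assumption made for this example, not Cisco's.
EXPECTED_MIME = {
    "doc": {"application/msword"},
    "docm": {"application/vnd.ms-word.document.macroenabled.12"},
    "xls": {"application/vnd.ms-excel"},
    "rtf": {"application/rtf", "text/rtf"},
    "pdf": {"application/pdf"},
    "zip": {"application/zip"},
    "exe": {"application/x-msdownload", "application/msdownload",
            "application/x-msdos-program"},
}
# Executable or macro-bearing types: flagged whatever MIME type they carry.
HIGH_RISK_EXT = {"exe", "js", "vbs", "docm", "dotm", "scr", "hta", "jar"}


def split_ext(filename):
    """Lower-cased extension, or '' when the name has none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def classify(filename, mime):
    """'high_risk', 'mismatch', 'unknown' or 'ok' for one attachment.
    high_risk is checked first: a .js labelled text/plain is still a script."""
    ext = split_ext(filename)
    mime = mime.lower().split(";")[0].strip()   # drop charset= parameters
    if ext in HIGH_RISK_EXT:
        return "high_risk"
    if ext not in EXPECTED_MIME:
        return "unknown"    # no extension, or one the allow-list does not cover
    return "ok" if mime in EXPECTED_MIME[ext] else "mismatch"


def triage(records):
    """Count verdicts over (filename, mime) pairs and list everything not 'ok'."""
    counts, flagged = Counter(), []
    for name, mime in records:
        verdict = classify(name, mime)
        counts[verdict] += 1
        if verdict != "ok":
            flagged.append((name, mime, verdict))
    return counts, flagged


# Hash-age buckets used on the charts: (label, exclusive upper bound in days).
AGE_BUCKETS = (("<24 Hours", 1), ("1-2 Days", 3), ("3-10 Days", 11),
               ("11-30 Days", 31), ("31-90 Days", 91))
LAST_BUCKET = "90+ Days"


def age_bucket(first_seen, observed):
    """Bucket label for a hash first seen on first_seen and observed on observed."""
    days = (observed - first_seen).days
    for label, upper in AGE_BUCKETS:
        if days < upper:
            return label
    return LAST_BUCKET


def age_distribution(first_seen_by_hash, observations):
    """Percentage of observations per bucket (all six keys present, one decimal)."""
    labels = [lbl for lbl, _ in AGE_BUCKETS] + [LAST_BUCKET]
    hits = Counter(age_bucket(first_seen_by_hash[h], seen) for h, seen in observations)
    total = sum(hits.values())
    return {lbl: round(100.0 * hits[lbl] / total, 1) if total else 0.0 for lbl in labels}


# Constructed sample data (placeholder names and hash ids, not real indicators).
SAMPLE_ATTACHMENTS = [
    ("invoice.doc", "application/msword"),        # extension and MIME agree
    ("invoice.doc", "text/plain"),                # Word document labelled as text
    ("statement.pdf", "application/msword"),      # PDF name on a Word body
    ("report.xls", "application/vnd.ms-excel"),
    ("order.docm", "application/vnd.ms-word.document.macroenabled.12"),
    ("scan.js", "text/plain; charset=us-ascii"),  # script hidden as text
    ("archive.zip", "application/zip"),
    ("payload", "application/msword"),            # no extension at all
]
FIRST_SEEN = {"hash-a": date(2016, 3, 1), "hash-b": date(2016, 2, 20),
              "hash-c": date(2015, 12, 1)}
OBSERVATIONS = [("hash-a", date(2016, 3, 1)), ("hash-a", date(2016, 3, 2)),
                ("hash-b", date(2016, 3, 1)), ("hash-c", date(2016, 3, 15))]

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_ATTACHMENTS)
    print(dict(counts))
    for item in flagged:
        print("flag:", item)
    print(age_distribution(FIRST_SEEN, OBSERVATIONS))
```

Run stand-alone, the script prints the verdict counts, the flagged records and the age distribution. A mismatch is a triage signal rather than a verdict, so the classifier separates "mismatch" from "high_risk" and "unknown" and leaves the decision to the analyst; the age distribution is the same computation the charts plot, and the share landing in the "<24 Hours" bucket is the part of a family's daily volume that hash-based controls have not yet seen.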

Figure 129 TTD for the Dridex Malware Family

[Chart: Median Hours, Nov 2015 to Oct 2016; labeled data points: 20.4, 16.9, 10.2, 7.2 and 5.5 hours]

Source: Cisco Security Research


Figure 130 File Extension and MIME Combinations for the Family of Threats and Indicators That Lead to and Include the Cerber Payload (Web and Email Vectors)

Unique Vectors (Email and Web):

zip & application/zip
doc & application/msword
vbs & text/plain
rtf & application/vnd.openxml...
dotm & application/vnd.open...
exe & application/msdownload
js & text/plain
no extension & application/zip
html & application/zip
jpg & image/jpeg
rtf & application/msword

Source: Cisco Security Research

Figure 131 TTD for the Cerber Malware Family

[Chart: Median Hours (0 to 160), Jan 2016 to Oct 2016; labeled data points: 116.1, 26.2, 5.1 and 5.9 hours]

Source: Cisco Security Research

Figure 132 Hash Ages for the Cerber Malware Family and Percent of Total Hash Volume Observed Per Month

[Chart: Percentage of Cerber Hashes (0% to 100%) by hash age, Nov 2015 to Oct 2016, in the buckets <24 Hours, 1-2 Days, 3-10 Days, 11-30 Days, 31-90 Days and 90+ Days; secondary series: Percentage of Total Hash Volume (0% to 0.2%) over the same months]

Source: Cisco Security Research

Figure 133 Hash Ages for the Locky Malware Family Per Month

[Chart: Percentage of Locky Hashes (0% to 100%) by hash age, Nov 2015 to Oct 2016, in the buckets <24 Hours, 1-2 Days, 3-10 Days, 11-30 Days, 31-90 Days and 90+ Days]

Source: Cisco Security Research

Figure 134 Hash Ages for the Nemucod Malware Family Per Month

[Chart: Percentage of Nemucod Hashes (0% to 100%) by hash age, Nov 2015 to Oct 2016, in the buckets <24 Hours, 1-2 Days, 3-10 Days, 11-30 Days, 31-90 Days and 90+ Days]

Source: Cisco Security Research


Figure 135 Hash Ages for the Adwind RAT Malware Family Per Month

[Chart: Percentage of Adwind RAT Hashes (0% to 100%) by hash age, Nov 2015 to Oct 2016, in the buckets <24 Hours, 1-2 Days, 3-10 Days, 11-30 Days, 31-90 Days and 90+ Days]

Source: Cisco Security Research

Figure 136 Hash Ages for the Kryptik Malware Family Per Month

[Chart: Percentage of Kryptik Hashes (0% to 100%) by hash age, Nov 2015 to Oct 2016, in the buckets <24 Hours, 1-2 Days, 3-10 Days, 11-30 Days, 31-90 Days and 90+ Days]

Source: Cisco Security Research

Download the Graphics

All the graphics in this report are downloadable at: www.cisco.com/go/acr2017graphics

Updates and Corrections

To see updates and corrections to the information in this report, visit: www.cisco.com/go/acr2017errata

Americas Headquarters
Cisco Systems, Inc.
San Jose, CA

Asia Pacific Headquarters
Cisco Systems (USA) Pte. Ltd.
Singapore

Europe Headquarters
Cisco Systems International BV Amsterdam,
The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Published January 2017

© 2017 Cisco and/or its affiliates. All rights reserved.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Adobe, Acrobat, and Flash are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.
