----- **Cisco 2017 Annual Cybersecurity Report** ### Table of Contents **EXECUTIVE SUMMARY AND MAJOR FINDINGS .............3** **INTRODUCTION ...............................................................8** **THE EXPANSION OF THE ATTACK SURFACE ................10** **ATTACKER BEHAVIOR ...................................................13** **The Reconnaissance Phase ..........................................13** Web Attack Methods: “Short Tail” Threats Help Adversaries Lay the Groundwork for Campaigns ..........13 **The Weaponization Phase ............................................15** Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant ..........................................15 Application Security: Managing OAuth Connection Risk Amid an App Explosion .........................................16 **The Delivery Phase .......................................................20** Disappearance of Major Exploit Kits Presents Opportunities for Smaller Players and New Entrants ......20 Malvertising: Adversaries Use Brokers to Increase Speed and Agility .........................................................22 Investigation Finds 75 Percent of Organizations Affected by Adware Infections......................................23 Global Spam Is Increasing—and So Is the Percentage of Malicious Attachments ..........................25 **The Installation Phase ...................................................30** Web Attack Methods: “Long Tail” Snapshot Reveals Threats That Users Can Easily Avoid ...............30 Vertical Risk of Malware Encounters: Attackers See Value Across the Board .........................................31 Regional Overview of Web Block Activity......................32 Time to Detection: An Essential Metric for Measuring Defenders’ Progress ...................................33 Time to Evolve: For Some Threats, Change Is Constant .......................................................34 **2** **DEFENDER BEHAVIOR ...................................................42** Vulnerabilities on the Decline in 2016 ...........................42 Middleware: Adversaries See Opportunity in Unpatched Software .....................................................44 Time to Patch: Closing the Recovery Time Frame ........45 **CISCO 2017 SECURITY CAPABILITIES** **BENCHMARK STUDY .....................................................49** Perceptions: Security Professionals Confident in Tools, Less Sure They’re Using Them Effectively ......49 Constraints: Time, Talent, and Money Affect the Ability to Respond to Threats .......................51 Impact: More Organizations Experiencing Losses from Breaches ..............................................................55 Outcomes: Increased Scrutiny Will Play a Role in Security Improvements .................................................58 Trust Versus Cost: What Drives Security Purchases? .....................................................61 Summary: What the Benchmark Study Reveals ............62 **INDUSTRY .....................................................................64** Value Chain Security: Success in a Digital World Hinges on Mitigating Third-Party Risk .................64 Geopolitical Update: Encryption, Trust, and a Call for Transparency ....................................................65 High-Speed Encryption: A Scalable Solution to Protecting Data in Transit..........................................66 Network Performance and Adoption Versus Security Maturity ...........................................................67 **CONCLUSION ................................................................71** A Rapidly Expanding Attack Surface Requires an Interconnected and Integrated Approach to Security .......71 The Key Goal: Reducing Adversaries’ Operational Space ........................................................73 **ABOUT CISCO ...............................................................74** Contributors to the Cisco 2017 Annual Cybersecurity Report ....................................................75 **APPENDIX .....................................................................78** **Table of Contents** ----- **Cisco 2017 Annual Cybersecurity Report** ### Executive Summary ##### As the attack surface increases, defenders must focus on their most important goal: reducing their adversaries’ operational space. Adversaries have more tools at their disposal than ever before. They also have a keen sense of when to use each one for maximum effect. The explosive growth of mobile endpoints and online traffic works in their favor. They have more space in which to operate and more choices of targets and approaches. Defenders can use an array of strategies to meet the challenges of an expanding threat landscape. They can purchase best-of-breed solutions that work separately to provide information and protection. And they can compete for personnel in a market where talent is in short supply and budgets are tight. Stopping all attacks may not be possible. But you can minimize both the risk and the impact of threats by constraining your adversaries’ operational space and, thus, their ability to compromise assets. One measure you can take is simplifying your collection of security tools into an interconnected and integrated security architecture. Integrated security tools working together in an automated architecture can streamline the process of detecting and mitigating threats. You will then have time to address more complex and persistent issues. Many organizations use at least a half dozen solutions from just as many vendors (page 53). In many cases, their security teams can investigate only half the security alerts they receive on a given day. The Cisco 2017 Annual Cybersecurity Report presents research, insights, and perspectives from Cisco Security Research. We highlight the relentless push-and-pull dynamic between adversaries trying to gain more time to operate and defenders working to close the windows of opportunity that attackers try to exploit. We examine data compiled by Cisco threat researchers and other experts. Our research and insights are intended to help organizations respond effectively to today’s rapidly evolving and sophisticated threats. **This report is divided into the following sections:** **Attacker Behavior** In this section, we examine how attackers reconnoiter vulnerable networks and deliver malware. We explain how tools such as email, third-party cloud applications, and adware are weaponized. And we describe the methods that cybercriminals employ during the installation phase of an attack. This section also introduces our “time to evolve” (TTE) research, which shows how adversaries keep their tactics fresh and evade detection. We also give an update on our efforts to reduce our average median time to detection (TTD). In addition, we present the latest research from Cisco on malware risk for various industries and geographic regions. **Defender Behavior** We offer updates on vulnerabilities in this section. One focus is on the emerging weaknesses in middleware libraries that present opportunities for adversaries to use the same tools across many applications, reducing the time and cost needed to compromise users. We also share Cisco’s research on patching trends. We note the benefit of presenting users with a regular cadence of updates to encourage the adoption of safer versions of common web browsers and productivity solutions. **3** **Executive Summary and Major Findings** ----- **Cisco 2017 Annual Cybersecurity Report** **Cisco 2017 Security Capabilities Benchmark Study** This section covers the results of our third Security Capabilities Benchmark study, which focuses on security professionals’ perceptions of the state of security in their organizations. This year, security professionals seem confident in the tools they have on hand, but they are uncertain about whether these resources can help them reduce the operational space of adversaries. The study also shows that public security breaches are having a measurable impact on opportunities, revenue, and customers. At the same time, breaches are driving technology and process improvements in organizations. For more in-depth analysis around the state of security in organizations, go to page 49. **Industry** In this section, we explain the importance of ensuring value chain security. We examine the potential harm of governments stockpiling information about zero-day exploits and vulnerabilities in vendors’ products. In addition, we discuss the use of rapid encryption as a solution for protecting data in high-speed environments. Finally, we outline the challenges of organizational security as global Internet traffic, and the potential attack surface, grow. **Conclusion** In the conclusion, we suggest that defenders adapt their security practices so they can better meet typical security challenges along the attack chain and reduce adversaries’ operational space. This section also offers specific guidance on establishing an integrated and simplified approach to security: one that will connect executive leadership, policy, protocols, and tools to prevent, detect, and mitigate threats. **4** **Executive Summary and Major Findings** **4** ----- **Cisco 2017 Annual Cybersecurity Report** ### Major Findings - hree leading exploit kits—Angler, Nuclear, and Neutrino—abruptly disappeared from the landscape in 2016, leaving room for smaller players and new entrants to make their mark. - ccording to the Cisco 2017 Security Capabilities Benchmark Study, most companies use more than five security vendors and more than five security products in their environment. Fifty-five percent of the security professionals use at least six vendors; 45 percent use anywhere from one to five vendors; and 65 percent use six or more products. - he top constraints to adopting advanced security products and solutions, according to the benchmark study, are budget (cited by 35 percent of the respondents), product compatibility (28 percent), certification (25 percent), and talent (25 percent). - he Cisco 2017 Security Capabilities Benchmark Study found that, due to various constraints, organizations can investigate only 56 percent of the security alerts they receive on a given day. Half of the investigated alerts (28 percent) are deemed legitimate; less than half (46 percent) of legitimate alerts are remediated. In addition, 44 percent of security operations managers see more than 5000 security alerts per day. - wenty-seven percent of connected third-party cloud applications introduced by employees into enterprise environments in 2016 posed a high security risk. Open authentication (OAuth) connections touch the corporate infrastructure and can communicate freely with corporate cloud and software-as-a-service (SaaS) platforms after users grant access. - n investigation by Cisco that included 130 organizations across verticals found that 75 percent of those companies are affected by adware infections. Adversaries can potentially use these infections to facilitate other malware attacks. - ncreasingly, the operators behind malvertising campaigns are using brokers (also referred to as “gates”). Brokers enable them to move with greater speed, maintain their operational space, and evade detection. These intermediary links allow adversaries to switch quickly from one malicious server to another without changing the initial redirection. - pam accounts for nearly two-thirds (65 percent) of total email volume, and our research suggests that global spam volume is growing due to large and thriving spam-sending botnets. According to Cisco threat researchers, about 8 percent to 10 percent of the global spam observed in 2016 could be classified as malicious. In addition, the percentage of spam with malicious email attachments is increasing, and adversaries appear to be experimenting with a wide range of file types to help their campaigns succeed. - ccording to the Security Capabilities Benchmark Study, organizations that have not yet suffered a security breach may believe their networks are safe. This confidence is probably misplaced, considering that 49 percent of the security professionals surveyed said their organizations have had to manage public scrutiny following a security breach. **5** **Executive Summary and Major Findings** ----- **Cisco 2017 Annual Cybersecurity Report** - he Cisco 2017 Security Capabilities Benchmark Study also found that nearly a quarter of the organizations that have suffered an attack lost business opportunities. Four in 10 said those losses are substantial. One in five organizations lost customers due to an attack, and nearly 30 percent lost revenue. - hen breaches occur, operations and finance were the functions most likely to be affected (36 percent and 30 percent, respectively), followed by brand reputation and customer retention (both at 26 percent), according to respondents to the benchmark study. - etwork outages that are caused by security breaches can often have a long-lasting impact. According to the benchmark study, 45 percent of the outages lasted from 1 to 8 hours; 15 percent lasted 9 to 16 hours, and 11 percent lasted 17 to 24 hours. Fortyone percent (see page 55) of these outages affected between 11 percent and 30 percent of systems. - ulnerabilities in middleware—software that serves as a bridge or connector between platforms or applications—are becoming more apparent, raising concerns that middleware is becoming a popular threat vector. Many enterprises rely on middleware, so the threat could affect every industry. During the course of a Cisco® project, our threat researchers discovered that a majority of new vulnerabilities examined were attributable to the use of middleware. - he cadence of software updates can affect user behavior when it comes to installing patches and upgrades. According to our researchers, regular and predictable update schedules result in users upgrading their software sooner, reducing the time during which adversaries can take advantage of vulnerabilities. - he 2017 Security Capabilities Benchmark Study found that most organizations rely on third-party vendors for at least 20 percent of their security, and those who rely most heavily on these resources are most likely to expand their use in the future. **6** **Executive Summary and Major Findings** **Executive Summary and Major Findings** ----- # Introduction ----- **Cisco 2017 Annual Cybersecurity Report** ### Introduction Adversaries have a vast and varied portfolio of techniques for gaining access to organizational resources and for attaining unconstrained time to operate. Their strategies cover all the basics and include: - Taking advantage of lapses in patching and updating - Luring users into socially engineered traps - Injecting malware into supposedly legitimate online content such as advertising They have many other capabilities, as well, from exploiting middleware vulnerabilities to dropping malicious spam. And once they’ve achieved their goals, they can quickly and quietly shut down their operations. Adversaries work nonstop to evolve their threats, move with even more speed, and find ways to widen their operational space. The explosive growth in Internet traffic—driven largely by faster mobile speeds and the proliferation of online devices—works in their favor by helping to expand the attack surface. As that happens, the stakes grow higher for enterprises. The Cisco 2017 Security Capabilities Benchmark Study found that more than one-third of organizations that have been subject to an attack lost 20 percent of revenue or more. Forty-nine percent of the respondents said their business had faced public scrutiny due to a security breach. How many enterprises can suffer such damage to their bottom line and remain healthy? Defenders must focus their resources on reducing their adversaries’ operational space. Attackers will then find it extremely difficult to gain access to valuable enterprise resources and to conduct their activities without being detected. Automation is essential to achieving this goal. It helps you understand what normal activity is in the network environment, so you can focus scarce resources on investigating and resolving true threats. Simplifying security operations also helps you become more effective at eliminating adversaries’ unconstrained operational space. However, the benchmark study shows that most organizations are using more than five solutions from more than five vendors (page 53). Such a complex web of technology, and the overwhelming number of security alerts, is a recipe for less, not more, protection. Adding more security talent can help, of course. With more experts on board, the logic goes, the better the organization’s ability to manage technology and deliver better outcomes. However, scarce security talent and limited security budgets make hiring sprees unlikely. Instead, most organizations must make do with the talent they have. They rely on outsourced talent to add muscle to their security teams while also conserving budget. The real answer to meeting these challenges, as we explain later in this report, is to operationalize people, processes, and technology in an integrated manner. To operationalize security is to truly understand what the enterprise needs to protect, as well as what measures should be used to protect those vital assets. **8** **Introduction** ----- # The Expansion of the Attack Surface ----- **Cisco 2017 Annual Cybersecurity Report** ### The Expansion of the Attack Surface _Mobile devices. Public cloud. Cloud infrastructure. User_ _behavior. Security professionals who participated in Cisco’s_ third annual Security Capabilities Benchmark Study cited all those elements as top sources of concern when they think about their organization’s risk of exposure to a cyber attack (Figure 1). This is understandable: The proliferation of mobile devices creates more endpoints to protect. The cloud is expanding the security perimeter. And users are, and always will be, a weak link in the security chain. As businesses embrace digitization—and the Internet of Everything (IoE)¹ begins to take shape—defenders will have even more to worry about. The attack surface will only expand, giving adversaries more space to operate. [For more than a decade, the Cisco® Visual Networking](http://www.cisco.com/c/en/us/solutions/service-provider/visual-networking-index-vni/index.html) [Index (VNI) has provided global IP traffic forecasts and](http://www.cisco.com/c/en/us/solutions/service-provider/visual-networking-index-vni/index.html) analyzed the dynamic factors that facilitate network growth. Consider these statistics from the most recent report, _The Zettabyte Era—Trends and Analysis:²_ - Annual global IP traffic will pass the zettabyte (ZB) threshold by the end of 2016 and reach 2.3 ZB per year by 2020. (A zettabyte is 1000 exabytes, or 1 billion terabytes.) That represents a threefold increase in global IP traffic in the next 5 years. - Traffic from wireless and mobile devices will account for two-thirds (66 percent) of total IP traffic by 2020. Wired devices will account for only 34 percent. - From 2015 to 2020, average broadband speeds will nearly double. - By 2020, 82 percent of all consumer Internet traffic globally will be IP video traffic, up from 70 percent in 2015. ###### Figure 1 Security Professionals’ Biggest Sources of Concern Related to Cyber Attacks Mobile Devices Data in Public Cloud Cloud Infrastructure #### 57% User Behavior (For Example, Clicking Malicious Links in Email or Websites) #### 57% #### 58% #### 57% **Percentage of Security Professionals Who Find the Categories Very or Extremely Challenging** Source: Cisco 2017 Security Capabilities Benchmark Study [Download the 2017 graphics at: www.cisco.com/go/acr2017graphics](http://www.cisco.com/go/acr2017graphics) [¹ “Internet of Everything FAQ,” Cisco: http://ioeassessment.cisco.com/learn/ioe-faq.](http://ioeassessment.cisco.com/learn/ioe-faq) ² The Zettabyte Era—Trends and Analysis, Cisco VNI, 2016: [http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/vni-hyperconnectivity-wp.html.](http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/vni-hyperconnectivity-wp.html) **10** **The Expansion of the Attack Surface** ----- **Cisco 2017 Annual Cybersecurity Report** In addition, the Cisco VNI™ Forecast and Methodology, _2015–2020 white paper³ predicts that the volume of_ global Internet traffic in 2020 will be 95 times as great as it was in 2005. Of course, opportunistic cybercriminals pay close attention to these trends, too. We are already seeing operators in the shadow economy taking steps to become more agile in this changing environment. They are creating highly targeted and varied attacks designed to succeed across the expanding attack surface. Meanwhile, security teams are in a constant firefighting mode, overwhelmed by alerts. They’re having to rely on an array of security products in the network environment that only add more complexity and can even increase an organization’s susceptibility to threats. Organizations must: - Integrate their security technology - Simplify their security operations - Rely more on automation This approach will help reduce operational expenses, ease the burden on security personnel, and deliver better security outcomes. Most important, it will give defenders the ability to focus more of their time on eliminating the unconstrained space in which adversaries currently operate. . **The Expansion of the Attack Surface** ³ Cisco VNI Forecast and Methodology, 2015–2020, Cisco VNI, 2016: [http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/complete-white-paper-c11-481360.html](http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/complete-white-paper-c11-481360.html) **11** ----- # Attacker Behavior ----- **Cisco 2017 Annual Cybersecurity Report** ### Attacker Behavior ###### Web Attack Methods: “Short Tail” Threats Help Adversaries Lay the Groundwork for Campaigns Reconnaissance is, of course, a foundational step for launching a cyber attack. In this phase, adversaries look for vulnerable Internet infrastructure or network weaknesses that will allow them to gain access to users’ computers and, ultimately, to infiltrate organizations. Suspicious Windows binaries and potentially unwanted applications (PUAs) topped the list of web attack methods for 2016 by a significant margin (see Figure 2). Suspicious Windows binaries deliver threats such as spyware and adware. Malicious browser extensions are an example of PUAs. Facebook scams, which include fake offers and media content along with survey scams, ranked third on our list. The continued prominence of Facebook scams on our annual and midyear lists of the most commonly observed malware highlights the foundational role of social engineering in many cyber attacks. Facebook has nearly 1.8 billion monthly active users worldwide.⁴ It is logical territory for cybercriminals and other actors looking to dupe users. One positive development is the company’s recent announcement that it is taking steps to eliminate fake news and hoaxes. Critics suggest such content may have influenced voters in the 2016 U.S. presidential election.⁵ [⁴ Facebook stats, September 2016: http://newsroom.fb.com/company-info/.](http://newsroom.fb.com/company-info/) ⁵ “Zuckerberg Vows to Weed Out Facebook ‘Fake News,’” by Jessica Guynn and Kevin McCoy, USA Today, November 14, 2016: [http://www.usatoday.com/story/tech/2016/11/13/zuckerberg-vows-weed-](http://www.usatoday.com/story/tech/2016/11/13/zuckerberg-vows-weed-out-facebook-fake-news/93770512/) [out-facebook-fake-news/93770512/.](http://www.usatoday.com/story/tech/2016/11/13/zuckerberg-vows-weed-out-facebook-fake-news/93770512/) **13** ###### Figure 2 Most Commonly Observed Malware **Sample** **Count** **Attacker Behavior** 87,329 50,081 35,887 27,627 24,737 18,505 15,933 14,020 12,848 11,600 11,506 7712 5995 5510 5467 4970 4584 4398 3646 3006 PUA and Suspicious Binaries Trojan Droppers (VBS) Facebook Scam Links Trojan Downloaders (Scripts) Browser Redirection (JS) Browser Redirection-Downloads Phishing (Links) Android Trojans (Iop) Browser Redirection Facebook Hijacking Heuristic Blocks (Scripts) Packed Binaries Trojan Downloaders (JS) Trojans, Heuristic (Win32) Browser iFrame Attacks Android (Axent) Android Trojans (Loki) Malware (FakeAvCn) Trojans (HideLink) Malware (HappJS) Source: Cisco Security Research ----- **Cisco 2017 Annual Cybersecurity Report** Browser redirection malware rounded out the top five most commonly observed malware types for 2016. As discussed in the Cisco 2016 Midyear Cybersecurity Report,⁶ browser infections can expose users to malicious advertising (malvertising), which adversaries use to set up ransomware and other malware campaigns. Cisco threat researchers warn that malicious adware, which includes ad injectors, browsersettings hijackers, utilities, and downloaders, is a growing problem. In fact, we have identified adware infections in 75 percent of the companies we recently investigated as part of our research into the adware problem. (For more on this topic, see “Investigation Finds 75 Percent of Organizations Affected by Adware Infections,” page 23.) 10 most commonly seen types of malware in 2016. Loki malware, which appears toward the very end of the short tail shown in Figure 2 (see previous page), is particularly troublesome because it can replicate and infect other files and programs. Figure 3 helps to illustrate malware trends that Cisco threat researchers have observed since late 2015. It shows that adversaries have made a definite shift in the reconnaissance phase of web-based attacks. More threats now specifically seek vulnerable browsers and plugins. This shift corresponds with adversaries’ growing reliance on malvertising, as it becomes more difficult to exploit large numbers of users through traditional web attack vectors. (See the next section, “Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant,” page 15.) Other malware types listed in Figure 3, such as browser JavaScript abuse malware and browser iFrame abuse malware, are also designed to facilitate browser infections. Trojans (droppers and downloaders) also appear among the top five most commonly observed malware types, which indicates that they remain popular tools for gaining initial access to users’ computers and to organizational networks. Another trend to watch: consistently high use of malware that targets users of the Android operating platform. Android Trojans have been moving steadily up the shorttail list over the past 2 years. They ranked among the top The message for individual users, security professionals, and enterprises is clear: Making sure that browsers are secure, and disabling or removing unnecessary browser plugins, can go a long way toward preventing malware infections. These infections can lead to more significant, disruptive, and costly attacks, such as ransomware campaigns. These simple steps can greatly reduce your exposure to common web-based threats and prevent adversaries from finding the operational space to carry out the next phase of the attack chain: weaponization. ###### Figure 3 Most Commonly Observed Malware, Q4 2015–Q3 2016 50K 40K 30K 20K 10K 0K Source: Cisco Security Research Q4 2015 Q1 2016 Q2 2016 Q3 2016 ⁶ _[Cisco 2016 Midyear Cybersecurity Report: http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html.](http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html)_ **14** **Attacker Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** ##### Reconnaissance Weaponization Delivery Attackers pair remote access malware with exploits in deliverable payloads. ###### Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant Adobe Flash has long been an attractive web attack vector for adversaries who want to exploit and compromise systems. However, as the amount of Adobe Flash content on the web continues to decline— and awareness about Flash vulnerabilities grows—it is becoming more difficult for cybercriminals to exploit users at the scale they once enjoyed. Adobe itself is moving away from full development and support of the software platform and has encouraged developers to adopt newer standards such as HTML5.⁷ Providers of popular web browsers are also taking a strong position on Flash. For example, Google announced in 2016 that it will phase out full support for Adobe Flash on its Chrome browser.⁸ Firefox is continuing to support legacy Flash content, but it is blocking “certain Flash content that is not essential to the user experience.”⁹ Flash may be fading, but exploit kit developers are helping it endure as an attack vector. However, there are signs this may be changing. After three leading exploit kits—Angler, Nuclear, and Neutrino—abruptly disappeared from the threat landscape in 2016, our threat researchers observed a significant decline in Flash-related Internet traffic. (See “Disappearance of Major Exploit Kits Presents Opportunities for Smaller Players and New Entrants,” page 20.) The actors behind the Angler exploit kit heavily targeted Flash vulnerabilities to compromise users. The Nuclear exploit kit had a similar focus on Flash. And Neutrino relied on Flash files to deliver exploits. Users must remain cautious and should uninstall Flash unless they need it for business reasons. If they must use it, they must stay current with updates. Using web browsers that feature automatic patching capabilities can help. As noted in “Web Attack Methods: ‘Short Tail’ Threats Help Adversaries Lay the Groundwork for Campaigns” on page 13, using secure browsers—and disabling or removing unnecessary browser plugins—will significantly reduce your exposure to web-based threats. **Java, PDF, and Silverlight** Both Java and PDF Internet traffic experienced notable declines in 2016. Silverlight traffic has already reached a level that is not worthwhile for threat researchers to track regularly. Java, once the dominant web attack vector, has seen its security posture improve significantly in recent years. Oracle’s decision in early 2016 to eliminate its Java browser plugin has helped to make Java a less attractive web attack vector. PDF attacks are also increasingly rare. For that reason, they can be easier to detect, which is why many adversaries now use this strategy less often. However, as with Flash, cybercriminals still use Java, PDF, and Silverlight to exploit users. Individual users, enterprises, and security professionals must be aware of these potential roads to compromise. To reduce their risk of exposure to these threats, they must: - Download patches - Use up-to-date web technology - Avoid web content that might present risk ⁷ [“Flash, HTML5 and Open Web Standards,” Adobe News, November 2015: https://blogs.adobe.com/conversations/2015/11/flash-html5-and-open-web-standards.html.](https://blogs.adobe.com/conversations/2015/11/flash-html5-and-open-web-standards.html) ⁸ [“Flash and Chrome,” by Anthony LaForge, The Keyword blog, Google, August 9, 2016: https://blog.google/products/chrome/flash-and-chrome/.](https://blog.google/products/chrome/flash-and-chrome/) ⁹ “Reducing Adobe Flash Usage in Firefox,” by Benjamin Smedberg, Future Release blog, Mozilla, July 20, 2016: [https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/.](https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/) **15** **Attacker Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Application Security: Managing OAuth Connection Risk Amid an App Explosion When enterprises shift to the cloud, their security perimeter extends into the virtual realm. However, that security perimeter quickly dissipates with each connected third-party cloud application that employees introduce into the environment. Workers want to improve their productivity and stay connected while on the job. But these shadow IT applications create a risk for enterprises. They touch the corporate infrastructure and can communicate freely with the corporate cloud and software-as-a-service (SaaS) platforms as soon as users grant access through open authentication (OAuth). These apps can have extensive—and, at times, excessive—access scopes. They must be managed carefully because they can view, delete, externalize, and store corporate data, and even act on behalf of users. The cloud security provider CloudLock, now part of Cisco, has been tracking the growth of connected third-party cloud applications across a sample group of 900 organizations representing a range of industries. As Figure 4 shows, there were about 129,000 unique applications observed at the beginning of 2016. By the end of October, that number had grown to 222,000. The number of applications has increased approximately 11 times since 2014. (See Figure 5.) **Classifying the Riskiest Applications** To help security teams understand which connected thirdparty cloud applications in their environment present the most risk to network security, CloudLock developed the Cloud Application Risk Index (CARI). The process involves several evaluations: - **Data-access requirements: Organizations answer the** following questions, among others: What permissions are required to authorize the application? Does granting data access mean that the application has programmatic (API) access to corporate SaaS platforms through OAuth connections? Can the application (and by extension, the vendor) act on behalf of users and take actions with corporate data, such as viewing and deleting? **16** - **Community trust rating: Peer-driven and crowd-sourced** evaluations are used for this assessment. - **Application threat intelligence: This comprehensive** background check by cybersecurity experts is based on an application’s various security attributes, such as security certifications, breach history, and analyst reviews. ###### Figure 4 Explosive Growth of Connected Third-Party **Cloud Applications, 2016** #### 222,000 October ###### 129,000 January **Number of Unique Applications** Source: Cisco CloudLock ###### Figure 5 Growth of Third-Party Cloud Applications, **Year-Over-Year Comparison** #### 222,000 ###### 108,000 20,400 Oct 2014 Oct 2015 Oct 2016 Source: Cisco CloudLock [Download the 2017 graphics at: www.cisco.com/go/acr2017graphics](http://www.cisco.com/go/acr2017graphics) **Attacker Behavior** #### 222,000 October ###### 129,000 January #### 222,000 ----- **Cisco 2017 Annual Cybersecurity Report** ###### Risk Scores and Examples on a scale of 1 (lowest risk) to 5 (highest risk). a 100 percent community trust rating, and no breach history. An app that would score 5 on the scale might be one with full account access (it can see all emails, documents, navigation history, calendar, and more), an 8 percent trust rating (meaning, only 8 percent of administrators trust it), and no security certification. CloudLock used the CARI to categorize the 222,000 applications it had identified across the 900 organizations in its sample. Of those total applications, 27 percent were deemed to be high risk, while the majority fell into the medium-risk category. (See Figure 6.) Half of those organizations had OAuth connections related to a popular gaming application that was released in the summer of 2016. **17** ###### Figure 6 Third-Party Applications Classified as **High Risk** ###### 27% High Risk ###### 15% Low Risk 222,000 Third-Party Applications ###### 58% Medium Risk Source: Cisco CloudLock **S H A R E** **Attacker Behavior** ###### 27% High Risk ----- **Cisco 2017 Annual Cybersecurity Report** Through our analysis, we have found that all organizations, regardless of their size, industry, or region, have a relatively even distribution of low-, medium-, and high-risk applications (Figures 7 and 8). ###### Figure 7 Distribution of Low-, Medium-, and High-Risk Applications, by Region 15 12 10 ###### 31 30 32 **North** **LATAM** **EMEA** **America** 54 58 58 Low Risk Medium Risk High Risk Source: Cisco CloudLock ###### Figure 8 Distribution of Low-, Medium-, and High-Risk Applications, by Industry ###### Figure 7 Distribution of Low-, Medium-, and High-Risk Applications, by Region 12 10 ###### 30 32 **LATAM** **EMEA** 10 11 ###### 30 **EMEA** **APAC** **LATAM** ###### 31 **North** **America** ###### 30 **LATAM** ###### 35 ###### 28 ###### 31 ###### 31 Healthcare Providers 14 ###### 30 56 Technology 10 ###### 32 30 **EMEA** 15 **North** **America** ###### 33 ###### 31 Higher Education 12 ###### 30 58 Travel, Hospitality, and Transportation 15 12 ###### 30 **North** **LATAM** **America** 54 58 K-12 Others **APAC** Manufacturing **Attacker Behavior** Financial Services 16 ###### 28 56 Media and Entertainment Source: Cisco CloudLock Government 10 58 Retail ###### 32 ###### 28 ###### 30 Low Risk Medium Risk High Risk ###### 32 [Download the 2017 graphics at: www.cisco.com/go/acr2017graphics](http://www.cisco.com/go/acr2017graphics) ###### 30 **18** ----- **Cisco 2017 Annual Cybersecurity Report** **Cutting Through the Noise** To identify suspicious user and entity behavior in corporate SaaS platforms, including third-party cloud applications, security teams must sift through billions of user activities to define normal patterns of user behavior in their organization's environment. They must look for anomalies that fall outside those expected patterns. Then they need to correlate suspicious activities to determine what might be a true threat that requires investigation. An example of suspicious activity is excessive login activity from several countries in a short period. Say that normal user behavior in a certain organization is for employees to log in to a specific application from no more than one or two countries per week. If one user starts logging in to that application from 68 countries over the course of one week, a security team will want to investigate that activity to confirm that it is legitimate. According to our analysis, only 1 in 5000 user activities— 0.02 percent—that are associated with connected third-party cloud applications is suspicious. The challenge for security teams, of course, is pinpointing that one instance. Only with automation can security teams cut through the “noise” of security alerts and focus their resources on investigating true threats. The multistage process of identifying normal and potentially suspicious user activities that is described above—and illustrated in Figure 9—hinges on the use of automation, with algorithms applied at every stage. ###### Figure 9 Identifying User Behavior Patterns with Automation (Process) **All User Behavior** **Anomalies** **Suspicious Activities** 0.02% of All Activities 113X Than Average 58% Abnormal Behavior Login Failures 227X 1 Billion User Activities Per Month Than Average 31% Login Activities File Downloads 141X Than Average 11% Admin Actions Data Asset Deletion Source: Cisco CloudLock **S H A R E** **19** **Anomalies** **Suspicious Activities** 0.02% of All Activities **True Threat** 113X Than Average 58% Abnormal Behavior Login Failures 227X 1 Billion User Activities Per Month Than Average 31% Login Activities File Downloads 141X Than Average 11% Admin Actions Data Asset Deletion **Attacker Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** ##### Reconnaissance Weaponization Through the malicious use of email, file attachments, websites, and other tools, attackers transmit their cyberweapons to targets. ###### Disappearance of Major Exploit Kits Presents Opportunities for Smaller Players and New Entrants ###### Figure 10 Exploit Kit Landing Page Blocks, January —November 2016 7407 2016 saw dramatic changes in the exploit kit environment. At the start of the year, Angler, Nuclear, Neutrino, and RIG were clear leaders among exploit kits. By November, RIG was the only one from that group still active. As Figure 10 shows, exploit kit activity dropped off significantly around June. Nuclear was the first to disappear, suddenly ceasing operation in May. Why its authors abandoned it is a mystery. The Neutrino exploit kit, which also left the scene in 2016, relied on Flash files to deliver vulnerabilities. (See Figure 11 on next page for a list of top vulnerabilities in known exploit kits in 2016.) Flash remains an attractive web attack vector for adversaries, but it is likely to become less so over time. Fewer sites and browsers are supporting Flash fully or at all, and there is generally greater awareness about Flash vulnerabilities. (For more on this topic, see “Web Attack Vectors: Flash Is Fading, but Users Must Remain Vigilant,” on page 15.) 1051 [Download the 2017 graphics at: www.cisco.com/go/acr2017graphics](http://www.cisco.com/go/acr2017graphics) **Attacker Behavior** 7K 6K 5K 4K 3K 2K 1K 1051 0 Source: Cisco Security Research **20** ----- **Cisco 2017 Annual Cybersecurity Report** **A Giant Goes Silent** Angler—the most advanced and largest among known exploit kits—also targeted Flash vulnerabilities and was linked to several high-profile malvertising and ransomware campaigns. However, unlike Nuclear and Neutrino’s disappearance, Angler’s departure in 2016 is not a mystery. In late spring, about 50 hackers and cybercriminals were arrested in Russia; the group was linked to the Lurk malware, a banking Trojan that specifically targeted Russian banks.¹⁰ Cisco threat researchers identified clear connections between Lurk and Angler, including the fact that Lurk was being delivered largely through Angler to victims inside Russia. Following the arrests, Angler vanished from the exploit kit marketplace.¹¹ ###### Figure 11 Top Vulnerabilities in Exploit Kits Angler Neutrino (1,2) Magnitude RIG Nuclear Sundown Hunter 2015- 2015- 2015- 2016- 2016- 2016CVE Now that three of the most dominant exploit kits have cleared the field, smaller players and new entrants can expand their market share. And they are becoming more sophisticated and agile. Exploit kits that appeared poised for growth in late 2016 were Sundown, Sweet Orange, and Magnitude. These kits, as well as RIG, are known to target Flash, Silverlight, and Microsoft Internet Explorer vulnerabilities. (See Figure 11.) Uninstalling Flash, and disabling or removing unnecessary browser plugins, will help users reduce the risk that they will be compromised by these threats. Flash Silverlight IE 9-11 IE 10-11 Source: Cisco Security Research **S H A R E** [¹⁰ “Russian Hacker Gang Arrested Over $25M Theft,” BBC News, June 2, 2016: http://www.bbc.com/news/technology-36434104.](http://www.bbc.com/news/technology-36434104) ¹¹ For more on this topic, see the July 2016 Cisco Talos blog post, [Connecting the Dots Reveals Crimeware Shake-Up.](http://blog.talosintel.com/2016/07/lurk-crimeware-connections.html) **21** **Attacker Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** **22** **Attacker Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Investigation Finds 75 Percent of Organizations Affected by Adware Infections Adware, when used for legitimate purposes, is software that downloads or displays advertising through redirections, pop-ups, and ad injections and generates revenue for its creators. However, cybercriminals are also using adware as a tool to help increase their revenue stream. They use malicious adware not only to profit from injecting advertising, but also as a first step to facilitate other malware campaigns, such as DNSChanger malware. Malicious adware is delivered through software bundles; publishers create one installer with a legitimate application along with dozens of malicious adware applications. Bad actors use adware to: - Inject advertising, which may lead to further infections or exposure to exploit kits - Change browser and operating system settings to weaken security - Break antivirus or other security products - Gain full control of the host, so they can install other malicious software - Track users by location, identity, services used, and sites commonly visited - Exfiltrate information such as personal data, credentials, and infrastructure information (for example, a company’s internal sales pages) To assess the scope of the adware problem for enterprises, Cisco threat researchers examined 80 different adware variants. About 130 organizations across verticals were included in our investigation, which took place from November 2015 to November 2016. **23** We categorized the adware into four groups, based on the primary behavior of each component: - **Ad injectors: This adware usually resides in the browser and** can affect all operating systems. - **Browser-settings hijackers: This adware component can** change computer settings to make the browser less secure. - **Utilities: This is a large and growing category of adware.** Utilities are web applications that offer a useful service to users, such as PC optimization. These applications can inject advertising, but their primary purpose is to convince users to pay for the service. However, in many cases, utilities are nothing more than scams and provide no benefits to users. - **Downloaders: This adware can deliver other software,** such as a toolbar. We determined that 75 percent of the organizations in our study were affected by adware infections. ###### Figure 12 Percentage of Organizations with Adware Infections Over the past 12 months ## >75% of organizations investigated have adware infections Source: Cisco Security Research **S H A R E** **Attacker Behavior** Over the past 12 months ## >75% of organizations investigated have adware infections ----- **Cisco 2017 Annual Cybersecurity Report** Figure 13 shows the types of incidents we observed in the organizations included in our investigation. Ad injectors were the primary source of infections. This finding indicates that most of these unwanted applications target web browsers. We have also seen an increase in browser-based infections during the last few years, which suggests adversaries are finding success with this strategy for compromising users. All the adware components we identified during our investigation can place users and organizations at risk for malicious activity. Security teams must recognize the threat that adware infections pose and make sure that users in the organization are fully aware of the risks. For additional information on this topic, see the February [2016 Cisco Security blog post, DNSChanger Outbreak](http://blogs.cisco.com/security/dnschanger-outbreak-linked-to-adware-install-base) [Linked to Adware Install Base.](http://blogs.cisco.com/security/dnschanger-outbreak-linked-to-adware-install-base) ###### Figure 13 Breakdown of Total Incidents by Adware Component 2.0% 1.5% 1.0% 0.5% 0 60% 50% 40% 30% 20% 10% 0% Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Utilities Browser-Settings Hijackers Downloaders Ad Injectors Source: Cisco Security Research [Download the 2017 graphics at: www.cisco.com/go/acr2017graphics](http://www.cisco.com/go/acr2017graphics) **24** **Attacker Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Global Spam Is Increasing—and So Is the Percentage of Malicious Attachments Cisco threat researchers conducted two studies in 2016 using opt-in customer telemetry to estimate what percentage of total email volume is spam. We found that spam accounts for nearly two-thirds (65 percent) of total email volume. Our research also suggests that global spam volume is growing, due primarily to large and thriving spam-sending botnets like Necurs. In addition, we determined through our analysis that ###### Figure 14 IP Blocks by Country, December 2015—November 2016 Germany 414K | 548K France United States 222K | 467K 1351K | 2046K Mexico 214K | 495K Brazil 252K | 587K Dec 2015 Source: Cisco Security Research **S H A R E** about 8 percent to 10 percent of global spam observed in 2016 could be categorized as malicious. From August to October 2016, there was a significant increase in the number of IP connection blocks (Figure 14).¹² This trend can be attributed to an overall rise in spam volume, as well as reputation systems adapting to information about spam senders. as well as reputation systems adapting to information about Necurs. In addition, we determined through our analysis that spam senders. ###### Figure 14 IP Blocks by Country, December 2015—November 2016 Germany 414K | 548K Russia 343K | 352K France United States 222K | 467K 1351K | 2046K Japan China 194K | 286K 903K | 760K Vietnam Mexico 990K | 1684K 214K | 495K Brazil India 252K | 587K 254K | 1662K Dec 2015 Oct 2016 ¹² IP connection blocks are spam messages that are blocked immediately by spam-detecting technology because the spam sender has a bad reputation score. Examples include messages that have originated from known spam-sending botnets or compromised networks that are known to participate in spam attacks. **25** **Attacker Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** The five-year graph from the Composite Blocking List (CBL), a DNS-based “blackhole list” of suspected spamsending computer infections,¹³ also shows a dramatic increase in total spam volume during 2016 (Figure 15). A review of 10-year data from CBL (not shown) suggests that 2016 spam volume is close to the record-high levels seen in 2010. New antispam technologies, and high-profile takedowns of spam-related botnets, have helped to keep spam levels low in recent years. Our threat researchers attribute the recent increase in global spam volume to the Necurs botnet. Necurs is a primary vector for Locky ransomware. It also distributes threats such as the Dridex banking Trojan. Figure 16 is an internal graph generated by Cisco’s SpamCop service that illustrates the change in spam volume observed in 2016. This graph shows the overall size of the SpamCop Block List (SCBL) from November 2015 to November 2016. Each row in the SCBL represents a distinct IP address. Between November 2105 and February 2016, SCBL size hovered below 200,000 IP addresses. In September and October, SCBL size exceeded 400,000 IP addresses before dropping off in October, which our threat researchers attribute to the operators of Necurs simply taking time off. Also note the significant decline in June. At the end of May, there were arrests in Russia related to the Lurk banking Trojan (see page 21). Subsequently, several high-profile threats, including Necurs, went silent. However, 3 weeks later, Necurs was back in action, adding more than 200,000 IP addresses to the SCBL in less than 2 hours. ###### Figure 15 Total Spam Volume 3.5K 3K 2.5K 2K 1.5K 1K 0.5K 0 2012 2013 2014 2015 2016 Source: CBL ###### Figure 16 Overall Size of SCBL 500k 400k 300k 200k 100k 0 Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov 2015 2016 Source: SpamCop **S H A R E** [¹³ For more information about CBL, visit http://www.abuseat.org/.](http://www.abuseat.org/) **26** **Attacker Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** Many of the host IPs sending Necurs spam have been infected for more than 2 years. To help keep the full scope of the botnet hidden, Necurs will send spam only from a subset of infected hosts. An infected host might be used for 2 to 3 days, and then sometimes not again for 2 to 3 weeks. This behavior complicates the job of security personnel who respond to spam attacks. They may believe they have found and successfully cleaned an infected host, but the actors behind Necurs are just biding their time until they launch another attack. Seventy-five percent of total spam observed in October 2016 contained malicious attachments. Most of that spam was sent by the Necurs botnet. (See Figure 17.) Necurs sends malicious .zip attachments that include embedded executable files such as JavaScript, .hta, .wsf, and VBScript downloaders. In calculating the percentage of total spam containing malicious attachments, we count both the “container” file (.zip) and the “child” files within it (such as a JavaScript file) as individual malicious attachments. ###### Figure 17 Percentage of Total Spam Containing Malicious Attachments 80% Patterns with .wsf files during 2016 (see Figure 17) provide an example of how adversaries will evolve malicious spam tactics over time. This file type was rarely used as a malicious attachment before February 2016. Then, the use of this file type begins to grow as the Necurs botnet becomes more active. By July, .wsf files accounted for 22 percent of all malicious spam attachments. This was also around the time that global spam activity increased dramatically (see previous section), an uptick that was due largely to the Necurs botnet. Through August, September, and October, we saw fluctuations in the percentages of .wsf files. This indicates that adversaries were pulling back at times when the file type was being detected more frequently. **Attackers Experiment with Attachment Types to Keep** **Malicious Spam Campaigns Fresh** Our threat researchers examined how adversaries use different types of file attachments to help prevent malicious spam from being detected. What we found is that they are continually evolving their strategies, experimenting with a wide range of file types, and quickly switching tactics when they don’t find success. Figure 17 shows how malicious spam operators experimented with the use of .docm, JavaScript, .wsf, and .hta files during the period observed. As noted earlier, many of these file types are associated with spam sent by the Necurs botnet. (For research related to other file types we examined, see the Appendix on page 78.) Containing Malicious Attachments Contains Malicious .hta 60% 40% Contains Malicious .js Contains Malicious .zip 20% Contains Malicious .docm Contains Malicious .wsf The specific percentages for the different file types in a given month are derived using the percentage of total spam that contained malicious attachments seen in that month. So, for example, in July 2016, .docm files represented 8 percent of the total percentage of malicious attachments observed. **27** 0% Source: Cisco Security Research **Attacker Behavior** **S H A R E** ----- **Cisco 2017 Annual Cybersecurity Report** **Hailstorms and Snowshoes** Two types of malicious spam attacks are especially problematic for defenders: hailstorm attacks and snowshoe attacks. Both employ the elements of speed and targeting, and both are highly effective. Hailstorm attacks target antispam systems. The operators behind these attacks take advantage of the very small window of time between the moment they launch their spam campaign and when antispam systems see it and push coverage out to antispam scanners. Adversaries typically have only seconds or minutes to operate before their campaigns are detected and blocked. The spike in Figure 18 is a hailstorm attack. The activity is shown in the Cisco Investigate interface. Just before the attack, no one was resolving the IP address. Then, suddenly, the number of computers resolving the domain in DNS spiked to more than 78,000 before dropping back down to zero. Contrast the hailstorm attack to a snowshoe spam campaign, also shown in Figure 18, where attackers attempt to fly under the radar of volume-based detection solutions. The number of DNS lookups is steady, but there are only about 25 queries per hour. These low-volume attacks allow adversaries to quietly distribute spam from a large swath of IP addresses. Even though these spam attacks operate differently, they do have things in common. Through either approach, adversaries can: - Use well-configured email systems rather than sloppy scripts or spam bots - Properly set up forward-confirmed reverse DNS and Send Policy Framework (SPF) records - Evade a bad reputation by sending from clean IPs and domains - Emulate marketing mail with professional content and subscription management ###### Figure 18 Comparison of Hailstorm and Snowshoe Spam Attacks **Hailstorm Spam Attack** 78,651 Queries 75,000 50,000 25,000 0 16 18 20 22 24 26 28 30 2 4 6 8 10 12 14 Sep Oct **Snowshoe Spam Attack** 40 20 0 35 Queries 16 18 20 22 24 26 28 30 2 4 6 8 10 12 14 Sep Oct **Date** Source: Cisco Investigate **S H A R E** **28** **Attacker Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** Adversaries can also impair content detection by mutating text and cycling through file types. (For more details on how cybercriminals evolve their threats to evade defenders, see the “Time to Evolve” section on page 34.) For more information on how they experiment with malicious file attachments for spam, see the previous section. ###### Figure 19 Top Threat Outbreak Alerts Figure 19 shows top threat outbreak alerts; this is an overview of the spam and phishing messages that we observed adversaries frequently updating in 2016 in order to bypass email security checks and rules. It is important to know what types of email threats are the most prevalent so that you can avoid being duped by these malicious messages. **Publication** **Publication** **Attachment** **Last Publication** **Version** **Identifier** **Name and URL** **Message Summary** **File Type** **Language** **Date** 96 35656 RuleID4626 Invoice, Payment .zip German, English 04/25/16 87 34577 RuleID10277 Purchase Order .zip German, English 06/02/16 82 36916 RuleID4400KVR Purchase Order .zip English 02/01/16 Purchase Order, 74 38971 RuleID15448 .zip, .gz English 08/08/16 Payment, Receipt Order, Payment, 72 41513 RuleID18688 .zip English 09/01/16 Seminar Purchase Order, 70 40056 RuleID6396 .rar English 06/07/16 Payment, Receipt 66 34796 RuleID5118 Product Order, Payment .zip German, English 09/29/16 Invoice, Payment, English, German, 64 39317 RuleID4626 (cont) .zip 01/28/16 Shipping Spanish Confirmation, Payment/ 64 36917 RuleID4961KVR .zip English 07/08/16 Transfer, Order, Shipping Delivery Notice, Court 63 37179 RuleID13288 .zip English, Spanish 07/21/16 Appearance, Ticket Invoice Shipping, Quote, 61 38095 RuleID858KVR .zip English 08/01/16 Payment Quote Request, English, German, 58 39150 RuleID4961KVR .zip 01/25/16 Product Order Multiple Languages Transfer, Shipping, English, German, 47 41886 RuleID4961 .zip 02/22/16 Invoice Spanish Source: Cisco Security Research [Download the 2017 graphics at: www.cisco.com/go/acr2017graphics](http://www.cisco.com/go/acr2017graphics) **29** **Attacker Behavior** **29** ----- **Cisco 2017 Annual Cybersecurity Report** ##### Reconnaissance Weaponization Once the threat is in position, it installs a back door on a target’s system, providing adversaries with persistent access. ###### Web Attack Methods: “Long Tail” Snapshot Reveals Threats That Users Can Easily Avoid The so-called long tail of the web attack methods spectrum (Figure 20) includes a collection of lower-volume malware types that are employed at a later stage in the attack chain: installation. In this phase, the threat that has been delivered—a banking Trojan, a virus, a downloader, or some other exploit—installs a back door in the target system, providing adversaries with persistent access and the opportunity to exfiltrate data, launch ransomware attacks, and engage in other mischief. The threats listed in Figure 20 are samples of malware signatures found outside the top 50 most commonly observed malware types. The long tail of web attack methods is, essentially, a snapshot of threats that are quietly at work on a machine or system after a successful attack. Many of these infections were first spawned by an encounter with malicious adware or exposure to a wellcrafted phishing scam. These are situations that users can often easily avoid or quickly remediate. **S H A R E** **30** **Attacker Behavior** ###### Figure 20 Sample of Observed Lower-Volume Malware 91 PUA and Suspicious Binaries 36 Heuristic 16 Worm (Allaple) 14 Trojans Downloader (HTML) 10 Trojans Downloader (JS) 9 Trojans (Agent) 7 Trojans Downloader (VBS) 7 5 5 3 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 Backdoor (Java) Trojans (Locky) Heuristic (CVE-2013-0422) Virus (Replog) Trojans (Win32) Virus (Fas) Trojans Downloader Malware (Small) Trojans (Cryptodef) Backdoor (Farfli) Backdoor (Gbot) Linux (Veribak) Browser Redirection Trojans (JSRedir) Trojans Downloader (Upatre) Trojans Downloader (Win32) Backdoor (NuPrader) Trojans (Shifu) Trojans (Zbot) Trojans (Yakes) Trojans (Scar) Trojans (Reconyc) Trojans (Crypt) Trojans (Crypmod) Trojans (Bitman) Trojans (Deshacop) Source: Cisco Security Research ----- **Cisco 2017 Annual Cybersecurity Report** ###### Vertical Risk of Malware Encounters: Attackers See Value Across the Board [In the Cisco 2016 Midyear Cybersecurity Report, a key](http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html) message about the risk of malware was that “no vertical is safe.” Judging from our researchers’ periodic examination of attack traffic (“block rates”) and “normal” or expected traffic by industry, this message held true in the latter half of the year. ###### Figure 21 Percentage of Monthly Vertical Block Rates In looking at verticals and their block rates over time (Figure 21), we see that, at some point over the course of several months, every industry has been subject to attack traffic and at varying levels. It’s clear that as attacks rise and fall, they affect different verticals at different times— but none are spared. 40% 20% 0% 40% 20% 0% 40% 20% 0% 40% 20% 0% 40% 20% 0% 40% 20% 0% 40% 20% 0% 40% 20% 0% 40% 20% 0% **Media and Publishing** **Retail and Wholesale** 40% 20% 0% **Accounting** **Agriculture and Mining** **Automotive** **Aviation** **Banking and Finance** **Energy, Oil, and Gas** **Government** 40% 20% 0% 40% 20% 0% **Engineering and Construction** 40% 20% 0% **Healthcare** 40% 20% 0% **Charities and NGOs** 40% 20% 0% **Electronics** 40% 20% 0% **Food and Beverage** 40% 20% 0% **Industrial** 40% 20% 0% **Manufacturing** 40% 20% 0% **Real Estate and Land Mgmt.** 40% 20% 0% **Utilities** **Attacker Behavior** 40% 20% 0% 40% 20% 0% 40% 20% 0% 40% 20% 0% **Education** **Entertainment** **Heating, Plumbing, and A/C** **Insurance** **IT and Telecommunications** **Legal** 40% 20% 0% 40% 20% 0% 40% 20% 0% **Pharmaceutical and Chemical** 40% 20% 0% **Transportation and Shipping** **Travel and Leisure** **Professional Services** Source: Cisco Security Research **S H A R E** **31** ----- **Cisco 2017 Annual Cybersecurity Report** **Regional Overview of Web Block Activity** Adversaries frequently shift their base of operation, searching for weak infrastructure from which they can launch their campaigns. By examining overall Internet traffic volume and block activity, Cisco threat researchers can offer insight on where malware is originating. As Figure 22 shows, traffic from the United States [edged up slightly from the block rates seen in the Cisco](http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html) _[2016 Midyear Cybersecurity Report. The United States](http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html)_ ###### Figure 22 Web Blocks by Country **Expected Ratio: 1.0** France 0.87 Canada 2.11 United States 1.20 Italy 1.22 Belize 1.54 Panama 1.46 1.15 Venezuela Peru 1.43 Chile 0.83 Romania Source: Cisco Security Research **S H A R E** **32** houses the far greater share of blocks, but this should be considered a function of the country’s far greater share of online traffic. In addition, the United States is one of the world’s largest targets of malware attacks. The takeaway for security professionals: Much like the vertical web block activity, the regional web block activity shows that malware traffic is a global problem. [edged up slightly from the block rates seen in the Cisco](http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html) shows that malware traffic is a global problem. _[2016 Midyear Cybersecurity Report. The United States](http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html)_ ###### Figure 22 Web Blocks by Country **Expected Ratio: 1.0** 3.88 Germany 0.94 Russia France 0.87 Canada 2.11 1.47 Ukraine United States 1.20 Italy 1.22 1.31 China Belize 1.54 1.07 Vietnam Panama 1.46 1.15 Venezuela 2.84 Indonesia Peru 1.43 1.60 Australia 1.00 Turkey Chile 0.83 Malaysia 3.52 Romania 2.77 ----- **Cisco 2017 Annual Cybersecurity Report** ###### Time to Detection: An Essential Metric for Measuring Defenders’ Progress Cisco is continually refining our approach to measuring TTD so that we can ensure we are tracking and reporting the most accurate estimate of our median TTD. Recent adjustments to our approach have increased our visibility into files that were categorized as “unknown” when first seen and then later identified as “known bad” after continuous analysis and global observation. With a more holistic view of data, we are better able to pinpoint when a threat first emerged and exactly how long it took for security teams to determine that it was a threat. This new insight helped us to determine that our median TTD was 39 hours in November 2015. (See Figure 23.) By January 2016, we had reduced the median TTD to 6.9 hours. After collecting and analyzing data for October 2016, our threat researchers determined that Cisco products had achieved a median TTD of 14 hours for the period from November 2015 to October 2016. (Note: The median TTD figure for 2016 is the average of the medians for the period observed.) The median TTD fluctuated throughout 2016 but trended downward overall. Increases in the median TTD indicate times when adversaries launched a wave of new threats. The subsequent decreases reflect periods where defenders gained the upper hand and could identify known threats quickly. Reviewing retrospective data is important not only for determining a more accurate measure of our median TTD, but also for studying how threats evolve over time. Numerous threats in the landscape are particularly evasive and can take a long time to identify even though they are known to the security community. Adversaries will evolve certain malware families to avoid detection and increase their time to operate. This tactic hinders defenders’ progress in gaining, and then maintaining, an edge in detecting many types of known threats. (For more on this topic, see “Time to Evolve: For Some Threats, Change Is Constant,” page 34). However, the fact that cybercriminals are evolving their threats frequently and rapidly indicates that they are facing intense and constant pressure to find ways to keep their threats operating and profitable. 15.19 ###### Figure 23 Median TTD by Month 40 30 39.16 18.22 Figure 23 also shows that the median TTD was about 15 hours by the end of April 2016, which is greater than the 13-hour figure we reported in the Cisco 2016 Midyear _Cybersecurity Report.¹⁴ That 15-hour figure is based on data_ collected from November 2015 through April 2016. It was not derived using our modified approach to analyzing more detailed retrospective information about files. Using the new midyear TTD figure, we can report that TTD declined to about 9 hours for the period from May through October 2016. 20 10 8.11 8.58 6.89 8.48 0 Source: Cisco Security Research _Cisco defines “time to detection,” or TTD, as the window of time between a compromise and the detection of_ _a threat. We determine this time window using opt-in security telemetry gathered from Cisco security products_ _deployed around the globe. Using our global visibility and a continuous analytics model, we are able to measure_ _from the moment malicious code runs on an endpoint to the time it is determined to be a threat for all malicious_ _code that was unclassified at the time of encounter._ [¹⁴ Cisco 2016 Midyear Cybersecurity Report: http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html.](http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html) 6.48 6.05 **Attacker Behavior** **33** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Time to Evolve: For Some Threats, Change Is Constant Cybercriminals use various obfuscation techniques to keep their malware strong and profitable. Two common methods they employ are evolving their payload delivery types and quickly generating new files (defeating hash-only detection methods). Our researchers closely examined how adversaries have used these two strategies to help six well-known malware families—Locky, Cerber, Nemucod, Adwind RAT, Kryptik, and Dridex—evade detection and continue compromising users and systems. Through our analysis, we sought to measure the “time to evolve” (TTE): the time it takes adversaries to change the way specific malware is delivered and the length of time between each change in tactics. We analyzed web attack data from different Cisco sources—specifically, web proxy data, cloud and endpoint advanced malware products, and composite antimalware engines. Our researchers looked for changes in file extensions delivering the malware and the file content (or MIME) type as defined by a user’s system. We determined that each malware family has a unique pattern of evolution. For each family, we examined the patterns in both web and email delivery methods. We also tracked the ages of unique hashes associated with each malware family to determine how quickly adversaries are creating new files (and thus, new hashes). Through our research, we learned that: - Ransomware families appear to have a similar rotation of new binaries. However, Locky uses more file extension and MIME combinations to deliver its payload. - Some malware families employ only a handful of file delivery methods. Others use 10 or more. Adversaries tend to use effective binaries over long periods. In other cases, files pop up and then drop off quickly, indicating that the malware authors are under pressure to switch tactics. - The Adwind RAT and Kryptik malware families have a higher median TTD. (For more on TTD, see page 33.) We also see a greater mix of file ages for these families. This suggests that adversaries reuse effective binaries that they know are difficult to detect. - Looking at the file ages for the Dridex malware family, it appears that the shadow economy may be abandoning use of this once-popular banking Trojan. In late 2016, detection volume for Dridex declined, as did the development of new binaries to deliver this malware. This trend suggests that the malware’s authors no longer see value in evolving this threat—or that they have found a new way to package the malware that has made it harder to detect. **Attacker Behavior** **34** ----- **Cisco 2017 Annual Cybersecurity Report** **TTE and TTD** The six malware families we analyzed in our TTE study are listed in Figure 24. The chart depicts the median TTD for the top 20 malware families (by detection count) that our researchers observed from November 2015 to November 2016. Our average median TTD for that period was about 14 hours. (For details on how we calculate TTD, see page 33.) Old and pervasive threats that adversaries don’t bother to evolve much, or at all, are also typically detected below the median TTD. Examples include malware families like Bayrob (botnet malware), Mydoom (a computer worm that affects Microsoft Windows), and Dridex (the banking Trojan). In the following sections, we present research highlights on TTE and TTD for the Locky, Nemucod, Adwind RAT, and Kryptik malware families. Detailed findings for Cerber and Dridex are included in the Appendix on page 78. Many of the malware families that Cisco products are detecting within the median TTD are industrialized threats that spread quickly and are therefore more prevalent. Cerber and Locky, which are both types of ransomware, are examples. ###### Figure 24 TTD Medians of Top Malware Families (Top 20 Families by Detection Count) 35 30 25 20 15 10 5 0mydoom hancitorcerber adnel mamianune zbot adwind zusy razy upatre 0 5 10 15 20 25 30 35 40 45 50 |Col1|Col2|Col3|n|emucod|Col6|Col7|Col8|Col9|Col10|Col11| |---|---|---|---|---|---|---|---|---|---|---| ||bayrob|||||||||| |||||||||||| |||||||||||| |||||||||||| ||docdl locky drid|ex||||||||| |insi ydoom ce|ght don rber|off fareit mamianune|||mabezat a zbot|dwind zusy|razy|kryptik||upatre| |hancitor adnel 0 5 10|||15 20 25 30 35 40 45 5|||||||| Cisco Average TTD **Median TTD Hours** Source: Cisco Security Research **S H A R E** **35** **Attacker Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** **TTE Analysis: Locky** Through our TTE research, we learned that Locky and Cerber employ a limited number of file extension and MIME combinations to deliver malware through the web or by email. (See Figure 25.) We observed several combinations that included file content types related to Microsoft Word (msdownload, ms-word). However, the associated file extensions (.exe and .cgi) did not point back to a Word file. We also identified content types that pointed to malicious .zip files. Both Locky and Cerber also appear to use new binaries frequently as an attempt to evade file-based detection. File ages for the Locky malware family are shown in Figure 26. ###### Figure 25 File Extension and MIME Combinations for the Family of Threats and Indicators That Lead to and Include the Locky Payload (Web and Email Vectors) The top half of the chart depicts the ages of files that were observed during a specific month. The bottom portion of the chart shows monthly changes in the volume of Lockyrelated hashes, both new and previously observed files. In Figure 26, also note the decline in volume in June as well as the distribution of file ages. The Necurs botnet, which was known to deliver Locky, was taken down in June. This likely sidelined the malware authors’ efforts to keep the malware fresh during that month. However, it’s clear that they recovered quickly. By July, the malware had returned to its more standard mix of file ages with the majority (74 percent) being less than a day old when first detected. ###### Figure 26 Hash Ages for the Locky Malware Family and Percent of Total Hash Volume Observed Per Month **Unique Vectors** doc & application/msword exe & application/msdownload no extension & text/plain exe & application/msdos-prog... xls & application/vnd.ms-excel js & text/plain zip & application/zip doc & text/plain 100% 75% 50% 25% no extension & application/zip aspx & application/zip jsp & application/zip lib & text/plain no extension & application/dosexec rar & application/x-rar js & text/html php & application/zip rtf & application/msword docm & application/vnd.open... no extension & application/vnd... no extension & application/ms-wo... cgi & application/ms-word.doc... wsf & text/html doc & application/vnd.open... wsf & application/xml no extension & application/vnd... js & text/javascript xls & application/vnd.openxml... vbs & text/plain 0% Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 10% 5% 0% Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Source: Cisco Security Research Email Web Source: Cisco Security Research **S H A R E** **36** **Attacker Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** The rapid cycling of binaries for this ransomware is not surprising. Instances of Locky and Cerber are often detected either on the same day they are introduced or within 1 to 2 days after, making it imperative for adversaries to evolve these threats continually if they want them to remain active and effective. (Figure 24, discussed earlier, shows that Cisco products detected both Locky and Cerber ransomware within the median TTD in 2016.) 120 100 80 60 40 20 ###### Figure 27 TTD for the Locky Malware Family 116.1 Figure 27 shows the median TTD for Locky ransomware, which declined dramatically from about 116 hours in November 2015 to just under 5 hours in October 2016. **37** **Attacker Behavior** 0 Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Source: Cisco Security Research ----- **Cisco 2017 Annual Cybersecurity Report** **TTE Analysis: Nemucod** In 2016, Nemucod was the most frequently detected malware among the top 20 families shown in Figure 24. Adversaries use this downloader malware to distribute ransomware and other threats, such as backdoor Trojans that facilitate click fraud. Some variants of Nemucod also serve as engines for delivering the Nemucod malware payload. ###### Figure 28 File Extension and MIME Combinations for Nemucod (Web and Email Vectors) One reason Nemucod malware was so prevalent in 2016, according to our threat researchers, is that its authors frequently evolved this threat. Cisco identified more than 15 file extension and MIME combinations associated with the Nemucod family that were used to deliver malware through the web. Many more combinations were used to deliver the threat to users through email (Figure 28). Several file extension and MIME combinations (web and email) were designed to point users to malicious .zip files or archives. Adversaries also reused many combinations during the months we observed. **Unique Vectors** js & application/javascript html & text/html zip & application/zip no extension & application/zip zip & application/x-zip-comp... html & application/zip php & application/zip zip & text/plain js & text/plain js & text/x-pascal js & text/javascript dat & application/vnd.ms-tnef rar & application/x-rar aspxx & application/zip xls & application/zip aspx & application/zip cgi & application/zip wsf & text/html no extension & application/archive html & application/archive cgi & application/archive js & text/x-makefile js & text/x-c jsp & application/zip no extension & text/html jse & text/plain zip & application/archive lib & text/plain lib & text/x-makefile lib & text/x-c lib & text/x-pascal gif & application/zip jpg & application/zip pdf & application/zip docx & application/zip tiff & application/zip zip & application/x-rar wrn & text/plain wrn & text/x-c wrn & text/x-pascal vbs & text/plain js & text/html tgz & application/x-gzip wsf & application/xml docx & application/vnd.open... doc & application/zip rar & application/zip php & application/javascript zip & application/x-gzip cab & application/vnd.ms-cab... hta & text/html asp & application/zip cgi & audio/wav hta & application/zip Source: Cisco Security Research As Figure 29 shows, many Nemucod hashes are less than 2 days old when they are detected. In September and October 2016, almost every binary related to the Nemucod family that was blocked was less than a day old. ###### Figure 29 Hash Ages for the Nemucod Malware Family and Percent of Total Hash Volume Observed Per Month 100% 75% 50% 25% 0% 50% Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 25% 0% Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Source: Cisco Security Research ###### Figure 30 TTD for the Nemucod Malware Family 85.0 80 60 40 20 0 46.3 21.8 13.9 7.3 Email Web Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Source: Cisco Security Research **38** **Attacker Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** **TTE Analysis: Adwind RAT** Cisco threat researchers found that Adwind RAT (remote access Trojan) malware is delivered through file extension and MIME combinations that include .zip or .jar files. This is true whether the malware is being delivered through the email or web attack vector. (See Figure 31.) Adwind RAT used a wide range of hash ages throughout most of the period observed in 2016, except during September and October, when most files seen were 1 to 2 days old (Figure 32). ###### Figure 31 File Extension and MIME Combinations for Adwind RAT (Web and Email Vectors) **Unique Vectors** We also found that the median TTD for Adwind RAT is consistently higher than the median TTD for other malware families we analyzed (Figure 33). The malware’s authors have apparently developed hard-to-detect delivery mechanisms that keep Adwind RAT successful. Therefore, they don’t need to rotate through new hashes as frequently or as rapidly as the actors behind other malware families do. The Adwind Trojan is also known by other names, such as JSocket and AlienSpy. ###### Figure 32 Hash Ages for the Adwind RAT Malware Family and Percent of Total Hash Volume Observed Per Month 100% 75% jar & application/java-archive jar & application/zip jar & application/archive zip & application/zip no extension & application/archive no extension & application/zip class & application/x-java-applet 50% 25% Email Web Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Source: Cisco Security Research [Download the 2017 graphics at: www.cisco.com/go/acr2017graphics](http://www.cisco.com/go/acr2017graphics) 0% 1.5% 1% 0.5% 0% Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Source: Cisco Security Research ###### Figure 33 TTD for the Adwind RAT Malware Family 80 60 40 20 0 70.7 30.0 25.3 16.2 13.0 Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Source: Cisco Security Research **39** **Attacker Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** **TTE Analysis: Kryptik** Kryptik, like Adwind RAT malware, had a median TTD that was consistently higher (about 20 hours) than other malware families Cisco analyzed for the TTE study from November 2015 through October 2016 (Figure 36). However, by October, Cisco products had reduced the median TTD window for Kryptik malware to less than 9 hours (Figure 36). The Kryptik malware family also used a wider range of hash ages than the other malware families we analyzed, particularly during the first half of 2016. The ability of Kryptik’s authors to rely on older hashes for so long indicates that defenders had trouble detecting this malware type. During the period that we observed, Kryptik’s authors employed a wide range of payload delivery methods through the web attack vector. The authors used JavaScript files and archive files such as .zip files in file extension and MIME combinations for both web and email. (See Figure 34.) Some of the combinations date back to 2011. ###### Figure 34 File Extension and MIME Combinations for Kryptik (Web and Email Vectors) In our analysis of the six malware families, we find that adversaries must shift tactics frequently to take advantage of the small window of time during which their threats can operate successfully. These adjustments indicate that defenders are getting better at detecting known malware quickly, even after a threat has evolved. Attackers are under pressure to find new ways to avoid detection and keep their campaigns profitable. In this complex landscape of rapid evolution, where all malware families behave differently, human expertise and point solutions are not enough to identify and respond quickly to threats. An integrated security architecture that provides real-time insight into threats, along with automated detection and defense, is essential for improving TTD and ensuring swift remediation when infections occur. ###### Figure 35 Hash Ages for the Kryptik Malware Family and Percent of Total Hash Volume Observed Per Month 50% 25% 100% 75% **Unique Vectors** 0% 2% 1% 0% Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 js & application/javascript gif & image/gif jpg & image/jpeg html & text/html js & text/javascript no extension & text/html htm & text/html php & text/html ico & text/html png & image/png zip & application/x-zip-comp... zip & application/zip Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Source: Cisco Security Research exe & application/msdownload doc & application/msword no extension & application/exe no extension & application/zip js & text/plain rar & application/x-rar scr & application/x-dosexec exe & application/x-dosexec jar & application/zip gif & text/html no extension & application/archive vbs & text/plain asp & text/html no extension & application/java... php & application/exe tbz2 & application/x-rar Source: Cisco Security Research ###### Figure 36 TTD for Kryptik Malware Family 80 60 40 20 0 63.7 22.4 55.1 34.4 8.7 Email Web Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Source: Cisco Security Research **40** **Attacker Behavior** ----- # Defender Behavior ----- **Cisco 2017 Annual Cybersecurity Report** ### Defender Behavior ###### Vulnerabilities on the Decline in 2016 In the second half of 2016, vendor-disclosed vulnerabilities dropped significantly from 2015, according to our research [(Figure 37). The National Vulnerability Database shows](https://nvd.nist.gov/) a similar decline. The reasons for the drop in disclosed vulnerability advisories are not entirely clear. It should be noted that 2015 was an unusually active year for vulnerabilities, so the 2016 numbers may reflect a normal pace of vulnerability advisories. From January to October 2015, total alerts reached 7602. During the same time period in 2016, total alerts reached 6380; during this period in 2014, total alerts were 6272. The high number of vulnerability reports in 2015 may indicate that vendors were looking more closely at existing products and code, more carefully implementing secure development lifecycle (SDL) practices, and identifying vulnerabilities and subsequently fixing them. The decline in reported vulnerabilities may indicate that these efforts are paying off. That is, vendors are now focusing on identifying vulnerabilities and correcting them before products reach the market. In 2016, Apple was the vendor showing the most dramatic decline in vulnerabilities: The company reported 705 vulnerabilities in 2015, and 324 vulnerabilities in 2016 (a 54 percent decline). Similarly, Cisco reported 488 vulnerabilities in 2015, and 310 in 2016 (a 36 percent decline). A concern among security researchers is that “vulnerability fatigue” may be setting in among security professionals. In recent months, there has not been a major vulnerability announcement that sent shock waves through the industry, as Heartbleed did in 2014. In fact, the hype around “named” vulnerabilities such as Heartbleed and the increase in 2015 likely contributed to the level of fatigue— or, at least, to less interest in reporting vulnerabilities. ###### Figure 37 Cumulative Annual Alert Totals 9K 8K 7K 6K 5K 4K 3K 2K 1K 0 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec 2013 2014 2015 2016 |Col1|Col2|Col3|Col4|Col5|Col6|Col7|Col8|Col9|Col10|Col11|Col12|Col13|Col14|Col15|Col16|Col17|Col18|Col19|Col20|Col21|Col22|Col23|Col24|Col25|Col26|Col27|Col28|Col29|Col30|Col31|Col32|Col33|Col34| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| ||||||||||||||||||||||||||||||||||| |5976|||||||||||||||||||||||||||6380||||||| |4969|||||||||||||||||||||5483||||||||||||| |4407 3811|||||||||||||||||||||||||||||||||| |2992|||||||||||||||||||||||||||||||||| |2193|||||||||||||||||||||||||||||||||| |1327|||||||||||||||||||||||||||||||||| |634|||||||||||||||||||||||||||||||||| Source: Cisco Security Research **42** **Defender Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 38 Critical Vulnerability Advisories by Vendor and Type Microsoft Adobe Cisco TPS ICS VMware Apple Apache Oracle HP ###### 174 162 28 25 10 8 5 3 3 3 Source: National Vulnerability Database (NVD) Cisco is now using severity/impact ratings (SIRs), in which the rating levels are “critical,” “high,” “medium,” and “low.” The ratings reflect a simplified prioritization of scores from the Common Vulnerability Scoring System (CVSS). In addition, Cisco has adopted CVSS v3.0, the successor to CVSS v2.0. Because of this change, some vulnerabilities may have higher scores than before, so security professionals may see a small increase in vulnerabilities that are rated “critical” and “high,” instead of “medium” and “low.” For more information about this scoring change, read the Cisco Security blog post, [The Evolution of Scoring Security Vulnerabilities: The Sequel.](https://blogs.cisco.com/security/cvssv3-study) In the Cisco 2017 Security Capabilities Benchmark Study (page 49), security professionals indicated a slight decrease in their agreement about security operationalization. This decrease may be connected to “fatigue” about the need to continually implement upgrades and patches. For example, in 2016, 53 percent of security professionals said they strongly agreed that they review and improve security practices regularly, formally, and strategically; in 2014 and 2015, 56 percent strongly agreed. Of course, a decline in vulnerabilities should not lead to overconfidence about the threat landscape: No one should adopt the mindset that attention to threats can lapse, even in the absence of high-profile vulnerabilities. As we’ve advised in past reports, security professionals should make a concerted effort to prioritize patches. If a lack of staffing and other resources prevents the timely installation of all available patches, evaluate which ones are most critical to network safety, and place those at the top of the to-do list. [Download the 2017 graphics at: www.cisco.com/go/acr2017graphics](http://www.cisco.com/go/acr2017graphics) ###### Figure 39 Selected Critical Vulnerability Advisories **Advisory Title** **Date Issued** Adobe Acrobat and Acrobat Reader memory corruption code execution vulnerability Adobe Acrobat and Acrobat Reader memory corruption remote code execution vulnerability Adobe Acrobat and Acrobat Reader memory corruption vulnerability Adobe Acrobat and Acrobat Reader integer overflow vulnerability Adobe Acrobat and Acrobat Reader memory corruption remote code execution vulnerability Adobe Acrobat and Acrobat Reader memory corruption vulnerability Adobe Acrobat and Acrobat Reader memory corruption vulnerability Adobe Acrobat and Acrobat Reader memory corruption vulnerability Adobe Acrobat and Acrobat Reader memory corruption vulnerability Adobe Acrobat and Acrobat Reader memory corruption vulnerability Source: Cisco Security Research Jul 28, 2016 Jul 28, 2016 Jul 21, 2016 May 23, 2016 Feb 08, 2016 Jul 28, 2016 Jul 18, 2016 Jun 23, 2016 May 24, 2016 May 23, 2016 The advisories listed above are selected 2016 critical-rated vulnerabilities that were reported by multiple sources to have exploit code publicly available or to be actively exploited in the wild. **43** **Defender Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** **Server and Client Vulnerabilities** [As discussed in the Cisco 2016 Midyear Cybersecurity](http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html) _[Report, adversaries are finding space and time to](http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html)_ operate within server-side solutions. By launching attacks within server software, they can potentially gain control of more network resources, or move laterally among other critical solutions. Cisco researchers have tracked client and server vulnerabilities by vendor (Figure 40). ###### Figure 40 Client-Server Vulnerabilities Breakdown, 2015—2016 Server Vulnerabilities (From 2332 to 3142) Client Vulnerabilities (From 2300 to 2106) Network Vulnerabilities (From 501 to 396) ###### 34% 8% 20% Source: National Vulnerability Database ###### Figure 41 Vulnerabilities Found in Middleware Libraries ###### Middleware: Adversaries See Opportunity in Unpatched Software [In the Cisco 2016 Midyear Cybersecurity Report, we](http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html) shared data about attacks against server-side systems. In 2017, middleware, which connects platforms or applications, is poised to attract attackers seeking places to operate where defenders are slow to react or recognize a threat. Cisco researchers, while looking for vulnerabilities in third-party software, discovered an average of 14 new vulnerabilities in software per month. Most of those vulnerabilities (62) were attributable to the use of middleware. Of those 62 vulnerabilities, 20 were found within code that handles PDFs; 12 were found in code that handles images; 10 were found in code for common office productivity solutions; nine were found in code for compression; and 11 were found in other libraries (Figure 41). Vulnerabilities in middleware pose a unique security threat because their libraries are not usually updated as rapidly as software that is more client-facing—that is, software that users interact with directly on a day-to-day basis, such as productivity solutions. Middleware libraries may be left out of software audits, so vulnerabilities remain in place. PDF ###### 20 Source: Cisco Security Research **S H A R E** Image ###### 12 Office ###### 10 Compression ###### 9 Other ###### 11 **44** **Defender Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** Organizations may gamble on middleware being safe and may place greater attention on updating high-profile solutions. But they can lose the bet that adversaries won’t seek entry to networks through these low-profile pathways. Middleware thus becomes a security blind spot for defenders and an opportunity for attackers. The challenge of updating middleware libraries closely relates [to the open-source software problem (discussed in the Cisco](http://www.cisco.com/web/offers/lp/2015-midyear-security-report/index.html) _[2015 Midyear Security Report), since many middleware](http://www.cisco.com/web/offers/lp/2015-midyear-security-report/index.html)_ solutions come from open-source developers. (However, the problem at hand can affect both open-source and proprietary middleware developers.) Therefore, middleware libraries may rely on many developers to keep them updated. On the list of tasks that an overtaxed IT or security team needs to manage, middleware library updates may not be a top priority, but they should be given greater attention. What is the potential impact of a middleware vulnerability that is exploited by adversaries? Given the connections between middleware and other crucial systems, such as email or messaging, an attacker could move laterally into these systems and send phishing messages or spam. Or attackers could masquerade as authorized users and abuse trust relationships between users to gain further access. To avoid becoming the victim of an attack launched through a middleware vulnerability, you should: - Actively maintain a list of known dependencies and libraries in the applications you use - Actively monitor the security of these applications, and mitigate risks as much as possible - Insert a service-level agreement in contracts with software vendors for providing patches in a timely manner - Routinely audit and review software dependencies and library use - Ask software vendors for details on how they maintain and test their products In short: Delays in patching increase the operational space for attackers and allow them more time to gain control of critical systems. In the next section, we discuss this impact and trends in the patching of common productivity solutions such as web browsers. ###### Time to Patch: Closing the Recovery Time Frame Many users do not download and install patches in a timely manner. Adversaries can use these unpatched vulnerabilities to gain entry to networks. In our latest research, we find that the key to encouraging users to download and install patches may rest in the cadence of software updates from vendors. A security patch release is a clear indication to attackers that there is a vulnerability worth exploiting. Although sophisticated attackers have likely been exploiting the vulnerabilities for some time, the notification of a patch tells many others that it’s open season on the earlier versions. When software vendors release new versions on a regular schedule, users become conditioned to downloading and installing updates. Conversely, when vendor upgrade releases are erratic, users are less likely to install them. They will continue to operate outdated solutions that may contain exploitable vulnerabilities. Other behaviors that affect the upgrade cycle include: - How disruptive the reminder experience is - How easy it is to opt out - How often the software is used There are varying windows of time in which users are likely to install an upgrade when it is released by the vendor. Our researchers looked at the installations of software on the endpoints used by our customers. Their software fell into three categories: - **New versions: The endpoint ran the newest available version** of the software - **Recent versions: The endpoint ran one of the previous three** versions of the software, but not the newest - **Old versions: The endpoint ran software that was more than** three versions behind the current release As an example, if a software vendor released version 28 on January 1, 2017, version 28 would be new; version 26 would be recent; and version 23 would be old. (The figures on the next page contain callouts of the weekly time periods where one or more versions of the software were released.) **45** **Defender Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** In examining users of Adobe Flash (Figure 42), we found that, within the first week of an update release, nearly 80 percent of users install the software’s latest version. In other words, it takes only about one week for the user population to get up to speed with the latest version. This one-week “recovery” period represents hackers’ window of opportunity. In looking at late Q4 2015 in the Adobe Flash graphic, we see a sharp drop in the number of users on the newest version of the solution. In the time period we examined, Adobe released five versions of Flash in quick succession, representing a mix of functionality additions, bug fixes, and security updates. Such a flurry of updates may confuse users. They may question whether they need to download so many updates; they can become fatigued by the number of upgrade notifications; and they may think they’ve already downloaded a crucial update and can ignore new notifications. No matter what drives their lack of interest in installing an update, it’s bad news for defenders. In examining upgrades for the Google Chrome web browser, we see a different pattern. It reflects a regular cadence of upgrades, as well as a strong opt-out policy that makes it difficult for users to ignore update notifications. As seen in Figure 42, endpoints running the newest version stay relatively steady over the course of many weeks. The Chrome data shows that users recover relatively quickly. In the case of regular updates, one week is roughly the recovery timeline. In one span of 9 weeks running through Q2 and Q3 of 2016, however, there were seven updates. During this time the population recovered, but upgrade fatigue began to set in. The percentage of users staying with an older version steadily climbs despite the majority of the population recovering. Mozilla’s Firefox browser also offers updates on a regular schedule, but the recovery period after an update is released appears to take as long as a month. That is, users do not download and install updates as frequently as Chrome users do. One reason may be that some users might not use the browser regularly and therefore aren’t seeing and downloading updates. (See Figure 43 on next page.) ###### Figure 42 Time to Patch for Adobe Flash and Google Chrome **Adobe** **Flash** Outdated Versions: Week: **Google** **Chrome** Outdated Versions: Week: 0 5 10 15 20 25 30 35 40 45 50 55 May 2015 Update Released Low High Adoption of Latest Update 63% 69% 83% 67% 99% 94% 88% 67% 70% 68% 76% 77% 94% 88% 80% 88% 94% 94% 92% 82% 86% 93% 78% 0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 May 2015 8% 63% 48% 87% 54% 94% 97% 70% 95% 98% 94% 97% 54% 98% 97% 98% 98% Source: Cisco Security Research **S H A R E** **46** **Defender Behavior** ----- **Cisco 2017 Annual Cybersecurity Report** We found that Firefox updated its versions about every other week, with the frequency of updates increasing over the course of the observation period. This increase in frequency is reflected in the growth of old Firefox versions within the population. The recovery time is roughly 1.5 weeks, but the times overlap. The population that tries to stay current drops to as little as 30 percent of the user base. At some point, two-thirds of the users have resorted to simply running the browser more than four versions behind the most current one. So, although Firefox is rapidly addressing issues and fixing bugs, the user base is not updating and restarting on the same frequency. For software, the level of use seems to also be an indicator of its vulnerability. When users do not access software often and therefore aren’t aware of the need to patch and upgrade it, the ignored software provides space and time for attackers to operate. We can see this in the research on Microsoft Silverlight, which shows a recovery period of as long as 2 months ###### Figure 43 Time to Patch for Firefox, Silverlight, and Java **Firefox** for users to install upgrades after a release. At one point, there were two releases within 5 weeks, which affected the user population for more than 3 months, as can be seen between Q4 of 2015 and Q1 of 2016. Microsoft announced the end of life of Silverlight in 2012, although patches and bug fixes are still being released. However, it poses the same problem that Internet Explorer does: Outdated and unpatched software invites attackers to easily exploit it. The recovery period for Java users shows that most are running versions of the software that are one to three versions behind the most recent release. The time to recovery is about 3 weeks. An unusual pattern with Java is that the dominant populations are those that use recent versions. The Java update cycle is from 1 to 2 months. The overall lesson from time-to-patch cycles is that upgrade release patterns are a contributing factor in user security posture, which can place networks at risk. Outdated Versions: 99% 93% 93% 95% 97% 94% 94% 87% 98% 98% 99% 94% 92% 96% 94% 99% 96% 93% 97% 99% 99% 97% 94% 92% 99% 88% 95% 85% Week: 0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 May 2015 **Silverlight** Outdated Versions: Week: **Java** Outdated Versions: 26% 88% 93% 91% 0 5 10 15 20 25 30 35 40 45 50 55 May 2015 84% 99% 93% 99% 96% 91% 98% 97% 99% 98% Week: 0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 May 2015 Update Released Low High Adoption of Latest Update Source: Cisco Security Research [Download the 2017 graphics at: www.cisco.com/go/acr2017graphics](http://www.cisco.com/go/acr2017graphics) **47** **Defender Behavior** ----- # Cisco 2017 Security Capabilities Benchmark Study ----- **Cisco 2017 Annual Cybersecurity Report** ### Cisco 2017 Security Capabilities Benchmark Study ##### To gauge the perceptions of security professionals on the state of security in their organizations, Cisco asked chief security officers (CSOs) and security operations (SecOps) managers in several countries and at organizations of various sizes about their perceptions of their own security resources and procedures. The Cisco 2017 Security Capabilities Benchmark Study offers insights on the maturity level of security operations and security practices currently in use, and also compares these results with those of the 2016 and 2015 reports. The study was conducted across 13 countries with more than 2900 respondents. Security professionals want to make their organizations more secure, but in a way that responds to the complex attacker landscape and their adversaries’ efforts to expand their operational space. Many organizations are relying on many solutions from many vendors. This tactic adds to the complexity and confusion of securing networks as the Internet continues to grow in terms of speed, connected devices, and traffic. Organizations need to aim for simplicity and integration if they are to protect themselves. ###### Perceptions: Security Professionals Confident in Tools, Less Sure They’re Using Them Effectively Most security professionals believe that they have adequate solutions on hand and that their security infrastructures are up to date. However, according to our study, this confidence comes with some uncertainty. These professionals are not always sure they can muster the budgets and brainpower to truly take advantage of the technology they have. Threats to organizations are coming from every direction. Adversaries are nimble and creative, and they’re able to outfox defenses. Even in this sobering environment, the majority of security professionals feel confident that their security **49** infrastructure is up to date, although that confidence appears to be waning a bit from previous years. In 2016, 58 percent of the respondents said their security infrastructure is very up to date and is constantly upgraded with the latest technologies. Thirty-seven percent said they replace or upgrade their security technologies on a regular basis but aren’t equipped with the latest-and-greatest tools (Figure 44). ###### Figure 44 Percentages of Security Professionals Who Feel Their Security Infrastructure Is Up to Date 2016 (n=2912) Source: Cisco 2017 Security Capabilities Benchmark Study **Cisco 2017 Security Capabilities Benchmark Study** Described as Very Up to Date Best Technologies Available #### 58% Described as Replaced/Upgraded on Regular Cadence Not Equipped with Latest and Greatest Tools #### 37% ----- **Cisco 2017 Annual Cybersecurity Report** In addition, more than two-thirds of security professionals perceive their security tools as very effective or extremely effective. For example, 74 percent believe their tools are very or extremely effective in blocking known security threats, while 71 percent believe their tools are effective at detecting network anomalies and dynamically defending against shifts in adaptive threats (Figure 45). The problem: Confidence in tools does not necessarily transfer to effective security. As the study indicates, security departments are wrestling with complicated tools from many vendors, as well as a lack of in-house talent. This boils down to an “intent versus reality” problem. Security professionals want simple, effective security tools, but they don’t have the integrated approach they need to make this vision happen. Security remains a high priority for the top levels of many organizations. And security professionals believe that executive teams keep security high on the list of key organizational goals. The challenge, of course, is to match executive support with the talent and technology that can affect security outcomes. The number of security professionals strongly agreeing that their executive leadership considers security a high priority was 59 percent in 2016, down slightly from 61 percent in 2015 and 63 percent in 2014 (Figure 46). In 2016, 55 percent of security professionals agreed that security roles and responsibilities are clarified within their organization’s executive team; in 2015 and 2014, 58 percent agreed. In summary, security professionals have confidence in the tools on hand, and they appear to have the ear of corporate leaders in addressing security issues. But that confidence is waning slightly. Security professionals are becoming aware of attacker successes and the unwieldiness of managing the growing attack surface. ###### Figure 45 Percentages of Security Professionals Who Perceive Various Security Tools to Be Highly Effective #### 74% Perceive Their Tools to Be Very or Extremely Effective Against Known Security Threats #### 71% Perceive Their Tools to Be Very or Extremely Effective at Detecting Network Anomalies and Dynamically Defending Against Shifts in Adaptive Threats 2016 (n=2912) Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 46 Percentages of Security Professionals Who Believe Security Is a High Priority at the Executive Level, 2014–2016 **Strong Agreement That Executive** **Leadership at Organization** **Considers Security a High Priority** **Strong Agreement That Security** **Roles and Responsibilities** **Are Clarified Within** **Organization’s Executive Team** ###### 63% 61% 59% 58% 58% 55% ###### 63% ###### 59% ###### 58% 2014 ###### 61% ###### 55% 2015 2016 2014 2015 2016 2014 (n=1738), 2015 (n=2432), 2016 (n=2912) ###### 58% Source: Cisco 2017 Security Capabilities Benchmark Study **S H A R E** **Cisco 2017 Security Capabilities Benchmark Study** **50** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Constraints: Time, Talent, and Money Affect the Ability to Respond to Threats If security professionals are relatively confident that they have the tools needed to detect threats and mitigate damage, they also recognize that certain structural constraints stand in the way of their goals. A tight budget is a perennial challenge. But other constraints on effective security speak to the problems of simplifying and automating security. In 2016, 35 percent of security professionals said that budget was their biggest obstacle to adopting advanced security processes and technology (a slight decrease from 2015, when 39 percent said budget was the number one obstacle), as seen in Figure 47. As in 2015, compatibility issues with legacy systems was the second-most-common obstacle: 28 percent named compatibility in 2016, compared with 32 percent in 2015. Money is only part of the problem. For example, compatibility issues speak to the problem of disconnected systems that don’t integrate. And concerns about the lack of trained personnel highlight the problem of having the tools but not the talent to truly understand what is happening in the security environment. The struggle to find talent is a concern, considering the expertise and decision-making abilities needed to fight targeted attacks and shifting adversary tactics. A well-resourced and expert IT security team, paired with the right tools, can make technology and policies work together and achieve better security outcomes. The median number of security professionals at the surveyed organizations was 33, compared with 25 in 2015. In 2016, 19 percent of organizations had between 50 and 99 dedicated security professionals; 9 percent had 100 to 199 security professionals; and 12 percent had 200 or more (Figure 48). ###### Figure 47 Biggest Obstacles to Security Figure 48 Number of Security Professionals Employed by Organizations 2015 (n=2432) 2016 (n=2912) 15 Budget Constraints Compatibility Issues 32% 39% 35% 1-9 10-19 20-29 30-39 40-49 50-99 17 13 28% Certification Requirements Lack of Trained Personnel 22% 8 25% 25% 25% 6 19 Source: Cisco 2017 Security Capabilities Benchmark Study **S H A R E** 100-199 200+ 12 0% 5% 10% 15% 20% 9 #### 30 25 33 2014 2015 2016 **Median Number of Professionals** **Dedicated to Security** **Percentage of** **Organizations 2016** **51** Source: Cisco 2017 Security Capabilities Benchmark Study **Cisco 2017 Security Capabilities Benchmark Study** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 49 Number of Security Professionals by Size of Organization Midmarket Enterprise Large Enterprise (10,000+) 1-9 10-19 20-29 30-39 40-49 50-99 100-199 200+ Source: Cisco 2017 Security Capabilities Benchmark Study **S H A R E** The number of security professionals varies by organizational size. As shown in Figure 49, 33 percent of large enterprises with more than 10,000 employees had at least 200 **Outsourcing and the Cloud Help** security employees. **Stretch Budgets** Whatever the constraints, security professionals need to Many security professionals participating in ask hard questions about the barriers that limit their ability the benchmark study felt they were cashto face coming threats. strapped when making security purchases. They stretched their budget by outsourcing For example, when it comes to budget, how much is some tasks or using cloud solutions. They really enough? As survey respondents explained, security also relied on automation. teams must compete against many other corporate priorities, even within the IT setting. If they can’t secure funds for more tools, then the budget they do have must work harder. For example, automation can be used to offset limited manpower. Similar questions should be asked about the software and hardware compatibility problem. As compatibility issues multiply, how many different versions of software and hardware—most of which may not be operating effectively— must be managed? And how will security teams handle the multiple certification requirements needed? **52** **Cisco 2017 Security Capabilities Benchmark Study** **Cisco 2017 Security Capabilities Benchmark Study** ----- **Cisco 2017 Annual Cybersecurity Report** Aside from those limitations, security professionals are also placing slightly less emphasis on security operationalization. This trend may raise concerns that security professionals are building a suboptimal security infrastructure. Signs of a weakening focus on operationalization can indicate that organizations are not prepared to defend a widening attack landscape. For example, in 2016, 53 percent of the respondents strongly agreed that they review and improve security practices regularly, formally, and strategically; in 2014 and 2015, 56 percent strongly agreed. Likewise, in 2016, 53 percent said they strongly agreed that they routinely and systematically investigate security incidents, compared with 55 percent in 2014 and 56 percent in 2015 (Figure 50). If security professionals are slipping in their goals to put security into use, then it may not be a surprise that they can’t effectively deploy the tools they have, much less add new tools. If, as study respondents told us, they cannot use the technology that they already have on hand, they need simpler streamlined tools that automate security processes. And those tools need to provide a holistic picture of what is going on in the network environment. The lack of integration in security can allow gaps of time and space, where bad actors can launch attacks. The tendency of security professionals to juggle solutions and platforms from many vendors can complicate assembling a seamless defense. As seen in Figure 51, a majority of companies use more than five security vendors and more than five security products in their environment. Fifty-five percent of security professionals use at least six vendors; 45 percent use anywhere from one to five vendors; and 65 percent use six or more products. [Download the 2017 graphics at: www.cisco.com/go/acr2017graphics](http://www.cisco.com/go/acr2017graphics) **53** ###### 56% ###### 56% ###### 53% Source: Cisco 2017 Security Capabilities Benchmark Study **Cisco 2017 Security Capabilities Benchmark Study** ###### Figure 50 Percentages of Respondents Who Strongly Agree with Security Operationalization Statements **We Review and Improve** **Our Security Practices** **Regularly, Formally, and** **Strategically Over Time** **We Routinely and** **Systematically Investigate** **Security Incidents** ###### 56% 56% 53% 55% 56% 53% ###### 56% ###### 53% 2014 ###### 55% 2015 2016 2014 2015 2016 2014 (n=1738), 2015 (n=2432), 2016 (n=2912) Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 51 Number of Security Vendors and Products Used by Organizations **Number of Security Vendors in Security Environment** 2016 (n=2850), Graphic Rounded to Nearest Whole Number 1–5 Vendors 6–10 Vendors 11–20 Vendors 21–50 Vendors ###### 45% 29% 18% 7% 55% Use More Than 5 Vendors Over 50 Vendors ###### 3% **Number of Security Products in Security Environment** 2016 (n=2860), Graphic Rounded to Nearest Whole Number 1–5 Products ###### 35% ###### 29% 21% 11% 6% 65% Use More Than 5 Products 6-10 Products 11–25 Products 26–50 Products Over 50 Products ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 52 Percentages of Security Alerts That Are Not Investigated or Remediated 7% Experienced No Security Alert ###### 44% 56% Of Alerts NOT Of Alerts Are Investigated Investigated ###### 46% Of Legitimate Alerts Are Remediated ###### 54% Of Legitimate Alerts Are NOT Remediated 2016 (n=2796) Source: Cisco 2017 Security Capabilities Benchmark Study ###### 93% Experienced Security Alert ###### 28% Of Investigated Alerts Are Legitimate If operationalization goals are slipping, if tools are not used at their maximum effectiveness, and if manpower is not robust, the result is faltering security. Security professionals are forced to skip the investigation of alerts simply because they do not have the talent, tools, or automated solutions available to determine which ones are critical and why they are occurring. Perhaps due to several factors—such as the lack of an integrated defense system or the lack of staff time— organizations are able to investigate a little more than half the security alerts they receive in a given day. As shown in Figure 52, 56 percent of alerts are investigated, and 44 percent are not investigated; of those alerts that are investigated, 28 percent are deemed legitimate alerts. Forty-six percent of legitimate alerts are then remediated. To put the problem into more concrete terms, if an organization records 5000 alerts per day, this means: - 2800 alerts (56 percent) are investigated, while 2200 (44 percent) are not - Of those investigated, 784 alerts (28 percent) are legitimate, while 2016 (72 percent) are not - Of the legitimate alerts, 360 (46 percent) are remediated, while 424 (54 percent) are not remediated **54** The fact that nearly half of alerts go uninvestigated should raise concern. What is in the group of alerts that is not being remediated: Are they low-level threats that might merely spread spam, or could they result in a ransomware attack or cripple a network? To investigate and understand a greater slice of the threat landscape, organizations need to rely on automation as well as properly integrated solutions. Automation can help stretch precious resources and remove the burden of detection and investigation from the security team. The inability to view so many alerts raises questions about their impact on an organization’s overall success. What could these uninvestigated threats do to productivity, customer satisfaction, and confidence in the enterprise? As respondents told us, even small network outages or security breaches can have long-term effects on the bottom line. Even when losses were relatively minor and the affected systems were fairly easy to identify and isolate, security leaders regard breaches as significant because of the stress they put on the organization. **S H A R E** **Cisco 2017 Security Capabilities Benchmark Study** ----- **Cisco 2017 Annual Cybersecurity Report** The stresses can affect organizations in many ways. Security teams must devote time to managing network outages that occur after a security breach. Nearly half of these outages lasted as long as 8 hours. Forty-five percent of the outages lasted from 1 to 8 hours (Figure 53); 15 percent lasted 9 to 16 hours, and 11 percent lasted 17 to 24 hours. Forty-one percent of these outages affected between 11 percent and 30 percent of the organizations’ systems. ###### Impact: More Organizations Experience Losses from Breaches The effects of breaches aren’t limited to outages. Breaches also mean the loss of money, time, and reputation. Security teams who believe they will dodge this bullet are ignoring the reality of the data. As our study shows, almost half of organizations have had to cope with public scrutiny following a security breach. Given the attackers’ range of ability and tactics, the question isn’t if a security breach will happen, but when. As the benchmark study shows, security professionals are jarred into reality when breaches occur. They often change security strategies or bolster defenses. Organizations that have not yet suffered a breach of their networks due to attackers may be relieved they’ve escaped. However, this confidence is probably misplaced. Forty-nine percent of the security professionals surveyed said their organization has had to manage public scrutiny of a security breach. Of those organizations, forty-nine percent disclosed the breach voluntarily, while 31 percent said the disclosure was made by a third-party (Figure 54). In other words, nearly one-third of the surveyed organizations were forced to deal with the involuntary disclosure of a breach. It’s clear that the days of quietly dealing with breaches may be long gone. There are too many regulators, media, and social media users who will expose the news. **S H A R E** **55** ###### 49% Public Scrutiny of a Security Breach 2016 (n=2824) **How the Most Recent Breach** **Became Known Externally** (n=1389) ###### 31% 31% 50% Source: Cisco 2017 Security Capabilities Benchmark Study **Cisco 2017 Security Capabilities Benchmark Study** ###### Figure 53 Length and Extent of Outages Caused by Security Breaches **Organizations’ Systems Down Time Due to Breach** 2016 (n=2665) No Less Than 1–8 9–16 17–24 Over 24 Outage 1 Hour Hours Hours Hours Hours ###### 7% ###### 13% 45% 15% 11% 9% **Percentage of Systems Impacted Due to Breach** 2016 (n=2463) No 1–10% 11–30% 31–50% Over 50% Impact Impacted Impacted Impacted Impacted ###### 1% ###### 19% 41% 24% 15% Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 54 Percentage of Organizations Experiencing a Public Breach Involuntarily Disclosed (Third-Party) Required Reporting (Regulatory/Legal) Voluntarily Disclosed ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 55 Functions Most Likely to Be Affected by a Public Breach Customer Retention ###### 26% Regulatory Scrutiny Intellectual Property ###### 24% Have Not Had Any Security Breaches in the Past Year Operations Finances ###### 36% 30% Business Partner Relationships Supplier Relationships Brand Reputation ###### 26% Legal Engagements ###### 22% 20% 20% 19% 10% Source: Cisco Security Research **S H A R E** The damage to organizations goes far beyond the time it takes to deal with a breach or outage. There are real and substantial impacts that enterprises should try mightily to avoid. As seen in Figure 55, 36 percent of security professionals said that operations was the function most likely to be affected. This means that core systems of productivity, which affect industries from transportation to healthcare to manufacturing, can slow down or even grind to a halt. After operations, finance was the function most likely to be affected (cited by 30 percent of the respondents), followed by brand reputation and customer retention (both at 26 percent). No organization that plans to grow and achieve success wants to be in a position of having critical departments affected by security breaches. Security professionals should view the survey results with an eye toward their own organizations, and ask themselves: If my organization suffers this kind of loss from a breach, what happens to the business down the road? **Cisco 2017 Security Capabilities Benchmark Study** **56** ----- **Cisco 2017 Annual Cybersecurity Report** The opportunity losses for companies suffering online attacks are daunting. Twenty-three percent of the surveyed security professionals said that in 2016, their organizations experienced a loss of opportunity due to attacks (Figure 56). Of that group, 58 percent said that the total opportunity lost was under 20 percent; 25 percent said the lost opportunity was 20 to 40 percent, and 9 percent said the lost opportunity amounted to 40 to 60 percent. Many organizations can quantify the revenue losses they experience due to public breaches. As seen in Figure 57, 29 percent of security professionals said their organizations experienced a loss of revenue as a result of attacks. Of that group, 38 percent said that revenue loss was 20 percent or higher. Online attacks also result in fewer customers. As shown in Figure 58, 22 percent of organizations said they lost customers as a result of attacks. Of that group, 39 percent said they lost 20 percent of their customers or more. ###### Figure 57 Percentage of Organizational Revenue Lost as the Result of an Attack 29% Experienced a Loss of Revenue IT Security Personnel (n=2912) Lost Less Lost Lost Lost Lost Than 20% 20–40% 40–60% 60–80% 80–100% ###### 62% 20% 10% 4% 4% 38% Saw Substantial Loss of Revenue (n=778) ###### 29% of Revenue IT Security Personnel (n=2912) Lost Less Lost Lost Lost Lost Than 20% 20–40% 40–60% 60–80% 80–100% ###### 62% 20% 10% 4% 4% [Download the 2017 graphics at: www.cisco.com/go/acr2017graphics](http://www.cisco.com/go/acr2017graphics) Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 56 Percentage of Business Opportunity Lost as the Result from an Attack 23% Experienced a Loss of Opportunity IT Security Personnel (n=2912) Lost Less Lost Lost Lost Lost Than 20% 20–40% 40–60% 60–80% 80–100% ###### 58% 25% 9% 5% 3% 42% Saw Substantial Loss of Opportunity (n=625) Source: Cisco 2017 Security Capabilities Benchmark Study **57** ###### Figure 58 Percentage of Customers Lost by Companies Due to Attacks 22% Experienced a Loss of Customers IT Security Personnel (n=2912) Lost Less Lost Lost Lost Lost Than 20% 20–40% 40–60% 60–80% 80–100% ###### 61% 21% 8% 6% 4% 39% Saw Substantial Loss of Customers (n=641) Source: Cisco 2017 Security Capabilities Benchmark Study **Cisco 2017 Security Capabilities Benchmark Study** ###### 23% of Opportunity IT Security Personnel (n=2912) Lost Less Lost Lost Lost Lost Than 20% 20–40% 40–60% 60–80% 80–100% ###### 58% 25% 9% 5% 3% ----- **Cisco 2017 Annual Cybersecurity Report** ###### Outcomes: Increased Scrutiny Will Play a Role in Security Improvements As the survey results show, the impact of breaches can be long-lasting and widespread. If one assumes an organization will be affected by a breach at some point, the question is, what happens next? Where should management shift their attention and resources so that breaches are less likely to occur? The aftermath of a breach is a learning opportunity, an experience that should not go to waste in terms of investing in better approaches. Ninety percent of the security professionals said that a security breach drove improvements in threat defense technologies and processes, as shown in Figure 59. Of those organizations affected by breaches, 38 percent said they responded by separating the security team from the IT department; 38 percent said they increased security awareness training among employees; and 37 percent said they increased their focus on risk analysis and mitigation. **S H A R E** **58** ###### 90% Defense Technologies, Policies, or Procedures Security Professionals (n=1388) **Top 5 Improvements Made to Protect** **Company from Security Breaches** 2016 (n=1375) ###### 38% Separated Security Team from IT Department Source: Cisco 2017 Security Capabilities Benchmark Study **Cisco 2017 Security Capabilities Benchmark Study** ###### Figure 59 How Security Breaches Drive Improvements ###### 38% 37% 37% 37% Increased Security Awareness Training Among Employees Increased Focus on Risk Analysis and Risk Mitigation Increased Investment in Security Defense Technologies or Solutions Increased Investment in Training of Security Staff ----- **Cisco 2017 Annual Cybersecurity Report** Organizations recognize that they have to exercise creativity to move beyond the constraints of talent, technology compatibility, and budget. One strategy is to adopt outsourced services to strengthen the budget and also tap into talent that may not be in-house. In 2016, 51 percent of security professionals outsourced advice and consulting, while 45 percent outsourced incident response (Figure 60). Fifty-two percent said they outsource services to save costs, while 48 percent said they do so to obtain unbiased insights. As they do with outsourcing, organizations also rely on third-party vendors to augment their defense strategies. The security ecosystem provides them with ways to share the responsibility for security. Seventy-two percent of the security professionals said that they rely on third-party vendors for 20 to 80 percent of their security, as seen in Figure 61. Those organizations that rely heavily on outside help for security were most likely to say that they will increase their use of third-party vendors in the future. **S H A R E** ###### Figure 60 Organizations' Reliance on Outsourcing **Outsourced Security Services** 2016 (n=2912) Advice and Consulting ###### 51% Incident Response ###### 45% **Why Services Are Outsourced** 2016 (n=2631) Be More Cost-Efficient ###### 52% Obtain Unbiased Insight ###### 48% Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 61 Percentage of Organizations' Reliance on Outsourcing IT Security Personnel (n=2595) Rely More Than 80% Rely Less Than 20% **Change in Reliance in the Next Year** IT Security Personnel Relying on Third-Party Vendors (n=2504) Decrease Significantly Decrease Somewhat Remain the Same Increase Somewhat Increase Significantly Source: Cisco 2017 Security Capabilities Benchmark Study **59** **Cisco 2017 Security Capabilities Benchmark Study** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 62 Sources of Increased Scrutiny Executive Leadership Clients and Customers Employees ###### 72% Insurance Companies ###### 67% 2016 (n=2912) Watchdog and Interest Groups ###### 70% Business Partners ###### 72% Press ###### 60% ###### 74% 73% Regulators ###### 70% Investors ###### 69% Source: Cisco 2017 Security Capabilities Benchmark Study As organizations take steps to strengthen their security posture, they can expect that more attention will be paid to their efforts. This scrutiny will come from influential audiences and therefore can’t be ignored. How these audiences’ concerns are addressed can have a significant impact on an organization’s ability to defend itself. **60** Seventy-four percent of the security professionals said scrutiny will come from the executive leadership; 73 percent, from clients and customers; and 72 percent, from employees, as seen in Figure 62. **Cisco 2017 Security Capabilities Benchmark Study** **Cisco 2017 Security Capabilities Benchmark Study** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 63 How Trust and Cost-Effectiveness Drive Security Decisions **Security Threat Defense Solution Purchasing** IT Security Personnel (n=2665) Typically Follow Enterprise Architecture Approach 39% Typically Follow ProjectBased Approach (For Example, Best-of-Breed Point Products) 39% 4% Deploy Point 18% Products as Needed Only Deploy to Meet Compliance or Regulatory Requirements Source: Cisco 2017 Security Capabilities Benchmark Study **Reasons for Favoring a** **Best-of-Breed Approach** Organization That Purchased Best-of-Breed Point Solutions Trust More Than Enterprise Architecture Approach **Reasons for Favoring an Enterprise** **Architecture Approach** Organizations That Typically Follow an Enterprise Architecture Approach Trust More Than Best-of-Breed Best-of-Breed Solutions Are More Cost-Effective 65% 36% Enterprise Architecture Approach Is More Cost-Effective 41% 59% Best-of-Breed Solutions Are Easier to Implement Enterprise Architecture Approach Is Easier to Implement 24% 33% Best-of-Breed Solutions Are Faster to Implement Enterprise Architecture Approach Is Faster to Implement 13% 10% ###### Trust Versus Cost: What Drives Security Purchases? Security professionals want the very best solutions for protecting their organizations, but their perceptions differ on how to create the ideal secure environment. Do they purchase best-of-breed solutions from a variety of vendors because they trust these solutions will solve many different problems? Or do they turn to an integrated architecture, because they believe this approach is more cost-effective? Although there are many drivers for security investments, greater simplicity can benefit every organization. As seen in Figure 63, the security professionals seem evenly split between trust and cost in choosing between best-of-breed and architected solutions. Sixty-five percent said they favor best-of-breed solutions because they trust them more than an enterprise architecture approach. On the other hand, 59 percent said they favor an architected approach because they believe it is more cost-effective. **61** This isn’t an either/or dilemma. Organizations need both best-of-breed and integrated security solutions. Both approaches offer benefits and will simplify security while providing automated response tools (Figure 63). By combining best-of-breed solutions with an integrated approach, security teams can take steps toward less complex yet more effective security. The integrated approach helps security professionals understand what’s happening at every stage of defense. Such an approach reduces attackers’ operational space. It is simple, allowing teams to deploy solutions at scale. It is open, allowing for best-of-breed solutions as needed. And it’s automated for faster detection. **Cisco 2017 Security Capabilities Benchmark Study** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Summary: What the Benchmark Study Reveals There is a world of difference between amassing security tools and actually having the capability to use those tools to reduce risk and close the operational space for adversaries. Respondents to the benchmark study believe they have the tools that will thwart attackers. But they also acknowledge that constraints such as a lack of manpower and poor product compatibility can render good tools much less effective than they’d hoped. The sobering findings regarding the impact of breaches should provide security professionals with ample evidence of the need to improve processes and protocols. Faced with real and immediate effects like lost revenue and **62** customers, organizations can no longer simply wish away gaps in security protection, because the question is not if a breach will happen, but when. One takeaway from the benchmark study is that the constraints limiting agile and effective security will always be with us: There will never be as much budget and talent as security professionals believe they need. If we accept these constraints, then the idea of simplifying security and deploying automated solutions makes sense. Simplifying security also makes use of best-of-breed solutions and an integrated architecture. Organizations need the benefits of both approaches. **Cisco 2017 Security Capabilities Benchmark Study** ----- # Industry ----- **Cisco 2017 Annual Cybersecurity Report** ### Industry ###### Value Chain Security: Success in a Digital World Hinges on Mitigating Third-Party Risk Value chain security is an essential element of success in a connected economy. Ensuring that the right security is in the right place at the right time throughout the value chain—the end-to-end lifecycle for hardware, software, and services—is an imperative. The eight stages of the value chain are shown in Figure 64. Information technology and operations technology are converging in this digitized world. It is not enough for organizations to focus only on protecting their internal business models, offerings, and infrastructure. Organizations must look at their value chain holistically and consider whether each third-party that is involved in their business model or touching their offerings poses a risk to their security. The short answer is that they likely do: Research by the SANS Institute found that 80 percent of data breaches originate from third parties.¹⁵ To reduce risk, organizations must foster a value chain where trust is not implicit and security is everyone’s responsibility. As a foundational step toward achieving this goal, organizations should: - Identify the key players in their third-party ecosystem and understand what those third parties deliver ###### Figure 64 The Stages of the Value Chain - Develop a flexible security architecture that can be shared with and deployed across the variety of third parties in that ecosystem - Assess whether those third parties are operating within the tolerance levels set by the organization’s security architecture - Be alert to new security risks that the ecosystem may present as digitization increases Organizations must also think about security before introducing a new business model or an offering that requires involvement by, or that otherwise affects, their third-party ecosystem. Any potential value and productivity gains must be weighed against potential risks, particularly around data security and privacy. Awareness of the importance of the value chain is growing both globally and in specific industry sectors. Recent U.S. IT procurement legislation mandated a 1-year assessment by the U.S. Department of Defense regarding open technology standards in procurements for information technology and cybersecurity acquisitions.¹⁶ In the highly converged energy sector, the North American Electric Reliability Corporation (NERC) is actively developing new requirements addressing its cyber value chain.¹⁷ Design Plan Source Make Quality Deliver Sustain End of Life Source: Cisco **S H A R E** [¹⁵ Combatting Cyber Risks in the Supply Chain, SANS Institute, 2015: https://www.sans.org/reading-room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252.](https://www.sans.org/reading-room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252) ¹⁶ Public Law 114-92 § ¹⁷ NERC ordered to undertake this effort by United States Federal Energy Regulatory Commission 18 CFR Part 40 [Docket No. RM15-14-002; Order No. 829]. **64** **Industry** ----- **Cisco 2017 Annual Cybersecurity Report** Organizations, together with their third parties, need to answer questions such as, “How will data be generated and by whom?” and, “Should the data be digitally mined?” Further clarity requires determining the answers to such questions as, “Who owns the digital assets we are collecting or creating?” and, “With whom must we share that information?” Another critical question to answer: “Who owns what liability and obligation when a breach occurs?” This value chain-centric approach helps ensure that security considerations are built in at every stage of the solutions lifecycle. The right architecture, combined with adherence to the appropriate security standards, will help to drive pervasive security—and build trust—throughout the entire value chain. ###### Geopolitical Update: Encryption, Trust, and a Call for Transparency In previous cybersecurity reports, Cisco geopolitical experts examined the uncertainty in the Internet governance landscape, the rights of the individual versus the rights of the state, and the ways that governments and private businesses might navigate the data-protection dilemma. One common topic across these discussions has been encryption. We believe that encryption will continue to permeate, perhaps even dominate, the cybersecurity debate for the foreseeable future. The proliferation of national and regional data privacy laws has created unease among vendors and users attempting to navigate those laws. In this uncertain environment, issues such as data sovereignty and data localization have come to the fore, helping to fuel growth in cloud computing and localized data storage as businesses seek a creative solution to meeting complex and evolving privacy regulations.¹⁸ At the same time, the escalating number of data breaches and advanced persistent threats, and the publicity around hacks sponsored by nation-states—including those conducted during high-profile events such as the U.S. presidential election—are making users even less confident that their sensitive data and privacy will be protected. Governments in the post-Snowden era have been increasingly strident in their desire to regulate digital communications and to access data when needed. However, users have been just as ardent in their demand for privacy. Events such as the recent head-butting between Apple and the FBI over an iPhone belonging to a terrorist have done nothing to assuage users’ worries about privacy. If anything, it taught a generation of digital users, especially in the United States, about end-to-end encryption. Many users are now demanding end-to-end encryption from their technology providers, and they want to hold the encryption keys. This marks a fundamental shift in the cybersecurity landscape as we have known it. Organizations are going to need to architect their environments so they can navigate and respond to competing agendas. While this shift is taking place, more governments are giving themselves the legal right—often on a broad basis—to bypass or break encryption or technical protection measures, often without the knowledge of the manufacturer, communication provider, or the user. This is creating tension not only between authorities and technology firms but also between governments, who are not necessarily keen to see their citizens’ data accessed by third-country authorities. Many governments collect information about zero-day exploits and vulnerabilities that they discover in vendor software; however, they are not always transparent with vendors about the information they possess, or sharing it in a timely manner. Hoarding such valuable information prevents vendors from improving security in their products and providing users with better protection from threats. Even though governments may have good reason to hold some of this intelligence close, there is also a need for greater transparency and trust in the global cybersecurity landscape. Governments therefore should conduct a frank assessment of their current policies regarding the hoarding of zero-day exploits. They should start from the default position that sharing information with vendors can only lead to a far more secure digital environment for everyone. ¹⁸ For more on this topic, see “Data Localization Takes Off as Regulation Uncertainty Continues,” by Stephen Dockery, June 6, 2016, The Wall Street Journal: [http://blogs.wsj.com/riskandcompliance/2016/06/06/data-localization-takes-off-as-regulation-uncertainty-continues/.](http://blogs.wsj.com/riskandcompliance/2016/06/06/data-localization-takes-off-as-regulation-uncertai) **65** **Industry** ----- **Cisco 2017 Annual Cybersecurity Report** **66** **Industry** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Network Performance and Adoption Versus Security Maturity: Online Speeds, Traffic, and Preparedness Are Not Growing at the Same Pace Defenders want to stay ahead of their adversaries. To be behind them is to be in a potentially dangerous place. The worry is that defenders can’t improve their security posture at the same pace that adversaries can gain space and time to operate. Given the pace of growth of fixed and mobile Internet traffic worldwide, defenders are obligated to match this growth with gains in the maturity of their security infrastructure. The Cisco VNI Forecast examines global IP traffic annually, including mobile and Wi-Fi traffic. The forecasts provide 5-year projections for IP traffic, the number of Internet users, and the number of personal devices and machine-to-machine (M2M) connections that will be [supported by IP networks. (Visit here for more details on](http://www.cisco.com/c/en/us/solutions/service-provider/visual-networking-index-vni/index.html) the VNI Forecast.) For example, the forecast estimates that by 2020, smartphones will generate 30 percent of total IP traffic. ###### Figure 65 Security Maturity and Growth Rates Cisco has matched the VNI Forecast to data about defender maturity, taken from Cisco’s annual Security Capabilities Benchmark Study (see page 49). In examining maturity growth rates in the 2015, 2016, and 2017 benchmark reports, as seen in Figure 65, security maturity is underwhelming compared with the growth of Internet traffic. Some countries, such as China and Germany, actually show a slight decline in maturity over this time period. Broadband speeds, in particular, are improving and growing at a significantly greater rate than other networking variables shown in Figure 65. Faster speeds and more connected devices foster greater traffic growth, but organizations are struggling to bolster their security measures and infrastructures at similar rates. 300% 250% 200% 150% 100% 50% 0% Australia Brazil Canada China France Germany India Italy Japan Mexico Russia United Kingdom United States **Overall** **Industry** Security Maturity Total Traffic Devices Fixed Internet Users Mobile Internet Traffic Mobile Speed Source: Cisco Security Research, Cisco VNI, and Cisco 2017 Security Capabilities Benchmark Study **S H A R E** **67** ----- **Cisco 2017 Annual Cybersecurity Report** Certain industries also lag in terms of their security maturity compared with other industries, as seen in Figure 66. In particular, pharmaceuticals, healthcare, and transportation are behind other industries. It’s important to note that the dramatic rise in mobile speeds is an outcome of the broad adoption of 4G and LTE networks by telecommunications providers. When large-scale deployments of 5G networks become available toward the end of this decade, mobile speeds are expected to become comparable to fixed network speeds. According to the current Mobile VNI Forecast, global mobile traffic will likely gain a greater share of total IP traffic when 5G ###### Figure 66 Security Maturity in Industry Verticals **Industry by Segment** is broadly adopted. Global mobile traffic was 5 percent of total IP traffic in 2015, according to the VNI Forecast; it is projected to be 16 percent of total IP traffic by 2020. It’s clear that security organizations must step up their maturity efforts, and quickly, if they are to match the growth in Internet traffic, which portends growth in the potential attack surface. In addition, organizations must respond to the growth in the use of endpoints that are not fixed or wired to corporate networks. They must also accommodate a more widespread use of personal devices from which workers access corporate data. ###### 48 ###### 39 ###### 36 ###### 29 Education (n=44) 9 ###### 30 21 Pharmaceuticals (n=56) ###### 39 Financial Services (n=501) 5 ###### 32 34 Retail (n=286) Government (n=345) 3 ###### 42 24 28 Telecommunications (n=303) Graphic Rounded to Nearest Whole Number Healthcare (n=211) 5 ###### 30 27 Transportation (n=174) Non-Computer-Related Manufacturing (n=355) 5 ###### 38 33 24 Utilities/Energy (n=113) **Industry** ###### 42 ###### 32 ###### 30 Low Middle Upper-Mid High Source: Cisco 2017 Security Capabilities Benchmark Study **68** ###### 38 24 ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 67 Security Maturity by Country 4 4 7 25 25 34 28 ###### 41 41 31 **USA** **Brazil** **Germany** 29 30 28 31 ###### 31 5 31 13 3 17 31 35 **Australia** **China** 47 **India** 35 31 34 21 4 6 7 ###### 39 30 32 33 35 **Russia** **France** **Canada** 36 27 26 23 2016 (n=2852) Graphic Rounded to Nearest Whole Number Low Middle Upper-Mid High Source: Cisco 2017 Security Capabilities Benchmark Study ###### 47 India ###### 41 **USA** ###### 39 **Russia** ###### 34 **Germany** ###### 32 **France** ###### 31 **China** ###### 28 **UK** Faster speeds are not the only factor driving growth of Internet traffic. The IoT is accelerating the number of devices that are attached to the Internet, not only adding to the growth of traffic but also adding potential pathways for attackers. ###### 47 **Mexico** ###### 35 **Japan** ###### 31 **Australia** For more information about the Cisco VNI Forecast, visit the [Cisco website or read the Cisco blog post on the annual](http://www.cisco.com/c/en/us/solutions/service-provider/visual-networking-index-vni/index.html) [VNI forecast for 2015 to 2020.](http://blogs.cisco.com/sp/updated-cisco-vni-complete-forecast-released-today-so-what?_ga=1.213955538.475831013.1478563405) **Industry** **69** ###### 33 **Canada** ----- # Conclusion ----- **Cisco 2017 Annual Cybersecurity Report** ### Conclusion ###### A Rapidly Expanding Attack Surface Requires an Interconnected and Integrated Approach to Security In analyzing data from Cisco’s Security Capabilities Benchmark Study (see page 49), we are able to examine patterns and decisions that help organizations minimize risk. We can therefore see where they should make security investments that can lead to a significant difference in risk exposure. We measured risk by looking at the lengths of breaches as well as percentages of system outages (see Figure 53 on page 55 regarding the length of breaches and the systems affected). To understand how organizations create effective safeguards against risk, we need to examine what drivers affect their ability to prevent, detect, and mitigate risk. (See Figure 68.) The drivers must include these elements: - **Executive leadership: The top leadership must prioritize** security. This is critical for the mitigation of attacks, as well as their prevention. The executive team should also have clear and established metrics for assessing the effectiveness of a security program. ###### Figure 68 Drivers and Safeguards for Minimizing Risk - **Policy: Policy has strong ties to mitigation. Controlling** access rights to networks, systems, applications, functions, and data will affect the ability to mitigate damage from security breaches. In addition, policies to ensure a regular review of security practices will help prevent attacks. - **Protocols: The right protocols can help prevent and** detect breaches, but they also have a strong relationship to mitigation. In particular, regular reviews of connection activity on networks, to ensure that security measures are working, are key to both prevention and mitigation. It’s also beneficial to review and improve security practices regularly, formally, and strategically over time. - **Tools: The judicious and appropriate application of tools** has the strongest relationship with mitigation. With tools in place, users can review and provide feedback that is vital to detection and prevention as well as mitigation. **Drivers** Measure Influence of Policy, Executive Leadership, Protocols, Tools on Firm’s Ability to Prevent, Detect, and Mitigate Effects of a Breach ###### Executive Leadership Policy Protocols Tools Source: Cisco 2017 Security Capabilities Benchmark Study **Safeguards** Measure Influence of Firm’s Ability to Prevent, Detect, and Mitigate Effects of a Breach on Risk [Download the 2017 graphics at: www.cisco.com/go/acr2017graphics](http://www.cisco.com/go/acr2017graphics) **71** **Conclusion** ----- **Cisco 2017 Annual Cybersecurity Report** The security safeguards that organizations use—prevention, detection, and mitigation—can be viewed as measures of influence on an organization’s ability to minimize risk. (See Figure 68.) These safeguards must include the following elements: - **Prevention: To minimize the impact of security breaches,** employees must report security failures and problems. It’s also crucial for security processes and procedures to be clear and well understood. - **Detection: The best detection methods for minimizing the** impact of breaches are those that allow organizations to spot security weaknesses before they become full-blown incidents. To accomplish this, it’s vital to have a good system for categorizing incident-related information. **72** - **Mitigation: Well-documented processes and procedures** for incident response and tracking are key to effective breach mitigation. Organizations also need strong protocols to manage their response to crises. All of these drivers and safeguards are interconnected and interdependent. Security professionals can’t simply cherry-pick a couple of drivers and one or two safeguards, and believe they have solved the security problem. They need every driver, and every safeguard. Security teams must analyze where their weaknesses are—for example, low levels of support from leaders, or a lack of tools to mitigate breaches—and calculate where investments in security must be made. **Conclusion** ----- **Cisco 2017 Annual Cybersecurity Report** ###### The Key Goal: Reducing Adversaries’ Operational Space Reducing—and ideally, eliminating—the unconstrained operational space of adversaries, and making attackers’ presence known, must be top priorities for defenders. The reality is that no one can stop all attacks, or protect everything that can and should be protected. But if you focus on closing the operational space that cybercriminals must have for their campaigns to be effective and profitable, you can prevent them from reaching critical systems and data without entirely evading detection. This report categorized different approaches that adversaries use to compromise and attack users and systems. We based our categories—reconnaissance, weaponization, delivery, and installation—on where the attacks are typically deployed in the attack chain. This exercise was meant to illustrate when, how, and where adversaries take advantage of vulnerabilities and other weaknesses to gain a foothold on a device or in a system, launch their campaign, and then reap the rewards they seek. We suggest that defenders adapt their security approaches to stay ahead of attackers’ basic processes. For example, to undermine adversaries during the reconnaissance phase, security teams should be: - Gathering information about the latest threats and vulnerabilities - Ensuring they are controlling access to their networks - Limiting the organization’s exposure in an expanding attack surface - Managing configurations - Developing consistent response practices and procedures that are informed by this work **73** When weaponized threats are delivered, defenders must apply every tool in their arsenal to prevent them from spreading and worsening. This is where an integrated security architecture becomes critical. It will provide realtime insight into threats as well as automated detection and defense, which are essential for improving threat detection. At the installation phase, security teams must stay informed about the state of the environment as they respond to and investigate the compromise. If that environment is simple, open, and automated, and if defenders have taken the other proactive steps outlined above, they can then focus their resources on helping the business to answer critical questions such as: - What did the attackers access? - Why were they able to get to it? - Where did they go? - Are they still operating in our network? The answers to these questions will allow security teams not only to take appropriate actions to prevent further attacks, but also to inform management and the board about possible exposures and necessary disclosures. Then, the business can begin the process of ensuring that it has comprehensive controls and mitigations in place to address any security gaps—the weaknesses that provided the operational space adversaries needed to succeed—that were identified during the compromise. **Conclusion** ----- **Cisco 2017 Annual Cybersecurity Report** ### About Cisco Cisco delivers intelligent cybersecurity for the real world, providing one of the industry’s most comprehensive advanced-threat protection portfolios of solutions across the broadest set of attack vectors. Cisco’s threatcentric and operationalized approach to security reduces complexity and fragmentation while providing superior visibility, consistent control, and advanced threat protection before, during, and after an attack. Threat researchers from the Cisco Collective Security Intelligence (CSI) ecosystem bring together, under a single umbrella, the industry’s leading threat intelligence, using telemetry obtained from the vast footprint of devices and sensors, public and private feeds, and the open-source community. This amounts to a daily ingest of billions of web requests and millions of emails, malware samples, and network intrusions. **74** Our sophisticated infrastructure and systems consume this telemetry, helping machine-learning systems and researchers to track threats across networks, data centers, endpoints, mobile devices, virtual systems, web, email, and from the cloud to identify root causes and scope outbreaks. The resulting intelligence is translated into realtime protections for our product and service offerings that are immediately delivered globally to Cisco customers. To learn more about Cisco’s threat-centric approach to [security, visit www.cisco.com/go/security.](http://www.cisco.com/go/security) **About Cisco** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Contributors to the Cisco 2017 Annual Cybersecurity Report **CloudLock** CloudLock, a Cisco company, is a leading provider of cloud access security broker (CASB) solutions that help organizations securely use the cloud. CloudLock delivers visibility and control for software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-asa-service (IaaS) environments across users, data, and applications. CloudLock delivers actionable cybersecurity intelligence through its data scientist-led CyberLab and crowd-sourced security analytics. For more information, [visit https://www.cloudlock.com.](https://www.cloudlock.com) **Security and Trust Organization** Cisco’s Security and Trust Organization underscores Cisco’s commitment to address two of the most critical issues that are top of mind for boardrooms and world leaders alike. The organization’s core missions include protecting Cisco’s public and private customers, enabling and ensuring Cisco Secure Development Lifecycle and Trustworthy Systems efforts across Cisco’s product and service portfolio, and protecting the Cisco enterprise from ever-evolving threats. Cisco takes a holistic approach to pervasive security and trust, which includes people, policies, processes, and technology. The Security and Trust Organization drives operational excellence, focusing across InfoSec, Trustworthy Engineering, Data Protection and Privacy, Cloud Security, Transparency and Validation, and Advanced Security Research and Government. For [more information, visit http://trust.cisco.com.](http://trust.cisco.com) **75** **Global Government Affairs** Cisco engages with governments at many different levels to help shape public policy and regulations that support the technology sector and help governments meet their goals. The Global Government Affairs team develops and influences pro-technology public policies and regulations. Working collaboratively with industry stakeholders and association partners, the team builds relationships with government leaders to influence policies that affect Cisco’s business and overall ICT adoption, looking to help shape policy decisions at a global, national, and local level. The Government Affairs team is composed of former elected officials, parliamentarians, regulators, senior U.S. government officials, and government affairs professionals who help Cisco promote and protect the use of technology around the world. **Cognitive Threat Analytics** Cisco’s Cognitive Threat Analytics is a cloud-based service that discovers breaches, malware operating inside protected networks, and other security threats by means of statistical analysis of network traffic data. It addresses gaps in perimeter-based defenses by identifying the symptoms of a malware infection or data breach using behavioral analysis and anomaly detection. Cognitive Threat Analytics relies on advanced statistical modeling and machine learning to independently identify new threats, learn from what it sees, and adapt over time. **About Cisco** ----- **Cisco 2017 Annual Cybersecurity Report** **IntelliShield Team** The IntelliShield team performs vulnerability and threat research, analysis, integration, and correlation of data and information from across Cisco Security Research and Operations and external sources to produce the IntelliShield Security Intelligence Service, which supports multiple Cisco products and services. **Talos Security Intelligence and Research Group** Talos is Cisco’s threat intelligence organization, an elite group of security experts devoted to providing superior protection for Cisco customers, products, and services. Talos is composed of leading threat researchers supported by sophisticated systems to create threat intelligence for Cisco products that detect, analyze, and protect against known and emerging threats. Talos maintains the official rule sets of Snort.org, ClamAV, SenderBase.org, and SpamCop, and is the primary team that contributes threat information to the Cisco CSI ecosystem. **Security Research and Operations (SR&O)** Security Research and Operations (SR&O) is responsible for threat and vulnerability management of all Cisco products and services, including the industry-leading Product Security Incident Response Team (PSIRT). SR&O helps customers understand the evolving threat landscape at events such as Cisco Live and Black Hat, as well as through collaboration with its peers across Cisco and the industry. Additionally, SR&O delivers new services such as Cisco’s Custom Threat Intelligence (CTI), which can identify indicators of compromise that have not been detected or mitigated by existing security infrastructures. **Cisco Visual Networking Index (VNI)** The Cisco VNI Global IP Traffic Forecast for 2015 to 2020 relies on independent analyst forecasts and real-world network usage data. Upon this foundation are layered Cisco’s own estimates for global IP traffic and service adoption. A detailed methodology description is included in the complete report. Over its 11-year history, Cisco VNI research has become a highly regarded measure of the Internet’s growth. National governments, network regulators, academic researchers, telecommunications companies, technology experts, and industry and business press and analysts rely on the annual study to help plan for the digital future. **About Cisco** **76** ----- # Appendix ----- **Cisco 2017 Annual Cybersecurity Report** ### Appendix ###### Cisco 2017 Security Capabilities Benchmark Study Figure 69 Survey Capabilities Benchmark Study **Industries** Education (Higher Education) Financial Services: Banking, Insurance Government Healthcare Manufacturing: Non-Computer Related Pharmaceuticals Retail Telecommunications Transportation Utilities/Energy Non-Key Industry 2% 2% 1% 18% 14% 15% 12% 12% 9% 8% 4% 6% 12% 15% 14% 2% 3% 3% 10% 3% 3% 11% 8% 6% 6% 5% 8% 4% 3% 7% 16% 27% 21% **Areas of Security Involvement** Making Final Brand Recommendations Regarding Solutions 74% 76% 81% Setting Overall Vision and Strategy 73% 75% 83% Researching and Evaluating Solutions 72% 75% 78% Implementing and Managing Solutions 71% 73% 79% Defining Requirements 67% 71% 76% Approving Budgets 54% 57% 66% 2016 (n=2912) 2015 (n=2432) 2014 (n=1738) **Organization Size** **CSO vs. Sec Op** Large Midmarket Enterprise Enterprise CSO Sec Op 2016 2015 2014 50% 49% 38% 38% 12% 13% 46% 45% 2016 2015 2014 49% 54% 54% 51% 55% 46% **Appendix** Source: Cisco 2017 Security Capabilities Benchmark Study **78** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 70 Number of Dedicated Security Professionals 1-9 10-19 20-29 30-39 40-49 50-99 100-199 200 or more 15% 2014 (n=1738) 2015 (n=2432) 2016 (n=2912) 18% 17% 16% 18% 12% 17% 8% 9% 4% 4% 19% 15% 17% 13% 8% 6% 19% 9% 12% 9% 16% 9% 10% **Median Number of Professionals Dedicated to Security** **30** **25** **33** Source: Cisco 2017 Security Capabilities Benchmark Study ###### Perceptions Figure 71 Majority of Security Professionals Feel Security Infrastructure Is Up to Date **How Would You Describe Your Security Infrastructure?** Very Up to Date Best Technologies Available Replaced/Upgraded on Regular Basis Not Equipped with Latest-and-Greatest Tools Replaced/Upgraded Only When Necessary No Longer Working, Obsolete, or New Needs 2016 (n=2912) 2015 (n=2432) 2014 (n=1738) 58% 37% 5% 59% 37% 5% 64% 33% 3% Source: Cisco 2017 Security Capabilities Benchmark Study **79** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 72 Percentages of Security Professionals Who Perceive Various Security Tools to Be Highly Effective 2016 (n=2912) Graphic Rounded to Nearest Whole Number Not at All Not Very Somewhat Very Effective Effective Effective Effective Extremely Effective % Very + Extremely Effective Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 73 Percentages of Security Professionals Who Believe Security Is a High Priority at the Executive Level Cyber-Risk Assessments Are Routinely Incorporated into Our Overall Risk Assessment Process Executive Leadership at My Organization Considers Security a High Priority Security Roles and Responsibilities Are Clarified Within My Organization’s Executive Team **2016** 2015 2014 **2016** 2015 2014 **53%** 55% **55%** 58% 1% **96%** 95% **96%** 95% **1%** **4%** **1%** **4%** **59%** 61% **96%** 96% **1%** **4%** 4% **43%** 40% 4% **41%** 36% 1% 4% **37%** 35% 1% 2% 4% 32% 63% 94% 2% 5% 35% 58% 94% 2% 4% 36% 57% 93% My Organization’s Executive Team Has Established Clear Metrics for Assessing Effectiveness of Our Security Program 1% **4%** **95%** 94% 93% **51%** 53% 53% 1% 2% 5% 6% **44%** 41% 40% 2016 (n=2912) 2015 (n=2432) Strongly Disagree Disagree Agree Strongly Agree % Agree + Strongly Agree 2014 (n=1738) Source: Cisco 2017 Security Capabilities Benchmark Study **80** 51% **94%** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 74 Percentages of Respondents Who Strongly Agree with Security Operationalization Statements We Review and Improve Our Security Practices Regularly, Formally, and Strategically Over Time Our Threat Detection and Blocking Capabilities Are Kept Up to Date We Regularly Review Connection Activity on Network to Ensure Security Measures Are Working as Intended **53%** 57% **2016** 2015 2014 **2016** 2015 2014 **2016** 2015 2014 **55%** 56% 1% **95%** 96% **95%** 96% **0%** **4%** **0%** **4%** **53%** 56% **96%** 96% **0%** **4%** 3% **43%** 39% 3% **41%** 40% 1% 4% **42%** 40% 1% 1% 4% 38% 56% 95% 1% 5% 37% 57% 94% 2% 4% 36% 58% 94% We Can Increase Security Controls on High-Value Assets Should Circumstances Require Security Is Well-Integrated into Our Organization’s Goals and Business Capabilities Our Security Technologies Are Well-Integrated to Work Effectively Together **53%** 52% **55%** 56% 1% **95%** 95% **95%** 96% **0%** **4%** **0%** **5%** **95%** 96% 94% **1%** **4%** **51%** 56% 54% 4% **42%** 43% 4% **40%** 40% 1% 1% 3% 5% **45%** 41% 40% 1% 2% 5% 36% 58% 94% 2% 5% 38% 56% 93% It Is Easy to Determine the Scope of a Compromise, Contain It, and Remediate from Exploits We Routinely and Systematically Investigate Security Incidents **0%** **5%** **41%** **53%** **95%** We Have Tools in Place That Enable Us to Review and Provide Feedback Regarding the Capabilities of Our Security Practice **43%** 45% **49%** 52% 1% **92%** 91% **0%** **5%** **95%** 95% **1%** **7%** 8% **49%** 46% 4% **46%** 44% 1% 4% 56% 55% 96% 93% 1% 2% 5% 40% 38% 1% 5% 40% 53% 93% 2% 9% 43% 46% 89% 2016 (n=2912) 2015 (n=2432) Strongly Disagree Disagree Agree Strongly Agree % Agree + Strongly Agree 2014 (n=1738) Source: Cisco 2017 Security Capabilities Benchmark Study **81** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Constraints Figure 75 Biggest Obstacles to Security 2015 (n=2432) 2016 (n=2912) ###### Figure 76 Number of Security Vendors and Products Used by Organizations 2% 35% Budget Constraints Compatibility Issues Certification Requirements Lack of Trained Personnel Competing Priorities Current Workload Too Heavy Lack of Knowledge Reluctance to Purchase Until They’re Proven Organizational Culture/Attitude Organization Is Not a High-Value Target for Attacks Security Is Not an Executive Level Priority 39% 35% 32% 28% 1-5 Products 6-10 Products 11-25 Products 26-50 Products 51-100 Products More Than 100 Products 29% 25% 21% 22% 11% 24% 24% 23% 22% 22% 22% 18% 25% 25% 24% 4% 2016 (n=2860) Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 78 Number of Security Products Used by Size of Organization 23% 22% 23% N/A N/A 17% Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 77 Number of Security Vendors Used by Size of Organization **How Many Different** **Security Products Are in** **Your Security Environment?** 1-5 **How Many Different** **Security Vendors (i.e., Brands,** **Manufacturers) Are in Your** **Security Environment?** 1-5 Midmarket 250-1K Employees 46.9% Midmarket 250-1K Employees 37.9% Enterprise 1K–10K Employees 32.7% 25.1% Large Enterprise 10k+ Employees Enterprise 1K–10K Employees 43.4% 39.9% Large Enterprise 10k+ Employees 6-10 28.4% 30.9% 21.3% 11-20 17.6% 15.8% 23.1% 21-50 5.6% 7.1% 8.7% More Than 50 1.4% 2.8% 6.9% **Total Organizations** **1435** **1082** **333** Source: Cisco 2017 Security Capabilities Benchmark Study **82** 6-10 29.0% 30.1% 22.5% 11-25 19.8% 20.4% 23.7% 26-50 9.6% 10.5% 15.6% 51-100 3.0% 4.3% 7.8% More Than 100 0.8% 1.9% 5.4% **Total Organizations** **1442** **1084** **334** Source: Cisco 2017 Security Capabilities Benchmark Study **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 79 Year-over-Year Decrease of Security Budget Coming Within IT Budget **Is the Security Budget Part of the IT Budget? (IT Department Members)** 2014 (n=1673) 2015 (n=2374) 2016 (n=2828) 58% 33% 9% All Within IT Partially Within IT Completely Separate Source: Cisco 2017 Security Capabilities Benchmark Study 61% 33% 6% 55% 36% 9% ###### Figure 80 Year-over-Year Decrease of Security Spend as a Proportion of the IT Budget **IT Budget Spend on Security as a Function** 2014 (n=1673) 2015 (n=2374) 2016 (n=2828) 0% 1-5% 6-10% 11-15% 16-25% 26%-50% 51% or More Source: Cisco 2017 Security Capabilities Benchmark Study **83** **Appendix** 10% 7% 4% 12% 23% 29% 9% 3% 4% 16% 27% 26% 15% 21% 5% 11% 23% 31% 19% 4% 2% ----- **Cisco 2017 Annual Cybersecurity Report** ###### Impacts Figure 81 Percentages of Organization's Opportunities Lost as a Result of Attacks ###### Figure 82 Percentages of Organization's Revenue Lost as a Result of Attacks 1% 20% 10% 4% 3% 1% None (0%) Some, but Less Than 20% 20% to Just Under 40% 40% to Just Under 60% 60% to Just Under 80% 80% to Just Under 100% All (100%) 1% 25% 9% 5% 3% 0% 58% None (0%) Some, but Less Than 20% 20% to Just Under 40% 40% to Just Under 60% 60% to Just Under 80% 80% to Just Under 100% All (100%) 62% Respondents From Organizations Who Lost Opportunities in Past Year (n=625) Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 83 Percentages of Organization's Customers Lost as a Result of Attacks Respondents From Organizations Who Lost Revenue in Past Year (n=778) Source: Cisco 2017 Security Capabilities Benchmark Study **Appendix** None (0%) Some, but Less Than 20% 20% to Just Under 40% 40% to Just Under 60% 60% to Just Under 80% 80% to Just Under 100% All (100%) 1% 21% 8% 6% 4% 1% 60% Respondents From Organizations Who Lost Customers in Past Year (n=641) Source: Cisco 2017 Security Capabilities Benchmark Study **84** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Outcomes Figure 84 Percentages of Organizations Relying on Outsourcing **Which Security** **Services Are** **Outsourced?** Advice and Consulting Audit Incident Response Monitoring Threat Intelligence Remediation None/All Internal 2014 2015 2016 **Why Are These** (n=1738) (n=2432) (n=2912) **Services Outsourced?** 2016 (n=2631) 52% 48% 46% 33% **Appendix** More Cost-Efficient Desire for Unbiased Insight More Timely Response to Incidents Lack of Internal Expertise Lack of Internal Resources 51% 41% 35% 42% N/A 34% 21% 52% 47% 42% 44% 39% 36% 12% 51% 46% 45% 45% 41% 2015 (n=2129) 53% 49% 46% 31% 31% 33% 35% 10% Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 85 Percentages of Organization's Security Reliant Upon Third-Party Vendors None (0%) Some, but Less Than 20% 20% to Just Under 40% 40% to Just Under 60% 60% to Just Under 80% 80% to Just Under 100% All (100%) 1% 4% 18% 41% 21% 10% 4% IT Security Personnel (n=2595) Source: Cisco 2017 Security Capabilities Benchmark Study **85** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 86 Percentages of Security Services Outsourced by Size of Organization **Which Security Services Are Outsourced?** Midmarket (n=1459) Enterprise (n=1102) Large Enterprise (n=351) 52% 47% 43% 41% 44% 34% 11% Advice and Consulting Audit Monitoring Threat Intelligence Incident Response Remediation None/All Internal 50% 44% 46% 41% 48% 35% 51% 50% 44% 40% 39% 8% Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 87 Sources of Increased Scrutiny 2016 (n=2912) Graphic Rounded to Nearest Whole Number Not at All Not Very Somewhat Very Scrutinizing Scrutinizing Scrutinizing Scrutinizing Extremely Scrutinizing 37% 11% 30% 32% 28% 29% 26% 27% 28% 26% 21% % Very + Extremely Scrutinizing Source: Cisco 2017 Security Capabilities Benchmark Study **86** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 88 Increase of Off-Premises Private Cloud and Third-Party Managed On-Premises Hosting **Where Networks Are Hosted** 2014 (n=1727) 2015 (n=2417) 2016 (n=2887) 51% 48% 24% 20% 10% On-Premises as Part of a Private Cloud On-Premises On-Premises but Managed by an External Third-Party Off-Premises Private Cloud Off-Premises Public Cloud Source: Cisco 2017 Security Capabilities Benchmark Study 50% 54% 23% 18% 8% 50% 46% 27% 25% 9% ###### Operations, Policies, Procedures, and Capabilities Figure 89 Proportion of Companies with a Security Executive 53% 52% 53% **Is There an Executive at Your Organization Who Has** **Direct Responsibility and Accountability for Security?** Respondents Who Reported Clarified Roles and Responsibilities No Yes **Executive’s Title** Respondents Who Reported Executive with Security Responsibility Chief Security Officer (CSO) 2016 (n=2754) 2015 (n=2288) 2014 (n=1603) 8% 92% 14% 15% 16% 10% 11% 10% 8% 11% 7% 8% 8% 9% 4% N/A N/A 3% 2% 4% 1% 1% 1% 8% 92% 9% 91% Chief Information Officer (CIO) Chief Executive Officer (CEO) or equivalent Senior Vice President (SVP) or Vice President (VP) of IT Chief Technology Officer (CTO) Chief Risk and Compliance Officer (CRO) or (CCO) Chief Operating Officer (COO) Another Title Source: Cisco 2017 Security Capabilities Benchmark Study **87** 2016 (n=2530) 2015 (n=2095) 2014 (n=1465) **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 90 Percentages of Companies That Have a Formal Organization-Wide Security Strategy and Follow Standardized Security Policy Practices **Security Standards** **Standardized Security Policy Practice** Have a Written Formal Organization-Wide Security Strategy That's Reviewed Regularly Follow a Standardized Information Security Policy Practice such as ISO 27001 Formally Define Critical Business Assets That Require Special Consideration for Risk Management That Are Either Business-Critical or Regulated to Have Increased Protection 62% 66% 59% 55% 52% 52% 43% 38% 54% Currently in Process of Becoming Certified Preparing for Certification Process Follow Health-Care Focused Standardized 2% 2016 (n=1596) 65% Security Policies such as NIST 800‒66, N/A ISO27799, ISO80001 N/A Already Certified None of the Above 1% 1% 1% 2016 (n=2912) 2015 (n=2432) 2014 (n=1738) Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 91 Percentages of Respondents Who Strongly Agree with Security Process Statements Employees at My Organization Are Encouraged to Report Failures and Problems with Security Security Processes and Procedures at My Organization Are Clear and Well-Understood Line-of-Business Managers Are Encouraged to Contribute to Security Policies and Procedures **52%** 55% **55%** 57% 1% **2016** 2015 2014 **2016** 2015 2014 **2016** 2015 2014 **95%** 94% **96%** 95% **1%** **4%** **96%** **1%** **4%** **58%** 62% 95% **<1%** **4%** 5% **43%** 40% 4% **40%** 39% 1% 4% **38%** 33% 1% 3% 5% 32% 61% 92% 3% 6% 36% 56% 91% 3% 5% 39% 53% 92% Security Processes at My Organization Enable Us to Anticipate and Mitigate Potential Security Issues Proactively Security Processes at My Organization Are Measured and Controlled Using Quantitative Data My Organization Has Optimized Its Security Processes and Is Now Focused on Process Improvement **52%** 53% **50%** 53% 1% **95%** 95% **95%** 95% **1%** **4%** **1%** **4%** 95% **1%** **4%** **53%** 53% **96%** 4% **43%** 42% 4% **45%** 42% 1% 4% **43%** 43% 1% 3% 7% 38% 53% 91% 3% 6% 37% 54% 91% 3% 5% 39% 53% 92% My Organization Is Able to Detect Security Weaknesses Before They Become Full-Blown Incidents Line-of-Business Managers Get Security Policy Group Involved Before Making a Line-of-Business Application Decision **1%** **4%** 95% 91% **1%** **5%** **45%** **49%** **94%** 51% **94%** N/A N/A **49%** 51% 49% **96%** 1% 3% 4% 6% **46%** 45% 41% 2016 (n=2912) 2015 (n=2432) 2014 (n=1738) Strongly Disagree Disagree Agree Strongly Agree % Agree + Strongly Agree Source: Cisco 2017 Security Capabilities Benchmark Study **88** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 92 Percentages of Respondents Who Strongly Agree with Security Process Statements Access Rights to Networks, Systems, Applications, Functions and Data Are Appropriately Controlled Technical Security Controls in Systems and Networks Are Well Managed Computer Facilities Within My Organization Are Well Protected **55%** 56% **56%** 57% 1% **2016** 2015 2014 **2016** 2015 2014 **2016** 2015 2014 **96%** 96% **96%** 96% **<1%** **3%** **<1%** **4%** **55%** 59% **97%** 97% **<1%** **4%** 4% **41%** 40% 4% **40%** 38% 1% 3% **41%** 38% 0% 2% 4% 33% 61% 94% 2% 3% 35% 60% 95% 2% 4% 36% 57% 94% We Regularly Review Our Security Practices and Tools to Ensure That They Are Up to Date and Effective We Do a Good Job of Building Security into Systems and Applications We Do a Good Job of Building Security into Our Procedures for Acquiring, Developing, and Maintaining Systems **52%** 56% **53%** 54% 1% **96%** 96% **96%** 96% **<1%** **4%** **<1%** **4%** **96%** 97% **<1%** **4%** **56%** 60% 3% **43%** 41% 4% **43%** 42% 1% 3% **40%** 37% 1% 2% 5% 35% 59% 93% 2% 5% 35% 58% 93% 2% 4% 38% 56% 94% Information Assets Are Inventoried and Clearly Classified We Do an Excellent Job of Managing HR Security We Do a Good Job Building Security into External, Customer-Facing Mobile Apps **<1%** **4%** **95%** 95% **1%** **5%** **45%** **49%** **94%** **1%** **6%** **43%** **51%** **94%** **51%** 53% 5% 51% 44% 94% 1% 5% **44%** 42% 1% N/A N/A 2% 6% 39% 54% 93% 2% 5% 40% 53% 93% 2016 (n=2912) 2015 (n=2432) 2014 (n=1738) Strongly Disagree Disagree Agree Strongly Agree % Agree + Strongly Agree Source: Cisco 2017 Security Capabilities Benchmark Study **89** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 93 Percentages of Respondents Who Strongly Agree with Security Controls Statements We Have Well-Documented Processes and Procedures for Incident Response and Tracking We Have Good Systems for Verifying That Security Incidents Actually Occurred We Do a Good Job of Notifying and Collaborating with Stakeholders About Security Incidents **52%** 53% **2016** 2015 2014 **2016** 2015 2014 **2016** 2015 2014 **53%** 54% 1% **95%** 95% **95%** 95% **<1%** **4%** **1%** **5%** **53%** 54% **95%** 96% **<1%** **4%** 4% **43%** 42% 5% **42%** 41% 1% 4% **42%** 42% 1% 2% 5% 37% 56% 94% 1% 6% 38% 54% 93% 2% 5% 43% 51% 94% We Follow a Standardized Incident Response Practice Such as RFC2350, ISO/IEC 27035:2011 or US Cert **6%** **44%** **50%** **93%** 6% 44% 49% 93% 8% 41% 49% 90% 51% **94%** We Have a Good System for Categorizing Incident-Related Information **4%** **44%** **51%** **96%** 4% 43% 53% 96% 5% 40% 54% 93% We Have a Good Crisis Management Response Protocol We Have Effective Processes for Interpreting and Prioritizing Incoming Incident Reports and Understanding Them **<1%** **5%** **44%** **51%** **95%** N/A N/A 2016 (n=2912) 2015 (n=2432) Strongly Disagree Disagree Agree Strongly Agree % Agree + Strongly Agree 2014 (n=1738) Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 94 Management and Efficacy of Security Technologies **What Are the Most Effective Security** **Technologies Used by the Organization?** 2016 (n=2895) 28% 14% 14% 17% Firewall DDoS Defense Data Loss Prevention Encryption/Privacy/Data Protection Endpoint Protection/Antivirus, Anti-Malware Mobility Security Secure DNS Email/Messaging Security Access Control/Authorization Intrusion Prevention **What Are the Most Time-Consuming and Most** **Difficult Security Technologies for Staff to Manage?** (Mentions over 10%) 2016 (n=2895) 20% 16% 16% 15% 12% 12% 12% 11% 11% 11% 15% 10% 13% 12% 14% 10% Source: Cisco 2017 Security Capabilities Benchmark Study **90** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 95 Year-over-Year Use of Security Threat Defense **Security Threat** **Defenses Used** **by Organization** **Defenses** **Tthrough** **Cloud-Based** **Services*** **Defenses** **Tthrough** **Cloud-Based** **Services*** 20% 24% 28% 18% 21% 26% N/A N/A N/A N/A N/A N/A 15% 21% 25% N/A N/A N/A N/A N/A N/A 12% 17% 20% N/A N/A N/A 58% 34% Firewall** 65% 31% Mobility Security N/A N/A N/A N/A N/A N/A N/A N/A **Security Threat** **Defenses Used** **by Organization** 35% 44% 51% 32% 40% 48% 32% 31% 42% 32% 38% 43% 32% 41% 48% 30% 32% 39% 29% N/A N/A 27% 34% 38% 26% 26% 31% 1% 8% 1% 11% 1% 13% Data Loss Prevention Encryption/Privacy/ Data Protection Secure DNS Email/Messaging Security Web Security Endpoint Protection/ Anti-Malware Access Control/ Authorization DDoS Defense Secured Wireless Identity Administration/ User Provisioning Intrusion Prevention** 42% 22% N/A N/A N/A N/A 42% 27% 52% 34% 56% 37% 41% 25% 51% 31% 59% 37% 41% 24% 49% 25% 49% 25% 40% N/A 48% N/A 53% N/A 38% N/A 37% N/A 36% N/A 37% 19% 41% 19% 50% 26% 35% N/A 45% N/A 45% N/A 35% 17% 44% 20% N/A N/A 45% 56% 55% 44% 53% 53% VPN Network Forensics Security Information and Event Management (SIEM) Vulnerability Scanning Patching and Configuration Multi-Factor Authentication Penetration Testing Endpoint Forensics Authentication Network Security, Firewalls and Intrusion Prevention** None of the Above N/A N/A 53% N/A 52% N/A N/A N/A N/A N/A 60% 35% 2016 (n=2912) 2015 (n=2432) 2014 (n=1738) Source: Cisco 2017 Security Capabilities Benchmark Study **91** 2016 (n=2725) 2015 (n=2268) 2014 (n=1646) - Security Respondents Who Use Security Threat Defenses ** Firewall and Intrusion Prevention Were One Code in 2014: “Network Security, Firewalls and Intrusion Prevention” **Appendix** 2016 2015 2014 ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 96 Extent That Customer Protection Factors into Security Decision-Making 2016 (n=2878) Graphic Rounded to Nearest Whole Number Not at All Not Very Much Somewhat Very Much Extremely % Very Much + Extremely Source: Cisco 2017 Security Capabilities Benchmark Study ###### Risks and Vulnerabilities Figure 97 IT Security Personnel's Biggest Sources of Concern Related to Cyber Attacks 2016 (n=2912) Graphic Rounded to Nearest Whole Number Not a Risk Slight Risk Moderate Risk High Risk % Moderate + High Risk Source: Cisco 2017 Security Capabilities Benchmark Study **92** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 98 Security Professionals' Biggest Sources of Concern Related to Cyber Attacks 2016 (n=2912) Graphic Rounded to Nearest Whole Number Not at All Not Very Somewhat Very Challenging Challenging Challenging Challenging Extremely Challenging % Very + Extremely Challenging Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 99 Distribution of Security Teams' Efforts IT Security Personnel (n=2854) Endpoints Customer Data Servers Where Does the Security Team Spend the Majority of Its Efforts? 23% 29% 47% Source: Cisco 2017 Security Capabilities Benchmark Study **93** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Incident Response Figure 100 Percentages of Security Alerts That Are Investigated or Remediated 7% Have Not Experienceda Security Alert 93% Have Experienceda Security Alert 56% Of Seen AlertsAre Investigated 28% Of Investigated AlertsAre Legitimate 46% Of Legitimate AlertsAre Remediated 2016 (n=2796) Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 101 Average Time to Detect Security Breaches 2016 (n=2860) **Average Alerts Seen By** **Organization on a Daily Basis** Less Than 5K 5K–10K 10K–50K 50K–100K 100K–150K Over 150K ###### 50% 15% 11% 8% 6% 4% **Appendix** 8 Hours or Less 9-24 Hours 25-48 Hours More Than 2 Days but Less Than 1 Week 1-2 Weeks 3 Weeks to a Month 1 Month to 3 Months More Than 3 Months, but Less Than 1 Year 1 Year or More 5% 3% 1% 1% 0% 43% 25% 15% 7% Source: Cisco 2017 Security Capabilities Benchmark Study **94** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 102 Groups Notified in the Event of an Incident Office of the CEO or President Operations Finance Department Technology Partners Human Resources 46% 30% 22% 45% Legal 32% Marketing 26% N/A 36% 31% 40% 29% 21% 40% Engineering 33% Business Partners 21% 46% 38% 32% 37% 25% 15% 40% All Employees 27% Insurance Companies 15% N/A 35% N/A 36% 34% 31% 33% 36% 25% 28% 33% 23% 24% 28% External Authorities 15% 18% 22% 45% Manufacturing Public Relations 2016 (n=2912) 2015 (n=2432) 2014 (n=1738) Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 103 KPIs Used by Organizations to Assess Security Performance 2016 (n=2912) Time to Detect (e.g., Time Threat Entered Environment to Detection) Time to Patch (e.g., Time from Patch Release to Implementation) Time to Contain (e.g., Time from Detection to Containment/Quarantine) Time to Remediate (e.g., Time from Quarantine to Operational) None of the Above 3% 59% 52% 44% 30% Source: Cisco 2017 Security Capabilities Benchmark Study **95** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 104 Year-over-Year Use of Process to Analyze Compromised Systems **Processes to Analyze Compromised Systems** 2014 (n=1738) 2015 (n=2432) 2016 (n=2912) 57% 53% 49% 48% 47% 38% 35% 36% 37% 34% 33% 1% Firewall Log System Log Analysis Network Flow Analysis Malware or File Regression Analysis Registry Analysis Full Packet Capture Analysis IOC Detection Disk Forensics Correlated Event/Log Analysis Memory Forensics External Incident Response/Analysis Teams None of the Above Source: Cisco 2017 Security Capabilities Benchmark Study 61% 59% 53% 55% 50% 47% 38% 40% 42% 41% 37% 2% 56% 50% 49% 47% 43% 40% 38% 36% 35% 34% 34% 1% ###### Figure 105 Year-over-Year Use of Process to Eliminate the Cause of Security Incidents **Processes to Eliminate Cause of Security Incidents** 2014 (n=1738) 2015 (n=2432) 2016 (n=2912) 55% 55% 53% 48% 47% 47% 40% 41% 1% Quarantine or Remove Malicious Application Root Cause Analysis Stop Communication of Malicious Software Additional Monitoring Policy Updates Stop Communication of Compromised Application Long-Term Fix Development Re-image System to Previous State None of the Above Source: Cisco 2017 Security Capabilities Benchmark Study **96** 58% 55% 53% 52% 51% 48% 47% 45% 2% **Appendix** 52% 51% 48% 48% 45% 43% 41% 39% 1% ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 106 Year-over-Year Use of Process to Restore Affected Systems **Processes to Restore Affected Systems** 2014 (n=1738) 2015 (n=2432) 2016 (n=2912) Implementing Additional or New Detections and Controls Based on Identified Weaknesses Post Incident Restoring from a Pre-Incident Backup Patching and Updating Applications Deemed Vulnerable Differential Restoration (Removing Changes Caused by an Incident) Gold Image Restoration None of the Above Source: Cisco 2017 Security Capabilities Benchmark Study 60% 57% 60% 56% 35% 2% 56% 59% 55% 51% 35% 1% 56% 55% 53% 50% 34% 1% ###### Figure 107 Attack Simulations: Frequency and Extent of Driving Security Defense Improvements **How Often Does Your Organization Run Attack Simulations?** 2016 (n=2868) **To What Extent Do the Results of Attack Simulations Drive** **Improvements in Your Security Defense Policies, Procedures,** **or Security Technologies?** 2016 (n=2736) Never 4% Weekly 28% ###### 47% 44% Monthly Quarterly Semi-Annually Annually Regularly, but Less Than Once a Year ###### 1% 3% 0% 1 2 3 4 5 Not at All A Great Extent 28% 33% 21% 8% 4% 8% ###### 1% 3% 0% Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 108 Importance of Attributing Origin of a Security Breach IT Security Personnel (n=2901) Graphic Rounded to Nearest Whole Number Not at All Not Very Somewhat Very Important Important Important Important Extremely Important % Very + Extremely Important **Appendix** Source: Cisco 2017 Security Capabilities Benchmark Study **97** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Breaches and Their Impacts Figure 109 Percentage of Organizations Experience a Public Breach 53% 48% 49% ###### Figure 110 How Much Did the Breach Drive Improvements in Your Security Threat Defense Policies, Procedures, or Technologies? 52% 38% ###### 0% ###### 9% 1% 2014 (n=1701) 2015 (n=2347) 2016 (n=2824) Not at All A Great Extent Respondents Affected By a Security Breach (n=1388) Source: Cisco 2017 Security Capabilities Benchmark Study 1 2 3 4 5 Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 111 Length and Extent of Outages Caused by Security Breaches **Length of System Outages Due to Breach** 2016 (n=2665) **Percentage of Systems Impacted Due to Breach** 2016 (n=2463) 0 Hours, No Outage 7% 0% 1% 19% Less Than 1 Hour 1‒4 Hours 5‒8 Hours 9‒16 Hours 17‒24 Hours More Than 24 Hours 13% 25% 1‒10% 11‒20% 21‒30% 31‒40% 41‒50% 51‒60% 61% or More 22% 20% 20% 15% 15% 11% 10% 9% 6% 9% Source: Cisco 2017 Security Capabilities Benchmark Study **98** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 112 Improvements Made to Protect Your Company from Security Breaches 37% 38% 43% 38% 38% 37% 42% 37% 40% 37% Separated Security Team from IT Department Increased Security Awareness Training Among Employees Increased Focus on Risk Analysis and Risk Mitigation Increased Investment in Security Defense Technologies or Solutions Increased Investment in Training of Security Staff **Appendix** 2015 (n=1109) 2016 (n=1375) Source: Cisco 2017 Security Capabilities Benchmark Study **99** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Vendor Choice and Expectations Figure 113 Importance of Data Protection and Privacy for Vendors **What Data Protection and Privacy Processes and Policies** **Are Most Important for a Vendor to Have?** 2016 (n=2912) **What Data Protection, Privacy Standards and Certifications** **Are Required for a Vendor to Work with Your Organization?** 2016 (n=2870) Organization-Wide Policies 35% ISO 27001 on Data Access Controls 39% Data Incident Response Program Organization-Wide Policies on Breach Notifications Organization-Wide Policies on Access to Data Held by Vendor Mandatory and Continuous Employee Training Organization-Level Privacy of Design Assess Data Risk and Organizational Maturity Policies on Sharing Data Residency and Data Sovereignty Active Dialogue With Board of Directors Regarding Data Risk Data Retention Policies Proactive Measurement and Monitoring/Audit Compliance 17% 33% ISO 27018 NIST Cybersecurity Framework/Standards Privacy Shield Service Organizational Controls (SOC) Compliance TRUSTe Compliance GAPP (Generally Accepted Privacy Principles) HIPAA Compliance EU Model Clauses PCI-DSS Compliance Binding Corporate Rules APEC Cross Border Privacy Rules FedRAMP FISMA 34% 31% 28% 27% 28% 27% 28% 26% 26% 25% 26% 24% 25% 22% 25% 13% 23% 9% 23% 18% 18% Source: Cisco 2017 Security Capabilities Benchmark Study **100** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Security Capability Maturity Model Figure 114 Security Maturity by Country USA Brazil Germany Italy **25%** **29%** **41%** 22% 27% 45% 16% 27% 44% United Kingdom **38%** **29%** **28%** 32% 22% 32% 18% 25% 41% Japan **32%** **26%** **35%** 34% 16% 32% **4%** 9% 5% **5%** 5% 16% **4%** 14% **21%** **26%** **47%** 20% 16% 50% **25%** **30%** **41%** 24% 26% 40% 35% 24% 34% **7%** 12% 4% **31%** **28%** **34%** 24% 24% 39% 25% 27% 43% **5%** 7% 23% **36%** **31%** **28%** 36% 23% 34% 25%13% 38% **2016** 2015 2014 **2016** 2015 2014 **2016** 2015 2014 **2016** **4%** 4% 10% **5%** 14% 16% **7%** 16% Australia China India **5%** 4% 10% **31%** **34%** **31%** **35%** **21%** **31%** 37% 25% 32% 29% 32% 36% **17%** **31%** **47%** 21% 34% 40% 16% 20% 54% 29% 36% 29% **13%** 6% 3% 35% 19% 30% Mexico Russia France **4%** 14% **30%** **27%** **39%** 27% 26% 32% **6%** 15% **35%** **26%** **32%** 35% 20% 29% 22% 40% 14% 24% N/A N/A N/A Canada **7%** **36%** **23%** **33%** Low Lower-Middle Upper-Mid High Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 115 Maturity Model Ranks Organizations Based on Security Process 5-Segment Based On Q9 Series ###### Figure 116 Segment Sizing for Maturity Model 36% 36% 39% Upper– Middle Middle Upper– Middle Middle Lower– Middle 1% Low 2% 4% 2016 (n=2852) 2015 (n=2401) 2014 (n=1637) Source: Cisco 2017 Security Capabilities Benchmark Study **Appendix** High **Level 5** **Level 4** **Level 3** **Level 2** **Level 1** ###### Optimizing Focus Is on Process Improvement ###### Quantitatively Managed Processes Quantitatively Measured and Controlled ###### Defined Processes Characterized for the Organization; Often Proactive ###### Repeatable Processes Characterized for Projects; Often Reactive ###### Initial Processes Are Ad Hoc; Unpredictable 28% 25% High 23% 30% 28% 26% 6% 9% 8% Low Low Source: Cisco 2017 Security Capabilities Benchmark Study **101** Lower– Middle ----- **Cisco 2017 Annual Cybersecurity Report** ###### Industry-Specific Figure 117 Percentage of Healthcare Businesses That Have Implemented Standardized Security Policies **Implemented Standardized Security Policies** Healthcare Business Follows Healthcare-Specific Information Security Policy Practice, 2016 (n=65) **Which Resources Are Used to** **Measure Companies Against HIPAA** **Privacy Rules and Security?** HIT Security Guidance Current HIPAA Document (Currently Omnibus) HHS.OCR Audit Frameworks HITRUST or Other Private Framework Third-Party Assessments ###### Figure 118 Resources Healthcare Companies Use to Measure Themselves Against HIPAA Privacy Rules 24% Healthcare Businesses 2016 (n=219) ISO80001 (Medical Device) ISO27799 NIST 800-66 74% 60% 45% 40% 52% 52% Source: Cisco 2017 Security Capabilities Benchmark Study 37% None of the Above 6% Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 119 Most Common Security Measures Among the Healthcare Businesses with Medical Device Networks **Does Your Organization Have a Medical Device Network That Is** **Converged with a Main Hospital Network?** No, There Is Not a Medical Device Network in Our Organization No, the Medical 6% Device Network(s) Is/Are Isolated 15% and Managed Internally Healthcare Businesses 16% (n=219) No, the 63% Yes Medical Device Network(s) Is/Are Standalone and Managed by a Vendor Source: Cisco 2017 Security Capabilities Benchmark Study **102** **Which of These Security Measures, if Any, Has Your Company** **Implemented to Protect and Secure Your Medical Device Network?** Companies with a Medical Device Network in Their Organization (n=207) **Appendix** Network Access Control Advanced Malware Protection/Detection Multi-Factor Device Authentication IPS/IDS, Deep Packet Inspection Automated Threat Defense/Response Traffic Analysis/ Anomaly Detection Posture Assessments and/or Device Profiling Segmentation/ Micro Segmentation 59% 56% 49% 48% 48% 45% 40% 32% None of the Above 1% ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 120 Sample Profile for Telecommunications **Which Telecommunications Subsector Is** **Your Organization Primarily Involved In?** Telecommunications Businesses (n=307) **Which of These Services Does Your** **Company Offer to Your Customers?** Telecommunications Businesses (n=308) Communications Equipment Service Provider (Traditional) Cable/Satellite Operator Media/Broadcasting Over-the-Top Provider (Netflix, Hulu, Etc.) Managed Security Services 47% Provided to End Customers 2% 71% 60% 59% 57% 33% 11% Core Production Networks, such as IP (Including Television), Mobile, etc. Enterprise Environment Datacenters 7% Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 121 Security Strategies Factors for Telecommunications **Relative Priority to Security Strategies and Protocols** Telecommunications Businesses (n=308) Average Percentage of Availability Average Percentage Average Percentage of Confidentiality of Integrity #### 34% 36% 31% **Availability: Assuring** Reliable Access to Data **Confidentiality: Assuring That Data** Is Only Accessed by Appropriate Parties **Integrity: Assuring That Data** Is Precise and Accurate Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 122 Security Priorities for Telecommunications **Rank in Terms of Priority to Security in Organization** Telecommunications Businesses (n=308) Securing the Data Centers In the Core Production Network That Delivers Highly Available IP and/or Mobile Services Providing Managed Security Services The Enterprise Network and Internal Data Source: Cisco 2017 Security Capabilities Benchmark Study **103** 34% 21% 24% 22% 26% 21% 29% 24% 21% 30% 19% 30% 20% 28% 29% 24% Ranked 1st Ranked 2nd Ranked 3rd Ranked 4th **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 123 Sample Profile for Transportation **Does Your Company Utilize a** **Does Your Company Participate In Security** **Security Operations Center (SOC)?** **Standards Bodies or Industry Organizations?** No, But There Are Plans to Implement a Security Operations Center in the Next Year ###### 14% No, and There Are No 11% Immediate Plans to Implement a Security Operations Center **Which Transportation Subsector Is Your** **Organization Primarily Involved In?** Transportation Businesses (n=180) Freight and Logistics Mass Transit Rail Roadways Aviation Maritime Vehicles 5% 5% Yes No ###### 12% Transportation Businesses (n=179) **Which of the Following Security Areas** **Do You Have Responsibility In?** Transportation Businesses (n=180) Yes 54% Operational Technology Security 84% 71% 43% 11% 9% 9% Critical Infrastructure Security Vehicle Security 7% Source: Cisco 2017 Security Capabilities Benchmark Study **104** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 124 Sample Profile for Utilities/Energy **When These Drills or Exercises Are** **Performed, Which Parties Are Involved?** Security Partners **Which Utilities/Energy Subsector Is** **Your Organization Primarily Involved In?** Oil and Gas ###### 42% Utilities/Energy Businesses (n=116) 58% Electric Utilities **How Often Does Your Organization Conduct** **a Drill or Exercise to Test Your Company’s** **Response Plan to a Cybersecurity Incident?** 84% Once Every 6 Months Once a Year Once Every 2 Years Rarely Never 6% 2% 0% 31% 55% 1% 37% 69% 64% 33% Utilities/Energy Businesses (n=116) Internal Non-Security Personnel Business Partners First Responders Local or State Agencies Federal Agencies Other Utility Providers None of the Above 26% 20% Utilities/Energy Businesses (n=116) Source: Cisco 2017 Security Capabilities Benchmark Study ###### Figure 125 Sample Profile for Financial Services **Which Financial Services Subsector Is** **How Much Do You Think Security Is Being** **Your Organization Primarily Involved In?** **Influenced by the Following Trends?** Financial Services Businesses (n=509) Graphic Rounded to Nearest Whole Number Source: Cisco 2017 Security Capabilities Benchmark Study **105** **Appendix** Not at All A Great Extent % Top 2 Choices ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 126 Data Security for Retail **To What Extent Do You Agree or Disagree** **With Each of These Statements?** Retail Businesses (n=290) Graphic Rounded to Nearest Whole Number Strongly Somewhat Somewhat Disagree Disagree Agree Strongly Agree % Somewhat + Strongly Agree Source: Cisco 2017 Security Capabilities Benchmark Study **106** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Malware Families ###### Figure 127 File Extension and MIME Combinations for Dridex (Web and Email Vectors) **Unique Vectors** ###### Figure 128 Hash Ages for the Dridex Malware Family and Percent of Total Hash Volume Observed Per Month 100% exe & application/msdos-program docm & application/vnd.ms-word... docm & application/vnd.openxml... xls & application/vnd.ms-excel doc & application/msword exe & application/msdownload doc & text/plain pxls & application/vnd.ms-excel pdf & application/msword zip & application/zip zip & application/zip doc & appl/text doc & application/vnd.msword doc & application/winword doc & application/word doc & application/x-msw6 doc & application/doc doc & application/vnd.ms-word doc & application/x-msword no extension & application/msword no extension & text/plain js & text/plain rtf & application/vnd.openxml... no extension & application/rtf no extension & application/vnd... exe & application/executable doc & application/vnd.openxml... doc & application/xml rtf & application/xml rtf & text/plain rtf & application/msword pdf & application/vnd.openxml... dot & application/vnd.openxml... Source: Cisco Security Research 80% 60% 40% 20% 0% 1% Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 <24 Hours 1–2 Days 3–10 Days 11–30 Days 31–90 Days 90+ Days 0.5% 0% Email Web Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Source: Cisco Security Research ###### Figure 129 TTD for the Dridex Malware Family 20.4 20 15 10 5 0 16.9 10.2 7.2 5.5 Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Source: Cisco Security Research **107** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 130 File Extension and MIME Combinations for the Family of Threats and Indicators That Lead to and Include the Cerber Payload (Web and Email Vectors) ###### Figure 132 Hash Ages for the Cerber Malware Family and Percent of Total Hash Volume Observed Per Month 100% **Unique Vectors** zip & application/zip doc & application/msword vbs & text/plain rtf & application/vnd.openxml... dotm & application/vnd.open... exe & application/msdownload js & text/plain  no extension & application/zip html & application/zip jpg & image/jpeg rtf & application/msword Source: Cisco Security Research 80% 60% 40% 20% Email Web ###### Figure 131 TTD for the Cerber Malware Family 160 120 0% 0.2% Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 <24 Hours 1–2 Days 3–10 Days 11–30 Days 31–90 Days 90+ Days 80 40 0 116.1 26.2 0.1% 0% 5.1 5.9 Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Source: Cisco Security Research Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2016 Source: Cisco Security Research ###### Figure 133 Hash Ages for the Locky Malware Family Per Month 100% ###### Figure 134 Hash Ages for the Nemucod Malware Family Per Month 100% 80% 60% 80% 60% 40% 20% 40% 20% 0% 0% Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 <24 Hours 1–2 Days 3–10 Days 11–30 Days 31–90 Days 90+ Days Source: Cisco Security Research <24 Hours 1–2 Days 3–10 Days 11–30 Days 31–90 Days 90+ Days Source: Cisco Security Research **108** **Appendix** ----- **Cisco 2017 Annual Cybersecurity Report** ###### Figure 135 Hash Ages for the Adwind RAT Figure 136 Hash Ages for the Kryptik Malware Malware Family Per Month Family Per Month 100% 80% 100% 80% 60% 40% 60% 40% 20% 0% 20% 0% Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep Oct 2015 2016 <24 Hours 1–2 Days 3–10 Days 11–30 Days 31–90 Days 90+ Days Source: Cisco Security Research <24 Hours 1–2 Days 3–10 Days 11–30 Days 31–90 Days 90+ Days Source: Cisco Security Research **109** **Appendix** ----- **Americas Headquarters** Cisco Systems, Inc. San Jose, CA **Asia Pacific Headquarters** Cisco Systems (USA) Pte. Ltd. Singapore **Europe Headquarters** Cisco Systems International BV Amsterdam, The Netherlands [Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.](http://www.cisco.com/cisco/web/siteassets/contacts/index.html) Published January 2017 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: [www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does](http://www.cisco.com/go/trademarks) not imply a partnership relationship between Cisco and any other company. (1110R) Adobe, Acrobat, and Flash are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. -----