SURVEY: Are businesses leaving their perimeters unprotected?
ITWeb, in partnership with CyberAntix, conducted an online cyber security survey in June that interrogated the current status of South African organisations’ incident response preparedness.
The survey aimed to establish which security solutions organisations have in place, and looked into how businesses are handling alerts, their alerting configurations and how alerts are responded to. It also asked whether they’re scanning their environment for vulnerabilities.
A total of 208 responses were captured, with 56% of respondents being at executive or middle management level, working across a range of industries.
The top five security solutions that respondents’ organisations had in place were antivirus (69%), Active Directory (50%), Web application firewall (45%), endpoint detection and response (41%) and DNS protection (35%).
Dr Pierre Jacobs, head of Compliance and Operations at CyberAntix, says, “The respondents’ answers seem to indicate that there’s a focus on endpoint protection controls. Active Directory also seems to be a concern. DNS protection is still quite novel, and I have only seen this at larger organisations. What strikes me is the lack of reference to perimeter and network controls.”
While 63% of respondents say they receive alerts directly in dashboards or mailboxes, nearly a quarter (23%) centrally collect all logs and send alerts from a SIEM solution. And 10% don’t receive any alerts at all.
Dr Jacobs comments: “It seems as if the majority of respondents understand the importance of monitoring for alerts. Usage of a SIEM is indicative of a SOC / cyber operations capability. It seems as if not many respondents have a SOC (23%) and therein lies an opportunity. The lack of SOC / cyber ops capability usage leads me to conclude that not many respondents action the events / alerts they see, and this in turn could mean that monitoring is done for compliance requirements only.”
He highlights that this is only a hypothesis, but one that is supported by the answers to the survey’s subsequent questions.
Asked about the alerting configuration of their security solutions, 41% of respondents say some of the alerts are vendor default and they have configured some customised alerts to suit their organisation’s specific requirements. 36% say a large number of alerts have been configured to suit their organisation’s specific requirements. A quarter (23%) say all of the alerts are vendor default and they haven’t configured any customised alerts.
“It’s heartening to see that 36% of organisations fine-tuned their alerts. Alerting and use cases should be tailored to an organisation’s cybersecurity requirements (critical assets / threat model / industry vertical and so on). This ensures high-fidelity alerts. This provides us with a unique opportunity with 64% of respondents.”
Thirty-eight percent of respondents are doing internal vulnerability scans and are actively managing vulnerabilities. Some 29% do internal vulnerability scans themselves mostly to receive a report for compliance requirements, while 21% outsource this function to a third party and 13% don’t scan for vulnerabilities within the environment at all.
“Vulnerability scanning should be actively managed, and vulnerabilities addressed. Only 38% of respondents actively manage and address vulnerability scans. It is interesting to see that there’s quite a healthy appetite to outsource vulnerability scanning to third parties. In my experience, outsourcing penetration testing is more common. This may be indicative that most respondents do not have a robust vulnerability management strategy and process in place,” says Dr Jacobs.
Asked which compliance requirements their organisation needed to adhere to or would like to adopt in the future, 68% said POPIA, half (47%) said ISO 27000 and 37% said COBIT5. These were followed by NIST and GDPR, with 26% each.
“Government is mandated by DPSA to use COBIT. POPIA is to be expected. It would be interesting to see how many respondents will seek ISO 27000 certification,” he concludes.