Venafi Survey: 23% of Security Professionals Don’t Know How Their Organization Is Addressing Threats Hiding in Encryption
April 5, 2017
Nearly a quarter of the survey respondents (23%) have no idea how much of their encrypted traffic is decrypted and inspected.
Venafi®, the leading provider of protection for machine identities, today announced the results of a survey of over 1540 information security professionals on their organizations’ capability to defend against threats hiding in encrypted communications. According to the survey, nearly a quarter of the respondents (23 percent) have no idea how much of their encrypted traffic is decrypted and inspected.
“Encryption offers the perfect cover for cyber criminals,” said Kevin Bocek, chief security strategist for Venafi. “It’s alarming that almost one out of four security professionals doesn’t know if his or her organization is looking for threats hiding in encrypted traffic. It’s clear that most IT and security professionals don’t realize the security technologies they depend on to protect their business are useless against the increasing number of attacks hiding in encrypted traffic.”
Key survey findings include:
According to the 2017 Mandiant M-Trends report, the average time it takes to detect a cyber attack is 99 days, but 41 percent of respondents to the Venafi survey believe they can detect and respond to a cyber attack hidden in encrypted traffic within one week. Additionally, 20 percent believe they can detect and respond to a cyber attack within one day.
A surprising number of respondents (41 percent) say they encrypt at least 70 percent of their internal network traffic; 57 percent say they encrypt 70 percent or more of their external web traffic.
Almost one fifth (19 percent) of the respondents said they decrypt and inspect all of their encrypted traffic.
“Although the vast majority of the respondents inspect and decrypt a small percentage of their internal encrypted traffic, they still believe they can quickly remediate a cyber attack hidden in encrypted traffic,” Bocek continued. “The problem is that attackers lurking in encrypted traffic make quick responses even more difficult. This is especially true for organizations without mature inbound, cross-network, and outbound inspection programs. This overconfidence makes it very clear that most security professionals don’t have the strategies necessary to protect against malicious encrypted traffic.”
Venafi conducted this survey of over 1540 information security professionals at RSA Conference 2017.