
Sophos Survey Highlights Need for Better Network Security


A recent Sophos global survey finds that IT managers are more than twice as likely to catch cybercriminals on their organization’s servers and networks than anywhere else:


We agree: network traffic analysis is the most effective approach to detecting today’s threats. But then again, we might be biased. 😊

With that said, there are a variety of ways to interpret this data. One is that compromises are found on servers more often because servers are better protected than endpoints or mobile devices. You read that right. The thinking is that because servers have better protection and alerting capabilities, it’s easier to identify attackers there. Detection on servers could also be easier because servers tend to have fixed functions, which makes anomalous behavior much easier to spot by comparison. Never mind that servers (hopefully) should have fewer layer 8 (“the human element”) security problems.

The sad reality is that there could be just as many compromises on endpoints and mobile devices that don’t manifest themselves on servers, but we simply don’t know about them.

On the other hand, it makes sense that the network is effective because it represents ground truth. Attackers can disable endpoint security agents, install kernel rootkits to bypass security controls, and delete logs / traces – but they can’t unsend a packet.

This also raises an interesting question: how many of those server compromises had an endpoint ahead of them in the kill chain vs. being exploited directly? Given the way the threat environment has been evolving, it is plausible that the answer is a fairly high percentage. And unfortunately, it also means that by the time you detect it on the server, it might be far into the kill-chain and the impact / costs could already be mounting.

Playing blindfolded is not a recipe for success

Blindfolded - I've got to stop playing ... pin the tail on the hacker!!!

The survey also highlights that many IT teams lack visibility into attacker dwell time. When asked how long it took to discover the most significant cyberattack in the last year, the average response from participating organizations was 13 hours (for those that knew the answer, that is). For 17 percent of threats, organizations weren’t even sure how long the attacker had been in their environment before being discovered. Couple that with the fact that 20 percent have no idea how the attacker got in! How can you truly mitigate a threat that you don’t know about or can’t trace back to its origin?

These stats are extremely alarming for a variety of reasons. Adversaries can wreak significant damage in mere seconds or minutes, let alone hours, yet it’s clear most security teams lack the tools necessary to identify these threats as soon as they arise. According to the survey, the challenge with investigations and root cause analysis goes much deeper: organizations spend, on average, 41 days each year investigating non-issues. That’s a whopping 85 percent of the time they spend investigating as a whole! This highlights a huge inefficiency and speaks volumes about the security investigation gap that many SOCs unfortunately face.

Awake’s Approach


Given security teams’ limited time and resources, the Awake Security Platform delivers context-rich, correlated incidents that span entities, time, protocols and attack stage. This has two advantages:

  • Firstly, it helps security teams move beyond the typical, cumbersome alert triage process inundating many SOCs. It also helps identify the root cause, “patient zero”, while exposing the entire kill chain—how did the attacker get in, how long have they been in the environment, and what is the scope of entities involved (devices, users, applications, etc.).
  • Secondly, correlating a number of weak-signal behaviors, each of which would be a noisy alert on its own, into a single “smoking gun” incident keeps false positives down. This dramatically lowers the wasted investigation time the survey exposed.

Within our customer deployments we find that the Awake Security Platform’s entity-centric approach also offers 143 percent greater visibility into what’s actually in your environment. This gives teams the unique ability to spot sophisticated attacker tactics, techniques and procedures (TTPs) that previously only a highly experienced threat hunter could see. These advanced detection “skills” are built into the platform, empowering analysts at every level to spot threats early in the attacker lifecycle and cut response time.

If you’re struggling with the same security issues brought to life in the Sophos survey, schedule a demo with Awake today.