Monthly Archives: September 2017

Declining confidence in IT, but still reasons for optimism

Larry Ponemon

Public sector organizations are feeling the pains of digital transformation. Faced with modernization, data center upgrades and continuous cloud-first initiatives, this transformation of the IT environment is making it a challenge to deliver services, comply with service level agreements (SLAs), meet citizens’ expectations and achieve organizational missions.

The evidence is clear from a research study conducted by the Ponemon Institute and sponsored by Splunk of 736 decision makers in federal and Department of Defense IT operations.

Challenges & Trends in Federal & Department of Defense: the United States reveals that digital transformation is well underway with budgets shifting from traditional on premise investments to more cloud and agile development paradigms.

This shift in the IT environment, while being embraced, has led to an overall loss of confidence in federal and DoD operations and is evidenced in respondents’ lack of confidence in their organizations’ ability to accomplish the following:

  • Have the people with the right skills to “get the job done”
  • Ensure performance and availability of systems to meet SLAs consistently
  • Manage data center upgrades
  • Perform IT operations efficiently
  • Migrate workloads and applications to the cloud

Research findings explain the reasons for the loss of confidence. These include skills gap among existing resources, according to 71 percent of respondents. Respondents also cite silos of IT systems and technologies and an inability to integrate them (71 percent of respondents) and complexity and diversity of IT systems and technology (67 percent of respondents).

Even with monitoring and data analytics in place, these tools are disconnected from each other and most respondents believe they are ineffective at helping quickly pinpoint issues and determine root cause (78 percent of respondents) because they do not offer end-to-end visibility.

Respondents also say that a lack of collaboration across teams and not enough data fidelity and context are challenges to timely issue resolution. Such challenges also affect organizations’ ability to quickly and efficiently respond to system outages and interruptions.

On average, it takes 42 hours and 12 staff members to restore the IT system to operational status following a system outage or interruption.

Despite the loss of confidence, respondents do see a silver lining in the transformation of their IT operations. According to respondents, the move to DevOps (development and operations) is making it easier to deliver quality services on time and within budget. To support the transformation, organizations are shifting spending from on premise to cloud computing, DevOps and new technologies.

Respondents also recognize that machine learning capabilities (27 percent), better network visibility across the entire organization (26 percent) and better enforcement of current policies and regulations (26 percent) can improve their organizations’ IT operations. Respondents are also increasingly aware of the types of data available and how such data can be used across operational silos to reduce risks to their organizations.

Following are key findings from this research:

Confidence in current IT operations is lower than it was 12 months ago. The primary reasons for this change are not having the staff with the right skills “to get the job done”, the inability to ensure performance and availability of systems to meet SLAs, and the inability to manage data center upgrades.

The confidence gap seems to stem from a skills gap, silos and complexity. Respondents believe that the greatest difficulties in carrying out their duties arise from a skills gap among existing resources (71 percent of respondents), silos of IT systems and technologies and a lack of ability to integrate them (71 percent of respondents) and complexity and diversity of IT systems and technology (67 percent of respondents).

Machine learning capabilities, visibility and enforcement of policies are seen as critical to improving IT operations. Out of a list of five options of the most effective way to strengthen IT operations, 27 percent of respondents believe that machine learning capabilities would be most effective. Better network visibility across the entire organization and better enforcement of current policies and regulations would strengthen IT operations (both 26 percent of respondents).

Spending on cloud operations and DevOps will grow significantly while on-premise spending dwindles. Almost one-half of respondents (49 percent) say that spending on cloud operations and 48 percent of respondents say DevOps will grow over the next year, while only 31 percent say that on-premise spending would do the same.

Alerts still remain too numerous and erroneous, and current event monitoring tools are not solving the problem. More than half of respondents say they still receive too many alerts (52 percent) and that those alerts generate too many false positives (55 percent). Seventy-eight percent of respondents are unsure or do not think that their current crop of analytics and monitoring tools are helping them pinpoint problems and determine root causes because they lack end-to-end visibility.

The challenges and risks described in this research result in inefficient response to system outages and interruptions. According to 65 percent of respondents, their organizations lack a consistent and formal IT outage response process. On average, it takes 42 hours and 12 staff members to restore the IT system to operational status following a system outage and interruption.

Will IT and security converge? More than two-thirds of respondents (73 percent) do not believe or are unsure if their security and IT operations will converge in the future.

Is it possible to use the same data sets across the organization to solve problems? Sixty-four percent of respondents are unsure or don’t think the data sets they are using can solve multiple challenges such as IT troubleshooting, service monitoring, security and business/mission analytics. Similarly, 66 percent of respondents are doubtful the same data can be used throughout the organization.

For the full study, click here: https://www.splunk.com/en_us/resources/public-sector/ponemon-research.html

‘Nothing … in the way except motivation’ — Report claims hackers have penetrated deep into energy sector networks

Bob Sullivan

It started off as a fake invitation to a New Year’s Eve party, emailed to energy sector employees. It ended with hackers taking screenshots of power grid control computer screens. Well, we can only hope it ended there.

Symantec Corporation released an alarming report this week claiming that a group of power grid hackers it calls “Dragonfly 2.0” have made their most successful raid into critical infrastructure computers in the U.S. and around the world.

“The energy sector in Europe and North America is being targeted by a new wave of cyber attacks that could provide attackers with the means to severely disrupt affected operations,” Symantec wrote in its report.

In a chilling statement to Wired, Symantec’s Eric Chien said the incident means the intruders are, at the moment, capable of causing disruptions and power outages as they wish. They are just waiting for the right moment.

“There’s a difference between being a step away from conducting sabotage and actually being in a position to conduct sabotage … being able to flip the switch on power generation,” Eric Chien said. “We’re now talking about on-the-ground technical evidence this could happen in the US, and there’s nothing left standing in the way except the motivation of some actor out in the world.”

Security researchers have been watching Dragonfly for years, claiming the group has been probing energy sector machines since at least 2011. Symantec says it went dark until a reemergence in late December 2015, when the New Year’s Eve party invite went out. There is “a distinct increase in activity in 2017,” Symantec said.

“The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future,” according to the report.

Symantec doesn’t say where Dragonfly is from — and its report shows the hackers might be intentionally trying to confuse investigators. But late last year, the Department of Homeland Security claimed Dragonfly’s origins were Russian, and that it was one of several groups working to “compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities.”

Symantec says the most concerning evidence found during its analysis was the screen captures.

“In one particular instance the attackers used a clear format for naming the screen capture files, [machine description and location].[organization name]. The string ‘cntrl’ (control) is used in many of the machine descriptions, possibly indicating that these machines have access to operational systems,” it said.

Symantec links the initial hacker campaign to this more recent spate of attacks because there are similarities in the malware used. The Dragonfly campaigns that began in 2011 “now appear to have been a more exploratory phase,” Symantec said.

“The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future,” the firm claims. “What (the group) plans to do with all this intelligence has yet to become clear, but its capabilities do extend to materially disrupting targeted organizations should it choose to do so.”

Omer Schneider, CEO and co-founder of security firm CyberX, said this type of attack is inevitable.

“Why is everyone so surprised?” Schneider said. “As early as 2014, the ICS-CERT warned that adversaries had penetrated our control networks to perform cyber-espionage. Over time the adversaries have gotten even more sophisticated and now they’ve stolen credentials that give them direct access to control systems in our energy sector. If I were a foreign power, this would be a great way to threaten the US while I invade other countries or engage in other aggressive actions against US allies.”