Attackers are bypassing perimeter detection methods

More organisations are operating under the assumption that their network has already been compromised, or will be, according to a survey conducted by the SANS Institute on the behalf of Guidance Software. Fifty-six percent of those surveyed assume that they have been breached or will be soon compared with 47 percent last year. However, organisations are not taking a proactive approach to detecting threats or achieving greater visibility into their networks.

SANS surveyed 1,827 IT professionals in the United States for the 2nd annual SANS Endpoint Security Survey, to explore how IT professionals monitor, assess, protect and investigate their endpoints, including servers. A majority of respondents were security analysts (33 percent), followed by security managers or chief information security officers (16 percent), and IT managers or CIOs (13 percent).

The survey results underscore that despite the increased assumption of compromise, visibility into endpoints remains an issue. Highlighting the need for detection at the endpoint, this year, 55 percent of respondents say that up to 30 percent of their incidents should have been detected by perimeter security measures but weren’t. Furthermore, organizations admit that stealthy attacks are not the ones bypassing their defenses—39 percent reported that less than 10 percent of their adversaries were advanced or used stealth advanced exploit and hiding techniques.

“Relying solely on perimeter detection is insufficient to detect and root out threats. In fact, it appears that the lack of visibility into threats is increasing as organizations become overly dependent on perimeter defenses,” said Jake Williams, Instructor and Course Author at the SANS Institute. “Furthermore, many organizations are not proactively hunting for threats on their networks, which is a risky approach since they are not working under the assumption of compromise. Instead, many are simply waiting for alerts from defenses attackers have long since bypassed.”

Other key findings from the survey include:

• Prevention—Thirty-four percent did not know what percentage of threats are detected through proactive discovery. This a double-fold increase from last year’s survey. Additionally, 25 percent indicated that they do not know what threats should have been blocked by firewalls, routers and other edge detection solutions.
• Detection—Fifty-five percent of respondents say 30 percent of incidents should have been detected by perimeter security measures but weren’t, and almost a quarter of respondents were notified of a compromise by a third party.
• Automation—For a majority of participants, false positive rates are unacceptably high, with 52 percent of organizations suffering false positive rates in excess of 20 percent. Automation levels continue to lag behind what respondents want. Respondents’ projections of achieving automation in 24 months remained relatively stable compared to last year.
• Response—A majority (83 percent) need results from endpoint queries in an hour or less and 28 percent want that data in five minutes or less. The ability to quickly conduct investigations is a top priority.
• Remediation—Wipe and reimage remains the most popular technique for remediating compromised endpoints according to 79 percent of respondents.

Top Challenges to Incident Recovery: In addition to learning about respondents’ opinions about outsourcing or insourcing security response actions, the survey also measured the top five challenges to incident recovery. They were:

  • Assessing the impact
  • Determining the scope of a threat across multiple endpoints
  • Determining when the incident is fully remediated
  • Hunting for compromised endpoints
  • Determining what company confidential and/or regulated data was at risk because of compromised endpoints

“Cybercriminals are constantly looking for new ways to bypass security measures and no organization is immune from attack,” said Ken Basore, CIO for Guidance Software. “Organisations must embrace an aggressive approach – constantly searching for threats inside their network. In order to be vigilant, organisations must gain visibility into endpoints to determine what sensitive data is stored on them and be able to create a sustainable model of protection.”

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Cloud

Understanding Cloud Data Security and Priorities

Survey Creation and Methodology The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to widely…
digital trust

Building digital trust

A new global study has identified significant economic value in building digital trust. A 5% increase in digital trust results…

Videosoft partners with Cradlepoint

Videosoft Global has announced a partnership with Cradlepoint, a leader in cloud-delivered 5G and LTE wireless network edge solutions.

Videosoft partners with Cradlepoint

Videosoft Global has announced a partnership with Cradlepoint, a leader in cloud-delivered 5G and LTE wireless network edge solutions.

ManageEngine releases SaaS version of Analytics Plus

ManageEngine today announced that its IT analytics product, Analytics Plus, is now available as a SaaS offering.

Videosoft partners with Cradlepoint

Videosoft Global has announced a partnership with Cradlepoint, a leader in cloud-delivered 5G and LTE wireless network edge solutions.

ManageEngine releases SaaS version of Analytics Plus

ManageEngine today announced that its IT analytics product, Analytics Plus, is now available as a SaaS offering.
quantum

97% of UK businesses expect quantum computing to disrupt their sectors

97% of UK businesses expect quantum computing to disrupt their sectors. A report published by EY revealed a significant number (97%) of UK
NinjaOne

NinjaOne hires former Head of Security at Splunk

NinjaOne, the unified IT operations platform for managed service providers (MSPs) and IT departments, announces Mike Arrowsmith as its new
IT security

The convergence of physical and IT security

“The age of IoT and AI means that physical and IT security are no longer separate domains. Instead, everything is connected, and you need to converge your
Scroll to Top