Monday, September 25, 2017

Tag: security
HP's ArcSight 6.8c release provides a new real-time correlation engine and an improved user interface.

Hewlett-Packard today announced the ArcSight Enterprise Security Management (ESM) 6.8c release, providing users with a number of new and enhanced features. Updates to ArcSight ESM—the security information and event management (SIEM) technology that HP gained via a $1.5 billion acquisition in 2010—include the Correlation Optimized Retention and Retrieval (CORR) real-time correlation engine.

The ArcSight ESM 6.8c release has an automated rule optimizer that evaluates rule structures against incoming data and makes them more efficient. "Essentially, this reduces the number of partial rule matches that eat up system resources, enabling the system to monitor more credible potential threats and evaluate more events within the same allocation of system resources," Jeff Whalen, senior manager, product marketing for HP ArcSight, told eWEEK.

The ESM 6.8c release includes the HP ArcSight Command Center (ACC), which has also been enhanced. Users now have the ability to specify and monitor active channels of data with ACC through the browser-based Web interface. "By bringing this capability to the Web user interface, ArcSight enables additional team members to participate by utilizing this process through an easy-to-use, point-and-click interface that streamlines the detection to investigation process," Whalen said.

The new ESM release also offers users the promise of improved search speed and increased storage. ESM 6.8c increases on-board storage by 50 percent, from 8TB to 12TB, giving analysts access to more information to conduct investigations and analytics, Whalen said. More storage also means more data to search through, which is why HP ArcSight also improved its search performance, he added. "In rare event search use cases, we saw up to 1,000x faster results than the previous release of ESM," Whalen said.
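To make "partial rule matches" concrete, here is an added example (not ArcSight's code and not from the article): a minimal time-windowed correlation rule in Python, run over constructed log lines. The rule fires when one source produces five failed logins within 60 seconds followed by a successful login. Every failure that has not yet completed a match is a partial match the engine must hold in memory, and the engine expires stale ones so that state does not accumulate. The log format, field names, thresholds and IP addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from typing import Optional

# Constructed sample log lines in a hypothetical "<epoch> auth <FAILED|OK> user=<u> src=<ip>"
# format; they are not from the article. The first source brute-forces alice and then
# succeeds, the second produces slow, spread-out failures that never complete a match.
SAMPLE_LOGS = """\
1417000000 auth FAILED user=alice src=203.0.113.7
1417000005 auth FAILED user=alice src=203.0.113.7
1417000010 auth FAILED user=alice src=203.0.113.7
1417000015 auth FAILED user=alice src=203.0.113.7
1417000020 auth FAILED user=alice src=203.0.113.7
1417000025 auth OK user=alice src=203.0.113.7
1417000030 auth FAILED user=bob src=198.51.100.9
1417000100 auth FAILED user=bob src=198.51.100.9
1417000200 auth FAILED user=bob src=198.51.100.9
1417000210 auth OK user=bob src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_event(line: str) -> Optional[dict]:
    """Parse one log line into an event dict, or None for lines the rule cannot use."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    return ev


class BruteForceThenSuccessRule:
    """Fire when `threshold` failures from one source within `window` seconds
    are followed by a successful login from that same source.

    self.partial holds the partial matches: per source, the timestamps of
    failures that may still complete a match. Left unbounded, this is the
    state that eats up resources; expire() keeps it within the window.
    """

    def __init__(self, threshold: int = 5, window: int = 60):
        self.threshold = threshold
        self.window = window
        self.partial = defaultdict(deque)

    def expire(self, now: int) -> None:
        """Drop failures older than the window and forget sources with no state left."""
        cutoff = now - self.window
        for src in list(self.partial):
            q = self.partial[src]
            while q and q[0] < cutoff:
                q.popleft()
            if not q:
                del self.partial[src]

    def feed(self, ev: dict) -> Optional[dict]:
        """Consume one event; return an alert dict when the rule completes."""
        self.expire(ev["ts"])
        q = self.partial[ev["src"]]
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            return None
        # A success with enough recent failures completes the match. The partial
        # state is cleared so one burst yields one alert, not one per later success.
        if len(q) >= self.threshold:
            alert = {"ts": ev["ts"], "src": ev["src"], "user": ev["user"], "failures": len(q)}
            del self.partial[ev["src"]]
            return alert
        if not q:
            del self.partial[ev["src"]]  # do not keep the empty entry defaultdict created
        return None

    def partial_match_count(self) -> int:
        return sum(len(q) for q in self.partial.values())


def run(log_text: str, threshold: int = 5, window: int = 60):
    """Feed every line through the rule; return (alerts, partial matches still held)."""
    rule = BruteForceThenSuccessRule(threshold, window)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        alert = rule.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts, rule.partial_match_count()


if __name__ == "__main__":
    found, held = run(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT ts={a['ts']} src={a['src']} user={a['user']} failures={a['failures']}")
    print(f"partial matches still held: {held}")
```

Run as a script it raises one alert, for 203.0.113.7, and reports a single partial match still held (the slow source's last failure, which is inside the window). Widen the window and lower the threshold and the slow source completes a match too, at the price of more held state per source; that trade-off between window length, threshold and memory is the kind of thing a rule optimizer has to manage across thousands of rules.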
A key use case for ArcSight ESM is as part of a Payment Card Industry Data Security Standard (PCI DSS) compliance initiative. The PCI DSS 3.0 specification was announced in November 2013 and formally goes into effect on Jan. 1. ArcSight ESM 6.8c's feature functionality provides organizations with the framework necessary to incorporate changes in the PCI DSS 3.0 specification, Whalen said. HP has a broad security portfolio, and the integration of ArcSight ESM 6.8c with other HP products is part of the overall HP security effort. For example, with HP's TippingPoint intrusion prevention system (IPS), an ArcSight user is able to issue commands to close ports and block IP addresses when a threat is detected and can automatically do so using the HP ArcSight Threat Response Manager package, Whalen said. There is also an integration with HP Fortify to monitor applications for compromises and breaches with the HP Application View package for HP ArcSight.  "Utilizing HP Fortify runtime technology, Application View can see and log all application activity, including users, data access, source and destination IP addresses," Whalen said. Whalen added that log data can be sent to HP ArcSight for correlation as well as monitored through built-in dashboards and reports. The SIEM market is competitive and has multiple vendors, including IBM's QRadar SIEM and open-source upstarts like AlienVault. Whalen did not specifically identify the primary competition for ArcSight. "HP ArcSight already provides leading user behavior monitoring for insider threats," Whalen said. "We focused this latest release on improving the underlying, foundational technology that helps customers make the most of their deployments that sit at the heart of their security operations practice." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.  
From Ponemon to Pew, a series of surveys on privacy and U.S. citizens have found that people are paying more attention to how government and companies handle their data.

In 2013, the leak of classified U.S. government documents caused immediate repercussions both diplomatically and politically in many countries, especially for United States citizens, but public perceptions have taken longer to shift. Yet shift they have. A year later, citizens are concerned that they lack privacy online and have grown more wary of corporate data collection and government surveillance, according to a number of surveys released in the last month. A recent survey by Pew Research, for example, found 80 percent of adults concerned with government surveillance, and 70 percent concerned with how information posted online is used by companies. Meanwhile, 91 percent of consumers believe they have largely lost control of their personal information and how it is collected online.

The surveys show that consumers have woken up to the lack of privacy protections online and that could be an opportunity for companies, Eve Maler, a former Forrester Research analyst and now vice president of innovation and emerging technologies at security firm ForgeRock, told eWEEK. "Consumers are not really happy with the situation—they are ready for some different options," she said. "It largely seems hopeless to them, and that is an opportunity, I think, in the marketplace."

Consumers' privacy will likely become a major factor for businesses in 2015. Already, companies such as Apple and Google have followed the rising tide of privacy concerns, turning encryption on by default, for example, in their mobile device operating systems. A host of companies have launched products that focus on privacy and communications encryption, such as the privacy-first mobile phone Blackphone and the encrypted messaging service Wickr.
Startup companies that have made privacy a core value, such as the social network Ello, have also grabbed the public's attention. More subtle activity is driven by privacy concerns as well. Many companies are looking more closely at open-source software, for example, because the greater transparency of the code is considered a privacy plus, Larry Ponemon, chairman of the market survey firm Ponemon Institute, told eWEEK. In a survey of IT and IT security practitioners, the Ponemon Institute found that more than half of U.S. companies and about two-thirds of EU companies placed more trust in commercial open-source code to reduce privacy risks, compared with closed-source code. "The problem for many companies is that proprietary software potentially may be doing things with your data that you might not know," Ponemon said. "You get the pledge of the privacy policy, but no one reads it until there is a problem."

Yet privacy concerns are cyclical. In the 1990s, the backlash over government plans to create an encryption chip, the Clipper Chip, with a known backdoor for law enforcement gave momentum to privacy experts seeking greater protections. The current public concerns with data collection and communications surveillance could lead to a similar push for more privacy protections. "Ordinary people seem to be remarkably sanguine about what is really going on," ForgeRock's Maler said. "When it comes down to actual risk, however, people do what is necessary."
Distributed denial-of-service (DDoS) attacks continue to be a growing trend in 2014, according to the third-quarter 2014 Verisign Distributed Denial of Service Trends Report. Some of the trends in the third quarter were continuations of ones observed i...
Researchers from FireEye reveal a new hacking ring that has been targeting more than 100 financial services organizations to gain insight into non-public financial information.

An active group known as FIN4 is hacking Wall Street financial firms in a bid to gain privileged financial information about non-public upcoming market-moving announcements, according to a new report from FireEye. The FIN4 campaign began in the middle of 2013, according to FireEye. Sixty-eight percent of the companies that have been targeted are publicly traded health care and pharmaceutical companies, while 20 percent have been identified as firms that advise public companies on securities, legal, and merger and acquisition matters.

The name "FIN4" is one that FireEye chose for the group, Jen Weedon, threat intel manager at FireEye, told eWEEK. "We use the letters FIN for groups that we assess are financially motivated; it's an internal designation," Weedon explained. At this stage, it's not entirely clear how much money the FIN4 group has stolen, though FireEye is confident the group has had significant access to valuable insider information. "The amount of insider information they potentially have access to with all the credentials they've stolen is staggering, and would definitely give them a big leg up against an average investor," Weedon said.

The way FIN4 works is that the group leverages a number of well-known attack techniques to trick users into giving up access credentials. The techniques used by FIN4 are relatively simple but effective, she said. One of the techniques used is to "weaponize" documents. A weaponized document is one that looks legitimate, and may have been stolen from another victim's inbox, but has had a malicious payload, such as a macro or other Trojan, added to it. FIN4 sends the weaponized documents to targets that the hacker group believes have access to valuable insider financial information.

"These documents have embedded malicious macros which, if a user enters their credentials, allows FIN4 to capture the username and password of that user," Weedon said. "Then FIN4 has legitimate access to their inbox." Often, there is no malware on the victim machine, she said, adding that FIN4 can craft very realistic messages and inject themselves into ongoing email threads in victims' inboxes, so they are using pure social engineering to get the information they seek.

The idea of using a document macro capability to execute some form of attack is not a new one. The FIN4 hackers are leveraging Visual Basic for Applications (VBA) macros, the same basic attack method used by the Melissa macro virus in 1999 (ILOVEYOU, which followed in 2000, spread as a VBScript e-mail attachment rather than as an Office macro). So far in 2014, however, multiple vendors have reported an increase in VBA macro-based malware as the old attack method mounts a comeback.

As a potential defense against the FIN4 attackers, Weedon said that disabling VBA macros in Microsoft Office by default will help. Additionally, blocking FIN4's domains, which FireEye identifies in its report, is a good best practice. Weedon also suggests that organizations enable two-factor authentication for remote Webmail access to further reduce risk. Going a step further, Weedon said that FireEye has shared its research and findings with law enforcement.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
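A mail-gateway check for the weaponized-document vector described above, as an added example that is not FireEye's code and not from the article: it decides whether an OOXML (.docx/.docm family) file carries a VBA project by looking inside the package (the vbaProject.bin part, its declared content type and its relationship type) rather than trusting the file extension, so a macro document arriving under a name that does not advertise macros is still caught. The minimal Word package it builds is constructed for the test, and the verdict labels are assumptions. It deliberately answers only "does this file carry macros at all", which is what a block-macros-from-outside policy needs; reading the macro source itself requires an OLE parser and the MS-OVBA decompressor (oletools' olevba does that), and legacy binary .doc files are out of scope here.

```python
import io
import zipfile

# Identifiers from OOXML packaging that mark an embedded VBA project.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam")


def inspect_ooxml(data: bytes) -> dict:
    """Report VBA indicators found in an OOXML package by structure, not by file name."""
    report = {"is_ooxml": False, "vba_parts": [], "vba_content_type": False, "vba_relationship": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # not a zip at all, so not OOXML
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return report  # a zip, but not an OOXML package
        report["is_ooxml"] = True
        # Part names: the VBA project itself and the Word-specific vbaData part.
        report["vba_parts"] = [n for n in names if n.lower().endswith(("vbaproject.bin", "vbadata.xml"))]
        # Content type declaration for the VBA part.
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        report["vba_content_type"] = VBA_CONTENT_TYPE in content_types
        # Relationship from the main document part to the VBA project.
        for n in names:
            if n.lower().endswith(".rels") and VBA_REL_TYPE in zf.read(n).decode("utf-8", "replace"):
                report["vba_relationship"] = True
                break
    return report


def has_macros(data: bytes) -> bool:
    """Any one indicator is enough: an attacker controls the package, so do not require all three."""
    r = inspect_ooxml(data)
    return bool(r["vba_parts"] or r["vba_content_type"] or r["vba_relationship"])


def classify(filename: str, data: bytes) -> str:
    """Gateway verdict (labels are this example's own): 'clean', 'macro-enabled' when the
    extension admits macros, or 'macro-hidden' when VBA sits behind a non-macro extension."""
    if not has_macros(data):
        return "clean"
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "macro-enabled"
    return "macro-hidden"


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal Word package for testing. The vbaProject.bin content is a
    placeholder (OLE magic plus padding); a real one is an OLE compound file holding
    MS-OVBA-compressed macro source."""
    pkg_rels_ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    doc_rels = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                'relationships/styles" Target="styles.xml"/>')
    if with_macros:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        doc_rels += f'<Relationship Id="rId2" Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                    '<Default Extension="xml" ContentType="application/xml"/>' + overrides + '</Types>')
        zf.writestr("_rels/.rels",
                    f'<?xml version="1.0"?><Relationships xmlns="{pkg_rels_ns}">'
                    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                    'relationships/officeDocument" Target="word/document.xml"/></Relationships>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/'
                    'wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels",
                    f'<?xml version="1.0"?><Relationships xmlns="{pkg_rels_ns}">' + doc_rels + '</Relationships>')
        if with_macros:
            # Constructed placeholder: OLE compound-file signature followed by zero padding.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, macros in (("invoice.docm", True), ("invoice.docx", True), ("invoice.docx", False)):
        print(f"{name}: {classify(name, build_sample(macros))}")
```

Paired with the advice in the article, this is the gateway half: quarantine or strip anything that classifies as macro-enabled or macro-hidden from external senders, and have the endpoint half, macros disabled by default in Office, catch whatever still arrives.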
The deal for the startup bolsters Intel's security efforts and gives it another tool beyond passwords to help consumers protect online data.

Intel is bulking up its security and software capabilities with the acquisition of PasswordBox, a small ID management startup whose technology enables users to do such tasks as log into Websites without having to memorize their passwords and protect personal information online. Intel officials announced the deal Dec. 1, adding that the PasswordBox business will be folded into the Safe Identity unit within Intel's Security Group. There have been more than 14 million downloads of the startup's technology, which lets users store their log-in information in a virtual lockbox. When a user wants to get into a Website or an app, he or she clicks on the site and PasswordBox deals with the log-in process. The software runs on both Apple iOS devices and those running Google's Android operating system.

It's another step in an effort by Intel to move the security industry beyond passwords, which have become a headache to users and a security risk for businesses, according to Intel officials. "Everyone can relate to password fatigue," Chris Young, senior vice president and general manager of Intel Security Group, said in a statement. "The PasswordBox service has already brought relief to millions of consumers who now enjoy simple, instant login. Intel Security and PasswordBox share the same goal of improving digital identity protection across all devices and platforms."

No financial details about the acquisition were released. PasswordBox was launched in July 2013 and has since grown to include 44 employees. In a Nov. 27 post on the company blog, PasswordBox officials reiterated Young's comments regarding a common goal between the two companies, and noted that joining Intel gives them access to a wide range of expertise, resources and support. "The possibilities of what we can build tomorrow—and how many people's lives we can positively impact—are extraordinary," the officials wrote.

PasswordBox's technology includes log-in capabilities via the company's one-tap feature for mobile devices and one-click for Web browsers. Users won't see much change immediately, and Intel is offering new and existing customers a premium subscription for free, a deal that will last until Intel Security releases a new product, according to the PasswordBox officials.

The tech industry is investigating a broad array of password alternatives—such as biometrics and single sign-on—for security online. Intel for the past several years has been working to build up its security capabilities, including the $7.68 billion deal to buy McAfee in 2011. The chip maker in January launched Intel Security, which combined the McAfee unit with the security efforts already underway at Intel. In September, Intel hired Young, who previously had spent three years heading up Cisco Systems' security business.

Intel officials said the PasswordBox acquisition will offer a number of benefits to users, including reducing the security challenges and headaches caused by the large numbers of passwords that consumers are forced to remember. Young noted a 2013 report by Deloitte that predicted that last year, 90 percent of user-generated passwords would be vulnerable to hacking, and that "inadequate password protection may result in billions of dollars of losses, declining confidence in Internet transactions and significant damage to the reputations of the companies compromised by attacks." Also in the report, Deloitte said that the 10,000 most common passwords would access almost 98 percent of all accounts.
In a blog post in May 2013 that laid out suggestions for creating more secure passwords, Intel and McAfee officials noted that 74 percent of Internet users use the same password for multiple sites, opening them up to even more dangers if the password is hacked. A report last year by information services firm Experian found that the average user had 26 password-protected online accounts but used an average of only five different passwords. Other benefits of the PasswordBox deal will be greater simplicity for users, who now are pushed to create increasingly complex passwords, and future products that will help consumers protect their log-in credentials and personal information, Intel officials said.  
TrustPipe says it has identified distinctive markers, similar to markers in DNA, that identify whole classes of threats.

Cyber-security startup TrustPipe launched what it calls a hack-proof solution for computers and devices, using a newly patented protocol called "marker-based security." According to the company, there are distinctive markers, similar to the markers in DNA, that identify whole classes of threats, and its product detects and blocks all variants, past and future, of each threat class, so it can tell when something unknown enters a system and quarantine it before it can cause any damage. For example, the company claims that TrustPipe-protected systems were not vulnerable to the Heartbleed and Shellshock threats because, while those threats were new to signature-based systems, to TrustPipe they were already members of an existing class, so no immediate update was required. In the case of a new threat class, which the company says occurs once or twice a year, TrustPipe automatically discovers the new threat, protects the compromised computer in real time, and then shares its discovery with every other TrustPipe in the world, inoculating the entire TrustPipe ecosystem.

"While many businesses, large and small, like to think that they are not a target—no pun intended—the fact is that every Internet-connected computer is constantly being probed by hackers," Ridgely Evers, TrustPipe CEO, told eWEEK. "The worst part is, these attacks succeed just because you are connected to the Internet—you don't have to 'do' anything to expose yourself." Evers noted thousands of new attack vectors are uncovered each year—more than 18 per day in 2013—far outstripping the abilities of even the best network security teams to stay current. The platform was developed by a team of Silicon Valley veterans with experience in network security, including data scientist Kanen Flowers and Evers, co-founders of nCircle, which was acquired by Tripwire last year.
Determining the ROI of security is challenging because "the benefit is 'bad stuff that didn't happen,' which is tough to measure," Evers said. "Therefore, when a business is contemplating alternative ways to use its resources, security is hard to cost-justify. That was one of the primary drivers behind our decision to keep the cost of TrustPipe—both the consumer as well as the business versions—extremely low." The company also announced it has signed a reseller agreement with NCR's telecom and technology business, a specialist in consumer transaction technologies with a presence in 180 countries worldwide. NCR will distribute, install and manage enterprise implementations of TrustPipe, beginning with TrustXP—a special version of TrustPipe designed to harden and extend the life of the approximately 300 million Windows XP computers still in use around the world. The enterprise version, TrustPipe for Business, is available from NCR, by visiting NCR's Website, while the consumer version is available from the TrustPipe Website. "The trend lines are clear—as the value of data on the Internet grows, the sophistication, patience and funding of attackers grows even faster. There are no barriers to entry for bad guys, and there are huge financial or political rewards," Evers said. "In other words, things are going to get worse with time."
NEWS ANALYSIS: Holiday season shoppers will now be able to buy things more securely as acceptance of cards with EMV chips grows, but real payment card security is still a long way off.

I was standing in line at a Walmart store in Fairfax, Va., when I spied the tell-tale slot in the credit card machine. Under the slot was a stylized image of part of a credit card with a chip. So when it was my turn I slipped one of my credit cards with an EMV (Europay, MasterCard, Visa) chip into the slot and waited. The pharmacist and a staffer moved over for a look. A series of prompts appeared on the credit card reader's LCD screen, at which point I punched in my PIN. The transaction took a few more seconds, then a receipt came out of the printer. I'd just done something that's all too rare in the U.S., despite the fact that it's common everywhere else in the world. I'd made a purchase using a chip and PIN card.

When I talked to the pharmacist at the register, she told me that only a couple of other customers had attempted to use cards with chips while she was there, but she said that she knew they were starting to appear in Walmart's stores. Part of the reason, she said, was that the company's own branded credit cards were all being replaced by chip and PIN cards.

My search continued. I shopped at several Target stores and two Home Depot stores in the Washington, DC, suburbs. The machines with the slots for accepting EMV cards were usually there. Target, which was hit a year ago by a massive data breach, seems to have replaced all of the card reader machines. But they didn't accept EMV cards—you still have to swipe the card so the machine can read the magnetic stripe. At Home Depot, which had an even worse data breach, the implementation of secure card readers seems to be only partially complete. I kept looking. The manager of a Safeway grocery store in Fairfax County, Va., had no idea what an EMV card was, for example. But there were bright spots, as well.
I was able to make secure payments using either cards with EMV chips or with Apple Pay at a variety of stores including at the Wegmans grocery chain and at a Subway restaurant. I was able to buy a healthful and nourishing breakfast at McDonalds securely. I took my quest to Sam's Club in the remote city of Lynchburg, Va., and I was able to buy some Diet Coke and a land line phone using my EMV-equipped credit card. I also visited a number of small businesses and whenever I had occasion to use a credit card, I would ask about EMV acceptance.
NEWS ANALYSIS: Full details emerge on the U.S. Postal Service breach, and some of the insights are surprising, including the fact that the USPS didn't immediately block compromised servers.

The United States Postal Service (USPS) publicly admitted that it was the victim of a cyber-intrusion on Nov. 10. As it turns out, the USPS had been aware of a potential intrusion since Sept. 11, and it took two months of planning and strategic actions until the public and USPS employees were informed. Full details on the USPS breach were provided by Randy Miskanic, vice president of secure digital solutions at the USPS, in testimony before the Subcommittee on Federal Workforce, U.S. Postal Service & the Census at the U.S. House of Representatives. The testimony, which took place on Nov. 19, is posted online and provides 11 pages of details on the actions and timeline of the USPS breach incident. The testimony gives insight into how much time and process is involved in detecting and responding to a breach, which is far from a rapid process.

Miskanic testified that on Sept. 11, 2014, the U.S. Postal Service Office of Inspector General (USPS OIG) received information from the U.S. Computer Emergency Readiness Team (US-CERT) regarding four Postal Service servers that may have been compromised. Rather than immediately take action to shut down or otherwise block the compromised servers, the USPS was advised to take no action. "The USPS OIG provided the CISO [Chief Information Security Officer] with an operational security warning advising that actions taken without coordination are likely to adversely impact the Postal Service's overall security posture," Miskanic testified. "The guidance document instructed the CISO to take no action—including further investigative activity, scanning, re-imaging, resetting account passwords, taking systems offline or searching IP addresses."
Initially, the USPS suspected that only four servers were compromised, but through monitoring actions that occurred from Sept. 19 to Oct. 2, an additional 29 servers were identified as potentially being compromised. The USPS identified three Postal Service user accounts as potentially being compromised as well. On Oct. 20, USPS staff provided a classified briefing to the National Security Council staff and the White House cyber-security director about the incident. It wasn't until Nov. 7, nearly two months after first being alerted to the breach in September, that the USPS activated a full remediation plan to remove the attacker risk from the network. "Implementing remediation plan elements required initiation of an information systems network brownout period, which limited communications between the Postal Service network and the Internet," Miskanic testified. "During the Nov. 8-Nov. 9 brownout period, virtual private network (VPN) connections were blocked and remote network access was denied." The USPS also put in additional security controls during the two-day brownout, including two-factor authentication for administrative accounts. Going a step further, the USPS began to block access to personal online email services, including Gmail and Yahoo. "In addition, direct database access is now only enabled to technology support staff, and a number of business applications have been retired," Miskanic testified. "These safeguards will continue to be reviewed and enhanced over the coming months in order to increase our overall security posture." What the Miskanic testimony clearly illustrates is that detecting or being alerted to a breach is only the first step in what can be a lengthy process to recovery. It's interesting to note that the USPS itself did not initially detect the breach, but rather was alerted to it by US-CERT. The fact that the initial course of action was to not immediately block the impacted servers is also very interesting. 
The USPS and its security partners wanted to be thorough and make sure they fully understood the problem so it could be properly fixed in a coordinated manner. In many security incidents, there is often a rush to judgment, but that's not necessarily always the right course of action. The USPS attack and response provide organizations with a case study in how a thoughtful process can be implemented in the event of a cyber-security incident. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Google may be asked to apply the privacy obligation to its main Google.com site. European Union privacy regulators may ask Google to extend users' "right to be forgotten" to its Websites outside the EU as well. Regulators meeting in Brussels, Belgium, Nov. 26 have prepared a proposal that will require Google to apply the EU privacy obligation—which gives its citizens the right to ask Google to remove content—to its main Google.com site in the United States and to other sites viewable from the EU, Bloomberg Businessweek reported today. The decision apparently is rooted in concerns that information blocked by Google in the EU will still be accessible to Internet users there simply by visiting Google search sites in other countries, Bloomberg said, quoting unnamed sources. If the proposal is approved, all search engine companies, and not just Google, will be required to abide by it. Isabelle Falque-Pierrotin, the chairman of the EU data protection council, is expected to present the guidelines later today, possibly with some modifications, the Bloomberg report noted. A Google spokesman said the company hasn't seen the EU Article 29 Working Party's new guidelines yet. "But we will study them carefully when they're published," he said. Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), said the proposal that is reportedly being considered by the EU makes sense. "This is a logical and sensible request from the European Union since Google is the entity that gathers the personal data and chooses to make the subsequent disclosure," he said in emailed comments. "It would make little sense to allow Google to publish in domains outside of Europe private facts concerning EU citizens that should be removed from Google search results." The more interesting question now is how Google will respond to growing expectation that the company will recognize a similar legal right in the United States and other countries, he said. 
In May of this year, the Court of Justice of the European Union held that European privacy law gives citizens the right to ask Internet search engine companies like Google to remove search results pointing to inaccurate, outdated or incomplete data about them. The Right to Be Forgotten decision was related to a lawsuit filed by an individual in Spain who wanted Google to remove search results pointing to two articles in a Spanish-language newspaper from 1998 that mentioned his name in connection with the recovery of Social Security debts.

Since the European court ruling this May, Google says it has received more than 174,000 right-to-be-forgotten requests from EU citizens and has evaluated some 602,000 URLs for removal. So far, the company has removed 42 percent of the URLs that people have asked it to remove and is in the process of working through the remaining requests. The removal requests have involved a wide range of content, including criminal records, embarrassing photos, slander, online bullying, negative press mentions and content pertaining to sexual crimes, Google has noted.

Google has maintained that while it wants to be respectful of EU law, the right-to-be-forgotten obligation is a new and difficult challenge for the company. It requires Google "to weigh, on a case-by-case basis, an individual's right to be forgotten with the public's right to information," Google's Advisory Council on the Right to be Forgotten has noted. "We want to strike this balance right."

This week's proposal, if adopted, would extend Google's obligation to remove content at the request of EU users to its main Website as well. It is unclear how the company will respond to the new development or even what its legal obligations will be under the new proposal. Either way, the company is likely going to have to find a way to respond to the issue quickly because there are signs of similar demands from countries outside the EU as well.
In October, for instance, a court in Tokyo ordered Google to remove about 120 search engine results pointing to articles hinting about a certain individual's involvement in a crime from more than 10 years ago. Some privacy groups, such as the Electronic Frontier Foundation, have expressed alarm at the EU requirement and have likened it to censorship. "The court has created a vague and unappealable model, where Internet intermediaries must censor their own references to publicly available information in the name of privacy, with little guidance or obligation to balance the needs of free expression," the EFF noted in a blog in July. "That won't work in keeping that information private, and will make matters worse in the global battle against state censorship."
NEWS ANALYSIS: Although 2014 has been the year of the retail breach, consumers looking to do some holiday shopping have very little to worry about. On Black Friday in 2013, millions of consumers shopped at retailers that had been breached by point-of-sale (POS) malware. A year later, has anything changed? Target admitted in December 2013 that it was breached between Nov. 27 and Dec. 15 of that year in an incident in which 70 million customers were impacted. The breach also cost Target $148 million in expenses and took the jobs of Target's CIO and CEO. As it turns out, the Target breach was only the leading edge of an avalanche of retail breaches that were disclosed in 2014. Grocery chain SuperValu, UPS, Michaels, Dairy Queen, Goodwill, Staples and Home Depot are among the retailers that admitted being breached during the year. Surprisingly, while the Target breach was reported last December and was the subject of intense scrutiny and discussion in the first half of this year, lessons learned from that incident apparently were not enough to stem the tide. Home Depot, for example, reported its breach in September, with the actual attack lasting from April to September. That means that Home Depot's systems were breached long after Target's disclosure and long after the retailer should have been able to discern lessons and best practices from that incident. With Home Depot, the retailer has admitted that a third-party vendor's username and password were compromised. That credential compromise was then leveraged by the attacker to gain access to the Home Depot network. Once inside, a privilege escalation flaw was exploited, giving the attacker broader access. With that access, some form of POS malware was deployed, which is how the customer information was stolen. The problem with the Home Depot breach scenario is that it is likely the same as what happened at Target. 
It is also likely the same scenario that has played out at other retailers as well, including some that consumers will shop at on Black Friday. While this has been a year of disclosures and discussion about retail breaches, the simple truth is this: Little has changed. POS malware is still widely deployed, with the Backoff POS malware alone infecting a thousand retailers, according to the U.S. Secret Service. Going a step further, privilege escalation vulnerabilities, which in my view are at the root of many retail breaches, remain difficult to deal with. Case in point, it was just last week that Microsoft issued an emergency out-of-band patch for a Kerberos authentication flaw identified as CVE-2014-6324. That vulnerability could potentially enable an attacker to elevate his or her privileges to control an entire system. While there is a patch available, Microsoft itself warned that a complete fix of a potentially compromised domain requires the organization to completely rebuild its domain. Given the proximity to Black Friday and the complexity of rebuilding domains, I suspect that not all retailers that run Windows have actually heeded Microsoft's advice. While there are likely still privilege escalation risks present in some retailer networks and there are also likely still many undetected POS infections, not all is lost.

Don't Panic

While the risk of retailer breaches on Black Friday is still present, there is much reason for optimism too. Thanks to the Target breach and those like it, there has been heightened awareness among law enforcement and credit card issuers. While as yet unknown breaches and POS malware might well be lurking on Black Friday retailer systems, the "good guys" are watching for bad things.
Adobe issued an out-of-band patch update on Nov. 25 for a vulnerability identified as CVE-2014-8439, which impacts the Adobe Flash Player. Typically, an out-of-band patch update is a rare event that is reserved for severe and risky zero-day flaws, but that's not quite what is going on with the new Adobe update. The CVE-2014-8439 vulnerability was actually first mitigated during Adobe's regular Patch Tuesday update on Oct. 14. Adobe spokesperson Heather Edell told eWEEK that the October update included a proactive mitigation, which typically is not assigned a Common Vulnerabilities and Exposures, or CVE, number. "We were later notified that there was an attack in the wild, and we identified that the proactive mitigation was blocking this attack," Edell said. "Since there was a specific attack in this area, we added further mitigations in today's release." The actual CVE-2014-8439 vulnerability is what Adobe's advisory describes as a "de-referenced memory pointer that could lead to code execution." Though Adobe has now issued further mitigations for CVE-2014-8439, it's not because any attacks were actually able to bypass the protection that Adobe provided in the October update. "Out of an abundance of caution, we are releasing further changes that strengthen the mitigation against potential variants," Edell said. "That said, we are not aware of any attacks, in the wild or otherwise, that can bypass the October mitigation." In my view, this is truly a dramatic turnaround for Adobe, in contrast to the way it used to deal with security. Back in 2009, Adobe was largely a reactive company when it came to security, dealing with what seemed like an endless stream of zero-day vulnerabilities with active exploits in the wild. The Nov. 25 out-of-band update, in contrast, is a remarkably proactive effort to protect users.
In a 2013 video interview I did with Adobe Chief Security Officer Brad Arkin, he explained to me how Adobe made security a core principle of the entire company's development efforts. It's an effort that is clearly working today. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Security professionals are reluctant to adopt a more comprehensive endpoint data security approach for fear the gains in security may be outweighed. Information security professionals overwhelmingly covet a single, comprehensive endpoint security solution; however, endpoint security deployment is tactical and driven more by firefighting than strategy, according to a report on endpoint security conducted by Enterprise Strategy Group (ESG) on behalf of Digital Guardian. Despite recognition of the problem—that endpoints are still at risk and data breaches are increasingly common—more than one-third of respondents to the survey aren't addressing the problem strategically because members of the security staff are spending too much time attending to high-priority issues. More than half of the survey respondents increased budgets for endpoint security, but much of the investment went to antivirus (AV) protections, and nearly one-third of respondents describe a complex enterprise landscape where they deploy three or more unique AV products. "To truly secure the data, you must be at the endpoint, you must see every data and process event, and you must have controls set up. This is hard, but it can be done," Ken Levine, CEO of Digital Guardian, told eWEEK. "Given that data is the target from threats originating both inside and outside the organization, companies must recognize this and make data protection a priority for 2015. The good news is that the winds are changing—we're hearing from more and more customers that are seeing the need as billions of dollars in perimeter defenses have not been able to stop data breaches." Compounding this complexity is the fact that more than half of those surveyed shift between AV vendors frequently, impacting end-user performance and draining IT resources. 
When asked what type of endpoint security technology approaches would be most attractive, more than half of the respondents said a comprehensive endpoint security solution from a single vendor. "We strongly believe that protecting data at the endpoint should top the security professionals' list of 2015 priorities. While traditional DLP [data loss prevention] solutions have not necessarily been implemented beyond compliance, a proper data protection strategy is still the single best way to go," Levine said. "Even the recent hacking incident at Sony Studios makes it clear—data is the target and adding protections at the data level is the only way to ensure protection." Yet the report indicated senior security professionals are reluctant to adopt a more comprehensive endpoint data security approach for fear the gains in security may be outweighed by an impact on end-user productivity, a significant and common enterprise concern. "The research shows that the biggest stumbling block is even getting up to the start line," Levine said. "Companies already have antivirus protections in place, so when faced with questions about endpoint security it is easier to shuffle around AV vendors to help address problems, rather than taking a step back and developing a strategy. IT professionals are also very sensitive to negatively impacting end-user productivity and disrupting the status quo."