SANS Endpoint Survey Results Released: Endpoint Security Processes and Visibility Remain Challenges

Centralised logging and automation solutions are now a necessity to detect, defend against and respond to modern attacks, according to the SANS 2019 Endpoint Protection and Response Survey released by SANS Institute. These solutions include data analytics tools – such as security information and event management (SIEM) and endpoint detection and response (EDR) – as well as anomaly detection technologies like user behaviour monitoring and machine learning.


“Attacks often start on employee workstations, then pivot to critical data sources on servers,” says SANS instructor and survey co-author Justin Henderson. “That makes endpoints ground zero for protecting an organisation’s assets. But defending them from attacks isn’t easy.”


In fact, 39% of survey respondents have concerns about employee-owned mobile devices and lack processes to cover them in corporate policy. Employer-owned devices fare better, with only 25% being concerned about such endpoints and unable to cover them in organisational security plans. This lack of control may be related to the fact that fewer than 27% of employee-owned laptops and mobile devices are centrally managed.


“Due to the never-ending nature of cyberattacks, it is vital that organisations collect the data that will enable them to quickly identify the attack, mitigate any damage and remediate the issues,” according to survey co-author and SANS instructor John Hubbard. “However, due to the complex nature of logging and multitude of data sources, many organisations struggle to gather the proper data they need to conduct efficient incident response and remediation activities.”


While 11% of respondents report an inability to identify what data has been breached, and 66% find it difficult, the SANS survey indicates that a combination of file access auditing, DLP and EDR solutions might help organisations that struggle with these activities. The 2019 survey also shows that the use of next-generation endpoint controls is increasing within organisations. Anomaly detection increased by 10% and machine learning solutions increased by 12%. Even automation tools and vulnerability scanners increased in implementation by 5% year-over-year.


Other statistics identified in the report included:


  • 62% of breaches can be identified within the first 24 hours
  • 28% of survey respondents confirmed that attackers had accessed endpoints
  • Phishing was the top attack vector (cited by 57.8% of respondents), followed by browser-based drive-by download attacks (51.8%) and then credential theft or compromise (48.2%).


You can download the report from:


The report is sponsored by Cisco Systems, OpenText Inc., Sophos Inc., and VMware Carbon Black.



About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organisation. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions worldwide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner’s qualifications via over 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet’s early warning system, the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organisations from corporations to universities, working together to help the entire information security community.

