Tripwire Study: Federal Government IT Professionals Overconfident in Insider Threat Detection

PORTLAND, Ore. – June 30, 2016 – Tripwire, Inc., a leading global provider of endpoint detection and response, security and compliance solutions, today announced the results of an extensive study conducted for Tripwire by Dimensional Research. The Tripwire study evaluated the confidence of IT professionals regarding the efficacy of seven key security controls, which must be in place to quickly detect a cyber attack in progress. Study respondents included 763 IT professionals from various industries, including 103 participants from federal government organizations.

Despite the persistent issues surrounding privileged access, almost one-third (thirty percent) of federal government respondents in Tripwire’s survey disclosed they are not able to detect every non-privileged user’s attempt to access files. In addition, seventy-three percent of federal government respondents assume their system would generate an alert or email within hours if a user inappropriately accessed file shares. Verizon’s 2016 DBIR reported that seventy percent data breaches caused by insider misuse took weeks, or even years, to detect.

According to Verizon’s 2016 Data Breach Intelligence Investigations Report (DBIR), the public sector reported more security incidents than any other industry in 2015. In addition, privileged access misuse and non-malicious events made up nearly half (forty-six percent) of the reported incidents.

“More and more, information security is about protecting sensitive data,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “Federal government agencies have a gap in identifying when data is accessed and how it’s shared. We can expect more breaches to occur until these gaps are addressed.”

Additional findings from the study include:

  • Seventy-eight percent of federal government respondents believe they could detect new devices on their network within hours. However, over half (fifty-two percent) of the respondents do not know exactly how long the detection process would take. 
  • Fifty-eight percent of federal government respondents say their automated tools do not pick up all the necessary information, such as the locations and departments, needed to identify unauthorized configuration changes to endpoint devices.
  • A quarter (twenty-five percent) of federal government respondents say their standard patching process does not include validation of patch success on all target systems.
  • Forty-eight percent of federal government respondents report that all detected vulnerabilities are not fixed within 15 to 30 days.

“Authorization creep is something many organizations fail to address,” said Travis Smith, senior security research engineer for Tripwire. “As employees change roles or are promoted, their roles and responsibilities change; as does their access to confidential information. Protecting confidential information is more than reviewing access denied attempts; employees may be abusing authorized access as well. Following these recommended controls and continuous monitoring over critical and/or confidential information is vital to reduce the likelihood or impact of insider threat.” 

Tripwire’s study is based on seven key security controls required by a wide variety of compliance regulations, including PCI DSS, SOX, NERC CIP, MAS TRM, NIST 800-53, CIS Top 20 and IRS 1075. These controls also align with the United States Computer Emergency Readiness Team (US-CERT) recommendations and international guidance, such as the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions.

The recommendations and guidance include:

  • Accurate hardware inventory.
  • Accurate software inventory.
  • Continuous configuration management and hardening.
  • Comprehensive vulnerability management.
  • Patch management.
  • Log management.
  • Identity and access management.

When implemented across an organization, these controls deliver specific, actionable information necessary to defend against the most pervasive and dangerous cyber attacks. It is vital for organizations to identify indicators of compromise quickly so that appropriate action can be taken before any damage is done.

For more information on this study, please visit:

About Tripwire

Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context; together these solutions integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions includes configuration and policy management, file integrity monitoring, vulnerability management, log management, and reporting and analytics. Learn more at, get security news, trends and insights at or follow us on Twitter @TripwireInc.

Press Contacts

Ray Lapena
PR Manager