A few years ago, we saw a clear difference between state actors and criminals looking at the technologies and procedures they applied attacking an environment. Over time we have seen these two groups coming closer together. In the meantime, criminals seem to have caught up. They started to use more sophisticated and targeted malware and they do not shy away from calling their victims and helping them to run “the macro in the Word document”…
FireEye shows these trend in their latest report M-Trends 2017: Trends Behind Today’s Breaches & Cyber Attacks and the Infosecurity Magazine did an interesting summary of it Cyber-criminal Tactics Get Incredibly Sophisticated.
This is “just” one side of the coin and there is another one as well: Businesses invest more and more money on security but seem to be losing the game. Additionally, they are overconfident in their ability to defend and want to continue the road they took. This is shown by a study we released last fall. Just a few “highlights” (lowlights) of it quoted from Accenture Survey: One in Three Cyberattacks Result in a Security Breach, Yet Most Organizations Remain Confident in Their Ability to Protect Themselves
What has Been Done in the Past is not Working
Out with the old and in with the new is easier said than done, especially when it comes to embracing new technologies or cyber defense tools.
- While survey respondents say internal breaches have the greatest impact, 58 percent prioritize heightened capabilities in perimeter-based controls instead of pivoting to address high-impact internal threats.
- Research findings further show that most companies do not have effective technology in place to monitor for cyberattacks and are focused on risks and outcomes that have not kept pace with the threat.
- Only slightly more than one-third (37percent) of respondents say they are confident in their ability to perform the essential activity of monitoring for breaches and only a similar number (36 percent) say the same about minimizing disruptions.
Getting Smarter about Security Spending
Recent high-profile cyberattacks have driven significant increases in cybersecurity awareness and spending. Yet, the sentiment among those surveyed suggests organizations will continue to pursue the same countermeasures instead of investing in new and different security controls to mitigate threats.
- For example, given extra budget, 44 percent to 54 percent of respondents would “double down” on their current cybersecurity spending priorities – even though those investments have not significantly deterred regular and ongoing breaches.
- These priorities include protecting the company’s reputation (54 percent), safeguarding company information (47 percent), and protecting customer data (44 percent).
- Far fewer companies would invest the extra funds in efforts that would directly affect their bottom line, such as mitigating against financial losses (28 percent) or investing in cybersecurity training (17 percent).
Key country highlights from the report include:
- Overall, it takes longer to spot a breach in the US and the UK with over a quarter of organizations taking a year or more to detect a successful attack. (30 percent in the US; 26 percent in the UK).
- Organizations in France, Australia and the US are the least confident in their ability to monitor for a breach compared to the global average.
- Organizations in Germany (52 percent) and the UK (50 percent) are the most confident in monitoring for breaches compared to the global average (38 percent).
- Organizations in France spend the most (9.4 percent) of their total IT budget on cybersecurity compared to the global average of 8.2 percent.
- Organizations in Australia and the US spend the lowest amount on cybersecurity, as a percent of their total IT budget. (8 percent in the US; 7.6 percent in Australia).
So, we know that the attackers get smarter and are successful, we know that it takes way too long to spot breaches and we still would “would “double down” on […] current cybersecurity spending priorities” if we would get more money. Unfortunately, we see this way too often: Was long as we are compliant to the regulations and standards and do the same as the competition, our job is safe.
I think that this needs to change and we need new approaches to reboot our security. There are a few areas, which need investigation and need to be driven within security organizations:
- Understand your adversary: One of the most underutilized asset we have today in my opinion is threat intelligence on all levels. This means tactical (like vulnerabilities, bad URLs, malware signatures etc.) as well as strategic (who is your adversary? Why is he/she attacking – and why now and not yesterday? This will help to align your defense and detection mechanism with the threat exposure as well as your business strategy.
- Test the Cloud: It is interesting that a lot of the best security people (at least the ones I know) work for the big Cloud providers. This is where the really interesting work is and this is where you most probably find the best protection you can get. But think about the workloads you put on top as well. They might compromise the whole security stack if you are sloppy.
- Move to latest technology: This remains a credo since ages but still holds true. Do not stay on old and outdated software and where you need to, protect/isolate them appropriately
- Test your defenses regularly: This does not men penetration tests only. They are needed to check vulnerabilities in any given piece of software but the attacker will go broad and try to find ways around it – like calling your users if needed
- Assume compromise: Once you start to test your defenses you will most probably start to look at new mantras for your security architecture. One of them will be that you assume compromise with whatever you do – and this will change the way you think dramatically.
I guess there are much more ideas how to reboot security – what needs to be done from your point of view?