WHEN GOOD JUST ISN’T GOOD ENOUGH

MARTIN MACKAY, SVP, EMEA AT PROOFPOINT, ON HOW TO BUILD A ROBUST CYBER DEFENCE

There is a common misconception among organisations globally that having a ‘good’ security posture will keep their all-important business data safe and cyber criminals out. But what does ‘good’ really look like, and is it good enough?

Today’s threats target people, not infrastructure. So, while technical solutions and controls remain crucial in building a robust cyber defence, they are just one aspect of a broad and deep barrier against the latest threats.

Whether via malicious links, account compromise, or social engineering, threat actors are turning their attention to what, for many organisations, is the last line of defence. A last line that is often ill-prepared. Its people.

All it takes is one click, from one employee. No matter how robust your technical systems are, cyber criminals have just found their way into your organisation. In fact, according to Proofpoint’s recent survey of IT leaders in the UAE, 55% of CSOs and CISOs cited human error and lack of security awareness as one of the biggest IT security risks.

It is therefore crucial to have in place an approach that puts people at the heart of cyber defence – ensuring employees are not just able to spot and deter attacks but are acutely aware of their role in keeping our organisations safe.

Navigating a new normal

With millions more employees working from home, outside the protections of the office environment, organisations worldwide have had their attack surfaces widen, leaving them more exposed to cyber threats during this global crisis than ever before.

Cybercriminals are all too aware of this fact and have wasted no time exploiting the opportunity.

Using social engineering attacks, cybercriminals trick employees so they can steal credentials, siphon sensitive data, reroute pay checks and fraudulently transfer funds. No matter the technical solution in place, one click is all it takes for a cyber attack to be successful.

Dubbed the most expensive issue in cybersecurity, one method of email attack that has spiked in recent years is Business Email Compromise (BEC). According to the latest Proofpoint research, 15% of UAE CSOs and CISOs reported BEC as one of the leading methods of cyber attack against their organisation last year. This form of attack is fast growing in popularity for two simple reasons – it works, and it pays.

Building tomorrow’s defences today

When it comes to defending against BEC attacks, these exceptional circumstances have shown many organisations’ cyber defence to be anything but. Large remote workforces, increasingly reliant on email, have exposed a significant weak spot which many are failing to address.

People and email are the attack surface of choice for the modern cyber criminal. Most defence strategies do not reflect this. Despite over 90% of advanced threats stemming from email, just 10% of cybersecurity spending is focused in this area.

Those on the frontline suffer from a similar lack of investment.

According to Proofpoint’s UAE CISO Report, 75% of the organisations admitted to training their employees on cybersecurity best practices as little as twice a year or less.

This must change. We cannot expect our people to protect our organisations without equipping them with the tools and knowledge to do so.

Just as cyber criminals have taken this opportunity to hone their attacks, so too must we take this opportunity to hone our defence. We cannot build cybersecurity strategies on the principles of yesterday. Our strategies must reflect the threat landscape of today and be ready for the attacks of tomorrow.

Putting people at the heart of your defence

Email-based attacks were causing devastation long before the coronavirus pandemic and will continue to do so long after.

However, the by-product of enforced mass remote working has presented an opportunity to examine the most common attacks we face – and the controls we put in place to defend against them.

The fact that network and endpoint security remains the primary area of focus for security teams, despite being far from the primary focus for cyber criminals, should cause concern.

It’s past time for a new way of thinking. The old tactic of defending the perimeter is obsolete. There is no longer a perimeter to defend. Our people are mobile, accessing corporate data from everywhere on all sorts of devices, networks and platforms outside of the traditional corporate network. People are at the heart of most cyber attacks. It is only logical to place them at the heart of cyber defence.

Detecting and deterring common threats requires a vigilant, knowledgeable workforce. This is only possible when training goes beyond general awareness of common threats and instils in end users an understanding of how their behaviour can be the difference between a successful attempt and a successful attack.

A ‘good’ cyber defence really isn’t good enough to protect against today’s dynamic threat landscape, as organisations globally continue to find out. Harming your business is the primary aim of cyber attackers. If defending it is not at the forefront of all users’ minds, there will only ever be one winner.

AN ACTIVE APPROACH TO SECURITY

ANTHONY PERRIDGE, VP OF INTERNATIONAL AT THREATQUOTIENT, SAYS CYBER THREAT INTELLIGENCE IS PAYING RICH DIVIDENDS TO USERS.

In the battle to protect businesses from relentless attempts at infiltration, theft and disruption by cybercriminals, knowledge is power. Over recent years, this fact has been formalised through the growing adoption of cyber threat intelligence (CTI). With the creation of teams and implementation of CTI programmes, organisations aim to build a proactive defence posture and stay one step ahead of adversaries. The 2020 SANS Cyber Threat Intelligence survey, sponsored by ThreatQuotient, analyses the state of play in cyber threat intelligence worldwide and indicates that we are entering an exciting period. CTI shows strong signs of maturing and cementing its place in the cybersecurity arsenal. 82% of survey respondents say their CTI activities are delivering value. We are also seeing organisations become more strategic about how they implement the intelligence process and a growing recognition of the value of collaboration with the wider threat intelligence community. The following are my key highlights from this year’s research findings.

CTI is coming of age

There were twice as many respondents to this year’s survey compared to 2019, and more respondents than ever before reported that they are operating a CTI programme in their organisation. 85% overall said that they had some form of CTI resource, with nearly half (49.5%) having a formal, dedicated team. A further 27% have shared responsibility with staff drawn from other teams, while 9% have a solo CTI analyst. This is a welcome sign that CTI is accelerating as a component of companies’ cybersecurity strategies.

Also encouraging was the fact that the percentage with a dedicated team has risen steadily in the past three years. Investment in headcount is on the rise, indicating that businesses are committing to CTI for the long term.

In-house teams are not going it alone, either. 61% of respondents said CTI tasks are handled by a combination of in-house and service provider teams, up from 54% in 2019. This combination of external resources and internal expertise means organisations can better understand and address the threats they face.

Organisations are becoming more strategic about CTI

At the start, and the heart, of an effective CTI programme are clearly defined intelligence requirements (IRs). These identify the specific questions and concerns to be addressed by the programme to ensure the right data is collected and the appropriate focus is placed on the relevant threat areas by analysts. They are critical in providing the business-specific context for CTI programmes so that they deliver the most valuable outcomes for that organisation.

So it is encouraging that this year’s survey found the percentage of respondents reporting that they have clearly defined intelligence requirements has jumped 13.5%, from 30% in 2019 to 44% in 2020. Another positive sign is the growth in the number of contributors to CTI requirements – there was more input from security operations teams, incident response teams and C-Suite executives, showing that a diverse group of stakeholders is helping to drive both the tactical and strategic direction of the CTI programme. The next stage in maturity will be to see more regular and structured reviews of intelligence requirements, as most still review IRs on an ad hoc or unknown basis.

Intelligence sources, automation and management advances - but more to be done

When it comes to collecting data to answer the intelligence requirements, there has been a jump in the percentage consulting both open source feeds and those from CTI-specific vendors. There has also been an increase in organisations producing threat intelligence data in-house to complement externally sourced data – more than 40% of organisations said they both produce and consume threat intelligence data.

With this wealth of data at their disposal, the survey asked how organisations process high volumes of intelligence to gain actionable insight, and the degree of automation used to lift the burden from CTI teams. The survey shows that automation is still some way off, with the majority of processing tasks completed either manually or semi-automated. While basic tasks such as data de-duping are commonly automated, more complex activities, such as reverse-engineering samples, are a manual undertaking for 48% of respondents.

In CTI management, the picture is slightly better with more organisations reporting automation in SIEM platforms and CTI management platforms. As CTI continues to prove its value, we would anticipate seeing more automation and tuning of tools to fit the context, priorities, and specific threats that businesses face. This supports analysts to focus their efforts where human evaluation is most effective and respond more proactively to threats.

Measurement is proving a challenge

Another sign that an approach is maturing is when focus shifts from operational considerations around what tools and teams can do, to measuring the effectiveness of their actions. Here the survey found that there is still some way to go. While a resounding 82% of respondents find value in CTI, only 4% had processes in place to measure effectiveness. However, the growing rigour in identifying clear intelligence requirements can offer a good starting point here. Once these are set, goals can be set based on answering the IRs through the CTI programme.

Collaboration is critical

Perhaps the most encouraging finding from the SANS Cyber Threat Intelligence survey is confirmation that collaboration is being embraced as a core component of security programmes. 45% reported membership of an Information Sharing and Analysis Centre (ISAC) which is a high percentage, given that they are not available in all verticals or territories. The main benefits noted are timely and relevant threat information and the ability to network with contacts at other member organisations.

Now, more than ever, the uncertain cyber and physical environment and new threats emerging out of the disruption of COVID-19 pandemic mean that intelligence analysts need to share best practice data and strategies to overcome threats.

Ultimately, the 2020 SANS Cyber Threat Intelligence survey offers robust evidence that CTI is increasing in adoption and is proving its worth to a greater number of organisations than ever before. When threat intelligence is effectively collected, integrated, automated, prioritised and shared between analysts and wider stakeholders, organisations become more agile and effective at addressing the threats they face. We are in an exciting period for the industry, where organisations can see real, measurable impact from their accelerating investment in CTI teams and tools and we look forward to seeing further evidence of success in next year’s survey.

COMPLEXITY IS THE WORST ENEMY OF CYBERSECURITY

MULTI-VENDOR SECURITY ENVIRONMENTS AND AN UNMANAGEABLE NUMBER OF SECURITY ALERTS ARE CAUSING CYBERSECURITY FATIGUE IN IT SECURITY SPECIALISTS, AND HARMING ORGANIZATIONS’ ABILITY TO PROTECT THEMSELVES, WRITES FADY YOUNES, CYBERSECURITY DIRECTOR, MIDDLE EAST & AFRICA, CISCO

Keeping up with cybersecurity is one of the biggest challenges facing CIOs today. Managing cybersecurity, and ensuring your organization is safe from the latest threats, requires investment in skilled resources and time.

Managing cybersecurity is made more difficult by the need to support a complex environment of multiple security products from multiple vendors. Today’s businesses need to protect many different aspects of their operations, and getting the best protection for each can require deploying best-of-breed solutions from different vendors. Typically, businesses have addressed new threats by adding another solution to their network, whether that solution can integrate with the existing IT environment or not. Managing multiple security solutions, with multiple sets of alerts, and ensuring there are no gaps in coverage, is a major challenge for CISOs.

In Cisco’s sixth annual CISO Benchmark Report, released in February this year, most organizations reported that they found managing a multi-vendor environment to be challenging, with 28% saying it was “very challenging”. Just 17% of respondents said it is easy to manage a multi-vendor environment, down from 26% in 2017.

The report found that while the majority of organizations (86%) are using between 1 and 20 different security technologies, 13% said they are using over 20, and 4% of companies report using a staggering 50 or more different security solutions.

Managing so many different vendors is not just a burden on time and resources for the IT department, but can also become a factor in reducing the effectiveness of cybersecurity protection as well. Dealing with integration issues and a high volume of security alerts can distract security engineers from tackling other challenges they face, such as public cloud issues, mobile device management and dealing with patching and update cycles in a timely fashion.

Failure to integrate multiple security solutions can also leave gaps in coverage, or create a situation where the IT team doesn’t properly understand what protection a particular solution is providing or how it works, impacting visibility and awareness into the true security state of the network.

An overly-complex IT environment has also been identified as a factor in ‘cybersecurity fatigue’. Forty-two percent of respondents to the CISO Benchmark report said they are suffering from cybersecurity fatigue, defined as virtually giving up on proactively defending against malicious actors. Ninety-six percent of those who reported suffering cybersecurity fatigue cited managing a multi-vendor environment as being a cause of their burnout.

It is easy to see how complex environments can overwhelm the IT team. From 2017 to 2020, the percentage of respondents reporting that they receive over 100,000 security alerts per day rose from 11% to 17%. Only around one-third (36%) say they get fewer than 5,000 alerts per day. A high volume of alerts is clearly a factor in cybersecurity fatigue, with 93% of sufferers saying they get over 5,000 alerts per day.

Addressing these overly-complex security environments is essential for IT departments that want to take back control of their security environments. One of the key trends highlighted by the CISO benchmark is vendor consolidation – since 2017, the number of CISOs saying they are using 20 or fewer vendors has increased by 7%, and there has been a 6% decrease in those saying they use 21-50 solutions. Reducing the number of vendors can bring clarity to the security environment and help ease the burden on the IT team.

Another strategy for gaining more control over your security landscape is automation. CISOs are looking to automate security processes such as asset discovery, vulnerability remediation, detecting anomalous activity, and especially managing the volume of alerts and updates. Human intervention is still required to set up and monitor automated processes, but it clearly offers a solution – 77% of respondents to our CISO Benchmark study said that they are planning to increase automation to simplify and speed up response times in their security ecosystems.

To really manage the complexity of IT environments with multiple vendors, CISOs are looking for solutions that can integrate, automate and consolidate their entire estate into one manageable whole. Cisco’s SecureX platform is one such solution: an open, scalable, cloud-based platform that integrates security solutions from multiple vendors, and enables organizations to add in best-in-class functionalities direct from Cisco to meet new threats and requirements.

A single platform with integrated threat and security management gives the security team full visibility into their IT environment across network, endpoint, cloud and applications, and allows them to work smarter by automating and prioritizing security alerts, to reduce the impact of cyber fatigue.

By integrating all of its security solutions under one platform, including solutions from multiple vendors, a business can preserve IT investment, at the same time as gaining a better understanding of any duplication or unused capabilities, allowing them to eliminate redundancies and optimize usage of existing solutions and further streamline the environment.

Security challenges are not going to get any less complex, but with the right strategic approach, security environments do not have to become more complex. Removing the burden of complicated multi-vendor security environments can reduce cyber fatigue, and give the CISO the time to work smarter, streamline defense and focus on prevention as well as detection and remediation.