Cybersecurity Needs a Rebuild, Not Duct Tape
Cyberthreat protection is broken. If it wasn’t, the frequency of successful ransomware attacks and breaches would certainly not be as high as it is – and rising. And it’s not for a lack of investment in cybersecurity solutions. Sure, smaller companies cannot afford all the protection tools that larger companies have in place, but does the number of protection tools matter? Larger companies continue to suffer from ransomware and breaches, in spite of massive investments in cybersecurity tools and expertise.
What’s going on here? Why are budgets continuously increasing, the number of security tools continuously expanding, and the number of security professionals never at the levels we desire – all while companies continue to get hacked? Granted, cybercriminals do improve their capabilities, making attacks continuously more difficult to defend against. But does this mean we simply have to learn to live with successful cyberattacks?
I think there are many reasons that we’re still unable to adequately address the cybersecurity problem. I would argue that the following are the top three.
- The continued inability to adequately detect advanced persistent threats (APTs). According to the IBM Cost of a Data Breach Report 2019, the mean time to identify a malicious attack is 230 days. We keep throwing money and resources at prevention solutions and detection solutions, so why do threats get through?
Remember, while we’re spending money on defending our environments, cybercriminals are investing their energies in figuring out ways to bypass our defenses. They found that while the point protection controls work well, they’re not foolproof. Once they find a small crack and get their foot in the door, if they’re smart, they work their way through the network and can go undetected for very long periods of time.
Most security stacks are just not well integrated or integrated at all. Even those that are integrated seem to be loosely duct taped, struggling to speak the same language and fully synchronize capabilities to provide a truly coordinated protection layer. Seemingly benign alerts from disparate controls are ignored as they lack the context to see the real underlying threat. Wily cybercriminals are free to navigate the network until they find something of value or take the company down with ransomware.
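The point above is that alerts which look benign in isolation become a clear signal once they are placed side by side. The following is an added example, not code from the original post or from any product it describes: a small correlation routine that takes low-severity alerts from four disparate controls, keys them onto a common entity, and escalates a cluster to one incident when several controls agree inside a time window. All alerts, the control names (email-gateway, edr, dns, idp), the host and user names, and the USER_TO_HOST map are constructed sample data standing in for what an asset inventory and the real controls would supply.

```python
"""Cross-control alert correlation (added example with constructed data).

The control names, host/user names and the USER_TO_HOST map are assumptions
standing in for an asset inventory and real detection controls.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str    # the control that raised the alert
    entity: str    # what that control keyed the alert on: a host or a user
    severity: str  # severity as rated by that control in isolation
    summary: str


@dataclass
class Incident:
    entity: str
    first_seen: datetime
    last_seen: datetime
    sources: list
    alerts: list = field(default_factory=list)
    severity: str = "high"  # escalated because several controls agree


# Constructed: which user normally works from which host. In practice this
# comes from an asset inventory or identity system; here it is hard-coded.
USER_TO_HOST = {"j.doe": "WS-1042", "a.roe": "WS-2210"}

T = datetime(2021, 3, 9)  # constructed reference day

# Constructed alerts. Every one is rated low or medium by the control that saw it,
# so a per-alert severity filter would not surface any of them as high.
SAMPLE_ALERTS = [
    Alert(T.replace(hour=9, minute=2), "email-gateway", "j.doe", "low",
          "macro-enabled attachment delivered; sandbox verdict: suspicious"),
    Alert(T.replace(hour=9, minute=15), "edr", "WS-1042", "low",
          "winword.exe spawned powershell.exe"),
    Alert(T.replace(hour=9, minute=16), "dns", "WS-1042", "low",
          "query for a domain registered less than 30 days ago"),
    Alert(T.replace(hour=9, minute=40), "idp", "j.doe", "medium",
          "sign-in from a previously unseen device"),
    Alert(T.replace(hour=14, minute=5), "edr", "WS-2210", "low",
          "unsigned binary executed from a temp directory"),
]


def normalize_entity(alert):
    """Map user-keyed alerts onto the host the user works from, so alerts from
    controls that key on different identifiers can be compared."""
    return USER_TO_HOST.get(alert.entity, alert.entity)


def severity_triage(alerts, floor="high"):
    """What a per-alert severity filter surfaces on its own."""
    rank = {"low": 1, "medium": 2, "high": 3}
    return [a for a in alerts if rank[a.severity] >= rank[floor]]


def correlate(alerts, window=timedelta(hours=2), min_sources=3):
    """Cluster alerts per host inside a sliding time window. When alerts from
    at least `min_sources` distinct controls fall into one window, the cluster
    is escalated to a single incident even though no member alert was high."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host[normalize_entity(a)].append(a)

    incidents = []
    for host, items in by_host.items():
        i = 0
        while i < len(items):
            j = i
            while j < len(items) and items[j].ts - items[i].ts <= window:
                j += 1
            cluster = items[i:j]
            sources = sorted({a.source for a in cluster})
            if len(sources) >= min_sources:
                incidents.append(Incident(host, cluster[0].ts, cluster[-1].ts,
                                          sources, cluster))
                i = j  # consume the cluster; start a new window after it
            else:
                i += 1
    return incidents


if __name__ == "__main__":
    print("severity filter alone surfaces:", severity_triage(SAMPLE_ALERTS))
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc.entity}: {len(inc.alerts)} alerts from {inc.sources} "
              f"between {inc.first_seen:%H:%M} and {inc.last_seen:%H:%M}")
```

Run stand-alone, the severity filter returns nothing while the correlation returns one incident for WS-1042 built from four low and medium alerts raised by four different controls within 38 minutes; the lone EDR alert on WS-2210 stays a single alert. The entity normalization step is deliberately explicit, because the mismatch between user-keyed and host-keyed alerts is exactly the "not speaking the same language" problem the paragraph describes.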
- The continued inability to adequately address the mountain of alerts generated every day. Security professionals can only do so much. Screening high-risk alerts out from the “noise” requires time and effort. Performing an investigation on high-risk alerts requires time and effort. Developing and executing a remediation plan for high-risk alerts requires time and effort. You see where I’m going here. While we have a lot of security technology, it still requires significant manual effort to address the real and perceived risks identified by the technology.
Jumping between different systems and databases to investigate and understand the severity of a threat takes time. The way information is handled and presented across different systems exacerbates this effort.
- The continued inability to adequately staff our cybersecurity teams. Cybersecurity is one of the most demanding professions available. Besides the foundational education required for the profession, ongoing education and experience are required to maintain the proficiency the craft demands. Cybercriminal opponents are often highly intelligent, technically gifted and amazingly persistent. And they have access to a growing underground network of like-minded colleagues all too willing to share (or sell) new attack methods.
Today, there simply are not enough highly skilled security professionals to meet the demand companies have for those skills. And the growing number of security solutions means there are never enough security professionals skilled in the particular set of solutions at any one company, so the learning curve for even a skilled analyst is high.
A Ray of Hope?
Now that I’ve painted a bleak picture of the state of cybersecurity today, there is a bright light on the horizon. Heck, it’s not even on the horizon, it’s right in front of our faces. A new class of technology is available that virtually eliminates all of the problems I cite above. I know, another new technology.
But I believe this technology – Extended Detection and Response (XDR) – is different. It builds on previous technologies while addressing their shortcomings, the shortcomings we face when running multiple disparate security controls, and the issue of the security skills shortage. XDR essentially provides and coordinates multiple threat detection controls while automating required response actions on a single unified platform.