Uninvestigated security threats can swamp an organization

As business impacts of breaches grow, transparency and defenses start to improve


Businesses are pouring more and more money into cybersecurity, making it the fastest-growing IT market segment. But despite the heavy investment, security professionals’ confidence is waning in their ability to defend against cyber criminals, according to a newly released report by Cisco.

Global cybersecurity spending has nearly doubled in the past five years—growing from $63.7 billion in 2011 to an estimated $122.45 billion in 2016, according to research firm Market and Market.


Yet Cisco found that budget constraints, incompatible vendor products, and a shortage of talent are creating major barriers for organizations. So much so that 44 percent of security alerts go uninvestigated.

About a third of investigated alerts turn out to be legitimate—but only 46 percent of those legitimate alerts are actually being remediated.

“It’s a twofer,” says Franc Artes, architect with Cisco’s Security Business Group. “It’s not just [saying], ‘We didn’t get to a bunch of stuff,’ but also, ‘A big majority of what we did review, we didn’t get to remediate.’”

The 2017 Annual Security Report, released Jan. 31, included a poll of nearly 3,000 chief security officers and security operations leaders. Among them, budget constraints and compatibility issues were the top two obstacles to security—the same as in last year’s report.

Cisco found that 65 percent of respondents used more than five cybersecurity products and 55 percent used more than five vendors. Some organizations were using 50 or more (of each).

These disparate technologies often don’t integrate with one another. Adding to the challenge, Artes says, is a lack of “human beings to follow up on everything that needs to be done.”

The result is a system based on triage—and Artes says this is “like not looking at the 44 percent of the victims coming into the triage.”

“Lack of trained personnel is huge,” he says. “We have a major problem with finding people who are capable of doing all this work, especially when you start to consider the fact that we have so many different vendors and so many different products next to a heterogeneous network.”

Impacts felt across entire enterprise

Cisco found that only 58 percent of the security leaders described their security infrastructure as very up-to-date. That number has been on the decline in the past couple of years—from 59 percent in the 2016 report and 64 percent in the 2015 version.

This waning confidence is perhaps not surprising, considering the broad ramifications of data breaches. And there were plenty of breaches to be had last year: The Identity Theft Resource Center logged a record 1,093 breaches. That’s a 40 percent increase from 2015.

Artes says that in the past, organizations looked at a breach impact mostly from the perspective of operational losses, including loss of revenue and cost of remediation. Now, they’re taking a more holistic view.

Besides operations (named by 36 percent of respondents) and finances (30 percent), the other top aspects most likely to be affected by a breach that was publicly disclosed included:

• Brand reputation (26 percent)

• Customer retention (26 percent)

• Intellectual property (24 percent)

• Business partner relationships (22 percent)

• Supplier relationships (20 percent)

• Legal engagements (20 percent)

• Regulatory scrutiny (19 percent)

It’s worth noting that half of the organizations whose breach became public made the disclosure voluntarily. Artes says companies are becoming more transparent, partly because the stigma that came with a breach is gone. The likelihood of a breach is now an accepted reality.

“[There is] an understanding that the defenders have to be right 100 percent of the time, and the attacker needs to be right only once,” he says.

The good news is that breaches—whether those experienced first-hand or those disclosed by other companies—are driving defense improvements, Artes says. The top two are the separation of the security team from the IT team, and an increased awareness among employees.

“The business impact is becoming more and more apparent, and part of that is (due) to the transparency—we’re speaking about it, we’re recognizing it, we’re addressing it,” Artes says.

One takeaway from the Cisco report is that things aren’t going to get any less complicated for security practitioners. On one hand is the continuously expanding attack surface, considering the projected growth in IP traffic, mobile devices and cloud use. On the other is the evolution of cyber criminals.

“They’re realizing … they have to evolve faster and faster because the industry itself is getting faster and faster,” Artes says.

Among Cisco’s conclusions is that “defenders must focus their resources on reducing their adversaries’ operational space” and use automation as part of their strategy.

“Human expertise cannot be thrown at this and actually solve it,” said Cisco Chief Security and Trust Officer John N. Stewart in a video overview of the report. “You need integrated security architecture with near real-time insight, automated detection … and automated defense.”
