Budget Shifts Tip the Scales Against Cyber Attackers
On average, IT budgets are up this year, but with over 858 breaches in 2016 alone, many are beginning to ask whether budgets are being spent on the right things. It has become clear to most organizations that prevention solutions alone aren’t reliably working, and most CISOs have accepted that the focus is no longer on if they will be breached, but on when, and on how prepared they are to quickly find and address the incident. Many large corporations will openly say that there is always a malicious attack going on somewhere in their network. The trick then becomes separating the noise from the critical incidents. Whether you are getting tens or millions of alerts a day, determining what truly needs to be addressed can, as you can imagine, be quite challenging and exhausting.
Realistically, it is impossible to prevent every determined attacker from gaining unauthorized access to IT infrastructure and with the right time and tenacity, finding their way to an organization’s sensitive data or critical infrastructure controls. From early breaches like those at Heartland Payment Systems and Epsilon Data Management to high profile breaches involving Target, Home Depot and Sony Pictures, time and again attackers have proven there’s always a way to get past prevention products. Organizations in industries that invest heavily in information security and compliance like finance and retail are also not immune and have found that preventative security controls like firewalls, intrusion prevention, signature-based anti-malware, and single-factor authentication are just not enough to stop the targeted attacker.
With this in mind, discussions and budget allocations are now shifting to include detection solutions. This change brings many questions, including which technologies to choose, how much budget to allocate, where that allocation comes from, and at what expense or reduction to other technologies. The complexity is compounded by the fact that advanced detection technology is being led by emerging vendors rather than by organizations’ traditional suppliers.
According to industry estimates, enterprises have historically spent more than 75% of their InfoSec technology budgets on preventative technologies. A survey conducted by Pierre Audoin Consultants (PAC) in the United Kingdom shows that the traditional split in spending between planning, preparing and preventing an attack versus detecting and responding to one, is narrowing, even if only modestly. PAC polled 200 decision-makers in the U.K., France and Germany for their responses to a variety of questions pertaining to security spending, perimeter defenses and incident detection response. The responses showed a shift in spending toward detect-and-response capabilities and a corresponding move away from prevention-and-protection tools in many organizations. Better still, organizations that participated in the survey expected to spend about 39 percent of their IT security budget overall on detection and response within two years, up 16 points from the 23 percent they currently spend on those capabilities. At the same time, spending on protection-and-prevention tools such as firewalls and antivirus tools is expected to trend downward 16 points, from an average of around 77 percent today to 61 percent in 2017. The median spend on these technologies is expected to drop from 75 percent to 60 percent.
“We see this as a rebalancing of cybersecurity spend to a more appropriate split of operational attention,” PAC said in its report. “While the focus on Prevent & Protect needs to be maintained, looking for breaches and quickly remediating them has increased in priority,” the report said.
To support this, the report indicated that 67 percent of the respondents had suffered a data breach over the past year, while a full 100 percent said they had experienced a breach at least once in the past. Nearly seven in 10 of those who suffered a breach took between one month and six months on average to detect the breach.
The numbers are similar to those released by security vendor Trustwave in their 2015 report, which also showed that organizations are taking increasingly longer to detect network and system intrusions. Importantly, the survey also showed that a lack of incident detection-and-response capabilities is seriously hindering the ability of many organizations to spot an intrusion into their networks. In more than eight out of 10 of the 574 breaches investigated by Trustwave last year, an external party reported the intrusion to the victim. In such situations, organizations took at least 126 days to detect the breach after the initial intrusion, the Trustwave survey showed.
So, if the need for an increased investment in detection seems self-evident, why is this shift happening gradually and, in some cases, being met with resistance by CISOs? It may be driven by a reluctance to invest in newer vendors with less proven technologies. It may be a concern about the high false-positive rates and resource intensity of solutions based on signature lookup or pattern matching. Or CISOs may simply not believe that detection technology can effectively detect these advanced threats. There are both myths and realities in these beliefs.
Two newer technologies appear to be gaining traction and adoption in closing the detection gap. One is big-data user behavior analytics (UBA) and the other is deception technology. UBA provides more granular detection than a traditional SIEM, though it remains prone to false positives and as such can create a higher demand on security operations teams while it learns the environment. As a CISO I know would say, “It takes a while to get good.” Deception is the other growing technology; it takes a different approach, deceiving attackers into engaging with decoys and lures. As another CISO has shared, he likes this approach because now the attacker has to be right all of the time. One mistaken engagement with a decoy or theft of planted credentials will tip off their presence. A high-fidelity alert is then generated so that the security team can immediately isolate and address the incident. Interestingly, I am also seeing situations where both of these technologies are being deployed as an additional check and balance. An example of this would be deploying UBA on a user network and deception for stolen-credential detection and for detection at scale within data centers.
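To make the “high-fidelity alert” point concrete, here is an added example, not code from the original article or from any deception vendor, of the stolen-credential detection described above. It plants two decoy accounts (constructed names, assumed to exist nowhere legitimately), parses a few constructed authentication log lines in a hypothetical format, and raises an alert on any use of a decoy account, whether the login succeeded or failed. The contrast with ordinary failed logins shows why the decoy signal needs no learning period: a decoy has no legitimate users, so every hit is worth acting on.

```python
import re
from dataclasses import dataclass

# Decoy accounts planted on hosts and in credential stores. They are constructed
# for this example and have no legitimate use, so ANY attempt to use one is a
# high-fidelity signal rather than noise to be triaged.
DECOY_ACCOUNTS = frozenset({"svc-backup-legacy", "dba_admin2"})

# Constructed log line format (hypothetical, not any real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>ACCEPTED|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class DecoyAlert:
    ts: str
    host: str
    user: str
    src: str
    result: str  # ACCEPTED or FAILED; even a failure reveals the attacker


def parse_line(line: str):
    """Return the event fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_decoy_use(lines, decoys=DECOY_ACCOUNTS):
    """Alert on every authentication attempt (success or failure) against a decoy account."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["user"] in decoys:
            alerts.append(DecoyAlert(ev["ts"], ev["host"], ev["user"], ev["src"], ev["result"]))
    return alerts


def triage(lines, decoys=DECOY_ACCOUNTS):
    """Split a log into ordinary failures (the noise an analyst would chase) and decoy hits."""
    parsed = [ev for ev in map(parse_line, lines) if ev]
    ordinary_failures = [
        ev for ev in parsed if ev["result"] == "FAILED" and ev["user"] not in decoys
    ]
    return {
        "events": len(parsed),
        "ordinary_failures": len(ordinary_failures),
        "decoy_alerts": len(detect_decoy_use(lines, decoys)),
    }


# Constructed sample log: normal activity, a mistyped password by a real user,
# a malformed line, and one use of a planted decoy credential from an
# unexpected source host.
SAMPLE_LOG = [
    "2017-03-01T08:01:12Z web01 auth: ACCEPTED user=alice src=10.0.1.15",
    "2017-03-01T08:02:40Z web01 auth: FAILED user=bob src=10.0.1.22",
    "2017-03-01T08:02:41Z web01 auth: FAILED user=bob src=10.0.1.22",
    "2017-03-01T08:03:05Z web01 auth: ACCEPTED user=bob src=10.0.1.22",
    "2017-03-01T02:14:33Z db03 auth: FAILED user=dba_admin2 src=10.0.7.91",
    "2017-03-01T02:14:35Z db03 auth: ACCEPTED user=dba_admin2 src=10.0.7.91",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for a in detect_decoy_use(SAMPLE_LOG):
        print(f"HIGH-FIDELITY ALERT: decoy {a.user} used from {a.src} "
              f"on {a.host} at {a.ts} ({a.result})")
    print(triage(SAMPLE_LOG))
```

Run over the sample, the two ordinary failed logins by bob are left for routine triage, while the two attempts against dba_admin2 (the first of them a failure) each produce an alert that identifies the source host to isolate. Note that the decoy list is checked on the username alone, so the detection does not depend on the attacker actually knowing the planted password.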
While the speed and size of budgetary shifts will vary in every organization and there are no “correct” percentages, adding detection into your security mix will go a long way in reducing a company’s risk of falling prey to a devastating breach and at a minimum, will significantly help in improving operational efficiency for detection and attack incident handling.