Richard Cassidy, Senior Director Security Strategy EMEA, Exabeam, discusses why the short-term mindset of the cybersecurity industry needs to change and how the future isn’t as uncertain as some would have you believe.
The cybersecurity industry has a problem with long-term commitment. Too often, CISOs and CIOs become fixated on the discovery of new threats and the subsequent ad-infinitum battle in detection and alert investigation. As a result, they often fail to put in the time and effort needed to lay down a comprehensive long-term cybersecurity strategy for their organisation. The challenge is, if the focus is always on the ‘here and now’, businesses will forever be stuck playing catch up to the incredible rate of innovation in the adversarial space. While that happens, cybercriminals have their targets exactly where they want them.
New threats, same old attack vectors
In many ways, the industry has only itself to blame for the ‘short-term strategy’ predicament that our executive leaders now find themselves in. For too long, fear and uncertainty have been used as potent sales tools by technology vendors and solutions providers alike, claiming cybersecurity moves so fast that you can’t predict what’s around the next corner. This scaremongering approach to cybersecurity decision-making practice may help to sell the latest security products, but it also actively encourages a short-term mindset. However, while it’s true that new threats are emerging all the time, many of the attack vectors they rely on haven’t changed that much in decades.
For example, according to the SANS Institute, 95% of all attacks on modern enterprise networks are the result of successful spear phishing – a technique that’s been around for at least 10 years (while phishing itself, has been around since the 90s). Furthermore, some form of social engineering attack – a technique as old as time itself – is a key factor in up to 99% of cyberattacks. These attack methods aren’t new by any means and neither are the main defence strategies against them, such as regular cybersecurity training and rapid identification of ‘abnormal’ user behaviour on the network.
It’s fair to say that many of the rules of the game have been the same for a long time. Criminal organisations who were attacking mainframes back in the 80s and 90s are attacking cloud platforms today, using very similar tactics and techniques. This begs the question then, ‘is it a legacy mindset that’s holding the industry back from an overhaul in effective cybersecurity strategy and enablement, rather than proclaimed legacy tech?’
Future-proof your cybersecurity
Of course, that’s not to say that nothing’s changed at all. Perhaps the biggest difference between then and now is the scale of everything involved. Over time, gigabytes of data have turned into terabytes and soon they’ll become petabytes; the same process can be seen in data transfer speeds and in ‘Moore’s law’ in data processing power speeds. Elsewhere, changing business habits have seen more employees work remotely, spreading business users out over even greater geographical distances. All of this makes it much harder for security teams to manually keep track of sensitive data and spot the abnormal behaviour patterns that indicates malicious activity.
Fortunately, data analytics and anomaly detection is one area where technology really can make a difference. Advances in automation and Machine Learning mean organisations can now build platforms that take a huge amount of manual legwork off the security teams, enabling them to focus on more important areas of the analytics and investigation process. The cost of these technologies is coming down too. Where they were once the reserve of largest enterprises, now businesses of all sizes can benefit from the time savings and insights they provide.
The road ahead looks just as familiar
Within the cybersecurity industry, many vendors are touting Quantum Computing as the next big game-changer, claiming criminals will be able to crack encryption keys and passwords much more easily with it. They’re also increasing the rate of attack automation and collaborating much more effectively (hacking-as-a-service) in sharing zero-day tools and username/password data, thereby significantly reducing the reliance on social engineering techniques.
While this may be true, there’s still no need to panic. Even if criminals manage to gain access to networks without the use of social engineering, there are already technologies available such as user entity behaviour analytics (UEBA), which can counteract this. UEBA works by benchmarking legitimate users’ behaviour over a period of time and establishing the parameters of ‘normal activity’ based on key criteria such as geographical location, login times and files accessed. If any user’s behaviour deviates too far from known normal benchmarks, such as logging in from China at 2am when they usually login from London during normal working hours, this behaviour is automatically flagged as suspicious to the security team. As such, even if the criminal used Quantum Computing instead of social engineering to crack a user’s credentials, their behaviour on the network will quickly get them noticed. The other significant benefit of using behavioural analytics is that all relevant activity data across other activity streams can be automatically stitched together into incident alerts, providing security teams with instant context as to the risk level of an event. This supports much more effective response and mitigation outcomes.
Despite what certain corners of the cybersecurity industry may say, it really is possible to predict and plan much longer term than many organisations realise. Yes, new threats appear all the time, but once you look under the hood, the startling similarities many of them have to one another become increasingly apparent. With this in mind, it’s time to stop thinking about cybersecurity in standard budgetary cycles of three to five years and instead consider how you can effectively extend your planning to timeframes in excess of 10 years over time. Sure, we don’t know what’s around the corner, but chances are it’ll look a lot more familiar than we think when it arrives…