Align The Attack/Defense Mismatch Part 1: Make Security Teams More Productive
Despite the fact that companies spend $92 billion a year on cyber security, 80% of organizations are still breached. Just this month, highly publicized breaches at Acer, Citrix's GoToMyPC, and the University of Calgary suggest that, on the whole, our approach to cyber defense is fundamentally flawed. Worse, today's sophisticated attackers know exactly what these flaws are and exploit them at will.
THE ATTACK AND DEFENSE MISMATCH: FACTS VS. REALITY
Attackers scout their targets in advance and tailor their malware to evade common perimeter defenses. Once inside the network, they move laterally between servers and endpoints, communicate with command-and-control servers, and exfiltrate data. These stealthy, multi-stage attacks often go unnoticed for months, leaving massive damage in their wake. The lack of effective detection and response is reflected in the mean time to identify an attack: 256 days (Ponemon Research).
*Data from the Ponemon Cost of a Data Breach report and the Verizon DBIR 2016
Multi-Point Attacks vs. Disjointed Defense
So why are we failing? There are fundamental mismatches between the focused way that attackers operate, and the disjointed way that organizations defend themselves:
- Security operations rely on disconnected, single-vector point tools, while attackers run complex, multi-vector, multi-stage attacks
- Analysts lack the tools to make sense of and prioritize alerts, so they don't know what to investigate first, while attackers stay focused on their targets
- Analysts receive information from separate reports and consoles that do not reflect the timeline of a multi-stage attack, so they must infer the storyline themselves. Attackers deliberately break an attack into many small steps to make that harder.
The Other Cost of Disjointed Defense – Inefficient, Expensive Security Operations
The statistics show that our disjointed approach lets attackers get through and dwell on our networks for far too long. But there is another cost: security operations are far too complex and time-consuming. Given the shortage of skilled cyber analysts, this is becoming a serious concern.
Our current approach leads to alert fatigue, lengthy and inefficient manual investigations, and incomplete attack intelligence on which to base incident response. All of this translates into effort wasted on false positives and increased costs.
New Perspective, New Defense
New threats require a new approach to cyber security, one that is intelligence-driven rather than alert-driven. We need solutions that automate the process human analysts follow: gathering leads, collecting forensic evidence to corroborate or refute them, and assembling the picture of a complete incident. At the same time, we need technology that keeps the human analyst in the loop and leverages their experience and intuition to complete and improve that process.
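To make the storyline problem from the list above and the automation described here concrete, the following is an added example, not code from the original post or from any vendor product. It takes alerts as they might arrive from four unrelated consoles (mail gateway, EDR, proxy, DLP), joins hosts that a lateral-movement alert connects, orders each group into a timeline, and ranks the resulting incidents by how many kill-chain stages they span. The alert records, field names, stage labels and weights are all assumptions made for the example.

```python
"""Added example: stitch single-vector alerts into multi-stage incident storylines.

Illustrative code only; the alert format, sources, stage names and weights are
assumptions, not any product's real schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts. Each tool sees one step of the same intrusion;
# none of the consoles sees the chain, and the noise alert on ws-42 would be
# ranked no differently from any single step of it.
ALERTS = [
    {"ts": "2016-06-14T09:02:11", "source": "mailgw", "host": "ws-17",
     "stage": "delivery", "detail": "macro-enabled attachment from external sender"},
    {"ts": "2016-06-14T09:04:40", "source": "edr", "host": "ws-17",
     "stage": "execution", "detail": "winword.exe spawned powershell.exe -enc ..."},
    {"ts": "2016-06-14T09:05:02", "source": "proxy", "host": "ws-17",
     "stage": "c2", "detail": "beacon to newly registered domain every 60s"},
    {"ts": "2016-06-14T11:37:55", "source": "edr", "host": "ws-17",
     "stage": "lateral", "detail": "psexec service install", "target": "srv-db-02"},
    {"ts": "2016-06-14T11:40:19", "source": "edr", "host": "srv-db-02",
     "stage": "execution", "detail": "unsigned binary written to C:\\Windows\\Temp"},
    {"ts": "2016-06-15T02:15:08", "source": "dlp", "host": "srv-db-02",
     "stage": "exfil", "detail": "4.2 GB archive uploaded to cloud storage"},
    # Unrelated single-stage noise.
    {"ts": "2016-06-14T10:11:00", "source": "edr", "host": "ws-42",
     "stage": "execution", "detail": "unsigned installer run by user"},
]

# Assumed intrusion model: stage order for display and weight for prioritization.
STAGE_ORDER = ["delivery", "execution", "c2", "lateral", "exfil"]
STAGE_WEIGHT = {"delivery": 1, "execution": 1, "c2": 2, "lateral": 2, "exfil": 3}


def score(stages):
    """Prioritize by breadth of the chain: later, costlier stages weigh more."""
    return sum(STAGE_WEIGHT.get(s, 0) for s in stages)


def dwell_hours(timeline):
    """Hours between the first and last evidence of the incident."""
    first = datetime.fromisoformat(timeline[0]["ts"])
    last = datetime.fromisoformat(timeline[-1]["ts"])
    return round((last - first).total_seconds() / 3600, 1)


def _find(parent, x):
    # Union-find root lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def build_incidents(alerts):
    """Group alerts into incidents and rank them.

    All alerts on one host belong together; a lateral-movement alert with a
    'target' field merges the source host's group with the target's, so the
    chain that hops from ws-17 to srv-db-02 becomes one incident.
    """
    parent = {}
    for a in alerts:
        parent.setdefault(a["host"], a["host"])
        if a.get("target"):
            parent.setdefault(a["target"], a["target"])
    for a in alerts:
        if a["stage"] == "lateral" and a.get("target"):
            src, dst = _find(parent, a["host"]), _find(parent, a["target"])
            if src != dst:
                parent[dst] = src

    groups = defaultdict(list)
    for a in alerts:
        groups[_find(parent, a["host"])].append(a)

    incidents = []
    for members in groups.values():
        timeline = sorted(members, key=lambda a: a["ts"])  # ISO-8601 sorts lexically
        stages = {a["stage"] for a in timeline}
        hosts = {a["host"] for a in timeline} | {a["target"] for a in timeline if a.get("target")}
        incidents.append({
            "hosts": sorted(hosts),
            "stages": [s for s in STAGE_ORDER if s in stages],
            "timeline": timeline,
            "score": score(stages),
            "dwell": dwell_hours(timeline),
        })
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def storyline(incident):
    """One line per step, in order, so the analyst reads the chain, not the consoles."""
    return [f'{a["ts"]} {a["source"]:<6} {a["host"]:<9} {a["stage"]:<9} {a["detail"]}'
            for a in incident["timeline"]]


if __name__ == "__main__":
    for inc in build_incidents(ALERTS):
        print(f'score={inc["score"]} dwell={inc["dwell"]}h hosts={inc["hosts"]} stages={inc["stages"]}')
        print("\n".join("  " + line for line in storyline(inc)))
```

Run stand-alone, the six ws-17/srv-db-02 alerts collapse into one incident covering all five stages with a dwell time of about 17 hours and sort to the top, while the lone ws-42 execution alert scores 1. The point is not the particular weights but that prioritization and the storyline come out of the correlation step, rather than being left for the analyst to reconstruct across consoles.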
Fortunately, there is a better way. To learn more about how an intelligence-driven approach to cyber defense can detect and remediate complex attacks quickly and efficiently, read our new white paper: 6 Principles that Dramatically Improve the Efficiency of Security Operations.