The annual Scalar Security Study, published in February 2019 and conducted by IDC Canada, identified a new normal across the threat landscape: cybersecurity incidents, be it exfiltration, infiltration or denial of service, occur on a regular basis. Focused on small, midsize and large organizations in Canada, the study confirms that intrusions are inevitable and moreover that a majority of organizations experience successful attacks. To address this, the focus of the Canadian organizations’ cybersecurity efforts is shifting from an emphasis on protection against attacks to improving the detection of malicious actors on the network and responding to and recovering from incidents as quickly as possible. According to the report, organizations need to become cyber resilient, meaning that they should emphasize on the importance of business continuity and the need to return to normal operations and a trusted state after an incident has occurred.
Key Findings
- One key finding of the report is that the cost of compromise is at an all-time high. Although the average number of attacks per organization per year has declined (from 455 to 440 per organization), the average cost per organization of responding to and recovering from cybersecurity incidents has increased significantly (from $3.7 million to between $4.8 million - $5.8 million).
The major reason behind this increase is the fact that detection and response times are too slow. This is due to deficiencies in planning for cybersecurity incident response and recovery back to trusted state. These deficiencies also result in unrealistic expectations for the time required to recover. Interestingly, even compliance with the basic cyber resilience practices has a positive impact on recovery time.
- Another key finding is that the attack surface of the Canadian organizations is expanding exponentially because of remote access to corporate networks. This creates new opportunities for malicious actors to succeed in their nefarious plans. In addition, most Canadian organizations have to comply with three or more government or industry regulations. These relate to data or privacy (such as PIPEDA/Digital Privacy Act, SOX or GDPR).
Canadian organizations are adopting cloud solutions to migrate their infrastructure. These cloud security strategies are not keeping up with the adoption rate. Less than 60% of organizations update their public cloud environments within a week of patch release. This leaves them vulnerable to targeted attacks conducted by malicious actors.
- Last but not least, the security strategy of the Canadian organizations is shifting from protection to detection and response. Although traditional perimeter and endpoint security solutions will continue to be deployed, they are beginning to be complemented by AI, machine learning and new detection techniques. These three forces are key enablers for enhancing Canadian organizations' security posture.
The main conclusion of the report is that Canadian organizations are still too confident in their capabilities to successfully defend against cybersecurity attacks, but the ever-growing significance of cybersecurity breaches occurring on a regular basis has made organizations rethink their cybersecurity strategies. This shift in security behavior is expressed by the adoption of technologies, leveraging artificial intelligence and machine learning that can more proactively detect malicious activity on networks and devices. Despite that change, many organizations have deficiencies in how they handle the security risk created by people and inadequate cyber security planning. Organizations that understand cyber resilience and take a holistic approach suffer far fewer security incidents and significantly reduce the costs associated with them.
Discussion on the findings
The report identifies that most organizations are barred from performing timely patching or software updates. To be fair, patching continues to be a difficult challenge for organizations of any size. Even with the best intentions, there are significant obstacles that delay patching. If we want to be precise, the decision to either roll out, unroll or disregard a specific patch falls within the larger context of vulnerability management. This is a security practice designed to proactively mitigate or prevent the exploitation of vulnerabilities.
Vulnerability Management
Vulnerability management is more than just getting alerts whenever your infrastructure needs a patch applied. It is about making informed decisions and properly prioritizing what vulnerabilities to mitigate and how. This is achieved by embedding internal hooks for telemetry into all systems of interest as well as external hooks for threat intelligence from all sources. Vulnerability management has to be backed up by good threat intelligence that provides a deeper understanding of how and why threat actors are targeting certain vulnerabilities and ignoring others. Intelligence on vulnerability exploitability prepares your organization to strike the correct balance between patching vulnerable systems and interrupting business operations.
Top Three Organisational Concerns
The report also mentions that the top three organizational concerns relating to security posture are about the end-user risk. Specifically, untrained staff who may result in insider threats, mobility threats and confidential and sensitive data not being backed up. Unfortunately, the human factor is still a security program’s weakest link since nearly half of the companies surveyed do not conduct formal security training to help employees identify scams such as phishing or how to properly care for sensitive data. Although there are various technological advances for behavioral analytics, organizations should not be over-reliant on technology. User awareness programs should be developed in a manner that promotes cybersecurity culture as an integral part of the organizational culture.
The Golden Triangle of Cybersecurity
This brings into discussion the Golden Triangle of cybersecurity: technology, people and processes. Many companies have invested heavily in acquiring technology to detect intrusions; however, they have not invested in training staff to properly configure and update these systems or align the tools with a larger security strategy. On the other hand, the lack of streamlined processes overload security teams with repetitive tasks and false positives. Once properly identified, these can be carried out by automated security orchestration solutions. The use of such automation solutions, leveraging the power of AI and machine learning, will free up time for the security teams to detect intrusions. The Scalar security study highlights just this. There is a need for a change of attitude and for developing people and process to streamline workflows and even automate some of these functions. Speaking about processes, it is also interesting to note that updates to existing incident response plans occur following a security incident or because of changes to industry standards or government legislation. Considering the cost of a security breach, this is one area that really cannot afford to be neglected. There are many excellent reasons to update an incident response plan, but less than 40% of organizations are completing these updates.
Incident Response Plans
Organizations that have experienced a security breach know that during a breach it is not the moment to discover that the incident response plan needs to be updated. As a result, the costs associated with responding to, and recovering from, cybersecurity incidents are going up. Most of these costs are because of slow detection and response as well as deficiencies in planning. As Scalar's Chief Technology Officer Theo Van Wyk wrote on a blog, “incident response documentation cuts downtime and saves money.”
Regulations
A final thought. Most Canadian organizations are obliged to comply with numerous government or industry regulations. These are made for a good purpose – to protect our personal identifiable information (PII) and the organizations’ assets. But what happens when this plethora of regulations adds to the complexity of cybersecurity, especially if some measures or prerequisites are contradicting? The confluence of a threat landscape that is constantly evolving, an attack surface that is rapidly evolving and security compliance requirements that are increasingly complex makes cybersecurity an extremely difficult undertaking.
Final Takeaways
The reality is that there is no immunity against intrusion, operational disruptions and data theft. Thus, while prevention remains a key part of any cyber defense strategy, detection and remediation are quickly becoming critical focus areas for many organizations. These changes necessitate a new security approach, one that
- integrates each of the security technologies into a whole, enabling transparency and centralized policy controls;
- employs automation through an integrated security platform to minimize time-to-detect and time-to-respond, as it should also demonstrate compliance with industry regulations and security standards;
- adopts a proactive security posture which relies on real-time threat intelligence and its dissemination across and between each security element; and
- leverages the power of AI and machine learning to extend security capabilities to identify unknown threats, minimize false positives or pinpoint potential user and endpoint threats.
If your organization wants to become cyber resilient, it needs to embrace the fact that it’s not a matter of if your organization will be compromised but when. Assuming that your organization is a target for malicious actors, this mentality can best empower organizational leadership and decision makers to handle attacks when they happen. And the best way to achieve this is by adopting cyber resilience practices developed by NIST, US or Canadian governments, the European Union and the European Central Bank. Irfahn Khimji, Regional Manager, Canada at Tripwire, notes that there are other bodies of standards that can also help:
The thing a lot of security folks tend to forget is that cybersecurity risk is, at the end of the day, a business risk. A business risk needs to be mitigated based on the likelihood and impact it has to the business. As we see in this study, the cost of recovering from a security incident is increasing significantly whereas the number of incidents has remained fairly stable. In order to effectively mitigate this risk, a solid foundation of security controls should be implemented. The Centre for Internet Security recommends that organizations should start with knowing what’s on their network, ensuring that those assets are appropriately hardened and confirming that the vulnerability risk on those assets are mitigated. Only once an effective foundation is built will advanced detection techniques also be effective.
Tripwire’s products integrate the CIS security controls into their functionality so that they can better product organizations. Click here to learn more about this integration.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
