As we discussed in last week’s blog post, businesses are paying more than ever before for cybersecurity solutions, and market forecasters predict that this spending will only increase in years to come. Every time a large-scale attack gets media attention, publicly-held companies rush to reassure investors that their IT security spending is enough to reduce their vulnerability. But is the protection that they’re buying truly worth its cost? And how can smaller organizations ensure that they’re receiving the best value for their cybersecurity investments?
Today’s cybersecurity marketplace is crowded. Buyers are confronted with an ever-expanding array of options when selecting vendors, products and services. Faced with limited budgets and nearly unlimited alternatives, decision-makers can easily find themselves overwhelmed. And armed with the knowledge that organizational investments into cybersecurity have failed to curb the growth of cybercrime, how can you ensure that the protection you’re paying for is real?
Too Much Focus on Endpoints
Traditionally organizations have based their defenses on malware detection and intrusion prevention, primarily attending to the interfaces between their private networks and the public Internet. Legacy solutions like firewalls and anti-virus software programs are primarily preventative in nature, aiming to keep malware from reaching enterprise networks and devices. These preventative approaches become less and less effective with each passing year.
Nonetheless, organizations continue to spend more on endpoint protection than on any other category of security tool. And this spending continues even though these protection platforms are often ineffective: in one survey, 53% of companies who fell victim to a ransomware attack were running multiple antivirus software products simultaneously. And only 52% of these solutions were able to detect a simulated ransomware attack in test conditions. In the 2018 Thales Data Threat report, endpoint security solutions were ranked dead last in terms of their effectiveness.
Too Many Vendors
The cybersecurity market also faces the challenge of oversaturation. With more than 1,200 vendor-specific solutions available, it’s becoming increasingly difficult to choose between them. Decision-makers are tasked with evaluating multiple vendors’ competing claims, but often lack a thorough understanding of what’s actually needed to keep their businesses safe.
The results can be chaotic: in one recent survey, major enterprise CISOs said that—on average—they were relying on more than 80 security vendors each. Although it might seem that such an abundance of solutions would result in ample protection, the opposite is often the case. These solutions are often poorly integrated, failing to communicate with each other or requiring users to log into multiple separate management consoles in order to monitor their performance.
As attack surfaces rapidly expand and attacks grow in sophistication, it can be tempting to simply add another vendor’s product for each newly-discovered vulnerability or threat. But doing so guarantees ever-rising costs, without ensuring that that the solutions will work well together. Organizations already struggle with the complexity of cybersecurity solutions, and when multiple products from competing vendors are being used, it can be even more difficult to extract meaningful threat intelligence from the alerts generated—and to do so quickly.
Cutting Through the Hype
Given these challenges, how can you choose the best security solution for your organization? One answer is to find experts without a financial stake the cybersecurity industry: look for independent authorities to validate any claims made by individual vendors.
One such organization is MITRE. Chartered to work in the public interest, MITRE is an independent nonprofit that operates federally-funded research and development centers. Their objective is to conduct scientific research and analyze technological challenges and cybersecurity threats. For the past five years, MITRE has worked to develop the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework, a detailed, globally-accessible knowledge base of the tactics and techniques used by attackers, according to real-world observations.
The ATT&CK model’s key characteristic is a shift in primary focus: from prevention to detection. Developed with the goal of detecting advanced persistent threats (APTs) more quickly, ATT&CK is founded on an “assume breach” premise. Researchers at MITRE operate with the expectation that it’s simply impossible to keep attackers off your network, and instead seek to categorize and catalog attackers’ most common post-breach behaviors, with the goal of reducing the amount of time it takes to detect an intrusion.
By making this information available to the public, ATT&CK’s creators hoped to improve the sharing and coordination of intelligence across the cybersecurity industry, and thus to enhance all vendors’ ability to predict attacker behavior and to create stronger dynamic defenses. Instead of concentrating on identifying particular malicious domains, IP addresses or file hashes, which attackers are always changing, the researchers sought to document the general tactics and techniques used by adversaries interacting with real systems.
Lessons from ATT&CK: What to Look for in a Solution
Today’s most effective security platforms are built upon the same foundational premises as the ATT&CK framework: they construct dynamic defenses by focusing on post-breach detection. The threat landscape is constantly evolving: it doesn’t make financial sense to purchase a new solution each time a new attack vector is discovered. Instead you need a multi-layered platform-based approach that can evolve right along with the challenges. A crucial component of such approaches is their reliance on behavioral analytics powered by comprehensive dynamic threat models, which incorporate intelligence from both commercial and open sources (including ATT&CK). An ideal system’s behavioral analytics can be adapted and tuned for your particular environment.
It’s also important to find a system that’s seamlessly integrated, ensuring that components from various vendors will work together to improve overall detection rates, rather than merely generating alerts that you don’t have the resources to investigate or interpret.
As the number and complexity of threats continue to increase, monitoring them is beginning to exceed human capability. Thus moment-to-moment traffic and threat analysis must be increasingly automated, and machine learning and artificial intelligence relied upon to perform this task. How well this “learning” works to set effective network policies is critical to the strength of your defenses.
To learn more about how the Secureli platform incorporates advanced behavioral analytics powered by artificial intelligence into a comprehensive threat detection and remediation system, contact Netswitch today. Our integrated services are available for a flat monthly per-device fee—pricing that will remain stable no matter what happens in the threat landscape.