As cybercrime evolves, it is time organizations adopt proactive strategies to help prevent, detect, and resolve information security breaches. “Cybercrime has become more sophisticated as perpetrators have realized that there is profit to be gained,” says Anton Tkachov Chief Security Architect, Financial Systems Cybersecurity, PwC. “In the 1970s, for example, computer viruses were just a prank; today, ransomware is a very lucrative market. Cybercriminals have realized the potential gain and started to operate as mature businesses with large investment and R&D budgets.” Today, cybercriminals have a position of advantage because of several notable asymmetries existing between them and their victims. It’s time for security professionals to turn the tables on cybercriminals by embracing risk-based decision making, investing in detection and response, and empowering security teams with tools to improve speed and efficiency.
Asymmetries between cybercriminals and cybersecurity
“We have to be right 100 percent of the time. Cybercriminals only have to be right once.”
The asymmetries that exist between cybercriminals and their victims, organizations, and individuals the world over, generate costs that include lost information assets, human hours, lawsuits, and intangibles like goodwill and trust.
|Strategy||Designed to maintain compliance and detect known attack types via rule-based methods and technology. These tend to revolve around conventional security systems such as SIEMs, anti-virus software, firewalls, and intrusion detection systems. This creates a static and defensive posture and cybersecurity professionals must defend against all known vulnerabilities.||Cybercriminals deploy known attack methods that are typically blocked by traditional cybersecurity services, but they also innovate new attacks every day that are unknown to cybersecurity professionals. Even conventional attacks, such as email phishing, are deployed with increased sophistication. Cybercriminals maintain dynamic behavior and ultimately need only exploit a single vulnerability, known or unknown.|
|Speed||Traditional SOCs were designed to prevent threats in a security era when breaches were less common. Thus, they are known to be slow to detect and to respond to successful attacks. Today, breaches are inevitable. Most traditional security teams and operations are unable to evict attackers before they cause harm. The Ponemon Institute found the average U.S. organization takes 206 days to detect a data breach.||An attacker needs very little time to cause significant damage. When an attack is successful in getting by perimeter defenses, according to the 2019 Verizon Data Breach Investigations Report, the typical time to compromise amounts to mere minutes. From there, it only takes a few more hours for a hacker to locate and move to their target and exfiltrate valuable data.|
|Efficiency||Most Fortune 500 companies will have to deploy over 100 high-priced security experts and spend millions building up their own internal security posture in order to attempt to defend themselves. The most frequent ratio quoted is one analyst for every 50 to 75 devices.||A single bad actor deploying either a free exploit or low-cost off-the-shelf software can cripple an entire Fortune 500 company.|
|Cost||Maintaining and enhancing cybersecurity requires significant investment. Adapting to new attacks requires continued investment.||Launching a cyberattack requires little investment, allowing cybercriminals to be agile. They are able to negligible cost with support from the underground economy.|
|Collaboration||Collaboration and convergence are on the rise. Recognition of the importance of cybersecurity have made it to the board room, yet gaps remain and many organizations still work in silos.||There is a great deal of collaboration and communication happening among hackers, and in particular on the Dark Web.|
|ROI||It is difficult to quantify changes in risk achieved by new cybersecurity investments.||Cybercriminals can easily measure their Return on Investment. They continuously innovate and improve their strategies and products for launching cyberattacks.|
What we can learn
The problem is not that cybersecurity systems are failing, it’s that cybercriminals are playing an entirely different game in entirely different conditions. Corporations concerned about the integrity of their cybersecurity policies and practices should start thinking, and acting, more like cyber criminals if they want to level the playing field.
Lesson No. 1: Risk-Based Decision Making
The major motivation for most cybercriminals: money. Risk-based decision making involves understanding the major problems an organization will face and prioritizing investments to achieve ideal business outcomes. The truth is, organizations do not always have the resources to address all threats equally. Organizations must consider their assets in terms of where the greatest risks and costs will reside in the case of a security breach. This involves assessing vulnerabilities across the entire company. This requires a system-wide approach. As convergence between physical and cyber security evolves due to the increasing amount of IoT enabled systems, assessing risk becomes more complex and not always falling within the domain of IT.
Once organizations have assessed vulnerabilities and identified risks across the organizations, threat intelligence software like Media Sonar enables consolidation of critical physical and cyber assets across an organization. Used in Security Operations Centers as an operational hub, having a consolidated view of critical assets in association with potential threats can go a long way in providing a complete view of the risk and threat landscape.
Lesson No. 2: Invest in Detection & Response
According to a 2015 report by Mandiant, the average targeted malware compromise was present for 205 days before detection, the longest presence was 2982 days, and 69% were discovered by external parties, not internal IT security functions.
Let’s face it. Compromises are inevitable. Perfect prevention is not achievable. Organizations need to detect vulnerabilities and risks from all sides, and respond accordingly. Security leaders must shift from prevention and protection to invest in technological and human capabilities that can detect a threat before or as it occurs. Tools don’t do threat detection, people do.
Our software flags potential threats using Internet chatter and content from hidden sites across the Surface, Deep, and Dark Web where threats are most likely to reside. Where a growing amount of crime involves Internet communication and collaboration, Media Sonar Threat Models alleviates the drain on resources. A recent Forrester Opportunity Report highlights that 52 percent of firms use four or more data sources and 37 percent use five or more to investigate threats. Media Sonar consolidates these data sources, integrating them with rule-based queries to display potential threats on a single pane.
Lesson No. 3: Speed & Efficiency
Cybersecurity professionals must be able to investigate the source of the threat as well as the potential business impact of the breach. Not only that, but they must be able to do this quickly. Organizations must provide the tools for first responders to react quickly and investigate the source and impact of breaches.
The Threat Detection Forrester Opportunity Report indicates that on average, it takes 35% of firms three or more days to investigate a threat. For 38% of firms, it takes between one and three days. With Media Sonar’s Pathfinder tool and a consolidated view of data sources, security professionals can speed up their investigations of Internet chatter and intelligence in a ¼ of the time it takes to search multiple data sources manually.
Embracing these lessons requires a willingness to deviate from perceived security conventions. It’s quite simple. First, follow the money. Invest in resources and tools to empower the people protecting your organization from threats. Shift focus away from prevention to detection and response. Work smart, not hard.
Media Sonar partners with organizations around the world to improve their . To learn more about our software, and the different ways your organization can use our software in your security operations, contact us to book a demo.