An effective cyber security program?
The ever-growing threat of cyberattacks has made every enterprise, small and big, spend a fortune on implementing a vigilant and resilient cyber security program. The cybercrime magazine Cybersecurity Ventures predicted in June 2019 that cumulative global cyber security spending over five years would exceed the $1 trillion mark by 2021. However, the Mandiant Security Effectiveness Report for 2020 tells a different story. As per the report, 53% of infiltrations and 68% of ransomware attacks went unnoticed, while 91% of attacks did not even generate an alert. These numbers raise a profoundly serious question about the effectiveness of our security defences.
Even though organizations are spending a significant portion of their budget on security, the return on investment seems to be negligible. As per information compiled by the Identity Theft Resource Centre and the U.S. Department of Health and Human Services, nearly 3.2 million records were exposed in the first two quarters of 2020. The primary reason for this gigantic failure is the insanity of our cyber security strategies, at least by the definition attributed to Albert Einstein: "the definition of insanity is doing the same thing over and over again and expecting different results." People still follow the traditional approach to security while expecting vigilance and resilience. As our previous blog post rightly said, battling a fleet of cannons is not possible with swords and spears.
A Security Operations Centre is a combination of people, process and technology, tightly coupled to each other. An inefficiency or gap in any one of the three would collapse the entire security defence. A typical process flow of most security operations looks something like the diagram below:
A set of point products such as firewalls, IDS/IPS, WAF, etc. provide protection, while technologies such as SIEM, threat intelligence and UEBA analyse and correlate the data collected by those point products to establish a detection mechanism. The analytics and correlation results are then consumed by security analysts for decision making, and action is taken on the same set of point products. This entire workflow is driven by a set of processes implemented by the organization. However, with evolving threat vectors and increasing attack volume, this workflow tends to fail.
Though only 9% of attacks generate an alert, security analysts are suffering from alert fatigue. This implies a significant disparity in alert configuration: the alerts fail to capture the real red flags while only adding noise to the system. At the same time, since only 26% of alerts are investigated, owing to several other factors, it is possible that the remaining 74% contained some, or perhaps many, true positives that were overlooked.
These inefficiencies and gaps at each stage of the security lifecycle, from technology implementation to operations, from process creation to establishment, and from resource onboarding to effective utilization, add up to the overall failure of cyber security defence, and as a result we get a poor to low return on the investments made in security. All attempts at an effective cyber security program fail because of the fundamental flaws in our security strategies. As they say, change is the only constant, and the same change is required to increase the effectiveness of our cyber security programs.