Despite a resolutely bullish rise in security spending — Gartner estimates the total reached a staggering $75 billion for 2015 — we continued to see record-high numbers in terms of data breaches and personal records lost.
So what gives? Where is this money going and why isn’t it having a measurable impact?
Much of the answer can be found in organizations’ belief that data breaches are inevitable. They’ve shifted the lion’s share of their new spending into identification and cleanup, and are now neither demanding nor expecting that their investments will prevent security incidents in the first place. Particularly on vulnerable endpoints — user systems mostly — this leads to a problem of compounding complexity. More machines are suspect, more traffic is designated for analysis, and infected systems generate volumes of traffic which flood even the best monitoring and analytics. The problem gets worse as more types of attacks need to be watched for, as attack infrastructure becomes more dynamic, and as more user functions take place in SaaS or cloud-based systems, moving those operations from local to network events.
To cut the attack chain short we need to focus on where it starts — user endpoints.
In the mid-1990s, the most common attacks were against servers and infrastructure. That’s where the important data was, and in the absence of strong protections, it was the most logical and efficient place for attackers to go. They could get direct access to the information they wanted.
But that was 20 years ago. Security for servers and hosting centers is now much better understood, and the problem is manageable, with limited numbers of authorized users, systems, and predictable connections and transactions. Advances in security have created more secure datacenters and there are well-known best practices for locking down central shared resources against direct attacks.
As organizations moved more and more services to these datacenters, however, user access to information also became more distributed and richer. Naturally, attacks were then retargeted to user systems. These systems are much more numerous and less consistently protected, and their operators are often neither aware of security concerns nor particularly technical. What’s more, the applications that dominate the users’ days (mail programs and browsers) exist specifically to bring outside content onto that local machine, whether that content is malicious or not. As a result, these user systems present a perfect blend of human and machine weaknesses to make the distribution of attacks automated, inexpensive, and uncomplicated.
The Snowball Effect: 4 Stages of Cyber Attack Response
While it is true that some number of systems will likely always be breached, it is also true that for every machine that resists a breach, there are many downstream savings. While it’s obvious that stopping a breach earlier saves money, the scope of these savings is pretty amazing.
1) The Best Case Scenario: Prevent Infection in the First Place
Most malicious software begins its life on a system as an invader of some other process’ space and resources. It infects a browser or a productivity program and uses those resources and privileges to make itself persistent and to get to work. If stopped here, as it is trying to take over a legitimate process, then there is very little impact aside from the attacked process having to restart.
2) Clean Up and Prevent the Spread
If the infection is successful, though, good malware will have the access it needs to corrupt the system and begin to steal credentials, lock down resources, or exfiltrate data. At this point, the user’s system is pretty much a loss, and will likely need to be reloaded from backups (if they exist). If detected here (likely through some host-based monitoring), the damage is limited to this one machine. The impact may be painful, but at least it’s contained and easier to analyze.
Unfortunately, most attacks are not identified at this point.
3) Investigate and Quarantine
According to the Ponemon Institute, the average time to detect is more like 14 weeks, and the breach is usually seen first by customers, partners, or law enforcement. Sometimes it will be seen by a good Managed Security Services provider or SIEM. During those weeks, though, the infection is spreading.
Shared resources are a common way that other machines are infected, as are the password and credential sniffers resident in most malware. All it really takes is a few days for the infection to spread to others connected to the infected user, and then spread further, onto machines that share a connection with the new victims. At this point, the damage escalates quickly. The cost of remediation also swells, as the investigation required to understand which machines are infected, what kind of data has been lost, and how much resetting of credentials and authorization needs to be done becomes increasingly complex and time-consuming.
4) Disclose, Notify, and Pay
Even this is not the end of the chain. Once an organization is effectively breached, then the most damaging events occur. Private employee and customer data is stolen or encrypted, sensitive emails are accessed, and organizational reputation begins to suffer publicly. Regulatory pressure, fines, and audits are likely, as is the potential for liability claims among these later victims. The costs are almost unlimited, and they continue to grow as the courts begin to understand the potential for injury and attorneys recognize the opportunity for pursuing civil damages.
The old axiom continues to hold true: Prevention beats cure.
As following this chain of impact shows, security investment needs to be rebalanced to more logically address both prevention and detection. We may not be able to stop every end-user system breach, but stopping them as close as possible to the point of infection is the clearest way to simplify our security, reduce our costs, and permit security teams to focus on the strategies and symptoms of the most sophisticated and targeted attacks.