Despite all the spending on cybersecurity, attackers are winning the security war, and unless things change dramatically on the defense side the situation will get far worse. That was the grim conclusion RAND Corporation researchers drew in their latest report.
RAND didn’t pull any punches in its 162-page report, The Defender’s Dilemma, noting that defenders responsible for protecting corporate and personal data are unprepared, overwhelmed, and unsupported.
Researchers interviewed CISOs, reviewed existing technologies, and assessed the challenges of producing secure software in order to build the economic models that make up the report, which was recently released by Juniper Networks.
“Chief information security officers (CISOs) feel they are treading water at best—investing more money in security without feeling any more secure. Even more concerning, they believe that attackers are quickly gaining on defenders and many are not sure about if or when they have invested enough in security,” the authors wrote.
Estimates peg worldwide spending on cybersecurity as approaching $70 billion per year and growing at 10 to 15 percent annually but “it would be an understatement to say organizations are dissatisfied with their security,” the report said.
One of the challenges facing organizations is that attack methods don’t stay static. With every investment in defenses and security technologies, attackers figure out how to evade them. This dynamic ultimately drives up the amount companies must spend on security technologies just to maintain the same level of protection. There is a half-life to security technology, and the drop-off is significant: RAND’s model projects that over 10 years the effectiveness of security technologies that face countermeasures falls by 65 percent.
“Measures beget countermeasures (the adversarial dynamic) pretty much sums up the root cause of cyber buildup,” RAND said, noting the model showed that spending on security tools as a proportion of the overall cost of security increased by 16.2 percent over the span of several years.
Attackers just have to be lucky once, but defenders have to look at all potential risks. The defender’s job is to make it too expensive in terms of time, resources, knowledge, and money for the attacker to find that lucky break. That is an expensive proposition for the defender, and is set to get more expensive as security teams are being asked to manage an increasingly diverse set of security technologies.
Certain types of security tools are not prone to the problem of countermeasures, such as those focused on improving security and patch management, automation, and policy enforcement across the corporate network, RAND found. Attackers do try to find countermeasures to tools such as anomaly detection, malware sandboxing, and anti-phishing training. Most companies need a mixture of tools from both categories to protect their systems, the report concluded.
Security has a leadership problem, and CISOs don’t have a clear vision of what they need to do. “The concept of active defense has multiple meanings, no standard definition, and evokes little enthusiasm,” the report found. Threat intelligence is a buzzword everyone is excited about, but no one really knows what to do with it. The pessimism also extends to the government’s efforts to help improve the situation.
“CISOs we interviewed did not express much interest in government efforts to improve cybersecurity, other than a willingness to cooperate after an attack,” the report found.
CISOs are most concerned about the effect of a cyberattack on the organization’s reputation, rather than direct costs. “The actual intellectual property or data that might be affected matters less than the fact that any intellectual property or data are at risk,” the report found.
“CISOs are still grasping at how best to report security program performance to the board, and it comes as no surprise that corporate executives are managing to public perception of security and data safety,” Trey Ford, Global Security Strategist at Rapid7 told SecurityWeek.
Some of the report’s findings reinforce things many security professionals have said in the past, such as the fact that there is no one-size-fits-all security. Companies need to think about their individual situations, infrastructure, and culture when planning out their security investments, RAND said. “Small to medium-sized businesses benefit most from basic tools and policies, while large organizations and high-value targets require investments in a full range of policies and tools given the likelihood that they will be targeted by an advanced attack,” RAND concluded.
Other findings are just common sense, such as the fact that reducing the number of software vulnerabilities present when the software is shipped will reduce overall costs. RAND’s model found that if the frequency of software vulnerabilities could be reduced by half, the overall cost of cybersecurity to companies would reduce by 25 percent. This is where attention to software testing, secure coding practices, and a full software development lifecycle would pay off.
Another common-sense finding is that people-centric investments, such as technologies to automate security management, advanced security training for employees, and hiring security staff, lead to greater cost savings down the road. Organizations with high levels of security diligence curbed the cost of managing security by 19 percent in the first year, and by 28 percent by the tenth year, compared to organizations with low diligence, RAND found in its survey.
Instead of measuring the volume of blocked attacks, organizations need to find better ways to understand the factors that influence the total cost of cybersecurity risk. Instead of relying on metrics that measure how the technology works or focusing on vulnerabilities, organizations need to look at business outcomes and impact to operations.
“What’s clear is that in order for organizations to turn the table on attackers, they need to orient their thinking and investments toward managing risks in addition to threats,” Sherry Ryan, chief information security officer of Juniper Networks, said in a statement. Juniper also released an interactive interpretation of RAND’s economic model which would give businesses general guidance on where they should invest their time and resources across the major areas to reduce potential security costs.
The previous RAND report examined underground markets for cybercrime tools and how cyber-attackers buy and sell stolen data. This latest report examined the grey market, where researchers sell vulnerabilities to the highest bidder, which could be governments and defense contractors. A single flaw can fetch between $200,000 and $300,000, depending on its severity, RAND estimated. Researchers can get as much as 10 times more for a working exploit through the black and grey markets than by reporting the vulnerability directly to the company that owns the software, according to the RAND report.
Another challenge is that while it’s possible to measure how much is being spent on information security, it is not easy to tally how much is being saved as a result. Even estimating data breach losses is subjective, since no one agrees on how to measure them, the report found. RAND’s model accounted for losses from cyberattacks, direct costs of user training, direct costs of buying and using tools, indirect costs associated with restrictions on devices, and indirect costs associated with air-gapping sensitive systems.
RAND was pessimistic in its view of the security landscape, but noted that may be the industry’s saving grace. “The best reason for being optimistic over the future of cybersecurity is the growth in ranks of those pessimistic about it,” the report’s authors wrote.