
Today's Security Trap: Increasing Spending but Not Efficacy

Many organizations assume that once security controls are put in place, they will be effective indefinitely

According to Gartner, organizations are expected to spend $150.4 million on IT security and risk management technologies in 2021, which would reflect a 12.4 percent increase compared to 2020. You would think with that much money invested in security we would be several steps ahead of the bad guys. However, hardly a week goes by without a new high-profile cyber-attack (e.g., Radixx, Pulse Security, Trend Micro, SolarWinds, Shopify, CryptoForHealth Twitter hack). In this context, it is essential for organizations to understand that security solutions’ efficacy matters more than the fact that they are deployed. What’s the value of a security tool if it fails to work the way it is intended? So, what can be done to assure security efficacy?

Typically, security effectiveness is measured by an organization’s ability to protect against known and unknown threats. To prevent a threat from exploiting a vulnerability that would generate a security incident, organizations most commonly rely on the implementation of security controls in combination with security tools. Unfortunately, many organizations assume that once security controls are put in place, they will be effective indefinitely. As a result, validation of whether established security controls are working as intended often does not occur. This approach leads to blind spots that are being exploited by cyber adversaries in their attack chain, increasing an enterprise’s cyber risk exposure unnecessarily.

You Cannot Fix What You Cannot See

Why perform requests for proposals, proofs of concept, and time-consuming vendor selection processes if you cannot validate that the security solution you implemented is doing what it’s intended to do? Validation includes identifying gaps so you can fine-tune the configuration, and continuous validation through automated monitoring to mitigate potential decay in the health of the tool.

Unfortunately, many security solutions lack the capability to monitor their own integrity or health, often turning an organization’s investment into shelf-ware. While it may be true that the health of a security application can be impacted by faulty implementations, poor integrations, and lackluster maintenance, more commonly the following factors influence the integrity and efficacy of security applications:

• Re-imaging of an end user’s device often leads to the software not being re-installed.

• Critical files are often corrupted when new third-party applications are installed or updated.

• Negligent users who damage or remove applications unknowingly.

• Malicious insiders and/or hackers that disable security applications to bypass security controls.

In fact, according to the 2020 State of Endpoint Resilience Report (PDF), nearly one in three enterprise devices have security applications (e.g., anti-virus, anti-malware, endpoint protection, client management, VPN) installed that are no longer working as intended. Furthermore, more than five percent of enterprise devices were missing one or more of these critical controls altogether.

Continuous Efficacy Assessment and Mitigation

To improve security processes, organizations must continuously collect and analyze relevant data to test the efficacy of controls. As mentioned above, without knowing whether the health of a security application has been jeopardized, an organization cannot react to malicious actions, collisions, or software damage. In turn, we are seeing the introduction of enhanced regulations and guidance (e.g., PCI DSS, NIST SP 800-137) that prescribe continuous diagnostics of security controls.
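The kind of continuous efficacy check described above, as an added example that is not part of the original article or any vendor product: a constructed inventory snapshot is compared against an expected baseline, and each agent is classified as healthy, degraded (installed but not working as intended), or missing, mirroring the failure modes listed earlier. The agent names, hashes and device records are all constructed.

```python
# Added example (not from the article or any vendor): fleet-level efficacy
# check for endpoint security agents. Compares a constructed inventory
# snapshot against an expected baseline and classifies each agent.
from dataclasses import dataclass
from typing import Dict

# Expected baseline: agent name -> hash of its main binary (constructed).
BASELINE: Dict[str, str] = {
    "endpoint-protection": "sha256:aa11",
    "vpn-client": "sha256:bb22",
}

@dataclass
class AgentState:
    installed: bool
    binary_hash: str = ""
    service_running: bool = False

def classify(agent: str, state: AgentState) -> str:
    """Return 'healthy', 'degraded' or 'missing' for one agent on one device."""
    if not state.installed:
        return "missing"      # e.g. not reinstalled after a re-image
    if state.binary_hash != BASELINE[agent]:
        return "degraded"     # e.g. files corrupted by a third-party update
    if not state.service_running:
        return "degraded"     # e.g. disabled by a user or an intruder
    return "healthy"

def fleet_summary(inventory: Dict[str, Dict[str, AgentState]]) -> Dict[str, float]:
    """Percent of devices with a degraded agent and with a missing agent."""
    total = len(inventory)
    degraded = missing = 0
    for agents in inventory.values():
        results = {a: classify(a, agents.get(a, AgentState(installed=False)))
                   for a in BASELINE}
        degraded += "degraded" in results.values()
        missing += "missing" in results.values()
    return {"degraded_pct": 100 * degraded / total,
            "missing_pct": 100 * missing / total}

# Constructed snapshot of four devices, one per failure mode named above.
INVENTORY = {
    "dev-1": {"endpoint-protection": AgentState(True, "sha256:aa11", True),
              "vpn-client": AgentState(True, "sha256:bb22", True)},
    "dev-2": {"endpoint-protection": AgentState(True, "sha256:zz99", True),   # corrupted
              "vpn-client": AgentState(True, "sha256:bb22", True)},
    "dev-3": {"endpoint-protection": AgentState(True, "sha256:aa11", False),  # stopped
              "vpn-client": AgentState(True, "sha256:bb22", True)},
    "dev-4": {"vpn-client": AgentState(True, "sha256:bb22", True)},           # missing
}
```

Running `fleet_summary(INVENTORY)` on the constructed snapshot reports 50 percent of devices with a degraded control and 25 percent with a missing one, the two figures the report cited above tracks at fleet scale.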

In this context, more and more security practitioners are taking advantage of a new concept described as application persistence: the ability of a software-based application to continue functioning despite disruptions, unintentional decay, or malicious actions against the components that are fundamental to its operation.

As a result, application persistence contributes to an organization’s digital resilience by providing the needed visibility to assess security efficacy and offering the ability to self-heal critical third-party security applications when they’re disabled, altered, or otherwise made vulnerable. Organizations taking advantage of application persistence as part of their endpoint security strategy can achieve the following benefits:

• Ensure application integrity by maintaining health and efficacy.

• Increase operational efficiency by relying on automatic, zero-touch, built-in resilience.

• Reduce IT helpdesk tickets for application failures.

• Maximize productivity by guaranteeing availability of mission-critical applications.

• Increase ROI for existing security and software investments.

The most effective application persistence solutions are embedded in the firmware of endpoint devices, assuring that neither decay nor malicious actions can tamper with their self-healing capabilities and enabling the collection of the most granular information sets across devices, applications, and data.

Despite the long-standing belief that deploying more security solutions will result in greater protection against threats, the truth of the matter can be very different. That’s because every security application added to an endpoint device has the potential to increase complexity and risk exposure, contribute to application decay, and affect the overall health of the device. Instead, organizations should focus on validating security efficacy regardless of how many security controls or applications have been deployed.

Torsten George is currently a cyber security evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).