Why Cybersecurity Never Seems to Improve, and What You Can Do About It
Security defenses are improving, but cybercriminals move faster than defenders, and the attack surface seems broader than ever. There are five reasons why enterprise security is so challenging.
Why does it seem that the security profession is continually moving at a fast clip, while at best staying in place or falling behind when it comes to protecting against threats? Seeing the massive and continual flow of publicized threats, vulnerabilities, and breaches does make it seem that things are getting worse faster than they are getting better. It seems we are trapped in a security version of Groundhog Day or worse, a mind-bending episode of Black Mirror!
But if true - and I think it is - why is this? Let’s leave aside the not-insignificant fact that attackers continue to evolve and get more targeted and sophisticated all the time. Frankly, unless you carry a badge, there isn’t much you can do to directly affect the supply, risk calculation, and focus of global cybercriminals. As a typical IT and security professional, your role is primarily defensive, not offensive. But why is defending so challenging? Let me list some of the primary reasons.
The technology, data, and applications we are defending are in continual growth and flux
Most, or at least many organizations, are littered with a continually expanding footprint of on-premises and cloud-based applications and infrastructure. And much of the on-premises systems aren’t consistently managed, patched, upgraded, or even known! And, of course, the cloud is both here and coming fast, accelerated with the Covid-related rush of the last couple of months. And now to add yet another access vector, the wave of internet-enabled and connected IoT computing devices are hitting many organizations. Good luck defending this!
Should you flow your users and network traffic through your VPN to enforce and monitor security by passing the traffic through your on-premises systems? Whoops, you have blown out your VPN and network capacity with the move to mass work from home! Also, what about your off-network - cloud-based - services? Transition your security controls to be cloud-based as well! Great idea, but what about control and visibility of what is going on on-premises or in those cloud security services? Are these security systems integrated or at least integrable via an open API? If not, moving to cloud-based security controls is one step forward and one step backward!
Security systems and processes are too manual
Security experts are both expensive and in very short supply; they are, after all, what the security skills gap is all about. In most industries where human resources are expensive and in short supply, greater automation is often the reaction. Any function that is both repetitive and does not require much unique problem solving, logically leads to automation. Greater automation is certainly coming to security - just look at the rise of SOAR tools. But I wouldn’t even characterize security automation to be in the first inning of progress - more like barely in spring training. Without effective automation security teams are faced with the bad choice between limiting alerting and investigations and missing indicators of compromise. Not an ideal tradeoff.
Employees contributing to social engineering and business process discovery by cybercriminals
In World War II, posters extolling “loose lips sink ships” became popular to communicate the risk of sharing sensitive information at all related to future troop and ship movements. For focused and observant adversaries, bits of seemingly random information can be strung together to develop a comprehensive view of the systems, processes, and people that make up a targeted organization. Suffice it to say with LinkedIn, Twitter, Facebook, Reddit, Instagram, and many other public-facing social media sites, there are many “loose lips” from which to draw valuable insights, as well as people on the inside with whom to connect. The sharing is too broad and too common, making it exponentially more difficult for a security professional to control the sharing of information that can contribute to the sinking of their “ship”.
The wide-open internet, ripe for domain spoofing
The internet and the web were designed to be decentralized and under the control of no one person or organization – an open network with very few rules of the road. For this, we should be very thankful as it has been central to its dynamic growth. But it is also clear that this openness directly contributes to the challenges associated with securing the commerce and communications that go over it. While no one knows if you are dog on the internet, similarly it is very hard to tell if you are the person or organization you claim to be. Do you have permission to send email from that domain? Do you have a license to setup a website that claims and looks to be provided by a particular brand or entity? Who knows? It really is browser (or email receiver) beware! Securing this the web is kind of like being a sheriff in a town with billions of people and little or no laws.
Limited threat intelligence sharing
Not to dwell too much on wartime analogies, but it only makes sense that the good guys - the allies - share intelligence to defeat a common enemy. But is there a common enemy? Not 100%, but close enough. Do the good security guys share threat intelligence? Yes, absolutely. Enough and in a way to be both fast and actionable by most organizations? Not so much.
We are getting there as an industry, but we have a long way to go. Ideally, as soon as one whitehat discovers a new vulnerability, exploit, or malicious domains, IPs, or web sites, all of the security vendors, systems, and enterprise defenders would immediately be so informed! We are a long way from this being a reality, but there does appear to be a light at the of the tunnel.
While there are certainly other factors that contribute to the lack of security progress at the macro, global level, I hope you agree that the 5 challenges discussed above are important contributors that need to be addressed. As security professionals all we can do is do better tomorrow.
Fortunately, all of these security topics and more will be discussed in depth in the Advanced Security track at Mimecast’s upcoming virtual Cyber Resilience Summit on June 23 & 24 (24 & 25 in Australia & New Zealand). This event is free to attend and is 100% virtual. Please come and join the discussion of these and other key security challenges.
Want more great articles like this?Subscribe to our blog.
Get all the latest news, tips and articles delivered right to your inbox
You will receive an email shortly