Have enterprises basically just given up on IT security? Global budgets fell by 4% in 2014 compared with the previous year, and as a percentage of total IT budget they’ve remained at 4% or less for the past five years. The picture is even starker for firms with revenues of less than $100m, who claim to have reduced security budgets by 20% since 2013.
Yet the threats keep on escalating. When it comes to information security, there are really only two situations out there: companies that have been breached, and companies that still don’t know it.
If 2014 was the “Year of the Data Breach” then 2015 is proving to be at least its equal. This month alone we’ve seen TV stations shunted off air by pro-jihadi cyber terrorists; the discovery of major new state-backed attack groups; and another massive data breach at a US healthcare provider.
We talk today about managing risk, rather than providing 100% security – because there’s no such thing. The conclusion I have reached is that the traditional information security model is broken. But why? And how can we fix it?
The New Normal
Today’s threat landscape is virtually unrecognizable from that of a decade ago. It’s populated by well-resourced, highly determined and sophisticated actors, who may be motivated by ideology (hacktivists and cyber terrorists), geopolitical gain (state-sponsored hackers) or, more usually, plain old money. While you’ll still see the worms and viruses of old circulating on the internet today, most cyber criminals have all but abandoned these vectors in favor of something far more targeted, more covert and more successful.
Targeted attacks and Advanced Persistent Threats (APTs) first broke into public awareness around 2010, when the so-called Operation Aurora attacks on Google and others presaged the firm’s exit from China. Stuxnet followed that same year and suddenly the floodgates had been opened: there was a new threat in town. Such an attack typically begins with a “spear phishing” email or social media message that uses social engineering techniques to encourage the user to open a malicious attachment or click on a malicious link, triggering a malware download.
The malware will load in the background without the user’s knowledge, evade detection by traditional tools and escalate privileges inside the network until it finds the data it’s looking for.
Attackers spend time researching their targets on the internet to hone their phishing lures, and increasingly take extra time to zero in on IT administrators, whose privileged accounts will give them the keys to the kingdom straight off the bat. They also spend time researching where vulnerabilities lie on the target systems so that the malware can do its job, bypassing existing defenses.
The cybercriminal underground that sits beneath all of this, on the non-indexed “Dark Web” of anonymization networks like Tor and I2P and on private forums, is a vast, unknowable beast. Best estimates have put its size at 400-500 times that of the “surface” web. Cybercriminals buy and sell stolen credit cards, identities, exploit kits and other attack tools, which have democratized the ability to launch sophisticated targeted campaigns.
The fact that enterprises are now hugely more exposed to such threats, through a tsunami of new vulnerabilities appearing every month and through a proliferation of new cloud services and applications, makes the bad guys’ job even easier. That enterprises have to secure these increasingly complex physical-virtual-cloud environments with minimal budget is just the icing on the cake.
Yet the stakes are higher than ever. The average cost of a data breach stood at $3.5m last year, up 15% on 2013. The repercussions are vast: loss of brand and shareholder value, damage to customer loyalty, legal costs, financial penalties, and remediation and clean-up costs, to name but a few. Target claimed that in Q2 2014 alone, losses related to its massive breach totaled $148m. Sony Pictures’ losses are almost unquantifiable, given that a huge treasure trove of valuable IP and internal emails has now been made publicly available by Wikileaks.
A losing battle?
Given the size, scale and sheer organization of the cybercrime underground – notwithstanding the threat from state-sponsored attackers targeting your IP or hacktivists looking to take you down – it’s not surprising that the security industry is constantly on the back foot. Its adversaries are more agile, and have the element of surprise and the cloak of anonymity on their side.
Slowly the security industry has adapted, building new solutions which moved away from the old static, signature-based AV paradigm. First it developed heuristic detection – which spotted malware based on characteristics in its code – and then behavior-based techniques. There’s also been a shift to cloud-based threat prevention systems which stop or block threats before they hit the network.
The new generation of tools pioneered by the likes of FireEye is designed to stop those all-important zero-day threats often used in targeted attacks – that is, those which exploit as-yet-unseen flaws. Sandboxing executes an unknown file in a virtual environment in near real time to see whether it’s dangerous or not. Security vendors have also been developing tools which leverage big data analysis of customer data and threats in the wild to identify and correlate new malware. Such is the sheer volume of threats that these companies need vast data centers and computing power even to stay on a par with the cybercriminals.
Traditional infosec is broken
Yet after all that investment … software security vendors still admit that the best security stance for a CSO today is to accept that he or she has already been breached. If a hacker is determined enough, they will get into your organization. The best the industry can do is to provide systems which try to spot as soon as possible when this has happened, to minimize the risk of data loss.
So, I say today that security as we know it is broken. We need to find a new way, and that way requires us to look at hardware-based solutions.
If you don’t believe me, take a look at the list below and answer truthfully…
Did You Know?
- Your PC/mobile device can be compromised just by visiting a malicious webpage.
- Targeted attacks go undetected for months or even years. The recently discovered Equation Group had been operating under cover for at least 14 years.
- Around 4% of malicious messages are clicked on, irrespective of volume. Every organization can be phished/breached.
- Just opening a malicious PDF or Word attachment could lead to a covert, multi-year data breach.
- 5,435 new vulnerabilities were discovered in 3,870 products from 500 vendors in 2014. That’s an increase of 18% over 2013 and up 55% from five years ago.
- Apple products are not immune. Its latest iOS update patched a staggering 39 vulnerabilities.
- Nearly one million new pieces of mobile malware were discovered last year – a jump of almost 400%.
- 200,000 new malware strains were discovered every day in 2014.
- The pace of malware creation is increasing all the time: the volume of malware found last year accounts for one third of all malware ever written.
Cesare Garlati
Chief Security Strategist, prpl Foundation
Broken Lock image from Sébastien Launay (https://flic.kr/p/o6VqmV) licensed under CC-BY (https://creativecommons.org/licenses/by/2.0/)