Cisco: Despite Findings, Security Picture Brightening
Spending on cybersecurity is expected to exceed $37 billion this year, although new data indicates that may be a case of too little, too late. The Cisco 2016 Annual Security Report found that only 45% of organizations are confident in their security posture, while 92% agree that regulators and investors will expect companies to manage cybersecurity risk exposure.
There is a huge disconnect between confidence and expectations, but the situation is not as bleak as it appears, Jason Brvenik, Principal Engineer, Cisco Security Business Group, tells IT Trends & Analysis.
The Cisco report is only the latest in a veritable flood of doom & gloom surveys and analyses, primarily from security vendors looking to sell customers their latest wares:
-55% of all attacks were carried out by either malicious insiders or inadvertent actors, and over 95% of breaches caused by insiders were the result of human error (IBM);
-83% of respondents face challenges with privileged account management (Dell);
-the average annualized cost of cybercrime has soared 82% over the last 6 years, to $15 million per US organization;
-the average time to resolve a cyber attack was 46 days (sorry Cisco), with an average cost to participating organizations of more than $1.9 million during this 46-day period, up 22% from last year (HP).
Two months ago security guru Jon Oltsik, Senior Principal Analyst, Enterprise Strategy Group, handicapped enterprise security vendors, putting Cisco just behind IBM in his list. What follows are his comments in full:
‘The networking giant also brings in around $2 billion in revenue. Since the Sourcefire acquisition in 2013, Cisco has made a series of excellent purchases in areas like managed security services (OpenDNS), security services (Neohapsis), malware analytics (ThreatGRID), and network security management (Lancope) giving the company as comprehensive a portfolio as anyone. Like IBM, however, Cisco security is a blip in its overall business, but the current (Chuck Robbins) and former (John Chambers) CEOs have pledged their commitment to the security business unit. While Cisco used to sell security on the back of big networking deals, times have changed. To increase security sales, Cisco security needs to match its product and services strength with its own independent enterprise-class sales and marketing. Finally, Cisco customers have long memories so the company must maintain its patience as it works with security customers who may still hold a grudge about the Catalyst security blades they purchased back in 2006.’
“In 2016, the security plaudits should go to software and service providers who can identify threats earlier and provide organisations with the quality of security intelligence they need to keep data safe,” stated Andrew Kellett, Principal Analyst, Software – IT solutions, and author of the Ovum report. “More realistically, it is likely to go to vendors who can spot security breaches soon after they occur and deal effectively with the aftermath of remediation.”
The evolution of cybercrime from hackers and current and former employees to organized crime is a positive development, said Brvenik. With this commercialization, it’s now almost as easy for the good guys as it is for the bad guys to go online and get the latest exploit kits. In addition, at the same time that respondents are reporting lower confidence, “we’re seeing a higher percentage of investment.”
Looking ahead, he believes better security is all about the entire ecosystem. A security technology alone will not solve your problem, said Brvenik, and to that end we strive to reduce the operational space of the bad guy, and apply these approaches to our entire security footprint.
“The defender has to be right 100% of the time and the attacker only has to be right once. That’s an unreasonable objective… You can’t be right 100% of the time.”
Other key findings in the Cisco survey include:
-aging infrastructure: between 2014 and 2015, the number of organizations that said their security infrastructure was up-to-date dropped by 10%; 92% of Internet devices are running known vulnerabilities; 31% of all devices analyzed are no longer supported or maintained by the vendor;
-SMBs as a potential weak link: these organizations use fewer threat defense tools and processes;
-outsourcing on the rise: as part of a trend to address the talent shortage, companies are realizing the value of outsourcing services to balance their security portfolios;
-shifting server activity: online criminals have shifted to compromised servers, such as those for WordPress, to support their attacks;
-browser-based data leakage: malicious browser extensions have been a potential source of major data leaks, affecting more than 85% of organizations;
-the DNS blind spot: nearly 92% of “known bad” malware was found to use DNS as a key capability;
-time to detection faster: the industry estimate for time to detection of a cybercrime is 100 to 200 days (Cisco has reduced this figure from 46 to 17.5 hours); and,
-trust matters: with organizations increasingly adopting digitization strategies for their operations, the combined volume of data, devices, sensors, and services is creating new needs for transparency, trustworthiness, and accountability for customers.