Make 2019 the year you focus on the ROI of your cyber security initiatives.
By now you’ve heard all the 2019 predictions from cybersecurity vendors and practitioners. As every year, many are insightful and thought-provoking, some meant to invoke self-serving fear and doubt about the next big threat, others just repeats from the year prior.
However, what very few mention, because it’s hard to quantify and doesn’t make for good headlines or clickbait, is the escalating trend of technology confusion and overload. This didn’t happen overnight. More investment has poured into the cybersecurity market than any other B2B software market.
In 2017, $4.9 billion was invested in cyber security start-ups. And while there are some truly innovative technologies solving real problems, far too many providers just do more of the same thing in different packaging, or simply throw food at a wall to see if it will stick.
So how can organizations make sure that the solutions they choose provide the best defense possible?
This year it’s time to change your model. Period. More money and more investments don’t necessarily translate into better protection. Every security tool should be measured and evaluated; don't keep using the same group of vendors for products and services out of inertia.
And you know what else? You know what you almost never hear? “Perhaps Mr. Customer, you should pay less and get more?” Never. But who could really argue with Geico?
You need to consider threat trends that do not impact your organization – yet. The most damaging threats don't give you time to react. Attackers who are targeting organizations know the defenses they deploy, and they know how to evade those defenses. In fact, FireEye reports the average dwell time for an attack is 101 days. In that time between breach and discovery, attacks download additional stages, including malware, create botnets, and move laterally from endpoint to endpoint or from endpoints to servers and operational technology. Some, like the recent Starwood Hotels breach, took more than four years to discover.
The way I would frame 2019 in terms of the approach organizations should take is this: What you don't know WILL hurt you. Badly. Why? The answer is simple. Signature-based detection in cybersecurity, is still the default method to detect, counter and hopefully eliminate threat – known threats at least. Your bigger issue is if you are targeted as part of a deliberate threat campaign, signature-based threats aren’t your biggest problem – fileless attacks are.
The status quo approach isn't working, functionally or economically. As a security operator, you have technologies that you and your team members favor. You probably have legacy relationships with some of the larger security providers, EPP players and those who deliver key managed services. But organizations cannot keep on adding security tool after security tool until their IT systems and security teams no longer function effectively. It’s not sustainable.
A better, more progressive strategy consolidates technologies, where each component measurably reduces residual risk and not necessarily by just paying more. Such a carefully considered strategy ensures that IT, business and security needs are all aligned.
You need to know how your tools impact your cybersecurity effectiveness. The research and analysis firm Forrester lays out sound guidelines for building out a rationale to weigh your security efficiency. It applies some simple yet telling components to assess your security model performance and points out how current accepted measurements do not accurately capture value and can lead to less than optimal results.
Examples of Ineffective Security Measures:
Justify Security Spending:
To accurately justify security spending, organizations must analyze and assess the current state of their security infrastructure, determine what is working and choose what is needed to improve security value. Each component of the security model has its own weight and effect on overall value. Avoid the sunk cost fallacy and end projects that do not contribute sufficiently to your security posture.
Cybersecurity is about risk management and loss prevention. As such, there are certain basics. Looking at the endpoint, antivirus in some form is a must for every business. If you are an all Windows organization, this might simply be the Windows Defender antivirus built into Windows 10 (it’s come a long way in recent years).
Or there are numerous good third-party antivirus choices. Many midsize and larger enterprises will also choose to use EDR tools. No matter which security solutions make up your security model, Morphisec can improve the ROI for those investments. Detection-based security solutions such as antivirus and EDR do not protect against unknown, evasive attacks as they require prior knowledge in order to detect or predict malicious activity. Morphisec reduces the TCO of a detection-based security stack by up to 60% by reducing dwell time of advanced attacks to zero.
Why? By applying Moving Target Defense as a critical layer of defense, which is specifically architected as your most powerful and efficient preventative control – you are preventing a substantially higher volume of the most relevant, damaging threats that antivirus cannot.
Second, the more threats you prevent, the lighter the burden on threat investigations, which equals more man-hours back on the table to spend investigation cycles on fewer threats. Your forensic investigators will thank you because they will know they can better focus on sorting through the white noise produced by EDR and AV agents to prioritize their work.
Make 2019 the year where you change how you structure your security model. The incremental contribution to risk reduction provided by each additional security component has an exponentially diminishing return. It’s time to stop adding more layers and start prioritizing the ‘right’ layers. By critically evaluating each element of your security stack, adding innovative technologies like Moving Target Defense that make your security tools work more efficiently, and discarding components with a poor cost-risk reduction ratio, you can build a much leaner, more effective security model.