Cybersecurity spending is something of a corporate paradox. Ultimately, the discipline of cybersecurity is about risk reduction. You purchase an endpoint protection platform and other security tools--network firewalls, data loss prevention, etc.--to reduce the risk of an attack compromising your systems.
Reducing risk in the supply chain operates on a similar theory. Spend more on broadening your supplier base, and you reduce the risk of a catastrophic failure in any one supplier interrupting your processes. Spend money on reducing the risk of an attack, and you’d expect to see a corresponding decrease in the number and severity of breaches.
Enterprises of all sizes, including those with lean security teams, are applying this theory: at least $123 billion was spent on cybersecurity last year. This record level of spending also ties into annual growth for cybersecurity budgets of 15 percent per year. At this rate, cybersecurity spending is growing to the point where, by 2025, enterprises will spend over $1 trillion annually.
There are a few answers to the question of why this spending has not produced a matching drop in breaches. The first is that organizations have spent their money primarily on detection and response solutions. These solutions detect techniques that we have learned about only after they have already been used in the wild. Adversaries then shift their techniques, consistently staying one step ahead. This stands in contrast to proactive hardening measures, which prevent whole classes of tactics rather than individual known techniques. With proactive hardening, there doesn’t have to be a “patient zero” to react to, and adversaries can’t simply study the additional defenses we’ve put in place and adapt to bypass them.
Following the COVID-19 pandemic, cybersecurity is only becoming a more pressing issue and one that organizations will continue to spend money on trying to solve. The way forward--especially for lean security teams--isn’t in spending more money on solutions that follow the existing paradigm, however. Rather, what’s needed is a new way forward--one that doesn’t focus on finding attackers who are already here, but instead preventing attackers from ever coming in at all.
While enterprises are not necessarily benefiting from extra spending on cybersecurity, solutions providers certainly are. Even as the overall return on investment from additional spending appears to decline, revenue for security solutions providers is projected to increase by 20 percent in 2021 alone. This contradictory situation results from an industry that too often relies on upselling businesses with the idea that more tools is always better. As a result, many enterprises have dozens of security solutions but little real security.
Amid a rising cyber threat level, solutions providers are quick to point to new generations of products that use "AI" or "machine learning" to defeat advanced threats. However, despite the growing number of such "innovative" tools in the cybersecurity space, the reality is that only 9 percent of attacks generate security alerts, with 53 percent of successful attacks going undetected. Further, current cybersecurity solutions only prevent 33 percent of attacks, with just over a quarter of attacks being detected after infiltration. As a result, the main output from increased expenditure is a growing abundance of false-positive threat alerts.
The better answer here is to take a hard look at the entire cybersecurity technology stack to determine if all those platforms are really driving value or adding protection. A layered, defense-in-depth approach is a good idea to dissuade opportunistic attackers, but dedicated threat actors can and will find ways around most defenses. Also, consider that often the best way forward is through taking the easiest steps.
In the MITRE ATT&CK Framework, for example, taking the “free” steps of ensuring software is patched in a timely manner, training your users, limiting admin privileges, and leveraging OS-native security controls can mitigate 10x more adversary techniques (60 out of 178) than deploying so-called “next-gen” antivirus software. NGAV tools that use machine learning algorithms and behavioral prevention only mitigate 6 of 178 techniques and don’t guarantee even those will be prevented. Kind of makes you wonder about current cybersecurity orthodoxy.
As shown by headline-grabbing cyberattacks on organizations like Garmin and the U.S. government via the SolarWinds supply chain attack, the ability of threat actors to launch devastating attacks has never been greater. Listings proliferate on the Dark Web for infostealers, ransomware, trojans, and exploit kits.
Thanks to the advent of ransomware as a service (RaaS), even unsophisticated threat actors can now pull off devastating attacks. In return for giving ransomware creators a cut of their profits, ordinary cybercriminals can access weapons-grade ransomware.
As a result, for organizations in every sector, ransomware attacks are now the number one cyber threat they face. Ransomware is delivered through social engineering attacks like phishing and is increasingly able to bypass security controls; the number of ransomware attacks increased by over 700 percent in 2020 alone.
The ease of purchasing malicious attacks means that low-skill, profit-driven cybercriminals are now often just as capable as state-funded threat actors. Furthermore, the proliferation of fileless malware that launches in memory, and is often invisible to most AV solutions, further increases the likelihood that cyberattacks will succeed — according to the Ponemon Institute, as many as 70 percent of breaches now use fileless attacks.
Even though the gap between cybersecurity investment and results continues to grow, enterprises can still mitigate cyber threats. As stated above, proper protection doesn't mean doubling down on expensive solutions or increasing spending. Instead, effective cybersecurity hygiene realized through security stalwarts such as multi-factor authentication for endpoints, regularly patching software, and endpoint hardening is now more critical than ever. Alongside security awareness training for employees, enterprises can use strong cyber hygiene to put effective obstacles between attacks and domain controllers.
As they seek to stall cyberattack chains, organizations need to focus on defeating the first two stages of a cyberattack within the MITRE ATT&CK Framework — initial access and execution. The first stage, initial access, can be halted through the kind of positive cyber hygiene mentioned above. However, combating the second stage, execution, requires organizations to deploy a security solution, such as moving target defense, which can neutralize an attack before it can cause damage.
Throwing money at cybersecurity tools will not necessarily make your organization safer. There are dozens of free steps to be taken first that reduce your attack surface and harden the organization against cyber threats, well before deploying any so-called “next-gen” protection designed to abstract malware or XDR that intends to detect known adversarial techniques. Moreover, as threat actors increasingly launch attacks to go after backups, remediation is becoming more difficult and costly.
This situation doesn't mean that enterprises can or should accept falling victim to cyberattacks as an inevitability. By combining proactive cybersecurity with a consolidated solution stack that leverages OS native controls with moving target defense, organizations can escape the cybersecurity paradox without increasing expenditure. Making cybersecurity work for your enterprise in 2021 should be a product of doing more with less and not the other way around.