3 Reasons You Can’t Fully Trust Your Security Tools And What You Can Do About It
How well are organizations protecting themselves against cyber threats and what is the overall effectiveness of their security infrastructure? The recent Mandiant Security Effectiveness Report 2020 released by FireEye shows that companies are at much greater risk than they realize.
Organizations make significant investments in security infrastructure, hire and train cybersecurity teams, and put processes in place to protect critical assets. But research shows that without evidence of security performance, organizations are operating on assumptions that don’t match reality and leave them with significant risks.
Cyberattacks go unnoticed by security teams
The Mandiant report reveals that on average, 53% of attacks successfully infiltrate environments without being detected. Alerts were generated for only 9% of attacks, demonstrating that most organizations and their security teams do not have sufficient visibility into serious threats, even when they use central SIEM, SOAR, and analysis platforms.
The Mandiant report summarizes the results of thousands of tests performed by experts from the Mandiant Security Validation team. These tests consisted of real attacks, specific malicious behaviors, and actor-attributed techniques and tactics run in enterprise-level production environments representing 11 industries against 123 market-leading security technologies, including network, email, endpoint, and cloud solutions.
The report also takes a deep look into techniques and tactics used by attackers and outlines the primary challenges uncovered in enterprise environments through security validation and testing:
Reconnaissance: In testing network traffic, organizations reported only 4% of reconnaissance activity generated an alert.
Infiltrations & ransomware: 68% of the time, organizations reported their controls did not prevent or detect detonation within their environment.
Policy evasion: 65% of the time, security environments were not able to prevent or detect the approaches being tested.
Malicious file transfer: 48% of the time, controls in place were not able to prevent or detect the delivery and movement of malicious files.
Command & control: 97% of the behaviors executed did not result in a corresponding alert being generated in the SIEM.
Data exfiltration: Exfiltration techniques and tactics were successful 67% of the time during initial testing.
Lateral movement: 54% of the techniques and tactics used in testing lateral movement were missed.
The challenges and complexities of having unique environments, multiple teams, and constant change require security programs to continuously evolve. While being responsible for protecting organizational assets, security teams often do not have the corresponding operational authority or visibility into decisions or changes being made that impact the infrastructure. This disconnect results in “environmental drift,” which causes the organization’s risk posture to change unexpectedly. In the absence of continuous validation of controls, this can put the organization in a precarious position.
Continuous monitoring and assessment
Security teams need a way to continuously measure and monitor controls to capture quantitative evidence of security gaps as well as to validate the effectiveness of their security programs through ongoing assessment and optimization. This will enable companies to minimize cyber risks by protecting not only critical assets but also brand reputation and economic value.
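The "environmental drift" and "quantitative evidence of security gaps" points above can be made concrete with a small scorecard. The following is an added example, not code from the original article, from ISSP, or from the Mandiant report: it takes per-test outcomes of the kind a control-validation run produces (did the control prevent, detect, and alert on the technique?), turns them into per-category rates like the ones the report cites, and then compares two runs so that a control that used to catch a technique but no longer does is flagged. All category names, technique labels, and sample outcomes are constructed for the example.

```python
"""
Control-validation scorecard and drift check (added example, constructed data).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class TestResult:
    category: str    # tactic category the test exercises (constructed label)
    technique: str   # constructed label for the test case, not a real identifier
    prevented: bool  # control blocked the action outright
    detected: bool   # control logged/observed the action
    alerted: bool    # an alert for it actually reached the SIEM or an analyst

METRICS = ("prevented", "detected", "alerted", "missed")
# "missed" is bad when it rises; the other three are bad when they fall.
HIGHER_IS_WORSE = {"missed"}

def scorecard(results: List[TestResult]) -> Dict[str, Dict[str, float]]:
    """Per-category rates in [0, 1]; 'missed' = neither prevented nor detected."""
    counts: Dict[str, Dict[str, int]] = {}
    for r in results:
        c = counts.setdefault(r.category, {"n": 0, "prevented": 0, "detected": 0,
                                           "alerted": 0, "missed": 0})
        c["n"] += 1
        c["prevented"] += r.prevented
        c["detected"] += r.detected
        c["alerted"] += r.alerted
        c["missed"] += (not r.prevented) and (not r.detected)
    return {cat: {m: c[m] / c["n"] for m in METRICS} for cat, c in counts.items()}

def drift(baseline: Dict[str, Dict[str, float]],
          current: Dict[str, Dict[str, float]],
          threshold: float = 0.10) -> List[Tuple[str, str, float, float]]:
    """Return (category, metric, before, after) for each regression beyond threshold.
    A category present in the baseline but absent from the current run is reported
    as a 'coverage' regression: the control is no longer being validated at all."""
    regressions = []
    for cat, base in baseline.items():
        cur = current.get(cat)
        if cur is None:
            regressions.append((cat, "coverage", 1.0, 0.0))
            continue
        for m in METRICS:
            delta = cur[m] - base[m]
            worse = delta > threshold if m in HIGHER_IS_WORSE else delta < -threshold
            if worse:
                regressions.append((cat, m, base[m], cur[m]))
    return regressions

def _run(category: str, outcomes) -> List[TestResult]:
    """Build TestResult rows from (prevented, detected, alerted) triples (constructed)."""
    return [TestResult(category, f"{category}-{i}", *o) for i, o in enumerate(outcomes, 1)]

# Constructed sample data: a baseline validation run and a later run after
# infrastructure changes nobody told the security team about.
BASELINE = (
    _run("lateral_movement", [(True, True, True), (False, True, True),
                              (False, True, False), (False, False, False)])
    + _run("command_and_control", [(False, True, False), (False, False, False),
                                   (False, True, False), (False, False, False)])
)
CURRENT = (
    _run("lateral_movement", [(True, True, True), (False, False, False),
                              (False, False, False), (False, False, False)])
    + _run("command_and_control", [(True, True, True), (False, True, False),
                                   (False, True, True), (False, False, False)])
)

if __name__ == "__main__":
    before, after = scorecard(BASELINE), scorecard(CURRENT)
    for cat in before:
        print(cat, {m: f"{after[cat][m]:.0%}" for m in METRICS})
    for cat, metric, b, a in drift(before, after):
        print(f"REGRESSION {cat}/{metric}: {b:.0%} -> {a:.0%}")
```

Run on the constructed data, command-and-control coverage improves while lateral-movement detection and alerting both fall, so only the lateral-movement metrics are reported; a per-run scorecard kept over time is the quantitative evidence the section asks for, and the drift list is what turns an unannounced change into a ticket rather than a surprise during an incident.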
Services such as compromise assessments allow organizations to conduct full asset and application discovery, detect cyber threats and indicators of compromise, diagnose flaws in IT and cybersecurity operations, and find technical evidence of compliance measures in place and deviations to be corrected. This sort of cybersecurity health checkup reveals which controls work, which don’t, and which are missing.
Security operations center (SOC) services help companies and organizations continuously monitor their IT infrastructure to discover hidden behavioral anomalies, detect threats early, and respond to incidents. However, SOC services need to be customized. Just as you can’t run security technologies with default configurations and must tune them after deployment, taking into account the specifics of your operations and your IT environment, you also can’t effectively use SOC services such as incident detection, vulnerability management, and threat hunting without customizing them.
ISSP experts strongly recommend first analyzing your business and cybersecurity posture, then using the results of this assessment as the basis for configuring managed security services and making them more effective.
Cybersecurity for the big and the small
A belief still common among small businesses is that cyber threats are relevant only to large enterprises and organizations that have much to lose. But adversaries know that small companies and startups often lack the resources needed to take care of cybersecurity, and they choose them as easy targets. These attacks can have devastating effects, including the closure of businesses. Small companies and startups are also used as intermediary targets in supply chain cyberattacks. Taking cybersecurity seriously is something organizations must do no matter their industry or size.