How InfoSec Managers Can Catch Up to Cyber Criminals

By Amit Tewary

August 9, 2018

InfoSec managers have a hard job, to say the least. They are put in charge of defending an organization that may receive hundreds, if not thousands, of attacks every day. They have hundreds of thousands of critical assets to manage. And, worst of all, they face the fundamental asymmetry of cyber security.

The asymmetry works like this. Just one successful attack can create a significant negative impact on an organization. Because of this, InfoSec managers have to successfully defend against every attack they receive in order to protect their organization... but cyber criminals only need to succeed with a single attack to achieve their objectives.

As time goes on, and both the cost of a breach and the volume of attacks deployed increase, this asymmetry will only increase. Yet it is not the only gap that exists, and is growing, between cyber criminals and the InfoSec managers working round-the-clock to defend against them.

In this blog, we will explore a few of the critical asymmetries between InfoSec managers and their attackers.

Attackers Have Evolved, Defenders Have Not

Most InfoSec managers work within a traditional SOC that has been designed to maintain compliance and to detect known attacks via rules-based methods. The capabilities of these traditional SOCs tend to still revolve around conventional security services such as SIEMs, anti-virus software, firewalls, and intrusion detection systems.

These activities are still important. But while many internal security operations appear stuck with last generation activities, cyber criminals have evolved. They continue to deploy the known attack methods blocked by traditional security services. But they also create new, unknown attacks every day. A host of new malicious actors now threaten organizations. And even conventional attacks—such as email phishing—are being deployed with enhanced sophistication as part of advanced, long-term targeted attacks.

Attackers Act Fast, Defenders Act Slow

Traditional SOCs are known to be slow to detect, and slow to respond to, successful attacks. This is not entirely their fault. Traditional SOCs were designed to prevent threats, in a cyber security era when breaches were less common. But today, breaches are now inevitable. And most traditional security teams and operations have not learned how to evict attackers before they cause harm.

In their most recent study on the impact of cyber attacks on organizations, the Ponemon Institute found the average U.S. organization takes 206 days to detect a data breach. The report suggests that organizations should aim to detect a successful attack within 100 days of being breached, in order to reduce the damages incurred by millions of dollars.

And yet, even detecting a breach in 100 days is laughable when you consider how little time an attacker needs to cause significant damage. Recently, we were contacted by a major global manufacturing organization. They had been breached that morning, and within a couple of hours, the attackers had already spread to nearly 500 of their critical systems, and forced the organization to suspend production activities.

We were able to evict the attacker within a few hours and return the organization to business quickly, but this case highlights the massive difference in speed between attackers and defenders. Defenders are trying their hardest to detect breaches in about three to four months, while attackers only need three to four hours to achieve their objective.

Cyber Attacks are Cheap, Cyber Security is Expensive

A single bad actor deploying either a free exploit or low-cost off-the-shelf software can cripple an entire Fortune 500 company. (This will only increase as more attackers utilize low-cost AI services.) By contrast, that Fortune 500 company will have to deploy over 100 high-priced security experts, and spend millions building up its own internal security posture, in order to attempt to defend itself.

It is perhaps here, in the area of cost, that the asymmetry between cyber criminals and the InfoSec managers employed to combat them is most visible. Cyber criminals require little to no resources to reach their objectives. InfoSec managers have traditionally faced massive resource requirements, and limited budgets, to defend themselves.

This asymmetry of cost—as well as the asymmetries of speed, evolution, and success ratios—is brutal for InfoSec managers. But they are not insurmountable. To help InfoSec managers devise a way to close the gaps between their performance and their attackers’, we’ve put together a new whitepaper: The InfoSec Manager’s Guide to AI-Driven Managed Detection and Response. Download it today and devise the best way to fill the gaps in your security posture, and to keep your organization’s defenses one step ahead of your attackers.

Tags: AI-Driven MDR, Gartner Security & Risk Management Summit, Managed Detection and Response
