Speed: a new paradigm for cyber defense
Companies today are spending more than ever to protect their digital assets. Worldwide spending on cyber security has reached over 80 billion and is likely to double in the next 4 years. Yet security breaches are rising steadily, at a compounded growth rate of 60% over the last 5 years. This year we saw one of the largest data breaches in history, affecting over 500 million accounts; one of the largest attacks on banks, with over USD 100 million stolen; hundreds of corporate breaches; and thousands of ransomware attacks. Clearly, more security spending does not translate into better security.
Asymmetry in Cyber Security
It is a common adage that while the defender has to protect thousands of weaknesses, an attacker needs to find just one and exploit it. Cyber security is fundamentally an asymmetric problem, in which defense needs manifold resources compared to the attacker. To address this, the dominant paradigm of the last decade was layered security, where more and more security products were installed to build a defense-in-depth framework. While that paradigm still holds for prevention, it has diminishing returns beyond a point.
Over the last few years, the industry has accepted that it is not possible to prevent every incident with finite resources, and has instead increased its focus on detection and response capabilities. Hence the new paradigm: accept that breaches will happen, and invest in detecting and responding to them.
State of Detection and Response
Modern attacks are sophisticated and long-drawn-out. Advanced attackers enter a network through one vector and then navigate the network for months until they reach their objective. The industry average for detecting these breaches is around 200 days. And even once an attack is detected, the response takes weeks or months to contain, eradicate, and recover from it.
This delay in detection and response is the primary cause of the large losses from cyber breaches. The average loss per breach stands at USD 4 million. This cost can be reduced significantly if attacks are detected and responded to early.
Speed as the new Determinant of Success
Clearly, the focus should shift to faster detection and response. A breach of your IT security may not always mean financial or reputational losses, but if your IT security fails to detect and respond to a breach for a long time, you can be sure there will be consequences. What cyber defense needs today is a manifold increase in the speed of operations. With enough speed, the impact of any breach becomes insignificant. As part of this paradigm, the questions that management should ask are:
- How fast can we detect attacks? Is our detection as fast as the attacks?
- How fast can we investigate, contain, and eradicate attacks?
- Are our defenses as fast as the time attackers take to carry out their objective?
Critical Capabilities for Fast Cyber Operations
Cyber security of the future will focus on investing in capabilities that increase the speed of security operations. Primarily, it involves three aspects:
- Building situational awareness: For fast discovery of attacks, security operations need complete visibility into every asset, user activity, network traffic, system vulnerability, and the network topology at all times. Today, such visibility is limited to a few critical assets and users, which severely impedes the discovery of attacks. With the rapid progress of big data technologies and the reduced cost of storage, organizations can move towards a strategy of collecting and storing all security data for full situational awareness. Having that data available then accelerates both the discovery of abnormalities and the analysis of incidents.
- Applying machine learning: Modern attacks bypass traditional rule-based security systems. Such attacks then remain undiscovered for long periods, until further malicious activity triggers a rule. For fast and early discovery, machine learning and data science methods are very useful: they can surface abnormalities based on patterns, profiles, past incidents, and outliers. Machine learning is already being used in every field of IT and business, and it is time to introduce it into security operations as well.
- Automating the response function: Today, the process of triaging, investigating, and containing an incident is almost entirely manual. When an alert is triggered, the security operations center manually collects data from systems and manually analyzes the incident. The containment actions, whether system reconfiguration, access changes, or reimaging, are again highly manual. This significantly increases response time. Process automation, programmatic response, and automated orchestration of security activities are the ways to make response as fast as the attacks.
The way forward for cyber security is to upgrade security operations to run so fast that the impact of breaches becomes immaterial. Speed will be the new determinant of success for cyber security.
Rajat Mohanty is the Co-founder, Chairman of the Board of Directors, and Chief Executive Officer of Paladion Networks. He has been Paladion’s Chairman & CEO since the inception of the company in July 2000.