The California Data Breach Report for 2016 identifies malware and hacking as the greatest threat both in the number of breaches and the number of records being breached. This is a growing problem compared to other types of breach, increasing by 13 percent in the past four years, from 45 percent of breaches in 2012 to 58 percent in 2015.
In response to this threat Gartner identifies that worldwide cybersecurity spend topped $75 million in 2015. According to researcher MarketsandMarkets that spending will soar to $101 billion in 2018, and hit $170 billion by 2020. The justification for this massive growth comes from the escalation in the cat and mouse game between the attacker and target which has created a complex, technically challenging environment.
This spending increase has created a significant industry for Detect and Response vendors which sell their products upwards of a million dollars for large enterprises. This is not counting the cost of implementing the complex solutions and building a staff to support such technologies. These numbers seem to apply equally to vendor solutions built in the cloud or on premise as detection is expensive and fraught with false positives which dramatically increases cost of response. Mandiant / FireEye has found the time, in average, to detect a breach in 2015 was 205 days with an average cost of remediation according to Ponemon at $640,000 over 31 days. Good work if you can get it at $20,000 a day!
So what is the choice security pros must make? In order to control spending there has to be a paradigm shift from Detection and Response to Prevention which will in turn help lower security spending.
The basic block and tackling of security must be in place with patching, visualization, asset identification, and network segmentation leading the charge. This helps decreases the attack surface for potential hackers but let’s be clear this only serves to create the lanes in which to breach the environment.
The attacker will use evasion techniques to penetrate known defenses artfully evading detection. Yes, you have been breached! This applies equally to APT, Remote Access Trojans, Spyware, Ransomware, Banking Trojans and others. The end result is to find a suitable host to unload the damaging payload and steal or encrypt the intended target. Blogs on this can be found at many of the well know incident response vendor’s websites as they break down the attacks found with the vulnerabilities used to breach. By the way, a couple tweaks to detected code and the malware can be reused again without detection.
While the market for detection of breach activity is not dead a new layer of true prevention technology is needed. The ability to deceive the malware during the attack thus never allowing the payload the install seems to be a growing trend. Gartner has specifically started to cover this capability in a research paper referred to as ”Endpoint EPP and EDR Response Providers could deceive the malware and attacker.” While Gartner is in early investigation of this technology Minerva Labs is making this capability a reality today for customers.
Utilizing preventative deception technology provides a measurable impact on the security of an organization because the evasive malware is stopped earlier in the chain thus active breach does never occurs. The Malware is now rendered inert with the exact location being pinpointed. In turn, this greatly reduces the cost of remediation with accurate and easy response achieved as it has come after the malware has been stopped prior to installation at on the host.
The great part about this approach is current security solutions become more effective and your environment is protected against the most aggressive and evasive attacks. The value proposition of moving to the next generation anti-ransomware tools can be fraught with error for only a marginal increase in detection. It is my premise that security teams need to figure out new ways to provide true prevention to reduce the cost of cybersecurity. If they can do this within the infrastructure they have already made investment, then this premise holds even more potential.
The choice is yours prevent then detect or keep detecting after the breach and pay to cost of response.