By Simon Crosby, Co-founder & CTO, Bromium
In the blink of an eye, 2015 is almost over. When looking back at it and what it meant for the cybersecurity industry, this year has been predictably busy. We saw large acquisitions, including those of EMC by Dell and Websense by Raytheon, while companies such as Rapid7 and Sophos went public. Large funding rounds were a near weekly occurrence, and as a result the sector raised more than $2.3 billion within the first nine months.
Cybersecurity spending increased sharply and by the end of the year should finish at around US$80 billion, according to Gartner’s estimates. While the U.S. House and Senate continued to debate cybersecurity legislation, US government agencies amassed a whopping security budget of $12.5 billion, collectively.
There were unforgettable breaches — like TalkTalk, Hilton, and Carphone Warehouse, although the sexiest headlines went to the Ashley Madison breach. There also were countless daily reports of breaches due to “sophisticated attacks” and resulting losses from companies whose infrastructure — despite all the spending — remained woefully vulnerable. Even United States President Barack Obama stepped into the fray, cementing an agreement with China in the hope of limiting the scope of nation-state hacking. Good luck with that!
Looking back, it’s painfully clear that while we may not have known then the names and faces of the victims, or the numbers behind the M&A, funding, budget and breach news, most of this was predictable in 2014. So will next year be any different, or are we doomed to repeat the past, yet again?
Unfortunately in most respects, 2016 won’t change much: users will still unknowingly click on malicious links; IT departments will still be bad at staying up to date with patching; the bad guys will continue to attack; and the tide of misery from breaches will persist. What matters most is whether your organisation will be a victim or not. Of course you could do nothing, and be lucky. But the only way to control your fate is to lead your organisation to the high ground based on a well-considered, security-first strategy.
It is important to remember that, despite their claims, most security vendors cannot help you. Within the market we see too many “me too” vendors, who’s main focus in on the staple of detection. Within the endpoint security sector alone, over 40 vendors are bringing to market a feature set that Gartner terms “EDR,” or endpoint detection and response. The sole goal of this is to help find a breach in progress — provided you know what to look for in the first place. Despite vendor claims, detection can’t protect you, and it isn’t advancing much, even when disguised as artificial intelligence (AI). In a world of adaptive, intelligent attackers, even the best AI technologies have a tendency to make masses of mistakes. In fact, Ponemon estimates that a typical large enterprise spends up to 395 hours per week processing false alerts — approximately $1.27 million per year.
Of course, security (still) won’t be solved inside the Beltway. Year after year, public sector companies hang their hats on the hope that cybersecurity legislation will somehow do the trick. This year was no different. You may recall recall that CISA and the Wassenaar Agreement both sparked industry-wide debates around data security, civil liberties, privacy and exploit controls. There is no doubt that security is a serious issue and a hard problem to solve, but it’s one that is not going to be solved by governments. . Much like healthcare, security is a systematic problem that requires more than a band-aid or firewall to fix. Security legislation will require government collaboration that it is simply unrealistic to expect at this current time. .
It is also important to remember that the same vendors that promise to secure you still won’t be held accountable for breaches. PwC predicts that the cyber insurance market will triple in the next five years. While insurance will do little for the peace of mind or job stability for CISOs whose companies experience a breach, it will hopefully force organisations to take a long, hard look at the cost of their continued insecurity. It’s time for you to force your vendors to be accountable instead. If a vendor claims to secure your network, force them to accept liability if your organisation is breached. Pay your endpoint security vendors based on the value they deliver. Free is a good option when regulations demand the functionality, but the vendors fail to protect you. Force your vendors to put their money behind their marketing messages. Greater accountability means greater drive for cybersecurity technologies that do what they claim to do and actually help to mitigate threats.
My recommendation: Instead of relying on post-hoc analysis in the hope of spotting a breach, your focus in 2016 should be on adopting solutions that make your infrastructure more secure by design, to prevent a breach before it starts. Move to the cloud. Adopt micro-segmentation and micro-virtualisation. And upgrade to the latest operating systems.
I don’t think we’ll see an end to data breaches in the near future, but if organisations stop relying on faith in marketing claims and government and being complacent and start questioning the status quo and demanding answers and accountability from vendors, we’ll be able to see many of the breach news headlines disappear.