Almost every organization recognizes the importance of Digital Transformation (DX) to boost industry competitiveness, expand revenue, improve customer experience, increase business agility, and/or enhance operational efficiency. However, DX initiatives frequently outpace the ability of the IT organization to provide effective security. Increased use of cloud computing, IoT, and CI/CD software development processes are just a few examples of DX activities that have the potential to significantly escalate cyber risk. 68% of Boards of Directors acknowledge their company can no longer count on extending its historical strategy over the next five years. Future growth will depend on the adoption of a different business model and an entirely new set of assumptions about what success will look like.*
Cyber security remains a top three area where corporate Boards of Directors are looking to improve the effectiveness of their oversight, just slightly trailing two other foundational oversight categories: strategy execution and strategy development.* As it stands, only 64% of directors say the Board's understanding of cyber risk is strong enough to provide effective oversight.* *The 2019–2020 NACD Public Company Governance Survey.
Only 24% of companies describe their risk management processes as "mature" or "robust." Larger organizations, public companies, and financial services companies are at the higher end of the maturity spectrum, but only 35-40% of these groups characterize their risk management process as "mature" or "robust." * Source: American Institute of Certified Public Accountants (AICPA) 2020 State of Risk Oversight.
Regulations are constantly evolving, as evidenced by the recent arrival of onerous new data privacy regulations such as GDPR in 2018 and the California Consumer Privacy Act (CCPA) in early 2020. It is overwhelming for most organizations to keep pace with this constant change. Due to the risk of large financial penalties and adverse business impacts, compliance mandates are often listed among the top factors that drive cyber security programs. In a 2019 study about Security Priorities from IDG, the top two factors that help determine the priority of an organization's security spending were listed as:
#1 -- Implementing security best practices mentioned by 73% of respondents
#2 -- Compliance mandates at 66%
Onerous new data privacy regulations are taking shape across the globe, building on momentum created by the enactment of the General Data Protection Regulation (GDPR) in the EU in 2018. The first sweeping data privacy law in the US, the California Consumer Privacy Act (CCPA), took effect on January 1, 2020. These laws are only the beginning of a global trend which will dramatically increase the requirements for cyber security programs in the future.
The digital ambitions of most organizations dramatically expand their cyber attack surface by pushing IT infrastructure into the cloud, connecting IoT, and accelerating software development cycles. Security leaders must become more aware of business objectives and strive to demonstrate how cyber programs enable business success.
Asset Management is critical to an effective cybersecurity strategy. You cannot properly secure what you do not know exists. In addition, by continuously tracking and optimizing the IT asset footprint, other functions such as patch management become far more streamlined.
To compete more effectively in the digital economy, companies are pushing more change into IT production environments at a faster pace, which strains change management practices.
Formalized change management programs can slow progress, but must be ingrained in the evolving corporate culture. Good processes are built with verification and validation steps to catch exceptions and mistakes.
Effective patch management is a critical component to any security program. While there are varying valid reasons for why it may not be feasible – or a high priority – to implement some patches, it is hard to accept that many high-impact breaches stem from vulnerabilities for which patches do exist.
Configuration management proactively and continuously monitors and hardens the security configurations of an organization’s operating systems, applications and network devices. A formalized configuration management program is important to demonstrate compliance with various regulations including PCI DSS and HIPAA.
Many breaches are the result of deficiencies in IAM programs. By 2023, 75% of security failures will result from inadequate management of identities, access, and privileges, up from 50% in 2020.*
*Gartner Managing Privileged Access in Cloud Infrastructure, Published 9 June 2020
Network security is likely one of the largest line items in the security technology budget. In an era of digital transformation, the old paradigm of the protected network perimeter has become less relevant. Network security concepts are being forced to morph with the advent of virtual/cloud IT environments and distributed IoT devices.
Due to the growing sophistication of attacks, endpoint security has been forced to evolve beyond signature-based blocking. Therefore, next-gen antivirus incorporates new prevention techniques, such as machine learning, that do not rely on signatures. Endpoint detection and response (EDR) capabilities have also proven to be increasingly vital to help security analysts investigate and remediate issues that are discovered.
Vulnerability management should be more than running a vulnerability scanner every once in a while and remediating the resulting findings. An effective vulnerability management program includes continuous scanning, prioritized remediation, completion tracking, root-cause analysis and detailed reporting.
Email should be a focal point for security executives for several reasons. First, it continues to be one of the most effective attack vectors to deliver phishing lures and malware. Second, misdelivery (which includes email ending up with the wrong recipients) has grown to become the #3 contributor to breaches. Finally, email platforms themselves have become an increasingly attractive target for bad actors and were involved in roughly 20% of breaches in 2019. All of these factors are well covered by the 2020 Verizon Data Breach Investigations Report.
Secure web gateways represent a fairly mature market, but they provide value for advanced URL filtering and threat defense. Traditional web security capability is becoming increasingly sourced from cloud-based offerings rather than on-prem appliances.
Taking that trend a step further, many technology vendors are increasingly consolidating web security, CASB, DLP, lighter-weight firewall, and other security components and delivering that as an integrated cloud service.
Effective threat management is about understanding your attack surface and gaps and what assets are most appealing to threat actors. Being ready and able to respond is best accomplished by continually assessing your security controls and processes, as well as testing and training people. Proactive threat hunting is also critically important. New security technologies and policies must be integrated and strategic, not just deployed tactically. Optiv can provide significant guidance in the development and maturation of your threat management program.
Web applications were involved in 43% of breaches in 2019, more than double the prior year's share, and were by far the top asset targeted by cyber attackers.*
Roughly 80% of the time, these assets are infiltrated with stolen credentials or brute force tactics. For the other 20% of the time, web apps fall victim to vulnerability exploits.*
As it stands, roughly 83% of all applications contain at least one vulnerability when they are first scanned, and more than 20% contain at least one high severity flaw.**
*Verizon 2020 Data Breach Investigations Report.
**Veracode 2019 State of Software Security report.
Among the multitude of security assessments Optiv conducts for clients annually, Data Protection stands out as one of the lowest maturity disciplines in most organizations. Penalties for poor data protection practices are set to escalate due to new regulations such as GDPR. Optiv expects continued strong corporate investment in data security infrastructure including data access governance, encryption, and DLP.
Forming a Security Operations Center (SOC) is an important step toward advancing the effectiveness of an organization's security operations.
Roughly 60% of organizations currently have a SOC and another 15-20% plan to develop a SOC in the future. In addition, around 60% of organizations with a SOC access additional capability by outsourcing at least some functions to an MSSP or MDR provider. Less than 50% of in-house SOCs currently achieve 24x7 monitoring and management.*
SOCs face many challenges today due to growing attack surfaces, increasingly sophisticated cyber threats, an overwhelming flow of alerts to manage from security tools, and the daunting task of attracting and retaining talent.
Against these odds, it is not surprising that only 50% of organizations rank their SOC effectiveness at a 7 or higher on a scale of 1 to 10.*
*Ponemon SOC Performance Report June 2020
There are only two ways to know if an organization’s people, processes, and technologies are truly effective against an attacker: either get attacked by a good guy or get attacked by a bad guy. Utilizing offensive penetration testing teams (the good guys) to bring the enemy’s perspective to the forefront of an organization’s strategy is a key component to driving the most impactful remediations and improvements.
Security information and event management (SIEM) is a foundational tool that provides better visibility into threats, accelerates detection and response, and boosts the efficiency of security operations.
29% of SIEM users say it helped them reduce breaches significantly and another 45% said it helped them reduce breaches somewhat.*
*Cybersecurity Insiders SIEM Survey 2020.
For many organizations, a serious security incident is a matter of "when" and not "if." This reality makes developing and practicing a response plan a critical objective for any CISO. Unfortunately, only 26% of companies have a cybersecurity incident response plan that is applied consistently across the enterprise, and 23% of companies have no plan at all.*
* Ponemon Cyber Resilient Enterprise (June 2020).
Cyber threat intelligence (CTI) is critical to gain perspective on adversarial tactics, techniques, and procedures. CTI helps security teams be more proactive in threat prevention, and more effective in threat detection and response. CTI is also a key input for proactive threat hunting.
DevSecOps is a software development best practice that embraces the inherent agility benefits of DevOps, but recognizes that security testing and validation need to be infused early in the process. By 2022, 90% of software development projects will claim to be following DevSecOps practices, up from 40% in 2019.*
*Gartner Integrating Security Into the DevSecOps Toolchain, 15 November 2019
To more rapidly access required capabilities or enhance business agility, organizations are increasingly relying on partnerships with third-party entities. These third-party relationships often involve IT connectivity and potentially the sharing of sensitive information. Today, 60% of organizations are working with more than 1,000 third parties.* Unless properly managed, this partner ecosystem can represent a significant cyber security risk, as attackers look to exploit the weakest links in order to gain access to their primary target.
*Gartner blog from August 2019: An iterative approach better equips legal and compliance leaders to combat third-party risks in a rapidly changing business environment.
Utilizing public cloud services has become foundational to empower the agility and innovation of the digital enterprise. Unfortunately, input from the security team is often an after-thought as companies rush to the cloud. Furthermore, the need for software security to be more deeply infused in the development cycle is only escalated by the ephemeral nature of various cloud native services.
Due to a realization that preventative security controls are not foolproof, security budgets are shifting to also emphasize detection and response.
Popular tools to enable this effort incorporate data capture at the endpoint (Endpoint Detection and Response or EDR) and in the network.
"By 2025, 70% of organizations with more than 5,000 seats will have endpoint detection and response (EDR) capabilities, up from 20% today."*
* Gartner Market Guide for Endpoint Detection and Response Solutions, Peter Firstbrook, 26 November 2018.
Security organizations are struggling due to a shortage of talent, an abundance of tools to manage and alert overload. SOAR (Security Orchestration, Automation, and Response) platforms provide relief by aggregating security intelligence and context from disparate systems and applying machine intelligence to streamline (or even automate) the incident detection and response process.
Threat Hunting is a proactive, ongoing effort to identify and eradicate adversaries that have already pierced security controls and are dwelling in an organization's network. Effective threat hunting leverages threat intelligence, telemetry from security tools, and relies extensively on the ingenuity of the threat analyst.
While many security organizations likely conduct some form of threat hunting today, these efforts are often reactive and only done on an ad-hoc basis.
43% of organizations do threat hunting on an ad-hoc basis compared to only 29% who assign dedicated hunting staff. (1)
Unfortunately, only 35% of organizations are using more proactive hunting campaigns driven by "hypotheses" about threats developed by internal analysts. (1)
(1) SANS 2019 Threat Hunting Survey
For Optiv, the concept of Fusion Center describes a necessary evolution and improvement beyond current gen SOC capabilities which center around device management and monitoring. For organizations looking to advance their SOC effectiveness, Optiv can assist by serving as your outsourcing partner and delivering fully customized capabilities across many key functions including, but not limited to, items in the list below.
As organizations’ use of big data continues to grow, extracting value from it while also keeping it secure has become a greater challenge. Optiv helps clients architect and secure big data infrastructures by simplifying architectures to normalize and effectively analyze data to drive business benefit. These solutions can be used for cyber defense to fully harness the power of installed security technology that is often siloed in nature and creates an overwhelming amount of threat telemetry that is difficult to capture and analyze.
Optiv big data solutions can also be deployed in support of general business use cases to enhance insights and decision making around initiatives such as revenue optimization, customer engagement, and cost reduction.
Machine learning (ML) analyzes and synthesizes an avalanche of information that humans alone could not match. It is the practice of using algorithms to parse data, learn from it, and then make a determination or prediction about something in the world.
Ultimately, ML could represent another attack vector for cyber adversaries as they look to hack into and corrupt ML processing models to degrade their capabilities for cyber defense.
The proliferation of Internet of Things (IoT) promises to greatly enhance user experience for consumer-focused implementations and boost operational efficiencies and effectiveness within enterprise applications. However, the resulting increase in the number of smart endpoints connected to corporate networks also creates significantly more entry points for cyber adversaries.
Gartner projects there will be more than 5.8 billion IoT devices used in enterprise and automotive (non-consumer) applications by the end of 2020, and that number will more than double by 2025.*
*Optiv analysis of Gartner IoT Forecast statistics as of September 2019, and a Gartner press release from 29 August 2019 "Gartner says 5.8 Billion Enterprise and Automotive IoT Endpoints Will Be In Use in 2020."
Blockchain is a method to record transactions that provides high security by design: transactions are verified with advanced cryptography and spread across many computers in a peer-to-peer network (distributed ledger). Blockchain implementations are still nascent, and this immaturity makes it challenging to predict the ultimate impact the technology will have.
In coming years, the technology will likely influence cybersecurity applications related to data and identity integrity and transaction protection. Blockchain has captured the imagination of the market, but production deployments at scale have been limited so far.
Artificial intelligence (AI) involves machines that can perform tasks that are characteristic of human intelligence. AI is still in its infancy but represents an advancement beyond machine learning. Security practitioners have significant optimism about the potential positive impact of AI for cyber defense. However, cyber adversaries will also harness the power of AI to launch increasingly sophisticated and dynamically adapting attacks.
Internal actors play a role in 25-35% of breaches according to Verizon DBIR analysis over the past several years.
40% of insider incidents are driven by malicious intent, with the rest resulting from negligence.*
A small minority of breaches are related to Hacktivist activity, where the motivation is related to neither financial gain nor espionage. According to the Verizon DBIR report from 2017, 73% of breaches were financially motivated and 21% were related to espionage. This would leave up to 6% of breaches split between Hacktivism, Grudge, or Fun. Hacktivist breach attribution has generally trended down over the past couple of years compared to the level observed in the 2017 report.
Nation State actors play a role in 10-20% of breaches according to Verizon DBIR analysis over the past several years. Not surprisingly, a common target for this group is the information infrastructure of foreign government entities with cyber espionage often as a prime objective. In fact, Nation State and State-Affiliated actors accounted for close to 80% of all government breaches involving external actors in the 2019 Verizon DBIR report. In the 2020 Verizon DBIR report, Nation State targeting of foreign governments appears to have eased somewhat, but instead spread to the Manufacturing vertical where it accounted for roughly 40% of breaches.
Because of direct (or clandestine) government funding and support, this group of cyber combatants typically possesses the most sophisticated capabilities.
Hackers and criminal groups play a role in 50-60% of breaches according to the Verizon DBIR analysis over the past several years.
By protecting critical systems from downtime and safeguarding customer privacy, security leaders are quickly becoming critical partners for digital transformation success. That said, CISOs have their work cut out for them in terms of continuing to educate business executives and the board of directors about the challenges and accomplishments of their role. Only 64% of directors say the Board's understanding of cyber risk is strong enough to provide effective oversight.*
*NACD Public Company Governance Survey 2019-2020.
Lack of budget continues to rank among the top inhibitors to building an effective security program.
IT budgets commonly account for around 3-6% of an organization's total revenue. Cyber security generally consumes 5-15% of the IT budget.
According to one recent survey, only 35% of organizations measure the effectiveness of their security program against the cost of investment.* Clearly that ratio will need to rise dramatically in the future as security executives fight for the funding necessary to address their expanding digital attack surface.
*SANS 2020 IT Cybersecurity Spending Survey
Lack of skilled personnel is consistently mentioned by organizations as one of the top inhibitors to building effective cybersecurity programs. Organizations can create substantial competitive advantage based on their ability to attract, train, and retain cyber talent. Another alternative is to leverage outside experts through consulting or outsourcing partnerships.
Organizations generally spend around 30-35% of their security budgets on people and see investment in this area as being far more effective in reducing the risk of a breach compared to either technology or process.*
*Optiv / ESI ThoughtLab Security Imperative Survey 2020
Organizations generally spend around 30-40% of their security budgets on technology.* Optiv routinely sees client environments that utilize 50 or more discrete security technologies.
There is certainly no shortage of well funded cyber security technology companies out there all positioning their vision as the best solution in the market. This presents a major challenge for security practitioners and one where a trusted partner like Optiv is ideally positioned to help provide perspective and guidance.
*Optiv / ESI ThoughtLab Security Imperative Survey 2020
Due to an overwhelming number of disparate tools in their environment, many organizations are hitting the tipping point where tech sprawl has actually become counter-productive. Security teams are spending so much time simply managing the tech stack and drowning in all the associated alerts that it detracts from security effectiveness. Furthermore, it is not easy to validate which tools in the environment are actually performing as expected and providing value. The ideal architecture would consist of the minimum number of tools that could be tightly integrated to provide the maximum security effectiveness. Investments in underutilized or underperforming tools could then be recycled into higher ROI propositions.
Close to 70% of organizations do not evaluate the effectiveness of their security spending.*
*SANS 2020 IT Cybersecurity Spending Survey.
Traditional security perimeters are dissolving as organizations accelerate digital transformation initiatives and extend their IT estates outside of the corporate data center and into the public cloud and IoT. Zero Trust (ZT) is not a new technology, but rather a pragmatic framework for how to integrate multiple security controls. ZT relies heavily on IAM and emphasizes two important principles:
Never trust, always verify. Continuously authenticate and authorize identities at multiple points across the IT estate. Just because an identity has been admitted at one point of entry does not mean it can be “trusted” to access all other resources on the network.
Enforce least privilege. Ensure identities can access only those resources which are required to complete their job function and nothing more.
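As an added example of these two principles in working code (not part of the original page and not Optiv's own tooling), the following policy check re-verifies a session on every request rather than only at the point of entry, and grants an action only when a role explicitly maps to that exact resource. The roles, resources, session fields and the 15-minute re-authentication window are assumptions constructed for illustration.

```python
"""
Added example (not from the original page): a minimal per-request
authorization decision in the Zero Trust style. Every request is evaluated
on its own: the session is re-verified (age, MFA, device posture) and access
is granted only if one of the identity's roles maps to that exact resource
and action. Roles, resources and session fields are constructed samples.
"""
from dataclasses import dataclass

# Least-privilege map: role -> {resource: {allowed actions}}. Constructed sample policy.
POLICY = {
    "payroll-clerk": {"payroll-db": {"read"}, "hr-portal": {"read"}},
    "dba": {"payroll-db": {"read", "write", "admin"}},
}


@dataclass
class Session:
    subject: str
    roles: set
    mfa_verified: bool
    device_compliant: bool
    issued_at: int       # epoch seconds when the session was established
    max_age: int = 900   # assumed policy: re-authenticate after 15 minutes


@dataclass
class Decision:
    allowed: bool
    reason: str


def verify_identity(session, now):
    """'Never trust, always verify': the session is re-checked on every
    request, not only at the point of entry. Returns a reason string when
    verification fails, or None when the session is still acceptable."""
    if now - session.issued_at > session.max_age:
        return "session expired; re-authentication required"
    if not session.mfa_verified:
        return "MFA not verified"
    if not session.device_compliant:
        return "device posture non-compliant"
    return None


def authorize(session, resource, action, now):
    """Policy decision for one request against one resource.
    Verification failures deny regardless of role; otherwise the action must
    be explicitly granted to one of the session's roles on that resource."""
    problem = verify_identity(session, now)
    if problem:
        return Decision(False, problem)
    # Least privilege: nothing is allowed unless a role explicitly grants it.
    for role in sorted(session.roles):
        if action in POLICY.get(role, {}).get(resource, set()):
            return Decision(True, f"role {role} grants {action} on {resource}")
    return Decision(False, f"no role grants {action} on {resource}")


if __name__ == "__main__":
    clerk = Session("alice", {"payroll-clerk"}, True, True, issued_at=1000)
    # Admitted at one point of entry does not imply trust for every resource.
    for resource, action in [("payroll-db", "read"), ("payroll-db", "write")]:
        print(resource, action, authorize(clerk, resource, action, now=1100))
    # The same session, re-evaluated later, is rejected once it is stale.
    print("stale:", authorize(clerk, "payroll-db", "read", now=2000))
```

The point of the structure is that `authorize` never consults a cached "already logged in" flag: each call repeats the identity checks and then consults the role-to-resource map, so a session that was good enough for one resource is not automatically good enough for another, and a compliant device that later fails posture checks loses access on its next request.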
Secure Access Service Edge (SASE) is a term coined by Gartner in 2019. While still embryonic, SASE can dramatically simplify WAN access and security for remote worker and distributed branch office use cases. In the SASE model, the intelligence to deliver WAN access and security is consolidated into a cloud-delivered offering. This dramatically reduces the burden at the branch level to manage on-prem infrastructure, while at the same time harnessing the agility of the cloud to seamlessly support growth in users or functionality. From a security standpoint, SASE aspires to consolidate multiple controls including, but not limited to: Secure Web Gateway, CASB, DLP, Zero Trust Network Access/Software Defined Perimeter, and Firewalling.