Two cybersecurity trend lines have moved unremittingly up the same curve over the past two decades — and that’s not a good thing.
Year-in and year-out, organizations have steadily increased spending to defend their networks — and they continue to do so, with no end in sight. Research firm MarketsandMarkets estimates that the global cybersecurity market size will grow from $137.85 billion in 2017 to $231.94 billion by 2022, a compound annual growth rate of 11.0%.
At the same time, the damage and disruption caused by malicious hackers has also continued to rise, with no end in sight. One recent measure of this comes from a survey of senior officials at 120 large enterprises, conducted by research firm Forrester and sponsored by Centrify, a leading supplier of identity and access management (IAM) technologies.
C-level executives disclosed to Forrester that two-thirds of their companies had been breached multiple times – a startling five times on average over the past two years. What’s more, respondents indicated these break-ins occurred evenly all across the network, at endpoints, servers, databases and in software-as-a-service systems.
One might have reasonably expected a steady rise in spending on cybersecurity products and services, over a two-decade span, to have resulted in much better protected business networks. But such has not been the case.
LastWatchdog sat down with Centrify CEO Tom Kemp to drill down on why things have turned out the way they have – and discuss whether this pattern will ever change. The text has been edited for clarity and length.
LW: You’ve advocated that we need to rethink security. Why so?
Kemp: Clearly things are not working. The way that we’re going about security is actually failing. We’re falling further behind, and the reason why is really two-fold. First, we’re going through a massive shift to the cloud. But the vast majority of IT spending in security is still for on-premises. So there’s a mismatch; we’re almost fighting last year’s war.
The other aspect is that the attack vectors have completely changed, as well. Hackers are increasingly focusing on users and their identities. Verizon’s Data Breach Investigations Report shows us that, two years ago, half of breaches involved compromised credentials. That’s grown to 81%. So the focus has completely shifted towards attacking the user, trying to get their credentials, and that now represents 81% of the breaches; but that’s less than 10% on the spend. So there’s another mismatch.
LW: How much of this is of our own doing, pushing ahead with how we use networks without adequately addressing security along the way?
Kemp: The reality is that everything is, in the end, accessible by a password. And when the world is so focused on passwords, really bad things will happen. We saw that during the elections, with the hacking of the DNC and Podesta, and with the OPM breach . . . when we did that study with 120 large enterprises, we saw that there was a group A that was getting breached significantly less than group B.
It turned out that group A followed a maturity model of consolidating passwords, reducing the number of passwords out there, layering on multi-factor authentication, limiting lateral movement, enforcing least privilege, and auditing. It turned out to be very simple things, just good identity hygiene, that caused a significant reduction in breaches.
LW: Where can organizations look first to begin doing this?
Kemp: They can take what we call an identity assurance approach; consolidate the number of identity stores, reduce privileged access, reduce passwords, layer on multi-factor authentication, and then eventually you can potentially leverage machine learning and have adaptive multi-factor authentication to ask for additional bits of information from the user.
And then from there, you can limit lateral movement, implement least privilege policies, and provide user-level auditing. This all does result in a significant reduction in the number of breaches that we’ve seen with one group of large enterprises.
LW: So it’s kind of a progression?
Kemp: Yes. It’s a maturity model.
LW: So how does this tie back to the notion of a mismatch of spending?
Kemp: I think people need to stop trying to fight the old land war. The nature of the battle is completely changed. You can still have the legacy stuff, but don’t invest in it anymore. Realize that the new attack vector is your users. And I’m not just talking about throwing technology at it. There’s process involved and there really needs to be a lot more education of users. With the attack vectors we’re seeing today, you really need to consider people, process and technology.
LW: Can improving security impact productivity?
Kemp: Absolutely. You can now more rapidly adopt newer technologies. If you, let’s say, provide multi-factor authentication, that can make it easier to add the next app, and actually improve the whole productivity and digital transformation that a lot of organizations are trying to achieve. So, yes, good security could actually lead to increased productivity and increased adoption of technology. Eventually, you’ll be able to turn off the old legacy stuff, and go for more cloud-based, pay-as-you-go type of applications.
LW: And so that also taps into advanced machine-learning security solutions?
Kemp: Look, there is a machine learning revolution going on. Machine learning is being applied to financial transactions and health care services. From a security standpoint, just look at all the data generated and captured on a daily basis: logon attempts, failed logon attempts, user activity, etc. That information can and should be processed in real time, to detect potential malicious activity. You don’t want to be in a situation where the whole Christmas tree goes off, and you completely shut everything down. But you can actually layer on machine learning to make authentication more adaptive.
LW: That’s possible now, isn’t it?
Kemp: It is and we really need to leverage it. With mobile you get location, which allows you to implement conditional access. Also, mobile can be another form of authentication; the fact that you even have the device, and respond to a notification on the device. But then you can also leverage biometrics, with Face ID and Touch ID. Consumers and end users are used to doing that to get access to their own phone, to unlock their own device. Why not leverage that technology to make access more secure?
This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: http://www.lastwatchdog.com/podcast-the-case-for-rethinking-security-starting-with-smarter-management-of-privileged-access-logons/