CISOs’ Latest Struggle: When Prevention Is Faulty, but Investigation Is a Burden

In a fast-changing landscape where large cyberattacks make the news virtually every month, companies have started shifting their security defense paradigm towards gaining more visibility into how attacks occur and how they become targets.

By 2021, the global cost of cybersecurity breaches will reach US$6 trillion, double the total for 2015, the World Economic Forum forecasts [1]. Building shields to simply safeguard IT infrastructures is no longer enough, especially when protection fails and a breach occurs. And breaches will occur sooner rather than later.

Thus, analysts observe that companies’ security spending has already started migrating from prevention-only approaches towards detection and response. Advisory firm Gartner expects that spending on endpoint detection and response (EDR) capabilities will become a key priority for security buyers through 2020 [2]. Traditional cybersecurity controls, also perceived as passive defensive practices (e.g. endpoint protection platforms (EPP), firewalls, application security and intrusion prevention systems), focus on prevention; they are increasingly complemented by active defense mechanisms, such as EDR tools, that feed relevant, accurate reports into security operations and analytics.

EDR is experiencing solid growth, with revenues expected to increase 50% per year until 2020 to more than $1.5 billion. Analysts say the main growth driver is that protection has failed too many times and enterprises need additional visibility and detection to augment their EPP methods [3].
</gre_replace>
<gr_replace lines="13" cat="clarify" orig="In addition to">
In addition to improving detection of and response to prolific security incidents, EDR tools also help address the shortage of cybersecurity professionals, estimated to reach a record 1.8 million qualified information security personnel by 2022, up 20% from 2015 [4]. Two-thirds of information security professionals reported having too few workers to address current threats, while the number of cyber threats rises to new records each year.

Endpoint detection and response solutions will not only help CISOs protect their infrastructure against sophisticated cyber threats, facilitate early detection and gather intelligence, but also bring visibility into stealthy attacks, enabling rapid containment.

In addition to the improved detection and response approaches to prolific security incidents, EDR tools also address the shortage of cybersecurity professionals, estimated to reach a record1.8 million qualified information security personnel by 2022, up 20% from 2015.4 Two-thirds of information security professionals reported having too few workers to address current threats, while the number of cyber threats rises to new records each year.

More specifically, endpoint detection and response tools best fit resource-strapped businesses with lean IT teams that operate without a coordinating hub for cybersecurity activities, also known as a Security Operations Center (SOC). It is a common situation many companies have to deal with. Even though SOCs are increasingly common, almost half of organizations don’t have one [5], creating many security challenges: slower identification of intrusions, ad-hoc or no processes following a security breach, inability to efficiently protect the most valuable assets from advanced attacks, and delayed isolation of compromised infrastructure. Detection and response capabilities allow these companies to detect an attack quickly and react to minimize the impact on their network, brand reputation and customers.

This Bitdefender survey, which polled 1,050 people responsible for purchasing IT security within companies with 1,000+ computers in Europe and the US, explores CISOs’ needs in the prevention-detection-response-investigation era and weighs how the lack of visibility, speed, and personnel affects building stronger security practices in companies with both over-burdened and under-resourced IT teams.

Key findings

As cybercriminals and threat developers shift to sophisticated and more complex threats, such as unknown malware or file-less attacks, to evade traditional solutions, companies have started adding layers of protection that back up the standard endpoint protection platforms (EPPs). However, even if stacking multiple solutions, such as EDR capabilities, brings stronger security, CISOs still face trouble managing multiple platforms, chasing false alerts and growing security teams while keeping costs down.

A Bitdefender survey of large companies in the US and Europe shows that most Chief Information Security Officers have had difficulties deploying and maintaining complicated endpoint security architectures. Some 72% of information security professionals admit their IT team experiences both agent and alert fatigue. Four in five respondents in Sweden, Denmark and Italy say their IT team experiences alert and agent fatigue (82%, 80%, and 81% respectively), compared to 58% of Germans.

In this context, organizations that plan to expand their IT security teams to fight zero-day exploits, advanced persistent threats, and other devastating types of cybercrime face severe recruiting challenges, with more than one in six CISOs in the US and Europe, on average, admitting the company they work for is negatively affected by the global cyber skills deficit. Almost three quarters (74%) of Swedes – the highest percentage of those surveyed – acknowledge the adverse effects of the shortage of cybersecurity professionals; Italians scored lowest, yet still a significant proportion, at 41%.

Overall, 69% of CISOs perceive their team as under-resourced. Again, with the exception of Italy, over half of respondents in all markets consider their IT security team too small.

While most companies have started taking steps to defend against advanced attacks by developing Security Operations Centers (SOCs) – fundamentally an internal team of IT security specialists that deals with security issues on an organizational and technical level – many still have no internal structure to deal with modern threats. With no SOC in place, CISOs complain about different security gaps. Over two in three IT execs from the UK and Denmark said speed to investigate suspicious activity is one of their toughest tests, while 64% of Americans mentioned monitoring activities, and 52% of Germans perceive the ability to quickly respond to and remediate potential threats as the main obstacle created by the absence of a well-funded and well-resourced SOC. Half of Danes leading security teams in companies with no SOC note keeping up with alerts as a challenge, while 43% of Italians have difficulties finding unknown attackers inside the network, and 48% of the French indicate poor visibility of their IT environment.

Most CISOs say fighting attacks of increasing complexity demands increasing budgets. In total, 43% of IT security professionals say they have a big enough budget to efficiently secure their infrastructure. While over half of Swedes and Italians rate their budgets as sufficient (58% and 54% respectively), fewer than 30% of the French and 31% of Brits say the same. Meanwhile, a third of UK, US and German respondents (33%, 34% and 33% respectively) say their budget could not accommodate infrastructure expansion, and 24% of Germans say their budgets could not support a future increase in headcount.

On top of that, in terms of manpower and time consumption, managing EDR tools is described as difficult or very difficult by half of IT execs: 15% of US CISOs said it is very difficult, and 73% of Brits say deploying these technologies is difficult. Some security professionals who run both protection and detection-and-response-based security feel the latter are too noisy. Of all endpoint alerts triggered by monitoring and response technologies handled by Swedish security teams, 56% are false alarms. High false-alarm rates have been reported in all surveyed countries: UK and US (49%), Denmark (47%), France (45%), Germany (37%), and Italy (36%).



1 – World Economic Forum, Global Risks Report 2017, January 2017

2 – Gartner, Detection and Response is Top Security Priority for Organizations, March 2017

3 – Gartner, Avivah Litan, EDR Market grows to $1.5 billion in 2020, March 2017

4 – Booz Allen Hamilton Holding Corp, ISC2, Frost & Sullivan, Global Information Security Workforce Study, 2017

5 – EY, Global Information Security Survey 2017–2018, January 2018

This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by Razvan Muresan.