Security Tools Fail to Stop Significant Security Incidents 

The security industry is failing to keep pace with evolving cybercrime tactics, techniques and procedures as security and IT teams face mounting expectations to keep their organizations protected from such threats.

That was the finding of a Vectra AI survey of 1,800 global IT security decision-makers at companies with over 1,000 employees, which found that in the last year, 74% of respondents experienced a significant security event within their organization that required an incident response effort.

Nearly eight in 10 (79%) security decision-makers said they have bought tools that have failed on at least one occasion and cited poor integration, failure to detect modern attacks and lack of visibility as reasons for the failures. 

The report also revealed 83% of respondents said they believe traditional approaches do not protect against modern threats and they need to change the game when it comes to dealing with attackers.

Despite these challenges, survey results also indicated progress is being made: Of the 74% of respondents that experienced an event that required significant incident response, 43% were alerted to the problem by their security tools.

Tim Wade, deputy CTO at Vectra AI, said from his perspective, easily the most concerning finding is that nearly three out of four organizations surveyed suffered a significant security incident over the last year.

“While it’s likely that some of those organizations have underfunded their cybersecurity objectives, many haven’t—they’ve just made investments that, for one reason or another, haven’t achieved the outcomes they set out to achieve,” he said. 

Managing Modern Risks

He also pointed out that four out of five security leaders recognized that the status quo isn’t cutting it when it comes to managing modern risks.

“This generally involves a philosophy that shifts away from an overreliance on and investment in prevention-centric approaches, and instead embraces resilience—a philosophy rooted in the understanding that stopping every instance of an attack is a fool’s errand,” he said.

Instead, Wade said the focus should be on managing the endgame by uncovering and containing problems before damage is done.

“Offensive informs defense,” he explained. “It’s time for security leaders to roll up their sleeves and recognize that governance, risk and compliance are important parts of a risk strategy, but are independently insufficient to verify the efficacy of most tools and services.”

He noted that if a tool promises to manage adversary tradecraft, it needs to be subjected to adversary tradecraft.

“Security leaders need to invest in putting their organization through the wringer and often this is achieved with focused, recurring red team exercises with short cycles to iteratively measure improvements,” Wade added.

The survey also indicated the ongoing cybersecurity skills shortage is slowing down the move away from legacy security strategies; half of respondents admitted they could use more security talent on their team.

However, the rise in attack sophistication and the growing threat level are having an impact at the top of the organization, with 87% of respondents stating recent high-profile attacks have meant that boards are starting to take proper notice of cybersecurity.

Still, 83% of respondents said the board’s security decisions are influenced by existing relationships with legacy security and IT vendors.

Changing the Security Game

Regarding the ways security leaders need to “change the game” when it comes to dealing with attackers, Wade pointed out that the relationship between adversaries and defenders is asymmetrical and that, given time, motivation and resources, an adversary will establish a foothold.

“Anyone operating under the illusion that anything else is true will find they’re on a path toward disappointment,” he said. “Changing the game in that context involves rewriting the script so that every inch that an adversary gains is disproportionately more expensive for them and carries the risk that they’ll be uncovered, contained, expelled and all that effort will be for naught.”

He said organizations that attempt to prevent every attack will never run a cost-effective, risk-effective security program, but organizations that invest in the full spectrum of capabilities and measure success by their resilience will find they’re much better suited to face modern adversaries.

“Digital transformation and IT modernization initiatives are driving change at an ever-increasing pace,” he said. “Yet, companies are not the only ones innovating. Cybercriminals are, too.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

