Organisational security capabilities may be improving on a regular basis but a confluence of issues means that security personnel are fighting an ever-widening ‘effectiveness gap’ that is keeping them on the back foot, a senior Cisco Systems security executive has warned.
Traditionally poor integration between the mesh of security products in the typical organisation meant that “as more money is dumped into the problem, capabilities are plateauing,” Dave Justice, vice president of the Cisco Systems Global Security Sales Organisation told the packed room during the Security Innovation Day at the company’s Cisco Live! Conference in Melbourne.
“Everyone has a solution but they don’t really work well together,” he continued. “Complexity is going up exponentially as you add on more and more things. But it’s not about point products; the value really comes from the integration.”
Integration often remained an idealised goal for organisations that were struggling to make sense of the ever-increasing flood of data their systems were producing. Cisco’s 2017 Security Capabilities Benchmark Study (SCBS) – contained within its 2017 Annual Cybersecurity Report – found that nearly 1 in 5 companies had between 11 and 20 vendors – and that fully 55 percent of organisations use security products from more than 5 vendors.
The challenge had not gotten any easier, Justice said, as the explosion of Internet of Things (IoT) devices and the addition of cloud-based software-as-a-service (SaaS) offerings further complicated the layout and functioning of security defences.
“You would think SaaS applications would have great security capabilities, but in many cases they open a lot of holes in your network,” he explained, “and they give you a lack of visibility.”
Despite “staggering” investments in cloud security, the increasing movement of data outside the organisation – Gartner figures suggest, for example, that 25 percent of identified enterprise attacks will involve IoT even though just 10 percent of security investment will go to stopping them – will remain a bugbear for security executives trying to stay on top of their security exposure.
Citing “really high” renewal rates for its security services, Justice said customers are seeing strong value from increasingly integrated tools that provide well-integrated defences. Over time, these would increasingly leverage machine-learning and automation capabilities that would seek to close the effectiveness gap by increasing the rate at which organisations can pore over the never-ending flood of security data.
Steve Martino, Cisco’s vice president and chief information security officer, highlighted the importance of an adaptive defence in addressing these issues: “it’s not enough to say ‘I’ll put these defences up and they will work 100 percent of the time’,” he said. “You have to have an active hunting program to go find things happening on your network that you didn’t want to happen.”
“If your model is to sit back and watch the lights light up and go track down the alerts when they go off, you’re going to fail. You have to say ‘these are the types of attacks I’m going to look for’, and have a set of metrics that tell you whether you’re doing a good job or not doing a good job.”
The importance of keeping protection strategies updated was noted in the SCBS, in which just 58 percent of the 2912 respondents, across 13 countries, said they were very up to date and using the best technologies available.
Fully 37 percent said their infrastructure was upgraded on a regular cadence but that they were not equipped with the latest and greatest tools. And only 74 percent said that their tools were very or extremely effective against known security threats.
Notably, the perception of senior leadership’s support of cybersecurity had declined steadily over the last three years despite growing awareness of cybersecurity issues. Just 59 percent of respondents said that executive leaders considered security a high priority while 55 percent agreed that security roles and responsibilities were clarified amongst the executive team; these were down from 63 percent and 58 percent in 2014, respectively.
Such findings highlighted Justice’s argument that security tools’ evolution was going to be driven as much by increasing automation as by dramatic changes in companies’ human security resources and capabilities. “What’s going to solve this problem is not going to be people, and it’s not going to be how much money you can throw at it,” he said.
“It’s going to be automation and machines making sense of this data, and responding to it in an automated fashion. My biggest challenge within the organisation is keeping our customers up to date with the changes. We have a lot of work to do, but we have made huge strides.”