As companies struggle to discern the scope of cyberattacks, attention shifts to better detection
Organizations are aware of cybersecurity risks and understand what's at stake. What more is there to know?
Here we are again. Another one. Another large-scale cybersecurity incident. Another revelation that a breach was larger than previously thought. Another round of executive changes that impact organizations after fallout from a breach.
At times, it seems, the only true constant in cybersecurity is that an attack's impact will grow in severity while organizations are caught with the same vulnerabilities time and again.
Some cyberattack impacts are quantifiable. FedEx, for example, lost $300 million in operating income following the global Nyetya cyberattack in June. Those costs stem from lost revenue and remediation efforts. But the global malware attack acted as a wiper, destroying data, not necessarily trying to compromise it.
Data breaches are different. Attackers try to access systems to unlock troves of data and use it for various purposes, usually nefarious. Though random cyberattacks are bound to occur, most attacks target sensitive data troves that can be capitalized on.
The scale and scope of data breaches are also increasing. In 2016, 4.3 billion records were exposed, eclipsing the previous record of almost 3.2 billion, reached in 2013. To gain database access, attackers often don't have to work very hard: bad actors can buy access to compromised servers for just $6.
The security sector has long accepted that it is not a matter of if, but when, organizations are going to suffer a cyberattack. What has become increasingly clear is that companies don't know when they have been compromised, with attackers having unfettered system access for months at a time.
Cybersecurity started as a "100% focus on prevention," said Scott Millis, CTO at Cyber adAPT. Now, companies need to figure out how to better spot an attack.
The revelation of the 2 billion additional compromised Yahoo accounts — every Yahoo account in existence in 2013 — won't necessarily strike a chord with the security community. The announcement just places further emphasis on the reality of Yahoo's poor network visibility.
Yahoo can offer organizations specific lessons about the necessity of maintaining good audit trails, according to Avivah Litan, cybersecurity analyst for Gartner. It's "disappointing that they don't know the extent of the breach right away."
Logging and understanding network traffic remains important as companies need a baseline to compare to, akin to the black boxes on airplanes. Without assessing what network behavior normally looks like, it's difficult to understand when something is out of place.
Not only did Yahoo lack the internal forensics, which is why it took the company so long to understand the scope of the breach, it also lacked a layered security approach, according to Litan. Companies are bound to catch intruders if enough security layers are in place, particularly if there are access controls, behavior analytics and people paying attention.
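The baseline idea described above, as an added Python example that is not from the article or from any vendor named in it: it builds a per-host baseline of daily outbound volume and known destinations from a constructed "normal" week of flow records, then flags an observation day that falls outside that baseline. Host names, addresses, byte counts and the z-score threshold are all constructed assumptions for the demonstration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (day, source host, destination, bytes out). Not real data.
BASELINE_FLOWS = [
    ("d01", "db-01", "10.0.0.5", 1_200_000), ("d02", "db-01", "10.0.0.5", 1_350_000),
    ("d03", "db-01", "10.0.0.5", 1_100_000), ("d04", "db-01", "10.0.0.5", 1_300_000),
    ("d05", "db-01", "10.0.0.5", 1_250_000),
    ("d01", "web-01", "10.0.0.9", 500_000), ("d02", "web-01", "10.0.0.9", 520_000),
    ("d03", "web-01", "10.0.0.9", 480_000), ("d04", "web-01", "10.0.0.9", 510_000),
    ("d05", "web-01", "10.0.0.9", 490_000),
]
# Observation window: db-01 sends about 20x its usual volume to a destination never seen before.
OBSERVED_FLOWS = [
    ("d06", "db-01", "10.0.0.5", 1_280_000),
    ("d06", "db-01", "203.0.113.7", 24_000_000),
    ("d06", "web-01", "10.0.0.9", 505_000),
]

def daily_bytes(flows):
    """Sum outbound bytes per (host, day)."""
    totals = defaultdict(int)
    for day, host, _dst, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals

def build_baseline(flows):
    """Per host: (mean, population std-dev) of daily outbound bytes, plus the destinations seen."""
    volumes, dests = defaultdict(list), defaultdict(set)
    for (host, _day), total in daily_bytes(flows).items():
        volumes[host].append(total)
    for _day, host, dst, _n in flows:
        dests[host].add(dst)
    return {h: (mean(v), pstdev(v), dests[h]) for h, v in volumes.items()}

def find_deviations(baseline, flows, z_threshold=3.0):
    """Return (host, day, reason) for volume far above baseline or traffic to an unseen destination."""
    alerts = []
    for (host, day), total in sorted(daily_bytes(flows).items()):
        if host not in baseline:  # unknown host: nothing to compare against
            continue
        mu, sigma, _ = baseline[host]
        # A flat baseline (sigma == 0) must not turn every small change into a divide-by-zero alert.
        z = (total - mu) / sigma if sigma else (0.0 if total == mu else float("inf"))
        if z > z_threshold:
            alerts.append((host, day, f"outbound volume z={z:.1f} vs baseline mean {mu:.0f}"))
    for day, host, dst, _n in flows:
        if host in baseline and dst not in baseline[host][2]:
            alerts.append((host, day, f"new destination {dst}"))
    return alerts
```

Running `find_deviations(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)` yields two alerts for db-01 on day d06 (the volume spike and the unseen destination) and none for web-01, whose traffic stays inside its baseline.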
If prevention is impossible, how about detection?
The commonly held industry standard is that prevention will fail so companies must instead turn to rapid detection and response.
But for Litan, prevention "may" fail.
While humans still do the detection and response, adequately deterring modern cyberthreats requires better, more advanced threat hunters. Put another way, companies need advanced machine analytics.
"Unfortunately, at least I think for a while, response is purely in the hands of human beings. It's very, very difficult to imagine a sort of self-healing system that scales out to the billions of devices that are out there," said Millis. "It's very difficult to wrap your mind around a system that can be instantaneously remediated."
Instead, prevention is based on detection. If companies become better at advanced analytics, organizations can move the derived insights into prevention. "The faster you find out, even with limited human resources, the better chance you have of preventing exfiltration or damage," Millis said.
While there is no silver bullet in cybersecurity, as technology becomes more intelligent, human processes can be enhanced and improved.
"Assume breaches are going to get past most of your measures, so you need stronger automations for what's been happening before," Litan said. "That’s where smarter analytics does play a role."
Once processes become more automated and move away from post-infection detection, according to Litan, prevention can become possible.
Follow Naomi Eide on Twitter