Cybersecurity: It's about time
The sprawling and complex set of subjects we call cyber security can all be tied to one fundamental concept -- time. The time it takes a cyberattack to penetrate, the time from initial compromise to lateral movement across the network, the time it takes for an attack to be detected, to be analyzed, to be responded to and remediated.
Time is one of seven base quantities in the International System of Units upon which all other measures are constructed. No surprise then that it’s the single most important factor in cybersecurity program success.
Industry research indicates that within just two hours, on average, attackers can break out from the initial compromised endpoint and move to other machines in the network. Assuming machine zero is not the end game, that’s the window companies have to detect and stop an attack before damage spreads. Yet according to a Ponemon Institute study, mean dwell time – the amount of time an attacker lurks in an environment before being detected -- lasts 191 days.
A case in point, Equifax was breached in mid-May 2017 and not discovered until July 29, 2017. That’s shorter than the average dwell time but still long enough for catastrophic consequences Damage estimates currently stand at $439 million, with over 145 million people affected.
There’s a direct relationship between the time an organization takes to contain a breach and breach costs. The same Ponemon study found that the cost of a data breach was nearly $1 million lower on average for organizations that were able to contain a data breach in less than thirty days.
Unfortunately, time is the one thing security organizations have in short supply. Some of this boils down to the well-known cybersec labor shortage -- lack of skilled staff ranks as the top CISO concern, even ahead of breaches. But much can, ironically, be chalked up to the security industry’s success. Companies are so swamped with telemetry from security tools that they can’t wade through the noise. A recent survey by analyst firm ESG found that 25 percent of cybersecurity and IT professionals state their security teams spend too much time responding to and investigating alerts, many of which are false alarms.
The result can be disastrous. Early alerts warned Target’s security team of malicious activity well before discovery of the now-infamous data breach, but they were treated as more items in a long list of logged events. No SecOps team has the time to investigate every incident.
So how can companies claw back the time they desperately need to make their cybersecurity programs more manageable and effective?
The most obvious answer is better prevention. If you prevent attacks from getting into your organization in the first place then your dwell time collapses to zero. Most standard prevention solutions like antivirus, however, offer little protection against the evasive techniques used by today’s sophisticated attacks. So in terms of reducing overall dwell time, they don’t contribute much.
The newer crop of AI-based security tools gets closer, reducing threat detection and response times, but they can never reach the goal of zero as they will always need some amount of time to identify and decide about a threat. At the same time, attackers and attack technology are getting ever-quicker too. So the gap might shrink or grow at times but will always be there. These solutions also tend to be complex to operate, adding to the time burden on that front.
To really give time back to security teams we need to step outside the three dimensional box. Companies must evolve their protection strategies and incorporate approaches that don’t operate in the time-bound world of detection and response, away from labor intensive monitoring and analytics. For example, endpoint technologies that work in the memory space to prevent attacks from exploiting the resources they need to proceed forward. Or network defenses like micro-segmentation that shrink the attack surface. Cybersecurity needs to move into the next dimension. It’s about time.
Ronen Yehoshua is the CEO of Morphisec. He comes with over 20 year of operational, business and investments experience in the Hi-tech industry and has worked with hundreds of cyber and communication startups in his 20+ years of technology management and VC experience.