Why a bigger budget isn't necessarily the key to good cybersecurity [Q&A]
Cyberattacks are expected to reach historic levels this year, in both volume and sophistication, yet many organizations are reducing their 2023 cybersecurity budgets.
We spoke to Steve Benton, VP of threat research at intelligence-driven cybersecurity specialist Anomali, to discover how a different approach might offer strong protection without breaking the bank.
BN: Why are traditional security tools proving less effective in the current environment?
SB: With the rapid pace of digital transformation and rising attacks, we are hearing from businesses about a lack of integrated cybersecurity solutions as a barrier to detecting, responding to, and recovering from cyberattacks and data breaches.
BN: Have changes in working culture opened up new routes for attackers?
SB: Absolutely. Many organizations are facing reductions with layoffs -- in those sorts of environments, where people are concerned about their jobs or are losing their jobs, you will see a significant rise in insider threat. You have potentially, at the very least, employees that don't care anymore. They become lax in their behaviors, which can be an opportunity for attackers.
Layoffs also put stress on offboarding processes, including shutting down terminated employees' access and other steps needed to protect your data. As layoffs take place, employees could deliberately want to take an organization's data. As for the people who are left behind, you could be unknowingly aggregating privileges and breaking the segregation of duties and other things. So you end up with users with much higher privileges than you possibly recognize.
Attackers will be watching the press for organizations that they're interested in, and, if they're seeing layoffs there, they'll possibly be using that news to do some form of social engineering in order to get access.
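The offboarding gaps described in the answer above can be turned into a routine check: reconcile the HR termination list against an identity-provider export, flag accounts still enabled past a grace period, flag enabled accounts with no HR owner, and flag users whose accumulated roles contain a segregation-of-duties conflict. The following is an added example, not code from the interview or from Anomali; the roster, the account export, the role names and the conflict pairs are all constructed sample data.

```python
"""Offboarding and privilege-aggregation checks over constructed sample data."""
from __future__ import annotations

from datetime import date

# Constructed HR roster: user -> employment status and termination date (hypothetical).
HR_ROSTER = {
    "alice": {"status": "active", "term_date": None},
    "bob": {"status": "terminated", "term_date": date(2023, 3, 1)},
    "carol": {"status": "terminated", "term_date": date(2023, 3, 15)},
    "dave": {"status": "active", "term_date": None},
}

# Constructed identity-provider export: account -> enabled flag and accumulated roles.
IDP_ACCOUNTS = {
    "alice": {"enabled": True, "roles": {"ap-invoice-entry", "ap-payment-approve", "reader"}},
    "bob": {"enabled": True, "roles": {"reader"}},
    "carol": {"enabled": False, "roles": {"vendor-master-edit"}},
    "dave": {"enabled": True, "roles": {"vendor-master-edit", "ap-payment-approve"}},
    "svc-backup": {"enabled": True, "roles": {"backup-operator"}},
}

# Segregation-of-duties conflict pairs (assumed for illustration): a single person
# should not both enter invoices and approve payments, or edit vendors and approve payments.
SOD_CONFLICTS = [
    frozenset({"ap-invoice-entry", "ap-payment-approve"}),
    frozenset({"vendor-master-edit", "ap-payment-approve"}),
]


def stale_terminated_accounts(hr, idp, as_of, grace_days=1):
    """Return (user, days_overdue) for terminated users whose account is still enabled
    more than grace_days after their termination date."""
    findings = []
    for user, rec in hr.items():
        if rec["status"] != "terminated":
            continue
        acct = idp.get(user)
        if acct is None or not acct["enabled"]:
            continue  # no account, or already disabled: offboarding worked
        overdue = (as_of - rec["term_date"]).days
        if overdue > grace_days:
            findings.append((user, overdue))
    return sorted(findings)


def orphaned_accounts(hr, idp):
    """Return enabled accounts with no HR record at all (service accounts, leftovers).
    These need a named owner, otherwise nobody will ever offboard them."""
    return sorted(u for u, a in idp.items() if a["enabled"] and u not in hr)


def sod_violations(idp, conflicts):
    """Return (user, conflicting_pair) for enabled accounts whose accumulated roles
    contain a complete conflict pair; this is where 'aggregated privileges' surface."""
    out = []
    for user, acct in sorted(idp.items()):
        if not acct["enabled"]:
            continue
        for pair in conflicts:
            if pair <= acct["roles"]:
                out.append((user, tuple(sorted(pair))))
    return out


def offboarding_report(hr=HR_ROSTER, idp=IDP_ACCOUNTS, conflicts=SOD_CONFLICTS,
                       as_of=date(2023, 4, 1)):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "stale_terminated": stale_terminated_accounts(hr, idp, as_of),
        "orphaned": orphaned_accounts(hr, idp),
        "sod": sod_violations(idp, conflicts),
    }


if __name__ == "__main__":
    for check, findings in offboarding_report().items():
        print(check, findings)
```

Run against real data, the HR roster and the IdP export would come from your HR system's termination feed and your directory's user export; the point of keeping the conflict pairs in a table is that the finance or audit owner, not the security team, maintains which role combinations are forbidden.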
BN: How can a 'less is more' approach improve protection and offer value for money?
SB: First off, let me say during my nearly two decades as a deputy CISO and Chief Security Officer, every year, I had to do more with less. It was because, like for any organization, security is part of a company’s overhead. It is a cost base for the organization. So, you are always being pressured to achieve more on that cost base, and that cost base will come under rigor if uncontrolled year over year.
That said, I never looked at it as doing more with fewer people. That's the wrong way to look at it. Instead, I ask the question: How can I make a greater impact with less?
Every tool in a security ecosystem creates an overhead expense in terms of its operation and support. As a result, we need to look very carefully at what each toolset provides in terms of controls in my security ecosystem. I ultimately want a set of overlapping, amplifying, and supporting controls, but I don't want to have too much.
A continuous assessment is required. For example, if I have tools I've had for a while that aren't really hitting that sweet spot, I need to retire those products. And for those newer tools that we've made the investment in over the last few years, I need to show that we're actually utilizing -- and optimizing -- those correctly in my security operations. The question then is: how do you coordinate and drive what you focus those toolsets on? The answer is intelligence.
BN: How big a factor is threat intelligence in improving protection?
SB: Huge. It's only over the last few years that the power of intelligence has truly been understood in security operations rather than just by smaller threat intelligence teams. Anomali very much has been at the forefront of shifting that line of thinking across the entire industry and other security vendors have begun to follow. There are only a few that understand how intelligence truly works and can be operationalized; Anomali is one of the strongest, if not the strongest, around now.
No one is to blame here. CISOs and other leaders often didn't have the right inputs to fully understand the value of intelligence. Those inputs are now available, and the security ecosystem is better-understood thanks to years of performance of these security tools against the threats.
BN: What simple steps can organizations take to improve protection?
SB: Over the last few decades, the security industry has been creating more and more different barriers to an attack. But when you stack all that stuff up, ask yourself: Does that really protect me or am I sort of admiring this great stack of stuff and not seeing the actual weaknesses that will still allow attackers to be successful? Organizations must stop admiring what they've built and have the courage to look at it through the eyes of an attacker.
Organizations should focus on protecting their ever-growing attack surface and its potential vulnerabilities, which become more complex in fully remote environments. Second, they should enable open communications across groups to help identify and address cyber risks before they become issues. Third, they should deploy defense strategies and tools to reduce overall company risk, regardless of where employees work.