Preventing cybersecurity stagnation through breach containment

There’s a famous quote by Einstein which reads: “Insanity is doing the same thing over and over again and expecting different results.”

In cybersecurity, this saying has never been more fitting. We’ve seen years of increased investment, a figure Gartner estimates will reach $212 billion this year, yet the average cost of a breach continues to rise, reaching $4.8 million in 2024. That’s 10 percent higher than 2023, according to IBM.

Something isn’t working. Organizations are investing more and more in preventative methods, yet attacks are still getting in. And when they do, identifying and containing them quickly is a struggle. It’s clear that our approach to security needs to change.

The only way to stop this repetitive cycle of insanity is to abandon the pursuit of perfect defenses and instead ensure that we can limit the impact of a breach when it occurs.

Attackers are finding it far too easy

Cybercriminals have it easy right now. They continue to exploit a lack of basic cybersecurity hygiene, using the same tried-and-tested techniques they have for years and with a high degree of success.

For example, it’s well known that lateral movement is a key factor in successful ransomware attacks -- Ponemon’s Global Cost of Ransomware Study proves it. Yet over half of that study’s respondents say attackers exploited unpatched systems to move laterally and escalate system privileges. We need to stop handing attackers the easy win.

Similarly, the majority of attacks use common protocols like Remote Desktop Protocol (RDP) or file sharing technologies like Server Message Block (SMB) for ransomware delivery and propagation. These protocols are “on by default” in standard operating system installations, yet most users don’t use them. So, why are these protocols even open?
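As an added example, not taken from the article or from Illumio, this is what closing those default-open protocols looks like on a Windows workstation that serves neither RDP nor SMB. It assumes an elevated PowerShell session and uses a placeholder management subnet as the only address range that would ever be allowed back in for RDP.

```powershell
# Added example (not from the article): shrink the default-open RDP/SMB footprint
# on a Windows host that does not need to serve either protocol.
# Run in an elevated PowerShell session.
$MgmtSubnet = '10.0.100.0/24'   # placeholder assumption: the only legitimate RDP source

# 1. Inventory: which enabled inbound allow rules currently expose RDP (3389) or SMB (445)?
#    (-eq on an array-valued LocalPort returns the matching elements, so it is truthy on a hit.)
$openRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and
                   (($_.LocalPort -eq '3389') -or ($_.LocalPort -eq '445')) } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$openRules | Select-Object DisplayName, Profile, Enabled

# 2. Disable the built-in allow groups that ship enabled in many standard images.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Disable-NetFirewallRule

# 3. Turn off the RDP listener itself, not just the firewall exception in front of it.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 1

# 4. Retire SMBv1; SMBv2/v3 stay available only where a rule explicitly allows them.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 5. Make default-deny inbound explicit on every profile so removed exceptions stay removed.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# If this host genuinely must accept RDP, re-open it only from the management subnet
# rather than restoring the broad built-in rule (uncomment to apply):
# New-NetFirewallRule -DisplayName 'RDP from management subnet only' -Direction Inbound `
#     -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain
```

Re-run step 1 afterwards: an empty result is the check that no enabled inbound allow rule for 3389 or 445 remains.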

If we’re aware of the issue of lateral movement, we need to do more to stop it from happening. Poor hygiene makes organizations a sitting duck.

The boring basics matter more than ever

Arguably, part of the problem is a tendency to favor adoption of new and emerging tools over mastering the basics. This is why, time and time again, we see organizations fall at the first hurdle -- the fundamentals.

Effective patch management, strict access controls, and regular vulnerability assessments are critical in limiting an attacker’s ability to move laterally. In this sense, containment isn’t just about technology; it’s about discipline.

The most important controls to combat ransomware are those in place before any infection. Most CISOs agree that end-user training has an upper limit of effectiveness. Cyber awareness alone is no longer enough. Organizations need cyber preparedness. Awareness tells people that threats exist, while preparedness trains them to act when threats arrive.

Organizations need to take pride in mastering the basics and stop allowing criminals to exploit the same predictable weaknesses. But this requires a concerted effort from the top down.

Good security hygiene should be seen as much of an accomplishment as implementing a new security capability. And business leaders should provide the necessary budget and demand that acceptable hygiene levels are met.

Focus on containing a breach when it happens

The smartest move an organization can make is to limit the blast radius when an attacker gets in.

Containment doesn’t stop an attack from happening; it stops it from spreading.

Ponemon’s research found that 58 percent of organizations had to halt operations following a ransomware attack, with the average outage lasting 12 hours. That’s a whole business day lost and more than enough time for reputational damage and serious financial losses. Through containment, you keep your most critical assets safe.

Yet we see many organizations waste critical hours after a breach asking, “What went wrong, and who’s to blame?” It’s a natural human reaction during a crisis, but also a dangerous one.

Senior leaders must move away from the blame game. Blaming others in the organization sets an unrealistic expectation that you should know everything about every piece of technology at all times. This is nearly impossible.

Instead, mature organizations respond with clarity and calm. Fix the issue, understand how it happened, and prevent it from spreading.

I recently spoke with Dr Erik Huffman, an award-winning entrepreneur and cyberpsychologist, who explained this perfectly: “If there is negligence, figure that out after you fix the problem.” Blaming a breach on “negligence” alone shows a fundamental misunderstanding of how cybersecurity actually works.

Think like attackers: embrace AI security graphs for rapid detection and containment of threats

Instead of scrambling to find who is to blame for a breach, organizations must take proactive steps to limit the damage before it happens.

For all their wrongs, attackers are great at one thing -- observability. They are great at mapping out systems, users, and relationships, looking for connections to exploit. We, the defenders, need to take the same approach.

To gain the advantage, organizations need a complete picture of threats and attacker movement across their environment. Tools like AI-driven security graphs can offer this dynamic and visual understanding, making it easier for organizations to identify vulnerabilities, gain visibility into attack patterns, and isolate and contain threats in real time.

We need to get the formula right. That means first mastering the basics, second prioritizing containment, and finally automating that process with AI.

Adopting attacker-like thinking combined with AI-powered tools can be the difference between a minor disruption and a catastrophic breach. This shift in mentality brings us to a crucial realization: perfection isn't the goal, resilience is.

Containment is your security seatbelt

We need to start looking at cybersecurity like driving. You wear a seatbelt not because it prevents crashes, but because it limits damage when crashes happen.

Breach containment is your cybersecurity seatbelt: a layer of resilience that protects you from worst-case scenarios.

Strategies like Zero Trust that take the “never trust, always verify” approach are your airbags and traction control systems. This mentality is key: accept that cyber risk exists, and prepare your environment and your people accordingly.

Attackers don’t want a challenge. They want an easy win. The more friction we introduce, the more effort they have to expend, and the more likely they are to give up and move on.

We don’t have to be perfect. We just have to stop being easy targets.

Raghu Nandakumara is Head of Industry Solutions, Illumio.