Theme to Watch in 2023: Cybersecurity and Closing the Detection Gap

February 2, 2023 / Ben Bajarin

Summary

  • The detection gap in cybersecurity leads to a continuous drain on security operations teams and high costs for organizations.
  • CSOs need to prioritize early detection and adopt a culture of security throughout the organization to be proactive in the face of increasing cyber threats.
  • Closing the detection gap requires a change in posture towards cybersecurity and can be addressed through better technology and solutions.

If there was one pocket of the technology industry that truly benefited from a global pandemic that forced workers out of the office and into remote locations, it was the security industry. A mass exodus from the office to the home caused many CSOs headaches and anxiety as office-based tools, hardware assets, and information left the building. The enterprise security strategy of building an impenetrable wall of defense broke wide open when it also had to include employees’ homes. While the pandemic did force many organizations to accelerate their digital transformation efforts, it also forced a paradigm change in the way many CSOs thought about security protocols, technology, and architecture. What has become clearer is the inability of existing malware detection systems to detect truly dangerous and insidious malware. All of this, and more, has made early detection of threats and attacks more of a priority in modern security architectures.

The Problem

For most CSOs, it is no secret that their organizations are constantly under attack. Most enterprise security architectures focus first on protection, attempting to build an impenetrable wall (spoiler: there is no such thing). Essentially, the current security architecture priorities go: protect, detect, respond, and recover. The issue, however, is the fallacy of the impenetrable wall, which was significantly exposed by the pandemic and the shift to remote work. Pouring resources into protection only goes so far. This is why there is a trend to reshuffle security architectures to put increased investment into detection and limit dwell time.

In its 2022 report titled Cost of a Data Breach: A Million Dollar Race to Detect and Respond, IBM shared some staggering statistics.

  • The average cost of a data breach is $4.35 million USD
  • 83% of organizations had more than one data breach
  • 45% of the breaches were cloud-based
  • 277 days was the average time it took to identify and contain a data breach

Even though it is a stated priority, detection remains a challenge for many organizations. I had the opportunity to talk with Alex Gray, former Chief of Staff of the National Security Council at the White House. During his time at the NSC, he was responsible for the broader protection of the White House but also for how the US Government was thinking more broadly about cybersecurity and national security. During our conversation, we talked at length about the current detection gap, something he was keenly aware of as a matter of national security but also on behalf of the many US companies that struggle with the same problem, as organizations large and small face millions of attacks each year. He stated, “The protection against intrusions is flawed. There is no such thing as an impenetrable wall. There is a detection gap that is extraordinary and damaging. The paradigm needs to change from being reactionary to proactive.”

The continued impact on internal resources was a constant theme in my conversation with Alex Gray as well as many CSOs I have chatted with over the last 12 months. The detection gap leads to a non-stop drag on security operations teams and until the detection gap is closed, this will not change. In our conversation, Alex Gray articulated the importance of going on offense, and not allowing internal SecOps forces to continue to take endless attrition during cybersecurity warfare.

I also had the chance to talk to Doug Fisher, CSO of Lenovo. I attended a presentation he gave on security and, based on his experience, wanted a follow-up conversation specifically on the detection gap in cybersecurity but also on how he is leading efforts to build a more security-conscious culture inside Lenovo. I think Lenovo is paving the way here as an organization. During our conversation, Mr. Fisher shared insight not just from his efforts internally at Lenovo but from conversations he has had with other global CSOs. He explained that for an organization’s security efforts to succeed in this modern era of increasing cyber threats, a culture of security has to be ingrained into the entire organization. The IBM report I mentioned earlier highlighted that 59% of the organizations IBM studied didn’t deploy zero trust procedures. What Doug Fisher shared about his strategy to bring a more security-minded culture to Lenovo goes beyond zero trust. He outlined during our conversation that “One goal I have internally is reducing trust level, thus increasing the amount of authentication. Building deeper on the theme of zero trust. One of the main ways we are doing this is to require re-authentication again if we have any suspicion of where a device is logging onto our network.” My takeaway from this shift to increase the amount of authentication is that every device is guilty until proven innocent.

One important point Mr. Fisher made during our conversation was that most CSOs tend to hesitate when under attack. This goes back to the overall point of emphasizing detection as a priority so CSOs can more frequently be on offense rather than defense. It is a good point, and one I have heard from other CSOs: their concern is often not knowing the quality of an attack alert and whether or not it is a false positive. Shutting down part of the organization’s infrastructure would have an impact on the organization. But he pointed out that the impact of hesitating is more disruptive than responding immediately, even if the alert turns out to be a false positive. This again comes back to a new culture of security being ingrained in more organizations. Employees need to understand the true impact of these data breaches on their business continuity. It may feel like an inconvenience, but that is where cultural buy-in at the highest levels of an organization is essential.

Lastly, during our chat, Doug Fisher offered some helpful suggestions for other CSOs. He encouraged better modeling of the cost per minute of downtime to the organization as a whole, and using that figure as motivation to invest in processes that allow quicker recovery.

Doubling down and going beyond zero trust was also a theme in my conversation with Kenneth Bible, the Chief Information Security Officer at the U.S. Department of Homeland Security. Mr. Bible referenced Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, issued by the President, which led to a memorandum aimed at “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” In our conversation, he echoed the importance of doubling down on zero trust and creating security procedures that take a more granular approach to network and corporate assets. Mr. Bible stated, “Given the executive order on zero trust as a mandate has emphasized the shift to prioritize detection sooner as a security architecture strategy. We face the same challenges on how to prioritize resources and we see the need as well to shift resources to prioritize early detection of cyber security threats.”

One of the ways DHS is working on early detection is the “Hack DHS” bug bounty program. During our conversation, Mr. Bible emphasized the importance of this program in DHS’s efforts to be more proactive with early detection: “This program is an important way we at the DHS are partnering with the cybersecurity research community to try and identify and plug vulnerabilities before the bad guys do. The Hack DHS program has helped identify several hundred findings that could have resulted in system degradation or impacted mission-critical services.”

Every conversation I had with CSOs in the Fortune 500 and high-level Government officials confirmed there is a detection gap that needs to be closed in cybersecurity.

How to Close the Detection Gap

How to close the detection gap is the key question CSOs need to address in their security architecture. There is a benchmark called the 1-10-60 rule. It goes as follows: one minute or less to detect, ten minutes or less to investigate, and 60 minutes or less to remediate. This seems like a lofty goal when, even in industries with some of the best cybersecurity practices, the average is one hour or more to detect, four hours to investigate, and more than four hours to remediate.

Everyone in the security space I talked to agreed that something needs to change in our posture toward cybersecurity, and the consensus is that better technology and better solutions will play a role in equipping security teams to be more proactive against attacks. We are already seeing innovative approaches to early detection take shape. I want to highlight a few approaches that are interesting on their own but also represent the opportunity in security architecture to prioritize early detection and to be more proactive than reactive toward threats.

In many of the emerging cybersecurity solutions I looked at, a common goal was to move to a better architecture that allows for continuous monitoring and higher accuracy in actionable security alerts. A key obstacle to that goal is the common security architecture approach of deploying a large, resource-heavy agent, often 1 GB or more in size, on as many assets as possible. This approach is resource heavy and does not scale. A company taking a different approach is Crytica Security. Crytica’s approach is specifically designed to cut dwell time to under 180 seconds and to surface only critical alerts to security operations teams. It uses an extremely small probe/agent (<70 KB) that can scale from server to IoT endpoint, continuous monitoring for any changes to a device’s executable code that, the company says, results in no false positives, and a distributed intelligence approach that leads to the detection of never-before-seen malware. Dr. Kerry Nemovicher, CEO of Crytica Security, stated while describing the Crytica Security solution: “We need detection that can stand on its own, with the ability to detect malware infections continuously, in close to real-time, as they occur. We need detection systems that cannot be defeated by nor bypassed by sophisticated malware. Crytica provides exactly this type of rapid, resilient, and reliable detection capability.”
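The general technique behind the monitoring described above, detecting any change to a device’s executable code by comparing content hashes against a known-good baseline, is shown in this added example (not Crytica’s or any vendor’s code). The directory layout, file contents and the set of suffixes treated as executable are constructed assumptions for the demo.

```python
"""Baseline-and-diff integrity check over a directory of executables (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Suffixes treated as "executable code" in this demo (an assumption; a real
# deployment would use file mode bits, ELF/PE headers or a package database).
EXEC_SUFFIXES = {".exe", ".dll", ".so", ".bin", ""}


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> SHA-256 for every executable under root."""
    base = Path(root)
    return {
        p.relative_to(base).as_posix(): _sha256(p)
        for p in sorted(base.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify every executable change since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: a service binary is altered and an unknown file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc").write_bytes(b"\x7fELF original service")      # constructed content
        (root / "bin" / "helper.so").write_bytes(b"\x7fELF helper library")  # constructed content
        (root / "README.txt").write_text("not code")                         # ignored by the scan
        baseline = build_baseline(tmp)
        # Simulate tampering after the baseline: patch the service, drop a new binary.
        (root / "bin" / "svc").write_bytes(b"\x7fELF original service + implant")
        (root / "bin" / "dropper.bin").write_bytes(b"MZ new file")
        return diff_baseline(baseline, build_baseline(tmp))


if __name__ == "__main__":
    print(demo())
```

A continuous deployment would rerun build_baseline on a timer or on file-system events and raise an alert on any non-empty diff, with the baseline refreshed only by an authorized software update.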

Another emerging approach is the use of AI in cybersecurity. IBM listed AI for automation and threat management as a trend in cybersecurity. I had a chance to speak with J.R. Rao, an IBM Fellow and CTO of Security Research. In our conversation, J.R. Rao outlined how AI-powered defenses will become more relevant and necessary as attackers start to use AI as a tool to enhance their attacks. Hackers are constantly evolving, and as the tools to defend get better, so do the tools to attack. IBM has been advocating for AI as a foundational approach to cybersecurity and has been investing in AI-powered solutions to be integrated into each part of the threat management cycle. During our conversation, J.R. Rao highlighted that “IBM has been developing AI solutions around automation, continuous machine learning, and AI for detection which will equip SecOps teams to be more proactive and less reactive to attacks. AI threat detection, using trusted advisors, will help the security operation center to prioritize serious threats and be able to respond to alerts prioritized by criticality.”

IBM’s report highlights some early successes in using AI, stating:

  • AI plus automation increases visibility and productivity across security operations. Leading AI Adopters are monitoring 95% of network communications and cutting time to detect incidents by a third.
  • Top performers increased their return on security investment (ROSI) by 40% or more and reduced data breach costs by at least 18%.

With the rapidly increasing capabilities of AI, integrating specifically trained and optimized AI techniques seems an essential part of modern security architectures.

As it stands today, most organizations’ IT leaders agree they do not currently have the tools or the approach to contain a breach within an hour. A 2020 CrowdStrike report indicated 31 hours as the average time to close a breach once it is discovered. In total, the average company would need 162 hours to detect, triage, and contain a breach. Even though the CrowdStrike study was done in 2020, from talks with many experts in the field it does not seem like much has meaningfully changed in closing the detection gap.

This is why new tools, new technologies, and a better culture of security are necessary for all organizations in the modern age.
