By: Hadi Jaafarawi, Managing Director, Middle East at Qualys
Most of us know that problems rarely evaporate when we throw money at them. And in the Arab Gulf region, where ransomware, phishing, and a range of other attacks continue to plague digital estates, cybersecurity leaders know they must do something. But is their investment making an impact, or is it for naught? According to a PwC survey that included the Middle East, more than two thirds (69%) of security leaders around the world expect their cybersecurity budget to go up this year. And more than a quarter (26%) expect a double-digit rise.
In attempting to assess whether their investments are wise — or indeed what may have gone wrong where wasteful spending has been discovered — decision-makers should be aware that they have challenges in common. There are three major reasons why their cybersecurity budgets are wasted.
- Lack of visibility
Most organisations invest heavily in security solutions but often deploy them to limited subsets of their assets. Many use more than 10 solutions that have limited to no interoperability. Response times suffer amid alert fatigue, with analysts pressured to compile data on an event, assess value and risk, and prioritise it for follow-up. Needless to say, modern threat actors are considerably more agile.
Organisational and informational silos hide assets. Everything from laptops and printers to IoT devices and cloud applications can shimmy under the radar. A comprehensive, accurate, up-to-date, adequately categorised asset inventory underpins every strong threat posture. Inventory should come before everything else. Only when the security team knows what is in place can analysts hope to address vulnerabilities and configuration errors and administer fixes.
- A false sense of security
But even enterprises with a robust register of digital assets can suffer from overconfidence. Solutions such as endpoint detection and response (EDR), antivirus, and firewalls only help when they are switched on. Often — as has been found to be the case in many real-world post-mortems of cyberattacks — they can be disabled on individual devices. Of course, good inventory management can be the first step in detecting such issues, but organisations must also establish policies and procedures for detecting misconfigurations and addressing them.
Another common misconfiguration, one that business stakeholders may assume installed solutions handle automatically, is the presence of easily exploited vulnerabilities for which patches have long been available. Again, such issues can be identified by a comprehensive audit and inventory, but they still require constant attention to ensure every asset is protected.
Another factor contributing to an enterprise’s false sense of security may be the presence of a third party in its security strategy. If it has enlisted the services of a managed security service provider (MSSP), a lack of oversight may lead to diminished visibility and to overconfidence in the threat posture. SLAs and KPIs need constant attention, whether by a CISO or by a CIO, and MSSPs must align with the client’s policies and be held accountable for lapses.
- Insufficient automation
Let us now consider an organisation that has established the requisite visibility across its architecture and has initiated the best practices needed to rid itself of unwarranted assumptions about its security. It now has everything it needs for a robust posture, but it still needs to understand its data to move to an agile state, where it can take effective action against real risks. For example, security analysts need to be able to distinguish serious vulnerabilities from ones unlikely to be exploited. Automation is invaluable in sifting through the data at hand — both real-time inventory data and historic contextual data.
Automation can also greatly speed up compliance audits, as well as making them cheaper and more accurate. And other processes, such as the prioritisation of remediation efforts, are also served by machine intelligence. Extended detection and response (XDR) — a cloud-native solution capable of sweeping visibility of the entire technology stack — is uniquely positioned to automate much of the day-to-day security tasks that slow down threat hunters. In particular, context-sensitive XDR can assemble data on risk posture, asset criticality, and threats themselves to deliver a rich view for security analysts.
Context XDR sifts through comprehensive vulnerability and exploit insights for a threatened asset’s OS and for third-party apps, to discover misconfigurations and end-of-life (EOL) flags. This is more reliable than risk-scoring based on how OS-patch statuses relate to common vulnerabilities. Context XDR is also capable of policy-driven automation of criticality assignments. XDR is the ideal example of how automation and having the right data at the right time, such as threat intelligence, can lead to an empowering information ecosystem. Security teams can prevent and mitigate events that may otherwise have led to cautionary tales. Advanced XDR solutions can take data wherever they find it, including from third-party solutions within the technology stack. Context XDR’s ability to combine data from multiple sources into coherent views that show risk, priority, and threat intelligence side by side is a significant step towards eliminating false positives and alert fatigue.
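The following is an added illustration, not Qualys code or any product's logic: a small policy-driven triage over a constructed asset inventory that surfaces the control gaps discussed under the false sense of security (disabled EDR, end-of-life software, long-available patches) and ranks findings by asset criticality and exploitation status so the riskiest items come first. All asset names, vulnerability identifiers, weights and thresholds are constructed assumptions.

```python
"""Constructed example: inventory-driven control-gap checks and risk ranking.
All records and the weighting policy below are invented for illustration."""
from dataclasses import dataclass, field


@dataclass
class Vuln:
    vuln_id: str          # constructed identifier, not a real CVE
    cvss: float           # base severity score
    exploited: bool       # threat-intel flag: known exploited in the wild
    patch_age_days: int   # days since a fix became available


@dataclass
class Asset:
    name: str
    criticality: int      # 1 (low) .. 5 (crown jewel), assigned by policy
    edr_enabled: bool     # is the endpoint agent actually running?
    eol: bool             # OS or application past end-of-life
    vulns: list = field(default_factory=list)


def control_gaps(assets):
    """Assets whose installed controls give a false sense of security."""
    gaps = []
    for a in assets:
        if not a.edr_enabled:
            gaps.append((a.name, "EDR agent disabled"))
        if a.eol:
            gaps.append((a.name, "end-of-life software, no future patches"))
    return gaps


def score(asset, vuln):
    """Policy: CVSS weighted by asset value, boosted by exploitation, patch age, gaps."""
    s = vuln.cvss * asset.criticality
    s *= 2.0 if vuln.exploited else 1.0
    s *= 1.5 if vuln.patch_age_days > 30 else 1.0   # fix long available, still open
    s *= 1.5 if (not asset.edr_enabled or asset.eol) else 1.0
    return round(s, 1)


def prioritise(assets):
    """Return (score, asset name, vuln id) tuples, highest risk first."""
    ranked = [(score(a, v), a.name, v.vuln_id) for a in assets for v in a.vulns]
    return sorted(ranked, reverse=True)


INVENTORY = [  # constructed sample inventory
    Asset("db-prod-01", 5, True, False, [Vuln("VULN-001", 9.8, True, 120)]),
    Asset("kiosk-lobby", 1, False, True, [Vuln("VULN-002", 7.5, False, 400)]),
    Asset("dev-laptop-7", 2, True, False, [Vuln("VULN-003", 9.1, False, 3)]),
]
```

Run on the sample inventory, the exploited flaw on the crown-jewel database ranks first even though the lobby kiosk has the most control gaps, which is the kind of context an analyst cannot get from CVSS alone.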
Innovate in peace
Poor visibility, overconfidence, and a lack of automation. Taken together, these can be catastrophic and provide the perfect breeding ground for cyberattacks. The sophistication and resourcing of bad actors appear to be outpacing those of their victims, especially when it comes to skillsets. But forewarned is forearmed. Knowing the stumbling blocks between investment and tangible returns allows CISOs and CIOs to make stronger business cases for control of their systems, and to steer investments towards the resources needed to do something useful with that control. No more blindness, no more false confidence; just a safe digital estate where people innovate in peace.