May 31, 2020
 
validating cybersecurity

The awareness of the cybersecurity threat has skyrocketed in recent years. That has translated into explosive growth for the cybersecurity market. From a size of only $3.5 billion in 2004, the global market exceeded $137 billion in 2017 and is forecast to reach $248 billion by 2023.

Despite those billions being spent, most organizations cannot empirically prove that the solutions they have purchased are actually working. To an amazing degree, cybersecurity effectiveness is judged by assumptions rather than validated by data. Many organizations believe their security investments are effectively protecting critical assets and data, when in fact they have already been breached.

This is borne out by a new report released by Mandiant Security Validation, formerly Verodin and now owned by FireEye. Titled “A Deep Dive into Cyber Reality,” the report highlights a dangerous disconnect between assumptions and reality when it comes to validating cybersecurity effectiveness.

Compiling data from more than 100 production environments, the report states that 53 percent of attacks conducted were successful in penetrating the security infrastructure without the organization’s knowledge. And of the remaining 47 percent that were not successful, only one quarter were actually detected! Some other sobering findings:

  • Only four percent of reconnaissance activity generated an alert in the organization’s Security Information and Event Management (SIEM) platform
  • On average 80 percent of security tools are misconfigured and underutilized at default settings
  • 48 percent of the time, controls in place were not able to prevent or detect the delivery or movement of malicious files
  • Data exfiltration techniques and tactics were successful 67 percent of the time in initial testing
  • 97 percent of the behaviors executed did not have a corresponding alert generated in the SIEM

FireEye has set up a page with more test results, podcasts and a link to download the report.

Senior technology leaders in government and private sector organizations need to adopt a new mindset. They need the ability to continuously monitor, measure, and manage cybersecurity in an automated way. This approach offers empirical evidence about the effectiveness of security controls, rather than simply making assumptions based on default configurations or security vendor promises. With validated performance data, it is also easier for IT to justify additional funding for better cybersecurity.

Validating cybersecurity effectiveness should be as empirical for the CISO as reporting total assets is for the CFO. Until that happens, online attackers will continue to have the upper hand – no matter how fast the cybersecurity market grows.


 
