Cybersecurity validation to tackle threats that can go unnoticed

June 16th, 2020 | by Alfred Siew
PHOTO: Mabel Amber from Pixabay

With businesses rushing to provide access to remote workers in recent months, one big challenge that has come up is cybersecurity. Many old practices simply don’t work any more with the new arrangement.

One response is to throw more solutions at emerging problems, including more VPN (virtual private networking) ports for more users or adding another Web application firewall.

Perhaps what’s more important is knowing if one’s existing cybersecurity solutions are actually working as advertised, according to a growing number of experts, who are championing a relatively new practice called cybersecurity validation.

After all, businesses continue to get attacked despite more defences being put up. Fifty-five per cent of attacks infiltrate businesses unnoticed, while 68 per cent of ransomware attacks also go unnoticed, according to a FireEye report out last month.

To arrive at the results, the cybersecurity vendor ran thousands of tests across 11 industries, from real attacks to specific malicious behaviours, on network, e-mail, endpoint and cloud solutions.

What it found was worrying. The 123 security technologies it tested against could only detect 4 per cent of reconnaissance activity and could not prevent data from being stolen 67 per cent of the time.

While businesses continue to invest significant budget dollars in security controls and assume they are fully protected, a majority of the tested attacks successfully infiltrated their production environments without their knowledge, according to the report.

In many cases, businesses may be running solutions “out of the box” and have not set them up to work correctly, said Steve Ledzian, FireEye’s chief technology officer for Asia-Pacific.

Different groups in a business, such as developers, IT teams and cybersecurity teams, may also be changing, say, firewall settings without having full visibility of what is going on, he told Techgoondu in a recent interview.

But will adding yet another technology solution – cybersecurity validation – help businesses that have already installed dozens of solutions to keep out the bad guys? Well, its proponents think so.

After all, the majority of businesses in the United States have no idea if their security tools are working, according to a report released last year by AttackIQ, another validation solution provider.

The study, carried out by Ponemon Institute last year, found that 58 per cent of the companies surveyed were increasing their cybersecurity budgets but 53 per cent of IT experts admitted they did not know how well the tools they had deployed were working.

“When processes and solutions like this fail, many companies respond by throwing more money at the problem,” said Larry Ponemon, founder and chairman of Ponemon Institute, in a news report on Help Net Security.

“Further security spending needs to be put on hold until enterprise IT and security leaders understand why their current investments are not able to detect and block all known adversary techniques, tactics and procedures,” he added.

While penetration tests and bug bounties are useful, these are usually only carried out periodically, perhaps not more than a few times a year. Using the same experts in these exercises may also expose the testing to familiar patterns and leave other loopholes undetected.

What cybersecurity validation does is to carry out tests more regularly, for example, to detect different types of attacks from reconnaissance to infiltration.

For example, a validation tool will send data from one point in a network to another, then ask a security control whether it saw the activity. If the security control reports that it has not blocked the activity, then a human operator can fix these controls.

With these tests automated and run continuously, they can offer a much clearer and more timely view of how vulnerable a business is, despite the many cybersecurity solutions it has in place.

FireEye’s Ledzian said that this has resonated with many chief information officers and chief information security officers (CISOs), who are now often called to board meetings to explain how well prepared a business is to ward off attacks.

Like chief financial officers who can give a quantifiable, measurable answer on a company’s financial health, CISOs can now use the validation results to offer a quantifiable answer on how secure the company is from cyberattacks, he noted.
