In 2014, it seemed that no industry went unscathed. The data breaches this year were broad and deep. Software maker Adobe was hit for 152 million records. Online marketplace eBay was drained of another 145 million; Bank and financial services firm JP Morgan Chase 76 million; retailers Target and The Home Depot for another 70 million and 56 million records, respectively. There were numerous healthcare breach disclosures as well, such as at Community Health Services, which lost records on 4.5 million patients.
The attackers are getting creative and they are costing businesses big. In its October earnings call, eBay cited its data breach as one of the primary reasons for dramatically lower third quarter revenue growth. Earlier in October, security vendor Invincea released information on how attackers are targeting organizations in the defense and aerospace industry through highly targeted malicious advertising.
Despite it being yet another year of staggering data breaches, and as you’ll see later from the 12th annual Global State of Information Security Survey 2015 conducted by PricewaterhouseCoopers and CSO, these breaches are costing enterprises more – and information security budgets aren’t keeping up with the threat. In some cases, they even have fallen slightly. It’s as if security teams manage to make a small foothold against cyber attacks one year, and the next year they slide back.
2014’s big cyber chill
Financially motivated breaches aren’t all that continued to make their mark this year. International espionage-related hacking remained big in the headlines. Notably, the US government took unprecedented action in May when a Pennsylvania grand jury indicted five members of the Chinese military on felony hacking charges.
While largely lauded as a bold step, not everyone cheered the move. “This is probably the worst thing we could have done,” said retired Lt. Col. William Hagestad II, author of the book Operation Middle Kingdom: China's Use of Computers & Networks as a Weapon System, in our story published earlier this year. “When we place them on the same wanted posters as jihadists and terrorists, we say that we don’t understand them and are out of ideas. And if there was any relationship building in place, it was castrated with this dumb action,” he said.
The result of that indictment played heavily, Hagestad contended, into the chilling of the trade ties between the US and China this year. Audi, GM, Volkswagen, and companies in the tech sector “are all now being investigated for fraud or malfeasance because of that [indictment] action,” he said.
Executives take notice
The cybersecurity headlines and data breaches are having an impact on perceptions of security by executives. “Especially when executives see the fallout at the executive level,” says Kenneth Swick, information security officer at Citi Group. “I am seeing higher budget allocations, and from the additional recruitment activity across industries I am absolutely certain that financial sectors are responding to all of this breach news.”
All of this makes the previous optimistic cybersecurity convictions in last year’s Global State of Information Security Survey annual survey, covered in our story Security spending continues to run a step behind the threats, look overly hopeful in comparison. In last year’s survey, a surprising 84 percent of CEOs and 82 percent of CIOs stated that they believed that their cybersecurity programs were currently effective. Even 78 percent of CISOs expressed confidence in their programs.
With record setting breaches and the confidence of many most certainly shattered, 2014 is certainly a year that will be noticed in the cybersecurity history books.
An infrastructure remains at risk, breach incidents and costs rise
It seems that the very applications that help to keep the Internet secure and running revealed a number of deep crinkles this year. In April, a significant security flaw dubbed “Heartbleed” became publicly known. The flaw resides within the OpenSSL cryptography library and makes it possible to steal data from vulnerable systems. That flaw was shortly followed in September by Shellshock, another large vulnerability. Shellshock, a set of flaws uncovered in the popular Unix Bash shell, makes it possible for attackers to execute commands of their choice on target systems. Another flaw, POODLE, resides within the dated SSL 3.0 protocol, and makes it easier to steal user cookies and then potentially use that advantage to conduct further attacks.
The relentless hammering of new software vulnerabilities, the increasing sophistication of attackers, and misplaced optimism from previous years are all taking their toll. The reality is that more enterprises saw even more encroachments onto their networks, with the number of detected incidents rising to 42.8 million this year. That’s an increase of nearly 50 percent from the prior year. In fact, since 2009, the annual growth rate of detected incidents has risen 66 percent.
For larger enterprises, the financial losses associated with these incidents are also up. Large companies experienced a rise of 53 percent in related costs. Mike Rothman, an analyst at the IT security research firm Securosis, says the rise in costs largely come down to regulatory mandated expenses associated with breaches – and larger enterprises tend to have many more records compromised than their small and midsized counterparts. Midsized organizations experienced a slower, but still a sizable, bump with a 25 percent increase in incident costs.
Security budgets flat, security analytics hot
Remarkably, IT security budgets are flat, even down in some areas, this past year. That result is causing some scratching of heads. “The drop in budget may not be an actual drop in real dollars, but an accounting shift,” says Javvad Malik, an analyst at the 451 Group. That accounting shift could be related to enterprise refresh cycles, which would make the dip a temporary blip, or it could be due to the lower costs associated with cloud, virtualization, and employees increasingly bringing their own devices. ”That's going be the long tail that's going to carry on for a number of years. We've seen a lot of investments move away from on-premise, and overall you may see a broad reduction of IT budgets,” Malik says.
Brian Honan, CEO at Dublin, Ireland-based BH Consulting, agrees. “A greater adoption of cloud computing for enterprise applications and projects is the first reason,” Honan says. “This is moving many large IT projects away from being solely IT budget items to items shared with business units,” he says.
But data need to be comprehended to be useful. “The issue is not how much data you are getting, or how you look at data in new ways, but how effective is the information you get and how can you act on it? Pretty visualizations and pie charts don't protect your systems. Good actionable information does,” says Honan.
One thing is certain: as more data is spread through on-premise clouds, mobile devices, and third-party providers, CISOs are going to need all of the information about how their data are being used, who is accessing them, and where they’re going as they can get their hands on.
The rush to data-driven security
Perhaps the rising costs of breaches, the increasingly high profile of information security, and better insight from security-related data will have a positive impact on how enterprises successfully defend and respond in the years ahead. Many certainly are pinning more on increased insight through data. This year (the first time the survey question was asked), 64 percent of respondents reported that they use big data analytics to improve their security programs. And for those that do use big data analytics, 55 percent said that it can help in detecting incidents.
Malik isn’t convinced that those results are reflective of the real-world use of big data analytics – certainly not as it’s broadly defined. It’s clear, however, that businesses of all sizes are using data more. They are reading their logs more. They are turning to their security information and even monitoring tools, and they’re looking at the data they are collecting in a more intelligent way.
Given that broad definition of security analytics, it’s accurate to contend that anything from basic log analysis to intrusion-detection event alerts and up through sophisticated big data analytics fall under the umbrella of “security analytics” by many. Yet, Rothman argues that most enterprises heading down this path have yet to reach a level of maturity where their security data analytics efforts are improving their operational effectiveness. “I just don't think that many of these companies have figured out how to leverage those data more effectively. But they are certainly trying. That is clearly an area of increased investment in the industry,” says Rothman.
Doing data right
How do enterprises do better with data? The solutions are straightforward, but not necessarily simple. “There are two approaches to figuring out what is happening in your environment. One is threat modeling. You determine what your valuable data are to potential adversaries. Determine the ways those adversaries could potentially get to those data. When that’s complete, build a threat model around it and enumerate the monitoring analytics that are in place to look for those specific attacks,” says Rothman.
The other approach is to baseline enterprise activity. There are tons of security-rich data within traffic logs and netflows; there are application and database logs; there are transaction data; there are authentication and logon data. Baseline these data, Rothman advises. “Then constantly look for anomalous situations that deviate from that baseline.” But it’s not just about raw data collection, of course. “The issue is not how much data you are getting, or how you look at them in new ways, but how effective is the information you get and how can you act on it? Pretty visualizations and pie-charts don't protect your systems; good actionable information does,” says Honan.
Most of the experts interviewed suggest that enterprises also continue to expand the systems and types of data monitored. “If you are only using events from a certain type of device, start adding more events. If you are not using full back-capture, then start doing that. If you are not pulling end-point level telemetry, then that would be another area to start thinking about,” says Rothman. “What you want to do is start building out a broader collection environment. This will give you the ability to start looking for patterns based upon a more inclusive and broader data set,” he says.
Regardless of the level of enterprise maturity with security analytics efforts now, security technologies will have analytics capabilities built in soon. Gartner predicts that by 2020, 40 percent of enterprises will have built a purpose-built security data warehouse. “By storing and analyzing the data over time, and by incorporating context and including outside threat and community intelligence, patterns of "normal" can be established and data analytics can be used to identify when meaningful deviations from normal have occurred, the research firm predicted earlier this year.
That type of data analytics integration with security platforms would certainly be welcome. Perhaps that pervasive availability of security analytical tools will help solve what Citi’s Swick says is one of the biggest challenges security pros have when it comes to having too much data with too little actionable insight. “Many CISOs are implementing SIEMs because that's what they're supposed to do. They don’t understand enough about what it is that they are undertaking,” says Swick.
Improved analytics toolsets could certainly help security teams to not only understand more about the data they collect – and the risks that events actually pose to the business – but also what to do about pressing threats and attacks much more swiftly than they do today. That most certainly would be a big and welcome step forward.