Enterprises misaligning security budget, priorities

Some companies continue to spend on older technology, leaving gaping holes in their network.

Page 2 of 3

Not surprisingly, when vendors were asked which security technologies were being underspent, they quite often cited the market their own product occupies.

Todd Feinman, CEO at Spirion, said many budgets still carry at least a small line item for security solutions that reflect older, outdated methodologies. One example is traditional Data Loss Prevention (DLP), which is designed to block sensitive data in motion on the network.

“This approach is very focused on the perimeter and has not stopped data leaks consistently because it does not solve the root cause of the data loss problem – which is workstations and servers storing at-risk sensitive data. This traditional DLP approach is also error prone because it trades off accuracy in the form of false positives to achieve necessary perimeter data scanning speed,” he said.

Newer approaches emphasize using technology to discover where sensitive data lives – data that, if leaked, would cause reputation and/or financial damage. Sensitive data discovery solutions can also be complemented by automated classification solutions to tag data so it persistently identifies itself as confidential. Leveraging the discovery results ensures accurate classification without human involvement. Newer content management and endpoint protection solutions can then block confidential classified data with extremely high precision and help employees and organizations understand, control and protect their data better.
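As an added illustration of the discovery-plus-classification approach described above (example code written for this page, not Spirion's or the article's own): a minimal at-rest scan over constructed sample files that looks for card-number-shaped data, applies a Luhn check to drop the pattern-only false positives the text warns about, and tags each file so it identifies itself as confidential. File paths and contents are made up.

```python
import re
from typing import Dict, List

# Constructed sample content standing in for files found on a workstation or
# file share; the paths and values are made up for this example.
SAMPLE_FILES: Dict[str, str] = {
    "hr/payroll-export.csv": "name,card\nA. Example,4111 1111 1111 1111\n",
    "eng/build.log": "job id 1234567890123456 finished in 42s\n",
    "sales/notes.txt": "quote ref 4000-0000-0000-0001, no card data here\n",
}

# Candidate PANs: 13-16 digits, optionally separated by spaces or dashes,
# and not embedded inside a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that real card numbers satisfy; arbitrary digit runs usually fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str, validate: bool = True) -> List[str]:
    """Return digit strings that look like card numbers; Luhn-filter them when validate is set."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(files: Dict[str, str], validate: bool = True) -> Dict[str, str]:
    """Tag each file 'confidential' if it holds a PAN, otherwise 'internal'."""
    return {path: ("confidential" if find_pans(body, validate) else "internal")
            for path, body in files.items()}


if __name__ == "__main__":
    # Pattern-only scanning tags all three files; the Luhn check keeps only the real one.
    print(classify(SAMPLE_FILES, validate=False))
    print(classify(SAMPLE_FILES))
```

The same validation step is what lets classification run without a human reviewing every hit; a pattern-only pass would tag the build log and the sales note as confidential.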

Ron Winward, security evangelist at Radware, said organizations feel that protecting data-at-rest is the most effective way to prevent a breach, yet it’s what they spend the least amount of money on. But are organizations really forsaking data-at-rest protection when they spend on network and endpoint solutions? Not exactly, he said.

Breaching an endpoint is a perfect way into a network, where once you’re in, your activity is masked to look like it’s coming from what are usually trusted IP addresses, he said. Endpoint security continues to be a critical part of protection strategies.

Network-based protection is also critical, but what has changed over the years is the level of protection that you can get, he said. First, anything at a perimeter that can dynamically track behaviors — including encrypted sessions like SSL/TLS — is a critical aspect of protection, especially as the majority of internet traffic moves to encryption. But these devices are also starting to include data and other multi-threat protections in them — even at the border.

There is also a tremendous amount of end-of-sale/end-of-life security equipment in the field, which organizations are refreshing now. The difference, though, is that many of the new devices going in, like Next Generation Firewalls (NGF), would be classified as “network” devices, but are also capable of doing other services. Another obvious place to protect data-at-rest is with a Web Application Firewall (WAF) that can be placed in front of public-facing servers (or via cloud) and dynamically watch for misbehavior that can lead to breaches.

“When you break it down, there are many data-at-rest protections built into devices that might be classified as network or endpoint solutions. And buyers are concentrating spend here because they’re getting more for their dollar,” Winward said. “As organizations decide where they spend their budget, network devices like perimeter protection and/or WAF could still be the best solution because of those advancements. But the key is that the solution needs to be behavioral in order to properly protect them. Attackers are creative and the only way to stay ahead of changing threats is with behavioral, algorithmic responses.”

Layering more and more of the same type of products at the gateway does not incrementally increase the level of protection simply because traditional security products operate much the same way, eventually causing the costs to outweigh the returns on investment, Taylor said.

He continued that many corporations believe that the only alternative to traditional antivirus is sandbox technology, which can be expensive, resource hungry and difficult to manage in terms of threat reporting, as well as easily compromised.

“If border and desktop protection is failing, what’s the alternative? Cyber threats are not going to go away, we are dealing with a new frontier that is agile, well-funded, highly skilled, and for all intents and purposes, ‘only has to get it right once’ to compromise an enterprise,” Taylor said.

Rich Campagna, vice president of product at Bitglass, said Mobile Device Management (MDM) is one area where companies are spending on outdated security solutions. Current MDM tools are a good fit for managed devices, but changes in employee behavior and the move to cloud apps have led to the popularity of bring your own device (BYOD) programs. Control-oriented MDM tools have limited applicability for BYOD, primarily because of employee privacy concerns and the complexity of deployment.

John Michelsen, CPO at Zimperium, agrees that a focus needs to be placed on mobile. “Mobile is a clear area of vulnerability and yet many companies don't budget appropriately for mobile security until they are exposed to the reality of the threat.”

He said there is still a misconception that MDM will stop a hacker; in practice it restricts your own employees, not the attackers.

“Many of our customers have started by deploying zIPS [Zimperium's mobile intrusion prevention system app] into a pilot group to gather data on how vulnerable, at risk they really are. Once the lights are turned on and they see the reality, they quickly find budget and deploy to the rest of their devices,” he said.

Compliance is to blame

Security budgets are often closely tied to compliance and risk analysis that place too much emphasis on outdated sets of controls, said Jason Luce, CEO and co-founder, ScaleFT. “We know this because every week we read about another major incident in the news where it was likely that rubber stamp compliance was in place. IT departments within these companies who are actually responsible for implementing security measures are well aware that the world has changed around them, but are stuck checking off compliance boxes.”

Malik notes four approaches to security spending:

  1. Benchmark-driven (i.e., what is everyone else doing?)
  2. Compliance-driven
  3. Metric-driven
  4. Evidence-driven

“There is no right or wrong security product investment strategy. However, companies should identify the risk they can believe in, then find the evidence that they are addressing those risks, ideally with a security platform that can address a multitude of risks in one offering, as opposed to investing in a separate point solution to address each individual risk,” Malik said.

Kris Lovejoy, CEO at BluVector, said there is a shift away from data-at-rest solutions because the market is fragmented. CISOs are tired of buying “silver bullets” that not only don’t work as advertised, but completely “disable” business innovation. Anyone who has been on the other end of the “innovation vs. security” discussion knows who wins. This, combined with the reality that “compliance” is no longer an excuse on which you can write a business case, means data security has become decidedly unsexy, she said.

With compliance also comes a call from the boardroom to follow standards and stay within budget. Taylor said business leaders need to accelerate the process of addressing cyber risk in the boardroom while applying proper management procedures as to how they will manage risk going forward. Among other things, this will involve setting a ‘new baseline’ for defense.

“They will need to fill the gaps in security at a new level, not more of the same layered security at the border, including ensuring the security of documents, which are the lifeblood of a company and the biggest threat vector for malware, particularly ransomware threats,” he said.

ThreatConnect CEO Adam Vincent said one culprit of this issue is the lack of communication, or fragmentation, between cybersecurity tools. While it can take mere minutes for an adversary to compromise a network, it can take an organization days, weeks, or more to detect it due to security tools not accurately and efficiently communicating.

“To reduce fragmentation and close the detection gap, companies need to focus their security investments into uniting people, processes and technologies in one place. Intelligence-driven cybersecurity platforms make this possible by eliminating silos, while also ensuring that threat intelligence information is shared efficiently between tools and teams to improve response times and even predict attacks.”

What you should do

It is not necessarily about buying one type of tool vs. another, but more about making sure that all tools serve the purpose of reducing risk, and that they are comprehensively implemented across the organization, said Mike Donaldson, solutions specialist at Bay Dynamics.

“Oftentimes, tools are selected for technical prowess, but without an eye towards how they fit together in the ecosystem to protect the business. Similarly, even tools purchased with the best of intentions are left only partially implemented because of organizational changes, technical or political hurdles, or good old inertia,” he said.

There is not a “one size fits all” recommendation for the effectiveness of existing security tools and controls, what tools should be implemented next, or what controls can have exceptions. Therefore, purchasing decisions must be made based on the relationship of business objectives and security posture, what assets have the highest business criticality and value, and what mitigation is needed to make sure those assets are not compromised in light of existing threats and vulnerabilities.

He adds that companies should focus on ensuring that their current security tools are maximized for value and effectiveness. Often security tools sit in silos, each one producing outputs that separately paint a very different picture of residual risk and security posture across individual assets and across business units. This makes it very difficult for security teams to quantify risk and prioritize alerts, incidents and findings. Companies need to bring their security tools together and translate the information coming from them into one picture that explains their most significant risks and the actions that reduce that risk exposure.

“Ultimately, all the fundamental security tools are needed. However, what’s most important is to leverage a risk-based approach against business objectives to determine what order to implement the tools, what level of protection is necessary by asset criticality and value, and then taking measures to normalize the information outputs of disjointed tools and group them by specific risks so that a centralized and comprehensive view of cyber security posture is available and real-time residual risk can be tracked and managed,” he said.

Eisenberg stressed the importance of endpoint security. “Security doesn't begin and end at the office. It doesn't matter if you have the best network security systems and practices in place if that laptop or smartphone is taken home or on the road and has potential for compromise.”

He advises organizations to spend more on advanced malware protection, with a heavy focus on cloud security, third-party risk management, endpoint security, and identity and access management. A holistic solution — from program to product to implementation and beyond — is the key to a better security program.

Enterprises should make maintaining and keeping up with their current core infrastructure the priority, said Chris Camacho, chief strategy officer at Flashpoint. Companies should start with networking equipment and ensure no products are end-of-life or no longer supported. Where they are, replacement of those devices should be prioritized and the devices should not remain in use. After ensuring core network equipment is covered under maintenance, pay the vendor what is required to bring the license and support up to date, and apply all patches and upgrades.

After taking a network inventory, do an architectural assessment of what you currently own. Is it time to look at next-generation firewalls? Do a cost analysis of current devices and spend, and determine whether managing a single vendor that provides multiple defense-in-depth services would save money in the long run, he said.

451 says to look for data security tool sets that offer services-based deployments, platforms and automation, which reduce usage and deployment complexity while adding a further layer of protection for data.

Most companies don’t really understand how hackers operate and haven’t quantified their risks or how secure they are, said Guy Bejerano, co-founder and CEO of SafeBreach. “As a result, they keep buying new security products that they believe will protect them from advanced threats. In fact, some financial organizations have a 'no vendor left behind' policy where they select multiple vendors providing the same security technology, presumably to increase the odds of success.”

Instead of a “product-centric” security strategy, what organizations need is an “adversary-centric” strategy, he said. By understanding the hacker’s perspective, motivations and techniques you can continuously validate whether the security controls in place can actually stand up to the most likely breach scenarios.
