Automation is the key to mitigation of today’s cyber threats

I recently ran across an article titled “Cisco Report Finds Organizations Relying on Automated Cyber-Security.” It got me thinking about what we are doing these days and must continue to do in this area.

The report is Cisco’s 2018 annual cyber security report, which showed that cyber criminals are increasingly evading security technology with encryption.  Cisco used survey data from 3600 CISO’s to complete the report. Some facts worth noting; 36 % of companies stated they rely on automation to mitigate cyber threats. According to Cisco’s analysis of over 400,000 malicious binary files, approximately 70 percent made use of some form of encryption. The report stated that defender sandboxes are even being defeated.

Flashback: I still remember in 1997, the OS was Windows NT 4 and the Word Concept Macro Virus damaged Normal.DOC templates or hackers simply defaced a web site, versus the advanced persistent threats now used to target and take whatever the adversary wants.  We have come a long way!

Long before advanced antivirus, when I was systems admin for the Shuttle Space program, we used Microsoft SMS (Systems Management Server) to deploy a new virus signature update monthly. Can you imagine? We are now doing real-time updates!  

The good news is that, during all these elevated threats, many organizations are now relying on automation, as well as machine learning and artificial intelligence, for their cyber-security operations.

“If you want to make use of a lot of security data quickly, you have to make use of a fair amount of automation,” according to Martin Roesch, Chief Architect in the Security Business Group at Cisco. Roesch also noted that more organizations are using more products from more vendors than ever before.

Regarding the use of technology to mitigate cyber threats, Ira Winkler states in his recently published book, Advanced Persistent Security:

“We address the arrogance within the industry that believes that implementing advanced technologies is the best way to improve security programs.  Rather we must look at a much higher level to carefully evaluate our business sectors place in the threat landscape and map real world threats our business will encounter considering the Protection, Detect and Respond model as it applies to the cyber kill chain.”

The bottom line here is to look at the real risk to your business and its data. One size doesn’t fit all. For example: We would not apply the same security controls to a public school district as we would to the NSA. Both have unique threats and one is public and one concerns national intelligence and it’s not so public. Both have different assets, and each will be targeted by various groups for different reasons.  

What types of systems are targeted? Devops is developing non-hardened systems fast. Among the different types of security concerns analyzed in the annual Cisco report is the issue of exposed development systems. Franc Artes, architect in the Security Business Group at Cisco, said that devops servers – including MongoDB, CouchDB, Memcache and Elasticsearch – were left wide open by organizations in 2017, enabling potential attackers to easily extract information.

Cisco’s 2018 report also examined the issue of cybersecurity alerts and how organizations respond to them. Cisco found that 93 percent of organizations had at least one security alert in 2017, and only 56 percent of alerts were investigated. Of the 56 alerts that were investigated, Cisco reported that only 34 percent were considered to be legitimate.

Receiving alerts is one thing. Being able to detect real threats is another.

A key metric that Cisco tracks for itself is the time to detection (TTD) for threats. “In 2016, Cisco reported that its annual median TTD for new threats was 14 hours. That figured improved significantly in 2017, dropping down to 4.6 hours.”

Cisco is very focused on the time to detect malware with their technology. All of this helps Cisco improve its cloud-based systems to collect more data and learn faster, narrowing the gap between cybercriminals once again. At least for the moment.

The final recommendations from Cisco’s 68-page report are:

• Regular patching to mitigate known threats
• Review and practice security response procedures
• Testing restoration procedures
• Regular data backups are also good security best practices

Overall, Cisco’s advice is for organizations to be more prepared for security incidents before they happen with proper testing and policies.