Attacks/Breaches

4/11/2018
11:55 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

CISO Conundrum: Multiple Solutions Harden Posture but Create Alert Fatigue

BUCHAREST, Romania/SANTA CLARA, Calif., April 11, 2018 – Bitdefender, a leading global cybersecurity technology company protecting 500 million users worldwide, today announced the results of its latest survey, showing that more than half of CISOs worldwide (61 percent US) are worried about a global skills shortage. Sixty-nine percent of respondents around the globe also reported that their team is under resourced, with more than half of respondents in all markets but Italy reporting that their IT security team is too small. Seventy-two percent of information security professionals admitted that their IT team experienced agent and alert fatigue, and 34 percent of US respondents said their budget could not accommodate infrastructure expansion.

The Bitdefender survey explores CISOs’ needs in the prevention-detection-response-investigation era and reveals how the lack of visibility, speed, and personnel affects the development of stronger security practices in companies with both over-burdened and under-resourced IT teams. The survey polled 1,050 people responsible for purchasing IT security within companies in the US and Europe.

Half of the CISOs surveyed worldwide admitted their company was breached in the past year, but one sixth of those respondents don’t know how the breach occurred. Fifty-five percent of US respondents had experienced an advanced attack or malware outbreak. One quarter of all respondents expect this issue to continue, and think their company is likely to face an ongoing security breach without them knowing it. Using existing security tools, US CISOs believe 61 percent of advanced attacks can be prevented, detected, and isolated, but anticipate it would take four weeks to detect any such attack—the highest average amount of time of any market surveyed.

With the global cost of cybersecurity breaches expected to reach $6 trillion by 2021, analysts have seen companies’ security spending start migrating from prevention-only approaches to focus more on detection and response. Gartner expects that spending on enhancing endpoint detection and response (EDR) capabilities will become a key priority for security buyers through 2020.

Better tools needed for rapid detection and response

CISOs agree that prevention is faulty, but investigation is a burden. EDR capabilities can provide improved detection and response approaches to prolific security incidents, and using automation can help to address the global shortage of cybersecurity professionals. Specifically, EDR tools best fit resource-strapped businesses with lean IT teams that operate without a Security Operation Center (SOC). However, half of IT executives worldwide said that managing EDR tools is difficult or very difficult. In both the US and UK, 49 percent of all endpoint alerts triggered by monitoring and response techniques turned out to be false alarms. Sixty-four percent of Americans in companies with no SOC said monitoring activities are one of their toughest challenges. Spotting an ongoing breach also means fighting alert fatigue caused by noisy traditional security solutions. It’s a race against time when filtering security alerts, which can be especially difficult if the organization is understaffed and overburdened. Forty-three percent of US respondents, and one third of respondents across all markets, said that lack of proper security tools is the main obstacle that prevents rapid detection and response during a cyberattack.

Time is of the Essence

On average, 82 percent of security professionals in Europe and the US say that reaction time is a key differentiator in mitigating cyberattacks. CISOs attest that time is of the essence when isolating the incident to prevent spreading (68 percent), identifying how the breach occurs (55 percent), and evaluating losses and the impact of the breach (51 percent). CISOs agree that delayed response to a cyber incident can also make it harder to accurately identify the initial time of attack and assess the timeframe (30 percent), understand the motivation for the cyberattack (19 percent), or improve the incident response plan for future attempts (17 percent).

 “Today’s resource- and skill-constrained IT security teams need an endpoint detection and response (EDR) approach that allows for less human intervention and a higher level of fidelity in incident investigations,”Bitdefender’s VP of Enterprise Solutions Harish Agastya said. “EDR for everyone can be achieved through a funnel-based approach of prevention-detection-investigation-response, leaving the EDR layer to focus on threats further down the funnel in the unknown or potential threat category, and IT teams to focus solely on the alerts and tasks that are truly significant.”

Bitdefender security specialists strongly advise enterprise CISOs consider: the importance and value of an integrated prevent-detect-investigate-respond-evolve approach to endpoint security.

  • Prevent: block all known bad and a high percentage of unknown bad at pre-execution layer itself, without saturating the EDR analytics engine with unnecessary incident alerts
  • Detect: supported by built-in intelligence from threat protection engines and analysis of a stream of behavioral events from an endpoint event recorder
  • Investigate: aided by contextually relevant information on the class of threat that is detected (via the built-in intelligence), the reason of detection (via threat analytics), and ultimate verdict (via an integrated sandbox).
  • Respond: via a single pane of glass incident response interface that enables tactical remedial actions immediately and widely across the enterprise.
  • Evolve: enables the feedback loop from current detection to future prevention via in-place policy tuning and fortification.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: White Privelege Day
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17282
PUBLISHED: 2018-09-20
An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
CVE-2018-14592
PUBLISHED: 2018-09-20
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
CVE-2018-15832
PUBLISHED: 2018-09-20
upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI ha...
CVE-2018-16282
PUBLISHED: 2018-09-20
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI.
CVE-2018-16752
PUBLISHED: 2018-09-20
LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.