Security, Networking Collaboration Cuts Breach Cost

CISOs report increases in alert fatigue and the number of records breached, as well as the struggle to secure mobile devices in a new Cisco study.

RSA CONFERENCE 2020 - San Francisco - The security team, instead of operating in silos, can lower overall post-breach costs if it collaborates with other teams across the organization.

Cybersecurity is still a top priority for executive leadership, researchers say in Cisco's "2020 CISO Benchmark Report." The survey of 2,800 IT decision-makers reveals key trends and pain points as companies face issues such as alert fatigue, mobile security, and private cloud security.

Ninety percent of respondents agree business executives have created clear metrics for assessing the effectiveness of a security program. Time-to-detect ranks highest as a key performance indicator (KPI); however, for reporting to the C-suite or board, time-to-remediate is equally key because it represents the total impact of an incident: downtime, records affected, cost of investigation, lost revenue, lost customers, lost opportunities, and out-of-pocket costs.

Organizations reporting more than 100,000 records compromised in their most severe breach grew from 15% in 2019 to more than 19% in 2020. A major incident has the greatest effect on business operations (36%), followed by brand reputation (33%), finances (28%), intellectual property (27%), customer retention (27%), and supplier relationship (26%), researchers found.

Alert fatigue is a major issue when you consider the number of security products cluttering enterprise environments. There is a gradual trend to reduce complexity through vendor consolidation, with 86% of businesses using up to 20 vendors, and only 13% using more than 20. In 2019, 15% of companies used more than 20 vendors; in 2018, that number was up to 21%.

"We're starting to see this move toward fewer consoles and move toward greater collaboration with other teams," says Wolf Goerlich, advisory CISO with Duo Security (now under Cisco). "CISOs who act on those two trends have better outcomes for the organization."

As companies consolidate their vendor use, they voice a greater challenge to handle the tools they have: 28% feel managing a multivendor environment is "very challenging," up from 20% in 2017. More than half (53%) feel it's "somewhat challenging" and fewer (17%) say the process is easy. "My team is stretched beyond the capabilities for which they can be effective," says Ben Munroe, director of product at Cisco, of common customer concerns.

Respondents who report alert fatigue are more likely to struggle in a multivendor environment: Of those who claim fatigue, 93% receive at least 5,000 alerts per day. The share of companies receiving 5,000 or fewer alerts per day dropped from 50% in 2017 to 36% in 2020; during the same time frame, the share receiving 100,000+ daily alerts grew from 11% to 17%.

Network, Security Collaboration Cuts Costs
More than 91% of respondents say their networking and security teams are "very" or "extremely" collaborative; collaboration between endpoint and security teams is also high, at 87%. This trend can have financial benefits in the aftermath of a breach. In 2020, 59% of companies that say they are very/extremely collaborative between networking and security teams experienced a financial impact under $100,000 for their biggest breach, the lowest category offered for breach cost.

"A lot of it has to do with dwell time: How do we detect what's going on in our environment; how do we remediate what's going on in our environment," Goerlich explains. "To detect, you have to have a really solid understanding of what's going on in our networks and the cloud infrastructure we're plugged into."

And who better to detect than the subject matter experts? The networking team has a better understanding of the environment; as a result, team members know what's typical and what isn't. "There's a reduction in time to detect because they understand what normal looks like, so they can help us understand what abnormal behaviors are," he continues.

The networking team can also help stop threats. When a security operations center analyst spots an event, good practice usually means the analyst does not pull the affected equipment themselves. Instead, they hand the case off to the subject matter experts, and the networking team takes over quarantine, remediation, and cleanup.

"When you have those tight collaborations, you can say, 'This is what we see, this is what needs to happen,' and the handoff is much smoother," Goerlich says.

Key Concerns: Unpatched Vulnerabilities, Private Cloud
Forty-six percent of businesses report a security incident caused by an unpatched flaw, up from 30% in last year's study. Of those that suffered a major breach due to an unpatched bug, 68% suffered data loss of 10,000 records or more — significantly more than the 41% that lost the same amount due to breaches from other causes.

Mobile security is another key concern for this year's study: 52% of respondents say mobile devices are now "very" or "extremely" challenging to defend. Half of respondents say the same about securing private cloud infrastructure, and 41% say the same about securing network infrastructure.

Building on Data: Cisco SecureX Launch
Alongside the release of its "2020 CISO Benchmark Report," Cisco today launched a new security platform, SecureX. It is meant to connect Cisco security products with the tools already in an enterprise's infrastructure, improving visibility across endpoints, applications, networks, and cloud. The idea is to provide a single view of threat detections and policy violations in one place.

"Fatigued organizations, an overwhelming number of alerts, a need for automation [are] directly reflected in the way we have brought SecureX to market," says Munroe.

SecureX can scan data and traffic from Amazon Web Services, Microsoft Azure, and Google Cloud, along with private data centers. Security operations teams can share context with IT operations and network operations to create and strengthen security policies across workflows, facilitating the level of collaboration that can potentially drive down the cost of an incident.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...