Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/8/2020
09:00 AM
By Earl Matthews, Maj Gen, (Ret), Vice President of Strategy, Mandiant Security Validation
By Earl Matthews, Maj Gen, (Ret), Vice President of Strategy, Mandiant Security Validation
Sponsored Article
100%
0%

Why Now Is the Time for Security Validation

With tight budgets and a cybersecurity skills shortage, companies need a process, risk framework, and platform to continuously measure, optimize and rationalize security investments.

Did you know…

  • 53% of attacks successfully infiltrated without detection?
  • Only 9% of alerts are sent to the SIEM?
  • 65% of the time, CISOs are unaware that an attack could bypass their defenses?

Do you know what these statistics mean for your company, or how secure your assets are and what value you’re getting from your security investments? The data comes from the Mandiant Security Effectiveness Report 2020, A Deep Dive Into Cyber Reality, which shares findings from an evaluation of enterprise production environments across 11 global industries. The report reveals that despite a steady growth in security spending, organizations operate under the assumption that they are protected from cyber threats when in fact, most companies will be breached -- or already have been but they don’t know it.

This happens for many reasons, but most frequently because:

  • Security tools have not been properly configured or have regressed over time,
  • There are gaps in security protocols,
  • The IT environment is overly complicated, or
  • Security teams do not always have visibility to changes made to the IT infrastructure -- which is catastrophic, as one small change in the network can cause environmental drift to security.

This is clearly problematic from a security standpoint but it also means companies are investing in security and not getting the intended value. In today’s economic climate, businesses can’t afford to spend money on technology that doesn’t perform as expected. This was the case before Covid-19 struck, but now, with economic uncertainties and companies needing to cut costs, the mandate has become clear: CISOs and CFOs must work together in new ways to answer the age-old question “Are we safe from attacks?” with quantifiable metrics and proof. How well they do this may very well determine the financial future of the company.

Security Validation: Reduce Risk While Optimizing Performance 
What I’m talking about is the need for CISOs and CFOs to validate performance of their security investments. Validation is about measuring the effectiveness of a security program across technology, people, and processes to determine if an organization is getting value from their security spend. It’s also about aligning the security stack with desired business outcomes -- be it cutting costs, reducing risk or strengthening the brand, particularly when measured against the threats most likely to target the business.

This is not easy. Most organizations today have between 30-70 security tools, which lends to IT complexity and overlapping controls. Sure, companies are doing everything they can to maintain a strong security posture. But spending millions of dollars without knowing how well each control is performing or how to optimize each point solution for a particular IT environment is not an effective strategy.

To properly validate security performance, companies need a process, risk framework, and a platform to continuously measure a company’s security effectiveness, validate security performance, and financially rationalize cybersecurity investments. This process and framework cannot be a one-time process. Continuous vigilance and validation must be the new normal in order to protect against the acts of cyberhackers and respond to IT infrastructure drift, and unforeseen acts of nature. Three key steps must be taken:

  1. Assess to understand the relevance of threat intelligence and exposure to a likely attack and establish a baseline of the effectiveness of a company’s current cyber security program.
  2. Optimize to ensure that effectiveness is maintained, if not increased, once gaps and shortcomings are addressed or changes to the organization’s risk profile are established.
  3. Rationalization of financial value and costs means attaching financial value to cybersecurity effectiveness in order to justify spend, reduce costs and eliminate duplication and waste  while simultaneously maintaining or increasing security effectiveness in key areas: executive communications, remote working protocols, and customer data protection. Financial rationalization can demonstrate the alignment between the efforts of the cybersecurity technology stack, policies, and people with the desired outcomes, priorities, costs, and risk profile of the company.

I will be hosting a webinar on this topic, Validate Security Performance to Rationalize Investments, as part of the FireEye Virtual Summit at 4pm ET on June 11, in which I will discuss the need for rationalization of security investments and outline key steps to strengthen your security posture and minimize cyber risk. (To register for the webinar visit here.)

Without data-driven evidence of security performance, companies stake their brand reputation and financial performance on assumptions that simply don’t match reality. Only by validating the effectiveness of security controls through automated data measurement, optimization and rationalization can a company maximize protections and minimize risk across the entire business.

To learn more about the FireEye Virtual Summit, or to register, click here.

About the Author

Earl Matthews, Maj General (Ret)
VP Strategy, Mandiant Security Validation
Major General Earl Matthews USAF is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead large-scale, diverse, global organizations that operate, extend, maintain and defend global networks. He has earned a reputation as a motivational leader and change agent focused on delivering technical innovations that resolve complex challenges.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14499
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials.
CVE-2020-14501
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the information of the user table, including the administrator credentials in plain text. An attacker may also ...
CVE-2020-14503
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper input validation vulnerability. Successful exploitation of this vulnerability could allow an attacker to remotely execute arbitrary code.
CVE-2020-14497
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code.
CVE-2020-14505
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper neutralization of special elements used in a command (“command injection�) vulnerability. Successful exploitation of this vulnerability may allow an attacker to send a HTTP GET or POST request that create...