According to 2015’s Black Hat Attendee survey, the gap between the top threats that organizations face and the areas into which investment, technology, and defensive capabilities are being built is growing.
Specific, targeted attacks and spear phishing top the list of concerns for the 460 top-level security experts surveyed for the report — and tellingly, only 26% of the same group reported that investments were being made into these areas.
Given that spear phishing and sophisticated attacks account for more than 90% of all breaches, this failure to build real-time, accurate, actionable detection and remediation capabilities is a significant problem.
Most information security teams spend the majority of their time on the least significant threats.
According to the report, “application flaws across the enterprise consume a great deal of time for the IT staff, yet are seldom considered the greatest threats.”
Underlying this point is a more fundamental one: lack of time to spend on proactive defense is one of the most significant problems facing most organizations’ information security teams. Consider Frost and Sullivan’s recent report on the state of the industry: the average team spends 85% or more of its time remediating known threats.
This misalignment is nonetheless a significant source of risk for these organizations. Patch management, internal code testing, perimeter firewalls, and cloud workload security are all critical components of a robust security stack, but targeted attacks that focus on compromising user accounts, using those credentials for east-west movement and privilege escalation, and exfiltrating sensitive data must be a focus of an effective defense in depth strategy.
Targeted attacks and spear phishing are the highest risks, but are rarely detected.
“Security pros are not spending their time and budget in a manner that is commensurate with their concerns about current threats.”
Even a cursory review of the breaches that have hit the news in 2015 so far reveals that the absence of strong “left of exploit” capabilities — technology and solutions that can identify early stage attacks while they are still at the spear phishing, account compromise, and privilege escalation stage — results in data loss.
From healthcare companies to the federal government, it is clear that traditional security solutions are necessary but, absent early stage, proactive detection and defense, simply can’t prevent a breach.
The challenge here is that the traditional solutions to this problem are equally failing to keep up with today’s threat landscape. SIEM platforms, log aggregation, and incident response can’t find these earliest-stage threat vectors — the spear phishing and account compromises that lead to full exploit, often flying under the radar of most other tools. Absent comprehensive situational awareness, it takes weeks or even months to detect and respond to data loss, if it is ever found at all.