The increase in ever-more complex data breaches and ransomware attacks is seeing the CISO bring the subject of cybersecurity to the boardroom. It’s a proactive stance to provide adequate defences, rather than a reactive move to counter a detected breach.
However, this all comes at a cost, and with The Economist suggesting that a global recession in 2023 is inevitable, justifying any big investments is going to be even harder. Budgets will be coming under increasing scrutiny.[1]
The cybersecurity industry itself adds to these challenges with its expanding range of individual cybersecurity vendors and technologies, coupled with a lack of suitably knowledgeable staff.
The result is that it is vital for CISOs to be able to offer cybersecurity solutions that integrate with other applications, are easy to deploy and provide cyber protection – whilst offering value for money and ROI.
Going into 2023 there will be areas that CISOs need to defend to protect their funding, areas that need to be streamlined as they are either out of date or cash-heavy; and finally, the priority areas where investment is vital to the ongoing security of an organization.
Areas to Defend: Critical Apps, Cloud Security and Breach Detection
Organisations should continue to invest in solutions that protect the end customer, in the protection of critical infrastructure, and in cloud security tools. As we know, it is a case of when you will be attacked and not if, so the final area for protected spend is breach detection.
API security. APIs are well-known and highly visible doorways into an organisation’s data and business processes. Often, they lack adequate security safeguards and are a prime attack target. Traditional security tools such as WAFs (web application firewalls) and bot management solutions are expanding to cover API attacks, but they depend on easily evadible detection, and lack the real-time ability to discern good from bad API activity. They are also reliant on static, least common denominator protection spread across multiple technology components. Unified API protection is now offering protection across the entire API risk surface.
“API security incidents are on the rise with attackers finding exploitable errors as defined in the OWASP API Top 10 and targeting gaps in business logic. One of the more recent API security attacks was against Optus Telecom where the malicious actor was able to retrieve the personal information by exploiting several exploits listed in the OWASP API Security Top 10 list. Much like previous API security incidents that have made the news, the attacks have a significant impact on the business bottom line.”
Matt Keil, Director of Product Marketing, Cequence
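As an added illustration of the kind of business-logic gap the paragraph above refers to (this is example code, not from the article or from any vendor it quotes), the block below shows the most common item in the OWASP API Security Top 10, Broken Object Level Authorization, as a vulnerable lookup beside its hardened form. The in-memory order store, the `Order`/`NotFound` names and the handler functions are hypothetical stand-ins for an HTTP endpoint; the denied-access audit list is there because a unified API protection layer needs exactly this signal to tell good from bad API activity.

```python
"""Object-level authorization on an API endpoint (hypothetical example).

Two versions of the same "GET /orders/{id}" handler, modelled as plain
functions: one trusts the client-supplied id alone (OWASP API1:2019,
Broken Object Level Authorization), the other binds the lookup to the
authenticated caller and records denials for the SOC.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str          # authenticated principal that placed the order
    total_cents: int


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


# Constructed sample data: two customers, one order each.
ORDERS = {
    1001: Order(1001, "alice", 4999),
    1002: Order(1002, "bob", 1250),
}

# Constructed audit trail of refused cross-owner lookups (caller, order_id).
# In production this would go to the SIEM; a burst of entries for one
# caller across many ids is the detection signal for id enumeration.
AUDIT_LOG: List[Tuple[str, int]] = []


def get_order_insecure(caller: str, order_id: int) -> Order:
    """Vulnerable: returns whatever object the id names, ignoring the caller.

    Authentication happened upstream, but authorization never did, so any
    logged-in user can read any other user's order just by changing the id.
    """
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id)


def get_order_secure(caller: str, order_id: int) -> Order:
    """Hardened: the object must exist AND belong to the authenticated caller."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        if order is not None:
            # Real object, wrong owner: worth recording for detection.
            AUDIT_LOG.append((caller, order_id))
        # Same response for "does not exist" and "not yours", so the endpoint
        # does not confirm which ids are valid.
        raise NotFound(order_id)
    return order


def is_denied(caller: str, order_id: int) -> bool:
    """Helper for checks: True if the hardened handler refuses the lookup."""
    try:
        get_order_secure(caller, order_id)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    print("insecure, bob reading alice's order:", get_order_insecure("bob", 1001))
    print("secure, bob reading alice's order denied:", is_denied("bob", 1001))
    print("secure, alice reading her own order:", get_order_secure("alice", 1001))
    print("audit entries:", AUDIT_LOG)
```

The point a WAF cannot see is that both requests are syntactically identical and fully authenticated; only the ownership check inside the application knows that the second one is wrong, which is why the audit entry has to be emitted by the endpoint itself.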
Bot management solutions. Legitimate bot traffic is a necessary part of the Internet and organisations want to detect and allow good bot traffic. However, in 2021 over a quarter of total internet traffic was bad bots.[2] Bot management solutions can protect web applications, mobile applications, and APIs from bots targeting applications and systems. They do this by actively profiling traffic to determine intent and applying protection techniques such as delaying, blocking, or misdirecting traffic from bad bots.
Threat intelligence. As organisational attack surfaces get bigger and more complex, it is vital that businesses can understand and protect them. Threat intelligence needs to be treated as integral to other functions rather than as standalone, allowing you to prioritise and filter alerts and other threats.
“In the world of cybersecurity, advanced persistent threats (APTs) and defenders are constantly trying to outmanoeuvre each other. Data on a threat actor’s next move is crucial to proactively tailoring your defenses and preempt future attacks.”
Kurt Baker, Senior Director of Product Marketing, CrowdStrike
Zero Trust Access. The recent increase in remote workers has created a requirement for robust network access controls, as VPN solutions no longer provide the required level of security, owing to outdated methodologies for network connectivity. Zero Trust Access, combined with software-defined perimeters, provides an agile and flexible solution for secure remote access, regardless of location. Whether resources are on-prem, in the cloud, or part of a hybrid architecture, they are accessed based on policy, allowing for discrete control of who or what can access a particular asset.
“Zero Trust architectures are the most powerful and practical way to increase safety and reduce risk for industrial cyber-physical processes.”
Jens Meggers, Executive Chairman, Mission Secure
“As Zero Trust implementations increase, and breaches continue to leverage compromised accounts, more and more focus will be placed on privileged access management [and] MFA hardware tokens.”
Harold Byun, Chief Product Officer, AppOmni
Multifactor authentication (MFA). Although the use of passwords alone is declining, it’s hard to completely eradicate. Despite its limitations and vulnerabilities, it’s also simple, cheap, and easy to implement, so security teams are increasingly depending on MFA. MFA is a simple and higher-value security technology that organisations can deploy to minimise the risks of password-based attacks, whilst keeping your cybersecurity strategy aligned to Zero Trust principles. Although passwordless authentication technologies are emerging, it is MFA that offers the most widely deployed protection.
“Phishing attacks in 2022 saw a massive increase in the use of non-email-based phishing techniques … To gain control of users’ accounts despite MFA verification, attackers launched MFA fatigue attacks, bombarding users with authentication requests and fake, official-looking login pages. SIM-swapping attacks – transferring a mobile phone account and phone number to a new SIM card under the attacker’s control to impersonate the victim to send or receive SMS, phone calls, messages, and MFA verification codes – skyrocketed in 2022.
Integrating token and biometric factors into MFA procedures and educating employees about these new phishing techniques are two potential strategies organizations may adopt to increase resilience.”
Dave Klein, Cymulate
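The MFA fatigue pattern described above (a user bombarded with push challenges until one is approved) is something a SOC can detect from the identity provider’s own logs. The block below is an added example written for this article, not code from Cymulate or any other vendor quoted here. It assumes a constructed log format of one JSON object per line with the fields `ts`, `user`, `event` and `src_ip`; real IdP exports use different field names and would need mapping into that shape first. The sample lines are constructed.

```python
"""Sliding-window detection of MFA push-fatigue bursts (added example).

Assumed input: one JSON object per line, in chronological order, with keys
  ts      ISO-8601 UTC timestamp
  user    account the push was sent to
  event   one of mfa_push_sent / mfa_push_denied / mfa_push_approved
  src_ip  source of the login attempt that triggered the push
Field names are assumptions for this example, not a real vendor schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

# Constructed sample: alice is pushed six times in four minutes, denies five,
# then approves the sixth; bob logs in normally.
SAMPLE_LOG = """\
{"ts": "2023-01-10T08:00:01Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T08:00:20Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T08:00:40Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T08:00:55Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T08:01:15Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T08:01:30Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T08:02:00Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T08:02:20Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T08:03:30Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T08:03:45Z", "user": "alice", "event": "mfa_push_denied", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T08:04:10Z", "user": "alice", "event": "mfa_push_sent", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T08:04:25Z", "user": "alice", "event": "mfa_push_approved", "src_ip": "203.0.113.7"}
{"ts": "2023-01-10T08:05:00Z", "user": "bob", "event": "mfa_push_sent", "src_ip": "198.51.100.4"}
{"ts": "2023-01-10T08:05:12Z", "user": "bob", "event": "mfa_push_approved", "src_ip": "198.51.100.4"}
"""


def parse_line(line):
    """Parse one JSON log line and convert ts into a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {user: finding} for users who received at least `threshold`
    push challenges inside any sliding `window`.

    A finding counts total pushes, explicit denials, and whether an approval
    followed the burst (the case where the user finally gave in), which is
    the event that should page someone rather than just raise a ticket.
    """
    recent = defaultdict(deque)  # user -> timestamps of pushes in the window
    stats = defaultdict(lambda: {"pushes": 0, "denied": 0,
                                 "burst": False, "approved_after_burst": False})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        s = stats[user]
        if event == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop pushes older than the window
                q.popleft()
            s["pushes"] += 1
            if len(q) >= threshold:
                s["burst"] = True
        elif event == "mfa_push_denied":
            s["denied"] += 1
        elif event == "mfa_push_approved" and s["burst"]:
            s["approved_after_burst"] = True
    return {u: s for u, s in stats.items() if s["burst"]}


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(SAMPLE_LOG.splitlines()).items():
        print(user, finding)
```

Tune `threshold` and `window` to the organisation’s normal push volume before alerting on it; the useful high-fidelity signal is not the burst itself but `approved_after_burst`, and the IdP-side mitigation the quote alludes to (number matching, hardware tokens, push rate limits) is what removes the pattern rather than just detecting it.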
SOAR and SIEM. Rapidly evolving threats have overwhelmed legacy rules-based SIEM solutions. While the collection of data is important, SIEM solutions tend to produce more alerts than SecOps teams can respond to effectively. SOAR provides orchestrated processes and automation to give better visibility, improved detection, and enhanced workflow. Adding SOAR to SIEM enables the security team to handle alert loads quickly and efficiently, which frees up staff for more skills-based tasks and results in a higher-performing SOC.
Crisis response simulations and proactive purple teams. Cybersecurity crisis response simulations need to be more expansive than those generally conducted by IT, including directors and leadership teams in the process, and should run everyone through exercises that simulate a breach or ransomware scenario. Purple teaming is a collaborative effort between offensive (red) and defensive (blue) security teams. This allows the ‘defenders’ to validate defenses, identify gaps, find weaknesses, and learn how adversaries attack and adapt.
Areas to Reduce: Standalone Solutions, Managed Security Services and Legacy, On-Premises Networking
It is not just the IT environment itself that is proving to be complex. Compounded by additions of shadow IT from the many ‘as-a-service’ options, it is often surrounded by dozens of standalone security applications and controls, many of which are not cloud-native.
Standalone security solutions. When each system works independently, it cannot interact with any other system and is managed and monitored in isolation, resulting in slow and cumbersome operation. Generally, more operators are needed to interact with the higher number of user consoles. Each system will have its own network infrastructure, which needs to be managed and secured separately. Integrated systems can utilise the same network infrastructure, thereby reducing hardware and providing additional information for investigators.
Managed security services providers. Many MSSPs have become little more than alert factories, sending standard alert messages that provide no context, do not actively respond to threats, and do not assist in decision-making. Many are moving to managed detection and response (MDR), which offers both threat detection and response.
Legacy, on-premises network security technologies. Security professionals used to rely on technologies that protect the physical boundaries of legacy infrastructure and on-premises hardware. With applications moving to the cloud, and users shifting to a hybrid work model, this antiquated solution set no longer provides adequate protection. CISOs should turn to XDR and Zero Trust Access.
Areas to Invest: Threat Insight, Detection, And Response, Plus Privacy Tech For AI
Budgets are going to be squeezed but we still think it is important to be investing in these areas:
Software supply chain security. Supply chain solutions are typically complicated multi-element systems. Almost all companies use various third-party and open-source software for business functions like engineering, marketing, and customer success. As a result, IT and security teams must monitor and manage all the changes to this complex web of software and are often dependent upon third-party providers to ensure the security of the code.
Open-source code creates unique challenges, for example, developers often rely on open-source code when creating third-party supply chain solutions. This makes it almost impossible for security teams to identify potential vulnerabilities in those applications. The wholesale shift of applications to the cloud has also contributed to third-party risk and supply chain vulnerabilities. The 2020 SolarWinds attack is a prime example of a devastating, downstream supply chain attack. Many organisations are turning to MDR as well as more specific supply chain solutions.
“Business leaders are quickly becoming aware of the implications of supply chain vulnerabilities. Driven partly by new compliance requirements, executives are tasking their IT and security teams to find and implement effective threat detection and response solutions.”
Eldon Sprickerhoff, Founder and Advisor, eSentire
Managed detection and response (MDR). MDR solutions usually include an element of EDR but the management is outsourced on an ‘as-a-service’ basis. This removes the need for additional staffing, especially important given the global shortage of highly skilled cybersecurity professionals and the related skills gap. This can be useful for organisations struggling to find or retain talent.
Extended detection and response (XDR). Whereas EDR focusses solely on endpoint security, XDR, as its name suggests, ‘extends’ to cover cloud and networks, and collects and correlates data from across the infrastructure so it can improve threat visibility across the entire enterprise. Many organisations are moving from EDR to XDR. An XDR solution analyses, prioritizes and streamlines this data, meaning it can be delivered to security teams in a normalized format through a single, consolidated console. However, analyst Allie Mellen explained in a recent Forrester report that “good XDR lives and dies by the foundation of a good EDR”, confirming that a solid EDR base is vital.[3]
“MDR is a service, not a tool. XDR is the tool and that’s why it’s critical to make MDR outcomes more effective.” “When you have confusion over MDR and XDR, it’s no surprise that the industry is having a hard time evaluating threat investigation capabilities.”
Tia Hopkins, Field CTO and Chief Cyber Risk Strategist at eSentire
Attack surface management (ASM). ASM takes the attackers view of your total attack surface, both known and unknown. In short, it is everything outside of the firewall that attackers can and will discover, even if you don’t know it exists. It is particularly useful for organisations suffering from application sprawl via shadow IT, as identification of digital assets is a fundamental part of robust threat intelligence. It can greatly reduce the risk of data breaches and data leaks. Attack Surface Management gives you that total visibility so that you can monitor and manage your attack surface with confidence.
Breach and attack simulation (BAS). BAS is a way to gain real-time visibility and continually validate your security. With simulations organisations can launch comprehensive, production-safe, and constantly updated attacks that assess the efficacy of your defenses against ransomware, credential abuse and DDoS attacks, to name but a few.
“The ubiquitous digitization of businesses, the rise in volume and frequency of nation-state cyber-attacks, and the increased attractivity of cybercrime – particularly ransomware – increased awareness and anxiety among executive management, resulted in an escalating interest for proactive measures, which translates into a rising demand for automated and continuous security testing techniques.”
Carolyn Crandall, Chief Security Advocate and CMO, Cymulate
Matt Parker, Babble CEO, concludes:
“Today’s CISOs face a constant juggling act with increasing pressure on IT budgets and the need to justify spend. At the same time, the rise in sophisticated cyber attacks makes it vital for businesses to invest in bolstering cyber resilience. Making the right decisions on tooling and services will prove pivotal for cybersecurity success in 2023.”
If you would like to know more about how Babble can protect your organization whilst making the most of your budget, please contact us on 0845 625 9025.