It’s time again for our Midyear Cybersecurity Report (MCR), providing updates from Cisco security researchers on the state of security from the first half of the year. The 2016 MCR supplements the 2016 Cisco Annual Security Report published in January with mid-year analysis and insights on the evolving trends and threats across the industry. It also offers valuable guidance on what you can do to be more secure. Time is the resounding theme throughout the 2016 MCR and a pivotal factor in how we protect our businesses, our assets, and ourselves.
This report’s Cybercrime Spotlight is on ransomware, as this specific threat is becoming more widespread and potent. Our adversaries focus more than ever on generating revenue, and now deploy ransomware to target enterprise users in addition to individuals. These direct attacks are becoming increasingly efficient and lucrative, generating huge profits. Our security researchers calculate that ransomware operating out of a single provider may net our adversaries nearly $34 million annually. That’s a significant industry, and it’s time we improve our odds to handle this type of attack.
The 2016 MCR also shows how the advances in malicious tradecraft, questionable network hygiene, and conflicting geopolitical perspectives all play a role in this unstable and evolving landscape. We see malware originating from various sites around the world, and attackers quickly shifting their operations from region to region to stay one-step ahead. We see multinational businesses facing uncertainty as governments grow increasingly concerned about the challenges of keeping pace with technological change, understanding threats, and controlling access and data. And we see governments sending contradicting signals by creating legislation and requirements that may limit and conflict with international commerce, secure technology, privacy law, and trustworthy public-private partnerships.
The Challenges We Face
Today’s asymmetric attacks are outpacing responses. Attackers’ innovative methods of exploit, persistency, shifting tactics, and ability to operate on a global level create an ominously complex and moving target. Our research shows that adversaries are now exploiting vulnerabilities in encryption, authorization, and server-side systems, using ‘malvertising as a service’ to infect web users, well as tampering with secure connections like HTTPS. This final example alone has users thinking incorrectly that their connections are secure, leading to a false sense of security and making it increasingly difficult to determine if a connection has been compromised.
It’s really quite simple: the more attack vectors that go unnoticed and the longer we allow attackers’ time to exploit our systems and infrastructure, the greater their chance for success. It’s on us to close that opportunity.
What are the current industry estimates to detect attacks? 100-200 days and that’s entirely unacceptable. When given days, weeks, months ─ or longer ─ to infiltrate and exploit our systems and infrastructure, attackers simply enjoy too much unconstrained time to operate and do harm.
Patching? Really? It’s 2016!
The key to undermining our adversaries’ success is reducing their Time to Operate, that is, the time it takes to identify and exploit vulnerability before defenders can detect and stop it. We’re seeing exposure in unpatched systems and outdated devices provide considerable time for bad actors to operate. Many vendors do the right thing by providing timely notifications, fixes, and distribution of vulnerability patches. Yet findings show that users often don’t update their systems, a failure of the basic ‘blocking and tackling’ tactics of a secure enterprise.
Our goal? To accelerate Time to Secure – a combination of Time to Patch (TTP), which is the gap between when vendors announce public vulnerabilities and when users patch, and Time to Detect (TTD), the gap between an attack and an organization’s ability to respond. These key indicators can enable defenders to hone in on the techniques that constrain attackers and force them to change strategies.
Do You Know Your Median Time to Detect?
You need to… and work hard to close that window of opportunity. Cisco is committed to reducing our median TTD, and our results speak for themselves. We’ve cut ours significantly from more than 2 days over a year ago to just over 8 hours this April, with a median detection of less than 14 hours. We will continuously strive to trim our median TTD further, and recommend for other companies to measure and track their own improvement over time.
Measurement is key, but it needs to be the right measurement. As the report shows, organizations that try to improve threat detection and incident response by relying on indicators of compromise (IOCs) – and not true threat intelligence – are actually doing little to improve their security posture.
Time for a More Secure Future
As you can see, attackers and defenders are locked in an arms race in which the bad guys are racing to expand their Time to Operate and the good guys strive to accelerate their Time to Secure.
So what can we start doing today that will get us to a better tomorrow? Here are three recommendations; the report offers more:
- Reduce attackers’ Time to Operate – Employ a ‘first-line of defense’ such as patching, password management and segmentation to impede lateral movement and propagation
- Accelerate your Time to Secure – Measure and strive to reduce your median Time to Detect ongoing
- Improve your network hygiene – Improve IT hygiene by upgrading aging infrastructure and systems, patching quickly, and consistently backing up your data
For those who believe they are not a target – stop thinking that way. We all need to identify, constrain, and work to close the opportunity and operational space of attackers. This is critical as there’s no time like the present to improve our security. Time is certainly not on our side, and we need to act now before time runs out.
To learn more about this vital research and the necessary steps you can take to protect your business, your assets, and yourselves, download and read the Cisco 2016 Midyear Cybersecurity Report. Let us know what resonates with you and how we can help.
Useful reminder/info. It allows those who are not in the security business in particular to bring up the right questions to those who are…
Thanks Claire-Juliette Lutten-Beale – we are trying very hard to produce useful information that we can all use!
great summary with clear call to action for our customers.
Love working with you Ken – you’re a great leader, and you’ve put security front and center in your market as we work to help our customers together!
John can you provide some more color on how Cisco is measuring time to detection? What data points are you gathering to come up with the measure?
Danny, absolutely. We use netflow (with Cisco Lancope), DNS, the IDS/IPS systems, CiscoAMP, scan data, asset inventory systems, RedSeal, just to name a few. It’s a huge set of data in an organized and queryable data lake, and then its regularly queried with playbooks” at least once a day – and playbooks are added/removed as needed for efficacy.
hope that helps!
Very informative conent. Proud to see Cisco leading the Security space!
We agree Priya, and we know it will take hard work to continue to help our customers – we’re all in!
I shudder to think of pervasive IoT/IoE, opening up even more avenues for exploitation by professional hackers (groups, countries, etc.). Cyber wars and organized hacking are becoming the weapons of the internet era.
It’s our role in life to increase the usefulness and reduce the exposure IoT is here, it’s not going away, and so we simply must design it and build into it as much as possible to make our lives better. Easy? No. But required.
it very usefull
Veenu – glad it was helpful!