Mandiant recently released its M-Trends 2014 cyber security report, which contains a fair bit of analysis of the cyber security landscape, the top trends for 2014, and the conclusion that cyber security problems are here to stay, yet far too many organizations are unprepared for the inevitable breach.
My take on the trends:
- Faced with Data Breach Fatigue, the public is now demanding to know whodunnit, and to whom they dunnit, but most organizations are struggling with disclosure, let alone knowing that they are hacked. Can you believe that the average number of days for an organization to know that it's been attacked is 205 days? Or the fact that 69% of breaches were reported to the target organizations from an external source?
- Best blog comment I read after the Anthem report: "Well, this Anthem breach is just in time! My free credit protection account from the Target breach was just about to expire". Joking aside, retail is the most attacked segment, with over 1,000 businesses breached. But one does wonder whether retail simply has better disclosure than the rest of the industry, and hence trends higher.
- Symantec's Senior Vice President for Information Security came out last year in a WSJ interview saying anti-virus is dead. The Mandiant report confirms just that. No surprises here. Most of the victims' anti-virus did nothing to detect Mimikatz, a popular open-source post-exploitation tool. Now here's the kicker: if security software completely fails to detect a piece of attack software whose source code is out in the open, what are the odds of it having any hope against zero days or closed-source malware?
- We all instinctively knew that malware is malware and that all forms are bad for an organization. Turns out the lines are getting blurrier between nation-state attacks and financially motivated cybercrime. First it was Regin, then it was QWERTY, and then it turned out they were the same. That is partly why the whodunnits get harder to pinpoint.
I personally like the highlighted sentence in the conclusion:
As cyber security goes mainstream, organizations should consider data breaches in a new light—not a source of fear and shame but a business reality. They should anticipate and confront security incidents with confidence. That boldness requires a new approach to cyber security.
I'd say a new approach to cyber security is well overdue, but perhaps from a different perspective. As the man from Symantec said, "antivirus is dead". That's pretty significant given that nearly all security technologies today are essentially antivirus by another name: they all ultimately try to tell the good from the bad. That's clearly not working. If organizations with so-called cutting-edge security products take an average of 205 days to figure out they are breached, the takeaway is that we've got to get smarter about eliminating malware altogether, not just invest more time and resources in post-breach detection technologies.