How to Build an Economically-Driven Cyber Defense Strategy
There still lingers an undeserved mystery around cyberattacks. A romantic mythology born in the 1980s of a “rebel with a modem,” preserving freedom of information or simply hacking to prove that they can.
Today, a few hackers may be ideologically motivated, but the majority of attacks are financially-driven crimes. This is seen most clearly in the rise of ransomware; no mystery, just pure and simple extortion.
And consider the latest victim of choice, the healthcare industry, sacrosanct in most people’s eyes but merely a lucrative, vulnerable target to cybercriminals. As such, cybercrime follows the economic rules of any business – reward must outweigh costs – and should be confronted on those terms.
Cybercrime by the Numbers
Today, the numbers overwhelmingly favor attackers and the bar has been lowered to the point that almost anyone can enter a life of cybercrime.
A standard ransomware campaign could earn an attacker a 1,425 percent ROI, according to a report by Trustwave. This is in large part thanks to the explosion of Exploit Kits (EKs) – toolkits with packaged exploit codes – and other black market malware that puts sophisticated attack techniques into criminals’ hands for a fraction of the cost of the potential payout.
Commercial crimeware can be purchased for as little as $500 a month. For an extra fee, customers can even rent “crypting services” to make the malicious software harder to detect.
As with any SAAS product, more sophisticated packages are available for a higher price. Some exploit kits come complete with built-in distribution channels, technical support and are updated regularly with newly discovered vulnerabilities.
The most advanced kits even include features to detect when they are executing in a virtualized environment, polymorphic evasion tactics and other sophisticated anti-detection techniques. And although the cost of more sophisticated crimeware-as-a-service packages is upwards of $10,000 a month, it’s still far less than companies spend to deal with a breach.
The 2016 Ponemon Cost of Data Breach Study found that the average cost of a data breach is now $4 million, up 29% since 2013. And this does not take into account the costs to businesses of attempting to prevent such breaches – the money spent on patching system vulnerabilities, installing layers of technical equipment, and handling all the false positives or negatives that these technologies alert about.
According to Gartner, worldwide information security spending will reach $81.6 Billion in 2016. How can organizations raise the cost for attackers significantly enough to deter the crime, without incurring crippling security and operational costs?
Early Prevention for Minimized Costs
The 2016 Ponemon study also found that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve. While breaches that were identified in less than 100 days cost companies an average of $3.23 million, breaches that were found after the 100 day mark cost over $1 million more on average ($4.38 million).
Unfortunately, the majority of breaches are found well after this critical period: The average time to identify a breach in the study was 201 days, and the average time to contain a breach was 70 days.
Stopping an attack early also lowers the payoff to its perpetrators. Fewer systems infiltrated, less data and/or intellectual property exfiltrated, more time and resources required to find and successfully penetrate new targets.
Realizing this, enterprises keep adding more security layers and more personnel to manage them in an attempt to keep attackers out. But this just swings the economics towards the attackers. Organizations’ costs keep going up, criminals’ costs keep going down, and despite all the security layers, APTs, zero days, and known attacks on unpatched systems still often manage to get through.
The Smarter Security Stack
The most secure and economically sound approach is to stack the optimum, rather than maximum, complementing security technologies. This proposed new cybersecurity stack should balance traditional and innovative approaches while always keeping benefit, risk and operational load in mind.
Applying the Pareto principle to risk mitigation — 20% of the invested input is responsible for 80% of the results obtained — can help judiciously build a nimbler, less bloated, less costly, less distracting stack.
Endpoints are the first line of cyber defense and the place most often compromised - more than 70% of successful breaches originate on the endpoint, according to IDC Research. At a minimum, an optimal endpoint stack should start with effective and efficient prevention.
This cannot be anti-virus alone. Even the most sophisticated “next-gen” anti-virus must make decision on whether to allow or block a file, and therefore is necessarily limited to its detection logic whether that be based on heuristics, signatures, reputation lists or machine learning. They also are completely insufficient to prevent file-less intrusions.
Rather than rip and replace with New Gen products (let’s admit it, it will take years to throw AV out), could the stack be addressed differently?
Despite these flaws, anti-virus is still the most efficient prevention for run-of-the-mill malware. Rather than replacing it, one could augment AV with new memory protection and exploit prevention technologies.
For example, Moving Target Defense uses counter-deception techniques to change the attack surface—in memory in particular—so that attackers can’t find their target. This method has proven to be very effective against advanced and targeted attacks, complementing anti-virus prevention.
Other components could be added according to some unmet critical (rather than incremental) risk mitigation need, with the goal of bringing the widest range of protection with the least cost and business disruption. Businesses that are attacked frequently may want to add EDR and sandboxing techniques, especially given that malware is most likely already in their network.
The result is a lean, economical stack with fewer agents to maintain, a lower level of compatibility issues, less CPU drain, fewer false alerts and lower remediation costs. Such a stack is not only cost-effective it makes the organization more costly and less rewarding to attack.
By changing the economics of attacks – making the cost of attack higher than the gain – cybercriminals will take their business elsewhere.
(About the author: Ronen Yehoshua is the co-founder and chief executive officer of Morphisec, with more than 20 year of technology management and venture capital experience.)