Information sharing over how breaches happen and what needs to be done to stop them must happen, and if necessary regulatory structures will have to be set up in the same way that the aviation industry investigates crashes.
That's according to Trey Ford, global security strategist at Rapid7 and a trained pilot, who says that only by forensically investigating all major breaches – in much the same way as the aviation industry learned early in its history to investigate aircraft crashes – will the IT industry get to grips with its cyber-security problem.
In this exclusive interview, recorded at the London offices of SCMagazineUK.com, Ford explained how this approach helped the aviation industry develop the safety protocols that make flying arguably the safest mode of transport.
He also suggests that the cyber-insurance industry will help to “drag the industry kicking and screaming into the daylight,” as claims get rejected and shareholders want to know why. Ford says, “Statisticians will come back with clear actuarial data, just like, seat belts save lives – we'll see, based on ‘crash data’, here's how to make your organisation safer.”
Rapid7's own research, the just-published 2015 Incident Detection and Response Survey, amounts to “community knowledge being documented in a measured way,” according to Ford, and it threw up some interesting statistics of its own, including that some 45 percent of organisations are definitely planning to increase spending on incident detection and response programmes and solutions this year.
Lack of visibility into user risk, excess alerts and lengthy investigations are the main concerns in the report, with some 90 percent of organisations worried about compromised credentials. Some 60 percent say they cannot catch these types of attacks, and this ties in with the shift seen toward identifying and responding to attacks that have already happened. It's a move on from compliance to actually detecting untoward activity.
Compromised credentials are reported to have been the leading attack vector for the past five years. In addition, the report suggests that intruders now remain undetected for an average of 197 days within retail organisations and 98 days within financial services organisations once they've breached a network.
The report adds that 62 percent of organisations are receiving more alerts than they can feasibly investigate.
“Security professionals are struggling to detect and investigate incidents because the monitoring solutions available do not provide visibility into today's modern IT environments and cannot give users the insight they need to make decisions quickly,” said Lee Weiner, senior vice president of products and engineering at Rapid7. “This lack of understanding – or context – is causing massive alert fatigue and leaving companies unable to effectively detect the most used attack method today: compromised credentials.”
Looking specifically at what efforts are being made to monitor the situation, security teams are seen to be investing further in incident detection and response solutions to detect and contain compromise when it occurs. But while 55 percent of organisations say they are using a SIEM (Security Information and Event Management) system to aid with incident detection and response, it is here that the 62 percent figure applies: that many receive more alerts than they can handle.
While 79 percent of respondents allow the use of at least one cloud service, SIEMs are not being used to monitor cloud service use so it's unsurprising that only a third report visibility into such services.