Many businesses are failing to invest in blocking the threats that are actually hitting them, says Eddie Schwartz, vice-president of global security solutions, Verizon.
“This is because most of their budget is still being spent on traditional perimeter defences, which means there is little left over for anything else,” he told Computer Weekly.
“Most organisations adopt a ‘peanut butter approach’ of spreading defences evenly across their entire IT estate, instead of investing in systems to block the kinds of attack most likely to hit them,” he said.
The firm’s researchers found that, while no organisation is immune from attack, 92% of cyber attacks in the past 10 years can be linked to just nine basic attack patterns.
Attack type by sector
Of these, most companies have to face only two or four types of threat, depending on the industry vertical, which determines the kind of data they hold and the types of attacks and attackers they face.
While financial firms need to prioritise web application attacks and payment card skimming, for example, retailers need to focus on point of sale intrusions and denial of service attacks.
“This is the coolest report of its kind,” said Schwartz. “The data enables organisations to identify the most prevalent kinds of attacks on their industry and the most appropriate security controls to deploy.”
“Leading organisations are starting with who is likely to attack them and how that relates to the business and what they need to protect as a threat model for identifying the most effective controls,” he said.
This is a much better approach, he said, than spending vast sums of money creating a semblance of security that attackers can easily bypass.
This is a huge problem, said Schwartz, because once an attacker is inside a network, in most organisations they are able to move laterally without difficulty and without being detected for some time.
“Historically, security has been about understanding what is bad and looking for that, but it needs to be more about understanding what is good so we can identify meaningful differences,” he said.
This means organisations need to look at things like network dynamics and baselining, anomaly detection and big data analytics to help identify malicious activity, said Schwartz.
“Once they start doing things they become more visible if you know what you are looking for, which presents a huge opportunity that the security industry needs to get better at exploiting,” he said.
Schwartz predicts that, in the next three years, organisations will move towards employing service providers who can undertake most of their cyber defence for them.
“Very few organisations have the resources to develop the necessary capabilities in-house, so they will look instead to service providers who can do it at a reasonable cost through economies of scale,” he said.
While organisations will continue to do basic security hygiene, vulnerability management and governance, risk and compliance, they will move out of more complex areas.
The areas most likely to be moved over to specialist service providers, he said, include cyber operations, cyber attack management, cyber intelligence, and cyber investigations and forensics.