IT decision makers are feeling great about their ability to keep threats, including ransomware, from breaching their networks. Over three-quarters of them reported feeling, at a minimum, very confident in their company's ability to prevent or mitigate security threats, according to the ExtraHop Cyber Confidence Index 2022, a new report that surveyed and analyzed how security leaders are evaluating their current security practices.
The Cyber Confidence Index also tells us that CISO confidence may be misplaced: According to the report, 85% of the same respondents reported at least one ransomware attack in the past five years.
How is ransomware thwarting the most confident security and IT leaders? According to the survey, attack vectors are plentiful: 92% of respondents admitted to using at least one insecure protocol in their environments, and an average of 29% of devices are reported as unmanaged. Adding to the advantage ransomware gangs have on today's organizations, the survey found that response times to critical vulnerabilities are within an adversary's window of opportunity, with 39% taking up to three days, and 24% taking up to a week.
Another recent survey by SANS, Modernizing Security Operations, asked security analysts—aka the teams that IT and security leaders manage—questions about SecOps modernization. In contrast to the ExtraHop results that point to CISO overconfidence, the SANS survey cited in their key findings that 19.7% of respondents said they do not feel their organization's SecOps team effectively mitigates risk. Among the possible reasons, the survey noted that "respondents report a disconnect between stakeholder understanding of breach impacts and desired response/resolution timeframes, meaning that resourcing doesn't align with expectations and that impacts become more significant."
This means that today's leaders may be overestimating the abilities and resources of their teams. If ignorance is bliss, a disconnect can likewise lead to an overestimation of multiple aspects of security. Armed with this knowledge, today's CISOs now have an opportunity to stand out from the overconfident, and lean into strategies that ensure SecOps success.
Simplify Security Hygiene
The fact that insecure protocols, including SMBv1, which was notoriously exploited by destructive WannaCry and NotPetya ransomware, is still prevalent in 92% of environments is worrying, but not entirely unexpected. It's not uncommon for software, network-connected hardware, and cloud configuration templates to contain deprecated protocols, easily introducing these onto a network.
Likewise, unmanaged devices, including print servers, VoIP phones, and other IoT devices have become a frequently leveraged entry point onto a network, as they frequently contain unpatched vulnerabilities for attackers to exploit. Identifying and patching or disconnecting unused devices is critical to prevent intrusions.
No matter how your network is managed, insecure protocols and unmanaged devices are bound to pop up, which makes regular device inventory, for both software and hardware, a critical security hygiene practice.
At a bare minimum, organizations should be conducting regular point-in-time audits to check for lingering or new instances of insecure protocols or unmanaged devices. For large-scale enterprises, automating the inventory process should be simplified by leveraging tools such as NDR platforms that have continuous network monitoring.
Correlate and Share Data
According to the ExtraHop survey, 43% of IT and security leaders reported that cooperation between network, security, and cloud teams is a challenge, and 35% cited inadequate or overlapping tooling.
Security tool sprawl, especially among disjointed IT teams, has been a longstanding problem. What's more, it has always been easy to gather a mountain of data from logs and endpoint agents. Unfortunately, when tasked with faster investigation and response times, more data isn't necessarily helpful.
To break down IT siloes, minimize tool sprawl, and speed up processes, leaders should consider network visibility solutions and share these insights across teams. Network visibility is becoming an increasingly necessary component for security, but the right data can also break down any cross-IT friction by providing the network insight needed to determine if an incident stems from an application error or an attack underway.
Of course, network data on its own isn't a solution for teams fighting complexity, how that data is correlated and shared matters for overburdened security analysts. AI-based cybersecurity tools minimize the work of analysts by parsing through that mountain of data to look for anomalies, serving up the right information to analysts that can be used to investigate and respond.
Invest in Layered Security
Today's attackers are relying more on techniques that bypass endpoint-based detectors, including phishing, credential theft, and brute force attacks. According to the Verizon 2021 Data Breach Investigations Report, phishing—a form of social engineering attack—is a component of 36% of breaches. As ransomware gangs have become adept at evading perimeter security, they have also become increasingly good at extorting victims by exfiltrating data with the threat of publishing or selling sensitive information, making backups no longer enough to safeguard an organization.
To combat perimeter-evading tactics and prevent data exfiltration, the ability to detect ransomware during the midgame—that is, after an initial compromise—is a necessary part of a modern cybersecurity strategy. To do this, organizations should invest in a layered approach to security that includes EDR, network detection and response (NDR), and log-based SIEM tools to round out Gartner's SOC visibility triad.
If your organization hasn't yet made the investment, adding network-facing detections to your toolset may sound costly and cumbersome. Accounting for the fact that 85% of all organizations see one ransomware incident per year on average, and 42% of organizations reported paying ransom at least most of the time, the investment in post-compromise detection pays off.
New Gartner Report: What Happens If You Pay Ransomware?
What's more, integrated EDR, NDR, and SIEM tools, including the implementation of a best-of-breed, open XDR platform, can help streamline and automate workflows, which actually works to reduce workload and encourage much-needed data sharing across teams. By adding AI-enabled solutions, these integrations can help teams add context to an otherwise overwhelming amount of data.
Transform Security Operations with Reveal(x)
Assess Your Risk
The most telling finding from the ExtraHop Cyber Confidence Index 2022 is that leaders who reported the use of insecure protocols are more likely to be confident in their security posture. This hints that some leaders are underestimating today's attackers, and lagging behind the modern security solutions that can help defeat them.
The process of continual modernization, including adding new security solutions, and implementing modern security frameworks can be initially costly and disruptive. But for leaders who may be re-evaluating their ability to respond to threats, the payoff of pivoting to a proactive, modern approach has the potential to save an organization from the devastating mix of lost productivity, downtime, and reputational damage that can result from attacks by today's advanced ransomware gangs.