Deep Instinct: what's keeping CISOs up at night?
With a different ransomware attack and data breach hitting our news every day, CISOs can be forgiven for thinking that there is no hope of protecting their organisation from malware attacks. As shown by Deep Instinct’s recent Voice of SecOps report, a staggering 86 percent of UK businesses do not believe it is even possible to prevent ransomware and malware attacks from hitting their organisations. This is further compounded by the fact that 70 percent of UK businesses say that they cannot ensure that every endpoint has the same level of protection as each other.
The sheer challenge of trying to secure every endpoint, whether in a small or large enterprise, is daunting, and it’s understandable that under-pressure and understaffed Security Operations Center (SOC) teams are struggling, despite doing all they can to try and stop attacks. Cyber security is also highly dynamic, with attackers continually exploiting new vulnerabilities, developing new malware, and discovering ways to evade or counter existing security solutions. Changing the mindset of CISOs is therefore no easy feat, with a host of concerns and challenges keeping them up at night.
Is the volume of false positives one of the biggest challenges facing UK organisations today?
The sheer volume of security alerts triggered by today’s typical security stack is certainly one of the biggest challenges facing organisations today. SOC teams must manually analyse thousands of threat alerts a day, many of which are false positives or low priority items. This means security teams have spent time, effort and money analysing something that isn’t actually a threat. For example, our researchers found a large enterprise was receiving around 75,000 security alerts a day, with just two being legitimate threats. That is an extraordinary amount of time spent analysing something that ends up amounting to nothing.
Due to the number of false positives SOC teams must deal with, real threats are sometimes left untreated for hours, if not days. An average of 10 out of every 39 hours in a working week is spent handling false positives, and the average response time in dealing with cyber-attacks is 20.9 hours – leading to around a quarter of the week being wasted on manual work that generates no real value. The slow response time by IT teams leaves room for attackers to spend time moving throughout the network, inflicting more damage as they go. The volume of false positives SOC teams deal with has a continuous knock-on effect on the entire security posture of the business, so it really is one of, if not the, biggest challenges facing organisations today.
Why does endpoint exposure continue to be a risk for organisations?
There is a worrying trend that UK organisations are not fully protecting endpoints, and in some cases, they have no protection at all. Our report found that one third of endpoints deployed in the UK currently have no security agent installed, and with the 70 percent saying they cannot ensure that every endpoint has the same level of protection, the risk becomes even greater. Endpoint exposure provides hacking groups with opportunities to easily breach an organisation’s network without being detected.
This is further compounded by hackers selling access to an organisation’s networks to other hackers on the dark web. The proliferation of Ransomware-as-a-Service sales on the dark web inevitably results in less evasive and sophisticated hackers being successful because they have been told which network has unprotected entry points.
This culminates in organisations being exposed to multiple cyber-attacks if they are unable to patch endpoints or have the same level of protection across all endpoints on the network.
How has cloud transformation added to the risk of cyberattacks?
The dramatic rise of remote workers in the past year has seen an acceleration of cloud transformation by five to seven years, meaning organisations have a more expansive threat landscape. With organisations deploying public, private or hybrid clouds, there is an increased risk they won’t have full visibility into their endpoint estate and can’t determine if files that already exist on their cloud, or are being uploaded to their cloud, are free from malware. Two-thirds of UK businesses are concerned that third parties will upload malicious files to their cloud repository and only a quarter have “complete” confidence that their cloud/local repository files don’t already hold malicious files.
SOC teams are already under pressure with the time taken in dealing with false positives and exposure from endpoints. The acceleration of cloud adoption and transformation adds to this strain, particularly as CISOs are worried about the threat of malicious files being added to the network.
How can organisations start predicting and preventing cyber-attacks rather than just mitigating them?
The methods used by hackers have now changed: they are trying to inflict significant damage in the quickest possible time, so their dwell time has lessened but the damage they cause is staying the same or getting worse. This method of attack means that organisations need to be wary of cyber-attacks that have a high infection rate and can execute quickly.
Once ransomware attacks have entered and infected the network, it is already too late. The fastest ransomware can encrypt in just 15 seconds, and the impact of this dwell time can be significant, with damage not only to the networks but also to the organisation’s reputation. It is crucial for organisations to start investing in prevention rather than just investing in cyber solutions that mitigate the damage caused by a cyberattack.
Adopting a prevention-first mindset will also allow the issue of slow response times to be resolved. In order to do this, CISOs need to adopt solutions such as Deep Learning. A subset of AI, Deep Learning can make unsupervised decisions resulting in files being identified as benign or malicious autonomously in under 20 milliseconds, stopping a ransomware attack pre-execution, before it can encrypt important data.
Deep learning involves the creation of a neurological network which is trained on raw data samples of millions of files. Unlike machine learning where data is converted into a small feature vector, such as statistical correlations, one of the major strengths of deep learning is the massive number of characteristics from the raw data that it processes to obtain a decision. The deep learning algorithm is fully autonomous, and analyses 100% of the data, therefore it is not subject to human error and false positives are dramatically reduced.
This more complex approach is also harder for criminals to crack, greatly reducing the risk of an attacker entering the network through a vulnerable endpoint.
IT teams will benefit from an immediate reduction in the volume of false positives consuming their days, which subsequently means their time can be better spent on valuable activities such as threat hunting, and ensures they are free to react quickly when a legitimate threat emerges. The proactive nature of Deep Learning could give organisations the much-needed shield to deflect the crippling blows heading their way.