Every year companies spend more on their security posture, whether in cybersecurity products, services or training. Yet despite this earnest spending, the occurrence of breaches is not receding; on the contrary, it is increasing. As I mentioned in my last piece, by the end of 2019, Gartner expected global spending on cybersecurity to exceed $124 billion.
Yet amazingly, these heavy investments have not necessarily resulted in greater security. We are still losing the war against the continued onslaught of cyberattacks. According to recent IDC and Thales data, about two-thirds of U.S. companies have suffered data breaches. This percentage was slightly higher than the global figure of 60%.
Cyber Risk Analytics released its “2019 MidYear Data Breach Quick View Report,” which had some interesting, if dismaying, findings:
• 3,813 breaches were reported through June 30, 2019, with the consequence of exposing over 4.1 billion records. In a comparison against the same period in 2018, this represents a 54% jump in reported breaches, with a similar rise in exposed records.
• In a comparison of industry verticals, the business sector accounted for 67% of reported breaches, followed by medical (14%), government (12%) and education (7%).
However, it’s not just the frequency that organizations need to worry about; the cost of a data breach is also growing. According to the Ponemon Institute’s “2019 Cost of Data Breach” study, the average total cost of a breach rose from $3.6 million to $3.92 million.
The statistics all point to the fact that the current model for cybersecurity is inherently broken, and the situation only appears to be getting worse.
The situation demands an honest appraisal of the cybersecurity industry to understand how it has fallen into this mess and how it can possibly work its way out.
Many organizations are using either antivirus (AV) or endpoint detection and response (EDR) products. Either of these security products can involve a host of problems:
• Many AV solutions use signatures and heuristics that are only effective against known threats. Considering that on average 350,000 new malware variants are created every day, relying only on hashes of known malware will not keep you ahead of the threat.
• Most AV and almost all EDR products are only triggered post-execution. This means the threat must already have entered the enterprise system before the security product activates and begins chasing the attack.
• Many solutions take too long to detect and remediate attacks. According to the Ponemon Institute, the average time to identify a breach in 2019 was 206 days, and the average time to contain a breach was 73 days, for a total of 279 affected days. The longevity of breaches has a direct impact on the extent of the damage.
• Many of the products out there that advertise threat hunting, threat intelligence and research capabilities are essentially very sophisticated business intelligence platforms. While they provide informative dashboards and in-depth insight into an organization’s security status, they sometimes offer too little when it comes to actual security and actionable measures.
• The more sophisticated solutions in the market use some sort of AI algorithm, such as traditional machine learning. Although it is very accurate at detecting a wide range of known attack vectors, machine learning loses ground when detecting never-seen-before attacks, particularly malware with a unique configuration. The reason is that these algorithms depend too heavily on characteristics predetermined in a process called feature engineering. If bad actors develop a form of malware outside the expert’s expectations, it could slip by undetected.
• Many solutions, particularly those that provide a wealth of event data, require human management and maintenance. This puts further pressure on the increasing demand for human experts with the relevant cybersecurity skill set.
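To make the first bullet concrete, here is a small added illustration (written for this piece, not code from the author or any product) of why an exact-hash blocklist misses a trivially modified variant while even a crude content-similarity measure still flags it. The three byte strings are constructed stand-ins for files, not real malware, and the 4-byte n-gram Jaccard score and the 0.6 threshold are arbitrary choices made for the example.

```python
import hashlib
from typing import Set

# Constructed stand-ins for file contents (not real malware).
KNOWN_SAMPLE = b"ver=1.0;mode=update;interval=60s;target=all;flag=0x1f;build=0414;owner=svc"
# A "new variant": identical except for a single changed byte.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"interval=60s", b"interval=61s")
# Unrelated, benign content.
BENIGN_SAMPLE = b"quarterly sales report: figures attached, please review by Friday"


def sha256_hex(data: bytes) -> str:
    """Exact-match signature, as a hash-based blocklist would store it."""
    return hashlib.sha256(data).hexdigest()


# The blocklist only knows the one sample seen before.
HASH_BLOCKLIST = {sha256_hex(KNOWN_SAMPLE)}


def hash_blocklist_hit(data: bytes) -> bool:
    """True only if the content matches a known sample byte-for-byte."""
    return sha256_hex(data) in HASH_BLOCKLIST


def byte_ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Set of all n-byte windows in the content (a crude structural fingerprint)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Overlap between two n-gram sets: 1.0 for identical, 0.0 for disjoint."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


KNOWN_NGRAMS = [byte_ngrams(KNOWN_SAMPLE)]


def similarity_score(data: bytes) -> float:
    """Best Jaccard overlap between the content and any known sample."""
    grams = byte_ngrams(data)
    return max(jaccard(grams, known) for known in KNOWN_NGRAMS)


def similarity_hit(data: bytes, threshold: float = 0.6) -> bool:
    """Flag content that is structurally close to a known sample (threshold is arbitrary)."""
    return similarity_score(data) >= threshold


def evaluate(data: bytes) -> dict:
    """Compare both approaches on one piece of content."""
    return {
        "hash_hit": hash_blocklist_hit(data),
        "similarity": round(similarity_score(data), 3),
        "similarity_hit": similarity_hit(data),
    }


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_SAMPLE),
                         ("variant", VARIANT_SAMPLE),
                         ("benign", BENIGN_SAMPLE)]:
        print(f"{name:8s} {evaluate(sample)}")
```

The one-byte change defeats the hash lookup entirely, because a cryptographic hash is designed so that any change produces an unrelated digest; the n-gram overlap, by contrast, only loses the handful of windows that contain the changed byte, so the variant still scores well above the benign file. Real products use far richer features than byte n-grams, but the gap between "exact match on something already seen" and "judgement about something new" is the same one the bullet describes.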
A preventative approach to cybersecurity should reject the “assume breach” mentality. It should powerfully buck the trend by demonstrating that it’s possible to stop unknown and never-seen-before attacks prior to execution. Through the application of deep learning, the most advanced subset of AI, it is possible for computer scientists to do this. The deep learning neural network should be able to autonomously apply its predictive determination to prevent threats from entering the enterprise.
However, as the CEO and cofounder of a deep learning cybersecurity company, I know there are many challenges in applying deep learning to cybersecurity. Primarily, the knowledge threshold is extremely high; there are not a lot of deep learning scientists out there, and even fewer who have the expertise needed to modify a core framework to a new dedicated domain. Secondly, the cost in time and resources involved in building a deep neural network makes it unattainable for many enterprises’ IT departments to easily incorporate into their security stack.
Therefore, to effectively incorporate a preventative approach based on deep learning, executives can assess their market options and identify a solution that best meets their needs. There are several factors for CISOs to consider as they assess their options:
1. Any solution you choose as a CISO should not be a bet. Select a solution based on an educated decision that involves testing the latest technologies.
2. Select a solution that operates in pre-execution so no damage can be wrought.
3. If you need wide platform play, ensure coverage is provided no matter what operating system your employees are using.
4. Determine the quality of a solution based on its levels of predictive accuracy.
All these factors should ensure business continuity is guaranteed.
There are many benefits in a detection approach, but principally, the right approach should be able to save the enterprise considerable costs and resources by no longer having to contend with the collateral damage of an attack. Naturally, a preventative approach should also reduce pressure on the SOC team, lower personnel demands and remove alert fatigue. Time and computing resources should not be sacrificed to the disastrous fallout of a breach. And business continuity can be blissfully assured.