Federal CIOs and CISOs certainly face plenty of concerns keeping their data and IT systems secure. But here’s one concern they need to add to their list: A new study of global enterprises in 11 major industries, including government, found that despite of all the security tools they deploy, just over 90% of cybersecurity attacks did not generate an alert. The study also found 53% of infiltration attacks and 68% of ransomware attacks went unnoticed.
If that sounds alarming, it should be.
The findings come from the latest Mandiant “Security Effectiveness Report,” which assesses the effectiveness of security controls used at participating organizations around the world, by executing thousands of mock attacks on more than 120 market-leading security technologies deployed by those organizations.
It probably won’t come as a surprise that these large-scale organizations manage between 30 to 50 different security tools. What is surprising: In spite of the investment in all of these tools — or, perhaps because there are so many — these organizations only succeeded in detecting 26% of Mandiant’s various attacks, on average, and preventing just 33% of them.
These findings should serve as something of a wakeup call that even the best-run organizations, using best-of-breed equipment, are probably overestimating how effectively their security controls are performing.
As a former U.S. Air Force CISO, our SIEM (security incident event management) appliance was the most important tool we had in our security architecture. That’s where all the logs are going. If, as the Mandiant findings suggest, only 9% of attacks are triggering an alert, that means a substantial number of security events aren’t registering properly on most organizations’ SIEM tools. That in turn leaves security teams flying in the dark without a proper instrument panel — and ill-equipped to take action when breaches occur.
There are several reasons why private sector enterprises — and very likely, many federal agencies — are encountering such a disconnect between how their security products are performing compared to what most IT leaders expect.
First, too many security products are set up using standard configurations instead of tailoring them to work properly with other devices on the network.
Second, most organizations still lack the resources and the training regimen to tune and test all their various security products properly. That’s not to mention the need to patch and maintain them correctly after they’ve been deployed.
Third, security events still may fail to make it to the SIEM for various technical reasons that need to be understood.
Finally, and perhaps most importantly, is what I call “environmental drift” — the ongoing changes to the IT environment that create unseen breakdowns in your security monitoring and alert systems.
IT systems and applications change on a daily basis. New applications are being deployed; tools are upgraded; equipment gets changed out. Patches don’t always work, or worse, they break existing security controls. Changes aren’t clearly communicated. Inevitably, mistakes happen. If your entire IT environment is changing every day, the question that needs to be answered is: Are your security control systems keeping up and how do you know for sure?
Internal and external audits and pen testing are still important, but enterprises need intelligent, automated tools to keep up with the daily changes in your IT environment.
Another important question to answer: Are you able to determine which security products are actually doing the heavy lifting? Various studies from Gartner or Forrester suggest that most enterprises are only using about 25% of any one tool. If the average firewall costs $100,000 and you’re only using a fraction of its capability, that’s not a great return. Most organizations recognize they’re suffering from tool bloat but are often reluctant to pull the plug on their investments.
Every enterprise IT leader faces the unenviable challenge of balancing one technology choice against another choice. The best defense today still requires a combination of powerful tools and current threat intelligence, tuned to your organization’s needs. But it also requires having real-time visibility into your security tools — and the assurance that those tools are performing the way your organization needs, not just the way the vendor promised.
Maj. Gen. Earl Matthews (USAF Retired) is Vice President of Strategy at Mandiant Security Validation. He served in the U.S. Air Force for more three decades, most recently as Director for Cyber Operations and Chief Information Security Officer.
Find out more how FireEye and Mandiant can help your agency get the most out of its cybersecurity management tools.