10 Key Takeaways From Cisco's Annual Cybersecurity Report
Attackers are getting better at evading detection and have made serious headway in exploiting new technologies like IoT and cloud services, Cisco's cybersecurity report finds.
Important Findings From Cisco
Cyberattackers have reached an unprecedented level of sophistication, and the impact of their exploits has never been more widely felt, according to the findings of Cisco Systems' annual cybersecurity report.
Attackers are getting better at evading detection and have made serious headway in exploiting new technologies like the Internet of Things and cloud services. Between October 2016 and October 2017, the number of malware attacks increased 250 percent. Attackers study what organizations do and fail to do to defend themselves. Social media and the public cloud have become serious vulnerabilities.
And while businesses are making more investments to protect themselves, whether through artificial intelligence or operational technology, many are still practicing bad habits that jeopardize corporate systems and data. Patch management still isn't done very well in most organizations, Franc Artes, architect in Cisco's security business group, told CRN.
Cisco partners who in the past have been reluctant to dive into the security arena are beginning to realize they need to do more to help their customers and are finding ways to profitably offer security optimization, management and assessment solutions, Steve Benvenuto, senior director of Cisco's global security partner sales, said in an interview with CRN.
Here are 10 key takeaways from the Cisco report.
The Cloud Is No More Secure Than Your Own Infrastructure
About 53 percent of the 3,600 survey respondents said more than half their corporate infrastructure is now in the public cloud. "The appeal is better security, but that's not always the case," Cisco's Artes said.
"If you're renting infrastructure as a service, the reality is the security is exactly the same as it was when you were responsible for the technology. You get scalability, but that's the same reason we see attackers using cloud and microservices architecture. They can expand and dynamically re-create their command and controls. They're capable of hiding in public cloud because nobody is going to block the entire AWS or Google Cloud Platform in order to stop them. We see a lot of the same bad practices that were being made when organizations ran architecture and infrastructure in-house and it was generally isolated from the internet. In the cloud, they're accessible by everyone who has an internet account in the entire world," he said.
Businesses Don't Know How Many IoT Devices They Have
The vast majority of survey respondents are not aware of exactly how many IoT devices are on their corporate networks. This is because devices are being introduced by multiple teams within an organization, such as the facilities management team, or the physical security team adding IP cameras to secure campuses, according to Artes.
"TVs, DVRs, camera systems -- the IT team isn't responsible for those devices," Artes told CRN. "They're not patching and updating those devices. Groups that are responsible for those devices definitely are not patching and updating those devices," he said. "It doesn't change whether we're talking about health care and CAT scan machines or Corporation X and its video-over-IP surveillance systems. The problem is systemic across every vertical."
Attacks Are On The Rise
The survey found that application layer attacks are on the increase, while network layer attacks are declining.
"This follows the fact that attackers are studying us," Artes said. "We have moved to web-based and cloud-based systems and architecture, and that's where the focus of a lot of attacks is. Many systems use open authentication services and the attacker is leveraging Facebook account credentials to get access to financial systems that workers use. Burst attacks are increasing in intensity, frequency and duration."
DevOps Is A Huge Ransomware Risk
DevOps services like MongoDB and Docker are exposed to the internet and run in a cloud, but many users simply use default usernames and passwords for administrators on systems that contain personal identification and production data, the survey found.
"That's heinously bad," Artes said. And while some DevOps-focused database firms have improved, others have not, leaving customer databases completely unprotected, he said. "They're still running default usernames and passwords, but now they contain even more [personally identifiable information] and production data. Before, at least they were inside or behind multiple layers of security. Now, they're on the internet and in cloud services. Developers don't realize they need to build the same layers of security within a cloud construct with virtual security appliances the same way they would have built physical security appliances into a physical construct."
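The exposure this section describes, as an added example that is not from the Cisco report or the CRN article: a small audit of a mongod.conf for the two settings that together leave a database reachable over the network with no credentials required. The sample configs are constructed, and the tiny parser is an offline stand-in for a YAML library, not MongoDB's own tooling.

```python
# Added example (not from the Cisco report or CRN article); sample configs are constructed.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface
security:
  authorization: disabled
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private address
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_conf(text):
    """Minimal stand-in for a YAML parser: handles the 'section / key: value' layout of mongod.conf."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith(" "):           # top-level section name
            section = line.strip().rstrip(":")
            conf[section] = {}
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf

def assess_mongod_conf(text):
    """Flag network reachability and missing authorization; 'critical' is both at once."""
    conf = parse_conf(text)
    # Recent mongod releases default bindIp to localhost; 0.0.0.0, '::' or any
    # non-loopback address makes the listener reachable from other hosts.
    bind_ips = conf.get("net", {}).get("bindIp", "127.0.0.1").split(",")
    reachable = any(ip.strip() not in LOOPBACK for ip in bind_ips)
    # mongod ships with authorization disabled; credentials are only required
    # once security.authorization is explicitly 'enabled'.
    auth = conf.get("security", {}).get("authorization", "disabled")
    auth_disabled = auth != "enabled"
    return {"network_reachable": reachable, "auth_disabled": auth_disabled,
            "critical": reachable and auth_disabled}
```

Binding to a private address alone is not the problem; the critical finding is reachability combined with authorization left off, which is why the hardened sample still reports `network_reachable` but not `critical`.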
Companies Are Spending More On AI and Machine Learning
Expectations for artificial intelligence are on the rise, according to the study. More than 83 percent of respondents said using automation to reduce the effort required to secure their organization is a chief security goal. More than 90 percent said security is being enhanced by behavioral analytics tools. AI works well at identifying "bad actors," such as people accessing financial systems they don't normally use, according to Artes.
OT Is Becoming A More Viable Defense Against Attack
More than 70 percent of respondents said they now recognize their operational technology infrastructure is a viable "attack vector." And while 20 percent said it isn't now, they expect it to be in the next few years.
"They're moving over from proprietary systems to open architectures," Artes said. "In industrial control systems, if one country wanted to stop another from refining plutonium, for example, it involved dropping lots of USB sticks in parking lots and waiting for somebody to insert that USB stick on the ICS network. Today, we see more ICS being connected to the network itself, but we're troubled by a lack of knowledge of modern security technology and practices by admins of ICS networks. They're rarely utilizing firewalls, IPS, other types of security technology."
More Vendors, More Problems
The volume of security problems respondents had can be linked to how many different vendors they use, according to Artes. "The more vendors they had, the more challenging it is for them to orchestrate security changes across their organization," he said. "The fewer vendors, the more likely they were to say it wasn’t challenging at all."
The study also contains some interesting information about security concerns among individual vertical industries. In education, 17 percent of respondents said it was very challenging to maintain and orchestrate security. In health care 42 percent said it was very challenging.
Almost Half Of Alerts Are Not Investigated
Just over half of alerts are investigated, and only about half of those are actually remediated, the study found. "It's eye-opening," Artes said. "If this was a football team, it's like saying one-third of the time we don't even bother to send the defensive line onto the field, and that's not going to result in a very good football game."
Machine Learning Drastically Reduces Time To Detect Attacks
Almost all respondents said they're hoping AI and machine learning will help manage security alerts, and "get the defensive line out on the field more than one-third of the time," Artes said. More than half of respondents said they are now outsourcing security consulting, and 47 percent are outsourcing incident response. "They recognize it's a very finite skill set and when they have an incident it's important to have professionals that can clear it very quickly and reduce the operational cost incurred during an outage," he said.
Partners Need To Have 'The Talk'
The industry is facing a talent shortage in cybersecurity, Cisco's Benvenuto told CRN, and that means more solution providers must step up. "There's a need for partners to do more, and the need is real," Benvenuto said. "The need for integrated security is top of mind for customers, but the conversations are weaving together. These are secure networking, secure data conversations and they involve practices around data center, IoT and industry verticals. The security conversation is absolutely embedded in those and it's hard to separate." Benvenuto said partners must continue to make investments in pre-sales education around security, as well as the development of consulting services, assessment services and managed services.
Perhaps most important is the education of partners' front-line sellers. "They used to be cautious about it, but it's an important part of the conversation," he said.