Cisco’s latest Annual Security Report is out, and it shows that while organizations are becoming more adept at responding to security attacks, adversaries are also refining their techniques. There is no way around the fact that security must be an integral part of every business strategy.
This year’s security report contains a great deal of new information compared with last year’s, so be sure to read it. More than ever, cybercrime has become a money game, where millions of dollars can be made with ransomware. It’s also a battle that’s no longer being waged just in the “shadows of the Internet,” says the report. Attackers are boldly tapping into legitimate online resources more often.
Cisco CEO and CSO Talk Security
Cisco’s CEO Chuck Robbins and Chief Security Officer John Stewart sat down earlier this month to discuss the findings in the 2016 Annual Security Report. You can watch a video of that conversation right here:
For those of you wishing an even quicker scan of what’s going on, I’ve included an abbreviated transcript of some of the key comments from the discussion between Robbins and Stewart:
Robbins: One thing that strikes me [about the report] is how attackers are so resilient, and are becoming increasingly sophisticated. What stood out to you as the most important findings in the report?
Stewart: First, attackers have become bolder and more coordinated. They’re sharing information. They’re moving and innovating very very rapidly. We’re watching the malicious actor teams embrace legitimate techniques like strong infrastructure and the use of virtual hosting—almost similar to IT teams that would be running any other business-critical service if it were legitimate. Now driven by financial gain, the attackers are looking for the most effective—and just like every other “business”—lowest-cost way to steal as much information as possible.
But there’s good news, as there always should be, because we’re getting better at finding them even quicker.
The second thing we discovered in this year’s report is the need to recognize and respond to security threats in real time, and then also be able to contain the incident if something gets through—in short, “time to detect.” So, there is good news. All businesses have started to think through how fast they can detect an attack, an infected device, or a successful breach. And that race is on: attackers being successful and then getting caught.
Last year, in 2015, in the midyear security report, we talked about that time to detect being about two days, even for us when we were using all the data and all the systems in order to find out if attacks had started. We continue to make some serious progress in reducing that time. By October of last year, we had reduced the median time to 17.5 hours. We’re not stopping there. The industry has got to get it to hours and then, potentially, as an attack starts, getting it mitigated.
The third point is that in analyzing over 115,000 Internet-facing devices, we discovered that 92 percent of that sample were actually connected to the Internet and running software that had known vulnerabilities. Potentially even more damaging is that 36 percent of that set of systems had reached their last day of support. The conclusion we drew from that is that it’s got to be about proactive upgrades, patching, and recognizing just how critical it is to connect systems that are resilient and up to date, and to take control of them and run them well before an adversary decides to.
Robbins: Those are very interesting findings and, frankly, very consistent with what we’re hearing from our customers. Security is obviously the number 1, 2, and 3 concern with our customers. We must continue to make progress, as you say, and we have to move more rapidly. We have to keep up with the ongoing threats, but that can be a challenge.
Stewart: We do know that our customers in all businesses and all walks of life are struggling to keep pace, not only with the attacks but also with the amount of technology and solutions that have to be deployed. Only 45 percent of businesses reporting to us say they’re confident about their ability to determine the scope of an attack and stop it. That figure is down [from earlier], and that tells us that we’re going to have to work that much harder to make sure that 10 out of 10 businesses are confident in their security posture.
Robbins: Certainly it’s a problem that our industry must face head-on. Many of our customers have up to 50 different security vendors in their infrastructure. At Cisco, we’re deploying an architectural approach to how we deal with security going forward. Our customers want an integrated threat defense strategy. They need to raise their confidence, as you say.
Stewart: Yes, the first and foremost change [we’re advocating in the report] is that security, in and of itself, is a business strategy. It’s not a small group of people sitting in a dark room trying to protect a company. It’s not just IT. It’s actually part of a business strategy that every senior leader of all types of businesses has to embrace. And, we’ve got to embrace the fact that security, by design, has got to be part of everything that’s being built.
The hard thing that still seems to take so much energy is how much we have to collaborate [around security], and how hard that seems to be. Last but not least, that whole integrated approach that you mentioned has to be part of the security architecture discussion. It can’t be about 50 to 100 vendors being stitched together for every business. We’ve got a chance to change the game by turning it into an architecture.
Now take a look at the nine-minute video or the full Cisco 2016 Annual Security Report. And if you’re ready to embrace security as part of your organization’s business strategy, have a look at the security and cybersecurity training options here on the Cisco Learning Network.
Gary Pfitzer is a content manager at Learning@Cisco, focused on bringing various aspects of today's IT journey to light through business papers, blogging, customer success stories, and other writing.