It's the 10th anniversary of Cisco's annual report on security and cybersecurity, and for this one, Cisco went out and surveyed 2900 of its customers. In addition, Cisco gathered the threat data that it has from the 5000 employees who work on security products at the company and fed that into the report.
As always, there is ample food for thought in the report! Cisco continues to use time to detection as its measure of how quickly threats are met; its own time to detection was down to just six hours in November 2016. But, in the face of increasing agility on the part of cyberattackers, the company has introduced a new metric: "time to evolve," the time it takes adversaries to change how they deliver specific malware, and the length of time between each tactical change. Our own evolution in the cybersecurity game depends on our ability to understand and address our adversaries as very adept chameleons.
Automated detection and automatic defense are also key concepts for advancing toward a simple, integrated security architecture that provides near-real-time insight into threats.
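The "time to evolve" metric described above can be computed from delivery telemetry. The Python below is an added illustration, not code from Cisco or from the report; the observation records, the family names and the delivery-vector labels are constructed, and the six-hour time-to-detection figure is the one quoted above.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample telemetry (not report data): when a malware family was seen
# and through which delivery vector. Family names and vectors are made up.
OBSERVATIONS = [
    ("2016-11-01T00:00", "famA", "macro-doc"),
    ("2016-11-01T02:00", "famA", "macro-doc"),
    ("2016-11-01T04:00", "famA", "js-downloader"),
    ("2016-11-01T09:00", "famA", "hta"),
    ("2016-11-01T12:00", "famA", "js-downloader"),
    ("2016-11-01T00:00", "famB", "exploit-kit"),
    ("2016-11-20T00:00", "famB", "exploit-kit"),
    ("2016-11-30T00:00", "famB", "macro-doc"),
]

def time_to_evolve(observations):
    """Per family, hours between consecutive changes of delivery vector.

    A change is an observation whose vector differs from the family's previous
    one (reverting to an earlier vector still counts). The first sighting only
    sets the baseline and is not itself a change.
    """
    by_family = defaultdict(list)
    for ts, family, vector in observations:
        by_family[family].append((datetime.fromisoformat(ts), vector))
    gaps_by_family = {}
    for family, events in by_family.items():
        events.sort()  # telemetry rarely arrives in order
        change_times, last_vector = [], None
        for ts, vector in events:
            if vector != last_vector:
                change_times.append(ts)
                last_vector = vector
        gaps_by_family[family] = [
            (later - earlier).total_seconds() / 3600
            for earlier, later in zip(change_times, change_times[1:])
        ]
    return gaps_by_family

def families_outpacing_detection(observations, ttd_hours):
    """Families whose median time to evolve is below the defender's time to
    detection: a tactic is typically replaced before it is even detected."""
    return sorted(
        family
        for family, gaps in time_to_evolve(observations).items()
        if gaps and median(gaps) < ttd_hours
    )
```

With the six-hour time to detection, famA (tactics changing every few hours) is flagged while famB (one change in a month) is not; the flagged list is where detection engineering effort, rather than more headcount, pays off.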
The crucial themes sounded by survey respondents in this year's report are lack of budget and disparate defense systems that don't integrate. The latter can be a huge vulnerability, because it leaves gaps in time and space where cybercriminals can launch attacks. Another big challenge cropped up in the survey, one of interest to all of us here in the learning community: not enough trained talent.
Discussing the Evolutionary Struggle Between Attackers and Defenders
David Ulevitch, who heads up Cisco's Security Business Group, and our Chief Security and Trust Officer John Stewart sat down upon release of the Cisco 2017 Annual Cybersecurity Report at the tail end of January to chat about its findings. A six-minute video of that conversation accompanies this post.
For those of you wishing an even quicker scan of what's going on, I've included a transcript of the exchange between Ulevitch and Stewart:
Ulevitch: One of the things that struck me in this report was about the consequences that people are dealing with from the public disclosure of a breach. They're not just dealing with the operational disruption or the loss of customers—they're dealing with declining revenue, and they're dealing with the overall complexity of trying to respond to a breach. So, what are the biggest barriers preventing organizations today from improving their security? Do they just provide another product?
Stewart: Not quite, but we do know that the survey of the 2900 customers and, frankly, just the constant pulse we've kept on the industry have surfaced three different issues. First, in 2017, we're still talking about security budgets—that has not changed. It's a perennial challenge.
The second issue is this "disparate systems" problem. This is one that's really started to emerge: "I've got so many vendors, so many products. They're not integrating. I'm spending an incredible amount of energy upgrading aging infrastructure, and I'm having to bolt on security at the end versus actually embedding it from the start."
And the third issue, which has shown up pretty consistently, is "I can't find enough trained personnel." So, those three are the top items that really showed up this year.
Ulevitch: So, we know that we can't just give folks another product—and that they can't find the right people. How are we going to help organizations overcome these challenges then?
Stewart: The way that the survey describes it is that, first, existing industries and enterprise customers are just stretching their budget, and, in some cases, they're adopting expertise from an outsourced provider. And they're relying more and more on cloud solutions for ease of implementation and speed. And then there's an "automation vehicle": how we can use technology to adapt to some of the problems. What we've obviously got to deliver—and this is true in the industry as well as here at Cisco—is an integrated security strategy that is more effective, including cost-effective, and is risk-managed well—with a really good expert IT security team that we're going to help build, frankly, with our customers and that will ultimately lead to the right tools, policies, and processes all working together in an automated way.
Ulevitch: I think that's right, and a huge area in our focus is to really simplify things and make them all work together.
One of the other things that really struck me in the report was not just this focus on time to detection—that window of time between compromise and the detection of a threat. We know that's a useful metric, and we've talked about that in past years. I know we hold ourselves accountable to that time to detection, but this year there was a new metric, which involves how quickly attackers are shifting their tactics and evolving to avoid that detection. So, talk to us about that.
Stewart: So, it's always innovation: The attack team grows. The defense team grows. It goes back and forth, and we're constantly trying to outgame each other. And we've been tracking time to detection for years. It's actually a really good strong indicator of security effectiveness. That said, we know that we've got to look at something else, which is how quickly are attackers evolving to adapt their techniques and, as a result, essentially maintaining the effectiveness of the malware they have heading toward us?
We did an analysis on six different malware families to measure what we call "time to evolve": the time that basically says malware delivery has changed, and what is the duration between those changes so that we know how fast that we have to adapt to protect our customers. We compare them both [time to evolve and time to detection], and as you might imagine, we are using those benchmark metrics in concert to determine how fast we as a business need to be.
Ulevitch: That's interesting. So, this idea that the malware families are actually evolving and changing their approaches to affect victims ... I think the report pointed out that some are relying on just a handful of approaches and delivery methods, but others are using up to 10 different approaches to affect their victims.
Stewart: Yeah, and you can see the story: You've got fast and frequent evolution as a new approach by which to overwhelm the defense teams, where the malware families are behaving very differently. But, we know this: human expertise cannot be thrown at this and actually solve it. We, in fact, are demonstrating that the time to evolve is proving that you need integrated security architecture with near-real-time insight, automated detection, and then this third rail, which we've got to get right, which is automatic defense.
Ulevitch: As you know, that's a huge area of focus for the portfolio—that goal of really trying to help our customers simplify their security by automating their security, and automating that defense.
Now watch the six-minute video and, better yet, scrutinize the full Cisco 2017 Annual Cybersecurity Report. The report will teach you a lot more about the behavior of attackers, the behavior and new trends of defenders to mitigate those attacks, the impact upon organizations of breaches, new industry developments, and all of Cisco's suggestions for how the state of the industry can improve.
And if this year's report excites you to take a more active role in your organization's security, have a look at how you can build your skill and confidence with some security or cybersecurity operations training.
Gary Pfitzer is a content manager at Learning@Cisco, focused on bringing various aspects of today's IT journey to light through business papers, blogging, customer success stories, and other writing.