Security teams make four “impossible” trade-offs when fending off threats. They must decide which attacks to prioritize; choose which vulnerabilities to fix; optimize prevention or detection controls, and finally decide what to log and what to warn about. So reports Picus Security following a report released this month.
Based on an analysis of more than 14 million simulated cyber attacks, the report’s authors highlight four “impossible trade-offs” that constrain the ability of today’s security teams:
Priorities
On average, organizations’ security measures (such as next-gen firewalls and intrusion prevention solutions) prevent only six out of every 10 attacks. However, some attack types are prevented much more effectively than others. For example, organizations can prevent 73 percent of malware downloads but only 18 percent of data exfiltration attacks.
Organizations also prevent less than half of complex multistage attacks. This is particularly troubling in light of earlier findings this year that showed more than one-third of malware samples exhibit 20 or more attacker tactics, techniques, and procedures (TTPs).
The study also shows wide variations in the ability of organizations to prevent specific threats. Over one-third of organizations can prevent Black Basta and BianLian ransomware attacks, for example, but only seventeen percent can prevent Mount Locker. This is even though this malware emerged in 2021 before the other two malware attacks.
Vulnerabilities
The report also highlights the limitations in security teams’ approaches to managing common vulnerabilities and exposures (CVEs). Analysis of the simulated attacks shows that the list of top 10 CVEs to which teams remain most exposed includes mostly critical and high-risk vulnerabilities, as well as CVEs that have been known for years. Some CVEs discovered in 2019 remain a threat to more than 80 percent of organizations.
Prevention or detection checks
In general, the better an organization is at preventing threats, the weaker it is at detecting them, and vice versa. Globally, for example, healthcare is the least effective sector in preventing attacks but is twice as successful as the average organization in detecting them. North American organizations are almost twice as successful at preventing attacks as they are at triggering alerts to detect attacks.
What to log and what to warn about
Organizations using security event and incident management (SIEM) solutions also face decisions about how much to invest in attack detection. In most cases, organizations routinely prioritize logging over alerting, but they do neither very well. Simulation data shows that, on average, organizations log four out of 10 attacks but generate alerts for only two out of 10 attacks.
“Like a too-short blanket that only covers one’s head or feet, security teams can only devote their time, money, and resources to a limited number of problems at once,” said co-founder and VP of Picus Labs, Suleyman Ozarslan. “But by taking a more unified approach that combines insights from attack simulations with data on attack surface and vulnerabilities, security teams can efficiently and effectively allocate resources to address their most critical exposures. This allows them to simultaneously improve their ability to prevent and detect attacks, rather than compromise.”