Regardless of whether or not US based companies want to admit it, 3 out of every 10 end users has had their mail credentials exposed by malicious actors, malware, viruses or through the use of insecure networks. Why then are these companies so bold as to think that they have not been breached?
A recent review of malicious actors has shown that in many cases companies will not even know that they have been breached. During a recent review of a server that was compromised and used to exfiltrate data from some of the largest companies in the US, nearly 3 out of every 10 companies credentials were present on the system. Of the companies that we work with, we were able to confirm that the credentials were current or recent. Meaning that even with adequate policies in place for password changes, that the threat actors could have leveraged this information to obtain illegal access to the companies confidential information.
Most don't care
Most of the companies we have spoken to have flat out denied that the information presented was valid (even when we went to executives and validated the information ahead of time). This points to a much larger issue in that security professionals are expected to deny anything as once it's confirmed, it is costly for companies to deal with the overall security issue. We had purposefully gone around middle management and directly to several board members at a few companies to test a theory. We believed that when confronted with information that middle management would deny the information and not report it to the board members. Guess what?! We were right!
The biggest issue is that security personnel are trained from early in their careers to deny, deny and then deny again. The problem with this approach is that the CISO may never become aware of the security issue and the problem will continue. The bigger issue is that since the issue hasn't been resolve, that information from the company may be accessed by unauthorized third parties.
Even if your security teams do detect the breach or loss of credentials or proprietary information, culture may cause companies to deny to the point of exhaustion when just as easily they could have resolved the issue and moved on. Remember the issues at Uber? We do too!
Too good is just that, too good - And costly if you make money from incidents
Another recent finding is that when we have tried to market our solutions to managed service providers, many of them told us that if we cut their service calls down by 70% that they would lose income. Instead of purchasing solutions that actually render malicious content safe, they would rather continue having infections so they can roll out the incident response teams and bill big bills for services that would not have been needed if they had our FirstWatch technology in place.
We get it, companies are making millions off of their customers but at what cost? The best thing that could happen here is that once attacks and malware are better prevented that your security personnel can shift left and work on threat intelligence within your organization. You see if your products are stopping infections, your organization can shift to a role that involves looking at specific attacks on your organization an getting away from chasing the never ending commodity malware fight. If you can eliminate the headaches of many of the viruses and malware threats, then you can concentrate on non cyber attack vectors which are sometimes more damaging in the long run such as insider threat issues, theft of intellectual property and workplace security issues.
Remember that just like war, security issues keep budgets in place, keep people employed and ensure that the security apparatus functions. Many companies are not willing to do better. They need a certain number of incidents and in the end, that will be their downfall. It's only a matter of time that the company can't recover from a large attack that cost them their profits and ultimately their business. Technologies can be used to do grave harm and damage to a competitor or the nation of residence of the enterprise, their Government or the security teams that keep us all safe.
Sometimes being too good cuts profit, but companies need to actually want to make their customers more secure. Most managed security providers need incidents or else they will not survive.
The Threat of Big Data
In short years ago when information was disclosed that was damaging in nature, eventually you could recover and that information would go away. With the advent of unlimited storage and cloud services, information never dies. Once a piece of information is out there it can literally be stored indefinitely. While big data allows companies to do more with less and store large amounts of data for long periods of time. It also creates the issue of information lifespan whereas in the past if a companies information somehow leaked, the lifespan of harm that could be caused by that leak was only temporary. If the company could just hold on long enough for people to lose the information, it was gone forever and could be forever denied.
Today data lives forever. Once something is on the Internet or stored in a cloud it remains there. The bad pieces of information or even good pieces of information can be correlated over time and be used by bad actors to build a picture of the overall competitor that damages the competitor, Government or others long into the future. Analytics are making it possible to connect seemingly unrelated pieces of information into very large and complex bodies of work that can be used for good and evil.
Think about it this way. At Jigsaw Security we have threat intelligence that we started collecting in 2008 through today. In our case we are using this vast amount of information to keep our customers safe and to build out analytics to find methods and connections between attacks that we have observed. In that same vein, companies could use vast amounts of news, information, technical documents of their competitors and other information to build vast amounts of business intelligence that could be used to attack their competitors. Whereas in years past companies only had limited resources to process data, today some large companies rival the intelligence services of some third world nations. In addition those smaller countries now have a way to process the information that only 10 years ago would have been impossible. In short the technology is allowing virtually anyone to be able to build and operate intelligence apparatus without restrictions that can be used for good or evil. While technology advancements have saved companies lots of money, it is creating issues for Governments, large businesses that now have to worry about smaller businesses gaining a competitive advantage or the vast amounts of data having to be protected which makes computing and security all the more challenging.
Everything that is good can be used to protect or can be made to do harm if used by bad actors.
Conclusion
Basically the point of this article is to explain that with advancements comes new risk. Things are changing so fast that it is hard for organizations to keep up. For every single technology break through, there are bad actors that will leverage the same methods as the good guys to do harm. This shift in technology is problematic well into the future. We really want Managed Security Providers to buy technologies that prevent attacks. Just because you stop more attacks and are more effective does not mean that you will lose income. You just have to charge your customers for the number of varifiable saved infections and make it more cost effective than your incident response and protect more customers to make up the difference.