Threat Intelligence - Old Habits Die Hard
As we move through 2019 at a fast pace, one thing is certain: breaches, intellectual property theft and other attacks are happening at an alarming rate, and even though technology is improving, we still cannot fix many of the very human issues that cause breaches and security incidents in the first place. It is no surprise that Kevin Mitnick was so successful at getting into computer systems without authorization by exploiting the human side of the equation. Even with proper training, automated defense, firewalls and anti-virus, attacks continue and will continue. What is not as well known in the industry is that many of these attacks start out with social engineering or crafted phishing exercises that try to gain a foothold by exploiting the human element. This is no different from walking into a casino. Sure, it's fine if you're the casino operator with the edge, but eventually everybody who comes through that door will run out of money at some point; the probabilities take over and you end up broke. The same holds true for breaking into computer systems. The more you focus your attacks on the human element, the higher the probability that somebody will click that malicious link or infect themselves with the attacker's malware. It's only a matter of time.
As we move into our 4th year at Jigsaw Security we are starting to see a trend. Traditionally we have sold our solutions to managed security providers that use our technology and data to protect their clients without having to spend years of development time to get to a working solution. In many cases we have our MSP partners up and running with our solution in a few days, and yet we are starting to see that MSPs are not very happy with us. Normally this would be a bad thing, but lately we have been getting pushback on some of our technologies because they work extremely well. Not to pick on our MSP customers, but here are some of the reasons we have run into when trying to sell our solution to these customers:
We make 75% of our profits from incident response; if we use this solution we will have to lay off our staff
The system is blocking legitimate traffic (more on this in a second)
The cost is too high to implement the solution
These are some of the excuses we have heard, and I'll call them excuses for now, but the reality is that there is a much larger problem in play here. For a very long time many of these Managed Security Providers have been operating on a "spot it, respond, get paid" model, whereas they should be operating on a model of preventing attacks from happening and getting paid for the absence of infections, instead of getting paid large incident response fees. The industry leader FireEye sort of set the industry in motion with its $400/hr incident response rates (and in some cases much more). The problem with this is that it sets an expectation that there will be breaches and that they will be costly, instead of stopping the infections in the first place. If you do your job right, there will be very few incidents to respond to. That's our view on it; tell us if we are wrong here.
I would much rather get paid for my success than for my failures, but that doesn't sit well with the bean counters. Guess what? It doesn't sit well at all with me either. I have seen our solution completely eliminate most if not all cyber security issues; then we can focus our efforts on insider threat, intellectual property theft, fraud, waste and abuse. Cyber will still need to be managed, but it can be managed in such a way as to not take advantage of customers when they are at their low point, after an attack has occurred.
Another issue is that many providers are spending 80% of their budget on cyber security solutions when cyber security issues only account for 30% to 45% of incidents in most organizations. Why does cyber get the majority of the budget? Because when something goes wrong it's visible, which tells me that many companies are hiding their non-cyber-related incidents but that those incidents are still occurring. This is not the way to do business. It's not ethical, and it hurts your customers by taking large sums of money from them when they are at their worst, money that could be better used to focus on the human element, which is far more vulnerable than your cyber security infrastructure.
If you break down the areas of attack (seen above in our patented Jigsaw Threat Mitigation Model) you will see that there are 6 core areas (phases of concern). So if we use this as our basis for deciding where the CISO's money should be spent, it would be 16-17% of the security budget per phase. Note that 2 of these areas are cyber related, and they account for 32% of issues. So that means that at most your CISO should be spending no more than 32% of the budget on cyber-related issues. The industry average is that 78% of the budget is spent on cyber.
One of the things we hear often is "your solution is blocking legitimate traffic". No, that's not correct. Our system blocks the locations that host malware and ransomware. In order to ensure you are protected, from time to time legitimate resources are blocked until they are cleaned up by their owners. So if we are blocking a popular site (a specific GitHub project, for instance) we are doing it for a valid reason.
Another thing we often hear is that our "cost is too high". The cost is actually lower than that of competing solutions. In fact, because of how we protect networks (DNS and heuristics), the cost to roll out our solution is far lower than anti-virus, firewalls and other obsolete technologies. The real cost is when your proprietary data starts showing up elsewhere and Chinese competitors are producing the same product you have, with slight changes, for pennies on the dollar compared to what it cost you to develop, prototype, test, manufacture, market and sell your product.
We really hope that in 2020 we will see a shift away from rewarding these security companies for their failures. Ask yourself this question: I have the "best" incident response company in the world; what would happen if they did their job and I had 95% fewer infections? How much time and how many resources could I save? Could I make better use of my talented employees by ensuring staff are fully trained to prevent attacks on our most vulnerable asset, our employees?
In short, we have threat intelligence, but not all threat intelligence is created equal. 65% of the companies we surveyed last year said that they are only using threat intelligence to hunt for malware. This tells me that if I wanted to get into 65% of these companies, all I would have to do is create malware that nobody has ever seen or reported to anti-virus before, and I could maintain a foothold for months or even years. This is what is occurring, and companies are not even aware that they are infected. Professional hackers will never reuse code or malware; it's too risky for them. The true threat out there is the private intelligence agencies that work for smaller countries, or smaller companies that target their competition and never get caught, spying and stealing intellectual property. Threat intelligence can't stop any of that, yet it's still being sold.
The problem with threat intelligence is that it is defined differently by whoever is interpreting the definition. Threat intelligence is living data; it changes by the minute. Hosts come and go, yet companies don't update their data. It's a problem we have solved with the Jigsaw MSP solutions.
For more information or to get a demo of the Jigsaw Security Enterprise platform, please call 800-447-2150 Ext. 6 and we will get you set up with a security product specialist. Once you see how our products work, you'll throw out your firewalls and anti-virus because they are highly ineffective and not keeping you safe. I challenge you to let Jigsaw Security try to penetrate your network: if we get in, try our products; if not, we go away and never bother you again. It really is that simple, and easier than our competition's definition of "threat intelligence". Give us a shot; we get paid for our success, not our failures, and that's what sets us apart from a messed-up industry known as "cyber security".