Cisco released its 2018 Annual Cybersecurity Report (ACR) on Feb. 21, revealing insights from its own efforts, as well as a survey of 3,600 Chief Information Security Officers (CISOs).
Among the high-level findings in the 68-page report is that 39 percent of organizations stated they rely on automation for their cyber-security efforts. Additionally, according to Cisco’s analysis of over 400,000 malicious binary files, approximately 70 percent made use of some form of encryption. Cisco also found that attackers are increasingly evading defender sandboxes with sophisticated techniques.
“I’m not surprised attackers are going after supply chain, using cryptography and evading sandboxed environments, we’ve seen all these things coming for a long time,” Martin Roesch, Chief Architect in the Security Business Group at Cisco, told eWEEK. “I’ve been doing this for so long, it’s pretty hard for me to be surprised at this point.”
Roesch did note however that he was pleasantly surprised that so many organizations are now relying on automation, as well as machine learning and artificial intelligence, for their cyber-security operations.
“If you want to make use of a lot of security data quickly, you have to make use of a fair amount of automation,” Roesch said.
Roesch also noted that the ACR highlights the fact that organizations are using more cyber-security products from more vendors than ever before. In 2017, 25 percent respondents reported that they used cyber-security technologies from 11 to 20 vendors, up from 18 percent in 2016.
Exposed Systems
Among the different types of security concerns analyzed in the ACR is the issue of exposed development systems. Franc Artes, Architect, in the Security Business Group at Cisco said that DevOps servers including MongoDB, CouchDB, Memcache and Elasticsearch were left wide open by organizations in 2017, enabling potential attackers to easily extract information.
“We see that DevOps organizations are building quickly, but while they are scaling they are not unfortunately making sure they have hardened their systems,” Artes said.
Cisco’s ACR also examined the issue of cyber-security alerts and how organizations respond to them. Cisco found that 93 percent of organizations had at least one security alert in 2017, though only 56 percent of alerts were actually investigated. Looking at the alerts that were investigated, Cisco reported that only 34 percent were considered to be legitimate.
Getting alerts is one thing, while actually being able to detect real threats is another. A key metric that Cisco tracks for itself is the time to detection (TTD) for threats. In 2016, Cisco reported that its annual median TTD for new threats was 14 hours. That figured improved significantly in 2017, dropping down to 4.6 hours.
“We’re very focussed on our time to detect malware with our technology,” Artes said.
Correspondingly Artes said that there was a 10x increase in the number of observed threat samples in 2017 over 2016. As it turns out, the higher volume of threat samples has actually helped to improve the TDD as the increased data volume have allowed Cisco’s cloud-based technologies to learn faster.
Recommendations for Improved Security
There are a number of different things that organizations can do to improve cyber-security, including regular patching to mitigate known threats. Artes said that organizations need to get the basic “blocking and tackling” of cyber-security in place, which includes patching, to form a basis for risk mitigation.
Artes noted that Cisco also recommends that organizations review and practice security response procedures. Testing restoration procedures as well as regular data backups are also good security best practices. Overall, Cisco’s advice is for organizations to be more prepared for security incidents before they happen with proper testing and policies.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.