Over the course of 2015, the overall level of confidence that organizations had in how secure they were declined marginally from 2014, according to Cisco’s 2016 Annual Security Report. The decline in confidence in companies’ ability to determine the scope of network compromises and to remediate damage comes as vulnerabilities remain commonplace, though Cisco has found some positive trends, including the increasing use of automatic patching for software.
“The data shows that organizations are not feeling as confident about security as they were even a year ago,” John Stewart, Cisco’s chief security officer, told eWEEK.
Last year, Cisco’s security report found that, for 2014, 64 percent of organizations were confident in their security tools and processes, while in 2015, that level declined to 59 percent.
Cisco’s research over the course of 2015 also identified the trend of increasingly sophisticated attack infrastructure.
Attackers are now making use of actively maintained and monitored infrastructure that is able to rapidly scale up and is also failure-tolerant, Jason Brvenik, principal engineer in the Security Business Group at Cisco, explained. “Attacker infrastructure is now being designed and built to be resilient against attacks,” Brvenik told eWEEK.
Cisco researchers were active in 2015 in helping take down attacker infrastructure, most notably a large part of the Angler exploit kit. In October, Cisco assisted in the shutdown of Angler exploit kit infrastructure that was generating as much as $30 million in revenue per year for the attackers.
Outdated software remains a major risk, according to the report. Cisco looked at a sample of Internet-connected infrastructure and found that 92 percent of devices had at least one known security vulnerability. That said, Brvenik noted that there is a solution to the challenge of certain classes of outdated software: auto-updating mechanisms. Most modern Web browsers now provide some form of auto-update mechanism that can solve part of the issue of running old software.
Also on the positive front is a continued focus on security training that has grown year-over-year. Cisco found that 97 percent of security professionals in 2015 said they conducted security training at least once a year, an increase from 82 percent in 2014.
The time to detection for Cisco’s customers to identify a breach is also improving. In Cisco’s 2015 Midyear Security Report, the time to detection was reported at 46 hours, which by October 2015, improved to 17.5 hours as the median.
“The time to detection metric tells you your window of opportunity to respond to an active breach,” Brvenik said. “17.5 hours is still not good enough, but it’s a vast improvement.”
Stewart has a few ideas on how things can or should change in the future to help improve the level of security confidence that organizations have. Stewart commented that awareness of security risks just needs to turn into strategy and execution by enterprises to limit those risks. He also suggests that security organizations need to connect senior management with business metrics on how to improve the status of security. One such metric is continuing to work on and improve the time to detection for a breach.
“We have to put proof into the pudding and say we’ll prove to you that, in fact, here’s how we’re making progress and here is what the effect of that progress is,” Stewart said.
Looking forward to 2016, Stewart emphasized that unlike other areas of Cisco’s business that produce multi-year forecasts (such as the Visual Networking Index), the company does not make predictions on the future of attacks. With security, the adversaries are active and there are many unknown variables that constantly shift. “I suspect that there is no end in sight to attacks,” Stewart said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.