Organisations are suffering security breaches in large numbers, but increasingly these breaches go undetected – leading to damage and data loss.
This was the warning given by Infosecurity Europe Hall of Fame inductee Dr Eric Cole.
Dr Cole, chief scientist at Secure Anchor, said that organisations often underestimate the volume of attacks being directed against them.
"So many organisations are broken into, but they are not detecting adversaries," he said. Attackers encrypt their traffic to defeat content inspection and stay below the radar. "We have set up crypto-free zones for customers. Now we can pick up a breach in 11 seconds, not 11 months, because we see the crypto."
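The "crypto-free zone" idea in practice: declare a network segment whose traffic is expected to be plaintext, then alert on any flow leaving it that looks encrypted. The following is an added example, not code from the article or from Secure Anchor; the zone address range, the flow records, the entropy threshold and the helper names are all assumptions made here for illustration. Two signals are combined: the TLS record header at the start of a client payload, and a byte-entropy estimate for encrypted protocols that do not announce themselves.

```python
"""Flag encrypted-looking flows that originate inside a declared crypto-free zone.

Added example (not from the article). Zone range, flows and thresholds are
assumptions; the flows below are constructed, not captured traffic.
"""
import ipaddress
import math
from dataclasses import dataclass

# Assumed: a legacy OT/server VLAN where every protocol should be inspectable plaintext.
CRYPTO_FREE_ZONES = [ipaddress.ip_network("10.50.0.0/24")]
ENTROPY_THRESHOLD = 7.0   # bits/byte; typical plaintext protocols sit around 4-5.5
MIN_SAMPLE = 64           # too few bytes makes the entropy estimate meaningless


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes   # first bytes sent by the client


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake), major version 3, minor 1..4."""
    return (len(payload) >= 3 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] in (0x01, 0x02, 0x03, 0x04))


def in_crypto_free_zone(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CRYPTO_FREE_ZONES)


def classify(flow: Flow) -> str:
    """Return 'tls', 'high-entropy' or 'plaintext' for one flow's payload sample."""
    if looks_like_tls(flow.payload):
        return "tls"
    if len(flow.payload) >= MIN_SAMPLE and shannon_entropy(flow.payload) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "plaintext"


def find_violations(flows):
    """(src, dst, dport, kind) for every zone-originated flow that looks encrypted."""
    violations = []
    for f in flows:
        if in_crypto_free_zone(f.src):
            kind = classify(f)
            if kind != "plaintext":
                violations.append((f.src, f.dst, f.dport, kind))
    return violations


# Constructed payload samples.
MODBUS_READ = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"        # plaintext OT
HTTP_GET = b"GET /status HTTP/1.1\r\nHost: historian\r\n\r\n"            # plaintext
TLS_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32  # ClientHello start
# Stand-in for ciphertext: every byte value equally frequent, so entropy is exactly 8 bits/byte.
CIPHERTEXT_LIKE = bytes(range(256)) * 2

SAMPLE_FLOWS = [
    Flow("10.50.0.12", "10.50.0.1", 502, MODBUS_READ),        # in zone, plaintext: fine
    Flow("10.50.0.12", "203.0.113.7", 443, TLS_HELLO),        # in zone, TLS out: alert
    Flow("10.50.0.30", "198.51.100.9", 8080, CIPHERTEXT_LIKE),  # in zone, opaque: alert
    Flow("10.20.1.5", "203.0.113.7", 443, TLS_HELLO),         # outside zone: expected
    Flow("10.50.0.12", "10.50.0.1", 80, HTTP_GET),            # in zone, plaintext: fine
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("ALERT crypto in crypto-free zone:", v)
```

The entropy test is a heuristic, not a proof of encryption: compressed archives and images score just as high, so in a real deployment the alert should carry the destination and port so an analyst can rule those out quickly. The point of the zone is that this triage happens over a handful of flows, not over every encrypted session on the network.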
But he said that organisations that fall victim to attack often share a "checkbox" approach to security: one that is well-intentioned, but not effective. "We need to make sure we are doing the right thing, not just doing good things," he said.
Over the last 10 years, attackers have "cranked up" the threat, moving from opportunistic, to much more deliberate attacks. Attackers have become more stealthy, but also more targeted. At the same time, organisations are falling victim to "accidental insiders", honest employees who make mistakes, as much as to deliberate and malicious intruders.
This, though, stems from the security culture in many organisations.
"Most organisations and most businesses are focused on functionality and making money, not on security," Cole said. Events such as the Heartbleed vulnerability, or Windows XP going end of life, are "game changers". "We have to assume no software is secure. It is about awareness." Companies should have learned from Heartbleed. "Any piece of software on the network is vulnerable… We are running our networks in way too open a way, with too much visibility. There should be isolation, to minimise risks if one system is compromised."
Failures in security, Cole said, can often be reduced to three areas: asset identification, configuration management, and change control. CISOs should check how well their systems handle all three areas.
"Go back to work and give yourself a grade. How do you rank in asset identification? What is plugged in? Do you know how systems are built? Is there a process for change? You need a solid foundation. If not, all the latest technology won't protect you."
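One way to turn the three questions above into a measurable grade, as an added example that is not from the article or from Secure Anchor: reconcile what is actually seen on the network against the asset inventory (asset identification), hash each system's live configuration against its approved baseline (configuration management), and check that every baseline deviation maps to an approved change record (change control). The inventory, observations, configuration texts and change records below are constructed for illustration, as are the function names.

```python
"""Grade asset identification, configuration management and change control.

Added example (not from the article). All inventory entries, observed hosts,
configuration texts and approved-change records are constructed sample data.
"""
import hashlib


def config_hash(text: str) -> str:
    """Stable fingerprint of a configuration file's contents."""
    return hashlib.sha256(text.encode()).hexdigest()


# Asset identification: CMDB export (assumed) vs. hosts seen in ARP/DHCP logs (assumed).
INVENTORY = {"10.50.0.12": "plc-01", "10.50.0.30": "historian", "10.20.1.5": "ws-finance-07"}
OBSERVED = {"10.50.0.12", "10.50.0.30", "10.50.0.77", "10.20.1.5"}

# Configuration management: approved baseline text vs. what is running now (constructed).
BASELINE_CONFIG = {
    "plc-01": "mode=run\nwrite_enable=0\n",
    "historian": "retention_days=365\nremote_admin=off\n",
    "ws-finance-07": "autorun=off\nlocal_admin=disabled\n",
}
CURRENT_CONFIG = {
    "plc-01": "mode=run\nwrite_enable=0\n",                       # unchanged
    "historian": "retention_days=730\nremote_admin=off\n",         # changed, ticketed
    "ws-finance-07": "autorun=off\nlocal_admin=enabled\n",         # changed, no ticket
}

# Change control: (host, hash of the approved post-change config) from the ticket system.
APPROVED_CHANGES = {("historian", config_hash("retention_days=730\nremote_admin=off\n"))}


def unknown_assets(inventory, observed):
    """Hosts on the wire that nobody has recorded: the answer to 'what is plugged in?'."""
    return sorted(ip for ip in observed if ip not in inventory)


def config_drift(baseline, current):
    """Hosts whose live configuration no longer matches the approved baseline."""
    return sorted(h for h in baseline if config_hash(current.get(h, "")) != config_hash(baseline[h]))


def unapproved_drift(drift, current, approved):
    """Drifted hosts with no change record approving the configuration they now run."""
    return sorted(h for h in drift if (h, config_hash(current[h])) not in approved)


def grade():
    """Fraction scores in [0, 1] for the three areas, plus the evidence behind each."""
    unknown = unknown_assets(INVENTORY, OBSERVED)
    drift = config_drift(BASELINE_CONFIG, CURRENT_CONFIG)
    unapproved = unapproved_drift(drift, CURRENT_CONFIG, APPROVED_CHANGES)
    return {
        "asset_identification": (len(OBSERVED) - len(unknown)) / len(OBSERVED),
        "configuration_management": (len(BASELINE_CONFIG) - len(drift)) / len(BASELINE_CONFIG),
        # No drift at all counts as full marks for change control.
        "change_control": (len(drift) - len(unapproved)) / len(drift) if drift else 1.0,
        "unknown_assets": unknown,
        "drifted": drift,
        "unapproved": unapproved,
    }


if __name__ == "__main__":
    for k, v in grade().items():
        print(f"{k}: {v}")
```

The interesting output is the evidence, not the score: an unknown host in the crypto-free OT range and a workstation whose local admin account was re-enabled without a ticket are exactly the findings the "latest technology" will not surface if the foundation is missing.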
But organisations also need to work to improve their incident response capabilities.
"I've noticed in the last three to five years that incident response has moved from 'nice to have' to 'must have'.
"Recognise you will get broken into; minimise the frequency and impact of attacks. If [you think] you haven't had an incident in the last 12 months, it's because you've not detected them." CEOs, he said, sometimes complain that they spend more on security, but are seeing more incidents. But this does not mean they are more vulnerable.
"What it means is you are gaining more visibility," he said.