Europeans face evolving cyberthreats. Defence strategies need to be robust and pragmatic

Cybersecurity is a complicated and constantly changing endeavor requiring robust security solutions and services such as cyber threat intelligence, automated incident response, and managed detection and response (MDR). But having all of these is not enough, according to Tope Olufon, senior analyst at Forrester, a leading global market research company.

At the ESET WORLD 2024 conference, Mr. Olufon also highlighted the importance of threat actor motives and the specific context in which cybersecurity solutions are deployed. He also kindly answered a few of ESET’s questions afterward.

Considering the fluid threat landscape together with cybersecurity context, it is not possible to say what the best product is or how, for example, a good threat intelligence report should look, according to Mr. Olufon.

“No matter how you slice and dice a threat intelligence report, what matters the most in the end is what it means for you, how you can use this and how this is going to make you more secure tomorrow, next week, or next year,” Mr. Olufon said.

Today’s threat landscape

Currently, the two most commonly reported attack methods are software supply chain breaches and software vulnerabilities, as organisations hit by those attacks tend to have noisy and opaque system environments, according to Forrester. 

This means that companies still struggle to achieve good visibility of their IT assets and are flooded by numerous false positive detections. “The visibility needed to define your organisational needs and to set a context for cybersecurity investments is missing,” Mr. Olufon said.

Here are the biggest information/IT security challenges noticed by Forrester:

  • Receiving too many false positive detection alerts
  • Lack of comprehensive IT asset visibility
  • Complexity of IT environment
  • Inability to measure the effectiveness of a security program
  • Receiving too many detection alerts

Besides these internal challenges, organisations also need to adapt to current external trends: geopolitics is a lot more significant, since previously “insulated” sectors such as health care are now prime targets for threat actors, and the global skills gap means that things will get worse.

“It is an asymmetric playing field,” Mr. Olufon said, stressing that it doesn’t mean that those more vulnerable organisations are hopeless. “While there are, of course, some constraints, those organisations can start from somewhere. Organisations can start with creating an asset inventory, identifying what they have. The only way to eat an elephant is one fork at a time and that’s how you approach cybersecurity regardless of industry.”

Another thing that organisations need to consider is threat actors’ motivation. There are threat groups that go only for their targets’ money, but others want to stir political instability, or disrupt critical infrastructure.

To understand the current threat landscape and be prepared for upcoming threats, organisations should use cyber threat intelligence. However, many of them struggle to incorporate the compiled information into their security programs.

“In those organisations, the threat intelligence is something you pay for and show to the board at quarterly meetings. ‘We noticed 1000 samples of this attack,’ that doesn’t really mean anything,” Mr. Olufon said.

Therefore, threat intelligence needs to be contextualised and the right stakeholders need to be identified.

Responding to incidents

Despite cybersecurity companies investing a lot into prevention, organisations need to anticipate that something bad is going to happen. Therefore, incident response (IR) capabilities are a key part of cyber defences.

Successful incident response means that a threat is mitigated quickly, and a targeted company doesn’t lose money or customers. But this is easier said than done. Currently, organisations face several challenges when putting proper IR into practice:

  • Risks grow exponentially, but resources do not. Talent and tooling need to constantly evolve.
  • Data sovereignty requirements make data collection and storage a complex issue because local data residency requirements could constrain organisations’ capabilities.
  • Evolving privacy requirements introduce new complexities to employee activity monitoring as privacy requirements in some countries make data collection difficult.
  • Threat intelligence feeds are poorly integrated. Threat-hunting efforts are also rudimentary. 

All this sheds light on the importance of MDR. Its essential component is Endpoint Detection and Response (EDR), which brings to the table the ability to respond to an incident both while it is still occurring and immediately after. Other important MDR components are threat-hunting capabilities.

“Human-driven threat hunting capabilities to be precise. Because what we have seen in the market is a lot of vendors saying that they have AI-driven threat hunting. But that is not sufficient, as AI is still just an enabler,” Mr. Olufon said.

Finally, MDR should use automation because threat actors are very good at automation too, and MDR should help achieve a balance of powers.

But again, context is important. An MDR provider should also be able to bring contextual recommendations to improve an organisation’s security posture, for example by helping it to identify not only vulnerabilities but also smaller mistakes that lead to cracks in defenses.

Securing the future

All of this is good for today, but organisations need to look to the future and anticipate what is going to happen over the next months and years.

We can already see concepts like edge intelligence, TuringBots, or extended reality, and organisations certainly don’t want to fall behind threat actors when they start to use these new technologies.

Let’s take cloud computing as an example: “A lot of companies still don’t have a cloud security strategy, but we have had cloud since 2006 and IT teams have been leveraging the cloud since then. Security teams started to take it seriously in 2016, ten years later, while still trying to treat the cloud as an emerging tech. It doesn’t really work that way,” Mr. Olufon said.

Conclusion

To sum up, the adversaries’ motivation and their capabilities are evolving, and they are very good at automation and at finding vulnerabilities in their targets’ systems. On the other hand, organisations often struggle with deploying automated cybersecurity solutions and don’t have good visibility into their systems.

Especially in the case of more vulnerable organisations, such as healthcare or charity organisations, all these challenges make the cyber environment rather asymmetric. That is why organisations need to be smart about how they plan their defense strategies, how they adjust their budget, and how they make the most out of the cybersecurity solutions they have deployed.