It's time to move away from the reactive detect-to-protect cybersecurity model, says security firm Bromium.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- The average large (2,000+ people) enterprise spends $16.7 million annually on security software and salaries of the professionals who maintain it. Despite that, the ability of traditional security software to protect businesses isn't improving.—Bromium
- Isolating network resources and virtualizing machines is one solution, and the other is implementing a zero-trust security model. —TechRepublic
The average large enterprise spends $16.7 million annually on security software and the people who run it, yet it just isn't working, revealed a report from security firm Bromium (registration required).
The cost of cybercrime has risen 62% in the past five years, and with 2017 being the worst year on record for data breaches it's hard to disagree with Bromium's simple analysis of the situation: Currently available cybersecurity tools aren't working.
As previously reported by TechRepublic, Bromium isn't alone in its pessimistic assessment of the reactive cybersecurity model. "A new, proactive approach combining technologies, procedures and education can help find problem areas before attackers discover them," Seth Robinson, senior director of technology analysis for CompTIA, said in a press release.
Where the money is going
Bromium breaks the $16.7 million cost down into two major categories: security software and the humans needed to operate and maintain it.
Software costs only account for an average of $345,700 for a large (defined in the study as at least 2,000 people) enterprise. That further breaks down as:
- $160,000 per year on advanced threat protection (ATP) software. ATP is defined as security software that uses AI and machine learning to detect abnormal behavior as an indicator of security compromise.
- $44,000 per year on traditional or next-gen antivirus software. Both, Bromium said, are insufficient at defending against increasingly common polymorphic attacks.
- $30,000 per year on whitelisting/blacklisting solutions. Both solutions require a large amount of manual work to build lists and maintain them when new threats are found and permissions are granted.
- $112,200 per year on detonation environments—sandboxes for checking the legitimacy of weblinks, which account for 46% of attacks, according to the report.
The human cost of maintaining cybersecurity systems is where nearly all of the cost is going—it accounts for the other $16.3 million of the average enterprise security expenditure. The breakdown for this category is as follows:
- $16 million per year on security alert triage. Security software is bombarding security operations centers with false positives—an average of 796 per week, Bromium found. Because investigating alerts is essential, lots of highly paid time gets wasted.
- $96,059 per year rebuilding infected machines. When an infection happens, most professionals will take the safe route and reimage. At an average of 4 hours per device and 51 device per month, the costs quickly add up.
- $30,000 per year on emergency patching. More and more vendors are releasing emergency security patches outside of normal cycles, which is leading to an extra 780 hours per year spent rolling out patches.
- $19,900+ per patch for outside expenses and overtime. Bromium found that third-party contracting for the installation of security patches is common, as is paying overtime to a team member to stay after hours to install emergency patches when it won't interrupt work.
Changing the security mindset
Bromium's biggest suggestion for improving enterprise cybersecurity is application isolation and VM isolation, which is unsurprising considering it's their main product.
What Bromium proposes is a kind of zero-trust networking, which many see as the way forward for cybersecurity.
SEE: Incident response policy (Tech Pro Research)
By virtualizing machines and providing access to data and resources only as needed, there is much less risk of infection or compromise. Zero-trust networks don't assume anything about the state of a user's end point machine, and while setting up a zero-trust infrastructure is a lot of effort, it may be the only way to head off cybersecurity threats.
Hackers are getting better at defeating security software, and the software simply isn't keeping up. It's time to invest in a new paradigm that, while it may be costly up front, could save a lot of time and headaches in the future.
- IT pro's guide to effective patch management (free PDF) (TechRepublic)
- When someone says to me 'I've found the silver bullet'... (ZDNet)
- The best security? Have Zero Trust, says expert (TechRepublic)
- New alliance advocates the blockchain to improve IoT security, trust (ZDNet)
- 5 steps leaders can take to improve cybersecurity in their organization (TechRepublic)