
We Asked, They Answered: Hot Topics CISOs are Concerned About


Our team has had the opportunity to sit down with several CISOs to discuss their current security challenges, and we’ve heard their concerns loud and clear:

Their teams are overwhelmed by a growing attack surface that malicious actors target with increasingly sophisticated tactics, and as leaders they are struggling to balance this on top of their other security priorities to protect their organizations from these growing threats, all with less budget.

It’s a monster task and one they don’t take lightly.

We appreciate the candor these leaders provided directly about ways they can protect their organization, customers, and bottom line using darknet insights, and we want to pay it forward by offering our perspective on some of the top-of-mind topics for security executives and solutions that may make these challenges a little bit easier to overcome. Here we offer the first in a set of two blogs covering these topics from our conversations with CISOs.

The Common Denominator: People are an Underlying Problem for Enterprise Security

If you follow SpyCloud, you know we’ve been talking a lot about malware recently – because while it tries to be sneaky and undetectable on a user’s device, it is the fastest-growing invasive cyber tactic out there and organizations are struggling to combat it. The threat of infostealer malware lies in its ability to extract credentials, web session cookies, and other valuable data (think PII) that can be used to launch account takeover (ATO) and follow-on ransomware attacks, yet today’s malware infection incident response typically takes a device-focused approach rather than an identity-focused one.

The threat of malware is not going away, and human behavior is unfortunately not helping the situation. One way bad actors launch malware is through phishing, and CISOs told us they are observing greater sophistication in phishing attempts that are indistinguishable from legitimate correspondence. Another social engineering tactic on the rise is Business Email Compromise (BEC) attacks in which bad actors use stolen credentials to masquerade as high-ranking executives, making urgent requests for large payments or gift card purchases, soliciting credentials, or sending malicious links to launch malware. Phishing and pretexting attacks like BEC were the top two social engineering actions in 2022 according to the Verizon 2023 Data Breach Investigations Report, with email being the delivery method in 98% of these incidents.

In an environment where employees are overwhelmed and sometimes don’t pay attention, someone might accidentally click that malicious link or download that encrypted file, causing headaches for themselves and the organization.

The impacts of human behavior go beyond falling for social engineering tricks. Employees who use under-managed devices that aren’t current on security policies, or unmanaged personal devices that aren’t within the IT security team’s purview, create a blind spot for security practitioners and leaders. Furthermore, unapproved applications or services (shadow IT) are often used innocently but create “shadow data” that again falls outside of traditional security oversight. All these instances create yet another entry point into your organization, leaving an opening for criminals to exploit with malware.

The human element was involved in nearly 3 out of 4 breaches last year, according to Verizon. With bad actors continuing to take advantage of human behavior and employees continuing to be an unwitting insider threat, awareness of the entry points for malware infections that lead to full-blown security incidents is just one way CISOs and their teams can protect their organization.

All Eyes on What You Can’t See

Remote work and the increased use of cloud applications to perform business functions expand the attack surface of organizations, leading to more blind spots and more opportunities for Security Operations Center (SOC) teams to miss threats. However, they can’t be expected to protect what they can’t even see, which is why CISOs acknowledge that visibility into these key areas is critical for protecting the enterprise.

For instance, browser synchronization allows users to save their account authentication details in a browser on one device and then access them from another device. While this adds convenience in a hybrid work environment, it also opens a critical gap in your organization: consider an employee accessing work accounts and systems from a relative’s personal device that is unknowingly infected with infostealer malware. The malware exfiltrates the user’s credentials and all active web sessions, including the unsuspecting employee’s access to critical corporate cloud applications. With this information in hand, bad actors can hijack those sessions and log into your network, masquerading as a legitimate user. This ties back to the previously mentioned shadow IT and shadow data: security teams need better visibility into all devices that have access to networks and systems, whether they are corporate owned or otherwise.

When it comes to exposed cloud applications, think online email and office applications, cloud hosting environments, customer relationship managers (CRMs), payroll management, video conference platforms, source code repositories, and much more. Just one exposed SSO credential could give criminals incredible levels of access to corporate data. For example, our latest Fortune 1000 Identity Exposure Report shows that SpyCloud recaptured a total of 223,098 credential pairs exfiltrated by malware that specifically allow access to over 56,000 cloud-based applications, giving bad actors unfettered access to your organization. Since these third-party applications are typically outside of IT’s control, their exposure is a blind spot for most enterprise security teams.

So Many Alerts, So Little Time: Automation Helps SOC Teams Prioritize Time and Resources

We weren’t surprised to hear automation pop up in discussions with security leaders since The CISOs Report: Perspectives, Challenges and Plans for 2022 and Beyond revealed that 41% of surveyed CISOs included automation in their top three goals.

Our conversations with these security leaders revealed that alert fatigue is real for SOC teams and automation is a critical factor in deciding whether to add yet another tool to the security stack. With so many threats on the horizon and various tools tasked with monitoring said threats, SOC teams can receive hundreds of alerts each day. Triaging these alerts can cause consternation:

Which alerts are priority?
Which alerts are reputable?
Which alerts cannot be ignored, thus triggering additional action from the team?

Rather than having SOC teams spend the bulk of their time addressing alerts that turn out to be false positives, awareness of threats outside of corporate oversight can help them reduce mean-time-to-discovery (MTTD) and achieve more effective incident response.

We understand that automation goes well beyond security alerts. For example, manually monitoring for and detecting stolen data such as compromised credentials and session cookies found on the darknet is nearly impossible for security teams. That’s why automation is a key factor for SpyCloud customers like Atlassian, who use our solution to quickly detect compromised credentials and remediate them automatically with SpyCloud’s fresh, actionable breach data and malware bot logs at their fingertips. The same is true for EUROCONTROL, which automates activities, responses, and analysis with SpyCloud solutions so its teams can be more efficient and focus on other value-added projects.

Another consideration when it comes to automation is that you can’t think of it as something that involves no human interaction. Yes, security executives, leaders, and practitioners all champion automation, but it isn’t “free.” Automated security solutions are part of a process that takes people to build, care for, and feed. And the automation is only as good as the data it accesses and processes; SOC teams need enough confidence in their data to let machines take action if they are to achieve truly efficient automation.
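To make the triage questions above (which alerts are priority, which are reputable, which demand action) and the automated credential remediation concrete, here is an added example, not code from SpyCloud or any customer mentioned here. It takes an identity-focused view of exposed-credential alerts: each record from a constructed darknet/malware-log feed is checked against a constructed directory snapshot, scored on whether it came from an infostealer, whether live session cookies were captured, whether the exposed password is newer than the user's last password change, and how fresh the exposure is, and then mapped to the remediation actions the text describes (invalidate sessions, force a password reset, investigate the device). The feed fields, scoring weights and thresholds are all assumptions for illustration.

```python
"""Identity-focused triage of exposed-credential alerts.

Added example. The record shape, field names, scoring weights and
thresholds are constructed for illustration; they are not SpyCloud's
API, data model or methodology.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic.
NOW = datetime(2023, 9, 1, tzinfo=timezone.utc)

# Constructed sample feed records for a monitored corporate domain. Not real data.
SAMPLE_EXPOSURES = [
    {"email": "alice@example.com", "source": "infostealer", "password_plaintext": True,
     "session_cookies": ["sso.example.com", "mail.example.com"], "seen": NOW - timedelta(days=1)},
    {"email": "bob@example.com", "source": "breach", "password_plaintext": False,
     "session_cookies": [], "seen": NOW - timedelta(days=800)},
    {"email": "carol@example.com", "source": "breach", "password_plaintext": True,
     "session_cookies": [], "seen": NOW - timedelta(days=10)},
    {"email": "former@example.com", "source": "infostealer", "password_plaintext": True,
     "session_cookies": ["sso.example.com"], "seen": NOW - timedelta(days=2)},
]

# Constructed directory snapshot: is the account active, and when was its
# password last rotated? Both decide whether an exposure is still actionable.
DIRECTORY = {
    "alice@example.com": {"active": True, "password_changed": NOW - timedelta(days=30)},
    "bob@example.com": {"active": True, "password_changed": NOW - timedelta(days=5)},
    "carol@example.com": {"active": True, "password_changed": NOW - timedelta(days=90)},
    # Former employee: account disabled, so there is no live identity to take over.
    "former@example.com": {"active": False, "password_changed": NOW - timedelta(days=400)},
}


@dataclass
class Alert:
    email: str
    severity: str
    reasons: list
    actions: list


def triage(exposure, directory, now=NOW):
    """Score one exposure record and decide the remediation actions.

    Returns None when the record is noise: the account is unknown or
    disabled, or nothing about the exposure is still usable by an attacker.
    """
    acct = directory.get(exposure["email"])
    if acct is None or not acct["active"]:
        return None
    reasons, actions, score = [], [], 0

    # Infostealer origin: the device that produced the log is probably still infected.
    if exposure["source"] == "infostealer":
        score += 3
        reasons.append("credential came from an infostealer log; source device likely still infected")
        actions.append("open device investigation")

    # Captured session cookies bypass the password entirely, so revoke them first.
    if exposure["session_cookies"]:
        score += 3
        reasons.append("active session cookies for " + ", ".join(exposure["session_cookies"]))
        actions.append("invalidate sessions for " + ", ".join(exposure["session_cookies"]))

    # A plaintext password only matters if it is newer than the last rotation.
    stale_password = acct["password_changed"] < exposure["seen"]
    if exposure["password_plaintext"] and stale_password:
        score += 2
        reasons.append("plaintext password is newer than the last password change")
        actions.append("force password reset")

    # Recency: fresh exposures are more likely to be in active use by criminals.
    age_days = (now - exposure["seen"]).days
    if age_days <= 30:
        score += 1
        reasons.append(f"exposure is {age_days} days old")

    if score == 0:
        return None  # e.g. an old breach whose password was already rotated
    severity = "critical" if score >= 6 else "high" if score >= 3 else "medium"
    return Alert(exposure["email"], severity, reasons, actions)


def triage_feed(exposures, directory, now=NOW):
    """Triage a whole feed and return the actionable alerts, most severe first."""
    alerts = [a for a in (triage(e, directory, now) for e in exposures) if a]
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(alerts, key=lambda a: order[a.severity])


if __name__ == "__main__":
    for alert in triage_feed(SAMPLE_EXPOSURES, DIRECTORY):
        print(f"[{alert.severity}] {alert.email}")
        for r in alert.reasons:
            print("  why:", r)
        for a in alert.actions:
            print("  do: ", a)
```

Run as-is, the four feed records collapse to two alerts: the infostealer record with live SSO and mail cookies is critical and gets session invalidation, a forced reset and a device investigation, while the fresh breach record with a still-valid password is high and only needs a reset. The old breach whose password was already rotated and the disabled account are suppressed rather than surfaced, which is the noise reduction the triage questions are about. In a real deployment the directory lookup and the actions would call the identity provider and the SSO platform; here they are plain data and strings so the logic runs offline.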

When it comes to procuring a new security solution, CISOs take into account ease of deployment, ease of use, high-fidelity alerts and analysis, and automation, according to our findings. All of these factors contribute to simplifying and streamlining cybersecurity tools.

Want more insights from security leaders?
Read our second blog in this series for a discussion on growing areas of additional exposure and corporate impact: authentication methods and ransomware defense and response, plus the actions security teams can take now to get ahead of cyberthreats.