Every year companies around the world invest hundreds of billions of dollars in cybersecurity products, services, and training—yet malware compromise and massive data breaches are still a regular occurrence. According to data from Cybersecurity Ventures, cybersecurity spending for the five years leading up to 2021 is expected to exceed $1 trillion—with a “T”—but the annual global losses from cyber attacks is expected to hit $6 trillion by the same year. Clearly, there is something fundamentally wrong with the standard model of cybersecurity.
Common Cybersecurity Strategy is Insane
The way companies approach cybersecurity is literally insane—at least according to the popular quote attributed to Albert Einstein: “The definition of insanity is doing the same thing over and over again and expecting different results.”
Imagine if your house was like the cybersecurity market. You invest thousands of dollars every year in the best tools and services to ensure it is safe and secure. You have cutting edge technology to detect burglars and prevent unauthorized access, and innovative solutions to prevent fires and guard against flooding. Now, imagine that every year your house gets broken into and all of your possessions stolen, and then it burns to the ground…and you start over and do it again. That is basically the prevailing model for cybersecurity.
Meanwhile, the cybersecurity industry as a whole right now seems to be perceived as a hot commodity. Companies that don’t traditionally operate in the security space are investing in the cybersecurity space and buying up industry-leading companies that are household names. Intel acquired McAfee (and eventually spun it back off), BlackBerry bought Cylance, and Broadcom has purchased both CA and—more recently—Symantec.
Many organizations try to throw money at the problem. They assume that if they just allocate more budget and purchase the right products and services, they will be secure. However, some of the largest and most expensive data breaches in history occurred at companies with significant investments in cybersecurity tools and platforms, and that have huge teams of cybersecurity experts and vast resources at their disposal.
In other words, cybersecurity is a very lucrative business, but buying more of it does not guarantee you will be secure. In fact, it often doesn’t actually deliver on its promise.
I recently had a chance to speak with Matt Moynahan, CEO of Forcepoint, about these issues. He told me that he is extremely concerned with the current state of the cybersecurity industry. “We’re talking about arguably one of the most important industries in the next millennium—where the consequences of failure range from terrorism to nation-state espionage—and the world’s largest cybersecurity company was just acquired by a Singapore chip maker.”
Moynahan stressed that one of the fundamental problems with cybersecurity today is that it is trying to solve for the wrong problem. At the very least, it is an outdated problem. The industry as a whole has been built on—and is still primarily driven by—point solutions designed to “keep people out.” It’s a model that assumes there is an “us” and a “them”, an “inside” and an “outside”—and then strives to ensure that malicious actors from the “them” and “outside” groups can be detected and blocked before they can compromise systems and data.
History—or the headlines on any given week—illustrates that this model is dysfunctional at best.
The core cybersecurity tools like firewalls and antimalware defenses are still necessary, but not necessarily something to spend too much money on. They are cybersecurity “table stakes” and serve a purpose to identify and block a majority of known threats, so they still have value. However, they are clearly not enough on their own.
Moynahan explained it in terms similar to my home analogy. “Imagine living in a bad neighborhood where you can never lock your door. That is your network.”
The new model of cybersecurity revolves around technologies like multifactor authentication, behavioral analytics, and deception technology. Multifactor, or two-factor, authentication raises the bar for gaining authorized access to systems and data in the first place and prevents attackers from slipping in with compromised or stolen credentials alone. Behavioral analysis and deception technology provide more comprehensive monitoring and protection based on the assumption that attackers will get through—that the “them” is “us” and they are already inside.
With that assumption, security becomes less about preventing unauthorized access and more about ensuring the activities of those who have access makes sense and don’t violate any policies. The reality is that most attacks—at the point where they are detected—are “inside” attacks, because whether they are performed by a disgruntled employee or an external attacker using stolen or compromised credentials, they appear to be from an “authorized” user from the perspective of the IT department.
Monitoring behavior is a more proactive and more effective means of detecting suspicious or malicious behavior. Bob may be an employee who is authorized to access employee data and company financial records, but Bob will also have a normal pattern of behavior that can be used to flag unusual activity. If Bob works normal business hours at an office in Tulsa, it’s easy to detect suspicious activity if he suddenly logs in from Tel Aviv at 3am on Saturday. If Bob generally accesses, but does not download, financial data, behavioral analysis can alert IT if Bob suddenly decides to download gigabytes of sensitive information.
By virtually any objective measurement, the traditional model of cybersecurity has failed. It doesn’t make any sense to simply continue pouring money into the next point solution and hope things will turn out differently. It’s time for organizations to recognize that the technology ecosystem and the threat landscape have evolved, and that a new approach is necessary for more effective cybersecurity.
By Tony Bradley