CYREBRO’s IR Analysis – Visibility Gaps and How to Eliminate Them
Today, the question isn’t if your company will suffer from a security incident, it’s when.
A few years ago, a shocking statistic came to light when CYREBRO analyzed internal incident response (IR) reports: 75% of reported security incidents were caused by inadequate investment in security solutions that caused blind spots in network visibility.
Unearthing that statistic and its implications was one of the inspirations that led to us creating the CYREBRO SOC Platform. We immediately understood that even the most minor blind spot could be exploited, putting a company at risk. With most businesses suffering from a skills and staff shortage, they’ve turned to automated tools to pick up the slack. However, a lack of tools or incorrectly configured ones, plus incomplete cybersecurity practices, create network blindness, leaving companies unable to deny threats or mitigate them once they are found.
CYREBRO research uncovers the three most common causes of incidents
As companies adopt new technologies, their attack surfaces inevitably grow, but often their security practices and cyber tools remain stagnant, creating gaps in network visibility. As we investigated recorded IR cases, we discovered the three most common causes for incidents and attacks.
Easily accessible ports and services
Although some servers need to be accessible from the internet, too often ports, servers, and critical services are open and exposed online. Attackers can take over servers, using them as an entry point to resources and internal networks. Our research found that 64% of the security incidents stemmed from critical ports and services being accessible from the internet with no filtering.
Outdated and end of life systems are likely to be exploited
Outdated systems that no longer receive security updates and unpatched systems are common targets for attackers who deploy scripts that automatically scan for systems which are susceptible to well-known vulnerabilities. In 67% of the cases we investigated, attackers utilized unpatched, outdated, or End of Life applications and operating systems in attacks.
Weak visibility due to missing tools
Companies that transitioned from on-premise solutions to cloud platforms and SaaS solutions without the proper tools were exposed and unable to detect and respond to incidents. We found that 78% of attacks happened because companies didn’t have an EDR or antimalware solution installed on endpoints, and 35% of the subjects had no IPS or IDS solution in their network.
Visibility prevents chaos
How can companies prevent incidents in the first place? The only solution is to gain complete network visibility, which boils down to having an awareness of all the components and data within their network. Without visibility or a centralized endpoint solution, hackers are undetectable. They can move through networks, conduct malicious activities, and wreak havoc.
Don’t leave analysts empty handed
Businesses that have proper visibility give analysts a fighting chance as they can view attackers’ actions, decipher what and how the attack happened, and react in real time. Arming your security team with the tools needed to achieve visibility across the board – network, endpoint, and user activity – is essential as attacks become more frequent and more sophisticated. However, an assortment of standalone tools can cause more problems than they solve. Instead, companies must seek out solutions that work together to eliminate blind spots.
Putting it together through experience
The insights and findings discussed here come from our own investigations of real IR cases we encountered over the last few years. We’ve seen too many companies become victims due to either a lack of tools or the inability to connect all of their security systems and tools to a central command, which is the only way to achieve complete visibility.
Without visibility across your entire infrastructure, it’s impossible to truly understand what is happening in your environment. Your team won’t be able to construct the correct attack story, making recovery incredibly difficult and preventing similar attacks in the future nearly impossible. Given that it takes an average of 287 days to identify a breach with an average cost of $4.24 million, can you afford a lack of visibility?
If you want to learn how to eliminate the common visibility gaps, which tools and systems you should invest in, and the proper cybersecurity practices to implement, download your free copy of our 2022 Incident Response Analysis Report.