Cybersecurity risk has never been more challenging for security teams than in today’s world. Every organization deals with a continuous, unrelenting stream of cybersecurity threats, risks and attacks that are ever increasing in terms of frequency, volume, sophistication and potential business impact. Every day feels like cybersecurity déjà vu, as defenders are caught up executing the well-known security model of prevent, detect and respond.
This results in a daily grind of repetitive, time-consuming tasks, including: blocking and tackling; responding to alerts and false positives; triaging incidents; chasing down vulnerabilities; and running different security tools, to name just a few. Ultimately, the effectiveness of this approach is moderate, at best. According to IBM's 2021 "Cost of Data Breach Report," the average time to detect and contain a cyber attack is 287 days - that is over nine months!
Alert volume is a common but ineffective metric in this environment. The problem is that every security tool used by an organization does an excellent job of generating alerts, but the vast majority of these have little to do with the real cybersecurity risk to an organization. Security teams spend a significant amount of time and effort attempting to process and close out these alerts, sifting through them hoping to find a real “bad day” alert that requires a true incident response effort.
A recent Forbes article stated, “The growing number of cyber alerts, threats and breaches is creating a vicious cycle and increased costs for many companies and organizations that can turn into crisis situations for business leaders.” As cyber attacks increase year after year, security teams typically turn to additional tools for strengthening their security programs and protecting their attack surface. However, the more tools and alerts, the more confusion! It’s a cybersecurity self-fulfilling prophecy.
A better approach that is being used by an increasing number of organizations is one based on the “early warning” of cybersecurity threats, risks and attacks. The more advanced warning that a security team has, the better prepared they are to limit—or even prevent—the impact of a potential issue.
Providing Effective Early Warning is Difficult
The ability to generate actionable early warning in the cybersecurity world is a difficult problem. Most mature security teams attempt to develop their own early warning capabilities by cobbling together various cyber-threat intelligence feeds and services. Some of these vendors claim that advanced algorithms enabled by artificial intelligence or machine learning provide the early warning that security teams crave—and are willing to pay for!
Often, however, the promise of effective and actionable early warning doesn’t pan out as advertised. Why not? Data—lots of data—is one big reason for this difficulty. An almost infinite number of data sets are constantly growing, evolving and disappearing. Somehow, in this dynamic data environment, early warning services need to find, process, develop context and generate a value-added cyber alert to an organization that is actionable in a time-sensitive manner…and, well, you can probably see the challenge that most ill-equipped organizations face.
Speed is another contributing factor to the difficulty in generating effective early warning. The intensity of today’s threat environment has dramatically increased due to automation. Deployment of malware on a large scale is trivial in today’s botnet-infested internet world. According to another Forbes article, cybercriminals use botnet assaults to accomplish a variety of tasks including: gaining access to financial and personal data; overwhelming reputable web services; extorting funds from victims; selling access to other criminals; employing scams involving cryptocurrency; exploiting backdoors created by viruses and worms; and deploying malware, such as keystroke loggers. This level of automation allows a cybercriminal organization to deploy an exploit across the internet very quickly, well in advance of any typical timeline for releasing patches, if the vulnerability is even known. Timing is not on the side of defenders.
Finally, the number of attackers has dramatically increased due to the commoditization of attacker tools and services. You don’t need to be a highly skilled hacker in today’s cybercrime world. Botnets can be rented as a service, while user credentials providing access to company domains can be purchased, and turnkey kits for deploying ransomware against any organization are readily for sale. As stated in one recent article entitled “Dark Web Markets are Thriving”: “Only a small minority of cybercriminals really code, most are just in it for the money—and the barrier to entry is so low that almost anyone can be a threat actor.”
Advantages of Early Warning
Every security team in the world desires as much notice as possible about any potential cyber issue that could turn into a full-blown incident response. If you’ve ever led a security team, you know that the late-night weekend call from your operations center is not going to be good news! The number-one advantage of effective early warning is the ability to prepare. Whether you receive advance warning of a vulnerability, the type of cyber attack, or the specific threat actor focused on your organization, your posture will have changed from reactive to proactive—and that is gold, pure gold, for defenders. With advance notice, actions can be taken to assess risk, understand business implications, strengthen defenses, collaborate with key partners such as law enforcement, or, in some cases, validate that you are as well-postured as you can be.
Depending on the nature of a potential issue, another advantage to effective early warning is the ability to ensure business resilience, because it allows an enterprise to understand how processes could be affected and, more importantly, how they can be protected.
For a clear example of this, one need look no further than the 2014 cyber attack on Sony Pictures where nation-state attackers exploited vulnerabilities to gain undetected access and, ultimately, root-level control of the company's entire IT infrastructure. The result was a massive, widespread destruction of data, along with the exfiltration and exposure of sensitive information, resulting in the complete rebuilding of the network and an extended interruption of business that impacted a single company. A more recent example on the other end of the impact spectrum was Log4J, a significant vulnerability that morphed into a series of issues that affected many organizations. Ultimately the root cause was related to Java servlet containers, which are inherently insecure and fraught with risk when directly exposed to the Internet.
In both cases, companies were already behind the power curve of containment and completely reacting to the situation. Security teams move into fire-fighting mode at the point when attackers are already slashing and burning, or, alternatively, being exploited, as in the case of a major vulnerability like Log4J. It’s easy to see why early warning in either situation would allow security teams to better prevent the issue altogether or, at least, mitigate its effects through more effective preparation and incident response.
Finally, a key advantage of early warning is effective prioritization. There’s an old saying that goes something like, “If everything is a top priority, nothing is a top priority,” and that is certainly the case in cybersecurity. Effective early warning allows security teams to focus their limited resources—including time!—on the concerns of greatest risk to the company. Actionable and reliable early warning moves real issues to the top of the list for handling. A trusted source for effective early warning information is a security team’s best friend.
The ability to generate effective early warning for security teams is an art, as well as a science. While the need for it is great, the ability to provide it is not widespread—for all the reasons we’ve discussed in this blog. However, there are a few companies that have significantly invested in developing early warning capabilities for cyber. Enter Arctic Security: For years, Arctic Security has helped national cybersecurity centers build their early warning services. Currently, their platform, Arctic Hub, makes millions of observations from around the globe every single day, and their early warning service, Arctic EWS, translates these observations into real, actionable advance notice for companies of all sizes.
A recent commercial from a well-known insurance company comes to mind when considering Arctic Security as an early warning service provider. With their vast, global perspective, they must know a thing or two about early warning, because they’ve seen a thing or two. Bottom line: If you’re a security team looking for a new best friend in the cybersecurity early warning business, you just might find one in Arctic Security.
About TAG Cyber
TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. Founded in 2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-for-play research by offering in-depth research, market analysis, consulting, and personalized content based on hundreds of engagements with clients and non-clients alike—all from a former practitioner perspective.
Copyright © 2022 TAG Cyber LLC. This report may not be reproduced, distributed, or shared without TAG Cyber’s written permission. The material in this report is comprised of the opinions of the TAG Cyber analysts and is not to be interpreted as consisting of factual assertions. All warranties regarding the correctness, usefulness, accuracy, or completeness of this report are disclaimed herein.