As security breaches become more disruptive and expensive, enterprises are increasingly encrypting Internet traffic. But a growing number of cyber criminals are also using encryption — in their case, it’s to avoid detection and spread malware. And they’re using this tool more frequently than the good guys.
According to the most recent Cisco Annual Cybersecurity Report, published today, half of all Internet traffic, both legitimate and malicious, is encrypted as of October 2017. This is up from 38 percent a year earlier. “We saw a 12 percent increase in the overall amount of encrypted Internet traffic,” said Franc Artes, architect, security business group at Cisco.
But Cisco’s report found that the hackers are out-encrypting the companies trying to protect their networks.
During this same one-year period, the percentage of attackers encrypting malware skyrocketed from 19 percent to 70 percent — a 268 percent increase. “They are clearly out-scaling the defenders,” Artes said, referring to the attackers’ use of encryption. “This is specifically designed so they can bypass security detection. The attackers are paying very close attention to how the defenders are running their defense, and they are in some cases exploiting the very practice that is being used.”
Another tool these attackers are exploiting is the cloud, Artes said. “They, like us, are using the cloud, and for the same reasons,” he added. “It can scale. It’s effective. They don’t need as many employees, and [enterprises] can’t just block all of Amazon and all of Google.”
CISOs Rely on Automation, AI
Cisco interviewed 3,600 chief information security officers (CISOs) for the report, which also puts a dollar amount on the cost of attacks. According to respondents, more than half of all attacks resulted in financial damages of more than $500,000. This includes lost revenue, customers, opportunities, and out-of-pocket costs.
Many of the CISOs surveyed said they use automation and artificial intelligence (AI) to secure their networks. Some 83 percent said they are reliant on automation, and 74 percent said they use AI to reduce the level of effort to secure the organization. Ninety-two percent of security professionals said behavior analytics tools work well.
“They’re trying to augment staffing issues where they can’t find enough staffing, and at the speed at which attacks take place,” Artes said. “It’s literally at the speed of light.”
Cisco also found that companies that use a larger number of security vendors reported a higher degree of orchestration challenges. Of the organizations that employ between one and five vendors, only 8 percent said they found orchestration of these various security products to be “somewhat” or “very challenging.” On the other end of the spectrum, 55 percent of respondents that use 50 or more vendors said orchestration is somewhat or very challenging.
Uninvestigated security alerts still create a huge business risk, according to the report. It found 44 percent of all alerts are not investigated. Of the investigated alerts that are legitimate threats, about half (49 percent) are not remediated.
Cisco’s Security Recommendations
The report ends with a list of recommendations that companies can take to boost their security posture. This includes adhering to corporate policies and practices when it comes to things like patching.
Artes points to the global WannaCry ransomware attack as an example of this recommendation. It targeted Microsoft Windows systems that hadn’t been patched even though Microsoft had already released patches for the vulnerability it exploited. “This is basic patch management that still isn’t being done effectively,” he said.
Both IT and security teams need to assume ownership of Internet of Things (IoT) device security, the report says. This includes scanning them, updating firmware, and other security reviews.
Additionally, companies should review third-party efficacy testing of security technologies and rely on those independent results — not vendors’ own testing — to determine best-of-breed products.
Companies should also back up data often and test restoration procedures — as well as their security response procedures themselves. “Pay for and utilize penetration testing,” Artes said. “What companies are often not doing is measuring: ‘were we faster or slower at detecting a hacker, or at remediating damage?’ It’s not a question of will we get hacked. It’s when we get hacked, how will we respond and have we been practicing.”