By Dr Suleyman Ozarslan, Picus Security Co-founder and VP of Picus Labs
Like a short blanket that covers the wearer’s head or feet, but never both at the same time, security teams can only dedicate their time, money, and resources to so many problems at once. The short blanket dilemma is a perennial issue in IT security. Teams deploy their budgets and resources to cover one exposed spot, but this inevitably leaves other areas out in the cold. A perfect example is the choice organizations face between preventing and detecting threats. Unfortunately, it is very rare for organizations to excel at both.
Picus recently conducted an analysis of 14 million cyberattack simulations performed by our platform in the first half of 2023, revealing the extent of this short blanket problem. Our Blue Report highlights four ‘impossible trade-offs’ that hinder organizations’ readiness to defend themselves against the latest threats.
1. Choosing which attacks to prioritize
With unlimited time, resources, and knowledge, security could be an easy job. In reality, however, every security team must choose which attacks to prioritize and which to de-prioritize based on their own time and resource constraints.
Our simulation data shows that, on average, organizations’ security controls (such as next-gen firewalls and intrusion prevention solutions) will prevent 6 out of every 10 attacks. However, some types of attacks are prevented far more effectively than others. For instance, organizations can prevent 73% of malware downloads but only 18% of data exfiltration attacks.
There are also wide variations in organizations’ ability to prevent specific threats. For example, more than a third of organizations can prevent Black Basta and BianLian ransomware attacks but only 17% can prevent Mount Locker. This is despite Mount Locker’s emergence in 2021, long before the other two malware types. It suggests that security teams are having to prioritize and deprioritize their defense against different ransomware groups over time.
2. Choosing which vulnerabilities to remediate
The Blue Report also reveals the limitations of security teams’ approach to managing common vulnerabilities and exposures (CVEs). Some organizations focus on fixing long-standing vulnerabilities first, but others will actively prioritize more recent vulnerabilities over older ones.
Today, the majority of organizations remain exposed to several critical and high risk CVEs that have been known for years. Some CVEs discovered in 2019 remain a threat to more than 80% of organizations. With limited resources, vulnerability management teams must choose to remediate some CVEs over others – at their peril.
3. Choosing to optimize prevention or detection controls
The data shows that the better an organization is at preventing threats, the weaker it is at detecting them, and vice versa. For instance, globally, healthcare is the least effective sector at preventing attacks but is twice as successful as the average organization when it comes to detecting them. North American organizations are almost twice as successful at preventing attacks as they are at triggering alerts to detect attacks in progress.
Different organizations, sectors, and even regions all have a reason to choose between a prevention or detection-first approach to security. However, the data shows in black and white that most organizations struggle to be proficient at both.
4. Choosing to log or create an alert
Organizations leveraging security event and incident management (SIEM) solutions also face decisions about how much to invest in attack detection. In most cases, organizations will prioritize logging over alerting, but do neither very well. Simulation data shows that, on average, organizations log 4 out of 10 attacks but only generate alerts for 2 in 10 attacks.
Faced with a trade-off in time and resources, organizations are prioritizing logging over alerting – but both areas require improvement.
The short blanket problem solved
Since preventing and detecting every threat is practically impossible, security teams will always have to prioritize some aspects of security more than others. It may not be possible to ask the board for a bigger blanket. However, it should be possible to ensure that it is always applied where it is needed to fit the needs of its wearer.
The goal for CISOs is to consistently make the best decisions for their organization’s specific needs. They need real-time data to prove where there are gaps in their defenses at any given moment. They need to be honest about which parts of the business are out in the cold, so that they can determine the level of risk they are prepared to accept.
This requires being proactive rather than reactive, and discovering the potential for security incidents before they happen. Indeed, CISOs are increasingly following the principles of continuous threat exposure management (CTEM) to achieve a more holistic view of their risks. By adopting a more unified approach that incorporates insights from attack simulations combined with attack surface and vulnerability data, security teams can allocate resources efficiently and effectively to address their most critical exposures. As a result, they can simultaneously improve their ability to prioritize their attention in the areas that will have the greatest security impact.
