Every year, businesses spend billions and billions of dollars on software and services designed to protect against cyberattacks. But the game is rigged; defenders are set to fail no matter how much they spend.
An organization’s security posture is determined by a complex web of factors, from the level of cybersecurity training among employees to the sensitivity of firewalllevel of network monitoring and ability to keep abreast of developments malware threats.
However, no matter how good and extensive a company’s defenses, there is one force that always pulls in the opposite direction: software vulnerabilities. If an attacker is given a route to the network on a silver platter, there is little their victim can do to stop them.
“We don’t talk enough about vulnerabilities; there has been a huge increase in volume and the situation is close to being out of control,” said Laurent Celerier, Executive Vice President of Technology and Marketing at Orange Cyberdefense (OCD). Tech Radar Pro.
“Behind every vulnerability is an attack opportunity, and cybercriminals are moving faster and faster through the chain of destruction.”
The simple reality is this: organizations are fighting an uphill battle against an ever-increasing volume of attacks, driven by factors beyond their control.
A problem of incentives
Although cybercriminals abuse a variety of attack vectors to gain access to corporate networks, data from various sources indicates that a significant portion (some say the majority) of all cyberattacks can be attributed to software vulnerability.
The number of detected vulnerabilities is also increasing. According to OCD Intelligence, over 17,000 bugs were discovered in the last year alone. Some of this increase can be attributed to improved detection capabilities, but the trend is nonetheless concerning.
There is a degree to which vulnerabilities are unavoidable; the price to pay for doing business in the world of software development. Some modern apps are made up of millions of lines of code, provided by hundreds of different developers, so errors are inevitable.
The addiction to open-source components has also increased the likelihood of bugs finding their way into applications. The fact that the code is publicly available does not necessarily mean that it has undergone sufficient scrutiny.
However, some steps can be taken by stakeholders to mitigate the risks associated with vulnerabilities. For example, IT departments could focus on optimizing patch management process to the highest degree possible, ensuring that devices and waiters remain vulnerable for as short a time as possible. Software vendors could also play their part by engaging in a more rigorous update checking process.
In practice, however, things are rarely that simple. In a world where attracting customers depends on the ability to innovate faster than the competition, suppliers cannot afford to dwell on checks and balances to too long, while internal IT teams are often stretched to capacity.
“At this point, the IT ecosystem has no incentive to bring better software to market because they are all in competition and need to evolve quickly. This means that they release solutions that are not of sufficient quality,” Celerier said.
“Additionally, most vulnerability management costs fall on the customer, who must test the new release and shut down production to deploy the patch, which takes time and expertise.
To help address these issues, Celerier says a culture of zero tolerance for poor quality software releases must be established. But equally, he admits that a heavy-handed approach could easily backfire.
“Shaming vendors for offering poor products is necessary, but this tactic has collateral damage: it could end up with people not reporting vulnerabilities,” he explained. “It’s quite tricky.”
In a separate interview with Tech Radar Prothis issue was raised from another angle by Sudhakar Ramakrishna, CEO of SolarWinds, who in 2019 suffered what turned out to be one of the most severe cyberattacks in history.
“There is still a lot of victim shaming, so companies often end up solving the problems without saying anything about them. There is definitely a reluctance to speak up,” he told us.
A situation in which software companies are reprimanded for the poor quality of their releases and companies reprimanded for being the victims of attacks is likely to produce a culture of concealment that will only make the problem worse.
The wrong focus
Another way the security industry and IT pros are giving attackers the edge is through concentration of investment.
Typically, cybersecurity companies operate on small segments of the cybersecurity chain, leaving the rest to other vendors. For example, an organization may provide detection and response services, but not the facilities needed to protect against attacks in the first place.
Hugues Foulon, CEO of OCD, told us that failure to appropriately distribute security investments throughout the chain contributes to the ease with which hackers are able to execute attacks.
Instead of investing heavily in the ability to anticipate new cyber threats and respond to attacks when they occur, most companies invest the majority of funds in technologies designed to protect. “The curve is upside down,” he explained.
“The threat today is not the same as last year, so it is always important to be aware of the changing threat landscape. Based on threat intelligence, we need to anticipate what might happen and, if an attack does occur, be able to put a remediation plan in place as soon as possible. »
Concentrating resources and investments among security vendors could also be more optimally allocated, Foulon suggested, particularly when it comes to emerging technologies like artificial intelligence.
“To be completely honest, a lot of people talk about AI in cybersecurity, but the reality is quite different. We are more humble at OCD – we mostly talk about process automation,” he said .
“Yes, there is AI, but it is not the number one priority at this stage. [for OCD]; the level of maturity is low. That’s not what our competitors say, but I doubt they do what they claim to the outside market.
Funding allocation is a difficult issue in all sectors of all businesses, but when it comes to cybersecurity, the stakes are particularly high. The cost of repairing data breaches climbing to an absolute recordthe consequences of failing to invest appropriately are obvious.
Is there a solution?
The combination of risks created by software flaws and the inefficient allocation of funding has left organizations more vulnerable to attack than they perhaps should be.
More worryingly, market forces have created a situation in which attempts to build up defenses are undermined by factors beyond the victim’s control. Until economic incentives are realigned, software vendors will have little reason to tighten their patch checking practices.
Asked to find a solution to this problem, Celerier suggested that new regulations are needed to force vendors to prioritize security when developing software updates. “In France, we like regulation,” he joked.
He also suggested that moving away from on-site will go some way to easing the patch management problem of course, because pushing an update to the cloud is much simpler than having IT teams perform a manual installation on thousands of servers.
More generally, OCD also finds it important that security partners cover every step of the cybersecurity chain – from identifying risk areas to protecting against attacks and resolving incidents. This way, companies need to liaise with a single third party, reducing logistical complexity and minimizing the likelihood of an attack slipping through the cracks.
A potential client might be justified in wondering if it is really advantageous to work with a single jack-of-all-trades, rather than several specialists. But OCD says the evidence for its model is there for all to see.
Not only does the company rely on its own products to protect its internal network – “in IT, we drink our own champagne,” Celerier said – but also has an unblemished record for blocking one of the most more powerful: Ransomware.
There may be no silver bullet to the cybersecurity conundrum facing businesses, OCD concedes, but a commitment to engage proportionately with every possible tool available to the defender is a first. not important.
- Protect your devices against attacks with the best antivirus services on the market