PROBLEM

DEFINITION

Lagging Security

It is estimated that the global economy loses $400 Billion/year to cybersecurity incidents [1], even as data security has become a board-level discussion item [2]. This is happening while the vast majority of attacks target end users, with over 90% of these attacks coming through malware delivered via web browsing [3]. Even as security becomes a growing concern and area of investment, the solutions are lagging behind, prompting a leading report to state: “One thing is very clear: The cybersecurity programs of US organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries.” [4]

How can this be? The problem does not lie with organizations' lack of diligence, priority, or investment. Companies have been piling on additional security controls while seeing diminishing returns and skyrocketing costs. Rather, this situation is caused by over-reliance on detection and prevention as the mechanisms to defeat attacks, with no separation between vulnerable systems and potentially malicious content.

Detection cannot fully protect from all attacks, as it is by its very nature reactive: attackers innovate with new findings and techniques, and solutions must rely on reputation or heuristics to detect them. Both approaches have been found lacking, with reputation becoming irrelevant as 90% of malware becomes unique to each organization [5], and web security gateway classification allowing as much as 90% of malicious traffic through [6]. Heuristics fare no better, with even the most advanced solutions detecting only 72% of “zero day” attacks [7], and 81% of respondents in a large survey agreeing that “Even with my organization’s security tools, web-borne malware can be completely undetectable.” [8]

The root cause of the vulnerabilities that organizations experience is lack of separation: the Internet is too large and varied to be effectively classified, and active content is by default transferred wholesale (“en banc”) to browsers. Organizations are left with a never-ending chase to detect malice instead of isolating vulnerable targets from the content they consume.

  1. McAfee: “Net Losses: Estimating the Global Cost of Cybercrime”

  2. http://www.forbes.com/sites/frontline/2014/12/27/why-its-time-for-a-board-level-cybersecurity-committee/

  3. Verizon business report; Palo Alto Networks report.

  4. PwC report: “US cybercrime: Rising risks, reduced readiness”

  5. Verizon 2015 Data Breach Investigations Report

  6. http://www.seculert.com/blog/2015/04/perimeter-security-defense-time-to-think-different.html

  7. FireEye: “The New Normal: Economic Cyber-Warfare Is Here to Stay”

  8. Ponemon Institute: “The Challenge of Preventing Browser-Borne Malware”

Exhausted budgets

IT security budgets increased in 2014 by 20% (from 5.1% of total IT spending to 6.1% [9]). Organizations [10] concerned with the increasing risk of cyber-attacks and data breaches are moving beyond the traditional security tools of firewalls, A/V and IDS to solutions such as next-generation firewalls, sandboxes, big data analytics and more.

And as investment increases, the costs are not limited to the implementation and management of solutions. Sophisticated alerting solutions generate tens of thousands of alerts a week, with only 19% of those considered reliable and only 4% being investigated. The operational cost of false positives alone is estimated at $1.27 Million/year for a typical organization. This math becomes even more concerning given the weight the courts have placed on alert monitoring when assigning liability in recent data breaches [11]. But the actual costs run even higher when one considers the time spent on actual remediation of security events, with an average of 600 weekly hours spent on containing malware alone.

Moreover, not all costs are associated with prevention and remediation. Organizations that choose to restrict access to various functionality and internet destinations suffer not only from the opportunity cost of lost productivity, but also from a significant operational burden of exception handling when employees request access in order to accomplish the tasks assigned to them.

These costs are not a “fait accompli”. They arise from an over-reliance on monitoring and detection, which cannot fully deal with today’s sophisticated attacks and so requires additional solutions with diminishing marginal returns and higher operational investment. Organizations should instead strive for a proactive solution that prevents attacks from happening, rather than the Sisyphean task of recognizing them.

  9. Gartner 2014 security and risk management survey

  10. Ponemon Institute: “The Cost of Malware Containment”

  11. http://www.itbusinessedge.com/blogs/data-security/target-found-negligent-in-data-breach-prevention.html

Disrupted business

Beyond the monetary and productivity cost, existing controls have hidden costs that are not immediately apparent. For example:

  • Many organizations block uncategorized traffic, where no information is known about the destination web site
  • Many organizations have legacy applications that only support a certain version of a browser or Java. These versions often have security vulnerabilities and are no longer maintained, creating a dilemma between business availability on one side and security and compliance on the other
  • Certain sites are blocked due to reputational and data loss risk (malicious comments on social networking sites, uploading sensitive information to file sharing sites, etc.)
  • HR departments often measure productivity loss as a function of network traffic, which is not indicative of actual time spent on a site. The same problem undermines the reliability of compliance investigations
  • Data security is often a concern when adopting new technologies

Many of these costs are caused by a lack of visibility and fine-grained control, and by the binary yes/no approach of detection solutions, which creates an inherent trade-off between functionality and risk. A proper solution to the current cybersecurity problem should allow full control and visibility of web traffic, while affording users the ability to engage safely in unclassified environments where the risk is unknown.
