SMEs Face Advanced Threat Sophistication Gap

In-brief: Cisco Vice President Scott Harrell says that small and mid-sized organizations are in the crosshairs of sophisticated cyber criminals. Unfortunately, such firms often lack the tools and skills to identify and contain such threats.

Attackers are becoming more sophisticated and they are using increasingly evasive methods to attack customers of all sizes. According to the recently released Cisco 2015 Annual Security Report, the growing trend among attackers is to take advantage of gaps in security to evade detection and conceal malicious activity.

Scott is a Vice President of Product Management at Cisco Systems.

A few of the key discoveries from the report include:

  • Snowshoe Spam is now emerging as a preferred strike method.
    Attackers are sending low volumes of spam from a large set of IP addresses to avoid detection, creating an opportunity to leverage compromised accounts in multiple ways.
  • Widely used exploit kits are getting dismantled by security companies.
    As a result, online criminals are using other less common kits to successfully carry out their tactics – a sustainable business model as it does not attract too much attention.
  • Exploits combine attacks on Flash and JavaScript.
    Flash and JavaScript have historically been insecure on their own, but with advances in security detection and defenses, attackers have adapted by deploying exploits that combine their respective weaknesses. Sharing exploits over two different files – one Flash and one JavaScript – can make it more difficult for security devices to identify and block the exploit and to analyze it with reverse engineering tools.
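The snowshoe pattern in the first finding, sketched as detection logic (an added example, not code from the report or from Cisco): a per-IP rate filter misses senders that each stay quiet, while grouping by message content across senders exposes the campaign. The log format, the `fingerprint` field and all thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict

PER_IP_LIMIT = 20   # assumed volume threshold of a classic per-sender rate filter
MIN_SENDERS = 8     # assumed: distinct quiet IPs sharing one message = campaign
LOW_VOLUME = 3      # assumed: most messages one IP sends while staying "quiet"

def build_sample_log():
    """Constructed mail-gateway records: (source_ip, message_fingerprint)."""
    log = []
    # Snowshoe-style campaign: 12 IPs, 2 messages each, identical content.
    for host in range(1, 13):
        log += [(f"198.51.100.{host}", "fp-campaign")] * 2
    # Legitimate newsletter: one IP, 15 copies of the same message.
    log += [("192.0.2.10", "fp-newsletter")] * 15
    # Noisy single-source sender that a rate filter does catch.
    log += [("203.0.113.7", "fp-bulk")] * 40
    # Ordinary one-off mail.
    log += [(f"192.0.2.{h}", f"fp-unique-{h}") for h in range(20, 25)]
    return log

def per_ip_rate_filter(log, limit=PER_IP_LIMIT):
    """Classic check: flag any single IP whose volume exceeds the limit."""
    volume = Counter(ip for ip, _ in log)
    return {ip for ip, n in volume.items() if n > limit}

def snowshoe_campaigns(log, min_senders=MIN_SENDERS, low_volume=LOW_VOLUME):
    """Group by content fingerprint; flag content sent by many low-volume IPs."""
    senders = defaultdict(Counter)
    for ip, fingerprint in log:
        senders[fingerprint][ip] += 1
    flagged = {}
    for fingerprint, per_ip in senders.items():
        quiet = [ip for ip, n in per_ip.items() if n <= low_volume]
        if len(quiet) >= min_senders:
            flagged[fingerprint] = sorted(quiet)
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("rate filter flags:", per_ip_rate_filter(log))
    for fp, ips in snowshoe_campaigns(log).items():
        print(f"{fp}: {len(ips)} low-volume senders")
```
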

What do these data points mean? More sophisticated attacks – for enterprises of all sizes.

Fortunately, the news here isn’t all bad. Drawing on feedback from security professionals in nine countries, the Cisco Security Capabilities Benchmark Study (which is included in the Cisco 2015 Annual Security Report) suggests that midsize companies’ perception of threats measures up well against that of their larger counterparts.

For example, according to the study, there are few perceived differences between midsize organizations (500-999 employees) and enterprises (1000+ employees) in terms of their readiness to respond to security incidents.

However, our survey did find a noticeable gap in protections. Specifically, we found dramatically less sophistication in the security practices of small and mid-sized firms than in those of large enterprises. Also concerning was the gap in organizations’ perceived ability to understand and contain a compromise.

These gaps shouldn’t be too surprising. Traditionally, defending against “sophisticated attacks” has been a concern for large, multinational enterprises or organizations with a foot in high-risk industry verticals like defense, energy, financial services and banking or technology.

But these days, attackers are using these sophisticated methods to infiltrate organizations of every size, from small businesses that employ between 250 and 500 people, to midsize organizations of 500-999 people, to large global enterprises with 1,000 or more employees. Like any business owner, cyber criminals and nation-backed adversaries look at the field of potential targets with an eye to ROI (return on investment) and diversification.

As I meet with professionals from this variety of organizations, I’m often asked for my guidance on how to combat these sophisticated threats. Regardless of the size of the organization, my response reinforces the need for a threat-centric and operational approach that reduces complexity and fragmentation. More than ever, organizations need superior visibility, continuous control, and advanced threat protection across their network and the entire attack continuum.

Too often I see customers opting for “good enough” security at crucial points in the kill chain. Companies might have email protection or web security devices in place that address some – but not all – possible attack vectors, but will not have layered other mitigating technologies and policies to cover the gaps.

This approach is understandable, but attackers are increasingly aware of and exploiting these gaps in threat-centric protection. Failing to address advanced threat vectors is dangerous when you consider that the cost of a single breach could exceed those security investments by a factor of 10 or more, and force healthy small and midsize enterprises out of business completely.

What’s my advice? Regardless of the size of your organization:

  • Adopt a threat-centric and operational security model that looks at security from an attacker’s perspective. Your security program should be focused on threats, not just the policies or controls.
  • Seek out systems that improve your retrospective analysis capabilities. If breaches are inevitable, modern security systems must provide visibility that enables security operators to play back attacks and quickly home in on the root cause and extent of a breach. Fast identification shortens “dwell time” and allows organizations to contain threats and limit the severity and cost of a breach when (not if) it occurs.

Today, we have volumes of usable information at our fingertips about the evolving dynamic threat landscape and the attackers we seek to defend ourselves against. The capabilities necessary to take action quickly before, during, and after an attack are available to us. Now is the time to act: putting in place a threat-centric and operational approach that delivers threat-centric protection across the attack continuum at every ingress into our networks and pervasively across our users’ devices.
