The dangers to SMBs and businesses of all sizes from cyberattacks are well known. But what’s driving these attacks, and what do cybersecurity stakeholders need to do that they’re not already doing?
To answer these questions, we recently analyzed dozens of detailed incident response (IR) reports from businesses across a range of industries, locations, and company sizes. The findings were surprising and concerning, to say the least. Here’s what we learned:
The Common Denominator: Visibility
From enterprises with 5000+ employees to SMBs with fewer than 15, across diverse network architectures, vastly different network sizes, and varying software and network management solutions – we found a single overriding deficiency in cybersecurity: lack of network visibility.
By “network visibility,” I mean a clear awareness of the components, devices, servers and data that actually comprise the network. This may sound strange. But the fact is that in many of the IR cases we surveyed, client networks had several blindspots and areas whose visibility was not accounted for.
The end result is that IT departments frequently just don’t know what’s out there.
Why is this actually a problem? Once an attacker gets into a corporate network, he or she is essentially free to conduct malicious activities – steal data, hijack accounts, deploy ransomware, or even just destroy assets for the heck of it. Without network visibility, cyberattackers are more likely to move undetected and laterally through a network – leaving malware to propagate, unchecked, until it’s too late.
Top Three Impediments to Visibility
The numbers from our survey bear out the top three key impediments to visibility and security: Easily accessible ports and services, outdated, unpatched, and end-of-life systems and a deficient security toolset.
Easily Accessible Ports and Services
64% of security incidents examined were the result of ports, servers, and critical services that were left open and exposed to web access. This generally happens simply because as an organization grows, so does its network. Servers running backend development, testing, applications, services, VPNs, CRM suites and more need to be accessible from the internet. However, these assets remain part of the network and thus pose a security risk if not adequately secured.
Outdated, Unpatched and End-of-life Systems
In 67% of the cases we researched, the attacker exploited unpatched, outdated, or end-of-life applications and operating systems. In many of these, the attack entry point was an old internet-facing server or device running Windows 8, 7 and even XP. These systems stopped receiving security updates years (if not decades) ago. Yet their continued accessibility allowed attackers a way in. Other cases resulted from application and web servers hosting outdated versions of Jenkins, Oracle WebLogic, and IIS, which are vulnerable to Remote Code Execution (RCE) attacks, granting hackers complete control of infected systems.
A Deficient Security Toolset
78% of the networks whose incidents we reviewed had no Endpoint Detection and Response (EDR) or antimalware solutions installed on endpoints, and 35% of these had no IPS or IDS solutions. Without a proper and updated cybersecurity toolset, visibility is severely impeded, and attacks can run rampant. Most of the incidents we reviewed could have been completely avoided if an EDR solution had been installed on the targeted devices.
The Bottom Line
Based on the impediments to visibility discussed above, every enterprise or SMB needs to aspire to meet three simple criteria:
Of course, meeting these criteria is far more complex than just delineating them. Yet the starting point is always visibility. Our research showed that businesses lacking visibility and monitoring across endpoints, exposed ports, servers, critical services, outdated and end-of-life systems and applications were far more likely to be attacked. And when such attacks occurred, they tended to be more severe – since monitoring all network assets and systems facilitates quick detection and incident response. Without this, IR teams are challenged even to understand what happened – let alone beginning the process of containment, eradication, and remediation.
To achieve visibility, analysts have recognized the need for a cybersecurity “mesh”. Rather than focus on standalone tools, organizations need to ensure that solutions work interoperably. Once merged with a network’s existing defenses, solutions like a SOC Platform can bridge network gaps, identify weaknesses, and make sure that defenders have access to the status of every endpoint in real-time. The ability to connect all security systems and tools into a single, central command offers an unmatched level of visibility, context, and clarity about network incidents. Because in network security what you can see, frequently can’t hurt you.
Read the full CYREBRO report on the trends we saw in incidents reports and learn why network and endpoint visibility is critical to enhancing cybersecurity.