John Smith, principal solution architect at Veracode, calls on vendors to ensure that companies can derive actionable intelligence from cyber analytics solutions.
The number and complexity of cyber threats are constantly evolving. And traditional automated solutions, whether simple vulnerability scanning programmes or anti-virus solutions, are increasingly challenged by the new threats.
Companies are now looking to new solutions to help them navigate this dangerous cyber climate. Cybersecurity analytics are becoming an increasingly popular solution, but with every layer of the IT environment demanding its own analysis many companies end up inundated with data. This often leaves IT directors overwhelmed, deriving little actionable insight.
A little less conversation, a little more action please
This data overload, without the tools and understanding to act on it, merely creates noise for most IT team. For example, the anchor to many companies’ cybersecurity programmes, security information and event management (SIEM) technology, provides real-time analysis to generate security alerts for problems across both network hardware and applications. But the ever-increasing wealth of data is reducing the intelligence these solutions can derive.
The drastic growth of IT environments brought about by the Internet of Things, BYOD and cloud deployment has vastly increased the number of alerts flagged by SIEM tools. Without any prioritisation or insight on how to mitigate these threats, alerts often become little more than a constant chatter that ultimately goes ignored by an already challenged security team,
Analytics packages cannot just add to the flood of data and alerts for IT departments to wade through. The manpower and resources needed to analyse, prioritise and action the appropriate cases is but a dream for most companies as the number of devices continues to grow. Instead, it’s down to security companies to ensure these solutions enable any company to garner actionable intelligence to direct their cybersecurity operations.
Setting standards
Understanding the security principles behind threats is crucial for cyber analysis. This is certainly true of application security, which still lacks any standards of what an acceptable security flaw density is, which criticality of defects are acceptable, or even what remediation timeframe is adequate.
No industry is spared in this threat space which continues to grow in size and sophistication. The Talk Talk breach achieved with the well-known exploit, SQL injection, demonstrated how a poor understanding of the threat landscape can have catastrophic consequences for businesses.
Application security analytics programmes are important for detecting flaws. But when just throwing up numbers and alerts without context, companies gain little intelligence to determine what more they ought to be doing.
Our own tuned-in customers frequently come to us asking for help in benchmarking their performance, with questions, such as “do I have more serious security vulnerabilities than my peers?” and “what percentage of vulnerabilities do my peers remediate?”. And with some companies still assessing but a small percentage of even their Internet-facing applications, this insight can be essential to drive companies to make important changes to their cyber defences.
Intelligence, not information
The State of Software Security report launched earlier year enabled Veracode to provide companies with clear industry benchmarks for the percentage of compliant applications on companies’ networks across a number of sectors. Financial services are setting the standard with 42 percent of the companies’ applications compliant with the OWASP Top 10 Policy (the widely accepted standard for application security) on the first risk assessment.
Those companies in the financial services sector reading the report with a much lower percentage of compliant applications are able to determine from this benchmark that more must be done to achieve the industry standard. CISOs and IT directors can then use this intelligence to demonstrate to the board that greater investment is required to ensure their company doesn’t face the disastrous consequences of a breach.
Each unique IT environment has its strengths and weaknesses. Cyber analytics allow CISOs and IT directors to move away from a one-size-fits-all approach to cybersecurity and revolutionise their approach by gaining an in-depth understanding of their networks, applications and endpoints.
But this can only be achieved if the wealth of information is useful. The cybersecurity industry must ensure that they don’t merely sell their customers analytics, but provide them with the tools to gain intelligence.
Good cyber hygiene isn’t about one company, or one country. Cybersecurity poses a global threat to our economies and our privacy. It’s the responsibility, therefore, of the cybersecurity community to work to ensure that companies have the tools to make intelligent decisions regarding their cyber defences.
[su_box title=”About Veracode” style=”noise” box_color=”#336588″]
Veracode is a leader in securing web, mobile and third-party applications for the world’s largest global enterprises. By enabling organizations to rapidly identify and remediate application-layer threats before cyberattackers can exploit them, Veracode helps enterprises speed their innovations to market – without compromising security.Veracode’s powerful cloud-based platform, deep security expertise and systematic, policy-based approach provide enterprises with a simpler and more scalable way to reduce application-layer risk across their global software infrastructures.Veracode serves hundreds of customers across a wide range of industries, including nearly one-third of the Fortune 100, three of the top four U.S. commercial banks and more than 20 of Forbes’ 100 Most Valuable Brands.[/su_box]
EMEA CTO
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.