The numbers are bleak. According to Gartner, the estimated global cybersecurity spend may reach $133.7 billion by the end of 2022. With over 60% of business leaders feeling that their cybersecurity risks are increasing, the costs of IT security are onerous at best.
Unfortunately, the opposite side of that fence is even worse. A study from RiskBased estimates that data breaches exposed over four billion records in the first half of 2019, and this may be smaller than the number of potential records exposed in the more recent FireEye breach. Verizon cites that over 70% of breaches are financially motivated, and a quarter of all breaches are motivated by espionage. Companies need to act now and cannot afford to delay in bolstering their cybersecurity programs and solutions.
Despite the importance of cybersecurity, organizations are struggling to manage their budget. That’s why it is important to take steps to ease the cybersecurity cash crunch with these four quick tips:
Don’t mismanage your AWS CloudTrail data or ignore logs.
CloudTrail logs were originally designed to help troubleshoot issues, and therefore capture a lot of valuable information. We commonly see that CloudTrail logs are exceptionally noisy. In 2019, Security Boulevard reported that the signal-to-noise ratio in a typical CloudTrail is 1 to 25,000. Organizations need to quickly sift through CloudTrail data to separate useful, actionable information from the excess noise. Ignoring your logs, or dumping the raw data into a SIEM, are the two most common ways companies mishandle AWS CloudTrail data, and both drive up costs.
Understanding what makes logs an important component of security.
Critical Indicator of Compromise (IOC) data is hidden in the CloudTrail logs and can provide an early warning of an attack. Some of the information this data provides includes new regions or services that have recently been enabled, new users, or changes in security group policies.
These logs also provide:
- New Identity and Access Management users and keys.
- Information on recent modifications to the route table of new VPNs.
- Changes to S3 buckets, or even the use of an account without multi-factor authentication.
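To make the two points above concrete (filtering the noise out of CloudTrail, then pulling the listed indicators out of what remains), here is a small triage routine over a handful of constructed CloudTrail records. It is an added example, not Lacework's product logic or AWS code. The record fields it reads (`eventName`, `awsRegion`, `readOnly`, `additionalEventData.MFAUsed` on `ConsoleLogin` events, and the top-level `Records` array of a CloudTrail log file) are real CloudTrail fields; the event-to-indicator mapping, the `ALLOWED_REGIONS` set, and the sample records are assumptions made for the example.

```python
import json
from typing import Dict, List, Tuple

# Regions this (hypothetical) account is expected to operate in. Activity
# anywhere else is one of the "new region enabled" signals the text mentions.
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}

# Mutating API calls that map onto the indicators listed above. This mapping
# is an assumption for the example; a real ruleset would be broader.
WATCHED_EVENTS = {
    "CreateUser": "new IAM user",
    "CreateAccessKey": "new IAM access key",
    "AuthorizeSecurityGroupIngress": "security group rule added",
    "RevokeSecurityGroupIngress": "security group rule removed",
    "CreateRoute": "route table modified",
    "ReplaceRoute": "route table modified",
    "PutBucketPolicy": "S3 bucket policy changed",
    "PutBucketAcl": "S3 bucket ACL changed",
}

# Constructed sample records, abbreviated to the fields used here.
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "awsRegion": "us-east-1", "readOnly": True},
    {"eventID": "e2", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com", "awsRegion": "us-east-1", "readOnly": True},
    {"eventID": "e3", "eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com", "awsRegion": "us-east-1", "readOnly": True},
    {"eventID": "e4", "eventName": "DescribeSecurityGroups", "eventSource": "ec2.amazonaws.com", "awsRegion": "eu-west-1", "readOnly": True},
    {"eventID": "e5", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com", "awsRegion": "us-east-1", "readOnly": False},
    {"eventID": "e6", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "awsRegion": "us-east-1", "readOnly": False,
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e7", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com", "awsRegion": "ap-southeast-2", "readOnly": False},
    {"eventID": "e8", "eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com", "awsRegion": "us-east-1", "readOnly": False},
    {"eventID": "e9", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com", "awsRegion": "eu-west-1", "readOnly": False},
]

# A CloudTrail log file is a JSON object with a top-level "Records" array.
SAMPLE_LOG_TEXT = json.dumps({"Records": SAMPLE_RECORDS})


def parse_cloudtrail(text: str) -> List[Dict]:
    """Return the Records array from one CloudTrail log file's JSON text."""
    return json.loads(text).get("Records", [])


def is_noise(record: Dict) -> bool:
    """Read-only calls are the bulk of CloudTrail volume and rarely an IOC on their own.
    Prefer the readOnly flag; fall back to the API verb prefix for older records."""
    if record.get("readOnly") is True:
        return True
    return record.get("eventName", "").startswith(("Describe", "List", "Get", "Head"))


def indicators(record: Dict) -> List[str]:
    """Map one mutating record onto zero or more of the indicators listed above."""
    flags = []
    name = record.get("eventName", "")
    region = record.get("awsRegion", "")
    if name in WATCHED_EVENTS:
        flags.append(WATCHED_EVENTS[name])
    if region not in ALLOWED_REGIONS:
        flags.append(f"activity in unexpected region {region}")
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        flags.append("console login without MFA")
    return flags


def triage(records: List[Dict]) -> Tuple[List[Tuple[str, List[str]]], Dict[str, int]]:
    """Drop noise first, then flag indicators. Returns (findings, volume stats)."""
    kept = [r for r in records if not is_noise(r)]
    findings = []
    for r in kept:
        flags = indicators(r)
        if flags:
            findings.append((r["eventID"], flags))
    stats = {"total": len(records), "after_noise_filter": len(kept), "flagged": len(findings)}
    return findings, stats


if __name__ == "__main__":
    found, volume = triage(parse_cloudtrail(SAMPLE_LOG_TEXT))
    print(volume)
    for event_id, flags in found:
        print(event_id, ", ".join(flags))
```

The order matters: filtering read-only events before evaluating rules is what keeps the per-record rule cost proportional to the signal rather than to the raw volume, which is the point the 1-to-25,000 figure is making. Note that region allow-listing needs care for global services such as IAM and STS, whose records carry `us-east-1` regardless of where the caller sits.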
For these and other reasons, we strongly encourage IT security professionals to find a way to get value out of the logs and to avoid simply storing them. “They actually contain more information than most organizations know about,” said Vice President of Product Marketing Abner Germanow at Lacework, “and companies that check regularly will not only find more accurate indicators of potential breaches, but they will also benefit from an economically advantageous nature. For example, by pre-filtering your logs, we’re often able to reduce log data by 90% or more in a typical setting, while capturing a lot more valuable data, resulting often in lower operating costs for our customers.”
Drain the ocean of false positives.
It is not uncommon for a large enterprise cloud to generate about 2 billion transactions in any given month. That’s a lot of information for any IT security team to go through, and usually this amount of data results in more than just fatigue — it also results in misallocation of staff time and higher costs. With so much data, there are going to be a lot of false positives. The struggle then becomes determining what is really important information and what is simply noise. Another way to look at it is: what do I need to pay attention to, given a finite amount of time and limited resources?
Our approach is to work with our customers to understand what that cost picture looks like. The traditional way to compute the cost of investigating a possible phishing attack for a tier one alert is to take one employee’s hourly salary and multiply it by the estimated time it would take to mitigate the issue. This computation roughly translates to $25 per alert. Multiply that cost by, say, 10 alerts, and the total is manageable for many companies. But in a large enterprise, those costs can balloon to well over $90,000 each year.
To mitigate these costs, many organizations write suppression rules. But this approach could result in unforeseen cyberattacks. “If you think about it, you want to be able to see all of the activity in your enterprise,” said Germanow. “Companies need to see the data and have the context to determine threat from noise. And they need to get to the data quickly and continuously.”
If you’re writing suppressions, you’re seeing less than you should, and that could help a breach remain unseen. One of the things that Lacework helps organizations understand is what their risk picture looks like specifically for their cloud infrastructure. For small organizations, a breach will typically cost, according to IBM, around $2.5 million, calculated over three years. Therefore, investing in a solution that minimizes the noise of false alerts, while allowing your IT security teams full visibility, is an effective use of funds that can result in operational cost savings.
Buyer beware, free tools and solutions come at a price.
One more tip that produces cost savings for organizations is to eliminate the use of free solutions. Free cybersecurity solutions often fall short of providing the visibility companies need to remain safe. Investing in select IT security tools for this need not only addresses these visibility gaps caused by free solutions, but the right solutions also deliver unparalleled and aggregated visibility on all potential vulnerabilities within existing cloud platforms.
In a similar fashion, IT security organizations commonly layer multiple tools in the hopes of securing their environment. This traditional “layering” approach used to work in the days of only on-premises infrastructure. In cloud environments, however, the more tools you add, the more complexities and vulnerabilities you produce.
Putting it all together.
Improperly securing your infrastructure and cloud platforms can inadvertently cost you revenue, especially if you’re not efficient in your approach. Whether you’re depending on manual rule writing to secure your dynamic cloud environment, or defaulting to a litany of security solutions to solve each issue, relying on such traditional approaches not only leaves you more vulnerable than you think, but can also break the bank.
By following our top ways that organizations can save time and money through a cloud-first approach to security, your organization not only benefits from tangible steps that make your cloud environment more secure, but also achieves this without burning through your security budget.
At the center of this approach is the goal of understanding how manual alert suppression rules create blind spots and increase your breach risk. But this approach also explores how false-positive security alerts without context can be extremely costly. Our approach also explores why ignoring your logs — or exporting those logs to a SIEM — are two of the biggest offenders when it comes to security budget utilization. Finally, we help organizations understand why more is not always better when it comes to relying on multiple security tools.
The landscape may seem bleak, with organizations such as Cybersecurity Ventures estimating that damage related to cyber crime may reach $6 trillion annually by 2021. But by taking our recommended steps to secure your cloud, you can make strides at fortifying your total infrastructure with effective security.
Image by Jp Valery on Unsplash.