Last year, Cisco focused on technology. This year’s security report shifts the emphasis to people.
Cisco’s annual security reports are typically “high-level” panoramas, confirming what most veteran security types already know and expect. That appears to be the case in the company’s 2015 Midyear Security Report — with one possible exception. So, let’s see what Cisco’s security researchers figured out.
Courtesy of Cisco
The report authors compiled and analyzed data in the following categories:
Threat Intelligence (page 7): Being the longest section of the report suggests there’s a lot of threat data from 2014-2015. An interesting insight from this section, “In the business world, companies strive to be known as industry leaders. But for exploit-kit authors operating in the so-called ‘shadow economy,’ maintaining fourth or fifth position among leading exploit kits may be an even more telling sign of success.”
Cisco Security Capabilities Benchmark Study (page 24): CISOs and security-operations managers were asked about their organization’s security resources and procedures to find possible disparities between what’s envisioned and what’s actually in place.
The researchers seem to have found at least one. Close to 75 percent of CISOs believe their security tools are very or extremely effective. However, the research found that “less than 50 percent of respondents use standard tools such as patching and configuration to help prevent security breaches.”
Geopolitical and Industry Trends (page 38): The report authors looked at how geopolitical dynamics affect companies with regards to data compatibility, data localization, data sovereignty, and encryption.
A new consideration this year is the strengthening of transnational terrorist groups. Currently there is no evidence terrorist groups use cyber crime to fund their activities. “But as these organizations grow, they could turn to cyber crime as a way to fund their efforts,” the report added.
Changing the View Toward Cybersecurity — from Users to the Corporate Boardroom (page 42): Cisco continues to champion making security a high priority in corporate boardrooms.
Comments by Cisco’s John Stewart
In this video discussing the security report: John Chambers (former CEO now executive chairman) asked John Stewart (chief security and trust officer) what, in his mind, stood out about the report. Stewart offered the following:
The pace of innovation by the attacking community is incredible:
- Exploits currently have close to a 40-percent success rate, meaning four out of ten attacks are successful.
- Defense systems are unable to detect fast-morphing malware.
- Increased fund transfers using cashless environments like Bitcoin over Tor eliminate law enforcement’s ability to trace criminal activity.
There is a need for “integrated threat defense architecture.” Customers realize they need a pervasive security system covering everything digital. Stewart said that vendors, including Cisco, need to step up.
Cisco Security Manifesto
It seems that Cisco has stepped up. To help companies develop an integrated threat defense architecture, Chambers, Stewart, and security experts at Cisco came up with the Cisco Security Manifesto (page 45). “This inaugural security manifesto can help security teams and the users in their organizations to better understand and respond to the cybersecurity challenges of today’s world,” mentioned the report. “These principles can serve as a baseline for organizations as they strive to become more dynamic in their approach to security.”
The principles are:
Principle 1: Security must be considered a growth engine for the business. The idea is to look at security differently — how it can enable the company’s success while still protecting its digital assets.
Principle 2: Security must work with existing architecture. Organizations should not have to change the way they do business to accommodate new security technologies.
Principle 3: Security must be transparent and informative. If users understand why security is in place, they are more likely to abide by security edicts even if it involves more effort on their part
Principle 4: Security must enable visibility and appropriate action. An open security architecture helps those responsible understand how the technology operates so when the company’s infrastructure is having issues, they know what’s wrong and how to fix it.
Principle 5: “Security must be viewed as a ‘people problem,’” said the report. “A technology-centric approach to security does not improve security; in fact, it exacerbates it. Technologies are merely tools that can enhance the ability of people to secure their environment.”
People problem, how so?
Cisco is a tech company, so when it says a technology-centered approach aggravates the problem, it raised a few eyebrows among battle-hardened IT veterans. Here are some comments offered earlier in the report:
Second paragraph: “Caught in the middle are the users. But now, it appears they not only are the targets, but also the complicit enablers of attacks.”
Third paragraph: “The Cisco 2015 Annual Security Report… Cisco, explores the ongoing race between attackers and defenders, and how users are becoming ever weaker links in the security chain.”
A key discovery (page 4): “Users’ careless behavior when using the Internet, combined with targeted campaigns by adversaries, places many industry verticals at higher risk of web malware exposure.”
So it seems that approaches based on technology do not improve security; and users are complicit, weak links who behave carelessly.
The Security Manifesto does offer a solution, “People, processes and technology together must form the defense against today’s threats. Commitment and vigilance by all users in the organization, from the top down, empower security success.”