Given the skills shortage and the inherent complexity in an organization’s security stack, monitoring cybersecurity is a serious ongoing problem.
Thousands of tests performed by experts have culminated in a report that reveals: a majority of the tested attacks successfully infiltrated the organizations’ production environments without their knowledge.
While organizations continue to invest significant budget dollars in security controls and assume that this means assets are fully protected, the reality is that security effectiveness needs further scrutiny.
The security effective report from the Mandiant Security Validation (previously known as Verodin) team consisted of real attacks, specific malicious behavior patterns, and actor-attributed techniques and tactics run in enterprise-level production environments across 11 industries against 123 market-leading security technologies, including network, email, endpoint, and cloud solutions.
Said Chris Key, SVP, Mandiant Security Validation: “Every organization wants reliable data that tells them if their security investments are delivering real value and protecting them from becoming the next major cyber-attack headline. Our research shows that while the majority of companies assume they’re protected, the truth is that more often than not—they are exposed.”
Security effectiveness challenges
In the tests, 53% of attacks successfully infiltrated environments without detection. Also, 26% of attacks successfully infiltrated environments but were detected, while 33% of attacks were prevented by security tools. Only in 9% of attacks were alerts generated, demonstrating that most organizations and their security teams do not have the visibility they need for serious threats, even when they use central security information and event management (SIEM), security orchestration, automation and response (SOAR) and analysis platforms.
In conducting its analysis, the Mandiant Security Validation team observed that the most common reasons for poor optimization of organizations’ security tools were:
- Deployed under default “out-of-the-box” configurations
- Lack of resources to tune and tweak post-deployment
- Security events not making it to the SIEM
- Inability to force controls testing
- Unexpected changes or drift in the underlying infrastructure
The report also takes a deeper look into techniques and tactics used by attackers and outlines the primary challenges most commonly uncovered in enterprise environments through security validation and conducting testing:
- Reconnaissance: In testing network traffic, organizations reported only 4% of reconnaissance activity generated an alert.
- Infiltrations and ransomware: 68% of the time, organizations reported their controls did not prevent or detect the detonation within their environment.
- Policy evasion: 65% of the time, security environments were not able to prevent or detect the approaches being tested.
- Malicious file transfer: 48% of the time, controls in place were not able to prevent or detect the delivery and movement of malicious files.
- Command and Control: 97% of the behavioral patterns executed did not have a corresponding alert generated in the SIEM.
- Data exfiltration: Exfiltration techniques and tactics were successful 67% of the time during initial testing.
- Lateral movement: 54% of the techniques and tactics used to execute testing of lateral movement were missed.
In addition to the above insights and most likely underlying causes of each issue, the Mandiant Security Effectiveness Report 2020 offers real-world examples that demonstrate the negative impact these performance gaps have caused in various industry sectors.
“Whether or not they realize it, organizations across all industries need to combat the alarming reality that is revealed in our report,” Key continued. “The only proven way to do that is through continuous validation of security controls against new and existing threats, with technology that automates the measurement of security effectiveness and provides data efficacy of measured outcomes.”