Cybersecurity Challenges that Take Miracles to Solve
Not just a year (annus mirabilis), but many miracle years (annos mirabilis) for Cybersecurity with Generative AI.


Annos Mirabilis: Part 1 of 2

Written by: Prasanth Ganesan, Founder & CEO at System Two Security, and Kamesh Raghavendra, Chief Product Officer at The Hive, LLC


Cybersecurity: An uneven arms race that favors adversaries.

Today, the annual costs of cybersecurity incidents represent around 6% of global GDP. The impact of cybersecurity threats dwarfs the annual impact of wars (about 1.5%) and total global military spending (about 2.2%) combined. The first and only significant line of defense against these threats is enterprise cybersecurity spending, which averages roughly 1% of revenues or 10% of IT budgets. This spending is distributed across three layers of infrastructure, each of which is either built in-house or outsourced to managed security service providers (MSSPs):

  • Security operations center (SOC) organization: These are teams of specialized cybersecurity analysts who monitor, analyze, detect, and respond to both new and known cybersecurity threats. However, enterprises are grossly understaffed, with over 3.5 million unfilled positions across SOCs.
  • SOC tools: These tools process large volumes of log data from enterprise endpoints, devices, cloud services and networks to detect, identify, alert on, and respond to known cybersecurity threats that are hardwired as internal rules. However, the cybersecurity industry has created tool fatigue for SOCs, as analysts grapple with an average of over 50 tools in their SOC.
  • Data infrastructure: The volume of data retained from the various enterprise sources, the time window it covers, and how accessible it is (e.g. whether it is indexed) determine how sensitively cybersecurity threats can be detected. However, security data infrastructure has been riddled with disconnected silos due to the sprawl of competing SOC tools.

With such a state of affairs in cyber-defense, it comes as no surprise that enterprises take an average of 277 days to detect cybersecurity breaches. The battleground continues to be tilted in favor of the adversaries despite decades of the concerted investments mentioned above in technology, training and organization by both enterprises and nation states.

The adversaries continue to gain advantage in cybersecurity due to the following factors favoring them:

  • Subversive threats: Constantly evolving and sophisticated new cyber threats consistently outpace the brittle, hardwired detection rules (e.g. indicators of compromise, or IOCs) used by enterprises. The adversaries get a comfortable window of attack before understaffed threat hunting teams can discover the new variants of attacks or external SOC tool vendors can upgrade their products’ detection rules. Global attack-as-a-service providers funded by nation states design and deploy new threats at industrial scale and frequency, with vertical-specific sophistication.
  • Machine-speed breaches: Adversaries have optimized the breakout time of cyberattacks to just minutes with multi-pronged parallel sequences, leaving no chance for internal human-led SOC interventions, let alone external SOC tool vendors, to respond.
  • AI-powered attacks: Dystopian applications of AI to generate new attacks will only make this far worse in the near future.

Unfulfilled Promise of AI: Too artificial to subdue adversaries.

As the Pentagon’s CIO, Dave McKeown, recently rued, attempts to apply AI in cybersecurity have been disappointing at best. The success of AI in consumer Internet products stands in stark contrast with the dismal failure of traditional AI in cybersecurity to dent the 277 days taken to detect breaches, despite attempts by both big vendors and startups over the past 15 years. These attempts have struggled with multiple challenges specific to cybersecurity AI:

  • Untrainable ephemeral threat patterns: Unlike the durable patterns in consumer shopping and objects in images, adversarial attack patterns are too ephemeral and subversive to train traditional AI models on. The rate of change in threat actor behaviors far outpaces the repetitive patterns that training AI models requires.
  • Untransferable learnings: The cybersecurity industry does not enjoy the liberal data-sharing consents that consumer Internet companies do. This prohibits the transfer of learnings across enterprises, leaving each enterprise to fend for itself with very limited data. Honeypot services that attempt to lure attackers and learn threat patterns are too sparse to make a dent in the scale of the adversaries.
  • Unfathomable context: The combinatorial complexity of the size, vertical, systems, geographies and configurations of an enterprise makes it cost-prohibitive to fine-tune traditional AI models to any reasonable predictive accuracy.
  • Unaffordable AI talent: The cost centers that deliver enterprise cybersecurity cannot afford to hire premium data science and AI talent, unlike the plum profit centers of consumer Internet companies.

Broken Economics: Too many vendors and tools to scale.

Enterprises are forced to depend on multiple detection engineering vendors for intelligence on new threats and attacks because they are incapable of scaling internal organizational talent, detection rules or AI. Each vendor in an enterprise’s fast-growing SOC tool list was added in the past due to a new attack surface or a new category of threat actor, and the enterprise grapples with the risk of decommissioning the tool. These vendors often compete with one another and have proprietary data-processing workflows that bring huge inefficiencies and cost burdens to the enterprise.

Some large vendors are vehemently advocating tool consolidation. However, it will remain an elusive goal until enterprises have a direct, near-real-time path to detecting, containing, and responding to new threat actor behaviors, which would displace all indirect, time-delayed dependencies on tool vendors.

The uneven arms race of cybersecurity prohibits enterprises from depending on a sole tool vendor (or “arms provider”), even if such a consolidation may provide significant cost benefits. SOCs will continue to be doomed to the shaky middle ground of depending on indirect intelligence about new threat actor behaviors from multiple vendors and tools.

Thus, the miracle years of cybersecurity have eluded us for the past two decades due to:

  • An uneven arms race stacked in favor of adversaries’ subversive tactics and speed.
  • An unfulfilled promise of AI due to several limitations on its adoption in cybersecurity.
  • Untenable risks of SOC platform consolidation due to the lack of direct, near-real-time means of responding to new threat actor behaviors and the indirect dependency on multiple SOC tool vendors.

The recent advent of Generative AI brings new underlying technologies that are changing this. In the next blog, we delve into the promises of this technology and our product that delivers it for addressing the above challenges head-on.
