Virtualization Technology News and Information
VMblog Expert Interview: DomainTools Talks Results and Take Aways from their Annual Cybersecurity Report Card


Earlier this month, DomainTools released its annual Cybersecurity Report Card in which security analysts, threat hunters, and other cyber professionals on the front lines self-grade the security posture of their organizations.  To find out more, VMblog spoke with Tim Helming, Security Evangelist at DomainTools.

VMblog:  What is the Cybersecurity Report Card?

Tim Helming:  Each year since 2017, DomainTools has sent a survey to information security practitioners asking them to rate their operations in various ways, along with an overall letter grade. The questions on the survey cover things like breach attempts detected, successful breaches, security budget, training, tools, and more. The goal is to get some insights into how these practitioners perceive their own operations and to track trends in these perceptions over the years. For the 2020 Report Card, some 520 individuals from companies ranging in size, industry, and geography participated. Around 60% of respondents were front-line practitioners such as security researchers, analysts, or threat hunters.

VMblog:  How did this year's results compare to previous years?

Helming:  In terms of the overall "grades," there was around a 6% decrease in the number of "A" grades, at 24% of the total, while "B" stood at around 49%, "C" at about 24%, "D" at just under 3%, and no F grades. While the A's declined a bit, the middle of the pack improved slightly, with gains in B's and declines in C's, and no F's. But the letter grades don't tell the whole story. A bright spot for 2020 was that the breach prevention rate rose. While the number of reported breaches held steady year over year, following several years of steady declines, the number of attempts rose distinctly. 

VMblog:  What challenges did the shift to work from home (WFH) pose for security?

Helming:  There were many! While most organizations have had some remote or WFH employees for years, some didn't. And even those that did accommodate WFH previously had to suddenly support it at a different scale. Add to that rolling out new technologies, expanding and contracting the use of existing ones, totally recalculating capacities, risk profiles, threat models, and user needs, changing network topologies, modifying incident response and recovery plans, limiting or adjusting IT's physical access to infrastructure, and, no doubt, countless other changes - it was a huge ask, and it had to happen very fast.

VMblog:  Were there changes to the threat landscape due to the pandemic?

Helming:  Yes, unfortunately. Cybercriminals lost no time capitalizing on the public hunger for COVID information, launching phishing campaigns, COVID-themed malware, and other such attacks. Respondents to the Report Card survey reported a significant uptick in attempted breaches in the first few months of 2020: nearly 60% of respondents reported a moderate to drastic increase in attacks vs 2019. There can be little doubt that malicious actors saw the strains on IT and security operations as an opportunity to attack a compromised victim. Happily, as mentioned before, even though the number of attempted attacks rose, we also saw a higher rate of successful prevention.

VMblog:  What went well in terms of how organizations "graded" themselves?

Helming:  For one thing, it was clear that the respondents were thoughtful about their responses (and, to be sure, the survey was designed to elicit these). They didn't merely apply letter grades, but evaluated their organizations across a wide spectrum of areas, including executive support, training, budget, attacks and defenses, practices, and more. The consonance of the letter grades and the supporting data suggests that the grades are a useful assessment. 

VMblog:  Where is there still room for improvement?

Helming:  As the decrease in "A" grades, not to mention the roughly one-quarter of respondents at "C" or below, attest, we aren't "there" yet collectively. Some of the individual areas where we saw room for improvement were directly related to the remote work shift. For example, some 35% of respondents said that the shift increased their average detection response time. As for how long that detection time is, in 2019, 60% of respondents said they could detect an attack within a day, and that number decreased slightly to 57% in 2020.

VMblog:  What should executive leadership take away from this survey?

Helming:  Budget matters! Among the organizations that gave themselves grades of "A," over 94% of them had security budgets either remain steady from the previous year (~74%) or grow (~20%). While throwing more money at security in and of itself is not a solution, security teams need resources for top performance. Another key takeaway is that, statistically speaking, the odds are good that your own team has done some pretty amazing work this year and should be acknowledged for it!

VMblog:  What should SOC personnel take away?

Helming:  First off, collectively they should buy themselves a drink! This year, which is far from over as of this writing, has thrown absolutely massive tests at security teams, and they have risen to the occasion admirably. Also, keep in mind that what tests us the most severely also gives us the best opportunities for growth. Perhaps some of the changes you had to make in order to handle the pandemic uncovered ways in which you can (or already did) improve your overall security posture. Perhaps your threat modeling, while changing, also got sharper. If we know one thing about folks in this field, it is that they know how to face a challenge and come out the better for it.


Published Wednesday, October 28, 2020 7:34 AM by David Marshall