Earlier this month, DomainTools released its annual Cybersecurity Report Card in which security analysts, threat hunters, and other cyber professionals on the front lines self-grade the security posture of their organizations. To find out more, VMblog spoke with Tim Helming, Security Evangelist at DomainTools.
VMblog: What is the Cybersecurity Report Card?
Tim Helming: Each
year since 2017, DomainTools has sent a survey to information security
practitioners asking them to rate their operations in various ways, along with
an overall letter grade. The questions on the survey cover things like breach
attempts detected, successful breaches, security budget, training, tools, and
more. The goal is to get some insights into how these practitioners perceive
their own operations and to track trends in these perceptions over the years.
For the 2020 Report Card, some 520 individuals from companies ranging in size,
industry, and geography
participated. Around 60% of respondents were front-line practitioners such as
security researchers, analysts, or threat hunters.
VMblog: How did this year's results compare to previous years?
Helming: In
terms of the overall "grades," there was around a 6% decrease in the number of
"A" grades, at 24% of the total, while "B" stood at around 49%, "C" at about
24%, "D" at just under 3%, and no F grades. While the A's declined a bit, the
middle of the pack improved slightly, with gains in B's and declines in C's,
and no F's. But the letter grades don't tell the whole story. A bright spot for
2020 was that the breach prevention rate rose. While the number of reported
breaches held steady year over year, following several years of steady
declines, the number of attempts rose distinctly.
VMblog: What challenges did the shift to work from home (WFH) pose for
security?
Helming: There
were many! While most organizations have had some remote or WFH employees for
years, some didn't. And even those that did accommodate WFH previously had to
suddenly support it at a different scale. Add to that rolling out new
technologies, expanding and contracting the use of existing ones, totally
recalculating capacities, risk profiles, threat models, and user needs,
changing network topologies, modifying incident response and recovery plans,
limiting or adjusting IT's physical access to infrastructure, and, no doubt,
countless other changes - it was a huge ask, and it had to happen very
fast.
VMblog: Were there changes to the threat landscape due to the pandemic?
Helming: Yes,
unfortunately. Cybercriminals lost no time capitalizing on the public hunger
for COVID information, launching phishing campaigns, COVID-themed malware,
and other such attacks. Respondents to the Report Card survey reported a
significant uptick in attempted breaches in the first few months of 2020:
nearly 60% of respondents reported a moderate to drastic increase in attacks vs
2019. There can be little doubt that malicious actors saw the strains on IT and
security operations as an opportunity to attack a compromised victim. Happily,
as mentioned before, even though the number of attempted attacks rose, we also
saw a higher rate of successful prevention.
VMblog: What went well in terms of how organizations "graded"
themselves?
Helming: For
one thing, it was clear that the respondents were thoughtful about their
responses (and, to be sure, the survey was designed to elicit these). They
didn't merely apply letter grades, but evaluated their organizations across a
wide spectrum of areas, including executive support, training, budget, attacks
and defenses, practices, and more. The consonance of the letter grades and the
supporting data suggests that the grades are a useful assessment.
VMblog: Where is there still room for improvement?
Helming: As
the decrease in "A" grades, not to mention the roughly one-quarter of
respondents at "C" or below, attest, we aren't "there" yet collectively. Some of
the individual areas where we saw room for improvement were directly related to
the remote work shift. For example, some 35% of respondents said that the shift
increased their average detection response time. As for how long that detection
time is, in 2019, 60% of respondents said they could detect an attack within a
day, and that number decreased slightly to 57% in 2020.
VMblog: What should executive leadership take away from this survey?
Helming: Budget
matters! Among the organizations that gave themselves grades of "A," over 94%
of them had security budgets either remain steady from the previous year (~74%)
or grow (~20%). While throwing more money at security in and of itself is not a
solution, security teams need resources for top performance. Another key
takeaway is that, statistically speaking, the odds are good that your own team
has done some pretty amazing work this year and should be acknowledged for it!
VMblog: What should SOC personnel take away?
Helming: First
off, collectively they should buy themselves a drink! This year, which is far
from over as of this writing, has thrown absolutely massive tests at security
teams, and they have risen to the occasion admirably. Also, keep in mind that
what tests us the most severely also gives us the best opportunities for
growth. Perhaps some of the changes you had to make in order to handle the
pandemic uncovered ways in which you can (or already did) improve your overall
security posture. Perhaps your threat modeling, while changing, also got sharper.
If we know one thing about folks in this field, it is that they know how to
face a challenge and come out the better for it.