Enterprises throw money at cybersecurity but half of attacks are still a success

Mandiant says that intrusions, policy evasion, and reconnaissance are commonplace in today's enterprise environments.

Online fraudsters find new narrative in virus crisis

Enterprise investment in cybersecurity is improving but deployment and maintenance issues are allowing far too many successful attacks against corporate networks, a new report suggests. 

On Tuesday, FireEye's Mandiant released its annual Security Effectiveness Report. Based on enterprise contributions, penetration tests, and the analysis of 100 enterprise-level production environments across 11 industries, the report concludes that while organizations are significantly increasing cybersecurity budgets, the reality is that many attacks are still successfully infiltrating enterprise environments.

According to the US cybersecurity firm, security investments are not necessarily delivering their full value -- especially when no form of automated security validation or post-deployment checks are in place. 

After running tests in enterprise environments, the researchers behind the report say that issues including "out of the box" configuration, a lack of post-deployment checks and tweaks, drift or changes in underlying enterprise infrastructure, and security events not being reported to SIEM revealed a lack of visibility that is placing corporate networks and data at risk. 

The company says that on average, an enterprise company will have between 30 and 50 security solutions in place -- but this is no guarantee of their effectiveness.    

See also: This is what happens to cryptocurrency paid out in sextortion campaigns

In total, 53% of attacks performed were successful and infiltration without detection was achieved. 26% of attacks were successful but were detected, while 33% of attacks were prevented by security solutions. However, only 9% of attacks led to an alert being generated. 

Mandiant says that in many cases, security tools tend to behave in different ways depending on their environment and a "disconnect" between IT and in-house security teams can lead to security tool performance issues -- no matter the size of the organization. 

"While security teams have the responsibility of protecting the organization's assets, they do not always have the corresponding operational authority or visibility into decisions or changes being made that impact the infrastructure," the report says. "This disconnect results in "environmental drift" which causes the organization's risk posture to change unexpectedly. In the absence of continuous validation of controls, this can put the organization in a precarious position."

CNET: Coronavirus stimulus scams are here. How to identify these new online and text attacks

The integration of hybrid and cloud environments, together with legacy IT infrastructure, means that visibility into corporate networks and security tool effectiveness can also be clouded -- including cases of cloud solution misconfiguration and when there is a lack of corporate resource control relating to BYOD policies. 

On average, organizations found they missed 54% of early-stage attack tactics. When tests were performed on network traffic, for example, Mandiant found that organizations only received alerts for reconnaissance and spying-related activity 4% of the time. Data exfiltration techniques and tactics were successful 67% of the time, and in 65% of cases, policy evasion was possible. 

TechRepublic: One billion certificates later, Let's Encrypt's crazy dream to secure the web is coming true

"As organizations -- from the C-suite and board of directors down to those on the frontlines of cyber defense -- struggle to strengthen cyber hygiene and minimize risk, it has become imperative that organizations validate security effectiveness," Mandiant says. "Without evidence of security performance, companies operate on assumptions which simply don't match reality, and which leaves them with significant risk."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0