Tipping the Balance: The Power of Automated Cyber Defense Federations

Just as astronomers are grappling with the universe expanding faster than models predicted, we’re facing our own cosmic-scale challenges in cybersecurity. Scientists recently discovered that the universe’s expansion rate is accelerating, a mystery prompting them to rethink long-held theories. By observing distant galaxies, they have determined that the universe is stretching and doing so at a pace that surprises them. Researchers attribute this unexpected acceleration to dark energy, which baffles them. 

In a parallel universe of our own making, our digital space is expanding at an alarming rate. With 75.44 billion devices expected to be connected to the Internet by 2025, and expected growth from web3, blockchain, and the metaverse, the complexity of maintaining robust cybersecurity grows ever more daunting. Just as cosmologists are pushing their models' boundaries to explain cosmic phenomena, we must evolve our approach to cybersecurity. 

According to Splunk’s State of Security report, data breaches and ransomware attacks have increased 13% and 14% since 2021. McKinsey expects cybercrime to cost up to $10.5 trillion by 2025.  Over the past quarter century, the approach to cybersecurity has not kept pace with adversaries and will not scale, given the expected growth in Internet utilization and the shortage of cybersecurity talent. 

In this three-part series, I will explore the evolution of cyberspace and the critical need to adopt automation and collaboration.

From isolation to federation: Why companies are stronger united

It’s no longer practical for companies to defend themselves in isolation. Instead, the future lies in adopting a hybrid model leveraging Automated Cyber Defense Federations (ACDFs. These federations bring groups of companies together, using multiple cloud-based security tools to protect members more efficiently. While each company keeps its autonomy, they share common defense capabilities and automatically exchange critical defense information to reduce detection and response times. With the rise of blockchain and the metaverse, forming ACDFs isn’t just smart — it’s essential. It’s time to shift our security mindset from isolated defenses to a collaborative approach, where companies work together to secure the ever-expanding cyberspace.

The technology exists today to establish ACDFs. Companies and organizations can stand up ACDFs leveraging cloud-based defense products, such as automated intelligence exchange platforms and intelligence workflows bundled with Machine Learning.  Ad hoc groups could establish ACDFs to exchange real-time information about cyber events. Take collegiate conferences like the Big 10 and Big 12, for example — they could form ACDFs to exchange malicious code detection searches, thereby expediting the detection of cyber threat activity across higher ed. Cloud-based security providers would automate the exchange, enriching data with other relevant intelligence.

From firewalls to federations: The evolution of cybersecurity solutions

Over the past thirty years, the security industry has rapidly evolved, with around 4,000 security vendors in the market. Companies like McAfee and Symantec led the way with early anti-virus software, while Checkpoint introduced the firewall, RSA brought encryption, and Entrust pioneered identity management. As attackers developed new tactics, vendors responded by creating solutions for threats like trojans, spyware, and ransomware.

Mergers and acquisitions enabled companies to offer integrated security solutions. As attacks grew more sophisticated and compliance demands increased, vendors developed tools to manage and investigate security events, including data analytics, intelligence management, and orchestration.

Recently, vendors have launched comprehensive solutions like Extended Detection and Response (XDR) and Managed Detection and Response (MDR), which provide holistic security across various assets. Managed Security Service Providers (MSSPs) also offer support, ranging from Level 1 and 2 assistance to comprehensive defense.

Attacks expose security management gaps

Despite the growth and sophistication of tools to detect and prevent threats, several types, including supply chain attacks and ransomware, expose cracks in companies’ efforts to secure themselves independently.

Supply chain attacks represent a particular problem as they can surface from 3rd party software.  Gartner estimates that supply chain attacks will impact 45% of companies worldwide by 2025. SolarWinds represents an excellent example of a supply chain attack. Russian hackers surreptitiously buried malicious code in SolarWinds’ Orion product that was deployed to SolarWinds’ Orion customer base.  Once deployed, the hack allowed Russia to move more quickly, undetected, through the networks of government agencies and private sector companies. Only after FireEye—a customer of SolarWinds—discovered the code was the attack detected. The hack impacted over 100 companies in government and the private sector. 

Ransomware is particularly difficult to defend against, given multiple attack vectors, including the user sitting behind a computer, brute force attack, or exploiting a vulnerability.  One click can place a company at risk.  Ransomware groups recycle code to launch slight variations of attacks– targeting vulnerabilities that are over a decade old, dating back to 2009. 

The 2021 attack on Kaseya represents a blend of a supply chain and ransomware attack. Kaseya, a software company that manages networks, systems, and infrastructure, supports 100s of MSPs.  Attackers targeted several vulnerabilities within Kaseya software, affecting MSPs and disrupting over 1,000 companies, including the meat producer JBA SA. More recently, the attack on CDK Global, a software company that supports over 15,000 auto dealerships, disrupted dealership supply chains, forcing dealers to revert to Excel spreadsheets and handwritten notes.

Even with strong cybersecurity programs, companies still experience breaches. Thousands of vendors and solutions exist, yet adversaries continue to outpace defenses. Why? 

Six reasons why adversaries continue to succeed:

1. The pace and volume of cyber attacks are increasing, overwhelming analysts. McKinsey estimates we’re short 3.5 million analysts. We could not keep pace even if we could produce and train enough analysts. A more delicate topic is the limitations of a human analyst. 
   
   
2. Security tools and sources are not integrated, requiring analysts to intervene and slowing response time. The Wall Street Journal noted in a piece that vendors’ need to integrate their products. “More than three-quarters of 280 cybersecurity professionals want to see vendors build open standards into their products to enable interoperability, according to a TechTarget survey quoted by Rundle. (There has been some progress here through projects like OASIS that, through open source standards, improve tool interoperability.) 
   
   
3. Faulty code production through poor DevOps practices leads to vulnerabilities exploited by attackers. Half of the security professionals report that developers are failing to identify cybersecurity issues -– attributing 75% of vulnerabilities to developers, according to VentureBeat.
   
   
4. Perhaps most frustrating, hackers recycle exploits and vulnerabilities. For example, the Nokayawa ransomware campaign recycles code. Hackers continue to attack known vulnerabilities that remain unpatched.  Log4j vulnerabilities, identified over two years ago, continue to be exploited. Vulnerabilities remain unpatched. HackerOne reported, “The National Institute of Standards and Technology (NIST) reported finding 18,378 vulnerabilities in 2021. According to HackerOne, software vulnerabilities increased by 20% in 2021 compared to 2020.”
   
   
5. Adversaries are beginning to adopt organizational constructs and capabilities of defenders. For example, adversaries leverage integrated tools and capabilities with artificial intelligence and machine learning. In effect, adversaries build “attack management programs” to run operations efficiently. For example, ransomware gangs are adopting “trojan as a service” or dropper as a service.
   
   
6. Organizations predominantly work individually to protect themselves. Each company working to defend itself is a construct of the past. An unfortunate byproduct of regulation is reinforcing a go-it-alone mindset for companies. Requirements to disclose significant security events to the SEC and CISA make sense. Still, the focus becomes disclosure to government agencies rather than collaboration with others who could experience similar attacks. 

Don’t let your defenses lag. Explore Splunk’s State of Security 2024: The Race to Harness AI report for in-depth analysis, and subscribe to the Perspectives newsletter for regular updates on how to stay ahead of cyber threats.