Your doorbell rings. What’s your first reaction? Do you check your Ring or Nest camera to see who it is? Or do you just open the door and allow them direct access to your home whether you know them or not? Cybersecurity software today works on the basis that you verify the identity of all “visitors” or “packages” before you let them in.
This approach works well most of the time, but it’s far from foolproof. Current detection-based systems are either provided as software used by in-house security teams or bought as a service by enterprises that can’t afford DIY security. Research firms estimate the size of the market today at around $200bn, growing to as much as $500bn by the end of the decade.
Why is the market growing so fast? Partly because the threat level continues to rise. According to DataProt, each day, there are 560,000 new pieces of malware detected. There is also the emerging threat of AI, weaponized by hackers to increase the volume and ingenuity of attacks. Then there is the cost to businesses of failing to defend themselves.
It’s impossible to put an accurate figure on the cost of successful cybersecurity attacks, partly because businesses are reluctant to disclose it, but the estimates are wild.
Cybersecurity Ventures calculated the global cost of ransomware and other attacks in 2023 at $8 trillion, which is very nearly a billion dollars an hour. That figure is projected to top $10 trillion by the middle of the decade. If the world’s hackers were a state, they would be third behind the US and China.
In that context, spending on cybersecurity defense appears modest, but only if it’s working. The phenomenal scale of the global crime bill suggests that it isn’t.
All detection-based defensive methods depend on being able to verify that something is safe before you let it in. Unless the person on your doorstep is a known villain or they’re brandishing a weapon, you’ll do one of two things: let them in and hope for the best, or keep them out until you’re satisfied that they’ll do you no harm.
The second of these sounds sensible, and if it were left to security teams, everything would be in a permanent state of lockdown. Great for security but not so great if you’re trying to run a business. One estimate put the productivity cost of overengineered security at more than 20 minutes a week for every employee – 182 lost days every year for a firm with 250 employees. CISOs report numerous complaints from users that security procedures damage productivity and inhibit innovation.
Productivity takes a second hit when a successful attack is made. The clean-up operation can impact the whole workforce if individual devices need to be inspected, software agents need updating, or new security policies are introduced.
Then there are the cybersecurity teams themselves. The relentless grind of responding to threat alerts and the tedious work of remediation are cited as major factors in the exodus of professionals from a sector already suffering from a skills shortage.
The other problem with detection is that apparently benign entities don’t declare their intent immediately but may sit inside systems for months or years before delivering their payload. When the web hosting company GoDaddy started hearing reports from customers that their sites were being targeted with ransomware demands in December 2022, the malicious code had been sitting in the company’s systems for years.
This phenomenon, known as dwell time, is the time an intruder sits undetected in systems. The mean average dwell time across the industry is 21 days. With good monitoring and analysis of communications, some of these intruders can be found before they get to work. Many more are not.
The imperfect nature of defense is built into the cybersecurity industry’s business model. As the truism goes, the hackers only have to be right once; the security team has to be right 100% of the time. Even so, customers may feel short-changed.
“When detection doesn’t work, a lot of security vendors will start pressing you to purchase their incident response retainers,” Jared Winn, VP of technology and infrastructure at Greater Sum Ventures, told me. “How can they justify asking for more money from the customer that they have failed to protect?”
Even if we accept that the cybersecurity war is unwinnable in absolute terms, we shouldn’t assume that we can’t do more to cut our losses.
Today we shut out anything suspicious until we’ve had a chance to check it out. It’s frustrating, it’s bad for productivity, and it’s not working. What if we flipped the model so that no one ever had to wait at the door?
This is where the analogy gets a bit silly, but what if you could surround every visitor with a protective sphere so that even if they have a concealed weapon, they can’t harm you?
It’s counterintuitive, but the best way to protect the network may be to admit everything and let it run. You could do this safely in a virtualized environment without restricting what the user is able to access and impeding their productivity. Anything that comes onto the network could read from the environment but not write to it. Incoming code would still be analyzed for signs of harmful behavior. If malware is detected, it can be terminated without having been able to spread anywhere.
It’s time for CISOs and security teams to have a rethink and ask what they are really looking for in a cybersecurity solution: something that’s great at spotting risks or a solution that is focused on preventing damage. Too much of the cybersecurity debate is around the former – obsessed with higher detection rates, quicker detection rates, and faster detection rates.
The technology to do the latter exists. We can use it or – to paraphrase Einstein’s definition of madness – continue to do the same thing and hope for a different result.