Cybersecurity continues to be a growing priority for organizations of all sizes, across all industries. See how the latest stats and trends are shaping plans, spending, and priorities for 2018.
Things change quickly in the world of cybersecurity. With new threats appearing on a daily basis and attackers continuously evolving their techniques, it can be extremely difficult to keep up. If you seldom feel confident you're making measurable progress and getting ahead of the game, you're not alone.
In fact, when asked about the state of their security risk, the majority of IT and security pros responded that, last year, things actually took a step backwards.
Considering 2017 was the year that brought us the biggest ransomware outbreak in history (WannaCry) and a data breach that exposed the personal information of nearly half the United States' population (Equifax) it's perhaps no surprise that organizations report they're facing more dangers online.
To top it off, the start of 2018 coincided with the stunning disclosure of the Meltdown and Spectre vulnerabilities, flaws in the speculative-execution features of most modern processors that put practically every operating system and device running on them at risk. Progress has been made on patches for Meltdown and Spectre, but it has come in fits and starts: the fixes are still incomplete, and some early microcode and OS updates were pulled or reissued after they caused reboots and performance regressions.
While risks and threats continue to pile up, the good news for IT and security pros is the challenges they're facing aren't insurmountable. A key part of managing them effectively is staying up-to-date on most current threats, but also stepping back to understand the big-picture trends that are driving them.
To help, here are 10 telling stats that provide context for how cybersecurity is evolving and offer insight into what's coming next.
The majority of successful attacks are now fileless. Source: The Ponemon Institute
One of the most significant trends we've seen in 2017 and early 2018 is the ongoing shift away from using malicious .exe files to package and deploy malware, and toward attacks that run scripts (PowerShell, for instance), abuse legitimate system tools, or load code directly into memory. This represents a major change in the way attacks are carried out, and it poses a severe problem for traditional security solutions such as antivirus, which rely heavily on analyzing executable files in order to make detections.
It's become common to describe attacks that avoid the use of malicious executables as "fileless," even though they typically do involve other types of files at one stage of the attack or another. The terminology can be confusing, but what's clear is that these attacks are very much on the rise, largely for two reasons:
For these reasons, the adoption of fileless attack techniques has been steadily on the rise. While it's estimated that one in five attacks leveraged fileless techniques in 2016, this year that ratio is expected to be one in three attacks.
These stats make it clear that attacks have evolved, and the majority of currently available security products are still trying to catch up. That brings us to trend #2.
One of the primary reasons why organizations may have indicated their security risk rose significantly in 2017 is that their faith in traditional, bedrock security solutions such as antivirus has been in heavy decline.
When asked whether they agreed traditional, signature-based antivirus solutions provide the necessary protection required to stop current attacks against their systems, nearly seven out of 10 organizations replied "no."
As a result, the majority of organizations are investigating other options, including next-generation antivirus products and other new endpoint solutions. Many have made moves to augment their antivirus with an additional layer of advanced protection, while others have invested in endpoint detection and response (EDR) solutions in hopes of mitigating damage when attacks do get through. Some are even ripping out their antivirus altogether.
The downside to adding additional layers while maintaining existing solutions, of course, is that it places additional strains on security teams and their budgets. Not only are new tools an additional cost, they're also another thing that has to be managed on an ongoing basis. That brings us to trend #3.
In addition to reporting a significant rise in the new types of attacks they're seeing, organizations also report struggling to keep the cost and complexity of managing security down.
In an attempt to respond to new threats and provide more advanced protection beyond file analysis, some traditional and next-generation antivirus vendors have begun offering supplemental add-ons and additional features. In many cases, these features require more active hands-on management than teams may be used to, including more intensive whitelisting and far more false positives. In fact, false positives were ranked as the #1 "hidden" cost of endpoint protection in Ponemon's 2017 State of Endpoint Security Risk report.
Adding to the management challenge is the fact that organizations now have an average of seven different agents installed on endpoints, with each requiring its own monitoring. Simply put, the majority of organizations feel like they're underwater.
On the plus side for security teams, funding continues to rise, with Gartner forecasting an 8 percent increase in global security spending to the tune of $96 billion, total.
According to Gartner, there are several factors behind the rise, but the biggest motivation stems from the numerous high-profile attacks and data breaches that plagued organizations in 2017. Companies don't want to become the next Equifax, and they're increasingly aware of just how costly today's cyber attacks can be.
Ponemon pegs the average total cost of a single attack at $5 million (or roughly $300 per employee), and indicates the biggest itemized cost is system downtime.
Costs can span a broad range depending on the organization and the scenario, but for the majority of attacks, downtime is indeed the real killer. Having systems locked down or pulled offline can be extremely disruptive, and it can send unexpected ripple effects across an organization's operations.
Take, for example, the ransomware attack that hit Erie County Medical Center last April. It took the Buffalo, NY area hospital more than three months to fully recover from the incident, with total costs estimated at $10 million.
When attacks hit large corporations, the costs can be even more astronomical. Global shipping giant Maersk reported losses of roughly $300 million from the NotPetya attack in June 2017. The pharmaceutical company Merck acknowledged the attack caused similar losses in Q3 plus an additional $300 million in Q4.
With attacks actively evolving to spread more quickly and cause as much damage as possible, the costs are mushrooming. Cybersecurity Ventures estimated cyber attacks cost businesses $1.5 billion in 2016. Experts estimate the total global losses from last year's WannaCry outbreak alone were in the ballpark of $4 billion.
These are staggering numbers, and companies have clearly decided additional security spending up front is well worth it if it reduces their risk. The nature of the threats organizations need to be prepared for is rapidly changing, however, and the types of attacks they saw in 2017 are very different from the types of attacks they're most likely to encounter this year.
It wasn't long ago that ransomware was the undisputed top payload of choice for attackers looking to make a quick Bitcoin. It dominated the threatscape for a solid two years, during which time it often seemed like it was practically the only type of attack anyone was talking about.
During the first half of 2017, if your company suffered a malware infection it was more likely to be ransomware than anything else. At the peak of the ransomware boom in June 2017, researchers at Malwarebytes reported 7 out of every 10 malware payloads were ransomware.
Then, suddenly, something unexpected happened — ransomware usage plummeted.
In July, the ratio of ransomware dropped to less than 30 percent of all malware payloads. By December, the ratio had fallen below 5 percent.
Ransomware use plummeted in the second half of 2017. Source: Malwarebytes
Experts are pointing to several factors that help explain the dramatic decline:
Cryptomining malware has been everywhere in Q1 2018. Here's a quick recap in case you haven't been keeping score at home:
And that's just eight weeks into the year. It also doesn't cover the activity from 2017, including the WannaMine and Adylkuzz campaigns that utilized the same leaked NSA exploit (EternalBlue) that fueled the WannaCry outbreak.
Malicious cryptomining (or "cryptojacking") has clearly caught on, and attackers are showing no hesitation adding it to their bag of tricks. In addition to adding cryptomining scripts to malicious or compromised websites, cryptominer payloads have also taken the place of ransomware payloads in a wide variety of malware campaigns. Spam emails and exploit kits are dropping them with increased frequency, and other applications such as Facebook Messenger are being exploited to spread them, as well.
Attackers are also increasingly bundling cryptominers together with other malware payloads such as credential stealers and backdoors, in an attempt to further monetize their attacks (the PZChao campaign is a good recent example).
The move from ransomware to cryptomining malware represents a significant shift in priorities for attackers. While the former is all about inflicting damage (typically encryption) and initiating a big reveal (ransom screen), the latter is all about laying low, evading detection, and running as quietly as possible in the background for as long as possible.
Organizations that responded to ransomware infections by investing in backup were smart to do so, but now they face a threat designed to infect them just as effectively while silently draining their resources and bogging down their systems over time.
Organizations need to adapt their security efforts accordingly, and make sure they're properly equipped to address infections that aren't as blatant as ransomware — infections that are instead getting increasingly stealthy and evasive.
How do you fight an infection you may not even know you have? The best answer is to prevent it in the first place, so organizations should prioritize preventative measures such as replacing legacy antivirus solutions with stronger, more modern endpoint protection. That addresses cryptomining malware installed on machines; it also pays to watch for the symptoms a miner cannot hide, such as sustained high CPU usage and outbound connections to mining pools. For malicious browser-based cryptomining, organizations and users can consider installing extensions like No Coin, minerBlock, NoScript, and ScriptSafe.
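A miner that is trying to stay quiet still has to burn CPU and talk to a pool, and those two facts are what a host-based check can key on. The following is an added example (not code from the original post or from Barkly) that scores a snapshot of processes, each with its command line, average CPU over a sampling window and established outbound connections. The process records, the pool-port list, the CPU threshold and the wallet-address pattern are assumptions constructed for the example; a legitimately CPU-heavy job is included to show why CPU alone is not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# All thresholds, port lists and patterns are assumptions to tune to your environment.
POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}   # ports commonly used by mining pools
CPU_THRESHOLD = 70.0                                  # sustained average CPU % over the window
STRATUM_RX = re.compile(r"stratum\+(?:tcp|ssl)://", re.I)
XMR_WALLET_RX = re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")  # shape of a Monero standard address
MINER_NAME_RX = re.compile(r"xmrig|minerd|cpuminer", re.I)          # well-known miner binary names


@dataclass
class Process:
    pid: int
    name: str
    cmdline: str
    cpu_pct: float                                        # average CPU over the sampling window
    remote_ports: List[int] = field(default_factory=list)  # remote ports of established outbound connections


def miner_indicators(p: Process) -> List[str]:
    """Return the indicators this process trips; an empty list means nothing miner-like was seen."""
    hits = []
    if STRATUM_RX.search(p.cmdline):
        hits.append("stratum pool URI on command line")
    if XMR_WALLET_RX.search(p.cmdline):
        hits.append("Monero wallet address on command line")
    if MINER_NAME_RX.search(p.name) or MINER_NAME_RX.search(p.cmdline):
        hits.append("known miner binary name")
    pool_conns = sorted(port for port in p.remote_ports if port in POOL_PORTS)
    # High CPU by itself is normal for builds, transcodes and the like; only pair it with a pool port.
    if pool_conns and p.cpu_pct >= CPU_THRESHOLD:
        hits.append(f"sustained CPU {p.cpu_pct:.0f}% with connection to pool port {pool_conns[0]}")
    return hits


def flag_miners(processes: List[Process]) -> Dict[int, List[str]]:
    """Map pid -> indicators for every process that tripped at least one indicator."""
    flagged = {}
    for p in processes:
        hits = miner_indicators(p)
        if hits:
            flagged[p.pid] = hits
    return flagged


# Constructed sample snapshot. FAKE_WALLET has the right shape but is not a real address.
FAKE_WALLET = "4A" + "B" * 93
SAMPLE_PROCESSES = [
    Process(101, "chrome.exe", r"C:\Program Files\Google\Chrome\chrome.exe", 12.0, [443, 443]),
    Process(202, "svchost.exe",  # masquerading name, user-writable path, pool URI and wallet
            r"C:\Users\Public\svchost.exe -o stratum+tcp://pool.example:3333 -u " + FAKE_WALLET + " -p x",
            92.0, [3333]),
    Process(303, "ffmpeg", "ffmpeg -i in.mov out.mp4", 96.0, []),        # legitimately CPU-heavy
    Process(404, "python3", "python3 build.py", 81.0, [443, 22]),         # busy, but no pool traffic
]

if __name__ == "__main__":
    for pid, hits in flag_miners(SAMPLE_PROCESSES).items():
        print(pid, hits)
```

In a real deployment the snapshot would come from the endpoint agent or from periodic process and socket listings, and the stratum and wallet checks would be extended with the pool hostnames observed in your own network telemetry.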
If these stats tell us anything, it's that things evolve quickly in the world of security. Find out how Barkly can help you stay one step ahead of attacks with the strongest, smartest endpoint protection available.