April 9, 2015 By Gretchen Marx 5 min read

Every year, thousands of companies evaluate their current security posture and implement solutions to help fill gaps in their security programs. The following are four security myths that may keep your organization from moving to a higher level of security:

Myth: Your Company Is Not Infected

Reality: Attackers Bypass Traditional Security Defenses Every Day

Your company is infected; every company is getting attacked every day. What makes it so hard to find the attackers? They certainly don’t stand up and say, “Hi, I’m in your system.” Instead, they lie low for weeks — even months — until they’re ready to attack critical systems and steal your data. Or, they exploit vulnerabilities on Web-facing applications to quickly grab data before you realize what happened.

There has been a focus on building layered security defenses for years. However, traditional security architectures and tools are failing in today’s threat landscape; they just can’t see the threats. In one study published by the Ponemon Institute, advanced attacks went undetected for an average of 225 days. The following are some ways you can defend against advanced threats:

  • Stop Unknown Threats: Antivirus, firewalls and other signature-based defenses are good at stopping known threats or blocking traffic that matches a specific pattern. However, attackers have gotten incredibly savvy; they know these tools are looking for known signatures. Therefore, they mutate their threats just enough so tools can’t detect them — or worse, they use zero-day exploits nobody knows about. You need to be able to stop threats you’ve never seen before. This requires new technology to identify when attackers are exploiting applications or protocols to gain unauthorized access to systems and install malware. You need to shield against entire classes of vulnerabilities, not match known exploits.
  • Identify Anomalies and Weaknesses: You can find evidence of an attack by analyzing behaviors and identifying anomalies, such as a behavior that is out of the ordinary for the individual, data that is going places it shouldn’t go or users who are logging in from strange locations at unusual times. Weaknesses need the same attention: alert your security team to misconfigurations in their environment and help them prioritize the thousands of known vulnerabilities with automated tools.
  • Understand and Remediate Incidents: If an attacker does get through, your security team needs alerts to detect it quickly. They need to understand what happened so they can remediate it.
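The anomaly detection described above comes down to one idea: learn what is normal for each identity, then flag deviations. The following is an added example, not code from the original article, that builds a per-user baseline from a few constructed authentication log lines and then flags logins from a country or hour that user has never been seen at, or an outbound volume far above anything seen before (the "data going places it shouldn't" case). The log format, user names, countries and the ten-times volume threshold are all assumptions made for illustration.

```python
"""Baseline-and-deviation login analytics over constructed log lines.

Added example; the log format "<ISO timestamp> <user> <country> <bytes_out>",
the users, the countries and the thresholds are assumptions, not from any
real product or data set.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history used to learn what is "normal" for each user.
BASELINE_LOG = """\
2015-03-02T09:12:00 alice US 1200
2015-03-03T08:55:00 alice US 980
2015-03-04T09:30:00 alice US 2100
2015-03-05T10:02:00 alice US 1500
2015-03-02T22:10:00 dba_bob DE 40000
2015-03-03T23:05:00 dba_bob DE 38000
2015-03-04T21:50:00 dba_bob DE 42000
"""

# Constructed new activity to be checked against the baseline.
NEW_LOG = """\
2015-04-01T09:05:00 alice US 1300
2015-04-01T03:14:00 alice RU 900
2015-04-01T22:30:00 dba_bob DE 41000
2015-04-01T22:35:00 dba_bob DE 900000
2015-04-01T11:00:00 carol FR 500
"""


def parse(log):
    """Turn raw log text into a list of event dicts (one per non-empty line)."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, country, nbytes = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "country": country,
            "bytes": int(nbytes),
        })
    return events


def build_baseline(events):
    """Per user: countries seen, login hours seen, and largest outbound volume."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "max_bytes": 0})
    for e in events:
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["hours"].add(e["ts"].hour)
        b["max_bytes"] = max(b["max_bytes"], e["bytes"])
    return base


def _hour_distance(a, b):
    """Circular distance between two hours so 23:00 and 00:00 are 1 apart, not 23."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def detect(events, baseline, volume_factor=10):
    """Return (timestamp, user, reasons) for every event that deviates from its baseline."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            # A never-before-seen identity is itself worth a look.
            reasons.append("no baseline for user")
        else:
            if e["country"] not in b["countries"]:
                reasons.append(f"new country {e['country']}")
            # Allow one hour of slack either side of any previously seen login hour.
            if all(_hour_distance(e["ts"].hour, h) > 1 for h in b["hours"]):
                reasons.append(f"unusual hour {e['ts'].hour:02d}")
            if e["bytes"] > volume_factor * b["max_bytes"]:
                reasons.append(
                    f"outbound volume {e['bytes']} exceeds {volume_factor}x "
                    f"baseline max {b['max_bytes']}"
                )
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts


def run_example():
    """Learn from BASELINE_LOG, then score NEW_LOG against it."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(NEW_LOG), baseline)


if __name__ == "__main__":
    for ts, user, reasons in run_example():
        print(ts, user, "; ".join(reasons))
```

Run as written, the example flags three of the five new events: alice’s 03:14 login from a new country (two independent reasons), the database administrator’s outbound volume that is more than ten times anything in his history, and carol, for whom no history exists at all. The baseline here is learned from a handful of lines so the result is easy to check by hand; in production you would build it from weeks of data and use percentiles rather than a single maximum, but the shape of the logic, learn per identity and alert on deviation, is the same.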

Start looking into behavioral controls, advanced analytics, forensics capabilities and threat research to get ahead of the attacks on your company. All this protection has to apply across your entire infrastructure, from your networks and endpoints to your data and applications. It also has to apply in the data center, on physical devices, on virtual machines and in the cloud.

Myth: You Are Spending Your Money Wisely

Reality: Security Spending Does Not Align With Risk

Security is tough. There is a lot to protect and not enough budget to make it all happen. That’s why you should consider taking a risk-based approach.

Organizations are buried in data, but according to one recent study, just 2 percent of the data in a company represents 70 percent of its critical assets, such as customer information, intellectual property, marketing plans and sales plays. Do you know where that information is? Have you identified it? Have you determined whether it is in structured or unstructured form, in the data center or on the cloud? This is crucial to really protecting your organization.

Do you know who is accessing your most critical data? Some of those users, such as database administrators, have elevated privileges. How can you determine whether their actions, either malicious or inadvertent, are putting your data at risk?

Based on a study performed by the Ponemon Institute, the highest security risk is at the application layer. Yet organizations often focus on the network layer, allocating most of their resources and attention there. You are adding new Web and mobile applications on a weekly or possibly even a daily basis. Have you scanned every one of those apps for security holes?

You need to provide protection not only to the data, but to applications that transform that data and the people who access and use it. Adopting a multilayered, risk-based defense can help you protect your critical assets in the data center and the cloud, provide extra protection for privileged users and identify vulnerabilities in Web, mobile and back-end production applications.

With capabilities to discover, protect and monitor your data, applications and people, you can help ensure your organization is guarding the right assets at the right time from bad actors.

Myth: Innovation Is Too Risky

Reality: Cloud and Mobile Will Reinvent Security

It is not a question of if you will use cloud and mobile solutions, but when. The cloud provides the agility and flexibility to allow you to grow your IT capabilities at speed and scale while reducing costs.

As cloud adoption grows, companies have more resources — applications, data and services — residing on different platforms; some run on public clouds, while others run on private clouds. The cloud can give you the opportunity to do security over and do it right with a diverse portfolio of services.

Look for a vendor that has security capabilities that extend from the data center to the cloud so your security team can seamlessly manage both environments. You need to be able to manage user access, protect the data you’re moving to the cloud and identify vulnerabilities in new applications on the cloud, all while maintaining visibility across both the data center and the cloud.

Mobile devices need protection for the device itself, for the content and applications on the device and for the transactions going from the device to your back-end systems.

In short, work with a vendor who can help build security in from the beginning and wrap security around both cloud and mobile initiatives.

Myth: You Can Do This Alone

Reality: Security Requires a Collective Defense

Wouldn’t it be nice if you had access to information about what’s happening right now across the entire Internet? What’s happening to peers in your industry? What are the latest vulnerabilities?

Businesses need to get better about sharing data, because the bad guys sure are.

Look for vendors who embed global threat information in their products and services, and take advantage of sharing resources throughout the industry. Without viable global threat information, your company is operating in the dark. At the same time, you may be challenged to find the right people to staff your security team: About 83 percent of companies report that they can’t find people with the needed security skills.

Focus on the security controls for which you have in-house expertise, and look for help from a trusted partner to augment your team where you have gaps.

Busting Security Myths With Thoughtful Intelligence

Traditional security defenses are no match for today’s unrelenting, well-funded attackers. Organizations must avoid buying into these security myths and accelerate their ability to limit new risk and apply intelligence to stop attackers, regardless of how advanced or persistent they are. New analytics, innovation and a systematic approach to security are necessary. Forward-thinking organizations can establish a favorable risk posture that reduces the likelihood of costly exposures, liberating their budget for innovation and turning risk into opportunity.
