Every year, thousands of companies evaluate their current security posture and implement solutions to help fill gaps in their security programs. The following are four security myths that may keep your organization from moving to a higher level of security:

Myth: Your Company Is Not Infected

Reality: Attackers Bypass Traditional Security Defenses Every Day

Assume your company is already compromised: every company is being attacked every day. What makes the attackers so hard to find? They certainly don't stand up and say, "Hi, I'm in your system." Instead, they lie low for weeks, even months, until they are ready to move on critical systems and steal your data. Or they exploit vulnerabilities in Web-facing applications to grab data quickly, before you realize what happened.

Organizations have focused on building layered security defenses for years. However, traditional security architectures and tools are failing in today's threat landscape: they simply cannot see the threats. In one study published by the Ponemon Institute, advanced attacks went undetected for an average of 225 days. The following are some ways you can defend against advanced threats:

  • Stop Unknown Threats: Antivirus, firewalls and other signature- or rule-based defenses are good at stopping known threats or blocking traffic that matches a specific pattern. However, attackers know these tools look for known signatures, so they repack or mutate their malware just enough that the signatures no longer match, or, worse, they use zero-day exploits for which no signature exists. You need to be able to stop threats you have never seen before. That requires technology that recognizes the act of exploitation itself, when an attacker abuses an application or protocol to gain unauthorized access and install malware, so that you shield against entire classes of vulnerabilities rather than matching individual known exploits.
  • Identify Anomalies and Weaknesses: You can find evidence of an attack by analyzing behavior and flagging anomalies: activity that is out of the ordinary for an individual, data going to places it should not go, or users logging in from unusual locations at unusual times. Separately, your security team needs to be alerted to weaknesses, such as misconfigurations and unpatched vulnerabilities, and needs automated tools to prioritize and manage the thousands of findings those scans produce.
  • Understand and Remediate Incidents: If an attacker does get through, your security team needs timely alerts to detect it. They also need to reconstruct what happened, which systems were touched and what data was accessed, so they can contain and remediate the incident.
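As an added example of the login-anomaly check described in the list above (this is not code from the original article or from any vendor product), the script below builds a per-user baseline of countries and login hours from a constructed JSON-lines authentication log, then flags new logins that come from a country the user has never used, at an hour the user has never used, or that would require impossible travel from the previous login. The field names, users, addresses, countries and thresholds are all assumptions made for the demo.

```python
"""Baseline-versus-anomaly check over authentication logs.

Added example, not part of the original article. Assumes a JSON-lines
login log with fields "user", "ts" (ISO 8601, UTC), "country" and
"src_ip"; every record below is constructed for the demo.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed history (the "normal" the baseline is built from).
HISTORY_LOG = """\
{"user": "alice", "ts": "2024-03-04T09:12:00Z", "country": "US", "src_ip": "203.0.113.10"}
{"user": "alice", "ts": "2024-03-05T10:40:00Z", "country": "US", "src_ip": "203.0.113.10"}
{"user": "alice", "ts": "2024-03-06T14:03:00Z", "country": "US", "src_ip": "203.0.113.12"}
{"user": "alice", "ts": "2024-03-07T09:55:00Z", "country": "US", "src_ip": "203.0.113.10"}
{"user": "alice", "ts": "2024-03-08T16:20:00Z", "country": "US", "src_ip": "203.0.113.10"}
{"user": "alice", "ts": "2024-03-09T11:08:00Z", "country": "US", "src_ip": "203.0.113.10"}
{"user": "bob", "ts": "2024-03-04T08:02:00Z", "country": "DE", "src_ip": "198.51.100.7"}
{"user": "bob", "ts": "2024-03-05T09:14:00Z", "country": "DE", "src_ip": "198.51.100.7"}
{"user": "bob", "ts": "2024-03-06T08:45:00Z", "country": "DE", "src_ip": "198.51.100.7"}
{"user": "bob", "ts": "2024-03-07T10:30:00Z", "country": "DE", "src_ip": "198.51.100.9"}
{"user": "bob", "ts": "2024-03-08T09:01:00Z", "country": "DE", "src_ip": "198.51.100.7"}
{"user": "bob", "ts": "2024-03-09T07:50:00Z", "country": "DE", "src_ip": "198.51.100.7"}
"""

# Constructed new logins to be judged against that baseline.
NEW_LOG = """\
{"user": "alice", "ts": "2024-03-11T03:05:00Z", "country": "RO", "src_ip": "192.0.2.44"}
{"user": "bob", "ts": "2024-03-11T08:30:00Z", "country": "DE", "src_ip": "198.51.100.7"}
{"user": "bob", "ts": "2024-03-11T08:55:00Z", "country": "BR", "src_ip": "192.0.2.91"}
{"user": "carol", "ts": "2024-03-11T12:00:00Z", "country": "FR", "src_ip": "192.0.2.120"}
"""

TRAVEL_WINDOW = timedelta(hours=2)  # assumed: two countries inside this gap = impossible travel
MIN_HISTORY = 5                     # assumed: fewer baseline logins than this is not a usable "normal"


def parse_log(text):
    """Parse JSON-lines login records; UTC timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def build_baseline(history):
    """Per-user 'normal': the countries and the UTC login hours seen in history."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "count": 0})
    for e in history:
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["hours"].add(e["ts"].hour)
        b["count"] += 1
    return base


def find_anomalies(history, new_events):
    """Return one finding per suspicious new login: {"user", "ts", "reasons"}."""
    baseline = build_baseline(history)
    last_seen = {}                      # previous login per user, so travel checks span the boundary
    for e in history:                   # history is sorted, so this ends on each user's latest login
        last_seen[e["user"]] = e
    findings = []
    for e in new_events:
        reasons = []
        b = baseline.get(e["user"])
        if b is None or b["count"] < MIN_HISTORY:
            reasons.append("no usable baseline for user")
        else:
            if e["country"] not in b["countries"]:
                reasons.append(f"new country {e['country']}")
            if e["ts"].hour not in b["hours"]:
                reasons.append(f"unusual hour {e['ts'].hour:02d}:00 UTC")
        prev = last_seen.get(e["user"])
        if prev is not None and prev["country"] != e["country"] \
                and e["ts"] - prev["ts"] < TRAVEL_WINDOW:
            gap_min = int((e["ts"] - prev["ts"]).total_seconds() // 60)
            reasons.append(f"impossible travel {prev['country']}->{e['country']} in {gap_min} min")
        last_seen[e["user"]] = e
        if reasons:
            findings.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})
    return findings


def run_demo():
    """Run the check over the constructed logs and return the findings."""
    return find_anomalies(parse_log(HISTORY_LOG), parse_log(NEW_LOG))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['user']:6} {'; '.join(f['reasons'])}")
```

Run as a script it prints three findings: alice from a new country at an unusual hour, bob's second login as a new country reached by impossible travel from his login 25 minutes earlier, and carol as an account with no baseline. That last case is surfaced on purpose: a first-seen account is worth a look in its own right rather than being silently skipped. In a real deployment the baseline would come from a SIEM query over several weeks of data, and the window and minimum-history thresholds would be tuned per user population.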

Start looking into behavioral controls, advanced analytics, forensics capabilities and threat research to get ahead of the attacks on your company. All this protection has to apply across your entire infrastructure, from your networks and endpoints to your data and applications. It also has to apply in the data center, on physical devices, on virtual machines and in the cloud.

Myth: You Are Spending Your Money Wisely

Reality: Security Spending Does Not Align With Risk

Security is tough. There is a lot to protect and not enough budget to make it all happen. That’s why you should consider taking a risk-based approach.

Organizations are buried in data, but according to one recent study, just 2 percent of the data in a company represents 70 percent of its critical assets, such as customer information, intellectual property, marketing plans and sales plays. Do you know where that information is? Have you identified it? Have you determined whether it is structured or unstructured, and whether it lives in the data center or in the cloud? This is crucial to really protecting your organization.

Do you know who is accessing your most critical data? Some of those users, such as database administrators, have elevated privileges. How can you determine whether their actions, either malicious or inadvertent, are putting your data at risk?

Based on a study performed by the Ponemon Institute, the highest security risk is at the application layer. Yet organizations often focus on the network layer, allocating most of their resources and attention there. You are adding new Web and mobile applications on a weekly or possibly even a daily basis. Have you scanned every one of those apps for security holes?

You need to provide protection not only to the data, but to applications that transform that data and the people who access and use it. Adopting a multilayered, risk-based defense can help you protect your critical assets in the data center and the cloud, provide extra protection for privileged users and identify vulnerabilities in Web, mobile and back-end production applications.

With capabilities to discover, protect and monitor your data, applications and people, you can help ensure your organization is guarding the right assets at the right time from bad actors.

Myth: Innovation Is Too Risky

Reality: Cloud and Mobile Will Reinvent Security

It is not a question of if you will use cloud and mobile solutions, but when. The cloud provides the agility and flexibility to allow you to grow your IT capabilities at speed and scale while reducing costs.

As cloud adoption grows, companies have more resources — applications, data and services — residing on different platforms; some run on public clouds, while others run on private clouds. The cloud can give you the opportunity to do security over and do it right with a diverse portfolio of services.

Look for a vendor that has security capabilities that extend from the data center to the cloud so your security team can seamlessly manage both environments. You need to be able to manage user access, protect the data you’re moving to the cloud and identify vulnerabilities in new applications on the cloud, all while maintaining visibility across both the data center and the cloud.

Mobile devices need protection for the device itself, for the content and applications on the device and for the transactions going from the device to your back-end systems.

In short, work with a vendor who can help build security in from the beginning and wrap security around both cloud and mobile initiatives.

Myth: You Can Do This Alone

Reality: Security Requires a Collective Defense

Wouldn’t it be nice if you had access to information about what’s happening right now across the entire Internet? What’s happening to peers in your industry? What are the latest vulnerabilities?

Businesses need to get better about sharing data, because the bad guys sure are.

Look for vendors who embed global threat information in their products and services, and take advantage of sharing resources throughout the industry. Without timely global threat information, your company is operating in the dark. At the same time, you may be challenged to find the right people to staff your security team: some 83 percent of companies report that they cannot find people with the needed security skills.

Focus on the security controls for which you have in-house expertise, and look for help from a trusted partner to augment your team where you have gaps.

Busting Security Myths With Thoughtful Intelligence

Traditional security defenses are no match for today’s unrelenting, well-funded attackers. Organizations must avoid buying into these security myths and accelerate their ability to limit new risk and apply intelligence to stop attackers, regardless of how advanced or persistent they are. New analytics, innovation and a systematic approach to security are necessary. Forward-thinking organizations can establish a favorable risk posture that reduces the likelihood of costly exposures, liberating their budget for innovation and turning risk into opportunity.
