Figures from the annual report bear this out. Every year, Cisco asks a selection of global organisations from the Fortune 500 to monitor their internet traffic for known malware.
He says 100 per cent of the organisations that were monitored reported having some level of compromise already: they were testing positive for malware.
“Every one of those large Fortune 500 companies has traffic going to known malware or command and control sites, which is scary.”
Moreover, the report finds the gap is widening from when an attack occurs and when the organisation actually detects the compromise.
It has always been days to weeks to detect a compromise, but this continues to trend from weeks to months, he states. This is in line with current software patching data, where many applications remain unpatched for months and years. The average patch cycle for organisations is around 55 days, whereas the attackers take an average of six days to release exploit code for a new vulnerability.
He says Cisco sees around 1.5 million intrusions – every single day – into its network and systems.
To combat these attacks, he says the internal security team assigns 50 per cent of its members to focus on the top 5 per cent of threats, the “nasty stuff, advanced malware and persistent threats”.
He says the rest go after the day-to-day activities like antivirus and patching, and simply “keeping the lights on”.
Sikking underscores the need to engage security early on in any project.
“Security is a people, people, people; process and technology issue,” he states.
It is important to add context to your security decisions, he states. “Who and what is on your network? Who is talking to whom? What time of day? What network are they on? What are they talking about? Is it a valid business application?”
“Organisations need to understand how communication flows across their networks, how files are propagated across the network and if they happen to be malicious, who has the potential to be infected.”
Sikking calls this “understanding the trajectory of data through the network”.
“By combining all the contextual information as well as event based data, we can see how an infection has entered the network, basically who was ‘patient zero’ and then pivot on that information to understand who could be infected next,” he states.
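An added illustration of that pivot, not code from Cisco or the article: given constructed file-propagation events (host names and hashes are made up), it finds the earliest host that received a later-flagged file, walks forward in time to list who received it from that chain, and separately reports transfers whose source was never seen receiving the file, which in an investigation points at a visibility gap or a second entry point.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts src dst sha256")

# Constructed sample of file-propagation events (hosts and hashes are made up).
EVENTS = [
    Event(90,  "ws-erin",   "ws-alice",  "ccc333"),  # earlier, unrelated file
    Event(100, "mail-gw",   "ws-alice",  "aaa111"),  # flagged file enters via mail
    Event(110, "ws-alice",  "fileshare", "aaa111"),
    Event(120, "fileshare", "ws-bob",    "aaa111"),
    Event(130, "ws-bob",    "ws-carol",  "bbb222"),  # different file, not the flagged one
    Event(140, "fileshare", "ws-dave",   "aaa111"),
    Event(150, "ws-dave",   "ws-alice",  "aaa111"),  # loops back to an already-seen host
    Event(160, "ws-frank",  "ws-grace",  "aaa111"),  # ws-frank never received it: second entry point?
]

def patient_zero(events, bad_hash):
    """Earliest host seen receiving the file that was later flagged as malicious."""
    hits = sorted(e for e in events if e.sha256 == bad_hash)
    return (hits[0].dst, hits[0].ts) if hits else None

def trajectory(events, bad_hash):
    """Time-respecting forward walk from patient zero.

    Returns (reached, unexplained): `reached` maps each host to the time it
    first received the flagged file along a chain from patient zero;
    `unexplained` lists transfers whose source was never seen receiving the
    file, i.e. a gap in visibility or another entry point worth investigating.
    """
    pz = patient_zero(events, bad_hash)
    if pz is None:
        return {}, []
    host, t0 = pz
    reached = {host: t0}
    unexplained = []
    for e in sorted(e for e in events if e.sha256 == bad_hash):
        if e.dst in reached:
            continue                      # already counted; keep the first-seen time
        if e.src in reached and reached[e.src] <= e.ts:
            reached[e.dst] = e.ts         # exposed via a host that already had the file
        else:
            unexplained.append(e)         # sender was never seen receiving it
    return reached, unexplained
```

Hosts in `reached`, ordered by time, are the “who could be infected next” list the article describes; anything in `unexplained` is where the visibility picture is incomplete.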
Virtual patching of these vulnerabilities provides a window of opportunity for the organisation to correct the root cause and the vulnerabilities that expose its network and systems.
“Ultimately this is all about blocking the unknowns” he states. “As an industry we have been pretty good at blocking the known stuff, like viruses and worms.”
But how do we go and discover these unknown threats? “The only way to do that is to move into behavioural analysis.”
“We must augment the traditional antivirus and malware tools to understand malicious behaviours, looking at the point in the ‘attack chain’ where malware goes to contact the command and control servers or start to exfiltrate data.
“Although this is a long way down the attack chain, the malware authors are very adept at bypassing our traditional protection mechanisms like firewalls and antivirus.”
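To make the behavioural point concrete, here is an added example (not Cisco's code or anything from the article) that runs over constructed flow records: it flags a host that contacts the same address at near-constant intervals, which is how command-and-control check-ins often look, and a host that pushes an unusually large outbound volume to one address. The thresholds are assumed tuning values, and the addresses are RFC 5737 documentation ranges.

```python
import statistics
from collections import defaultdict

# Constructed flow records (timestamp_s, src_host, dst_ip, bytes_out); hosts and
# documentation-range addresses are made up for illustration.
FLOWS = (
    # ws-bob reaches one address roughly every 60 s with tiny payloads: beacon-like
    [(1000 + 60 * i + (i % 3) - 1, "ws-bob", "203.0.113.7", 400) for i in range(8)]
    # ws-alice revisits one site at irregular, human-looking intervals
    + [(t, "ws-alice", "198.51.100.20", 1500)
       for t in (1000, 1003, 1090, 1091, 1400, 1405, 1900, 2500)]
    # ws-carol sends two large uploads to one external address
    + [(2000, "ws-carol", "192.0.2.9", 30_000_000), (2300, "ws-carol", "192.0.2.9", 30_000_000)]
)

def pair_stats(flows):
    """Per (src, dst) pair: connection count, mean inter-connection gap, gap jitter
    as a coefficient of variation, and total bytes sent outbound."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    stats = {}
    for pair, recs in by_pair.items():
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps) if gaps else 0.0
        # Too few gaps to judge regularity counts as "not regular" (infinite jitter).
        cv = statistics.stdev(gaps) / mean if len(gaps) > 1 and mean else float("inf")
        stats[pair] = {"count": len(recs), "mean_gap": mean, "cv": cv,
                       "bytes_out": sum(n for _, n in recs)}
    return stats

def suspected_beacons(flows, min_count=6, max_cv=0.15):
    """Pairs contacted many times at near-constant intervals (assumed thresholds)."""
    return sorted(p for p, s in pair_stats(flows).items()
                  if s["count"] >= min_count and s["cv"] <= max_cv)

def suspected_exfil(flows, min_bytes=50_000_000):
    """Pairs where one internal host sent an unusually large volume outbound (assumed threshold)."""
    return sorted(p for p, s in pair_stats(flows).items() if s["bytes_out"] >= min_bytes)
```

Real deployments baseline these thresholds per environment; a fixed number like 60 s or 50 MB is only a starting point for tuning.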
Leveraging platforms is the only way to be able to maintain any advantage over the attackers, he states.
“The first platform is to use the entire network as a sensor,” he states. “Use that to understand what is going on in your network so you can leverage the network as an enforcement point.”
The second platform is globalised information sharing of threat intelligence. “Organisations can’t do this alone anymore,” he states. “They need real-time updates of current threats and be able to dynamically change their posture to mitigate the threat impact.”
Sikking turns to the five principles in the Cisco Security Manifesto as a guide:
First is that security must be considered a growth engine for the business. “It should never be a roadblock or hassle that undermines user productivity and hinders innovation.”
Second, that security must work with existing architecture and be usable. Organisations should not have to change the way they do business to accommodate new security technologies.
Third is that security must be transparent and informative. Users need to know how they can do what they want to do safely instead of bypassing security as they do their jobs.
Fourth is that security must enable visibility and appropriate action. “We have to have visibility in our network – so they can see traffic and also assets that make up the network.”
Fifth, security must be viewed as a people problem. “Cyber criminals are exploiting people’s trust,” he states. “We need security to be transparent to the user, but when we do need to interject, we need to be informative.”
For instance, a user who clicked through a phishing attack using a fake PayPal email will be told: “You were blocked going to that site because it has been compromised and is now serving malware.”
He says organisations are doing pretty well on managing the processes and technology side. “We still have a long way to go and we must never forget how people factor into our transformation.”
He points out the latest Cisco Security Capabilities Benchmark Study finds 91 per cent of organisations have an executive with direct responsibility for security.
But he states that security leadership in networked organisations needs to ascend higher, to the boardroom.
Boards need to start asking tough questions about security controls, including how quickly the enterprise can detect and remediate any compromise.
CIOs need to be prepared to answer these questions from the board including: “What else should we know?”
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter: @cio_nz