SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Story image
If you want to catch a thief, you need open security
Fri, 10th Mar 2023

Getting one step ahead of malicious attackers will require companies to take an entirely new approach to IT security.

When the World Economic Forum (WEF) unveiled its Global Risks Report 2023 at this year's annual meeting in Davos, they reported their top 10 ranking of the world's most severe risks over the next decade included a new entrant: "Widespread cybercrime and cyber insecurity."

That set the stage for a broader conversation about cyber resilience among the business and government leaders attending the summit. As the report's authors warn, there is no room for complacency in any area of the private or public sectors: "Alongside a rise in cybercrime, attempts to disrupt critical technology-enabled resources and services will become more common, with attacks anticipated against agriculture and water, financial systems, public security, transport, energy and domestic, space-based and undersea communication infrastructure."

Business leaders are already only too aware that today's risks transcend geographical borders and industry sectors. In particular, the ongoing Russia-Ukraine war has focused corporate minds on the shifting nature of cyber threats.

In a second report unveiled at the WEF summit, the Global Security Outlook Report for 2023, 91% of organisational leaders surveyed believe that current geopolitics make a "far-reaching, catastrophic cyber event" either moderately or very likely in the next two years. Among those specifically responsible for cybersecurity at their organisation, the figure rises to 93%.

A bigger question

The bigger question for these cyber leaders is how they might best tackle these threats. And the answer, it seems, is unlikely to be "more of the same" because, on its own, increased investment in cybersecurity technologies clearly isn't working. Something needs to change.

After all, global cybersecurity budgets have trended upward year after year for decades, with no signs of a slowdown any time soon. In 2023, analysts at research firm Gartner predict that spending on information security and risk management products and services will rise 11.3% to reach more than $188.3 billion.

At the same time, the costs of cybercrime also keep growing. In August 2022, researchers at Cybersecurity Ventures predicted that global cybercrime costs for the year would total some $7 trillion. If cybercrime were measured as a country, they pointed out, it would be the world's largest economy after the US and China. Worse still, they expect these costs to continue to mount by 15% per year over the next four years, reaching $10.5 trillion by 2025.

In short, cybersecurity is failing to keep pace with cybercrime, and the situation is only worsening. It's time we looked harder at why — and what might be done to redress the balance.

Proprietary problems

Part of the problem lies in the kinds of cybersecurity technologies that organisations deploy. For the most part, these products are based on proprietary technologies, kept hidden from the world by the companies that build and sell them. The technological 'recipes' that underpin them are closely guarded secrets. The message to customers from the companies marketing them is clear: "Just leave it to us. We know what we're doing."

It's certainly true that many of these 'black-box' security software vendors are very well-resourced. They can afford to recruit talented developers and monitor the threat landscape for serious issues, as they continually point out to customers.

But that's not enough because many of today's attackers are just as well-resourced and use increasingly sophisticated approaches and development talent. It's a point made eloquently at Davos by Jürgen Stock, Secretary-General of Interpol, the global organisation for police cooperation and crime control.

"These groups developing hacking tools are incredibly rich," he said, adding that they are getting wealthier all the time. "We have no idea how many hundreds of millions, or even billions they've made [just] through ransomware attacks and the ransoms that have been paid. It's a huge challenge for us."

And when black-box security technology falls under the scrutiny of a large and well-resourced network of hackers, a huge problem quickly emerges. By closing off their code from customers and the wider world, software suppliers make themselves a target for hackers, who realise that one undetected attack on a security product potentially exposes thousands of customers.

There is, therefore, a clear incentive for malicious actors to identify vulnerabilities in these vendors' products and patches. And that's without mentioning the management headache facing cybersecurity teams who have invested in multiple security products and are now forced to manage them all on a daily basis.

A better, more open approach

To catch a thief, you need to think like a thief. It's an old maxim, but one that applies well to today's cybercriminals.

In other words, when you're looking to get one step ahead of a well-coordinated community of attackers, you need your own well-coordinated community.

This is what Elastic has defined as 'open security'. It's an approach that relies on collaboration, with information security experts pooling their collective brainpower and sharing code, detection rules and artefacts as they work together to protect IT systems. It's a joint effort to improve security software for the benefit of the community as a whole rather than the shareholders of one specific software company.

There are several major advantages to this approach. When security software is developed out in the open, all participants can contribute to a product and run tests on it before implementing it in their own environment. Along the way, they learn from each other how various exploits work and can bring to the table new ideas about how these might be thwarted. And it helps information security professionals combine their expertise to spot potential blind spots in a product's code at a time when no single security solution can be expected to protect against each and every cyber threat.

This may sound radical, but as awareness grows, customer demand for this kind of approach is likely to grow, too. In time, it could force many of the black-box security vendors to adopt a more open strategy, giving their customers more transparency but also strengthening their own products.

Open security may, in fact, be the only way that those who seek to protect can ever hope to outnumber and overpower those who seek to disrupt and exploit.