CIOs Admit to Wasting Millions on Cybersecurity that Doesn't Work on Half of Attacks
SALT LAKE CITY, Feb. 24, 2016 /PRNewswire/ Venafi, the Immune System for the Internet, announced today the findings of a global survey of 500 CIOs conducted by Vanson Bourne about the prevalence and business impact of failed IT security. The survey found overwhelming consensus among IT executives that the foundation of cybersecuritycryptographic keys and digital certificatesis being left unprotected, leaving enterprises blind, in chaos, and unable to defend their businesses.
CIOs acknowledge they are wasting millions of dollars on layered security defences because these tools blindly trust keys and certificatesunable to differentiate between which keys and certificates should be trusted and which shouldn't. With Gartner predicting that 50% of network attacks will come over SSL/TLS this means popular security systems like FireEye will only work half of the time. And CIOs recognize that this chaos is jeopardizing their most strategic plans to build Fast IT organizations around DevOps.
Key findings include:
- 87% of CIOs believe their security defences are less effective since they can't inspect encrypted network traffic for attacks
- 90% of CIOs have or expect to suffer from an attack in which encrypted traffic is used to hide the attack
- 86% of CIOs think stolen encryption keys and digital certificates will be the next big market for hackers
- 79% of CIOs agree that their core strategy to accelerate IT and innovation is in jeopardy because these initiatives introduce new vulnerabilities
Enterprises rely on tens of thousands of keys and certificates as the foundation of trust for their websites, virtual machines, mobile devices, and cloud servers. The technology was adopted to help solve the original Internet security problem of knowing what is safe and private. From online banking, secure communications and mobile applications to the Internet of Things, everything IP-based depends upon a key and certificate to create a trusted and secure connection. But unprotected keys and certificates are being misused by cybercriminals to hide in encrypted traffic, spoof websites, deploy malware, elevate their privileges, and steal data.
Deployed technologies like endpoint protection, advanced threat protection, next generation firewalls, behavioural analytics, intrusion detection systems (IDS) and data loss prevention (DLP) are fundamentally flawed because they cannot determine which keys and certificates are good or bad, friend or foe. As a result, one consequence is that they are unable to inspect the vast majority of encrypted network traffic. This leaves gaping holes in enterprise security defences. Cybercriminals are taking advantage of these security blind spots and are using unprotected keys and certificates to hide in encrypted traffic and circumvent security controls.
"Keys and certificates are the foundation of cybersecurity, authenticating system connections and telling us if software and devices are doing what they are meant to. If this foundation collapses, we're in serious trouble," comments Kevin Bocek, Vice President Threat Intelligence and Security Strategy at Venafi. "With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets' websites, infrastructure, clouds, and mobile devices, and decrypt communications thought to be private."
"Increasingly, the systems we've put in place to verify and establish online trust are being turned against us. Worse still, the vendors that tell us they can protect us, can't. Endpoint protection, firewalls, IDS, DLP and the like are worse than useless because they are lulling people into a false sense of security. This research shows CIOs now understand they are wasting millions because security systems like FireEye can't stop half of the attacks. Gartner predicts that by 2017, more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls; these technologies can't defend against any of that! When you consider that the market for enterprise security is worth an estimated $83 billion worldwide, that's a lot of money being wasting on solutions that can only do their jobs some of the time."
"And the public markets are efficiently reflecting a loss of confidence in cybersecurity. It's no coincidence that 90% of CIOs admit to wasting billions on inadequate cybersecurity at the same time the HACK cybersecurity fund drops by 25% since November 2015. This is well ahead of the overall market downturn with a 10% decline in the S&P500 index."
The risks from unmanaged and unprotected keys and certificates increase as their numbers grow. A recent Ponemon report reveals that the average enterprise has more than 23,000 keys and certificates, and 54% of security professionals admit to not knowing where all of their keys and certificates are located, who owns them, or how they are used. CIOs are concerned that the increase in keys and certificates to support new IT initiatives will confound the problem.
In light of Encryption Everywhere plans, driven in large part by Edward Snowden's revelations and breach of the NSA, virtually all CIOs (95%) indicated they are worried about how they will securely manage and protect all encryption keys and certificates. And as the speed of IT increasescreating and decommissioning services based on elastic needskeys and certificates will grow in orders of magnitude. When asked if the speed of DevOps makes it more difficult to know what is trusted or not in their organizations, 79% of CIOs said yes.
"Gartner predicts that by 2017 three out of four enterprise organizations will be moving to a bi-modal IT structure with two stream/two speed IT: one that supports existing apps that require stability and another that delivers fast IT for innovation and business-impacting projects.," said Bocek. "Yet using agile methods and introducing DevOps is an extremely high risk and chaotic endeavour. In these new environments security will always suffer and it will become virtually impossible to keep track of what can and can't be trusted."