Top CIOs acknowledge they are wasting millions (take your pick – BSPs, EURs, or USDs) on layered security defences because these technologies blindly trust keys and certificates, according to research we just completed with independent research firm, Vanson Bourne. The bad guys use unprotected keys and certificates to bypass these security defences, exploiting keys and certificates to hide in encrypted traffic, spoof websites, deploy malware, and steal data.
Get the full report, 2016 CIO Study Results: The Threat to Our Cybersecurity Foundation
The research reveals CIOs understand they are wasting millions because these layered security defences like FireEye can’t stop half of the attacks. More and more network attacks targeting enterprises use encrypted traffic to bypass controls; these technologies can’t defend against any of that.
The recently released annual threat report by Dell describes the growth in SSL/TLS decryption as a “mixed bag.” In Q4 2015, SSL/TLS connections comprised an average of over 64% of web connections, and, throughout 2015, each month increased by 53% over the corresponding month in 2014, on average. Although SSL/TLS is used to secure communications and connections, it’s also used increasingly by cybercriminals as an attack vector. When discussing the Dell report, Business Wire explains, “Using SSL or TLS encryption, skilled attackers can cipher command and control communications and malicious code to evade intrusion prevention systems (IPS) and anti-malware inspection systems.”
When you consider that the market for enterprise security is worth an estimated $83 billion worldwide, that’s a lot of money being wasted on solutions that can only do their jobs some of the time.
Keys and certificates are machine identities that authenticate system connections and tell us whether software and devices are doing what they are meant to do. But when machine identities are left unmanaged and unprotected, this foundation is threatened. And if this foundation collapses, the Global 5000 and federal governments will be in serious trouble. With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets’ websites, infrastructure, clouds, and mobile devices, and decrypt communications thought to be private.
Layered security defences—endpoint protection, advanced threat protection, firewalls, behavioural analytics, IDS and IPS security systems, and more—are fundamentally flawed because they blindly trust machine identities and are unable to determine which are good or bad.
In addition, most security professionals (54%) admit to not knowing where all of their keys and certificates are located, who owns them, or how they are used. Without visibility or access into all keys and certificates, security controls are unable to inspect the vast majority of encrypted network traffic, which leaves gaping holes in enterprise security defences.
Cybercriminals are taking advantage of these blind spots and are using unprotected keys and certificates not only to evade detection, but to achieve authentication and trusted status that bypasses other security controls and allows their actions to remain hidden.
The public markets are efficiently reflecting a loss of confidence in cybersecurity. It’s no coincidence that 90% of CIOs admit to wasting billions on inadequate cybersecurity at the same time the HACK cybersecurity fund drops by 25% since November 2015. This is well ahead of the overall market downturn with a 10% decline in the S&P500 index.
The number of keys and certificates that enterprises need to secure is exploding. In light of Encryption Everywhere plans, driven in large part by Edward Snowden’s revelations and breach of the NSA, virtually all CIOs surveyed (95%) indicated they are worried about how they will securely manage and protect all encryption keys and certificates.
And as the speed of IT increases—creating and decommissioning services based on elastic needs—the number of keys and certificates will grow by orders of magnitude. When asked if the speed of DevOps makes it more difficult to know what is trusted or not in their organizations, 79% of CIOs said yes.
Most enterprise organizations have moved to a bi-modal IT structure with two-stream, two-speed IT: one that supports existing apps that require stability and another that delivers fast IT for innovation and business-impacting projects. Yet using agile methods and introducing DevOps is an extremely high-risk and chaotic endeavour. In these new environments, security will always suffer and it will become virtually impossible to keep track of what can and can’t be trusted.
The Venafi Trust Protection Platform helps you understand which machine identities should be trusted and which shouldn’t. With trust in keys and certificates restored, the value of a business’s other security investments increases.