Want to respond better to the evolving threat landscape? Give more support to boards and leaders
Kevin Mandia
strategic advisor, Google Cloud
The view from RSA Conference 2023: Security improvements bring need for more vigilance, not less
Editor’s note: Kevin’s blog originally appeared as a guest column in Google Cloud CISO Phil Venables’ newsletter published on April 28, 2023. We’re reprinting the full column here.
Each year, the RSA Conference provides the backdrop for discussions on the issues shaping cybersecurity, and never was this more important than in 2023. In my RSA Conference keynote, I talked about the challenges of the past year and how the community is responding.
Conflict and macro-economic pressures fostered the evolution of cyber attacks — as well as new approaches that will help address an increasingly challenging threat landscape.
The Mandiant team — now part of Google Cloud — brings a particularly valuable perspective to these developments shaping the future of cybersecurity. Our consultants have responded to more than 1,000 cyber intrusions in the last year, and together with our threat intelligence analysts, we are investigating and analyzing the latest attacks and threats, and learning how best to respond to and mitigate them.
The reach and resources of Google Cloud — and their commitment to innovation exemplified with our cloud security AI news — promises to further enable our unified team to make an even greater impact on our understanding of today’s threat landscape. Together, we can also deliver more insights into the attacker techniques and the defenses that should be employed by security operators.
In my keynote, I provided some details on the work of our consultants, which took place across 53 countries in 2022. We conducted 1,163 intrusion investigations, discovered 588 malware families, identified 913 new threat groups, and found 265 new threat groups via investigations. We also witnessed a rise in cyber espionage from nation-state-backed actors.
I reported on the state of zero days — vulnerabilities that were exploited in the wild before a patch was made publicly available. Mandiant identified 55 zero-day vulnerabilities exploited in 2022. While this is lower than the record-breaking 81 zero days exploited in 2021, it still represents a 200 percent increase compared to 2020. Chinese state-sponsored cyber espionage groups exploited more zero days than other cyber espionage actors in 2022.
On a positive note, we saw a decrease in the global median dwell time, which is calculated as the median number of days an attacker is present in a target’s environment before being detected. This number continues to drop year-over-year, down to 16 days in 2022. This is the shortest median global dwell time since we began reporting on this measure of cybersecurity effectiveness, a marked improvement over median dwell time of 21 days in 2021 and 24 days in 2020.
We also observed that organizations were notified of breaches by external entities in 63 percent of incidents, up from 47 percent the previous year.
This tells us that, while we continue to face significant challenges, our industry is getting better at cybersecurity and organizations globally have made progress in strengthening their defenses. But we cannot let our guard down. We have seen that attackers do not rest — and that they are increasingly sophisticated and well-funded.
Even the most experienced CISOs benefit from outside perspective and assistance with high-priority projects and breach management to ensure mission success, and the cybersecurity community needs to provide board directors and business leaders with the support they need.
We are also finding that attackers have caused bigger impacts with fewer technical skills, resulting in extortion, data theft, stolen intellectual property, and significant reputational damage. This speaks to another trend: the increasing involvement of board directors and senior executives who are traditionally called on to address these organizational risks. Board directors and business leaders are increasingly interested in becoming better educated on the cyber risks they face, better informed on the latest attacker trends to drive security investments, and ultimately better prepared for cyber threats.
This creates another challenge: While CISOs are well-versed in cybersecurity, other senior leaders often lack the understanding needed to address the challenges their organizations face today. Communications with executives are often ineffective due to a disconnect between the material presented regarding unique threats and risks to the organization, along with meaningful metrics, key performance indicators, and expected outcomes.
Even the most experienced CISOs benefit from outside perspective and assistance with high-priority projects and breach management to ensure mission success, and the cybersecurity community needs to provide board directors and business leaders with the support they need. We must help them gain knowledge of vital cybersecurity concepts so they can bolster CISO capabilities and enable them to become more involved in assessments of breach response proficiency.
Here are some fundamental questions and conversations that boards and leadership should address with their CISOs:
Are we prepared to detect and respond to the most common malware, exploits, and initial infection vectors such as phishing?
What is our protocol when we are notified by a third-party that we are potentially compromised?
Have we taken steps to harden our systems against destructive and disruptive attacks?
How prepared are we to deal with the financial threats most relevant to our organization?
How are we minimizing the risk of social engineering and other similar threats from reaching our employees?
What programs do we have to protect our employees, especially executives and highly visible employees, from these types of attacks?
How would we react if proprietary information or a client’s personally identifiable information was stolen and used as extortion against us?
Do we have full visibility into exactly how our organization is using the cloud, and are we testing our cloud architecture deployments?
What are we doing to track and patch vulnerabilities in our networks?
How are we using current threat intelligence to inform decisions?
Organizations must remain vigilant and relentless in their efforts to enhance their cybersecurity posture with modern cyber defense capabilities in order to combat today’s evolving and sophisticated adversaries.
I shared one more encouraging reality: Organizations know more about the topology, the infrastructure, and the vulnerabilities of their own networks. These are advantages they should use to prevent, detect, and recover from attacks.
With this knowledge — and the frontline insights, expertise, and innovation we can bring to the battle — organizations can improve their cyber readiness.