A False Sense of Cybersecurity
How feeling safe can sabotage your business
Overconfidence might be a threat to your business.
We recently surveyed 500 senior cybersecurity professionals – and found that while most have suffered a breach, almost all felt that there were no gaps in their cybersecurity coverage.
ADARMA | A FALSE SENSE OF CYBERSECURITY
Executive summary
Despite high levels of confidence many organisations have experienced cyber breaches, highlighting the need for a more comprehensive approach to cybersecurity. The complexity and fragmentation of the cybersecurity market, the rapid adoption of multiple tools and a shortage of skilled staff further contribute to the challenge. To address these issues, several key recommendations are provided:

1. Consider the entire lifecycle of security technology
It is essential to monitor the technology itself and evaluate its effectiveness regularly. Organisations must ensure they have the capability and resources to manage their security tools effectively to avoid creating a costly and unrealistic security blanket. Different tools may require specific expertise, so it is essential to have professionals skilled in managing various technologies.

2. Be selective in data ingestion
Organisations should focus on identifying the specific data sources that cover their unique use cases instead of indiscriminately ingesting vast amounts of data. By ingesting logs that alert to malicious behaviour particular to the organisation, teams can save costs and avoid alert fatigue. Threat modelling is an effective way to facilitate this. Also, ensure you have processes that involve regularly reviewing data ingestion and evaluating the effectiveness.

3. Avoid creating analytic islands
In the face of digital fragmentation, organisations should strive to connect their data to gain a holistic view of their entire infrastructure. This requires expertise in understanding data sources and their value and building integrations and automation to ensure comprehensive visibility.

4. Review tool configurations
Tool configurations should be regularly reviewed to ensure their effectiveness and suitability for providing the required coverage. Engaging an independent third party to assess and provide an unbiased evaluation is recommended.

5. Use Artificial Intelligence (AI) cautiously
While AI has the potential to reduce false positives and aid in decision-making, its use should be approached with caution. The technology is still evolving, and organisations should closely monitor its use and decision-making to build trust and confidence.

6. Consolidate the security stack
Consolidation can improve efficiency, visibility and reduce complexity in the security stack. However, organisations must carefully evaluate what to consolidate and the value it brings. Engaging an independent security architect can ensure the motivations of various parties are considered, preventing adverse impacts on cyber resilience.

7. Trust in people, not just technology
Confidence in cybersecurity professionals is crucial, as they play a significant role alongside the tools they leverage. Understanding your business context and the threats most likely to impact you will help inform your security controls strategy. Recognising gaps in control coverage allows organisations to take steps to address them. Overconfidence can leave organisations vulnerable to unexpected attacks.

8. Engage with stakeholders outside of technology
Data owners are invaluable in assessing the impact of an event, as are representatives from Legal and Compliance. In addition, communications specialists can help proactively develop internal and external communications plans.

9. Use KPIs to ensure that you are delivering the outcomes you expect
Test regularly so that processes are embedded into all participants’ DNA. This will facilitate a rapid response from all stakeholders, reducing the impact on cybersecurity professionals by allowing them to focus on incident remediation.

10. Support cybersecurity professionals
Security professionals often face high-pressure situations and feel a personal commitment to defending their organisations. Investing in workplace well-being initiatives and considering third-party Managed Security Services Providers (MSSPs) can help alleviate some pressures and support the team’s mental health.

By implementing these recommendations, organisations can address the challenges of over-confidence, avoid complacency, and enhance their cybersecurity posture, effectively protecting their business from emerging threats.
Contents
Executive summary 02
Contents 04
Introduction 06
1 Complexity and risk 08
  Does increasing the number of cyber security tools lower your risk of cyberattack? 10
  Is the fragmented security technology landscape increasing risk to security teams? 14
  Is cybersecurity shifting to a data problem? 17
2 The drive to consolidate 18
  The drive to consolidate 20
  Consolidation challenges 23
3 Are security teams too confident? 24
  Confidence vs. reality 26
  Battle-ready or just battle-tested? 28
  High confidence correlates with your odds of having suffered an attack 30
  Adarma's approach to assessing coverage starts from the top down, examining six key steps 32
4 Harnessing the full potential of artificial intelligence 36
  How can the integration of AI and automation enhance security operations? 38
  Automation: A challenge of resources and priorities 40
5 The state of our security teams 44
  Pressure, productivity and performance 46
  Capability and expertise 47
  Improving capability and performance 49
  Cultural impact on response to a major ransomware attack: a case study of a global industrial business 50
6 Recommendations & conclusion 54
  Conclusion 55
  Recommendations 56
Research methodology 58
Appendix 59
Introduction
Over the years, the cybersecurity market has grown and developed, but it has also become more complicated and crowded.

The UK Government's Cyber Security Sectoral Analysis 2023 reported that 1979 companies are operating in the UK market, offering cybersecurity products and services. With so many acronyms like SIEM, SOAR, EDR, NDR, MDR, XDR, IDS, IDP, VM, SOC, it is no wonder that the market is difficult to navigate. Vendors often over-promise, claiming to be able to eliminate all threats and breaches. Our research shows that 61% of those surveyed believe that the technology landscape's fragmentation poses a challenge to improving their security capability and performance.

It is no surprise that as organisations expand their IT capabilities, adopt numerous SaaS services, move to the cloud, and employ remote workers, their security teams have accumulated a vast array of security tools and technologies. Many of these point solutions promised to be the silver bullet to end all security woes. But instead, they have left many organisations with a patchwork of solutions, overlapping in capability or presenting gaps.

Furthermore, they are struggling to hire and keep the necessary talent to manage and optimise this complex technology stack.

Meanwhile, cybersecurity has been working its way up the Board’s agenda, now listed as a top 3 risk by most. Cybersecurity has also moved from what was formerly seen as a compliance function or the implementation of technical controls to one that allows the organisation to exploit the opportunities that technology presents, driving the company’s agenda and delivering business outcomes and real value across the organisation.

Adarma is an independent leader in detection and response services. We specialise in designing, building and managing cybersecurity operations and run a UK-based Security Operations Centre staffed by over 150 security analysts, engineers and delivery managers. We deliver hybrid SOC services and security advisory to enterprise customers across financial services, insurance, retail, aviation, manufacturing, technology and defence.

As we work closely with in-house security teams through our Hybrid SOC engagements, we aim to gain a better understanding of the challenges faced in the Security Operations field. This includes dealing with outdated legacy technology, adapting to new advancements like AI, and coping with the ongoing skills shortage that affects the cybersecurity industry.

This report aims to uncover security teams' challenges and discuss strategies for overcoming them.
CHAPTER 1
COMPLEXITY & RISK
Does increasing the number of cyber security tools lower your risk of cyberattack?
It might be a natural assumption that an organisation would become more secure with more security tools. We asked our research respondents to select the security

There are other factors at play here; we assume organisations with more tools are larger and are likely to be in more highly targeted sectors for example.

[Figure: number of security tools in place (1 to 16) against percentage of respondents, split by breach outcome; chart data not recoverable from the extraction]
Scott McElney, the CISO of the Weir Group, has pointed out that adding more tools may increase risk due to the complexities
to identify any duplications or gaps in coverage.

it. The attack surface is really hard to understand; if you start adding in loads of tools and vendors, and the supply chain
the technology often requires human interaction, and people need to look at those alerts and follow them through,
Is the fragmented security technology landscape increasing risk to security teams?
providing cybersecurity products and services.

John Maynard, chief executive officer at Adarma, believes that the overabundance of confusing acronyms and marketing claims adds to this confusion and potentially leads companies to misunderstand or overestimate their security technology's effectiveness.

“Our IT environments have become hugely complex and expansive over recent years. As organisations have moved to the cloud, many have enabled a largely remote workforce, so the attack surface has grown,” he explains.

UK insurer explains, “The differences between solutions are probably 2 to 3%, the rest is the same, firms put all their effort into the 2 to 3% - that’s where you get the silver bullet marketing. The reality is that if you don’t configure it correctly, you’re getting the same tool. SIEM technology is a great example.”

This increasing requirement for specialised expertise adds pressure to security teams to attract and retain qualified personnel, who are becoming harder to find due to the growing cybersecurity skills shortage.

“More tools could add more risk if you don’t have the expertise to fine-tune and harmonise them across your digital ecosystem.”
Scott McElney, CISO, the Weir Group
Is cybersecurity shifting to a data problem?
Individual security tools usually do a very good job of detecting and analysing the part of the network that they monitor. For example, Endpoint Detection & Response solutions are thorough in their analysis of activity on the endpoint. They do not, however, have visibility of other parts

The issue this can create is one dubbed “analytic islands”, silos of data that, while valuable, do not contain the context of what else might be happening across the network. “Most organisations suffer this digital fragmentation, so we really need
integration and automation of an MSSP can offer huge value,” Dan Baker, chief delivery officer at Adarma explains.

from analysing data is inversely proportional to the cost of doing so. Therefore, we must be very selective about the data types we cover. He argues that CISOs mandating you ingest everything and try and figure out what is going on afterwards are taking the wrong approach.

want to cover and analyse the relevant logs that will alert you to malicious behaviour specific to how you are structured and the value you have to an attacker.

Your coverage could be false if the use cases are not correctly configured, so
potential vulnerabilities and attaining a false sense of security. Failure to do so could result in significant gaps in your protection.

[Pull quote, partially recovered: “The volume of data and … is growing exponentially. … value in that …”]
CHAPTER 2
THE DRIVE TO CONSOLIDATE
[Figure: consolidation intentions plotted against an x-axis of 1 to 18; legend: "No, we don't see a need to consolidate tools", "No, no plan yet, but we see a need to consolidate", "Yes, plan to but haven't consolidated it yet", "Yes, we are consolidating it"; chart data not recoverable from the extraction]
Consolidation challenges
to a single vendor, and losing functionality. A skilled security architect should lead this

current products. A cyber operations director at a leading UK

Figure 3: What are the biggest challenges in consolidating your security technology stack (Tick up to three)? [chart data not recoverable from the extraction; y-axis 0% to 30%]
CHAPTER 3
ARE SECURITY TEAMS TOO CONFIDENT?

Having implemented an often-complex security technology stack, we wanted to understand how confident security teams are in the performance of this technology and if they can leverage the technology proactively to defend their organisation.

When asked, “Based on the tools you have in place, how confident, if at all, are you that you do NOT have gaps in your control's coverage?” we found:
• 53% of respondents were “very confident”
• 42% of respondents were “somewhat confident”
• 5% of respondents were “not confident”

As figure 4 displays, this confidence generally increases the more security tooling an organisation has in place.

[Pull quote, partially recovered: “95% of respondents are confident that they do … coverage.”]
[Figure (presumably the figure 4 referenced above): confidence by number of security tools in place, axis 1 to 14; chart data not recoverable from the extraction]
High confidence correlates with your odds of having suffered an attack
At first glance, the results suggest that our cybersecurity teams are doing well. They feel assured about their coverage and ability to detect and respond to a cyberattack. However, we wanted to ensure objective data supported this perception. To do so, we compared their confidence and perceived capability with whether the organisation had experienced a security breach in the last two years.

Figures 7, 8 and 9 demonstrate that organisations that have suffered a breach are more confident. This can be interpreted in a couple of different ways; one is to say that having survived a breach, the security team is now more confident, perhaps due to learnings and improvements made post-breach.

Another is to infer that this confidence is misguided and that those that are the most confident are also the most complacent, perhaps failing to review their controls and therefore leaving themselves vulnerable to attack.

However, we also hypothesise that this could result from differing interpretations of the term ‘coverage’. Coverage to some may be at the security engineering level; do we have the right tools and configurations in place to protect against perceived threats?

A comprehensive approach would assess coverage from a holistic perspective, including the business context and strategy, down to attacker tactics and corresponding controls required.

[Figure (presumably Figure 7): axis residue only (20% to 80%); chart data not recoverable from the extraction]

Figure 8: Ability to proactively implement controls vs. if the organisation has been breached in the past two years: Yes/No/I don't know
[Categories: "Yes, always - we have the capacity and capability to implement controls", "Yes, sometimes - if we have someone that knows how to do it", "No, we don't have the ability to do it"; series: Yes / No / I don't know; y-axis 0% to 80%; chart data not recoverable from the extraction]

Figure 9: Capability in detection and response vs. if the organisation has been breached in the past two years: Yes/No/I don't know
[Categories: 1 - No capability, 2 - Low capability, 3 - Some capability, 4 - Good capability, 5 - Expert capability; y-axis 0% to 80%; chart data not recoverable from the extraction]
Adarma's approach to assessing coverage starts from the top down, examining six key steps

01. What is the business context?
First, we need to understand the background: what strategic objectives does the organisation have? This is especially relevant if they’re expanding geographically or entering a new market segment.

02. Protecting the vitals
We also need to understand what is critical to running their business. An airline, for example, must be able to fly planes, and an online retailer must be able to transact online; this helps to understand the truly critical systems of a business.

03. The threat landscape
We need to understand the threat context for this business. Who is likely to threaten them and why? What assets or systems are they likely to target?

04. The attackers' MO
What Tactics, Techniques and Procedures (TTPs) do these attackers use and consequently, what data sources does the SOC need to ingest to detect said TTPs?

05. Warning systems
What detection content must be in place to alert against malicious behaviour?

06. Response systems
And do we have appropriate response actions in place to contain an attack should it successfully access its target?

“What we see consistently is an inverse relationship between confidence and the likelihood of having been breached.”
What we see consistently is an inverse relationship between confidence or perception of capability and the likelihood of having been breached, and we are not alone. The CEO Report on Cyber Resilience by the University of Oxford Saïd Business School found “an inverse relationship
the less prepared it could be in reality. The reason? A misguided perception of high preparedness can lead to overconfidence and complacency, ultimately jeopardising the organisation’s resilience.”

We would agree; organisations do not audit their own finances, nor should security teams mark their own homework. An independent party needs to challenge and test your security posture to enable the ongoing development of resilience.

The cyber operations director at a prominent UK Insurer acknowledges that there are gaps in their system, and they lack confidence in their abilities. However, the team works diligently every day to identify and address these challenges.

have the necessary tools to do their job well. Focus on more than just one aspect of your work, be confident in all areas.

[Pull quote: “Organisations do not audit their own finances, nor should security teams mark their own homework.”]

[Pull quote, partially recovered: “… have the necessary tools to do their job well.”]
Scott McElney, CISO, the Weir Group
CHAPTER 4
HARNESSING THE FULL POTENTIAL OF ARTIFICIAL INTELLIGENCE
AI isn't as prone to overconfidence as its human colleagues. Can it help to improve your threat defences?
advancement in this area.

The cyber operations director of a major UK insurer believes that AI has two significant applications in cybersecurity. “One is the reduction of false positives. AI can help you understand from your specific environment and user behaviour what is and is not an alert of interest." He argues that "95% of alerts are false positives, but they still require a human to look at them; arguably, AI could reduce that significantly."

C-suite leaders trust AI enough to permit it to ease the workload of security teams.

It is a fact that the cybersecurity industry is still in the early stages of utilising AI, and there is much room for growth and development. According to McElney, there is a lack of expertise in this area since the technology is relatively new. Security professionals need to be aware of the source of information and understand if it comes from AI capabilities that have been trained on particular data sets. Furthermore, there are challenges in providing training on these techniques since the technology is still in its infancy.

[Pull quote, partially recovered: “… human to look at them; arguably, AI could reduce that massively.”]
Cyber operations director, large UK insurer
[Figure: bar chart residue, x-axis 0% to 50%; one category label recovered: "Save me time"; chart data not recoverable from the extraction]
While most respondents claim their automation efforts have been somewhat successful, they acknowledge that getting there was challenging and time-consuming. Our research shows that while we believe the benefits of automation to be wide-ranging, implementation is not without its challenges. Despite these difficulties, most of our respondents (73%) said they believed their efforts to be worth it in the end.

Figure 13: How would you best describe your automation efforts?
Thinking about the automation that has been implemented, how would you best describe the experience?
[One response label recovered: "Challenging and time consuming but we succeeded in the end"; x-axis 0% to 50%; chart data not recoverable from the extraction]

[Figure: success rating of automation efforts on a scale of 1 to 5: 1 - Unsuccessful, 2 - Somewhat Unsuccessful, 3 - Somewhat Successful, 4 - Successful, 5 - Highly Successful; y-axis 0% to 40%; chart data not recoverable from the extraction]
CHAPTER 5
THE STATE OF OUR SECURITY TEAMS
Despite claims of feeling secure from attack, many security professionals are feeling anything but relaxed in their current roles.
[Figure: statements about team pressure, x-axis 0% to 40%; labels recovered: "Members of the team are feeling burnt out and ready to quit.", "Staff turnover is high,", "I believe a security incident is imminent."; chart data not recoverable from the extraction]

Figure 15: Capability & expertise of security teams
Thinking about the capability and expertise of the staff in your team, how would you rate (on a scale of 1-5) the maturity of the below categories?
[One category recovered: Threat Intelligence - Understanding the threats you face; x-axis 0% to 100%; chart data not recoverable from the extraction]
Improving capability and performance
With this in mind, we asked what prevents organisations from improving their capability. Respondents seemed unable to agree on the root cause of the problem. As shown in figure 16, responses were spread across the board with no clear winner. Perhaps it’s the case that SOC teams have too many competing priorities and different tasks to be able to nominate just one factor.

These results indicate that there is no single underlying cause of Security Operations challenges, more likely it is a combination of all these factors that hold our teams back.

[Pull quote, partially recovered: “It’s almost like we’re victims … passion.”]
Director of cyber operations, large UK insurer

Figure 16: What is holding you back from improving capability and performance
How would you rate (on a scale of 1-5) the importance of the below categories?
Communication: We struggle to articulate the value of security investment to the board or c-suite
Investment Priorities: Competing investment priorities across the business
Fragmentation: Fragmentation of the technology landscape - too many point solutions
Recruitment: Unable to recruit and retain people with the right skill sets
Budget: Lack of security budget
Scale: 1. This prevents us from improving; 5. This is not an issue that affects our ability to improve
[chart data not recoverable from the extraction]
With over half (51%) of organisations stating their staff are challenged, stressed, frustrated or exhausted, we believe

risk-based alerting to risk-based response. This automated, risk-based approach enhanced the bank’s cyber risk management
CHAPTER 6
CONCLUSION

Conclusion
This report provides valuable

While AI offers potential benefits,
Recommendations
1. Do not assess security technology in isolation; think about the entire lifecycle of that technology and the people and processes required to configure, optimise and integrate it on an ongoing basis. Organisations must have the capability and resources to feed and water their security tools; otherwise, they can prove to be a costly and unrealistic security blanket. Remember that different tools will likely require various experts to manage them, and it is uncommon to find security professionals skilled across multiple technologies.

2. Be wary of creating analytic islands. With digital fragmentation at an all-time high, it is essential that an organisation can knit their data together to create a holistic view of what is happening across their estate. This requires expertise in understanding data sources and their value and building integrations and automation.

3. Be selective in the data you ingest into your security operations centre. First, understand where you are exposed and examine the data sources required to cover those use cases. By ingesting the logs that will alert you to malicious behaviour specific to your organisation, you will save money and your team from alert fatigue.

4. Review your tool configurations regularly; if left unattended for too long, they will likely stop firing or be unsuitable to give you the required coverage. We recommend that an independent third party undertake this exercise to provide an objective assessment.

5. Consolidating your security stack can help improve efficiencies and visibility, reduce complexity and potentially lower the technical expertise required on your team. However, please proceed cautiously; it is essential to understand what to consolidate and its value. We recommend you start by developing desired business outcomes and then have an independent security architect lead this project to ensure the motivations of various interested parties are considered and that your cyber resilience is not negatively impacted due to a desire to cut costs.

6. Do not rely solely on technology to secure your organisation. It is essential to have confidence in your people as much as the tools they leverage. Knowing you have gaps in your control’s coverage is not bad as you are more likely to be taking steps to close those gaps. Being overconfident in your coverage could leave you vulnerable to an attack you were not expecting.

7. AI has the potential to help reduce false positives and to make isolation and containment decisions. However, we should tread with caution. This technology, as are our skills at utilising it safely, is still new and in its infancy. We recommend monitoring AI and its decisions until we build confidence and trust in the technology. Identify test areas where it may bring the greatest benefit and carefully monitor to ensure desired outcomes are delivered. Engage staff so that they realise the risks and understand you are not saying no to innovation, simply asking to understand the risks.

8. Security professionals are passionate about what they do, which makes this a great industry to be part of; however, it also means our people are under a lot of pressure and feel a personal commitment to defending the organisation, day and night. We must invest in ways to support teams and look after their welfare and mental health, whether through workplace well-being initiatives or a hybrid approach to managing your SOC using a third-party MSSP. By having an MSSP undertake initial triage and develop automation, your staff will be empowered to engage in value-add activities that motivate them and improve your security posture.

9. Get in touch. We can help you consolidate your toolset and protect your business in a complex environment. To find out more, visit www.adarma.com or get in touch at hello@adarma.com.
Research methodology
The individual must be employed in an organisation with:
• 2000+ employees
• UK Headquartered or with 2000+ UK-based employees
• 2 or more security team members

And must have a job title of:
• Information Security Manager, Director or Head of
• Security Operation (Centre) Manager, Director or Head of

The survey asked 22 questions covering three topics:
1. Tool sprawl
2. AI and automation
3. People and the cybersecurity skills shortage

Options to multi-choice questions were randomised. Adarma also interviewed Chief Information Security Officers and Security Operations Directors from their customer base.

Appendix
Security tool categories listed:
IoT / OT protection
Next Gen Firewall
SIEM
Access Management
Cloud Access Security Broker
Web Application Firewall
Data Loss Prevention
Security Service Edge
Cloud Security Posture Management
EDR, Endpoint Protection
Identity Protection
Threat Intelligence Platform (TIP)
Secure Email Gateway
IDS/IPS
About Adarma
We are Adarma, independent leaders in detection and response services. We specialise in designing,

Our team of passionate cyber defenders work hand in hand with you to mitigate risk and maximise the value of your
hello@adarma.com
www.adarma.com