Lack of cyber resilience is more than a software quality issue

Jen Easterly, Director of CISA (Cybersecurity and Infrastructure Security Agency), was recently quoted as saying, “Today we often blame a company that has a security vulnerability because it didn’t patch a known vulnerability. But what about the manufacturer that produced the technology that requires too many patches in the first place?”

Christy Wyatt, CEO and President at Absolute Software, takes a critical look at this question:

“Many have understood that cyber resilience is a problem that can only be solved by the manufacturers who are not up to the challenge. All of this could be changed if companies that have suffered a security breach shift the litigation to the vendors of the security tools they use to prevent such a breach.

This makes for great headlines, but it was probably not the intention and is not the reality. To truly address the cyber resilience issue, all members of the ecosystem must work together. The aim must be to close the resilience gap, because no single member can solve the problem alone. This requires shared accountability. Organizations must ensure compliance, vendors must manage complexity and resilience, and responsibility must be shared.

Don’t oversimplify causes of fragile security

Software needs to be repaired for many reasons. Changes in the software environment, new forms of risk introduced by adversaries or the user, but above all complexity are the reasons for this. Over the past decade, spending on cybersecurity has exploded. Tens of billions of dollars are spent annually to add new security features to protect end-user devices or endpoints and detect/prevent damage. As a result, an average of 11 to 12 security applications are installed on a laptop today. In any regulated area, more than two to three times as many security agents are observed, plus the many other non-security-related applications also running on these devices. And yet security breaches still happen. Why? The answer is: complexity.

Complexity makes continuity almost impossible

Millions of active devices today run more than 17 versions of Windows with over 300 patches/combinations and an endless array of configuration and connection variables. As a developer, it has been nearly impossible for both customers and vendors to create a test matrix for these infinite combinations and predict the unknowns that are added every day. Enterprise customers also lack the skills to manage, respond to, and recover from the mountains of alerts and events emanating from these systems. The reaction often comes with a delay of months.

Not to forget the SLAs of the companies themselves. Companies rightly want every known vulnerability or quality issue to be reported and fixed within days/weeks. Rapid response with patches and fixes is paramount to securing customer environments from new risks. The complexity is immense. Improving quality, mastering complexity, and new skills in analytics and AI can help over time, but what can be done today?

It’s about recovery and preventing security incidents

Absolute Software is constantly concerned with the health of applications and their impact on endpoint cyber resilience. Experience shows that not all ISVs (Independent Software Vendors) invest too little in quality. With technology built into the BIOS of millions of active devices, Absolute Software has a unique perspective. It’s clear that leading security applications in the most demanding security environments are run by some of the most accomplished security teams. However, these security applications are only 60 to 70 percent stable, meaning they are only installed, running and functioning on 60 to 70 percent of the devices that require them to be compliant. In other words, out of every dollar spent, $0.30 to $0.40 can be wasted if these controls don’t work to protect users.

It’s about getting a grip on the underlying complexity. Since it is well known that the end result will never be zero risk, a solution is required that delivers effective performance despite this complexity. We rely on a persistence technology that is already in the hardware to heal applications automatically. Absolute Resilience combines all the capabilities of Absolute Visibility and Absolute Control with critical resilience capabilities to protect endpoints from threats and vulnerabilities. This also includes reacting to security breaches and incidents and automatically monitoring and detecting “unhealthy” applications in order to independently recover, repair or even reinstall them. We have observed that this increases application resiliency from 60-70 percent compliance in some cases to 97-99 percent without additional help from the IT team.

Security has to work – and cyber resilience is a team sport

The aim must be to make security more robust with the technology that is already available. The cybersecurity industry needs to ask itself, “What is the core problem we are trying to solve?” Is it “Whose fault is it and who is being sued?” or is it more “How can we improve security together?” The latter is the real goal, and everyone can do more.”
