By Hadi Jaafarawi, Managing Director for Middle East, Qualys
That IDC predicts a 7.9% year-on-year surge in the Middle East and Africa’s cybersecurity investment in 2023, to reach US$6.2 billion, is interesting. The projection of US$7.7 billion for the region’s digital defense spend in 2026 and the interim CAGR figure of 7.8% are thought-provoking. But none of these figures are as eye-popping as the fact that MEA cybersecurity spending in 2023 will take the biggest share (more than two-fifths) of overall IT investment, even beating back services and hardware for the podium position.
There was a time when this would have been unthinkable, as security would have been an afterthought at board meetings. But in a world made hybrid by the economic twists and turns of pandemics, recessions, and supply-chain ravages, the IT suite has become more complex, and attackers have become bolder. The sophistication shown in the threat actor’s methods of recon, deployment, and execution are, one has to grudgingly admit, impressive.
This is the online climate in which regional businesses commit more and more budget to cybersecurity. But as all savvy business leaders know, throwing money at a problem is not enough. Ensuring the investment builds the right capabilities to yield a return takes guile. In cybersecurity, the often-overused word to describe our goal is a “holistic” solution. To be clear, it is easy to just trot out some words to define what we mean — “universal”, “comprehensive”, “all-encompassing”, and so on — but I believe the goal is better explained by defining what legacy practices we are replacing.
We are leaving behind information silos — a lot of point systems that do narrowly defined tasks very well, but which can be exploited by cybergangs to slip under the radar. This happens because attackers know what signals each tool goes after and so they are able to devise ways of registering as a low-level threat on each tool and therefore never being called to the attention of a security analyst.
In security investment, organizations must therefore think holistically about attack methods and inroads and design an “umbrella sentinel” system to detect behaviors and identify which ones may lead to harm in time to stop, or at least mitigate, their operation. At its heart, this methodology will employ risk-based assessment and allow for the unification of people, processes, and technology.
If we take patching as an example, our holistic approach must see the whole board and ask how the organization can overcome problems of understaffing for smaller businesses, and the vast number of devices and business units responsible for various assets in the case of larger enterprises. Qualys data shows that attackers take an average of just 19.5 days to exploit a new software vulnerability, but security teams take an average of 30.6 days to patch them.
Interestingly, however, we found that average patching times for malware and ransomware were shorter than weaponization times, meaning these attacks must exploit older issues that have not yet been patched. When trying to concentrate resources in a cost-effective way, these areas — older vulnerabilities that could be easily exploited to cause great harm — would seem to be excellent starting points. Where possible, patching should be automated. Our data shows that where patches were eligible for automatic deployment, they were applied 45% more often and 36% faster than those that had to be deployed manually.
Initial access brokers (IABs) are becoming a growth industry within the threat community. They use phishing of users or misconfigurations in public-facing assets to gather the tools of infiltration and sell them to others. IABs target paths less likely to be patched quickly, so investment strategies and resource allocation should account for this “long tail” of risk.
Also worth addressing is the misconfiguration of Web applications and cloud infrastructure. The OWASP Top Ten list can help with applications, as can close collaboration between security and developer teams to improve products before they are deployed. In our research, Qualys found 25 million flaws in 370,000 deployed Web applications, so prioritizing risk-mitigation at design time is a shrewd use of resources and budget.
On the infrastructure side, one of the most common causes of data leaks is sources mistakenly left accessible without passwords or encryption. Discovery of such misconfigurations should be automated so they can be flagged for immediate response. The Center for Internet Security provides benchmarks for security teams that operate under the three main hyperscale providers (Amazon Web Services, Microsoft Azure, and Google Cloud Platform).
The CIS measures make life much harder for threat actors, but in many cases, large majorities of organizations have not implemented the most important benchmarks, or indeed, any of them. We live in a cloud-first world. Any security team that does not address the cloud and other infrastructure holistically (there’s that word again), ignores risk and invites disaster. The CIS Hardening Benchmarks are extremely effective and directed towards plugging known gaps based on potential threats.
As in any warfare, local knowledge is a powerful advantage. Budget in hand, security teams must weaponize their own knowledge of the enterprise — its infrastructure, operations, people, and policies — to deploy security investment and resources where they will add the most value. Automation, best practices, and threat intelligence aside, it is important to remember that threat actors will never stop trying to come up with ways to breach, steal, and extort, so security teams should never stop trying to imagine how this might happen. Once one gap is plugged, another may appear. Any new device, application, or other network element represents a new potential for risk. Think about all assets, old and new, everywhere, every day. Or, to sum up… think holistically.
