The first is a major automotive manufacturer. They depend on a massive, global, just-in-time supply chain. It’s a well-organized, carefully managed operation, so when everything from the Covid-19 pandemic to the war in Ukraine made supplies harder to get, they knew how to respond. But then something unprecedented happened: a cyberattack shut down a major supplier. And without those supplies, and with no way to replace them, the auto manufacturer shut down too. They were not the target of the cyberattack. Nonetheless, they were a victim, losing $4-5 million for every day of shuttered production.
The second anecdote occurred at a large financial institution, the kind with hundreds of cybersecurity pros on staff. After the Log4j fiasco—when a major vulnerability was discovered inside systems across the world—the security team was gung-ho to roll out a patch. What they didn’t realize was that the patch could break the machines where it was deployed. Someone pointed this out in time. However, if the patch had rolled out as planned, it would have cost the company seven or eight figures in lost revenue and compliance violations.
These are not isolated scenarios; supply chain attacks and zero-day vulnerabilities (like in the first and second anecdotes respectively) accounted for 21% of security incidents among enterprises in 2021. Offensive attackers are evolving faster than we can defend. That needs to change – and fast.
The Looming Cliff in Cybersecurity
If the anecdotes outlined above sound bad, prepare for things to get worse. The changing nature of cyber risk is a consequence of multiple forces all converging on cybersecurity right now.
There’s the sudden explosion of remote work, which made IT environments vastly bigger, riskier, and harder to defend. Then, there’s the ongoing (and worsening) talent shortage, which continues to leave critical roles either vacant or staffed by someone under-qualified. Add regulations like GDPR, new threats like ransomware, and new critical vulnerabilities appearing constantly. With all this happening at once, it’s clear why cyber risk is rising and why, despite often heroic efforts, cyber defenders feel like they are not gaining much ground.
Managed security providers are trying to be the solution, but often don’t go quite far enough. That’s the problem: many service providers just check the boxes on cybersecurity or pass the problem over to the customer. What they rarely do is move the needle on this issue, making clients meaningfully more secure than they were before. The status quo is serving, not solving. That sets the bar for service providers very low, yet this model rarely gets questioned.
And so we find ourselves in the present, where cybersecurity is a struggle for essentially everyone. The situation is bad now (ask the two companies mentioned above). And unless we do something to address the looming cliff in cybersecurity, it will only get worse.
Risk Hunting – The Future of Cybersecurity
Another evolution of cyber risk is that it is now on the radar of the Board of Directors. They see how cyber resilience and business outcomes overlap to an ever-greater degree. This puts more pressure on the security team to deliver results, but it opens the door to more funding and higher-level support for cybersecurity. There’s never been more need for change in cybersecurity, but there’s never been more support for it, either.
What will that change entail? Risk hunting. It’s the future of cybersecurity. Leaping into action when attacks appear, and hoping the defenses can catch the threat and diagnose the cure in time, isn’t adequate anymore. We have seen the results of this approach. Security requires getting in front of threats. Defenders must be proactive and preventative, and that’s exactly what risk hunting accomplishes.
The specifics of risk hunting deserve their own post. What’s important is the philosophy: risk hunting strives to find and then fix any weakness a threat could exploit before the hackers can infiltrate. Lacking a path forward, potential breaches fail instead of requiring detection, response, and remediation. To put it differently, it’s not about stopping threats but becoming immune to them.
Reveald is pioneering the practice of risk hunting, disrupting the security space, and shaking up the status quo all at once. Our mantra is that the best defense is better offense. We empower security teams to see where exposures exist, rank which are the highest risk, and remediate them systematically. Reveald sets a new standard for security service providers. More importantly, we do things differently when that has never been more important. What are you seeing out there? Let us know. Find out more about risk hunting in our white paper: Cybersecurity Risk Hunting.