Size of Industry
$192,700,000,000
What is it?
Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. It's also known as information technology security or electronic information security. The term applies in a variety of contexts, from business to mobile computing, and can be divided into a few common categories.
· Network security is the practice of securing a computer network from intruders, whether targeted attackers or opportunistic malware.
· Application security focuses on keeping software and devices free of threats. A compromised application could provide access to the data it's designed to protect. Successful security begins in the design stage, well before a program or device is deployed.
· Information security protects the integrity and privacy of data, both in storage and in transit.
· Operational security includes the processes and decisions for handling and protecting data assets. The permissions users have when accessing a network and the procedures that determine how and where data may be stored or shared all fall under this umbrella.
· Disaster recovery and business continuity define how an organization responds to a cyber-security incident or any other event that causes the loss of operations or data. Disaster recovery policies dictate how the organization restores its operations and information to return to the same operating capacity as before the event. Business continuity is the plan the organization falls back on while trying to operate without certain resources.
· End-user education addresses the most unpredictable cyber-security factor: people. Anyone can accidentally introduce a virus to an otherwise secure system by failing to follow good security practices. Teaching users to delete suspicious email attachments, not plug in unidentified USB drives, and various other important lessons is vital for the security of any organization.
HOW does it work?
An attack, particularly if carried out by a skilled adversary, may consist of repeated stages. Understanding the types of attack, and the stages involved, will help you to better defend yourself.
It's useful to group attacks into two types: targeted and un-targeted.
Un-targeted cyber attacks
In un-targeted attacks, attackers indiscriminately target as many devices, services or users as possible. They do not care about who the victim is as there will be a number of machines or services with vulnerabilities. To do this, they use techniques that take advantage of the openness of the Internet, which include:
phishing - sending emails to large numbers of people asking for sensitive information (such as bank details) or encouraging them to visit a fake website
water holing - setting up a fake website or compromising a legitimate one in order to exploit visiting users
ransomware - which could include disseminating disk encrypting extortion malware
scanning - attacking wide swathes of the Internet at random
Targeted cyber attacks
In a targeted attack, your organisation is singled out because the attacker has a specific interest in your business, or has been paid to target you. The groundwork for the attack could take months so that they can find the best route to deliver their exploit directly to your systems (or users). A targeted attack is often more damaging than an un-targeted one because it has been specifically tailored to attack your systems, processes or personnel, in the office and sometimes at home. Targeted attacks may include:
spear-phishing - sending emails to targeted individuals that could contain an attachment with malicious software, or a link that downloads malicious software
deploying a botnet - to deliver a DDOS (Distributed Denial of Service) attack
subverting the supply chain - to attack equipment or software being delivered to the organisation
Stages of an attack
Regardless of whether an attack is targeted or un-targeted, or the attacker is using commodity or bespoke tools, cyber attacks have a number of stages in common. An attack, particularly if it is carried out by a persistent adversary, may consist of repeated stages. The attacker is effectively probing your defences for weaknesses that, if exploitable, will take them closer to their ultimate goal. Understanding these stages will help you to better defend yourself.
We have adopted a simplified version of the Cyber Kill Chain (produced by Lockheed Martin) to describe the four main stages present in most cyber attacks:
Survey - investigating and analysing available information about the target in order to identify potential vulnerabilities
Delivery - getting to the point in a system where a vulnerability can be exploited
Breach - exploiting the vulnerability/vulnerabilities to gain some form of unauthorised access
Affect - carrying out activities within a system that achieve the attacker’s goal
The survey stage
Attackers will use any means available to find technical, procedural or physical vulnerabilities which they can attempt to exploit.
They will use open source information such as LinkedIn and Facebook, domain name management/search services, and social media. They will employ commodity toolkits and techniques, and standard network scanning tools to collect and assess any information about your organisation’s computers, security systems and personnel.
User error can also reveal information that can be used in attacks. Common errors include:
releasing information about the organisation’s network on a technical support forum
neglecting to remove hidden properties from documents such as author, software version and file save locations
Attackers will also use social engineering (often via social media) to exploit user naivety and goodwill to elicit further, less openly available information.
The delivery stage
During the delivery stage, the attacker will look to get into a position where they can exploit a vulnerability that they have identified, or they think could potentially exist. Examples include:
attempting to access an organisation’s online services
sending an email containing a link to a malicious website or an attachment which contains malicious code
giving an infected USB stick away at a trade fair
creating a false website in the hope that a user will visit
The crucial decision for the attacker is to select the best delivery path for the malicious software or commands that will enable them to breach your defences. In the case of a DDOS attack, it may be sufficient for them to make multiple connections to a computer in order to prevent others from accessing it.
The breach stage
The harm to your business will depend on the nature of the vulnerability and the exploitation method. A successful breach may allow the attacker to:
make changes that affect the system’s operation
gain access to online accounts
achieve full control of a user’s computer, tablet or smartphone
Having done this, the attacker could pretend to be the victim and use their legitimate access rights to gain access to other systems and information.
The affect stage
The attacker may seek to explore your systems, expand their access and establish a persistent presence (a process sometimes called ‘consolidation’). Taking over a user’s account usually guarantees a persistent presence. With administration access to just one system, they can try to install automated scanning tools to discover more about your networks and take control of more systems. When doing this they will take great care not to trigger the system’s monitoring processes and they may even disable them for a time.
Determined and undetected attackers continue until they have achieved their end goals, which can include:
retrieving information they would otherwise not be able to access, such as intellectual property or commercially sensitive information
making changes for their own benefit, such as creating payments into a bank account they control
disrupting normal business operation, such as overloading the organisation’s internet connection so they cannot communicate externally, or deleting the whole operating system from users’ computers
After achieving their objectives, the more capable attacker will exit, carefully removing any evidence of their presence. Or they could create an access route for future visits by them, or for others they have sold the access to. Equally, some attackers will want to seriously damage your system or make as much ‘noise’ as possible to advertise their success.
Use Case
With the top categories of security analytics use cases defined, we can dive deeper into the top use cases for businesses. You may find that only some of these use cases apply to your IT infrastructure or cybersecurity. However, knowing what security analytics can offer your business can help facilitate your research and your cybersecurity.
1. Cloud Security Monitoring
The cloud poses its own obstacles as well as its own rewards to enterprises looking to digitally transform. Indeed, the cloud offers more efficient communications and increased profitability for businesses of all sizes. However, the cloud offers particular cybersecurity challenges as the IT infrastructure scales and becomes more porous.
Security analytics offers cloud applications monitoring. This provides host-sensitive data and monitors cloud-hosted infrastructure. Also, many solutions offer support across several relevant cloud platforms.
2. User Behavior Analysis
Your users interact with your IT infrastructure all of the time, and their behaviors determine the success or failure of your cybersecurity. Therefore, your security analytics need to monitor your employees for unusual behaviors which can indicate an insider threat or a compromised account.
One of the most renowned security analytics use cases, user behavior analysis or UEBA follows behaviors across time. It can correlate potentially malicious activities by looking for suspicious patterns. Indeed, UEBA provides visibility into your IT environment, compiling user activities from multiple datasets into complete profiles.
3. Network Traffic Analysis
Traffic continually moves in and out of your network, often via communications such as email. Because of its high volume, it can prove difficult to maintain transactional visibility over all the network traffic. Security analytics use cases allow for the analysis of your enterprise network traffic; it can establish baselines and detect anomalies.
Additionally, this can work in tandem with cloud security monitoring to analyze traffic moving into and out of cloud infrastructure. It can also illuminate dark spaces hidden in infrastructures and analyze encrypted sensitive data, ensuring it stays in proper channels.
4. Data Exfiltration Detection
Data exfiltration refers to any unauthorized movement of data within your network or out of it. Unauthorized data movement can cause data leakage or data theft.
Thus, security analytics helps protect against new cases of data leakage which may elude traditional data loss prevention solutions. Indeed, these data exfiltration detection capabilities work alongside network traffic analysis. Through data exfiltration detection, security analytics can prevent data leakage beyond what is known through traditional threat intelligence. In fact, it can even discover data leakage in encrypted communications.
5. Insider Threat Detection
Insider threats can pose as much danger to your enterprise as external threat actors. An ignorant, neglectful, or actively malicious user can do as much damage as any fileless malware attack. In some rare cases, an insider threat can even destroy a network.
Via security analytics, your business can anticipate insider threats through behaviors such as abnormal login times, unauthorized database access requests, and unusual email usage. Additionally, it can look for the indicators of data theft behaviors and provide visibility into third-party actors.
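The behavioral baselining described under user behavior analysis (point 2) and insider threat detection (point 5) can be illustrated in miniature: the added example below (not code from the original article or any product it names) builds per-user login profiles from constructed authentication log lines and then flags logins at unusual hours or from source hosts the user has never been seen on. The log format, field names and tolerance window are assumptions for illustration.

```python
"""Toy UEBA-style check: per-user login baselines, then anomaly flagging."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): "timestamp user src_host result".
BASELINE_LOGS = """\
2024-03-04T08:55:10 alice ws-alice-01 success
2024-03-05T08:47:03 alice ws-alice-01 success
2024-03-06T09:02:19 alice ws-alice-01 success
2024-03-04T13:20:00 bob ws-bob-07 success
2024-03-05T14:05:33 bob ws-bob-07 success
2024-03-06T13:58:12 bob vpn-gw-02 success
2024-03-06T23:59:00 bob ws-bob-07 failure
""".splitlines()

NEW_LOGS = """\
2024-03-07T09:01:00 alice ws-alice-01 success
2024-03-08T03:14:27 alice vpn-gw-09 success
2024-03-08T14:10:05 bob ws-bob-07 success
""".splitlines()

def parse(line):
    ts, user, host, result = line.split()
    return datetime.fromisoformat(ts), user, host, result

def build_profiles(lines):
    """Profile each user by the login hours and source hosts seen in successful logins."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for line in lines:
        ts, user, host, result = parse(line)
        if result != "success":          # failed attempts do not define normal behavior
            continue
        profiles[user]["hours"].add(ts.hour)
        profiles[user]["hosts"].add(host)
    return profiles

def score_login(profile, ts, host, tolerance=1):
    """Return the reasons a login deviates from the user's profile (empty if none)."""
    def hour_gap(a, b):                  # circular distance so 23 and 0 are adjacent
        d = abs(a - b)
        return min(d, 24 - d)
    reasons = []
    if not any(hour_gap(ts.hour, h) <= tolerance for h in profile["hours"]):
        reasons.append("unusual_hour")
    if host not in profile["hosts"]:
        reasons.append("new_source_host")
    return reasons

def detect(profiles, lines):
    """Run new log lines against the profiles; return (user, timestamp, reasons) alerts."""
    alerts = []
    for line in lines:
        ts, user, host, _ = parse(line)
        reasons = score_login(profiles[user], ts, host) if user in profiles else ["unknown_user"]
        if reasons:
            alerts.append((user, ts.isoformat(), reasons))
    return alerts
```

Only alice's 03:14 login from an unseen VPN gateway is raised; a real deployment would learn baselines over weeks and correlate with other datasets, as the article notes.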
6. Incident Investigation
SIEM solutions provide your IT security team with alerts; these result from correlated security events discovered around your IT infrastructure. Under normal circumstances, your team would then investigate these alerts to determine whether they lead to legitimate incidents or false alarms.
However, the sheer number of security alerts from SIEM solutions can overwhelm your IT security team. Often, correlation errors can cause more false positives than legitimate leads, fostering burnout and frustration. To mitigate these issues, security analytics can automate incident investigations, providing contextualization to alerts. Thus your team has more time to investigate legitimate leads and deal with potential breaches.
7. Threat Hunting
Of course, security alerts offer a reactive cybersecurity answer to potential breaches. But always reacting to breaches leaves you perpetually on the back foot against hackers. Instead, your IT security team must proactively engage in threat hunting. They need to search for potential indicators of breaches and dwelling threats that may linger in your IT infrastructure.
Security analytics helps to automate threat hunting, providing an extra set of eyes for your threat hunting efforts. Crucially, threat hunting automation can help with detecting malware beaconing activity and watering hole attacks, a special form of the lateral movement attack.
Market
The global cyber security services market size is expected to reach USD 192.70 billion by 2028, registering a CAGR of 10.2% over the forecast period, according to a new report by Grand View Research, Inc. Continued cybersecurity breaches on the enterprise and individual levels, and the subsequent need to address the vulnerabilities in networks, apps, and systems, are the factors expected to drive the growth. The need for identifying advanced, persistent threats to networks, monitoring critical infrastructure 24/7, and penetration testing applications for meeting various regulatory compliance standards and acts, such as FISMA, MARS-E, PCI DSS, Sarbanes-Oxley (SOX), and HIPAA, is expected to contribute to the growth of the market.
Advancements in artificial intelligence, machine learning, and the internet of things are disrupting cyberspace and reshaping the global threat landscape, thereby driving the growth of the market over the forecast period
The healthcare segment is anticipated to exhibit the highest CAGR of 11.4% over the forecast period. The increased instances of cybercrimes in the recent past, and particularly during the outbreak of the COVID-19 pandemic, have prompted healthcare application developers to address the application vulnerabilities
Asia Pacific is expected to emerge as the fastest-growing regional market over the forecast period. The growing demand for penetration testing and bug bounty services in line with the mandatory compliances, which require periodic technological evaluation, is expected to drive the growth of the regional market
Some of the major players operating in the market include Accenture, AT&T, Atos SE, Cisco, IBM, and Rapid7
As cyberattacks are getting more and more sophisticated, cyber security services are also evolving accordingly. Some of the common cyber security services include penetration testing, bug bounty, and Managed Detection and Response (MDR), and the demand for these and other similar services is growing in line with the continued deployment of digital and cloud-based applications. These services help enterprises identify IT infrastructure vulnerabilities, fix the bugs, and gain access to the necessary remedies for tackling cyberattacks. Additionally, as a result of the outbreak of the COVID-19 pandemic, work-from-home and remote working mandates are impelling employees to connect with unsecured networks. Hackers are taking this opportunity to exploit the loopholes and particularly infiltrate corporate web applications. Hence, incumbents of several industries are in dire need to continuously monitor the evolving cyber threats and safeguard their enterprise systems.
Testing web applications and databases and identifying their weaknesses and vulnerabilities are expected to emerge as the major focus areas for the incumbents of various industries and industry verticals, including BFSI, healthcare, IT, manufacturing, and retail, over the forecast period. The healthcare industry vertical has been frequently targeted by hackers and cybercriminals. Cybercrimes targeting the healthcare industry are expected to intensify in line with the continued digitalization and the introduction of IoT-based medical devices. In May 2019, the American Medical Collection Agency, a billing services provider, revealed that it was subjected to cyberattacks for a duration of eight months from August 2018 to March 2019 and that approximately 25 million patients may have been affected due to these cyberattacks. Meanwhile, a report published by Radware, a provider of cybersecurity and application delivery solutions, revealed that a healthcare organization needs to spend approximately USD 1.4 million on average to recover from a cyberattack. Thus, the growing need to protect healthcare institutions from cyberattacks has created new opportunities for cyber security services providers.