"A fool with a tool is still a fool. Human complacency continues to leave businesses vulnerable."
That's the blunt assessment from NTT Security's SVP for EMEA, Kai Grunwitz.
And considering the vantage point that the Japan-headquartered cybersecurity services firm has over the market, that should be a sobering warning for any firm.
As a tier-one internet provider, NTT Group has visibility over 40 per cent of all global internet.
"We really benefit from that," Grunwitz said.
"We are a large part of the foundation of the internet. It gives us a view over a vast amount of data, which we analyse."
That analysis happens at ten global SOCs, one of which is in Sweden's second city, Gothenburg.
CPI was given access to all zones of the SOC (pictured), from which 3.5 trillion logs are analysed annually.
From this data, NTT has highlighted the most common verticals that cyber attackers target.
In EMEA, the financial sector accounted for 30 per cent of all attacks over the last twelve months.
Last year's most attacked sector, business and professional services, is now in the number two spot, being victim to 20 per cent of incursions.
Ransomware remains a potentially "business-ending" threat
The tech sector accounted for 17 per cent of attacks.
For tech firms, NTT Security said that the goal of many attacks is to gain access across networks to look for IP, source code or finance streams, and the popularity of IoT is a growing vulnerability, as more attack points join the network.
As far as types of attacks, despite the fact that ransomware levels dropped last year, NTT Security is clear that it remains one of the most common cyber threats, and crucially, one of the most likely to be "business-ending".
"People are still underestimating ransomware," Grunwitz said.
"And businesses do not have an integrated strategy in place if their systems are attacked and a ransom is demanded. Have they decided if they will pay?… If they demand payment in bitcoin, do they have a bitcoin account?… These are questions that need to be asked now… The worst time to make these plans is after a breach."
It's a message that MSP software provider Datto shares. Earlier this month it cautioned SMB firms in particular against believing they are immune to ransomware because of their smaller size.
Botnets and malware also remain among the most common malicious attacks.
SOC director Fredrik Westerdahl explained that his team's 30 analysts analyse 10,000 alerts every day.
"Out of that, there are around 10-50 validated incidents a day. Last year there was more botnet activity, so there were around 100-150 validated incidents a day… However it is still a threat."
Attackers are getting better funded and more sophisticated
"200 days is the average time of detection - that is way too long. You need to bring that down to minimise the cost of the breach."
The value of SOCs
It's unsurprising that NTT Security argues that the answer to this proliferation of cyber threats is for firms to invest in SOCs, specifically, its SOCs.
NTT Security's parent company is a global behemoth. NTT Group includes Dimension Data, NTT Comms, NTT Data Services and Itelligence (all of which will be integrated under one brand this July), which together boast revenues in excess of $106bn.
It claims that the "internet visibility" it has as a tier-one ISP gives it its edge over cyber attackers, and over its rivals.
"For me it's really important that it's not just about collecting data and pointing out what threats are on the up or down, it's about what we do with the data," Grunwitz said.
"We can move our clients from being more reactive to proactive because of the access to the data we have. We leverage other NTT components such as NTT Communication to provide insights into how businesses should be changing their strategy… It is impossible without the communication data… We own the data sets so we can offer machine learning capabilities…
"If you just rely on a vendor you only have a point solution, you don't have a full approach or have a bigger data set.
"In the Gothenburg SOC, in Jan 2019, 56 per cent of incidents - that's incidents that need a response by the business or us for them - were detected by our own tools, software and methods."
"This is a clear statement to the market of our enrichment value as a security service player… We don't replace vendors, we enrich them."
However, even NTT Security concedes that running a SOC is a challenging business.
Top of mind is the ever-present struggle to hire the right talent to analyse all those thousands of daily alerts.
SOC director Fredrik Westerdahl conceded that there is a "small, recycled pool of talent" and that NTT Security is having to go into schools to search for talent at younger ages than before.
NTT Security revealed that it pays its analysts a starting salary of €35,000 to €50,000, which can rise to €60,000 to €65,000 "after a couple of years' consultancy experience".
Even with that incentive, NTT Security said it was having to try "crazy methods".
"I believe in second chances", Grunwitz said.
"If there is a black hat who wants to change and use his skills to help people instead, I am open-minded to that."
"For us, an analytical skill set is more important than a certificate," Westerdahl added.
"One of our analysts did a test for us and did very well. And that's despite the fact he had recently graduated as a nurse."
Does being local matter?
When asked why NTT Security maintains a network of ten SOCs around the world, the firm's top brass said that having a "true global footprint" is "reassuring" to its customers.
That's despite the actual location of attackers making little real difference to businesses.
In NTT's Global Threat Intelligence Report 2019, the firm found that 75 per cent of attacks against EMEA businesses came from within the EMEA region.
That's despite common misconceptions of "state espionage" from sources within China and Russia.
Attacks from sources within China against targets in EMEA dropped nearly 40 per cent over the last year to 13 per cent, behind the United States at 16 per cent.
This does not necessarily mean that the actual attackers have changed, only that the identifiable source of the attacks has.
Attackers may prefer targets closer to themselves, but Kai Grunwitz maintained that what businesses should really be focused on is having a preventive strategy in place, now.
"Why do we have SOCs? Because prevention is not enough. We need to leverage data to predict, detect and then respond. Customers need to see if there are new exploits in advance…
"I am 100 per cent sure you cannot keep the bad guys out of your network. So we have to detect them before they do any harm.
"If you don't have this detection phase you will never have security."