Businesses are investing more and more of their cybersecurity budgets to try to secure firmware, but these investments are barely moving the needle, new research has suggested.
Firmware, unique computer software providing low-level control for specific hardware components, has become a popular target among cybercriminals.
Now a report from Microsoft claims more than 80% of enterprises experienced at least one firmware attack in the past two years while allocating less than a third (29%) of their budgets to protecting the firmware.
Instead, they’re focusing their investments on security updates, vulnerability scanning, and advanced threat protection solutions. What’s more, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) says the number of attacks against firmware rose five times in the last four years. Criminals are getting better and more destructive every day.
Automation to the rescue
At the same time, many respondents said they were worried about malware accessing their systems and fear it may be difficult to detect it in time. Microsoft reads this as respondents suggesting that firmware is more difficult to monitor and control. Furthermore, the lack of automation is only making firmware vulnerabilities that much more dangerous.
Automation may lend a helping hand, as most respondents (82%) said they didn’t have the resources to tackle more high-impact security issues because they’re overwhelmed with low-yield manual work like software patching or hardware upgrades. A fifth (21%) of security decision makers (SDMs) said they aren’t monitoring their firmware data. What’s more, 71% said they spend “too much” time on work that could be automated.
Firmware owes its popularity among cybercriminals partly to being a (relatively) easy target. Many devices available today don’t offer visibility into the firmware, making it hard for IT security professionals to keep tabs on them and make sure they aren’t compromised. It is also popular because it holds sensitive information, such as credentials or encryption keys.
To make matters worse, many security teams are tackling the issue by bringing a knife to a gunfight. Instead of focusing on “strategic work”, as Microsoft puts it, many are focusing on “outdated protect and detect” models of security, with a lack of proactive defense investment in kernel attack vectors.
Just below half (46%) of the respondents said they invested in hardware-based security features such as Kernel Data Protection (KDP) or memory encryption (36%), which are good at blocking malware that corrupts the OS kernel memory.