惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Microsoft Azure Blog
Microsoft Azure Blog
Google Online Security Blog
Google Online Security Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Simon Willison's Weblog
Simon Willison's Weblog
T
Threat Research - Cisco Blogs
C
CXSECURITY Database RSS Feed - CXSecurity.com
L
Lohrmann on Cybersecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Forbes - Security
Forbes - Security
P
Palo Alto Networks Blog
Schneier on Security
Schneier on Security
S
Schneier on Security
T
Tor Project blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
The Hacker News
The Hacker News
Hacker News - Newest:
Hacker News - Newest: "LLM"
罗磊的独立博客
Application and Cybersecurity Blog
Application and Cybersecurity Blog
F
Fortinet All Blogs
博客园 - 三生石上(FineUI控件)
小众软件
小众软件
C
Check Point Blog
Stack Overflow Blog
Stack Overflow Blog
Blog — PlanetScale
Blog — PlanetScale
雷峰网
雷峰网
S
Security @ Cisco Blogs
PCI Perspectives
PCI Perspectives
Spread Privacy
Spread Privacy
W
WeLiveSecurity
SecWiki News
SecWiki News
A
About on SuperTechFans
H
Help Net Security
博客园 - 司徒正美
Recent Commits to openclaw:main
Recent Commits to openclaw:main
爱范儿
爱范儿
S
Securelist
M
MIT News - Artificial intelligence
云风的 BLOG
云风的 BLOG
月光博客
月光博客
Jina AI
Jina AI
博客园 - 叶小钗
Vercel News
Vercel News
阮一峰的网络日志
阮一峰的网络日志
Recent Announcements
Recent Announcements
S
Secure Thoughts
The Cloudflare Blog
美团技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More

Todyl Blog

CyberChef: How to Decode & Decrypt Malicious Scripts (Step-by-Step Guide) Achieving Zero Trust with SASE: A Practical Roadmap for Modern Network Securityso like MSP Security Maturity Assessment: Why 79% of MSPs Are Stuck in 2025 The Rising Threat of Malicious AI: What Every Organization Needs to Know Iran Cyber Threat 2026: What SMBs and MSPs Need to Know The OneStart AI Browser Deception Cyber Insurance Requirements Based on Industry Why Third-Party Security Certification Is Your MSP's Competitive Edge Why Cyber Insurance Carriers Are Shifting to Security Assurance Iran Conflict and Cyber Risk: What North American Organizations Need to Know ‍ Why Cyber Resilience Requires Security, Compliance, and Insurance MSP Security Services: How to Position Identity Protection as Competitive Advantage Identity Security Gap Assessment: A Step-by-Step Guide for MSPs How Credential Theft Attacks Are Costing MSP Clients Millions Do I Need Cyber Insurance as a Small Business? Advanced Persistent Threats (APTs) Explained Preparing for CMMC Level 1: What Your Organization Needs to Do The Real Cost of Doing Nothing in Cybersecurity MSP Security: Build vs Buy SOC The Rise of a Cybercrime Alliance: What LockBit, Qilin, and DragonForce Mean for Business Risk Cyber Threat Recovery Strategies for MSPs What MSPs Need to Know about CIRCIA Final Rule ClickFix: The Evolution of Copy-Paste Social Engineering Akira Ransomware: Threat Assessment of a Scalable RaaS Operation The Dos and Don’ts of Applying for a Cyber Insurance Policy What Is Threat Hunting? A Practical Guide for MSPs and SMBs The Business Case for Cyber Threat Management Evaluating Free and Open Source SIEM Tools in 2026 How organizations can combat BEC Using SASE to help meet cyber insurance requirements Introducing the Anomaly Framework Stopping Identity Threats with ITDR through MXDR Security Operations Over Tools Beyond Tools: A Strategic Approach to Data Security Cyber Threat Response Strategies for MSPs Threat Advisory: Email Account Compromise BECs In the Wild: When Millions of People Are Expecting the Same Email Michigan and Wisconsin Proposed Age Verification Bills and the Impact on VPNs and SASE: What You Need to Know Cyber Threat Detection Strategies for MSPs Cyber Threat Prevention Strategies for MSPs Simplifying CMMC Level 1 with Todyl GRC How to Complete Your CMMC Level 1 Self-Assessment: A Step-by-Step Walkthrough Cyber Threats Don't Take Time Off How MSPs Build Lasting Client Relationships Through Proactive Operations Risk Management for MSPs: Why Business Context Changes Everything One Action MSPs can take to Address Risk and Secure Clients Building Resilience in a Perimeter-less World with Defense-in-Depth Aligning Technology Implementation to Business Outcomes Top 5 Myths about Cybersecurity How Conditional Access Transforms Your Cybersecurity Program Why MSPs need to embrace a prescriptive model How Texas SB 2610 Positions MSPs as Strategic Risk Advisors Simplifying cybersecurity maturity with managed cloud SIEM Addressing firewall vulnerabilities Understanding the Pitfalls of RDP MSP Zero-Day Response Plan: When Security Tools Can't Help You Old is Gold: Tackling Persistent Vulnerabilities How MXDR drives operational efficiencies Using SASE for secure remote access How to find the best endpoint security solution The Cyber Insurance Crisis: Why MSPs and Their Clients Are Struggling What to ask of a prospective endpoint security vendor Thinking Red, Acting Blue: Turning Attack Tactics in Your Favor Zero-Day Attacks and False Alarms: Lessons for MSPs Dissecting the Recent Rise in 2025 Zero Days MSP Security Monitoring Strategy: Identity and Cloud Blind Spots Introducing the Todyl Community: A Collaborative Platform for MSPs Threat Advisory: PDFast Freeware Compromise Navigating Today’s Cybersecurity Threat Landscape: Where MSPs Should Start Threat Advisory: Understanding the Recent SonicWall SSL VPN Vulnerability and How to Protect Your Clients Partner Spotlight: GoTech IT Solutions Threat Advisory: SQL Injection in FortiClient CVE-2023-48788 The Importance of SSL Inspection Navigating Compliance Frameworks: Common Challenges and Effective Solutions Making the most of SASE Web Filtering Iran & Middle-East Geopolitical Shifts: Emerging Cyber Risks for SMBs MSP Security KPIs That Matter: Beyond Vanity Metrics to Business Outcomes MSP Challenges Looking into 2025 Combining EDR and NGAV for Defense-in-Depth Starting Your Security Framework Journey: A Practical Implementation Guide Cyber Insurance vs. Warranties: Key Risk Management Elements Akira Ransomware: A Persistent Threat to MSP Operations Transforming Cyber Insurance for MSPs and Their Clients Two Truths, Double Whammy: Why Vulnerability Remediation Needs a Rethink Using LAN ZeroTrust for segmentation The role of SIEM in incident response Partner Spotlight: 917 Solutions Threat Advisory: Business Email Compromise Campaign using OVPN for Obfuscation Beyond Implementation: Creating an Ongoing Security Framework Program ClickFix: Fake Captcha Leads to Real Damage Streamlining Security and Compliance Information Gathering with Assessments EpiBrowser: A Sophisticated PUP Masquerading as Chromium Partner Spotlight: AnchorSix Tips to Help MSPs Set Goals for the New Year How SIEM helps detect insider threats Massive Wave of Network Security Vulnerabilities Demands Immediate Action FortiJump: The FortiManager Zero-Day Vulnerability Explained Use cases of SASE: Software-defined perimeter Threat Advisory: LightPerlGirl Malware Why MSPs Must Prioritize CIS Critical Security Controls v8.1 for Client Success
5 Pillars for Security Program Growth in 2025
Andrew Scott · 2026-01-09 · via Todyl Blog

The cybersecurity landscape has evolved dramatically, and the data tells a compelling story. With global breach costs averaging $4.44 million and ransomware attacks becoming increasingly sophisticated, organizations face unprecedented challenges. Yet, amid this complexity, five fundamental pillars emerge as critical for building resilient security programs. Let's explore the wisdom that separates reactive organizations from proactive defenders.

1. Observability is a Must: See Everything, Miss Nothing

The Challenge: Modern attacks move fast… really fast. According to the 2025 Data Breach Investigations Report (DBIR), organizations achieved a mean time to identify and contain breaches of just 241 days in 2025, the lowest in nine years. However, this improvement masks a critical reality: 50% of breaches were identified by internal security teams, while 19% were disclosed by attackers themselves.

The Wisdom: Layered observability isn't optional; it's foundational. EDR alone is insufficient when adversaries are increasingly sophisticated. Organizations leveraging SIEM and AI automation extensively in their security operations shortened breach times by 80 days and lowered average breach costs by $1.9 million compared to those without these capabilities.

Key Insights

  • The extortion evolution: Data theft has become weaponized even before ransomware deployment. In 2025, 28% of organizations that had data encrypted also experienced data exfiltration, creating dual leverage points for attackers.
  • Detection matters: Breaches identified by security teams cost an average of $4.18 million, compared to $5.08 million when disclosed by attackers.
  • Speed is everything: Organizations with detection and response capabilities recovered faster, with 53% fully recovered within a week, up from 35% in 2024.

Action Items

  • Deploy SIEM solutions for centralized log aggregation and correlation across your entire environment.
  • Consider Managed Extended Detection and Response (MXDR) services to augment internal teams with 24/7 threat hunting and response capabilities.
  • Implement AI-powered threat detection to identify anomalies and indicators of compromise in real-time.
  • Focus on reducing mean time to detect (MTTD) and mean time to respond (MTTR) as key performance indicators.

2. Secure the Identity: The Crown Jewel Attackers Crave

The Challenge: Identity has become the new perimeter, and adversaries know it. The 2025 data reveals a troubling picture: 83% of attacks compromised the identity infrastructure, yet only 60% of organizations maintain dedicated Active Directory-specific backup systems, and just 66% include AD recovery procedures in their disaster recovery plans.

The Wisdom: Stolen credentials remain the second most common initial attack vector at 22% of breaches, costing an average of $4.67 million per incident. More concerning, the rise of infostealer malware has created an underground economy where credentials are commoditized at scale.

The Identity Crisis in Numbers

  • Infostealer impact: 30% of compromised systems identified in infostealer logs were enterprise-licensed devices, and 46% of systems with corporate logins were non-managed devices.
  • MFA isn't enough: Attackers are bypassing MFA through prompt bombing, adversary-in-the-middle (AiTM) attacks, and token theft, with 4% of breaches involving MFA bypass techniques.
  • Hybrid complexity: Organizations face identity challenges across Active Directory, Entra ID, and SaaS applications like Okta, creating multiple attack surfaces.

The Phishing Problem Persists: For the third consecutive year, phishing emerged as the top initial attack vector in 2025, accounting for 16% of breaches with an average cost of $4.8 million. But the threat has evolved: 16% of breaches now involve attackers using AI for enhanced phishing campaigns and deepfake attacks.

Action Items

  • Implement phishing-resistant authentication methods like passkeys and hardware tokens.
  • Deploy Identity Threat Detection and Response (ITDR) solutions with continuous monitoring and automated response via SOAR.
  • Establish dedicated backup systems for identity infrastructure with regular restoration testing.
  • Monitor for credential exposure in paste sites, dark web forums, and infostealer logs.
  • Apply least privilege principles rigorously across all identity platforms.
  • Implement conditional access policies that consider device trust, location, and behavioral analytics.

3. It's Not Me, It's You: The Supply Chain Reality Check

The Challenge: Third-party involvement in breaches doubled from 15% to 30% year-over-year, making supply chain compromise the second most expensive attack vector at $4.91 million per incident. These attacks also took the longest to resolve at 267 days, a full week longer than any other attack type.

The Wisdom: Your security posture is only as strong as your weakest vendor. The 2025 DBIR highlights that 30% of security incidents involving AI occurred through supply chain compromise, including compromised apps, APIs, and plug-ins.

The Third-Party Threat Landscape

  • Vendor vulnerabilities cascade: Software vulnerabilities from third parties accounted for 20% of breaches involving exploitation, with edge devices and VPNs representing 22% of exploited vulnerabilities.
  • The Snowflake effect: Notable breaches demonstrated how a single vendor compromise can cascade to 165+ organizations, with 54% of ransomware victims having their domains appear in credential dumps.
  • Supply chain attack speed: These breaches took 267 days to identify and contain—the longest of any attack vector.

Action Items

  • Conduct thorough security assessments of all vendors with access to your systems or data.
  • Require third parties to meet the same security standards as your organization, including MFA enforcement and security audit participation.
  • Implement network segmentation to limit lateral movement if a vendor connection is compromised.
  • Establish vendor risk management programs that include continuous monitoring and regular reassessments.
  • Include supply chain security requirements in procurement contracts and SLAs.
  • Prepare incident response procedures specifically for third-party compromises.

4. Environment Hardening and Patching: The Unglamorous Foundation

The Challenge: For the third consecutive year, exploited vulnerabilities topped the list of initial attack vectors, accounting for 32% of ransomware incidents and 20% of all breaches overall. The median time organizations took to fully remediate edge device vulnerabilities was 32 days, yet for 17 critical vulnerabilities tracked, the median time from CVE publication to CISA KEV listing was zero days.

The Wisdom: You're racing against weaponization, and the attackers are winning the sprint. Edge devices and VPNs saw an eight-fold increase as exploitation targets, growing from 3% to 22% of vulnerability-based attacks. This is shown in recent targeted attacks of Sonicwall, Fortinet, Cisco, Palo Alto, and even F5 network security solutions.  

The Patching Predicament

  • The remediation gap: Only 54% of organizations fully remediated edge device vulnerabilities throughout the year, leaving nearly half exposed.
  • Zero-day reality: Nine of 17 critical vulnerabilities were added to the CISA KEV catalog on or before their CVE publication date, giving defenders no head start.
  • Configuration failures: Cloud misconfiguration wasn't even a categorized threat a decade ago; today it's a prime target, with breaches involving multiple environments costing $5.05 million.

The Active Directory Attack Surface: Identity infrastructure hardening extends beyond patching. With 97% of AI-related breaches lacking proper access controls and 83% of attacks compromising identity systems, your Active Directory and cloud identity platforms require particular attention.

Action Items

  • Prioritize patching for internet-facing systems, especially edge devices, VPNs, and firewalls.
  • Implement vulnerability management programs that track time-to-patch metrics and risk-based prioritization.
  • Harden system configurations using CIS Benchmarks and vendor security baselines.
  • Regularly audit privileged account provisioning and disable dormant accounts.
  • Segment networks to contain potential breaches and limit lateral movement.
  • Implement application allowlisting and service hardening to reduce attack surface.
  • Use automated patch management solutions for rapid deployment of critical updates.
  • Establish isolated recovery environments that attackers cannot reach.

5. Governance and Policy: The Quietest Line of Defense

The Challenge: Shadow AI now affects 20% of breached organizations, adding an average of $670,000 to breach costs. More broadly, 63% of breached organizations either lack AI governance policies or are still developing them. This represents a new frontier in governance gaps that attackers are actively exploiting.

The Wisdom: What you can't see, you can't secure. The rise of shadow IT, now turbocharged by shadow AI, demonstrates that governance isn't about restricting innovation; it's about enabling it safely. Organizations with high levels of shadow AI experienced breach costs of $4.74 million compared to $4.07 million for those with low levels or none.

The Governance Gap

  • AI adoption outpacing oversight: 97% of organizations that experienced an AI-related security breach lacked proper AI access controls.
  • The policy vacuum: Among organizations with governance policies, only 34% perform regular audits for unsanctioned AI, and 61% lack AI governance technologies.
  • Inventory ignorance: Security gaps organizations weren't aware of contributed to 40.1% of successful attacks.

Post-Breach Reality Check: Investment in security following breaches dropped significantly, with only 49% of organizations planning increased security spending in 2025 compared to 63% in 2024. This suggests either budget fatigue or a dangerous complacency.

Action Items

  • Implement automated discovery tools for hardware, software, and now AI systems.
  • Create clear frameworks for AI usage, third-party integrations, and data access that balance security with business enablement.
  • Conduct regular tabletop exercises. 31% of IT/cybersecurity teams experienced staff absence due to stress after ransomware attacks. Practice incident response to build muscle memory and reduce panic.
  • Use technologies like SOAR (Security Orchestration, Automation, and Response) to automate policy enforcement at scale without overwhelming your team.
  • Review security policies on a quarterly basis to ensure they remain relevant as threats evolve.
  • Document procedures, create runbooks, and automate repetitive tasks to help lean teams manage expanding attack surfaces.

The Human Element: Don't overlook the human cost. The 2025 Ransomware Risk Report revealed that 41% of IT/cybersecurity teams reported increased anxiety about future attacks, and 25% saw their leadership replaced following an incident. Good governance includes succession planning and mental health support for security teams.

The Bottom Line: Integration is Everything

These five pillars don't exist in isolation—they form an interconnected security ecosystem. Observability without identity security leaves blind spots. Supply chain diligence without environment hardening creates internal vulnerabilities. And governance without the other four pillars is just paperwork.

The Data Speaks

  • Organizations using AI and automation extensively saved $1.9 million on average breach costs.
  • Breaches identified by internal teams cost $900,000 less than those disclosed by attackers.
  • Organizations with dedicated identity backup systems and recovery procedures recovered significantly faster.
  • Proper vendor management prevented the cascading failures that characterized major 2024-2025 breaches.

Where to Start

  1. Quick wins: Implement MFA across all systems, establish a vulnerability management program, and create an asset inventory.
  2. Medium-term investments: Deploy SIEM and MXDR capabilities, conduct vendor security assessments, and develop AI governance frameworks.
  3. Long-term transformation: Build security automation capabilities, establish continuous identity monitoring, and create a culture of security awareness.

The organizations that thrive in 2025 and beyond won't be those with the largest security budgets—they'll be those that strategically implement these five pillars with discipline and consistency. As former CISA Director Jen Easterly noted, the goal is to make ransomware "as infrequent as plane collisions."

We may not be there yet, but with observability, identity security, supply chain vigilance, environment hardening, and strong governance, we're building the foundation to get there. The question isn't whether you can afford to invest in these pillars—it's whether you can afford not to.

The insights in this article are drawn from the 2025 Data Breach Investigations Report (Verizon), IBM's 2025 Cost of a Data Breach Report, Semperis' 2025 Ransomware Risk Report, and Sophos' State of Ransomware 2025 Report.

About Andrew Scott

Andrew is a seasoned Field CISO with over a decade of experience in the cybersecurity and intelligence domains. As an expert in enterprise solutions architecture and security strategy, Managed Security Service Providers (MSSP), and Security Operations Center (SOC) leadership and transformation, Andrew excels in aligning technology solutions with business objectives to enhance organizational security.

His extensive background includes pivotal roles at Leidos, CrowdStrike, and IBM, where he led the development of complex security solutions, managed and led large SOC organizations, and transformed cybersecurity and risk management programs for both Federal and Fortune 500 private sector organizations.

Andrew’s technical expertise spans threat intelligence, SOC operations, Zero Trust implementations, security architecture, and comprehensive threat detection and remediation strategy development. A recognized thought leader, he has contributed to numerous publications and spoken at industry events, sharing his deep knowledge of threat and risk management strategies. Andrew holds several certifications, including CISSP, CRISC and GSTRT certifications.