IT Focus Area: Security
January 11, 2018
8 Cybersecurity Trends for 2018
Organizations face the challenge of defending themselves against increasingly agile cyber adversaries, while a shortage of security talent has left them vulnerable. As companies ring in 2018 with more connectivity, more digital transformation initiatives and more data, there are key security issues to consider.
Here are eight cybersecurity trends for 2018, and actions that your organization can take to mitigate the risks they present:
1. IoT Security Gets Personal
The Internet of Things (IoT) shows no sign of slowing down. While IoT adoption gives organizations unprecedented access to real-time data and insights, it also expands the attack surface. In 2017, massive DDoS attacks used hundreds of thousands of compromised IoT devices in people’s homes and workplaces to generate traffic. This is not expected to change in 2018 as cybercriminals continue to exploit the poor security and lax management of personal devices to spy on users and break into home and corporate networks.
Users now expect everything to be connected, and often don’t ask for permission from their IT department. Since organizations can’t protect what they don’t know about and most lack centralized control over the devices on their network, this will inevitably lead to more successful IoT-based attacks in 2018.
Gartner predicts that by 2020, one third of successful attacks experienced by enterprises will be on data located in shadow IT resources, including shadow Internet of Things (IoT).
While personal devices are not company property, they can be stepping stones to sensitive corporate information. Devices such as Google Home and Amazon Echo often connect to laptops and mobile phones with legitimate access to corporate networks. If these devices are compromised, associated corporate networks can become vulnerable, giving hackers the opportunity to hold systems and files for ransom or steal sensitive data.
What You Can Do
Security leaders should guard against threats posed by both personal and company-owned devices as part of their overall cybersecurity strategies. Traditional approaches don’t work; securing IoT devices is different from securing computers, servers and mobile devices because you can’t simply install software on the device. IoT devices are closed in nature—even if you own the device, you have no ability to deploy your own security into it.
Professional IoT device assessments, including standard discovery and assessment services, and targeted evaluations of specific devices and platforms can help to evaluate the vulnerability of the organization’s IoT devices and establish an understanding of associated attack vectors.
In the past few years, IoT security solutions have emerged to facilitate real-time asset discovery and control, enabling organizations to identify and manage the devices on their network. In addition to these solutions, it is important to take advantage of the other elements of security already in place. Firewalls can be used as enforcement mechanisms, for instance, and SIEM systems can enhance monitoring and analytics. Bringing all of the tools in the environment together increases the ability to orchestrate visibility and response.
Security awareness is also key. Since botnets scan the Internet for IoT systems protected by factory-default or hard-coded usernames and passwords, users should be warned not to give in to the temptation to plug in a device, link it to the Internet and walk away. Standard default log-ins and passwords should never be used. Regularly changing the passwords that can be changed (hard-coded SSH passwords cannot be altered) and rebooting devices at least once a week to clear infections are advisable. Segment the organization's IoT network from both the internet and critical servers, and use your firewall to keep IoT devices away from critical internal services. And make sure to update your hardware’s firmware as often as possible.
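The segmentation advice above is only useful if someone checks that the firewall is actually enforcing it. The script below is an added example, not code from the original article: it reads firewall log lines in a simple key=value format and flags allowed flows that cross the IoT boundary (IoT to a critical server, IoT to the internet, internet to IoT). The subnets, the log format and the log lines are all constructed for the demo; adapt the parser to your own firewall's export format.

```python
# Added example (not part of the original article): check firewall logs for
# flows that violate IoT segmentation. Subnets and log lines are constructed.
import ipaddress

# Assumed network plan (constructed): IoT devices and critical servers each
# get their own /24; anything outside RFC 1918 space is treated as "internet".
IOT_NET = ipaddress.ip_network("10.30.0.0/24")
CRITICAL_NET = ipaddress.ip_network("10.10.0.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines (timestamp followed by key=value pairs).
SAMPLE_LOG = """\
2018-01-11T09:15:02Z action=allow src=10.30.0.12 dst=10.10.0.5 dport=445 proto=tcp
2018-01-11T09:15:09Z action=allow src=10.30.0.20 dst=198.51.100.7 dport=443 proto=tcp
2018-01-11T09:15:11Z action=allow src=10.30.0.12 dst=10.30.0.1 dport=123 proto=udp
2018-01-11T09:16:40Z action=allow src=10.20.0.8 dst=10.10.0.5 dport=443 proto=tcp
2018-01-11T09:17:03Z action=deny src=198.51.100.9 dst=10.30.0.12 dport=23 proto=tcp
"""


def is_internal(ip):
    """True if the address is in RFC 1918 private space."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict with IP objects."""
    fields = line.split()
    record = {"time": fields[0]}
    for token in fields[1:]:
        key, _, value = token.partition("=")
        record[key] = value
    record["src"] = ipaddress.ip_address(record["src"])
    record["dst"] = ipaddress.ip_address(record["dst"])
    return record


def classify(record):
    """Return a violation label for an allowed flow, or None if the flow is acceptable."""
    if record["action"] != "allow":
        return None  # denied flows are the firewall doing its job
    src, dst = record["src"], record["dst"]
    if src in IOT_NET and dst in CRITICAL_NET:
        return "iot_to_critical_server"
    if src in IOT_NET and not is_internal(dst):
        return "iot_to_internet"
    if not is_internal(src) and dst in IOT_NET:
        return "internet_to_iot"
    return None


def find_segmentation_violations(log_text):
    """Return (time, src, dst, dport, label) for each allowed flow that crosses a segment boundary."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        label = classify(record)
        if label:
            violations.append((record["time"], str(record["src"]), str(record["dst"]),
                               record["dport"], label))
    return violations


if __name__ == "__main__":
    for violation in find_segmentation_violations(SAMPLE_LOG):
        print(*violation)
```

Only allowed flows are reported: a denied connection from the internet to a device means the rule set is working. The flow to 10.30.0.1 on UDP/123 stays inside the IoT segment and is therefore not flagged, which is the kind of exception (a local NTP or gateway service) the segment should be designed around.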
2. Equifax Aftermath Drives Improvements
The recent Equifax data breach disclosure has brought open source software security issues to the forefront. The record-breaking breach has been blamed on an unpatched vulnerability in the Apache Software Foundation’s Struts version 2, an open source framework for building Java web applications.
"The Equifax data compromise was due to (Equifax's) failure to install the security updates provided in a timely manner." —Apache Software Foundation
Equifax admitted that they had intended to, but failed to patch Struts prior to the breach, and they’re not alone. Based on scans conducted by Veracode between April and September 2017, 9 in 10 organizations failed to patch the same software. The vast majority—91 percent—of applications that use Apache Struts use a version with at least one high-severity vulnerability.
Open source software is a foundational element in the applications we interact with every day—including Google, Amazon, Netflix and Uber—because it is time and cost-efficient, and facilitates productivity and innovation. According to Forrester, developers are using open source components as their foundation, creating applications with only 10 to 20 percent custom code. Unfortunately, a recent open source security report found that 67 percent of analyzed applications using open source had vulnerabilities in the components used.
Open source is not inherently bad; however, many organizations are not effectively tracking and managing it. In addition to implementing consistent and timely patch management, addressing open source security issues and infusing application code with security early in the software development lifecycle (SDLC) will be a key focus in 2018.
What You Can Do
To reduce open-source risks, security professionals are increasingly turning to software composition analysis (SCA) tools. SCA solutions analyze open source and commercial code, providing comprehensive visibility across the organization’s application landscape, and helping to build an inventory of open source components to identify vulnerabilities.
SCA is among the key tools organizations can leverage to adapt to increased application complexity, along with dynamic application security testing (DAST), static application security testing (SAST), integrated application security testing (IAST) and mediated application programming interfaces (APIs).
In addition to the right tools, integrating security into development processes is also essential. New approaches to managing application development have been rapidly evolving. The use of automation and the alignment of development and operations teams are enabling customized software and business functions to be built more quickly. However, security teams are often still seen as roadblocks, and are therefore left out of the DevOps conversation. Having personnel from development, security and operations collaborate on projects is vital. Security teams need to evolve and move faster in order to keep up and make an impact, so that DevOps and security can be aligned within a new approach—DevSecOps.
DevSecOps can be thought of as a continuous application delivery model that brings together development, security and IT operations into a unified group to ensure security checks and controls are applied automatically and transparently throughout the software development lifecycle.
There are several key elements that organizations need to consider when planning for DevSecOps including performing threat assessments, getting buy-in from security, development and operations teams, and incorporating security parameters and metrics into development and test qualifications without slowing the process down.
There are numerous application security standards and methods to choose from, such as the Open Web Application Security Project (OWASP) Top 10, ISO/IEC 27034 and NIST 800-53/64. OWASP is particularly useful; since 2001, it has provided a place for developers and security professionals alike to contribute to deep repositories of knowledge around the best ways to detect, remediate, and defend web applications.
In addition to resources such as OWASP, infrastructure as code (IaC) automation tools such as Chef and Puppet can help your organization automate and accelerate DevOps processes.
3. GDPR Panic
A recent survey benchmarking the status of over 400 U.S. and U.K. companies' efforts to meet the May 25 deadline for the EU Global Data Protection Regulation (GDPR) revealed 61 percent of U.S. companies have not begun implementation of their GDPR compliance programs.
While organizations are vulnerable to fines only if there is a breach or if EU citizens file complaints, those that don’t take GDPR seriously and experience an incident that triggers an investigation risk heavy fines. Companies that violate certain provisions—such as the basic processing principles or the rules relating to cross-border data transfers—may face fines amounting to four percent of the company’s annual gross revenue, and up to two percent for violations such as failing to meet the breach notification rule.
Making matters worse, regulators may be looking to send out a global wake-up call in the form of a staggering fine, making an example of an organization that is not in compliance and cannot document good-faith efforts to comply.
What You Can Do
Organizations that offer goods and services to EU citizens should do their best to achieve compliance by May 25. Whether it’s the GDPR or other data protection and privacy regulations, efforts should be focused on discovering and identifying regulated data, and then managing and protecting it. While there is no “one-size-fits-all” approach, the majority of requirements in the regulation can be met through the development and/or maturation of programs many large enterprises have already begun to implement: data-centric security, incident response, and third-party risk management.
Advancing data protection capabilities requires organizations to shift their focus to securing data, rather than the IT infrastructure that houses a diminishing amount of that data. A comprehensive data-centric security strategy includes the following components:
- Data discovery
- Data classification
- Data tagging & watermarking
- Data governance
- Data loss prevention
- Data visibility
- Encryption strategies
- Enhanced gateway controls
- Identity and access management (IAM)
- Cloud access
- Continuous education
Having a well-established plan of action that can be immediately executed following a breach is critical to limiting costs and damage to the company’s reputation. The GDPR contains a 72-hour data-breach notification mandate, which will require dramatic changes to the plans of organizations not accustomed to responding to security incidents within strict timelines.
Professional services such as security program assessments can help organizations focus on their ability to detect and respond to security incidents, formally document the workflow required to triage and manage the incidents impacting the environment, and improve the processes that support current incident concerns. Compromise assessments help to determine if there has already been an incident or an incident is currently in progress. Additionally, interactive tabletop exercises and breach simulations — in conjunction with forensic and incident response “emergency services” partnerships — can also be of great value. Innovative IR platforms that feature automation and orchestration can increase your efficiency, and a comprehensive plan will enable your organization to respond aggressively to an attack, maintain compliance, minimize damage and align defenses to mitigate future intrusions.
Third parties can present your greatest area of risk exposure. It is therefore important to extend your focus beyond the organization’s figurative four walls, and consider the impact of your “extended enterprise”. The ramifications of the GDPR broaden significantly when you think about all of the third parties that are essential to your daily operations. Third parties may be considered regulated “data processors” and are thereby subject to the directive. This leads us into our next trend.
4. Supply Chain Attacks
With more suppliers and service providers accessing sensitive data than ever before, the risks associated with supply chain attacks—also known as third-party attacks—have never been higher. Data breaches caused by third parties are on the rise, and cybercriminals will continue to focus on infiltrating target systems through outside providers in 2018.
According to a recent Ponemon Institute survey, 56 percent of organizations have had a breach that was caused by one of their vendors. And only 35 percent had an inventory of the third parties they were sharing sensitive information with.
New data protection and privacy requirements such as the EU GDPR and New York State Cybersecurity Requirements for Financial Services Companies require organizations to ensure that their suppliers' security protections are up to par. Penalties for non-compliance are steep, and many companies lack trust in their partners’ ability to protect their sensitive data, and to notify them of security incidents.
What You Can Do
Just as credit lenders don’t want high-risk customers, businesses don’t want high-risk partners. Effective third-party risk management is essential to your overall security posture. Carefully monitor the security practices of partners and vendors—engaging in third-party due diligence and periodic assessments—to ensure that cybersecurity requirements have been met throughout your supply chain.
Several key elements of a successful program appear below:
Third-party security tools can enhance your efforts by providing automated vendor risk assessment and continuous threat monitoring. Additionally, security scoring tools can help to assess both third-party security and your own, using predictive analytics and security risk assessment tools to issue either FICO-like scores or grades ranging from A to F, to help predict an organization’s likelihood of a breach.
"We think that at some point in the near term, a cybersecurity score will be as important as a credit score when organizations look to sign up for a partnership." —Jeffrey Wheatman, Research Director, Security and Risk Management at Gartner
In addition to providing visibility into the security posture of third-party vendors and partners, security ratings are used by cyber insurance underwriters to evaluate a company’s potential risk, and by security executives to explain risks to their board of directors in an easy-to-understand way.
5. Automation & Orchestration Initiatives
The most critical component in responding to threats is the security operations center (SOC). But many SOC teams are understaffed and under-skilled. According to ESG research, 45 percent of organizations say they have a problematic shortage of cybersecurity skills.
There will be 3.5 million unfilled cybersecurity positions by 2021. —2017 Cybersecurity Jobs Report
Organizations have too many alerts, too many technologies and not enough people. Even companies that do have skilled in-house security talent find it difficult to decrease the mean time to detect (MTTD) and the mean time to remediate security incidents. To address these issues, many companies will seek to fortify their cybersecurity strategies and improve security operations with automation and orchestration.
Security automation and orchestration technology can help to achieve the following:
- Raise the productivity of security engineers
- Minimize the mean time to resolution (MTTR)
- Integrate the products required to defend against agile threats
Automation and orchestration help tackle the mundane: picking up and enriching alerts. But the technology is starting to evolve towards enhancing threat intelligence, enabling better inferences about the right decision in a particular scenario and the best action to take. Rather than just pulling together and presenting data, it is adding a brain — applying AI and machine learning so that analysts can make better decisions from better data.
What You Can Do
Automation is a journey that needs to be taken in steps, and companies looking for solutions are up against a list of more than 20 vendors. It is important to evaluate providers to narrow your choices down, and focus on the one that best fits your organization’s objectives.
There are several things to consider when evaluating solutions:
- Time to value. Some automation and orchestration solutions can be up and running quickly, and significantly reduce the time it takes to integrate with the existing solutions in your environment.
- Ease of use and deployment. There are different approaches to deployment; some vendors make it as easy as possible, emulating a drag-and-drop, workflow-style implementation to get your playbooks up and running. Others may require more of a development background, requiring scripting and coding skills.
- Strong Support Infrastructure. Products should have the infrastructure to ensure integrations into third-party products through their APIs. APIs change, and you don’t necessarily own the integrations on the other side. As APIs change, the solution needs to be able to quickly update plug-ins or integrations.
- Scalability. Different providers have chosen different architectures. Choose a product that can scale with your environment in the long run.
- Expertise. Evaluate the expertise behind the solution. Security automation and orchestration is a framework; it requires experts who really understand security, and can drive expertise from the front line and incorporate best practices.
Many companies leverage a vendor-independent technology partner to help them test and evaluate potential solutions. Once you have identified a provider, start with use cases that are easy to implement and low-regret. One popular initial use case is the “abuse mailbox”. Many companies have a mailbox dedicated to customers and users who think they’re getting suspicious emails with either URLs or attachments, and aren’t sure if they should open them. Companies have to analyze the URLs and attachments in order to determine whether or not they’re malicious. This is easy for automation tools to take care of, as it only involves determining “yes” it’s bad, or “no” it’s not bad. It doesn’t require turning services off or remediating anything. Map out the processes that you want to automate over the first 12-24 months, focusing on use cases that require a low level of effort, are low-regret to implement and have a high return on time savings.
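What the abuse-mailbox playbook does in practice is shown in the script below, an added example written for this page rather than code from the article or from any orchestration product. It parses a reported message, extracts the URLs from the body and the attachments with their SHA-256 hashes, and compares them against threat intelligence to return a verdict with reasons. Nothing is blocked or remediated, which is exactly why this is a low-regret first automation. The sample messages, the blocklisted domain and the known-bad hash are all constructed; in a real deployment the indicator sets would come from your threat intelligence feeds.

```python
# Added example (not from the article): automated first-pass triage of a
# message forwarded to an abuse mailbox. It only answers "bad" or "not bad";
# it does not block, quarantine or remediate anything. Samples, the domain
# blocklist and the hash indicator are all constructed for the demo.
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".bat", ".hta")

# Constructed threat intelligence: one phishing domain and the SHA-256 of a
# made-up "malicious" attachment (the .invalid TLD can never resolve).
BAD_DOMAINS = {"login-example.invalid"}
KNOWN_BAD_BYTES = b"MZ constructed stand-in for a malicious attachment"
BAD_HASHES = {hashlib.sha256(KNOWN_BAD_BYTES).hexdigest()}


def build_sample(body, attachment=None):
    """Construct a raw RFC 5322 message string for the demo."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "abuse@example.com"
    msg["Subject"] = "Reported message"
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_string()


SUSPICIOUS_RAW = build_sample("Your password expires today: http://login-example.invalid/reset",
                              attachment=("invoice.exe", KNOWN_BAD_BYTES))
CLEAN_RAW = build_sample("Monthly newsletter: https://example.com/news (no action needed).")


def extract_urls(text):
    """Pull URLs out of a text body, trimming trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def triage(raw_message):
    """Classify a reported message as malicious, suspicious or clean, with reasons."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    indicators, heuristics = [], []  # hard matches vs. weaker signals

    urls = extract_urls(body)
    hosts = {urlsplit(u).hostname for u in urls}
    bad_domains = sorted(h for h in hosts if h in BAD_DOMAINS)
    indicators += [f"url host on blocklist: {d}" for d in bad_domains]

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "unnamed"
        digest = hashlib.sha256(data).hexdigest()
        attachments.append((name, digest))
        if digest in BAD_HASHES:
            indicators.append(f"attachment matches known-bad hash: {name}")
        elif name.lower().endswith(RISKY_EXTENSIONS):
            heuristics.append(f"executable attachment type: {name}")

    if indicators:
        verdict = "malicious"
    elif heuristics:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "urls": urls, "bad_domains": bad_domains,
            "attachments": attachments, "findings": indicators + heuristics}


if __name__ == "__main__":
    for raw in (SUSPICIOUS_RAW, CLEAN_RAW):
        report = triage(raw)
        print(report["verdict"], report["findings"])
```

Indicator matches (a blocklisted domain, a known-bad hash) give a firm "malicious" answer; a risky attachment type with no indicator match is only "suspicious", which is the case an analyst should still look at. Keeping those two tiers apart is what lets the playbook auto-close the clear cases without hiding the ambiguous ones.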
6. Ransomware Expansion
Ransomware reigned in 2017, culminating in the WannaCry and NotPetya breaches that damaged a long and distinguished list of companies. Distribution methods and attack vectors advanced and attacks on businesses accelerated, even as the percentage of victims willing to pay ransoms declined. Between military cyber warfare divisions and amateur cybercriminals, the problem will persist; ransomware is projected to attack a business every 14 seconds by the end of 2019, and a pivot towards attacking IoT deployments and point of sale (POS) systems has already begun.
What You Can Do
There are steps that can be taken to defend against this kind of malware and like anything in enterprise security, a proactive approach is best.
- Take data backups seriously. Ensure not only that data is backed up on a daily basis, but that you have thoroughly tested your ability to recover systems and data in the event of an attack.
- Don’t pay the ransom. You cannot trust cybercriminals to release your systems and data, and by paying up you could be making yourself a target for future attacks.
- Patching is critical. Patching commonly exploited software, such as Java, Flash, and Adobe can help to prevent attacks from being successful in the first place.
- Implement endpoint detection and response (EDR) controls. EDR tools record endpoint activity and events and store that information either on the endpoint itself, or in a centralized database. Databases of known indicators of compromise (IOCs) and behavior analytics are then used to search the data for early breach identification in order to facilitate rapid response to malicious activity. EDR technology helps organizations achieve the following:
  - Protect endpoints from known and unknown threats (including ransomware)
  - Protect data wherever it resides, regardless of the endpoint’s function or the network it uses
  - Centralize endpoint security with a holistic management platform that allows policies to be applied across all endpoints
- Complement efforts with threat intelligence. When properly operationalized, this will help you identify where some of these attacks are coming from and use that information to block incoming traffic at the firewall.
- Train employees. Since email is the most popular avenue of attack for ransomware, providing awareness training at least once a year can help employees detect and react to spear phishing.
7. Container Adoption
The popularity of software container platforms such as Docker has exploded over the past few years as companies look for ways to get applications to run reliably when moved from one environment to another, whether the target environment is a public cloud, a private data center or even a personal laptop. With containers, each application (or process) on a server gets its own environment to run in that shares the host server's operating system (OS).
Since containers don't have to load an OS, they can be created almost instantly. They can be spun up and taken down much faster than virtual machines (VMs)—taking mere seconds to create rather than the few minutes it takes to spin up a VM. They are also more portable, easy to scale and break complex applications down into modular microservices. The same hardware can support a much greater number of containers than VMs, reducing infrastructure costs and enabling applications to deploy faster.
The application container market is expected to grow to nearly $3 billion by 2020, according to 451 Research.
However, the same elements that enable containers to increase agility also present security challenges.
- The use of a shared OS model means an attack on a vulnerability in the host OS could lead to a compromise of all containers.
- Traditional host-based security agents lack the context to enforce different policies on different containers in the same host.
- The breakdown of applications into base components (microservices) transforms a small number of workloads into 10s or 100s that need to be managed.
- Because containers can be created in seconds, it is virtually impossible for traditional network and endpoint controls to keep up with the changes required to secure them.
- They create a new attack surface through the APIs and control plane, which introduce complexity in delivering the actual compute service, exposing application internals.
What You Can Do
Security teams need to be aware of container deployments that are planned or in process within the organization. A continuous vulnerability assessment and remediation program is an integral part of successful containerization initiatives.
- Use a hardened, patched OS for the host OS.
- Scan containers in development for configuration and vulnerability issues before production.
- Maintain standard configurations and container profiles.
- Use containers on a single physical host for workloads of similar trust levels until security gaps are addressed, or isolate containers using a virtual machine (VM) or physical hardware if trust levels are mixed.
- Control the extent to which containers interact internally, and limit the number of containers accessible to Docker groups through sockets or open ports.
- Enforce access controls to privileged accounts and operations for the deployment pipeline.
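Several of the recommendations above (scan configurations before production, keep to standard profiles, limit what reaches the Docker socket, control privileged operations) can be enforced as a pre-production gate. The script below is an added example written for this page, not code from the article or from any container security product: it audits a Kubernetes pod spec, supplied as JSON, for settings that widen the attack surface. The pod, image names and volume names are constructed; the field names (hostPID, securityContext.privileged, runAsNonRoot, allowPrivilegeEscalation, hostPath) are standard Kubernetes pod-spec fields. The check only looks at container-level securityContext, so a pod-level runAsNonRoot setting would need a small extension.

```python
# Added example (not from the article): a pre-production configuration check
# for container workloads, run over a constructed Kubernetes pod spec in JSON.
import json

# Constructed pod spec: "web" follows a hardened profile, "agent" does not.
SAMPLE_POD_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [
            {"name": "web", "image": "registry.example/web:1.4.2",
             "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True}},
            {"name": "agent", "image": "registry.example/agent:latest",
             "securityContext": {"privileged": True},
             "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}]},
        ],
    },
})

DOCKER_SOCKET = "/var/run/docker.sock"


def image_is_pinned(image):
    """True if the image reference carries an explicit non-'latest' tag or a digest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # strip registry host (which may contain a port)
    if ":" not in last:
        return False  # no tag means 'latest'
    return last.split(":", 1)[1] != "latest"


def audit_pod(pod_json):
    """Return a list of (scope, finding) pairs; an empty list means the spec passed."""
    spec = json.loads(pod_json)["spec"]
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("pod", f"{flag} shares a host namespace with the container"))
    socket_volumes = {v["name"] for v in spec.get("volumes", [])
                      if v.get("hostPath", {}).get("path") == DOCKER_SOCKET}
    for container in spec.get("containers", []):
        name = container["name"]
        sc = container.get("securityContext", {})
        if not image_is_pinned(container.get("image", "")):
            findings.append((name, "image is not pinned to a version tag or digest"))
        if sc.get("privileged"):
            findings.append((name, "privileged container"))
        if sc.get("runAsNonRoot") is not True:
            findings.append((name, "runAsNonRoot not enforced"))
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append((name, "allowPrivilegeEscalation not disabled"))
        for mount in container.get("volumeMounts", []):
            if mount["name"] in socket_volumes:
                findings.append((name, "mounts the Docker socket (control of the host daemon)"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_pod(SAMPLE_POD_JSON):
        print(f"[{scope}] {finding}")
```

Run as a CI step, a non-empty finding list fails the build before the workload reaches production; the "web" container produces no findings, which is the profile the "maintain standard configurations" recommendation is asking for.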
Container security providers offer tools for organizations using Docker, Kubernetes and other platforms. They provide full lifecycle vulnerability management and application-tailored runtime defense to help secure containers against threats. They can link containers to a predefined set of security templates so they can be created with security policies attached, isolate one workload from another, and prevent successful attacks on executing instances of software in the environment.
8. Blockchain Roadmaps
Blockchain has caught the attention of business and IT leaders not only as a way to record financial transactions, but as a way to enhance cybersecurity.
Designed to facilitate the exchange of virtual currency such as Bitcoin, blockchain is an open, distributed and decentralized electronic ledger system that can record transactions efficiently and in a verifiable way. It can also be programmed to trigger transactions automatically. Unlike current transaction and record-keeping mechanisms, there is no centralized holding of transaction and activity-related data that can be deleted, tampered with or revised—information is distributed by nodes that carry the record of the chain, so that everyone with access sees the same information at the same time.
While blockchain itself provides little in terms of traditional security protections, it offers an infrastructure of transparency, providing trust in untrusted environments. Security teams are looking into ways it can improve cybersecurity with capabilities such as event tracking, cryptography, tamper detection of policy changes and transactional integrity.
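The "tamper detection of policy changes" capability rests on one mechanism: each record carries the hash of the previous one, so altering any record breaks every link after it, and a copy held elsewhere shows a different chain tip. The script below is an added example written for this page, not code from the article or from any vendor. It implements only that integrity part (a hash-chained, append-only log of constructed security events) with no consensus, peers or mining, so it is a hash chain rather than a blockchain; the events and timestamps are constructed.

```python
# Added example (not from the article): an append-only, hash-chained log of
# security events with verification that detects tampering. Integrity only:
# no consensus, no peers, no mining. Events and timestamps are constructed.
import hashlib
import json

GENESIS_PREV = "0" * 64


def _record_hash(index, prev_hash, timestamp, event):
    """Hash the record's fields in a canonical JSON encoding."""
    material = json.dumps([index, prev_hash, timestamp, event], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(material.encode()).hexdigest()


def append(chain, timestamp, event):
    """Append an event, linking it to the previous record's hash."""
    index = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    record = {"index": index, "prev_hash": prev_hash, "timestamp": timestamp, "event": event}
    record["hash"] = _record_hash(index, prev_hash, timestamp, event)
    chain.append(record)
    return record


def verify(chain):
    """Return (True, None) if every link holds, else (False, index of the first bad record)."""
    expected_prev = GENESIS_PREV
    for i, rec in enumerate(chain):
        if rec["index"] != i or rec["prev_hash"] != expected_prev:
            return False, i
        if rec["hash"] != _record_hash(i, rec["prev_hash"], rec["timestamp"], rec["event"]):
            return False, i
        expected_prev = rec["hash"]
    return True, None


def tip_hash(chain):
    """The last record's hash; comparing tips across copies detects divergence cheaply."""
    return chain[-1]["hash"] if chain else GENESIS_PREV


def rehash(chain, i):
    """Recompute record i's link and hash from its current contents."""
    chain[i]["prev_hash"] = chain[i - 1]["hash"] if i else GENESIS_PREV
    chain[i]["hash"] = _record_hash(i, chain[i]["prev_hash"], chain[i]["timestamp"], chain[i]["event"])


def build_demo_chain():
    """Three constructed policy-change events."""
    chain = []
    append(chain, "2018-01-11T08:00:00Z", {"actor": "alice", "action": "firewall.rule.add",
                                           "detail": "allow tcp/443 to web-tier"})
    append(chain, "2018-01-11T08:05:00Z", {"actor": "bob", "action": "iam.role.grant",
                                           "detail": "read-only on backups"})
    append(chain, "2018-01-11T08:09:00Z", {"actor": "alice", "action": "policy.update",
                                           "detail": "MFA required for admins"})
    return chain


def tamper_demo():
    """Edit record 1 in place and show what each verification step reveals."""
    chain = build_demo_chain()
    chain[1]["event"]["detail"] = "admin on backups"  # silent edit
    first = verify(chain)    # record 1's stored hash no longer matches its contents
    rehash(chain, 1)
    second = verify(chain)   # record 2's prev_hash no longer matches record 1
    rehash(chain, 2)
    third = verify(chain)    # internally consistent again, but the tip has changed
    return first, second, third, chain


if __name__ == "__main__":
    first, second, third, tampered = tamper_demo()
    print(first, second, third)
    print("tip differs from untouched copy:", tip_hash(tampered) != tip_hash(build_demo_chain()))
```

The third step is the important one: whoever can rewrite the whole chain can make it verify again, and only a copy held by another party (the distributed part of a blockchain) exposes the change, because its tip hash no longer agrees. That is why the article's point about every node carrying the record matters more than the hashing itself.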
In 2018, security vendors will be looking to incorporate blockchain technology.
"We predict that 2018 will be the start of an avalanche of new startups offering blockchain-related security solutions and that incumbents will scramble to update vision, strategy, and road maps so they don't lag behind." —Forrester
What You Can Do
Despite all of the excitement, blockchain adoption will be gradual. Use cases outside of crypto-currencies are still in their infancy, and the technology is unproven in mission-critical business operations. Workable security solutions are still a ways off; in the meantime, organizations should develop a clear understanding of blockchain opportunities, capabilities and limitations. Take care when interacting with vendors touting blockchain offerings to identify exactly how the term is being used, and the ability of the solutions to meet business use cases. Don’t assume it is the best solution; before considering blockchain, answer the following questions:
- What problem are we trying to solve?
- What are the potential solutions and how do they compare?
Protecting Yourself in 2018
Like it or not, the new year in cybersecurity is upon us. While the continued rise of data breaches is frightening for businesses worldwide, taking action based on trends and vulnerabilities will help your organization prepare. By maximizing your capabilities to withstand material threats to the business, you can mitigate risk and achieve growth in 2018.