IT Focus Area: Security
February 2, 2017
Top 5 Cyber Security Predictions for 2017
The security threat landscape continues to change and present new challenges. Here are five predictions for 2017 that are worth preparing for.
1. General Data Protection Regulation Readiness Takes Priority
The passing of a new European Union (EU) data protection framework — the General Data Protection Regulation, or GDPR — is having a tremendous impact on enterprises that collect data on Europeans. The May 25, 2018 compliance deadline, which from an IT planning and management perspective is right around the corner, has U.S. organizations scrambling. According to PwC, 77 percent of U.S. multinational companies are planning to spend $1 million or more on GDPR readiness this year, and 68 percent are earmarking between $1 million and $10 million.*
Key GDPR Mandates
• Scope: Any company that markets goods or services to EU residents may be viewed as subject to the GDPR, regardless of whether the company is located or uses equipment in the EU.
• Fines: Companies that violate certain provisions, such as the basic processing principles or the rules relating to cross-border data transfers, may face fines amounting to four percent of the company’s annual gross revenue. Two percent fines will apply to other violations, such as failure to meet the breach notification requirement. These fines may not sound significant, but could translate into millions of dollars for large companies that violate the GDPR.
• Right to be Forgotten: A “right to erasure," also known as the right to be forgotten, gives a data subject the right to order a data controller/organization to erase any of their personal data in certain situations. Data controllers will be required to erase personal data “without undue delay” when the data is no longer necessary in relation to the purposes for which it was gathered or processed in the first place.
• Data Protection Officer: Companies whose “core activities” involve large-scale processing of special categories of data — defined as information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health or sexual orientation — will need to designate a data protection officer. Even if companies do not collect this information from customers, they may collect some of it from employees for human resources purposes and, therefore, may need to meet this requirement.
• Breach Notification: A single data breach notification requirement is applicable across the EU. The rule requires data controllers to notify the appropriate supervisory authority of a personal data breach within 72 hours of learning about it.
What Organizations Can Do
If your organization is invested in Europe and you haven’t started preparing for GDPR, you’re behind. Companies looking to maintain a European presence should assess their overall data protection capabilities to identify gaps and compliance risks. Security program, data protection and compliance assessments can help to evaluate current tools, policies and overall security practices, and adapt them to meet specific requirements.
The development and/or maturation of a data-centric security program is invaluable not only to GDPR readiness, but to all data protection and data privacy efforts. Key aspects of data-centric security that are critical to GDPR readiness are data discovery, and data classification. Many organizations don’t even know where their sensitive information is, which makes it extremely difficult to comply with GDPR requirements such as the right to be forgotten.
Data discovery tools provide visibility into the location, volume, context and risk associated with sensitive, unstructured data across the enterprise — both on-premises and in the cloud. Data classification tools can be used to improve the treatment and handling of sensitive data, and promote a culture of security that helps to enforce data governance policies and prevent inadvertent disclosure. Classification metadata can be ingested by data loss prevention (DLP), encryption and other security solutions to determine which information is sensitive, and how it should be protected.
Reducing the impact of third-party risk is also essential. Organizations need to carefully monitor the GDPR readiness of partners and vendors to ensure that they have met requirements throughout their supply chain. As arduous as the new accountabilities presented by the GDPR may seem, organizations that proactively manage GDPR compliance by advancing their security can increase consumer trust, and are likely to be more resilient going forward.
2. Continued IoT Adoption & Device Threats
Gartner predicts that through 2018, over 50 percent of Internet of Things (IoT) device manufacturers will not be able to address threats from weak authentication practices. This is not good news. Millions of IoT devices — everything from routers, security cameras and DVRs to medical devices, cars and more — have already been infected with malware, and repurposed as zombie armies by cyber attackers looking to direct their power towards targets of their choosing.
As a result, the bandwidth of distributed denial of service (DDoS) attacks reached frightening levels in 2016, hitting 986Mbps during the first half of the year (a 30 percent increase over 2015), and culminating with attacks of well over 600 Gbps on hosting provider OVH, KrebsOnSecurity.com and DNS services provider DYN. Given that an attack of 10 Gbps is enough to knock most organizations offline, these high-volume attacks, capable of taking down critical infrastructure or even the Internet infrastructure of entire countries, now rank among the most dangerous IT security threats organizations face today. Nevertheless, companies are moving ahead with increased adoption of IoT devices in 2017.
What Organizations Can Do
Until device makers require unique passwords by default, it is up to us to protect ourselves. Since botnets scan the Internet for IoT systems protected by factory default or hard-coded usernames and passwords, the most obvious advice is not to give into the temptation to plug in a device, link to the Internet and walk away. Standard default log-ins and passwords should never be used. Regularly changing the passwords that can be changed (hard-coded SSH passwords cannot be altered), and rebooting devices at least once a week to delete infections is advisable. Segment the organization's IoT network from both the internet and from critical servers, and use your firewall to segment IoT devices from critical internal services. And make sure to update your hardware’s firmware as often as possible.
Additionally, security teams should identify authentication risks, and review identity and access management practices. Professional IoT device assessments, including standard discovery and assessment services, and targeted evaluations of specific devices and platforms, can help to evaluate the vulnerability of the organization’s IoT devices, and establish an understanding of associated attack vectors.
Distributed denial of service (DDoS) protection tools can help to protect against volumetric DDoS attacks, should the organization become the unfortunate focus of an IoT botnet. Hybrid DDoS solutions can integrate on-premises protection with cloud-based scrubbing, automatically collecting and analyzing data across deployments that includes SSL inspection, behavioral analytics, bandwidth usage, health monitoring, and other statistics. This ensures that attacks can be quickly discovered and mitigation activated via hardware, upstream, or across cloud-based services.
3. The Evolution of Ransomware
The impact ransomware had on all sectors in 2016 will spur cybercriminals on. According to Osterman Research, nearly half of U.S. companies that participated in a recent cyber-attack survey reported experiencing a ransomware incident over the last year. The FBI estimates that $209M was paid to ransomware criminals in the first quarter of 2016 alone. Ransomware is likely to increase and grow in sophistication this year, getting stealthier and using automation to attack. The emergence of “Ransomware as a Service” (RaaS) providers — who host ransomware toolkits in the cloud and sell access on a subscription basis — is exacerbating the issue, making it easy for just about anyone to attempt to extort money.
Nearly 40 percent of enterprises hit by ransomware in 2015 paid the attackers in order to retrieve their data.** If companies stopped paying up, cybercriminals would be forced to explore other avenues but unfortunately, many organizations find that it is cheaper to pay the ransom than it is to lose the data. As long as companies are willing to pay ransom demands when valuable data and intellectual property is held hostage, ransomware will remain a viable choice for attackers.
What Organizations Can Do
There are steps that can be taken to defend against this kind of malware and, like anything in enterprise security, a proactive approach is best.
• First and foremost, organizations need to take data backups seriously. If the data being held hostage is cleanly backed up elsewhere, there will be no need to consider paying the ransom. Instead, systems can be wiped and reinstalled. There are many options available, from backing up to cloud providers to local storage devices or even network-attached drives.
• Patching is critical; patching commonly exploited software, such as Java, Flash, and Adobe, can help to prevent attacks from being successful in the first place.
• Enhance security capabilities with robust endpoint detection and response (EDR) controls. In the past, endpoint security focused on signature-based solutions, such as anti-virus, host IPS and heuristics, to prevent exploits and malware propagation. Today’s EDR solutions include these components, but they also enable security operations centers (SOCs) and incident response (IR) teams to leverage additional capabilities, such as continuous endpoint recording, customized detection, live endpoint investigation, remediation, and rapid attack banning. They are generally broken down into the following categories:
- Threat prevention
- Threat detection and response
- Endpoint monitoring and management
- Digital forensics
• Complement your efforts with threat intelligence. When properly operationalized, this will help you identify where some of these attacks are coming from and use that information to block incoming traffic at the firewall.
• Since email is the most popular attack avenue for ransomware, security awareness training is important. Offering awareness training at least once a year can reduce the chances of employees clicking on malicious links and attachments.
4. SaaS & Shadow IT Cloud Security Gaps Drive Action
A recent 451 Research report based on a survey of 1,100 senior IT security executives at large companies worldwide found that 85 percent of enterprises are now using sensitive data in the cloud, up from 54 percent in 2015. And 70 percent are concerned about it.***
The use of applications such as Salesforce, Microsoft Office 365 and Box, is soaring; sensitive data is easy to misuse in cloud-based applications, and few Software as a Service (SaaS) providers offer a degree of control that approaches what IT teams are used to exerting over on-premises applications. To make matters worse, the majority of organizations experience some level of unauthorized provisioning of cloud services — shadow IT — which makes it nearly impossible to ensure security policy enforcement. Gartner predicts that by 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.
What Organizations Can Do
Organizations need to advance their data protection capabilities by focusing on the security of the data itself no matter where it is stored, used or transmitted. Cloud access security brokers (CASBs) can help. CASBs are policy enforcement points that sit between an organization's on-premises infrastructure and a cloud provider's infrastructure. They act as gatekeepers, interposing enterprise security policies as cloud-based resources are accessed. They enable organizations to manage and enforce security policies across disparate applications, providing much-needed insight into cloud activity, and acting as a single point of control for multiple applications and services.
CASBs include a Shadow IT discovery component that can audit the network to identify the SaaS applications being used, and provide a business-readiness rating that specifies how safe the applications are for the organization. Used in conjunction with Identity as a Service (IDaaS) solutions, they can ensure that access (and the removal of access) to applications and the configuration of applications and devices is under control.
There are numerous CASB solutions to choose from; a comprehensive evaluation is critical to finding the best match for an organization’s needs. Assessing how employees are currently using various cloud services, carefully planning use cases, developing policies, and architecting how the CASB will integrate into overall network and security operations are important parts of the decision-making process. A vendor-independent technology partner can help test and evaluate potential solutions, and professional services — such as data protection assessments, cloud security architecture assessments and cloud migration strategy assessments — can pave the way to a successful deployment by objectively evaluating the overall state of the organization’s security. They can also define the requirements and controls needed to securely access not only SaaS, but Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) implementations.
5. The Move Towards Security Automation
In 2016, security seemed to become less about people and more about machines. Malicious actors conscripted vulnerable IoT devices into botnets through continuous automated scanning for, and exploitation of, well-known and hard-coded credentials. Manually addressing the intensive, sustained attacks that are being directed at organizations across the globe is not a viable option. Cyber attackers have turned to automation to advance their capabilities; in order to keep up with them, we need to do the same.
Enterprise security teams often suffer from alert fatigue and, as a result, they routinely ignore alerts. A joint study conducted by security automation and orchestration provider Phantom and ESG Research surveyed 125 IT and cyber-security professionals with either knowledge of, or responsibility for, IR processes and technologies at their organization. The majority of respondents — 92 percent — reported believing the difference in skill levels among the employees dealing with IR is significant. Consequently, 30 percent said more than half of all events are ignored. However, 77 percent of those in the study stated that if given access to automation/orchestration tools, they would investigate the security events and alerts they currently ignore.
What Organizations Can Do
You can stand up to aggressive cyber attackers and combine your own virtual cyber army with your team’s skills by focusing on automation. Automation and orchestration technology can help organizations achieve the following:
- Raise the productivity of skilled security engineers
- Minimize the mean time to resolution (MTTR)
- Integrate the diverse products required to defend against agile threats
According to one expert, “…such automation can empower one FTE (Full Time Equivalent) to do as much as five FTEs once deployed at scale. We can now drive consistency across operational functions by eliminating human errors. We can isolate a computer with one click, or a “kill switch”, if destructive malware is detected.”
It is important to note that in order to optimize automation, foundational security program components need to be mature. Platforms including security information and event management (SIEM), next-generation firewall (NGFW) and data loss prevention (DLP) must be properly managed and accessible to the automation tools. Patch and vulnerability management, and configuration standards should also be effective and sustainable. Professional services, including security program, security vulnerability, SIEM and DLP assessments can pave the way to successful deployment and integration.
*PwC GDPR Series, January 2017 https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/pwc-gdpr-series-pulse-survey.pdf
**Osterman Research/Malwarebytes: Understanding the Depth of the Global Ransomware Problem, August 2016 https://go.malwarebytes.com/OstermanRansomwareSurvey.html
***2016 451 Research/Vormetric Data Threat Report (DTR), February 24, 2016 https://451research.com/blog/53-451-research-and-vormetric-shed-light-on-the-current-state-of-data-security