IT Focus Area: security
December 31, 2018
5 Cybersecurity Trends for 2019
In 2018, “mega breaches” involving one million compromised records or more entered the cybersecurity lexicon, shaking the confidence consumers used to have in the companies they share personal information with. Strengthening enterprise security in 2019 is about more than protecting data—it’s about neutralizing potentially devastating attacks, and pursuing customer trust. As we ring in the new year with more devices, more public cloud environments and more data, it’s time to sharpen our focus on key security issues.
Here are five cybersecurity trends for 2019, and actions that your organization can take to address them:
1. Open source hacking tool adoption
Gemalto’s Breach Level Index reported over 3.3 billion stolen, lost or compromised records during the first half of 2018, a staggering 72 percent increase over the same time period in 2017.
Open source (freely available) hacking tools were widely adopted throughout the year, and are increasingly favored by threat actors over custom-made malware. New tools are released each day both by attackers in hidden hacking forums and dark web marketplaces, and by security researchers as penetration testing tools. As a result, in 2019 we can expect to see low-skilled cybercriminals catching up with expert hackers and launching sophisticated attacks with better tools, better social engineering techniques, and broader targets.
What You Can Do
Consistently evaluating security controls is critical to ensuring even the most basic security posture. Adopting the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity—commonly known as the Cybersecurity Framework—and the Center for Internet Security (CIS) Controls (formerly known as the SANS Top 20), can help organizations in all industries assess the maturity of their controls, and augment existing cybersecurity programs and risk management processes.
The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must-do for all CEOs. —Secretary of Commerce Wilbur Ross
Unlike the more comprehensive Cybersecurity Framework, the CIS Controls provide organizations with a smaller, prioritized number of tools that should be implemented first, with the goal of providing immediate results. This targeted approach helps companies eliminate the vast majority of vulnerabilities, and establish a solid baseline for cyber defense. The controls are, in essence, a technical on-ramp to the Cybersecurity Framework. The latest version of the controls—version 7—has a strong focus on automation and orchestration, an emphasis on application whitelisting and multi-factor authentication (MFA), and a shift to just one ask per control.
Many organizations have difficulty with security control self-assessments. Professional, vendor-independent Security Program Assessments can help you leverage cybersecurity frameworks to achieve a strategic view of your existing capabilities, and detail specific actions that can be taken to mature your defenses and take a risk-based approach to managing cybersecurity.
2. IoT attacks take center stage
There has been a rapid evolution in IoT attacks since the Mirai botnet in 2016, and this is expected to intensify in 2019 as threat actors leverage more and more devices to deliver everything from coin miners to malware to misinformation. Attacks on devices such as cars, medical devices and industrial control systems (ICS) bridge the digital and physical worlds, threatening bodily harm or even loss of life. Additionally, ubiquitous home-based devices are rife with vulnerabilities, providing numerous avenues for hackers to leverage as potential access points to company networks.
Statista predicts there will be more than 30 billion connected devices by 2020. The reality is that IT has been outpaced by IoT adoption; IT departments have fallen behind, and are often forced to just let these devices connect. As a result, the majority of IoT devices are unmanaged, creating a tremendous visibility gap.
Gartner predicts that by 2020, one-third of successful attacks experienced by enterprises will be on data located in shadow IT resources, including shadow Internet of Things (IoT).
Numerous sessions at RSA Conference 2018 focused on IoT security issues. In “The New Landscape of Airborne Cyberattacks”, presenters from IoT security company Armis highlighted the vulnerability of popular voice control platforms, reporting that 82 percent of companies have an Amazon Echo in their environment. They demonstrated how hackers can attack network infrastructure via an Echo, and access confidential data.
While smart speakers with on-board virtual assistants including Alexa, Google Assistant, Siri, and Cortana may not be company property, they can be stepping stones to sensitive corporate information. If adversaries compromise one of these devices, they can use it to open up full access to your network or bridge from a less secure to a more secure network. Compromised devices can also be used as part of a botnet—joining the computing power of many devices together to take entire parts of networks down. Companies have to worry about protecting the organization against distributed denial-of-service attacks (DDoS), and from their own internal devices.
With the number of IoT devices starting to outnumber conventional IT assets, threat actors are focusing on these devices as entry points to compromise organizations and steal sensitive data. In 2019, we can expect to see the hype around IoT threats become a reality, with breaches directly tied back to IoT devices. —Chris Hoke, Managing Director, Sirius
What You Can Do
Security leaders should guard against threats posed by both personal and company-owned devices as part of their overall cybersecurity strategies. It is critical for organizations to eliminate IoT blind spots so they can discover and classify every device in the enterprise environment, and determine which network segment they are on.
Traditional approaches don’t work, because IoT devices are closed in nature—even if you own the device, you usually cannot patch it or install a security agent on it, so its protection has to be enforced by the network around it. Segment the organization's IoT network from both the Internet and critical servers. Professional IoT device assessments, including standard discovery and assessment services and targeted evaluations of specific devices and platforms, can help to evaluate the vulnerability of the organization’s IoT devices and establish an understanding of the associated attack vectors.
IoT security solutions have emerged to facilitate real-time asset discovery and control, enabling organizations to identify and manage the devices on their network. In addition to these solutions, it is important to take advantage of the other elements of security already in place. Firewalls can be used as enforcement mechanisms, for instance, and modern SIEM systems can enhance monitoring and analytics. Bringing all of the tools in the environment together increases the ability to orchestrate visibility and response.
Since botnets scan the Internet for IoT systems protected by factory default or hard-coded usernames and passwords, security awareness is also key. Users should be warned not to give in to the temptation to plug in a device, link it to the Internet and walk away. Standard default log-ins and passwords should never be used. Regularly changing the passwords that can be changed (hard-coded SSH passwords cannot be altered) and rebooting devices at least once a week to clear memory-resident infections is advisable.
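The discovery, classification and segmentation steps above can be checked mechanically once an inventory exists. The following is an added example, not code from the article or from any Sirius service: it takes a device inventory (as a discovery tool or DHCP/ARP export would produce it), classifies each device by its MAC OUI prefix, and reports every IoT device that sits outside the isolated IoT segment, shares a segment with critical servers, or has direct Internet egress, plus every device it cannot classify at all (the visibility gap the text describes). The OUI prefixes, subnets and device records are constructed for illustration and are not real vendor assignments.

```python
"""Audit a discovered-device inventory against an IoT segmentation policy.

Added example (not from the original article). All device records, OUI
prefixes and subnets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed OUI (first three MAC octets) -> device class mapping.
# A real deployment would load the IEEE OUI registry or a discovery tool's output.
OUI_CLASSES = {
    "AA:BB:01": "camera",
    "AA:BB:02": "smart-speaker",
    "AA:BB:03": "hvac-controller",
    "CC:DD:01": "workstation",
    "CC:DD:02": "server",
}
IOT_CLASSES = {"camera", "smart-speaker", "hvac-controller"}

# Constructed segmentation policy: where IoT devices are allowed to live,
# and which segment they must never share.
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")       # isolated IoT VLAN
CRITICAL_SEGMENT = ipaddress.ip_network("10.10.0.0/24")  # critical servers


@dataclass
class Device:
    mac: str
    ip: str
    vlan: int
    internet_egress: bool  # does the firewall allow this host to reach the Internet?


def classify(mac: str) -> str:
    """Map a MAC address to a device class via its OUI prefix ('unknown' if unseen)."""
    return OUI_CLASSES.get(mac.upper()[:8], "unknown")


def audit(devices):
    """Return (mac, severity, message) findings for every policy violation."""
    findings = []
    for d in devices:
        cls = classify(d.mac)
        addr = ipaddress.ip_address(d.ip)
        if cls == "unknown":
            findings.append((d.mac, "UNCLASSIFIED",
                             "visibility gap: cannot assign a segment policy"))
            continue
        if cls not in IOT_CLASSES:
            continue  # conventional IT assets are covered by other controls
        if addr in CRITICAL_SEGMENT:
            findings.append((d.mac, "CRITICAL",
                             f"{cls} sits in the critical-server segment"))
        elif addr not in IOT_SEGMENT:
            findings.append((d.mac, "HIGH",
                             f"{cls} is outside the isolated IoT segment"))
        if d.internet_egress:
            findings.append((d.mac, "HIGH",
                             f"{cls} is allowed direct Internet egress"))
    return findings


# Constructed inventory: one compliant camera, a smart speaker on a user VLAN
# with Internet access, an HVAC controller next to critical servers, a server,
# and a device whose OUI is not in the mapping.
SAMPLE_DEVICES = [
    Device("AA:BB:01:00:00:01", "10.50.1.10", 50, False),
    Device("aa:bb:02:00:00:09", "10.20.3.7", 20, True),
    Device("AA:BB:03:00:00:02", "10.10.0.44", 10, False),
    Device("CC:DD:02:00:00:05", "10.10.0.5", 10, False),
    Device("EE:FF:00:00:00:01", "10.20.5.5", 20, False),
]

if __name__ == "__main__":
    for mac, severity, message in audit(SAMPLE_DEVICES):
        print(f"{severity:<13} {mac}  {message}")
```

The severity ordering matters: an IoT device inside the critical-server segment is reported before the weaker "outside the IoT segment" finding, and unclassified devices are surfaced separately because no segmentation rule can be applied to a device nobody has identified.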
3. Widening cybersecurity talent gap
The most critical component in responding to threats is the security operations center (SOC). But SOC teams are understaffed, underskilled, and overworked. Many are forced to ignore alerts that should be investigated further because they can’t keep up with the overall volume. This makes it very difficult to streamline operations and decrease the time it takes to detect and remediate security incidents.
The global cybersecurity workforce is predicted to be short 1.8 million by 2022
—Frost & Sullivan Global Information Security Workforce Study
Research indicates that the problem is getting worse. According to a global 2018 survey conducted by ESG, 51 percent of respondents claimed their organization already has a problematic shortage of cybersecurity skills.
Given the increasingly dangerous threat landscape, rising costs associated with data breaches and expanding digital transformation initiatives, the stakes for companies are high. Security operations are people-centric; finding ways to help your security team quickly analyze, prioritize and respond to threats is essential to maturing your security posture, protecting sensitive data, and keeping your business safe in 2019.
What You Can Do
Automation and Orchestration
Security automation and orchestration focuses on SOC operations and accelerating the ability of analysts to disposition alerts and start remediation. For this reason, it is becoming a powerful component of security and incident response.
Automation and orchestration solutions can help to achieve the following:
- Raise the productivity of security engineers
- Minimize the mean time to resolution (MTTR)
- Integrate the products required to defend against agile threats
In addition to helping analysts pick up and enrich alerts, the technology is evolving towards enhancing threat intelligence to enable better inferences about the right decision in a particular scenario, and the best action to take. Rather than just pulling together and presenting data, it’s adding a brain—applying AI and machine learning to enable analysts to make better decisions from better data.
Security Information and Event Management (SIEM) has been at the heart of security operations for years. Traditional solutions generate alerts to notify analysts about potential issues by pulling together event and flow data from numerous sources, then performing correlation and risk prioritization. They’re great at aggregating data from disparate systems, enabling security teams to write correlation rules on known indicators of compromise (IoCs) and report on results. However, they fall short in detecting unknown attacks, analyzing large volumes of dynamic threat data and providing insight into network and user behavior.
According to Gartner, the security operations center must become continuously adaptive via analytics.
Adding advanced analytics and cognitive capabilities to SIEM deployments can augment your investigative capabilities, increasing the speed and accuracy of security investigations and enabling the creation of a SOC workflow in your SIEM. Modern SIEMs incorporate traditional capabilities with threat intelligence, advanced historical and real-time analytics, endpoint monitoring, user and entity behavior analytics (UEBA), and AI for cognitive computing-based (i.e. smarter) orchestration and response. They can act as the intelligence and analytics engine behind an organization’s security practice, and help security teams analyze, prioritize and respond to threats in minutes, rather than hours or days.
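To make the difference between rule-based correlation and behavioral analytics concrete, here is an added example that is not from the article or from any SIEM product. It normalizes events from two constructed sources (a VPN authentication log and firewall/DNS logs), applies one traditional correlation rule on known indicators of compromise, one simple UEBA-style rule (a successful login from a country outside the user's baseline), and then raises the risk score when both signals land on the same user. The indicators, baselines and log lines are constructed; a real SIEM would learn the baselines from history and pull indicators from its threat-intelligence feeds.

```python
"""Correlate events from disparate sources against known IoCs and a simple
user-behaviour baseline, then prioritise the resulting alerts by risk.

Added example, not from the original article or any SIEM product. All event
lines, indicators and baselines are constructed for illustration.
"""

# Constructed indicators of compromise (what a traditional correlation rule matches on).
IOC_IPS = {"203.0.113.45"}
IOC_DOMAINS = {"update-check.example.net"}

# Constructed per-user baseline: countries the user normally authenticates from.
# A UEBA component would learn this from history rather than hard-code it.
USER_BASELINE = {"alice": {"US"}, "bob": {"US", "DE"}}


def parse_event(line):
    """Normalise a 'key=value ...' line from any source into one flat dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def correlate(lines):
    """Return alerts sorted by descending risk score."""
    events = [parse_event(line) for line in lines]
    alerts = []
    anomalous_users = set()

    # Rule 1 (behavioural): successful authentication from a country outside
    # the user's baseline. This catches activity no IoC list knows about.
    for e in events:
        if e.get("src") == "auth" and e.get("result") == "success":
            user, country = e["user"], e.get("geo", "??")
            if user in USER_BASELINE and country not in USER_BASELINE[user]:
                anomalous_users.add(user)
                alerts.append({"score": 40, "rule": "login-outside-baseline",
                               "user": user, "evidence": e})

    # Rule 2 (known-bad): outbound connection or DNS query matching an IoC.
    for e in events:
        if e.get("src") not in ("fw", "dns"):
            continue
        if e.get("dst") in IOC_IPS or e.get("qname") in IOC_DOMAINS:
            score = 60
            # Correlation across rules: a known-bad contact by a user who also
            # had an anomalous login is far more likely to be a compromised
            # account than either signal alone, so it jumps the queue.
            if e.get("user") in anomalous_users:
                score = 95
            alerts.append({"score": score, "rule": "ioc-match",
                           "user": e.get("user"), "evidence": e})

    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


# Constructed events: alice behaves normally, bob logs in from an unusual
# country and then talks to a known-bad IP, carol resolves a known-bad domain.
SAMPLE_LOG = [
    "src=auth user=alice result=success geo=US host=vpn1",
    "src=auth user=bob result=success geo=RO host=vpn1",
    "src=fw user=bob dst=203.0.113.45 dport=443 action=allow",
    "src=dns user=carol qname=update-check.example.net",
    "src=fw user=alice dst=198.51.100.9 dport=443 action=allow",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"[{a['score']:>3}] {a['rule']:<22} user={a['user']}")
```

Run on the sample log, bob's IoC contact scores 95 and sits at the top of the analyst's queue, carol's DNS hit scores 60, and bob's unusual login alone scores 40; that ordering is the "prioritize and respond in minutes" behavior the text describes, produced by combining a known-indicator rule with a behavioral one.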
Managed Security Services
CISOs need to evaluate their people, skills, and limitations, and manage accordingly. Without solid processes and skilled staff in place, using technology effectively can be a struggle, and the amount of data generated by solutions may be too much for your organization to handle on its own. It is important to understand what your needs are, what you can do in-house, and what you should outsource.
Many organizations choose a hybrid approach, keeping a small in-house team and leveraging a managed security services provider (MSSP) to monitor and manage specific security controls. This reduces the cost and frustration involved with staffing and increases the productivity of analysts, allowing them to be more strategic.
Incorporating managed services into your strategy better positions you to keep up with the output of security controls and streamline support across multiple product lines with a consistent, single point of contact.
4. Zero Trust Network Security
With attackers routinely stealing credentials and masquerading as legitimate users, the idea that everything on the inside of an organization’s network should be trusted has become antiquated. Introduced by Forrester Research nearly a decade ago, the concept of Zero Trust is rapidly moving from buzzword to reality. Proactive security leaders are adopting a “never trust, always verify” approach to network security challenges in 2019.
If I have 20 calls, 17 are about Zero Trust. CISOs, CIOs and CEOs are all interested, and companies of various sizes are interested. And in three years, I think Zero Trust will be cited as one of the big-time frameworks in cybersecurity. Period. —Chase Cunningham, Principal Analyst, Forrester
What You Can Do
Professional services such as a Security Architecture Review can help you obtain a detailed picture of transaction flows throughout the network, including where, when and to what extent your users are using specific applications and data resources. Armed with this visibility, your security team can incrementally deploy devices in appropriate locations to establish internal boundaries for identified trust zones, and configure the appropriate enforcement and inspection policies.
By establishing Zero Trust boundaries that effectively compartmentalize different segments of the network, you will gain far better situational awareness of malicious activity, prevent the exfiltration of sensitive data and simplify adherence to compliance regulations. Technologies that support Zero Trust are quickly moving into the mainstream, enabling micro-segmentation that creates secure zones in data centers and cloud deployments, so that companies can isolate workloads from one another and secure them individually. This catches not only north-south, client-to-server traffic between the data center and anything outside of it, but also east-west, server-to-server traffic within the data center that bypasses traditional controls.
In addition to network segmentation, solutions such as MFA, IAM, orchestration, analytics and other technologies can be leveraged to challenge each and every access request with the following questions:
- Who is the user?
- What application are they trying to access?
- Does the request comply with our policies?
- Can they be authenticated with our existing solutions?
- What device is being used, and what is its security state?
With a Zero Trust architecture in place, there is no default confidence in users, devices, applications or packets, regardless of their location on or relative to the corporate network. Nobody and nothing will be given access until it has been established they should be trusted.
However, it is important to note that Zero Trust cannot be accomplished overnight. It takes careful planning and strategy, and involves a variety of security measures and techniques. Organizations with complex IT environments and legacy systems should consider the move to Zero Trust as a multi-phase, multi-year project. Vendor-independent advisory services can provide valuable guidance on how you can progressively migrate to a Zero Trust architecture over time.
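The five questions listed above amount to a policy decision that every access request has to pass. The following is an added example, not code from the article or from any Zero Trust product: a small policy-decision function that answers who the user is, whether they are authenticated (and with MFA where the application demands it), whether the request complies with the application's policy, and what the device's security state is, while deliberately ignoring whether the request came from inside the corporate network. The applications, groups, device posture thresholds and requests are constructed for illustration.

```python
"""Evaluate an access request the Zero Trust way: every request answers the
who / what / policy / authentication / device-state questions, and network
location grants nothing by itself.

Added example, not from the original article or any vendor product. Users,
applications and device records are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Device:
    managed: bool          # enrolled in the organisation's device management
    disk_encrypted: bool
    patch_age_days: int    # days since the last security update was applied


@dataclass
class Request:
    user: str
    groups: set
    authenticated: bool
    mfa_verified: bool
    app: str
    device: Device
    on_corporate_lan: bool  # recorded for logging, deliberately not used for trust


# Constructed application policy: which groups may reach each application and
# how strong the authentication and device posture must be.
APP_POLICY = {
    "wiki":    {"groups": {"staff"},   "require_mfa": False,
                "require_managed": False, "max_patch_age": 90},
    "payroll": {"groups": {"finance"}, "require_mfa": True,
                "require_managed": True,  "max_patch_age": 30},
}


def decide(req: Request):
    """Return (allowed, reasons). Every failed check is reported, so the
    security team can see exactly why a request was denied."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, ["unknown application: default deny"]
    reasons = []

    # Who is the user, and can they be authenticated with our existing solutions?
    if not req.authenticated:
        reasons.append("identity not authenticated")
    if policy["require_mfa"] and not req.mfa_verified:
        reasons.append("MFA required for this application")

    # What application are they trying to access, and does the request comply
    # with our policy for it?
    if not (req.groups & policy["groups"]):
        reasons.append(f"user not in an authorised group for {req.app}")

    # What device is being used, and what is its security state?
    d = req.device
    if policy["require_managed"] and not d.managed:
        reasons.append("unmanaged device")
    if not d.disk_encrypted:
        reasons.append("disk not encrypted")
    if d.patch_age_days > policy["max_patch_age"]:
        reasons.append(f"device patch age {d.patch_age_days}d exceeds "
                       f"{policy['max_patch_age']}d")

    # req.on_corporate_lan is never consulted: being inside the perimeter
    # earns no trust, which is the whole point of the model.
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed request: finance user on the corporate LAN, but without MFA
    # and from a personal laptop. A perimeter model would wave this through.
    req = Request("dana", {"finance"}, True, False, "payroll",
                  Device(managed=False, disk_encrypted=True, patch_age_days=5), True)
    allowed, why = decide(req)
    print("ALLOW" if allowed else "DENY", why)
```

The interesting case is the one in the usage block: the request originates on the corporate LAN and still fails, because the user has not completed MFA and the device is unmanaged. The same user with MFA on a managed, encrypted, recently patched device is allowed from anywhere, which is the "never trust, always verify" behavior in practice.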
5. Rising nation-state cyber activity
Simmering trade tensions between the U.S. and China have left governments deeply suspicious of each other's cybercrime activities. During a keynote at RSA Conference 2018, U.S. Department of Homeland Security Secretary Kirstjen M. Nielsen warned that we’ve reached a turning point in cyber history. Digital security is merging with personal and physical security, and as far as the U.S. is concerned, complacency is being replaced by consequences. In an effort to identify and punish America’s cyber adversaries, the Department of Justice (DOJ) recently charged two Chinese hackers associated with the Ministry of State Security with global computer intrusion campaigns targeting intellectual property and confidential business information.
The two were members of a hacking group operating in China known within the cybersecurity community as Advanced Persistent Threat 10 (the APT10 Group). The alleged hackers went by a number of different aliases, including “Godkiller,” “Red Apollo,” “Stone Panda,” and “POTASSIUM,” according to the charging document. Additionally, the U.S. coordinated with Canada to arrest the CFO of Huawei, one of China’s biggest companies, for conspiring to defraud banking institutions.
The trickle-down effect of nation-state hacking is a serious concern, as sophisticated techniques used by governments typically find their way into dark web marketplaces and ultimately, into the hands of cybercriminals looking to infiltrate companies.
What You Can Do
The best form of defense against attacks and those who perpetrate them is to know about them. Collaborative defense has become critical not only to national security but also to enterprise security, and threat intelligence is a force multiplier.
In war, nothing is more important…than the facts concerning the strength, dispositions and intentions of [the] opponent, and the proper interpretation of those facts. —Dwight D. Eisenhower
Threat intelligence can help enterprises arm themselves with the strategic, tactical, and operational insights they need to identify and respond to global threat activity. It includes both information related to protecting an organization from threats, and the technologies, processes, and policies designed to effectively gather and analyze that information.
There are numerous threat intelligence services you can subscribe to. Some are specific to an industry vertical or to a single manufacturer, some are open to third-party integration, and others offer automation tools. Each provides different levels of relevance and context and different numbers of indicators, and the effort involved in using the information they provide varies widely.
Without a sound process for leveraging threat intelligence, the chances of deriving actionable information and value are slim. Organizations often start by wanting to leverage the most comprehensive amount of intelligence possible, and will start gathering as much raw data as they can. However, simply dumping raw information into organizations that are already drowning in data can exacerbate staffing and false positive issues. Taking a strategic view is essential. Focus initial efforts on what applies directly to your organization, and consider the complexities of ingesting intelligence in an automated way, so you can connect it with and add value to technologies such as SIEM and analyze the intelligence and outputs as they relate to your environment.
Vendor-independent proof-of-concept testing can help you identify the threat intelligence solutions that align with your cybersecurity and business goals. Advisory services can facilitate the processes you need to integrate intelligence into existing workflows, create new workflows aimed at critical thinking—not just alerting—and fuse intelligence with new and existing technologies so that you can gain insight into attackers’ plans, shorten the time between attack and detection, and focus staff efforts and decision-making.
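The advice above to focus on what applies to your organization, and to ingest intelligence automatically rather than dumping raw feeds into an already overloaded SIEM, can be turned into a triage step between the feeds and the SIEM. The following is an added example, not code from the article or from any intelligence provider: it normalizes records from two constructed feeds into one schema, discards indicators that are stale, low-confidence or irrelevant to the organization's industry and platforms, merges duplicates reported by several feeds, and ranks what remains so that only a prioritized subset is pushed on to the correlation rules. The organization profile, feed formats, thresholds and scoring weights are all constructed and would be tuned per environment.

```python
"""Triage raw threat-intelligence feed entries before they reach the SIEM:
normalise, drop what is irrelevant or stale, deduplicate across feeds, and
rank by confidence, relevance and corroboration.

Added example, not from the original article or any intelligence provider.
The feed records, organisation profile and scoring weights are constructed.
"""
from datetime import date

# Constructed profile of the organisation: what the intelligence must apply to.
ORG_PROFILE = {
    "industry": "healthcare",
    "platforms": {"windows", "linux", "ios"},
}
TODAY = date(2019, 1, 15)  # fixed so the example is deterministic
MAX_AGE_DAYS = 30          # constructed threshold: older indicators are dropped
MIN_CONFIDENCE = 50        # constructed threshold: 0-100 provider confidence


def normalise(record, feed):
    """Map a provider-specific record onto one internal schema."""
    return {
        "type": record["type"].lower(),
        "value": record["value"].strip().lower(),
        "confidence": int(record.get("confidence", 0)),
        "industries": {i.lower() for i in record.get("industries", [])},
        "platforms": {p.lower() for p in record.get("platforms", [])},
        "first_seen": date.fromisoformat(record["first_seen"]),
        "feeds": {feed},
    }


def relevance(ind):
    """0..2: one point each for industry and platform applicability.
    An indicator that names no industry or platform is treated as generic."""
    score = 0
    if not ind["industries"] or ORG_PROFILE["industry"] in ind["industries"]:
        score += 1
    if not ind["platforms"] or ind["platforms"] & ORG_PROFILE["platforms"]:
        score += 1
    return score


def triage(feeds):
    """feeds: {feed_name: [raw records]} -> indicators worth ingesting, ranked."""
    merged = {}
    for feed, records in feeds.items():
        for raw in records:
            ind = normalise(raw, feed)
            if (TODAY - ind["first_seen"]).days > MAX_AGE_DAYS:
                continue  # stale: would only add noise and false positives
            if ind["confidence"] < MIN_CONFIDENCE:
                continue
            if relevance(ind) == 0:
                continue  # does not apply to this organisation at all
            key = (ind["type"], ind["value"])
            if key in merged:
                # Same indicator from several feeds: keep the highest confidence
                # and remember every source; corroboration raises priority.
                merged[key]["confidence"] = max(merged[key]["confidence"], ind["confidence"])
                merged[key]["feeds"] |= ind["feeds"]
            else:
                merged[key] = ind
    ranked = list(merged.values())
    for ind in ranked:
        ind["priority"] = ind["confidence"] * relevance(ind) + 10 * (len(ind["feeds"]) - 1)
    ranked.sort(key=lambda i: i["priority"], reverse=True)
    return ranked


# Constructed feeds: a commercial vendor and an open feed with overlapping,
# stale, low-confidence and off-target entries mixed in.
SAMPLE_FEEDS = {
    "vendor-a": [
        {"type": "ipv4", "value": "203.0.113.45", "confidence": 80,
         "industries": ["healthcare"], "platforms": ["windows"], "first_seen": "2019-01-10"},
        {"type": "domain", "value": "Old-Bad.example.org", "confidence": 90,
         "industries": [], "platforms": [], "first_seen": "2018-11-01"},      # stale
        {"type": "sha256", "value": "a" * 64, "confidence": 95,
         "industries": ["retail"], "platforms": ["android"], "first_seen": "2019-01-12"},  # off-target
    ],
    "open-feed": [
        {"type": "IPv4", "value": " 203.0.113.45 ", "confidence": 60,
         "industries": [], "platforms": [], "first_seen": "2019-01-11"},      # duplicate
        {"type": "domain", "value": "login-portal.example.net", "confidence": 40,
         "industries": ["healthcare"], "platforms": [], "first_seen": "2019-01-13"},  # low confidence
        {"type": "domain", "value": "update-check.example.net", "confidence": 70,
         "industries": [], "platforms": ["linux"], "first_seen": "2019-01-14"},
    ],
}

if __name__ == "__main__":
    for ind in triage(SAMPLE_FEEDS):
        print(f"{ind['priority']:>4}  {ind['type']:<7} {ind['value']}  feeds={sorted(ind['feeds'])}")
```

Of the six raw records, only two survive: the IP address reported by both feeds (merged, with the higher confidence kept and both sources recorded) and the Linux-related domain. The stale domain, the retail/Android hash and the low-confidence entry never reach the SIEM, which is the point of the strategic, organization-specific view the text recommends.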
Protecting Yourself in 2019
Like it or not, the new year in cybersecurity is upon us. While the continued rise of data breaches is frightening for businesses and customers worldwide, taking action based on trends and vulnerabilities can help organizations prepare. By streamlining security operations and maximizing your capabilities to withstand evolving threats, you can mitigate risk and achieve growth in 2019.
Find out how to mature your organization's security posture. Get your guide to transforming enterprise cybersecurity.