It’s time to step back, reflect on the year that 2019 was, and make New Year’s resolutions. We’ve taken a moment to consider the upcoming challenges and opportunities for 2020.
AI streamlines cybersecurity processes
There has been much talk of how AI offers new methods of threat detection and how the adversary is looking to subvert AI capabilities. While all the excitement no doubt continues, AI will make a real impact in 2020 in a different way: streamlining cybersecurity processes.
SOAR (security orchestration, automation, and response) is just one example: using AI and NLP to capture the human knowledge held by cybersecurity staff and make it reusable across the rest of the team. This approach provides the building blocks for automating what are typically high-volume, simple, repetitive tasks that no security expert likes doing. It will also help ensure the right people with the right knowledge are engaged on any given project, to best navigate cybersecurity’s latest complex challenges.
How deep does faking need to get?
The idea of a trusted digital contact or source is hitting an all-time low as faking continues to grow. For the last few years, we have seen an increase in business email compromise, using stolen trusted credentials to gain access to systems. As the concept of faking continues to broaden into video, audio, and other digital formats, we are seeing faking move from simple spoofing into a complex web of lies that spans multiple platforms. We can only expect to see more complex, deeper fakes being created to trick and dupe users into doing things the adversary wants.
For critical tasks, organisations have already started to put in place secondary controls to try to identify and stop fakes, whether BEC or other successful methods. Yet as this space expands, we will need to look more broadly across both digital communications and processes at how we validate them to reach the degree of trust required. Otherwise we become sceptical, work on the basis that we simply don’t trust, and limit the associated risks and impact that way. With the scope of faking showing little sign of abatement, we can only expect more of the latter.
Cloud becomes specialist
What was cloud first became cloud appropriate, hybrid cloud and single cloud, which is now multi-cloud. What comes next in the cloud journey? The likely answer seems to be more specialist clouds. Why? Particularly across EMEA, it seems virtual boundaries for data are growing; many policy stakeholders encourage ‘cloud first’ more and more, but adding the caveat that the data must stay in the country or region. This is driven by the ever-increasing focus on privacy.
At the same time, IoT and other big data generators are driving the need for more effective edge computing. Both requirements mean taking data and completing some form of processing close to where it is generated, be that to hash out personally identifiable information, convert it to metadata, or reduce a high volume of raw data into analytical summaries, which can then be processed at the next level.
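The three edge-processing steps above (removing personally identifiable information, converting records to metadata, and reducing them to analytical summaries) can be shown in a small pipeline. The following is an added example, not code from the original article or from Palo Alto Networks; the field names, the meter readings, and the per-node pseudonymisation key are constructed for illustration. One caveat it demonstrates: "hashing out" an identifier with a plain hash leaves it recoverable by brute force when the identifier space is small (device serials, phone numbers), so the example uses a keyed HMAC whose key stays on the edge node and never travels to the cloud.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample input: raw smart-meter readings as an edge node might
# receive them. Field names are hypothetical.
RAW_READINGS = [
    {"customer_name": "A. Example", "address": "1 Example St", "device_id": "meter-001",
     "kind": "power", "ts": "2019-12-01T10:05:00", "kwh": 0.5},
    {"customer_name": "A. Example", "address": "1 Example St", "device_id": "meter-001",
     "kind": "power", "ts": "2019-12-01T10:35:00", "kwh": 0.7},
    {"customer_name": "B. Sample", "address": "2 Sample Rd", "device_id": "meter-002",
     "kind": "power", "ts": "2019-12-01T10:15:00", "kwh": 1.2},
    {"customer_name": "A. Example", "address": "1 Example St", "device_id": "meter-001",
     "kind": "power", "ts": "2019-12-01T11:05:00", "kwh": 0.6},
]

# Fields that must never leave the edge node.
PII_FIELDS = ("customer_name", "address", "device_id")

# Assumption: a per-edge-node secret provisioned at deployment time. It is the
# reason a keyed HMAC is used rather than a plain hash: without the key, the
# cloud side (or anyone reading the uplink) cannot enumerate likely device IDs
# and match them against the pseudonyms.
PSEUDONYM_KEY = b"constructed-edge-node-secret"


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable, keyed pseudonym for an identifier (truncated HMAC-SHA256)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def to_metadata(record: dict) -> dict:
    """Step 1 and 2: drop PII, replace the device ID with a pseudonym, and keep
    only the metadata needed downstream (device type, hour bucket, reading)."""
    return {
        "device": pseudonymise(record["device_id"]),
        "kind": record["kind"],
        "hour": record["ts"][:13],   # "2019-12-01T10" -> hourly bucket
        "kwh": record["kwh"],
    }


def summarise(metadata) -> list:
    """Step 3: reduce many readings to one summary per device, kind and hour."""
    buckets = defaultdict(list)
    for m in metadata:
        buckets[(m["device"], m["kind"], m["hour"])].append(m["kwh"])
    return [
        {"device": d, "kind": k, "hour": h, "count": len(v),
         "mean_kwh": round(sum(v) / len(v), 3), "max_kwh": max(v)}
        for (d, k, h), v in sorted(buckets.items())
    ]


def edge_process(raw_records) -> list:
    """Full edge pipeline: raw readings in, PII-free summaries out."""
    return summarise(to_metadata(r) for r in raw_records)


def leaks_pii(summaries, raw_records) -> bool:
    """Release gate: refuse to send if any PII field or raw identifier value
    from the input appears anywhere in the outbound summaries."""
    raw_values = {str(r[f]) for r in raw_records for f in PII_FIELDS}
    for s in summaries:
        if any(f in s for f in PII_FIELDS):
            return True
        if any(str(v) in raw_values for v in s.values()):
            return True
    return False


if __name__ == "__main__":
    out = edge_process(RAW_READINGS)
    assert not leaks_pii(out, RAW_READINGS)
    for row in out:
        print(row)
```

The release gate is deliberately separate from the transformation: the check that nothing identifying is in the outbound batch is the control a security team can audit, regardless of how the processing logic evolves.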
All of this means that while the cloud remains connected, it will become more specialised and fragmented to cope with these requirements. Security experts have only just got used to shared responsibility models; now they are quickly having to figure out how to normalise their view across multiple clouds, and across the approaching multiple specialist clouds.
Cloud agility of on-demand compute will continue to provide complexity for security. Decisions will need to be made on what is taken as a service, what is done in-house, and most critically, how to do that consistently as cloud services become more specialised.
CSOs go back to school to learn the DevOps way
In the coming years, 5G will empower an IoT explosion of data, and businesses will look to take commercial advantage. Yet with all these challenges ahead requiring an agile approach, many CSOs struggle with how security works in a continuous integration and development pipeline, a language that for too many is still foreign.
Many CSOs grew up with scripts and GUI interfaces to drive cybersecurity. However, DevOps moves everything to code, breaking it down into the smallest reusable chunks, which then require multiple levels of orchestration to function in container and serverless environments. Some CSOs are busy trying to understand how to make security function as code and how it fits in this new digital world. Others will, in 2020 and beyond, have the challenge thrust upon them. The shift begins. Quite simply, old methods and tools don’t fit this space; CSOs are returning to education to learn the new languages, processes, and capabilities required to become part of the ecosystem.
Current 5G slowdown to lead to even bigger IoT wave
5G has already been rolled out in a few pilot cities across Europe. Yet at the same time, political news seems to be putting the brakes on the deployment of 5G, leading to potentially 12- to 24-month delays. However, this isn’t impacting the mass of IoT devices being developed to take advantage of existing 4G and the upcoming benefits of 5G. In reality, all it means is that whenever 5G is in full swing, there will be more internet-enabled 5G things ready to go.
For security leaders, what may have been a small wave will likely now be much bigger. Health devices, connected homes, autonomous vehicles, and financial trading are just a few examples of industries preparing to take advantage. When 5G does go live, the delays in rollout simply mean the CSO and security team will have more things to grapple with as the additional time means more solutions are ready for market, and many will be desperate to gain quick returns to get their own profitability plans back on track.
Businesses should not put off 5G/IoT planning but instead use the additional time now to better define how they will identify the things in the wave when it arrives, and what the right security processes and capabilities to include will be. If we think having a shared responsibility model between cloud and business is complex in 2019, we must realise 5G/IoT has the ability to create far more complex technology chains and associated responsibility models.
More boards asking different and smarter questions of their security teams
Historically, most businesses have wanted to understand their cyber risk and what impact it would have on them. The savvier the organisation, the more likely it is to discuss what the right level of cybersecurity investment is to balance against that risk. Typically, the CSO wants the platinum solution, as they want to reduce as much risk as possible; yet business leaders may often settle for less where they see the likelihood of business impact as low and a bronze or silver solution as good enough at a much lower cost.
None of this is going away, although savvy business leaders are increasingly asking the ‘what if’ question. If things do happen, what is the response strategy, how long will it take to get the business back to normal, what is the backup strategy, and are processes in place to keep the business moving? As more processes are digitised, they are accepting that, for any number of reasons, things will happen; and the measure of a good security practice, and of the CSO leading it, is not just the ability to identify and manage risks. Increasingly, it is the resilience strategy developed in conjunction with the business to minimise the commercial impact of an incident when it happens, especially in a 24/7, year-round, cloud-empowered world.
You could argue that changing regulations are driving this focus, which is true in part, but for most the tipping point is just how many critical business processes have digital dependence. CSOs always strive to be more board relevant; now they must be ready to answer increasingly tough questions.
Edge computing gathers pace
An emerging honeypot for cybercriminals? Not so long ago, we noticed an attack that hit a payment service provider, which, in my mind, is the sweet spot. There are millions of PoS devices, so for a criminal targeting them, you have to be in lots of places at once. Attack the bank, however, and you’re typically targeting the most secure spot, which means big risks and a lot of attention. So, a bit like the three bears’ porridge, the criminal looks for the perfect balance, which is the aggregator in the middle: in that instance, the payment service provider.
Today, we are seeing the growth of edge computing, the ability to do that first-level data processing and aggregation before sending to the cloud – the logic being to reduce the latency, lag, and costs of data processing. Edge computing is still relatively in its infancy; the most common examples most of us use are digital personal assistants, like Alexa or Cortana.
We have already seen examples of how these processes can be compromised in a number of ways; new capabilities generate new opportunities for compromise, and where the opportunity is worth it, criminals will focus. Edge computing is an aggregation point, which, like the porridge, is just the right temperature for the adversary. As such, expect to see examples of it being tested by the adversary and security strategies mature quickly around this space.
Incident response capabilities evolve, as more fail due to legacy SOC capabilities
In just about every business, the scope of digital processes has at least doubled or tripled. Cloud is a part of daily life, yet for many, the incident response process is still as it was three, four, or more years ago. You may think GDPR forced change in this space, but typically it only tested existing capabilities. With the volume of security events continuing to escalate, most simply don’t have the staff or skills to keep pace.
Many have already outsourced at least first-level triage for a number of years. Most are realising that their IR processes don’t work effectively during a cloud incident, which can be more complex, often requiring input from both the cloud service provider and the organisation. These are some of the factors driving security leaders to reassess what the SOC of the future looks like and how to scale it to match the relentless growth of alerts.
Today, at one end of the spectrum, we’ve seen cloud providers claiming 100% automation; at the other end, security leaders claim nothing is actioned without human validation first. With such a broad spectrum of capabilities and ever-increasing demands, we can only expect to see more failures that, in turn, necessitate rethinking how a SOC functions as well as where the skills and resources should sit to enable it.
The earth is round, yet networks remain too flat
With more supply chains and APIs connecting digital processes, with data and procedures continuing to move to the cloud, and of course with regulations not going away, businesses are taking a step back and redefining their network structures. Many talk about the concept of Zero Trust networking, yet many see the gap between where they are and the utopia of ZTN as too big, and so have postponed doing anything. In 2020, we will see more doing than delaying, with many starting either with new processes or with those that are most critical; the key point being that as we continue to digitise and connect processes, we must better limit the risk.
Greg Day is VP and CSO, EMEA at Palo Alto Networks.