Because of the devastating hike in high-profile security breaches, as well as executive boards' increased emphasis on damage to reputation, the main concerns in 2017 for IT security professionals will be anticipating the unknown and creating failsafe measures that out-maneuver cybercriminals. The increased sophistication and potential impact of breaches are certain to keep CIOs and other IT security professionals up at night, making it more critical for them to take a wide view of their entire network and a risk-based attitude to decision-making that balances usability, accessibility and security.
Traditional security methodologies no longer cut it, and need to be replaced by out-of-the-box and innovative solutions that can keep IT security professionals one step ahead of cybercriminals.
By far the biggest concern IT security professionals will face over the next year is ransomware. This is simply because of two reasons: 1) businesses are not protecting themselves from ransomware attacks, and 2) they continue to pay the big bucks after they've been hit with a ransomware attack.
The good news is that ransomware attacks are fairly easy to prevent. An organization that has multi-layered IT security solutions (such as anti-virus and Web protection solutions) and performs regular file backups will have little to worry about.
Enterprises will be hit with new targeted attacks and new evasion techniques on a daily basis (we already see weekly trends of new targeted attacks with new evasion techniques). They will increasingly include new evasion techniques to bypass AI/Machine learning-based products. Detection tools will shorten the time between infection and detection. However, malware and especially ransomware will continue to outpace these tools with more sophisticated and much faster infection.
Ransomware leads more to backup dollars than to security dollars. Ransomware attacks are always dramatic and can result in expensive losses for companies. The attacks, distinctly different from a data breach, can be remediated by restoring data backed up before the attack and tend to prey on companies with limited IT resources. Ransomware will still receive headlines in 2017, but enterprises will focus on the more holistic strategy of preventing data theft and malware targeting sensitive information and smaller companies will look to more effective on-prem and cloud backups to recover from ransomware attacks.
The IOT threat will force the U.S.'s hand to an international confrontation on hacking. After incidents affecting critical infrastructure in the Ukraine and New York state this year and the threat of voting machine hacks, the new US administration is on the spot to address cyber espionage. The US managed to reduce Chinese hacking of private sector companies through closed-door diplomacy, but the stakes are much higher with the threat of connected device hacks on the table. On the defensive side, the EU produced legislation requiring minimal cybersecurity capabilities for critical infrastructure, and the US may follow in 2017.
Regulations with teeth impact organizations' cybersecurity posture. Laws protecting consumer privacy should serve as deterrence of cybersecurity negligence leading to data breaches, but so far regulatory bodies have earned a reputation for doling out slaps on the wrist. Data protection authorities, spearheaded by the EU's new GDPR, are increasing their vigilance – along with the cost of fines. Major fines for HIPAA and EU privacy violations in late 2016 have set the tone for next year. Expect to see global companies scrambling to implement additional privacy controls to prepare for GDPR's enforcement in 2018.
A third-party cloud breach wakes companies up to the risk of the supply web. Cloud has transformed the supply chain into a supply web, as business partners now exchange data through digital bridges. The average company connects to 1,555 partners through cloud services, and 9.3 percent of all files in the cloud shared externally contain sensitive data. In the new cloud-powered economy, data touches more hands than ever. The next third-party partner breach may come from a company IT and procurement have never heard of.
The IT corner office sees a shakeup as CISOs become the new CIOs. With the move to digitization, information technology has become a strategic asset for businesses, leading CIOs to take COO and CEO positions. In 2017, security will come into its own as a critical business enabler – both for internal systems and products. Now that every company is a software company, they also need expertise in software security. 2017 will be the year security cements its role as a competitive differentiator, with CISOs delivering faster product time to market and employee and customer privacy.
Microsoft will narrow the gap with Amazon for a neck-and-neck race for IaaS dominance. AWS had the fastest break out of the gate in the IaaS market, but Azure is closing in. 35.8 percent of new cloud apps in Q4 were deployed in AWS followed by 29.5 percent in Azure. Niche providers have carved out 14 percent of the market independent of brand names like Google, Rackspace, and Softlayer.
Who guards the guards? An organization will suffer the first catastrophic cloud administrator incident. Late in the year, researchers discovered the first ever Office 365 global administrator passwords for sale on the Darkweb. Administrator accounts pose unique risk because they have heightened privileges for accessing, changing, and deleting data. Companies experience an average of 3.3 privileged user threats each month. Look out for an incident to grab headlines in 2017.
Cloud projects become the best way to jumpstart an IT security career. Investors report cloud security is taking over the cybersecurity industry. Early adopters of cloud security technology will see their career prospects skyrocket as they offer coveted experience leading global cloud security projects. The average company experiences over 2.7 billion cloud events per month – only 23.2 of which are actual threats. Companies moving to the cloud want IT security professionals who can weed through the noise of false alerts and apply security at scale.
Security turns inside out to watch for data leaving the cloud rather than keeping data out of the cloud. Even companies in regulated industries like health care upload terabytes of data every month to the cloud. Companies previously focused on keeping sensitive data out of the cloud are now turning a watchful eye to sensitive data leaving cloud apps. Success will hinge on the integration of cloud and on-premises security infrastructure, a requirement for ensuring compliance and governance apply consistently across all applications.
Companies turn to top tier cloud providers to even the playing field with nation-state attackers. The average organization does not have sufficient resources to defend against state-sponsored groups and their signature advanced persistent threats. Enterprise cloud providers employ some of the top talent around dedicated to the security of their platforms. Outsourcing infrastructure security to Amazon, Microsoft, and others can lend enterprises extra firepower in the “cyber arms struggle” to keep up with nation-state attackers. Cloud providers' rich APIs also enable defense-in-depth through capabilities like activity monitoring.
Info sec teams will give up on perimeter security, and instead adopt a data-centric approach. Data is flowing through and outside of organizations at an unprecedented speed, and it will only continue to accelerate in 2017, especially with the growing adoption of outsourcing, a global/mobile workforce, and the use of innovative (but perhaps non-IT sanctioned) technologies such as enterprise file synch and share (EFSS). These trends mean that the security of the infrastructure and the devices that are storing sensitive data become far less important, as information is likely present on multiple systems/devices and shared via numerous routes, many of which lead outside the traditional corporate perimeter.
The free flow of information will warrant a paradigm shift in the IT security community, who will be unable to assure the security of data as it moves across and outside of corporate boundaries. Instead, the IT security teams will shift their focus to securing the data itself, striving to achieve persistent security through solutions that control granular usage policies regardless of where the information resides.
More enterprises will realize that detection-based security solutions (e.g. firewalls, web gateways, file scanners and sandboxes) are ineffective in preventing advanced threats, as they are struggling to keep up with the rate of innovation by attackers and cannot differentiate between good and bad content. According to Gartner, we can expect a growth in adoption of more conservative approaches such as air-gap and isolation, which assume all content is malicious and prevent any active and malicious content from entering the corporate network.
In 2017, we can expect mobile attacks to move mainstream and be used for commercial gains. In 2016, we started to see some state-sponsored attacks leveraging mobile vulnerabilities such as the Trident incident which leveraged mobile browser vulnerabilities and the latest iOS JPEG zero-day.
The security industry is constantly changing and the only thing we can say with certainty about the future is that it is uncertain, as the saying goes. But a number of prominent trends stand out that will leave their mark on the industry in 2017. Monica Hallin, security expert and CEO of Vindico Group, takes a look into the crystal ball and lists the three strongest trends in security in 2017:
Societies' responsibilities for the safety and security of citizens continue to erode. We have in recent decades and years seen faster and stronger social changes globally – financially, culturally and in safety. Citizens feel that important social functions such as pensions, elderly care, health care, policing, etc., are being eroded and realize that they must take personal responsibility for their safety and security. Police are untrusted and inefficient in many countries. There is a general feeling that society does not do a good job of protecting its people from terrorism, vandalism, theft, violent and organized crime, etc., and private individuals and corporations start to take their own responsibility for security. This trend will continue, and will encourage the security industry to offer more security services to replace or supplement the security that society can no longer provide.
Services instead of products. The security industry will accelerate the development of service-based offerings, offering packaged services-products solutions and total solutions rather than simply selling hardware. Security companies will need to be flexible and agile in a time of great and rapid changes in the world and the industry. These changes increase the demand for new products and services. Security providers who lack the ability to rapidly change their business and offerings will face a difficult time. Even customers need to manage their risks and track their incidents more often, and be much quicker to revise and adapt to their needs.
Breakthrough for DNA protection. The next big thing in property and intruder protection is advanced forensic marking with DNA. The DNA can be applied as a gel or grease to property and goods for definite identification, or sprayed on robbers and burglars during attacks to securely identify them afterwards. This is a modern, inexpensive, easy and efficient security solution, very preventive – the bad guys do not like DNA. In the UK, often a leader in modern security solutions, DNA markers have been used extensively with very positive results – more than 80 percent reduction in crime, a study shows. I predict that shops, banks, warehouses, etc., but also individuals in many countries will embrace DNA in 2017. It will be a game changer much like CCTV has become.
The endpoint protection space has grown in the last year, and more people will continue to look to these solutions in 2017. While more attention has been given to endpoint security solutions to identify threats and attempted attacks, they can't catch everything. When users are the ones opening the flood gates to attackers by putting in their own credentials to a malicious or compromised set up, that's a behavior change issue that can only be addressed with ongoing investment in security training and education.
Generationally, we see a gap on the awareness side almost as much as on the talent or skills side. When the internet became prominently used in the 90s, security was not a top concern. So little was known about the threat landscape and its potential impact on you as an individual user that formalized attacks on organizations seemed so far away from a detrimental hit closer to home. Those early users are still in the workforce and operating online with devices every day, and the continued lack of awareness and understanding of security best practices is damaging to themselves, the companies they work for and their networks.
Secure Sockets Layer (SSL) abuse will lead to increased phishing sites using HTTPS. The rise in popularity of free SSL certificates paired with Google's recent initiative to label HTTP-only sites as unsafe will weaken security standards, driving potential spear-phishing or malware programs due to malicious search engine optimization practices.
Connected cars will be taken for ransom. As cars start to have connected capabilities, it is only a matter of time until we see an automobile hack on a large scale. This could include cars being held for ransom, self-driving cars being hacked to obtain their location for hijacking, unauthorized surveillance and intelligence gathering, or other automobile-focused threats.
Rogue nation states will finance themselves by stealing money. There is a dangerous possibility that rogue nation states could align with organized crime for their personal gain, such as what we saw in the SWIFT attacks. This could result in down time for countries' political, military or financial systems.
CISOs will shift more investment toward granularly identifying information vs. perimeter measures. Depending on your business, digital information on average is doubling every three to nine months. The knee-jerk reaction is to protect all that ‘stuff’: contain it behind hyper secure firewalls, deploy DLP (data loss prevention/protection) technologies at the perimeter and key core switches, leverage active packet inspection technologies at the perimeter, lock down USB ports – all good countermeasures that help partially solve for, but don't prevent the issue. In 2017 and beyond, you will see a more deliberate movement by CISOs toward first identifying what exactly it is they are securing, and assigning security levels to that content. This isn't about locking down more data to make it unusable – rather, it's about making the data usable with pervasive, invisible governance around it.
Acceleration of ‘ditch digging’ R.O.T. = redundant, obsolete and trivial content. Studies have shown that up to 70 percent of data in an enterprise is “R.O.T.” – redundant, obsolete and trivial. As enterprise content ages, its value to the business declines, and the risk that content poses to the organization goes up. For example, in Edward Snowden's case, the documentation he uncovered at work wasn't particularly relevant to Booz Allen, but it was extremely relevant and damaging to the US Government. Booz Allen clearly didn't have the proper internal content controls, policies and procedures in place; that has been a loud and clear lesson for CISOs that previously didn't invest significantly in content lifecycle management. All of the information being created can't just linger indefinitely without posing future risks. You have to ultimately delete some of it. In the information management discipline, it is a well-known fact that as content ages, its value to the corporation decreases and the risk increases by an exponential factor.
The rise of “applied governance” to unstructured data. Earlier this year, more than 20,000 pages of top-secret Indian Navy data, including schematics on their Scorpène-class submarines, were leaked. It's been a huge setback for the Indian government. It's also an unfortunate case study for what happens when you lack controls over unstructured information, such as blueprints that might be sitting in some legacy engineering software system. Now, replace the Indian Navy scenario with a situation involving the schematics for a nuclear power plant or consumer IoT device, and the value of secure content curation becomes even more immeasurable. If unstructured blueprints and files are being physically printed or copied, or digitally transferred, how will you even know that content now exists? Tracking this ‘dark data’ – particularly in industrial environments – will be a top security priority in 2017.
Rise of the IoT DDoS attacks. First, we will continue to see a proliferation of endpoints of all different types connected to home and business networks. These include IoT/IoE devices, where all too often security is compromised in efforts to make these devices quick to market and easy to deploy. Witness the recent DDoS attacks on DNS infrastructure from such devices for an example. Many times, users do not understand that default user names and passwords must be updated for these devices to have even rudimentary defense against the onslaught of compromises trying to breach them.
Ransomware creativity spikes. We will probably also see more creative uses of ransomware beyond encrypting our high value data. These might include holding cars for ransom by disabling them, and frightening us into paying for relief from peeping toms who can control our security cameras and access private data in poorly defended cloud-based social applications.
Nation-state cyber warfare. The bad guys are not taking a break. We will see more participants as nation states experiment with cyber warfare in economic and political targets. While few of us may be victimized directly by such attacks, we all suffer from the trickle-down effects of exploit technology being more available to common criminals who are in the game for a quick profit. This technology is easily available today in the form of software development kits (SDKs), which allow almost anyone to launch phishing and ransomware attacks.