We revisit our predictions from SecTor 2014 to find out how they are unfolding.
It has been over six months since the last SecTor security conference. At that event, there was a Predictions panel, in which five cybersecurity luminaries talked about key trends in the coming year. Half a year on, how are those predictions panning out?
One of the key discussions on the panel was the increased focus among companies on adopting new technologies, and how this might lead to security issues. Any time an organization adopts a technology to enhance functionality, whether it’s a new category of mobile device, a smart sensor system, or a groundbreaking software innovation to make life easier for customers, it can stretch the attack surface. More code and more touchpoints means more risk.
Stretching the attack surface
Nowhere is this more prevalent than with the Internet of Things (IoT). Since the panel last October, the IoT has become an even more pressing security issue for many experts, warned panel moderator Bruce Cowper.
“The number of available devices and services is increasing rapidly, with consumer technology heading to the workplace. While some vendors are paying attention to security, there are still many that are not,” he warned.
Home automation vendors are a good example. He warned of a growing trend to adapt and target these devices towards businesses.
“These devices are typically not designed for enterprise management and are often left unmanaged outside of the purview of IT departments,” he warned. “Control of these devices and the data they produce is frequently not included in the business risk assessment.”
Technology market research and consulting firm Beecham Research recently said that the only reason the IoT hadn’t seen a serious attack is because it hasn’t yet been deployed in large-scale consumer or enterprise applications. But there’s another risk that has already been here for years: the digital supply chain.
Prediction panelist Dave Lewis warned last October that digital supply chain insecurity was one of the biggest problems facing businesses. Companies outsourcing functions to others, such as helpdesks, or the coding of new applications, risk losing control of the security around them, he warned.
“The digital supply chain will continue to expand as companies attempt to integrate offerings from other companies as opposed to trying to build in-house solutions,” he said. “The effort is around reducing costs, but it can potentially have the inverse effect in relation to risk.”
His prediction was that businesses would begin to pick up on this, and do something about it. Six months on, he has seen no movement.
“I fear that business, in Canada and elsewhere, will not take the necessary steps to secure their extended attack surface until there is a defining event like a major data breach that can be directly attributed to the supply chain,” he said.
Both the IoT and the digital supply chain have something in common: they increase the IT infrastructure’s complexity by an order of magnitude, creating a vast array of new attack vectors, and extending those attack points beyond the conventional firewall. The old castle-and-moat approach to computing, in which all resources were ringfenced by an impermeable perimeter, is long gone.
Security through a new lens
So, how must companies adapt to cope with these new challenges? Another panelist at SecTor’s October 2014 prediction panel, Brian O’Higgins, is bullish about the marriage of cyber security and another rapidly-evolving technology: analytics.
One of the big problems with logging IT information is that there’s such a lot of it. It creates a vast sea of data, that can be difficult to deduce anything useful from, even after a compromise, let alone beforehand.
Security analytics uses big data-style techniques to spot correlations in data and pull out actionable intelligence for cybersecurity pros, just as it does in other realms such as marketing, for example.
O’Higgins predicted that security analytics was going to be big in 2015, and he is encouraged so far.
“I have seen some missionary deployments in the enterprise now, and the results have been truly amazing in the ability to catch bad guys, so I’m going with ‘better than expected’,” he said.
The market is booming. There is a risk that everyone is talking up big data without really understanding it, warns O’Higgins, adding that it “means more than just cruising through log reports”.
Separating fact from hype will be a big challenge for security professionals interested in this product category. “However, truly using math to your benefit can bring out all kinds of anomalous behavior in your network and enterprise,” he said.
While security practitioners grapple with these new technologies, though, they will still have to devote resources to managing their old infrastructure. And they’ll be doing it with the normal budgetary constraints, because CEOs don’t always like to invest in services that don’t generate revenue. What techniques can they use to make things better?
One thing we know is that competent people lie at the heart of any good cybersecurity practice. A key prediction from the predictions panel last year was that as new technologies test corporate cybersecurity, technical skills will become an increasingly valuable resource, and companies may find themselves struggling to keep the necessary talent.
Large technology companies are at the front line in this cybersecurity struggle. They tend to adopt new digital technologies ahead of the curve, meaning that they see the challenges early, and are forced to prepare for them.
We have fewer than six months until the next SecTor cybersecurity conference in Toronto, where Kris Lovejoy, general manager for IBM security services, will be presenting. IBM is the poster child for companies that extend their digital presence across different geographical, technological and business boundaries – and attendees will hear how the company makes security work in that kind of environment.
Until then, the prediction for businesses is simple: more complexity, more challenges, and an increasing focus on acquiring and keeping cybersecurity skills to help them along their way.
Picture via Valerie Everett