Greg Day: Cyberattacks’ impact will change
Horizon scanning in EMEA for 2018 and beyond
DUBAI, December 6, 2017
By Greg Day
This time of the year is always a chance for a little reflection on the past twelve months, and– perhaps more importantly –what is likely to happen next. I remember, not so many years ago, being involved in a number of horizon-scanning initiatives that would look five or 10 years out, but the pace of change in technology means that most would now consider this too far ahead. Likewise, a year seems like a blink of an eye. Here are some of my thoughts on what I think we’ll see kicking off in the coming year, along with suggestions for how to manage these risks. In all likelihood, the impact of these will be felt for a few years to come.
Cyberattacks’ impact will change. With some of the ransomware attacks in 2017, in which medical facilities were impacted, it is clear that cyber incidents are now having real-world, physical impact on people. With the growth of digital twinning (creating a digital counterpart to an existing process or system), we can only expect more of the same affecting many more facets of everyday life. So how does that change cybersecurity?
It’s very probable that we will continue to see even more regulation step in to continue to drive baseline security higher and ensure confidence in cyber systems that impact society. The Network Information Security (NIS) Directive, which goes live in 2018, includes a new “digital service providers” category. As cyber has greater physical impact on society, we must expect to see more categories along these lines being developed, beyond the traditionally defined, critical national infrastructure, or operators of essential services.
In this context, the role of security leaders, such as the CSO, must evolve. If there is harm to citizens due to technology failure, there will likely be public requests to understand if and why there was neglect, who bears responsibility, and what relevant actions must be taken. Consequently, while just a short time ago CSOs were often worried about being fired in light of an incident, liability may become more of a concern in the future. Could this lead to CSOs requiring professional insurance in the same way as many medical practitioners do today? Might we see a longer-term requirement for formal qualification and registration to be a practicing CSO, much as others who protect human lives – such as doctors – have today?
Twenty-year old first principles are finally reset. Many of the guiding principles in cybersecurity haven’t changed much in 20 years. Typically, practitioners have strived to solve every problem to the best of their abilities, using the best solutions available at the time.
However, significant changes in IT consumption models – dynamic, agile systems that are increasingly disposable in nature and based around subscription billing – mean that businesses will no longer continue to buy and build separate siloed cybersecurity solutions that require significant capital expense and people skills, and are based on multi-year cycles. As such, the fundamentals of cybersecurity consumption will change.
Functioning in such dynamic environments requires cybersecurity to be native and automated, to work and adapt at the same pace. This doesn’t mean we won’t still have choices of technology capabilities and vendors – you only have to look at the AWS marketplace to see how this is the case. But this does mean that native security will require dynamic enablement, configuration and transposition. In the past, security often failed as businesses struggled to connect their own insights; in an agile IT world, the importance of having a consistent and integrated point of visibility, combined with automated control, will become critical.
The transient nature of increasingly consumable IT creates a further hurdle, which is that, by the time an incident is discovered, the environment in which it was instigated may no longer exist. As such, you need to be able to understand how and why the incident occurred and what was achieved, when operating in an increasingly regulated world. This will lead to greater demand to maintain historical logging data and for the correlation required to leverage it.
Cyber adversaries will extend further into ransomware, OT systems and cryptocurrencies. In recent years we have seen ransomware used for profit. However, RanRan is an example that used concepts of ransomware, not just for profit, but also to identify information that could be used to blackmail victims. While continuing to be financially focused, I believe ransomware will also start to do more data analysis, which means we could see ransoms based on data value, rather than being generic, plus more of both targeted ransomware attacks and those being used for other motives, such as blackmail.
The Dyn DDoS attack leveraged IoT devices to attack traditional computer systems. The volume of OT (operational technology) is growing at pace, whether that is factory systems or automated drones delivering medical supplies in countries like Africa, and we have yet to see the impact of such systems coming under direct attack.
However, the value to criminals of stealing medical goods will surely mean that they look to break into the IoT or OT system to redirect the goods, and this highlights the challenge we are likely to face. The growing commercial utilization of IoT and OT systems means that, for the adversary, the value of breaching and controlling these types of systems is increasing.
Finally, with the growing popularity of digital currencies, more commonly known as cryptocurrencies, we can expect to see more malware focused on stealing account information to empty these next-generation accounts. The second payment services directive(PSD2) requires payment processors to open up access to third parties, and as discussions continue around blockchain digital ledgers, it feels as if the financial industry is moving further towards the digital money space. The question is whether adversaries are prepared for this transition – evidence would suggest they are already looking at it.
Credential theft will target weak collaborative cloud points in the supply chains of all kinds of businesses. Whether it’s because of the cloud or just the dynamic nature of business, it seems we are only increasing the interconnectivity with our partners, supply chains and customers. The challenge here is working to maintain your own cybersecurity capabilities, while also looking at how to manage the risks that stem from the unknown others (partners, supply chain, etc.).
An IDC session I attended early in 2017highlighted that the number of information-based industry-collaborative clouds will increase fivefold between 2016 and 2018. As such, while adversaries continue to look for an entry point into the business, it seems likely and logical that collaborative cloud spaces may be their next doorway in. As such, businesses must start to consider what information they include in these spaces, how they validate the use of connected third parties so they can spot anomalous behaviour, and – most importantly – look at how they segregate such connection points from more critical, internal business systems, using methodologies such as the Zero Trust model.
Focus on responsibilities and accountability. From the shared model of cloud security (where the provider secures the cloud and you secure what you put in it)to shared cloud collaborations, and the push for more open commercial models such as PSD2 that aims to enable new fintech offerings to better compete in the payment services industry, the common denominator is complexity. The number of organizations and processes is increasing, which widens the scope for error, and therefore requires increased understanding and visibility of where responsibilities and accountabilities reside. The likely outcome is that every business will be looking at contract details and regulatory requirements, to be clear where these lie. By the same token, they will also be looking to keep richer audit trails and logs, detailing each transaction to be able to validate when, where and why incidents happen.
Significant new EU regulation will hit the streets. Already mentioned as part of some of the other predictions is a number of new regulations, all coming into effect in 2018. In fact, between January and May, we have GDPR, the NIS Directive and PSD2. Like any new legislation, it will take time for businesses to understand the impact these regulations will have on their business. All carry potentially significant penalties for infringement, so 2018 will be a big year for businesses in coming to grips with what each of these mean when it comes to applying cybersecurity and managing ongoing requirements. For all of these, I can only encourage you to quickly get to grips with the legal details of what these will mean to your business, both legally and practically. Ensure you have the right level of executive support and start, or continue, the work to achieve and maintain compliance.
Takeaway – your 2018 resolution: cybersecurity must be more agile. In an increasingly digital world, the pace of change is certainly not linear – it’s exponential. Here I can recommend a good Christmas read for you – Exponential Organisations by Salim Ismail. Most security professionals no longer do horizon scanning, as the pace of change makes it hard to see more than a few years out – just as mobile phone IT lifecycles are shortening from years to months. At the same time, interconnectivity and, by association, dependencies are increasing, bringing increasing regulatory pressures. All this means that cybersecurity must become more agile to keep pace. Much like DevOps capabilities, we must be ready to evolve incrementally on a daily or weekly basis. So how can we achieve this?
Not so many years ago, I surveyed some peers, and it dawned on me that the majority of their time and resources were spent on sustaining the cybersecurity legacy they had built, with little time or resources to evolve. If we are to scale for the future, we need to refocus our time and resource usage, so only the minority is spent on sustaining legacy, and the majority is supporting the exponential agility our businesses are embracing. As such, consider a New Year’s resolution to detox your legacy to ensure you can embrace your future.
About the author
Greg Day is vice president and chief security officer for EMEA, Palo Alto Networks, a US-based a network and enterprise security company.