Information security has become a source of fear and uncertainty for many organizations, so this year’s scary security predictions are backed up by recommended New Year’s resolutions. If you’re unsure of how to action this advice, just talk to us.
- Artificial intelligence (AI) is dead, long live artificial intelligence – AI is an overused term and hard to achieve; the early stages of AI are mostly machine learning and a long way from nirvana. Information security leverages machine learning to detect and understand complex patterns of machine-2-machine (m2m) and machine-2-human (m2h) interaction. Machine learning outputs will be fed to decision support solutions, driving automated outcomes via complex workflow engines. Before this vision can be realized, full integration of security operations automation is needed. Right now the market remains fragmented and solves for specific problems; the vision is to create solutions that address security’s complexity while integrated with the many facets of business operations. Before making the move to “AI”, it’s important to get your own house in order:
- Clean your data – garbage in, garbage out; confirm whether your environment is architected to deliver and consume what the solution needs
- Relevant metrics – intelligently derived insight is great, but only as good as your ability to execute against it; is your fresh insight going to get drowned out in a sea of technical metrics, or is it clear how it informs business decisions?
- Fit for purpose – does the solution align with your company’s actual problem? Do you know the root cause of the problems that are preventing strategic goal achievement?
- Automation becomes a critical survival skill – finding information security talent isn’t getting easier; the projected talent gap by 2022 has grown from 1.2M to 1.8M professionals. Yet as any professional knows, information security involves many repetitive tasks. Business and technology process automation can alleviate this burden, assuming you know your process, and free up resources for higher-level tasks. Combine this with implementation of AI solutions, and workflow automation becomes critical for execution. Think also about whether you will trust your AI solution to execute workflow on your behalf, or whether you would prefer to have decisions fed to humans handling IT service management. Before implementing automation solutions, understand what you’re automating and why, which means:
- Know your process – understanding the process that supports your business model can feel like trying to eat an elephant; gain insight into your baseline model by talking to process owners and documenting a high level flow
- Get started – many organizations suffer analysis paralysis when they look at their operational scope; start small; pick an interest, get people in a room, hash it out; repeat
- DevOps-ify security – this is the first step to information security automation; review what your DevOps team is doing through a security lens and invest in orchestration tools to strengthen your automation foundation.
- Ransomware is just getting warmed up – according to Cisco, ransomware is up 350% in 2017; MarketWatch clocks it at an eye-popping 2500%. What’s scary is that ransomware is incredibly easy and cheap to execute; the end result being that a crippling attack like WannaCry gained the perpetrators a mere $150,000, whereas it cost the global economy around $8 billion. The scary part is that execution of WannaCry depended on human factors – people who fell for phishing attempts, or who had compromised or weak passwords. And according to the Verizon DBIR report, over 80% of attacks occur this way. Since people will continue to be the weak link, take time to shore up your defenses, which means:
- Awareness, awareness, awareness – 14% of the people who fall for phishing once will fall for it twice; users need to understand the consequences of their actions, and engaging them with short, use-case-based exercises will stick better than punitive measures
- Segment your network – understand where your most critical assets reside; leverage VLANs with ACLs, otherwise your network is as good as flat and the door is open for lateral movement and more infected machines.
- Back-up, back-up, back-up – once you’ve identified and risk rated your critical assets, and the rate at which they change, align this with a back-up strategy that ensures that even if your environment gets bricked, you can return rapidly to business as usual
- Expect a surge in malicious cloud tenants – various modern processors have critical vulnerabilities (Meltdown and Spectre, unless you’re doing IT in a cave) that allow programs to steal data being processed on the same computer; while this has other far-reaching effects, in terms of performance degradation (5-30%) and massive patching requirements or even hardware replacement, it also means the multi-tenant cloud has become less secure; we’ve been preaching the perils of multi-tenancy, and Meltdown and Spectre mean that your security is only as good as your neighbor’s. Now might be a good time to re-visit a few best practices around cloud security:
- Know your cloud risk – review how much of your attack surface is cloud-based; what intellectual property, sensitive or regulated data resides there; verify that your provider has proper data protection in place; review the cloud services your employees are using
- Know the limits of multi-tenancy – multi-tenancy means not only shared resources, but also limited log access, because those logs could compromise the privacy of other tenants; if you get hacked, your ability to get information, establish your case, and defend yourself is limited. Have your own logging facilities implemented in line with your business needs.
- Know that escaping the VM is hard, but possible – meaning even if you have the world’s most hardened VM, in a multi-tenant environment you can be vulnerable via shared resources (e.g. RAM) on the host, because data in memory is in most cases in clear text
- Remember patching takes time – cloud providers will undertake massive patching operations to resolve these vulnerabilities; protect yourself; this is like a race condition in multi-threaded programming; unpatched hosts make tempting targets for malicious tenants
- Business and IT alignment will remain a work in progress – according to Deloitte’s Tech Trends 2017, 78% of surveyed IT executives see strategic alignment as most critical to IT’s success, and 61% say that providing information security is one of the business’ core expectations of IT. This can set the stage for conflict when business requirements clash with security mandates. Balance is required, and risk elimination isn’t a practical option. The root cause is often a lack of understanding along the stakeholder chain, from CEO down to security analyst. To close this fundamental communication gap:
- Establish a common language – demonstrate that the information security team understands the pain points of the business by connecting, correlating and communicating information security activities according to their business impact
- Leverage the language of money – partner with the business by showing the value created by information security investment in terms of mitigated business impact
- Focus on mutual priorities – leverage business impact and return on investment to agree on the most urgent activities for the information security team; this will allow the team to focus their scarce resources on value-add activities
- Cybercrime will continue to spiral out of control – cybercrime is hard to keep up with; there were 1.9 billion records compromised, lost or stolen in 2017, up 164% from 2H 2016; this crime wave is especially painful for small to mid-size companies, with 55% of SMBs experiencing a cyber attack in the last 6 months and 50% experiencing a data breach. With the exponential growth in the Internet of Things (IoT) – and our increasing willingness to bring IoT into our homes and offices – coupled with sloppy data privacy by consumers, companies and service providers, expect the cybercrime spree to continue. While we’d all like a shiny object or magic bullet to stop the crime, the truth is that getting back to the basics is your best protection, meaning:
- Target business-aligned governance – don’t try to boil the ocean; attack basic security hygiene issues first to get the greatest benefit; even if you don’t do everything perfectly, stepping through the logic will yield great insight in itself
- Know your environment & business requirements – this baseline will allow you to understand your risk, which controls make sense, and how to align this with what the business needs; expect fire drills, but avoid knee jerk reactions
- Avoid shiny objects with superfluous tag lines – there is no magic bullet. Even the most glorious enterprise solution isn’t a substitute (yet) for good people and process combined with the technology. Examine technology vendors carefully, and avoid those that don’t meet your business criteria.
- IoT attack surface growth continues unabated – companies are allowing a variety of connected devices, for a variety of reasons. These devices talk over a range of protocols in the wired and wireless realms and usually aren’t created with security in mind. 2017 brought the first massive IoT botnet, Mirai, which used millions of vulnerable cameras to take down a significant part of the internet. IoT will continue proliferating; Gartner estimates there will be over 20 billion connected things by 2020. Expect more wired and/or wireless attacks on IoT, either to amplify attacks on other entities or for direct attacks on your organization. Start by paying attention to your network:
- Segment your network – leverage VLANs and ACLs; do not let IoT devices reside on the same networks as your sensitive critical infrastructure.
- Improve your wireless awareness – remember there are wireless protocols outside of 802.11; WiMAX, XBee and similar bands also bear monitoring; put SDR-based solutions in place to improve your awareness.
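One way to check that the segmentation advice above (and in the ransomware section) actually holds: read flow records from the network and flag any traffic crossing a segment boundary that the VLAN ACL should have blocked. This is an added example, not code from the original post; the addressing plan, the allow-list and the flow-log format are constructed assumptions for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed segments (hypothetical addressing): one VLAN per zone.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/24"),
    "critical": ipaddress.ip_network("10.30.0.0/24"),
}

# Allowed cross-segment flows: (src_segment, dst_segment, proto, dport).
# Anything else crossing a boundary is a gap in the ACL (or a flat network).
ALLOW = {
    ("iot", "corp", "udp", 123),   # devices syncing time with the corp NTP server
    ("corp", "iot", "tcp", 443),   # admins reaching device web UIs
}

Flow = namedtuple("Flow", "src dst proto dport")


def segment_of(addr):
    """Map an IP address to its segment name, or 'other' if outside the plan."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "other"


def parse_flow(line):
    """Parse one constructed flow record: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def violations(lines):
    """Return (flow, src_segment, dst_segment) for flows that cross a segment
    boundary without a matching ALLOW entry; same-segment traffic is skipped."""
    bad = []
    for line in lines:
        f = parse_flow(line)
        s, d = segment_of(f.src), segment_of(f.dst)
        if s != d and (s, d, f.proto, f.dport) not in ALLOW:
            bad.append((f, s, d))
    return bad


SAMPLE_FLOWS = [  # constructed sample records
    "10.20.0.15 10.10.0.5 udp 123",   # camera -> corp NTP: allowed
    "10.20.0.15 10.30.0.9 tcp 445",   # camera -> critical SMB: violation
    "10.10.0.7 10.20.0.15 tcp 443",   # admin -> camera UI: allowed
    "10.20.0.15 10.20.0.16 tcp 80",   # camera -> camera: same segment, ignored
    "10.20.0.22 10.10.0.5 tcp 22",    # device -> corp SSH: violation
]

if __name__ == "__main__":
    for f, s, d in violations(SAMPLE_FLOWS):
        print(f"ACL gap {s}->{d}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Feed it your real flow or firewall logs (after adapting `parse_flow`) and an empty result is the evidence that the IoT VLAN really is fenced off from critical systems.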
Tackling information security can seem like an unwinnable battle; take it step by step and keep the business in perspective – always ask yourself the following:
- What are we trying to protect?
- For how long?
- How much are we willing to spend?
Same rules apply for choosing a strong crypto solution 😉
For more information on what we do, or to talk to us, please get in touch.