2014 was heralded as the ‘year of the data breach’ – but we’d seen nothing yet. From unprecedented data theft to crippling hacktivism attacks and highly targeted state-sponsored hacks, 2015 has been the bleakest year yet for the cyber security of businesses and organisations.
High-profile breaches at Ashley Madison, TalkTalk and JD Wetherspoon have brought the protection of personal and enterprise data into the public consciousness.
In the war against cybercrime, companies are facing off against ever more sophisticated and crafty approaches, while the customer data they hold grows in value, and those that fail to protect it find themselves increasingly in the media and legislative spotlight with nowhere to hide.
We asked a panel of leading industry experts to highlight the major themes for enterprise cyber security in 2016 and beyond.
The increasing sophistication of DDoS attacks
There were many cyber security stories this year that raised eyebrows, but the one that stands out for many reasons is the DDoS attack and subsequent data breach of 157,000 customer records from UK telecoms provider TalkTalk.
When TalkTalk became the victim of its third cyber attack in the space of a year, it turned out to be the biggest British cyber attack on record, costing the firm an estimated £35 million.
Dave Larson, COO of Corero Network Security, believes that DDoS being utilised as a smokescreen for more nefarious data exfiltration is emerging as a more common component of reported breach activity.
TalkTalk’s apparent lack of DDoS protection in an Internet Service Provider environment hasn’t gone unnoticed, and has raised red flags across the security community.
‘The ever-growing number of tools for automating DDoS attacks means that companies will have the threat of several different attacks happening at once, or in rapid succession,’ explains Larson. ‘If the hackers are able to automate some of their attack activities that were more labour-intensive, then companies will begin to be overwhelmed by both the speed and frequency of new attacks – unless they have the appropriate mitigation solutions in place.’
‘DDoS has evolved from your typical volumetric scale attack to smaller, short duration surgical strike attacks causing security vulnerabilities as well as availability concerns for organisations.’
Internet Service Providers (ISPs) must reconsider the legacy approach to DDoS mitigation and implement more sophisticated and granular protection at the Internet edge, says Larson.
‘Legacy scrubbing centre operations, or black holing victim IPs as a response to DDoS attacks, will become techniques of the past for dealing with this challenging cybersecurity issue.’
Social malware as the new wild west
Phishing isn’t going anywhere, but we can expect an increase in sophistication: fraudulent sites offering faux-customer support resulting in a remote connection compromising users’ systems – or attackers even venturing to social media outlets like SnapChat and Instagram to broaden their reach.
‘Over the last 15 years we've seen web attacks evolve to a highly sophisticated state; mobile applications are five years into this same cycle,’ says Ben Harknett, VP EMEA at RiskIQ. ‘But it doesn’t stop there; next to join the cyber-attack evolutionary path is social media attacks. Whilst still in the early stages, attacks like this have huge potential in online fraud, as demonstrated by the Metro Bank Twitter incident earlier this year.’
‘With a predictable pattern for how attacks evolve, we fully expect 2016 will see rapidly increasing maturity in attack vectors involving social media. Brace yourselves, the impact of viral, social media delivered, malware will be huge.’
The threat still lurking within organisations’ walls
Many businesses are getting serious about cyber security and adopting fundamentally new approaches to deal with today’s complex threat landscape. As Dave Palmer, director of technology at Darktrace explains, at the core of this shift is an acknowledgement that threat is, by default, inside our organisations, and must be kept in check by continual monitoring and advanced detection.
‘Companies need to accept that new reality and surmount the old idea that all threats can be blocked at the perimeter,’ says Palmer. ‘Insider threat will loom large over organisations in 2016.
However strong your perimeter is, or how well your staff are trained, insiders will always pose a significant risk. They are potentially the most damaging types of threats, as they use legitimate credentials and exploit their access in ways that are difficult to predict.’
And as networks grow and more devices become interconnected, the pool of potential insiders is getting larger too, spanning from your own employees, through to customers, suppliers or contractors who have access to parts of the corporate network.
Social engineering is one of the main mechanisms used to gain unauthorised access to systems. As Brian Chappell, director of technical services EMEAI and APAC at identity management firm BeyondTrust, explains, people remain a weak link, but they could also be your strongest resource.
‘Most organisations rely wholly on technological solutions to secure their networks giving their employees cursory consideration with occasional communication around the risks that their actions have,’ says Chappell. ‘We don't need to scare our staff but rather look to educate, frequently, what they can do to help mitigate those risks. Your employees could be the biggest resource you have to protect your systems.’
Behavioural analytics and machine learning coming to the fore
Darktrace’s Palmer argues that the single most important innovation in the cyber defence sector has been the new capability of machines to automatically learn what is normal and abnormal within a network, and to identify in-progress cyber-attacks without having seen them before.
‘The most successful companies in proactive security have embraced this model of “immune system” technology that continually looks out for abnormalities, and alerts the security team in real time, before the damage has been done,’ he says.
‘Cyber security will move further towards the boardroom as a corporate issue, rather than a problem for the IT department, and become a continual process of risk mitigation.’
Automation will be critical to this process, and machine learning will become a de facto technological approach to draw insights from large sets of noisy data, quickly, predicts Palmer.
Jonathan Sander, VP product strategy at Lieberman Software, thinks this year we will see a major revolution in how firewalls are installed, configured and run, one that delivers more value with less human tuning.
‘Part of what takes humans out of the firewall tuning business will be collective experience being put in the box,’ says Sander. ‘Some of it will be the application of machine learning technologies and other nascent AI peeking out of the lab and impacting security operations. We know that the bad guys are using automated techniques to attack, and it’s only by putting our machines to fight theirs on the front line that we can hope to keep up.’
The CSO role getting a rethink
We’re seeing a growing number of CSO (Chief Security Officer) and CISO (Chief Information Security Officer) roles as a reaction to the current cyber security environment.
‘Every large company thinks they need to hire one, but often neither the business nor the CSO understand what their role should be, to whom they should report, or even what their performance or success should look like,’ says one CSO, Dave Baker from identity and device management firm Okta. ‘I have seen many cases where the CSO was recruited from the compliance world with little understanding of actual attack security. This seriously diminishes their effectiveness.’
As the white hat hacker community grows and enters the enterprise, Baker predicts the CSO role will see a much-needed evolution.
‘Hackers who understand technical details of attack security, but also have the business acumen to communicate with CEOs and convince CIOs of their importance will make a significant impact on the role of security professionals,’ says Baker.
‘Chris Wysopal, CTO of Veracode, as well as Alex Stamos, CSO of Facebook, are popular examples of a hacker-turned-executive – we’ll see more like them in coming years.’
Ransomware turns on the enterprise
As Michael Sutton, CISO at security-as-a-service platform Zscaler, explains, ransomware has hit a sweet spot.
‘Users are all too willing to begrudgingly pay an expensive but not excessive ransom in exchange for the return of their precious data,’ Sutton says. ‘Even the FBI are recommending that it’s easier to pay than fight. The wildly profitable CryptoLocker has attracted many clones since it was largely knocked offline following Operation Tovar.’
Many of these clones, including more popular variants such as CryptoWall and TorrentLocker, largely followed the proven formula, but we’re starting to see variations such as mobile- and Linux-focused ransomware.
‘The latter is especially important as it’s more likely to impact the websites and code repositories of enterprises, who in our experience are also very willing to pay up rather than risk losing critical intellectual property,’ says Sutton.
‘Expect ransomware to become increasingly corporate focused in 2016 and as it does, enterprises won’t get away with paying consumer rates. The criminals behind the ransomware campaigns are savvy and once they realise that they’ve locked up source code and financial documents that haven’t been properly backed up, you can expect prices to skyrocket … and be paid.’