As part of our look ahead at 2015, we asked industry experts what the major themes will be for cyber security. Though threats are likely to continue to evolve in sophistication, so will enterprise security strategy, as the technologies available to us mature.
The broadening attack surface
Many experts think that the attack vectors available to hackers will continue to grow this year as the Internet of Things takes root and technologies like contactless payments and mobile payment become more commonplace. Though the Internet of Things (IoT) is unlikely to see a rapid explosion in 2015, valuable data will gradually but surely become accessible through an ever-widening selection of entry points, warns Paul Nguyen, president of network security automation firm CSG Invotas.
‘We’re already seeing an increase in major attacks associated with the IoT,’ says Nguyen. ‘Botnets created on connected devices (even appliances like refrigerators) can, for example, start a spam e-mail attack. TVs with built-in cameras and microphones pose another attractive target, as do other previously innocuous household devices. The possibilities for IoT attacks are truly endless, but ultimately such attacks are likely to be about money/profit.’
Organisations will have to improve their ability to detect and correlate attack activity to respond to the increasingly sophisticated threats that accompany these high- growth technologies. But as Nguyen advises, no single product or vendor can cover every possible threat angle.
‘Organisations will need to find ways to feed all relevant data into a single big-data repository to accurately mine and filter the attack information.’
The traditional approach of securing the perimeter will no longer be enough, thinks Cisco’s UK director of cyber security Terry Greer-King, when the perimeter is with thousands of sensors deployed remotely.
‘What is required is a stringent, structured process and methodology to secure IoT, support analytics and enable the detection of anomalous behaviour,’ he says. ‘But at the core of the current problem is the proliferation of cloud, especially given the ease at which mobile devices in the workplace can connect with third-party cloud services.’
With Cisco predicting that cloud network traffic will grow more than threefold by 2017, organisations must be able to trust the information they consume as well as the systems delivering it – only then will IoT truly thrive and business adoptions of services soar.
However, in many ways traditional cybersecurity will become more of a secure utility as cloud and virtualisation adoption increases.
Such trends will have a certain amount of security built-in by leveraging cloud or virtualisation technology, although he amount and type of security that will be included will be minimal and likely to operate in the background.
‘But the most interesting opportunity that cloud presents for security is sharing threat data,’ says Nguyen. ‘Threat awareness and detection is improved with the more data organisations have access to. The cloud is the perfect place to share the massive collaboration of security Intelligence that could make a significant dent in the global cyber attack capabilities.’
Some such as Fraser Kyne from endpoint security firm Bromium say virtualisation can play a major role in enabling the cloud securely, by providing the architectural foundations on which to build the next generation of secure platforms.
The granular control of mobile endpoints
Cloud has the capacity to revolutionise business if you can control the ‘cloud in your pocket’ – the connecting devices. Roy Tobin, threat researcher for endpoint protection firm Webroot thinks avoiding the loss of sensitive data which has been downloaded onto mobile devices will be the biggest security challenge to come.
‘Gone are the days where employees had one computer, used one collaboration program and rarely visited websites,’ says Tobin. ‘Now, IT departments are tasked with protecting a wide range of devices, many of which operate outside of the company firewall.’
The solution, he believes, is Data Loss Prevention (DLP), which enables companies to maintain a network-wide inventory of data and have visibility of data movement both over the network and on mobile devices and removable media.
‘However, simply adding DLP tools to a network is not enough. Organisations need to develop a DLP strategy before they start thinking about technology solutions.’
With a number of different operating systems and a multitude of different devices available to people today, businesses’ approach of managing physical devices is becoming complex and expensive, forcing companies to commit time and resources to managing personal applications on employee’s devices that have nothing to do with their work.
‘A less costly and more effective approach is to manage what people actually do on their devices, which is to say the business applications they use,’ says Greer-King. ‘Containerisation is increasingly common and allows businesses to separate work-related applications from personal files and applications, meaning that only business-relevant applications are monitored and secured.’
The advancement of detection and monitoring
Time is becoming ever more critical in the discovery of security compromises. The longer a threat goes without being detected, the more opportunity there is for the attacker to cause damage and the worse it will be for an organisation’s reputation, record of compliance and ultimately its bottom line as customers lose confidence.
‘In attempting to detect more known and unknown threats, and to predict future risks, many organisations have begun to use more advance analyitc solutions and big data techniques,’ says Piers Wilson, head of product management at enterprise security specialist Tier-3 Huntsman. ‘However, most big data solutions identify historic and potential threats by analysing large stores of data, which is a significant weakness. Using big data to detect an unknown threat will only work with historical data; meaning that any threat that is present will still have time on the system to cause damage. Instead, organisations need to be sure that they can detect threats as soon as they appear. This will be a major challenge that businesses will be looking to overcome in 2015.’
But 2015 will never be about detection and remediation alone, adds Mike Langley, regional VP for western Europe and South Africa at Palo Alto Networks.
‘If you’re only detecting, you’re already on the back foot, and companies that come in and charge thousands a day over the course of a month to remediate your systems might tell you what happened, but they can’t do anything to get back what was stolen,’ he says.
As the enterprise market sees the benefits of a true platform-based approach to security, Langley believes we’ll see more vendors phasing out standalone unified threat management (UTM) security solutions.
‘As a result, intrusion prevention system (IPS) functionality and firewall functionality will meld more than it already has.’
Bring Your Own Identity
‘The biggest security mistake companies are making is that they are continuing to rely on outdated password-based authentication systems to protect sensitive data and cyber assets,’ warns Christian Campagnuolo, senior VP of product market, identity, at business intelligence firm MicroStrategy.
‘Passwords are by far the weakest link in cyber protection, as they can be stolen, lost or guessed. Furthermore companies are mistaken if they believe asking staff to make their passwords longer and more complicated will solve this issue.’
The rise of the cybercrime and an increase in APT activity has escalated the need for advanced authentication. However, the majority of solutions currently available on the market require a trade-off between ease of use, cost to break and cost to own. Successful systems will be simple to use and give a seamless experience where users do not need to memorise complex passwords.
‘With regards to biometric authentication, we expect, as it improves and new modalities become available that they will all become potential candidates to integrate with identity platforms such as Usher, which at the moment uses fingerprints (in addition to traditional authentication) and can step up to face and voice recognition,’ says Campagnuolo. ‘As companies come to the realisation that what they have now is not secure and is making life difficult, they will adopt biometric authentication, as one factor in a multifactor authentication system. This will change the way they identify people, access applications and entry ways, and authorise transactions through a single authentication system.’
For some security professionals the idea of one device being responsible for every aspect of your employee’s security credentials and identity could set alarm bells ringing. However, the world is becoming a cyber-mobile dominated world where more services and more money are being conveyed to people through cyber space, and all of it depends on proof of identity.
Paul Ferron, director of digital identity stratedy at CA Technologies thinks 2015 will see a growing interest in Bring Your Own Identity (BYOID) as an alternative method of authentication.
‘Already a growing number of sites are allowing visitors to login using a social or digital identity from a trusted third party, such as PayPal or Facebook,’ he explains.
According to research conducted by CA Technologies and the Ponemon Institute, while less than 20% of organisations have currently deployed BYOID, Ferron thinks the next 24 months will see a rapid adoption of this method.
One of the key challenges that will need to be addressed before BYOID can become mainstream will be that of ownership – ‘businesses lines will need to negotiate with IT departments over the ownership issues, which will require a careful balance between security versus customer convenience and marketing insights and establishing a single, accountable point of control,’ says Ferron. ‘Organisations that get the balancing act right, will make significant progress in creating stronger identity credentials for their customers in the coming years.’
Organisations will also strive for zero-touch authentication to deliver a password-free experience for their customers and employees, through the use of analytics and the ubiquity of mobile.
‘When the analytics check out – confirm a device, user behavior and location, or other attributes – a transaction can go forward without disturbing the user for additional information, achieving zero-touch authentication,’ says Ferron.
The analytics can bring in more data through models that learn additional user behaviours and attributes that help increase the level of certainty a user is who he claims to be.’
‘When the analytics uncover a questionable situation, such as logging in from another continent or from a different device, this would require a step-up authentication, such as a one-time password, delivered via mobile – not zero-touch, but as frictionless as possible when there are indicators of fraud.’