As we approach the end of the year, many of us are enjoying the holidays with our families and friends. As we prepare for the year to come, many of us are building lists of things we would like to see change as well as building a mental picture of what we expect the new year to bring. Those of us in Information Security are no different, and the things we should resolve to change very much align with what I expect 2018 to bring.
Information Security as we know it is changing, and the change has been going on for more than a decade. There were some gradual changes and some instances of bring your own device (BYOD) creeping into the business world in the early 2000s, but the sea change really started as the average consumer began to adopt smartphone technology around 2007. Since then we have seen two major phenomena that have changed the way we do business. First, organizations own a shrinking percentage of the devices employees use to connect to corporate assets. Second, organizations control a diminishing percentage of the platforms that house their most critical information assets.
The result of these two trends is that corporate IT security policies must shift from controlling how people utilize hard physical assets like computers and networks, to how employees interact with soft organizational assets like data. These trends will result in Information Security shifting from traditional perimeter-focused programs to Data Security, and Insider Threat/User and Entity Behavior Analytics programs.
That shift will also bring about some changes in the look and feel of security programs. Those changes are:
- A fundamental shift in the way analytics are performed and the profile of the analysts performing them
- A shift in the technical and engineering requirements of information security programs
- An increased reliance on Managed Security Services
Change 1 – There will be a significant change to the ways in which we analyze data
Tomorrow’s security programs will have little need for servers and system administrators. The technical resources running your firewalls and switches won’t be the people who staff your next-generation Security Operations Center (SOC). You will still need those people, but not for your security program.
Instead, you will need analysts, armies of analysts. Tomorrow’s security programs are going to be 100% focused on behavior analytics in three categories, each with its own skill set.
First, you will need data analysts. These are people with some technical acumen but their primary skill set is likely to be business focused. They will be charged with qualitatively understanding the behavior of data in an environment to determine if that activity presents a high, medium, or low business risk. These types of people are generally not found in today’s security programs, but next generation programs will need them and they will need to interface with business unit leadership frequently in order to do their work. The lack of this particular skill set is one major reason why so many organizations struggle to effectively implement technologies like Data Loss Prevention.
Second, you will need system analysts. Of the analyst skill sets of the future, this is the one you are most likely to have in your security program today. These are analysts with a technical application and networking background and a keen understanding of how systems should behave under normal circumstances, which allows them to quickly and accurately identify and respond to system anomalies.
Finally, you will need behavior analysts. These people classify human behavior as normal or abnormal. Much of that classification can be done with machine learning algorithms; where behavior analysts are especially valuable is in the qualitative analysis of human behavior that attempts to establish motive for what the algorithms surface. Responses vary greatly between malicious actors and those who are well-meaning but making mistakes. Correctly identifying which group a person falls into before activating the appropriate response will be critical to protecting the organization from harm in a way that supports a positive culture and work environment. Balancing these sometimes competing priorities will be critical to organizations competing in tomorrow’s marketplace.
Change 2 – The role of technical resources in security programs will change
In the past, security systems were primarily appliance and server based. Newer security systems are often delivered from the cloud or from virtual appliances. This trend is likely to continue, which means server management and maintenance is going to become a waning skill set in the security space. You will still need technical skill sets in your security programs, but they will no longer be focused on server management and patching.
At the same time, we are seeing a trend towards the proliferation of more systems. Most of those systems will tout integration with a host of other technologies, but what the vendors really mean by “integration” is that both systems have an API with a Software Development Kit (SDK) and some documentation. Making those systems work seamlessly together will be incumbent upon the client. As such, you will need technical people with a skill set that looks like a cross between a developer and a system administrator: people who understand both systems technically and can write the code against those APIs that makes them work together. I would recommend cross-training your current teams on these APIs rather than turning over the technical people on your security staff, assuming the current team has the desire and aptitude to learn this new skill set.
Change 3 – More organizations will outsource more of their security programs
Managed Security Services Providers are not new; many have been around for some time. However, the increased complexity of security solutions, along with the global shortage of qualified professionals to fill security roles, has more organizations turning to service providers to operate their security programs than ever before. I expect this trend to continue, as both the stakes and the complexity of security have increased over the last few years.
If It Ain’t Broke…
Many people seem to want to apply the “If it ain’t broke, don’t fix it” philosophy to Information Security, as there is often an organizational resistance to change in security even while the organization is embracing rapid and transformative change that is quickly making security programs obsolete. The truth is, Information Security in many organizations is broken. That can be validated simply by looking at the increased size and pace of mega-breaches, which coincide with increased spending on security. Most organizations do not suffer from a lack of spending money on security, but instead suffer from a lack of spending money intelligently, in a way that evolves with the organization at the speed with which they do business.
Another saying that I think is more important to remember going into 2018 is “What got you here won’t get you there.” The truth is, our organizations have changed their direction with respect to how technologies are used and deployed, shifting from a primarily on-premises deployment strategy housed in data centers owned by our organizations, to a cloud services model that is more akin to leasing or renting space in a facility owned by a third party. The associated challenges have been multiplied by the fact that the vast majority of organizations are consuming services from several third parties and not just one or two. These changes are not necessarily good or bad; they just are, and we must change with them in order to get to where we are trying to go as their protectors. To support the three main changes I previously mentioned, there are five core strategies we must embrace to stay ahead of the curve and build a future-proofed Information Security program:
Strategy 1 – Forget about perimeters and systems and focus on data
“The world’s most valuable resource is no longer oil, but data.” – The Economist
This quote affects the way modern organizations do business in two ways.
First, the data that you hold is valuable, not only to you but to potential adversaries, and many marketplaces exist to buy and sell stolen data. This data exists in a few forms. There is data belonging to your client base that you have a moral, and often legal, obligation to protect; if you aggregate that data in any way, you are a target. There is also the information that forms your competitive advantage: no matter who your company is or what you do, there is some form of intellectual property, some of it legally protected and some of it not, that affords your organization the ability to compete in the marketplace. If you do business in the western world, some form of intellectual property is what allows you to do so. Simply put, the world has become too small and competition too fierce for proximity to customers alone to keep you in business. It is your responsibility to find that intellectual property and figure out how to protect it if you want to survive in tomorrow’s marketplace.
Second, if data is the new oil, and the world’s largest and most profitable companies (Alphabet/Google, Amazon, Apple, Facebook, Microsoft, etc.) gain and maintain their competitive advantage by gathering and storing that data, then the ability to gain, retain, refine, and analyze that data is paramount to success. Additionally, global regulations like the European Union’s General Data Protection Regulation (GDPR) are beginning to mandate that companies advise data subjects of their rights related to data and give them the ability to opt out of collection at any time. What this means is that competing in the new marketplace requires the ability to gain data on as many subjects as possible, which in turn means that you must build as much trust as possible with the general marketplace. How do you build that trust? Through countless hours of effort and dollars spent cultivating your brand. How do you destroy it in an instant? Have a data breach that shows you did not value that data properly and protect it as well as you possibly could.
Strategy 2 – Incorporate the Cloud into your overall security strategy
“41% of all enterprise workloads are currently running in some type of public or private cloud. By mid-2018, that number is expected to rise to 60%” – 451 Research
We must stop acting as if the Cloud is one thing and everything else is something else entirely. In 2018, very few organizations will be 100% cloud or 100% on-premises infrastructure. The organization will be operating in some hybrid mixture that will likely continue to ebb and flow over time. Any security strategy must take into account that some systems will be accessed on platforms and services the organization owns while others will not. The same principles of security and enforcement rules must apply universally regardless of whether or not the organization owns the underlying infrastructure in order for a security program to be effective. This means the strategy must be properly defined and applied in such a way that there is no difference between on-premises and cloud security postures.
Any protection methods should be data-centric, not infrastructure-centric, and designed in such a way that there will be no changes to the protection profile if a system moves from on-premises to the cloud or vice versa. I understand this is much easier said than done, but we must challenge ourselves to make this a reality. Cloud security products have evolved to a point where this goal has become achievable.
Strategy 3 – Develop a strategy to protect data throughout its life cycle
“Private ownership of property is vital to both our freedom and our prosperity” – Cathy McMorris Rodgers (U.S Representative for Washington’s 5th Congressional District)
When did we come to accept that we can no longer exert control over information we own once it has left our perimeter? If we truly own data, and it is the world’s most valuable commodity, shouldn’t we continue to protect it after it has been shared, preserving the right to revoke access to it at any subsequent time for any reason? I would argue that we should, and if we do, we can fundamentally redefine what a breach means to an organization: if a breach occurs but the organization can revoke access to all sensitive information after the fact, the breach becomes significantly less harmful. Employing such strategies would also help identify the breach in the first place, significantly shortening the time to detection, because the organization would be alerted to anomalous activity related to its data as soon as the attacker started to look through it. This stands in sharp contrast to what often happens today, where organizations only find out about a breach months or years after it has happened, and only because authorities happen to find the data being bought and sold on an illicit marketplace, often as a result of an unrelated investigation.
Well-known names such as Symantec, with its Information Centric Encryption product, and Microsoft, with Azure Rights Management (Azure RMS), are making great strides to make this vision a reality for their customers, along with smaller, more focused players like Ionic and Vera. These are exciting capabilities, but they also require organizations to think about protecting their information in new and far more comprehensive ways: deciding not only whether to block or allow information to traverse a network segment at a specific moment in time, but also defining the parameters of acceptable use of information for both internal and external users. In most organizations this has never been done before. As the old adage goes, “with great power comes great responsibility”.
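The Go program below is an added example, not code from the original post nor from any of the vendors named above, of the mechanism that makes revocation after sharing possible: envelope encryption in which each document is sealed under its own AES-256-GCM key, the key never leaves a key authority the organization runs, and every decryption has to go through that authority, which records the request and refuses once the key is revoked. The KeyAuthority type, its in-memory store and the access-log format are hypothetical stand-ins for a networked key server, and the document text is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ProtectedDoc is what leaves the organization: ciphertext plus the ID of a
// data key that only the key authority holds. The key itself never travels.
type ProtectedDoc struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// KeyAuthority is a hypothetical stand-in for an organization-run key server.
type KeyAuthority struct {
	keys    map[string][]byte
	revoked map[string]bool
	Log     []string // every decrypt request, whether allowed or denied
}

func NewKeyAuthority() *KeyAuthority {
	return &KeyAuthority{keys: map[string][]byte{}, revoked: map[string]bool{}}
}

func (ka *KeyAuthority) aead(keyID string) (cipher.AEAD, error) {
	key, ok := ka.keys[keyID]
	if !ok {
		return nil, errors.New("unknown key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect generates a fresh AES-256 key for the document, seals it with AES-GCM
// and binds the key ID into the additional data so the label cannot be swapped.
func (ka *KeyAuthority) Protect(keyID string, plaintext []byte) (*ProtectedDoc, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ka.keys[keyID] = key
	gcm, err := ka.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &ProtectedDoc{KeyID: keyID, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(keyID))}, nil
}

// Open is the only path to plaintext: the requester must ask the authority,
// which records the request and refuses once the key has been revoked.
func (ka *KeyAuthority) Open(requester string, doc *ProtectedDoc) ([]byte, error) {
	if ka.revoked[doc.KeyID] {
		ka.Log = append(ka.Log, fmt.Sprintf("DENY %s key=%s", requester, doc.KeyID))
		return nil, errors.New("access revoked")
	}
	gcm, err := ka.aead(doc.KeyID)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, doc.Nonce, doc.Ciphertext, []byte(doc.KeyID))
	if err != nil {
		return nil, err // wrong key, tampered ciphertext or swapped key ID
	}
	ka.Log = append(ka.Log, fmt.Sprintf("ALLOW %s key=%s", requester, doc.KeyID))
	return pt, nil
}

// Revoke makes every existing copy of the document unreadable, wherever it is.
func (ka *KeyAuthority) Revoke(keyID string) {
	ka.revoked[keyID] = true
	delete(ka.keys, keyID)
}

func main() {
	ka := NewKeyAuthority()
	doc, _ := ka.Protect("contract-2018-q1", []byte("constructed sample: acquisition terms"))
	pt, err := ka.Open("alice", doc)
	fmt.Println(string(pt), err)
	ka.Revoke("contract-2018-q1")
	_, err = ka.Open("attacker", doc)
	fmt.Println(err, ka.Log)
}
```

Two properties of this design carry the argument above: the access log at the authority is where the "attacker started to look through it" alert comes from, because a requester that suddenly opens documents it never touched before is visible there, and revocation is a single deletion rather than a hunt for every copy. The caveat a practitioner should keep in mind is that the guarantee only covers copies that still need the authority; a plaintext that a client has cached, exported or photographed is outside the model, which is why the products named above pair the cryptography with enforcement on the client side.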
Strategy 4 – Correlate information from disparate systems
“Data is not information, information is not knowledge, knowledge is not understanding, understanding is not wisdom.” – Cliff Stoll and Gary Schubert
The purpose of the above quote is to demonstrate that data must be refined and correlated in order to increase in value, ultimately culminating in understanding and wisdom. This concept applies especially to Information Security, where data is abundant to the point of being overwhelming. Information is available, understanding is scarce, and wisdom is fleeting. The only way an organization has a realistic opportunity of gaining understanding about the threats it faces and the ways in which it should address those threats is to correlate all of its data points and be able to run analytics on that data.
The most traditional way of doing so is a Security Information and Event Management (SIEM) solution, whose early generations made gathering actionable intelligence challenging and time consuming at best. Modern SIEM technology has improved greatly, and if you ask enough people you will find both ardent supporters and strong detractors of the technology. My purpose is not to argue for or against SIEM, but to be a strong advocate for the capability of aggregating disparate data sources. This becomes increasingly important as we shift our programs and rules from trying to guess attack patterns and identify them when they occur, to the better but more resource-intensive approach of establishing baselines and alerting on deviations from those baselines.
In forensic science, there is a principle known as Locard’s Exchange Principle, which states that in a crime, the criminal will bring something to the crime scene and leave with something from it. Forensic science is based on identifying the items a perpetrator introduced to a crime scene, or the items from the crime scene found in the perpetrator’s possession, to prove he or she committed the crime. The digital world is similar in that no crime can be committed against a piece of data or a system without that system or data deviating from its normal behavior. The attacker may or may not use a known method, but regardless of the attack, from the most commoditized to the most sophisticated zero-day, something must always change. As a result, establishing the baseline for normal behavior is important, and gathering as much information from as many systems as possible and housing it in a central repository where analytics can be performed is a key capability, regardless of the technology you use to do so.
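As an added illustration of the baseline-and-deviation approach described in this strategy and in the behavior-analyst passage under Change 1 (this is example code, not code from the original post or from any SIEM product), the Go program below correlates two constructed log sources, a VPN concentrator and a file server, by user and calendar day, builds each user's baseline from that user's own earlier days, and raises an alert when a day's file reads exceed the baseline by k standard deviations, enriching the alert with the VPN addresses the user connected from that day. The log line format, the field names (user, src, action, result), the thresholds and the sample events are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Alert is a day on which a user's activity left their own baseline.
type Alert struct {
	User, Day    string
	Count        int
	Mean, StdDev float64
	VPNSources   []string // enrichment correlated from the second log source
}

// ParseLine splits a "<RFC3339 timestamp> <source> k=v ..." line into its day and a field map (source stored under "source").
func ParseLine(line string) (day string, fields map[string]string, ok bool) {
	parts := strings.Fields(line)
	if len(parts) < 3 || len(parts[0]) < 10 {
		return "", nil, false
	}
	fields = map[string]string{"source": parts[1]}
	for _, kv := range parts[2:] {
		if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
			fields[p[0]] = p[1]
		}
	}
	return parts[0][:10], fields, fields["user"] != ""
}

// Baseline returns the mean and population standard deviation of prior daily counts.
func Baseline(counts []int) (mean, sd float64) {
	var sum, sq float64
	for _, c := range counts {
		sum, sq = sum+float64(c), sq+float64(c)*float64(c)
	}
	n := float64(len(counts))
	mean = sum / n
	return mean, math.Sqrt(math.Max(sq/n-mean*mean, 0))
}

// DetectDeviations flags days where a user's file reads exceed mean + k*sd of that user's own earlier
// days; minDays refuses to judge without history, minCount stops a flat baseline (sd = 0) alerting on one extra read.
func DetectDeviations(lines []string, k float64, minDays, minCount int) []Alert {
	type key struct{ user, day string }
	reads, vpn := map[key]int{}, map[key][]string{}
	for _, l := range lines {
		day, f, ok := ParseLine(l)
		kk := key{f["user"], day}
		switch {
		case ok && f["source"] == "fileserver" && f["action"] == "read":
			reads[kk]++
		case ok && f["source"] == "vpn" && f["result"] == "success":
			vpn[kk] = append(vpn[kk], f["src"])
		}
	}
	keys := make([]key, 0, len(reads))
	for kk := range reads {
		keys = append(keys, kk)
	}
	sort.Slice(keys, func(i, j int) bool { // by user, then chronologically
		return keys[i].user < keys[j].user || keys[i].user == keys[j].user && keys[i].day < keys[j].day
	})
	history := map[string][]int{} // user -> counts of the days already seen
	var alerts []Alert
	for _, kk := range keys {
		c, prior := reads[kk], history[kk.user]
		if mean, sd := Baseline(prior); len(prior) >= minDays && c >= minCount && float64(c) > mean+k*sd {
			alerts = append(alerts, Alert{kk.user, kk.day, c, mean, sd, vpn[kk]})
		}
		history[kk.user] = append(prior, c)
	}
	return alerts
}

// SampleLines builds constructed log lines (not real data): alice reads 4-6 finance
// files a day through the VPN from one address, then 40 in one day from a new address.
func SampleLines() []string {
	var lines []string
	for i, n := range []int{5, 4, 6, 5, 4, 6, 5, 40} {
		day, src := fmt.Sprintf("2018-01-%02d", i+1), "203.0.113.5"
		if n == 40 {
			src = "198.51.100.77"
		}
		lines = append(lines, fmt.Sprintf("%sT08:01:00Z vpn user=alice src=%s result=success", day, src))
		for j := 0; j < n; j++ {
			lines = append(lines, fmt.Sprintf("%sT09:%02d:00Z fileserver user=alice action=read path=/finance/doc%d.xlsx", day, j, j))
		}
	}
	return lines
}

func main() {
	for _, a := range DetectDeviations(SampleLines(), 3, 3, 10) {
		fmt.Printf("%s %s: %d reads (baseline %.1f +/- %.1f), VPN sources %v\n", a.Day, a.User, a.Count, a.Mean, a.StdDev, a.VPNSources)
	}
}
```

On the constructed data only the eighth day fires, and the alert already carries the Locard-style "something changed" from the other source: the reads came in over a VPN session from an address never seen for that user. The minCount floor matters in practice because a user with an identical count every day has a standard deviation of zero, and without it a single extra read would trip the rule; a real deployment would also use a longer window and account for weekly patterns, which the example leaves out.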
Strategy 5 – Accept that the Insider Threat is real and do something about it
“The threat of insiders is real and what can happen is you have amazing defenses to protect your intellectual property and other secrets from those who are trying to obtain them from outside your company’s walls, but you forget sometimes to have a program where you are watching those who you trust,” – Assistant Attorney General for National Security John Carlin
Despite the grave risks they pose, Insider Threats remain one of the least talked about and least addressed Information Security challenges in the marketplace. It’s very politically unpopular to go to senior leadership and tell them that their trusted employees represent a grave threat to them, that the very people who helped build the company are among the most likely to do it harm. That is an inconvenient truth, as Al Gore might say. The insider threat is real, and it is potentially far more damaging for someone who has access to your systems and knowledge of your network to attack you than even the most skilled hacker or nation-state actor.
In 2018, we must do better and accept the fact that some people are inherently good and altruistic and some are not. In order to protect those among us who are working towards the greater good of the organization we must find and quickly neutralize those who are not. I know this will not be popular, but that’s why leadership is difficult. Sometimes doing the right thing is much more difficult than doing the wrong thing, but in order for ourselves and our organizations to reach their full potential, we must choose the hard rights over the easy wrongs every day.
I liken security to healthcare. Many people apply home remedies and over the counter medication to simple, low stakes injuries and ailments. There are not complex tools involved in these procedures and in most cases, the negative consequences of making a mistake are not disastrous. This is similar to where security started, as the tools were generally not too complex and the potential fallout, such as a defaced website or limited service interruption, was something not too serious.
Today, the stakes are much higher as, according to the National Cyber Security Alliance, 60% of small businesses that suffer a cyber-attack are out of business within six months. Even in larger companies that can sustain a cyber-attack, it has been common to see turnover in the executive ranks and board positions after a cyber-attack. The threat is existential, or close to it for most organizations, as victims are overwhelmingly either put out of business or have their leadership drastically changed after an incident.
Therefore, modern security, with its complex tools and procedures, its scarce and in-depth required skill sets, and its high stakes, is more akin to brain surgery than first aid, especially when dealing with an organization’s most critical data assets. And while you may splint your own finger if you break it, not many of us are likely to take a scalpel to our own temporal lobe using a cosmetic mirror and a bottle of Tylenol Extra Strength. Complex security initiatives are similarly better left to the professionals.