Authored by: Carolyn Crandall, Chief Deception Officer – At the beginning of the year, I spent some time looking ahead at what the future might hold for the cybersecurity community, and I suggested a few resolutions that might help forward-thinking organizations improve their defense against future cyberattacks. Now that we’re over the halfway mark of 2019, it feels like the perfect time to make some predictions for the remainder of the year—and beyond—and discuss how we can be proactive about it.
Cyber Defenders Are Getting More Advanced… But So Are Attackers
The ability to quickly detect a cyberattack is critical, and improvements in security technology, processes, and benchmarking will continue to shorten detection time. Unfortunately, other factors could offset this expected reduction in dwell time, such as attackers adopting AI and leveraging increased computing power to find new ways to break into networks and remain hidden. Currently, dwell time averages 78 days before organizations detect an attacker, and recent reductions in this number appear to be largely due to an increase in ransomware attacks, in which attackers willingly reveal their presence early; a drop of that kind says little about a defender's ability to find an intruder who wants to stay quiet.
There is good news: there is reason to believe that dwell time will begin to fall as companies adopt more effective threat detection tools to supplement traditional preventive measures. We expect continued growth in the adoption of deception technology in particular, both for its efficacy in detecting attacks early and for its ability to create a proactive defense that slows and derails attacks. An EMA report supports this: respondents highly familiar with deception technology self-reported average dwell times of 5.5 days, along with high confidence in their ability to detect threats. That detection time was 12X lower than that of respondents who were not using the technology. So although attackers are getting more sophisticated, deception technology is clearly demonstrating its value as a quick and accurate in-network detection tool for defenders, regardless of where an attack originates or what method the attacker uses.
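To make the mechanism behind that in-network detection concrete, here is an added example (my own illustration, not code from the original post or from Attivo's product) of the simplest form of deception: decoy account names that no legitimate user or process ever touches, checked against authentication logs. Because nothing real should ever reference a decoy, any attempt against one, successful or not, is a high-fidelity alert no matter how the attacker got in. The account names, hosts, addresses and log lines are constructed, and the sshd-style log format is assumed for illustration.

```python
"""Honeytoken (decoy account) detector run over constructed auth log lines.

Added example, not code from the original post or from Attivo. Decoy accounts
are seeded into the environment but never used by real users or services, so
any authentication attempt naming one is a strong signal of an intruder.
All names, hosts, addresses and log lines below are made up.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Hypothetical decoy accounts planted in the environment.
DECOY_ACCOUNTS = frozenset({"svc-backup-admin", "finance-share-ro"})

# Constructed sshd-style lines (not real logs). The last three auth lines show
# a single source, 10.0.9.8, trying the planted credentials on two hosts.
SAMPLE_LOG = """\
2019-08-01T09:12:03Z host1 sshd[1201]: Accepted password for alice from 10.0.1.15 port 50112 ssh2
2019-08-01T09:40:17Z host1 sshd[1311]: Failed password for bob from 10.0.1.22 port 50211 ssh2
2019-08-03T02:14:55Z host2 sshd[2204]: Failed password for svc-backup-admin from 10.0.9.8 port 41022 ssh2
2019-08-03T02:15:01Z host2 sshd[2204]: Accepted password for svc-backup-admin from 10.0.9.8 port 41022 ssh2
2019-08-03T02:20:44Z host3 sshd[3310]: Failed password for finance-share-ro from 10.0.9.8 port 41030 ssh2
this line is not an auth event and is skipped by the parser
"""

# Assumed log layout: ISO timestamp, host, sshd[pid], result, method, user, source, port.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class AuthEvent:
    timestamp: datetime
    host: str
    result: str  # "Accepted" or "Failed"
    user: str
    source: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one sshd-style line; return None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return AuthEvent(
        timestamp=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        host=m["host"],
        result=m["result"],
        user=m["user"],
        source=m["src"],
    )


def detect_decoy_use(log_text: str, decoys=DECOY_ACCOUNTS) -> List[AuthEvent]:
    """Return every auth event, failed or successful, that names a decoy account.

    Failed attempts are deliberately kept: a legitimate user has no reason to
    know a decoy username exists, so even a wrong password against it is an alert.
    """
    alerts: List[AuthEvent] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None and event.user in decoys:
            alerts.append(event)
    return alerts


def summarize_by_source(alerts: List[AuthEvent]) -> Dict[str, List[str]]:
    """Group alerts by source address so responders see one intruder, not N lines."""
    touched: Dict[str, set] = {}
    for a in alerts:
        touched.setdefault(a.source, set()).add(a.user)
    return {src: sorted(users) for src, users in touched.items()}


if __name__ == "__main__":
    hits = detect_decoy_use(SAMPLE_LOG)
    for h in hits:
        print(f"ALERT {h.timestamp:%Y-%m-%d %H:%M:%S} {h.host}: {h.result} login "
              f"for decoy '{h.user}' from {h.source}")
    print("sources touching decoys:", summarize_by_source(hits))
```

Two design points matter here. The detector never needs a signature for the attacker's tooling or entry path; the decoy itself is the signature, which is what lets deception work regardless of how the intruder arrived. And the summary collapses the three noisy lines into one source address touching two lures, the kind of single, high-confidence alert that shortens the time between first intruder activity and a responder picking it up.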
Organizations Will Improve Their Understanding of Security on Both Framework and Individual Levels
On a similar note, frameworks will continue to shape the security field. The NIST Cybersecurity Framework, ISO 27001/27002, and MITRE ATT&CK have all proven to be helpful guides as organizations assess security maturity and risk. At many security summits I have attended, organizations have confirmed that they are rapidly embracing these models to assess risk and shape their security posture. By incorporating more assessment benchmarking and security scoring, organizations can better identify and define security gaps, mature their security infrastructure, and strike a better balance between prevention and detection tools, which in turn helps determine where future security investment is needed. I am particularly pleased to see NIST recommending deception for High-Value Assets holding sensitive information. Its inclusion in the draft NIST report is timely, as organizations are increasingly turning to security frameworks to understand and assess their security models. Attivo's mapping of deception technology to the NIST Framework is available for download.
What can individuals do? Ongoing employee education and training are table stakes, and teaching people the basics of patching, password protection, and authentication can be a big help. Beyond that, organizations should verify that their best practices are actually working and add appropriate safety nets, so they know when controls and processes hold and when they fail. This sharper focus on verification will spur greater adoption of visibility and detection tools for ongoing assessment, penetration testing, and insight into the policy violations and exposures that increase risk.
Regulation Is Coming, But We Can’t Rely on It
U.S. breach regulations are all over the map, literally: each state has different rules to follow, and the inconsistency of these laws will continue to create challenges for companies through 2019 and beyond. I expect to see an increase in fines levied, and in some cases even jail time, for those who fail to meet the expectations of these laws, particularly as states like California and Massachusetts become more aggressive in enforcement. Other states will likely follow in the coming year. Notably, the new California Consumer Privacy Act (CCPA) goes into effect January 1, 2020. It gives Californians several new rights: to know what personal information an organization collects about them, whether it sells or discloses that information and to whom, to say no to the sale of their personal information, to access their personal information, and to receive equal service and price even if they exercise their privacy rights. Compliance with these laws is daunting in concept, and actually supporting them in practice involves many more layers of complexity. I expect that by mid-2020 we will begin seeing fines that are staggering, at a level some companies may not be able to weather.
On the flip side, regulatory bodies remain unsure of what to do with the Internet of Things (IoT). IoT will continue to expand throughout the remainder of 2019 and into 2020, with over 50 percent of businesses incorporating IoT into their operations. The rate of innovation in IoT devices will continue to outpace the security built into them, and it is unlikely that federal regulation will define the requirements and penalties needed to effect change adequately. State-level regulations, like those currently in place for breach reporting, may improve the situation somewhat but will likely fall short of having a significant impact. In some cases they may do more harm than good, by building a false sense of consumer confidence in the security of devices on the market.
Strides Are Being Made to Close the Skills and Gender Gaps, With Automation Helping Productivity
Organizations are always under pressure to improve efficiency, accelerate attack analysis, and automate incident response, but there are only so many hours in the day, and the skilled talent needed to perform these tasks may not always exist. We will continue to see automation used to correlate attack data and share information, removing slower manual steps so that cybersecurity professionals can dedicate more time to remediation and other essential tasks. Automation won't replace cybersecurity professionals anytime soon, but it gives organizations a way to stretch their resources further, freeing skilled staff to address complex issues, narrowing the skills gap, and reducing the likelihood of burnout.
Unfortunately, another gap persists. Cybersecurity continues to be a male-dominated industry, with women making up just 11 percent of today's cybersecurity workforce. It is even rarer to see women in leadership roles: only two percent of CTOs and CISOs are female. There is clearly room to improve this lack of diversity, especially in a field with a severe need for skilled workers. We need to continue to encourage and support women and minorities in pursuing careers in cybersecurity. Acknowledging the problem is the first step, and the industry has begun to move in the right direction. I applaud the Women's Society of Cyberjutsu, among other fabulous organizations, for helping women both begin a career in cybersecurity and retrain to become skilled in the field. We have a way to go before the gender gap is fully closed, but recent steps toward better diversity and female representation in the field are promising.
Cloud Adoption is Going to Continue at a Fast and Furious Pace
AWS established an early foothold, though Azure is heating up with some fierce competition. I have seen a significant uptick in multi-cloud adoption as well as in interest in and adoption of container and serverless technologies. Unfortunately, with this adoption we will also see an uptick in cloud breaches. Whether they stem from coverage gaps or simple human error, organizations must adapt their security programs and put additional safety nets in place to better protect the information they store in the cloud.
5G is Going to Expand the Attack Surface and Create a New Generation of Threats
5G brings with it a tremendous set of benefits, including expanded data capacity, improved connection mobility, greater signal density, and better overall performance and reliability. However, it also brings new risks. The large data volumes 5G networks generate will make behavioral anomalies harder to detect; connection mobility further erodes the network perimeter, broadening the attack surface; and more connected devices enable attacks of larger scale and consequence. Cloud and endpoint security will need to be end-to-end, creating virtual security environments that travel with mobile-connected devices. Manufacturers must also build security into the design during development for continuous protection as 5G networks change and evolve. Like cloud, 5G is another attack surface that will require stronger, scalable detection controls that alert accurately on unauthorized access and on misconfigurations that create risk. The impact will be widespread, from medical file transfers, to connected homes, to autonomous vehicles, and more.
One thing is certain: the world is predictably unpredictable, and however much we prepare, it will never be enough. For this reason, I encourage all organizations to have not only a defense but also an offense that is proactive in detecting and derailing threats before attackers can do harm. Deception is playing this role today for over 50% of the F10 and many, many more organizations. It's definitely worth a look. And don't worry, you won't be the first or alone. In the recent IDG Security Priorities Study, deception ranked #2 on the list of technologies organizations are researching, right after "zero trust" solutions.