June Security Roundup: Predictions Going Forward
We have had a busy month with some very engaging discussions at June’s Boston Security Summit. Every panel had interesting insights to share about cyber attackers, AI, intelligence collaboration, insider threats, and more. It was, no doubt, a lot to take in over the course of one day. I wanted to explore a few of these topics, as they are relevant to how we in the industry are going to move forward in 2018 and beyond.
Intelligence Collaboration
During the security briefing from Special Agents Tim Kolk and J.R. Manes, the tactics used by cyber attackers were discussed. More importantly, they also talked about the importance of cyber threat intelligence collaboration.
Essentially, this collaboration is an exchange of threat information so that security firms can work together to counter threats. Attackers have increasingly been organizing online to develop stronger malware together. When it comes to being in sync with peers, attackers are outpacing security professionals by miles (or kilometers). Information asymmetry is often associated with market failures; in this case, the out-of-sync data that security companies act on produces a systemic risk. The FBI and many private sector companies have made it clear: to reduce this risk, we need to get our act together.
Attackers have a very effective tool for collaboration: the internet. Additionally, attackers are able to be more flexible with their partnerships and objectives. When it comes to defending, though, we have a much more complex set of actors to work with.
We deal with both private companies seeking to fulfill their mission and the public sector trying to protect the common good. Within each organization there is also a set of politics that can either cultivate or inhibit security culture. For these reasons and many more, it is much harder to defend collaboratively than it is to attack.
In 2016, the Department of Homeland Security launched the Cyber Information Sharing and Collaboration Program (CISCP). This program was intended to correct information shortfalls and bring together the public and private sectors. CISCP was, for the most part, an improvement and did increase national cyber resilience. However, it was not enough, and the private sector has recently taken charge to develop its own threat management program.
Recently, at RSA San Francisco, major security companies held their first meeting after signing the Cybersecurity Tech Accord. The accord goes beyond threat sharing: it includes a commitment to develop a strong security ecosystem between major companies, SMEs, developers, civil society, and the public sector.
Local Security Accords?
The Cybersecurity Tech Accord is a step in the right direction, going beyond what the FBI was talking about at the Boston Security Summit. What is so significant about it is that it presents a framework others can use to form their own agreements with each other. Cyber threat sharing is a strong basis for collaboration, but do not stop there. Imagine a cyber security accord intended for the local level. Businesses, community members, and local government alike could agree on their own terms for how they would become resilient together. Such efforts could work in tandem with larger institutions to provide multiple layers of security.
Threat intelligence collaboration is a great start, but if we are going to become resilient then we need actionable relationships. Let's start with threat intelligence sharing, but then form partnerships with each other so no one is left behind when it comes to security.
The Human Element and GDPR
Ah yes, my favorite topic: insider threats. The Boston Security Summit covered this topic quite well in three areas: human threats, incident response, and organizational risk. Human threats, aka insider threats, are typically threats originating from people with privileged access to information. This can include employees and any third-party organizations you work with. The experts at the summit covered insider threats in great depth.
What I would like to focus on is how insider threats are relevant now that the GDPR is in effect. If an insider causes a data breach, that company may be fined up to 4% of its annual revenue.
Insider threats are one of the leading causes of data breaches. The rush to meet compliance could create the conditions for employees to become more negligent about security going forward. Right now is the best time to remind companies of the need to maintain strong internal security practices.
In the midst of all the panic over meeting compliance, there is a need for some gentle reminders about security. Perimeter security should be standard at this point, but securing data assets from employees and contractors is one of the most important things a company can do in today’s world. By focusing on insider threats, companies will be better equipped than their peers to meet new compliance requirements as they develop around the world.
Cyber Immune Systems? Rise of Automation
The real question when it comes to security trends boils down to: are we ready to trust the machines?
Technically, we already do for a majority of tasks in our organizations and daily lives. As security becomes a necessity in today’s world, we are seeing the development of proactive security. The speakers in Boston referred to this as an immune system to illustrate how it functions.
Whatever you decide to call it, the underlying technology behind this recent development is machine learning. You’ve likely heard this term if you’ve been around any app developer for more than five minutes. It's really all we talk about around the water cooler.
McKinsey has provided a really simple definition of machine learning: “...algorithms that can learn from data without relying on rules-based programming.”
While on the surface this does not seem exciting, it has truly been a massive breakthrough for developers. The learning aspect of machine learning comes from the ability to sort through data, analyze it, and then make a decision based on it, all in real time. When applied to security, machine learning completely changes the game. Networks acquire the ability to learn their baseline and respond when something deviates from that baseline behavior. Additionally, as changes happen in an organization over time, the baseline shifts gradually with those changes.
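To make the baseline idea concrete, here is an added example of my own (not code from the post, the summit speakers, or any vendor product): an exponentially weighted baseline over constructed hourly login counts that flags sharp deviations while letting gradual change move the baseline. The parameters and sample data are assumptions chosen for illustration.

```python
# Toy behavioural baseline detector: learns typical hourly login volume for one
# account, flags hours that deviate strongly, and drifts with gradual change.
# All parameters below are illustrative assumptions, not tuned values.

ALPHA = 0.2        # weight given to the newest observation; smaller means slower drift
THRESHOLD = 3.0    # flag when |x - mean| exceeds THRESHOLD standard deviations
MIN_STD = 1.0      # floor on the spread so a flat history still tolerates small changes
WARMUP = 5         # observations consumed before alerting starts

# Constructed data: (hour label, logins seen in that hour) for a single account.
SAMPLES = [
    ("h00", 10), ("h01", 11), ("h02", 9), ("h03", 10), ("h04", 12),
    ("h05", 10), ("h06", 11), ("h07", 10),
    ("h08", 60),                                   # sudden burst: should be flagged
    ("h09", 11), ("h10", 12), ("h11", 13),         # gradual growth: the baseline
    ("h12", 14), ("h13", 15), ("h14", 16),         # follows it instead of alerting
    ("h15", 0),                                    # sudden silence: should be flagged
]

def run_detector(samples, alpha=ALPHA, threshold=THRESHOLD, min_std=MIN_STD, warmup=WARMUP):
    """Return (alerts, final_mean, final_std); alerts is a list of (label, value, z)."""
    mean = None
    var = 0.0
    alerts = []
    for i, (label, x) in enumerate(samples):
        if mean is None:                       # first observation seeds the baseline
            mean = float(x)
            continue
        std = max(var ** 0.5, min_std)
        z = (x - mean) / std
        if i >= warmup and abs(z) > threshold:
            alerts.append((label, x, round(z, 2)))
            continue                           # an outlier must not redefine "normal"
        # Exponentially weighted update of mean and variance: old behaviour fades,
        # so legitimate change shifts the baseline without a manual retune.
        delta = x - mean
        mean += alpha * delta
        var = (1 - alpha) * (var + alpha * delta * delta)
    return alerts, mean, max(var ** 0.5, min_std)

if __name__ == "__main__":
    found, m, s = run_detector(SAMPLES)
    for label, value, z in found:
        print(f"{label}: {value} logins, z={z}")
    print(f"baseline now mean={m:.2f} std={s:.2f}")
```

Flagged hours are withheld from the update so a single burst cannot teach the detector that bursts are normal; tuning ALPHA trades how quickly the baseline follows real change against how long an attacker could slowly "boil the frog".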
After years of security professionals manually tracking and trying to control threats through human labor alone, this is a godsend. However, there is still a lot of work to be done, as very advanced hackers could also make use of machine learning to better breach an organization.
Trend Micro wrote about this in February: essentially, hackers could make their own machine learning algorithm to self-produce malware. The malware produced by such a counter-algorithm has demonstrated the ability to bypass networks reinforced with machine learning. While these are exciting times for cyber security, we have a long way to go before machine learning is hacker-proof.
For right now, the most familiar automation tool is behavior analytics. It is not perfect, but paired with data loss prevention tools, it becomes a very valuable mix in a security toolkit. In the era of the GDPR, machine learning becomes much more valuable.
Incident Response
There was a panel at the Boston Security Summit, led by John Knies of CenturyLink, that discussed incident response orchestration.
Equifax is now the shining example of what happens when the response to a data breach is poorly executed. It was a disaster and could have been the downfall of most organizations. With the right tactical mix of smart alerts, automation, communication channels, and crisis leadership, any organization can survive a data breach. Not everyone has Equifax’s institutional influence, so for the rest of us, good planning is needed.
What incident response means has changed over the years; now much more coordination is required. Internally, executives, directors, and employees all need to be on the same page. Externally, you may need to notify local authorities, the Department of Homeland Security, oversight authorities, the media, business partners, and affected parties.
When disaster strikes, a written plan may not be followed as intended during the panic. It is for this reason that companies need to train with data breach simulations. These simulations should be as close to reality as possible. Beyond the plan itself, simulations will help companies understand where they may fall short during execution. In addition to planning, companies should get into the habit of informing partners of the communication protocol to be used during a data breach.
Now, I know that among everything else involved in running a business, incident response planning may seem low on the priority list.
Just try to think of incident response as an insurance policy: it will save a company's life when the time comes. Looking forward, it may be time for companies to start requiring incident response plans from the partners in their supply chain. Public defense agencies already require their partners to have an incident response plan in place; the private sector needs to adopt this practice too.
Security is developing fast, but not fast enough to keep up with hackers. As technology continues to develop and adaptation to the GDPR continues, innovation will follow. For now, in the middle of 2018, these are the hot topic areas going forward. Expect another update soon.