
Changes in Cybersecurity (Part 1)

The biggest change has been in the explosion of threat vectors.

By Tom Smith
Jul. 18, 19 · Security Zone · Analysis


We're excited to announce Trend Reports by DZone beginning with Application Security! Everyone involved in building applications — from developers to CTOs — should think about security ramifications. This Trend Report will explore what developers feel are the most prominent threats, where corporate priorities lie, and how secure coding practices are being implemented. Keep an eye on your inbox and our homepage on July 22nd to learn more.

To understand the current and future state of the cybersecurity landscape, we spoke to, and received written responses from, 50 security professionals. We asked them, "How do you see the cybersecurity landscape changing?"

Here's what they told us about threat vectors and threats. We'll cover the other things they shared with us in part two. 

Attack Vectors

  • There's a major change because the attack vector has changed and increased with the proliferation of SaaS and APIs. Apps are API-based and there has been an adoption of an API-first approach. The evolution of this new technology comes with new breaches and incidents.
  • Corporate networks are going through dramatic changes with IT revolutions such as cloud, IoT, and BYOD. In this new reality, with countless devices and services that are connected to each other without clear perimeters, traditional authentication solutions that protect individual systems are irrelevant. 
  • Two to three years ago, many large companies were being told they needed to go to the cloud. Companies did not, for security reasons. In the last 12 months, these same companies have decided they will move to the cloud. They typically start with one little application they want to run in the public cloud. Security needs to ensure this will run protected and meet compliance requirements. The cloud is alive and well and everyone is adopting it.
  • In our experience, attackers look for the easiest access and low hanging fruit. The attack surface is growing exponentially with the proliferation of IoT devices.
  • 1) Let’s take the Internet of Things as an example. The Internet of Things promises to bring everything from microwaves to pacemakers and shipping fleets online, leverage enormous amounts of new data, and ultimately, make our world smarter, easier, and more efficient. As an estimated 50 billion new devices come online in the next 5 years, Gartner Research lists security as the #1 challenge to making the Internet of Things a reality. Why? Because in order to be useful, IoT devices must make real-time bi-directional connections to the Internet, and that type of communication is challenging to secure. Whereas security protocols and best practices for servers, personal computers, and smartphones are well-understood and broadly adopted, security for IoT devices is nascent and rarely sufficient. It’s a hacker’s dream come true. 2) To combat this impending security crisis, we need a robust security model that works across the many different paradigms of device communication. Additionally, the security model should enable devices to be plug-and-play for end consumers; we can assume that if any component of the security model requires consumers to set their devices up and keep their software and firmware up to date correctly, the model is seriously flawed. 3) The crux concept for IoT manufacturers is this: Hardening devices against intrusion is a good first step, but it is nowhere near a complete security model. You must leverage a secure data stream network and its accompanying services to provide enterprise-level end-to-end security for IoT devices. Doing so shifts the primary burden of securing billions of new devices from hardware manufacturers into the network layer, which is far more flexible and robust for ongoing security. With this network-first security strategy in mind, look at and consider best-practice design patterns and tactics for implementing a secure data stream network to enable bi-directional communication for the Internet of Things. Also understand the critical security requirements of such a network, each of which plays a unique role in securing IoT applications and connected devices.
  • One thing we’re seeing is that threats are increasingly homing in on containerized infrastructures. If unchecked, attackers can exploit holes and target new attack surfaces brought on by new and popular container orchestration tools and systems. Obviously, these tools are beneficial to businesses in application development and deployment, but they present new security risks as well.
  • The threat models are really still the same, but the environment has been changing for quite some time.  It's not just about protecting the assets inside your network, it’s about protecting assets wherever they live — in the public cloud, SaaS applications, private cloud. The same security principles apply, we just need to make sure we are applying them regardless of where our computing infrastructure is located. 
  • The way business is conducted is changing, and this is having a direct impact on the cybersecurity tools and solutions that organizations need. For example, companies are rapidly adopting BYOD. 85 percent of organizations now allow BYOD for at least some of their stakeholders, including employees, contractors, partners, customers, and suppliers. Enabling BYOD changes an organization’s threat landscape and requires security tools that are different from those used to protect managed devices. To secure data in BYOD environments, companies must employ agentless solutions that offer functionality like single sign-on, multi-factor authentication, user and entity behavior analytics, data loss prevention, and selective data wipe. 
  • 1) Cybersecurity has traditionally been about defense-in-depth, perimeter security, and endpoint security. With the cloud, the internet is your corporate network. Physical perimeters are gone. Identity and cloud service configuration are the new attack surfaces. Logical perimeters are defined by resource configuration and identity and access management. 2) Focus your resources on establishing known-good cloud configuration baselines, shifting security left by automating policy checks earlier in the SDLC, and using self-healing infrastructure tied directly to your established baseline to eliminate configuration drift for critical resources.
  • There have been two big evolutions: 1) software-defined and 2) cloud-based services. As security can be delivered by software, it can be provided by smaller companies that can offer more specialized service. Build vertical solutions for particular markets like retail. There is greater value in specialization.
  • Cybersecurity is increasingly focused on the data and less on the system or network. Companies recognize firewalls and perimeter security are no longer sufficient. The rise of cloud services and SaaS applications has blurred the network perimeter, so those sorts of traditional barriers are no longer the ‘one stop’ solution for protecting a company. The trend is to prioritize the understanding of the data types stored in company systems and to secure the data directly from loss or exposure.
  • With the exponential growth of IoT, with all devices now Internet-ready, users, applications, and more are accessing a wide variety of channels and devices. Securing the network has never been more challenging than it is today. Analysts are given the impossible task of analyzing all events and alerts; the only conceivable way to actively engage and manage this is through AI.
  • 1) There is a big change happening now with the explosion of the number of devices connected to the Internet. The companies and government agencies are aware that the proliferation of devices and the ubiquity of the Internet of Things (IoT) will drive attacks and malware design. Companies need to become aware of this change and the resulting heightened security requirements. We see some initiatives by the governments already that are meant to drive this message home. 2) One such initiative was recently introduced in California where by law it is forbidden to provide devices with default passwords. It is certain we will see more similar initiatives happening in various parts of the world, driving the companies to tighten security, especially in the IoT landscape. So expect more regulation in IT security over the next years as governments will initiate and pick up laws and rules from each other around the globe. 3) Unfortunately, the pace of the changes is very slow. We can see that in the example of the NIST regulations. The security community had considered the composition rules for passwords outdated for more than a decade now but the NIST recommendations for passwords were only changed last year. It took more than ten years to change the mind of one of the most security-conscious organizations. It will take another decade for these rules to propagate through the industry and by that time they will be outdated once again. From the point of view of the security community, the change must happen much faster, especially now with IoT coming into play quickly. I hope we see some acceleration in the pace of both regulation and acceptance in the industry.
  • Increasing adoption of transformative technologies – like serverless, DevOps, IoT and robotic process automation – will expand attack surfaces in 2019 and beyond. Cloud computing, storage, and applications have all become integral to modern organizations, and the cloud footprint amongst the world’s organizations continues to grow. However, the increased speed at which cloud computing and storage allows organizations to spin up new virtual machines, instances, and storage buckets can lead to headaches for both security operations and IT administrators. As cloud computing and storage has become an increasingly popular way of conducting business, a staggering 50 percent of organizations do not have a privileged access security plan to secure cloud instances. This, in addition to the security of DevOps infrastructure as a whole, needs to be prioritized. Most security teams have already established enterprise requirements for securing credentials in traditional IT systems such as Windows. As organizations ramp up adoption of DevOps and cloud, the requirements must ensure enterprise-wide standards cover all environments, including DevOps and cloud. Enterprise security requirements will need to keep pace with DevOps culture: if developers perceive that the requirements are slowing them down, they will be resistant to adopting security measures.
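Several respondents above describe the same shift: the cloud perimeter is defined by resource configuration and identity, and the recommended response is a known-good baseline, automated policy checks, and detection of configuration drift. The following is an added example written for this page, not code from the article or from any of the quoted vendors. It evaluates a constructed, simplified cloud inventory (dicts with assumed field names such as "public_acl", "ingress", and "access_key_age_days", not any real provider's API schema) against a small set of baseline rules, and separately compares the live state with an approved snapshot to surface drift. The rule thresholds (admin ports open to 0.0.0.0/0, keys older than 90 days, no MFA) are illustrative choices.

```python
"""Policy-as-code baseline check and drift detection over a constructed cloud inventory.

Added example; the inventory, field names, and rule thresholds are assumptions
made for illustration and do not reflect any real provider's data model.
"""
import copy
from dataclasses import dataclass
from typing import Callable

WORLD = "0.0.0.0/0"
PUBLIC_PORTS_ALLOWED = {80, 443}   # only HTTP/HTTPS may face the whole internet
MAX_KEY_AGE_DAYS = 90              # illustrative rotation policy

# Constructed inventory: what a normalised export of three resource types might
# look like. Not real data.
INVENTORY = [
    {"type": "storage_bucket", "id": "logs-prod", "public_acl": False,
     "encryption": "aes256", "versioning": True},
    {"type": "storage_bucket", "id": "marketing-assets", "public_acl": True,
     "encryption": None, "versioning": False},
    {"type": "security_group", "id": "sg-web",
     "ingress": [{"port": 443, "cidr": WORLD}]},
    {"type": "security_group", "id": "sg-bastion",
     "ingress": [{"port": 22, "cidr": WORLD}]},
    {"type": "iam_user", "id": "deploy-bot", "mfa": False, "access_key_age_days": 400},
    {"type": "iam_user", "id": "alice", "mfa": True, "access_key_age_days": 30},
]

# Constructed "approved" snapshot: the state that passed review. It deliberately
# still contains the non-compliant deploy-bot user, to show that drift detection
# and policy evaluation answer different questions.
APPROVED_BASELINE = copy.deepcopy(INVENTORY)
for _r in APPROVED_BASELINE:
    if _r["id"] == "marketing-assets":
        _r.update(public_acl=False, encryption="aes256")
    if _r["id"] == "sg-bastion":
        _r["ingress"] = [{"port": 22, "cidr": "10.0.0.0/8"}]


@dataclass(frozen=True)
class Finding:
    resource_id: str
    rule: str
    detail: str


def check_bucket(r: dict) -> list[Finding]:
    out = []
    if r.get("public_acl"):
        out.append(Finding(r["id"], "bucket-public-acl", "bucket is world-readable"))
    if not r.get("encryption"):
        out.append(Finding(r["id"], "bucket-unencrypted", "no at-rest encryption configured"))
    return out


def check_security_group(r: dict) -> list[Finding]:
    out = []
    for rule in r.get("ingress", []):
        if rule["cidr"] == WORLD and rule["port"] not in PUBLIC_PORTS_ALLOWED:
            out.append(Finding(r["id"], "sg-admin-port-world-open",
                               f"port {rule['port']} open to {WORLD}"))
    return out


def check_iam_user(r: dict) -> list[Finding]:
    out = []
    if not r.get("mfa"):
        out.append(Finding(r["id"], "iam-no-mfa", "user has no MFA device enrolled"))
    if r.get("access_key_age_days", 0) > MAX_KEY_AGE_DAYS:
        out.append(Finding(r["id"], "iam-stale-access-key",
                           f"access key is {r['access_key_age_days']} days old"))
    return out


# Rules are keyed by resource type so new types can be covered without touching evaluate().
RULES: dict[str, Callable[[dict], list[Finding]]] = {
    "storage_bucket": check_bucket,
    "security_group": check_security_group,
    "iam_user": check_iam_user,
}


def evaluate(inventory: list[dict]) -> list[Finding]:
    """Run every applicable rule over the inventory; resource types without rules are skipped."""
    findings: list[Finding] = []
    for r in inventory:
        checker = RULES.get(r["type"])
        if checker is not None:
            findings.extend(checker(r))
    return findings


def detect_drift(baseline: list[dict], current: list[dict]) -> list[tuple[str, str, object, object]]:
    """Field-level differences between the approved snapshot and the live state."""
    base = {r["id"]: r for r in baseline}
    live = {r["id"]: r for r in current}
    drift = []
    for rid in sorted(set(base) | set(live)):
        if rid not in live:
            drift.append((rid, "<resource>", "present", "deleted"))
        elif rid not in base:
            drift.append((rid, "<resource>", "absent", "created"))
        else:
            for key in sorted(set(base[rid]) | set(live[rid])):
                if base[rid].get(key) != live[rid].get(key):
                    drift.append((rid, key, base[rid].get(key), live[rid].get(key)))
    return drift


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"VIOLATION {f.resource_id}: {f.rule} ({f.detail})")
    for rid, key, old, new in detect_drift(APPROVED_BASELINE, INVENTORY):
        print(f"DRIFT {rid}.{key}: {old!r} -> {new!r}")
```

Running the two checks side by side is the point: drift detection flags that `marketing-assets` and `sg-bastion` no longer match what was approved, while policy evaluation additionally flags `deploy-bot`, which was non-compliant in the approved snapshot as well. A self-healing loop that only reverts drift would restore the approved state and still leave that user unprotected, so the baseline itself has to be validated against policy before it is used as the thing to converge to.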


Threats

  • The biggest thing has been ransomware. People are stepping up their game in taking care of networks so as not to get infected, lose their backups, or have servers and other devices locked up.
  • Systems get more powerful, hardware gets faster, and cybercriminals use the best technology they can acquire to penetrate and steal data. We're seeing more sophisticated attacks on firewalls. Be mindful of and constantly update infrastructure and procedures. Criminals will not wait for you to patch vulnerabilities. They will exploit every weakness they are able to find.
  • High-profile breaches will continue to occur. Only the larger breaches will get the news coverage. 
  • Cybersecurity attacks are becoming increasingly sophisticated, especially in areas such as ransomware and spear phishing, where a false email may be tailored to mimic a specific individual and designed to fool the specific person it reaches. Often this will mean an employee receives a spear phishing email that appears to be from their boss or another business leader, includes personalized details, and will instruct the employee to make a corporate money transfer or to click a malicious link. Another major shift to the cybersecurity landscape is due to the implementation of GDPR, which has rewritten the rules for how organizations store and process data, and how diligent they must be in safeguarding it. 
  • From the application perspective, we’re seeing second-order warfare with greater sophistication of bots versus bots. Botnet run by the attacker versus smart technology applied by the defender is happening more quickly than humans can respond. 
  • Ransomware removed the middle man from the cyber adversary perspective. We see more sophisticated ransomware. We saw crypto mining when cryptocurrency prices were high and crypto miners needed processing. Small energy and governments have become the focus of nation states. 56 percent of exploits last year were SMBs. Attackers are finding easier entry points through partners. Target was hacked through an HVAC vendor.
  • So much is going to the cloud that applications that used to be in the firewall are now on the internet accessible to anyone in the world. Zero-day stuff like the Intel flaw. You will see some AI tools turned against you. ML that is being used for defense will be used for an attack. 
  • One of the most interesting changes to the cybersecurity landscape in the near future comes with the integration of 5G mobile network technology. The fifth-generation cell technology boasts reduced latency and high data rates, potentially in the 20Gbit range, making mobile devices even more lucrative targets for becoming slaves (or "zombies") as part of a botnet. With about two-thirds of America's approximately 300 million cell phone subscribers using smartphones of some kind, widespread adoption of 5G technology is expected across the country as it becomes available. Very few of us regularly turn off our cell phones, making for a platform with always-on connectivity and speeds that rival or exceed your standard home network connection—in other words, prime real estate for adversaries looking to launch a distributed denial of service attack.
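The spear-phishing pattern described above (a message that appears to come from a boss or business leader, carries personalised details, and asks for a money transfer or a click) is detectable with a handful of header and content heuristics that mail gateways and SOC playbooks routinely apply. The following is an added example for this page, not code from the article or any quoted vendor. It parses three constructed RFC 822 messages with Python's standard `email` module and scores each on four signals: an executive's display name on a non-organisation sender domain, a sender domain that is a lookalike of the organisation's domain (small edit distance or digit/letter confusables), a Reply-To domain that differs from the From domain, and urgency plus payment language in the subject or body. The organisation domain `example.com`, the executive name, the keyword lists, and the scoring thresholds are all assumptions for illustration.

```python
"""Header and content heuristics for business-email-compromise style spear phishing.

Added example. The sample messages, the organisation domain, the executive list,
the keyword lists, and the verdict thresholds are constructed for illustration.
"""
import email
import textwrap
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}                 # assumption: the defended organisation
EXECUTIVES = {"jane doe"}                     # assumption: display names attackers would impersonate
URGENCY = ("urgent", "immediately", "today", "asap", "right away")
MONEY = ("wire", "transfer", "gift card", "payment", "invoice")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values between unrelated-looking domains are a red flag."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def lookalike(domain: str) -> bool:
    """True if the domain is not ours but resembles one of our domains."""
    # Normalise common visual confusables before comparing (0->o, 1->l, rn->m, vv->w).
    norm = domain.translate(str.maketrans({"0": "o", "1": "l"})).replace("rn", "m").replace("vv", "w")
    for org in ORG_DOMAINS:
        if domain == org:
            return False
        if norm == org or levenshtein(domain, org) <= 2:
            return True
    return False


def analyse(raw: str) -> dict:
    """Return the sender, the list of triggered signals, and a coarse verdict."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()

    reasons = []
    if name.strip().lower() in EXECUTIVES and from_dom not in ORG_DOMAINS:
        reasons.append("display name impersonates an executive from an external domain")
    if lookalike(from_dom):
        reasons.append(f"sender domain {from_dom} looks like an organisation domain")
    if reply and domain_of(reply) != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    if any(w in text for w in URGENCY) and any(w in text for w in MONEY):
        reasons.append("urgent payment language")

    verdict = "suspicious" if len(reasons) >= 2 else ("review" if reasons else "clean")
    return {"from": addr, "reasons": reasons, "verdict": verdict}


# Constructed sample messages (not real mail). Headers, blank line, body.
BEC_MESSAGE = textwrap.dedent("""\
    From: "Jane Doe" <jane.doe@examp1e.com>
    Reply-To: <ceo-office@fastreply.invalid>
    To: bob@example.com
    Subject: Urgent: wire transfer needed today

    Bob, I need you to wire $48,000 to the new vendor before 3pm. I'm in meetings, can't talk.
    """)

INTERNAL_MESSAGE = textwrap.dedent("""\
    From: "Jane Doe" <jane.doe@example.com>
    To: bob@example.com
    Subject: Q3 budget review

    Please send the updated Q3 forecast by Friday. Thanks.
    """)

VENDOR_MESSAGE = textwrap.dedent("""\
    From: "Accounts" <billing@vendor-corp.invalid>
    To: bob@example.com
    Subject: Invoice 1042

    Please process payment today; the invoice is attached.
    """)

if __name__ == "__main__":
    for raw in (BEC_MESSAGE, INTERNAL_MESSAGE, VENDOR_MESSAGE):
        result = analyse(raw)
        print(result["verdict"].upper(), result["from"])
        for reason in result["reasons"]:
            print("  -", reason)
```

The value of the layered scoring is that no single signal is decisive: a genuine vendor reminder trips the urgency-plus-payment rule alone and lands in "review", while the impersonation message trips all four and is flagged outright. In production the display-name list would come from the directory, the domain list would include registered typo-squats, and the Reply-To check would be extended to Return-Path and authentication results (SPF/DKIM/DMARC), which this example does not model.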

Please see part two for more thoughts on the most important elements of security.

Here’s who shared their insights:

  • Josh Mayfield, Director of Security Strategy, Absolute
  • Jim Souders, CEO, and Anne Baker, V.P. of Marketing, Adaptiva
  • Steven Aiello, security and compliance solutions principal, AHEAD
  • Gadi Naor, CTO and Co-founder, Alcide
  • Omer Benedict, Senior Director of Product Management, Aqua Security
  • Tom Maher, CTO, Asavie
  • Gaurav Banga, CEO and Founder, Balbix
  • Nitzan Miron, V.P. Product Management, Application Security Services, Barracuda
  • Cam Roberson, Director of the Reseller Channel, Beachhead Solutions
  • Anurag Kahol, CTO, Bitglass
  • Syed Abdur, Director of Product Management and Design, Brinqa
  • Laura Lee, Executive Vice President of Rapid Prototyping, Circadence
  • Andrew Lev, CEO; Cliff Duffey, Founder and President; Bethany Allee, Vice President Marketing, Cybera
  • Brian Kelly, Head of Conjur Engineering, CyberArk
  • Doug Dooley, COO, Data Theorem
  • Jason Mical, Cyber Security Evangelist, Devo Technology
  • OJ Ngo, CTO, DH2i
  • Tom DeSot, EVP CIO, Digital Defense, Inc.
  • Chris DeRamus, Co-founder and CTO, DivvyCloud
  • Alan Weintraub, Office of the CTO, DocAuthority
  • Tom Conklin, CISO, Druva
  • Anders Wallgren, CTO, Electric Cloud
  • Satish Abburi, founder, Elysium Analytics
  • Sean Wessman, Americas Cyber Markets, Sectors and Business Development Leader, EY
  • Ambuj Kumar, Co-founder and CEO, Fortanix
  • Josh Stella, co-founder and CTO, Fugue
  • Kathy Wang, Senior Director of Security, GitLab
  • Amith Nair, VP Product Marketing, HashiCorp  
  • Mike Puglia, Chief Customer Marketing Officer, Kaseya
  • Nathan Turajski, Director of Product Marketing, Micro Focus
  • Gary Duan, Chief Technology Officer, NeuVector
  • Gary Watson, CTO and Founder, Nexsan
  • Stephen Blum, CTO and Co-founder, PubNub
  • Chuck Yoo, President, Resecurity
  • Roey Eliyahu, CEO and Co-founder; Chris Westphal, Head of Product Marketing, Salt Security
  • Sivan Rauscher, CEO and Co-founder, SAM Seamless Networks
  • Igor Baikalov, Chief Scientist, Securonix
  • Oege de Moor, CEO and Co-founder, Semmle
  • Dana Tamir, VP Market Strategy, Silverfort
  • Logan Kipp, Technical Architect, SiteLock
  • Albert Zenkoff, Security Architect, Software AG
  • Tim Brown, V.P. Security Architecture, SolarWinds
  • Todd Feinman, Co-founder and Chief Strategy Officer, Spirion
  • Tim Buntel, VP of Application Security Products, Threat Stack
  • Andrew Useckas, Founder and CTO, ThreatX, Inc.
  • Joseph Feiman, Chief Strategy Officer, WhiteHat Security
  • Vincent Lussenburg, Director of DevOps Strategy, XebiaLabs
  • Robert Hawk, Operations Security Lead, xMatters