[DZone Research] How the Cybersecurity Landscape Is Changing (Part 1)
Expanded threat vectors, the speed of change, and legislation were the most frequently mentioned, followed closely by heightened levels of sophistication of attackers.
To gather insights on the current and future state of security, we talked to 47 executives from 43 companies about security in their own organizations and for the clients with whom they are working. Given all of the breaches that have appeared in the news and the enforcement of GDPR, response to this topic was unlike any we have seen for previous security research guides.
We asked them, "How is the cybersecurity threat landscape changing?" Here's what they told us:
Expanded Threat Vectors
- Landscape, terrain, and targets growing exponentially — More to choose from. Verizon breach report 2017-18 they were at the top. We’re seeing threat landscape evolving because adopters and users of the technology are not fully-versed on the technology. Instance creep and drift. Exploitation of naivete. Oracle is buying people from AWS with $10,000 to $50,000 worth of credit, but there are very few people who understand how to secure an Oracle cloud infrastructure.
- All the work being done Experian effectively said things remain the same. More vectors, harder to use traditional experience. Better know your customer. These are common applications for draft technology. The more you know your customer; the more you can protect them.
- Each year, network traffic becomes more opaque with the increase in data encryption and SSL pinning across modern applications. The corporate perimeter continues to evaporate with the increase in public cloud services and SaaS adoption. More corporate data is being accessed and stored by third-party applications, particularly with the dependence on mobile and cloud technologies. The growth of microservices with API connections has created a new threat vector that traditional network and infrastructure security tools are not well suited to deal with. As a result, IT security leaders have begun shifting their efforts away from legacy security appliances that attached to their corporate networks and infrastructure layers. They are increasing their investments and focus toward subscription security services that help to protect applications, data, and users. The need for highly automated AppSec and DevSecOps is required with this increased rate of change in modern software and the impact of trying to protect customer data.
- The threat surface has expanded significantly over the past five years. The scale is unlike anything we’ve ever seen before with applications, connected enterprises, and Consumerized IT. 84 percent of organizations are including security into contracts with third-party providers. 95 percent of code is being built with open source software. However, reusable code equals reusable vulnerabilities.
- A lot more devices and device-types connected to the internet — Good from a functionality standpoint, but, from a security standpoint, this is a huge risk if not brought online securely. The digital footprint is also increasing, along with the opportunity for physical attacks. This gives adversaries an advantage by seeing and exploiting breadcrumbs.
- Attackers are focusing on new containerized infrastructures to exploit unknown holes and to exploit new attack surfaces presented by container orchestration tools and systems.
- Primarily work with enterprises. The number of entry points has exploded. Make sure your secure data is at rest. You know that if someone comes through an open door and gets to the data, they won’t be able to use it.
- With new advanced technologies coming out daily and being adopted by everyone and everything (IoT), the landscape of security threats is only expanding. It’s reaching every corner on earth – your home, your car, your health, and more. IoT devices have become targets of cybersecurity threats. On the corporate level, there are new technologies providing innovative technology to identify and neutralize these threats.
- 1) One of the more significant changes in the last decade has been the move towards cloud computing, which created new challenges for security organizations as traditional techniques for securing the perimeter were rendered ineffective. 2) Most organizations now have established methods for securing their SaaS applications (or have demanded this from their SaaS vendors). However, as they make the move to deploying their own cloud-native apps, the architecture has shifted once again, with most modern era applications now being developed using containers to allow for flexibility, scale, and resiliency. Securing these transient instances, running in the cloud, spinning up and shutting down as needed, requires a more dynamic approach to security. 3) Attackers are also becoming increasingly aware of these new modes of deployment, and we have already seen automated bots specifically seeking out unsecured Docker and Kubernetes deployments. New, container-specific attack vectors will no doubt increase significantly over the next few years.
Speed of Change
- Keeps evolving as technology evolves — Crafty new techniques with ransomware, exploiting vulnerabilities, and exploiting tools. Credential compromise.
- Things always changing pretty fast — The biggest is the proliferation of insecure IoT devices. The Dyn attack 20 months ago with so many IP enabled cameras with no password protection or default password. The theme played out many times in the past. As teams build and add connected functionality, they don’t understand the security implications. Engineers with great embedded code are clueless with IP code. You see the same with Bose. Engineers don’t know how to code for the specific environment.
- Constantly changing — Like the development side, the more automation offensive side needs to find vulnerabilities and hack through a system. Cybercrime groups are adopting nation-state techniques and sophistication, integrating into their own malware. Nations coming to protect their businesses. WannaCry appears to have come from North Korea. Nation-level sophistication turned against businesses.
- Basic application security, including mitigations against the OWASP Top 10 application vulnerabilities, is now fundamental to an engineering organization’s success. Failure to do so is now unacceptable. Attackers’ toolkits and capabilities continue to improve and, as the defenders, we must do the same. One of the greatest challenges impacting organizations today is simply velocity. As organizations transition to more cloud-based applications and agile development methodologies, the security procedures must move at the same speed of development and the speed of business. It is no longer acceptable to have archaic and slow security verifications delay deployments.
Legislation
- GDPR, a lot of legislative impact on security protocols and processes — First-time law enforcement enforcing protection and data security around the world. See when there’s a breach. Data security is no longer optional and will be mandatory.
- The impact to a business is becoming larger, resulting in congressional and parliamentary inquiries. Legislation has amped up.
- From a legislation point of view around the world, Australia and Europe are developing new legislation. Governments realized the problems where citizen data is stolen and leaked. They have introduced fines and mandatory reporting so companies will take cybersecurity seriously. It’s now fine and must report to the governing body with more serious consequences. Mandatory reports are huge. Looking at recent breaches at the Commonwealth Bank, the breach was not reported for over a year. No more sweeping under the carpet.
- There is clearly an emphasis on IoT and building secure stacks. We are also seeing regulators and standards bodies take a more active role in promoting application security.
- Every year there are new threats and breaches, but, at the end of the day, the landscape still remains relatively the same. Organizations need to go back to the same principle of removing admin privileges to mitigate advanced threats. This year, GDPR came into effect on May 25th and without question, that changed the threat landscape. GDPR has brought on stronger compliance laws, but it’s also opened the door for hackers to take advantage of this by scamming users with fake emails to gather personal information. Targeted phishing schemes are becoming more advanced and with the introduction of GDPR, the threat landscape was impacted by that this year.
Here’s who we talked to:
- Jim Souders, CEO, Adaptiva
- Murali Palanisamy, CTO, AppViewX
- Amir Jerbi, Co-founder and CTO, Aqua Security
- Andreas Pettersson, CEO, Arcules
- Dave Mariani, CEO and Co-founder, and Bruno Aziza, CMO, AtScale
- Andrew Avanessian, COO, Avecto
- Nitzan Miron, Vice President Product Management, Barracuda Networks
- Mo Rosen, GM, CA Security, Sam King, GM, CA Veracode, Mark Curphey, CA SourceClear
- Stuart Scott, AWS Trainer/Cybersecurity Expert, Cloud Academy
- Cliff Turner, Senior Solutions Architect, CloudPassage
- Mark Forrest, CEO, Cryptshare
- Antonio Challita, Director of Product Management, CyberSight
- Doug Dooley, COO, Data Theorem
- Patrick Lightbody, SVP Product Management, Delphix
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product and Outreach Marketing, Distil Networks
- Paul Kraus, CEO, Eastwind Networks
- Don Lewis, Senior Marketing Manager, EdgeWave
- Anders Wallgren, CTO, Electric Cloud
- Venkat Ramasamy, COO, FileCloud
- Jesse Endahl, CPO, CSO and Co-Founder, Fleetsmith
- Tom Sela, Head of Security Research and Matan Kubovsky, Vice President R&D, Illusive
- Roy Halevi, CTO, and Co-founder, Intezer
- Darren Guccione, CEO, Keeper Security
- Andrew Howard, Chief Technology Officer, Kudelski Security
- Rajesh Ganesan, VP Product Development, ManageEngine
- John Omernik, Distinguished Technologist, MapR
- James Willet, Vice President of Engineering, Neustar
- Gary Duan, CTO, NeuVector
- Randall Degges, Head of Developer Advocacy, Okta
- Dan Koloski, Vice President, Security and Systems Management, Oracle
- Heather Howland, CEO, Preempt
- Randy Battat, CEO, PreVeil
- Arkadiy Miteiko, CEO, QbitLogic
- Linus Chang, Founder, Scram Software
- Altaz Valani, Research Director, Security Compass
- Ed Adams, CEO, Security Innovation
- Neill Feather, CEO, SiteLock
- Oded Moshe, VP Products, SysAid
- Gaurav Deshpande, Vice President of Marketing, Todd Blaschka, COO, TigerGraph
- Matthew Vernhout, Director of Privacy and Industry Relations, 250ok
- Setu Kulkarni, Vice President of Product and Corporate Strategy, Whitehat Security
- Erik Nordmark, Co-founder and Chief Architect, Zededa