[DZone Research] How the Cybersecurity Landscape Is Changing (Part 2)
We reached out to almost 50 companies and executives about cybersecurity. Here is what they had to say!
To gather insights on the current and future state of security, we talked to 47 executives from 43 companies about security in their own organizations and for the clients with whom they are working. Given all of the breaches that have appeared in the news and the enforcement of GDPR, response to this topic was unlike any we have seen for previous security research guides.
We asked them, "How is the cybersecurity threat landscape changing?" Expanded threat vectors, the speed of change, and legislation were the three most commonly mentioned concerns. Here are some of the other things they told us:
- 1) Intensity and frequency of the attack. 2) The public’s awareness is expanding rapidly. People are losing their jobs as a result of these breaches.
- Botnets are huge — A small handful of a lot of them are active and successful. There is a large movement in government to be DMARC compliant by the end of 2018. Large ISPs push this kind of stuff, so they can discard bad mail. The cost impact of fixing an infected system is much higher than the cost of making the systems so it cannot be infected.
- Increasing cyber-physical concerns — Internet architecture broad attacks from home cameras against the internet infrastructure. These devices may be subject to attack but can be used to make the biggest bot army. The cameras make up the botnet. More things are connected to the network with poor security and plenty of bandwidth. Other things are not well managed, like your smartphone and PC; your home gateway is not. People need automatic software updates on everything.
- Even more paranoid today — A lot of holes in the routers and third-parties. Encrypt and randomize our data. Servers are being hammered by foreign entities. We support government entities and our data is critical, so we provide the highest level of security possible.
- Miscreants and security professionals in a state of escalation and adaption — Development processes in the underworld are impressive. There are self-built systems to manage their victims. Criminals are not limited by traditional IT processes. We should not be either. We should find a way to make processes fast, easy, and integrated. Go from this idea to test to operation and optimization as fast as possible. If we don’t do this, we cannot win. The value of deploy and test more quickly. A data platform with DevOps is an achievable goal. For InfoSec, this is a must-have.
- In recent years, we have seen a fast shift from malicious attacks towards large-scale financially motivated attacks on private data; however, this in itself is not new. What is unique though is the level of sophistication used by threat actors to get what they want. Unencrypted content that leaves any enterprise is vulnerable and even fragments of data serve those seeking to gain financially as they profile and target attacks. Email is especially useful as typical metadata is visible and content encryption is using tools that are limited in many ways. Many of the tools used today such as S/MIME and PGP are vulnerable; witness the recent EFail vulnerability.
The implications of this are quite far-reaching. Attackers can easily retain large volumes of email from targeted e-mail users; with EFail if these old messages are stored, and even if the vulnerability is closed, they can still be read in plain text by an attacker. Worse — nobody will know. There are ways to solve this and other issues, of course. Cryptshare solves the key failings of e-mail and uses an encryption method where each and all transactions use unique credentials, limiting the attack surface and where all content, files, metadata, and e-mail content are encrypted. This is important, as the other key emerging trend is the continued acceleration in the power of computers, making brute force attacks faster and cheaper. The emergence of Quantum computing will, of course, make things harder. The answer is to encrypt more strongly, more of the time.
- Don’t expect the cyber threat landscape to get safer anytime soon. Adversaries are constantly using more sophisticated methods to attack enterprises' digital surfaces, from mobile to IoT, and the cloud. Defenders should prepare to face self-propagating network-based threats that will be hiding in encrypted traffic. The use of encryption has grown as a way of protecting payloads, but it can also conceal bad traffic from security systems. A recent Cybersecurity report by Cisco found out that threat actors are also using popular cloud services for command and control, making malware very difficult to find with traditional security tools, because it looks like normal traffic. Malware is becoming self-propagating, and ransomware isn’t only for obtaining ransom but also for the purpose of destroying systems and data. The recent Nyetya (NotPetya) threat posed as tax software that was actually something called "wiper malware" that killed multiple organizations' supply chain systems. No matter how much the threat landscape changes, malicious email and spam remain vital tools for adversaries to distribute malware because they take threats straight to the endpoint.
- Cloud security alliance — Digital security analysis kicked off at RSA this year. Vendors help yourself. There is now a touch of humility in the industry. We have to dot all the "I’s" and cross all the T’s. The level of maturity and understanding cryptography is important — state actors, mathematical shifts, and burglars all still get in through the unlocked door. There are a lot of similarities between how burglars work and cyber burglars work. Watch how long it takes to penetrate a system. They will move on to another site if it takes too long. It's encouraging that the discussion is being had and no one is looking for the magic bullet. This is a process and not a feature. Software supply chain, SSO libraries — are you downloading Maven dependencies over insecure connections? The realization that security is quality with a slightly different approach. You are dealing with bad actors. Pen testing, physical digital security — a bug is a bug is a bug.
- The use of cyber warfare tactics by nation-states is growing for a number of reasons. To begin with, as compared to traditional "physical" warfare tactics, cyber-attacks are faster to execute, far less expensive, both financially and in terms of human life, are lower-risk from a political standpoint, and are orders of magnitude easier to obfuscate (e.g. create plausible deniability). Another key factor is the availability of cyber-mercenaries — talented, experienced attackers for hire — and the underground marketplaces where powerful exploits (especially zero-days) can be acquired. This means that even nation-states without particularly well-developed cyberwar capabilities can launch effective cyberattacks with relative ease. These factors make cyberattacks very attractive for both nation-states with established capabilities and factions seeking to "outsource" attacks to cyber-mercs.
- Hackers used to want to show how smart they are. Now, hacks are strategic. Seeing more from state actors. It is far more prevalent today. We have gone from recreation to profession. The tone is changing.
- Huge transformation up the stack and the layers. DDoS exploits earlier were more layer four exploits; increasingly, there are more layer seven DDoS attacks. Mitigation has been focused on the application layer. The firewall doesn’t provide any level of security any longer. Now, mitigation or security is moving to the application level. More coordinated intelligence across multiple platforms to define mitigations and an increase in HTTPS security. Enabling SSL and TLS creates a greater need for analyzing traffic and coordinated mitigation across the board, as well as an increase in encryption and monitoring traffic. We need a coordinated mitigation mechanism.
- When it comes to application security, we’re seeing more automation. Exploit kits try denial of service or scan for known vulnerabilities. No one cares who you are just that you are vulnerable. In the email security space, the reverse is true, more about target attacks and spear phishing to take over accounts.
- The level of automation on what cybercriminals are doing to attack businesses has ramped up. Brought SME in the bullseye of attackers, because it’s so inexpensive to launch a broader attack. Attackers have widened the scope of who’s targeted. There are lots of small companies being compromised every day.
- Most of our time has been spent educating the market. A lot of public discussion around bots (social media). We don’t have to explain it anymore. The types of attack are much more sophisticated. An explosion in the use of data centers. Russian hackers are using data centers in the U.S. 45 percent of all bots are coming from the U.S., because hackers are using U.S. data centers. You cannot block AWS, you would lose too many customers.
- There is a lot in physical security because used to be security firm replaced by an IT department. These people report to a CIO versus physical building manager operation. Last frontier from on-prem to cloud. As such CIO and CISO are pushing cybersecurity much harder, certification for the data center needs to meet standards of public cloud platforms. Public cloud vendors are light years ahead.
- Cyber espionage has become easier for less sophisticated attacker types to gain entry, be it malicious insiders, organized crime groups or money mules. The number of attacks by these groups is increasing as attacking becomes a commodity. The high impact attacks carried out by sophisticated groups often use trivial tools to carry out their operations. While the level of operational art remains high, the more basic tools are used to avoid exposure of sophisticated capabilities that would be ‘burned’ if not needed or to masquerade as a less sophisticated group, avoiding attribution.
- From a customer perspective, realizing that they have invested in a lot of tools on the shelf that are more shelf-ware than active security. Must implement and socialize the tools, operationalize and act on what the tools produce. A tool-based approach is dead on arrival and cannot implement in a sufficiently fast way when looking for an application security platform. We are taking a risk-based approach to cybersecurity. To ensure when you identify a risk or vulnerability, you rate it for mitigation and remediation.
- In 2016 IoT for DDoS attacks. In 2017 and 2018 we hear about application-level attacks to find ways in. It goes in cycles. DDoS things get big and tail off and then get big with the proliferation of online devices easy to hack. Constant shifts and adjustments to attacks that are out there. We need to worry about many different types of attacks – IPv6 DDoS attacks. Opens the door to a different class of IoT devices. Find organizations that aren’t ready to take on those kinds of attacks.
- The biggest change is in the exponential increase in threat sophistication. Whereas in the past we had largely manual, one-off operators and “script kiddos” coming at us via known attack vectors, now we have highly-automated, organized hacking syndicates and nation-states using a vast array of AI-enabled techniques to discover and exploit unknown attack vectors. Compounding that issue is the fact that the very assets we are protecting are constantly changing, thanks to our embrace of cloud computing, virtualization, containers, and DevOps.
- I think we’re seeing threats become both more sophisticated and aggressive. Many organizations are unable to keep up. Their security practices and the tools that they are using have simply not matured fast enough, and this is especially true for legacy applications that are on-premises. Similar to what we’re seeing in cloud computing, the cybersecurity field is also facing a skills gap.
- The security threat landscape is shifting from one that is solely focused on preventing threats to one that focuses on what to do with the attacks that get through. Enterprises are evolving from solely taking proactive measures to respond to threats to also explore reactive measures as well. Enterprises are recognizing that traditional security methods like antivirus, firewalls, and other protective approaches are not going to ever stop 100 percent of the attacks from getting through to their enterprise. However, they must stop these attacks where they happen, at their primary point of entry — the endpoint. As a result, a new category of products, called endpoint detection and response, is emerging to detect the issues that make it past these preventative barriers and remediate them rapidly.
- Security as an enabler — it is imperative that we shift security left in the development process and equip the developers with tools and training they need to take ownership of the security. Basically, security should move from being an obstacle to being an enabler. SDLC process: In the Agile/DevOps world, where we see high-speed software development and deployment, legacy security tools and techniques fall short. We need tools that enable novice developers to reliably build and operate secure applications and APIs. "Continuous security" is essential to go with the CI/CD paradigm, and it works well when security is baked into the pipeline of development and deployment. Developers need to have instant, real-time, accurate feedback on the vulnerabilities in their applications. Fundamental security elements include common platforms and frameworks that handle the basic elements, like authentication, authorization, and data encryption in transit and at rest. We believe that effective security comes from within an application framework rather than a gatekeeping program or firewall outside the application.
- One of the biggest changes recently is the increase in security attacks related to cryptocurrencies. In the last few years, there has been a rise in hackers targeting both companies where cryptocurrency is a core part of their business or product, such as cryptocurrency exchanges — the latest of which was Coinrail — as well as companies that have nothing to do with cryptocurrency but whose cloud infrastructure can be used for mining, as was the case with the recent Tesla hack. Verizon’s annual DBIR report on these and other trends is a great location for more info on these attacks.
- Cyber-attacks are getting more sophisticated and are increasing in frequency thanks to technology developments. With the use of AI, hackers can modify and redeploy malware quickly as a way to remain undetected. The increased availability of dark web exploit kits has made it easier for cybercriminals to target and launch attacks at organizations and consumers alike. While zero-day attacks are the most feared, the ability to deploy an attack in multiple stages — where each stage potentially goes unnoticed and not obvious as to its intention — is what security pros worry about — that an attack in the making can sit in their network unnoticed for weeks and months, just listening and waiting for the right opportunity to move to the next stage. Email security continues to be a key attack vector. Hackers responsible for propagating phishing attacks continue to play on human weakness through social engineering tactics as a way to evade standard gateway-based spam filters.
Here’s who we talked to:
- Jim Souders, CEO, Adaptiva
- Murali Palanisamy, CTO, AppViewX
- Amir Jerbi, Co-founder and CTO, Aqua Security
- Andreas Pettersson, CEO, Arcules
- Dave Mariani, CEO and Co-founder, and Bruno Aziza, CMO, AtScale
- Andrew Avanessian, COO, Avecto
- Nitzan Miron, Vice President Product Management, Barracuda Networks
- Mo Rosen, GM, CA Security, Sam King, GM, CA Veracode, Mark Curphey, CA SourceClear
- Stuart Scott, AWS Trainer/Cybersecurity Expert, Cloud Academy
- Cliff Turner, Senior Solutions Architect, CloudPassage
- Mark Forrest, CEO, Cryptshare
- Antonio Challita, Director of Product Management, CyberSight
- Doug Dooley, COO, Data Theorem
- Patrick Lightbody, SVP Product Management, Delphix
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product and Outreach Marketing, Distil Networks
- Paul Kraus, CEO, Eastwind Networks
- Don Lewis, Senior Marketing Manager, EdgeWave
- Anders Wallgren, CTO, Electric Cloud
- Venkat Ramasamy, COO, FileCloud
- Jesse Endahl, CPO, CSO and Co-Founder, Fleetsmith
- Tom Sela, Head of Security Research and Matan Kubovsky, Vice President R&D, Illusive
- Roy Halevi, CTO, and Co-founder, Intezer
- Darren Guccione, CEO, Keeper Security
- Andrew Howard, Chief Technology Officer, Kudelski Security
- Rajesh Ganesan, VP Product Development, ManageEngine
- John Omernik, Distinguished Technologist, MapR
- James Willet, Vice President of Engineering, Neustar
- Gary Duan, CTO, NeuVector
- Randall Degges, Head of Developer Advocacy, Okta
- Dan Koloski, Vice President, Security and Systems Management, Oracle
- Heather Howland, CEO, Preempt
- Randy Battat, CEO, PreVeil
- Arkadiy Miteiko, CEO, QbitLogic
- Linus Chang, Founder, Scram Software
- Altaz Valani, Research Director, Security Compass
- Ed Adams, CEO, Security Innovation
- Neill Feather, CEO, SiteLock
- Oded Moshe, VP Products, SysAid
- Gaurav Deshpande, Vice President of Marketing, Todd Blaschka, COO, TigerGraph
- Matthew Vernhout, Director of Privacy and Industry Relations, 250ok
- Setu Kulkarni, Vice President of Product and Corporate Strategy, WhiteHat Security
- Erik Nordmark, Co-founder and Chief Architect, Zededa