DZone Research: Security Concerns (Part 2)
DZone Research: Security Concerns (Part 2)
Check out this segment of DZone research on security concerns about the lack of knowledge and governance, as well as the increased speed and efficacy of attackers.
Join the DZone community and get the full member experience.Join For Free
Protect your applications against today's increasingly sophisticated threat landscape.
To gather insights on the current and future state of security, we talked to 47 executives from 43 companies about security in their own organizations and for the clients with whom they are working. Given all of the breaches that have appeared in the news and the enforcement of GDPR, response to this topic was unlike any we have seen for previous security research guides.
We asked them, "Do you have any concerns regarding the current state of security?" Here's what they told us:
Speed/Efficacy of Attackers
- The hackers are getting smarter. Too much is spent on detection and not enough on prevention — Gartner Carta strategic approach.
- Cyber adversaries are using highly automated tactics, leveraging the capabilities of AI along with a number of sophisticated tools and cheap computing power. A recent report from OpenAI points out some of these malicious use cases of AI in the cyber security domain. Use of AI lowers the cost of a cyber-attack by automating certain tasks and more effectively scoping out potential targets. It is now becoming a reality that simultaneously thousands of cascading attacks can be made on an enterprise’s digital infrastructure with little manual involvement. Multi-front cyber war aims at creating chaotic scenarios by sending a combination of fake and real attacks to get to the data. We are much closer to a battle of the machines now than ever before.
- We are entering risky waters. The magnitude of security hacks is increasing. Ransomware attacks more than 250,000 devices in two days. Impacts are getting bigger. We have to think about security by design from day one.
- New developments in terms of cybersecurity present new risks. We will see increased frequency and efficacy of attacks, especially as the number of successful attacks increase over time. Targets already include utility infrastructure and financial services, and cutting-edge scientific knowledge is always a high-interest target. For example, we just saw indictments of individuals associated with the Islamic Revolutionary Guard Corps for cyber-attacks, resulting in the theft of 31 terabytes of academic data and intellectual property. The most alarming new risks pertain to the explosion of Internet-connected devices and facilities — self-driving automobiles, wearables, medical devices, smart electrical grids, etc. Controlled by computer software and, of course, managed by back-end systems that can impact vehicles and devices en masse, the risks associated with cyber warfare actions against devices and facilities, which can cause harm or death to humans, changes the stakes completely.
- We need better standards and methodologies. Inculcate an abstract level of security — standard methodologies and frameworks to begin with.
- Lack of awareness. With the degree of automation and sophistication of attacks, attackers are able to launch probing exercises so broadly and so cheaply that you have to have security in place.
- Security is mostly handled in-house, but the rate at which the bad guys are developing is faster than the rate that the internal security team can handle. You must have automation. You only see the threats that hit your site. You don’t see what a third-party can see with hundreds of sites. Common tools we use tend to be more vulnerable, because we’re leveraging cloud-based infrastructure stacks. If you find a vulnerability in AWS Lambda, it leaves thousands of sites vulnerable.
- 1) Every year, we are seeing attackers that advance their offensive skills and insiders, becoming much more sophisticated and able to conceal their criminal activities. 2) We are also seeing attacks that combine several pieces of malware from different areas in the kill chain, resulting in a much more lethal weapon wielded by attackers. For example, NotPetya from 2017 that coupled Automatic Lateral Movement and Propagation with a piece of ransomware. 3) Another example can be seen in the recent Latin-America bank heists, where attackers covered their SWIFT attack tracks by using MBR wipers. 4) Though this activity is concerning, security teams should not be reactive and wait to be attacked. Rather, they should adopt a more proactive and sophisticated approach, since, after all, it is a game of cat and mouse. 5) Periodically patching systems to latest versions and employing deception technologies are good techniques to prevent and detect these types of attacks.
- The world is changing very quickly, and security threats and resolutions change with it. New technologies provide better solutions, but they also provide new grounds for malicious activities for the attackers. Cloud technology, if properly used, reduces the risk of corporate downtime. Workstation resources are very tempting for digital currency miners. They act in many vectors to find a way to install the mining software. The proliferation of mining software is an underground threat. We already know that the global energy cost of mining is immense, similar to the consumption of a small country.
- Security risks are growing at a pace that’s faster than the industry can react or adapt to. We are still in the catch-up game as hackers discover new exploits and vulnerabilities faster than vendors can fix them. Attacks are getting voluminous, sophisticated, and automated. More focus is needed on laying a strong foundation rather than catching up with each new variant of threat discovered.
- Not putting security first.
- Not protecting data. So many things are happening, it's hard for IT professionals to know where to invest.
- Yes, things are likely to get worse for companies before they get better. The explosion of new software being built in the public cloud infrastructure is creating attack vectors that most companies are ill-prepared to deal with. The lack of security design in most modern applications will lead to more embarrassing exploits of sensitive company data by hackers. The area that companies must get much better soon at securing API-services. We are moving into an API-driven software era and very little has been delivered to continuously identify and remedy vulnerabilities found in these new services via their API connections.
- IoT devices are so bad DDoS attacks will be a lot more common. Botnets.
- We published reports on the coverage of brands and sectors using DMARC – SaaS 1000 top 20 percent are doing, but 80 percent are not. Law firms have 38 percent adoption. E-Retail 15.8 percent. Non-profits are virtually not doing anything at all. University space is mediocre. The impact of crypto lockers and malware depends on who’s on the other end — whether there is honor among thieves as to whether or not data is preserved.
- People are looking for the one thing that says this is secure. SSL is one thing, you still need passwords. Thinking about fit models and how to build, it’s a bit of an afterthought. Putting in default passwords for development that are not replaced before you go live. Ease of use and security are viewed as being at odds, and we have done a poor job of building platforms that do both.
- Reactionary industry. Organizations have to get a handle on data, threats, and their user base and become more proactive to get ahead of threats. The more we can predict, the more we can prevent. Point zero the point money moves from an account the less of a chance to recover the money. The faster you can identify, you can remediate before the money is lost and be able to do things that don’t blow up in your face.
- I have been watching the debate regarding quantum computing with interest. Once available, this will create a paradigm shift in the demands for encryption and the approach taken. We have been watching this for some time, and it is fundamental to our architecture to make brute force attacks less rewarding for attackers. In addition, the stance taken by major vendors of corporate infrastructure (Microsoft, Google, Apple, Amazon) is to create a single vendor lock-in to critical components as a competitive weapon against the others. This is a no-win scenario for all parties. The logical need is for a well-thought, thorough, and engineered solution that is independent of these big monopolistic vendors that can reduce the number of security solutions needed in an enterprise.
- Lack of encryption.
- From an application security perspective, we just finished a report. Observations: 1) the number of serious vulnerabilities has increased year-to-year, due to the rate at which apps being developed and tested for security is increasing. 2) Microservices, API-first development, and, by implication, agile development has become an excuse for not doing the right thing for security due to weekly sprints. Microservices have many more vulnerabilities per lines of code than traditional applications. The developer develops as he wishes. There is not security oversight. Microservices are supposed to be disposable any work done from a security testing you dispose of security testing done on the microservice.
- We're 25 years into the internet and security is still an afterthought. We are seeing more security embedded into the build. Some of the challenges for protocols. The significance of security as an afterthought comes into play every day. The adoption of security for DNS is low. Internet routing inherently trusts each other without authentication, this creates a large attack surface with "man in the middle" attacks. Security around inherent internet protocols is very concerning.
- Most organizations’ current security posture has traditionally been based on rules and manual effort, and that was largely good enough for most of the last 30 years of distributed computing. But, now, thanks to the changes in threat sophistication and application development, security teams cannot rely on these high-maintenance, slow-moving techniques anymore. That means a mindset shift from prevention to agile detect-and-response. Many organizations are struggling with the technical debt of the previous generation of processes and tools and have not prepared to provide the data collection, analytics and automation capabilities to do truly agile detect-and-response.
- CISOs are turning to technology to help them respond to the increasing number of threats, but the security technology landscape is overwhelming and is filled with hundreds of different products and point solutions to tackle different security issues. Also, many of those products are made to solve today’s biggest security issues, but they don’t offer the flexibility to rapidly respond to new and never-before-seen attacks as they arise. As a result, CISOs have to focus on tools that adapt with them and kick off projects to consolidate and integrate multiple security technologies. That means CISOs won’t be looking for individual products but, rather, integrated security platforms that they can implement over time. They also need platforms that deliver the flexibility to rapidly adapt and respond to new threats as they emerge. CISOs want to hear about solutions that feature heterogeneous architectures, APIs, and open-source software that can adapt and evolve with their businesses going forward.
Here’s who we talked to:
- Jim Souders, CEO, Adaptiva
- Murali Palanisamy, CTO, AppViewX
- Amir Jerbi, Co-founder and CTO, Aqua Security
- Andreas Pettersson, CEO, Arcules
- Dave Mariani, CEO and Co-founder, and Bruno Aziza, CMO, AtScale
- Andrew Avanessian, COO, Avecto
- Nitzan Miron, Vice President Product Management, Barracuda Networks
- Mo Rosen, GM, CA Security, Sam King, GM, CA Veracode, Mark Curmphey, CA SourceClear
- Stuart Scott, AWS Trainer /Cybersecurity Expert, Cloud Academy
- Cliff Turner, Senior Solutions Architect, CloudPassage
- Mark Forrest, CEO, Cryptshare
- Antonio Challita, Director of Product Management, CyberSight
- Doug Dooley, COO, Data Theorem
- Patrick Lightbody, SVP Product Management, Delphix
- OJ Ngo, CTO, DH2i
- Reid Tatoris, Vice President Product and Outreach Marketing, Distil Networks
- Paul Kraus, CEO, Eastwind Networks
- Don Lewis, Senior Marketing Manager, EdgeWave
- Anders Wallgren, CTO, Electric Cloud
- Venkat Ramasamy, COO, FileCloud
- Jesse Endahl, CPO, CSO and Co-Founder, Fleetsmith
- Tom Sela, Head of Security Research and Matan Kubovsky, Vice President R and D, Illusive
- Roy Halevi, CTO and Co-founder, Intezer
- Darren Guccione, CEO, Keeper Security
- Andrew Howard, Chief Technology Officer, Kudelski Security
- Rajesh Ganesan, VP Product Development, ManageEngine
- John Omernik, Distinguished Technologist, MapR
- James Willet, Vice President of Engineering, Neustar
- Gary Duan, CTO, NeuVector
- Randall Degges, Head of Developer Advocacy, Okta
- Dan Koloski, Vice President, Security and Systems Management, Oracle
- Heather Howland, CEO, Preempt
- Randy Battat, CEO, PreVeil
- Arkadiy Miteiko, CEO, QbitLogic
- Linus Chang, Founder, Scram Software
- Altaz Valani, Research Director, Security Compass
- Ed Adams, CEO, Security Innovation
- Neill Feather, CEO, SiteLock
- Oded Moshe, VP Products, SysAid
- Gaurav Deshpande, Vice President of Marketing, Todd Blaschka, COO, TigerGraph
- Matthew Vernhout, Director of Privacy and Industry Relations, 250ok
- Setu Kulkarni, Vice President of Product and Corporate Strategy, Whitehat Security
- Erik Nordmark, Co-founder and Chief Architect, Zededa
Opinions expressed by DZone contributors are their own.