Jamie Graves, PhD, co-founder and CEO of ZoneFox, takes a look back at 2016’s cyber threats and explores what the future may hold for cybersecurity.
Cybersecurity is by no means static. It is, in fact, the dynamic nature of this industry – and its threats – that keeps things interesting. It’s been years in the making, but until recently cybersecurity was not really a practice as much as an add-on concept for IT solutions to help ensure that introducing new tech into an environment would not result in compromise. This year has definitely highlighted that to date, nobody is safe from cybersecurity threats.
On that note, however, many have decided to take up the challenge of making the workplace safer for users to get work done without compromising organisational assets. The cybersecurity world will remain dynamic for the foreseeable future, but some elements – of course – will remain the same. Here are some of the big hitters from 2016, as well as a few predictions; the good, the bad, and the ugly, for cybersecurity in 2017.
2016 in a nutshell
The year 2016 has been a wild ride in cybersecurity. Many more vulnerabilities are being classified by Microsoft as critical; in fact, they’re looking at a three-year high for critical vulnerabilities! Ransomware variants are coming out fresh off the press almost daily, bypassing email security appliances and users’ discerning eyes, and affecting thousands of people by the day. The trend of scorning (to some degree) prevention measures, and switching emphasis to detection and response is still alive and well, but 2016 also showed some eye-opening advancements in detection capabilities.
The Internet of Things (IoT) is being leveraged for major-scale denial of service attacks through the now open source Mirai malware. One of the bigger surprises at the beginning of the year, however, has been the lust for organisations to adopt a risk-based cybersecurity strategy without hiring a CISO. Here at the end of 2016, however, the word ‘CISO’ has become ubiquitous in the industry, and organisations around the globe are scrambling to get one of these cybersecurity unicorns in their bullpen. Times, they are a changin’.
Looking into the crystal ball…
Our next year in cybersecurity looks to be very interesting. On one hand, we have the bad guys who are doing their darnedest to bypass any safeguards put in place by the white knights of cybersecurity in order to extort the innocent. On the other hand, we have a focus on machine learning and user entity behavioural analytics (UEBA) features that provide a new level of detection of these attacks for the good guys. Mobile malware will keep going strong in 2017 since phones are still rootable, and we will see more attacks like those leveraging the Mirai malware or various ransomware variants.
One has to wonder: will 2017 be based more on recovery than detection and containment? The chances are slim, but one dark horse may come back to the forefront in the year 2017: prevention.
Conventional prevention measures such as those provided by firewalls, next-generation or otherwise, will not be enough. Prevention, however, goes much deeper. Why are attacks such as the Mirai malware able to thrive in the wild? Because our software and system development practices are currently lacking appropriate cybersecurity controls. Why is ransomware still a threat? Because people will still launch an attachment from an email message they receive, regardless of whether or not they know the sender. In 2017, prevention will be associated with managing vulnerabilities; those of both the technological and the human type.
In 2017, prevention will be enhanced with two initiatives. Static and dynamic application security testing (SAST and DAST, respectively) will become more common in the DevOps world – enhancing (or creating) a secure software development/delivery lifecycle within organisations (and hopefully app stores). Patching system vulnerabilities may still lag, but one can hope that browsers and applications such as Flash and Java will be patched in a timely fashion.
Vulnerabilities of a human nature will be mitigated through regular user awareness training. There are several platforms that provide test-phish emails, as well as remedial training for those who continue to click on links that they should not. Although prevention will become a cyber focal point, we will still need advanced detection. The next year will see even further advancements in UEBA technologies, leveraging machine learning to detect the bad guys – hopefully before they can do too much damage. Containment of ransomware, data theft attempts, unauthorised access, and other unsavoury activities will be made easier with these cutting-edge technologies in your arsenal.
Needless to say, 2017 is going to be exciting for cybersecurity practitioners. There are a lot of threats coming our way, as always, but with the advancement of detection tools, emphasis on vulnerability remediation as a prevention measure, regular user education, and the ubiquity of the CISO role and risk-based methodologies… we got this.