Posts

Cybersecurity in the Next Decade – Proficio’s Projections for the 2020s

2019 was another busy year for cybersecurity professionals. There were more security incidents than in any previous year, and they included some of the largest breaches of all time. According to Forbes magazine more than 4.1 billion records were compromised.

Looking forward to the next decade, we expect cyber defenders to still face many challenges. Fueled by the growth of the Cloud, IoT devices, and mobile, the attack surface will continue to grow exponentially. Cybercriminals have been using Machine learning and will expand on its use in the coming year. Nation States will invest more in cyberwarfare to target government, Critical infrastructure, and organizations.

Proficio has been providing our clients managed security services for nearly a decade. Our understanding of the cybersecurity landscape is informed from being both a user and a provider of cybersecurity technology. The following projections define 10 important changes that we see driving the cybersecurity agenda over the next decade:

  1.  AI Gets Real AI Cybersecurity

At Proficio, we have been both experimenting and deploying Machine learning (ML) for years. We think ML is now transitioning out of the early stages of the Hype Cycle into the early stages of broader adoption as a credible cybersecurity technology necessary for a meaningful part of any cyber defense arsenal and playing a significant role for Incident Response (IR) and Security Operations Center (SOC) teams.

There’s been a lot of talk about the potential for ML to replace Level 1 or 2 Security Analysts. We strongly disagree. We see ML as a tool that augments Security Analysts, helping them to identify relationships between seemingly unrelated events, cutting out false positives, and detecting anomalies. Combined with threat intelligence, ML will enable security teams to detect and respond to security incidents faster, more effectively, and with far fewer people than would otherwise be possible.

  1. Automation to the Rescue

Talk to any CISO and it won’t be long before you hear an anecdote that illustrates the cyber skills gap. Conventional wisdom is the shortage of cyber professionals is now measured in millions, and when you peel back this issue, the gap is more complicated by the range technologies used to ensure a strong cyber defense. In addition to Security Analysts, Incident Responders, and SIEM Engineers, organizations are now in need Data Scientists and ML Experts.

We don’t expect the cyber skills gap to go away in the 2020s, but there is light at the end of the tunnel in the form of SOAR (Security Automation, Orchestration, and Response). Proficio was the first MSSP to create a proprietary SOAR platform and today automation plays a significant role in the services we deliver.

SOAR platforms promise to help SOC and IR teams reduce response times, cut down on manual work, and engineer repeatable, semi-automated processes. By creating standardized, repeatable processes — and automating them where possible — SOAR reduces the burden on security teams. In addition, a SOAR platform integrates with other technologies and provides a single orchestration interface for security teams. Instead of learning to use five or more different tools, security engineers need only become accustomed to a single interface that is integrated into their operational processes.

  1. GDPR Goes Global

Since the General Data Protection Regulation (GDPR) came into effect in May 2018, organizations with EU customers have had to step up their data privacy compliance processes and systems.

Historically, the major compliance frameworks (PCI-DSS, HIPAA, ISO27001, etc.) were akin to audit checklists. So long as you ticked off certain requirements — and you could prove it — your job was done. It didn’t matter if you were actually secure, as long as you followed the rules.

But GDPR changed the game. Now, instead of a checklist, organizations are responsible for collecting, analyzing, and acting upon security data to ensure the ongoing protection of sensitive assets. If an organization is breached, and sufficient action wasn’t taken to prevent it, irrespective of any checklist, large fines will follow.

We believe that in the next decade GDPR like regulations will be adopted by most developed nations, and the afore mentioned industry specific compliance regulations will adopt a similar stance and have already started to do so.

  1.  The Cloud is the Thing

In terms of decades, if the 2000s were about defining the perimeter and improving perimeter security controls and the 2010s we same the introduction of evasive techniques and more sophisticated maleware that evolved over time bringing about the need for next generation technologies, including endpoint, firewalls and software defined perimeter controls within virtualized platforms, the 2020s will significantly expand on the extension of the security controls into the cloud as the adoption of cloud and hybrid architectures become more mainstream.

Data and applications have been moving to the cloud for a while now. Not only are cloud environments more complex to secure than local datacenters, they’re also vulnerable to a wider range of cyberattacks. For these reasons, some organizations have avoided a complete move to the cloud in favor of a hybrid approach.

Over the next decade, security and IT leaders will need to look for ways to secure complex, multi-cloud environments while retaining control over how cloud services are consumed. IT will need to find a way to be an enabler within the organization by defining standards that allow for the adoption of cloud technologies and limit shadow IT.

Cloud Access Security Broker’s will continue expand its use as more organizations consume cloud services in all areas of their business operations. This is a key enabler that protects corporate assets and data, reduces the burden on IT, and allows the business to explore new and improved technologies that better enable them.

We expect the compensating controls within big cloud infrastructure platforms — Azure, AWS, and Google Cloud, among others — to mature. This is an inevitable response to a clear business need, as cloud providers seek to keep customers ‘on brand’.

Security leaders will need to ensure that tools being used to secure traditionally hosted data and services also extend to the cloud. This may take time to fully realize because many security tools currently don’t work well in the cloud. However, now that cloud usage has become the norm, security vendors are scrambling to ensure their tools remain relevant, you will also continue to see cloud focused security vendors becoming more relevant and even prominent amongst the startups.

  1.  Marie Kondo for Security Tools

When organizations began to take cybersecurity more seriously, they went on a security tool buying spree resulting in a proliferation of tools that often did not work together. This was made worst by the abundance of Cybersecurity startups that claimed to be the next best thing and were trying to define a new market, which has created significant confusion in the industry compounded by baseless opinions often using marketing and global reach as an indication of effectiveness of a technology.

There were two big problems with this approach. First, it was expensive. Second, it introduced another problem: The hidden cost of resources to manage these tools, a “Best of Breed” purchasing strategy creates unnecessary complexity in the architecture requiring more trained resources to manage all the technologies in alignment with the vendor recommended best practices. This approach generally results in duplication of functionality across technologies and as a result ineffective implementations and underutilization of the investment.

Cybersecurity industry is slowly maturing, organizations are realizing that they can’t solve all security problems by purchasing extra tools. It’s often quite the opposite. They need to simplify their technological footprint while focusing on the other two components of a functional security program: a strong team and effective, repeatable processes.

Similar to Marie Kondo’s approach to simplifying and organizing household belongings, we expect security leaders to see that their teams are better off maximizing the value of a handful of core tools rather than they are using just 5-10% of the functionality of many disparate technologies, we expect smarter purchasing decisions that factor in cross vendor integration capabilities or through consuming technology as a service from an MSSP focusing their buying decision on a business outcome.

5G Globe

  1.  The Rise of 5G

The 2020s will be the decade of 5G. Any time there is a greater than 10X change, you should expect significant related affects. The promise of 5G is to improve mobile data rates and latency by 50 to 100 times. This technology will enable new applications, restructure cloud architectures, and notably be used in mission critical enterprise applications like factory automation, robotics, transportation, and more.

5G will accelerate virtualization, proliferate distributed edge networks, and enable hackers to attack more devices at faster speeds. Cyber defenders will need to respond with new policies, security virtualization, tighter access controls, and approaches to device authentication. Next generation endpoint security technologies will need to be far more effective on mobile technologies being more effective of locking down the OS of the devices and access to the hardware capabilities and apps. Think crypto jacking on mobile devices as an example of an attack type that would become viable.

  1.  The SOC of the Future

A Security Operations Center or SOC is the nerve center where a team of security experts monitors and responds to cyber threats on behalf of their organization. Proficio operates a global network of SOCs and is leader in innovating how SOCs operate for maximum effectiveness.

Over the next decade we expect the way SOCs function to change in a number of ways;

Historically, security event monitoring and response has been log-centered. If a log entry flagged as suspicious, an alert was created and investigated by a security analyst. This approach is problematic when it comes to unknown threats because, until a threat has been seen and reported, there’s no rule to detect it. Unless an organization has an active threat hunting program in place, such threats can go undetected for some time. Keep in mind that the current industry average for mean time to detection of a breach is 200 + days.

We expect SOCs to adopt frameworks like the MITRE ATT&CK which encourages security teams to think in terms of tactics, techniques, and procedures (TTPs). While a new threat may contain hashes, C&C infrastructure, or URLs that haven’t yet been categorized as malicious, only a tiny proportion of threats use completely new and innovative TTPs.

As a result, a security program that’s setup to identify TTPs (rather than specific indicators) is much more likely to identify attacks and breaches.

For many organizations, a fully-functional 24/7/365 operation is essential to ensure the ongoing security of sensitive data and assets. For all but the largest and most profitable organizations, however, building a security function of this magnitude is simply not financially viable. Currently the minimum viable number of resources for an average organization of about 3000 employees, to implement a 24X7 SO operation, is 27, this gives them the minimum viable for shift coverage, and this assumes a well rounded optimized technology stack for security control enforcement and monitoring. The challenge with this is that your resources would only have an effective average utilization of less than 20%, which is not very conducive to staff retention . Add this to the ever-present challenge of the cybersecurity skills gap, and it’s easier to understand why many organizations will turn to Managed Security Service Providers (MSSPs) to supplement the capabilities of in-house resources.

Women represent about a quarter of the cybersecurity workforce. We expect this percentage to increase considerably over the next decade with the consummate benefit of reducing the shortage of cyber professionals and adding diversity.

  1.  More Intelligent Patching

Vulnerability Management is key to a mature security program. However, VM Scans can generate so many vulnerabilities that IT teams only have the resources to patch a fraction of the hosts and devices identified as requiring updates. Sometimes the quantity of alerts can be so overwhelming that it slows down remediation or results in no action at all.

The solution to this challenge is to prioritize based on the risk of a vulnerability being exploited in the context of the criticality of the asset, industry vertical, and level of known activity in the wild. Vulnerability Management needs to become a process that prioritizes based on risk, includes expert advice on the best approach to remediation, and measures and reports on progress.

We see Risk-based Vulnerability Management becoming standard to most organizations over the next decade.

  1.  Don’t Forget Humans are Fallible

Human error is the second most common cause of a security breach. Human errors range from configuration errors on cloud architectures, servers and security devices to failure to follow organizational policies by administrators and users alike.

Humans are not going to change. So, to compensate for this reality we urge IT leaders to prioritize training, process control, and use technology where possible to automate tasks and detect issues resulting from simple mistakes.

  1. In the End It’s All About Risk

It is inevitable that most organizations will experience a security breach at some time. The operational priority for any organization is to quickly detect and remediate a breach.

In the 2020s, we expect IT leaders will increasingly need to explain the magnitude and types of cyber risk that apply to their organizations and provide their executive teams with strategic options to reduce risk.

Shareholders and customers want to understand what organizations are doing to protect important assets and data.

Up until now, security leaders have been forced to spend a huge amount of time preparing reports for board and stakeholder consumption. Many resorted to Excel and manual databases because alternatives weren’t available.

Over the next decade, security leaders will rely on business intelligence dashboards that show the threats facing their organizations and trends by type of attacks and attack targets. These dashboards will summarize the organization’s security posture, identify gaps, and compare risk with that of industry peers in near realtime as apposed to a monthly point in time based on sometimes limited and stale data. Proficio’s ThreatInsight is an example of such a dashboard

2020s: A Decade to Embrace Change

As we wave goodbye to 2019, we are excited about the changes that the next decade will bring and looking forward to helping our clients protect their data and brand.

From all of us at Proficio, we wish you a safe and successful 2020.

 

Happy New Year 2020

 

What Your Business Needs to Know About How to Comply With the GDPR

Data security is a global problem that crosses all international borders, time zones and currencies. Cyber criminals based in one part of the world can freely target companies or individuals across the globe in a matter of seconds. Therefore, your organization’s cybersecurity posture must be agile and able to monitor, detect and respond to incoming threats regardless of the time of day, your nation’s native language or other considerations.

In response to the fast-changing global cybersecurity landscape, legislators in the European Union recently adopted a unified data security law that is intended to help bolster cybersecurity in that part of the world.

GDPR | Proficio

What is the GDPR?

The European Union General Data Protection Regulation (GDPR) is the most significant change to data privacy in the EU in more than two decades. The new law replaces the Data Protection Directive 95/46/EC, which was adopted in 1995, and is intended to standardize data privacy laws across the EU. 

When it goes into effect, the full text of the GDPR will apply the same data security rules and standards for all companies offering goods and services in the EU, both those based in the EU and those located outside the union, but doing business with EU citizens.

When Does the GDPR Go Into Effect?

The GDPR was approved by the European Union Parliament in April 2016 to go into effect two years after that approval. Therefore, enforcement of the new law is expected to begin in May 2018.  Proficio has expert cybersecurity analysts on staff who can help your company gain compliance with the GDPR or any other compliance regulation, such as HIPAA or PCI DSS. 

What Counts as “Personal Data” Under the GDPR?

The GDPR regulates the collection and storage of “personal data.” Under the law, personal data is defined as any information related to a natural person, or “data subject,” that can be used to directly or indirectly to identify that person. Personal data could be a person’s name, an identification number, location data or an online identifier such as a digital advertising “cookie” or an IP address. Factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person might also constitute personal data under the GDPR.

Sensitive personal data is further defined in the law as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and data concerning a person’s health or sex life. Data relating to criminal offenses and convictions also are treated by the GDPR as sensitive personal information, which is subject to additional protections and restrictions under the new law.

Which Businesses are Covered by GDPR?

It is important to note that the GDPR governs all companies that offer goods and services and covers more than just business or organizations that are based in the EU. (Tweet This Stat!) The GDPR is far-reaching and will apply to companies that are located outside the EU if they offer goods or services to, or monitor the behavior of, EU residents. Therefore, all companies or organizations that process or hold the personal data of data subjects residing in the EU will be covered by the law, regardless of the company’s physical location.

What are the Primary Changes in the GDPR?

The most significant change to data security in the EU contained in the GDPR is extended jurisdiction of the law. The reach of the GDPR is being expanded to encompass all companies processing personal data of EU residents, even those companies based outside of the EU. Driven by recent court cases that were unclear on whether previous data security laws applied to companies based outside of the EU, legislators expressly stated that the law will apply to any processing of data from EU sources, whether or not the company doing the processing is based in the EU.

The penalties for violating the GDPR also have been beefed up, providing for fines up to four percent of a company’s annual revenue or 20 million euros, whichever is greater. Companies that do not have sufficient customer consent to process consumer data or otherwise violate the terms of the GDPR could face stiff fines.

A third major change that the GDPR imposes that was not part of previous EU data security laws is regarding consent. Under the GDPR, companies will no longer be able to use confusing illegible terms and conditions filled with hard-to-understand legal terms. Instead, the request for consent to collect or store personal data must be intelligible and easy to access, using clear and plain language. Consumers must also be able to withdraw their consent as easily as they gave it.

Breach notifications are another major change in the GDPR and will become mandatory when a data breach is likely to result in a risk for the rights and freedoms of individuals. The breach notification must be issued to customers within 72 hours from when the company first became aware of the breach.

What About Brexit and the GDPR?

With the United Kingdom leaving the EU, many questions are being raised about whether residents of England, Scotland, Wales and Northern Ireland will be covered by the GDPR. While the answer remains in flux, the current posture is that if your company processes data while selling goods or services in other EU countries, then compliance with the law would be required for transactions involving UK residents, even after Brexit.

However, if your business activities are limited to the UK, the answer currently is less clear. The UK government has said it will adopt similar or equal data security to what is in the GDPR, but a decision on how the matter will be governed by the UK in a post-EU world is not yet known.

If the matter is not sorted out by May 2018 when the GDPR goes into effect, the old adage of “better to be safe than sorry” would apply and companies would be advised to meet the GDPR requirements for collecting and storing personal information, even for UK residents, at least until a clearer path forward is defined.

What Your Organization Can Do Now to Prepare for the GDPR

The new GDPR rules and regulations don’t go into effect until May 2018, but there are steps that can be taken before then to help prepare your organization to comply with the changes.

  1. Review your current data collection and processing procedures and determine whether your organization is handling data that falls under the GDPR’s expanded definitions for personal data. In particular, be aware of what can be included as an “identifiable natural person” as it relates to the definition of personal data.
  2. If your company or organization relies on consent for gathering personal data, review your current consent mechanisms to ensure they meet the stronger requirements in the GDPR.
  3. Review the data protection language your organization currently uses in HR, IT and other department policies and update them as necessary to reflect the coming changes from the GDPR.