SANS Institute InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Copyright SANS Institute. Author Retains Full Rights.

2014 Trends That Will Reshape Organizational Security
Written by John Pescatore
March 2014

Major Security Happenings in 2013 Page 3
2014–15 Security Predictions Page 5
Impacts and Action Page 15

Sponsored by Sourcefire, now part of Cisco
Introduction

“I was not predicting the future, I was trying to prevent it.”[1]
—Ray Bradbury

The realm of cybersecurity is a target-rich environment—there is no shortage of problems to attack. There is also a wide array of security tools, products and services that organizations can invest in to protect those targets. What tools will make the most impact this year and next? The goal of this paper is to give security managers information to help focus their investments on the areas that are most likely to impact their organizations and customers over the next several years.

One of the few things everyone agrees about in cybersecurity is that it is all about reducing and managing risk. The major components of risk are threats and vulnerabilities, and risk levels go through cycles as threats and vulnerabilities wax and wane. The major factors that cause those elements to vary are changes in technology and changes in business processes.

This report begins by analyzing the relevant changes in those areas and then derives four key technology trends that will have the most impact on cybersecurity programs:
• Choose your own IT (CYOIT)
• Increased virtualization and use of cloud and software-as-a-service (SaaS)
• Supply chain integrity worries
• The Internet of Things/Everything

Each of these trends provides new attack surfaces and targets for increasingly sophisticated cyber bad guys, escalating the risk that organizations will be breached. A common factor across these trends is that they break our ability to control or monitor the flow of sensitive information into and out of the organization. Another is that all are orthogonal to long-standing IT governance practices of standardization and homogeneity: The old mantra of reducing costs, increasing control and increasing security by reducing the number of different devices, applications and services used will no longer work.

What we can say, looking back on 2013, is that those old mantras were not translating into risk reduction. Somehow, IT security groups need to deal with new challenges while demonstrating to management that security spending really can enable risk reduction throughout their enterprises—while enabling business.

No predictions are perfect, but the most useful ones provide insight into meaningful events that are likely to happen, rather than indicating what should happen. The following sections provide the background, rationale and advice for realigning organizational security in light of the evolving cybersecurity and business landscape. Security managers should compare these trends against their own operational business, technology, threat and vulnerability environments to predict their needs and guide security investments and actions.

[1] http://theweek.com/article/index/228878/remembering-ray-bradbury-his-most-affecting-quotes
Key 2013 Observations
After a short look at the most important security-relevant events of 2013, the paper analyzes these factors and presents the key findings as influencing IT spending over the next few years and beyond:
• Less control of user devices means that more security, visibility and control will need to be delivered from the network (either the corporate network or through cloud-based security proxying) rather than relying primarily on endpoint software.
• Perimeter security does not go away either. It will increasingly be delivered in new locations, such as in virtual data center backplanes and at content delivery networks, web security gateways and other cloud-based security proxies. This will be in addition to, not in place of, delivery at the traditional enterprise perimeter.
• As a result of the cloud, bring your own IT and Internet of Things (IoT) trends in 2013, there will be more demand for persistent data encryption, but implementation barriers will remain high. Over the next 18 months, use of data encryption will grow, but it will not come close to reaching the point where it obviates the need for other security controls to prevent disclosures.
• Increased evasion by bad guys, as well as increased use of SSL by good guys, drives demand for on-the-fly decryption. Security products and services will increasingly incorporate hardware-accelerated SSL and IPSec decryption as integral capabilities.
• Security at the application level will happen before security at the data level. Because threats change faster than applications, successful deployments of application-level security controls will emphasize integration with dedicated standalone security controls.
• Mobile malware will not be a major threat factor, but information leakage through mobile applications will be. Mobile device management and network access control security controls will be expanded and integrated to mitigate mobile application risk.
• Demand for product security testing prior to procurement will increase. Industry procurement practices and regulatory guidance will require that security testing be demonstrated prior to purchase for all critical infrastructure procurements within the next 18 months, and more broadly by 2017.
• The major advances in threats will be increased targeting and customization. Threat advances will lead to improvements in prevention, driving deployment of more rapid internal monitoring, detection and forensics capabilities for security before, during and after an attack.
• New frameworks, legislation or regulations will increase reporting burdens on security managers rather than lead to increases in security. Advances in security will come from improving the effectiveness and efficiency of existing controls and freeing budget to invest in evolving to the more continuous, next-generation architectures and automated processes needed to prevent, detect and respond to events.
Major Security Happenings in 2013

Predictions form the basis for personal and organizational changes. To make any meaningful predictions about the future, it is important to understand the impact of events of the present and the near past. In the past 14 months, security issues have made mainstream press headlines, with a steady flow of data breaches reported (see Figure 1).

Figure 1. Data Breaches Within a 14-Month Period Circa 2013[2]

However, four major events in 2013 caused enormous hype that will have major impact on the security trends we will see in the next 18 months:

Advanced Persistent Threats (APTs) from China
In February 2013, Mandiant released its APT1 report, detailing the activities of Chinese-sponsored cyber espionage attacks.[3] While similar financially motivated advanced targeted attacks against businesses have been common since 2008 or so, the association of attacks with state sponsorship by China created an enormous hype wave that elevated the visibility of such attacks to CEOs and legislators.[4]

[2] Taken from www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks
[3] “APT1: Exposing One of China’s Cyber Espionage Units,” http://intelreport.mandiant.com
[4] “Strategies for Dealing With Advanced Targeted Threats,” August 5, 2011, G00215466, www.gartner.com/doc/1760819
Executive Order 13636/PPD-21
Also in February 2013, President Obama signed Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity,” and Presidential Policy Directive (PPD) 21, “Critical Infrastructure Security and Resilience.” In his State of the Union Address that same day, the President said:

America must also face the rapidly growing threat from cyber attacks. We know hackers steal people’s identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.

This led to a yearlong effort by the National Institute of Standards and Technology (NIST) to get public input on a national “Cybersecurity Framework,” which culminated in the February 12, 2014, release of the “Framework for Improving Critical Infrastructure Cybersecurity,” along with a Roadmap document providing a high-level outline of the plan for evolving and expanding the framework.[5] The roadmap indicated that the initial high-priority areas for additional work are authentication, automated indicator sharing, conformance assessment, cybersecurity workforce, data analytics, federal agency/international cybersecurity alignment and supply chain risk management.

Analysts estimate this incident will cost Target over $1 billion, whereas Target has publicly estimated that it would have cost $50 million to implement chip-and-PIN technology in the point-of-sale systems that would have prevented the breach.[8] However, Target had rejected the new technology in an earlier trial when it found that it slowed down in-person transactions.

[5] www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm
[6] http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline
[7] https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company
[8] www.prairiebizmag.com/event/article/id/17645
2014–15 Security Predictions

The most valuable security predictions are about what will happen, not what should happen. What will happen is bounded by what can happen and is only marginally impacted by what should happen. We have all known for many years that users should replace reusable passwords, developers should write software more securely and organizations should value security as a core business requirement and product feature. But, over the years, very little of what should happen has happened.

Because of the focus on what should happen, most security predictions take the form of statements such as, “Since major security incident X happened, everyone will radically change to focus on security area Y.” These predictions are inevitably wrong because real-world security programs operate under a number of real-world constraints:
• Business and financial realities determine what is considered a business priority and limit radical

In order to do this, we look at four key areas of change over the 2014–2015 timeframe, in order of importance: business and technology, vulnerabilities in products and services, threats by malicious actors and legal/regulatory demands.

Business and Technology
Although most of the press focuses on threats and attacks, business changes (and business-driven technology changes) are the leading indicators of coming impacts to security programs. For example, back in the 1990s, business demand for personal computing and storage led many IT organizations to standardize on Windows to reduce administrative overhead. Unfortunately, this trend also had a downside no one predicted: Too much homogenization of operating systems resulted in denial-of-service damage by worms, such as Code Red, Nimda, Slammer and Blaster, in the 2001–2003 timeframe.[9]

The next business trend, demand to reduce the cost of quickly reaching customers, led to the use of email and websites for transmitting sensitive information. The demand for speed led organizations to update web applications rapidly and constantly, without taking sufficient time to remove common vulnerabilities, such as SQL injection and cross-site scripting. This has resulted in phishing, drive-by, watering hole and other such attacks becoming a common means of infecting endpoints and getting around perimeter protections.

[9] www.sans.org/reading-room/whitepapers/malicious/internet-worms-walking-unstable-ground-1229
Gartner’s hype cycles are good sources of information for separating the hype from reality around business and technology trends. The Gartner Hype Cycle for Strategic Business Capabilities, 2013 report shows several meaningful areas that are either already past the “Trough of Disillusionment” or rapidly moving through it toward the “Plateau of Productivity,” as illustrated in Figure 2.[10]

Figure 2. Gartner’s Hype Cycle for Strategic Business Capabilities[11]

[10] www.gartner.com/newsroom/id/2575515
[11] Taken from www.gartner.com/newsroom/id/2575515
Business Driving Technology
New technologies frequently result from changes in business practices, where leading-edge suppliers seek to address business needs with innovative products and services. Here are just a few of the areas where business is driving technology changes that will impact security programs:
• Business process outsourcing will continue to drive adoption of software-as-a-service (SaaS) and other cloud-based services.
• Supply chain management, traceability and provenance—combined with concerns about technology being compromised or containing backdoors—will increase demand for preprocurement security evaluation of critical IT components.
• Mass collaboration will continue to drive the “choose your own IT” trend, as businesses push to allow employees, business partners and customers to create information, make transactions and access data from any device, anywhere.
• Mobile commerce will drive new wireless payment mechanisms and further accelerate the rapid expansion of the Internet of Things, because low-cost/low-power wireless connectivity enables both new revenue models and new approaches to cost reduction, such as advanced energy management and smart buildings.

Technology Driving Security
Using the above business trends as the drivers, we believe the following technology trends will have major impacts on security programs over the next 18 months.

Choose Your Own IT. The consumerization of IT is defined as the ability of non-IT people to acquire, deploy and use consumer-centric IT solutions to get their jobs done. Bring your own device (BYOD) was the first major manifestation of this trend, and surveys show that large percentages of employees today are already buying and using personally owned smartphones, tablets and personal computers (see Figure 3).[12]

Figure 3. Percent of Employees by Geography Using Personally Owned Devices for Some or All Work Tasks (from “Bring Your Own Device: The Facts and the Future,” Gartner, April 13, 2013, page 10)

[12] “The consumerization of IT-The next-generation CIO,” www.pwc.com/us/en/technology-innovation-center/consumerization-information-technology-transforming-cio-role.jhtml
However, the term BYOD puts too much focus on the devices themselves. Mobility—getting work done from anywhere at any time—is the business driver, which leads to much more than just personally owned devices replacing corporate-owned devices. The real security issue is that the majority of users will use a mixture of a work-supplied device, one or more personally owned devices—and a vast array of cloud-based services, ranging from SalesForce.com to DropBox to Facebook. To capture the full impact of this trend, we are using the term choose your own IT (CYOIT).

Mobility and CYOIT have characteristics very different from previous IT waves in two ways:
1. Heterogeneity. There will never again be one vendor or one operating system that gains 90 percent market share. There will generally be three major players splitting 70 to 80 percent market share, and most enterprises will have to support all three. The three leading vendors or operating systems will change every two to three years.
2. App Stores. Users of smartphones and tablets have shown they prefer the App Store model over the chaos of the PC-era “anyone can install anything” model. The App Store model actually has many security advantages—if done well by the proprietor. If done poorly (results to date are mixed), App Stores represent an enormous attack surface.

Increased Virtualization and SaaS/IaaS. Virtualization is no longer a trend, it is an IT reality. The tipping point occurred in 2012, when more than 50 percent of the installed enterprise server base consisted of virtual machines. At that time, the majority of new server images were being deployed on virtual infrastructure, according to Gartner. Virtualizing a data center is the first step toward a private cloud—72 percent of data center managers report they will be using the private cloud by year-end 2014, as shown in Figure 4.[13]

Figure 4. Private Cloud Deployment in 2014[14]

The CYOIT trend essentially results in an extended network that includes all endpoints—mobile, virtual or in the cloud, as well as the data center—and poses new challenges for organizational security.

[13] “Private Cloud Matures, Hybrid Cloud Is Next,” Thomas J. Bittman, www.gartner.com/doc/2585915
[14] Taken from “Private Cloud Matures, Hybrid Cloud Is Next,” Thomas J. Bittman, www.gartner.com/doc/2585915, page 5
Once enterprises mature their use of a private cloud, integration with external SaaS and infrastructure-as-a-service (IaaS), known as a hybrid cloud, is usually not far behind. The same Gartner data center survey reports that 70 percent say they will be using a hybrid cloud (see Figure 5).

Figure 5. The Use of the Hybrid Cloud Will Increase in the Near Future[15]

GigaOM research data shows that 63 percent of enterprises are already using one or more SaaS providers and 45 percent are already using IaaS.[16] An IBM report shows that close to half of SaaS adopters see competitive advantage in addition to cost savings.[17]

Supply Chain Integrity. Calendar year 2013 was a big year for publicity with respect to Chinese APTs and the Snowden leaks of classified information. Both have raised the visibility of supply chain integrity. How can a business be sure that mission-critical technology or cloud services from overseas providers have not been compromised?

The world has flattened, and all business is global business. The lure of lower costs from overseas technology and service providers is too powerful for business leaders to resist. An illustrative example is British Telecom’s choice of the Chinese firm Huawei as the telecom infrastructure provider for the UK 21st Century Network upgrade over North American and European providers. The UK government decided in 2010 that, while it had strong concerns over Huawei’s connections to the Chinese government, it could not ignore the advantages of Huawei’s proposal over competing bids. Now the UK tests all Huawei equipment for vulnerabilities, backdoors and other malware prior to deployment and can reject the equipment if testing reveals anything suspicious. Proposed legislation in the US has suggested a similar approach.

A Gartner strategic planning assumption captured this trend: “By 2020, at least one consumer product manufacturer will be held liable by a national government for security vulnerabilities in its product.”[18]

[15] Taken from “Private Cloud Matures, Hybrid Cloud Is Next,” Thomas J. Bittman, www.gartner.com/doc/2585915, page 6
[16] www.forbes.com/sites/louiscolumbus/2013/06/19/north-bridge-venture-partners-future-of-cloud-computing-survey-saas-still-the-dominant-cloud-platform
[17] www.cloudpro.co.uk/saas/3750/competitive-advantage-not-penny-pinching-is-drawing-firms-to-saas
[18] “Security and Risk Management Scenario Planning, 2020,” May 30, 2013, G00250811, page 2.