2017 Information Security Predictions

As we roll into another new year, information security leaders must focus on tangible improvements.  In 2017, industry regulations will get more difficult and advanced threats won’t be slowing down. Prioritization of security initiatives is still a challenge in most organizations. Information security leaders must focus on incrementally improving, not trying to deal with every risk and gap in their organization, and not chasing every new or “hot” technology.

I’ve been working in IT for almost 20 years and within information security/cyber security for many of those years. I’ve worked as part of internal security engineering and operations teams, as a consultant, and as a leader running a professional services team. What I have realized along the way is, industry predictions are useless to someone unless you can apply them to your current organization or role. With that being said, these are predictions that I believe will have the most relevance to the general information security population out there today.

CYBER INSURANCE ON THE RISE

What does the future hold for cyber insurance? Only time will tell. I believe organizations should be prepared for “acceptable loss” to their organization. Organizations are realizing that transferring some of their risk with insurance is their best bet. We continue to see breaches occur and the return on security investment with security personnel and technologies are hitting some all-time lows. And we will see smaller companies be targeted more. Malicious actors can get their hands on valuable information to enrich the already compromised data they are collecting and combine it with new stolen data to make it more valuable.

As cyber-attacks become more of the norm and the damage from those attacks become more widespread, my bet is that:

• Cyber insurers will cut back on their liability offerings.
• Cyber Insurance companies won’t be issuing out claims so easily.
• Cyber insurers will drive more incentives for customers with proven and effective risk management, better detection and prevention tools, and strong incident response capabilities.

HIGHER ADOPTION RATE OF MSSPs

We continue to hear the same common themes in the industry. Info Sec teams are running lean, lack of properly skilled people to fill their open roles, heavy operational burden of security operations, long time to see value with their technology solutions, too many alerts to deal with, moving more to the cloud, etc. Organizations are not building up their internal security operations talent at the necessary pace. Demand for good information security professionals will grow at a high pace in 2017. 

Enough said? Most internal organizations haven’t figured out a way to clone their people or create enough time in their days to be able to effectively manage Information Security Operations, as it relates to protecting their organizations as things evolve.

If we don’t see a dramatic uptick in managed security services providers and more organizations relying on them, then I would be shocked!

BETTER DETECTION AND RESPONSE CAPABILITIES

Organizations will focus on getting better at the detection of bad things, especially on the endpoint platforms. More effective “EDR” capabilities built for the endpoint need to be able to tie into the holistic security strategy.

Also, newer technology spaces such as the Deception Technologies will enhance malware detection capabilities and may prove harder for the bad guys to carry out successful attacks. This is an area that my ethical hacker friends seem to think will make the job of the attacker harder to perform.

Let’s face it, there are so many security technologies, kind of like when you sit down and look at a Cheesecake Factory menu? So, how can you make a good decision when choosing a new technology investment? What steps can we take towards making security easier to manage, with less noise? Who needs to be involved in the decision making process? What requirements and use cases are most important in supporting IT and the overall business? How can you measure the effectiveness of your technology investments over time?

The industry is spending billions on security technologies, and still seeing breaches continue, so take the time to make the decision an informed and business aligned decision, not a reactive one.

PREDICTION TECHNOLOGIES

Prediction technologies will continue to emerge as the “next best thing since sliced bread” in security. 

• Machine learning, Math modeling, artificial intelligence, behavioral analytics are being built into more detection and prevention technologies and their capabilities over time have been advancing.
• These techniques will become key within an organization’s security operations in helping them anticipate where and when the bad things happen.

The end goal here is that these solutions will be more accurate (i.e. less false positives) and intelligently identify as well as predict attacks by correlating their data to real attacks.

Back when I first watched the movie, Minority Report in 2002, I was pretty jazzed up thinking about how predictive analysis technology could be used could help prevent crimes before they even happened. Well this technique has proven to be effective at predicting information security threats before they were actually carried out. Fast, effective, and pretty darn accurate. That’s what this industry needs more of. No one machine or technology is flawless, but this is getting us closer.

SAFE CLOUD ENABLEMENT AND PROTECTION

As more organizations continue migrations to IAAS/PAAS/SAAS models or currently utilize cloud based services to store their company information in the cloud (their employee, customer or partner data, their intellectual property, their R and D, etc.), the malicious actors will find more ways to access that data.

Technologies that can help secure the cloud workloads and automate provisioning of systems, managed accounts and access, and provide visibility and controls into your data i.e. Cloud Access Security Broker (CASB) will prove to be very valuable as the IT landscape continues to migrate to hosted solutions. Bad actors will look to gain access to credentials of cloud services as one of the primary vectors in. Protect Your Identities (yes, they are your organization’s perimeter). Cloud-based social engineering tactics that will continue to rise in order to gain account credentials.

FOCUS ON PROTECTION OF IDENTITIES

Who’s sick of hearing about security breaches where email phishing or social engineering were used, account credentials were stolen, and credentials were used to carry out an attack? If we improve in the area of Identity Protection, which I’m also lumping in Security Awareness User Training, then we will be in a much better place.

Effective training to help better equip users will prevent social engineering and phishing. A combination of human-interactive and computer-based training seems to be the most effective.

So now let’s talk about solutions as it relates to protecting your users. Focus should be in the areas of:

• Identity and Access Management Centralize identity management and minimize the pain of your user’s related to an extra step when logging in.
• Privileged account management (local and directory services accounts)
• Single Sign On (where it makes sense)
• Better password policies (before the death of passwords)
• "No password" authentication (biometrics, geo location, pictographs, and Bluetooth proximity)
• Multi factor authentication No brainer! Implement it as much as possible, wherever as possible.
• User and Entity Behavioral Analysis Whether it’s getting more from their existing systems, i.e. SIEM, Security Analytics tools, and/or looking a bit deeper into how UEBA vendors, this is a challenge most organizations are having a difficult time tackling.