2014 Trends That Will Reshape Organizational Security

SANS Institute InfoSec Reading Room
Written by John Pescatore, March 2014
Sponsored by Sourcefire, now part of Cisco
©2014 SANS™ Institute

Contents
Introduction
Major Security Happenings in 2013
2014–15 Security Predictions
Impacts and Action

Introduction

"I was not predicting the future, I was trying to prevent it." [1]
—Ray Bradbury

The realm of cybersecurity is a target-rich environment: there is no shortage of problems to attack. There is also a wide array of security tools, products and services that organizations can invest in to protect those targets. What tools will make the most impact this year and next? The goal of this paper is to give security managers information that helps them focus their investments on the areas most likely to impact their organizations and customers over the next several years.

One of the few things everyone agrees on in cybersecurity is that it is all about reducing and managing risk. The major components of risk are threats and vulnerabilities, and risk levels go through cycles as threats and vulnerabilities wax and wane. The major factors that cause those elements to vary are changes in technology and changes in business processes. This report begins by analyzing the relevant changes in those areas and then derives four key technology trends that will have the most impact on cybersecurity programs:

• Choose your own IT (CYOIT)
• Increased virtualization and use of cloud and software-as-a-service (SaaS)
• Supply chain integrity worries
• The Internet of Things/Everything

Each of these trends provides new attack surfaces and targets for increasingly sophisticated cyber bad guys, escalating the risk that organizations will be breached. A common factor across these trends is that they break our ability to control or monitor the flow of sensitive information into and out of the organization. Another is that all are orthogonal to long-standing IT governance practices of standardization and homogeneity: The old mantra of reducing costs, increasing control and increasing security by reducing the number of different devices, applications and services used will no longer work. What we can say, looking back on 2013, is that those old mantras were not translating into risk reduction. Somehow, IT security groups need to deal with new challenges while demonstrating to management that security spending really can enable risk reduction throughout their enterprises, while still enabling business.

No predictions are perfect, but the most useful ones provide insight into meaningful events that are likely to happen, rather than indicating what should happen. The following sections provide the background, rationale and advice for realigning organizational security in light of the evolving cybersecurity and business landscape. Security managers should compare these trends against their own operational business, technology, threat and vulnerability environments to predict their needs and guide security investments and actions.

1. http://theweek.com/article/index/228878/remembering-ray-bradbury-his-most-affecting-quotes

Key 2013 Observations

After a short look at the most important security-relevant events of 2013, the paper analyzes these factors and presents the key findings as influencing IT spending over the next few years and beyond:

• Less control of user devices means that more security, visibility and control will need to be delivered from the network (either the corporate network or through cloud-based security proxying) rather than relying primarily on endpoint software.
• Perimeter security does not go away either. It will increasingly be delivered in new locations, such as in virtual data center backplanes and at content delivery networks, web security gateways and other cloud-based security proxies. This will be in addition to, not in place of, delivery at the traditional enterprise perimeter.
• As a result of the cloud, bring your own IT and the Internet of Things (IoT) trending in 2013, there will be more demand for persistent data encryption, but implementation barriers will remain high. Over the next 18 months, use of data encryption will grow, but it will not come close to reaching the point where it obviates the need for other security controls to prevent disclosures.
• Increased evasion by bad guys, as well as increased use of SSL by good guys, drives demand for on-the-fly decryption. Security products and services will increasingly incorporate hardware-accelerated SSL and IPSec decryption as integral capabilities.
• Security at the application level will happen before security at the data level. Because threats change faster than applications, successful deployments of application-level security controls will emphasize integration with dedicated standalone security controls.
• Mobile malware will not be a major threat factor, but information leakage through mobile applications will be. Mobile device management and network access control security controls will be expanded and integrated to mitigate mobile application risk.
• Demand for product security testing prior to procurement will increase. Industry procurement practices and regulatory guidance will require that security testing be demonstrated prior to purchase for all critical infrastructure procurements within the next 18 months and more broadly by 2017.
• The major advances in threats will be increased targeting and customization. Threat advances will lead to improvements in prevention, driving deployment of more rapid internal monitoring, detection and forensics capabilities for security before, during and after an attack.
• New frameworks, legislation or regulations will increase reporting burdens on security managers rather than lead to increases in security. Advances in security will come from improving the effectiveness and efficiency of existing controls and freeing budget to invest in evolving to more continuous, next-generation architectures and automated processes needed to prevent, detect and respond to events.

Major Security Happenings in 2013

Predictions form the basis for personal and organizational changes. To make any meaningful predictions about the future, it is important to understand the impact of events of the present and the near past. In the past 14 months, security issues have made mainstream press headlines, with a steady flow of data breaches reported (see Figure 1).

[Figure 1. Data Breaches Within a 14-Month Period Circa 2013 [2]]

However, four major events in 2013 caused enormous hype that will have major impact on the security trends we will see in the next 18 months:

Advanced Persistent Threats (APTs) from China

In February 2013, Mandiant released its APT1 report, detailing the activities of Chinese-sponsored cyber espionage attacks. [3] While similar financially motivated advanced targeted attacks against businesses have been common since 2008 or so, the association of attacks with state sponsorship by China created an enormous hype wave that elevated the visibility of such attacks to CEOs and legislators. [4]

2. Taken from www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks
3. "APT1: Exposing One of China's Cyber Espionage Units," http://intelreport.mandiant.com
4. "Strategies for Dealing With Advanced Targeted Threats," August 5, 2011, G00215466, www.gartner.com/doc/1760819

Executive Order 13636/PPD-21

Also in February 2013, President Obama signed Executive Order (EO) 13636, "Improving Critical Infrastructure Cybersecurity," and Presidential Policy Directive (PPD) 21, "Critical Infrastructure Security and Resilience." In his State of the Union Address that same day, the President said:

    America must also face the rapidly growing threat from cyber attacks. We know hackers steal people's identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.

This led to a yearlong effort by the National Institute of Standards and Technology (NIST) to get public input on a national "Cybersecurity Framework," which culminated in the February 12, 2014, release of the "Framework for Improving Critical Infrastructure Cybersecurity," along with a Roadmap document providing a high-level outline of the plan for evolving and expanding the framework. [5] The roadmap indicated that the initial high-priority areas for additional work are authentication, automated indicator sharing, conformance assessment, cybersecurity workforce, data analytics, federal agency/international cybersecurity alignment and supply chain risk management.

Snowden

On June 5, the first of many articles appeared based on classified information leaked by National Security Agency (NSA) contractor Edward Snowden. Over the rest of 2013, a steady drip of leaks continued, highlighting the extent of NSA and other national intelligence agencies' Internet surveillance efforts.

Target

On December 19, Target acknowledged reports that the credit card information of tens of millions of Target customers had been stolen from internal systems. Subsequent investigations show that the records of approximately 110 million customers were compromised by attackers, [6] who first obtained remote access credentials from third-party vendors employed by Target and then used that access to penetrate internal Target point of sale systems. [7] Analysts estimate this incident will cost Target over $1 billion, whereas Target has publicly estimated that it would have cost $50 million to implement chip and pin technology in the point of sale systems that would have prevented the breach. [8] However, Target had rejected the new technology in an earlier trial when it found that it slowed down in-person transactions.

5. www.nist.gov/itl/csd/launch-cybersecurity-framework-021214.cfm
6. http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline
7. https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company
8. www.prairiebizmag.com/event/article/id/17645

2014–15 Security Predictions

The most valuable security predictions are about what will happen, not what should happen. What will happen is bounded by what can happen and is only marginally impacted by what should happen. We have all known for many years that users should replace reusable passwords, developers should write software more securely and organizations should value security as a core business requirement and product feature. But, over the years, very little of what should happen has happened. Because of the focus on what should happen, most security predictions take the form of statements such as, "Since major security incident X happened, everyone will radically change to focus on security area Y." These predictions are inevitably wrong because real-world security programs operate under a number of real-world constraints:

• Business and financial realities determine what is considered a business priority and limit radical fluctuations in investments.
• IT programs have large investments in installed technology and user applications that cannot be changed rapidly.
• Legal and regulatory requirements often force attention and investment in areas that are not effective in dealing with emerging threats.

In this paper, we use a methodology that tries to focus on what events will cause actual change: change that will remove barriers to increasing security, reduce the cost (both financial and operational) of deploying improved security controls, or increase the perceived gain of improved security on the business and consumer sides of security. In order to do this, we look at four key areas of change over the 2014–2015 timeframe, in order of importance: business and technology, vulnerabilities in products and services, threats by malicious actors and legal/regulatory demands.

Business and Technology

Although most of the press focuses on threats and attacks, business changes (and business-driven technology changes) are the leading indicators of coming impacts to security programs. For example, back in the 1990s, business demand for personal computing and storage led many IT organizations to standardize on Windows to reduce administrative overhead. Unfortunately, this trend also had a downside no one predicted: Too much homogenization of operating systems resulted in denial of service damage by worms, such as Code Red, Nimda, Slammer and Blaster, in the 2001–2003 timeframe. [9]

The next business trend, demand to reduce the cost of quickly reaching customers, led to the use of email and websites for transmitting sensitive information. The demand for speed led organizations to update web applications rapidly and constantly, without taking sufficient time to remove common vulnerabilities, such as SQL injection and cross-site scripting. This has resulted in phishing, drive-by, watering hole and other such attacks becoming a common means of infecting endpoints and getting around perimeter protections.

9. www.sans.org/reading-room/whitepapers/malicious/internet-worms-walking-unstable-ground-1229
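The two web-application vulnerability classes the paragraph above names, SQL injection and cross-site scripting, are the kind of defect a rushed release cycle leaves behind. The following Python example is added here for illustration and is not part of the SANS paper: it places a vulnerable customer lookup and greeting page beside their hardened forms (a parameterised query and contextual output encoding). The table, column and function names and the sample rows are constructed for this example; it uses only the standard library and an in-memory SQLite database, so it runs offline.

```python
"""Added example (not from the SANS paper): SQL injection and reflected XSS,
each shown as the vulnerable code beside its hardened form.  Table,
function names and sample rows are constructed for this illustration."""
import html
import sqlite3

# Constructed sample data: a tiny customer table.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.invalid"),
    (2, "bob", "bob@example.invalid"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'shipped in a hurry' version: user input is concatenated into SQL.
    A value such as  x' OR '1'='1  changes the query's logic and returns every
    row, which is exactly the defect the paper says rapid updates leave in."""
    query = "SELECT id, username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver passes the value separately from the
    SQL text, so the same input is only ever compared as a literal string."""
    query = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(display_name: str) -> str:
    """Reflecting user input straight into HTML: a name containing markup is
    interpreted by the visitor's browser (reflected cross-site scripting)."""
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_hardened(display_name: str) -> str:
    """Contextual output encoding: html.escape() neutralises <, >, &, and
    quotes, so the browser displays the text instead of executing it."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def run_webapp_demo() -> dict:
    """Run both versions against the same inputs and return the results."""
    conn = build_db()
    injected = "x' OR '1'='1"
    markup = "<script>alert(1)</script>"
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "normal_hardened": len(lookup_hardened(conn, "alice")),
        "injected_vulnerable": len(lookup_vulnerable(conn, injected)),  # every row
        "injected_hardened": len(lookup_hardened(conn, injected)),      # no rows
        "xss_vulnerable": render_greeting_vulnerable(markup),
        "xss_hardened": render_greeting_hardened(markup),
    }


if __name__ == "__main__":
    for key, value in run_webapp_demo().items():
        print(f"{key}: {value}")
```

Both hardened functions behave identically to the vulnerable ones on ordinary input (one row for "alice", a plain greeting for a plain name); the difference only shows on hostile input, which is why such defects survive functional testing and have to be caught by code review or security testing before release.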
Gartner's hype cycles are good sources of information for separating the hype from reality around business and technology trends. The Gartner Hype Cycle for Strategic Business Capabilities, 2013 report shows several meaningful areas that are either already past the "Trough of Disillusionment" or rapidly moving through it toward the "Plateau of Productivity," as illustrated in Figure 2. [10]

[Figure 2. Gartner's Hype Cycle for Strategic Business Capabilities [11]]

10. www.gartner.com/newsroom/id/2575515
11. Taken from www.gartner.com/newsroom/id/2575515

Business Driving Technology

New technologies frequently result from changes in business practices, where leading-edge suppliers seek to address business needs with innovative products and services. Here are just a few of the areas where business is driving technology changes that will impact security programs:

• Business process outsourcing will continue to drive adoption of software-as-a-service (SaaS) and other cloud-based services.
• Supply chain management, traceability and provenance, combined with concerns about technology being compromised or containing backdoors, will increase demand for preprocurement security evaluation of critical IT components.
• Mass collaboration will continue to drive the "choose your own IT" trend, as businesses push to allow employees, business partners and customers to create information, make transactions and access data from any device, anywhere.
• Mobile commerce will drive both new wireless payment mechanisms and further accelerate the rapid expansion of the Internet of Things, because low cost/low power wireless connectivity enables both new revenue models and new approaches to cost reduction, such as advanced energy management and smart buildings.

Technology Driving Security

Using the above business trends as the drivers, we believe the following technology trends will have major impacts on security programs over the next 18 months.

Choose Your Own IT

The consumerization of IT is defined as the ability of non-IT people to acquire, deploy and use consumer-centric IT solutions to get their jobs done. Bring your own device (BYOD) was the first major manifestation of this trend, and surveys show that large percentages of employees today are already buying and using personally owned smartphones, tablets and personal computers (see Figure 3). [12]

[Figure 3. Percent of Employees by Geography Using Personally Owned Devices for Some or All Work Tasks (from "Bring Your Own Device: The Facts and the Future," Gartner, April 13, 2013, page 10)]

12. "The consumerization of IT-The next-generation CIO," www.pwc.com/us/en/technology-innovation-center/consumerization-information-technology-transforming-cio-role.jhtml

However, the term BYOD puts too much focus on the devices themselves. Mobility, getting work done from anywhere at any time, is the business driver, which leads to much more than just personally owned devices replacing corporate-owned devices. The real security issue is that the majority of users will use a mixture of a work-supplied device, one or more personally owned devices and a vast array of cloud-based services, ranging from SalesForce.com to DropBox to Facebook. To capture the full impact of this trend, we are using the term choose your own IT (CYOIT). The CYOIT trend essentially results in an extended network that includes all endpoints (mobile, virtual or in the cloud, as well as the data center) and poses new challenges for organizational security.

Mobility and CYOIT have characteristics very different from previous IT waves in two ways:

Heterogeneity. There will never again be one vendor or one operating system that gains 90 percent market share. There will generally be three major players splitting 70 to 80 percent market share, and most enterprises will have to support all three. The three leading vendors or operating systems will change every two to three years.

App Stores. Users of smartphones and tablets have shown they prefer the App Store model over the chaos of the PC-era "anyone can install anything" model. The App Store model actually has many security advantages, if done well by the proprietor. If done poorly (results to date are mixed), App Stores represent an enormous attack surface.

Increased Virtualization and SaaS/IaaS

Virtualization is no longer a trend; it is an IT reality. The tipping point occurred in 2012, when more than 50 percent of the installed enterprise server base was comprised of virtual machines. At that time, the majority of new server images were deploying on virtual infrastructure, according to Gartner. Virtualizing a data center is the first step toward a private cloud: 72 percent of data center managers report they will be using the private cloud by year-end 2014, as shown in Figure 4. [13]

[Figure 4. Private Cloud Deployment in 2014 [14]]

13. "Private Cloud Matures, Hybrid Cloud Is Next," Thomas J. Bittman, www.gartner.com/doc/2585915
14. Taken from "Private Cloud Matures, Hybrid Cloud Is Next," Thomas J. Bittman, www.gartner.com/doc/2585915

Once enterprises mature their use of a private cloud, integration with external SaaS and infrastructure-as-a-service (IaaS), known as a hybrid cloud, is usually not far behind. The same Gartner data center survey reports that 70 percent say they will be using a hybrid cloud (see Figure 5).

[Figure 5. The Use of the Hybrid Cloud Will Increase in the Near Future [15]]

GigaOM research data shows that 63 percent of enterprises are already using one or more SaaS providers and 45 percent are already using IaaS. [16] An IBM report shows that close to half of SaaS adopters see competitive advantage in addition to cost savings. [17]

Supply Chain Integrity

Calendar year 2013 was a big year for publicity with respect to Chinese APTs and the Snowden leaks of classified information. Both have raised the visibility of supply chain integrity. How can a business be sure that mission-critical technology or cloud services from overseas providers have not been compromised? The world has flattened, and all business is global business. The lure of lower costs from overseas technology and service providers is too powerful for business leaders to resist. An illustrative example is when British Telecom chose the Chinese firm Huawei as the telecom infrastructure provider for the UK 21st Century Network upgrade over North American and European providers. The UK government decided in 2010 that, while it had strong concerns over Huawei's connections to the Chinese government, it could not ignore the advantages of Huawei's proposal over competitive bids. Now the UK tests all Huawei equipment for back doors and other malware, in search of vulnerabilities or backdoor capabilities, prior to deployment and can reject the Chinese equipment if testing reveals anything suspicious. Proposed legislation in the US has suggested a similar approach. A Gartner strategic planning assumption captured this trend: "By 2020, at least one consumer product manufacturer will be held liable by a national government for security vulnerabilities in its product." [18]

15. Taken from "Private Cloud Matures, Hybrid Cloud Is Next," Thomas J. Bittman, www.gartner.com/doc/2585915
16. www.forbes.com/sites/louiscolumbus/2013/06/19/north-bridge-venture-partners-future-of-cloud-computing-survey-saas-still-the-dominant-cloud-platform
17. www.cloudpro.co.uk/saas/3750/competitive-advantage-not-penny-pinching-is-drawing-firms-to-saas
18. "Security and Risk Management Scenario Planning, 2020," May 30, 2013, G00250811

The Internet of Things—Everything

A recent SANS Survey on the Internet of Things (IoT) showed that security professionals are already dealing with the first several waves of Internet-connected things and have begun to plan for the challenges of the next wave of more diverse, more complex devices. Almost 90 percent of respondents recognized that changes to security controls will be required, with 50 percent believing major (if not complete) enhancements and replacements to many controls will be required. [19] Internet-connected computing capabilities related to smart buildings, industrial control systems and medical applications were the most commonly cited concerns after consumer products. While these types of applications do not receive much IoT hype in the press, the use of embedded computing in those devices (as opposed to the layered operating systems and applications in PCs and servers that IT is accustomed to managing and securing) will cause major breakage in existing IT management and IT security visibility, vulnerability assessment, configuration management and intrusion prevention processes and controls.

Reflecting this change, the majority of respondents in the recent SANS "Securing the Internet of Things Survey" expected IoT device manufacturers to take more responsibility for security than security professionals have expected of PC and server hardware and application vendors in the past. More than half of the survey respondents plan on doing their own evaluation and testing of devices before allowing them on the corporate network. This is a stepping stone or wave prior to the next phase of Internet connectivity, where we expect fivefold growth by 2020. Figure 6 illustrates the waves of growth.

[Figure 6. Internet Growth Occurs in Waves [20]]

19. SANS "Securing the Internet of Things Survey," www.sans.org/reading-room/analysts-program/survey-internet-things
20. Taken from Cisco IBSG, 2012, www.cisco.com/web/about/ac79/docs/innov/IoE.pdf

All new technologies and business processes invariably come with new (and many old) vulnerabilities. Extending the network has significantly increased the surface area of vulnerabilities that can be attacked. With every new wave, attackers exploit these vulnerabilities, first impacting systems with simple denial of service and later returning to launch more complex attacks that are financially or politically devastating.

Vulnerabilities in Products and Services

The trends described in previous sections lead to increased vulnerabilities in the following key areas:

• Flaws in hypervisors and virtual machine management platforms. Hypervisors and virtual machine managers offer an obvious single point of catastrophic failure, which is to attackers as honey is to a bee. For that reason, the mantra in virtual machine monitor (VMM) design has always been simplicity and small code bases to enable thorough analysis and reduce attack surfaces. However, over time VMMs have expanded and grown more complex. Numerous vulnerabilities have already been found in VMMs, and more severe ones are likely to be found in the future.
• Consumer-driven Internet of Things. Manufacturers have rushed the first wave of IoT devices, such as smart cars, wireless baby monitors and even Wi-Fi–enabled light bulbs, to market with little thought of security. Many products have shipped with gaping holes, enabling attackers with little skill to easily cause denial of service and moderately skilled ones to compromise other systems on the home network. Such compromises are similar to the Target attackers exploiting a third-party heating, ventilating and air conditioning (HVAC) contractor's access to Target's network. Future attackers will use vulnerabilities in smart building IoT devices to gain access to corporate systems and data.
• App Store process failures. Users have come to believe that any application they install from an App Store is safe and secure. Numerous studies have shown that many apps have basic security and privacy deficiencies. As the number of apps in the App Stores continues to increase, the job of making sure apps are trustable gets harder and mistakes are more likely. [21]
• The multiple cloud provider shell game. The growth in use of virtualization and cloud services is happening not only at enterprises, but also at service providers. It is not unusual to see a SaaS provider that uses an IaaS provider to host its applications and might also use a platform-as-a-service (PaaS) provider as a core component of its SaaS offering. This complex integration enables entire new classes of vulnerabilities, such as when the SaaS provider patches a vulnerability (and vulnerability scanners report it as patched) but the underlying IaaS service does not deploy the patch, leaving an open attack path.

21. www.technewsworld.com/story/80033.html

Threats by Malicious Actors

Predicting threats is much like predicting tornadoes: You know they will happen, but where and how strong they will be is anyone's guess. However, there are many sources of threat data that give us a basis for projecting the major security threat trends. The Cisco 2014 Annual Security Report shows that Trojans made up almost half of all malware payloads, with iFrame exploits and dropper/downloaders being the next most common. Ransomware/scareware make up only a small percentage of the total, but this category has shown strong growth, as illustrated in Figure 7.

[Figure 7. Malware Categories, by Percentage of Total Encounters, 2013 [22]]

Hackmageddon's analysis of publicly reported attacks shows that financially and politically motivated threats continued to dominate the threat landscape, despite the publicity around state-sponsored attacks. We expect this trend to continue through 2015 (see Figure 8).

[Figure 8. Hacktivism and Cybercrime Dominant in 2013 [23]]

22. Taken from www.cisco.com/web/offers/lp/2014-annual-security-report/index.html, page 39
23. Taken from http://hackmageddon.com/2014/01/19/2013-cyber-attacks-statistics-summary

Verizon's 2013 Data Breach Investigations Report [24] confirmed this analysis, showing that 75 percent of attacks were driven by financial motives. Verizon also found that almost 80 percent of intrusions were rated as simple or low difficulty attacks, and two out of three were active for months before being discovered, as shown in Table 1.

Table 1. Security Breach Statistics [25]

Percentage   Characteristic
78%          Initial intrusions rated as low difficulty
75%          Driven by financial motives
75%          Categorized as opportunistic attacks
71%          Targeted user devices
69%          Discovered by external parties
66%          Were not discovered for months
54%          Involved compromised servers

The 2013 Data Breach Investigations Report also confirms that 66 percent of breaches remain undiscovered for months or more, as shown in Figure 9.

[Figure 9. Percent of Breaches That Remain Undiscovered for Months or More [26]]

The IoT and CYOIT trends discussed in this paper will likely drive that percentage even higher, requiring security programs to make advances in both detection and prevention to reverse the trend. The bottom line is that attacks will become more targeted and more evasive, increasing the likelihood that breaches will occur, even where advances in prevention have been made. This will drive the need for more continuous capability for monitoring, detection and remediation, as well as for advances in security analytics to prioritize the security-critical alerts while reducing false positives.

24. www.verizonenterprise.com/DBIR/2013
25. Modified from www.verizonenterprise.com/DBIR/2013
26. Taken from www.verizonenterprise.com/DBIR/2013, page 52
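The "multiple cloud provider shell game" described under Vulnerabilities in Products and Services is a reconciliation problem: a scan of the SaaS layer reports a finding closed while a PaaS or IaaS layer underneath still runs the affected component. The following Python example is added here and is not part of the SANS paper; it models a SaaS-on-PaaS-on-IaaS stack as a dependency graph and asks, for each finding, what the top-layer scanner would report versus what the whole stack actually exposes. Every layer, component name, version and vulnerability identifier is a constructed placeholder (the "VULN-EXAMPLE-nnn" ids are not CVEs), as are the function names.

```python
"""Added example, not from the SANS paper: reconciling a finding's patch
status across the layered providers the paper calls the "multiple cloud
provider shell game".  All layers, components, versions and vulnerability
identifiers are constructed placeholders, not real products or CVEs."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Layer:
    name: str                  # "saas", "paas", "iaas" (constructed)
    depends_on: List[str]      # layers this one runs on top of
    # component -> version actually deployed at this layer
    components: Dict[str, str] = field(default_factory=dict)


@dataclass
class Finding:
    vuln_id: str               # placeholder identifier, not a real CVE
    component: str
    fixed_in: str              # first version that contains the fix


def _version_tuple(version: str) -> tuple:
    """Compare dotted versions numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def layer_is_fixed(layer: Layer, finding: Finding) -> bool:
    """A layer is fixed if it does not run the component at all, or runs a
    version at or above the fixing release."""
    deployed = layer.components.get(finding.component)
    if deployed is None:
        return True
    return _version_tuple(deployed) >= _version_tuple(finding.fixed_in)


def stack_status(layers: Dict[str, Layer], top: str, finding: Finding) -> dict:
    """Walk from the customer-facing layer down through every dependency.
    'scanner_says_patched' is what a scan of the top layer alone reports;
    'truly_patched' requires every layer in the stack to be fixed."""
    exposed = []
    seen = set()
    pending = [top]
    while pending:
        name = pending.pop()
        if name in seen:
            continue
        seen.add(name)
        layer = layers[name]
        if not layer_is_fixed(layer, finding):
            exposed.append(name)
        pending.extend(layer.depends_on)
    return {
        "scanner_says_patched": layer_is_fixed(layers[top], finding),
        "exposed_layers": sorted(exposed),
        "truly_patched": not exposed,
    }


# Constructed sample stack: a SaaS application on a PaaS runtime on an IaaS
# host image, all carrying a hypothetical "tls-lib".  The SaaS and PaaS
# operators have patched it; the IaaS host image still has the old build.
SAMPLE_LAYERS = {
    "saas": Layer("saas", ["paas"], {"tls-lib": "2.4.1", "db-driver": "1.2.3"}),
    "paas": Layer("paas", ["iaas"], {"tls-lib": "2.4.1"}),
    "iaas": Layer("iaas", [], {"tls-lib": "2.3.9"}),
}
SAMPLE_FINDINGS = [
    Finding("VULN-EXAMPLE-001", "tls-lib", "2.4.0"),    # still open via iaas
    Finding("VULN-EXAMPLE-002", "db-driver", "1.2.0"),  # genuinely closed
]


def run_shell_game_demo() -> Dict[str, dict]:
    """Evaluate each constructed finding against the whole stack."""
    return {f.vuln_id: stack_status(SAMPLE_LAYERS, "saas", f) for f in SAMPLE_FINDINGS}


if __name__ == "__main__":
    for vuln_id, status in run_shell_game_demo().items():
        print(vuln_id, status)
```

For the first constructed finding the top-layer scan says "patched" while the IaaS layer still exposes the component; the second is closed at every layer. The practical point is that a patch attestation from a SaaS provider is only as good as the attestations of the providers it in turn depends on, so procurement and audit questions about patch status have to be asked per layer, not once at the top.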
Organizational Security 2014–15 Security Predictions (CONTINUED) Legal/Regulatory/Compliance Issues The final trend relates to changes in the legal and regulatory environment Technology and threats invariably move faster than laws and regulations As a result, changes in this area are rarely, if ever, positive for security Instead, the changes often drive increased reporting requirements, which actually divert resources from security and direct them toward compliance However, security managers can often “surf the compliance wave” to justify funding for investments to close gaps while planning for automation and migration of controls in the future to reduce costs We see the following potential areas of legislation and regulation as the most likely to impact enterprise security programs: • N ational breach disclosure laws In the US, 46 of the 50 states have enacted a widely varying array of breach disclosure laws.27 In reaction to the recent Target breach, new proposals have been introduced in Congress, including setting national standards for database security and nationwide requirements for notifying customers when breaches occur Senators Carper and Leahy have reintroduced previous datasecurity bills, while Senate Commerce Committee Chairman Jay Rockefeller proposed new measures for breach notifications • European Union ISP guidelines In Europe, the European Union issued stringent guidelines to carriers and Internet Service Providers (ISPs) around breach notification, and other efforts are underway to apply breach notification requirements more broadly to all EU enterprises.28 • Cybersecurity insurance policy requirements Businesses have long carried various forms of insurance to limit liability in case of natural disasters, errors and omissions, fraud and so on As CEOs and CFOs have become more aware of the liabilities presented by cyber attacks, the cybersecurity insurance industry has seen strong growth (20 percent per year) in recent years As the cybersecurity 
industry matures, insurers will place requirements on policy holders to limit their own exposure.29 • P rivacy concerns around the Internet of Things In the US, the Federal Trade Commission has already held public hearings on the privacy concerns around the growing number of personal devices that are joining the IoT While privacy has often taken a back seat to commercial interests in the US, the personal and intrusive nature of the IoT will drive the US to follow a more European path, emphasizing privacy.30 •T he US Executive Order and other frameworks Although the “Framework for Improving Critical Infrastructure Cybersecurity” issued by NIST in response to Executive Order 13636 currently carries no enforcement, the NIST Roadmap indicates, “NIST will help ensure that private and public sector conformity assessment needs are met by leveraging existing conformity assessment programs and other activities that produce evidence of conformity.”31 This indicates that the primary focus will be on adding national framework reporting to existing audits against existing frameworks such as ISO 27001, PCI DSS and others This will lead to some minor growth in reporting requirements but will not drive any significant changes in security programs 27 www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx 28 http://europa.eu/rapid/press-release_IP-13-591_en.htm 29 http://moneymorning.com/2013/03/13/the-cybersecurity-investment-opportunity-everyone-is-missing 30 www.ftc.gov/news-events/events-calendar/2013/11/internet-things-privacy-and-security-connected-world 31 www.nist.gov/cyberframework/upload/roadmap-021214.pdf, page SANS Analyst Program 14 2014 Trends That Will Reshape Organizational Security Impacts and Action This section combines factors from the four areas above to predict the impact on typical security programs/ controls with recommendations for actions All of the trends—business, technical, risk and regulatory—converge 
at the security point of impact, and each impact requires action. Some of the most critical security impacts resulting from these trends, along with the actions that need to be taken, include the following:

• IT has less control over the endpoints, on both the user end and the datacenter/server end. The use of personally owned devices breaks the old model of installing root-level “shims,” such as endpoint protection and configuration management software, on user devices. When such devices are used to access cloud or SaaS services, there will be no enterprise security agent on either the user device or the server side. This trend means that more security visibility and control will need to be delivered from the network (either the corporate network or through cloud-based security proxying) rather than relying primarily on endpoint software. However, endpoint visibility and forensics will also be critical in detection and follow-up.

• The need for a security perimeter doesn’t go away, but the perimeter must be extended and new delivery mechanisms added. The “death of the perimeter” has been declared many times over the past 20 years, as VPNs, wireless access, web services and now mobile devices and cloud computing have complicated the perimeter concept. However, the need for trust boundaries and perimeter inspection has not changed. Monitoring and enforcement at those boundaries continues to be the most cost-effective approach to reducing attack apertures and risk without unduly burdening the business. The increased use of virtualization does not change the need for a separate security control layer, because virtual infrastructure will be no more successful in protecting itself than traditional infrastructure has been. Perimeter security will be delivered in new locations, such as in virtual data center backplanes and at content delivery networks, web security gateways and other cloud-based security proxies. This will be in addition to, not in place of, delivery at the traditional enterprise perimeter.

• There
will be more demand for persistent data encryption, but implementation barriers will remain high. The loss of control over the user and data center resources used to process and store sensitive information has resulted in calls for “data-driven” security and persistent data encryption. However, most of the same issues that caused the failure of most public key infrastructure (PKI) deployments a decade ago still exist, and in some cases have been exacerbated. Cost-effective deployment of data encryption (think digital rights management) requires an affordable, accurate, trustworthy source of public keys; without one, data encryption can easily become a self-inflicted denial of service, with legitimate users unable to recover their own data. Also, data must be decrypted during processing, which provides ample opportunity for compromise (consider the Target incident, in which card data was captured at the point where it had to be in the clear for processing). Although there are emerging solutions for dealing with these issues, none will be mature, let alone standard, any time soon. Over the next 18 months, use of data encryption will grow but will not come close to reaching the point at which it obviates the need for other security controls to prevent disclosures.

• Security at the application level happens before security at the data level. Even though obstacles remain to fully securing data, the trends discussed previously have actually removed barriers to adding application-centric security to device- and network-centric controls. Data center virtualization and the consumption of SaaS are causing IT development and management processes and architectures to focus on application-level flows and governance. Performance management has shifted to the application level, both internally on networks via application acceleration platforms and externally using content delivery networks (CDNs). This opens opportunities for consistent application-level security controls to be deployed in those platforms with integration to
traditional network-level controls, such as firewalls, intrusion prevention, SIEM and other such technologies. Because threats change faster than applications, successful deployments of application-level security controls will emphasize integration with dedicated standalone security controls.

• Increased evasion by bad guys and use of SSL by good guys drives on-the-fly decryption. Publicity around NSA monitoring of communications has caused a sharp increase in the use of HTTPS for all web server sessions, not just for logins. The realization that advanced targeted attacks and insider attacks often succeed by monitoring internal network traffic has caused an increase in the use of network encryption on internal traffic. Threat developers have also increasingly used encryption to evade detection products. Security products and services will increasingly incorporate hardware-accelerated SSL/TLS and IPsec decryption as integral capabilities. Note that such inspection still requires either the server’s private key or a trusted interception certificate installed on managed endpoints, and where forward-secret cipher suites are negotiated only active, proxy-based interception works; passive decryption with a copy of the server key does not.

• Demand for product security testing prior to procurement will increase. The publicity around Chinese APTs and the NSA disclosures has already increased demand for security testing of products as part of procurement. The app stores for the Apple, Google and Microsoft mobile operating systems have increased the level of security testing done before (and after) applications are published. Industry procurement practices and regulatory guidance will require security testing to be demonstrated prior to purchase for all critical infrastructure procurements within the next 18 months, and more broadly by 2017.

• The major advances in threats will be increased targeting and customization. Just as the major advances in e-commerce center around personalization and customization, threat developers will use similar techniques to overcome advances in detection, as well as any advances in user awareness around phishing and watering hole attacks. The use of location-based information increasingly exposed in mobile applications and social networks will be a
major threat vector, as will targeting of specific ISPs and cloud-based applications in use by high-value targets. Threat advances will lead advances in prevention, driving deployment of more rapid internal monitoring and visibility, detection and forensics capabilities for threat-centric security before, during and after attacks.

• Mobile malware will not be a major threat factor, but information leakage through commercial applications will be. While the total quantity of discovered malware for mobile devices will continue to grow (especially for the fragmented Android platform), the security capabilities of mobile operating systems, combined with the heterogeneous mix of platforms and the impact of app store curation of applications, will mean that the traditional virus/malware threat environment will not reappear. However, poorly written mobile applications, free apps that drive revenue by obtaining user information, and malicious or vulnerable applications will get through app store certification processes and enable information leakage. Mobile device management and network access control security controls will be expanded and integrated to mitigate mobile application risk.

• New frameworks, legislation or regulations that emerge will increase reporting burdens on security managers rather than leading to increases in security. There are no legislative or regulatory efforts within this planning horizon that will make the job of security managers easier or remove obstacles to increasing enterprise security. Legislation will continue to move more slowly than technology, business and threats evolve, and new laws, regulations and frameworks will result in more reporting requirements that divert resources from security. Successful security programs will be those that improve security implementation and operations while reducing the cost of demonstrating
compliance. Advances in security will come from improving the effectiveness and efficiency of existing controls and freeing budget to invest in evolving to more continuous, next-generation architectures and processes.

Conclusion

Change is always the enemy of security. The trends discussed above show that we anticipate advances in business processes and technology will cause major change in IT governance and management. These changes will create openings for new vulnerabilities, and new threats will emerge to exploit them. Old threats will not go away; the new threats will be additive. Progress in security will be made by reducing the cost of dealing with mature threats to free up resources for new and innovative approaches to mitigating the new risks. New technologies, such as virtualization, cloud services and advances in security analytics, will also give security managers opportunities to improve both the effectiveness and efficiency of security controls, maintaining threat-focused security that is visibility-driven and platform-based.

As pointed out several times in this paper, we expect the major advances in threats to be an increased emphasis on targeting and evasion. With attacks frequently detected long after the initial compromise, security programs must make advances in all key phases of the breach chain, such as:

• Reducing the attack aperture by evolving prevention before attacks
• Increasing the speed and accuracy of security response actions during an attack
• Evolving effective and adaptive processes to identify and remediate security breaches after they have occurred, even though they were not initially detected

About the Author

John Pescatore joined SANS in January 2013 with 35 years of experience in computer, network and information security. He was
Gartner’s lead security analyst for more than 13 years, working with Global 5000 corporations, government agencies and major technology and service providers. In 2008, he was named one of the top 15 most influential people in security, and he has testified before Congress on cybersecurity. Prior to joining Gartner Inc. in 1999, John was a senior consultant for Entrust Technologies and Trusted Information Systems, where he started, grew and managed security consulting groups focusing on firewalls, network security, encryption and public key infrastructures. Prior to that, he spent 11 years with GTE developing secure computing and telecommunications systems; in 1985 he won a GTE-wide Warner Technical Achievement award. Mr. Pescatore began his career at the National Security Agency, where he designed secure voice systems, and the United States Secret Service, where he developed secure communications and surveillance systems, and the occasional ballistic armor installation. He holds a bachelor’s degree in electrical engineering from the University of Connecticut and is an NSA-certified cryptologic engineer. He is an Extra class amateur radio operator, callsign K3TN.

SANS would like to thank its sponsor, Sourcefire, now part of Cisco.