We’re now a month into 2018 and, as usual in this industry, things continue to change. New attacks, major vulnerabilities, technologies for defenders, and industry players are the norm. We wanted to take a step back and share a bit about the new things we are tracking for this year.
Government Scrutiny of Privacy / Security Issues Ramps Up
During 2017 there were a number of mega-breaches that generated increasing levels of scrutiny on data security and privacy matters from the public sector. If your organization has a big enough security breach, it seems like you now end up testifying in front of Congress (in the US). As a result, it looks like the stage has now been set for cyber legislation – but only if Congress can fit this into its agenda.
Meanwhile a very strong data privacy law, known as the General Data Protection Regulation, becomes enforceable in May. This law, passed by the European Union, has ramifications that reach across the globe. The law protects the privacy of European citizens’ data, no matter who is keeping it. That means that any US-based business that holds personal data of EU citizens needs to comply or risk hefty fines (up to 4% of global revenue). This has left many businesses scrambling to become compliant because the stakes are high.
Cryptocurrency Cyber Crime Becomes More Varied
In the past the pattern has been: a hack leads to compromise, compromise leads to ransomware, and the ransom is demanded in Bitcoin. Things are evolving, however – see our blog post on cryptocurrency basics and security fundamentals, which talks more about wallet security. On the cyber crime side, the high transaction costs and reduced confidence in the privacy of Bitcoin transactions have been pushing cyber criminals to use privacy-focused ‘altcoins’ such as Zcash or Monero instead. In some cases hackers are skipping the whole “infection -> ransomware” chain altogether, instead using their access to install cryptocurrency mining programs directly on users’ systems.
Migration to ‘The Cloud’ Continues – Security Plays Catch-up
Many organizations are continuing to move infrastructure to ‘the cloud’ (aka – someone else’s computer) instead of traditional on-premises systems. This leaves security gaps because in many cases the new technologies are not fully understood. A prime symptom of this problem is the prevalence of Amazon S3 buckets being discovered with permissions that allow unintended access. The data center / cloud industry is also still grappling with the Spectre and Meltdown attacks that we discussed recently – it remains to be seen what the fallout will be there.
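The S3 permission problem mentioned above is usually a bucket policy that grants an anonymous principal access. Below is an added example (not from the original post) of a small offline check that parses a bucket policy document and flags Allow statements with a wildcard principal; the policy JSON, bucket name and account id are constructed for illustration.

```python
import json

# Constructed sample bucket policy (not from any real account): the first
# statement grants anonymous read on every object, the second is scoped
# to a single IAM role and is fine.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both mean "anyone on the internet" in an S3 policy
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False

def find_public_statements(policy_json):
    """Return (Sid-or-index, detail) for Allow statements that grant an
    anonymous principal any S3 action; conditional grants are flagged for review."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. restricting to a VPC endpoint) may narrow the grant
            findings.append((stmt.get("Sid", str(i)), "review-conditional"))
            continue
        findings.append((stmt.get("Sid", str(i)), ",".join(_as_list(stmt.get("Action", [])))))
    return findings

RESULT = find_public_statements(SAMPLE_POLICY)
```

Feed it the output of a bucket policy fetch for each bucket in an account and anything it returns deserves a look, alongside the bucket ACL and account-level public access settings.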
Aside from those areas, the industry is still trying to figure out how to protect digital assets in the cloud. The new reality is that the cloud enables shadow IT to stand up its own systems, outside of the purview of normal IT – and that is a dangerous thing. This has led to the rise of a new class of software known as CASB – Cloud Access Security Broker. These are similar to traditional DLP (Data Loss Prevention) software, but more focused on locking down access to cloud providers such as Dropbox and Google Drive. We expect to keep hearing the CASB buzzword more and more over the next year.
Making Existing Data More Useful
Security organizations can easily end up with far more data than they can possibly utilize. On our penetration testing engagements, for example, our activity can often be found in various logs across the target network, but it isn’t being surfaced to the security staff in a timely enough way to get immediate attention. That’s where a new technology called User and Entity Behavior Analytics (UEBA) comes into play.
The idea behind UEBA is to use software algorithms, potentially including machine learning, to construct a ‘baseline’ for normal behavior on your network. That baseline is then used to detect anomalous behavior. The UEBA software would ingest data from system logs, IDS/IPS systems, and AV / endpoint defense products and then create a reliable feed of high quality alerts for SIEM type tools. If UEBA lives up to its promise it could make a huge difference for defenders, but these tools are only beginning to be adopted.
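To make the baseline-then-anomaly idea concrete, here is an added toy example (not from the original post or any UEBA product) that builds a per-user profile of hosts and login hours from constructed authentication records and then flags logins in a later window that come from a never-seen host or fall outside the user’s usual hours. The user names, hosts and timestamps are all made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login records (user, host, ISO timestamp). BASELINE is the
# "normal" history; WINDOW is the period being evaluated against it.
BASELINE = [
    ("alice", "ws-01", "2018-01-08T09:05:00"),
    ("alice", "ws-01", "2018-01-09T08:55:00"),
    ("alice", "ws-01", "2018-01-10T09:10:00"),
    ("bob", "ws-02", "2018-01-08T10:00:00"),
    ("bob", "srv-db", "2018-01-09T10:30:00"),
    ("bob", "ws-02", "2018-01-10T09:50:00"),
]
WINDOW = [
    ("alice", "ws-01", "2018-01-15T09:02:00"),   # normal
    ("alice", "srv-db", "2018-01-15T03:30:00"),  # new host AND off-hours
    ("bob", "srv-db", "2018-01-15T10:10:00"),    # normal
    ("bob", "ws-02", "2018-01-15T22:45:00"),     # known host, off-hours
]

def build_baseline(records):
    """Per user: the set of hosts seen and the set of login hours observed."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, ts in records:
        hour = datetime.fromisoformat(ts).hour
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(hour)
    return profile

def detect_anomalies(profile, records, slack=1):
    """Flag logins from a host the user never used, or outside the user's
    observed hour range (+/- slack hours). Returns (user, host, ts, reasons)."""
    alerts = []
    for user, host, ts in records:
        reasons = []
        base = profile.get(user)
        if base is None:
            reasons.append("unknown-user")  # no history at all is itself notable
        else:
            hour = datetime.fromisoformat(ts).hour
            if host not in base["hosts"]:
                reasons.append("new-host")
            lo, hi = min(base["hours"]), max(base["hours"])
            if not (lo - slack <= hour <= hi + slack):
                reasons.append("off-hours")
        if reasons:
            alerts.append((user, host, ts, reasons))
    return alerts

ALERTS = detect_anomalies(build_baseline(BASELINE), WINDOW)
```

A real UEBA product scores many more features per entity and weights them statistically, but the shape is the same: learn what is normal, then surface only the deviations to the SIEM.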
In related news, Google parent company Alphabet recently launched a new cyber security startup called Chronicle. While details are still thin, GOOG has said “the information that security teams need to identify and investigate attacks is right there in an organization’s existing security tools and IT systems, but it’s hidden in enormous volumes of data and therefore can’t easily be seen, understood, or used.” That sounds like it could be quite similar to UEBA. Given Google’s skill with cyber security issues, combined with big data type analytics, this could really be a big deal. Google has said that more details will be out in the coming months – so we will see!
What are you tracking?
These are the things that are on the top of our radar as we’re digging into the new year. The constant change is one of the most exciting things about the information security industry, but you have to keep up!