According to Gartner, worldwide spending on information security was expected to reach $71.1 billion in 2014, an increase of 7.9 percent over 2013. Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Based on these numbers it would appear that we have made progress towards a more secure world in the past 12 months. Did we? And what can we expect in 2015?
Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. This sounds crazy, but with every implementation of new technology (especially if connected to the Internet), we create potential new attack vectors for cyber adversaries. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to embarrass corporations and government agencies, and commit fraud. Over the last year, we have experienced a wave of cyber security attacks targeting a broad variety of organizations and vertical markets.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. Data breaches at companies such as Target, Home Depot, Staples, Michaels, Kmart, Bebe Stores Inc., eBay, the Montana Department of Public Health and Human Services, and Sony Pictures Entertainment, are just the tip of the iceberg.
So, what can we expect in the next 12 months? Here are my Top Three IT Security Predictions for 2015. They are based on day-to-day collaboration with Global 2000 companies, government agencies, fellow security vendors, industry analysts, and security consultants, as well as primary market research.
1. Direct Network Attacks Are The Least Of Your Worries
In the past, hackers were primarily exploiting vulnerabilities in their target’s network and cyber defense systems to extract data or disrupt business continuity. By improving their defenses against direct network attacks, organizations have been able to counter these efforts and improve their resilience against cyber-attacks. However, since early 2011 the security industry has seen a shift in attack vectors, as hackers turned their focus to the weakest link by exploiting the supply chain to gain “backdoor” access to IT systems.
In 2014, third-party originated cyber-attacks dominated the headlines with data breaches at Adobe, Target, and Neiman Marcus getting everybody’s attention. Going forward, we can expect this trend to accelerate since this attack vector has proven very effective at circumventing the target company’s defense mechanisms. More importantly, this attack strategy opens up untold numbers of vulnerabilities that lay dormant in third-party applications and can easily be exploited. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015.
In addition, the increasing interconnectivity within an organization’s software supply chain poses a huge risk in itself, because even peripheral systems like heating or air-conditioning control systems can be compromised by sophisticated cyber criminals to breach a company’s security perimeter.
In response to these threats, organizations are likely to expand their vulnerability management by leveraging automation tools that aggregate data from a variety of scanners, correlate the data, and then prioritize remediation actions based on an organization’s individual business criticalities.
In addition, organizations will expand the monitoring and management of IT security risks downstream in the supply chain. In 2015, assessing just your top 25 critical vendors will no longer be sufficient. Subsequently, this will change the existing third-party vendor risk management practices, requiring risk assessments to occur as part of the vendor / supplier onboarding process rather than years after the technology / service has been implemented.
Based on the increased risk posed by vulnerabilities in third-party technology, organizations will also turn the table on their suppliers. Instead of using their own security operations teams to assess potential vulnerabilities, companies will mandate that suppliers use independent verification services to test software applications prior to procurement and deployment.
Software vendors will likely have to change their software product life cycle management process, adjusting their engineering methodologies to encompass vulnerability testing as part of the product coding rather than as part of the quality assurance process.
2. New Cyber War Methods Make Your Life Even More Miserable
Cyber-attackers are constantly changing their strategies, always looking for new attack vectors and methodologies that allow them to fly under the radar for an extended time period. In this context, attack methodologies in 2014 increasingly centered on drive-by exploits and social media.
Considering the continuous consumerization of IT, mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Furthermore, the proliferation of mobile “apps” complicates the enforcement of enterprise security standards. Free mobile applications, for example, are a target-rich environment for malware. Another gap in current mobile device security is related to access control, which would set the baseline for allowing these devices to connect to corporate email, web portals, and networks.
Going forward, we can also expect to see phishing attacks moving further away from email and into the social media landscape. By establishing trust relationships on social media platforms, hackers will expand their exploitation capabilities to distribute malware designed to steal passwords and sensitive information.
We can expect organizations to transition their security practices to a more pro-active approach. One of the ways they will do this is by overlaying security, infrastructure, business, and market data with threat intelligence to enable security teams to focus their remediation efforts on those threats that represent the highest risk for their business. For example, many organizations are likely to aggregate critical intelligence from third-party threat intelligence services with other operational IT and security data to continuously assess a company’s risk and compliance posture.
Organizations will also build out their incident response processes to be prepared for worst case scenario incidents. By making incident response a top priority and developing a well-documented policy and process that is understood by stakeholders, organizations will limit or even prevent reputational and share price erosion caused by breaches. Using software to automate and centralize manual incident response management processes will help reduce human error to ensure a timely, well executed response if a data breach occurs.
3. Threat Information Sharing Will Become Necessary for Survival
Cyber criminals have been coordinating their efforts for years and are well-versed in sharing vulnerabilities and attack methodologies. They even have their own online communities where they exchange information. This is unmatched by the commercial and government sectors.
To counter cyber criminals, government and private industry have to work hand-in-hand to quickly dissipate information about threats. The benefits of information sharing have been exemplified by close collaboration between government agencies on counter terrorism intelligence following the 9/11 attacks. Improvements in network consolidation, intelligence integration, and cross-departmental training played a central role in the successful manhunt for al-Qaeda leader Osama bin Laden.
The U.S. government will likely institute measures beyond its current Presidential Directive and NIST Cybersecurity Framework in an effort to finally introduce a formal information sharing database that will be made accessible to a broader group.
2015 will also see further proliferation of vertical market-specific information sharing communities similar to those that already exist in the Financial Services Information Sharing and Analysis Center (FS ISAC) and Red Sky Alliance. These organizations offer intelligence feeds that enterprises can leverage to contextualize threat information within their own security architecture. Considering the targeted campaigns we witnessed in 2014 against the retail and media / entertainment industries, expect to see these sectors establish threat information sharing comminutes as early warning indicators.
In summary, 2015 will prove to be a challenging year for IT security professionals. Threats associated with mobile computing, open source vulnerabilities, social media, and the increasing sophistication of cyber-attack methods will dominate the headlines. In addition to fostering closer collaboration with peers and government agencies, organizations should consider overhauling their approach to security risk management to address the evolving threat landscape. This could involve implementing an end-to-end third-party risk assessment process, augmenting existing security data with threat intelligence to contextualize the findings, and aggregating and correlating different data sources to derive a holistic view of their risk posture.
