Imagine sitting at the end of a fishing pier staring at the ocean on a fine summer afternoon with hardly a breeze in the air. The sea is flat and quiet while you hear the lapping of waves on the beach. You know that beneath that calm surface might well be sharks, jellyfish, eels, manta rays, the Atacama Snailfish, or any number of predators. The sea might look quiet but it is anything but.
The same could be said for an IT security staffer as he or she looks out over a calm and quiet office while all the time knowing hidden just outside its network are cybercriminals, hackers, and script kiddies who are trying to force their destructive ways on a company’s critical business systems.
For IT security teams, that constant battle is made even more difficult because no one knows for sure what type of attacks will be next, meaning security workers have to be ready for anything at any time. Like the Atacama Snailfish, apparently an ancient predator that was only recently discovered nearly 27,000 feet deep on the floor of the Pacific Ocean, cyber predators have a knack for keeping themselves well hidden, only coming into the light if they are identified accidentally.
CISOs and security teams use many types of cyberdefenses, ranging from antivirus and antimalware to threat prevention software; identity and access management software to security appliances such as firewalls, universal threat management systems, and gateways; to a plethora of other hardware and software tools. But with new attack vectors being unveiled by the bad guys all the time, IT security leaders must always be thinking and looking ahead for the next potential security vulnerabilities and attack targets so they can prevent or minimize successful attacks against their businesses.
The questions the cybersecurity leads ask themselves tend to fall within a common set of priorities: Where should IT teams start today? How can IT security leaders prepare themselves and their systems for new kinds of attacks, some of which they’ve probably not imagined before? How can they fight back effectively and protect their company’s key IT assets? How can they stay a step ahead of the bad guys, no matter what shows up at their firewalls and digital doorsteps? In many ways, these are the same questions CISOs ask themselves about zero-day attacks. The difference is, here there are many more variables to consider.
Attacks today are often masked as valid data transmissions or come in as simple emails or messages, fileless attacks that take the form of queries that ask a user to take an action, which if initiated will unknowingly create a breach. This makes some of the latest attacks even more treacherous because they can unleash something that a company’s standard security software and hardware defensive measures fail to identify as malicious.
Creative defenses
The threat landscape has been changing especially quickly in the past few months, says Alessio De Luca, a security consultant and digital transformation manager for Florence Consulting Group in Florence, Italy.
“The most important trend that IT security pros need to recognize is the evolution of malware against signature-based, traditional antivirus systems,” says De Luca. “From fileless malware to zero-day attacks, the traditional analysis of fighting threats already known by antivirus systems is not enough anymore. Unknown threats are the real issue nowadays.”
The clear pattern being seen in IT security today is that static defenses are no longer a reasonable way to protect companies, he adds. Worse, due to the evolving methods used by attackers, the most dangerous new threats will come from apparently valid system processes that take advantage of the trust or familiarity of users.
“Every endpoint should be protected,” says De Luca. “Threats are increasingly moving from the core to the edge of the network.” And to make those endpoints most effective, they should include strong artificial intelligence (AI) and machine learning (ML) features that use algorithms that change and counter in real time when threat landscapes change, he says. “It’s the best option we can choose at the moment to protect companies’ infrastructures.”
AI and ML are powerful and essential up and coming tools in the fight for more secure IT systems because instead of just comparing network activities to a static list of known threats, ML and AI examine user and application behaviors in real time, recognizing suspicious activities even when threats are unknown or processes are masked as valid, says De Luca.
Using AI and ML tools, IT security teams will gain many innovations in the fight against cybercrime. “The growing number of attacks won’t be manageable without the computing power of AI and ML,” he says.
Another nascent trend is the inclusion of more security features at the hardware level, rather than just through software barriers, De Luca says. A breached hardware component will block itself to protect the rest of the network, making it an important tool in a company’s security perimeter.
“There’s no such thing as 100 percent security, which is a truth that IT pros often fail to recognize,” says De Luca. “All that we can do is compartmentalize the company systems into smaller sections and apply the latest innovations to improve the overall security.”
Human-centric security
Not everything in IT security involves hardware and software, notes Steven Durbin, the managing director of the London-based Information Security Forum (ISF), an independent, non-profit global authority on cybersecurity and risk management.
Anticipating tomorrow’s IT security attacks also means understanding human behavior in the workplace, says Durbin. “We know that IT security guys are always trying to just keep the wheels on to keep things going. I think they’re relatively okay with being able to deal with it provided they can anticipate it. The piece they’re not so good at involves the people-centric area, the humancentric security needs. It’s really about trying to understand how people act, respond, and behave.”
In that case, what is needed is a new approach for IT — understanding more about the psychology of their users, says Durbin. That means educating users so they do not continue to click on phishing emails from people they do not know and other common security gaffs, despite constant lectures about avoiding such behaviors.
“That is the root, the really challenging piece, because those skill sets are not natural for an IT security guy or for the CISO,” says Durbin. “Some of the smarter organizations I’m aware of are doing things like hiring psychologists to help them understand how users react and to get a better handle on what might be implemented from a security standpoint in order to get a better level of acceptance from the user community,” he notes.
Emphasizing the point, Durbin adds: “Yes, I mean having such staff in the security department — a trained psychologist,” he says. The ISF is conducting research on this topic along with several universities because it is an issue that more and more companies will likely begin to address, he adds.
That’s right. Durbin thinks more businesses need to hire psychoanalysts to help change the poor IT habits of their users.
“Before you roll out any new piece of a security program, you need to be positioning it with the people who are going to be receiving it and understand how to position it so you get their emotional buy-in,” he says.
The idea, he says, is that users react best to security lessons if the lessons really hit them hard emotionally, like when the lessons relate to protecting their children from online threats. If IT departments provide training in that context, the lessons will hit with much more impact for users and they will remember the lessons and even share them with others at work, he says.
“The whole thing that we’re missing is that people in business are also people in their homes,” says Durbin. “So, if you teach me, or if you give me guidance on how to keep my kids safe online, I will remember that.”
Those connections will help corporate workers bridge that gap between what happens in their workplace and at home and will help achieve a much higher degree of security effectiveness than those that focus solely on the business environment, according to Durbin.
Don’t forget IoT insecurities
As CISOs, CTOs and other IT security leaders plan their strategies, they also must give more attention to another emerging security issue that is affecting every company — the increasing use of internet of things (IoT) devices across the corporate landscape.
“The IoT issue is where the next IT security wave is at,” says Terrill L. Frantz, an associate professor of eBusiness and cybersecurity at the Harrisburg University of Science and Technology in Harrisburg, Penn. “We’re crossing that horizon now. If you think securing a smartphone or a laptop is hard, multiply that by several hundred million or a billion devices that are unique.”
The problem is that all those mostly uncontrolled devices, which do not get regular security updates like computers and smartphones typically receive, are potential security threats to organizations because they can be used as attack vectors.
“There’s not going to be a Microsoft to push out new firmware for these devices,” says Frantz. “In the IoT space, you’ve got anybody writing anything. You have all these devices that are bare-backed on the internet. Think of it as a distributed world of little firecrackers. Each one on its own isn’t a big deal but then you put them all together collectively and a bad guy can make use of that.”
The problem is that business IT leaders are not really paying much attention to this conundrum, says Frantz. “That’s something that will we will see more of down the road. That’s something we are not prepared for — not even close.”
And finding the right answers to solve the challenge is still an unknown, he adds.
“Unfortunately, problem solving usually occurs after a problem occurs,” says Frantz. “We don’t know what these incidents will look like or how to prevent them” since companies have not moved to fully utilize IoT devices and strategies, he says.
“They have to decide what they want to do and then plan how they will use IoT and how to protect against attacks,” he adds. “They don’t have a choice but to do something about it. It’s going to be brought to them whether they like or not in terms of threat prevention and identification. The technical people are becoming aware of it, but it hasn’t filtered up yet.”
Legal issues for tomorrow’s attacks
When it comes to trying to anticipate the security threats of tomorrow, don’t forget to consider the related legal scenarios, says Braden Perry, a cybersecurity attorney with KennyhertzPerry LLC in Kansas City, Mo.
“Cybersecurity, it’s easy in theory to do it,” says Perry. “But if you’re not doing it in practice, it’s absolutely no help to you when it comes to these types of issues.”
Having strong security policies in place and engagement from senior management has been an ongoing mantra in IT for several years, but that also needs to include a company’s board of directors who really need to focus on these types of issues, says Perry. At the same time, executives need to take a new look at their IT departments and become more connected to them in terms of communications, leadership and strategy, he adds.
“In the past IT was one of those basement departments that you didn’t really want to see until something happened,” he says. “That’s no longer the case, especially with breach management, privacy issues and those types of topics which now need to be top of mind for companies. And to do so you need to have that senior management involvement to make sure the entire organization knows that this is the priority.”
A critical step that CISOs and their companies can take is to be more proactive by trying to determine what the next types and vectors of attacks will be, as well as the security trends, so they can figure out how to battle them, says Perry. That means spending money.
“One way is by having good personnel and being able to put out the capital to have that personnel,” he says. “When it comes to the legal department and to IT, those are not ordinary profit centers for a company. You need to make sure that companies are aware that putting resources into those non-profit resource centers will save the company money down the road. If you are lax in those areas, it can really hurt a company from a financial, as well as a reputational, level.”
Perry acknowledges that he still talks regularly with executives at companies where IT security is not taken as seriously as it should be because the company has not yet suffered an attack or that they have endured an attack and just don’t know it yet. Another possibility is that these executives do not have the resources to realize that they already are under attack but they just do not know it yet.
“It seems like it’s common sense, but until they experience an intrusion, a breach or some sort of an issue, many companies don’t really think about cybersecurity in the way that they need to be thinking about it, even today,” says Perry.
“What I’m trying to do is making sure that they are thinking about this in a proactive way where they don’t become the next Home Depot or [one of the] other companies that have [had] mass breaches of information. It really does take proactive activity to get this done,” he adds.
A beacon of hope
When looking for up-and-coming, next-generation IT security analysis tools, IT leaders also should be taking a close look at beacon detection capabilities, which carefully scan network traffic identifying and calling out anomalies, says Joe Sullivan, the principal security strategist for Crossroads Information Security and the CISO for RCB Bank headquartered in Claremore, Okla.
To get ahead of new kinds of IT system attacks, beacon detection is a promising tool, he says. Beacons tell IT teams when an unusual heartbeat is seen within the network traffic, notifying them that something could be amiss and needs their attention, he says.
“It will get pointed out and will rise to the top,” says Sullivan. IT workers can then see they have an infected machine that in the past could have gone undetected.
But while new tools can be helpful, bolstered skill sets and work experience for today’s CISOs, CTOs and other top IT security executives should also be considered.
“For CISOs and CIOs — CISOs especially — the roles are changing, so companies are realizing that if they’re going to hold that position accountable for technical controls that are in place that those leaders need to have better technical skills,” says Sullivan.
In the past, CISOs, CTOs and others were heavy on team and departmental leadership skills and maybe were less experienced and skilled when it came down to technical expertise, he says.
“You’re starting to see companies shift towards having a CISO who is more technically oriented, who has threat hunting experience, forensic experience, incident response experience and more, as opposed to just straight business and finance experience,” says Sullivan. “Absolutely, yes, it’s where we’re going right now and people are slowly starting to realize this. It’s kind of under the radar.”
