By Chris Roberts, Chief Security Strategist, Attivo Networks
Around October or November, we throw the collective fortune darts at the nearest board, wall, or screen to work out how the following year’s going to be in our electronic world.
We’re the digital equivalent of the Farmers’ Almanac.
Yet, how often have we really taken a look back and worked out how accurate we’ve been? How often do we look over our shoulder and assess our success rate and possibly how to improve our accuracy?
So, this year, instead of grabbing the nearest intern, developer, or passing user and practicing the art of extispicy on them like haruspices to work out what we’re going to be looking at in 2020, we’re going to take a look back at some of the 2019 predictions and have a little dig around the Internet to see how well the prognosticators fared.
If one of these predictions is yours, or you were the one who copied it, rebranded it, and made it your company’s, then accept the criticism and be a little more careful with how you read this coming year’s entrails, as there are now consequences. You WILL be held responsible!
So, without further ado, let’s start with some of the cringe-worthy ones:
Rates of ransomware attacks will fall (Kiuwan)
I’m going to say this hasn’t been the case. Even if it can be shown that the actual number of attacks in a given country has decreased, the effects and overall challenges of the attacks have significantly increased, especially for many local, state, and federal government agencies, let alone school districts and healthcare facilities. If you look at the statistic being quoted, “every 14 seconds a business falls victim to a ransomware attack,” we’re NOW down to 11 seconds. So this one’s been solidly sunk, and we still have to deal with ransomware and all US$11 billion worth of damages.
AI will be a major force in information security (multiple sources for both defense and attack)
OK, this one’s partly true, but unfortunately not in the way we really want to see it. Marketing, sales, and every company that blinks in the night have taken up the cry of “AI will save us!” As far as the eye can see, it’s a forest of AI marketing explaining how their solution’s going to solve your problems and cook you breakfast in the morning, and most of it is utter codswallop. At best they’ve built an augmented system of pattern-matching rules and assume the recommendations can now be called AI. We won’t even talk about their training models, their update capabilities, or their understanding of how to scale and justify an ROI based on cost savings or increased maturity on the security scale. Please do right by all of us: stop throwing good money after bad, really dig into any AI solution to see what actually makes it tick, and remember that all that glitters is not gold.
IoT regulations will finally be addressed (Alvarez)
We’ll go with partial credit on this one. Firstly, yes, the regulations are coming, and NIST is at the helm. The problem is that various NIST documents appear to be held up, eaten by the “Swamp” or various parties within it. The IoT Cybersecurity Improvement Act (1668) is languishing somewhere in DC, and the Office of Management and Budget or the Office of Information and Regulatory Affairs has eaten 800-53, which, as we all know, is one of the backbones of our industry. So, if someone in charge in DC is reading this, can you please finally finish red-lining all the stuff we need? Believe me, you, your friends, families, companies, and the entire information security ecosystem will be better off for these things actually getting out of your hands, back to NIST’s, and then out to the general population. Until that time, IoT’s a mess; in all likelihood your toaster has already hacked the fridge, which is connected to the Internet and is, therefore, mining cryptocurrency. What a mess.
GDPR will have a significant impact (multiple sources)
If you define a significant impact as making us more aware of how badly we’re doing in information security, then yep, we’ve doubled (or more) the number of breaches being reported. But the regulation has been absolutely ineffective at levying sanctions, fines, or other legal actions against the companies that still fail to adequately protect our data. The upside is that a unified front on notification is a good thing; the downside is that the sheer volume of notifications simply shows we’re having no impact on stemming the flow of data being stolen, let alone holding the industry or the enterprises accountable for the losses. It will be interesting to see whether the U.S. takes note and learns from the colonial cousins across the pond, or simply continues to tackle the problem in the patchwork fashion of 50 small independent countries (mostly) united under one flag.
Defenders will think and operate like the attackers (our own company) and Companies will focus on the cyber hygiene of their own environments (Illusive Networks)
So, we’re taking both Attivo and one of our competitors to task for these ones. It is something we want, something we aim for, and something we would like to see in the industry: more focus on defense, more focus on giving the blue teams some teeth, more time, effort, and budget spent developing the defensive, detection, deception, and proactive arms of the organizations out there. But the reality is very different. Many companies are struggling to understand what they have, where it is, and what to do with it, all with limited resources and a plethora of regulatory and compliance directives to adhere to. It’s a real problem, and one that needs focus. The time has to be spent helping to educate organizations, working with them, developing roadmaps, running training and tabletops, and effectively acting as their advocate in the industry. If we can take the time to do this, and we can bring our own industry into line, then, and only then, I think we can make a difference, and the defenders will have the time to “think like the attacker” as opposed to firefighting on a daily basis.
Lastly on the 2019 reflections…
A huge shout-out to Ray Potter for nailing his comments. He very eloquently stated “Same sh**, different year” in an article used to pull some of these cringe-worthy data points.
So, what have we learned, aside from “don’t trust all that you read on the Internet”?
Arm yourself with questions, educate yourself or people you trust around you to know what questions to ask. This is especially relevant when faced with newer technologies that are still establishing themselves in the marketplace.
If someone’s coming at you with data, statistics, metrics, and all sorts of theories as to why their solution is the only one, assume those statistics are tainted unless proven otherwise. Too many companies are buying their way to the top of the latest set of charts; too many organizations spend more on marketing themselves as successful than on development to make sure they actually are.
Back to basics: a newly overused phrase that we still haven’t taken notice of. Get the simple things taken care of inside the environment before focusing on the blinky lights that do nothing more than mask the underlying issues. Educate the humans; take care of the defaults, the patching, the authentication, the users, and their access; and get eyes on the inside of your world, the boundaries of which keep evolving.
Rules and regulations only go so far. They are impractical to enforce if the volume of inbound data exceeds the regulatory body’s ability to actually process it. A disjointed approach to the problem will fail; a united “we” approach stands a chance of success, should all parties agree on a path forward.
We have a long way to go. We should take some time to look at 2019, realize what we’ve done, and then in most cases apologize for it and try to make amends in 2020. Our industry is amazing, innovative, creative, and has so much to give, but we are lost. We are (in the words of Seven of Nine) erratic, conflicted, and disorganized, and that means we are not doing the one single thing this entire industry was created for: we are not protecting our charges.
Make 2020 different.
Disclaimer: The article has been edited in accordance with the guidelines of CISO MAG. CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.