Among the top security trends for 2019: Identity is now the default perimeter, privacy continues to be important terrain, and disinformation campaigns will persist.
Attendees of the RSA 2019 conference may be apprehensive about the security landscape and wonder whether there’s any good news to report.
There is: John N. Stewart, Cisco chief security and trust officer—who told last year’s RSA attendees that collective action and mutual responsibility were keys to better security—sees promising signs that defenders are keeping pace with adversaries.
One reason for this trend is that security teams have gotten more support for their work, both in resources and in executive backing. Following high-profile incidents such as the 2017 Equifax breach, senior executives are reporting on security to their boards on a more regular basis, according to a recent survey from FS-ISAC. Finally, they are waking up to the dangers of cyberthreats.
“Leadership, boards, and shareholders are becoming more active in not only absorbing that cyber-risk is an important facet of their operations, but also seeing cyber-risk as on par with business and financial risk,” Stewart said on the eve of the upcoming RSA event, which takes place in San Francisco March 4-8. In fact, in a new survey from the Conference Board, U.S. CEOs said their No. 1 concern is cybersecurity, ahead of competition or risk of a recession.
Security teams haven’t gotten a blank check from executives, however. Stewart said that organizations want evidence that cybersecurity investments work.
“There are more metric-driven discussions now,” he said. “Security teams need to prove there are indicators of progress.” This kind of risk management has been around for years in other business functions like IT, according to Stewart, and security teams are now catching up.
1. Identity as the default perimeter. In 2019, getting real about security also means adopting identity as the default perimeter—also known as “perimeter-less security,” Stewart said. With identity and access management technologies, organizations can define policies based on specific users and applications, limiting worker access to only the information they need to do their jobs.
Once someone is identified as a legitimate user, “all things will be driven from that moment on,” Stewart said. “It’s not that anyone is inside the corporate network, it’s that a specific person is inside the corporate network.”
As identity changes moment to moment—such as when someone accesses Wi-Fi in a hotel first with a laptop and then with a smartphone—access can pivot. Stewart explains, “It’s about the role you are playing at that moment.”
2. Privacy: A hot topic for 2019. The publicity surrounding massive data breaches, especially those affecting consumer information, will drive more conversation about how to protect privacy in 2019, Stewart said. He expects more calls for regulation in the U.S., akin to the European Union’s General Data Protection Regulation (GDPR).
“It’s got everything to do with the barrage of attacks in 2018, and the world discovering how little privacy we have with major companies,” he said. “Then there’s the countervailing force, which says privacy had better be the priority for all sorts of big companies.”
3. Disinformation will likely persist. While most of Stewart’s 2019 security trend predictions are good news for defenders and the public, one of them is a big negative: the trend toward disinformation.
From election-influencing to “deep fake” videos that use artificial intelligence to manipulate images, Stewart sees efforts to confuse people’s perceptions of trusted information as a key security threat. “Disinformation is being used as a tool to influence people—and it’s working,” Stewart said.
4. Modern attackers use top tools, too. The 2019 CISO Benchmark Study included predictions about attackers’ growing skill in creating sophisticated malware and evading detection. Stewart said he expects these trends to continue, although defenders’ innovation and faster response and resolution times make it more difficult for adversaries to maintain an upper hand for long.
Defenders and adversaries will continue to learn from one another to try to one-up the other side, however. “There will always be disruptive events on either side,” Stewart said. “The defense team will come up with some magical way to make a big difference, while the hacker team will come up with crazy ways to cause problems.”
What defenders should not do, Stewart advised, is assume that adversaries don’t have access to the same tools that the good guys do. “In 2019, we shouldn’t think the hackers are playing around anymore,” he said. “They’re running AWS [Amazon Web Services]-quality infrastructure on their attacks.”
5. Hiding isn’t as easy as it used to be. The 2019 CISO Benchmark Study noted that adversaries have become more adept at evasion: eluding sophisticated sandbox environments and increasing their adoption of encryption to hide their activity from defenders. Also, cybercriminals use legitimate web-based services such as Google, Dropbox, and GitHub for “command and control” communications—that is, issuing directives to digital devices that have been infected with malware—which makes malware traffic almost impossible to identify.
But Stewart believes adversaries’ ability to hide is diminishing, at least in one aspect. “There are two dimensions to hiding,” he said. “The first is hiding what they’re doing in your network. That ability is reduced. Then there’s hiding who they are—and that’s stayed exactly where it’s been for quite a while.”
Hunting down the “who” in an attack still isn’t easy, thanks to the anonymity of the Internet. “But hiding in a network is really complicated,” Stewart said. “We’ve done so much work in instrumentation and we’re aggregating so much data that we can now put a spotlight on activity, both good and bad.”
Adversaries, being the innovators that they are, are working to get around the detection challenge. “They’re trying to get into your network early—for example, by inserting malware into the supply chain or through phones and devices,” Stewart said. “It’s like they’re saying, ‘I’m not going to break into your network. You are literally going to plug my world into your network.’”
In the year since Stewart told RSA attendees that collective action was the answer to security’s pain points, has he seen progress? He said he believes so, and cites GDPR regulatory agencies that focus on helping companies close their security gaps, instead of just punishing infractions. “The goal is not to hurt a company—it’s meant to be collaborative,” he said.
Stewart said governments need to do a better job of working together on global security challenges and view the web as a global village.
“Our problems are unsolvable without international cooperation,” he noted. “We can’t divide the Internet into chunks and say that it’ll work. The Internet is a collective, whether we want it to be or not—and we have to work on it that way if we want to solve our risk scenarios.”