It seems like CSOs are always seeing flashing red lights on their security dashboards these days, warning them of another breach or risk of compromise. There are so many security events happening day in and day out that it’s difficult to decide what’s the top priority. That’s a good metaphor for the state of cybersecurity efforts across the globe – we’re in a constant state of flashing red.
That is, if we even see the attack coming, which we increasingly don’t. Recent breach disclosures, once again, show that not only do defenses get bypassed, but malware is also often able to sit inside a compromised network undetected for months collecting and exfiltrating massive amounts of data.
Hardly a week goes by without the announcement of some major breach. It’s gotten so that many attacks don’t even get reported any more unless they are especially spectacular. Did you hear about the recent Taiwanese bank compromise that resulted in US$60 million being stolen? No? Because not too long ago, that sort of thing would have made global news. But not now. The new normal in cybersecurity is that there is no more normal, unless you count that we are getting used to hearing bad news.
Part of the reason for this escalation in cybercrime is that the possible attack landscape is constantly expanding. As an example, as organizations have begun to embrace the Internet of Things, related threats targeting IoT have rapidly evolved. Just one year ago, about 2 percent of global attacks were targeted at mobile devices. Today, that number is close to 10 percent.
IoT has become the next big target for hackers. They are targeting CCTV cameras, IP-based security cameras, DVRs, consumer-grade routers, and printers. These devices are all connected wirelessly to the Internet, creating what we now call IoT. To keep costs low, or simply because manufacturers have not been very careful, consumer-grade devices have simply not been developed with appropriate security in place.
Because of their convenience, many of these devices are migrating from homes to small businesses and even inside large corporate networks. Even commercial-grade IoT devices, such as monitors or inventory controls, are poorly secured and susceptible to compromise. The prevalence of these highly interconnected devices has increased the attack surface exponentially, and as a result, over the past year we have seen millions of compromised IoT devices aggregated by attackers and used to take out individual organizations or even huge chunks of the Internet. And because of the nature of these devices, many can’t even be patched or updated when vulnerabilities are discovered.
IoT is just a part of the problem. In many ways, it’s an extension of a critical BYOD challenge that began a few years ago, and in many organizations hasn’t been fully addressed from a security standpoint. In addition, many organizations are asking their CSOs and security IT teams to navigate a whole range of new technologies, including SDN, the migration to the cloud and several X-as-a-service delivery models. New architectures built using isolated multi-cloud services, for example, often have restricted visibility, complicated management systems, and no way to implement any sort of centralized orchestration or control over security policies or posture. And at the same time, all of these new technologies are creating new avenues of attack.
The other part of the problem is that cybercriminals are just getting better at what they do. When I’m asked about the current state of security when I meet with customers and global public organizations, I say that we’re not only seeing the volume of attacks increasing, but that the level of sophistication is increasing at an even faster rate. Hackers are innovative and highly motivated, with sophisticated networks of developers and tools on the dark web available at their fingertips. As a result, they are building automated and clever techniques into these attacks, including self-learning technologies that allow them to discover and exploit a wide range of vulnerabilities on their own.
All of this sounds like very bad news. And of course, it is. But I’m not trying to create a sense of panic in businesses and other organizations. There is something that can be done about all this, but it is going to require that we think about this problem in a very different way. Isolated security devices and platforms guarding specific network access points may have been enough a decade ago (though that could be debated), but security tools today need to be able to work together as an integrated system designed to span and adapt to the network as it shifts and evolves. In Part II we’ll talk about how to make that happen.