The start of a new year is always a good time to assess what your team achieved over the past twelve months and to prioritize the activities you believe will make a difference to your company this year. To assess your IT security team's goals and objectives, it helps to review what the experts believe will happen in the broader security market, what objectives your leadership team has set for the organization, and how your team will do their jobs.
Predictions about the cybersecurity space abound at this time of the year, but I want to share some of my predictions about the trends that will have the greatest impact on your information security operations in 2019.¹
1. Keeping Pace with Increasingly Balkanized Regulation
Businesses of all sizes are increasingly adopting cloud applications and services. This trend isn’t new and will not slow down for the foreseeable future: The percentage of workflows in the cloud will grow from 45% in 2017 to 60% in 2019.
Cloud services are one of the most significant factors stimulating the globalization of business and networks. Global networks enable proprietary and private information to move more easily across national borders, dramatically increasing the number of touchpoints and the number of locations from which data can be accessed.
This dynamic is playing out against the backdrop of increased government regulation, forcing the Internet to mirror the political and commercial contours of the physical world. Today, global businesses deal with a smorgasbord of regulations imposed by all levels of national and local government. In the U.S., all 50 states and Washington D.C. have already adopted laws specifying the requirements for disclosing data breaches. Several states have gone so far as to mandate security measures that will better protect private, personal information.²
Emphasizing the “carrot” over the “stick,” the state of Ohio passed safe harbor legislation in 2018 to encourage and reward the formation of cybersecurity policies and practices that better protect private information and increase transparency when the inevitable breaches occur.
The EU’s General Data Protection Regulation (GDPR) and similar regulatory approaches in Brazil and India are game-changers that exemplify transformational regulatory approaches. With more GDPR-like regulation emerging in pockets globally, the impact of these regulatory regimes on global business cannot be overstated.
2. Threat-Informed Defense
Far too many everyday front-line defenders (IT professionals, developers, system administrators, Level 1-2 NOC/SOC employees, etc.) attempt to secure their networks with little understanding of the attackers, their tools, or their techniques. These defenders are unaware of how attacker tools behave in their specific network, what artifacts these tools may present in their monitoring/logging environments, and how their defenses will fare when subjected to typical attacker plays.
To be blunt, I continue to be amazed at how little defenders understand attacker tools and techniques. When shown attacker tools for the first time, many defenders are simply dumbfounded and react as if what they are seeing is magic. Defending against ghosts is not a recipe for success. Defenders who work in a vacuum unwittingly create a disjointed defensive scheme largely driven by vendor-point technology solutions. This phenomenon is a big reason we are in the mess we’re in today.
The MITRE ATT&CK™ framework — like the Lockheed Martin Cyber Kill Chain® before it — creates a “field of play” for defenders to better understand how attackers function and how their defenses fare when subjected to typical attacker activity. Most importantly, defenders can map their defenses onto ATT&CK to establish and understand “coverage” of their defensive technologies and routinely exercise a full range of scenarios covering the ATT&CK spectrum.
In some corners, MITRE ATT&CK is being embraced by security vendors to help defenders better understand how their tools fit into an overall cohesive scheme. Additionally, joint attacker-defender training exercises (often referred to as “Purple Team” engagements, resulting from combining “Red” attacker and “Blue” defender teams) have exceptional value and should continue to replace the less useful “penetration test” model.
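What “mapping defenses onto ATT&CK” and then exercising them looks like in practice, as an added example that is not code from the original post. It takes an inventory of detection rules, each tagged with the ATT&CK technique IDs it claims to detect, and the results of a purple-team exercise, and splits every technique into three states: verified (a rule claims it and actually fired), claimed (a rule claims it but it never fired, or was never exercised) and gap (nothing claims it). The technique table is a small constructed subset of ATT&CK Enterprise (the IDs and tactic assignments are real, but the list is deliberately incomplete); the rule names, sources and exercise outcomes are constructed sample data.

```python
"""ATT&CK coverage map: claimed vs. verified detection coverage.

Added example. The technique table is a constructed subset of MITRE ATT&CK
Enterprise; the detection inventory and exercise results are constructed.
"""
from collections import defaultdict

# Constructed subset of ATT&CK Enterprise: technique id -> (name, tactics).
TECHNIQUES = {
    "T1566": ("Phishing", ["Initial Access"]),
    "T1078": ("Valid Accounts",
              ["Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1053": ("Scheduled Task/Job", ["Execution", "Persistence", "Privilege Escalation"]),
    "T1003": ("OS Credential Dumping", ["Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}

# Constructed detection inventory: what each rule claims to cover.
DETECTIONS = [
    {"rule": "edr-lsass-handle", "source": "EDR", "techniques": ["T1003"]},
    {"rule": "siem-powershell-encoded", "source": "SIEM", "techniques": ["T1059"]},
    {"rule": "siem-schtasks-create", "source": "SIEM", "techniques": ["T1053"]},
    {"rule": "mailgw-macro-attachment", "source": "Mail gateway", "techniques": ["T1566"]},
    {"rule": "proxy-beacon-jitter", "source": "Proxy", "techniques": ["T1071"]},
]

# Constructed purple-team results: technique id -> did any rule fire?
EXERCISE_RESULTS = {
    "T1003": True,
    "T1059": True,
    "T1053": False,   # rule deployed on one host group only; never fired
    "T1566": True,
    "T1071": False,   # beacon slept 6h between callbacks; jitter rule silent
    "T1021": False,
    "T1078": False,
}


def claimed_coverage(detections, techniques):
    """Technique id -> list of rule names that claim to detect it."""
    covered = defaultdict(list)
    for rule in detections:
        for tid in rule["techniques"]:
            if tid not in techniques:
                raise ValueError(f"{rule['rule']} references unknown technique {tid}")
            covered[tid].append(rule["rule"])
    return dict(covered)


def classify(techniques, claimed, exercise):
    """Technique id -> 'verified' | 'claimed' | 'gap'.

    verified: a rule claims it and it fired during an exercise
    claimed:  a rule claims it but it was never exercised or failed to fire
    gap:      no rule claims it at all
    """
    status = {}
    for tid in techniques:
        if tid not in claimed:
            status[tid] = "gap"
        elif exercise.get(tid, False):
            status[tid] = "verified"
        else:
            status[tid] = "claimed"
    return status


def tactic_summary(techniques, status):
    """Per-tactic counts; a multi-tactic technique is counted under each tactic."""
    summary = defaultdict(lambda: {"verified": 0, "claimed": 0, "gap": 0})
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            summary[tactic][status[tid]] += 1
    return dict(summary)


def techniques_in_state(status, state):
    """Sorted technique ids currently in the given state."""
    return sorted(tid for tid, s in status.items() if s == state)


def build_report(techniques=TECHNIQUES, detections=DETECTIONS, exercise=EXERCISE_RESULTS):
    claimed = claimed_coverage(detections, techniques)
    status = classify(techniques, claimed, exercise)
    return {
        "status": status,
        "by_tactic": tactic_summary(techniques, status),
        "gaps": techniques_in_state(status, "gap"),
        "unverified": techniques_in_state(status, "claimed"),
    }


if __name__ == "__main__":
    rep = build_report()
    for tactic, counts in sorted(rep["by_tactic"].items()):
        print(f"{tactic:22s} verified={counts['verified']} "
              f"claimed={counts['claimed']} gap={counts['gap']}")
    print("gaps (no rule claims them):", rep["gaps"])
    print("claimed but never fired:   ", rep["unverified"])
```

The useful output is not the “verified” list but the other two: techniques no rule even claims are where the vendor-point-solution gaps show up, and techniques a rule claims but that never fired are the paper coverage that only a purple-team exercise exposes. Re-running the exercise with new results is how “routinely exercise” turns into a trend line rather than a one-off.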
3. Security Accountability
While few would argue against the necessity of information security today, information security professionals often struggle to justify their expenses to the business organization. Information security typically falls into the category of what I call “insurance economics,” in that we seek budget that may or may not be effective at reducing institutional risk and may or may not avoid a greater loss than the amount spent. We will likely never know, which is why it is a remarkable leap of faith that we ask of our business colleagues!
Similarly, security vendors have a habit of making largely untested claims about the efficacy of their products with few guarantees. They ask their clients to take similar leaps of faith. Security products are often misunderstood and misused, and, as a result, provide little to no security value to an organization. It is essential that the purchaser and the supplier establish a mutual clarity about what the product does (and does not do) and how to measure the efficacy against a very specific set of risks. I expect buyers to increasingly make this a requirement of the purchasing process to hold their vendors accountable for results. Accountability relies on establishing meaningful performance indicators and having mechanisms in place to capture and report on those metrics.
4. Maturing the Information Security Ecosystem
My top predictions for 2019 reflect my strong belief that every organization has to better understand the information security ecosystem they are in and make a commitment to be a better player in that ecosystem.
Regulatory bodies around the world are doing their part to protect their citizens and our customers, as they should. Technology suppliers are investing large amounts of R&D dollars to help you automate your defenses and become more efficient. Your security operations team wants and needs to show results to the business. You can do it by turning to proven best practices from industry leaders and their peers. That’s what we’re all about at the Columbus Collaboratory: enabling communities of like-minded individuals to up their game and strengthen their defenses with the best use of data, people, processes, and technology.
Looking forward to much more of the same with you in 2019!