From LinkedIn to Yahoo, companies fell into the hands of hackers and identity thieves in 2016. Each year, companies seem to make the same security resolutions, only to face roadblocks like skill shortages, time constraints and budget issues, which prevent them from implementing good security practices. Experts recommended companies consider the following trends and predictions for 2017, instead of scrambling to fight off attacks for another year.
Software is vital for society’s well-being, since it is critical in all aspects of human life, whether it’s banking, mobile applications or national infrastructure, said Paul Curran, cybersecurity evangelist for Checkmarx (an application security solution company).
Despite the necessity of software security, companies struggle to implement it into development operations, and rarely do their resolutions turn into a reality, said Curran.
However, as DevOps adoption increases, these companies are forced to find solutions that are “built into the fabric of the enterprise to make it more difficult for attackers to enter the system and gain access to sensitive assets,” said Chandra Rangan, senior vice president of marketing for HPE Security.
Security analytics is a “critical line of defense,” he said, as it can help organizations detect and respond to threats faster to mitigate their risk. Organizations should also change their thinking from an all-or-nothing approach to “one that incorporates protection, detection and response,” he said.
The shift in methodology that comes from DevOps means organizations need to redefine security’s role in the software development lifecycle (SDLC), to “shift left” and implement security early on in the software development stages, instead of leaving it to the very end and in production, said Curran.
This shift-left model presents problems for traditional application security testing (AST) solutions like penetration testing, especially since these solutions address security testing later on in the SDLC, and they cannot be pushed to the development stages, said Curran.
While static application security testing (SAST) solutions can work for a DevOps environment, “Not all SAST products fit the demands presented by the rapid release cycles in DevOps,” said Curran.
This means companies need to find a frictionless, quick-turnaround policy that meets DevOps requirements, which must translate into incremental scanning, partial-code scanning, compiler-free capabilities and tight integration with developer tools, he said.
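The incremental, compiler-free scanning described above can be illustrated with a diff-aware check that looks only at the lines a change adds, which is what lets it run inside a pre-commit hook or pull-request pipeline without a full build. The following is an added example written for this article, not code from Checkmarx or any other vendor named here; the rule set, the file paths and the sample diff are constructed for the illustration and are not a real SAST engine.

```python
"""Diff-aware (incremental) security scanning, as a minimal illustration.

Only lines added in a change are checked, so the scan needs no compiler or
full build and can run in a pre-commit hook or pull-request pipeline.
Rules are illustrative regexes, not a real SAST engine.
"""
import re
from dataclasses import dataclass

# Hypothetical rule set (constructed for this example): regex, id, message.
RULES = [
    (re.compile(r"\beval\s*\("), "PY-EVAL", "eval() on untrusted input allows code injection"),
    (re.compile(r"shell\s*=\s*True"), "PY-SHELL", "shell=True risks command injection"),
    (re.compile(r"(?i)\b(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]"), "PY-SECRET", "hard-coded credential"),
    (re.compile(r"\.execute\s*\(\s*(f['\"]|['\"].*?['\"]\s*(\+|%))"), "PY-SQLI", "SQL statement built by string formatting or concatenation"),
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int       # line number in the new version of the file
    rule: str
    message: str
    code: str


def added_lines(diff_text):
    """Yield (path, new_line_number, text) for every '+' line of a unified diff."""
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            path = None                      # a new file section begins
        elif raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("--- "):
            continue
        elif (m := HUNK_RE.match(raw)):
            new_line = int(m.group(1))       # first line of the hunk in the new file
        elif path is None or raw.startswith("\\"):
            continue                         # preamble or "\ No newline at end of file"
        elif raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-"):
            continue                         # removed line: not present in the new file
        else:
            new_line += 1                    # unchanged context line


def scan_diff(diff_text):
    """Run every rule over the added lines only; return findings in diff order."""
    findings = []
    for path, line, text in added_lines(diff_text):
        for pattern, rule_id, message in RULES:
            if pattern.search(text):
                findings.append(Finding(path, line, rule_id, message, text.strip()))
    return findings


# Constructed sample diff: one hunk introduces two issues, another replaces an
# unsafe call (the removed shell=True line is not scanned) and adds an eval().
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,3 +10,4 @@ def get_user(conn, name):
     cur = conn.cursor()
-    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
+    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
+    API_KEY = "sk-test-0000"
     return cur.fetchone()
diff --git a/app/util.py b/app/util.py
--- a/app/util.py
+++ b/app/util.py
@@ -1,4 +1,4 @@
 import subprocess
-subprocess.run(cmd, shell=True)
+subprocess.run(cmd.split())
 def parse(expr):
-    return int(expr)
+    return eval(expr)
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line} [{f.rule}] {f.message}: {f.code}")
```

Because only added lines are examined, the scan cost scales with the size of the change rather than the code base, which is the property the rapid DevOps release cycle needs; the trade-off is that a single-line regex cannot follow data across lines or files, so a full scan is still needed periodically to catch what the incremental pass misses.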
From perimeter security to the zero-trust model
Many of the tools that keep threat actors at bay focus on the idea of perimeter security, that is, the boundary between the private, locally managed or owned side of a network and everything outside it. Network perimeter security is one way to keep malicious users out of the environment in the first place, and while it’s important to put network perimeter technologies in place, it’s obvious that sophisticated attackers can easily get past these defenses, said Sam Elliott, director of security product management at IT security firm Bomgar.
HPE Security Services’ CTO, Andrzej Kawalec, said that traditional network perimeter technologies like access and authorization, AV and endpoint protection technologies are no longer enough to protect information throughout its life cycle. Most organizations rely on “building bigger walls or moats to keep attackers out of the castle,” but today’s adversaries can get through the front door or window easily.
“Organizations should focus their efforts on research and reconnaissance, infiltration, discovery, capture and exfiltration or data extraction to learn and understand the cadence and sequence of attacks,” said Kawalec.
This is why more members of the information security community have adopted the stance of assuming hackers are already in the network, since cybersecurity is so pervasive today, according to Elliott. This model is known as the zero-trust model, first proposed by Forrester Research as a way to promote the idea of never trusting any entity, and to always verify the location. This means assuming that anyone in the network, including employees or third-party vendors, should not be trusted.
The idea of the zero-trust model was highlighted in the big data breach of the U.S. Office of Personnel Management (OPM) in September of 2016, which exposed background investigations and fingerprint data of millions of Americans. A report commissioned by the U.S. House Oversight and Government Reform Committee is blaming the OPM for jeopardizing the of its employees, and it detailed a long timeline of the breach, highlighting how the OPM’s information security plans left the agency at risk.
This breach shows the community that there are significant gaps around privileged access and privileged accounts, and the reality is there isn’t much distinction between “insiders” and “outsiders” if the company is implementing the zero-trust model, according to Elliott.
He added that there are many technologies that aim to solve this challenge, and he recommended multi-factor authentication, such as requiring a second factor, like a PIN code, before logging in to a network or device.
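The zero-trust stance described in this section, with its "never trust, always verify" rule, its refusal to distinguish insiders from outsiders, and the second factor Elliott recommends, can be shown as a small access-decision routine. This is an added example written for this article, not code from Forrester, Bomgar or HPE; the policy table, the group names and the scenario requests are hypothetical values constructed for the illustration.

```python
"""Zero-trust access decision, as a minimal illustration of "never trust,
always verify": each request is judged on verified identity, second factor
and device state, never on whether it originates inside the network.
Policy values are hypothetical and constructed for this example.
"""
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset           # group memberships from the identity provider
    mfa_verified: bool          # second factor (e.g. a PIN or one-time code) completed
    device_managed: bool        # device enrolled and compliant with policy
    source_network: str         # "corp-lan", "vpn" or "internet"; logged, never trusted
    resource: str
    sensitivity: str            # "public", "internal" or "privileged"


# Hypothetical policy table: what each sensitivity class requires.
POLICY = {
    "public":     {"groups": frozenset(),                        "mfa": False, "managed_device": False},
    "internal":   {"groups": frozenset({"staff", "contractor"}), "mfa": True,  "managed_device": False},
    "privileged": {"groups": frozenset({"admins"}),              "mfa": True,  "managed_device": True},
}


def decide(req):
    """Return (decision, reasons). Decisions: ALLOW, STEP_UP (MFA needed), DENY."""
    policy = POLICY.get(req.sensitivity)
    if policy is None:
        return "DENY", ["unknown sensitivity class: default deny"]
    reasons = []
    if policy["groups"] and not (req.groups & policy["groups"]):
        reasons.append("not a member of an authorised group")
    if policy["managed_device"] and not req.device_managed:
        reasons.append("device is not managed or not compliant")
    if reasons:
        return "DENY", reasons
    if policy["mfa"] and not req.mfa_verified:
        # Identity and device are fine; ask for the second factor instead of denying.
        return "STEP_UP", ["second factor required before access is granted"]
    return "ALLOW", ["identity, group, device and factor checks passed"]


def audit_record(req, decision, reasons):
    """One JSON line per decision: the feed a security analytics pipeline would consume."""
    record = asdict(req)
    record["groups"] = sorted(req.groups)
    record.update({"decision": decision, "reasons": reasons})
    return json.dumps(record, sort_keys=True)


# Constructed scenarios: an insider on the LAN earns no extra trust, and an
# admin on the public internet is allowed once identity, MFA and device check out.
SCENARIOS = {
    "insider_lan_no_mfa":    Request("alice", frozenset({"staff"}), False, False, "corp-lan", "wiki", "internal"),
    "insider_lan_with_mfa":  Request("alice", frozenset({"staff"}), True, False, "corp-lan", "wiki", "internal"),
    "admin_internet_full":   Request("bob", frozenset({"admins"}), True, True, "internet", "prod-db", "privileged"),
    "admin_lan_unmanaged":   Request("bob", frozenset({"admins"}), True, False, "corp-lan", "prod-db", "privileged"),
    "vendor_vpn_privileged": Request("vendor1", frozenset({"contractor"}), True, True, "vpn", "prod-db", "privileged"),
}


def run_scenarios():
    """Evaluate every scenario and return {name: decision}."""
    return {name: decide(req)[0] for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        decision, reasons = decide(req)
        print(audit_record(req, decision, reasons))
```

Two design points carry the zero-trust idea: `source_network` is recorded for analytics but never consulted by `decide`, so being on the corporate LAN or a vendor VPN buys nothing; and the privileged class requires a specific group plus a managed device plus a second factor, so an administrator account used from an unmanaged machine is denied rather than stepped up, which is the privileged-access gap the OPM report highlighted.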
Working to improve developer security skills
Another recommended resolution is for companies to work on their own developers’ or teams’ skills. According to former Symantec CEO Michael Brown, the skill shortage is only going to get worse, because unfilled cybersecurity job positions are on track to increase to 1.5 million by 2019.
Checkmarx’s Curran said the industry can address this issue by “dealing with the underlying problem of poor security within software code.” And companies can also give developers adequate training and the right tools to deliver software that has fewer vulnerabilities, he said.
“By 2020, we will see more universities introduce secure development courses, and developers will be measured not just on the functionality and the speed of app delivery but also how secure their code is in relation to measurable standards,” said Curran.
Another suggestion for countering the development skills shortage comes from Maty Siman, CTO and founder of Checkmarx. He suggested security teams implement a low-friction process that would be defined together with the security team, allowing them to educate developers about important security issues and avoiding any overlap when possible.
Bomgar’s Elliott agreed that the people and training issue is one reason why companies are failing to address security issues. One of the biggest challenges he highlighted is educating those who are not in the technology industry, and the challenge is to provide security that is both effective and practical, without interrupting their day-to-day productivity.
Enhancing IoT security
The influx of DDoS attacks this past year should be a sign that it’s vital to pay attention to securing IoT devices, according to Curran. He added that “the current playbook for IoT development is still immature.”
“There is not enough attention being paid to securing IoT devices,” he said. “There is a palpable fear that a major category of IoT products embedded within a life-critical application such as health, CNI or automotive is vulnerable to a major attack through negligence in software security.”
Curran predicted that over the next few years, IoT security will be enhanced, especially as industry groups and regulatory frameworks backed by governmental agencies are “likely to expand their role in ensuring that the software embedded with IoT devices adheres to the agreed level of security and compliance.”
Companies can also assess their current security measures for smartphones, and then address the gaps by working with internal and outside service providers that can add a layer of protection for IoT devices. Organizations will need to buckle down and plan for the change that comes with IoT, considering how they can begin to build a secure software development cycle in 2017 and onward, he said.