Sometimes in the maelstrom of cybersecurity battles, it is helpful to step back and see where we came from, where we are, and where we are going. This year, in addition to studying for and passing the CISSP exam, I have been to a bunch of security conferences. I’ve been to MISC.conf, Secure360, B-Sides, and the Tech Security Conference. Here are some highlights and insights I’ve gathered from these events.
Where we came from
- 1980 – In the early days we relied almost exclusively on anti-virus software installed on individual computers. This classic endpoint security was later supplemented with personal firewall software.
- 1990 – This era saw computers and servers becoming connected via local area networks, and this increased the risk of malware infection. To harden these networks we relied on proxy servers, firewalls, and early intrusion detection systems. We began to look for unusual inbound traffic and created rules to block or filter the incoming traffic. This moved the defenses from the endpoints to the network perimeter.
- 2000 – The early years of the new millennium saw the rise of the Internet worm, and in response Microsoft put other Windows development on hold to harden Windows XP with Service Pack 2. E-commerce also went mainstream in this period, bringing with it the widespread use of SSL/TLS encryption to protect communications and financial transactions.
- 2010 – We began to deploy next-generation firewalls and security information and event management (SIEM) systems. In addition to defending endpoints and the perimeter, we began to inspect outbound traffic and “east-west” (internal LAN) traffic for anomalies that might indicate an intrusion already under way.
- 2015 – We saw the rise of the advanced persistent threat and developed countermeasures to defend our networks from them. This battle is still underway.
Where are we now?
- Public sector and government
- Financial services
- Health care organizations
- Highly targeted attacks against C-level officers and managers
- Credential theft
- Insider attacks, including breaches through business-partner access
- Hijacking the security layer – exploit and malware traffic carried inside encrypted sessions, which a firewall that does not inspect TLS simply passes through
- New threat vectors from mobile devices and the Internet of Things (IoT)
The average time between breach and detection is now 146 days, down from 285 days a year earlier, so progress is being made. Responding to and recovering from a breach takes 56 days on average.
- Prevention – Configure and harden your network so that intrusions do not happen in the first place.
- Detection – Know when exploits and intrusions do happen in your network, and know it quickly.
- Resilience – Assume the intrusion will happen, and have a tested plan to contain it and recover from it.
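As an added illustration of the Detection layer (this is example code written for this page, not code from the conferences or the original post), here is a small Python detector that runs over a few constructed auth-log lines and flags the credential-theft pattern listed above: a burst of failed logins against one account from one source, followed by a success from that same source. It also reports how long the attacker was active before the event that raises the alert, which is the same “time to detection” idea behind the dwell-time figures quoted above. The log format, the threshold and window, and the addresses are all assumptions made for the example.

```python
"""Detect a brute-force-then-success login pattern in auth-log lines.

Example code for this page; the log format, thresholds and sample data are
assumptions, not a real product's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article): one account is hammered
# from a single source and then logs in; a second account has an ordinary
# single typo followed by a successful login.
SAMPLE_LOG = """\
2016-05-01T08:00:01 auth FAIL user=jsmith src=203.0.113.7
2016-05-01T08:00:03 auth FAIL user=jsmith src=203.0.113.7
2016-05-01T08:00:05 auth FAIL user=jsmith src=203.0.113.7
2016-05-01T08:00:07 auth FAIL user=jsmith src=203.0.113.7
2016-05-01T08:00:09 auth FAIL user=jsmith src=203.0.113.7
2016-05-01T08:01:00 auth OK user=jsmith src=203.0.113.7
2016-05-01T09:15:00 auth OK user=alee src=198.51.100.20
2016-05-01T09:16:00 auth FAIL user=alee src=198.51.100.20
2016-05-01T09:16:30 auth OK user=alee src=198.51.100.20
"""

# Assumed line layout: "<iso-timestamp> auth <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5            # this many failures from one source on one account
WINDOW = timedelta(minutes=5)  # ...inside this window, then a success, is an alert


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_credential_theft(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Scan log_text in order and return one alert per suspicious success.

    Each alert records the account, the source, how many failures preceded
    the success inside the window, and the seconds from the first of those
    failures to the success (the attacker's activity before the alert fires).
    """
    recent_fails = defaultdict(deque)  # (user, src) -> timestamps of recent FAILs
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # tolerate unrelated log lines
        fails = recent_fails[(ev["user"], ev["src"])]
        # Expire failures that are older than the window relative to this event.
        while fails and ev["ts"] - fails[0] > window:
            fails.popleft()
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            continue
        # A success: alert only if it closes a burst of failures.
        if len(fails) >= threshold:
            alerts.append({
                "user": ev["user"],
                "src": ev["src"],
                "failures": len(fails),
                "first_failure": fails[0],
                "success": ev["ts"],
                "dwell_seconds": int((ev["ts"] - fails[0]).total_seconds()),
            })
        fails.clear()  # a success ends the burst either way
    return alerts


if __name__ == "__main__":
    for a in detect_credential_theft(SAMPLE_LOG):
        print(f"ALERT {a['user']} from {a['src']}: {a['failures']} failures, "
              f"then success after {a['dwell_seconds']}s")
```

Run as-is it raises one alert, for jsmith, after 59 seconds of hostile activity; the single failure on alee's account stays below the threshold. The same sliding-window structure works against any source where failures and successes are attributable to an account and an origin; what changes per environment is the parser, the threshold, and the window.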
Where are we going?
- 90% of all data was created in the last two years, and the rate of information growth will only accelerate. This information will need to be stored and secured while still being findable and usable when needed.
- By 2018, 90% of all breaches will involve IoT devices. We have already seen botnets mounted on Ubiquiti DSL modems. As we connect more devices to the Internet with little if any security built in, these devices will become attack platforms for exploits that may already be under development.
If you are feeling overwhelmed, you are not alone. The situation on the Internet seems similar to the “Wild West” we know from the movies. From my point of view, the good guys are starting to take back some of the ground we lost to the bad guys in recent years. Fasten your seat belts, it’s going to be a bumpy ride.