2016: The year we strike back

In an IT-security industry that is rife with 'year of' predictions – the year of spam, the year of the advanced persistent threat (APT), the year of ransomware – there may be some comfort in the observation that, so far, 2016 is turning out to be the year of fighting back.

Just how that fight shapes up, and how effective it is, remains to be seen. But that fight is indeed building as vendors launch new cloud-based services that tap into analytics to bolster security responsiveness; as end-user organisations tap into a growing array of security services and partners; as penetration testing becomes pervasive; and business leaders begin to channel much-needed funding into broad overhauls of information security.

Indeed, in information-security terms much of this year will be spent weighing the repercussions of the government's Cyber Security Strategy (CSS), which updates the previous 2009 policy with a range of measures that will put Australia's government – and, by association, its private sector – on the front foot when it comes to confronting cybercriminals on their own turf.

“Australia's defensive and offensive cyber capabilities enable us to deter and respond to the threat of cyber attack,” the policy reads, suggesting that Australia's government has finally had enough of cybercriminal activity and isn't going to take it anymore.

That response, as has been made clear in the strategy document and will become evident throughout the rest of this year, will be built around fostering much more intimate collaboration between public and private sectors to boost sharing of breach information, new threats, and collaborative takedown efforts.

This is a key step forward for Australian cybersecurity practices, says Garry Barnes, international vice president with global security-industry group ISACA. Barnes says he was “pleased” to note language “around an investment in cybersecurity to enable investment in business.”

“That kind of language is the kind of thing we don't hear often enough from the security industry, which talks in threats. More often we should hear the security industry talking about how it can innovate strategically.”

Such a proactive agenda will shape public and private discourses around cybersecurity planning this year, given the ubiquity of online business – Gartner's CIO Agenda Insights 2016 report found that CIOs expect digital revenues to grow from 16 percent of all revenues to 37 percent.

Throw in growing pressure from an aggressive digital-transformation agenda that is ratcheting up the government's reliance on online interactions: public-sector CIOs in the Gartner study expected digital processes to rise from 42 percent to 77 percent of all processes.

It's clear that the stakes are higher than ever, and the thought that a simple targeted attack could bring down critical arms of the government and private sectors – as was seen in recent successful attacks on the likes of the Bureau of Meteorology and Melbourne Health – has now evolved from an abstract and distant threat to a clear and present danger.

“In the past few years everyone has been responding to threats by saying that 'we need better malware defences, sandboxes, and all this stuff' – and the bad guys are just going around that,” says Bob Hansmann, director of security technologies with Forcepoint, which recently released its inaugural threat report showing that spam volumes are declining even as the malicious emails increase. In other words, cybercriminals are wasting less time on scattershot tricks and putting more effort into tailoring attacks with personal and convincing details.

“You now have a greater risk from email than we have seen in years,” Hansmann said, noting a resurgence in the use of macro-laden attachments and other classic attack vectors – with terrifying effect, given most employees' continuing poor security practice. “People just aren't paying attention to common good practices around passwords, and the proliferation of apps – which encourage people to click and interact with the world – is making us cavalier about it.”

SMEs in the crosshairs

The threat posed by humans has already been well documented, but it is likely to become even more of an issue this year as cybercriminals respond to the strengthening of defences within large organisations and well-resourced government departments.

Unfortunately, while it might impede cybercriminals' efforts to infiltrate the top end of town, this shift is also likely to have an unintended consequence in this and coming years by redirecting cybercriminals towards small and medium-sized businesses – whose relative lack of security budgets and skills makes them sitting ducks for determined outsiders who are more than prepared to take advantage of employees' lax security practices.

“The bad guys are now realising that the really big companies have invested in new defences, so they are going to go where the money is easier,” says Hansmann.

“Organisations in the midsized market need to realise that if they pop up in any kind of a Google search as being in a country with a good economy, in an industry that's making money – that these and other factors can make them very juicy targets for these criminals.”

A recent SolarWinds study of Australian SMEs' cybersecurity defences suggests that many will be ripe pickings as this shift takes hold over the course of the year – particularly as more SMEs try to formalise security policies that address new cloud services in the same way as they address on-premises systems and threats.

Cloud technologies were rated as important or extremely important to the long-term business success of 76 percent of SME-sized business respondents – on par with the 77 percent of large enterprises saying the same.

Some 21 percent of mid-sized businesses and 27 percent of small businesses saw this value in the cloud's ability to improve code patching while 84 percent of small businesses and 65 percent of mid-sized companies believed the cloud was crucial in reducing responsibility for underlying infrastructure maintenance. The ability to offload security responsibility is a key part of this, since adoption of cloud-based services enables even small companies to piggyback on service providers' own security initiatives.

Expect this to become an even bigger driver throughout 2016 as businesses realise they can't build and maintain adequate security defences on their own. Indeed, Gartner recently predicted that, given current trends, by 2018 security will be the main reason government agencies embrace cloud services – displacing cost and agility.

This means that SMEs should already be considering this year how they can benefit from cloud services – yet Robbie Upcroft, APAC managing director with security firm Webroot, warns that despite its far-reaching ambitions the government's CSS may not offer as much guidance for their transformation efforts as it should.

The policy “feels very weighted towards the top end of town at the moment,” Upcroft explains, noting that mooted cybersecurity funding for 5000 SMBs is “just a drop in the bucket. SMBs are under just as much threat as some of the larger guys, but typically don't have the wherewithal to protect themselves in the same way that an ASX-listed company would have.”

“If we're talking about a small team of architects in Ballarat, and they get hit by a cybersecurity attack, the likelihood of their business going out of business increases tenfold. We need to think along pretty different lines to help protect SMBs.”

If you can't beat 'em, enjoin 'em

There are many different schools of thought about what this entails: for some, the issue is simply one of better education for users who are still proving remarkably adept at accepting the claims of emails telling them they have received speeding tickets, registered parcel deliveries, or lottery-ticket winnings.

Yet security experts have been spruiking the benefits of education for years, and users are still making the same mistakes by clicking where they shouldn't – although, in their defence, increasingly sneaky and effective attacks are making it harder to tell email's wheat from its chaff. This reality means that, in today's security climate, the most effective security strategy for businesses no longer relates to blocking all incoming traffic but wrapping enough security around the organisation that even email-borne attacks become too complex and bothersome for outsiders – who depend heavily on economies of scale – to succeed.

“Criminals are obviously trying to seek easier ways to make money,” says Ashish Thapar, managing principal for investigative response with Verizon Enterprise Solutions, whose recently released Data Breach Investigation Report (DBIR) 2016 for the first time included analysis that paints the threat climate in financial and return-on-investment (ROI) terms. Cybercriminals “need to have a very high ROI on their investment,” Thapar explains.

“They are a well-oiled industry that is fully automated and fully geared. If they perceive that it is becoming a little bit difficult for them to get the ROI out of their efforts, they will move on and go after someone else. All you need to do is raise the bar a little bit to make it uneconomical for them to target your organisation.”

This type of least-worst planning is already underway within many Australian companies, according to Aaron Sharp, Verizon's Sydney-based team lead for security services advisors. Sharp has seen Australian companies becoming “more targeted and more efficient” in plotting out the main attack approaches in their organisations, he says, and notes that businesses can dramatically improve their overall security posture by focusing on these areas rather than trying to be comprehensive.

“Trying to mitigate beyond those main attack paths is inefficient,” Sharp explains. “There are so many side branches to protect that organisations can end up chasing their tails. Beyond protecting those main mitigation points, we are recommending that businesses are much better investing their security dollars in well-trained operational staff who are trained to detect these threats and respond effectively to them.”

The perimeter is dead

These recommendations stem from the increasingly common perspective that conventional notions of perimeter security went out the window long ago, due to the combined effects of SMAC (social, mobile, analytics and cloud) – forces that Thapar says have changed the structure of organisations so much that “the attack network security perimeter is fading away; that definition of perimeter is gone.”

This key idea should guide business cybersecurity planning through 2016, with organisations of all sizes broadly advised to prioritise the implementation of consoles with the visibility to integrate operational and threat information from on-premises and cloud systems into a single view powered by applied analytics. This SMAC conceit should be front of mind for any CSO and needs to be applied to both external systems and internal threats – particularly in times of tight budgets.

Indeed, despite growing awareness of the security problem, those security dollars remain hard to come by: one recent Vectra Networks survey suggested that just 34 percent of respondents expected they would be getting extra budget to address the growing threats from insider attacks – this, despite 62 percent of respondents saying that such attacks have become a more frequent problem in the last 12 months. For this reason, SMAC architectures need to be backed by far-reaching, highly granular access-control mechanisms that manage data and those accessing it within identity and access management (IAM) frameworks.

Particularly as Internet of Things (IoT) initiatives continue to grow in breadth and relevance throughout 2016, these notions of identity must be baked into emerging next-generation architectures to support long-term operational security.

One key driver for this change is to bolster the relationship between CIOs and their CEOs, who will be crucial in reworking security this year as part of overall strategic efforts.

Respondents to the Gartner CIO Agenda report suggested that this change was already underway, with fewer characterising the CIO-CEO relationship as 'transactional' than in 2014 and more – 50 percent this year vs 45 percent in 2014 – classifying it as a 'partnering' relationship.

A further 23 percent said their relationship was one of a 'trusted ally' – up from 19 percent two years ago. “CIOs are excited about this opportunity but concerned about cutting through organizational policies, processes and politics, as well as the sheer volume and pace of change,” the report notes.

“But if they don't free up time (through delegation and prioritization) and use it to influence and increase enterprise digital savvy, as well as to develop themselves, they will fall under the digital bus.”