Monday, January 11, 2016

Blueprint: What’s Coming in 2016 and Beyond for Cybersecurity

by Vincent Weafer, VP of Intel Security’s McAfee Labs, Intel Corporation

A five-year look ahead at how cybersecurity is likely to evolve

Clouds, devices, and sophistication are three of the big areas that will affect cyber threats and security over the next five years, according to the McAfee Labs 2016 Threats Predictions report. Cloud applications, storage, and services are converging with rapid growth in mobile and connected devices to create an ever-expanding attack surface. At the same time, increasing sophistication and sharing among cybercriminals is making attacks more targeted and harder to detect. These issues will drive significant changes in cybersecurity over the next five years, including transformation of the efficiency and effectiveness of defenses, broader threat intelligence collaboration, and sophisticated behavioral analytics.

Criminals follow the money, so as long as we have valuable digital assets, we will have cybercrime. The increasing attack surface gives them more vectors of attack and increasingly valuable assets. The value of personal data is growing rapidly, and is already outpacing payment card info as the prime target. This trend will only continue, as criminals apply big data techniques to build warehouses of personal information for sale.

The increasing sophistication of attackers and malware developers will have an interesting effect, as they develop more targeted and stealthy attacks, but also deliver packaged cybercrime-as-a-service tools to a growing audience possessing fewer tech skills. This commoditization of cybercrime will fuel new waves of personal and customized attacks, with new criminal motivations including embarrassment, harassment, and vandalism.

Security industry response

Our research and predictions dictate some fundamental changes to digital security. Network perimeters, isolated security tools, and file- or signature-based defenses are a rapidly fading paradigm. Instead, we will need to re-architect the tools to operate more efficiently. Using machine learning techniques, we will improve scanning speeds by identifying trusted processes and focusing resources on suspicious activities. Security in silicon will be necessary, not only to combat the growth of low-level hardware and firmware attacks, but also to protect the billions of devices that may not have sufficient general-purpose computing power to protect themselves. Secure boot, trusted execution environments, tamper protection, active memory protection, and immutable device identity will improve the effectiveness of our digital defenses as we fight attacks that try to go lower in the stack to remain undetected.

Improved defenses will be insufficient unless we take them out of isolation. Sharing and integrating threat intelligence between endpoints, gateways, and centralized analytics will improve detection and significantly speed up correction efforts, quickly blocking new attack vectors and protecting vulnerabilities before they can be exploited in multiple locations. Threat data sharing and collaboration between businesses, governments, industry organizations, and security vendors will also deliver faster and better protections, as threat exchanges expand throughout supply chains, industries, and nations.

Behavioral analytics will augment detection capabilities as the newest weapon for defenders. Baselines for normal behavior and continuous monitoring will quickly separate legitimate activities and identities from suspicious and compromised ones. These products are in their early stages today, but applying skills from big data and other analytics and machine learning research will help them to mature rapidly over the next five years.

Poor integration, talent shortages, and the costs of failure

The lack of integrated security technology, the shortage of skilled talent, and the rising cost of breaches will drive increased automation and machine learning, greater simplification of security controls, and predictable funding and insurance models for security operations.

With attacks growing in sophistication and stealth, isolated individual defenses quickly fall behind. Fileless attacks, remote shell exploits, and credential theft are increasing in popularity as ways to evade detection by traditional tools. The speed of these attacks means that response times of minutes or hours leave the system open to compromise and data exfiltration. Machine learning and greater automation are necessary to match defense speed to attack speed. We are seeing steady progress in the ability of systems to translate alerts and behavior into appropriate action, detecting and correcting an attack far faster than a human operator can. At the same time, the automation will notify the operations center of its actions, so that they can begin further investigations and take any additional necessary steps.

Automation and machine learning will also help alleviate the growing shortage of skilled security personnel. Shared threat intelligence, behavioral analytics, and contextual information will enable much better orchestration between the various defense elements. An endpoint under attack will immediately publish that information so that other endpoints and gateways can block the malicious files and addresses. Threat intelligence exchanges will deliver context, scored for trust and quality, and corroborate attack info to reduce false positives. Perhaps more important, these tools will reduce the complexity of security system configurations and operations, easing the transactional burden on security personnel. Whether it is improved default configurations, automated actions based on learned behavior, or intelligently filtered and scored alerts, machines will play a vital role in augmenting the skills and resources of the security team.

Finally, the rising cost of breaches and demand for increased predictability will bring innovations in risk management, investment, and even insurance. As the value of personal data goes up, so does the total cost of a security breach. At the same time, the increasing range of security tools will make it more difficult to plan and budget. Insurance and hedging products will emerge that enable predictable levels of security investments, or limit the organization’s financial exposure to a catastrophic security event. Security as a service will continue to evolve, shifting more of the security budget to operating expenses instead of capital outlays.

Over the next five years, we are going to see some far-reaching changes in digital security, as the perimeter-based models that we have worked with almost since the dawn of the industry are replaced by a more fluid, mobile, and cloudy reality.

For a more detailed look at these and other predictions, download the McAfee Labs 2016 Threats Predictions report.

About the Author

Vincent Weafer is a Sr. Vice President of McAfee Labs at Intel Security, where he oversees a team of hundreds of researchers in dozens of countries, as well as millions of sensors around the globe, all dedicated to helping protect Intel customers from the latest cyber threats. He has presented at numerous international security conferences, is the coauthor of a book on Internet security, and has also been invited to testify before multiple government committees, including the United States Senate Committee on the Judiciary hearing on Combating Cyber Crime and Identity Theft in the Digital Age; the United States Sentencing Commission’s public hearing on Identity Theft and the Restitution Act of 2008; and the United States Senate Committee on Commerce, Science, and Transportation on Impact and Policy Implications of Spyware on Consumers and Businesses.
