10 Security Predictions for 2018 - Thrive safely on your digital transformation journey - DXC Technology
White Paper

Table of contents
1. Cyberwarfare heats up
2. Ransomware gains sophistication
3. Patching expectations feed frustration
4. Serverless computing skews security
5. IoT blurs the edge
6. The CISO deploys an army of clones
7. Credential theft gets automated
8. The SOC is dead — long live the SOC
9. Cyberattacks go deeper
10. Cryptocurrencies come under attack

10 Security Predictions for 2018: Thrive safely on your digital transformation journey

The tense battle between cybersecurity defenders and attackers continues to escalate, yet far too many organizations are still in reactive mode. In 2018, it’s time to get proactive. As outlined in DXC Technology CTO Dan Hushon’s recent 6 Technology Trends for 2018, what’s needed is cyber-resilience. Every organization needs to plan and practice for attacks and threats, because these incidents will happen.

Here are 10 security predictions and DXC’s guidance on the best ways to respond to these new challenges in order to secure and protect your enterprise on your digital transformation journey.

1. Cyberwarfare heats up

Top global risks: Cyberattacks are among them, finds the World Economic Forum [1]

Geopolitical tensions among countries known to have offensive cyber capabilities are on the rise, and this trend will grow. Rogue nation-states will continue to target the critical national infrastructure and operational technology of their adversaries for political and financial gain.

To limit the impact, enterprises need advance planning. As in any military engagement, expeditionary activities should be used to inform and set the stage for future activities. Attackers will use external intelligence to find vulnerabilities; implant malware for future intelligence; and perform reconnaissance by discovering and mapping network topologies, asset locations, software inventories and more. In response, nation-states will update their military doctrines to account for this new mix of physical and cyberwarfare. Examples include the UK government’s plans for “full spectrum” operations (including “offensive cyber”) [2] and the concept of “nonlinear or hybrid warfare.” [3]

DXC perspective

Most organizations will benefit from taking a posture of “assumed compromise.” This reinforces the need for defense in depth, in which single points of failure are minimized, thereby reducing the risk of exposing the organization’s prized assets. This should be followed by the shaping of a cyber warfare-aware strategy that both secures the organization and ensures its cyber-resilience. Organizations should conduct periodic maturity reviews to ensure that their security capabilities still support their digital strategy and adequately protect against cyberattacks. By using an agreed-on framework, security teams can not only detect gaps, but also manage them.
2. Ransomware gains sophistication

$25+ million: Ransoms paid by ransomware victims over the last 2 years [4]

The frequency of ransomware incidents is likely to increase. Attackers who succeed once will attack again, hoping to maximize their returns with larger ransom demands. With practice, these attacks will grow increasingly sophisticated.

Ransomware will also become the new standard for covering sophisticated data thefts. Because ransomware can target below a system’s operating system, thereby “bricking” the system and rendering it unusable, ransomware can help remove any trace of the attacker’s activities on the endpoint. Additionally, ransomware itself is a plausible financial reason for an attack, which may hide the attacker’s more nefarious motives.

Watch for a new type of ransomware, called “doxware,” which is essentially a form of extortion. [5] Rather than simply attempting to deny access to information through cryptography, doxware attackers threaten to publicly release personal data unless the victim pays a ransom.

DXC perspective

Every organization needs to focus on resilience against ransomware. Prevention techniques include early detection and network compartmentalization. Organizations must also define response and recovery scenarios. It’s important to educate employees on how to avoid, recognize and report ransomware attacks. Special attention should also be paid to endpoint hardening, traditional antivirus and host-intrusion detection and prevention, incident-response tooling, and patch management.
3. Patching expectations feed frustration

50%: Share of IT security pros who say client-side security patches are being released at unmanageable rates [6]

Rolling out frequent software patches can make high availability a challenge. Yet patching remains an important part of vulnerability management, even extending to partners and suppliers. It’s a powerful way for organizations to protect IT systems.

Many organizations will need to modernize their patch-deployment cycles, as the pace of attacks quickens. Three years ago, the time between a vulnerability being identified and an exploit becoming operational “in the wild” could be 5 weeks or more; today it’s just 7 days. Organizations need to scrutinize application development and provide a consistent and stable operating environment for automated patching — along with structured DevSecOps programs, in which security is a foundational part of development.

DXC perspective

Organizations should review their approach to rapid patch deployment and consider the use of automated updates. Autopatching can cut deployment times, but still requires downtime and can introduce unpredictability into a system, due to undocumented dependencies and glitches. [7] In addition, attackers may subvert automatic patch-distribution mechanisms, allowing them to introduce malicious software.

Examine patching at the policy level. By categorizing different systems and patching expectations, system availability will better match vulnerability management. Patching must move beyond the operating system to the database, core common software, servers, switches and more. From this broader perspective, a software patch is one of a number of instruments for shaping and managing the risk-exposure window. However, most controls do have consequences; in the case of patching, there is a trade-off of confidentiality, integrity and availability against the risk of lost productivity due to testing and downtime. Therefore, policy decisions should consider this risk trade-off.

New technologies and tools can help reduce risk. For example, microsegmentation used in network virtualization environments lets organizations take a “zero trust” approach to individual workloads. This creates digital barriers as the default, then opens up lateral movement only when it’s predefined in a specific workload. Similarly, techniques such as microvirtualization will let malware run only in a protected “virtual container” where it can be safely observed, studied and ultimately killed. [8]
4. Serverless computing skews security

$7.72 billion: Predicted market for serverless computing in 2021, for a 5-year CAGR of nearly 33% [9]

Serverless computing is a growing trend in the cloud that radically changes security requirements. With serverless computing, end users no longer manage a virtual machine (VM) or its operating system. That means users no longer have traditional controls through endpoint and network protection, such as host-based intrusion detection, endpoint detection and response, and file-integrity monitoring. However, support services are growing for serverless computing platforms, including Amazon Lambda, Microsoft Azure Functions and Google Cloud Platform Functions.

As more workloads move to the cloud, organizations will shift security spending toward two emerging areas — target application security, which ensures that the code is secure and well-written, and cloud service providers (CSPs), which will provide increased transparency and more granular controls to ensure that operational events and data-handling logging is available.

DXC perspective

Cloud services users should modify supplier contracts to ensure that expectations for architectural design blueprints and security controls — such as compliance and audit APIs, and event log exports — continue to be relevant. Enterprises should focus on application security, promote DevSecOps development practices and invest in training and data handling.

Best practices for APIs include utilizing Transport Layer Security (TLS) to protect channels between servers and clients; authenticating subjects securely; and relying on established standards for single sign-on, identity federation, the exchange of authorization data, and the generation of cryptographic material. Also, ensure that regular penetration testing is done and, where possible, use web application firewalls to inspect and control method-calls and returned data.
5. IoT blurs the edge

Only 30%: Share of organizations that feel ready to handle IoT security risks [10]

Edge computing, which typically supports high-value, line-of-business activities, will continue to support the growth of the internet of things (IoT). However, the edge computing trend will also be a driver for increased attacks because edge systems are typically excluded from overall monitoring and reporting, creating pockets of vulnerability. As enterprises increasingly embed IoT sensors and devices into their physical infrastructure, vulnerabilities will continue to grow.

DXC perspective

Prepare a clear framework for managing the introduction of IoT at scale. Build in security at the start of any software development project. The alternative — updating and upgrading already-installed IoT devices — is cost-prohibitive.

Check the growth of “shadow IT.” Enterprises should make corporate procurement, IT and security processes as frictionless as possible to discourage the use of unauthorized cloud resources by the business and to ensure consistent security policies and reporting.

Other key approaches include security virtualization and strong cryptographic controls, which ensure that system attacks are “tamper evident” and limit a successful breach to a single device. Similarly, organizations should conduct “war games” that simulate their IoT systems being compromised, to understand the impact an attack would have. They can further uncover technical, economic, social and legal ways to improve recovery, minimize downtime and limit reputation loss.
6. The CISO deploys an army of clones

52%: Share of all companies that employ a CISO [11]

Chief information security officers (CISOs) are repositioning discrete security groups and embedding security throughout the operation, with each department having a person responsible for security — often reporting to a central authority.

Several factors are driving this trend, such as challenges in recruiting highly experienced, executive-level security specialists. Truly qualified candidates are rare — and they command impressive pay. [12] Maintaining a discrete security team able to keep up with the pace of change is more and more challenging. Finally, with cloud adoption growing, infrastructure security is increasingly “baked into” the system, which means the need for user organizations to provide their own infrastructure security will diminish. At the same time, new areas of application and identity security will grow, possibly requiring new resources with different skills.

The CISO organization is being repositioned in the enterprise with a “security by corporate design” approach. It will borrow tactics from DevSecOps practices, where security is not a final add-on, but an integral part of every software development project from the start. Additionally, parts of risk and compliance will become embedded in its corporate functions. Security professionals, meanwhile, will shift their focus from IT infrastructure to innovation, digital transformation, identity, data protection and threat intelligence.

DXC perspective

Before deploying security to functional areas, consider whether information security is still meeting your organization’s needs. Start by cataloging the components of your cyber resiliency function, examining operational security, where risk takes place, and how your third-party suppliers deliver secure services. Be sure to link security with business functions as you structure communications and plans, and develop forward-looking security capabilities. Simply understanding the technical issues isn’t enough. Apply risk management to business issues and opportunities, and encourage wider use of technology to improve business productivity.
7. Credential theft gets automated

#1: Ranking of credential harvesting among hackers’ top post-exploitation [13]

The credential process, a fundamental part of the Microsoft Windows operating environment, continues to be a favored entry point for cybercriminals. Normally, the credential process involves a mechanism for authenticating various servers and devices on a network. It’s a better way of activating services and calling on remote resources. To do its work, the system stores volatile memory artifacts related to each user’s login credentials.

Unfortunately, hackers have known for some time how to gain access to those artifacts and use them for credential theft, many using a widely available tool, Mimikatz. [14] Primary targets include privileged accounts with access to the greatest number of infrastructure devices and interfaces.

Hackers are already using automated credential theft to infect authentication mechanisms. Recent examples such as NotPetya, malicious code that combines ransomware with the ability to propagate itself rapidly across a network, [15] are likely to reappear in 2018.

DXC perspective

Organizations should strive to make 2018 the year of identity. That means shifting protection strategies for existing identities and preparing for increasing demand for IoT-based device identities.

To minimize the ability of hackers to steal Windows credentials, system and network administrators must adopt new practices, such as using different local passwords on each system, creating minimal levels of privilege, and avoiding the routine use of highly privileged accounts. Privileged account managers can manage large numbers of passwords and help users avoid the dangerous practice of applying the same password to many machines. These same tools can help organizations more easily identify attempts at credential theft. Windows Defender Credential Guard can help to mitigate against Mimikatz-style pass-the-hash attacks. [16]
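As an added defender-side posture check (example code, not DXC’s), the following PowerShell reports whether Windows Defender Credential Guard is configured and running on a host and how many members its local Administrators group has, the two controls this section recommends. It assumes Windows 10 or Windows Server 2016 or later, an elevated session, and an assumed review threshold of more than two local administrators.

```powershell
# Added example, not part of the DXC white paper.
# Assumes Windows 10 / Server 2016 or later and an elevated PowerShell session.

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard exposes the virtualization-based security (VBS) state.
    # In SecurityServicesConfigured / SecurityServicesRunning, the value 1 denotes
    # Credential Guard and 2 denotes hypervisor-enforced code integrity (HVCI).
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        # 0 = VBS off, 1 = VBS enabled but not running, 2 = VBS enabled and running
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
    }
}

function Get-LocalAdminExposure {
    # A large local Administrators group widens the pool of privileged credentials
    # whose derived secrets sit in LSASS memory on this host, which is exactly what
    # Mimikatz-style tooling harvests; fewer members means less to steal.
    $members = @(Get-LocalGroupMember -Group 'Administrators')
    [pscustomobject]@{
        AdminCount = $members.Count
        Members    = ($members.Name -join ', ')
    }
}

$cg  = Get-CredentialGuardStatus
$adm = Get-LocalAdminExposure
$cg
$adm

if (-not $cg.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running: derived domain credentials in LSASS are not isolated by VBS.'
}
# Assumed threshold for illustration; tune to the organization’s least-privilege policy.
if ($adm.AdminCount -gt 2) {
    Write-Warning "Local Administrators has $($adm.AdminCount) members; review against least-privilege policy."
}
```

Run the script across a fleet (for example via a remoting job) and collect the two objects per host to see where Credential Guard is configured but not running, which usually points at missing Secure Boot or virtualization support.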
8. The SOC is dead — long live the SOC

44%: Share of all companies that have no SOC whatsoever [17]

Overwhelmed by existing traffic volumes and held back by a shortage of skilled workers, the average Security Operations Center (SOC) is approaching a state of crisis. The challenge facing SOCs will only worsen as this trend continues.

The SOC’s mission is vital: detect and respond to all threats. Unfortunately, most SOCs today fall short. They were designed with just one or two core products, focused on logging and the control of dedicated environments.

The typical SOC operating model of “monitor and report” limits the ability to proactively respond to threats. Instead, many SOCs issue the same vulnerability reports month after month, hoping the problems will be corrected, but desensitizing the recipients with so much repetition. Many security issues require cross-team coordination and control. If the owner of a troublesome machine fails to remediate the issues, the machine can be left infected for weeks, even months, possibly exposing the organization to serious breaches.

The introduction of IoT security events will compound these issues. They may have overriding safety imperatives that require real-time detection, immediate prioritization and response. Streaming analytics, machine learning and orchestration will no doubt be part of any solution.

DXC perspective

Smart organizations will create next-generation SOCs and related services by fostering collaboration between the SOC and the business. Changes to the CISO organization, mentioned above, should change the SOC, too, helping it forge stronger connections with the business. Ideally, that includes the use of common incident management systems, which enable fewer handoffs between teams while providing a consolidated view.

Security and IT teams must collaborate more effectively — with each other and with the business. In this way, they can ensure that threat responses are prioritized according to the objectives of the business, not those of IT. Automating data collection and analysis is also necessary. These analytics allow teams to deal confidently with an otherwise overwhelming number of alerts. Similarly, given rising concern over data breaches, smart organizations will establish connected hubs of information from which they can share threat indicators and incident response processes with partners and suppliers.
9. Cyberattacks go deeper

52%: Share of organizations that prioritize security within hardware life-cycle management that have also reported at least one incident of malware-infected firmware being introduced into a system [18]

Cyberattacks in 2018 will not only be more numerous, but also more sophisticated. Criminals will move deeper into the software stack, even into firmware and hardware, to gain new levels of access while remaining undetected by most defenders. As the recent Meltdown and Spectre security threats illustrate, the need for trustworthy cyber resilient systems has never been greater.

To their credit, some government agencies are responding. Recent moves include the NIST SP 800-193 draft standard, a U.S. government effort to set platform-wide resiliency guidelines. [19] Similarly, the European Commission’s Shield project proposes a universal solution for dynamically establishing and deploying trustworthy virtual security infrastructures into ISP and corporate networks. [20]

IT vendors are responding as well. For example, Google’s Titan project aims to build a secure, low-power microcontroller designed with security requirements and scenarios in mind. [21] Microsoft and Intel have launched Project Cerberus, an open source industry standard for platform security. [22]

DXC perspective

With threat actors diving deeper into the stack, organizations must become aware of the value of their business assets. Then they can assess both new and old threats they may face. Finally, they can manage these risks according to their appetite and budget. Scanning the horizon for new threats and countermeasures is also important. It should inform an organization’s IT procurement and security strategy, providing for longer-term protection as threats develop.
10. Cryptocurrencies come under attack

1/3: Share of all Bitcoin exchanges hacked between 2009 and 2015 [23]

Cryptocurrencies such as Bitcoin, as well as the underlying blockchain technology, are extremely disruptive to the finance industry — and extremely attractive to cyber criminals. Criminals who steal bitcoins have made quite a lot of money in ways that have been extremely difficult to trace. Cryptocurrencies are typically used to buy and sell illegal goods and services, and bitcoin is the currency of choice for ransomware payments.

While an individual’s cryptocurrency balance is theoretically secured by unique encryption codes, thieves have managed to breach their digital wallets by stealing passwords. Several attacks on cryptocurrencies have already been reported, including one theft at Seoul-based exchange Youbit that authorities suspect was directed by the North Korean government. [24]

Blockchain’s security also could be undermined by new and recent theoretical work. For example, researchers have raised the alarm over possible attacks on Bitcoin and other cryptocurrencies by quantum computers. [25]

DXC perspective

It’s getting easier for organizations to utilize blockchain technology. Several CSPs now offer cryptocurrency services, and new use cases are emerging for many industries. As a result, blockchain can now be considered part of an organization’s digital transformation. However, with the industry still adapting and adjusting, security professionals must constantly monitor the related risks.

In general, cryptocurrencies carry a higher risk than does conventional currency. These new risks need to be evaluated by an organization’s risk teams in areas including finance, operations and IT. Organizations should keep up with the latest technological developments around cryptocurrencies. They’ll need to understand how advances in areas such as quantum computing, silicon and algorithm-specific attacks could affect their organization’s cyber-resilience.
Author

Simon Arnell is security chief technologist, Office of the CTO, at DXC Technology. He has a background in applied security research and development, and in running proofs-of-concept for clients. Previously, Simon led the commercialization of the DXC (legacy HP) DNS monitoring service, pioneering the use of software-defined networks for rapid incident response and the application of stochastic process modeling and simulation for strategic security-policy decision support. Connect with Simon on Twitter @simonarnell, via email at simon.arnell@dxc.com, or on LinkedIn at linkedin.com/in/simonarnell.

Thanks to the other DXC professionals who contributed to this report: Richard Archdeacon, head of security strategy, Office of the CTO; Rhod Davies, customer advocate, managed security services; Sydney Tran, manager, security detection and investigation services; and Mark Teicher, security architect, managed security services engineering. Thanks, also, to Jack O’Meara, DXC’s chief information security officer, for his reviewing assistance. This report received executive sponsorship from Chris Moyer, vice president and general manager of security, DXC.

Tweet: @DXC security experts reveal their top 10 security predictions for 2018.

LinkedIn: DXC’s 10 security predictions for 2018: DXC security gurus put their heads together and came up with 10 predictions for 2018, as well as actionable advice on how enterprises should respond to the new threat landscape.
References

1. Top global risks: World Economic Forum, Global Risks Report 2016, 11th Edition, 2016
2. “National Security Strategy and Strategic Defence and Security Review 2015,” UK Government, Nov. 23, 2015
3. “Hybrid war — does it even exist?” NATO Review Magazine, May 1, 2015
4. $25+ million: Google study via The Verge, 2017
5. “What does Doxware mean?” Technopedia
6. 50%: Tripwire, Combating Patch Fatigue, 2016
7. “Hot-patching and the rise of third-party patching,” Black Hat USA, 2006
8. Task introspection, Bromium
9. $7.72 billion: MarketsAndMarkets, 2017
10. Only 30%: Black Hat survey, IoT Risks and Cyber War, 2016
11. 52%: CSO: The Global State of Information Security Survey, 2018
12. “CISO salaries may soon hit £1 million – but few qualified for top roles,” SC Magazine UK, May 22, 2017
13. #1: SANS Institute, 2018
14. “He Perfected a Password-Hacking Tool — Then the Russians Came Calling,” Wired
15. “NotPetya Technical Analysis — A Triple Threat: File Encryption, MFT Encryption, Credential Theft,” CrowdStrike
16. “Protect derived domain credentials with Windows Defender Credential Guard,” Microsoft Windows IT Pro Center
17. 44%: EY Global Information Security Survey 2016-17, 2018
18. 52%: ISACA survey via HelpNetSecurity, 2016
19. “Platform Firmware Resiliency Guidelines,” U.S. National Institute of Standards and Technology
20. “Shield: An innovative approach to information security,” European Commission
21. “Titan in depth: Security in plaintext,” Google Cloud Platform Blog
22. “Microsoft’s Project Olympus delivers cloud hardware innovation at scale,” Microsoft Azure Blog
23. One third: U.S. Dept. of Homeland Security via Bitcoinist.com, 2017
24. “North Korea Is Suspected in Bitcoin Heist,” The Wall Street Journal
25. “Quantum attacks on Bitcoin, and how to protect against them,” Cornell University Library

Learn more at dxc.technology/security18

About DXC Technology

DXC Technology (DXC: NYSE) is the world’s leading independent, end-to-end IT services company, helping clients harness the power of innovation to thrive on change. Created by the merger of CSC and the Enterprise Services business of Hewlett Packard Enterprise, DXC Technology serves nearly 6,000 private and public sector clients across 70 countries. The company’s technology independence, global talent and extensive partner network combine to deliver powerful next-generation IT services and solutions. DXC Technology is recognized among the best corporate citizens globally. For more information, visit www.dxc.technology.

© 2018 DXC Technology Company. All rights reserved. MD_7258a-18. February 2018