ESG's Doug Cahill and Jon Oltsik provide their thoughts and predictions on Cybersecurity for 2018.
Read the related ESG Blog: 2018 Cybersecurity Radar Screen (Video)
Announcer: The following is an ESG 360 video.
Jon: Well, Doug, it's 2018, and everyone's done their predictions, write-ups. You've done some. I've done some. And so, let's talk about some ESG predictions for cybersecurity in 2018. And the first one I want to talk about, I've labeled, "Cloud computing chaos." It should have theme music. And it's an area that you really cover. I just think there's a lot of activity, there will be a lot of security issues.
Doug: Yeah, absolutely. And I think when it comes to the cloud, you know, while organizations are taking, you know, advantage of the agility of the cloud, adversaries take advantage of the cloud as well. And last year one of the things we saw in terms of cloud computing was data loss from misconfigured S3 buckets. So I suspect that's gonna continue this year. There's a lot of confusion around the APIs and sort of the access controls that configure those buckets. So there's some technologies coming out to help organizations understand when they do have misconfigured S3 buckets.
Also, we're seeing the use of cloud apps for store and forward campaigns. So, hey, if I can insert a piece of malware into an enterprise file sync and share service, I get a one to many opportunity to propagate that threat.
Jon: It's a good threat vector.
Doug: Especially for the new and unknown, and I know you've been thinking and talking about advanced threats that are zero-days as well.
Jon: Yeah. And it's early January and we've already seen some major, major vulnerabilities. Like the things that are going on with the Intel CPU.
Doug: No kidding.
Jon: We've seen some things with the Dell EMC support software. I've seen some things with Western Digital consumer storage drives. And we're in a period where we're writing a lot of software. And unfortunately, a lot of it's not very good software. So these kinds of vulnerabilities will happen. So I think the whole notion of vulnerability scanning, patch management, configuration scanning and configuration changes, that whole component of risk management is really something that it's incumbent upon organizations to do a good job on, because they're going to be adding all this new software and a lot of that software is buggy. A lot of the open source software is buggy.
Doug: There's a lot of it out there. So those are all, you know, sort of established, somewhat tried-and-true cybersecurity technologies that aren't always properly implemented, to your point. But what's new on the horizon? What are some sort of newer, more advanced technologies that are a little bit more sophisticated, a little more adept at detecting these new and unknown vulnerabilities and threats?
Jon: Well, so I've written a lot about something I'm calling advanced prevention. So we've always had prevention controls. So we have firewalls that block certain network communications. We have AV that blocks files and things. But what we have...what we've seen over the last few years is a lot more of these kinds of technologies. So microsegmentation, for example. The ability to easily, or more easily, segment your network into much smaller networks, therefore decreasing the attack surface.
Doug: Sort of a least privilege model applied to network infrastructure. Corporate infrastructure.
Jon: Absolutely. We see machine learning. So machine learning on endpoints, doing a better job of detection and prevention, and machine learning to pick up anomalies. We see the software-defined perimeter, once again restricting that communication path between user and device and application, not even network. So I'm looking for a lot more of that. I mean, we're doing things for detection, but detection's tougher. Detection means analyzing things. And so, if we can do more on the top of it, just to prevent things from happening, I think that's the way we'll go.
Doug: Prevent first, reduce attack surface area, know things are gonna get through. Then you have to detect and respond afterwards.
Jon: And then you can focus your detection and response, and that's easier to do.
Doug: Sure. So, you know, the buyer in 2018 is still gonna be barraged with a bunch of buzzwords in technologies and product offerings. And there's a lot of...
Jon: You think?
Doug: There's a lot of goodness in there. What happens, from your perspective, in the industry moving forward here? Do we finally start to see some consolidation? Do we start to rationalize product sets, product categories?
Jon: To some extent. I mean, we'll certainly see, or we should see, a lot of M&A activity, because you've got some very big companies. The stock market's good. They've got a lot of resources. So they should fill in some holes. But I think what we'll see a lot of is commercial SOAPA offerings. This is kind of an end-to-end architecture, but instead of me putting it together myself, I'm gonna buy a proprietary version from a vendor. And that may not be comfortable, because security people have traditionally chosen best of breed, but there's some value to that. So I think, at the very least, large companies are going to explore those options.
Doug: Yeah. I mean, a lot of vendors are talking about platforms. I think it sort of begs the definition of what a platform actually is.

And one of the things I always look for in a platform, in cybersecurity or in prior IT segments I've worked in, is, is it open? So, hey, I want to consolidate these components into a platform because I get synergies there and leverage on operational efficiency. But there's still flexibility to choose best of breed and I can snap that in. And we've been a little short on standards in cybersecurity.

Sort of in SIEM we had things like CEF and LEEF to be able to propagate alerts into a SIEM. But hopefully, as we see things like SOAPA architectures get standardized, we have more things like OpenDXL, as an example, that are standards-based and allow companies to sort of snap in their best of breed, and they get the best of both worlds.
Jon: Yeah. And you see some of that. I think the way that has to happen is that the large vendors kind of push the agenda and the market follows. I don't think all the vendors will get together and, as much as I'd like to see it, collaborate on some open standards. But I think you see this with companies like McAfee with OpenDXL. You see it with Splunk. Just kind of centers of gravity for that.
Doug: You bet. What else is on your radar? What's sort of top of mind for you this year?
Jon: Well, I mean, it's clear that there aren't enough cybersecurity professionals to go around. So we've been looking at the transition from do-it-yourself to services. And so, we think that managed services will grow quite a bit. I mean, I just wrote a blog about endpoint managed services. And endpoint used to be the one thing that you would do yourself, because it was kind of a turnkey product and you'd hand it off to IT ops. No longer. It's very complex. It's a defense-in-depth architecture. So I think you'll see CISOs with a portfolio mindset of, "What can I do myself? What do I need help on? And where is there sort of a hybrid where I just need staff augmentation?"

How about you? What's cooking in Doug World?
Doug: Yeah. So, on my mind is this notion that so many companies now are software companies. Even if you're not really an independent software vendor, you're often running your own code. And code is becoming infrastructure. And the way code is managed is different now. So we talked about the DevOps culture of getting the dev team and the ops team together, and the continuous integration and continuous delivery methodology that's really the backbone of DevOps. I want to see security integrated into that pipeline more. And the more we can integrate security processes and technologies in the dev environment, writing better code, to your point earlier; in the test environment, so you're wringing out vulnerabilities, software vulnerabilities and configuration vulnerabilities; and then in production, where you're doing auditing and monitoring, everybody's gonna be able to increase...you know, improve their security posture by baking in security.
So there's been a little bit of snarkiness in the market around the term DevSecOps. I appreciate that, but I think it's a rallying cry to really, you know, bring security closer into the development process, and then the delivery and production process.
Jon: So do you think that that's happening, or do you want that to happen?
Doug: Well, our research...
Jon: Or both?
Doug: Well, both. But our research tells us that it is starting to happen. You know, we did a study this last year on hybrid cloud security. We asked about DevOps and DevSecOps. We had 40% of the respondents say they are looking at the security use cases behind DevOps. It's encouraging.
Jon: Well, let's hope that happens in 2018. And we'll be here to predict things as they happen.
Doug: Absolutely. Well, Happy New Year, Jon.
Jon: Happy New Year.