Where is Your Threat Perimeter?

How to identify and defend your business’s threat perimeter

As businesses transform into agile organizations, the traditional perimeters a company could defend against attack have expanded and become less well-defined. In an age of mobile devices, the cloud and the burgeoning IoT revolution, how does security need to change to protect businesses in this new world of fluid data?

A major question CTOs and CIOs will be asking themselves in 2020 is whether they can identify where the threat perimeter lies across their businesses. The expansion of flexible working, BYOD (Bring Your Own Device) and, of course, the use of more cloud-based services has pushed the threat horizon businesses need to manage out of focus.

The Verizon 2019 Data Breach Investigations Report makes for sobering reading: 52% of breaches featured hacking, a third involved social attacks, 69% were perpetrated by outsiders, and over 70% were motivated by monetary gain. Research points to users being significantly more susceptible to social attacks they receive on mobile devices. This is the case for email-based spear phishing, spoofing attacks that attempt to mimic legitimate webpages, and attacks via social media.

Speaking to Silicon, Adam Philpott, EMEA President of McAfee, said: “Security is no longer about the traditional perimeter. Businesses are digitizing at pace. As a result, their attack surface is stretching in all directions – more devices are being connected, more cloud applications are being implemented, and more infrastructure is shifting to the cloud. 5G will continue to exacerbate this. Accordingly, we continue to see ‘de-perimeterisation’ as data moves between devices and the cloud without touching the traditional corporate network.”

Many CISOs highlight the risks presented by emerging technologies that are expected to become more widely adopted in 2020. Deloitte cyber risk partner Peter Gooch says: “2020 will see more deployment of security automation tools. Where this is done well, it will allow organizations to adapt rapidly to changing attack tactics. Where it is done poorly, it will be more complicated to unpick.

“There will be a drive for more transparency when contracting for cloud services, with vendors required to expose more data and events for consumption by SIEM tools, and to evidence security practices and capabilities closer to real-time. Hackers are increasingly targeting unstructured data to hide and launch attacks, so the priority is to implement robust governance.

“More than 100 companies worldwide will begin testing private 5G by the end of 2020, which could increase the attack surface, making data flow harder to follow and the job of those responsible for securing them more challenging,” Gooch concluded.

Established hardware must not be forgotten as attention moves to the security of mobile devices and hybrid cloud deployments. Indeed, according to the latest research from Forrester, completed for Dell, 63% of those surveyed responded that they had suffered at least one data breach because of hardware security failings.

“A BIOS attack is an exploit that infects the firmware of a PC which controls the functionality of the entire machine,” said Dave Konetski, Fellow and Vice President of Security and client solutions at Dell. “Essentially the BIOS operates as the air traffic control tower of the PC, ensuring all the PC hardware works in concert. Such attacks are difficult to detect and even more difficult to remove as malicious code can persist through reboots and attempts to reflash the firmware.”

Businesses, and now even cities, need to protect themselves from attack. Recently, New Orleans declared an emergency after the city suffered a cyberattack, and Iran has also given details of a cyber-attack against the state.

Alyn Hockey, VP Product Management at Clearswift, said: “Ransomware remains big business for cybercriminals. The tools for a ransomware attack are becoming increasingly sophisticated and commercially available on the Dark Web, meaning we see more successful attacks like this one. And attacks on governmental organizations are becoming even more common because the data up for grabs is incredibly lucrative. While you can change your password, you can’t change the data stored on you by local government – your date of birth, your home address, or your mother’s maiden name. Because of this, there is better potential for further attacks on individuals in the future.

“In this instance, the City of New Orleans is now in a reactive state, trying to minimize the damage done, which is ultimately shutting down many operations. Unfortunately, there is no silver bullet when it comes to eradicating the chances of a ransomware attack hitting a business, or in this case, an entire city. Still, it is possible and practical for businesses, cities and even countries to take proactive, early steps towards shoring up defences.”

Hockey concluded: “The case of ransomware is a prime example of the need for an approach to cybersecurity centred on People, Processes and Technology. It is vital that businesses not only educate their staff to be fully aware of best practices and the correct procedure to follow in case of an attack but also implement robust, advanced and strategic technology solutions to give themselves the best chance of never needing to pay a ransom in the first place.”

Threat perimeter intelligence

When it comes to the security approaches that will mitigate the risks which dominate in 2020, David Boda, Head of Information Security, Camelot Group, believes ‘back to basics’ is best. “A focus on robust and timely access control and patching will still give the biggest reduction in risk for the majority of organizations across all sectors. These are the two areas that vendors, consultants and end-user organizations should all be talking about.”

Killian Faughnan, Group CISO of William Hill, agrees that access control will be necessary – particularly in the next-generation workplace. “Access control is difficult to solve without being either too restrictive or too lenient. Given that in 2020, 35% of our workforce will be Millennials, we need to find the right balance to enable employees in a way that works for them.”

On a similar tack, Peter Gooch thinks convergence will be a crucial trend: “2020 could see several high-profile mergers and acquisitions as well as expansion and formalization of vendors into a more converged world. This is likely to be similar to the ERP revolution that transformed the way many finance and operations teams function and could mean a more efficient operational model for those in cyber.”

Two topics that were ‘hot’ in 2018/2019 are not front of mind in Infosecurity Europe’s CISO research this year. One of these is the skills shortage. “We will continue to talk about it,” says Faughnan. “Though I think we may have hit a critical point, and that more companies will begin to recruit from pools of potential security professionals rather than existing ones. It’s easier to teach a developer how to be an application security professional than the other way around.”

There was also less focus on GDPR, probably because the regulation and its impact are no longer the unknown they once were. Paul Watts, CISO, Domino’s Pizza UK and Ireland, has observed signs of ‘breach apathy’ and wonders whether 2020 will see a continuation of this trend. “While this could be attributed in part to political distractions, I do think industry seems to be reporting more, but are the public caring less? I’m still reflecting on whether this is a blessing or a curse for CISOs as we move into the next decade,” he commented.

One question that is often pondered at this time of year is whether we’re about to see the ‘mega breach’ that will put high-profile incidents like Equifax’s in the shade. “One thing we can never know is: will there be a crazy data breach that turns the world on its head again?” asks Troy Hunt, Microsoft Regional Director, Founder of Have I Been Pwned and recent (2019) Infosecurity Europe Hall of Fame inductee. “If we see another incident like Ashley Madison or Equifax, which had a massive and serious impact across tens of millions of people’s lives, this will be a headline-grabber that sticks around for some time. But these things are enormously hard to predict.”

Nicole Mills, Senior Exhibition Director at Infosecurity Group says: “2020 will see the continuation of some long-standing trends, challenges and security risks. For example, many technologies that have been talked about for some time will become more widely adopted, and we need to be ready to implement, use and protect these in an appropriate way.”

What all this means is that a new approach to security is needed. One-dimensional physical barriers are gone, replaced by software networks, each of which requires its own approach to security.

Joseph Carson, Chief Security Scientist at Thycotic, says: “A major challenge for the C-Suite in 2020 will be the risk of being held accountable for IT security failures that occur under their watch and guidance. This failure to tie IT security metrics to overall company performance will no doubt hurt CIOs and CTOs. In fact, according to research from Thycotic, when cybersecurity teams do not meet the targets set for them, CEOs are adversely impacted with longer hours, shareholder pushback, job insecurity and reductions in their bonuses.”

New security

As the security landscape continues to change, CTOs and CIOs will need to spend more to ensure their systems are protected. According to Gartner, spending on endpoint security and risk management for end-users will reach $50 billion by 2022, and Morgan Stanley predicts that nearly a quarter (24%) of all IT spending by 2020 will be on endpoint security tools.

Also, companies will have to expand their skilled workforces. As the threat landscape expands and diversifies, security skills will likewise have to be adaptable and comprehensive.

Speaking to Silicon, Apricorn’s EMEA director of sales and operations strategy, Jon Fielding, explained: “With the cybersecurity skills shortage biting hard, and an increasing expectation that IT will help drive the goals of the business, security professionals will increasingly need to come from diverse backgrounds. The most effective way to defend a modern business against cyber-threats is to build a diverse security team, equipped with a range of different skillsets and experience – including business acumen, and the ability to communicate, collaborate and lead.

“It may seem counter-intuitive to recruit non-specialists to a specialist role, but when it comes to cybersecurity an understanding of the basic, best-practice fundamentals is most important,” Fielding concluded. “If somebody has a solid foundation in good security hygiene, and they’re willing to learn, the technical knowledge they need can be built from there.

“With four generations working alongside each other for the first time, CIOs will need a new approach to protecting data. They’ll be dealing with a range of different attitudes to security, as well as evolving working practices – in particular, a continued increase in mobility and flexibility. A complex security strategy that attempts to address this diverse workplace with copious models and technologies will only create more risk.”

New networks, as defined by 5G and IoT, will also need to be protected. “Given that the 5G environment is a software-defined network that enables high-bandwidth and low-latency connectivity for users and connected devices, it is expected that the networks will service a wide range of applications and verticals,” says the Trend Micro Security Predictions for 2020 report. “Threats related to 5G networks will stem from vulnerable software operations (i.e., the 5G network is managed by a potentially vulnerable software or supplier) and the distributed topology they afford (i.e., wider avenues for attacks, a large number of connected IoT devices). Attackers will seek to gain control of the software managing 5G networks to control the network itself.”

What has become clear is that the critical drivers for CISOs have changed, as the threat landscape has evolved and the perimeter that must be defended has expanded. In its report, Nominet concludes:

“Despite the apparently flawed nature of defences overall, the data showed that CISOs agreed that a lack of resources holds back an effective security posture. More than half of those questioned (57%) said they were suffering from inadequate budgets, and 63% said they were struggling to put in place the right people. Interestingly, however, the leading organizational factor cited as a problem was a lack of senior management buy-in to the advice of security employees, with over 65% saying this was an issue.”

Greg Day, VP and CSO EMEA at Palo Alto Networks, advises: “We are moving towards an ever more interconnected world. Today, many organizations have supply chains, and they are starting to get used to shared security models as they move to the cloud. With 5G and the growth of IoT, that mesh of interconnectivity will only grow, as will the complexity of who’s involved in a digital process.

“Shared security models will become shared security ecosystems. Understanding who owns which part and validating you have the right controls in place will only continue to become more complex. As such visibility, automation and the ability to segment will only increase in importance if CISOs are to empower digital transformation.”

The threat perimeter of businesses and organizations is no longer an easily identifiable fixed point within a network space. With flexible working, BYOD, hybrid cloud deployments and the changing state of cyberattacks all in constant motion, defending the perimeter requires a holistic approach that is flexible and dynamic.

Silicon in Focus

Liv Rowley, Threat Intelligence Analyst, Blueliv.

Liv Rowley is a Threat Intelligence Analyst at Blueliv, where she focuses on researching the cybercriminal underground. Through her analysis of cybercriminal activity in the deep and dark web, she provides strategic client counsel and adds context to Blueliv’s technical and operational threat intelligence. Her insight and research have previously been referenced in the Washington Post, Wired, The Times and several other publications.

Has the threat perimeter disappeared? Or has the threat perimeter become fluid instead of a hard barrier CTOs can defend?

Attackers are constantly innovating, so defending an organization against cyberthreats means fighting a fast-moving target. There is no silver bullet when it comes to protecting the enterprise, but there is a range of tools and solutions significantly more advanced than the one-size-fits-all firewall of the past.

What are the key strategies CTOs are using to manage their threat perimeters?

At the enterprise level, it is vital to know who the adversaries are to be able to efficiently defend an organization’s infrastructure. Defending against an ever-more sophisticated threat landscape resonates with business leaders much more strongly these days, and organizations should now be embedding cybersecurity within their operations model from the outset to manage their cyber-risk more effectively. Too often, companies react to threats and are forced to carry out investigations after the event, rather than shutting an attack down before it can have a significant impact.

Companies should seek to design and implement a cybersecurity operations model that aligns with both overall security and business strategies, taking into account a dynamic threat landscape where cybercriminals are often one step ahead.

Most IT teams lack the technology and resources to automate threat collection, correlation and analysis and instead rely on critical infrastructure log data. This data is not provided in real-time, and in a continually evolving threat landscape, the level of cyber-risk remains exceptionally high.

Threat intelligence can be extremely useful in helping to identify threats and protect critical assets. It can help companies determine what is of interest to attackers, where these assets are located, and how they can be accessed. Armed with this intelligence, security teams can put in place appropriate defence measures ahead of time, rather than remaining reactive.

Promoting a culture of cybersecurity awareness is also critical. An ongoing education program, with regular updates, should be encouraged from the top down. Everyone within the business, from the management team down to the newest hires, must understand the risks that they are subject to daily – and there must be regular reminders to abide by security protocols, including BYOD, email hygiene, etc.

What are the current challenges facing CISOs?

Protecting the enterprise against an ever-evolving dynamic threat landscape is no longer the remit of the CIO, CISO or the IT team. Cybersecurity is everybody’s job – but the C-suite and CISO, in particular, is responsible for establishing and promoting an appetite for cyber-risk management across the business.

Ultimately, a strong cybersecurity posture relies on PPT – People, Processes and Technology. If one of these is off-kilter, you’re likely to expose your organization to unnecessary levels of risk. It is every C-level exec’s responsibility to create a strong culture of cybersecurity within the organization, with frequent company-wide training. An influential culture of risk reporting and increased interaction between departments, smoothing the flow of information, can reduce the chance of a breach and mitigate its impact when it happens.

How is the threat perimeter expected to evolve over the next few years?

Cybercriminals will continually look to find ways to bypass traditional security solutions and evolve threats to evade newer technologies too. As the threat landscape evolves, so must the cybersecurity industry.

This means sharing intelligence as far as possible before, during, and after an attack. A reluctance to share this information for fear of reputational damage, legal action, or publicizing vulnerabilities is often to the detriment of us all. In doing so, it enables organizations to proactively identify, mitigate and block attacks more efficiently and effectively.