By Edwin Doyle, Global Cyber Security Evangelist.
At the beginning of each year, CISOs, cyber vendors and other so-called experts are asked to make predictions about the upcoming year: what threats will we need to focus on, and how can we stop them? It’s an understandable attempt at controlling the future; if only it were that easy.
There is help on hand, however. In a small step towards the Matrix owning us, it turns out we’re now dependent upon machines, not only because they can perform tasks better than humans, but also because the infinitely expanding internet requires so much more security than in the past. And we haven’t grown security teams accordingly.
Humans will have to trust machines
Stop checking logs! Machines can look for the outliers; everything else follows the rules. Trust the technology to manage the low-hanging fruit. For things like a domain registered in the last three days or a new email domain that has just appeared on the network, a machine can manage the process with greater efficiency and speed than any human.
We’re all aware that there are 3.4 million vacant cyber security-related jobs. Everyone struggles with hiring and with getting the budget to hire, so why waste expensive and talented resources on menial tasks? Automate with API-first in mind. We must give up on the idea that humans can manually control all events and changes. This mindset is going to shift in 2023, from handling all events to handling exceptions, covering deployments, changes, upgrades, incidents, etc.
There’s an API for that!
We are rapidly moving to environments where just about everything can present an API, which allows us to automate so much more than before. Humans in organizations and SOCs, however, still operate under the premise that they are the only ones who really know what to do, and because of that possessiveness they will not let go and put trust in machines and automation. You can see this reflected in SIEM thinking: ‘If only the logs can end up in my SIEM, then the operator can address all events and sort them out.’ The reality is that people are expensive and scarce, and they make mistakes and get tired. On top of that, traditional technology and this mindset do not provide for trend analysis or large-scale mapping of ingested threat intelligence across the whole estate.
Flip the funnel upside down and operate from a starting point that all is taken care of outside of exceptions. This should free up time for the smart people to think about how they can improve the engine rather than operating it all the time.
We’ve already been down this road with antivirus in its early years. We grew tired of checking every event, and we now trust the technology almost 100% when it puts a file in quarantine. The exceptions are most of what operators now handle, since that truly requires intelligence. IPS should have gone that way already but might nudge in that direction this year. Imagine an IPS signature being triggered because of a known CVE, where the back-end server is known to be vulnerable. In a fully automated environment, the correct patch would be scheduled for installation during a previously agreed-upon time window.
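The three paragraphs above describe one pattern: rules claim the low-hanging fruit (a freshly registered domain, a first-seen sender domain, an IPS hit for a CVE on a host the inventory says is unpatched), and only what no rule claims reaches a person. The following is an added illustration of that exception-first triage loop, not code from the original post or from any Check Point product. Everything in it is constructed: the fixed clock, the asset inventory, the placeholder CVE id, the maintenance window and the sample events; the rule thresholds (three days for domain age) come from the text.

```python
"""Exception-first event triage: rules handle the routine, humans get the rest."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible offline (constructed value).
NOW = datetime(2023, 1, 10, 9, 0, tzinfo=timezone.utc)
YOUNG_DOMAIN_MAX_AGE = timedelta(days=3)          # threshold from the text
PATCH_WINDOW = "Saturday 02:00-04:00 UTC"         # assumed, previously agreed window

# Constructed inventory: host -> CVEs known to be unpatched on it.
# "CVE-0000-0001" is a placeholder id, not a real advisory.
VULNERABLE_HOSTS = {"web-01": {"CVE-0000-0001"}}
KNOWN_EMAIL_DOMAINS = {"example.com", "partner.example"}


@dataclass
class Event:
    kind: str   # "new_domain_seen", "inbound_email", "ips_alert", or anything else
    data: dict


@dataclass
class Decision:
    rule: str   # rule that claimed the event; "none" when escalated
    action: str


def rule_domain_age(ev):
    """First-seen domain: block if registered in the last three days, else allow."""
    if ev.kind != "new_domain_seen":
        return None
    age = NOW - ev.data["registered"]
    verb = "block" if age <= YOUNG_DOMAIN_MAX_AGE else "allow"
    return Decision("domain_age", f"{verb} {ev.data['domain']} (registered {age.days} days ago)")


def rule_sender_domain(ev):
    """Inbound mail: deliver from known domains, hold first-seen domains for verification."""
    if ev.kind != "inbound_email":
        return None
    domain = ev.data["sender"].rsplit("@", 1)[-1].lower()
    if domain in KNOWN_EMAIL_DOMAINS:
        return Decision("sender_domain", f"deliver mail from {domain}")
    return Decision("sender_domain", f"hold mail from {domain} pending sender verification")


def rule_ips_cve(ev):
    """IPS signature for a CVE on a host the inventory lists as unpatched: schedule the patch.
    A hit on a host NOT listed is left unclaimed: the inventory may be stale, so a human looks."""
    if ev.kind != "ips_alert":
        return None
    host, cve = ev.data["host"], ev.data["cve"]
    if cve in VULNERABLE_HOSTS.get(host, set()):
        return Decision("ips_cve", f"schedule patch for {cve} on {host} in {PATCH_WINDOW}")
    return None


RULES = [rule_domain_age, rule_sender_domain, rule_ips_cve]


def triage(events):
    """Return (auto_handled, exceptions). The funnel is upside down: an event is an
    exception only when no rule claims it."""
    auto_handled, exceptions = [], []
    for ev in events:
        for rule in RULES:
            decision = rule(ev)
            if decision is not None:
                auto_handled.append((ev, decision))
                break
        else:
            exceptions.append((ev, Decision("none", "no rule matched; route to an analyst")))
    return auto_handled, exceptions


# Constructed sample events; the last two are the ones a person should see.
SAMPLE_EVENTS = [
    Event("new_domain_seen", {"domain": "fresh-login.example", "registered": NOW - timedelta(days=1)}),
    Event("new_domain_seen", {"domain": "old-vendor.example", "registered": NOW - timedelta(days=900)}),
    Event("inbound_email", {"sender": "invoice@unknown-sender.example"}),
    Event("inbound_email", {"sender": "alice@example.com"}),
    Event("ips_alert", {"host": "web-01", "cve": "CVE-0000-0001"}),
    Event("ips_alert", {"host": "db-02", "cve": "CVE-0000-0001"}),   # host not in inventory
    Event("auth_anomaly", {"user": "bob", "detail": "logins from two continents in 10 min"}),
]


def summarize(events=SAMPLE_EVENTS):
    """Rule names of auto-handled events and kinds of the events escalated to humans."""
    auto_handled, exceptions = triage(events)
    return [d.rule for _, d in auto_handled], [ev.kind for ev, _ in exceptions]


if __name__ == "__main__":
    handled, escalated = triage(SAMPLE_EVENTS)
    for ev, d in handled:
        print(f"AUTO  [{d.rule}] {d.action}")
    for ev, d in escalated:
        print(f"HUMAN [{ev.kind}] {d.action}: {ev.data}")
```

Running the script prints five automatically handled events and two escalations. The design choice worth noting is in `rule_ips_cve`: the machine acts only when two independent sources agree (the IPS signature and the asset inventory); disagreement is exactly the kind of outlier the text says should cost analyst time.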
The greatest challenge will come once directives such as NIS2 come into play: we’ll have to tell critical SCADA infrastructure, like an iron-melting plant, that we need to stop some IP packets in an automated fashion. Their approach is still all about production first. They are behind the rest of the industry on cyber protections, having been the last to the party in getting online. Don’t do what a machine can do!
When it’s cloudy, it rains – Nobody likes the rain
Companies will continue to pull back on public cloud adoption in favor of greater infrastructure diversity and increased use of SaaS services, but these platform changes will continue to drive increased risk for organizations until they mature their security programs. A focus on disaster recovery planning is therefore a good way to tabletop regular security check-ups throughout the organization as users adopt new SaaS applications.
We’re going to see next-generation, state sponsored, cyber weapons attacking enterprise corporations and countries
Shakespeare got it right: life is a beautiful tragedy. Cyber weapons now have the potential to replace boots-on-the-ground human lives when countries engage in conflict. That’s progress of a kind. However, the war between Russia and Ukraine is more than a training ground for cyber criminals and terrorists. When the Conti hacking group publicly sided with Russia in this conflict, they were targeted and disbanded, but the individuals and groups involved with Conti have simply regrouped under different names (Hive ransomware, for example) and continued their assault on Western entities.
It’s difficult to see just how governments in this conflict are recruiting specialists for cyber war. Think of the ransomware attack on Colonial Pipeline a few years back. If those threat actors live in either Russia or Ukraine, they would provide a useful skill set in the war. What do you think a criminal, working with an unlimited budget and the strong winds of patriotism at their back to design cyber weapons that inflict the most damage, will do with those new skills and weapons after the war? Given their unscrupulous characters, I’d imagine that they’re stealing all those weapons now. And do you think either government has the time to care?
Consolidate to a single point of truth
We will see a consolidation in the cyber security vendor space as IPOs become less attractive and previously inflated valuations get right-sized. This shift will pose a challenge in the form of organizational change for many companies that currently embrace a best-of-breed strategy.
Check Point Field CISO Pete Nicoletti coined the phrase “consolidate to a single point of truth.” No matter the standard you follow, that elusive single pane of glass might be better thought of as consolidating to single points of truth. Let the machines do the work of bringing those data points to you, and assign human skills to each window pane for an intelligent solution.
The only prediction I’ll put money on is that it’s going to be a year of dichotomy. SIM tech is promising to provide trusted data for IoT delivery, while at the same time encryption is in jeopardy of being hacked by quantum computing!
So with that, I wish you the very best new year of your life.