Perimeter-based security mindsets must change as the threat landscape becomes more evolved, says Brian Pinnock, cyber security expert at Mimecast
How much has cloud adoption taken off in the region and what are the bottlenecks?
Earlier in the region, there was a lot of skepticism surrounding cloud adoption. In the last two years or so, there has been a massive interest in it. The challenge here is not just the adoption of the cloud and the infrastructure arrangements that go with it, but also making sure that security keeps up with it. Security practices don’t translate perfectly from on-premises to cloud, because when you shift to the cloud, attention shifts back to the endpoint devices, because those are less well protected. Then there are the applications which are sitting outside the organisation’s perimeter and in the cloud. So, the challenge is making sure that the security you get in a cloud world is at the same or a higher standard than the security you enjoyed previously. One way of doing this is ensuring that the security that you get doesn’t just come from the cloud provider alone. It is a security best practice to have multiple layers of security from different vendors.
What needs to change when it comes to adopting effective security measures?
The challenge, globally and in the region, is that cyber security at any organisation is usually only barely as good as it needs to be. This is because organisations try to balance perceived risk against cost. The trouble is that many people believe that their existing security is good enough when it isn’t. Their perception of the risk is wrong because what was good enough in the 90s or the early 2000s is no longer appropriate to fully protect you against today’s threat landscape. A lot of the old mindset of the perimeter way of doing security has to change. They don’t understand how much and how fast the threat landscape has actually evolved in the last few years. Just in the last few months, Mimecast has seen a massive increase from the normal baseline of the different kinds of malware attacks in the region as well as across the globe.
As an example of this mindset, if you look at the adoption of DMARC, which is the latest email validation standard and a way of protecting your brand from possible misuse, Mimecast’s studies show that in this region, about 75% of organizations have no DMARC set up whatsoever. DMARC is an open standard and has minimal costs associated with its adoption. There is just a domain name system configuration that you have to do; there is some work involved, but not a huge effort, to set this up. Of the other 25% of organizations that have adopted DMARC in the region, Mimecast’s research shows that most of them are just skimming the surface and not really utilizing it to its full potential. DMARC is relatively new, but global adoption is taking off in a big way. The reason for this is a global response to the growing threat of brand exploitation by cyber-criminal organisations. The Middle East is lagging the rest of the world when it comes to DMARC adoption. What organizations have to realize is that just as the threat landscape has shifted, so has the security response to it. We’re in the next decade, in the 2020s, and it’s time to move out of that perimeter-based security thinking.
How has the threat landscape evolved?
I’d say there have been three waves, or generations, of threat landscape evolution. The first wave was the early days of security, when people needed only an antivirus or a firewall, and that was pretty much all they needed, and this wave lasted for a long time. The kind of attacks we experienced were also relatively basic compared to today’s type of attacks, and we became very good at defending against those kinds of attacks, which were largely targeted at the perimeter of organizations and at the endpoints. When protection against those became effective, attackers moved on to other things. This brings us to Generation 2. This was largely about how attackers behaved once they got past the perimeter. Attackers used different kinds of tricks to manipulate vulnerabilities, such as exploiting databases and using social engineering, which is the exploitation of an organisation’s weakest link, the user. Most organizations at that point had “very squishy” soft internal security. Insider threats remain to this day a serious challenge, along with how you prevent attackers from moving laterally once they have bypassed your defences. Unfortunately, most people’s mindsets stop at this point and believe security is simply about protecting a perimeter and detecting and responding to anything that gets past the perimeter security. At Mimecast, we refer to those two generations as your zone 1 and zone 2 security controls, zone 1 being your perimeter and zone 2 being inside your perimeter. But now what’s happening is that you have a zone 3, which is what is happening outside the perimeter, outside of your control.
To be effective at security in zone 3 you need some visibility and some way of stopping those attacks. That’s really what the three generations of attacks look like. Of course, you can break it down into further detail, but this is really how you can think of the threat landscape. In each generation, each time, as an industry, we learned how to detect and prevent each generation of attacks, the attackers simply evolved their attack methods and we had to develop a whole new generation of defences. Most organisations have generation 1 or 2 defences in a generation 3 world.
Why has it evolved this way?
Why this is happening is quite easy to explain. Almost everybody is on a journey to cloud and to digital. What this means is that your data becomes easier to find as well as easier to get to, because it is in the cloud. At the same time, your data becomes much more valuable because it is digital and can be more easily stolen and sold (sometimes sold back to you in the form of a ransomware attack). Then again, we’ve all become very dependent, not only on digital systems, but also on the ecosystems surrounding them, the supply chain. What this means is that you might be perfectly protected but someone in your supply chain might not be, and so attackers can use the suppliers to gain entry. So even if your security is up to date, you are so tightly integrated with the supply chain that you also become open to attacks. Then again, with governments fast catching up with this new reality and imposing many regulations in order to try to better protect their citizens, organizations find that they have a lot more to comply with. So you can have a situation where you start out as the victim and end up as the villain. Look at British Airways, for example. They started out as the victim; they lost a lot of client information and data, and now suddenly they are the villain and have to pay a huge fine, all because of a change in regulations. This would never have happened ten years ago. That’s how the whole landscape has changed, and how everybody’s got to get their mindset around how security has changed and the different kinds of security that have to be put in around this third generation of attacks. And it’s not just the way the attacks are working, it’s the way we’ve built up our business models, heavily reliant on digital infrastructure.
What are some of the security trends for 2020?
Some of the trends for security in 2020 will be AI, automation and machine learning. The one thing to note is that these will never completely displace the human being; rather, these will help lessen the load. One of the biggest challenges you’ve got with security systems is false positives. Machine learning, if implemented correctly, can dramatically reduce your false positives. Another growing trend will be a focus on the skills shortage and ways to alleviate this skills shortage. Machine learning is one of those ways. More tightly coupled tools that talk to each other is another way. In this context, we’re starting to see more security orchestration and remediation tools. These are probably the most important trends. A simplified/consolidated security posture is another thing. This means that you will have your banks and large government organizations with big budgets and security teams having very sophisticated security controls. I think what we’re going to see more and more is that some organizations will adopt more of a lean IT stance, where they say, “I don’t have the skills as an organization to manage IT and security myself, and I lean very heavily on the cloud provider to carry out a combination of managed service and simplification and related things.” Tools that fit neatly into this category will do very well. The challenge here is to get organisations to use the security tools they have already invested in to the maximum, to try to adopt all relevant features, and to keep up with the changing configurations needed to defend against an evolving threat landscape.