The cyber-threat landscape is in a constant state of flux: ever expanding, contracting, morphing, and evolving. From a threat perspective, we are observing attack capabilities advancing at an alarming rate, a development that is forcing those of us on the organisational security side to change our security posture in order to face these new forms of attack.
The landscape of yesteryear included techniques and delivery mechanisms we are all familiar with, such as Denial of Service (DoS), ransomware, phishing, account compromise, drive-by malware, and a whole host of other vectors. What is unique about the current threat landscape is that organisational SecOps teams must now consider those traditional attacks plus next-generation risks.
At the forefront of these next-gen risks are IoT, big data, cyber-physical systems, and third-party/cloud exposure, all of which are only just entering the fold. At the same time, a lack of skilled cybersecurity resources, internal user error, and device misconfigurations continue to wear down security teams. As we see more of these recent and ongoing developments, we begin to have a true understanding of how much the threat landscape has really evolved. However, in order for security teams to be effective, they must move beyond simply understanding how security is evolving and learn how to combat would-be attacks.
Next-gen threats: How SecOps teams can prepare
The best way to combat next-generation threats? Enlist the help of next-gen tools. By employing next-generation capabilities, which might be one tool or technique or a combination of several, security teams can meet their opponent on equal footing. Here are a few examples:
- Dynamic Security Policy Enforcement – As the security adage says, “compliance is not security.” Meeting compliance standards is a necessary baseline, but it should not be the end goal. Adversaries can read the same standards security teams do, and are perfectly capable of finding and exploiting the gaps those standards leave. The ability to dynamically raise the level of security applied to critical devices, incrementally and in response to either threat intel or an incident, is an extremely valuable asset. Zero Trust is one example: it takes the old ‘trust but verify’ philosophy and ups the ante to ‘never trust, always verify,’ meaning identity (and increasingly device posture) must be proven before any access is granted, rather than assumed from network location.
- MITRE ATT&CK – Given the velocity and volume of attacks, SecOps teams need a framework for protecting against, and monitoring for, adversary tactics and techniques that is grounded in real-world observations. MITRE ATT&CK has gained credibility as a widely adopted reference knowledge base, both for adversary emulation and as a way to measure defensive coverage: mapping detections to techniques shows where the gaps are.
- AI & Machine Learning – The cybersecurity industry as a whole would likely agree that true AI is not fully ready for primetime. However, machine learning is already widely used in security tooling today. Its most common job is anomaly detection: a model learns a baseline of known behaviour for each entity (a user, a host, a service account) and flags activity that deviates from it, at a speed and scale no analyst team can match. Those anomalies are then a starting point for threat hunting, the analyst-led search for intrusions the rules did not catch; the ML supports the hunt rather than replacing it.
- Automation – Security teams are hard pressed to keep up with the overwhelming volume of events occurring within an organisation each day. Automating repetitive tasks allows the team to focus on activities that require critical thinking or hands-on involvement. Anomaly detection is a basic example of automation that already exists within detection systems and SIEMs. The next phase is letting the technology take over easy-to-detect events, those with a low likelihood of being false positives, and run a predefined response that closes off the incident, such as blocking an endpoint from the network. The set of detections approved for automatic action should be small and reviewed regularly: an automated block on a false positive is itself an outage.
- Application Security – Web-facing legacy systems, DevOps release cycles with minimal focus on security, and the value of the data collected within apps are all prime examples of would-be goldmines for adversaries. Even where an organisation has a dedicated application security function, its focus is normally on apps before deployment; once they are released into production they are rarely thought about again. To close this gap, SecOps teams need the right tools and skills to monitor and protect applications in production. Runtime application self-protection (RASP) technologies instrument the running application itself, blocking or monitoring suspicious requests from inside the process and alerting the security team through event logs.
- Data-Centric Security – Although not a traditional SecOps responsibility, monitoring the sufficiency of the controls in place has, for all intents and purposes, fallen under the jurisdiction of the team. One such control is format-preserving encryption (FPE) for sensitive data: the ciphertext keeps the length and character set of the plaintext (a 16-digit card number encrypts to another 16-digit number), so protected values can flow through legacy schemas and applications unchanged while the “crown jewels” themselves are no longer exposed. This lets SecOps monitor which systems actually hold protected data instead of making assumptions about which systems and data are most at risk. When implemented up front, this is an incredibly valuable security-by-design solution.
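The anomaly-detection and automation items above describe one pipeline: learn a per-entity baseline, score deviations, and let only high-confidence, pre-approved detections trigger a containment action. The following Python is an added example written for this page, not Micro Focus or any vendor's code. The telemetry, the `AUTO_ACTIONABLE` set, the 0.85 threshold and the weights inside `score_event` are all constructed assumptions chosen to make the decision logic visible; a real deployment would tune them against its own false-positive rate.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training telemetry (not real data): (user, hour_of_day, bytes_out).
# alice works office hours and moves little data; bob runs night-time batch jobs.
HISTORY = [
    ("alice", 9, 1200), ("alice", 10, 1500), ("alice", 11, 1300),
    ("alice", 14, 1400), ("alice", 15, 1600), ("alice", 16, 1100),
    ("bob", 22, 90000), ("bob", 23, 110000), ("bob", 0, 100000),
    ("bob", 1, 95000), ("bob", 2, 105000), ("bob", 23, 98000),
]

def build_baselines(history):
    """Learn one profile per entity: the hours it is normally active and the
    mean / standard deviation of its outbound volume."""
    per_user = defaultdict(list)
    for user, hour, bytes_out in history:
        per_user[user].append((hour, bytes_out))
    baselines = {}
    for user, rows in per_user.items():
        volumes = [b for _, b in rows]
        baselines[user] = {
            "hours": {h for h, _ in rows},
            "mean": mean(volumes),
            "std": pstdev(volumes) or 1.0,  # guard against a constant history
        }
    return baselines

def score_event(baselines, user, hour, bytes_out):
    """Return (confidence in [0, 1], reasons) for how far the event deviates
    from the entity's own baseline. Unknown entities get a middling score so
    they are reviewed by a person rather than auto-contained."""
    base = baselines.get(user)
    if base is None:
        return 0.5, ["no baseline for entity"]
    confidence, reasons = 0.0, []
    z = (bytes_out - base["mean"]) / base["std"]
    if z > 3:                      # assumed weight for a volume outlier
        confidence += 0.6
        reasons.append(f"bytes_out z-score {z:.1f}")
    if hour not in base["hours"]:  # assumed weight for unusual timing
        confidence += 0.3
        reasons.append(f"hour {hour} outside baseline hours")
    return min(confidence, 1.0), reasons

# Detection types the team has pre-approved for automatic containment, and the
# confidence below which an analyst must look first. Both are assumptions.
AUTO_ACTIONABLE = {"data_exfiltration"}
AUTO_THRESHOLD = 0.85

def decide_response(detection_type, confidence, host):
    """Confidence-gated playbook step: high-confidence, pre-approved detections
    are contained automatically; everything else is routed to a human."""
    if detection_type in AUTO_ACTIONABLE and confidence >= AUTO_THRESHOLD:
        return {"action": "isolate_host", "target": host, "needs_analyst": False}
    if confidence >= 0.5:
        return {"action": "open_ticket", "target": host, "needs_analyst": True}
    return {"action": "log_only", "target": host, "needs_analyst": False}

def triage(baselines, events, detection_type="data_exfiltration"):
    """Score each (user, host, hour, bytes_out) event and pick a response."""
    decisions = []
    for user, host, hour, bytes_out in events:
        confidence, reasons = score_event(baselines, user, hour, bytes_out)
        decision = decide_response(detection_type, confidence, host)
        decisions.append({"user": user, "confidence": round(confidence, 2),
                          "reasons": reasons, **decision})
    return decisions

if __name__ == "__main__":
    # Constructed live events: a normal alice session, bob's usual batch job,
    # alice pushing 250 MB at 03:00, and a user with no history at all.
    live = [("alice", "ws-01", 10, 1450), ("bob", "batch-07", 1, 100000),
            ("alice", "ws-01", 3, 250000000), ("carol", "ws-09", 3, 250000000)]
    for decision in triage(build_baselines(HISTORY), live):
        print(decision)
```

Two design points carry the weight here. The entity with no baseline (`carol`) is the classic false-positive source for a freshly onboarded user, so it is deliberately capped at a ticket, never an automatic isolation. And the auto-action gate checks the detection type as well as the confidence, so a brand-new detection that scores high still goes to an analyst until the team has explicitly added it to `AUTO_ACTIONABLE`.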
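To make the RASP idea in the Application Security item concrete, here is an added Python example (written for this page, not any product's code) of the simplest form of runtime self-protection: an in-process hook on the database layer that learns the structure of the statements a legacy application issues during a trusted learning phase, then blocks and logs any statement whose structure changes at runtime. `RaspGuard`, the `users` table and the lookup functions are all hypothetical; `lookup_user_vulnerable` is deliberately written with string concatenation so that the guard has something to catch.

```python
import re
import sqlite3

# Strip string and numeric literals so only the statement's shape remains.
LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+\b")

def sql_structure(sql):
    """Normalise a statement to its structural skeleton: literals become '?',
    whitespace is collapsed, keywords are lower-cased."""
    skeleton = LITERAL_RE.sub("?", sql)
    return re.sub(r"\s+", " ", skeleton).strip().lower()

class RaspGuard:
    """Hypothetical in-process guard. While learning, it records the structure
    of every statement the application issues; afterwards a statement whose
    structure was never seen is blocked and an event is recorded."""
    def __init__(self):
        self.known_structures = set()
        self.events = []
        self.learning = True

    def allow(self, sql):
        shape = sql_structure(sql)
        if self.learning:
            self.known_structures.add(shape)
            return True
        if shape in self.known_structures:
            return True
        self.events.append({"blocked": True, "structure": shape, "statement": sql})
        return False

def guarded_execute(conn, guard, sql, params=()):
    """The single choke point every statement passes through."""
    if not guard.allow(sql):
        raise PermissionError("RASP blocked statement with unseen structure")
    return conn.execute(sql, params).fetchall()

def build_demo_db():
    # Constructed in-memory schema and rows for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

def lookup_user_vulnerable(conn, guard, username):
    # Deliberately built by concatenation: this stands in for the legacy code
    # the guard protects, not a pattern to copy.
    sql = "SELECT id FROM users WHERE name = '" + username + "'"
    return guarded_execute(conn, guard, sql)

def lookup_user_safe(conn, guard, username):
    # Parameterised: the structure is constant whatever the input is.
    return guarded_execute(conn, guard, "SELECT id FROM users WHERE name = ?", (username,))

def run_demo():
    conn, guard = build_demo_db(), RaspGuard()
    lookup_user_vulnerable(conn, guard, "alice")   # learning phase: trusted traffic
    lookup_user_safe(conn, guard, "alice")
    guard.learning = False                         # enforcement from here on
    payload = "' OR '1'='1"
    outcome = {"safe_rows": lookup_user_safe(conn, guard, payload)}
    try:
        lookup_user_vulnerable(conn, guard, payload)
        outcome["vulnerable_blocked"] = False
    except PermissionError:
        outcome["vulnerable_blocked"] = True
    outcome["events"] = list(guard.events)
    return outcome

if __name__ == "__main__":
    print(run_demo())
```

The tautology payload turns `... WHERE name = ?` into `... WHERE name = ? or ?=?`, which the guard has never seen, so the legacy path is blocked and an event is written for the SOC; the parameterised path executes the same payload harmlessly and returns no rows. The real value of the hook is the event log: it tells the team that a production application is still building SQL from user input, which is exactly the kind of released-and-forgotten exposure the item above describes.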
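The format-preserving property in the Data-Centric Security item is easiest to see in code. The Python below is an added example for this page, not a vendor's implementation: a toy Feistel network over decimal digits with an HMAC-SHA256 round function, so a 16-digit value encrypts to another 16-digit value and decrypts back. It is not NIST FF1 or FF3-1 (those use AES as the round function and have their own round-count and domain-size rules) and is not for production use; the key, tweaks and card numbers are constructed. `protect_pan` additionally shows the common practice of leaving the first six and last four digits in the clear, with the caveat that this shrinks the encrypted domain.

```python
import hashlib
import hmac
import struct

ROUNDS = 10  # toy parameter; the real FF1 construction also uses 10 rounds

def _round_output(key, tweak, round_no, half, width):
    """Feistel round function: keyed hash of (round, tweak, half), reduced to a
    `width`-digit decimal number. A toy stand-in for FF1's AES-based PRF."""
    msg = struct.pack(">I", round_no) + tweak + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)

def _check(digits):
    if len(digits) < 2 or any(c not in "0123456789" for c in digits):
        raise ValueError("input must be a string of at least two ASCII digits")

def fpe_encrypt(key, tweak, digits):
    """Encrypt a decimal string to a decimal string of the same length."""
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]           # halves may differ in length by one
    for i in range(ROUNDS):
        width = len(a)                      # the half being replaced this round
        c = (int(a) + _round_output(key, tweak, i, b, width)) % (10 ** width)
        a, b = b, str(c).zfill(width)       # zfill keeps leading zeros, so the length
    return a + b

def fpe_decrypt(key, tweak, digits):
    """Inverse of fpe_encrypt: same rounds, run backwards with subtraction."""
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        width = len(b)
        c = (int(b) - _round_output(key, tweak, i, a, width)) % (10 ** width)
        a, b = str(c).zfill(width), a
    return a + b

def protect_pan(key, pan):
    """Keep the BIN (first 6) and last 4 digits in the clear, as card-handling
    systems commonly need, and encrypt only the middle digits. The encrypted
    domain is smaller than for the full PAN, so the protection is weaker."""
    _check(pan)
    if len(pan) < 12:
        raise ValueError("pan too short to keep 6+4 digits in the clear")
    head, middle, tail = pan[:6], pan[6:-4], pan[-4:]
    return head + fpe_encrypt(key, b"pan-middle", middle) + tail

def unprotect_pan(key, token):
    _check(token)
    head, middle, tail = token[:6], token[6:-4], token[-4:]
    return head + fpe_decrypt(key, b"pan-middle", middle) + tail

if __name__ == "__main__":
    key = bytes(range(32))                  # constructed demo key
    pan = "4111111111111111"               # constructed test card number
    token = protect_pan(key, pan)
    print(pan, "->", token, "->", unprotect_pan(key, token))
```

The tweak is what lets the same key protect many columns without identical plaintexts producing identical ciphertexts across them; bind it to the column or field name. Because the output is still sixteen digits, the protected value can sit in the same database column, pass the same length validation and appear in the same reports as the original, which is why the control can be retrofitted to legacy systems without a schema change.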
The threats of today are not the same as the threats of last year, and the threats one year from now will be different again. To keep up with advanced threats and the pace of innovation driven by the enterprise, it is critical that SecOps teams gain a secure foothold in this new landscape. The path forward needs to include formulating the ‘right for now’ strategy, policies, and procedures and then executing them appropriately. Just as importantly, SecOps teams must constantly re-evaluate the strategies and procedures in place (what worked before might not work now) and make whatever changes are needed to adapt to the current threat landscape. There is a lot of hard work and planning to be done on the part of the SecOps team, but the future is bright, and when the time comes it will be worth celebrating.
Neil Correa, Security Strategist, Micro Focus