As an incurable risk taker, I risk sounding like the Grinch. ‘Tis the season of predictions, and it is all too easy to predict “more of the same” when it comes to cybersecurity. In retrospect, 2017 was among the worst years for headlines from many large (and previously thought to be security-sophisticated) enterprises. (I will avoid saying the “E” name, fearing CISOs will think I’m trying to sell them a product. I’m not.) But in the true spirit of the season, I will forgo the obvious and predict new and better data security outcomes in 2018.
I suspect 2018 will not be substantially the same as 2017. With each new year and new breach, those of us in security hoped it would be the wake-up call for enterprises, governments and consumers to take security seriously. Plenty of folks do now (have you thanked your IT security team today?), yet year after year we stay stuck in the same paradigm of trying to prevent breaches, without considering creative solutions to this hard problem. Breaches won’t be stopped.
Here’s hoping that 2018 is the year folks consider shaking things up and moving beyond the tired methods of bigger, better walls or restricting access to the data people need to do their jobs. Researchers are loath to make predictions (we prefer data-driven decisions), but if I had to read the tea leaves, here’s what I’d say:
The state of security will improve
I believe the state of security will improve, though that improvement is very hard to measure scientifically, so indirect evidence will have to do. Fewer breach announcements could mean either that the media has tired of them or that security has actually gotten better. The improvement will be driven by better security products, better educated security personnel (and more of them) and improvements in corporate compliance. Better security means making processes and business functions less risky.
GDPR will drive enterprises in the U.S. and other countries toward greater responsibility for their customers’ private data
Europe’s new General Data Protection Regulation (GDPR) has ignited fear in many with its stiff penalties for loss of customer data. One should expect substantial new investments in securing data, reducing the opportunities for sophisticated attackers to succeed and stemming the dreaded red tide of data losses. We’ll see lots of investment in encryption and other data security technologies.
Buyer beware, though. Encryption products, although crucial in many contexts and notoriously hard to use, will fail to stop the problem of data loss. Encryption protects data at rest and in transit, but it does nothing against an attacker who holds a valid key or valid credentials, or who sits on the endpoint where the data is decrypted for use. Keys will be lost (at times by the very companies that generate them) or stolen, and users will be confounded by managing their own keys, which is hard to do while also managing one’s own passwords.
A better strategy will emerge in 2018: Track your documents to ensure they go where they should go. A new generation of document-tracking technologies will peer beyond the borders of the enterprise, providing far more valuable security intelligence than what is available today.
Harmless ‘Hack Back’ using deception will turn the balance in favor of defenders
With the recent proposal of the active defense bill in Congress, some have argued that the tactic of “Hack Back” is the “worst idea in security.” They fear a “wild west” in which corporations take matters into their own hands and may cause unintentional harm, and they note that attribution will remain an unsolved problem. This unimaginative opinion will change. The argument against hack back, or active defense, fails to consider harmless hack back approaches that attack the attacker’s knowledge instead of destroying systems or infrastructure.
In 2018, watch for new technologies that will start to tilt the asymmetric cybersecurity contest into a small but perceptible advantage for us, the defenders. Attackers have enjoyed unfettered access to high-value data, hunting inside our networks for months without fear of being caught and prosecuted. That will change with a new security paradigm that makes attackers pay a dear cost for their hunting and their theft. Data deception is a form of harmless hack back, and it’s key to the new security paradigm that will finally take hold in 2018.
Deception is rooted in warfare and social interactions from the time of Adam and Eve (although I’m not certain who won the patent on the method; probably the snake). Deception security, and in particular data deception, will confound and confuse attackers as to what they actually stole: their quarry is of little value when they cannot tell whether the stolen data is real. This is a harmless but real defensive strategy that will make attackers pay a price for stealing. The cost to them of deciding what is real and what is fake will finally tip the balance in our favor.
Those enterprises that embrace the “enough is enough” mindset and reject the “status quo” of yet more security based upon prevention will win, and will stop their losses in a big way. Attackers will simply steal, no doubt. That is a prediction I’m happy to make. But what they steal won’t be of value if they don’t know what is real and what is not.
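To make the document-tracking and data-deception ideas above concrete, here is an added example in Python; it is not code from the original post or from any product. It plants decoy credential records among real ones so that the two are indistinguishable in format, yet each decoy carries a keyed tag that only the defender can verify, and it then scans authentication log lines for any use of a decoy. The defender secret, the “real” records, the service-account naming scheme and the log format are all constructed assumptions for the illustration.

```python
import hashlib
import hmac
import os
import random
import re
from typing import Dict, List, Optional

# Assumption: a key held only by the defender (in practice, kept in a KMS/HSM).
# Every decoy embeds an HMAC tag under this key, so a decoy can be recognised
# without a lookup table, while an attacker without the key sees only random hex.
DECOY_SECRET = b"example-only-rotate-and-store-in-kms"

# Constructed sample of "real" records, the same shape the decoys will mimic.
REAL_RECORDS: List[Dict[str, str]] = [
    {"user": "alice", "api_key": "3f9c0b1a7e2d4c6b8a5f0e1d2c3b4a59"},
    {"user": "bob",   "api_key": "9a1d4e7b2c5f8e0a3b6d9c2f5e8a1b4c"},
    {"user": "carol", "api_key": "c4e7a1d0b3f6e9c2a5d8b1e4f7a0c3d6"},
]


def make_decoy_key(secret: bytes, nonce: Optional[bytes] = None) -> str:
    """Build a 32-hex-char key: 8 random bytes + 8-byte truncated HMAC tag."""
    if nonce is None:
        nonce = os.urandom(8)
    tag = hmac.new(secret, nonce, hashlib.sha256).digest()[:8]
    return (nonce + tag).hex()


def is_decoy_key(secret: bytes, api_key: str) -> bool:
    """True iff the key carries a valid tag under `secret` (constant-time compare)."""
    if not re.fullmatch(r"[0-9a-f]{32}", api_key):
        return False
    raw = bytes.fromhex(api_key)
    nonce, tag = raw[:8], raw[8:]
    expected = hmac.new(secret, nonce, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(tag, expected)


def seed_credential_store(secret: bytes, real_records: List[Dict[str, str]],
                          n_decoys: int, rng_seed: int = 1) -> List[Dict[str, str]]:
    """Interleave decoy records among real ones. Decoy users are accounts that
    do not exist, so a login with one can only come from the stolen store."""
    rng = random.Random(rng_seed)  # seeded so the example is reproducible
    decoys = []
    for _ in range(n_decoys):
        nonce = rng.getrandbits(64).to_bytes(8, "big")
        user = "svc-%s%02d" % (rng.choice(["backup", "etl", "deploy", "report"]),
                               rng.randint(10, 99))
        decoys.append({"user": user, "api_key": make_decoy_key(secret, nonce)})
    store = list(real_records) + decoys
    rng.shuffle(store)
    return store


# Assumed log format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) key=(?P<key>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def scan_auth_log(secret: bytes, lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per log line in which a decoy key was presented."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or not is_decoy_key(secret, m["key"]):
            continue
        alerts.append({"ts": m["ts"], "user": m["user"], "src": m["src"],
                       "reason": "decoy credential used; the store was stolen"})
    return alerts


# Constructed demo: seed the store, then replay three constructed log lines.
SAMPLE_STORE = seed_credential_store(DECOY_SECRET, REAL_RECORDS, n_decoys=3)
FIRST_DECOY = next(r for r in SAMPLE_STORE if is_decoy_key(DECOY_SECRET, r["api_key"]))
SAMPLE_LOG = [
    "2018-01-12T03:14:05Z auth user=alice key=%s src=10.0.4.7 result=ok" % REAL_RECORDS[0]["api_key"],
    "2018-01-12T03:14:09Z auth user=%s key=%s src=198.51.100.23 result=denied"
    % (FIRST_DECOY["user"], FIRST_DECOY["api_key"]),
    "2018-01-12T03:14:10Z auth user=bob key=notakey src=10.0.4.8 result=denied",
]

if __name__ == "__main__":
    for alert in scan_auth_log(DECOY_SECRET, SAMPLE_LOG):
        print("ALERT", alert)
```

Two points matter for this to be “harmless hack back” rather than theater. First, the decoy accounts must not exist, so the login fails regardless and the only effect of the decoy is the alert, which tells the defender when the store was taken and from where it is being used. Second, the attacker’s cost comes from indistinguishability: the decoys share the real records’ length, alphabet and naming conventions, and the 64-bit tag cannot be told from random bytes without the key, so the attacker cannot sort real from fake without trying them and burning the stolen data.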
In 2018, I predict most CISOs will say to themselves, “Let’s get real,” and feed the attackers with fake data.