What to Expect in Data Privacy Trends for 2018

As an incurable risk taker, I risk sounding like the Grinch. ‘Tis the season of predictions, and it is so so easy to predict “more of the same” when it comes to cybersecurity. In retrospect, 2017 is among the worst years for headlines from many large (and previously thought to be security-sophisticated) enterprises. (I will avoid saying the “E” name, fearing CISOs will think I’m trying to sell them a product. I’m not.) But in the true spirit of the season, I will forgo the obvious and predict new and better data security outcomes in 2018.

I suspect 2018 will not be substantially the same as 2017. With each new year and new breach, those of us in security hoped it would be the wake-up call to enterprises, governments and consumers to take security seriously. Plenty of folks do now (have you thanked your IT security team today?), yet we’re stuck in the same paradigm year after year of preventing breaches without considering creative solutions to this hard problem. Breaches won’t be stopped.

Here’s hoping that 2018 is the year folks consider shaking things up and moving beyond the tired methods of bigger, better walls or restricting access to the data people use in their jobs. Researchers are loath to make predictions—we prefer data-driven decisions—but if I had to read the tea leaves, here’s what I’d say:

The state of security will improve

I believe the state of security will improve, except it’s very hard to scientifically measure that improvement. Empirical evidence will have to do. Either the media will tire and there will be fewer announcements of yet another breach, or security will actually get better. The improvement in security will be driven by better security products, better educated security personnel (and more of them) and improvements in corporate compliance. Better security means making processes and business functions less risky.

GDPR will drive enterprises in the U.S. and other countries toward greater responsibility of their customers’ private data

Europe’s new regulation GDPR has ignited fear in many with its stiff penalties for loss of customer data. One should expect substantial new investments in securing data, reducing the opportunities for sophisticated attackers to succeed and stemming the dreaded red tide of data losses. We’ll see lots of investments in encryption and other data security technologies.

Buyer beware, though. Encryption products, although crucial in many contexts and notoriously hard to use, will fail to stop the problem of data loss. Keys will be lost or stolen (at times by the companies who generate them) and users will be confounded by managing their own keys, hard to do when also trying to manage one’s own passwords.

A better strategy will emerge in 2018: Track your documents to ensure they go where they should go. A new generation of document-tracking technologies will peer beyond the borders of the enterprise, providing far more valuable security intelligence than what is available today.

Harmless ‘Hack Back’ using deception will turn the balance in favor of defenders

With the recent proposal of the active defense bill in Congress, some have argued that the tactic of “Hack Back” is the “worst idea in security.” They fear a “wild west” in which corporations take matters into their own hands and may cause unintentional harm. Attribution will remain an unsolved problem. This unimaginative opinion will change. The argument against hack back, or active defense, fails to consider harmless hack back approaches that are based on a knowledge attack on hackers instead of destroying systems or infrastructure.

In 2018, watch for new technologies that will start to turn the asymmetric cybersecurity space into a small but perceptible advantage for us, the defenders. Attackers have enjoyed unfettered access to high-value data, hunting inside our networks for months without fear of being caught and prosecuted. That will change with a new security paradigm that will make attackers pay a dear cost for their hunting and their theft. Data deception is a form of harmless hack back, and it’s key to the new security paradigm that will finally take hold in 2018.

Deception is rooted in warfare and social interactions from the time of Adam and Eve (although I’m not certain who won the patent on the method; probably the snake). Deception security—and in particular data deception—will confound and confuse attackers as to what they actually stole; unable to be certain whether the stolen data is real, they will get little value from their quarry. This is a harmless but real defensive strategy that will cause attackers to pay a price for stealing. The cost to them of deciding what is real and what is fake data will finally tip the balance in our favor.

Those enterprises that embrace the “enough is enough” mindset and reject the “status quo” of yet more security based upon prevention will win, with huge stop losses. Attackers will simply steal, no doubt. That is a prediction I’m happy to make. But what they steal won’t be of value if they don’t know what is real and what is not.

In 2018, I predict most CISOs will say to themselves, “Let’s get real,” and feed the attackers with fake data.

Salvatore Stolfo


Dr. Salvatore Stolfo is the founder and chief technology officer of Allure Security. As professor of Artificial Intelligence and Computer Science at Columbia University since 1979, Dr. Stolfo has spent a career figuring out how people think and how to make computers and systems think like people. Early in his career he realized that the best technology adapts to how humans work, not the other way around. Dr. Stolfo has been granted over 73 patents and has published over 230 papers and books in the areas of parallel computing, AI knowledge-based systems, data mining, computer security and intrusion detection systems. His research has been supported by numerous government agencies, including DARPA, NSF, ONR, NSA, CIA, IARPA, AFOSR, ARO, NIST, and DHS.


2 thoughts on “What to Expect in Data Privacy Trends for 2018”


  • December 16, 2017 at 9:17 pm

    Hi Sal,

    “The argument against hack back, or active defense, fails to consider harmless hack back approaches that are based on a knowledge attack on hackers instead of destroying systems or infrastructure.”

    I have to respectfully disagree with this statement. I believe that a more nuanced view of the subject exposes that “active defense” is an inappropriate term and that “hack back” and “active defense” are neither equivalent nor interchangeable terms. I don’t consider deception performed within one’s own network as being “hack back” at all. There is no need to amend CFAA (like the ACDC Act you raise), as long as you only touch systems you own. In terms of the Active Response Continuum, honeypots and deception within one’s own network don’t even fall within the problematic Level 4, which concerns actions taken outside of one’s own network, outside one’s own “zone of authority”, on someone else’s system:

    [Dittrich and Himma(2005)] D. Dittrich and K. E. Himma. Active Response to Computer Intrusions. Chapter 182 in Vol. III, Handbook of Information Security, 2005. http://ssrn.com/abstract=790585

    As for the problems raised by vague or contradictory terms, see:

    Debating the Active Response Continuum: Defining the Terms of the Debate. https://www.honeynet.org/node/1048

    As to the ACDC Act, I have evaluated the proposals and find many problems that still need to be addressed:

    Thoughts on the Active Cyber Defense Certainty Act 2.0. https://medium.com/@dave.dittrich/thoughts-on-the-active-cyber-defense-certainty-act-2-0-d0b456a56d8b

    I hope that helps clarify the discussion.
