What We Learned at RSA

Shalabh Mohan | Area 1 Security
Published in The Azimuth, Mar 3, 2017

The biggest conference in cybersecurity was buzzing this year. After all, the industry just had its biggest year ever, but sadly it was for all the wrong reasons. 2016 was another year that gave us plenty of reasons to feel unsafe on the internet. It was revealed that Yahoo had been hacked twice, exposing the information of over a billion users. The World Anti-Doping Agency was hacked, leading to the leaking of health information on dozens of athletes. Then there were the email hacks, which put personal information from victims like Colin Powell, as well as the Clinton campaign’s John Podesta, on the web.

RSA should be an optimistic place, and perhaps someday it will be. The cybersecurity industry has always had a tendency to trade on fear and doubt, and that’s part of the dour mood. But the truth is that the industry hasn’t been working effectively. Hacks are growing bigger, and so are their impacts.

Every year has its buzzwords. If you’re keeping an RSA bingo card, this year was big on “machine learning,” “AI,” “threat detection,” and “situational awareness.” It was also big on defeatism.

Both business executives and individual users are on the verge of throwing their hands up over the cybersecurity industry’s continued lack of success. For many consumers of security, it’s become a darkly humorous contest of “how many times our data has been stolen.”

Yet, this is hardly a moment for pessimism. For one, the stakes have never been higher (and of course it’s still always darkest before the dawn). Advances in both cloud computing and data analytics mean that the playing field has been leveled against attackers. If we focus on the source of attacks, not their nuances, devastation and masked actors, we will make real progress in staying safe.

Here are some thoughts on the industry and where it is going.

Phishing is the root cause of cyber-insecurity — and our opportunity

In 2017, companies will reject the nuances of cybersecurity and focus instead on the root cause of more than 95% of all cybersecurity breaches: phishing. Ransomware, business email compromises, and every other named payload du jour have one source: phishing. Phishing, whether delivered via email or web page, is designed to trick users and remains the vector by which attackers must first launch their campaigns.

The solution to phishing is not to treat it as user error but to see it as the source, and to stop it from being delivered, getting in front of users, and giving attackers their first foothold into a network. Training and education do not work; only a new approach that deals with phishing — not spam — and that supports users will succeed.

The Hacks You’ll Hear About in 2017 Have Already Happened

People greatly underestimate how long it takes to find a target, research it, prepare a stealthy attack, and then exfiltrate targeted data. All of the biggest incidents in 2016 started at least a year before they were discovered. So the hacks you’ll read about in the headlines of 2017 are already well underway.

The Yahoo hacks were years old, for instance; one started as early as 2013. Only now is the company catching up, and trying to figure out what was lost. The website-building company Weebly, which also admitted it was hacked this year, says it took the better part of a year to realize it had been breached. Dropbox, which thought it had dealt with its hack of 2012, figured out in 2016 that 68 million users might have been affected. Someone reading this article has intruders in their system at this very minute, and won’t know about it for months or years.

That also means the security you put down now is what you’ll be patting yourself on the back for in 2020.

Cybersecurity as a System

Security and security products tend to exist on their own: there’s a filter for email, a firewall for web traffic, and a virus scanner for the executables on your computer. 2017 will be the year these pieces start to work together. It’s going to be a huge revolution, on par with battlefield commanders finally being able to use a radio to talk to their different units.

Security orchestration tools will be empowered to make moves based on artificial intelligence and machine learning. Our security has to move faster than our threats, and that means moving faster than people. There’s a strong need in the enterprise for software that distributes the right knowledge to the right people. These people will become command controllers who make more effective decisions to protect their network.

Insurance and Throwing in the Towel

These new trends are superior by dimensions to our existing security, but not everyone will be able to implement them right away. In the immediate future, the biggest beneficiary of the confusion and defeatism of the status quo will be cyber insurance. Insurance looks like a good solution for companies that are ready to throw in the towel and say that hacks are inevitable.

While insurance is an important investment for any business, there’s a serious risk of overspending here. Plus, insurance itself is getting smarter, demanding many of the same best practices that could keep you safe, in order to keep your premiums down.

So, the bad news is that we had a bad year, but the good news is that we’re finally narrowing in on the right approach to solving the biggest pain points in cybersecurity.
