Where is cybersecurity heading and what should security teams focus on in 2019?
We thought it would be helpful to examine the most common cybersecurity predictions for 2019. Business press, trade publications and of course vendors had a lot to say about emerging technology trends, but what predictions or trends will matter most? More importantly, how can security teams and CISOs turn these predictions into advantages for their business?
I sat down with Chris Calvert, an industry expert who often says, “If you have a problem with how today’s SOCs work, it’s partially my fault and I’m working to solve that issue!” With over 30 years of experience in information security, Chris has worked for the NSA and the DOD Joint Staff and has held leadership positions in both large and small companies, including IBM and Hewlett Packard Enterprise. He has designed, built and managed security operations centers and incident response teams for eight of the Global Fortune 50.
During our conversation, we discuss questions like:
- Will we see an increase in crime, espionage and sabotage by rogue nation-states?
- How will malware sophistication change how we protect our networks?
- Will utilities become a primary target for ransomware attacks?
- A new type of fileless malware will emerge, but what is it? (think worms)
- And finally, will cybersecurity vendors deliver on the true promise of A.I.?
You can listen to his expert thoughts and opinions on the podcast here!
Want to be better prepared for 2019?
The Respond Analyst is trained as an expert cybersecurity analyst that combines human reasoning with machine power to make complex decisions, with 100% consistency. As an automated cybersecurity analyst, the Respond Analyst processes millions of alerts as they stream, allowing your team to focus on higher-priority tasks like threat hunting and/or incident response.
Here’s some other useful information:
We all know the next big IT shift towards AI and intelligent automation is on the horizon. Over the last few years, vendors and press have focused on the human-to-machine automation transformation. Many vendors promise solutions—but often those solutions are complex and not optimized for the channel.
The good news is that cybersecurity is primed and ready for automation now. But the question for Partners remains: How can VARs, Integrators, and MSSPs find the right solution that provides true human-to-machine technology to simplify life for their customers?
Here are 3 cybersecurity trends driving the industry towards automation and 1 simple recommendation that Channel Partners can leverage to get ahead of the game immediately:
Trend 1: Traditional console monitoring is ineffective
Security teams are spending too much time monitoring alerts that provide little value for their efforts. Sifting through endless alerts with a high percentage of false positives is ineffective at best. It’s causing us to burn out analysts and puts us in a continuous cycle of hiring and training new analysts. The analysts interviewed for the Voice of the Analyst (VOA) Survey help to inform us on where analyst time is better spent and what activities we should automate first. Automating workflow to increase analyst efficiency is important, but automating level 1 alert monitoring itself? That’s downright disruptive.
Cyentia Institute: Voice of the Analyst Survey, October 2017
Figure 1: We asked analysts to score their daily activities on a number of dimensions. One key finding is that analysts spend the most time monitoring, but it provides low value in finding malicious and actionable security threats. (Download VOA Survey here)
Trend 2: People shortage
Most security teams don’t complain about a lack of tools. They complain about a lack of people. Whether the budget won’t allow it or skilled resources are in too high demand to find (or retain), we’ve reached a point where supply has been outstripped by demand. What choice do we have? Leverage the power of machines to augment our security teams. This is finally possible with the advent of decision-automation tools that can off-load the task of console monitoring.
Bitdefender: CISOs’ Toughest Dilemma: Prevention Is Faulty, yet Investigation Is a Burden, April 2018
Figure 2. People shortage is a significant trend in our industry, forcing us to re-think how we’ll actively monitor our environments.
Trend 3: Too many tools
“Too many tools” is a regular complaint in organizations. Did you know most large organizations have on average 75+ security tools? Small organizations are not far behind. It’s all we can do to deploy these necessary security tools and maintain them, let alone review the endless alerts that these tools generate. What’s even more challenging is that we’ve seen an industry trend toward platform-based tools (e.g. SIEM or SOAR) that require engineering resources with the expertise to build and maintain platform content such as correlation rules and playbooks. Many organizations are overwhelmed by this task. In contrast, tools with expertise built in, intelligent applications if you will, are what’s needed, and they will change the way we think about platforms going forward.
Momentum Cyber February 2017 CYBERscape
Figure 3. Most organizations have dozens of tools to deploy and maintain.
An industry transformation is underway: Automation will disrupt the way cybersecurity is performed
We think 2019 will be the year of automation for cybersecurity. Customers will require automation to address the top 3 trends. They need to scale with the growing number of alerts and the increased complexity of monitoring today’s hybrid environments. Adding more people is not the answer. Finding ways to automate to off-load cumbersome tasks typically performed by humans is the answer.
This presents exciting new revenue opportunities for Channel Partners and also explains why we are experiencing increased momentum with VARs, Integrators, and even MSSPs. Respond Software is at the forefront of the industry transformation—applying machines to roles traditionally executed by humans.
One simple recommendation to gain a competitive advantage: the Respond Analyst
The Respond Analyst software is a scalable, plug-and-play “virtual analyst” that perfectly complements any security detection tool sale: Channel partners can increase revenue by providing both the tools and the Respond Analyst to monitor them.
This provides a unique selling opportunity for our Partners. Partnering with Respond Software gives customers, especially the mid-size enterprise ($50M-$1Bil revenue), simple solutions with fast results. Partners can also take advantage of recurring revenue, fast installations, and the potential to increase opportunities to sell more sensors.
To all of our potential partners: Please reach out if you’re interested in learning more about our solution and our partner program by registering at our partner page. Here’s an opportunity to bring new value to your customers and join us on our journey to bring automated security monitoring to the world.
For more information, read the Global Channel Partner Program Press Release
We’ve asked the question before, but we’ll ask it again: how much time does your security team spend staring at monitors? How about investigating false positives escalated from an MSSP? More importantly, how are small security teams expected to cope with the growing amount of security data?
The world of security operations is changing. Extra processing power combined with faster mathematical computations means security monitoring and event triage can now be performed at machine scale and speed. With new innovations that leverage decision automation, security organizations can analyze incidents more efficiently than ever before. Security teams no longer have to tune down or ignore low-signal events. Instead, technologies can now recognize patterns to identify malicious attacks that may have otherwise been overlooked.
So how will these new technologies impact security operations moving forward?
Mike Armistead, Respond Software CEO, recently sat down with Patrick Gray, from Risky Business, to discuss the state of information security today. In the 30-minute podcast, Mike and Patrick shed light on the future of security operations, discussing the limitations of traditional security monitoring/analysis techniques and the power of new technologies, like decision automation to change security forever.
During this podcast you’ll learn to:
- Identify the biggest mistakes security teams make today and how to avoid them.
- Manage the onslaught of data.
- Increase your team’s capacity.
- Stop wasting time chasing false-positives.
Listen to the full podcast, here!
Learn more about what the Respond Analyst can do for you!
Every time I flip a light switch or run water for my daily shower, I’m not thinking of the potential security risks within our power plants or water suppliers. I just take it for granted that the computers working behind the scenes keep things running smoothly.
These computers, also known as Industrial Control Systems (ICS), control the physical world of our most critical infrastructure. They monitor and control the processes responsible for machinery used in power generation and distribution, manufacturing, water treatment plants, HVAC, and many other industries.
The reality is that some of these systems were not designed with security in mind. Historically, these systems were not connected to the Internet or an IT network. They existed in air-gapped environments, disconnected from all other networks.
The disconnected nature of ICS is quickly becoming outdated. Systems are more connected than ever before and can be accessed remotely by operators. Three trends are increasing the vulnerability of our ICS environments.
Trend 1: Connected IT and Operational Technology (OT) environments are growing.
While these blended environments provide increased efficiency and reduced costs for operators, they also increase the potential for security threats. Threats that occur in OT environments generally originate in the IT environment and then traverse the boundary.
This is complicated by the fact that Industrial Control Systems were not built with security event logging in mind, they receive software updates infrequently, and they often exist within flat networks (where all systems exist in the same network).
Bottom line—if one system is infected, it’s easy to spread the infection to multiple systems.
IT has traditionally focused on securing the confidentiality and integrity of data or services while ICS security has focused on maintaining operational availability and ensuring safety. Given the changing nature of the environments, these responsibilities need to evolve.
Trend 2: Attacks are becoming more sophisticated in critical environments.
There have been numerous examples of nation-states disrupting Industrial Control Systems with cyber attacks. One particularly well-documented example (and worth the read from Wired!) is Russia’s repeated disruption of the Ukrainian power grid. Other examples include:
Trend 3: A shortage of trained security analysts.
There is already a limited population of security analysts, but there is an even smaller population who can triage the combination of cyber and operational threats.
IT security analysts cannot monitor an OT network without understanding how the ICS systems function normally and how they can be exploited. Also, ICS systems often communicate on proprietary network protocols not found in IT environments and therefore require specialized detection technologies to alert on an ICS-related threat.
Stop these 3 trends from impacting your ICS environment
The increasing potential for threats, combined with the lack of specialized resources to detect these threats, leaves us all vulnerable. The serious attacks on power and water supplies around the world demonstrate the urgency of staying ahead of the bad guys.
Help is on the way. Using Artificial Intelligence (AI) and Machine Learning, Respond Software has partnered with SecurityMatters (recently acquired by Forescout) to provide automated monitoring, decision making, and triage of network intrusions within ICS environments.
Respond Analyst provides 24×7 automated monitoring and triage, without requiring you to hire, train, and operate a team of security analysts. SecurityMatters provides in-depth visibility into ICS environments, classifying assets and detecting threats based on deep packet inspection of industrial protocols. By monitoring both your OT and IT environments, Respond Analyst is able to identify threats crossing that boundary, providing an earlier warning, and increased visibility into the earlier stages of the attack.
The average SOC is no more prepared to solve its cybersecurity issues today than it was 10 to 20 years ago. Many security applications have been developed to help protect your network, but SOC design has traditionally remained the same.
Yes, it’s true we have seen advancements like improved management of data with SIEMs and orchestration of resolutions, but these tools haven’t resolved the fundamental challenges. Data generated from the most basic security alerts and incidents is overwhelming and still plagues the most advanced security organizations.
According to a recent article in Computer Weekly, the issue is that most organizations, even with the tools & the know-how, are still getting the basics all wrong.
“Spending on IT security is at an all-time high. The volume of security offerings to cover every possible facet of security is unparalleled…The reason so many organisations suffer breaches is simply down to a failure in doing the very basics of security. It doesn’t matter how much security technology you buy, you will fail. It is time to get back to basics.”
The article mentions that security operations teams need to focus on these four key areas to see any positive impact on their SOC design:
- Security Strategy
- Security Policy
- User Awareness
- User Change
But is it as simple as this?
The answer is a resounding YES!
There is no question that it’s still possible to cover the basics in security strategy and achieve enterprise security results. Our recommendation? Start with the most tedious and time-sucking part of the security analyst role — analysis and triage of all collected security data. Let your team focus on higher-priority tasks like cyber threat hunting. It’s where you’ll get the biggest bang for your buck.
If you’re like me, continuously listening to webinars & podcasts to broaden your knowledge of the security industry, emerging trends, and new threats – you’re always looking for reliable, thought-provoking sources to learn and educate yourself.
I guess you could call me a “Security Geek”!
I have always found podcasts to be a phenomenal resource to learn about industry trends and products or services that are revolutionizing how teams operate. Not only do you get a chance to listen to subject matter experts and thought leaders talk about their industry knowledge, but you also learn about an application’s benefits and the value it brings to solve everyday challenges.
The best part: they are free learning sessions from industry experts on new trends and applications you and your team can utilize!
Below are the top 4 podcast channels I frequently visit each week to stay updated on the cybersecurity industry, trends and useful advice – including our new Respond Software podcast.
- The Risky Business podcast, hosted by award-winning journalist Patrick Gray, features news and in-depth commentary from security industry luminaries. Risky Biz is a phenomenal source to stay updated on the latest cybersecurity news and trends on a weekly basis.
- The Unsupervised Learning Podcast series, hosted by cybersecurity professional Daniel Miessler, discusses current cybersecurity news, emerging technologies, and provides opinions and advice on the latest trends in security.
- The Defensive Security podcast, hosted by Jerry Bell and Andrew Kalat, provides a fun take on recent security news. One of the intriguing aspects of their podcast is that they offer feedback and advice for businesses on what they can apply to keep their networks secure. Their perspective and input on best practices is fascinating.
- The Respond Software podcast series covers a wide range of topics and issues – providing a fantastic way to learn about emerging threats and trends, challenges in security operations and opinions from industry experts. One of the primary focuses of the Respond Software Podcast series is the role of humans and technology in the cybersecurity space. The series also features prominent industry leaders like Raffy Marty, VP of Corporate Strategy at Forcepoint. In a recent podcast, Raffy discusses cybersecurity challenges that exist today, what technologies can help improve existing processes and how cybersecurity has changed over the years.
By listening to these podcasts, I have learned a tremendous amount about the cybersecurity industry, trends, threats and new technology that revolutionizes how teams operate.
If you’re waiting for our next podcast to be released and want to learn more about the cybersecurity industry and discover how Respond Analyst can help your team – register for our upcoming webinar on the new Respond Analyst Web Filter Module on November 7th! You will learn how real-time analysis and triage of web filter data, during network and endpoint analysis, gives security teams an edge in reducing response times and limiting the impact of some of the most stealthy attacks!
As the new Product Marketing Manager at Respond Software, I knew when joining the team they were doing some outstanding work: simplifying the complexity of network security monitoring and triage and giving hope to small security teams working to defend their business.
The hard work and dedication from the team have been paying off!
We are proud to announce Respond Software has been selected as one of the Top 25 CyberSecurity innovators by Accenture Innovation Awards! The 25 leading innovations consist of a diverse batch of cutting-edge concepts, developed by pioneers in our eight global themes. These innovations are reshaping our world and unlocking new value and benefits for all parties.
I tip my hat to the amazing product and engineering teams that have developed Respond Analyst to tackle some of the complexity in security operations.
Thank you, Accenture Innovation Awards for recognizing Respond Software as a top CyberSecurity innovator! We are excited to be a part of such an amazing and forward-thinking group!
I would love to tell you that there was a more formal origin behind the core tenets of the Security Situation Center (SSC), but the truth is, the concept originated from my watching too much Star Trek. I am a huge Star Trek fan, and while watching an episode of the “Next Generation” series, I started thinking about the parallels between navigating hostile cyberspace and the efficiency behind the bridge operations of the Starship Enterprise. While the series is 30 years old, it still captures our imagination, and in this case, gives us some original, innovative ideas we can implement today.
So, turning to my day job, when I have Star Trek turned off: my team and I understand that, in the very near future, the tedious SOC monitoring and analysis tasks now performed by analysts will be managed and processed by AI-based expert systems. In other words, soon there will be a day when it is no longer necessary to put human eyes on glass to monitor security alerts. The transformational possibilities for an operational cybersecurity team of this future reality are extraordinary!
On the bridge of the Enterprise, all personnel have a distinct role and ownership of duties, backed up by team members elsewhere on the ship. They also have many people trained for each role. When you consider the many different situations they expect to encounter, you can quickly see this team is well-prepared, well-trained and confident. They have navigation, engineering, communications, science, medical, tactical, command, and of course, Counselor Troi for diplomacy and a little espionage. They are prepared for the unexpected, so they have all options covered. The organizational structure and preparation allow them to hightail it at warp 9 when running from hostile situations, hide, fight, discover, fix, or talk their way out of anything. This feels exactly like what I want my security defenses to be able to do!
The basic Security Operations Center template has many junior people doing the same job. There might be some level of rotation, but that job puts human “eyes on glass” watching alerts or events then deciding which require action and at what level of urgency. This model typically leaves security situation management to an ad-hoc team of incident responders, senior architects, and the management chain. This ad-hoc team occasionally convenes to respond to high profile incidents, which in reality is an additional duty.
The hostility level and risk that organizations expose themselves to by conducting business on the Internet now appear more like a low-level information war than just the occasional malware infection or credit card breach. We know the economics are too powerful not to do business on the Internet. However, as the world becomes more digital, perhaps it is time we acknowledge this new reality, leave the status quo behind and reorganize to actively defend our companies on the Internet.
Fortunately, there is also some organizational experience, beyond Star Trek, behind this idea. When I ran an MSSP in the early 2000s, on a quarterly basis we were able to practice with every new Internet worm. These War Rooms were fueled by sleep deprivation, caffeine, hundreds of millions of dollars in financial losses and lots of grumpy IT and IT security guys and gals. It was management by exception at its worst. When it worked, we managed to recover in reasonable time frames, but we never fixed the root of the problem.
With a Security Situation Center, you have a small team of experienced security personnel whose full-time job is to actively defend the business and then proactively prepare to defend the business. This includes immediate grasp of all of the controls deployed and their current status, the vulnerability status of the entire enterprise, and intelligence on the capability and intentions of bad actors. Just like on the bridge of the Starship Enterprise, these folks are at once leaders and coordinators with the IT and IT security teams that actually make the ship fly.
I’ll surely have more ideas of what a future Security Situation Center will look like. More importantly, I invite you all to comment and provide feedback about how you imagine our industry can push operational security into managing, not only monitoring, situations.
As Captain Picard said so well, “Engage!”
Ed Amoroso @Tag_Cyber has a thing or two to say about SOC design
It’s hard to ignore all the news (bad and good) about self-driving cars these days—but make no mistake, they’re here to stay. Why? It makes sense that humans teach cars and then use the incredible power of automation and computer intelligence to make driving with inherent dangers easier, safer and far more convenient.
So too is the case for SOC analysts, the people who are tasked with looking for and catching the ever-growing cyber risks that bombard the digital landscape every day. In fact, George Amoroso, CEO of Tag Cyber, has a lot to say about SOC design in a recent article titled Self-driving SOC.
“If you are going to build a working SOC, then you’d better know (or learn) how to integrate automation into the design. With cyber attacks now approaching automated speeds that far exceed the ability for any human being to track, the only means for SOC teams to keep up with real-time threats is to automate.”—George Amoroso, CEO, Tag Cyber
George should know, he’s an expert on global cyber security.
The Respond Team