CISOs: Disruptive technology trends and how to prepare- Valutrics
In April, high-end audio maker Bose Corp. found itself in the crosshairs of a class-action suit alleging that its Bose Connect app “demonstrates a wholesale disregard for consumer privacy rights and violates numerous state and federal laws,” because it collected information, such as song titles, from consumer devices. Bose scrambled to head off the row, refuting the allegations as “inflammatory [and] misleading,” but noted that the product does collect “information about songs playing on the device” and updated its app to allow consumers to opt out of data collection.
The incident put consumer product makers on notice. Diving into the internet of things (IoT) — or other disruptive technology trends that could compromise sensitive data — must involve the security team.
Bose rival Harman International moved quickly to head off any potential legal jeopardy following the lawsuit announcement Stebila noted that security teams will have to broaden their focus in the future. “For the most part, CISOs are typically responsible for IT security issues, not the end product,” he said. “But with these end products being connected, we have to work very closely with the business units to provide expertise and technology to minimize risks — both to security and the business.”
Emerging technologies are forcing change on enterprise security teams. Digital communication systems involving voice, data and internet connections are rapidly evolving, and organizations must keep pace. Disruptive technology trends such as IoT pose unexpected risk to networks and data security.
Other game-changing technologies — such as machine learning technology, big data and automation — will alter how security gets done within companies, augmenting teams with systems capable of prioritizing critical alerts and taking initial steps to head off attacks with incident response.
Some technologies are too far out to be near-future disruptors. Quantum computing, which promises faster processing and problem-solving than current computer systems, will be a strong disruptor when the technology is practical. In addition to ongoing research at military labs and universities, work on commercial systems is underway at NASA, Google and IBM’s recently established Q division. “When it comes to everything we know today about securing the internet, if we ever get to the point of quantum encryption, then all of our encryption technologies will be obsolete overnight,” said Sebastian Hess, former CISO of global insurance provider American International Group (AIG), who left in May to become CISO at the Isabel Group, an internet banking provider in Brussels.
Yet thinking ahead has definite benefits. Some cryptographers have already suggested ways of making RSA cryptography encryption-proof against future breakthroughs in quantum encryption. Whether those techniques bear out remains to be seen.
1. A complexity of clouds
Nearly every company has integrated cloud computing into their business — whether through purposeful steps to select the best services and provide them to employees or from workers using cloud services without corporate oversight. The average company uses 1,053 cloud services, including sanctioned applications and shadow IT employees adopt without permission, according to Netskope’s June 2017 Cloud Report.
For security teams, however, that means dealing with complexity created “Even for the most sophisticated companies, the adoption of multiple clouds and keeping those clouds secure is rapidly becoming a problem, and very few companies have a good solution,” he said.
Companies should transition from protecting systems to protecting data, Hess advised. “A large issue for most CISOs is, how do you control the security of your outsourced IT environment? I think the real paradigm shift from a security perspective is to shift over to a data-centric approach,” he said.
2. Marriage of the physical and the digital
Whether an organization focuses on manufacturing and infrastructure, like industrial control systems, or on consumer and information technology — such as the internet of things — everything is rapidly becoming connected and potentially accessible from the internet. Already, the industry has seen a variety of compromises of IoT devices, such as the 2015 hacking of a Chrysler Jeep Cherokee’s digital systems — Chrysler issued a 1.4-million vehicle recall — and last year’s massive denial-of-service attacks unleashed “With all of these devices interconnected, there is going to be a surge of cybercriminal activity that will seek out easy targets of opportunity, and only because there has been this carefree approach to cybersecurity,” Stebila said. “The convenience of these products will be a major cybersecurity nightmare.”
The convergence of IT systems and operational technology (OT) means that digital threats no longer just have digital impact. The evolving ability of computer systems to have real, physical effects on the world is changing how companies consider security risks.
“As soon as you connect them together, the OT network will face compromise,” YĆ©pez said. “Your cooling system, your electrical system, your security system [all] run on separate OT networks, and when you connect those through IT networks, it can become a toxic combination.”
Sebastian Hess
There are some benefits, however. When IT practices are applied to OT networks, companies will gain greater visibility into their infrastructure.
And as devices are increasingly incorporated into the organization’s security fabric, information security and visibility actually improve, Hess pointed out. Technologies that combine device information with location data and usage patterns to create a unified credential may also be on the way. “No one argues anymore that we should get rid of passwords,” he said. “The question is how.”
3. The triad of machine evolution
Near the top of everyone’s list of disruptive technology trends is the nuclear triad of machine evolution: machine learning technology, automation and big data. Separately, each field is a significant force in computing. Combined — and often referred to holistically as artificial intelligence — the three technologies are changing every industry and field of engineering.
For information security, the automation of information processing already means that organizations can process more security-event data than ever before. Collecting and processing data on security and network events also promises more consistent visibility into network and user behavior and the ability to continuously monitor systems and react to potential incidents. Adding machine learning technology to these systems can deliver more accurate information and filter out a greater amount of noise. This should free up security analysts to focus on other tasks.
“In the next few years, human input will increasingly not be needed,” Stebila said. “An AI does not need to sleep or eat, so we will be able to reduce the demand for personnel.”
Disruptive technology trends do not go unnoticed Worms, which have been a threat for more than 30 years, were one of the first automated attacks, scanning for vulnerable machines, infecting the systems and then starting all over again.
More recently, scripted attacks such as web injects combined some aspects of automation and expert systems to create a system capable of automatically harvesting credentials from credulous users. “There is not that much time before the cybercriminals [are] fully autonomous,” Stebila said. “We, as CISOs with security programs, have a limited time to really fight back.”
Stebila recommended that CISOs embark on creating their own automated armory of defensive tools. Patching is a good place to start. “The industry is finding that slow patching of systems leaves us vulnerable,” he said. “Many of the vulnerabilities and attacks would hit a dead end if the systems were patched.”
4. Bitcoin — but really the blockchain
Ask a security professional about bitcoin, and usually ransomware — the penchant of the criminal groups behind the attacks for bitcoin — comes up.
Yet the arguable benefits of anonymous digital cash aside, bitcoin has brought a significant technology to the security table: the ledger system, known as the blockchain. The distributed electronic database allows bitcoin — or any other information — to be added to the blockchain ledger and propagated to the network. Each record, or block, of information cannot be changed without impacting the integrity of later blocks. This acts as a way to verify the integrity of the data.
The most obvious application will be a better, and more auditable, way of logging events, said Thomas Hardjono, CTO of the connection science group at MIT.
“Twenty years later and we are still struggling with gaining visibility into what is going on in the network,” he said. “The first, most valuable use case for blockchain in the next two years is basic logging and auditing. Internally, the blockchain system may allow you to provide better logging of events.”
Already, some industries are experimenting with the technology. Nine in 10 government organizations plan to invest in it to help manage and archive civil records and financial transactions Companies can benefit from more transparent supply chains. Shipping giant Maersk found that transporting goods from Africa to Europe involved about 200 interactions with more than 30 people and organizations. In March 2017, IBM announced that it is working with Maersk on a blockchain project to keep such cross-border transactions verifiable, reducing errors and fraud. The blockchain technology is expected to become available to the wider transportation and logistics industry, according to the companies. Meanwhile, Maersk is taking a closer look at its security practices after its operations were disrupted in late June Blockchain is also being used to distribute public keys and tokens for the internet of things, which could bolster authentication and security for those devices, said Diana Kelley, global executive security advisor for IBM. Kelley recommended that CISOs broach the subject of blockchain — and any emerging technology — with other team leaders and department heads: “If finance is looking at using it for payments, then the CISO needs to have those conversations and ask how they can help.”
Richard Seewald
Whenever experts use a crystal ball to see into the future, predictions vary. Richard Seewald, founder and managing partner for Evolution Equity Partners, expects longer investment horizons before some technology trends take hold.
“Blockchain is still early,” he said. “From our perspective, we see it as a technology that will develop over the next five to seven to 10 years, but [is] clearly disruptive to specific segments of the economy. IoT likewise; when you look at the hyperconnectivity that is out there, it’s still limited.”
For the most part, however, security managers need to be aware of which technologies business employees — as well as attackers — are relying on, to prepare their programs for the future.
“When we talk about the unknown technologies, CISOs are going to have to fight fire with fire,” Harman’s Stebila said. “We will have to have a security team in place that can think like a hacker. We are talking, in many cases, about government technologies that are very sophisticated, so we need to have the same sophistication and skill set.”