Resource Center, which began collecting data on major breaches in 2005, reported 781 major compromises in 2015 – the second most recorded during the decade. In addition, many companies have come forward to disclose lesser breaches: Risk Based Security’s Data Breach QuickView Report cited an all-time high 3,930 incidents in 2015, representing more than 736 million records.
As enterprises became more public with their compromises, security researchers spent an increasing amount of time and effort disclosing new vulnerabilities. Over the past decade, a cottage industry has emerged in finding and selling security vulnerability information to interested parties that were willing to pay for them. This "bug bounty" trend has continued to grow in recent years, and many major companies – including Facebook, Google, and Yahoo – now offer such programs as a part of their business. As a result, security vulnerabilities are being discovered and disclosed at record levels today.
With the increasing publicity of security breaches and vulnerabilities, the stigma and secrecy surrounding the security problem have begun to diminish. While companies are still reluctant to reveal the compromises they experience, there is greater acceptance that bad breaches can happen to good companies – and that the sharing of breach and vulnerability information can benefit entire industries. The emergence of information sharing groups within sectors such as financial services, retail, and energy suggests that companies are more willing than ever to admit they have a problem and then share it with others.
Out Of The Data Center And Into The Boardroom
The aforementioned publicity has resulted in another new phenomenon during the last decade: security is now a boardroom issue. Once sequestered into cubicles deep in the data center, IT security managers are now routinely consulted by management in matters of new technology deployment – and perhaps more importantly, business risk. Many organizations now recognize the threat of a breach as perhaps one of the most impactful – and least predictable – risk factors that can affect a large enterprise during the course of a given fiscal year.
While fear of negative headlines was the initial driver behind security’s rise to the boardroom, risk management has become the reason why many CISOs are keeping their seats at the mahogany table. Just as today’s businesses now recognize that they cannot build a single set of castle walls to defend, many are also recognizing that all new business decisions carry a certain level of cyber risk. As a result, today’s security team is tasked not only with defending the data the company already has, but with assessing the potential risk of new business and technology ventures. This trend promises to continue as companies “Internet-enable” a wide variety of devices and applications that previously had no intelligence: the Internet of Things.
The War Between The States
Cybersecurity was an issue for military and defense organizations long before 2006, but in recent years, the role of offensive, state-sponsored hacking activity has become a much larger and more important issue for enterprises as well. While Russian-backed attacks on government systems in Estonia and Georgia in 2007 opened the eyes of some security pros, it was their reach into non-government systems – such as contractors and media outlets – that worried many IT organizations. Subsequent reported attacks by China on Google and other media businesses made it clear that state-sponsored attacks would not be limited to military targets, but extended to targets of business espionage as well.
Today, most savvy IT organizations understand that some foreign governments actually support and fund the process of collecting business intelligence from rival nations through the use of state-sponsored hacking units. While China is the most frequently mentioned offender, many other countries also conduct their own sorties into foreign business systems – including the developers of Stuxnet, an attack on Iranian systems that clearly served US interests. The result of all this state-sponsored activity is clear: the IT security department must now concern itself not only with financially motivated attackers, but with politically motivated operatives as well.
Hacktivism Becomes A Thing
As governments were discovering the many useful ways that cybercrime could further their political interests, smaller groups of political activists – and even individuals – were discovering that online attacks were an effective method of raising awareness or making a protest. For several years, the largest of these groups, Anonymous and LulzSec, effectively kept the IT security industry on edge, wondering where they would strike next.
Hacktivist groups brought new threats to enterprise defenders, who previously had developed defenses primarily to protect the organization’s financial interests. Hacktivists, largely uninterested in data or financial theft, introduced the industry to new exploits such as distributed denial of service (DDoS), which simply made enterprise systems unavailable, or “doxing,” in which sensitive data and email was captured and published for all Internet users to see. With different methods and motivations than their financially motivated forebears, hacktivists created a whole new theater of attack and defense for IT security departments to deal with – and those attacks and defenses are now part of any good corporate IT security strategy.
In 2006, the chief defenses for enterprise security were based on "signatures" – the idea that a security system could store all known threats and simply block them when they arrived. Antivirus, intrusion detection systems, intrusion prevention systems, and other tools were generally built on this concept of “blacklisting” any incoming malware or data bearing a known bad signature.
Over the course of the decade, however, the growth of new threats that had never been seen or recorded – so-called "zero-day threats" – has skyrocketed, primarily thanks to polymorphic technology that enables malware to be deployed and redeployed in a new version each time, essentially creating thousands of new instances, each of which constitutes a previously unrecorded zero-day exploit. While signature-based technology still blocks many known threats, most security pros now recognize a need for tools and strategies such as behavior-based defense, which identifies malware by the way it acts, and whitelisting tools, which enable only known good data and applications while placing everything else in a safe “sandbox” where a determination can be made as to its security.
While it’s popular to state that antivirus is dead – and this sentiment was even repeated by the CEO of Symantec, maker of the world’s most popular antivirus software, in 2014 – most enterprises still use AV technology to help filter out the increasingly small segment of malware that is both known and bad. However, using the term "signature-based" at a security conference continues to be about as well received as using the term "high fat content" at the local gym.
Encryption Gets Both Good And Bad Names
As enterprises continue to struggle with blacklisting, whitelisting, behavior, and sandboxing, many security proponents are increasingly offering another, simpler strategy: encrypt everything. No matter what defenses you use, they say, attackers are likely to break through them – so the answer is to encrypt all sensitive data, therefore rendering the compromises useless, since the attackers end up with only streams of data that they can’t read. A good deal of promising encryption technology has come and gone over the last decade, much of it hobbled by cost of implementation, impact on performance, or confusion on how to manage the keys that unlock the encrypted data.
While encryption technology continues to improve and become easier to implement, it also has proven to be a double-edged sword because of its availability to attackers as well. In recent years, attackers have successfully penetrated enterprise defenses by simply encrypting their exploits – and thereby obfuscating them from the view of security tools and IT security professionals. Other cybercriminals are now using encryption as a means of kidnapping enterprise data and holding it for ransom until the victim company pays a premium. IT organizations also are wrestling with legitimate encryption, which can make it possible for employees to hide their activities on corporate networks while limiting the effectiveness of traditional security technology such as deep packet inspection.
What trends will define IT security a decade from now?
There’s no sure way to tell. Today’s behavior-based solutions may give way to some new generation of technology. The current emphasis on forensics and incident response may give way to a new set of prevention tools. The current emphasis on cyber risk might be offset by a new class of cyber insurance. Your guess is as good as ours. The one thing that we know for sure is that, when it comes to security, the only constant is change.