When it comes to IT security, the old saw says, the only constant is change. As Dark Reading looks back over the ten years since its launch in 2006, that maxim seems more accurate than ever.
Like generals fighting a losing battle, security thought leaders and professionals have been forced to change strategies many times over the last decade, often in response to technological and strategic advances developed by the attackers. While IT itself has evolved quickly, the pace of new security threats has continued to move at even faster speeds, often leaving defenders in firefights that change almost daily. And defense strategies that were once fundamental to the security industry are now being constantly challenged – if not outright rejected – by the thinkers who once promoted them.
In this feature, we take a look at some of the fundamental sea changes that have occurred over the last 10 years. Perhaps a look at where we’ve been will give us a hint at where we’re going – or at least prepare us for more change in the future.
From Sentries To Detectives
Ten years ago, IT security professionals were often seen as the guards at the gate – the people who were responsible for protecting corporate data and preventing cyber criminals from gaining access to enterprise systems. There was a perception of a defensible "perimeter" for each organization, and a relatively stable set of end user technologies to secure.
Today, the majority of security technologies and strategies assume that the enterprise has already been compromised. There is a heavy emphasis on the use of data forensics to ferret out sophisticated exploits hiding in the infrastructure, as well as incident response tools to detect and remediate compromises as soon as possible. Enterprises’ broader shift to technologies that are outside the IT department’s span of control – including cloud services and user-owned mobile devices – has virtually shattered the perimeter defense concept and forced the security team to spend most of its time searching for threats that have already penetrated the organizational walls.
The Shrinking Skills Pool
In 2006, a significant portion of the security team could be described as system administrators who spent much of their time onboarding new users, maintaining simple access controls, and administering passwords. While there were plenty of security thinkers and strategy architects, the demands on the average security pro were mostly around policy management and internal system defense – and while hiring was not easy, it was often possible to bring in an entry-level system administrator and teach them what they needed to know about more sophisticated threats and defenses over time.
Over the past decade, however, the rapid evolution of online threats – and the negative publicity received by companies that were breached – has generated a nearly insatiable demand for more IT security talent. Not only does the industry need more bodies – some estimates say that as many as 1.5 million new security jobs will be created over the next five years – but the skills requirement has increased, as enterprises do less simple systems administration and more post-compromise analysis of incoming threats. If current trends are any indication, IT security will remain a negative-unemployment industry for many years to come, and the most skilled people will be in the greatest demand.
The Erosion Of Layered Security
For many of the last ten years, IT security lived and died by the philosophy of "layered security," which holds that an enterprise’s best defense is to challenge the attacker with an array of different defenses – firewalls, antivirus, intrusion detection/prevention, encryption, authentication, and many more – in an effort to discourage all but the most determined attackers. This strategy, sometimes called "defense in depth," encouraged enterprises to purchase and implement a wide variety of security tools and practices, making it difficult for any single-vectored attack to get through.
However, after ten years of buying and deploying new security technologies and breaking new IT security spending records year after year, most security experts are beginning to wonder if the layered security philosophy is the best approach. The incidence and cost of data breaches continue to increase, and some business executives have begun to balk at the notion of continually increasing spending on technology and people without any guarantee of data security. Many enterprises and security experts are rethinking some of the basic precepts of IT security, though a clear new philosophy has yet to emerge.
In 2006, many security strategies were still predicated on the proliferation of viruses and worms such as Love and Code Red, which were designed to infect as many machines as possible and to gain notoriety for their creators. In some quarters, there was still a perception of hackers as teenagers working late at night in their basements, seeking approval from others online.
In fact, by 2006 the cybercrime market had already begun a massive shift toward an organized, underground economy that has continued to grow and flourish over the past decade. Malware developers create and sell their exploits in online forums – and support their products with upgrades, patches, and even 24-hour customer service. Criminals can rent botnets by the hour, or purchase long lists of valid credit cards at less than a dollar apiece. Recent estimates project that cybercrime costs will reach $2 trillion by 2019, and some law enforcement agencies say organized crime syndicates now make more money from cybercrime than from drugs or prostitution. Clearly, cybercrime is more lucrative than ever – and that trend bodes poorly for tomorrow's IT security defenders.
Security Goes Public
When Dark Reading was launched in 2006, it carried only a few stories about security breaches, partly because laws requiring companies to disclose such breaches were only just going into effect. With the passage of breach disclosure laws in California – and subsequently, 47 other states – the extent of the cybersecurity problem became increasingly evident. The Identity Theft Resource Center, which began collecting data on major breaches in 2005, reported 781 major compromises in 2015 – the second most recorded during the decade. In addition, many companies have come forward to disclose lesser breaches: Risk Based Security's Data Breach QuickView Report cited an all-time high of 3,930 incidents in 2015, representing more than 736 million records.
As enterprises became more public with their compromises, security researchers spent an increasing amount of time and effort disclosing new vulnerabilities. Over the past decade, a cottage industry has emerged in finding and selling security vulnerability information to interested parties willing to pay for it. This "bug bounty" trend has continued to grow in recent years, and many major companies – including Facebook, Google, and Yahoo – now offer such programs as a part of their business. As a result, security vulnerabilities are being discovered and disclosed at record levels today.
With the increasing publicity of security breaches and vulnerabilities, the stigma and secrecy surrounding the security problem have begun to diminish. While companies are still reluctant to reveal the compromises they experience, there is greater acceptance that bad breaches can happen to good companies – and that the sharing of breach and vulnerability information can benefit entire industries. The emergence of information sharing groups within sectors such as financial services, retail, and energy suggests that companies are more willing than ever to admit they have a problem and then share it with others.
Out Of The Data Center And Into The Boardroom
The aforementioned publicity has resulted in another new phenomenon during the last decade: security is now a boardroom issue. Once sequestered in cubicles deep in the data center, IT security managers are now routinely consulted by management in matters of new technology deployment – and perhaps more importantly, business risk. Many organizations now recognize the threat of a breach as one of the most impactful – and least predictable – risk factors that can affect a large enterprise during the course of a given fiscal year.
While fear of negative headlines was the initial driver behind security’s rise to the boardroom, risk management has become the reason why many CISOs are keeping their seats at the mahogany table. Just as today’s businesses now recognize that they cannot build a single set of castle walls to defend, many are also recognizing that all new business decisions carry a certain level of cyber risk. As a result, today’s security team is tasked not only with defending the data the company already has, but with assessing the potential risk of new business and technology ventures. This trend promises to continue as companies “Internet-enable” a wide variety of devices and applications that previously had no intelligence: the Internet of Things.
The War Between The States
Cybersecurity was an issue for military and defense organizations long before 2006, but in recent years, the role of offensive, state-sponsored hacking activity has become a much larger and more important issue for enterprises as well. While Russian-backed attacks on government systems in Estonia and Georgia in 2007 opened the eyes of some security pros, it was their reach into non-government systems – such as contractors and media outlets – that worried many IT organizations. Subsequent reported attacks by China on Google and other media businesses made it clear that state-sponsored attacks would not be limited to military targets, but extended to targets of business espionage as well.
Today, most savvy IT organizations understand that some foreign governments actually support and fund the collection of business intelligence from rival nations through state-sponsored hacking units. While China is the most frequently mentioned offender, many other countries also conduct their own sorties into foreign business systems – including the developers of Stuxnet, an attack on Iranian systems that clearly served US interests. The result of all this state-sponsored activity is clear: the IT security department must now concern itself not only with financially motivated attackers, but with politically motivated operatives as well.
Hacktivism Becomes A Thing
As governments were discovering the many useful ways that cybercrime could further their political interests, smaller groups of political activists – and even individuals – were discovering that online attacks were an effective method of raising awareness or making a protest. For several years, the largest of these groups, Anonymous and LulzSec, effectively kept the IT security industry on edge, wondering where they would strike next.
Hacktivist groups brought new threats to enterprise defenders, who previously had developed defenses primarily to protect the organization's financial interests. Hacktivists, largely uninterested in data or financial theft, introduced the industry to new attacks such as distributed denial of service (DDoS), which simply made enterprise systems unavailable, or "doxing," in which sensitive data and email were captured and published for all Internet users to see. With different methods and motivations than their financially motivated forebears, hacktivists created a whole new theater of attack and defense for IT security departments to deal with – and those attacks and defenses are now part of any good corporate IT security strategy.
In 2006, the chief defenses for enterprise security were based on "signatures" – the idea that a security system could store all known threats and simply block them when they arrived. Antivirus, intrusion detection systems, intrusion prevention systems, and other tools were generally built on this concept of "blacklisting" any incoming malware or data bearing a known bad signature.
Over the course of the decade, however, the number of new threats that had never been seen or recorded – so-called "zero-day threats" – has skyrocketed, primarily thanks to polymorphic technology that enables malware to be deployed and redeployed in a new version each time, essentially creating thousands of new instances, each of which constitutes a previously unrecorded zero-day exploit. While signature-based technology still blocks many known threats, most security pros now recognize a need for tools and strategies such as behavior-based defense, which identifies malware by the way it acts, and whitelisting tools, which allow only known good data and applications while placing everything else in a safe "sandbox" where a determination can be made as to its security.
While it's popular to state that antivirus is dead – a sentiment repeated even by the CEO of Symantec, maker of the world's most popular antivirus software, in 2014 – most enterprises still use AV technology to help filter out the ever-smaller segment of malware that is both known and bad. However, using the term "signature-based" at a security conference continues to be about as well received as using the term "high fat content" at the local gym.
Encryption Gets Both Good And Bad Names
As enterprises continue to struggle with blacklisting, whitelisting, behavior, and sandboxing, many security proponents are increasingly offering another, simpler strategy: encrypt everything. No matter what defenses you use, they say, attackers are likely to break through them – so the answer is to encrypt all sensitive data, therefore rendering the compromises useless, since the attackers end up with only streams of data that they can’t read. A good deal of promising encryption technology has come and gone over the last decade, much of it hobbled by cost of implementation, impact on performance, or confusion on how to manage the keys that unlock the encrypted data.
While encryption technology continues to improve and become easier to implement, it also has proven to be a double-edged sword because of its availability to attackers as well. In recent years, attackers have successfully penetrated enterprise defenses by simply encrypting their exploits – and thereby hiding them from the view of security tools and IT security professionals. Other cybercriminals are now using encryption as a means of kidnapping enterprise data and holding it for ransom until the victim company pays a premium. IT organizations also are wrestling with legitimate encryption, which can make it possible for employees to hide their activities on corporate networks while limiting the effectiveness of traditional security technology such as deep packet inspection.
What trends will define IT security a decade from now?
There’s no sure way to tell. Today’s behavior-based solutions may give way to some new generation of technology. The current emphasis on forensics and incident response may give way to a new set of prevention tools. The current emphasis on cyber risk might be offset by a new class of cyber insurance. Your guess is as good as ours. The one thing that we know for sure is that, when it comes to security, the only constant is change.
Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.