There were three trends that characterised cybercrime for most of 2020. First, cybercrime did not take a holiday during the pandemic. Keysight research shows that there was a 62 per cent increase in phishing attacks in 2020 over 2019. Secondly, monetary gain took centre stage as a key cybercrime motivator. There was a huge uptick in the deployment of ransomware starting in June. The second half of 2020 was particularly brutal, with 59 per cent of the attacks occurring during that time frame. Lastly, supply chain attacks hit the headlines with the SolarWinds attack. The supply chain has continued to be a weakness since the infamous Target point of sale breach in 2013 brought this type of risk to the forefront. The SolarWinds attack reinforced the need for security architects to adopt a holistic and comprehensive approach.
In the recently released fourth edition of its Security Report, Keysight Technologies discusses the relevant threats expected in 2021. Edited excerpts…
Looking forward, 2021 and beyond
For most of us, 2021 still feels like the extended dance mix of 2020. The SolarWinds breach just added onto the pile of recent IT challenges, including the pandemic-induced rush for remote work, and phishing attacks. However, stepping back and taking a look at the big picture, the narrative has been largely unchanged for years. We are still in a world where cybersecurity is largely immature and looked at from a “how do I prevent it” or “how do I avoid it” perspective. The world needs to look at it from a “how can I detect it and be resilient” perspective. The active breach inside your network is not a matter of if, but when.
2021 is the year that the network security of 100 per cent of enterprises will reach a compromised status, whether the organisations know it or not. The impact of work from home, the move to support remote workers, and the lack of preparedness have offered the bored cybercriminal a plentiful supply of targets. Additionally, cybercriminals have continued to enhance their capabilities. They had a lot of time on their hands in 2020 to work on and improve their tools of the trade. This year will be filled with this realisation as we uncover the artifacts of malicious activity in our networks. The faster we get to the point where we can find them, the sooner we will be able to work on remediating the situation.
Visibility for detection and measurement
Peter Drucker’s quote, “You cannot manage what you cannot measure”, is one of the most relevant, yet underestimated, quotations with respect to cybersecurity. The ability to measure an organisation’s cybersecurity preparedness, and security control efficacy, is essential to making qualified decisions and applying an in-depth security model.
Why is proactive security measurement so important? One reason is that most breaches do not happen due to poor technology. Most of the firewalls, endpoint detection and response products, and network detection and response solutions on the market are actually quite good at detecting or blocking attacks – if configured perfectly. But the complexity of managing dozens of security products, tracking daily changes in the threat landscape, and effectively triaging the millions of SIEM alerts that deluge security operations centre (SOC) teams makes it easy to open up the one gap that attackers need to get in.
Repeatable, comprehensive measurement of the security posture is a critical step in maintaining effective security and maximising value from security investment. The prevalence of breaches caused by simple misconfigurations is amply demonstrated by industry research; Gartner notes that through 2023, 99 per cent of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.
There’s no silver bullet
An organisation’s cybersecurity solution is a mix of many different products. There’s no single solution – the mythical silver bullet that solves all cybersecurity problems. There is a complex set of security controls and policies, which is only as strong as its weakest link. It is therefore critical to be able to identify the weakest link and remove and replace it, or to enhance it so that it can perform as required. This starts with inline security solutions (such as web application firewalls, decryption, and intrusion prevention solutions), but also includes packet analysis solutions (such as data loss prevention and indicator of compromise investigative solutions).
Proactive and continuous assessments
Staying on top of all the moving parts of a complex security deployment is not trivial. Human-based testing regimes, such as penetration testing and red teaming exercises, can certainly help identify specific weaknesses and train SOC teams. However, they tend to be expensive, non-repeatable, and not comprehensive. These two security practices proceed until the first exploitable vulnerability is found, then move deeper into the exploit without checking other security controls.
Combining periodic human-based testing with more comprehensive automated software tools that perform exhaustive and repeatable assessments of tools, teams, and processes can yield a much better return on investment. This will also help deliver much shorter intervals between the opening and remediation of security vulnerabilities.