Security Laboratory

Sec Lab: Predictions and Trends for Information, Computer and Network Security

This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.

Eric Cole Emerging Threats Summary 2010

Eric Cole, Ph.D.
Version 1.1

Here are the top 11 trends Dr. Eric Cole is tracking:

1) More focus on data correlation

Instead of adding more devices to a network, perform data correlation across the existing devices first. Networks are becoming so complex that no single device will be able to give enough insight into what is happening across an organization. To better understand both normal and anomalous traffic, data correlation has to be performed across all critical devices. Each device or server holds one piece of the puzzle, and only by putting all of the pieces together can organizations understand what is really happening.
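As an added illustration of the correlation described above (example code written for this page, not from SANS or Dr. Cole; the log formats, IP addresses and the three-source, five-minute threshold are constructed assumptions), this script joins firewall, proxy and endpoint events by host and flags a host that shows up in several independent sources within a short window, something no single device would report on its own:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three device types. The formats are
# assumptions for this example, not any vendor's real log format.
FIREWALL_LOGS = [
    "2010-11-02T09:15:02 fw DENY src=10.1.4.22 dst=203.0.113.9 dport=443",
    "2010-11-02T09:15:05 fw DENY src=10.1.4.22 dst=203.0.113.9 dport=443",
    "2010-11-02T09:20:11 fw ALLOW src=10.1.4.50 dst=198.51.100.7 dport=80",
]
PROXY_LOGS = [
    "2010-11-02T09:15:30 proxy host=10.1.4.22 url=http://203.0.113.9/update.bin status=200",
]
ENDPOINT_LOGS = [
    "2010-11-02T09:16:10 av host=10.1.4.22 alert=NewProcess name=svchost32.exe",
]

# timestamp, source device name, and the internal host (src= or host=)
LINE_RE = re.compile(r"^(\S+) (\w+) .*?(?:src|host)=(\d+\.\d+\.\d+\.\d+)")

def parse(lines):
    """Normalize lines from any source into (timestamp, source, host)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these too
        ts, source, host = m.groups()
        events.append((datetime.fromisoformat(ts), source, host))
    return events

def correlate(events, window=timedelta(minutes=5), min_sources=3):
    """Return {host: sorted(sources)} for hosts seen by at least
    min_sources distinct devices within `window` of each other."""
    by_host = defaultdict(list)
    for ts, source, host in events:
        by_host[host].append((ts, source))
    hits = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            in_window = {s for t, s in evs[i:] if t - start <= window}
            if len(in_window) >= min_sources:
                hits[host] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    print(correlate(parse(FIREWALL_LOGS + PROXY_LOGS + ENDPOINT_LOGS)))
```

Each source alone shows only a denied connection, a successful download, or a new process; the join by host and time is what turns three low-priority events into one finding.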

2) Threat intelligence analysis will become more important

Many of the products in the security industry are becoming commoditized. Consoles and network devices are very similar in how they work and operate; the key differentiator is having accurate and up-to-date threat data. Organizations cannot fix every single risk. Therefore, as the risks grow, more focus has to be put on the real attack vectors. A growing theme is that the defense must learn from the offense. Threat must drive the risk calculation so that the right vulnerabilities are addressed; only with accurate threat data can the avenues of exploitation be closed.

3) Endpoint security becomes more important

As more and more devices become portable, the endpoint becomes more critical. In terms of the data it contains, there is little difference between a server and a laptop. A server might hold more data, but laptops still carry a significant amount of critical information. However, the server sits on a well-protected network, while the laptop is usually connected directly to untrusted networks, including wireless. Therefore we need to move beyond traditional endpoint protection and focus on controlling, monitoring and protecting the data on the endpoints.

4) Focusing in on proactive forensics instead of being reactive

Attacks are so damaging that once an attacker gets in, it is too late. In addition, with technologies like virtualization and SCADA controllers, performing reactive forensics is very difficult, if not impossible. Therefore more energy and effort needs to go into proactively identifying problems and avenues of compromise before major impact is caused to an organization. Given the amount of intellectual property being stolen and the resulting reputational damage, proactive is the only way to go.

5) Moving beyond signature detection

Signature detection worked because malicious code did not change and it took a while for large-scale exploitation to occur. While signature detection is still effective at catching some attacks, it does not scale to the advanced persistent threat (APT) that continues to occur. Therefore, signature detection must be coupled with behavioral analysis to effectively prevent and detect emerging threats. Since the new threats are constantly changing and persistent, only behavior analysis has a chance of dealing with these attacks effectively.

6) Users will continue to be the target of attack

Everyone likes to focus on the technical nature of recent attacks like Zeus and Aurora, but when you perform root cause analysis, the entry point for most of these sophisticated APT attacks is a user clicking on a link they are not supposed to. After that, the attack became very sophisticated and advanced, but the entry point for many attacks is traditional social engineering: advanced spear phishing that tricks the user into performing some action they are not supposed to. While you will never get 100% compliance from employees, organizations are going to put energy into it because they will understand the short- and long-term benefit.

7) Shifting from focusing on data encryption to key management

Crypto is the solution of choice for many organizations; however, they fail to realize that crypto does no good if the keys are not properly managed and protected. Crypto has quickly become painkiller security because organizations focus on the algorithms and not the keys. The most robust algorithms in the world are worthless without proper management of the keys. Most data that is stolen comes from encrypted databases where the keys are stored directly alongside the encrypted data.

8) Cloud computing will continue regardless of the security concerns

Even though there are numerous concerns and security issues with cloud, you cannot argue with free. As companies continue to watch the bottom line, more of them are wondering why they are in the data center business. By moving to both public and private clouds they can lower costs and overhead; however, as with most issues, security will not be considered until after there are major problems. Attackers will always focus on high-payoff targets. As more companies move to the cloud, the attack methods and vectors will also increase at an exponential rate.

9) New Internet protocols will increase exposure

As the Internet continues to grow and be used for everything, new protocols will continue to emerge. The problem is that the traditional model of deploying new protocols no longer works. In the past, a new protocol was developed and took a long time to achieve mainstream usage. This allowed the problems to be worked out and security to be properly implemented. Today, when a new protocol comes out it is adopted so quickly that the problems are only identified after there is widespread use, which quickly leads to widespread attacks.

10) Integrated/embedded security devices

Not only is technology becoming integrated into almost every component, more functionality is being moved to the hardware level. Beyond the obvious implication of having more targets to go after, embedded devices create a bigger problem: it is much harder to patch hardware than software. If software has a problem, you can apply a patch. If hardware has a vulnerability, it will take longer to fix and will increase the attack surface in the meantime. Smart grid is a good example of items 9 and 10 combined.

11) Organizations will stop relying solely on technology

Many organizations have focused on technology as the primary measure of protecting their systems: if you install a firewall, IPS and endpoint security, surely you will be protected. Unfortunately, organizations are realizing that almost every company that has suffered a breach had technology installed and was still compromised. Now please do not get me wrong. It would be extremely difficult to secure an organization without technology; however, technology alone will not protect you. Therefore, as we go into 2011, we will see more organizations focusing on making sure they have accurate network diagrams. Data flow diagrams will become critical in order for organizations to understand what they are protecting. Finally, data classification will appear on more organizations' roadmaps, since without any idea of the sensitivity of data there is no way it can be protected. There are no shortcuts when it comes to security, and organizations that are successful into 2011 will realize this.