The Gartner Security and Risk Management Summit in Dubai this week provided an update on cybersecurity threats and solutions, offered by analysts from the market research company as well as various security industry experts. Here are some of the important messages coming out of the two-day event.
Company politics can thwart security
In a keynote address, Gartner Research VP, Jeffrey Wheatman, departed from the traditional technical-oriented presentations to cover the politics of cybersecurity. In a region besieged by bad actors, he suggested that internal disputes could hamper progress on the establishment of effective security postures. Security risk management (SRM) leaders, he said, needed to develop techniques to neutralize internal conflict.
Variants in the perception of best practices, capabilities, budgets and other factors could lead to delays in implementation of vital technologies and policies meant to stabilize environments. Wheatman schooled delegates in the “art of the stall”, in uncovering agendas, and in the importance of clear communication and careful deliberation in a region that is home to many cultures and traditions.
“When two waves collide, they cancel each other out,” he said. “Before you say or do anything, ask yourself what good can come from it.”
That Gartner’s keynote speaker chose to focus on an area so far removed from line of business and technology at its cybersecurity summit, is indicative of stymied progression within many regional organizations toward coherent security policies.
Cloud security is even trickier than we think
Web attacks are on the rise, jumping 56% on the previous year, according to Symantec’s CTO and strategist for emerging regions, Sunil Varkey. And that’s not all. One in 10 URLs are malicious; 80% of Web traffic is encrypted and so not subject to analysis – and that is set to rise to 90% in the coming years; and the Internet of Things, including critical infrastructure, is firmly in the crosshairs of cyber-bandits.
“Cloud is the new PC,” Varkey warned, explaining that AI and automation would play huge roles in the battle against the new threats. Cloud connections mean that security professionals must consider whether a session device is inside or outside the corporate perimeter and act accordingly. Failure to have visibility and control of users, information and systems can lead quickly to negative consequences and a loss of trust, and “Trust,” said Varkey, “is the foundation of the digital economy.”
He recommended platform-based cybersecurity that delivered “integrated cyber-defense”, covering endpoints, proxies, email and cloud apps.
AI isn’t the final word
“AI does not exist,” according to Luc Julia, co-creator of Siri, of all things. It’s good to start with a quote, and Mark Horvath, Senior Director Analyst at Gartner seemed keen – in a talk about AI’s role in cybersecurity and risk management – to start with that one, to illustrate a caveat.
“The technology [AI] is still immature; and use cases are not in public view,” he cautioned, while lauding regional efforts to employ AI and automation, such as Dubai Police’s progress in predictive law enforcement and its tentative introduction of robot deputies.
Horvath lamented expectation gaps in AI’s application, especially in the field of cybersecurity, where many corporate stakeholders did not realize that smart technologies were only suitable for certain kinds of problems. Statistics, advanced logic, probabilistic reasoning and optimization techniques – the core of artificial intelligence – only went so far in detecting, mitigating and preventing attacks. And natural-language processing, semantic models and fancy orchestrations, while connecting users amply to security systems, did not, in themselves, offer a catchall for the next WannaCry.
And, Horvath warned, “Attackers like AI too.” Much of the next few years, he predicted, will see an escalating series of AI battles between CISOs and their cyber-nemeses, such as a recent incident he cited in which a spam filter with machine-learning capabilities was outfoxed by AI-based countermeasures employed by attackers. The attackers built their own exemplar model of what kinds of emails penetrate spam-filter barriers by constructing, and then deploying, email after email until a success was attained, and building up a list for later analysis.
Expanding on the model of AI where huge data stores are used to “teach” machines how to behave, Horvath recounted the tale of a deep neural net (DNN) used in autonomous vehicle development that was fooled into thinking a stop sign was a posted speed limit, simply by the addition of two small pieces of tape on the sign. While the error did not always occur, it cropped up in more than half of cases, indicating an imperfection in the system.
“Data can be poisoned,” Horvath said.
So, when procurement of cybersecurity AI begins, Gartner recommends asking the right questions. What algorithms are used and what do they do? What are the compute requirements for successful operation? How does the solution handle personal data in respect of privacy? And how does it integrate into the enterprise in terms of cost, training and workflow?
The cybersecurity landscape keeps changing
Is it time for cybersecurity professionals to hang up their spurs? While the obvious (and correct) answer is “no”, Crowdstrike UK thought it was worth asking because of the dearth of NotPetya, Bad Rabbit and WannaCry incidents in 2019. The company’s EMEA Technology Strategist, Zeki Turedi, set about painting the security landscape for delegates from the point of view of his team of analysts and threat-hunters, who have access to a monitoring system that sifts through 1.5 trillion security events each week.
While malware-free attacks are on the rise (they are now 40% of all incidents, Turedi said), malware still warrants our attention. The year’s big news, however, was outside the Middle East, where the US Department of Justice brought indictments against two Chinese nationals accused of targeting managed-service providers around the world, including several in EMEA, on behalf of the Chinese government’s Ministry of State Security. State actors are classified playfully as animals by Crowdstrike – China is a panda, Russia is a bear and Iran is a kitten (the Persian cat is still maturing, but has claws that are more than capable of giving a nasty scratch). The panda has been busy, according to the company, doing what it has routinely been accused of doing by western governments: appropriating intellectual property for national commercial advantage. North Korea (a unicorn in Crowdstrike’s categorization, because that is easier to illustrate than the Chollima, which is a mythical winged horse) is set to follow in China’s footsteps as it seeks to legitimize itself in the global economy.
But the bulk of troubles are found in e-crime, responsible for an estimated $23 billion in losses worldwide since 2013. The digital criminal element – notorious for its ability to move with the times – is moving with the times. Its share of the overall cyber-incident pool has gone up from 25% to 61%. What is interesting is that the parallel fall in state-actor incidents from 75% to 39% happened without any appreciable change in state-sponsored activity. This suggests a massive surge in e-crime.
Criminals, according to Turedi, have learned from the state actors and moved on from the spray-and-pray tactics of yesteryear, now favoring patient, get-to-know-you approaches. This has led to stealthier campaigns that target fewer victims and ransom demands in the hundreds of thousands of dollars. Vigilance, apparently, is as important in 2019 as it has ever been. And 2020 shows no signs of abatement.