This week we chatted with three security heavyweights to talk about the top security risks and concerns in the upcoming year. The panel of industry experts includes Jeremiah Grossman, Founder of WhiteHat Security and Chief of Security Strategy with SentinelOne, Daniel Miessler, Project Leader: OWASP IoT Security Project and Richard Rushing, CISO at Motorola Mobility.
In this discussion, 2016 is the context. Every year we say this is the ‘year of the breach’ and every year it’s a record number of records breached. 2016 is no different. 2016 has been a busy year for defenders in every organization with assets on the Internet, as well as for attackers. In October we had the largest breach in recorded history, Yahoo, and we also witnessed the largest DDoS attack as far as we know, at 1.2TB, Mirai.
Why is this happening? Although application security is at an all-time high regarding spending and resource allocation, security teams still aren’t well enough equipped to prevent these attacks. Across the board, attack surfaces are becoming more complex, and the Internet is becoming less safe.
What’s next for 2017? This blog post will summarize the 5 areas of challenge and opportunity in 2017. To get a deeper analysis of the year to come, you can listen to the full webinar.
1. IoT security is becoming every CISO’s problem
It’s no secret that the use of connected devices is booming in both consumer and business domains. Because this infrastructure has been built so quickly, however, the security requirements and safeguards these devices necessitate are lagging behind.
"The key thing is understanding what gets put into an environment. I think a lot of systems are being deployed when they don't know how all the components link together...and then doing some sort of risk analysis... Until we start having the deeper analysis which might happen at some point in the distant future, you have to segment. You have to separate these systems from what you consider critical to whatever degree that you can." - Daniel Miessler, @DanMiessler
How can we support this? Watch the webinar to learn how, from a tactical, systematic, and theoretical perspective.
2. Pen testing gets better in 2017 with the application of the crowd
We've seen the rise of penetration testing over the past several years, and now crowdsourced pen tests are taking the model and the results to the next level. In the next year, this trend will continue...
As organizations begin seeing diminishing returns on pen testing and vulnerability assessment, we'll see more and more turning to the crowd and a more results-based approach to vulnerability identification. Bug bounties improve upon pen tests: where a pen test gets an organization a "bucket of vulns" for a flat fee, with bug bounties you're only paying for results, and from a broader testing pool.
“You get to this point where you're not finding things. But you know that you’re not perfect. Therefore there are things to find. I think from a bug bounty perspective, being able to say here's a swath of people... that will find issues." - Richard Rushing, @SecRich
Depending on where you are in the maturity model and your organization's specific needs, bug bounties take vulnerability discovery to the next step, going beyond pen tests and traditional vulnerability assessment methods. Learn more about what's in store for the pen testing economy in the next year.
3. Senior development and engineering leaders will embrace crowdsourced vulnerability testing as part of SDLC
In line with the level of maturity of organizations, security teams and engineering teams are now going to have to get on the same page.
Bounty programs provide more information to engineering teams, helping them better understand why the vulnerabilities were there, and how to avoid making those same mistakes in the future. What it comes down to is upholding standards of quality. More and more we're seeing the developers accepting and embracing that their code has to be tested thoroughly for quality in a multitude of ways, including with the crowd.
Listen to the experts weigh in on the changing relationship between DevOps and the crowdsourced testing model, and how it is moving the needle toward improved security in organizations.
4. Social Engineering, AI and machine learning will change security planning forever, but people will remain a key source of protection
As we've discussed, the volume of vulnerabilities and complexity of attack surfaces have never been greater. In the coming year, we have no choice but to cut down on the noise to make decisions easier and faster, whether that’s to spot more vulnerabilities, identify malware in real time, or mitigate miscellaneous risk.
Machine learning and automation will help both attackers and defenders, and it will be our duty as defenders to make the proper investment to properly leverage machine learning.
“It really is solving a fundamental market problem that we have, which is we simply have too much data coming in to be handled by too few humans. There's just too much data to analyze to make really good decisions in day-to-day security.” - Jeremiah Grossman, @jeremiahg
To learn more about unsupervised and supervised learning and how it has the potential to help attackers and defenders, watch the webinar.
5. Crowdsourced vulnerability discovery becomes a mainstream aspect of any security program
2016 has also been a big year for bug bounty programs, and in the next twelve months, this evolution will continue. As more organizations experience the benefits of bug bounty programs, the model will continue to pick up steam.
It is more important than ever that bug bounty programs are integrated into development teams, and that those teams are proactive in welcoming these programs into their processes.
There’s an educational process involved that many organizations are going through right now. In that process, we'll see more private programs transitioning to public programs, and the environment will become even more competitive for both organizations and security researchers.
Beyond these focus areas, 2017 will be a huge year for security...
- Breaches will get bigger and more impactful
- Organizations will work harder to reduce business impact from breaches
- Consumers will push bottom up, demanding improved device security
- Regulation and compliance will be even more present
- Overall, we will have to learn faster, fix faster, and leverage all the tools especially the