Greg Day, VP and Chief Security Officer, EMEA at Palo Alto Networks, shares his cybersecurity predictions for the future. Beyond his work there, Greg also sits on the UK National Crime Agency steering committee.
Cyber adversaries will extend further into ransomware, OT systems and cryptocurrencies. In recent years we have seen ransomware used for profit. However, RanRan is an example that used concepts of ransomware, not just for profit, but also to identify information that could be used to blackmail victims. While continuing to be financially focused, I believe ransomware will also start to do more data analysis, which means we could see ransoms based on data value, rather than being generic, plus more of both targeted ransomware attacks and those being used for other motives, such as blackmail.
The Dyn DDoS attack leveraged IoT devices to attack traditional computer systems. The volume of OT (operational technology) is growing at pace, whether that is factory systems or automated drones delivering medical supplies in countries in Africa, and we have yet to see the impact of such systems coming under direct attack. However, the value to criminals of stealing medical goods will surely mean that they look to break into the IoT or OT system to redirect the goods, and this highlights the challenge we are likely to face. The growing commercial utilisation of IoT and OT systems means that, for the adversary, the value of breaching and controlling these types of systems is increasing.
Finally, with the growing popularity of digital currencies, more commonly known as cryptocurrencies, we can expect to see more malware focused on stealing account information to empty these next-generation accounts. The second payment services directive (PSD2) requires payment processors to open access to third parties and as discussions continue around blockchain digital ledgers, it feels as if the financial industry is moving further towards the digital money space. The question is whether adversaries are prepared for this transition – evidence would suggest they are already looking at it.
Cyber attacks’ impact will change. With some of the ransomware attacks in 2017, in which medical facilities were impacted, cyber incidents are now having real-world, physical impact on people. With the growth of digital twinning (creating a digital counterpart to an existing process or system), we can only expect more of the same affecting many more facets of everyday life.
So how does that change cybersecurity? It’s very probable that we will continue to see even more regulation step in to continue to drive baseline security higher and ensure confidence in cyber systems that impact society. The Network Information Security (NIS) Directive, which goes live in 2018, includes a new “digital service providers” category. As cyber has a greater physical impact on society, we must expect to see more categories along these lines being developed, beyond the traditionally defined, critical national infrastructure, or operators of essential services.
In this context, the role of security leaders, such as the CSO, must evolve. If there is harm to citizens due to technology failure, there will likely be public requests to understand if and why there was neglect, who bears responsibility and what relevant actions must be taken.
Consequently, while just a short time ago CSOs were often worried about being fired following an incident, liability may become more of a concern in the future. Could this lead to CSOs requiring professional insurance in the same way as many medical practitioners do today? Might we see a longer-term requirement for formal qualification and registration to be a practising CSO, much as others who protect human lives – such as doctors – have today?
Credential theft will target weak collaborative cloud points in the supply chains of all kinds of businesses. Whether it’s because of the cloud or just the dynamic nature of a business, it seems we are only increasing the interconnectivity with our partners, supply chains and customers. The challenge here is working to maintain your own cybersecurity capabilities, while also looking at how to manage the risks that stem from the unknown others (partners, supply chain, etc.).
An IDC session I attended early in 2017 highlighted that the number of information-based industry-collaborative clouds will increase fivefold between 2016 and 2018. As such, while adversaries continue to look for an entry point into the business, it seems likely and logical that collaborative cloud spaces may be their next doorway in. As such, businesses must start to consider what information they include in these spaces, how they validate the use of connected third parties, so they can spot anomalous behaviour and – most importantly – look at how they segregate such connection points from more critical, internal business systems, using methodologies such as the Zero Trust model.
Twenty-year-old first principles are finally reset. Many of the guiding principles in cybersecurity haven’t changed much in 20 years. Typically, practitioners have strived to solve every problem to the best of their abilities, using the best solutions available at the time.
However, significant changes in IT consumption models – dynamic, agile systems that are increasingly disposable in nature and based around subscription billing – mean that businesses will no longer continue to buy and build separate siloed cybersecurity solutions that require significant capital expense and people skills and are based on multi-year cycles. As such, the fundamentals of cybersecurity consumption will change.
Functioning in such dynamic environments requires cybersecurity to be native and automated, so that it can both work and adapt at the same pace. This doesn’t mean we won’t still have choices of technology capabilities and vendors – you need only look at the AWS marketplace to see that this is the case. But it does mean that native security will require dynamic enablement, configuration and transposition. In the past, security often failed because businesses struggled to connect their own insights; in an agile IT world, having a consistent and integrated point of visibility, combined with automated control, will become critical.
The transient nature of increasingly consumable IT creates a further hurdle: by the time an incident is discovered, the environment in which it was instigated may no longer exist. In an increasingly regulated world, you still need to be able to understand how and why the incident occurred and what was achieved. This will lead to greater demand to retain historical logging data, and for the correlation capability required to make use of it.
VP and Chief Security Officer, EMEA
Palo Alto Networks