This week we chatted with three security heavyweights to talk about the top security risks and concerns in the upcoming year. The panel of industry experts includes Jeremiah Grossman, Founder of WhiteHat Security and Chief of Security Strategy with SentinelOne, Daniel Miessler, Project Leader: OWASP IoT Security Project and Richard Rushing, CISO at Motorola Mobility.

In this discussion, 2016 is the context.

Every year we say this is the ‘year of the breach’ and every year a record number of records is breached. 2016 is no different. 2016 has been a busy year for defenders in every organization with assets on the Internet, as well as for attackers. In October we saw the largest breach in recorded history (Yahoo) and, as far as we know, the largest DDoS attack ever, at 1.2TB (Mirai).

Why is this happening?

Although application security spending and resource allocation are at an all-time high, security teams still aren’t well enough equipped to prevent these attacks. Across the board, attack surfaces are becoming more complex, and the Internet is becoming less safe.

What’s next for 2017?

This blog post will summarize the 5 areas of challenge and opportunity in 2017. To get a deeper analysis of the year to come, you can listen to the full webinar.

1. IoT security is becoming every CISO’s problem

It’s no secret that the use of connected devices is booming in both consumer and business domains. Because this infrastructure has been built so quickly, however, the security requirements and safeguards these devices necessitate are lagging behind.

“The key thing is understanding what gets put into an environment. I think a lot of systems are being deployed when they don’t know how all the components link together…and then doing some sort of risk analysis… Until we start having the deeper analysis which might happen at some point in the distant future, you have to segment. You have to separate these systems from what you consider critical to whatever degree that you can.” – Daniel Miessler, @DanMiessler

How can we support this? Watch the webinar to learn how from a tactical, systematic, and theoretical perspective.

2. Pen testing gets better in 2017 with the application of the crowd

We’ve seen the rise of penetration testing over the past several years, and now crowdsourced pen tests are taking the model and the results to the next level. In the next year, this trend will continue…

As organizations begin seeing diminishing returns on pen testing and vulnerability assessment, more and more will turn to the crowd and a more results-based approach to vulnerability identification. Bug bounties improve upon the pen test model, where organizations get a “bucket of vulns” for a flat fee: with bug bounties you pay only for results, and those results come from a broader testing pool.

“You get to this point where you’re not finding things. But you know that you’re not perfect. Therefore there are things to find. I think from a bug bounty perspective, being able to say here’s a swath of people… that will find issues.” – Richard Rushing, @SecRich

Depending on where you are in the maturity model and on your organization’s specific needs, bug bounties take vulnerability discovery to the next step, going beyond pen tests and traditional vulnerability assessment methods. Learn more about what’s in store for the pen testing economy in the next year.

3. Senior development and engineering leaders will embrace crowdsourced vulnerability testing as part of SDLC

As organizations mature, security teams and engineering teams are going to have to get on the same page.

Bounty programs provide more information to engineering teams, helping them better understand why the vulnerabilities were there, and how to avoid making those same mistakes in the future. What it comes down to is upholding standards of quality. More and more we’re seeing the developers accepting and embracing that their code has to be tested thoroughly for quality in a multitude of ways, including with the crowd.

Listen to the experts weigh in on the changing relationship between DevOps and the crowdsourced testing model, and on how it is moving the needle for security organizations.

4. Social Engineering, AI and machine learning will change security planning forever, but people will remain a key source of protection

As we’ve discussed, the volume of vulnerabilities and complexity of attack surfaces have never been greater. In the coming year, we have no choice but to cut down on the noise to make decisions easier and faster, whether that’s to spot more vulnerabilities, identify malware in real time, or mitigate miscellaneous risk.

Machine learning and automation will help both attackers and defenders, and it will be our duty as defenders to invest so that we can leverage machine learning effectively.

“It really is solving a fundamental market problem that we have, which is we simply have too much data coming in to be handled by too few humans. There’s just too much data to analyze to make really good decisions in day-to-day security.” – Jeremiah Grossman, @jeremiahg

To learn more about unsupervised and supervised learning and how they have the potential to help attackers and defenders, watch the webinar.

5. Crowdsourced vulnerability discovery becomes a mainstream aspect of any security program

2016 has also been a big year for bug bounty programs, and in the next twelve months this evolution will continue. As more organizations experience the benefits of bug bounty programs, the model will continue to pick up steam.

It is more important than ever that bug bounty programs are integrated into development teams, and that those teams are proactive in welcoming these programs into their processes.

There’s an educational process involved that many organizations are going through right now. In that process, we’ll see more private programs transitioning to public programs, and the environment will become even more competitive for both organizations and security researchers.

Beyond these focus areas, 2017 will be a huge year for security…

  • Breaches will get bigger and more impactful
  • Organizations will work harder to reduce business impact from breaches
  • Consumers will push bottom up, demanding improved device security
  • Regulation and compliance will be even more present

Overall, we will have to learn faster, fix faster, and leverage all the tools–especially the crowd–to protect the Internet and the ever-growing consumer base. Watch the webinar to get the full predictions:

Webinar: 5 Critical Security Issues 2017