2016 Cybersecurity predictions by Palo Alto Networks
(1) 2016 will reshape perceptions of security in the EU
The Network Information Security Directive and General Data Protection Regulation Reform will both have material impact on cyber strategies in 2016. I suspect that by the end of the year both will be on the cusp of going live, but businesses, whether part of critical national infrastructure or those that handle more than the expected 5000 EU citizens’ records, will be required to have security capabilities aligned to current state of the art capabilities, the latter regulation being aligned to their risk profile. Today there is a clear gap between those that do leverage state of the art and those that continue to follow the same old practices many have followed for years. With potential auditing to check capabilities when incidents occur and potential notification, there will be more pressure to keep pace and prevent such instances. All of this will amplify the importance of good cybersecurity in the boardroom. 2016 will be the year for businesses to make the transformation where required.
(2) As Apple Pay, Google Pay and touchless smartphone payments take off, we’ll see a shift in cybercrime toward the smartphone
In the late 1990s, threat volumes exploded as criminals hooked into online banking and shopping growth. Now, the way in which we spend money is going through its largest transformation in decades, with mobile PAY platforms (in double digits of percentages of users, equating to millions of transactions), Venmo money transfers between friends and eWallets going mainstream. As companies like Braintree enable millions of stores to be able to process payments through these new technologies, we must expect the volume of cybercrime to follow the money. In recent months we have seen new exploits found in Apple iOS to go along with existing growth in Android attacks.
Is this early probing into the complex supply chain that is mobile payment systems?
Just how far this will extend in the future is still not clear, as the scope of smart devices as our digital hub increases with ongoing announcements of the PLAY capabilities to enable media, connectivity and other services via the car. We have recently seen attackers focus on hacking into automotive systems, resulting in major patches. As the opportunity grows we must expect more focus, especially as cybercrime has typically followed the money. Today far less attention is given to preventing incidents on the mobile device, but this is set to change in 2016.
(3) Europe, the supply chain and security
While many have kept focus on the need for state of the art cybersecurity, they remain dependent on the supply chain within. We are only as strong as our weakest link and some of the largest breaches worldwide in the last 12 months have highlighted this. In Europe, outsourcing to complex international supply chains is common. We can expect increasing focus on trying to assess the risks these partnerships create and how businesses prevent them being the weak point of entry. This may involve qualifying shared resource/access and shoring up shared service to minimize risk from wide open connections and validation of communications through them.
At a nation state level, a significant contingent of critical national infrastructure (CNI) is made up of public and private partnerships, leaving many companies concerned about being caught in the crossfire of nation state attacks. As we have also seen growth in such attacks we can expect to see confusion over just what level of security capability is required. Typically the risks, and therefore cybersecurity investment, are lower for a business than critical national infrastructure, but if that business is part of the supply chain for the CNI, confusion on where boundaries lie, what additional capabilities are required and funding models can only be expected as nation state attacks grow, increasing focus on this complex and challenging space.
(4) The changing position of the CSO
Historically the CSO has reported into the CIO, as security was considered a component of IT. However, this is changing for a number of reasons, as echoed in our own recent report “Governance of Cybersecurity 2015”, which highlighted that Europe is the only region to show a sizable shift from CISO/CSOs reporting to the CIO, moving from 50% in 2012 down to 33% in 2015. Focus on cyber, its value and its impact is increasingly making it a board-level debate and elevating the investment and engagement, moving the CSO from a technical lead to a business risk leader. In recent times I have seen CSOs reporting to General Counsel (tying into the legal implications when security fails), the CFO (due to the commercial implications) or directly to the CEO (due to the significance for the overall business). There is a healthy tension in moving the role away from the CIO, whose primary focus is on enabling IT to make the business operationally effective. Breaking the alignment of investment between the two requirements – which are not linear to each other – and creating a healthy tension between enabling new business capabilities, thus ensuring they do not create undue gaps in risk for the business, will enable a better security practice. For as long as the CSO reports to the CIO there will always be the concern that conflicting interests can impact balanced decisions being taken.
(5) Traditional business networks are shrinking
By the end of 2015 we will have three times as many IP-enabled devices active as people, over a zettabyte of data crossing global networks and 90% of the world’s data having been created in the last two years. Businesses are no longer able to justify the cost to build large, complex networks, and are increasingly looking to outsource, cloudsource and consumerise their IT systems. Business networks are shrinking as organizations shift to become digital entities with only the most rudimentary core networks. Business tools such as CRM, email and file sharing are moving to the cloud. The recent Palo Alto Networks “Application Usage and Threat Report” highlighted a 46% growth in organizations leveraging SaaS resources in the last year alone. Add to this the growing adoption of IoT, devices such as machine-to-machine (M2M) in the workplace and user-purchased wearables, and it’s not surprising to see that IT as we have known it is changing.
As this happens there is a new cybersecurity learning curve: how do you define best practices for shadow IT systems? Simple concepts such as visibility and policy control, through to meeting regulatory requirements, will require state of the art capabilities that function in complex, multi-tenanted and multi-homed environments. Looking to BYOD, we saw uncertainty, then a shift to a model with considerable benefits, highlighting the silent tidal force of momentum that pushes people towards a destination. Despite similar concerns about moving to the cloud and IoT, Europe is heading towards transformational IT and the digital business entity. 2016 will be the year that businesses start to tackle these, whether that’s the simple wearable device, smart business tool or shared cloud resource.
(6) Boundaries of attacks blur
In the last few years there has been a significant focus on APT and nation state attacks, as their impact is typically more significant, yet the boundaries are blurring. Many regular attacks are now leveraging more advanced concepts such as multiple components to avoid detection, taken from the APT attack lifecycle, as well as focusing in on more implicit targets. Cybercrime is leveraging old-school techniques such as EXE infections and macros, and fraudsters are using reconnaissance techniques and targeting for big impact (such as homing in on big fish in the business with whaling techniques). At the same time nation state groups are looking to commercial cybercriminals for both new innovative techniques and undisclosed vulnerabilities that the much larger knowledge pool behind cybercrime drives.
To conclude, we must stop looking to put attacks into categories and focus instead on the methods and motivations of the attackers. The impact of a targeted cybercriminal could be as great as that of a targeted nation state attack, and, depending on the nation or the cybercriminal behind it, the skills and knowledge can be nearly as varied. Both have some exceptional capabilities and equally look to replicate others’ skills as well as innovating themselves.
(Greg Day is the Chief Security Officer, EMEA, for Palo Alto Networks)