Cyber security trends for 2018

Year 2017 was a bad cybersecurity year, and it is expected that Cybersecurity Dangers Will Spike in 2018. The security situation was so bad in 2017 that it was thought that We’re hitting rock bottom in cyber, but I fear that we have not yet hit the bottom, and things will still get worse until they start to get better. Remember that cybercriminals will shift targets and evolve their tactics, techniques and procedures (TTPs) throughout the year. In the age of digital transformation, most business processes are connected to the Internet. This not only means a company’s data is potentially exposed; it also means a company’s customers are exposed. 2018 will present new and increasing industrial cyber security challenges for facilities operators. Whatever happens in 2018 and beyond, cybercrime will continue to be a problem.

Here is a list of relevant cyber security terms for 2018:

AI: Artificial intelligence (AI) and machine learning (ML) will be hot in 2018. Both good and bad guys aim to use them for their various purposes. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help, and data science and its supporting technologies can process and analyze security data on a scale that is multiple orders of magnitude faster than humans ever could. AI solutions could possibly help with some of the security problems, but be warned of over-hyping of AI in solutions. We will see many attacks against ‘black box’ machine learning.

Artisanal: Today, security is kind of an artisanal industry. With a total addressable market north of $85 billion per year – and not one player above 5 percent – it is a chaotic industry of niches: endpoint, AV, cloud, network/infrastructure, application, compliance, and the list goes on and on. The overwhelming array of choices has given technologists a lot to evaluate, but it has not gone far enough to lower the actual security risk facing organizations. In 2018, organizations will start to focus more on outcomes than simply checking all of the boxes with niche security tools.

Attacks: Threat landscape now expands dizzyingly at the pace of hundreds of thousands of new attack variants every day. As the types of attacks broaden and the sophistication level deepens, we humans obviously need some help. Enter data science and supporting technologies that have driven breakthrough advances in security, processing and analyzing all of this data on a scale that is multiple orders of magnitude faster than humans ever could.

Automation: Enterprises will no longer manually react to cyber events after they happen but will instead use systems to proactively plan and automatically respond. Security policy orchestration and automation are expected to lead next-generation cybersecurity for enterprises.

Backups: Understand and backup data. Categorize data based on organizational value. Test that your backup and restore process works.

Behavioral Analytics: Detecting compromises requires monitoring a series of activities over time. A first and imperative step toward ensuring better protection of assets, business and humanity is to assume that everything is connected – and therefore, vulnerable. A second could be to consider investing in a network visibility solution. Behavioral Analytics Enables Verification That Users Are Doing the Right Thing. There are more and more tools to help companies detect anomalous behavior in their organizations.

Blockchain: A blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. It can be described as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The invention of the blockchain for bitcoin made it the first digital currency to solve the double spending problem without the need of a trusted authority or central server. Blockchain, the technology underlying cryptocurrency, is a good example of a community based trust model (if not one completely based on transparency). A blockchain can be used to facilitate secure online transactions. Blockchain technology can be integrated into multiple areas, but it seems that the technology has often been hyped with unrealistic claims. After a surge in the cryptocurrency market in 2017, browser-based cryptocurrency mining made an unlikely return, coming back to haunt websites and their visitors – some see unauthorized coin mining in the browser as a looming security risk, and some see that authorized browser mining could be used for micro-payments.
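To make the "linked and secured using cryptography" part concrete, here is an added example (not code from the original post) of a minimal hash chain with a verifier: each block stores the SHA-256 of the previous block, so editing a record breaks either that block's hash or the next block's link. The ledger entries, the all-zero genesis link and the field layout are constructed for the demonstration; note that the chain alone does not stop whoever holds it from rewriting the tail, which is why real systems add distribution and consensus on top.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List

GENESIS_PREV = "0" * 64  # constructed convention: the first block links to an all-zero hash


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str  # hash of the previous block: this field is the "link"
    data: str
    hash: str       # SHA-256 over (index, prev_hash, data)


def block_hash(index: int, prev_hash: str, data: str) -> str:
    # Canonical JSON so the same fields always hash the same way.
    payload = json.dumps({"index": index, "prev_hash": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def make_chain(records: List[str]) -> List[Block]:
    """Append each record as a block whose prev_hash is the previous block's hash."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, rec in enumerate(records):
        h = block_hash(i, prev, rec)
        chain.append(Block(i, prev, rec, h))
        prev = h
    return chain


def verify_chain(chain: List[Block]) -> int:
    """Return the index of the first block that fails verification, or -1 if the whole
    chain is consistent. A block fails if its prev_hash is not the previous block's hash
    or if its stored hash does not match its own contents."""
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        if b.index != i or b.prev_hash != prev:
            return i
        if b.hash != block_hash(b.index, b.prev_hash, b.data):
            return i
        prev = b.hash
    return -1


def tamper(chain: List[Block], i: int, new_data: str, rehash: bool = False) -> List[Block]:
    """Return a copy of the chain with block i's data altered. With rehash=True the editor
    also recomputes that block's own hash, which moves the detectable break to block i+1."""
    edited = list(chain)
    b = edited[i]
    new_hash = block_hash(b.index, b.prev_hash, new_data) if rehash else b.hash
    edited[i] = replace(b, data=new_data, hash=new_hash)
    return edited


if __name__ == "__main__":
    # Constructed sample ledger entries.
    chain = make_chain(["alice->bob 5", "bob->carol 2", "carol->dave 1"])
    print("intact chain:", verify_chain(chain))
    print("edit data only:", verify_chain(tamper(chain, 1, "bob->carol 200")))
    print("edit data and rehash:", verify_chain(tamper(chain, 1, "bob->carol 200", rehash=True)))
    # Rewriting the LAST block and rehashing it passes: nothing links to it yet.
    print("rewrite tail and rehash:", verify_chain(tamper(chain, 2, "carol->dave 999", rehash=True)))
```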

Breaches: In 2016, breaches cost businesses nearly $4 billion and exposed an average of 24,000 records per incident. In 2017, the number of breaches is anticipated to rise by 36%. The constant drumbeat of threats and attacks is becoming so mainstream that businesses are expected to invest more than $93 billion in cyber defenses by 2018.

Certificates: Facebook Releases New Certificate Transparency Tools that allow developers to search for certificates and receive alerts when a new certificate is issued for their domains. The tools help ensure that newly issued certificates that have been logged to Certificate Transparency logs (CT logs) aren’t misused to perform man-in-the-middle attacks. With hundreds of Certificate Authorities (CAs) issuing publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates.
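The alerting logic such a monitor needs, as an added example that is not Facebook's tool or code from the original post: given certificate entries already pulled from CT logs, it deduplicates the same certificate seen in several logs, matches logged names (including wildcards) against the domains you own, and flags any certificate for those domains from a CA you do not use. The entry layout, issuer names, log ids and fingerprints are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class CtEntry:
    """One logged certificate as a monitor might collect it from a CT log (constructed shape)."""
    fingerprint: str        # SHA-256 of the certificate; the same cert can appear in several logs
    log_id: str
    issuer: str
    names: Tuple[str, ...]  # subject alternative names as logged
    not_before: str


def covers_domain(san: str, monitored: str) -> bool:
    """True if a logged name applies to the monitored domain or any host under it.
    A wildcard '*.example.com' is treated as covering the example.com zone; a name such as
    'example.com.evil.test' does not match because the suffix check is label-aligned."""
    san = san.lower().rstrip(".")
    monitored = monitored.lower().rstrip(".")
    if san.startswith("*."):
        san = san[2:]
    return san == monitored or san.endswith("." + monitored)


def unexpected_certificates(entries: Iterable[CtEntry],
                            monitored: Set[str],
                            expected_issuers: Set[str]) -> List[Dict[str, object]]:
    """Deduplicate by fingerprint and report every certificate that names one of our domains
    but was issued by a CA we do not use. Each report carries the names that triggered it so
    an analyst can see which hosts the certificate would be able to impersonate."""
    seen: Set[str] = set()
    alerts: List[Dict[str, object]] = []
    for e in entries:
        if e.fingerprint in seen:
            continue
        seen.add(e.fingerprint)
        hits = sorted({n for n in e.names if any(covers_domain(n, d) for d in monitored)})
        if hits and e.issuer not in expected_issuers:
            alerts.append({"fingerprint": e.fingerprint, "issuer": e.issuer, "names": hits,
                           "log_id": e.log_id, "not_before": e.not_before})
    return alerts


# Constructed sample of what a monitor might have pulled for example.com. Issuer and log
# names are placeholders, not real CAs or logs.
SAMPLE_ENTRIES = [
    CtEntry("fp-0001", "log-a", "Expected Public CA", ("example.com", "www.example.com"), "2018-01-02"),
    CtEntry("fp-0002", "log-a", "Unknown CA", ("*.example.com",), "2018-01-05"),
    CtEntry("fp-0002", "log-b", "Unknown CA", ("*.example.com",), "2018-01-05"),  # same cert, second log
    CtEntry("fp-0003", "log-b", "Unknown CA", ("example.com.evil.test",), "2018-01-06"),
    CtEntry("fp-0004", "log-a", "Unknown CA", ("other.org",), "2018-01-07"),
]


def demo() -> List[Dict[str, object]]:
    return unexpected_certificates(SAMPLE_ENTRIES, {"example.com"}, {"Expected Public CA"})


if __name__ == "__main__":
    for a in demo():
        print(f"ALERT {a['fingerprint']} issuer={a['issuer']} names={a['names']} log={a['log_id']}")
```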

Cloud: Organizations are responsible for ensuring the security of their data regardless of where that data resides, yet oftentimes cloud security is still thought of as a different type of security. You should question the most common cloud assumptions. The reality is that the approach to cloud security should be no different from the approach to network or endpoint security.

Continuous improvement: With corporate leadership increasingly backing efforts to bolster security protections, companies are committing to security as continuous improvement. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.

Cyber-soldiers: The US Army will soon send teams of cyber warriors to the battlefield. “Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?”

GDPR: Lots of people, whether security professionals or not, are talking about the European General Data Protection Regulation (GDPR) lately. Are you ready for 2018’s privacy rules? If you trade in or with an EU country and record personal data from customers and other folks, then you will be affected by the GDPR. The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14 April 2016. The enforcement date is 25 May 2018 – at which time those organizations in non-compliance will face heavy fines (a fine of up to 20,000,000 EUR or up to 4% of the annual worldwide turnover). The GDPR deadline is fast approaching, and many are still woefully unprepared. The regulation applies if the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of a data controller, e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore, the regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents. In order to be able to demonstrate compliance with the GDPR, the data controller should implement measures which meet the principles of data protection by design and data protection by default. Under the GDPR, the data controller will be under a legal obligation to notify the supervisory authority without undue delay on issues like a data breach. Europe’s General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying “buy our stuff or risk fines up to four per cent of your annual revenues.” If you haven’t done any preparation yet, is it really that bad? You might also need to take GDPR into account in software development. Your business needs to be GDPR-compliant but – and this is the bleedin’ EU – it isn’t as simple as that; there isn’t a single GDPR compliance test. The regulation is non-prescriptive. There is no black-and-white compliant or not compliant state. It’s fuzzy. You can’t verify compliance. However, it is on you to make sure your internal processes and procedures satisfy the GDPR. Anyone selling a perfect GDPR compliance kit is flogging snake oil. They don’t exist.

Holistic: While the cyber danger increases for industrial networks, holistic security is gaining ground. On the defense side, companies are beginning to take a holistic approach to security. We’re likely to see in 2018 the shift to a broader approach to cybersecurity: protection will become an assortment of defense efforts inside and outside the network. Companies are developing products that include strong built-in security, and they are also addressing security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices.

HTTP: Several major browsers have started describing some HTTP connections as insecure as they continue the industry-wide push to promote the use of encrypted HTTPS. Typically the non-secure labelling will occur on pages delivered over HTTP that include forms. Firefox will include a warning immediately adjacent to the password box itself whenever the page is delivered over HTTP.

HTTP/2: HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. As of end 2017, 23.1% of the top 10 million websites support HTTP/2. Most client implementations have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

HTTPS: In HTTPS, the world wide web HTTP communication protocol is encrypted by Transport Layer Security (TLS), or formerly its predecessor, Secure Sockets Layer (SSL). The principal motivation for HTTPS is authentication of the accessed website and protection of the privacy and integrity of the exchanged data. HTTPS has been increasingly used for protecting page authenticity on all types of websites, and several major browsers have started calling HTTP connections insecure. Most major modern websites use HTTPS. Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. This weakens the end-to-end protections that HTTPS aims to provide.

ICS: In 2017, there was an uptick in organizations implementing ICS security solutions and integrating them with existing tools such as Security Information and Event Management (SIEM) systems and incident management systems. In 2018, this trend will likely continue given that ICS networks are generating more and more security alerts, which expose to both IT and executive management the security gaps they need to address. Organizations are becoming more aware of the threats posed to their building management systems (BMS) and building automation systems (BAS). Industrial security frameworks have been gaining popularity over the past few years. ICS technology vendors are going to roll out a new breed of products that will support encryption and other embedded security controls.

Identify: When you have inventory of what you have, you can identify the gaps in your security approach and the capabilities you need to put into place to fill those gaps.

IPv6: IPv6 usage seems to be finally accelerating in 2018. IPv6 has been a “future” since 1998, and an important future since 2007. IPv6 deployments have been increasing and chances are you have already used IPv6 – but haven’t realized it yet. IPv6 deployment is increasing around the world, with over 9 million domain names and 23% of all networks advertising IPv6 connectivity. Network admins will have many concerns about migrating to IPv6 in 2018. IPv6 security is somewhat different from IPv4, so you need to learn how to do it correctly. When deploying IPv6, doing everything at once isn’t very likely, so you will have the task of managing network security on both IPv6 and IPv4 networks for a long time. IPv6 use is increasing, but that does not mean that IPv4 is in any way dying. It seems that both of those technologies will co-exist on the Internet for a long time, so the default network setting in the future is that devices have an IPv6 address along with their existing IPv4 address (a technique known as dual-stacking). Many devices are nowadays configured like that by default – so it is possible that you are using IPv6 without knowing it (whether this is good or bad depends on whether you planned your network to work this way or not).
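One practical check for the "using IPv6 without knowing it" situation, as an added example that is not from the original post: parse a socket listing in the layout of `ss -ltn`, work out which ports a remote IPv6 client could reach, and subtract the ports your IPv6 firewall policy actually mentions. The listing below is constructed, not captured from a real host, and a bare `*` local address is assumed to mean a bind reachable over both families.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed listing in the column layout of `ss -ltn` (State, Recv-Q, Send-Q,
# Local Address:Port, Peer Address:Port). Not captured from a real host.
SS_SAMPLE = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*
LISTEN  0       128      [::]:22              [::]:*
LISTEN  0       511      *:80                 *:*
LISTEN  0       128      127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128      [::1]:6379           [::]:*
LISTEN  0       128      [::]:8080            [::]:*
"""


@dataclass(frozen=True)
class Listener:
    family: str    # "v4", "v6", or "any" for a bare '*' (assumed: reachable over both families)
    port: int
    loopback: bool


def parse_local(local: str) -> Optional[Listener]:
    """Turn 'addr:port' (IPv6 in brackets) into a Listener; None for anything unparseable."""
    host, sep, port = local.rpartition(":")
    if not sep or not port.isdigit():
        return None
    if host == "*":
        return Listener("any", int(port), False)
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None
    return Listener("v4" if addr.version == 4 else "v6", int(port), addr.is_loopback)


def parse_ss(output: str) -> List[Listener]:
    """Keep only LISTEN rows and parse their local address column."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[0] == "LISTEN":
            parsed = parse_local(cols[3])
            if parsed:
                listeners.append(parsed)
    return listeners


def ipv6_reachable_ports(listeners: List[Listener]) -> Set[int]:
    """Ports a remote IPv6 client could connect to: non-loopback v6 or dual-family binds."""
    return {x.port for x in listeners if not x.loopback and x.family in ("v6", "any")}


def ipv6_policy_gaps(listeners: List[Listener], v6_rule_ports: Set[int]) -> Set[int]:
    """Ports reachable over IPv6 that the IPv6 firewall policy never mentions. Each one is
    either silently open or silently blocked; either way, nobody made that decision."""
    return ipv6_reachable_ports(listeners) - v6_rule_ports


if __name__ == "__main__":
    ls = parse_ss(SS_SAMPLE)
    # Constructed policy: the only IPv6 rule written so far allows SSH.
    print("reachable over IPv6:", sorted(ipv6_reachable_ports(ls)))
    print("no IPv6 rule for:", sorted(ipv6_policy_gaps(ls, {22})))
```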

Inventory: Understand the computers, networking and applications you have. Understand the landscape of the security tools you have.

Integrate: Many gaps in security are due to an inability for disparate technologies to share information. Integration is key to making sure you get the most from your technology investments.

IoT: IoT lets data aggregators, service providers, tech companies, cities and federal governments monetize data sucked into billions of connected devices. Expect the top IoT agenda in 2018 to be “transparency” for collected data. The implementation of security in many IoT products will not match the pace of advancement of cyberattacks. Improved IoT Security Starts with Liability for Companies, Not Just Legislation. Security experts have always warned us that a network is only as secure as its weakest point. The Internet of Things (IoT) means that the number of points in each network is set to mushroom, with Cisco expecting between 50 and 200 billion smart devices to be online by 2020. With the adoption of the Industrial IoT, there’s an explosion of data being produced by the interconnected devices on the factory floor. System engineers face greater challenges today when developing IIoT-capable, network-connected embedded devices. Besides the usual issues, they must deal with security issues, encryption standards, networking protocols and new technologies. An IoT system should address security at all levels – cloud, network and device. The holistic solution will take security down to the device level. Examples include new hardware-based security solutions and secure MCUs for IoT devices. It’s quickly becoming common practice for embedded system developers to isolate both safety and security features on the same SoC. The data created by IoT devices is extremely sensitive, ranging from personal biometric information to industrial production data. Encryption and handling of this data is the top priority. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. There seems to be a race for a universal IoT security standard going on, but it will not get anywhere near finished in 2018. Out-of-date software is a huge vulnerability, so the management of updates should be a part of any security standard.
On the bad front, expect more sophisticated ransomware, increased threats due to the Industrial Internet of Things (IIoT), and a serious lack of cyber security skills. For ugly, think ‘red button’ incidents.

Micro-segmentation: Categorize data based on organizational value and then physical or logical separation of networks can be created for different business functions. Network isolation, segmentation and limiting communication between workstations can keep supply chain traffic separate from other internal traffic. This approach can also prevent attacks, like WannaCry and NotPetya, from propagating across networks to reach their intended target.

Mirai: The Mirai trojan and its many variants have been a threat to IoT devices and several Internet services in 2016 and 2017. In 2017 the Mirai-makers plead guilty, but this isn’t the end for the now open-sourced Mirai. I expect that in 2018 we will see new attempts to create a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things.

Orchestration: Orchestration is an evolutionary step toward organizational cyber resiliency. ABI Research forecasts that security policy orchestration will hit $1 billion in its global revenues by 2020.

Patching: Vulnerabilities are not a new phenomenon – they are as old as computers. And they need to be fixed. Traditional approaches might no longer suffice. Instead, according to Gartner, organizations should transform their vulnerability management practices to a threat-centric model, which allows for imminent threat elimination rather than gradual risk reduction. Under this new model, imminent threats are prioritized and remediated first. Gartner predicts that through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.

Privacy: IoT devices create extremely sensitive data, from personal biometric information to industrial production data, so encrypting and handling that data properly is the top priority. Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.

PSD2: The EU-wide Payment Service Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent. Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. We need consent management solutions.

Ransomware: In 2018, we’re likely to see hackers build on the success of brutal attacks such as the WannaCry ransomware. The 2017 ransomware attacks set the scene for 2018 protections. Yet it’s the next wave beyond ransomware that worries cybersecurity experts.

Responsibility: People are starting to call on companies to take responsibility. Regulation such as the EU’s General Data Protection Regulation (GDPR) is being developed to maintain user security and privacy as companies continue to collect our data. The responsibility must fall on the industry to create a robust, versatile security standard for IoT devices. The vision of internet pioneers that a globally connected, transparent world with free access to information is inevitably good seems to have turned out to be at least partially wrong. Some people call that It’s Time for Innovators to Take Responsibility for their Creations. Silicon Valley’s chief executives are now societal leaders too, oligarchs shaping the very nature of our identities, communications, and relationships (for example the immense power wielded by Facebook in the 2016 presidential election). We live in a world where software and algorithms run most every part of our lives, where Google and Facebook control close to 70 percent of all digital advertising, and smartphone penetration is nearing 80 percent. Responsibly disclosing vulnerabilities is part of taking responsibility too.

Risk Mitigation: Risk mitigation is a subject that is timeless in the information security field, and it is, in essence, what information security is all about. If we look at the biggest risks most organizations face, many of those risks relate directly to the loss of sensitive, proprietary, and confidential data. The theft of data that an organization was entrusted with safeguarding will most often cost that organization dearly. You don’t mitigate risk by throwing a bunch of technologies into a data center and hoping for the best. You prioritize the gravest risks to the most sensitive data, and then go about determining how best to protect that data. Once you have a plan for what to do, technology becomes an extremely important component of a security program. Focus on the actual disease and not just the symptoms. The Best Security Doesn’t Exclude Users, it Empowers Them.

Supply chain: Keep an eye on supply chain and third-party vulnerabilities. These types of attacks have been common in 2017 and will continue to be a fruitful method for cybercriminals in 2018. Hold suppliers to certain standards. Be prepared for intrusions resulting from the compromise of software suppliers.

Transparency: Expect the top IoT agenda in 2018 to be “transparency” for collected data. People will want to know where their data is being moved, who’s using it, and what for. Do You Know Where Your Data Are?

Unhackable: Cybersecurity experts have long preached that the only way to make computers “unhackable” is with on-chip hardware, but no one has done it yet. Many attempts aim for “hack resistance” instead, which appears to hedge a bit on whether truly unhackable hardware is achievable.

Virtual security: Virtual security means that manufacturers claim their products are secure. But in reality they are not.

Vulnerability: Patching is an important part of your defense strategy and failing to do so opens the door wide for adversaries. According to the 2017 U.S. State of Cybercrime Survey, 39 percent of respondents reported that the frequency of cyber security events has increased over the past 12 months. This is reflected in daily news reports about data breaches and newly found vulnerabilities. Traditional mid-sized organizations are faced with an average of 200,000 vulnerabilities across their ecosystem. Traditional approaches might no longer suffice; the threat-centric vulnerability management model described under Patching above prioritizes and remediates imminent threats first. A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia. They often process highly sensitive information and cyber attacks targeting them are increasing in sophistication. As the use of open source continues to rise, many organizations are putting their toes on the line for a race they are ill-prepared to run – many organizations have no process for tracking open source. Responsibly disclosing vulnerabilities is part of the picture as well.

When: The myth of being able to detect every breach, insider threat or lateral movement has been punctured. Security teams are realizing they need to prepare themselves for “when” they will be breached, rather than “if.”

Worms: Wormable malware. Some of the biggest cyber incidents in 2017 revolved around the issue of self-replicating malware that can spread between networks. WannaCry and NotPetya were examples of this. These two types of threats are likely to continue into 2018.


HTTP/2 (Wikipedia)

Usage of HTTP/2 for websites

HTTPS (Wikipedia)

Firefox, Chrome start calling HTTP connections insecure

Alert (TA17-075A) HTTPS Interception Weakens TLS Security


Browser-Based Cryptocurrency Mining Makes Unexpected Return from the Dead


Cybersecurity Dangers Will Spike in 2018

We’re hitting rock bottom in cyber — let’s do something | TechCrunch

Virtual Security

Mirai-makers plead guilty, Hajime still lurks in shadows

DARPA Takes Chip Route to ‘Unhackable’ Computers

Another AI attack, this time against ‘black box’ machine learnings

GDPR Portal: Site Overview

General Data Protection Regulation (Wikipedia)

Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe’s GDPR already

How should GDPR be taken into account in software development? (Miten GDPR pitää huomioida ohjelmistokehityksessä?)

Seven Seas Cybersecurity: Captain, We Have a Problem

In the Words of President Ronald Reagan, “Trust but Verify”

Why You Should Question These Most Common Cloud Assumptions

It’s 2018. Do You Know Where Your Data Are?

Improved IoT Security Starts with Liability for Companies, Not Just Legislation

Smart Factory Connectivity for the Industrial IoT

The Race for a Universal IoT Security Standard

Security Policy Orchestration and Automation to Lead Next-Generation Cybersecurity for Enterprises

The Internet of Things Is Going to Change Everything About Cybersecurity

My Internet Mea Culpa: I’m sorry I was wrong. We all were.

Resolve to Mitigate Your Business’ Digital Risk in 2018

Emerging Trends in Vulnerability Management

Research reveals customer-facing web and mobile apps as top security challenge

Open Source Vulnerabilities: Are You Prepared to Run the Race?

Device Security for the Industrial Internet of Things

GDPR and Open Source: Best Practices

Isolating Safety and Security Features on the Xilinx UltraScale+ MPSoC

ICS Cyber Security Predictions for 2018 – The Bad, The Ugly, and The Good

Threat Modeling the Internet of Things: Modeling Reaper

Engineering for Privacy Requires Standards

How to Make Adversaries Work Harder, While We Work Smarter, in 2018

2018 Predictions: Customers Demand Outcomes to End Balkanization of Security Practices

Facebook Releases New Certificate Transparency Tools

iWelcome and Launch Kantara Initiative Consent Management Solutions Work Group

U.S. Military to Send Cyber Soldiers to the Battlefield

Machine Learning & Security: Making Users Part of the Equation

Security is Not a Technology Profession

State of IPv6 Deployment 2017

Top 5 Concerns of Network Admins About Migrating to IPv6 in 2018

  1. Tomi Engdahl says:

    Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs

    Re-branded IP cameras and DVRs sold by over 100 companies can be easily hacked, researchers say.

  2. Tomi Engdahl says:

    Leave no dark corner

    China is building a digital dictatorship to exert control over its 1.4 billion citizens. For some, “social credit” will bring privileges — for others, punishment.

  3. Tomi Engdahl says:

    First UEFI malware discovered in wild is laptop security software hijacked by Russians

    “LoJax” repurposed LoJack anti-theft agent as rootkit that could survive OS re-installs.

  4. Tomi Engdahl says:

    Intel’s commitment to making its stuff secure is called into question
    Security is a process or at least an aspiration

  5. Tomi Engdahl says:

    What to Do and What to Avoid When Implementing Security in the DevOps Lifecycle

    DevOps is redefining the way organizations handle software development. But it’s also challenging security professionals in their efforts to manage digital risk. With that said, security teams need to be strategic about how they approach DevOps security.

    Traditional security cultures are always ready to say NO, fail to share information across the organization, and do not tolerate failure. This directly contradicts the DevOps culture, which creates a diverse working environment, empowers teams, enables collaboration and problem-solving, fails fast, and continuously improves. Building a successful DevSecOps program requires security teams to embrace this culture. Security must understand the engineering process and tools that enable DevOps teams to move quickly before contributing.

    Many security teams fail because they do not understand the tools, jump in too quickly, and disrupt the engineering workflow.

  6. Tomi Engdahl says:

    Triangulating Beyond the Hack: Stolen Records Just One Tool in a Comprehensive Kit

    Technical Hacks to Compromise Sensitive Systems Are Just One Tool in a Much Larger Toolkit

    In simpler times, cybersecurity was a fairly straightforward proposition. You had your firewall, your gateway. You monitored traffic and scanned for viruses. The bad guys weren’t even always that bad, per se. Sometimes they were just there for kicks.

    But these are not simpler times. In today’s world of sophisticated criminals, hacktivism, espionage and cyber warfare, threats can come from anywhere, and for a variety of more malevolent reasons than 10 or 15 years ago.

    One of the most pressing security challenges is the way “hacks” are evolving to include more than just an intrusion to an IT system. Yes, hacking into protected information is still a critical concern. And we’re seeing more efforts to triangulate information from separate hacks to increase its value, as well as an evolution of how stolen information is used.

  7. Tomi Engdahl says:

    Tapping into Diversity to More Effectively Mitigate Digital Risk

    This October marks the 15th year of National Cybersecurity Awareness Month (NCSAM). The initiative is described as “a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.” As security professionals, we recognize that to more effectively defend against adversaries we must work together and collaborate across groups. But if we don’t take advantage of our true collective strength by embracing diversity and inclusion, we’re compromising our efforts. Inventor of the World Wide Web, Tim Berners-Lee said, “We need diversity of thought in the world to face the new challenges.” How well are we tapping into diversity of thought in the field of cybersecurity?

    Although it may feel like we’ve been beating the diversity drum for a long time, the truth is we still have a long way to go. New research from Cybersecurity Ventures finds that women make up 20 percent of the global cybersecurity workforce. While up from the 11 percent number that has been widely quoted for years, 20 percent is still a far cry from where it should be.

  8. Tomi Engdahl says:

    Stop Saying Privacy Is Dead

    Our lives are still rich in personal privacy — and we should fight to keep it that way

  9. Tomi Engdahl says:

    Garrett M. Graff / Wired:
    How US got China to scale back cyber espionage in 2015 by publicly charging Chinese hackers, arresting a spy in Canada, and taking a firm stance in negotiations

  10. Tomi Engdahl says:

    We’re killing off passwords. But are we ready for what will replace them?

    Getting rid of passwords is a good idea, but we need to think through the consequences of the most likely replacement, too.

    Tech security people hate passwords because resetting forgotten passwords is the most tedious job in the world, and also they know everybody else is terrible at password security anyway.

    The rest of us don’t like passwords much either, mainly because the security people won’t let us use our old favourites like 1234 or pa55w0rd. And we don’t like having to remember complicated passwords, so we write them down on a piece of paper, and then lose it. And then we have to go and ask nicely for tech to reset the password. Again.

    Nobody likes passwords. Apart from the hackers who find them, steal them or crack them with ease, that is. That’s because passwords are still the keys to the kingdom in many cases; once a crook has them, there is often little else to stop them doing what they want.

    So what about the next step? Here smartphones are well ahead of the PC world, by using biometrics — fingerprints and facial recognition — as the standard way to log on. Something you have is replaced with something you are.

    Microsoft has already outlined how it plans to kill off passwords in Windows 10 using a combination of multi-factor authentication and biometrics via Windows Hello, a service it says is being used by more than 47 million people.

  11. Tomi Engdahl says:

    Don’t Let Your Guard Down: The Challenges of Phishing

    Even savvy tech users can get nailed by someone actively trying to trick them via a phishing email. What can you do to keep your association’s employees—and your organization’s data—safe?

    Whether a fluke or by skill, I pulled off a pretty impressive trick last week. As of this writing, I am one of two people, out of hundreds, to have beaten an incredibly challenging game with flying colors.

  12. Tomi Engdahl says:

    Making it real—harnessing data gravity to build the next gen SOC

    In our first blog, Diana and I talked about the concept of data gravity and how it could, conceptually, help organizations take a more “cloud-ready” approach to security operations and monitoring. In this post we address the question: “How do we make this a reality in the security operations center (SOC) while we are under increased and constant pressure from motivated threat actors?”

    The answer lies in a new approach to monitoring called Security Orchestration, Automation and Response (SOAR), which is founded upon addressing the challenge of connecting and investigating issues across multiple security platforms. SOAR addresses the challenges of evolving security operations beyond the traditional security information and event management (SIEM) model into one that allows correlation across all the data gravity wells. Core to this is being able to take an event from one system (for example an endpoint like a laptop) and in real-time correlate that across different systems—such as a mail hygiene gateway—in order to build evidence and apply context needed for a fast and efficient investigation. This is something that analysts have historically done manually to investigate an issue: look across multiple different evidence points to find the information behind an event to determine if it’s a false positive or if needs further investigation. Historically deciding what incidents need investigation was left to the SIEM model, but as we discussed in the last blog both the difficulties with false positives and the rules of data gravity make this more difficult to achieve.
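The cross-system correlation the post describes (take an endpoint event and, in real time, line it up with a second system such as a mail hygiene gateway) can be shown in a few dozen lines. The following is an added example written for this page, not code from the post or from any SOAR product; the alert fields, the gateway's `key=value` log format, the two-hour delivery window and the `HASH-A`/`HASH-B` placeholder hashes are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original post): one endpoint alert
# and a few mail-hygiene-gateway log lines in an assumed key=value format.
ENDPOINT_ALERT = {
    "host": "LAPTOP-17",
    "user": "alice",
    "time": "2018-03-05T09:42:10",
    "file": "invoice_0305.docm",
    "sha256": "HASH-A",  # placeholder label standing in for a real file hash
}

MAIL_GATEWAY_LOG = [
    "2018-03-05T09:31:55 rcpt=alice@example.test from=billing@supplier.test att=invoice_0305.docm sha256=HASH-A verdict=clean",
    "2018-03-05T09:33:02 rcpt=bob@example.test from=billing@supplier.test att=invoice_0305.docm sha256=HASH-A verdict=clean",
    "2018-03-04T16:10:44 rcpt=alice@example.test from=hr@example.test att=handbook.pdf sha256=HASH-B verdict=clean",
]


def parse_gateway_line(line):
    """Parse '<iso-time> k=v k=v ...' into a dict with a datetime under 'time'."""
    stamp, _, rest = line.partition(" ")
    rec = dict(field.split("=", 1) for field in rest.split())
    rec["time"] = datetime.fromisoformat(stamp)
    return rec


def correlate(alert, log_lines, window=timedelta(hours=2)):
    """Return gateway records whose attachment hash matches the alert and that
    arrived inside `window` before the endpoint saw the file."""
    seen_at = datetime.fromisoformat(alert["time"])
    matches = []
    for line in log_lines:
        rec = parse_gateway_line(line)
        if rec.get("sha256") != alert["sha256"]:
            continue
        if seen_at - window <= rec["time"] <= seen_at:
            matches.append(rec)
    return matches


def build_case(alert, log_lines):
    """Turn a single endpoint event into an enriched case an analyst can act on."""
    matches = correlate(alert, log_lines)
    recipients = sorted({m["rcpt"] for m in matches})
    alert_mailbox = alert["user"] + "@"
    return {
        "delivered_by_email": bool(matches),
        "senders": sorted({m["from"] for m in matches}),
        "recipients": recipients,
        # Other mailboxes that received the same attachment have not alerted
        # (yet); they are the next places an analyst should look.
        "other_recipients_to_check": [r for r in recipients if not r.startswith(alert_mailbox)],
    }


if __name__ == "__main__":
    case = build_case(ENDPOINT_ALERT, MAIL_GATEWAY_LOG)
    for key, value in case.items():
        print(f"{key}: {value}")
```

The point of the join is the context it adds: the gateway had marked the attachment clean, so the endpoint alert alone would look like a one-off, while the correlated view shows a second recipient who has not alerted and should be checked before the case is closed as a false positive.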

  13. Tomi Engdahl says:

    Collection Strategies: The Key Differentiator Among Threat Intelligence Vendors

    The outcome of an intelligence operation depends largely on the data that fuels it. Even the most sophisticated operation will fail to produce intelligence of value if its data is not also of value. This concept highlights the biggest differentiator and most important factor to consider when choosing a threat intelligence vendor: data source coverage and, more specifically, collection strategy.

    What types of sources comprise your collection strategy?

    Most vendors’ collection strategies include Deep & Dark Web (DDW) and open web sources, but the manner in which these sources are often described to prospective customers can be confusing at best and misleading at worst. W

    Sources can and should be described and categorized far more granularly than just DDW or open web. Within each of these broad categories exist numerous types of sources containing highly differentiated data that can make all the difference between a failed intelligence operation and a successful one. These sources generally include:

    - Private or invite-only forums

    - Chat services platforms

    - Illicit marketplaces

    - Payment card shops

    - Paste sites

    - Social media sites

    Given that both DDW and open web sources tend to be poorly delineated in the market, it’s important to understand specifically what sources comprise a vendor’s collection strategy before you decide to become a customer.

    Ask if the vendor has access to sources that map to your IRs, and if the answer is yes, dig deeper with follow-up questions such as:

    - Which of your sources would be most suitable for my IRs and why?
    - Should you lose access to those sources, are suitable backups available?
    - What are some examples of how your collection strategy has supported customers with similar IRs?
    - What are your collection strategy’s most substantial weaknesses or blind spots with respect to my IRs?

    What role does automation play in your collection strategy?

    Most vendors automate collection to some degree. But when automation plays too little or too large a role in a vendor’s collection strategy, it could signify a red flag. In general, sources that are easier to access are easier to collect data from automatically. Open web sources such as paste sites are a case in point; because these sites are openly, freely, and safely accessible to anyone with internet access, most vendors can and do collect data from them automatically.

  14. Tomi Engdahl says:

    Hiding in Plain Sight: The Dangers of Insider Threats

    With news swirling in response to the Tesla breach in June, Varonis’ Brian Vecci offers four signs of insider threats to watch for at a company.

    Today’s employees are increasingly tech-savvy. They can easily navigate a file server to find valuable files to copy. They’re also likely to use tools, such as personal cloud storage, that could be leveraged to steal critical information. Furthermore, employees often are less loyal to the companies they work for and may not see anything wrong with taking essential files.

    Chances are, you wouldn’t be able to spot a malicious insider at your company.

    You’ve got to look for signs that you’ve been compromised. Here are four signs to watch for:

    “Ghosts” on your network: Ghosts are accounts belonging to former employees that can still access your network. Former employees, especially those who parted on bad terms, may try to log back into company systems, either out of curiosity or to do damage by copying or deleting files.
    Unusual activity during “off” hours: While your employees may make a habit of working in the middle of the night, on weekends, and during holidays, if their work patterns suddenly change, you have every reason to be suspicious. An outsider could be posing as an insider by using an employee’s account to log in, or an insider could be snooping around on your file stores when no one is likely to be watching.
    Suspicious file access: Searching for, viewing, or copying data that’s not relevant to an employee’s job are all signs of possible insider activity. Employees will try to avoid detection at all costs; they may grab a few files to copy or even delete them. Those who can access corporate email accounts for other employees and executives may try to cover their tracks by marking viewed messages as “unread.”
    Saving or printing massive amounts of information: If an employee leaves your company, they may try to take their files with them—perhaps in the mistaken belief that if they did the work, it belongs to them. Alternatively, they could be looking to profit from selling insider information. If they begin taking files, they could also be intent on providing this data to a third party.

    Know that it’s not always an insider at fault – an outside attacker can steal employee credentials. You must lock down your employee data, intellectual property, client lists, and other vital information you wouldn’t want walking out the door. Consider initiating policies prohibiting, for example, the use of personal email on work devices. Try to foster trust with your employees so that when they do click on a phishing attempt, they’re comfortable reporting it to IT immediately.
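The four signs listed above (ghost accounts, off-hours activity, access outside a person's normal shares, and bulk copying) are all things a file-server audit log can be checked for automatically. The following is an added example written for this page, not code from the post or from Varonis; the leaver list, the per-user home shares, the 08:00-19:00 working window, the 50-reads-per-hour threshold and the audit log lines are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample inputs (not from the original post).
TERMINATED_ACCOUNTS = {"jsmith"}                      # from an assumed HR leaver list
HOME_SHARES = {"alice": {"finance"}, "bob": {"eng"}, "jsmith": {"sales"}}
WORK_HOURS = (8, 19)                                  # 08:00-18:59 assumed normal
MASS_READ_THRESHOLD = 50                              # reads per user per hour

AUDIT_LOG = [
    "2018-06-12T09:15:00 user=alice action=read path=/shares/finance/q2.xlsx",
    "2018-06-12T09:16:30 user=alice action=read path=/shares/finance/q2_notes.docx",
    "2018-06-12T10:02:11 user=bob action=read path=/shares/finance/payroll.xlsx",
    "2018-06-12T22:30:05 user=jsmith action=login path=-",
    "2018-06-12T22:31:40 user=jsmith action=read path=/shares/sales/pipeline.xlsx",
] + [
    # 60 rapid reads of bob's own share late at night: a bulk-copy pattern
    f"2018-06-12T23:{i:02d}:00 user=bob action=read path=/shares/eng/src{i}.c"
    for i in range(60)
]


def parse(line):
    """Parse '<iso-time> user=.. action=.. path=..' into a dict; derive the share name."""
    stamp, _, rest = line.partition(" ")
    rec = dict(field.split("=", 1) for field in rest.split())
    rec["time"] = datetime.fromisoformat(stamp)
    path = rec.get("path", "-")
    rec["share"] = path.split("/")[2] if path.startswith("/shares/") else None
    return rec


def detect(lines, terminated=TERMINATED_ACCOUNTS, home_shares=HOME_SHARES,
           work_hours=WORK_HOURS, mass_threshold=MASS_READ_THRESHOLD):
    """Return, for each of the four signs, the sorted list of users that triggered it."""
    findings = {"ghost_account": set(), "off_hours": set(),
                "suspicious_share": set(), "mass_access": set()}
    reads_per_hour = Counter()
    for line in lines:
        e = parse(line)
        user = e["user"]
        # Sign 1: any activity at all from an account that should be disabled.
        if user in terminated:
            findings["ghost_account"].add(user)
        # Sign 2: activity outside the assumed working window.
        if not (work_hours[0] <= e["time"].hour < work_hours[1]):
            findings["off_hours"].add(user)
        # Sign 3: reading a share that is not one of the user's own.
        if e["share"] and e["share"] not in home_shares.get(user, set()):
            findings["suspicious_share"].add(user)
        # Sign 4: count reads per user per clock hour for the bulk-copy check.
        if e["action"] == "read":
            reads_per_hour[(user, e["time"].replace(minute=0, second=0))] += 1
    for (user, _hour), n in reads_per_hour.items():
        if n >= mass_threshold:
            findings["mass_access"].add(user)
    return {sign: sorted(users) for sign, users in findings.items()}


if __name__ == "__main__":
    for sign, users in detect(AUDIT_LOG).items():
        print(f"{sign}: {users}")
```

Each sign on its own is noisy (night-shift staff, cross-team work), which is why the output is grouped per user: a user that trips several signs at once, as `bob` does here, is the one worth an analyst's time, and the post's reminder that the account may be in an outsider's hands applies to that review.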

  15. Tomi Engdahl says:

    3 Public Cloud Security Myths Debunked

    MYTH: “The public cloud is not safe.”

    TRUTH: When public cloud technology was new, there were concerns that it did not provide the requisite levels of security to keep data safe. These concerns were valid as the technology was not yet proven; however, this is no longer the case. Cloud providers now have years of experience, dating back to the early 1990s when modern cloud computing was first introduced. Over the decades, they’ve fine-tuned data and application access, ensuring strong governance, rights management and systems monitoring.

    While the focus for on-premise and cloud-based IT is the same – to ensure application availability and security – cloud providers are able to scale this approach across multiple businesses and geographies. This scale and experience means that public cloud solutions, as long as they are well-managed, can actually prove more secure and reliable than their on-premise counterparts.

    MYTH: “The public cloud is easier to attack.”

    TRUTH: Many enterprises think that embracing the public cloud is tantamount to placing all of their digital eggs in one basket. The concern here is that if the provider is attacked, all access to their data – and therefore the ability to conduct business – could be lost. In most cases, however, a successful attack requires there to be an unpatched vulnerability in order to gain access. As we know, keeping up-to-date with patches is one of the biggest challenges for any organization today.

    A key benefit of the public cloud is that the provider takes the responsibility for patching and monitoring the network, as well as adding extra layers of security to separate internal network systems from externally accessible applications and data.

    MYTH: “In the public cloud, anyone can access my data.”

    TRUTH: One of the biggest concerns people have with public cloud is the worry that they will lose control if they entrust it with their data. By essentially relinquishing a stronghold on the data, there are understandable questions about how secure it could possibly be. However, one of the key benefits that SaaS providers grant is data privacy. In fact, I would go as far to say that data in public cloud is harder for the “wrong people” to access than on-premise data.

    For example, public cloud data is protected by authentication controls, which are constantly monitored by the cloud provider. And remember, it’s not just your data they are monitoring, but it’s many other customers as well.

    The bottom line

    In the end, the biggest truth about security in public cloud is that it provides security at scale. As a single organization, everything you do is at a scale of one. You might learn from peers, monitor systems and patch and update applications, but there is no shared benefit to this approach. And, with the widely-documented shortage of skilled cybersecurity professionals available, it can be hard to keep up.

  16. Tomi Engdahl says:

    A History of Defense-in-Depth; and the Evolution of Data Sharing

    We need a new way to manage access to data. No, not because the “good guys” are losing to Advanced Persistent Threats, nation-state attackers, or whatever term we use to describe the cybersecurity boogey-man du jour. We need a new way to manage access to data because the old ways don’t work in the cloud. The cloud is not evil from a security standpoint, but cloud adoption has introduced two critical shifts to enterprise computing:

    - An environment that is totally accessed and managed from anywhere in the world

    - Empowering users to choose and administer IT solutions, also known as Shadow IT

    In the late 90s, companies started exposing some infrastructure and data to the Internet as we put a lower case “e” in front of everything and sold dogfood online. We had cloud computing back then but we called it Application Service Providers or Managed Service Providers. ASPs and MSPs were niche and expensive. Most attacks came in the form of Worms – malware designed to spread itself and cause disruption instead of steal data. Sensitive data was still only available if you had a remote access account (e.g. Virtual Private Network) and only certain resources were available to users connected remotely.

    Defense in Depth as a Service

    Today, businesses of all sizes are and should be embracing cloud services. We can deploy software with the swipe of a credit card and no one needs to learn how to install, configure or administer it. Reputable cloud providers like Microsoft, Google, and Amazon have massive security budgets, top-notch security personnel, and a level of standardization that legacy businesses cannot achieve. Brilliant.

    Otherwise put, we need proactive and automated checks and balances on cloud access management and information sharing. Accomplishing this requires a few basic steps.

    1. Understand which cloud services users are accessing: This is sometimes called Cloud App Discovery and many companies, including Microsoft, offer it for free.

    2. Understand what data is stored in those cloud services: You can do very basic data discovery using an Internet search engine and keywords, but you’ll need specialized data discovery software for anything more advanced or for data repositories that are not indexed.

    3. Triage the data based on risk tolerance: Use the results from the data discovery to discuss which information is overly exposed based on your acceptance of risk.

    4. Enforce boundaries: The security teams must define and enforce acceptable use of information so users are able to work efficiently provided they’re within the boundaries of enterprise policy.
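The four steps above (discover services, discover data, triage against risk tolerance, enforce boundaries) can be run as one small pipeline over an inventory. The following is an added example written for this page, not code from the post or from any discovery product; the inventory records, the keyword lists used for classification, the sharing-scope ranking and the "widest allowed scope per class" policy are all constructed assumptions, and the product names appear only as labels for the service column.

```python
# Constructed inventory (not from the original post): what a cloud app discovery
# pass combined with a data discovery pass might return. Owners, file names and
# content snippets are made up.
INVENTORY = [
    {"service": "Dropbox",      "owner": "alice", "name": "q3_budget.xlsx",    "scope": "org",     "snippet": "salary and bonus figures by employee"},
    {"service": "Google Drive", "owner": "bob",   "name": "team_lunch.docx",   "scope": "public",  "snippet": "menu options for friday"},
    {"service": "Box",          "owner": "carol", "name": "customer_list.csv", "scope": "link",    "snippet": "name, email, phone"},
    {"service": "OneDrive",     "owner": "dave",  "name": "arch_notes.md",     "scope": "org",     "snippet": "design notes for the new gateway"},
    {"service": "Dropbox",      "owner": "eve",   "name": "ssn_export.csv",    "scope": "private", "snippet": "SSN, date of birth"},
]

SCOPE_RANK = {"private": 0, "org": 1, "link": 2, "public": 3}   # wider sharing = higher rank
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2}

CONFIDENTIAL_TERMS = ("ssn", "salary", "password", "secret")
INTERNAL_TERMS = ("customer", "design", "roadmap", "internal")

# Step 3, risk tolerance: the widest sharing scope each class may have.
# Assumed example policy; a real one comes out of the triage discussion.
POLICY_MAX_SCOPE = {"public": "public", "internal": "org", "confidential": "private"}


def discover_services(inventory):
    """Step 1: which cloud services are actually in use."""
    return sorted({item["service"] for item in inventory})


def classify(item):
    """Step 2: keyword-based data discovery over the file name and content sample."""
    text = (item["name"] + " " + item["snippet"]).lower()
    if any(term in text for term in CONFIDENTIAL_TERMS):
        return "confidential"
    if any(term in text for term in INTERNAL_TERMS):
        return "internal"
    return "public"


def triage(inventory, policy=POLICY_MAX_SCOPE):
    """Step 3: flag items shared more widely than their class allows, highest risk first."""
    violations = []
    for item in inventory:
        cls = classify(item)
        allowed = SCOPE_RANK[policy[cls]]
        actual = SCOPE_RANK[item["scope"]]
        if actual > allowed:
            violations.append({
                "name": item["name"], "service": item["service"], "owner": item["owner"],
                "classification": cls, "scope": item["scope"],
                "risk": CLASS_RANK[cls] + actual,   # simple additive score for ordering
            })
    return sorted(violations, key=lambda v: (-v["risk"], v["name"]))


def enforce(violations, policy=POLICY_MAX_SCOPE):
    """Step 4: the boundary action for each violation: pull sharing back to the allowed scope."""
    return [
        {"name": v["name"], "owner": v["owner"],
         "action": f"restrict sharing to '{policy[v['classification']]}'"}
        for v in violations
    ]


if __name__ == "__main__":
    print("services in use:", discover_services(INVENTORY))
    for task in enforce(triage(INVENTORY)):
        print(task)
```

Note that `ssn_export.csv` is the most sensitive item in the inventory but produces no action, because it is not shared: the step-3 question is exposure relative to tolerance, not sensitivity on its own, which is what keeps the enforcement list short enough to act on.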

  17. Tomi Engdahl says:

    Who’s Winning the Cybercrime Battle?

    Although the U.S. Congress must have designated literally thousands of commemorative days, weeks and months, I’m a bit partial to this month’s designation, National Cybersecurity Awareness month, now in its 15th year. Although I tend to think quite a bit on this topic during the other 11 months as well, it does make me pause to reflect on how cybersecurity awareness has evolved over this time period, and contrast that with the evolution of cybersecurity effectiveness.

    In terms of general awareness, I’d say the ongoing battle against cybercrime, once relegated to implausible Matthew Broderick movies, is today a mainstream topic and has woven its way globally into our every-day culture—as the subject of an upcoming new television series, at packed-house scam prevention seminars, and even as a subject for placard-waving flash mobs. My barber is eager for tips on web and email security.

  18. Tomi Engdahl says:

    Seven Security Activities You Should Automate

    Below, I have suggested seven processes that should be automated in order to save valuable time during incident response and security investigation procedures, and help organizations improve their overall cybersecurity posture.

    1. SIEM Escalation
    2. Reputation Lookups
    3. Risk Scoring
    4. Blocking Users
    5. Guided Investigations
    6. Reporting Thresholds
    7. Notifications and Task Assignments


    Like any tool, automation should be implemented with careful consideration. It is true that it can bring value to just about any security team, but the amount of value will depend entirely on how well you match it to your most pressing needs, existing security infrastructure, and organizational procedures. This has been merely a sampling of the processes that can be automated, and with so much innovation currently happening in the industry, it’s worth taking some time to think about what other automated processes also provide you with value.
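Several of the seven items above (reputation lookups, risk scoring, reporting thresholds, blocking users, notifications and task assignments) chain naturally into one playbook. The following is an added example written for this page, not code from the post or from any SOAR or SIEM product; the alert records, the local reputation table standing in for a lookup service, the scoring weights, the threshold values and the tier names are all constructed assumptions, and the IP addresses are from the documentation ranges.

```python
# Constructed inputs (not from the original post). The reputation table is a
# local stand-in for the external lookup a real playbook would perform.
REPUTATION = {"203.0.113.5": "malicious", "203.0.113.9": "suspicious"}
CRITICAL_ASSETS = {"db-prod-01", "dc-01"}
ADMIN_USERS = {"root_admin"}

ALERTS = [
    {"id": "A-1", "severity": 2, "src_ip": "203.0.113.5",   "asset": "db-prod-01", "user": "alice"},
    {"id": "A-2", "severity": 1, "src_ip": "198.51.100.7",  "asset": "ws-042",     "user": "bob"},
    {"id": "A-3", "severity": 4, "src_ip": "203.0.113.9",   "asset": "dc-01",      "user": "root_admin"},
    {"id": "A-4", "severity": 5, "src_ip": "203.0.113.5",   "asset": "dc-01",      "user": "root_admin"},
    {"id": "A-5", "severity": 3, "src_ip": "198.51.100.20", "asset": "db-prod-01", "user": "carol"},
]

# Reporting thresholds (assumed example values), checked highest first:
# score floor -> playbook action.
THRESHOLDS = [(90, "block"), (70, "escalate"), (40, "notify"), (0, "log")]


def lookup_reputation(ip, table=REPUTATION):
    """Reputation lookup; 'unknown' when the source is not in the table."""
    return table.get(ip, "unknown")


def risk_score(alert):
    """Risk scoring: tool severity plus context the tool itself does not have."""
    score = alert["severity"] * 10
    score += {"malicious": 30, "suspicious": 15}.get(lookup_reputation(alert["src_ip"]), 0)
    if alert["asset"] in CRITICAL_ASSETS:
        score += 20
    if alert["user"] in ADMIN_USERS:
        score += 10
    return score


def decide(score, thresholds=THRESHOLDS):
    """Map a score onto the first threshold it clears."""
    for floor, action in thresholds:
        if score >= floor:
            return action
    return "log"


def run_playbook(alerts):
    """Score every alert, pick the action, and produce the task record a SIEM case would carry."""
    results = []
    for alert in alerts:
        score = risk_score(alert)
        action = decide(score)
        if action in ("escalate", "block"):
            assignee = "soc-tier2"
        elif action == "notify":
            assignee = "soc-tier1"
        else:
            assignee = None
        results.append({
            "id": alert["id"], "score": score, "action": action,
            "assignee": assignee,
            # Automated user blocking is reserved for the top band, and the
            # case stays open for a human to confirm or reverse it.
            "account_disabled": action == "block",
        })
    return results


if __name__ == "__main__":
    for task in run_playbook(ALERTS):
        print(task)
```

Keeping the weights and thresholds in two small tables is what makes the post's closing advice practical: tuning the automation to your own infrastructure and procedures means editing those tables, not the logic, and the band that disables accounts can be raised or removed entirely for organizations that want a human on every block.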

