Research Report | Splunk State of Security
Evolution of Cybersecurity
What are the new definitions of cybersecurity?
Cybersecurity is a constantly shifting discipline — and these shifts inform a dizzying array of definitions, tactics and techniques. AI-based tools are used so manual processes can be automated, and so security teams can keep up with the ever-expanding attack surface. These tools help reduce the number of repetitive or irrelevant security alerts so more serious issues can be dealt with by the security operations team. Zero trust security and advanced multi-factor authentication tactics are also taking cybersecurity in a new conceptual and technological direction.
How has cybersecurity evolved?
Cybersecurity emerged and gained momentum in the 1970s. The original principles were built around discovering specific attacks — including viruses, worms or other primitive types of malware — and developing tools to stop them. By the 1980s and 1990s, these types of attacks had become extremely commonplace, to the point where desktop security software (such as Norton AntiVirus and McAfee VirusScan) became essential to stave off attacks arriving via removable floppy disks and, later, through electronic messages and web browsing. By 2000, there were more than 50,000 computer viruses in the wild. And by 2008, those numbers had skyrocketed, with Symantec reporting that the number had topped 1 million.
Over time, attackers became more sophisticated, and their malware evolved from tools that had once been designed to be little more than a nuisance, to code snippets that could cause real damage by deleting files or corrupting software. These attacks have evolved in recent years to become much more nefarious, turning PCs into “zombie” members of a distributed-denial-of-service (DDoS) botnet, encrypting files to demand a cash ransom from the victim in exchange for the keys to decrypt them, and installing surreptitious software on victims’ machines. Malware that runs cryptocurrency mining software while the victim is unaware is one of the most common types of exploits in use today.
In addition to PCs, attackers target file servers, cloud services, and non-traditional computing devices such as security cameras and video doorbells, thermostats and even light bulbs. In one proof-of-concept hack, attackers hacked a refrigerator to reveal a user’s Gmail login credentials.
To mitigate these threats, computer security has evolved in a myriad of ways. Rather than monitoring data traffic for specific snippets of known bad code (known as “signatures”), security tools use a range of detection techniques, proactively watching for suspicious behaviors, and using technologies such as artificial intelligence (AI) and machine learning to predict whether a certain activity is likely to be malicious. Tools that scan the network and identify problems before an attack occurs are also commonplace in the enterprise. Tactics such as zero trust security take the firewall concept even further, presuming that all traffic, whether it originates outside or inside the network perimeter, is inherently dangerous and must be verified before it is allowed.
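The contrast drawn above, between matching known-bad byte patterns ("signatures") and watching for suspicious behavior, is easier to see side by side. The following Python is an added illustration and is not code from Splunk or from this report: the signatures and the log lines are constructed placeholders, and the thresholds (five failures within sixty seconds) are assumptions chosen for the demonstration. The behavioral scanner flags a source that bursts failed logins and escalates if a success follows the burst, which no byte pattern could have caught.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed signatures: placeholder byte patterns standing in for the
# "known bad code" a classic scanner looks for. Not real malware signatures.
SIGNATURES = {
    "dropper-stub-v1": b"DROPPER_STUB_V1",
    "macro-payload-a": b"AutoOpen(){Shell(",
}


def signature_scan(payload: bytes) -> list[str]:
    """Signature detection: return the name of every known pattern present.

    Anything that is not an exact substring match is invisible to this check.
    """
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


# Constructed authentication log lines in a syslog-like shape (sample data,
# not taken from any real system). 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges.
AUTH_LOG = """\
2024-03-01T10:00:01Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03Z sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:04Z sshd: Failed password for backup from 203.0.113.7
2024-03-01T10:00:06Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:07Z sshd: Failed password for oracle from 203.0.113.7
2024-03-01T10:00:09Z sshd: Accepted password for deploy from 203.0.113.7
2024-03-01T10:05:00Z sshd: Failed password for alice from 198.51.100.2
2024-03-01T10:30:00Z sshd: Accepted password for alice from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$"
)


def behavioral_scan(
    log: str,
    window: timedelta = timedelta(seconds=60),
    threshold: int = 5,
) -> dict[str, str]:
    """Behavioral detection over the log: map each suspicious source address
    to a finding. A source is flagged once it reaches `threshold` failed
    logins inside `window`; a later success from a flagged source escalates
    the finding, since that is the pattern of a brute-force attempt that
    worked. No byte pattern is consulted at any point."""
    failures: dict[str, list[datetime]] = defaultdict(list)
    findings: dict[str, str] = {}
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not auth events
        ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
        outcome, src = match.group(2), match.group(4)
        if outcome == "Failed":
            # keep only failures still inside the sliding window
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) >= threshold:
                findings[src] = "burst of failed logins"
        elif src in findings:
            findings[src] = "failed-login burst followed by success"
    return findings


if __name__ == "__main__":
    print(signature_scan(b"MZ...DROPPER_STUB_V1..."))  # known pattern found
    print(signature_scan(b"nothing known here"))       # nothing found
    print(behavioral_scan(AUTH_LOG))                    # 203.0.113.7 flagged
```

The two detectors are complementary rather than competing: the signature check is cheap and precise for payloads already catalogued, while the behavioral check has no catalogue at all and instead scores what a source does over time, which is why it catches the credential-stuffing burst above and why it needs a tuned threshold to keep the alert count manageable.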
What are some of the biggest modern cybersecurity threats?
Today, some of the biggest assaults range from extremely sophisticated and targeted to relatively blunt attacks that take a shotgun-like en masse approach in the hopes of reaching a victim. The modern cybersecurity threat landscape includes dozens of common threats. These are a few of the most common ones:
- Phishing attacks – Still one of the most prevalent types of cybersecurity attacks, these social engineering schemes allow perpetrators to masquerade as someone else — often a financial institution or another service provider — in the hopes of separating you from your login credentials. Armed with your password, the attacker can then drain your bank accounts or cause other types of havoc.
- Cloud-based threats – The growth of cloud computing has made this a rich target for cybercriminals who look for ways to infiltrate corporate networks or hijack user endpoints or SaaS services for their own workloads (such as cryptocurrency mining).
- Ransomware – A type of cybercrime that can infect a system or a network, in which cyber attackers encrypt files on the host then demand payment (usually in untraceable Bitcoin) in exchange for the decryption key. Ransomware has been on the rise for years.
- Mobile attacks – Similar to cloud threats, the broad shift from PCs to mobile computing has opened a door for attackers who may be much less on guard against threats when using their phone instead of their computer. Malware-infected apps and phishing attempts can be delivered via text message, voice call or other means.
- Wireless threats – Wi-Fi networks are notorious for their general insecurity. Cellular networks are increasingly using nearby Wi-Fi networks to offload data traffic, so as 5G and other wireless services grow, the risk of an associated exploit grows accordingly.
- IoT-based attacks – Security flaws in everything from smart home and mobile devices to industrial sensors to medical technologies are opening up broad new avenues for attackers to find a way into your network and gain unauthorized access to your sensitive information.
Understanding Your Cybersecurity Environment
How can organizations better understand their cybersecurity environment?
Understanding your cybersecurity environment and related cyber threats involves following a few key steps:
1. Developing a map of your enterprise assets, including an understanding of all computing systems and all of the enterprise’s data.
2. Ranking these systems and data stores based on their level of sensitivity and how critical they are to business operations.
3. Building a plan and developing technology tools to protect and monitor these systems, and prioritizing security strategies based on the level of risk to each asset.
4. Creating a culture of awareness around cybersecurity that focuses on education, training, and contingency planning for all employees in the enterprise.
What is the difference between security risk and security threat?
Risks and threats are often confused because they are closely related to one another. A security threat is something that can cause damage to a digital asset. Malware, a malicious hacker, or a misconfigured cloud server are all examples of security threats. A security risk is the potential for damage that can result from a threat. The avenue by which a threat becomes a risk is known as a security vulnerability: a point of weak security in a computer system.
The discipline of information security is designed to prevent the danger of threats and decrease their severity to minimize the risk of loss to the enterprise.
What are the different types of security risks?
The most common and costly security risks include the following:
- Loss of sensitive data – Sensitive data can include anything of value to an attacker that is present on your network: trade secrets and intellectual property, internal documents and emails, employee and customer information such as Social Security and credit card numbers, as well as patient and medical data. In addition to liabilities from data loss, risk also includes compliance fines and other penalties associated with a breach.
- Compromised systems and computing resources – This includes the risk of a business’s systems being infected with malware and turned into a DDoS zombie, cryptocurrency mining bot, a spam relay, or other malicious threats. These risks essentially put your business directly into the service of the attacker.
- Direct financial loss – A compromised system allows an attacker to gain access to a business’s financial accounts, representing a massive and financially devastating security risk.
Creating a Cybersecurity Strategy
How can organizations improve their security posture?
An organization’s security posture is defined by its overall readiness and preparation level to guard against a cyber attack. There are several cybersecurity measures organizations can take to improve their security posture.
1. Begin with a security audit – Assessing risk lets you identify all of your technology assets and assign a vulnerability level to each of them based on its underlying technology and importance to the business, allowing you to prioritize the systems most in need of protection.
2. Create a strong security policy – To maximize security and safety, organizations need rules governing how their technology systems are allowed to be accessed by end users. These policies should include rules around password length and reuse; the use of unauthorized equipment, software, and services; protocols for incident response; and points of contact for the cybersecurity operations team.
3. Expand cybersecurity tools – Security posture can be dramatically improved by implementing solutions that can automate large portions of your security defenses, including firewall devices, antimalware, authentication and access management, encryption software, penetration testing and vulnerability scanning tools, intrusion detection software, and network monitoring tools.
4. Monitor service providers – Today’s typical network involves myriad third parties, largely in the form of cloud services. Each of these represents a potential cybersecurity risk requiring the same careful monitoring as if it were part of your own internal network.
5. Track metrics over time – After determining what the key metrics are — total number of discovered vulnerabilities per day, mean time to correct a vulnerability, etc. — the organization can track them over time to determine whether overall security posture is improving or degrading.
6. Implement employee training – The above tactics are useless without dedication to ongoing employee training that ensures workers are aware of and are following the security policies you’ve carefully designed.
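Step 5 names two metrics, vulnerabilities discovered per period and mean time to correct a vulnerability, and says to track them over time. The Python below is an added worked example, not Splunk's code or tooling: it computes both metrics per month from a constructed export of a vulnerability tracker (the finding ids, severities and dates are invented sample data), compares two periods to say whether remediation is improving, and adds one figure a mean-time-to-remediate number hides on its own, the age of findings that are still open. Field names and the month-based period are assumptions for the illustration.

```python
from __future__ import annotations

from datetime import date
from statistics import mean

# Constructed vulnerability-tracker export (sample data, not real findings):
# (finding id, severity, date discovered, date fixed or None if still open)
FINDINGS = [
    ("V-001", "high",     date(2024, 1, 3),  date(2024, 1, 10)),
    ("V-002", "medium",   date(2024, 1, 5),  date(2024, 1, 25)),
    ("V-003", "critical", date(2024, 1, 9),  date(2024, 1, 11)),
    ("V-004", "low",      date(2024, 1, 20), None),
    ("V-005", "high",     date(2024, 2, 2),  date(2024, 2, 5)),
    ("V-006", "high",     date(2024, 2, 6),  date(2024, 2, 8)),
    ("V-007", "critical", date(2024, 2, 14), date(2024, 2, 15)),
    ("V-008", "medium",   date(2024, 2, 20), None),
]


def period_of(d: date) -> str:
    """Bucket a date into a month key such as '2024-01' (assumed granularity)."""
    return f"{d.year}-{d.month:02d}"


def monthly_metrics(findings) -> dict[str, dict]:
    """Per month of discovery: how many findings were discovered, how many of
    them remain open, and the mean time to remediate (in days) over the ones
    that were fixed. Findings are bucketed by discovery month, so a fix that
    lands in a later month still counts toward the month it was found in."""
    buckets: dict[str, dict] = {}
    for _fid, _sev, discovered, fixed in findings:
        b = buckets.setdefault(period_of(discovered),
                               {"discovered": 0, "open": 0, "ttr_days": []})
        b["discovered"] += 1
        if fixed is None:
            b["open"] += 1
        else:
            b["ttr_days"].append((fixed - discovered).days)
    return {
        period: {
            "discovered": b["discovered"],
            "open": b["open"],
            "mttr_days": round(mean(b["ttr_days"]), 1) if b["ttr_days"] else None,
        }
        for period, b in sorted(buckets.items())
    }


def posture_trend(metrics: dict[str, dict], earlier: str, later: str) -> str:
    """Compare mean time to remediate between two periods: a shorter MTTR in
    the later period is read as improving posture, a longer one as degrading."""
    before, after = metrics[earlier]["mttr_days"], metrics[later]["mttr_days"]
    if before is None or after is None:
        return "insufficient data"
    if after < before:
        return "improving"
    if after > before:
        return "degrading"
    return "flat"


def open_age_days(findings, as_of: date) -> dict[str, int]:
    """Age in days of every still-open finding as of `as_of`. MTTR only counts
    closed findings, so this is the companion figure that exposes backlog."""
    return {fid: (as_of - discovered).days
            for fid, _sev, discovered, fixed in findings if fixed is None}


if __name__ == "__main__":
    metrics = monthly_metrics(FINDINGS)
    for period, m in metrics.items():
        print(period, m)
    print("trend:", posture_trend(metrics, "2024-01", "2024-02"))
    print("open ages:", open_age_days(FINDINGS, date(2024, 3, 1)))
```

In the sample data the February MTTR drops to two days from roughly ten in January, so the trend reads as improving, yet a low-severity finding from January has been open for over forty days; tracking the open-age figure next to MTTR keeps a shrinking remediation time from masking a growing backlog.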
What are some cybersecurity frameworks?
There are dozens of security frameworks designed to help organizations develop a strong cybersecurity posture. Some of the most notable and widely adopted include:
- National Institute of Standards and Technology (NIST) Cybersecurity Framework — This presidential initiative was designed to enhance the country’s cybersecurity infrastructure, but it has broad applicability to private businesses as well.
- ISO/IEC 27001 and 27002 — A pair of international standards that define a risk-based approach to cybersecurity, with a focus on detecting threats and creating specific controls that should be put into place to secure enterprise systems.
- CIS Critical Security Controls — A set of 20 tactics designed to protect an organization from “known cyber attack vectors.”
- IASME Governance — Billed as an alternative to ISO 27001, which small and medium-sized businesses may find more attainable.
- COBIT — Control Objectives for Information and Related Technologies aims to integrate cybersecurity with other business processes and transformation activities.
What are the best approaches for risk management?
Cybersecurity frameworks like those outlined above prescribe specific approaches and practices each organization should undertake in order to improve security. This process begins by developing an understanding of the organization’s tolerance for risk. At a large bank, this risk tolerance is likely to be zero, while the cybersecurity risk tolerance of a middle school PTA may be considerably higher. With this tolerance in mind, the organization can then begin to prioritize its specific cybersecurity investments. Whether that involves attempting to decrease risk, eliminating risk entirely, transferring risk to someone else, or simply accepting the risk becomes a strategic question that can be applied on a case-by-case basis.
What are some approaches for secure development?
Software development occupies a unique place in the broader cybersecurity landscape. Not only is secure software able to protect the organization’s infrastructure, it is also able to protect any customers who may use externally facing software tools.
Secure development today is commonly defined by the Security Development Lifecycle, an approach originally pioneered by Microsoft in 2002 and defined by 12 practices. These include:
- Provide training – Get everyone on the same page regarding best practices and security awareness.
- Define security requirements – Determine what standards must be adhered to and what risks the application may face.
- Define metrics and compliance reporting – Set a “bug bar” to define the maximum allowable severity thresholds for security vulnerabilities.
- Perform threat modeling – Develop models to create threat scenarios so developers can more easily identify vulnerabilities.
- Establish design requirements – Determine whether to leverage encryption, authentication, or other needed tools.
- Define and implement cryptography standards – Encrypt everything, especially data stored in the cloud.
- Manage the third-party security risk – External code components represent a unique risk that must be managed separately, so conduct regular risk assessments to understand how your security posture has evolved.
- Use approved tools – Create a list of tools and security checks that developers are authorized to use.
- Perform Static Analysis Security Testing (SAST) – Conduct a security review of source code prior to compilation.
- Perform Dynamic Analysis Security Testing (DAST) – Stress test software for security during run time.
- Perform penetration testing – “White hat” hackers attempt to break an application by uncovering hidden vulnerabilities.
- Establish a standard incident response process – Develop a playbook to deal with new and evolving threats.
Building Security Defenses
What are the most effective cybersecurity tools or next-generation technologies organizations can implement?
Some of the most powerful cybersecurity tools — all of which are considered essential parts of any cybersecurity infrastructure — include the following:
- Firewall – This is the first line of defense against any number of attacks, a network security system that monitors network traffic and serves as a barrier between the enterprise and the internet.
- Anti-malware – These suites (commonly known as antivirus software) typically reside on client PCs to prevent malicious software such as trojans and other APTs from being installed, often via email attachments, malicious websites, or removable media.
- Authentication – This software uses next-generation authentication technologies, whether two-factor authentication or multi-factor authentication, to detect unusual patterns of behavior and ensure people accessing your network are who they claim they are.
- Encryption – If an attacker breaches the network, the best way to protect your enterprise’s data is to ensure it is encrypted, both in storage and in transit.
- Penetration Testing/Vulnerability Scanning – These tools scan your network for vulnerabilities, using the latest known exploits to attempt to bypass your security defenses, and alerting you as to where your systems are weak.
- Intrusion Detection Systems – These work as the perimeter security on your network, monitoring for malicious behavior in real time and reporting any violations to the security operations staff.
- Network Monitoring Tools – In addition to security violations, network monitoring tests for device health, which can help to prevent the downtime attributed to a burst of malicious traffic or simple device failure.
How can organizations get started building cybersecurity defenses?
Organizations can start building cybersecurity defenses by following the advice for improving your security posture and reducing the number of security incidents. Audit your existing hardware, software, and services ecosystem to get a solid understanding of where you stand. Create policies built to protect the systems that are most at risk of attack (including third-party services, such as cloud providers), then acquire the appropriate tools needed to protect those systems. After implementation, develop metrics to track performance and ensure staff are appropriately trained on your policy expectations and the aforementioned cybersecurity tools.
What is the future of cybersecurity?
Cybersecurity continues to grow in importance and size as an industry, both in the United States and around the world. Allied Market Research projects the total value of this industry to hit more than $300 billion by 2027, as organizations continue to fight against increasingly sophisticated and pervasive attacks. Looking ahead, some of the most noteworthy trends include the growth of cloud-based security services in lieu of traditional hardware, increased incidences of insider-based attacks, and updated approaches to security frameworks. The expansion of privacy legislation will further enhance the need for companies to take cybersecurity more seriously — or risk facing costly fines and legal liability when their perimeters are breached.
The Bottom Line: High-quality cybersecurity requires ongoing vigilance
The headlines detailing massive damage, data breaches, and financial losses due to cyber attacks tell the story best: The cybersecurity landscape continues to evolve, often in unpredictable and frightening ways. Now more than ever it is critical to understand your security posture and the risks faced by your organization and to learn how to adapt quickly to this ever-changing environment. Building a strong cybersecurity defense requires expertise and attention to shifting conditions and emerging threats, with detailed, real-time security monitoring one of the most essential tactics for keeping your network safe.