Virtualization Technology News and Information
RSAC Advisory Board Predictions: What's Ahead for 2017

VMblog Predictions 2017

Virtualization and Cloud executives share their predictions for 2017.  Read them in this 9th annual series exclusive.

Contributed by RSAC Advisory Board Members

RSAC Advisory Board Predictions: What's Ahead for 2017

Dmitri Alperovitch, Co-Founder and CTO of CrowdStrike Inc.


Enforcement of Norms
This year's election influence campaign marked a new crescendo point in inter-governmental cyber conflict. For a long time, we've focused on the kinetic effects of cyber, but we are now seeing nation states engage in propaganda campaigns and strategic information operations that happen to be conducted through cyber intrusions. Looking ahead, we will likely see the U.S. weigh tougher response options to such activities, not limited to cyber tactics, but also including diplomatic, law enforcement, economic and other policy means.
Replacement of Legacy Solutions
We are beginning to see some indications of a tectonic shift away from legacy solutions as people start thinking about security in different ways and replace those old style security products they've relied on for decades. This has been a slow ball that's been rolling down the hill for a number of years, and it's really picking up momentum heading into 2017 where it will likely reach a critical mass. Fortune 500 companies are really starting to take a totally different approach to how they manage security, and we'll likely to see a similar change in smaller companies. Companies' philosophies are changing and they are starting to think about when they will have an intrusion, not if. They are starting to work to figure out how they can get more visibility across all of their hosts and networks. The shift away from legacy will be to the next gen that's based more on machine learning and advanced behavioral analytics. The industry has been talking about replacing these solutions for 15 years, and now we are finally starting to see the trend accelerate.

Wade Baker, Independent InfoSec consultant & Co-Founder of the Cyentia Institute


First Billion Dollar Loss Event

We haven't had a data breach with confirmed losses exceeding $1 billion. We do have confirmed reports of multi-hundred million dollar losses, and I see crossing the $1 billion loss marker as crossing a line that boards actually may consider material. To this point, even the largest breaches are minor for the victim organizations in terms of percentage of revenue lost. Will 2017 be the year to bump us over that line? Due to an escalating series of one-upmanship's, especially for large DDoS attacks, we could start to see these larger revenue loss attacks.

Increasing Visibility of Cybersecurity

We have started to see increasing momentum up the chain for cybersecurity visibility from the boardroom at large enterprises and within the consumer base. We'll continue to see this shift continue in 2017, especially if it is coupled with high-profile or large-scale attacks.

Todd Inskeep, Principal, Commercial Consulting, Booz Allen Hamilton


Impact of Predictions
During the Interactive Birds of Feather session at RSA Conference 2016, there was a lot of conversation around predictions. People continue to show interest in looking ahead at what's next for the coming year as a check against what they are thinking about themselves. Predictions are an opportunity to look at how the predictions align with current plans, strategies and budget allocations. It's a valuable opportunity for people to take a look as see if they need to add a capability, fill a skills gap or provide a training. 


2017 will be the year we finally start to see some standardization about how security is communicated to boards. Every CISO you talk to is sending a different message to their boards via a different communication method. You'll start to see some standardization here so boards know what is expected from a cybersecurity perspective. Most boards are pretty passive, expect when there is a big breach. A more consistent approach will help the board learn what to look for when they are talking about cybersecurity.

Vendor Supplier Security

Right now if you're a vendor, every company you work with puts you through a lot of audits and answering the same questions over and over. We'll see someone break out of the pack and pull together a consistent methodology that lets you do one assessment and give the answers to all the companies who use your company or service. This will likely look like a platform or database that lots of people can have access to, see when they took the questionnaire and how they are maintaining your controls over time. Historically, the challenge with security audits is you give the vendor your questions and the minute you walk away the security starts to change due to a particular variable (i.e. budget, control). There could be a push here in the insurance industry where you have coverage to help you recover after a breach. Just like you have a preferred auto shop after a car accident, you would have a preferred vendor to assist post-attack.

Threat Intelligence

Five to six years into the threat intelligence craze it still feels like the definition is still all over the map. The desire for actionable threat intelligence will lead to some better codification of some terms for threat intelligence capabilities and services this year. I think we will see a lot more efforts to automate the sharing of threat intelligence and overall set of languages for automation will become a lot more active this year.

Benjamin Jun, CEO of HVF Labs


A rocky road ahead for IoT

Someday we'll look back on the DDoS attacks of 2016 in the same way we look at "quaint" website defacement attacks of the late 90's.  IoT security will become much worse with (1) a lot more devices, (2) connectivity without manual WiFi pairing (think AirDrop for everything), and (3) serious physical consequences when certain devices fail.

At this scale, these problems can't be fixed with recalls or device patching. Look for smarter firewalls and home routers that can isolate individual devices and "patch-in-place" at the network layer. Network Access Control (NAC) will come back into fashion, and even home networks will have local sandboxing capabilities.

Coming full circle - security roles will circulate out of DevOps

More security responsibility will shift outside of DevOps work cells and back to traditional ops roles.  Developers have critical responsibility for backing in security, but deployment security involves observation, system tuning, and detection.  These roles are well suited to dedicated ops teams.

New advances in standardized security definitions are allowing security profiles to be meaningfully shared across both development and operations roles.  And today's container, SDN, and VM environments support finer-grained security control.  Expect security automation tools to help non-developers evaluate, monitor, and manage production systems. 

Wendy Nather, Research Director, Retail Cyber Intelligence Sharing Center (R-CISC)

IoT botnet fallout

The impressment of Internet-connected devices into botnets amplifies two problems: the inability of consumers to add security that their devices should have had to begin with, and the externality of risk - neither manufacturer nor consumer are currently penalized except at a distance, when infrastructure is taken down by collective insecurity. We'll see more pressure to identify and recruit centralized Internet controls to deal with the IoT botnet fallout, such as ISPs filtering traffic, and only then will consumers put enough pressure on manufacturers when their devices stop working.

Attempt to eliminate passwords

Due to account takeover and credential stuffing attacks, someone will try once again in 2017 to eliminate passwords, and they won't succeed. Which is a shame, because the lowly password may be the worst thing we have ever invented. It's as if medical associations all over the world handed out scalpels to laypeople and said, "Here, do it yourself."

Pushback on "blaming the victim" culture

The infosec industry's traditional culture of "blaming the victim" is going to get pushback, and rightfully so. With parties such as cyberinsurance underwriters and government trade organizations trying to determine workable security standards, they're going to discover that there aren't any, other than for a handful of well-defined risk scenarios (see PCI). The waters will get muddier before they get clearer.

Ed Skoudis, Founder, Counter Hack


Politics and Security Collide

Based on recent supposed hacking around the 2016 presidential election, hacking and politics have - and will continue - to collide. This means that some of the unsavory parts of our political parties - both nationally and internationally - will see hacking as a viable method for opposition research. Therefore, political parties and their infrastructure will need to get more involved in the information security space, through regulation and direct participation. This is not just important from a public policy perspective, but is important to keep their jobs during increasingly rancorous election cycles. Over the past decade, we've seen the increasing militarization of cyber space; now, we'll see the politicization of hacking and cyberspace. We'll also likely start to see hacking incidents for attacker to gather Big Data in the form of vast numbers of email messages and files for the upcoming Senate and House elections that will largely unfold from now through at least 2020.

IoT (DDoS and Recall)

We've seen that IoT is a beautiful platform for DDoS - weak, poorly managed systems connected to the Internet in vast numbers - ensuring attacks will continue for a long period of time. Whether it's to knock off political opposition or cause a competitor to have a bad day, DDoS will reach an unimagined level that nearly no one can handle. Based on the vulnerabilities of these IoT devices, we will continue to see these products recalled after attacks. 2017 may very well be the year of the IoT recall.

Published Monday, November 21, 2016 8:03 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<November 2016>