Look Back and Move Forward

I wanted to start out by looking back at your comments from the last time we polled our editorial board in 2009. How have your predictions played out over the last two years?

Raj Samani: (Said that data exfiltration would continue to be one of the biggest concerns)

The recent WikiLeaks story would suggest that I was probably right. For the first 10 to 15 years, this industry was concerned about keeping bad stuff out. Now there is lots of focus on what data is leaving our organizations.

Roger Halbheer: (Anticipated a trend toward a more financially motivated and sophisticated cybercrime economy, driven opportunistically by world events)

It’s kind of an obvious trend that cybercrime goes towards money, and I think this really happened, but around big events? Not so much. There were some [cybercrime events] going on during the World Cup, but [using these events as a driver for cybercrime] seems to have worn out a little bit. It’s always there, but I think this was the case before the internet as well.

Sarb Sembhi: (Foresaw greater sophistication in botnet-type malware)

One word: Stuxnet.

John Colley: (Predicted security’s regard as a top priority would continue to rise despite no significant growth in budget, in addition to saying that the focus would be on protecting data, rather than the network)

Currently we see greater attention being paid to security by senior business managers than at any other time. The emphasis on protecting data continues partly due to the attention the media has paid to high-profile ‘data leaks’.

Hugh Penri-Williams: (Said that sophisticated data theft would overtake simple data leakage, and foretold of personal data being used for as yet unspecified ends)

I’m riding on the WikiLeaks story there, because as far as I’m concerned, that’s much more than the ordinary kind of data leak we’ve had in the past. This is something major, so maybe, if I can claim credit for it, that I had the feeling that something big was on the horizon and, of course, we’re only at the tip of that iceberg.

Gerry O’Neill: (Believed we would see more data breaches involving portable media and devices, and more targeted cybercrime via ever-increasingly sophisticated scams and social engineering)

It was a reasonably accurate stab at what I expected would be forthcoming over the next year or two. Certainly mobile devices have played their part in scattering corporate data around the place in an unintentional way, and that’s only going to get worse. That’s a risk we will still carry with us as we go into [2011]. With cybercrime, we’ve seen finger-pointing episodes around Operation Aurora and Stuxnet. It’s a much more sophisticated world we are moving into, compared with the one we played in before.

Marco Cremonini: (Predicted virtualization and cloud security would be the primary focus of infosec professionals)

Cloud computing is reaching the peak of its hype. Cloud computing security is a widely debated issue, and it is said that it represents one of the most (or the most) critical factor for the adoption of cloud computing. Many believe standards are still lacking and that the quality of security offered by cloud computing providers is unclear. Almost everything that has been said about cloud computing security is a repetition of what we have already heard many times during past years, for distributed computing, outsourcing, web-based services, SOA, mobile computing, etc. Security keeps repeating its warning and it is unclear whether or not it’s a cry wolf issue.

As the global economy continued to rebound throughout 2010, there was a marked M&A uptick – especially during the latter half of the year. Is this a good thing for the security industry?

Hugh Penri-Williams: Because of the difficult conditions, it was quite likely that a lot of the smaller security vendors would find themselves being snapped up by the big guys. The way things are going at the moment, that’s likely to continue in 2011. There are lots of soft targets out there. In general, it’s a good thing [for security] because it increases the number of larger vendors, and their variety, whereas some of the smaller ones may have been at the leading end technology-wise, but not necessarily business-wise. Provided [smaller vendors] got their fare share of the take, I think it’s quite healthy and it’s a natural thing in our particular industry.

Gerry O’Neill: There is an argument that says consolidation will bring with it a consolidation of resources, which may be necessary in a time of financial pressure because smaller organizations may fail otherwise. That consolidated resource can be deployed to find more integrated solutions. I would hope that some consolidation will allow for a smaller number of larger players with greater competence.

Sarb Sembhi: I think the purchase of McAfee was an unusual one. If we look at what has happened to some of the other security vendors…that sort of thing will carry on for sure, but it won’t be on the same scale as McAfee and Intel. When we are talking about big companies buying up smaller ones, we need to be wary of how this affects innovation within the industry. It the past, [this trend] hasn’t always been good. In the future, it remains to be seen.

Marco Cremonini: A wave of M&A has been expected for years in the security field. Many analysts have repeatedly commented that the security market was still in its infancy. The IT security market was showing signs of strain before the economic crises, and the shrinking has been evident. We had years of overhype. Security lacks innovation, dramatically. It was once one of the most exciting – technically and intellectually – in the IT field, and became one of the most conservative market sectors of IT. This, in my opinion, was due to a structurally weak market structure. I expect M&A to continue and I think it’s good for security, because on the one side security is getting more infrastructural and therefore integrated with mainstream IT systems and, consequently, part of large vendors. On the other side, and this is more wishful thinking than expectation, if M&A makes the market more dynamic, with new opportunities for start-ups and innovations, then we should have improvements.

John Colley: This is part of the growth cycle of any industry sector. It is important that there are successful small players in the market, but it is inevitable that if they become successful, then they become targets for acquisition by the major players. As long as there is a good mix of the good and the great, irrespective of size, then we will see a healthy security market.

Roger Halbheer: When it comes to the consumer space, there may be too many players out there for the size of the [security market] space. When it comes to the enterprise space, it looks a bit different. There are still lots of questions surrounding what a good security management monitoring appliance should look like. Everybody tells you that they know what you need, but what that [comprises] is not really clear yet. I anticipate the merging of management and monitoring of security.

Raj Samani: Chose to decline responding to this question, as he is the CTO EMEA for McAfee, which was recently purchased by Intel in the year’s largest security-related acquisition.

One of the major stories in the IT security world was the discovery of Stuxnet. What are your thoughts on this revelation and is its complexity?

Marco Cremonini: This malware is of a professional grade, precisely focused on critical infrastructures, geopolitically oriented, and stealthy. It has changed the playing ground, at least what we know about it publicly.

Gerry O’Neill: It’s a very well orchestrated collection of different attack vectors. It’s the targeting aspect of it that is its success – multiple layers and persistence of attack so that eventually, as an attacker, you get through to your intended target. It’s that type of architecture and design that we haven’t seen before, but the components of it are largely things we have already been dealing with. You could argue that whoever designed and launched Stuxnet has given wide proof of concept for copycats to follow. Most expert opinion is of the view that there is at least a year or more of development effort in this piece of malware.

Roger Halbheer: [Stuxnet was] the most important example of sophistication we saw this year. I would love to understand what’s behind it. It’s not something a 17-year-old teenager writes behind closed doors.

John Colley: Despite all of the hype about Stuxnet and its sophistication, the real story is that it has opened a whole new can of worms. Rather like the original Concept virus in the late 1990s, Stuxnet opens up a whole new area of attack. Not only is it a whole new area, but one that is particularly vulnerable due to the overall lack of security around these systems. Generally they are well protected from the physical viewpoint, but very badly protected from the cyber viewpoint.

Raj Samani: Stuxnet is a doozy. From an industry perspective, we tend to sell through fear, uncertainty, and doubt. Nearly every single security-related story was about doom and gloom [this one included].

Sarb Sembhi: It was definitely targeted; it could target not only SCADA systems, but particular SCADA systems. It seems to have been put together by, not one individual, but several people in the analysis by several anti-malware companies. And each [attack vector] works on a different zero-day exploit.

Hugh Penri-Williams: I think it’s very worrying, but it’s not at all surprising that something like [Stuxnet] has happened. If the wrong people get hold of some of these sophisticated attacks and really use them with a purpose, rather than just prodding, then we could see some major disasters in terms of utilities either in North America or Europe. As a phenomenon, [Stuxnet] is perfectly in line with what myself and many of my colleagues have been expecting.

What is your prognosis for what the security industry will be talking about – and addressing – in 2011?

John Colley: Without doubt, cloud computing, virtualization and data leakage will continue to be issues that need addressing and will receive a high degree of attention, both from the media and from the security industry. However, we need to wake up to the fact that unless we address the human factor in our solutions, our solutions will be ineffective and not provide the protection we need.

Raj Samani: Malware will continue to rise. Sadly, I think it will continue to rise exponentially. Also, we will see more organizations appear in the news regarding major security and data breaches. I would like to say that we will see more collaborative work in the industry. I’m hoping that CAMM [Common Assurance Maturity Model] will demonstrate how things can come together. The number of IP-enabled devices is going to absolutely explode. On the business side, I think the role of the security professional is going to change dramatically. [It] will become one of assurance and communication, becoming a bridge between the outsourcer and the business.

Sarb Sembhi: Access by remote devices – whatever they may be – will bring with them a whole new set of jobs to consider, because we don’t know how secure these things are, or can be. We will see some noise around mobile applications and mobile operating systems. Another trend on the rise, which will continue into 2011, is politically motivated hacker attacks.

Hugh Penri-Williams: We need to get to a point where security considerations start from the smallest common denominator – each person. We have to examine our own behavior first, then look at the tools. How can we best protect that individual from the person outwards, rather than looking at all the [devices] that surround us is one question we will need to consider and address in the near future. This new outlook includes enterprises as well, and includes any individual in the connected world. It’s because the wall between your office and private activity has practically disappeared, especially with the younger generation. The distinction is so blurred now that you cannot rely on people, even in a corporate climate, behaving in a responsible way anymore.

Marco Cremonini: Botnets as a mass-scale phenomenon and the rise of stealthy threats. Botnets are everywhere, tons of data is available, and the nasty effects of botnets have been reported all over the world. This trend is going to progress in 2011, because the problem has reached a critical dimension that needs responses from the industry. However, something important is missing in this picture. We’re all talking of botnets that look like mass products, quite generic, of medium to low quality, and addressed to the widest population. Then there are niche products: targeted, specifically designed, high-quality, efficient, silent and venomous. This trend is critical, and it makes IT security more strategic and requires specifically focused efforts. If we know what happens with mass-grade botnets, then we know almost nothing about what happens with targeted botnets; those that live silently and most of the time within corporate networks, with few interactions with the outside. Corporations should watch within their boundaries.

Gerry O’Neill: We will still be talking about blended, ever-more sophisticated attacks, either by criminal gangs or other parties. They will potentially be long range in their information-gathering stage. We must remain alert of insiders, or ‘sleepers’, within a staff as major players in this respect. The other big area for the upcoming year is that all of our national governments are facing national deficit issues, so there will not be a lot of money around in 2011, or even 2012. So, faced with all these increasing threats, and faced with the needs to finder better, cheaper ways to do business, I think that cloud and third-party issues are going to feature on the agenda. Cloud-related assurance and regulatory issues have the potential to radically change the industry.

Roger Halbheer: Consumerization does not receive enough attention from enterprises. Figuring out how to protect these consumer devices on an enterprise network will be one of the biggest trends, and it is overlooked at the moment.

Always a pleasure to tap the minds of the industry’s finest. Many reminded us that just because the calendar changes, it does not mean the threats necessarily will also. What they highlighted, however, are trends they saw as emerging or, perhaps, as Roger Halbheer pointed out, “overlooked”. Other themes that came up over and over again included the concept of consumerization within the enterprise, the increasing threat posed by the ever-expanding use of IP-connected devices, cloud services, and the smartphone explosion.

The economic hardship being felt by many organizations has begun to let up slightly over recent months, so now, more than ever, those responsible for security must make their voices clear to management as budgets rebound. Welcome to the age of the consumer, as their nifty little toys make their way into your networks. As Symantec chairman John W. Thompson cautioned in a speech this past November: “Don’t fight mother nature. This is the evolution of our industry.”