Cyber security outlook 2020/2021

Cloud View

I am always keen to read what the industry believes the future will hold with respect to cyber security. It might be focussed on threats or advancements in technology outside security or even geo-politically. I am starting to see posts regarding the oncoming capability of quantum computing and it made me think it is time to pen some thoughts.

Many of the security roundups and predictions are published by vendors in the security industry which means there is usually an angle and struggle for independence away from the core purpose of that organisation. I have the lucky perspective not to be concerned with that or getting content past a marketing team with a strong view on what should and shouldn’t be published.

Let us recap on a quite unusual year to date. Many large companies (FTSE 250 size) were, and may still be, concerned with their journey to cloud. Cloud is still such a loose concept, but it is settling to mean, in many cases, that the organisation is planning on directly using more public cloud capability. Software-as-a-service is exploding with growth too, and I believe both of these hosting models have been accelerated by the onset of the coronavirus. I also believe that many enterprises have had to make rapid decisions to adopt cloud technology, and that the delivery may have been necessarily faster than they would have liked.

This leaves risk in two areas. First, risk assurance people are spread more thinly: they need to bring overall IT and information security risk within acceptable levels across both on-premise and cloud estates, which in some circumstances leads to a lack of oversight and so to new solution risk going untreated. Second, the opportunity to treat risk in cloud and SaaS solutions may be missed in the scramble to adopt. Who cannot remember the fun everyone had adopting Zoom and then discovering waiting rooms and passcodes?

In the industry there have been some mega shifts in market power. Symantec, now part of Broadcom, is not centre stage just now and seems to be waiting in the wings for something. At the same time Microsoft has taken the opportunity to strengthen its solutions around information protection and DLP. No coincidence there, I would wager. Acquisition has been a key factor in sweeping up already household names: Demisto -> Palo Alto Cortex XSOAR, PureSec -> part of Prisma, Portshift becoming part of Cisco and Sqrrl becoming part of AWS.

The threat landscape has continued to change and significant blending of previous exploit technologies has resulted in a multiplication of ransomware attacks and how they are born within an organisation. This is playing on the existing fear of the unknown as the world is in lockdown. It translates to a desire to hold on to what we have and in this case, our data.

So what does this add up to? My personal view is that this is bringing about a realisation and a convergence of thought. Where before the weight of investment was on later-stage kill chain technology, which has evolved towards the endpoint and planned response approaches, I see that investment has begun to tip. The majority of investment would now appear to be in cloud technology and, for the first time perhaps, the legacy monolithic enterprise security applications may be a second thought when budgets are being formalised. A useful indicator is the job market (something I am familiar with at the moment): there is a commoditisation of demand for cloud security people, engineering, architecture and operations personnel in particular.

Nothing new here Phil, we already know that investment in cloud is high right now. Well, yes indeed I am not suggesting people haven’t been putting time and money into cloud approaches. What I am suggesting is that the purpose of that investment is changing. I sense that people are becoming more confident in what cloud technology can offer and the possibility that executing business endeavours is safer and requires less monolithic security solutions. Now the focus is on getting the guardrails in place (more of an IT function but security defined), simplifying authentication and authorisation and ensuring that the telemetry that is generated in cloud can be consumed appropriately.

What this means is that it is not only enterprise companies who can afford to keep their business secure. The scalability and per unit pricing for cloud security is now becoming within reach for all. A democratisation of security approaches can only be a good thing. The leaders may continue to lead but the door is now open for genuine innovation in the security space using building blocks in native cloud technology to kickstart. Remember how dropbox made AWS S3 accessible?

While the security industry is still hyper-focussed on detection there is a huge opportunity across the other domains and disciplines such as information protection, quantum-computing-safe encryption and identification. I also believe the time is right for another go at identification. Asset identification and classification has failed so many times; maybe now that software-defined and labelled environments are becoming more prevalent than traditional structured and unstructured data, we have the chance to put this one to bed.

I think we will see a standardisation on the simple around productivity solutions, which will further impose identity and authentication pressures but bring less innovation and more evolution here. I see that all net new applications continue to be born in the cloud, and the complexity this can give rise to will result in a scramble to better understand and control cloud-to-cloud communications. Now that there are an infinite number of perimeters to manage, zero trust is no longer the target to reach for but the only sensible way to operate.

Perhaps, from up in the clouds, you really can see more.

The Declarative SOC


When our kids were growing up we were terrifically fond of the books by Julia Donaldson and Axel Scheffler. The phrases from the books have lived on and transitioned into a part of our family vocabulary. What a lasting legacy they made with that simple pleasure of reading to your children.

One of my favourites was Room on the Broom and the phrase “The witch tapped the broomstick and whoosh! They were gone”. Wouldn’t it be cool if everything was as simple as tapping something and then all of a sudden you were off?

I am writing this post at 05:07 in the morning because I am compelled to consider how we can evolve the CSIRT or Security Operations Centre (SOC) team past the industry of the last 15 years by leapfrogging many legacy solutions that cost time and energy with questionable value. I also feel that at the moment there are many SME companies who need to do something about being prepared to respond to a cyber incident, yet they have neither the resources, expertise nor time to address it.

I was dreaming of a scripted solution that builds itself, is easy to maintain and provides up-to-the-minute visualisation of the current state of security affairs. It assists with responding to incidents and allows some documentation and metrics for continuous improvement. Most of all, these functions are implemented as interpreted code and the resultant resources, save the storage, are ephemeral. A declarative SOC.

What would this Declarative SOC look like in practice though?

It would need to be configurable on public cloud and cost little enough to be affordable to small and medium enterprises, yet scale to whatever size was required.

It would need to be expressed as a self-updating solution that was tolerant of failure conditions and which could be rebuilt with no loss of state.

It would need to meet a variety of compliance regimes but achieve this by being built and managed in a way that had the hallmarks of prevention so that compliance was a by-product.  We are talking about a solution that is zero trust in use and administration.

Location based threat detection

The way the long eared owl hears is quite incredible. Using asymmetrically placed ears is pretty clever on its own, but the way the brain processes this information and converts it is something else entirely.

Long eared owl

Placing the ears equidistant horizontally and vertically would be best if you wanted synchronised stereo sound. However, by design this is not the case for the long eared owl. As this piece from asknature.org explains, owls can hear in 3 dimensions.

The ears are set up so that even changes as small as 3 degrees horizontally can be detected. This detection is tracked by scientists using pupil dilation and then measured in the brain.

Fascinating, then, that the neurons firing on this detection are locationally mapped in the auditory response area of the brain corresponding to where the sound came from: activity patterns higher up in the auditory centre of the brain correspond to an object higher up in real space.

In the security space we often look to ensure the clocks of all devices generating audit logs are synchronised. This allows a timeline of events to be generated during an incident, on the hunt for attribution. In placing log event collectors, the strategy is often aligned with the volume and type of events being collected. The logical placement in the kill chain is therefore often only coincidental and not used expressly as a measurement in itself.

What if, by organising collectors positionally, we could assist real-time threat detection? By placing collectors at kill chain boundaries (not just network zone boundaries) and collecting small indicators at scale from these boundary collectors themselves, we could build a model of behaviour using collector metadata.

By placing a visual cue aligned to the behavioural changes in this metadata we could assist triage and hunter teams, indicating areas that may require further investigation or tuning. A map set up to blink and then expire gracefully, like the fabulous Isle of Wight sferics information which uses blue light initially (see a future post on this phenomenon), could show the rhythm of normal activity and anomalous behaviour traits.
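The Python sketch below is an added example, not code from the original post, showing one way the collector-metadata idea above could be prototyped. Each collector is tagged with the kill-chain boundary it sits on; only per-window event counts (metadata, not event content) are modelled; and a collector whose rate moves well outside its own baseline lights a marker on a stage-ordered map that then fades over the following windows, in the spirit of the blink-and-expire display described. The collector names, kill-chain stage labels, thresholds and log lines are all assumed or constructed for illustration.

```python
"""Kill-chain-positioned collectors as a detection signal (added example).

Collectors are tagged with the kill-chain boundary they sit on. Instead of
inspecting event content, we model only collector metadata: the number of
events each collector reports per time window. A collector whose rate jumps
far outside its own history lights up on a stage-ordered map and fades over
the next few windows. All names, thresholds and log lines are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Stage order used to lay out the map (Lockheed Martin kill chain phases).
KILL_CHAIN = ["recon", "delivery", "exploitation", "installation", "c2", "actions"]

# Hypothetical collectors and the kill-chain boundary each one sits on.
COLLECTORS = {
    "edge-proxy": "recon",
    "mail-gw": "delivery",
    "waf": "exploitation",
    "edr-core": "installation",
    "dns-resolver": "c2",
    "db-audit": "actions",
}

WINDOW_SECONDS = 60   # width of one counting window
Z_THRESHOLD = 3.0     # sigmas above its own baseline before a collector is flagged
BLINK_DECAY = 2       # windows a marker keeps glowing after the anomaly window

# Constructed data: events per window for windows 0..4. dns-resolver (the c2
# boundary) is steady at ~5 per window and then jumps to 30 in window 4.
SAMPLE_RATES = {
    "edge-proxy":   [3, 3, 3, 3, 3],
    "mail-gw":      [2, 3, 2, 3, 2],
    "waf":          [1, 1, 2, 1, 1],
    "edr-core":     [0, 1, 0, 1, 0],
    "dns-resolver": [4, 6, 5, 5, 30],
    "db-audit":     [2, 2, 2, 2, 2],
}

def build_sample_log():
    """Expand SAMPLE_RATES into '<epoch_seconds> <collector> <event>' lines."""
    lines = []
    for collector, rates in SAMPLE_RATES.items():
        for w, n in enumerate(rates):
            for i in range(n):
                lines.append(f"{w * WINDOW_SECONDS + i} {collector} event")
    return lines

def parse_line(line):
    """Return (timestamp, collector) from a raw log line; the event body is ignored."""
    ts, collector, _event = line.split(" ", 2)
    return int(ts), collector

def window_counts(lines, window=WINDOW_SECONDS):
    """Count events per collector per window index (collector metadata only)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, collector = parse_line(line)
        counts[collector][ts // window] += 1
    return counts

def anomalies(counts, z_threshold=Z_THRESHOLD, min_history=3):
    """Flag (collector, window) pairs whose count sits > z_threshold sigma above
    that collector's own earlier windows. A silent window counts as zero."""
    all_windows = sorted({w for per_window in counts.values() for w in per_window})
    flagged = {}
    for collector, per_window in counts.items():
        history = []
        for w in range(all_windows[0], all_windows[-1] + 1):
            c = per_window.get(w, 0)
            if len(history) >= min_history:
                mu, sigma = mean(history), pstdev(history)
                if sigma > 0:
                    z = (c - mu) / sigma
                else:  # perfectly flat baseline: any rise is off-baseline, no rise is normal
                    z = float("inf") if c > mu else 0.0
                if z > z_threshold:
                    flagged[(collector, w)] = z
            history.append(c)
    return flagged

def map_state(flagged, window_idx, decay=BLINK_DECAY):
    """Brightness per collector at window_idx: brightest in the anomaly window,
    then one step dimmer per window until it expires to 0."""
    state = {c: 0 for c in COLLECTORS}
    for (collector, w), _z in flagged.items():
        if w <= window_idx:
            level = max(0, decay + 1 - (window_idx - w))
            state[collector] = max(state[collector], level)
    return state

def render_map(state):
    """Stage-ordered text map; more '*' means a fresher anomaly on that boundary."""
    rows = []
    for stage in KILL_CHAIN:
        for collector, s in COLLECTORS.items():
            if s == stage:
                rows.append(f"{stage:<13} {collector:<13} {'*' * state[collector]}")
    return "\n".join(rows)

if __name__ == "__main__":
    flagged = anomalies(window_counts(build_sample_log()))
    for w in range(4, 8):   # watch the c2 marker light up and then fade
        print(f"--- window {w} ---")
        print(render_map(map_state(flagged, w)))
```

Because the baseline is per collector rather than global, a busy edge proxy and a quiet EDR core are each judged against their own rhythm, and the position on the map (the stage the collector guards) tells the triage team where in the kill chain the rhythm changed before anyone opens a single event.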

Introducing Biomimicry

Nature has evolved over millions of years to produce design answers to complex problems. As the evolution of the security threat landscape continues we can seek answers to the most vexing information security challenges using the same design approaches. This is Biomimicry.

To get a great introduction to Biomimicry I cannot top this fantastic video from Janine Benyus.

[Embedded video: Biomimicry, Janine Benyus]

We need to look more closely at the amazing feats of biology, chemistry and nature in the wildest sense to examine:

How does nature automate using the most efficient methods and with scarce local resources to achieve brilliance?
How do non-sentient organisms defend themselves against unknowable threats?
How do you process more information than you can focus on to take instinctive action?
How do we build a secure digital future faster than others can tear it apart?

In a series of blog articles I will walk through an intricate design feat, explain in my own words why this design evolved and offer it up against a current security problem, for example by studying coral formation to inform how security information is collected to a central source.

Coral complex structures

Let us build a community of like minded individuals who are similarly inspired to generate a future generation of information security solutions.

Welcome

A no nonsense approach to better security for your company through visualisation and automation.

Cost efficient and simple techniques to get more out of your existing security investment.

Display your situational awareness and build a repeatable, quality cyber response process.