The impact of the COVID pandemic on IT operations in general and cybersecurity in particular has been profound. CIOs and CISOs have been kept on their toes throughout and have a very uncertain landscape ahead of them. There is a lot that they must keep in mind regarding increased threat levels and the measures required to deal with them.
Given that their organisations are transforming themselves digitally, they must also, believes Jeff Wilson, Chief Analyst, Cybersecurity Technology with Omdia, be mindful of the ways in which cloud is remaking the landscape for identifying and stopping attacks.
The world of cybersecurity was already recasting itself pre-COVID, he believes: “In my view there were four intermingling drivers happening at the same time,” he explains. “The first is IT transformation and that is about the move of infrastructure from on premise into more flexible and hopefully cheaper cloud. Second is the evolution of the threats themselves. We don’t live in a vacuum, with criminals waiting for us to make our next advancement in security before they launch new attacks. The attackers are constantly evolving their threats. The third is that most companies are going through a process of reconciliation and consolidation resulting in a mass of solutions. Very few organizations have had the opportunity to step back and question what they really need to protect their infrastructure. The final part of this IT transformation is the addition of mobile and IoT devices.”
Post-pandemic, argues Wilson, it looks like those companies which are being more digital, more agile, more cloud-focussed and more flexible, are going to be the ones having an easier time making the transition to the next phase. The reasons are not hard to come by, Wilson notes: “In 2020, network traffic exploded, and life became more digital. All that traffic has to go somewhere and come from somewhere, and when there is an explosion in traffic there’s an explosion in the requirement for securing that traffic at all layers, whether that’s cloud data centres or the emerging edge.”
Threat levels remain unprecedentedly high, he believes: “Attackers are opportunistic. It turns out that a global pandemic creates a lot of new opportunities to attack. The threats and the risks are changing.”
To broaden the conversation on the lasting impacts of the pandemic, on its impact on cybersecurity and the importance of cloud in the wider picture, Wilson spoke to several leading figures from the world of security.
“When the pandemic started, what we saw initially was that the attack surface expanded overnight,” says Gail Coury, Senior Vice President and Chief Information Security Officer, F5 Networks. “Companies went from having everyone in the office to, overnight, working from home. This meant having to expand their capacity for VPN to protect those environments and doing it very quickly. I think we also saw accelerated attacks for web fraud. To give an example from the US, when COVID relief money was distributed from the federal government into state organizations, we started seeing a huge amount of ‘credential stuffing’. At F5 some of our employees received notice that someone had filed unemployment claims on their behalf, even though they were continuing to work through the pandemic. When we realised that this fraud was occurring, we went to customers and said can we help with putting web services in front of environments to add anti-fraud credential stuffing protections and help fend off attackers. When the pandemic heated up, attackers went home as well. With lots of time on their hands they became very creative.”
Coury says F5 also noted a huge increase in ransomware, from 6% in 2019 to over 30% in 2020: “It was a huge spike,” she says. “Criminals are looking for the monetary gain that they can achieve from holding companies hostage.”
Craig Connors, VP and CTO for Service Provider and Edge with VMware, agrees that attackers have deployed their time to shift their tactics and to try to take advantage of the increase in remote work: “We’ve also got to shift our tactics to protect against that, and that’s where things like SASE and distributed security in the cloud come in. Things that allow us to provide a consistent security experience whether users are in the office or on the road are going to be critical going forward.”
Part of the issue is that the model has changed whereby instead of employees coming to a place and inheriting its security, the security needs to go to them. So believes TK Keanini, Chief Technology Officer with Cisco Security: “That’s why the idea of Zero Trust, which was largely academic prior to the pandemic or popular within niches, is now a reality,” he says. “Zero Trust architecture is the new way forward. And it fits the new way we will all be doing business. Overnight, the Internet has become the network, the cloud the data centre, and identity is now the new perimeter.”
So how did the cyber threat change during 2020? And what does that tell us about the security landscape of the future?
DDoS attacks soared during the disruption, says Darren Anstee, Chief Security Technologist with network performance specialist NetScout. “We monitored over 10 million attacks across the internet through last year, up about 20% on 2019, with a peak in May where we were seeing roughly one attack every three seconds through our Atlas system,” he explains. “Many of those attacks were very complex. We’re not just talking about simple packet bursts and things like that. We’re talking about attacks that are made up of multiple parallel attack vectors that are being driven by attack tools and services that are very easy to find and very easy to use, but generate very sophisticated attacks targeting pretty much whatever you want. We saw the range of attack targets change as well, pivoting more to the kinds of things that we were more reliant on last year – things like streaming services, collaboration tools, ecommerce, healthcare providers, educational establishments offering distance learning. We also saw a big jump in DDoS extortion last year.”
There is plenty of evidence that hackers have organized themselves along the lines of businesses they are attacking, says Coury of F5. She notes also a certain commoditization of threat: “If you want to launch a ransomware attack, for example, you don’t have to build it or understand it yourself,” she says. “There’s so much money to be made in this space. From a CISO’s perspective it’s about having a consistent policy, and visibility of everything in your infrastructure. It is hugely challenging for any security professional. How do you manage the budget and how do you get the proper skills in place and what do you do from a technology perspective? The challenge has never been greater.”
With criminals organising like businesses, the job of security professionals becomes to make it expensive for them to achieve their ends, argues Keanini of Cisco Security: “That means making yourself the least attractive target, representing the highest possible cost to their margin,” he explains. “We face an innovation spiral with these guys. We innovate, and we make it harder on them. Then they innovate, making it harder on us. It’s been like that for the past 30 or so years.”
Anstee of NetScout points out that much of today’s threat landscape is not about commercial gain: “If the attacker is a nation state, like North Korea or Belarus, they aren’t motivated by money, and that changes the way that they operate and it changes the way that we have to defend ourselves. That kind of attacker is prepared to keep going until they succeed, and they have a much broader range of tools available to them. They have intelligence resources to figure out what you bought, what you’ve deployed, how you’ve deployed it, and what projects you’ve got going on. They generally have more access to reconnaissance as well, so that when they’re carrying out an attack they can see how effective it was, which bits worked, which bits didn’t work, what technologies we use to block them. It’s very different to defending against commercially motivated attacks.”
So how, for better or worse, has cloud affected the threat landscape? What are the first steps to securing infrastructure, applications and data in the cloud?
“Cloud has changed cybersecurity because of the threats it has created,” argues Connors of VMware. “It has also changed cybersecurity because of the advantages it provides. We have cloud-based security solutions to help us facilitate connecting the multiple clouds. Modern problems require modern solutions. Cloud-based security solutions give us a single point of ingress to multiple clouds, offering visibility and control and allowing us to make sure that we’re able to apply a consistent security posture.”
Enterprises need a consistent picture of what’s going on across the whole environment, agrees Anstee of NetScout: “We need to be able to correlate what’s going on so that we can identify the unusual, identify the new, identify those things that are indicative that something is going wrong.”
Cloud-native is the answer, believes Keanini of Cisco Security: “The reason why businesses are going cloud-native is there’s usually a part of their business where they want to be elastic. If on Monday the entire Internet shows up, they can handle it, and if on Tuesday half of the Internet shows up, they can handle that and they don’t pay for the entire thing. There’s an economics to cloud-native that’s incredibly attractive. And of course there’s more happening at machine scale than at human scale.”
“We see more AI and machine learning to be able to react quickly to whatever type of attack may be coming into the environment so that we are not dependent so much on the human factor to be able to respond,” agrees Coury of F5. “We compute everything that’s happening at machine speed, so security has to be there as well. It’s a unique time to be a security professional today. I think that we have to adapt and change along with how other technologies are changing. We have to thoroughly understand how technologies and DevOps and agile development and microservices work, and we need to look for solutions that can be consistent with that.”
By Guy Matthews, Editor of NetReporter
Links to the organisations participating in the CxO roundtable are as follows:
Omdia
https://omdia.tech.informa.com/authors/jeff-wilson
Cisco Security
https://blogs.cisco.com/author/tkkeanini
F5
NetScout
https://www.netscout.com/darren-anstee-bio
VMware
https://blogs.vmware.com/sase/author/cconnors/
For further reading on these themes:
https://blog.equinix.com/blog/2019/07/25/distributed-data-security-starting-the-discussion/
https://www.gartner.com/en/documents/3994102/sase-will-improve-your-distributed-security-everywhere
https://www.cisco.com/c/en_uk/products/security/security-reports.html