Ray Pompon, Principal Threat Research Evangelist, F5 Labs, shares insight on 2020 cyber security trends and resolutions
From tech giants and gamers to politicians and retailers, nobody is safe from today’s mutating threat landscape.
2019 was another frenzied maelstrom of cyberattacks, mitigations, pre-emptions and preventions, with the old (phishing and DDoS et al) rubbing havoc-wreaking shoulders with the new (new vistas in cyberwars, automation and AI).
As ever, continuous pressure also begets continuous innovation, and new levels of risk are also driving operational, philosophical and digital transformations across EMEA.
Here are three key cyber security trends we expect to drive both challenges and opportunities in 2020.
Addressing application myopia
Most organisations still can’t tell you what’s going on with their apps at any given time. How many they have, where they reside and who is using them should be fundamental, easily answerable questions.
Total visibility isn’t easy to achieve, of course. Typically, there are seven to nine pieces of technology sitting along the data path between application code and end customer. Each may stem from a different vendor and require two to three internal operations teams to make it work. Good luck moving at the pace and scale modern business requires.
The solution is to deploy and manage applications in a consistent way across all infrastructure silos. Organisations want the flexibility to adopt the best data path elements for their applications. The best way to do this, and to get visibility into code-to-customer pathways, is to leverage a consistent set of multi-cloud application services.
Expect decision-makers to clamour for more application control in 2020 – from development through their entire lifecycle – in order to deliver differentiated, high-performing, and secure digital experiences. Nobody wants to fumble around in the dark.
Application programming interfaces (APIs) are underpinning innovation and agility in a big way, fuelled by the adoption of cloud services, Software-as-a-Service, serverless and mobile computing.
According to KBV research, businesses will spend $6.2 billion on API management by 2024. At the same time, the 2018 Application Protection Report from F5 Labs found that 25% of surveyed organisations do not use API authentication. 38% reported that they did so “some of the time,” and 37% said it was “most of the time.” This needs to change.
There are different forms of API authentication and a risk-based approach is advised before committing to anything.
Credentials are the keys to the kingdom and must be stored securely, whether they are user/password combinations (for machines or human users) or API keys (simplified authentication strings with specific, limited uses). Store a hash of the secret rather than the secret itself wherever the key only needs to be verified, not replayed.
Crucially, no API should pass unsanitised or unvalidated input through to the application: that is a sure-fire recipe for injection attacks. API credentials must be scoped according to the principle of least privilege, so that each key can do only what its caller actually needs. Role-based access control is the recommended way to express those scopes.
Once again, it goes without saying that you can’t secure what you can’t see. Every organisation needs to understand where their APIs exist and how they contribute to business operations. Perimeter scans (to get the “hacker’s-eye view”) and in-depth discovery interviews with development and operations teams are instrumental. Get all the details on the table and prepare risk assessments accordingly.
Another way to protect APIs, particularly in the face of automation-driven threats, is to enforce rate limits. This means setting a threshold on the number of requests an API gateway will accept from a given client within a time window. (API gateways are lightweight pieces of software, running on or in front of an application server, that manage the connection points through which other app services or mobile apps push and pull data.)
Remember, attackers can afford to be patient. They only need to guess a credential correctly once to get into an API, so every unauthenticated attempt they are allowed is a free lottery ticket.
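The controls described above (hashed credential storage, least-privilege roles, input validation before the application tier, and per-client rate limiting) in one small gateway check, as an added example that is not F5 Labs code. The keys, roles, actions and the `order_id` format are constructed for illustration; a real gateway would also throttle unauthenticated attempts by source address, which this example does not show.

```python
"""Added example (not F5 Labs code): a minimal API gateway check that stores
only hashed API keys, scopes each key to specific actions (RBAC), validates
request input before it reaches the application, and rate limits per key.
All keys, roles and requests below are constructed."""
import hashlib
import hmac
import re
import time

def key_digest(api_key: str) -> str:
    """Only the SHA-256 digest of a key is stored, so a leaked store
    does not hand out usable credentials."""
    return hashlib.sha256(api_key.encode()).hexdigest()

# Constructed roles: each maps to the actions it is allowed to perform.
ROLE_SCOPES = {
    "reader": {"orders:read"},
    "writer": {"orders:read", "orders:write"},
}

# Constructed key store: digest -> (role, client name).
KEY_STORE = {
    key_digest("reader-key-abc123"): ("reader", "mobile-app"),
    key_digest("writer-key-xyz789"): ("writer", "fulfilment-batch"),
}

# Constructed input contract: order identifiers are 1-12 digits, nothing else.
ORDER_ID = re.compile(r"^[0-9]{1,12}$")
MAX_REQUESTS_PER_MINUTE = 5

class RateLimiter:
    """Fixed-window request counter per credential."""
    def __init__(self, limit: int, window_seconds: int = 60):
        self.limit = limit
        self.window = window_seconds
        self.windows = {}  # digest -> (window_start, count)

    def allow(self, digest: str, now: float) -> bool:
        start, count = self.windows.get(digest, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # new window
        if count >= self.limit:
            self.windows[digest] = (start, count)
            return False
        self.windows[digest] = (start, count + 1)
        return True

limiter = RateLimiter(MAX_REQUESTS_PER_MINUTE)

def authenticate(api_key: str):
    """Return (role, client) for a valid key, else None.
    Digests are compared in constant time."""
    presented = key_digest(api_key)
    for stored, identity in KEY_STORE.items():
        if hmac.compare_digest(stored, presented):
            return identity
    return None

def handle_request(api_key: str, action: str, params: dict, now: float = None):
    """Gateway decision as (status, message). Checks run in order:
    authenticate -> rate limit -> authorise -> validate input."""
    now = time.time() if now is None else now
    identity = authenticate(api_key)
    if identity is None:
        return 401, "invalid credentials"
    role, client = identity
    if not limiter.allow(key_digest(api_key), now):
        return 429, f"rate limit exceeded for {client}"
    if action not in ROLE_SCOPES[role]:
        return 403, f"{role} may not perform {action}"
    order_id = str(params.get("order_id", ""))
    if not ORDER_ID.fullmatch(order_id):
        # Never forward unvalidated input to the application tier.
        return 400, "order_id must be 1-12 digits"
    return 200, f"{action} order {order_id} for {client}"

if __name__ == "__main__":
    print(handle_request("writer-key-xyz789", "orders:write", {"order_id": "42"}, now=0.0))
    print(handle_request("writer-key-xyz789", "orders:write", {"order_id": "1 OR 1=1"}, now=0.0))
```

The injection-looking `order_id` is rejected at the gateway, before any application code sees it, and the reader key is refused `orders:write` regardless of what it sends. The rate limit here is keyed on the authenticated credential; guessing attacks against unknown keys need a separate limit on the source address.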
The cloud is your ally!
Believe it or not, with the right skills, tools, and design, a transition to the cloud can represent a substantial security, availability, and efficiency step change.
Defenders need to focus on control objectives, not controls. This means ensuring only authorised users and processes can perform authorised actions, without getting hung up on user accounts, passwords and machine rights.
It is worth noting that cloud systems are often woven together with APIs, ephemeral instantiations and decoupled services. A ninety-day password policy is not as useful as tightening the inherited permissions and permissible contexts (which networks, which resources) of a specific service role. Least privilege and regular permission review are more important than ever. Account lockouts for failed password attempts are not, because the identities doing most of the work are service roles, not people typing passwords.
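One concrete form of the permission review the text calls for, as an added example (not F5 Labs code): compare a service role's granted policy with the actions it actually exercised over the review period, flag wildcards, and propose a narrower policy with a context condition. The policy document, the audit log and the `SourceNetwork` condition key are constructed; the JSON shape only loosely resembles cloud IAM policies and is not any provider's schema.

```python
"""Added example (not F5 Labs code): permission review for a service role.
Granted policy and 90 days of audited calls are constructed; the policy
format imitates cloud IAM documents but is not a real provider schema."""
import fnmatch
import json
import os

# Constructed: a broad policy inherited from a deployment template.
GRANTED_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow",
     "Action": ["storage:Get*", "storage:Put*", "storage:Delete*"],
     "Resource": "bucket/app-uploads/*"},
    {"Effect": "Allow", "Action": ["queue:*"], "Resource": "*"}
  ]
}
""")

# Constructed audit log: (action, resource, source network) per call.
ACCESS_LOG = [
    ("storage:GetObject", "bucket/app-uploads/img/1.png", "vpc-app"),
    ("storage:GetObject", "bucket/app-uploads/img/2.png", "vpc-app"),
    ("storage:PutObject", "bucket/app-uploads/img/3.png", "vpc-app"),
    ("queue:SendMessage", "queue/resize-jobs", "vpc-app"),
    ("queue:SendMessage", "queue/resize-jobs", "vpc-app"),
]

def granted_actions(policy):
    """Flatten Allow statements into (action pattern, resource) pairs."""
    return [(action, stmt["Resource"])
            for stmt in policy["Statement"] if stmt["Effect"] == "Allow"
            for action in stmt["Action"]]

def wildcard_findings(policy):
    """Flag grants that cover more than one concrete action or resource."""
    findings = []
    for action, resource in granted_actions(policy):
        if "*" in action:
            findings.append(f"broad action {action} on {resource}")
        if resource == "*":
            findings.append(f"unscoped resource for {action}")
    return findings

def used_permissions(log):
    """Group the log by action: which resources and networks were used."""
    used = {}
    for action, resource, network in log:
        entry = used.setdefault(action, {"resources": set(), "networks": set()})
        entry["resources"].add(resource)
        entry["networks"].add(network)
    return used

def unused_grants(policy, log):
    """Granted patterns that matched no call in the review period."""
    used = used_permissions(log)
    return [pattern for pattern, _ in granted_actions(policy)
            if not any(fnmatch.fnmatchcase(a, pattern) for a in used)]

def narrow_resource(resources):
    """Single resource stays exact; several collapse to their common prefix."""
    if len(resources) == 1:
        return next(iter(resources))
    return os.path.commonpath(sorted(resources)) + "/*"

def tightened_policy(policy, log):
    """Propose one statement per action actually used, with the resource
    narrowed and the source network pinned as a condition."""
    used = used_permissions(log)
    patterns = [p for p, _ in granted_actions(policy)]
    statements = []
    for action, info in sorted(used.items()):
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue  # used but never granted: a separate finding, not a grant
        statements.append({
            "Effect": "Allow",
            "Action": [action],
            "Resource": narrow_resource(info["resources"]),
            "Condition": {"SourceNetwork": sorted(info["networks"])},
        })
    return {"Statement": statements}

if __name__ == "__main__":
    print("\n".join(wildcard_findings(GRANTED_POLICY)))
    print("unused:", unused_grants(GRANTED_POLICY, ACCESS_LOG))
    print(json.dumps(tightened_policy(GRANTED_POLICY, ACCESS_LOG), indent=2))
```

The review turns `storage:Delete*` into a grant to remove, the `queue:*` on `*` into two findings, and the remaining three actions into statements pinned to the paths and network actually observed. Prefix narrowing is deliberately conservative; a real review would decide per resource whether the observed prefix or the parent is the right boundary.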
Similarly, most cloud environments move responsibility up the stack. Application-aware security tools, like web application firewalls and service event monitoring, become even more important while infrastructure hardening, and network monitoring are often left to the purview of the cloud provider.
The beauty of virtual machines built from scripts is that their inventory and operational characteristics can be completely observable. Change control around operator actions on a server can turn into looking for divergence between running instances and the build procedures that produced them: an extra package, an unexpected listener or an unexpected login account is a deviation to investigate, not a configuration to tolerate. This can be completely automated, rapidly shrinking exposure windows for breaches while also containing attackers’ system access.
High-value systems can also be isolated and segregated with microservices and refreshed as needed from patched, hardened and tested models. You don’t “fix” hacked or broken systems, you rebuild them anew from stronger, fresher, tested designs.
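The divergence check described above, as an added example that is not F5 Labs code: a build manifest is compared with what a running instance reports, and any drift routes the instance to rebuild rather than repair. The manifest, the two observed snapshots and their field names are constructed; in practice the observed side would come from an inventory or configuration-management agent.

```python
"""Added example (not F5 Labs code): detect divergence between a running
instance and the build manifest it was created from, and decide whether
to rebuild. Manifest and observed snapshots are constructed."""

# Constructed: what the build script is supposed to produce.
BUILD_MANIFEST = {
    "image_digest": "sha256:1111",
    "packages": {"nginx": "1.18.0-6", "openssl": "1.1.1n-0"},
    "listening_ports": {22, 443},
    "login_users": {"deploy"},
}

# Constructed: snapshot from an instance that still matches its build.
OBSERVED_OK = {
    "image_digest": "sha256:1111",
    "packages": {"nginx": "1.18.0-6", "openssl": "1.1.1n-0"},
    "listening_ports": {22, 443},
    "login_users": {"deploy"},
}

# Constructed: snapshot from an instance someone has been "fixing" by hand.
OBSERVED_DRIFTED = {
    "image_digest": "sha256:1111",
    "packages": {"nginx": "1.18.0-6", "openssl": "1.1.1k-0", "socat": "1.7.4"},
    "listening_ports": {22, 443, 4444},
    "login_users": {"deploy", "svc"},
}

def divergence(manifest, observed):
    """Return a list of human-readable deviations, empty when in spec."""
    findings = []
    if observed["image_digest"] != manifest["image_digest"]:
        findings.append(f"image {observed['image_digest']} != built {manifest['image_digest']}")
    for name, version in sorted(observed["packages"].items()):
        expected = manifest["packages"].get(name)
        if expected is None:
            findings.append(f"unexpected package {name} {version}")
        elif expected != version:
            findings.append(f"package {name} is {version}, built with {expected}")
    for name in sorted(set(manifest["packages"]) - set(observed["packages"])):
        findings.append(f"missing package {name}")
    for port in sorted(observed["listening_ports"] - manifest["listening_ports"]):
        findings.append(f"unexpected listener on port {port}")
    for user in sorted(observed["login_users"] - manifest["login_users"]):
        findings.append(f"unexpected login user {user}")
    return findings

def decide(manifest, observed):
    """Rebuild on any divergence: drifted instances are replaced, not repaired."""
    findings = divergence(manifest, observed)
    return ("rebuild" if findings else "in-spec"), findings

if __name__ == "__main__":
    for label, snapshot in (("web-1", OBSERVED_OK), ("web-2", OBSERVED_DRIFTED)):
        action, findings = decide(BUILD_MANIFEST, snapshot)
        print(label, action)
        for f in findings:
            print("  -", f)
```

Run this from a scheduler against every instance's inventory and the change-control question becomes "why does this instance differ from its build?" rather than "who logged in and what did they type?". The downgraded `openssl`, the extra `socat`, the listener on 4444 and the new `svc` account are each a finding in their own right; together they are the kind of thing a rebuild from the tested image removes in one step.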
To realise these capabilities, organisations need the appropriate expertise to design and operate in the cloud. This means retraining and leveraging external skills, as well as rethinking how applications are delivered.
Any rethink should keep perspective on what security is trying to achieve, and on why the organisation is turning to the cloud in the first place. On the one hand, it is important to ensure the pursuit of confidentiality does not get in the way of application delivery.
On the other, in the long run, security and availability need to function as two sides of the same delivery goal. Ultimately, it’s up to organisations to plan with precision and act accordingly.