2017 was a busy year full of malware attacks and data breaches. Yes, these events caused (at least) their fair share of disruption and damage. But as the year draws to a close, our attention should move beyond those immediate consequences in an effort to better understand the facts surrounding how and why the incidents occurred. Indeed, we can use those details to learn from our past mistakes as we move into 2018 and beyond.
Here are the lessons a few of us in the infosec community learned from 2017. We can only hope organizations everywhere internalize all this learning going forward.
Tim Erlin, VP of Product Management & Strategy at Tripwire | @terlin
There used to be some qualitative difference in the breach activities that went on in a given year, but the last few years have all had significant breach activity.
I think we’ve moved past “breaches as events” to breaches being the norm. Their character and details may change, but the industry as a whole has to accept that this activity is continuous. Why is that important? It changes how we mobilize defense. If you build defenses around the idea that there’s a point-in-time event requiring a response, then you focus on different tactics. There’s a ‘surge’ mentality that goes with this approach, one which drives off the idea that work is distributed unevenly.
If you consider breach activity as a more continuous process, then you defend more continuously. This isn’t a binary change. It’s not that it was one way and is now the other. It’s a shifting characterization that demands a shifting defensive strategy.
Tyler Reguly, Manager of Software Development with Tripwire | @treguly
I hate to say it, but 2017 has taught me a pretty dark lesson.
For years, vendors have gotten better about communicating security issues and details related to them, but 2017 was a major step back for some of the largest vendors. Those companies removed the focus from communication and information sharing.
They also stopped providing customers with options. Imagine that you walked into the pharmacy to pick up multiple prescriptions and the pharmacist handed you a single bottle of liquid and said, “I’ve blended everything together. There could be drug interactions, and there are side effects, but I’ll let you discover those on your own. I’ve also removed your ability to pick your own meds.” That’s essentially what some of the largest vendors decided to do this year, and it was rather disturbing to see this giant backward leap.
Michael Ball, CISO at AGF Investments | @Unix_Guru
Going into 2017, we had already had a taste of the potential damage that ransomware could do. The New Year started quickly with modifications to employee training material that include more detail on phishing awareness, both general and targeted. We also realized that a year in between employee awareness trainings was way too long and broke the course out into its domains. Now we run a quick 15-minute training with 3-4 questions every month just to keep it fresh in the employees’ minds.
We also learned that no matter how well trained our employees are, somebody’s going to click that damn link.
Privileged access management has always been one of my concerns, but in response to the speed at which new 0day exploits are being delivered and the ease with which lateral movement happens, we made a strong move to get rid of local admin on endpoints and put in place a program to manage privileged access in the data center. Windows Admins, UNIX/Linux Admins, Network Admins, Database, and Application Admins are now all monitored and controlled for escalated privilege within the data center.
Along those same lines, we’re learning that significant portions of our intellectual property (crown jewels) are moving out to cloud services like ServiceNow, WorkDay, Office365, Concur, ADP, etc. and more of our workforce is connecting to them when outside our perimeter. This creates a situation where I have no visibility into those transactions, and the perimeter thus disappears. CASB is a solution, but we need to get better agreements in place with these service providers to feed relevant logs back to us to complement our own infrastructure and perimeter logs.
And finally, logs. Or SIEM, as it were. We have learned that logs are only as good as what you have chosen to capture, and your incident/event management is only as good as the use cases you have defined. Getting a baseline on “typical traffic” will be next year’s priority, followed by identifying/prioritizing review of that traffic that is outside the norm.
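The “baseline typical traffic, then review what falls outside the norm” idea above, as an added example that is not part of the original post. It assumes a simple constructed “timestamp host event” log line format and uses a per-host mean plus k standard deviations over past days as the baseline:

```python
# Added example, not from the original post: build a per-host baseline from
# past days' logs and flag a day whose count falls outside the norm.
import statistics
from collections import defaultdict

# Constructed lines in an assumed "<ISO timestamp> <host> <event>" format.
SAMPLE_LOGS = """\
2017-12-01T08:02 ws-01 logon_failure
2017-12-02T08:10 ws-01 logon_failure
2017-12-02T08:11 ws-01 logon_failure
2017-12-03T08:05 ws-01 logon_failure
2017-12-04T08:07 ws-01 logon_failure
2017-12-02T09:30 ws-02 logon_failure
2017-12-02T09:31 ws-02 logon_success
2017-12-04T02:10 ws-02 logon_failure
2017-12-04T02:10 ws-02 logon_failure
2017-12-04T02:11 ws-02 logon_failure
2017-12-04T02:12 ws-02 logon_failure
2017-12-04T03:00 srv-db logon_failure
2017-12-04T03:01 srv-db logon_failure
this line is malformed and is skipped
"""
BASELINE_DAYS = ["2017-12-01", "2017-12-02", "2017-12-03"]

def parse(text):
    """Yield (day, host, event); skip lines without exactly three fields."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0][:10], parts[1], parts[2]

def daily_counts(text, event):
    """Count one event type per host and per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, host, ev in parse(text):
        if ev == event:
            counts[host][day] += 1
    return counts

def flag_outliers(text, event, baseline_days, check_day, k=3.0):
    """Flag hosts whose check_day count exceeds mean + k*stdev of their
    baseline_days counts; a host with no history has a threshold of 0."""
    flagged = {}
    for host, per_day in daily_counts(text, event).items():
        history = [per_day.get(d, 0) for d in baseline_days]
        threshold = statistics.mean(history) + k * statistics.pstdev(history)
        today = per_day.get(check_day, 0)
        if today > threshold:
            flagged[host] = (today, round(threshold, 2))
    return flagged
```

A host that never appeared in the baseline window (srv-db here) is flagged on any activity at all, which is the case the use case must decide how to handle rather than silently ignore.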
Christopher Burgess, Security Writer | @burgessct
Here we were marching along nicely in 2017. I had thought I had seen it all. Then INFOSEC 2017 arrived, and I realized I hadn’t seen anything yet. It was as if the infosec world was saying that they finally had it in hand, and then someone came along and said, “Watch this, hold my beer.”
I saw that keeping your production infrastructure up-to-date with patches and updates really is important. Now every CSO can point to Equifax.
I saw that having a DLP process in place to detect the insider hoarding or stealing really is important. Now every CSO can point to NSA’s three incidents (Martin – 50 terabytes, Winters – NSA sensitive documents printed and spirited away in her pantyhose, and Pho – NSA TAO contractor who collected all the offensive toys of TAO on his home computer) or Google’s Waymo, which saw one of its senior most engineers spirit thousands of documents.
Yes, in 2017, we held the beer and watched data flow out of far too many entities. May 2018 be the year that security is a forethought and not an afterthought.
Maurice Uenuma, Strategic Account Manager with Tripwire | @TripwireInc
Effective cybersecurity requires two qualities: firmness and flexibility.
Where those qualities are applied makes a big difference. The mature cybersecurity professional knows when to be firm and disciplined and when to be open-minded and flexible. Few are able to strike the right balance; most err toward one or the other.
Firmness is necessary in fostering the right mindset, or culture, in an organization since human behavior is a major (arguably the biggest) factor. Discipline in adhering to established best practice frameworks including the CIS Critical Security Controls as the foundation and starting point for a cybersecurity program is key, especially given the “noise” of the marketplace of ideas and products. Firmness is essential to enforcing policies and procedures.
Meanwhile, flexibility is necessary in adapting to new threats since a rigid vulnerability or risk management program will remain oriented towards yesterday’s threats. Open-mindedness is key to considering the possibilities of emerging solutions such as blockchain or artificial intelligence. And flexibility is always needed in balancing the opportunities and risks to the business.
Too often, security leaders may compromise foundational controls or discipline in the name of flexibility while holding fast to a rigid view of the threat environment or refusing to consider emerging technologies.
Success in cybersecurity depends as much on these cognitive functions as it does on policies, procedures, and platforms.
David Bisson, Associate Editor for Tripwire | @DMBisson
For the past few years, I mainly thought of the major credit bureaus in the context of users needing to monitor their credit reports for suspicious activity in the event of a data breach.
I never thought we’d see something along the lines of the Equifax incident. Data breaches pose a threat to every kind of organization, but the risks involved are more severe when that company is responsible for safeguarding the personal information of millions of American and UK consumers.
So much so, in fact, that it’s not worth taking a chance anymore with one’s credit report. I recommend that all users seriously consider placing a credit freeze on their reports with Equifax, Experian, TransUnion, and Innovis. Doing so will help protect their credit even if someone steals their Social Security Numbers (SSN) and other personal information.
Best of all, many states offer this kind of protection for free. Users should also consider opting out of preapproved credit offers and locking down their credit card/bank accounts with notifications for every type of activity and transaction.
Kim Crawley, Information Security Journalist | @kim_crawley
I learned how vulnerable Windows’ Server Messaging Block was, especially in regards to this year’s WannaCry and NotPetya attacks. Related to that, EternalBlue really opened my eyes about how many exploits intelligence agencies may be sitting on.
I think this offensive approach to cyberwarfare is terrible. People who work for intelligence agencies may feel overconfident about their ability to keep cybersecurity exploits and other cyber attack methods to themselves. But quite frequently, they end up on WikiLeaks. Their exploits may also be shared on IRC or on the Dark Web.
Dan Raywood, Contributing Editor of Infosecurity Magazine | @DanRaywood
From the major stories I’ve covered this year, be it ransomware, politically related, or even Uber’s breach, the one thing I’ve definitely learned is the value of immediacy.
As a journalist, you’re looking to get something put together fast and published with the bare minimum of facts and figures. In these times of “fake news,” it’s easy to pick up the wrong facts and report something incorrectly, so this year, I’ve come to rely on a number of people whose perspective I trust on breaking issues.
The capability to create a breaking news story is something that the journalist needs to do well, as your readers are looking for the insight and explanation of a situation while you are being asked for your perspective also.
So my biggest lesson learned from 2017 is on how to work fast, accurately, and under pressure on something that the world wants to know more about.
Bob Covello, IT Security Director at Security Cove | @BobCovello
The first thing I learned was to never make infosec predictions.
The more important lesson from the year is that, contrary to what many of us think, our friends and family are not so resistant to security.
Despite some of the stories about bad security practices, most folks are very serious about security. The challenge is that they need to understand it before they leap into it.
Think about whether you would allow your doctor to inject you with something without telling you what it is and what it is meant to prevent. Would you participate as a blind test subject?
Most folks just want to know more about how everything we are promoting in security is going to protect them. If we can clearly articulate that, then we will see a shift towards more security. Let’s make that the mission for 2018!
Ben Layer, Principal Software Engineer at Tripwire | @benlayer
This year, I learned it’s healthy to take a step back, re-evaluate things, and make changes if necessary.
I had spent so long working deep in one problem space that I missed a lot of interesting changes in the security industry. I felt I would benefit from something new, so early in 2017, I decided to make a role change. I was able to spend the year working with multiple new technologies, platforms, and languages, and I am happy and refreshed because of it.
Did you learn something infosec-related from the events of 2017? If so, let us know in the comments!