Security Innovation vs Evolution
What makes a security product or service truly innovative?
As an organisation developing a lot of IP and continually seeking to enhance its customer experience by predicting their future security needs, as well as reduce security friction for our current services, we give some thought to this question.
The cornerstone of innovation is creativity. Creation usually requires inspiration, requirements or a need which must be fulfilled (even if that need is not yet known).
So what needs exist in Security services today?
1) Doing more with less - The global cyber threat landscape continues to grow, as does pressure from Customers and Regulators to establish and maintain effective security. Sadly, this nearly exponential trend is not reflected in security investment and budgets.
How do we do more with less in the world of Cyber security?
Risk Alignment & Prioritisation: Working to support your organisation's Wildly Important Goals (Risks, Obligations and Objectives), understanding priorities, becoming part of the value chain inside the organisation.
Automation: Anyone who has spent a lot of time in technology understands the value of efficiency gains. Taking repeatable and high-resource tasks and applying automation can often be the difference between an Incident and a Near Miss.
Augmentation and Sourcing: When a security activity requires specialist skills, extended coverage or variable capacity, leveraging partners and service providers can help address gaps inside an organisation. This allows internal security resources to apply the all-important organisational context to security, whilst the heavy lifting is addressed more efficiently.
Culture and Education: Extending the capability of the security team by creating security awareness, broader expertise and champions to strengthen its defences.
Strategic Shift: Integrating risk management principles to consider the right strategy for each security risk (e.g. Shifting from "Prevent" to "Detect and Respond" for some threats).
2) Predicting our future needs - Whilst my personal desire for flying cars has been curtailed by the realisation that this could result in similar issues that we have on our roads but on a broader (and scarier) scale in the air, predicting the future of how we will live, work, and interact with one another and the world around us is based on a sliding scale of probability depending on how far you forecast.
There are however a number of important trends and technologies which we will need to leverage and support from a security perspective. In no particular order these are likely to include:
Augmented reality: The modern-day Virtual Reality, this trend is likely to introduce a number of beneficial but also unexpected impacts to how we view the world. The basic human desire to be able to trust your senses will be impacted by augmented abilities. Cyber security considerations will therefore become increasingly important to improve the trustworthiness of information being presented (e.g. consider a Head Up Display being corrupted in Aircraft).
Artificial Intelligence: As it applies to cyber security, this is really the only short-term answer to the increasing prevalence of cyber security threats. AI will enable better detection and response and adaptable, elastic security defences.
Consumer Autonomous Vehicles: Personal safety and security is easier to manage when people are in the driver's seat, adapting to changing risks and threats, but what happens when we automate this? Security of these devices becomes a combination of design (catering for the normal use-cases whilst foreseeing the likely things that can go wrong) and operational adaptability (event and scenario based decision-making and response).
Internet of Everything, Everything as a Service: Devices and services will blend to the point where most technology will be available as a managed and fully maintained service. This will include many things that we presently do domestically (e.g. Shopping, Laundry, etc). With these changes to how we live will come the need for cyber security (e.g. Preventing attackers shooting down our home delivered pizza with a DroneGun).
Death of the Password: With large tech companies moving away from passwords, there is likely to be a trend towards Identity as a Service (IDaaS). This will fundamentally change the way businesses interact with their clients.
Cyber Security Conflicts: Whether person vs person, state vs state, company vs company, technology vs technology or any combination thereof, there is likely to be an increasing likelihood of victims and friendly fire in any cyber war. The criticality of the Internet for day to day life will become an increasing concern. Companies with a Cloud-First strategy may quickly fall victim to the impacts of extended outages.
3) Communicating effectively - There is often a communication gap between those in need and those who have the capability to provide. Many times I have been asked to advise on what an organisation should do to improve security.
Unfortunately, security in and of itself is not an answer, as security controls only have value in their impact on risks. Hence, in order to properly understand the need, upfront work is required to understand the risks that security is needed to manage as well as any additional capabilities that security may be able to provide.
In addition to understanding the risks and required capabilities from security, communicating security back to organisations in language that is meaningful, straightforward and relevant is essential. Take two statements as an example:
Example 1 - In order to mitigate the risk of credential loss through malware, we recommend that endpoint controls are implemented on all user devices and that these are enforced through your MDM.
Example 2 - We recommend antivirus software is deployed to protect your information from being stolen or compromised by malicious software (viruses etc).
It's easy to forget that communication should be tailored to an audience, and that the language we use can result in confusion if incorrectly targeted. Taxonomies such as those used in SABSA can often assist in translating security for different stakeholders.
4) Integration, interoperability and standards
Our current security needs also require us to consider integration of security technologies and processes to help avoid unfortunate security situations. The opposing forces of commercial competition and consumer choice and agility have made it difficult to achieve true standardisation amongst some security products (e.g. Firewall rulesets).
Similarly, it is not uncommon for a platform to offer an EIDO (Easy in, Difficult Out) approach to service transition. Unraveling a poor security integration can be challenging. Given the nature of many security products (i.e. Centralised, Tightly Coupled, Complex) and their use (i.e. Compliance, Risk, Operations) it's not uncommon to see something as seemingly simple as a desktop antivirus replacement become a project in its own right.
What does it take to innovate in Security?
Innovation is considered both a process and an outcome. Here are a few enabling factors that support security innovation:
Consistent understanding of the challenges and issues - supporting the Regulatory, Public, Personal and Organisational desire for innovation in Security.
Competence and technology - derived from investment in science & technology research; new ideas require new thinking, a societal, economic and political environment in which a Think -> Try/Create/Test -> Fail/Adapt/Succeed cycle is supported.
Cybersecurity education and awareness - as noted above, in order to innovate we must better bridge the gap between Security and non-Security stakeholders.
Leverage the old (but not being limited by it) - observing (and ideally avoiding) some of the pitfalls, what new security ecosystem can be created.
Human-centred design - creating ways to safeguard against the common security mistakes in our user communities. We need to make security easier for humans.
Time-based security - acknowledging that security is not an absolute or a commodity (unless you are trading on the stock exchange); moreover, the thinking about security measures needs to mature to recognise that breaches will happen and shift focus away from a "prevention" (fortress-style) security model.
Is it really innovation or just evolution?
Evolution typically involves predictable step-changes. Innovation is all about the new. A Twist and Shift strategy has been adopted by a number of big tech companies (i.e. take a few disparate needs, combine them, throw a twist on them and shift them to a new market) to support innovation (e.g. combining a computer, camera, portable music player and phone to create the iPhone).
It is clear that many security strategies which have historically served us well are nearing the end of their useful lifespan. Here are just a few examples of security measures that are evolving:
Antivirus based on signatures has struggled to cope with dynamic and polymorphic malware that is constantly changing - this has resulted in a shift toward behavioural, reputation checking and sandboxing.
Firewalls which used to help us govern what communications can be performed in and out of a network have had to evolve to address encrypted communications, dynamic addressing, de-perimeterisation (i.e. using the Internet as your network) and a connection from anywhere security model - this has resulted in Next Generation Firewalls that are more aware of the Application layer and provide functionality to support identity awareness vs reliance on a network address.
System and application access controls which enabled us to determine who has access to what, and logging capabilities to tell us who has accessed what, are more challenging to enforce when the system and network in question is not yours (e.g. in the Cloud) - this has resulted in a new form of security control, the Cloud Access Security Broker or CASB.
Whilst the argument could be made in some cases (based on the degree of change) that these also are evolution, here are a few examples of security innovation:
User and Entity Behaviour Analytics (UEBA) to help baseline what is normal on a system or network and then Prevent, Detect and in some cases Respond to unusual conditions or events (e.g. Fraud or Data theft).
Quantum Cryptography to enable secure communication using technology that detects tampering or eavesdropping.
Summary and closing thoughts
With every new technology, type of information or way of doing business there will be innovation by someone seeking to subvert these for personal gain or other motivations (revenge, ideology, ego, etc).
Security is not just an arms race, building stronger walls to keep out more determined attackers. Security should provide a state of mind, an awareness and mature consideration of risk. True innovation in security will come from being considered at all stages of the creative process and considering the People and Processes in concert with the technology.
I sometimes wonder whether in the future we will see Cybersecurity threat reports as part of the nightly news, helping to make issues that affect us all more visible.
Author: Clinton Smith