Director of Communications at Signal Sciences. AR/PR pro by day and an aspiring animal rescuer by night. Formerly @ Citrix, Check Point Software Technologies, and Fleishman Hillard.
This year, we saw some of the biggest cyber attacks in history from WannaCry and NotPetya, to the Equifax breach, affecting thousands of businesses and millions of consumers worldwide. According to Gartner, worldwide enterprise security spending is estimated to total $96.3 billion in 2018, an increase of 8% from 2017.
With the new year just around the corner, it’s time to think about the new threat vectors and security trends for 2018 and how businesses can protect themselves. We sat down with our CSO Zane Lackey to discuss the highlights for the security industry and Signal Sciences, and what to look out for in the new year.
What was the highlight for you, Signal Sciences and the industry this past year?
This year, I’ve seen a number of organizations (that were traditionally very hesitant) embrace and shift towards DevOps, Agile, and cloud, as well as begin the journey to modern development and IT infrastructure methodologies needed for digital transformation. It’s not just the scrappy startups embracing cloud, but large enterprises as well. In spite of what it may seem at first, I strongly view this as a net positive for security. With this fundamental shift, more and more organizations are recognizing the need to make security a real-time, every day part of an agile development culture, which ultimately makes the business more secure.
With this shift, it’s been a breakout year for Signal Sciences. The main excitement has been our explosive growth. We now protect more than 100 billion requests every week, which is more than 50x what some of the largest scale consumer properties see in a month. We’re also very proud to say (the rather unbelievable statistic) that more than 95% of our customers have Signal Sciences in full automated blocking mode with no learning, tuning, or the usual “gotchas” that you expect from legacy approaches.
Regarding application security, where is the industry at now? And where does it need to be in 2018?
The biggest change for all of us defenders out there, whether you’re a CTO, CIO, CISO or anyone in DevOps or security, is going from the traditional software engineering models of Waterfall and data center to newer models, like DevOps, Agile, and cloud. These new approaches have really changed the way we create and deliver software. With a waterfall model, you might release software once every 12 to 18 months. By adopting DevOps, your team can be changing code and launching new versions of software every hour or less. This fundamental shift provides a good model for the direction security needs to go. Security needs to be in real time, and not bolted on at the end as a gatekeeper. It has to be baked into the process from the very beginning.
This isn’t something that’s going to happen overnight, but we are recognizing that the old security model must fundamentally change from “blocker” to “enabler”. An enterprise security program must now answer: “how do we enable the business? And how do we enable the DevOps teams to be security self-sufficient?” That's the only way that we're going to be successful as part of this change.
What are the growing threat vectors that companies should pay attention to in 2018?
Today, and in 2018, the risk will continue to shift from infrastructure to the application layer. Web apps have evolved from providing basic information and ecommerce functionality to the primary way in which businesses interact with their customers. This increase in data and risk at the application layer will continue to shift attackers from targeting the infrastructure layer to the application layer.
The attack patterns have also greatly expanded and will continue to do so in the years to come. Traditionally, you saw application security efforts focused on threats like SQL injections and cross-site scripting (XSS) attacks. Beyond these OWASP injection issues, modern threats now include attacks such as account takeover, business logic abuse, API misuse, bots, and application level DDoS.
It’s critical to not only adapt the way we think about how we defend applications when they change so rapidly, but also, how we defend them across all of the modern threats. This is the fundamental challenge organizations of all sizes will face in 2018.
What other security trends are you particularly excited about in 2018?
The trend that I've been most excited about is when organizations realize that the shift to DevOps, Agile, and cloud is a net positive for security. As CISO at Etsy, which was one of the early companies that invented what we now call DevOps, I went through this shift firsthand, and at first, it can be nerve-wracking as it seems like a massive loss of control. However, what you come out learning is that the shift to DevOps actually creates a greenfield opportunity for security.
Any development methodology is going to have vulnerabilities. The move to DevOps means increasing the velocity of not only development, but also of security response. If you do it right, the net positive for security is that you really do have the ability to react. Under the old model, if there is a critical vulnerability that gets discovered, that might mean months or weeks to actually address the issue, even in an emergency. Under modern approaches to software development, that same critical vulnerability gets discovered, and because security is baked into the process, it gives you visibility and the speed to fix problems quickly.
And last, but not least, what is a New Year’s resolution every CSO or CISO should add to their list?
Don't get distracted by the headlines of zero-day nation-state APT buzzword-filled cyberattacks. Instead, know where the real risks are and get the basics right. The shift to the cloud will continue to dominate as a major trend in 2018. Security programs must shift from being focused on the outdated model of a perimeter, to instead focusing on the application layer and endpoint defenses that support modern infrastructure and application decisions.
CISOs and other security professionals must focus on getting the common sense controls in place, like two factor authentication, full-disk encryption, and web protection for the application layer where the risk has shifted to. Don’t stress over the 1 percent nation-state zero-day scenario when it’s the 99 percent of common attacks that end up compromising most organizations.