2012. Been and gone pretty much, in the blink of an eye. Well, it lasted pretty much as long as 2011, give or take, but one thing's for sure: information security became more of a big deal. In my eyes, it always has been a big deal. Security is a default in my opinion, both in my personal and professional life. I fail safe when it comes to processes or technical changes. I believe security is essential, not only at an individual team, system, person or organisation level, but also from an industry and society perspective.
The Year That's Been
The biggest takeaway for me was that non-security people started to take security seriously. Governments got involved with information security in a big way. The US had several issues with SOPA, the Stop Online Piracy Act, and then turned its attention to cyber war, with several policy discussions and a hardening of attitude towards the likes of China and Iran from a cyber security standpoint. October saw the release of a damning report against Chinese network component provider Huawei, indicating the organisation posed a significant threat to the US from an intelligence-gathering and supply-chain disruption perspective.
The UK got involved too, announcing an investment of £650 million, to be spent over 4 years on cyber security research in partnership with some of the UK's top universities.
'Big Data' again grabbed the headlines at most of the vendor trade shows, with products focusing on data aggregation and advanced intelligence and analytics. Information-centric security response has become a talking point, with the focus on centralised SIEM and logging solutions being combined with identity and behaviour profiling systems in order to create a more contextual view of potential threats. The concept is interesting, but again, reactive. Organisations are generating vast amounts of data across all pillars, not just security, and finding even the smallest crumb of competitive advantage within the data mountain is now seen as the holy grail. From a consumer perspective, the topic which consistently caught my attention was the rise of mobile malware, especially on smartphones running the Android operating system. The significant rise in Android handsets simply means an attacker has a greater potential revenue pool to tap into if a malware app were successful. The rise of dialers, texters and spambots landing on Android devices seems to be an expected tidal wave in the coming months.
So What's Ahead?
I'm not one for big predictions at all. Technology in general evolves so quickly that 12 weeks is an age when it comes to new ideas, iterative development and market changes, and security is no different. However, the main areas I will personally be following with interest will be the BYOD/BYOA, personnel, preemptive security and social intelligence areas.
BYOD / BYOA
Bring Your Own Device is a bit 2009, but is now starting to infiltrate many organisations' infosec plans, with several on a version 2.0 implementation strategy. The sheer rise in consumer ownership of the laptop-in-your-hand style of phone makes leveraging their capability a cost-effective and beneficial internal marketing strategy for many companies. As more and more employees shout for the use of iPad-like applications and user interfaces, organisations ultimately have to listen. The biggest concern is obviously security. BYOA (Bring Your Own Application) is a variation on a theme, and I will be looking to see how organisations implement approaches surrounding personal and business data separation, the development and distribution of internally built apps, and the logistical and legal implications.
Security Personnel Shortages
2012 saw many independent and not-for-profit research papers being released on the continual shortage of information security professionals. The reports indicated that the infosec industry will create at least 2 million more jobs within the space due to market demand. The upward trend is seemingly being driven by more complex architectures such as cloud adoption and BYOD, as well as an increasing focus on compliance. It will be interesting to see whether there is in fact a shortage of good quality information security professionals, or simply issues within the hiring process, where organisations are unable to articulate and map the skills they require. The salary trends in both the US and Europe will be interesting reading, as will the number of qualified security professionals, especially covering the defaults such as CISSP, CISM, CISA and CEH.
Preemptive Security
Preemptive security has always been a big interest area for me. Many products in the market today are often focused on the reactive. Analysis tools, post-incident investigation and even areas that look to stop the bad stuff from happening could be deemed too reactionary. I have always argued for a longer-term shift for security to be more embedded, as a default and preemptive. Areas such as security-by-default operating systems, as recently announced by Kaspersky, or whitelisting, push security to an implicit position as a default. Instead of trying to develop an infinite number of signatures to stop a piece of malware or an insider attack pattern, stop everything unless it's known to be good. Windows 8, for example, in its attempts at boosting security, includes a boot-loader feature which stops the OS from loading if file hashing identifies that a component has been tampered with.
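To make the "stop everything unless it's known to be good" argument concrete, here is an added example (not code from the original post, Kaspersky or Microsoft) contrasting a signature-style deny-list with a hash-manifest allow-list over the same set of constructed components, and a boot-style check that refuses to proceed if any component fails. The file contents, the manifest and the "known bad" hash are all constructed for the example; real boot integrity checks also verify signatures over the manifest, which is left out here to keep the contrast clear.

```python
import hashlib
from typing import Callable, Dict, Iterable

# Constructed stand-ins for an OS image's components: name -> contents.
SAMPLE_FILES: Dict[str, bytes] = {
    "kernel.bin": b"known good kernel build 2012.12",
    "driver.sys": b"known good storage driver",
    "helper.exe": b"unreviewed utility nobody approved",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(names: Iterable[str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Allow-list manifest: the hash of every reviewed, known-good component."""
    return {name: sha256_hex(files[name]) for name in names}


# Only the two reviewed components are in the manifest (constructed).
KNOWN_GOOD: Dict[str, str] = build_manifest(["kernel.bin", "driver.sys"], SAMPLE_FILES)

# Signature-style deny-list: hashes of malware already seen (constructed).
KNOWN_BAD = {sha256_hex(b"yesterday's malware sample")}


def denylist_decision(name: str, data: bytes) -> str:
    """Reactive model: allow anything that does not match a known-bad signature."""
    return "deny" if sha256_hex(data) in KNOWN_BAD else "allow"


def allowlist_decision(name: str, data: bytes) -> str:
    """Default-deny model: allow only a listed component whose hash still matches."""
    expected = KNOWN_GOOD.get(name)
    if expected is None:
        return "deny"            # never reviewed, so not trusted
    return "allow" if sha256_hex(data) == expected else "deny"


def evaluate(files: Dict[str, bytes], policy: Callable[[str, bytes], str]) -> Dict[str, str]:
    """Apply one policy to every component and return its per-file decisions."""
    return {name: policy(name, data) for name, data in files.items()}


def boot_allowed(files: Dict[str, bytes]) -> bool:
    """Boot-loader style check: every manifest entry must be present and unmodified."""
    for name, expected in KNOWN_GOOD.items():
        if name not in files or sha256_hex(files[name]) != expected:
            return False
    return True


def tampered_image() -> Dict[str, bytes]:
    """Constructed tampering: the kernel is replaced by something never seen before."""
    image = dict(SAMPLE_FILES)
    image["kernel.bin"] = b"kernel with an unsigned patch nobody has a signature for"
    return image


if __name__ == "__main__":
    print("deny-list :", evaluate(SAMPLE_FILES, denylist_decision))
    print("allow-list:", evaluate(SAMPLE_FILES, allowlist_decision))
    print("boot clean image:", boot_allowed(SAMPLE_FILES))
    print("boot tampered   :", boot_allowed(tampered_image()))
```

The unreviewed helper.exe and the patched kernel sail through the deny-list, because nobody has written a signature for them yet; the allow-list rejects both without needing to know anything about the attacker, and the boot check refuses to start at all.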
Social Intelligence & Data Aggregation
Back in September, Google acquired anti-malware start-up VirusTotal. It didn't seem to set the airwaves fluttering, but it caught my eye for several reasons. VirusTotal is an aggregation system for file and URL scanning. They sit in front of several of the top anti-virus providers and provide a free service, either via the website or an API, so you can either scan a file natively, or ping over a hash and check whether that file or URL has been involved in any skirmishes. Not very revolutionary, but the focus on aggregation and as-a-service is a powerful notion. Price comparison sites use a similar approach (air tickets, electronics, insurance), and the application of this approach to more security-related arenas is welcome, especially with a general focus on big is better (aka big data) and how processing vast amounts of alerts/vulnerabilities/signatures is key.
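The aggregation pattern described above, as an added example that is not VirusTotal's code and does not use its API: three constructed "engines" each hold their own verdicts keyed by SHA-256, the aggregator fans a single lookup out to all of them and reports a detection ratio, and a file is hashed locally first so only the hash, never the file, is sent. The engine names, sample bytes and detection labels are all constructed; the point of the error path is that one unreachable vendor should degrade the answer, not sink the whole lookup.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Constructed samples standing in for files a user might check.
MALICIOUS_SAMPLE = b"constructed sample: flagged by two of three engines"
CLEAN_SAMPLE = b"constructed sample: known clean"
UNKNOWN_SAMPLE = b"constructed sample: never seen by any engine"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Each "engine" stands in for one vendor back end: hash -> verdict label.
# 'clean' is an explicit clean verdict; a missing key means the engine has never seen it.
ENGINE_DB: Dict[str, Dict[str, str]] = {
    "EngineA": {sha256_hex(MALICIOUS_SAMPLE): "Trojan.Generic", sha256_hex(CLEAN_SAMPLE): "clean"},
    "EngineB": {sha256_hex(MALICIOUS_SAMPLE): "Android/Dialer.X", sha256_hex(CLEAN_SAMPLE): "clean"},
    "EngineC": {sha256_hex(MALICIOUS_SAMPLE): "clean", sha256_hex(CLEAN_SAMPLE): "clean"},
}


def query_engine(engine: str, digest: str) -> str:
    """Return a detection name, 'clean', or 'unknown'; raises KeyError for an unavailable engine."""
    return ENGINE_DB[engine].get(digest, "unknown")


def aggregate_by_hash(digest: str, engines: Optional[Iterable[str]] = None) -> dict:
    """Fan one hash lookup out to every engine and summarise the verdicts."""
    results: Dict[str, str] = {}
    for engine in (engines if engines is not None else ENGINE_DB):
        try:
            results[engine] = query_engine(engine, digest)
        except KeyError:
            results[engine] = "error: engine unavailable"  # degrade, do not fail the lookup
    answered = [v for v in results.values() if not v.startswith("error")]
    positives = [v for v in answered if v not in ("clean", "unknown")]
    return {
        "sha256": digest,
        "positives": len(positives),      # engines that flagged it
        "total": len(answered),           # engines that actually answered
        "seen_before": any(v != "unknown" for v in answered),
        "engines": results,
    }


def aggregate_file(data: bytes) -> dict:
    """Hash locally and look the hash up: the file contents never leave the host."""
    return aggregate_by_hash(sha256_hex(data))


if __name__ == "__main__":
    for label, sample in [("malicious", MALICIOUS_SAMPLE), ("clean", CLEAN_SAMPLE), ("unknown", UNKNOWN_SAMPLE)]:
        r = aggregate_file(sample)
        print(f"{label:9s} {r['positives']}/{r['total']} seen_before={r['seen_before']}")
    print(aggregate_by_hash(sha256_hex(MALICIOUS_SAMPLE), ["EngineA", "EngineZ"]))
```

The detection ratio is the useful output, but the "seen_before" flag matters just as much: a 0/3 result on a hash no engine has ever seen is not a clean bill of health, only an absence of evidence, which is exactly where an aggregator's reactive nature shows.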
Cross-posted from Infosec Professional.