The Future of Cyber Security

The future of work is remote, now security must follow

Home working has laid open organisations to attacks by opportunist cyber criminals, exploiting weakened security during the coronavirus pandemic

How strange that millions in isolation under lockdown could make the interconnected nature of our world felt so acutely. The response to the public health crisis is having a profound impact on reshaping the future of work, accelerating different approaches to communication and organisation. There's bound to be a tailwind of longer-term effects, and cloud, automation and artificial intelligence will be key for over-burdened IT teams to stay on top of them.

Most obviously, many of us work from home now. Businesses were forced to adapt to a digital-first model to remain operational and that's unlikely to go away. The UK's Department for Business, Energy and Industrial Strategy floated the possibility of a legal right to work from home; Germany is tabling legislation this autumn. Facebook expects more home working in the coming years and Twitter has said employees can work from home "forever" if they choose.

Consequences are already wide reaching, even bending previously held norms around time and space: Red Hat's chief security architect Mike Bursell asserts time zones "no longer exist". Box chief executive Aaron Levie agrees, saying that despite the highly stressful circumstances, the virtual mode of working does bring flexibility and agility, with employees able to collaborate quickly or engage with customers in any place at any hour. This was hardly impossible pre-coronavirus lockdown, but necessity has forced our hand.

More home working was always on the cards, says Richard Brinson, director of cyber security consultancy Savanti, but the speed and peculiar circumstances in which it happened have meant many companies racing to stand up infrastructure to enable safe and reliable home working at the eleventh hour. In some cases, this has exposed the weakness of business continuity plans.

Some firms aren't planning to reopen offices at all, already searching for lower outgoings when lockdown ends to cope with the economic fallout. It's not a case of if there will be changes to our post-COVID-19 working lives, or even when, Brinson adds. They're already being planned.

Digital first

The crisis has accelerated adoption of technologies that might have been on roadmaps, but organisations weren't ready for. Cloud adoption has soared to support remote working, opening a whole new can of worms and meaning security teams have to shoulder even greater pressures, ensuring organisations are operational and secure from a distance and with limited onsite access.

"A major issue when moving a lot more people to home working is companies still have a lot of on-premise or proprietary data centres, servers and systems that need to be accessed," says Brinson. "Either they have to open up holes in the firewall or dramatically increase the number of VPNs [virtual private networks] people are using."

The spike in home working is blowing apart notions of what enterprises look like. Rather than heavily-centralised IT, organisations must cope with large, disparate networks of devices. Brinson says that, given some businesses will be reducing headcount as a result of COVID-19 pressures, the potential for insider threats has increased. Unlike in normality, businesses may struggle to get their devices back without employing fleets of couriers. 

"Everything we talked about for the past two decades is right back at the forefront," adds Levie. "BYOD [bring your own device], consumerisation of IT, video chat, cloud storage: these are the essentials of a remote-work strategy. The things we have taken for granted, some of the earliest innovation in the cloud, are obviously so fundamental."

Automate, automate, automate

Infosec professionals can easily find themselves trapped in Sisyphean games of whack-a-mole, locked into an unending arms race against attackers to stay on top of threats. With working norms overturned, that challenge intensifies. What might have been unusual network traffic no longer is, for example. Thankfully, smarter, machine learning-enabled tools can spot what traditional email security cannot.

There are also steps security professionals can take to help mitigate these threats. "Automate, automate, automate," advises Red Hat's Bursell. Security automation needn't be limited to businesses at the bleeding edge of technology. He says it "means having a process" and "making sure you can step through that easily without everything requiring 15 emails".

"Design in the expertise, use the experts and apply their expertise at the right place," says Bursell. "Whether it's ensuring all laptops have disk encryption on – a basic, simple thing to do – it should be the bare minimum and you can automate that."

Brinson expects growth in the zero-trust model, perhaps epitomised by Google's BeyondCorp implementation, in which no network traffic is trusted until it's authenticated.

"We no longer have a castle with walls and a moat," he says, "because everybody's working from their houses. So treating people's identity as the thing that you have to secure, providing the right access to the right people at the right time, is what becomes the really important thing. It doesn't matter how they're accessing, it's a case of making sure it's the right person."

According to Levie, simplicity, usability and best-in-class software will be essential in tightening security across organisations, because employees are time limited for getting to grips with overly complex technologies.

"Software has to have security built in by design; it can't be an afterthought," he says. "It's got to be something that's baked in."

Fighting back against a new wave of AI attacks

Determined hackers are using artificial intelligence in a bid to steal an advantage, penetrate security and raid businesses

The fight against cyber crime has long been described as an arms race: a relentless battle between cyber security experts and hackers, playing out across an increasingly sophisticated threat landscape.

An example of this is the use of artificial intelligence (AI) in cyber security, with attackers increasingly using AI and machine learning (ML) to probe networks, find vulnerabilities and develop more evasive malware. Indeed, 88 per cent of IT professionals expect AI-based attacks to go mainstream by 2021.

To counter this, organisations are deploying AI to keep one step ahead of malicious actors. This is because AI can analyse threat data much faster than a human, enabling more efficient decision-making and helping to prevent the impact of an attack.

“Machine learning can help recognise behaviour that falls outside ‘normal’ parameters,” explains Ivana Bartoletti, co-founder of Women Leading in AI. “For example, an AI system can learn what ‘normal’ looks like for a particular company and spot an oddity, such as an employee logging in at a very unusual time. If something different is identified, then an automated action can also be triggered.”

Neutralising threats

Put simply, AI relies on user and attack behaviour analytics and network traffic analytics to neutralise a threat before it becomes a crisis. For example, organisations are equipped with a collection of firewalls, networking equipment and end-points. These devices generate millions of lines of logs every hour, which are impossible for security analyst teams to review for anomalies.

“An AI-enabled SIEM [security information and event management] system can digest these logs in real time for patterns in network packets and block them automatically if flagged as a threat,” says Safi Raza, director of cyber security at Fusion Risk Management.

“ML enables AI to monitor user-behaviour and makes billions of probability calculations, detecting a threat before it spreads. These AIs are capable of collaborating with other resources through continuously updating centralised data repositories of known and evolving threats.”

However, AI in cyber security isn’t restricted to enterprise-sized organisations; it is being used to improve the effectiveness of antivirus software too. The two major issues with any antivirus are false negatives and false positives, says Dr Chuck Easttom of Capitol Technology University, Washington DC, a member of non-profit association for cyber security professionals (ISC)².

“A false negative is when the antivirus software falsely believes a virus is not a virus and allows it through. A false positive is when an antivirus falsely believes a benign file is malware and blocks it,” he says. “ML essentially allows the antivirus to learn from its mistakes and improve its accuracy over time. This reduces both false negatives and false positives.”

Silver bullet

Experts agree, however, that AI shouldn’t be viewed as a cyber security silver bullet. It needs to be part of a more complex approach, says Bartoletti. This goes back to cyber attackers themselves using AI to harm companies, for example by introducing bias into a model so it produces the wrong outcome. A thorough analysis of the threat landscape is therefore essential to understand where AI can augment an organisation’s ability to fight cyber crime.

“In a nutshell, companies need smart cyber experts who can use innovative new AI-powered cyber tools to prevent and detect breaches, reduce response times and identify patterns of behaviour. AI in cyber is about augmentation rather than automation,” she says.

Indeed, while many applications of AI involve reacting quickly to threats and speeding up decision-making by human analysts, the ultimate opportunity is for businesses to move from a reactive to a proactive approach to cyber risk, says Saj Huq, programme director at LORCA, the UK government’s cybersecurity innovation programme.

“For example, advanced, sophisticated threats such as polymorphic malware can change their profile; AI can aid with advanced malware analysis, ultimately learning patterns over time and predicting its next move before any damage is done,” he says. “This is the panacea for cyber security: predicting and stopping attacks before they happen.”

Protecting against opportunistic cyber attacks

Malicious actors are attempting to leverage global uncertainty to make their cyber attacks stealthier and more successful.

Companies are spending more and more on security globally

[Chart: global spend and predicted global spend]

But despite increased resources, incidents are still occurring – and business email accounts are particularly vulnerable

Malicious actors are trying 'spoofing' – high quality email mimicry, ostensibly from trusted sources – to compromise remote workforces

Spoofing (percentage of all malicious emails) since lockdown

More cyber security leaders are dedicating at least a fifth of their budget to AI, ML or RPA

Commercial feature

AI and security in a global crisis

The pandemic has tested AI’s ability to handle extreme events. In the cyber realm, the battle is still raging

As almost every country around the world focuses on fighting the coronavirus global health crisis, governments are warning of advanced, persistent cyber threats targeting their nation’s most critical organisations and explaining that cyber resilience is a top priority.

Scott Morrison, Australia’s prime minister, is the latest leader to warn public and private organisations of the threat from cyber intrusions. While nation state cyber attacks have been a reality for some time now, these have escalated as global tensions heat up and hacking techniques become more advanced.

What’s more, public services and critical infrastructure providers – healthcare organisations, fire departments, police bodies and energy companies to name a few – have been forced onto the frontline and their vast digital infrastructures have become alluring targets for cyber criminals looking to exploit digital vulnerabilities.

The impact of a successful cyber attack on these institutions is serious and could potentially jeopardise essential services and care facilities, weakening our ability to manage the ongoing pandemic. In the UK, the NHS has already felt the effects of the 2017 WannaCry ransomware attack that locked doctors out of their systems and brought services to a standstill.

As Morrison warned, the hacking campaign has all the hallmarks of a sophisticated and coordinated attack with the aim of penetrating critical parts of government. Attempts to exploit both system and human vulnerabilities using spear-phishing remain persistent.

The potential impact of an attack on critical national infrastructure should not be understated. As smart buildings, connected cities and the Internet of Things continue to grow, vulnerabilities are growing with them, and state sponsored attackers are on the lookout for ways in.

Lines between cyber and physical are blurring and this raises the stakes for all involved, increasing the likelihood of unintentional escalations and further complicating international relations.

In response, the Australian Cyber Security Centre says all businesses must use security patches on “internet-facing infrastructure” immediately.

But, just as national responses to the pandemic have not relied on hand-washing alone, the world has to wake up to the reality that world-class cyber security is more than just updating passwords and patching known vulnerabilities. We must now embrace robust, world-leading cyber security solutions that deploy cutting-edge artificial intelligence (AI) technology.

Cyber criminals are more sophisticated than ever and can deploy more advanced malware that can mutate within an organisation to maximise impact. Any crisis provides fertile ground for attackers; they exploit the weakest link in an organisation and, in current times of stress and under-resource, these weak links are being tested as never before.

In fact, during April 2020, 60 per cent of all advanced spear-phishing attacks sought to take advantage of the pandemic, spreading false information shrouded under the guise of government and trusted health bodies.

Organisations across all industry verticals are susceptible to such attacks. Offensive techniques will continue to become increasingly advanced and the cyber criminals are themselves leveraging AI in supercharged attacks. 

As countries release, or prepare to release, their COVID-19 contact tracing apps, cyber resilience is more crucial than ever. Technology has an important and necessary part to play in tackling the pandemic, but it is not without security and privacy risks and concerns. We should expect attacks against individuals’ devices to rise, as well as campaigns against the centralised servers handling vast amounts of public data.

With such prospects, now is the time to supercharge the cyber defence of our critical digital infrastructure, ensuring the nation is resilient and can prevent data breaches or systems being compromised at the first instance, both at machine speed and in real time.

The good news is there are cutting-edge cyber security innovations out there that work. Indeed, many critical service providers, such as NHS trusts, the London Fire Brigade and energy companies like Drax, are using AI to fight cyber attackers.

The pandemic has been a rare, extreme event providing a real-world test of how robust many companies’ cyber defences are. Rule-based defences, relying on predicting what good or bad digital activity will look like based on past events, have struggled. How can they defend the present when it suddenly stops looking like the recent past? Even supervised machine-learning, trained on lots of historical data, has been unable to cope when confronted with “out-of-distribution” datapoints.

Unsupervised machine-learning, on the other hand, is the only technology that has been able to continue to defend organisations amid the chaos. Unsupervised machine-learning has no preconceptions about what good employees do or what hacker activity looks like. It is self-learning and constantly recalibrates its understanding of “normal”.

When the world turned on its head, with mass remote working happening overnight, AI learnt this new pattern of life for organisations and autonomously continued to fight back against cyber attacks before they did damage.
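The contrast drawn above between rule-based defences and a self-recalibrating baseline can be made concrete with the "employee logging in at a very unusual time" case mentioned earlier. The Python below is an added example, not code from the article or from any product it mentions; the login data is constructed and the window, tolerance and support thresholds are assumptions chosen for illustration.

```python
from collections import deque

# Constructed sample: one user's login hours (0-23), one login per working day.
OFFICE = [9, 8, 9, 10, 9, 8, 9, 9, 10, 8] * 2           # pre-lockdown pattern
REMOTE = [21, 20, 21, 22, 21, 20, 21, 21, 22, 20] * 2   # new evening pattern
LOGINS = OFFICE + REMOTE + [3]                           # final 03:00 login is the oddity


def static_rule(hour, start=7, end=19):
    """Fixed rule written for office life: alert outside 07:00-19:00."""
    return not (start <= hour < end)


def circular_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are 1 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


class RollingBaseline:
    """Unlabelled baseline of recent login hours that relearns on every event."""

    def __init__(self, window=30, tolerance=1, min_support=0.1, warmup=10):
        self.hours = deque(maxlen=window)   # only the most recent logins count
        self.tolerance = tolerance          # hours either side treated as similar
        self.min_support = min_support      # share of similar logins required
        self.warmup = warmup                # no verdicts until this many are seen

    def observe(self, hour):
        """Score the login against the current baseline, then learn from it."""
        anomalous = False
        if len(self.hours) >= self.warmup:
            similar = sum(
                1 for h in self.hours
                if circular_distance(h, hour) <= self.tolerance
            )
            anomalous = similar / len(self.hours) < self.min_support
        self.hours.append(hour)             # recalibrate "normal"
        return anomalous


def static_alerts(logins):
    """Indices of logins the fixed office-hours rule would alert on."""
    return [i for i, hour in enumerate(logins) if static_rule(hour)]


def rolling_alerts(logins):
    """Indices of logins the recalibrating baseline would alert on."""
    baseline = RollingBaseline()
    return [i for i, hour in enumerate(logins) if baseline.observe(hour)]


if __name__ == "__main__":
    print("static rule alerts:", len(static_alerts(LOGINS)))
    print("rolling baseline alerts at indices:", rolling_alerts(LOGINS))
```

On this sample the fixed rule alerts on every evening login after the shift, while the rolling baseline alerts only on the first few and still catches the 03:00 login.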

Strong passwords and patching are important basics, but they are fundamentally insufficient to stop a new generation of hackers determined to wreak havoc with more advanced capabilities. Now is the time to supercharge cyber defence with advanced technologies and protect our nation’s lifeblood, our healthcare systems and other critical services.

Five ways to make cyber security work harder

How to stay ahead of the hackers and protect your organisation online

Although investment in cyber security is at an all-time high, breaches are still a regular occurrence. A significant challenge is the risk of “whack-a-mole” defence trying to keep up with new emerging threats. So what can organisations do to maximise cyber security investment and improve their security posture without having to invest in yet more technology?

1. Security audit

The first question to ask is “What do we have within our IT estate?” Many breaches are caused by weak links that allow hackers to gain a foothold inside the victim’s network and pivot to something more valuable. This could be an old Windows 7 machine missed in the last upgrade or an unpatched web server that is still accessible from the internet. An audit process aided by software tools, which is collated against a physical and virtual inventory, can make sure nothing is overlooked.
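Collating tool output against an inventory, as described above, comes down to a reconciliation pass. The Python below is an added example, not part of the original article; the hostnames, dates, the 30-day patch threshold and the finding labels are all constructed assumptions.

```python
from datetime import date

# Constructed sample data. INVENTORY is what the IT team believes it owns;
# DISCOVERED is the set of hostnames a network discovery tool actually saw.
INVENTORY = {
    "lap-0142": {"os": "Windows 10", "last_patched": date(2020, 6, 9),
                 "internet_facing": False},
    "lap-0077": {"os": "Windows 7", "last_patched": date(2020, 1, 14),
                 "internet_facing": False},
    "web-01": {"os": "Ubuntu 18.04", "last_patched": date(2020, 2, 3),
               "internet_facing": True},
    "fs-02": {"os": "Windows Server 2016", "last_patched": date(2020, 6, 9),
              "internet_facing": False},
}
DISCOVERED = {"lap-0142", "lap-0077", "web-01", "nas-lab"}
TODAY = date(2020, 6, 15)        # constructed audit date

END_OF_LIFE = {"Windows 7"}      # Microsoft support ended in January 2020
MAX_PATCH_AGE_DAYS = 30          # assumed policy threshold


def audit(inventory, discovered, today):
    """Return sorted (host, finding) pairs from reconciling scan and inventory."""
    findings = []

    # Devices on the network that nobody has recorded.
    for host in discovered - set(inventory):
        findings.append((host, "unmanaged"))

    for host, record in inventory.items():
        # Recorded devices the scan could not find: retired, lost or off-network.
        if host not in discovered:
            findings.append((host, "not_seen"))
        # The "old Windows 7 machine missed in the last upgrade" case.
        if record["os"] in END_OF_LIFE:
            findings.append((host, "end_of_life"))
        # The "unpatched web server" reachable from the internet case.
        patch_age = (today - record["last_patched"]).days
        if record["internet_facing"] and patch_age > MAX_PATCH_AGE_DAYS:
            findings.append((host, "stale_patch_exposed"))

    return sorted(findings)


if __name__ == "__main__":
    for host, finding in audit(INVENTORY, DISCOVERED, TODAY):
        print(f"{host:10} {finding}")
```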

2. Penetration testing

A penetration test, or pentest, is where a team of ethical hackers test security theory versus a real-world attack. In most cases, a pentest will examine the edge where an organisation’s IT systems interact with the internet. However, more advanced options can mix real-world techniques such as gaining physical access to hardware within a building, posing as a courier or delivery worker for example, to hack systems. A pentest is non-disruptive and will deliver a report highlighting weaknesses and potential remediations, but this should be done annually at the least to stay ahead of system changes.

3. Patch day

Every day, there are new updates for software applications released by developers. Many of these are to fix security weaknesses. However, it is easy for hard-pressed IT departments to put off patching to a more convenient time. A tip is to block out all IT staff calendars at the same time each week to apply patches. Microsoft is famous for its Patch Tuesday, which occurs on the second and sometimes fourth Tuesday of each month. Developing a similar internal culture will help to make critical patching more likely to happen as planned.

4. Approved software

The best cyber security plans can be scuppered because staff use an unapproved product that is unsecured or even unknown to the IT department. Such shadow IT is most noticeable with file-sharing and collaboration tools, and has been exacerbated by the rise in remote workforces during the coronavirus pandemic. IT departments can deploy tools to detect their usage and block access, but it is often easier to just select an approved set of tools and make them available on request, adding visibility and security instead of fighting the tide.

5. Education, education, education

It is essential to educate staff and publish cyber security guidance that is easy to access and digest. The biggest cause of security breaches is staff who accidentally do something that enables vulnerability within an organisation’s carefully constructed cyber-defences. Accidentally downloading malware, sharing passwords, forgetting to notify IT of an employee leaving; all these can be prevented. Furthermore, cyber security awareness is not a one-shot deal; to stay ahead of constant change, regular updates, potentially using video conferencing, will deliver great value to any security efforts.