5 December 2019

Cybersecurity in 2020: More targeted attacks, AI not a prevention panacea

by James Sanders

Given the proliferation of high-profile attacks in 2019, the security outlook for next year—and the next decade—is filled with potential pitfalls, as challenges persist in maintaining the security profile in enterprises, particularly as security operations teams are spread thinner as attack surfaces widen. 

McAfee CTO Steve Grobman and Director of Engineering Liz Maida--who joined the company through their acquisition of Uplevel Security, a firm that applied graph theory and machine learning to security data--spoke to TechRepublic about the security forecast for 2020. Hackers are increasingly seeking out high-value targets

In contrast to spray-and-pray attacks, relying on port scanning to uncover low-hanging vulnerabilities, an increase in attacks targeting specific industries are anticipated to continue their rise in popularity. "We've seen a good number of ransomware campaigns where the adversaries have done reconnaissance to really understand the critical assets [and] the defenses, and then tailor the attack in order to get into that environment, to demand a higher payment from the victim," Grobman said.


"That really requires a much more sophisticated level of defense for the defenders. The other point that I'd make is...we see the evolution of attacks from just focusing on traditional compute environments, to also focusing on cloud environments. Given that many organizations are shifting key components of their operations into the cloud, it would be natural that adversaries are looking for ways to not only target traditional environments, but also cloud assets," Grobman said. How multicloud increases attack surface

While multicloud deployments may not be optimal from an IT standpoint, large organizations—particularly those with rich M&A histories, are likely to have footholds in multiple cloud providers. This complicates security measures, though solutions exist to address this deployment scenario. 

"A CASB (cloud access security broker) solution allows you to set up a common set of security policies, and have them apply to multiple environments. Similarly, you can do security monitoring and operations at a much lower cost than having to figure out how to instrument each of the cloud environments independently," Grobman said. "You still do have some additional overhead, because you need to have your operators and administrators understand some of the nuanced differences between cloud environments. You end up with some incremental challenges and costs, with every additional provider you add, but at least you can mitigate some of that by using the right technology."

Beware the AI-washing of security products

Artificial Intelligence (AI) is, in 2019, the same as blockchain was in 2018—every startup wants to bolt it onto their current offering in the hopes of attracting venture capital funding. "You can't just apply machine learning and AI on data that hasn't been set up well to begin with. The actual normalization and understanding that the cleanliness of the data has to be there as a foundational layer, before you can actually start applying different algorithms to extract more intelligence from the information," Maida said.

"One of the common things that we have seen is security analysts trying to correlate events from phishing emails, web gateways, endpoint attachment software, et cetera. If you can't actually understand the data within those events, it becomes very difficult to start understanding, [if] are all of these connected with some unique way, that it would actually suggest the presence of a potential malicious actor," Maida added.

"Cybersecurity is a great example, where you might have a company [claim] their AI algorithm is able to detect 99.999999% of threats. They could show you quantitative data to back up their claim. Unless you know all of the exact right questions to ask, you might look at that technology and say, 'Wow, that's amazing'. If you don't ask questions such as, 'What's your false positive rate required to get that detection rate?" Grobman said. "There's a number of, we can almost think of them as data science sins, that are very easy to abuse in order to make things look better than they actually are."

No comments: