05 May Security Is A Constantly Moving Target, Isn’t It Time To Secure The Hardware?

It shouldn’t come as a surprise that cybersecurity is a different beast than it was 10, or even 5 years ago. While traditional cyber threats such as adware and spam emails are certainly still alive and kicking, the threat surface has grown enormously with the advent of IoT, mobility, BYOD, and the cloud. It’s a basic equation- the more interconnected we get, the more devices, the more digital traffic there is, control declines, the more crevices there are for cyber threats to exploit. As an industry analyst who’s been in the tech sector for a long time, I’ve had an up close and personal look at the evolving security. landscape for nearly 30 years. I wanted to spend some time today highlighting the trends I’ve been noticing, and what areas we as an industry need to be focusing on. 

The threat surface has widened and deepened

These new technologies are certainly a net positive in terms of improving agility, innovation, customer relationships, and the bottom line. However, along with these benefits come new, complex ways for cyber-criminals to exploit businesses’ weaknesses. The traditional approach to security was simple and relatively effective—build a strong, software-based perimeter with limited client and data access. However, hybrid IT and the cloud has completely changed the game by pushing IT outside of the physical datacenter. At Moor Insights & Strategy, we’ve been writing about this for a while—we published a few things blog a while back on the need for security to lead the cloud migration. The proliferation of mobile devices is drastically changing data access, doubling or tripling corporate devices, is outside the perimeter and disrupting the top-down hierarchical structure of yesterday. Something we’re seeing more and more of is employees inadvertently introducing risks from 3rd party cloud apps they download—typically with the good intentions of increasing opportunities and efficiency. Mobile solutions from Samsung like Knox and two step hardware-based biometric authentication from Intel, Synaptics have improved the client situation but the risk is never solved indefinitely and that’s only a third of the battle after securing the network and the datacenter.

IT departments are clearly struggling to keep up with the increasing fluidity of data perimeters—a recent cybersecurity survey sponsored by Cisco Systems (which I wrote about in here)  found that a majority of organizations use between 6-50 different security products. This brings up another issue—one can imagine the effectiveness gaps that might arise if all of those disparate products are not functioning completely in concert. The bottom line here, in my opinion, is that we need to be looking at security from a more holistic view—not just from the traditional software standpoint, but with an emphasis on hardware and firmware. Businesses must be protected from out on the edge, all the way down to the very core.

Hardware is the new front line of the battle

The fact of the matter is it’s impossible to truly secure IT without beginning at the hardware level. If hardware or firmware is compromised, the threat can evade detection for a very long time—most security tools simply aren’t looking at that level because the assumption is that they are secure. Turns out, they’re not. We’ve seen some large, high-profile DDoS cyber-attacks recently, driven by IoT devices—cyber-criminals have realized that there’s a big IT blind spot when it comes to hardware and firmware, as well as the supply chain. They know that security efforts are being focused primarily on software, and are beginning to exploit that.

Another scary aspect to this is that hardware/firmware bad actors are often pre-programmed to exploit resources somewhere further down the line—they just lay there undiscovered, biding their time. Some companies are investing in technology to better detect and handle threats once they’re already within the system—HPE comes to mind, with their recent acquisition of Niara (which I wrote about here), a company that specializes in User and Entity Behavior Analytics (UEBA). UEBA uses machine learning algorithms to detect anomalous user behavior within the system—an indicator that something is amiss from the inside. That is an example of the sort of next-generation security measures more businesses need to be looking at in this day and age.

New threat strategies emerging

Traditional cyber attackers primarily perpetrated so-called “smash and grab” attacks—quick, one-and-done crimes of opportunity. There’s been a noticeable shift from that towards more sophisticated, long-term attacks that compromise businesses for extended periods of time, exploiting and extracting resources all the while. This is thought to be connected to the rise of rogue nation states getting involved in the cybercrime game, and it may also be an indicator that larger, more organized criminal elements are at play. It’s an alarming trend that is certainly raising the stakes.

Another strategy on the rise is cybercriminals mimicking the very corporations they’re trying to breach—adopting a middle-management sort of approach, in which they employ certain “brokers” to mask criminal activity. This sneaky approach allows hackers to move more freely, quickly, and avoid detection.

Ransomware is also a fast-growing threat vector—software that is designed to block access to systems until a sum of money is collected. This form of malware traditionally targeted individuals, but it is quickly shifting its gaze towards business—deeper pockets, bigger payoffs. Ransomware-as-a-service (RaaS) is gaining a lot of traction—this is terrifying, because it lowers the barrier of entry so that anyone can commit cybercrimes, no knowledge of coding and hacking necessary. One can imagine the large influx of amateur-hour “hackers” suddenly in possession of all the tools they need to exploit and extort.

Cyberattacks seriously affect the bottom line

The bottom line is that cyberattacks affect the bottom line, and the financial stakes are only growing. Daily hack attempts purportedly led to around $455 billion in costs for the year 2016, according to a report done by the Ponemon Institute that year. The same study found that as a result of DDoS, web-based, and malicious code attacks, the $9.5 million annualized incident cost had risen around 21% since the previous year. It can seriously hurt a business’s livelihood—especially small businesses that are less equipped to bounce back. In fact, many of these small businesses who fall victim to a cyberattack go out of business within 6 months after. If that’s not an argument for getting serious about comprehensive cybersecurity, I don’t know what is.   

Wrapping up

In conclusion, there’s a definite need for comprehensive security solutions that address hardware and firmware, as well as software. The traditional methods just aren’t going to work anymore, now that cloud and IoT are here to stay. Threats are getting more advanced, more insidious, and more expensive, and they will doubtlessly continue to do so—in order to combat this, businesses really do have to be secure from the edge, to the core, and up into the cloud. I think pretty soon we’re going to see a lot of companies begin to shift away from the traditional, myopic software-focused strategies—but time, in this case, could very well be money. It can’t happen soon enough.