The year that is ending was an active one in the security sector. That's hardly unique -- cybersecurity is an inherently dramatic sector -- and the year ahead figures to be dramatic as well.
Jason Porter, AT&T's vice president of security solutions, said in this Telco Transformation Q&A that the biggest threat in 2017 will be the scary use of IoT as an attack vector. This was a big story toward the end of 2016, so it likely will be front-page news early in 2017.
There was quite a bit of good news during the year. That, too, figures to continue. For instance, software-defined networks (SDN) emerged as a way to discreetly and selectively protect applications. A new generation of security experts increasingly will be groomed at colleges, universities and other educational venues. Finally, externalization -- the off-loading of security from end users to specialists -- will grow.
Telco Transformation: Before we look ahead, one look behind: How would you characterize 2016 in security?
Jason Porter: The obvious outstanding characteristic was the continued theme of new attack types and new attack volumes. The biggest new attack type we saw came later in the year with the use of IoT resources and deployed devices to attack shared services. It expanded the attack landscape for the CESO [Certified Expert Security Officer]. Now you are not just protecting what you're doing but also shared services partners. There are things that are not in your control that you have to worry about.
TT: One of the issues raised in AT&T's view of the year ahead is externalization. Why will this be an issue?
JP: Externalization as a whole really is ramping up. What I've seen is people or organizations that invested in security a few years ago are starting to hit life cycles where leadership is saying, "Whoa, I did not realize this would be a continued investment at that level. I thought we would invest for a little and we would get to [a level of] more efficiency." They didn't count on the shifting threat vectors and new attack types that continually push the investment level required to be at a sufficient security posture. What happened over time is that those organizations started to externalize cybersecurity because they need to be more efficient.
Also, people learned from those stories that there are new entrants who are joining the fray. There's enough history in this market now to realize that going it alone is a very hard road. So instead of starting with the older adage, "It's security… I must own it," they are getting help and advice that says it probably is best to go with someone who already has a head start and many years of investments and has already built platforms and automation. You can't catch up… It is very hard to catch up. Both of those paradigms are really ramping up.
TT: What threat vectors will be particularly scary in 2017?
JP: The biggest one is leveraging IoT end points, especially unsecured, unprotected end points. Having them participate in attacks is a very alarming trend. We've seen a 3,000% increase in IoT vulnerability scans over the last few years.
TT: How is the way in which security is packaged changing?
JP: I think the market has been very heavily focused on products, not solutions. When you are at RSA Security Inc. (Nasdaq: EMC) or Black Hat Inc. [conferences] you are faced with aisles of threat providers, firewall providers and aisles of CASBs [Cloud Access Security Brokers]. All these individual point solution providers are out there facing the CESO.
Really what the CESO needs is a solution that integrates all those things so he can do cross-correlated threat identification, so he can do dynamic and automated response. So I think you'll continue to see a trend toward that this year as budgets get tighter in the cybersecurity space and people are no longer allowed to grow in an unlimited manner.
TT: What impact is network virtualization having?
JP: What we are seeing with our deployments of software-defined networks is a significantly improved security position and posture. The ability to add layers of defense by virtualizing security provides a better security posture. It makes time our ally and allows the creation of unique containers for specific applications. So instead of just having a perimeter we now can wrap communities of applications in unique wrappers and establish very specific containers for sensitive applications. We can now see the adversary as they are probing the perimeter. If they get in, we watch as they probe the next perimeter. There is always another lock on another door that they have to decipher. This gives us more time to find them and it also gives us added security. For example, if you have an application that doesn't need HTTP open, you can wrap the application in a container that does not have HTTP open -- while the perimeter by its essence has to have HTTP open. It takes a well-trained security team to deploy, but we found the advantages to be immense.
TT: AT&T Inc. (NYSE: T) suggests that companies take a "strategic" approach to security investments. What exactly does this mean?
JP: It starts with a good risk-based security approach. It's not just going with the first vendor you met. You start thinking about the things you need to secure most, and go from the highest down so you are sure to protect the crown jewels. It has to be a leadership-led conversation starting at the board and CEO and his table. So it starts with defining what you are securing and where you are making investments. It needs to be a strategic conversation. You don't make short-term decisions. You have to understand both the short- and long-term and make your best decisions. Don't jump off the cliff just because it's the thing right in front of you. I think that's paramount.
TT: AT&T also suggests that getting the next generation ready for the challenges will be a noteworthy topic next year. How will this evolve?
JP: I'm excited to see the institutions -- college institutions, vocational programs and even things like military training programs -- have really been invested in security during the last few years. They have caught on to the need for cybersecurity talent. What you see is college programs launching degree programs around cybersecurity. I think you will see a continuation of that over the next few years to where potentially a majority of colleges in the United States will offer a cybersecurity track or program. We hosted a panel at our cybersecurity conference with colleges discussing why they went through it. I see it being pervasive very soon. This is good because there is not enough talent in the defense sector.
I think you are going to see programs get better at it after best practices develop. Training programs will evolve and be much more hands-on. There will be much more active, experience-based training instead of just book knowledge. I think that it's institutions partnering with the industry to do things like internships. This is where you bring in cybersecurity talent for a summer and give them real-world experience; where-the-rubber-meets-the-road jobs. They take the experience back to their school and the schools get better because they now have people who lived through black hat/white hat situations. So you also get things such as AT&T establishing a security development program where we bring in folks and give them rotations around cybersecurity.
— Carl Weinschenk, Contributing Writer, Telco Transformation