The war between data defenders and data thieves has been described as a cat-and-mouse game. As soon as the white hats counter one form of black-hat malicious behavior, another malevolent form rears its ugly head. How can the playing field be tilted in favor of the infosec warriors? Here are five emerging security technologies that may be able to do that.
- Hardware authentication
The inadequacies of usernames and passwords are well known. Clearly, a more secure form of authentication is needed. One method is to bake authentication into a user’s hardware. Intel is moving in that direction with the Authenticate solution in its new, sixth-generation Core vPro processor. It can combine a variety of hardware-enhanced factors at the same time to validate a user’s identity.
Intel has built on previous efforts to dedicate a portion of the chipset for security functions to make a device part of the authentication process. Good authentication requires three things from users: what they know, such as a password; who they are, such as a username; and what they have, such as a token. In the case of Authenticate, the device becomes the what-you-have.
“This isn’t new,” said Scott Crawford, research director for information security at 451 Research. “We’ve seen this in other manifestations, such as licensing technologies and tokens.”
Hardware authentication can be particularly important for the Internet of Things (IoT) where a network wants to ensure that the thing trying to gain access to it is something that should have access to it.
However, Crawford noted, “The most immediate application for the technology is for authenticating an endpoint in a traditional IT environment — laptops, desktops, and mobile devices using Intel chipsets.”
2. User-behavior analystics
Once someone’s username and password are compromised, whoever has them can waltz onto a network and engage in all kinds of malicious behavior. That behavior can trigger a red flag to system defenders if they’re employing user behavior analytics (UBA). The technology uses big data analytics to identify anomalous behavior by a user.
“There’s a lot of interest in this in the enterprise,” 451’s Crawford said.
"User activity is the number one concern of security professionals."
He explained that the technology addresses a blind spot in enterprise security. “Once an attacker gains entry into an enterprise, what happens then?” he asked. “One of the first things they do is compromise credentials. So then the question becomes, Can you differentiate between a legitimate user’s activity and an attacker who has gained entry, compromised a legitimate user’s credentials and is now looking for other targets?”
Visibility into activity that does not fit the norm of the legitimate user can close a blind spot in the middle of the attack chain. “If you think of the attack chain as initial penetration, lateral movement, and then compromise, theft, and exfiltration of sensitive data, the middle links in that attack chain have not been very visible to enterprise security pros, and that’s why the interest in user behavior analytics today,” Crawford said.
Comparing a user’s present behavior to past behavior isn’t the only way UBA can identify a malicious actor. “There’s something called ‘peer analysis’,” explained Steven Grossman, vice president for program management at Bay Dynamics, a threat analytics company. “It compares how someone is behaving compared to people with the same manager or same department. That can be an indicator that the person is doing something they shouldn’t be doing or someone else has taken over their account.”
In addition, UBA can be a valuable tool for training employees in better security practices. “One of the biggest problems in a company is employees not following company policy,” Grossman said. “To be able to identify those people and mitigate that risk by training them properly is critical.”
"Users can be identified and automatically signed up for the training appropriate for the policies they were violating."
3. Data loss prevention
A key to data loss prevention is technologies such as encryption and tokenization. They can protect data down to field and subfield level, which can benefit an enterprise in a number of ways:
Cyber-attackers cannot monetize data in the event of a successful breach. Data can be securely moved and used across the extended enterprise — business processes and analytics can be performed on the data in its protected form, dramatically reducing exposure and risk. The enterprise can be greatly aided in compliance to data privacy and security regulations for protection of payment card information (PCI), personally identifiable information (PII) and protected health information (PHI).
“There’s been a lot of security spending over the last several years, and yet the number of records breached in 2015 went up considerably over the prior year,” noted 451’s Crawford. “That’s contributing to the surge in interest in encryption.”
However, as John Pescatore, director of Emerging Security Trends at the SANS Institute, points out, authentication plays an important role in data loss prevention.
"There can’t be strong encryption without key management, and there can't be key management without strong authentication."
4. Deep learning
Deep learning encompasses a number of technologies, such as artificial intelligence and machine learning. “Regardless of what it’s called, there a great deal of interest in it for security purposes,” 451’s Crawford said.
Like user behavior analytics, deep learning focuses on anomalous behavior. “You want to understand where malicious behavior deviates from legitimate or acceptable behavior in terms of security,” Crawford explained.
"When you're looking at activity on the enterprise network, there's behavior that's not user behavior but is still malicious. So even if it's looking at behavior, it's looking at a slightly different application of behavioral analytics."
Instead of looking at users, the system looks at “entities,” explained Brad Medairy, a senior vice president with Booz Allen. “Exact business analytics and recent developments in machine-learning models mean we are now able to look at the various entities that exist across the enterprise at the micro to the macro levels. For example, a data center, as an entity, can behave a certain way, similar to a user.”
Use of machine learning can help stamp out the bane of advanced persistent threats, added Kris Lovejoy, president of Acuity Solutions, maker of an advanced malware detection platform. “With its ability to decipher between good and bad software, at line speed, machine-learning technologies will offer a significant boon to security practitioners who seek to decrease time to advanced threat detection and eradication,” she said.
Crawford said he expects investments in deep learning for security purposes to continue. He added, however, that “the challenge for enterprises is there are a lot of companies coming to market with similar approaches for the same problem. Differentiating distinctions from one vendor to another is going to be a major challenge for enterprises in the coming year and beyond.”
5. The cloud
“The cloud is going to have a transformative impact on the security technology industry generally,” Crawford said.
He explained that as more organizations use the cloud for what has traditionally been the domain of on-premises IT, more approaches to security that are born in and for the cloud will appear. On-premises techniques will be transitioned to the cloud. Things such as virtualized security hardware, virtualized firewalls, and virtualized intrusion detection and prevention systems. But that will be an intermediate stage.
“If you think about what an infrastructure-as-a-service provider can do on a very large scale for all of its customers, there may not be the need to pull out all the defenses you need on-prem,” Crawford said. “The infrastructure-as-a-service provider will build that into their platform, which will relieve the need to do that for the individual cloud customer.”
SANS’ Pescatore added that government agencies and private industry have increased the security of their data centers by using IaaS services such as Amazon and Firehost. “The GSA FedRAMP program is a great example of ‘certified secure-enough’ cloud services that make it easier for the average enterprise to have above-average data center security,” he said.
These five should help out the infosec warriors get the upperhand. Any we missed? Which technologies do you suggest will move the needle on information security? Weigh in via the comments below.