
Having had a bit of downtime over the holiday season this year, I had an opportunity to catch up on a lot of my fellow security pundits' predictions for 2016. Not too surprisingly, there were countless predictions of major breaches, new ransomware threats, and continuing cyber-militia activities. In fact, depending on who you believe, the next 12 months will be filled with catastrophic infrastructure failures, massive financial breaches, or the disclosure of millions of health care records… Who would've guessed?

One thing I did notice in many of these pieces is that very few offered ways to prepare for such calamities. So, rather than trying to predict the plot of the next Die Hard sequel, I figured I'd share some practices and approaches that may help the average security exec weather the impending Cybergeddon of 2016.

In the words of the immortal Sun Tzu:
“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.”

In the spirit of Sun Tzu, I offer some topics to consider when developing your 2016 strategy.

Private Threat Intelligence ‘communities’ will become more prevalent:
There is little doubt that one of the top practices in 2015 was the adoption of threat intelligence. Incorporating real-time data points and attack signatures into your ever-evolving security infrastructure has been a boon to early adopters. It will continue to play out as the technology and practices are refined and adopted by the more mainstream organizations.

But while the more traditional security organizations begin to invest in the threat intelligence space, in 2016 those early adopters will begin moving towards shared threat intelligence communities: groups of like-minded organizations with a common risk or threat posture, sharing far more specific information amongst themselves than they would publicly. Participation in such a community doesn't preclude members from still sharing key data points with the broader groups, but it allows a far higher level of trust in what is shared, right out of the gate.

While the various ISACs provide this service to many in the critical infrastructure sectors, there is still a need for a finer level of trust and control among peer organizations. Smaller, hyper-focused communities will begin to form between trusted organizations to share relevant threat indicators over a trusted information-sharing platform.

Cloud Access Security Brokers gain strong adoption:
Long gone are the days of trying to say ‘no’ to cloud services in the enterprise. That said, it is typically the security team’s responsibility to figure out how to integrate such services into the overall IT catalog of the dynamic enterprise – after all, who doesn’t want cheaper and more flexible infrastructure?

Cloud access security brokers (CASB) offer a solid control point (think: modern-day proxy) through which the security team can provide authentication, authorization, encryption, and monitoring for many of the top cloud providers and services. A CASB can be deployed on-prem or, ironically, in the cloud, and typically integrates with the directory services you already have in place.

Depending on the specific needs of the enterprise, either a forward-proxy or a reverse-proxy model can be introduced, each with its own pros and cons: a forward proxy sees all cloud traffic, including unsanctioned services, but only from devices you can point at it (via an agent or PAC file), while a reverse proxy covers any device, including unmanaged ones, but only for the sanctioned applications whose logins you can redirect through it (typically via your SSO provider). Many of the solutions now offer integration with other security controls (e.g., exporting activity logs to the SIEM), which lets your operations team fold the CASB into the wider security ecosystem as well. In fact, over the past year or so, most of these offerings have matured into solid choices for enterprises of all sizes, and by all accounts 2016 should bring a serious ramp-up in the adoption and deployment of CASB solutions.

User behavior analytics will move from cool tool to integrated intelligence:
If I were able to, I'd put user behavior analytics (UBA) up for the 'Breakout Performance of the Year' award. Many of the top players in the space not only won some serious deals this year, but also garnered the attention of many a VC firm. UBA tackles a problem we have all been dealing with for as long as the IT industry has been around: how do we distinguish the activity of a normal user from that of an adversary using a compromised credential? It sounds simple, that is, until you try to write a Hadoop query for it.

The reality is, any time you involve pesky humans, nothing is really straight-line predictable. It's all about watching, modeling, comparing to like users, modeling some more, feeding the results back into the model, and starting all over again for weeks and months on end. Many of the current UBA vendors have gone to extensive lengths to develop models and machine-learning algorithms that profile a user's behavior and compare that baseline to future activity. One practical caveat: the baseline is only as clean as the period it was learned from, so an attacker who already holds a credential during the learning window gets baselined as normal. While this sounds like something straight out of Ex Machina, the evolution of big data technology coupled with some serious data science is actually showing promise.

Finally, in contrast to some of the mistakes the early threat intelligence vendors made, many of the UBA vendors have focused on integration capabilities as well, allowing you to keep your single pane of glass while still taking advantage of the solution's algorithms. This integrated approach will provide long-term intelligence across the entire ecosystem, enhancing every part of the control base.
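The baseline-and-compare loop described above, as an added example (not code from the original post or from any UBA vendor): it learns a per-user and a per-peer-group baseline from a constructed set of SSO login records, then scores new logins on three features (source country, login hour, volume pulled from file shares). The log format, the weights and thresholds, and the fallback to the peer group when a user has fewer than five events of their own are all assumptions made for the example.

```python
"""Baseline-and-compare scoring for logins: per-user baseline, peer-group fallback.

Added example; the log format, feature weights and thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training window (not real data). Fields per line:
# ISO timestamp, user, peer group, source country, megabytes pulled from file shares.
TRAINING_LOG = """\
2015-12-01T08:12:04 alice finance US 120
2015-12-02T08:40:11 alice finance US 95
2015-12-03T09:05:52 alice finance US 130
2015-12-04T08:22:19 alice finance US 110
2015-12-07T08:55:03 alice finance US 100
2015-12-08T09:10:44 alice finance US 125
2015-12-01T07:58:30 bob finance US 80
2015-12-02T08:15:02 bob finance US 90
2015-12-03T08:30:41 bob finance CA 85
2015-12-04T08:05:17 bob finance US 70
2015-12-07T08:12:59 bob finance US 95
2015-12-08T07:50:23 bob finance US 75
2015-12-07T22:14:08 carol finance US 60
2015-12-08T23:02:37 carol finance US 70
"""

MIN_HISTORY = 5   # fewer own events than this: compare against the peer group instead


def parse(line):
    ts, user, group, country, mb = line.split()
    return {"hour": int(ts[11:13]), "user": user, "group": group,
            "country": country, "mb": float(mb)}


def summarize(events):
    """Collapse a list of events into the baseline the scorer compares against."""
    mbs = [e["mb"] for e in events]
    return {"n": len(events),
            "hours": {e["hour"] for e in events},
            "countries": {e["country"] for e in events},
            "mb_mean": mean(mbs),
            "mb_std": pstdev(mbs)}


def build_baselines(lines):
    """Return (per-user baselines, per-peer-group baselines)."""
    per_user, per_group = defaultdict(list), defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        per_user[ev["user"]].append(ev)
        per_group[ev["group"]].append(ev)
    return ({u: summarize(evs) for u, evs in per_user.items()},
            {g: summarize(evs) for g, evs in per_group.items()})


def score_event(line, user_base, group_base):
    """Score one new login 0..100 against the user's own baseline (or the peers'), with reasons."""
    ev = parse(line)
    own = user_base.get(ev["user"])
    peers = group_base[ev["group"]]
    # A brand-new or rarely seen user has no trustworthy baseline of their own yet:
    # fall back to "people like them" rather than flagging everything (or nothing).
    ref = own if own and own["n"] >= MIN_HISTORY else peers
    score, reasons = 0, []
    if ev["country"] not in ref["countries"]:
        # Unseen for this user is suspicious; unseen for the whole peer group more so.
        score += 40 if ev["country"] not in peers["countries"] else 20
        reasons.append("source country %s never seen before" % ev["country"])
    if all(abs(ev["hour"] - h) > 1 for h in ref["hours"]):
        score += 20
        reasons.append("login hour %02d is outside the usual window" % ev["hour"])
    if ref["mb_std"] > 0:
        z = (ev["mb"] - ref["mb_mean"]) / ref["mb_std"]
        if z > 3:
            score += 40
            reasons.append("%.0f MB pulled is %.1f sigma above baseline" % (ev["mb"], z))
    return min(score, 100), reasons


if __name__ == "__main__":
    users, groups = build_baselines(TRAINING_LOG.splitlines())
    # Constructed day-after events: one normal login, one credential-misuse pattern,
    # one night-shift user with thin history, one brand-new hire.
    for new in ["2015-12-09T08:30:00 alice finance US 115",
                "2015-12-09T03:17:45 alice finance RO 2400",
                "2015-12-09T23:30:00 carol finance US 65",
                "2015-12-09T08:10:00 dave finance GB 90"]:
        s, why = score_event(new, users, groups)
        print("%3d  %s  %s" % (s, new, "; ".join(why)))
```

The peer-group fallback is the part worth copying: without it, a night-shift user with two logins of history, or a new hire with none, either trips every rule or none of them, which is exactly the noise that gets these tools switched off.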

And since I haven’t gone out on the ledge too far already, how about a few bleeding-edge considerations that will likely start gaining traction throughout 2016…

Blockchains in the workplace:
While most people only think of blockchains as the machinery behind cryptocurrencies, the technology and practices behind them are getting a serious look from the financial industry. Insurance companies, investment firms, and mortgage lenders are taking a hard look at implementing blockchain technology to revamp their back-office processes. These early adopters are driving the adoption of some fundamental practices that will likely take off in 2017.

Fixing the User….. Credential:
It's simple: everyone's tired of the user ID and password, and none more so than security execs. We need to get rid of this antiquated method of user identification once and for all. With the continued adoption of Radio-frequency Identification (RFID) and Near Field Communication (NFC), along with fingerprint readers built into portable consumer devices, we now have a way to have a fairly high level of confidence that the person logging in is who they say they are. A tag or phone only proves possession and a fingerprint only proves presence, but the two together, bound to a registered device, make a far stronger claim than a shared secret that can be phished or reused.

Admittedly it's not perfect, but there is a valid argument here: if it's good enough for financial transactions, why can't it be good enough to check email? Several companies, large and small, are working on great solutions that also implement a solid adaptive authentication process, stepping up to a stronger factor only when the risk of a given login warrants it. With any luck, 2016 will see wider adoption of this type of solution, with a few fairly big names announcing product suites. This is really something to watch, because we all know that people will turn around and drive home for their phones but feel perfectly fine without a purse or wallet.

Micro-perimeterization becomes a strategy:
Yes, Virginia, there is still a perimeter… sort of. We've all heard the 'End of the Perimeter' death march for years now, and while there is some justification to it, I believe the perimeter is far more likely to shrink than to die. While 'The Cloud' has been a transformative approach to providing infrastructure services, security teams have struggled with how to secure and protect the business on it, many times in spite of themselves.

That said, we are now seeing solutions that not only use the cloud model but do so in a way that traditional security approaches failed at. The concept behind micro-perimeterization is pre-staged virtual machine images for the various services you need, with all of the necessary security controls built in. Need a web server? No problem: here's a VM with the apps you need, a host firewall/IPS preconfigured to expose only the service port, and connectivity to the SIEM already in place. There's no need to put it behind the legacy corporate firewall, since the controls travel with the image. Oh, and a side benefit? No unnecessary intra-perimeter communication, so even if one of the services falls to an attack, it can't be used as a stepping stone to the others, unlike a typical enterprise DMZ where a compromised host can reach its neighbors. The catch is that the image itself is now the perimeter, so patching and rebuilding it on a regular cadence becomes the one control you can't skip. Yes, security pundits, in 2016 the cloud is our friend… finally.
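What "controls built in" can look like for one such image, as an added example (not the author's or any vendor's code): a small Python renderer for the host firewall ruleset and the SIEM forwarding line, plus a linter that checks the image's invariants (default deny, only the service port and admin SSH exposed, neighbours dropped both ways, a path to the SIEM) before the image is promoted. The addresses and ports, and the choice of nftables and rsyslog, are assumptions; the `isolate=False` variant reproduces the classic DMZ behaviour the paragraph contrasts against.

```python
"""Render the controls baked into a single-purpose VM image: a host firewall that
exposes only the service port and refuses east-west traffic, plus log forwarding to
the SIEM. Added example; the addresses and ports below are assumptions."""
import re

# Assumed addressing for the example (none of it comes from the original post).
NEIGHBOUR_CIDR = "10.20.0.0/16"   # subnet the other pre-staged VMs live in
ADMIN_CIDR = "10.10.0.0/24"       # jump hosts that may SSH in
SIEM_HOST, SIEM_PORT = "10.99.0.5", 6514


def render_nftables(service_port, isolate=True):
    """nftables ruleset for the image.

    isolate=True  gives the micro-perimeter: neighbours are dropped both ways.
    isolate=False gives the classic DMZ behaviour, where anything we expose is
    reachable from a compromised neighbour as well.
    """
    ew_in = f"    ip saddr {NEIGHBOUR_CIDR} drop   # neighbours never talk to us\n" if isolate else ""
    ew_out = f"    ip daddr {NEIGHBOUR_CIDR} drop   # and we never talk to them\n" if isolate else ""
    return f"""table inet svc {{
  chain input {{
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
{ew_in}    tcp dport {service_port} accept
    ip saddr {ADMIN_CIDR} tcp dport 22 accept   # admin jump hosts only
  }}
  chain output {{
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
{ew_out}    ip daddr {SIEM_HOST} tcp dport {SIEM_PORT} accept   # log forwarding
    udp dport 53 accept
    tcp dport 443 accept   # package updates over HTTPS
  }}
}}
"""


def render_rsyslog():
    """rsyslog forwarding rule; @@ is plain TCP, so wrap it in TLS (omfwd + gtls) in production."""
    return f"*.* @@{SIEM_HOST}:{SIEM_PORT}\n"


def lint_ruleset(ruleset, service_port):
    """Verify the invariants the image promises; returns a list of findings (empty = OK)."""
    chains = {m.group(1): m.group(2)
              for m in re.finditer(r"chain (\w+) \{(.*?)\n  \}", ruleset, re.S)}
    inp, out = chains.get("input", ""), chains.get("output", "")
    findings = []
    for name, body in (("input", inp), ("output", out)):
        if "policy drop;" not in body:
            findings.append(f"{name}: default policy is not drop")
    if f"ip saddr {NEIGHBOUR_CIDR} drop" not in inp:
        findings.append("input: east-west traffic from neighbours is not dropped")
    if f"ip daddr {NEIGHBOUR_CIDR} drop" not in out:
        findings.append("output: east-west traffic to neighbours is not dropped")
    # Inbound accepts must be limited to the service port and admin SSH.
    for port in re.findall(r"tcp dport (\d+) accept", inp):
        if int(port) not in (service_port, 22):
            findings.append(f"input: unexpected inbound port {port} accepted")
    if f"ip daddr {SIEM_HOST} tcp dport {SIEM_PORT} accept" not in out:
        findings.append("output: no path to the SIEM")
    return findings


if __name__ == "__main__":
    ruleset = render_nftables(443)
    print(ruleset)
    print(render_rsyslog())
    print("hardened image findings:", lint_ruleset(ruleset, 443))
    print("classic DMZ findings:   ", lint_ruleset(render_nftables(443, isolate=False), 443))
```

In an image pipeline the rendered ruleset goes to /etc/nftables.conf (loaded with `nft -f`) and the rsyslog line into /etc/rsyslog.d/, and the lint runs as a build gate so an image with a widened ruleset never ships; the "not dropped" findings it raises against the `isolate=False` variant are the difference between a micro-perimeter and a flat DMZ.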

So there you have it, my take on what 2016 may hold for better or worse. I can’t wait to see what pans out.

Originally posted on

Copyright © 2002-2024 John Masserini. All rights reserved.



Chronicles of a CISO