What Makes For Really Good Security Predictions
Each year Trend Micro releases its annual Security Predictions Report. Good security predictions are very difficult to develop, and companies and consumers need to be selective about the security advice they take. What makes a good security prediction? Four key aspects:
1. The prime directive: any forecast must contain information you can act on.
2. Something that has already happened, or will not happen anytime soon, is not helpful. An action you can take within a timely manner, usually 1 to 2 years, falls within a useful timespan. However, if the notice is too short, you cannot take major action either, especially if it requires procurement or architecture changes.
If it is too far into the future, not only will it be of low impact and actionability, but the margin of error increases over time: technology and threats change too much for any security prediction to remain likely over the long term.
This timeliness and actionability map together like this (with a flying car to illustrate the uncertain future – I’m still waiting for my jetpack!):
3. The higher the likelihood, the greater the impact of actionability. 1% likelihood predictions are not useful. 100% likelihood predictions are useful if they have an impact on operations or are less obvious, whereas a 100% likelihood of an obvious and continuing trend is not.
4. Fact Anchored. The recipe for Fact-Anchored is one part data to two parts analysis. Both analysis and data must be present for a security prediction to be meaningful. Predictions aren’t just statistical exercises, and statistics alone are data – not information. Predictions must come from analysis based on some factual observation, even an anecdotal one; that analysis is what makes the prediction likely, and thus actionable. The good news is that, being a very large security vendor with worldwide locations and the greatest number of CVEs credited to an organization this year (yup, the biggest), we have a significant pool of data and observations from which to derive meaningful predictions.
The 2019 Security Predictions Report
This year’s security predictions span the categories of cloud, consumer, digital citizenship, security industry, SCADA/manufacturing, cloud infrastructure, and smart home. I won’t spoil your reading of it, but one of the predictions that jumped out for me was regarding Business Email Compromise (BEC) and how targeted threats will move lower down the org chart. This makes a lot of sense given that CxOs are getting harder to exploit via BEC: they are becoming more aware of the threat, and more BEC safeguards are deployed to protect them. An example of such a safeguard is machine learning to fingerprint executive writing styles, like our Writing Style DNA.
This prediction is quite actionable, especially given that the tools and techniques being deployed to protect the C-suite can be expanded to protect their direct reports as this threat pivots.
Give us your feedback on the report, as its value to us is only based upon its value to you.
A Bonus Prediction
Here’s my bonus prediction, an addition to the report and a reward for being a reader of this blog – and a marker that predictions are an ongoing task for us, not just an end-of-calendar-year one:
Exploits Derived From Reverse-Engineering Patches for Otherwise Undisclosed Vulnerabilities will Triple by 2020.
It is a common misunderstanding that security-related patches are always a response to a publicly disclosed vulnerability or CVE. This is not the case: many product vendors that become aware of a vulnerability, either through internal means or via a restrictive bug bounty program, will patch it with little detail and no CVE.
Developing an exploit involves three key steps: finding a vulnerability, crafting a working proof of concept, and then building an exploit. By reverse engineering patches, attackers can reduce the effort in the first and most resource-intensive step, finding the flaw. When a patch for a vaguely described security issue is released, attackers go from “is there a flaw somewhere?” to “there is a flaw, and there is a patch involving code I could reverse engineer or examine to find it.” Patches are usually scoped to a component or feature, further narrowing the attacker’s search.
Ethical threat researchers already employ this technique with considerable success, so it follows that threat actors will use similar techniques. The action to take is to place greater emphasis on patch timeliness, and to select IPS and AV solutions whose signatures are derived from reverse engineering vulnerability sets.
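As an added illustration of the “patch timeliness” action above (not code from the report or from Trend Micro), the Python below compares a CVE-keyed triage rule with one that also treats silently patched security fixes as urgent, and lists which pending patches are past their deadline under each. The inventory, SLA day counts and the CVE placeholder are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional

@dataclass
class Patch:
    component: str
    released: date
    cve: Optional[str]         # None when the vendor fixed the bug silently
    security_fix: bool         # vendor notes mention a security fix, however vaguely
    installed: Optional[date]  # None while the patch is still pending on the asset

# Hypothetical deployment deadlines in days per priority (an assumption, not a standard)
SLA_DAYS = {"high": 14, "low": 90}

def cve_only_priority(p: Patch) -> str:
    """Common triage rule: no CVE id means no urgency."""
    return "high" if p.cve else "low"

def silent_patch_priority(p: Patch) -> str:
    """Treat any security-related patch as urgent, CVE or not, because the
    patch itself can be reverse engineered to locate the flaw."""
    return "high" if (p.cve or p.security_fix) else "low"

def exposure_days(p: Patch, today: date) -> int:
    """Days from patch release to install, or to today if still pending."""
    return ((p.installed or today) - p.released).days

def overdue(patches: List[Patch], today: date,
            priority_fn: Callable[[Patch], str]) -> List[str]:
    """Components whose pending patch has exceeded the SLA for its priority."""
    return [p.component for p in patches
            if p.installed is None
            and exposure_days(p, today) > SLA_DAYS[priority_fn(p)]]

# Constructed sample inventory; the CVE id is a placeholder, not a real one.
SAMPLE = [
    Patch("libparse", date(2018, 11, 1), "CVE-PLACEHOLDER", True, None),
    Patch("imgcodec", date(2018, 11, 1), None, True, None),   # silent security fix
    Patch("ui-theme", date(2018, 11, 1), None, False, None),  # cosmetic change only
    Patch("netstack", date(2018, 10, 1), None, True, date(2018, 10, 20)),
]

if __name__ == "__main__":
    today = date(2018, 12, 10)
    print("CVE-only triage overdue:   ", overdue(SAMPLE, today, cve_only_priority))
    print("Silent-patch-aware overdue:", overdue(SAMPLE, today, silent_patch_priority))
```

Under the CVE-only rule the silently patched imgcodec never becomes overdue, which is exactly the gap the prediction above warns about.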