
Those of you in the trenches of cybersecurity likely share a perspective held by many of us at NSS Labs: “the only constant is change.” In other words, as threats continue to evolve, so must the employees who use the data and the products deployed to protect the data. Without evolution, the battle against cybercrime is lost.

At NSS, we are exposed to a broad range of cybersecurity products almost daily, and we have opinions on how these products meet enterprise requirements as well as thoughts on the cybersecurity industry in general. In keeping with NSS tradition, we are sharing some of these opinions, and we hope you’ll find them as interesting to read as they were to write.

“FALSE POSITIVE RELIEF IS ON THE HORIZON THROUGH THE USE OF ADVANCED MODELING TECHNIQUES.” – Will Fisher, Senior Research Analyst

Security technology vendors must walk a fine line between false positives and detection accuracy; the more sensitive a detector is, the more type I errors it will generate. The volume of alerts generated by sensitive instruments designed to detect a growing number of threats is unmanageable for most organizations. If a vendor’s detection engine is highly aggressive, the operational burden associated with hunting down false positives could be costlier than mitigating the malware infection. Additionally, these false positives will shift responder focus away from focusing on the real incidents.

The cyberskills gap (1.8 million predicted in 2022[1]) has led to security vendors offering more and more automated security processes that leverage machine learning and AI technologies (the AI industry is predicted to be a $1 trillion market by 2050[2]). While it is somewhat facetious to expect a security product to have zero false positives, the truth is, improvements in heuristics and behavioral analyses can help considerably. I predict significant relief with the application of advanced modeling in 2019. The vendor that can offer a product that provides excellent security efficacy and reliable performance while minimizing the operational burden will have a significant competitive advantage.

“SSL/TLS DOMAIN-VALIDATED CERTIFICATES WILL BEGIN TO BE CONSIDERED AS HIGHER RISK” – Jason Pappalexis, Managing Director, Enterprise Architecture Research Group

I predict that in 2019, domain-validated (DV) certificates (as opposed to organization-validated certificates and extended-validated certificates) will begin to be considered indicators of elevated risk. Furthermore, within the next three years, cybersecurity technologies that scan web traffic (e.g., secure web gateways [SWGs], next generation firewalls [NGFWs]), and embedded URLs within SMTP traffic (e.g., SWGs) will expand their policies to more precisely control traffic according to certificate type.

Why do I predict this? Many certificate authorities (CAs) offer free DV certificates, primarily in response to the mid-2015 initiative by the open-source certificate authority, Let’s Encrypt. These free DV certificates remove the financial barriers to entry both for legitimate website designers and criminals. Organizational validation (OV) certificates and extended validation (EV) certificates offer lower risk than DV certificates because they require background checks and must be processed manually, both of which are considered important in the effort to reduce crime. This also means they take longer to complete and are more expensive. While DV certificates are not on their own indicators of malicious intent, they will be part of the equation potentially as early as the end of 2019.
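One way a web-scanning policy could tell DV, OV and EV leaf certificates apart, as an added example that is not NSS Labs' code or any vendor's product: it reads the CA/Browser Forum certificate-policy OIDs that CAs embed in issued certificates and falls back to whether the subject carries an Organization. The `selfSigned` helper and its constructed certificates are assumptions made for the demonstration only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum certificate-policy OIDs that mark a certificate's validation level.
var oidEV, oidOV, oidDV = asn1.ObjectIdentifier{2, 23, 140, 1, 1},
	asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}, asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}

// ValidationLevel classifies a parsed leaf certificate as "EV", "OV" or "DV": a policy
// OID decides; with none, a subject lacking an Organization can only be domain-validated.
func ValidationLevel(c *x509.Certificate) string {
	levels := []struct{ oid asn1.ObjectIdentifier; level string }{{oidEV, "EV"}, {oidOV, "OV"}, {oidDV, "DV"}}
	for _, p := range c.PolicyIdentifiers {
		for _, l := range levels {
			if p.Equal(l.oid) {
				return l.level
			}
		}
	}
	if len(c.Subject.Organization) > 0 {
		return "OV"
	}
	return "DV"
}

// selfSigned builds a constructed test certificate (assumption: not CA-issued) with an
// optional subject Organization and, if policy is non-nil, a certificatePolicies extension.
func selfSigned(org []string, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), Subject: pkix.Name{CommonName: "example.test", Organization: org}}
	if policy != nil { // certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID }
		der, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{policy}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A gateway would apply `ValidationLevel` to the server certificate seen during the TLS handshake and feed the result into its risk scoring alongside the other signals it already uses.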

[1] 2017 Global Information Security Workforce Study: Benchmarking Workforce Capacity and Response to Cyber Risk. Report available at https://iamcybersafe.org/wp-content/uploads/2017/07/N-America-GISWS-Report.pdf
[2] Helfstein, S. Investing in Artificial Intelligence and Automation. Morgan Stanley. Available online at https://www.morganstanley.com/ideas/artificial-intelligence-and-automation

“THE FIREWALL REMAINS A CORE ENTERPRISE NETWORK SECURITY CONTROL, BUT EXPECT SOME BUMPS IN THE ROAD AS ITS LIMITS ARE EXPLORED.” – Jason Pappalexis

Enterprises deploy NGFWs as the first and last line of defense for systems that are on premises. Enterprise expectations for their efficacy in protection against threats are high; the largest percentage of respondents in the 2018 NSS Labs Network Security Study (31.1%) indicated the minimum acceptable security efficacy for these devices is in the range of 95 – 99%.

However, enterprise expectations for protection do not appear to be aligned with the reality of protection. NSS test results for NGFW show inconsistent historical average exploit block rates over time: 89.5% in 2012 (NGFW Test Methodology v6.0); 97.2% in 2016 (v7.0), and 92.7% in 2017 (v8.0).[3] NSS testing has also revealed specific gaps in detection: a 2018 investigation conducted by NSS revealed that ten leading NGFW products were negatively affected, and some quite significantly so, when exploits delivered by JavaScript were transformed by one or more common code obfuscation techniques and web transport encoding mechanisms.[4]

While NGFWs crossed the chasm long ago, I predict that an increased awareness of gaps in efficacy will drive many enterprises to closely evaluate the capabilities of their NGFWs and either tune where necessary or bolster adjacent technologies.

“SD-WAN TECHNOLOGY WILL OFFER NEW OPTIONS FOR SECURING THE PERIMETER, ACCELERATING THE MOVE TO A CONVERGED EDGE.” – Mike Spanbauer, VP Strategy

Over the last few years, a technology has emerged that is designed to ease the challenges of managing branch to headquarters WAN links as well as the operational challenges associated with provisioning a new site. Software-defined wide area networking (SD-WAN) technology potentially can simplify the way in which administrators manage policies to ensure business resilience and consistent application experiences across WAN links.

In addition to WAN connection feature sets, some SD-WAN vendors are expanding their offerings to include network security technology. At a high level, this potentially reduces the number of appliances at branch sites, which in theory may reduce failure rates and enable configuration parity across all devices. While the market is still relatively young, the appeal is clear. NSS has facilitated a number of enterprise architecture discussions on the legitimacy, efficacy, and value of SD-WAN technology. These discussions include whether the technology is mature enough to collapse WAN link management and security into a single offering.

In my opinion, 2019 will be the year that SD-WAN technology makes its mark, accelerating the enterprise move to a converged edge. And yes, this is bigger than WAN management. The vendors that succeed here will also be challengers in the WAN optimization and load balancing space as well as challenging CPE connection equipment vendors. Stay tuned.

“EXPECT A LARGE IOT CYBER EVENT TO IMPACT US CRITICAL INFRASTRUCTURE” – David Thomason, VP of Enterprise Engagement

IoT security challenges are going to hit a new high in 2019. This will further raise the issue of privacy in the United States as identification of these issues will turn the spotlight on a number of issues, including how the intelligence community exploits IoT vulnerabilities, why these vulnerabilities exist, and why the commercial sector has not developed a satisfactory bolt-on solution to mitigate the vulnerabilities. Pressure may also expand to service providers to provide protection to their customers.

[3] 2017 NSS Labs Evolution of Product Testing – Firewall
[4] 2018 NSS Labs Investigative Report: The Impact of Code Obfuscation and Web Delivery Encoding on NGFW Scanning Accuracy

I predict an industrial IoT event in 2019 that will impact critical infrastructure. Many predictions were made about an attack on the US electric grid in the wake of the 2016 Ukraine incident. 2019 could be the year those predictions come true. If such an attack should occur, the likelihood of a wide-scale electrical outage is extremely low, but unfortunately, an attack on a single or even a few generation systems could cause an outage that puts human life at risk and thus should not be treated lightly.

Other industries within critical infrastructure that rely on the IoT are easier targets and more likely to be hit. For example, the oil and gas industry is highly dependent on SCADA systems for the operation of refineries, oil platforms, and pipelines. A successfully coordinated attack that causes physical destruction of even a single refinery would at a minimum generate uncertainty and doubt in the industry, and at its worst cause loss of life.

“IN 2019, ORGANIZATIONS SUBJECT TO REGULATORY MANDATES WILL CONSIDER CASBS AS THEY MIGRATE TO THE CLOUD.” – John Whetstone, Research Architect

It’s no secret that organizations subject to stringent regulatory mandates have been inhibited from adopting the cloud. In many cases, this isn’t due to a lack of desire, but rather is the result of factors such as poor visibility into the stored data, who is accessing the data, who is sharing this data, and even limitations in log details from the cloud security products.

To address these challenges, many organizations are turning to cloud access security broker (CASB) technology. CASB products facilitate the governance of cloud services by enabling visibility into what cloud services are being used and how they are being used, applying organizationally defined policies across all cloud services, and by reducing risk associated with malware and data loss/exfiltration in the cloud.

I predict that in 2019, more enterprises subject to regulatory compliance will adopt CASBs as the means to enable their organization’s migration to the cloud. This prediction is supported by a recent NSS Labs study,[5] in which 29.2% of the respondents reported that their enterprises were subject to regulatory mandates and have turned to CASB technology to address their challenges. 91.5% of these respondents indicated that their organization’s CASB product was either “extremely effective” or “very effective” at accomplishing goals related to regulatory compliance for the cloud. This is a great sign for both enterprises and CASB vendors.

The predictions listed are the opinions of the contributors and do not necessarily reflect positions held by NSS Labs.