While regulatory actions and the move to SaaS have added even more complexity to enterprise IT security, technologies such as AI and DevSecOps offer new forms of relief. We’ll tell you what security pros view as the year’s top trends and offer advice on managing them.
In a recent survey, we asked security managers and architects across multiple industries to rank trends that they believed would be most impactful this year. (For more on this survey, including the methodology, see our white paper.) These four trends led the way: artificial intelligence/machine learning (AI/ML); the European Union’s General Data Protection Regulation (GDPR); the increasing adoption of DevSecOps and the process of integrating security into the software development lifecycle before an app reaches the traditional testing stage; and the growing movement to use software as a service (SaaS) to meet security needs.
Here we’ll examine survey respondents’ plans in each of these four areas. We’ll also combine our research with that of other industry leaders to provide recommendations.
Six out of 10 respondents called AI a top trend in 2019, with plans focusing about equally on security analytics; security incident and event management; and endpoint protection. Over 50% of those citing AI as a top trend planned to purchase more of this technology in 2019, with implementation split between internal development and buying from a vendor.
AI/ML is emerging as a useful tool as networks and threats grow increasingly complex. Sophisticated attackers can now exploit new vulnerabilities in a matter of minutes. Moreover, enterprises report a shortage of staff skilled in the myriad tools used to respond to as many as 10,000 alerts a day. With studies indicating that analysts can only investigate five to 10 issues per day, AI is an absolute necessity.
All this has resulted in a tendency to view AI as a magic bullet. While pragmatic AI applications such as anomalous user-behavior monitoring and spam/phishing detection are becoming commonplace, keep in mind that the arms race never ends — we know from experience that the bad guys will simply adapt their attacks. While it’s worthwhile, even necessary, to use AI to crunch through massive data sets, merely investing in the technology won’t be enough in the long run.
To get the most from AI, security managers must:
Navigate vendor claims about whether and how AI improves security.
Integrate newer AI tools with existing security databases and analytic platforms.
Arm staff with the skills to use AI (or partner with firms that have such skills).
Recognize and minimize the threat that hackers will use AI to strengthen attacks or to subvert AI security systems.
The European Union’s (EU) GDPR covers more than 500 million citizens in 28 countries. Devising and executing a compliance plan is a significant challenge, as shown by the fact that 72% of respondents’ organizations are affected by GDPR, and 40% listed it as a top trend for 2019.
In our study, implementing business processes for complying with subject access or deletion requests, as well as reviewing and enforcing privacy requirements in third-party contracts, were cited as the most difficult parts of GDPR implementation. Surprisingly, implementing technical measures to achieve compliance was seen as the most straightforward facet; only 6% said they’ve acquired a specific software tool for managing GDPR compliance.
Many companies have taken a wait-and-see attitude, hoping to benefit from the experience of others and assuming it will take time before EU regulators begin fining laggards. This stems from lack of executive buy-in, as well as the natural tendency to procrastinate and lay responsibility for noncompliance at the doorstep of others.
While businesses in the financial services and healthcare industries are familiar with managing regulatory compliance, those in other industries have struggled to meet compliance goals, often relying on the thriving consultancy business that has sprung up around GDPR.
Organizations doing business with EU citizens should:
Fully understand why their businesses collect personal data on citizens; make sure they’re obtaining opt-in permission for collecting and using this data; and explain clearly what it’s used for.
Ensure they have undertaken data protection impact assessments on any high-risk data collected, and report any breaches to relevant authorities within 72 hours.
Embed full lifecycle security by design, to safeguard the private data of citizens if it is collected.
Developers care greatly about security but are under pressure to speed new software to market. DevOps and continuous-integration/continuous-delivery models may require code releases multiple times per week — or even per day. And even when developers attempt to work with security professionals, they don’t speak the same language. Security staff focus on the traditional, collaborative approach of managing code through audit and review, whereas the DevOps paradigm includes the management of infrastructure as code.
These are the problems that DevSecOps, which embeds security throughout the software development, deployment and operations process, seeks to address. It’s no surprise that 49% of respondents listed DevSecOps as a top trend, for which they reported mixed success. On the plus side, they said they were performing some important DevSecOps practices (such as vulnerability scanning and penetration testing before deployment, as well as periodic infrastructure scans and static code analysis) in about half their use cases. However, the use of configuration or control rules to restrict capabilities was not commonplace.
Relatively low adoption levels for DevSecOps practices show that while organizations are trying to embed security in the development process, the security function is still not trusted enough to get out of the way of the business in a pinch. Adopting DevSecOps requires changes in both testing methodologies and culture.
Maximizing the agility and security benefits of DevSecOps requires:
Changes to testing processes, to reflect trends such as the increased immutability of software subcomponents.
Changes to culture, such as more open communication between security and development teams and empowering developers to take responsibility for testing their own code.
The appropriate use of automation to speed processes, especially as they scale.
Cloud-based infrastructure and services often allow organizations to adopt, deploy and scale new capabilities more quickly, cost-effectively, and flexibly than in-house deployments. In our survey, 43% of respondents listed SaaS as a top trend. Two-thirds of respondents are using cloud applications for some aspect of their security, with almost as many (64%) planning to expand such use this year.
What we find troubling is that 54% of respondents are concerned about the dependability of SaaS platforms. Such concerns are warranted, because the data collected by security applications is often among the most sensitive in the organization. Compromised SaaS could even be used to distribute malware to some of the organization’s most sensitive users: the security department itself. With more attackers infiltrating enterprises by masquerading as privileged users, the leakage of credentials belonging to security staffers could result in a difficult clean-up and could lead to deeper access to highly sensitive information.
Some essential precautions around SaaS:
Store encryption keys for data in the cloud separately from the data they protect, so the keys are not under the control of the SaaS provider.
Because many SaaS platforms do not rigorously support user identity management, consider implementing cloud-based identity and access management.
Consider implementing a high-fidelity cloud access security broker with data loss protection functionality, which integrates with cloud applications to prevent data leakage and keep applications free of malware.
While GDPR (and similar mandates) and SaaS may compel organizations to rethink IT security, it’s encouraging that AI/ML and DevSecOps are top of mind in so many organizations. The cat-and-mouse nature of the security challenge will never change, but there are compelling new tools and strategies available.