Former Michigan CISO: Don't Ignore Security PredictionsDan Lohrmann on Why Security Prognostications Are Worth Reviewing
It seems like every vendor in the data security industry makes predictions this time of year. Which ones should you pay attention to? All of them, says Dan Lohrmann, who formerly served as the state of Michigan's CISO and CTO.
See Also: How to Defend Your Attack Surface
"I really view it as something that professionals need to widen their perspectives," Lohrmann says in an interview with Information Security Media Group. "Know what your competitors are saying. Know what all the different cyber companies are saying. And there are huge benefits to your personal career to gain industry knowledge, understand overall trends, expand your horizons; it can benefit you in many ways."
In the interview (see transcript below), Lohrmann also discusses:
- What organizations should be thinking about when it comes to incident response and ransomware;
- What's next for machine learning and AI in cybersecurity;
- New uses for blockchain technology.
Lohrmann led the state of Michigan's cybersecurity and technology infrastructure teams from May 2002 to August 2014, serving in the roles of CSO, CTO and CISO. He currently serves as CSO and chief strategist for Security Mentor Inc., which provides security awareness training.
JOAN GOODCHILD: Sometimes security industry predictions can be met with a bit of fatigue and cynicism. You say that's a mistake. Why?
DAN LOHRMANN: It's really important that professionals in the cyber industry, and in technology as a whole, take some time every year and really read through these predictions. Everyone just thinks of predictions as looking in a crystal ball and picking different topics. But the companies put a lot of time and energy into these predictions.They're very good reports. In fact, many of the predictions ... are given out free and would cost thousands of dollars if you bought the full reports, and the research and the data that goes behind these predictions.
I really view it as something that professionals need to widen their perspectives. Know what your competitors are saying. Know what all the different cyber companies are saying. And there are huge benefits to your personal career to gain industry knowledge, understand overall trends, expand your horizons; it can benefit you in many ways.
Ransomware Will Grow Worse
GOODCHILD: We're going to go over several areas of technology for our predictions today. To start, ransomware. Everyone has this on their list this year.
LOHRMANN: Ransomware is a huge trend that is just exploding. I'm just going to review some of the specific vendor predictions around that.
Trend Micro said: "In 2018, digital extortion will be at the core of most cybercriminal business models, will propel them into other schemes that will get their hands on potentially hefty payouts. Ransomware business models will still be a cybercrime mainstay in 2018. Other forms of digital extortion will also gain ground, and cybercriminals will explore new ways to abuse IoT devices and do ransomware on IoT."
Symantec had three things to say about why expensive home devices will be held for ransom: "IoT devices will be hijacked and used also as DDoS attacks," which is another whole topic. But then, "IoT devices will provide persistent access to home networks." So internet of things and ransomware are coming together.
McAfee says: "Ransomware is going to evolve from traditional PC extortion to IoT, high-network users and corporate disruption." So, threatening disruption if you don't pay up.
Forcepoint notes: "IoT is not held to ransom but instead becomes a target for mass disruption." That is interesting.
There's a point/counterpoint there. Will IoT be held for ransom or not? Different vendors are saying different things. Forrester says: "Cybercriminals will use ransomware to shut down point-of-sale systems." Interesting.
Webroot says: "Backups will not prove enough to stop ransomware attackers. Will find new ways to subvert the strategy of backups." That's fascinating because backups are often one of the number one things in prevention. People say get good backup and make sure you test your backups to mitigate ransomware risks.
Sophos says: "The malware we protect customers from will transcend operating systems. Ransomware in particular will continue to target Android, Mac, Windows, Linux users. Android phones run a modified version of Linux. And those trends will dominate 2018. Ransomware's surge will be fueled by ransomware-as-a-service offered by hackers."
Those are just some of the different vendors. Almost every major vendor had something to say that ransomware is going to grow and it's going to expand.
GOODCHILD: What's the takeaway if everyone thinks that ransomware will indeed persist in a big way for 2018?
LOHRMANN: What is your incident response strategy? What are you going do if it hits you? Don't just think in terms of "Well, we only use X, Y, Z; we only use Windows or we only use Linux. Now they're saying it's going go to impact Android and Mac iOS. We'll see if that happens." But those predictions are saying that people need to be prepared. And people need to have incident response strategies in place.
There's a whole series of different solutions in the market that talk about ransomware and how to avoid it. It seems like almost every vendor thinks it's going to get worse before it gets better.
Machine Learning Expands
GOODCHILD: Next up, machine learning and AI specific to cybercrime and security. What are you hearing for 2018?
LOHRMANN: TrendMicro led with: "Threat actors will ride on machine learning and blockchain technologies to expand their evasion techniques."
Machine learning shows up on probably half to two thirds of the lists that are out there from the major security and the minor vendors as well.
"Cybercriminals will use artificial intelligence and machine learning to conduct attacks," says Symantec.
Imperva, it's their top trend: "Malicious use of AI and deception of AI systems."
Gartner offers an interesting prediction here: "Through 2021, AI-driven creation of counterfeit reality, or fake content, will outpace AI's ability to detect it, fomenting digital trust." Basically digital trust will expand because of AI-driven counterfeit reality.
IBM offers a lot of focus on AI versus AI. The bad guys will have AI, so if you're not using it, you're going be attacked with it.
BetaNews notes: "The AI arms race will begin in 2018." Like we're beginning a new arms race around artificial intelligence. It's showing up on most of the lists as far as both defensive strategies and offensive strategies.
GOODCHILD: And in terms of the offense part of that, where would you advise looking at when it comes to machine learning and AI?
LOHRMANN: Most of the vendors have machine learning as certainly part of their strategies, and they're using AI, for example, introducing AI machine learning into their product suite. IBM is a great example of that, where you get an opportunity to in a number of their different product suites use Watson.
Watson's obviously getting a lot of traction. It's a great solution set they've got there. That's one example of where AI and machine learning is going to start showing up more in different products and services and should be a part of your strategy. Most of the vendors are doing that and are using that.
How much will it really be a game changer in the next 12 months? We'll see. It remains to be seen. But companies are thinking 2018 will be the turning point. I certainly think it will be in the next year or two or three that we see major announcements, major new attacks and defense strategies around AI and machine learning.
New Uses for Blockchain?
GOODCHILD: Our next topic is cryptocurrencies. There's certainly been no shortage of discussion about this in recent months. What are you hearing about cryptocurrency and blockchain in the next year?
LOHRMANN: Symantec said blockchain will find uses outside of cryptocurrencies, but cybercriminals will focus on coins and exchanges. A lot of people were saying blockchain can't be hacked and we always talk about people, process and technology, right? So that crypto, that wallet that you have, the different exchanges, the different processes and policies around that, that's certainly going to be attacked by the cybercriminals, and they're going to go after that.
Watchguard Technologies ... talks about a cryptocurrency crash; a major crash will occur.
Kaspersky Lab talked about cryptocurrencies. It says it's in vogue in the cybersecurity world. If you think about ransomware, with bitcoin payments, you can't track the cash, so it certainly is in vogue in the cybercrime world.
Imperva predicts much more cryptocurrency mining.
Forrester says blockchain will overtake AI in venture capital funding and security vendor road maps. There was talk about using blockchain in voting.
And then Gartner says by year 2020 that the bank industry will derive $1 billion of business value from the use of blockchain-based cryptocurrencies.
GDPR Compliance Outlook
GOODCHILD: Now the next topic we were going to dig into is the EU's General Data Protection Regulation. What's being predicted around GDPR and compliance with GDPR?
LOHRMANN: It's really all over the map, Joan, and it's really a hot topic. Everyone's scrambling to get their GDPR programs in place, all the legal aspects of that. There are a lot of questions around how does this affect U.S. companies. How does this affect companies that are not in Europe? Certainly, it affects all the European companies.
Trend Micro says many companies will take definitive actions on GDPR only when the first high-profile lawsuit is filed.
Forrester says firms too aggressively hunting insider threats will face lawsuits and GDPR fines.
The percentage of compliance will be smaller than most people think; under 50 percent. It depends on who you believe and who you listen to.
This BeyondTrust five-year prediction is interesting. They say GDPR will become untenable and will be not used in five years.
GOODCHILD: What do you think about that prediction about GDPR being untenable in five years?
LOHRMAN: It's really two schools of thought. One is that this thing will take root and then more people will demand that same kind of GDPR framework in the United States, around IoT devices due to all of the data collected. Many think the U.S. is going to go the way of Europe, and that privacy is going to reign the day and there's going to be a backlash about all this data being collected.
The other extreme is a lot of people who say this is too much and there's going to be a revolt, even in Europe, and it will be untenable. It will slow down innovation; it will slow down progress and technology.