2017 in review: infosec pros look back on the year


Upload: tripwire

Post on 22-Jan-2018


I think we’ve moved past “breaches as events” to breaches being the norm. Their character and details may change, but the industry as a whole has to accept that this activity is continuous. Why is that important? It changes how we mobilize defense. If you build defenses around the idea that there’s a point-in-time event requiring a response, then you focus on different tactics.

If you consider breach activity as a more continuous process, then you defend more continuously. This isn’t a binary change; it’s not that it was one way and is now the other. It’s a shifting characterization that demands a shifting defensive strategy.

Tim Erlin@terlin

For years, vendors have gotten better about communicating security issues and details related to them, but 2017 was a major step backward for some of the largest vendors. Those companies removed the focus from communication and information sharing.

They also stopped providing customers with options. Imagine you walked into the pharmacy to pick up multiple prescriptions and the pharmacist handed you a single bottle of liquid and said, “I’ve blended everything together. There could be drug interactions, and there are side effects, but I’ll let you discover those on your own.” That’s essentially what some of the largest vendors decided to do this year, and it was rather disturbing to see this giant backward leap.

Tyler Reguly@treguly

The New Year started with modifications to employee training that includes more detail on phishing awareness, both general and targeted. We also realized that a year between employee awareness trainings was way too long. Now we run a 15-minute training with 3-4 questions every month just to keep it fresh in the employees’ minds. We also learned that no matter how well trained our employees are, somebody’s going to click that damn link.

Privileged access management has always been one of my concerns, but in response to the speed that new 0-day exploits are being delivered and the ease with which lateral movement happens, we put a strong move to get rid of local admin on endpoints and put in place a program to manage privileged access in the data center.

Michael Ball@Unix_Guru

I had thought I had seen it all. Then INFOSEC 2017 arrived, and I realized I hadn't seen anything yet. I saw that keeping your production infrastructure up-to-date with patches and updates really is important. Now every CSO can point to Equifax.

I saw that having a DLP process in place to detect the insider hoarding or stealing really is important. Now every CSO can point to NSA's three incidents or Google's Waymo, which saw one of its most senior engineers spirit away thousands of documents.

Yes, in 2017, we held the beer and watched data flow out of far too many entities. May 2018 be the year that security is a forethought and not an afterthought.

Christopher Burgess@burgessct

Effective cybersecurity requires firmness and flexibility. The mature cybersecurity professional knows when to be firm and disciplined and when to be open-minded and flexible. Firmness is necessary in fostering the right mindset in an organization since human behavior is a major (arguably the biggest) factor. Flexibility is necessary for adapting to new threats since a rigid vulnerability or risk management program will remain oriented towards yesterday’s threats.

Too often, security leaders may compromise foundational controls or discipline in the name of flexibility while holding fast to a rigid view of the threat environment or refusing to consider emerging technologies.

Success depends as much on these as it does on policies, procedures and platforms.

Maurice Uenuma@TripwireInc

I mainly thought of the major credit bureaus in the context of users needing to monitor their credit reports for suspicious activity. I never thought we’d see something along the lines of the Equifax incident. Data breaches pose a threat to all organizations, but the risks are more severe when that company is responsible for safeguarding the personal information of millions of consumers.

I recommend all users consider placing a credit freeze on their reports. Also consider opting out of preapproved credit offers and locking down credit card/bank accounts with notifications for every type of activity and transaction.

David Bisson@DMBisson

[Figure: Example diagram of an industrial network that Tripwire can secure and ensure policy/compliance]

I learned how vulnerable Windows' Server Message Block was, especially in regards to this year's WannaCry and NotPetya attacks. Related to that, EternalBlue really opened my eyes about how many exploits intelligence agencies may be sitting on.

I think this offensive approach to cyberwarfare is terrible. People who work for intelligence agencies may feel overconfident about their ability to keep cybersecurity exploits and other cyber attack methods to themselves. But quite frequently, they end up on WikiLeaks. Their exploits may also be shared on IRC or on the Dark Web.

Kim Crawley@kim_crawley

From the major stories I've covered this year, the one thing I've learned is the value of immediacy. As a journalist, you're looking to get something put together fast and published with the bare minimum of facts and figures. It's easy to pick up the wrong facts and report something incorrectly, so this year I've come to rely on a number of people whose perspective I trust on breaking issues.

The capability to create a breaking news story is something that the journalist needs to do well. So my biggest lesson learned from 2017 is on how to work fast, accurately, and under pressure on something that the world wants to know more about.

Dan Raywood@DanRaywood

The first thing I learned was to never make infosec predictions. The more important lesson from the year is that, contrary to what many of us think, our friends and family are not so resistant to security.

Despite some of the stories about bad security practices, most folks are very serious about security. The challenge is that they need to understand it before they leap into it.

Most folks just want to know more about how everything we are promoting in security is going to protect them. If we can clearly articulate that, then we will see a shift towards more security. Let’s make that the mission for 2018!

Bob Covello@BobCovello

This year, I learned it's healthy to take a step back, re-evaluate things, and make changes if necessary.

I had spent so long working deep in one problem space that I missed a lot of interesting changes in the security industry. I felt I would benefit from something new, so early in 2017, I decided to make a role change. I was able to spend the year working with multiple new technologies, platforms, and languages, and I am happy and refreshed because of it.

Ben Layer@benlayer

For the latest security news, trends & insights, visit tripwire.com/blog and follow @tripwireinc