CISOs are paid to worry, and there’s a lot to worry about in 2021.
The recent SolarWinds breach, the Capitol break-in, and a series of high-profile hacks are spurring many enterprises to re-examine their security strategies.
We discuss what lies ahead with Yubico’s CISO, Chad Thunberg.
Q: What’s top of mind for CISOs in 2021?
The SolarWinds news is on everyone’s minds because there are so many unanswered questions. The incident will definitely be a case study in 2021, and it highlighted a few things we should immediately think about in terms of how it might apply to our environments.
The first is that some of the victim companies allowed a highly sensitive piece of infrastructure to communicate to unknown and untrusted websites. Filtering outbound connections can be difficult in highly available and integrated environments, but for a subset of environments, all data flows should be well understood and controlled.
The second is that a well thought out alert, reviewed by a human, was the mechanism that detected a complex campaign. We spend a lot of time deploying and operating complex security technologies, but a subset of activities should be reviewed by experts, which includes manual review of relatively rare but sensitive events.
The third is that we have spent the last decade automating our build process to support frequent updates and deployments. This reliance on automation has reduced the likelihood of human error (as well as amplified our mistakes), but if not appropriately secured, it can provide attackers with a means to hide among the developers.
Lastly, the use of SAML signing keys likely means the keys themselves were portable. This is another example where we might have rounded a few corners on the most sensitive infrastructure. Keys that are critical to the chain of trust should be protected with hardware-backed solutions that prevent the ability to export or copy the keys out of the environment. This forces the attacker to either avoid using the keys or forces them to perform the attacks in the environment. This should mean that the detective controls in the environment will lead to a higher probability that the attacker will be detected.
The Capitol riot also brings up a lot of security issues. Electronic devices that are exposed to hostile physical access can no longer be trusted. We had a situation where members of Congress and staff had to leave their desks so quickly that their government-mandated screen locks didn’t have enough time to engage, leaving email, documents, and active browser sessions exposed. It’s incidents like this that illustrate the real-life impact of what we do in the security business.
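The first two SolarWinds lessons above (sensitive infrastructure should only reach known destinations, and rare but sensitive events deserve a human reviewer) can be turned into a small piece of detection logic. The following is an added example, not code from the interview or from Yubico; the sensitive host names, the egress allowlist and the connection log lines are all constructed for illustration.

```python
"""Egress control for sensitive infrastructure, plus a human-review queue.

Added example (not from the interview). Everything below is constructed:
the hosts, the allowlist and the log lines stand in for a real environment's
firewall or proxy data.
"""
from collections import namedtuple

# Constructed: hosts treated as sensitive infrastructure (build servers, the SAML IdP).
SENSITIVE_HOSTS = {"build-01", "build-02", "saml-idp"}

# Constructed egress allowlist: the only destinations each sensitive host may reach.
# For these hosts every data flow is expected to be known and listed here.
EGRESS_ALLOWLIST = {
    "build-01": {"artifacts.internal:443", "git.internal:22"},
    "build-02": {"artifacts.internal:443", "git.internal:22"},
    "saml-idp": {"ldap.internal:636"},
}

Event = namedtuple("Event", "ts host dst action reason")

# Constructed sample connection log: "<timestamp> <host> -> <destination:port> <bytes>"
SAMPLE_LOG = """\
2021-01-05T10:00:01Z build-01 -> artifacts.internal:443 5120
2021-01-05T10:00:07Z build-01 -> git.internal:22 880
2021-01-05T10:01:13Z build-02 -> 203.0.113.7:443 300
2021-01-05T10:02:44Z web-05 -> cdn.example.net:443 12000
2021-01-05T10:03:02Z saml-idp -> ldap.internal:636 640
2021-01-05T10:03:58Z saml-idp -> update-check.example:80 410
2021-01-05T10:04:20Z build-02 -> 203.0.113.7:443 512
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, host, destination)."""
    ts, host, _arrow, dst, _nbytes = line.split()
    return ts, host, dst


def evaluate(log_text):
    """Classify outbound connections from sensitive hosts.

    Returns (allowed, blocked, review_queue).  Connections outside the
    allowlist are blocked; the first time a given sensitive host reaches a
    given unlisted destination, the event is also queued for a human analyst.
    A sensitive host talking somewhere new is rare, so that queue stays short
    enough for an expert to read every entry.
    """
    allowed, blocked, review_queue = [], [], []
    already_queued = set()
    for line in log_text.splitlines():
        ts, host, dst = parse_line(line)
        if host not in SENSITIVE_HOSTS:
            continue  # ordinary hosts are governed by other controls, not this policy
        if dst in EGRESS_ALLOWLIST.get(host, set()):
            allowed.append(Event(ts, host, dst, "allow", "allowlisted"))
            continue
        event = Event(ts, host, dst, "block", "destination not in allowlist")
        blocked.append(event)
        if (host, dst) not in already_queued:
            already_queued.add((host, dst))
            review_queue.append(event)
    return allowed, blocked, review_queue


if __name__ == "__main__":
    allowed, blocked, review = evaluate(SAMPLE_LOG)
    print(f"{len(allowed)} allowed, {len(blocked)} blocked, {len(review)} for human review")
    for ev in review:
        print(f"REVIEW {ev.ts} {ev.host} -> {ev.dst} ({ev.reason})")
```

The review queue deduplicates per (host, destination) pair, so a repeated connection to the same unlisted endpoint produces one item for the analyst rather than one per packet; the block list still records every attempt for the incident timeline.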
Q: How will this translate to strategies and policies this year?
Organizations should presume that a breach of their internal environment will eventually happen. Too much of our infrastructure is still too soft with a vulnerable center. I’d expect to see a renewed focus on fundamental security principles like “least privilege” and “just-in-time access”. Taking time to verify and validate not only every user who accesses a system, but also every system that accesses a system, and every system that accesses the internet. Segmentation with bidirectional control of information will help control the blast radius.
This “zero trust” approach contrasts with the old turnstile model of security. In that model you would control access to and from the network, then you have guard dogs, ninjas, and metal detectors there to make sure everyone who walks through the turnstile is legitimate.
But something like SolarWinds reminds us all that we can’t rely on the turnstile model anymore, even within the internal network. There will be an increased awareness and adoption of the zero-trust assumption, and strong authentication will be at the core of establishing trust between users, systems, networks, and applications.
Small companies without big security budgets will look to service providers to come up with out-of-the-box solutions that allow them to benefit from the same level of protection as a major bank, for instance. Today, if you use a YubiKey as part of your ‘sign in with Google’ authentication flow, then the security benefits of that YubiKey are carried through to any service you access with your Google account. I think we’ll see similar single sign-on (SSO) initiatives from Microsoft or AWS to offer their customers more inherent protection.
I think we’ll also see companies trying to offer a truly seamless, but also highly secure, onboarding experience for their remote employees. I think we’ll see that become more mainstream, with companies shipping a laptop and YubiKey or similar strong authentication device as a complete package to all employees with simple instructions without the need for direct IT support. A lot of the open authentication standards work Yubico is contributing behind the scenes is powering the possibility of workflows like this to exist in the first place.
A frictionless experience is not a new concept – it’s what security departments are always aiming for – but it will be a growing priority this year as we acknowledge that remote work isn’t going away any time soon. That kind of experience is going to evolve into the consumer market, too.
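The “least privilege” and “just-in-time access” principles named in this answer come down to a simple decision rule: access is denied unless a currently active, narrowly scoped grant says otherwise, and grants expire on their own. The code below is an added illustration, not code from the interview or from Yubico; the grant table, the principal and resource names and the change ticket numbers are constructed, and a real deployment would read grants from its access-management system rather than a Python list.

```python
"""Just-in-time, least-privilege access decisions.

Added example (not from the interview).  Grants, principals, resources and
ticket ids are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    principal: str        # user or workload identity
    resource: str         # the one system this grant covers
    actions: frozenset    # least privilege: only the actions actually needed
    not_before: datetime  # grant is inert before this instant
    expires: datetime     # JIT: grant dies on its own, no standing access
    ticket: str           # constructed approval reference for the audit trail


def parse_ts(text):
    """Parse a constructed UTC timestamp such as 2021-01-05T10:30:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def issue_jit_grant(principal, resource, actions, ticket, now, ttl_minutes=60):
    """Mint a short-lived grant starting now; the caller's approval step precedes this."""
    return Grant(principal, resource, frozenset(actions), now,
                 now + timedelta(minutes=ttl_minutes), ticket)


def is_active(grant, now):
    return grant.not_before <= now < grant.expires


def authorize(grants, principal, resource, action, now):
    """Return (decision, reason).  Default deny; allow only on a live matching grant.

    The reason string is meant for the audit log, so a denied request says
    *why*: no grant at all, a grant that is outside its validity window, or a
    grant that covers the resource but not the requested action.
    """
    candidates = [g for g in grants if g.principal == principal and g.resource == resource]
    for g in candidates:
        if action in g.actions and is_active(g, now):
            return "allow", f"grant {g.ticket} active until {g.expires.isoformat()}"
    if not candidates:
        return "deny", "no grant for this principal on this resource"
    if any(action in g.actions for g in candidates):
        return "deny", "matching grant exists but is not active at this time"
    return "deny", f"action {action!r} is outside every grant's scope"


# Constructed grant table: alice may read prod-db for one hour under ticket CHG-1234.
T0 = parse_ts("2021-01-05T10:00:00Z")
GRANTS = [issue_jit_grant("alice", "prod-db", {"read"}, "CHG-1234", T0, ttl_minutes=60)]


if __name__ == "__main__":
    checks = [
        ("alice", "prod-db", "read", "2021-01-05T10:30:00Z"),   # inside window, in scope
        ("alice", "prod-db", "write", "2021-01-05T10:30:00Z"),  # in window, outside scope
        ("alice", "prod-db", "read", "2021-01-05T11:30:00Z"),   # grant has expired
        ("bob", "prod-db", "read", "2021-01-05T10:30:00Z"),     # no grant at all
    ]
    for principal, resource, action, when in checks:
        decision, reason = authorize(GRANTS, principal, resource, action, parse_ts(when))
        print(f"{when} {principal:5} {action:5} {resource}: {decision} ({reason})")
```

Two design points follow the interview's argument: the deny branches are distinguished so that the detective controls get a useful signal (a request against an expired grant looks different in the log from a request with no grant), and the expiry is enforced at decision time rather than by a cleanup job, so a forgotten revocation cannot leave standing access behind.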
Q: What new types of attacks will we see in 2021?
Well, you only see attack innovation when the current attacks are no longer effective. So modern campaigns will keep using all the same approaches that worked before, and they might even do more than one simultaneously. At the less-sophisticated end of the attack spectrum, ransomware will continue to be a significant threat as it’s both easy and effective for the attacker. We’ll also see more incidents of credential theft like the Twitter breach last summer. And then we’ll see more attacks like SolarWinds, which exposed the supply chain weakness. That weakness will continue to be a problem this year until action is taken by enterprises.
Q: What about regulations, given the new incoming administration?
Congress may not be the best entity to write laws about security, but on the other hand, private industry has a poor track record in self-regulating.
We need it, but fear it, too. Regulation tends to raise the minimum bar and is focused on incremental but consistent improvement. Companies that are already doing the right thing become burdened while the worst offenders are dragged into incremental maturity.
The Department of Defense has been pushing CMMC (Cybersecurity Maturity Model Certification) for compliance. Given recent events, CMMC compliance pressure may be turned up.
With SolarWinds shaping security agendas this year, we can expect a focus on secure supply chains, strong authentication, seamless user experiences, and a re-appraisal of the cloud as it relates to enterprise security.
To learn more about the critical role of strong authentication in a zero trust framework, tune into our on-demand webinar, “Creating an effective authentication strategy for a zero trust world,” with David Treece, solutions architect at Yubico.