Looking to the future of cyber security, endpoints will be redefined, becoming devices of many different kinds, predicts Chris Young, CEO of McAfee.

“Those devices will increasingly connect to applications that are running in the cloud, which will be the key control points for your cyber security architecture,” he told the opening session of the MPOWER Cybersecurity Summit in Las Vegas.

“Those will be the places where you will have to drive your most advanced security capabilities in future if you want to be successful.”

Young also predicted security operations will become a mandate and that getting the most out of those security operations will be critical for any organisation’s ability to deal with a cyber attack.

The next “bold prediction”, he said, is that organisations will increasingly harness automation and orchestration in security operations.

“Whether you have an SOC [security operations centre] or not, you have security operations, so you will have to optimise those through automation and orchestration, advanced analytics, and data science.

“We now have real proof points of data science methodologies being used to drive a better cyber security model and a better set of cyber security outcomes. That will become much less about the potential – it will be the norm in the future,” he said.

Organisations will also think differently about threat intelligence in future, according to Young. “Many will have [threat intelligence] platforms and take multiple threat intelligence feeds, and think about threat intelligence as a currency that is core to how you do business any your cyber security infrastructure.”

Young predicts security management will evolve. “You will be thinking about management as one way to manage a heterogenous environment versus trying to manage multiple silos of security technologies across your environment.”

Another prediction, he said, is that many organisations will move from thinking of an open ecosystem as a “nice-to-have” to thinking about it as a “must-have” with most organisations demanding that everything be open, standards-based, application program interface-driven, and interoperable with every other technology regardless of supplier.

These predictions, said Young, are in part based on the threat landscape. “Like many things in history, the past is the best predictor of where we are going in the future,” he said, which is why McAfee has collected data on publically reported cyber attacks dating back more than 30 years.

This data clearly shows that most attack types never actually go away, but instead change and move, with adversaries evolving their attack styles on a regular basis.

“For example, ransomware is one of the most common attack types that we are concerned about today, but ransoware has actually been around for more than 30 years, with the first attacks appearing in the late ‘80s, but it wasn’t until bitcoin and other cryptocurrencies started to take off and become more usable that ransomware itself also took off,” said Young.

Today’s threats a derivative of the past What this shows us, he said, is simply that today’s threats are usually a derivative of the past. “They are evolving, changing, and in many cases taking on new identities depending on the objective of the adversary and the opportunities that the adversary might seek to advantage themselves around.” However, he said, McAfee is increasingly seeing an increase in attacks that use exploits that go beyond malware. “Some might call these ‘file-less’ attacks that use trusted tools like benign scripting languages like [Microsoft] PowerShell and JavaScript driving this category up by over 1,000% in just the past couple of years.” Another trend is that exploits are blurring. There is no longer a clear distinction between attack types or attackers, said Young. “We are moving form and function, we are inter-changing modes and the attacker is often unknown. We suspect it may be a nation state, but is could also be a cyber crime group or both. Take WannaCry, for example, in form and function, it is as much a worm as it is ransomware,” he said.

WannaCry’s crude monetisation capabilities Another factor indicating WannCry was not really ransomware is that, like NotPetya, it had very crude monetisation capabilities. “The authors of WannaCry did not even connect the user IDs to the bitcoin payment mechanisms, which would actually make it quite difficult to pay them to decrypt, which raises the question whether WannaCry and NotPetya were really ransomware intended to make money, or were they simply designed to for destructive purposes to create chaos, but perhaps they were just testing to see what they could do next,” he said. According to Young, all these objectives are possible, and all point to where cyber attacks are going to go in future, with attackers probing and testing on a large scale to carry out future attacks. “As attack vectors merge form and function, it is increasingly difficult to categorise. Our taxonomies, in many cases, will become less and less relevant because hackers are mixing old and new attack types, and constantly changing their pattern – It changes how we define what we see and ultimately how we have to address them,” he said. It makes things more difficult for defenders, adding requirements from as security architecture point of view, and it means that an organisation has to be focused as much on being proactive as it is on being resilient because both are equally important. “What is true today and even truer tomorrow, is that we must – not just think about – but operate our defences as a whole that is worth more than just the sum of its parts, but not all organisations are doing it that way, focusing instead on the individual part of the cyber security architecture,” said Young.

Making technologies work together With this in mind, he said, when McAfee thought about designing a product portfolio for this future sate, the focus was on making the technologies work across the entire threat defence lifecycle from protection, to detection to correction, and ensuring that any one works better together with others than independently. “Increasingly, the inter-operability between the different defences, the different visibility tools, and the different response tools is going to be required for us to have an effective cyber security model,” said Young, which is the direction the security industry is moving in. “We see other suppliers articulating similar messages, which gives us confidence that our strategy is sound and that we are moving in the right direction, but if we want the threat defence lifecycle to become a reality in our environments, we have to think differently about the architecture behind it.” For this reason, Young said he believes the market is “due for yet another cycle of changes in terms of how we think about cyber security. “That is why I am passionate about architecture, because architecture and principles are the foundation of everything we do in the industry and everything that we have to do as a technology provider to make it real for customers.”

Building on solid foundations The goal, he said, is to have a cyber security model that is built on solid foundations, that can withstand turbulence and that provide the flexibility to adapt to any cyber attack. But in the light of the fact that world is moving to cloud and devices, Young said it is strange that most organisations’ security budgets is still being allocated to network appliances. “I would argue that now is the time to really move our thinking and our effort to where the puck is going, not to where the puck has been in cyber security,” he said. “We have got to move our architectural investment, our architectural focus to where the cyber attacks and where the advanced threats will manifest themselves, which is where the action happens: on the endpoint and applications and data residing in the cloud.” The network is not going to be the logical control point around which to build a cyber security architecture of the future, said Young. “It will increasingly become part of the cloud and you will increasingly need visibility down on those devices to get it right. I know the power of what networks can deliver, but I am also clear-eyed about the limitations,” he said, adding that network traffic is becoming “painfully opaque” with the increased use of encryption by adversaries. For this reason, Young said McAfee is architecting its efforts around the control points on the device and in the cloud. “We see the future of the network as a transport layer, but cloud and endpoints are the target and that is where organisations should put most of their [defence] efforts in the future.” However, as much as technology and architecture matter, he said McAfee sees people as the scarcest and potentially most important resource in any cyber security business and any cyber security team.

Time to think differently But despite the media attention on the cyber security skills shortage, Young said there is a need to start thinking about this problem differently. “The first thing we should do is to stop calling it a ‘problem’ and focus instead on the ‘talent efficiency opportunity’, which is what we are trying to do at McAfee,” he said. According to Young, he frequently hears that keeping first responders up to date on the threat landscape, on the latest skillsets, on how to get the best out of their tools and technology are all huge issues, but these are problems that can be solved. Figures published by Nist [the US National Institute of Standards and Technology] show that in the US alone there are 750,000 cyber security professionals and there are 300,000 unfilled posts. “But if we just made those 750,000 people just 20% more effective and efficient, we could eliminate half of those job openings. “I predict in the future that you will absolutely say that you can improve by 20%, and if you are not sure you can, we will sit down with you and show you where we can help you deliver efficiencies, whether it is with McAfee tools or not, so we will take on the problem with you and help give you a solution,” said Young. “We also need a world where tools do a better job of supporting people, not where people have to do the best job they can of supporting tools, and that is a big part of what we are focused on in our product development process,” he said.