Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the Director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today is Warwick Ashford. He is a Senior Analyst with KuppingerCole Analysts acting out of the UK. Hi, Warwick. Good to see you.
Hi Matthias, it's good to see you, too. Thanks for having me.
Great to have you. We want to talk about a topic which is really, really tempting to me. We want to talk about future cybersecurity landscape, future cybersecurity threats. And when we talked about that before we just started that recording, you said there's nothing new under the sun. What do you mean by that?
Well, this is something that I like to refer to when I'm talking about cybersecurity, because, you know, preparing for cybersecurity threats in the future can be a really daunting task. But I think that if cyber defenders just understand that there's really nothing new under the sun, they can understand the true nature of the challenge. And where the “nothing new under the sun” comes from, it's actually a biblical quote I discovered. It's from Ecclesiastes, and the whole quote is, What has been will be again, what has been done will be done again. There is nothing new under the sun. And I think that's really useful for cybersecurity, because, you know, we get all these cybersecurity attacks in headlines and they often talk about it being new or sophisticated or something like that. But when you kind of just analyze it, you really realize that a lot of the tools and techniques that are being used, the so-called TTPs of the attacked people are used by malicious actors are things that we've seen before. They're just being applied in new ways and more importantly, to new technology. So that's what, the main point that I'd like to make is that what's changing is not the attack methods. It's the technology. And and I think
the key is that we've got to keep an eye on the technology.
I would fully agree. Every year, and I'm with KuppingerCole now since 2014 and I'm in cybersecurity really for a long time. Every year there are these reports where there come out these threat statistics, and this year in review. And every time when you look at the key things that did happen in the recent year, it's about identity theft, it's about password misuse, it's about credentials being leaked. And these are the main entry doors when it comes to major data breaches and major threats. And this has not really changed, as you said in the news, it always sounds like it's completely different. It's completely new. Maybe it's just the volume that's changing?
Yeah, well, that's the thing it's volume of things that are changing the rate at which it can change and then the new combinations. But I think a successful preparation for future cybersecurity is to focus on how the adoption of new technologies is expanding an organization's attack surface. So how do we protect the data to be found in those technologies? How do we automate as much as possible to keep up with the pace of change in the rate of attacks? And so I think a risk based data and identity centric approach to security with the overall objective of achieving cyber resilience is invaluable in preparing an organization to withstand any future cybersecurity risks.
Right. And when you say resilience, that is also a change in the overall paradigm that you're applying. So it's not only protecting and defending, it's also being prepared for continuing to work in case something goes wrong and something happens. Am I getting that right?
Yes, well, I think we've all seen in the past couple of years, there's this greater realization that, you know, when you've got a determined attacker or there is something that can be exploited, like a vault in software or whatever, attackers will get in. So you've got to be prepared for that. And then you've got to be able to then detect that they're in quickly, contain them quickly, and then get keep the business going. Because, I mean, ultimately, that's the thing that everybody fears is, yeah, sure, you know, and loss of money is a bad thing and loss of reputation is a bad thing. But if your company comes, the operations come to a grinding halt. That's really, that's an existential threat. You can't you can't carry on your business any more. And this is a growing threat because organizations are becoming more and more dependent on IT just to operate. Without IT, there is no business, if you know what I mean.
Right. You said the attack vectors more or less stayed the same. But the technology change. Which are these new technologies? I'm afraid it will be the ubiquitous machine learning AI part.? But what else is there that is really changing the landscape of the technologies that are used to exploit these attack vectors? Well, you know, in 2023, I mean, there are a couple of things that organizations should have on their radar. So as you've already mentioned, AI. But then there's also quantum computing, the proliferation of Internet enabled devices or IoT devices, the accelerated adoption of cloud services, which we've seen since the pandemic, the demand for people to work from anywhere. Also the use of virtual environments and the switch to 5G networks. So, you know, and there's also the evolution of the Internet. We're now talking about things like
Right. And what are the right countermeasures to take when understanding that these are the new technologies that are in use and which vectors will be used as obvious more or less as well. So what would be strategies to apply when it comes to protecting organizations against this? And being prepared for these new types of attacks?
Well, I think, you know, it's just to be aware of these changes that are happening in the business IT environment. Know that they're happening. And then to look at what the implications are in terms of security, how is this expanding the attack surface? And then to do a risk assessment and to try and make sure that before these technologies are being adopted. Because I think oftentimes in organizations there is adoption and then they go, oh, wait, we should we need we should do something about the security. Whereas I think the mindset needs to change and say, well, look, okay, we know these changes are coming. It is highly likely that these changes are coming. So what we need to do is, look at the risks, identify the risks, and then start putting things in place to mitigate those risks. So like, if you talk about quantum computing, for example, it's important for organizations to understand the nature of the threat. How could they data become vulnerable if industry standard encryption algorithms can be tracked and what they can and should be doing now to ensure that they have quantum proof, or at least quantum resistant data encryption systems in place before quantum computing technology matures. So. And then, of course, there's also the risk that threat actors are already collecting encrypted data now with the aim of decrypting it later when quantum computing becomes more widely available. So that's also a concern.
Right. We started that episode with this “nothing new under the sun”. Maybe we can close it with something like “nobody is an island”. I think we are no longer in a situation that each organization can protect itself for itself. Just the security through obscurity and having firewalls, this is all gone. So being in touch with each other, having communication, working together in communities will be most probably a most important measure to take when it comes to protecting yourself and maybe overall society against these upcoming threats. What's your opinion on that and how can we start that discussion?
I think it's important, as you said, to kind of work within communities and across industry and so on, to be to be looking at these threats. I mean, for example, the quantum computing thing is something that several industry bodies have taken up and now are looking at and are helping to foster post, post quantum encryption methodologies. So it's kind of be aware of that and it's just, as you say, making contact with your community. So that's why attending events is important. And we've got an event coming up in November in Frankfurt that's going to be aiming to kind of look at all these new emerging technologies and what the cybersecurity implications of those are. So we're going to be looking at tackling these future cybersecurity threats. Presentations will focus on a wide range of topics, including how AI enables cyber attackers and defenders, securing the autonomous world, securing the cloud, the latest advancements in quantum computing, detecting deepfakes, for example, securing all types of IoT devices, securing business communication channels, securing supply chains, protecting digital identities and securing things in the Web 3.0 and and of course, the metaverse, which we mentioned earlier about virtual environments. And yeah, that's all taking place in Frankfurt in November. And it's called cyberevolution. And the name is a great combination of the threats that we face in the digital world and how we are evolving to address those.
Right. I think coming together and having this discussion is really an important part and also having the right information available. Of course, we at KuppingerCole Analysts are trying to contribute to that and deliver our research also in these areas of cybersecurity in this emerging technology world. I think attending cyberevolution will be an interesting way to move forward, but also to meet people that are like-minded, that have the same issues, that tackle the same problems, and to work also together and starting a community is really an important part there as well. So thank you very much, Warwick, for giving your insight into future cybersecurity threats. That will not be much different from the attack vector, but it will be much more so the bigger hammer. So we need for protection, also a bigger hammer. Thank you very much for being my guest today.
Pleasure, as always. Thanks Matthias.
Thank you and seeing you soon. Latest in Frankfort.
