5 trends in defensive security for 2017

When we started planning the inaugural O’Reilly Security Conference, we did so with a unique focus on defensive security. There are many excellent researchers and leaders working to solve the problems of security today, but what we wanted to do was to get down to the nuts and bolts of building better defenses across the board. The Security Conference and our newsletter have received an enthusiastic welcome from our audience—the defenders. And it’s for you, the defenders, that we offer this look forward at the key trends in 2017.

1. Greater coordination on vulnerability disclosure

The nearly unexpected happened in 2016: the Department of Defense released their vulnerability disclosure policy, putting the government ahead of a vast percentage of private enterprises when it comes to partnering with well-intentioned hackers instead of viewing them as dangerous adversaries. This should serve as inspiration for both more government groups and corporations that would all benefit. On top of that, Katie Moussouris worked with ISO to release a free version of their ISO 29147 standard, providing free best practices for organizations looking to establish their own vulnerability disclosure programs.

2. Threat intel sharing will increase

We hope 2017 will see a strong decline in victim shaming—along with data privacy and concerns over sharing corporate competitive info, this is one of the main reasons organizations fail to share critical threat information. (Here’s a suggested easy first step: Let’s stop calling them “victims.”) Only when we work together will we be able to start upending the dynamic whereby attackers have the upper hand. CISA is by no means ideal, but it is the first in what we hope will be other, better attempts at getting us out of the Nash Equilibrium that we’ve been in up until now.

3. Hackathons will produce new tools and resources

For far too long, the mantra has been that defenders have to anticipate and prepare for every possible attack, while attackers only need to find their way in once. But that is changing, and we expect further developments on this in 2017. Dan Kaminsky released a number of open source tools in late 2016 from a hackathon he organized that aimed to invert the power dynamic for defenders. Instead of playing vulnerability whack-a-mole, Dan is focused on making security easier for everyone out of the gate. Look for more hackathons in 2017 so you can join the effort.

4. Machine learning will continue the march from theoretical to practical for defenders

Machine learning (ML) has been a buzzword in security (and other realms) for years, but beyond the buzz, machine learning holds promise of the ability to reduce noise, filter the massive amount of data becoming available to defenders, and suggest best practice to deal with specific threats. The availability of open source tools, improved models for utilizing ML, and the need to filter big data will encourage security teams to harness predictive modeling to reduce noise, prioritize threats, and efficiently leverage automation.

5. IoT security will evolve

The IoT and its legions of connected devices will continue to complicate the security landscape in 2017. IoT security measures will evolve through regulation, if not by more organic means. As the number of IoT devices continues to grow exponentially, the threats they pose metastasize, especially to critical infrastructure as shown in the October 2016 DDoS attack against Dyn. As most device manufacturers currently have little initiative to build highly secure products, and consumers aren’t choosing devices with security in mind, IoT legislation seems likely in the near future to protect consumers, businesses, and critical infrastructure. The FCC and FTC have both suggested that they’ll be policing IoT security in 2017, though details are murky, especially considering the upcoming change in administration. While legislation will likely take at least two years to be formally enacted, expect the gears to start turning in 2017.