The cybersecurity landscape continues to move at the speed of a caffeinated hummingbird. In a world where everything from a simple email to coordinated attacks on physical devices can lead to serious consequences, security teams need to learn every day. And probably forget everything to learn something new the next day.
Let’s flit from flower to flower and highlight some security predictions for 2019. These will probably change by the second week of January, but that’s just a security practitioner’s life.
Prediction 1: Tools that turn “big data” into “smart data” will develop and grow
The security landscape has no dearth of data, but each tool gives its own set of unique intelligence and security teams are left to manually comb through all this data, correlate across tools to gather context, and find the relevant data points to drive response. Security teams need to avoid “analysis paralysis” and the current product stack isn’t helping.
Security technologies will move to solve this problem, and it’s already started. There have been multiple recent releases of “ecosystem SIEMs” or “cloud SIEMs”, for lack of better terms – tools that collect data across multiple products and sources, aggregate and prioritize them, and then present alerts to security teams for investigation. The Palo Alto Networks Application Framework, Microsoft Security Graph API, and Amazon Web Services (AWS) Security Hub are a few high-profile examples of such products. This trend of data aggregation and contextualization will continue to grow rapidly, and with good reason.
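To make the aggregation-and-prioritization idea concrete, here is an added example (not code from the post or from any of the products named above) of the core logic such a tool performs: events from three vendor-specific schemas are normalized into one alert shape, grouped per asset, and scored so that an alert corroborated by several products outranks a single louder alert. The event shapes, hostnames, severity mapping and scoring formula are all constructed for illustration.

```python
"""Toy "ecosystem SIEM": normalize alerts from several products into one
schema, group them per asset, and rank the groups so an analyst sees the
best-corroborated case first.  All sample data below is constructed; the
vendor event shapes are assumed and do not follow any real product's API."""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Alert:
    source: str      # product that emitted the alert
    asset: str       # hostname the alert concerns
    indicator: str   # what was observed
    severity: str    # low / medium / high / critical
    time: str        # ISO-8601 timestamp, kept as text for simplicity


# Constructed raw events, each in a different (assumed) vendor-specific shape.
ENDPOINT_EVENTS = [
    {"host": "ws-017", "rule": "suspicious_powershell", "sev": "high", "ts": "2019-01-08T09:12:00Z"},
    {"host": "ws-042", "rule": "usb_mass_storage", "sev": "low", "ts": "2019-01-08T09:30:00Z"},
]
CLOUD_EVENTS = [
    {"resource": "ws-017", "finding": "unusual_outbound_data_volume", "level": 3, "when": "2019-01-08T09:15:00Z"},
    {"resource": "db-prod-1", "finding": "public_snapshot_created", "level": 4, "when": "2019-01-08T08:50:00Z"},
]
MAIL_EVENTS = [
    {"recipient_host": "ws-017", "verdict": "credential_phish_url_clicked", "priority": "medium", "received": "2019-01-08T09:05:00Z"},
]


def normalize_endpoint(e):
    return Alert("endpoint", e["host"], e["rule"], e["sev"], e["ts"])


def normalize_cloud(e):
    # The cloud product uses numeric levels; map them onto the shared vocabulary.
    level_to_sev = {1: "low", 2: "medium", 3: "high", 4: "critical"}
    return Alert("cloud", e["resource"], e["finding"], level_to_sev[e["level"]], e["when"])


def normalize_mail(e):
    return Alert("email", e["recipient_host"], e["verdict"], e["priority"], e["received"])


def collect_alerts():
    """Pull every source into the common Alert schema."""
    alerts = [normalize_endpoint(e) for e in ENDPOINT_EVENTS]
    alerts += [normalize_cloud(e) for e in CLOUD_EVENTS]
    alerts += [normalize_mail(e) for e in MAIL_EVENTS]
    return alerts


def prioritize(alerts):
    """Group alerts by asset and score each group.

    score = max severity + (distinct corroborating sources - 1) * 2, so a lone
    critical alert (4) ranks below a high alert seen by three products (3 + 4).
    """
    groups = defaultdict(list)
    for a in alerts:
        groups[a.asset].append(a)
    ranked = []
    for asset, items in groups.items():
        sources = {a.source for a in items}
        max_sev = max(SEVERITY_SCORE[a.severity] for a in items)
        ranked.append({
            "asset": asset,
            "score": max_sev + (len(sources) - 1) * 2,
            "sources": sorted(sources),
            "indicators": sorted(a.indicator for a in items),
            "first_seen": min(a.time for a in items),
        })
    # Highest score first; ties broken by whichever asset was hit earliest.
    ranked.sort(key=lambda g: (-g["score"], g["first_seen"]))
    return ranked


if __name__ == "__main__":
    for g in prioritize(collect_alerts()):
        print(f'{g["score"]:>2}  {g["asset"]:<10} {",".join(g["sources"]):<22} {"; ".join(g["indicators"])}')
```

The interesting behaviour is in `prioritize`: ws-017 has no single alert above "high", yet it lands at the top because endpoint, cloud and email telemetry all point at the same host within ten minutes, which is exactly the cross-product context an analyst otherwise has to assemble by hand.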
Prediction 2: Cloud security will align strongly with traditional security measures
While cloud adoption has improved organizational agility, reduced products’ time-to-market, and leveled the playing field with respect to computational power, it has also resulted in disparate environments that security teams struggle to monitor on a regular basis. This is especially true if the security teams are isolated from other teams that deal with DevOps, cloud infrastructure setup, and product development. During incident response, it’s also tough to reconcile cloud asset data with data from traditional security tools.
Security vendors and organizations have both realized this, which is why product interconnectivity will grow and security teams will be able to coordinate actions across both cloud and on-premises environments from a small number of consoles.
Prediction 3: Phishing will sadly still be king
There’s no easy solution to this conundrum. Organizations now have as much data about phishing attempts as Santa has about nice and naughty children, but 95% of all attacks on enterprise networks are still initiated by successful spear phishing. Why have sophisticated threat intelligence tools, machine learning models, and predictive analytics failed to move the needle on phishing response?
The answer is that they have moved the needle, of course, but attackers have continued to experiment and evolve their techniques with time to evade security enhancements. Phishing is also the only attack type that relies so heavily on humans as active agents and eventual victims. It only takes one email asking for iTunes gift cards to slip through ironclad organizational defenses, and then it’s all up to Abhishek from Marketing to not be gullible enough to respond to that email.
Busy employees plus smart phishing emails will always equal breaches. Organizations that have realized this would do well to institute regular and measurable awareness programs that minimize the possibility of human error. We already have fire drills; maybe it’s time for some phishing drills as well.
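The point that tools do move the needle while humans remain the last line of defense can be shown with a small heuristic scorer. This is an added illustration, not code from the post or from any product it mentions: it runs a handful of common indicators (an executive’s name on an external address, a lookalike sender domain, a Reply-To that diverges from From, gift-card and urgency language) over constructed sample messages. The corporate domain `example.com`, the executive names and every message are assumed; notice that the last message, sent from a legitimate internal address, scores zero and is left entirely to the recipient’s judgement.

```python
"""Heuristic phishing triage over constructed sample messages.

Added example: the corporate domain, executive names, messages and the
two-indicator threshold are all assumptions made for illustration."""
import re
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                       # assumed corporate domain
EXECUTIVES = {"dana lee", "sam ortiz"}            # assumed frequently impersonated names
URGENCY_WORDS = {"urgent", "immediately", "asap", "today", "confidential"}
GIFT_CARD = re.compile(r"\b(gift\s*cards?|itunes|google play)\b", re.I)

# Constructed messages; headers reduced to the fields the heuristics look at.
SAMPLE_MESSAGES = [
    {"from": "Dana Lee <dana.lee.ceo@gmail.com>", "subject": "Quick favour",
     "body": "I need you to buy 5 iTunes gift cards for a client today. Keep this confidential."},
    {"from": "IT Support <it-support@examp1e.com>", "reply_to": "helpdesk@recovery-mail.net",
     "subject": "Password expiry", "body": "Your password expires today. Reset it immediately or lose access."},
    {"from": "Dana Lee <dana.lee@example.com>", "subject": "Q1 planning",
     "body": "Attached are the slides from yesterday's meeting."},
    {"from": "Pat Nguyen <pat@example.com>", "subject": "Invoice",
     "body": "Can you process the attached invoice before the end of the day? Already approved."},
]


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Domain part of an RFC 5322 address string, or '' when absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def score_message(msg):
    """Return (score, reasons); each reason is one fired indicator."""
    reasons = []
    name, addr = parseaddr(msg["from"])
    from_dom = addr.rpartition("@")[2].lower()

    if name.lower() in EXECUTIVES and from_dom != CORP_DOMAIN:
        reasons.append("display name impersonates an executive from an external domain")
    if from_dom != CORP_DOMAIN and 0 < levenshtein(from_dom, CORP_DOMAIN) <= 2:
        reasons.append(f"lookalike sender domain {from_dom!r}")

    reply_dom = domain_of(msg.get("reply_to", ""))
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To domain differs from From domain")

    text = f'{msg["subject"]} {msg["body"]}'.lower()
    if GIFT_CARD.search(text):
        reasons.append("asks for gift cards")
    if set(re.findall(r"[a-z]+", text)) & URGENCY_WORDS:
        reasons.append("urgency or secrecy language")
    return len(reasons), reasons


def is_suspicious(msg, threshold=2):
    """Flag a message when at least `threshold` indicators fire (assumed cut-off)."""
    return score_message(msg)[0] >= threshold


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        score, reasons = score_message(m)
        flag = "FLAG " if is_suspicious(m) else "pass "
        print(f'{flag}{score} {m["subject"]!r}: {"; ".join(reasons) or "no indicators"}')
```

The first two messages trip three indicators each and would be held for review; the fourth, a plausible internal request from a genuine company address, trips none. That gap is the space awareness programs and phishing drills exist to cover.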
Prediction 4: Once bitten, twice shy; security regulations will solidify
For the past year, organizations have tried to make sense of GDPR and what “being in compliance” means by fumbling through a labyrinth of opinions and interpretations. The guiding principle behind GDPR (giving rights and power back to end users) is laudable and should definitely be followed through even if it results in increased organizational cost and effort. However, the current draft is (as the name suggests) too “general” in nature, with enough grey areas and loopholes for companies to be unsure about their privacy posture.
For 2019, we predict that companies will improve their understanding of security regulations, although we’re still not sure what the journey will look like. Will court and regulatory rulings on GDPR issues start trickling in and act as vital precedent for companies on what steps to follow? Or will the GDPR framework itself be updated and supported with enough details to dispel any lingering discrepancies? Companies will hope it’s the latter, although there are already telltale signs of the former gaining ground.
Prediction 5: Security will be woven into both physical and digital supply chains
If you fall prey to a ransomware attack, the consequences are pretty clear. A big, red, digital padlock appears on your screen and you can’t use critical appliances until you acquiesce to the attacker’s demands. But today’s security attacks rarely signpost their success so explicitly. In an age of connected devices and sprawling product distribution networks, attacks can be insidious and wreak havoc without victims being aware of their presence at all.
There are plenty of recent examples highlighting this trend. Think back to CloudPets – an IoT toy manufacturer – suffering a breach where more than 2 million recorded messages were leaked. Or when ‘spy chips’ were allegedly used by China to infiltrate US companies by exploiting supply chain gaps. Or the well-documented problem of cryptojacking, where processing power is diverted to mine cryptocurrency with minimal side-effects on the surface that security teams can catch. It’s become apparent that no layer of abstraction is safe from attack.
This challenge cannot be addressed in a short time (and certainly not in a blog post). But companies that hitherto adopted a ‘make-do’ attitude with respect to security while focusing on technological advancements will now have to realize that both go hand-in-hand. If a smart device is built from scratch, it also needs to be a secure device from scratch. This will need a robust audit of existing supply chains and considerable investment to refine these supply chains if necessary.
The bottom line is that people love their breakfast too much to tolerate smart toasters suddenly demanding ransoms one morning. So, if any IoT companies are reading this: please weave security into your supply chain. For bread’s sake.
For more cybersecurity content, you can subscribe to Demisto’s blog by visiting the link below. If you're already a subscriber, the same link will take you to our newsletter archives. Have fun!