Month: December 2020
2021 Cyber Security Predictions: A Forecast for the Future
2020 is one for the books. We each navigated life amid a pandemic that brought its own trials, tribulations and a few silver linings. Moreover, 2020 tested IT and cybersecurity professionals: Organizations quickly enabled remote workforces, phishing attempts increased 350 percent, election security was scrutinized, and events like Black Hat USA were held entirely online. I name “unprecedented” as the word of the year.
Many unknowns remain as we shift to 2021. This time of year is a crucial opportunity for those of us in the cybersecurity field to hit pause and reflect on our industry. Based on conversations and observations in 2020, read on for my eight cybersecurity predictions for 2021 on the topics of:
- Balance between automation and human security testing
- Cybersecurity employment trends
- Cybersecurity budgets and priorities
- Compliance-based security versus risk-based security
- A shift in application security practices
- Tackling insider threats
- Pandemic meets cybersecurity
- Securing the external attack surface
Prediction #1
Automation continues to be a priority, but human context will be the key to security program management and success in 2021.
By now, we all understand the value automation brings to any cyber security tool. Yet, in 2021, the human element will be pushed to the forefront of security innovation, specifically for our intellect and ability to add context to cyber security findings. Contextualizing cyber security findings will be an invaluable tool to boost vulnerability remediation efforts in the new year, as the number of vulnerabilities grows exponentially, and context is key to helping us prioritize.
Prediction #2
There will continue to be more cyber security jobs than people to fill the roles.
Cyber security leaders will be challenged to fill roles that require candidates with mid- to senior-level experience, and entry-level openings will remain in high demand. Because of this, companies will need to do more with fewer people. This will result in increased adoption of program-level partnerships with third parties, or the use of vendors to fill in-house positions at scale.
Prediction #3
Cyber security budgets are not necessarily going to increase but will be reprioritized.
More dollars will be specifically allocated to cloud security due to prolonged and, in many cases, permanent remote work; in other words, a distributed workforce. One exception to stagnant budgets is regulatory drivers: certain states (e.g. California) and industries (e.g. healthcare) may need to increase budgets to comply with new or changing regulatory expectations.
Prediction #4
There will be more cyber security teams pivoting from a compliance-based security approach to a risk-based security approach.
Financial institutions will continue leading in risk-based security, but we can expect to see increased adoption in the retail industry. This pivot is being triggered by increased visibility into risks and cyber security programs, better documentation, and more efficient opportunities to present risk to the business leaders.
Prediction #5
“Shift left” will become a more widely adopted term and application security practice in 2021.
Shift left, the practice of discovering and preventing problems earlier in the software development lifecycle (SDLC), will narrow the existing gap between development and cyber security teams. A further proof point: in the cyber security testing community, we are seeing demand for more certifications in application security. In the new year, we should expect more discussions around placing greater emphasis on cyber security throughout the entire SDLC.
Prediction #6
Heightened awareness around insider threats and Identity and Access Management (IAM) will continue growing.
In early 2020, Ponemon Institute found that the frequency of insider incidents had tripled since 2016 and that the average cost of an insider threat was $11.45 million. These numbers will continue rising as threat actors increasingly solicit employees to gain access to an organization’s infrastructure and customer data in 2021. Expect to see more organizations increasing adoption of a zero-trust architecture to address this.
Prediction #7
The rate at which technology is developed continues to outpace security; the pandemic continues to drive this narrative.
Cloud adoption, coupled with the demand for convenience through technology innovation amid the pandemic, is going to further increase the rate at which technology is developed. This is an ever-evolving challenge for the cyber security industry: we will need to ensure new technologies are built with cyber security top of mind.
Prediction #8
Cyber security teams will be challenged by defining and securing the external attack surface in 2020.
As the scope of the perimeter continues to expand well beyond a traditional perimeter defense model, adversaries can now gain access through mobile devices, the cloud, and even user identities (e.g., targeting identities themselves as assets to further gain access to data). Teams will need to think strategically to find and remediate vulnerabilities on the external attack surface as the risk heightens.
What Not to Do When Ingesting and Prioritizing Vulnerability Data for Remediation
I should have known better.
Eleven-some thousand findings, struggling inexorably to transform from scanner output to CSV format. It was too late; the scanner tool was on a mission to dump megabytes of data into a spreadsheet and there was nothing I could do to cancel it.
As I sat there staring at the progress counter slowly creep upward, I questioned my life choices up until that point. I’ve been a security practitioner my entire adult life. I’ve (legally) stolen troves of data in many forms. I’ve discovered untold thousands of vulnerabilities in my penetration testing days, most of which didn’t amount to much; inconsequential findings that did not correlate to any meaningful risk to the organization I was testing. I’ve always given more weight to the vulnerabilities I knew would net the golden ring, whether it was unauthorized access to sensitive data, privileged access to a network or system, or whatever prize the vulnerability du jour led to.
And yet there I was, wondering what made me even look for that many vulnerabilities. For some reason I enabled all vulnerability checks in the scanner configuration. The scanner categorized most of the findings as “information,” usually mundane tidbits of data more suited for asset inventories than vulnerability management. Of those 11,000 findings, maybe 25 were categorized as high risk, and maybe a few hundred or so as medium risk. After some threat modeling and other consideration, it turned out there were maybe five relevant vulnerabilities that required prioritized action. All those informational findings? No need to worry about those.
Except one. And man, it was a killer.
It was a simple thing, really. The scanner identified something my team and I had taken great pains to disable long ago. I was confident – arrogantly so! – that it was disabled, so I didn’t bother checking the scanner output to see if it was suddenly active again.
I think you can see where this is going.
It wasn’t until later, during an internal audit, that I discovered I had made the mistake of not propagating my vulnerability management strategy widely enough to encompass a critical process in our security program framework: periodically validating everything that could have the most adverse effect on the business. Thankfully, it was discovered internally, but let’s be honest, nobody enjoys internal auditors finding anything at all, much less something significant.
To be fair, how do you sift through 11,000 findings to determine which are important? You don’t. At least, you certainly don’t do it with spreadsheets, arguably the most common method of tracking vulnerabilities. Spreadsheets are the devil. Dumping vulnerability data into them leads to headaches and doesn’t provide the kind of tooling needed to manipulate and correlate the data into meaningful outcomes for managing the vulnerabilities. Besides, this entire approach is inefficient and ultimately unnecessary.
A Scanner is not the Equivalent of a Vulnerability Management Program
The truth is, many organizations consider vulnerability management to be running a scanner with all the checks turned on, and then addressing the high-risk findings. In my experience, this bottom-up approach presents a few problems:
- Scanner policy configurations are not one-size-fits-all. When set to scan for all possible technology vulnerabilities, the scanner can produce an enormous amount of noise in which meaningful vulnerabilities may be missed or ignored. This “spray and pray” method creates more confusion and eventually apathy toward purposeful vulnerability analysis.
- Similar vulnerabilities can pose drastically different risks. A discovered open share on a file server containing HR data may be categorized by a scanner as medium risk, but the actual risk to the business is high or even critical. A discovered open share on a print controller containing fonts or no files at all may also be categorized as medium risk but in fact is a low risk to the business. Without the proper context an organization may treat these two findings as equal and expend the same time and effort (cost) in addressing both when they do not merit equal treatment.
- Measured improvements in security maturity are an expensive undertaking. The costs in terms of money, time, and effort can skyrocket if guardrails aren’t applied to focus the process on specific goals; otherwise it becomes a continuous game of catching up each time a vulnerability scan is run.
The key is to understand the risks most likely to disrupt the business from meeting its objectives, identify the threats that would cause and amplify those risks, and select the controls most appropriate for managing those threats. The controls should then be regularly measured and audited to ensure they are implemented correctly and are effective in protecting the organization.
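The two problems above, identical scanner severities that carry very different business risk, and an informational finding that turns out to be a disabled control coming back to life, both come down to joining scanner output with context the scanner does not have. The following Python script is an added example (not the author's code, and not the output format of any particular scanner): it ingests a constructed CSV export, joins each finding to a constructed asset inventory carrying data classification and exposure, re-scores the finding, and separately flags any hit that contradicts an expected-state baseline of things the team believes are disabled. The column names, inventory fields, scoring weights, and sample hosts are all assumptions made for the example.

```python
"""Context-aware triage of raw vulnerability scanner output.

Added example, not the blog author's code. All inputs below are constructed
sample data; the CSV layout, asset-inventory fields and scoring weights are
assumptions chosen to illustrate the technique, not any vendor's format.
"""
import csv
import io
from dataclasses import dataclass

# Constructed scanner export: two identical "medium" share findings on very
# different hosts, one "high", and two "info" findings the scanner considers noise.
SCANNER_CSV = """host,plugin,severity,title
fs01,10001,medium,SMB share accessible without authentication
prn02,10001,medium,SMB share accessible without authentication
web01,20002,high,Outdated TLS configuration
fs01,30003,info,Telnet service detected
kiosk7,30004,info,HTTP server banner
"""

# Constructed asset inventory: the business context the scanner lacks.
ASSET_CONTEXT = {
    "fs01":   {"data": "confidential", "exposure": "internal", "owner": "HR"},
    "prn02":  {"data": "none",         "exposure": "internal", "owner": "Facilities"},
    "web01":  {"data": "pii",          "exposure": "internet", "owner": "Marketing"},
    "kiosk7": {"data": "none",         "exposure": "internal", "owner": "Facilities"},
}

# Expected-state baseline: services the team deliberately disabled. A scanner
# hit matching one of these is a control regression regardless of severity.
EXPECTED_DISABLED = {("fs01", "Telnet service detected")}

# Assumed weights: scanner severity is only one input to business risk.
SEVERITY_BASE = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
DATA_WEIGHT = {"none": 0, "internal": 1, "confidential": 2, "pii": 2}
EXPOSURE_WEIGHT = {"internal": 0, "internet": 1}

# Worst-case context for hosts missing from the inventory, so an unknown asset
# is surfaced for inventory clean-up instead of being silently down-ranked.
UNKNOWN_ASSET = {"data": "confidential", "exposure": "internet", "owner": "unknown"}


@dataclass
class Finding:
    host: str
    plugin: str
    severity: str
    title: str
    owner: str = "unknown"
    business_risk: int = 0
    control_regression: bool = False


def parse_findings(text):
    """Parse the CSV export into Finding objects; severities are normalised to lowercase."""
    return [Finding(r["host"], r["plugin"], r["severity"].strip().lower(), r["title"].strip())
            for r in csv.DictReader(io.StringIO(text))]


def score(finding, context, baseline):
    """Combine scanner severity with asset context and check the expected-state baseline."""
    ctx = context.get(finding.host, UNKNOWN_ASSET)
    finding.owner = ctx["owner"]
    finding.business_risk = (SEVERITY_BASE.get(finding.severity, 2)   # unknown severity -> treat as medium
                             + DATA_WEIGHT[ctx["data"]]
                             + EXPOSURE_WEIGHT[ctx["exposure"]])
    finding.control_regression = (finding.host, finding.title) in baseline
    return finding


def triage(text, context=ASSET_CONTEXT, baseline=EXPECTED_DISABLED, min_risk=3):
    """Return the findings that merit action: control regressions first, then by business risk."""
    findings = [score(f, context, baseline) for f in parse_findings(text)]
    actionable = [f for f in findings if f.control_regression or f.business_risk >= min_risk]
    actionable.sort(key=lambda f: (not f.control_regression, -f.business_risk, f.host))
    return actionable


if __name__ == "__main__":
    for f in triage(SCANNER_CSV):
        tag = "REGRESSION" if f.control_regression else f"risk={f.business_risk}"
        print(f"{tag:<12} {f.host:<7} ({f.owner}) {f.severity:<7} {f.title}")
```

Running it shows the point of the section: the HR file server share scores above the action threshold while the print controller's identical finding drops out, and the "info" Telnet hit on fs01 is pushed to the top of the list because it contradicts the baseline, not because of anything the scanner said about it. Feeding the script a real export means replacing the constructed CSV, inventory and baseline with your own, and the baseline in particular is the part worth keeping current as controls are added or retired.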
In the next blog in this vulnerability management series, we will look at how to align vulnerability management goals to meet the organization’s business objectives, and present considerations for maturing vulnerability management processes into risk-based program strategy.