Zane West | Director Product Management | Proficio
2019 was another busy year for cybersecurity professionals, with more than 4.1 billion records compromised in the first half alone. There were more security incidents than in any previous year, and they included some of the largest breaches of all time.
Looking forward to the next decade, we expect cyber defenders to still face many challenges. Fueled by the growth of the Cloud, IoT devices, and mobile, the attack surface will continue to grow exponentially. Cybercriminals have been using Machine Learning and will expand on its use in the coming years. Nation states will invest more in cyberwarfare to target governments, critical infrastructure, and organizations.
Proficio has been providing our clients managed security services for nearly a decade. Our understanding of the cybersecurity landscape is informed by being both a user and a provider of cybersecurity technology. The following projections define 10 important changes that we see driving the cybersecurity agenda over the next decade:
Machine Learning (ML) is now transitioning out of the early stages of the Hype Cycle into broader adoption as a credible cybersecurity technology: a necessary part of any cyber defense arsenal, and one that plays a significant role for Incident Response (IR) and Security Operations Center (SOC) teams.
There’s been a lot of talk about the potential for ML to replace Level 1 or Level 2 Security Analysts. At Proficio, we strongly disagree with this idea. We have been both experimenting with and deploying ML for years. We use ML as a tool that augments Security Analysts, helping them to identify relationships between seemingly unrelated events, cut out false positives, and detect anomalies. Combined with threat intelligence, ML enables security teams to detect and respond to security incidents faster, more effectively, and with far fewer people than would otherwise be possible – but it will not be able to completely replace the human element. We anticipate many organizations will follow similar paths in the coming decade.
Talk to any CISO and it won’t be long before you hear an anecdote that illustrates the cyber skills gap. The shortage of cyber professionals is now measured in millions, and when you peel back this issue, the gap is made more complicated by the range of technologies used to ensure a strong cyber defense. In addition to Security Analysts, Incident Responders, and SIEM Engineers, organizations now also need Data Scientists and ML Experts.
We don’t expect the cyber skills gap to go away in the 2020s, but there is light at the end of the tunnel in the form of SOAR (Security Orchestration, Automation, and Response). We’ve developed our own proprietary SOAR platform and automation, which plays a significant role in the services we deliver.
SOAR platforms promise to help SOC and IR teams reduce response times, cut down on manual work, and engineer repeatable, semi-automated processes. By creating standardized, repeatable processes — and automating them where possible — SOAR reduces the burden on security teams. In addition, a SOAR platform integrates with other technologies and provides a single orchestration interface for security teams. Instead of learning to use five or more different tools, security engineers need only master a single interface that is integrated into their operational processes.
When the General Data Protection Regulation (GDPR) came into effect in May 2018, organizations with EU customers had to step up their data privacy compliance processes and systems.
Historically, the major compliance frameworks (PCI-DSS, HIPAA, ISO27001, etc.) were akin to audit checklists. So long as you ticked off certain requirements — and you could prove it — your job was done. It didn’t matter if you were actually secure, as long as you followed the rules.
But GDPR changed the game. Now, instead of a checklist, organizations are responsible for collecting, analyzing, and acting upon security data to ensure the ongoing protection of sensitive assets. If an organization is breached, and sufficient action wasn’t taken to prevent it, irrespective of any checklist, large fines will follow.
We believe that in the next decade GDPR-like regulations will be adopted by most developed nations, and other compliance mandates will place a greater responsibility on the organizations they cover.
In terms of decades, the 2000s were about defining the perimeter and improving perimeter security controls. In the 2010s, evasive techniques and more sophisticated malware brought about the need for next-generation technologies, including endpoint protection, firewalls, and software-defined perimeter controls within virtualized platforms. For the 2020s, we expect a significant expansion of security controls into the cloud as cloud and hybrid architectures become mainstream.
Data and applications have been moving to the cloud for a while now. Not only are cloud environments more complex to secure than local datacenters, but they’re also vulnerable to a wider range of cyberattacks. For these reasons, some organizations have avoided a complete move to the cloud in favor of a hybrid approach.
Over the next decade, security and IT leaders will need to look for ways to secure complex, multi-cloud environments while retaining control over how cloud services are consumed. IT teams will need to find a way to be an enabler within the organization by defining standards that allow for the adoption of cloud technologies and limit shadow IT.
The use of Cloud Access Security Brokers (CASB) will continue to increase as more organizations consume cloud services in all areas of their business operations. A CASB is a key enabler that protects corporate assets and data, reduces the burden on IT, and allows the business to explore new and improved technologies.
We expect the compensating controls within big cloud infrastructure platforms — Azure, AWS, and Google Cloud, among others — to mature. This is an inevitable response to a clear business need, as cloud providers seek to keep customers “on brand”.
Security leaders will need to ensure that the tools used to secure traditionally hosted data and services also extend to the cloud. This may take time to fully realize because many security tools currently don’t work well in the cloud. However, now that cloud usage has become the norm, security vendors are scrambling to ensure their tools remain relevant. You will also continue to see cloud-focused security vendors becoming more relevant, and even prominent, amongst the startups.
When organizations began to take cybersecurity more seriously, they went on a security tool buying spree resulting in a proliferation of tools that often did not work together. The abundance of cybersecurity startups claiming to be the next big thing – often based on dubious marketing claims – caused security tool sprawl and more confusion in the industry.
There are two big problems with using too many specialized tools. First, it is expensive. Second, it carries a hidden cost: the resources needed to manage these tools. A “Best of Breed” purchasing strategy creates unnecessary complexity in the architecture, requiring more trained resources to manage all the technologies in alignment with the vendor-recommended best practices. This approach generally results in duplication of functionality across technologies, less effective implementations, and underutilization of the investment in security tools.
The cybersecurity industry is slowly maturing. Organizations are realizing that they can’t solve all security problems by purchasing extra tools; it’s often quite the opposite. They need to simplify their technological footprint while focusing on the other two components of a functional security program: a strong team, and effective, repeatable processes.
Similar to Marie Kondo’s approach to simplifying and organizing household belongings, we expect security leaders to see that their teams are better off maximizing the value of a handful of core tools rather than using just 5-10% of the functionality of many disparate technologies. We expect smarter purchasing decisions that factor in cross-vendor integration capabilities, or that consume technology as a service from an MSSP and focus the buying decision on a business outcome.
The 2020s will be the decade of 5G. Any time there is a greater than 10X change, you should expect significant related effects. 5G promises to improve mobile data rates and latency by 50 to 100 times. This technology will enable new applications, restructure cloud architectures, and notably be used in mission critical enterprise applications like factory automation, robotics, transportation, and more.
5G will accelerate virtualization, proliferate distributed edge networks, and enable hackers to attack more devices at faster speeds. Cyber defenders will need to respond with new policies, security virtualization, tighter access controls, and new approaches to device authentication. Next-generation endpoint security technologies will need to work more effectively on mobile technologies, locking down the OS of the devices and the access to the hardware capabilities and apps. Think of cryptojacking on mobile devices as an example of an attack type that would become viable.
A Security Operations Center or SOC is the nerve center where a team of security experts monitors and responds to cyber threats on behalf of their organization. Proficio operates a global network of SOCs and is seen as a leader in innovating how SOCs operate for maximum effectiveness, giving us a unique perspective on this area. Over the next decade, the way SOCs function will change in a number of ways.
Historically, security event monitoring and response has been log-centered. If a log entry was flagged as suspicious, an alert was created and investigated by a security analyst. This approach is problematic when it comes to unknown threats because, until a threat has been seen and reported, there’s no rule to detect it. Unless an organization has an active threat hunting program in place, such threats can go undetected for some time. Keep in mind that the current industry average for mean time to detection of a breach is 200+ days.
We expect SOCs to adopt frameworks like the MITRE ATT&CK framework, which encourages security teams to think in terms of tactics, techniques, and procedures (TTPs). While a new threat may contain hashes, C&C infrastructure, or URLs that haven’t yet been categorized as malicious, only a tiny proportion of threats use completely new and innovative TTPs. As a result, a security program that’s set up to identify TTPs (rather than specific indicators) is much more likely to identify attacks and breaches.
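To make the indicator-versus-TTP distinction concrete, here is an added example (not Proficio’s code or tooling) that runs an indicator blocklist and a single behavioral rule over constructed endpoint events. The hashes, domains, hostnames and field names are all invented for the illustration; the ATT&CK sub-technique IDs are the public ones for PowerShell and the Windows command shell.

```python
# Behavioral rule: an Office application spawning a script host. The ATT&CK
# sub-technique IDs are the public ones for PowerShell and the Windows command shell.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe": "T1059.001", "cmd.exe": "T1059.003"}

# Indicators from an earlier, hypothetical incident. Both values are constructed
# placeholders, not real hashes or domains.
IOC_HASHES = {"sha256:CONSTRUCTED-HASH-OF-FIRST-SAMPLE"}
IOC_DOMAINS = {"updates.constructed-c2.example"}

# Constructed process-creation events, enriched with the hash of any payload the
# child process wrote and the host it connected to. Field names are invented here.
EVENTS = [
    {"id": 1, "host": "ws-042", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "payload_sha256": "sha256:CONSTRUCTED-HASH-OF-FIRST-SAMPLE",
     "dest_host": "updates.constructed-c2.example"},
    # Same tradecraft, but a recompiled payload and fresh infrastructure.
    {"id": 2, "host": "ws-117", "parent": "EXCEL.EXE", "image": "cmd.exe",
     "payload_sha256": "sha256:CONSTRUCTED-HASH-OF-RECOMPILED-SAMPLE",
     "dest_host": "cdn.constructed-c2-two.example"},
    # Normal service start: no payload, no outbound connection.
    {"id": 3, "host": "srv-01", "parent": "services.exe", "image": "svchost.exe",
     "payload_sha256": None, "dest_host": None},
    # Administrator running PowerShell interactively: not Office-spawned.
    {"id": 4, "host": "ws-009", "parent": "explorer.exe", "image": "powershell.exe",
     "payload_sha256": None, "dest_host": "intranet.constructed-corp.example"},
]

def ioc_hits(event):
    """Indicator matching: fires only on values already known to be malicious."""
    hits = []
    if event["payload_sha256"] in IOC_HASHES:
        hits.append("hash")
    if event["dest_host"] in IOC_DOMAINS:
        hits.append("domain")
    return hits

def ttp_hits(event):
    """Behavioral matching: fires on the technique regardless of hash or domain."""
    if event["parent"].upper() in OFFICE_APPS and event["image"].lower() in SCRIPT_HOSTS:
        return [SCRIPT_HOSTS[event["image"].lower()]]
    return []

def detected_by(events):
    """Event ids each approach would have alerted on."""
    return {"ioc": [e["id"] for e in events if ioc_hits(e)],
            "ttp": [e["id"] for e in events if ttp_hits(e)]}

print(detected_by(EVENTS))  # {'ioc': [1], 'ttp': [1, 2]}
```

Event 2 is the case the paragraph describes: new hash, new infrastructure, same technique, so only the TTP rule catches it, while the interactive PowerShell session in event 4 stays quiet because the rule keys on the parent-child relationship rather than on PowerShell itself.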
For many organizations, a fully-functional 24/7/365 operation is essential to ensure the ongoing security of sensitive data and assets. For all but the largest and most profitable organizations, however, building a security function of this magnitude is simply not financially viable. Currently, a staff of 27 is the minimum viable number of resources for an average organization of about 3000 employees to implement a 24/7 SOC operation. This includes the minimum viable staffing for shift coverage, and a well-rounded, optimized technology stack for security control enforcement and monitoring. A challenge with staffing a dedicated in-house team is the under-utilization of staff, which is not very conducive to employee retention. Add this to the ever-present challenge of the cybersecurity skills gap, and it’s easier to understand why many organizations will turn to Managed Security Service Providers (MSSPs) to supplement the capabilities of in-house resources.
As more programs are being developed to train in cybersecurity, we anticipate a growth in qualified professionals from diverse backgrounds, including more women entering this field.
Proficio CEO Brad Taylor outlined a vision of the SOC of the future at Splunk .conf19. View the presentation here.
Vulnerability Management (VM) is key to a mature security program. However, VM Scans can generate so many vulnerabilities that IT teams only have the resources to patch a fraction of the hosts and devices identified as requiring updates. Sometimes the quantity of alerts can be so overwhelming that it slows down remediation or results in no action at all.
The solution to this challenge is to prioritize based on the risk of a vulnerability being exploited in the context of the criticality of the asset, industry vertical, and level of known activity in the wild. Vulnerability Management needs to become a process that prioritizes based on risk, includes expert advice on the best approach to remediation, and measures and reports on progress.
We see Risk-based Vulnerability Management becoming standard to most organizations over the next decade.
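As an added illustration (not Proficio’s code or scoring model) of the prioritization the preceding paragraphs describe, the following ranks constructed scan findings by CVSS alone and then by risk, combining asset criticality, exposure and known in-the-wild activity. The weights and the findings are assumptions made for this example; industry vertical is folded into the criticality rating rather than modeled separately.

```python
# Weights are assumptions for this example, not a published scoring standard.
# Industry vertical is folded into asset criticality rather than modeled separately.
CRITICALITY = {"high": 1.0, "medium": 0.6, "low": 0.3}
EXPOSURE = {"internet": 1.0, "internal": 0.6, "isolated": 0.2}
ACTIVITY = {"exploited": 3.0, "poc": 1.5, "none": 1.0}   # known activity in the wild

# Constructed scan findings; CVSS scores and asset names are invented here.
FINDINGS = [
    {"id": "F1", "asset": "lab-vm-07", "cvss": 9.8, "criticality": "low",
     "exposure": "isolated", "activity": "none"},
    {"id": "F2", "asset": "payments-gw", "cvss": 7.5, "criticality": "high",
     "exposure": "internet", "activity": "exploited"},
    {"id": "F3", "asset": "hr-db-01", "cvss": 8.1, "criticality": "high",
     "exposure": "internal", "activity": "poc"},
    {"id": "F4", "asset": "marketing-web", "cvss": 5.3, "criticality": "medium",
     "exposure": "internet", "activity": "exploited"},
    {"id": "F5", "asset": "build-srv", "cvss": 9.1, "criticality": "medium",
     "exposure": "internal", "activity": "none"},
]

def risk_score(f):
    """CVSS scaled by how much the asset matters, how reachable it is, and
    whether the flaw is actually being exploited."""
    return round(f["cvss"] * CRITICALITY[f["criticality"]]
                 * EXPOSURE[f["exposure"]] * ACTIVITY[f["activity"]], 2)

def by_cvss(findings):
    """Severity-only ordering: what a raw scan report hands to IT."""
    return [f["id"] for f in sorted(findings, key=lambda f: f["cvss"], reverse=True)]

def prioritize(findings):
    """Risk-based ordering."""
    return [f["id"] for f in sorted(findings, key=risk_score, reverse=True)]

def remediation_plan(findings, capacity):
    """With capacity for only `capacity` fixes this cycle, which ones get done."""
    return prioritize(findings)[:capacity]

def progress(findings, fixed_ids):
    """Share of total risk retired so far, for reporting."""
    total = sum(risk_score(f) for f in findings)
    done = sum(risk_score(f) for f in findings if f["id"] in fixed_ids)
    return round(done / total, 2)

print(by_cvss(FINDINGS))        # ['F1', 'F5', 'F3', 'F2', 'F4']
print(prioritize(FINDINGS))     # ['F2', 'F4', 'F3', 'F5', 'F1']
```

The two orderings are nearly inverted: the CVSS 9.8 flaw on an isolated lab host drops to last, while the actively exploited CVSS 7.5 flaw on the internet-facing payment gateway moves to first, and fixing just the top two retires about three quarters of the total risk.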
Human error is one of the most common causes of a security breach. Human errors range from configuration errors on cloud architectures, servers and security devices to failure to follow organizational policies by administrators and users alike.
Human errors are unavoidable, but employers can help to reduce the risk. To compensate for this reality, we urge IT leaders to prioritize training and process control, and to use technology where possible to automate tasks and detect issues resulting from simple mistakes.
It is inevitable that most organizations will experience a security breach at some time. The operational priority for any organization is to quickly detect and remediate a breach.
In the 2020s, we expect IT leaders will increasingly need to explain the magnitude and types of cyber risk that apply to their organizations and provide their executive teams with strategic options to reduce risk.
Shareholders and customers want to understand what organizations are doing to protect important assets and data. Up until now, security leaders have been forced to spend a huge amount of time preparing reports for board and stakeholder consumption. Many resorted to Excel and manual databases because alternatives weren’t available.
Over the next decade, security leaders will rely on business intelligence dashboards that show the threats facing their organizations and trends by type of attacks and attack targets. These dashboards will summarize the organization’s security posture, identify gaps, and compare risk with that of industry peers in near real-time as opposed to a monthly point in time based on sometimes limited and stale data. This is why we developed our ThreatInsight dashboard.
2020s: A Decade to Embrace Change
As we wave goodbye to 2019, we are excited about the changes that the next decade will bring and looking forward to helping our clients protect their data and brand.
From all of us at Proficio, we wish you a safe and successful 2020.