2020 was a historic year on numerous levels. It certainly will be one we will never forget, whether because of a global pandemic, conversations around social injustice, a contentious U.S. Presidential Election — or simply massive cyber disruption, as headlined by the SolarWinds breach.
We recognize there are numerous business and technical challenges, but the industry also has never been so aware of the importance of cyber across every critical infrastructure and beyond.
Anne Neuberger, recently appointed NSA Director of Cybersecurity, will join Biden's National Security Council. This appointment strongly indicates that the Biden White House intends to prioritize cybersecurity as a top national security priority. By no means do our predictions represent all of the challenges organizations face, but the following focus areas should give professionals a few insights into what our global customers are facing this year.
Cybersecurity trends in 2021
Customers realizing the value in the current investments
Many of our customers are seeking to rationalize a portfolio of tools across many of their domains, with the ultimate goal of providing more capabilities and strategic value to end users with less cost and complexity. Not many of our customers have well-organized databases of information around active security tools, and we also see a mix of satisfied and unsatisfied users across the internal customer base of tools today.
Organizations need to have an ongoing goal of managing costs and avoiding duplicative tools/functionality, a clear articulation of tool rationalization decisions and value, and an integrated roadmap for strategic value realization (including tools, people and processes).
Cyber resilience will be a top priority
As I wrote earlier last year, enterprise cyber resilience is a strategic requirement and a must-have organizational capability. Security and risk management executives must come together to work as a unified team to design, implement and maintain a cyber resilience program to ensure business initiatives become sustainable operations.
When you look at organizational risks, there are too many to count unfortunately, and they could range from horrific natural disasters to man-made disruptions, equipment failure and operational/human errors. As fast as businesses are growing and expanding, these risks are occurring at an increasing frequency as well and turning into business disruptions that impact the viability of the organization.
Doubling down on secure multicloud adoption
As the demand for digital transformation continues, more customers will adopt a distributed cloud approach. Business processes and application workloads will be increasingly distributed across public and private cloud. This multicloud approach does not guarantee improved performance, reduced spending or, more importantly, reduced risk. Cloud architecture is also driving organizations toward containerization, which may be “serverless” but is certainly not without vulnerabilities.
Managing data privacy and regulatory requirements across disparate cloud service providers will be a challenge. Data governance will be a hot topic, not only for daily operations but also in the board room. Also, be on the lookout for new variants of ransomware to hit AWS, Azure, Google Cloud and (yes) even Alibaba. With calls for providers to build bridges between their platforms, there will be new vectors for threat actors to build a reputation and make some coin.
More focus on rapid threat detection and response
The work-from-anywhere revolution has dramatically changed enterprise architecture. It has effectively pushed sensitive data and privileged identities into insecure home environments filled with often unmanaged (likely never patched) IoT devices. Does your fridge seriously need a Wi-Fi connection? Anyone worth their salt in security knows that the foundation of any solid threat and vulnerability management (TVM) program has always been robust visibility.
2021 will see some security solutions (e.g. EDR, SASE, UEBA, etc.) invest heavily in new products and capabilities to address these visibility and response challenges; others won’t adapt fast enough and will suffer a loss of relevance and likely market share; and still others will try to ride a history of past success with hopes of being acquired by larger entities looking to quickly fill gaps in their product offerings. Expect the marketing hype to continue, with increased demand on customers and system integrators to filter out the noise to make sense of what solutions deliver the required business outcomes.
This year will challenge practitioners to “level up” their skills and capabilities. Because while visibility is foundational, it’s not always synonymous with being knowledgeable of your fragmented and ever-expanding network. With newly enhanced risks and challenges around every corner, finding the appropriate response to the onslaught of evolving threats is essential. Look for organizations to spend more on both people and technology as they try to size their cybersecurity staff and lean in on automation to help find more hours in the day.
With strict timelines and deliverables, even well-intentioned developers or engineers sometimes follow the path of least resistance. This doesn't bode well for traditional infrastructure requiring these users to VPN into the corporate network to access and expose shared resources. It's particularly concerning given the trends we’ve seen with haphazardly deployed cloud instances left running, abandoned without any sort of lifecycle management strategy to terminate them when they're no longer needed.
Unfortunately, there’s simply not enough expertise in the job force to make every one of these instances secure and conforming to security policy. Some organizations will be caught off guard, with little to no telemetry integrated into the traditional monitoring toolset. This will equate to searching for a needle across multiple diverse and ever-expanding haystacks. Security operation centers will need to rely more on security-focused AI behavior to recognize patterns and identify abnormalities across a distributed cloud architecture.
Look for technologies that offer continuous assessment of cloud compliance and cloud-related workflows to receive significant attention this year, even from industries that have typically been slower to adopt cloud services in general.
Time to innovate while maintaining compliance
The need to rapidly prototype and deliver minimum viable products (MVPs) through the use of agile delivery and cloud computing will produce vulnerabilities in its wake. That’s the dark side of “shadow” innovation — pet projects are rarely designed with security in mind, which means there’s a gap in security control and ongoing inspection. That dark side can be good for job security… or produce a career-altering event.
Either way, expect an increase in cyber risk exposure caused by an ever-changing attack surface. Those who are wise will invest in automation of specific use cases (a scalpel, not a chainsaw) to reduce operational costs, make better use of skilled FTEs and enhance security insights.
On the FTE front, organizations ought not to assume that S3 bucket experience qualifies an engineer to manage a full cloud infrastructure. As Suzanne Massie told U.S. President Ronald Reagan in 1986, “trust, but verify.” Randomly perform cloud security audits to close gaps and improve your staff.
If a breach doesn’t derail your progress this year, then auditors might be at your heels. The auditing business will skyrocket this year. Changing architectures will require updated documentation, enhanced policies and fancy network diagrams to prove to the auditors that you’ve adapted security operations to accommodate the new work-from-anywhere approach. Expect an increased cost of compliance due to greater scrutiny from regulators.
Mitigating risk while enabling remote work
The phrase “security is everyone’s responsibility” never held more importance than it did in 2020 and will continue to do so in 2021. The advent of remote working that has become a new normal requires additional attention and effort for its sustainability. The biggest hurdle in its path will be cyber threats.
In offices we are protected by a cybersecurity bubble, which is a huge investment by our organizations, and this is not replicated when we work from the comfort of our homes or coffee shops. There are new challenges for security teams to cope with on top of the large repertoire of preexisting threats.
Let's look at some of the newer challenges that organizations will have to deal with in 2021 and the near future now that there is a large remote worker population:
- Securing and managing the online meeting tools and traffic: There has been a sudden burst in the traffic generated by virtual meeting tools like WebEx, Zoom, etc. Unprotected remote desktop protocol (RDP) connections are a major concern for remote workers.
- Change in working hours: With the increase in remote work, there has been a sporadic distribution of work hours and enterprise traffic patterns have changed. The off-work hours that were once available for patching of software and IT changes are now affected.
- Use of personal devices & untrusted networks (shadow IT): With more and more enterprise applications moving to the cloud and users' ability to access these services via the Internet, the IT/security teams are losing control and visibility of enterprise traffic.
The scenarios mentioned above are not new, but their impact has changed with the work traffic inversion. This change requires us to look at possible solutions that help deal with these and other surrounding security risks. Let's look at a few solutions that help shield the organization:
- Multi-factor authentication & SSO: Multi-factor authentication (MFA) will add a resilient blanket of security to the access of tools/services that are associated with work, even when accessed by a personal device. MFA is in general a great practice to enhance security hygiene.
- CASB and VPN solutions: VPN solutions have been the legacy means of creating a secure medium to the protected office network. As the boundaries of work are stretched and more and more official apps reside on the cloud, visibility into this traffic is paramount. CASB aids that need for compliance and assists the organization's security team.
- Compliance policy of official and personal devices: There needs to be a clear policy that is set up and implemented across the organization to enable installation of mandatory applications (e.g. EPP/EDR) aiding security and security patching of devices on its network — and the personal devices of the users. Creating security awareness should be of prime importance.
Security risk mitigation is a gradual process that is achieved by constant evolution of an organization's security team and its compliance by employees. The added challenges that an increased remote workforce creates require a security-centric approach and deeper participation of employees who can act like the first line of defense. The risk and threat will be imminent and evolving, but we can do our part by being best prepared to tackle it.
Accelerating a flexible Zero Trust Architecture
There has been a paradigm shift in the way that employees work and access the resources required to complete their work. There is a steady increase in users who are working remotely and constantly on the move.
The working model of an organization is moving more towards a cloud-based and Internet-dependent model. The onset of the pandemic has only fueled this growth as an increased number of users continue to work remotely. This growth will only accelerate in 2020.
Companies are strategizing to accommodate this change and it calls for stronger fortification on the cybersecurity front. This paves the way for Zero Trust Architecture (ZTA).
ZTA revolves around a "zero" level of trust given to a user based on their network, physical location or the ownership of the asset. It gives security teams control and visibility. ZTA focuses on making access control as granular as possible and eliminating unauthorized data access.
ZTA is a journey and not just a solution. It is achieved over phases, and organizations will be pushing forward towards these come 2021. NIST has underlined the following points about ZTA:
- Communication between endpoints must be secure irrespective of the location of devices on the network.
- Every device that is used at/for work must be considered an official device.
- Access to each resource must be provided on a request/need basis.
- Authentication shall be enforced for every action/transaction.
- There should be an underlying policy to govern each request.
- There must be a constant evolution of security policies triggered by scrutiny and monitoring.
The points above are just some of the important prerequisites for the ZTA journey. IEEE states that "Zero Trust will be key to achieving cyber security resilience," and this places ZTA at the crux of 2021 plans of security teams across organizations. Organizations will be building strategies around ZTA fundamentals to deal with the ever-evolving security storms to come.
More rigor around data protection and privacy
COVID-19 has forced most organizations to become more dynamic in nature. Faster digital transformation strategies meant that many companies onboarded new technologies to maintain business continuity. The rapid deployment of these technologies meant that most companies lacked the time for proper due diligence. With COVID-19 driving masses of staff into remote working, the difficulties of data tracking have intensified as use of home networks and BYOD have increased.
The increased usage of online or connected services amplifies areas of legal risk for businesses leveraging connected technologies, as well as providers of internet content and services. Gartner predicts that 65 percent of people across the world will have their personal data protected by privacy regulations, compared to 10 percent in 2020. New data protection regimes are in the pipeline, both domestic and international.
Uncertainty over international data transfers will persist. As with privacy concerns, a business’s best first step is to understand its data security landscape including obligations, risks and potential gaps in its program. Despite the increased risk of certain cyber threats, businesses are generally finding that a remote workforce works and are planning to expand or continue remote work arrangements even after the pandemic.
There are several steps that a business can take to harden its security posture. These range from deploying hardware and software solutions across the workforce, to implementing more robust and engaging training protocols.
Safeguard third parties (could be the biggest priority)
The 2020 pandemic has forced organizations to use more technology products and software solutions from a variety of third-party vendors, making them an integral part of the organization. As a result, organizations are faced with the dilemma of having to provide the needed access while also guarding against malware and hackers entering through third-party connections. Global organizations today have sophisticated security defenses, and bad actors are beginning to target third-party vendors to gain access to an enterprise’s network.
In a study by BlueVoyant, 22 percent of organizations did not monitor their entire supply chain for good information security, and 32 percent did not reassess their vendors regularly to catch any issues, in addition to integrating new vendors. According to Carbon Black’s 2019 Global Incident Response Threat Report, 50 percent of today’s attacks leverage what they call “island hopping,” where attackers are not only after an enterprise’s network but all those points along the supply chain as well.
With 2020 behind us, it is a good time to look back on some of the more prominent third-party breaches of the year and lessons that might be gleaned from others’ misfortunes. With third-party breaches from vendors and other outside entities rising while regulations and laws are enacted to extract ever greater penalties from such breaches, proper third-party risk management is more important than ever.
Maintaining foundational security (should be every year)
Have you achieved the basics in the battle against cybercrime?
Casual and unskilled attackers represent just as big a threat as hacking collectives and state-sponsored cybercrime groups.
The world has come to terms with the fact that cybersecurity breaches are inevitable. While it’s true that the skilled and determined hacker will always get through, it’s no excuse not to take the basic precautions that will prevent many, perhaps most, attacks.
Sometimes in our efforts to combat increasingly sophisticated cyberattacks perpetrated by well-resourced hackers, we can become mesmerised by potential threats and pour all our resources into developing stronger strategies and investing into the latest security technologies — all the while neglecting the basics.
Maintaining foundational security is critical, yet we still see many companies with challenges in the following areas:
- Asset management
- Well-documented and comprehensive security processes which underpin the information security policy and standards
- Vulnerability management
- Privileged account management
- Application security
- Network security
- Security awareness training
- Security compliance KPIs
- Security monitoring
- Cyber incident response
- Cyber resilience/BCDR
Simplify digital identity management
Privileged accounts pose a significant risk. Once obtained by hackers, the accounts can be used to access the most sensitive data. We will continue to see efforts in discovery to gain visibility of all privileged accounts including service, functional and nested privileges in order to keep the number to a minimum.
ID admin teams will implement process changes to ensure the use of random, complex initial passwords, as well as ensuring individual accountability for the use of privileged accounts.
Particular attention will be paid to the information supply chain: which vendors, suppliers and partners have access to data, and what are they doing to secure it? We should be rethinking authentication and security controls, for example, introducing two-factor authentication in which a password must be combined with biometrics, tokens or some other authentication factor.
Many organizations have only applied rigor on audited systems and neglected others, which increases the risk of compromise and lateral movement to the target systems and/or data. Authorization workflows for the primary controls (user access requests) and secondary controls (attestation) are often inconsistent, which increases overhead, inefficiencies and risk.
Close the cybersecurity talent gap
Companies universally are experiencing an unprecedented cyber security skills gap, with some reports estimating there will be 3.5 million vacant cybersecurity positions by 2021. Amidst the COVID-19 pandemic, with a large percentage of the workforce now working from home, organizations are required to secure these networks.
According to a recent study conducted by MaritzCX, 73 percent of respondents reported having had at least one intrusion or breach over the past year that can be directly attributed to a shortage in available cybersecurity talent. The cyber security skills shortage isn’t going anywhere anytime soon, but you can at least take steps to mitigate it.
The most valuable and efficient way to close the cyber security skills gap in your organization is to invest in proper cybersecurity training for all employees. Cybersecurity training has a proven high return on investment, and organizations can no longer afford to suffer the consequences of avoidable breaches. A study recently conducted by (ISC)2 found that to fully address the current skills shortage, 4.07 million workers would need to be added to the talent pool that currently possesses only 2.8 million professionals.
To address these challenges and find the right individuals to build out their security teams, organizations must broaden new-hire channels. While cybersecurity knowledge and experience are important, many candidates with diverse, non-traditional backgrounds like veterans have attributes such as strong critical thinking skills, adaptability and a willingness to keep learning — which are equally important.
Do you have thoughts on our predictions or another area you'll be focusing on this year? Let us know in the comments below.