My predictions for 2020? Here’s the short form:
Bad people will attempt to do bad things with increasing sophistication and scale.
Good people will continue to fight the good fight, often with limited tools and resources.
We will see improvements in tools for protection, detection and response—maybe even some tools that work well with one another.
The C-suite will pay greater attention to privacy and security in an effort to keep shareholder value rising. New regulatory and client pressures may help security teams get the resources they need. We may even see security and privacy become a critical part of the DevOps process.
Combating Burnout in the SOC with Better Tools
Security Operations Center (SOC) teams are burned out with:
- False positives.
- Poorly integrated security tools.
- Lack of visibility into all the relevant data across the enterprise.
Poorly resourced SOC teams are forced to respond to alerts based on off-the-shelf detector settings and signatures that often are irrelevant or completely miss the bad actor. When they respond, they’re often challenged to manually connect the dots to determine if the threat is credible.
Vendors are responding to this crisis in the SOC with tools for security orchestration, automation and response (SOAR). We can expect to see further developments in 2020. SOC engineers working with machine learning can train smart systems to identify normal, legitimate behavior, even as the environment changes.
Systems will automatically string together network, system and application logs to present a story for analysis, rather than an alert on a single anomalous log entry. This means there will be significantly fewer false positive alerts and a much clearer story for SOC analysts to review at first look. As part of a SOAR system, these alerts can also recommend or enact changes in controls to mitigate risks.
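To make the "story rather than a single alert" idea concrete, here is an added example in Python; it is not code from the original post or from any vendor's SOAR product. It parses constructed log lines from three sources (a firewall, a host's sshd/sudo log, and an application audit log), joins them on a hypothetical asset inventory (firewall `dst=` address to host name), and raises a story for a host only when several distinct stages line up inside a 30-minute window. Each stage is weighted once, so a burst of failed logins on its own never becomes an alert, while external access, brute force, success, privilege use and a bulk export on one host do.

```python
"""Stitch firewall, host and application logs into one per-host incident story."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # events further apart than this are not one story
THRESHOLD = 6                   # minimum combined weight before a story is raised
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]          # assumed enterprise ranges
ASSETS = {"10.0.5.21": "host21", "10.0.5.22": "host22"}  # hypothetical asset inventory

# Each stage counts once per story: 100 failed logins alone still score 1.
WEIGHTS = {"external_remote_access": 3, "auth_failure": 1, "auth_success": 1,
           "privilege_use": 2, "bulk_export": 3}

# Constructed sample logs (not from a real system). host21 is the attack chain;
# host22 is an admin working normally from an internal address.
SAMPLE_LOGS = {
    "network": [
        "2020-01-15T08:02:11Z fw01 DENY src=203.0.113.7 dst=10.0.5.21 dport=445",
        "2020-01-15T08:05:40Z fw01 ALLOW src=203.0.113.7 dst=10.0.5.21 dport=22",
        "2020-01-15T08:06:00Z fw01 ALLOW src=10.0.9.3 dst=10.0.5.22 dport=22",
    ],
    "system": [
        "2020-01-15T08:05:44Z host21 sshd: Failed password for alice from 203.0.113.7",
        "2020-01-15T08:05:51Z host21 sshd: Failed password for alice from 203.0.113.7",
        "2020-01-15T08:06:03Z host21 sshd: Accepted password for alice from 203.0.113.7",
        "2020-01-15T08:09:30Z host21 sudo:    alice : TTY=pts/0 ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/hr.tgz /srv/hr",
        "2020-01-15T08:06:05Z host22 sshd: Failed password for bob from 10.0.9.3",
        "2020-01-15T08:06:20Z host22 sshd: Accepted password for bob from 10.0.9.3",
        "2020-01-15T08:07:00Z host22 sudo:    bob : TTY=pts/1 ; USER=root ; COMMAND=/usr/bin/apt-get update",
    ],
    "application": [
        "2020-01-15T08:12:10Z host21 app: user=alice action=export rows=48211",
        "2020-01-15T08:00:00Z host22 app: user=bob action=export rows=12",
    ],
}

RE_NET = re.compile(r"(?P<ts>\S+) fw\d+ ALLOW src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)")
RE_AUTH = re.compile(r"(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+)")
RE_SUDO = re.compile(r"(?P<ts>\S+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)")
RE_APP = re.compile(r"(?P<ts>\S+) (?P<host>\S+) app: user=(?P<user>\S+) action=export rows=(?P<rows>\d+)")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def _event(ts, host, source, stage, detail):
    return {"ts": _ts(ts), "host": host, "source": source, "stage": stage, "detail": detail}


def parse_network(line):
    """Allowed inbound admin protocol from outside the enterprise, keyed to a known host."""
    m = RE_NET.match(line)
    if not m or m["port"] not in ("22", "3389") or not _is_external(m["src"]):
        return None
    host = ASSETS.get(m["dst"])
    if host is None:  # unknown asset: cannot be joined to host logs, so it is dropped
        return None
    return _event(m["ts"], host, "network", "external_remote_access",
                  f"{m['src']} -> {m['dst']}:{m['port']}")


def parse_system(line):
    m = RE_AUTH.match(line)
    if m:
        stage = "auth_failure" if m["result"] == "Failed" else "auth_success"
        return _event(m["ts"], m["host"], "system", stage, f"{m['result']} password for {m['user']}")
    m = RE_SUDO.match(line)
    if m:
        return _event(m["ts"], m["host"], "system", "privilege_use", f"sudo {m['user']}: {m['cmd']}")
    return None


def parse_application(line, bulk_rows=10000):
    m = RE_APP.match(line)
    if not m or int(m["rows"]) < bulk_rows:
        return None
    return _event(m["ts"], m["host"], "application", "bulk_export", f"{m['user']} exported {m['rows']} rows")


PARSERS = {"network": parse_network, "system": parse_system, "application": parse_application}


def parse_all(logs_by_source):
    return [ev for src, lines in logs_by_source.items()
            for ev in map(PARSERS[src], lines) if ev]


def build_stories(events, window=WINDOW, threshold=THRESHOLD):
    """Slide a time window over each host's events; keep the best-scoring window per host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    stories = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, first in enumerate(evs):
            chain = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            score = sum(WEIGHTS[s] for s in {e["stage"] for e in chain})
            if score >= threshold and (best is None or score > best["score"]):
                best = {"host": host, "score": score, "start": chain[0]["ts"], "end": chain[-1]["ts"],
                        "stages": list(dict.fromkeys(e["stage"] for e in chain)),
                        "timeline": [f"{e['ts']:%H:%M:%S} [{e['source']}] {e['detail']}" for e in chain]}
        if best:
            stories.append(best)
    return stories


def detect(logs=SAMPLE_LOGS):
    return build_stories(parse_all(logs))


if __name__ == "__main__":
    for story in detect():
        print(f"{story['host']} score={story['score']} stages={story['stages']}")
        print("\n".join("  " + line for line in story["timeline"]))
```

Run as written, only host21 produces a story (score 10, five stages in order); host22's failed login, success and sudo from an internal address total 4 and stay below the threshold, and without the firewall and application sources the host21 chain also falls short. The weights and window are illustrative knobs; in a real deployment they would be tuned against the baseline of normal behaviour for each host class.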
Ransomware Gets Scarier and Teams Respond
Infosec professionals used to talk about Advanced Persistent Threats (APTs) as rare but serious threats. APTs were “advanced” because only major criminal enterprises or governments could create them. They were “persistent” because they would linger quietly in the network, gathering intel and silently pivoting from host to host as they gathered administrative credentials and gained control. Because of the level of sophistication, APTs were either:
A: Only threats for major enterprises or institutions; or
B: Beyond the capability of smaller organizations to detect or deter.
APTs are rarely mentioned anymore, because such threats have become commonplace—not just from governments, but also online marketplaces that anyone can use with just a few Bitcoin.
Ransomware began as an unsophisticated, but highly effective tool for extortion. It was easier for victims to pay the ransom than it was to recover files from backups. In 2019, as more firms and municipalities announced they were victims of ransomware attacks, word spread that teams must have effective backups as part of their threat management programs.
Ransomware developers responded with new variants that have all the capabilities of APTs: stealthily moving into networks, gathering intel, and gaining admin access. But now they go beyond encryption, exfiltrating data first and publishing it if the ransom is not paid, so a good backup no longer takes the attacker's leverage away. Future variants will be ever more advanced (and persistent).
Enterprises must work on comprehensive strategies to mitigate these kinds of risks and plan for their response in case the threat is realized. This is a cross-team effort involving legal, IT, security, privacy, corporate communications and the C-suite, along with advancements in things like SOAR.
The Internet of Things Gets Bigger and More Frightening
The roll out of 5G promises a vastly more connected world with a huge proliferation of Internet of Things (IoT) devices. Within the enterprise, we’ve already seen this proliferation. Everything from cameras to sensors and coffee pots is connected to our corporate networks. In addition, employees now carry a vast number of personal connected devices. These things present serious risks to our networks (and our own personal privacy), as they are poorly supported and rarely secure.
Consider the problem with most IoT devices.
They’re typically assembled from components sourced from many suppliers at minimum expense. When vulnerabilities are discovered, they often can’t be fixed because:
- The devices lack the capability to be patched; or
- The faulty component is manufactured by a sub-sub-sub-contractor who feels no obligation to provide a firmware update.
In the second case, it may not be cost effective for the contractor, or they might be in a different country and not subject to legal or contractual obligation.
Legislators are starting to respond. In California, the IoT Law (CA SB 327) went into effect January 1, 2020. In the UK, there is a voluntary code of practice for IoT devices. In the U.S., the National Institute of Standards and Technology (NIST) released a series of publications on security and privacy for IoT devices:
- NISTIR 8259 (draft)
- NISTIR 8267 (draft)
In 2020, we can expect to see vendors respond and improve the security of IoT devices, but this will be a slow process. In the meantime, security and network teams must understand and respond to the unique risks that IoT devices present. (See NISTIR 8228, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.”)
Privacy Is a Big Deal
U.S. state and federal legislators will watch carefully as California, Nevada and Maine begin to enforce their new state privacy laws. Representatives continue to haggle over a federal privacy law. There are still a number of thorny issues to resolve, including:
- A right of private action.
- Whether the federal law preempts state laws.
- How enforcement will be funded.
Watch for a proliferation of proposed state laws, many likely based on California Consumer Privacy Act (CCPA) or the EU’s General Data Protection Regulation (GDPR), as well as solid progress on a U.S. federal law in 2020. Both existing and proposed laws have a real impact on IT and security operations, including:
- Specific types of data to protect, typically defining “covered data” and “sensitive covered data.”
- Allowed or prohibited actions on the different types of covered data, typically including limiting processing to only those activities specifically defined at the point of collection.
- Specific rights for individuals whose data your business is managing, potentially including:
  - The right to know what data you have or share.
  - The right to move or copy their data to another entity (“data portability”).
  - The right to correct data.
  - The right to restrict or stop the use or sale of their data.
  - The right to have their data deleted.
- Requirements for risk assessments.
- Requirements for security and/or privacy executive leadership.
- Your responsibility for ensuring the same data protection and control at all of your suppliers and service providers, all the way down.
Security and Privacy Meet DevOps
There was a rash of articles in 2019 on how best to integrate security into DevOps. Do we embrace DevSecOps or NetSecOps? And how does privacy fit in?
At some point, we need to stop stapling additional three-letter codes on our job descriptions. Instead, we must realize that true continuous delivery means that security, privacy and compliance are core product features that cannot be ignored and must work properly with every product update. “Security by Design” and “Privacy by Design” must be incorporated as fundamental principles.
Regulated entities and those subject to GDPR already understand that these concepts are important. As more states, regulators and clients demand security and privacy, more firms will embrace DevNetSecPriCompliOps or face regulatory fines and lost clients.
DevOps teams must continue to innovate quickly, which means employing best-of-breed solutions from third-party sources. Many (most?) of these third-party sources don’t have the same regulatory or legal requirements for security and privacy. This means that firms must not just manage security and privacy within their own code, networks and containers. They must also realize that they employ third-party elements where they lack the same control.
Firms must therefore use approaches like zero trust, micro-segmentation and effective monitoring to protect their environments and data where they cannot control the code itself. Security and infrastructure vendors understand this, and there will be continued innovation and consolidation.
What Are Your Security Predictions for 2020 and Beyond?
In 2020, bad people will continue to do bad things with increasing sophistication and scale. And good people will continue to fight the good fight. My hope is that, in 2020, the good folks will have tools, resources and laws to help tilt the scales in their favor. What do you think?
Written by: Matthew Todd