8 Cyber Thought Leaders Share Security Trends for the New Year
Cybersecurity trends shift each year as different attacks take hold and technologies adapt to meet the demands of an evolving, connected world. At CIS, we focus on consensus-developed solutions and security best practices that help organizations around the world harden their systems and data. We spoke with some of the security leadership team at CIS to learn what trends they're expecting to see in the new year.
Sean Atkinson, Chief Information Security Officer
Election Security: Given the heightened attention to this election year, the expectation of interference will be prominent in most voters’ minds. The challenges include social media influence, manipulation of voter psychology, and the underlying technology infrastructure making up the voting system.
Privacy Controls: I expect the requirement for privacy programs in most organizations will become a higher priority. With the General Data Protection Regulation (GDPR) being enforced across some state-based privacy requirements, the trend may move the country towards a federal regulation. This may take some time for legislators to define what is to be protected; the California Consumer Privacy Act (CCPA) will start the state-based focus on how to protect citizens’ privacy rights.
IoT Focused Malware: In the past, it’s been trendy for devices to be internet-connected – no matter the purpose of the device. The future may require more thoughtfulness. As we begin to see IoT devices becoming part of everyday life – in the home, car and office – the threat landscape becomes ever-widening and makes the likelihood higher for a targeted attack.
Angelo Marcotullio, Chief Information Officer
Enhanced Backup Strategies: Traditional backup strategies are no longer adequate in corporate environments that extend beyond the traditional on-premises model. Most businesses now have information in multiple cloud environments such as AWS, Microsoft Azure, G Suite, Office 365, and Dropbox. Within these cloud environments, vendors offer different backup and recovery scenarios such as image snapshots, file or block backup, and database backups.
Ransomware is one factor driving businesses to re-evaluate their current backup and recovery system. Once infected with ransomware, a company may find information encrypted on-premises, in the cloud, and in their software as a service (SaaS) environments. If infected by ransomware, businesses are left with two options – pay the ransom or restore from backups. Having a comprehensive and proven backup and recovery system in place is a valuable insurance policy against ransomware.
Identity and Access Management (IAM): Organizations increasingly need an enterprise identity platform – a universal directory to manage all user identity and access regardless of application, employee location, business unit, etc. The ability to provision and de-provision accounts for different applications from a single environment becomes more valuable as remote work increases and the organization grows over time. I predict identity governance trending with the ability to audit and report on who has access to what and what they are doing. Organizations will also be looking for customizable single sign-on that allows for tailored authentication based on the type and sensitivity of the application’s data.
Adam Montville, Chief Product Architect
Increase of Tooling Ecosystems: In 2020, I think we’ll see an increase in the establishment of tooling ecosystems. Some standardization organizations (notably the IETF in their MILE and SACM working groups, the DMTF with its Redfish effort, and NIST with its SCAP 2.0 efforts) have been working to establish standards supporting out-of-the-box interoperability between disparate tools supporting a variety of cybersecurity workflows. Cisco has launched its pxGrid ecosystem, and OASIS has recently established the Open Cybersecurity Alliance, which also seeks to establish a cooperative ecosystem based on Open DXL. This trend will persist as security programs continue to demand increased speed moving from policy to implementation in their environments.
Integration of DevOps Security Model: I suspect we’ll see a continued increase in moving security management away from waterfall approaches to a more effective DevOps model.
Traditional internal and external audit cycles used to be on the order of years. While this has improved to perhaps annually or semi-annually, the outcome is still generally the same; policy, when enacted, does not immediately result in an operational change. We have seen in the marketplace an increased demand to break away from this waterfall-based model into one that leverages the systems development paradigm of agile and DevOps. Speeding policy to implementation demands that we seek to directly tie – to the maximum degree possible – policy to direct operational impact. Some would refer to this concept as governance-as-code. We aren’t quite there yet as an industry, but we are heading down this path, and I believe we will ultimately achieve a positive outcome.
Security and Privacy: Privacy concerns and awareness will continue to increase in importance, which means the balance between security and privacy will continue moving to the forefront.
There were 3,600 regulations relating to privacy introduced globally in 2019, and this global trend will continue. As privacy concerns heat up, so does the natural tension between privacy and security. Even though privacy is really security relating to a specific class of information, there is a tension between enterprise security and privacy relating to some of the information in that enterprise. One thing is certain, the problem will not be solved in 2020 or anytime very soon – imagine trying to get 3,600 jurisdictions to agree on what information is subject to privacy considerations, and then agreeing on how to handle those considerations. The most visible part of the debate could be around the concept of lawful access, which is where law enforcement agencies and governments are lobbying for the addition of backdoors into encryption, communication protocols, and devices.
Thomas Duffy, Senior Vice President of Operations
Ransomware Threats Continue: There was more than 100% increase ransomware incidents reported to the MS-ISAC from 2018 to 2019. It’s expected that this trend will continue into 2020 for U.S. State, Local, Tribal, and Territorial (SLTT) communities. Two important developments leading to this increase were:
- The relationships between certain malware and ransomware variants, such as TrickBot infections leading to Ryuk ransomware infections.
- Cybercriminals targeting managed service providers (MSPs) to push the ransomware out to multiple victims at once
Additionally, cyber threat actors are becoming more successful at targeting more severs/endpoints on a network, critical data, and backups. Along with an increase in reported ransomware incidents, there was also a considerable monetary increase in ransom demands and payments. Cyber threat actors will continue to conduct ransomware attacks as long as it is a profitable endeavor.
Michelle Peterson, Product Owner of CIS Benchmarks
Shared (Security) Responsibility Model: The importance of secure configurations will continue to grow in 2020 as more organizations continue to move to the cloud. Misconfigurations lead to vulnerabilities whether your environment is on-premises or in the cloud. Without this understanding, organizations may not realize security cannot be left solely in the hands of the cloud service provider (CSP). Security is a shared responsibility and the CSP will provide baseline security for the platform as they perceive it, but organizations need to be responsible for their security beyond the provider and what best fits their organizational policies. CIS Foundational Benchmarks for cloud accounts and services will continue to evolve and provide those baseline security configuration recommendations.
Edge Computing (5G): Edge computing is the cloud coming to you where you need it, if not right where you’re using it. It goes beyond distributed computing where the computation of data and storage happens at the location where it is needed and near the source of the data. 5G wireless is a key technology that is driving some of this growth, along with IoT devices such as a camera’s processing analytics to identify an animal or self-driving cars in Las Vegas. The need to process at the edge and the expansion of 5G will drive this technology well into the future providing what we need at the speed of light. Along with this growth, CIS will continue to look at ways to develop and incorporate edge computing, 5G, and IoT into CIS Benchmarks for technology.
James Globe, Vice President of Operations
Tiered Operational Services Engagement Model: SLTT governments have dynamic needs and capabilities which require an agile, responsive approach. Organizations serving SLTT communities need to respond to an evolving cyber threat landscape with context-rich, rather than one-size-fits-all programs.
In order to cultivate creative approaches to cybersecurity challenges, organizations should develop engagement from the bottom up. This bottom-up style also fosters engagement with SLTT organizations, and helps to adjust services to better meet existing risks, capabilities, and priorities.
At CIS, the importance of a tiered MS-ISAC and EI-ISAC member engagement model will be vital in helping members prioritize their cybersecurity efforts. It’s increasingly important to SLTT government entities as they balance thinly spread cyber budgets and their ability to hire and retain skilled talent.
Gregory Carpenter, Product Owner of CIS Hardened Images
DevSecOps: As companies migrate to the cloud in order to take advantage of all of the services and functionality offered, DevOps almost becomes a requirement. With this change in automation, traditional structures between developers, operations, and security have to be eliminated. The shift of security to the left allows it to be integrated into the development pipeline. Teams will begin to develop with security integrated upfront. The challenge is to develop with security, as you cannot work through this automation process implementing security after the fact.
Serverless: As a Function as a Service (FaaS) continues growth in 2020, this execution model takes a block of code and allocates the required resources to run that code. The code is typically executed in the form of a function as alluded to in the service title. While this model often feeds into DevOps and removes the requirement to manage and secure the underlying infrastructure, security still has to be applied to the code. This security is often referred to as governance-as-code and highlights how part of the equation in running your entire application as code via serverless could introduce security concerns.
Tony Sager, Chief Evangelist
5G is a lot more than 4+1: 5G brings the opportunity for vastly greater capacity and capability for businesses and consumers and profound changes in the nature of communications. And like every hyper-hyped new technology, it‘s rolling out faster than we can possibly make sense of the potential security issues. We also have to consider the potential for new security opportunities including a rapid transition to instant Network Functions Virtualization (NFV), Software Defined Networks (SDN), new low latency and alternative IP protocol "slices" to create internets and MAC-NETs on demand, hardware commoditization, virtualized mobile, always-on services, content distribution architectures, and new endpoint discovery services. Other examples include high-security purpose-built architectures and the development of minimally visible and ephemeral communications, making traditional IP flaws obsolete. There are all kinds of opportunities to rethink the current security spaghetti into techniques that could dramatically raise the stakes for attackers and disrupt criminal ecosystems.
Cybersecurity becomes mainstream for enterprise risk decision-making: Cybersecurity is rapidly moving from techno-wizardry into a core concern for business and government decision-makers. But it’s not their only concern, and they must look at cyber-risk as just one component of a spectrum of risk issues like business opportunity, reputation, safety, etc. There’s an emerging industry of scoring and assessment tools, security guidelines, verification processes, etc., to complement traditional compliance-oriented Risk Management Frameworks and governance, risk, and compliance (GRC) methods. Newer approaches, which are often driven by supply chain concerns, try to be: rapid and cost-effective to execute, dynamic and continuous in measurement, more concerned with generating a current operational view based on data and observations (vice document and evidence creation), and more naturally integrated into existing enterprise risk management processes. While this transition is complex and “foggy,” it’s a necessary step that could potentially change the economics of cybersecurity from “buy more magic stuff” to “make intelligent decisions about risk.”
Now that you know what cybersecurity trends you can expect to see in 2020 - what about practices you should stop in the new year? We've collected a list of cybersecurity practices for CISOs and other cybersecurity leaders to break in the upcoming year.