Though 2020 is coming to an end, companies will continue to adjust to the events of the year, with ripples spreading out into every facet of business operations. The distribution of a vaccine will likely bring the year's most noteworthy event, the coronavirus pandemic, to an eventual end, but one impact of the pandemic—a major increase in remote work—is likely here to stay.
For cybersecurity, both the pandemic and remote work have created challenges. This past year, driven by keen interest in every development related to the pandemic, COVID-themed phishing lures have taken off, and a variety of bad actors have used information on topics such as vaccine research to get inside systems. Meanwhile, remote work has resulted in security researchers and attackers focusing on the necessary infrastructure—such as virtual private network (VPN) software—as a target of attack.
Many of those trends will continue into the new year, said Michael Sentonas, chief technology officer for CrowdStrike, a cybersecurity services firm.
"We see the threats going through the roof; a lot of the adversaries see this as a good opportunity. You have one dynamic which has a huge number of attacks ... especially as people access applications from outside the organization far more often than they used to."
—Michael Sentonas
Cybersecurity teams and security operation center (SOC) analysts have had to adapt to these threats while themselves working as a remote team. With more cloud infrastructure, exposed VPN appliances, and harder-to-manage user systems, cybersecurity teams will have their work cut out for them in the next year, said Deepen Desai, CISO and vice president of security research at Zscaler, a cloud security company.
"Users will continue to remain prime targets [of] cleverly crafted social engineering campaigns. The goal here is to perform credential theft or system compromise, which can then be leveraged to perform further attacks."
—Deepen Desai
Here are five trends SecOps pros need to prepare for in the new year.
1. Debate over making ransomware payments illegal will heat up
Ransomware has become the de facto standard for cyber criminals to make money from compromises. In the past, desperate companies have often chosen to pay the ransom, but that may cease to be an option in the future.
As a matter of public policy, the most effective way to take on ransomware is to prohibit victims from paying the ransom. The United States may be moving to take that approach, using laws that sanction criminal and terrorist organizations. In October, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) clarified that paying a ransom to a sanctioned group could result in penalties against the company making the payment.
"Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations."
—OFAC advisory, October 2020
The notice highlights that companies may not have an option in the future to pay ransoms to perpetrators—the cyber criminals and nation-state hackers behind ransomware. Expect the debate to heat up, said CrowdStrike's Sentonas.
"The fastest way to kill this as a problem is to effectively mandate that no one can pay these people. But the counter-argument is that you are punishing the victim, because the risk is, if you have an organization who can't recover, what options do they have?"
—Michael Sentonas
2. Shadow IT rises again due to remote work
Information technology that flies under the radar of the IT department has raised significant issues for companies. Often such technology—whether a wireless router, a development server, or a cloud application—is not well maintained by the employee who installed it, leaving a potential security issue.
A decade ago, the most significant threat was likely a rogue Wi-Fi access point. A few years ago, cloud storage and cloud applications became the greatest risk for most organizations. Now, with a large portion of the office workforce working remotely, their home devices have become the latest shadow-IT attack surface, said Yassir Abousselham, chief information security officer for Splunk.
Security organizations will need to keep an eye on new technologies, with a focus on shadow IT, as everyone faces new challenges during and coming out of the pandemic, Abousselham said.
"Attackers will continue relying on the same tactics with preference for the easiest path to achieving compromise, [whether that is] weak passwords, open public cloud storage, [or some other technical issue.]"
—Yassir Abousselham
Companies should invest in basic security hygiene, focus on automated security measures and checks, and enable stakeholders to take part in the security program, he said.
3. Less access to packet data hinders network monitoring
While preventing breaches is still Plan A for most companies, detecting a breach before the attacker can do significant damage is key to preventing some of the worst forms of cyber attack, including ransomware. Monitoring the network for anomalous activity is a key part of the approach, but the adoption of more cloud services as part of business infrastructure means that more traffic will be encrypted and difficult to monitor for threats, said Mike Hamilton, the former CISO for the city of Seattle and the co-founder and CISO of cybersecurity firm CI Security.
"Attackers are looking to steal data or do damage, so they have to go deep into the network, and that is the opportunity [for defenders] to see their signal. But problematically, we are going to have less and less access to packet data because pervasive encryption is continuing to be rolled out. And the criminals, of course, are using encryption more as well, so it becomes more about the metadata."
—Mike Hamilton
Analysts should develop more visibility and alerts based on metadata and not indicators of compromise that may no longer be visible, he said.
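Hamilton's point is that the payload may be opaque but the connection metadata is not: who talked to whom, on which port, how often, and how much. One concrete detection built only on that metadata is a beacon check, since a compromised host that calls home on a timer holds a regular interval no matter what is inside the TLS stream. The script below is an added example, not code from the article or from CI Security; the flow-log format (timestamp, source, destination, port, bytes out), the addresses (documentation ranges), the timestamps, and the thresholds are all constructed for illustration.

```python
"""Beacon detection from connection metadata only (added example, not from the article).

Assumes a simple whitespace-separated flow log: timestamp, src, dst, dst_port, bytes_out.
All addresses, timestamps and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records. The first host contacts one destination roughly every
# 60 seconds with identical sizes; the second host shows ordinary, bursty browsing.
FLOW_LOG = """\
2020-12-10T09:00:00 10.1.4.22 203.0.113.5 443 1220
2020-12-10T09:00:10 10.1.4.23 198.51.100.7 443 5120
2020-12-10T09:00:12 10.1.4.23 198.51.100.7 443 844
2020-12-10T09:01:02 10.1.4.22 203.0.113.5 443 1220
2020-12-10T09:01:59 10.1.4.22 203.0.113.5 443 1220
2020-12-10T09:03:01 10.1.4.22 203.0.113.5 443 1220
2020-12-10T09:03:40 10.1.4.23 198.51.100.7 443 23011
2020-12-10T09:04:00 10.1.4.22 203.0.113.5 443 1220
2020-12-10T09:04:05 10.1.4.23 198.51.100.7 443 1990
2020-12-10T09:04:58 10.1.4.22 203.0.113.5 443 1220
2020-12-10T09:05:30 10.1.4.22 198.51.100.20 80 640
2020-12-10T09:06:01 10.1.4.22 203.0.113.5 443 1220
2020-12-10T09:07:00 10.1.4.22 203.0.113.5 443 1220
2020-12-10T09:11:30 10.1.4.23 198.51.100.7 443 7702
2020-12-10T09:11:33 10.1.4.23 198.51.100.7 443 412
2020-12-10T09:25:00 10.1.4.23 198.51.100.7 443 15877
2020-12-10T09:26:00 10.1.4.22 198.51.100.20 80 640
"""


def parse_flows(text):
    """Parse the constructed flow-log format into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes),
        })
    return flows


def find_beacons(flows, min_connections=6, max_jitter=0.15):
    """Flag (src, dst, port) tuples whose inter-connection gaps are unusually regular.

    jitter is the coefficient of variation of the gaps (stdev / mean). Human or
    application-driven traffic is bursty (jitter well above 1); a scheduled
    callback keeps a tight interval, which is visible without decrypting anything.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["port"])].append(f)

    findings = []
    for (src, dst, port), group in by_pair.items():
        if len(group) < min_connections:
            continue  # too few samples to judge periodicity
        group.sort(key=lambda f: f["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(group, group[1:])]
        interval = mean(gaps)
        if interval <= 0:
            continue
        jitter = pstdev(gaps) / interval
        if jitter > max_jitter:
            continue
        findings.append({
            "src": src, "dst": dst, "port": port,
            "connections": len(group),
            "interval_s": round(interval, 1),
            "jitter": round(jitter, 3),
            # Few distinct sizes is a second metadata signal: the same check-in each time.
            "distinct_sizes": len({f["bytes"] for f in group}),
        })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(FLOW_LOG)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every ~{hit['interval_s']}s over {hit['connections']} connections "
              f"(jitter {hit['jitter']}, {hit['distinct_sizes']} distinct sizes)")
```

In practice the same logic runs over Zeek conn.log or NetFlow exports rather than a hand-built string, and the thresholds need tuning per environment: software update checks, monitoring agents and telemetry are also periodic, so known-good destinations should be allowlisted before an alert fires, and the finding is a lead for an analyst rather than a verdict.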
4. Multi-factor authentication (MFA) becomes ubiquitous
With the movement of many business processes and applications to cloud services, the single most effective countermeasure to protect corporate data and infrastructure is incorporating a second, or third or fourth, factor of authentication.
With remote work expected to continue, incorporating MFA into every facet of infrastructure is increasingly important, said Mick Baccio, cybersecurity advisor at Splunk.
"Many employees either don’t think about security on a day-to-day basis, or they actively make decisions that prioritize convenience over secure processes. That just can’t happen in a work-from-home world, so security leaders are now playing catch-up."
—Mick Baccio
5. The United States unfetters its response to nation-state hacking
A bevy of new regulations for cybersecurity will continue to arrive, from requirements for more secure Internet of Things hardware to greater privacy expectations from states such as California. However, the government is also focused on finding ways to cause pain to attackers.
The Cyberspace Solarium Commission report advocated for a more aggressive policy of targeting cyber-attack groups with the aim of making their efforts more difficult. The Trump Administration and the US military adopted this policy, dubbed Defend Forward, as a way to "preempt threats, defeat ongoing harm, and deter future harm" from malicious actors and nation-states in cyberspace on a daily and an ongoing basis, according to a paper by the Hoover Institution.
Most notably used in the run-up to the presidential election to blunt foreign-sponsored disinformation, the policy doctrine could help companies by engaging cyber threats before they become more serious, said CI Security's Hamilton.
"If a country is full of threat actors engaged in crime against us, we need to hit them in the economy," he said. "We need to drop all the legitimate business traffic to that country. The Trump Administration has just scratched the surface on this."
Hamilton sees greater cooperation between government and business to fend off larger cyber threats, such as China's industrial espionage and North Korea's financial attacks.
Cyber resilience comes of age
Overall, cybersecurity organizations should expect more mature policies in 2021. At the same time, they may have more responsibilities, ranging from increased requirements to protect data to fewer options in dealing with ransomware.
The post-pandemic world will see bigger shifts for security teams, such as the move from a cybersecurity approach to that of broader cyber resilience. Mark Fernandes, CTO for security at Micro Focus, wrote recently that it's time for the traditional SOC to evolve into an "integrated threat operations center," or ITOC.
He urges SecOps teams to welcome technologies such as AI, ML, and automation so that the team can focus on what matters. (See TechBeacon's Essential Guide to AI in the SOC.)