A look ahead: Forecasts for 2014

A group of prominent security professionals forecast the significant industry shifts in 2014. Greg Masters compiles the responses.

What threat vectors will be most prominent? Why? 

Sanjay Beri, founder and CEO, Netskope: One of the top threat vectors has always been and will continue to be insiders – typically employees doing malicious things, or people inadvertently causing harm because they don't know how to use applications in the safest way. It also can include people outside the company who, because they have access to internal data, can propagate threats inside the corporate environment. In some of the latest breaches, attackers were getting access to passwords of people who had admin access to a data center. Another vector that will remain popular is international threats, such as espionage and nation-state attacks. The types of attacks can be motivated by politics, competition, terrorism or hacktivism.

Jason Bloomberg, president, ZapThink: In 2014, the story won't be any particular threat vector. It will be the sheer spectrum of different types of threat vectors – web, email, social media, Wi-Fi hotspots, social engineering, with new ones being added to the list limited only by the speed of hackers' imaginations.

Josh Chin, executive director, Net Force: Targeted social engineering attacks have been and will be the most prominent threat to organizations and users alike. When traditional threat vectors are combined with a social engineering component, these threats evolve into sophisticated tactical attacks with greater success. We saw the evolution of phishing into spear phishing and we continue to see social engineering attack vectors as platforms to introduce new threat variations, including ransomware such as Cryptolocker.

Brian Finch, partner, Dickstein Shapiro: Signature-less and polymorphic threats will continue to dominate as will counterfeit parts that contain embedded malware. While there are defenses for all those threats, they are not widely adopted and so those threats will continue to have a high rate of success.

Our prognosticators

Sanjay Beri is the founder and CEO of Netskope. He holds numerous patents in the areas of networking and internet security, and has led the design and development of software, firmware, and hardware in various industries. 

Jason Bloomberg is president of ZapThink, a Dovel Technologies company. He is a global thought leader in the areas of cloud computing, enterprise architecture and service-oriented architecture. He is a frequent conference speaker and prolific writer. 

Joshua Chin is a founder and managing partner with Net Force with more than 12 years experience in cyber security. His professional focus is directed at strategic and holistic cyber security solutions and digital investigations. He is the first vice president of the Southern California Chapter of the High Tech Crimes Investigator Association (HTCIA), a member of the Open Web Application Security Project (OWASP), and the Information Systems Audit and Control Association (ISACA). 

Brian Finch, a partner in Dickstein Shapiro's Washington, DC office, is head of the firm's global security practice. Named by Washingtonian magazine in 2011 as one of the top 40 federal lobbyists under the age of 40, he is a recognized authority on global security matters who counsels clients on regulatory and government affairs issues. 

Arthur Lessard is SVP/CISO for Universal Music Group, responsible for information security governance, external threat management and security operations for the global organization. This includes protection of intellectual property and other critical business information, as well as leading efforts to protect public-facing properties, such as the company's 2,600+ websites. 

Enrique Salem has more than 25 years of executive leadership experience. Most recently, he served as CEO of Symantec. Prior to that, he served as CEO of Brightmail.

Arthur Lessard, SVP/CISO, Universal Music Group: APT-style threats will continue, which combined with the fact that many of them are zero day now makes them particularly nasty. Of course, “APT” is mostly a buzz word. What I mean by that is any threat from a malicious user base that is persistent and leverages your infrastructure and servers against you. They're not going away.

Enrique Salem, former CEO, Symantec: There's a range of threat vectors that can be used, but the most sophisticated and widely used attacks are those that are highly targeted and handcrafted for a specific employee at a particular company. An attacker can go onto social media sites like LinkedIn and Facebook and build a whole profile for a target. There are tools that aggregate information about people automatically – that's an attacker's dream. Now they don't have to do much work to get victims to respond and fall into their trap. As companies move to new cloud-based apps, attackers who used to target top executives to get the most privileged access into a company can instead go after the administrator of the cloud apps.

What security solutions/services will see increased adoption? Why? 

SB: Traditional perimeter protection, such as firewalls and intrusion detection, is increasingly ineffective against most attacks these days. Newer technologies – like application-level protection, sandboxing and heuristic analysis that looks at activities and threats at a deeper level than traditional networking gear – are a burgeoning space because they can stop attacks that AV and other traditional solutions can't. It's not as simple as just looking at a client computer system and spotting something that looks bad, but poring through data and doing data analysis to detect threats.

JB: Organizations will increasingly look for holistic security solutions. Point solutions that deal with particular threats never provide adequate security, and with the explosion of threat vectors, free and easy hacking tools, and increased vulnerabilities, organizations must take an approach to security that leverages enterprise architecture – holistically covering organization, process, information and technology.

JC: Businesses and enterprises will be spending their money on cloud-based security solutions in an effort to strengthen their security posture while enhancing their detection and response capabilities. The cloud is providing a flexible platform for new security vendors to offer their security solutions at a competitive price. While the cloud is being branded as the solution to all business problems – from computing operations, business continuity and security – there is definitely value in what cloud-based security providers are offering, but not everyone understands the nature of the cloud, and most definitely not all cloud-based security providers are alike.

BF: You will see more uptake of zero-day defenses like whitelisting and detonation chambers. They are increasingly available and working their way into security requirements, which dictates what is purchased. You will also see more endpoint solutions to protect against insider threats. The Snowden scandal has made it clear that data loss prevention is a key priority, and so spending on these tools will rise.

AL: With the growth of cloud services, I think most CISOs have realized that it's here to stay. Rather than rail against its insecurities, some of us have begun looking for ways to use the cloud FOR security. In particular, my group has started to move away from the “stack” of security appliances we're used to implementing at internet connection points – a combination of firewalls, network intrusion detection system (NIDS), URL filtering, etc. – in favor of leveraging cloud resources to perform those functions for users wherever they happen to be (including in offices). There are vendors now that offer those services in a cloud environment, keeping me from having to either put a stack of hardware at every internet PoP or rein in the use of internet PoPs throughout the company, neither of which is palatable.

ES: There are a number of big trends happening today that will drive the adoption of new security solutions: 1) Consumerization of IT, where the end user has more control over the devices and applications they use in the workplace; 2) A significant move to a smartphone or tablet-centric computing environment; and 3) Adoption of cloud apps by businesses of every size, from the largest companies in the world down to the smallest. Given all these trends, the question is: What will people need to protect themselves? We will need solutions that give IT the same level of visibility and governance that they've historically had with more traditional, inside-the-firewall applications. As end users increasingly move to smartphones and cloud apps, the security solutions that will gain traction are those that give IT that control over those threat vectors. Netskope, for example, does this for cloud apps.

What will see declining adoption rates? Why? 

SB: Because they are less effective at stopping threats than newer technologies, solutions like firewalls, IPS, AV gateways and traditional networking gear will see a slowdown in adoption. I'm not saying people won't still have them, but the reliance on them will be diminished. People are spending millions on that software, but they're not catching the threats. This may force downward pressure on those older solutions, as well. It doesn't mean people will throw them out, but they can't be your security strategy. There will be a re-allocation of those dollars to new technologies that deal with the problem at a higher application layer, using heuristics and data analysis. 

JB: I don't believe any category of security solution will decline in 2014. Some will accelerate more quickly than others, but even the laggards will show some growth.

JC: 2014 will see a decline in checklist-based security assessments and audits. They simply are not working. 2013 saw a record number of data breaches, affecting everything from government agencies to midsized businesses to enterprises. Consequently, these organizations are spending thousands of dollars (millions for larger data breaches) on the investigation, clean-up of a security incident and consumer data breach notifications. This does not include money spent to remediate the security issue to prevent a recurrence. Checklist-based security assessments and audits are putting organizations in a reactive posturing instead of a proactive posturing. Checklists are making it easier for organizations to feel safe, and in the process making them complacent. 

BF: Traditional anti-virus tools using blacklisting will suffer in popularity. Companies will always need standard AV tools, but they will be increasingly supplemented by other tools that serve to defeat advanced attacks.

AL: While APT-style threats are a problem, I don't necessarily subscribe to the “APT appliance” mitigation method. I think that the tools that are out there these days, including Splunk, are capable of doing a lot of the correlation promised by APT vendors without the need for a new set of hardware.

ES: Ultimately anything that is PC or Windows-centric is decreasing in adoption and use. There's a move away from the common computing platform that has been entrenched in home and work environments for decades. Since hackers, thieves and spies will go where the users are, anything built around traditional endpoint software will see declining usage. 

Which security lessons will organizations be forced to learn this year? Why? 

SB: The biggest lesson organizations will be forced to learn is that there are huge implications for lacking knowledge of threats to your organization. Enterprises spend millions trying to solve for problems they know about or think they have, but the biggest problem is what they don't know. They are busy protecting their end-users, data and devices that they do know about. But what about applications and data that are sitting somewhere else? Organizations need to learn how to operate in a world where they don't own all the applications, data and devices employees are using, and how they can protect the corporate data when employees are at liberty to use whatever apps they want. The existing technologies don't solve that problem.

Secondly, organizations will learn that the spend in security cannot be about replacement of existing tools. It has to be about how to bring in new tools and use the spend to crunch down the legacy endpoint tools and make room for this solution that will do analysis and understand things at a deeper level. 

Finally, IT and security are enablers of the business. They're not there to shut things down. They are partners and, as a result, they'll have a more prominent place in the company. IT will be seen as a big enabler for the company's business. The CSO and the CIO will have a seat at the table because they're enabling a huge transformation in their companies.

Sanjay Beri, founder and CEO, Netskope 

Jason Bloomberg, president, ZapThink 

Josh Chin, executive director, Net Force 

Brian Finch, partner, Dickstein Shapiro 

Arthur Lessard, SVP/CISO, Universal Music Group

Enrique Salem, former CEO, Symantec

JB: Achieving adequate security is only getting more difficult and expensive, while hacking is getting simpler and cheaper. The bad guys are winning this war.

JC: Organizations must learn that there is no “us versus IT auditors” or “us versus information security people.” There is only “us versus the bad guys.” Whether one is part of the internal information security of an organization or an external auditor/consultant (aka the Good Guys), there is a constant battle between people who are legitimately trying to improve the security posture and readiness of an organization and the decision-makers of an organization. While adversaries are actively adapting to an organization's security defenses to ensure the maximum success, organizations are fighting among themselves. Decision-makers should be fighting the “bad guys,” not their allies. Bad does not discriminate. “Good guys” follow the rules. “Bad guys” do not. 

BF: As the C-suite increasingly realizes the threat posed by cyber attacks, they will expect better results from security investments. And when the inevitable breach or successful attack occurs, the C-suite will be forced to confront the fact that they cannot defeat every attack and will have to occasionally suffer losses.

AL: Actually, I believe the most interesting one that has been learned in the last few years, and which is still being ingested in some corners, is that information security is a component of standard business risks rather than a separate “IT security” line item. Trying to deal strictly with IT security (e.g. AV, server patching) without integrating your security groups with the business lines leaves a huge gap that can hurt the bottom line. A security group that recognizes that information security is simply another type of business risk, and involves the businesses in the risk assessment, mitigation and policy/standards process, is a very valuable tool that businesses have needed for a while. Smart companies have recognized this and moved information security to an appropriate risk repository such as finance or legal.

ES: The most important lesson organizations have to learn is to figure out what is the most important data they need to protect. They need to ask, “Where is the critical information and the intellectual property?” And they have to be focused because they can't properly have that kind of control over all devices, data and offices. That would be expensive and not effective. So they need to figure out what apps and services are most important to their business, what data is going into those systems and whether they have appropriate controls for that data, device or app. 

What will be the most surprising security-related development? 

SB: I think the most surprising development will be, and this is slowly being realized, that the solutions that get 80 to 90 percent of security spend are offering only 30 percent coverage as far as protection. So what companies thought was “keep your lights on” security, or the “must-have” product, if that's taking the vast majority of the budget, they may need to get rid of it or figure out how to do that more efficiently so they can make room for other more effective stuff. That will be a hard thing for people to get their heads around, but they will. 

JB: I predict a “Cyber 9/11” – a single coordinated attack so unexpected and damaging that it changes the world of security (especially cyber security) forever. If not in 2014, then soon.

JC: The most surprising development will be that digital attacks will start having real-life physical consequences. The consequences have thus far largely been limited in the digital world, but we will see an increase of security incidents affecting the physical world. It will be interesting what 2014 brings, especially in the areas of custom-tailored malware or attacks that physically damage or physically impact the lives of people daily.

BF: That old attacks using spear-phishing continue to work quite well. One would think that with all the education about such attacks people would be on the lookout for them, but they will still work and cause significant losses.

AL: That Big Data won't solve all of your problems without the same processes and personnel needed with “Little Data.” To be honest, this shouldn't be a surprise, since we seem to learn this lesson – more data doesn't necessarily mean better security – with every technology advance (e.g. NIDS), but it'll surprise people nonetheless.

ES: A big breakthrough will be the ability to use security solutions that will enable IT to embrace the megatrends including consumerization, cloud and mobility, without taking on too much risk. Next year will be the tipping point for that because there will be tools in the marketplace that allow admins to be more forward looking as opposed to reactive. Companies like FireEye provide real-time threat detection aimed at the more sophisticated attack vectors. 

What effect will the revelations of the NSA's Prism and Bullrun programs – collecting citizens' communications and collaborating with technology companies to build entry points into their products – have on the security industry? 

SB: This is broader than just the security industry. This is about social, political and ethical issues and where do people fall – it's a gray area. But technically, the issue is how do snoops get this data? I think people are realizing that what they thought was sacred and unbreakable may no longer be. There can be teams of people trying to break your encryption, trying to gather data you would never think they could get to. But as you dive into security you realize you should have no assumptions. Don't ever assume something is safe or unbreakable. Security is about reducing risk. You can't let your guard down or assume that “XYZ” will never happen. You need to plan for the worst.

JB: If someone can, then someone will. If someone can collect certain information or hack into a system or launch a successful social engineering attack, then someone will. We are constrained only by possibility, not by laws or governance policies. Organizations will start requesting information on whether the NSA has backdoors in security products, and will likely push for their removal should they exist, but largely it will fade quietly into the background.

BF: It will force security companies to recognize the importance of privacy, especially as buyers ask more questions about privacy safeguards. It will also impact their willingness to participate in information-sharing programs, which will negatively impact security overall.

AL: It's hard to believe that any serious security professional was actually surprised by any of those revelations, but it may get security groups to think more about what information is “leaking” from their networks unbeknownst to them, and it may make some of those technology companies more amenable to sharing information with organizations since they've been caught doing it with the government. On second thought, that latter one is unlikely.

ES: Every company that has access to private information needs to certify and prove to their customers that they are not only more secure than they've been in the past, but are also not taking on any new or unnecessary risks by using these services. Vendors will have to convince customers and businesses that there are no new vulnerabilities as a result of using their solutions or products. There will be that added pressure on vendors to make security more of a selling point. 

What else do you believe will develop in the near future affecting the security industry? 

SB: If you look at any company, the economics of how they operate their business is changing. Why do you think IT and companies in general are looking outside their corporation to leverage cloud-based storage and apps that let them move faster and more economically? The economics of running a business is one of the big things that will affect security. In many cases, the economics point to you giving up your data center and the notion of corporate devices. These economics and the capabilities that can be unleashed from a productivity point of view will drive people to adopt technologies that will lead to new security solutions. 

JB: The Internet of Things is woefully unprotected, and we really have no idea how to protect it. RFID tags are dead simple to compromise. So are Wi-Fi hotspots. What about automobiles? Factory equipment? Traffic sensors? They are all surprisingly vulnerable. 

JC: The vision and direction the industry is going toward is embedded computing. Processors, wireless communications and data storage are being incorporated into everything from watches to automobiles. We are seeing an increasing number of embedded devices in our world, including digital signage. With an expected 300x IP traffic growth over the next decade, the number of smart connected devices will only increase, and will only increase the number of challenges the security industry will face. Questions like “How does one defend and protect an automobile that drives itself?,” “How does one defend an intelligent traffic management system?,” or “How does one protect customer information collected from adaptive, personalized digital signage?,” are only the beginning.

BF: Litigation will eventually succeed against security buyers and sellers, forcing companies to think more carefully about what they buy and the terms and conditions in sales agreements. It will also create a bigger push for liability reform and highlight some of the shortcomings of the booming cyber insurance industry.

AL: I'd be surprised if laptops were still a serious market share in five years. The advance of handhelds/smartphones/tablets has gotten to the point that I don't carry a laptop with me when I travel anymore (and I used to religiously lug it along). This shift to the mobile platform has been talked about and anticipated and planned for a while…and I think everyone, both IT and security, is still very much underestimating it.

ES: As cloud and mobile become even more widespread, they will become bigger targets. This means more vulnerability, and more products and services aimed at safeguarding those users. This ultimately puts additional burden on IT departments. However, I think the market is responding to this and that actually 2014 will be the year for an IT renaissance. IT admins who have been resistant to BYOD and struggled to manage the consumerization trend will be able to embrace it on their terms and without alienating end users. This means IT can focus on fighting the real war against attackers and legitimate threats like that instead of battling with end users for control.
