A group of prominent security professionals forecast the significant industry shifts in 2014. Greg Masters compiles the responses.
What threat vectors will be most prominent? Why?
Sanjay Beri, founder and CEO, Netskope: One of the top threat vectors has always been and will continue to be insiders – typically employees doing malicious things, or people inadvertently causing harm because they don't know how to use applications in the safest way. It also can include people outside the company who, because they have access to internal data, can propagate threats inside the corporate environment. In some of the latest breaches, attackers were getting access to passwords of people who had admin access to a data center. Another vector that will remain popular is international threats, such as espionage and nation-state attacks. The types of attacks can be motivated by politics, competition, terrorism or hacktivism.
Jason Bloomberg, president, ZapThink: In 2014, the story won't be any particular threat vector. It will be the sheer spectrum of different types of threat vectors – web, email, social media, Wi-Fi hotspots, social engineering, with new ones being added to the list limited only by the speed of hackers' imaginations.
Josh Chin, executive director, Net Force: Targeted social engineering attacks have been and will be the most prominent threat to organizations and users alike. When traditional threat vectors are combined with a social engineering component, these threats evolve into sophisticated tactical attacks with greater success. We saw the evolution of phishing into spear phishing and we continue to see social engineering attack vectors as platforms to introduce new threat variations, including ransomware such as Cryptolocker.
Brian Finch, partner, Dickstein Shapiro: Signature-less and polymorphic threats will continue to dominate as will counterfeit parts that contain embedded malware. While there are defenses for all those threats, they are not widely adopted and so those threats will continue to have a high rate of success.
Sanjay Beri is the founder and CEO of Netskope. He holds numerous patents in the areas of networking and internet security, and has led the design and development of software, firmware, and hardware in various industries.
Jason Bloomberg is president of ZapThink, a Dovel Technologies company. He is a global thought leader in the areas of cloud computing, enterprise architecture and service-oriented architecture. He is a frequent conference speaker and prolific writer.
Joshua Chin is a founder and managing partner with Net Force with more than 12 years' experience in cyber security. His professional focus is directed at strategic and holistic cyber security solutions and digital investigations. He is the first vice president of the Southern California Chapter of the High Tech Crimes Investigator Association (HTCIA), a member of the Open Web Application Security Project (OWASP), and the Information Systems Audit and Control Association (ISACA).
Brian Finch, a partner in Dickstein Shapiro's Washington, DC office, is head of the firm's global security practice. Named by Washingtonian magazine in 2011 as one of the top 40 federal lobbyists under the age of 40, he is a recognized authority on global security matters who counsels clients on regulatory and government affairs issues.
Arthur Lessard is SVP/CISO for Universal Music Group, responsible for information security governance, external threat management and security operations for the global organization. This includes protection of intellectual property and other critical business information, as well as leading efforts to protect public-facing properties, such as the company's 2,600+ websites.
Enrique Salem has more than 25 years of executive leadership experience. Most recently, he served as CEO of Symantec. Prior to that, he served as CEO of Brightmail.
Arthur Lessard, SVP/CISO, Universal Music Group: APT-style threats will continue, which, combined with the fact that many of them are zero day now, makes them particularly nasty. Of course, “APT” is mostly a buzzword. What I mean by that is any threat from a malicious user base that is persistent and leverages your infrastructure and servers against you. They're not going away.
Enrique Salem, former CEO, Symantec: There's a range of threat vectors that can be used, but the most sophisticated and widely used attacks are those that are highly targeted and handcrafted for a specific employee at a particular company. An attacker can go onto social media sites like LinkedIn and Facebook and build a whole profile for a target. There are tools that aggregate information about people automatically – that's an attacker's dream. Now they don't have to do much work to get victims to respond and fall into their trap. As companies move to new cloud-based apps, attackers who used to target top executives to get the most privileged access into a company can instead go after the administrator of the cloud apps.
What security solutions/services will see increased adoption? Why?
SB: Traditional perimeter protection, such as firewalls and intrusion detection, is increasingly ineffective against most attacks these days. Newer technologies – like application-level protection, sandboxing and heuristic analysis that looks at activities and threats at a deeper level than traditional networking gear – are a burgeoning space because they can stop attacks that AV and other traditional solutions can't. It's not as simple as just looking at a client computer system and spotting something that looks bad, but poring through data and doing data analysis to detect threats.
JB: Organizations will increasingly look for holistic security solutions. Point solutions that deal with particular threats never provide adequate security, and with the explosion of threat vectors, free and easy hacking tools, and increased vulnerabilities, organizations must take an approach to security that leverages enterprise architecture – holistically covering organization, process, information and technology.
JC: Businesses and enterprises will be spending their money on cloud-based security solutions in an effort to strengthen their security posture while enhancing their detection and response capabilities. The cloud is providing a flexible platform for new security vendors to offer their security solutions at a competitive price. While the cloud is being branded as the solution to all business problems – from computing operations, business continuity and security – there is definitely value in what cloud-based security providers are offering, but not everyone understands the nature of the cloud, and most definitely not all cloud-based security providers are alike.
BF: You will see more uptake of zero-day defenses like whitelisting and detonation chambers. They are increasingly available and working their way into security requirements, which dictates what is purchased. You will also see more endpoint solutions to protect against insider threats. The Snowden scandal has made it clear that data loss prevention is a key priority, and so spending on these tools will rise.
AL: With the growth of cloud services, I think most CISOs have realized that it's here to stay. Rather than rail against its insecurities, some of us have begun looking for ways to use the cloud FOR security. In particular, my group has started to move away from the “stack” of security appliances we're used to implementing at internet connection points – a combination of firewalls, network intrusion detection system (NIDS), URL filtering, etc. – in favor of leveraging cloud resources to perform those functions for users wherever they happen to be (including in offices). There are vendors now that offer those services in a cloud environment, keeping me from having to either put a stack of hardware at every internet PoP or rein in the use of internet PoPs throughout the company, neither of which is palatable.
ES: There are a number of big trends happening today that will drive the adoption of new security solutions: 1) Consumerization of IT, where the end user has more control over the devices and applications they use in the workplace; 2) A significant move to a smartphone or tablet-centric computing environment; and 3) Adoption of cloud apps by businesses of every size, from the largest companies in the world down to the smallest. Given all these trends, the question is: What will people need to protect themselves? We will need solutions that give IT the same level of visibility and governance that they've historically had with more traditional, inside-the-firewall applications. As end users increasingly move to smartphones and cloud apps, the security solutions that will gain traction are those that give IT that control over those threat vectors. Netskope, for example, does this for cloud apps.
What will see declining adoption rates? Why?
SB: Because they are less effective at stopping threats than newer technologies, solutions like firewalls, IPS, AV gateways and traditional networking gear will see a slowdown in adoption. I'm not saying people won't still have them, but the reliance on them will be diminished. People are spending millions on that software, but they're not catching the threats. This may force downward pressure on those older solutions, as well. It doesn't mean people will throw them out, but they can't be your security strategy. There will be a re-allocation of those dollars to new technologies that deal with the problem at a higher application layer, using heuristics and data analysis.
JB: I don't believe any category of security solution will decline in 2014. Some will accelerate more quickly than others, but even the laggards will show some growth.
JC: 2014 will see a decline in checklist-based security assessments and audits. They simply are not working. 2013 saw a record number of data breaches, affecting everything from government agencies to midsized businesses to enterprises. Consequently, these organizations are spending thousands of dollars (millions for larger data breaches) on the investigation, clean-up of a security incident and consumer data breach notifications. This does not include money spent to remediate the security issue to prevent a recurrence. Checklist-based security assessments and audits are putting organizations in a reactive posturing instead of a proactive posturing. Checklists are making it easier for organizations to feel safe, and in the process making them complacent.
BF: Traditional anti-virus tools using blacklisting will suffer in popularity. Companies will always need standard AV tools, but they will be increasingly supplemented by other tools that serve to defeat advanced attacks.
AL: While APT-style threats are a problem, I don't necessarily subscribe to the “APT appliance” mitigation method. I think that the tools that are out there these days, including Splunk, are capable of doing a lot of the correlation promised by APT vendors without the need for a new set of hardware.
ES: Ultimately anything that is PC or Windows-centric is decreasing in adoption and use. There's a move away from the common computing platform that has been entrenched in home and work environments for decades. Since hackers, thieves and spies will go where the users are, anything built around traditional endpoint software will see declining usage.