Craig Spiezle, executive director & president of Online Trust Alliance (OTA)
Randy Sanovic, owner of RNS Consulting; former general director, information security of General Motors
Rich Mogull, founder of Securosis
Gerhard Eschelbeck, CTO & SVP at Sophos
Daniel Kennedy, research director, TheInfoPro, a division of The 451 GroupQ
What threat vectors will be most prominent? Why?Spiezle (left): I expect to see continued targeting of the trusted supply chain, such as certificate authorities, content providers and the ad-supply chain and others. For example, Epsilon is just the tip of the iceberg. Email marketers are being attacked at increasing velocity. If they can compromise these trusted providers, it is game over downstream. I also expect a continued focus on the compromising of ad servers to serve malicious ads, which are unknowingly served by high trafficked websites (aka “malvertising”).
Sanovic: My first worry would be malicious hackers and bots. The environments that concern me most are mobile computing and social technology. For example, to somewhat secure Facebook could require at least 105 clicks, and most people, including the more technical-oriented, will not get it done. Because of the pervasiveness of mobile computing, and the fact that technological advances continue to outpace reasonable and prudent security fixes, I feel we will not be able to get “user friendly/capable” security solutions implemented in a timely fashion.
Mogull: What's prominent in terms of attacks? The same stuff as today: email and web phishing/social engineering. In the press releases? Whatever the vendors want to sell that you probably don't need: a lot of mobile device and cloud hype. I expect a lot of iOS headlines this year, and a lot of Mac hype. Not that Macs are immune, but the hype will far outweigh the number of people being compromised. And, while cloud security is important, most of what you'll see is “cloudwashing” of traditional security stuff. People will really have to keep hunting for the innovation (which is there, just not from your usual vendors).
Eschelbeck (left): The web is today's platform of choice for communication and interaction, and will undoubtedly continue to be the most prominent vector of attack. Cybercriminals tend to focus where the weak spots are, and use a technique until it becomes far less effective, as we saw with spam mail (which, while still present, is less popular with cybercriminals, as people have deployed highly effective gateways). The web remains the dominant source of distribution for malware – in particular malware using social engineering or targeting the browser and associated applications with exploits. Social media platforms and similar web applications have become hugely popular with the bad guys, a trend that is only set to continue over 2012.
Kennedy: Enterprises are concerned about trends associated with IT consumerization – personnel bringing in their own devices – and how to handle that in all of its manifestations (smartphones, laptops, etc.) while still protecting custodial and intellectual property data.
What security solutions/services will see increased adoption? Why?
Spiezle: Email authentication and hard blocking will gain, as will walled garden/blocking of unprotected PCs.
Sanovic: I think cloud security services will be more in demand, and that will help determine the extent of security technologies applied. The main issue will be cost, and how onerous the computing overhead of such technologies will be.
Mogull (left): Mostly things we've been spending on for the last five years, which still don't work like they should. I'd like to say we'll see increased spending on tools better suited to today's targeted attacks, but I suspect only the leading edge of the market will actually drop cash on those.
Eschelbeck: The rapid inflow of consumer-owned smartphones and devices is causing significant security challenges for many organizations. IT departments are being asked to connect devices to corporate networks and to secure data on these devices, over which they have very little control.
Due to the high degree of mobility, security requirements are plentiful, including enforcement of use policies, corporate data encryption, secure access to corporate networks, productivity/content filtering, and, of course, malware protection. Mobile security and management solutions will likely see significant adoption in 2012. The global nature of these mobile security challenges makes them prime candidates for solutions delivered as services in the cloud.
Kennedy: Both flavors of data leakage prevention (DLP), endpoint and network, top the in-plan implementations we see in our user-based research for 2012. Application-aware, or next-generation, firewalls are a close third.
Which will see declining adoption rates? Why?
Sanovic (left): I think we will see an increasing adoption rate based primarily on the above noted factors.
Mogull: Nothing. We're too scared to drop even worthless products.
Eschelbeck: In 2012, we will continue to see the evolution from traditional Windows-based endpoints to a new generation of form factors, including very lightweight endpoints and tablets. While some development will be incremental, part of this will also come at the cost of traditional desktops, notebooks and laptops. Security technology will follow the same paths, and traditional endpoint security mechanisms will reach their physical limits on these new platforms. The unique nature of these modern form factors requires rethinking of security and defense mechanisms, whereby cloud-based delivery models will play an important role.
Which security lesson will organizations be forced to learn this year? Why?
Spiezle: I see more focus on looking at security and privacy by design in a concerted effort, with a mindset of completing a security impact statement for every business process. Further, data minimization efforts will increase, and data incidents will be required to be reported by the U.S. Securities and Exchange Commission and the Sarbanes–Oxley Act, increasing C-level accountability.
Sanovic: Organizations will be forced to concern themselves with true data protection mechanisms/technologies versus the more current focus on application protection measures/technologies.
Eschelbeck: Security really is about more than Microsoft. While a majority shareholder in the volume of malicious code out there, the PC is not alone anymore, as demonstrated by some of the effective fake anti-virus programs for the Mac. Mobile devices will also fall into this category as we experience a new set of operating systems with different security models and attack vectors.
Kennedy (left): I think virtualization/cloud offerings – and the rapid provisioning they provide for server deployments – is going to catch some security managers by surprise. Even if the public cloud has not taken off in an enterprise sense, both external and internal private cloud deployments are gaining traction. A number of security managers are stating they will use existing security vendor tools to manage this. However, many of these tools are not prepared for the east-west direction of data traffic that will occur in virtualized environments. Further, they may or may not run well in a virtualized offering or may be tied to an appliance, and may not react well to the rapid provisioning capabilities now available either from a licensing or agent perspective.
What will be the most surprising security-related development?
Sanovic: The focus on mobile security will force and drive security solutions in the mobile and social media arenas.
Mogull: If I told you it wouldn't be a surprise. It would also be wrong, so I try not to predict the unpredictable.
Eschelbeck: We are currently seeing daily news of security incidents and exposure of corporate data, whereby the even-more-troublesome security issues could be in critical infrastructure systems. This could easily create alarming surprises in the coming year. We saw attacks on the critical network infrastructure, as well as control systems, but there are many other types of systems, including aviation networks, which could come under focus of cybercriminals. We also continue to integrate and connect technology more and more into our lives – for example, smart grid infrastructure – and such systems could yield attacks that have a new “personal” impact on us.