Paul Shomo, senior technical manager, strategic partnerships, Guidance Software
Expect more breaches where organizations had detected compromise long before data theft, but mishandled the original response. This trend will continue to drive changes in incident response processes and the depth of forensic investigation.
Security analytics products using machine-learning capabilities will begin settling into packaged service offerings as this burgeoning industry realizes the difficulty of building one-size-fits-all algorithms for different organizational datasets.
Sandbox-aware malware, which either refuses to cooperate or shows false indicators in controlled environments, will continue to stymie the revival of signature-based endpoint detection.
New EU data protection laws and the desire to prioritize defending fewer endpoints with sensitive data will drive demand for data audit and governance solutions.
Haiyan Song, senior vice president of security markets, Splunk
In 2015, cybersecurity touched nearly every aspect of our lives. As we suffered through one cyber breach after the other, it became evident that in order to protect our nation, we first needed to protect our enterprise, our agencies, our schools, our networks and identities. In the internet-connected world, we are only as strong as the weakest link. As we look ahead to the New Year, both government and industry will need to prove we all learned from the security mishaps in 2015.
In the next 12 months, I hope to see both private and public sector reexamining their cybersecurity strategy – from network security to overall enterprise visibility, from behavior analytics to identity authentication and the Internet of Things (IoT). 2015 showed us how important it is to take the right approach and invest in the right technology – now it is time to put those ideas into action.
With that in mind, here are some of my security predictions for the coming year:
Behavioral analysis will expand from an emphasis on user and entity behavior to business transactions and IoT devices. Behavioral analytics and anomaly detection will be more widely adopted and go beyond analyzing users or entities for security monitoring. As online banking, e-commerce, and IoT continue to grow to be a bigger part of our life, the domain of cybersecurity and business risks are accelerating its convergence. We will see behavioral analysis expand its footprint to leverage machine learning and data science to analyze business transactions and IoT devices to bring better visibility to security and business risks.
Threat intelligence will be more contextualized for organizations and cybersecurity operations will grow to become a competitive advantage. While security solutions have previously been thought of as a cost or even impediment to the business, in 2016 companies will begin to cite cybersecurity as a competitive advantage. Threat intelligence that is contextualized for an organization, based on its infrastructure and security technology will be more actionable and effective. The more secure a company is, the more confident and strategic an organization can be.
Automation and incident response will grow within security solutions. Security analytics and anomaly detection will focus on automating detection and making responses less dependent on humans. This will let companies detect threats and respond to them without solely relying on hiring and training skilled analysts. Additionally, incident response will become a larger part of organizations' security solutions, including automating the remediation.
The surge in personally identifiable information (PII) compromised and released in the public sphere will lead to new means for improving identity authentication. Since identity and compromised credentials are being used as a new attack surface, I expect to see more innovation in terms of strengthening authentication. There will be an even stronger push to move away from traditional methods such as passwords, even knowledge-based authentication. In 2016, authentication will become more sophisticated but also easier to use.
IoT will become a significant threat surface for the enterprise, leading to more physical disruption and new solutions.
The increasing number of internet-connected systems will create more opportunities for hackers to penetrate into organizations and businesses will have to adapt to manage this new threat surface. Cyber attacks have historically caused little physical damage, but the proliferation of IoT will enable more disruption and actual physical damage instead of just virtual hardware and software disruption.
We will see new IoT solutions emerging that focus on monitoring and analyzing the behaviors of internet-connected devices to determine when something is amiss. These solutions could help enterprises with visibility bridging between segmented Operation Technology (OT) systems and their corporate IT networks to ensure they do not become an easy entry point for cyber intruders.
If 2015 was the year of the breach, 2016 should (and will) be the year of the response.
Dan Srebnick, owner, Technical Merits; former CISO, NYC Department of Information Technology & Telecommunications
Public concern around data breaches and personal privacy converged over the past year. Victims were varied and industries affected included health care, banking, education, government and IT security vendors themselves. Concern over the protection of information collected by government agencies, law enforcement and internet marketing companies increased. While the public has been willing to trade privacy for convenience in the case of mobile devices and applications, the concerns have now reached the desktop with the unprecedented cloud and search integration of the latest Windows release. Yet the nation still lacks bright line governance around culpability for breaches and ownership and privacy of our personal data.
As VoIP telephony has become the de facto standard, we will hear more about the security of our telephone calls. While the U.K. phone hacking scandal involved weak voicemail passwords and caller id spoofing, the public is not going to react well when it comes to understanding that their telephone calls are being transported over the public internet without any kind of encryption. I predict that 2016 will be the year that hacktivist groups will release audio clips of phone calls made by public officials and corporate executives. This will be done to embarrass as well as to demonstrate how easy it is for intelligence agencies to listen in on private conversations.
Russell Stern, CEO, Solarflare
Staffing up: It's not just about IT and Unix experts. Companies are going to be changing their hiring practices and look to bring in security experts – think ex-NSA and DoD. Also expect to see an increase in cybersecurity education efforts, both from academia and the industry, given the dearth of qualified cyberprofessionals.
Armed with Big Data: The use of Big Data to aid in the detection of cyberattacks will only get bigger. Data analytics will become the first line of defense offering threat prediction and detection as well as deterrence and prevention.
Don't forget about hardware: Companies cannot just rely on software solutions alone. Hardware must be developed with security in mind.
Herbert “Hugh” Thompson, chief technology officer, chief marketing officer, senior vice president, Blue Coat Systems
Industrialization of ransomware: Many cybercrime groups are running like companies, and they can quickly move to build out a ransomware infrastructure. For most people, it isn't shocking anymore when their credit card data gets stolen. The most frustrating part for most victims of credit card theft is that they've forgotten all the services associated with that credit card, and they now have to go back into lots of websites and update everything. It's a big pain and time intensive, but the damage is typically short-term. This differs from data that might be embarrassing, invasive or harmful to a person. Stolen healthcare data doesn't have an expiration date, and we are only just starting to realize the implications of this type of data being in the hands of attackers. Today, organized crime groups may steal data that is currently difficult to monetize and furthermore, steal it at a time when there may be less security investment in those sectors (i.e., financial services organizations in general are harder to break into because they generally have larger security budgets and security professionals on staff, while the information security budgets of healthcare organizations are typically smaller and have been heavily weighted towards compliance). Stealing this type of data, like someone's medical history that does not expire and cannot be reset, unfortunately gives attackers the luxury of time to build an infrastructure to monetize that data.
Tyler Cohen Wood, cybersecurity adviser, Inspired eLearning; former senior intelligence officer and cyber deputy division chief, Defense Intelligence Agency (DIA)
The introduction of new Internet of Things technology creates a whole new set of risks and potential threats to enterprise networks. It is commonplace for employees to use their personal digital devices to connect into corporate networks for greater work connectivity and, as a result, these devices could potentially be used as “hop points” to access sensitive corporate data and specific network hardware. Not understanding the threats that these devices pose, we are introducing new threat vectors into our networks.
Along with this threat, the lack of cybersecurity awareness education from the top down has resulted in two of the worst years for personal and corporate security. A large number of hacks occur by a malicious user gaining access to employee credentials via network-connected digital devices or by malware being introduced into the network by a legitimate user making a simple mistake. When you have a company with a great security awareness education program, you turn what could be deemed as the weakest link into your strongest defense. In 2016, companies will struggle with the same issues.
Yinglian Xie, CEO, DataVisor
If you are a consumer-facing web or mobile app, you are up against a much more numerous and advanced adversary than ever before. Here are some online threat trends we believe we'll encounter in 2016.
Social sites become bigger targets as lines between social and e-commerce blur. As many traditional social networking sites, such as Pinterest, Facebook and Twitter, add “Buy” buttons to their platforms to help monetize their user base, more fraudsters will be attracted to conduct fraudulent transactions on these platforms.
EMV cards and digital wallets to shift more fraudulent credit card attacks online. In 2016, we expect to see a perfect storm that is bound to result in a high level of fraudulent transactions, powered by the following three trends: Significant increase in the number of e-commerce websites and mobile apps; Growing comfort among consumers to transact online; Adoption of EMV cards and digital wallets will move fraud online.
Global O2O wars will increase the rate of user acquisition promotion fraud. The global “land-grab” strategies of online-to-offline (O2O) companies – such as Airbnb, Ola, Didi and Uber – will result in an increasing trend of user acquisition promotion fraud as bad actors take advantage of strong financial incentives and the wide availability of mobile hacking tools, such as mobile emulators and GPS location fakers.
Account takeovers will rise as result of continued large data breaches. Whether it is your health care provider, your university, your favorite retail store or the government, your personal data has probably been stolen by now as a result of one or multiple of these high-profile breaches. In 2016, bad actors will look to monetize these stolen user credentials and credit cards via fraudulent credit card attacks and account takeover (ATO) campaigns leading to further identity theft.
Cyberattackers will move to the cloud. In 2016, we expect to see the continued migration of cyberattack infrastructure to the cloud, as cloud services become more pervasive and cost-effective. Cloud allows cyberattackers to significantly increase the number of attack campaigns they can conduct, attributed to the elasticity and compute capacity of these services, and allows them to easily hide behind legitimate network sources and thus remain anonymous.
Alberto Yepez, managing director, Trident Capital Cybersecurity
New private, sector-specific, threat-sharing networks will emerge as a viable alternative to defend against state-sponsored attacks and cybercrime. Major cyberattacks against critical infrastructure will drive increased government spending and investment in cybersecurity solutions. IoT security will become mainstream as more devices are connected to the internet and the connected car becomes a reality.
Amit Yoran, president, RSA
This year marked a strategic shift from a maniacal focus on prevention, toward greater balance on monitoring, detection, and response capabilities. It's become cliché to say that breaches are inevitable and that faster detection and more accurate incident scoping are the way forward.
2015 saw continued acceleration of threat evolution. What was considered an “advanced” threat in years past has become a commodity today, with sophisticated malware and exploits available for the price of a movie ticket. As troublesome as these observations seem, the most impactful evolution goes almost entirely unreported and misunderstood. The threats that matter most, today's pervasive threat actors, are now conducting attack campaigns comprised of multiple exploit methods and multiple backdoors to assure persistence. Incomplete incident scoping has become a critical and consistent mistake made by security teams.
This year was also notably characterized by security vendors claiming to be able to prevent advanced threat breaches when the reality is, they can't. It was characterized by organizations recognizing the need to monitor and defend their digital environments differently, but continuing to center their security programs on the same technologies and approaches they have been using – hoping for a different outcome, but not acting differently.
Here are some of the emerging trends that our industry and organizations need to be ready for in 2016:
- Strategic data manipulation and disruption: Organizations will begin to realize that not only is their data being accessed inappropriately, but that it is being tampered with. Data drives decision making for people and computer systems. When that data is unknowingly manipulated, those decisions will be made based on false data. Consider the potentially devastating consequences of misrepresented data on the mixing of compounds, control systems, and manufacturing processes.
- Increasing attacks on application service providers: As organizations become more comfortable with the “as a service” model, many of their most sensitive applications and data reside in the cloud. The aggregation of this valuable data from many companies creates an incredibly lucrative target for cybercriminals and cyberespionage. A deeper appreciation of third party risk is needed.
- Hacktivism and the attack surface: Per my earlier comment, as cyberattack tools and services become increasingly commoditized, the cost of attacking an organization is dropping dramatically, enabling more attacks that do not have financial gain as the primary focus. Sophisticated hacktivist collectives like Anonymous have been joined by relatively unsophisticated cybervigilantes. Organizations need to realize that financial gain is no longer the only or even the biggest driver of some of their adversaries. Security operations and risk managers should evolve their understanding not only of the threat, but also of what, why, where, and how they are being targeted.
- ICS (industrial control systems) pushed to the breaking point: Intrusions into systems that control operations in the chemical, electrical, water, and transport sectors have increased 17-fold over the last three years. The advent of connected and automated sensors aggressively exacerbates these issues. The growth in the use of cybertechnology for terrorism, hacktivists and other actors, combined with the weakness of ICS security generally, combined with the potential impact of bringing down a power facility or water treatment plant (hello, California), makes the critical breach of an ICS in 2016 extremely concerning and increasingly likely.
- Shake-out of the security industry: Our industry has been awash in venture capital and as a result, foolish investments have been made in strategies and technologies that are little more than snake oil. As organizations' security programs continue to mature, they are learning that claims of being able to prevent advanced threat breaches are nothing more than fantasy. Expect to see a shake-out in the security industry as organizations' maturing understanding of advanced threats increasingly drives their security investment decisions.
Special thanks to the RSA Conference advisory board for contributions from Wendy Nather, Benjamin Jun, Herbert “Hugh” Thompson, Dmitri Alperovitch, and Todd Inskeep. And to all our contributors, thank you.