Security 2019 Predictions (Part 5)
Misconfigured cloud environments get hacked while a large public cloud provider buys a security firm.
Given the speed with which technology is evolving, we thought it would be interesting to ask IT executives about their predictions for 2019. Here's more on what they see in store in the coming year with regard to security:
The DevSecOps era is here — companies should take it seriously. DevSecOps is still being explored, and there are a lot of different approaches. The biggest opportunity here is to move away from a compliance-driven, penetrate-and-patch methodology to one that generates real assurance that our defenses work, they’re configured properly, and they're used in all the right places. That’s where DevSecOps can be truly disruptive.
Another issue is what developers call “separation of concerns.” With Agile, which drives DevOps, there’s the idea that you can’t test quality in. Quality is baked in with continuous tests against the code. Most development teams haven’t separated security as a concern across the application in a way that it can be controlled, and this testing isn’t baked in through the continuous integration system. In many approaches, the continuous integration system may run a static analysis, but that’s neither quality nor security; that’s an automated box-checking rubber stamp.
The state of cloud security. When companies leave the “safety” of their own datacenter or intranet, they’re exposed to new threats. Companies need to do a better job of understanding these threats and adding new protections to their cloud workloads. “Reloading” their stack with modern security defenses like RASP, container security, endpoint protection, and other instrumentation makes this transition much safer.
One of the first strategies companies attempt for cloud migration is named “lift and shift,” which simply takes an application and migrates it up to the cloud provider. This often unintentionally exposes the application to more users, where an internal application from several years ago with limited maintenance is now available up in the cloud. Without bundling security inside these applications to defend them in the new landscape, they are at greater risk. Another issue is with gluing different services together, where security issues pass between services but a team’s accountability does not.
AI/ML can help but will not move the needle. I don’t think AI/ML gets us very far in security. For threats we understand, like SQL Injection, for example, we are better off using strong detection and prevention technologies where we have confidence in exactly what is being checked. For threats we don’t understand, AI/ML also doesn’t get us anywhere. We need data to train the models, and that data simply doesn’t exist for novel threats. There are some corner cases where AI/ML can be very useful, but it’s not going to fundamentally change security.
AI and ML are excellent at pattern recognition or at helping pare down what humans see, but the solution to false positives should be to stop making them, not to hide them with ML.
Technology highlight for 2019. We are seeing a wholesale shift from legacy perimeter defenses and vulnerability scanning to instrumentation-based defenses that run as part of the thing being defended. This is true at every layer of the stack, where we can protect individual workloads by integrating security vulnerability detection and attack prevention directly into each layer. IAST and RASP are the most disruptive here, integrating security directly into custom code applications.
What to look out for in 2019. I think we’ll see two main areas of attack. First, we’ll see increasing attacks on misconfigured cloud environments. Organizations have been slow about ensuring that every cloud deployment is fully automated and continuously monitored. Second, we’ll continue to see application layer attacks, on both custom code vulnerabilities and on vulnerabilities in open source libraries and frameworks.
Software will continue to eat the world as more and more businesses turn themselves into software. In fact, one company in every sector will likely emerge as the “Software Company that Does X,” and they will run away with the market in the 5-10 year timeframe.
With cloud migrations, I see a level of bill hijacking where hackers attempt to run their services in other companies’ accounts. When you look at crypto-mining and burstable cloud resources, it’s perfect: the hacker gets the coins and the victim pays for the resources. The cloud always has more resources for sale. A recent attack was again stealing crypto coins from people, not making them mine them.
Expect a giant leap for the security industry — not quite. I would be thrilled if this was the year that the security industry buckled down and started to focus on basic blocking and tackling, generating real assurance around the most likely and dangerous attacks. But, probably, it will be another year of knee-jerk reactions and point solutions.
Jim Barkdoll, CEO, TITUS
The silver bullet doesn’t exist. Data protection policies will continue to fail until we abandon “silver bullet” thinking. We continue to see organizations struggle to adopt a successful data protection strategy, and that will continue through 2019 without a fundamental shift in thinking. While it’s nice and convenient to believe that consolidating security solutions into a single proposal that requires few resources will “solve everything,” the reality is this approach doesn’t work. Similarly, going “all in” on a particular technology (e.g., going “all in” on encryption without deploying complementary solutions) still leaves organizations vulnerable to both external attacks and data mishandling at multiple levels. A comprehensive, multi-faceted approach is needed, one that addresses the work required to set up and feed realistic policies that meet an organization’s specific needs.
New names will enter the security market, and they aren’t who you’d expect. Organizations of all shapes and sizes continue to struggle with how to deal with and protect sensitive personal information; however, the problem is particularly pronounced for large, multi-national corporations including Facebook, Google, and even Twitter. Though regulations like PCI and GDPR protect elements of personal data, they aren’t all-encompassing, so look for these behemoths to make a move to acquire security firms as a means of addressing this critical challenge.
The hype of machine learning — actual delivery is suspect. The promise will outweigh reality on artificial intelligence (AI) and machine learning (ML). Any tech vendor worth its salt will want a piece of this market, so we can expect 2019 to yield a flurry of announcements around new AI and/or ML initiatives. That said, it will still take time for this excitement to convert to tangible solutions that will have a positive impact on day-to-day operations.
Regulations, fines, and consequences — good data stewardship is on the horizon. Now that GDPR is being fully enforced, we will see the first big fines and consequences announced related to regulations. This will result in two things – a significant bump in organizations developing best practices to ensure regulatory compliance and data safety, as well as more countries and individual states passing regulations in an effort to keep data safe.
Head in the clouds, don’t fool yourself: the cloud won’t solve access issues, despite continued adoption. As organizations continue to flock to the cloud to take advantage of its ease of use and access controls, they’ll continue to see the same security issues they encountered on-premises. Why? Because without understanding the value of their data and enacting measures to safeguard their most critical information, the same security issues will exist, no matter where the data lies. Though cloud achieves a considerable number of productivity and user convenience goals, it cannot solve data protection challenges in and of itself.
The retail sector is a target; the next major retail breach is looming. Though regulations like PCI safeguard specific pieces of personal information, the retail industry still lags behind other markets (financial services, healthcare) when it comes to pervasive regulations that adequately safeguard personal information. In addition, as retail has small margins, retailers often do not make the significant investments in security initiatives necessary to avoid a major data breach. It’s been five years since the landmark Target data breach, which many believed would spur significant retail security measures. We’ve yet to see this happen.
Third-party orchestrators will close the security skills gap. It’s no secret that one of the key reasons organizations tend to adopt a more reactive approach to security is a shortage of skilled security workers. 2019 will see the shortage continue; however, a new class of organization is rising to address this gap – orchestrators. These independent specialists assist organizations in tying together their existing security investments and solutions to realize a truly end-to-end security solution. These orchestrators will see challenges from big vendors looking to capitalize on this trend; however, as those vendors often offer only proprietary solutions, there will continue to be room for these independent firms.
In 2018, we saw the beginning of a shift in security teams becoming more outcome-oriented rather than project-oriented. I believe this trend will gain in popularity in 2019 as more and more companies come to understand that simply completing projects and checking items off a to-do list does not equal improved security. Companies will leverage advanced tools to benchmark risk and focus efforts on taking actions that will be most beneficial to reducing risk.
FOCUS – email security in 2019. Phishing attacks on email will be an even bigger threat to the enterprise in 2019. Cybercriminals are increasingly sophisticated in their attack methods, and traditional software solutions are not adequate protection.
‘Pseudo currency’ email scams will rise dramatically in 2019. Humans are likely to interact with such scams, which makes them lucrative for the criminals. Expect to see scams for things like frequent flyer miles.
Security Awareness Training will dim as the trusted prevention method for stopping employees from clicking on phishing emails. Forged emails are too convincing, and no amount of training can prevent an employee from clicking an exact replica of a real email. Criminals use tactics like saving an email as HTML and resending it, so the normal cues are not visible to the human eye. This will be one of the biggest attack vectors for 2019, costing millions in monetary damage to organizations worldwide.
Phishing email scam losses will at least double in 2019. Expect to see over $2.5 billion stolen.
AI/ML – email phishing detection. In 2018 computer vision technology powered by deep learning overtook humans, and in 2019 AI and ML detection of brand forgery email will exceed human capabilities.
Behavior profiling using AI and ML models will enable a new level of detection of spear phishing emails in 2019. Simply forging an email address or name in the ‘From’ header is no match for anomaly detection algorithms that look below the surface at many hidden signals that can be used to identify unusual and atypical emailing behavior.
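The two email predictions above (the "save as HTML and resend" lure, and detection that looks past a forged display name or address) both come down to signals a mail gateway can extract from the message itself. The following is an added illustration, not code from the contributor or from any vendor product, and it is a deterministic stand-in for the kind of features a behaviour model would consume rather than a model itself. The known-sender table, the internal domain, and both sample messages are constructed for the example; it uses only the Python standard library.

```python
"""Constructed example: sender-profile and link-text checks for phishing lures.

Illustration only. KNOWN_SENDERS, the sample messages and the domains below
are made up; a real gateway would build the profile from observed mail flow.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical sender profile: display names the organisation has seen before,
# mapped to the address each one normally sends from (constructed data).
KNOWN_SENDERS = {"Jane Doe": "jane.doe@example.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # Signal 1: a familiar display name arriving from an unfamiliar address.
    name, addr = parseaddr(msg.get("From", ""))
    known = KNOWN_SENDERS.get(name)
    if known and known.lower() != addr.lower():
        findings.append(f"display name '{name}' usually sends from {known}, not {addr}")

    # Signal 2: replies silently redirected to a different domain than the From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(addr):
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {_domain(addr)}")

    # Signal 3: visible link text naming one host while the href goes elsewhere,
    # which is what a genuine email saved as HTML and re-pointed looks like.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            if "://" in text:
                shown = _host(text)
            elif re.fullmatch(r"[\w.-]+\.\w+", text):
                shown = text.lower()
            else:
                shown = ""
            if shown and shown != _host(href):
                findings.append(f"link text shows {shown} but points to {_host(href)}")
    return findings


# Constructed lure: familiar name, look-alike domain, redirected replies, re-pointed link.
SAMPLE_PHISH = """From: Jane Doe <jane.doe@example-payroll.net>
Reply-To: accounts@mailbox-relay.example.net
To: bob@example.com
Subject: Updated payroll portal
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please sign in at <a href="http://portal.example-payroll.net/login">https://portal.example.com</a> to confirm your details.</p>
</body></html>
"""

# Constructed legitimate message from the same display name.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Lunch
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://intranet.example.com/menu">intranet.example.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(sample))
```

None of the three checks needs a model, which is the point of the "many hidden signals" remark: the features are cheap to compute and already separate the lure from the genuine message. What a behaviour-profiling system adds is the baseline (who normally writes to whom, from where, at what cadence) that turns these per-message rules into per-sender anomalies.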
Opinions expressed by DZone contributors are their own.