Security 2019 Predictions (Part 6)
Shadow IT gets hacked while there's greater focus on securing IoT devices.
Given the speed with which technology is evolving, we thought it would be interesting to get IT executives' thoughts on what's in store for 2019. Here are some additional predictions regarding security:
In a recent survey of U.S. workers, almost half of all respondents said they would allow a colleague to use their work computer to complete a task. While letting a work friend use your computer might not seem like a risky move, research has found that insider threats account for most security breach incidents and sharing devices — especially for admin holders — is one way that being polite could put enterprise data at risk. In the new year, businesses should look to double down on security training — not just with phishing tests and lectures — but also focus more security awareness training on accidental lapses in security, because not all security incidents are from malicious actors. IT leaders should emphasize that employees should never use shared passwords, enable SIEM (Security information and event management) solutions to centrally log actions by administrators and other users with the keys to the kingdom, periodically audit internal controls and implement tools, where possible and financially feasible, for Privileged Access Management (PAM) instead of using administrative accounts directly.
All job interviews for developers will include a question about security experience. Developers who have job interviews next year will see a new question added to the usual list. For the first time, we will see virtually all businesses incorporating questions about security in coding. Engineers applying for jobs should highlight this experience to increase their chances. Deep security knowledge won’t be a requirement for all roles, but DevOps managers will increasingly prioritize those with security experience when they make their hiring decisions. The issue is simply too critical to ignore.
DevOps is great, except for when it comes to secure design. We’ve been automating security analysis at the code level and pen testing at the application level for over a decade, and that automation is perfectly suited for DevOps. The same cannot be said for design analysis (also called threat modeling). The lack of automation for architectural risk analysis will mean that in many cases it is conveniently left out (oops, we’ll just sweep that under the rug). This is becoming a more tangible problem as DevOps adoption progresses.
Software design flaws are the new target. Software design flaws will be on the rise as targets of attack. Witness the recent Facebook (and Google+) attacks that led to massive data loss impact. Design flaws are much harder to find and fix than simple bugs. As a result, even very strong software security groups sometimes miss them during review. In my experience, flaws and bugs as software defects split around 50/50. Once the really dumb bugs are gone, that leaves the flaws hanging out there ripe for attack.
In general, software will continue to grow as an attack vector, second only to humans. Software, software, software. As the pile of software grows and its distributed nature becomes even more so, the attack surface grows as well. We are not making less software these days, we’re making more. Now that software has worked its way into the lifeblood of society we have a bigger problem than when it was only the domain of geeks.
For example, your IoT stuff has lots of software in it, leading to the question…
How secure is your IoT stuff? When it comes to security, devices, gadgets, and consumer electronics are NOT secure by default. If your gizmo maker does not mention security, do not assume that the thing you bought is secure.
IoT remains a security disaster waiting to happen. One of the main problems is that there is no way to update the (broken) software and hardware running inside of IoT devices when new security problems are discovered. IoT needs to be secure by design and secure by implementation. Firewalls on the network will not fix this problem.
In fact, IoT stuff is only one kind of cloud architecture. And with cloud architecture…
The inventory problem is getting worse. The “inventory” problem (that is, what is running where, who made it, what its constituent parts are) is exacerbated by the move to the cloud and massively distributed architectures. See this article about why that was a problem before https://www.garymcgraw.com/wp-content/uploads/2018/03/inventory-ieee18.pdf. The bad news is, things are going the wrong direction.
So should we all just despair? No, because
Software security is growing. The BSIMM shows that software security is growing as a field. Many more companies are catching on and making progress. Even retail is in the game now. We know what to do. Now, we just have to do it.
In 2019, I believe we will see the first major breach tied to shadow IT made public. This unmanaged infrastructure is risky and on the rise, and to make matters worse, the security team is blind to it. So it’s only a matter of time before these threats begin to manifest themselves.
As we enter 2019, here are my predictions on what today's modern enterprises will do to better govern and secure their critical information in the coming year and beyond against new and more sophisticated security threats:
- Demand applications that enforce security themselves; enterprises increasingly expect that their applications be built with security in mind. They want applications that can detect and respond to unusual activity even when it looks like an authorized user, provide the ability to wall off sensitive data while encrypting customer data, and enable users to maintain their own security keys.
- Transition more applications and services to the cloud; enterprises, even vast financial firms with nearly unlimited resources, increasingly realize that it is incredibly difficult to effectively secure hundreds of heterogeneous applications and associated infrastructure. A cloud provider has a very homogenous environment and can inexpensively implement many layers of protection.
IoT security takes center stage. With the increasing connectivity of IoT devices and applications in transportation systems, such as autonomous vehicles and smart cities, security risks move from a digital to a physical space. While identity theft and financial loss are terrible outcomes from cybersecurity attacks, we are now facing threats to physical systems, which can impact the safety of humans (i.e. hackers taking control of a vehicle). In 2019, we will see the conversation growing around the demand for IoT security as the average consumer becomes more aware of the physical threats they may face as a result of connected technology.
Demand for affordable MSSPs will be on the rise. Small and medium-sized businesses are finding it difficult to achieve privacy and security compliance as regulation increases. These businesses also face an increased number of cyber-attacks due to successful monetization of ransomware and extortion by criminal organizations. Smaller companies will need robust cyber security expertise and resources to respond to threats, and with the shortage of available security professionals in the workforce, the only place SMBs will be able to turn is to MSSPs.
The security vendors have really stepped up their game and container registries now include vulnerability scanning, better capabilities to restrict access to risky containers, and track changes with content signing. In 2019, it will be up to DevOps to make use of these capabilities to bring security teams into the fold with DevSecOps, as more organizations realize traditional security practices can’t scale.
Companies need — and are looking for — a security operations center (SOC) in a box. The notion that security information and event management (SIEM) tools and the existing approach to security can protect your enterprise is breaking. If you think that security data is limited to the data coming off firewalls or EDRs, you’re wrong. We had a shift from SIEM to SOAR, and now SOAR is shifting to Security Operations, where an emphasis on automation (not administration) and response (not reporting) are evidence of what CISOs tell me: they wish they had a SOC in a box, a solution most commonly found in SMB and mid-market. Bigger companies are using multiple tools to solve different problems in the security domain, but they don’t have a single source of truthful data or a single pane of glass for outcomes. SecOps needs to adopt a capability model inclusive of all other technologies, where security operations are done at the speed of the analyst, not as a batch job. Security today requires more context, more intelligence and enriched data, than ever before. You need a SOC in a box, which I think of as systems that can integrate data from many sources, at scale. The ability to integrate solutions that play well together is more important and valuable for users than just buying the single best tool for the job. The Security Operations market segment is the battleground of the future.
Augmented, not automated intelligence, is automation that is already an important part of enterprise security. With machine learning, these systems will evolve from linear automation, to more of a “choose-your-own-adventure” style. Augmented intelligence tools will more effectively present options for security teams based on impact, what stage of attack is detected, and other factors to speed response and remediation time.
Privacy Regulations will drive more transparency — privacy regulations will force vendors to abandon the black-box approach to AI. Vendors will need to be more open about what data is captured and analyzed by security and AI technology. This in turn pushes vendors to focus on more specific and achievable use cases. Enterprise consumers will benefit from more rapid ROI and simpler deployments of emerging technology.
As the Enterprise IoT market matures, vendors will self-regulate with regards to security. Principles like security-by-design will be a competitive differentiator and a must-have for enterprise customers looking to embrace the IoT, but who can’t afford a major security issue. AI and machine learning will play an important role in processing data and securing information from this massive influx of new sensors, machines, and devices. If vendors fail to self-regulate, the government will step in.
2019 Bugs to come: access control bugs, security misconfiguration, parsing files. There will be no shortage of vulnerabilities to find in the upcoming year. In 2018, there was a 21% increase in total vulnerabilities reported over the previous year—NotPetya, Meltdown, Spectre, the Equifax Apache Struts bug to name a few.
In software applications, among the riskiest and most difficult vulnerabilities year after year are access control bugs. These are really risky, not easy to code defensively for, and are not protected by any code libraries or frameworks. Another big bug category, especially as we think about migration to the cloud, is security misconfiguration. We see a lot of incorrectly configured cloud environments, like AWS and Azure, and people leaking data because they misconfigured their data storage - OR they manage their source code in GitHub or git and they’ve misconfigured those permissions, causing anyone on the internet to gain access. As we continue to move to new technology environments, these bugs will be especially prevalent. Lastly, we’ve seen a rise in bugs related to parsing files. In the past year, there have been very critical bugs in open source image libraries that allow an attacker to manipulate code remotely by uploading or editing images.
2019 will be plagued by different flavors of web vulnerabilities and asset management fiascos. Web vulnerabilities are going to continue, although they might come in different flavors with the growth of cloud and IoT. While we’ve been talking about them for years, widespread cloud adoption and IoT devices are finally becoming reality. Unfortunately, security is not built in at the core of these services. For this reason, we’re starting back at the beginning and will likely have to rewind to brutally easy bugs, especially with new computing environments. Additionally, managing your assets is going to come to a head in 2019. It’s a basic and fundamental thing that application security professionals continue to struggle with. The bigger you are as an organization and the more companies you acquire, the harder it is to manage your assets. The more we move to the cloud, the harder it is to track. These factors will cause a perfect storm in 2019.
Crowdsourced security to evolve due to demand from a skills gap. Moving to new technology environments is going to require more skill and education to combat the new vulnerabilities that may appear, as well as increased crowdsourcing to keep pace with the growing attack vectors. We’re also going to see new inroads into different crowdsourced security applications like forensics, threat hunting, and more. The skill shortage is growing at alarming rates so the industry will need to double down on recruitment and education to continue to build out the security community. Diversity was a big and important topic in 2018 and we’ll no doubt see a strong emphasis on encouraging and building diversity into the security community in 2019. Next year it’s going to be about the individual contributors and tracking skill sets. We will eventually get to a point where a security professional can work from anywhere. It’s already beginning with many supplementing income or working part-time in the crowdsourced security space. We’re already seeing the shift occur -- the train has left the station.
Virtual Cloud Environments: The good, the bad and the (in)security. We are beginning to see a shift to virtual infrastructure - as a result, the perimeter network approach is no longer sufficient to stop attacks. Virtual infrastructure is far more complex than a physical machine infrastructure with networks, workloads and virtual machines (VMs) consistently being set up, torn down and moved around inside of a network. And, because multiple VMs can operate across the same infrastructure, security needs to be added to each virtualization layer. This introduces new, increased security risks and, as a result, requires a significant change to IT and security processes. In 2019, we’ll continue to see virtual environments strain the security of our applications. As virtualization technology becomes common practice within the modern IT environment, the need for sound security and risk management at scale increases.
Orchestration to drive a closer relationship between business and security. To accomplish many of the new data center, virtualization, and cloud tasks, administrators have turned to orchestration for help and automation. Like virtualization, orchestration brings a new set of security requirements. If a cyber attacker were to find vulnerabilities in a business’ containerizations and mimic the orchestration engine, the cyber attacker could effectively own every single service in that infrastructure -- reconfiguring admin access, and taking control over the entire business. Orchestration security requires deploying security continuously and with compliance goals, a closer relationship between the business structure and cloud security, and constant analysis and management. Knowing the increased complexity of our infrastructure, we can expect to see a dramatic shift in how security is leveraged and integrated into orchestration over the next year.