Security 2019 Predictions (Part 7)
Breaches continue as threat vectors expand.
Given the speed with which technology is evolving, we thought it would be interesting to get IT professionals' predictions about what's going to happen on the security front in 2019. Here's more of what they told us:
Data breaches and security threats will not let up in 2019. As SMBs realize even more how vulnerable they truly are, especially given that at practically any point in time their data could be held ransom, effectively putting them out of business, they will finally take security measures to heart. SMBs, like their large enterprise counterparts, will lock down on a comprehensive backup and disaster recovery solution to protect their business and ensure continuity, while also forming new standardized, block-and-tackle game plans to keep the business even safer.
Today’s threat landscape is more complex than ever before — any device that cannot be covered by protection software becomes the weakest link — a point of entry for an attacker — and reduces the security posture for the entire enterprise. With IoT devices jumping from thousands to millions within enterprises, organizations are far more exposed than they know. In addition to IoT, true cybersecurity must expand to include Linux, Mac, containers, and cloud in a serious fashion. Together, these are the challenges organizations should be solving within their 2019 agendas.
Cloud service providers will finally collapse under the weight of their lack of automation and insight into what is running on their clouds after another major security breach. This will result in a massive investment in automation to certify and track software running on those clouds. Services that are hosting infections will be automatically shut off by the clouds.
One of the biggest security threats we face today, as users of technology, is the loss of privacy. Sometimes, we lose our privacy because we choose to do so (usually as a tradeoff for convenience or just not reading a user agreement), but many times, it is the result of malicious intent, negligence, or lack of security awareness on the part of vendors who create the applications or devices we use. Although this subject makes headlines all the time and is highlighted in legislation such as GDPR, bad actors still stand to gain a lot of profit through cybercrimes, and so we will continue to see more breaches and leaks of private information in the years to come.
One of the primary trends we’ll see emerging in 2019 is the widespread adoption of Interactive Application Security Testing (IAST). As more and more processes are being moved towards automation, IAST — with its ability to test automatically by leveraging your existing functional testing program and to provide an additional set of data points associated with the risk in your web application — will increasingly be seen as a boon to security teams. As the speed and effectiveness of IAST cannot be overlooked, we can expect its use to become very popular as we move through 2019.
In 2018, cybersecurity was more widely accepted as a board-level topic and senior executives became more aware of its impact on achieving business goals and brand protection. Looking toward 2019, boards will want to see objective measurement and validation of program effectiveness and will continue to bring on independent cybersecurity advisors or add team members with experience in cybersecurity, putting more pressure on CISOs.
The effectiveness of cybersecurity programs will rely more and more on CISOs and their ability to partner with the board and communicate security needs to them. CISOs that can communicate a clear strategy and a measurable plan will have increased support, as well as funding for key initiatives.
In Gartner’s most recent cross-industry CIO survey, cybersecurity was listed as one of the top three areas of increased technology investment, with 40 percent of survey respondents predicting higher spending in 2019 than in 2018.
Further evidence is in the increase in security spend as a percentage of total IT spending. While still a fraction of total IT spend, security is on the rise, representing 6.2 percent in 2017 vs 5.6 percent in 2015.
Looking at the global cybersecurity market, Gartner predicts total spend to reach $116B in 2018 (constant currency), a +9.2 percent year-over-year increase. They also project that this growth will continue in the coming years, reaching $126B in 2019 and $162B by 2022, delivering an 8.7 percent CAGR between 2018-2022.
Gartner, 2019 CIO Agenda: Cross-Industry Insights, 15 October 2018.
Gartner, Forecast: Information Security Software, Worldwide, 2016-2022, 2Q18 Update, July 2018; current dollar table, Enterprise market.
Customers are getting tired of playing cat-and-mouse with attackers. Apple uses protected regions of hardware to secure personal data on iPhones. Similar enclave-based security will become mainstream for sensitive cloud applications as customers demand definitive protection from infrastructure threats.
The security industry has long relied on a blacklist-based approach – find out what’s bad and prevent that from happening. Such approaches have shown their limitations with the increased infrastructure complexity. New solutions will evolve ensuring that only the activities and applications on an approved whitelist will be allowed access and everything else will be disabled.
The relationship between physical and cybersecurity became increasingly intertwined in 2018. While cybersecurity continues to be a growing focus in all areas of business, physical security measures will become a more important focus of these conversations. Modern cloud-based physical security solutions harness IoT devices and video surveillance cameras for a comprehensive approach to security. However, these systems create massive amounts of sensitive data. In the coming year, the delicate relationship between cyber and physical security will be put to the test. With a growing dependence on cloud technologies, such as IoT sensors, physical security teams need to prioritize cybersecurity strategies and select vendors carefully if they want to do their job — keep people (physically and digitally) safe.
People will remain a problem, and not just from an attacker point-of-view. Finding good staff has been a problem for some years, but this will escalate despite many government efforts to stimulate growth in further education in this area. Demand will continue to massively outstrip supply, and smaller organisations as well as the public sector will suffer disproportionately as they struggle to afford increasingly rare skills. Banks will lead the way in driving up salaries for good security people, but large international organisations will all compete for the best talent. 2019 will be a very good year to get into information security — if you aren’t already there.
Long dwell time of attacks will continue to expose security weaknesses of organizations with data breaches that take a long time between attack and detection. I attribute this to the fact that a large portion of the security industry still relies on manual investigations of data. Hopefully, in late 2019 and early 2020, we will see that the practice moves from human investigation with machine augmentation to machine investigation and human augmentation — thus relieving security organizations from the dreadful dwell time.
Sophistication of attacks to increase: 2018 brought with it some of the most sophisticated attacks seen in some time. Namely Meltdown, Spectre, and their related cousin: Speculative Store Bypass Variant 4. The cat-and-mouse game of attackers developing new techniques and defenders working to detect them predates information security. The breadth and depth of security technology has pushed attackers to find new attack vectors not easily detected, and while 2018 was a banner year, it’s likely 2019 will bring even more sophisticated attacks. The common thread between the three aforementioned attacks is clear: attacking low-level system architecture using mechanisms that work both on local systems and within the cloud. As the costs of deploying infrastructure continue to push more technologies into public clouds, the value of such low-level attacks only increases. The abstraction of deploying cloud-based systems naturally makes detecting these attacks difficult if not impossible for the customer.
Tariff, trade, and geopolitical differences will further fuel espionage-driven attacks on private industry from nation states — especially in the U.S. For physical attacks, we have the military, but in the cyber world, it’s still up to the often underfunded corporation and private citizen to fend for themselves. Interestingly, government, which should help with cyber defense, will further penalize and scrutinize those who are victims of attacks from other governments, in the form of fines, lawsuits, and audits.
Nation-state sponsored cyber-attacks have been increasing every year, and this trend is expected to continue indefinitely into the future (at least until a coordinated government response is enacted). One of the reasons is that none of the presidential administrations have taken a stance on the issue. It’s basically free hunting season, with no repercussions at the moment, so from an adversary's point of view: “why not?”
Use of AST-as-a-cloud-service will keep exceeding and eclipsing AST-as-a-tool.
By 2022, IDE SAST will become the most frequently used AST technology.
By 2022, use of IDE SAST will exceed use of traditional SAST.
By 2020, use of SAST will match use of DAST.
To better meet DevSecOps requirements, DAST will offer convergence with IAST or SAST.
By 2020, IDE DAST will emerge.
Through 2020, more than 2/3 of enterprises will adopt SCA.
By 2020, SCA will outrun AST in the rate of adoption, brand, and popularity (not in sales).
In the last year, 70 percent of businesses experienced at least one IT outage in the last 12 months. These incidents were most frequently caused by natural disasters, errors while implementing new technology, ransomware, and IT overloads, respectively. To decrease the risk of outages and disruptions and to improve recovery time when they do occur, we believe that we will see more businesses trying to achieve full IT resilience through a combination of disaster recovery planning and technology, backup in the cloud, and continuous data protection.
Companies need to recruit the right IT talent either in-house or through external consultants and invest in the best IT solutions to stay ahead of the game — whether that's planning for natural disasters or fighting off the latest malware or virus. If they fail to do so, businesses risk being hit by the high costs associated with unplanned IT downtime.