This year saw dozens of massive data breaches — and 2017 isn’t over yet. It also saw record investments in security startups, with at least 20 in the $40 million and up range. Older IT giants like Cisco and IBM boosted their revenues from newer security businesses as well. With the size and scope of attacks expected to increase exponentially, security spending probably won’t drop anytime soon. Cybersecurity Ventures puts it at a $1 trillion market from 2017 to 2021.
Aside from bigger breaches and more security spending, what should companies expect in the year ahead? SDxCentral talked with industry analysts and other security experts to discuss the changing landscape. Here’s what we think you should keep in mind, from threats to promising technology advances, as we head into 2018.
Year of the CISO/CSO
Companies are starting to take security more seriously as they realize that a breach can cause major damage to its reputation and revenue. Because of this, security is no longer confined to a corner of the IT department. In 2018, expect to see more companies hiring chief security officers (CSOs) or chief information security officers (CISOs) and adding them to the C-suite. “Security organizations, led by the CSO or CISO, are being pulled out of the IT organization and reporting directly to the CSO,” said John Wheeler, a Gartner analyst.
Extortion — Not Chaos — Will be the new Norm
The Mirai botnet in late 2016 that used hundreds of thousands of compromised Internet of Things (IoT) devices to launch a DDoS attack on domain name service provider Dyn was merely a sign of IoT security attacks to come, according to Forrester Research. “We predict that in 2018, there will be more IoT-based attacks, not just DDoS attacks like Mirai, but attacks on both devices and cloud backplanes as hackers seek to compromise systems for ransom or extract sensitive data for monetization,” according to its Predictions 2018: Cybersecurity report. But while attacks to date have been motivated by political, social, or military reasons, Forrester expects these to expand to financial motivations in 2018. “Cybercriminals are already exploring the potential for ransomware targeting vehicles, operational technologies, and even medical equipment.”
Security Will Become Highly Automated — but not 100%
A shortage of skilled security professionals is no longer a prediction — it’s a reality that has been documented by several studies. One of these, a Dimensional Research survey commissioned by Tripwire, found 93 percent of information security professionals are worried about this skills gap. “Security experts are expensive and there are not as many as the industry needs,” Yogesh Kaushik, director, Cisco Tetration Analytics told SDxCentral in an earlier interview. This is where automation, powered by machine learning, fits in. But, as Kaushik said, security can’t be fully automated. “You want to have that human in the loop. But 90 percent of the tasks are very repetitive in nature and they can be fully automated.”
DevSecOps Will Rise
Agility and automation are a couple of the benefits of DevOps, which unifies software development and software operation. In 2018, security will be more tightly integrated into the model, said Gartner analyst Earl Perkins. “We’re injecting security development principals that are consistent with operations principals.” This also gives organizations an opportunity to improve its security posture by automating security, said ESG analyst Doug Cahill. “Integrating cybersecurity processes and controls vis-à-vis the DevOps pipeline then ensures that all new code is delivered as secure code,” he said.
But, cautions PJ Kirner, co-founder and CTO of Illumio, DevSecOps needs to shift from a democratic model where everyone gets a vote, to a more republic model in order to avoid adding risk to business. Developers need to bring their agile development processes and requirements to the table, and security teams need to bring their security expertise, he said. “While these teams have to work together in new ways ultimately, security teams are responsible for doing the right thing.”
AI Security Vendors Will Shift From Hype to Results
Artificial intelligence (AI) was the security buzz word of 2017, as nearly every security startup along with established vendors touted its products’ ability to use AI to prevent and predict attacks. So much focus on machine learning and AI, in fact, that ESG analyst Jon Oltsik, in his Black Hat 2017 wrap-up, wrote “enough about machine learning and artificial intelligence…talk use cases rather than supervised modeling.” We expect the tide to turn in 2018 as customers start demanding results from AI-powered security products. As Kirner said, “Companies selling AI-powered products will need to find a way to start showing results in a quantifiable way, and not simply pitch their solution, and those that do this will be leaders in the industry.”
And Real AI Will be a Security Requirement
When it comes to security products, machine learning and AI will no longer be differentiators, ESC’s Cahill said. “AI and machine learning are going to be expected.” Perkins said he foresees that AI will mature to the point where improved analytics capabilities will dramatically reduce response times. “If we’re able to build this level of capability, things that used to take months will take days, and things that used to take days will take seconds.”
Alternative Approaches to Patching Will be key
By now everybody knows that Equifax had a patch to fix a coding flaw for two months before hackers exploited this vulnerability, which compromised social security numbers and other sensitive data on more than 145 million people. Companies don’t install patches for a number of reasons. It tends to be a manual, time-consuming process. Sometimes the software isn’t compatible with older operating systems and can cause outages in mission-critical work. And often, there are just too many patches to keep up.
This is why Oracle CTO Larry Ellison says companies are “losing the cyber war.” It’s also why Cahill predicts that “approaches to protect an organization against exploit, without having to patch, will gain adoption. Specifically, virtual patching and autonomous patching.” Virtual patching is a security control that looks at the known behavior of an exploit and blocks that behavior, he explained. Autonomous patching is what Ellison talked about with Oracle’s new self-patching database. Which is to say Ellison, not the hackers, will win.