Humans inherently are drawn to predictions because, deep down, we want to believe we have some control over our fate. The reality, though, is that prognostications remain a slippery slope, especially within the information security industry.
Many times, if they’re not overtly obvious or rooted in wishful thinking, they’re pie-in-the-sky. But the real problem is that instead of trying to forecast the next big threat to impact organizations, how large the skills gap will grow or whether security spending will increase or decrease, we should take care of the real problems that sit in front of us, like, right now, at this moment. And if you’re going to worry about the future, then work to create a nimble and flexible program that can adapt as the attack landscape evolves.
So, to take a marginally different slant on this whole end-of-year ritual, we decided to ask four Trustwave SpiderLabs experts to assess the year that was and evaluate whether security professionals are in a better or worse place than they were when it began. We will contractually close with our experts peering into the future and offering their most sensible – sensibility being key – projection of what 2019 will bring, which, as you’ll see, really speaks to that need to get the fundamentals in order before you can fret over any forthcoming calamity. Of course, that didn’t stop one of our researchers from painting a dystopian nightmare that may or may not involve you reluctantly running the local cat club.
Let’s get started.
It’s time to put a bow on 2018. How would you describe the cybersecurity developments of the past 12 months?
Anat Davidi, senior security research manager: I think that from a technical perspective, it’s been a fairly non-chaotic year, at least relative to the perpetual chaos of the cybersecurity industry. It feels to me like this year a lot more happened on the law and regulation front than the technical front, which is important, but less interesting for me as a techie to talk about. Then again, the year started with the Spectre and Meltdown debacle, so maybe everything else just felt smaller in comparison.
Ed Williams, EMEA director: If I were to grade 2018, it would get a C+. Some good work, but lots of room for improvement. Perennial basic issues remain, but we can overcome these issues with hard work and concentration.
Shawn Kanaday, managing consultant – DFIR: 2018 was certainly the year of endpoint detection and response (EDR). There are so many companies now trying to get in that space and developing with a fury. The EDR war plays out on Twitter and at security conferences reminiscent of the old anti-virus company wars.
Mark Whitehead, Americas director: They are ever-changing; however, not unique. The same fundamentals apply year in and year out. It is how organizations adapt to the changing landscape and execute on those fundamentals that separates the winners from the losers.
Are we in better or worse shape heading into the new year?
Shawn: In my opinion, we are no worse or better than we ever were. The security tools are getting better, but with the amount to choose from it makes it harder for companies to understand what they really need. Security 101 is still a big problem and fixing those issues often comes free.
Mark: In general, I would say most organizations we consult with are in better shape. However, for most organizations, it takes one external event they cannot control that can change their posture almost instantaneously. That said, they are best served focusing on what they can control.
Anat: That’s always such a black-and-white question. We’re better in some ways and worse in others. We learn how to better secure some existing technology and invent three new technologies with a whole new set of security problems to solve which will probably become 2019’s problem. I always worry that we’re not training enough security professionals and not standardizing/enforcing best practices fast enough to keep up with it all, but for now it seems like we’re hanging in there.
Ed: I’d like to think we’re getting better as an industry and more mature. While this is true for certain areas, we still have a long way to go to get the basics of patching, passwords and policy done across the board at an enterprise level. If there was one area I could put extra focus on, it would have to be defense in depth, making sure there are multiple layers of defense for an organization – which, unfortunately, is easier said than done.
Please whip out the crystal ball for this one: When all is said and done, how will we remember 2019?
Ed: Hopefully this year we finally got a hold of the basics and really made threat actors work for their hacking rights.
Shawn: At the end of 2017, I predicted that ransomware would be ditched for cryptojacking, and we have certainly seen a drop in the number of ransomware attacks and an uptick in cryptojacking. In 2019, I expect Internet of Things (IoT) devices to be the new playground for cryptojacking malware. IoT devices are too fast to market and have next to no security built in, bringing back 20-year-old vulnerabilities.
Mark: New ways to hack into organizations will be discovered, and organizations will be impacted by both new and old techniques. 2019 will be the year of trying to simplify our industry. It has become too complex and a burden on organizations to keep up with the various solutions, vendors, threats, terminology, etc.
Anat: The year when your fridge mysteriously ordered 1,337 cartons of milk so you had to live on cereal and pudding for a month and all the neighborhood cats moved in with you.
Should have seen that one coming.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.