You and I are living in the middle of an arms race in cybersecurity – can you feel it?
Adversaries are leading the way through constant evolution of attacks via new tactics or techniques, or simply new combinations of old techniques. The good guys reconfigure and retool their threat detection and response capabilities to recognize this new threat vector, which frustrates but typically does not deter the adversaries, who inevitably come back via some other path. And the cycle continues.
Especially troubling is when this week’s or this month’s big breach grabs the headlines, and when the details emerge, it becomes clear that the path into the victim’s house wasn’t a battering ram created specifically for that purpose, but rather a previously unknown weakness in how that front door was constructed years or even decades ago – a now-vulnerable front door which secures not only your home, but thousands or even millions of “homes” (connected systems, in this analogy) around the globe. This is our cybersecurity reality.
What does the crystal ball look like for the cybersecurity and risk management world of 2022?
Ransomware tactics will continue to evolve. The “double-extortion” model, where your data is encrypted and the adversary simultaneously threatens to release the data, will persist. Much as there has been every year, there will be new combinations of existing tactics, as attackers continue to innovate in how they run their own revenue-generating business operations for greatest efficiency. Attacks launched from locations not addressed by the US legal system will further complicate response efforts.
Privacy legislation globally will accelerate. Data residency will continue to be an important component at the national level worldwide. Regardless of your corporate size, if you are charged with securing your global organization, be thinking about your own architecture and where the data is collected, where it lives, and where it is handled – these may be three different jurisdictions. The flexibility of your current architecture will become even more important as new privacy regulations are passed and enforced.
The cybersecurity skills gap will only widen. Despite the large number of educational programs and certifications designed to demonstrate proficiency as a cybersecurity professional, those numbers will be outstripped by the quantity of new jobs which must be filled. Smart organizations will relax their “perfect candidate” standards and widen the net to find good people. Do you really think that attackers have “the right security certifications” that you demand of your new hires?
Existing regulations will catch up with the pandemic. Many organizations scrambled to keep moving forward in the chaos that was early 2020, and there were shortcuts and other compromises in that compressed timeframe. Some companies found that their pre-pandemic architecture was built with assumptions about where data is typically handled — and with the remote workforce wave, these legacy data handling practices didn’t keep up with new geographies. What was previously not a compliance issue may be one today. Regulators will start to notice this and take action.
Nation-state actors will continue to prepare the battlefield for future action. Sometimes an attack against critical infrastructure is deployed to cause an immediate effect, but sometimes the attack is carried out simply to leave behind code which may prove useful to the adversary in the future. Nation-states are not petty thieves rattling door handles as they walk around. They are canny and deliberate and are thinking about long-term gain, not short-term disruption.
Social media platforms will become the fastest-growing attack surface. Most stories about cyberattacks leading to kinetic (or physical) outcomes tend to focus on things like car hacking, medical device compromises, and other stunt-hacking proofs-of-concept. But it is today’s social media platforms which represent the biggest, cheapest, and fastest method for an adversary to effect change in the physical world — not by destroying equipment as part of a cyberattack, but in mobilizing humans towards the adversary’s goals. Disinformation, and its skillful development and deployment, will produce real-world physical effects.
These are some of the key areas to keep an eye on for next year. But it’s poor form to offer up a slew of predictions and then conclude without any actionable ideas on how to recognize and remediate some or all of these challenges. Here are two closing thoughts.
Plan for uncertainty, plan for resiliency. Just because the world we live in seems to be whirling around faster and faster with adversarial attacks and fresh regulatory challenges alike doesn’t give us an option to plant our flag in the ground and defend it at all costs. One of Aesop’s Fables, “The Oak and the Reed,” guides us on this point: in a storm, it is the unbendable tree that is more at risk of failing, whereas the smaller, more nimble reed bends and bounces back. You and your business must remain flexible and adaptable — this is one of the many drivers leading companies to the cloud and its ease of scaling up and scaling out in very short timelines.
You cannot protect what you cannot see. Too many organizations, driven by a check-the-regulatory-box model, decide that “visibility” means being able to collect and aggregate logs from key devices found in their operating environment. That might have been the right answer twenty years ago — but it’s absolutely the wrong answer today. Log-based information — typically, text files which are produced by applications, servers and infrastructure — is operationally useful, but if you are charged with securing your environment and responding to threats both external and internal, you can’t achieve true visibility unless you can peer into your network traffic and the endpoints to and from which that data is moving. Seeing those logs, network and endpoint data together is even harder when your environment is a mix of on-premise, virtualized, and cloud-based tools. Take the time to identify your crown jewels, and prioritize visibility into those assets so that when the time comes, you are confident you have the right set of glasses on and can see absolutely everything you need to make the right remediation decision.