For IT security vendors, bad news can be good news: High-profile data breaches and increasing government regulations can mean increased sales of security products.
2017 brought a steady stream of data breach news, and 2018 can be expected to bring more of the same, as attacks and threats get increasingly sophisticated, requiring more sophisticated responses by vendors in what has become a security arms race.
Not surprisingly, the enterprise security market remains strong. Worldwide spending on information security products and services reached $86.4 billion in 2017, an increase of 7 percent over 2016. In 2018, Gartner expects the market to grow to $93 billion. The security testing market is showing fast growth, as is the security services market.
Meanwhile, Forrester Research forecasts that the endpoint security software market alone will grow 4.5% per year for the next five years, reaching an expected $5.9 billion by 2021. The analyst firm expects that these emerging endpoint security suites will be the main drivers of market growth. Endpoint visibility and control (EVC), in particular, is expected to experience the fastest growth, 23.2% over the next five years. This technology is all about discovering and preventing potential threats. Forrester also predicts healthier budgets: 45% of global security decision makers plan to increase their spending on client threat management, up from 39% in 2015.
- Ransomware plague
- Ongoing extortion
- Search results tampering
- Mobile malware
- Internet of Things botnets
- WSL exploits
- Powershell and polymorphism
- AI security tools
- Third-party breaches
- Think about risk, not compliance
- Prevention rather than recovery
Ransomware is a bit like one of the zombie films where the number of zombies increases exponentially as the virus spreads. Stu Sjouwerman, CEO of security awareness training vendor KnowBe4, forecasts exponential growth of the ransomware plague, especially the "as-a-service" strains.
He predicts a rise in ransomware that exfiltrates data, allowing a second way to ransom through the threat of exposure. Ransomware as a service will continue to grow and be a significant source of attacks next year. These will feed the newbies who want to get in on the crime wave as it makes ransomware easy to do.
"We'll also see custom made ransomware attacks that focus on high-value targets such as hospitals," said Sjouwerman. "These shut down all machines at once and cause massive turmoil. They also demand very high ransoms."
Yet another strain of the ransomware epidemic will be used to shut down point of sale (POS) systems. These attacks block cash in the door, increasing the motivation to pay up. Ransomware will continue to evolve methods for delivery other than email, which is still the top delivery method.
On the subject of ransomware, get ready for fake strains that look like the real thing but are really a distraction. What happens silently in the background is the bad guys are trying to get into the system and use ransomware to distract efforts and attention.
For a complete overview of your IT security options, see How to Achieve an Optimal Security Posture.
It is bad enough to have your data held hostage for ransom, but some new scams are going to create a long-term or lingering extortion situation that can be a nightmare for both organizations and individual internet users. An example from Sjouwerman is a ransomware scam that demands nude photos as payment. Of course, this opens the door for continued blackmail. In a corporate environment this can consist of having to give up your customer database or customer credentials to get your data back. So now your data and your customer's data is exposed. This is the type of thing that could hit legal and accounting offices.
"This is also a type of data breach that requires you to report it on official channels," said Sjouwerman. "You can also expect to see micro ransomware that extorts data one document at a time."
This tactic isn't necessarily new, but you'll see more of it: Search results tampering that lead users to a site that has been compromised with an exploit kit. A current example of this is a security camera called Foscam, said Sjouwerman, which was had vulnerabilities that Cisco reported on. The bad guys got ahold of this data and created a page on this using black SEO techniques to get their pages ranked very high on Google. The second link on Foscam is malicious and infects the machine and sends a person to a bogus site with a fully loaded criminal call center.
2018 will see a shift from hacking computers to hacking smart phones. The big problem with this is that 35% of people now use their smartphone for online banking. These individuals will be the prime targets for fraud. Cybercriminals will use both previously successful and new mobile malware families to steal users' banking credentials in creative ways.
"2017 saw the Svpeng malware reappear with upgraded code including new features with smarter and more devious code. It now works as a keylogger, stealing entered text through the use of accessibility services," said Sjouwerman. "Using this feature allows Svpeng to steal entered text from other apps installed on the mobile device, and grant itself more permissions and rights."
Internet of Things (IoT) botnets will likely play a significant role in 2018, and will be the first to cause major incidents, predicted Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender.
"We expect to see increased activity in the IoT space, as more and more cybercrime groups start spinning off new bots from the Mirai code leaked in 2016," said Botezatu. "These botnets will likely shift from DDoS attacks against commercial entities towards DDoS attacks against critical infrastructure operators. Ransomware will also undergo significant transformation in 2018, when it will likely be equipped with advanced anti-detection capabilities such as GPU-based encryption or algorithms to defeat machine learning classification and detection."
Additionally, Botezatu predicted that the Windows Subsystem for Linux (WSL) will become increasingly exploited in 2018. WSL is a technology that ships with Windows 10 and that can allow a Linux environment to run side by side with Windows. As Windows 10 adoption continues to grow, the WSL will become a significant avenue of attack and cybercriminals will likely rush to capitalize on it.
Powershell manipulation and abuse of open-source tools (or freeware and highly reputable tools) for malicious purposes will see a serious increase in 2018 as both advanced persistent threat (APT) groups and commercial actors will include them in malware toolkits in an attempt to bypass security products.
Polymorphic malware, which can change its signature to evade detection, will also be big, Botezatu predicted.
"Polymorphism as a service will also be a concern in 2018," said Botezatu. "There are a number of extremely well designed polymorphic engines running in the cloud (like the one used by Qbot) and we believe that these engines will be rented by their creators to other malware operators in exchange for a cut of the profit."
We've seen a string of publicly disclosed cloud security incidents in 2017, where organizations were relying on policy-based compliance and configuration scanning tools as key components of their cloud security strategy. Unfortunately, these tools can only tell you what can potentially go wrong. Without any context or impact analysis, it's impossible to identify what is going wrong, and what needs to be immediately fixed.
"In 2018, we will see the end of traditional compliance scanning tools, as they will be replaced by AI-driven approaches that are constantly learning about the environment and pinpointing anomalies," said Varun Badhwar, CEO and co-founder of RedLock. "No IT or DevSecOps team, irrespective of their knowledge or size, is able to scale to keep up with the avalanche of data and required analysis needed to make timely public cloud environment decisions."
Over the past few years, we've seen countless breaches resulting from vulnerabilities within trusted third parties. Hackers accessed Target's network through an HVAC vendor, while Home Depot, Hilton Hotels and Sonic were breached through a point-of-sale (POS) vendor, just to name a few. The volume and impact of these breaches are helping organizations understand that their attack surface now extends beyond their own networks to the third parties with access to their data.
Businesses are going to continue to outsource non-core functions to third parties, which means they need to focus more on risk assessments and real-time risk mitigation in order to uncover weak security controls before any vulnerabilities are exploited. These types of breaches are going to continue to occur, and it's become clear that their impact makes them as much a corporate problem as a security problem.
"2018 will be the year when large enterprises finally start to rein in the risk of their expanding digital ecosystems," said Fred Kneip, CEO of CyberGRX. "But for organizations to effectively reign in the risk presented by their expanding digital ecosystems, they'll need more support from C-level teams and boards."
Faced with headline-generating breaches like Equifax and the public outcry around them, companies will continue to face stronger standards and regulations. High-profile cyberattacks coupled with the May 25 General Data Protection Regulation (GDPR) implementation deadline will put regulatory compliance center stage in 2018. Historically we've seen governments take on the challenge of cybersecurity by proposing and enforcing more regulations. New York, for example, recently became the first state to set minimum cybersecurity standards by which all banks, insurance companies and other financial services institutions regulated by the state's Department of Financial Services must abide, and we'll see more states follow suit this year.
While regulation is a good first step, on its own it's an approach that is destined to fail because companies respond by favoring compliance checklists over adopting a risk-based approach to managing third-party relationships.
"Cyber criminals don't care if you're compliant – they care about getting your data," said Kneip. "The real priority is for organizations to approach cybersecurity with a risk-based approach as opposed to a regulatory compliance-based approach. In 2018, too many companies will learn this lesson the hard way."
As ransomware continues to develop, both in the frequency and in the severity of attacks, we need to shift cybersecurity thinking from "post-attack" recovery to "pre-attack" prevention. Obviously, it is best to prevent attacks altogether. But that is easier said than done.
"With a shift towards prevention, anti-ransomware software will need to go beyond simple detection of ransomware to prevention and will come to the fore as the best practice security technology for businesses and consumers," said Hyder Rabbani, COO of CyberSight.
Ed Bellis, co-founder and CTO of Kenna Security, concurs.
"The security pendulum has swung too far into detect and respond while ignoring predict and prevent," he said. "We believe every organization must do both and do both well."
Organizations will continue to shift to a risk-based approach in order to address security issues that are most likely to result in an incident or breach and that will have the largest impact. Practitioners will transition from lacking the necessary data to make decisions to being buried in this information. Meanwhile, machine learning will continue to play a big role in security but will require human assistance and expert supervision in most areas to help identify the needles in a stack of needles.