Cybersecurity in a Chaotic Time: 2020 Trends and 2021 Predictions
2020 has been a chaotic year. From the far-reaching impact of COVID-19 to the increasing number of data breaches across nearly every sector, the threat landscape continues to intensify and the importance of cybersecurity continues to grow.
The cybersecurity trends of 2020 teach us valuable lessons that are important to understand for the coming year. These trends focused on protection of customer and patient data, political and electoral targeting, essential technologies most at risk, making analytics and intelligence usable, and protecting holistic identities of users.
View this on-demand webinar examining cybersecurity trends and predictions, featuring Fortra thought leaders Bob Erdman and Mike Lynch. Discover key trends, challenges, and projections in both areas of cyber threat and identity governance, and learn what’s to come in cybersecurity for the short- and long-term.
- [Bob] Welcome everybody to our webinar, Cybersecurity in a Chaotic Time. We're going to do a little review of some of the things that we saw happening across 2020 as we finish out our crazy year here and then talk some about what we feel is going to be coming up and affecting all of us in 2021. So my name is Bob Erdman. I am the senior product manager for the cyber threat division and of course, security with Helpsystems. I'm joined today by Mike Lynch. Mike, do you want to introduce yourself a little bit?
- [Mike] Yeah, sure. Thanks Bob. Hey everybody. My name is Mike Lynch and I'm a senior sales engineer and solutions with Core Security where I've been working with our IGA and IAM solutions for the past six years.
- [Bob] Hey, thanks, Mike. With the tools I work with here at our company, I'm very much on our offensive and defensive security solution sides. So everything from penetration testing to anti-virus and network traffic monitoring all the way down the stack from mainframes and IBMI AS/400 type systems to Unix, Linux and Windows.
Accurate 2020 Predictions
1. Fake News & Role of AI
So let's get started and have a bit of a review over some of the things that we expected to see happening across 2020 and maybe some of the things that happened at scales that were much larger than we even thought about. And number one, we definitely were expecting to see a lot more fake news. Doesn't matter what side of the aisle you're sitting on, fake news has been a huge part of what been going on. People calling things fake or not fake, people posting things. And you're starting to see even now a lot of murmuring around some of the protections being provided to these large social media platforms, around how they're regulated based upon how they're trying to start managing content around this. We're seeing a lot more now where major platforms are trying to flag things that they suspect maybe fake to take things down faster than they used to be and start to implement a lot more control around these.
These deep fake impressions that we're seeing, and what that really is, is people altering like personas to make them look like they're either advocating things, or saying things they maybe didn't say. This used to be the domain of big AI. This is starting to become the domain of everybody's favorite graphic card because these GPU units are getting to be so powerful now. The artificial intelligence capabilities that we have at our fingertips, are that we can easily deploy in a cloud system like an Amazon or an Azure, give us the capabilities to do a lot of damage. And I think this is something we'll continue to see evolve over time, especially as threat actors start to take up more and more of these things.
Now we haven't heard as much about compromised political websites yet. We still might. As we all know, the election is still being hotly contested by certain sides. And we may see more and more of these things come out after the fact, as people kind of run down the list. We've certainly seen a lot of chatter around, hey, were people hacking voting machines and were people illegally doing this or that? Whatever that turns out to be in the end, it's definitely been part of what's been in the news cycle for quite some time now. And I suspect for quite some time after this yet, we'll still be hearing about it.
2. Old Operating Systems & Attack Vulnerability
Another thing we talked a lot about was old operating systems, things that were kind of EOL'd and still being used by many organizations. We're still seeing this as an unfortunate trend out there. People don't have the time or the resources or maybe just the desire to upgrade some of these systems. We're still seeing a lot of EOL'd Windows being out there as an example. Things that are easily targeted by malicious actors. Because exploits are out in the wild, they've been well-known, especially as you look at some of the new, more hot targets in the industry. IOT, SCADA, industrial control systems. There's a lot of those platforms that are running on very outdated software because they're deployed and expected to run for a really long time before they're ever touched again. And people are starting to expose more and more of this either on purpose or accidentally out to the internet where they can now be targets of attacks. And it's not just Windows. We see the same thing in the Unix and Linux environments as well, where people are running older versions of the operating systems, maybe not keeping up with their patches as well. And it's making our old exploits that we've come to know and love be super effective again, because now these older systems are more and more often being exposed to the internet where maybe we couldn't get at them a few years ago and now we can easily get at them because of the way services are being pushed out and presented out to people. Mike, you want to take this one?
3. Increased Pressure on Organizations to Protect Consumer Data
- [Mike] Sure. So customer data was a big trend we predicted for 2020. And basically, we always knew there was going to be an increased pressure on organizations to protect customer data. And not just from a compliance or regulatory standpoint, but from the perspective of the impact on the business, from both the financial payout and a loss of customer trust perspective. And the reality is that organizations just can't protect everything. And so they've got to prioritize the most critical data and systems to protect and focus response on that. And if you try to protect everywhere, you're going to protect nowhere. So best practices are to employ roving patrols, layers to your security, and get at the stuff that's most important.
4. IGA & IAM as a Safeguard
You definitely want to use some good pen testing practices to identify vulnerabilities and key systems as well as network intrusion safeguards. And on the identity side, you want to make sure you're automating access controls to key systems, as well as performing periodic access reviews, by managers and application owners throughout the organization. And next slide there. So another area that we identified as a trend, we've seen this in 2020, along the lines of analytics and intelligence and, these have been key topics for the past few years actually. And we've seen increased focus on not just having the analytics and the intelligence but the bigger focus has been on making it usable, right? So that the overwhelming issues like identity governance are easier to manage. And I know Bob, you and I both know machine learning is really very overused word, but I think we need to talk about how machine learning will help us reduce risks. So it's a simple process to look at access and identify risk. And I know lots of organizations have looked at machine learning based solutions or maybe even purchased those solutions. And we'll see more of those organizations continuing to use that technology obviously through the end of this year and definitely into 2021.
5. Ethical & Unethical Automation Skills Improving
- [Bob] I think you're spot on with that Mike. And we're starting to see those same tools and tactics be picked up by the malicious actors as well. Cyber criminals are using analytics and intelligence to help refine their techniques. And we really have to be better than they are at some of these things. Making sure that maybe we are pairing two seemingly meaningless alerts from different sides of our network together and understanding that those two things actually mean something bad to us. And we use tools to do that, machine learning algorithms that understand how to correlate data from across the network, because quite honestly, you can't get enough eyeballs on logs, standard sized enterprise. The volume of data that can come at somebody, there's only so many physical lines that a user can read and only a certain amount of remediations that they can attempt to take in a day. And if you can't just keep scaling and scaling up those bodies, we have to use our machine learning and our computer systems to help augment that and to be able to take a look at those things and quickly process through the noise and get down to the real meat of what people have to be working with. We also talked about a lot of trickier threats. We're definitely seeing the level of sophistication of our threat actors increase. Hackers are getting smarter, they're getting more sophisticated, they're using additional tools like we just spoke about. And we're seeing a resurgence of some of those older threats even that we may have forgotten about as people are moving back to file-less malware, targeting with command and control systems and spending a lot of stealthier time around, inside of the network.
6. Linux Isn't Above Vulnerabilities
We're seeing a lot more targeting of non Windows systems as well. Unix, Linux, AIX. There's been more recent Linux malware being released now. For a long time, everybody kind of sat in their white tower and said, "Linux, can't be attacked. "We're all super secure." I'm a Linux guy. No, that's not true. We've seen a lot more recent now where malware families are porting their systems to Linux and Unix. That's where the good data is in a lot of organizations and they're, of course, going to try and get there. So we've seen some recent attacks like, that were identified in Texas in government departments. Or in kind of Minolta where I think that was a ransom X. That was a traditionally Windows based ransom family that has now been ported down to Linux, Unix. There's definitely been some others across 2020. So people are getting better as threat actors. That means we have to get better as security professionals in defending our solutions.
7. Unethical Hackers Stealing & Utilizing User Identities
And we've seen an increase of the bad guys trying to steal, essentially user's whole identity to gain access to maybe all of their accounts if possible. So as we look at, especially now that more of us are working from home, if somebody can phish you and they can start to mine data from your systems, it's not just maybe that they're going after credentials for a certain system, they may be going after all of your credentials. And I can take what we know, which is a lot of users. Most users tend to reuse passwords and reuse security credentials. If I can capture those from one system, I can now go back and replay those into the network or into other areas to try and reuse those credentials and see what else I might be able to compromise. Maybe it's Dropbox, where I'm dropping files that my IT department doesn't know about or other shadow IT devices. Honestly, maybe it's social media accounts. I want to take over an account and post things. I want to take over an account and try and phish other users that maybe you're connected to, to try and compromise them based upon thinking that it's you. Or sometimes I maybe just want to monetize sales of something like a gaming login or Netflix or some other password that you're using because all of those things are worth learning. And if we can get access to those, we can resell those as threat actors. Some people aren't just looking to necessarily compromise single devices anymore. They are looking to take you over and take over control of everything you have access to, to maximize the amount of profit that they can gain. And that's definitely what they're out for. It's how much profit can we get from doing these things. Also more attention being paid to fringe devices. So this was, got pretty big in 2020 without us knowing that COVID was going to be hitting. But attackers are targeting other things now inside of people's portfolios. IOT devices, cell phones, smart TVs. We've been talking about medical devices for quite some time here at Core Security and health systems. And honestly not maybe had a lot of people listening to it as well as we had hoped they would.
8. Breach of Critical Networks With User Identities
There was just a big recent announcement about, hey, all of these major manufacturers' MRIs are vulnerable to a simple default password attack where default credentials have been deployed everywhere that these have gone in. Many of them are now exposed to the internet. That's an entry point to your healthcare network. So more and more people are starting to see these attacks. It's not just doing a DOS from a big botnet of wifi routers anymore. The more of these devices that are deployed inside of our critical networks, the more attack plane that we're opening up. And we really need to be a lot smarter about how we're protecting those devices, how we're limiting access and how we're watching our networks to look for malicious activity within these devices. Because if I, as an attacker can hide on a security camera, that's great. That gives me an awesome pivot point into the rest of the network. It's not just that I want to see what the camera sees, I want to use that as my foothold to hide inside of those networks. And more and more often, we're seeing that dwell time increasing again, where people are able to move around inside of the network for a really long time and exfiltrate data before they launch something a little more destructive and noisy where people see that they're there. Because of course, ransomware attacks these days are most commonly data breaches first. I'm going to steal all the data I can steal, then it can light the network on fire on my way out. And try and extract a ransom payment to get your data back, get the second ransom payments so I don't publish it and put it up on the open internet. So more and more, we are seeing people starting to pay attention to these fringe devices.
1. Remote Work - Educating Users On Personal Breaches Affecting Professional Devices
So we'd like to get into some 2021 talks and some of the things that we're expecting to be top of mind as we move here into the new year and get rid of crazy 2020. And number one, remote work. And many of us are already doing this. And really in a lot of cases, this is going to become the new normal we think. A lot of teleworkers are really not going to be going back anymore. Companies are seeing that they can successfully use employees in remote locations where they don't have to pay for all of that infrastructure. And they don't have to have people commuting and driving or maybe moving to a new location to work for them. They can open those jobs up and let people work from virtually anywhere. But this definitely is a larger attack surface and an increased device count. Now, essentially everything sitting at somebody's home has a possibility to connect into somebody's network because that wifi that your user is jumping on with their laptop is also the same wifi that their family is using for their Xbox. And if somebody can compromise an edge device, they now possibly have a path, especially, if you're connecting into a VPN to pop down then into the rest of the network. And we need to make sure that our workers are aware of how this is happening. That edge being at someone's house, have we done anything to help them harden those edge routers? Have we given them guidance like disabling remote administration passwords on their wifi routers, patching up firmware, if it's available.
2. Remote Work - Educating Users on Best Practices
Some companies are actually providing that equipment to make sure that they have secure connections and secure options. Or maybe segmenting off the rest of their house, using the guests network functionality to let your kids play on the guest network and you're going to drive your work on the standard network. So definitely things that we can do to help with that attack surface. And then tools that we can use to be able to better monitor, what's going on there. Not just with what's happening across maybe a VPN connection to the office but what else might be happening in the background. Because now if I can phish somebody's personal email and they open that up and look at it on their work laptop, which we know tons and tons of them do because I'm sitting in front of that screen, I'm just going to pop into my email for a minute and see what's coming in. That now may compromise that laptop. Let me start to steal credentials, let me start to connect back into those other systems. And it makes it hard for IT as we try to make it better for our users to do their jobs. So we're going to expose more services that they could connect to without having to maybe jump on the VPN, now we lose some visibility into what those users are doing because they're disconnected from us but they're still utilizing services that we're providing. And we're having to come up with new strategies around how do we see? And maybe we have to put agents on systems. We all hate doing that. Maybe we have to funnel some of that traffic to certain pipes so that we can get better visibility into it. But how do we see what they're doing when they're not connected to the office network all day long but they're still actually using office resources? Mike, I suppose you've probably got some thoughts around this too on your side.
3. Remote Work - IGA Mitigating Risk
- [Mike] Yeah. Bob definitely. I mean, no doubt about it, remote work is here to stay in a significant way. And this really, what it means is that it's more important than ever to make sure you've got a handle on making your employees and contractors, making sure they have least privileged access to your systems and applications, for all the reasons you mentioned. The remote workers, there's less control over their environments by most organizations. So you definitely wanna make sure that you're following least privileged access best practices, so that if there are compromises, you're going to minimize the systems that those remote workers can get to. You want to make sure they only have access to what they need. And improving traditional IGA processes around access provisioning and de-provisioning will be an important part as well as having well-defined processes for periodic access reviews.
- [Bob] Yeah. I think those are great comments. I mean, I used to feel like I was an outlier. I have remote worked for many, many years for a variety of companies. And there wasn't a lot of us two years ago that were doing that. And more and more now, there's people working from anywhere. Somebody wants to take a month's vacation and go somewhere and sit on the beach, they can do that and they can still connect to the office all day long. And they're just going to use whatever wifi is around. So we really have to do a good job of training our user base on how to do things successfully and smartly so that we aren't opening up attack planes that we don't need to be opening up as they're doing those things. Because that can lead to something we wanted to talk about next. Phishing.
4. Remote Work - Phishing
Phishing continues to be the most successful method for malicious actors to gain footholds into environments. And employee education is really the key. Phishing attempts are nearly impossible to block from every inbox. It's super common to see attackers initially gain access through some kind of targeted phishing campaign. And they're using some of those techniques we talked about earlier to make those malicious emails even harder to detect. A spear phishing attack could be very, very targeted these days. These large threat actors are doing their homework. They're doing their intelligence gathering before they start something. And when they want to compromise Bob, they're going after Bob with various specific messages and requests and they know what they want to get after on the backside. It's not like it used to be where I'm just going to send out a million spams. I know 1% of the people that see this are going to click on it and it's going to give me X amount of things to try and play with. They're getting much more targeted these days. And we really want to make sure that we are teaching our employees how to not be susceptible to these types of attacks. We did a survey in 2020 and we saw that, nearly 40% are reporting that they either test annually or never at all. And we think it's really important to teach your users how to avoid phishing attacks and continually retrain and retest them to make sure that they are not starting to slip. And it doesn't have to be some super detailed thing where I went to try and catch everybody.
Generally, we want to look at, making them understand how convincing phishes can be. How do you see what it is? How do you learn to check that banner that comes up that says, this is not an internal email? You should have extra attention to it. Hover over those links before you just blindly click on them. Make sure that you understand where you're going to go when you click on this. And if something doesn't look right, it probably isn't right. It may be a domain that, people are very good at getting doppelganger domains where it looks really close to what you expected to see. I may be trying to get you to enter credentials. I may be trying to get you to download a malicious payload or it may just be trying to take over your browser so I can install a remote keylogger and watch everything you type to get the admin credentials to your mainframe. There's a lots of reasons that we may be going after these users. The generic financial gain, of course, that's the main part, piece behind this but more and more we're seeing more of the nation state style sponsored actors, large threat groups going after these users with phishing. So we think it's super important to work with them, continually train them. If you're not doing it today, start out small. Start out with the easy things, step up that message over time and get people to continue to be looking at this. And then have a plan on the backside as well. So if somebody clicks on a phish, what is your plan? Do you put them into training? Do you wait until they've done it a few different times in a few different testing cycles? How do you deal with that employee education piece on the back end with someone that maybe is continually falling victim to some of these things? And it's going to vary much greatly by what's going on around the world.
5. Phishing Influenced by Current Events
Right now, it's going to be COVID, it's going to be election results in the United States. And any day now, it's going to be vaccine distributions. And it's going to get people clicking. And we want them to be very aware of what it is that they're clicking on because people are going to use those messages to try and target our user bases. Ransomware actors, once they get in are very motivated to stay inside of those targets. The big actor groups are going to spend a lot of time doing their research and digging around the networks. The less skilled actors are going to be employing more and more often now that ransomware is a service model where I'm just going to pay for these tools. I'm going to set them off against what I want to go after. And I'm going to see what happens and just pay back a bit of my financial gain to the guys who wrote the tools. All of this is done, available out there, easily purchased on the internet by anybody sitting in their basement that wants to start trying to make money on it. So it's getting to be more and more of a problem. And I don't see it going away. I think it's going to continue to increase in 2021. The more chaotic the world is the more easy it is for someone to do phishing campaigns and get people to click where they shouldn't be. This sort of might be a little bit controversial but I really think IT is going to get more money this year.
6. Increasing IT's Responsibility, Not Resources
Generally, the message is always, how is IT going to do more with less money? How are they going to do more with less resources? I think we're seeing that shift. And we're starting to see, especially with some of the things around the work from home, the less travel, the realization that maybe 30% of the business travel that we took was really essential, and the rest of it was kind of fun trips to go see somebody. We're going to start to see more and more organizations repurposing some of that in-person spend and bring it down to their technology teams to provide better virtual experiences for those either users, workers, or customers, to be able to do things remotely. For quite some time yet, everything's kind of influx. We may be able to get on a plane but when we land, we may not know if we're going to be able to actually go and do anything or meet with anybody. More and more, we're learning how to do all of this work virtually now. From virtual meetings to virtual conferences, to virtual team outings, with our internal teams. So I think we're going to see more and more some of these budget priorities start to shift in spend and we're going to be getting IT more of these resources. Because like we talked about earlier, remote work is here to stay. We're not all going back. There's going to be a fair number of people that are now going to be permanent work from remote employees. Maybe you're going to have a hotel area, bring people in certain amounts of time, stagger your workforce where we see half the people one day and half the people the other day. A lot of these strategies are being put in place by critical infrastructure already. But I think the money is going to start coming back towards IT. And they're getting, we're already seeing them get more access to resources, more access to people because the business has to operate somehow. And if the business can't operate in person, flying around or coming into an office, the business has to operate virtually. And the money's coming in for these teams to get that virtual infrastructure built up and hardened.
7. Attacks on Healthcare
We're also expecting to see a lot more focused attacks on healthcare. Not great, we don't like to see it but it's definitely happening and it's happening a lot. And it's not always just a major frontline tier one hospital, many times it's the dentist office or the same day surgery or the kidney center down the street because all of those places have interconnections back to those main tier hospitals. And a lot of times they have a lot weaker security. The joint cyber security advisory was issued recently by the Cybersecurity and Infrastructure Security Agency and the FBI and HSS, talking about some of these tactics and techniques that are being used by cyber criminals to target healthcare. We talked about some of the easily breached devices that exist in a lot of these healthcare environments today, as well. Now people are getting money out of this. It's generally ransomware actors going after them. If I can get in and get to that protected health care data, and I can take over a piece of the network that is such critical infrastructure that they know they're going to have a pretty good chance of getting a payout to get that data back. Threat actors are increasingly using new back doors and new ransomware loaders to get their malicious cyber campaigns off the ground.
8. Emails: TrickBot & Anchor
What we'll usually see is some kind of initial compromise like a phish to an employee being used then to drop a payload type solution. So something like TrickBot, that's going to get out and do some evaluation and scanning and then hand back control to drop that malicious payload and people are going to be moving around those networks. TrickBot used to be a banking Trojan primarily. We're seeing those operators now have a full suite of tools to conduct illegal cyber activities. Everything from credential harvesting and pulling out emails to crypto mining and data exfiltration. And then we move on to some of those bigger, those bigger modules. FBI has even observed new TrickBot operators. There's a new module they call Anchor. It's typically being used to attack high profile victims, large corporations. And a lot of times what they're looking to do is pull out data from the systems. And many times that data is really hard to catch. Anchor is a good one at doing that, unfortunately. We can pull data out even through DNS queries. It takes a little longer but it's very hard to detect if you're not looking for it. And then we can get that data out. We can monetize that data. And then we can just start the ransom campaign on the backside. And usually phishing is the first way that gets in. Documents either have malicious links or they have malware embedded inside of them. Emails can appear to be really routine. It can be legitimate business. They're not always as dumb as some of what we see. We see the Gmail message from the quote unquote, president of the company talking about this, we're going to have this great bonus plan and it's super secret. So wire this money over here. And don't say anything because I don't want anybody to know what's coming. We've seen people fall for that, unfortunately, but we don't see it a lot. It's usually a much more targeted, much more legitimate sounding message now because of the amount of homework that people do, the amount of open source intelligence that's available out on the internet for people to look at as well to go after these industries. And we think we're going to continue to see, unfortunately, healthcare be a bigger and bigger target. Mike, do you have anything to comment on this one?
- [Mike] I just say from a monetary standpoint, hackers are going to attack organizations and applications where they feel, they're going to get a large financial gain and the top of that list you've got your health care and financial information continue to be very lucrative money sources for attackers. Also, yeah, I think you kind of mentioned earlier, especially on the outside of some of the major healthcare organizations, a lot of healthcare organizations on the small to medium size level as a whole just aren't, they're not typically on the forefront of IT as it relates to network and secure and system security. So, unfortunately I just think, like we're predicting here, I think healthcare sector is going to continue to be a primary target in 2021 and into the future.
9. Spike in Use of Role Based Access
And one of the other predictions I wanted to talk about today was role-based access. I mean, it's not really a prediction, a new prediction but it's a prediction in the sense that we're going to see more and more people using this. I've talked with a lot of customers and a lot of prospects over the past several years. Everybody talks about role-based access. They want to use it, but they've always looked at it as like a separate option or part of IGA, identity governance and provisioning and de-provisioning. It was a big trend, 2020, that's going to continue to gain traction 2021. And I just think well-defined roles simplify so many parts of the IGA process and they're critical to reducing risk and automating the access provisioning and access review processes. On the provisioning front, roles make assigning and removing access so much easier. We'll continue to see the adoption of roles, with solutions like Core Security's core roll designer, which allows organizations to create their own roles and also makes recommendations on role definitions and role merging and modification, by providing an easy visualization and the intelligent analytics we talked about earlier.
I think the challenge for many organizations is that to a certain extent, they almost have as many roles as they have identities to manage. This is especially true in larger organizations. And so, cleanup of access data is definitely in order. It's also important for organizations to initially focus on low-hanging fruit, right? What are the roles that provide the greatest coverage, right? Maybe there's four or five roles in my organization that cover a large percentage of the employees. Or which roles have the most change and turnover. If I'm a, a financial organization, maybe I'm a bank, maybe in the teller role, I've got a lot of people that come in and out of that role. And so I'm doing a lot of access provisioning and de-provisioning there. And if I'm doing that manually, that's a lot of room for mistakes and security, leaving access around when it shouldn't be. So having roles to find for all of that makes all that much more streamlined and easier to implement. I see way too many organizations who try to kind of boil the ocean, and they take on a role project, right? And they just try to implement all the roles or too many roles at once. And I just don't think that's the way to approach it to be successful.
And then on the access certification front, if you don't have roles defined, then how are you going to know if users have the appropriate access? So performing periodic access reviews becomes much easier with well-defined roles because you can easily see and compare user access against the role to determine what access is most at risk. When you take out all the access that the user should have by defined role and you just focus on access outside of that role, it's much easier to identify risky access. And so the implementation of roles, along with these role definitions also require that you periodically review that role definition as well. So a lot of people review access on a periodic basis. When you define and start using role based access controls, you want to make sure you're periodically reviewing that role definition.
10. Privileged Access Management To Integrate With IGA
All right, so another prediction for 2021. I know approach access management has been around. So it's not a new concept. Basically, privileged access management or PAM as people call it, it allows organizations to lock down privileged accounts in their organization, making sure that access to key systems and applications is controlled, approved and it's auditable. But what we're going to see new here is a greater trend towards basically PAM, obviously, continue to be an important tool for managing risk but we're going to see it more closely integrated with mainstream IGA solutions. So pushing it closer to the business user, but with all the critical controls and access policies kind of locked in to help provide the guardrails. More and more organizations would be looking to implement PAM controls with an eye on integration into the broader IGA arena, rather than looking at it as something totally independent. Yeah, I think in the past I've seen people look at privileged access management and IGA as two separate initiatives and you're going to see those kind of merging together. And they're all going to become part of the same project initiatives for a lot of organizations.
11. Password-less Authentication
Another one, I've heard this talked about for quite a few years, and I feel like it's really starting to gain much more momentum and it's passwordless authentication. Call it what you will, but passwords are nearly as old as mankind. And just as vulnerable to error. In 2021, we're going to see an increased focus on more advanced authentication techniques that can be applied in a more continuous manner to start to see broader adoption of fewer passwords. I mean, it's just too easy to steal credential, for a lot of the reasons you talked about earlier, Bob. Phishing and things of that nature. It's just too easy for these attackers to steal credential, and then gain access to a system or application. And if that application is only password protected, then you've got some big problems there. So we'll continue to see organizations who could span the use of multi-factor authentication. And whether they be for more traditional adaptive authentication to advanced biometric authentication. Including the use of voice and behavioral analysis, we're going to see increased options for non password based authentication expanding in 2021.
12. Cloud Based IGA Solutions
And then, another one to talk about here, cloud security. No surprise. More and more organizations are continually moving to the cloud with different applications. And there's really just no more putting this off. Organizations are moving portions of their IGA strategy to the cloud. Whether it be public or private, SAAS or managed service. And organizations are going to continue to drive the adoption of cloud based IGA solutions. Would still desire to fine tune the solutions to match their business needs and processes but many organizations are going to, select very specific point solutions to move to the cloud, leaving the more complex workflow to be run on premise or at least non SAAS, where they can be easily adapted to business processes. The types of point solutions we see moving to the cloud are more analytics-based, focusing on the governance of access or business critical applications. Starting with an analysis of who has access and should they continue to have access, but with a specific focus on granular entitlements, segregation of duty policy, compliance, et cetera. And as important as that, these application reviews will need to be spun up quickly without services efforts, right? So organizations are growing their number of cloud-based applications in 2021. Core Security offers a cloud-based access review capability from its core certified solution. So this provides organizations the ability to quickly set up access reviews, along with the needed visualization and access intelligence that make it easy for reviewers to quickly see patterns and assess risk. So the output of these reviews allow for auditing of the review process and can also easily tie into more traditional IGA functions and actions like access to provisioning.
13. 5G In the Cloud Opening Malicious Footholds
- [Bob] Yeah, I think cloud's definitely going to keep increasing. We're seeing more and more people getting into the hybrid model. Especially with the new remote workforce, we're having to expose a lot more services from the cloud to let our users operate and do their jobs. We're definitely seeing maybe a transition from some of the more traditional attack paths which is shared libraries, SDKs, different development environment, where malicious actors are maybe trying to insert code into frontline applications to get them out and deployed with malicious things attached to them. And now definitely starting to target cloud infrastructure, targeting management planes. There was a recent example of one of those private cloud providers that got knocked down by ransomware. And it takes down every subscriber that might be using them. And that can be thousands for even some of these smaller boutique type style systems. So it's getting to be a really big deal. I think 5G in the cloud is also going to start to open up a lot of malicious actor footholds as well. So if we think about how IOT and monitoring is going to transition, 5G is going to open up a whole new world with that. There's so much more that can be done with that larger data pipe. But as those things start to be enabled and start to be put up where they are accessible, then, of course some malicious actors are going to be targeting those devices to try and get their new playground going where they can gain a foothold, a person in an environment with a new connectivity method and a larger data path of where they're getting that from.
14. Patch Management More Integral to Risk Management
We also think we're just going to see a lot more of patch management increasingly becoming risk management for a business. When we're thinking like an attacker in our environment and that's really what we want to be doing and we're identifying attack paths to where our crown jewels might be. What are people actually going after when they come in and attack us? What are they trying to get to? If we look at the recent, very targeted attack on FireEye who is a major security vendor, those actors had a very specific goal in mind and they knew what they were going to go after. And it's, they do that to others as well. They do that to us. What are attackers going to be coming after? And how do we use our patch management programs to be much more risk focused? And not just patch management but everything they're doing security wise. How do we use it to reduce the risk to our business and understand what people are actually going after? And organizations are really getting back to more of the basics. Do the right things right. Do the blocking and tackling or whatever you want to call it. How are we re-evaluating the effectiveness of our programs or controls? Because as we see what people are doing and if we just think about patching, we know patches are really hard to keep up with. A medium sized or smaller organization may still have hundreds of patches to do every month, maybe more than hundreds. And a lot of times what we see is people are just going off a CVSS score. I'm going to get everything that's an eight or above. I know I don't have time for seven and below. We're going to get the really risky looking ones and take care of it. But the really risky looking ones if all they're looking at is a score may not be what's really risky to the business. If I can compromise a frontline web server, use that to hop back to a vulnerable database and then use that to pivot into the organization and get to the assets I want to get to, whatever's happening out of that friendly web server is actually the most risky thing to our business when you look at what could happen. And maybe it's not the most risky thing in a score.
So we have to really evaluate how we're looking at these things. It can't just become a numbers game of last month we had X amount of missing patches, this month we have slightly less, hopefully of patches. Look at this management, we're doing great. Management has now come to the realization that the risk to the business is really affected by how we're doing these different processes and these different controls. Show me what the risk to my business was last month. Now show me what my risk to my business is this month and whatever you did to get there. And we want to keep doing more and more of that. So we need to really, really, really start evaluating the riskiness of our assets. Which things we're targeting and prioritizing first and how we're going after those. When we look at defending those, if we're going to just blindly engage a pen test or we're going to sit down and run a tool like Core Impact to start pen testing our environment, are we looking at the same things the attackers are looking at? Are we understanding how someone is going to get into our company, get into our assets, move around and steal things from us or cause damage to us. So we need to more and more really be thinking like an attacker as we're doing these different things and use that to help prevent these attacks. Mike, do you have any comments around that?
- [Mike] Yeah, one thing I just wanted to emphasize. Patch management and identity management work hand in hand. I know we talked earlier about kind of the whole identity, protecting the whole identity and a lot of companies to your point, they can't, patching's hard, right? They can't patch everything. And so a lot of times people might say, "Hey, well, here's a system that's vulnerable, "but I'm not going to patch it "because it's behind a firewall. "And so the firewall is protecting me "from the outside world, "so people aren't going to get into it." But, typical scenario we see is, attacker might gain an initial foothold, using stolen or compromised identity credentials. So, in this case are not attacking the system directly from a vulnerability standpoint, from the outside world, they're going to take a first step of getting hold of an identity. And then, once they've got that and those credentials, and they're inside the network, now those systems without the latest patches that were being protected from another way like a firewall might be easier to gain access to internally. And it's easier now for those attackers to move laterally through the network and in the organization. So there's kind of tandem between, or the relationship between patch management and identity management is pretty strong because, one can be used to leverage the other. So, I think this is usually, the attacker is doing this, until they get to the system or the data they're looking for.
15. Increased Focus on Your Supplier's Cybersecurity
- [Bob] I think those are great comments. I mean, that identity and privilege escalation are some of the primary things that we use when we are testing the defenses of an organization. And we see these types of things and engagements, where I think I've got this great separation from my traditional IT to my PCI IT for an example. But we have somebody who uses a credential on traditional IT and they reuse the credential on the protected side. If we can get it from one side, we just play it right back into the other and we take over both sides. Or we forget that there is an interconnect somehow. There's a management console somewhere to let that guy do both sides 'cause he has feet in both worlds. Some of these kind of less prominent devices that might be giving us interconnections that we're not aware of and allowing these attackers to find ways around the network again. And I think it's not just our own systems we have to worry about. We need to be more critically thinking about our supply chains and our suppliers. So if you are warehousing things, your shipping company is maybe a super critical supplier to your business. How protected are they? What kind of things are they doing? If they are attacked by ransomware, how does that going to affect you and how much risk is that going to put on your business? And that's just one of maybe, dozens or hundreds of suppliers that you have to deal with in your organization. Have you sat down and done a risk eval on those types of vendors maybe that you have to interact with as part of your daily doing business, taking a look at who your most critical entities are that you need to know are going to be there for you? And have you developed those plans of how you're going to deal with something that might affect them? So if, an easy example is that cloud provider. If your cloud provider gets knocked off line, what are you going to do for a day or a week or a month while they try and bring their systems back, if they're able to bring them back? Or if a critical component, one of your suppliers is knocked down and you can't get those, how are you going to deal with that inside of your business? And how are you going to reduce that risk to your business? So it's going to be different for every organization, but it's going to be the same type of method of really sitting down and identifying what those critical things are. Making sure that you have a plan. If they go away on how you're going to handle your business until they can maybe come back. Or if they go away forever, you have a plan of what you do next to be able to protect yourselves.
We do have a little bit of time for questions here. So if you have thought of any questions, you should have a questions panel that you can enter those into. And we'd be happy to take some of those here and answer some of your questions. One other question I saw pop in here right away, which we didn't talk anything about automation.
1. Will Automation Usage Increase in 2021?
a. Automation & Pen Testing
And if we saw any increasing usage of automation especially relating to security here in 2021. I think we will. I think it really leads back towards, what we talked about with some of that machine learning, some of the ability to process logs, to do other things. Automation, RPA tools is a commonly known robotic process of automation, digital botch, digital workforce, whatever you might want to call it. It can be a great time saver if you're doing, maybe something all the time. So I want to automate this process, take out the human intervention piece, make sure that it's always going to happen the same way and do it faster and do it more efficiently. And we see that same type of thing happening in the security world. Automation is not a bad thing. We just need to look at how we're going to use it. For example, doing penetration tests. Never going to get rid of a human worker on that for all aspects, because there's just things that our brains think of that a computer is not ready to do yet. But the initial part of a penetration test, information gathering, hitting known exploits, popping initial credentials, you can automate a lot of that and get a lot bigger scale either freeing up your knowledge workers to be much more targeted in what they do or to make maybe a junior worker much more effective. If we look at things like log mining, our SIEMS, the machine learning that we put around correlation rules and things that we're seeing happening across the network, automation is great for that. We can ingest all this data coming from hundreds or thousands of end points. We can use that machine learning algorithm to rip through that, quickly identify the anomalies and the things that we need to look at and then hand those off to a knowledge worker. And again, make that knowledge worker much more effective in their jobs by using automation to help do the mundane things and just the high volume things that we can't get enough fingers on a keyboard to do them ourselves. So I definitely think it's going to be increasing in the security spaces that I see. Mike, are you seeing the same trends in the identity and IGA type spaces?
b. Automation & IGA
- [Mike] Yeah, yeah, definitely. Especially when it comes to just take access provisioning and de-provisioning for example, which is, which is an IGA best practice. A lot of customers and a lot of prospects that I've talked to are looking to do that around the user life cycle, right? So that as HR is going in and hiring new people and people are leaving the company or being terminated, or as people are changing job roles, moving to different departments or reporting to different managers, in all those changes we know which are easily detectable in an HR system or some kind of a database or authoritative source. And all those can cause the need for access provisioning and de-provisioning. When somebody gets hired, they need to have access to all those initial applications. So automation is really, is really important there. And so we do a lot of that with IGA implementations where we take that part of the provisioning and de-provisioning process and we automate it around the user life cycle. You can still make manual requests for access and approvals and do those things down the line. But that initial set of access, especially if you've got roles, which we talked about earlier, you got well-defined roles, that initial access or access changes, somebody moves to different job roles, that's easy and ripe for automation.
2. What Was the Biggest Surprise of 2020?
a. Curating User Content on Social
- [Bob] We do have a question come in about what was one of the most surprising things that we saw in 2020 in the security side. I guess for me, really the amount of effort that suddenly went into some of these large social media platforms around curating the content from the users. And that was something that I don't think that we had all expected to see. There'd been some rumblings about it and some different things happening, but... And it was generally around some of the more, child trafficking and sex trafficking and things like that that we just would expect to see people trying to rip down from their platforms. But now it's getting to be much more around somebody put a comment X and comment X may be insightful, or it may be trying to get people involved in different ways with fake information. We saw people fighting about vaccination. Should you? Shouldn't you? Fighting about whether this thing was done the right way, this thing was done the wrong way. The way they're starting to try and become a little more editorial in those things, which is now starting to get them in a little bit of regulation trouble, possibly around that. And those platforms have really evolved. And of course, now, if you are in a disagreement side with some of those platforms, we're starting to see a lot of people shift and exit some of the social media platforms. We're seeing them exit some of the media companies and move to other things. And I think that's probably going to increase in 2021. Unfortunately, at least here in the United States, we're somewhat polarized right now around different things. And people are going into their camps, whichever camp that might be and kind of circling their wagons in their own area. And we're starting to see more and more applications and supporting things pop up to foster that segregation unfortunately, rather than bringing more of it together. Mike, did you have any comments from your side on that question?
b. Increased Focus on Role Based Access
- [Mike] Yeah, yeah, the one, I just would say the one comment I would make around that is on the identity side is, because, because of COVID and the increased work from home, was, that was really thrown on a lot of organizations quickly. Right? And they didn't have time to prepare. And so I think to me, the increased focus on role-based access right now that I've got these people working from home and they're accessing the system externally, a lot of companies are putting more attention on, well, let me, I need to really make sure then that those people have the right access and they've got least privileged access just to the systems they need. So that, the way that was kind of thrown upon organizations and to see different organizations react to that, I think has been, it's been interesting to watch and it's something obviously nobody expected this year. As nobody expected the COVID issues. But that's been interesting to me to see how organizations have increased, targeting and focus on embracing those, these privileged and role-based access principles.
- [Bob] Well, we've reached the top of the hour here. So thank you everybody for joining us. If there are already additional questions you have that we didn't get to, we'll definitely get those answered after we end the presentation here. Or you can certainly email us any of the questions that maybe you think of a half an hour from now. We know that happens all the time. So we'll make sure that we get copies of this presentation out. Thank you, Mike, for joining me today on this presentation and thanks to all of you for joining us. We look forward to seeing you in our upcoming webinars in the future. So goodbye for today.
Let's Talk About How We Can Help
Find out how Core Security solutions work to help you detect and remediate access and vulnerability risk. If you have any questions or want to know more about our innovative solutions, let us know.