Monday, November 09, 2015
Security Predictions for 2016 or “Let the internet security prognostication begin”
It’s that time of the year, when security pundits make their security predictions and comment on trends for 2016. Of course, it would be great if the pundits who came out with predictions for 2015 came out with a report card in early 2016.
Trying to predict the future is like trying to drive down a country road at night with no lights while looking out the back window - Peter Drucker
Consolidation in the Security Sector
Look for continued security consolidation as some of the larger vendors utilize the strategy that it is quicker and easier to buy a technology to broaden their security portfolio than to develop the technology internally. At the same time, some larger companies will sell off their (incomplete) portfolio of security products to focus on other sectors. There are rumors, for example, about SonicWall being put on the market by Dell. Of course, FireEye rumors are making the rounds after their Q3 results.
Look for other vendors to analyze the market, do a make/buy analysis and then license missing technology from smaller, more agile, companies.
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier
Bubble Will Burst on Some Newly Public Security Vendors
At some point in time, companies have to generate cash and after working through the wonders and options of tax accounting, companies have to show a bottom line profit. Look for investors getting tired of “but we’re going after market share” and selling their stock. For others, shorting activity will increase. An offshoot of this is that these companies will become less expensive to acquire. Happiness is positive cash flow.
Splitting (breaking?) of Humpty Dumpty. Symantec and Hewlett Packard
Symantec has retired their vision (several years old) of becoming a widely diversified company (begun by John Thompson) and is splitting/divesting into security focused Symantec, and back up and recovery, SDN, and governance focused Veritas. Hewlett Packard has split into two companies. HP Inc. holds the printing and personal systems side of the business, selling printers, scanners, displays, personal computers (laptop, desktop, and tablets), and the supplies and services associated with them. Hewlett-Packard Enterprise will handle the hybrid cloud, servers, storage, converged systems, networking, management software, and the services necessary to run an enterprise. They are both Fortune 100 companies, the latter led by Meg Whitman, and the former by Dion Weisler. Not bad for a company that began in a garage in Palo Alto, selling to Disney.
One of these splits will work out much better than the other one. That one being….Symantec. HP Enterprises, and HP, Inc. are still battleships.
Life is a Breach
There will be at least one major security breach, for a number of reasons. Some companies have still not gotten the memo about cybercriminals, thinking, “It can’t happen to us” and are being slow in their investments. There are a number of bright cybercriminals out there. They design their own methods of attack. They may rent use of a botnet as part of their attack strategy. If the CIO/CEO want to maintain their title, look for full transparency, accepting the blame, laying out the groundwork to prevent this from happening again (hopefully), and protecting their customers. Classic disaster recovery procedure, often not followed.
Cybercriminals Will Broaden Their Target Base
Cybercriminals will increase the number of vertical markets they go after and the size of the typical breach will be smaller. The number of breaches (reported anyway) will decrease. From a CSO Online article - Jody Westby, CEO of Global Cyber Risk, “it is the data that makes a business attractive, not the size – especially if it is delicious data, such as lots of customer contact info, credit card data, health data, or valuable intellectual property.” http://bit.ly/1BcYw8W
The Identity Theft Resource Center (ITRC) reported in October that there has been 606 data breaches recorded through October 13, 2015, and that more than 175 million records have been exposed. The top 4 sectors with respects to incidents, business (39%), health care (36%), banking (10%), and government (8%) 68% of the records exposed were in the health care sector. There were over 780 data breaches in 2013.
We Will Continue to be Our Own Worst Enemy
“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.”- Kevin Mitnick
A warning from your browser not to visit that site? A found thumb drive? New pictures of (fill in the name of your favorite celebrity) on the web or as an attachment to your email. These are the internet equivalent of wet paint signs. Some people just have to check for themselves. More security aware companies will do more than have people look at a slide presentation on security and take a quiz once a year. They’ll send their own employees phishing emails, among other tactics.
The Wisdom of Crowds
James Surowiecki, in the book “The Wisdom of Crowds”, speculated that large groups of people are smarter than an elite few, no matter how brilliant–better at solving problems, fostering innovation, and coming to wise decisions. In 2016, market share of consumer AV/Malware purchases will probably still continue to be more a reflection of how many “likes” a product receives, rather than how they are reviewed by a PC Publication, or test organizations AV-Comparatives, or AV-Test. Scary. Whom are you going to trust? Your doctor or your Facebook friends?
A Growing use of Something Other Than Passwords
The top 20 list of passwords for 2016 may not vary greatly from 2015, look for more people to use some sort of biometrics or Multi-factor Authentication (MFA), to enhance the security of their devices. This will occur in businesses more quickly than in the consumer marketplace. According to an article in CNET at the beginning of the year, the top 10 passwords of 2014 were 123456, password, 12345, 12345678, QWERTY, 1234567890, 1234, baseball, dragon, and football. If your password looks anything like this, or is your pet’s name, change it immediately. There are a number of articles on creative ways of making up passwords or using different figures you can draw on your keyboard. At minimum, consider reading a few articles and select a method that works for you.
“Showtime” - The Government or a Large Security Vendor will take the Offensive
At some point in time, negotiations just aren’t cutting it. Look for a concerted attack against some cybercriminals, whether they’re independent, being treated with benign neglect in their native country, or being subsidized. This is despite any negotiations taking place with some countries on an international level. Sometimes the best defense is a good offense. “The Darknet: Is the Government Destroying 'the Wild West of the Internet?” is a November Newsweek article that’s an interesting read. http://bit.ly/1MR5kAX
Government Takes the Lead in Sharing of Information between Security Vendors
The bragging right for many security companies is how quickly they identify and react to threats, and update their existing customers almost immediately. They are not going to want to share this information with competitors as quickly. Look for the government to be the driver in information sharing. One question that arises – how open will this table be for all security vendors or will it be a selective group? “Senate passes cybersecurity information sharing bill despite privacy fears.” Washington Post, October 27. http://wapo.st/1KFbFIc
The News of the Death of Endpoint Security Has Been Greatly Exaggerated
To paraphrase a quotation by American humorist Mark Twain. The reliance of AV/malware products on signature files to detect threats has been declining for years. The endpoint is the last line of defense. Technologies relying on heuristics are not the whole solution. Look for endpoints to use such techniques as artificial intelligence and machine learning, whether powered at the endpoint or in the cloud to lead the way. Despite statements by Symantec and others, do not look for AV/malware protection provided at the endpoint either installed their or involving technology in the cloud to disappear anytime soon.
Who will be Among the Top New Innovative Security Companies in 2016?
On November 3, SINET announced their top 16 innovators (revenues under $15 million) for 2015. These companies were: Bayshore Networks, Inc., BehavioSec, Gurucul Solutions, Lastline, Netskope, Onapsis, Inc., Palerra, Inc., PFP Cybersecurity, Pindrop Security, QuintessenceLabs, RedOwl Analytics, Secure Islands, SecurityScorecard, Sqrrl Data, Inc., TaaSera, Inc., Vectra Networks, Inc., You may be hearing from these companies over the course of 2016. Gartner and others will be coming out with their lists.
A mantra for 2016, “Friends don’t let their friends be mindless about security.”