It’s that time of the year when security pundits make their security predictions and comment on
trends for 2016. Of course, it would be great if the pundits who came out with
predictions for 2015 came out with a report card in early 2016.
“Trying to predict the future is like trying to drive down a country road at night
with no lights while looking out the back window.” – Peter Drucker
Consolidation in the Security Sector
Look for continued
security consolidation as some of the larger vendors utilize the strategy that it
is quicker and easier to buy a technology to broaden their security portfolio
than to develop the technology internally. At the same time, some larger
companies will sell off their (incomplete) portfolio of security products to
focus on other sectors. There are rumors, for example, about SonicWall being
put on the market by Dell. Of course, FireEye rumors are making the rounds after their Q3 results.
Look for other vendors to analyze the market, do a make/buy analysis, and then license
missing technology from smaller, more agile companies.
“If you think technology can solve
your security problems, then you don’t understand the problems and you don’t
understand the technology.” – Bruce Schneier
Bubble Will Burst on Some Newly Public Security Vendors
At some point
in time, companies have to generate cash and after working through the wonders
and options of tax accounting, companies have to show a bottom line
profit. Look for investors getting tired
of “but we’re going after market share” and selling their stock. For others,
shorting activity will increase. An offshoot
of this is that these companies will become less expensive to acquire. Happiness
is positive cash flow.
Splitting (breaking?) of Humpty Dumpty.
Symantec and Hewlett Packard
Symantec has
retired their vision (several years old) of becoming a widely diversified
company (begun by John Thompson) and is splitting/divesting into security-focused
Symantec and backup and recovery, SDN, and governance-focused Veritas.
Hewlett Packard has split into two companies. HP Inc. holds the printing and personal systems side
of the business, selling printers, scanners, displays, personal computers
(laptop, desktop, and tablets), and the supplies and services
associated with them. Hewlett-Packard
Enterprise will handle the hybrid cloud, servers, storage, converged systems,
networking, management software, and the services necessary to run an
enterprise. They are both Fortune 100 companies, the latter
led by Meg Whitman, and the former by Dion
Weisler. Not bad for a company that
began in a garage in Palo Alto, selling to Disney.
One of these
splits will work out much better than the other one. That
one being… Symantec. HP Enterprise and HP Inc. are still battleships.
Life is a Breach
There will be
at least one major security breach, for a number of reasons. Some companies have still not gotten the memo
about cybercriminals, thinking, “It can’t happen to us” and are being slow in
their investments. There are a number of
bright cybercriminals out there. They design their own methods of attack. They may rent use of a botnet as part of
their attack strategy. If the CIO/CEO want
to maintain their title, look for full transparency, accepting the blame,
laying out the groundwork to prevent this from happening again (hopefully), and
protecting their customers. Classic disaster recovery procedure, often not
followed.
Cybercriminals Will Broaden Their Target Base
Cybercriminals
will increase the number of vertical markets they go after and the size of the
typical breach will be smaller. The number of breaches (reported anyway) will
decrease. From a CSO Online article - Jody Westby, CEO of Global Cyber Risk, “it
is the data that makes a business attractive, not the size – especially if it
is delicious data, such as lots of customer contact info, credit card data,
health data, or valuable intellectual property.” http://bit.ly/1BcYw8W
The Identity
Theft Resource Center (ITRC) reported in October that there have been 606 data
breaches recorded through October 13, 2015, and that more than 175 million
records have been exposed. The top 4
sectors with respect to incidents were business (39%), health care (36%), banking
(10%), and government (8%). 68% of the records exposed were in the health care sector.
There were over 780 data breaches in 2013.
We Will Continue to be Our Own Worst Enemy
“Companies spend millions of dollars
on firewalls, encryption and secure access devices, and it’s money wasted,
because none of these measures address the weakest link in the security
chain.”- Kevin Mitnick
A warning from your browser not to visit that
site? A found thumb drive? New pictures of (fill in the name of your
favorite celebrity) on the web or as an attachment to your email? These are the internet equivalent of wet
paint signs. Some people just have to check for themselves. More security-aware
companies will do more than have people look at a slide presentation on
security and take a quiz once a year. They’ll send their own employees phishing
emails, among other tactics.
The Wisdom of Crowds
James Surowiecki,
in the book “The Wisdom of Crowds”, speculated that large groups of people are
smarter than an elite few, no matter how brilliant–better at solving problems,
fostering innovation, and coming to wise decisions. In 2016, market share of
consumer AV/Malware purchases will probably still continue to be more a
reflection of how many “likes” a product receives, rather than how they are
reviewed by a PC publication or by the test organizations
AV-Comparatives or AV-Test. Scary. Whom are you going to trust? Your doctor or
your Facebook friends?
A Growing use of Something Other Than Passwords
The top 20
list of passwords for 2016 may not vary greatly from 2015, but look for more people
to use some sort of biometrics or Multi-factor Authentication (MFA) to enhance
the security of their devices. This will occur in businesses more quickly than
in the consumer marketplace. According to an article in CNET at the beginning
of the year, the top 10 passwords of 2014 were 123456, password, 12345,
12345678, QWERTY, 1234567890, 1234, baseball, dragon, and football. If your
password looks anything like this, or is your pet’s name, change it
immediately. There are a number of articles on creative ways of making up
passwords or using different figures you can draw on your keyboard. At minimum,
consider reading a few articles and select a method that works for you.
“Showtime” - The Government or a Large Security Vendor will take the Offensive
At some point
in time, negotiations just aren’t cutting it.
Look for a concerted attack against some cybercriminals, whether they’re
independent, being treated with benign neglect in their native country, or
being subsidized. This is despite any
negotiations taking place with some countries on an international level.
Sometimes the best defense is a good offense.
“The Darknet: Is the Government Destroying ‘the Wild West of the
Internet’?” is a November Newsweek article that’s an interesting read. http://bit.ly/1MR5kAX
Government Takes the Lead in Sharing of Information between Security Vendors
The bragging
right for many security companies is how quickly they identify and react to
threats, and update their existing customers almost immediately. They are not going to want to share this
information with competitors as quickly.
Look for the government to be the driver in information sharing. One
question that arises – how open will this table be for all security vendors or
will it be a selective group? “Senate passes cybersecurity information sharing bill
despite privacy fears.” Washington Post, October 27. http://wapo.st/1KFbFIc
The News of the Death of Endpoint Security Has Been Greatly Exaggerated
To paraphrase
a quotation by American humorist Mark Twain.
The reliance of AV/malware products on signature files to detect threats
has been declining for years. The endpoint is the
last line of defense. Technologies relying on heuristics are not the whole
solution. Look for endpoints to use such techniques as artificial intelligence
and machine learning, whether powered at the endpoint or in the cloud to lead
the way. Despite statements by Symantec and others, do not look for AV/malware
protection provided at the endpoint, either installed there or involving
technology in the cloud, to disappear anytime soon.
Who will be Among the Top New Innovative Security Companies in 2016?
Good question.
On November
3, SINET announced their top 16 innovators (revenues under $15 million) for
2015. These companies were: Bayshore
Networks, Inc., BehavioSec, Gurucul Solutions, Lastline, Netskope, Onapsis,
Inc., Palerra, Inc., PFP Cybersecurity, Pindrop Security, QuintessenceLabs, RedOwl Analytics, Secure
Islands, SecurityScorecard, Sqrrl Data,
Inc., TaaSera, Inc., and Vectra Networks, Inc. You may be hearing from these
companies over the course of 2016. Gartner and others will be coming out with
their lists.
A mantra for 2016,
“Friends don’t let their friends be mindless about security.”