When it comes to predicting the future, how do you anticipate the moves of our world’s underground cyber criminals, hackers and rogue nations? While they don’t all agree, Exabeam’s top security sleuths share their predictions for 2019.
Chief Security Strategist
Tariff, trade, and geopolitical differences will further fuel espionage-driven attacks on private industry from nation states—especially in the US.
For physical attacks we have the military, but in the cyber world it’s still up to the often-underfunded corporation and private citizen to fend for themselves.
Interestingly, government—who should help with cyber defense—will further penalize and scrutinize those who are victims of attacks, from other governments, in the form of fines, lawsuits, and audits.
VP, Research and Innovation
Long attack dwell times will continue to expose security weaknesses of organizations—with data breaches taking a long time to be detected.
I attribute this to a large portion of the security industry that still relies on manual data investigations.
Hopefully, in late 2019 and early 2020 we’ll see that this practice moves from human investigation with machine augmentation to machine investigation with human augmentation—thus relieving security organizations from dreadful dwell times.
Despite regulations, reporting security incidents will continue to provide limited value.
While regulatory regimes require security incidents to be reported, drawing big-picture conclusions will remain elusive. As industry already struggles to determine which incidents must be reported, no organization exists that might independently look across incident data to help improve the global security posture.
Others have written that while the aviation industry has created incentives to report potential weaknesses in safety systems, no such incentives exist in the information security realm. If a qualified, independent, third-party organization were tasked with analyzing security incidents—and industry provided a way to confidentially share this data—the conclusions drawn could substantially improve global security. But in lieu of such a reporting and investigating ecosystem, many incidents will go unreported, and valuable information from those that are may be buried in disclosures.
Despite increasing pressure from the information security industry and broad consensus regarding the vulnerability of the voting infrastructure, little progress has been made in securing this ecosystem.
While politics have focused on ensuring voters are who they claim to be through so-called voter ID laws, few states have secured their voting infrastructure and have required third-party assessments of voting technology. While vulnerable systems remain in place, 2019 will bring more reports of voting database attacks and irregularities in voting outcomes.
While Congress offered states increased funding for election security in 2018, many lack the leadership that knows best how to spend these funds.
The timing of the funding came too late to impact the 2018 mid-term elections. Unless 2019 brings with it the correct leadership and correctly targeted funding to secure the voting infrastructure, the integrity of America’s democratic election process will remain in question.
Sophistication of attacks will increase.
2018 brought with it some of the most sophisticated ones seen in some time, e.g., Meltdown, Spectre, and their cousin, Speculative Store Bypass Variant 4. The cat-and-mouse game of attackers developing new techniques—and defenders working to detect them—predates information security. The breadth and depth of security technology has pushed perpetrators to find new attack vectors that aren’t easily detected. And while 2018 was a banner year for such incidents, it’s likely 2019 will bring even more sophisticated attacks.
The targeting of low-level system architecture using mechanisms that work both on local systems and within the cloud.
As the costs of deploying infrastructure continue to push more technologies into public clouds, the value of such low-level attacks only increases. The abstraction of deploying cloud-based systems naturally makes detecting these attacks difficult for the customer, if not impossible.
Industrial controls and critical infrastructure will remain highly exposed.
By 2007, the US Department of Energy had affirmative evidence that a cyberattack could destroy power generators and disrupt the nation’s electrical grid. While dedicated legislation may be stalled in Congress, omnibus legislation has authorized new funding.
However, the sheer scope of critical infrastructure suggests that it requires vast sums of money, coupled with focused expertise to actually secure it. But such expertise is limited in availability and the funds, while seemingly large on paper, turn out to be rather small given the scope of existing systems.
Add to this the pace of connecting disparate industrial controls of all flavors to the internet, and the scope of the problem balloons to an incredible scale. While research efforts continue into building dedicated detection systems, the state of security for industrial control systems remains akin to that of the “good ol’ days” of information security (late 1990s – mid 2000s)—where vulnerabilities were everywhere. But unlike the days of yore, the stakes are much higher and the impact of successful attacks is much more severe.
2019 is as difficult to predict as every other year, but some things do seem interestingly plausible.
Making predictions about the immediate future of information security is easy. Saying “Attacks will become more frequent and their impact will increase” pretty much assures you’ll be 100% accurate. Beyond that, however, it can be somewhat tricky with new technologies, vulnerabilities, and threats constantly emerging.
First, a feature of recent years has been attacks launched by nation states. Again, an easy prediction was that they would increase. But the change in policy of the West and NATO—which went from refusing to comment (for fear that their techniques and intelligence sources might be compromised) to calling out names—seems to be having an effect. Russia finds itself severely impacted by this new approach, particularly with the support the new policy is getting from crowdsourced investigators who have exposed large portions of the GRU’s staff.
For the first time in a very long time, we may actually see a lull in nation state attacks—though longer term, the use of cyber warfare seems to be a tempting weapon given its effectiveness (particularly against the more open West). I therefore predict the first half of 2019 will see such a decline, with an increase likely occurring toward the end of the year as Russia regroups and China and other states retrench their operations.
From a defender’s point of view, 2019 appears to be the year of analytics, machine learning, and artificial intelligence (AI). These tools are already available, though their uptake has often been delayed by a failure to match them with appropriate new workflows and SOC practices.
Next year should see some of the posers—those claiming to use these techniques but who actually use last generation’s correlation and alert techniques—fall away.
This will allow the real innovators to begin to dominate, and will likely lead to some acquisitions as large incumbents, who’ve struggled to develop this technology, seek to buy it instead. 2019 is the year to invest in machine learning security startups that demonstrate real capabilities.
Next year will see a continuation and probable acceleration of the IoT trend, what with an increasing number of devices becoming smart and getting connectivity.
Inevitably this will see more hacks and more botnets of previously inert devices. “AI turning on humankind” is likely to be led by refrigerators and smart doorbells, rather than Cyberdyne Systems hunter killers. The challenge here is that vendors who are relatively new to internet-based systems have no history of having to provide built-in security. And the UK government adding voluntary codes is unlikely to do much to improve this situation. This means 2019 will certainly see an escalation in IoT attacks, which will start by controlling single-function technology—either individually as a point of entry, or as part of huge botnets targeting third parties.
People will remain a problem, and not just from an attacker point of view.
Finding good staff has been a problem for some years, but this will escalate despite many government efforts to stimulate further education growth in cybersecurity. Personnel demand will continue to massively outstrip supply and smaller organizations, as well as the public sector, will suffer disproportionately as they struggle to afford those who possess increasingly rare skills. Banks will lead the way in driving up salaries for top-notch security people, but all large international organizations will compete for the best talent. Next year will be a very good time to enter into information security if you aren’t already there.
My last prediction is a real stretch. 2019 will be the year when we see the first sign of government control of large internet service companies.
Organizations such as Google and Facebook still don’t seem to understand what privacy means. It’s likely that some big fines will be handed out. In addition, I think we’ll see some form of legislative control being put forward, and even breakups being considered. At the very least, I predict at least one prominent CEO will have to step aside sometime in 2019. Controversial, I know, and I may be a year too early with this prediction—but let’s see.