2020 had security teams scrambling. For one, they had to deal with the new pandemic-induced remote workforce. And with digital transformations also front and center because of the resulting organizational shifts, the move from traditional security operations to a cyber-resilience approach also began to take shape.
With 2020 behind us, it's time for security pros to take out their crystal balls and predict what the security landscape will look like this year. Here are 21 forecasts that should be on your team's radar in 2021.
1. Ransomware will continue to evolve and become a commodity
Bob Rudis, chief data scientist at Rapid7, a cybersecurity and compliance solutions and services provider, predicted that "we can be fairly certain ransomware tactics and techniques will continue to be commoditized and industrialized, and criminals will continue to exploit organizations" that are strapped for resources and distracted by attempting to survive in these chaotic times.
Ransomware operators will double down on their experimentation with ransomware business models and cybercriminal business ventures, Booz Allen Hamilton said in its 2021 Cyber Threat Trends Outlook. Ransomware operators are likely to spend more time in the networks of their targets, it noted, and will attempt to hit multiple organizations simultaneously to drive higher payouts at a faster pace.
Rudis' colleague at Rapid7, IoT research lead Deral Heiland, added that the growing dependence of manufacturers on IoT and industrial IoT technology (IIoT) is creating a high probability that threat actors will move to launch more ransomware attacks on IIoT infrastructure.
As more and more insecure IoT products enter the market, ransomware will continue to affect a wide range of verticals opportunistically. As a result, there will be increasing calls from the public for regulations or legislation to establish minimum standards to prevent the tide of breaches from continuing, predicted Carl Wearn, head of e-crime at Mimecast, maker of an SaaS-based email management platform.
2. Companies that do not embrace the zero-trust security model will pay dearly
"Regardless of where companies are in their digital transformation journey, one precaution all companies should consider to bolster security is a zero-trust model," said Sushila Nair, Vice President of Security Services at NTT DATA Services, a consulting, analytics, digital transformation, and application services company.
"Companies that do not will be headed to the corporate graveyard in 2021 because it is too costly, inefficient, and risky to keep doing business with yesterday's security model," she said.
Jason Lee, CISO at Zoom, explained that with the zero-trust model, employees must be authenticated and validated before being given access to appropriate applications and the appropriate level of data.
"As companies look to support a hybrid workforce," he said, "this approach will become even more attractive for security leaders, as it provides continuous checks as to whether employees need access at that time to sensitive data."
Along with the growth of zero trust, there will be increased implementation of Gartner's Continuous Adaptive Risk and Trust Assessment (CARTA) strategy, predicted Rajesh Ganesan, vice president of ManageEngine, an IT management software company. "In the future, all zero-trust solutions will utilize CARTA's continuous monitoring discovery." Among other features, CARTA includes adaptive attack protection and automated device control with dynamic risk assessments and responses, he said.
3. As 5G availability expands, it will pose new risks to organizations
The marriage of 5G networks and industrial control systems and operational technology (ICS/OT) will result in a compounded attack surface and expose underlying flaws in how IIoT networks operate, Booz Allen said in its report. Current ICS/OT environments rely on network segmentation to mitigate cyber risks, but the introduction of 5G technology may reduce the layers of abstraction between network segments and introduce new devices.
"Many organizations continue to think of securing their environments in terms of protecting the 'castle/moat,'" said David Dufour, vice president of engineering and cybersecurity at Webroot, a cybersecurity software company. "But if organizations do not adapt their security practices in 2021 to evolve with 5G technologies, it will present cyber criminals with a field day to exploit the related vulnerabilities."
4. Cloud-based services will come under increased attack
Infrastructure as code (IaC), platform as a service, and software as a service will attract more attention than ever from attackers in 2021.
Amir Jerbi, CTO of Aqua Security, a cloud application security provider, explained that, because DevOps increasingly uses IaC templates to automate provisioning of cloud-native platforms, it is only a matter of time before vulnerabilities in these processes are exploited. "The use of many templates leaves an opening for attackers to embed deployment automation of their own components, which, when executed, may allow them to manipulate the cloud infrastructure of their attack targets," he said.
PaaS will also be a juicy target in the coming year, according to Booz Allen. "Historically, threat actors have targeted shared libraries, software development kits (SDK), and integrated development environments (IDE) as a means to conduct widespread attacks, inserting malicious code into otherwise benign applications," it explained.
"As cloud-hosted development environments become more popular," it continued, "these solutions may attract the same illicit activity that other development tools and resources have seen in previous attacks."
Jamie Zajac, vice president of product at Recorded Future, predicted that growth in SaaS applications in 2021 will result in an increased need to protect them. "2FA must be a minimum requirement," she said, "along with antivirus protection and cloud-based backup recovery to ensure data and business continuation."
5. Streaming services will attract more attention from threat actors
With millions of people forced to stay home due to the pandemic, streaming services became more popular than ever in 2020. That popularity is expected to continue in 2021, and with it will come an increase in attention from threat actors. Most of those attacks will take the form of phishing and scam emails, predicted Webroot Security intelligence director Grayson Milbourne.
As an example, he pointed to the 3,065% increase in phishing attacks on YouTube accounts in 2020. "This is interesting because YouTube is owned by Google, and so user account credentials are linked," he said. "Primary email account passwords are the most sought after, as it's easy to access additional accounts once the primary email account has been compromised."
Nevertheless, he added that other streaming services also saw significant increases in attempts to compromise accounts: Netflix increased by 525%, and Twitch jumped 337%.
6. Organizations will become increasingly vulnerable to deep fakes and other synthetic media attacks
Remote collaboration tools will provide cyber criminals with the video and audio samples needed to create virtual duplicates that can be used for AI-enabled social engineering attacks, explained Kevin Peuhkurinen, principal research director for security, risk, and compliance at the Info-Tech Research Group, an IT research and advisory company.
"With no effective technical countermeasures available," he said, "companies will need to invest in awareness of this growing threat."
Audio and video aren't fakers' only domains. There are numerous fake posting bots "participating" on blogs and forums that are sophisticated enough to push left-wing or right-wing agendas, based on their programming, said Hal Lonas, senior vice president and CTO at the SMB/C business unit at OpenText, an enterprise information management company.
"We know there are foreign governments who experiment with these capabilities to change public opinion and nudge elections to suit their purposes," he said.
7. Machine-learning methods used across industries will be a priority for threat actors
Developing artificial-intelligence-based tools to build malware that can reliably defeat AI-based security solutions will be a priority for actors seeking to remain undetected, predicted Booz Allen.
The underlying data models created using ML algorithms—generated from troves of big data and painstakingly tuned by researchers—will be a prime target for intellectual property theft, it added.
8. AI will play a greater role in application security testing
Rod Cope, CTO at Perforce, maker of a collaboration and version-control platform, said he expects to see AI "watching over the shoulder" of developers writing code to immediately point out possible weaknesses, vulnerabilities, and exploits, then suggest or automatically implement preventative measures.
"Deep learning algorithms will automatically attack web applications and record exploits," he said. "Related algorithms will attempt to automatically patch vulnerabilities and prevent attacks, eventually in real time."
"Developers will learn more about security by observing these virtual battles than they do from online security courses and gamified training," Cope added.
9. More states will enact privacy laws
Although more privacy bills were introduced in 2020 than the previous year, few were enacted, due to the pandemic. "In all likelihood, we'll see more data privacy bills taken off the back burner, and [they will] remain an important issue over the next year," said ManageEngine's Ganesan.
More states may start to pass privacy laws that more closely align with Europe's General Data Protection Regulation, predicted Jung-Kyu McCann, general counsel, and Elizabeth Schweyen, senior manager for global privacy and compliance, at Druva, a provider of SaaS-based data protection and management products for corporations and government agencies.
The pair explained that some GDPR concepts, such as data minimization, purpose limitation, and storage limitation, were incorporated into California's landmark Privacy Rights Act, but privacy regulations continue to evolve in every state. This makes it difficult for companies, which could end up needing to comply with 50 different privacy standards across the United States.
A federal privacy framework could ease this burden, but one is not imminent or even close, they added. More states may start to pass privacy laws that more closely align with GDPR and then, hopefully, the United States will have consistent privacy laws with minor ministerial variations, they said.
10. Organizations will increase their focus on the security and support of remote workers
"As work from home continues, both employers and employees need to stay vigilant in their security behaviors, especially given the dramatic increases in bad-actor activity that we've seen targeting remote workers," said Will Bass, vice president for cybersecurity services at Flexential, a data center and hybrid IT provider.
To help defend against those increasing threats, he said, organizations will see the value in implementing regular security and risk assessments. They will also need to provide ongoing employee cybersecurity training to promote a culture of security and keep their people alert to potential attacks.
"IT departments will also continue to implement technology-based defense measures." These include multi-factor authentication, zero-trust architecture, least privilege access, multi-site backup strategy, and data loss prevention, he said. "A multi-layered, defense-in-depth approach will be critical in 2021 to keep remote workforces secure, maximize defenses, and minimize business risk."
11. Security will start to evolve into a risk-based, vulnerability management service
The very definition of an application is shifting, explained Jason Schmitt, general manager of the software integrity group at Synopsys, which provides technologies for chip design, verification, IP integration, and other purposes.
Today's applications are often a collection of third-party services, APIs, microservices, and cloud-native components and services orchestrated via cloud providers or managed through orchestration platforms such as Kubernetes, he said. To keep pace with that transformation, security services need to be automated and orchestrated as part of the software build and delivery pipeline.
"Security teams will arm developers with 'point of capture' tools and coaching to eliminate vulnerabilities during development and provide policy guardrails for enabling speed," he said.
"Throughout the pipeline, orchestrated security services will automatically reinforce the policy guardrails and enable risk-based vulnerability management for overburdened, under-resourced security teams that are challenged to get in front of cloud adoption," he said.
"As a result," he said, "we'll see increased demand for API security, cloud application security, application security orchestration services, and consolidated risk-based vulnerability management approaches to software risk reduction."
12. A shift to public data centers will heighten the focus on secure data management
Fredrik Forslund, vice president of cloud and data center erasure at Blancco, a data erasure software maker, pointed out that in the second quarter of 2020, spending on public data infrastructure grew over the previous year, reaching nearly $17 billion.
"However, with the benefits come risks," he added. "By failing to review data ahead of a migration—keep what's needed and remove what is not and, crucially, ensure that data is properly sanitized—enterprises will unnecessarily expose sensitive material."
"What’s more, this is exacerbated when the process is accelerated, which has been the case during the pandemic," he continued. "Rushing to the cloud inevitably causes data security issues."
He predicted that those conditions will boost the popularity of data protection officers and increase demand for tools that help manage data in remote environments.
He also expects that cloud services in general will support the global shift to the public data infrastructure, investing in more security to continue fueling cloud growth and to avoid increased risk of exposure.
"Data is under constant external attack, and organizations are seeking ways to increase data security and ensure that access is given only to approved users and applications," added Bill Richter, president and CEO of Qumulo, a provider of a file data platform for multi-cloud environments.
"Organizations will increasingly seek out solutions with built-in encryption and key management that is simple to deploy and easy to manage," he predicted.
13. DevOps and DevSecOps will evolve into 'platform teams' in many organizations
New "platform teams" will take the lead on enterprises' strategy for what has historically been within the purview of cloud operations, predicted Liz Rice, vice president for open-source engineering at Aqua Security, which provides tools to secure cloud-native deployments.
She predicts that the teams will allow application developers to get a higher level of abstraction for cloud operations, security, and development tooling functions.
"This frees the developers to focus on the business application itself, with less concern about the underlying infrastructure often required by DevOps-oriented teams," she said. "One challenge here will be finding the talent able to take this broader architectural view."
14. Companies will start cooperating with each other to foil sophisticated attacks by adversaries
Frank Walsh, vice president of solution architecture at White Ops, which protects companies from bot attacks, said that stopping sophisticated automated attacks will take broader and deeper forms of collaboration.
"Sophisticated automated attacks threaten the integrity of something at the core of humanity—our trust in and dependence on one another," he said. "As we work to solve this problem in 2021, it will require a collective form of collaboration where we work together to use shared intellect and shared strength."
"In 2021," he predicted, "we will see more companies starting to work together to effectively defeat the ability of a million infected devices participating in a sophisticated automated attack."
15. Kubernetes will attract increased attention from threat actors
While there were attacks on Kubernetes deployments in 2020, the threat landscape will evolve in 2021, according to Aqua's Research Team Nautilus.
While some breaches in 2020 were related to unprotected Kubernetes clusters, for the most part the bad actors took advantage of some common security oversights, the team explained.
"More sophisticated attacks have either not yet happened or, more likely, were not noticed," it continued. "With Kubernetes in wider use, that won't be the case in 2021."
16. The COVID-19 contact-tracing app ecosystem will create opportunities for threat actors
Booz Allen explained that many contact tracing apps have been developed with minimal regard for privacy and security. As a result, some insecure apps have been created that are storing personal identifying information in centralized databases.
Adversaries may attempt to surveil users, install data stealing and surveillance backdoors, steal large PII databases, create fake outbreaks, and blackmail and harass users, Booz explained.
"Risks of these threats will likely be highest in countries with high adoption rates, which are typically undemocratic countries that mandate installation under threat of steep civil and criminal penalties," it added.
17. Adversaries will step up their attacks on the software supply chain and on logistics companies
In 2020, software supply chain attacks were largely directed against build features on Docker Hub, Circle CI, and others, as well as crypto-mining, according to Aqua's Team Nautilus.
Bad actors' motives in 2021 will be more sinister, the team predicted, and their techniques will be expanded to include image lookalikes, open-source project takeovers, and typo squatting.
Booz Allen added that the shipping and parcel delivery sectors will also be a hot area for threat actors. It explained that enterprising cyber criminals may leverage the increased public reliance on the shipping sector to infect shippers and their customers.
"The elevated level of shipment notifications may reduce the public's caution regarding delivery notifications, increasing their susceptibility to phishing," Booz Allen said. "Expanded package delivery could make reshipment scams more viable and less likely to be discovered."
18. Traditional endpoint security and VPNs will become obsolete
The Info-Tech Research Group's Peuhkurinen explained that a permanent remote workforce, especially one that is geographically dispersed, will drive organizations to adopt bring-your-own-device and bring-your-own-PC strategies, heralding the end of traditional IT endpoint protection.
In the past, "organizations could mitigate the risks" of employee-owned computing devices through the use of virtual private networking software, which could look for and enforce security controls, he said. "But with the growing obsolescence of VPNs, companies will need to come to grips with the growing presence of untrusted devices in their midst."
19. Smart home devices will pose security issues for employers
With so many connected gadgets in the home, "the line between personal and professional devices is blurring, causing a significant increase in overall attack surface," said Juliette Rizkallah, CMO of SailPoint, an identity and access management company.
If you have Alexa, Siri, Google Home, or Amazon Echo set up in your workspace at home, "these devices can and will pick up on any sensitive information you discuss with your colleagues," she said. "The information these smart home assistants collect is going somewhere, and it is not clear what is done with that information once it is in the ether."
In 2021, organizations will have no choice but to tackle the security risks that lie in between, brought on by this blurring of personal and professional lines. "Not only is privacy dead, but the risk exposure has broadened with this shift to remote work and remote learning that has become our permanent reality," she said.
20. Cyber mercenaries will emerge as a strategic weapon for smaller nation-states
Phil Neray, director of Azure IoT and industrial cybersecurity for Microsoft, explained that until recently, nation-states regarded digital strategies as useful tools for cyber espionage, but limited in impact compared to conventional geopolitical tools like kinetic weapons and troops.
"Looking to the year ahead, we see cyber becoming the main instrument for exerting power on the global stage—not just for traditional threat actors like Russia, China, Iran and North Korea, but also for newer and smaller players like Vietnam, Pakistan, and Middle Eastern terrorist groups," he said.
This is changing because sophisticated cyber weapons are now easily bought and sold on the dark web, plus cyber mercenaries loosely associated with other nation-states are now "offering their cyber warfare capabilities as-a-service that can be used by anyone willing to pay for them."
Not only will cyber become a strategic weapon for second-tier global powers, but it will also be weaponized by political groups inside nation-states, said Rapid7's Rudis. "I can see 2021 being the year when unhinged right- or left-wing groups in America add cyber violence to their menu of operations," he said.
21. The centralized, isolated model of security will be put to rest for good
This was the "somewhat naive approach many organizations first adopted," where a single group would have responsibility for the security of all applications the organization was building, said Synopsys senior security strategist Jonathan Knudsen.
"Time has shown that this approach results in a slow, frustrating process," he said. "Security and development organizations end up at loggerheads, and the end result is applications that are hardly more secure and are slower to market."