Mike Horn is the co-founder and CEO of NetCitadel, Inc.
For the casual observer, security predictions for 2014 might be as simple as declaring “more and scarier threats,” but subscribing to that view is a gross over-simplification. Security isn’t just about tools or attacks, but about the people involved. We see people, process, and technology changing in 2014 within the security industry:
Security analysts become the new rockstars
We repeatedly hear that it takes up to eight years for security staff to develop the skills, insight, and raw operational ability needed to understand and process security breaches effectively. Some universities launched “IT Security” programs in 2013, which is a good start, but we predict that even as those programs come online, their curricula will be poorly balanced, with most students and programs focused on forensics and detection, where many automated tools already exist. Schools have started to recognize this problem but are not diversifying their curricula quickly. The result is a growing shortage of skilled security analysts, which in turn leads to workforce poaching and newsworthy hiring bonuses for security analysts.
Human behavior-based anomaly detection will gain ground
While people don’t like having their actions tracked in public, businesses can use employee behavior as a tool for threat identification. If a system has been compromised, the attacker may use an employee’s identity to access systems or escalate privileges. Any change in privileged access patterns is an anomaly worth investigating. As a result, in 2014 companies will start monitoring personnel network access patterns more aggressively.
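One concrete way to do what this paragraph describes is to learn a per-user baseline (which hosts a person works from, which systems they reach, at what hours, and whether they ever perform privileged actions) and then score new events against it. The script below is an added example, not NetCitadel code; the five-field log format, the set of privileged actions, and both log samples are constructed for illustration.

```python
"""Flag anomalous per-user access patterns against a learned baseline.

Added example, not NetCitadel code. The log format is an assumption:
'<ISO timestamp> <user> <source host> <target system> <action>'.
"""
from datetime import datetime

PRIVILEGED_ACTIONS = {"sudo", "admin_login"}  # assumed set of privileged actions
HOUR_TOLERANCE = 1                            # slack around each user's observed working window

# Constructed baseline log: one week of normal activity (not real data).
BASELINE_LOG = """\
2014-01-06T09:12:03 alice ws-alice fileserver read
2014-01-06T10:40:11 alice ws-alice fileserver write
2014-01-07T09:02:45 alice ws-alice crm read
2014-01-07T14:20:30 alice ws-alice fileserver read
2014-01-06T08:55:00 bob ws-bob buildserver read
2014-01-06T16:10:00 bob ws-bob buildserver sudo
2014-01-07T09:30:00 bob ws-bob gitserver read
2014-01-08T11:00:00 bob ws-bob buildserver sudo
"""

# Constructed log to score against the baseline (not real data).
NEW_LOG = """\
2014-01-13T09:10:00 alice ws-alice fileserver read
2014-01-13T02:14:00 alice ws-alice fileserver read
2014-01-13T02:16:00 alice ws-alice domaincontroller sudo
2014-01-13T10:05:00 bob ws-bob buildserver sudo
2014-01-13T10:07:00 bob ws-alice buildserver sudo
2014-01-13T10:09:00 carol ws-bob gitserver read
"""


def parse(log):
    """Parse the assumed five-field log format into event dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, src, target, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "target": target, "action": action})
    return events


def build_baseline(events):
    """Per user: source hosts used, systems reached, privileged actions taken, hours active."""
    baseline = {}
    for e in events:
        b = baseline.setdefault(e["user"], {"src": set(), "target": set(),
                                            "priv": set(), "hours": set()})
        b["src"].add(e["src"])
        b["target"].add(e["target"])
        b["hours"].add(e["ts"].hour)
        if e["action"] in PRIVILEGED_ACTIONS:
            b["priv"].add(e["action"])
    return baseline


def score_event(e, baseline):
    """Return the anomaly reasons for one event (empty list if it fits the baseline)."""
    b = baseline.get(e["user"])
    if b is None:
        return ["no_baseline"]  # never-seen identity: cannot judge it, so always surface it
    reasons = []
    if e["src"] not in b["src"]:
        reasons.append("new_source")
    if e["target"] not in b["target"]:
        reasons.append("new_target")
    lo, hi = min(b["hours"]) - HOUR_TOLERANCE, max(b["hours"]) + HOUR_TOLERANCE
    if not lo <= e["ts"].hour <= hi:
        reasons.append("off_hours")
    if e["action"] in PRIVILEGED_ACTIONS and e["action"] not in b["priv"]:
        reasons.append("new_privilege")
    return reasons


def detect(events, baseline, escalate_at=2):
    """Score every event; findings with at least escalate_at reasons are marked for escalation."""
    findings = []
    for e in events:
        reasons = score_event(e, baseline)
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "reasons": reasons, "escalate": len(reasons) >= escalate_at})
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for finding in detect(parse(NEW_LOG), base):
        print(finding)
```

On the constructed logs, alice reading the fileserver at 02:14 is flagged only as off-hours, but her 02:16 sudo on a domain controller she has never touched fires three rules at once and is escalated, which is exactly the "change in privileged access patterns" the paragraph has in mind. Two caveats a practitioner would add: the baseline window must itself be clean (an already-compromised account will teach the detector that the attacker's behavior is normal), and identities with no baseline at all, like carol here, should be surfaced rather than silently passed.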
The time it takes to mass-develop an exploit will fall, dramatically.
Once new Common Vulnerabilities and Exposures (CVEs) are publicly acknowledged, we expect even shorter times from disclosure to kit-based exploits and widespread release. Just as there are automation tools for rapid software development, those tools and techniques will be applied more frequently to malware. The speed with which the Cutwail operators replaced the BlackHole exploit kit with the Magnitude kit is just a sample of what is to come. In 2014, we’ll see malware development modularized, with push-button vulnerability inclusion in an interface as simple as that of Zeus Builder.
Malware developers will harden their attacks with enhanced evasive techniques and tools
In 2013, we saw confirmation that malware developers could subscribe to “anti-virus detection as a service” tools to make sure their attacks had little or no AV detection. At the same time, there was a rise in benign-looking behavior by malware: creating legitimate files, dropping dozens of non-malicious files, issuing HTTP GET requests to legitimate sites, and more. If only one of 100 dropped files is malicious and only one of 15 network calls is malicious, the attackers can run wild while security analysts are busy checking the other 99 files and 14 benign sites.
These more sophisticated threats will drive advances in detection
These will include the human behavior analysis discussed earlier, as well as other forms of anomaly detection, improved sandboxing, anti-evasion analysis tools, and real-time distribution of new threat data. New detection capabilities will also put pressure on security staff to learn about new technologies and to evaluate, buy, and implement the ones they choose. Wait, did we say there was a skills shortage?
New detection technologies will cause a new problem: more security alerts
Individual technologies may provide single-source filtering, but security analysts will still face alerts from legacy detection tools as well as from newer ones, filtered or not. To solve this problem, security integration and coordination providers will gain ground, as will attempts at open consortia for sharing and processing security data.
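The integration work this paragraph predicts starts with two mechanical steps: normalizing each tool's alerts into one schema, then correlating them per host so that an analyst sees one prioritized finding instead of a pile of partly redundant alerts. The script below is an added example of that, not NetCitadel's product or any vendor's code; the three input formats (a legacy IDS syslog line, a sandbox JSON report, an AV CSV export), the severity mappings, and every sample record are constructed for illustration.

```python
"""Normalize alerts from three detection tools into one schema and correlate them per host.

Added example, not NetCitadel's product or any vendor's code. All three input formats
and severity scales are assumptions, and the sample records are constructed, not captured.
"""
import csv
import io
import json
from collections import defaultdict

# Constructed legacy IDS syslog lines (assumed format; prio 1 = highest).
IDS_SYSLOG = """\
2014-02-03T10:01:12 ids[2211]: ALERT sig=ET_TROJAN_Generic src=10.0.5.23 dst=198.51.100.7 prio=2
2014-02-03T10:01:40 ids[2211]: ALERT sig=ET_TROJAN_Generic src=10.0.5.23 dst=198.51.100.7 prio=2
2014-02-03T10:03:05 ids[2211]: ALERT sig=ET_POLICY_DNS_Query src=10.0.5.40 dst=192.0.2.9 prio=3
"""

# Constructed sandbox reports (assumed JSON shape; score 0..100).
SANDBOX_JSON = """\
[{"submitted": "2014-02-03T10:02:00", "host": "10.0.5.23", "verdict": "malicious", "score": 85,
  "network": ["198.51.100.7", "203.0.113.5"]},
 {"submitted": "2014-02-03T10:04:00", "host": "10.0.5.41", "verdict": "suspicious", "score": 40,
  "network": ["192.0.2.30"]}]
"""

# Constructed AV console export (assumed CSV columns).
AV_CSV = """\
time,host,threat,action
2014-02-03T10:05:10,10.0.5.23,Trojan.Generic.KD,quarantined
2014-02-03T10:06:00,10.0.5.40,PUA.Toolbar,quarantined
"""

IDS_PRIO_TO_SEVERITY = {"1": 0.9, "2": 0.6, "3": 0.3}  # assumed mapping onto a 0..1 scale


def normalize_ids(text):
    """Legacy IDS syslog lines -> common schema (source, ts, host, indicator, detail, severity)."""
    alerts = []
    for line in text.splitlines():
        if " ALERT " not in line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        alerts.append({"source": "ids", "ts": line.split()[0], "host": fields["src"],
                       "indicator": fields["dst"], "detail": fields["sig"],
                       "severity": IDS_PRIO_TO_SEVERITY.get(fields["prio"], 0.3)})
    return alerts


def normalize_sandbox(text):
    """Sandbox JSON reports -> one alert per contacted address; clean verdicts produce nothing."""
    alerts = []
    for report in json.loads(text):
        if report["verdict"] == "clean":
            continue
        for addr in report["network"]:
            alerts.append({"source": "sandbox", "ts": report["submitted"], "host": report["host"],
                           "indicator": addr, "detail": report["verdict"],
                           "severity": report["score"] / 100})
    return alerts


def normalize_av(text):
    """AV CSV export -> common schema; a quarantined file is already contained, so lower severity."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        alerts.append({"source": "av", "ts": row["time"], "host": row["host"],
                       "indicator": row["threat"], "detail": row["action"],
                       "severity": 0.5 if row["action"] == "quarantined" else 0.8})
    return alerts


def collect_alerts():
    """Pull every tool's alerts into the one schema."""
    return normalize_ids(IDS_SYSLOG) + normalize_sandbox(SANDBOX_JSON) + normalize_av(AV_CSV)


def correlate(alerts, agreement_bonus=0.2):
    """Group by host, collapse exact repeats, and raise priority when independent tools agree."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    summary = []
    for host, items in by_host.items():
        unique = defaultdict(int)  # identical (source, indicator, detail) tuples collapse to one
        for a in items:
            unique[(a["source"], a["indicator"], a["detail"])] += 1
        sources = sorted({a["source"] for a in items})
        max_sev = max(a["severity"] for a in items)
        priority = round(min(1.0, max_sev + agreement_bonus * (len(sources) - 1)), 2)
        summary.append({"host": host, "sources": sources, "raw_alerts": len(items),
                        "unique_alerts": len(unique), "max_severity": max_sev,
                        "indicators": sorted({a["indicator"] for a in items}),
                        "priority": priority})
    return sorted(summary, key=lambda s: s["priority"], reverse=True)


if __name__ == "__main__":
    for entry in correlate(collect_alerts()):
        print(entry)
```

With the constructed inputs, 10.0.5.23 comes out on top because three independent tools agree on it, even though no single alert was the most severe on its own, while the repeated IDS signature is collapsed into one unique alert with a count. The agreement bonus is the design choice worth arguing about: it rewards corroboration across tools, which is the point of integrating them, but it should be weighted lower for tools that share a feed or signature set, since their agreement is not independent evidence.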
Malware infections are the new norm
By the end of 2014, organizations will realize that alerts about already-detected infections are a fact of life, and that their incident response and containment teams need to catch up. Educators and chief security officers will embrace the fact that detected threats need rapid containment, even before full forensics can be completed.
I am a bit conservative on these views, but forward-looking security teams are probably seeing these trends take shape now and are already preparing.
As CEO, co-founder and chief product officer of NetCitadel, Mike brings over 15 years of experience solving challenging data networking and security problems for enterprises and service providers. It is this experience along with his passion for creating innovative new products that led him to co-found NetCitadel to change the way enterprises think about their network security. Prior to co-founding NetCitadel, Mike held a variety of leadership positions in product management, engineering, and operations at companies including Vidder, Avistar, Level 3, and Virtela Communications. Mike also spent several years consulting for companies ranging from early stage startups to Fortune 500 technology companies on product strategy.