By Michael Yaffe
It's that time of year once again where industry experts across the board are looking into their crystal balls to provide insights into what businesses should be aware of in the information security world over the next year. At BeyondTrust, our Advanced Research labs, which are responsible for identifying the latest trends in enterprise security, have taken some time and identified what they believe will be the top eight pain points and “big deals” across the security landscape in 2014. Let's take a look.
For all of the hype and predictions surrounding mobile, virtualization and related threats, the reality is that while those things are important, organizations are still most often compromised simply because of misconfigured and out-of-date traditional workstations and servers. The things that actually work include identifying your vulnerabilities, patching them and reducing your overall attack surface through proper system configuration. The hope for 2014 is that this will be the year of getting back to basics. As always, new and creative ways of gaining access and stealing information will emerge over the next year, but the most effective and large-scale breaches will still use the traditional methods of attacking organizations as in the past, taking advantage of companies which are still not taking security as seriously as they should be.
Traditionally, security teams have had a tendency to work in a silo, which has led to a disconnect between the people who find the problems and the IT operations people who execute a fix. Fundamentally, they have different roles and use different technologies, but once an attacker gets into an organization, they cross laterally within the business, thus affecting all aspects of IT operations and security. In 2014, there will be a much greater convergence of information technology and information security than ever before. IT pros, server admins and security teams will need to work more collaboratively, sharing data freely in order to successfully manage a healthy security program. This is just as much an operations and political shift as it is a security one. It prevents duplication of work, brings consistency to workloads and roles, and gives more visibility into operations on both sides, greatly decreasing the chances for attackers to compromise sensitive data.
Compliance is already king in security and is one of the main reasons why people buy security technologies these days. 2014 is going to be the year people move beyond just doing compliance and start doing real security. There will be a switch in regulatory standards, such as PCI DSS, from quarterly assessments to a more real-time “actionable” approach. Regulatory standards are advocating this switch and it will become even further embedded as part of normal business routines. This strategy, in itself, is not surprising since government bodies have promoted real-time assessments and continuous monitoring for the last few years. What will change in the next year is the technology used to conduct assessments and provide real-time, continuous views of when new applications and configurations violate these requirements.
A shift from the prevention mentality to rapid detection is something people are already talking a lot about, and there are a number of new startups in this area. This shift will definitely be a continuing trend into next year, but it’s important for businesses not to focus on getting better at rapid detection while giving up on prevention. Organizations still need to focus on prevention to separate the signal from the noise.
Given that most networks continue to have an eroding perimeter, a bigger challenge for people is to know where their assets are or even what an asset is anymore. Is it the remote laptop you don’t know about but an employee checks email on? Is it the smartphone that is a PC in your pocket? At what point does the level of access of a home user to corporate resources make their system a corporate asset, and do you know about that asset? The idea of getting to know what and where your assets are will continue to grow in 2014.
Is this user or machine doing something out of the norm from their everyday behavior? In 2014, organizations will have no choice but to start baselining activities and then determining where the bell curve skews. This will serve as the early warning to out-of-the-ordinary behavior internally and take a prevention approach to insider threats, as opposed to a reactionary approach of cleaning up the mess and nursing the reputation.
With the cost of assessments decreasing, organizations will continue to have multiple sources for vulnerability data. Business intelligence tools that consolidate this information, much like a SIEM, will become more important and relevant in the next year.
With the end of life for Windows XP, not allowing administrative rights on the desktop will take center stage in 2014. There will be no logical reason to allow administrative access to desktops for Windows 7 or 8.1, as the native operating system and third-party solutions can allow least privileged access to be maintained on every system. Exceptions will always exist, but this is where the evolution of the operating system and tools comes into play. This will help every organization attain security best practices and comply with regulatory initiatives on the desktop by removing local administrative privileges.
Are there any predictions, trends or insights that we've missed? What do you see for the future of enterprise security in 2014? Feel free to leave your thoughts in the comment section below.
Michael Yaffe is the vice president of marketing at BeyondTrust, a global leader in privileged identity and threat management solutions and a provider of context-aware security intelligence. Yaffe has more than 15 years of experience at organizations ranging from start-ups to Fortune 100 companies. Prior to BeyondTrust, he spent more than 10 years with Core Security. Earlier in his career, he held various strategic, product and marketing positions with NTRU Cryptosystems, SHYM Technology and CyberTrust.