Maria Varmazis

2014 InfoSec retrospective, predictions for 2015

Blog Post created by Maria Varmazis on Dec 19, 2014

It's that time of year: We take stock of the year that was, and look to what's coming next. I thought it would be interesting to turn to various experts within Rapid7 for their own musings on how security, as an industry, did in the past year, and where our industry is headed in 2015. They've kindly shared their perspectives and predictions with us below.


I'm curious what you think—what was the watershed moment for infosec in 2014? What's going to drive conversations in 2015? Comments, retorts, haikus—all are welcome in the comments and on social media. @mvarmazis


Ross Barrett, Senior Manager Security Engineering (@r3dsl1m3)

Key takeaway of 2014: Marketing your security research became as important as what you actually found. For every ShellShock and Heartbleed there were a half dozen other attempts to market a minor or non-issue as “the next big thing.”


2015 prediction: 2015 will see an increase in the surge of “big market” vulnerability disclosure, where vulnerabilities are disclosed in a very careful, coordinated way to maximize media impact for those backing the researchers. We will see a regular marching band of “named” issues with logos and well-worded blogs.


Josh Feinblum, VP of Information Security (@thecustos)

Key takeaway of 2014: Traditional business and technological approaches are missing the mark. Companies need to view security as an enterprise problem, not an IT problem, and the security industry must invent new technologies and approaches that can identify reliable indicators of compromise that generate a manageable number of outputs.


What stood out in 2014: The volume, severity, and age of vulnerabilities discovered in broadly deployed open source packages coupled with the significant up-tick of highly visible and increasingly impactful breaches.


2015 prediction: The security industry will focus on making tooling and services more accurate and reliable by improving correlation capabilities across IT and security event sources. The focus will be producing accurate and reliable tooling, especially in the incident detection and response arena. We will see high-profile breaches expand from retail to healthcare, financial service, and media organizations, resulting in a continued uptick in efforts to understand and respond to security-related risks at the board and executive levels of organizations across all industries.


Tas Giakouminakis, Co-Founder and CTO

Key takeaway of 2014: 2014 was the year our hearts bled for bug bashing poodles, and that trend is likely to continue. Shellshocked security practitioners took the brunt of this as organizations, even those with well-funded programs, struggled to staff appropriately. We’re seeing greater demand throughout the security community to make a dent here. Projects like our own Sonar are giving a view of the software and hardware the Internet is powered by, and researchers like our own folks and Google’s Project Zero are making concerted efforts to find the vulnerabilities that lie dormant within the technology powering our world. We’re also hearing organizations screaming for more trained professionals, and we can only hope the educational community will pick up on this trend and develop the programs necessary to educate students on cybersecurity for tomorrow’s workforce.


It also seems 2014 may well have been the year security finally got a seat at the table. All it took was a CEO losing his job and executives being pulled into senate hearings, but it seems the tide has finally shifted from "how do I get the Board & C-suite to care," to funded security initiatives and a desire to build a program, but the lack of staff to do it.


2015 prediction: We'll continue to see attacks against users, stolen/default credentials, and popular but unpatched vulnerabilities. I’m sure we’ll continue to see these vectors in 2015, and beyond.


Nick Percoco, VP of Strategic Services (@c7five)

Key takeaway from 2014: While it is just at the end of the 2014 year, I think the event that is going to really change the way that 2015 is impacted will be the Sony Pictures breach. To me, this is much more impactful to the minds of corporate executives than the Target breach. The Target breach only affected highly replaceable data (credit card numbers). Sure, the reputation of Target was tarnished during the most important time of the year, but what is going on at Sony Pictures is far worse in my opinion. It is showing what the value of protecting internal communications and data on a company’s own employees really is.


2015 prediction: In 2015, more and more executives are going to be asking questions well beyond protecting customer data. They are going to start to focus their attention on how their internal communications and collaboration can be protected from a leak in the event that an enterprise-wide data breach happens.


Eric Reiners, Senior Director of Products

Key takeaway of 2014: Offensive technology is outpacing defensive techniques, which requires us to all think differently about knocking out whole classes of attacks.


What stood out in 2014: Heartbleed and other fundamental flaws in key Internet infrastructure caused us to question the foundation of the internet with regards to the privacy and security of our communications.


2015 prediction: Security teams will need to align further with the business in order to show their value and make forward progress at reducing risk.


Lee Weiner, Senior VP of Products & Engineering (@leeweiner)

Key takeaways of 2014:

  • Users are a major risk and weakness in corporations. This is due to how empowered they are, the devices they have access to, the data they can use anywhere anytime. Attackers know this and take advantage of it.
  • Credentials are at a crossroads: passwords are being stolen, sold and used to compromise networks and accounts. This needs to be monitored but better yet needs to be addressed. 2 Factor Authentication has been around a long time and there is no better time than now to implement it.
  • Credit card data still holds value on the black markets and is still motivating attackers to compromise point-of-sale systems – EMV can’t come soon enough.
  • The security skills gap is having a major impact on companies and the industry at large; organizations can’t hire security expertise and are having to outsource more and more.


2015 prediction: Lee put together a Whiteboard Wednesday with his 2015 predictions, which you can see right here:


If you'd like more analysis on how to prepare for a more secure 2015, have a listen to our free 2015 Security New Year webcast.