Industry executives and experts share their predictions for 2020. Read them in this 12th annual VMblog.com series exclusive.
By Rohit Dhamankar, Vice President of Threat Intelligence, Alert Logic
Mobile Phishing Attacks, MDR and Talent Gaps - Oh My! … Seven Cybersecurity Predictions for 2020
Enterprises will struggle to hire enough cybersecurity talent while failing to heed
warnings about outdated operating systems ... Time-worn attack methods will find
new targets via messaging apps and mobile devices ... The Internet of Things
(IoT) and 5G will solidly push artificial intelligence (AI) and machine learning
(ML) into the mainstream - and the industry will right past wrongs by combining
AI/ML with human context.
These developments lead our annual cybersecurity "predictions" for the year ahead.
Many of these are familiar struggles we've heard in the recent past, but with
new twists as we face an increasingly fast-moving threat landscape, complex IT
environments and ongoing resource constraints.
To find out more about what's in store - and how to prepare - read on:
Outdated operating systems won't get updates, despite repeated warnings.
At least two-thirds of
small and medium-sized business (SMB) devices run Microsoft OS versions that
are expired, or will expire by January 2020, according to the Alert
Logic Critical Watch Report 2019. The majority of devices run Windows
versions that are more than ten years old. Even if they aren't exposed to the
internet, these versions make it easy for attackers to move laterally within
systems once they compromise a host. Despite repeated warnings from security
vendors and the media, companies will keep running outdated operating systems,
opening them up to cyber threats.
The "B" in SMB will stand for "bullseye."
SMBs could once take comfort in the fact that
they were likely too small for hackers to care about. But the bad guys now do
not care about such a distinction. They are focusing on vulnerabilities
regardless of company size, with automated, internet-wide scanning enabling
them to cast a wide net to target SMBs along with large enterprises. What's
more, in addition to the outdated operating systems, three-quarters of the top
20 unpatched vulnerabilities in the SMB space are more than a year old,
according to the Critical Watch Report. We predict that SMBs will continue to
struggle to keep up with patching and other fundamental cyber hygiene
essentials.
Managed Detection and Response (MDR) will outpace spending on MSSPs.
As we exit 2019, the lack of experienced security personnel in the
market and the complexity of managing security in heterogeneous environments
are driving businesses to improve their security by partnering with outsourced
security providers and 24x7 security experts. Businesses increasingly need
help identifying damaging threats in their IT environments quickly - before
they can do harm - and then help responding to those threats
just as quickly. As a result, resource-constrained businesses and large
enterprises looking to bolster their security teams are turning to Managed
Detection and Response. According to analyst firm ESG, MDR has already been
adopted by 51% of businesses, with another 42% eyeing MDR services in 2020. Real-time threat intelligence, 24x7 availability of
trained experts, and active response advances are the drivers, supported by
cost efficiency and scale.
As traditional MSSP equipment management and monitoring services plateau, 2020
will be the year that traditional MSSPs and leading MSPs will present new MDR
offerings in force. MDR spending growth will outpace not only traditional MSSP
services but also very likely security technologies and the IT industry as a
whole.
AI and ML will (finally) arrive.
Despite all the headlines in recent
years heralding the importance of artificial intelligence and machine learning
in cybersecurity, 2020 will mark the true arrival of AI/ML as key
components of mainstream security strategies and solutions. With 5G and
Internet of Things (IoT) advancements, the resulting volume of data will only
be made sense of via number-crunching algorithms. Solutions without AI/ML won't
be viable and will be left behind in 2020.
Does this mean that machines will replace humans? Far from it, as we will
increasingly appreciate the value of "real people" working with
technology-produced intelligence to make real sense of decisions made by
machines. From AI calling baseball games in place of umpires to medical
misdiagnoses to deciding who gets a bank loan or which interviewee gets the
job, 2020 will see business and industry incorporating the human element for
needed context, in and outside of cybersecurity.
Phishing will still be king - with more modes of delivery.
With the explosion of
messaging apps like Snapchat, Facebook and WhatsApp, bad actors have many
additional avenues to launch phishing attacks. Thus, these attacks will
continue to dominate as an initial compromise method, and will increasingly be
delivered through mobile technology as opposed to traditional email exploits.
At least one-half of users click
on mobile phishing URLs that bypass existing security controls and, since
2011, the mobile phishing URL click rate has grown 85 percent every year,
according to research from Lookout.
Cryptojacking will no longer be "a thing."
Sure, hackers won't abandon this entirely but
most of them will likely move on to bigger and more valuable targets in 2020.
After bitcoin soared
to $20,000 in December 2017, cryptojackers compromised machines and massive
public cloud environments like Amazon Web Services (AWS) to take central
processing unit (CPU) resources and use that power source to surreptitiously
mine for cryptocurrency. (They need a large amount of CPU because it takes
plenty of processing power to solve the complex, mathematical equations
required to create the digital coins.)
But the cryptocurrency market has cooled off considerably, with bitcoin now down to less than
$7,500. So cryptojacking has lost some of the shine of its "big boom" ROI
potential. Cryptomining malware needs to "hide" inside of a computer for a long
period to steal enough power to make it worthwhile, so there is a decent chance
it could get detected before it can collect enough CPU. In addition,
cryptojackers essentially "fly blind" - they target machines without any actual
idea whether the machines have the computing power they seek. Most hackers will
move on, concluding that they have lower hanging - and more lucrative - fruit
to pursue.
The skills gap will encourage greater partnerships between the security
industry and higher education.
The current global
cybersecurity workforce gap has surpassed 4 million, and the workforce
needs to grow by 145 percent to meet demand, according to the 2019 (ISC)²
Cybersecurity Workforce Study. To address this, industry leaders will
increasingly collaborate with their counterparts in academia via partnerships
such as the National Institute of Standards and Technology's National
Initiative for Cybersecurity Education (NICE), which brings together
leaders from government, academia and the private sector to find ways to
improve cybersecurity education, training and workforce development. And
cybersecurity providers will team with universities to cultivate SOC analysts
and other cybersecurity professionals, even creating simulated SOCs at
universities to cultivate those skills for real-world application after
students enter the workforce.
Each year the threat landscape grows more and
more unpredictable but we do know that enterprises can take a number of
proactive steps to best protect themselves. By replacing outdated operating
systems, investing in solutions that utilize AI and ML (while not forgetting
about the needed human factor!) and partnering with true MDR vendors, they'll
position themselves for a greater state of protection in 2020 - and the next
decade.
##
About the Author
Rohit Dhamankar is
vice president of threat intelligence at Alert Logic. He has over 15 years of
security industry experience across product strategy, threat research, product
management and development, technical sales and customer solutions. Prior to Alert
Logic, Dhamankar served as vice president of product at Infocyte and founded
consulting firm Durvaanker Security Consulting.