That time of year again, when people like me with a little space on the Internet try to predict what goodies CyberSecurity Santa will bring for the New Year. Past predictions1 2 3 by your intrepid security guide have been uneven (blame the IETF), but I will do my best to once again prepare you for what’s to come.
- Web application security takes center stage. In the wake of the breach of a certain credit bureau, organizations start adopting web application security tools, services, and practices at a large scale for the first time. In particular, cloud-based web app security will be huge. From WAF to RASP to bot detection, many companies are offering fully- or partially-managed services to help implement better web application security at scale. The reason is that vulnerabilities will always be present, and simply patching them is not a scalable or pragmatic solution.
- DDoS attacks will continue to escalate. In 2017, we saw DDoS attacks eclipse 1Tbps for the first time. We also saw IoT devices with fairly rudimentary vulnerabilities (default passwords!) become easy targets for Mirai, Persirai, and Reaper botnet herders. IoT devices are a prime example of why patching isn’t the panacea we’re led to believe, as these devices often prove difficult or impossible to patch. So much so, that so-called vigilante botnets like BrickerBot and Hajime sought to “fix” those devices proactively. In the meantime, harnessing these huge, dispersed networks of vulnerable nodes will make a 2Tbps+ DDoS attack almost inevitable in 2018.
- With huge data breaches and DDoS attacks continuing to escalate, the notion of cyber-warranties and cyber-insurance will become more mainstream. In particular, cyber-warranties from security vendors will rise to the forefront of discussion. Increasingly, breaches and DDoS attacks are successful despite the use of the latest “next-gen” security technology. Organizations will demand warranties from product and service vendors on best practice configurations which are warrantied to prevent common attacks. The cyber-insurance industry will be driving this demand for vendor warranties to keep skyrocketing premiums under control.
- Adoption of DevOps practices and heavy infrastructure automation continues to accelerate in 2018, but with unintended consequences. Expect some service outages to be the result of automation failures rather than some sort of attack. To quote Ted Dunning (of MapR Technologies and the Apache Software Foundation) misquoting an old adage, “you can automate your way out of work, but you can automate your way out of trouble.”
- Adoption of containers and adjacent management technologies will skyrocket in an effort to make infrastructures easier to patch and remediate. Patching vulnerabilities is largely difficult because of complex dependencies between host operating system, application server platform, and application code. Containers are the most approachable way to decouple these dependencies and make patching as simple as paving and nuking whole application infrastructures.
While it’s easy to become discouraged, it’s worth reminding you that the breach attempts and DDoS attacks that failed never made headlines. Rest assured, we’re improving as an industry of security practitioners, and leveraging new technologies and services to enable a safer Internet each and every day. My InfoSec New Year’s resolution is to get out to more small, local conferences with my peers to share experiences and new ideas. Whether it’s an ISSA or OWASP chapter meeting or the nearest Security B-Sides, these are great events to help us keep a positive perspective on information security.