January 4, 2021
Ten Cybersecurity Priorities for 2021

2020 has come to an end, but the challenges presented continue to impact our lives. While few of us could have accurately predicted the current state of cybersecurity, we did prove successful in our ability to adapt quickly during a crisis. Organizations swiftly modified IT budgets and risk management programs to respond to an entirely new set of regulations and uncertainties. A growing number of us discovered how to plan, execute, and expedite a digital transformation to the cloud. At the same time, others adopted the ability to provide support and critical IT services to the growing remote workforce.

No. 1   Ransomware

We need to move past the “if we get attacked” mindset and adopt a “when we get attacked” level of preparedness. If history and relevant data are indicators, and we at CBI firmly believe they are, 2021 will show a steady increase in the quantity and complexity of attacks executed by external entities. Nearly all industry-leading threat reports presented similar interpretations and consistent statistics from 2020 data*:

  • 70% of breaches originated from external actors
  • 45% of these featured hacking techniques
  • 17% of these involved insertions of malware
  • 86% of these were financially motivated
  • 37% of these included stolen credentials
  • 27% included ransomware
  • 22% were perpetrated by a phishing attack

While ransomware is certainly not the only threat to prioritize in a 2021 security program, it is among the most devastating and has shown signs of steadily increased frequency over the past six years. In 2021, it is imperative to implement proactive ransomware detection, prevention, and remediation capabilities with additional layers of security throughout an organization.

No. 2   Advanced Phishing Attacks

Email is one of the largest and most vulnerable pipelines for malicious actors to enter an organization and compromise its data. 2020 clearly showed that more than 20% of known threats routinely executed some form of email-based phishing attack against industry networks. Of these email-based phishing attacks, nearly 70% involved the collection of credentials, while 50% involved the acquisition of personal data**. Advanced phishing attacks are growing in sophistication and routinely exploit vulnerabilities on unpatched and misconfigured systems, enabling lateral movement within unprotected networks. Sensitive data gathering and subsequent ransomware attacks can significantly impact an organization’s ability to service its customers and maintain the operational technologies that drive revenue.

2021 will show a rise in attacks that focus on bypassing two-factor authentication, and deepfakes and disinformation will take center stage. It is our recommendation that organizations develop a strong, defensible IT security position focused on preventing and responding to advanced phishing attacks and business email compromise (BEC) related events. Keep in mind that this approach is only partially effective if it is not coupled with a layered and defensible security strategy.

No. 3   Vulnerability and Configuration Management

Vulnerability and configuration management are two of the most effective mitigating controls an organization can implement. Together these controls can provide a proactive defense against malicious actors, significantly decrease the residual impact of a breach, and reduce the time needed to identify and eventually recover from a security event.

From 2014 to 2017, misconfiguration contributed to less than 10% of security breaches. In comparison, the number of successful security breaches involving misconfigurations from 2017 to the present day increased by 20%***. This growth represents a 200%+ increase over the last four years.

Hacking attacks commonly take advantage of vulnerabilities on unpatched systems. As noted earlier, a successful phishing/BEC attack is the most common tactic for credential gathering. Once collected, credentials are often used as the fuel to power a hacking attack by targeting improperly patched systems.

Organizations should examine all existing capabilities to consistently scan critical systems and assets for vulnerabilities and misconfigurations. CBI strongly recommends enlisting the aid of a trusted third-party service provider to perform an annual vulnerability test designed to pinpoint and document weaknesses and identify the recommendations needed to improve capabilities and secure the network.

No. 4   MITRE ATT&CK Framework

Not all organizations require advanced adoption of a centralized threat model. For many with more than 2,500 employees, CBI recommends a centralized knowledge base like the MITRE ATT&CK Framework with which IT security personnel can coordinate security event analysis, identification, prioritization, mitigation, and forensics. It is estimated that more than 50% of medium and large-sized organizations**** have already successfully constructed a comprehensive matrix of tactics to classify attacks and assess risk by adopting the MITRE ATT&CK Framework.

Put simply, a MITRE ATT&CK Framework aids organizations in the efficient categorization of events associated with a potential or ongoing security breach. Integrating the framework provides an added advantage to an organization looking to leverage solutions with common security language already baked in. The framework provides organizations with:

  • A critical feedback loop to view common vulnerabilities and threats
  • Insights into their overall infrastructure
  • Enhanced defense and mitigation
  • Improved processes, products, and services
  • Identification of capability gaps to defend against specific threats

Time is the most formidable opponent in the IT security industry. Anything we can do to reduce the amount of time needed to identify, categorize, escalate, isolate, and prevent breaches will translate directly to an organization’s ability to deliver products and services. Adopting a framework like MITRE ATT&CK is a vital risk mitigation component in an organization’s comprehensive security program.

No. 5   Secure Access Service Edge (SASE)

Secure Access Service Edge consists of several products whose combined goal is to allow users to access applications with the best possible user experience and the highest security level, all depending on the user’s identity. The SASE model includes elements from the following high-level IT security domains:

  • Software-Defined Wide Area Networks (SD-WAN)
  • Firewalls
  • Cloud Security
  • Secure Gateways
  • Zero Trust (ZT)

Think of SASE as a form of transportation infrastructure or road used to get users (travelers) safely and expeditiously from one point to another. As we build intersecting roads, we must also install checkpoints to travel from one region to another. Simultaneously, we construct on and off-ramps for accessibility and to connect internal networks to the cloud.

The year 2020 illustrated the power, scalability, and reliability of the cloud. 2021 will provide organizations with exponential growth opportunities that require adopting a services-based infrastructure and reliance on SASE components.

CBI strongly recommends enlisting the aid of an IT security-focused organization to assess an organization’s current environment, align IT recommendations with future growth goals, and assist in the prioritized rollout of a SASE model.

No. 6   Zero Trust (ZT) Principles

If SASE is the road, then Zero Trust is represented by periodic security checks along an organization’s pathway to a more secure environment. Traditional networks enable users to attach devices and access their data, systems, applications, and services. With ZT, verification includes confirming an end user’s identity during multiple critical security queries such as:

  • Identification of who is connecting
  • Determining the device(s) they are using
  • Pinpointing where they are physically connecting
  • Discerning which method(s) they are using to attach
  • Validating the time of connection
  • Challenging the user during the authentication process
  • Comparing the connection’s pattern against a known, similar, or previous baseline of behavior

Traditional networks only challenge one of the many possible queries during the connection process. Once a connection has been established and verified, the threat actor may be able to maneuver unchallenged. With a Zero Trust cybersecurity model, the script of traditional network security is flipped. ZT operates under a single rule: “anything connecting to the network should not be trusted by default.” Once connected, ZT principles continue to challenge and verify the connection to ensure a least-privilege model is maintained.

Some of the primary principles and strategies needed to implement a successful ZT model include:

  • Network Segmentation: The ability to separate a network into smaller enclaves ensures devices, servers, and services containing sensitive data are isolated from the rest of the network. This process keeps a potential attacker contained within the accessed network segment.
  • IT Security Hygiene: The ability to ensure the connection requesting access to a network adheres to a pre-defined minimum-security baseline standard. This significantly lowers the risk to the end-user as well as the organization’s critical assets.
  • Vulnerability and Patch Management: The ability to scan any endpoint prior to it connecting to the organization’s network to automatically mitigate vulnerabilities associated with a lack of software patching.
  • Continuous Risk Monitoring: Continuously monitoring the state of devices, systems, applications, and services to identify and address security vulnerabilities and act on access privileges in real-time.
  • Dynamic Network Monitoring: Controlling and monitoring all traffic to approve access to the network. Assets that do not meet a minimum set of security-based criteria should automatically be shunted to a secure, off-line network. Automated remediation is then applied before allowing access to an organization’s corporate network and assets.
  • Data Risk Management: Knowing where sensitive data resides, classifying it based on a set of metrics aligned with organizational goals and objectives, then monitoring for unwanted or unauthorized access.
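As an added illustration (not code from the article or from CBI), the following Python models the verification queries and ZT strategies listed above as a single policy decision: identity and the authentication challenge, device registration and patch hygiene, location, access method, time of connection, and comparison against a behavior baseline. Non-compliant endpoints are shunted to a quarantine network, a single deviation triggers a re-challenge rather than implicit trust, and the session is re-evaluated on every periodic probe. The users, devices, and baselines are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the organization's identity
# and asset records: which devices each user may use, and each user's
# normal locations, access methods, and working hours.
REGISTERED_DEVICES = {"alice": {"LT-0042"}, "bob": {"LT-0077", "PH-0101"}}
BASELINE = {
    "alice": {"locations": {"Detroit"}, "methods": {"vpn", "office-lan"}, "hours": range(7, 20)},
    "bob": {"locations": {"Detroit", "Chicago"}, "methods": {"vpn"}, "hours": range(6, 22)},
}


@dataclass
class ConnectionRequest:
    user: str              # who is connecting
    mfa_passed: bool       # outcome of the authentication challenge
    device_id: str         # which device they are using
    patch_compliant: bool  # endpoint meets the minimum patch/hygiene baseline
    location: str          # where they are physically connecting from
    method: str            # how they attach: "vpn", "office-lan", "web", ...
    hour: int              # local hour of the connection attempt (0-23)


def evaluate(req: ConnectionRequest):
    """Return (decision, findings); decision is allow, step-up, quarantine or deny."""
    if req.user not in BASELINE:
        return "deny", ["unknown identity"]
    if not req.mfa_passed:
        return "deny", ["authentication challenge failed"]
    if not req.patch_compliant:
        # Assets below the hygiene baseline go to an isolated remediation network
        return "quarantine", ["device below patch baseline"]
    base = BASELINE[req.user]
    findings = []
    if req.device_id not in REGISTERED_DEVICES.get(req.user, set()):
        findings.append("unregistered device")
    if req.location not in base["locations"]:
        findings.append(f"unusual location {req.location}")
    if req.method not in base["methods"]:
        findings.append(f"unusual access method {req.method}")
    if req.hour not in base["hours"]:
        findings.append(f"off-hours connection at {req.hour:02d}:00")
    if not findings:
        return "allow", []
    if len(findings) == 1:
        # One deviation from baseline: re-challenge the user instead of trusting the session
        return "step-up", findings
    return "deny", findings


def continuous_verification(probes):
    """Re-run the policy on each periodic probe of a live session.

    Returns (probe_index, decision, findings) for the first probe that is not
    allowed, or (len(probes), "allow", []) if the session stayed compliant.
    """
    for i, probe in enumerate(probes):
        decision, findings = evaluate(probe)
        if decision != "allow":
            return i, decision, findings
    return len(probes), "allow", []
```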

Zero Trust will become a potent weapon in many IT security arsenals. 2020 has already illustrated a high level of interest in ZT principles, and it will continue to dominate conversations well into 2021.

For more information on ZT Principles, download our whitepaper.

No. 7   Operational Technology (OT)

Operational Technology comprises hardware and software that detects or triggers a change through the direct monitoring of physical devices, processes, and events. In 2021, more and more organizations will realize that the responsibility of protecting their valuable IT assets should include the operational side of their business. Achieving this varies significantly by industry. Healthcare operations include both the systems and processes involved in delivering patient care. Manufacturing operations encompass the equipment involved in the creation and delivery of their product. For the financial industry, operations involve bank teller systems, ATMs, lending centers, etc. Regardless of the sector, the overall security landscape continues to expand.

OT is not a new term. Gartner first coined it in 2006. Since then, OT’s scope has grown to include new acronyms and phrases such as IoT, IIoT, ICS, embedded systems, etc. These terms have quickly become ingrained in standard security vernacular. In 2021, CISOs, IT Directors, and Managers will be tasked with combining IT and OT into their overall security program.

A recent SANS ICS Survey***** illustrates the increased importance of OT in a mature cybersecurity program:

  • 69% of polled organizations conducted a security audit of their OT/control systems or networks in the past year
  • 60% proactively depend on internal resources to respond to an OT threat detection incident, up from 23% in 2017
  • Between 2017 and 2019, the time to detect anomalous activity has decreased

One of the most critical aspects of an effective IT security program starts with creating a persistently accurate view of all assets.

The SANS ICS Survey identified the following gaps in asset inventory:

  • 64% of responders identified and inventoried over 75% of the servers and workstations in their OT/control systems
  • Less than half identified and inventoried OT devices
  • Identifying embedded industrial devices is difficult, especially with porous system boundaries

The SANS ICS Survey also included an examination of security budgets. It revealed that control of many budgets shared between IT and OT has shifted:

  • 49% of respondents indicated that their budget is controlled by OT, up 18% since 2017
  • 32% of respondents stated that their budget is owned by IT, up 15% since 2017
  • 30% of respondents indicated budget control is shared between IT/OT, down 9% since 2017

Examining an organization’s spending habits is a key indicator of concept adoption. CBI predicts that in 2021, organizations will allocate additional resources and budget towards OT security.

No. 8   Data Risk Management

Some may argue that the primary directive for an IT security team is to “protect the data.” While CBI does not disagree, we expand on the definition of “data” in this context. Data should represent the things that an organization prizes above all else. It includes an organization’s brand, reputation, market competitiveness, delivery performance, customer satisfaction, and yes, the actual documentation (a.k.a. data) created to support crucial metrics.

The “data” in Data Risk Management significantly changes when you substitute our expanded definition.

Consider the following:

  • Ransomware – Designed to hold critical data hostage
  • Keyloggers – Used to capture and exfiltrate keyboard entered data
  • Spyware – Used to siphon sensitive personal data
  • Phishing Attacks – Trick users into providing credentials to access critical data
  • Hacking Attacks – Gain entry into the network to gain unauthorized access to data

All data breaches, by definition, involve data and nearly all threat reports indicate data breaches are increasing exponentially year after year. Not only is the frequency increasing, but the amount of data stolen is rising as well. 2020 was branded the worst year thus far for data breaches. This trajectory will continue far into 2021, cementing an organization’s need to treat “data” as the most critical commodity they own and prioritize the time, money, and effort spent to establish proactive data risk management.

No. 9   Security Awareness Training

There’s an old saying in IT security, “This would be a lot easier if we took the end-user out of the equation.” Humans can be forgetful and can develop bad cyber habits. On top of that, we seem to pass our bad habits onto our co-workers.

No other single control impacts IT security as much as security awareness training. Done effectively and consistently, a security awareness training program can positively impact every cyber priority outlined in this article and nearly every other aspect of IT and OT security.

Verizon’s 2020 Data Breach Investigations Report noted that security awareness training has a positive impact against the following incident patterns:

  • Crimeware
  • Cyber Espionage
  • Lost and Stolen Assets
  • Miscellaneous Errors
  • Privilege Misuse
  • Web Applications

Training employees and stakeholders to identify, prevent, or reduce breaches can positively impact an organization’s overall IT security capabilities. Think of prioritizing an investment in security awareness training as installing a human firewall.

No. 10  Security Orchestration, Automation and Response (SOAR)

Every list of priorities requires a wildcard, and this is ours. Security Orchestration, Automation and Response aids in the validation, prioritization, and response to the hundreds and thousands of security events and alarms that IT teams receive every day. Some SOAR platforms have the ability to combine data with case management, standardization, workflow, and analytics to provide competent defense-in-depth capabilities.

SOAR solutions work by:

  • Gathering security incident data from the network and placing it in a single location for investigation
  • Supporting case management capabilities to research, assess, and perform additional investigations from within a single case
  • Performing highly automated, complex incident response workflows, delivering faster results, and facilitating an adaptive defense
  • Providing multiple playbooks with automated steps in response to specific threats
  • Performing administrative actions within third-party products for a more comprehensive integration

At this point, you might ask why SOAR is on CBI’s list of security priorities for 2021. We stated earlier that time is our biggest enemy in the IT security industry. Anything we can do to reduce the amount of time needed to identify, categorize, escalate, isolate, and prevent a breach will translate directly to an organization’s ability to deliver products and services. SOAR solutions provide a significant advantage in these areas.

Where to Begin

The cybersecurity priorities mentioned here rely on organizations becoming more proactive in the battle against threats that can compromise their networks and result in data loss. The fundamental goal is to prevent breaches and develop a stronger position to mitigate those that do occur. As new threats emerge and new technologies are built in response, the overarching priority in 2021 will be establishing the significance of cybersecurity as a whole at the executive level. To accomplish this, you will need an airtight business case based on industry trends, peer reviews, and competitive research to take you from what to prioritize to how to do it – CBI can help.

Working with a like-minded partner like CBI can help you keep pace with, or even exceed, the speed with which attackers innovate. We deliver flexible, customizable, and continuously evolving solutions, proven over a three-decade history of successfully helping clients secure their data, IP, and brands. Not only are we continually planning for future threats, but we are also blocking and tackling with more tried-and-true methods for day-to-day cybersecurity needs. Cybersecurity isn’t just something we do—it’s all we do—with a keen focus on preparing your organization for today’s threats, as well as tomorrow’s.



SOURCES
*2020 Data Breach Investigations Report – Verizon

**Proofpoint Latest in Phishing – January 2020
**FBI 2019 Internet Crime Report
**Verizon Cyber Espionage Report

***Verizon Cyber Espionage Report
***IBM Global Security Report – 2020

****Verizon Cyber Espionage Report

*****SANS ICS Survey 2019 [PDF]

About the Author
Dan Gregory
VP | Systems Engineering
Dan has more than 15 years of field experience in performing regulatory compliance controls assessments and policy review. Dan has extensive experience in development and internal process audits with a focus on the financial, healthcare, manufacturing, and retail industries. Dan has performed countless controls assessments and efficiently deploys solution-based integrations designed to protect critical infrastructure, data, brand confidence, and reputation.