The Looking Glass and the Rearview Mirror: "Are we there yet?"
Richard Byrd
Growth minded leader: Elevating teams, accelerating change, delivering strategic goals
Welcome to 2019! New Year's Day is often spent reflecting on the previous year's ups and downs while committing to improve the future. Some of our resolutions pan out while others fail spectacularly. If you are like me, the more reasonable and obtainable the resolution, the more likely you are to stick to it. It is when my resolution becomes too grandiose and difficult that I don't manage to make it through January.
The old adage that "life is a journey, not a destination" rings true in the Cyber Security community. We can never be 100% secure, so we must not confuse this goal as some sort of destination. It is too grandiose a resolution! I have been on the defender journey for over 20 years and my general sense is that we are improving, but so are the attackers. So let's reflect on 2018 and cast an eye on improvement for 2019.
Spectre and Meltdown: What a way to start off 2018! We essentially learned that almost every chip manufactured since 1995 has a memory dump vulnerability. Nearly every laptop, desktop, mobile phone, and other computing device could be compromised. Scary stuff indeed!
While this was quite the shock to start the year, this was a win for the defenders and researchers. Multiple research groups including Google Project Zero, Graz University of Technology, and various security companies brought this to the attention of chip manufacturers and have continued their research throughout 2018.
GDPR and Data Breaches: Compliance and Regulation drive security measures and are a boon to security companies while being a bane to those companies that are trying to comply. For the record, I am not an ardent believer that regulation makes us more secure. However, in the interconnected world that we live in, I am glad to see that we are starting to take consumer data more seriously. How this plays out remains to be seen, but I predict that the big guys will be ok and the little guys will get crushed. Trying to comply with regulation and then being able to digest a fine is inherently biased in the favor of large companies.
Marriott (500m users), Under Armour (150m users), and Facebook (50+m users) were among the most prominent data breaches this year. This is egregious, persistent, and not likely to stop anytime soon. Consumers have become numb to notifications and everyone on the planet has their credit being monitored for free at this point. Unless GDPR nails a sacred cow to the proverbial cross, I am not optimistic that 2019 bodes any better for us.
OT goes mainstream: For some of us, the warnings that we have been screaming for 10+ years finally took hold. In 2018, we saw the ocean waters get sucked out and now the first waves of the tsunami are coming. 2019 could be quite an interesting year on this front. More investment in the space will attract more attackers and the arms race will escalate quickly. Companies that use a likelihood vs. impact risk model need to increase the likelihood component this year.
With no pride or prejudice for the current administration, the ongoing trade wars will have a negative impact here. It is said that "no one wins in a trade war" and that could equally be applicable if we enter an OT cyber war. There will be no winners. History has taught us that trade wars often lead to kinetic wars and the intermediate skirmishes are potentially going to be cyber or cyber-kinetic in the modern battle-space.
Supply Chain attacks & MSPs: Q4 gave us some of the most interesting exploits of the year. Bloomberg Business provided what I feel is the most interesting story of the past decade or at least since the Mandiant APT1 report. The Chinese PLA were implicated in the ultimate slow and low attack with their supply chain compromise of Supermicro. First came the gasps, then came the denials, then came audits, and then came Bloomberg doubling down on their claims. There is enough mystery and intrigue in this story to fill a library with spy novels.
Speaking of supply chain, how is your security provider supply chain? December brought us news of IBM and HPE being breached. Cloudhopper infiltrated MSPs to steal customer data in an attack that would make Willie Sutton blush. Finally, we hear that a faulty network card brought down service at CenturyLink this past week. There is plenty of speculation about the cause, and I am not attributing this to a hack (yet), but can we please design our networks so that a single point of failure cannot bring down 911 service and other important systems?
IoT Attacks: Yes, Virginia, your Xbox, Ring Doorbell, and Alexa are security holes. This is not my area of expertise, but I do recognize how quickly the attack surface is growing and the lack of security in many of these devices. With the falling price of Bitcoin, expect hackers to continue to exploit botnets for mining as it is more economical to use others' resources. While not a hack per se, the most interesting "attack" this year had to be at Gatwick airport. I'm still trying to wrap my head around how a drone can shut down an international airport for 3 days during the busiest travel time of the year.
So, 2019: If I were any good at forward-looking projections, I would probably be spending 2019 in Bora Bora sipping on cocktails while listening to the waves. However, I can reasonably predict a few things:
- AI/ML/Skynet: 2018 belonged to the AI/ML marketers. 2019 belongs to the attackers and defenders. While I don't think that we will achieve Artificial General Intelligence or that Skynet will become self-aware in 2019, the rise of AI/ML cannot be denied. I say that 2018 belonged to the marketers because every security company provided this word salad in their product descriptions and because 70% of all LinkedIn profiles tried to capitalize on the latest technology zeitgeist. The security companies and think tanks had the head start, but the attackers are close behind. Like the early days of computer virus creation, code fell into the hands of script kiddies who could quickly create variants. Today's AI/ML script kiddies can now take a class on edx.org, grab AI/ML tools from GitHub, and run x generations of their exploits in a matter of days.
- M&A: Standalone security providers will become rare. VC money that was sloshed around on every possible roulette number in the past 3 years has started to consolidate. Tech stocks were hammered in 2018 and consolidation, acquisition, and life boating come next. This is a very natural cycle and is good. The winners will have the most cohesive story from the endpoint to the cloud. Entities, data, networks. The story is the easy part; the integration is the heavy lifting and several companies are rising to the top.
- Cautious, but increased spending: With the bull market slowing and money rotating from stocks to bonds, companies are going to be under increased pressure to rationalize their security investments. The good news is that the C-Suite and Board are now fully in the boat relative to the need for cyber security protections. Now, more than ever, they are in the hot seat if things go wrong. With limited resources, money, and time, companies will need to make sure that they align with the security providers that can complement their strategy and become mission partners. The successful companies will be the ones that remember that security maturity is a journey, not a destination. They will make realistic resolutions for 2019 and will stay the course!
Best wishes for you, your families, and your companies in 2019! We are all in this journey together. Keep your resolutions strong and achievable!
Experienced executive in finance, information technology, and operations. Co-founder of Raising Cane's Chicken Fingers.
5 years ago: Great article Richard! Good job.