It is safe to say that 2020 was a year of “the new normal” for everyone, and doubly so for security teams. Not only has the COVID-19 pandemic been a generational touchpoint, statistics show that it is the largest cyber security event in history. Security teams also received an unwelcome Christmas present in the form of the massive supply chain attack against SolarWinds, affecting up to 18,000 of the world’s largest companies. Overall, 2020 has been a year that organizations and security professionals want to put behind them.
With 2021 finally upon us, many in the security industry are looking at what the industry can deliver. With many organizations looking to optimize processes and technologies, this year’s overwhelming themes seem to be both “optimization” and “proactivity”.
One of the biggest emerging trends on the horizon for 2021 is the focus on extracting the most value from existing security controls rather than adding more expensive, and in many cases redundant, toolsets. This improvement is likely to take the form of enhanced threat detection content for organizations’ existing security platforms, increasing the precision of security teams’ responses and overall optimization.
What this is likely to look like is vendors focusing on providing meaningful context and guidance around security events including how to analyze and respond to them.
Examples of this could include:
• Context-driven detection to identify how far along the cyber kill chain an infection is
• Meaningful and customizable runbooks that show how to respond to an event and help organizations develop per-detection processes
• More abilities for organizations to trust and verify a vendor’s claims around detection
This ensures that teams are not wasting valuable (and frankly, scarce) time and resources trying to “fill in the blanks.”
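As an added illustration of what context-driven detection and per-detection runbooks look like in practice, the following example (written for this post, not a vendor’s product code) enriches raw endpoint alerts with a kill-chain phase and a runbook reference, then ranks hosts by how far the intrusion has progressed. The detection names, phase mapping, runbook identifiers and sample alerts are all constructed for illustration.

```python
"""
Added example: enrich raw endpoint alerts with kill-chain context and a
per-detection runbook, so an analyst sees how far an intrusion has progressed
on each host instead of a flat list of alerts.  All detection names, phase
mappings, runbook ids and alerts below are constructed for illustration.
"""
from collections import defaultdict

# Ordered kill-chain phases (Lockheed Martin Cyber Kill Chain); index = progression
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
PHASE_INDEX = {phase: i for i, phase in enumerate(KILL_CHAIN)}

# Constructed mapping: detection name -> (kill-chain phase, runbook reference).
# In a real deployment this context is maintained alongside each detection rule.
DETECTION_CONTEXT = {
    "phishing_attachment_opened": ("delivery", "RB-001 triage phishing delivery"),
    "office_macro_spawned_shell": ("exploitation", "RB-014 isolate host, collect process tree"),
    "persistence_run_key_added": ("installation", "RB-022 review persistence, image host"),
    "beacon_to_rare_domain": ("command_and_control", "RB-031 block egress, pivot on domain"),
    "mass_file_rename_encrypted": ("actions_on_objectives", "RB-040 ransomware containment"),
}


def enrich(alert):
    """Attach phase, phase ordinal and runbook to one raw alert dict.

    Detections without curated context get None so they are visibly
    "unexplained" rather than silently dropped.
    """
    phase, runbook = DETECTION_CONTEXT.get(alert["detection"], (None, None))
    return {
        **alert,
        "phase": phase,
        "phase_index": PHASE_INDEX.get(phase),
        "runbook": runbook,
    }


def summarize_hosts(alerts):
    """Per host: furthest phase reached, phases observed in chain order,
    and the runbook belonging to the furthest phase."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(enrich(alert))

    summary = {}
    for host, items in by_host.items():
        known = [a for a in items if a["phase_index"] is not None]
        if not known:
            summary[host] = {"furthest_phase": None, "phases_seen": [], "runbook": None}
            continue
        furthest = max(known, key=lambda a: a["phase_index"])
        phases_seen = sorted({a["phase"] for a in known}, key=PHASE_INDEX.__getitem__)
        summary[host] = {
            "furthest_phase": furthest["phase"],
            "phases_seen": phases_seen,
            "runbook": furthest["runbook"],
        }
    return summary


def prioritize(summary):
    """Hosts ordered by kill-chain progression, furthest first; hosts with only
    unmapped detections sort last."""
    def key(item):
        phase = item[1]["furthest_phase"]
        return -1 if phase is None else PHASE_INDEX[phase]
    return [host for host, _ in sorted(summary.items(), key=key, reverse=True)]


# Constructed sample alerts, shaped like records from an EPP/EDR feed
SAMPLE_ALERTS = [
    {"ts": "2021-01-04T09:02:11Z", "host": "ws-17", "detection": "phishing_attachment_opened"},
    {"ts": "2021-01-04T09:02:40Z", "host": "ws-17", "detection": "office_macro_spawned_shell"},
    {"ts": "2021-01-04T09:05:03Z", "host": "ws-17", "detection": "beacon_to_rare_domain"},
    {"ts": "2021-01-04T10:11:52Z", "host": "ws-42", "detection": "phishing_attachment_opened"},
    {"ts": "2021-01-04T11:30:00Z", "host": "srv-03", "detection": "unknown_vendor_signal"},
]

if __name__ == "__main__":
    result = summarize_hosts(SAMPLE_ALERTS)
    for host in prioritize(result):
        print(host, result[host])
```

Running the block ranks ws-17 first (delivery, exploitation and command-and-control all observed, so the C2 runbook applies), ws-42 second (delivery only), and srv-03 last because its only alert has no curated context. The third point is the one that matters operationally: a detection with no phase and no runbook is exactly the “fill in the blanks” work the post says teams cannot afford, so surfacing it as None makes the gap in vendor-supplied context measurable.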
We identified that organizations were not looking to add “unnecessary” tools to their environment in 2021. However, we can say with certainty that tools enabling visibility on the endpoint were one of the most important security toolsets before the pandemic. Now that the majority of teams are working remotely, endpoint visibility is not just important, it is crucial.
More and more organizations are adopting controls that enable not just alerting, but in-depth analysis, on the endpoint. These technologies can take a few different forms depending upon the needs of the teams. Generally, they are broken down into:
• Endpoint Protection Platforms (EPP) – Often more capable versions of the anti-virus tools already present on many systems. These platforms are attractive for companies because they don’t require “yet another agent” on the endpoints.
• Endpoint Detection and Response (EDR) – These platforms are often more heavily focused on endpoint interrogation, and may include better or more advanced logging, as well as digital forensics and incident response (DFIR) capabilities.
• Extended Detection and Response (XDR) – These platforms are similar in nature to EDR platforms, but may also feature tighter integration into security orchestration, automation and response (SOAR) platforms. These can be a great fit for teams that have integrated automation into their workflows.
As home offices globally remain under siege by adversaries, ransomware, and phishing, the focus on the endpoint will be crucial for organizations’ now-dispersed security. This visibility into the endpoint also enables organizations to focus on proactive security.
If some of the larger cyber catastrophes of 2020 have taught us anything, proactive security needs to be the new normal. Security teams can no longer merely trust that an appliance or control is catching 100% of significant cyber threats. This means that security teams in 2021 are going to need to take a more proactive approach where they hunt for threats that have bypassed existing controls.
While organizations will approach this task differently, it is likely to include:
• Dedicated Threat Hunting Teams – In 2020, 65% of organizations were conducting at least some basic forms of threat hunting. This is likely to accelerate with larger organizations standing up dedicated threat hunting teams.
• Hybrid Threat Hunting Teams – Not every organization has the resources to stand up their own dedicated hunt teams. However, 93% of organizations believe that threat hunting is, or should remain, a top priority in 2020. Smaller or more agile organizations will likely establish hybrid hunt teams where analysts divide or rotate through threat hunting.
• Managed Threat Hunting Providers – With more organizations facing resource shortages in 2021, companies are looking at economies of scale. More traditional managed security service providers (MSSPs) are going to offer managed threat hunting, enabling companies to benefit from their collective defense.
While it is safe to say that security teams are finally looking at 2020 in the rear-view mirror, the broader infosec community now has 2021 to contend with. As teams face both new and legacy challenges, the clear message is that optimization of existing tools and technologies will be the defining theme of the upcoming year.