Happy New Year! Whether you’re feeling rattled or relieved to leave 2018 in the rearview mirror, now is your moment to take one deep (and deserved!) breath before launching into 2019. Though the flip of your desk calendar might not exactly result in a discernible change in your day-to-day, the fact is that each new year brings with it shifting opportunities, challenges, trends, and areas of focus.
Fortunately, we at Rapid7 have adhered to one of our favorite seasonal traditions and rounded up some of the best minds in the security industry to predict what they expect to see in 2019. Rapid7’s CEO, Corey Thomas, predicts that people next year will become more aware of mobile spying and compromise, while other predictions revolve around policy changes, breach fatigue, automation, and the need for better security defenses, among other topics.
Here’s what the group had to say:
1. Wendy Nather (aka Madame Bell LaPadula), Head of Advisory CISOs at Duo Security (now Cisco)
In 2019, when the cart comes around and the town crier calls us to “bring out yer dead,” someone will try to heave the still-struggling carcass of passwords onto the pile. Yes, we have WebAuthn and other attempts to replace that memorized character string as the primary credential, and we’ll see some measure of success—but only for the newest and fanciest of applications. If we can’t get rid of SMS as the second factor of authentication (for sundry good reasons), we won’t get the biggest and smallest business applications to make the switch from username/password within a year. It’s still worth doing, though, because passwords are beginning to smell really bad, and the villagers are starting to revolt.
2. Bob Rudis, Senior Director, Chief Security Data Scientist, Rapid7
Rather than focus on the “easy pickings,” my view is that in 2019, we’ll see a larger swath of attackers developing exploits for new/unusual protocols vs. the traditional web/database/SMB/RDP dance they currently do. The pace, progression, and diversity of opportunistic attacks in 2018 also suggests that in 2019, there will be almost no delay between the development of advanced attack tools by sophisticated attackers and their commodity usage by lazy/mundane adversaries. This means organizations will be battling barbarians with laser cannons.
Finally, I’ll go out on a limb and suggest that Microsoft’s announced conversion to Chromium will usher in a new era of attackers super-focused on regularly getting past Google’s Chrome-clad defenses.
3. Matt Scheurer, Systems Security Engineer, First Financial Bank
Upcoming trends include wider adoption of security orchestration, automation and response (SOAR), identity and access management (IAM), and user behavior analytics (UBA). One thing I will be paying the most attention to in this upcoming year is combating social engineering and phishing threats. As far as advice I would give to others, providing that you aren’t starting from scratch, aren’t too behind the curve, and have some level of security maturity in place, implementing new products and solutions should be secondary to improving your security posture by getting back to basics and better leveraging the existing security solutions you already have in place to improve your security posture.
4. Dan Cuthbert, Global Head of Cyber Security Research at Banco Santander
After a great 2018 of many exploring the benefits of pushing left, 2019 is looking like the year it finally becomes BAU. With breach fatigue now a thing we all suffer from, the need to embed security into every facet of business is heard loud and clear by the C-suite. Customers will start to demand usable and secure devices and services, and those not offering basic security will suffer.
5. Jeremiah Dewey, Senior Director - Global Consulting, Rapid7
It seemed that 2018 was the year of the email compromise. Cloud-based email (i.e., Office 365) will continue to be an easy target of opportunity in 2019. Attackers occasionally devise new, clever ways to get in, but there isn’t a need for such ingenuity when the same old entry avenues (such as RDP and SMB open to the world and single-factor authentication) are still available. Ransomware has decreased greatly from its 2015–2017 heyday, but it is still around, and we could see a resurgence if certain factors make it enticing enough for attackers to refocus their attention on it. This is just on the business front—nation-sponsored hacking is a separate topic that I’m sure will be discussed in great detail as we progress through 2019.
6. Chris Nickerson, CEO, Lares
The rapid buzz/adoption of MITRE’s ATT&CK framework will give a much-needed vocabulary for enterprises to describe TTPs used in real-world attacks. This new taxonomy will be the cornerstone of all red, blue, and purple teams—a common language to begin tracking positive improvement and measuring defensive telemetry. Instead of our security tools showing us the “glamour graphs” of how many threats they stopped, we will start to see how many they missed. This will allow the defense to finally capture homefield advantage and measure its blind spots.
7. Harley Geiger, Director, Public Policy, Rapid7
The U.S. completed negotiating the U.S.-Mexico-Canada Agreement (USMCA)—aka “the new NAFTA”—in late 2018, and it still awaits a vote in Congress. If Congress ratifies the USMCA (likely in 2019), it will be the first U.S. trade agreement to include cybersecurity-specific provisions along with other helpful sections on preserving strong encryption and restricting demands for source code review. The Trump administration recently announced its intention to negotiate trade agreements with the EU, UK, and Japan. As the negotiations proceed, expect to see a push for these new agreements to include the cybersecurity provisions from the USMCA, and possibly other provisions that build on them. Their inclusion into USMCA significantly boosts the chances of these provisions in other trade agreements. You can learn more about Rapid7’s stance on cybersecurity in trade agreements here.
8. Chad Kliewer, Information Security Officer, Pioneer Telephone Cooperative, Inc.
Social engineering and phishing will continue to be the biggest problem, and technology can’t patch humans. We have to keep everyone aware and empower them to recognize risks and ask questions. This year, information security professionals have to start showing value to the business and stop being roadblocks, which are only there to be removed or go around.
Also, if we can use AI to protect ourselves, it can be used to attack us, too. Look out!
9. Tod Beardsley, Research Director, Rapid7
I'm going to go out on a dangerously optimistic limb here, and predict that 2019 will see a turnaround in the perception of voting machine security, well ahead of the 2020 U.S. elections. Electronic voting machines are a fact of life in all statewide elections, because, despite the current serious security concerns, electronic voting machines do make voting easier, more convenient, and more accessible to all voters. Don't get me wrong, there's a lot of work to be done to win the trust of a deeply skeptical hacker community, and that won't happen by accident. But, I believe that voting machine vendors have gotten the message that they need to go out of their way to earn that trust, and I'm committed to helping them get there.
10. Deral Heiland, Research Lead, IoT, Rapid7
I predict in 2019 we will see a move by the primary vendors of IoT technology to focus on a series of product standards designed to improve the overall security posture of IoT technology. I expect this focus to be on passwords, patch management, communication, and privacy. Once these primary vendors move in this direction to standardize the security of their products, this will help lead others within the industry to follow suit in 2020.
11. Andrea Little Limbago, Chief Social Scientist, Virtru
The “breach fatigue” that for years has enabled consumers to tune out the persistent flow of breach headlines is over. In 2019, people will demand change. The confluence of mega-breaches with eight years in a row of increased internet censorship and surveillance—not to mention the lack of transparency around data collection and third-party access—has sparked a societal movement for greater individual autonomy over their own data. Following Europe’s lead with GDPR and the recent California Consumer Privacy Act, there will be a growing demand for greater privacy protections in the United States, forcing Congress to at least propose some initial federal legislation. Knowing that Congress may be slow to enact meaningful change, people will also demand more intuitive and transparent data protection capabilities and platform policies to take data privacy into their own hands. Usable security may well be the defining feature of 2019. This societal movement reflects a major inflection point and represents a great opportunity for the infosec community to be a productive partner in shaping the future of security and privacy.
12. Eric Reiners, Chief Information Officer, Rapid7
Enterprise IT will adopt agile and lean approaches (maybe not lean startup yet) to deliver the business outcomes needed for digital transformation. What was once a six- to 18-month project window for new technology rollouts will be shortened to two weeks of shippable value. What was once a buy vs. build discussion will assume “buy and integrate” given the amount of prebuilt functionality available with a credit card. This will require greater collaboration between builders and defenders to think about security and compliance during fast design, build, test, and deploy iterations. Security will need to be front-of-mind for builders, and security teams will need to enable builders with self-service tools that fit into a DevOps culture and process. We will also need a stronger monitoring strategy as more and more business solutions will be built on top of tech stacks and source code that are not owned by the organization.
13. Alex Shligersky, Information Security Analyst, Health New England
People are the biggest security problem, so I think in 2019 and in years to come, we must concentrate heavily on security awareness. I will be paying attention to phishing emails, business email compromise (BEC), and spear phishing this year. We also must influence a change in culture and how companies think about their information security—it is no longer just an IT issue.
14. Shawn Valle, Chief Security Officer, Rapid7
Three things come to mind when I envision 2019. First, more breaches are on the top of my list. We have a long way to go before we reduce this statistic.
Second, I believe operational security teams will look to leverage automation wherever they can apply it to help monitor, notify, and respond to threats. Automation has existed in multiple forms for many years, but in recent years, many security-focused solutions have launched in the automation space. Automation can be brought into existing security engineering and security operations teams to reduce considerable minutia and administrivia in initial investigations and responses. As this newer capability starts to get better known, I predict more teams will start to dip their toes in the automation waters.
My third prediction is around the cloud security community working with their primary customers and stakeholders to be more transparent and work toward building and continually growing trust. We in cybersecurity (or infosec, as I still often say) are more and more protecting employee and customer data/assets in publicly facing environments (you have all heard of this internet thing, right?). As this data is more easily exposed than ever before and industry regulations are financially/legally requiring us to rapidly acknowledge data losses, the best approach is to transparently communicate with both internal and external stakeholders about what steps we take to protect their sensitive data and how we plan to work with our stakeholders in the event that data is exposed or lost. Providing stakeholders some visibility into how data is protected will lead to more conversations, which is a key piece to building trust. Let’s talk outside our teams a bit more.
15. Rob Graham, Errata Security
It’ll become harder and harder finding an electrical device that isn’t “smart.” Modules with WiFi and TCP/IP stacks, such as the ESP8266, add only a couple dollars to the cost, so it’s economical even for light bulbs. However, since these devices are behind NATs, IPv6, or 5G—and usually only make outbound connections—we won’t see mass hacking consequences like Mirai from them. A light bulb botnet is not anywhere in the near future.
Those companies that survive the next decade are those that can collect the most information, allowing them to improve their products in ways companies in the dark cannot. This makes privacy and cybersecurity synonymous, as companies struggle to fend off government, hackers, and competitors. Smart devices mean literally Orwellian surveillance—the book “1984” had the implausible sci-fi feature of televisions spying on their users, which is now reality. If the government wins the “crypto wars” and mandates backdoors, they’ll come for smart appliances next, mandating access to that information.
It’s your turn!
We’d love to know what you’re expecting to see in the coming year, so hit us up on Twitter (@Rapid7) using the hashtag #Rapid7Predicts to share your own predictions. Also, if you’re interested in seeing how our predictions have stacked up in past years, check out our previously published New Year’s prediction blogs here: