10 Emerging Cybersecurity Trends To Watch In 2021
A flurry of new threats, technologies and business models have emerged in the cybersecurity space as the world embraced a remote work model where there’s no network perimeter and more applications and data in the cloud than ever before.
Workers Go Home, And The Threats Follow
A flurry of new threats, technologies and business models have emerged in the cybersecurity space as the world shifted to a remote work model in response to the COVID-19 pandemic. The lack of a network perimeter in this new world accelerated the adoption of SASE (secure access service edge), zero trust and XDR (extended detection and response) to ensure remote users and their data are protected.
Adversaries have taken advantage of the complexity introduced by newly remote workforces to impersonate legitimate users through credential theft, and have upped the ante by targeting customers in the victim’s supply chain. The ability to monetize ransomware attacks by threatening to publicly leak victim data has made them more lucrative, while employers continue to fend off insiders with an agenda.
The Special Purpose Acquisition Corp (SPAC) craze has made its way into cybersecurity for the first time in 2021, with three vendors agreeing to merge or be acquired by SPACs while a well-known security venture fund stood up its own SPAC. And more cybersecurity startups have notched unicorn valuations of at least $1 billion in the first four months of 2021 than in all of 2019 and 2020 combined.
Keep reading to wise up on what are expected to be the 10 biggest cybersecurity trends in 2021.
Golden SAML
Russian foreign intelligence service (SVR) hackers capitalized on architectural limitations in Microsoft’s authentication process to jump from customer on-premises environments into the cloud and cloud applications during the SolarWinds campaign, CrowdStrike CEO George Kurtz alleged. Kurtz said the specific attack vector used by the SolarWinds hackers was first documented all the way back in 2017.
“The threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network as well as between the network and the cloud by creating false credentials impersonating legitimate users and bypassing multifactor authentication,” Kurtz said during a Feb. 24 U.S. Senate hearing.
Microsoft President Brad Smith fired back during the U.S. Senate hearing, saying forged identities were relevant in only 15 percent of situations associated with the SolarWinds attack. And in all those cases, the Golden SAML exploit was used to add access capability only after the SVR was already in the network and had obtained access with elevated privileges, according to Smith.
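The forged-credential path Kurtz describes works because the cloud side accepts any assertion signed with the federation server's token-signing key, so an assertion minted with a stolen key never appears in that server's own issuance log. As an added defender-side example (not code from the article, CrowdStrike or Microsoft), this Python sketch cross-checks federated sign-ins accepted in the cloud against the federation server's issuance records; the record fields, the one-hour lifetime threshold and the sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: assertion issuance events recorded by the on-premises
# federation server. Field names are assumptions for this example.
FEDERATION_ISSUANCES = [
    {"assertion_id": "_a1", "user": "alice@example.test", "issued": "2021-03-01T09:00:00"},
    {"assertion_id": "_a2", "user": "bob@example.test", "issued": "2021-03-01T09:05:00"},
]

# Constructed sample: federated sign-ins the cloud identity provider accepted.
# The third record was never issued by the federation server and carries a
# 24-hour validity window, the trace a forged (Golden SAML) assertion leaves.
CLOUD_SIGNINS = [
    {"assertion_id": "_a1", "user": "alice@example.test",
     "not_before": "2021-03-01T09:00:00", "not_after": "2021-03-01T10:00:00"},
    {"assertion_id": "_a2", "user": "bob@example.test",
     "not_before": "2021-03-01T09:05:00", "not_after": "2021-03-01T10:05:00"},
    {"assertion_id": "_f9", "user": "admin@example.test",
     "not_before": "2021-03-01T10:00:00", "not_after": "2021-03-02T10:00:00"},
]


def find_suspicious_assertions(issuances, signins, max_lifetime=timedelta(hours=1)):
    """Return (assertion_id, user, reasons) for cloud sign-ins whose assertion
    has no matching issuance on the federation server, or whose validity
    window is longer than the federation server is configured to grant."""
    issued = {(i["assertion_id"], i["user"]) for i in issuances}
    findings = []
    for s in signins:
        reasons = []
        if (s["assertion_id"], s["user"]) not in issued:
            reasons.append("no issuance event on federation server")
        lifetime = (datetime.fromisoformat(s["not_after"])
                    - datetime.fromisoformat(s["not_before"]))
        if lifetime > max_lifetime:
            reasons.append(f"assertion lifetime {lifetime} exceeds {max_lifetime}")
        if reasons:
            findings.append((s["assertion_id"], s["user"], reasons))
    return findings


if __name__ == "__main__":
    for assertion_id, user, reasons in find_suspicious_assertions(FEDERATION_ISSUANCES, CLOUD_SIGNINS):
        print(f"{assertion_id} {user}: {'; '.join(reasons)}")
```

The join on assertion ID is the core signal: a legitimate assertion always has a twin in the federation server's log, while one signed offline with a stolen key does not.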
Cyber Insurance
Written premiums for standalone cyber coverage increased by 29 percent in 2020 as firms of all sizes clamor for insurance protection in the face of a substantial increase in network intrusions, data theft and ransomware incidents over the past two years. The broad shift to a remote workforce at the start of COVID-19, coupled with increased intrusions from phishing emails, left companies more exposed.
Cyber incidents have proliferated globally, with Canadian insurers reporting a cyber net claims ratio of 105 percent in 2020, up from 39 percent a year earlier, according to Fitch Ratings. These losses drove rates for cyber coverage sharply upward in the fourth quarter of 2020, with premiums increasing by 11 percent on a year-over-year basis.
The most frequent causes of cyber insurance claims are hacking, ransomware, phishing, and employee negligence, according to AdvisorSmith. Accountants, medical offices, and apartment buildings in possession of customer social security numbers, dates of birth, and other financial or personal information tend to pay the highest premiums for their cyber insurance, according to AdvisorSmith.
Extended Detection And Response (XDR)
Extended detection and response (XDR) centralizes security data by combining security information and event management (SIEM); security orchestration, automation, and response (SOAR); network traffic analysis (NTA); and endpoint detection and response (EDR). Obtaining visibility across networks, cloud and endpoints and correlating threat intelligence across security products boosts detection and response.
An XDR system must have centralized incident response capability that can change the state of individual security products as part of the remediation process, according to research firm Gartner. The primary goal of an XDR platform is to increase detection accuracy by correlating threat intelligence and signals across multiple security offerings, and to improve security operations efficiency and productivity, Gartner said.
XDR offerings will appeal to pragmatic midsize enterprise buyers that do not have the resources and skills to integrate a portfolio of best-of-breed security products, according to Gartner. Advanced XDR vendors are focusing up the stack by integrating with identity, data protection, cloud access security brokers, and the secure access service edge to get closer to the business value of the incident.
Insider Threats
Insider threats burst back onto the scene in summer 2019, when former Amazon Web Services employee Paige Thompson accessed the personal information of Capital One credit card applicants and customers and stole data from more than 30 other companies. A firewall misconfiguration allegedly allowed Thompson to access folders or buckets of data in Capital One’s AWS storage space.
Capital One admitted in July 2019 that Thompson had gained access to personal information from 106 million credit card applicants and customers in the United States and Canada. The McLean, Va.-based financial services giant said one million Canadian Social Insurance Numbers, 140,000 U.S. Social Security numbers, and 80,000 linked bank account numbers of Capital One clients ended up being compromised.
Beyond Capital One, prosecutors allege Thompson stole multiple terabytes of data from a variety of companies, educational institutions, and other entities. “Even if she does not have another copy [of Capital One’s data], Thompson’s technical sophistication means that she could commit additional cyber intrusions, thereby likely causing additional hundreds of millions of dollars of damage,” prosecutors said.
Ransomware
The profile of the ransomware victim has moved upmarket since 2020. The victims are no longer the small MSP who runs IT for dentists and local law firms, but the well-monied technology firms that manage the data and web traffic for the top of the Fortune 500. Despite having the funds to hire elite IT professionals and install top-notch security, these channel giants have also been rattled by ransomware.
Vicious ransomware infections hobbled five of the world’s 50 largest solution providers since 2020—Cognizant, CompuCom, Conduent, DXC Technology and Tyler Technologies. The five channel behemoths that succumbed to ransomware since 2020 have combined revenue of $42.78 billion and a joint market cap of $54.36 billion.
The emergence of publicity-hungry, extortion-seeking ransomware operators, such as the group behind Maze, has unleashed an entirely different animal on the IT services industry since 2020. Ransomware groups have embraced a new approach that puts the threat of public dissemination of private company data—rather than merely encrypting stolen files—at the center of everything they do.
Secure Access Service Edge (SASE)
Secure Access Service Edge, or SASE, has taken the industry by storm since Gartner debuted the phrase in an August 2019 report, with cybersecurity vendors creating new leadership roles and carrying out major acquisitions to strengthen their position around these emerging technologies.
SASE combines wide area networking, or WAN, with network security functions like secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS) and zero-trust network access (ZTNA) to support the dynamic secure access needs of businesses. SASE tools can identify sensitive data or malware, decrypt content at line speed, and continuously monitor sessions for risk and trust levels.
The SASE market crosses previously disparate technologies and demands that vendors be able to deliver these capabilities through the cloud on an as-a-service basis. It is intended to address the security and networking needs of tomorrow as users, devices, applications, services, and data rapidly shift outside the enterprise data center.
Special Purpose Acquisition Companies (SPACs)
For the first time ever, several cybersecurity firms seeking access to the public markets are eschewing the initial public offering in favor of merging with or being acquired by a shell company that’s already public. Secure access vendor Appgate kicked things off in February by agreeing to merge with Newtown Lane Marketing at a $1 billion valuation just a year after Appgate split from data center vendor Cyxtera.
The following month, risk analytics platform QOMPLX acquired two companies and agreed to become a public company via a merger with special purpose acquisition company (SPAC) Tailwind Acquisition Corp at a $1.4 billion valuation. Also in March, network detection and response vendor IronNet Cybersecurity agreed to go public through a merger with LGL Systems Acquisition Corp at a $1.2 billion valuation.
On the buyer side, NightDragon formed a SPAC targeting the cybersecurity, safety, security, and privacy sectors and raised more than $300 million in an early March initial public offering. The SPAC is led by Dave DeWalt, the founder and managing director of cybersecurity-focused venture capital firm NightDragon and former CEO of FireEye and McAfee.
Supply Chain Attacks
The manual supply chain attack against SolarWinds’ Orion network monitoring platform has sent shockwaves throughout the world, with Russian foreign intelligence service (SVR) hackers compromising nine elite U.S. government agencies and roughly 100 prominent private sector companies through a malicious Orion update.
The SVR first tested their ability to inject code into SolarWinds Orion in October 2019, and then actually put poisoned code into Orion updates downloaded between March and June 2020. Nearly 18,000 SolarWinds customers installed a trojanized version of Orion, but customers could only be targeted for further attack if Orion was installed on a server with access to the internet, according to SolarWinds.
SolarWinds doesn’t know precisely when or how the hackers first gained access to its environment, but the company has narrowed it down to three most likely candidates for initial entry. Initial access most likely occurred through: a zero-day vulnerability in a third-party application or device; a brute-force attack such as a password spray attack; or social engineering, such as a targeted phishing attack.
Unicorns
The funding landscape for cybersecurity startups has gone gangbusters this year, with 14 startups notching valuations in excess of $1 billion through the first four months of 2021 alone. That’s well above the five cybersecurity companies that achieved unicorn status in all of 2020 and the eight that achieved unicorn status in all of 2019, according to PitchBook.
The year started with cloud security vendor Lacework closing a $525 million round and OwnBackup closing a $167.5 million round, and February brought cyber insurance vendor Coalition closing a $175 million round and Plume closing a $270 million round. Then in April, container security vendor Sysdig raised $188 million and threat detection and response vendor Vectra closed a $130 million round.
A whopping eight cybersecurity startups achieved unicorn status in March: application security firm Snyk on a $300 million round; cloud security firm Orca Security on a $210 million round; Feedzai on a $200 million round; Aqua Security on a $135 million round; cloud security firm Wiz on a $130 million round; Axonius on a $100 million round; ID.me on a $100 million round; and Socure on a $100 million round.
Zero Trust
The COVID-19 pandemic has accelerated the journey to zero-trust platforms as virtually the world’s entire workforce was shoved outside a defined network perimeter, forcing organizations to secure end users who are working remotely as well as fix anomalies and configuration issues revealed by the new approach, according to Forrester.
A zero-trust approach to security reflects four principles: no user should be trusted by default, since any user could be compromised; VPNs and firewalls can’t do it alone, since they only guard the perimeter; identity and device authentication should take place throughout the network rather than just at the perimeter; and micro-segmentation helps minimize damage from hackers by creating interior walls and locks.
Good zero-trust platforms integrate security functions into nearly invisible tooling, Forrester said, making it so that users have no choice but to operate in a more secure fashion. The most successful zero-trust vendors can layer new functions on top of existing security infrastructure components, meaning that clients don’t have to remove or replace the security investments they’ve already made.