2021 Cybersecurity Predictions | ActZero

Written by Chris Finan | Jan 11, 2021 5:00:00 AM

With a new year comes a new set of predictions for cybersecurity. We’ve developed these predictions to help corporate executives and IT leaders of small to medium sized organizations improve their risk management strategies. This has become a yearly tradition for us, and allows you to benefit from the multidisciplinary group of experts we convene each year to develop predictions.

Why trust us?

ActZero is an AI-enabled cybersecurity provider of Managed Detection and Response, so we have lots of experience within the industry, and deep security expertise to facilitate sound predictions. We have a rigorous process of developing predictions with inputs solicited from stakeholders across our company, including research, sales engineering, security engineering, threat hunting, operations, and leadership - and distilling down to the best ones. Finally, each year we debrief on whether our predictions from the previous year came to pass.

Ok, let’s get to the predictions! For a deeper dive into the predictions, or a retrospective on last year’s, check out our 2021 Cybersecurity Predictions white paper here.

Prediction 1: The endpoint becomes the first, and last, line of defense

What we are predicting: Appreciation for the importance of secure endpoints will grow, consistent with this analyst’s assertion of “the stark reality that organized crime-funded cybercriminals are relentless in searching out unprotected endpoints and exploiting them for financial gain.”

Why we are predicting it: First, the inapplicability of firewall and web gateway technologies (for more on this, see predictions two and three below) and the prevalence of SaaS or cloud-based applications mean that threats are increasingly directed at the endpoint.

Second, because of the industry shift to detection and response, which was, at least in part, a result of network-based solutions like Zero Trust Network Access proving insufficient to prevent cybersecurity breaches. This “security between endpoints” approach, motivated by the BYOD movement occurring within corporate environments, was supposed to yield security independent of the endpoint. However, concessions made by ZTNA vendors have rendered it woefully inadequate. Security expert Adam Mansour goes into detail on the discrepancy between the original conception of ZTNA by John Kindervag and its representation in the market in his webinar Zero Need for Zero Trust: The Shift to Cloud Security. In a nutshell, ZTNA vendors are treating authorized devices and locations as effectively trusted due to resource constraints — when, in the original formulation, inspection was required to validate.

How we will validate: In 2021, we predict the market will continue to shift away from threat prevention and towards endpoint-centric threat detection and response. We should find evidence of this in reports from industry analysts on the prevalence of such technologies, like EDR or endpoint-conscious MDR offerings. Given our line of business, we think it’s safe to say that we’re ‘putting our money where our mouth is’.

Prediction 2: The Security Operations Center (SOC) Will See a Complete Reformation

What we are predicting: The SOC as a room full of screens, analysts, and technology connected to a local network, where its size, makeup, and the tenure of its analysts were paramount, will no longer be the goal state for cybersecurity providers, nor for organizations’ security programs. This will include new ways for threat escalations to surface to (now-distributed) analysts, and a change in how people imagine threat hunters connecting to the data center.

Why we are predicting it: An ongoing transition to WFH will continue in 2021. This will necessitate a shift away from the classic model of a security operations center, as both endpoints and employees (including SOC analysts themselves) are distributed. Some technologies of the “old SOC” such as firewall, IPS, IDS, and SIEM (depending on how and from where one is sourcing logs) are ineffectual in a decentralized working environment.

If WFH necessitates remote oversight of devices that live at somebody’s house, it could be a tough prospect to stomach. When it comes to security, this isn’t the same as the shift to the cloud, where openness was expected.

How we will validate: We should see cybersecurity vendors (publicly) and other organizations (privately) touting their new model. There will be less emphasis on the once requisite SOC tour. We’ll see a focus on cloud-delivered security capabilities. Each of these will be reflected in the market, in terms of how cybersecurity vendors are showcasing their offerings, how (and where) security analysts are being staffed, and in market data for what technology is succeeding.

Prediction 3: A Cloud Focus Will Leave Some Security Technologies Inapplicable

What we are predicting: We predict organizations will come to treat the cloud as they did their traditional data center. Companies will monitor it like they have monitored their critical assets, and they will secure it by checking vulnerabilities. And SMEs and mid-market enterprises will use identity and inventory services to keep track of devices connecting to the cloud. Technology that isn’t applicable to the goal of servicing a cloud-based remote worker will be ineffective, full stop. The specific technologies we have in mind are firewalls, IPS/IDS, VPN, and CASB.

Why we are predicting it: A recent study of IT decision makers bears this out: 90% of those interviewed believed cybersecurity systems are less effective than they should be: “Ineffective technology has become accepted as normal — and shamefully — inevitable.” Specifically, firewalls have a role, but not one that makes sense when you’re looking to secure a WFH-to-cloud setup. Similarly, VPN, IPS and IDS aren’t necessary anymore, with employees using cloud software and infrastructure. Finally, a CASB is also without a valid use case, as it tells you if people are using cloud software on your network and prevents the use of “shadow IT.” You’re going to be looking to protect transactions from your WFH user to the cloud. A modern security technology should instead allow people to use their cloud apps, and protect their endpoints no matter where WFH takes them.

How we will validate: Not only will we see this reflected in the market, with sales of such technologies dropping, but we’ll also see a corresponding focus on how cloud environments are being monitored, and cloud environment monitoring from vendors within our category.

Prediction 4: We’ll see a further increase in long-cycle attacks

What we are predicting: We’re already seeing increases in long-cycle attacks, specifically those leveraging Living Off the Land (LOtL) tactics, and as hackers prove these tactics effective, we think we’ll see more.

Why we are predicting it: Hackers are developing a greater capability to evade detection once inside a network. Take the FireEye incident, for example: the company’s CEO described the attackers as “highly trained in operational security … with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination.” Instead of committing flagrant malware attacks that can trigger alarm bells, bad actors will favor a patient, stealthy approach that allows the freedom of longer dwell times.

Living off the Land (LOtL) operations are one type of long-cycle attack ActZero is watching. LOtL attacks are inherently difficult to identify, as signature-based detection technologies don’t have a file they can identify. Ironically, this new approach is the result of security improvements and the shift to network detection and response, as it is now too easy to spot malicious code.

And the problem will be confounded by the fact that lateral movement is no longer limited to a single organization. WFH has created stepping stones to formerly separate environments, while integrated supply chains offer more direct paths between well-defended companies and their soft underbelly: the suppliers.
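To make the signature-versus-behaviour point concrete, here is an added example (not ActZero’s code; the process-creation events and hash values are constructed placeholders) that runs a hash denylist and a small set of behavioural rules over the same records. The LOtL-style event executes an unmodified system binary, so the denylist has no file to match; only the context rules (parent process, command-line shape) surface it.

```python
import base64
import re

# Constructed process-creation events standing in for EDR telemetry (invented,
# not real logs). Hash values are placeholders, not real file hashes.
BENIGN_ENCODED = base64.b64encode("Start-Sleep 1".encode("utf-16le")).decode()
EVENTS = [
    {"id": 1, "image": "winword.exe", "parent": "explorer.exe",
     "sha256": "placeholder-hash-winword", "cmdline": "winword.exe quarterly.docx"},
    {"id": 2, "image": "powershell.exe", "parent": "winword.exe",
     "sha256": "placeholder-hash-powershell",
     "cmdline": f"powershell.exe -nop -w hidden -enc {BENIGN_ENCODED}"},
    {"id": 3, "image": "powershell.exe", "parent": "explorer.exe",
     "sha256": "placeholder-hash-powershell",
     "cmdline": "powershell.exe Get-ChildItem C:\\Temp"},
]

# Signature approach: a denylist of known-malicious file hashes (placeholder).
KNOWN_BAD_HASHES = {"placeholder-hash-known-malware"}

def signature_hits(events):
    """Every event above runs a legitimate OS binary, so nothing here matches."""
    return [e["id"] for e in events if e["sha256"] in KNOWN_BAD_HASHES]

# Behavioural approach: the same legitimate binaries, judged by their context.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
ENCODED_CMD = re.compile(r"(?<![\w-])-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)
HIDDEN_WINDOW = re.compile(r"(?<![\w-])-w(?:indowstyle)?\s+hidden", re.I)

def behaviour_hits(events):
    """Return (event id, reasons) for events matching any behavioural rule."""
    hits = []
    for e in events:
        reasons = []
        if e["image"] in SCRIPT_HOSTS and e["parent"] in OFFICE_APPS:
            reasons.append("script host spawned by an Office application")
        if e["image"] == "powershell.exe" and ENCODED_CMD.search(e["cmdline"]):
            reasons.append("encoded PowerShell command line")
        if e["image"] == "powershell.exe" and HIDDEN_WINDOW.search(e["cmdline"]):
            reasons.append("hidden PowerShell window")
        if reasons:
            hits.append((e["id"], reasons))
    return hits

if __name__ == "__main__":
    print("signature hits:", signature_hits(EVENTS))   # []
    print("behaviour hits:", behaviour_hits(EVENTS))   # event 2, three reasons
```

Event 3 shows the other half of the problem: the same binary run interactively from the desktop with a plain command line trips no rule, which is why these rules are tuned on context rather than on the tool itself.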

How we will validate: We’ll see this in our own detections, and in public sources of threat data. We expect this to be demonstrated by researchers and corporate defenders alike.

Prediction 5: We Won’t See a Major Increase in Internet of Things Exploits... Yet

What we are predicting: We don’t expect a major increase in IoT exploits in the wild. The risk to small to medium-sized enterprises is low (relative to other vectors). So while we expect IoT to continue proliferating in 2021 with little improvement to security, boutique IoT attacks should remain of little interest to hackers, beyond any potential for such attacks to function as stepping stones to other higher-value targets.

Why we are predicting it: IoT is rapidly spreading throughout our workplaces, homes, and public spaces. It’s no secret that the growth of the IoT landscape has outpaced measures to secure it, since the quest for competitive pricing has left many IoT devices with little — if any — security.

At an organizational level, however, the risk posed by IoT attacks should be relatively low in the coming year. This is because niche IoT attacks are simply not profitable and scalable enough for bad actors. Instead, cybercrimes such as ransomware attacks should continue to be more lucrative endeavours.

How we will validate: Through threat research of our own and others, and by keeping an ear to the ground for coverage of such incidents, to see whether, contrary to our assertion, IoT becomes a truly meaningful attack vector.

We hope you enjoyed our 2021 cybersecurity predictions! For more on this topic, check out our whitepaper, where we evaluate 2020’s predictions, go into more detail on 2021’s, and put forward ways MDR can help prepare for the new threats and challenges of the new cybersecurity landscape. Download our white paper here.