As 2022 comes to a close, Fortinet’s Deputy CISO Renee Tarun shares her take on the threat landscape from the past 12 months. And based on these trends, Renee offers some cogent advice on cybersecurity strategies and solutions that can best prepare CISOs for the cyber threats that could be coming in 2023. The following tips and guidance can act as a measuring stick for security leaders to prepare for the year ahead.
Renee: There were a number of cybersecurity trends that really mattered to CISOs this past year. There has been a constant discussion around the threat environment, and it's not going away any time soon. There was a steady, constant stream of threats all year long.
The first one that comes to mind is the targeting of the cloud and Linux. We're seeing more types of malware being developed aimed at these platforms. We haven't seen this much in the past, but attackers are going after more of the cloud-based workloads.
In 2022, we also saw attacks on supply chains continue. This is compelling security teams to do more reviews of their ecosystems.
In the past 12 months, the industry has seen more types of ransomware being developed—along with more destructive malware. We noticed that the criminals who attack organizations with ransomware have changed their strategy a bit. Now, they're wiping data, whether or not the victim pays the ransom. Previously, attackers used to hold data, but now attackers have become more destructive.
At first, the trend was cybercriminals would just encrypt hacked data. Then they changed their strategy when the cyber defenders found ways around that ransomware threat by encouraging organizations to back up data. Then the cybercriminal strategy focused on exploiting stolen data. In other words, the attackers would threaten to expose the organization’s sensitive data to the world if the ransom wasn’t paid. And now ransomware attackers are causing even more pain and embarrassment by using wiperware.
In 2022, we saw a lot more multi-pronged attacks. This is an approach where bad actors would come at organizations with two or more different types of attack techniques. For example, a social engineering attack combined with a distributed denial of service (DDoS) attack. The strategy is to create a distraction in one part of the organization and attack another area on the network at the same time.
In short, it's not just a phishing attack, but now multiple types of attacks simultaneously. You see a lot of these multi-pronged approaches around holidays because people are taking time off and organizations only have skeleton crews. Companies become attractive targets of opportunity when there's less staff and fewer resources to respond to attacks.
Renee: The real challenge for a CISO next year could be having too much to manage, and not enough resources to do so. With economic uncertainty looming, many IT departments may be told there's too much cost going out, such as capital and operating expenses. And so, from that perspective, I think many CISOs are going to feel the pressure to consolidate some of the costs and try to help eliminate some of that burden.
CISOs are also thinking more about data loss prevention, and the possibility that departing employees may try to take company assets or intellectual property as they leave if any layoffs need to happen. This is where an organization’s investment in deception technology may pay off nicely because, unfortunately, people might try to scrape things before they leave.
Another topic that is top of mind is the total cost of ownership (TCO). The C-suite needs to know how cybersecurity investments can help their businesses. A CISO’s thought process should be something like: “We can't just throw money at anything cyber. We have to be thinking about our overall spend, and what we’re getting out of it.”
Organizations need to tie their spending on cybersecurity to mitigating risk. And so now is the time for organizations to really be focused on addressing these key questions: Do we really need everything that’s in our environment? Can we simplify things and reduce complexity? How do we do more with less if needed?
This means that a CISO's mindset should be that of preparing to not only prevent and protect, but also defend and respond. This mind shift is going to be important for CISOs and organizations in 2023—and beyond. It may require architecting environments to compensate for this approach.
People, processes, and technology are the fundamentals that organizations need to have in place. You need the best technology, but also organizations need the right people, with the right training. And they still need to have the right processes in place. Also, CISOs must have an incident response plan that is well thought out and tested along with having the right technology for not only monitoring and detection—but responding and being proactive in their efforts versus just being reactive. In short, my advice for CISOs in 2023 is to be proactive in your defense.
Also, I foresee a lot of organizations looking at their cloud journey (a.k.a. digital transformation). During the first two years of the pandemic, 2020 and 2021, a lot of data was thrown up into the clouds—accelerated by the emergence of the hybrid workforce. Now, I think a lot of organizations are going to want to go back and try to get a handle on that shadow IT. They are going to want to take a more strategic approach to how they do some cloud migrations, followed by figuring out how they're going to handle hybrid environments.
I expect next year that organizations are going to be focused on improving the diversity in their workforce. It's really the only way we're going to fill the cybersecurity skills gap. Some will argue there are never going to be enough people, so there’s going to be demand to increase the automation side of cyber defense.
Renee: While 2022 and the previous pandemic years were difficult in many ways, there is some hope and optimism to be found with the growth of artificial intelligence (AI) and machine learning (ML) in cybersecurity. These developments are helping us get ahead of the game versus always being reactive.
In 2023, I foresee more and more CISOs augmenting their cybersecurity technology with real-time threat detection and remediation because unless you've got 300 threat hunters sitting in your environment, it becomes very difficult to keep up with the change in trends. The endpoint is a great example where endpoint detection and response (EDR) is key as work from anywhere continues and endpoints continue to explode. EDR stops threat activity and quarantines it—preventing something like ransomware from getting spread.
And zero-trust network access (ZTNA) is a powerful solution that is growing because it enables consistent, seamless, enterprise-class security across all applications—no matter where they are—and for all users—no matter where they are.
Something else organizations need to consider is looking outside their organization. A DRP service can help organizations obtain an attacker’s view of their environment, and what they can easily discover during the reconnaissance phase.
Renee: If your organization gets hacked, it means you need to start incident response immediately. That means responding by trying to detect and mitigate how the attack happened. To react quickly, organizations need to have a well-thought-out plan with various scenarios that have been tested in advance—because testing out your plan in the middle of a crisis never goes well.
This is important: Don't be too quick to start putting systems back online without really doing the forensic analysis necessary to figure out the details behind the attack. Too many times organizations put things back online just after they’ve been compromised—often not even 15 minutes later—and then guess what? They have to take the systems back down due to reinfection or compromise.
When organizations are going through the recovery phase, many move too hastily and don't take the time necessary to figure out how the breach happened and how the malware got on the systems. Often what ends up happening is that an organization will take their backups, restore data and systems, and then be compromised again.
Communication is really important in the midst of an attack. Make sure that your board and leadership understand the latest trends and how they can impact your organization. One of the most important items on a CISO to-do list is to communicate effectively with the organization’s board of directors on cybersecurity topics. It is important to have everyone within the organization understand the current cybersecurity trends and what they could mean for the immediate future.