Virtualization Technology News and Information
BlastWave 2023 Predictions: The Boiling Point is Here; Will the Frog Escape the Pot?


Industry executives and experts share their predictions for 2023.  Read them in this 15th annual series exclusive.

The Boiling Point is Here; Will the Frog Escape the Pot?

By Tom Sego, Co-founder and CEO of BlastWave

As the fable goes, a frog will stay in a pot of water as it's brought to a boil. Despite obvious warning signs, it's too late by the time the boiling point is reached. In the same vein, will companies heed 2022's warnings and evolve from detect and patch models to a preventative security approach that stops attacks before they happen? 2023's cybersecurity trends boil down to three questions. What is the threshold that companies will hit before they pivot to Zero-Trust Network Access (ZTNA), phishing-resistant multi-factor authentication (MFA) and software-defined perimeter (SDP) approaches to Zero Trust Architecture (ZTA)? What growth will we see? What will go up in smoke?

Manufacturing ransoms will hit $3 million

In 2022, the average ransom payment was $920,000, growing by 71 percent in the first few months. Manufacturing was even worse, as ransomware payments averaged $2 million. In 2023, the average ransom payment will break $1 million, and the average manufacturing ransom will break $3 million. Manufacturing ransoms are higher because OT security is decades behind, with studies showing that 87 percent of OT security professionals lack visibility into their OT network activities across devices, users and applications. Meanwhile, 78 percent experienced over three cyber breaches in 2022.

Many companies that depend on critical OT infrastructure still use COBOL, including 43 percent of banks. As a result, cybercriminals are now searching job postings to target companies that require COBOL skills. The most common OT attack vectors are vulnerabilities, often leading to ransom demands, while the most common IT attack vector is phishing. OT assets and workstations are low-hanging fruit for hackers because they're often unpatchable, with ICS vulnerabilities rising 50 percent in the past year compared to a 0.4 percent rise in the number of vulnerabilities overall (IBM X-Force Threat Intelligence Index 2022). Manufacturing's resistance to evolving from futile detect and patch models caused it to be the most targeted industry in 2023, taking the mantle from financial services. There is quite a bit of spending on cybersecurity on the IT side, with reports projecting that 11 percent of managed IT services budgets will be spent on security applications over the next year. Unfortunately, many of these security applications cannot secure OT workstations and assets, which are twice as likely to be hacked.

These challenges are further compounded because IT and OT security concerns are different. OT security administrators don't just have to worry about compromised credentials and data. The real catastrophe in an OT security breach results from operational downtime. OT vulnerability has grave consequences for companies in manufacturing, water, healthcare and other sectors, as Gartner predicts that cybercriminals will soon weaponize OT systems to cause bodily harm. Due to the inefficacy of detect and patch security models, OT ransoms will increase despite OT security spending projected to rise at a CAGR of 15.8 percent to $32.4 billion by 2027.

70 percent of companies will implement ZTNA

ZTA adoption can address these issues, and ZTNA that authenticates before allowing connection will accelerate compliance with ZTA requirements as defined by the United States government. Amid the branding hype, companies must remember that zero trust is not a product - it's a framework. Many products that claim zero trust do not meet the five pillars of the Zero Trust Maturity Model defined by the Cybersecurity and Infrastructure Security Agency (CISA). ZTNA that takes an SDP deployment model approach to ZTA can help companies meet these federal requirements and stop attacks before they happen. Gartner recently stated, "ZTNA is the fastest growing segment in network security." The report estimates that "70 percent of new remote access deployments will rely on ZTNA by 2025." That's conservative amid increases in ransomware payments. ZTNA implementations will hit 70 percent by 2024.

SDP approaches will double in manufacturing

With hybrid work, cloud computing and billions of connected IoT devices, the enterprise security perimeter is disappearing, and business environments are more complex (and vulnerable) than ever before. In manufacturing, these issues are heightened as OT security administrators connect their formerly air-gapped and often unpatchable OT systems to the cloud, with recent reports showing 49 percent are using the cloud to support OT systems. In response, manufacturers will implement SDP approaches that can support full-mesh, peer-to-peer, high-performance connectivity. High-performance security is important, with recent studies showing that 79 percent of employees sacrifice security for speed. We talk about security by design, but this is vulnerability by design - when someone needs something urgently and they work around access controls. 

An SDP deployment model allows companies to transcend network location and underlying configuration to implement Zero Trust Architecture. When the network is your biggest liability, why would you want a network-centric security approach that exposes IP addresses to the public Internet? With network-centric models, access is defined by network location. With SDP, access is defined by lightweight, policy enforcement point (PEP) software on end-user devices, mirroring how hybrid work has evolved. Fortunately, the SDP market is expanding, projected to reach $23.1 billion by 2026. SDP is easier to implement in OT systems than VPNs because it removes the need for digital certificate management, network subnetting and more. SDP can even be implemented as an overlay on the existing network or SCADA system. This approach can also protect legacy OT systems through the use of gateways, even if those systems cannot host a PEP.

Less than half will implement phishing-resistant MFA

2023 will be the twilight year of traditional MFA if the US government reaches its lofty goals. 2022 saw the widespread exploitation of traditional MFA that relies on session-based tokens, one-time passwords, SMS and push notifications, including attacks on Uber, Microsoft and Twilio. Memorandum M-22-09, issued by the Office of Management and Budget (OMB) in January 2022, sets January 2023 as the date that federal agencies must offer a phishing-resistant alternative, and states that traditional MFA must be eliminated by 2024. The CISA recently urged organizations to implement phishing-resistant MFA as well, dubbing it the "gold standard." Seeing as the FBI itself was recently hacked, this timeline seems unrealistic, whether we're talking about government agencies or enterprises.

Unfortunately, experts estimate that up to 90-95 percent of current MFA implementations are not phishing-resistant. Meanwhile, the gulf in adoption of security controls in IT vs OT is substantial. Unlike IT networks, the use of third-party contractors in OT systems increases the risk of exploitation, further highlighting the need for phishing-resistant MFA in OT security. Unfortunately, surveys show that only 18 percent of companies with OT systems enforced even traditional MFA or basic remote access restrictions this past year.

Phishing-resistant MFA ensures secure remote access through passwordless MFA methods, including biometrics coupled with a built-in authenticator and FIDO2 security keys. These methods remove human decisions from the authentication process and reduce human error. The good news? Companies are increasingly implementing phishing-resistant MFA, with GitLab boosting their adoption to 93 percent. Still, I predict that less than half of companies will align with federal goals by 2024.

Too many cooks in the kitchen

Amid 2022's statistics, I have empathy for CISOs that manage complex configurations and policies across multiple cybersecurity products. They're facing hurricane headwinds, and a sea change is necessary. In 2023, companies will implement ZTNA solutions that create a software-defined perimeter including multiple access controls. This will help companies evolve past network-centric, detect and patch security models to achieve a preventative zero trust security approach that stops attacks before they happen. Zero trust is a framework that assumes there is no network perimeter and that there's a malicious actor in your network right now. Today, that isn't an assumption; it's reality. 




Tom Sego is Co-founder and CEO of BlastWave, a leading provider of zero trust networking solutions that help companies stop attacks before they happen. Tom oversees operations for BlastWave's Zero-Trust Network Access solution, BlastShield™, and focuses on cross-functional team leadership. Previously, Tom served as Senior Director of WW Sales Support at Apple.

Published Tuesday, January 03, 2023 7:32 AM by David Marshall