Most of us have a love-hate relationship with predictions, especially of the cybersecurity variety. On one hand, we all dream of knowing what the future holds, especially in an industry as volatile as ours. On the other hand, trying to prognosticate cyber is often a futile and trite exercise, with predictions either exaggerating an already existing trend or taking the form of some wild premonition based on little to no evidence. The Catch-22, of course, is that if one’s forecast is too ho-hum, nobody will bother to care.
Still, whenever the calendar nears January, even the cynical among us can’t help but look forward and consider what next year will bring. To that end, we gathered five of Google Cloud’s security operations experts and asked them to offer their perspective on 2023—while promising to leave the hyperbole on the cutting-room floor. We also asked them to share one practical tip for SecOps teams, no matter their size, to consider implementing next year.
Here we go!
Prediction 1: SOC, meet cloud. Cloud, meet SOC.
Anton Chuvakin, Office of the CISO
I think many of the security operations centers will have to confront the cloud question: How do they deal with expanding cloud environments, various public clouds, multicloud, proliferation of SaaS? We don't have a coherent view about how a typical security operations center has to deal with public cloud environments where they have to monitor for threats, respond to threats, triage alerts and other signals—and to what extent cloud architecture affects their operations. To me, the main thing to watch next year is more organizations actually figuring out how to deal with public cloud computing in their SOC. What is the bridge-building activity? What are the process linkups? What are the tools? What other things should they use to actually have the SOC be successful in the cloud? To me, this is both a prediction and a wish and a trend, and I feel like we're behind enough already compared to other teams. So I think SOCs need to catch up, and next year is the year to catch up.
TIP: I was giving a presentation on "SOC-meets-cloud" the other day and somebody asked, 'What is one thing I should remember?' and my answer was 'Learn IAM (identity and access management), how it's done in the cloud.' It sounds boring. I've met some people who think IAM is about password changes and, of course, that's very wrong. But the point is IAM in the cloud is really impressive, really important and really different from how people have done identity management on premises, and there's a lot more connection to SOC, not just for API abuses and password guessing and credential guessing and other stuff, but for many other reasons. So I think one tip for a SOC in 2023 is to tackle the cloud and specifically learn some of the cloud realities, learn the practices, learn the tools—and from the tools—and do learn IAM specifically, because you will be happy you did. Your SOC mission will be a lot easier once you’ve done this.
Prediction 2: AI advances for attackers
Vicente Diaz, Threat Intel Strategist
As artificial intelligence is becoming more and more available, I think that this is opening the eyes of many people, including attackers, about how they can use it in many different ways. They can use it to easily create exploits. They can use it for creating content for phishing and malware distribution. They can use it to develop something new or automatically scan different machines. It’s not so much that artificial intelligence itself will change, it's that it will become much more powerful. It's more about opening the eyes of everyone, including attackers, about how they can use AI, as it's becoming available for everyone. So I think that this can change the kind of attacks we will be seeing next year.
TIP: I'm a big fan of monitoring what's going on and trying to find a good way to use what you are detecting. So my recommendation to succeed is exactly doing that: creating rules to monitor and keeping an eye on how different malicious campaigns are evolving. Sometimes we feel like, 'Well, this is just an IoC (indicator of compromise) and something that should be automatically ingested. We don't really need to do much about this.' But I disagree. I think it's important to have this knowledge, first of all in order to prevent, which is the most important thing, and to understand, if something happens, in which direction we should be running or not. So monitor, keep an eye on how things are evolving, and use this knowledge to protect yourselves.
Prediction 3: The way SOCs are staffed finally changes
Kerry Matre, Group Product Marketing Manager
I think we're going to see organizations change the way that they're staffing their SecOps. Instead of finding people with five years of experience, they're going to have to change the roles. We have a pipeline now of people coming out of college that are skilled but don't yet have that expertise and that experience within security operations organizations. So organizations are going to need to change how they're hiring—how they're staffing for these positions—to be able to utilize those students coming out of that pipeline. I think that's going to be enabled by automation and clear process and procedures and just advancements in technology. But it's definitely a shift that needs to be made. We haven't seen it yet, but I think 2023 is the year.
TIP: Always continue learning through formal training or industry conferences or by shadowing others on your team.
Prediction 4: The attack surface gets deeper consideration
John Stoner, Senior Security Strategist
My one big 2023 prediction for SecOps is around attack surface management. So between the continuing march to the cloud and remote work—not just being a two-year anomaly, but something that's here to stay for many organizations—the need to understand an organization's attack surface is even greater than before. In 2023, more organizations will be taking a harder look at this and integrating these capabilities into their security operations, and it will become more and more important to understand the broader footprint that they're going to be responsible for defending.
TIP: Know your data. Knowing your data starts with understanding what data you have available to you and what it can tell you. With this knowledge, you have a better handle on the kinds of questions that you're able to answer, which leads to more focused use cases and improved expectation setting with leadership as to what you can cover with what you have—as well as awareness of what you can't cover due to a gap in your data. This can also help prioritize additional onboarding of data and use case development for the coming year. If you're moving workloads to a cloud, any cloud, take the time to learn what that data looks like, what normal operations look like, and run threat emulation scenarios to see what abnormal might look like as well. Understanding the terrain that your workloads reside in will go a long way to detecting threats. Whether that's through threat hunting or automated detections, know your data.
Prediction 5: Hybrid work didn't hear any bell
Kristen Cooper, Product Marketing Manager
Anywhere security operations is going to continue to be a thing. We're not going to go back to the office in 2023 or anytime soon. We're going to spend our time and divide it between the work at the workplace and the house and coffee shops and everywhere else in between. So this means organizations are going to have to continue to learn how to support that the best way that they can and secure all their employees no matter where they're at. And it also means there's gonna be more stuff to worry about with all of that. So it's gonna be an interesting year, and we'll see where the future takes us with hybrid work.
TIP: Take your vacation. I can't emphasize taking a break enough. You work hard. You've got long days and stressful environments. Take your time off!