A Look Ahead at 2021: SolarWinds Fallout and Shifting CISO Budgets

Solarwinds podcast news wrap

Threatpost editors discuss the SolarWinds hack, healthcare ransomware attacks and other threats that will plague enterprises in 2021.

The new year started off with a bang, with the SolarWinds hack revealed in late December acting as a jarring reminder to companies and U.S. government departments alike that cybercriminals continue to successfully exploit security lapses in technology.

But beyond the SolarWinds supply-chain cyberattack, many future challenges this upcoming year will piggyback on existing issues that began in 2020. That might be ransomware attacks on the healthcare space, an industry already beleaguered by skyrocketing COVID-19 cases. Or, it might be workforce employees starting to trickle back into the office, as more people receive their vaccines – and any unprecedented security challenges this shift might present.

Threatpost editors Tom Spring, Tara Seals and Lindsey Welch break down the top security stories to look out for during this week’s first podcast of 2021.

Listen to the podcast below, or download directly here.

Below is a lightly edited transcript of the Threatpost podcast episode. 

Lindsey Welch:  Welcome to the first Threatpost news wrap podcast of 2021. You’ve got the Threatpost team here today, including myself, Lindsey Welch, Tara Seals and Tom Spring, Tom and Tara, happy belated New Year.

Tom Spring: Indeed, indeed.

Tara Seals: Happy New Year, guys.

Lindsey: Hopefully this year will be better than last. But we’ll see. The SolarWinds hack definitely was kind of a rough start. So we’ll see how how this year plays out security wise.

Tom: Yeah, well, fingers crossed, things can only get better.

Tara: Definitely seems like there are a lot of trends that we can already start talking about. Because even though we all took a holiday break, cybercriminals did not.

Lindsey: Right, right. Yeah, exactly, Tara. I mean, going into the new year, I think we saw a lot of unprecedented trends in 2020, last year, obviously, with COVID-19 shaping the security landscape and all the different threats we faced. That was huge. But I think that that also has a lot of trends that will continue over into this upcoming year. And a big part of last year was remote work and how security shifted because of enterprises moving to a work-from-home model. Tara, I know you had a ton of great enterprise-focused coverage there. So I would really love to see how that continues to evolve in 2021.

Tara: Yeah, definitely. I mean, I think the main thing to realize is that most businesses aren’t just going to get back to business as usual, once we’re all vaccinated, it’s very likely that the work from home footprint will continue to exist. And so companies need to just assume that they’re going to have a large portion of their workforce working from home from here on out. And they’ve got to up their security game. I think in 2020, the biggest challenge obviously was that this happened really quickly, and they had to send people home really quickly. So the security portion of that process lagged behind a little bit, they were playing catch up, just trying to put things into place after the fact. And that opened up a field day for cybercriminals, who certainly took advantage of it. But going forward, they will have had almost nine months out to adjust to this. And with the budgeting cycles,starting back up again, I think that we’re gonna see a lot of investment in cloud security and endpoint security for employee off-site devices and things like that.

Lindsey: I know one subset of that work-from-home threat was how email threats evolved over the year as well. And I know we saw a ton of phishing and spear phishing attacks that were centralized around the not not just enterprise services, like Microsoft Teams, or Office 365, which is kind of the common theme there. But cybercriminals also are focusing in on trends around current event trends, like stimulus payments or job security during the summer. And I’m curious too how this will change this upcoming year; obviously, right now, with vaccines being rolled out, I’m sure that the cybercriminals out there have already wrapped their minds around how they can utilize this as a lure to launch newer email attacks. But just any newer trends or whatever breaks in the coming year, how we’ll see that also play out as well from the attacker standpoint.

Tom: Those are good points, Lindsey. I don’t think that there’s a silver bullet for solving the problem of the vulnerability that your inbox represents or represents to business. And the one thing that we know is that the hallmark of these types of attacks is that they are able to devise clever new unanticipated attack vectors – whether it be phishing, spear phishing, business email compromise, and/or malware – and, with the work from home shift and all of the endpoints that security teams now have to manage remotely, it becomes an enormous challenge to really lock up that inbox bullseye that is anticipated to continue to be a real chink in the armor of any cyber defense.

Lindsey: Yeah, definitely. And I feel like inbox attacks are something that have always been a common threat for businesses and for enterprises. But I do think that there has been more of a focus there over the past year, and hopefully going into this year, on the side of enterprises in terms of employee awareness and education and how they can reinforce security around that via training and other methods. And, another, when I’m thinking about remote work, one thing that I think about in 2021, is, hopefully the return of employees to offices and into workplaces, with this vaccine being rolled out. And I’m really curious what the implication there might be for security, because I think that there’s going to be a lot of other unprecedented security challenges or issues, as employees go back to work – whether it’s companies starting to think about using exposure notification or contact-tracing apps within the workplace – or companies struggling with a hybrid remote/employees working in the office model think. I that there’s just a lot there to think about.

Tara: Yeah, that’s a good point. And what’s interesting, too, is the privacy aspects of all of that, right. So, contact tracing, for example, or, some sort of vaccination proof, which, a lot of workplaces already require proof of certain vaccinations anyway, so it’s not that far out of out of left field. But I think that a lot of people in the digital age are understandably nervous about their personal data. And this is gonna, I think, spark yet another privacy conversation as we go through the course of the year.

Lindsey: Right. And speaking of healthcare data, and vaccines and whatnot, I think another huge security trend in 2020 that is definitely rolling over to 2021 is healthcare security. And we talked a lot about this and our recent eBook at the end of 2020, in terms of the top healthcare security threats, but ransomware has really carved out a space there in terms of what it’s meant for healthcare companies that have been victims of this, and some of the top risks and threats that are facing healthcare companies and hospitals. So that’s kind of a disgusting trend that we’ve, unfortunately been seeing a lot in the latter half of 2020, continuing on to this year.

Tara: Yeah, I mean cybercriminals are opportunistic and don’t have a lot of scruples, as we know. And so I think they just see the healthcare field as this vast playgrounds of legacy equipment, unpatched endpoints, non-segregated networks. There are a lot of entry points there for them. You also have staff that aren’t necessarily trained in security because they’re busy saving people’s lives. So there are a lot of good opportunities there for cybercriminals to get in and then do their financial extortion bit.

Tom: When I think about the healthcare challenge, as I think we all reported, as the pandemic was rearing its ugly head, was that hospitals and healthcare facilities really needed to focus on saving lives and worrying about PPE and worrying about, making sure that they had respirators, and in speaking and interviewing a lot of the healthcare cybersecurity individuals, they complained about a lack of budget, and they expressed concerns about a lack of focus on cybersecurity. Again, to repeat what Tara mentioned, we’re seeing some forecasts that will hopefully translate into reality in terms of cybersecurity budgets now being seen as a bigger priority and bigger cyber-budgets are anticipated for 2021 and hopefully if we can turn the corner on saving lives – which we’re not there yet, obviously – We might be able to start addressing some of the healthcare related cybersecurity concerns that are being exploited by by hackers who really see it as a huge vulnerable, opportunistic target for just extorting exploiting and stealing data.

Lindsey: Right. I think it was this week that Check Point came out with that study that said that cyberattacks on healthcare orgs had increased, I think it was 45 percent since November, which is kind of insane. So, they’re definitely seeing the unfortunate opportunity there. And I think like you mentioned, Tom, it’s going to come down to whether hospitals and healthcare organizations try to foster better cybersecurity budgets and look into those different resources that may help them in the long run, at least proactively defend against these types of threats.

Tom: Yeah, I think I think the issue is definitely resources. I mean, any cybersecurity professional wants to have to be able to put in place a bigger, more robust defense. And again, I think that some of the statistics regarding budgets or increased budgets, you really have to look at pre-pandemic budgets versus 2021 budgets, because budgets dropped significantly, so, a year over a year, jump in a budget, I mean, 50 percent may sound great, but if their budget was cut by 80 percent last year, that 50 percent increase doesn’t really get them to where they need to be. But, I digress, budgets are budgets. And healthcare is  such an important thing today. It’s just concerning.

Lindsey: Well, I mean, speaking of budgets to even beyond the healthcare space, I know, we did some reporting at the end of 2020, on what will top the list of CISO budgets and the top cybersecurity priorities that enterprises will adopt looking to 2021. And, Tara, I know you mentioned towards the beginning of the podcast about cloud security, and how that is going to play into this year. And I know also, application monitoring and mobile threats are some of the other top things that are top-of-mind for security executives going into this new year. What are you guys seeing in terms of some of the other top budget priorities or just top threats or risks to look out for in 2021?

Tara: Well, I think that, for one thing, this idea that we’re just swimming in legions of data, is something that’s been going on for a while, obviously. And it’s just going to continue to snowball going into 2021 in tandem with the focus on the cloud, and enterprises’ digital transformations, right. So whether they’re making applications in house, or they’re buying off the shelf, or whatever it is, they are going to look to communicate with their employees and allow their employees to collaborate in new and different and more productive ways, with a distributed footprint. And so if you think about just the sheer amount of data that is being not only generated by that, but also which has to be protected, people have been telling me that the investments into things like encryption for data in transit, and also, machine learning and artificial intelligence for helping triage threats that come through, are going to be a couple of the top-of-mind investment areas going forward.

Tom: You know to pick up on the theme of automation, artificial intelligence and machine learning. I feel like before the pandemic, these were themes that we were sort of bubbling up pretty quickly in terms of the cyber security community embracing artificial intelligence and machine learning. And again, I think that the Coronavirus, and the pandemic, it just sort of was like a nuclear bomb on good ideas when it comes to rolling out some of these technologies. Never mind the budget. But yes, the idea that artificial intelligence and machine learning can actually be a frontline defense in addressing, at least the first wave of defenses or the first line of defenses when it comes to automating, understanding attacks in real time, real-time mitigation efforts and real-time defenses, some really interesting statistics, and also predictions for the year ahead, in terms of increased volumes of programmatic attacks, and increased programmatic defenses, it’s becomes this sort of artificial intelligence war against the good guys and the bad guys. It will be a very interesting story to see play out in the year ahead. And hopefully, the good guys will stay one step ahead of the bad guys.

Tara: Yeah, you know, it’s really interesting that you mention this arms race aspect of it, because I was interviewing somebody the other day and she was saying that, going into 2021, expect to see cybercriminals using automation, and just super high-end AI stuff to automate spearphishing attacks. And they might not be perfect, they might have a lot of red flags in the email body, let’s say, that would be pretty obvious at first, for someone with any sort of security training, but it’s going in that direction. So if they’re able to do targeted spearphishing at volume for a cheaper cost, then that’s obviously a big problem.

Tom: Credentials in the cloud are also something I feel like we’re going to hear more about and, and being able to protect them amidst more cloud services and more platform-as-a-service migration. And that’s what I’m hearing from some of the experts that I’m talking to in terms of areas of interest, in terms of areas that need greater protection. Especially again, we’re living in this world where the pandemic is driving business processes, and that business process in a distributed campus or distributed infrastructure is all going to the cloud. And yeah, guess what, the bad guys are headed there, too.

Lindsey: Right. Yeah, that’s, that’s a really good point, too. And I think both Tom and Tara, what you both just said, too, is that a lot of what we’re seeing, or we’re going to see in this upcoming year is reminiscent of just the most basic security issues that we continue to face over the past, however many years whether it’s the password problem, or it’s spearphishing, and what that means that just the employee level. So I think that those just aren’t going away anytime soon.

Tom: I feel like we would be remiss if we did not mention SolarWinds, in terms of that impact on supply-chain awareness going into 2021. And, we’ve talked a lot about the themes of 2020 in terms of this expanded reliance on the cloud and a distributed network and platform-as-a-service, applications-as-a-service, and the security implications around all of this. And, I think when a lot of the forecasters and prognosticators were thinking about 2021, it was before the the the impact of the SolarWinds hack had sort of penetrated their consciousness or perhaps it had, but it wasn’t as top of mind. But I do see a lot of people, a lot of weirdness around supply chain, around who are you dependent on? Is that company reliable? Are there automatic updates? Are you protected? And I really feel like we’re going to see a wave of, of, of cybersecurity companies really pushing a better lockdown of supply chains in 2021. I think that a lot of people are grappling with what happened, where it happened, and why, but I think that we’re gonna hear a lot about innovative, interesting solutions that address a very serious problem.

Lindsey: Yeah, and unfortunately, I think that hack is still unwinding, or at least the implications of that are still being revealed. I mean, even just this past week, the Department of Justice came out and said that its Office 365 email servers were compromised as part of that hack. So I think there’s still the impact, that is still yet to be determined, the full impact at least. So I think that’s something we’ll continue to see in the coming weeks, if not months. I mean, it’s huge.

Well, from SolarWinds to healthcare ransomware, we definitely have our work cut out for us this upcoming year in terms of all the security trends that are going to kind of hit the fan there. So, Tom and Tara, thanks for taking the time to come on and discuss what to expect in 2021.

Tom:  It’s gonna be a exciting year. I’m ready for my vaccination. I’m ready for it. I’m putting on my seatbelt. Hopefully, it’s gonna be a good one.

Tara: Yeah, agree. Happy New Year, everyone. And here’s hoping that 2021 will be a little less dramatic than 2020.

Lindsey: Absolutely. And to all of our listeners, thanks for tuning in to the Threatpost podcast. If you have any questions or thoughts or comments of anything that we talked about today, please do shoot us a note and a comment on our Twitter page at @Threatpost and we look forward to hearing from you. Thank you.

Also, check out our podcast microsite, where we go beyond the headlines on the latest news.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.