
Zero Trust Matures, Insider Threat Programs Take Off, and AI Doesn’t Change Things as Much as You’d Think Just Yet: Gurucul’s 2024 Cybersecurity Predictions

At Gurucul, we’re experts in security analytics, machine learning/AI, and applied data science with many decades of combined experience in cybersecurity, working to enable Security Operations Center people, processes and tools. We’re always trying to stay on the cusp of what’s new in the SOC and on the dark web, so we can better help organizations prevent cybercrimes, IP theft, insider threat and account compromise. That makes us well-positioned to predict how certain parts of the security space might evolve in the coming year. Here are five cybersecurity predictions for 2024, developed by me and the Gurucul Threat Research Team with input from our executive team.

Mature Zero Trust organizations shift focus to Automation & Orchestration, and Visibility & Analytics pillars

Enterprises that were early adopters of Zero Trust frameworks are now a few years into their journeys and have made progress in the five pillars of Zero Trust: identity, devices, networks, applications & workloads, and data. In 2024, about 35% of these early adopter organizations will move into more advanced stages of Zero Trust maturity across all five core pillars and specifically focus on the overlay pillars: Automation & Orchestration and Visibility & Analytics to build an adaptive Zero Trust framework.

These overlay pillars are different from the five core ones. They permeate the entire organization and many different IT/IS departments. Building them out requires visibility into everything happening in the Zero Trust environment, including all of the tools, applications and processes in place to protect the five core pillars. The organization must then apply analytics to that data to find out what is working well, where the problems are, and what attacks are happening. Finally, it must automate workflows and orchestrate the responses so it can adapt to these problems as they arise, wherever that is possible.

Maturing these two overlay pillars requires new capabilities and technologies such as advanced analytics powered by machine learning and AI, as well as identity-centric SIEM, UEBA and SOAR capabilities. To meet the new visibility and analytics requirements, organizations need to access and consolidate a huge range of data from many sources, including general security logs from both cloud and on-prem environments, EDR/NDR/XDR, identity and access management and governance systems, and much more. The automation & orchestration pillar requires high-fidelity detections combined with rich contextual data, plus the ability to dynamically and accurately prioritize events and alerts, so that remediations can be automated without legitimate business processes being caught in the crossfire.

AI can improve SOC team efficiency now – and will improve over time

While the adversaries are busy trying to weaponize AI to achieve their goals, the benefit of AI for defenders and the SOC team will be more immediate and more significant. AI will empower Security Operations Center (SOC) analysts with powerful insights into datasets across identity, security, network, enterprise and cloud platforms. Specifically, it will improve SOC team efficiency and help counter the ongoing challenges of limited resources and skill sets, overwhelming alert fatigue, false positives and mis- or unprioritized alerts in the following ways:

  • Provide proactive suggestions for detections and threat hunting queries.
  • Create new threat content based on recent trends and learnings across customers and industry verticals, dynamically improving or suggesting new ML models, queries, reports and more.
  • Auto-triage alerts based on historical triage patterns, investigation notes, detection types, relevance, and attack trends, and then automate or suggest key incident response activities, including creating custom reports, taking bulk actions, and running multi-step workflows.

Cybercriminals are already using AI to make their attacks better – and improve the tactics, techniques and procedures (TTPs) of attacks. But advanced machine learning models that are trained using adversarial AI will be able to combat these new attacks. I say “advanced” models because ML technology in many threat detection products today varies widely in efficacy, especially against AI-based attacks. Organizations should invest in quality, mature ML/AI powered technologies for threat detection and explore how AI can help their SOC teams spend less time investigating (or chasing false positives) and more time eradicating true threats. 

Among companies without an insider threat program, 75% will start to plan, build and budget for a formal insider threat program, with a majority of that growth coming from the SME (Small and Medium Enterprise) market

Recent research shows that more than half of organizations have experienced an insider threat in the past year and 68% are “very concerned” about insider threats as they return to the office or move to hybrid work. 74% say insider attacks have become more frequent, and 74% say they are moderately vulnerable or worse to insider attacks. Overall, companies of all sizes are becoming increasingly aware of the risk of insider threats and addressing the problem. SMEs in particular are taking insider threats much more seriously than in recent years.

Gurucul predicts that in response to these growing concerns, 75% of organizations that have protected data (PHI, PII, etc.), valuable IP, or compliance requirements, but don’t currently have an insider threat program will start planning or building one in 2024. Along with that, Gurucul also predicts that the adoption of insider threat solutions will increase by at least 50% as these programs develop. Some tools enterprises should consider for starting their insider threat program are a next-gen SIEM, UEBA combined with identity and access analytics, and/or a DLP solution to limit data exfiltration.  

This increase in insider attack risk has been driven by two main factors. The first is increasing use of the cloud. Detecting insider threats is more difficult in the cloud because defenders don’t have the visibility into cloud environments that they have on-prem. Also, security in the cloud is a shared responsibility model in which the service provider or IaaS provider controls and maintains some elements of the infrastructure. This lack of control and shared responsibility makes defenders’ jobs more complicated. The second factor is that organizations are more concerned about rogue employees motivated by reasons other than money. Many worry about disgruntled employees retaliating, or activist employees engaging with geopolitical and cultural issues in inappropriate ways while at work.

MSSPs and MDRs serving SMBs will grow by 25% YoY as part of a customer-driven push for vendors to provide services rather than just selling products

A strong demand from SMB customers for Managed Security Service Providers (MSSPs) and Managed Detection and Response (MDR) providers will continue in 2024. This market growth is driven mainly by the lack of skilled personnel to manage and maintain the appropriate systems and processes to protect small and medium businesses from cyber attack and ransomware. Ransomware is not just an enterprise problem; nefarious actors try to extort money from businesses of all sizes, and in some cases target SMBs because they know their defenses will be limited. This talent shortage shows every sign of getting worse in 2024.

In response to this demand, service providers will bundle many individual services into packages that meet their customers’ current business needs and match levels of protection to varying budgets. This means security vendors should create multi-tenant solutions that integrate easily with other security vendors’ products and cover both cloud and on-premise environments. They should also design their products and business practices to work well in a managed services model: flexible licensing and billing models, and dedicated programs and resources that support this go-to-market motion through service providers, to satisfy the growing market demand.

2024 will be the year of public-sector attacks and hacktivism

The public sector domain, including the education system, the medical system and public infrastructure, will be a primary ransomware target in 2024. This is because these systems are widely seen as easy targets that offer attackers fame, information and money. Public infrastructure like water and electrical systems around the world will be increasingly targeted by nation-state actors involved in geopolitical conflicts. These systems are not well-protected and offer a huge payoff in terms of the damage and chaos caused by disrupting them. We will also see an increase in hacktivism against government agencies and the supply chain that supports them, including DDoS attacks and APTs.

About The Author

Chris Scheels, VP Product Marketing, Gurucul

Chris has been aligning people, processes and technology to drive companies forward for over 20 years. He has a decade of cybersecurity experience in product marketing and product management. His passion is helping businesses succeed through the strategic use of technology. Most recently he was helping customers accelerate their Zero Trust journey at Appgate, Inc. His background also includes experience in operations, sales, and new business development.