Data mining the future with security predictions

It has become somewhat of a tradition for information security vendors to pull out their crystal balls at the end of each year and do their best to predict interesting developments and threats for the coming months. It is also becoming a tradition for the security community to greet those predictions with emotions ranging from skepticism to sarcasm but in doing so we may actually miss out on an opportunity to better anticipate developing risks. That said, we need to watch out for hidden agendas embedded in those predictions of course.

Reading through the predictions I’m usually left with the impression that they fall into two categories; “bound to happen’ and “not a chance’. It would be easy to dismiss individual vendor predictions as obvious developments or scaremongering to push an agenda but with increasing numbers of predictions available we now have the option to collect them and look for trends or common themes. Granted, consolidating wild guesses and absurdities from various sources doesn’t magically produce accurate predictions. It may give an indication what best to watch out for in the coming year however.

For this exercise 137 information security predictions from 16 sources across the industry were collected and each prediction was categorized in one of 15 categories. The categories are somewhat arbitrary but I found these to be a good compromise between too broad and too narrow.

Figure 1 shows all prediction categories broken down by source. Besides the obvious observation that Sophos, FireEye and Palo Alto seem to really like making predictions we can also conclude that there may be a slight bias in predictions depending on source. For example, Sophos shows a noticeable prediction bias in the category “malware’, as does FireEye, whereas Mandiant seems to focus in on “state sponsored attacks’. This is expected and merely evidences that the predictions are mainly within the scope of their expertise. I’d mark that down as a positive.

Figure 1. Security predictions 2014 by source (click for large version)

Rearranging the chart by category shows 2014 prediction peaks for “Cloud platforms’, “Malware’, “Mobile workforce’, “Organized crime attacks’, “Vulnerability Management’ and “Other’.

Figure 2. Security predictions 2014 by category (click for large version)

So what does the data tell us? At a high level the breakdown by categories already provides a guideline what areas may deserve some attention in the coming months; not only those mentioned by multiple sources but all of them. After all there was a reason why a prediction was made in the first place whether by a single or multiple sources. The categories showing clustered predictions are of particular interest (even more if you assume your organization may have some issues in those areas already).

Looking at the sample of “Vulnerability Management’ we notice two strong themes – Java and Windows XP. While it is probably obvious to most readers that the end of life (and as such end of security updates) for Windows XP in April 2014 will result in increased risk for their organization, it does illustrate the point. If multiple sources think this will become a problem it’s a good idea to look further into it.

Vulnerability management predictions:

• Browser-based vulnerabilities may be more common
• New heap-spray techniques will emerge because of Adobe Flash’s “click to play” mitigation
• Java zero-day exploits may be less prevalent
• Increase in attacks targeting Windows XP
• Sophisticated tools will enable smart companies to quickly uncover data breach details and react faster
• Dev-Ops Security Integration Fast Becoming Critical
• Cybercrime that Leverages Unsupported Software will Increase
• Legacy problems will escalate
• Windows: The Growing Risk of Unpatched Systems
• Hacking everything
• Attacks leveraging vulnerabilities in widely used but unsupported software like Java 6 and Windows XP will intensify
• Java will remain highly exploitable and highly exploited—with expanded repercussions
• New PC and server attacks will target vulnerabilities above and below the operating system.
• Efficient threat assessment remains a challenge.

Digging a little bit deeper with the help of a “Correlation Wheel’ there are a few additional nuggets that can be found. We quickly see that concepts like “malware’, “attacks’ or “mobile’ show no prominent relationship. This is expected as they are prominent across all concepts and as such are not specific to one particular context.

For “social’ the situation is different. “Social’ shows a co-occurrence with “engineering’ as well as “application’. This provides an indication that concepts of social engineering or social applications have been mentioned in the prediction narrative of our sources frequently which might provide further clues where trends are hidden.

Figure 3. Security predictions 2014 correlation wheel (click for large version)

Lastly, a look at the concept web provides a great at a glance view of the predictions and their relations. The colors for each theme help visually to quickly grasp the big trends for 2014 as seen by the sources.

Figure 4. Security predictions 2014 concept web (click for large version)

In closing I would argue it is well worth paying attention to the security predictions made each year by the more trustworthy public sources. This holds especially true if the data from multiple sources can be collected and correlated to gain additional insights. Data collection itself doesn’t always require manual labour as some consolidated data may already be available to organizations through their professional memberships (e.g. the ISF Threat Analysis Database) or otherwise.

While an overview like this is a good starting point and helps to understand where information risks may be increasing throughout the year it tends to lack in detail and substance. For a deeper dive into threat landscapes reports like ENISA’s Threat Landscape 2013 would be a great lecture and strongly recommended.