The start of the new year is an opportunity to break old habits and reflect on how you can become a better version of your old self. And 2024 is going to be the kind of year that puts us all to the test. If there’s one resolution I can add to your list, it’s to not lose control of your security program.
As William Yeats wrote in The Second Coming:
Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere anarchy is loosed upon the world
He describes an old world dying and a new world being born. In 2024, security leaders will face challenges to their leadership and control from multiple directions. But these challenges also contain opportunities: leaders who navigate them successfully could finish the year stronger than ever. Here are three areas where leaders need to hold on tight and stay in control this year.
🤖 The GenAI Blackbox
In the SOC, GenAI is crossing from hype to foundational without becoming any less of a blackbox. This is in contrast to the shift from on-prem to the cloud. That last Big Change™ to the security operation actually provided new opportunities for visibility, with APIs to describe the environment in great detail and virtual snapshots for agent-less scanning.
Not so with GenAI. Consider that Microsoft has reported substantial efficiency gains at early adopters, and Anvilogic has released natural language security data lake investigations—but these SOC assistants depend on models that even their trainers would be hard-pressed to explain. If Tier 1 analysts are using a copilot to operate at Tier 3 level, are they operating at that level successfully? Threat detection and response is an area where a subtle mistake (for example, in regex creation or command interpretation) can have significant repercussions.
This is not to say that advances in machine learning can’t be responsibly applied to security operations. But staying in control takes coupling copilot adoption with guardrails, tests and reviews.
Security organizations will find it increasingly important to harness the power of LLMs while mitigating the inevitable hallucinations and errors. Plus, the stakes are about to get higher. Online prediction markets are betting real money that GPT-5 is coming this Fall, and will likely start supporting SOC work shortly after.
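One concrete guardrail for the regex-creation risk mentioned above is a regression gate that runs any copilot-generated detection pattern against labelled sample log lines before it reaches production. This is an added example, not code from the original post; the rule, the draft and reviewed patterns, and the sample lines are all constructed.

```python
"""Regression gate for copilot-generated detection regexes.
Added example, not from the original post; the rule and sample log lines are
constructed, not real telemetry."""
import re

# Constructed labelled samples for a rule meant to flag PowerShell launched
# with an encoded command: (log line, should_match).
SAMPLES = [
    ("powershell.exe -EncodedCommand SQBFAFgA", True),
    ("powershell.exe -enc SQBFAFgA", True),
    ("PowerShell.exe -ExecutionPolicy Bypass -e SQBFAFgA", True),
    ("powershell.exe -Command Get-Process", False),
    ("powershell.exe -File C:\\scripts\\encoding_report.ps1", False),
    ("cmd.exe /c echo -enc", False),
]

# A plausible copilot draft: misses the short "-e" form and matches any
# "enc" substring, so it both under- and over-detects.
DRAFT = r"(?i)powershell.*enc"

# The reviewed rule: whole-token process name, and the flag must be a
# standalone -e / -enc / -EncodedCommand argument.
REVIEWED = r"(?i)\bpowershell\.exe\b.*\s-e(?:nc(?:odedcommand)?)?\b"

def evaluate(pattern, samples):
    """Return (false_negatives, false_positives) over the labelled samples."""
    rx = re.compile(pattern)
    fn = [line for line, expected in samples if expected and not rx.search(line)]
    fp = [line for line, expected in samples if not expected and rx.search(line)]
    return fn, fp

def gate(pattern, samples):
    """Deployment gate: a generated rule ships only with zero FN and zero FP."""
    fn, fp = evaluate(pattern, samples)
    return not fn and not fp

if __name__ == "__main__":
    for label, pattern in (("draft", DRAFT), ("reviewed", REVIEWED)):
        fn, fp = evaluate(pattern, SAMPLES)
        print(f"{label}: {len(fn)} missed, {len(fp)} false alarms, "
              f"{'PASS' if gate(pattern, SAMPLES) else 'BLOCK'}")
```

The sample set is the review artifact: every missed or falsely matched line a reviewer finds gets added to it, so the next generated draft is held to the same bar.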
🫠 Mega Acquisitions and Startup Fire Sales
A number of major deals shook up the security operations space over the past year. Notable examples include Francisco Partners taking over Sumo Logic and Securonix going with Vista Equity Partners. This trend is expected to continue in 2024.
When a private equity firm puts its money into a software provider, the expectation is that a return on investment will start to materialize on a set timeline. Customers of PE-owned companies need to be vigilant that the bean counters’ financial considerations don’t come at the expense of product capabilities and roadmap plans.
The biggest acquisition of the year, and Cisco’s largest ever, was Splunk. By fronting $28 billion cash, Cisco made it clear that they are serious about cybersecurity. What that means for customers will emerge in 2024. As Splunk provides core infrastructure for many of the world’s largest security operations, leaders need to have a plan B in order to stay in control regardless of where Cisco takes things.
At the shallow end of the pool, cybersecurity startups had a rough 2023 and many are expected to tap out in 2024. After an incredible run that pushed valuations to eye-watering heights, cybersecurity funding dried up and conditions are such that “only the toughest survive.”
For security organizations that have critical initiatives, frozen budgets and an eye to the ML opportunity, startups remain essential for success. Staying in control will therefore require security leaders to perform extra due diligence and procure wisely, with provisions that reduce the risk from a fire sale or liquidation event. These conditions also favor the “connected application” security data lake model, where the solution provider uses the customer’s data platform and lock-in is minimized at the data level.
⚔️ Wartime Madness
The world is ringing in the new year with more conflict than at any time in recent memory. Ongoing wars, demonstrations and counter-demonstrations are sure to bleed into the cybersphere. During times of crisis and heightened uncertainty, staying in control requires a wartime mentality.
Now is a good time to revisit the basics: things like visibility and patching should take precedence over aspirational initiatives. Projects that require a lot of investment with fuzzy outcomes can be delayed in favor of fundamentals like detection coverage.
Attack vectors that favor grassroots or lone-wolf attackers should be threat modeled heavily. For example, Python supply chain attacks that “allow even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks” should be addressed through layered controls.
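As an added example of the layered controls for Python supply chain risk described above (not code from the original post), the following pre-install review checks a requirements file against an approved-package allowlist for look-alike names, pulls internal package names only when a private index is configured, and requires version pins and hashes. The allowlist, the internal package name, the index URL and the sample requirements are all constructed.

```python
"""Pre-install review of a Python requirements file (layered controls).
Added example, not from the original post; allowlist, private index URL and
sample requirements are constructed."""
import re
APPROVED = {"requests", "urllib3", "cryptography", "boto3"}   # constructed
INTERNAL = {"acme-authlib"}                                    # hypothetical
PRIVATE_INDEX = "https://pypi.internal.example/simple"          # constructed
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*\S+)?(.*)$")

def edit_distance(a, b):
    """Levenshtein distance; a small distance flags a look-alike name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review(text):
    """Return [(package, finding), ...]; an empty list means the file passes."""
    findings = []
    lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
    private_index = any(l == f"--index-url {PRIVATE_INDEX}" for l in lines)
    for line in lines:
        if not line or line.startswith("-"):
            continue                      # blank or pip option line
        m = REQ_RE.match(line)
        if not m:
            findings.append((line, "unparsed requirement"))
            continue
        name = m.group(1).lower().replace("_", "-")
        pin, rest = m.group(2), m.group(3)
        if name not in APPROVED and name not in INTERNAL:   # typosquat layer
            near = [p for p in APPROVED if edit_distance(name, p) <= 2]
            findings.append((name, f"possible typosquat of {near[0]}" if near
                             else "not on allowlist"))
        if name in INTERNAL and not private_index:           # confusion layer
            findings.append((name, "internal package without private index"))
        if not pin:                                          # pinning layer
            findings.append((name, "version not pinned"))
        if "--hash=" not in rest:                            # integrity layer
            findings.append((name, "no --hash for pip --require-hashes"))
    return findings

# Constructed sample: a look-alike name, an unpinned package, an internal package
SAMPLE = """requests==2.31.0 --hash=sha256:PLACEHOLDER
reqeusts==2.31.0 --hash=sha256:PLACEHOLDER
urllib3
acme-authlib==1.4.0 --hash=sha256:PLACEHOLDER
"""
```

No single layer is decisive on its own: the name check catches the look-alike, the index check catches the confusion path, and pins plus hashes make a later substitution on the index fail at install time.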
Security leaders should also take into account the mental impact of global war. Team members may be distracted, depressed or even personally affected by what’s happening outside the SOC. Take control of the situation by recognizing the tumultuous reality all around us, and launching positive initiatives to counter the negativity. 2024 could be the year that security analysts acquire new skills like data science or learn new languages like SQL. Eliminating busywork through automation could help improve the atmosphere of the SOC while also reducing risk from errors.
Wish Us All Luck, We’ll Need It
The signs point to a challenging year where the only certainty is that we’ll be surprised. Whether by the AI we rely on, the providers we buy from or the world we live in, strange stuff will happen. Security leaders should resolve to do what it takes to stay in control through these challenges. With the right approach, we can reach the halfway point of the decade stronger than we started it.