The Cybersecurity Dive Outlook on 2022

If there is one predictable constant in cybersecurity, it's the omnipresence of ransomware. As Mandiant put it best, "There's no end in sight for ransomware."

But don't expect ransomware to continue as we know it today. Mandiant predicts threat actors will develop new ways to gain a profit from ransomware, starting with a shift to globalized attacks.

"Indictments, arrests, seizures of funds, and cyber offensive operations against threat actors and their infrastructure by U.S. law enforcement will cause threat actors to reevaluate which countries they target," said Charles Carmakal, SVP and CTO with Mandiant.

The common thread around these trends is cybercriminals finding a way to manipulate corporate data, and for that problem, there really is no end in sight. As 2022 unfolds, here are four cyberthreat trends to watch: 

Paying ransom won't stop data publication

Paying a ransom probably won't stop threat actors from placing stolen data on the dark web or using it for extortion purposes, Mandiant warned. That's because of infighting in cybercriminal rings.

"Often, conflict arises within these groups as a specific actor may feel like they're not getting paid their fair share," said Carmakal. 

To retaliate, the disgruntled threat actor in the group could decide to publish some or all of the data after the ransom is paid. As greed around ransom grows, expect it to impact post paid-ransom behavior. Individuals could break away from the group and hold the data ransom multiple times. 

"The more this happens, the more it's going to affect the way organizations think about making ransom payments," said Carmakal.

Ransomware as espionage

There has been at least one international cyberattack conducted as an act of espionage in 2022. As tensions between countries escalate, Carmakal also anticipates governments will leverage ransomware in extortion operations.

Threat actors will use masquerading ransom or extortion operations to disguise the objectives of some intrusions, especially when there is conflict between nations.

Attacks on the software supply chain

This year, cybersecurity experts are sounding the alarm on attacks to the software supply chain, especially after 2021 ended with the Log4j flaw. 

"Log4j is not the first or last software supply chain vulnerability, but it is by far the most widespread and easy to exploit weakness that we've seen in many years — including SolarWinds," said Kumar Saurabh, CEO and co-founder of LogicHub. 

The Log4j vulnerability impacted the logging feature of Java, which runs on billions of devices, especially internet of things (IoT) devices, many of which have some form of logging enabled. Seeing how vulnerable these ubiquitous and often ignored codes are in open source software, threat actors will up the ante and go after other forgotten code to exploit.

"What's critical now is careful monitoring of logs from all possible security tools. Unfortunately, many security teams are already flooded with security alerts, and often don't monitor all logs because of excessive storage costs with many SIEM tools," Saurabh. 

It is another type of attack that could be attractive to nation-states looking to infiltrate governments or wreak havoc on the systems that control the critical infrastructure. A powerful zero-day exploit can fetch top dollar on the black market, but it might be worth even more if it remains closely guarded in the toolbox of a sophisticated APT team, including those sponsored by a nation-state, ready to be deployed surgically without attracting too much attention. 

SMBs lack the manpower for in-house monitoring or keeping track of the open source software supply chain. Nor can they analyze or reverse-engineer every software update a vendor sends them. Zero trust models may be the ultimate solution for this style of attack.

"Adopting the ‘assumption of breach' philosophy combined with an asset-based risk management and risk transfer program may be the only way to keep up with the bad guys," said Daniel Schwalbe, CISO at DomainTools.

Quiet attacks

While many cybercriminals tend to pursue high-profile attacks designed for financial gain, threat actors are increasingly trying to infiltrate companies and go unnoticed for a long period of time. These quiet attacks allow cybercriminals to exfiltrate data from servers and endpoints at a slow and steady pace.

In today's hybrid/remote work reality, the information on remote computers is typically less protected, putting it at higher risk for a stealth attack.

"Quiet threats are on the rise because cybercriminals are well aware of the value of data to business and other organizations," said Nigel Thorpe, technical director at SecureAge.

In 2022, expect email and other messaging systems to be the most popular point of entry for these quiet attacks, with the goal of compromising corporate communication systems. Cybercriminals can then infiltrate the corporate network and do damage from the inside without discovery. 

The cybersecurity talent shortage is well-analyzed but less discussed is the search for CISOs with the right expertise and skills to lead a company's cybersecurity programs and team. 

It's not just finding and hiring CISOs but also retaining them that poses a challenge. Two-thirds of current CISOs were hired from outside the company, while a little more than half of them have been on the job for two years or less, according to research by Marlin Hawk.

The high turnover means that organizations are always on the lookout to bring in new cybersecurity leadership, but what exactly are companies looking for in a CISO? 

Executives want a CISO who has leadership skills, technical skills and an aptitude in security, according to Stel Valavanis, founder and CEO for onShore Security. Their first option on this search is to look inside the company — within their own infosec team, if they have one, or from the IT department. 

Those who have cybersecurity certifications, such as CISSP or CISM, or are on the path to earning them, will rise higher within the applicant pool, as these help to fill the security knowledge-base gaps that might otherwise be missing in those who have a stronger IT than security background, Valavanis said. 

If there aren't any qualified applicants on the inside, then the search will go external.

Why is it so hard to find a CISO?

A CISO with the right technical skills is the most difficult to find. "They need a technical background in networks and systems which are already in high demand. Companies are often compromising on technical capabilities in favor of leadership skills," said Valavanis. 

Weak technical skills make it more difficult for a CISO to do one of their most important duties — converting security threats to business risks. Security executives must be able to understand how those threats attack the organization, and then be able to translate that information across multiple departments and business functions. 

Finding a candidate with this level of communication skills — to explain issues plainly to groups as diverse as IT, C-suite, and staff assistants — combined with technical skills can seem like a search for a unicorn. 

Location is always a consideration when looking for new talent. Some organizations focus their CISO search in specific cities or companies, though some CISO candidates don't want to relocate. 

"However, in today's new working environment, organizations are becoming more flexible and finding strong CISOs working remotely," said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify.

Another concern is the organization's overall cybersecurity reputation, such as a company that experienced a major data breach and fired its CISO. Not every new CISO wants to be the one to clean up the mess, but there are CISO candidates who thrive in turbulent situations.

It is up to the organization to find that CISO who grows stronger in a post-breach scenario — or is otherwise the right person to keep business operations running smoothly in this cyber-tenuous world.

The CISO search

Large enterprises have an advantage in the CISO search.

"Bigger companies use recruiters to poach from others but hiring from within, even grooming over years, is just as common," said Valavanis. 

Many organizations need to do more recruiting from the wider cybersecurity community, not just among people already in leadership roles. A lot of potentially great CISOs are left undiscovered. 

"No one will admittedly say they're against diversity. Yet systemic racism, sexism, or just boys' clubism in general continues to exist," David Spark, producer, managing editor and co-host of the CISO Series, said in a CISO Series post. 

An unwillingness to move outside the organization's comfort bubble limits the number of candidates — so will the pay.

"Salaries are going up for CISOs globally, however, not all CISOs are equal and you will find strong CISOs when you match the salary based on the quality of the skills and experience," said Carson.

The median cash compensation for CISOs rose from $473,000 in 2020 to $509,00 in 2021, according to a 2021 global CISO survey from Heidrick & Struggles. Pay and benefits packages are dependent on factors such as geographical region, IT skills and size of the cybersecurity team. 

Each job is unique

Just like the mantra in cybersecurity is "there is no one-size-fits-all solution," the same can be said for the CISO. It isn't a cookie cutter position.

Not all CISOs are equal and not all businesses are the same. To find the right CISO, it is important to search for a CISO who understands the industry that the organizations operate in.

"CISOs are suffering, and we need them to be successful. In order for a CISO to succeed, we must change our path, and this means potentially rethinking our approach to cybersecurity," said Carson. 

The CISO's role within cybersecurity is not to simply put technology in place for sake of security but to put technology in place that contributes to business success while ensuring cyber risks are either reduced or eliminated.

As U.S. industries and government agencies restart operations after the winter holiday break, security researchers are warning the impacts of the Log4j vulnerability will continue to leave organizations open to potential threats in the coming weeks and months. 

"Exploitation attempts and scanning remained high during the last weeks of December," Microsoft said in an updated blogpost. Attackers have added exploits to existing malware kits and tactics, ranging from coin miners to hands-on-keyboard attacks. 

The Apache Software Foundation released version 2.17.1 of Log4j last week, the latest in a series of updates since the vulnerability was disclosed in December. The newly released fix addresses the risk of remote code execution when an attacker with certain permissions can create a malicious configuration using a JDBC Appender, according to Apache. 

Security researchers say the longer term effects of Log4j are just beginning to play out across the industry.

"As we move into 2022 we are seeing the ripples on the effects of the Log4j critical vulnerability being the new preferred threat vector for cybercriminals," said Chuck Everette, director of cybersecurity advocacy at Deep Instinct.

Log4j downloads on Maven Central surpassed 8 million since the vulnerability was first disclosed, according to Brian Fox, CTO at Sonatype. The latest release 2.17.1 saw the lowest adoption rate of all the releases, as a number of security researchers raised questions about whether the CVE-2021-44832, should have been treated as a full vulnerability. 

Researchers from Checkmarx said the vulnerability created the potential of arbitrary code execution, after a dispute arose over prior claims. 

Most federal agencies have patched or used alternate mitigation methods to resolve the potential exposure to Log4j issues, according to the Cybersecurity and Infrastructure Security Agency (CISA). The agencies had a Christmas Eve deadline to take remediation steps.

"Agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support 'solution stacks' that accept data input from the internet," a CISA spokesperson said.

In mid-December, researchers from Mandiant and Microsoft warned that nation-state actors were attempting to use the Log4j vulnerability to launch attacks against potential targets. 

CrowdStrike disrupted an attack against a large academic institution by China-based threat actor Aquatic Panda, according to a blogpost from the security firm. The attack was detected amid suspicious activity involving a VMware Horizon Tomcat web server. VMware issued guidance in December regarding potential Log4j vulnerabilities connected to VMware Horizon. 

"The security of our customers is a top priority at VMware as we respond to the industry-wide Apache Software Foundation Log4j vulnerability," a VMware spokesman said in a statement. The company issued a security advisory on Dec. 10, which includes regular updates and fixes and the firm is encouraging customers to subscribe to its security advisories mailing list.

CrowdStrike researchers declined to provide any specific geographic information or other details on the attacked organization. 

"While we cannot directly state that we are seeing broader use of this particular vulnerability by espionage actors, its viability as an access method is already proven," Param Singh, VP of Falcon OverWatch at Crowdstrike told Cybersecurity Dive via email. 

Aquatic Panda is connected to industrial espionage and intelligence collection and linked to activity starting in May 2020, according to CrowdStrike. Prior targets have mainly involved telecommunications, technology and government entities and the threat actor has relied heavily on Cobalt Strike to launch attacks, including the use of a downloader known as FishMaster, according to CrowdStrike. 

VMware officials noted that any internet-connected service that isn't yet protected against Log4j is vulnerable, and recommended immediate patching.

Companies need to create alignment, from the board level down, to assess the risk of a cyberattack on operational technology, according to Robert Lee, founder and CEO of industrial cybersecurity firm Dragos, speaking on a Dragos-Rockwell Automation webinar in January .  

OT drives revenue for industrial companies and top executives, board members and CISOs must properly allocate resources to make sure those operations are protected and can continue to function in the wake of an attack, Lee said.

CISOs need to decide what are the relevant threats for their particular company and focus on informing senior leadership about those threats, Dawn Cappelli, VP of global security and CISO at Rockwell Automation.

Companies have historically focused on the impact of ransomware and supply chain attacks on information technology but have often failed to account for the potential impact on operational technology, according to the panel. 

"A lot of these companies have a ton of intellectual property," Lee said, "and it's not maintained on an email server. It's in your manufacturing lines, it's in your production environment."

The SolarWinds supply chain attack from 2020 and the historic surge in ransomware attacks forced a renewed dialogue about how cyberattacks can essentially halt production at major industrial firms. 

Some of the most critical ransomware attacks in the U.S. in 2021 involved attacks on IT that forced the temporary shutdown of OT, creating real impacts on production capabilities and having tremendous impact on customers. During May 2021 ransomware attack on Colonial Pipeline, the largest U.S. fuel supplier, the company shut down supply lines for about six days. 

Corporate boards should be informed about potential risk scenarios that may impact certain industries, Lee said. For example, electric utilities should be aware of the 2015-2016 power grid attacks in the Ukraine, while oil and gas companies should have knowledge about the 2017 attacks that hit Saudi Arabia. 

Some CISOs make the mistake of not sharing certain information with board members because it's considered too technical, Lee said. But corporate boards are often very capable of understanding important threat information without getting into the minute detail of everything that happens at the security operations level. 

The tenor for ransomware threats changed as attacks flipped from delivering ransomware through consumer-targeted spam to spreading across networks. The threat of extortion and data exfiltration has yet to wane. 

More than half of CISOs said they were hit by ransomware at least once in 2021, according to a Black Kite-sponsored survey of 250 CISOs. More than two-thirds expect at least one ransomware attack this year. 

Though business leaders are more confident employing tactics to prevent ransomware attacks, confronting risk requires an internal commitment starting from the C-suite down to interns. "Businesses must take acceptable and calculated risks each day — the same applies to cybersecurity," said Theo Zafirakos, CISO of Terranova Security. 

As 2022 unfolds, here are three ransomware mitigation tactics to watch and employ: 

Train, train and train again

Whether negligent or malicious, insider threats are a leading cause of security incidents. Leveraging human behavior is a favored tactic for threat actors, especially when they find loopholes in technological safeguards. 

Companies will continue to invest in their employees, working to evolve  their behaviors to become more cyber-aware.  

"To succeed, organizations must invest in processes and people," said Zafirakos. Companies have put more resources toward training employees on ransomware awareness. This includes ensuring employees know how to report suspicious messages. 

Back to basics

Despite the growing sophistication of ransomware, security controls largely remain within security basics, no matter the tools a company adds. 

Up against more security measures, threat actors pivoted their tactics to turning off mitigation capabilities to deploy ransomware, said Jon Clay, vice president of threat intelligence at Trend Micro.  

This means the security basics have had some modifications. Companies are implementing multifactor authentication for administrative accounts and mission-critical business application accounts. Companies are revisiting patch management strategies so they're based on risk, which takes into account "any vulnerabilities with public proof of concepts and any actively exploited vulnerabilities being patched at once," Clay said. 

Vulnerabilities from ProxyLogon, ProxyShell and PrintNightmare drew ransomware actors last year, according to research from Tenable. Basic VPN vulnerabilities remained a top attack vector, with the potential to linger as forgotten flaws among other highly publicized vulnerabilities disclosed and exploited last year. 

Funds might be recovered

U.S. and international law enforcement pursued one of the most prolific ransomware gangs, REvil last year, and partially recovered funds paid by Colonial Pipeline. Law enforcement will likely become more intertwined in incident response for businesses this year. 

"In fact, this will be the theme for the rest of the decade," said Zafirakos. And given the onslaught of high-profile attacks lately, "the stigma of being victim to ransomware has reduced." 

Industry wants to see more action taken against cybercriminals or nation-state threats, but "they fail in their general deterrence effect to the cybercriminal undergrounds from which they operate," said Ed Cabrera, chief cybersecurity officer at Trend Micro and former CISO of the U.S. Secret Service. This is most obvious in the constant rebranding of threat groups.  

"This is not to say [law enforcement] operations are futile or not effective but rather incredibly effective in developing criminal threat intelligence across the broader criminal underground ecosystem," he said. 

Companies are not federally required to report incidents, which leaves gaps in intelligence for law enforcement agencies. "The vast majority of incident reporting today happens due to legal and regulatory requirements rather than the idea that law enforcement can immediately assist in mitigation," Cabrera said. 

Moving forward, industry wants more collaboration with regulatory agencies in developing realistic cybersecurity mandates. Government needs more insight into how regulations could impact businesses. 

For example, "requiring organizations to disclose an attack before they have a better understanding of the situation may put their networks at risk of other attackers targeting them," said Clay. 

Half of CIOs are prioritizing security management this year, as CEOs push for IT and data security upgrades to reduce corporate risk, according to IDG's annual CIO survey, which included responses from almost 1,000 heads of IT and 250 line of business participants.

Increasing cybersecurity protections is the top business initiative for 2022, especially for IT leaders in the government, education, manufacturing and healthcare sectors. Respondents cited socioeconomic factors for driving focus on security, the report said.

The majority of IT leaders, 76%, expect to be more involved in cybersecurity this year, while maintaining their role as the primary technology decision maker, the report said. This is particularly for CIOs in government, healthcare and manufacturing. Security and risk management skills are also the top skills CIOs are expected to seek this year. 

Without visibility into a company's tech stack, a CISO's ability to defend a network is weakened. Software complexity is a top challenge for CIOs and CISOs. 

The reporting structure between CIOs and CISOs varies. With IT and security demands sometimes at odds, many CISOs report directly to the CEO. However, a direct CIO to CISO rapport gives leaders insights into the network and what is necessary to defend it. 

The majority of CIOs engage with their CEOs more than other C-suite executives, while engagement is evenly split between CISOs and CTOs, a 2021 IBM report found. The survey was based on 2,500 responses from CIOs and 2,500 responses from CTOs between May and September 2021. 

IBM found that cybersecurity is among the shared responsibilities of the CIO and CTO.  

Nearly three in five respondents (57%) cited security improvements as a driver for their budget increases this year, according to IDG. The top technology investments for 2022 are in security and risk management, followed by data and business analytics, and application and legacy system modernization. Upgrades to IT infrastructure came second to security improvements as reasons for budget increases, IDG found. 

The increased focus on cybersecurity can bridge potential technological gaps between IT and the security organization. SolarWinds, for example, is a tool CIOs were likely familiar with, Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), said during a virtual Gartner conference in October. CISOs "may not have had as deep an understanding of the Orion product and platform," the software's criticality in maintaining network operations, Krebs said.

CIOs and CISOs play equal roles in defensive collaboration — each has a responsibility to demand higher security standards from the vendors they work with. CISOs have the responsibility of shedding light on risk, not necessarily security practices for their C-suite counterparts. 

As international pressure grows over Russia's conflict with Ukraine, major U.S. enterprises — particularly those operating critical infrastructure — are in the crosshairs of a nation-state military standoff that could easily spill onto the cyber terrain. 

Russia, largely isolated by the United States and key NATO allies, has demonstrated the will and ability to leverage a sophisticated arsenal of cyber capabilities from its military intelligence arm and a range of proxies from the country's criminal underground.

For private sector companies and critical infrastructure providers in the Ukraine, the U.S. and other western allies, there is a likelihood, if not an expectation, that cyberattacks will accompany any physical conflict. Cyber activity targeting production facilities, data storage centers and intellectual property could sow chaos and weaken resolve among allied nations. 

The Cybersecurity and Infrastructure Security Agency is taking this "very seriously," Jen Easterly, director of the agency told the National Governors Association winter meeting in late January. 

CISA has been working since early December "with our federal partners, our state and local partners and our industry partners to make sure that they're aware of the potential threats," Easterly said.

The National Cyber Security Centre (NCSC) in the U.K. on Friday urged companies to bolster their cybersecurity resilience by patching systems, enabling multifactor authentication, and backing up data, among other steps. NCSC has no specific threat information about attacks on U.K. organizations but is monitoring the situation in Ukraine, according to Paul Chichester, director of operations. 

"Over several years we have observed a pattern of malicious Russian behavior in cyberspace," Chichester said in a statement.

Last month's cyberattacks in Ukraine, including the defacing of multiple government websites, contained the hallmarks of activity the NCSC has seen before. 

The FBI, CISA and the National Security Agency put out a joint advisory in January about potential cyberthreats against U.S. critical infrastructure. CISA also warned U.S. companies to protect their IT systems against destructive wiper malware, which has been used against targets in Ukraine. 

The U.S. assessed total losses related to the NotPetya cyberattack in 2017 at $10 billion, as Russians trained its sites on Ukrainian rivals, according to Dawn Cappelli, vice president global security and CISO at Rockwell Automation.

"NotPetya was launched by Russia and targeted at organizations in Ukraine, but it ended up impacting businesses, including industrial control environments, around the world," Cappelli said. 

Vigilance is necessary in the face of increased threat activity from Russia directed at Ukraine, she said. 

NotPetya cost A.P. Moeller-Maersk, one of the world's largest shipping companies, about $300 million. The attack disrupted operations at 76 ports around the world, including operations in the Netherlands, Spain and Los Angeles. The company had to quickly reinstall more than 4,000 servers, 45,000 personal computers and 2,500 applications. 

Maersk declined to comment on any specific measures they are taking in response to the current warnings, but confirmed the company more generally takes steps to keep its systems up to date. 

"We continue to audit our cybersecurity maturity both internally and with external specialists so we can properly benchmark our programs and ensure we achieve and sustain business advantage," a Maersk spokesman said via email.  

Threat history

Most of Russia's offensive operations against Ukraine since 2014 are linked to a threat actor named Voodoo Bear, an organization likely controlled by the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation, according to CrowdStrike.

Early attacks between 2014-2016 were sparked by custom-delivery malware, which often included a combination of BlackEnergy malware and the KillDisk wiper. Targets included energy providers, media outlets and state-owned financial institutions, according to Crowdstrike.

By 2017, attackers deployed Filecoder.NKH through a supply chain compromise against a Ukraine IT firm. It also deployed XDATA and NotPetya using updates of M.E. Doc, an accounting software used by many firms in Ukraine.

Adam Meyers, senior vice president of intelligence at Crowdstrike, said he doesn't know if Russia is targeting western entities with a direct wiper attack, but cautioned in an email: "Crowdstrike assesses that the potential for a cyber component to increasing hostilities is very likely, but we believe the impact to the West would be the result of collateral damage, not a directed attack."

Russian Foreign Minister Sergey Lavrov reportedly threatened retaliatory measures if the West continued its aggressive steps and failed to meet its security demands regarding its opposition to Ukraine membership in NATO. 

Asked how the U.S. would respond to such threats if they involved a cyberattack, White House Press Secretary Jen Psaki said there was no current information about an imminent threat against the U.S., speaking at a Jan. 26 daily briefing.

The U.S. is prepared for such a threat from any source, Psaki said, and has a series of tools to respond.

The Information Technology Information Sharing and Analysis Center (IT-ISAC) has been monitoring the recent cyber incidents in Ukraine, said Scott Algeier, executive director of the organization, which represents more than 125 companies in the IT, food and agriculture and elections sectors.

The group shares information on threat intelligence and reports regularly on nation-state actors that engage in supply-chain attacks, disrupt critical infrastructure and use cyber to steal core intellectual property. 

"We need to prepare for the real possibility that the techniques being used against Ukraine will be used against the U.S. and others," Algeier said. "Even if their goal is to confine a cyberattack to within the Ukraine, given the interconnected nature of networks, malware can escape the specific target and spread globally quickly."

Looking for the right cybersecurity tools can be, to say the least, overwhelming and confusing. There are so many choices between the types of tools and the companies offering them and acronyms abound.

To top it off, popularity, as much as need, drives cybersecurity tool adoption.

"Tool adoption tends to be driven by headlines. Right now people are concerned about software supply chain issues so tools purporting to solve that are in vogue, even if they ultimately become shelfware," said John Bambenek, principal threat hunter at Netenrich.

But there are trends in cybersecurity tool adoption that will benefit most organizations. As 2022 unfolds, here are cybersecurity tool trends to watch.

The adoption of XDR

One of the hottest security tool trends — and the acronym du jour — is XDR, otherwise known as extended detection and response. 

Companies want more robust detection mechanisms, such as XDR, to manage overall risk in a simpler way, according to Bambenek.

Emerging security technology, including XDR, consolidates different security tools into one platform, eliminating the need to work with tools across multiple vendors, hoping they all integrate smoothly. 

"Companies are seeing tools that offer greater detection and response capabilities focusing on endpoints and cloud workers," said Steven Kent, chief technical officer with onShore Security. 

Increased security efficacy

Nine in ten organizations have adopted new security tools over the past year, according to IDG. It's a trend that will continue to rise, as Gartner predicts end-user spending for information security and risk management will exceed $170 billion this year, up nearly 10% from almost $155 billion last year. 

Threat prevention has long been a priority for organizations, but these tools aren't doing enough to stop attacks. XDR adds much-needed threat detection capabilities.

Within threat detection, one-third of organizations want to improve advanced threat detection and add automation to remediate tasks without involving IT Ops, ESG found.

Organizations are turning to XDR because the solution takes complex attacks and simplifies them, using analytics to identify what the attack is and create an automated response to then block it while in progress.

So why XDR? Companies are overwhelmed with tools that produce security findings, according to Mark Lambert, VP of Products at ArmorCode.

They don't need another scanner — they need a solution that can keep up with the volume of data produced and the increase of threats against the data, Lambert said. XDR is expected to play a major role in 2022 and beyond in improving threat detection.

The zero trust model

IT and security teams want tools that offer endpoint security. XDR is part of that solution, expanding on the more familiar endpoint detection and response (EDR) to move beyond traditional endpoint security, according to Gartner.

The rise of IoT is also driving the desire for better endpoint security. More organizations want tools and solutions that can detect threats to IoT, according to Bud Broomhead, CEO at Viakoo.

"There are more known vulnerabilities aimed at IoT systems than traditional IT systems, but IT-oriented cyber solutions do not work for IoT," said Broomhead.

Addressing these elusive threats will lead more organizations to adopt a zero trust model in 2022. The automated monitoring to detect potential threats of XDR partners well with the verify then trust principle of zero trust.

Spending on XDR solutions is expected to exceed $2 billion by 2028, complementing the rise of threats to technologies like IoT, according to Grand View Research. 

Tools on the way out

For every security tool trending in popularity, there are security tools that have outlived their usefulness. As organizations move more of their business operations to the cloud, there is less interest — or need — for on-premise solutions. Businesses are discarding these solutions in favor of cloud-based security.

But perhaps a more surprising decline is the loss of interest in maintaining or expanding SIEM investment.

"These tools are becoming a digital dumpster and there is awareness that there is not [a] good return on investment," said Bambenek.

As organizations compete on to deliver innovation to the market quickly, and while public awareness of how security breaches and attacks impact everyday life, IT and security teams need to evaluate their options and adopt the right security tools that fit their needs. 

Through it all, the biggest security adoption trend for the coming year is doing more with less and finding tools that offer greater areas of coverage and integration with current security systems.

Building in more robust detection mechanisms such as XDR remains a priority.

"Organizations want to get a better handle on managing their risk by developing informed threat models that they can use to optimize their defenses," said Bambenek.