
Axonius: Observability, Resiliency, and Zero Day Challenges in 2024

In the fast-changing world of cybersecurity, the top priorities and predictions from Axonius for 2024 include investing in observability and visibility tools, building cyber resiliency, and navigating the challenges posed by zero-day vulnerabilities and evolving SEC disclosure regulations.


Daniel Trauner, Senior Director, Security at Axonius



There are two core areas where CISOs and CIOs should invest in 2024:

Observability/Visibility Tools


If we can’t fully protect against a breach or cyber incident occurring, we at least need to know that it happened and be able to write rules to detect it sooner or prevent it in the future to avoid repeating mistakes. Knowing all your assets, having good centralization of your logs, and being able to point to the root cause of an incident very quickly maximize your options for response (and likely will contribute to minimizing damage).


Cyber Resiliency


Having a good handle on business continuity and disaster recovery and engaging in tabletop exercises to understand how you would react in specific scenarios will be critical. A lot of companies are not as prepared as they should be because they think they have all the structures in place that they’ll need, but they don’t know how they’ll actually fare amid the stress and potential chaos of a cyber incident. Companies that are able to confidently make statements that they will be able to recover fully in a short amount of time or that they have everything under control will be in the best position over the coming year to survive cyber attacks, especially in the eyes of investors and stakeholders.

Overall, we know we won’t be able to stop every cyber attack in full and we know mistakes happen. The key is for companies to invest in the tools that set them up to learn from mistakes and prevent/prep for them in the future and invest in resiliency exercises and training to ensure cyber incidents are handled well and quickly.

Zero-Day Predictions for 2024

While some statistics may suggest a growing number of zero-day vulnerabilities, it's important to consider larger trends in the vulnerability space. There's undoubtedly increased interest from organizations in identifying vulnerabilities for both offensive and defensive purposes. More broadly, an increasing reliance on technology by both consumers and businesses with growing emphasis on automation, AI, and connected devices in turn increases the total attack surface across which vulnerabilities are found. This growth in total attack surface is another likely contributor.

In 2024, it will continue to be imperative for professionals to understand the security implications of applying technology to new areas or expanding its existing use. Organizations that neglect to understand their total attack surface and gaps in defenses will have the highest risk of attack in the new year. Keeping a system's attack surface small is one of the best ways to reduce the potential for new vulnerabilities.

While companies that can’t quickly deploy updated patches may be at a disadvantage, security leaders must be prepared to start contextualizing vulnerability issues within their organizations rather than spinning their wheels to patch every single vulnerability that crosses their security landscape. As CVEs continue to be recognized at a rapid pace, organizations must regularly assess their business goals to determine what security issues must be prioritized and how. This method will result in greater risk reduction overall in 2024.

SEC Disclosure Regulations in 2024


There is a lot that is being figured out now about what constitutes a “material” cybersecurity incident, and where the minimum bar should be set when it comes to a company’s security posture. As a result, we’ve seen a large variety in companies’ recent cyber incident disclosures, including the frequency, level of detail, and even timing.

2024 is likely to be a “reckoning” year – including precedent-setting enforcement actions – as far as drawing some of these lines. I’d like to see some more proactive discussions in this area by the SEC and others vs. relying on “regulation by enforcement.” If regulators and the industry aren’t proactive in this area, we may end up in a situation where companies play it safe and over-disclose information to the point of creating noise that masks truly material incidents. The reality is that every company experiences incidents, and not all of them should require public disclosure.


