Each year, I get together with a group of my talented colleagues here at Quest to brainstorm about the key trends for the coming year. Not surprisingly, several of our predictions center around artificial intelligence (AI) and machine learning (ML); I’ll reveal what our experts think is hype versus reality in this fast-moving and critically important area.
But AI is not the only issue that’s driving important IT trends. Indeed, we are seeing a broader increase in the complexity of managing and securing today’s hybrid IT ecosystems, which is made more difficult by global economic challenges and IT talent shortages. These forces are combining to push organizations towards effective, integrated solutions that can enhance cyber resilience — efficiently and cost-effectively. As Gartner puts it, “Increased complexity in security is challenging security practitioners to decide where to focus their efforts. The volume of threats and the disruption they cause will drive interest toward security solutions that help identify and prioritize the most-critical risks and exposures.” (Gartner, “Emerging Tech: Security — The Future of Attack Surface Management Supports Exposure Management”; Ruggero Contu, Elizabeth Kim and Jonathan Nunez; 19 April 2023; ID G00775089)
Let’s dive into the specific trends that our team predicts will be unfolding in 2024.
1. Adversaries will take the lead in the AI battle — but reality is not as bad as the headlines claim.
We are seeing automation in general — and AI and ML in particular — claiming a larger role in cybersecurity, in both offense and defense. Let’s start with how attackers are exploiting AI and what it means for the threat landscape in 2024.
As my colleague Matthew Vinton, strategic systems consultant at Quest, points out, we are already seeing that the advancements in AI and ML are making sophisticated and powerful attacks far more accessible to the masses. In particular, the threat landscape changed dramatically in November 2022 when OpenAI released a free version of ChatGPT, a chatbot based on large language model (LLM) technology. Within five days, more than one million people had become registered users. Now it seems like a new LLM appears every week, from Google Bard to the open-source WormGPT (which ZDNet dubbed “ChatGPT’s malicious cousin”) to the upcoming Grok from xAI (which Elon Musk says will have a “rebellious streak”). Perhaps the most obvious way these tools are empowering cybercriminals is by enabling them to quickly collect information and generate text. Indeed, research shows LLMs have slashed the time required to craft “highly convincing” phishing emails from days to mere minutes.
Unfortunately, though, launching an onslaught of compelling phishing emails is just one of the many ways that adversaries are abusing AI. For instance, LLMs now boast capabilities far beyond merely returning text: they can make API requests, run searches, execute generated code and more, which means a model that is fed untrusted input can be turned against the systems it is connected to. Indeed, the Open Worldwide Application Security Project (OWASP), a nonprofit foundation that works to improve the security of software, brainstormed 43 distinct threats for LLMs. Their pared-down list of the top ten vulnerabilities for LLMs includes prompt injection, data leakage, poisoning of training data, inadequate sandboxing and unauthorized code execution. By exploiting these vulnerabilities, adversaries can achieve a wide range of goals, such as data exfiltration, remote code execution, privilege escalation and service disruption.
So, it is indeed clear that AI technologies will be an increasingly powerful weapon for a wide range of malicious actors. But before you throw up your hands in despair, consider this perspective from Mike Wilson, distinguished engineer and AI security evangelist at Quest. He acknowledges that in 2024 and the next few years beyond, attackers will likely gain the upper hand in use of AI. For example, big ransomware shops will aggressively exploit the technology to launch more high-profile attacks with a higher success rate.
However, he explains, that’s a far cry from the hype suggesting that AI will empower every person with malicious impulses to become a high-powered cybercriminal. The truth is, using AI effectively requires some significant technical chops. For example, suppose that someone manages to trick ChatGPT into writing a C# program to send a clickable email designed to install malware on the victim’s device. The targeted company’s defenses should easily detect and block this hack. To create something that will actually get past modern defenses, an adversary needs a much deeper understanding of software engineering, business applications and their vulnerabilities, and cybersecurity tools and techniques. So, at least for 2024, lack of technical expertise will remain a huge barrier for wannabe hackers.
2. Adoption of AI for defense will progress, but at a slower pace.
Now let’s turn to how AI will be used by defenders to improve cybersecurity in 2024. It’s clear that AI will be on the radar of corporate leaders — in one survey of cybersecurity stakeholders, a full 98% of respondents said they were at least somewhat worried about the cybersecurity risks posed by AI technologies. But how will organizations adapt and improve their defenses?
Bryan Patton, CISSP and principal solutions consultant at Quest, explains that organizations must focus on both proactive risk mitigation and real-time threat detection and response. With the ongoing cybersecurity talent shortage (more on that in a moment!), organizations will be looking for proverbial Easy buttons that streamline and automate these critical tasks, including the following:
- Tools that can identify and even help remediate system and application misconfigurations that are ripe for exploitation by malicious actors
- A solution that maps out attack paths in Active Directory (AD) — chains of abusable privileges and actions that could enable an adversary who has taken over an ordinary user account to take control of the entire IT environment in just a handful of steps — and the choke points they need to mitigate in order to shut down those attack paths
- Tools that speed incident detection and response by analyzing logs, pinpointing true threats and reducing false alerts
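The second item above describes attack path analysis. The following is an added example, not code from the original post or from any Quest product, that shows what such a tool computes: on a constructed privilege graph it finds the shortest chain of abusable relationships from an ordinary user to Domain Admins, and then identifies the choke points, the nodes whose removal severs every user's path to the Tier Zero asset. Every user, computer, group and edge in the graph is hypothetical; the edge names mirror the relationship types that BloodHound-style collectors report.

```python
"""
Added example (not from the original post or Quest's products): finding
Active Directory attack paths and choke points on a constructed privilege
graph. Every node and edge below is hypothetical; edge types mirror the
abusable relationships that BloodHound-style collectors report.
"""
from collections import deque

# Constructed graph: controlling the key node lets an attacker take over each
# listed target via the named relationship. Assumption: every edge type here
# is fully abusable (no tiering, LAPS or other hardening stands in the way).
AD_EDGES = {
    "alice@corp.local":      [("WS-ALICE", "AdminTo")],
    "WS-ALICE":              [("svc-backup@corp.local", "HasSession")],
    "svc-backup@corp.local": [("Helpdesk@corp.local", "MemberOf")],
    "Helpdesk@corp.local":   [("SRV-FILE01", "AdminTo"), ("SRV-SQL01", "AdminTo")],
    "SRV-FILE01":            [("IT-Ops@corp.local", "GenericAll")],
    "SRV-SQL01":             [("IT-Ops@corp.local", "GenericWrite")],
    "IT-Ops@corp.local":     [("Domain Admins@corp.local", "WriteDacl")],
    "bob@corp.local":        [("IT-Ops@corp.local", "MemberOf")],
}
TIER_ZERO = "Domain Admins@corp.local"
ORDINARY_USERS = ["alice@corp.local", "bob@corp.local"]


def all_nodes(graph):
    return set(graph) | {t for edges in graph.values() for t, _ in edges}


def reachable(graph, start, removed=frozenset()):
    """Nodes reachable from `start` once the nodes in `removed` are taken off the graph."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt, _ in graph.get(node, ()):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def shortest_attack_path(graph, start, target):
    """BFS from `start`; returns [(node, edge_used_to_reach_it), ...] or None if unreachable."""
    parent = {start: None}
    queue = deque([start])
    while queue and target not in parent:
        node = queue.popleft()
        for nxt, edge in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = (node, edge)
                queue.append(nxt)
    if target not in parent:
        return None
    path, node = [], target
    while node is not None:
        prev = parent[node]
        path.append((node, prev[1] if prev else None))
        node = prev[0] if prev else None
    return path[::-1]


def cut_impact(graph, sources, target):
    """For each intermediate node: how many sources lose every path to `target` if it is removed."""
    exposed = [s for s in sources if target in reachable(graph, s)]
    impact = {}
    for node in all_nodes(graph) - set(sources) - {target}:
        cut = sum(1 for s in exposed if target not in reachable(graph, s, frozenset({node})))
        if cut:
            impact[node] = cut
    return impact


def choke_points(graph, sources, target):
    """Nodes whose removal cuts off every exposed source at once: the places to fix first."""
    exposed = sum(1 for s in sources if target in reachable(graph, s))
    impact = cut_impact(graph, sources, target)
    return sorted(node for node, cut in impact.items() if exposed and cut == exposed)


def inbound_edges(graph, node):
    """The relationships that grant control over `node`; removing them closes the choke point."""
    return [(src, edge) for src, edges in graph.items() for tgt, edge in edges if tgt == node]


if __name__ == "__main__":
    for user in ORDINARY_USERS:
        steps = shortest_attack_path(AD_EDGES, user, TIER_ZERO)
        print(" -> ".join(f"{n} [{e}]" if e else n for n, e in steps))
    for cp in choke_points(AD_EDGES, ORDINARY_USERS, TIER_ZERO):
        print("choke point:", cp, "granted by", inbound_edges(AD_EDGES, cp))
```

Note the design point the graph is built to show: the file server is on alice's shortest path but is not a choke point, because a second path through the SQL server bypasses it; only the IT-Ops group, which both users' paths run through, severs everything. Fixing the three edges into that one group closes both paths, which is why attack path tools rank choke points rather than individual misconfigurations.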
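The third item above, pinpointing true threats in logs while suppressing false alerts, is easier to judge with a concrete detector in hand. The following is an added example, not code from the original post or any Quest product: a sliding-window detector that reads failed-logon events and raises one alert for a password spray (one source, many accounts) and one for a brute-force attempt (one source, one account, many tries), while a user who mistypes a password twice and then signs in produces nothing. The log lines are constructed for this example and use a simplified "timestamp event_id user source_ip" layout; the 4625/4624 event IDs are the Windows Security failed/successful logon IDs, and the thresholds and window are assumed values a team would tune to its own environment.

```python
"""
Added example (not from the original post or any Quest product): a small
sign-in failure detector that separates two real attack patterns from noise.
Log lines are constructed; the layout "timestamp event_id user source_ip" is
a simplification, with 4625 = failed logon and 4624 = successful logon.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = [
    # alice mistypes her password twice, then signs in: noise, not an alert
    "2024-01-15T08:00:01Z 4625 alice 10.0.0.5",
    "2024-01-15T08:00:09Z 4625 alice 10.0.0.5",
    "2024-01-15T08:00:15Z 4624 alice 10.0.0.5",
] + [
    # one source fails once against each of eight accounts: password spray
    f"2024-01-15T08:01:{i:02d}Z 4625 {user} 203.0.113.7"
    for i, user in enumerate(["bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan"])
] + [
    # one source hammers a single account twelve times: brute force
    f"2024-01-15T08:02:{i:02d}Z 4625 judy 198.51.100.3" for i in range(12)
]


def parse_line(line):
    ts, event_id, user, ip = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event_id": event_id,
        "user": user,
        "ip": ip,
    }


def detect(lines, window=timedelta(minutes=10), spray_users=5, brute_attempts=10):
    """Sliding-window detection. One alert per (pattern, key), raised when the
    threshold is first crossed, so a sustained attack does not flood the queue."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    fails_by_ip = defaultdict(deque)       # ip -> deque of (ts, user)
    fails_by_account = defaultdict(deque)  # (user, ip) -> deque of ts
    alerts, raised = [], set()
    for e in events:
        if e["event_id"] != "4625":        # only failed logons feed the counters
            continue

        # Password spray: distinct accounts attacked from one source within the window.
        ip_q = fails_by_ip[e["ip"]]
        ip_q.append((e["ts"], e["user"]))
        while e["ts"] - ip_q[0][0] > window:
            ip_q.popleft()
        targets = {u for _, u in ip_q}
        if len(targets) >= spray_users and ("spray", e["ip"]) not in raised:
            raised.add(("spray", e["ip"]))
            alerts.append({"type": "password_spray", "src_ip": e["ip"],
                           "users": sorted(targets), "at": e["ts"]})

        # Brute force: repeated failures against one account from one source.
        acct_q = fails_by_account[(e["user"], e["ip"])]
        acct_q.append(e["ts"])
        while e["ts"] - acct_q[0] > window:
            acct_q.popleft()
        key = ("brute", e["user"], e["ip"])
        if len(acct_q) >= brute_attempts and key not in raised:
            raised.add(key)
            alerts.append({"type": "brute_force", "user": e["user"], "src_ip": e["ip"],
                           "attempts": len(acct_q), "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The two counters are keyed differently on purpose: a spray is invisible per account (each user fails only once, well under any lockout threshold) and only shows up when failures are grouped by source, which is exactly the aggregation an analyst reading raw 4625 events one at a time will miss.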
Organizations will also be looking to strengthen their approach to authentication and authorization in response to increased use of generative AI and deepfake technology. For example, an adversary successfully used AI to fake the voice of an IT team member and obtain a multifactor authentication (MFA) code needed to further their cyberattack on software company Retool. To block such attacks, organizations must double down on a Zero Trust security model: they need to gain a thorough understanding of their critical assets, or Tier Zero, and challenge every authentication, access request and change involving those assets.
3. AI will not be a panacea for the IT talent shortage.
As you may recall, overcoming the IT talent shortage was the core theme of Quest’s predictions for 2022. Back then, we outlined three key factors exacerbating the skills gap — the IT talent shortage, the Great Resignation and the Great Resistance.
We predicted that these realities would drive organizations to the cloud and automated third-party solutions, and those strategies have indeed helped to ease the burden of IT management. However, as Brian Hymer, solutions architect at Quest, points out, the IT talent shortage is proving to be a difficult and long-term challenge that can have costly ramifications. For example, lack of cybersecurity expertise can lead to misconfigurations of critical applications and infrastructure components. Just one misconfigured setting can open the door to a serious breach and all the expensive consequences: extended downtime and lost revenue, costly forensic and repair efforts, steep compliance penalties, lasting brand damage, and more.
As we have seen, counting on AI to supercharge security tools in the near term is a pipe dream. Some organizations are going DIY, using AI to help produce PowerShell scripts and KQL queries to manage and secure their environment more effectively. But this strategy has limited value for the same reason that AI isn’t making every wannabe hacker into a force to be reckoned with: using AI effectively requires underlying expertise. It’s not helpful to churn out PowerShell scripts if your IT admins don’t have the expertise to understand, review and troubleshoot them; indeed, you’re just as likely to introduce a vulnerability into your environment as you are to strengthen cybersecurity.
Simply put, there’s just no substitute for having IT professionals with a foundational understanding of the technologies being used in your IT environment. Accordingly, organizations need to continue to look for new cybersecurity talent where they can, while also providing good training for their current teams and incentivizing them to stick around. Interestingly, automating routine tasks is not only valuable for freeing up IT pros to work on more strategic tasks; it also contributes to their job satisfaction.
4. Dream cybersecurity budgets will meet some harsh realities.
Of course, no discussion of cybersecurity can avoid the topic of budget (as much as we might all wish otherwise!). John Hernandez, president and general manager at Quest, offers a proverbial splash of cold water in this area. Constant threat of U.S. government shutdowns and credit downgrades by Moody’s, a growing number of worker strikes, and other macroeconomic headwinds are putting board-level focus back on cost savings. This means cybersecurity budgets aren’t growing at the rate that they did during the pandemic. As a result, CISOs and CIOs will need to prioritize their budget spends in 2024.
What are the actual figures? A recent Osterman Research survey of CEOs and CISOs reports that cybersecurity budgets increased an average of 11% from 2022 to 2023. However, nearly all (94%) respondents said their dream budget would be higher. On average, they say they could put twice as much budget to productive and effective use, with some desiring three to five times as much.
Meanwhile, a report from CSO Online finds that cybersecurity spending increases are starting to taper off in response to factors like global instability and inflationary pressures. It notes that many CISOs even said that their approved 2023 budgets were being cut as part of overall budget tightening. Moreover, among the organizations that did increase their cybersecurity budgets, 80% indicated that the budget increase was driven by a security incident, major industry disruption or other extreme circumstances.
Accordingly, we expect the trend for 2024 to be a shift to a reactionary approach to funding cybersecurity projects. While the most common triggering events will likely be breaches or other incidents that lead to downtime and other costs, there are others. For example, organizations looking to purchase cyber insurance are increasingly being required to complete risk assessments and mitigate security gaps that are uncovered. Another common driver will be audit findings or emerging regulatory requirements, like the new SEC rules on cybersecurity risk, governance and incident disclosure. We have even seen a cyber attacker file an SEC complaint against its own victim for not disclosing the breach to the SEC!
5. Organizations will be unable to retire old Active Directory servers, so they will need to secure them.
My discussion with my Quest colleagues also dived deeper into some more technical areas. Since Quest is the go-to vendor for just about everything related to Active Directory and Entra ID (formerly Azure AD), we naturally explored the trends in that arena.
First, Richard Dean, senior manager for technical product management at Quest, reflected on how the uncertainty around the economy we just discussed would impact Active Directory environments. He notes that many organizations still rely on legacy applications that require an older Active Directory server, describing these custom and third-party apps as the super glue that keeps older instances of Active Directory present in the IT ecosystem.
These legacy apps often appear on the list of “things we really need to address RSN (real soon now)” — but the tightening of IT budgets that we just discussed will push the likelihood that organizations finally rewrite or replace them down to roughly zero.
However, there’s no escaping the reality that the older AD servers those applications depend upon are often out of date, unpatched and even forgotten, which makes them a serious security risk. Indeed, they are easy targets for cybercriminals, who often know AD’s vulnerabilities better than IT teams do and target it relentlessly.
Since budgets in 2024 won’t allow for full AD modernization, organizations will need to take steps to mitigate their risk. They will be looking to implement controls and processes that enable them to lock down those older instances of AD to shield their IT environment from attacks.
6. Organizations will prioritize not just IAM but Active Directory security.
Zooming out a bit, Daniel Gauntner, director of product marketing at Quest, offered some insights into how organizations will approach Active Directory in the context of their identity and access management (IAM) strategy. He points out IAM is indeed a critical layer in security, but it heavily relies on the integrity of the underlying systems. For most organizations today, the backbone for user authentication and authorization is Active Directory.
Accordingly, focusing on IAM while neglecting the security of the underlying Active Directory infrastructure can be a dangerous oversight — it’s analogous to ensuring that users have secure access to their car with a key fob while ignoring the vulnerabilities in the car’s engine and control systems. After all, an attacker who gains access to AD can manipulate user credentials, compromise sensitive data and potentially gain control over the entire domain or forest.
So, in 2024, organizations will be looking to prioritize both IAM and Active Directory security, as one without the other leaves an organization vulnerable to costly breaches, downtime and compliance penalties. Focusing on both is vital to creating a robust defense against evolving threats. Gauntner cautions that this strategy involves not only strengthening internal cybersecurity controls but also hardening the supply chain by choosing software and service vendors that take security seriously.
7. Organizations will expand their strategy to cyber resilience, putting a renewed emphasis on Active Directory recovery.
Zooming out even more, Jason Morano, senior solutions consultant at Quest, predicts that in 2024, organizations will increasingly be expanding their attention from cyber security to cyber resilience. After all, the primary goal for organizations is to keep the business up and running as much as possible, and restore operations quickly whenever necessary, whether system downtime stems from a cyberattack or some other cause, such as an inadvertent misstep by an admin, a hardware failure or a natural disaster.
A vital ingredient in cyber resilience is ensuring that your Active Directory disaster recovery strategy is up to snuff. Simply put, every second that your Active Directory is down, your business is dead in the water — and the costs skyrocket quickly. For example, 66% of the respondents to a Sophos survey said their organization was hit by ransomware in 2023, and a recent Forrester Total Economic Impact report found that a ransomware incident costs on average $730,000 for every hour that AD is offline. An ITIC report pegs the costs even higher, noting that 40% of enterprises say that a single hour of downtime costs $1 million to over $5 million. In a worst-case scenario, losses can reach millions of dollars per minute. (For a kicker, those figures don’t even include any legal fees, fines or penalties resulting from the incident.)
Organizations looking to bolster the resiliency of their IT environments don’t have to start from scratch. There are established cyber resilience frameworks that provide structured best practices and recommended security controls that they can adopt to improve their ability to block, withstand and recover from cybersecurity threats. These frameworks do not list hard-and-fast rules to follow or detail a specific set of technologies or products to implement, so they can be readily adapted to meet an organization’s unique goals and requirements.
8. More organizations will wake up to the reality that Entra ID can be compromised.
On-premises Active Directory has long been the primary identity store and provider of authentication and authorization services for most organizations, so cybersecurity strategy has long centered around it. That remains true even as organizations have embraced the cloud, since most of them have established a hybrid environment in which identity data is synced from Active Directory to Entra ID.
But my colleague Bryan Patton is seeing a notable shift in how Entra ID security is perceived. He notes that early in the adoption of cloud technologies, there were two contrasting views, with some people believing that cloud services are extremely insecure and others holding that they are excessively secure. Now, there is a trend toward a more balanced and accurate viewpoint: Cloud services such as Entra ID offer robust cybersecurity controls, but they are not bulletproof. In other words, there is a growing recognition that Entra ID cannot be neglected in an organization’s cybersecurity and cyber resilience planning.
This shift is at least partly based on real-life experiences and cold, hard numbers. Attendees of The Experts Conference (TEC) 2022 and 2023, for instance, saw just how easy it is for adversaries to steal a token and bypass MFA. And Microsoft just reported in their 2023 Digital Defense Report that over the last year, password-based attacks have increased tenfold and token replay attacks have doubled.
The fact is, Entra ID configurations and attributes are like a bowl of spaghetti noodles in a single-tenant environment, let alone when you have multiple tenants. As a result, admins and other IT pros playing defense have a hard time spotting misconfigurations, suspicious changes and other threats. This lack of visibility will lead to more breaches — which in turn will spur organizations to seek out solutions for finding and remediating both vulnerabilities and threats in progress.
9. Microsoft’s Multi-Tenant Organizations will see rapid adoption — but it must be understood to be a temporary band-aid.
In August 2023, Microsoft launched a new Entra ID solution called Multi-Tenant Organization (MTO). According to Microsoft, an MTO is a set of up to five Entra ID tenants connected together by cross-tenant access policies in order to make it easier for users to share information.
My colleague Becky Cross, technical product manager at Quest, expects to see quick adoption of this feature by organizations that want to achieve quick cross-tenant collaboration and gain some breathing room to plan and execute their actual tenant consolidation. In fact, Cross reports that Quest is already seeing migration customers who have started using MTO.
However, Cross cautions that while this feature delivers many benefits to business users and accelerates the first phase of an M&A IT integration project, it creates more management headaches for administrators. That is, an organization can quickly get employees from all entities of an M&A deal working together — but keeping separate tenants for the long-term increases security concerns, complexity and costs, since MTO does not consolidate administrative tasks on the back end.
In short, the Multi-Tenant Organization capability gives organizations a quick band-aid and enables them to punt the more costly consolidation effort down the road. But it is not intended as a long-term interoperability strategy — at some point, the band-aid will fall off due to security concerns and the burden on administration resources.
10. When it comes to M&A, the watchwords for 2024 will be “bargain-hunting” and “anti-trust.”
Last but not least, Richard Dean, senior manager of technical product management at Quest, turned our attention to merger and acquisition (M&A) activity. He notes that the economy has resulted in a mixed bag of distressed and cash-rich companies, with PwC’s 2023 mid-year report on global M&A trends forecasting that mid-market transactions will be dominating the market.
Specifically, distressed companies with flat revenues will look to divest non-core areas of their business to improve the look of their balance sheets; these carve-outs create opportunities for surgical tenant-to-tenant migration projects. Meanwhile, the cash-rich and high-growth sectors will still bring in a few M&A whales, which will create multi-year migration opportunities. Overall, companies are kicking the tires and looking for good deals.
Meanwhile, in July 2023, the Federal Trade Commission (FTC) and the Department of Justice’s Antitrust Division issued a set of proposed merger guidelines for public comment. According to a statement, the proposed merger guidelines are driven by three key goals:
- Reflect the reality of how organizations do business in the modern economy.
- Reflect the full scope of US antitrust laws and prevailing legal precedent.
- Provide a clear and administrable framework that both courts and market participants can apply.
Organizations interested in M&A activity in 2024 will need to remain abreast of the status of these proposed merger guidelines to ensure that their deals meet any approved new standards.
That’s it for Quest’s predictions for 2024! As always, we hope you’ll find them useful in enhancing the security, productivity and cyber resilience of your organization in the coming year.