Blue Team Predictions for 2023

It’s that time of the year when we see the headlines predicting how attacks will change and evolve in the new year. However, cyber defence is improving too, so it’s only fair to make some predictions for the Blue Team and what we can potentially expect to see in terms of cyber defence in 2023.

Making Use of Native AD Controls

More and more defenders are seeing the benefit of using the native Active Directory controls to protect privileged identities. Even with a PAM solution in place, native AD lockdown is still required, and it adds real value in preventing privilege escalation and lateral movement. Many security tools are adding AD compliance checks, whether in real time or on a snapshot basis, to their feature lists. Locking down AD is not always easy, but we expect blue teams to be more aggressive with it in 2023.
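As an added example (not code from the original post or from any vendor's AD compliance product), the following Python runs a snapshot-style check over a constructed export of user objects: it flags privileged accounts that are outside Protected Users, still allow Kerberos delegation, carry an SPN, skip pre-authentication or never expire their password, and it flags stale adminCount=1 on accounts that are no longer privileged. The domain DN, group names and account records are made up; the userAccountControl bit values are the real ones from the AD schema.

```python
"""Snapshot-style compliance check for privileged AD accounts.

Added example, not code from the original post or any product. It runs over a
constructed snapshot (a list of dicts shaped like LDAP attributes) so it works
offline; in practice the snapshot would come from an LDAP export or Get-ADUser.
The domain, group DNs and accounts below are invented for illustration.
"""

# userAccountControl bits, as defined in the AD schema documentation
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
UAC_NOT_DELEGATED = 0x100000           # "account is sensitive and cannot be delegated"
UAC_DONT_REQ_PREAUTH = 0x400000        # AS-REP roastable

# Assumption: these built-in groups define "privileged"; a real check would
# add the organisation's own tier-0 groups.
PRIVILEGED_GROUPS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    "CN=Enterprise Admins,CN=Users,DC=corp,DC=example",
    "CN=Administrators,CN=Builtin,DC=corp,DC=example",
}
PROTECTED_USERS = "CN=Protected Users,CN=Users,DC=corp,DC=example"


def is_privileged(account):
    """True if the account is a direct member of any privileged group."""
    return bool(set(account.get("memberOf", [])) & PRIVILEGED_GROUPS)


def check_account(account):
    """Return a list of finding codes for one privileged account."""
    findings = []
    uac = account["userAccountControl"]
    if PROTECTED_USERS not in account.get("memberOf", []):
        findings.append("NOT_IN_PROTECTED_USERS")
    if not uac & UAC_NOT_DELEGATED:
        findings.append("DELEGATION_ALLOWED")      # can be impersonated via delegation
    if account.get("servicePrincipalName"):
        findings.append("HAS_SPN")                 # Kerberoastable admin credential
    if uac & UAC_DONT_REQ_PREAUTH:
        findings.append("NO_PREAUTH")
    if uac & UAC_DONT_EXPIRE_PASSWORD:
        findings.append("PASSWORD_NEVER_EXPIRES")
    if uac & UAC_TRUSTED_FOR_DELEGATION:
        findings.append("UNCONSTRAINED_DELEGATION")
    return findings


def audit(snapshot):
    """Map sAMAccountName -> findings for every account that needs attention.

    Privileged accounts get the full check. Non-privileged accounts that still
    carry adminCount=1 are reported as stale: AdminSDHolder protection is not
    removed automatically when an account leaves a protected group.
    """
    report = {}
    for acct in snapshot:
        name = acct["sAMAccountName"]
        if is_privileged(acct):
            findings = check_account(acct)
            if findings:
                report[name] = findings
        elif acct.get("adminCount") == 1:
            report[name] = ["STALE_ADMINCOUNT"]
    return report


# Constructed snapshot (invented accounts) standing in for an LDAP export.
SNAPSHOT = [
    {"sAMAccountName": "da.alice",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example", PROTECTED_USERS],
     "userAccountControl": 0x200 | UAC_NOT_DELEGATED, "adminCount": 1},
    {"sAMAccountName": "svc.backup",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"],
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "userAccountControl": 0x200 | UAC_DONT_EXPIRE_PASSWORD, "adminCount": 1},
    {"sAMAccountName": "bob",
     "memberOf": ["CN=Domain Users,CN=Users,DC=corp,DC=example"],
     "userAccountControl": 0x200, "adminCount": 1},
    {"sAMAccountName": "carol",
     "memberOf": ["CN=Domain Users,CN=Users,DC=corp,DC=example"],
     "userAccountControl": 0x200 | UAC_DONT_REQ_PREAUTH},
]

if __name__ == "__main__":
    for name, findings in audit(SNAPSHOT).items():
        print(f"{name}: {', '.join(findings)}")
```

In the constructed data, da.alice passes cleanly, svc.backup is the classic problem (a service account in Domain Admins with an SPN and a non-expiring password, which is a Kerberoasting target that yields domain admin), and bob shows the stale adminCount that a snapshot check catches but a live group-membership check would miss. Note that carol's missing pre-authentication is not reported because the check is scoped to privileged accounts; widening the scope is a one-line change in audit().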

XDR is Becoming Real

The benefits of “XDR” are becoming clearer. While the marketing folks drive the XDR message, the definition will become more standardised, which is something to look forward to, although I don’t expect everyone to agree on what XDR is even by the end of 2023. Vendors selling XDR platforms will continue to add support for third-party products, but their list will always be more limited than that of MDR providers, who actually deliver on the “XDR” vision with a greater number of integrations.

Everybody’s Mind is in the Cloud

Cloud security is an interesting space and may see a lot of evolution in 2023. It has been a long time coming: most clients we see have a growing cloud presence, some with a multi-cloud strategy. Many moved to the cloud expecting to use the native cloud security reporting and controls to secure their tenant, but this does not seem to have worked out for everyone. Cloud security modules and dedicated products will get more interest in 2023, but budgets will probably need to be adjusted, and real traction will only be seen in the later part of 2023 or early 2024. In any case, secure configuration of tenants will get more attention.

SOAR is Moving to Automated Response

While clients are still looking to implement SOAR, as soon as they learn that part of SOAR introduces a risk of impacting the business (for example, automatically isolating the CEO’s laptop), the resistance starts. In 2022 we saw clients being more open to accepting this risk, provided the automated response is implemented in a well-controlled manner, for instance limited to high-confidence detections and with an approval step for business-critical assets. We expect clients to continue to embrace automated response as it becomes more evident that it can stop attacks in their early stages. This will still take years, but the momentum is building.
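As an added example of what “well-controlled” can look like in a playbook (not code from the original post or from any SOAR product), the following Python puts three guardrails in front of an automated host-isolation step: a confidence floor, an approval route for VIP and critical assets instead of direct action, and a cap on how many isolations the playbook may perform in a rolling window so a noisy detection cannot take down a whole site. The asset tiers, thresholds, hostnames and alerts are assumptions constructed for illustration.

```python
"""Guardrails for an automated-response (host isolation) playbook step.

Added example, not from the original post or any SOAR product. Alerts and
assets are constructed; tier names, the confidence floor and the isolation
cap are assumptions a team would tune to its own environment.
"""
from collections import deque
from dataclasses import dataclass, field

CONFIDENCE_FLOOR = 0.9           # assumption: below this, never act automatically
MAX_ISOLATIONS_PER_WINDOW = 5    # blast-radius cap within one rolling window
WINDOW_SECONDS = 3600


@dataclass
class Asset:
    hostname: str
    tier: str        # assumed tiering: "standard", "vip" or "critical"
    owner: str


@dataclass
class Alert:
    id: str
    hostname: str
    confidence: float   # detection confidence from the EDR/XDR, 0..1
    ts: int             # epoch seconds


@dataclass
class Responder:
    assets: dict                                    # hostname -> Asset
    recent: deque = field(default_factory=deque)    # timestamps of auto-isolations
    actions: list = field(default_factory=list)     # audit trail of decisions

    def _prune(self, now):
        """Drop isolation timestamps that have fallen out of the window."""
        while self.recent and now - self.recent[0] >= WINDOW_SECONDS:
            self.recent.popleft()

    def decide(self, alert):
        """Return (action, reason); action is 'isolate', 'approval' or 'ticket'."""
        asset = self.assets.get(alert.hostname)
        if asset is None:
            return "ticket", "unknown asset, no automated action"
        if alert.confidence < CONFIDENCE_FLOOR:
            return "ticket", "confidence below floor"
        if asset.tier in ("vip", "critical"):
            return "approval", f"{asset.tier} asset, analyst approval required"
        self._prune(alert.ts)
        if len(self.recent) >= MAX_ISOLATIONS_PER_WINDOW:
            return "approval", "isolation cap reached for window"
        return "isolate", "standard asset, high-confidence detection"

    def handle(self, alert):
        """Apply the decision, record it, and return the action taken."""
        action, reason = self.decide(alert)
        if action == "isolate":
            self.recent.append(alert.ts)   # the real EDR isolate call would go here
        self.actions.append((alert.id, alert.hostname, action, reason))
        return action


# Constructed asset inventory and alerts (invented hostnames).
ASSETS = {
    "ws-fin07": Asset("ws-fin07", "standard", "finance"),
    "ws-ceo01": Asset("ws-ceo01", "vip", "ceo"),
    "dc01": Asset("dc01", "critical", "infrastructure"),
}
ALERTS = [
    Alert("A1", "ws-fin07", 0.97, 1000),   # standard host, high confidence
    Alert("A2", "ws-ceo01", 0.99, 1010),   # the CEO's laptop
    Alert("A3", "dc01", 0.95, 1020),       # a domain controller
    Alert("A4", "ws-fin07", 0.60, 1030),   # low-confidence detection
    Alert("A5", "ws-unknown", 0.99, 1040), # not in the inventory
]


def run_demo():
    """Run the constructed alerts through a fresh Responder; return its audit trail."""
    responder = Responder(dict(ASSETS))
    for alert in ALERTS:
        responder.handle(alert)
    return responder.actions


if __name__ == "__main__":
    for alert_id, host, action, reason in run_demo():
        print(f"{alert_id} {host:<11} {action:<9} {reason}")
```

The point of routing VIP and critical assets to “approval” rather than simply excluding them is that the alert still reaches an analyst quickly; an exclusion list quietly turns the playbook off for exactly the hosts an attacker most wants. The window cap is the other check practitioners tend to forget until a mis-tuned rule isolates an entire floor.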

NDR Value is Waning

While Network Detection and Response continues to make it onto organisations’ checklists, we are seeing the pure-play NDR providers expand their capabilities beyond NDR. I think the main reason is that the value of NDR is waning, specifically as an isolated technology, and NDR providers need to diversify. I expect organisations will start realising that high-end NDR technologies may not be providing the detection value they initially expected. NDR may be dropped in favour of other, more effective security technologies, or premium NDR products may be swapped out for NDR add-on modules from other security vendors.