
9 More Predictions for 2025

And how you can protect yourself against a forecast of volatile threats

On December 17, the Symantec Threat Hunter Team’s Principal Editor, Dick O’Brien, summarized a year’s worth of in-depth cyberattack investigations into five key predictions outlining the challenges the cybersecurity industry may face by 2025. These forecasts highlight an increase in Russian cyber aggression, an expanding ransomware ecosystem, attackers shifting focus to once-reliable cloud platforms, an uptick in the use of Living Off the Land (LOTL) tools, and ransomware groups extending their operations into new regions.

These valuable insights from prominent threat experts underscore the critical role the Symantec Threat Hunter Team plays for SecOps leaders worldwide. While staying ahead of emerging threats is vital for robust defense strategies, ensuring your protective measures are equipped to counter these evolving risks is equally crucial.

Predictions with solutions from our product experts

At Symantec and Carbon Black, our goal is to deliver enterprise-level security solutions accessible to everyone. The increasing prevalence of cybercrime tools and the rising number of threat actors pose significant risks to organizations of all sizes, making it essential for everyone to benefit from the level of protection typically reserved for large enterprises. To address this, we reached out to our product experts to gather their insights on staying secure against the threats looming in 2025 and beyond. Several experts also shared their own predictions about the challenges ahead.

1. Russian aggressors (and every other kind) will face EDR and application control. 

Attackers can strike from anywhere, but intelligent defenses make all the difference. With Carbon Black’s cloud-native endpoint detection and response (EDR) or Symantec’s on-premise EDR, organizations can detect network connections from Russian IP addresses and sniff out techniques used by criminal operations like Dragonfly targeting critical infrastructure. Application control, pioneered by Carbon Black and its predecessor Bit9, allows only trusted applications and files to run in your environment while helping block malicious code and executables—part of a zero trust posture. Carbon Black App Control can be deployed on-premise or in the cloud to protect assets other solutions don’t, like legacy systems and point-of-sale devices.

2. Ransomware attackers will bank on you having baseline protection. 

Whether their weapon of choice is ransomware or another technique, attackers often make their move based on an assumption that your organization uses basic, table stakes protection. You need to prove them wrong. Protections like Symantec EDR and Carbon Black EDR can detect threat behaviors commonly associated with ransomware—behaviors that other frontline tools don’t pick up. Meanwhile, data loss prevention (DLP) solutions like Symantec DLP prevent access to sensitive data, no matter the attack vector. And data is what ransomware attacks are after.

3. Living Off the Land (LOTL) attacks may have less land to live off of. 

LOTL attacks are on the rise, with threat actors using operating system features and tools to launch ransomware and other attacks. (Nearly half of ransomware attacks from 2021–2023 used LOTL tools.) The latest cybersecurity solutions can help prevent these incursions. One is Adaptive Protection, a unique feature of Symantec Endpoint Security (SES) that automatically blocks anomalous use of legitimate tools and software. In addition, Symantec EDR customers can subscribe to a watchlist of vulnerable and malicious drivers that could be LOTL targets.

4. "Identity" will become the next big domain in data-driven detection and analytical prevention. 

Threat actors are now stealing identities and monitoring behaviors so they can fully masquerade as legitimate users—even ones with elevated privileges. It's getting harder and harder to identify these attacks based solely on tool use, and more and more necessary to incorporate identity and access information into the detection logic. The industry will revisit User and Entity Behavior Analytics (UEBA), guiding it along more integrated and targeted pathways.

5. Correlation will remain the holy grail, but centralization will be nuanced. 

Everyone now accepts that cybersecurity must be data-driven, that a whole new level of telemetry must be collected and that information must be correlated across the domains of network, endpoint, information, identity and infrastructure. Vendors will think outside the box when it comes to centralization, leaning strongly into concepts like intelligent filtering, tiered aggregation and peer-like cross correlation—and will build architectures specialized for cybersecurity.

6. Customers will expect automation and commoditization of last decade’s breakthroughs. 

A few years ago, customers weren’t willing to give management of potentially career-ending operational impact over to advanced analytics, machine learning or AI. But fast-forward to now and customers are asking, “If you can detect with confidence and respond with ease, why haven't you automated all that for us?” They want what was advanced and interactive a few years ago to become built-in and automatic. Vendors that have stored years of structured, curated attack analysis and world-class threat intel will be well-positioned to immediately take advantage of large-language models (LLMs) and deliver that future. Vendors lacking these will struggle.

7. Threat detection and response will consolidate across hybrid environments. 

Hybrid work environments are intensifying the challenge of securing endpoints across diverse on-premises and cloud systems. In 2025, unified threat detection and response systems will become essential. These platforms will need to combine EDR, extended detection and response (XDR) and security orchestration to monitor, detect and remediate threats in real time. The shift leverages automation and threat intelligence to reduce blind spots across distributed workforces and accelerate response times. Solutions offering deep visibility into endpoint behaviors and integration with broader threat intelligence ecosystems are the ones best poised to address this need.

8. Advanced data loss prevention (DLP) strategies will focus on decentralized workflows. 

The rise of generative AI tools, remote work and decentralized workflows has heightened the risk of inadvertent or malicious data leakage. Organizations will prioritize advanced DLP strategies incorporating context-aware data protection and (as noted above) intelligent user behavior analytics. In 2025, DLP solutions will evolve with natural language processing (NLP) and machine learning, enabling real-time detection of sensitive data sharing across collaboration platforms and cloud services. Proactive measures, like automated redaction and granular access controls, will also gain prominence.

9. Cybersecurity sales channel strategies will shift. 

Traditional sales channels are no longer equipped to handle the complexities of today’s cybersecurity landscape. Organizations increasingly recognize that scaling their channel strategies requires more than just transactional partnerships—it demands a collaborative ecosystem where partners are empowered with the tools, training and insights needed to deliver seamless, integrated solutions through local partners they know and trust. As we move into 2025, a new channel go-to-market model, led by Broadcom’s groundbreaking Catalyst Partner Program, is poised to set a trend that other technology companies will likely follow.

These won’t be the only trends that define 2025, but it’s a safe bet they will land on your radar at some point. When they do, I hope you have the protections in place to meet the challenges of this coming year with confidence and competence.

As Technovera Co., we officially partner with well-known vendors in the IT industry to provide solutions tailored to our customers’ needs. Technovera handles the purchase and guarantee of all these vendors’ products, as well as the installation and configuration of the specified hardware and software.

We believe in providing technical IT solutions based on experience.
