The U.S. Securities and Exchange Commission (SEC) is taking steps to crack down on insufficient cyber risk reporting.

Related: Making third-party risk audits actionable

Seeking to minimize cybersecurity threat effects, the SEC has proposed several amendments requiring organizations to report on cyber risk in a “fast, comparable, and decision-useful manner.”

Worryingly, threats are beginning to outpace organizations’ ability to effectively prevent and respond to them. Leaders are no longer as confident in their organization’s cyber resilience, and employees often lack awareness.

The SEC, in essence, is compelling businesses, public companies and large investment firms to better prepare for inevitable cyber attacks. The new rules urge companies to build more robust cyber risk management programs.

This should provide better visibility into the impact of cyber risk and demonstrate the adequacy of risk mitigation investments.

Many organizations base their risk mitigation programs on standard risk quantification models such as FAIR (Factor Analysis of Information Risk). Cyber risk officers can use FAIR to quantify cyber risk in financial terms, a language familiar to business executives and boards of directors.

Here’s a breakdown of three rule amendments the SEC has proposed:

•Reporting cyber incidents in a timely manner. Organizations will have four days to determine which incidents pose a risk and report them to the SEC. However, this functions on the assumption that the organization has previously compiled its loss data and run an analysis to determine financial impact.

•Reporting on the ongoing effects of cyber incidents. Organizations will be required to update the impact previously disclosed. This suggests that organizations have the capability to aggregate cyber risk scenarios in financial terms and run a current quantitative cyber risk program, such as those based on FAIR.

•Disclosing policies and procedures for risk management. This amendment raises the curtain on policies and procedures for identifying and managing cybersecurity risks. This puts the onus on organizations to demonstrate cyber risk management practices.

Fostering understanding

The proposed amendments add onto existing rules, including requiring companies to disclose how they have been affected by cyber incidents financially. With the increased threat landscape and a surge of public and private sector attacks, stakeholders more urgently need to understand the risk.

Increasingly, cyber risk is seen as business risk, emphasizing the importance of quantifying it in a way that C-level executives and boards of directors can understand and analyze. Reporting cyber risk in financial terms is the most efficient, accurate, and compliant way forward. Based on the new amendments, security teams must rapidly and efficiently report any cyber incidents to boards and the SEC. With this in mind, how can they best do so? 

Vital to required reporting is being transparent about cyber risk: what is a company’s potential loss to the most significant cyber events? For business executives and boards of directors to assess the materiality of events that need to be disclosed, cyber loss exposure needs to be measured in financial terms, dollars and cents.

Implementing the FAIR standard not only provides a transparent approach to estimating cyber risk financially, but also complements major cybersecurity frameworks – including NIST CSF – that only provide a qualitative view of the state of security implementations. Tools now based on FAIR allow organizations to assess and report on cyber risk at scale.
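To make the "dollars and cents" point concrete, here is an added example (not code from the essay, the FAIR Institute or RiskLens) that carries out the core FAIR calculation, annualized loss exposure = loss event frequency × loss magnitude, with a Monte Carlo simulation, and then answers the two questions a board asks for a materiality decision: what is the expected and tail annual loss, and how likely is a loss above a given threshold. The scenario name and all estimate values are constructed placeholders, and the triangular distributions stand in for the calibrated PERT ranges a full FAIR analysis would use.

```python
"""FAIR-style annualized loss exposure via Monte Carlo simulation (added example).

Core FAIR decomposition used here (constructed scenario values, not real data):
    Risk (annual loss) = Loss Event Frequency (events/year) x Loss Magnitude ($/event)
    Loss Magnitude     = Primary Loss + Secondary Loss
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate, sampled as a triangular distribution."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: Estimate  # loss events per year
    primary_loss: Estimate          # $ per event: response, replacement, lost productivity
    secondary_loss: Estimate        # $ per event: fines, legal, reputation


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of events in one year given rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(scenario: Scenario, years: int = 10_000, seed: int = 42) -> list:
    """Simulate `years` independent years; return the total loss for each year."""
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible for reporting
    losses = []
    for _ in range(years):
        lef = scenario.loss_event_frequency.sample(rng)
        events = poisson(rng, lef)
        total = 0.0
        for _ in range(events):
            total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        losses.append(total)
    return losses


def summarize(losses: list) -> dict:
    """Expected annual loss plus tail percentiles, the figures a board compares to appetite."""
    s = sorted(losses)
    n = len(s)

    def pct(q: float) -> float:
        return s[min(n - 1, int(q * n))]

    return {
        "mean": statistics.fmean(s),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "max": s[-1],
    }


def exceedance_probability(losses: list, threshold: float) -> float:
    """Share of simulated years whose loss meets or exceeds a materiality threshold."""
    return sum(1 for x in losses if x >= threshold) / len(losses)


# Constructed placeholder scenario: ransomware on a core business system.
RANSOMWARE = Scenario(
    name="ransomware-core-systems (placeholder)",
    loss_event_frequency=Estimate(0.1, 0.3, 0.8),
    primary_loss=Estimate(100_000, 400_000, 2_000_000),
    secondary_loss=Estimate(0, 200_000, 3_000_000),
)

if __name__ == "__main__":
    results = simulate_annual_losses(RANSOMWARE)
    stats = summarize(results)
    print(f"{RANSOMWARE.name}")
    for key, value in stats.items():
        print(f"  {key:>4}: ${value:,.0f}")
    threshold = 1_000_000  # constructed materiality threshold
    print(f"  P(annual loss >= ${threshold:,}): {exceedance_probability(results, threshold):.1%}")
```

Benchmarking against peers, as the essay describes, is then a comparison of `stats["mean"]` (or a chosen percentile) against the sector figure a benchmark provider reports.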

Industry Benchmarking


To assess cyber risk posture in context, many boards like to benchmark cyber loss exposure against industry peers. This helps assess whether their company is more effective in dealing with cyber threats than peers and determine if more cybersecurity investments are needed.

Organizations can use cyber risk benchmark solutions based on empirical data that show average loss exposure experienced by companies in similar sectors and similar size, and compare it against their own risk assessments.

Quantitative cyber risk management programs based on standards such as FAIR also allow organizations to demonstrate cybersecurity investment adequacy, another SEC guidance element. This can be accomplished by analyzing and reporting on cybersecurity initiative effectiveness in driving cyber risk to acceptable levels.

Ultimately, all organizations must maintain vigilance when it comes to cybersecurity. Cyber risk constantly evolves, and being targeted is no longer a matter of if but when. It is vital for organizations to follow SEC recommendations when it comes to reporting material risks and maintaining robust quantitative cyber risk management programs. A plan should be in place for organizations to effectively mitigate cyber loss exposure to the most likely cyber events.

About the essayist: Nick Sanna is president of the FAIR Institute, a non-profit expert organization dedicated to advancing the discipline of measuring and managing information and operational risk. Sanna also is president and CEO of RiskLens, which supplies cyber risk quantification services.

During the first two decades of this century, virtual private networks (VPNs) served as a cornerstone of network security.

Related: Deploying human sensors

VPNs encrypt data streams and protect endpoints from unauthorized access, essentially by requiring all network communications to flow over a secured pipe.

This worked extremely well for users accessing network resources remotely via their company-issued laptops and immobile home computers. However, VPN pipes have become less efficient with the rising use of personally-owned mobile devices and increasing reliance on cloud-centric IT resources.

The sudden spike in work-from-home scenarios due to Covid-19 quarantining accelerated this trend. I had the chance to ask Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a Managed Compliance and Cybersecurity Provider (MCCP), about the future of VPNs in a post-pandemic world. Below are excerpts of our dialogue, edited for clarity and length.

LW: Post Covid-19, how would you summarize the role VPNs play in securing business networks today?

Clements: A decade ago having a remote access VPN was the assumed default. Most business applications, especially Microsoft Exchange, were on-premise deployments that required a company either to open up access to the whole internet or to require a VPN connection to the company’s perimeter firewall or dedicated VPN concentrator.

This process was rapidly changing to cloud-based pre-pandemic, but COVID-19 kicked this transition into hyper speed with most of the world moving to work-from-home remote setups. Despite this, it doesn’t mean that traditional VPNs have no use for businesses.

It’s important to remember that historically VPNs served dual purposes of granting individual users access to corporate networks, but also functioned in a larger capacity to set up direct links between remote private networks such as remote sites or business partners. While I’d be surprised if end user or “road warrior” VPNs returned at scale, there is likely to continue to be a strong need for network-to-network or “site-to-site” VPNs.

LW: Will enterprises continue relying on VPNs as a major component of network security, going forward?

Clements: It really depends on the individual organization’s need. Many companies still rely on business applications that are only available in self-hosted or “on prem” scenarios, and for those organizations remote access VPN connectivity for users will continue to be important.

It’s easy to imagine organizations migrating to cloud-hosted solutions for everything going forward, but the reality is that many legacy, on-prem applications aren’t easily ported to the cloud, or are massive sunk costs for organizations potentially costing millions to acquire.

LW: What about SMBs; how does a traditional VPN service fit as cloud migration deepens?

Clements: The current incentives are heavily in favor of more cloud migration and less on-prem deployments. After all, why deploy and maintain servers and infrastructure gear along with the staff to support them if off-the-shelf cloud services meet your needs at far less cost? This means a traditional VPN makes less and less sense unless an organization has a specific need.

LW: Who would you rank in the Top 5 suppliers of VPNs used by enterprises and SMB?

Clements: For enterprises and SMBs both you are looking at the traditional market players in the space. Enterprises are likely Cisco, Juniper, Palo Alto, or Check Point. For SMB you see more SonicWall and Fortinet. In each case, these are usually multifunction devices that function as firewalls, IPS, gateway anti-malware, or content filtering.

LW: What differentiates the top suppliers; what’s distinctive about each one?

Clements: Enterprise offerings typically skew more configurable, extensible, and interoperable, while SMB players can be more straightforward to set up and configure.

LW: Can you frame the competitive dynamics?


Clements: Pricing and features are typically the biggest factors in a customer’s decision on what vendor to choose, although many times organizations default to either what they know or what their MSP supports . . . In competitive situations pricing can sometimes vary significantly, though it depends on the customer’s leverage with their vendor.

LW: What role will VPNs play, going forward, as we move deeper into an interconnected digital ecosystem of cloud-centric services and remote endpoints and devices?

Clements: One place VPNs will continue to exist is in cloud platforms themselves. Organizations with the need to manage VMs on cloud platforms will still likely leverage built-in VPN services in those platforms to perform administrative tasks. Otherwise, I think they’ll be limited to the site-to-site or legacy on-prem application scenarios discussed earlier.

LW: What are the main differences between how VPN services are delivered in the U.S. vs Europe?

Clements: From a corporate standpoint, VPN is mostly a standardized offering using similar authentication and encryption methods. If we are talking commercial VPN services offered to the public, Europe can offer stricter data protection requirements based on the provider’s legal jurisdiction due to GDPR requirements.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)

It’s stunning that the ransomware plague persists.

Related: ‘SASE’ blends connectivity and security

Verizon’s Data Breach Incident Report shows a 13 percent spike in 2021, a jump greater than the past years combined; Sophos’ State of Ransomware survey shows victims routinely paying $1 million ransoms.

In response, Cato Networks today introduced network-based ransomware protection for the Cato SASE Cloud. This is an example of an advanced security capability meeting an urgent need – and it’s also more evidence that enterprises must inevitably transition to a new network security paradigm.

Guest expert: Etay Maor, Senior Director of Security Strategy, Cato Networks

I had the chance to visit with Etay Maor of Cato Networks. We discussed how Secure Access Service Edge – SASE – embodies this new paradigm. In essence, SASE moves the security stack from the on-premises perimeter far out to the edge, just before the cloud.

This gives security teams comprehensive visibility of all network activity, in real time, which makes many high-level security capabilities possible. For a full drill down on my conversation with Etay Maor, please give the accompanying podcast a listen.

Network security developments are progressing. I’ll keep watch and keep reporting.


The Deep & Dark Web is a mystery to most in the mainstream today: many have heard about it, but few understand just a fraction of what’s going on there.

Related: ‘IABs’ help spread of ransomware

Planning your roadmap, executing your projects, and keeping an eye on the barrage of ransomware headlines, it’s understandable if you and your team are feeling some anxiety.

Cyber anxiety can indeed be paralyzing, but new software solutions have the potential to become game-changers for IT departments. These automated programs will hunt the Deep & Dark Web for you, trawling through the deepest and dirtiest pools, looking for the next threat that has your name on it.

There are many facets to what I’ll call “The Underground.” It extends beyond the Deep & Dark Web to: unindexed Web forums, messaging boards, and marketplaces, encrypted messaging systems, and code repositories. It is simply impossible for a human analyst to sort through it all.

Additionally, filtering through these channels is made even more difficult due to language barriers, as well as gaining trust and access to these various forums. Having automated tools that can process these various datasets is integral to enriching your team’s intelligence programs, whether you have a well-established team and process, or are just beginning your journey.

Hunting threats

To gain access to message boards and chats on the Deep & Dark Web, cyber professionals carefully cultivate their own personas – a task that takes significant time and practice but is the only way to gain access to hacker communities. Once vetted and accepted, threat hunters will go into these message boards and communities and search for anything connected to your business, for example:

•Corporate login credentials

•Data collections released after ransomware attacks

•Databases with critical IP and/or PII

•Chatter about the best methods to attack your business

Ransomware attacks hit indiscriminately across business categories, from private corporations to government agencies, including schools and universities, hospitals and healthcare providers, financial institutions, and everything in between. There is no safety in size: hackers also target smaller businesses.

The financial losses associated with a hacking incident – not to mention the loss of customer trust and faith in a brand – make for a difficult and expensive recovery.

The rise in Initial Access Broker (IAB) markets gives criminal groups easy access to purchase stolen credentials for a small fee. Hackers use these credentials to try to get a foothold inside a targeted company. The average cost for these credentials is as little as $10.

For example, a hospital that suffered a ransomware attack in 2021 had credentials to its VPN offered for sale in an underground market eight days prior to the attack.

In another example, it was reported that the Lapsus$ Ransomware gang bought and tried several sets of access credentials for T-Mobile, before finding a user with the right level of access to gain their foothold.

Staying vigilant

To help companies understand how they are being discussed and compromised on the Dark Web, the team of threat hunters and intel specialists at Cybersixgill offer a Portal that can be customized to look for any threat on the Underground that’s aimed at a user’s organization.


Think of the Cybersixgill Portal as a complex search engine that can reach the deepest depths of the Underground. It continuously crawls through more than 700 forums and marketplaces, and monitors more than 25,000 channels on platforms like ICQ, Discord and Telegram. Every day, Cybersixgill’s Portal brings in more than 7.5 million pieces of information, including indicators of compromise (IOCs), common vulnerabilities and exposures (CVEs), and malicious files.

For each of the hundreds of thousands of CVEs, Cybersixgill’s platform uses machine learning (ML) models to assist companies with patch prioritization. This method reaches beyond the Common Vulnerability Scoring System (CVSS), which numerically ranks threats, so companies can easily prioritize which one to tackle first. It also integrates with many of the most popular cybersecurity platforms out there, like Crowdstrike, Splunk, Microsoft Azure, and dozens more.

Staying on top of the latest threats can feel overwhelming, but there is no need to be cyber paralyzed. Cybersixgill arms security teams with data straight from the Underground, making it much easier to stop attackers before they cause significant damage.

About the essayist: Brad Liggett is Technical Director, Americas Intel Architects at Cybersixgill, a Tel Aviv-based cybersecurity company that supplies scalable, real-time, actionable, contextual, automated threat intelligence.

Specialization continues to advance apace in the cybercriminal ecosystem.

Related: How cybercriminals leverage digital transformation

Initial access brokers, or IABs, are the latest specialists on the scene. IABs flashed to prominence on the heels of gaping vulnerabilities getting discovered and widely exploited in Windows servers deployed globally in enterprise networks.

I had the chance at RSA Conference 2022 to visit with John Shier, senior security advisor at Sophos, a security software and hardware company. We discussed how the ProxyLogon/ProxyShell vulnerabilities that companies have been scrambling to patch for the past couple of years gave rise to threat actors who focus on a singular mission: locating and compromising cyber assets with known vulnerabilities.

For a drill down on IABs, please give the accompanying podcast a listen. Here are the key takeaways:

Sequential specialists

IABs today jump into action anytime a newly discovered bug gets publicized, especially operating system coding flaws that can be remotely exploited. IABs gain unauthorized network access and then they often will conduct exploratory movements to get a sense of what the compromised asset is, Shier told me.

This is all part of triangulating how much value the breached asset might have in the Darknet marketplace. “IABs specialize in one specific area of the cybercrime ecosystem where the victims are accumulated and then sold off to the highest bidder,” he says.

To assure persistent access to, say, a compromised web server, an IAB will implant a web shell – code that functions as a backdoor through which additional malicious software can be uploaded at a later time. The web shell sits dormant, providing a path for other specialists.

The IAB’s job, at this point, is done; access to the compromised server is now ready for sale to another operative. It might be someone who specializes in embedding droppers – a type of malware delivery tool designed to stealthily install the endgame payload, Shier says.

A dropper specialist, in turn, might deliver control of the primed server to a payload specialist – an operative who’s adept at, say, carrying out a crypto mining routine that saps processing power. Or the payload might be a data exfiltration routine — or a full-blown ransomware attack.

Teeming criminal activity

IABs are giving an already high-functioning cybercriminal underground a turbo boost. This trend is highlighted in Sophos’ recent adversaries report based on analysis of 144 incidents targeting organizations of varying sizes in the US, Europe, the Middle East, Australia, the Philippines and Japan. IABs contributed to threat actors dwelling longer before detection: the median attacker dwell time was 15 days in 2021, up from 11 days in 2020.

Sophos’ study of adversary activity found that some 47 percent of attacks started with an exploited vulnerability and 73 percent of attacks involved ransomware. Speaking of ransomware, cyber extortion continues to persist at a plague level.

Sophos’ The State of Ransomware 2022 polling of 5,600 IT professionals in 31 countries reveals that 66 percent of organizations were hit by ransomware in 2021, up from 37 percent in 2020. Meanwhile, some 11 percent of victim companies paid ransoms of $1 million USD or more in 2021, a nearly three-fold increase from the 4 percent that did so in 2020. And the average ransom payment, excluding outliers, rang in at $812,360.

Clearly, the threat landscape is teeming with criminals leveraging proven tools, tactics and procedures to great effect. Forensic evidence analyzed by Sophos sheds light on instances where multiple adversaries, including IABs, dropper specialists, ransomware gangs and crypto miners, crossed paths. At times, multiple ransomware gangs targeted the same organization simultaneously.

“The IABs are the clearinghouses for all of this access,” Shier says. “The brokering happens in Darknet markets that specialize in the sale of victims.”

If you know where to look in Darknet markets, he says, you can find access to compromised machines listed by company, type of server and level of access. “This allows you, as a criminal, to really understand what it is that you’re buying,” Shier says. “They’ve even got an escrow system to assure that one criminal is not scamming the other criminals.”

Understanding digital assets

This is the flip side of digital transformation. As enterprises drive towards a dramatically scaled-up and increasingly interconnected digital ecosystem, network attack surfaces are expanding exponentially and security gaps are multiplying.

Cybercriminals are merely feasting on low-hanging fruit. It’s not so much that they’re doing anything terribly innovative. It’s just that there are so many blind spots, and in many ways it’s easier than ever for intruders to gain deep access, steal data, spread ransomware, disrupt infrastructure and attain unauthorized presence for an extended period of time.


Companies need to understand that every organization using digital assets is a target for an adversary somewhere; these days it can be waves of specialists from several different hacking collectives converging on the same target all at once, Shier says.

Constant monitoring and effective detection and response are more vital than ever. And so is reducing the attack surface by configuring systems wisely and managing vulnerabilities well.

Observes Shier: “First and foremost it is important to understand the systems, tools and software you’re using . . . and understand what are the core aspects of your business that you need to protect. Protect the core business first and then start to look at protecting the things that are supporting the core business. The mitigations might be different, but it really comes down to understanding the business itself.”

This much was made clear at RSAC 2022: the technology and security frameworks to do this are readily available. What’s lacking – and why criminal specialists continue to operate with impunity — is uniform adoption. Things are steadily moving in that direction. I’ll keep watch and keep reporting.


The identity management market has grown to $13 billion and counting. While intuition would tell you enterprises have identity under control, that is far from reality.

Related: Taking a zero-trust approach to access management

Current events, such as the global pandemic and ‘The Great Resignation,’ which have accelerated cloud adoption, remote working environments, and the number of business applications and systems in use, have complicated matters.

As a result, new solutions and features to address identity challenges have emerged. In a sense, this is a positive trend: change makers are innovating and trying to stay ahead of imminent threats.

On the other hand, there’s a good deal of snake oil on the market, making it hard for organizations to realize the value of their tech investments. Last, and perhaps most significant, many solutions don’t work together harmoniously, making it hard for employees to get work done.

When you consider these points, it’s understandable why businesses end up with too many solutions to effectively manage, or simply default to manual, inefficient processes to address identity- and security-related tasks. But for progress to happen, we must first get to the root of why this is happening.

New research from Gradient Flow’s “2022 Identity Management Survey” aims to do this. From the findings, here are five ways leaders can improve their approach to identity management and security.

•Take stock of vendor relationships. A majority (54 percent) of survey respondents with IT job functions indicated that they work with several vendors for security functions including identity governance, risk, compliance, single sign-on, PAM, and security operations.


It’s reasonable that businesses will work with multiple vendors to address specific security issues. However, leaders would be wise to consider where they can scale back or consolidate. A good first step is to explore new features within existing tech systems in place.

•Reduce unnecessary applications and systems. Using 10 or more business applications weekly is the norm for approximately a quarter of survey respondents. Remote work (think video conferencing and cloud migrations) has only exacerbated the number of systems employees frequent.

Yet over 40% of knowledge workers queried expect a high productivity boost from using fewer applications or systems. Leaders must find ways to streamline tasks or boost functionality to help reduce context-switching’s effect on productivity.

•Prioritize user experience. User experience (UX) was the top challenge across most segments surveyed. Nearly half of respondents indicated that identity solutions need to provide better interfaces and allow people to work productively and securely. Jumping on new tech systems is not the solution.

Rather, leaders should extend functionality within systems employees are already familiar with. This is likely a reason that 47 percent of respondents use IT Service Management (ITSM) or workforce management platforms to govern things like permissions and entitlements. This approach requires no training and frees up IT teams for more important projects.

•Reduce management time. For all segments surveyed, granting and removing access took a few hours. That’s valuable time lost for onboarding new employees and too much time for your sensitive data to be vulnerable to those on their way out. In terms of identity tasks, this one is fairly cut and dried, and as such, should be automated when possible.

This also gives organizations real-time visibility into who is coming and going, and who does and doesn’t have access to certain company systems and assets in the case of an audit.

•Take AI hype with a grain of salt. In the vein of automation, artificial intelligence (AI) has been heavily hyped up in the technology world, but it may be too early to see the benefits in identity management. While two-thirds of respondents cited using AI, less than a third yielded moderate to high benefits for their efforts.

However, ITSM can help with this, as it provides organizations with the quantity and quality of data needed—that most are lacking—to execute successful AI and machine learning initiatives.

We still have a long way to go to optimize identity management and security, but understanding the triumphs, challenges, tools, and practices to approach it in a more strategic, beneficial way is helpful. With knowledge comes power, and with this research, we have the power to implement better approaches for identity management and beyond.

About the essayist: Jackson Shaw is chief strategy officer at Clear Skye, an Identity Governance and Administration (IGA) software company focused on enterprise identity access and risk management.

At the start of this year, analysts identified a number of trends driving the growth of cybersecurity. Among them: an expanding digital footprint, growing attack surfaces, and increasing government regulation.

Related: Taking API proliferation seriously

Last year saw an unprecedented $21.8 billion in venture capital poured into cybersecurity companies globally. Investors more than doubled down in 2021, increasing investment by about 145 percent.

Based on the early-stage startup pitches we are seeing at Differential Ventures, that trend isn’t going to let up anytime soon. The top drivers of the continued growth of cybersecurity are: the growing need to protect the API supply chain, the inadequacy of existing identity management systems, and the unfulfilled promise of data-driven AI-powered cybersecurity systems.

Securing APIs

The SolarWinds attack made API supply chain security a front-page story in 2020. Major breaches at Parler, Microsoft Exchange Server, Experian, and LinkedIn increased the intensity of concern about API supply chain attacks in 2021. The Log4j vulnerability reported at the end of 2021 heightened concern even more. According to Gartner, a threefold increase from 2021.

Given all of this newfound concern for API supply chain security, where are the tools for solving this problem? The current tools are inadequate, brittle, statically rule-based, and require much manual intervention and processing. Every week, we see a new pitch for an API supply chain security startup. Many of them are pre-product and still in the design stage. But they are founded by highly-qualified and experienced cybersecurity experts, and they are likely to transform the landscape of API supply chain security in the coming years.

Improving identity management


For a long time, enterprise customers have been dissatisfied with cybersecurity solutions for identity management. Existing systems suffer from clumsy interfaces, overwhelming IT management burden, and oscillations between being too permissive and too promiscuous. COVID-driven remote work caused the problem of identity management systems to become a much higher priority. In addition, the growth of assets stored in digital wallets, as well as the promised growth of the metaverse and other Web 3.0 projects, makes the urgency of more robust and portable identity management systems even more imminent.

Existing tools trying to manage users’ identities and their access permissions are proving inadequate, driving frustrated IT managers to become cybersecurity entrepreneurs. Many of the startups attempting to tackle this vexing problem are offering the promise of data science and machine learning to automate the process of managing identities, although none of them even have the data collected to prove the accuracy and robustness of their proposed solutions.

Still, given the impact data science has had on other areas of software development, it seems likely that in the coming years one or more of these proposed solutions will yield a significant improvement in identity management systems.

Leveraging data science

Nearly every cybersecurity startup pitched to our fund promises artificial intelligence built into their software, powered by data science trained on cybersecurity data. These pitches fall into two categories: pre-product companies and companies with working prototypes of their solutions. The one commonality across nearly all of these systems: they have no data yet to train their models, much less prove that their approaches will lead to improvements over state-of-the-art static systems.

Data science has improved the performance of software in a lot of industries, but it fails in many cases. The only way to know if data science will yield improvements is to collect the appropriate data, annotate it (if necessary), and analyze the annotated data to see if there is information in the data that can reduce uncertainty of phenomena that need to be predicted. If that analysis leads to a positive result, then you still need to train models on that data and figure out how to integrate the predictions from those models into software to produce insights that solve existing problems better than current systems.

With enough ingenious cybersecurity software developers and data scientists collecting data, iteratively building models, and using these models to address vexing unsolved or poorly solved cybersecurity problems, inevitably they will find ways to make meaningful impact on those problems, and some minority of the startups being funded today will have the chance to blossom into unicorns in the coming years.

The recent swoon in public markets for technology stocks may lead one to predict that there will be a lull in funding of cybersecurity solutions, along with a downtick in valuations. However, I believe that the impact of the market correction will be counterbalanced by the growing need for new solutions to many problems in cybersecurity, and by the ingenuity of the new approaches being taken to solve these problems.

About the essayist: David Magerman is a co-founder and Managing Partner at Differential Ventures. He was previously at Renaissance Technologies, a quantitative hedge fund management company.

Writing code can be compared to writing a letter.

Related: Political apps promote division

When we write a letter, we write it in the language we speak, and the one that the recipient understands. When writing code, the developer does it in a language that the computer understands, that is, a programming language. With this language, the developer describes a program scenario that determines what the program is required to do, and under what circumstances.

If we make mistakes or typos in the text of the letter, its content becomes distorted. Our intentions or requests can get misinterpreted. The same thing happens when the developer makes errors in the code, resulting in inadvertent vulnerabilities.

Then the operating scenarios of the system diverge from those the software developer originally intended. As a result, the system can be brought into a non-standard condition, one the developer did not anticipate or provide for. An attacker can then manipulate these non-standard conditions for their own purposes.

As an example, let’s take SQL injection, one of the most well-known methods of hacking online applications. Suppose we have an online service, an online bank, for instance. We enter our login and password to sign in. In a SQL injection attack the intruder places specially crafted input in the fields that the application sends to the database server, where it is parsed and executed as part of the query. Starting from nothing more than the login form or an ordinary user account, the attacker can bring the system into an abnormal condition and get access to other users’ accounts.

Of course, the developer never intended for the system to be used in such a way. Yet when writing the code, the developer made mistakes that led to the vulnerabilities which made such abuse possible.
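Here is the online-bank login query written both ways, as an added example that is not from the essay or from DerSecur’s products. It runs in Python against an in-memory SQLite table; the users, their credentials and the attacker inputs are constructed for the demonstration, and passwords are stored in plaintext only to keep the example short, which a real system must never do.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory users table standing in for the bank's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords only for the demonstration; real systems store salted hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The developer's mistake: user input is spliced into the SQL text, so the
    input can change the structure of the query, not just the values it compares."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The corrected version: a parameterized query. The SQL text is fixed and the
    driver passes the values separately, so quotes and comment markers in the
    input are just characters to compare, never syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demonstrate():
    """Run three logins through both versions; return (input username, who the
    vulnerable version signs in as, who the safe version signs in as)."""
    conn = build_db()
    attempts = [
        ("alice", "s3cret"),         # legitimate login
        ("bob' --", "wrong"),        # '--' comments out the password check: signed in as bob
        ("nobody", "' OR '1'='1"),   # makes the WHERE clause true for every row: first user wins
    ]
    return [(u, login_vulnerable(conn, u, p), login_safe(conn, u, p)) for u, p in attempts]


if __name__ == "__main__":
    for username, vuln, safe in demonstrate():
        print(f"{username!r:22} vulnerable -> {vuln!r:8} safe -> {safe!r}")
```

The two attacker inputs never touch the database schema or any "malicious code" in the usual sense; they simply exploit that the vulnerable version lets data become part of the query text. The parameterized version compares the literal string `bob' --` against the username column, finds nothing, and returns no session.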

More code, more risk


Information systems are becoming more complex, and the amount of code is increasing with them. A new mobile app, for instance, can require as many lines of code as a Linux kernel from 15 years ago. At the same time, developers nowadays seldom write code from scratch. They assemble ready-made pieces, such as third-party libraries and microservices packaged in software containers, and then add 10 to 20 percent of their own code to create the new app.

In turn, the larger the amount of code, the higher the risk of errors that lead to vulnerabilities. To illustrate the point, I’ll tell you about an interesting case. We tested a thousand popular mobile apps against a set of criteria which, by our estimate, determine the security of an application.

It turned out that the average security level was 2.2 points out of a maximum of 5. The only thing that saves these apps from mass attacks is that exploiting vulnerabilities in a mobile application without going deep into its server side is quite expensive and time-consuming. That’s why not all attackers are prepared to do it.

Continuing the analogy of writing texts: in the past, when an author wrote a book or a journalist prepared a newspaper article, the text was always proofread by a copy editor, a person who checked for errors and inconsistencies. Copy editors still exist today, yet their job has become optional.

The role of automation

The fact of the matter is that people have learned to partially computerize this job, building automatic checks for errors and typos into the programs used to write text. These automatic checks have gradually become more complex and in-depth. Now specialized software checks style and semantics as well as spelling.

The same thing has happened to code writing. We now have quite smart systems, program code analyzers, that can detect inconsistencies, weaknesses and vulnerabilities in the written code.

They can be used in two modes, depending on the amount of code. If the amount of code being developed is small, you can run the check by hand, on demand. If we are talking about multi-level code development involving hundreds of developers, with tens of thousands of lines written per day, it is much more effective to run secure development processes (DevSecOps, Secure SDLC) with a code analyzer at their core, so that every change is checked automatically before it is merged or released.

To explain how such processes work through the above analogy, imagine a whole team of proofreaders. They have a hierarchy and rules that define the order in which they proofread, the requirements a text must meet, and the cases in which a text must be sent back for revision. The same is true of secure development processes applied to software before its release.
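As an added example of what the automated “proofreader” does for one class of error (this is illustrative code, not DerScanner or any other product’s logic), the Python block below scans source code and flags calls to a database cursor’s execute()-style methods whose SQL text is built from an f-string, string concatenation, % formatting or .format(). The source it scans is a constructed sample embedded in the block. A real analyzer follows data flow across functions, files and frameworks; this toy follows only one level of local assignment, which is enough to show the mechanism.

```python
import ast

# Constructed sample source to scan: two injectable queries and one safe one.
SAMPLE_SOURCE = '''
def login_vulnerable(conn, username, password):
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return conn.execute(query)

def login_concat(conn, username):
    return conn.execute("SELECT username FROM users WHERE username = '" + username + "'")

def login_safe(conn, username, password):
    return conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                        (username, password))
'''

# Method names treated as SQL sinks (the DB-API cursor methods).
SINK_METHODS = {"execute", "executemany", "executescript"}


def dynamic_sql_reason(node):
    """Return why an expression is dynamically built SQL, or None if it looks constant."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "string concatenation or % formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format() call"
    return None


def find_dynamic_sql(source):
    """Scan Python source and return sorted (line, function, reason) tuples for each
    sink call whose first argument is built dynamically. One level of local
    assignment is followed, so `query = f"..."; conn.execute(query)` is caught."""
    tree = ast.parse(source)
    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        # Map local variable names to an expression assigned to them in this function.
        assigned = {}
        for node in ast.walk(func):
            if isinstance(node, ast.Assign):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        assigned[target.id] = node.value
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in SINK_METHODS and node.args):
                continue
            arg = node.args[0]
            if isinstance(arg, ast.Name):
                arg = assigned.get(arg.id, arg)
            reason = dynamic_sql_reason(arg)
            if reason:
                findings.append((node.lineno, func.name, reason))
    return sorted(findings)


if __name__ == "__main__":
    for line, func, reason in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: {func}() builds its SQL with a {reason}")
```

Wired into a DevSecOps pipeline, a check like this runs on every commit and fails the build when it returns a non-empty list, which is the “send it back for revision” rule from the proofreading analogy. Its blind spots (SQL assembled in another function, or passed through a variable reassigned in a loop) are exactly why production analyzers track taint across the whole program rather than within one function.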

This is the world of software vulnerabilities we live in today. It requires awareness and diligence to keep secure.

About the essayist: Dan Chernov is CTO of DerSecur which supplies DerScanner, a static app code analyzer capable of identifying vulnerabilities and undocumented features in Google Android, Apple iOS, and Apple macOS.

Reducing the attack surface of a company’s network should, by now, be a top priority for all organizations.

Related: Why security teams ought to embrace complexity

As RSA Conference 2022 gets underway today in San Francisco, systems that help companies comprehensively inventory their cyber assets, gain visibility into asset and cloud configurations, and close security gaps will be in the spotlight.

As always, the devil is in the details. Connecting the dots and getting everyone on the same page remain daunting challenges. I visited with Erkang Zheng, founder and CEO of JupiterOne, to discuss how an emerging discipline — referred to as “cyber asset attack surface management,” or CAASM – can help with this heavy lifting.

Based in Morrisville, NC, JupiterOne launched in 2020 and last week announced that it has achieved a $1 billion valuation, with a $70 million Series C funding round.

For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

Imposing context

Remediating security gaps in modern networks, not surprisingly, can quickly devolve into a tangled mess. Both the technology and the teams responsible for specific cyber assets tend to operate in silos. And because network security teams lack direct control, coordinating people, policies and infrastructure scattered across the organization has become very hard to get done in a timely manner.

This is all the more true as organizations accelerate cloud migration and dive deeper into an interconnected digital ecosystem. Software-defined everything is the mantra, and mushrooming complexity is the result. Meanwhile, security gaps are multiplying as network attack surfaces expand exponentially. These gaps must be closed or digital transformation will be in danger of stalling out.

Enter CAASM which is designed to make it possible for security teams to impose context on the ephemeral connections flying between things like microservices, virtual storage and hosted services. JupiterOne’s platform, for instance, puts a security lens on discovering, managing and governing all types of cyber assets — from software in development to all aspects of private cloud and public cloud IT infrastructure.

CAASM systems leverage APIs to help security teams gain comprehensive visibility of all components of IT infrastructure be they on-premises or in a private, public or hybrid cloud. This enables the implementation of granular policies that can be enforced, at scale, and that each organization can dial in to boost security without unduly hindering agility.

This is the heavy lifting that’s easier said than done, especially in a massively-distributed, fast-changing operating environment. The pressure bears down on security teams from two directions, Zheng says. They must do as much as they can to directly prevent intrusions; and they must also rally the asset owners to prevent breaches as well as respond with alacrity to security incidents as they crop up.

Smart questions

Connecting the dots and getting everyone on the same page comes down to asking the right questions, Zheng observes. And cloud-hosted, data analytics technology is now readily available to ask smart questions about network security, at scale, and get actionable answers.


“The concept is simple, but the execution is not,” he says. The first obstacle is the underlying technology; networking infrastructure components come from hundreds of different vendors, each using a proprietary implementation. Then there’s the issue of having to change the behaviors of the asset owners, many of whom are stuck in a siloed mindset.

JupiterOne’s solution prepares the way by discovering, normalizing and consolidating  basic information about all cyber assets, such as what the asset is, who owns it and who can access it. This creates a scenario where the security team can ask simple questions that can and should be directly answered.

“Know what you have and focus on what matters,” Zheng told me. “It really boils down to that.”

By focusing on common-sense questions, legacy workflows can be altered in a way that keeps pace with a fast-changing digital ecosystem – and recalcitrant asset owners will be more likely to take charge of facilitating remediation, he says.

“We can help provide a workflow that focuses on questions like, ‘How do I fix it?’ ‘Who can fix it?’ ‘How do I notify, assign and track and verify?’ ” Zheng observes. “The security team really is the gatekeeper and the auditor and a consultant, to some extent, to the people who must actually do the work . . . CAASM is not only a data platform and an analytical platform, but also a collaboration platform.”

Solutions at hand

Collaborating to swiftly close severe zero-day security gaps that regularly get disclosed, like the Log4j flaw, has become a must-have capability, for obvious reasons. Yet there is a much greater impact CAASM systems could have, going forward. CAASM is one slice of a new security architecture that’s taking shape, one in which companies begin to systematically discover and remediate security gaps – gaps threat actors are proactively seeking out.

Zheng walked me through an example of how easy it is for a security team to overlook gaps created, for instance, in the mixing and matching of cloud resources leased from Amazon Web Services:

“Let’s say you have an internal resource that’s not configured to be public facing by itself. However, you have an external-facing workload that has an authentication policy giving it API level access . . . it could be an instance where you have an Internet-facing Lambda function that’s given access to an internal S3 bucket or DynamoDB table. That’s a specific example of identifying a security gap that you previously didn’t see.”

This technical detail vividly illustrates attack surface expansion in action. There are countless more examples like this. Companies absolutely should begin flushing out security gaps and remediating them. The technology to do this at scale and in a timely manner is at hand.
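The gap Zheng describes, rendered as an added example in Python (not JupiterOne’s code or its query language): a constructed inventory of cloud assets and the relationships between them, and a query that walks from every internet-facing workload through the roles it can assume to the data stores those roles are allowed to reach, reporting any path that ends at a resource not itself meant to be public. The asset names, types and the ASSUMES/ALLOWS relationship labels are assumptions made for the demonstration.

```python
from collections import deque

# Constructed inventory standing in for what a CAASM tool collects through cloud APIs.
ASSETS = {
    "lambda:orders-api":     {"type": "Function", "internet_facing": True},
    "lambda:nightly-report": {"type": "Function", "internet_facing": False},
    "role:orders-api-role":  {"type": "IamRole",  "internet_facing": False},
    "role:report-role":      {"type": "IamRole",  "internet_facing": False},
    "s3:customer-exports":   {"type": "Bucket",   "internet_facing": False},
    "s3:public-static-site": {"type": "Bucket",   "internet_facing": True},
    "dynamodb:ledger":       {"type": "Table",    "internet_facing": False},
}

# Constructed relationships: a workload ASSUMES a role; a role's policy ALLOWS access to a resource.
EDGES = [
    ("lambda:orders-api",     "ASSUMES", "role:orders-api-role"),
    ("role:orders-api-role",  "ALLOWS",  "s3:customer-exports"),
    ("role:orders-api-role",  "ALLOWS",  "s3:public-static-site"),
    ("lambda:nightly-report", "ASSUMES", "role:report-role"),
    ("role:report-role",      "ALLOWS",  "dynamodb:ledger"),
]

WORKLOAD_TYPES = {"Function"}
DATA_STORE_TYPES = {"Bucket", "Table"}


def build_adjacency(edges):
    """Directed graph: source asset -> list of assets it can reach in one hop."""
    adj = {}
    for src, _rel, dst in edges:
        adj.setdefault(src, []).append(dst)
    return adj


def paths_to_data_stores(adj, assets, start):
    """Breadth-first walk from a workload; yield the full path to each data store reached."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        for nxt in adj.get(path[-1], []):
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            if assets[nxt]["type"] in DATA_STORE_TYPES:
                yield new_path
            else:
                queue.append(new_path)


def find_exposure_paths(assets, edges):
    """The CAASM question: which internet-facing workloads can reach data stores
    that are not themselves meant to be public? Returns one finding per path."""
    adj = build_adjacency(edges)
    findings = []
    for name, attrs in assets.items():
        if attrs["type"] not in WORKLOAD_TYPES or not attrs.get("internet_facing"):
            continue
        for path in paths_to_data_stores(adj, assets, name):
            resource = path[-1]
            if not assets[resource].get("internet_facing"):
                findings.append({"workload": name, "resource": resource, "path": path})
    return findings


if __name__ == "__main__":
    for finding in find_exposure_paths(ASSETS, EDGES):
        print("exposure: " + " -> ".join(finding["path"]))
```

Neither the bucket nor the Lambda function is misconfigured on its own, which is why a per-resource scan misses this; the finding only appears when the inventory is modeled as a graph and queried across the relationship. Removing the role’s ALLOWS edge to the internal bucket (or taking the function off the internet) makes the finding disappear, which is the remediation check the security team hands to the asset owner.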

The sooner closing gaps rises to a standard best practice, the more secure we’ll all be. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)


Pity the poor CISO at any enterprise you care to name.

Related: The rise of ‘XDR’

As their organizations migrate deeper into an intensively interconnected digital ecosystem, CISOs must deal with cyber attacks raining down on all fronts. Many are working with siloed security products from another era that serve as mere speed bumps. Meanwhile, security teams are stretched thin and on a fast track to burn out.

Help is on the way. At RSA Conference 2022, which opened today in San Francisco, new security frameworks and advanced, cloud-centric security technologies will be in the spotlight. The overarching theme is to help CISOs gain a clear view of all cyber assets, be able to wisely triage exposures and then also become proficient at swiftly mitigating inevitable breaches.

Easier said than done, of course. I had the chance to discuss this with Lori Smith, director of product marketing at Trend Micro. With $1.7 billion in annual revenue and 7,000 employees, Trend Micro is a prominent leader in the unfolding shift towards a more holistic approach to enterprise security, one that’s a much better fit for the digital age. For a full drill down on our discussion, please give the accompanying podcast a listen. Here are key takeaways.

Beyond silos

It was only a few short years ago that BYOD and Shadow IT exposures were the hot topics at RSA. Employees using their personally-owned smartphones to install cool new apps presented a nightmare for security teams.

Fast forward to today. Enterprises are driving towards a dramatically scaled-up and increasingly interconnected digital ecosystem. The attack surface of company networks has expanded exponentially, and fresh security gaps are popping up everywhere.

What’s more, the rapid rise of a remote workforce, in the wake of Covid 19, has only served to accelerate cloud migration, as well as scale up the attendant network exposures. Unmanaged smartphones and laptops, misconfigured Software as a Service (SaaS) apps and unsecured Internet access present more of an enterprise risk than ever.

“The increased number of these cyber assets means that there’s more cyber assets that can potentially be vulnerable,” Smith says. “This opens up an even bigger and more profitable attack surface that cybercriminals are only too eager to target and exploit.”


In this hyperkinetic environment, a harried CISO needs to be able to visualize risk from a high level — as if it were moving in slow motion – and then make smart, strategic decisions. No single security solution now does this; there is no silver bullet. And the usual collection of security tools – firewall, endpoint detection, intrusion detection, SIEM, etc. – typically arranged as siloed layers to protect on-premises networks, falls short as well, Smith says.

See, assess, mitigate

In life, solving any complex challenge often comes down to going back to basics. Enterprises can head down several viable paths to start doing this, with respect to network security. Trend Micro is in the camp advocating that a more holistic security posture can be attained through securing three fundamental capabilities.

The first is the ability to see everything. Enterprises need to gain a crystal-clear view of every component of on-premises, private cloud and public cloud IT infrastructure, Smith says. This is not a snapshot; it’s more of a process of continuously discovering evolving tools, services and behaviors, she says.

Observes Smith: “This is about gaining visibility into all cyber assets, internal and external, and answering questions like, ‘What is my attack surface?’ and ‘How well can I see all the assets in my environment?’ ‘How many assets do I have?’ ‘What types?’ ‘What kinds of profiles do my assets have and how is that changing over time?’”

Discovering and continuously monitoring all cyber assets enables the second essential capability: doing strategic risk assessments to gain important insight into the status of their cyber risks and security posture. Need a roadmap? CISOs need only to follow the principles honed over the past 200 years by the property and casualty insurance industry.

It comes down to taking an informed approach to triaging cyber exposures, Smith says. Organizations need better insight in order to prioritize the actions that will reduce their risk the most. That insight identifies the security controls that should be in place for a given cyber asset. For example, strong authentication and least-privilege access are essential for sensitive assets but may be unnecessary for benign ones.

The third capability has to do with mitigating risks. Data analytics and automation can very effectively be applied to dialing in the optimum mix of security and agility, at scale. “This is about applying the right controls,” Smith says. “Whether that’s automated remediation action using security playbooks or prioritizing and proactively implementing recommended actions to lower risk.”

Towards holistic security

It’s remarkable – and telling – that Trend Micro got its start in 1988 as the supplier of a siloed security product: antivirus software. The company has evolved to stay in step with the evolution of network architectures and a threat landscape in which threat actors always seem to operate several steps ahead of security teams.

Trend Micro One, its unified security platform, along with its XDR capabilities, represent the latest iteration of its product strategy. Consolidating native Trend Micro tools and services with partner solution integrations will help enterprises put aside their siloed defense mentality and achieve comprehensive security in a powerful way.

“For effective security, you must have protection, detection, and response in place,” Smith says. “And you must have that continuous attack surface discovery and risk assessment so that you are prioritizing your actions and optimizing your security controls appropriately . . . I think that’s why we’re seeing security platforms, in general, gaining traction; because today’s environment requires that holistic approach.”

The rise of security platforms optimized for modern networks is an encouraging development. It’s early; there’s more to come. I’ll keep watch and keep reporting.
