The U.S. Securities and Exchange Commission (SEC) is taking steps to crack down on insufficient cyber risk reporting.


Seeking to minimize cybersecurity threat effects, the SEC has proposed several amendments requiring organizations to report on cyber risk in a “fast, comparable, and decision-useful manner.”

Worryingly, threats are beginning to outpace organizations’ ability to effectively prevent and respond to them. Leaders are no longer as confident in their organization’s cyber resilience, and employees often lack awareness.

The SEC, in essence, is compelling businesses, public companies and large investment firms to better prepare for inevitable cyber attacks. The new rules urge companies to build more robust cyber risk management programs.

This should provide better visibility into the impact of cyber risk and demonstrate the adequacy of risk mitigation investments.

Many organizations base their risk mitigation programs on standard risk quantification models such as FAIR (Factor Analysis of Information Risk). Cyber risk officers can use FAIR to quantify cyber risk in financial terms, a language familiar to business executives and boards of directors.

Here’s a breakdown of three rule amendments the SEC has proposed:

•Reporting cyber incidents in a timely manner. Organizations will have four days to determine that an incident posed a material risk and report it to the SEC. However, this assumes that the organization has already compiled its loss data and run an analysis to determine the financial impact.

•Reporting on the ongoing effects of cyber incidents. Organizations will be required to update the impact they previously disclosed. This presumes that organizations can aggregate cyber risk scenarios in financial terms and run a current quantitative cyber risk program, such as one based on FAIR.

•Disclosing policies and procedures for risk management. This amendment raises the curtain on policies and procedures for identifying and managing cybersecurity risks. This puts the onus on organizations to demonstrate cyber risk management practices.

Fostering understanding

The proposed amendments add onto existing rules, including requiring companies to disclose how they have been affected by cyber incidents financially. With the increased threat landscape and a surge of public and private sector attacks, stakeholders more urgently need to understand the risk.

Increasingly, cyber risk is seen as business risk, emphasizing the importance of quantifying it in a way that C-level executives and boards of directors can understand and analyze. Reporting cyber risk in financial terms is the most efficient, accurate, and compliant way forward. Based on the new amendments, security teams must rapidly and efficiently report any cyber incidents to boards and the SEC. With this in mind, how can they best do so? 

Vital to required reporting is being transparent about cyber risk: what is a company’s potential loss to the most significant cyber events? For business executives and boards of directors to assess the materiality of events that need to be disclosed, cyber loss exposure needs to be measured in financial terms, dollars and cents.

Implementing the FAIR standard not only provides a transparent approach to estimating cyber risk financially, but also complements major cybersecurity frameworks – including NIST CSF – that only provide a qualitative view of the state of security implementations. Tools based on FAIR now allow organizations to assess and report on cyber risk at scale.

Industry Benchmarking


To assess cyber risk posture in context, many boards like to benchmark cyber loss exposure against industry peers. This helps assess whether their company is more effective in dealing with cyber threats than peers and determine if more cybersecurity investments are needed.

Organizations can use cyber risk benchmark solutions based on empirical data that show average loss exposure experienced by companies in similar sectors and similar size, and compare it against their own risk assessments.

Quantitative cyber risk management programs based on standards such as FAIR also allow organizations to demonstrate cybersecurity investment adequacy, another SEC guidance element. This can be accomplished by analyzing and reporting on cybersecurity initiative effectiveness in driving cyber risk to acceptable levels.

Ultimately, all organizations must maintain vigilance when it comes to cybersecurity. Cyber risk constantly evolves, and being targeted is no longer a matter of if but when. It is vital for organizations to follow SEC recommendations when it comes to reporting material risks and maintaining robust quantitative cyber risk management programs. A plan should be in place for organizations to effectively mitigate cyber loss exposure to the most likely cyber events.

About the essayist: Nick Sanna is president of the FAIR Institute, a non-profit expert organization dedicated to advancing the discipline of measuring and managing information and operational risk. Sanna is also president and CEO of RiskLens, which supplies cyber risk quantification services.

The Deep & Dark Web is a mystery to most in the mainstream today: many have heard about it, but few understand just a fraction of what’s going on there.


Planning your roadmap, executing your projects, and keeping an eye on the barrage of ransomware headlines, it’s understandable if you and your team are feeling some anxiety.

Cyber anxiety can indeed be paralyzing, but new software solutions have the potential to become game-changers for IT departments. These automated programs will hunt the Deep & Dark Web for you, trawling through the deepest and dirtiest pools, looking for the next threat that has your name on it.

There are many facets to what I’ll call “The Underground.” It extends beyond the Deep & Dark Web to: unindexed Web forums, messaging boards, and marketplaces, encrypted messaging systems, and code repositories. It is simply impossible for a human analyst to sort through it all.

Additionally, filtering through these channels is made even more difficult due to language barriers, as well as gaining trust and access to these various forums. Having automated tools that can process these various datasets is integral to enriching your team’s intelligence programs, whether you have a well-established team and process, or are just beginning your journey.

Hunting threats

To gain access to message boards and chats on the Deep & Dark Web, cyber professionals carefully cultivate their own personas – a task that takes significant time and practice but is the only way to gain access to hacker communities. Once vetted and accepted, threat hunters will go into these message boards and communities and search for anything connected to your business, for example:

•Corporate login credentials

•Data collections released after ransomware attacks

•Databases with critical IP and/or PII

•Chatter about the best methods to attack your business

Ransomware attacks hit indiscriminately across business categories, from private corporations to government agencies, including schools and universities, hospitals and healthcare providers, financial institutions, and everything in between. There is no safety in size: hackers also target smaller businesses.

The financial losses associated with a hacking incident – not to mention the loss of customer trust and faith in a brand – make for a difficult and expensive recovery.

The rise of Initial Access Broker (IAB) markets gives criminal groups an easy way to purchase stolen credentials for a small fee. Hackers use these credentials to try to get a foothold inside a targeted company. The average cost of these credentials is as little as $10.

For example, a hospital that suffered a ransomware attack in 2021 had credentials to its VPN offered for sale in an underground market eight days prior to the attack.

In another example, it was reported that the Lapsus$ Ransomware gang bought and tried several sets of access credentials for T-Mobile, before finding a user with the right level of access to gain their foothold.

Staying vigilant

To help companies understand how they are being discussed and compromised on the Dark Web, the team of threat hunters and intel specialists at Cybersixgill offer a Portal that can be customized to look for any threat on the Underground that’s aimed at a user’s organization.


Think of the Cybersixgill Portal as a complex search engine that can reach the deepest depths of the Underground. It continuously crawls through more than 700 forums and marketplaces, and monitors more than 25,000 channels on platforms like ICQ, Discord and Telegram. Every day, Cybersixgill’s Portal brings in more than 7.5 million pieces of information, including indicators of compromise (IOCs), common vulnerabilities and exposures (CVEs), and malicious files.

For each of the hundreds of thousands of CVEs, Cybersixgill’s platform applies machine learning (ML) models to assist companies with patch prioritization. This method goes beyond the Common Vulnerability Scoring System (CVSS), which ranks vulnerabilities numerically, so companies can more easily decide which one to tackle first. The platform also integrates with many of the most popular cybersecurity platforms, such as CrowdStrike, Splunk, Microsoft Azure, and dozens more.

Staying on top of the latest threats can feel overwhelming, but there is no need to be cyber paralyzed. Cybersixgill arms security teams with data straight from the Underground, making it much easier to stop attackers before they cause significant damage.

About the essayist: Brad Liggett is Technical Director, Americas Intel Architects at Cybersixgill, a Tel Aviv-based cybersecurity company that supplies scalable, real-time, actionable, contextual, automated threat intelligence.

The identity management market has grown to $13 billion and counting. While intuition would tell you enterprises have identity under control, that is far from reality.


Current events such as the global pandemic and ‘The Great Resignation,’ which have accelerated cloud adoption, remote working environments, and the number of business applications and systems in use, have complicated matters.

As a result, new solutions and features to address identity challenges have emerged. In a sense, this is a positive trend: change makers are innovating and trying to stay ahead of imminent threats.

On the other hand, there’s a good deal of snake oil on the market, making it hard for organizations to realize the value of their tech investments. Last, and perhaps most significant, many solutions don’t work together harmoniously, making it hard for employees to get work done.

When you consider these points, it’s understandable why businesses end up with too many solutions to effectively manage, or simply default to manual, inefficient processes to address identity- and security-related tasks. But for progress to happen, we must first get to the root of why this is happening.

New research from Gradient Flow’s “2022 Identity Management Survey” aims to do this. From the findings, here are five ways leaders can improve their approach to identity management and security.

•Take stock of vendor relationships. A majority (54 percent) of survey respondents with IT job functions indicated that they work with several vendors for security functions including identity governance, risk, compliance, single sign-on, PAM, and security operations.


It’s reasonable that businesses will work with multiple vendors to address specific security issues. However, leaders would be wise to consider where they can scale back or consolidate. A good first step is to explore new features within existing tech systems in place.

•Reduce unnecessary applications and systems. Using 10 or more business applications weekly is the norm for approximately a quarter of survey respondents. Remote work (think video conferencing and cloud migrations) has only exacerbated the number of systems employees frequent.

Yet over 40% of knowledge workers queried expect a high productivity boost from using fewer applications or systems. Leaders must find ways to streamline tasks or boost functionality to help reduce context-switching’s effect on productivity.

•Prioritize user experience. User experience (UX) was the top challenge across most segments surveyed. Nearly half of respondents indicated that identity solutions need to provide better interfaces and allow people to work productively and securely. Jumping on new tech systems is not the solution.

Rather, leaders should extend functionality within systems employees are already familiar with. This is likely a reason that 47 percent of respondents use IT Service Management (ITSM) or workforce management platforms to govern things like permissions and entitlements. This approach requires no training and frees up IT teams for more important projects.

•Reduce management time. For all segments surveyed, granting and removing access took a few hours. That’s valuable time lost when onboarding new employees, and too much time for your sensitive data to be exposed to those on their way out. Among identity tasks, this one is fairly cut and dried, and as such should be automated where possible.

This also gives organizations real-time visibility into who is coming and going, and who does and doesn’t have access to certain company systems and assets in the case of an audit.

•Take AI hype with a grain of salt. In the vein of automation, artificial intelligence (AI) has been heavily hyped up in the technology world, but it may be too early to see the benefits in identity management. While two-thirds of respondents cited using AI, less than a third yielded moderate to high benefits for their efforts.

However, ITSM can help with this, as it provides organizations with the quantity and quality of data needed—that most are lacking—to execute successful AI and machine learning initiatives.

We still have a long way to go to optimize identity management and security, but understanding the triumphs, challenges, tools, and practices to approach it in a more strategic, beneficial way is helpful. With knowledge comes power, and with this research, we have the power to implement better approaches for identity management and beyond.

About the essayist: Jackson Shaw is chief strategy officer at Clear Skye, an Identity Governance and Administration (IGA) software company focused on enterprise identity access and risk management.

At the start of this year, analysts identified a number of trends driving the growth of cybersecurity. Among them: an expanding digital footprint, growing attack surfaces, and increasing government regulation.


Last year saw an unprecedented $21.8 billion in venture capital poured into cybersecurity companies globally. Investors more than doubled down in 2021, increasing investment by about 145 percent.

Based on the early-stage startup pitches we are seeing at Differential Ventures, that trend isn’t going to let up anytime soon. The top drivers of the continued growth of cybersecurity are: the growing need to protect the API supply chain, the inadequacy of existing identity management systems, and the unfulfilled promise of data-driven AI-powered cybersecurity systems.

Securing APIs

The SolarWinds attack made API supply chain security a front-page story in 2020. Major breaches at Parler, Microsoft Exchange Server, Experian, and LinkedIn increased the intensity of concern about API supply chain attacks in 2021. The Log4j vulnerability reported at the end of 2021 heightened concern even more. According to Gartner, a threefold increase from 2021.

Given all of this newfound concern for API supply chain security, where are the tools for solving this problem? The current tools are inadequate, brittle, statically rule-based, and require much manual intervention and processing. Every week, we see a new pitch for an API supply chain security startup. Many of them are pre-product and still in the design stage. But they are founded by highly-qualified and experienced cybersecurity experts, and they are likely to transform the landscape of API supply chain security in the coming years.

Improving identity management


For a long time, enterprise customers have been dissatisfied with cybersecurity solutions for identity management. Existing systems suffer from clumsy interfaces, an overwhelming IT management burden, and oscillations between being too permissive and too promiscuous. COVID-driven remote work made identity management a much higher priority. In addition, the growth of assets stored in digital wallets, as well as the promised growth of the metaverse and other Web 3.0 projects, makes more robust and portable identity management systems even more urgent.

Existing tools trying to manage users’ identities and their access permissions are proving inadequate, driving frustrated IT managers to become cybersecurity entrepreneurs. Many of the startups attempting to tackle this vexing problem are offering the promise of data science and machine learning to automate the process of managing identities, although none of them even have the data collected to prove the accuracy and robustness of their proposed solutions.

Still, given the impact data science has had on other areas of software development, it seems likely that in the coming years one or more of these proposed solutions will yield a significant improvement in identity management systems.

Leveraging data science

Nearly every cybersecurity startup pitched to our fund promises artificial intelligence built into their software, powered by data science trained on cybersecurity data. These pitches fall into two categories: pre-product companies and companies with working prototypes of their solutions. The one commonality across nearly all of these systems: they have no data yet to train their models, much less prove that their approaches will lead to improvements over state-of-the-art static systems.

Data science has improved the performance of software in a lot of industries, but it fails in many cases. The only way to know if data science will yield improvements is to collect the appropriate data, annotate it (if necessary), and analyze the annotated data to see if there is information in the data that can reduce uncertainty of phenomena that need to be predicted. If that analysis leads to a positive result, then you still need to train models on that data and figure out how to integrate the predictions from those models into software to produce insights that solve existing problems better than current systems.

With enough ingenious cybersecurity software developers and data scientists collecting data, iteratively building models, and using these models to address vexing unsolved or poorly solved cybersecurity problems, inevitably they will find ways to make meaningful impact on those problems, and some minority of the startups being funded today will have the chance to blossom into unicorns in the coming years.

The recent swoon in public markets for technology stocks may lead one to predict that there will be a lull in funding of cybersecurity solutions, along with a downtick in valuations. However, I believe that the impact of the market correction will be counterbalanced by the growing need for new solutions to many problems in cybersecurity, and by the ingenuity of the new approaches being taken to solve these problems.

About the essayist: David Magerman is a co-founder and managing partner at Differential Ventures. He was previously at Renaissance Technologies, a quantitative hedge fund management company.

What is it about the elderly that makes them such attractive targets for cybercriminals? A variety of factors play a role.


Unlike many younger users online, they may have accumulated savings over their lives — and those nest eggs are a major target for hackers. Now add psychological variables to the mix of assets worth stealing.

Perhaps elderly folks who haven’t spent a lot of time online are easier to deceive. And, let’s be honest, the deceptive writing used by today’s phishing attacks and other cyber threats is skilled enough to fool even the most trained, internet-savvy experts.

Ever present threats

Some of our elderly may be concerned that any hint of weakness will convince their relatives that they can no longer live alone. Thus hackers rely on them not revealing they’ve been duped. That said, here are what I consider to be the Top 5 online threats seniors face today:

•Computer tech support scams. These scams take advantage of seniors’ lack of computer and cybersecurity knowledge. A pop-up message or blank screen typically appears on a computer or phone, informing you that your system has been compromised and requires repair.

When you contact the support number for assistance, the scammer may ask for remote access to your computer and payment to repair it. Once they have remote access, fraudsters harvest older adults’ confidential details and defraud them. According to the Federal Trade Commission (FTC), seniors lost $500 each on computer tech assistance scams in 2018.

•Internet and email fraud. While surfing the Internet is a valuable skill at any age, some older persons have a slower adoption rate, making them ideal candidates for automated Internet scams common on the web and in email applications.

Pop-up browser windows imitating virus-scanning software will trick users into installing either a false anti-virus program (at a high fee) or an actual virus that will give scammers access to whatever information is on the user’s computer. Seniors are especially vulnerable to such traps since they are inexperienced with the less obvious components of web browsing.

Phishing emails and messages may appear to come from a company you’re familiar with or trust, such as a credit card company or a bank. Phishing emails may ask for personal information like a log-in or Social Security number to authenticate your account, or they may urge you to share your credit card payment details. The scammers then use what you share to steal your personal and financial information.

•Identity theft. Identity theft can happen online or over the phone, often without the victim’s knowledge, by stealing the victim’s personal information. A criminal exploiting someone’s medical or insurance details to make fraudulent claims is committing medical identity theft.

They can either use the data to charge for services or to steal cash. In each case, the victim is liable for thousands of dollars. Because the scammer’s health records become linked to the victim’s information, it may not be easy to qualify for insurance in the future.

Scams involving the Social Security Administration aren’t new, but they’re becoming more active and dangerous. In this type of attack, fraudsters inform the victim that their Social Security number has been used fraudulently and threaten to put them in jail if they do not comply with specific requests. If they successfully obtain the victim’s PII, they will be able to steal their Social Security benefits.

•Romance Scam. Online platforms are an excellent place for many seniors to connect and interact with new people. However, cybercriminals use this as a playground, and they use these online portals to play with the emotions of older adults.


An elderly victim is duped into believing they have a trusting relationship with the actor in this crime. The perpetrator, who may pose as the victim’s grandson or love interest, takes advantage of this connection to persuade the victim to share financial information, give money, purchase expensive presents, or unwittingly launder money. This enormously horrific cybercrime primarily targets older women and freshly widowed individuals.

•Debt relief scams. Seniors often worry about their debts, and fraudsters take advantage of that. They create fake websites to provide debt settlement services. They ask seniors to give their financial details and pay upfront fees.

Be aware, be prepared

Don’t be frightened or humiliated to tell someone you trust if you feel you’ve been a scam victim. You are not the only one, and resources are available to assist you. Doing nothing will aggravate the situation. Keep a list of phone numbers and services ready, such as your local police department, your bank, and Adult Protective Services. They will help you out.

About the essayist: Lyle Solomon has extensive legal experience as well as in-depth knowledge and experience in consumer finance and writing. He has been a member of the California State Bar since 2003. He graduated from the University of the Pacific’s McGeorge School of Law in Sacramento, California, in 1998, and currently works for the Oak View Law Group in California as a Principal Attorney.

Writing code can be compared to writing a letter.


When we write a letter, we write it in the language we speak — and the one that the recipient understands. When writing code, the developer does it in a language that the computer understands, that is, a programming language. With this language, the developer describes a program scenario that determines what the program is required to do, and under what circumstances.

If we make mistakes or typos in the text of the letter, its content becomes distorted. Our intentions or requests can get misinterpreted. The same thing happens when the developer makes errors in the code, resulting in inadvertent vulnerabilities.

Then the operating scenarios of the system become different from those originally intended by the software developer. As a result, the system can be brought into a non-standard condition, which was not provided for by the software developer. Thus, an attacker can manipulate these non-standard conditions for their own purposes.

As an example, let’s take SQL injection, one of the most well-known methods of hacking online applications. Suppose we have an online service, an online bank, for instance. We enter our login and password to sign in. In a SQL injection attack the intruder inserts malicious SQL into the input that is sent to the server for parsing and execution. Even with only an ordinary user account, the attacker can bring the system into an abnormal condition and get access to other users’ accounts.

Of course, the developer never intended for the system to be used in such a way. Yet when writing the code, the developer made mistakes that led to the vulnerabilities which made such abuse possible.
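To make the mechanism concrete, here is an added example (not code from the essay or from DerSecur) in Python with SQLite: a login check built by pasting input into the SQL text, next to the parameterized form that keeps the developer’s query structure intact for every input. The user table and credentials are constructed sample data.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table (sample data, not a real system).

    Passwords are stored in plaintext only to keep the example short;
    a real system stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The developer's intended scenario: match one row by username AND password.

    Because the input is spliced into the SQL text, the input is parsed as part
    of the SQL grammar and can change the query's structure, which is the
    'non-standard condition' the essay describes."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders hand the input to the driver as data.

    The SQL structure is fixed at write time, so no input can alter it."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def compare(conn, username, password):
    """Run both checks on the same input and report how each treated it."""
    result = {"parameterized": login_parameterized(conn, username, password)}
    try:
        result["vulnerable"] = login_vulnerable(conn, username, password)
    except sqlite3.OperationalError:
        # The input was interpreted as SQL syntax rather than as a value:
        # proof that user data reached the parser as code.
        result["vulnerable"] = "syntax error: input became part of the SQL grammar"
    return result


if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice", "correct horse"))  # both return 'alice'
    # An ordinary name containing an apostrophe is enough to show the difference.
    print(compare(db, "o'brien", "x"))  # parameterized: None; vulnerable: syntax error
```

The apostrophe case is the everyday symptom of the same defect that an attacker exploits: if a harmless quote can break the query, crafted input can reshape it.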

More code, more risk


Information systems are becoming more complex, and therefore the amount of code is increasing as well. A new mobile app, for instance, requires as many lines of code as a 15-year-old Linux kernel. At the same time, nowadays developers seldom write code from scratch. They assemble ready-made pieces of code, such as microservices packaged in software containers, and then add 10 to 20 percent more to create the new app.

In turn, the larger the amount of code, the higher the risk of errors that will lead to vulnerabilities. To prove it, I’ll tell you about an interesting case. We tested a thousand popular mobile apps against a set of parameters that, by our estimates, determine the security of an application.

It turned out that the average security level is 2.2 points out of the maximum 5. The only thing that saves the apps from massive attacks is that exploiting vulnerabilities in mobile applications without going deep into their server part is quite expensive and time-consuming. That’s why not all attackers are ready to do this.

Continuing the analogy of writing texts, in the past, when an author wrote a book or a journalist prepared a newspaper article, their texts used to be necessarily proofread by a copy editor, a person who checked for errors and inconsistencies. Nowadays, copy editors still exist, yet their job has become optional.

The role of automation

The fact of the matter is that people have learned to partially computerize this job, building automatic checks into computer programs to detect errors and typos. These automatic checks have gradually become more complex and in-depth. Now specialized software checks style and semantics as well as spelling.

The same thing happened to code writing. We now have quite smart systems, such as program code analyzers, that can detect inconsistencies, vulnerabilities, and defects in the written code.

They can be used in two modes depending on the amount of code. If the amount of developed code is small, you can run the check manually. If we are talking about multi-level code development involving hundreds of developers, where tens of thousands of lines are written per day, it is much more effective to run secure development processes (DevSecOps, Secure SDLC) with a code analyzer at their core.

To explain the mechanism of such processes through the above analogy, imagine a whole workgroup of proofreaders. They have a hierarchy and rules defining the order in which they proofread, the requirements a text must meet, and the cases in which a text must be sent back for revision. The same is true of secure development processes applied to software before its release.

This is the world of software vulnerabilities we live in today. It requires awareness and diligence to keep secure.

About the essayist: Dan Chernov is CTO of DerSecur which supplies DerScanner, a static app code analyzer capable of identifying vulnerabilities and undocumented features in Google Android, Apple iOS, and Apple macOS.

It’s no secret that cybersecurity roles are in high demand. Today there are more than 500,000 open cybersecurity roles in the U.S., leaving organizations vulnerable to cyber threats.


Meanwhile, 200,000 well-trained and technically skilled military service members are discharged each year.

These individuals have many transferable skills that would make cybersecurity a prosperous civilian career. Yet, there’s still work to be done to make this path more accessible and known among the veteran and transitioning military community.

Fundamentally, cybersecurity professionals identify weaknesses and design systems and processes to protect any organization — government agencies, private companies — from cyberattacks. Veterans have the characteristics that make them ideal for these roles. They’re exceptional at working in high-pressure environments, managing confidential information, solving complex problems and responding systematically.

Better still, cybersecurity jobs offer the individuals who have served our country a fulfilling career. Cybersecurity jobs are always available and offer many options for people who want to work remotely or move around the country for family or career reasons. Plus — they tend to pay well too. The average salary is $116,000 annually plus benefits.

While veterans are well-suited to transition into cybersecurity, there is often a disconnect when raising awareness about these opportunities and outlining paths to entry. Training and certification must become more accessible and hiring criteria must change to encourage veterans to apply for these roles.

For the cybersecurity industry in need of filling mission-critical roles, our responsibility is to make a concerted effort to help place these skilled individuals into jobs.

Koziol

Programs from private companies that focus on hiring veterans, offering free technical training and certification courses and upskilling existing veteran employees into cybersecurity roles could be an answer to our industry’s talent shortage. Including a veteran during the cybersecurity talent recruitment process is one way to create a more inclusive hiring process, as they understand the language, process and skills fellow veterans may have.

This experience can also be helpful when training cybersecurity talent. One example is a training program led by a veteran who once trained military members to prepare for combat. After many years and roles in his civilian life as a cybersecurity professional, he now leads (and built) the entire cybersecurity upskilling and training program for a large government contractor.

Arguably, one of the most critical changes needed will be to adapt hiring practices to help candidates without a traditional college education enter into these critical roles. Stringent job requirements for entry-level cybersecurity positions are some of the biggest hurdles facing those trying to break in — especially veterans who won’t be applying with a traditional college degree or the corporate experience often required.

Loosening these restrictions has been shown to work. A recent survey from Infosec revealed that hiring managers successfully filling cybersecurity roles were considering more inexperienced candidates, actively recruiting diverse candidates and emphasizing attributes like leadership skills, certifications, and communication skills.

Beyond lowering these barriers to entry, a key to placing these individuals in cybersecurity roles is forming partnerships that facilitate hands-on training, certifications, apprenticeships, mentorships and industry connections to help veterans land their first cyber job. And it works.

One student who took a free Security+ Training Boot Camp with Infosec and VetsinTech recently landed a Security Engineer job at Caterpillar, nearly doubling the salary of their previous civilian role (as a scientist). Another is using their cybersecurity training, received as part of a veterans scholarship, to advance their career as a law enforcement detective and spearhead the department’s first dedicated cybercrime unit.

These stories show that partnerships between government, private and public organizations are essential to guide veterans into cybersecurity roles with the training, certifications, professional connections and opportunities they need to break into the industry.

Many government and non-profit organizations like VetJobs and VetsinTech are doing just this. They provide free cybersecurity training and career development opportunities to transitioning service members, veterans, national guardsmen, reservists and military spouses.

As a security training provider, Infosec has formed partnerships with both of these organizations to provide hands-on certification training to veterans. No matter your organization’s size or type, I encourage you to reach out to them and see how your organization can collaborate to fill these gaps.

To stay ahead of the ever-changing landscape of cyber threats, we must think differently about hiring and training talent. After veterans break into our industry, they often serve as some of the most invaluable cybersecurity employees and leaders.

This is a call to upskill our country’s veterans into the cybersecurity roles we so desperately need.

About the essayist: Jack Koziol is the founder, SVP and GM of Infosec Institute, a cybersecurity education company. He is the author of The Shellcoder’s Handbook. When he’s not keeping the world safe by helping organizations educate their employees, he tries to get his three children to eat their breakfast and get to school on time.

In today’s times, we are more aware of cyberattacks as these have become front-page news. We most recently witnessed this as Russia invaded Ukraine. Cyberattacks were used as the first salvo before any bullet or missile was fired.

Related: The role of post-quantum encryption

We live in an increasingly digitized world where digital footprints are left behind, leaving evidence of nearly everything we do. This enables our adversaries to gain extremely valuable information and to steal, disrupt or even harm with simple keystrokes on a distant computer.

Quantum computers pose yet another looming threat, since it has been mathematically proven that quantum computers with enough power will crack the public-key encryption the world relies on today. When these computers come online, any company or federal agency that has not upgraded to post-quantum cybersecurity will leave its data vulnerable to attackers. Even worse, data that is being stolen today is sitting on servers in other countries waiting to be decrypted by quantum computers.

Why Now?

It is now more important than ever for companies to share cyberattack and ransomware data with the government to ensure that we can defend and prepare much better than before.

On March 15, 2022, a new bipartisan cyber incident reporting law, the “Cyber Incident Reporting for Critical Infrastructure Act,” was passed by Congress and signed by President Joe Biden. It requires critical infrastructure leaders in commercial enterprises and government to report cyber incidents to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

Ransomware payments must be reported within 24 hours, and all cyber incidents must be declared within 72 hours. The reporting requirements, however, will not become effective until CISA provides rules and guidelines for entities that incur cyber incidents. CISA still needs to define which entities are required to report, and when cyber incidents qualify for reporting.

According to Michigan Senator Gary Peters, chair of the Senate Homeland Security Committee, “This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation’s most essential systems back online so they can continue providing invaluable services to the American people.”


At this point, the companies and agencies that could be required to report fall under Presidential Policy Directive 21, which covers these critical infrastructure sectors: financial services, food and agriculture, government facilities, dams, critical manufacturing, communications, chemical, commercial facilities, defense industrial base, emergency services, energy, healthcare and public health, information technology, nuclear reactors, materials and waste, transportation systems, and water systems.

The bill defines a cyber incident as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.”

Privacy is a concern

Any entity required to report cyber incidents can face shareholder and consumer backlash, and so entities have been hesitant to report breaches. We have seen in the past how many cyber incidents have gone unreported as large brands and agencies try to prevent a degradation of trust. However, this bill includes protections designed to mitigate the problems that can arise from reporting cyber and ransomware incidents. A partial list of the protections includes:

•CISA will anonymize the reporting entity

•All of the reported information will remain proprietary to the reporting entity if so desired

•Reports cannot be used in enforcement or regulatory actions against reporting entities

Some experts worry that inflexible and inaccurate requirements or expertise/staff shortages could cause confusion and do more harm than good. As with any great plan, success lies in the efficacious execution of tasks to ensure an optimal outcome. However, the tradeoff is that we will have a chance at understanding how our adversaries are targeting government agencies and commercial entities, as well as other critical infrastructure groups, with cyberattacks. If the information flow is timely and accurate, it will allow other entities to protect themselves prior to experiencing an already known but not widely distributed cyberattack type.

Sharing attack intel

This bill was considered urgent by government leaders because our commercial enterprises, federal agencies and suppliers of critical infrastructure have seen increased cyberattacks and ransomware breaches that dramatically affected our nation’s energy and food supplies, while disabling some schools. For example, in 2021 the Colonial Pipeline was hacked, and the company decided to pay $5 million in ransom since most of the East Coast’s fuel supply was shut down.

Panicked East Coast Americans began hoarding gas due to a major disruption in fuel supply. The company did not notify the federal government about the ransomware attack until well after it happened.

Many cyber and ransomware breaches currently go unreported because they create reputational problems for companies and government agencies. After all, who wants to report that they had a breach which has caused critical data or operational losses? For commercial enterprises, this can lead to lawsuits, decreased shareholder value, and a lack of confidence in the brand. For government agencies, leaders must admit cybersecurity failures.

However, if commercial, government and critical infrastructure entities can share information it will help all of us to quickly learn and prepare for such attacks. And, if information about cyber breaches and ransomware attacks is shared quickly enough, we can provide warning to our nation’s largest and most important companies and federal agencies which could mitigate further damage. This is even more urgent as quantum computers will increase our risk of critical infrastructure disruption or failure.

About the essayist: Skip Sanzeri is COO of QuSecure, supplier of QuProtect™, a state-of-the-art, software-based quantum security solution.

According to recent data from Oracle and KPMG, organizations today employ over 100 cybersecurity products to secure their environments. These products play essential roles in detecting and preventing threats.

Related: Taking a ‘risk-based’ approach to security compliance

However, because they generate thousands of alerts every day, this vast sprawl of security sources adds even more work to already over-stretched security teams. It could create a cybersecurity ticking time bomb.

Many organizations have recently undertaken rapid digital transformations in response to the ongoing pandemic and a societal shift toward a “work from anywhere” future. This hybrid model has created exciting opportunities for employees and organizations and significantly raised the security stakes.

Most combine the cloud, Office 365, and Active Directory to store and transfer sensitive corporate data, and they need security solutions to protect their entire environment as it grows and evolves. The once “protective perimeter” surrounding enterprise IT has dissolved, transforming it from a closed environment into one that spans far and wide with copious entry points.

To address this security challenge, organizations are deploying more security products today. This seems to be creating new problems in vendor sprawl, further burdening security teams with more to do. The challenge is that disparate vendors do not represent data in the same way, so there is no correlation between dashboards and metrics.

When organizations have two or three security platforms protecting their environment, security teams must toggle between them and make sense of disparate data sets. This often results in a lack of clarity, inhibiting them from seeing the big picture of what is really happening in their security environment. This is why cyber gangs tend to favor layered attacks. They’re harder to identify across disparate security data sets.


All security technologies have their own alerting systems, requirements for patches and updates, integration needs, user nuances, policy management processes, access control, reporting, etc. This can become overwhelming for security teams, which are often understaffed and under-resourced, resulting in missed alerts – some insignificant, others critical.

Too many tools, too little time

So, how best to overcome this challenge? As organizations’ environments continue expanding, how best to improve security across the entire infrastructure without creating vendor sprawl or overburdening security teams?

One tool gaining prominence is Extended Detection and Response (XDR).

XDR is one of the latest acronyms to hit the cyber dictionary, and it is a new approach to threat detection and response. It provides holistic protection against cyberattacks across an organization’s entire digital estate, including endpoints, applications, networks, and cloud environments.

While the tool is often confused with Managed Detection and Response (MDR), Security Information and Event Management (SIEM), and Endpoint Detection and Response (EDR), it is very different as it builds upon each offering, rolling them into a single package to help organizations better secure their environments as digital transformation accelerates.

While EDR, MDR, and SIEM provide visibility into specific areas, by choosing just one, organizations are not necessarily improving their overall security posture against potential attack vectors because visibility is still limited to only the area that the solution is monitoring.

With EDR, the solution only looks for threats or security issues impacting organizations’ endpoints. Historically, when organizations’ primary attack vectors were PCs, this would have provided adequate security. However, attacks target multiple different sources today, so threat hunting and protection must secure everything.

XDR meets evolving security needs

Rather than deploying multiple tools from multiple security vendors, XDR combines endpoint, network, applications, and cloud architecture monitoring and response capabilities into one platform, allowing better correlation of security events and freeing security teams from vendor sprawl. With cyberattacks growing year-on-year, organizations simply do not have the manpower or resources to combat threats.

To bridge the gap, holes are plugged with new security products. While these are beneficial in threat detection, most products are from different vendors, which means there is no unified way to receive alerts. This results in strained security teams wasting time navigating through the mechanics of each security tool.

One of the best ways to overcome this issue is through XDR technology, the next evolution in threat detection and response. XDR’s capabilities protect organizations’ entire digital estates as they grow beyond the safety of their perimeter.

XDR can consolidate multiple toolsets and alerting systems into a single, integrated solution and provide rapid response against threats targeting any part of the organization’s infrastructure. Security teams can then identify and investigate alerts quickly from a single source, without being overburdened, before threats can harm the business.
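As an added illustration of the correlation argument above (example code written for this page, not code from the essay or from any XDR vendor): three constructed feeds in three different layouts are normalized and joined by user, so a layered chain that each tool on its own would score as low-priority noise surfaces as one critical alert. Feed formats, field names, hosts, users and IPs are all constructed.

```python
import json
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Added example of the cross-source correlation an XDR platform performs; not code from the essay or
# any vendor product. Feed layouts, field names and events are constructed (IPs are from TEST-NET-3).
# Event fields: when, which tool saw it ("endpoint"/"network"/"cloud"), user, host, normalized signal.
Event = namedtuple("Event", "ts source user host signal")

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Three constructed feeds, each in its own vendor layout (the "disparate data" problem).
ENDPOINT_LOG = [  # key=value text
    "2022-05-03T09:12:04Z host=ws-17 user=alice parent=WINWORD.EXE child=powershell.exe",
]
NETWORK_LOG = [  # CSV: ts,src_host,dst_ip,dst_port,bytes (the sensor knows hosts, not users)
    "2022-05-03T09:12:31Z,ws-17,203.0.113.8,443,1420",
    "2022-05-03T09:13:31Z,ws-17,203.0.113.8,443,1402",
    "2022-05-03T09:14:31Z,ws-17,203.0.113.8,443,1431",
    "2022-05-03T09:20:00Z,ws-22,203.0.113.9,443,52000",
]
CLOUD_LOG = [  # JSON lines from the identity provider
    '{"time": "2022-05-03T09:15:02Z", "user": "alice", "action": "mfa_device_added", "device": "new-phone"}',
]
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}

def endpoint_signals(lines: list) -> tuple:
    """Flag an Office app spawning a shell (alone, a frequent false positive) and learn host -> user."""
    out, owners = [], {}
    for line in lines:
        ts, rest = line.split(" ", 1)
        f = dict(kv.split("=", 1) for kv in rest.split())
        owners[f["host"]] = f["user"]
        if f["parent"].lower() in OFFICE and f["child"].lower() in SHELLS:
            out.append(Event(_ts(ts), "endpoint", f["user"], f["host"], "office_spawned_shell"))
    return out, owners

def network_signals(lines: list, owners: dict) -> list:
    """Flag 3+ similar-sized connections to one destination within 5 minutes (beacon-like)."""
    conns = defaultdict(list)
    for line in lines:
        ts, host, dst, port, nbytes = line.split(",")
        conns[(host, dst, port)].append((_ts(ts), int(nbytes)))
    out = []
    for (host, dst, port), c in conns.items():
        c.sort()
        sizes = [b for _, b in c]
        if len(c) >= 3 and c[-1][0] - c[0][0] <= timedelta(minutes=5) and max(sizes) - min(sizes) < 0.2 * max(sizes):
            out.append(Event(c[0][0], "network", owners.get(host, "unknown"), host, f"beacon_like_to_{dst}:{port}"))
    return out

def cloud_signals(lines: list) -> list:
    """Flag a newly enrolled MFA device (routine on its own, a persistence step in context)."""
    out = []
    for line in lines:
        d = json.loads(line)
        if d["action"] == "mfa_device_added":
            out.append(Event(_ts(d["time"]), "cloud", d["user"], d.get("device", "?"), "new_mfa_device"))
    return out

def all_signals() -> list:
    ep, owners = endpoint_signals(ENDPOINT_LOG)  # endpoint telemetry resolves hosts to users for the network feed
    return ep + network_signals(NETWORK_LOG, owners) + cloud_signals(CLOUD_LOG)

WINDOW = timedelta(minutes=15)
SEVERITY = {1: "low", 2: "medium", 3: "critical"}  # severity grows with the number of independent tools that agree

def correlate(events: list) -> list:
    """Group signals per user; raise one alert when >= 2 distinct tools agree within WINDOW."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            chain = [e for e in evs[i:] if e.ts - first.ts <= WINDOW]
            sources = {e.source for e in chain}
            if len(sources) >= 2:
                alerts.append({"user": user, "severity": SEVERITY[len(sources)],
                               "sources": sorted(sources), "signals": [e.signal for e in chain]})
                break  # one alert per user for this chain
    return alerts
```

Run on the constructed feeds, each standalone detector yields a single low-value signal, while `correlate(all_signals())` returns one critical alert for the user whose endpoint, network and cloud signals line up within fifteen minutes.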

About the essayist: Christian Espinosa is the managing director of Cerberus Sentinel, a Managed Compliance and Cybersecurity Provider (MCCP) with its exclusive MCCP+ managed compliance and cybersecurity services plus culture program. He also is the best-selling author of “The Smartest Person in the Room.” Espinosa came to Cerberus Sentinel after the company acquired Alpine Security, a cybersecurity consulting and managed services company he founded. He also has been a white hat hacker and a certified high-performance coach.

The unification revolution of cybersecurity solutions has started – and managed security service providers are leading the way. Managed security services (MSS) refer to a service model that enables the monitoring and management of security technologies, systems, or even software-as-a-service (SaaS) products. Here’s more on the various types and benefits of MSS, as well as the state of the MSS(P) market in 2022!

Related: Reviving ‘observability’ to secure complex networks

Fully-managed vs. co-managed

The current unification in the cybersecurity market is driving a massive movement towards fewer vendors, which at the same time means more polarization of either using MSS/MSSP or doing the security work internally.

Managed Security Services can be fully-managed or co-managed. In the case of fully-managed security services, the provider owns the security technologies and maintains and monitors the incidents gathered by these tools and technologies. Fully-managed security services are, of course, a particularly good bet for budget-conscious companies or for those who lack the internal capabilities to study and handle a wide range of technologies.

Co-managed security services best suit companies that already own a variety of security systems but lack the internal security personnel needed to monitor these solutions 24 hours a day, seven days a week. Managed security services providers (MSSPs) can help their customers learn more about the capabilities and functioning of each tool, as well as set up the appropriate configuration, allowing their employees to focus on more strategic security objectives.

Tipping the scale favorably

Whether you prioritize cybersecurity or not, cybercriminals will always prioritize (their own) profit, as the attacks described in our 2021 Threat Report prove. Under these circumstances, it’s crucial to understand that MSS can truly help you tip the scales in your favor. Here’s why:

•Managed security services provide round-the-clock monitoring: 24 hours a day, seven days a week, 365 days a year. This is a significant advantage, because handling business security in-house without the assistance of an outsourced partner naturally necessitates a significant investment in personnel and technology.

•Cyber attacks are increasing at an alarming rate, and cybercriminals are devising new tactics to achieve their unscrupulous goals nearly on a daily basis. Keeping up with new risks, resolving them as soon as they occur, and recovering from incidents identified too late may, as you can certainly imagine, take up valuable resources and cause businesses to lose time, money, and the trust of their clients/partners. Opting for an MSS helps you with all these aspects.

•They ensure increased security maturity and management. MSSPs can help companies quickly implement a robust cybersecurity solution, and also provide them with expert security management without the need to pay for the necessary skills in-house.

•Another significant advantage is compliance support. As new data protection legislation (such as the GDPR and the CCPA) joins existing regimes (like HIPAA and PCI DSS), the regulatory environment becomes increasingly complex. An MSSP can assist with data collection and report generation to establish compliance during audits or in the aftermath of a possible incident.

But, you may be wondering, what about the hazards of outsourcing cybersecurity? It’s worth noting that there are a few:

•Cybersecurity breaches may originate from the vendor, putting the host company’s information at risk. The greater the reliance, the more likely such a breach will take place.

•Third-party providers may have more access to host company data, leading to greater harm in the case of cyberattacks.

•There may be a lack of understanding of the organization’s particular needs and culture, which could have a significant impact on risk tolerance, security protocols, and user security requirements.

•MSSPs may employ a general security framework, with insufficient flexibility to meet all of the company’s specific demands.

While the benefits of using an MSSP are far more valuable overall (assuming you choose a trustworthy cybersecurity provider), companies might still choose to drop it at a later point – in this case, developing an in-house solution is usually the only other option.

MSSPs in 2022

What happens on the market? Well, as MSSP Alert notes, “In the Americas, the MSSP and PSSP market will reach $18.81 billion by 2024, up from $12.01 billion in 2020.”

Some of the main drivers of this accelerated growth include:

•Advanced threats and risk tolerance. Service providers need to emphasize the effects of advanced persistent threats (APTs) by showing companies their exposure to financial, intellectual property, and confidential information losses […].

•Digital Transformation. MSS/PSS providers must take advantage of digital transformation initiatives by observing clients’ current situations and being trusted advisors through consulting and value-added services to help them embrace digitalization […].

•IoT. Enterprises that embrace IoT technologies to enhance end-user and employee experiences are likely to turn to MSS providers for quick and effective security […].


Other factors that I could add here are the increasing security breaches and sophisticated cyberattacks across organizations, and the new normal brought about by the pandemic and the #WorkFromHome / #WorkFromAnywhere models.  With staff working from all over the world and many of them using their own devices, it’s evident that having a dedicated, experienced team monitoring the cybersecurity aspects for you is critical.

Nonetheless, despite all of the benefits that MSSPs provide, the market faces significant challenges:

Customers may be hesitant to incorporate new and unfamiliar solutions into their technological stack, and they may be worried that new technologies would complicate their procedures or user experience.

Similarly, clients may be hesitant to migrate from conventional data protection solutions to cloud-based alternatives that capitalize on the cloud’s advantages.

Last but not least, there are also concerns about rising cybersecurity costs.

Moving forward, the MSSP market should unquestionably prioritize providing a wide range of services (SIEM, MDR, XDR) in a unified, intuitive platform, as well as equipping dedicated SOCs with all of the technology and human expertise necessary to monitor and respond to threats 24 hours a day, seven days a week. Having robust SOCs in multiple time zones and geographies improves service delivery resiliency and will soon become a benchmark of superior cybersecurity.

Choosing a provider

Since the MSSP market is rapidly expanding, it may be tough to select the one that best meets your company’s requirements. Here’s what you should be critical about before making a decision:

•Technical capabilities. A good MSSP must have a view of your logs, determining what should be gathered first and what can be collected later. They must be able to pinpoint how they enhance your infrastructure by leveraging Big Data Analysis, Anomaly Detection, and Threat Analysis.

•Onboarding and operational capacity. The MSSP must find the time to correctly put in place your points of contact with their firm, understand your requirements, and explain the mechanisms in place in the event of an alert. A good onboarding procedure employs methodical procedures and precise implementation guidelines.

•Detection, alerts, response. You must be aware of your most valuable assets and high business impact devices and choose a technology that allows you to implement use-cases modeled around them. It’s crucial that critical conditions generate notifications; the alert rules must be adapted to your environment and needs. They must also be classified based on their severity level, and non-critical occurrences should be omitted from notice but nevertheless analyzed.

Before considering MSSPs, IT and security teams should carefully assess which services will be outsourced, then establish with management the budget and protocols needed for the collaboration. Once your organization has defined its MSSP requirements, explore viable prospects and create a shortlist of providers. Meeting with these suppliers and reviewing client references may be the last step in determining which MSSP is suitable for your organizational requirements.

By utilizing a structured mix of network and endpoint monitoring, behavioral analysis, Machine Learning tools, and threat intelligence, Heimdal’s XDR/SOC acts as a central hub for security intelligence, gathering and dynamically comparing input from multiple sources (endpoints, networks, cloud workloads) to detect threats faster and ramp up response times.

Our XDR solution comprises some of our most critical modules (Threat Prevention, Patch and Asset Management, Next-Gen Antivirus, Ransomware Encryption Protection, Privileged Access Management, Application Control), which work together to provide a seamless experience and are available through a unified, intuitive dashboard. It can also be used by Heimdal resellers and distributors for their clients.

Large scale enterprises have a strong preference – for obvious reasons – for running XDR / SOC internally and can use the Heimdal suite as their product to do so, but smaller companies increasingly outsource too, where the MSSP then uses a single suite for service.

The choice is yours as a customer, but there are vast opportunities to capitalize on by leveraging one platform, hence giving yourself more time to work with, instead of wasting time correlating data and actions between platforms.

Managed Security Services (MSS) provide a competitive edge to any company that chooses them, regardless of size. Because of the security expertise and extra staffing they transfer, they drive not only cybersecurity but also productivity and profit, especially in the case of unified solutions that can replace multiple vendors.

I’m certain that many enterprises will turn to MSSPs for swift deployment timelines and greater time-to-value on security expenditure, so the MSSP industry will surely expand continuously in the following years, helping customers stay ahead of cybercriminals and focus on what’s really important for their business.

About the essayist: Morten Kjaersgaard is CEO of Heimdal Security.

Editor’s note: This article originally appeared on Heimdal Security’s blog and is reprinted here with their permission.