New Tech
RSAC insights: Software tampering escalates as bad actors take advantage of ‘dependency confusion’

By Byron V. Acohido

It’s not difficult to visualize how companies interconnecting to cloud resources at a breakneck pace contribute to the outward expansion of their networks’ attack surface.

Related: Why ‘SBOM’ is gaining traction

If that wasn’t bad enough, the attack surface companies must defend is expanding inwardly, as well – as software tampering at a deep level escalates.

The SolarWinds breach and the disclosure of the massive Log4j vulnerability have put company decision makers on high alert with respect to this freshly-minted exposure. Findings released this week by ReversingLabs show that 87 percent of security and technology professionals view software tampering as a new breach vector of concern, yet only 37 percent say they have a way to detect it across their software supply chain.

I had a chance to discuss software tampering with Tomislav Pericin, co-founder and chief software architect of ReversingLabs, a Cambridge, MA-based vendor that helps companies granularly analyze their software code. For a full drill down on our discussion please give the accompanying podcast a listen. Here are the big takeaways:

‘Dependency confusion’

Much of the discussion at RSA Conference 2022, which convenes this week (June 6 – 9) in San Francisco, will boil down to slowing attack surface expansion. That now includes paying much closer attention to the elite threat actors who are moving inward, carving out fresh attack vectors that take them deep into the software development process itself.

The perpetrators of the SolarWinds breach, for instance, tampered with the build system of the widely used Orion network management platform, so that their malicious code was compiled into official, signed releases.
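Dependency confusion, the technique named in the headline, works because a build that pulls packages from both an internal registry and a public one will take a public package that carries an internal name and a higher version number. One way to catch that before the build ships is to audit the lockfile: any package whose name follows the internal naming convention must have been resolved from the internal registry, and every package should carry an integrity hash so a swapped tarball cannot install silently. The Python audit below is an added example, not code from ReversingLabs or from the article; the lockfile, the `acme-`/`@acme/` naming convention, the `npm.internal.acme.example` registry host and the implausible `99.0.1` version of the hijacked package are all constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed package-lock.json (lockfileVersion 3 layout); not from the article.
# "acme-auth-client" is the internal package that has been hijacked: it resolved
# from the public registry at an implausibly high version, the classic sign that
# an attacker published a same-named package to win version resolution.
SAMPLE_LOCK = json.dumps({
    "name": "acme-portal",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "acme-portal", "version": "1.0.0"},
        "node_modules/acme-auth-client": {
            "version": "99.0.1",
            "resolved": "https://registry.npmjs.org/acme-auth-client/-/acme-auth-client-99.0.1.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/acme-logging": {
            "version": "2.3.0",
            "resolved": "https://npm.internal.acme.example/acme-logging/-/acme-logging-2.3.0.tgz",
            "integrity": "sha512-BBBB",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-CCCC",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
    },
})

# Assumed naming convention and registry host for the organisation's own packages.
INTERNAL_PREFIXES = ("acme-", "@acme/")
INTERNAL_REGISTRY_HOSTS = {"npm.internal.acme.example"}


def package_name(lock_path):
    """'node_modules/a/node_modules/@acme/b' -> '@acme/b' (innermost package)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text, prefixes=INTERNAL_PREFIXES, hosts=INTERNAL_REGISTRY_HOSTS):
    """Return (package, rule, detail) findings for a package-lock.json string."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if path == "":          # the root project entry, not a dependency
            continue
        name = package_name(path)
        host = urlparse(meta.get("resolved", "")).hostname or "<none>"
        if name.startswith(prefixes) and host not in hosts:
            findings.append((name, "dependency-confusion",
                             f"internal name resolved from {host} at version {meta.get('version')}"))
        if not meta.get("integrity"):
            findings.append((name, "no-integrity",
                             "no integrity hash, so a swapped tarball would install silently"))
    return findings


if __name__ == "__main__":
    for name, rule, detail in audit_lockfile(SAMPLE_LOCK):
        print(f"{rule:22} {name}: {detail}")
```

Run against a real lockfile, the check belongs in CI next to the build: it costs nothing and it is exactly the kind of tampering signal the 63 percent without supply-chain detection are missing. The structural fix is to stop the resolver from consulting the public registry for internal names at all (npm scopes pinned to one registry; for pip, a single `index-url` that proxies the public index rather than an `extra-index-url`), with the audit kept as the backstop.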

RSAC insights: ‘SaaS security posture management’ — SSPM — has emerged as a networking must-have

By Byron V. Acohido

Companies have come to depend on Software as a Service – SaaS — like never before.

Related: Managed security services catch on

From Office 365 to Zoom to Salesforce.com, cloud-hosted software applications have come to make up the nerve center of daily business activity. Companies now reach for SaaS apps for clerical chores, conferencing, customer relationship management, human resources, salesforce automation, supply chain management, web content creation and much more, even security.

This development has intensified the pressure on companies to fully engage in the “shared responsibility” model of cybersecurity, a topic that will be in the limelight at RSA Conference 2022 this week (June 6 – 9) in San Francisco.

I visited with Maor Bin, co-founder and CEO of Tel Aviv-based Adaptive Shield, a pioneer in a new security discipline referred to as SaaS Security Posture Management (SSPM). SSPM is part of an emerging class of security tools that are being ramped up to help companies dial in SaaS security settings as they should have started doing long ago.

This fix is just getting under way. For a full drill down, please give the accompanying podcast a listen. Here are the key takeaways:

Shrugging off security

A sharp line got drawn in the sand, some years ago, when Amazon Web Services (AWS) took the lead in championing the shared responsibility security model.

To accelerate cloud migration, AWS, Microsoft Azure and Google Cloud guaranteed that the hosted IT infrastructure they sought to rent to enterprises would be security-hardened – at least on their end.

NEW TECH: How ‘CAASM’ can help security teams embrace complexity – instead of trying to tame it

By Byron V. Acohido

The shift to software-defined everything and reliance on IT infrastructure scattered across the Internet has boosted corporate productivity rather spectacularly.

Related: Stopping attack surface expansion

And yet, the modern attack surface continues to expand exponentially, largely unchecked. This dichotomy cannot be tolerated over the long run.

Encouragingly, an emerging class of network visibility technology is gaining notable traction. These specialized tools are expressly designed to help companies get a much better grip on the sprawling array of digital assets they’ve come to depend on. Gartner refers to this nascent technology and emerging discipline as “cyber asset attack surface management,” or CAASM.

I sat down with Erkang Zheng, founder and CEO of JupiterOne, a Morrisville, NC-based CAASM platform provider, to discuss how security got left so far behind in digital transformation – and why getting attack surface management under control is an essential first step to catching up.

For a full drill down, please give the accompanying podcast a listen. Here are my takeaways:

NEW TECH SNAPSHOT: Can ‘CAASM’ help slow, perhaps reverse, attack surface expansion?

By Byron V. Acohido

Defending companies as they transition to cloud-first infrastructures has become a very big problem – but it’s certainly not an unsolvable one.

Coming Wed., May 18: How security teams can help drive business growth — by embracing complexity. 

The good news is that a long-overdue transition to a new attack surface and security paradigm is well underway, one built on a fresh set of cloud-native security frameworks and buttressed by software-defined security technologies.

It strikes me that the security systems we will need to carry us forward can be divided into two big buckets: those that help organizations closely monitor network traffic flying across increasingly cloud-native infrastructure and those that help them keep their critical system configurations in shipshape.

There’s a lot percolating in this second bucket, of late. A bevy of cybersecurity vendors have commenced delivering new services to help companies gain visibility into their cyber asset environment, and remediate security control and vulnerability gaps continuously. This is the long-run path to slowing the expansion of a modern attack surface.

“The challenge is that cyber assets are exploding out of control and security teams are having a hard time getting a grasp on what’s going on,” says Erkang Zheng, founder and CEO of JupiterOne, a Morrisville, NC-based asset visibility platform provider. “But at the same time, because everything is now software-defined, we actually can approach this problem with a data-driven and an automation-driven mechanism.”

JupiterOne is in a group of cybersecurity vendors that are innovating new technology designed to help companies start doing what they should have done before racing off to migrate everything to the cloud. What happened was that digital transition shifted into high gear without anyone giving due consideration to the security gaps they were creating.

The need to start doing this is glaring; so the rise of specialized technology to get this done is a welcomed development.
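As a concrete illustration of the data-driven, automation-driven approach Zheng describes: a CAASM platform ingests inventories from the cloud provider, the EDR console and the vulnerability scanner, then joins them so that coverage gaps show up as queryable facts rather than as surprises during an incident. The Python below is an added example, not JupiterOne’s code or anything from the article; the three inventory feeds are constructed stand-ins for API responses, and the three gap rules (every asset has an owner, every host reports to EDR, every internet-facing address is in scanner scope) are assumptions about what a team would want flagged.

```python
# Constructed stand-ins for what a CAASM platform pulls from cloud, EDR and
# scanner APIs. None of this data comes from the article or from any vendor.
CLOUD_INSTANCES = [
    {"id": "i-0a1", "name": "web-1", "public_ip": "203.0.113.10", "owner": "platform"},
    {"id": "i-0a2", "name": "db-1", "public_ip": None, "owner": "data"},
    {"id": "i-0a3", "name": "tmp-poc", "public_ip": "203.0.113.11", "owner": None},
]
EDR_HOSTNAMES = {"web-1", "db-1"}               # hosts reporting to the EDR console
SCANNER_TARGETS = {"203.0.113.10", "10.0.0.5"}  # addresses the vuln scanner covers


def asset_gaps(instance, edr_hostnames, scanner_targets):
    """Return the list of control gaps for one instance (assumed rules)."""
    gaps = []
    if not instance.get("owner"):
        gaps.append("no-owner")            # nobody to route findings to
    if instance["name"] not in edr_hostnames:
        gaps.append("no-edr")              # detection blind spot
    ip = instance.get("public_ip")
    if ip and ip not in scanner_targets:
        gaps.append("exposed-unscanned")   # internet-facing but never assessed
    return gaps


def inventory_report(instances, edr_hostnames, scanner_targets):
    """Join the feeds both ways: gaps per asset, plus scanner targets that match
    no known asset (stale scan scope is itself an inventory problem)."""
    gaps = {}
    for inst in instances:
        found = asset_gaps(inst, edr_hostnames, scanner_targets)
        if found:
            gaps[inst["id"]] = found
    known_ips = {i["public_ip"] for i in instances if i.get("public_ip")}
    orphan_targets = sorted(scanner_targets - known_ips)
    return {"gaps": gaps, "orphan_scan_targets": orphan_targets}


if __name__ == "__main__":
    report = inventory_report(CLOUD_INSTANCES, EDR_HOSTNAMES, SCANNER_TARGETS)
    for asset_id, found in report["gaps"].items():
        print(f"{asset_id}: {', '.join(found)}")
    print("scanner targets with no matching asset:", report["orphan_scan_targets"])
```

The point of the two-way join is that the unowned, unmonitored proof-of-concept box and the scanner entry for a machine that no longer exists are both symptoms of the same problem, an inventory nobody reconciles; once the feeds are joined continuously, each rule becomes a standing query rather than a quarterly audit.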

Indeed, research firm Gartner very recently created yet …

GUEST ESSAY: The case for leveraging hardware to shore up security — via a co-processor

By Gopi Sirineni

Cybersecurity has never felt more porous. You are no doubt aware of the grim statistics:

• The average cost of a data breach rose year-over-year from $3.86 million to $4.24 million in 2021, according to IBM.

• The majority of cyberattacks result in damages of $500,000 or more, Cisco says.

• A sobering analysis by Cybersecurity Ventures forecasts that the global cost of ransomware attacks will reach $265 billion in 2031.

• The FBI reports that 3,000-4,000 cyberattacks are counted each day.

That’s just a sample of what is obvious to anyone in the industry: we’re in a war with cybercriminals, and we can hardly say we’re winning.

The vulnerabilities of internet security, once mostly a nuisance, have become dangerous and costly. Data privacy breaches expose sensitive details about customers, staff, and company financials. Security software may have been a satisfactory product at the turn of the century, but despite massive levels of investment, many experts now realize that it is not adequate for dealing with contemporary threats.

We reached this point of friction because of the compound effect of two shortcomings. One, security was too often treated as an afterthought by the industry, taking a backseat to a device’s speed, functionality, and design. Security remains an added expense that isn’t easy to market, especially when third-party software solutions have been so widely adopted.

GUEST ESSAY – A primer on ‘WAAP’ – an approach to securing APIs at the web app layer

By Venkatesh Sundar

One could make the argument that Application Programming Interfaces — APIs – are a vital cornerstone of digital transformation.

Related: How a dynamic WAF can help protect SMBs

APIs interconnect the underlying components of modern digital services in a very flexible, open way. This has resulted in astounding innovations in cloud services, mobile computing, IoT systems and agile software development.

However, APIs have gained traction so rapidly and deeply that not nearly enough attention has been paid to the associated security shortcomings. Many organizations, SMBs and enterprises alike, do not understand the scope and scale of their deployments of APIs, much less how to go about effectively securing their APIs.

No surprise: threat actors are taking full advantage. Today, criminal hackers routinely leverage loosely configured and lightly monitored APIs in two ways: to gain a foothold in the early stages of a multi-stage network attack, and later to encrypt crucial systems and/or exfiltrate sensitive data.

SHARED INTEL: Can Apple’s pricey ‘Business Essentials’ truly help SMBs secure their endpoints?

By Apu Pavithran

Today’s operating system battleground has long been defined by the warfare between the top three players—Microsoft’s Windows, Google’s Android, and Apple’s iOS.

Related: Cook vs. Zuckerberg on privacy

While each has its distinguishing features, Apple’s privacy and security posture is what makes it the typical enterprise’s pick. Tim Cook, CEO of Apple, said at the virtual Computers, Privacy, and Data Protection conference: “Privacy is one of the top issues of the century and it should be weighed as equal as climate change.”

In June 2020, Apple’s intention of expanding in the enterprise space was made evident by its acquisition of Fleetsmith, a Mobile Device Management (MDM) solution for Apple devices. What Apple would do with Fleetsmith on the team was the open question.

The answer came in the form of Apple Business Essentials (ABE). Let’s take a look at whether ABE will meet enterprises’ demands.

Apple eyes SMBs

In recent years, we have seen diverse initiatives, including Apple Business Manager (ABM), launched in spring 2018, and Apple Business Essentials (ABE), launched in 2021, clearly showing Apple’s desire to conquer the enterprise market.