
SHARED INTEL: Akamai reports web attack traffic spiked 62 percent in 2020 — all sectors hit hard

By Byron V. Acohido

Some instructive fresh intelligence about how cyber attacks continue to saturate the Internet comes to us from Akamai Technologies.

Related: DHS launches 60-day cybersecurity sprints

Akamai, which happens to be the Hawaiian word for “smart,” recently released its annual State of the Internet security report. As a leading global content delivery network (CDN), Akamai has a bird’s-eye view of what is coursing through cyberspace moment-by-moment. In 2020, it saw 193 billion credential stuffing attacks globally, with 3.4 billion hitting financial services organizations — an increase of more than 45 percent year-over-year in that sector.

Meanwhile, threat actors’ siege on web applications surged 62 percent in 2020 vs. 2019: Akamai observed nearly 6.3 billion web app attacks last year, with more than 736 million targeting financial services.

The majority were SQL Injection (SQLi) attacks, which made up 68 percent of all web app attacks in 2020; Local File Inclusion (LFI) attacks came in second at 22 percent. However, in the financial services industry, LFI attacks were the number one web application attack type in 2020 at 52 percent, with SQLi at 33 percent and Cross-Site Scripting at 9 percent.

I had the chance to visit with the estimable Steve Ragan, the Akamai analyst who put together this report. I’ve known Ragan for a long time and greatly respect his work. He’s excellent at putting himself in the shoes of the threat actors. Here are excerpts of our discussion, edited for clarity and length.

Q: The scale of ‘attacks’ in 2020 is astronomical: 6.3 billion web attacks globally; 736 million in the financial services sector. Can you break this down, and put it into a useful context? For instance, what constitutes a single web attack?

A: You’re right. It is astronomical. For Akamai, a single alert is an attack, and a group of attacks could be called a campaign. In 2020, we observed a healthy mix of both attacks and … more

MY TAKE: How SASE has begun disrupting IT — by shifting cybersecurity to the ‘services edge’

By Byron V. Acohido

One of the hottest topics at RSA Conference 2021, taking place virtually this week, is the Secure Access Service Edge (SASE) security framework.

Related: Cybersecurity experts react to Biden’s EO

SASE (pronounced sassy) essentially is a roadmap for infusing privacy and security deeply into the software coding that gives life to our smartphones, IoT devices and cloud infrastructure, i.e. at the “services edge,” where all the action is taking place.

Coined by Gartner in late 2018, SASE is gaining momentum as a generational disruptive force. It calls for organizations to start proactively managing the myriad new attack vectors they’ve opened up in the pursuit of digital agility — by embracing a bold new IT architecture that extends network security far beyond the traditional perimeter.

However, disruption doesn’t happen without displacement. And at this early stage, things are a bit chaotic. As established and newer cybersecurity vendors scramble to catch the SASE wave, marketing messages have sometimes been less than clear.

From the customer’s point of view, some early-adopter enterprises have experienced buyer’s remorse trying out SASE services that don’t really make the grade, says Mike Spanbauer, security evangelist at Juniper Networks, a Sunnyvale, Calif.-based supplier of networking technology.

“What we’ve heard from out in the marketplace is that a number of SASE solutions that supposedly could deliver everything as promised, were found to be lacking in many capacities,” Spanbauer says.

ROUNDTABLE: Experts react to President Biden’s exec order in the aftermath of Colonial Pipeline hack

By Byron V. Acohido

As wake up calls go, the Colonial Pipeline ransomware hack was piercing.

Related: DHS embarks on 60-day cybersecurity sprints

The attackers shut down the largest fuel pipeline in the U.S., compelling Colonial to pay them 75 bitcoins, worth a cool $5 million.

This very high-profile caper is part of an extended surge of ransomware attacks, which quintupled globally between the first quarter of 2018 and the fourth quarter of 2020, and is expected to rise 20 percent to 40 percent this year, according to insurance giant Aon.

Ransomware is surging at a time when the global supply chain is being corrupted from inside out, as so vividly illustrated by the SolarWinds supply chain debacle.

In response, President Biden last week issued an executive order requiring more rigorous cybersecurity practices for federal agencies and contractors that develop software for the federal government. Last Watchdog asked a roundtable of cybersecurity industry experts for their reaction. Here’s what they said, responses edited for clarity and length:

Chenxi Wang, founder & general partner, Rain Capital

The new executive order is a swift response from the administration. It’s refreshing to see a government executive order that understands technology trends such as “zero trust,” is able to delineate “Operational Technology (OT)” from “information technology (IT),” and can talk intelligently about supply chain risks.

While some of the measures stipulated in the order are considered table stakes like multi-factor authentication, the fact that the order exists will help to raise the collective security posture of products and services. It will not be sufficient to defend against sophisticated adversaries, but it will help organizations on the lower end of the capability spectrum to improve their cyber posture and defense.

Keatron Evans, principal security researcher, Infosec Institute

President Biden’s order was drafted with heavy involvement from actual cybersecurity experts, and this is encouraging. Requiring federal agencies to produce an actionable plan to implement Zero Trust Architecture is … more

GUEST ESSAY: 3 sure steps to replace legacy network security systems — in a measured way

By Jackson Shaw

Keeping up with the pace of technology, information, and the evolving threat landscape is a challenge for all enterprises.

Related: DHS launches 60-day cybersecurity sprints

To make matters more difficult, implementing new security software and processes to address these issues is another big hurdle, often causing disruption—and not the good kind. But with mounting pressure to replace legacy, perimeter-centric defenses with cloud- and hybrid-cloud protection, many organizations are stuck between a rock and a hard place.

It goes without saying that phasing out a legacy system and putting something modern in its place is a substantial undertaking. IT teams are stretched thin as they install the new system while supporting the old one.

Simultaneously, end-users with years of expertise on the old system must suddenly learn a new one. Between potential downtime and retraining an entire organization on new workflows, processes, and user interface, productivity is at risk, and with it, the bottom line.

Take identity management—arguably one of the most important defenses against cyber threats—for example. Companies make significant investments in identity governance and administration (IGA) or identity access management (IAM), only to realize that these siloed, on-premises systems can’t meet the needs of a modern, flexible, cloud-centric, and digital enterprise.

RSAC insights: Introducing ‘CWPP’ and ‘CSPM,’ new frameworks to secure cloud infrastructure

By Byron V. Acohido

A greater good has come from Capital One’s public pillaging over losing credit application records for 100 million bank customers.

Related: How credential stuffing fuels account takeovers

In pulling off that milestone hack, Paige Thompson took advantage of CapOne’s lack of focus on cloud security as the banking giant rushed headlong into leveraging Amazon Web Services. Luckily, Thompson left an easy trail for the FBI to follow and effect her arrest in August 2019.

The lone wolf hacker’s lasting legacy may be that she gave the cybersecurity industry an impetus to double down on its efforts to help enterprises get a grip on cloud security.

A slew of new cloud-security frameworks have gained traction since the Capital One hack. I recently had the chance to sit down with Kevin Simzer, chief operating officer of Trend Micro, to discuss two of them: Cloud Workload Protection Platform (CWPP) and Cloud Security Posture Management (CSPM). For a full drill down on our conversation, please give the accompanying podcast a listen. Here are the key takeaways:

Cloud migration risks

The summer of 2019 was a heady time for the financial services industry. Capital One’s valuation hit record highs at a time when its senior executives bragged on Wall Street about how the bank’s aggressive adoption of AWS-supplied infrastructure would boost both profits and security. In reality, the bank wasn’t paying close enough attention to its shared responsibility for keeping its cloud-stored assets secure.

RSAC insights: Deploying SOAR, XDR along with better threat intel stiffens network defense

By Byron V. Acohido

Much attention has been paid to the widespread failure to detect the insidious Sunburst malware that the SolarWinds hackers managed to slip deep inside the best-defended networks on the planet.

Related: The undermining of the global supply chain

But there’s also an encouraging ‘response’ lesson SolarWinds teaches us, as well.

Reacting to the disclosure of this momentous supply-chain hack, many of the breached organizations were able to deploy advanced tools and tactics to swiftly root out Sunburst and get better prepared to repel any copycat attacks. It was an opportunity to put their security orchestration, automation and response (SOAR) solutions, as well as endpoint detection and response (EDR) tools, to the test.

In that sense, SolarWinds validated the truckloads of investment that have been poured into developing and deploying SOAR and EDR innovations over the past five years. I had the chance recently to visit with Leon Ward, Vice President of Product Management at ThreatQuotient, provider of a security operations platform with multiple use cases including serving as a threat intelligence platform (TIP). We discussed current developments that suggest SOAR and EDR will continue to improve and make a difference.

For a full drill down on our conversation, please give the accompanying podcast a listen. Here are my key takeaways:

Leveraging richer intel

It was by happenstance that analysts at FireEye, a leading supplier of intrusion detection systems, stumbled into a copy of the Sunburst Trojan ever-so-stealthily embedded in FireEye’s own copy of SolarWinds’ Orion network management software. That was on Dec. 13, 2020.

RSAC insights: ‘SASE’ disrupts networking by meshing security, connectivity at the services edge

By Byron V. Acohido

It’s accurate to say that security has been bolted onto modern business networks.

It also has become very clear that we won’t achieve the full potential of digital transformation without security somehow getting intricately woven into every layer of corporate IT systems.

We’re still a long way from achieving that, but a promising roadmap has emerged. It’s a new model for architecting enterprise IT systems, dubbed Secure Access Service Edge (SASE), a term coined by top security analysts at tech advisory firm Gartner.

I had the chance to visit with Kelly Ahuja, CEO of Versa Networks, a supplier of SASE systems. For a full drill down on our discussion on why SASE could be a game changer, please give a listen to the accompanying podcast. Here are the key takeaways:

Connectivity vs. security

Corporate networks exist to connect users to applications. Traditionally this was done by setting up a datacenter at company headquarters, and having employees enter the building and access applications using company-managed equipment. Thus, local area networks, or LANs, were born.

Then along came wide area networks, or WANs, as a means to securely connect several LANs set up in geographically dispersed branch offices. Over time WANs proved to be expensive and inflexible, so they began to be replaced with software-defined wide area networks, or SD-WANs, which offered heightened data-transfer efficiencies.

However, the first generation of SD-WAN solutions was notable for one key thing: these products were solely focused on improving connectivity and did little to account for security.