
CSO’s Cybersecurity Summit 2021 was conducted virtually from March 16-18. CSO hosted a variety of seasoned security professionals from the private sector and academia to discuss emerging technologies and trends in the industry and where we go from here to combat an ever-changing threat landscape. Here are my top five takeaways from this year’s summit.
1. An Attack Like SolarWinds Will Happen Again
The SolarWinds attack has been in the news quite a bit since it was discovered late last year. To recap the events of this massive breach at a high level, the SolarWinds hackers understood the software supply chain stack and injected malicious code at the source into a SolarWinds “Orion” software update. The update was then propagated to thousands of companies and government agencies downstream beginning last March. This code gave the attackers a backdoor into these organizations’ IT systems, where they were then able to deploy malware and various other techniques to spy on the systems and remain in stealth mode undetected for months. There are approximately 18,000 SolarWinds customers around the world who received the malicious update, including Microsoft, Intel, FireEye, the Department of Homeland Security, the National Nuclear Security Administration, and various state and local government agencies. US intelligence officials believe that the attack was carried out by members of Russian intelligence, who have been successful in breaching US government systems in the past. A highly sophisticated attack with thousands of organizations impacted, it will likely be some time before the full scope of the attack is completely understood. While the private and public sectors continue to assess the damage and put controls in place to better defend against these types of attacks, both sectors agree that an attack like this will happen again.
Jim Routh, former CISO at MassMutual, spoke about the lessons we can take from the SolarWinds attack and put into practice. First and foremost is good identity access management with complex passwords. Additionally, organizations need to be careful with both public and private source code repositories, as these repositories are known supply chain threat vectors. Routh also advocated for what he calls “Workload Runtime Protection,” which can help organizations implement the appropriate solutions to protect against malicious code at the container and workload level. Though this is still an emerging technology, Routh recommends allocating engineering resources and R&D investment dollars now.
Richard Harknett, Chair of the Center for Cybersecurity Strategy and Policy at University of Cincinnati, also touched on what we can do in the aftermath of the SolarWinds attack. While protecting code at the source is an important step, third-party downstream vulnerabilities are a concern as well and thorough due diligence must be performed on third-party vendors. This should include but not be limited to penetration test results, patching and change management policies, access management, and how the organization protects its code and infrastructure. Organizations should also prioritize their vulnerabilities and be willing to compromise efficiency when necessary and spend the money to protect their existential “crown jewel” priorities (e.g. Intellectual Property). Bottom line, it is our civic duty to work for the public good and to continue the collaboration between the private sector, public sector, and academia in order to proactively and securely protect our systems and data.
2. The Rise of Next-Gen Software Supply Chain Attacks
While some speakers addressed the SolarWinds attack specifically, others discussed the rise of these next-generation software supply chain attacks more generally. The CSO Editors’ panel predicts that we will see more supply chain attacks with increased sophistication and frequency, and that attacks on critical infrastructure (which now includes telecom and data centers) will also increase. We have already seen this with the breach of the water system in Pinellas County, FL in February and the cyberattack on the University of Vermont Health Network last fall.
Michelle Dufty and Ax Sharma from Sonatype discussed the current threat landscape in light of the 430% increase in next-gen open source cyberattacks. We must recognize that the threat landscape has changed yet again. Bad actors used to wait until a vulnerability was identified in an open source component and then target the organizations they knew were using it. Now, they inject the malicious code upstream into a component or dependency at the source before the product is even finished and let it flow downstream to organizations and users who feed the global supply chain.
Here are a few tips for protecting against these attacks:
Configure development tools based on namespace - Don’t allow private dependencies to reside in public repositories.
Identify odd behavior at the source - Implement automated malware detection and isolation technology to quarantine and investigate suspicious components.
Know what’s in your code - Utilize a secure processor such as AMD Secure Processor, which will enable you to access the system in secure boot mode and safely look at the source of the components.
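One way to act on the first tip above (keeping private namespaces scoped to a private registry so a build never falls through to a public one for a name that only exists internally), written here as an added Python example rather than code from the summit or from Sonatype. The package.json and .npmrc contents, the `@acme`, `@acme-internal` and `@acme-tools` scopes, and the registry host `npm.internal.example.com` are constructed placeholders; the `@scope:registry=` key is npm's own configuration syntax for routing a scope to a registry.

```python
"""Audit that every dependency in a private npm scope is routed to a private
registry in .npmrc, so a build cannot resolve an internal package name from
the public registry instead.

Added example, not code from the summit or from Sonatype. All inputs below are
constructed samples.
"""
import json
import re

# Constructed stand-in for a project's package.json.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "billing-service",
    "dependencies": {
        "@acme/auth-client": "^2.1.0",
        "@acme/logging": "1.4.2",
        "@acme-internal/billing-core": "^3.0.1",
        "@acme-tools/cli": "^1.2.0",
        "@othercorp/widgets": "^0.3.0",
        "express": "^4.17.1",
    },
    "devDependencies": {
        "@acme/test-utils": "^0.9.0",
        "jest": "^26.6.3",
    },
})

# Constructed stand-in for the project's .npmrc. Note that @acme-internal has
# no scoped registry at all, and @acme-tools is (wrongly) routed to the public one.
SAMPLE_NPMRC = """\
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example.com/
@acme-tools:registry=https://registry.npmjs.org/
//npm.internal.example.com/:_authToken=${NPM_TOKEN}
"""

# Scopes the organization owns and expects to serve only from its private registry
# (assumed list for this example).
PRIVATE_SCOPES = {"@acme", "@acme-internal", "@acme-tools"}

SCOPED_REGISTRY_RE = re.compile(r"^(@[^:\s]+):registry\s*=\s*(\S+)\s*$")


def parse_npmrc(text):
    """Return {scope: registry_url} for every '@scope:registry=' line in .npmrc."""
    scopes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        match = SCOPED_REGISTRY_RE.match(line)
        if match:
            scopes[match.group(1)] = match.group(2)
    return scopes


def scoped_dependencies(package_json_text):
    """Return {package_name: scope} for every dependency that uses an @scope."""
    data = json.loads(package_json_text)
    result = {}
    for section in ("dependencies", "devDependencies",
                    "optionalDependencies", "peerDependencies"):
        for name in data.get(section, {}):
            if name.startswith("@") and "/" in name:
                result[name] = name.split("/", 1)[0]
    return result


def find_unpinned_scopes(package_json_text, npmrc_text, private_scopes,
                         public_registry_hosts=("registry.npmjs.org",)):
    """Return [(package, reason)] for private-scope dependencies that would
    resolve from a public registry: either no scoped registry is configured,
    or the scope is routed to a public host."""
    scope_registries = parse_npmrc(npmrc_text)
    findings = []
    for name, scope in sorted(scoped_dependencies(package_json_text).items()):
        if scope not in private_scopes:
            continue  # third-party scopes legitimately come from the public registry
        registry = scope_registries.get(scope)
        if registry is None:
            findings.append((name, "no scoped registry in .npmrc"))
        elif any(host in registry for host in public_registry_hosts):
            findings.append((name, f"scope routed to public registry {registry}"))
    return findings


if __name__ == "__main__":
    for package, reason in find_unpinned_scopes(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, PRIVATE_SCOPES):
        print(f"{package}: {reason}")
```

Run against the sample inputs, the check reports `@acme-internal/billing-core` (no scoped registry) and `@acme-tools/cli` (scope routed to the public registry), while the correctly pinned `@acme` packages pass. A check like this belongs in CI next to the lockfile so that a new private scope cannot be introduced without a matching registry entry.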
3. Emerging Trends in Identity Security
The expanding attack surface within dynamic environments across sectors has led to increased focus on Identity as a Service. This means adopting a modern identity platform that prevents credential theft, stops lateral and vertical movement, and limits privilege escalation and abuse, whether the organization runs on-prem, in a hybrid cloud, or in a public cloud environment. Two emerging trends in identity security explored during the summit are Zero Trust and passwordless environments.
The Zero Trust security model disabuses us of the notion that we can trust everything inside of an organization’s network by instead operating from the premise, “Never trust, always verify.” Zero Trust architecture must protect not only the traditional full mesh office environment, but also a remote workforce whose numbers have exploded during the pandemic (something I like to call “meta-mesh cybersecurity” if the phrase has not yet been coined). The goal is to ensure that the right user has access to the right applications and the right data through the principle of least privilege.
General Electric’s Global CISO, Jason Acquaro, demonstrated how GE was able to get to Zero Trust with their in-house development of the MyApps Anywhere solution. MyApps Anywhere allows employees to access the GE environment by securely connecting from a company-issued device from any network. It combines multi-factor authentication, device authentication authorization, and dynamic posture validation, all seamless to the users and scalable. Analytics are utilized to identify user behavior and patterns to further protect against data loss. Hardware-based security is also a critical part of Zero Trust. Continuous validation and hardening should be standard practice. Acquaro told us that this was a large-scale and complex project with many use cases to solve for. An undertaking like this is not for the faint of heart, but the end result was worth it! They were able to build a Zero Trust environment without sacrificing convenience for security.
Snowflake recently converted to a passwordless environment. Their VP of IT Security, Mario Duarte, shared his experience working with Beyond Identity to do so. The change to passwordless solved for several problems, including doing away with a 90-day password reset policy that disrupted employee workflows and freeing up helpdesk and support resources to focus on more strategic problems rather than dealing with password issues. Snowflake’s passwordless environment forces authentication only to endpoints that are trusted devices, including BYOD mobile phones, via an IdP token plus MDM verification method. The endpoints must meet all of the system’s passwordless requirements in order to be able to authenticate (e.g., must be AD-joined, have the correct iOS version, TPM chip, IR camera/fingerprint reader, etc.). Duarte indicated that auditors and compliance seemed to be fine with the company’s use of the passwordless environment once the controls were explained to them. Duarte also said that overall, both executives and employees are happy with the change, as going passwordless has made things easier for everyone.
4. A Call for Open Standards
A call for open security was made by Jason Keirstead, Engineer & CTO, Threat Management at IBM Security. The current state of cybersecurity is unsustainable – there is too much work, too many vendors, too much complexity, and too many alerts. Security tools for hybrid and multi-cloud environments are inconsistent and there is still a need to build more robust industry standards. Keirstead advocates for utilizing open technology in order to learn from our predecessors and collaborate more efficiently to protect our applications, data, and infrastructure. This open security model should be community led, develop open standards for interoperability, value expertise, and foster innovation. Shared data, user experience, and transparency through open security standards will provide security practitioners with faster and more consistent information about threat trends and accelerate innovation in the field through collaboration as well as standardize security tools across sectors. More information about open security can be obtained through the Open Security & Safety Alliance.
5. Cybersecurity is Not Just an IT Problem
Ransomware is expected to attack a business every 11 seconds and cost as much as $20 billion globally by the end of 2021. Social engineering and spear phishing emails are an enormous threat vector, showing us that cybersecurity is not just an IT problem, but a business problem. In fact, the Code42 2021 Data Exposure Report states that 80% of data breaches are attributed to insider risk, either through unknown breaches, leaks, or data exposure, all of which are at an increased risk with the shift to a remote workforce during the pandemic. Companies must commit to creating a "Risk Aware Culture" by instituting company-wide security and awareness training and helping employees understand which security controls are in place for their workflow and why. Mandatory cybersecurity training and periodic phishing tests should be conducted on a continuous basis and keep up with trends so that users understand the threat landscape and know how to protect themselves and the organization against it. Additionally, an Insider Risk Management (IRM) approach that puts automated controls in place to monitor all data, access, and user behavior patterns is key to mitigating risk from both accidental exposure due to user error (insider risk) as well as any threats due to bad actors within the organization (insider threat). Prioritizing, investing in, and executing the appropriate cybersecurity initiatives starts at the top of the organization, but ultimately creating a Risk Aware Culture and getting all employees on board with security awareness is half the battle to protecting your organization.