Cybersecurity

Sometimes sticking to the basics is the best approach. That’s what CISOs say they will focus on as their priorities in the second half of 2022.

“Regardless of everything else happening in the world, and all the latest shiny baubles in security, it's important to maintain the basics,” said Jon Davis, CISO at Oomnitza.

Those basics include single sign-on, endpoint protection, proper patching, security awareness and training, encryption, and multifactor authentication. 

The reason for making standard security best practices a priority is simple: when you take the easy stuff for granted, Davis said, it opens the door for risks. 

Size matters

In companies with 50-1,000 employees, CISOs considered security hygiene the most critical security priority according to a study by Forgepoint Capital.

The priority is born of resource constraints. These organizations typically lack the budgets to build layers of backups or failovers, according to the report. 

This differed from the smallest organizations, which emphasize talent development and social engineering awareness. Enterprise-scale organizations have prioritized incident response and digital transformation. 

Humans in SMBs play a much more vital role in the organization’s overall security posture than they do in the enterprise. Smaller companies don’t have the budgets available for some of the more sophisticated security systems that large companies bring in. 

That puts the onus on human behavior to keep the network secure. That includes putting more emphasis on security hygiene, such as cyber awareness education to avoid phishing attacks, or encouraging regular use of MFA and better password management. 

Cybersecurity leaders, like all business leaders, want to tackle priorities with an eye toward cost-saving measures. Meanwhile the threat landscape is constantly changing. 

“Right now, my team and I are sticking to basics and working to advance security without having to make more significant investments or add tooling,” said Ryan Davis, CISO at NS1. 

“As the year progresses, we look at our roadmap about where the business operates and what is achievable given the overall economic climate,” Davis said. 

The hybrid workforce

As the world continues to adjust to life with COVID-19, more companies are requiring their employees to return to the office, at least part time. 

The return dates for many of the largest organizations have been fluid, shifting as positive cases rise and fall. Securing the hybrid workforce is an issue that CISOs are prioritizing, especially as they see this as a long-term, if not permanent, work model. 

While many companies are turning to zero trust as a way to offer security for a hybrid workforce, Jason Lee, CISO at Zoom, admitted there is no one-true definition of zero trust. So CISOs are charged with finding the zero trust solution that will work for them. 

Lee’s approach is to protect the person and their devices, no matter where they are. “It’s an end user security strategy that I want to reinforce,” said Lee. 

In tandem, one of Lee’s priorities as a CISO is to come up with ways to better enable his business to work in this new environment. 

One security solution he is pursuing is getting rid of passwords. No one likes passwords, and they open up the company to too many risks. Lee’s favorite approach is to leverage a hard token combined with a biometric, which will offer a secure MFA option (and gives users no choice but to use a second authentication tool) no matter where the user is located.

Engaging leadership

More than 60% of security leaders don’t believe their efforts are fully supported by their organization’s board of directors, according to research by Encore. The same study also found that C-suite leadership doesn’t like to talk about cybersecurity until a data breach occurs. Bringing this leadership on board with cybersecurity issues is a top priority for CISOs as 2022 continues. 

The good news, said Davis, is that leadership is being very responsive to security findings and prioritizing them appropriately. “They are investing wisely into security and security products.”

The government might be pushing this relationship building higher on the priority list. An Executive Order from the Biden administration directs government agencies and all organizations to improve information sharing and take steps to become more cyber resilient. This will require better communication between leadership and CISOs.

At Zoom, Lee is already working on this priority. His company has formed a cyber committee within the board. Lee engages with this committee with a 90-minute meeting quarterly and has regular ad hoc meetings to discuss the latest threats and other security-related concerns. 

Engaging coworkers to meet priority goals

Having security priority goals may help CISOs plan their strategies, but if everyone in the company doesn’t buy in, they likely won’t succeed. That’s why encouraging a proactive partnership for company-wide security is a top goal for Davis. 

To achieve this goal, communication with staff may need to be reframed as “security needs your help to succeed” rather than “security is here to stop you from making mistakes.” 

“This kind of communication is critical to make sure everyone in the company understands their role in achieving our security goals,” said Davis. 

The goal of security priorities is to protect the business from risk. CISOs may set the priorities, but it is up to everyone, from the board of directors to the front-desk receptionist, to make sure those priorities are achieved to meet the No. 1 goal: a successful business. 

Log4j, despite its prevalence and difficulty to find, was exploited at lower levels than experts predicted when it was disclosed in December 2021, the Cyber Safety Review Board said in a post-mortem incident report released Thursday. Secretary of Homeland Security Alejandro Mayorkas delivered the report to President Joe Biden. 

Yet, Log4j is an "endemic vulnerability," likely to persist for years or even decades, the review board said. "The Log4j event is not over." 

Mitigating the vulnerability sucked up resources and contributed to burnout, the report said. As an example of the sheer time investment, one federal cabinet department spent 33,000 hours responding to Log4j across its networks. 

Log4j, which the review board exemplified as a "once-in-a-generation security event," is a perfect storm for businesses. The short line of code that comprises the Java-based logging utility nestles into open source software, making it hard to track.

The vulnerability made it easy for threat actors to take control of compromised systems, and, since it was so difficult to spot without a comprehensive Log4j "customer list," organizations struggled to identify and remediate it, according to the board. 

What made the vulnerability particularly disruptive is that a third party disclosed the flaw before the Apache Software Foundation, which supports Log4j, could create a fix, the review board said. A race between threat actors and companies to exploit or fix the vulnerability ensued.  

Log4j highlighted how the open source community, often composed of volunteers, has inherent risks stemming from resource constraints. In response, the board called for public and private sector stakeholders to create a hub of centralized resources to better support the open source community. 

The board's recommendations echo what the security industry has taken up as a battle cry in the last year: the software industry needs to change to create a better model of vulnerability management.

The problem is, reworking the technology ecosystem will require long-term changes and investments in people and technology. But companies, at a time where people pay a premium for innovation, cannot slow their development. 

Industry is trying, however. Technology companies have pledged $150 million in the next two years to help shore up open source security. The review board, which the Department of Homeland Security launched in February, is an example of a public-private partnership built to review and assess significant security events, offering recommendations for how the public can respond. The Log4j report marks the board's first published security incident review.  

Cyberattacks are a fact of life. Every organization — in fact, anyone with an internet account — has been targeted in some manner, from a phishing email to DDoS website attacks to malicious account takeovers. 

Just as a company purchases insurance to protect from physical theft and other potential loss and damages, organizations need to add protection against the financial aftermath of a cyberattack. 

However, before an organization can purchase cyber insurance, it needs to meet certain criteria. 

"Insurers want to know there is an organized and proactive effort to manage cybersecurity risk," said Travis Wong, VP of risk engineering and security services at cyber insurance provider Resilience.

While insurers may not ask potential clients about specific technology or processes, insurers do want to know how existing technology and internal standards are leveraged in pursuit of an effective risk management effort. 

Claim payouts are costly

Data breaches and other cyber incidents are expensive to insure. The average cost to the insurer for a cyber incident for small and medium businesses (SMBs) is $145,000, according to NetDiligence's Cyber Claims Study 2021 Report, which analyzed incidents that occurred between 2016 and 2020. For large companies, the cost jumps to $10 million. 

Ransomware mitigation costs are even higher, at $256,000 and $16.6 million respectively. 

An analysis of almost 6,000 claims in this year's study showed just how much cyberthreats have increased in recent years, and those attacks are increasing no matter the industry sector or size of the business, according to research from data security and privacy law firm Beckage, included in the NetDiligence report.

In tandem with the rising costs of payouts comes significant rate increases.

On average, cyber insurance rates rose by 89% in the fourth quarter of 2021, according to Risk Strategies' State of the Market 2022 Report. That trend is expected to continue into 2022, which is why insurers are putting a greater emphasis on risk management.

The insurance industry has been under increased pressure amid concerns the Ukraine war and the in prevalence of ransomware will lead to a surge in claims. Nation-state threat actors and criminal ransomware groups have stepped up threat activity targeting critical infrastructure providers, financial organizations and other targets in the U.S. and Europe.

"Most insurance requirements still fall into basic cybersecurity measures, what one would expect every company operating online to have in place," said Jack Kudale, founder and CEO of Cowbell Cyber, which provides cyber insurance for small- to medium-sized enterprises. At minimum, those measures include: 

• Multifactor authentication (MFA)
• Backup
• Incident response plan
• Patching 
• Cyber awareness training for employees

Top concerns for cyber insurers

Proving a client has a secure backup system is a top priority as ransomware is expected to remain a top threat through 2022 and beyond. 

"Cyber insurers are, hands down, most worried about ransomware, especially since doxing has become common. It is the perfect storm for an attack," said Shawn Melito, chief revenue officer at BreachQuest, a digital forensics and incident response provider.

In the midst of a ransomware attack, which can impede operations, businesses may need to: 

• Pay a ransom
• Call in forensics
• Rebuild systems
• Consult PR
• And send breach notifications to clients, regulators, patients or customers. 

The list of costs surrounding a ransomware attack is seemingly endless, expensive for the the insurer and the client. 

But if organizations (and insurers) get caught up on ransomware, they tend to miss other weaknesses that could turn into costly problems. 

"Theft of credentials either through phishing or unprotected assets exposed publicly on the internet remains the predominant approach for cyber criminals to launch an attack," said Kudale. It's why cyber insurers will focus on whether or not cybersecurity best practices are in place.

What insurers want from clients

A cyber insurer's requests are closely aligned with cybersecurity industry best practices. 

"Companies that have been in tune with cyber events and have proactively matured their security programs are ideal insurance partners," said Wong. 

These companies use cyber insurance requirements to build their investment in cybersecurity and also use those requirements as a way to build a compelling business case to convince decision makers and boards of directors of the importance of a strong cybersecurity program. 

As with all cybersecurity systems and insurance options, there is no one-size-fits-all set of requirements.

"In my experience speaking with carriers and observing the approaches some have taken, the focus also depends on the size/maturity of the organization and the types of organizations that the carrier covers," said Melito.

That's because threat actors are able to pinpoint their attacks so well that it is now very rare if they infect random organizations. 

"Regularly now, not only does the attacker know who they have on the hook but have done reconnaissance both online and within the victim's own system to find out exactly how much they can extort from the organization," said Melito.

That ability to pinpoint assets so precisely means threat actors know where the big payoffs are, so they want businesses with the most valuable assets. Sometimes this is determined by business size, but just as often as by industry. These companies will be subjected to more thorough reviews of their security systems and be held to more stringent demands by cyber insurers. 

If companies have a good security system already in place and are willing to take the steps needed to meet the demands, cyber insurers are willing to develop a partnership.

"However, there are still many companies that have not worked to mitigate their cybersecurity risk, which has resulted in difficulty obtaining favorable insurance risk transfer solutions for these organizations," said Wong.

Those are the companies who find obtaining cyber insurance is much more work and much more costly than they planned.

CIOs understand the threat of cyberattacks, but some still are not making the organizational changes to mitigate risk, research from Coleman Parkes sponsored by Venafi shows.

Of the 1,000 CIOs surveyed, 95% said their information security teams have authority over the security controls required to protect software supply chains. But almost one-third of the information security teams do not hold the power to carry out the policies they recommend, according to the report.

The board or CEO instructed nearly nine in 10 CIOs to improve the security of software development.

Software supply chain vulnerabilities command more CIO attention following a series of highly publicized compromises, from SolarWinds to Log4j. These attacks wrangled the attention of the board, leading to larger risk appetites and, of course, more responsibility.

Eight in ten CIOs surveyed believe software supply chain attacks could impact their company, according to the report. 

This security awareness from the highest levels of the company has led CIOs to execute specific strategies to combat vulnerabilities. Over half of CIOs have implemented more security controls and of code signing. Almost half of CIOs are looking at the origin of their open source libraries. 

Despite these initiatives, the root of the problem is grounded in the relationship, communication and collaboration — or lack thereof — between information security and development teams. 

“You still, unfortunately, have organizations where you've got a very dysfunctional relationship. Management hasn't communicated to development the importance and the need for security,” Dale Gardner, a senior director and analyst at Gartner, said. “Maybe security's not taking an appropriate approach to development.”

The divide between the two teams can have critical implications, the report found. Information security teams have little insight into how to approach securing vulnerable supply chains because they don’t have adequate knowledge of what the software engineering teams are doing.

As threats continue to target foundational aspects of software development, communication and collaboration must do the same in order to properly secure each piece of code.

“For CIOs, I think one of the most important things that they can do is [be] the vocal supporter of security efforts,” Gardner said.

Major technology companies are becoming faster at fixing security vulnerabilities, incentivized to close gaps for customers.

Vendors took an average of 52 days to fix security vulnerabilities in 2021, down from 80 days three years ago, data from Google's Project Zero show. 

Between 2019 and 2021, Apple fixed 87% of its bugs in 90 days; Microsoft fixed 76% in the same period. 

"The tech community is getting faster at fixing discovered security issues for a variety of reasons, including advancing DevOps and CI/CD technological advancements, adopting bug bounty programs into the mainstream, embracing open source platforms' security issue tracking, and Project Zero making an impact," said Eylam Milner, director, Argon Technology with Aqua Security.

There is a caveat to this progress. The largest tech companies handle their bug bounty programs differently than smaller or lesser-known companies.

"Companies such as Microsoft, Facebook, Oracle, Mozilla, and Linux are very different in the way they operate, let alone handle security issues, than most software vendors and open source projects," Milner said. 

While the average time to fix a vulnerability has gone down, that could be a bit misleading based on the companies involved. On the other hand, trends like this often have a trickle-down effect that is making a positive impact across the tech industry at large.

"When a large tech company (e.g., Facebook) is forced to fix a security issue in 90 days, this puts the company in a position to innovate with in-house organizational structure, engineering culture, and even new technology solutions," said Milner.

The engineering community at large often mimics big tech innovators, moving forward the way the entire community handles security issue fixing.

Tech companies can only do so much

While the tech industry is getting better at remediating vulnerabilities in a more timely manner, the need to fix problems is not trickling down to the organizations using the software. If a customer lacks urgency in deploying a patch, a flaw can linger. 

Even though members of the security community evangelize the importance of defined security patching processes and procedures as part of an overall security policy, there is still a knowledge gap, according to Matt Carpenter, senior principal security researcher with GRIMM. 

"One of the core components of a good security policy is knowing what technologies/assets your organization maintains, and having regular patching intervals, processes and written procedures," Carpenter said. 

Although companies realize the value of automated updates and regular automated checks and reports for out-of-date machines, less-security mature companies fall behind.

How tech can improve efforts to fix bugs and encourage patching

No matter how good tech companies have become at assessing vulnerabilities, there is always room for improvement. Adding automated application security solutions is key for diving deeper into vulnerability assessment and remediation. 

"It's impossible for software consumers and vendors to handle a large amount of security risk in large codebases without an automated process for detection, remediation and prevention," said Milner. 

The next step is to teach organizations to partner with trusted security companies in a long-term strategy, which helps reduce both risk and cost in the long term.

"For example, each organization should have a Security Architecture Review or similarly Threat And Risk Assessment (TARA) from a trusted and knowledgeable external security company," said Carpenter.

While informative, for assessments to add the most value, organizations should put together an internal security team with a top executive onboard, such as a CSO, CIO or CTO, to act as a liaison with the external assessment group. 

This ensures assessment findings are communicated throughout the company and the necessary remediation steps can happen. 

It's important to have clear strategies for both addressing general asset management, according to Daniel Trauner, senior director of security with Axonius.

"Without an asset management strategy, you might not even be aware that there's a patch to apply," Trauner said.

And if patches aren't applied in a timely manner, the quick remediation time of vulnerability remediation by tech companies won't do much good to prevent attacks

Cybersecurity is the leading obstacle for expanded cloud and multicloud adoption, the top concern for more than two-thirds of IT leaders, according to a study released by Confluera. The company commissioned a survey of 200 IT leaders and medium and large organizations, using an independent research firm. 

IT teams spend over half of their time investigating cybersecurity alerts, however more than half of these alerts are either false alarms or otherwise considered benign threats, according to the report. 

The increased demand for cloud deployments due to remote work, coupled with the heightened pressure on IT security teams amid record job resignations, has led to increased fatigue and job burnout.

Organizations have raised security concerns when they expand the number of cloud deployments. The reliance on a multicloud environment, using some combination of infrastructure as a service (IaaS) providers, including Google Cloud, Amazon Web Services or Microsoft Azure, complicates the security dynamic. 

The report shows 97% of IT leaders are expanding cloud adoption at their organizations as part of internal strategy. Meanwhile, almost 70% of respondents were concerned about consistent security coverage when operating across different cloud platforms.

2021 represented the first full year for many companies in terms of supporting a newly remote workforce, according to Confluera CEO John Morgan. Many IT security officials expected to focus on securing remote devices and insecure network connections, Morgan said. 

"The reality is that IT professionals spend the most time and are most burdened by the adoption of cloud services, which is more of a backend infrastructure," Morgan said via email.

Prior research studies illustrate the complexity of securing a remote workforce, as well as an increasing visibility gap inside of cloud infrastructures. 

A 2020 buyer survey from Gartner showed more than three-quarters of organizations were adopting a multicloud infrastructure. But different providers supporting different sets of policies makes it difficult for many companies to create a consistent security posture, an October 2021 technology trends report from Gartner shows.

"The biggest challenge around the security of multicloud for enterprises is that all cloud providers and services are not providing the same levels of maturity in their features," said Patrick Hevesi, research VP at Gartner. "Then when you factor in large numbers of cloud apps, the complexity of trying to map and secure each of them is overwhelming for the security team."

The increase in rate and severity of cyberattacks has highlighted the disconnect between security leaders and the business they serve. 

To help bridge security gaps across operations, more businesses are looking to decentralize cybersecurity leadership. A decentralized approach allows employees to implement security strategies into everyday operations, which can speed response and hopefully prevent attacks.

The change is "being driven by necessities — the increased sophistication of cybersecurity threats, larger attack surfaces, etc.” said Ron Westfall, senior analyst and research director at Futurum Research. “I think we do need to see tighter implementation of organization-wide, decentralized cybersecurity policies that are driven by the entire C-suite.”

But this shift does not spell the end of the CISO role. The idea is that with cybersecurity leadership spread out, employees can make risk-informed decisions while meeting enterprise needs. 

Gartner found nearly eight in 10 employees would bypass security policies to reach enterprise goals. In return, only one in 10 CISOs trust employees to make informed security decisions independently. 

The goal with decentralization "is to be more embedded into the business, as opposed to only having a centralized security group that may be, at times, far removed from individual business lines, especially for larger organizations,” said William Candrick, a director analyst for Gartner.

However, this means that CIOs will be managing cybersecurity employees across business operations, straining the already delicate communication channels. 

“I would say that is a cost to pay essentially for better cybersecurity implementation at a localized level,” said Candrick.

One way to mitigate this cost is to implement centers of excellence (CoEs). CoEs provide an outlet for better communication and connectivity for the expanding cybersecurity employees.

Another solution is to improve cyber judgment. 

“Our clients take a broad array of approaches to improve cyber judgment,” Candrick said. “This includes turning security policies into self-serve tools, using trust scores to evaluate and improve cyber judgment and embedding cyber risk guidance into existing business workflows.”

Westfall said he suspects that the decentralized approach will pick up momentum as organizations become more familiar with cloud platforms and using more “intelligent” policies.

“They can actually meet this challenge and have more peace of mind at the end of the day, even though they’re transitioning away from their more traditional security approaches,” said Westfall.

Make no mistake, it was all about the cloud.

Mandiant's $5.4 billion price tag was chump change for Google's parent Alphabet, with a stock market value of $1.7 trillion. The acquisition of one of America's leading cybersecurity companies was a cloud play in a race that Google's been losing. 

Google's 10% share of the cloud infrastructure services market trails Microsoft Azure's 21%, and is dwarfed by Amazon Web Services' 33%, according to Synergy Research Group. 

The triumvirate rakes in increasing sums of the $178 billion market to store and protect data for companies around the world. 

Security is just part of the sale's pitch. 

"Let's face it, Google's in a sort of a death race with AWS and Azure in terms of cloud supremacy, right," said Garrett Bekker, a principal research analyst with S&P Global's 451 Research. "To some extent, security is a tool that helps them get there more than an end in and of itself."

Google's gobbling up of Mandiant is the latest in a sector feeding frenzy. There were more than 200 M&A deals last year, with aggregate disclosed deal valuations exceeding $55 billion. In the past five years, there were more than 1,000 cybersecurity M&A deals, data from CB Insights show. 

This week recorded a $616.5 million acquisition, with SentinelOne's plans to add Attivo Networks' identity security to its XDR suite. 

In addition, private equity investors injected almost $27 billion — about $41 million on average — into 823 companies last year, more than double the investment the prior year.

What's curious is who has the appetite and why. 

Of the top 25 M&A deals with disclosed valuations in the past five years, 13 were from private equity and one was venture capital, CB Insights data show. The priciest: a private equity group's $14 billion purchase of McAfee and Thoma Bravo's $12.3 billion deal for Proofpoint. 

But 11 of the acquisitions were shrewd bids from companies buying more innovative and nimble security companies to fortify their toolboxes. Cisco's $2.35 billion purchase of Duo Security in 2018, is a prime example.

There are more than 4,000 cybersecurity companies today, quadruple the number five years ago when 451's Bekker began counting. 

"There's an argument to be made that there's just way too many security vendors," Bekker said. "To some extent it's sort of a natural culling."

Mandiant was ripe for acquisition. The threat intelligence and incident response firm takes center stage in the most high-profile threats — it was the company that found the SolarWinds hack in 2020. It's a boutique firm and the demand is so great, Mandiant has to turn clients away. It saves its resources for the most sensitive of cases, like the Colonial Pipeline ransomware attack last year. 

Once it sold its FireEye products division last fall, it sharpened its incident response focus, but analysts questioned the amount of money Mandiant would have to invest in R&D to compete against larger competitors. Mandiant and Google declined to comment beyond what was already publicly shared.

Melding with Google takes away that concern. Fueled by Google's prowess in analytics, data and AI, the potential for automation Mandiant insights would be a boon for the average firm trying to shore up their security gaps. 

"What people want to buy is confidence," said Peter Firstbrook, VP analyst at Gartner.

"You can't just sell products anymore. It's not enough to just sell software," he said. "You have to sell with it the people that can get the job done because most buyers, they don't even have time to test anything, let alone operationalize it and maintain it." 

Recent data from Panaseer shows companies manage 76 separate security tools on average, up from 64 tools in 2019, according to a survey of 1,200 senior security leaders. 

Mandiant and Google would provide a happy marriage, capitalizing on the security vendors' operational knowledge and understanding of key threat signals. That, combined with Google's data and cloud experience makes for a big opportunity, he said.

But brain drain is one of the primary risks in any acquisition, as key personnel flee or are poached.

"Cloud consolidated infrastructure to deliver economies of scale on computing infrastructure," Firstbrook said. "Mandiant is consolidating the brainpower necessary to run that or secure that into a central location for economies of scale."

The deal is expected to close later this year. Cybersecurity Dive will follow the integration and the race for cloud supremacy.