Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies.
Nobelium—the name Microsoft gave to the intruders—was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group’s proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium’s numerous feats—and a few mistakes—as it continued to breach the networks of some of its highest-value targets.
One of the things that made Nobelium so formidable was the creativity of its TTPs, hacker lingo for tactics, techniques, and procedures. Rather than breaking into each target one by one, the group hacked into the network of SolarWinds and used the access, and the trust customers had in the company, to push a malicious update to roughly 18,000 of its customers.
The new campaign came only months after President Biden imposed sanctions on Moscow in response to a series of spy operations it had conducted around the world.
Back when Stairwell emerged from stealth in 2020, the startup was shrouded in secrecy. Now with $20 million in Series A funding, its founder and CEO Mike Wiacek — who previously served as chief security officer at Chronicle, Google’s moonshot cybersecurity company — is ready to talk.
As well as raising $20M, an investment round co-led by Sequoia Capital and Accel, Stairwell is launching Inception, a threat hunting platform that aims to help organizations determine if they were compromised now or in the past. Unlike other threat detection platforms, Inception takes an “inside out” approach to cybersecurity, which starts by looking inwards at a company’s data.
“This helps you study what’s in your environment first before you start thinking about what’s happening in the outside world,” Wiacek tells TechCrunch. “The beautiful thing about that approach is that’s not information that outside parties, a.k.a. the bad guys, are privy to.”
This data, all of which is treated as suspicious, is continuously evaluated in light of new indicators and new threat intelligence. Stairwell claims this enables organizations to detect anomalies within just days, rather than the industry average of 280 days, as well as to “bootstrap” future detections.
“If you go and buy a threat intelligence feed from Vendor X, do you really think that someone who’s spending hundreds of thousands, or even millions of dollars to conduct an offensive campaign isn’t going to make sure that whatever they’re using isn’t in that feed?” said Wiacek. “They know what McAfee knows and they know what other antivirus engines know, but they don’t know what you know, and that’s a very powerful advantage that you have there.”
Stairwell’s $20 million in Series A funding, which comes less than 12 months after it secured $4.5 million in seed funding, will be used to further advance the Inception platform and to increase the startup’s headcount; the Palo Alto-based firm currently has a modest headcount of 21.
The Inception platform, which the startup claims finally enables enterprises to “outsmart the bad guys”, is launching in early release for a limited number of customers, with full general availability scheduled for 2022.
“I just wish we had a product to market when SolarWinds happened,” Wiacek added.
In recent years, the private sector has been spurning proprietary software in favor of open source software and development approaches. For good reason: The open source avenue saves money and development time by using freely available components instead of writing new code, enables new applications to be deployed quickly and eliminates vendor lock-in.
The federal government has been slower to embrace open source, however. Efforts to change are complicated by the fact that many agencies employ large legacy IT infrastructure and systems to serve millions of people and are responsible for a plethora of sensitive data. Washington spends tens of billions every year on IT, but with each agency essentially acting as its own enterprise, decision-making is far more decentralized than it would be at, say, a large bank.
While the government has made a number of moves in a more open direction in recent years, the story of open source in federal IT has often seemed more about potential than reality.
But there are several indications that this is changing and that the government is reaching its own open source adoption tipping point. The costs of producing modern applications to serve increasingly digital-savvy citizens keep rising, and agencies are budget constrained to find ways to improve service while saving taxpayer dollars.
Sheer economics dictate an increased role for open source, as do a variety of other benefits. Because its source code is publicly available, open source software encourages continuous review by others outside the initial development team to promote increased software reliability and security, and code can be easily shared for reuse by other agencies.
Here are five signs I see that the U.S. government is increasingly rallying around open source.
More dedicated resources for open source innovation
Two initiatives have gone a long way toward helping agencies advance their open source journeys.
18F, a team within the General Services Administration that acts as consultancy to help other agencies build digital services, is an ardent open source backer. Its work has included developing a new application for accessing Federal Election Commission data, as well as software that has allowed the GSA to improve its contractor hiring process.
18F — short for GSA headquarters’ address of 1800 F St. — reflects the same grassroots ethos that helped spur open source’s emergence and momentum in the private sector. “The code we create belongs to the public as a part of the public domain,” the group says on its website.
Five years ago this August, the Obama administration introduced a new Federal Source Code Policy that called on every agency to adopt an open source approach, create a source code inventory, and publish at least 20% of written code as open source. The administration also launched Code.gov, giving agencies a place to locate open source solutions that other departments are already using.
The results have been mixed, however. Most agencies are now consistent with the federal policy’s goal, though many still have work to do in implementation, according to Code.gov’s tracker. And a report by a Code.gov staffer found that some agencies were embracing open source more than others.
Still, Code.gov says the growth of open source in the federal government has gone farther than initially estimated.
A push from the new administration
The American Rescue Plan, a $1.9 trillion pandemic relief bill that President Biden signed in early March 2021, contained $9 billion for the GSA’s Technology Modernization Fund, which finances new federal technology projects. In January, the White House said upgrading federal IT infrastructure and addressing recent breaches such as the SolarWinds hack was “an urgent national security issue that cannot wait.”
It’s fair to assume open source software will form the foundation of many of these efforts, because White House technology director David Recordon is a long-time open source advocate and once led Facebook’s open source projects.
A changing skills environment
Federal IT employees who spent much of their careers working on legacy systems are starting to retire, and their successors are younger people who came of age in an open source world and are comfortable with it.
About 81% of private sector hiring managers surveyed by the Linux Foundation said hiring open source talent is a priority and that they’re more likely than ever to seek out professionals with certifications. You can be sure the public sector is increasingly mirroring this trend as it recognizes a need for talent to support open source’s growing foothold.
Stronger capabilities from vendors
By partnering with the right commercial open source vendor, agencies can drive down infrastructure costs and more efficiently manage their applications. For example, vendors have made great strides in addressing security requirements laid out by policies such as the Federal Information Security Modernization Act (FISMA), Federal Information Processing Standards (FIPS) and the Federal Risk and Authorization Management Program (FedRAMP), making compliance easier to deal with.
In addition, some vendors offer powerful infrastructure automation tools and generous support packages, so federal agencies don’t have to go it alone as they accelerate their open source strategies. Linux distributions like Ubuntu provide a consistent developer experience from laptop/workstation to the cloud, and at the edge, for public clouds, containers, and physical and virtual infrastructure.
This makes application development a well-supported activity: vendors offer 24/7 support, giving agencies access to enterprise support teams through web portals, knowledge bases or by phone.
The pandemic effect
Whether it’s accommodating more employees working from home or meeting higher citizen demand for online services, COVID-19 has forced large swaths of the federal government to up their digital game. Open source allows legacy applications to be moved to the cloud, new applications to be developed more quickly, and IT infrastructures to adapt to rapidly changing demands.
As these signs show, the federal government continues to move rapidly from talk to action in adopting open source.
Who wins? Everyone!
The May 2021 executive order from the White House on improving U.S. cybersecurity includes a provision for a software bill of materials (SBOM), a formal record containing the details and supply chain relationships of various components used in building a software product.
An SBOM is the full list of every item that’s needed to build an application. It enumerates all parts, including open-source software (OSS) dependencies (direct), transitive OSS dependencies (indirect), open-source packages, vendor agents, vendor application programming interfaces (APIs) and vendor software development kits.
Software developers and vendors often create products by assembling existing open-source and commercial software components, the executive order notes. It’s useful to those who develop or manufacture software, those who select or purchase software and those who operate the software.
As the executive order describes, an SBOM enables software developers to make sure open-source and third-party components are up to date. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. And those who operate software can use SBOMs to quickly determine whether they are at potential risk of a newly discovered vulnerability.
“A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration,” the executive order says. “The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM and using it to analyze known vulnerabilities are crucial in managing risk.”
An SBOM is intrinsically hierarchical. The finished product sits at the top, and the hierarchy includes all of its dependencies providing a foundation for its functionality. Any one of these parts can be exploited in this hierarchical structure, leading to a ripple effect.
Not surprisingly, given the potential impact, there has been a lot of talk about the proposed SBOM provision since the executive order was announced, particularly within the cybersecurity community. Any time there are attacks such as the ones against Equifax or SolarWinds that involve software vulnerabilities being exploited, there is renewed interest in this type of concept.
Clearly, the intention of an SBOM is good. If software vendors are not upgrading dependencies to eliminate security vulnerabilities, the thinking is we need to be able to ask the vendors to share their lists of dependencies. That way, the fear of customer or public ridicule might encourage the software producers to do a better job of upgrading dependencies.
However, this is an old and outmoded way of thinking. Modern applications and microservices use many dependencies. It’s not uncommon for a small application to use tens of dependencies, which in turn might use other dependencies. Soon the list of dependencies used by a single application can run into the hundreds. And if a modern application consists of a few hundred microservices, which is not uncommon, the list of dependencies can run into the thousands.
If a software vendor were to publish such an extensive list, how will the end users of that software really benefit? Yes, we can also ask the software vendor to publish which of the dependencies is vulnerable, and let’s say that list runs into the hundreds. Now what?
Clearly, having to upgrade hundreds of vulnerable dependencies is not a trivial task. A software vendor would be constantly deciding between adding new functionality that generates revenue and allows the company to stay ahead of its competitors versus upgrading dependencies that don’t do either.
If the government formalizes an SBOM mandate and starts to financially penalize vendors that have vulnerable dependencies, then given the complexity of upgrading dependencies, software vendors might well choose to pay the fines rather than risk losing revenue or competitive advantage in the market.
Revenue drives market capitalization, which in turn drives executive and employee compensation. Fines, as small as they are, have negligible impact on the bottom line. In a purely economic sense, the choice is fairly obvious.
In addition, software vendors typically do not want to publish lists of all their dependencies because that provides a lot of information to hackers and other bad actors as well as to competitors. It’s bad enough that cybercriminals are able to find vulnerabilities on their own. Providing lists of dependencies gives them even more possible resources to discover weaknesses.
Customers and users of the software, for their part, don’t want to know all the dependencies. What would they gain from studying a list of hundreds of dependencies? Rather, software vendors and their customers want to know which dependencies, if any, make the application vulnerable. That really is the key question.
Prioritizing software composition analysis (SCA) ensures that when dependencies are analyzed in the context of an application, the dependencies that make an application vulnerable can be dramatically reduced.
Instead of publishing a list of 1,000 dependencies, or 100 that are vulnerable, organizations can publish a far more manageable list in the single digits. That is a problem that organizations can much more easily deal with. Sometimes a software vendor can fix an issue without having to upgrade the dependency. For example, it can make changes in the code, which is not always possible if we are merely looking for the list of vulnerable dependencies.
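As an added illustration of the distinction drawn above, between every vulnerable dependency an SBOM lists and the ones the shipped product actually pulls in, here is a small Python walk over a constructed CycloneDX-style SBOM. This is example code written for this page, not from the executive order or any vendor; the product, package names, versions and advisory ids are constructed placeholders, and "reachable in the dependency graph" stands in for the deeper code-level analysis a real SCA tool performs.

```python
"""Separate 'all vulnerable dependencies' from 'vulnerable dependencies the
product actually reaches' by walking an SBOM's dependency graph."""
from collections import deque

# Constructed sample SBOM (not a real product). It mirrors the CycloneDX shape:
# a flat component list plus a dependency graph keyed by bom-ref.
SAMPLE_SBOM = {
    "metadata": {"component": {"bom-ref": "pkg:app/webshop@2.1.0", "name": "webshop"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.25.1", "name": "requests", "version": "2.25.1"},
        {"bom-ref": "pkg:pypi/urllib3@1.26.4", "name": "urllib3", "version": "1.26.4"},
        {"bom-ref": "pkg:pypi/certifi@2020.12.5", "name": "certifi", "version": "2020.12.5"},
        {"bom-ref": "pkg:pypi/pyyaml@5.3", "name": "pyyaml", "version": "5.3"},
        # Present in the build environment (e.g. carried along in a lockfile)
        # but never wired into the product's dependency graph.
        {"bom-ref": "pkg:pypi/oldtool@0.1", "name": "oldtool", "version": "0.1"},
    ],
    "dependencies": [
        {"ref": "pkg:app/webshop@2.1.0",
         "dependsOn": ["pkg:pypi/requests@2.25.1", "pkg:pypi/pyyaml@5.3"]},
        {"ref": "pkg:pypi/requests@2.25.1",
         "dependsOn": ["pkg:pypi/urllib3@1.26.4", "pkg:pypi/certifi@2020.12.5"]},
        {"ref": "pkg:pypi/urllib3@1.26.4", "dependsOn": []},
        {"ref": "pkg:pypi/certifi@2020.12.5", "dependsOn": []},
        {"ref": "pkg:pypi/pyyaml@5.3", "dependsOn": []},
        {"ref": "pkg:pypi/oldtool@0.1", "dependsOn": ["pkg:pypi/urllib3@1.26.4"]},
    ],
}

# Constructed advisory feed: (name, version) -> placeholder advisory id.
SAMPLE_ADVISORIES = {
    ("urllib3", "1.26.4"): "ADV-PLACEHOLDER-1",
    ("pyyaml", "5.3"): "ADV-PLACEHOLDER-2",
    ("oldtool", "0.1"): "ADV-PLACEHOLDER-3",
}


def build_graph(sbom):
    """Adjacency list: bom-ref -> list of bom-refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def all_vulnerable(sbom, advisories):
    """The naive SBOM-driven list: every listed component that has an advisory."""
    return {c["bom-ref"]: advisories[(c["name"], c["version"])]
            for c in sbom["components"]
            if (c["name"], c["version"]) in advisories}


def dependency_paths(sbom, root):
    """Breadth-first walk from the product; returns {ref: path from root}."""
    graph = build_graph(sbom)
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in paths:          # first visit gives the shortest chain
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def reachable_vulnerable(sbom, advisories, root=None):
    """Dependencies with advisories that the product actually reaches, each with
    the chain that pulls it in (depth 1 = direct, >1 = transitive)."""
    if root is None:
        root = sbom["metadata"]["component"]["bom-ref"]
    paths = dependency_paths(sbom, root)
    return {ref: {"advisory": adv, "via": paths[ref], "depth": len(paths[ref]) - 1}
            for ref, adv in all_vulnerable(sbom, advisories).items()
            if ref in paths}


if __name__ == "__main__":
    print("all vulnerable:", sorted(all_vulnerable(SAMPLE_SBOM, SAMPLE_ADVISORIES)))
    for ref, info in reachable_vulnerable(SAMPLE_SBOM, SAMPLE_ADVISORIES).items():
        print(f"reachable: {ref} ({info['advisory']}) depth={info['depth']} via {' -> '.join(info['via'])}")
```

Running it lists three vulnerable components but only two that the product reaches; the unreachable one drops out of the list a vendor would have to act on, while the chain shown for each remaining entry tells the vendor whether an upgrade is in its own control or in a parent package's.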
There is no reason to disdain the concept of SBOM outright. By all means, let’s make the software vendors responsible for being transparent about what goes into their software products. Plenty of organizations have paid a steep price because of software vulnerabilities that could have been prevented in the form of data breaches and other cybersecurity attacks.
Indeed, it’s heartening to see the federal government take cybersecurity so seriously and propose ways to enhance the protection of applications and data.
However, let’s make SBOM specific to the list of dependencies that actually make the application vulnerable. This serves both the vendor and its customers by cutting directly to the sources of vulnerabilities that can do damage. That way, we can address the issues at hand without creating unnecessary burdens.
Founded in 2020, Dustico provides a dynamic source-code analysis platform that employs machine learning to detect malicious attacks and backdoors in software supply chains.
The acquisition will see Checkmarx combine its AST capabilities with Dustico’s behavioral analysis technology to give customers a consolidated view into the risk and reputation of open-source packages, and as a result, a more comprehensive approach to preventing supply chain attacks.
The deal comes amid a sharp rise in supply chain attacks, in which threat actors slip malicious code into a trusted piece of software or hardware. Last December, it was revealed that Russian hackers had breached software firm SolarWinds to plant malicious code in its IT management tool Orion. This allowed the hackers — later identified as Russia’s Foreign Intelligence Service (SVR) — to access as many as 18,000 networks that used the Orion software.
Dustico’s technology, which is similar to that offered by Sonatype, analyses open source packages using a three-pronged approach. First, it factors in trust, providing visibility into the credibility of package providers and individual contributors in the open-source community; then it examines the health of packages to determine their level of maintenance. Finally, Dustico’s behavioral analysis engine inspects the package and looks for malicious code hiding within it, including backdoors, ransomware, multi-stage attacks and trojans.
This insight, coupled with vulnerability results from Checkmarx’s AST solutions, aims to give organizations and developers greater insights for managing the risks associated with open-source and the supply chains dependent on them, according to the two companies.
“We’re thrilled to welcome Dustico and its team to Checkmarx as the Israeli tech ecosystem continues to push the boundaries of cybersecurity innovation and talent,” said Emmanuel Benzaquen, CEO of Checkmarx. “Blending Dustico’s differentiated approach to open-source analysis with Checkmarx’s security testing capabilities will bring disruptive value to our customers as they manage the challenges with securing software supply chains.”
The acquisition of Dustico comes after Checkmarx was bought by private equity firm Hellman & Friedman at a valuation of $1.15 billion in March 2020. Prior to this, in 2015, the company was sold to Insight Partners with an $84 million investment.
It has been over three months since Click Studios, the Australian software house behind the enterprise password manager Passwordstate, warned its customers to “commence resetting all passwords.” The company was hit by a supply chain attack that sought to steal the passwords from customer servers around the world.
But customers tell TechCrunch that they are still without answers about the attack. Several customers say they were met with silence from Click Studios, while others were asked to sign strict secrecy agreements when they asked for assurances about the security of the software.
One IT executive whose company was compromised by the attack said they felt “abandoned” by the software maker in the wake of the attack.
Passwordstate is a standalone web server that enterprise companies can use to store and share passwords and secrets for their organizations, like keys for cloud systems and databases that store sensitive customer data, or “break glass” accounts that grant emergency access to the network. Click Studios says it has 29,000 customers using Passwordstate, including banks, universities, consultants, tech companies, defense contractors and U.S. and Australian government agencies, according to public records seen by TechCrunch. The sensitive data held by these customers might be why Passwordstate was the target of this supply-chain attack.
Click Studios sent an email to customers on April 22 warning of a possible Passwordstate compromise, but it wasn’t until Danish security research firm CSIS published a blog post the next day that the existence and extent of the breach were revealed.
CSIS said that cyber-criminals had compromised the Passwordstate software update feature to deliver a malicious update to any customer who had updated their server during a 28-hour window between April 20–22. The malicious update was designed to steal the secrets from customers’ Passwordstate servers and transmit them back to the cyber-criminals.
This is how some customers found out about the hack, they told TechCrunch. Many customers turned to social media since Click Studios shut down its blog and forums as a “precaution,” prompting customers to look for other sources of information.
Some believed that the hack was “another SolarWinds,” referring to an incident months earlier at tech company SolarWinds after the network management software it sells to customers to monitor their networks and fleets of devices was compromised. Russian spies had infiltrated SolarWinds’ network and planted a backdoor in Orion’s software update feature, which was automatically pushed to customer systems. That gave the spies unfettered access to sneak around and gather information from potentially thousands of networks, including nine agencies of the U.S. federal government.
But Passwordstate was fortunate in ways that SolarWinds was not. Since new Passwordstate software updates need to be manually installed, many companies evaded compromise simply by luck. Determining whether a server had been compromised was also relatively easy by checking to see if the size of a particular file on the server was larger than it should be; the fix was fairly simple, as well.
Click Studios went public with the breach on April 24 — late on Friday night in the United States — by publishing an advisory on its website. The advisory largely repeated what it emailed to customers the day before, urging them to reset their passwords starting with all internet-facing networking gear, which, if compromised by a stolen password, would allow the cyber-criminals into a victim’s network.
Several customers who spoke to TechCrunch about the hack, including customers with compromised servers, said Click Studios was largely unresponsive after that.
The IT executive whose Passwordstate server was compromised by the attack said they updated their server during the 28-hour-long attack, but heard nothing from Click Studios besides the mass email warning of the hack. “Everything was just, ‘change your passwords,’” the executive said.
The executive’s company invoked its incident response plan and found logs showing that passwords had been exfiltrated, but found no evidence that the stolen passwords were used. Because the company uses multi-factor authentication, the stolen passwords alone aren’t enough to break into its network. “None of the multi-factor authentication prompts came up that would have if somebody had tried to log in with any of these accounts,” the executive said.
The executive offered to provide their logs to Click Studios in the hope it would help the investigation. In a reply, Click Studios apologized but did not request the logs.
Another compromised customer — a managed service provider — said that the attackers tried to steal the company’s passwords but a glitch stopped the exfiltration in its tracks. The company’s logs showed that the malicious update tried to communicate with the cyber-criminals’ servers using a deprecated encryption protocol, which the server refused to accept. The customer said they offered to provide the logs to Click Studios, which the company agreed to and received, but that the customer heard nothing more from Click Studios after that.
Click Studios published two more advisories that weekend, but customers who asked for more information were only referred back to the advisories. Some vented their frustrations along with their other embattled customers on public forums.
By the following week, Click Studios began asking customers to refrain from posting its correspondence to social media, citing reports of phishing emails worded similarly to the emails it had sent, but some customers suspected the company was trying to control the fallout.
Months on, some customers said they feel discouraged by Click Studios’ lack of response and are using what leverage they have to get answers.
Some customers had licenses up for renewal and wanted firm reassurances about the security and resiliency of the software. Before the incident, customers would expect an update every week or two, but Passwordstate updates were on pause indefinitely until the company’s software development line could be secured. Click Studios had a plan to prevent a similar attack in the future, but insisted on customers signing strict non-disclosure agreements before it would say anything about what changes it was making. The non-disclosure agreements also included provisions that barred anyone from revealing the very existence of the agreement.
Click Studios chief executive Mark Sandford has not responded to multiple requests for comment since the incident. Instead, TechCrunch received the same canned auto-response from the company’s support email saying that its staff are “focused only on assisting customers technically.”
In its most recent advisory, Click Studios said that as of May 17 the company had returned to “normal business operations,” but it has not responded to our more recent emails. Click Studios released a long-awaited update to Passwordstate on August 2 that removes the software update feature it blamed for the supply chain attack.
Some organizations said they are staying on as customers despite the attack. One said while the incident was scary and that it warranted an investigation, they said the initial reporting was “vastly overblown.” Others expressed some sympathy for Click Studios for what was seen as a rare event that was unlikely to happen again.
“I haven’t lost faith. But this was unpleasant,” said one customer.
The Russian state hackers who orchestrated the SolarWinds supply chain attack last year exploited an iOS zero-day as part of a separate malicious email campaign aimed at stealing Web authentication credentials from Western European governments, according to Google and Microsoft.
In a post Google published on Wednesday, researchers Maddie Stone and Clement Lecigne said a “likely Russian government-backed actor” exploited the then-unknown vulnerability by sending messages to government officials over LinkedIn.
Moscow, Western Europe, and USAID
Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers who delivered malware to Windows users, the researchers said.
The investment was led by Liberty Strategic Capital, a venture capital fund recently founded by Steven Mnuchin, who served as U.S. Treasury Secretary under the Trump administration. As part of the deal, Mnuchin will join Cybereason’s board of directors, along with Liberty advisor Gen. Joseph Dunford, who was chairman of the Joint Chiefs of Staff under Trump until his retirement in 2019.
Lior Div, CEO and co-founder of Cybereason, tells TechCrunch that the startup’s decision to work with Liberty Strategic Capital came down to the firm’s “massive network” and the “understanding of the financial and government markets that Mnuchin and Gen. Joseph Dunford bring to our team.”
“For example, the executive order on cybersecurity put out by the Biden Administration recommends that endpoint detection and response solutions be deployed on all endpoints,” Div added. “This accelerates the importance of solutions like ours in the public market, and Liberty Strategic Capital has the relationships to help accelerate our go-to-market strategy in the federal sector.”
This round, which will be used to fuel “hypergrowth driven by strong market demand,” follows $389 million in prior funding from SoftBank, CRV, Spark Capital, and Lockheed Martin. The company didn’t state at what valuation it raised the funds, but it is estimated to be in the region of $3 billion.
Cybereason’s recent growth, which saw it end 2020 at over $120 million in annual recurring revenue, has been largely driven by its AI-powered platform. Unlike traditional alert-centric models, Cybereason’s Defense Platform is operation-centric, which means it exposes and remediates entire malicious operations. The service details the full attack story from root cause to impacted users and devices, which the company claims significantly reduces the time taken to investigate and recover from an enterprise-wide cyber attack.
The company, whose competitors include the likes of BlackBerry-owned Cylance and CrowdStrike, also this week expanded its channel presence with the launch of its so-called Defenders League, a global program that enables channel partners to use its technology and services to help their customers prevent and recover from cyberattacks. Cybereason claims its technology has helped protect customers from the likes of the recent SolarWinds supply-chain attack and other high-profile ransomware attacks launched by DarkSide, REvil, and Conti groups.
Today’s $275 million funding round is likely to be Cybereason’s last before it goes public. Div said in August 2019 that the company planned to IPO within two years, though he wouldn’t be pressed on whether the company is gearing up to go public when asked by TechCrunch. However, the company did compare its latest investment to SentinelOne’s November 2020 Series F round, which was secured just months before it filed for a $100 million IPO.
Microsoft said on Tuesday that hackers operating in China exploited a zero-day vulnerability in a SolarWinds product. According to Microsoft, the hackers were, in all likelihood, targeting software companies and the US Defense industry.
SolarWinds disclosed the zero-day on Monday, after receiving notification from Microsoft that it had discovered that a previously unknown vulnerability in the SolarWinds Serv-U product line was under active exploit. Austin, Texas-based SolarWinds provided no details about the threat actor behind the attacks or how their attack worked.
Commercial VPNs and compromised consumer routers
On Tuesday, Microsoft said it was designating the hacking group for now as “DEV-0322.” “DEV” refers to a “development group,” a label Microsoft uses while an actor is still under study, before its researchers have high confidence about the origin or identity of the actor behind an operation. The company said that the attackers are physically located in China and often rely on botnets made up of routers or other types of IoT devices.
SolarWinds, the company at the center of a supply chain attack that compromised nine US agencies and 100 private companies, is scrambling to contain a new security threat: a critical zero-day vulnerability in its Serv-U product line.
Microsoft discovered the exploits and privately reported them to SolarWinds, the latter company said in an advisory published on Friday. SolarWinds said the attacks are completely unrelated to the supply chain attack discovered in December.
“Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability,” company officials wrote. “SolarWinds is unaware of the identity of the potentially affected customers.”
Microsoft has confirmed it’s buying RiskIQ, a San Francisco-based cybersecurity company that provides threat intelligence and cloud-based software as a service for organizations.
Terms of the deal, which will see RiskIQ’s threat intelligence services integrated into Microsoft’s flagship security offerings, were not disclosed, although Bloomberg previously reported that Microsoft will pay more than $500 million in cash for the company. Microsoft declined to confirm the reported figure.
The announcement comes amid a heightened security landscape as organizations shift to remote and hybrid working strategies.
RiskIQ scours the web, mapping out details about websites and networks, domain name records, certificates and other information, like WHOIS registration data, providing customers visibility into what assets, devices and services can be accessed outside of a company’s firewall. That helps companies lock down their assets and limit their attack surface from malicious actors. It’s that data in large part that helped the company discover and understand Magecart, a collection of groups that inject credit card stealing malware into vulnerable websites.
Microsoft says that by embedding RiskIQ’s technologies into its core products, its customers will be able to build a more comprehensive view of the global threats to their businesses as workforces continue to work outside of the traditional office environment.
The deal will also help organizations to keep an eye on supply-chain risks, Microsoft says. This is likely a growing priority for many: an attack on software provider SolarWinds last year affected at least 18,000 of its customers, and just this month IT vendor Kaseya fell victim to a ransomware attack that spread to more than 1,000 downstream businesses.
Eric Doerr, vice president of cloud security at Microsoft, said: “RiskIQ helps customers discover and assess the security of their entire enterprise attack surface —
RiskIQ was founded in 2009 and has raised a total of $83 million over four rounds of funding. Elias Manousos, who co-founded RiskIQ and serves as its chief executive, said he was “thrilled” at the acquisition.
“The vision and mission of RiskIQ is to provide unmatched internet visibility and insights to better protect and inform our customers and partners’ security programs,” said Manousos. “Our combined capabilities will enable best-in-class protection, investigations, and response against today’s threats.”
The acquisition is one of many Microsoft has made recently in the cybersecurity space in recent months. The software giant last year bought Israeli security startup CyberX in a bid to boost its Azure IoT business, and just last month it acquired Internet of Things security firm ReFirm Labs.
The nation-state hackers who orchestrated the SolarWinds supply chain attack compromised a Microsoft worker’s computer and used the access to launch targeted attacks against company customers, Microsoft said in a terse statement published late on a Friday afternoon.
The hacking group also compromised three entities using password-spraying and brute-force techniques, which gain unauthorized access to accounts by bombarding login servers with large numbers of login guesses. With the exception of the three undisclosed entities, Microsoft said, the password-spraying campaign was “mostly unsuccessful.” Microsoft has since notified all targets, whether attacks were successful or not.
The discoveries came in Microsoft’s continued investigation into Nobelium, Microsoft’s name for the sophisticated hacking group that used SolarWinds software updates and other means to compromise networks belonging to nine US agencies and 100 private companies. The federal government has said Nobelium is part of the Russian government’s Federal Security Service.
Illumio, a self-styled zero trust unicorn, has closed a $225 million Series F funding round at a $2.75 billion valuation.
The round was led by Thoma Bravo, which recently bought cybersecurity vendor Proofpoint for $12.3 billion, and supported by Franklin Templeton, Hamilton Lane, and Blue Owl Capital.
The round lands more than two years after Illumio’s Series E funding round in which it raised $65 million, and fueled speculation of an impending IPO. The company’s founder, Andrew Rubin, still isn’t ready to be pressed on whether the company plans to go public, though he told TechCrunch: “If we do our job right, and if we make our customers successful, I’d like to think that would be part of our journey.”
Illumio’s latest funding round is well-timed. Not only does it come amid a huge rise in successful cyberattacks which show that some of the more traditional cybersecurity measures are no longer working, from the SolarWinds hack in early 2020 to the more recent attack on Colonial Pipeline, but it also comes just weeks after President Joe Biden issued an executive order pushing federal agencies to implement significant cybersecurity initiatives, including a zero trust architecture.
“And just a couple of weeks ago, Anne Neuberger [deputy national security adviser for cybersecurity] put out a memo on White House stationery to all of corporate America saying we’re living through a ransomware pandemic, and here’s six things that we’re imploring you to do,” Rubin says. “One of them was to segment your network.”
Illumio focuses on protecting data centers and cloud networks through something it calls micro-segmentation, which it claims makes it easier to manage and guard against potential breaches, as well as to contain a breach if one occurs. This zero trust approach to security — a concept centered on the belief that businesses should not automatically trust anything inside or outside their perimeters — has never been more important for organizations, according to Illumio.
“Cyber events are no longer constrained to cyber space,” says Rubin. “That’s why people are finally saying that, after 30 years of relying solely on detection to keep us safe, we cannot rely on it 100% of the time. Zero trust is now becoming the mantra.”
Illumio tells TechCrunch it will use the newly raised funds to make a “huge” investment in its field operations and channel partner network, and to invest in innovation, engineering and its product.
The late-stage startup, which was founded in 2013 and is based in California, says more than 10% of Fortune 100 companies — including Morgan Stanley, BNP Paribas SA and Salesforce — now use its technology to protect their data centers, networks and other applications. It saw 100% international growth during the pandemic, and says it’s also broadening its customer base across more industries.
The company has now raised more than $550 million from investors including Andreessen Horowitz, General Catalyst and Formation 8.
The Biden administration this spring announced an executive order designed to strengthen government cybersecurity defenses in the wake of several major recent hacks, including the SolarWinds, Microsoft Exchange Server and Pulse Secure incidents, which impacted numerous federal agencies and private companies. The order’s importance was underscored by the DarkSide ransomware attack on Colonial Pipeline just a few weeks later.
One key element of the cyber executive order is a “software bill of materials” (SBOM) that vendors would be required to provide as part of the federal procurement process. The SBOM would detail the exact software components utilized in a given product, including any open-source components, making it much easier and faster for federal agencies to determine whether they are subject to a vulnerability uncovered in one of these components.
The SBOM is an important step in shoring up federal cybersecurity, but it’s not enough. Understanding the software components included in various products will help agency security teams react more quickly when vulnerabilities come to light, but in other scenarios, like SolarWinds-style supply-chain attacks that surreptitiously insert software components, its impact is limited.
Establishing standards at the federal level for disclosures about software products will benefit cybersecurity in the private sector, as well as improve the overall security of the software supply chain.
That’s why the Biden administration should extend the cyber executive order to include not only an SBOM, but also “behavior transparency.”
Transparency requirements are not a new concept in technology. Certificate transparency (CT) is a public ledger of all certificates issued by any public certificate authority (CA) that provides a framework for monitoring and auditing CA activity, while Apple’s recently announced App Tracking Transparency allows users to see what activity apps are tracking and opt out. Behavior transparency is a proposed application of this concept to known software behaviors.
The purpose of a behavior transparency framework is to enumerate the expected actions of interest that a given piece of software will take on a device or on the network. This helps security analysts distinguish between expected noise and indications of compromise. This, in turn, can give security teams an advantage in identifying the exploitation of unknown vulnerabilities in any proprietary or open-source software.
The good news is that the enumeration of common software behaviors is already a standard industry practice for external network activity. Most major software vendors, including Meraki, McAfee, Tenable, LogMeIn/GoToMeeting, and my own company, ExtraHop, already publish lists of common product behaviors. Even SolarWinds has documentation describing its network behaviors.
But the Biden administration can help effect critical changes that improve upon this industry practice and improve the overall security posture for public and private organizations alike.
Establish standards for behavior transparency
First, the cyber executive order should form a working group in partnership with representative software and security software vendors, as well as organizations such as MITRE, to create standards for the types of network activity that must be included for full behavior transparency.
At a minimum, this should include things like external network destinations, internal network connection behavior with other software components, and, where applicable, a list of associated network ports and the purposes for which those ports are used. The behavior transparency framework should also include other network behavior, especially (but not limited to) anything that looks like scanning or reconnaissance behavior.
Make behavioral data available to common security tools
Second, the cyber executive order should mandate that known software behaviors be published in a machine-readable format such as JSON or CSV that could be ingested into common security products like security information and event management (SIEM), firewalls, endpoint protection platforms, network detection and response, and change management tools.
This is a crucial distinction from the current model, in which most behaviors are listed on a webpage or in a PDF that isn’t machine-readable. With this change, common security tools could use that machine-readable behavioral data to help build baselines for activity within an organization to more quickly and accurately detect deviations that indicate compromise. Meraki is already doing this by providing its list in CSV format.
Centralize access to behavioral information
Third, the cyber executive order should establish a clearinghouse for behavior transparency data, administered by the Cybersecurity and Infrastructure Security Agency or another appropriate federal agency. The status quo is to hunt around on a vendor’s website, consult their in-product documentation or open a support case to find out about network behavior. If the information provided is incorrect, that’s also a support case.
The current decentralized approach is deeply problematic. Unfettered network access for enterprise software products introduces substantial security risk — Zero Trust frameworks have been established to prevent precisely this — but typical practitioners do not have the time or expertise to individually track down the expected behaviors of each piece of enterprise software they have in the environment. Without centralized access to behavior transparency data, even the best Zero Trust implementations will have major gaps surrounding enterprise software.
A clearinghouse would provide a centralized repository for behavior transparency data, organized by company, product and product version. A forum like GitHub is an ideal mechanism for such a clearinghouse, providing a widely used, centralized repository for this information.
Streamline feedback between users and vendors
Fourth, the clearinghouse should include a mechanism by which product users can easily provide feedback to software vendors. Feedback can be in the form of issues or even pull requests, though the companies should be involved in approving changes. This way, deficiencies in the behaviors can be pointed out in a public forum. Most deficiencies will be for reasons like a product update that wasn’t reflected in the behavior transparency data, though as time goes on, companies will ideally make it a practice to make sure these are kept up to date. But there will also be true positives found.
Protecting the software supply chain with behavior transparency
The SolarWinds software supply chain attack, first disclosed in December 2020, illustrates and underscores the importance of behavior transparency. Prior to December 11, when FireEye first identified the vulnerability in the SolarWinds Orion software, at least two other cybersecurity companies, Palo Alto and Fidelis, identified that their SolarWinds installations were communicating with the attacker-controlled “stage 1” avsvmcloud[.]com domain. Palo Alto observed and blocked additional malicious behavior, but at the time neither company determined that the communication with avsvmcloud[.]com itself was suspect. That’s due in large part to the notorious amount of “noise” involved in looking at network data.
But if more organizations had ready access to SolarWinds’ behavior transparency data, as well as a forum in which to compare deviations from the baseline, things might have played out differently.
SolarWinds Orion doesn’t reach out to a lot of external destinations, so when the first stage of the supply chain attack started hitting subdomains off of “appsync-api.eu-west-1.avsvmcloud[.]com,” an analyst on a threat hunt running a SIEM query, or a machine-learning-based EDR or NDR product armed with that information, might have more quickly determined that something was amiss.
Likewise, a low-friction public feedback mechanism could have tipped off SolarWinds and the industry that what seemed like noise in isolation (“appsync-api, seems legit?”) was actually something far more nefarious.
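As an added illustration of the machine-readable baseline proposed above and of the Orion deviation check the article walks through (example code written for this page, not from ExtraHop, SolarWinds or any vendor): it parses a hypothetical JSON behavior record, runs constructed connection-log lines against it, and flags anything outside the published baseline. The JSON layout, the vendor and product names, and the log lines are all assumptions constructed for the example; the avsvmcloud.com hostname is the stage-1 domain the article names.

```python
import csv
import io
import json
from fnmatch import fnmatchcase

# Hypothetical behavior transparency record for one product version. The layout
# (vendor/product/version plus a list of destination patterns, ports and purposes)
# is an assumption made for this example, not a published standard.
BEHAVIOR_JSON = """{
  "vendor": "ExampleVendor",
  "product": "ExampleMonitor",
  "version": "2020.2.1",
  "expected_network_behavior": [
    {"destination": "downloads.example-vendor.test", "ports": [443],
     "purpose": "product update check"},
    {"destination": "*.telemetry.example-vendor.test", "ports": [443],
     "purpose": "usage telemetry"},
    {"destination": "license.example-vendor.test", "ports": [443, 8443],
     "purpose": "license validation"}
  ]
}"""

# Constructed outbound-connection log (firewall/NDR-style CSV export). The last two
# rows imitate the traffic pattern the article describes: a monitoring server talking
# to a random-looking label under appsync-api.eu-west-1.avsvmcloud.com.
LOG_CSV = """ts,src_host,process,dst_host,dst_port
2020-06-12T03:14:07Z,orion-01,ExampleMonitor,downloads.example-vendor.test,443
2020-06-12T03:14:09Z,orion-01,ExampleMonitor,eu1.telemetry.example-vendor.test,443
2020-06-12T03:20:41Z,orion-01,ExampleMonitor,license.example-vendor.test,8443
2020-06-12T03:22:15Z,orion-01,ExampleMonitor,license.example-vendor.test,80
2020-06-12T03:31:58Z,orion-01,ExampleMonitor,constructedlabel01.appsync-api.eu-west-1.avsvmcloud.com,443
2020-06-12T03:32:10Z,orion-01,ExampleMonitor,constructedlabel01.appsync-api.eu-west-1.avsvmcloud.com,443
"""


def load_behavior(json_text):
    """Parse the record into (host_pattern, allowed_ports, purpose) tuples."""
    record = json.loads(json_text)
    return [(entry["destination"].lower(), set(entry["ports"]), entry["purpose"])
            for entry in record["expected_network_behavior"]]


def classify(expected, dst_host, dst_port):
    """Return 'expected', 'unexpected-port' or 'unknown-destination'.

    A wildcard pattern such as '*.telemetry.example-vendor.test' matches any
    depth of subdomain (fnmatch's '*' also matches dots), which is the usual
    intent for a vendor-published destination list.
    """
    host = dst_host.lower().rstrip(".")
    host_matched = False
    for pattern, ports, _purpose in expected:
        if fnmatchcase(host, pattern):
            host_matched = True
            if dst_port in ports:
                return "expected"
    # Known host on an unlisted port is a weaker signal than a host the vendor
    # never documented, so the two cases are reported separately.
    return "unexpected-port" if host_matched else "unknown-destination"


def find_deviations(expected, log_csv):
    """Run every log row through the baseline and collect the ones outside it."""
    deviations = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        port = int(row["dst_port"])
        verdict = classify(expected, row["dst_host"], port)
        if verdict != "expected":
            deviations.append({"ts": row["ts"], "src_host": row["src_host"],
                               "dst_host": row["dst_host"], "dst_port": port,
                               "reason": verdict})
    return deviations


def summarize(deviations):
    """Collapse repeated hits so an analyst sees one line per host/destination/reason."""
    counts = {}
    for dev in deviations:
        key = (dev["src_host"], dev["dst_host"], dev["reason"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    baseline = load_behavior(BEHAVIOR_JSON)
    for key, count in summarize(find_deviations(baseline, LOG_CSV)).items():
        src, dst, reason = key
        print(f"{src} -> {dst}: {reason} ({count} connections)")
```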
The cyber executive order, alongside the sanctions on Russia, is a strong early indication that the Biden administration intends to take a far more proactive approach to cybersecurity. Critical to the success of these efforts will be the partnership the administration forges with private-sector technology providers. Establishing standards at the federal level for disclosures about software products will benefit cybersecurity in the private sector, as well as improve the overall security of the software supply chain.
The Cybersecurity and Infrastructure Security Agency has launched a vulnerability disclosure program allowing ethical hackers to report security flaws to federal agencies.
The platform, launched with the help of cybersecurity companies Bugcrowd and Endyna, will allow civilian federal agencies to receive, triage and fix security vulnerabilities from the wider security community.
The move to launch the platform comes less than a year after the federal cybersecurity agency, better known as CISA, directed the civilian federal agencies that it oversees to develop and publish their own vulnerability disclosure policies. These policies are designed to set the rules of engagement for security researchers by outlining what (and how) online systems can be tested, and which can’t be.
It’s not uncommon for private companies to run VDP programs to allow hackers to report bugs, often in conjunction with a bug bounty to pay hackers for their work. While the U.S. Department of Defense has for years warmed to hackers, the civilian federal government has been slow to adopt.
Bugcrowd, which last year raised $30 million at Series D, said the platform will “give agencies access to the same commercial technologies, world-class expertise, and global community of helpful ethical hackers currently used to identify security gaps for enterprise businesses.”
The platform will also help CISA share information about security flaws between other agencies.
The platform launches after a bruising few months for government cybersecurity, including a Russian-led espionage campaign against at least nine U.S. federal government agencies by hacking software house SolarWinds, and a China-linked cyberattack that backdoored thousands of Microsoft Exchange servers, including in the federal government.
In an S-1 filing on Thursday, the security company revealed that for the three months ending April 30, its revenues increased by 108% year-on-year to $37.4 million and its customer base grew to 4,700, up from 2,700 a year prior. Despite this pandemic-fueled growth, SentinelOne’s net losses more than doubled from $26.6 million in 2020 to $62.6 million.
“We also expect our operating expenses to increase in the future as we continue to invest for our future growth, including expanding our research and development function to drive further development of our platform, expanding our sales and marketing activities, developing the functionality to expand into adjacent markets, and reaching customers in new geographic locations,” SentinelOne wrote in its filing.
The Mountain View-based company said it intends to list its Class A common stock using the ticker symbol “S” and that details about the price range and number of common shares to be put up for the IPO are yet to be determined. The S-1 filing also identifies Morgan Stanley, Goldman Sachs, Bank of America Securities, Barclays and Wells Fargo Securities as the lead underwriters.
SentinelOne raised $276 million in a funding round in November last year, tripling its $1 billion valuation from February 2020 to $3 billion. At the time, CEO and founder Tomer Weingarten told TechCrunch that an IPO “would be the next logical step” for the company.
SentinelOne, which was founded in 2013 and has raised a total of $696.5 million through eight rounds of funding, is looking to raise up to $100 million in its IPO, and said it’s intending to use the net proceeds to increase its visibility in the cybersecurity marketplace and for product development and other “general corporate processes.”
It added that it “may also use a portion of the net proceeds for the acquisition of, or investment in, technologies, solutions, or businesses that complement our business.” The company’s sole acquisition so far took place back in February when it bought high-speed logging startup Scalyr for $155 million.
SentinelOne is going public during a period of heightened public interest in cybersecurity. There has been a wave of high-profile cyberattacks during the COVID-19 pandemic, with hackers taking advantage of widespread remote working necessitated as a result.
One of the biggest attacks saw Russian hackers breach the networks of IT company SolarWinds, enabling them to gain access to government agencies and corporations. SentinelOne’s endpoint protection solution was able to detect and stop the related malicious payload, protecting its customers.
“The world is full of criminals, state actors, and other hostile agents who seek to exfiltrate and exploit data to disrupt our way of life,” Weingarten said in SentinelOne’s SEC filing. “Our mission is to keep the world running by protecting and securing the core pillars of modern infrastructure: data and the systems that store, process, and share information. This is an endless mission as attackers evolve rapidly in their quest to disrupt operations, breach data, turn profit, and inflict damage.”
Cybersecurity giant FireEye has agreed to sell its products business to a consortium led by private equity firm Symphony Technology Group for $1.2 billion.
The all-cash deal will split FireEye, the maker of network and email cybersecurity products, from its digital forensics and incident response arm Mandiant.
FireEye’s chief executive Kevin Mandia said the deal unlocks its “high-growth” Mandiant business, allowing it to stand alone as a separate business running incident response and security testing.
The move to split the two companies comes almost a decade after FireEye acquired Mandiant, and made Mandia chief executive.
Mandia said: “STG’s focus on fueling innovative market leaders in software and cybersecurity makes them an ideal partner for FireEye Products. We look forward to our relationship and collaboration on threat intelligence and expertise.”
STG managing partner William Chisholm said there is an “enormous untapped opportunity for the business that we are excited to crystallize by leveraging our significant security software sector experience and our market leading carve-out expertise.”
The company said the deal is expected to close by the end of the fourth quarter.
FireEye has become one of the more prominent names in cybersecurity, known for its research into hacking groups — some linked to governments — and its Mandiant unit for responding to major security incidents. Mandiant was called in to help Colonial Pipeline recover from a recent ransomware attack.
In December, FireEye admitted that its own networks had been hacked, a move praised across the cybersecurity industry for helping to speed up efforts that led to the discovery of the SolarWinds espionage attack, later attributed to Russian foreign intelligence.
The Russian hackers who breached SolarWinds IT management software to compromise a slew of United States government agencies and businesses are back in the limelight. Microsoft said on Thursday that the same “Nobelium” spy group has built out an aggressive phishing campaign since January of this year and ramped it up significantly this week, targeting roughly 3,000 individuals at more than 150 organizations in 24 countries.
The revelation caused a stir, highlighting as it did Russia’s ongoing and inveterate digital espionage campaigns. But it should be no shock at all that Russia in general, and the SolarWinds hackers in particular, have continued to spy even after the US imposed retaliatory sanctions in April. And relative to SolarWinds, a phishing campaign seems downright ordinary.
“I don’t think it’s an escalation, I think it’s business as usual,” says John Hultquist, vice president of intelligence analysis at the security firm FireEye, which first discovered the SolarWinds intrusions. “I don’t think they’re deterred and I don’t think they’re likely to be deterred.”
The Kremlin-backed hackers who targeted SolarWinds customers in a supply chain attack have been caught conducting a malicious email campaign that delivered malware-laced links to 150 government agencies, research institutions and other organizations in the US and 23 other countries, Microsoft said.
The hackers, belonging to Russia’s Foreign Intelligence Service, first managed to compromise an account belonging to USAID, a US government agency that administers civilian foreign aid and development assistance. With control of the agency’s account for online marketing company Constant Contact, the hackers had the ability to send emails that appeared to use addresses known to belong to the US agency.
Nobelium goes native
“From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” Microsoft Vice President of Customer Security and Trust Tom Burt wrote in a post published on Thursday evening. “This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.”
Microsoft reported that it had detected the intrusion and that the same hackers behind the earlier SolarWinds attack were responsible.
Panaseer, which takes a data science approach to cybersecurity, has raised $26.5 million in a Series B funding led by AllegisCyber Capital. Existing investors, including Evolution Equity Partners, Notion Capital, AlbionVC, Cisco Investments and Paladin Capital Group, as well as new investor National Grid Partners, also participated. Panaseer has now raised $43m to date.
Panaseer’s special sauce and sales pitch amount to what it calls ‘Continuous Controls Monitoring’ (CCM). In plainer English that means correlating a great deal of data from all available security tools to check assets, control gaps, you name it.
As a result, the company says it can identify zero-day and other exposures faster, or exposure to, say, FireEye or SolarWinds vulnerabilities.
Jonathan Gill, CEO, Panaseer said: “Most enterprises have the tools and capability to theoretically prevent a breach from occurring. However, one of the key reasons that breaches occur is that there is no technology to monitor and react to failed controls. CCM continuously validates and measures levels of protection and provides notifications of failures. Ultimately, CCM enables these failures to be fixed before they become security incidents.”
Speaking to me on a call he added: “The investment allows us to scale our organization to meet those demands of customers with a team of people to implement the platform and help them get tremendous value and to evolve the product. To add more and more capability to that technology to support more and more use cases. So they’re the two main directions, and there’s a market we think of tens of thousands of organizations of a certain size, who are regulated or they have assets worth protecting and a level of complexity that makes it difficult to solve the problem themselves. And our Advisory Board and the customers I’ve spoken with think maybe there are barely 20 companies in the world who can solve this problem. And everybody else gets stuck on the fact that it’s a really difficult data science problem to solve. So we want to scale that and take that to more organizations.”
And why did they pick these investors: “I think we picked them and they picked us, we’ve been on that journey together. It takes months to find the best combination. The dollars are all the same when it comes to investors, but I think they can help improve as an organization and grow just like the existing investors do. They give us access and reach into parts of the market and help make us better as organizations as well.”
Bob Ackerman, founder and managing director of AllegisCyber Capital, and co-founder of DataTribe said: “The emergence of Continuous Controls Monitoring as a new cybersecurity category demonstrates a ‘coming of age’ for cybersecurity. Cyber is the existential threat to the global digital economy. All levels of the enterprise, from the CISO, to Chief Risk Officer, to the Board of Directors are demanding comprehensive visibility, transparency and hard metrics to assess cyber situational awareness.”
The operator of the system, Colonial Pipeline, said it had shut down its 5,500 miles of pipeline, which takes refined gasoline and jet fuel along the East Coast.
Competition with China, and containment of Russia, were the subtext of the president’s call for action. But casting the struggle as “democracy versus autocracy” oversimplifies what lies ahead.
Russian troops massed on the border of Ukraine, a dissident gravely ill, new sanctions. What’s it all mean?
If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.
Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.
Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes, and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.
Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cybersecurity industry must rethink its strategy to analyze how credentials are used and stop breaches before they become bigger problems.
It’s all about the credentials
Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the mid-pandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.
It only takes one compromised account for an attacker to enter Active Directory and create their own credentials. In such an environment, all user accounts should be considered as potentially compromised.
Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly used strategy is credential stuffing attacks, where digital adversaries break in, exploit the environment, then move laterally to gain higher-level access.
US officials on Thursday formally blamed Russia for backing one of the worst espionage hacks in recent US history and imposed sanctions designed to mete out punishments for that and other recent actions.
In a joint advisory, the National Security Agency, FBI, and Cybersecurity and Infrastructure Security Agency said that Russia’s Foreign Intelligence Service, abbreviated as the SVR, carried out the supply-chain attack on customers of the network management software from Austin, Texas-based SolarWinds.
The operation infected SolarWinds’ software build and distribution system and used it to push backdoored updates to about 18,000 customers. The hackers then sent follow-up payloads to about 10 US federal agencies and about 100 private organizations. Besides the SolarWinds supply-chain attack, the hackers also used password guessing and other techniques to breach networks.
Administration officials were determined to draft a response that would impose real costs on Moscow, as many previous rounds of sanctions have been shrugged off.
Chris Inglis will be nominated to the new post as the president fills out his cybersecurity team and the U.S. considers responses to recent attacks.
President Biden has named two former National Security Agency veterans to senior government cybersecurity positions, including the first national cyber director.
The appointments, announced Monday, land after the discovery of two cyberattacks linked to foreign governments earlier this year — the Russian espionage campaign that planted backdoors in U.S. technology giant SolarWinds’ technology to hack into at least nine federal agencies, and the mass exploitation of Microsoft Exchange servers linked to hackers backed by China.
Jen Easterly, a former NSA official under the Obama administration who helped to launch U.S. Cyber Command, has been nominated as the new head of CISA, the cybersecurity advisory unit housed under Homeland Security. CISA has been without a head for six months after then-President Trump fired former director Chris Krebs, whom Trump appointed to lead the agency in 2018, for disputing Trump’s false claims of election hacking.
Biden has also named former NSA deputy director John “Chris” Inglis as national cyber director, a new position created by Congress late last year to be housed in the White House, charged with overseeing the defense and cybersecurity budgets of civilian agencies.
Inglis is expected to work closely with Anne Neuberger, who in January was appointed as the deputy national security adviser for cyber on the National Security Council. Neuberger, a former NSA executive and its first director of cybersecurity, was tasked with leading the government’s response to the SolarWinds attack and Exchange hacks.
Biden has also nominated Rob Silvers, a former Obama-era assistant secretary for cybersecurity policy, to serve as undersecretary for strategy, policy, and plans at Homeland Security. Silvers was recently floated for the top job at CISA.
Both Easterly’s and Silvers’ positions are subject to Senate confirmation. The appointments were first reported by The Washington Post.
Former CISA director Krebs praised the appointments as “brilliant picks.” Dmitri Alperovitch, a former CrowdStrike executive and chair of Silverado Policy Accelerator, called the appointments the “cyber equivalent of the dream team.” In a tweet, Alperovitch said: “The administration could not have picked three more capable and experienced people to run cyber operations, policy and strategy alongside Anne Neuberger.”
Neuberger is replaced by Rob Joyce, a former White House cybersecurity czar, who returned from a stint at the U.S. Embassy in London earlier this year to serve as NSA’s new cybersecurity director.
Last week, the White House asked Congress for $110 million in new funding for next year to help Homeland Security to improve its defenses and hire more cybersecurity talent. CISA hemorrhaged senior staff last year after several executives were fired by the Trump administration or left for the private sector.
When you think of the core members of the C-suite, you probably think of the usual characters: CEO, CFO, COO and maybe a CMO. Each of these roles is fairly well defined: The CEO controls strategy and ultimately answers to the board; the CFO manages budgets; the CMO gets people to buy more, more often; the COO keeps everything running smoothly. Regardless of the role, all share the same objective: maximize shareholder value.
But the information age is shaking up the C-suite’s composition. The cyber market is exploding in an attempt to secure the modern enterprise: multicloud environments, data generated and stored faster than anyone can keep up with and SaaS applications powering virtually every function across the org, in addition to new types of security postures that coincide with that trend. Whatever the driver, though, this all adds up to the fact that cyber strategy and company strategy are inextricably linked. Consequently, chief information security officers (CISOs) in the C-suite will be just as common and influential as CFOs in maximizing shareholder value.
As investors seek outsized returns, they need to be more engaged with the CISO beyond the traditional security topics.
It’s the early ’90s. A bank heist. A hacker. St. Petersburg and New York City. Offshore bank accounts. Though it sounds like the synopsis of the latest psychological thriller, this is the context for the appointment of the first CISO in 1994.
A hacker in Russia stole $10 million from Citi clients’ accounts by typing away at a keyboard in a dimly lit apartment across the Atlantic. Steve Katz, a security executive, was poached from JP Morgan to join Citi as part of the C-suite to respond to the crisis. His title? CISO.
After he joined, he was told two critical things: First, he would have a blank check to set up a security program to prevent this from happening again, and second, Citi would publicize the hack one month after he started. Katz flew over 200,000 miles during the next few months, visiting corporate treasurers and heads of finance to reassure them their funds were secure. While the impetus for the first CISO was a literal bank heist, the $10 million stolen pales in comparison to what CISOs are responsible for protecting today.
Recent testimony before Congress on the massive SolarWinds attacks served as a wake-up call for many. What I saw emerge from the testimony was a debate on whether the public cloud is a more secure option than a hybrid cloud approach.
The debate shouldn’t surround which cloud approach is more secure, but rather which one we need to design security for. We — enterprise technology providers — should be designing security around the way our modern systems work, rather than pigeonholing our customers into securing one computing model over the other.
The SolarWinds attack was successful because it took advantage of a vast, intermixed supply chain of technology vendors. While there are fundamental lessons to be learned on how to protect the code supply chain, I think the bigger lesson is that complexity is the enemy of security.
The “Frankencloud” model
We’ve seen our information technology environments evolve into what I call a “Frankenstein” approach. Firms scrambled to take advantage of the cloud while maintaining their systems of record. Similar to how Frankenstein was assembled, this led to systems riddled with complexity and disconnected parts put together.
Security teams cite this complexity as one of their largest challenges. Forced to rely on dozens of vendors and disconnected security products, the average security team is using 25 to 49 tools from up to 10 different vendors. This disconnect is creating blind spots we can no longer afford to avoid. Security systems shouldn’t be piecemealed together; an organization’s security needs to be designed with one single point of control that provides a holistic view of threats and mitigates complexity.
Hybrid cloud innovations
We’re seeing hybrid cloud environments emerging as the dominant technology design point for governments, as well as public and private enterprises. In fact, a recent study from Forrester Research found that 85% of technology decision-makers agree that on-premise infrastructure is critical to their hybrid cloud strategies.
A hybrid cloud model combines part of a company’s existing on-premise systems with a mix of public cloud resources and as-a-service resources and treats them as one.
How does this benefit your security? In a disconnected environment, the most common path for cybercriminals to compromise cloud environments is via cloud-based applications, representing 45% of cloud-related incidents analyzed by our IBM X-Force team.
Take, for instance, the cloud-based systems that authenticate users before they are allowed to access your systems. A login from an employee’s device is detected in the middle of the night. At the same time, there may be an attempt from that same device, seemingly in a different time zone, to access sensitive data from your on-premise data centers. A unified security system knows the risky behavior patterns to watch for and automatically hinders both actions. If these incidents were detected in two separate systems, that action never takes place and data is lost.
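As an added example (not code from the original article or from IBM), here is what that cross-system correlation can look like: a unified view joins cloud login and on-premises access events by device ID, flags pairs that no single device could physically produce in the elapsed time, and then blocks both sides. All events, device IDs, user names and coordinates below are constructed; the 900 km/h threshold is an assumption.

```python
"""Correlate cloud-IdP logins with on-prem data access by device ID and flag
"impossible travel": two sightings too far apart for the elapsed time.
Every event, device ID and coordinate here is constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumed ceiling: faster than an airliner is implausible


@dataclass(frozen=True)
class Event:
    source: str    # "cloud-idp" or "onprem-dc": which silo produced the event
    device: str
    user: str
    ts: datetime
    lat: float
    lon: float


def distance_km(a: Event, b: Event) -> float:
    """Great-circle (haversine) distance between two events' locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (device, earlier, later) triples for consecutive sightings of one
    device that would require travel faster than max_speed_kmh. Pairs that
    span both silos are only visible when both feeds are in one place."""
    by_device = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_device.setdefault(e.device, []).append(e)
    hits = []
    for dev, evs in by_device.items():
        for earlier, later in zip(evs, evs[1:]):
            hours = (later.ts - earlier.ts).total_seconds() / 3600
            if distance_km(earlier, later) > max_speed_kmh * hours:  # hours may be 0
                hits.append((dev, earlier, later))
    return hits


def block_decisions(hits):
    """Block BOTH sides of each flagged pair, as the unified control would;
    a lone silo could only act on the one event it saw."""
    return sorted({(e.source, e.device) for _, a, b in hits for e in (a, b)})


# Constructed sample: one laptop ID logs into the cloud IdP from Austin at 02:10
# and reaches an on-prem file server from Frankfurt four minutes later; a second
# laptop moves a kilometre in an hour, which is fine.
T0 = datetime(2021, 4, 15, 2, 10)
SAMPLE_EVENTS = [
    Event("cloud-idp", "LAPTOP-0042", "jdoe", T0, 30.27, -97.74),
    Event("onprem-dc", "LAPTOP-0042", "jdoe", T0 + timedelta(minutes=4), 50.11, 8.68),
    Event("cloud-idp", "LAPTOP-0077", "asmith", T0, 30.27, -97.74),
    Event("onprem-dc", "LAPTOP-0077", "asmith", T0 + timedelta(hours=1), 30.28, -97.73),
]
```

Feeding only one silo's events to `impossible_travel` returns nothing for the same sample, which is the blind spot the paragraph describes.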
Many of these issues arise due to the mishandling of data through cloud data storage. The fastest-growing innovations to address this gap are called Confidential Computing. Right now, most cloud providers promise that they won’t access your data. (They could, of course, be compelled to break that promise by a court order or other means.) It also means malicious actors who gain the provider’s level of access could use it for their own nefarious purposes. Confidential Computing ensures that the cloud technology provider is technically incapable of accessing data, making it equally difficult for cybercriminals to gain access to it.
Creating a more secure future
Cloud computing has brought critical innovations to the world, from the distribution of workloads to moving with speed. At the same time, it also brought to light the essentials of delivering IT with integrity.
Cloud’s need for speed has pushed aside the compliance and controls that technology companies historically ensured for their clients. Now, those requirements are often put back on the customer to manage. I’d urge you to think of security first and foremost in your cloud strategy and choose a partner you can trust to securely advance your organization forward.
We need to stop bolting security and privacy onto the “Frankencloud” environment that operates so many businesses and governments. SolarWinds taught us that our dependence on a diverse set of technologies can be a point of weakness.
Fortunately, it can also become our greatest strength, as long as we embrace a future where security and privacy are designed in the very fabric of that diversity.
Email-management provider Mimecast has confirmed that a network intrusion used to spy on its customers was conducted by the same advanced hackers responsible for the SolarWinds supply chain attack.
The hackers, which US intelligence agencies have said likely have Russian origins, used a backdoored update for SolarWinds Orion software to target a small number of Mimecast customers. Exploiting the Sunburst malware sneaked into the update, the attackers first gained access to part of the Mimecast production-grid environment. They then accessed a Mimecast-issued certificate that some customers use to authenticate various Microsoft 365 Exchange web services.
Tapping Microsoft 365 connections
Working with Microsoft, which first discovered the breach and reported it to Mimecast, company investigators found that the threat actors then used the certificate to “connect to a low single-digit number of our mutual customers’ M365 tenants from non-Mimecast IP address ranges.”
The intelligence agencies missed massive intrusions by Russia and China, forcing the administration and Congress to look for solutions, including closer partnership with private industry.
SolarWinds is back in hot water after a shareholder lawsuit accused the company of poor security practices, which the shareholders say allowed hackers to break into at least nine U.S. government agencies and hundreds of companies.
The lawsuit said SolarWinds used an easily guessable password “solarwinds123” on an update server, which was subsequently breached by hackers “likely Russian in origin.” Former SolarWinds chief executive Sudhakar Ramakrishna, speaking at a congressional hearing in March, blamed the poor password on an intern.
There are countless cases of companies bearing the brunt from breaches caused by vendors and contractors across the supply chain.
Experts are still trying to understand just how the hackers broke into SolarWinds servers. But the weak password does reveal wider issues about the company’s security practices — including how the easily guessable password was allowed to be set to begin with.
Even if the intern is held culpable, SolarWinds still faces what’s known as vicarious liability — and that can lead to hefty penalties.
By now, most people know that hackers tied to the Russian government compromised the SolarWinds software build system and used it to push a malicious update to some 18,000 of the company’s customers. On Monday, researchers published evidence that hackers from China also targeted SolarWinds customers in what security analysts have said was a distinctly different operation.
The parallel hack campaigns have been public knowledge since December, when researchers revealed that, in addition to the supply chain attack, hackers exploited a vulnerability in SolarWinds software called Orion. Hackers in the latter campaign used the exploit to install a malicious web shell dubbed Supernova on the network of a customer who used the network management tool. Researchers, however, had few if any clues as to who carried out that attack.
On Monday, researchers said the attack was likely carried out by a China-based hacking group they’ve dubbed “Spiral.” The finding, laid out in a report published on Monday by Secureworks’ Counter Threat Unit, is based on techniques, tactics, and procedures in the hack that were either identical or very similar to an earlier compromise the researchers discovered in the same network.
The proliferation of cyberattacks by rivals is presenting a challenge to the Biden administration as it seeks to deter intrusions on government and corporate systems.
The hackers started their attack in January but escalated their efforts in recent weeks, security experts say. Businesses and government agencies were affected.
First it was SolarWinds, a reportedly Russian hacking campaign that stretches back almost a year and has felled at least nine US government agencies and countless private companies. Now it’s Hafnium, a Chinese group that’s been attacking a vulnerability in Microsoft Exchange Server to sneak into victims’ email inboxes and beyond. The collective toll of these espionage sprees is still being uncovered. It may never be fully known.
Countries spy on each other, everywhere, all the time. They always have. But the extent and sophistication of Russia’s and China’s latest efforts still manage to shock. And the near-term fallout of both underscores just how tricky it can be to take the full measure of a campaign even after you’ve sniffed it out.