Understanding a threat is just as important as the steps taken toward prevention.

Ansh Patnaik, Senior Vice President of Product Management, CyCognito

September 12, 2024

5 Min Read

Source: Zonnar GmbH via Alamy Stock Photo

COMMENTARY

In recent years, software supply chain attacks have moved from the periphery of concerns to the forefront. According to Verizon's "2024 Data Breach Investigations Report," the use of vulnerabilities to initiate breaches surged by 180% in 2023, compared to 2022. Of those breaches, 15% involved a third party or supplier, such as software supply chains, hosting partner infrastructures, or data custodians. 

These statistics come as no surprise, given the impact of several high-profile vulnerabilities in 2023. 

SolarWinds is probably the biggest known example of a software supply chain attack to date. More than 18,000 organizations were affected, with some reports stating the attack cost those affected 11% of their revenue, on average.

Similarly, Okta also experienced a significant breach where threat actors accessed private customer data through its support management system. The breach went undetected for weeks, despite security alerts.

And let's not forget the drawn-out MOVEit Transfer tool attack, which affected more than 620 organizations, including major entities like the BBC and British Airways. Linked to the Cl0p ransomware group, the attack clearly emphasized the urgency of promptly patching vulnerabilities and securing Web-facing applications. 

A very important detail to note is that the ramifications of software supply chain attacks could be enduring, both from a technical threat and liability perspective. In October 2023, nearly three years after the notorious SolarWinds breach, the Securities and Exchange Commission (SEC) charged SolarWinds with misleading investors about its cybersecurity practices and risks. This charge followed a $26 million settlement of a securities class-action lawsuit related to the breach.

But to understand how these attacks occur and how they can be mitigated, it's important to first understand what software supply chain security is.

**Unpacking Software Supply Chain Security**

Gartner defines software supply chain security (SSCS) as a comprehensive framework encompassing the processes and tools necessary to curate, create, and consume software securely, thereby mitigating potential attacks on software or its use as an attack vector. This framework is structured around three core pillars:

1.  Curation: This step is all about evaluating third-party software components to assess their risks and determine if they're suitable for use. By doing this, organizations ensure that only secure and compliant components make their way into the software supply chain.
    
2.  Creation: This shows the importance of secure development practices and protecting both software artifacts and the development pipeline. It involves putting security measures in place throughout the software creation process to guard against vulnerabilities and potential threats.
    
3.  Consumption: This stage focuses on ensuring the integrity of the software by verifying its source, authenticity, and traceability. It ensures that the software being deployed is secure and has not been tampered with or modified without authorization.
    

In simpler terms, SSCS encompasses all the software components used and built into an organization's software, as well as the practices developers employ to write and monitor code post-deployment.

Gartner's efforts in this area are a direct result of what it deems to be an escalating threat. In fact, it projects that the financial impact of supply chain attacks will escalate from $40 billion in 2023 to $138 billion by 2031.

The US government is also taking measures, mandating that its suppliers provide a software bill of materials (SBOM), underscoring the need for transparency and accountability in the software supply chain.

**Building a Software Supply Chain Security Program**

Managing the risk of vulnerabilities during software development relies on two main processes: continuous code scanning throughout the software development life cycle (SDLC) and maintaining a highly automated SDLC to efficiently update, test, and deploy new software versions.

*   Continuous code scanning: It's crucial to implement continuous code scanning throughout the SDLC to catch vulnerabilities early. This involves using both static and dynamic application security testing (SAST and DAST) to ensure that both proprietary and third-party code are secure.
    
*   Automated SDLC: Keeping the SDLC highly automated is key to efficiently updating, testing, and deploying new software versions. Automation helps reduce human error and speeds up the process of identifying and fixing vulnerabilities.
    

Scanning third-party code with source code analysis (SCA) tools is essential in this context. SCA automates the detection and management of risks associated with third-party and open source software components. Here's what SCA can do:

*   Identify software components: SCA tools can pinpoint all the components within a software application, giving you a clear view of the software supply chain.
    
*   Generate software bills of materials (SBOM): SBOMs provide a list of all components and their metadata, helping organizations comply with regulatory requirements and manage open source licenses.
    
*   Scan for vulnerabilities: These tools scan for known vulnerabilities in software components, offering alerts and guidance for remediation.
    
*   Assess risks: They evaluate the risk level of each component, allowing organizations to prioritize remediation efforts based on the severity of the risk.
    
*   Generate dependency graphs: These graphs show the relationships between components, helping to identify potential points of failure or risk.
    
*   Provide remediation guidance: SCA tools offer actionable advice on how to fix identified vulnerabilities.
    
*   Automatically enforce policies: You can set policies to automatically block the use of components with known vulnerabilities or license issues.
    

External exposure management is also playing an increasingly critical role in supply chain security, with organizations adding more third-party services and building more Web apps using third-party components and libraries every day.

**The Future**

The financial impact of these attacks is projected to grow significantly, making it imperative for organizations to act now. 

The key moving forward is first awareness. Understanding the threat is as important as the steps toward prevention. Once this is established, there are ample resources and technologies to equip security teams with the reinforcements to protect their ecosystems.

**About the Author**

Senior Vice President of Product Management, CyCognito

Ansh Patnaik, senior vice president of product management of CyCognito, has more than 20 years of cross functional experience in cybersecurity and data analytics. Most recently, Ansh was director, cloud security products for Google Cloud Platform, and chief product officer for Chronicle, prior to the acquisition of Chronicle by Google. Previously, he was vice president of product management at Oracle Cloud, where he defined and launched its security analytics cloud service offering. Ansh has held product management, product marketing, and sales engineering leadership roles at several market leading software companies, including Delphix, ArcSight (acquired by HP), and BindView (acquired by Symantec).

Rising Tide of Software Supply Chain Attacks: An Urgent Problem

A vendor honeypot caught two attacks intended to leverage the tens of thousands of exposed Selenium Grid Web app testing servers.

Source: Olekcii Mach via Alamy Stock Photo

Threat actors are infecting Internet-exposed Selenium Grid servers, with the goal of using victims' Internet bandwidth for cryptomining, proxyjacking, and potentially much worse.

Selenium is an open source suite of tools for browser automation that, according to data from Wiz, can be found in 30% of cloud environments. Selenium Grid is its open source tool for automatically testing Web applications across multiple platforms and browsers in parallel, used by millions of developers and thousands of organizations worldwide. Its Selenium/hub docker image has more than 100 million pulls on Docker Hub.

Though it's an internal tool by nature, tens of thousands of Selenium Grid servers are exposed on the Internet today. In turn, at least some hackers have deployed automated malware intended to hijack these servers for various malicious purposes.

To gauge the kinds of threats that face these untended servers, Cado Security recently launched a honeypot. As Al Carchrie, R&D lead solutions engineer for Cado Security, remembers, "We deployed the honeypot on a Tuesday, and then we started to see activity within 24 hours."

**Selenium Proxyjacking**

During the research period, two primary threats kept automatically trying to attack the honeypot day after day.

The first deployed a series of scripts, including one labeled "y," which dropped the open source networking toolkit GSocket. GSocket is designed to allow two users behind firewalls to establish a secure TCP connection. In this and other cases, though, threat actors used it as a means of command-and-control (C2).

Two scripts followed, "pl" and "tm," which performed various reconnaissance functions — analyzing system architecture, checking for root privileges, and other functions — and dropped the campaign's primary payloads: Pawns.app (IPRoyal Pawn) and EarnFM. Each of these are proxyware — programs that allow users to essentially rent out their unused internet bandwidth.

Though services like these are sold legitimately, hackers can easily weaponize them for their own purposes. Called "proxyjacking," it involves hijacking an unwitting Internet user's IP to use as one's own personal proxy server for further malicious activities or selling it to another cybercriminal.

"It allows people to hide behind legitimate IP addresses, and the reason for doing that is to try and bypass IP filtering that organizations would put in place," Carchrie explains. "So if you're using Tor to try and anonymize yourselves, organizations might blacklist Tor IP addresses from accessing their infrastructure. This gives them an opportunity. This is the first time I've personally come across proxyjacking being used as the end goal of a campaign."

**More Significant Threats to Selenium**

The second attack snagged by the honeypot was similar in its initial means of infection, but dropped a Golang-based executable and linkable format (ELF) binary. The ELF, in turn, attempted to use "PwnKit," a public exploit for CVE-2021-4043, an old, medium severity Linux privilege escalation bug (CVSS score 5.5).

Next, the malware connected to an attacker's C2 infrastructure and dropped "perfcc," a cryptominer. In this way, it paralleled a different, yearlong campaign revealed by Wiz back in July, which used Selenium Grid as a vector to deploy the XMRig miner.

As Ami Luttwak, CTO and co-founder of Wiz, explains, the same kind of attack can be used to do a lot worse.

"Remember, Selenium runs usually in test environments," he says. "Test environments have proprietary code, and many times from test environments you can actually get access back to either engineering environments or production. So this could be used by a more advanced attacker to start actually attacking the exposed organization."

**30,000 Publicly Exposed Servers**

Being an internal tool by nature, Selenium Grid does not have any authentication to barricade attackers from breaking in. Its maintainers have warned in documentation that it "must be protected from external access using appropriate firewall permissions."

In July, though, Wiz found around 15,000 updated but Internet-exposed Selenium Grid servers. Worse: More than 17,000 were both exposed to the Internet, and running outdated versions. (That number has since dropped below 16,000.) The vast majority of these were based in the US and Canada.

It was only a matter of time, then, before threat actors capitalized on the opportunity. The first documented sign of it was reported in a Reddit post.

"Selenium is built to be an internal service for testing," Luttwak emphasizes. "In most scenarios, it's not supposed to be publicly accessible. If it is, then there is a risk there you have to mitigate."

Carchrie advises, "If you need your Selenium Grid accessible via the Internet, we recommend that you deploy an appropriately configured authentication proxy server in front of the Selenium Grid application using multifactor authentication as well as username and passwords."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Hackers Proxyjack &amp; Cryptomine Selenium Grid Servers

With an immature codebase and a "rather chaotic encryption scheme" prone to failure, the group targets small businesses with custom malware.

Source: Mark Brandon via Shutterstock

A cybercriminal group — or individual — known as "CosmicBeetle" is exploiting vulnerabilities in technologies used by small businesses in Turkey, as well as Spain, India, and South Africa. The goal is to install ransomware that — unfortunately for victims — sometimes has glitches.

Likely based in Turkey, the ransomware attacker operates at a fairly "low level of sophistication" and is currently developing ransomware that demonstrates a "rather chaotic encryption scheme," according to analysis by Slovakian cybersecurity firm ESET. CosmicBeetle often deploys custom ransomware, dubbed ScRansom by ESET, that appears to be under active development with frequent updates and changes.

Because CosmicBeetle demonstrates immature skills as a malware developers, a variety of problems have affected victims of the threat actor's ransomware, says Jakub Souček, a senior malware researcher at ESET, who analyzed CosmicBeetle. In one case, ESET worked with a victim organization and found that the encryption routines executed multiple times on some of the infected machines, resulting in some data recovery failing.

"Seasoned gangs prefer to have their decryption process as easy as possible to increase the chances of correct decryption, which boosts their reputation and increases the likelihood that victims will pay," the report stated.

But for CosmicBeetle, "while we were able to verify that the decryptor — in its most recent state — works from the technical point of view, a lot of factors still come to play, and the more you need \[for decryption\] from the threat actor, the more unsure the situation," he says. "The fact that the ScRansom ransomware is still changing quite rapidly doesn't help."

The relative immaturity of the CosmicBeetle threat actor has led the group to embark on two interesting strategies, according to the ESET report. First, the group has attempted to imply connections with the infamous LockBit cybercriminal group as a way to, ironically, inspire trust in their ability to help victims recover their data. Second, the group has also joined the RansomHub affiliate program, and now often installs that ransomware rather than its own custom malware.

**Opportunistically Targeting SMBs**

To kick off its compromises, the CosmicBeetle group scans for and attempts to exploit a variety of older vulnerabilities in software typically used by small and midsize businesses, such as issues in Veeam Backup & Replication (CVE-2023-27532), which can allow unauthenticated attackers to access the backup infrastructure, or two privilege escalation vulnerabilities in Microsoft Active Directory (CVE-2021-42278 and CVE-2021-42287), which together allow a user to "effectively become a domain admin."

The group is likely not specifically targeting SMBs, but because of the software it targets for exploitation, smaller businesses make up the majority of its victims, Souček says.

"CosmicBeetle abuses quite old known vulnerabilities, which we expect more likely to be patched in larger companies with better patch management in place," he says, adding: "Victims outside of the EU and US, especially SMBs, are typically the result of immature, non-seasoned ransomware gangs going for the low-hanging fruit."

The targets include companies in the manufacturing, pharmaceuticals, legal, education, and healthcare industries, among others, according to ESET's report published on September 10.

"SMBs from all sorts of verticals all over the world are the most common victims of this threat actor because that is the segment most likely to use the affected software and to not have robust patch management processes in place," the report stated.

**Turkish Delight? Not So Much**

Turkey accounts for the most victimized organizations, but a significant number also come from Spain, India, South Africa, and a handful of other countries, according to data collected by ESET from the CosmicBeetle leak site.

While one firm has connected the threat actor to an actual person — a Turkish software developer — ESET cast doubt on the connection. Yet, with Turkey accounting for a larger share of infections, the group is probably from the nation or the region, Souček acknowledges.

"We could speculate that CosmicBeetle has more knowledge of Turkey and feels more confident choosing their targets there," he says. "As for the remaining targets, it is purely opportunistic — a combination of vulnerability of the target and it being 'sufficiently interesting' as a ransomware target."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Amateurish 'CosmicBeetle' Ransomware Stings SMBs in Turkey

The Institute for Security and Technology's UnDisruptable27 project connects technology firms with the public sector to strengthen US cyber defenses in case of attacks on critical infrastructure.

Source: Nico El Nino via Alamy Stock Photo

What would a worst-case scenario look like for your town? The power grid going out, leaving your community without electricity for days on end? Or a disruption to the local water supply? Or a cyberattack on the emergency medical response system and medical facilities, leaving people stranded, without access to care during life-threatening situations? 

These are the kinds of scenarios that UnDisruptable27 seeks to prepare for–cyberattacks against critical infrastructure in local communities across the United States–focusing on four principal areas: water and wastewater; emergency medical care and hospital services; food supply chains; and local power supplies. 

The program is led by the Institute for Security and Technology, a nonprofit think tank that seeks to connect the technology world and the public sector, and kicked off this summer with a pilot program, funded by a $700,000 grant from Craig Newmark Philanthropies as part of the organization’s Cyber Civil Defense initiative. The initial phase will focus on the nexus of water and emergency medical care. The project is spearheaded by Josh Corman, Executive in Residence at IST and co-founder of I am The Cavalry and CyberMedSummit. 

"Whether it’s food or shelter or warmth, everyone relies on infrastructure to live. Bad actors know that, too. This isn’t alarmism. It’s a very real threat our country faces today. It’s all our job to push governments and utilities and companies to be better on this stuff. That means extra work for maybe understaffed IT, and they can get very annoyed with me, okay if it helps prepare for the worst," Craig Newmark says. "In the meantime, I’m putting my money where my mouth is."

The project’s initial phase involves engaging stakeholders and listening to their concerns and limitations, whether they’re financial, technical or a combination of the two, says Megan Stifel, Chief Strategy Officer for the Institute for Security and Technology.

Like the scramble to prepare for Y2K, the UnDisruptable27 initiative benefits from having a tangible timeline, whether any specific threats materialize, Stifel says. 

The call-to-action was spurred by public hearings earlier this year where Congress and U.S. government cybersecurity leaders explored the potential threats to infrastructure posed by China’s Volt Typhoon group or other state-sponsored actors. The project's goal is to make critical infrastructure supporting basic human needs "undisruptable" by 2027. 

"We are seeing more disruptions, larger disruptions, longer disruptions, and more public life- and safety-affecting disruptions. And that's not okay. That trajectory is unsustainable," says Corman. He calls areas like water and power delivery systems and other infrastructure "target-rich and cyber-poor," meaning they represent a massive attack surface, yet lack the resources to adequately protect themselves from cyberattacks. 

"If we see hybrid conflict on top of the disruption trend that we already see, the average citizen is not prepared," Corman says. "We don't want panic and we don't want preppers, but what we do think is no one should be blindsided or surprised by this, and we can make choices between now and an era of potential heightened geopolitical context or conflict context."

To help stress the need and get the public onboard, UnDisruptable27 is taking a page from the natural disaster preparedness playbook and leveraging communications strategies and narrative to influence communities to prepare. 

"We really haven't reached the public, and that's why the public continues to be disrupted and surprised every time there's a Crowd Strike or NotPetya or an Ascension Health," Corman says. "So we're going to go down to meet owners and operators of these critical infrastructure sectors, municipal leadership in the last mile in these communities, and possibly, and probably even citizens directly for this education campaign. And what that means is we have to meet them where they are."

The group chose to initially focus on the intersection of water and health care because it’s already in the public eye, according to Corman. 

One potential resource for local communities could come in the form of help from the Consortium of Cyber Security Clinics, a network of university-based clinics that train students to do direct engagement with under-resourced organizations who need help regarding their cybersecurity maturity. While in its early phases, Corman and UnDisruptable27 will identify areas of need and connect with municipalities and utilities. In later stages, the group hopes to partner with the clinics to connect those needing help with resources. 

Smaller organizations in local communities are incredibly vulnerable, says Sarah Powazek, Program Director of Public Interest Cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity. These under-resourced communities can provide very attractive targets for cyber attackers, and projects like UnDisruptable27 have the potential to have significant impact.

“I think that the most important institutions to protect aren't always the largest. I think we're really missing this network of care at the community level. And I think we're missing a strategy to help them protect themselves in a long term sustainable fashion. And I think that the UnDisruptable project is going to be one of many initiatives that is needed to help serve these institutions,” Powazek says.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

UnDisruptable27 Project Wants to Shore Up Critical Infrastructure Security

The latest step in a journey to serve cybersecurity professionals in other regions of the world.

Source: End ru99 via Shutterstock

As part of Dark Reading's mission to bring in-depth news coverage to more and more parts of the world where cybersecurity professionals live and work, today we are officially launching a new section dedicated to the Asia-Pacific region.

The Asia Pacific section can be found in Dark Reading Global (aka DR Global), a mini-site within Dark Reading that delivers trusted, informed, and unique news and analysis to cybersecurity professionals around the world, with an initial focus on the burgeoning cybersecurity market and community in the Middle East and Africa.

This latest expansion of DR Global didn't happen overnight. Over the past year or so, we have gradually begun reporting on news specifically affecting cybersecurity pros in the Asia-Pacific region. Like the MEA, many nations in the massive Asia-Pacific region are experiencing rapid-fire digital transformation that is driving a critical need for cybersecurity resources, expertise, and products and services for cyber defenses. As nations within those regions build out and invest in their technology infrastructures, cyber-threat actors are increasingly targeting them with ransomware, cyber espionage, and other cyber threats.

In keeping with Dark Reading's core editorial mission, the new Dark Reading Global Asia Pacific section will provide cybersecurity professionals in that region and worldwide with the best and most in-depth cybersecurity information and trends in order to help them stay up to date, and ideally, ahead of the latest cyber threats.

If there are topics you'd like to see covered in DR Global’s Asia Pacific and Middle East & Africa regions, or if you have news tips you would like to share with our editors, please ping us at \[email protected\].

We want to hear from you and get your feedback.

**About the Author**

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Dark Reading Expands Its Coverage to the Asia-Pacific Region

Business intelligence firm Gartner labels security orchestration, automation, and response as "obsolete," but the fight to automate and simplify security operations is here to stay.

Source: Screenshot of Gartner Chart via Robert Lemos

What Gartner giveth, Gartner can take away.

Seven years ago, analysts at the business intelligence firm coined the term "security orchestration, automation, and response" (SOAR) to describe what they considered a new class of products: integrated security operations that could not only detect threats and issues, but also use playbooks to augment incident responders' efforts and, eventually, completely automate the response.

No wonder, then, that Gartner's labeling of the technology two months ago as "obsolete before plateau" — meaning the category has stalled before becoming a well-established IT tool — created a kerfuffle. Customers inundated the firm with questions on what the designation implied. Vendors in the security automation sector were more blunt.

Any suggestion that SOAR is dead is "the dumbest thing I've ever heard — absolutely asinine," says James Brear, CEO of Swimlane, a provider of security operations automation. "If you just remove the \[term\] SOAR and added the word automation, \[then the assertion\] sounds ridiculous. It's kind of like saying that AI is going away."

SOAR is not the first technology to be assigned Gartner's dreaded "Hype Cycle" designation. In 2022, data meshes became obsolete before reaching the plateau — more formally, the "Plateau of Productivity." In 2020, Gartner slapped the label on demand-driven material requirements planning, a supply chain management approach. Ditto for broadband over powerlines in 2010.

"This premature obsolescence typically results from the emergence of a competing technology — for example, analog high-definition TV gave way to digital high-definition TV," Gartner stated in an explanation of its Hype Cycle model.

In the latest case, labeling SOAR as obsolete comes as the components of the product category have become subsumed by other products and services, while automation is increasingly an expected feature, says Eric Ahlm, senior director analyst at Gartner. Security operations centers (SOCs) required orchestration as a standalone feature to integrate disparate products into a single hub for operations, the analyst explains, and as corporate customers sought out simplified operations, vendors further integrated their services to consolidate SOAR with other products and services.

A parade of mergers and acquisitions highlights the trend. Palo Alto Networks bought Demisto in 2019 and acquired QRadar from IBM earlier this year. Rapid7 bought SOAR firm Komand back in 2017, and SumoLogic acquired DFLabs in 2021.

"There's a lot of different ways to add automation — an efficiency boost or increase scale through automation — without going out and buying a standalone, dedicated SOAR platform," Ahlm says. "That's really what we're calling out — not the end of automation or that it's a dead-end concept — but the field of vendors who sell nothing but dedicated platforms for automation, I don't think ... have a very lively future."

**Wanted: A Simplified Security Hub**

Most companies want a single hub for all of their security information, from which they can manage incidents, conduct investigations, and respond to threats. SOAR was originally envisioned to be that central hub, but strong integration between products, better automation, and a focus on visibility means that other products can now fill that role.

In other words, the central hub does not have to be SOAR. Increasingly, the choice of security operations platform depends on where a business starts out and what core platform it believes delivers most value, Ahlm says. Both extended detection and response (XDR) and security event and information management (SIEM) platforms, for example, are increasingly a security focal point for companies.

The features of SOAR — the integration, visibility, and automated response — have migrated to a variety of security products, says Chas Clawson, field CTO at Sumo Logic, a provider of automated security operations platforms.

"It shows the maturity of the security operations world, when something as critical as automation becomes kind of table stakes, and every solution has to have some flavor of automation," he says. "It's probably long overdue \[because of the\] pain ... from the defender side — analyst burnout and swivel-chair syndrome ... \[from which\] we really need some reprieve."

Sumo Logic has its own SOAR product — Cloud SOAR — which focuses on integrating data streams from different IT devices, security products, and cloud services, along with automation for security operations.

**Still a Strong Case for Better SOAR**

Yet another company behind SOAR is cybersecurity firm Palo Alto Networks, which has doubled down on security automation. The company's security operations center ingests 36 billion events per day — a volume of more than 75 terabytes — with only 10 human analysts. In its use case, the company says its Cortex XSOAR automates the work of 16 analysts and reduces time spent on manual actions by 90%.

"By standardizing and automating time-consuming, manual tasks, SOAR solutions dramatically reduce time spent on incident response," says Gonen Fink, senior vice president of Palo Alto Networks' Cortex and Prisma Cloud products. "While many stand-alone security products will continue to integrate some level of automation, SOAR solutions provide more robust capabilities, orchestrating and automating various actions across an organization's technology stack."

Swimlane has also focused on automating security tasks and incident response, typically for larger companies such as the Fortune 2000. Founded in 2014 — three years before Gartner reportedly created the modern term SOAR — the company's approach is to gather data from all of the IT devices and intelligence from security products and then automate the response to any identified incidents, says Swimlane's Brear.

"The genesis \[of the company was\], 'How can we make the SOC better?'" he says. "If you go back in time, there were a bazillion different tools that the SOC guys were looking at — it's complicated to try to get visibility."

For those reasons, a standalone SOAR platform is a necessary and reasonable approach to security for many companies — and far from obsolete — but customers will continue to need better integrations with common technologies, such as Microsoft and managed detection and response (MDR) platforms, according to analyst firm Omdia.

"Users of security technologies want to have solutions that are easy to use, require minimum training, and can integrate easily," says Elvia Finalle, senior analyst at Omdia. "SOAR vendors will have to continue to adapt to platforms and expand their compatibility with other vendors and solutions."

**AI + Automation = Security Evolution**

While the core use case for SOAR remains strong, the combination of artificial intelligence, automation, and the current plethora of cybersecurity products will result in a platform that could take market share from SOAR systems, such as an AI-enabled next-generation SIEM, says Eric Parizo, managing principal analyst at Omdia.

"SOC decision-makers are \[not\] going out looking to purchase orchestration and automation as much as they're looking to solve the problem of fostering a faster, more efficient TDIR \[threat detection, investigation, and response\] life cycle with better, more consistent outcomes," he says. "The orchestration and automation capabilities within standalone SOAR solutions are intended to facilitate those business objectives."

AI and machine learning will continue to increasingly augment automation, says Sumo Logic's Clawson. While creating AI security agents that process data and automatically respond to threats is still in its infancy, the industry is clearly moving in that direction, especially as more infrastructure uses an "as-code" approach, such as infrastructure-as-code, he says.

The result could be an approach that reduces the need for SOAR.

"When you have this Copilot technology — you've heard the term 'agentification,' \[where\] you've got this agent at your disposal that can do anything that you want — it dilutes the value of SOAR," Clawson says. "Because AI can be an expert coder and developer, and it has access to every API and all the documentation, you can almost just start to interact with systems in a more humanlike way."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

SOAR Is Dead, Long Live SOAR

PRESS RELEASE

SAN FRANCISCO, Sept. 10, 2024 /PRNewswire/ -- appCD, the generative infrastructure from code company, today announced the close of its $12.3M seed round, its new identity as StackGen, and the appointment of Arshad Sayyad as Chief Business Officer. The round was led by Thomvest Ventures, with existing investors, FireBolt Ventures, WestWave Capital, and Secure Octane participating. StackGen will utilize the funding to accelerate product development, enhance its go-to-market strategy, and fuel company growth.

"StackGen represents the next evolution of our commitment to revolutionizing infrastructure from code," said Sachin Aggarwal, Co-founder and CEO of StackGen. "The funding will enable us to meet the growing demand from enterprise customers as we continue to deliver on our vision for the future of infrastructure from code. Our new name encapsulates this vision and mission to provide seamless, full-stack infrastructure solutions that enhance the developer experience and enforce industry standards, while embracing generative AI."

As stated in the Gartner® Hype Cycle™ for Platform Engineering, 2024, "The plethora of cloud infrastructure services across multiple cloud providers makes it difficult for platform engineers and developers to manage infrastructure change at the same pace as application code. Therefore, much like software engineers are productive working with higher-level abstractions using object-oriented programming languages with reusable modules, platform engineers seek similar benefits for improving their productivity and simplifying infrastructure delivery. IfC merges infrastructure and application code into a common programming model and a common programming language. IfC improves development and infrastructure agility by enabling infrastructure to change at the same pace as applications — developers focus on business logic and application architecture while infrastructure code is auto-generated based on organizational standards."

"Ensuring governance and consistency in deployments is crucial. StackGen provides default standardization, embedding consistency, security, and policy guardrails seamlessly into cloud deployments for enhanced application reliability," said Arvind Gidwani, CTO, SAP NS2. "StackGen is providing the necessary compliance and cloud automation at scale to help drive digital transformation."

"I am thrilled to be an investor and board member at StackGen, partnering with repeat founder and CEO Sachin Agarwal and his cofounders, Asif Awan and Arshad Sayyad," said Umesh Padval, Managing Director, Thomvest Ventures. "StackGen is revolutionizing the DevOps market with its Infrastructure from Code platform driving 10x productivity gains for DevOps and SecOps. The strong team, massive market opportunity along with differentiated and easy to use technology met the criterion of our thesis driven investments."

The rebranding to StackGen reflects the company's commitment to providing comprehensive infrastructure solutions that span the entire technology stack.

StackGen has expanded its leadership and go-to-market team with the appointment of Arshad Sayyad, former President of Fidelity Investments India and Managing Director at Accenture, Danielle Cook, CNCF Ambassador and ex-Fairwinds and Ondata, and Lauren Rother, ex-HashiCorp. 

StackGen launched its Dev Edition in March, and has already seen significant interest, with developers rapidly signing up to utilize its cutting-edge solutions. This early success underscores the growing demand for innovative infrastructure from code technologies and sets the stage for continued growth and market penetration.

Gartner, Hype Cycle for Platform Engineering, 2024, Manjunath Bhat, Bill Blosen, 19 June 2024

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, HYPE CYCLE are a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About StackGen  
Founded in 2023 by serial entrepreneurs Sachin Aggarwal and Asif Awan, StackGen (formerly appCD) automatically generates Infrastructure from Code (IfC) based on application code with golden standards applied. Unlike manual Infrastructure as Code (IaC) creation or "golden templates" that quickly become outdated, StackGen generates IaC automatically from the application code, without requiring any code changes, and applies preset standards. StackGen provides seamless, full-stack infrastructure solutions that enhance the developer experience and enforce industry standards. Built for platform engineers and DevOps teams tasked with improving the developer experience and enforcing standards, StackGen reduces software development lifecycle (SDLC) bottlenecks, minimizes liabilities, and eliminates cognitive overload. StackGen is backed by notable venture capital firms Thomvest Ventures, WestWave Capital, FireBolt, and Secure Octane. For further information, please visit www.stackgen.com.

About appCD  
Founded in 2023 by serial entrepreneurs Sachin Aggarwal and Asif Awan, appCD automatically generates Infrastructure from Code (IfC) based on application code with golden standards applied. Unlike manual Infrastructure as Code (IaC) creation or "golden templates" that quickly become outdated, appCD generates IaC automatically from the application code, without requiring any code changes, and applies preset standards. Built for platform engineers and DevOps teams tasked with improving the developer experience and enforcing standards, appCD reduces software development lifecycle (SDLC) bottlenecks, minimizes liabilities, and eliminates cognitive overload. appCD is backed by notable venture capital firms Thomvest Ventures, WestWave Capital, FireBolt, and Secure Octane. For further information, please visit www.appCD.com.

AppCD Closes $12.3M Seed Round and Rebrands to StackGen

PRESS RELEASE

Xiphera, Ltd, a Finnish company designing and implementing hardware-based security solutions, announces a project for developing quantum-resilient Authenticated Boot and Hardware Root of Trust solutions for space-grade semiconductor architectures.

Authenticated Boot and Hardware Root of Trust solutions ensure trust in the digital hardware components and system configurations in space and satellite infrastructures.  Xiphera’s implementations are based on hybrid cryptography – a combination of traditional and Post-Quantum Cryptography (PQC) – thus ensuring the security of the system throughout its life cycle. 

The development project is partially financed by the European Space Agency, as part of its General Support Technology Program (GSTP). The solutions have been designed in close co-operation with Frontgrade Gaisler, a leading Swedish developer of space-grade electronics. Authenticated Boot is planned to be integrated into Frontgrade Gaisler’s space-grade GR765 processor.

The Authenticated Boot and Hardware Root of Trust technologies are productised for general availability in Xiphera’s nQrux® family of Hardware Trust Engines – highly optimised and customisable security solutions for FPGAs and ASICs. The first released product is nQrux® Secure Boot, available immediately for semiconductor and equipment vendors in space technology and other industrial and critical infrastructure sectors.

“The ESA project will increase European digital sovereignty and resilience both in the supply chain and underlying technology. Our IP cores have always been secure by design, and the complex solutions developed in this project require careful system design methodology” says Petri Jehkonen, Xiphera’s Director of Strategic Programs. “In addition to delivering first class cryptographic algorithms and security protocols, the technology we develop must be compatible with space-grade ASIC manufacturing processes. Xiphera’s solutions are designed in pure digital logic without any hidden software components. This benefit is emphasised particularly in space-grade applications, where software components typically require significantly more complicated validation and certification paths.”

“The integration of Xiphera technology in our next-generation GR765 octa-core SoC provides the foundation to build systems that are resilient against cybersecurity threats” says Jan Andersson Nerén, Director of Engineering at Frontgrade Gaisler. “This collaboration allows our customers to meet stricter requirements while minimising impact on development effort. It also allows them to tackle both present and future challenges, including those posed by quantum computing.”

“Security elements are required today in most space systems. Sensitive elements uploaded over the air, such as software, FPGA bitstreams and telecommands need to be authenticated. Mission data, if confidential or of commercial value, must be encrypted. We are looking forward to working with Xiphera to develop quantum-resistant secure IP cores for space processing chips, namely microprocessors and FPGA” says Roland Weigand from Microelectronics Section at ESA. 

About Xiphera

Xiphera, Ltd, designs and implements hardware-based security using proven cryptographic algorithms. Our strong cryptographic expertise and extensive experience in digital system design enable us to help our customers to protect their most valuable assets.

We offer secure and highly optimised cryptographic Intellectual Property (IP) cores, designed directly for Field Programmable Gate Arrays (FPGAs) and Application Specific Integrated Circuits (ASICs) without software components. The broad, fully in-house designed, and up-to-date portfolio, including implementations of Post-Quantum Cryptography, enables cost-effective development projects with fast time-to-market – providing peace of mind in a dangerous world.

Read more: www.xiphera.com

About Frontgrade Gaisler

Frontgrade Gaisler, a Frontgrade Technologies company, is a leading global provider of radiation-hardened microprocessors and IP cores for criticalapplications, particularly in the space industry. The company’s highly integrated SoC processors are known for their reliability, fault tolerance, and radiation tolerance, making them ideal for any space mission or other high-reliability application. Find out more about space computing at www.gaisler.com.

About ESA

The European Space Agency (ESA) is Europe’s gateway to space. Its mission is to shape the development of Europe’s space capability and ensure that investment in space continues to deliver benefits to the citizens of Europe and the world. ESA is an international organisation with 22 Member States. By coordinating the financial and intellectual resources of its members, it can undertake programmes and activities far beyond the scope of any single European country.

https://www.esa.int

Xiphera Develops Quantum-Resilient Hardware Security Solutions for Space

PRESS RELEASE

Darktrace plc (DARK.L), a global leader in cybersecurity AI, announces Poppy Gustafsson will step down as Chief Executive Officer (CEO) with effect from today and Jill Popelka, Darktrace's current Chief Operating Officer (COO), has been appointed as her successor. Jill will assume the role of CEO and will also be appointed to the Darktrace Board of Directors with effect from today.

Jill has more than two decades of experience of driving operational best practices and maturing teams, systems and processes for fast-growing businesses. She previously held senior leadership roles at leading global technology businesses, including Accenture, Snap Inc and SAP SuccessFactors, one of the largest enterprise cloud businesses in the world, which she led as President. Jill joined Darktrace in January 2024 as a Non-Executive Director, before assuming her current role of COO at Darktrace on 1 June 2024.

Poppy Gustafsson, outgoing CEO of Darktrace, said: "Darktrace has been a huge part of my life and my identity for over a decade and I am immensely proud of everything we have achieved in that time. Together we have revolutionised the marketplace for cyber security and brought our AI-powered technology to almost 10,000 customers around the world, keeping them safe from cyber disruption.

This challenge has required tremendous personal and professional commitment from me. With the acquisition of Darktrace by Thoma Bravo nearing its completion and with us having identified an excellent successor in Jill, now is the right time to hand over the reins so Jill can lead Darktrace through its transition into private ownership and beyond. I am profoundly grateful to have had the privilege of leading such an exceptional team and I look forward to remaining engaged in this exciting next chapter of the business as a non-executive director after the transaction completes. I remain Darktrace's number one fan."

Gordon Hurst, Chairman of Darktrace, said: "Poppy is a remarkable leader who has grown and nurtured one of the UK's proudest technology success stories. Under Poppy's stewardship, the business has transformed from a promising collaboration of AI and intelligence experts to a high-growth global leader in cyber security. This has been reflected in the significant value Darktrace has created for its shareholders under Poppy's leadership since its IPO in 2021 and through the acquisition by Thoma Bravo, one of the world's leading investors in software businesses.

"Jill is a proven and highly regarded leader in global technology businesses who has contributed immensely to the Board and more recently in her role as COO. With Poppy stepping down, the Board has implemented its CEO succession plan and is delighted that Jill has accepted the role of CEO. She has the deep sector experience, people leadership skills and energy and passion to lead Darktrace into the next stage of its journey."

Jill Popelka, incoming CEO of Darktrace, said: "Poppy and the team have built something very special. The potential of Darktrace is enormous - our technology has never been more critical to organisations around the world and our AI-native capabilities position us at the forefront of the ever-changing cyber security market. We have an outstanding platform offering, a broad base of customers across the globe, and some of the most talented people working in technology, not least our remarkable R&D teams based in Cambridge and The Hague.  I am excited to partner with the whole Darktrace team to take advantage of the many opportunities we have ahead of us as we embark on this next phase of our journey." 

Andrew Almeida, Partner at Thoma Bravo, said: "We are fully supportive of Poppy and the Board's succession plan. Jill is the perfect leader to build on Poppy's tremendous legacy at Darktrace as it embarks on this next phase of its life given her immense experience of scaling and maturing fast-growing businesses. She cares deeply about people, about serving customers and about creating a company with a sense of mission and purpose at its core. We look forward to working with Jill and the wider team to help elevate Darktrace's place as the essential cybersecurity platform for the changing threat landscape."

The acquisition of Darktrace by Thoma Bravo continues to progress as anticipated. All antitrust and regulatory approvals have now been received, with the exception of one foreign regulatory approval, which is currently anticipated by 28 September 2024. Per the transaction timetable, Darktrace will seek the UKcourt's sanction of the transaction as soon as this final regulatory approval has been received, with the closing of the transaction expected shortly afterwards.  

This announcement is made in accordance with the notification requirement in UKLR 6.4.6R and there are no other disclosures that need to be made under UKLR 6.4.8R relating to the appointment of Jill Popelka.

Poppy Gustafsson to Step Down As CEO of Darktrace; Jill Popelka Appointed Successor

A veritable grab bag of tools used to access critical infrastructure networks are wildly insecure, and they're blobbing together to create a widening attack surface.

Source: Agencja Fotograficzna Caro via Alamy Stock Photo

The exploding demand for remote access into today's industrial control systems (ICS) and operational technology (OT) systems has created a nebulous, Internet-connected attack surface that's too attractive for cyberattackers to ignore. And cleanup is not going to be a simple affair.

Far too many ICS networks are being accessed by employees, partners, suppliers, and customers using a slapped-together mousetrap of tools, leaving these environments woefully exposed while connected to the Internet, according to researchers.

In a new analysis, Claroty's Team82 looked at 50,000 individual remote access-enabled devices running on industrial networks with dedicated OT hardware, and found 55% to have at least four remote access tools (RATs) in their environments. A full third (33%) reported using six or more RATs. Some organizations reported using up to 16 different of them.

Industries represented in the examples examined by the Team82 researchers included pharmaceuticals, consumer goods, food and beverage, automotive, oil and gas, mining, and manufacturing — many of which are considered critical infrastructure sectors.

"Within critical infrastructure, there is sometimes a bigger physical risk associated with a breach, depending on the jeopardized device," says Tal Laufer, Claroty's vice president of products, secure access. "That being said, all organizations with this type of tool sprawl are at risk, since it can create security gaps in their networks for threat actors to exploit."

Making matters even more complicated for cybersecurity teams, the Team82 report found that 79% of the organizations they surveyed have more than two remote access management tools in their environment that don't meet basic enterprise-grade security standards.

"Most of these tools lack the session recording, auditing, and role-based access controls that are necessary to properly defend an OT environment," the Team82 report said. "Some lack basic security features such as multi-factor authentication (MFA) options, or have been discontinued by their respective vendors and no longer receive feature or security updates."

**Cyberattackers Notice Sprawling OT Remote Access Attack Surface**

Adversaries are already well aware of the malicious possibilities that these remote access tools unlock — and have been for several years.

Laufer notes that several massive breaches in recent years have been the result of misconfigured remote access tools, including Colonial Pipeline in 2021 and Change Healthcare earlier this year.

As far back as 2020, analysts at Kaspersky warned about the risk of cyberattacks against remote access tools like TeamViewer and RMS to breach ICS environments. And in January 2023, CISA joined with the NSA to issue a warning that adversaries were launching widespread campaigns against remote management systems like AnyDesk to breach federal agencies.

Those warnings have played out: A threat actor was discovered attempting to drop XMRing cryptominer malware using TeamViewer in May 2023. Likewise, the remote access tool TeamViewer was targeted in failed attempts to compromise systems by LockBit 3.0 ransomware group in early 2024. Similarly, remote access tool production systems were compromised at AnyDesk last February, forcing the vendor to revoke all of its security clearances and reset all Web portal passwords.

Despite these warnings, ICS/OT operators are in a particularly tough spot without a clear path toward protecting themselves. The Team82 findings demonstrate how the sheer number of these tools can easily pile up within an environment, creating an ever-creeping blob of remote access surface area ripe for adversaries to probe for success. As the report detailed, each tool brings along with it its own supply chain weaknesses, often including a lack of basic, best-practice security features like MFA, auditing, and session recording.

Compounding the issue is a basic lack of monitoring, detection, and policy control tooling that works across disparate remote access systems, leaving them open to misconfigurations, as messy policy and control management, the report added.

The report added that managing all these various RATs, and the hardware behind them, is an expensive operational proposition.

**OT Remote Access Cleanup**

Unsurprisingly, the first step on the path to securing remote access for ICS/OT networks is to get a full inventory of the tools that provide access to OT assets, according to the report.

"A critical first step is ensuring you have complete visibility into your organization’s OT network to understand how many and which solutions are providing access to OT assets and industrial control systems (ICS)," Laufer explains.

Next, those solutions that don't meet basic enterprise cybersecurity requirements need to go — pronto.

"From there, engineers and assets managers need to actively eliminate or minimize the use of low-security remote access tools in the OT environment — especially taking into consideration those with known vulnerabilities or those lacking essential security features such as MFA," the researcher stresses.

It's also crucial to develop and require baseline security standards across the organization's supply chain. "Beyond this, security teams should also govern the use of remote access tools connected to OT and ICS," Laufer says. "This can help with alignment of security requirements and expansion of those requirements as needed throughout third parties within the supply chain."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

Source

DARKReading