The purchase gives IBM access to a new category of products called "data security posture management" for security data in cloud and SaaS repositories.

IBM's purchase of Polar Security for an undisclosed sum on May 16 has focused attention on an emerging market space that, until recently, didn't even have a formal name associated with it.

Polar is among an increasing number of startups — many based in Israel — that offer a new class of tools, built to accomplish "data security posture management (DSPM)." They help organizations discover, monitor, and secure sensitive data across hybrid and multi-cloud environments. To that end, IBM will integrate Polar's technology with its Guardium portfolio of data security products. 

The Polar acquisition is the company's fifth so far this year.

**Data Classification in the Cloud**

The key selling point of products from Polar and companies like it, is their ability to automatically classify discovered data in these environments (in addition to monitoring user access and discovering threats to the data) — so security teams can protect it better. Many of the technologies, including Polar Security's DSPM platforms, are agentless and have the claimed ability to automatically discover sensitive data in minutes and to classify them into categories such as PII, PHI, and PCI.

Gartner, which gave the category its name last year, describes DSPM products as enabling organizations to discover shadow data — structured and unstructured — in repositories across cloud service providers, data lakes, and SaaS environments. The analyst firm has predicted that more than 20% of organizations will deploy a DSPM capability by 2026 because of "urgent requirements to identify and locate previously unknown data repositories and to mitigate associated security and privacy risks.”

IBMs purchase of Polar gives the company immediate access to technology that will help it compete in the market segment with a growing number of pureplay vendors, and vendors expanding into the space from other markets such as cloud security posture management and cloud DLP. Examples of pureplay DSPM vendors include Laminar, Cyera, and Dig, while Wiz, Varonis, Orca — and now IBM — are all vendors that have added DSPM to their technology portfolio over the past year.

**A Vibrant DSPM Market**

Richard Stiennon, chief research analyst at IT-Harvest, says his firm currently tracks over a dozen vendors in the market. "DSPM is a vibrant space with at least 16 players," Stiennon says. 

Polar, which launched in 2021, was in the middle of the pack with about 30 employees at time of purchase he notes, adding, "IBM Tech Fund had participated in the $8 million seed funding, so they have had visibility into Polar for at least 16 months." Among the larger vendors in the space are Wiz, Laminar with about 95 employees, and Cyera with a headcount of some 75, Stiennon says.

A lot of the enterprise interest in the space stems from growing concerns over data exposure in cloud and SaaS environments. Just like shadow IT is a problem, shadow data — or sensitive data in cloud databases, AWS S3 buckets, and other repositories stored across multiple environments — has become a real and pressing problem for many organizations.

"Sensitive data discovery and classification has become a top priority \[for organizations\]," says Justin Lam, an analyst with S&P Global Market Intelligence. A recent survey of technology decision makers that the analyst firm conducted showed that for many organizations, DSPM has become a top technology priority for 2023, he adds. 

"A lot of enterprises are waking up to the fact they need to find out what data they have in the cloud," Lam says. "How do I find out what it is, how risky it is, what kind of non-public info is out there in the cloud. These are all huge concerns."

**IBM's Cloud Security Investment: Triggering a Landgrab?**

Analyst firm Omdia expects the IBM acquisition of Polar to push other technology heavyweights into the space as well. As has often been the case with new technologies, a lot of the initial proponents of DSPM are startups. But that could change quickly as bigger players move into the space. 

"We have seen such landgrabs before — in data leak prevention in the mid-2000's, cloud access security brokers in the mid-2101's, and cloud security posture management later in the last decade," says Rik Turner, analyst with Omdia.

Turner describes the DSPM market as still largely immature or moving just beyond that phase. To date, it has been all about startups, many of them from Israel, raising early rounds of venture capital money and starting to evangelize about DSPM. Until Gartner came up with a name for the category, many of the players in the space were positioning themselves as providing cloud data posture management and DSPM together, he says.

IBM's purchase has raised the profile of DSPM as a technology and potentially puts other cyber industry majors in the market to buy one of Polar's competitors. Already, there are some rumors that Laminar is in talks with a potential buyer or two, Turner says. 

"Now, alongside the startups, we have not only Big Blue jumping in but also CSP vendors like Orca and Wiz, both of whom are adding some DSPM capabilities," Turner notes. "It may be too early to see IBM's acquisition of Polar as the tipping point, but if Laminar does indeed go to one of the bigger beasts, the land grab really will have begun."

IBM's Polar Buy Creates Focus on a New 'Shadow Data' Cloud Security Area

Techniques used in cyber warfare can be sold to anyone — irrespective of borders, authorities, or affiliations. We need to develop strategies to respond at scale.

The Russia-Ukraine war has taught us a lot about cyber warfare. After all, it's the first time ever that a world-class cyber power is simultaneously engaged in a kinetic war. But before we can fully grasp the lessons that have surfaced over the past year, we first have to understand what role cyber plays as part of active kinetic warfare, as well as the criteria that determines its effectiveness.

**Breaking Down Cyber in Warfare**

The main roles of cyber in warfare include: 1) espionage, 2) sabotage, 3) propaganda, and 4) disruptions usually caused by distributed denial-of-service (DDoS) attacks targeting government, electrical, and economic/financial institutions. I believe cyber warfare is two parts information warfare using cyber tactics and techniques and one part cyber warfare with actual destruction.

Cyberattacks with strategic or military implications can include the manipulation of software, data, knowledge, and opinion to degrade performance and produce political or psychological effects. Introducing uncertainty into the minds of opposing commanders or political leaders is a calculatable military objective. Manipulating public opinion to damage an opponent's legitimacy and authority in both domestic and international audiences also is valuable. Some actions may provide only symbolic effect aimed at a domestic audience, but this too is valuable for a nation at war.

So, how can we judge the effectiveness of cyber warfare attacks? My more than two decades of experience serving as an FBI agent taught me that the criteria for success in deploying cyber offensive tactics lies across five areas:

*   Creating chaos
*   Collecting intelligence
*   Driving narratives to shape opinions (disinformation)
*   Inflicting damage to data or ecosystems
*   Stealing/exfiltrating victim data for extortion and/or sale to criminal data brokers

**Cyber Warfare in the Russia-Ukraine Conflict**

Russia has largely been cited as an "aggressor" in its conflict with Ukraine. But it is important to remember that because cyber knows no boundaries, any country or hacktivist group can join the battle with impunity — it is one of the ways cyber is fundamentally different from traditional warfare, and a dynamic that both sides have benefited from and been victimized by.

Russia holds a broad definitional concept of information warfare, which includes intelligence, counterintelligence, deceit, disinformation, electronic warfare, debilitation of communications, degradation of navigation support, psychological pressure, degradation of information systems, and propaganda.

As used by the Russian military, cyber power is a key facet of hybrid warfare and is an important enabler in the Russian political strategy to oppose NATO's expansion and cohesion. Cyberattacks can be targeted specifically toward and with the purpose of eliminating key networks but also can be used as a tool to intensify the fog of war by sowing confusion within command-and-control networks. If local political and military leaders can't get ahead of and develop an accurate estimate of quickly developing events, critical hours or even days can be gained with which an adversary can create facts on the ground that cannot easily be reversed. As part of its military campaign, Russia used myriad cyberattacks against computers in Kyiv, Poland, the European Parliament, and the European Commission prior to rolling tanks across the Ukraine border.

Here are just a few examples of cyber warfare tactics used in the Russia-Ukraine conflict:

*   The Russians targeted Viasat, a US satellite communications company that provided support to the Ukrainian military, with malware designed to erase its data before disabling it. The Russians did not limit the malware's scope, and it affected other ground satellite components, causing hundreds of thousands of people outside of Ukraine to lose electrical power and Internet connection.
*   A cyberattack against the City Council of Odessa, a major Ukrainian port city situated on the Black Sea, was timed to coincide with a cruise missile attack that was meant to disrupt Ukraine's response to Russian forces attacking in the south.
*   Cyberattacks also have been launched against many parts of Ukraine's infrastructure and government and civilian networks, including hospitals.
*   Ukrainian military units have created bogus dating websites for Russian soldiers, coupled with social media platforms, to lure Russian troops to use their personal mobile devices — at which point Ukrainian troops triangulate their location so they can use a drone to drop a bomb on their geolocated positions.

Even though Russia is considered one of the most dangerous cyber-nation-state actors, the use of cyber warfare tactics against Ukraine leading up to and currently during their one-year-old unprovoked war shows that offensive cyber techniques, when used as a separate warfighting domain, does not necessarily offer magic solutions and miraculous shortcuts to achieving strategic military goals. Similar to when the Russian Army deployed cyberattacks against Georgia in 2008 and Syria after that armed conflict, when the Russia-Ukraine war ends, we will have another example for history to judge the effectiveness of Russian cyber-enabled warfare.

**Lessons Learned So Far**

Cyber warfare is real, and it is playing out in various theaters across the world — some visible, as in the Russia-Ukraine conflict, and others behind-the-scenes. There will be many lessons learned from these actions, but here are a few takeaways we have so far:

*   The effects of cyberattacks are difficult to contain when not coupled with kinetic military activity. The effects most always extend far beyond the intended target and can be used more as a strategic weapon as opposed to a tactical or precision weapon.
*   Attribution of cyberattacks is difficult and more easily denied. Cyber warfare sits in a gray zone, as it can be used by state and non-state actors, with fewer inhibitions than kinetic strikes.
*   With the use of non-state or patriotic proxies, cyberattacks are less manpower-intensive than kinetic attacks but certainly require more skills to prepare and execute and can be just as devastating to the victim's infrastructure.

There is no question that cyber power is being wielded as a strategic weapon alongside the use of kinetic force in the Russia-Ukraine conflict. And cyber warfare allows power and force to be democratized and sold on the Dark Web, available to anyone with technical skills — irrespective of borders, authorities, or affiliations. Because of this, we must start to think ahead of the threat and develop strategies to respond to these challenges at scale.

Cyber Warfare Lessons From the Russia-Ukraine Conflict

**Woburn, MA – May 19, 2023 –** Kaspersky researchers have provided further details on the CommonMagic campaign, which was first observed in March targeting companies in the Russo-Ukrainian conflict area. The new research reveals more sophisticated malicious activities from the same threat actor. The investigation identified that the newly-discovered framework has expanded its victimology to include organizations in Central and Western Ukraine. Kaspersky experts have also linked the unknown actor to previous APT campaigns, such as Operation BugDrop and Operation Groundbai (Prikormka).

In March 2023, Kaspersky reported a new APT campaign in the Russo-Ukrainian conflict area. This campaign, named CommonMagic, utilizes PowerMagic and CommonMagic implants to conduct espionage activities. Active since September 2021, it employs a previously unidentified malware to collect data from targeted entities. Although the threat actor responsible for this attack remained unknown at the time, Kaspersky experts have persisted with their investigation, tracing the unknown activity back to forgotten campaigns in order to gather further insights.

The recently uncovered campaign utilized a modular framework called CloudWizard. Kaspersky’s research identified a total of 9 modules within this framework, each responsible for distinct malicious activities such as gathering files, keylogging, capturing screenshots, recording microphone input, and stealing passwords. Notably, one of the modules focuses on exfiltrating data from Gmail accounts. By extracting Gmail cookies from browser databases, this module can access and smuggle activity logs, contact lists, and all email messages associated with the targeted accounts.

Furthermore, the researchers have uncovered an expanded victim distribution in the campaign. While the previous targets were primarily located in the Donetsk, Luhansk, and Crimea regions, the scope has now widened to include individuals, diplomatic entities, and research organizations in Western and Central Ukraine.

After extensive research into CloudWizard, Kaspersky experts have made significant progress in attributing it to a known threat actor. They have observed notable similarities between CloudWizard and two previously documented campaigns: Operation Groundbait and Operation BugDrop. These similarities include code similarities, file naming and listing patterns, hosting by Ukrainian hosting services, and shared victim profiles in Western and Central Ukraine, as well as the conflict area in Eastern Europe.

Moreover, CloudWizard also exhibits resemblances to the recently reported campaign CommonMagic. Some sections of the code are identical, they employ the same encryption library, follow a similar file naming format, and share victim locations within the Eastern European conflict area.

Based on these findings, Kaspersky experts have concluded that the malicious campaigns of Prikormka, Operation Groundbait, Operation BugDrop, CommonMagic, and CloudWizard may all be attributed to the same active threat actor.  

"The threat actor responsible for these operations has demonstrated a persistent and ongoing commitment to cyberespionage, continuously enhancing their toolset and targeting organizations of interest for over fifteen years,” said Georgy Kucherin, security researcher at Kaspersky’s Global Research and Analysis Team. “Geopolitical factors continue to be a significant motivator for APT attacks and, given the prevailing tension in the Russo-Ukrainian conflict area, we anticipate that this actor will persist with its operations for the foreseeable future."

Read the full report about the CloudWizard campaign on Securelist.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

*   Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.
*   Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts
*   For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response
*   In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform
*   As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform

CommonMagic APT Campaign Broadens Target Scope to Central and Western Ukraine

In an advisory released by the company, Apple revealed patches for three previously unknown bugs it  says may already have been used by attackers.

Three zero-day vulnerabilities — tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373 — were found in Apple's WebKit browser platform and affect iOS, macOS, and iPad products.

These vulnerabilities affect "iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later," Apple said in one of its new advisories.

CVE-2023-32409 is a vulnerability in which a remote attacker is "able to break out of Web Content sandbox," according to Apple. The vendor said CVE-2023-28204 entails processing Web content that may disclose sensitive information, and CVE-2023-32373 warns that processing "maliciously crafted Web content may lead to arbitrary code execution."

Apple said it's aware that the bugs may have already been actively exploited by threat actors but did not elaborate on any of these attacks.

While Apple reported that two of the three vulnerabilities were reported by anonymous researchers after they were first addressed, one of them — CVE-2023-32409 — was reported by Clément Lecigne, a security engineer in Google's Threat Analysis Group, and Donncha Ó Cearbhaill, a security researcher and hacker in Amnesty International's Security Lab.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Apple Patches 3 Zero-Days Possibly Already Exploited

It's not lack of data that's the problem, but the inability to piece it together to truly understand and reduce risk.

Device diversity, cloud adoption, remote work, and the increasingly complex software supply chain have significantly expanded today's attack surface. But despite increased year-over-year investment in security operations, most organizations only have the resources to address 10% of the millions of issues present in their environments.

Security and risk leaders need to be practical and focus on the small percentage of exposures that represent the most risk to _their_ organization. Security teams already have access to the intelligence they need to power risk-driven vulnerability prioritization, but to harness the full potential of their existing insights, they must first break down barriers caused by existing data siloes.

Everything within the digital ecosystem creates data — from autonomous network and vulnerability scanners to manual spreadsheets. Teams have to understand how each element plays a role in the prioritization decision-making process. They need to consider the threat and exposure management life cycle to explore the strengths, weaknesses, and opportunities for each resource.

**Silo 1: Cyber Asset Management**

There are ample approaches to creating a consolidated inventory of all assets and their associated risk posture: legacy spreadsheets, "traditional" network scanners and IT asset management tools, and cyber asset attack surface management (CAASM) platforms.

Depending on the approach, though, teams may only be looking at the "traditional" attack surface instead of considering everything that would be present in a typical multicloud, decentralized, and well-segmented modern network. While progress is being made in this category, it's still built off point-in-time, state-based insights. The lack of insight into attack behavior therefore impacts their overall effectiveness.

**Silo 2: Threat Detection and Response**

On the other hand, threat detection and response tools are designed to help organizations understand their attack surface from the adversary's perspective through analyzing network, user, and machine behavior. Although the quality of data from security information and event management (SIEM) systems is considerable, alert overload makes it extremely difficult for teams to comb through and extract the most pertinent information.

Additionally, threat detection and response platforms typically only monitor "known" assets for changes, whereas the greatest threat lies with the changes made to unknown assets. So, while these platforms have come a long way to expedite response and remediation, they still lack visibility into exposures beyond typical software vulnerabilities and misconfigurations. Gartner predicts unpatchable attack surfaces will grow from less than 10% of the enterprise's total exposure in 2022 to more than half by 2026.

**Silo 3: Third-Party Intelligence**

There are several ways to gauge the potential impact and exploitability of vulnerabilities, such as the Common Vulnerability Scoring System (CVSS), Exploitation Prediction Scoring System (EPSS), and vendor-specific scoring systems. CVSS is the most common method for prioritizing vulnerabilities.

The greatest risk of relying only on third-party guidance is that it doesn't consider the organization's unique requirements. For example, security teams still have to decide which patches to prioritize in a group of "severely critical" vulnerabilities (e.g., those with a CVSS score of 9.0 or higher).

In this case, it's impossible to make an informed decision using these quantitative methods alone. Factors such as the location of the asset would help teams determine the exploitability of the vulnerability within _their own_ organization, whereas its interconnectivity would give teams an idea of the blast radius — or potential overall attack path.

**Silo 4: Business Insights**

From configuration management databases (CMDBs) to controls and dependency maps to data lakes, this list wouldn't be complete without internal business tracking systems. These resources are critical to threat and exposure prioritization due to their strength in demonstrating the connections between devices and vulnerabilities, as well as the overall business criticality and dependency mapping.

But as enriching as they are, custom databases require a heavy manual lift to not only implement, but also keep current. Therefore, due to the rate at which our environments change, they quickly become outdated, making it impossible to accurately survey security posture changes.

**Change Is Programmatic, Not Tool-Centric**

While each source listed above serves its own purpose and provides a unique layer of valuable insight, none serves as a single source of truth for navigating today's sophisticated threat landscape. That said, they're extremely powerful when they work together, revealing a comprehensive vantage point that enables teams to make better, more informed decisions.

Many of the valuable insights necessary to drive informed, risk-based decisions either get lost in the siloes of enterprise tech stacks or stuck between conflicting teams and processes. Although modern environments require equally progressive security, there isn't a single tool or team that can repair this broken process.

Security leaders need to align their cyber asset intelligence to their primary use cases. That may be through mapping their vulnerability prioritization process using third-party intelligence, business context, and asset criticality, or by targeting specific control frameworks such as NIST Cybersecurity Framework or the CIS Critical Security Controls to use their security data to drive an effective security improvement program.

Data Siloes: Overcoming the Greatest Challenge in SecOps

The data shows how most cyberattacks start, so basic steps can help organizations avoid becoming the latest statistic.

Most ransomware attackers use one of three main vectors to compromise networks and gain access to organizations' critical systems and data.

The most significant vector in successful ransomware attacks in 2022, for example, involved the exploitation of public-facing applications, which accounted for 43% of all breaches, followed by the use of compromised accounts (24%) and malicious email (12%), according to Kaspersky's recently released report, "The Nature of Cyber Incidents."

Both exploitation of applications and malicious emails declined as a share of all attacks compared with the previous year, while the use of compromised accounts increased from 18% in 2021.

Bottom line: Doubling down on the most common attack vectors can go a long way to preventing a ransomware attack. "A lot of companies are not the initial targets for attackers but have weak IT security and \[allowing them to\] be hacked easily, so cybercriminals take the opportunity," says Konstantin Sapronov, head of the global emergency response team at Kaspersky. "If we look at top three initial vectors, which together account for almost 80% of all cases, we can implement some defensive measures to mitigate them, and go a very long way to decreasing the likelihood of becoming a victim."

The top initial vectors cited by Kaspersky match an earlier report by incident-response firm Google Mandiant, which found that the same common vectors made up the top three techniques — exploitation of vulnerabilities (32%), phishing (22%), and stolen credentials (14%) — but that ransomware actors tended to focus on exploitation and stolen credentials, which together accounted for nearly half (48%) of all ransomware cases.

Ransomware took off in 2020 and 2021, but leveled off last year — even dropping slightly. But this year, ransomware and a related attack — data leaks with a goal of collecting a ransom — appear to be increasing, with the number of organizations posted to data leak sites increasing in the first part of 2023, says Jeremy Kennelly, lead analyst for financial crime analysis at Mandiant.

"This may be an early warning that the respite we saw in 2022 will be short-lived," he says, adding that the ability to continue to use the same initial access vectors has helped attacks.

"Actors engaging in ransomware operations haven’t needed to evolve their tactics, techniques, and procedures (TTPs) significantly in recent years, as well understood strategies have continued to prove effective," Kennelly says.

**Unsurprising Trio: Exploits, Credentials, Phishing**

In December 2022, the Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were commonly using five initial access vectors, including the three identified by both Kaspersky and Mandiant, as well as external remote services — such as VPNs and remote administration software — and third-party supply chain attacks, also known as trusted relationships.

Most compromises are either quick or slow: Quick attacks compromise systems and encrypt data in days, while slow ones are where threat actors typically infiltrate deeper into the network over months, possibly conducting cyber espionage and then deploying ransomware or sending a ransom note, according to Kaspersky's report.

Exploitation of public-facing applications and the use of legitimate credentials also tend to be harder to detect without some sort of application or behavioral monitoring, leading to longer dwell times for attackers, says Kaspersky's Sapronov.

"\[N\]ot enough attention is paid to application monitoring," he says. "Also, when attackers use \[exploitation\], they need to take more steps to reach their goals."

    

Exploitation is the top initial access vector and tends to lead to a quick ransomware attack or longer espionage. Source: Kaspersky

**Tip: Track Exploitation Trends**

Knowing the most common approaches attackers likely will take can help inform defenders. Companies should continue to prioritize vulnerabilities that have exploits in the wild, for example. By paying attention to the shifts in the threat ecosystem, companies can make sure that they are prepared for likely attacks, Mandiant's Kennelly says.

"Due to the velocity at which threat actors can weaponize exploit code to support intrusion operations, understanding which vulnerabilities are being actively exploited, whether exploit code is publicly available, and if a particular patch or remediation strategy is effective can easily save organizations from dealing with one or more active intrusions," he says.

But avoid putting too much emphasis on protecting against specific initial access vectors, as attackers continually adapt to defenses, Kennelly adds.

"The specific infection vectors that are most common at a given time should not broadly change an organization's defensive posture, as threat actors continually shift their operations to focus on whichever vectors prove most successful," he says. "\[A\] decrease in the prevalence of any given vector does not mean it poses a significantly lower threat — for example, there has been a slow decline in the proportion of intrusions where access was obtained via phishing, but email is still used by many high-impact threat groups."

3 Common Initial Attack Vectors Account for Most Ransomware Campaigns

As we share an increasing amount of personal information online, we create more opportunities for threat actors to steal our identities.

The digital world touches everything we do: work, shopping, even your wallet. And the one thing that keeps your digital life secure is your identity. So what makes up your digital identity? Digital identities are broadly defined and include everything from your username and password to your gender, address, and date of birth. Think about it: Every time you input your address into a Web form when shopping online, every time you verify you're 21 or older, and every time you enter a password, you're sharing a part of your digital identity.

We are constantly disseminating the attributes of our digital identities across countless platforms, and this will only expand as we do more things online. However, with the broader adoption of digital platforms, there become more and more opportunities for threat actors to steal these attributes and hijack our digital identities.

**The True Threats of Digital Identity Theft**

In April, the National Council on Identity Theft Protection shared statistics from the first quarter of 2023, alarmingly showing that the Federal Trade Commission (FTC) has already received 5.7 million total fraud and identity theft reports.

So what happens when identity theft or fraud takes place? On the enterprise side, organizations that fall victim to data breaches, malware, or ransomware attacks could face legal repercussions and have to pay affected customers millions of dollars. In addition to monetary penalties, organizations also face reputational damages, which could result in massive business losses.

Individual victims of identity theft or fraud, on the other hand, may experience financial fraud or losses and spend considerable time and money dealing with the fallout. Additionally, some victims will be left with traumatic feelings of violation and anxiety or hypervigilance — similar to what a victim of a robbery may feel.

As we enter the era of Web3, the cybersecurity threats for victims of identity theft are worsening. Now that processes, appointments, and work life are digital, people are constantly sharing the attributes that make up their digital identity. What becomes very dangerous is people sharing their personally identifiable information (PII), such as their Social Security number, driver's license, and address, as this information is exactly what threat actors look for when breaching organizations.

Once threat actors gain access to digital identities and PII they can create synthetic identities — fictitious identities that are created using a mix of real and falsified information. These synthetic identities have the ability to disrupt people's lives and the way they do business. Consider, for example, that AI tools can be used to generate authentic-looking fake passports or ID cards that can bypass authentication and verification platforms. Additionally, ChatGPT can help fraudsters create more believable, native-sounding phishing campaigns, including emails and chat dialogue that trick or coerce users into giving up their authentication credentials.

**How to Stay Secure**

Last year, a Verizon report found that 82% of all breaches involved the human element, which includes social engineering attacks, misuse, and errors. So how do you prevent human error? Education. Empowering employees with the security basics they need and educating them as to what phishing, smishing, and vishing attacks look like can severely cut down on data breach risk. Organizations should also implement security standards for employees and ensure that these standards are taught during onboarding.

Similarly, the best way for consumers to stay secure is to educate themselves on social engineering attacks and remain vigilant when checking emails, text messages, and phone calls. There are plenty of free digital resources available for consumers that cover security basics, such as what to look for when opening a suspicious email, how frequently passwords should be reset, and what to do if you suspect your information has been compromised.

Customers should also be doing their own due diligence and checking to see what data organizations are collecting and what security is being used to protect that data. On the flipside, organizations need to implement responsible data storage practices by only holding onto data they can actually utilize, and having a centralized identity storage system. A centralized identity storage system will take care of internal mapping of various applications and ensure all digital identities are located in a centralized location, cutting down the propagation of these identities through multiple systems within the same organization.

Educating employees and cutting back on data storage are just two minimum standards for organizations. Additionally, organizations must implement secure systems and solutions such as systemized automation, biometrics, and other identity verification methods. This is where identity and authentication converge. Both parties, consumers and organizations, need to ensure there is trust. Consumers need to trust that organizations will keep their digital identity and data secure, while organizations need to trust that consumers are who they say they are.

**The Future of Digital Identities**

Awareness of digital identities is on the rise. It's promising that the US government has made a public statement announcing it plans to prioritize digital identity solutions, though the US remains behind other regions — specifically, the UK and EU.

In 2021, the EU introduced its digital identity framework proposal to create a sole "trusted and secure European e-ID." Additionally, this year European Parliament voted to move forward with creating an EU digital wallet to further protect European identities and transactions. Within the next few years we'll likely see the US follow in the footsteps of the EU and create a one-stop solution for digital identities.

My hope for the future of digital identities is that we create a seamless, trusted, and secure experience. To do this we'll need to implement a system where digital identities are provisioned in a secure way and can only be unlocked with a strong user authentication in place. In this system, instead of sharing every piece of personal information, users would only be disclosing the minimum information required for individual tasks. This would create the ideal environment to build a digitally secure and trusted world.

Keep Your Friends Close and Your Identity Closer

New rules aim to level up the quality of submissions to Google and Android device Vulnerability Reward Program.

Google and Android will now assess device vulnerability disclosure reports based on the level of information that bug hunters provide in order to encourage more comprehensive submissions.

Vulnerability reports submitted to the Android and Google Vulnerability Reward Program (VRP) will be rated as "High," "Medium," or "Low" quality based on these elements, according to Google Security:

*   The accuracy and detail of the vulnerability description
*   Analysis of its root cause
*   Proof of concept
*   Reproducibility
*   Evidence of reachability

Google and Android have also upped the top bug bounty prize to $15,000.

"Additionally, starting March 15th, 2023, Android will no longer assign Common Vulnerabilities and Exposures (CVEs) to most moderate severity issues," the Google Security blog post announcing the VRP changes said. "The CVEs will continue to be assigned to critical and high severity vulnerabilities."

Bugcrowd founder and chief technology officer (CTO) Casey Ellis applauds the effort by Google to define the elements of a high-quality vulnerability disclosure.

"Nothing happens without effective communication. ... The power of crowdsourcing brings with variability in how vulnerability submitters communicate, and the downstream effectiveness of the report at communicating the risk to those who need to fix it," Ellis says, in response to the new VRP rules. "Google stepping up to help educate the hacker community on 'the things which make communication more effective' is an enormous win for both the space and the community itself."

In 2022 alone, Google's VRPs paid out a record-setting $12 million in bug bounties.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Debuts Quality Ratings for Security Bug Disclosures

85% of AppSec pros say ability to differentiate between real risks and noise is critical, yet only 38% can do so today; mature DevOps organizations cite widespread impact due to lack of cloud-native tools

**Tel Aviv, May 17, 2023** \- Backslash Security, the new cloud-native application security solution for enterprise AppSec teams, today released a new research study, **Breaking the Catch-up Cycle: The New Cloud-Native AppSec Paradigm Survey Report**, exploring how the state of application security has evolved given the rise of cloud-native application development. The study examines the practices, tools, and needs of CISOs, AppSec managers, and AppSec engineers at enterprise organizations of 1,000 or more employees with mature cloud-native app development environments. 

The study reveals that AppSec teams are stuck in a catch-up cycle, unable to keep up with the increasingly rapid, agile dev pace, and playing security defense via an endless and unproductive vulnerability chase. **Notably, 58% of respondents report spending over 50% of their time chasing vulnerabilities, with a shocking 89% spending at least 25% of their time in this defensive mode.** This costly 'defensive tax' — the cost of employing AppSec engineers who chase vulnerabilities rather than drive a comprehensive cloud-native AppSec program — is estimated to be upwards of $1.2 million annually.

Given the accelerated pace of digital innovation across enterprises of all sizes and the blurred lines between AppSec and CloudSec, enterprise AppSec teams are saddled with solutions that have not caught up to the cloud pace. **As a result, AppSec professionals are losing faith in the prevailing AppSec tools:** 

*   Almost all organizations are seeing a widespread impact of the lack of cloud-native AppSec tools, including growing friction between AppSec and dev teams (39%), jeopardized ability to generate revenue (39%), and inability to retain high-value dev talent (38%) and AppSec talent (35%);
*   94% of respondents cited multiple issues with today’s AppSec technologies; top complaints were the considerable amount of time spent prioritizing findings (48%) and that existing AppSec tools are noisy (45%);
*   SAST and DAST are quickly losing ground, with just 32% of respondents stating that they use either of these prevailing standards extensively.

The report emphasizes the urgent need for a **new AppSec paradigm that maps a clear path to a modern standard for cloud-native AppSec success,** characterized by end-to-end visualization of all microservices, automatic identification and prioritization of real risks, and intelligent triaging and remediation. In assessing the importance of these three key tenets of modern AppSec: 

*   82% agree that automating threat model visualization will help AppSec teams save time and manual labor analyzing cloud-native application risks;
*   91% believe correlating application security risks with the application’s exposure to the outside world, such as via open APIs, is important;
*   91% believe differentiating between general code weaknesses and critical vulnerabilities is important;
*   Eight out of the nine total capabilities that define this new cloud-native AppSec paradigm were ranked as “critical” or “important” by 70%+ of respondents.

**However, the AppSec industry suffers from a massive cloud-native enablement gap.** Across all of the most critical capabilities, respondents reported that enablement is sorely lacking: 

*   85% of respondents say the ability to differentiate between real risks and noise is critical to their success, making it the #1 most important capability; yet only 38% of respondents are enabled to do so;
*   This trend persists throughout, including “correlating security findings to the developer or dev team responsible for the fix” (78% vs. 43%); “meeting compliance standards” (78% vs. 38%); and “efficient triaging between Dev and AppSec” (73% vs. 42%).

"What we're hearing across the board is a message of urgency – we've entered a new, cloud-native reality, and it’s time to put an end to the AppSec catch-up game," said Shahar Man, co-founder and CEO of Backslash. "These outdated AppSec methodologies hamper productivity, innovation and talent retention for both AppSec and dev teams. The cloud-native application development paradigm calls for a new, unified approach to application security that will make the friction between development and AppSec teams a thing of the past, enable enterprises to retain valuable talent, and accelerate innovation and growth."

This report surveyed 300 security professionals specifically tasked with application security for their organization, equally split between CISOs, AppSec managers and AppSec engineers from U.S. companies with 1,000 or more employees. Companies represent a wide range of industries. 

Click here to download the report and learn more. 

**About Backslash Security**

Backslash is the first Cloud-Native Application Security solution for enterprise AppSec teams to provide unified security and business context to cloud-native code risk, coupled with automated threat modeling, code risk prioritization, and simplified remediation across applications and teams.

With Backslash, AppSec teams can see and easily act upon the critical toxic code flows in their cloud-native applications; quickly prioritize code risks based on the relevant cloud context; 

and significantly cut MTTR (mean time to recovery) by enabling developers with the evidence they need to take ownership of the process.

Backed by StageOne Ventures, First Rays Venture Partners, D. E. Shaw & Co., and a roster of security veterans as angel investors, including technology entrepreneur and investor Shlomo Kramer, Ron Zoran (former CRO of CyberArk), and Brian Fielder (General Manager, CTO Enterprise Security at Microsoft), Backslash has been deployed across leading technology organizations and Fortune 100 companies. 

More at https://www.backslash.security/.

AppSec Teams Stuck in Catch-Up Cycle Due to Massive Cloud-Native Enablement Gap

As enterprises adopt multicloud, the security picture has become foggy. Cloud workload protection platforms and distributed firewalls are creating clarity.

As enterprises move more of their business infrastructure into the cloud, they are grappling with the challenges of managing multiple cloud environments. Security firms are tackling multicloud security through increased visibility, cross-platform implementations, or a combination of the two.

On Thursday, cloud networking firm Aviatrix announced its new Distributed Cloud Firewall security platform, which combines traffic inspection and policy enforcement across multicloud environments. The firm uses native cloud platform features and its own technology to give companies a consolidated view into the security of their cloud workloads and the ability to push out the same policies to different clouds, says Rod Stuhlmuller, VP of solutions marketing at Aviatrix.

"The architecture is really what's new, not necessarily the capabilities of each of the features," he says. "It's very different than having to reroute traffic to some centralized inspection point for whatever security capabilities you're talking about — that just becomes very complex and expensive to do."

The vast majority of companies (87%) have moved their information infrastructure to a multicloud architecture, with the lion's share (72%) using a hybrid approach that combines both private cloud infrastructure and public cloud services, according to the "Flexera 2023 State of the Cloud Report." Among the top challenges for enterprises are managing their multicloud architectures and the security of their cloud infrastructure, with 80% and 78% struggling with the issues, respectively, according to Flexera.

    

Security and managing multicloud deployments are two top challenges for companies. Source: "Flexera 2023 State of Cloud Report"

As companies deploy workloads to multiple cloud service providers (CSPs), security can suffer. Because CSPs differ in the way that they handle security policies, inspection of traffic, and deploying workloads, companies can quickly lose visibility into security of their cloud infrastructure, says Patrick Coughlin, vice president of technical go-to-market for Splunk, a data and insights cloud platform.

"Let's say, maybe, you go to Google for your machine-learning tooling and workloads, you go to Azure for your core corporate business services, and you go to AWS for cost-efficient storage and overall data management. You may even have some homegrown applications that are legacy and highly regulated that you need to keep on prem," he says. "But what the security team needs is visibility across all of that, and it's a nontrivial challenge to be able to provide not just that visibility but the ability to investigate across all of that when something goes bang in the night."

**The Multicloud Security Mess**

Initially, many providers created virtual instances of their firewall appliances and set them as gateways to cloud infrastructure, but those virtual firewalls have become increasingly difficult to manage, especially across multiple cloud platforms, says John Grady, principal analyst for cybersecurity at Enterprise Strategy Group.

"Virtual firewall instances have been around for a while, but there's been an acknowledgement over the last couple of years that these deployments can be complex and cumbersome and don't take advantage of the key benefits the cloud offers," he says. "So we've seen a general shift toward more cloud-native network security solutions."

With more organizations using multiple infrastructure-as-a-service (IaaS) solutions from the top cloud companies — Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) — finding a solution to the growing complexity is critical.

Aviatrix, for example, allows companies to create an abstracted policy that can be applied across all the cloud platforms using their native security groups, without the administrator needing to go to each cloud. For companies with proliferating workloads, driven by microservice-based software architecture, the number of containers and virtual machines that need to be updated can skyrocket, Stuhlmuller says.

"It's not that we're putting firewalls everywhere, but we're putting the inspection and enforcement capability into the network into the natural path of traffic, with a \[single management console\] that allows us to do central creation of policy but push that distributed inspection enforcement out everywhere in the network."

Other major vendors that focus on cloud workload security, albeit with differing takes on the technologies, include Palo Alto Networks, Trellix, Trend Micro, Rapid7, and Check Point Software Technologies, according to Forrester Research.

**Saving Money Becomes Paramount**

With uncertain economic times worrying the executive suites, cost savings may be the biggest argument for businesses to consolidate their view of their cloud infrastructure. A security architecture based in the cloud and representing every cloud platform in the same way helps companies more efficiently secure their cloud services, but the approach also has the real benefit of being able to save money, says Andras Cser, vice president and principal analyst at Forrester Research.

"Multicloud security cuts costs," he says. "Organizations do not have to invest in procuring and training for multiple cloud providers' security solutions. They can, instead, use a single provider or cloud provider to source all cloud security capabilities from one tool. This reduces errors, improves security posture, and cuts costs."

In addition, consolidating some features leads to cost efficiencies. Distributed firewalls, for example, have the ability to run network address translation (NAT) and charge per hour, as opposed to many vendors that charge per hour and by bandwidth, according to Aviatrix's Stuhlmuller.

Finally, a simpler approach to security in the cloud helps companies reduce the overhead of securing workloads and allows their security professionals to focus on improving the security maturity, says ESG's Grady.

"Many organizations continue to struggle with the skills shortage and are trying to do more with less," he says. "There's an efficiency benefit with a 'write-once, enforce everywhere' model, as well as time savings from not having to deploy individual instances and the associated cloud infrastructure — such as load-balancers — to support them."

Source

DARKReading