Software teams can now fix bugs faster with faster release cycles, but breach pressure is increasing. Using SBOM and automation will help better detect, prevent, and remediate security issues throughout the software development life cycle.

Rapid development and deployment cycles have long been criticized for the potential to introduce more flaws in software. But the "move fast and break things" adage doesn't hold up in modern environments, which are increasingly being targeted by malicious actors. On the other hand, faster release cycles can also mean patches can be implemented faster — and this is just one factor that is accelerating the rate at which software teams can fix bugs.

As demand for reliable, secure software increases, a number of tactics and technologies have emerged to help teams build, maintain, fix, and secure their applications faster than ever. Approaches such as DevSecOps, bug bounty programs, open source bug reporting, and even Google's Project Zero have had substantial influence on how we secure software. But if identifying and patching vulnerabilities has become easier, why are we still reading about so many breaches? Let's explore.

**New Tactics Accelerate Bug Fixing**

The wide adoption of DevOps solutions and organization workflows, which we've seen in recent years, means faster release cycles of software. In the not-so-distant past, a software company would release an updated version every few months, which would contain fixes for security issues detected and patched in that period. Anything that wasn't yet discovered or fixed would have to wait for the next release in another few months. With DevOps methodology and technology in place, software vendors and open source project maintainers release versions of their product dozens of times a day — when the fix is ready, the product receives it, cutting the time-to-fix dramatically.

Some organizations are going a step further to implement security into development processes. Research from ESG shows that 62% of organizations have a plan or are evaluating use cases for DevSecOps implementation. And those organizations that have already put these processes into place are seeing radical improvements in the speed at which they can identify and remediate vulnerabilities.

Bug bounty programs have also become mainstream. Some platforms allow software vendors to use the power of crowdsourcing to discover security issues in their own products. This flow must be managed with a dedicated framework for bug fixing. And as the discovery of issues grows, the organization is compelled to create better ways to fix them, and the time-to-fix is getting shorter.

Within the open source community, code management solutions such as GitHub, GitLab, and others have a built-in way to report and track security issues so that open source maintainers and users can easily report and follow vulnerabilities that are presented in an open source project. The information is public (on the public projects), and the maintainers and the community feel committed to fixing issues quickly.

A final factor is the impact made by Google's Project Zero. As part of this initiative, Google has a team of security researchers dedicated to studying zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world. In 2021, Google's Project Zero detected a record 58 zero-day vulnerabilities in the wild.

In addition, most software companies that are presented in Project Zero's data set aren't your ordinary software vendors, and the project forces these major tech companies to fix security issues within 90 days, which results in shifts in engineering culture and organizational structure as the engineering community at large emulates the big innovators.

**Challenges Remain, Affecting Software Security**

Patches for software are often delivered via updates that require a consumer to upgrade to the latest version, a move which can often impact operations. Resolution in a timely manner can even be impossible, in some cases. Companies developing software today are often relying on a high percentage of open source code and many components that create complexity. Upgrading an open source library, which a company relies on throughout its codebase, or a specific version of a docker image, could mean substantial changes across its products. A single security fix might create a massive amount of work for engineering teams. As a result, teams must prioritize bug fixes, and only critical security issues are getting resolved.

**Improvements in Software Security**

Automation is key. It's impossible for software consumers and vendors to deal with a large amount of security risk in large codebases without using an automated process for detection, remediation, and prevention. Prioritizing is also important. A small engineering team could easily find itself overwhelmed with all the potential security issues disclosed, but it usually doesn't affect its software. To determine if applications are affected by security risks, companies need to take a comprehensive approach — from source code, throughout the DevOps pipelines releasing it, and through the production environment in the cloud. Connecting those dots helps engineers properly manage security risks in apps.

Companies should also employ technologies to assess the health and reputation of open source code. Factors to evaluate include quality, maintainability, popularity, and risk for supply-chain incidents. Automated security tools can play a role here as well by preventing risky code from entering the codebase and notifying developers of potentially dangerous packages. Also, employing a software bill of materials (SBOM) can provide transparency into the software components used in applications, accelerate the identification and remediation of potential vulnerabilities, and help achieve compliance with government regulations.

Accelerating Vulnerability Identification and Remediation

Jira, Confluence,Trello, and BitBucket affected.

**BENGALURU, December 13, 2022 —** Researchers at CloudSEK observed that for Atlassian products - Jira, Confluence, and BitBucket, cookies are not invalidated, even if the password is changed, with 2FA (Two-factor Authentication) enabled, as the cookie validity is 30 days. They only expire when the user logs out, or after 30 days.

CloudSEK researchers have identified that this flaw can be leveraged by threat actors to take over hundreds of companies’ Jira accounts. Our records show over 1,282,859 compromised computers and 16,201 Jira cookies for sale on dark web marketplaces. And just in the last 30 days, over 2,937 compromised computers and 246 Jira credentials were made available. In the past 90 days, we have observed at least one compromised computer from a Fortune 1000 company. This is just considering their primary domains, not their subsidiaries. (Check the complete blog) 

The new finding came after Dec 06, 2022, when CloudSEK disclosed a cyber attack directed at the company. During the course of the investigation into the root cause of the incident, the internal investigation team identified that the threat actor gained access to a CloudSEK employee’s Jira account, using Jira session cookies present in stealer logs being sold on the dark web.

CloudSEK is releasing a free tool that lets companies check if their compromised computers and Jira accounts are being advertised on dark web marketplaces.

With over 10 million users across 180,000 companies, including 83% of Fortune 500 companies, Atlassian products are widely used across the globe. And threat actors are actively exploiting this flaw to compromise enterprise Jira accounts.

**Stolen Atlassian Cookies Can Lead to Unauthorized Account Access even if 2FA enabled**

CloudSEK’s investigation shows that cookies of Atlassian products remain valid for a period of 30 days, even if the password is changed and 2FA is enabled. Hence, threat actors can restore Jira, Confluence, Trello, or BitBucket sessions, using stolen cookies, even if they don’t have access to Multi-factor Authentication (MFA), OTP/ PIN. The cookies, by default, expire when the user logs out, or after 30 days.(Check the complete blog)

This is a known issue, and most companies do not consider it to be within the scope of security reporting, because to use this and get into systems, tokens are required.

However, it is no longer very difficult for threat actors to get their hands on these tokens. With the rise in device compromise campaigns, breaches, and password leaks, cookie theft has become commonplace. And cookies are available for sale and one can simply search for a company, buy their logs, find relevant tokens to gain access to their internal systems. In the last 30 days, more than 200unique instances of atlassian.net related credentials/ cookies have been put up for sale on darkweb marketplaces. Given that the credentials were put up for sale in the last 30 days, it is highly likely that many of them are still active.

In the case of Atlassian products, only one JSON web token (JWT) is required to hijack a session i.e._cloud.session.token_. Atlassian JWT (JSON Web Token) tokens have the email address embedded in the cookie. Hence, it is easy to determine which user the cookie belongs to.

You can check if your organization’s data is available for sale on dark web marketplaces here.

Security Flaw in Atlassian Products Affecting Multiple Companies

Former Head of Security at Stripe and Distinguished Security Engineer at Google joins cloud security leader to help scale security excellence across customer base.

**MOUNTAIN VIEW, Calif.****,** **Dec. 13, 2022** **/PRNewswire/ —** Lacework®, the data-driven cloud security company, today announced the appointment of Niels Provos as the company's first Head of Security Efficacy. Provos brings nearly two decades of industry experience in creating healthy engineering teams that build security infrastructure and systems that solve cloud security problems at scale. He puts a particular emphasis on treating security as an engineering problem.

After receiving his PhD in computer science from the University of Michigan, Provos spent over 15 years supporting the development of Google's security and privacy engineering practice, such as helping to establish Safe Browsing which protects over 4 billion devices on the Internet. He then joined Stripe in 2018 as Head of Security where he set Stripe on a path towards a world-class security posture to help build significant trust with customers and to be ready for the public markets. To keep himself balanced and get more people interested in working in the security domain, he also produces cybersecurity-themed EDM tracks under his artist name Activ8te.

"I have helped to build two world-class security organizations and during that time have seen adversaries become more sophisticated and attacks increase in frequency and volume. I deeply believe that every company needs to be enabled to protect their customers' data against threats from outside or inside. That's why my next challenge is being part of a team with the greater mission of helping customers be secure in a more hostile environment," said Provos. "Lacework is in a great position by focusing on customer outcomes that matter to help scale security like no other company before."

"Niels is one of the strongest security-minded leaders in the world with a long track record of building world-class security organizations. He truly understands the challenges security professionals face in today's cloud environments and how to solve them," said Jay Parikh, CEO, Lacework. "Niels will help us continue delivering new innovations in the Polygraph Data Platform, bringing the security excellence he built at Stripe and Google to customers of all sizes and industries."

Provos is another industry leader to join Lacework in recent months, along with CMO Meagen Eisenberg, CFO Andrew Casey, VP of Americas Channels Faraz Siraj, and VP of Global Technical Services Chris Gilbert. In the last year, Lacework was named  to CNBC's Disruptor 50 list, the Forbes Cloud 100, and ranked sixth in Forbes' America's Best Startup Employers 2022 list. Lacework was also recently recognized  as a leader in innovation and growth by Frost & Sullivan in the analyst firm's recent Global CNAPP Radar Report.

**About Lacework** 

Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. Only Lacework can collect, analyze, and accurately correlate data — without requiring manually written rules — across an organization's AWS, Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Security and DevOps teams around the world trust Lacework to secure cloud-native applications across the full lifecycle from code to cloud. Get started at www.lacework.com.

Niels Provos Joins Lacework as Head of Security Efficacy

Enterprises can now adopt the industry's most comprehensive Zero Trust Network Access 2.0 to secure access to all applications from any device.

**SANTA CLARA, Calif.****,** **Dec. 13, 2022** **/PRNewswire/ —** In a world where work is now an activity not a place, organizations need to connect a distributed workforce without compromising on security and user experience. Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today announced an expanded partnership that brings together BeyondCorp Enterprise from Google Cloud and Prisma® Access from Palo Alto Networks to provide hybrid users secure and seamless access to applications - SaaS, cloud or on-premise - from managed or unmanaged devices.

Built on the backbone of the Google Cloud network, this comprehensive cloud-delivered Zero Trust Network Access (ZTNA) 2.0 solution enables all users to work securely from anywhere regardless of device type. With Prisma Access, customers get superior ZTNA 2.0 security for all devices, branch offices and applications. BeyondCorp Enterprise Essentials enables secure access to applications and resources for unmanaged devices. Combined threat intelligence and machine learning (ML) automatically detects and remediates threats to users, applications or enterprise data; all powered by the superior performance, planetary reach, and low-latency connections of Google Cloud.

"Legacy VPN and Zero Trust Network Access (ZTNA) 1.0 solutions provide access to users that is too broad and lacks continuous security inspection, putting cloud-first and hybrid organizations at risk," said Kumar Ramchandran, SVP, Products for Palo Alto Networks. "ZTNA 2.0 by Palo Alto Networks secures the modern hybrid enterprise. This partnership will allow organizations to benefit from the performance, scale, and reliability offered by Google Cloud's global network, coupled with the security expertise of Palo Alto Networks" 

"Together with Prisma Access and BeyondCorp, customers will now have seamless access to a Zero Trust security solution built for today's workforce, powered by Google Cloud's innovation, scale, and trusted cloud infrastructure," said Sunil Potti, VP/GM, Cloud Security at Google Cloud. "At Google Cloud, we continue to deliver opinionated solutions with our customers' needs in mind, bringing together innovations from across Google and its ecosystem of partners in easy-to-consume offerings that are backed by Google's unique scale and deep experience."

Palo Alto Networks Prisma Access platform helps transform networking and security to deliver a true Zero Trust that supports both managed and unmanaged devices while delivering consistent protections across the entire enterprise. The industry's only ZTNA 2.0 solution provides deep and ongoing inspection of all application traffic, even for allowed connections to prevent all threats, including zero-day threats, providing secure access for data centers, branch offices and mobile users. Prisma Access is purpose-built on Google's global backbone to secure enterprises at cloud scale.

BeyondCorp Enterprise is based on Google's years of experience with zero trust and provides organizations with a seamless and secure experience for anyone who needs to access applications, cloud resources, and private data hosted on Google Cloud, in third-party clouds, or on-premises. BeyondCorp Enterprise leverages Chrome to provide a secure enterprise browsing solution where agents cannot be installed on devices, providing a simple, yet secure zero trust approach for unmanaged devices.

**About Palo Alto Networks**

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world's greatest security challenges with continuous innovation that seizes the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices. Our vision is a world where each day is safer and more secure than the one before. For more information, visit www.paloaltonetworks.com.

Google Cloud and Palo Alto Networks Team to Protect the Modern Workforce

**TAMPA BAY, Fla.****,** **Dec. 13, 2022** **/PRNewswire/ —** KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, today announced its support of the Metaverse Safety Week initiative.

The Metaverse is designed to transform human engagement and interactions and push the boundaries of commercialization. It is also a whole new world with security risks, vulnerabilities and legitimate user concerns. People currently interested in the metaverse are already being duped by phishing scams peddling fraudulent NFTs, metaverse land-sales and other dubious Web3 projects via social media, Discord channels, email and comments on popular YouTube videos.

Anna Collard, SVP of Content Strategy and Evangelist at KnowBe4 Africa says: "Security issues in the metaverse include trolls, sexual and racial harassment, which are all problems we are faced with right now on most digital platforms, but the immersiveness of VR can have a more devastating effect on their victim's mental well-being. The risks for children are especially high as they are more likely to explore the metaverse before their parents will, exposing them to inappropriate content without us, the parents or caregivers being aware of it."

As an industry we have an opportunity to address these risks proactively and reduce harm to humans and societies by coming together to build awareness and safeguards. This is why KnowBe4 is sponsoring the Metaverse Safety Week, a virtual event, which is an international community effort, led by the XR Safety Initiative, featuring industry leaders from around the world and spanning five days from Dec 10th to Dec 15th, 2022.

The event will explore the challenges of these brave new worlds in critical areas of the immersive ecosystem and ensure that we ask the uncomfortable questions now. It will help to bring to light the opportunities to create a better and safer Metaverse for all, spreading awareness and promoting policies, guidelines and research. It will explore core issues such as bias, transparency and data ownership through art, panels, debates and workshops, bringing global perspectives to advance our shared ecosystem.

Register for the event (https://www.eventbrite.com/e/metaverse-safety-week-2022-tickets-395485727457).

**About KnowBe4**

KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, is used by more than 54,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4's Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as the last line of defense.

**About the XRSI - XR Safety Initiative** 

XR Safety Initiative (XRSI) is a global non profit Standards Developing Organization (SDO) that promotes privacy, safety, security, and ethics in immersive environments. Founded in 2019 by Kavya Pearlman, known as the "Cyber Guardian," an award-winning cybersecurity professional with a deep interest in immersive and emerging technologies. Headquartered in the San Francisco Bay Area, XRSI currently has over 150 diverse and multidisciplinary advisors from around the globe. The Metaverse Safety Week 2022 (#MSW2022) is an international community effort, a safety awareness campaign, led by the XRSI - XR Safety Initiative, featuring industry leaders from around the world at a week-long conference inside an exclusively created #VirtualWorld.

KnowBe4 Supports Metaverse Safety Week

1Password's annual State of Access report reveals that distracted employees are twice as likely to do the bare minimum for security at work.

**TORONTO****,** **Dec. 13, 2022** **/PRNewswire/ —** 1Password, the leader in human-centric security and privacy, today released its annual State of Access Report, Distraction on overdrive: Security in a time of permacrisis. Based on a survey of 2,000 North American workers, the report explores employees' sentiments and behaviors around cybersecurity and other critical aspects of modern work amid persistent global crises this year, coined 'permacrisis.' The findings reveal that sustained burnout, now paired with high levels of distraction, has critical implications for workplace security.

"While we hope the worst of the pandemic is behind us, world events continue to unsettle and distract employees. Mishaps are inevitable – it's not a case of if world distractions will make employees more vulnerable to human error, it's a matter of when," said Jeff Shiner, CEO of 1Password. "That's why it's vital that businesses take security off people's plates by implementing seamless systems that eliminate the need for human action. The easier we can make security, the less it will become yet another distraction. It's a win-win for employees and companies."

**The Distraction Vortex**  
Workers have faced what can feel like an avalanche of crises and concerns over the past year. From the COVID-19 pandemic to the whipsawing financial markets and inflation, workers conveyed a vivid picture of their distraction on overdrive, with 53% related to economic or monetary concerns.

*   **Unprecedented stress:** 4 in 5 employees (79%) feel distracted on a typical work day, with 1 in 3 employees (32%) saying they're the most stressed they've ever been in their lives.
*   **A perfect storm:** Top distractions include the Covid-19 pandemic (44%), recession/inflation (42%), economic uncertainty (38%), gas prices (34%), and personal relationships (29%).
*   **Missing motivation:** More than 1 in 4 employees (26%) say that distractions from world events make it hard to care about their job. This has major repercussions for enterprise security, with distracted workers more than twice as likely as others to do only the bare minimum for security at work (24% vs. 10%).

**Security is Sinking In**  
Despite high-profile breaches and ransomware attacks generating splashy media headlines weekly, silver linings are evident amid the chaos. Awareness of cyberthreats is increasing, and security automation and systems are making headway, counterbalancing human shortcomings around security.

*   **Rising awareness:** 3 in 4 employees (76%) are aware their individual actions have an impact on their company's overall security, and 82% would care if they caused a security breach.
*   **Trusted tools:** Nearly 9 in 10 employees (89%) now use authentication products or services such as two-factor (2FA) or multi-factor authentication (MFA), biometrics, password managers and single sign-on.
*   **Mythbusting: complexity** **≠ security:** There's a misperception that if security is too easy, it's not safe. Employees are three times as likely to trust two-factor or multi-factor authentication as they are to trust single sign-on (65% vs. 19%).

**Security Slippage**  
Notable security improvements have been made in recent years, but our research shows that bad security hygiene persists in the modern workplace. Poor password habits are still prevalent, and 50% of employees say the biggest threat their company faces is the prospect of employees falling for scams or phishing attempts.

*   **Senior security snafus:** Poor password hygiene is notably worse among employees at the level of director and above, with 49% using personal identifiers in their passwords.
*   **Password reuse:** Despite knowing the risks associated, 1 in 3 employees (34%) reuse passwords.
*   **Same device, different gig:** One in 10 workers (10%) have used their work computers or devices for a side gig or another job – and tech workers are even worse (19%) – making companies increasingly vulnerable to security risks.

**Tech Industry Trouble**  
Workers in the tech, IT and telecom industries reported being far more distracted compared to their non-tech counterparts. Tech workers are nearly twice as likely as others to say distractions make it hard to care about their jobs, and are more than three times as likely to do the bare minimum around security.

*   **Domino effect:** Nearly half (46%) of tech industry workers say that distractions from world events make it hard to care about their jobs – compared to 23% of other employees in other industries.
*   **Distraction dependency:** 39% of tech industry workers say their coworkers are less productive at work because they're distracted by world events – nearly twice as much as workers in other industries (20%).
*   **Phoning it in with workplace security:** 36% of tech industry workers say they only do the bare minimum when it comes to security at work – compared to 11% of employees in other industries.

"Every crisis creates an opportunity for criminals to exploit victims via social engineering as they take advantage of psychological weaknesses. Many of the traditional human vulnerabilities are at greater risk in a time of permacrisis; curiosity, the power of authority figures, manufactured urgency, greed and other weaknesses will continue to be used to the attackers' advantage," said Troy Hunt, strategic advisor at 1Password and founder of Have I Been Pwned. "As the level of sophistication increases, even the most tech-savvy of us can fall victim to a well-crafted attack, and it's our job in the industry to build more resilient systems and tools."

For more information, read the full report.  

**About 1Password**  
1Password's human-centric approach to security keeps people safe, at work and at home. Our solution is built from the ground up to enable anyone – no matter the level of technical proficiency – to navigate the digital world without fear or friction. The company's award-winning credentials management security platform is re-shaping the future of authentication and is trusted by over 100,000 businesses, including IBM, Slack, Snowflake, Shopify and Under Armour. 1Password protects the most sensitive information of millions of individuals and families across the globe, helping consumers and businesses get more done in less time – with security and privacy as a given. Learn more at 1Password.com.

**Methodology**  
1Password conducted this research using an online survey prepared by Method Research and distributed by Dynata among n\=2,000 adults ages 18+ in North America (n\=1,400 U.S. + n\=600 Canada) who work full-time primarily at a computer. The sample consisted of respondents from any department and title within their company. The sample was equally split between gender groups with a balanced spread across age groups. Data was collected from October 14 to October 24, 2022.

Report: 79% of Employees Are Distracted at Work Amid a Year of Permacrisis

Offensive security researchers found 63 previously unreported vulnerabilities in printers, phones, and network-attached storage devices in the Zero Day Initiative's latest hackathon.

Security researchers and hackers demonstrated 63 zero-day vulnerabilities in popular devices at the latest Pwn2Own, exploiting printers from Canon, HP, and Lexmark, and routers and network-attached storage device from Synology and Netgear.

According to Trend Micro's Zero Day Initiative (ZDI), which organized the competition last week, the collection of vulnerabilities earned $989,750 for the offensive cybersecurity specialists competing in the contest. While some attacks chained together a series of exploits to take control of the remote devices, including one that used five vulnerabilities, others found a single security weakness to target, such as the Pentest Limited team, which found a reliable single-click exploit in the Samsung Galaxy S22 mobile phone that required less than a minute to attack.

The Samsung exploit highlighted that significant vulnerabilities are out there to find, says Dustin Child, head of threat awareness at Trend Micro's Zero Day Initiative.

"Just click a link on an affected device and you get owned," he says. "It's a very reliable bug, too. Very impressive research and quite the effective demonstration of why clicking unknown links can be dangerous."

**Focusing on IoT and Mobile**

Pwn2Own started in 2007 as an annual contest connected with the annual CanSecWest conference, but has since branched out into two contests: one focused on computer operating systems and applications, and the other — which includes the latest contest — focused on devices and the Internet of Things.

Over the four days of the contest, offensive cybersecurity specialists discovered a significant number of vulnerabilities in printers and routers from major brands, but also targeted Bluetooth speakers and network-attached storage, ZDI stated in a summary of the contest results.

Because many of the devices are commonly used by small and medium-sized businesses (SMBs), companies should take the results of the competition as a warning, Child says.

"If anything, SMBs should understand that, while they may feel they aren't large enough to be a target, their devices can and will be targeted by threat actors," he says. "At \[this\] time, the attackers are just looking to add nodes to their botnet, but regardless of intent, the devices we rely on for business can be compromised if left undefended."

**Buffer Overflows Continue to Creep In**

Unfortunately, one of the classes of vulnerabilities that continues to represent a fertile field of exploitation for attackers is memory safety vulnerabilities, such as buffer overflows. While major software companies have begun using memory-safe programming languages to prevent memory-related issues, many device-makers are still behind the curve.

Many of the vulnerabilities discovered during the contest were buffer overflows, Child says.

"This form of memory corruption has been known for some time, so we were a bit surprised to see it still prevalent in multiple devices," he says.

Among the most targeted devices were printers, with Lexmark, HP, and Canon printers among those favored by participants. While routers also made up a significant share of targeted devices, they would have seen more abuse this year, except that last-minute patches from Netgear and TP-Link eliminated targeted weaknesses, forcing competitors to withdraw from the competition, Child says.

**Playing the Mario Theme on a Lexmark**

Some of the printer exploits showed additional creativity. In the past, hackers would settle for exploiting a system and forcing it to run Microsoft Paint or call up a calculator application as a demonstration of their potential to run arbitrary code. In the latest Pwn2Own, however, successful hackers displayed Pokemon or another anime character on the small printer control display. 

Perhaps most impressively, the Horizon3 AI team used the system alert sound on a Lexmark printer to play the theme from Mario, even though the device does not have that functionality.

"Since the printer doesn't have a speaker, we didn’t expect it to play a song, but they modulated the frequency of the beep to add the musical function," Child says.

Data management providers Synology and online giant Google both co-sponsored the contest.

Hackers Score Nearly $1M at Device-Focused Pwn2Own Contest

Organizations need servant leaders to step forward and make their teams' professional effectiveness and happiness a priority.

Around the world, employees have been experiencing extreme stress due to the ongoing pandemic, business disruption, and the faster pace of work. 

This is a mental state and lived reality that cybersecurity staffers experience day in and day out. When new hires start work on Day 1, they know what they are signing up for. Most organizations today face an unrelenting fusillade due to the accelerated pace of digital transformation. New threat patterns are emerging, credential compromise is raging, and cybercriminals are cooperating on strategies. 

So, for analysts in security operations centers (SOCs), there's a thrill of the chase and rewards that come with stopping would-be attackers from damaging a company and its customers. However, there are also thousands of alerts to review each day, as well as the agony of defeat when a data breach occurs on their watch. 

**Processes and Technologies Are Improving. Why Are We Still Talking About Stress in Cybersecurity? **

Despite this reality, many teams have best-of-breed platforms at the ready. So, it's actually getting easier for cybersecurity professionals to do their work. Behavioral analytics detect attackers rapidly and separate the noise from signals of malicious behavior, so that analysts can triage alerts faster. With automated workflows, analysts can focus on higher-level duties. A survey conducted by Chartered Institute of Information Security (CIISec) in 2020/2021 found that 53% of analysts said their organization is getting better at protecting the network and recovering from attacks, while 56% said their team was more adept at responding to cybersecurity incidents and breaches. 

**The Many Factors of on-the-Job Stress for Analysts**

First, it's important to acknowledge that working within the cybersecurity industry is inherently stressful. Some 51% of analysts said they're kept up at night by job stress and challenges. Factors include forced cancelation of education events due to the pandemic (66%), overwork (47% work more than 41 hours per week), insufficient budgets (53%), and increased difficulty executing key security processes such as reviews and audits due to remote work. 

Survey results don't capture the distinction between good stress and bad stress. Good stress includes learning new skills, problem-solving on the job, collaborating with teams to track adversaries and respond to threats, and gaining new professional opportunities. Bad stress includes feeling unsupported by organizations and leaders, not having the tools needed to do the job, and experiencing a poor work-life balance. And then there's situational stress, such as trying to execute processes remotely that are better done onsite, such as performing audits. 

**Servant Leaders Can Make a Difference**

Many of the cybersecurity issues raised in the CIISec survey point to a need for strong leadership that proactively identifies and resolves issues. But cybersecurity teams need servant leaders, not those who lead by establishing command and control structures. 

Servant leaders create authority by — you guessed it — serving their employees. Cybersecurity executives of this ilk are concerned about the well-being of the team, regularly checking in with team members on how they are doing, and removing roadblocks that harm operational performance. They'll go to bat with upper management to get an increased budget for new tools and additional staff to smooth out workloads for teams. Servant leaders take turns serving on call to understand work conditions from analysts' perspectives and hold regular team meetings to discuss key trends and issues. They're also likely to look ahead to anticipate market and business developments and reposition their organization to get ready to meet them. As a result, these leaders' teams feel supported. Analysts are not afraid to share problems or new ideas, as they know their leaders will listen, consider them carefully and, most importantly, respond.

Further, servant leaders develop their teams. They understand that cybersecurity analysts want to develop their knowledge and skills to progress their careers. Analysts cited job growth as the No. 1 reason they leave their existing roles and the No. 2 reason they take new jobs; right behind compensation. Respondents named taking training, cross-training across other technical and business areas, and working with experienced staff as high on their wish list for accelerating their careers. 

**Looking Ahead and Prioritizing Growth**

Given that professional development took a back-seat to fighting threats during the pandemic, cybersecurity leaders should push forward with career planning for their teams this year. Some 41% of analysts say their career development plans are only partially planned, while 11% say they aren't planned at all. As a result, firms that excel in these areas can poach staff from less development-oriented firms, building their teams at a time when competition is keen for top talent.

The events of the past two years have put an undeniable strain on cybersecurity teams. Risks have grown, increasing teams' workloads and weakening their sense of control. In addition, budgets haven't kept pace with hiring, training, and tool requirements. 

What organizations need now is for servant leaders to step forward and make their cybersecurity teams' professional effectiveness and personal happiness an important priority. Whether it is simply listening to analysts' concerns, making strategic investments in improving operations, or fostering career growth, servant leaders gain authority by putting others first. With humility, accountability, and consistency, servant leaders create greater organizational cohesiveness, break down barriers to execution, and help their teams outperform, even in the most challenging market and business environments.

The Cybersecurity Industry Doesn't Have a Stress Problem — It Has a Leadership Problem

SIEM and XDE made a lot of promises, but they don't quite live up to the SOC team's standards.

One might think that security teams are automating various phases of the SOC lifecycle, looking forward to saving time and speeding up mean time to detection (MTTD) and mean time to response (MTTR). But in reality, security teams don't have confidence in automation because of too many false positives, poor detection, a lack of complete analytics, and the fact that the analytics available to them are siloed between different detection tools and not linked together effectively.

These factors lead to poor-quality response playbooks from threat detection, investigation, and response (TDIR) solutions that can't be trusted. Without confidence that the response will eliminate the threat without disrupting other important business processes, security teams won't be comfortable with automation in the SOC.

Most TDIR solutions fall short of this confidence threshold because they don't gather enough contextual information around a threat and thus don't customize their response playbook to the situation and their environment. The security analyst will need to manually gather contextual information and decide how to tailor the playbook before passing it off to the appropriate team to implement. That all takes time, which further reduces MTTD and MTTR.

So, what is missing from TDIR solutions that causes this lack of confidence? Let's explore four ways that current SIEM and XDR solutions fail to live up to the SOC team's standards for confidence and context, and some ways they could do better.

**Problem: Can't Automatically Scale to Accept a High Volume of Data**

Being able to ingest as much data from as many sources as possible means the system can provide more context along with alerts and make remediations more targeted. Without this extra data, the response usually is not specific enough for the SOC team to be comfortable proceeding without re-checking everything manually.

Unfortunately, many SIEMs charge based on the volume of data the solution takes in, which creates a trade-off between cost and data. In this situation, getting enough data to help the analyst might be too expensive!

**Solution:** Choose a solution with a different pricing plan, like charging per user and/or per device rather than by data volume. This ensures the cost will stay relatively consistent even if data volumes change significantly (which they often do).

**Problem: Can't Automatically Ingest and Interpret Data from Many Different Sources**

Now that we've established that a high intake of data is essential for increasing the SOC team's confidence in responses, being able to process and sort that data is the second half of the equation. The SIEM must be able to process both structured and unstructured data with some type of data interpretation engine. The more integrations the SIEM has out of the box, the better.

**Solution:** The ability to ingest unstructured data, parse it, and extract useful information from it significantly increases a SIEM's threat detection capabilities. For example, data from HR systems can help identify insider threats and potentially disgruntled employees, but this is generally not structured in a format a SIEM can process.

**Problem: Can't Execute True Machine Learning and Advanced Security Analytics**

True machine learning (ML) capabilities — as in trained ML rather than rule-based ML — make threat detection more accurate, which in turn makes response playbooks more targeted and customized. Threat detection based on trained ML can better detect new and unknown attacks and adjust to changing network behavior without needing to be updated. Rule-based ML is like a flowchart; its inputs and outputs are fixed, and therefore it is limited in its findings and relatively poor in accuracy. When a new, never-before-seen cyberattack appears in the wild, a rule-based detection solution won't be able to detect it until the definitions get updated, which can take days or even weeks depending on how responsive the vendor is.

**Solution:** An ML program should recognize and flag the attack as a potential threat based on contextual data. Better accuracy means the SOC team will be more confident, which means they'll need to do less manual investigating.

**Problem: Can't Automatically Validate Findings and Create Detailed Risk Scores**

The ability to prioritize responses based on risk is the final piece of the puzzle for improving the SOC team's confidence. Many SIEM or XDR products give a generic risk score based on CVE and CVSS scores (if they provide one at all). These scores generally aren't customized to their environment.

**Solution:** More advanced solutions will generate a risk score based on data from vulnerability scanning tools, user access info, HR applications, etc. For example, take a user talking to an unknown external site for the first time. How risky is this? If that external site is known to host malware (identified via reputational services) or that user that was recently put on a performance plan and might have a grudge against the company, the risk is high. On the other hand, a user logging into company resources from an unknown IP address is less risky if that user is working remotely.

Assessing risk in this way is difficult and requires a lot of contextual data, but it allows the SIEM to automatically identify high-risk attacks and helps the SOC team to trust that decision, which means a more streamlined and effective process.

**Improve the Process**

Fast responses are desired in cases with a high-risk security event and a low-impact response. Automating parts of the SOC process and getting better quality data from the SIEM helps the security team assess the context and risk score quickly and confidently. In turn, this means faster responses and a safer organization. But until TDIR solutions can improve in these four areas, security teams will continue to lack confidence in automation in the SOC.

Improve Confidence and Context to Sell the SOC on Automating

Research from Marlin Hawk also shows a 15% increase in CISOs holding STEM-related degrees year-over-year, diversifying the succession talent pool.

**NEW YORK****,** **Dec. 13, 2022** **/PRNewswire/ —** Marlin Hawk—a global executive search and leadership advisory partner—today announced the company's third annual Global CISO Research Report, which provides insights and data based on conversations with CISOs across several industries. Marlin Hawk has tracked and analyzed the profiles of 470 Chief Information Security Officers year-over-year to understand the changing dynamics in this critical leadership position.

Marlin Hawk's research shows the CISO seat to be relatively industry-agnostic—with 84% of CISOs having a career history of working across multiple sectors—with today's CISOs expected to bring more breadth of leadership to their role as they move away from being technical experts.

"Today's CISOs are taking up the mantle of responsibilities that have traditionally fallen solely to the CIO, which is to act as the primary gateway from the tech department into the wider business and the outside marketplace," said James Larkin, Managing Partner at Marlin Hawk. "This widening scope requires CISOs to be adept communicators to the board, the broader business, as well as the marketplace of shareholders and customers. By thriving in the 'softer' skill sets of communication, leadership, and strategy, CISOs are now setting the new industry standards of today and, I predict, will be progressing into the board directors of tomorrow."

Key findings from the report include:

*   **CISO profiles have changed dramatically**—36% of CISOs analyzed with a graduate degree received a higher degree in business administration or management. This is down 10% from last year (46% in 2021). Conversely, there has been an increase to 61% of CISOs receiving a higher degree in STEM subjects (up from 46% in 2021).
*   **More CISOs are being hired internally**—Approximately 62% of global CISOs were hired from another company, indicating a slight increase in the number of CISOs hired internally (38% hired internally compared to 36% in 2021), but a large gap remains in appropriate successors.
*   **CISO turnover rates have declined**—but still remain high with 45% of global CISOs having been in their current role for two years or less, down from 53% in 2021, with 18% turnover year-over-year.

**CISO roles continue to expand beyond technical expertise**

"I would say that you shouldn't have the CISO title if you're not actively defending your organization; you have to be in the trenches," said Yonsy Núñez, Chief Information Security Officer, Jack Henry Associates. "I also feel that over the last eight to 10 years, the CISO role has become a CISO plus role: CISO plus engineering, CISO plus physical security, CISO plus operational resiliency, or CISO plus product security. As a result, we've seen multiple CISOs that have done a great job with cybersecurity, fusion centers, SOC, and leadership. This has paved the way for the CISO office to become a business enabler and also a transformational technology function."

Kevin Brown, a seasoned cybersecurity executive, added, "We have over 100 countries at this point with their own data privacy legislation that makes doing global business in a compliant manner trickier than it used to be. As a result, in most organizations we're seeing a tighter connection and collaborative spirit between data officers, CISOs, legal teams and marketing. CISOs have to be in the know on all priorities for these different sectors of the business so they can take them into account when writing policies—it's a more complex job than it ever used to be."

**More organizations are appointing CISOs from within**

Marlin Hawk's research shows a decrease in the percentage of CISOs hired externally (62%) in the last year, compared to 2021 (64%), indicating a potential shift towards an organization's next CISO already operating inside the business.

Marlin Hawk's James Larkin went on to say, "As the importance of information security has grown, boards of directors, regulators, and shareholders have demanded greater controls, better risk management as well as more people and departments focusing on defending a company and its assets. Fortunately, this has had the positive side effect of creating more internal succession for the CISO position—organizations can look for risk and control focused talent in more places than just the office of the CISO."

"Now candidates are being internally promoted to the role of CISO from IT Risk, Operational Risk Management, IT Audit, Technology Risk & Controls, among others," Larkin added. "Not only does this give regulators more comfort that there are multiple sets of eyes on this at the leadership level, but it has also vastly increased the size of the succession talent pool and is helping to future proof the information security industry as a whole."

**CISO turnover rates are still high for several reasons**

"The not-so-secret secret is that no CISO can accomplish much in one or two years. Most CISOs change roles because of one of three reasons," shares Shamoun Siddiqui, Chief Information Security Officer at Neiman Marcus Group.

"First, their skillset is not up to par, and they get quietly pushed out by the company. Due to the extremely high demand for security leaders, often individual contributors get elevated to the role of CISO, and they get overwhelmed within months. Second, they have an insurmountable task with unrealistic expectations, and there is a lack of support from their peers and from the leadership of the company. The company may be paying lip service to cybersecurity but may not be forward-thinking enough to make it a priority. Third, they just get enticed by a better offer from somewhere else. There is such a shortage of security professionals and security leaders that companies keep offering increasingly high salaries and benefits to CISOs."

Another factor leading to high turnover is poor hiring decisions that are a result of a lack of scrutiny and due diligence in the recruiting process. While the immediate need may outweigh a more thorough vetting, fast tracking a CISO hire can have adverse effects if there are other, more suitable candidates out there.

For more information on the changing CISO landscape, please read the full report here: Marlin Hawk Global Snapshot: The CISO in 2022

**About Marlin Hawk**

For over 15 years, Marlin Hawk has been helping organizations around the world to secure their new generation of leaders. The company uses innovative, disruptive approaches to placing the world's leading and most desirable transformative talent that are based in strategic intelligence and unrivaled research. With a focus on executive search, interim management, strategic intelligence, succession planning and talent planning, the company is the boutique partner of choice at the forefront of transformational change and placing the most positively disruptive talent. Marlin Hawk has experience in financial services, healthcare, consumer products, retail, media, entertainment, sports, industrials, private equity, professional services, and technology sectors. The company has offices in London, New York, Denver, Chicago, Toronto, Dubai, Singapore, and Hong Kong.

Source

DARKReading