Every organization is on a zero-trust journey. Learn about how critical identity is to your security evolution, and how your organization can move forward.

In the face of never-ending threats and continued technology evolution, zero trust has quickly progressed from an intriguing idea and buzzword to a critical business imperative. Regardless of how advanced or how early their implementations are, all organizations are on this journey.

At the core of this zero-trust journey is identity, which serves as the front door to every user interaction, the heart of the remote work security challenge, and the foundation to making zero trust a reality. Recent survey data from Okta backs up that belief, with 80% of all security leaders calling out identity as an important component to their overall zero trust security strategy, with an additional 19% going so far as to call identity "business critical."

**Understanding Zero-Trust Evolution**

The "Okta State of Zero Trust Security Report" introduces an identity adoption model that provides clarity and direction for security practitioners trying to understand where they are in their zero-trust journey. This five-phase model provides companies with a way to understand how their peers are prioritizing identity projects today, and which initiatives they plan to prioritize and focus on over the coming months.

**Phase One: Traditional**

Organizations in the first phase typically are at the beginning of their cloud transformation journey: They're either trying to anticipate the challenges of cloud adoption or they're already experiencing them. These are organizations seeking to add multiple layers of security to their authentication processes to ensure they're giving the right people access to the right resources, including multifactor authentication (MFA) for employees, or connecting the employee directory to business-critical cloud apps.

Okta's report highlights how almost every organization has either begun or is shortly planning to begin this critical step in their evolution, with 95% of respondents stating they plan to complete the first phase of their zero-trust initiatives over the next 12**–**18 months.

**Phase Two: Emerging**

In phase two, organizations typically are leaning more heavily on the cloud while securing and simplifying user access to increase security and productivity. They may adopt new tooling such as MFA for external users, enable self-service factor resets to reduce help desk costs, or automate provisioning and deprovisioning for applications.

Zero-trust and identity-first strategies illustrate the critical need to extend authorization policies and standards throughout an organization's supply and partner ecosystem, and it's here that organizations showed the need for continued progress. The Okta research found that while nearly 80% of respondents have extended SSO for their employees, only 38% of respondents said their companies have extended MFA to external users.

**Phase Three: Maturing**

Maturing organizations experience more complex challenges such as increased compliance and regulatory requirements, a hybrid infrastructure, and the need to support a large, dynamic workforce.

Meeting these challenges means extending and expanding identity and access management (IAM) efforts beyond their employees and legacy network to accommodate a growing world of external users, as well as an expanding cloud or multicloud infrastructure. Organizations are recognizing the priority, with MFA and SSO for infrastructure set to make a significant leap in the next 12**–**18 months, jumping from 31% to 67%, by 2023.

**Phase Four: Elevated**

In the elevated phase, organizations are intelligently consolidating or deprecating any outdated tech and protecting key custom applications they find to be potential security weak points. In their bids to complete their digital transformation, they may add secure access to APIs, deploy proxy tools to modernize legacy technologies, or implement context-based access policies. Progress in this phase has become less streamlined as these projects are prioritized by companies at a disproportionate rate. For instance, roughly half of worldwide respondents already have implemented MFA across user groups (49%) and secured access to APIs (54%), but only 6% have implemented context-based access policies.

**Phase Five: Evolved**

By phase five, organizations have reached the stage where they can shift their focus away from implementing core zero-trust projects toward optimizing user life-cycle management, applying security access to servers, and implementing passwordless access.

Projects in this phase include deploying secure passwordless access across the board or making access decisions at the data layer based on user and device posture. Okta report data shows that nearly 22% of respondents from financial services companies plan to adopt passwordless access options within the coming 12**–**18 months, with 16% of healthcare and software companies not far behind. However, only 7% of government institutions either already have passwordless access in place or are planning to do so.

**The Future of Zero Trust**

The path to zero trust is both evolving and simultaneously continuous, and maturity models like the one details in the Okta report will themselves evolve. What's critical for security practitioners and leaders alike is to work across the IT and security landscape to take stock of business goals and context to prioritize the areas that not only minimizes risk, but drive productivity and efficiency for the organization.

**About the Author**

    

Amanda Rogerson is a change agent who wants to disrupt the way you think about digital security and identity. Having worked with organizations globally across industries in various roles throughout her 20-year career, she is mindful of the impact new security practices have across organizations. As a self-proclaimed nerd, she likes to weave pop-culture references into her discussions to make topics relatable.

New Zero-Trust Maturity Data: Charting Your Own Organization

Organizations relying on multicloud or hybrid-cloud environments without ﻿a true understanding of their security vulnerabilities do so at their peril.

According to the Cloud Security Alliance's 2021 report, "State of Cloud Security Concerns, Challenges and Incidents," 41% of participants were "unsure" whether they had experienced a cloud security incident in the recent year.

And that percentage doubled since 2019.

Cloud security threats are on the rise, and more organizations are using two or more public cloud providers to meet organizational needs. These cloud environments typically host sensitive business and customer data, critical applications, and other high-risk information.

But these organizations are relying more on multicloud or hybrid-cloud environments without a true understanding of their security vulnerabilities, threats, or if an incident had occurred at all.

**Data Protection and Privacy**

Consistent data protection and privacy is difficult to achieve in diverse environments with their own built-in security tools. Many organizations struggle to protect data properly in multicloud environments in compliance with policy and regulatory requirements.

Disjointed environments have different security controls and tools, which makes consistent, ironclad protection a major hurdle.

Cloud management platforms (CMPs) are a viable solution to cloud management and security. With a CMP, administrators don't need to understand the differences between public clouds, but may use a consistent interface to manage both effectively.

This has significant advantages for improving cloud security. IT teams can implement a common security layer within a multicloud environment and then apply the same identity and access

**Visibility and Control**

Achieving visibility and control is difficult under the shared responsibility model and vendor-controlled infrastructure. With this model, the security is divided between the cloud provider and the customer – the cloud provider is responsible for security of the cloud, while the customer is responsible for security of what's in the cloud.

For many companies, this is a considerable challenge for multicloud environments. They don't have visibility and control at the lower layers of their stack and can't deploy traditional solutions, leaving significant gaps in their visibility.

There are several solutions to this problem.

**Enforce policies and data governance:** Companies are responsible for putting policies in place for cloud data ownership and responsibility. Data must be classified to ensure the appropriate security measures are in place.

**Manage Identity and access controls**: Identity and access management in the cloud is more complex than closed environments. Providers typically offer best practices and managed services to help companies with IAM, but the responsibility to use them effectively falls entirely on the company.

**Leverage data security management tools**: These tools are essential to protecting the ever-growing cloud. Scaling increases the complexity and creates hurdles with visibility, and a data security management tool offers a centralized option to manage data and users.

**Prepare for Cloud Adoption**

Multicloud infrastructure comes with incredible benefits for an organization, including reduced costs, greater flexibility and scalability, and management from a cloud provider.

The rapid adoption of the cloud creates vulnerabilities along with opportunities, however. Mitigating threats and risk with innovative security approaches can help organizations achieve security and compliance in multicloud and hybrid-cloud environments.

Facing the New Security Challenges That Come With Cloud

In a widespread campaign, threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials.

An elaborate and rather unusual phishing campaign is spoofing eFax notifications and using a compromised Dynamics 365 Customer Voice business account to lure victims into giving up their credentials via microsoft.com pages.  

Threat actors have hit dozens of companies through the broadly disseminated campaign, which is targeting Microsoft 365 users from a diverse range of sectors — including energy, financial services, commercial real estate, food, manufacturing, and even furniture-making, researchers from the Cofense Phishing Defense Center (PDC) revealed in a blog post published Wednesday.

The campaign uses a combination of common and unusual tactics to lure users into clicking on a page that appears to lead them to a customer feedback survey for an eFax service, but instead steals their credentials.

Attackers impersonate not only eFax but also Microsoft by using content hosted on multiple microsoft.com pages in several stages of the multistage effort. The scam is one of a number of phishing campaigns that Cofense has observed since spring that use a similar tactic, says Joseph Gallop, intelligence analysis manager at Cofense.

“In April of this year, we began to see a significant volume of phishing emails using embedded ncv\[.\]microsoft\[.\]com survey links of the sort used in this campaign,” he tells Dark Reading.

**Combination of Tactics**

The phishing emails use a conventional lure, claiming the recipient has received a 10-page corporate eFax that demands his or her attention. But things diverge from the beaten path after that, Cofense PDC's Nathaniel Sagibanda explained in the Wednesday post.

The recipient most likely will open the message expecting it's related to a document that needs a signature. "However, that isn't what we see as you read the message body," he wrote.

Instead, the email includes what seems like an attached, unnamed PDF file that's been delivered from a fax that does include an actual file — an unusual feature of a phishing email, according to Gallop.

"While a lot of credential phishing campaigns use links to hosted files, and some use attachments, it's less common to see an embedded link posing as an attachment," he wrote.

The plot thickens even further down in the message, which contains a footer indicating that it was a survey site — such as those used to provide customer feedback — that generated the message, according to the post.

**Mimicking a Customer Survey**

When users click the link, they are directed to a convincing imitation of an eFax solution page rendered by a Microsoft Dynamics 365 page that's been compromised by attackers, researchers said.

This page includes a link to another page, which appears to lead to a Microsoft Customer Voice survey to provide feedback on the eFax service, but instead takes victims to a Microsoft login page that exfiltrates their credentials.

To further enhance legitimacy on this page, the threat actor went so far as to embed a video of eFax solutions for spoofed service details, instructing the user to contact "@eFaxdynamic365" with any inquiries, researchers said.

The "Submit" button at the bottom of the page also serves as additional confirmation that the threat actor used a real Microsoft Customer Voice feedback form template in the scam, they added.

The attackers then modified the template with "spurious eFax information to entice the recipient into clicking the link," which leads to a faux Microsoft login page that sends their credentials to an external URL hosted by attackers, Sagibanda wrote.

**Fooling a Trained Eye**

While the original campaigns were much simpler — including only minimal information hosted on the Microsoft survey — the eFax spoofing campaign goes further to bolster the campaign’s legitimacy, Gallop says.

Its combination of multistage tactics and dual impersonation may allow messages to slip through secure email gateways as well as fool even the savviest of corporate users who’ve been trained to spot phishing scams, he notes.

"Only the users that continue to check the URL bar at each stage throughout the entire process would be certain to identify this as a phishing attempt," Gallop says.

Indeed, a survey by cybersecurity firm Vade also released Wednesday found that brand impersonation continues to be the top tool that phishers use to dupe victims into clicking on malicious emails.

In fact, attackers took on the persona of Microsoft most often in campaigns observed in the first half of 2022, researchers found, though Facebook remains the most impersonated brand in phishing campaigns observed so far this year.

**Phishing Game Remains Strong**

Researchers at this time have not identified who might be behind the scam, nor attackers' specific motives for stealing credentials, Gallop says.

Phishing overall remains one of the easiest and most oft-used ways for threat actors to compromise victims, not only to steal credentials but also spread malicious software, as email-borne malware is significantly easier to distribute than remote attacks, according to the Vade report.

Indeed, this type of attack saw month-over-month increases through the second quarter of the year and then another boost in June that pushed "emails back to the alarming volumes not seen since January 2022," when Vade saw upwards of 100-plus million phishing emails in distribution.

"The relative ease with which hackers can deliver punishing cyberattacks via email makes email one of the top vectors for attack and a constant menace for businesses and end users," Vade's Natalie Petitto wrote in the report. "Phishing emails impersonate the brands you trust the most, offering a wide net of potential victims and a cloak of legitimacy for the phishers masquerading as brands."

Unusual Microsoft 365 Phishing Campaign Spoofs eFax Via Compromised Dynamics Voice Account

SolarWinds CISO Tim Brown explains how organizations can prepare for eventualities like the nation-state attack on his company’s software.

On Dec. 8, 2020, FireEye announced the discovery of a breach in the SolarWinds Orion software while it investigated a nation-state attack on its Red Team toolkit. Five days later, on Dec. 13, 2020, SolarWinds posted on Twitter, asking "all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability." It was clear: SolarWinds — the Texas-based company that builds software for managing and protecting networks, systems, and IT infrastructure — had been hacked.

More worrisome was the fact that the attackers, which US authorities have now linked to Russian intelligence, had found the backdoor through which they infiltrated the company's system about 14 months before the hack was announced. The SolarWinds hack is now almost 3 years old, but its aftereffects continue to reverberate across the security world.

Let's face it: The enterprise is constantly under threat — either from malicious actors who attack for financial gains or hardened cybercriminals who extract and weaponize data crown jewels in nation-state attacks. However, supply chain attacks are becoming more common today, as threat actors continue to exploit third-party systems and agents to target organizations and break through their security guardrails. Gartner predicts that by 2025, "45% of organizations worldwide will have experienced attacks on their software supply chains," a prediction that has created a ripple across the cybersecurity world and led more companies to start prioritizing digital supply chain risk management.

While this is the right direction for enterprises, the question still lingers: What lessons have organizations learned from a cyberattack that went across the aisle to take out large corporations and key government agencies with far-reaching consequences even in countries beyond the United States?

To better understand what happened with the attack and how organizations can prepare for eventualities like the SolarWinds hack, Dark Reading connected with SolarWinds CISO Tim Brown for a deeper dive into the incident and lessons learned three years on.

    

Tim Brown, CISO at SolarWinds

**1\. Collaboration Is Critical to Cybersecurity**

Brown admits that the very name SolarWinds serves as a reminder for others to do better, fix vulnerabilities, and strengthen their entire security architecture. Knowing that all systems are vulnerable, collaboration is an integral part of the cybersecurity effort.

"If you look at the supply chain conversations that have come up, they're now focusing on the regulations we should be putting in place and how public and private actors can better collaborate to stall adversaries," he says. "Our incident shows the research community could come together because there's so much going on there."

After standing at the frontlines of perhaps the biggest security breach in recent years, Brown understands that collaboration is critical to all cybersecurity efforts.

"A lot of conversations have been ongoing around trust between individuals, government, and others," he says. "Our adversaries share information — and we need to do the same."

**2\. Measure Risk and Invest in Controls**

No organization is 100% secure 100% of the time, as the SolarWinds incident demonstrated. To bolster security and defend their perimeters, Brown advises organizations to adopt a new approach that sees the CISO role move beyond being a business partner to becoming a risk officer. The CISO must measure risk in a way that's "honest, trustworthy, and open" and be able to talk about the risks they face and how they are compensating for them.

Organizations can become more proactive and defeat traps before they are sprung by using artificial intelligence (AI), machine learning (ML), and data mining, Brown explains. However, while organizations can leverage AI to automate detection, Brown warns there's a need to properly contextualize AI.

"Some of the projects out there are failing because they are trying to be too big," he says. "They're trying to go without context and aren't asking the right questions: What are we doing manually and how can we do it better? Rather, they're saying, 'Oh, we could do all of that with the data' — and it's not what you necessarily need."

Leaders must understand the details of the problem, what outcome they are hoping for, and see if they can prove it right, according to Brown.

"We just have to get to that point where we can utilize the models on the right day to get us somewhere we haven't been before," he says.

**3\. Remain Battle-Ready**

IT leaders must stay a step ahead of adversaries. However, it's not all doom and gloom. The SolarWinds hack was a catalyst for so much great work happening across the cybersecurity board, Brown says.

"There are many applications being built in the supply chain right now that can keep a catalog of all your assets so that if a vulnerability occurs in a part of the building block, you will know, enabling you to assess if you were impacted or not," he says.

This awareness, Brown adds, can help in building a system that tends toward perfection, where organizations can identify vulnerabilities faster and deal with them decisively before malicious actors can exploit them. It's also an important metric as enterprises edge closer to the zero-trust maturity model prescribed by the Cybersecurity and Infrastructure Security Agency (CISA).

Brown says he is hopeful these lessons from the SolarWinds hack will aid enterprise leaders in their quest to secure their pipelines and remain battle-ready in the ever-evolving cybersecurity war.

Nearly 3 Years Later, SolarWinds CISO Shares 3 Lessons From the Infamous Attack

Increasing complexity in IT continues to lead to breaches and compromises, highlighting the need for more holistic approaches to cyber protection.

**SCHAFFHAUSEN, Switzerland, Aug. 24, 2022** (GLOBE NEWSWIRE) — Today, Acronis, a global leader in cyber protection, unveiled its midyear cyber threats report, conducted by Acronis' Cyber Protection Operation Centers, to provide an in-depth review of the cyber threat trends the company's experts are tracking. The report details how ransomware continues to be the No. 1 threat to large and midsize businesses, including government organizations, and underlines how overcomplexity in IT and infrastructure leads to increased attacks. Nearly half of all reported breaches during the first half of 2022 involved stolen credentials, which enable phishing and ransomware campaigns. Findings underscore the need for more holistic approaches to cybersecurity.

To extract credentials and other sensitive information, cybercriminals use phishing and malicious emails as their preferred infection vectors. Nearly 1% of all emails contain malicious links or files, and more than one-quarter (26.5%) of all emails were delivered to the user's inbox (not blocked by Microsoft365) and then were removed by Acronis email security.

Moreover, the research reveals how cybercriminals also use malware and target unpatched software vulnerabilities to extract data and hold organizations hostage. Further complicating the cybersecurity threat landscape is the proliferation of attacks on nontraditional entry avenues. Attackers have made cryptocurrencies and decentralized finance systems a priority of late. Successful breaches using these various routes have resulted in the loss of billions of dollars and terabytes of exposed data.

These attacks are able to be launched due to overcomplexity in IT, a common problem throughout businesses as many tech leaders assume more vendors and programs lead to improved security when the inverse is actually true. Increased complexity exposes more surface area and gaps to potential attackers, keeping organizations vulnerable to potentially devastating damage.

"Today's cyber threats are constantly evolving and evading traditional security measures," said Candid Wüest, Acronis VP of Cyber Protection Research. "Organizations of all sizes need a holistic approach to cybersecurity that integrates everything from anti-malware to email-security and vulnerability-assessment capabilities. Cybercriminals are becoming too sophisticated and the results of attacks too dire to leave it to single-layered approaches and point solutions."

**Critical Data Points Reveal Complex Threat Landscape**  
As reliance on the cloud increases, attackers have homed in on different entryways to cloud-based networks. Cybercriminals increased their focus on Linux operating systems and managed service providers (MSPs) and their network of SMB customers. The threat landscape is shifting, and companies must keep pace.

Ransomware is worsening, even more so than we predicted.

Ransomware gangs, like Conti and Lapsus$, are inflicting serious damage.

The Conti gang demanded $10 million in ransom from the Costa Rican government and has published much of the 672 GB of data it stole.

Lapsus$ stole 1 TB of data and leaked credentials of over 70,000 NVIDIA users. The same gang also stole 30 GB worth of T-Mobile's source code.

The U.S. Department of State is concerned, offering up to $15 million for information about the leadership and co-conspirators of Conti.

The use of phishing, malicious emails and websites, and malware continues to grow.

Six hundred malicious email campaigns made their way across the internet in the first half of 2022.

58% of the emails were phishing attempts.

Another 28% of those emails featured malware.

The business world is increasingly distributed, and in Q2 2022, an average of 8.3% of endpoints tried to access malicious URLs.

More cybercriminals are focusing on cryptocurrencies and decentralized finance (DeFi) platforms. By exploiting flaws in smart contracts or stealing recovery phrases and passwords with malware or phishing attempts, hackers have wormed their way into crypto wallets and exchanges alike.

Cyberattacks have contributed to a loss of more than $60 billion in DeFi currency since 2012.

$44 billion of that vanished during the last 12 months.

Unpatched vulnerabilities of exposed services is another common infection vector — just ask Kaseya. To that end, companies like Microsoft, Google, and Adobe have emphasized software patches and transparency around publicly submitted vulnerabilities. These patches likely helped stem the tide of 79 new exploits each month. Unpatched vulnerabilities also tie into how overcomplexity is hurting businesses more than helping, as all these vulnerabilities serve as additional potential points of failure.

**Breaches Leave Financial, SLA Distress in Their Wake**  
Cybercriminals often demand ransoms or outright steal funds from their targets. But companies do not suffer challenges only to their bottom lines. Attacks often cause downtime and other service-level breaches, impacting a company's reputation and customer experience.

In 2021 alone, the FBI attributed a total loss of $2.4 billion to business email compromise (BEC).

Cyberattacks caused more than one-third (36%) of downtime in 2021.

The current cybersecurity threat landscape requires a multilayered solution that combines anti-malware, EDR, DLP, email security, vulnerability assessment, patch management, RMM, and backup capabilities all in one place. The integration of these various components gives companies a better chance of avoiding cyberattacks, mitigating the damage of successful attacks, and retaining data that might have been altered or stolen in the process.

You can download a copy of the full Acronis Midyear Cyberthreats Report 2022 and learn more here.

**About Acronis:**

Acronis unifies data protection and cybersecurity to deliver integrated, automated cyber protection that solves the safety, accessibility, privacy, authenticity, and security (SAPAS) challenges of the modern digital world. With flexible deployment models that fit the demands of service providers and IT professionals, Acronis provides superior cyber protection for data, applications, and systems with innovative next-generation antivirus, backup, disaster recovery, and endpoint protection management solutions powered by AI. With advanced anti-malware powered by cutting-edge machine intelligence and blockchain-based data authentication technologies, Acronis protects any environment — from cloud to hybrid to on-premises — at a low and predictable cost.

Founded in Singapore in 2003 and incorporated in Switzerland in 2008, Acronis now has more than 2,000 employees in 34 locations in 19 countries. Acronis Cyber Protect solution is available in 26 languages in over 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.

Acronis' Midyear Cyberthreats Report Finds Ransomware Is the No. 1 Threat to Organizations, Projects Damages to Exceed $30 Billion by 2023

Avoid the disconnect between seeing the value in threat modeling and actually doing it with coaching, collaboration, and integration. Key to making it "everybody's thing" is communication between security and development teams.

Threat modeling is a highly effective means of securing software and applications, yet very few organizations actually do it. In today's computing and security environment, however, threat modeling is more necessary than ever.

Cloud-based distributed systems and cross-functional, agile software development teams have replaced monolithic systems built and operated by siloed teams. Along the way, software has become much more complex — and so have the threats. Threat actors have changed tactics to get around traditional means of detection. Many attacks no longer deliver malware, for example, instead focusing on credential compromises. And attackers can sit inside company networks for months before acting. IBM's "Cost of a Data Breach Report" found that it takes an average of 287 days for organizations to identify and contain a breach.

Companies do recognize the need. A 2021 Security Compass study found that 79% of the midsize and large enterprises view threat modeling as a priority, but only 25% conduct modeling during the early design phases. And only 10% perform threat modeling on 90% of the applications they develop.

As an industry, we need to make threat modeling a standard practice in software development, introduced in a way that both development and security teams can work with, and implemented in a way that shows positive results and improvement over time. And it all starts with a word you might not hear a lot in IT ops and security circles: empathy.

**A Cultural Change**

There are a number of reasons for the disconnect between seeing the value in threat modeling and actually doing it, including a lack of communication between security and development teams, and a tendency to give up on threat modeling if initial efforts become muddled and don't produce the desired results.

Too often, security teams can look at applying security controls as a one-way street between them and development teams, as simply a matter of telling developers what to do. But that's starting off on the wrong foot. Organizations need to recognize that each team has skills that the other can learn from. After all, if you put a security pro in the developer space, they'd be lost.

Changing this mindset requires a cultural shift, and it starts with viewing empathy as a value proposition. The human side of this needs to come to the forefront, getting more people involved in enriching our knowledge. Security teams need to appreciate the environment developers work in, under pressure to develop and deliver software rapidly. Dev teams can help security teams understand frameworks such as containers and how to control access, knowledge which can be applied to security policies.

When teams get collaboration going back and forth, they're learning from each other. It will take time to get to that point. It might start in meetings or a process integration, perhaps working through a bit of trial-and-error, and eventually move into tool integration. When they get to the level of maturity where everybody has a basic understanding of each other's domains, they can then move to more advanced levels of threat modeling, such as modeling knowledge bases and creating graphs of concepts that map together.

But it needs a stable process, or it gets expensive and chaotic, resulting in messy people issues.

**3 Steps to Better Threat Modeling**

There are three key elements to creating a collaborative atmosphere.

**Coaching****:** This helps developers understand the importance of threat modeling. It can start with onboarding new employees. Regardless of their background and certifications, don't assume they know how security is handled at your company. Make sure they understand the culture.

**Collaboration****:** A culture of cooperation and collaboration begins with a company's leadership, with a CISO having the attitude of wanting to serve the teams. It can take time, but it should be modeled at the leadership level.

**Integration****:** The elements of cooperation come together working on integrations, which is an ongoing process. The goal isn't perfection, but to improve and evolve over time.

A key to making this approach work is applying metrics, specifically by looking at outcomes, such as "reducing vulnerabilities" — as opposed to trying to grade the details of how individuals work. Outcomes are not a developer or security thing, it's everybody's thing.

I've found in my experience that it's useful to have clear 30-, 60-, and 90-day plans, describing the expected outcome at each stage. The plans should demonstrate incremental growth and be done collaboratively. If These outcomes should be measured, or you end up drifting aimlessly.

**Empathy Is the Key**

As a security community, it's our responsibility to help developers embrace threat modeling. It's not us versus them. We need to get them to think about security, and threat modeling, as part of an integrated approach that evolves over time.

Empathy as a management technique can help create that environment. Some people may think empathy means no accountability — that understanding someone's position and thoughts is somehow soft — but it actually produces the opposite result. It develops the collaboration that we so desperately need.

Why Empathy Is the Key to Better Threat Modeling

Three of the world's leading browsers were measured for phishing and malware protection, with time to block and protection over time as key metrics in test scores.

**AUSTIN, Texas – Aug. 16, 2022** — CyberRatings.org, the nonprofit entity dedicated to providing transparency on cybersecurity product efficacy, has published the results of its 2022 Web Browser Security Test. Google Chrome, Microsoft Edge, and Mozilla Firefox were tested for Phishing Protection and Malware Protection running on Windows 10 and 11.

The Malware tests ran for 24 days with 96 discrete test runs. Phishing tests ran for 20 days with 80 discrete test runs. The reports include measurements of protection against fresh new attacks, consistency of protection over time, and how effective the browser protection was overall.

The ability to warn potential victims that they are about to land on a malicious website or click on a suspicious URL puts web browsers in a unique position to protect the user from an attack. Websites that trick users into downloading malware and phishing campaigns often used for criminal activity have short lifespans, so it is essential that the URL is discovered and added to the reputation system as quickly as possible. A good reputation system must be both accurate and fast to achieve high catch rates.

"Phishing attacks pose a significant risk to individuals and organizations by threatening to compromise or acquire sensitive personal and corporate information," said Vikram Phatak, CEO of CyberRatings.org. "Phishing and Ransomware attacks continue to rise year over year. Consumers should not override the warnings offered by their web browser protection but instead take advantage of the free offering."

*   Malware protection:

*   Microsoft Edge – 97.0%
*   Google Chrome – 88.4%
*   Mozilla Firefox – 84.6%

*   Phishing protection:

*   Microsoft Edge – 91.6%
*   Mozilla Firefox – 90.0%
*   Google Chrome – 89.6%

*   Average time to block a URL from malware:

*   Microsoft Edge 0:56:51
*   Google Chrome 4:46:39
*   Mozilla Firefox 5:18:40

*   Average time to block a phishing URL:

*   Microsoft Edge 0:44:07
*   Mozilla Firefox 1:23:37
*   Google Chrome 2:19:13

The Comparative Test Reports provide detailed results for each product. As a service to the community, CyberRatings.org is providing these reports for free.

**The following browsers were tested:**  

*   Google Chrome: Version 101.0.1210.53 - 102.0.5005.115
*   Microsoft Edge: Version 101.0.1210.47 - 102.0.1254.39
*   Mozilla Firefox: Version 100.0.1 - 101.0.1

**Additional Resources**

*   Follow CyberRatings.org on Twitter
*   Follow CyberRatings.org on LinkedIn

**About CyberRatings.org**

CyberRatings.org is a nonprofit 501(c)6 entity dedicated to quantifying cyber-risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CyberRatings.org Announces New Web Browser Test Results for 2022

New research report reveals financial organizations are failing to act despite majority experiencing a firmware-related breach.

**Portland, Ore. – Aug. 23, 2022** – Eclypsium® and Vanson Bourne today released a new report that reveals the financial sector is ill-equipped to effectively tackle the ongoing threat of firmware-related supply chain attacks. In fact, 92% of CISOs in finance believe adversaries are better equipped at weaponizing firmware than their teams are at securing it. Additionally, three out of four acknowledge gaps in awareness concerning the organization's firmware blind spot. Consequently, 88% of those surveyed admit to experiencing a firmware-related cyberattack in the last two years alone.

The Firmware Security in Financial Services Supply Chains report shares insights from 350 IT security decision-makers in the financial sector, specifically those based in the US, Canada, Singapore, Australia, New Zealand, and Malaysia. The findings not only expose the state of firmware security and the lack of preventive controls or remediation tactics, but also shed light on the complacency and lack of awareness regarding current security measures. More alarming is the consensus around little-to-no dedicated investment or resources, and general lack of skills to tackle one of the biggest threats in cybersecurity today. Data shows:

*   Over half (55%) were victims of a firmware-level compromise more than once in the past two years.
*   Almost four in 10 rate data loss (and a GDPR breach) as the leading consequence for an attack; equally ranked is the fear of losing critical security controls.
*   Destruction of critical devices (35%), customer loss (34%) and adversary access to other devices (34%) were all equally noted as a detrimental impact following a firmware-related attack.

"Financial Services organizations are leading targets of cyberattacks. That explains why they are vanguards for adopting new protection technologies, all while under the constant watchful eye of regulators and other industries waiting to follow their lead as they strive to combat ever evolving attack vectors. Yet in the case of securing firmware and the hardware supply chain, we are seeing potential blind spots," said Ramy Houssaini, Global Cyber Resilience Executive. "A shift in priorities is critical if we are going to effectively protect the technology supply chain. Financial organizations must continue to serve as trailblazers and close the firmware security gap."

**Financial Organizations Lack Firmware Risk Insights to Act**

According to the National Institute of Standards and Technology (NIST), firmware level attacks have soared by 500% since 2018, yet 93% of respondents are surprised by the lack of insight into current firmware threats. In the last eight months alone, Eclypsium Research has uncovered major in-the-wild threats, including Intel ME attacks by the Conti ransomware group. Unfortunately, the lack of insight stems from considerable gaps in knowledge of firmware and the supply chain. In fact:

*   Slightly over half (53%) know that their security controls (firewalls, access controls, etc.) rely on firmware, 44% are aware when asked the same question about laptops, leaving 56% uninformed.
*   47% believe they have total awareness of their organization's overall firmware attack surface, 49% are mostly aware. Only 39% say they would be immediately informed if a device had been compromised.

Despite the perceived knowledge, 91% are concerned about the gap in firmware security in their organization's supply chain.

**Misconceptions, Limited Funds and Lack of Skills/Resources are Driving Surge**

Firmware is the most fundamental component of any device and thus, the overall supply chain, yet it remains the most overlooked and dismissed part of the technology stack — creating a perfect catalyst for an attack. Four in five agree that firmware vulnerabilities are on the rise and close to all (93%) state that securing firmware should be an urgent priority. To move the needle, financial organizations nearly unanimously believe an increase in investment and resources is imperative. Positively, respondents anticipate an 8.5% increase in IT security budget dedicated to firmware in the next 1-2 years. In addition to these factors for success, these organizations must also dispel myths around current technologies and methods that are creating a false sense of security, such as:

*   Vulnerability management solutions (81%) and/or their endpoint detection and response (EDR) programs can identify firmware vulnerabilities and assist in remediation (83%).
*   Threat modeling exercises are a reliable source of knowledgeable insight into potential firmware gaps, according to 37% of respondents, 57% state using the process some of the time. Interestingly, 96% report their organization's threat modeling exercises do not match today's threat landscape.
*   12 hours is the average time for IT teams to respond to a firmware-based attack, with respondents attributing lack of knowledge (39%) and limited resources (37%) as the top reasons for the unduly length of time. 71%, though, claim budget is not a factor.

"Based on the onslaught of firmware-related attacks over the recent months, it's evident that adversaries are not having to work hard enough to exploit flaws in the technology supply chain. Unfortunately, our research data represents a regression that is purely driven by lack of awareness and the inaction driven by 'out of sight, out of mind,' " said Yuriy Bulygin, CEO and Co-Founder of Eclypsium. "New government directives and initiatives such as CISA's Known Exploited Vulnerabilities Catalog and its Binding Operational Directive are calls for immediate action to better safeguard the critical firmware layer of the supply chain. Progression might be slow, but we are moving in the right direction."

**ABOUT ECLYPSIUM**

Eclypsium's cloud-based platform identifies, verifies, and fortifies firmware in laptops, servers, network gear, and connected devices. The Eclypsium platform secures your device supply chain by monitoring devices for threats, critical risks, and patching firmware across the entire device fleet. For more information, visit eclypsium.com.

**About Vanson Bourne**

Vanson Bourne is an independent specialist in market research for the technology sector. Their reputation for robust and credible research-based analysis is founded upon rigorous research principles and their ability to seek the opinions of senior decision makers across technical and business functions, in all business sectors and all major markets. For more information, visit www.vansonbourne.com.

Report: Financial Institutions Are Overwhelmed When Facing Growing Firmware Security and Supply Chain Threats

Almost half of teams develop and deploy software using a DevSecOps approach, but security remains the top area of investment, a survey finds.

Software developers and operations teams continue to adopt DevOps and other agile methodologies as well as automation and low-code services, but they still struggle with security, the fallout of the COVID-19 pandemic, and a shortage of skilled security workers, according to a newly published annual survey from GitLab.

DevSecOps results in better code quality, higher developer productivity, and improved operational efficiency, according to the survey of more than 5,000 software developers, operations specialists, and application security professionals. Security still is a problem, however. While more than half (57%) of those surveyed considered security to be a performance metric, nearly the same number said it was "difficult to get devs to actually prioritize fixing code vulnerabilities."

The survey conducted by the toolchain provider underscores that all participants in the development and deployment process still need to improve the communications and relationships between groups, says Johnathan Hunt, vice president of information security and cybersecurity at GitLab.

"Getting developers and security professionals to work better together requires a culture-first approach to software development through the creation of a DevOps culture," Hunt says. "A DevOps platform lends itself well to this approach by granting organizations seamless collaboration across DevSecOps teams, shared ownership of security and compliance, and strategic uses of technologies such as automation and AI/ML."

**Mix and Match**

The survey found that no single dominant approach to software development exists, and most teams use a mix of approaches. While a majority of development teams (47%) used DevOps and DevSecOps, other agile approaches accounted for significant shares as well: 34% of teams used Scrum, 24% used Kanban, and 29% used Lean methodologies. Teams even expanded their use of Waterfall development, with more than a quarter (26%) adopting that approach.

"DevOps teams are not limiting themselves to any one way of working," Hunt says. "They are flexible and willing to adjust their approaches to meet various business and project needs."

The increase in agile approaches to software development and deployment has resulted in faster deployment of software. Seven in 10 survey respondents said their teams deploy at least once every few days or more frequently, a jump of 11 points from 2021. Integrating automated testing, deployment, and security controls into the development pipeline is a key factor in speeding application deployment, with nearly half (47%) of teams asserting that their testing is fully automated today, up from 25% in 2021.

The adoption of low-code and no-code APIs for development has also made teams more efficient. Two-thirds (66%) of survey takers are using at least one low-code or no-code tool in their DevOps practice, a significant increase from the 25% of those surveyed in 2021.

Yet the expanding number of options for development, deployment, and securing of software has resulted in more confusion, leading DevOps teams to look to simplify their pipeline and toolsets, GitLab's study found. While 44% of DevOps teams use two to five tools to manage the software development process, 41% use between six and 10 tools.

"That's a lot of tools, and 69% of survey takers told us they'd like to consolidate their toolchains," GitLab stated in the survey report.

**AI and Machine Learning 'On the Rise'**

Artificial intelligence and machine-learning technologies have seen mixed adoption among developers and application-security specialists. While AI/ML is at the bottom of the list of priorities for developers' future careers, a majority of security pros (54%) said AI/ML will help them most in their future careers. AI/ML particularly suits the security domain. For example, AI/ML systems can be trained to detect and respond to threats, generate alerts, and trigger rule sets.

"But AI/ML is far from falling off of developers' radars. In fact, its use is on the rise," Hunt says, adding: "This is especially helpful when it comes to detecting and defending against attacks and malicious actors, since security professionals cannot watch every packet and connection that transverses a network."

Security continues to take a larger role in the software development pipeline, with 57% of companies shifting security responsibility "left" and making developers more responsible for the vulnerabilities in their code. Yet there is still a ways to go, with a significant number of developers blaming security for delays and the division of responsibility for software security very much in flux.

"While dev and ops are taking on a larger share of security ownership, it's not so straightforward on the sec team," GitLab stated in the report. "In 2020 and 2021, the percentage of security pros who said they were fully responsible for security was roughly the same as those who said everyone was responsible."

DevSecOps Gains Traction — but Security Still Lags

M&A activity in the identity and access management (IAM) space has continued at a steady clip so far this year.

Two recent financial transactions worth billions — both involving private equity firm Thoma Bravo — have highlighted the continued and strong interest among investors and other technology vendors in the identity and access management (IAM) market.

Thoma Bravo last week completed its previously announced purchase of identity security services provider SailPoint Technologies in an all-cash transaction valued at around $6.9 billion. At completion of purchase, the company was delisted from the New York Stock Exchange and stockholders were entitled to receive $65.25 in cash per share of the company's common stock. SailPoint is now a privately held entity.

Earlier this month, Thoma Bravo also announced its intention to acquire federated ID management firm Ping Identity for $2.8 billion. That transaction is expected to close in the fourth quarter. At that time, Ping, too, will go from being a publicly listed company to a private entity under the Thoma Bravo umbrella. Ping's current stockholders will receive $28.50 in cash per share of common stock.

**Substantial Premiums**

Thoma Bravo paid a substantial premium for both firms. The $65.25 per share of common stock that it offered for SailPoint when it first announced plans to acquire the firm in April represented a more than 31% premium on SailPoint's share price at the time. Similarly, Thoma Bravo's offer for Ping Identity represented a premium of more than 63% of the identity vendor's closing share price at the time of the offer in early August.

The premiums reflect the growing value that investors and other technology firms have begun attaching to IAM firms over the past two years. Much of it is being driven by the realization that companies moving to the cloud and supporting more distributed workforces also require new approaches to IAM.

**Cloud Migration Driving IAM Demand**

"Identity is core to digital transformation," says Richard Stiennon, chief research analyst at IT-Harvest. "Enterprises are looking closely at identity because they are moving to a zero-trust approach as they transition to the cloud."

Stiennon says that as enterprises move to the cloud, there is an opportunity for them to consolidate their IAM platforms. New and simpler ways to handle identities and authentication have become available which give enterprise organizations a way to consolidate their identity infrastructures in the cloud, he says.

Accelerated cloud adoption is also giving identity-security vendors a window of opportunity to broaden their footprint in a market that Microsoft has dominated since introducing Active Directory more than two decades ago, Stiennon notes. 

"Thoma Bravo is making opportunistic moves," he says, adding that a recent and general decline in cybersecurity stock valuations has created a great buying opportunity for the company.

"It raised a $22.8 billion fund two years ago, and it is putting that capital to work" through strategic investments like those involving SailPoint and Ping, he says.

**Near Doubling of Market Size in Next Five Years**

MarketsandMarkets has estimated that global demand for IAM technologies will grow from around $13.4 billion in 2022 to some $25.6 billion by 2027. The market research firm has identified several factors as driving this growth including the aforementioned proliferation of cloud-based IAM technologies and services, rapid adoption of hybrid cloud models, and an overall increase in cybersecurity spending post-COVID-19. 

Others, such as Jupiter Research, have estimated similar growth. The analyst firm has predicted that the IAM market will top $26 billion in 2027, driven largely by purchases by small businesses that hitherto have not made big investments in IAM platforms. The growing proliferation of relatively inexpensive software-as-a-service (SaaS) and cloud subscription services for identity management is making it possible for this segment to make these new investments, the research firm said.

Thoma Bravo's latest acquisitions add to the rapid growing portfolio of cybersecurity vendors that the private equity firm now owns. Other major acquisitions in the last few years include Proofpoint, McAfee, LogRhythm, Imperva, Sophos, and Veracode.

However, the company is just one of several that have snapped up IAM vendors just this year alone. Examples of others who have made similar investments include Vectra AI's purchase of identity security and cloud posture management vendor Siriux Security Technologies in January; SentinelOne's March purchase of Attivo Networks for $616 million in cash; and Avast's purchase of SecureKey for an undisclosed sum in April.

Stiennon says there has also been substantial funding activity in the IAM space. So far this year, there has been a total of $1.4 billion invested in 18 identity vendors, he says. 

"Last year saw $2.8 billion in 44 companies, and 2020 saw $2.6 billion in 48 vendors. I expect the pace of investments in IAM to continue at current levels or increase over the next two years," he says. Stiennon estimates there are some 400 vendors in the identity space overall currently. Forty of them have more than 400 employees.

Source

DARKReading