Anywhere work comes with all-around security risks. When HP moved its workforce of 70,000 employees and contractors to a hybrid model, the umbrella of devices it had to protect expanded exponentially.

HP had to ensure that they could:

Meet today’s rising security challenges

Guard employee data

Make layers of security transparent and automated

Keep software up to date

Ensure security policy compliance

How HP achieved it

The HP CISO and security team looked to the company’s own extensive arsenal of services and chose the HP Adaptive Endpoint Management, HP Sure Click Enterprise, and HP Wolf Security components to protect its growing hybrid work environment.

Automated security policies

HP Adaptive Endpoint Management helps automate security updates from the cloud. When a cyberthreat is on the horizon, employees no longer have to wait until they are back on a corporate network—they can get the latest patches and upgrades from anywhere. Adaptive Endpoint Management enabled HP to rationalize its device management practices by streamlining policy management and using a corporate-ready device image.

Vigilant protection for end users

HP Sure Click Enterprise isolates key applications in their own micro-virtual containers—trapping and deleting risky programs, viruses, and malware as soon as the task is closed, keeping them from infecting the PC or network.

Built-in device protections

HP Wolf Security provides hardware-enforced full stack security that works below, in, and above the OS. IT departments are better able to improve lifecycle management as well as incident and disaster recovery while helping security teams minimize risk and increase team productivity—without interruption to employees.


Remote Work, Security

As campus networks continue to evolve, CIOs face a new hurdle in ensuring top-notch security measures. The importance of Wi-Fi technology cannot be overstated, as visitors and employees rely on it for seamless connectivity while on campus. However, CIOs and their teams are challenged not only with addressing security threats but also with troubleshooting an extensive network of personal devices. Protecting enterprise environments has never been more necessary or more intricate.

According to a 2021 report by Positive Technologies, 97% of enterprise Wi-Fi networks are vulnerable to attack. The most common vulnerabilities include weak passwords, unpatched software, and the use of insecure protocols.

In a survey of IT professionals conducted by Cybersecurity Insiders in 2020, 84% reported that their organizations had experienced a Wi-Fi-related security breach in the previous 12 months. The same survey found that 60% of organizations do not use encryption to protect Wi-Fi communications, and 53% do not use secure passwords.

The 2021 Verizon Data Breach Investigations Report found that 26% of data breaches involved the use of stolen credentials, which can be obtained through phishing or through man-in-the-middle interception on untrusted Wi-Fi.

Overall, these statistics highlight the importance of taking Wi-Fi security seriously in enterprise environments and implementing strong security measures to protect against potential risks.

Thankfully, Passpoint can address some of the top challenges IT leaders face today by enhancing security and automating time-consuming Wi-Fi management processes.

What is Passpoint?

Passpoint is based on the IEEE 802.11u standard and is the brand name of the Wi-Fi Alliance’s Hotspot 2.0 certification program, Wi-Fi CERTIFIED Passpoint®. It is an industry-wide solution that streamlines Wi-Fi access and eliminates the need for users to find and authenticate to a network each time they visit.

Passpoint grants instant, secure Wi-Fi access to users after a one-time provisioning of the Passpoint profile on their mobile device. From then on, enabled devices automatically connect to the organization’s network whenever they arrive at any campus.

Passpoint also enhances security without complicating the onboarding process. It uses IEEE 802.1X for user authentication, with EAP-TLS among the supported methods. EAP-TLS provides certificate-based authentication, the gold standard of authentication, and so reduces the risk of credential theft and data breaches. One check a practitioner should insist on: the authentication is only mutual if the provisioned profile also validates the RADIUS server’s certificate against a trusted CA and an expected server name; a profile that skips that validation will complete the handshake with any network that presents a certificate.
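As an added illustration, not Cloud4Wi’s or the Wi-Fi Alliance’s configuration, this is what a provisioned Passpoint credential looks like on a Linux client running wpa_supplicant. The realm, user name, server name and file paths are placeholders; the global interworking, hs20 and auto_interworking switches and the cred block fields are wpa_supplicant’s own. The two lines that turn EAP-TLS into mutual authentication are ca_cert (without it wpa_supplicant does not verify the server certificate at all) and domain_suffix_match (which pins the dNSName the server certificate must carry).

```conf
# Global switches: enable IEEE 802.11u Interworking, Hotspot 2.0 (Passpoint)
# and automatic network selection from ANQP information.
interworking=1
hs20=1
auto_interworking=1

# Passpoint credential, provisioned once on the device.
# realm/domain drive network selection against the NAI realms the access
# point advertises; eap=TLS forces certificate-based authentication.
# Values below are placeholders, not taken from the article.
cred={
    realm="corp.example.com"
    username="jdoe@corp.example.com"
    domain="corp.example.com"
    eap=TLS
    client_cert="/etc/wpa_supplicant/jdoe.pem"
    private_key="/etc/wpa_supplicant/jdoe.key"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    domain_suffix_match="radius.corp.example.com"
}
```

If the profile is pushed by an MDM rather than written by hand, the same two properties still apply: the trusted CA and the expected server name must be part of the profile, otherwise an attacker running a rogue access point with any valid-looking certificate can get the device to associate.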

Finally, Passpoint has the ability to support emerging technologies, such as the Internet of Things (IoT), that are expected to drive the next wave of digital transformation and will require a secure and seamless network infrastructure.

Enabling hybrid work practices

The practice of bringing your own device (BYOD) has been around for years in office spaces and the shift to hybrid work around the world has accelerated the trend. However, employees and visitors face several problems when connecting to traditional enterprise Wi-Fi, such as needing or losing a password, losing connectivity when logging back into a laptop, or onboarding personal devices into the network, thus putting the organization’s network at risk.

The aforementioned onboarding issues can result in a great deal of time wasted—both by users trying to resolve the issues and IT teams trying to help. Fortunately, Passpoint solves these onboarding issues by supercharging the Wi-Fi security and experience in this new highly mobile and agile working environment.

IT teams can quickly onboard all “unmanaged” devices, with peace of mind. By automating Wi-Fi onboarding in a secure way, Passpoint can have a positive impact on IT teams’ morale through improving user satisfaction and increasing productivity, as employees are not wasting time trying to connect to Wi-Fi or troubleshoot connection issues.

Focusing on digital transformation

In today’s fast-paced tech world, it can be overwhelming for CIOs and their teams to stay on top of the latest cloud technologies, virtual reality, and machine learning advancements. They are constantly learning and mastering new skills just to keep up.

By embracing Passpoint, CIOs can safeguard company data while reducing the burdensome tasks of their IT team that can work more efficiently and happily. This way, CIOs can devote their attention to defining and executing higher-value strategic initiatives, aligning their efforts with business objectives.

It is imperative for CIOs to prioritize Passpoint adoption if they wish to expedite their digital transformation journey and prepare their organization for the future.


Security

In the first use case of this series, Stay in Control of Your Data with a Secure and Compliant Sovereign Cloud, we looked at what data sovereignty is, why it’s important, and how sovereign clouds solve for jurisdictional control issues. Now let’s take a closer look at how data privacy and sovereignty regulations are driving security, privacy, and compliance.

Data Privacy and Security

The EU’s GDPR has formed the basis of data privacy regulations not just in the EU but around the world. A key principle of the regulation is the secure processing of personal data. The UK GDPR states that security measures must ensure the confidentiality, integrity, and availability of data (known in cybersecurity as the CIA triad) and protect against accidental loss, destruction, or damage.1

Restricting access to sensitive and restricted data is a crucial aspect of data security, along with ensuring trust and flexibility for portability needs. 

Sovereign clouds are built on an enterprise-grade platform and customized by partners to meet local data protection laws, regulations, and requirements. Locally attested providers use advanced security controls to secure applications and data in the cloud against evolving attack vectors, ensuring compliance with data regulation laws and requirements to safeguard the most sensitive data and workloads.

Workloads that handle protected data should be micro-segmented with zero-trust enforcement, so that they cannot communicate with each other unless that traffic has been explicitly authorized, and the data itself should be encrypted to shield it from foreign access. This multi-layered approach secures data and applications in the sovereign cloud, keeping them safe from loss, destruction, or damage.

Sovereignty and Compliance

Data residency – the physical location where data (and metadata) is stored and processed – is a key aspect of data privacy and sovereignty regulations. Data residency laws require that data about a country’s residents be stored and processed within that country, and often that the company handling it operate locally, usually for regulatory or compliance reasons. For companies that hold customer data in multiple countries, keeping that data both secure and compliant becomes a challenge. A sovereign cloud helps minimize that risk and offers the more robust controls and trusted endpoints needed to keep data secure and compliant.

In addition, data residency requirements continue to evolve and vary by country or region. Multi-national companies frequently rely on in-country compliance experts to help ensure they’re following the latest rules correctly and to avoid significant fines and legal action. 

With VMware, we provide best-in-class enterprise-grade cloud, security, and compliance solutions that provide the ultimate platform for data choice and control.

“A law can change, and it can change your entire way of doing business,” one Fortune 500 CISO said.2  And with the ever-changing geopolitical landscape, platform flexibility is needed to minimize risk with self-attested, trusted code. VMware provides simpler lift-and-shift portability and interoperability, as well as greater compliance with local laws and regulations.

Faced with changing regulations, it’s not surprising that compliance is a top cloud challenge according to 76% of organizations.3  One reason is a lack of skilled personnel. A recent survey from ISACA found that 50% of respondents said they experienced skills gaps in compliance laws and regulations, as well as in compliance frameworks and controls. Another 46% are dealing with a gap in privacy-related technology expertise.4

With these challenges, it’s not surprising that 81% of decision-makers in regulated industries have repatriated some or all data and workloads from public clouds.5  Some have moved data back on-premises, whereas others are using hybrid cloud architectures. 

With VMware Sovereign Cloud, solutions are provided by locally attested partners who provide full-service, sovereign solutions and ensure that compliance is achieved, implemented and configured. Sovereign cloud meets data residency requirements with local data centers to contain all regulated data, including metadata, and you can respond faster to data privacy rule changes, security threats, and geopolitics with a flexible cloud architecture and knowledgeable local experts.


Next, we’ll explore data access and integrity, and how that can ignite innovation.

Sources:
1. UK Information Commissioner’s Office, Guide to the General Data Protection Regulation (GDPR): Security, accessed June 2022
2. CSO, Data residency laws pushing companies toward residency as a service, January 2022
3. Flexera, 2022 State of the Cloud Report
4. ISACA, Privacy in Practice 2022, March 2022
5. IDC, commissioned by VMware, Deploying the Right Data to the Right Cloud in Regulated Industries, June 2021

Cloud Management, IT Leadership

In a recent article, we discussed the connection between digital transformation, innovation, and rising IT complexity. And we noted that complexity presents a big challenge to cybersecurity teams. Nevertheless, organizations have armed themselves with a litany of best-of-breed tools to tackle their most pressing security challenges. Many large enterprises use upwards of 40 to 50 tools — all best-of-breed point solutions. This is tool proliferation in the extreme — popularly known as “tool sprawl.”

Bradley Schaufenbuel, the CISO of Paychex, a provider of payroll services for small businesses, says “tool sprawl” has become a major concern for IT and security teams. His own team finds new vulnerabilities from rogue software every day. If that software is not regularly updated, the attack surface grows exponentially.

“Unless the tools are sanctioned and inventoried, security teams are often unaware of their existence,” explains Schaufenbuel. “And a security team cannot secure what it doesn’t know exists.”

They cannot secure it; they cannot effectively manage it; and they cannot control the spiraling costs of maintaining a mismatched portfolio of security tools with overlapping capabilities.

Security tools can breed insecurity

The great irony of all of this complexity is that the very tools designed to protect the security of an organization may present the greatest cybersecurity threat, as the well-publicized SolarWinds supply-chain compromise, disclosed in December 2020, highlighted.

Many CIOs admit the tools in their security portfolio lack integration. According to an IBM study, this creates added cost and even more complexity, which ends up hindering an organization’s ability to detect and respond to breaches.

Moreover, problems with security tool sprawl don’t necessarily begin with IT departments. Instead, many security tools are one-time freeware installations by employees self-servicing their machines. But problems arise when licenses requiring corporations to pay for those applications kick in and block the use of the programs. Few users go the extra mile to actually remove them, creating additional potential cybersecurity vulnerabilities.

“Most security teams with dozens of tools will admit they don’t really know how well they’re working,” comments Chris Hughes, cybersecurity consultant, and university lecturer. “They’re spending a lot on these tools but can’t tell you if they’re getting value out of them. And that’s money they could have shifted to other resources, like bolstering their teams.”

Cost-effective security: certainty without complexity

In principle, companies invest in multiple tools because they have complementary capabilities, and the benefits they produce when assembled are greater than the sum of their parts. But Mark Settle, a former CIO for Okta and BMC Software, believes it often doesn’t work out that way. 

“In practice, tools may have overlapping capabilities, be difficult to administer, and come with underlying security vulnerabilities,” Settle notes.

So, how can IT operations and security teams tame tool sprawl, while reducing costs and protecting their organizations against the multitude of threats that circle them like hungry sharks?

One approach for organizations looking to counter tool sprawl and reduce costs is to deploy a single, authorized platform to handle multiple functions. This can streamline operations and improve security while also eliminating the attraction of shadow IT and rogue software solutions.

A unified platform can cut the cost of running, managing, and maintaining multiple security tools, while:

Improving the ability to cost-effectively meet tightening global regulatory and compliance mandates.

Addressing the pressure to make the right bets strategically when it comes to tooling and security practices.

Deploying patches automatically with greater efficiency.

Reducing the attack surface in the face of trends such as a growing remote workforce.

Meeting the renewal demands of cyber-insurance carriers for stricter mean time to patch and mean time to repair standards.

Consolidating tools without compromising security.

Simplifying the discovery, management, and protection of all assets within the IT estate.

Of course, abandoning tool sprawl for a platform approach, while sensible, will require buy-in from multiple stakeholders. In the meantime, here are three interim steps to improve security:

Scrutinize tool spending. Once an organization has a handle on tools, it needs to evaluate its investment in them. Technologists can become so obsessed with buying the latest and greatest tools they overlook the other tools they’ve already invested in. “Some of the CISOs I know challenge their teams to identify an existing tool that they’re willing to give up before approving the purchase of a new product or service,” says Settle. “That can be a highly effective way of limiting the sprawl.”

Inventory endpoints and software. Schaufenbuel’s team at Paychex did this as part of a larger effort to rationalize tool spending and consolidate its vendors. Some organizations will already have workflow or comprehensive endpoint management platforms deployed to help accomplish this. Also, look for anomalies as part of the process, not just knowing everything that’s installed on a network but also what seems to be installed in a more limited fashion — and why.

Strengthen access. It’s incredibly difficult to accurately assess what’s on a network if devices are not registered. Schaufenbuel recommends giving users an amnesty period to register tools so they can be continually hardened and updated, and if that doesn’t work, aggressively blocking or removing unsanctioned tools from company systems. “If a tool is legitimately useful, insist that it go through a vetting process to become sanctioned,” Schaufenbuel suggests.
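The inventory step above is where most of the leverage is, so here is an added example (not Paychex’s or Tanium’s code) of the triage a practitioner would run over an endpoint-management export. The inventory rows and the sanctioned and required package lists are constructed for the example; in practice they come from whatever platform exports installed software per host. It flags four things the steps above call for: software not on the sanctioned list, software installed “in a more limited fashion” (on a small fraction of hosts), version drift that signals unpatched stragglers, and hosts missing a required agent, which is the “cannot secure what it doesn’t know exists” case.

```python
"""Triage an installed-software inventory for tool sprawl and coverage gaps."""
from collections import defaultdict

# Constructed sample export of (host, package, version) rows; not real data.
INVENTORY = [
    ("ws-001", "osquery", "5.8.2"), ("ws-001", "crowdstrike-falcon", "7.04"),
    ("ws-001", "chrome", "120.0"), ("ws-001", "zoom", "5.17"),
    ("ws-002", "osquery", "5.8.2"), ("ws-002", "crowdstrike-falcon", "7.04"),
    ("ws-002", "chrome", "120.0"), ("ws-002", "zoom", "5.17"),
    ("ws-003", "osquery", "5.7.0"), ("ws-003", "crowdstrike-falcon", "7.04"),
    ("ws-003", "chrome", "120.0"), ("ws-003", "zoom", "5.17"),
    ("ws-003", "wireshark", "4.2.0"), ("ws-003", "freescan-trial", "1.0"),
    ("ws-004", "osquery", "5.8.2"), ("ws-004", "chrome", "119.0"),
    ("ws-004", "zoom", "5.17"),
    ("ws-005", "osquery", "5.8.2"), ("ws-005", "crowdstrike-falcon", "7.04"),
    ("ws-005", "chrome", "120.0"), ("ws-005", "zoom", "5.17"),
    ("ws-005", "oldav-free", "3.2"),
]

# Assumed policy lists: vetted tools, and agents every host must run.
SANCTIONED = {"osquery", "crowdstrike-falcon", "chrome", "wireshark"}
REQUIRED = {"osquery", "crowdstrike-falcon"}


def build_index(inventory):
    """Return (hosts, index) where index maps package -> {host: version}."""
    hosts = set()
    index = defaultdict(dict)
    for host, pkg, ver in inventory:
        hosts.add(host)
        index[pkg][host] = ver
    return hosts, dict(index)


def unsanctioned(index, sanctioned):
    """Packages present anywhere in the estate that were never vetted."""
    return sorted(p for p in index if p not in sanctioned)


def rare(index, hosts, max_fraction=0.2):
    """Packages on at most max_fraction of hosts: the 'installed in a more
    limited fashion' anomaly worth asking why about."""
    return sorted(p for p, where in index.items()
                  if len(where) / len(hosts) <= max_fraction)


def version_drift(index):
    """Packages running more than one version: likely unpatched stragglers."""
    return {p: sorted(set(where.values()))
            for p, where in index.items() if len(set(where.values())) > 1}


def missing_required(index, hosts, required):
    """Hosts that lack a required agent, i.e. blind spots for the security team."""
    gaps = {}
    for pkg in sorted(required):
        absent = sorted(hosts - set(index.get(pkg, {})))
        if absent:
            gaps[pkg] = absent
    return gaps


def triage(inventory, sanctioned=SANCTIONED, required=REQUIRED, max_fraction=0.2):
    """Run all four checks and return them as one report dict."""
    hosts, index = build_index(inventory)
    return {
        "unsanctioned": unsanctioned(index, sanctioned),
        "rare": rare(index, hosts, max_fraction),
        "version_drift": version_drift(index),
        "missing_required": missing_required(index, hosts, required),
    }


if __name__ == "__main__":
    for key, value in triage(INVENTORY).items():
        print(f"{key}: {value}")
```

On the sample data the report separates the cases the article describes: zoom is unsanctioned but everywhere (a candidate for vetting rather than removal), the two free scanners are both unsanctioned and rare (candidates for the amnesty-then-block treatment), wireshark is sanctioned but rare (expected for a network team), osquery and chrome show version drift, and ws-004 is running without the required EDR agent.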

Tanium’s Converged Endpoint Management (XEM) platform provides a significant return on investment. For example, ABB Americas’ estimated ROI of its investment in Tanium is $1.75 million.  


Digital Transformation

Gartner projects that spending on information security and risk management products and services will grow 11.3% to reach more than $188.3 billion this year. But despite those expenditures, there have already been at least 13 major data breaches, including at Apple, Meta and Twitter.

To better focus security spend, some chief information security officers (CISOs) are shifting their risk assessments from IT systems to the data, applications, and processes that keep the business going.

“If you look at security from a purely technical perspective, it’s easy to get lost in, ‘I need to have this shiny object because everyone else has it,’” says David Christensen, VP and CISO at benefits administration software provider PlanSource. “The reality is often the most popular or well-known new security solution can waste money and slow the business, especially if it doesn’t align with business goals. And even if it helps secure one part of the business, it may not be the part of the business or business process that creates the most risk or is most important.”

Don Pecha, CISO at managed services provider FNTS, agrees, adding: “Each business unit of the company might have unique considerations, and unique compliance, regulatory, or privacy applications, and each business may have unique risks for the board or C-suite to consider.”

Frank Kim, CISO-in-residence at venture capital firm YL Ventures and fellow at the SANS Institute, cites the case of one CISO who was fired after suggesting costly endpoint detection and response and incident response programs that were not considered stage-appropriate for such a startup. “Their focus was on survival and revenue growth,” Kim says. “He didn’t realize his job was not just to suggest a bunch of new security capabilities, but business enablement.”

A new definition of value

Aligning security with the business goes beyond traditional methods of justifying security spend, such as warning of consequences from hacks or trying to prove ROI. For internal enterprise security teams, Kim says to accept that security is a cost center and demonstrate how the CISO manages total cost of ownership over time. This might include updating CFOs and CEOs on specific cost reductions, such as reducing spend with a security vendor, finding a less expensive product to fill a security need, or improving internal metrics such as the average cost to mitigate a vulnerability, adds Tyson Kopczynski, SVP and CISO at financial services provider Oportun.

Christensen further suggests explaining how security can cut costs or increase productivity. For example, he says, web application firewalls don’t only protect applications but also cut networking costs by reducing spurious and malicious traffic. Likewise, adopting zero-trust architecture and secure access service edge technologies can boost productivity by freeing users from manually starting virtual private networks to reach resources, and from interrupted meetings when their VPN fails.

Kopczynski adds that CISOs can uncover such improvements with questions such as whether their organization is using all the functions in a security tool, if those features overlap with other tools, and whether the organization is paying too much for licenses or for too many licenses. Ways to maximize value include considering tools that perform multiple security functions, or running penetration tests, attack simulations, or offensive security campaigns that prove a tool can repel high impact attacks, he says. For example, he uses the Titaniam encryption engine to support several data protection use cases, as well as security tools provided by cloud providers such as Amazon and Microsoft. “We also look at generic cloud security solutions that provide multiple sets of protections, versus addressing one particular use case,” he says.

At global marketing agency and consulting firm The Channel Company, security considerations are deeply embedded in business strategy and budgeting, says CIO Rik Wright. This ranges from the need to meet the European Union’s GDPR to complying with security requirements from customers.

Averting threats is also part of the security value equation at the firm, which uses managed services provider GreenPages both for infrastructure and to help meet its security needs. Wright says he’s seen some companies spend potentially business threatening amounts up to $20 million after a ransomware attack, so preventing such losses, he says, represents very real value.

Understanding business needs

Aligning security spend with business needs starts with understanding what is most important to business managers.

Kim recommends using a “risk = impact x likelihood” formula, and understanding on a scale of 1 to 10 what your most important processes and assets are. “Your financial data might be a 10 but your HR data might be a seven as it’s not a business differentiator,” he says. “Just using a simple scoring rubric to your risk calculation helps to bubble up what the priorities are.”

Besides business, Christensen says CISOs must also consult IT to understand the administrative burden a new security technology might impose, and all the areas in which a security tool could be used to maximize its value. He uses the Secure Web Gateway from dope.security to not only control access, but to understand what information and Web sites users are accessing, and the potential risks they expose the business to.

Industry standard frameworks can also provide a common language and structure for risk assessment, like the NIST (National Institute of Standards and Technology) cybersecurity framework. “It’s simple enough that it’s not necessary to be a security practitioner to understand it, but it models your maturity and helps to relate that to business stakeholders,” says Christensen, adding it’s also based on industry standards rather than the CISO’s opinions, and is continually updated to reflect new risks.

Different security frameworks are best for different industries, says Pecha. “If I’m in government, I’m going to align with NIST,” he says. “If you’re a global business, use the ISO/IEC 27000 family of standards. It’s not necessary to be certified, but be compliant and understand what the controls are in order to understand your partner’s security needs as well as your own.”

Scott Reynolds, senior security and network engineering manager for manufacturer Johns Manville, uses the ISA/IEC 62443 standard to create a common understanding between business managers, security experts and suppliers about common terms such as the “zones” of assets that share common security needs. “This process also shows we agree on the same level of risk for the entire zone, and not just each asset in the zone,” he says. “The weakest link in the zone will impact all the assets within it.”

Over at media creation and editing technology provider Avid Technology, Dmitriy Sokolovskiy, its CISO and CSO, uses NIST’s Cybersecurity Framework to measure the maturity of his security processes, and the Center for Internet Security’s Critical Security Controls for specific tactical guidance, which, he says, highlight low-hanging fruit that businesses can easily address in their infrastructure.

Applying caution with benchmarks

Several CISOs were skeptical about using benchmarks to compare their security spend with others. That’s because, they say, companies may define security spend differently or have different needs. They also say benchmarks often don’t describe how and why organizations allocate their security budgets. As a result, they use benchmarks as a rough guide to budgeting, relying primarily on their own risk assessments.

But Kim warns CISOs against refusing C-level requests for benchmarking. “It’s not unreasonable to ask for a benchmark,” he says. “A chief financial officer couldn’t say, ‘We can’t compare our earnings-per-share with others in the industry.’” Provide benchmarks, he says, but as one part of a wider explanation of how your security spend compares with others, the challenges the organization faces, and how you’re reducing the total cost of ownership of security over time.

“CISOs should describe current threats and attacks,” says Pecha, and supply alternatives to remediate them. It’s then up to the board and the C-suite to decide what’s acceptable and what needs to be done to manage the overall risk to the business, he says, because only they have the clout to drive change.

Insisting a business executive formally accept a business risk, even in writing, often convinces them to agree instead to the proposed security spend. When Sokolovskiy has insisted such signoff, “Without fail, so far the business unit was actually driven to lower the risk themselves because they own it,” he says.

A business-focused approach can also spur efforts by security and business teams to identify opportunities to increase efficiency and save money, says Christensen, such as by eliminating redundant systems and processes. “With business alignment, you have no choice but to find unique and innovative ways to solve problems that are generated by how the business operates,” he says.

Application Management, Budgeting, CIO, CSO and CISO, Data and Information Security, IT Leadership, Security

Traditional IT security methods are increasingly flawed and the volume and sophistication of threats continue to increase. According to NETSCOUT, one DDoS attack occurs every three seconds, and the Cybersecurity and Infrastructure Security Agency recently added 66 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, with new common vulnerabilities and exposures (CVEs) growing over 25% year-over-year in 2022. New security methods delivered at the edge of the network, closer to the customer, are emerging as a more effective method for combating the increase in security threats.  

Latest cybersecurity threats expose flaws in traditional security methods

Let’s consider two places where customer data is commonly protected: behind firewalls and in cloud storage. Firewalls are not well suited to protecting against modern threats. They are meant to protect IT infrastructure, servers, and databases at the network boundary. When companies rely on this control alone, it’s like leaving the doors and windows of your home open, without motion detectors, alarms, or other safeguards.

Cloud-based storage, while protecting data from local (user-level) loss or destruction, is increasingly attractive to nefarious third parties. According to IBM’s Cost of a Data Breach Report, 45% of data breaches occurred in the cloud. Think about your data center firewall as a safe inside your home, where highly sensitive data is kept. It’s a singular line of defense that, if broken, can be extremely costly. In fact, the average data breach costs $4.3M. If network downtime is involved, it can cost you $9,000 per minute.

The value of edge security

Edge security encompasses a large area that includes more sophisticated barriers, like the gate to your community and alarms on your windows. If a threat is detected, you’re alerted in real-time and can deploy rules instantly at scale with higher accuracy. Edge security products are also more advanced, leveraging AI and other tools to react intelligently to threats. 

For example, edge security products are designed to identify and mitigate various types of attacks that target customer-specific systems and data, such as large botnet attacks, zero-day threats, credential stuffing, exploitation of known CVEs, or Distributed Denial of Service (DDoS) attacks. It’s even possible to identify bots that attempt to mimic human interactions by leveraging AI/ML and traffic behavioral modeling. This level of security cannot be found outside the edge.

Bombay Stock Exchange (BSE), India’s leading stock exchange, implemented edge security and now detects threats in real-time, deploys security rules in under 60 seconds and has cut infrastructure costs by more than 50%.

Users have come to expect data privacy everywhere they go. If their trust is lost, consider it a breakup. According to PCI Pal, 83% of consumers will stop spending with an organization immediately after a security breach–and over 21% of those consumers will never return. Edge security products add an additional layer of security, even on top of your cached content, and provide another layer of proven security for third-party SaaS/PaaS partners you depend on. 

Improve SecOps productivity by adding security at the edge

Integrating security operations into the edge also makes it possible to implement safe updates across global domains in minutes. Mature edge products allow you to A/B test or perform virtual patches for all changes by previewing modifications in an audit mode so the impact of the change can be understood before it is applied. Instead of deploying a change and then identifying an error, you can quickly validate or iterate until you see the desired impact, reducing overhead. This is especially important for zero-day exploits where you need to react quickly without jeopardizing business operations. 

Take action

Security attacks are increasing in frequency and could happen to your organization at any time, so don’t wait to take action. Consider solutions that incorporate a variety of edge security components. First, protect data in transit with end-to-end encryption, as PCI DSS requires for cardholder data crossing open networks. You should also protect your origin against attacks using DDoS protection, an origin shield, and DNS management. Finally, protect your applications with WAAP (web application and API protection), bot management, and Layer 7 DDoS protection that also shields your APIs.

Edgio, a leader in edge security, will examine your specific environment and tune its solution to meet your needs. Edgio manages all layers of traffic protection using access control, API security, rate limiters, advanced bot management, custom rules, and managed rules so that your security operations team can not only react quickly but also act proactively against security threats.

Security

Findings from two eye-opening surveys conducted by VMware show that ransomware remains a top concern for enterprises worldwide. As IT and security leaders and chief information security officers (CISOs) look for answers, many are turning to deeper deployment and investment in lateral security tools.

What is lateral security? It leverages both access control and advanced threat prevention strategies and consists of a set of systematic, omnipresent tools deployed between the perimeter and endpoints. Key lateral security tools include:

Network segmentation

Micro-segmentation

Advanced threat prevention capabilities such as intrusion detection/prevention systems (IDS/IPS)

Network sandboxes

Network traffic analysis/network detection and response (NTA/NDR)

Ransomware By the Numbers

To understand the value of lateral security tools, it’s important to first assess the current state of ransomware. The number of attacks continues to grow unabated, with a 13% increase from 2020 to 2021—a larger increase than the previous five years combined.

This trend was echoed in a 2022 VMware survey of 200 IT and security leaders in North America, Europe, the Middle East, and Africa. Approximately one-third of the survey respondents work for a company with 1,001 to 5,000 employees, one-third represent companies with 5,001 to 10,000 employees, and one-third represent companies with more than 10,000 employees.

More than two-thirds (68%) of the respondents reported that their organization experienced at least one ransomware incident (whether successful or not) in the previous 24 months.

Of those reporting attacks, 42% said they suffered at least three incidents (whether successful or not). In addition to attacks on their own organizations, 55% of respondents are aware of three to six peer organizations that suffered at least one ransomware attack in the last 24 months.

Second Survey Focuses on Lessons Learned Following a Ransomware Attack

In a follow-up survey, VMware explored how security professionals whose organization experienced a ransomware incident in the last three years responded to the attack and what they changed in the aftermath. Focusing on three core areas—people, process, and technology—the findings shed light on where security leaders believe they were underprepared and the steps they planned to take to address their gaps.

While most respondents reported their organizations had identity and access management and server endpoint protection/detection and response technologies in place before the ransomware incident, fewer had segmentation and advanced threat prevention tools deployed.


Key Finding: The Flat Network

We interpret the findings on segmentation technologies to mean that a significant portion of the networks within respondents’ organizations was flat—including the area of the network that was hit by the ransomware. Flat networks provide no barrier against attackers that first compromise a lightly defended low-value system and then move laterally to infiltrate higher-value systems.

The bottom line is that network segmentation, micro-segmentation, and other essential lateral security tools were not deployed pervasively, leaving gaps in protection that attackers could exploit. It’s no surprise then that those organizations report an increase in interest in these types of tools after the ransomware incident.
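To make the "flat network" finding concrete, here is an added example (not VMware's code or survey material) that computes the blast radius of a single compromised host under three policies: a flat network, segment-level rules, and micro-segmentation where hosts in the same segment cannot talk to each other. The hosts, segment names and allow rules are constructed for the example; the rule set is a simple source-segment/destination-segment allow list, which is an assumption about how such a policy is expressed.

```python
from collections import deque

# Constructed inventory: host name -> network segment it sits in.
HOSTS = {
    "kiosk-01": "guest",
    "printer-02": "guest",
    "ws-alice": "users",
    "ws-bob": "users",
    "app-01": "app",
    "db-01": "data",
    "backup-01": "data",
}

SEGMENTS = set(HOSTS.values())

# Allowed flows as (source segment, destination segment). Anything not listed
# is denied. Users may reach the app tier, and the app tier may reach data.
SEGMENTED_POLICY = {("users", "app"), ("app", "data")}

# A flat network is the same model with every segment allowed to reach every
# other segment; there is nothing between a guest kiosk and the database.
FLAT_POLICY = {(src, dst) for src in SEGMENTS for dst in SEGMENTS}


def reachable(start, hosts, policy, allow_intra_segment=True):
    """Return the set of hosts an attacker holding `start` can reach by
    following allowed flows transitively (breadth-first search).

    allow_intra_segment=True models ordinary segmentation, where hosts in the
    same segment talk freely. False models micro-segmentation, where even
    same-segment traffic needs an explicit rule.
    """
    if start not in hosts:
        raise KeyError(f"unknown host {start!r}")
    seen = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        src_seg = hosts[src]
        for dst, dst_seg in hosts.items():
            if dst in seen:
                continue
            same_segment = src_seg == dst_seg
            allowed = (src_seg, dst_seg) in policy or (same_segment and allow_intra_segment)
            if allowed:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def blast_radius_report(start, hosts):
    """Compare how far a compromise of `start` spreads under each policy."""
    return {
        "flat": len(reachable(start, hosts, FLAT_POLICY)),
        "segmented": len(reachable(start, hosts, SEGMENTED_POLICY)),
        "micro-segmented": len(reachable(start, hosts, SEGMENTED_POLICY, allow_intra_segment=False)),
    }


if __name__ == "__main__":
    for host in ("kiosk-01", "ws-alice"):
        print(host, blast_radius_report(host, HOSTS))
```

Running it shows the asymmetry the article describes: from the lightly defended kiosk, the flat network exposes every other host, while segmentation confines the attacker to the guest segment. From a user workstation the segmented policy still reaches the data tier through the app tier, which is why the data tier needs its own detection (IDS/IPS, NDR) in addition to the rule set.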

Eliminating the Blind Spots with Lateral Security

As we all know, a successful ransomware attack can be devastating for companies, with an economic, operational, and reputational impact that requires extensive containment and recovery actions to restore systems and data.

Those IT and security leaders who are looking to improve their defenses are placing a sharper focus on the set of tools that make up lateral security. These technologies, when used in concert with each other, can eliminate the blind spots that prevent organizations from detecting threats as they move laterally through the infrastructure.


Read our new white paper for a deeper dive into why and how CISOs and other IT and security leaders are deploying lateral security tools to effectively protect their organizations.

Click here to learn more.

VMware

The post-pandemic reality. Macroeconomic turbulence. Explosive technology innovations. Generational shifts in technological expectations. All these forces and more drive rapid, often confusing change in organizations large and small.

With every such change comes opportunity–for bad actors looking to game the system. Cybersecurity cannot stand still, or the waves of innovation will overrun the shores.

Adversaries continue to innovate. Keeping up–and hopefully, staying ahead–presents new challenges. Here is a short list of recent considerations for CIOs as they work with their teams to shore up their defenses.

Multifactor authentication fatigue and biometrics shortcomings

Multifactor authentication (MFA) is a popular technique for strengthening the security around logins. With MFA, the website or application will send a text message or push notification to the user with a code to enter along with their password.

MFA fatigue or ‘push phishing’ is a popular hack that targets MFA by repeatedly sending the user superfluous, malicious MFA notifications in hopes they inadvertently accept one or simply click to stop the annoying flood of messages.
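From the defender's side, push-phishing leaves a visible trace: a burst of unapproved prompts for one account, often ending in an approval. The following is an added example (not from Intellyx or Tanium) of a detection run over a constructed MFA push log; the log format, field names and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFA push events: (ISO timestamp, user, result). Not real data.
# "bob" is being flooded and eventually approves; "carol" is normal use.
PUSH_LOG = [
    ("2024-03-01T08:00:05", "alice", "approved"),
    ("2024-03-01T08:01:10", "bob", "denied"),
    ("2024-03-01T08:01:42", "bob", "denied"),
    ("2024-03-01T08:02:05", "bob", "timeout"),
    ("2024-03-01T08:02:30", "bob", "denied"),
    ("2024-03-01T08:03:01", "bob", "denied"),
    ("2024-03-01T08:03:40", "bob", "approved"),
    ("2024-03-01T13:00:00", "carol", "denied"),
    ("2024-03-01T17:00:00", "carol", "approved"),
]


def detect_push_fatigue(log, window=timedelta(minutes=5), threshold=3):
    """Flag users who received at least `threshold` unapproved pushes
    (denied or timed out) inside any `window`-long span.

    Returns {user: {"unapproved": n, "approved_in_window": bool,
                    "window_start": iso}} for the densest span per user.
    An approval inside the same span is the worst case: the flood may have
    worked, and that session should be treated as suspect.
    """
    by_user = defaultdict(list)
    for ts, user, result in log:
        by_user[user].append((datetime.fromisoformat(ts), result))

    alerts = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - start <= window]
            unapproved = sum(1 for _, r in span if r != "approved")
            if unapproved < threshold:
                continue
            candidate = {
                "unapproved": unapproved,
                "approved_in_window": any(r == "approved" for _, r in span),
                "window_start": start.isoformat(),
            }
            if user not in alerts or unapproved > alerts[user]["unapproved"]:
                alerts[user] = candidate
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_fatigue(PUSH_LOG).items():
        print(user, info)
```

In practice the alert would feed a response that revokes the approved session and forces re-enrolment; the mitigation on the prompt itself is number matching, where the user has to type a code shown on the login screen rather than just tap "approve", which removes the "click to make it stop" path the paragraph describes.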

In other cases, MFA includes a biometric step–reading a fingerprint, scanning a face, and the like. Users appreciate the convenience of biometrics, but they have their flaws as well. 

Sometimes they simply don’t work, perhaps due to a change in contact lenses or a new tattoo. Any spy thriller aficionado will also know it’s possible to ‘steal’ someone’s fingerprint or facial image–and once an individual’s biometric is compromised, there’s no way to change it the way we change passwords.

Security implications of ChatGPT and its ilk

ChatGPT and other generative AI technologies have taken the world by storm, but the combination of their sudden popularity and a general lack of understanding of how they work is a recipe for disaster.

In reality, generative AI presents a number of new and transformed risks to the organization. For example, ChatGPT is eerily proficient at writing phishing emails–well-targeted at particular individuals and free from typos.

A second, more pernicious risk is the fact that ChatGPT can write malware. Sometimes the malware has errors, but with simple repetition the hacker can generate multiple working versions of the code. Such polymorphic malware is particularly hard to detect, because it may be different from one attack to another.

Securing the software supply chain

The Log4j vulnerability that reared its ugly head in late 2021 shone a bright light on the problem of software supply chain security.

Most commercial enterprise software products and nearly all open-source ones depend upon numerous software packages and libraries. Many of these libraries are themselves open-source and depend upon other libraries in a complex network of opaque interdependencies.

Some of these components have professional teams that test and maintain them, releasing security patches as needed. Other open-source components are the result of some lone developer’s moonlighting activities from years past. 

For each open-source component in your entire IT infrastructure, which are the well-maintained ones, and which are the forgotten work of hobbyists? And how do you tell?

Getting ahead of the ransomware gangs

Ransomware is big business for the criminal gangs who have figured out how to capitalize on it. The malware itself is easy to buy on the Dark Web. In fact, there’s a veritable bazaar of ransomware variations, as hackers maneuver to create the most pernicious version.

From the enterprise side, the ransomware problem is multifaceted and dynamic. The malware itself continues to evolve, as do the criminal strategies of the perpetrators. 

The most familiar strategy–encrypting files on servers and then demanding a ransom for the decryption key–is but one approach among many. Other attackers steal data and threaten to release it to the public. Another angle is to target the victim’s backups.

No list of strategies and techniques does the ransomware problem justice, as the bad guys continue to innovate. CIOs and CISOs must remain eternally vigilant.

Managing costs while supporting digital transformation

The Covid pandemic accelerated many digital transformation initiatives as executives struggled to meet the suddenly changing needs of both customers and employees.

Today, economic challenges generate digital transformation headwinds as the needs of customers and employees change once again to address post-pandemic realities.

Cybersecurity budgets are typically caught between these two forces. Given the importance of meeting customer needs on limited resources, how important is cybersecurity?

It’s vitally important, of course – but it’s only one of the many risks CIOs must mitigate. Other risks include operational risk (the risk of downtime), technical debt risk (the risk of failures of legacy technologies), as well as compliance risk.

There’s never enough money to drive all these risks to zero–so how should executives decide which risks to mitigate and how much money and time to spend mitigating them?

Organizations must be able to engineer comprehensive risk management that quantifies each type of risk and establishes risk targets that conform to budgetary and human resource limitations.

This ‘threat engineering’ gives CIOs a justifiable approach to making cybersecurity expenditure decisions while also mitigating the other risks facing the IT organization.

Advice moving forward

This article highlights modern security trends for CIOs that weren’t on anybody’s radar as little as five years ago. Five years from now, the list might once again be entirely different.

Such is the nature of cybersecurity risk management. The risks continue to evolve as adversaries improve their strategies. CIOs must remain vigilant while they leverage state-of-the-art cybersecurity tools and strategies to keep one step ahead of the bad guys.

Read the eBook: Views from the C-suite: Why endpoint management is more critical than ever before

© Intellyx LLC. Tanium is an Intellyx customer. Intellyx retains final editorial control of this article. No AI was used in the production of this article.

Security

Ensuring strong software security and integrity has never been more important because software drives the modern digital business. High-profile vulnerabilities discovered over the past few years, with the potential to lead to attacks against organizations using the software, have hammered home the need to be vigilant about vulnerability management.

Perhaps the most dramatic recent example was the zero-day vulnerability discovered in Apache’s popular open-source Log4j logging service. The logging utility is used by millions of Java applications, and the underlying flaw—called Log4Shell—can be exploited relatively easily to enable remote code execution on a compromised machine. The impact of the vulnerability was felt worldwide, and security teams had to scramble to find and mitigate the issue.

In November 2022, open-source toolkit developers announced two high-severity vulnerabilities that affect all versions of OpenSSL 3.0.0 up to 3.0.6. OpenSSL is a toolkit supporting secure communications in web servers and applications. As such, it’s a key component of the Transport Layer Security (TLS) protocol, which ensures that data sent over the internet is secure.

SBOMs as a solution

One of the most effective tools for finding and addressing such vulnerabilities and keeping software secure is the software bill of materials (SBOM). SBOMs are formal, machine-readable records that contain the details and supply chain relationships and licenses of all the different components used to create a particular software product. They are designed to be shared across organizations to provide transparency of the software components provided by different players in the supply chain.

Many software providers build their applications by relying on open-source and commercial software components. An SBOM enumerates these components, creating a “recipe” for how the software was created.

For example, something like the OpenSSL toolkit includes dependencies that are difficult or, in many cases, impossible for traditional vulnerability scanners to uncover. It requires a multilayered approach to help security teams identify third-party libraries associated with a software package. This is where an SBOM can help.

The U.S. Department of Commerce has stated that SBOMs provide those who produce, purchase, and operate the software with information that enhances their understanding of the supply chain. This enables multiple benefits, most notably the potential to track known newly emerged vulnerabilities and risks.

These records form a foundational data layer on which further security tools, practices, and assurances can be built, the Commerce Department says, and serve as the foundation for an evolving approach to software transparency.

A 2022 report by the Linux Foundation Research, based on a survey of 412 organizations from around the world, showed that 90% of the organizations had started their SBOM journey.

More than half of the survey participants said their organizations are addressing SBOMs in a few, some, or many areas of their business, and 23% said they are addressing them across nearly all areas of their business or have standard practices that include the use of SBOMs. Overall, 76% of organizations had a degree of SBOM readiness at the time of the survey.

The research showed that the use of open-source software is widespread and that software security is a top organizational priority. Given the worldwide efforts to address software security, SBOMs have emerged as a key enabler, it said. Growth of SBOM production or consumption was expected to accelerate by about 66% during 2022, leading to SBOM production or consumption use by 78% of organizations.

The top-three benefits of producing SBOMs identified by survey participants were that SBOMs made it easier for developers to understand dependencies across components in an application, monitor components for vulnerabilities, and manage license compliance.

Key features to consider

SBOMs are a key to quickly finding and fixing vulnerabilities before it’s too late. That’s because they dig deep into the various dependencies among software components, examining the packaged files that ship with applications to effectively manage risk. It might take a software vendor days or weeks to confirm with its developers whether its products are affected or not. That’s too long a window of opportunity in which cybercriminals can exploit vulnerabilities.

With SBOMs, security teams can know exactly where an affected component is being used across applications in use within their organizations.

It’s important for organizations to understand that not all SBOM offerings from vendors are alike. An ideal solution delivers critical, real-time visibility into an organization’s software environments, enabling them to make better-informed decisions to manage risk.

SBOMs should be able to answer questions such as:

Exactly where is a particular software package located?

Which open-source dependencies, if any, does an application use?

Which version of the software package is running?

Do any other applications use the software package?

A key capability includes having the ability to understand every software component at runtime, uncover software packages and break them apart to examine all constituent components without the need to engage the software vendor.

SBOMs should also be able to address any vulnerabilities or misconfigurations found in the various software components; take quick action to mitigate supply chain risk, even removing applications completely across affected endpoints; and optimize an organization’s investments in third-party tools by populating them with granular, accurate and real-time SBOM data.
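The four questions listed above, and the earlier point that an application's dependencies form a network of opaque interdependencies, can be answered mechanically once SBOMs exist for each deployed application. The following added example (not Tanium's product, nor any SBOM tool's real API) walks two constructed, simplified CycloneDX-style SBOMs and answers those questions for one package, then checks each found version against the OpenSSL 3.0.0 to 3.0.6 range cited earlier in the article. The application names, paths and the "install-path" property name are assumptions made for the example.

```python
# Constructed, simplified CycloneDX-style SBOMs for two deployed applications.
# Real SBOMs would be loaded with json.load(); the "install-path" property is
# an assumed name for recording where the package sits on disk.
SBOM_INVENTORY = {
    "payments-api": {
        "components": [
            {"bom-ref": "openssl@3.0.5", "name": "openssl", "version": "3.0.5",
             "properties": [{"name": "install-path", "value": "/opt/payments/lib/libssl.so.3"}]},
            {"bom-ref": "libcurl@8.1.0", "name": "libcurl", "version": "8.1.0",
             "properties": [{"name": "install-path", "value": "/opt/payments/lib/libcurl.so.4"}]},
        ],
        "dependencies": [
            {"ref": "payments-api", "dependsOn": ["libcurl@8.1.0"]},
            {"ref": "libcurl@8.1.0", "dependsOn": ["openssl@3.0.5"]},  # transitive
        ],
    },
    "reporting-ui": {
        "components": [
            {"bom-ref": "openssl@3.0.7", "name": "openssl", "version": "3.0.7",
             "properties": [{"name": "install-path", "value": "/srv/reporting/lib/libssl.so.3"}]},
        ],
        "dependencies": [
            {"ref": "reporting-ui", "dependsOn": ["openssl@3.0.7"]},
        ],
    },
}


def parse_version(v):
    """Dotted numeric version -> tuple, so 3.0.10 sorts after 3.0.9."""
    return tuple(int(p) for p in v.split("."))


def in_range(version, low, high):
    """Inclusive check: low <= version <= high."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def dependency_path(sbom, app, target_ref):
    """Chain of bom-refs from the application down to target_ref, or None.
    A chain longer than [app, target] means the package is a transitive
    dependency the application's own developers may never have chosen."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}

    def walk(ref, path):
        if ref == target_ref:
            return path
        for child in edges.get(ref, []):
            found = walk(child, path + [child])
            if found:
                return found
        return None

    return walk(app, [app])


def find_package(inventory, name, affected=None):
    """Answer where / which version / which apps / via what chain for `name`.
    `affected` is an optional (low, high) inclusive version range."""
    hits = []
    for app, sbom in inventory.items():
        for comp in sbom["components"]:
            if comp["name"] != name:
                continue
            props = {p["name"]: p["value"] for p in comp.get("properties", [])}
            chain = dependency_path(sbom, app, comp["bom-ref"])
            hits.append({
                "application": app,
                "version": comp["version"],
                "install_path": props.get("install-path"),
                "dependency_chain": chain,
                "transitive": chain is not None and len(chain) > 2,
                "affected": in_range(comp["version"], *affected) if affected else None,
            })
    return hits


def affected_applications(inventory, name, low, high):
    """Sorted list of applications shipping `name` inside [low, high]."""
    return sorted({h["application"] for h in find_package(inventory, name, (low, high)) if h["affected"]})


if __name__ == "__main__":
    for hit in find_package(SBOM_INVENTORY, "openssl", ("3.0.0", "3.0.6")):
        print(hit)
    print("needs action:", affected_applications(SBOM_INVENTORY, "openssl", "3.0.0", "3.0.6"))
```

The transitive flag is the interesting output: payments-api never lists OpenSSL as a direct dependency, it arrives through libcurl, which is exactly the kind of component a scan of declared dependencies alone would miss.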

The takeaway 

Digital businesses today rely on software to support all kinds of processes. In fact, it’s difficult to imagine any company operating without applications. Keeping software secure and reliable is essential for success today.

With solutions such as SBOMs, security teams at organizations can be confident that they have a good handle on all the complexities inherent in the software world, and that they are keeping up on any flaws that need to be addressed to keep applications secure.

Learn how Tanium’s Converged Endpoint Management (XEM) platform can address SBOMs to give your organization real-time visibility—even in the most complex software environments.

Security