Thoughts from a well-seasoned CISO
Cybersecurity is fun. And challenging. And evolving. It bleeds into multiple aspects of our lives whether we like it or not – just like Taylor Swift. Its effects hit you when you least expect it. Like when you’re logging into your favorite streaming service, going to school, or heading to the hospital. The list goes on.
Last year, I wrote a blog with what I thought would be the top three cybersecurity priorities in 2023. I was right about some and wrong about others, but it is interesting to see where the year takes us. I wanted to take a quick second to speak about how things ended up with my 2023 predictions and some of the biggest surprises that I thought came out of it. We will cover down on the 2024 predictions in a separate blog, so we can dissect them next year!
- Review of last year’s predicted priorities
- Risk management
- APIs and Software Supply Chain
- Cloud Strategy
- 2023 Surprises
- CISO’s going to jail for misrepresentation of security standards on quarterly reports
- SEC guidelines around material security incident reporting
- …and then subsequently a ransomware group threatening to tell the SEC if a victim doesn’t pay.
- SOCs are losing the data battle
- AI assisted cyberattacks outpaced AI cyber defense
2023 – Review of last year’s predicted priorities
Third party risk management was a big deal in 2023, especially after we saw the effects of Silicon Valley Bank and Okta. I personally witnessed questions regarding financial solvency on third party risk assessments for Query, which I think was a direct result of SVB.
While I do believe third party risk assessments are important to address glaring red flags, there’s simply no way to tell if a breach happened because of a failure to assess risk appropriately from their questionnaires. Would anyone have placed Okta as high risk? Probably not. Overall, there’s still so much incongruence in regards to third party risk management – can we ever really predict who is going to be hit by some debilitating debacle?
APIs and Software Supply Chain
I may have been wrong about this one. I expected to see more. Maybe AI took the place of API breaches? Or maybe people did protect their APIs? Either way, APIs were not a 2023 cybersecurity trend.
But supply chain management was a big deal. Organizations are starting to mandate a software bill of materials from third parties, which indicates significant importance being placed on the software supply chain. I believe this is where third party risk management needs to focus efforts, because having the bill of materials shares all the systems (and vulnerabilities) they are taking on as a result of working with a particular organization.
Overall, I would give two thumbs up to how the industry has become more aware of cloud strategy.
The pandemic obviously supercharged our implementation of cloud. Organizations had to move quickly, which often meant security was lagging. As we have come to accept that this is now the status quo, organizations have fully dedicated cloud architectures or some form of hybrid cloud architectures. Plus, there are now many startups designed to help organizations realize the risks that surround these complicated cloud infrastructures, adopt multi-cloud solutions, and utilize more native cloud infrastructure and applications.
A lot of this came to a head as we saw AWS announce their general availability of Security Lake and double down on their efforts to standardize around the OCSF data model. The AWS Security Lake creates one centralized location inside their AWS environment for teams to have access to their cloud data without having to ship it, offload it to a SIEM, or offload it somewhere else. This was done to address the need for security teams to have more visibility into cloud telemetry, but recognizing access to security information is challenging given the current, monolithic status quo of centralized security monitoring in the SIEM.
2023 Cyber Security Surprises
CISO’s going to jail for misrepresentation of security standards on quarterly reports
Security professionals are traditionally advocates for harsher penalties for security negligence. This encourages security controls to be taken seriously and become/remain a priority in organizations. But the fallout of SolarWinds was quite the surprise. The SolarWinds’ CISO is facing charges for misrepresenting the security posture of SolarWinds during their quarterly briefs. It is now more than simply being accountable by your boss, but also potential legal indictments.
CISOs are typically, or at least would like to be, honest, upfront, and direct with our leadership regarding security vulnerabilities. We strive to meet regulatory requirements, but compliance does not equal security, and it doesn’t prevent an employee from clicking on a phishing email or someone hacking into your systems and exploiting a zero day, which is always a possibility and out of our control.
This makes for a stretching dichotomy between trying to make a company secure and properly articulating the state of security for your company when you only have a few minutes to brief the board or your CEO. This is an opportunity for CISOs to realign their communication standards with their executive leadership, to not be afraid of an impending job loss if they communicate vulnerabilities and are transparent about what is or isn’t working.
SEC guidelines around material security incident reporting
As mentioned above, security professionals advocate for support in making organizations take security seriously. Our wish was granted this year, specifically to publicly traded companies. The SEC mandated cyber security experience to sit on the board and provided new guidelines in terms of the reporting of material security breaches to the street.
Companies have been successful at hiding their cybersecurity incidents for far too long. With the new laws, we now see just how clever companies are at finding ways to not admit that they had a cybersecurity incident – in fear of public backlash or their stock dropping.
Because of this, I think there will be a wave of stealth filings for security breaches – companies trying to hide their security breaches until the last minute prior to 10K reporting. We’ve actually seen some companies report incidents on their 10K without coverage from mainstream media. For example, Vans quietly reported on their 10K that they had been hit with a material cybersecurity incident that was going to impact their manufacturing. It didn’t make mainstream news, but a group of cyber security researchers found a last minute 10K filing on a Friday afternoon for Vans that mentioned the incident. Before the market closed, their stock dropped.
Most companies recover after the initial stock drop, but it does materially impact the company. Companies have to be more transparent about cybersecurity incidents up front, so that they get past the pain of the stock price dip.
…and then subsequently a ransomware group threatening to tell the SEC if a victim doesn’t pay.
The ripple effect of the new SEC regulation has been even more surprising: a ransomware group threatened to tattle on the company that they had hacked. ALPHV ransomed all of MeridianLink, Inc’s servers and said that if MeridianLink did not pay the ransom, then they were going to tell the SEC. So, now a sort of double jeopardy is a troublesome by-product for the good guys.
Cyber criminals are more brazen. They’re not hiding in the shadows anymore. This is a new chess match for CISOs — how to secure the organization and navigate the waters of disclosure after having a material cybersecurity incident.
SOCs are losing the data battle.
SOCs and CISOs are realizing that security data is becoming unmanageable. I’m a little embarrassed by this one. My company, Query, is right in the middle of this issue so you would think I would have picked this as a trend for 2023! While I and the rest of the Query folks had conviction about this issue, we were surprised by how quickly this became a mainstream concern.
SOCs are struggling with the current volume of information they have at their disposal. We’re seeing more and more information, more and more data, and more and more technology as companies grow. The amount of available data to organizations has grown exponentially because of the number of systems they’ve added or built. Security teams are not positioned to stay up to speed.
Large organizations can and do build enormous data lakes in an attempt to consolidate all of the data, and massive data engines on top of them to try to parse it all. But many/most organizations are not going to be able to process security incidents in an efficient time period given the dispersion and volume of data that exists. They’re not manned for it, and they don’t have the technology to help them. They’re just going to continue to fall behind.
This includes business systems, ecommerce platforms, new business divisions from acquisitions, etc. There’s been a lot of industry consolidation in every vertical and that has created a data debt for most security teams.
In fact, many organizations have no idea where a lot of their data is (shadow sprawl). I think the solution is thinking differently about your security architecture- in a way that focuses on data access and not just security threats. Shameless plug that this is Query’s focus – simplifying search – and we are good at it.
“Everybody’s got a plan until they get punched in the face.” – Mike Tyson
Increase in zero day usage by criminal threat groups vs APTs
Attacks on zero days are becoming more prevalent. Historically, zero days were limited to advanced persistent threat actors (APTs). But criminals are now using zero days further down the attack tree – not just APT groups, but also run of the mill ransomware organizations. This is threatening because most enterprises are not concerned with zero days – there’s just not much you can do to prepare for them.
Cyber criminals have realized this and the fact that zero days are pretty easy to come by. So, they capitalize. Thoroughly exploiting zero days can be extremely lucrative in a short period of time.
Embracing strategies like penetration testing, and working with researchers and bug bounty organizations are going to be your best kind of defense against the commonality of zero day usage. The constant up to the minute pen testing gets you the leverage of the braintrust of a large enough group of individuals who spend their days and nights learning the latest and greatest attacks. It will never fully protect you, but it will get you a step closer.
AI making headlines for assisting cyber attacks over advancements in defense use
AI has bloomed everywhere – not unlike a weed. It is still in its infancy when it comes to cyber security, but that doesn’t stop the bad guys from abusing it. For example, quickly after the initial buzz around OpenAI’s ChatGPT, we saw a FraudGPT malicious chatbot being offered as a service on the dark web. I will talk more about AI for 2024 predictions, but the highlight trend of AI 2023 malicious activity has to be phishing.
We used to say that the best phishing defense is checking for broken English – the Nigerian Prince scams. But AI makes it nearly impossible to detect in many cases. Emails, texts, videos, etc. are slipping through our preset defenses with malicious links and attachments that truly look ‘real.’ We have to fine-tune our configurations and use good judgment with all forms of communication.
The overarching theme of 2023 was that the good guys are being held more accountable than ever while cyber attackers have realized that they are practically unstoppable. Are you ready for it? (2024 Neal’s Version)
So, what did we learn in 2023? Join Query CEO Matt Eberhart and guest CISO Neal Bridges in this upcoming webinar as they discuss the cyber security trends from 2023 and predictions for 2024. Register for our upcoming webinar here.