Fourteen Lessons Learned About Cybersecurity

2022 was a year of rapid growth in the cybersecurity market, and also a key moment for enterprises to evaluate the effectiveness of their security investments and to calibrate and optimize their defense strategies and budgets.

In the face of rapidly evolving cyber threats, every CISO has their own method and perspective for summarizing and reflecting on 2022. Such summaries of experience provide valuable input for future strategic planning, as Sohail Iqbal, Chief Information Security Officer of Veracode, puts it: "If organizations do not intend to learn these lessons and improve their security practices, they will face more stringent security audits and third-party risk assessments, which could have serious financial, reputational, operational and even compliance consequences for their business."

The following fourteen cybersecurity lessons from 2022 were summarized by CISOs of well-known enterprises and institutions:

1 Prepare security defenses in advance for geopolitical conflicts

The Russo-Ukrainian war led a large number of nationalist hacking groups around the world to choose sides and attack the critical infrastructure and organizations of the opposing camp. This forced many governments to issue guidance to strengthen security posture, including the US Cybersecurity and Infrastructure Security Agency (CISA)'s Shields Up campaign and technical guidance from the UK's National Cyber Security Centre (NCSC).

Taylor Lehmann, director of the Office of the Chief Information Security Officer at Google Cloud, believes: "Cyber threats related to geopolitical conflicts should have been discussed and planned for several years ago, rather than evaluating and strengthening the security posture after the conflict occurs."

"Businesses and organizations often take years to assess security gaps and implement hardening controls, so asking questions early on can be beneficial. We need to acknowledge that protecting organizations from advanced security threats takes a long time (sometimes decades) of hard work," Lehmann added.

2 Threat Actors Proliferate, Hacking-as-a-Service Model Keeps Costs of Attacks Down

According to ENISA, 2022 saw ransomware groups "retiring" and rebranding, with threat groups "increasing in their capabilities in supply chain attacks and attacks against managed service providers." Additionally, the hacking-as-a-service business model continued to gain traction.

“Now anyone can become a cybercriminal, no skills required,” said Mike Hamilton, chief information security officer at Critical Insight. “The alliances and hacking-as-a-service business models employed by cybercriminal organizations have greatly lowered the barriers to entry.”

For example, premium access to the C2aaS platform Dark Utilities is only €9.99. The platform offers a variety of services, including remote system access, DDoS capabilities, and cryptocurrency mining.

3 Untrained employees can bring huge losses to the business

Ransomware attacks increased in 2022, with corporations and government entities the most notable targets. Nvidia, Toyota, SpiceJet, Optus, Medibank, the Italian city of Palermo, and government agencies in Costa Rica, Argentina, and the Dominican Republic were all victims in 2022, further blurring the lines between economically and politically motivated ransomware groups.

Employee security awareness training should be a key part of any organization's security defense strategy because "employees continue to be prime targets for phishing and other social engineering tactics," said Gary Brickhouse, chief information security officer at GuidePoint Security.

4 Governments more aggressively legislating cybersecurity

The US, the UK and the EU have all strengthened legislation to better protect organizations from cyber incidents. "(Governments) are identifying key security risks, and the trend towards legislative intervention will continue," said Lawrence Munro, chief information security officer at NCC Group.

In the United States, changes have occurred at the federal and state levels. Government agencies are now required to implement security training and follow security policies, standards, and practices. They also need to report security incidents and develop a response plan.

Businesses should adjust their mindset and be proactive in preparing for the upcoming regulations, Munro added. They should also be mindful that data privacy and security rules are constantly evolving. "Understanding the differences between enterprises and addressing data residency, data sovereignty and data localization requirements is business-critical today, and the complexity will continue to increase," Lehmann noted.

5 Open source software should be better tracked

The Log4j security crisis that broke out at the end of 2021 lasted for almost a whole year in 2022, affecting tens of thousands of organizations around the world. According to a recent CISA report, this type of vulnerability involving remote code execution will continue to pose a "significant risk" in the future, as it "will remain in systems for many years, perhaps a decade or more into the future."

"The Log4j vulnerability was a wake-up call for many in the industry, and many organizations were not even aware that the vulnerable software was being used in some of their systems," said Thrive Chief Information Security Officer Chip Gibbons.

While this security issue created confusion, it also provided a learning opportunity. "Log4j is a curse and a blessing," said George Gerchow, Sumo Logic's CSO and senior vice president of IT. "It makes us better when it comes to incident response and asset tracking."

More and more businesses are investing effort in tracking open source software, as they see that "the implicit trust in open source software has taken its toll."

6 More efforts should be made to identify vulnerabilities

Organizations should also do more to address the threat of vulnerabilities in both open and closed source software. This is no easy task, however, as thousands of vulnerabilities emerge every year. Vulnerability management tools can help identify and prioritize vulnerabilities found in operating systems and applications. "We need to understand the vulnerabilities in first-party code and develop a list of vulnerabilities and appropriate measures to manage risks in third-party code," said Iqbal, chief information security officer at Veracode.

According to Iqbal, application security should start on the left side of the software development life cycle: writing secure code from the beginning and managing vulnerabilities up front is very important for application security, and at the end of the day, everything is code. Your software, applications, firewalls, networks, and policies are all code, and because code changes so often, application security must be "built-in" and "shifted left."

7 Companies Need to Do More to Protect Against Supply Chain Attacks

Supply chain attacks were one of the top threats in cybersecurity in 2022, with multiple incidents hitting the headlines, such as the hacks targeting Okta, GitHub OAuth tokens, and AccessPress. Protecting against such threats will remain a complex process through 2023. "I think the rapid growth of supply chain risk has confused many organizations," Munro said. "We are seeing a general lack of understanding of the existing ecosystem and threats from the investment to the technology to solve the problem."

According to Munro, the software bill of materials (SBOM) brings new frameworks and techniques. "There are tools to manage information aggregation, complementary frameworks like Supply Chain Levels for Software Artifacts (SLSA) and technical standards like Vulnerability Exchange or VEX," Munro said. This all adds to the complexity and challenges for defenders.
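As an added illustration of the open source tracking called for in lesson 5 and of the SBOM and VEX standards named here (example code written for this page, not from any CISO or vendor quoted above): it matches a constructed CycloneDX-style SBOM against a constructed advisory list and applies a VEX "not_affected" statement, so that only findings the supplier has not ruled out reach the triage queue. The advisory ids, version ranges and the VEX document are placeholders, not real advisories.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (sample inventory, not a real one).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
  {"purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
  {"purl": "pkg:maven/com.google.guava/guava@31.1-jre"}]}"""

# Constructed advisory feed: placeholder ids and illustrative version ranges, not real advisories.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "pkg:maven/org.apache.logging.log4j/log4j-core", "affected": "<2.17.1"},
    {"id": "ADV-EXAMPLE-002", "package": "pkg:maven/com.fasterxml.jackson.core/jackson-databind", "affected": "<2.13.5"},
]

# Constructed VEX statement in the shape of CycloneDX VEX: the supplier asserts that
# the jackson-databind finding does not apply to this product.
VEX_JSON = """{"vulnerabilities": [{"id": "ADV-EXAMPLE-002",
  "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
  "affects": [{"ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"}]}]}"""

def version_key(version):
    """Turn '2.14.1' or '31.1-jre' into a comparable tuple of leading integers."""
    return tuple(int(m.group()) if m else 0
                 for m in (re.match(r"\d+", part) for part in version.split(".")))

def in_range(version, spec):
    """Evaluate a single upper-bound range such as '<2.17.1' or '<=2.13.4'."""
    op, bound = re.match(r"(<=|<)(.+)", spec).groups()
    return version_key(version) < version_key(bound) if op == "<" else version_key(version) <= version_key(bound)

def match_sbom(sbom_json, advisories, vex_json):
    """One finding per (component, advisory) hit, with any VEX status applied."""
    vex_status = {}
    for vuln in json.loads(vex_json).get("vulnerabilities", []):
        for ref in vuln.get("affects", []):
            vex_status[(vuln["id"], ref["ref"])] = vuln["analysis"]["state"]
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        package, version = comp["purl"].rsplit("@", 1)  # purl: pkg:type/namespace/name@version
        for adv in advisories:
            if adv["package"] == package and in_range(version, adv["affected"]):
                status = vex_status.get((adv["id"], comp["purl"]), "affected")
                findings.append({"purl": comp["purl"], "advisory": adv["id"], "status": status})
    return findings

def needs_triage(findings):
    """Findings the VEX has not explicitly ruled out; these go to the vulnerability queue."""
    return [f for f in findings if f["status"] not in ("not_affected", "resolved", "false_positive")]
```

Running `match_sbom(SBOM_JSON, ADVISORIES, VEX_JSON)` yields two hits, of which only the log4j-core one survives `needs_triage`; the same loop scales to a real SBOM and advisory feed once the placeholder data is swapped out.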

"We should also consider how an attack on our hardware supply chain would affect us," Lehmann added.

8 Zero trust should be the core security concept

A Zero Trust initiative is more than deploying technology to manage identities or networks. "It's a discipline and a culture of removing implicit trust and replacing it with explicit trust when transacting digitally," Iqbal said. "It's a synchronized process that requires conduct."

Iqbal added: "Every product or service should support single sign-on (SSO)/multi-factor authentication (MFA), and enterprise and non-production networks should be isolated from the production environment. Equally important is associating multiple signals to authenticate endpoints for an up-to-date security posture, and behavioral analytics for authentication, access and authorization."

9 Demand for cyber security insurance may continue to increase

In recent years, cybersecurity insurance has become a necessity, but premiums have increased. Additionally, organizations face increased scrutiny from insurers seeking to identify areas of risk. "The process is much more rigorous than it used to be, adding time and effort to obtaining cyber security insurance," Brickhouse noted. "Organizations should think of this process as a kind of security audit, prepare ahead of time, and document their security plans and controls, keeping them on file and ready for audit."

10 The "Shift Left" Approach to Software Testing Is Obsolete

Matt Rose, chief information security officer at ReversingLabs, argues that it's not enough to just look for risks on the "left" and that developers are only one part of a comprehensive application security program. Risks exist at all stages of the DevOps process, so tooling and investigation must move everywhere within the process, not just to the left. "If organizations only look for problems on the left, they will only find security risks on the left."

A better approach, according to Rose, is to improve security throughout the DevOps ecosystem, including development systems and deployable artifacts themselves. "Supply chain risk and security are becoming more and more important, and if you only look to the left, you miss more risks," he added.

11 Using the wrong tool for the wrong asset

A hammer is not the right tool for every fastener; it is useless on a screw. Halborn co-founder and CISO Steven Walbroehl noted that CISOs need to identify the nuances of the problem and find the right tool for the problem they want to solve. He said: "One of the lessons that security vendors and enterprise users need to learn together in 2022 is that security cannot be generalized, and no solution is suitable for all assets or resources. We should all do our best to find cybersecurity solutions or services adapted to, or applicable to, specific assets."

12 Enterprises need to understand the complete application architecture

The complexity of technology stacks increases every year, and enterprises must understand their entire application ecosystem to avoid major security breaches. "Applications are growing in complexity with the explosion of open source packages, APIs, internally developed code, third-party developed code, and microservices, all of which correlate with very fluid cloud-native development practices," Rose said. "If you don't know what type of risk to look for, how are you going to find it?"

According to Rose, modern development practices have smaller and smaller chunks of responsibility, and no one person can fully handle security risks in every aspect of an application.

13 Security Should Be a Marathon

Too many non-technical businesses think of cybersecurity as a static, one-off activity that is performed (and paid for) once, after which they are secure. However, technology is dynamic, so security defenses "are a risk management approach that requires an ongoing effort," Walbroehl said. "Companies should not try to treat cybersecurity as a one-off test."

Walbroehl recommends that organizations identify critical processes and assets, and then determine the level of security exposure they are willing to accept. A good idea, he added, is to prioritize the solutions or processes needed to reduce risk to that level.

14 In 2023, proactive security will be king

In 2023, CISOs may be exhausted, and they will again face challenges on all fronts: the war between Russia and Ukraine will continue, some countries may experience severe economic recessions, and the cyber threat landscape will rapidly evolve.

"One of the most important lessons we've learned this year is that a rigid passive security strategy puts a company's competitiveness, financial health and market growth at risk, while proactive security and even predictive cybersecurity operations are becoming the norm and the focus of security leaders," said Trustwave's Daniels. "In a future driven by complexity and uncertainty, proactive security can more effectively integrate security into the business."

Origin blog.csdn.net/xljlckjolksl/article/details/131661084