If the past year and a half have taught us anything, it is that there is less and less of a divide between our digital and physical worlds. We look to examples like the SolarWinds, Colonial Pipeline, Microsoft Exchange, and Kaseya breaches, coupled with the new era of remote work, and it is so easy to see how much is truly on the line if we don’t figure out just how to get security right.
Despite the mega-breaches of recent years, a distributed workforce, and increased cloud adoption, not to mention the rapidly changing development paradigms, it doesn’t really appear that much is changing to strengthen security postures. Through our polling on the show floor and via social media – yes, I know it isn’t scientific, don’t @ me – 64 percent of respondents told us that security resources in their organizations have not increased in the last 12 months, with 27% reporting that their companies have opted to shift resources to different security priorities instead of adding more resources.
Whose job is it to fix the supply chain security problem?
During his keynote centered around defending against supply chain compromises, Corellium COO Matt Tait highlighted research from Google Project Zero that shows that halfway into 2021, there have been 33 more 0-day exploits used in attacks that have been publicly disclosed this year. That’s 11 more than the total number from 2020. But he also brought forward an important perspective on whose job it is to solve the supply chain security problem.
“The most important thing to point out is that the government is not going to fix this,” Tait said. “This isn’t going to get fixed by a collection of international organizations, it’s not going to be fixed by the US government, it’s not going to be fixed by federal agencies, it’s not going to be fixed by a consortium of governments. The only way to tackle supply chain intrusions at the scale that’s needed is to fix the underlying technology, and this requires platform vendors to step in.”
However, during a roundtable discussion, RSA Principal Threat Hunter and Black Hat review board member Neil R. Wyler told attendees that when he heard this view, his first thought was that “we’re screwed.”
“Who is responsible for security when everyone is responsible for security?” Wyler said, in reference to the platform vendors.
You can’t secure what you don’t know you have
Pivoting the conversation to an apparently controversial buzzword, security leader Kymberlee Price dove into why businesses need a security bill of materials (SBOM), which she explained is simply the asset inventory of the codebase.
“The incident response team doesn’t know what they don’t know. They don’t know what third-party and open source components are in their enterprise, so they can’t defend it,” Price said. “So something happens and a supplier gets breached, and everyone is running around going, ‘do we use that?’ SBOM is forcing inventory on organizations that are like, ‘oh it’s complicated.’”
“It’s difficult to secure things if you don’t know you have them, so doing asset management is the first part of all of this,” Wyler said. “We’ve been trying to do that for 30 years as well. It sounds like it should be simple, but when you’re acquiring company, after company, after company, and you don’t even know what they had...”
I heard this sentiment echoed numerous times in different briefings throughout the show, and it definitely isn’t the first time I’ve heard this during my relatively short time in the industry. Without a definitive answer to the question, “whose job is security?,” we’re left to determine what the answer is for our own organizations.
Improve your own security posture to help others
While cybersecurity is inherently complex, often paradoxical, and lacks a one-size-fits-all roadmap or solution set for every organization to adopt, there are a few things that can be done today to start strengthening your security posture.
A great place to start is leveraging a discovery tool to get a better sense of all of the web applications in your perimeter so that you can create an inventory. Organizations often have around 40 percent more applications than they realize, resulting from M&A transactions and even marketing activities. With this inventory in place, you’re able to dynamically scan the applications to understand the risk level they present to the organization and prioritize remediation efforts.
Ideally, you will want to integrate and automate continuous discovery and application security testing across the SDLC – and I don’t just mean shifting left. While this strategy is critical to reducing the number of vulnerabilities that make it into production and even selecting the most secure version of an open-source library, not all of the applications you own will be in constant states of development.
The other benefit of integrating and automating security testing is that it helps to alleviate the pressure on small security teams, prioritize remediation for developers, and ultimately reduce human error and burnout. During the event, VMware released a report that shows more than half of cybersecurity professionals surveyed have experienced extreme stress or burnout over the past year, with Haystack Analytics reporting that more than four in five software developers are experiencing workplace burnout, which was made worse by the COVID-19 pandemic. Even your best workers will make seemingly basic mistakes under the extraordinary conditions we’ve been living under.
In our own polling, 44 percent of respondents believe malicious actors are the most significant threat to security, with 33 percent citing human error. It is reasonable to assume that human error is likely to pave the way for malicious actors to mosey on into an organization through that insecure web application, the managed service with overly permissive defaults, or that link that got clicked during a phishing expedition.
No easy answers
Finally, whether it is up to a consortium of governments or corporations to secure our supply chains and infrastructure, be a partner to those seeking to solve the problem. This includes collaborating with security researchers who seek to collaboratively disclose vulnerabilities in your apps or open-source projects.
You may even consider getting your organization involved in efforts like the new Joint Cyber Defense Collaborative that Jen Easterly, the new director for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) described in her keynote speech as an opportunity for different government agencies to partner with the private sector to address an existential threat that impacts all of us.
At the end of the day, a few things were made quite clear at Black Hat USA 2021: no one has the answer to the cybersecurity problem, and we are all in this together.