A study found that ransomware threats are viewed as having the lowest overall perceived likelihood of attack on the edge.

Distributed denial-of-service (DDoS) is the attack method businesses are most concerned about, believing it will have the largest impact on the business.

That was among the chief findings of AT&T's "2023 Cybersecurity Insights Report," based on a survey of 1,418 participants. Theresa Lanowitz, head of cybersecurity evangelism at AT&T Business, calls the perceived risk and rise in concern for DDoS attacks surprising.

"With edge, the attack surface is changing, and taking down a large number of Internet of things (IoT) devices can have significant impact on the business," she says. "The near real-time data created and consumed by most edge use cases make DDoS attacks attractive. By its definition, a DDoS attack will degrade a network and response time."

She adds, "Those who have not invested in DDoS protection are indicating the timing is right to do so."

The study also found ransomware dropped to eighth place out of eight in perceived likelihood of attack type. Yet Lanowitz notes that over the past 24 months, organizations of all types and sizes have invested in ransomware prevention.

"However, ransomware criminals and their attacks are relentless," she cautions. 

Additional analysis suggests cyber-adversaries may be cycling with the rise and fall of different types of attacks.

"Operating systems embedded in edge IoT devices make it more expensive for a financially motivated adversary to target the device with ransomware," Lanowitz says. "It is far more time intensive to write and deploy destructive code for an IoT device running a derivative of a version of Linux than to target a Windows-based laptop."

She explains one of the most pleasantly surprising findings in the report is how organizations are investing in security for edge: Security budgets have become 22% of overall project budgets, equally distributed with strategy.

"We asked survey participants how they were allocating their budgets for the primary edge use cases," she says. "The results show that security is clearly an integral part of edge, and that security is being planned for proactively."

She points to survey results that indicate applications, and the much-needed security for ephemeral edge applications, are part of the broader plan for edge project budgets.

"The expected outcome of what the edge delivers is shifting how organizations budget, plan, and think about focusing on a digital-first business," Lanowitz adds.

Another surprising result from the survey is that globally, the likelihood of a compromise and impact to the business decreased by 28% and 26%, respectively.

"Perhaps this is a case of irrational exuberance, but our qualitative analysis proves that with the edge there is far more communication and collaboration," she says. "Communication, cross-functional work, the line of business leading edge investments, and the use of trusted advisors all play a role in more optimism regarding catastrophic security events."

She adds this also points to the eradication of silos in organization and the reality that teams need to work together.

"Edge computing, with its changing attack surface means the adversaries are seeing things differently," Lanowitz says. "Likewise, businesses must take that same view of an expanded attack surface, potential new threats, or potential increases in existing threats."

**DDoS Threat Persists as International Crackdowns Commence**

The report comes as DDoS attacks continue to make headlines, from German websites getting knocked offline temporarily by the Killnet DDoS to the Serbian government reporting that it staved off five attacks aimed at crippling Serbian infrastructure.

More recently, the pro-Russian hacktivist group KillNet, which launches its campaigns against countries supporting Ukraine, ramped up its daily DDoS attacks against healthcare organizations.

In November 2022, nearly 50 of the most popular platforms available for hire to launch distributed DDoS attacks against critical Internet infrastructure were shut down and their operators arrested in a massive international law enforcement crackdown called Operation Power Off.

DDoS, Not Ransomware, Is Top Business Concern for Edge Networks

Organizations need to remain vigilant and not take the decline as reason to cut back their cybersecurity strategies.

Rising ransomware activity has dominated cyber conversations for the better part of the past decade. Global retail giants and thousands of educational institutions and healthcare providers have been among those to fall victim to rampant ransomware attacks. However, this past year, there has been a surprising number of reports that ransomware attacks are declining. Our recent research at Delinea found that only 25% of the 300 IT and security decision-makers surveyed said they were victims of ransomware in 2022, a significant decrease compared to previous years. Similarly, the recent "SonicWall Cyber Threat Report" showed a 21% decline in ransomware attack volume worldwide last year.

Could this be the light at the end of the tunnel we've all been longing for? While it may be too early to say for certain, there are a few key reasons why ransomware may be on the decline

**Why Is Ransomware Decreasing?**

The most obvious reason is that organizations have learned from their past mistakes and other previous ransomware victims and, as a result, have implemented stronger security tooling and controls to successfully deter or block ransomware attacks. This includes robust threat detection and response, identity and access management, and cloud security mechanisms.

It has also been reported that ransomware attacks may no longer be as fruitful financially as they once were. Research from Chainalysis found that ransomware payments declined substantially in 2022, as more victims refused to pay their attackers. Ransomware attackers extorted approximately $456.8 million from victims in 2022, down nearly 40% from the $765.6 million they had extracted from victims the year before.

The dismantling of prominent ransomware-as-a-service cartel Conti could also account for the decline. Conti was responsible for many ransomware attacks in recent years, but disbanded in May 2022. However, since then, numerous splinter groups and other gangs have emerged, and therefore, Conti's disbandment likely made little impact on the decline. Government agencies around the world have also implemented various initiatives to control the mounting ransomware attacks, which may have caused a reduction in activity. In the US, the White House has created a multiagency ransomware task force and launched the Ransom Disclosure Act in support of reform.

Unfortunately, it's also possible that perhaps ransomware is not decreasing but that the number of companies reporting attacks is. While public companies and organizations that are subject to regulations are required to disclose cyber incidents that jeopardize consumers' personal and other sensitive information, not all have compliance regulations. As a result, they may opt to quietly pay a ransom and conceal the incident. Some ransomware gangs have adapted and moved to target countries that have less protection against ransomware, such as Central and South America, which both experienced some major ransomware incidents in 2022.

**The Danger of the Decline**

Whatever the reasons for the decline, it does not mean organizations are safe. It is critical that organizations do not use the decline as a reason to become complacent and cut back on security controls. Ransomware is, and will always be, a significant risk and concern.

Unfortunately, our report did show that companies are stagnating in their ransomware security controls — fewer organizations are implementing incident response plans and even fewer have budgets allocated specifically to ransomware. This could lead to an increase in attacks, as the focus is taken away from protecting against risks, which in the end amplifies the risk. Despite the decline, organizations must not lose focus, and take the proper steps to protect themselves from ransomware, or unfortunately, we may see an increase in ransomware attacks in 2023, as ransomware gangs are using this period to improve and enhance their variants.

**Protecting Against Ransomware**

One of the most important steps for organizations to take to protect themselves from ransomware is having an incident response plan in place. The plan should outline the steps to be taken in the event of a ransomware attack, including who to contact and what actions to take to prevent further damage. Organizations should also be performing frequent backups, and they should invest in cyber insurance policies that cover ransomware recovery and payments.

It is equally as important, though, that organizations also take a more proactive approach to cybersecurity and invest in the right technologies to prevent ransomware attacks, particularly identity and access controls. Following the principle of least privilege should not be an optional security strategy. By providing users only with the privileges they need, when they need them, attackers are forced to take greater risks, increasing the ability to be detected before they cause more damage. With limited privileges, even if ransomware does gain access to an organization, the damage can quickly be contained.

Unfortunately, we cannot predict the future. But we can hope we continue to see a decline in ransomware as time goes on. This is only possible, however, if organizations remain vigilant and do not take the decline in ransomware as a reason to cut back on their cybersecurity strategies.

The Decline in Ransomware: Does It Actually Increase Risks for Organizations?

The judges appreciated the scale of the problem the startup set out to solve: protecting the integrity of AI systems.

RSA CONFERENCE 2023 – San Francisco – CEO Chris Sestito started his three-minute pitch at Innovation Sandbox on Monday, April 25, with a deepfake video of himself telling the judges not to vote for HiddenLayer, the company he co-founded. Not only did the judges not accede to his request, they crowned the AI security startup as the "Most Innovative Startup 2023" at this year's RSA Conference.

HiddenLayer beat out second-place Pangea and eight other finalists in what host Hugh Thompson called "the most competitive contest yet." One of the judges, Shlomo Kramer, CEO and co-founder of Cato Networks, praised Pangea as addressing the "central category of security" with its block-based application security platform.

But the judges were won over by the importance of securing artificial intelligence (AI). Another judge, Christopher Young, Microsoft's executive vice president, called HiddenLayer's focus area "_the_ problem we're going to face in the next few years."

**What HiddenLayer Digs Up**

That problem is ensuring the health of a company's AI assets.

AI is being used in mission-critical, even life-or-death situations, such as autonomous driving and military analysis. However, AI can only learn from the data it is fed, which means attackers can feed it purposely bad data to get the AI to behave in an unexpected, unwanted manner. And once that training data pool has been poisoned, it's difficult or impossible to scrub — just ask Microsoft, which had to pull the plug on its chatbot Tay when some Twitter users purposely fed it objectionable content.

To guard against insidious techniques, such as data poisoning and adversarial transferability, HiddenLayer relies on AI to protect AI. It employs machine learning (ML) to monitor an ML system's inputs and outputs in order to discern anomalies that suggest adversarial attacks. Sestito called the approach "MLDR" — endpoint detection and response, but for machine learning.

**Judging the Top Competitors**

The competition's judging criteria is as follows: the problem a company sets out to solve, the originality of the solution, the strength of its team, and whether the approach has been validated by the market — that is, is the company making money?

The judges were almost all veterans of the contest: Kramer and Young both served last year, as did Niloofar Razi Howe, senior operating partner at Energy Impact Partners, and Paul Kocher, independent researcher and founder of Cryptography Research. New this year was Barmak Meftah, co-founder and general partner at Ballistic Ventures.

The 10 finalists this year (in reverse alphabetical order): Zama, Valence Security, SafeBase, Relyance AI, Pangea, HiddenLayer, Endor Labs, Dazz, Astrix Security, and AnChain.AI.

Pangea CEO and founder Oliver Friedrichs faced some pointed questions. Kocher flat out asked Friedrichs, "Can your team execute?"

Kocher, who Thompson calls "the Simon Cowell of Innovation Sandbox," asked AnChain.AI CEO and co-founder Victor Fang whether his company's focus on blockchain defense was betting on Web3 succeeding or being an "endless series of disasters."

Endor Labs CEO and co-founder Varun Badhwar earned laughs when he compared the use of open source in enterprise with his surprise twins: in both cases, you have more than you think you do, but at least his twins, unlike open source code, "weren't conceived by strangers on the Internet."

HiddenLayer Nabs Most Innovative Startup Crown at RSAC

Generating an SBOM is easy. It's generating one that's comprehensive and accurate that's hard.

Software is an important part of every business in 2023. And whether you are building it or deploying it, it's absolutely crucial you know more than the potential attackers do about the weak links in your software supply chain.

The future usefulness of software bills of materials (SBOMs) depends on their ability to conform to standards, account for the entire codebase, and allow for interoperability at enterprise scale — something our industry has struggled to do in a uniform way.

Generating an SBOM is relatively easy. But generating a comprehensive and accurate SBOM that conforms to standard specifications and allows enterprises to interoperate with them at scale can be difficult. That's why I coined the term "full Monty SBOM" to describe a comprehensive SBOM solution that provides the content and interoperability needed for its future utility for security, legal, and operational purposes. An SBOM that lacks this comprehensiveness could lead to invalid security or operational assumptions.

**Standardization**

For SBOMs to be universally exchanged and automatically read, their exchange format must conform to a standard specification.

The two standards that the industry is converging on are SPDX and CycloneDX. The goal of these standards is to establish uniformity in output, such that when two different SBOM generation tools are used to produce an SBOM of the same software, they produce the same results. These formats can be tailored to include, exclude, or link to certain information, such as licenses, copyrights, and vulnerabilities, depending on the use case and industry vertical.

It's important to note that SPDX and CycloneDX are just standards describing the structure of an SBOM file. They do not address accuracy or comprehensiveness. If your SBOM generation process or tool feeds garbage into the file, it will produce (nicely formatted) garbage out.

**Comprehensiveness**

In almost any software application, the biggest attack surface consists of open source components. These make up an average of 76% of a software application and are developed by individuals from around the world. Log4j is an example of how a single vulnerability in a single open source component can have a massive global impact. For most organizations, one of the highest priorities in securing their software supply chain and safeguarding information infrastructures is rapid identification and remediation of open source software vulnerabilities.

There is a knee-jerk reaction by many that an SBOM is just an open source software (OSS) inventory. Most software composition analysis (SCA) vendors will produce some type of SBOM that lists the OSS components, with varying levels of transitive dependencies. However, an OSS-only SBOM can leave an organization exposed through vulnerabilities within other types of code that make up its software supply chain.

But a comprehensive — or full Monty — SBOM reveals all of an application's ingredients, which includes custom code, open source components, and third-party non-OSS components. Since vulnerabilities can stem from all types of code and not just open source, this is critical.

**Interoperability**

SBOMs are static documents. Therefore, having one from a software supplier is of limited value if you can't do anything other than inspect it. The real value is in your ability to do something with it — that is, its interoperability — and incorporate it into other life-cycle risk management processes, such as patch management and deployment risk assessments, all at enterprise scale.

Let's look at three common things teams can do with an SBOM that's interoperable: merge, query, and monitor.

*   **Merge:** Automobile manufacturers will often need to aggregate multiple SBOMs produced by several different software vendors, using different standard formats, into a single system SBOM.
*   **Query:** If there is a new zero-day vulnerability in a widely used software component, you will want to query all your SBOMs to determine which of your many software applications contains that specific vulnerable software component. This can be technically daunting when you have thousands of apps that must be examined for about 60 new CVEs per day. Being able to query thousands of SBOMs from one single interface is a key element of interoperability and effective software risk management.
*   **Monitor:** With SBOMs that are designed to be interoperable, teams can integrate them with threat intelligence and vulnerability management systems so that, when a new zero-day vulnerability has surfaced, they can automatically inspect all their existing SBOMs for that specific vulnerability and notify its product life-cycle management system of the risk.

**Not a Silver Bullet**

A full Monty SBOM, albeit incredibly important, is just one small part of software supply chain risk management (SSCRM). Other factors include ensuring that custom code and OSS are free of security weaknesses and known vulnerabilities, that the software is compliant with regulations, and that the development pipeline is secure and tamper-resistant. You expect your food supply chain not to endanger your health; for example, you wouldn't eat cookies containing unknown ingredients, manufactured in a factory open to cross-contamination, in conditions that violated health regulations. So too, you need assurance that your software supply chain is safe for your enterprise.

Whether dealing with cookies or software, ensuring that the product is safe to consume is the outcome of many safety and security processes and periodic testing performed during manufacturing — not simply having an SBOM in place.

Building a Better SBOM

Researchers find 250 million artifacts and 65,000 container images exposed in registries and repositories scattered across the Internet.

Many organizations, including some of the world's largest companies, are at heightened risk of compromise and data theft from misconfigured and poorly secured software registries and artifact repositories, a new study has shown.

Research that cloud-security vendor Aqua Security recently conducted uncovered some 250 million software artifacts and more than 65,000 container images lying exposed and Internet-accessible in thousands of registries and repositories. Some 1,400 hosts allowed access to secrets, keys, passwords, and other sensitive data that an attacker could use to mount a supply chain attack, or to poison an enterprise software development environment.

**Wide Registry Exposure**

Aqua discovered 57 registries with critical misconfigurations, including 15 that enabled an attacker to gain admin privileges with just the default password; 2,100 artifact registries offered upload permissions, which potentially gave anonymous users a way to upload malicious code to the registry.

In all, Aqua found nearly 12,800 container image registries that were accessible over the Internet of which 2,839 permitted anonymous user access. On 1,400 hosts, Aqua researchers found at least one sensitive data element such as keys, tokens, and credentials; on 156 hosts the company found private addresses of endpoints such as MongoDB, Redis, and PostgreSQL.

Among the thousands of affected organizations were several Fortune 500 companies. One of them was IBM, which had exposed an internal container registry to the Internet and put sensitive data at risk of access. The company addressed the issue after Aqua's researchers informed it of their discovery. Other notable organizations that had potentially put their data at similar risk included Siemens, Cisco, and Alibaba. In addition, Aqua found software secrets in registries belonging to at least two cybersecurity firms exposed to the Internet. Aqua's data is based on an analysis of container images, Red Hat Quay container registries, JFrog Artifactory, and Sonatype Nexus artifact registries.

"It's critical that organizations of all sizes around the world take a moment to verify that their registries — whether public or private — are secure," advises Assaf Morag, lead threat intelligence and data analyst at Aqua Security. Organizations that have code in public registries or have connected their registries to the Internet and allow anonymous access should ensure their code and registries don't contain secrets, intellectual property, or sensitive information, he says.

"The hosts belonged to thousands of organizations around the world – ranging by industry, size, and geography," Morag notes. "That means the benefits for an attacker could also range."

**Risky Registries & Repositories**

Aqua's research is the latest to highlight the risks to businesses from data in software registries, repositories and artifact management systems. Development teams use software registries to store, manage, and distribute software, libraries, and tools and use repositories for centrally storing and maintaining specific software packages from within the registry. The function of artifact repositories is to help organizations store and manage the artifacts of a software project such as source code, binary files, documentation, and build artifacts. Artifact management systems can also include Docker images and packages from public repositories such as Maven, NPM, and NuGet.

Often, organizations using open source code in their projects — an almost ubiquitous practice at this point —connect their internal registries and artifact management systems to the Internet and allow anonymous access to certain portions of the registry. For instance, a software development team using JFrog Artifactory as an internal repository could configure external access so customers and partners can share its artifacts.

Threat actors seeking to compromise enterprise software development environments have increasingly begun targeting software registries and repositories in recent years. Some of the attacks have involved attempts by threat actors to introduce malicious code into development and build environments directly or via poisoned packages planted on NPM, PyPI, and other widely used public repositories. In other instances, threat actors have targeted these tools to gain access to the sensitive information such as credentials, passwords, and APIs stored in them.

Aqua's research showed that, in many cases, organizations are inadvertently making it easier for attackers to carry out these attacks by mistakenly connecting registries containing sensitive information to the Internet, posting secrets in public repositories, using default passwords for access control, and granting overly excessive privileges to users.

In one instance, Aqua uncovered a bank with an open registry featuring online banking applications. "An attacker could have pulled the container, then modified it and pushed it back," Morag says.

In another instance, Aqua discovered two misconfigured container registries belonging to the development and engineering team of a Fortune 100 technology company. Aqua found the registries to contain so much sensitive information and afford so much access and privileges for doing damage, that the company decided to halt its research and inform the technology company of the issue. In this case, the security snafu resulted from a development engineer opening up the environment while working on an unapproved side project.

Millions of Artifacts, Misconfigured Enterprise Software Registries Are Ripe for Pwning

Researchers are unraveling the threads connecting two separate, but in some ways overlapping, Russian-language APTs.

Certain campaigns previously connected to the Russian advanced persistent threat (APT) Turla were actually conducted by what appears to be an entirely separate group researchers have named "Tomiris."

Turla (aka Snake, Venomous Bear, or Ourobouros) is a notorious threat actor with ties to the Russian government. Over the years it has utilized zero-days, legitimate software, and other means to deploy backdoors in systems belonging to militaries and governments, diplomatic entities, and technology and research organizations. In one case, it was even linked, through its Kazuar backdoor, to the SolarWinds breach.

Not everything is Turla, though. In a new blog post, researchers from Kaspersky have published evidence that certain attacks previously correlated with Turla were carried out by Tomiris, an entirely different group with different tactics, techniques, and procedures (TTPs) and affiliations.

"We strongly believe Tomiris is separate," says Pierre Delcher, senior security researcher at Kaspersky's GReAT. "It's not the same targeting, not the same tools, not the same sophistication as Turla."

**Separating Turla and Tomiris**

Attribution in cyberspace is difficult. "Highly skilled actors use techniques that mask their origins, render themselves anonymous, or even misattribute themselves with false flags to other threat groups to throw researchers off the track," explains Adam Flatley, former director of operations at the National Security Agency and VP of intelligence at \[Redacted\]. "Often we can only rely on a threat actor's operational security mistakes to find leads on their true identities."

Tomiris is a case in point. Kaspersky began tracking what now appears to have been Tomiris activity three years ago, in a DNS hijacking campaign against a Commonwealth of Independent States (CIS) government. The culprits' hallmarks appeared to be a mix of Russian APT soup. The Tomiris backdoor was discovered on networks alongside Turla's Kazuar backdoor, which itself had parallels to the Sunburst malware used in SolarWinds' breach.

Yet the details connecting Tomiris and Turla never quite lined up. "The implants they deployed were ... well, they sounded off, compared to what we knew about Turla," Delcher says. "So really, there was basically nothing in common, and even the targets were actually not fitting what we knew of past Turla interests."

Targeting is a major clue. "Tomiris is very focused on government organizations in the CIS, including the Russian Federation," Delcher explains, "whereas in the cybersecurity scene, some vendors associate Turla as a Russian-backed actor. That wouldn't make a lot of sense, if a Russian-sponsored actor targeted the Russian Federation."

As recently as this year, Mandiant published research about a Turla campaign in which it admitted, at one point, that there were "some elements of this campaign that appear to be a departure from historical Turla operations." The Kaspersky researchers have, with "medium confidence," assigned these findings to Tomiris operations.

**Connecting Turla and Tomiris**

All this isn't to say there's no connection at all between Tomiris and Turla.

In attacks between 2021 and 2023, Tomiris made use of KopiLuwak and TunnusSched — two of Turla's malicious tools. Because they had Turla's goods, Delcher says, "we strongly believe they might have been cooperating at some point, or they might still be cooperating right now."

Exactly how the groups connect is up for grabs. "They could be running an operation together," Delcher speculates, "or they could rely on a similar supply chain. They could have, for example, asked an independent developer to develop a backdoor, and the independent developer provided it to both Turla and Tomiris."

A more definitive answer will be hard to come by. "The only way to reliably and consistently get accurate attribution," Flatley bemoans, "is to use computer network exploitation techniques that are only legally allowed for government agencies to employ."

**Why This Matters to Businesses**

Distinguishing between threat actors isn't simply an educational exercise, Delcher says. It can help organizations better defend themselves.

For example, an organization affected by or otherwise worried about Turla might see the Kazuar malware and assume it's the work of that group.

"So, you grab all of the Turla IoCs, the technical intelligence, and address it with that assumption," Delcher says. "Of course, this is misguided because if they are not the same actors they won't use the exact same techniques, or the same implants. From the defender's perspective, you don't want to end up confused."

Diligent defenders will do well to pay attention to the subtle differences between groups, but certain principles apply across APTs.

"Elite threat actors will still take the easy way in if it exists, so reducing attack surface with things such as aggressive patch management and implementing MFA on every account possible still goes a long way," Flatley says. Prevention isn't enough against groups like this, though, so advanced detection capabilities and a plan for the worst case scenario are also necessary. "Visibility, married with a well-constructed and regularly practiced incident response plan, can greatly reduce the risk associated with threat actors of all levels."

Tangled Up: 'Tomiris' APT Uses Turla Malware, Confusing Researchers

JumpCloud integrates with Google Workspace to extend enterprise-quality security capabilities to small and midsize organizations.

**SUNNYVALE, Calif.****,** **April 24, 2023** **/PRNewswire/ --** Google Cloud today announced a series of new security alliances to bring more choice, capability, and simplicity to enterprise and public sector IT teams tasked with managing hybrid work at scale.

Google Workspace comes with industry-leading security built into its cloud-native, zero trust architecture. These capabilities combine threat defenses powered by Google AI, client-side encryption, data privacy controls, and simple access to Google Cloud cybersecurity products like BeyondCorp Enterprise and Chronicle Security Operations, to automatically stop the vast majority of online threats before they emerge—while also supporting customers' regulatory and sovereignty needs. Through its ecosystem of cybersecurity partners, Google Workspace can extend these capabilities further by combining them with tools from the industry's leading security companies, enabling customers to adopt comprehensive, secure collaboration solutions to meet their specific security needs as part of a single Google Workspace offering. 

"Global enterprises want to provide their workforces with more effective and secure ways of collaborating, with tools that increase productivity and avoid the vulnerabilities of legacy productivity solutions," said Sunil Potti, VP and GM of cloud security, Google Cloud. "Through its growing ecosystem of security partners, Google Workspace offers the most enterprise-ready platform for hybrid work, providing organizations with confidence and flexibility to work securely."

**Securing Enterprise Workforces with Okta and VMware**

Today, Google Cloud is extending the built-in identity, device, and access management capabilities of Google Workspace through new alliances with **Okta** and **VMware,** enabling large-scale businesses and public sector organizations to provide their workforces with FedRAMP-authorized collaboration and communication tools. Google Workspace works seamlessly with the enterprise-grade identity and access management capabilities in Okta Workforce Identity Cloud and the device and application management capabilities in VMware Workspace ONE, providing organizations with more choice and flexibility in how they enable safer collaboration for their workforce.

*   **Okta's Workforce Identity Cloud** brings Okta's leading identity and access management capabilities to Google Workspace customers, securely connecting employees, contractors, and business partners from any device and any location. Workforce Identity Cloud's flexible rules and policies ensure employees have just the right level of access they need to get their work done. With Okta, employees can use their Google Workspace credentials across more than 7,000 pre-built apps in the Okta Integration Network to reduce password sprawl for increased security.
*   **VMware Workspace ONE** extends VMware's industry-leading unified endpoint management and zero trust access capabilities to Google Workspace. IT teams can manage all Google Workspace apps through VMware's comprehensive platform, which provides users with quick and easy access to business applications and makes it simple for administrators to onboard devices, change configurations, push automated OS updates, and more, without requiring a combination of disjointed third-party solutions. Workspace ONE administrators can also access a collection of device-health dashboards and reports, along with multi-tenancy for management across geographies, organizations, and use cases.

"Identity is the connective tissue between a business's ecosystem of people and the technologies they need to be successful in hybrid and remote work," said Arnab Bose, chief product officer, Workforce Identity Cloud at Okta. "This partnership allows us to bring identity-powered security to Google Workspace customers while giving them an easy button to optimize their employee experiences and increase operational efficiency."

"The rapid shift to hybrid work has highlighted the need for IT teams to do more with less, while simultaneously balancing the increasing demands of security and productivity," said Renu Upadhyay, VP of product marketing, End-User Computing, VMware. "This VMware and Google Cloud partnership unlocks a transformative approach to end-user computing by creating an automated, unified, and secure experience across all endpoints, apps, and enterprise services, no matter where employees work."

**Helping Small and Midsize Organizations Replace Legacy Directory Services with JumpCloud**

**JumpCloud Open Directory Platform** provides customers with an alternative directory service to replace aging Microsoft Active Directory servers that is a modern, cloud-based solution. The platform works seamlessly with Google Workspace, enabling identity workflows and synchronization to thousands of applications, HRIS systems, and cloud infrastructure. It also combines these features with desktop and mobile device fleet management capabilities to ensure secure, frictionless access to applications and other resources from any operating system or location an employee chooses to work from.

"IT teams are looking for solutions that centralize access, device, and identity management. They need easier and more effective ways to secure how work happens," said Greg Keller, CTO and co-founder, JumpCloud. "The Google Cloud and JumpCloud solution gives IT teams a modern and affordable option to securely manage today's work on-prem, in the cloud or on the go. This offering provides IT teams, and channel IT solution providers, a more affordable, best in class alternative to expensive, legacy Microsoft packages."

**Google Workspace's Flexible, Secure Ecosystem**

Google Workspace is committed to offering more choice by providing organizations of any size with the ability to combine purpose-built security tools from its ecosystem of cybersecurity partners. New updates with JumpCloud, Okta, and VMware will build on existing offerings with CrowdStrike, which extends endpoint protection and Zero Trust through the CrowdStrike Falcon platform, and Palo Alto Networks, which extends endpoint protection and Zero Trust through Prisma Access and Cortex XDR. Over the coming year, deeper technical integrations with these partners will expand the joint capabilities available to Google Workspace customers, making it even easier to adopt Google Workspace for organizations with the most rigorous security and regulatory requirements.

Interested customers can learn more here.

**About Google Cloud**

Google Cloud accelerates every organization's ability to digitally transform its business. We deliver enterprise-grade solutions that leverage Google's cutting-edge technology – all on the cleanest cloud in the industry. Customers in more than 200 countries and territories turn to Google Cloud as their trusted partner to enable growth and solve their most critical business problems.

_VMware and Workspace ONE are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in_ the United States _and other jurisdictions._

SOURCE Google Cloud

Google Workspace Extends Enterprise-Grade Security and Device Management for Hybrid Work With Okta and VMware

Websites, cloud services, and API servers are seeing ever more automated traffic — aka bots — forcing companies to find ways to separate the digital wheat from the chaff.

Attackers are increasingly automated, with credential stuffing and automated application attacks surging, making the ability to detect, manage and mitigate bot-based requests increasingly important.

The sector focused on managing bots gained a new player last week, when Edgio — a company formed through a merger of Limelight Networks, Yahoo Edgecast and Layer0 — announced its own bot management offering. The service focuses on using machine learning and the company's Web security capability to allow granular policy controls, and joins other offerings from Web application firewall (WAF) providers and Internet infrastructure providers, such as Akamai, Cloudflare, HUMAN, and Imperva.

The service is not just about warding off increasingly automated attacks: Gaining the ability to see and manage so-called "good" bots — such as search bots and performance monitoring services — is just as important as preventing attacks from "bad" bots, such as credential stuffing attacks and application service attacks, says Richard Yew, senior director of product management for security at Edgio.

"Bot management means not just identifying and mitigating the bad bots, but also identifying and helping customers monitor good bots," Yew says. "You definitely need the security solution ... but you also want visibility to be able to monitor good bot traffic."

While human-originated requests continue to dominate overall Internet traffic, accounting for an increasing share of bandwidth, the total volume of bot requests have increased over time. In 2022, for example, the number of application and API attacks more than doubled, growing by 137%, according to Internet infrastructure firm Akamai. Another major source of bad bot traffic, credential stuffing attacks, accounted for a third (34%) of authentication events, according to authentication service provider Okta.

Requests from automated systems — and not humans — accounted for approximately 42% of all Internet traffic in 2021, the latest data available, according to data from Imperva. (Click here for a larger view of the above chart.)

**Are You a Good Bot or Bad Bot?**

The impact of bots on consumers can be obvious, but the impact of bots on businesses is not always so clear. While bots can hoard inventory, such as causing a shortage in Taylor Swift tickets or the Sony Playstation 5, other arguably legitimate uses include scraping data for competitive advantage or training machine learning systems. Still others are welcomed by most businesses, including search bots for which many companies try to optimize.

Dealing with bots often falls to security, but the threats extend to all facets of a business, says Sandy Carielli, principal analyst at Forrester Research.

"Bot management is not just about security being the decision-makers," she says. "If you're dealing with a lot of inventory-hoarding attacks, your e-commerce team is going to want to say in \[the response\]. If you're dealing with a lot of ad fraud, your marketing team will want to be in the room."

Bot management systems typically boil down to identifying the source of Web or API requests and then using policies to determine what to allow, what to deny, and which requests represent potentially interesting events or anomalies.

**Bots Focus More on APIs**

While the most common type of bot-based attack is credential stuffing, where the bots are used to attempt to use stolen credentials to log into a cloud service, the rise of API traffic has led to a variety of new attacks. Resource consumption attacks, which are a common form of denial-of-service attack, are now being ported to Web application programming interfaces (APIs).

By sending seemingly legitimate or outright fraudulent requests to an API server, an attacker could cause that server to process the request, which could be resource-intensive as more computational power is being made accessible through APIs. Because many of today's most expensive API calls are machine interfaces to machine learning systems, for example, attackers could run up a company's bill by using bots and APIs.

In a way, the bots — and defenses against them — are creating a circular economy, says Patrick Donahue, vice president of product at Cloudflare.

"It's interesting because essentially we're creating AI and machine learning systems to help other AI companies to keep their costs in check, so it's really like machine learning being used to stop machines from abusing other machine learning systems," he says.

**Close to the Edge**

Increasingly, bot management firms are pushing their technologies closer to the edge of the network, not just to protect clients but to catch attacks as soon as possible.

Edgio, as its name indicates, inspects traffic at the edge of the network and only allows "clean" traffic through its network. Requests enter through a point of presence (POP) close to the user — or the attacker — and exit through a POP close to the destination server or cloud service.

The benefit of such an architecture is that it stops attacks before they can impact other parts of the network, says Edgio's Yew.

"The advantage of us being close to the end user is that we're also close to the attacker because, let's face it, a lot of the attackers, they're just compromised devices," he says. "The same computer you use to watch TV and browse the Internet \[is\] probably the same device that's part of the zombie botnet launching any sort of bot attack. So it's very important to have a distributed infrastructure that allows us to run any workload with high performance and low latency."

The model mirrors what other vendors have done as well. Content delivery networks (CDNs), such as Akamai, Cloudflare and Fastly, also use edge servers to provide fast access to content and have adopted bot management features as well.

Bot Management Aims to Tame Attacker Automation

As investigations continue, researchers find confirmation in their suspicions of a sprawling attack affecting multiple organizations.

Just a month after the North Korea-linked APT hacker group known as Lazarus targeted 3CX in a supply chain attack, Symantec's researchers have found that two infrastructure organizations as well as two businesses involved in financial trading were affected in the same attack.

The initial compromise that affected 3CX — also known as the X-Trader software supply chain attack and first discovered by Mandiant researchers — was a supply chain compromise that "spread malware via a Trojanized version of 3CX's legitimate software that was available to download from their website." This breach caused customers to download malicious versions of the company's video-calling software.

As the investigation unfolds with new information, the names of the two critical infrastructure organizations affected have not been revealed, but they are in the power and energy sector, in the US and Europe, respectively. The attack seems to be financially motivated; while North Korea-sponsored threat actors engage in cyber espionage, they also go after funds for the regime. 

If important organizations are being targeted now, it could lead to further exploitation in the future, researchers are warning.

"The impact from these infections is unknown at this time — more investigation is required and is on-going," said Eric Chien, director of security response at Symantec, after stating that the attacks occurred between September and November last year.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Critical Infrastructure Organizations Further Affected in 3CX Breach

Getting a handle on the new risks facing AppSec by low-code/no-code development patterns

As low-code and no-code application development platforms gain more currency among business groups seeking speedy workarounds to long development backlogs, concerns about application security loom.

The low-code movement increases software engineering agility by speeding up the work of developers and enabling nontechnical business users to create their own applications and add new features to existing tools without needing to engage the engineering team. Low-code development offers the kind of elegant simplicity that’s irresistible to executives with big digital transformation aspirations.

But that kind of "it just works" opacity sends shudders down the spines of cybersecurity veterans. Any security professional with experience with emerging tech cycles instinctually understands that there be dragons in the waters that lie ahead for low-code/no-code — even if they’ve not yet mapped out exactly what kind of monsters they’re dealing with or where they are just yet.

Michael Bargury, author of the Low-Code/No-Code OWASP Top 10, will explain the exact nature of some of low-code/no-code's biggest security risks at the RSA Conference in San Francisco. Chief among them are patterns of permissioning that could throw many of the investments that organizations have made in role-based access control and identity management right out the window.

**Low-Code's Expected Explosion**

Low-code and no-code technologies provide graphical user interface (GUI) environments that make it possible to design and deploy applications and new features for fast-evolving business use cases without intensive hand-coding. These technologies include low-code application platforms (LCAP), robotic process automation (RPA), and business process automation (BPA), among others. Recent forecasting by Gartner shows that by next year the LCAP market will have doubled its revenue from 2021 and the broader low-code segment will reach nearly $32 billion.

These low-code technologies are being used by development teams to speed up and scale their work, by teams of developers and business stakeholders to improve collaboration on fast-moving digital initiatives, and by a new class of citizen developers who create their own apps without waiting for development resources.

It's that last group that’s fueling the explosion of low-code and no-code platforms and the use of low-code functionality within broader software-as-a-service (SaaS) application ecosystems. Gartner predicts that the overall low-code market will increase by 19.6% in 2023, with the fastest-growing segment being citizen automation development platforms, which are set to increase by over 30%. Analysts with the firm say that developers outside of formal IT departments already make up well over 60% of the low-code user base, and by 2026 citizen developers and other nontraditional application designers are going to make up 80% low-code users.

"Business technologists and citizen technologist personas are developing lightweight solutions to meet business unit needs for enhanced productivity, efficiency, and agility — often as fusion teams," said Jason Wong, distinguished VP analyst for Gartner in a recent low-code forecast by the firm.

**Low-Code's IAM Bombshell**

In the face of all this growth in low-code technology, Bargury is on a mission to warn security executives of the risks it poses to application security and cybersecurity postures in the near- and long-term. One of the biggest risks is the fact that these platforms are rampantly sharing credentials in order to work around strict access controls built by organizations over the years, says Bargury, co-founder and CTO of Zenity, a startup focused on low-code/no-code security.

"Let's say that you already have a SaaS platform and you've built this low-code platform on top of SaaS. Now business users can create their own applications and share those applications with their teams and other employees to use as well. So what would be the number one thing that would stop them from being able to do that in the enterprise?" Bargury says. "The answer is permissions."

As he explains, if a business user wants to create their own app, they need to get permissions granted to that app to give it access to data stores and to get it to integrate with other systems. And to get that, these citizen developers would traditionally need to wait for somebody from IT to grant that. Not only would these app designers probably hear a lot of "nos" from these teams, but just waiting for the provisioning process to run its course would essentially neutralize the whole agility value proposition of using low-code in the first place.

So, to get around this problem, many low-code/no-code platforms allow business users to build applications using their own credentials and identities. When they share those applications to other users for broader use, those credentials are shared by everyone.

"Let's say I work in finance. I build an application, and I implicitly embed my own identity within that application, and now I'm sharing that application with you," Bargury says. "You are using the app and everything works, and it's fine, you have access to data. But the underlying application is actually still using my identity to provide that access. I call this credential-sharing-as-a-service."

And as he puts it, this is a feature that low-code development platforms are proud of and actively marketing because they enable productivity. But obviously from a security perspective it can quickly turn into a nightmare. It could undermine the integrity of role-based access controls, throw off user and entity behavioral analytics, and create huge compliance risks in the future, says Morey Haber, CSO for privileged access management firm BeyondTrust

"Credential-sharing-as-a-service would impact an organization's ability to accurately provide attestation reporting for all identities utilizing the service," Haber says. "Accounts present from a low-code development platform environment would provide an unknown for accurately who has access, including foreign identities."

Chris Hughes, CISO and co-founder of Aquia, says he has a hard time seeing how low-code platforms that handle permissions in this way could possibly be used in secure coding environments.

"They are just not compatible," he says. "In fairness, this is a new risk that is now being exposed for these solutions, and now that this information is public, it needs to be amplified for all organizations to measure the risk and determine if they are violating any laws by using this type of software."

**Yet Another BYOD Scenario**

For his part, Bargury doesn't believe that blocking low-code development is the answer to these risks.

Security professionals who were around during the advent of the iPhone and other consumer-class devices and cloud services will understand that this wave of low-code development will mirror the same challenges they faced in the first days of bring-your-own-device hype. While AppSec pros have to seek ways to effectively manage these risks, there is no way that they're going to do that by stopping the low-code freight train.

"It's like when people started using mobile, and security teams were like, 'Yeah, nobody will ever use mobile with our company data.' We tried to block it, but it didn't work," says Bargury.

Low-code/no-code technology is already more pervasive in the enterprise than many security professionals even realize, he adds

"There are multiple vendors that are pushing this space forward, but some of them are the SaaS vendors, which are building low-code/no-code into their existing offerings," explains Bargury, pointing to vendors like ServiceNow, Salesforce, Microsoft, and many others that have already pushed these features into their enterprise offerings. "This is a crucial point because it means that nobody gets to choose if they will have low-code/no-code or not because it's already there."

Not to mention the fact that business users and executive sponsors love low-code technologies. Low-code platforms are helping them overcome lengthy application feature request backlogs that have plagued their digital transformation efforts for years. The agility and ROI of low-code is something that security practitioners cannot discount. Just like with BYOD, this is a political battle they can't win, Bargury says.

Much of Bargury's talk at RSA Conference will focus on helping AppSec practitioners understand the kinds of security guardrails they can institute around low-code platforms to make them more compatible with broader security and compliance needs of the business.

This includes better vetting of which low-code technologies are in use within the organization, more scrupulous development of policies and configuration around how low-code platforms orchestrate the provisioning of access within the applications they produce, and more robust black-box testing of applications produced by low-code technology.

"I think the worst approach would be to try and block low code because people will just use something else," he says. "The best approach would be to say, 'Here's a few approved platforms. You can do whatever you want in them. There are automated guidelines to help protect you. We got your back. Don't think about security. You are in finance, you are in sales, do your thing.' That's something that we as security practitioners need to be proactive about."

Source

DARKReading