Major partnership program aims to break down barriers and empower underrepresented groups in cybersecurity across the globe.

**ALEXANDRIA, Va., Nov. 1, 2022 /PRNewswire/ —** (ISC)² – the world's largest nonprofit association of certified cybersecurity professionals – today announced five key global partnerships in support of its diversity, equity and inclusion (DEI) initiative. The partners include the Australian Women in Security Network (AWSN), Cyversity, Blacks United in Leading Technology International (BUiLT), Women4Cyber and Chartered Institute of Information Security (CIISec).

Each partnership has unique objectives and will include support from (ISC)² in areas such as partnership promotion, co-branded and DEI-focused webinars, (ISC)² Certified in Cybersecurity promotion, grants for education and exams, along with co-branded toolkits and guides to assist both leaders, organizations and professionals on their DEI journeys and career development.

"It's no secret that the cybersecurity industry isn't nearly as diverse as it should be," said Dwan Jones, director of Diversity, Equity and Inclusion at (ISC)². "Our mission at (ISC)² is to not only enable individuals from all backgrounds to enter the cybersecurity industry but also to empower and equip them to excel in their positions and continuously grow in their careers. These five organizations have unique expertise and perspectives that will empower us to accomplish that mission and open new and diverse pathways for professionals looking to join the industry globally. Kicking off our DEI partnership program with this group of dedicated organizations is an exceptional opportunity to work together to transform this industry."

**Australian Women in Security Network**

The AWSN is a not-for-profit association and network of people aimed at increasing the number of women in the security community. Founded in 2015, it connects women, who often felt isolated in organizations and tertiary education institutions with like-minded individuals.

"(ISC)² is just the type of organization the cybersecurity industry needs today," said Jacqui Loustau, the founder and executive director of the AWSN. "At the AWSN, we believe partnering with membership organizations is a fundamental way to not only reach women we haven't been able to reach yet but also to introduce them to other women with similar interests, goals and aspirations. That shared passion is what's going to keep women in the field and make them want to share that passion with the next generation."

**Blacks United in Leading Technology International**

BUiLT is the largest community and nonprofit professional organization that focuses on black people in the technology industry. BUiLT is dedicated, with its allies, to increasing the representation and participation of black people in the technology industry by fostering the connection, development, and employment of its members.

"Diversity continues to lag in the tech and cyber industries – and in order to meet the workforce gap head on, we need to create racial equity by helping the black community explore new career possibilities within these fields," said Peter Beasley, executive director and chairman of the board, BUiLT. "Partnering with (ISC)² enables our members to explore new opportunities. It encourages a shift we need – to convert, train and educate adults already in the workforce to meet the open roles in the tech and cyber industries."

**Chartered Institute of Information Security**

CIISec is committed to raising the standard of professionalism in information and cybersecurity. CIISec provides a universally accepted focal point for the information cybersecurity profession. It is an independent not-for-profit body representing between 20,000-30,000 individuals in the information and cybersecurity industry. Governed by its members, it ensures standards of professionalism for training, qualifications, operating practices and individuals.

"Without diversity and inclusion, the industry will stagnate and be left unable to keep up with complex cyber threats," said Amanda Finch, CEO of CIISec. "To attract a pool of diverse professionals into cyber security, the industry needs to highlight the variety of roles available. From forensics to threat intelligence to researchers, there are opportunities out there for everyone. Cyber security can no longer be viewed as a 'boys-only club' where technical skills are valued above all. We need to move away from this and keep creating a culture where everyone can thrive, feel valued and be accepted.**"**

**Cyversity**

Cyversity is a diverse community of cybersecurity professionals whose mission is to achieve the consistent representation of women and underrepresented minorities in the cybersecurity industry through programs designed to diversify, educate, and empower. Cyversity tackles the 'great cyber divide' with scholarship opportunities, diverse workforce development, innovative outreach, and mentoring programs.

**Women4Cyber**

Women4Cyber is an initiative that aims to address the gender gap among cybersecurity professionals in Europe. In pursuing this objective, its main goal is to encourage and promote the skilling, up-skilling, and re-skilling of girls and women toward cybersecurity education and professions.

"These partnerships broaden our reach and open the doors to more women and underrepresented groups who are interested in pursuing a career in cybersecurity," said Clar Rosso, CEO at (ISC)². "We've been making huge strides as an organization in expanding cybersecurity training and education to more diverse groups. These partnerships help further that mission, ultimately addressing the global workforce talent gap we are facing today as an industry. There's only more to come."

In August, Rosso announced (ISC)²'s One Million Certified in Cybersecurity initiative at the Cyber Workforce and Education Summit at the White House. The initiative is a multi-year commitment to deliver free exams and educational resources to one million people looking to enter a career in cybersecurity. Of the one million pledged, 500,000 certifications will go to underrepresented groups, furthering the association's efforts to reduce the global cybersecurity skills gap through greater diversity and inclusion.

To learn more about (ISC)²'s diversity, equity and inclusion initiatives and access available resources, please visit https://www.isc2.org/DEI.

**About (ISC)²**  
(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates and members, more than 235,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook and LinkedIn.

(ISC)² Expands DEI Initiative with International Partnership Agreements

Grant will be used to design reliable method of reducing cybersecurity gaps that lead to data breaches and develop a training course.

**DOBBS FERRY, N.Y., Oct. 31, 2022 /PRNewswire-PRWeb/ —** Mercy College has received a two-year $465,398 grant from the National Centers of Academic Excellence in Cybersecurity (NCAE-C), an arm of the National Security Agency (NSA). The grant will be used by College faculty and staff to design a reliable method of reducing cybersecurity gaps that lead to data breaches and to develop a training course at Mercy College for delivering the technology.

The grant stems from the NCAE-C's mission to create a collaborative cybersecurity educational program to engage experts in the field in solving the rising problem of data breaches. Mercy College has been tasked with addressing the human component in security breaches, especially those involving individuals, such as hackers or former employees, who break through security systems to access sensitive data.

Usman Rauf, Ph.D., assistant professor of cybersecurity, will serve as principal investigator (PI) on the grant. He will be assisted by co-PI, Zhixiong Chen, Ph.D., director of the Cyber Education Center at Mercy College, which has been designated by the NSA and the Department of Homeland Security as a Center of Academic Excellence on Cybersecurity Defense Education.

According to a recent data report from Verizon, up to two-thirds of breaches are not discovered until a year or more after the incident. "By then the damage is done, well before strategies for detection and deterrence are in place," said Rauf, whose 2021 paper on the subject was published in the journal Future Generation Computer Systems. "We propose to develop a system of detecting irregular or unexpected behavior that should be flagged as a threat." Once identified, an automated process will alert the system administrator and other authorities, enabling earlier intervention and minimizing the damage caused by the breach.

In a second phase, the team will design a novel master's level course, Cyber Threat Analytics, that will offer training in observation, analysis, and application. In the pilot program, Mercy College students will use state-of-the-art techniques and pipelines to learn how to detect and manage insider threats in a variety of scenarios. The team also expects to research and publish papers on multiple aspects of cyber threat analytics. "We are confident that the outcomes of this project will be of great benefit to industry and academia," Chen said.

"Mercy is proud to have been awarded a grant from the National Security Administration and for the opportunity to contribute to the advancement of the country's cybersecurity," said Mercy College President Tim Hall. "Through this grant, Mercy also looks forward to giving students the ability to learn in-demand industry skills that will benefit them upon graduation."

**About Mercy College**

  
Founded in 1950 by the Sisters of Mercy, Mercy College is an independent, coeducational college that offers more than 100 undergraduate and graduate degree and certificate programs within five schools: Business, Education, Health and Natural Sciences, Liberal Arts and Social and Behavioral Sciences. The vibrancy of the College culture is sustained by a diverse student body from around the region. The College offers campuses in Dobbs Ferry, the Bronx and Manhattan as well as online offerings.

Mercy College Awarded NSA Research Grant to Develop Cybersecurity Technology

A critical security vulnerability gives attackers a way to compromise thousands of systems at ConnectWise's managed service provider (MSP) customer locations and their downstream clients.

ConnectWise has patched a critical remote code execution (RCE) vulnerability in its ConnectWise Recover and R1Soft server backup manager technologies that could give attackers a way to compromise thousands of the company's managed service provider (MSP) customers — and, in turn, their downstream clients.

In an alert Friday, ConnectWise said it had pushed out an automatic update to both the cloud and client instances of ConnectWise Server Backup Manager (SBM), and it urged customers of the R1Soft server backup manager to upgrade immediately to the new SBM v6.16.4 it released on Friday.

**Severe Bug**

"We have informed our \[customers\] of the fix and encouraged those with on-premises instances of the impacted product to install the patch as soon as possible," Patrick Beggs, CISO of ConnectWise, says in comments sent to Dark Reading. For most organizations using ConnectWise Recover, no further action is required at this point to protect against the vulnerability, but "R1Soft is self-managed; we encourage these \[customers\] to apply the patch quickly," he says.

ConnectWise said it discovered the bug after security vendor Huntress informed the company about the issue and showed proof-of-concept code demonstrating how attackers could exploit the vulnerability to take complete control of affected systems. The company described the bug as one involving "improper neutralization of special elements in output used by a downstream component." The vulnerability exists in ConnectWise Recover v2.9.7 and earlier versions and R1Sof SBM v6.16.3 and earlier versions.

In an Oct. 31 blog post, researchers from Huntress described the issue as tied to an authentication bypass vulnerability (CVE-2022-36537) in a previous version of the ZK Java library, bundled with ConnectWise's server backup manager technology. A researcher from Germany-based security vendor Code White GmbH was the first to discover the vulnerability in the ZK library and report it to the maintainers of the framework in May 2022. Another researcher from the same company discovered that ConnectWise's R1Soft SBM technology was using the vulnerable version of the ZK library and reported the issue to ConnectWise, Huntress said in its blog post. When the company did not respond in 90 days, the researcher teased a few details on how the flaw could be exploited, on Twitter.

Huntress' researchers used the information in the tweet to replicate the vulnerability and refine the proof-of-concept. They found they could leverage the vulnerability to leak server private keys, software license information, system configuration files and eventually gain remote code execution in the context of a system superuser. 

Huntresses' researchers found they would gain code execution not just on vulnerable ConnectWise systems at MSP locations but all on all downstream registered endpoints. A Shodan scan showed more than 5,000 exposed ConnectWise server backup manager instances that were vulnerable to exploits. Considering that most of these systems were at MSP locations, the actual number of affected organizations is likely significantly higher, Huntress said.

**Classic Software Supply Chain Threat**

Caleb Stewart, security researcher at Huntress, says that the exploit chain that he and a trio of other researchers developed and reported to ConnectWise involved three main components: the original authentication bypass in the ZK library, RCE on the SBM, and RCE on connected clients. 

According to Stewart, the researchers spent about three days on replicating the original vulnerability, and then reverse engineering the R1Soft application so it could be abused for a malicious purpose. Exploiting the vulnerability was complicated, Stewart says. "But \[it was\] feasible for someone to find and exploit in a matter of days if they knew what they were looking for."

The vulnerability is another example of why developers and end customers need to be aware of security advisories for all software in their environment, Stewart says. "This is fundamentally a supply chain vulnerability — customer buys R1Soft SBM, which bundles ZK, which is vulnerable," he says. "Once the severity was evident, I think ConnectWise did a great job at getting a patch out quickly."

John Hammond, senior security researcher at Huntress and part of the team that analyzed the flaw, says the weaponized attack chain they developed could have a wide impact. "From an authentication bypass to full compromise, across not just one endpoint but a mass multiple, this is truly a 'point-and-shoot' exploit with the potential for widespread effects," he says.

Beggs from ConnectWise did not directly respond to a Dark Reading question about why the company did not respond to the original disclosure of the flaw by the researcher at Code White. But one issue could have been the fact that the researcher did not disclose it via the company's usual channel for submitting bug disclosures and security concerns.

"We have long vouched for our Trust Center as the most effective channel to submit security concerns," he says, Queries submitted through other channels do not always get the attention they deserve, Beggs notes.

"In this case," he adds, "Huntress did an admirable job of demonstrating just how dangerous this potential vulnerability could have been, treated the issue responsibly by showing it to us directly, and gave us time to update our products."

Patch Now: Dangerous RCE Bug Lays Open ConnectWise Server Backup Managers

On-chip solutions aim to prevent breaches by separating the computing element and keeping data in the secure vault at all times.

Top chip makers Nvidia, Intel, ARM, and AMD are providing the hardware hooks for an emerging security concept called confidential computing, which provides layers of trust through hardware and software so customers can be confident that their data is secure.

Chip makers are adding protective vaults and encryption layers to secure data when it is stored, in transit, or being processed. The goal is to prevent hackers from launching hardware attacks to steal data.

The chip offerings are trickling down to cloud providers, with Microsoft (Azure) and Google (Cloud) offering security-focused virtual machines in which data in secure vaults can be unlocked by only authorized parties. Attestation verifies the source and integrity of the program entering the secure vault to access the data. Once authorized, the processing happens inside the vault, and the code doesn't leave the secure vault.

Confidential computing is not a part of everyday computing yet, but it may become necessary to protect sensitive applications and data from sophisticated attacks, says Jim McGregor, principal analyst at Tirias Research.

The chip makers are focusing on hardware protections because "software is easy to hack," McGregor says.

**Nvidia's Morpheus Uses AI to Analyze Behavior**

There are multiple dimensions to confidential computing. On-chip confidential computing aims to prevent breaches like the 2018 Meltdown and Spectre vulnerabilities by separating the computing element and keeping data in the secure vault at all times.

"Everybody wants to continue to reduce the attack surface of data," says Justin Boitano, vice president and general manager of Nvidia's enterprise and edge computing operations. "Up to this point, it is obviously encrypted in transit and at rest. Confidential computing solves the encrypted in-use at the infrastructure level."

Nvidia is taking a divergent approach to confidential computing with Morpheus, which uses artificial intelligence (AI) to keep computer systems secure. For example, Morpheus identifies suspicious user behavior by using AI techniques to inspect network packets for sensitive data.

"Security analysts can go and fix the security policies before it becomes a problem," Boitano says. "From there, we also realize the big challenges — you have to kind of assume that people are already in your network, so you have also got to look at the behavior of users and machines on the network."

Nvidia is also using Morpheus to establish security priorities for analysts tracking system threats. The AI system breaks down login information to identify abnormal user behavior on a network and machines that may have been compromised by phishing, social engineering, or other techniques. That analysis helps the company's security team prioritize their actions.

"You're trying to look at everything and then use AI to determine what you need to keep and act on versus what might just be noise that you can drop," Boitano says.

**Intel Rolls Out Project Amber**

Confidential computing will also help enterprises build a new class of applications where third-party data sets can mingle with proprietary data sets in a secure area to create better learning models, says Anil Rao, vice president and general manager for systems architecture and engineering at Intel's office of the chief technology officer.

Companies are eager to bring diverse data sets into proprietary data to make internal AI systems more accurate, Rao says. Confidential computing makes sure only authorized data is fed into AI and learning models, and that the data is not pilfered or stolen.

"If you have data coming in from credit card companies, you have data coming in from insurance companies, and you have data coming in from other locations, what you can do is say, 'I'm going to process all of these pieces of data inside of a \[secure\] enclave,'" Rao says.

Intel already had a secure enclave called SGX (Secure Guard Extension), but it recently added Project Amber, a cloud-based service that uses hardware and software techniques to attest and certify the trustworthiness of data.

On its upcoming 4th Generation Xeon Scalable processor, Intel's Project Amber uses instructions called Trust Domain Execution (TDX) to unlock secure enclaves. An Amber engine on one chip generates a numerical code for the secure enclave. If the code provided by the data or program seeking access matches, it is allowed to enter the secure enclave; if not, entry is denied.

**ARM Teams Up With AWS**

At the recent online ARM DevSummit, ARM — whose chip designs are being used by AWS on its Graviton cloud chip — announced it was focusing confidential computing on dynamic "realms" that will order programs and data in separate computational environments.

ARM's latest confidential computing architecture will deepen secure "wells" and make it harder for hackers to pull out data. The company is releasing confidential computing software stacks and guides for implementation in processors coming out over the next two years.

"We're already investing to ensure that you have the tools and software to see the ecosystem for early development," said Gary Campbell, executive vice president for central engineering at ARM, during a keynote at the event.

**AMD and Microsoft Go Open Source**

During a presentation at the AI Hardware Summit in August, Mark Russinovich, Microsoft Azure's chief technology officer, gave an example of how Royal Bank of Canada was using AMD's SEV-SNP confidential computing technology in Azure. The bank's AI model mixed proprietary data sets with information from merchants, consumers, and banks in real time, which helped provide more targeted advertising offerings to its customers.

Confidential computing features such as attestation ensured only the authorized data was mingling with its proprietary data set and not compromising it, Russinovich said.

Nvidia, Microsoft, Google, and AMD are collaborating on Caliptra, an open source specification for chip makers to build confidential computing security blocks into chips and systems.

How Chip Makers Are Implementing Confidential Computing

Dozens of international delegations meet for the second year to share intel, with a goal of stopping ransomware attacks on critical infrastructure.

U.S. officials will meet this week with delegations from more than 36 countries to share intelligence and strategize about how to push back against crippling and costly ransomware attacks against critical infrastructure.

The second-annual ransomware summit will include briefings from intelligence officials on the more than 4,000 cyberattacks that have occurred just over the past 18 months, Biden administration officials told reporters.

In addition to public sector experts, Microsoft and SAP will also contribute their data and analysis as part of their participation in the summit.

Russia, which is the country of origin of many ransomware operations, is not represented at the meetings.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

White House Convenes International Ransomware Summit

A lax API governance strategy can lead to abandoned or overlooked APIs that open up organizations to security threats.

**Question: What is the difference between zombie APIs and shadow APIs?**

**Nick Rago, Field CTO, Salt Security:** Zombie APIs and shadow APIs represent by-products of a larger challenge that enterprises are struggling to tackle today: API sprawl.

As companies seek to maximize the business value associated with APIs, APIs have proliferated. Digital transformation, app modernization to microservices, API-first app architectures, and advancements in rapid continuous software deployment methods have fueled the high-velocity growth of the number of APIs created and in use by organizations. As a result of this rapid API production, API sprawl has manifested itself across multiple teams who leverage multiple technology platforms (legacy, Kubernetes, VMs, etc.) across multiple distributed infrastructures (on-premises data centers, multiple public clouds, etc.). Unwanted entities such as zombie APIs and shadow APIs emerge when organizations do not have the proper strategies in place to manage API sprawl.

Simply put, a zombie API is an exposed API or an API endpoint that has become abandoned, outdated, or forgotten. At one point, the API served a function. However, that function may no longer be needed or the API has been replaced/updated with a newer version. When an organization does not have proper controls in place around versioning, deprecating, and sunsetting old APIs, those APIs may linger on indefinitely — hence, the term zombie.

Because they are essentially forgotten, zombie APIs don't receive any ongoing patching, maintenance, or updates in any functional or security capacity. Therefore, the zombie APIs become a security risk. In fact, Salt Security's "State of API Security" report names zombie APIs as organizations' No. 1 API security concern over its past four surveys.

In contrast, a shadow API is an exposed API or an API endpoint whose creation and deployment were done "under the radar." Shadow APIs have been created and deployed outside of an organization's official API governance, visibility, and security controls. Consequently, they can pose a wide variety of security risks, including:

*   The API may not have proper authentication and access gates in place.
*   The API may be exposing sensitive data improperly.
*   The API may not be adhering to best practices from a security standpoint, making it vulnerable to many of the OWASP API Security Top 10 attack threats.

A number of motivating factors are behind why a developer or app team would want to deploy an API or endpoint quickly; however, a strict API governance strategy must be followed to enforce controls and process over how and when an API gets deployed regardless of the motivation.

Adding to the risks, API sprawl and the emergence of zombie and shadow APIs extend beyond APIs developed in-house. Third-party APIs deployed and utilized as part of packaged applications, SaaS-based services, and infrastructure components can also introduce problems if not properly inventoried, governed, and maintained.

Zombie and shadow APIs pose similar security risks. Depending on an organization's existing API controls (or lack thereof), one may be less or more problematic than the other. As a first step to tackle the challenges of zombie and shadow APIs, organizations must use a proper API discovery technology to help inventory and understand all of the APIs deployed in their infrastructures. Additionally, organizations must adopt an API governance strategy that standardizes how APIs are built, documented, deployed, and maintained — regardless of team, technology, and infrastructure.

Why Are Zombie APIs and Shadow APIs So Scary?

Now mostly recovered, Aurubis said the breach was part of a broader campaign against the metals and mining industry.

Aurubis, a recycler and provider of copper across the world, has assured its customers that an Oct. 28 cyberattack did not stop production, but it did take down the entire company's systems for a time. 

The company has a presence in 20 countries and employs about 6,900 people, according to the Aurubis corporate site. 

As a preventative measure, Aurubis said in a statement, it disconnected its entire IT operations, but smelter sites across Europe and production facilities, including one in Buffalo, NY, maintained operations. Meanwhile, local news station WGRZ in Buffalo reported layoffs at the Aurubis plant in the area following the breach. 

Meanwhile, back at headquarters in Hamburg, Germany, teams are working with authorities to investigate the attack.

"This was apparently part of a larger attack on the metals and mining industry," the company's update on the cyberattack explained. "The primary goal is to keep production and the procurement of raw materials as well as the delivery of metals and products running."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyberattack Strikes Global Copper Conglomerate

CTO recognized as cybersecurity influencer for his research and thought leadership.

**SAN FRANCISCO, Oct. 31, 2022 /PRNewswire/** — Normalyze, a data-first cloud security platform, today announced that Ravi Ithal, chief technology officer and co-founder, has been named to the Enterprise Security Tech Cyber Influencer Top 10 List. The Enterprise Security Tech Cyber Influencer Top 10 list recognizes the top cybersecurity influencers providing immense value to the industry with groundbreaking research, visionary thought leadership, and consistent leadership and culture-building accolades.

The rise of cloud computing has increased the complexity of the enterprise attack surface. A recent survey from IDC found that 98% of organizations queried reported at least one cloud data breach in the past 18 months. As a result, security teams don't know where their data resides or its value, leading to difficulty avoiding data breaches. Normalyze's secret sauce is its ability to gather all security stakeholders, from the CISO to the security engineer, to DevOps, in one user interface to discover data, classify it, and prioritize discovery of attack paths that can lead to sensitive information.

"I've been fortunate enough to be part of some industry- and category-defining cybersecurity companies for a couple of decades now and I can tell you that cybersecurity has never been more important for economic and national security as it is now. It's incredibly humbling to be recognized for the accomplishment that led to assembling the smart team at Normalyze," said Ithal. "Cloud data is adding so much complexity right now and I really believe in the work we're doing at Normalyze to share best practices and let people trust their data in the cloud again."

"We need leaders in the cybersecurity industry now more than ever," said Jack Campbell, Managing Editor, Enterprise Security Tech. "The industry is bogged down by the daily cat-and-mouse game with cyber criminals, so we need industry leaders that are forward-looking and have a vision for how we can move the industry forward and solve macro security problems instead of simply firefighting. We're honored to be able to recognize these leaders for the value that they are bringing to the market and their dedication to moving the cybersecurity industry forward."

For more information about the Enterprise Security Tech Cyber Influencer Top 10 List, please visit this page.

**About Enterprise Security Tech**

Enterprise Security Tech is a specialized cyber media company with a global presence. The Enterprise Security Tech blog is a cybersecurity blog written for CISOs, CIOs, and security-minded CEOs that brings together critical news, expert insights, and product information to help security leaders make informed business decisions. Enterprise Security Tech is also home to The Cyber Jack Podcast, which brings listeners the latest cybersecurity insights via security experts from around the industry. For more information about Enterprise Security Tech, visit our website.

**About Normalyze:**

Normalyze is a pioneering provider of cloud data security solutions helping customers secure their data, applications, identities, and infrastructure across public clouds. With Normalyze, organizations can discover and visualize their cloud data attack surface within minutes and get real-time visibility and control into their security posture including access, configurations, and sensitive data to secure cloud infrastructures at scale. The Normalyze agentless and machine-learning scanning platform continuously discovers resources, sensitive data and access paths across all cloud environments. The company was founded by industry veterans Ravi Ithal and Amer Deeba and has several customers, including Corelight, Netskope, and Orkes. The company is funded by Lightspeed Venture Partners and Battery Ventures. For more information, please visit normalyze.ai.

**SOURCE:** Normalyze

Normalyze Co-Founder and CTO, Ravi Ithal, Named to the Enterprise Security Tech Cyber Influencer Top 10 List

At this year’s KubeCon/CloudNativeCon, both development and operations practitioners were tackling different security needs.

As a self-identified movie buff, some movie lines somehow stick with me over the years. One of them is from Ridley Scott's _Gladiator_ (2000), when a Roman senator says, "The beating heart of Rome is not the marble of the Senate, it is the sand of the Colosseum."

That line popped up in my head as I walked around the halls at KubeCon/CloudNativeCon ("KubeCon"), the marquee event for the Cloud Native Computing Foundation (CNCF). To me, the beating heart of cloud-native security is most definitely KubeCon.

This year's North American edition of the event took place last week in Detroit, bringing together thousands of participants on-site plus many others remotely. In addition to the main three-day event, the growing interest in specific projects has led the Cloud Native Computing Foundation to set up various "co-located events" ahead of the main conference.

For the 2022 event, there was not only a specific CloudNativeSecurityCon two-day event but also plenty of security content across other events, including Application Networking Day, EnvoyCon, Policy Day with OPA, ServiceMeshCon, and more, reflecting the wide interest in cloud-native security topics. Interestingly, the CloudNativeSecurityCon event has itself now "graduated" to an independent event to be hosted separately in February.

**Cloud-Native security: Development vs. Operations**

So, where is the current state of cloud-native security conversations? To Omdia, there is a strong bifurcation: development-centric concerns and operations-centric concerns. It is not as helpful to call these "Dev" and "Ops" because team structure is in flux in many organizations: some may have site reliability engineering (SRE) teams, some may call them operations, platform teams, and more.

On the development side of the ledger, three topics of interest are provenance, noise, and exposure.

Provenance asks the fundamental question: Can we trust the integrity of the external component we're incorporating into our software pipeline? While many examples exist, the 2020 SolarWinds attack was a turning point for interest in the integrity of the software supply chain. At KubeCon, there was palpable momentum behind the idea of signing software images: The sigstore project was announced as general availability and is being used by Kubernetes and other key projects.

Noise refers to reducing the number of vulnerabilities that exist in the environment, starting with slimming down the container base images that are being used. This may include using image bases such as Alpine or Debian Slim or considering "distroless" alternatives that are even smaller. The benefit is that these smaller images have minimal footprint and therefore reduced chance of vulnerabilities popping up.

Exposure: For any given vulnerability, how exposed are we as an organization? There is no better example of this in recent industry history than Log4j, of course. This is the realm of discussions on software bills of materials (SBOMs) as it relates to knowing where components may be used either as images sitting in a registry somewhere or running in production. Interestingly, as this essay is being written, there's advance notice that information about critical vulnerabilities in OpenSSL 3.x will be disclosed imminently, which will likely be another good use case for SBOMs — just where is OpenSSL 3.x used in our organization? Given that SBOM coverage is still not widespread, Omdia expects minimal SBOM usage this time around, unfortunately.

Operations teams are naturally focused on providing and operating an increasingly complex underlying platform and doing so securely. The word “platform” is particularly relevant here: There was notable interest in organizing Kubernetes and many of the growing list of CNCF projects (140 as of this writing, between the various stages of project incubation: sandbox, incubation, graduated) into easier-to-consume platforms. Of specific interest to security audiences, projects such as Cilium (using the underlying eBPF functionality) for networking and observability, SPIFFE/SPIRE (for establishing identities), Falco (for runtime security), Open Policy Agent (for policy-as-code), Cloud Custodian (for governance), and others are worth looking into. The expectation is that these projects will increasingly collaborate with "observability" aspects of cloud-native and will also be deployed using practices such as GitOps.

**Reasons for Optimism on Cloud-Native Security**

Where do we go from here? It was abundantly clear that the cloud-native community cares deeply about security and is moving forward full-speed with tackling the many topics around it. The guidance to security teams is to quickly come up to speed on how these different projects and initiatives are being implemented. It's important to note that for many organizations, this will come not in the form of explicitly using the community project (though some will), but rather as part of a packaged platform from vendors such as Red Hat, SUSE, Canonical, and others, or directly from the cloud providers such as AWS, Google Cloud, Azure, Oracle, and others.

Be aware that, in the context of open source usage, there's no such thing as really "free" — even if one chooses to use the vanilla upstream version of projects, there are inherent costs in maintaining those packages and participating in the community development.

Cloud-Native Security Was in the Air at KubeCon/CloudNativeCon 2022

Accelerates the safe recovery from ransomware attacks.

**SANTA CLARA, Calif., and PUNE, India, Oct. 31, 2022 /PRNewswire/** — Persistent Systems (BSE: PERSISTENT) (NSE: PERSISTENT), a global Digital Engineering provider, today announced the launch of a trailblazing solution that enables organizations to recover more quickly from cyberattacks. Together with Google Cloud, the Persistent Intelligent Cyber Recovery (PiCR) solution provides a comprehensive and scalable cyber-recovery approach, allowing organizations to reduce data loss and minimize the negative impact to brand reputation from prolonged downtime. Persistent Intelligent Cyber Recovery is now available on the Google Cloud Marketplace.

Hackers are increasing the frequency and scale of ransomware attacks. They are using continually evolving and sophisticated techniques, which makes recovery from attacks more challenging. These attacks may lead to sensitive data leakage, loss of business, and damage to brand reputation. It is crucial for organizations to not only focus on protection against cyber-attacks but also strengthen their recovery process.

Traditional backup and Disaster Recovery (DR) solutions are not designed for recovery from cyber-attacks. Persistent Intelligent Cyber Recovery includes tailored recovery plans, Persistent IP for finding and remediating malware, and the optional managed services to administer the recovery process. Persistent's solution integrates with Google Cloud to provide a secure recovery environment and Google Cloud Backup and DR for protecting the server images.

Persistent Intelligent Cyber Recovery offers the following benefits:

\-- Reduction in data loss  
\-- Decreased risk of recurrent attacks through the removal of malware  
\-- Faster recovery from ransomware and zero-day attacks (from weeks/months  
to hours/days)  
\-- Potential cyber insurance cost reduction  
\-- Scalable solution depending on enterprise size challenges  
Nitha Puthran, Senior Vice President - Cloud, Infrastructure and Security,  
Persistent:

"The digital environment today is constantly evolving and so are the risks associated with it. We are leveraging our strong relationship with Google Cloud and our product engineering expertise to create an industry-leading solution that allows enterprises to recover faster from cyber-attacks, thereby reducing the impact on their business.

"Persistent Intelligent Cyber Recovery combines strategic planning and the creation of playbooks, integration with Google Cloud services and our own IP to find anomalies that indicate malware, remove the malware, and use automation to set up test and production environments to scale. It takes a services and product mindset to create a solution like Persistent Intelligent Cyber Recovery and Persistent is uniquely positioned in the market to deliver both."

Dai Vu, Managing Director, Marketplace and ISV GTM Programs, Google: "As cyber threats become more prevalent, customers need solutions that can help them quickly address and recover from cyber-attacks. With the Persistent's Intelligent Cyber Recovery (PiCR) solution available on Google Cloud Marketplace, customers can quickly deploy PiCR to their Google Cloud environment and utilize it alongside Google Cloud technologies and capabilities to address cyber-attacks quickly and securely."  
**SOURCE:** Persistent Systems

Source

DARKReading