On-chip solutions aim to prevent breaches by separating the computing element and keeping data in the secure vault at all times.

Top chip makers Nvidia, Intel, ARM, and AMD are providing the hardware hooks for an emerging security concept called confidential computing, which provides layers of trust through hardware and software so customers can be confident that their data is secure.

Chip makers are adding protective vaults and encryption layers to secure data when it is stored, in transit, or being processed. The goal is to prevent hackers from launching hardware attacks to steal data.

The chip offerings are trickling down to cloud providers, with Microsoft (Azure) and Google (Cloud) offering security-focused virtual machines in which data in secure vaults can be unlocked by only authorized parties. Attestation verifies the source and integrity of the program entering the secure vault to access the data. Once authorized, the processing happens inside the vault, and the code doesn't leave the secure vault.

Confidential computing is not a part of everyday computing yet, but it may become necessary to protect sensitive applications and data from sophisticated attacks, says Jim McGregor, principal analyst at Tirias Research.

The chip makers are focusing on hardware protections because "software is easy to hack," McGregor says.

**Nvidia's Morpheus Uses AI to Analyze Behavior**

There are multiple dimensions to confidential computing. On-chip confidential computing aims to prevent breaches like the 2018 Meltdown and Spectre vulnerabilities by separating the computing element and keeping data in the secure vault at all times.

"Everybody wants to continue to reduce the attack surface of data," says Justin Boitano, vice president and general manager of Nvidia's enterprise and edge computing operations. "Up to this point, it is obviously encrypted in transit and at rest. Confidential computing solves the encrypted in-use at the infrastructure level."

Nvidia is taking a divergent approach to confidential computing with Morpheus, which uses artificial intelligence (AI) to keep computer systems secure. For example, Morpheus identifies suspicious user behavior by using AI techniques to inspect network packets for sensitive data.

"Security analysts can go and fix the security policies before it becomes a problem," Boitano says. "From there, we also realize the big challenges — you have to kind of assume that people are already in your network, so you have also got to look at the behavior of users and machines on the network."

Nvidia is also using Morpheus to establish security priorities for analysts tracking system threats. The AI system breaks down login information to identify abnormal user behavior on a network and machines that may have been compromised by phishing, social engineering, or other techniques. That analysis helps the company's security team prioritize their actions.

"You're trying to look at everything and then use AI to determine what you need to keep and act on versus what might just be noise that you can drop," Boitano says.

**Intel Rolls Out Project Amber**

Confidential computing will also help enterprises build a new class of applications where third-party data sets can mingle with proprietary data sets in a secure area to create better learning models, says Anil Rao, vice president and general manager for systems architecture and engineering at Intel's office of the chief technology officer.

Companies are eager to bring diverse data sets into proprietary data to make internal AI systems more accurate, Rao says. Confidential computing makes sure only authorized data is fed into AI and learning models, and that the data is not pilfered or stolen.

"If you have data coming in from credit card companies, you have data coming in from insurance companies, and you have data coming in from other locations, what you can do is say, 'I'm going to process all of these pieces of data inside of a \[secure\] enclave,'" Rao says.

Intel already had a secure enclave called SGX (Secure Guard Extension), but it recently added Project Amber, a cloud-based service that uses hardware and software techniques to attest and certify the trustworthiness of data.

On its upcoming 4th Generation Xeon Scalable processor, Intel's Project Amber uses instructions called Trust Domain Execution (TDX) to unlock secure enclaves. An Amber engine on one chip generates a numerical code for the secure enclave. If the code provided by the data or program seeking access matches, it is allowed to enter the secure enclave; if not, entry is denied.

**ARM Teams Up With AWS**

At the recent online ARM DevSummit, ARM — whose chip designs are being used by AWS on its Graviton cloud chip — announced it was focusing confidential computing on dynamic "realms" that will order programs and data in separate computational environments.

ARM's latest confidential computing architecture will deepen secure "wells" and make it harder for hackers to pull out data. The company is releasing confidential computing software stacks and guides for implementation in processors coming out over the next two years.

"We're already investing to ensure that you have the tools and software to see the ecosystem for early development," said Gary Campbell, executive vice president for central engineering at ARM, during a keynote at the event.

**AMD and Microsoft Go Open Source**

During a presentation at the AI Hardware Summit in August, Mark Russinovich, Microsoft Azure's chief technology officer, gave an example of how Royal Bank of Canada was using AMD's SEV-SNP confidential computing technology in Azure. The bank's AI model mixed proprietary data sets with information from merchants, consumers, and banks in real time, which helped provide more targeted advertising offerings to its customers.

Confidential computing features such as attestation ensured only the authorized data was mingling with its proprietary data set and not compromising it, Russinovich said.

Nvidia, Microsoft, Google, and AMD are collaborating on Caliptra, an open source specification for chip makers to build confidential computing security blocks into chips and systems.

How Chip Makers Are Implementing Confidential Computing

Dozens of international delegations meet for the second year to share intel, with a goal of stopping ransomware attacks on critical infrastructure.

U.S. officials will meet this week with delegations from more than 36 countries to share intelligence and strategize about how to push back against crippling and costly ransomware attacks against critical infrastructure.

The second-annual ransomware summit will include briefings from intelligence officials on the more than 4,000 cyberattacks that have occurred just over the past 18 months, Biden administration officials told reporters.

In addition to public sector experts, Microsoft and SAP will also contribute their data and analysis as part of their participation in the summit.

Russia, which is the country of origin of many ransomware operations, is not represented at the meetings.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

White House Convenes International Ransomware Summit

A lax API governance strategy can lead to abandoned or overlooked APIs that open up organizations to security threats.

**Question: What is the difference between zombie APIs and shadow APIs?**

**Nick Rago, Field CTO, Salt Security:** Zombie APIs and shadow APIs represent by-products of a larger challenge that enterprises are struggling to tackle today: API sprawl.

As companies seek to maximize the business value associated with APIs, APIs have proliferated. Digital transformation, app modernization to microservices, API-first app architectures, and advancements in rapid continuous software deployment methods have fueled the high-velocity growth of the number of APIs created and in use by organizations. As a result of this rapid API production, API sprawl has manifested itself across multiple teams who leverage multiple technology platforms (legacy, Kubernetes, VMs, etc.) across multiple distributed infrastructures (on-premises data centers, multiple public clouds, etc.). Unwanted entities such as zombie APIs and shadow APIs emerge when organizations do not have the proper strategies in place to manage API sprawl.

Simply put, a zombie API is an exposed API or an API endpoint that has become abandoned, outdated, or forgotten. At one point, the API served a function. However, that function may no longer be needed or the API has been replaced/updated with a newer version. When an organization does not have proper controls in place around versioning, deprecating, and sunsetting old APIs, those APIs may linger on indefinitely — hence, the term zombie.

Because they are essentially forgotten, zombie APIs don't receive any ongoing patching, maintenance, or updates in any functional or security capacity. Therefore, the zombie APIs become a security risk. In fact, Salt Security's "State of API Security" report names zombie APIs as organizations' No. 1 API security concern over its past four surveys.

In contrast, a shadow API is an exposed API or an API endpoint whose creation and deployment were done "under the radar." Shadow APIs have been created and deployed outside of an organization's official API governance, visibility, and security controls. Consequently, they can pose a wide variety of security risks, including:

*   The API may not have proper authentication and access gates in place.
*   The API may be exposing sensitive data improperly.
*   The API may not be adhering to best practices from a security standpoint, making it vulnerable to many of the OWASP API Security Top 10 attack threats.

A number of motivating factors are behind why a developer or app team would want to deploy an API or endpoint quickly; however, a strict API governance strategy must be followed to enforce controls and process over how and when an API gets deployed regardless of the motivation.

Adding to the risks, API sprawl and the emergence of zombie and shadow APIs extend beyond APIs developed in-house. Third-party APIs deployed and utilized as part of packaged applications, SaaS-based services, and infrastructure components can also introduce problems if not properly inventoried, governed, and maintained.

Zombie and shadow APIs pose similar security risks. Depending on an organization's existing API controls (or lack thereof), one may be less or more problematic than the other. As a first step to tackle the challenges of zombie and shadow APIs, organizations must use a proper API discovery technology to help inventory and understand all of the APIs deployed in their infrastructures. Additionally, organizations must adopt an API governance strategy that standardizes how APIs are built, documented, deployed, and maintained — regardless of team, technology, and infrastructure.

Why Are Zombie APIs and Shadow APIs So Scary?

Now mostly recovered, Aurubis said the breach was part of a broader campaign against the metals and mining industry.

Aurubis, a recycler and provider of copper across the world, has assured its customers that an Oct. 28 cyberattack did not stop production, but it did take down the entire company's systems for a time. 

The company has a presence in 20 countries and employs about 6,900 people, according to the Aurubis corporate site. 

As a preventative measure, Aurubis said in a statement, it disconnected its entire IT operations, but smelter sites across Europe and production facilities, including one in Buffalo, NY, maintained operations. Meanwhile, local news station WGRZ in Buffalo reported layoffs at the Aurubis plant in the area following the breach. 

Meanwhile, back at headquarters in Hamburg, Germany, teams are working with authorities to investigate the attack.

"This was apparently part of a larger attack on the metals and mining industry," the company's update on the cyberattack explained. "The primary goal is to keep production and the procurement of raw materials as well as the delivery of metals and products running."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cyberattack Strikes Global Copper Conglomerate

CTO recognized as cybersecurity influencer for his research and thought leadership.

**SAN FRANCISCO, Oct. 31, 2022 /PRNewswire/** — Normalyze, a data-first cloud security platform, today announced that Ravi Ithal, chief technology officer and co-founder, has been named to the Enterprise Security Tech Cyber Influencer Top 10 List. The Enterprise Security Tech Cyber Influencer Top 10 list recognizes the top cybersecurity influencers providing immense value to the industry with groundbreaking research, visionary thought leadership, and consistent leadership and culture-building accolades.

The rise of cloud computing has increased the complexity of the enterprise attack surface. A recent survey from IDC found that 98% of organizations queried reported at least one cloud data breach in the past 18 months. As a result, security teams don't know where their data resides or its value, leading to difficulty avoiding data breaches. Normalyze's secret sauce is its ability to gather all security stakeholders, from the CISO to the security engineer, to DevOps, in one user interface to discover data, classify it, and prioritize discovery of attack paths that can lead to sensitive information.

"I've been fortunate enough to be part of some industry- and category-defining cybersecurity companies for a couple of decades now and I can tell you that cybersecurity has never been more important for economic and national security as it is now. It's incredibly humbling to be recognized for the accomplishment that led to assembling the smart team at Normalyze," said Ithal. "Cloud data is adding so much complexity right now and I really believe in the work we're doing at Normalyze to share best practices and let people trust their data in the cloud again."

"We need leaders in the cybersecurity industry now more than ever," said Jack Campbell, Managing Editor, Enterprise Security Tech. "The industry is bogged down by the daily cat-and-mouse game with cyber criminals, so we need industry leaders that are forward-looking and have a vision for how we can move the industry forward and solve macro security problems instead of simply firefighting. We're honored to be able to recognize these leaders for the value that they are bringing to the market and their dedication to moving the cybersecurity industry forward."

For more information about the Enterprise Security Tech Cyber Influencer Top 10 List, please visit this page.

**About Enterprise Security Tech**

Enterprise Security Tech is a specialized cyber media company with a global presence. The Enterprise Security Tech blog is a cybersecurity blog written for CISOs, CIOs, and security-minded CEOs that brings together critical news, expert insights, and product information to help security leaders make informed business decisions. Enterprise Security Tech is also home to The Cyber Jack Podcast, which brings listeners the latest cybersecurity insights via security experts from around the industry. For more information about Enterprise Security Tech, visit our website.

**About Normalyze:**

Normalyze is a pioneering provider of cloud data security solutions helping customers secure their data, applications, identities, and infrastructure across public clouds. With Normalyze, organizations can discover and visualize their cloud data attack surface within minutes and get real-time visibility and control into their security posture including access, configurations, and sensitive data to secure cloud infrastructures at scale. The Normalyze agentless and machine-learning scanning platform continuously discovers resources, sensitive data and access paths across all cloud environments. The company was founded by industry veterans Ravi Ithal and Amer Deeba and has several customers, including Corelight, Netskope, and Orkes. The company is funded by Lightspeed Venture Partners and Battery Ventures. For more information, please visit normalyze.ai.

**SOURCE:** Normalyze

Normalyze Co-Founder and CTO, Ravi Ithal, Named to the Enterprise Security Tech Cyber Influencer Top 10 List

At this year’s KubeCon/CloudNativeCon, both development and operations practitioners were tackling different security needs.

As a self-identified movie buff, some movie lines somehow stick with me over the years. One of them is from Ridley Scott's _Gladiator_ (2000), when a Roman senator says, "The beating heart of Rome is not the marble of the Senate, it is the sand of the Colosseum."

That line popped up in my head as I walked around the halls at KubeCon/CloudNativeCon ("KubeCon"), the marquee event for the Cloud Native Computing Foundation (CNCF). To me, the beating heart of cloud-native security is most definitely KubeCon.

This year's North American edition of the event took place last week in Detroit, bringing together thousands of participants on-site plus many others remotely. In addition to the main three-day event, the growing interest in specific projects has led the Cloud Native Computing Foundation to set up various "co-located events" ahead of the main conference.

For the 2022 event, there was not only a specific CloudNativeSecurityCon two-day event but also plenty of security content across other events, including Application Networking Day, EnvoyCon, Policy Day with OPA, ServiceMeshCon, and more, reflecting the wide interest in cloud-native security topics. Interestingly, the CloudNativeSecurityCon event has itself now "graduated" to an independent event to be hosted separately in February.

**Cloud-Native security: Development vs. Operations**

So, where is the current state of cloud-native security conversations? To Omdia, there is a strong bifurcation: development-centric concerns and operations-centric concerns. It is not as helpful to call these "Dev" and "Ops" because team structure is in flux in many organizations: some may have site reliability engineering (SRE) teams, some may call them operations, platform teams, and more.

On the development side of the ledger, three topics of interest are provenance, noise, and exposure.

Provenance asks the fundamental question: Can we trust the integrity of the external component we're incorporating into our software pipeline? While many examples exist, the 2020 SolarWinds attack was a turning point for interest in the integrity of the software supply chain. At KubeCon, there was palpable momentum behind the idea of signing software images: The sigstore project was announced as general availability and is being used by Kubernetes and other key projects.

Noise refers to reducing the number of vulnerabilities that exist in the environment, starting with slimming down the container base images that are being used. This may include using image bases such as Alpine or Debian Slim or considering "distroless" alternatives that are even smaller. The benefit is that these smaller images have minimal footprint and therefore reduced chance of vulnerabilities popping up.

Exposure: For any given vulnerability, how exposed are we as an organization? There is no better example of this in recent industry history than Log4j, of course. This is the realm of discussions on software bills of materials (SBOMs) as it relates to knowing where components may be used either as images sitting in a registry somewhere or running in production. Interestingly, as this essay is being written, there's advance notice that information about critical vulnerabilities in OpenSSL 3.x will be disclosed imminently, which will likely be another good use case for SBOMs — just where is OpenSSL 3.x used in our organization? Given that SBOM coverage is still not widespread, Omdia expects minimal SBOM usage this time around, unfortunately.

Operations teams are naturally focused on providing and operating an increasingly complex underlying platform and doing so securely. The word “platform” is particularly relevant here: There was notable interest in organizing Kubernetes and many of the growing list of CNCF projects (140 as of this writing, between the various stages of project incubation: sandbox, incubation, graduated) into easier-to-consume platforms. Of specific interest to security audiences, projects such as Cilium (using the underlying eBPF functionality) for networking and observability, SPIFFE/SPIRE (for establishing identities), Falco (for runtime security), Open Policy Agent (for policy-as-code), Cloud Custodian (for governance), and others are worth looking into. The expectation is that these projects will increasingly collaborate with "observability" aspects of cloud-native and will also be deployed using practices such as GitOps.

**Reasons for Optimism on Cloud-Native Security**

Where do we go from here? It was abundantly clear that the cloud-native community cares deeply about security and is moving forward full-speed with tackling the many topics around it. The guidance to security teams is to quickly come up to speed on how these different projects and initiatives are being implemented. It's important to note that for many organizations, this will come not in the form of explicitly using the community project (though some will), but rather as part of a packaged platform from vendors such as Red Hat, SUSE, Canonical, and others, or directly from the cloud providers such as AWS, Google Cloud, Azure, Oracle, and others.

Be aware that, in the context of open source usage, there's no such thing as really "free" — even if one chooses to use the vanilla upstream version of projects, there are inherent costs in maintaining those packages and participating in the community development.

Cloud-Native Security Was in the Air at KubeCon/CloudNativeCon 2022

Accelerates the safe recovery from ransomware attacks.

**SANTA CLARA, Calif., and PUNE, India, Oct. 31, 2022 /PRNewswire/** — Persistent Systems (BSE: PERSISTENT) (NSE: PERSISTENT), a global Digital Engineering provider, today announced the launch of a trailblazing solution that enables organizations to recover more quickly from cyberattacks. Together with Google Cloud, the Persistent Intelligent Cyber Recovery (PiCR) solution provides a comprehensive and scalable cyber-recovery approach, allowing organizations to reduce data loss and minimize the negative impact to brand reputation from prolonged downtime. Persistent Intelligent Cyber Recovery is now available on the Google Cloud Marketplace.

Hackers are increasing the frequency and scale of ransomware attacks. They are using continually evolving and sophisticated techniques, which makes recovery from attacks more challenging. These attacks may lead to sensitive data leakage, loss of business, and damage to brand reputation. It is crucial for organizations to not only focus on protection against cyber-attacks but also strengthen their recovery process.

Traditional backup and Disaster Recovery (DR) solutions are not designed for recovery from cyber-attacks. Persistent Intelligent Cyber Recovery includes tailored recovery plans, Persistent IP for finding and remediating malware, and the optional managed services to administer the recovery process. Persistent's solution integrates with Google Cloud to provide a secure recovery environment and Google Cloud Backup and DR for protecting the server images.

Persistent Intelligent Cyber Recovery offers the following benefits:

\-- Reduction in data loss  
\-- Decreased risk of recurrent attacks through the removal of malware  
\-- Faster recovery from ransomware and zero-day attacks (from weeks/months  
to hours/days)  
\-- Potential cyber insurance cost reduction  
\-- Scalable solution depending on enterprise size challenges  
Nitha Puthran, Senior Vice President - Cloud, Infrastructure and Security,  
Persistent:

"The digital environment today is constantly evolving and so are the risks associated with it. We are leveraging our strong relationship with Google Cloud and our product engineering expertise to create an industry-leading solution that allows enterprises to recover faster from cyber-attacks, thereby reducing the impact on their business.

"Persistent Intelligent Cyber Recovery combines strategic planning and the creation of playbooks, integration with Google Cloud services and our own IP to find anomalies that indicate malware, remove the malware, and use automation to set up test and production environments to scale. It takes a services and product mindset to create a solution like Persistent Intelligent Cyber Recovery and Persistent is uniquely positioned in the market to deliver both."

Dai Vu, Managing Director, Marketplace and ISV GTM Programs, Google: "As cyber threats become more prevalent, customers need solutions that can help them quickly address and recover from cyber-attacks. With the Persistent's Intelligent Cyber Recovery (PiCR) solution available on Google Cloud Marketplace, customers can quickly deploy PiCR to their Google Cloud environment and utilize it alongside Google Cloud technologies and capabilities to address cyber-attacks quickly and securely."  
**SOURCE:** Persistent Systems

Persistent Launches Cyber-Recovery Solution With Google Cloud

While fewer cloud providers are suffering outages, customers should prepare for the uncommon event, especially when relying on cloud services for security.

When cybersecurity software-as-a-service offerings are impacted by an outage, it can result in a significant disruption, especially if the service protects business-critical portions of a firm's infrastructure. 

In the past two weeks, for example, outages at cybersecurity services firm Zscaler resulted in latency, packet loss, and outages for some businesses. On Oct. 25, a traffic-forwarding issue caused disruptions and packet loss to some of the cybersecurity provider's regional customers. The previous week, the company warned clients that they could experience packet loss due to damage to a transoceanic cable near France.

Unfortunately, many companies weren't prepared. "Took down entire company for several hours this morning," one IT security engineer said on Twitter of the impact on his firm.

While outages of any cloud service can have a dramatic impact on business operations — an Amazon Web Services outage in December 2021 took down swaths of the web for hours, for example — cyberdefenses often have a favored position within a company's infrastructure, making an outage more impactful. A business software-as-a-service (SaaS) application typically only impacts its own user base, whereas cybersecurity SaaS services can often have impacts across applications.

Companies need to be prepared for such outages, even if rare, says Merritt Maxim, vice president and research director for security and risk at Forrester Research.

Zscaler "is not the first cloud outage and won’t be the last, either," he says, adding: "Cloud products and services are not necessarily more susceptible to outages than on-prem equivalents, \[but\] the issue is often that because of this perception, organizations do not properly assess all possible causes of cloud outages and develop mitigation plans in response to these threats."

Indeed, the Zscaler incidents are not unique. In October 2020, an outage affected Microsoft Azure AD, the company's SaaS identity and access management service, blocking businesses and users from connecting to their applications. A year later, a six-hour Facebook outage blocked many users — including some businesses — from using the company's single sign-on technology and slowed many websites when scripts relying on the company's service failed to run.  

**Cloud Outages Increasingly Rare, But Impactful**

Overall, there has been a reduction in the number of significant outages among cloud services, with 60% of operators saying that they have had an outage in the past three years, down from 78% in 2020, according to survey results published by the Uptime Institute.

And compared with on-premises cybersecurity software and appliances, cloud-based services are nonetheless more reliable, says Jim Reavis, CEO of the Cloud Security Alliance, an industry organization.

"Mature cloud providers, including those with cybersecurity offerings, operate much like public utilities that provide on-demand services to large customer bases," he says. "They are generally very reliable, which is why their intermittent failures, like public utilities, are newsworthy."

For that reason, the two disruptions weathered by Zscaler stand out — as does companies' unpreparedness for them.  

"Things will happen as long as humans and nature are involved," says Misha Kuperman, senior vice president of cloud operations and ecosystem at Zscaler. He adds, "With the right tools, we can deliver more reliability and work around such incidents, as we have done on multiple occasions."

**Building in Cloud Security Redundancy**

Businesses also should ensure that they realize the cloud security and reliability is a shared responsibility model. Cloud providers — including cybersecurity services based in the cloud — are responsible for their infrastructure, but companies should architect their cloud or hybrid infrastructure to handle outages.  

Companies that know their cloud vendor's architecture will be better prepared for outages, says CSA's Reavis.

"It is important to understand how the provider achieves redundancy in its architecture, operating procedures including software updates, and its footprint of global data centers," he says. "The customer should then understand how that redundancy satisfies their own risk requirements and if their own architecture takes full advantage of the redundancy capabilities."

Business customers should also regularly re-evaluate their technology landscape and risk profile. While network and power failures — and natural disasters — used to dominate resilience discussions, malicious threats such as ransomware and denial-of-service attacks are often more likely to dominate discussions today, says Forrester's Maxim.

"Understanding the evolving risks and their respective impact on business is an imperative to prioritize the risks that you'd want to mitigate," he says. A business impact analysis conducted with internal teams "allows you to create tiers for application criticality that help determine if the default resilience of cloud services is enough — or if you need a more robust solution."

Zscaler's Cloud-Based Cybersecurity Outages Showcase Redundancy Problem

When looking at the scale and scope of worldwide cybercrime, password attacks are the most commonly observed type of threat in a given 60-second period.

Cybercrime is big and still growing bigger. It is often difficult to fully grasp the impact online attacks have had over the past decades. We used data from various Microsoft-owned properties and a mix of external sources to illustrate the scale and scope of worldwide cybercrime. Our comprehensive report on malicious activity highlights what is happening around the world within any given 60-second window.

**Cyberattacks Vary By Type and Focus**

If we’ve learned anything from our examination of last year’s online attacks, it’s that security teams need to be prepared to defend against a wide variety of threats at all times. According to RiskIQ, acquired by Microsoft in 2021, password attacks were far and away the most commonly observed type of threat, clocking in at 34,740 per minute. However, we also saw 1,902 Internet of Things (IoT) attacks and 1,095 distributed denial-of-service (DDoS) attacks during the same 60-second time period.

The threat picture gets even more complex the deeper we dive into internal Microsoft security data. We most commonly blocked email threats, identity threats, and brute-force authorization attacks for our customers.

When we examined a broad range of market data, we uncovered even more attacks. In 2021, seven phishing attacks occurred every minute, one SQL injection attack every two minutes, one new threat infrastructure detection every 35 minutes, one supply chain attack every 44 minutes, and one ransomware attack every 195 minutes. All of this comes together to create a tangled cybercrime landscape that security teams have to contend with.

**What Is the True Cost of Cybercrime?**

Cybercrime is a highly disruptive force, estimated to cause trillions of dollars in damages globally every year. The cost of cybercrime comes from damage done to data and property, stolen assets — including intellectual property — and the disruption of business systems and productivity.

Here’s a breakdown of how much cybercriminals cost businesses and consumers in 2021 per minute:

*   Worldwide economic impact of cybercrime: $1,141,553

*   Global cybersecurity spend: $285,388

*   E-commerce payment fraud losses: $38,052

*   Global ransomware damages: $38,051

*   Total cost of business email compromise: $4,566

*   Amount lost to cryptocurrency scams: $3,615

*   Average cost of breach: $8

*   Average cost of malware attacks: $5

How should enterprises guard against the disruptions and financial losses that come with a cybersecurity breach? They should start by understanding the full scope of the digital landscape that needs to be protected.

**What Should Organizations Expect?**

Threat actors are getting savvier about the tools and methods they use for evading detection, bypassing security systems, and perpetrating attacks. In 2021 there were 79,861 new hosts and 7,620 new IoT devices every minute. Likewise, we discovered 150 new domains, 53 new active LetsEncrypt SSL certificates, and 23 new mobile apps created in the same time period. Each of these additions can potentially act as a doorway for threat actors.

Cloud migrations, new digital initiatives, and shadow IT all widen the attack surface. At the enterprise level, that can mean a vast estate spanning multiple clouds and massively complex ecosystems. Meanwhile, cheap infrastructure and flourishing cybercrime economies grow the threat landscape that organizations, in turn, must track. Organizations need to ensure they’re one step ahead by creating a more holistic cybersecurity strategy that protects their operations on all fronts.

To gain control of this dynamic threat landscape, security teams must keep a pulse on new and emerging threats, the latest cybercrime tactics, and the leading tools at their disposal. Microsoft tracks more than 43 trillion signals every day to develop dynamic, hyper-relevant threat intelligence that evolves with the attack surface and helps us to detect and respond to threats rapidly. Our customers can access this intelligence directly to create a deep and unique view of the threat landscape, a 360-degree understanding of their exposure to it, and tools to mitigate and respond.

A Cyber Threat Minute: Cybercrime’s Scope in 60-Second Snapshots

How to solve the software vulnerability problem across the entire SDLC.

In the opening keynote of the 2022 Black Hat security conference, Chris Krebs, the former Department of Homeland Securities cybersecurity director, stated that security is going to get worse before it gets better. Why? Krebs said that "software remains vulnerable because the benefits of insecure products far outweigh the downsides." Rather than ensuring security, the focus across the software development life cycle (SDLC) is beating the competition to market. In fact, innovation is often seen at odds with security — the former believed to be fast-paced and productive, and the latter a roadblock that stifles quick-moving application development. This view is proving to be outdated in the current threat landscape.

With cyberattacks on the rise, the software supply chain is a popular target for cybercriminals who recognize the huge disruption they cause when infecting insecure code. For example, the now infamous Log4Shell vulnerability posed such a risk because the open source Log4j is so commonly used across software applications and online services worldwide, and exploiting the vulnerability requires very little expertise. More recently, the 25,000 malicious plug-ins found across WordPress sites highlight the cybersecurity risk that many businesses face, despite believing they were using secure applications and programs within their websites.

Innovation and security must therefore be viewed through a single lens; one is not possible without the other. Even more importantly, security can no longer be the responsibility of one siloed team. It must be a priority for everyone across the SDLC.

**The AppSec Dilemma**

Despite increased investment into application development, the same importance isn't being applied to security. In such a competitive space, first movers tend to get the reward. Those that enter the market with their "first viable product" are likely looking at how this product can serve customers, not how it can be used securely. With these high expectations, code demands on developers have increased 100 times over the past 10 years, with 92% feeling pressured to write code faster. Pair this with the fact that 53% have no professional secure coding training, while the number of new vulnerabilities within the NIST National Vulnerability Database has increased by over 200% in the past several years, and it seems we're in something of an application security dilemma.

However, it is not an unsolvable dilemma. The solution requires a complete switch-up in the way that many view coding and innovation, with a specific focus on the mindset of the people. It puts security first and recognizes that it's OK to be slower to market if the end product is more secure. According to Boehm's law, "the cost of finding and fixing a defect grows exponentially with time" — a concept that can benefit the bottom line of organizations that prioritize security from the start.

Establishing this security-first mindset is crucial — not just for the development team, but for everyone who plays a role within the SDLC. Product and project managers, DevOps, user experience (UX) designers, and quality assurance (QA) professionals will all influence the end result and therefore need to recognize the current dilemma for application security and how this challenge can be overcome.

**Getting Integrated Education Right**

If teams do not understand _why_ a security-first mindset is so important within application development, they are never going to buy into _how_ it can be achieved. Integrated and continuous application security education for the whole development organization has therefore never been more important. For those creating the code, it is important to deliver foundational learning before hands-on exercises that speak directly to the issues they face on a daily basis. This developer-specific education should be run in parallel with foundational and advanced application security training programs for those with roles in the SDLC that may not necessarily need hands-on expertise. These kinds of initiatives will empower the whole team to think differently, make more informed decisions, and integrate security across every aspect of development.

Yet it is important that organizations understand that application security constantly evolves and changes. Building a security-minded team who apply key AppSec principles at every step of the development cycle can't be accomplished with a "one and done" training program. To ensure teams maintain this security-first mindset, a continued and evolving educational program is key.

Many organizations engage teams by acknowledging and celebrating security champions, who lead a shift in security behavior across the team. By offering incentives or rewards to those that are consistently applying security best practices in their day-to-day work, they encourage champions to engage others and organically influence change. For example, by measuring results — like the number of vulnerabilities in a code before and after training programs — and recognizing success, it is also far easier to get buy-in from the board and justify investment on secure coding education to the decision-makers.

Innovating fast and beating the competition to market while also putting security first is possible when the people of the SDLC make security a top priority. In fact, as the number of vulnerabilities grows and cyberattacks show no sign of slowing down, coding securely is a must for any application to be successful. As long as the entire SDLC is considered in continuous, bespoke, and measurable education initiatives, security does not _have_ to get worse before it gets better.

Source

DARKReading