Here's what that means about our current state as an industry, and why we should be happy about it.

In a recent report, Forrester analysts warned of a looming major security breach at a large enterprise in 2023 rooted in business users using low-code/no-code (LCNC). The first part of this prediction is, unfortunately, a shared industry assumption: It would be surprising if we had an entire year without major headline security breaches. But the second part — forecasting that this major breach would be the result of business users, aka citizen developers, using LCNC — is an extraordinary attempt to wake up the security community before it's too late.

This prediction is so powerful since it comes in strong contrast to the tendency some security teams have to treat apps built by business users as toys or POCs rather than critical infrastructure. This assumption, warns Forrester, is wrong and will lead to dire results. In recent years, LCNC has become a reality in the enterprise, and business users have been building impactful apps that large organizations now rely on — with or without the security team's knowledge.

To understand why Forrester is issuing this warning, we must unpack its underlying assumptions. Doing so will show that it is full of new information about the analysts' reading and assumption of the market, which the reader is free to evaluate.

**When a Security Breach Becomes a Major Headline**

Consider the factors it takes for a security breach to become a major headline. First, obviously a breach needs to occur. While this assumption is trivial, note that it relies on an underlying assumption that hackers are focusing their efforts on LCNC apps and finding success in breaking them. For hackers to focus their efforts on LCNC, the perceived reward needs to be big enough compared to the perceived difficulty — which means hackers must be convinced that LCNC holds significant business data or facilitate important business workflows for them to be a worthy target. Success in breaching LCNC apps means that hackers can exploit either platform or app-level vulnerabilities to own these apps. 

Since business users are not security experts and often lack guidance, this is unfortunately an easy assumption to make. In fact, in a case documented by the Microsoft Detection and Response team, an APT group used live-off-the-land on some LCNC to remain hidden and persistent within a multinational organization for more than six months while defenders were actively trying to kick them off. In another case last year, a simple misconfiguration resulted in almost 40 million confidential records being exposed to the Internet.

Second, the breach must involve business-critical apps or data; otherwise the story just won't be as interesting for a major headline. The criticality of the app or data needs to be rooted in the business' value proposition for it to be obvious to every external security practitioner that this will have significant business impact on the breached company. LCNC and citizen development has grown significantly in recent years, delivering on its promise of empowering business users to address their own needs. Business-led development has become a strategic initiative in some organizations. Many large organizations have a dedicated group of admins who manage and operate these LCNC citizen development platforms, which are sometimes called Centers of Excellence.

Third, the breach needs to be detected. A breach could be announced publicly by hackers willfully publishing it to hurt the breached company or push the company to yield to the hacker's demands. It could also be detected inside the breached company if business-critical apps have stopped working or security teams have identified it. In any case, breach detection comes seven months after hackers had their initial successful access, on average. Doing the math, and considering the predicted headlines are to come in 2023, this means that hackers may have already breached business-critical LCNC apps.

Lastly, and again trivially, the breach needs to be publicized. Of course, any organization that suffered a major breach would be happy if the news of its unfortunate event did not reach major news outlets. Assuming that the breached organization would work against it, and that not all major breaches are reported on, this means that next year should bring far more than one major security breach resulting from business users building with LCNC.

Unpacking the Forrester prediction for 2023 reveals a set of assumptions about the world we live in now. Business users are building business-critical apps with LCNC. Hackers are acutely aware of and have probably developed dedicated tools and exploits to breach such apps across the industry. Some security teams are probably dealing with a detected breach at this very moment.

**Why We Should Be Happy About the Prediction**

While discussing a predicted major breach feels gloomy and pessimistic, the larger message is positive: Business users are succeeding in moving the needle in the enterprise using LCNC and solving problems on their own.

There has long been a gap between business users who can articulate the problems they need solved to do their job better — thus making the business stronger — and IT teams that are failing under the pressure and have limited capability, which renders them unable to meet most of those requirements. LCNC is the latest development trying to bridge that gap by empowering business users to address their problems as they see fit. The business empowerment goal, part of IT decentralization, has been pursued by endless innovation waves, including productivity tools like Office, application generators, visual coders, and lately RPA and LCNC. As we saw above, this prediction is predicated on the amazing fact that LCNC is actually succeeding in empowering business users, and that they in turn succeed in changing business outcomes.

Like every new technology, LCNC comes with a new set of challenges. While we've been successful at leveraging LCNC for business impact, we haven't been as good at making sure those apps, the identities they use, and the data they handle are secure. This will not be an easy task, as security teams are not used to monitoring and guiding business users and the apps they develop. However, our role as security teams is to enable the business, and the business clearly shows it wants LCNC.

Major Security Breach From Business Users' Low-Code Apps Could Come in 2023, Analysts Warn

Check out our slideshow of 10 fun games and toys that teach programming principles, electronics, and engineering concepts to get kids ready to hack the planet.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Time to Get Kids Hacking: Our 2022 Holiday Gift Guide

Organizations that use the consensus principles can significantly improve their cyber resilience without raising costs, MIT research shows.

**Geneva, Switzerland/Nov. 16** — As the World Economic Forum’s annual Cybersecurity Summit concluded today, research conducted by MIT Cybersecurity at MIT Sloan (MIT CAMS) found that the cyber risk oversight principles (consensus principles) developed by the Forum in conjunction with the Internet Security Alliance (ISA) and the National Association of Corporate Directors (NACD) “demonstrates that organizations that use the consensus principles can significantly improve their cyber resilience without raising costs.”

The MIT research used a grounded control theory and system dynamics built on significant research in the field, including interviews with CISOs which has been validated over the years at a Fortune 500 company analyzing a wide range of cyber risk challenges. MIT CAMS used a simulation-added approach to understand organizational behavior when adapting the consensus Cyber Risk Principles.

The research used a scientifically grounded simulation methodology to explore the behavior of CEOs who followed the traditional model and compared it to that of an aware CEO who followed the consensus principles. The research found “a significant difference when comparing the strength of defensive posture represented by the number of cybersecurity incidents and compromised assists. The CEO who follows the principles is predicted to have 85% fewer incidents.

Moreover, a CEO who followed the principles was more “cyber conscience,” has gone further to foster resilience, is pro-active in anticipating cyber threats, knows how their technology drives their business, and focuses on maintaining business performance.

ISA President Larry Clinton noted that this study was the second independent verification of the Principles; utilizing improvised organizational cybersecurity, citing the previous PWC research, which also found organizations who used these principles had better cyber risk management, closer alignment between cyber and overall mission goals, and helped to foster a culture of security.

“I’m not aware of any of the set of best practices regulations or frameworks that has been independently assessed and verified using multiple independent methodologies as have these core principles,” Clinton said.

An abstract of the study based on NACD reporting can be found here https://isalliance.org/?p=12291.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

MIT Research Documents Effectiveness of Consensus Cyber Risk Oversight Principles

New study identifies critical focus areas for portfolio companies to reduce cyber risks and costs associated with breaches.

**NEW YORK, Nov. 21, 2022 /PRNewswire/** — BlueVoyant, an industry-leading cyber defense company that combines internal and external cybersecurity, today released a new report, highlighting cyber risks impacting private equity portfolio companies. The study found IT management was a top concern, with many portfolio companies struggling with IT hygiene, potentially leaving them susceptible to costly breaches.

"When it comes to private equity portfolio companies, we see a wide range of cyber defense postures," said Dan Vasile, vice president of strategic development at BlueVoyant. "Cybersecurity as a subset of risks is sometimes overlooked. This analysis confirms the need to prioritize cyber defense in order to protect portfolio company value. The private equity space is beginning to get on track. However, we must button up the entire process to protect those vulnerable entities, as well as ramping up cyber defense against less easily exploitable but equally damaging threats."

BlueVoyant analyzed 780 portfolio companies from private equity-backed firms, with the majority headquartered in the U.S., but including companies across Europe and around the globe. Key survey findings include:

*   19% of examined portfolio companies are exposed via "Zero Tolerance Findings" discovered in their internet-facing, publicly accessible footprints. BlueVoyant defines zero tolerance as critical known findings that are easily exploitable by malicious actors and are commonly associated with successful ransomware attacks. Should these vulnerabilities be exploited, it could lead to loss of data and service availability, translating into customer distrust and financial loss.
*   More than 70% of the critical internet-facing findings are related to IT hygiene.

"It is imperative that private equity firms effectively monitor their digital ecosystems by continuously monitoring their portfolio companies to quickly remediate any issues and overcome any cyber attack financial impacts," says James Tamblin, vice chairman, strategic development at BlueVoyant. "Without proper cyber risk management, these companies can face costly repercussions, especially if improvements in IT hygiene are not made."

To maintain cyber vigilance within private equity firms, BlueVoyant recommends proactively working within portfolio companies to reduce cybersecurity risk and avoid the costs associated with breaches. Working with portfolio companies to improve IT management practices to current standards is key, as well as establishing a prioritized risk reduction program, and continually assess for any weaknesses in their real-time risk posture.

BlueVoyant's study used digital "footprints," the mapping of an organization's external-facing network assets, registered IP addresses, and internet hosting presence to gain comprehensive visibility into any given organization's attack surface using a combination of artificial intelligence and machine learning. The full research report, "Private Equity: A Look at Portfolio Company Cyber Risk," is available online here.

**About BlueVoyant**

BlueVoyant combines internal and external cyber defense capabilities into an outcomes-based platform called BlueVoyant Elements™. Elements is cloud-native and continuously monitors your network, endpoints, attack surface, and supply chain plus the clear, deep, and dark web for vulnerabilities, risks, and threats; and takes action to protect your business, leveraging both machine learning-driven automation and human-led expertise. Elements can be deployed as independent solutions or together as a full-spectrum cyber defense platform. BlueVoyant's approach to cyber defense revolves around three key pillars — technology, telemetry, and talent — that deliver industry-leading cybersecurity to more than 700 clients across the globe.

Visit www.bluevoyant.com

SOURCE: BlueVoyant

BlueVoyant Research Reveals Private Equity Portfolio Company Cybersecurity Challenges

Cyber Risk Index report highlights elevated risk as organizations struggle with visibility.

**DALLAS, Nov. 21, 2022 /PRNewswire/** — Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today announced that 32% of global organizations have had customer records compromised multiple times over the past 12 months as they struggle to profile and defend an expanding attack surface.

The findings come from Trend Micro's semi-annual _Cyber Risk Index_ (CRI) report, compiled by the Ponemon Institute from interviews with over 4,100 organizations across North America, Europe, Latin/South America, and Asia-Pacific.

Customer records are at increased risk as organizations struggle to profile and defend an expanding attack surface.

**Jon Clay, VP of threat intelligence at Trend Micro**: "You can't protect what you can't see. But with hybrid working ushering in a new era of complex, distributed IT environments, many organizations are finding it difficult to eradicate growing security coverage and visibility gaps. To avoid the attack surface spiraling out of control, they need to combine asset discovery and monitoring with threat detection and response on a single platform."

The CRI calculates the gap between organizational preparedness and the likelihood of being attacked, with -10 representing the highest level of risk. The global CRI index moved from –0.04 in 2H 2021 to –0.15 in 1H 2022, indicating a surging level of risk over the past six months.

This trend is also reflected elsewhere in the data: the number of global organizations experiencing a "successful" cyber-attack increased from 84% to 90% over the same period. Unsurprisingly, the number now expected to be compromised over the coming year has also increased from 76% to 85%.

Some of the top preparedness risks highlighted by the index report are related to attack surface discovery capabilities. It is often challenging for security professionals to identify the physical location of business-critical data assets and applications.

From the business perspective, the biggest concern is the misalignment between CISOs and business executives. Based on the scores given by the respondents, "My organization's IT security objectives are aligned with business objectives" only has a score of 4.79 out of 10.

By addressing the shortage of cybersecurity professionals and improving security processes and technology, organizations will significantly reduce their vulnerability to attacks.

Dr. Larry Ponemon, chairman and founder of Ponemon Institute: "The CRI continues to provide a fascinating snapshot of how global organizations perceive their security posture and the likelihood of being attacked. The stakes couldn't be higher in the face of stiff macroeconomic headwinds. Respondents pointed to the high cost of outside expertise, damage to critical infrastructure, and lost productivity as the main negative consequences of a breach."

To read a full copy of the latest _Cyber Risk Index,_ please visit: www.trendmicro.com/cyberrisk

Overall, respondents rated the following as the top cyber threats in 1H 2022:

1.  Business Email Compromise (BEC)
2.  Clickjacking
3.  Fileless attacks
4.  Ransomware
5.  Login attacks (Credential Theft)  
    

**About Trend Micro  
**Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.TrendMicro.com.

SOURCE: Trend Micro Incorporated

A Third of Global Organizations Were Breached Over Seven Times in the Past Year

Improved cyber hygiene keeps users and their identities, devices, and data more secure and reduces the organization’s risk exposure.

Did you know that October was Cybersecurity Awareness Month? Comprehensive cybersecurity education is an important part of strengthening cyber defenses for governments, businesses, and individuals. It is increasingly important for everyone to have access to actionable, engaging resources that can help them level up their cybersecurity practices.

To that end, the Be Cyber Smart Kit helps organizations and consumers be cyber smart through shareable videos, infographics, and more. Keep reading for tips to keep you and your organization secure all year round.

**Your Best Password Is You**

Did you know that password attacks were the most commonly observed type of threat in 2021, clocking in at 34,740 attacks every minute? Today’s hackers don’t break in — they sign in. That’s why we encourage our customers to use passwordless sign-in methods, physical security keys, and biometrics whenever possible. They are more secure than traditional passwords, which can be stolen, hacked, or guessed. They can also greatly reduce the risk that comes with having to create and secure multiple unique passwords for all of your organization’s various accounts.

If you do use passwords as part of your sign-in process, here are five tips for making them as strong as possible:

*   Create a password that is at least 12 characters long (but 14 or more is better).

*   Use a combination of uppercase letters, lowercase letters, numbers, and symbols.

*   Don’t choose a word that can be found in a dictionary or is the name of a person, character, product, or organization.

*   Pick something significantly different from your previous passwords — and never reuse the same password for multiple sites.

*   Choose passwords that are easy for you to remember but difficult for others to guess.

Once you’ve created your password, keep it as secure as possible. Hackers will often target companies by attempting to trick individual employees into revealing their security logins. You can better protect your organization against password attacks by updating passwords frequently, encouraging employees to access websites only through trusted links, and reminding employees not to share their credentials via insecure channels like email or instant messages.

**Protecting Identities, Devices, and Data**

Along the same vein as increasing password attacks, we’re also seeing a rise in identity theft. The days of easily identifiable spam emails are quickly slipping away. Today’s threat actors are growing savvier when it comes to stealing identities to hack into devices and networks.

Many of us know to be skeptical of messages that include links or come with attached files, especially when the sender asks for personal information. But it bears repeating that you should never open an unexpected attachment, even if it appears to be coming from a trusted person or organization. If an employee is concerned that the message is important, encourage them to reach out to the sender directly — either by calling them or going to the organization’s official website for their contact information.

When part of a legitimate request, personal information should ideally be shared in real time — either in person or over the phone. It is recommended that you use encryption tools when sensitive information absolutely needs to be shared via email. Employees should also be wary of sending system definition files through insecure channels because attackers can use them to breach your digital landscape, corrupt organizational processes, and make your environment more vulnerable.

We recommend organizations strengthen their cybersecurity by installing software updates as soon as they are released. Many app, browser, and operating system updates contain security fixes for currently active issues, so installing them promptly is an important part of maintaining the latest security standards. You can further reduce your company’s attack surface by eliminating unnecessary Internet connections, restricting open ports, and using scanning tools to check your digital environment for potential weaknesses.

Ultimately, while Cybersecurity Awareness Month might only last 31 days, promoting the importance of a secure online environment is a year-round job. It comes down to all of us being cyber defenders — whether we represent a global corporation, a family-owned business, or even an individual consumer. Let’s be cyber smart together!

#BeCyberSmart All Year Round With Educational Resources From Microsoft

Threat actors are becoming only more sophisticated and determined.

Current approaches to managing operations and security made sense at the time they were established, pre-cloud and pre-digital transformation. Now, with networked multicloud environments, both digital operations and security are far more complex. And even in the digital world, people and teams want to protect their turf. According to IBM's most recent cyber-resilience report, the top three reasons why cyber resiliency has not improved are:

1.  Inability to reduce silo and turf issues
2.  Fragmented IT and security infrastructure
3.  Lack of visibility into applications and data assets

These are all operational issues.

Operations has been fragmented, with responsibilities scattered across lines of business, including IT, finance, sales and marketing, DevOps, and SecOps. Chief information officers (CIOs) scramble to make sure information is available to those who need it while trying to stay compliant with business and data policies. Meanwhile, chief information security officers (CISOs) focus on protecting assets and data from loss and threats across the entire business. All organizations face a daily flood of data across the multitude of tools and systems they rely on to run their businesses — and yet that data is siloed too.

At the same time, threat actors are increasingly sophisticated and determined. Ransomware is practically a legitimate business — perpetrators have "customer" help desks and arrange payment terms for their victims. Adding tools and people to address security doesn't scale and can no longer solve operational and security issues effectively. The status quo of siloed operations is just not sustainable.

According to IBM's research, the average midsize enterprise runs more than 45 security tools — and that's not to mention those for monitoring applications, the network, and cloud operations. Most are designed for a unique function, which they may do exceedingly well. But together, they can become a management nightmare or be ignored, which is a shame, since their data is valuable. It doesn't make sense to have so many tools yet limit data you ingest — and you also need that data over time to discover potential issues before damage occurs.

**Security and Operations Must Join Forces**

It's time to think differently about approaching both operational integrity _and_ security. Start by considering what ops and security organizations have in common:

1.  **Availability:** Ops is responsible for ensuring business systems and information are available to all who need access. Security teams are responsible for ensuring the right data is available to the right people at the right times on the right devices.
2.  **Risk:** The ops view of risk focuses on keeping everything up and running to avoid downtime and poor performance that kill business productivity and efficiency. Security organizations view risk in terms of data loss, manipulation, and damage to the business.

What if digital operations and security shifted from operating separately — working in silos, managing a lot of tools, duplicating efforts — to working together on a shared data and analytics platform? And what if that platform made them more effective at delivering on their common objectives of providing availability across infrastructure and assets while reducing risk?

Digital ops and security share a common goal of keeping the business operating securely at optimal capacity. To succeed in this shared mission, you need to create a cohesive "digital + security" approach, supported by a team that collaborates and optimizes the resources at hand — both human and machine.

**Security and Operations Need a Common Operational Picture**

For many companies, the cost of running operations takes a disproportionate share of budgets, leaving less to spend on innovation and growth. And it's not helping reduce risk (of downtime or breaches). The only solution is to accelerate digital transformation by shifting focus from worrying about risk to preventing it. And the only way to do that is converging _all_ your operations and security data into a common platform.

Merging ops and security with an information-sharing platform enables fully secured, reliable, and convenient enterprise operations.

By ingesting and analyzing all your operational and security data, you can ultimately derive a common operational picture (COP). From there, you need to connect the dots across ops and security data to gain the context and intelligence necessary to successfully manage risk. Applying advanced analytics and machine learning, organizations can then identify pre-incident situations, rank them by business risk, and correlate them with sufficient context for proactive resolution. 

Ops and security can 100% work together. By doing so, CISOs and CIOs gain insights and can prove damage avoided — which means they can show "goals saved" and quantify value.

Better Together: Why It's Time for Ops and Security to Converge

The company emerges from stealth with an automated security remediation product identifies and remediates cloud misconfigurations.

Some of the most common issues in cloud security involve misconfigured systems. Cloud servers may be mistakenly configured to allow anyone on the Internet to access the data. The firewall rules may have inadvertently created a hole big enough for a threat actor to slip through. These kinds of issues trip up enterprises on a regular basis because securing cloud infrastructure is labor-intensive and security operations rely heavily on manual processes to manage the complex environment.

Enter OpsHelm, a cloud security startup which came out of stealth with its automated security remediation product on Thursday. The product monitors the IT environment looking for cloud misconfigurations and makes it possible to fix the issues in a seamless way. The tool integrates with common enterprise communications tools such as Slack or Microsoft Teams and informs the security operations team of the issues as they are found. The team can address the issues and the tool learns what actions should be taken so that it knows how to handle the situation the next time that issue comes up.

"Companies attempt to solve this problem with enhanced visibility into their cloud infrastructure, yet this isn't enough--they are still stuck doing the time-consuming triage and remediation with their limited team resources," Andrew Peterson, co-founder and CEO of Signal Sciences and an investor in the company, said in a statement.

The company says OpsHelm can detect and fix common cloud issues such as misconfigurations, overly permissive firewall rulesets, potential data exposures, unmanaged resources in Infrastructure as Code (IaC), credential sprawl, and unsecured assets exposed to the Internet.

"For example, if S3 buckets are routinely exposed when you stand up new programs, you can eliminate all exposed S3 buckets in seconds and ensure that any new ones are instantly locked down the second they are exposed," Bill Gambardella, OpsHelm CEO and co-founder, wrote on the company's blog. Gambardella was previously COO at Leviathan Security Group and previously ran security at Sprout Social. Other members of the founding team include OpsHelm CTO Kyle McCullough, who was a platform engineer at Sprout Social; COO Bob Bregant and founding engineer Lee Brotherson.

At the moment, OpsHelm integrates with Google Cloud Platform and Amazon Web Services. Support for Microsoft Azure is “coming soon.” Currently in public beta, general availability is expected early next year, the company says.

New Startup OpsHelm Tackles Cloud Misconfigurations

Your journey to zero trust can be perilous if you are using legacy equipment that wasn’t designed for it. Begin the transformation where it makes the most sense for your organization.

Digital transformation is a journey, and much like any adventure, a bit of preparation can go a long way in driving a successful outcome. Preparing for any adventure includes determining where you want to go, deciding on the best way to get there, and gathering the equipment, services, and supplies you’ll need along the way.

An IT transformation journey typically begins with application transformation, where you move applications out of the data center and into the cloud. Then, network transformation becomes necessary to enable users to access applications that are now widely dispersed—moving from a hub-and-spoke network architecture to a direct connectivity approach. This, in turn, drives a need for security transformation, where you shift from a castle-and-moat security approach to a zero-trust architecture.

While the aforementioned order is typical, there are a few different ways to achieve similar outcomes. You should begin your journey toward zero trust wherever you feel most comfortable or prepared. If it makes more sense for your organization to begin with security transformation before app transformation, you can.

**Assess Your Equipment**

Castle-and-moat security architectures, leveraging firewalls, VPNs, and centralized security appliances, worked well when applications lived in the data center and users worked in the office. It was the right equipment for the job at the time. Today, though, your workforce works from everywhere, and applications have moved out of the data center and into public clouds, SaaS, and other parts of the internet. Those firewalls, VPNs, and legacy security hardware stacks were not designed to meet the needs of today’s highly distributed business and have outlived their usefulness.

To grant users access to applications, VPNs and firewalls must connect users to your network, essentially extending the network to all your remote users, devices, and locations. This puts your organization at greater risk by giving attackers more opportunities to compromise users, devices, and workloads, and more ways to move laterally to reach high-value assets, extract sensitive data, and inflict damage on your business. Protecting your highly distributed users, data, and applications requires a new approach—a better approach.

**Mapping the Best Route**

When it comes to security transformation, innovative leaders are turning to zero trust. Unlike perimeter-based security approaches that rely on firewalls and implicit trust and provide broad access once trust is established, zero trust is a holistic approach to security based on the principle of least-privileged access and the idea that no user, device, or workload should be inherently trusted. It begins with the assumption that everything is hostile, and grants access only after identity and context are verified and policy checks are enforced.

Achieving true zero trust requires more than pushing firewalls to the cloud. It requires a new architecture, born in the cloud and delivered natively through the cloud, to securely connect users, devices, and workloads to applications without connecting to the network.

As with any significant journey, it’s helpful to break your way to zero trust into various legs that clearly define the path while keeping the ultimate destination in mind. When considering your approach, seven essential elements will enable you to dynamically and continuously assess risk and securely broker communications over any network, from any location.

Using these elements, your organization can implement true zero trust to eliminate your attack surface, prevent the lateral movement of threats, and protect your business against compromise and data loss.

These elements can be grouped into three sections:

*   Verify identity and context
*   Control content and access
*   Enforce policy

Let’s take a closer look.

    

Source: Zscaler

**Verify Identity and Context**

The adventure begins when a connection is requested. The zero-trust architecture will begin by terminating the connection and verifying identity and context. It looks at the who, what, and where of the requested connection.

**1\. Who is connecting?** The first essential element is to verify the user/device, IoT/OT device, or workload identity. This is achieved through integrations with third-party identity providers (IdPs) as part of an enterprise identity access management (IAM) provider.

**2\. What is the access context?** Next, the solution must validate the context of the connection requester by looking into details such as the role, responsibility, time of day, location, device type, and circumstances of the request.

**3\. Where is the connection going?** The solution next needs to confirm that the identity owner has the rights and meets the required context to access the application or resource based on entity-to-resource segmentation rules—the cornerstone of zero trust.

**Control Content and Access**

After verifying identity and context, the zero-trust architecture evaluates the risk associated with the requested connection and inspects traffic to protect against cyber threats and the loss of sensitive data.

**4\. Assess risk:** The solution should use AI to dynamically compute a risk score. Factors including device posture, threats, destination, behavior, and policy should be continually evaluated throughout the life of the connection to ensure the risk score remains up to date.

**5\. Prevent compromise:** To identify and block malicious content and prevent compromise, an effective zero-trust architecture must decrypt traffic inline and leverage deep content inspection of entity-to-resource traffic at scale.

**6\. Prevent data loss:** Outbound traffic must be decrypted and inspected to identify sensitive data and prevent its exfiltration using inline controls or by isolating access within a controlled environment.

**Enforce Policy**

Before reaching the end of the journey and ultimately establishing a connection to the requested internal or external application, one final element must be implemented: enforcing policy.

**7\. Enforce policy:** Using the outputs of the previous elements, this element determines what action to take regarding the requested connection. The end goal is not a simple pass/not pass decision. Instead, the solution must constantly and uniformly apply policy on a per-session basis—regardless of location or enforcement point—to provide granular controls that ultimately result in a conditional allow or conditional block decision.

Once an allow decision is reached, a user is granted a secure connection to the internet, SaaS app, or internal application.

**Securely Reach Your Destination**

Your journey to zero trust can be perilous if you’re trying to get there with legacy equipment that wasn’t designed for it. While finding a solution that enables true zero trust may at first seem daunting, begin where it makes the most sense for your organization, and let the seven elements outlined here serve as your guide.

_Read more_ _Partner Perspectives from Zscaler._

Charting the Path to Zero Trust: Where to Begin

Although the group relies on good old phishing to deliver Royal ransomware, researchers say DEV-0569 regularly uses new and creative discovery techniques to lure victims.

It generally starts with malvertising and ends with the deployment of Royal ransomware, but a new threat group has distinguished itself by its ability to innovate the malicious steps in between to lure in new targets.

The cyberattack group, tracked by Microsoft Security Threat Intelligence as DEV-0569, is notable for its ability to continuously improve its discovery, detection evasion, and post-compromise payloads, according to a report this week from the computing giant.

"DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments," the Microsoft researchers said.

In just a few months, the Microsoft team observed the group's innovations, including hiding malicious links on organizations' contact forms; burying fake installers on legitimate download sites and repositories; and using Google ads in its campaigns to camouflage its malicious activities.

"DEV-0569 activity uses signed binaries and delivers encrypted malware payloads," the Microsoft team added. "The group, also known to rely heavily on defense evasion techniques, has continued to use the open-source tool Nsudo to attempt disabling antivirus solutions in recent campaigns."

The group's success positions DEV-0569 to serve as an access broker for other ransomware operations, Microsoft Security said.

**How to Combat Cyberattack Ingenuity**

New tricks aside, Mike Parkin, senior technical engineer at Vulcan Cyber, points out the threat group indeed makes adjustments along the edges of their campaign tactics, but consistently relies on users to make mistakes. Thus, for defense, user education is the key, he says.

"The phishing and malvertising attacks reported here rely entirely on getting users to interact with the lure," Parkin tells Dark Reading. "Which means that if the user doesn't interact, there is no breach."

He adds, "Security teams need to stay ahead of the latest exploits and malware being deployed in the wild, but there is still an element of user education and awareness that's required, and will always be required, to turn the user community from the main attack surface into a solid line of defense."

Making users impervious to lures certainly sounds like a solid strategy, but Chris Clements, vice president of solutions architecture at Cerberus Sentinel, tells Dark Reading it's "both unrealistic and unfair" to expect users to maintain 100% vigilance in the face of increasingly convincing social engineering ploys. Instead, a more holistic approach to security is required, he explains.

"It falls then to the technical and cybersecurity teams at an organization to ensure that a compromise of a single user doesn't lead to widespread organizational damage from the most common cybercriminal goals of mass data theft and ransomware," Clements says.

**IAM Controls Matter**

Robert Hughes, CISO at RSA, recommends starting with identity and access management (IAM) controls.

"Strong identity and access governance can help control the lateral spread of malware and limit its impact, even after a failure at the human and endpoint malware prevention level, such as stopping authorized individual from clicking on a link and installing software that they are allowed to install," Hughes tells Dark Reading. "Once you've ensured that your data and identities are safe, the fallout of a ransomware attack won't be as damaging — and it won't be as much of an effort to re-image an endpoint."

Phil Neray from CardinalOps agrees. He explains that tactics like malicious Google Ads are tough to defend against, so security teams must also focus on minimizing fallout once a ransomware attack occurs.

"That means making sure the SoC has detections in place for suspicious or unauthorized behavior, such as privilege escalation and the use of living-off-the-land admin tools like PowerShell and remote management utilities," Neray says.

Source

DARKReading