New CrowdStrike Falcon platform integration delivers multi-cloud visibility and protection of data assets with layered malware detection and file scanning to stop modern attacks.

**TEL AVIV, Israel****,** **April 25, 2023** **/PRNewswire/ --** Dig, the cloud data security leader, today announced its new technology integration with CrowdStrike, a leader in cloud-delivered protection of endpoints, cloud workloads, identity, and data. The Dig Data Security Platform integrates with the CrowdStrike Falcon platform to deliver real-time visibility and control of cloud data assets for accurate discovery of sensitive data and security posture gaps. Dig is the first-in-the-market Data Security Posture Management (DSPM) solution combining malware detection with Data Leak Prevention (DLP) and real-time Data Detection and Response (DDR) for securing data assets across storage services in the cloud.

"Organizations rely on the ability to upload large amounts of data to the cloud. But it is too easy for them to lose track of what they have. Unmonitored and unsecured data is too easily infected by malware. Unless detected, it evolves into a ticking time bomb that threatens business processes and operations," said Dan Benjamin, CEO and Co-Founder of Dig Security. "The Dig integration with CrowdStrike's malware detection and file scanning capabilities across cloud data stores helps customers benefit from comprehensive data asset visibility and security across all enterprise cloud stacks."

Legacy point malware detection solutions only scan cloud storage buckets and fall short of comprehensive protection. The integration protects cloud data assets from malicious content with complete malware scanning from the CrowdStrike Falcon platform across: all cloud storage buckets, such as Amazon Simple Storage Service (Amazon S3), Azure Blob Storage, and Google Buckets; FileStores and other unstructured data stores that live in the cloud; and other IaaS, PaaS, and DBaaS providers, including Databricks, Oracle Cloud, and Snowflake.

The Dig Data Security Platform is recognized as the industry's first and only solution to combine data security posture management (DSPM), data loss prevention (DLP), and data detection and response (DDR) capabilities into a single platform. It is easy to implement, cloud-scalable, and highly efficient for today's security teams. Dig enables enterprise cloud and security teams to produce immediate insights using its agentless cloud native solution that delivers a short setup time, zero maintenance, and comprehensive, automated response at scale.

The new integration builds on an existing partnership between CrowdStrike and Dig, who is a CrowdStrike Falcon Fund portfolio company. A cross-stage investment fund, the CrowdStrike Falcon Fund is the largest corporate venture arm in the cybersecurity industry. The program is designed to build an ecosystem of next-generation security leaders that share a common mission through a unique combination of investment and deep technical integrations.

"As more and more companies are moving to the cloud, there is a natural increase in cloud exploitations and compromise of critical cloud infrastructure. As a result, we have deepened our partnership with Dig Security, an innovative Falcon Fund leader in data security and DDR, to address this challenge," said Gur Talpaz, vice president of corporate development and head of Falcon Fund at CrowdStrike. "In our mission to stop breaches and make cloud data inherently secure, it's critical we continue collaborating with companies like Dig to provide customers with real-time data visibility, protection and control across all clouds and all data stores."

For more information about Dig and CrowdStrike's integration, visit here, meet with Dig at RSA, or stop by the Dig booth (#5273) in the North Expo during RSAC 2023 from April 24-27, 2023, at the Moscone Center in San Francisco, CA.

**About Dig Security**

Dig Security helps organizations discover, classify, protect, and govern their cloud data.

With organizations shifting to complex environments with dozens of database types across clouds, monitoring and detecting data exfiltration and policy violations has become a complex problem with limited fragmented solutions. Dig's cloud-native and completely agentless approach re-invents cloud DLP with DDR (Data Detection & Response) capabilities to help organizations better cope with cloud data sprawl. Dig was founded by three cyber security veterans from Microsoft and Google and is backed by Team8, SignalFire, Felicis, CrowdStrike, Okta Ventures, CyberArk Ventures, and Merlin Ventures. Visit us at https://www.dig.security/.

SOURCE Dig Security

Dig Security Announces New Integration With CrowdStrike

**SAN FRANCISCO****,** **April 25, 2023** **/PRNewswire/ --** BlackBerry Limited (NYSE: BB; TSX: BB) and Solutions Granted today announced an extended partnership, naming the leading cybersecurity services provider a Master Managed Security Services Provider (MSSP), enabling it to better scale and meet the growing demand for cybersecurity services among small and medium-sized businesses (SMBs).

"Solutions Granted has been honored as BlackBerry MSSP Partner of the Year for North America for five consecutive years and we're excited to take our partnership to the next level by crowning them as our top Master MSSP," said Adam Enterkin, Chief Revenue Officer, Americas, BlackBerry Cybersecurity. "BlackBerry is dedicated to increasing its focus on MSSP partners to ensure they're set up for success. Endpoints are proliferating, and so are the cyberattacks against them. Our extended partnership with Solutions Granted will help hundreds of small and mid-size businesses continuously adapt to an ever-changing threat landscape."

As a 'Master MSSP', Solutions Granted will be better positioned to help its own partners to deliver Managed Detection and Response (MDR) and other Managed Security Services to their mid-market and SMB clients.  In partnership with BlackBerry and heavily leveraging the Cylance® AI-powered portfolio, Solutions Granted helps thousands of clients secure their environments and prevent attacks. By working with Solutions Granted, MSSPs and managed service providers (MSPs) can offer industry leading managed security, without making the significant investment of building out their own security operations center (SOC).

CylanceENDPOINT™ is among the solutions it helps managed service providers (MSPs) deploy to clients, either as individual managed services or integrated into a SOC-as-a-service offering.

"BlackBerry's support for our business model provides the flexibility we need to continue to meet customer demand and provide the best possible product support for their business needs," said Michael E. Crean, Chief Executive Officer, Solutions Granted. "We value the investment BlackBerry is making in our partnership and know this will go a long way in setting up our customers for success."

To learn more about BlackBerry MSSP Partners, visit blackberry.com/us/en/partners/mssp-partners.

**About BlackBerry**

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world.  The company secures more than 500M endpoints including over 215M vehicles.  Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety and data privacy solutions, and is a leader in the areas of endpoint management, endpoint security, encryption, and embedded systems.  BlackBerry's vision is clear - to secure a connected future you can trust.

BlackBerry. Intelligent Security. Everywhere. 

For more information, visit BlackBerry.com and follow @BlackBerry.

_Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are the trademarks or registered trademarks of BlackBerry Limited, and the exclusive rights to such trademarks are expressly reserved.  All other trademarks are the property of their respective owners.  BlackBerry is not responsible for any third-party products or services._

**About Solutions Granted Inc.**

Solutions Granted is a Master Managed Security Services Provider (Master MSSP). They offer cybersecurity solutions to North American MSPs and MSSPs and are committed to delivering solutions without requiring minimums, commitments, or long-term contracts. They proudly offer many security layers as well as a 24x7 U.S.-based Security Operations Center (SOC). Over the past several years, Solutions Granted has emerged as a clear leader in the channel, by winning countless awards including the CRN Security 100 list, Top 100 MSSP List, Top Global MSSP List, and BlackBerry MSSP Partner of the Year. Learn more at https://www.SolutionsGranted.com.

BlackBerry Extends Partnership With Managed Security Services Provider (MSSP) to Ensure SMBs are Set Up for Cyber Success

CISOs and cybersecurity teams will play a key role in hardening artificial intelligence and machine learning systems.

RSA CONFERENCE 2023 – San Francisco – As enterprises and government agencies increasingly weave artificial intelligence (AI) and machine learning (ML) into their broader set of systems, they'll need to account for a range of risk resilience issues that start with cybersecurity concerns but spread far beyond those. 

A panel on April 24 at RSA Conference 2023 composed of distinguished AI and security researchers examined the problem space of AI resilience, which includes weighty issues like adversarial AI attacks, AI bias, and ethical application of AI modeling.

Cybersecurity professionals need to start to tackling these issues both within their organizations and as collaborators with government and industry groups, panelists noted.

"Many organizations will look to integrate AI/ML capabilities of their core business functions, but in doing so will increase their own attack surface," explained panel moderator Bryan Vorndran, assistant director at the FBI Cyber Division. "Attacks can occur in every stage of the AI and ML development and deployment cycle, models, training data, and APIs can be targeted."

The good news is that there is time to ramp up into these efforts if the community begins work now.

"We have a really unique opportunity here as a community," said Neil Serebryany, CEO of CalypsoAI. "We're aware of the fact that there is a threat, we're seeing early incidents of this threat, and the threat is not full-blown yet."

The 'yet' is the operative word, he emphasized, and his fellow panelists agree. The field of risk management is in a place with AI similar to where cybersecurity was with the Internet in the 1980s, said Bob Lawton, chief of missions capabilities for the Office of the Director of National Intelligence Science and Technology Group.

"Imagine if it's 1985 and you knew the challenges that we were going to face in the cyber domain now, what would we as a community, as an industry do differently 35 years ago, and that's exactly where we're at with AI right now," said Lawton. "We have the time and space to get it right."

Specifically when it comes to direct attacks against AI systems by adversaries, the threats are still very rudimentary, but that's only because the attackers are only putting the work they need to in order to achieve their objectives right now, said Christina Liaghati, AI strategy execution and operations manager for MITRE Corporation.

"I think we're going to see many more of the malicious actors having a higher level of sophistication of these attacks, but right now they don't have to, which I think is what's really interesting about this space," she told the audience.

Nevertheless, she warned that organizations can't treat the risks lightly. The interest of threat actors to increase their sophistication and knowledge of AI models will only keep growing as it is embedded into systems they can profitably attack. And this is just as true of smaller organizations using simple ML models in financial systems as it would be for government agencies using it in an intelligence capacity.

**Everyone Is at Risk**

"If you're deploying AI in any environment where any actor might want to misuse or evade or attack that system, your system is vulnerable," she said. "So, it's not just super advanced tech giants or anybody that's deploying AI in a massive way. If your system is in any kind of consequential environment and then you incorporate AI and machine learning into that broader system of systems context, you could be exposing it in new ways that you're probably not thinking about or necessarily prepared for."

The challenge with AI for many cybersecurity executives is that addressing these risks will require they and their teams gain a whole new set of knowledge and parlance around AI and data science.

"I don't think that AI assurance at its core is a traditional infosec problem," Serebryany said. "It's a machine learning problem that we're trying to figure out how to translate into the infosec community."

For example, hardening the models requires understanding of key data science metrics like recall precision accuracy and F1 scores, he said.

"So I think it's kind of incumbent upon us to be able to figure out how to take these underlying ML concepts and research and translate the parlance, the concepts and the standard operating procedures within a soft context that makes sense within the infosec community," he said.

At the same time, Liaghati said to not discount the security basics as AI/ML models and systems will be deployed in the context of other systems for which security teams have decades of experience managing risk. The principles of data security, application security, and network security are still extremely relevant, as are standard risk management and OpSec best practices.

"So many of those are just good practices. It's not just a big, fancy adversarial layer or being able to patch a data set. It's not necessarily that complicated," she says. "Many of the ways that you can mitigate these threats are just thinking about the amount of information that you're putting out within public domain on what models you're using, what data you're using, where it's coming from, \[and\] what the broader system context looks like around that AI system.

AI Experts: Account for AI/ML Resilience & Risk While There's Still Time

**AUSTIN, Texas – April 25, 2023 –** Global security leader Forcepoint today extended the depth and breadth of its Data-first SASE (Secure Access Service Edge) offering with the launch of Forcepoint Data Security Everywhere. Forcepoint is simplifying enterprise DLP management across cloud, web and private apps and streamlining compliance wherever hybrid workers store, access and use confidential information.

The company is also bringing to market Forcepoint ONE Insights thatenables users to quickly visualize and quantify the financial value of security efficacy delivered by Forcepoint solutions. Forcepoint ONE Insights’ visualization console presents key performance indicators such as adoption, data and threat protection, policy violations, performance, and risk.

“Data isn’t the new oil; it is the new air. Literally everything runs on data today and our lives and livelihoods depend on it. Before today, securing data required a mishmash of point solutions. Forcepoint is taking the lead in solving this problem with Forcepoint Data Security Everywhere,” said Manny Rivelo, CEO of Forcepoint. “We’re deliveringenterprise-wide data security plus the power and flexibility of Forcepoint ONE SSE to keep data safe at all times, even after it is accessed.Comprehensive data security is a critical capability within our Data-first SASE solution, providing the visibility and control organizations need to protect their data and simplify Zero Trust security.”

In two years, humanity's collective data will reach 175 billion terabytes -- the number 175 followed by 21 zeros. This data includes everything that powers business and consumers’ day-to-day lives. It is accessed and used by hybrid workforces on corporate endpoints and personal devices such as phones and tablets to do their jobs. Forcepoint Data Security Everywhere is a direct response to the reality that business productivity depends upon people having the ability to safely and efficiently use data anywhere.

By connecting Forcepoint Enterprise DLP to the Forcepoint ONE Security Service Edge (SSE) platform, customers can extend a new or existing enterprise DLP policy, including its advanced classifiers, data fingerprinting, and enforcement settings, to the web and cloud. A unified security policy from Forcepoint protects sensitive data across all channels, including endpoints, websites, cloud services, networks, email and private apps.Forcepoint’s data-first approach goes far beyond basic data protection that is often built into SASE solutions. By classifying data and organizing it into different groups rather than relying on hardcoded patterns, Forcepoint data security policies can be written once and enforced everywhere to automatically handle new instances and types of sensitive data.This end-to-end enforcement is ideal for organizations with cloud-based applications or distributed workforces.

**Key Benefits of Enforcing Data Security Everywhere**

*   Adds Forcepoint ONE SSE channels to Forcepoint Enterprise DLP, protecting data across any website, cloud application, and web-based private applications. 
*   Applies new or existing DLP policies across CASB, SWG, and ZTNA channels. 
*   Simplifies DLP management by leveraging over 1,600 out-of-the-box classifiers, policies and templates enabling granular enforcement for files.
*   Gives security operations center (SOC) and IT teams complete incident reporting and forensic information from a single management console.

Forcepoint Data Security Everywhere is immediately available direct from Forcepoint and through the company’s global network of channel partners.

**AI-powered Data Visualization with Forcepoint ONE Insights**

Further extending the value-added capabilities of Forcepoint ONE, in late Q2 2023 the company will unveil Forcepoint ONE Insights, formerly code-named Symphony, which provides economic value and advanced security analytics for real-time insights into an organization's security status.

Forcepoint ONE Insights technology, included with all Forcepoint ONE subscriptions, uses machine learning and artificial intelligence to analyze security data from multiple sources, such as network traffic, endpoint devices, and cloud applications. Using the at-a-glance visualization, security teams can identify potential threats more quickly, reducing the risk of data breaches. They can also see in real-time dashboards showing the economic value and ROI of their use of Forcepoint ONE.

**Meet Forcepoint Experts at RSA 2023**

During the week of RSA, April 25-27, the company will provide hands-on opportunities with Forcepoint Data Security Everywhere and Forcepoint ONE Insights at the Forcepoint Experience Center on the fourth floor of the St. Regis San Francisco. Organizations that want to learn more and get demos can request a meeting.

**Additional information**

*   Read the Data Security Everywhere blog \[link\]
*   Read the Forcepoint Insights blog \[link\]
*   Learn about Data-first SASE
*   Learn about Forcepoint ONE, FlexEdge Secure SD-WAN

**About Forcepoint**

Forcepoint simplifies security for global businesses and governments. Forcepoint’s all-in-one, truly cloud-native platform makes it easy to adopt Zero Trust and prevent the theft or loss of sensitive data and intellectual property no matter where people are working. Based in Austin, Texas, Forcepoint creates safe, trusted environments for customers and their employees in more than 150 countries. Engage with Forcepoint on www.forcepoint.com, Twitter, and LinkedIn.

Forcepoint Delivers Data Security Everywhere, Extending DLP Policies From Endpoints to the Cloud

Full packet capture and log monitoring directly on SASE nodes maintains enterprise-grade security, no matter where the data originates.

**SAN FRANCISCO** **— April 24, 2023 —** NetWitness, a globally trusted provider of threat detection and response technology and incident response services, today announced  the launch of direct Secure Access Service Edge (SASE) packet integrations with several market-leading SASE vendors, including Palo Alto Networks (NASDAQ: PANW), Broadcom, a Symantec company (NASDAQ: AVGO), and Netskope. The new integrations enable NetWitness to deliver unparalleled network visibility across the enterprise. The news comes on day one of RSA Conference 2023, where NetWitness will be demonstrating the technology at booth number 5744.

With hybrid/remote work environments becoming ever more common, SASE is the gold standard network technology that enables modern workforces to interact with corporate resources wherever they are - securely.  By performing full packet capture and log monitoring directly on SASE nodes and combining them with all on-prem, cloud, and SaaS sources, NetWitness can maintain enterprise-grade network security, no matter where the data originates. Featuring better security, including encryption and Zero-Trust access, SASE offers major benefits to today’s distributed organizations. 

“I certainly think companies want to be proactive with their network security, but until now it’s been very difficult to do,” said Ken Naumann, CEO of NetWitness. “The landscape has gotten exponentially more complex over the years with hybrid work and third-party cloud providers. Data is now originating from, well, everywhere. Examining those data logs after the fact is like closing the barn door after the horse has already left the stable. You’re losing if you’re not doing it in real time - when it actually matters.”

Network edge security has historically created numerous blind spots for important security technologies that perform threat analysis, detection, and response. Traditional network and security architectures were not designed for the new work environment, where data and traffic come from all over the globe and hundreds, if not thousands, of different devices. This has led to visibility issues for network managers, who have traditionally relied on VPN and proxies to solve the problem. Unfortunately, routing everything to specific points increases difficulty and network costs, and presents a massive scaling issue.

NetWitness’s integrations overcome these issues and restore full visibility to critical SASE data. A SASE architecture converges networking and security functions in the cloud to securely connect users, things, and applications and deliver an exceptional experience, anywhere.  

In 2019, Gartner announced SASE as the future state of network security. Since then, the SASE landscape has evolved quickly, with SASE networking and security components being delivered from a single vendor as a way to create seamless, secure access that extends across on-premises to the cloud.  

For more information, visit www.NetWitness.com or visit booth 5744 at RSA Conference. 

**About NetWitness**

NetWitness provides comprehensive and highly scalable threat detection and response capabilities for organizations around the world. The NetWitness Platform delivers complete visibility combined with applied threat intelligence and user behavior analytics to detect, prioritize, investigate threats, and automate response. This empowers security analysts to be more efficient and stay ahead of business-impacting threats. For more information, visit netwitness.com.

NetWitness Partners With Palo Alto Networks, Broadcom to Launch SASE Packet Integrations at RSA Conference 2023

Ultimately, AI will protect the enterprise, but it's up to the cybersecurity community to protect "good" AI in order to get there, RSA's Rohit Ghai says.

Threat actors armed with artificial intelligence (AI) tools like ChatGPT can pass the bar exam, ace an Advanced Placement biology course, and even create polymorphic malware. It's up to the cybersecurity community to put AI to work to combat it.

RSA CEO Rohit Ghai used the opening keynote of this year's RSAC in San Francisco, Calif. to call on the cybersecurity community to use AI as a tool to work on the side of "good." First, that means putting it to work on solving cybersecurity's "identity crisis," he said.

To demonstrate, Rhai called up onto the screen a ChatGPT avatar, one he called "GoodGPT."

"Calling it 'good' is somehow personally comforting to me," he added. He then asked it basic cybersecurity questions.

While "GoodGPT" spat out a sequence of words culled from a veritable ocean of available cybersecurity data, he went on to explain there are critical cybersecurity applications for AI far beyond simple language learning, and it starts with identity management.

"Without AI, zero trust has zero chance," Ghai said. "Identity is the most attacked part of the attack surface."

It's no big secret the security operations center (SOC) is overwhelmed. In fact, Ghai said the industry average timeframe to identify and remediate an attack is about 277 days. But with AI, it's possible to manage access in the most granular terms, in real time, and at the data level, creating a framework that is truly based on the principle of least privilege.

"We need solutions that ensure identity throughout the user lifecycle," he added.

During this year's RSA, Ghai said there are at least 10 vendors selling AI-powered cybersecurity solutions positioned as a tool that will help human cybersecurity professionals. Ghai characterized the current pitch as AI-as-a-copilot. But that framing belies the reality, he warned.

"The copilot description sugarcoats a truth," Ghai said. "Over time many jobs will disappear."

The role of humans, he explained, will evolve into creating algorithms to ask important questions, along with supervising AI's activities and handling exceptions.

"It's humans who will ask those questions which have never been asked before," he said.

Ultimately, humans and enterprises will have to rely on AI to protect them.

"And the cybersecurity community can protect 'good' AI," Ghai added.

'Good' AI Is the Only Path to True Zero-Trust Architecture

Video explanation of the Jaguar Tooth vulnerabilities with Matt Olney, J.J. Cummings and Hazel Burton.

Tuesday, April 25, 2023 13:04

Cisco and Talos are continuing to track and research a series of ongoing cyber attacks and espionage targeting out-of-date and unpatched network hardware.

In this video, Hazel Burton interviews Matt Olney and J.J. Cummings from Talos to discuss the “Jaguar Tooth” campaign the U.K. government and other global intelligence agencies recently disclosed. J.J. and Matt were at the forefront of Talos’ research into these campaigns and have spent years providing advice to customers and users about the importance of network hygiene and resilience on the perimeter.

Jaguar Tooth is an example of a much broader trend of sophisticated adversaries targeting networking infrastructure to advance espionage objectives or pre-position for future destructive activity.

“What happened in this case, is that we had a series of incidents that we worked...and put some pieces together. What we were seeing multiple threat actors in sustained campaigns going after router infrastructure in a similar way,” Olney says in the video. “They were targeting different devices, but they were most successful in out-of-date hardware and end-of-life software.”

Watch the video above to learn more about Talos’ research into these campaigns, advice on steps to take if you believe you could be the target of one of these attacks, and a broader overview of the importance of network hygiene.

Organizations that fail to update their hardware and software will both be more likely to be a victim of unpatched security vulnerabilities but also will have fewer tools to combat adversaries. Cisco customers can check their version of software to see if any known vulnerabilities exist in it here. You can learn more about Cisco Trustworthy Technologies here. Several related resources, tools, and services can be found at The Trust Center here.

Video: Everything you need to know about ongoing state-sponsored attacks targeting network infrastructure across the globe

The judges appreciated the scale of the problem the startup set out to solve: protecting the integrity of AI systems.

RSA CONFERENCE 2023 – San Francisco – CEO Chris Sestito started his three-minute pitch at Innovation Sandbox on Monday, April 25, with a deepfake video of himself telling the judges not to vote for HiddenLayer, the company he co-founded. Not only did the judges not accede to his request, they crowned the AI security startup as the "Most Innovative Startup 2023" at this year's RSA Conference.

HiddenLayer beat out second-place Pangea and eight other finalists in what host Hugh Thompson called "the most competitive contest yet." One of the judges, Shlomo Kramer, CEO and co-founder of Cato Networks, praised Pangea as addressing the "central category of security" with its block-based application security platform.

But the judges were won over by the importance of securing artificial intelligence (AI). Another judge, Christopher Young, Microsoft's executive vice president, called HiddenLayer's focus area "_the_ problem we're going to face in the next few years."

**What HiddenLayer Digs Up**

That problem is ensuring the health of a company's AI assets.

AI is being used in mission-critical, even life-or-death situations, such as autonomous driving and military analysis. However, AI can only learn from the data it is fed, which means attackers can feed it purposely bad data to get the AI to behave in an unexpected, unwanted manner. And once that training data pool has been poisoned, it's difficult or impossible to scrub — just ask Microsoft, which had to pull the plug on its chatbot Tay when some Twitter users purposely fed it objectionable content.

To guard against insidious techniques, such as data poisoning and adversarial transferability, HiddenLayer relies on AI to protect AI. It employs machine learning (ML) to monitor an ML system's inputs and outputs in order to discern anomalies that suggest adversarial attacks. Sestito called the approach "MLDR" — endpoint detection and response, but for machine learning.

**Judging the Top Competitors**

The competition's judging criteria is as follows: the problem a company sets out to solve, the originality of the solution, the strength of its team, and whether the approach has been validated by the market — that is, is the company making money?

The judges were almost all veterans of the contest: Kramer and Young both served last year, as did Niloofar Razi Howe, senior operating partner at Energy Impact Partners, and Paul Kocher, independent researcher and founder of Cryptography Research. New this year was Barmak Meftah, co-founder and general partner at Ballistic Ventures.

The 10 finalists this year (in reverse alphabetical order): Zama, Valence Security, SafeBase, Relyance AI, Pangea, HiddenLayer, Endor Labs, Dazz, Astrix Security, and AnChain.AI.

Pangea CEO and founder Oliver Friedrichs faced some pointed questions. Kocher flat out asked Friedrichs, "Can your team execute?"

Kocher, who Thompson calls "the Simon Cowell of Innovation Sandbox," asked AnChain.AI CEO and co-founder Victor Fang whether his company's focus on blockchain defense was betting on Web3 succeeding or being an "endless series of disasters."

Endor Labs CEO and co-founder Varun Badhwar earned laughs when he compared the use of open source in enterprise with his surprise twins: in both cases, you have more than you think you do, but at least his twins, unlike open source code, "weren't conceived by strangers on the Internet."

HiddenLayer Nabs Most Innovative Startup Crown at RSAC

Researchers find 250 million artifacts and 65,000 container images exposed in registries and repositories scattered across the Internet.

Many organizations, including some of the world's largest companies, are at heightened risk of compromise and data theft from misconfigured and poorly secured software registries and artifact repositories, a new study has shown.

Research that cloud-security vendor Aqua Security recently conducted uncovered some 250 million software artifacts and more than 65,000 container images lying exposed and Internet-accessible in thousands of registries and repositories. Some 1,400 hosts allowed access to secrets, keys, passwords, and other sensitive data that an attacker could use to mount a supply chain attack, or to poison an enterprise software development environment.

**Wide Registry Exposure**

Aqua discovered 57 registries with critical misconfigurations, including 15 that enabled an attacker to gain admin privileges with just the default password; 2,100 artifact registries offered upload permissions, which potentially gave anonymous users a way to upload malicious code to the registry.

In all, Aqua found nearly 12,800 container image registries that were accessible over the Internet of which 2,839 permitted anonymous user access. On 1,400 hosts, Aqua researchers found at least one sensitive data element such as keys, tokens, and credentials; on 156 hosts the company found private addresses of endpoints such as MongoDB, Redis, and PostgreSQL.

Among the thousands of affected organizations were several Fortune 500 companies. One of them was IBM, which had exposed an internal container registry to the Internet and put sensitive data at risk of access. The company addressed the issue after Aqua's researchers informed it of their discovery. Other notable organizations that had potentially put their data at similar risk included Siemens, Cisco, and Alibaba. In addition, Aqua found software secrets in registries belonging to at least two cybersecurity firms exposed to the Internet. Aqua's data is based on an analysis of container images, Red Hat Quay container registries, JFrog Artifactory, and Sonatype Nexus artifact registries.

"It's critical that organizations of all sizes around the world take a moment to verify that their registries — whether public or private — are secure," advises Assaf Morag, lead threat intelligence and data analyst at Aqua Security. Organizations that have code in public registries or have connected their registries to the Internet and allow anonymous access should ensure their code and registries don't contain secrets, intellectual property, or sensitive information, he says.

"The hosts belonged to thousands of organizations around the world – ranging by industry, size, and geography," Morag notes. "That means the benefits for an attacker could also range."

**Risky Registries & Repositories**

Aqua's research is the latest to highlight the risks to businesses from data in software registries, repositories and artifact management systems. Development teams use software registries to store, manage, and distribute software, libraries, and tools and use repositories for centrally storing and maintaining specific software packages from within the registry. The function of artifact repositories is to help organizations store and manage the artifacts of a software project such as source code, binary files, documentation, and build artifacts. Artifact management systems can also include Docker images and packages from public repositories such as Maven, NPM, and NuGet.

Often, organizations using open source code in their projects — an almost ubiquitous practice at this point —connect their internal registries and artifact management systems to the Internet and allow anonymous access to certain portions of the registry. For instance, a software development team using JFrog Artifactory as an internal repository could configure external access so customers and partners can share its artifacts.

Threat actors seeking to compromise enterprise software development environments have increasingly begun targeting software registries and repositories in recent years. Some of the attacks have involved attempts by threat actors to introduce malicious code into development and build environments directly or via poisoned packages planted on NPM, PyPI, and other widely used public repositories. In other instances, threat actors have targeted these tools to gain access to the sensitive information such as credentials, passwords, and APIs stored in them.

Aqua's research showed that, in many cases, organizations are inadvertently making it easier for attackers to carry out these attacks by mistakenly connecting registries containing sensitive information to the Internet, posting secrets in public repositories, using default passwords for access control, and granting overly excessive privileges to users.

In one instance, Aqua uncovered a bank with an open registry featuring online banking applications. "An attacker could have pulled the container, then modified it and pushed it back," Morag says.

In another instance, Aqua discovered two misconfigured container registries belonging to the development and engineering team of a Fortune 100 technology company. Aqua found the registries to contain so much sensitive information and afford so much access and privileges for doing damage, that the company decided to halt its research and inform the technology company of the issue. In this case, the security snafu resulted from a development engineer opening up the environment while working on an unapproved side project.

Millions of Artifacts, Misconfigured Enterprise Software Registries Are Ripe for Pwning

Getting a handle on the new risks facing AppSec by low-code/no-code development patterns

As low-code and no-code application development platforms gain more currency among business groups seeking speedy workarounds to long development backlogs, concerns about application security loom.

The low-code movement increases software engineering agility by speeding up the work of developers and enabling nontechnical business users to create their own applications and add new features to existing tools without needing to engage the engineering team. Low-code development offers the kind of elegant simplicity that’s irresistible to executives with big digital transformation aspirations.

But that kind of "it just works" opacity sends shudders down the spines of cybersecurity veterans. Any security professional with experience with emerging tech cycles instinctually understands that there be dragons in the waters that lie ahead for low-code/no-code — even if they’ve not yet mapped out exactly what kind of monsters they’re dealing with or where they are just yet.

Michael Bargury, author of the Low-Code/No-Code OWASP Top 10, will explain the exact nature of some of low-code/no-code's biggest security risks at the RSA Conference in San Francisco. Chief among them are patterns of permissioning that could throw many of the investments that organizations have made in role-based access control and identity management right out the window.

**Low-Code's Expected Explosion**

Low-code and no-code technologies provide graphical user interface (GUI) environments that make it possible to design and deploy applications and new features for fast-evolving business use cases without intensive hand-coding. These technologies include low-code application platforms (LCAP), robotic process automation (RPA), and business process automation (BPA), among others. Recent forecasting by Gartner shows that by next year the LCAP market will have doubled its revenue from 2021 and the broader low-code segment will reach nearly $32 billion.

These low-code technologies are being used by development teams to speed up and scale their work, by teams of developers and business stakeholders to improve collaboration on fast-moving digital initiatives, and by a new class of citizen developers who create their own apps without waiting for development resources.

It's that last group that’s fueling the explosion of low-code and no-code platforms and the use of low-code functionality within broader software-as-a-service (SaaS) application ecosystems. Gartner predicts that the overall low-code market will increase by 19.6% in 2023, with the fastest-growing segment being citizen automation development platforms, which are set to increase by over 30%. Analysts with the firm say that developers outside of formal IT departments already make up well over 60% of the low-code user base, and by 2026 citizen developers and other nontraditional application designers are going to make up 80% low-code users.

"Business technologists and citizen technologist personas are developing lightweight solutions to meet business unit needs for enhanced productivity, efficiency, and agility — often as fusion teams," said Jason Wong, distinguished VP analyst for Gartner in a recent low-code forecast by the firm.

**Low-Code's IAM Bombshell**

In the face of all this growth in low-code technology, Bargury is on a mission to warn security executives of the risks it poses to application security and cybersecurity postures in the near- and long-term. One of the biggest risks is the fact that these platforms are rampantly sharing credentials in order to work around strict access controls built by organizations over the years, says Bargury, co-founder and CTO of Zenity, a startup focused on low-code/no-code security.

"Let's say that you already have a SaaS platform and you've built this low-code platform on top of SaaS. Now business users can create their own applications and share those applications with their teams and other employees to use as well. So what would be the number one thing that would stop them from being able to do that in the enterprise?" Bargury says. "The answer is permissions."

As he explains, if a business user wants to create their own app, they need to get permissions granted to that app to give it access to data stores and to get it to integrate with other systems. And to get that, these citizen developers would traditionally need to wait for somebody from IT to grant that. Not only would these app designers probably hear a lot of "nos" from these teams, but just waiting for the provisioning process to run its course would essentially neutralize the whole agility value proposition of using low-code in the first place.

So, to get around this problem, many low-code/no-code platforms allow business users to build applications using their own credentials and identities. When they share those applications to other users for broader use, those credentials are shared by everyone.

"Let's say I work in finance. I build an application, and I implicitly embed my own identity within that application, and now I'm sharing that application with you," Bargury says. "You are using the app and everything works, and it's fine, you have access to data. But the underlying application is actually still using my identity to provide that access. I call this credential-sharing-as-a-service."

And as he puts it, this is a feature that low-code development platforms are proud of and actively marketing because they enable productivity. But obviously from a security perspective it can quickly turn into a nightmare. It could undermine the integrity of role-based access controls, throw off user and entity behavioral analytics, and create huge compliance risks in the future, says Morey Haber, CSO for privileged access management firm BeyondTrust

"Credential-sharing-as-a-service would impact an organization's ability to accurately provide attestation reporting for all identities utilizing the service," Haber says. "Accounts present from a low-code development platform environment would provide an unknown for accurately who has access, including foreign identities."

Chris Hughes, CISO and co-founder of Aquia, says he has a hard time seeing how low-code platforms that handle permissions in this way could possibly be used in secure coding environments.

"They are just not compatible," he says. "In fairness, this is a new risk that is now being exposed for these solutions, and now that this information is public, it needs to be amplified for all organizations to measure the risk and determine if they are violating any laws by using this type of software."

**Yet Another BYOD Scenario**

For his part, Bargury doesn't believe that blocking low-code development is the answer to these risks.

Security professionals who were around during the advent of the iPhone and other consumer-class devices and cloud services will understand that this wave of low-code development will mirror the same challenges they faced in the first days of bring-your-own-device hype. While AppSec pros have to seek ways to effectively manage these risks, there is no way that they're going to do that by stopping the low-code freight train.

"It's like when people started using mobile, and security teams were like, 'Yeah, nobody will ever use mobile with our company data.' We tried to block it, but it didn't work," says Bargury.

Low-code/no-code technology is already more pervasive in the enterprise than many security professionals even realize, he adds

"There are multiple vendors that are pushing this space forward, but some of them are the SaaS vendors, which are building low-code/no-code into their existing offerings," explains Bargury, pointing to vendors like ServiceNow, Salesforce, Microsoft, and many others that have already pushed these features into their enterprise offerings. "This is a crucial point because it means that nobody gets to choose if they will have low-code/no-code or not because it's already there."

Not to mention the fact that business users and executive sponsors love low-code technologies. Low-code platforms are helping them overcome lengthy application feature request backlogs that have plagued their digital transformation efforts for years. The agility and ROI of low-code is something that security practitioners cannot discount. Just like with BYOD, this is a political battle they can't win, Bargury says.

Much of Bargury's talk at RSA Conference will focus on helping AppSec practitioners understand the kinds of security guardrails they can institute around low-code platforms to make them more compatible with broader security and compliance needs of the business.

This includes better vetting of which low-code technologies are in use within the organization, more scrupulous development of policies and configuration around how low-code platforms orchestrate the provisioning of access within the applications they produce, and more robust black-box testing of applications produced by low-code technology.

"I think the worst approach would be to try and block low code because people will just use something else," he says. "The best approach would be to say, 'Here's a few approved platforms. You can do whatever you want in them. There are automated guidelines to help protect you. We got your back. Don't think about security. You are in finance, you are in sales, do your thing.' That's something that we as security practitioners need to be proactive about."

Tag

#cisco