Interviews | December 29, 2023

Generative AI Can Heighten Malicious Insider Risks


Adaptive Shield | Akamai | Sonar | Varonis

Maor Bin
CEO and Co-Founder

Adaptive Shield

Q1. What are some of the biggest challenges organizations face in using SSPM data to mitigate cyber risk in a measurable way? What is Adaptive Shield's approach in helping overcome this challenge?

The biggest challenge organizations face in mitigating cyber risk from SaaS apps is acquiring data from these apps, owners, users, and devices, and then analyzing it in a way to categorize risk and determine their security posture.

The Adaptive Shield SSPM platform enables a holistic, centralized view of security and potential threats on organizations’ SaaS stacks, by automatically monitoring a broad pool of data on the state of app security configurations and identifying potential risks.

Information is categorized by the level of risk severity and includes a prioritized mapping of risks for automated remediation or instructions for the security team to guide the app owners. These insights also enable mapping for industry standards and frameworks.

Over the past year, we have also enhanced Adaptive Shield’s ability to collect and analyze data indicative of a compromise. Identity fabric continues to protect SaaS applications even in the event of a breach or insider attack.

Those could include things like a user gaining access from an IP address that had a large number of failed access attempts before the successful login or a user uncharacteristically accessing a SaaS app in the middle of the night. Any threats that are detected appear in the Threat Center, together with a severity level to aid in prioritization with enough data for the incident response team to conduct a thorough investigation.

Q2. What advice would you give to CEOs of organizations that are considering implementing an SSPM platform? Where and how do they begin, especially in organizations that might be using a large number of SaaS apps?

As the number of apps in organizations grows exponentially, the SaaS stack is a highly vulnerable attack surface by threat actors into an organization’s data.

While SaaS vendors keep improving security controls, the complexity of applications and their settings exposes enterprises to misconfigurations and mistakes. SaaS app admins are not security people but hold the keys. For security teams, it’s hard to protect what you are not aware of.

An SSPM comes in to close the widening security gap in the SaaS stack, allowing organizations to invest in an efficient monitoring system focused on real risks.

But keep in mind that an SSPM is not just another cyber security platform. The organization needs to be prepared to accept a new security paradigm that involves higher collaboration and commitment across teams.

Before developing a SaaS security program, you should map your landscape and understand your unique security requirements. This helps create the foundation for your security plan. In addition, identify the regulatory and compliance requirements that impact your business.

To launch an SSPM program, security teams should begin by integrating a few critical apps into the system. Adaptive Shield makes it easy by supporting 150 SaaS apps out of the box.

As a first step, appoint one single owner from the security team who will be responsible for the program coordination and identifying stakeholders. Next, define applications for a pilot. Choose some of your most critical applications that significantly impact your business from different departments, for example, Sales, Marketing, Legal, Finance, and R&D. This way you can exercise collaboration between the app owners and the security functions. A pilot should be conducted over approximately three months.

Finally, define short-term goals: to get some quick wins and start improving your posture, look for high-risk failed security checks that impact a small number of employees.

Q3. What was Adaptive Shield's main focus at Black Hat Europe 2023? What were customers and organizations at the event most interested in hearing about from your company?

At Black Hat 2023 we had an opportunity to continue educating the market on emerging security threats around SaaS apps and how to manage them efficiently and effectively with the SSPM.

Customers and prospects we spoke with at the event are concerned about threat actors' increasing sophistication. They are worried that this will lead to more data leakage and data theft. The high volume of apps and settings, and the need for security teams to understand different settings in hundreds of apps, is leading to more human error in configurations, which exposes the data even more.

Beyond proactive tools to monitor and ensure the security of SaaS applications, our customers were very interested in hearing about new technology that can detect suspicious activity, especially around identity and insider threats, and to head off data breach attempts. Our new ITDR capabilities add this critical layer of identity fabric protection for an SSPM solution for complete coverage. It enables users to detect suspicious patterns like mass downloading or deletions, or when there is any indication of compromise within the stack.
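The detection signals described in the answers above (a successful login from an IP address with many recent failed attempts, a user active at an uncharacteristic hour, and mass downloads or deletions) as an added example in Python. This is not Adaptive Shield's code; the audit-log events, the per-user working-hour baseline and the thresholds are constructed for illustration.

```python
from datetime import datetime, timedelta
from collections import defaultdict

FAIL_THRESHOLD = 5      # failed logins from one IP before a success is suspicious
FAIL_WINDOW = timedelta(minutes=30)
BULK_THRESHOLD = 20     # downloads/deletes by one user within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=10)
# Constructed baseline of each user's normal working hours (UTC, start <= h < end).
BASELINE_HOURS = {"alice": (8, 18), "bob": (9, 17)}

def _ev(ts, user, ip, action, result="ok"):
    return {"ts": ts, "user": user, "ip": ip, "action": action, "result": result}

# Constructed SaaS audit-log events in chronological order (not real data).
EVENTS = (
    [_ev("2023-12-01T02:15:00", "bob", "198.51.100.4", "view")]
    + [_ev(f"2023-12-01T09:{m:02d}:00", "alice", "203.0.113.9", "login", "fail") for m in range(5)]
    + [_ev("2023-12-01T09:06:00", "alice", "203.0.113.9", "login")]
    + [_ev(f"2023-12-01T10:{i // 3:02d}:{(i % 3) * 20:02d}", "bob", "198.51.100.4", "download")
       for i in range(20)]
)

def detect(events):
    """Return (rule, user, detail, count) tuples for the three suspicious patterns."""
    alerts = []
    fails_by_ip = defaultdict(list)    # ip -> timestamps of recent failed logins
    bulk_by_user = defaultdict(list)   # user -> timestamps of recent downloads/deletes
    for ev in events:
        t = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "login":
            recent = [f for f in fails_by_ip[ev["ip"]] if t - f <= FAIL_WINDOW]
            fails_by_ip[ev["ip"]] = recent
            if ev["result"] == "fail":
                recent.append(t)
            elif len(recent) >= FAIL_THRESHOLD:
                # Success right after a burst of failures from the same IP
                alerts.append(("login_after_failures", ev["user"], ev["ip"], len(recent)))
        if ev["result"] == "ok":
            lo, hi = BASELINE_HOURS.get(ev["user"], (0, 24))
            if not lo <= t.hour < hi:
                alerts.append(("off_hours_access", ev["user"], ev["action"], t.hour))
        if ev["action"] in ("download", "delete") and ev["result"] == "ok":
            recent = [x for x in bulk_by_user[ev["user"]] if t - x <= BULK_WINDOW]
            recent.append(t)
            bulk_by_user[ev["user"]] = recent
            if len(recent) == BULK_THRESHOLD:   # alert once when the threshold is crossed
                alerts.append(("bulk_activity", ev["user"], ev["action"], len(recent)))
    return alerts
```

Each alert carries the user, the IP or action, and the count so an incident responder has the context to start an investigation.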


Natalie Billingham
SVP Sales EMEA

Akamai

Q1. What kind of security challenges does the growing adoption of distributed cloud services and edge computing pose for organizations? How is Akamai positioned to help organizations address these challenges?

The cloud gives an opportunity to create large amounts of infrastructure quickly and easily - leaving it exposed to the possibility of substandard security configurations being applied to it. Because of the ease of use of cloud services, customers might become negligent in terms of their security. Common lapses of vulnerability can also cause security issues, such as company employees leaving remote desktop protocols open to the internet. Users can run the Remote Desktop Protocol client on their laptops at home to take over their desktops in the office. The protocol is often left untouched by IT teams, which exposes organizations to attacks and, ultimately, credential abuse.

As organizations take more services from the hyperscalers, leveraging the different benefits they each can offer, a larger problem is presented: that of creating a unified security policy across all assets. Having a cloud-agnostic platform that spans all on-prem and cloud services allows companies to reduce complexity in their security platforms without compromise.

Q2. What do you perceive as the biggest requirements for preventing credential misuse, reuse and sprawl in environments that span on-premises, hybrid and distributed cloud environments?

Cloud has allowed the rapid growth of massive amounts of new servers to be used for development and production, which greatly helps in reducing time to market for new products and apps. Conversely, security and, frequently, credential oversight are omitted from the planning process. This leads to far too many “admin” accounts with common passwords, as they are easy to quickly deploy, leading to duplicate accounts scattered across your network—guess one and you can guess many. Far too often admin accounts are used excessively, and the age-old concept of “least privilege” is left by the wayside. Effective IAM and PAM are needed to ensure that organizations do not leave themselves open to abuse due to account credentials like Administrator & Password123.

Q3. What were some of the biggest takeaways for Akamai from its participation at Black Hat Europe 2023? What were some of the top-of-mind issues/concerns for customers and attendees at the event?

We were particularly struck by Joe Sullivan's address on the current digital transformation era and the challenges posed by a regulatory landscape driven by enforcement. His call for a personalized Incident Response Plan resonated deeply, prompting us to think carefully about the necessity to customize our approaches to the unique challenges that each organization faces.

There were a number of other talks that generated some great buzz and really addressed some of the most important and top-of-mind issues for attendees. These provided fascinating insights around new vulnerabilities and injection techniques. Examples of this include a presentation on a set of vulnerabilities in UEFI that allowed researchers to execute code before the loading of the operating system, which is a very powerful capability for an adversary, and a talk on a new set of code injection techniques on Windows that abuse the "Thread Pool" Windows feature, none of which were detected by any EDRs. It was a great event with a lot of truly insightful material shared.


Thomas Chauchefoin
Vulnerability Researcher

Sonar

Q1. How would you describe the vulnerabilities that you most frequently encounter these days compared to the type of vulnerabilities you used to discover a few years ago? What, if anything, does it reveal about the state of software security?

As part of our vulnerability research efforts, the Sonar R&D team looks for only critical vulnerabilities in open-source software, so we don't have insights on the full OWASP Top 10. We've still noticed that the most important projects have a much better security posture and most of them are now scanned by SAST tools and are subject to more scrutiny.

However, we still found many exploitable bugs in the interface between the software and its dependencies. Such third-party components are usually ignored by tools and even security auditors who think about them as black boxes! As a result, we developed deeper SAST for Sonar, which follows code flows across dependencies, yielding many new vulnerabilities.

These are not new classes of code vulnerabilities, but only the usual suspects: SQL Injections, Command Injections, etc. Only this time, they are often hidden deep enough to evade the eyes of security-conscious developers. While these still creep up, the fact that we are now able to (and have to!) catch bugs and issues more deeply in software today reflects how most companies are now able to systematically detect and address unsafe code patterns to make their software more robust.

Q2. What has been the biggest impact of practices such as DevOps and DevSecOps on the software vulnerability landscape in recent years? How might attacks on code repositories and software supply chains be complicating secure software development practices?

One of the biggest impacts of “shift left” practices has been the ability to identify and fix defects as early as possible in the development process. While we’ve benefitted from “shift left” for quite some time now, we’re seeing the tools we use broadening their focus to include the right side of the deployment lifecycle. We are still performing the development and testing up-front to improve software quality, but we’re also seeing this “shift right” where tools like SonarLint in the IDE and SonarQube and SonarCloud in the CI/CD pipeline help identify issues that won’t actually manifest until the software is deployed in staging or production. With this, teams are increasing the speed of software development and further reducing the risks of software failures.

As AI-powered coding assistance gains popularity, it's mission critical that organizations take a hard look at how their code is developed and ensure that at all phases their software is secure. Discovering security issues as early as possible is what “shift left” is all about, and protecting yourself against issues that won’t eventuate until later in the deployment lifecycle is what is being referred to here as “shift right”. All of this, looking at the left and the right, supports Clean Code — code that is consistent, intentional, adaptable, and responsible, leading to software that is secure, reliable, and maintainable.

Clean Code isn’t just about measuring code quality as a way to increase the ease of working with code in the future; the security part is big there in detecting bugs, code smells, and vulnerabilities before they get into production. This is the ultimate in shift-left approaches, but it’s not just about the code we write, it’s about what happens to that code next.

Q3. What were some of Sonar's goals and objectives at Black Hat Europe 2023?

At Black Hat Europe this year, we were able to engage in dynamic talks and demos about how security is deeply rooted in software code and how important it is for organizations to focus on their codebase health for secure software delivery. Black Hat Europe allowed us to spread awareness of the Sonar brand and solution while educating the security community on the value of “Clean as You Code.”

Ultimately, we left excited and motivated about the future of software development and cybersecurity, especially amid the AI hype and increased adoption of generative AI tools for code assistance. We can expect that productivity will improve and development cycles will become faster, but the approach to AI-generated code must be ‘trust but verify’. AI models are only as good as the data on which they are trained. This means that this code can contain bugs and security issues, just as human-written code can. It’ll be important that code still be reviewed against Clean Code best practices.


Matt Lock
Director of Sales Engineering

Varonis

Q1. What new data security challenges are generative AI technologies posing to enterprise organizations? What should they be doing to stay ahead of the threat?

Businesses want to introduce AI to realize productivity gains, but CISOs are pumping the brakes on generative AI rollouts. They're concerned about data security. Generative AI tools are designed to surface information based on every piece of data an employee can access. In many companies, that means thousands or even millions of files in SaaS apps, emails, cloud infrastructure, databases, and on-prem storage. And many of those files contain sensitive information about the company or employees.

Generative AI makes the job of a malicious insider easier than ever before. A corrupt insider could easily leverage AI tools to zero in on a company's business or financial plans, and most organizations would not have a clue they've been compromised. Organizations rolling out AI tools on their websites and customer portals are also at risk. Imagine your employee PII or PHI data appearing in a search query made by someone outside the company — if the proper controls are not in place, data can be exposed to not only employees but outsiders as well.

To avoid the potential pitfalls of generative AI, enterprises must ensure they have a handle on data security posture — and this means knowing what data you have and what is sensitive, ensuring only the right people can access that data, and detecting when abnormal behavior or access occurs.

Q2. How can DSPM platforms help organizations quantify their data risk exposure in an actionable manner? What are your recommendations for organizations on how best to use DSPM platforms for risk quantification and management?

Data security posture management provides visibility into your data, its location across SaaS apps, IaaS, hybrid NAS devices, databases, on-prem and hybrid environments, who has access, and how it's used. DSPMs enable organizations to understand and limit their blast radius — all the potential damage an attacker can do if they compromise your environment — and show you everything that is happening with your data.

Data security posture management is gaining in popularity, and understandably so. Every breach is about one thing and one thing only: data. But it's not enough to know where information is exposed and at risk — you must be able to use automation to lock down your data and keep it secured over time.

Q3. What were some of the top-of-mind security issues for customers and other organizations that Varonis interacted with at Black Hat Europe 2023? Were there any common themes or trends that you observed at the event?

A couple of topics were regularly discussed. First is the loss of control over who has access to data, sites, objects, etc. Collaboration tools, such as Teams and Salesforce, have allowed businesses to share data with one another and no longer require IT's involvement to set up that access. While this has sped up the time it takes to provision access for employees, it means IT and security are left in the dark when it comes to understanding the over-exposure of sensitive assets. Businesses want to control high-risk sharing links that provide access to everyone within the whole organization, and prevent the wrong individuals from accessing data they don't need to do their jobs.

Second, with the explosion of SaaS, IaaS, and PaaS services, IT and security are struggling to understand how to measure and control their risks across the cloud. New platforms mean new technology to learn — and most IT organizations cannot keep up. Understanding misconfigurations, whether accidental or malicious, and remediating them was a top-of-mind conversation during the show.
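The blast-radius idea from the DSPM answer above and the org-wide sharing links from the last answer, as an added Python example that is not Varonis's code. The file inventory with sensitivity labels, the groups, the grants and the `link:org` marker for an organisation-wide sharing link are all constructed assumptions; a real DSPM would learn them from the SaaS, IaaS and on-prem stores themselves.

```python
# Constructed inventory: file -> (store, sensitivity label). Not real data.
FILES = {
    "sharepoint:/Finance/q4-plan.xlsx": ("SaaS", "confidential"),
    "s3://corp-data/hr/payroll.csv": ("IaaS", "pii"),
    "nas:/eng/design.md": ("on-prem", "internal"),
    "sharepoint:/Marketing/brochure.pdf": ("SaaS", "public"),
}
# Constructed access model: group memberships and per-file grants. A grant
# may name a user, a group, or "link:org", an organisation-wide sharing link.
GROUPS = {"finance": {"alice"}, "all-staff": {"alice", "bob", "carol"}}
GRANTS = {
    "sharepoint:/Finance/q4-plan.xlsx": {"finance", "link:org"},
    "s3://corp-data/hr/payroll.csv": {"bob"},
    "nas:/eng/design.md": {"all-staff"},
    "sharepoint:/Marketing/brochure.pdf": {"link:org"},
}
SENSITIVE = {"confidential", "pii"}

def principals_for(user):
    """Every identity a grant can match for this user: the user, their groups,
    and the org-wide link that any employee can follow."""
    return {user, "link:org"} | {g for g, members in GROUPS.items() if user in members}

def blast_radius(user):
    """Files this user (or anything running as them, an AI assistant included)
    could reach: the damage a compromised or malicious insider could do."""
    mine = principals_for(user)
    return {f for f, who in GRANTS.items() if who & mine}

def sensitive_blast_radius(user):
    return {f for f in blast_radius(user) if FILES[f][1] in SENSITIVE}

def org_wide_sensitive_links():
    """Sensitive files exposed to the whole organisation through a sharing link."""
    return {f for f, who in GRANTS.items() if "link:org" in who and FILES[f][1] in SENSITIVE}

def exposure_report():
    """Per-user count of reachable sensitive files, for prioritising remediation."""
    users = {u for members in GROUPS.values() for u in members}
    return {u: len(sensitive_blast_radius(u)) for u in sorted(users)}

def remove_org_link(path):
    """Least-privilege fix: drop the org-wide link and keep only explicit grants."""
    GRANTS[path].discard("link:org")
    return GRANTS[path]
```

Running `exposure_report()` before and after `remove_org_link(...)` shows how one removed sharing link shrinks the blast radius of every user who only reached the file through it.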
