How new CISOs should take on today’s growing threatscape

August 30, 2022

So, you’re a new CISO (or you’ve just hired a new CISO) who has the opportunity to turn around a long-standing tech stack. You’d like to make that legacy stack more resilient, especially as cyberattacks become a bigger distraction every day. Where do you start? 

A good first step is to evaluate your new company’s current tech stack. See where the weaknesses are and how your team’s roadmaps can strengthen them. As a new CISO, chances are you’re going to inherit a legacy tech stack. One of your greatest challenges getting started is going to be securing IT infrastructure in a threatscape that continues to automate faster than defenses are being created. 

Unfortunately, only 40% of enterprises say they are evolving in response to the changing threatscape, with 60% acknowledging they are running behind. It’s also good to keep in mind that cyberattackers are more ingenious and faster than ever in adopting new automation techniques that execute breaches on APIs, deploy ransomware and target software supply chains.

Don’t let the splashy news of high-profile attacks distract you from the business of securing your new company – remember that cybersecurity is a marathon, not a sprint.

Consolidate security vendors 

The first challenge you’ll probably face as a new CISO is consolidating vendors to achieve greater efficacy and improved efficiency. A recent survey by Gartner [subscription required] found that 65% of organizations pursuing or planning to pursue consolidation expect to improve their overall risk posture and resilience. Your consolidation plans should also include improved real-time system integration with threat intelligence that’s contextually accurate. 

Roadblocks new CISOs face in achieving consolidation include the many digital transformation, virtual and hybrid workforce projects that were underway before you arrived. 

Below are suggestions for consolidating security vendors to address the three key cyberthreat areas of ransomware, automated API attacks and software supply chain vulnerabilities.

Threat 1: Ransomware attacks

Ransomware is one of the fastest growing criminal enterprises. CrowdStrike’s 2022 Global Threat Report found that ransomware incidents jumped 82% in just a year. Ransomware-as-a-service (RaaS), combining ransomware and distributed denial of service (DDoS) attack strategies, is an example of how advanced attackers have become. In March, the FBI issued a joint cybersecurity advisory, Indicators of Compromise Associated with AvosLocker Ransomware, explaining how one of the many RaaS groups works.

Ransomware attacks are so pervasive that 91.5% of malware arrives over encrypted connections. In addition, Ivanti’s Ransomware Index Report Q1 2022 found a 7.6% jump in the number of vulnerabilities associated with ransomware compared to the end of 2021. Ivanti’s analysis also found 22 new vulnerabilities tied to ransomware (bringing the total to 310). Nineteen of those are connected to Conti, one of the most prolific ransomware gangs of 2022. 

Ivanti’s Ransomware Index Report Q1 2022 illustrates the breakout of vulnerability by type that comprises the total National Vulnerability Database (NVD). Image source: Ivanti.

So this is a key area for new CISOs to address, quickly. Did you know that cyberattackers’ delivery method of choice is cloud enterprise software? Looking to capitalize on how widely distributed cloud or SaaS-based enterprise software applications are, ransomware attackers rely on advanced encryption techniques to remain stealthy until they’re ready to launch an attack. In addition, ransomware attackers regularly attempt to bribe employees of companies they want to breach. 

To start, it’s a good idea to revisit how effectively your new organization’s identity and access management (IAM) and privileged access management (PAM) systems are secured. Both are targets for cyberattackers who want access to those servers so they can control identities network-wide.

Next, as a new CISO pursuing the goal of consolidating vendors, it’s a good idea to know the ones who can help you reduce overlap in your tech stack. Fortunately, there are providers of ransomware solutions that are doubling down on R&D spending to add more value to their platforms. One example is Absolute, whose Ransomware Response builds on its successful track record of delivering self-healing endpoints by relying on Absolute’s Resilience platform. 

Additionally, CrowdStrike’s Falcon platform is the first in the industry to support AI-based indicators of attack (IOAs), a capability announced at Black Hat 2022 earlier this month. These AI-powered IOAs rely on cloud-native machine learning models trained using telemetry data from the CrowdStrike Security Cloud and expertise from the company’s threat-hunting teams.

FireEye Endpoint Security is another example of a vendor that’s adding value by consolidating more functional areas. FireEye uses multiple protection engines and deployable customer modules to identify and stop ransomware and malware attacks at the endpoint. 

Sophos Intercept X relies on deep-learning AI techniques combined with anti-exploit, anti-ransomware and control technology to predict and identify ransomware attacks. Absolute, Cohesity, Commvault, CrowdStrike, Druva, FireEye, HYCU, Ivanti, McAfee, Rubrik, Sophos and others are doubling their R&D efforts to thwart ransomware attacks that originate at the endpoint while consolidating more features into their platforms.

Threat 2: Automated API attacks 

Cyberattackers are becoming experts at using real-time scan and attack technologies. Malicious API calls rose from a monthly per-customer average of 2.73 million in December 2020 to 21.32 million in December 2021, according to Salt’s State of API Security Q1 2022 Report. In addition, Google Cloud’s The State of API Economy 2021 report shows that the rapid growth of the web and mobile APIs created for new apps is fueling a fast-growing threat surface.

Automation techniques are becoming more commonplace as hackers look to scale API attacks across as many unsecured APIs as possible. Cyberattackers are also looking for APIs with little-to-no defined authentication, including those that don’t have added security for authorizing access requests. As an incoming CISO, conducting an audit of where API security is in your organization is essential. Knowing if and how APIs are being monitored or scanned is key. 
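One way to start the audit described above is to check your own OpenAPI 3 documents for operations that accept unauthenticated requests. The following is an added example, not part of the original article; the sample spec, its paths and its scheme names are constructed for illustration.

```python
# Added example: flag OpenAPI 3 operations that do not enforce authentication.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample spec (hypothetical paths and scheme names).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"oauth": {"type": "oauth2"},
                                       "key": {"type": "apiKey"}}},
    "security": [{"oauth": ["read"]}],  # global default requirement
    "paths": {
        "/orders": {
            "get": {},                            # inherits the global requirement
            "post": {"security": [{"key": []}]},  # overrides with its own requirement
        },
        "/internal/health": {"get": {"security": []}},   # empty list removes auth
        "/partners/export": {"get": {"security": [{"oauth": ["read"]}, {}]}},  # {} = optional
        "/legacy/report": {"get": {"security": [{"basic": []}]}},  # scheme never defined
    },
}

def audit_operations(spec):
    """Return sorted (METHOD, path, reason) for operations lacking enforced auth."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    global_req = spec.get("security")
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as 'parameters' or 'summary'
            # An operation-level 'security' key, even an empty one, overrides the global one.
            reqs = op["security"] if "security" in op else global_req
            if not reqs:
                findings.append((method.upper(), path, "no security requirement"))
            elif any(len(r) == 0 for r in reqs):
                findings.append((method.upper(), path, "authentication optional"))
            elif any(name not in defined for r in reqs for name in r):
                findings.append((method.upper(), path, "references undefined scheme"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_operations(SAMPLE_SPEC):
        print(*finding, sep="  ")
```

This only covers APIs that have a spec; undocumented endpoints still need discovery from gateway or traffic data.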

Google’s research found that employee- and partner-based APIs are also a significant risk. Microservices traffic often uses APIs that aren’t documented or secured. Postman’s 2022 State of the API Report reflects how rapidly API architectural styles are changing, further complicating API security. The Postman study found that REST dominates the developer community, with 89% of survey respondents saying it was their preferred architecture, followed by Webhooks, GraphQL and gRPC. As a new CISO, you’ll need to drive your team to show how current and planned API security can also adapt or flex for rapidly changing supporting architectures. 

VentureBeat asked Sandy Carielli, principal analyst at Forrester, what organizations should look for when evaluating which API security strategy would work best for them. “There are an ever-growing number of API security offerings available – traditional security tools like web application firewalls (WAFs) and static application security testing (SAST) that are extending to address APIs, API gateways, and many specialty API tools,” Carielli said. “We also see tools like service mesh, application shielding and microsegmentation addressing API security use cases. The market has done a bit of consolidation, with some WAF vendors acquiring specialist tools, but it’s still confusing,” she said. 

Carielli advises new CISOs in the process of reviewing their API strategy to “work with the dev team to understand the overall API strategy first. Get API discovery in place. Understand how existing app sec tools are or are not supporting API use cases. You will likely find overlaps and gaps. But it’s important to assess your environment for what you already have in place before running out to buy a bunch of new tools.”

Threat 3: Software supply chain attacks  

Verizon’s latest report shows that third-party supply chain partners are responsible for 62% of system intrusion events. In addition, it’s common knowledge after the recent series of high-profile supply chain attacks that cyberattackers know how to inject malicious code into widely used open-source components.

Criminals routinely target cloud providers, managed service providers, and operations and maintenance companies serving asset-intensive industries. The goal is to infect their software supply chains using compromised open-source components with wide distribution; the Log4j vulnerability showed how far a single widely used component can reach.

VentureBeat asked Janet Worthington, senior analyst at Forrester, what’s holding organizations back from improving software supply chain security. She said, “A lack of transparency into what software organizations are buying, acquiring and deploying is the biggest obstacle in improving the security of the supply chain. The U.S. Executive Order [14028] called attention to our nation’s lack of visibility into the software supply chain and mandated that NTIA, NIST and other government agencies provide guidance for a more secure future. Government agencies, and more and more private sector [organizations], require transparency into the software they purchase during the procurement process and throughout a product’s lifecycle.”

Worthington said that, due to current and new security regulations, “Organizations will need to provide information not only on direct suppliers but also their suppliers’ suppliers, tier-2, tier-3 and tier-n suppliers. In the software world, this means having an inventory of your direct and indirect dependencies for any software you use, create, assemble and package.”

As the new CISO in your organization, you can make a quick positive impact by requiring security teams to create software bills of materials (SBOMs) for products, services and components that contain software, firmware or hardware to gain the visibility and control they need to keep supply chains secure. Worthington advised that an SBOM that “provides a list of the components for a product is the starting point. Don’t wait until you are asked to supply an SBOM to generate one; this will be too late.” 

She continued: “Shift left and include SBOM generation into your software development lifecycle. Software composition analysis [SCA] tools can generate SBOMs, provide visibility into component licenses, find and remediate vulnerable components and block malicious components from entering the SDLC. SCA tools should be run at multiple stages of the lifecycle.” 

“Once you have visibility into the building blocks of your supply chain,” Worthington said, “you begin to understand the security posture of the individual components and take the needed action.”
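The inventory of direct and indirect dependencies discussed above can be read straight from an SBOM's dependency graph. The following is an added example, not part of the original article: it walks a CycloneDX-style JSON document and assigns each component a tier (1 = direct, 2 and up = transitive). The SBOM content and component names are constructed for illustration.

```python
from collections import deque

# Constructed CycloneDX-style SBOM fragment (hypothetical components).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-service",
                               "version": "1.0.0"}},
    "components": [
        {"bom-ref": "a", "name": "web-framework", "version": "2.1.0"},
        {"bom-ref": "b", "name": "json-parser", "version": "0.9.4"},
        {"bom-ref": "c", "name": "logging-lib", "version": "3.3.1"},
        {"bom-ref": "d", "name": "string-utils", "version": "1.2.0"},
        {"bom-ref": "e", "name": "vendored-blob", "version": "0.0.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["a", "c"]},
        {"ref": "a", "dependsOn": ["b", "c"]},
        {"ref": "b", "dependsOn": ["d"]},
        {"ref": "d", "dependsOn": ["b"]},  # cycle, must not loop forever
    ],
}

def dependency_tiers(sbom):
    """Map 'name@version' to its tier (1 = direct); None = not reachable from the root."""
    labels = {c["bom-ref"]: f'{c["name"]}@{c["version"]}'
              for c in sbom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth = {root: 0}
    queue = deque([root])
    while queue:  # breadth-first search gives the shortest path, i.e. the lowest tier
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depth:
                depth[child] = depth[ref] + 1
                queue.append(child)
    return {label: depth.get(ref) for ref, label in labels.items()}

if __name__ == "__main__":
    for label, tier in dependency_tiers(SAMPLE_SBOM).items():
        print(f"{label}: {'unlinked' if tier is None else 'tier ' + str(tier)}")
```

A component with tier `None` is listed in the SBOM but missing from the dependency graph, which is itself a visibility gap worth chasing with the team that generated the file.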

A suggested sequence for designing in resilience 

Ransomware, malicious API calls and software supply chain attacks reflect how real-time the threatscape is becoming. As you know, legacy tech stacks can’t keep up, and that’s especially the case in API and supply chain security. One of the most urgent tasks you have as a new CISO is to build ransomware, API and supply chain attack playbooks if they’re not already in place. 

Of the three threats, unprotected APIs present a significant threat to software supply chains. Defining an API security strategy that integrates directly into DevOps workflows and treats the continuous integration and continuous delivery (CI/CD) process as a unique threat surface is one priority that you need to deal with in the first 90 days of your role.

Finally, as a new CISO, you will want API detection and response, remediation policies, risk assessments and API-usage monitoring as essential tools for re-architecting your tech stack.
