The Gately Report: Cybersecurity Big Part of VMware Multicloud Strategy, First CCPA Fine, Rising Cyber Insurance Costs
ISC2 is taking aim at the global cybersecurity workforce gap.
![Strategy compass](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltfea08f594f5f2736/652419ded319c632ec40ac74/1-Strategy.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Channel Futures: How can VMware with Nvidia and Dell Technologies enable zero-trust security?
VMware’s Chad Skipper: They own the silicon and the platform. So we’re working with Nvidia and Dell to be able to expand that infrastructure so that we can build upon it from a services standpoint. So think of workloads, think of virtual desktop environment, think of the Tanzu service mesh that we have. And then from there, enabling those multicloud tendencies around the workloads and VDIs, and then performing the security layer on top of that.
CF: Are there increasing opportunities for VMware partners when it comes to security? And if so, can you give some examples?
VMware’s Ambika Kapur: For us, it’s important to work with a large partner network. Security, even though we make it really easy, is still a consultative sell. Customers are trying to piece together a larger environment for themselves. So partner services run anywhere from just consulting on what they should be deploying to getting them up and running with those services. And some of our customers even need help for those services to be managed for them. So it really depends. Customers don’t come in one size. People have different needs. They’ve adopted different models for themselves. So VMware has a pretty vast partner network to help with all of those, depending on where our customers kind of fall into that.
Skipper: And I would say that our partners are looking at us to be that security trusted advisor. So they’re looking at us to come in and help them with their services that they are building for their customers and augment that with our solutions. At the same time, bringing those solutions with a security trusted advisory relationship so that we can not just enable the partner, but the customer from a security mindset perspective.
CF: What’s your take on the current threat landscape? And how is VMware addressing and helping with that?
Kapur: It … used to be that when you thought about security, you thought about it going into places. It was I put it at the perimeter, so that’s where your next-generation firewalls went, and then protect the endpoints, whether it’s devices that individuals are using or the workloads that live in the data center. But if you look at what’s been happening on the threat landscape recently, you’re seeing a lot of threat actors using techniques that get them past the perimeter defenses and the endpoint defenses, and getting into the networks. And what’s even scarier is that you’re increasingly seeing threat actors not just getting in — breaking in, and stealing something and leaving — but breaking in and staying within your networks. If you look at some of the recent attacks, especially something like log4j, a very sophisticated vulnerability, we speak to a lot of customers, and I’ve yet to meet a customer who says that their network was immune from it. But at the same time, what is the big thing that happened with log4j? What movie script got stolen? What 250-gig credit cards got removed from somewhere and exfiltrated? The point is, we don’t know.
And so we feel like what these threat actors are doing is they’re getting into networks, staying there and probably will launch an attack when they figure out what they want to do. So against this landscape, it’s becoming increasingly important to move beyond just the perimeter and the endpoints, but actually start to secure all that stuff that is in the middle. And to do that, you really have to build an end-to-end view. So you’ve got to understand what the user’s behavior is, the device that they’re using, the network they’re traversing, the application they are accessing, and the data that they interacted with. And we feel as VMware, we have a unique advantage because of where we sit in the infrastructure to be able to do that really well. So a big focus for us is … we feel lateral security is the new battleground. Finding these threat actors that, in a zero-trust world, you have to believe they’re already within your network, and getting them out there or stopping them from wreaking havoc before they actually do something within their network. And we do this both for traditional applications that are VMware-based, but also modern applications that are containers, Kubernetes-based.
CF: How are threat actors exploiting remote desktop protocol (RDP)?
Skipper: Every organization that I know of uses RDP. Threat actors are using it the same way as network administrators: they’re using it just to log in remotely to another machine. Then they’re using things like Samba service to laterally move malware, remote-access trojans, onto a database server, as an example. They don’t immediately ransom that. What they’ll end up doing is using obfuscated command and control channels over DNS because everybody uses DNS, it’s such a great tunneling protocol outside of the network. They’ll exfiltrate that data outside of the network. Then they will ransom that device database. And this is what we call a double extortion. So now I’ve got your data exfiltrated out. I can sell that out on the dark web to third parties plus ransom your endpoint. So there’s RDP being a way that people move laterally as well as Samba service, but also the third one we’re seeing is “pass the hash.” So once a threat actor is actually getting onto the box, they’re using remote access trojans and they’re able to steal credentials. Then they use those credentials as a pass-the-hash technique over Kerberos to actually log into that system. So my point is with all of that threat activity out there, you have to have the visibility into every packet and process within your multicloud in order to take those anomalies to determine if they’re [a security risk].
CF: What are your partners’ biggest security pain points and how is VMware helping them?
Skipper: So it really depends on the vertical. If we take a look at the financial [sector]… the biggest thing that they’re concerned about is what they call Kronos attacks. So threat actors are actually able to infiltrate into the banking environment, and they’re laying in wait and they’re stealing data. And they’re changing time stamps to manipulate the market. A threat actor coming into a financial system, looking at all that data, knowing their pre-financial reports and possibly going off and shorting the market. And that’s exactly what the financial industry is looking at VMware to do, especially in the application world or multiple apps, give them visibility into those threat actors in order to stop those types of things.
In the hospital-medical aspect, their concern is about ransomware. They have lots of systems within their organization, within the hospital, and the last thing that they need is the entire thing being ransomed. That’s going to impact life support systems. That’s going to impact not just elective surgeries, but critical surgeries when your systems are completely under attack. And then secondly, they’re also concerned about the exfiltration of personally identifiable information (PII). So those are just two examples from those big verticals that we’re seeing.
Kapur: And what are partners trying to do? They’re trying to build solutions, look across vendors, build solutions and solve real problems for their customers. Eventually as they see these things happening with their customers in different verticals, they turn to folks like us to give them these cutting-edge solutions to build out the portfolio that they can then offer customers. So that’s where we come in. And as we deliver more of these unique services, we’re just finding that we are becoming more present in the total set of capabilities that they’re able to offer their customers.
CF: How are things like the war in Ukraine and economic uncertainty impacting customers and partners’ cybersecurity needs?
Kapur: The geopolitical environment has everybody on guard. We have customers that have massive amounts of intellectual property. We have customers that are sensitive in different ways. So everyone is … on high alert. And it goes back to the kind of attacks that I was talking about. When attackers are getting into your network, you don’t even know they’re there. You don’t know what they’re going to do or when they’re going to do it. So there’s definitely that level of awareness and people are concerned in this environment. Even attacks on physical infrastructure in countries and other things that have already taken place. So there is that heightened attention there. And then we also have situations where customers might have been deployed in environments where it became riskier for them to have operations, and they’ve had to move their operations very quickly out of that, and they’ve turned to us to help them do it. So there is that heightened awareness for sure right now.
Skipper: We just recently had another report come out, the Global Incident Response Threat Report. It was a survey of industry professionals from the security perspective. They have seen heightened attack vectors since January. We also have seen the resurrection of Emotet, which is a botnet. So that has been resurrected and it has been used against the West. And one of those areas is HermeticWiper. We saw that come out in the late January-February time frame. That came from the Ukraine. And that HermeticWiper was specifically meant to wipe everything. They didn’t want a ransom. They just wanted to take it off. We’ve seen an increase of unknown vulnerabilities in zero days in 2021 alone. If you take a look as an example, last Christmas it was log4j. That’s the skeleton key across network. We don’t know anybody that has not been impacted by log4j. So all of those combined, we are absolutely seeing an increase in adversary activities. And as an example, since January alone, VMware Contexa is telling us that we’ve seen over 75 million exploit attempts against log4j, by far the highest that we’ve seen across any other attack vector.
CF: When it comes to security, what can partners and customers expect from VMware in the months ahead into 2023?
Kapur: I think it goes back to the philosophy of where we want to engage when it comes to security. We’re not just trying to build a better mousetrap for technologies that exist there. What we’re really trying to do is take the unique architectures we have to solve for gaps that exist in the industry. So I started out by saying security has gone into places it needs to go to protect everything in the middle, the lateral movement and the lateral security. So that’s the kind of thing we’re doing. We’re taking our ability to provide differentiated assets in places where we can differentiate and close those gaps. So I think as you look forward, it’s really expecting more of the same, meaning we’ll continue to make advances there. One of the tech previews that we are announcing is not only can we look at connections and see what conversation is taking place on it, we’re now building and bringing in things like business logic, and API sequencing to say, if typically a transaction takes place for … a shopping app where somebody comes in, they buy something, they put it in the cart, they place the order and then they pay for it, if we don’t see that exact sequence being followed, we’ll be able to flag that. So it’s just advances in that because security is not something that’s static. You don’t build a solution once and then say, “OK, I’ve got a solution forever.” It’s a cat-and-mouse game. The attackers know what kind of prevention capabilities you have. They keep evolving their attack techniques and you’ve got to keep responding to that or even stay ahead of the game, not just be reactive, but start to anticipate the kind of things they might do. So in the areas we play, especially areas like lateral security and endpoint protection, you’re going to see us continue to advance some of these vectors.
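The RDP-to-SMB-to-DNS chain Skipper describes earlier in the interview ends with command-and-control and exfiltration tunnelled over DNS, precisely because almost every network lets DNS out. What follows is an added example, not VMware’s code or any product mentioned on this page, of the kind of visibility check a defender can run over resolver logs: each query is scored on subdomain length, Shannon entropy of the subdomain labels and the record type, and a registrable domain is flagged when it receives several distinct high-scoring subdomains. The log format, the domain names, the client addresses and the thresholds are all constructed assumptions for this illustration, and the “last two labels” rule for the registrable domain is a simplification; production code should consult the Public Suffix List.

```python
"""Score DNS queries for signs of a covert tunnel (C2 or exfiltration).

Added example, not VMware code. Log format, names and thresholds are
constructed assumptions for this illustration.
"""
import math
from collections import defaultdict

# Constructed resolver log, one query per line:
# "<timestamp> <client_ip> <qtype> <qname>". 10.0.0.7 plays the
# hypothetical tunnelling host; the hex labels are made-up payload chunks.
SAMPLE_LOG = """\
2022-09-01T10:00:01Z 10.0.0.5 A www.example.com
2022-09-01T10:00:02Z 10.0.0.5 A mail.example.com
2022-09-01T10:00:03Z 10.0.0.7 TXT 4a6f686e2d446f652d43726564.v1.tunnel-host.test
2022-09-01T10:00:04Z 10.0.0.7 TXT 7b2275736572223a22616c69.v1.tunnel-host.test
2022-09-01T10:00:05Z 10.0.0.7 TXT 6365222c2268617368223a2239.v1.tunnel-host.test
2022-09-01T10:00:06Z 10.0.0.7 TXT 3938663630633339343833.v1.tunnel-host.test
2022-09-01T10:00:07Z 10.0.0.9 A cdn.example.com
"""

SUSPICIOUS_QTYPES = {"TXT", "NULL"}  # record types tunnels favour for payload room
LONG_SUBDOMAIN = 20                  # chars of subdomain ahead of the registrable domain
HIGH_ENTROPY = 3.0                   # bits/char; encoded data sits well above hostnames
MIN_UNIQUE_SUBDOMAINS = 3            # a tunnel must vary labels to carry data


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registrable_domain, subdomain).

    Assumption: the registrable domain is the last two labels. Real code
    must use the Public Suffix List (co.uk etc. break this rule).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_query(qtype: str, subdomain: str) -> int:
    """0..3: one point each for a long, high-entropy, or TXT/NULL query."""
    score = 0
    if len(subdomain) >= LONG_SUBDOMAIN:
        score += 1
    if shannon_entropy(subdomain) >= HIGH_ENTROPY:
        score += 1
    if qtype.upper() in SUSPICIOUS_QTYPES:
        score += 1
    return score


def parse_log(text: str):
    """Yield (timestamp, client, qtype, qname); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield tuple(parts)


def analyze(text: str) -> dict:
    """Aggregate per registrable domain: query count, distinct subdomains,
    querying clients and the highest single-query score seen."""
    per_domain = {}
    for _ts, client, qtype, qname in parse_log(text):
        domain, sub = split_name(qname)
        entry = per_domain.setdefault(
            domain, {"queries": 0, "subdomains": set(), "clients": set(), "max_score": 0})
        entry["queries"] += 1
        entry["subdomains"].add(sub)
        entry["clients"].add(client)
        entry["max_score"] = max(entry["max_score"], score_query(qtype, sub))
    return per_domain


def flagged_domains(text: str) -> set:
    """Domains whose best query scores >= 2 and that saw enough distinct
    subdomains to be carrying data rather than a one-off odd lookup."""
    return {
        domain for domain, e in analyze(text).items()
        if e["max_score"] >= 2 and len(e["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for domain in flagged_domains(SAMPLE_LOG):
        e = report[domain]
        print(f"possible DNS tunnel: {domain} "
              f"({len(e['subdomains'])} distinct subdomains from {sorted(e['clients'])})")
```

Expect false positives from CDNs, anti-malware reputation lookups and some email security products, which also emit long, high-entropy labels; in practice the scoring is paired with an allowlist and a per-client baseline, and a real tunnel additionally shows up in query volume and in unusually large responses, which this example does not measure.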
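The business-logic and API-sequencing check Kapur previews above (browse, add to cart, place order, pay, and flag anything that deviates) can be modelled as a per-session state machine in which each request is permitted only from certain prior states. The block below is an added example, not VMware’s code or the tech preview itself; the endpoints, the session identifiers, the allowed transitions and the sample requests are assumptions for a toy shopping flow.

```python
"""Flag API sessions that break the expected checkout sequence.

Added example, not VMware code. The flow and endpoints are assumptions
for a toy shopping app: browse -> add to cart -> place order -> pay.
"""
from collections import defaultdict

# Allowed transitions: last accepted step (START = None before the first
# request) -> set of steps permitted next. Browsing again is always fine;
# paying is valid only directly after an order was placed.
START = None
ALLOWED_NEXT = {
    START: {"GET /products"},
    "GET /products": {"GET /products", "POST /cart"},
    "POST /cart": {"GET /products", "POST /cart", "POST /orders"},
    "POST /orders": {"POST /payments"},
    "POST /payments": {"GET /products"},
}

# Constructed sample access log, one request per line:
# "<session_id> <method> <path>". Sessions interleave as they would in a
# real log. s1 is a normal checkout, s2 pays without ever creating a cart
# or an order, and s3 opens by placing an order.
SAMPLE_REQUESTS = """\
s1 GET /products
s1 POST /cart
s2 GET /products
s1 POST /orders
s2 POST /payments
s1 POST /payments
s3 POST /orders
s3 POST /payments
"""


def parse_requests(text: str):
    """Yield (session, step) in log order; step is 'METHOD /path'."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        session, method, path = parts
        yield session, f"{method.upper()} {path}"


def check_sequences(text: str) -> dict:
    """Return {session: [(index, previous_state, step), ...]} listing every
    out-of-sequence request. Sessions with no violations are absent."""
    state = {}
    position = defaultdict(int)
    violations = defaultdict(list)
    for session, step in parse_requests(text):
        prev = state.get(session, START)
        # An unknown previous step (endpoint not in the model) allows nothing,
        # so anything following it is flagged until the client browses again.
        if step not in ALLOWED_NEXT.get(prev, set()):
            violations[session].append((position[session], prev, step))
        # Advance regardless, so later steps are judged against what the
        # client actually did rather than against the last legal state.
        state[session] = step
        position[session] += 1
    return dict(violations)


if __name__ == "__main__":
    for session, bad in check_sequences(SAMPLE_REQUESTS).items():
        for idx, prev, step in bad:
            print(f"{session}: request #{idx} {step!r} not allowed after {prev!r}")
```

A transition table like this only catches skipped or reordered steps; it says nothing about the request bodies, so checks such as “the amount paid equals the order total” belong in a second layer that inspects parameters, not just the sequence.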
In other cybersecurity news …
This week, Sephora became the first company to be publicly fined for violating the California Consumer Privacy Act (CCPA).
California Attorney General Rob Bonta announced a settlement with Sephora over allegations that it violated the CCPA, requiring the company to pay $1.2 million in penalties and comply with certain terms.
The attorney general alleged that Sephora failed to disclose to consumers that it was selling their personal information, it failed to process user requests to opt out of sale via user-enabled global privacy controls (GPCs) in violation of the CCPA, and it didn’t cure these violations within the 30-day period currently allowed by the CCPA.
“Technologies like the GPC are a game-changer for consumers looking to exercise their data privacy rights,” Bonta said. “But these rights are meaningless if businesses hide how they are using their customer’s data and ignore requests to opt-out of its sale. I hope today’s settlement sends a strong message to businesses that are still failing to comply with California’s consumer privacy law. It’s been more than two years since the CCPA went into effect, and businesses’ right to avoid liability by curing their CCPA violations after they are caught is expiring. There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled GPCs.”
Tim Mackey is principal security strategist at Synopsys Cybersecurity Research Center.
“The collection of personal data, and its potential sale to third parties is an example of a software supply chain,” he said. “In this case, one that is based not on the software used to create an application, but instead on the data collected, used and processed by that application. Where a problematic software library introduces potential risks for the business, problematic data processing not only introduces potential risks to the business, but also its customers. While the fine Sephora is receiving is nominal, the California AG is setting precedent that annual reviews of data sharing arrangements are expected as routine for businesses, and that data-sharing relationships must hold data partners accountable to the privacy protections in CCPA.”
September marks the fourth annual National Insider Threat Awareness Month (NITAM). It was launched by the National Counterintelligence and Security Center (NCSC), the National Insider Threat Task Force (NITTF), the Office of the Under Secretary of Defense for Intelligence and Security, the Defense Counterintelligence and Security Agency, and the Department of Homeland Security.
NITAM is an annual, month-long campaign to educate government and industry about the risks posed by insider threats and the role of insider threat programs. The campaign seeks to encourage government and private industry employees to recognize and report behaviors of concern, leading to early intervention and positive outcomes for at-risk individuals and reduced risks to organizations.
Don Boxley is CEO and co-founder of DH2i. He said work from home (WFH) led to an exponential increase in cybersecurity attacks, not just from external cybercriminals, but from malicious internal bad actors as well.
“And what makes the internal threat even more dangerous is that many of these bad actors are armed with knowledge of confidential internal security procedures, which adds to their ability to cause serious harm to your organization,” he said. “We saw quite a bit of this at the start of the pandemic when people were first sent home virtually overnight to work. Many organizations were forced to depend upon their VPNs for network access and security, and then learned the hard way that VPNs were not up to the task. It became clear that VPNs simply were not designed or intended for the way we work today. Both external and internal bad actors could, were and are still exploiting inherent vulnerabilities in VPNs. Instead, forward-looking IT organizations have discovered the answer to the VPN dilemma. It is an innovative and highly reliable approach to networking connectivity – the software defined perimeter (SDP). With SDP, organizations can ensure safe, fast and easy network and data access while slamming the door on potential cybercriminals.”
This week, ISC2 launched three initiatives to address the global workforce gap by making cybersecurity careers accessible to more people globally.
These initiatives aim to break down barriers and create new pathways into the cyber workforce.
Clar Rosso is ISC2’s CEO.
“We are facing a growing global cybersecurity workforce gap of more than 2.7 million people,” she said. “One of the most persistent cybersecurity staffing challenges organizations around the world experience is being able to identify entry-and junior-level candidates with the right skills and aptitude to learn and grow on the job. At the same time, early career hopefuls are unable to demonstrate their understanding of cybersecurity concepts and gain the attention of hiring managers.”
These three initiatives include:
ISC2 Certified in Cybersecurity. ISC2’s newest certification, its entry-level credential, is now operational. More than 1,500 pilot participants who passed the exam are on their way to full certification and ISC2 membership.
ISC2 Candidate Program. The new candidate program is for individuals considering a career in cybersecurity. Upon enrollment, ISC2 will be their guide, partner and advocate every step of the way as they achieve their career goals. This creates a free pathway to gain access to resources and benefits, as well as discounts on all certification education courses.
ISC2 One Million Certified in Cybersecurity opens enrollment. On the heels of ISC2’s announcement at the White House last month that the association has pledged to provide free, entry-level cybersecurity certification exams and self-paced educational program courses to 1 million new professionals starting a career in cybersecurity, the association is announcing that enrollment is officially open. This initiative will expand and diversify the workforce by helping to break down barriers (cost, resources, accessibility, experience level, etc.) traditionally keeping people out.
“The global cybersecurity workforce shortage is an issue we can no longer just talk about,” Rosso said. “It’s time for decisive action. We look forward to welcoming our One Million Certified in Cybersecurity participants to our community as ISC2 candidates and soon as new certified members of our association.”
The cost of cyber insurance for organizations will go up in the next few years, according to Fitch Ratings.
Cyber insurance has estimated annual premiums of $8 billion-$10 billion. Industry experts expect that to reach up to $22.5 billion by 2025, as demand for coverage expands with recognition of threats.
The United States is the largest cyber insurance market with nearly $5 billion in statutory direct written premiums and 74% annual premium growth in 2021.
“Cyber risk is a growing critical concern for organizations and public entities globally, as utilization and dependence on information technology and digital devices expand,” according to Fitch. “Threats from network intrusions, malware and phishing activity continue unabated. Recent growth in ransomware incidents provide a need for new protection and defensive tactics.”
Sounil Yu is JupiterOne‘s CISO.
“A good day in security is when nothing bad happens,” he said. “A well-run security program may have many days with no loss events that convey the risk reduction value of the program. Thus, calculating some form of value from security expenditures becomes necessary for security leaders to differentiate luck from skill. The massive increases in cyber insurance this year, resulting from waves of successful ransomware attacks, represents the gross miscalculations of likelihood made by most insurers. In other words, those who are highly incentivized to use rigorous actuarial methods to calculate the value of security controls, still got it quite wrong.”
John Bambenek is principal threat hunter at Netenrich.
“It has always been the easy button to mitigate business risks through insurance,” he said. “In fairness, no one has a winning formulation against ransomware and prosecutions aren’t going to solve the problem, so few other truly viable options are available. I would strongly prefer organizations investing in stronger detection and prevention technologies. However, the decision to insure and to harden the tech stack are not mutually exclusive. I have no guarantees I can offer my customers and any vendor who does is a charlatan, so cyber insurance is here to stay.”
At this week’s VMware Explore, the company shared its strategy emphasizing all things multicloud, and cybersecurity is a big part of that effort.
That’s according to Ambika Kapur, vice president of VMware‘s Networking and Advanced Security Business Group. VMware’s multicloud strategy includes moving from a cloud-first to a “cloud-smart” approach.
During VMware Explore, VMware highlighted its networking and security efforts to support cloud operations. The projects include:
Northstar, for multicloud networking, security and holistic visibility.
Trinidad, for advancing VMware’s API security and analytics.
Watch, for multicloud networking and security via advanced app-to-app policy controls.
We spoke with Kapur and Chad Skipper, global security technologist at VMware, to learn more about the company’s cybersecurity strategy.
Multicloud, Cybersecurity Hand in Hand
Channel Futures: The theme of VMware Explore is all around multicloud. How does security fit into that?
Ambika Kapur: So a lot of what we are talking about is multicloud and across cloud services. And when you look at networking and you look at security, and at least for a large part of our portfolio, they go hand in hand. It’s just another cross-cloud service. So the idea is you should have the ability to run your applications wherever you deem is right to run them. And services like networking and security should be able to just follow along with the applications no matter where they are.
Chad Skipper: We want to also embed and take security across that multicloud. We also talked about the smart cloud. Given our visibility of where we are, we want to enable essentially being able to see the connections and all the conversations so that we can better detect the threat actors that are continually evading the perimeter and then live within the organization, live within your networks. We’ve seen upwards of 197 days without being detected. So that’s where we want to come into from that perspective, visibility to the multicloud.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.