The Gately Report: Snyk Partners Crucial in Improving Supply Chain Security
A ransomware attack against Enzo Biochem is impacting millions of patients.
![Snyk partners improving supply chain security](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt5ddfe17d06e82097/6523f80e516eeb675af5fa47/Supply-Chain.jpg?width=700&auto=webp&quality=80&disable=upscale)
docstockmedia/Shutterstock
Channel Futures: Snyk and Dynatrace have formed an alliance to make software delivery more secure. What’s the status of that alliance? Will partners be impacted by this?
Snyk’s Manoj Nair: We have multiple phases. If you look at what Dynatrace does, they’re doing observability and they’re actually monitoring the deployed application. And we are now able to give a signal from Snyk to Dynatrace where Dynatrace is able to show their customers and users that these containers were scanned by Snyk.
One of the problems with supply chain security is you don’t know what ends up in the cloud, and you don’t know which things actually went through the proper pipeline and security introspection before deployment. We’re connecting the pre-deploy world to the post-deploy world. There are multiple phases that will connect the signal back into Snyk, so Snyk customers can know more about what’s actually running in their production deployments and use that to do prioritization. So there’s a lot of value that comes from these bidirectional connections. It’s a strategic partnership and there’s a long roadmap behind it.
From a partner perspective, the value is to think about the thousands of Dynatrace enterprise partners and enterprise customers, and if you’re a partner that’s already working with Dynatrace, the ability to help that customer with the transformation of their workloads to cloud has just become easier. One of the things that holds back cloud transformation that these partners are trying to do is the concern around security and the concern about how to scale my security program now that everything is exposed in the cloud. And that’s part of the answer that the partners are now able to take advantage of Snyk and the integration of Snyk with Dynatrace, and being able to go back to their Dynatrace customers to introduce Snyk.
CF: What sort of growth has Snyk experienced in the past year and what role are partners playing in that growth?
MN: We started as what people call a product-led growth, bottom-up company, growing with smaller companies, and rapidly expanding into enterprise over the last several years. We have everyone from the biggest companies in the world, the biggest of the big banks, the biggest of the big tech companies, all of them using Snyk. So it’s across industries now. We actually grew 100% year over year last year, but our growth in the enterprise was almost double that. Obviously a lot of it is coming from partners who are working with us in the enterprise space. I don’t think we’re sharing the partner percentage split, but some of our big partners had a significant impact on that rapid growth in the enterprise, especially.
CF: What’s the status of Snyk’s partner programs? Any enhancements, expansion and/or new benefits coming for partners in the months ahead?
MN: We recently launched some partner certifications, but we are going to be unveiling more over the next few months from a partner perspective. In the June-July time frame is where we’re targeting the next wave of enhancements. There are definitely some more interesting, unique things from a partner program perspective that are planned.
CF: What are you hearing from partners in terms of their needs?
MN: We work with both the security channel partner community, the biggest ones and different regional ones, and also the SI community. When you think about a broader transformation, there are all the things a partner can bring value to the customer ahead of the technology and tool. And a lot of that for our customers is the people part of it. They say, “I get it, I love it, but how am I going to transform? I might have thousands of apps and tens of thousands of developers, and how exactly do we programmatically make that happen with a small staff and small team, and the process and the methodologies around that?” Partners are looking to add value and we’re giving them the APIs, the flexibility, the playbooks and the certification, and empowering them to add that extra value that our joint customers are looking for.
CF: Is Snyk being impacted by economic uncertainty? And can it help partners that are being impacted by economic uncertainty?
MN: All companies and all people around the world are looking at the economic situation. And we are typically more proactive about that. What are the things we can do differently? What can we do to be more efficient? And we can help partners with the consolidation that our customers are looking for. We are a platform. Typically customers have four, five or six technologies to get that set of capabilities. Getting it as a holistic platform really gives the partner the benefit of being able to go to the customer and say, “Not only am I reducing your risk from your application posture and supply chain, but I’m actually helping improve productivity and at a lower ROI.”
And that lower ROI and better total economic value are something that customers are looking for. That’s what I would say the partners need to focus on in this economy. How do you help customers who are trying to do more with less? Maybe when the economy was great, you had a little bit more funding flexibility and you could afford lots of different tools. But lots of different tools means lots of different people trying to triage the issues from those tools. And what we’re doing is making it easy and correlating all these issues so you’re focused on fewer issues, you’re focused on real risk, and we’re letting developers innovate faster. Innovating faster means your customers can grow their top line. Very few tools can say that. So that’s a great message for the partner to build around when they think about app security and all the complexity around it.
CF: What do you find most dangerous about the current threat landscape?
MN: I went through a nation-state breach when I was at RSA. That was a long time ago and before people knew what advanced persistent threats (APTs) and supply chain attacks mean. These things that were very sophisticated 10-12 years ago now are mainstreamed. There’s a good data point that I saw from Forrester research from 2022, where supply chain attacks have now become the No. 1 entry point into any company. It used to be phishing. Now they’re more sophisticated so they’re able to use the fact that your software is exposed and your IP is exposed because you’re trying to go digital, and that’s a potential entry point. Security teams didn’t have the chance or need to understand what the developer teams were doing. It was all a black box. Well, it can no longer be a black box.
So what we’re doing is building the bridge between security teams and making it easier for them to know what’s happening on the developer side, and also encouraging the developer teams and helping them to fix faster. It’s not just about audit, find, create a backlog and then maybe fix the critical issues or the high issues, and then ignore the rest. You don’t need a critical or a high issue to necessarily penetrate an enterprise. So how do you make it easy for people to just fix it simply and automatically?
We introduced something called Auto-Fix. And that’s now able to give you a highly accurate fix for the code you’re writing so you don’t have to ever worry about finding the issue after the fact. So that’s making it easier to fix on the developer side … and software supply chain risks are going to come down.
CF: Are we seeing any overall improvement in supply chain software security?
MN: There is hope. We’re doing some value studies, trying to understand what’s happening with our customers who actually do all the right things. I’ll give an example of log4shell. Ninety-one percent of our customers were not only able to find it, but fix it in 48 hours or less. So think about that versus people who were not having that kind of tool chain and the upper security tooling, the stories of vacations canceled, spending a month finding these things and then many months fixing it. So there are examples where we can show it can be much better.
Another example I’d give is we made our entire portfolio available for the whole world to use for free for a month. We called the event the Big Fix. And we had a lot of technology companies like Atlassian, ServiceNow and Dynatrace join this event to get the word out. We had thousands of developers going and trying to find issues in open source. We had a target to find and fix 200,000 issues in that month and we did a lot more than that. Over a half-million issues were found and fixed in that period. And that was another great example of how we’re bringing the community together to make the world around us safer.
It’s not any one company. I don’t think it’s any one tool. It’s a combination of people, from partners and technology vendors, and the customers, and security professionals and developers working together to continue to make the situation better.
CF: What can make the biggest impact in terms of supply chain security?
MN: The big one for me is just the culture change and education. That’s where I think the partners can help their customers the most. There is a better way. It’s not just, continue with the same and newer versions of the same. When I go and talk to customers about this fix culture, you can see the light go off because security has always been finding issues. And then all these new tools come out and all they do is light up the Christmas tree. There are more lights and more lights, and eventually this thing falls. And so the ability to have that culture change conversation and flip that conversation to fixing — it’s everyone’s job, not just the security professionals out there, I think that’s the big thing, the education and getting the word out there.
How do you tackle supply chain security? It’s a culture change. And culture changes are harder, but that’s the opportunity. Let’s change it from a finding- and audit-based culture to a fixing-based culture.
In other cybersecurity news …
Huntress has discovered active exploitation attempts against the MOVEit Transfer software application.
MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch, a subsidiary of Progress Software, that allows enterprises to securely transfer files between business partners and customers.
“While this is still an emerging threat and not every detail is known, the current understanding is that there is a severe vulnerability in the MOVEit Transfer web application front end that offers attackers further access,” said John Hammond, Huntress’ senior security researcher. “Some security vendors suggest this weakness is a structured query language (SQL) injection vulnerability, but HTTP logs seem to suggest an unrestricted file upload vulnerability.”
Huntress has identified fewer than 10 organizations with this MOVEit Transfer software in its partner base, he said. However, Shodan, a search engine designed to map and gather information about internet-connected devices and systems, suggests that there are over 2,500 servers publicly available on the open internet.
Zane Bond, head of product at Keeper Security, said zero-day vulnerabilities are a significant cybersecurity risk that leave software open to exploitation, which can lead to data theft, system compromise or other malicious activities.
“In this case, an attacker may be able to infer information about the structure and contents of a MOVEit Transfer database, or even alter or delete database elements,” he said. “Organizations must take a proactive approach to regularly update software and immediately patch vulnerabilities that can be exploited in cyberattacks. The first step for administrators utilizing MFT should be to patch the vulnerability or take the service offline until it can be patched, especially now that it is public knowledge. While not every attack can be prevented, steps can be taken to mitigate the access of cybercriminals and minimize impacts on systems, data and operations. The most effective method for minimizing sprawl in an attack … is by investing in prevention with a zero-trust and zero-knowledge cybersecurity architecture that will limit, if not altogether prevent, a bad actor’s access.”
Biotechnology company Enzo Biochem, which manufactures and sells DNA-based tests to detect viral and bacterial diseases, confirmed in a Securities and Exchange Commission (SEC) filing that it was hit by a ransomware attack that exposed the clinical test information of nearly 2.5 million patients.
“On April 11, the company became aware that certain data, including names, test information and Social Security numbers, was accessed, and in some instances, exfiltrated from the company’s IT systems as part of this incident,” it said. “The investigation of this incident and the assessment of its impact is ongoing. However, the company identified unauthorized access to or acquisition of clinical test information of approximately 2.47 million individuals. The Social Security numbers of approximately 600,000 of these individuals may also have been involved. The company is evaluating whether its employees’ information may have been involved. The company will provide notice to the individuals whose information may have been involved, as well as to regulatory authorities, in accordance with applicable law.”
Dror Liwer, co-founder of Coro, said health care-related organizations are among the most coveted targets for cybercriminals because of the rich, current data they maintain about individuals, which can be easily monetized.
“Because of this sensitive data, three cybersecurity pillars must be zealously maintained: protection, automation and awareness training,” he said. “Buying great cybersecurity isn’t enough. Automation must be used to offset the shortage in cyber personnel, and continuous awareness training and simulation must be part of the strategy, since in most cases human error is the attacker’s entry point.”
Chris Hauk, consumer privacy champion at Pixel Privacy, said unfortunately, the number of data breaches and ransomware attacks on the medical-related industry continues to climb.
“Breaches of medical information are always concerning, especially when it includes Social Security information as we’re seeing with this incident,” he said. “Affected customers will want to stay alert for phishing emails, texts and phone calls from the bad actors of the world, as they use the information they’ve already gleaned to gain access to additional personal and financial information. Customers will also want to keep a close eye on their credit, making sure no new accounts are opened in their name, and that their accounts are not being accessed by the wrong people. I strongly suggest affected folks take advantage of any credit or identity monitoring services that are likely to be offered by Enzo Biochem. If they do not offer free monitoring, customers should also check with their bank or credit card issuers, as they often offer free credit and identity monitoring.”
CrowdStrike recently posted on Reddit that bad actor Spyboy is promoting an all-in-one tool called Terminator that can allegedly bypass 24 antivirus, extended detection and response (XDR) and endpoint detection and response (EDR) platforms, including Windows Defender, on devices running Windows 7 and later.
The price for Terminator ranges from $300 for a single bypass to $3,000 for an all-in-one bypass.
However, CrowdStrike said Terminator is just a fancy bring your own vulnerable driver (BYOVD) attack. In BYOVD attacks, threat actors abuse vulnerabilities in legitimate, signed drivers to achieve kernel-mode code execution and disable defense solutions. A driver is software that interfaces a hardware device with an operating system.
To use Terminator, one must already have administrative privileges on the targeted system and have tricked the user into accepting the User Account Control (UAC) prompt that is displayed when running the tool.
Researchers found that Terminator simply drops the legitimate, signed Zemana anti-malware kernel driver into the C:\Windows\System32 folder, then loads it and uses its kernel-level privileges to kill the user-mode processes of AV and EDR software running on the device.
Roy Akerman, co-founder and CEO of Rezonate, an identity-centric security platform, said Spyboy’s claim created anticipation and anxiety among cyber defense teams as “tampering with security controls may leave organizations vulnerable and unaware, assuming protection is in place and active.”
“Organizations who use an EDR solution that only has usermode agent need to take further actions to avoid any exploitation and elimination of that agent,” he said. “If kernel mode agent is available, a check to make sure configuration is properly listed is a priority.”
Snyk partners can be instrumental in improving overall supply chain security by fostering a fixing-based culture instead of a find- and audit-based culture.
That’s according to Manoj Nair, Snyk’s chief product officer. Snyk’s platform allows organizations to scan, prioritize and fix security vulnerabilities in their own code, open source dependencies, container images and infrastructure as code (IaC) configurations.
Earlier this year, ServiceNow made a $25 million strategic investment in Snyk. This followed Snyk closing a $196.5 million Series G funding round.
Providing More For Snyk Partners
“We have a bunch of things that we’re working on with the partner community, both the SI partners, the bigger ones, and also the channel partners,” Nair said. “We’re helping them with better programs on working with us, but also the knowledge base and training, and partner certification that allows them to take some of the expertise we have built over the years with DevOps and DevSecOps, and how you become developer-aware security. How do you help transform your customers who are trying to make this change from a traditional audit-oriented approach to app security, to more modern developer security aspects. So there’s that certification and training investment, too.”
Many partners are utilizing Snyk’s partner certification, he said.
“So it’s programs, it’s the reach, and it’s also now helping get our partners the right enablement and context required so they can do the value-added services,” Nair said. “A lot of our customers need help. It’s not just the tool. This is the process change. This is thinking about, how do I make that culture change? And those are all value-added opportunities for our partners that we’re now enabling them to succeed in.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.