In cybersecurity, and across the entire technology sector, we’re used to riding the rollercoaster of the hype cycle. What’s promised as the next big thing today may be thrown into the dumpster of irrelevance tomorrow.
After a technology hits what Gartner calls the "Peak of Inflated Expectations," will it languish in the "Trough of Disillusionment," or power through to reach the "Plateau of Productivity?"
When SC Media sat down with three cybersecurity leaders to reflect on developments over the past year, a trio of trends and technologies stood out as having real and lasting impact on how the industry moves forward in late 2023 and beyond.
(Editor’s Note: This feature is part of SC Media’s special 2023 SC Awards coverage. You can view the full list of winners here.)
Passwordless authentication hits an ‘inflection point’
Some technologies present as great ideas but, for a variety of reasons, they languish in the background for years until they eventually fade away or — sometimes — they win the market over.
Passwordless authentication is one of those concepts that is finally having its day in the sun after Apple, Google and Microsoft came onboard last year, expanding their support for the passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.
“With the prevalence of work from home, with the prevalence of BYOD, you can no longer trust the devices that people are logging in from,” said Josh Cigna, enterprise solutions architect at Yubico.
“Being able to secure nonrelated accounts on those devices really will help the overall footprint and the overall goal of securing the internet,” he said.
“The work that the FIDO Alliance has done to roll out passkeys, really positioning them as a strong way for consumers to start using and leveraging that strong PKI authentication, I think that is a really good step forward.”
Cigna said Apple, Google and Microsoft’s embrace of the concept, building the technology “at a fundamental level” meant consumers would have better options to protect themselves.
“In this space, a high tide raises all boats and any type of mass adoption of this technology really only furthers the overall goals of the cybersecurity industry: to make it easy, make it reliable, make it secure and protect people.”
Fran Rosch, CEO at ForgeRock, said passwordless technology was “at an inflection point” with major corporates, including large banks and retailers, moving forward with plans to adopt what is a much more convenient and secure posture.
“People are trying to build loyalty with their customer base, make it easier to enroll. So passwordless is here now for both consumers and employees. Passkeys are a big part of it. Device authentication is a big part of it.”
Weak links in the supply chain
With compromised credentials being such a goldmine for threat actors, security teams have good reason to spend a lot of their time ensuring those credentials remain secure, and that staff don’t fall for phishing attacks or other methods that leak login details.
But, as usual, the adversaries are always on the lookout for a work-around that circumvents an organization’s strongest security efforts and, in 2023, they have increasingly shifted their focus to finding weak links in the supply chain.
Awareness of the significance of the risk posed by supply chain insecurity has grown since 2020 when attackers installed malware on SolarWinds’ Orion Network Management Products, resulting in the company unknowingly issuing trojanized updates to its vast customer base.
“The change we’ve seen this year is a big increase in malicious actors attacking supply chain and contractors, who you don’t spend so much time training and managing,” said Rosch.
“Fifty-two percent of all of these breaches were related to compromised credentials of vendors and contractors, and not your employees. So you have to really take it much more broadly than we have in the past,” he said.
“It only takes one compromised credential for most threat actors to get in, spread out, expand, [deploy] ransomware, whatever it is, and we spent so much time on our own employees. We've got to start looking at these vendors and contractors who don’t care as much about our companies as we do — we’ve got to make sure we lock them down as well.”
When assessing supply chain security considerations, organizations need to take into account less obvious potential risks such as web applications and APIs, said Brian McHenry, vice president of product management for web applications and API security at F5.
“In almost every case, when you load a website in your browser, it’s actually composing that experience from API calls to dozens, if not hundreds, of different APIs and if you go to Google.com, or to Amazon.com, it’s not all from Amazon, or all from Google, that are being loaded,” McHenry said.
“[Content] is being loaded from lots of third parties, so there’s a supply chain of APIs as well that you need to ensure is being secured.”
The same consideration needs to be given to JavaScript.
“All the JavaScript components you use to make a web application, not all those JavaScript components are necessarily yours. And sometimes some get loaded from an API call,” said McHenry.
“Supply chain really has a lot of different implications when it comes to security.”
Help is available, however, with frameworks such as Cybersecurity Supply Chain Risk Management, or C-SCRM, devised by the National Institute of Standards and Technology (NIST) as a systematic process to help enterprises manage cybersecurity risks throughout the supply chain, including software artifacts.
“In order to fulfill those new NIST guidelines, you’re going to need to start looking at your supply chain and forcing those third-party folks to do better as well,” said Cigna.
The good and the bad of generative AI
If there has been one development that’s disrupted the technology scene more than any other this past year, it’s undoubtedly been generative AI. For the cybersecurity industry, the biggest concern related to gen AI is that it has enabled hackers to expand their malicious toolkits.
Rosch said ForgeRock is seeing the evil side of AI deployed against its larger customers, which include big banks and global ecommerce and media companies.
“They’re really seeing the attacks get that much more sophisticated as cyber criminals are leveraging these large language models. Deep fakes and phishing and impersonation attacks have gotten much more effective — tricking people to give out valuable information,” he said.
“We’re also seeing some of these AI tools being able to guess your next password before you do. Even as you’re asking to change it, they know you well enough that they know what you’re changing your password to.”
The result is that AI is “fundamentally reducing trust on the internet, because you can no longer trust what you see, you can no longer trust people’s credentials,” Rosch said.
But on the positive side, security teams have the ability to respond — to “fight fire with fire” — using the same AI technology threat actors are using against them.
That involves collecting and analyzing user and device behavior signals to more accurately recognize legitimate users on their networks, and give them frictionless access while, at the same time, blocking malicious actors, Rosch said.
“AI is really shaking things up, both making the attacks more effective, but also giving us new tools [to] protect the enterprise.”
McHenry said the same opportunity — to use AI to fight back against attackers — existed in the application security arena.
“When it comes to application security, there’s a lot of nuance. There’re different styles of application, different coding languages, different stacks. That means that every application needs a different type of security, different policy,” he said.
“AI and ML are something that F5 and other companies are using to ease the creation of application security policy, and help to profile the application, understand what good looks like, so that you can have application layer security in front of all of your applications and APIs, not just the precious few that you happen to have the engineers to devote to it.”
McHenry said AI could help security teams deal with the cybersecurity sector’s skill shortage problem.
“Generative AI has the potential to provide virtual SOC and virtual threat and analysis-type functions to help assist those less staffed teams, find the key threats, find the key vulnerabilities and provide actual remediation guidance. So really, looking forward to that development with gen AI on the good guys’ side, it’s not all bad news.”
With F5 predicting the number of APIs available on the open internet with balloon from around 200 million today to approximately 2 billion by 2030, McHenry also sees AI as a potential solution to the problem of dealing with the security implications of “API sprawl."
“I really don’t think there's any other way to keep pace with something that's going to grow from 200 million to 2 billion in the next few years, other than to make use of AI and machine learning,” he said.
(Editor’s Note: This feature is part of SC Media’s special 2023 SC Awards coverage. You can view the full list of winners here.)