Why SASE will benefit from faster consolidation of networking and security

Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More

Seventy-five percent of enterprises are pursuing vendor consolidation, up from 29% just three years ago, with secure access service edge (SASE) experiencing significant upside growth as a result. SASE is also proving effective at improving enterprise security postures by providing zero trust network access (ZTNA) at scale.

CIOs tell VentureBeat SASE is gaining traction because it can streamline consolidation plans while extending ZTNA to endpoints and identities.

“If I have five different agents, five different vendors on an endpoint, for example, that’s much overhead support to manage, especially when I have all these exceptional cases like remote users and suppliers. So number one is consolidate,” Kapil Raina, vice president of zero trust, identity, and data security marketing at CrowdStrike, told VentureBeat during a recent interview.

Nearly all cybersecurity leaders have consolidating tech stacks on their roadmaps  

Leading cybersecurity providers, including CrowdStrike, Cisco, Fortinet, Palo Alto Networks, VMware and Zscaler, are fast-tracking product roadmaps to turn consolidation into a growth opportunity. Nearly every CISO VentureBeat spoke with mentions consolidation as one of their top three goals for 2023.


Transform 2023

Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.

Register Now

That’s a point not lost on cybersecurity industry leaders. Cynet’s 2022 survey of CISOs found that nearly all have consolidation on their roadmaps, up from 61% in 2021. CISOs believe consolidating their tech stacks will help them avoid missing threats (57%) and reduce the need to find qualified security specialists (56%) while streamlining the process of correlating and visualizing findings across their threat landscape (46%).

At Palo Alto Networks’ Ignite ’22 conference last year, Nikesh Arora, Palo Alto Networks chairman and CEO, shared the company’s vision for consolidation — and it’s core to the company’s strategy.

Nikesh added that “customers are actually onto it. They want the consolidation because right now, customers are going through the three biggest transformations ever: They’re going to network security transformation, they’re going through a cloud transformation, and [though] many of them don’t know [it] … they’re about to go to a security operations center (SOC) transformation.” Ignite ’22 showed Palo Alto Networks doubling its R&D and DevOps teams fast-tracking Prisma SASE with new AI-based enhancements.

With a common policy framework and single-pane-of-glass management, Prisma Access is designed to secure hybrid workforces while also providing enterprises with a clear path to consolidating network and security tech stacks, which is what CIOs and CISOs are looking for. Source: Palo Alto Networks Prisma SASE Overview

SASE grows when network and security tech stacks consolidate 

Legacy network architectures can’t keep up with cloud-based workloads, and their perimeter-based security is proving to be too much of a liability, CIOs and CISOs tell VentureBeat anonymously. The risk levels rise to become board-level concerns that give CISOs the type of internal visibility they don’t want. In addition, the legacy network architectures are renowned for poor user experiences and wide security gaps. Esmond Kane, CISO of Steward Health, advises: “Understand that — at its core — SASE is zero trust. We’re talking about identity, authentication, access control and privilege. Start there and then build out.” 

Gartner’s definition of SASE says that “secure access service edge (SASE) delivers converged network and security-as-a-service capabilities, including SD-WAN, SWG, CASB, NGFW and zero trust network access (ZTNA). SASE supports branch offices, remote workers, and on-premises secure access use cases.

“SASE is primarily delivered as a service and enables zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies.”

Foundations of SASE

Gartner developed the SASE framework in response to a growing number of client inquiries about adapting existing networking and cybersecurity infrastructure to better support digitally driven ventures.

Enterprises are on the hunt for every opportunity to consolidate tech stacks further. Given SASE’s highly integrated nature, the platform delivers the opportunities CIOs and CISOs need. Combining network-as-a-service and network-security-as-a-service to deliver SASE is why the platform is capitalizing on consolidation so effectively today.

Integrating network-as-a-service and network-security-as-a-service into a unified SASE platform provides real-time data and insights and defines every identity as a security perimeter. Unifying networks and security also strengthens ZTNA, which can scale across every customer, employee, supplier and service endpoint. Source: Gartner, The Future of Network Security Is in the Cloud, August 30, 2019

To become more competitive in SASE without committing all available DevOps and R&D resources to it, nearly all major cybersecurity vendors rely on joint ventures, mergers and acquisitions to get into the market quickly. Cisco’s acquisition of Portshift, Palo Alto Networks’ acquisition of CloudGenix, Fortinet’s acquisition of OPAQ, Ivanti’s acquisition of MobileIron and PulseSecure, Check Point Software Technologies’ acquisition of Odo Security, Zscaler’s acquisition of Edgewise Networks and Absolute Software’s acquisition of NetMotion are just a few of the mergers designed to increase SASE vendors’ competitiveness.

“One of the key trends emerging from the pandemic has been the broad rethinking of how to provide network and security services to distributed workforces,” writes Garrett Bekker, senior research analyst, security at 451 Research, part of S&P Global Market Intelligence, in the 451 Research note titled “Another day, another SASE fueled deal as Absolute picks up NetMotion.” Garrett continues, “this shift in thinking, in turn, has fueled interest in zero-trust network access (ZTNA) and secure access service edge.”

SASE’s identity-first design further accelerates consolidation  

For a SASE architecture to deliver on its full potential of consolidating network and security services at the tech-stack level, it must first get real-time network activity monitoring and role-specific ZTNA access privileges right. Knowing in real time what’s happening with every endpoint, asset, database and transaction request, down to the identity level, is core to ZTNA. It is also essential for continually improving ZTNA security for distributed edge devices and locations.

ZTNA secures every identity and endpoint, treating each as a security perimeter with multiple digital identities that need constant monitoring and protection. 

SASE is helping close the gaps between network-as-a-service and network-security-as-a-service, improving enterprise networks’ speed, security and scale. ZTNA and its related technologies protect endpoints. The increasing number of identities associated with each endpoint raises the risk of relying on legacy network infrastructure that depends only on perimeter-based protection. This is one place SASE and ZTNA are proving their worth.

Identities, access credentials and roles are central to SASE, which is supported by the diverse array of technologies depicted in the above circular diagram. Source: Gartner, The Future of Network Security Is in the Cloud, August 30, 2019

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.

Defining endpoint security in a zero-trust world


Attackers strike at businesses with identity theft as their top goal. CISOs and CIOs told VentureBeat they’ve seen spikes in identity-driven attacks in the first three months of 2023. 

Getting identity right is core to a robust zero-trust framework. It takes endpoint resilience, improved sensing and telemetry data analysis techniques, and faster innovation at protecting identities. 

Control identities to control the company 

Attackers capitalize on gaps in cloud infrastructure to find weak or unprotected endpoints, so it’s not surprising that there has been a 95% increase in attacks on cloud infrastructure, with intrusion attempts involving cloud-conscious threat actors tripling year over year. From cybercriminal gangs to state-funded advanced persistent threat (APT) groups, attackers know that defeating just one endpoint opens up an organization’s infrastructure to credential, identity and data theft.

CrowdStrike’s 2023 Global Threat Report identified why identities are under siege. They’re among an organization’s most valuable assets, rich with personal data that commands a high price on the dark web. CrowdStrike’s Intelligence Team found a disturbing trend of attackers becoming access brokers, selling stolen identities bundled in bulk for high prices on the dark web.


Cloud security and endpoint security are delivering the most value in enterprises today, according to respondents to a recent PwC survey. SOURCE: Based on PwC’s 2022 Global Digital Trust Insights with analysis by Statista.

Endpoint attacks spike early in 2023 

The proliferation of cloud and endpoint attacks is making 2023 a more challenging year than many CISOs bargained — and budgeted — for. CISOs in the banking, financial services and insurance industries told VentureBeat, on condition of anonymity, that attacks on every type of endpoint have quadrupled in just four months. The data they can capture shows cloud infrastructure, Active Directory, ransomware, web application, vulnerability exploitation and distributed denial of service (DDoS) attacks spiking sharply in the last 120 days.

2023 is already a year more challenging than CISOs expected because of added pressure to consolidate tech stacks and keep budgets under control (or reduce them) while dealing with a spiking growth rate of attacks. CrowdStrike’s cofounder and CEO, George Kurtz, was prescient when he explained during his keynote at the company’s Fal.Con event in 2022 that “the reality is people are exploiting endpoints and workloads. And that’s really where the war is happening. So you have to start with the best endpoint detection on the planet. And then from there, it’s really about extending that beyond endpoint telemetry.” 

CISOs told VentureBeat their consolidation plans for endpoint security and endpoint detection and response (EDR) are now cloud-based for the most part. Having endpoint security, EDR, and extended detection and response (XDR) based in the cloud solves several challenges related to their on-premises counterparts, the greatest being ongoing maintenance and patching costs. Leading vendors providing XDR platforms include CrowdStrike, Microsoft, Palo Alto Networks, TEHTRIS and Trend Micro.

Resilient and self-healing endpoints are table stakes 

Defining endpoint security in a zero-trust world must start by recognizing how quickly endpoint protection platforms and identity management systems are converging. Every enterprise’s network endpoints have multiple digital identities, starting with those assigned by apps, platforms and internal systems accessed from the endpoint to the device’s identity. 

Cloud services are forcing the overlap of endpoint protection platforms and identity management. For example, Microsoft Azure’s App Service supports assigning several user-assigned identities to a specific application, which adds greater complexity to the range of identities supported by endpoints. The same holds for devices. Cisco’s Identity Services Engine (ISE) can define endpoint identity groups by their authorizations. These services reflect what’s happening quickly in the market — identities are quickly becoming core to endpoints. 

CISOs need better visibility into every identity an endpoint has. Zero-trust frameworks and a mindset of least-privileged access are needed. Those needs are driving the following in enterprises’ endpoint strategies today:

Continuously monitor and validate

It’s central to getting zero-trust frameworks solid and scalable, and the telemetry data is invaluable in identifying potential intrusion and breach attempts. The goal is to monitor, validate and track every endpoint’s real-time data transactions to help identify and respond to potential threats. Leading vendors providing this capability include Cisco’s SecureX, Duo, and Identity Services Engine (ISE); as well as Microsoft’s Azure Active Directory and Defender. CrowdStrike’s Falcon platform, Okta’s Identity Cloud, and Palo Alto Networks’ Prisma Access solution are also vendors providing continuous monitoring for enterprise customers today.

Harden endpoints

It’s common knowledge that attackers scan every potential open port and endpoint an enterprise has, hoping for just one to be either unprotected or misconfigured. Absolute Software’s 2021 Endpoint Risk Report found that over-configured endpoints are just as vulnerable as not having any endpoint security in place. Absolute’s research found 11.7 security controls per device, with the majority containing multiple controls for the same function. 

Self-healing endpoints help reduce software agent sprawl by delivering greater resilience. By definition, a self-healing endpoint will shut itself down and validate its core components, starting with its OS. Next, the endpoint will perform patch versioning, then reset itself to an optimized configuration without human intervention. 

Absolute Software, Akamai, Ivanti, Malwarebytes, Microsoft, SentinelOne, Tanium, Trend Micro and many others have endpoints that can autonomously self-heal. Absolute Software is noteworthy for providing an undeletable digital tether to every PC-based endpoint that continuously monitors and validates every endpoint’s real-time data requests and transactions.

Absolute’s Resilience platform is noteworthy for providing real-time visibility and control of any device, on a network or not, along with detailed asset management data. Absolute also invented and launched the industry’s first self-healing zero-trust platform designed to deliver asset management, device and application control, endpoint intelligence, incident reporting, resilience and compliance.

Automate patch management

Hardened, self-healing endpoints are becoming indispensable to IT, ITSM and security teams, who are all facing chronic time shortages today. “Endpoint management and self-healing capabilities allow IT teams to discover every device on their network, and then manage and secure each device using modern, best-practice techniques that ensure end users are productive and company resources are safe,” said Srinivas Mukkamala, chief product officer at Ivanti, during a recent interview with VentureBeat.

He continued, saying, “Automation and self-healing improve employee productivity, simplify device management and improve security posture by providing complete visibility into an organization’s entire asset estate and delivering automation across a broad range of devices.” 

CISOs have said their teams are so overwhelmed with workloads focused on protecting employees, systems and, in manufacturing, entire factories, that there’s not enough time to get patch management done. Ivanti’s survey on patch management found that 71% of IT and security professionals felt patching was overly complex and time consuming, and 53% said that organizing and prioritizing critical vulnerabilities takes up most of their time. 

Given how critical it is to get patch management right, taking a data-driven approach can help. Another innovation that several vendors are using to tackle this problem is artificial intelligence (AI) and machine learning (ML). 

Ivanti’s Neurons platform relies on AI-based bots to seek out, identify and update all patches across endpoints that need to be updated. Ivanti’s Risk‑Based Cloud Patch Management is noteworthy in how the platform integrates the company’s Vulnerability Risk Rating (VRR) to help security operations center (SOC) analysts take risk-prioritized action. Ivanti has also worked out how to provide service-level agreement (SLA) tracking with visibility into devices nearing their SLA, enabling teams to take preemptive action.

Additional vendors offering automated patch management solutions include Broadcom, CrowdStrike, SentinelOne, McAfee, Sophos, Trend Micro, VMware Carbon Black and Cybereason.

Kill lateral movement and reduce the attack surface

Having a breach mindset is key to getting stronger at zero trust. Assuming intrusion and breach attempts are inevitable is a strong motivator for IT and cybersecurity teams to sharpen their zero-trust security strategies, skills and knowledge. The goal is to make zero trust an integral part of an organization’s muscle memory. 

The best way to accomplish that is by resolving to get zero-trust initiatives and strategies in shape. That includes getting microsegmentation — a crucial component of zero trust, as outlined in the NIST’s zero-trust framework — in place. Microsegmentation divides networks into smaller, isolated segments, reducing a network’s attack surface and increasing the security of data and resources. 

Certain microsegmentation vendors can also quickly identify and isolate suspicious activity on their networks. Of the many microsegmentation providers today, the most innovative are Airgap, AlgoSec, ColorTokens, Illumio, Prisma Cloud and Zscaler Cloud Platform.

Of these, Airgap’s zero-trust isolation platform adopts a microsegmentation approach that treats each identity’s endpoint as a separate entity and enforces granular policies based on contextual information, effectively preventing any lateral movement. Airgap’s architecture includes an autonomous policy network that scales microsegmentation policies network-wide immediately.

Endpoint security in a consolidation-first era

2023 is becoming a much more challenging year than CISOs and their teams expected. The spiking attacks and more advanced phishing and social engineering attempts created using ChatGPT are stressing already overworked IT and security teams. At the same time, CISOs are facing budget constraints and orders to consolidate their tech stacks. Against this background of tighter budgets and more breaches, becoming more resilient with endpoints is where many start.

“When we’re talking to organizations, what we’re hearing a lot of is: How can we continue to increase resiliency, increase the way we’re protecting ourselves, even in the face of potentially either lower headcount or tight budgets? And so it makes what we do around cyber-resiliency even more important,” said Christy Wyatt, president and CEO of Absolute Software, in a BNN Bloomberg interview.


How threat intelligence helps SecOps prevent cyberevents before they happen

CISOs tell VentureBeat they’re looking to get more value from security operations (SecOps) by identifying threats rather than analyzing them after an event. Gartner’s direction is that “SecOps’ goal is to create proactive risk understanding and enable threat exposure reduction as well as detection of, and response to, cyber events that negatively affect the organization.” 

SecOps teams need help to get out of a reactive approach of analyzing alerts and intrusion, breach and botnet events after they’ve occurred. As a first step to solving this challenge, enterprise security teams and the CISOs that lead them are pushing for greater real-time visibility. In addition, tech-stack consolidation, a strong focus on minimizing costs, and the need to stand up remote SecOps locations faster than on-premises systems and their infrastructure allow are driving SecOps teams’ need for threat intelligence and more real-time data. 

Improving SecOps with real-time threat intelligence 

For SecOps to deliver on its potential, it must start by reducing false positives, filtering out inbound noise, and providing threat intelligence that triggers automated detection and remediation actions. In short, SecOps teams need threat intelligence providers to interpret and act on inbound packets immediately, finding new ways to capitalize on real-time data. Fortunately, the next generation of threat intelligence solutions is purpose-built to provide post-attack analytics, including forensic visibility across all events.

The National Institute of Standards and Technology (NIST) defines threat intelligence as “threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.” NIST mentions threat intelligence in their NIST SP 1800-21, NIST SP 800-150, and NIST SP 800-172A standards. 

Leading vendors include Centripetal, whose CleanINTERNET solution operationalizes cyberthreat intelligence at scale by combining automated shielding, advanced threat detection (ATD) and dedicated teams of human threat analysts. Centripetal’s customer base includes government agencies, financial institutions, healthcare providers and critical infrastructure providers. 

“Threat intelligence, if you apply it properly, can become a highly effective tool to determine automatically who should come into your network and who should not, and thus gives an organization risk-based control,” said Centripetal’s CEO, Steven Rogers. 

There are more than 75 vendors in the threat intelligence market today, including CrowdStrike, Egnyte, Ivanti, Mandiant, Palo Alto Networks, and Splunk. All strive to strengthen their threat intelligence as core to their ability to contribute to their customers’ SecOps needs. 

Centripetal’s architecture is noteworthy in its use of artificial intelligence (AI) and proprietary algorithms to aggregate, filter, correlate, detect, triage and analyze thousands of global feeds at massive scale and machine speed. AI acts as an orchestration technology in their platform, coordinating threat intelligence feeds and enforcement algorithms and simultaneously reporting to both Centripetal’s internal cyberthreat analyst team and that of the customer. 

Centripetal’s CleanINTERNET architecture provides the data needed to stop threats before they access company networks. Source: Centripetal.

Scaling threat intelligence in the enterprise

VentureBeat recently sat down virtually with Chuck Veth, president of CVM, Inc., to learn how enterprises are putting threat intelligence to work and how his firm helps their implementations scale. CVM, an IT services firm with more than 30 years of experience, is a two-time winner of Deloitte’s CT Fast 50. Chuck’s firm implements and supports Centripetal and is a leading reseller to enterprise and government accounts. Presented here are selected segments of VentureBeat’s interview with Chuck:

VentureBeat: What challenges do your customers face that led you to contact Centripetal to be a reseller for them?

Chuck Veth: “The challenge to enhance cybersecurity is constant. We first learned about Centripetal from one of our accounts. After evaluating it and presenting it to our customers, we realized that the CleanINTERNET service is an excellent final layer of security for public-facing networks. We look at it as a necessary insurance policy. When you turn on CleanINTERNET, it gets used thousands of times a minute.” 

VB: Keeping with the insurance analogy, can you expand on how you see the value Centripetal provides?  

Veth: “It’s not like car insurance; you can do the math easily on asset protection insurance. It’s more like the car insurance component that covers damage to the occupants, which you typically don’t think about when you’re evaluating car insurance. You’re thinking about your car. But the truth is, car insurance is really there for the people because they’re irreplaceable. When thinking about network security, you mainly approach it from the packet inspection perspective. Centripetal’s CleanINTERNET service works from a completely different perspective. It is determining if the remote IP address is a threat actor; if it is, it blocks it. You need to use this perspective as well; the cost of missing a threat actor can close your business.”

VB: What are some of the most valuable lessons learned regarding how Centripetal provides greater threat intelligence of your shared customers with them? 

Veth: “One of the most exciting outcomes of having the Centripetal CleanINTERNET service is its ability to separate a threat actor from a non-threat actor on some very common pathways of the internet. HTTPS traffic travels on port 443, HTTP on port 80, and email travels on port 25, et cetera. Years ago, when some services lived on relatively unique ports, they were easy to monitor for an attack. Today it’s harder as the industry has moved to a world that lives on a handful of ports, like 443, using SSL certificates.  

“For example, individuals on private networks often turn to public proxy server websites to avoid corporate filtering, such as blocking day trading. The user connects to the proxy service, and it connects their browser to the day trading site. All the user needs to do is find a proxy service that is not blocked by their company firewall. Bad actors often operate these proxy services as they can track every detail of the online activity.” 

VB: That’s the danger of using a proxy service that isn’t verified to visit a site your company has blocked. How does threat intelligence help identify the threat and protect infrastructure? 

Veth: “Centripetal is looking at the IP address and saying, ‘I have a list of billions of IP addresses that are known to be operated by threat actors.’ It’s a different way of looking at things. And, to do it correctly, Centripetal compiles real-time information from hundreds upon hundreds, even thousands, of threat intelligence feeds. And that’s the secret sauce of the Centripetal CleanINTERNET service. They are normalizing the data from thousands of real-time threat intelligence feeds to say, ‘Hey, this particular site popped up in three or four different threat intelligence databases. And for us, that is a sign that it is a threat actor. And so, we’re going to block it.’”

VB: What’s your favorite example of how effective Centripetal is at uncovering bad actors’ attack strategies that are cloaked to avoid detection?  

Veth: “One day, we got a note from our Centripetal security analyst, ‘…this threat actor’s trying to communicate with this customer – it’s a known threat actor operating out of Europe – it’s this IP address….’ We’re an IT firm, so we looked up the IP address, and the IP address was at a hosting facility in New York.

“And we’re like, ‘What? Why did our security analyst tell us that this IP address was in this foreign country when one of our staff found that it’s in New York?’ We browsed to the IP address. It was a hosting company in New York that only takes payment via cryptocurrency and requires no audit to host on its service. So any host can sign up for this service with no authentication. But the Centripetal device knew that this site, although hosted in New York, was a threat actor from a foreign country. This would have never been blocked by geofiltering, but the Centripetal service was able to identify it and block it.”

How threat intelligence enables zero trust  

Having threat intelligence add value in a zero-trust framework requires identifying and classifying threats before they gain access to a corporate network. Interpreting every data packet and then evaluating its level of risk or trust is essential — while factoring in and correlating to all known global threat feeds in an adaptive, customizable service. Identifying and classifying threats before they reach the network is core to the future of threat intelligence and the ability for SecOps to migrate to a zero-trust framework.

Threat intelligence needs to do the following to increase its value to zero-trust initiatives: 

Enforce zero trust by inspecting every packet of bidirectional traffic

Vendors are setting service goals that center on their ability to shield their customers’ organizations from all known attacks. Each of the competing vendors in threat intelligence is taking a different approach. 

Continually improve the real-time visibility across the known threatscape

Most threat intelligence vendors are more focused on analyzing the data from previous events. A few have proven exceptional in using machine learning algorithms to look at predictive patterns in traffic and attack data. What’s needed is a threat intelligence system that can aggregate the data of every inbound packet, then correlate the analysis results with known threats. Centripetal compares each packet’s contents to all available cyberthreat indicators in real time, using thousands of global threat feeds to support their single, fully managed service. 

Reduce false positives, inaccurate alerts and events by verifying every access attempt before it gets inside the corporate network

A core tenet of zero trust is to assume the network has already been breached and the attacker needs to be contained so they can’t move laterally into core systems and do damage. Leading threat intelligence system providers are applying machine learning algorithms to reduce the noise from external networks, filtering out extraneous data to find the actual threats. Besides contributing to an organization’s zero-trust initiatives, this reduces the burden on the security operations center (SOC) of having to clear false positives and alerts.
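The multi-feed consensus rule Veth describes in the interview above, together with the bidirectional inspection and false-positive reduction goals of the three points above, as an added example that is not Centripetal’s or CVM’s code: it normalizes a few constructed feeds in different formats, blocks only addresses reported by an assumed three or more independent feeds (a single-feed hit is raised as an alert for review rather than blocked), scores both ends of a flow, never scores the organization’s own (assumed RFC 1918) ranges, and contrasts the decision with a country-based filter, which the interview’s New York hosting anecdote shows is not enough on its own.

```python
"""Multi-feed consensus blocking for flow records.

Constructed sample data only; no address here is a real indicator.
"""
from collections import defaultdict
import ipaddress
from typing import Dict, Set, Tuple

# Assumption: block when an address appears in at least this many
# independent feeds (the interview cites "three or four").
CONSENSUS_THRESHOLD = 3

# Assumption: the organization's own address space is never scored, so a
# bad feed entry cannot make the filter block the organization's own hosts.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed feeds in three formats: plain list, CSV with a header row,
# and a commented list with a malformed entry. RFC 5737 documentation
# addresses stand in for real indicators.
FEEDS = {
    "feed_a": "203.0.113.10\n203.0.113.11\n198.51.100.7\n",
    "feed_b": "indicator,confidence\n203.0.113.10,90\n198.51.100.7,60\n",
    "feed_c": "# vendor c export\n203.0.113.10\n192.0.2.200\nnot-an-ip\n",
    "feed_d": "198.51.100.7\n",
}

# Constructed geolocation table standing in for a GeoIP lookup. The
# interview's point: a hosting provider in one country can serve a threat
# actor from another, so a country filter alone misses it.
GEO = {"203.0.113.10": "US", "203.0.113.11": "US",
       "198.51.100.7": "DE", "192.0.2.200": "BR"}


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_RANGES)


def normalize_feed(text: str) -> Set[str]:
    """Extract IPv4 indicators from one feed, tolerating CSV headers,
    comment lines, blank lines and malformed entries."""
    found: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(",")[0].strip()   # CSV: indicator is column 0
        try:
            addr = ipaddress.ip_address(first)
        except ValueError:
            continue                          # header row or garbage
        if addr.version != 4 or is_internal(addr):
            continue
        found.add(str(addr))
    return found


def correlate(feeds: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each indicator to the set of feeds that reported it."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for name, text in feeds.items():
        for ip in normalize_feed(text):
            hits[ip].add(name)
    return dict(hits)


def verdict(ip: str, hits: Dict[str, Set[str]],
            threshold: int = CONSENSUS_THRESHOLD) -> Tuple[str, str]:
    """Return (decision, reason): block on feed consensus, alert on fewer
    feeds (analyst review instead of automatic action), else allow."""
    addr = ipaddress.ip_address(ip)
    if is_internal(addr):
        return ("allow", "internal address, not scored")
    sources = sorted(hits.get(ip, set()))
    if len(sources) >= threshold:
        return ("block", f"seen in {len(sources)} feeds: {sources}")
    if sources:
        return ("alert", f"seen in {len(sources)} feed(s): {sources}")
    return ("allow", "no indicator")


def evaluate_flow(src: str, dst: str, hits: Dict[str, Set[str]]) -> Tuple[str, str]:
    """Bidirectional check: score both ends of a flow so an inbound
    connection from a bad source and an outbound beacon to a bad
    destination are both caught; the stricter decision wins."""
    rank = {"allow": 0, "alert": 1, "block": 2}
    return max((verdict(src, hits), verdict(dst, hits)), key=lambda v: rank[v[0]])


def geofilter_blocks(ip: str, blocked_countries: Set[str]) -> bool:
    """What a country-based filter alone would decide."""
    return GEO.get(ip, "??") in blocked_countries


if __name__ == "__main__":
    hits = correlate(FEEDS)
    for src, dst in [("203.0.113.10", "10.0.0.5"), ("10.0.0.5", "192.0.2.200")]:
        print(src, "->", dst, evaluate_flow(src, dst, hits))
    # A filter blocking DE passes 203.0.113.10 (hosted "US"); consensus blocks it.
    print(geofilter_blocks("203.0.113.10", {"DE"}), verdict("203.0.113.10", hits)[0])
```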

SecOps must improve at delivering business-driven outcomes based on real-time data insights, learning to be more adaptive and quicker to respond at scale. As part of the next generation of threat intelligence solutions, companies like Centripetal support SecOps teams by specializing in providing threat intelligence to reduce false positives, filter out inbound noise and trigger automated detection and remediation actions.


Experts predict how AI will energize cybersecurity in 2023 and beyond

Check out all the on-demand sessions from the Intelligent Security Summit here.

AI and machine learning (ML) are becoming attackers’ preferred technologies, from designing malicious payloads that defy detection to writing customized phishing emails. The recent GoDaddy multiyear breach has all the signs of an AI-driven cyberattack designed to evade detection and reside in the company’s infrastructure for years. 

Attackers rely on AI to avoid detection 

Cybercriminal gangs and sophisticated advanced persistent threat (APT) groups actively recruit AI and ML specialists who design malware that can evade current-generation threat detection systems. What attackers lack in size and scale, they more than make up for in ingenuity, speed and stealth.

“I’ve been amazed at the ingenuity when someone has six months to plan their attack on your company — so always be vigilant,” Kevin Mandia, CEO of Mandiant, said during a fireside chat with George Kurtz at CrowdStrike’s Fal.Con conference last year. 

Nearly three-quarters (71%) of all detections indexed by CrowdStrike Threat Graph were malware-free intrusions. CrowdStrike’s Falcon OverWatch Threat Hunting Report illustrates how advanced attackers use valid credentials to facilitate access and persistence in victim environments.


Intelligent Security Summit On-Demand

Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.

Watch Here

Another contributing factor is the rate at which new vulnerabilities are disclosed and the speed with which adversaries can operationalize exploits using AI and ML. 

Attackers are using ChatGPT to refine malware, personalize phishing emails and fine-tune algorithms designed to steal privileged access credentials.

As Shishir Singh, CTO of cybersecurity at BlackBerry notes: “It’s been well documented that people with malicious intent are testing the waters, but over this year, we expect to see hackers get a much better handle on how to use ChatGPT successfully for nefarious purposes; whether as a tool to write better mutable malware or as an enabler to bolster their ‘skillset.’ Both cyber pros and hackers will continue to look into how they can utilize it best. Time will tell who’s more effective.”

In fact, a recent survey by BlackBerry found that 51% of IT decision-makers believe there will be a successful cyberattack credited to ChatGPT within the year. 

Vendors trying to keep pace with the AI arms race 

Amazon Web Services, CrowdStrike, Google, IBM, Microsoft, Palo Alto Networks and other leading cybersecurity vendors are prioritizing investment in AI and ML research and development (R&D) in response to increasingly complex threats and requests from enterprise customers for new features.

Charlie Bell, Microsoft’s EVP for security, compliance, identity and management, said of AI’s role in cybersecurity: “It’s basically having the machinery to just continuously go fast, especially in ML. All the model training, data stuff and everything else is a super-high priority. Microsoft has a tremendous amount of technology in the AI space.”

CrowdStrike’s many new announcements at Fal.Con last year, along with Palo Alto Networks’ Ignite ’22, illustrate how effective their DevOps and engineering teams are at translating R&D investment into new products.

Amazon Web Services’ hundreds of cybersecurity services and Microsoft Azure’s zero trust developments reflect how R&D spending on AI and ML is a high priority at two of the largest cloud platform providers. Microsoft sank $1 billion into cybersecurity R&D last year and committed to spending $20 billion over the next five years on cybersecurity R&D (beginning in 2021). Microsoft’s security business generates $15 billion annually.

Ivanti’s continual stream of new announcements, including those at RSA and many successful acquisitions followed by rapid advances in AI development, are cases in point. Each of these cybersecurity vendors knows how to translate AI and ML expertise into cyber-resilient systems and solutions faster than competitors while fine-tuning the UX aspects of their platforms.

CrowdStrike’s efficiency at translating its R&D investments into new products exemplifies the breadth of new announcements made at every year’s Fal.Con event, which was noteworthy for its introduction of Threat Graph, Asset Graph, CNAPP and XDR. Source: CrowdStrike’s research and development (R&D) expenses from FY2017 to FY2022, Statista

Predicting where AI will improve cybersecurity 

AI and ML are defining the future of e-crime, with cybercriminal gangs and APT groups ramping up AI hacker-for-hire programs and ransomware-as-a-service while expanding their base of AI-enabled cloaking techniques, among other tactics. That is why security teams are losing the AI war.

These factors, combined with the continued resiliency of cybersecurity spending, lead to optimistic forecasts about investment in AI. VentureBeat has curated the most interesting forecasts, noted below:

AI-based behavioral analytics are proving effective at identifying and shutting down malicious activity

Core to the zero trust frameworks that organizations are standardizing today is real-time visibility and monitoring of all activity across a network.

AI-based behavioral analytics provides real-time data on potentially malicious activity by identifying and acting on anomalies. It’s proving effective in allowing CISOs and their teams to set baselines for normal behavior by analyzing and understanding past behavior and then identifying anomalies in the data. 

Leading cybersecurity vendors rely on AI and ML algorithms to personalize security roles or profiles for each user in real time based on their behavior and patterns. By analyzing several variables, including where and when users attempt to log in, device type, and configuration, among others, these systems can detect anomalies and identify potential threats in real time.
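The baseline-then-anomaly approach described above, as an added illustration that is not code from any vendor named on the page. The login history, attribute weights, time buckets and thresholds are constructed for the example; a production system would learn them from far more data and more attributes.

```python
"""Per-user login baselines with anomaly scoring (added example, constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history: (user, ISO timestamp, country, device type).
LOGIN_HISTORY = [
    ("alice", "2023-02-01T09:05:00", "US", "managed-laptop"),
    ("alice", "2023-02-02T08:58:00", "US", "managed-laptop"),
    ("alice", "2023-02-03T09:12:00", "US", "managed-laptop"),
    ("alice", "2023-02-06T10:01:00", "US", "managed-laptop"),
    ("alice", "2023-02-07T09:30:00", "US", "managed-phone"),
    ("bob", "2023-02-01T22:10:00", "DE", "managed-laptop"),
    ("bob", "2023-02-02T23:00:00", "DE", "managed-laptop"),
    ("bob", "2023-02-03T21:45:00", "DE", "managed-laptop"),
]

# Constructed weights: an unseen country counts more than an unseen device or hour.
WEIGHTS = {"country": 2, "device": 1, "time": 1}
MIN_HISTORY = 3  # fewer logins than this: no trustworthy baseline yet


def time_bucket(ts: str) -> str:
    """Coarse time-of-day bucket, so a login a few minutes off schedule is not an anomaly."""
    hour = datetime.fromisoformat(ts).hour
    if 6 <= hour < 12:
        return "morning"
    if 12 <= hour < 18:
        return "afternoon"
    if 18 <= hour < 24:
        return "evening"
    return "night"


def build_baselines(history):
    """Per user, count how often each country, device and time bucket has been seen."""
    baselines = defaultdict(lambda: {"country": Counter(), "device": Counter(),
                                     "time": Counter(), "n": 0})
    for user, ts, country, device in history:
        b = baselines[user]
        b["country"][country] += 1
        b["device"][device] += 1
        b["time"][time_bucket(ts)] += 1
        b["n"] += 1
    return baselines


def score_login(baselines, user, ts, country, device):
    """Return (score, reasons) for a new login against the user's own baseline.

    score is None when the user has no usable baseline: that is an explicit
    "needs review" outcome, not a silent allow.
    """
    b = baselines.get(user)  # .get() does not create an empty baseline
    if b is None or b["n"] < MIN_HISTORY:
        return None, ["no baseline for user"]
    observed = {"country": country, "device": device, "time": time_bucket(ts)}
    reasons, score = [], 0
    for attr, val in observed.items():
        if b[attr][val] == 0:  # never seen for this user
            reasons.append(f"unseen {attr}: {val}")
            score += WEIGHTS[attr]
    return score, reasons


def decide(score):
    """Map a score to an action: allow, require step-up authentication, or analyst review."""
    if score is None:
        return "review"
    return "step-up" if score >= 2 else "allow"
```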

Leading providers include BlackBerry Persona, Broadcom, CrowdStrike, CyberArk, Cybereason, Ivanti, SentinelOne, Microsoft, McAfee, Sophos and VMware Carbon Black.

CISOs and CIOs tell VentureBeat that this approach to AI-based endpoint management decreases the risk of lost or stolen devices, protecting against device and app cloning and user impersonation. With these techniques, enterprises can analyze endpoint protection platforms (EPPs), endpoint detection and response (EDR), unified endpoint management (UEM) and transaction fraud detection to improve authentication accuracy.

Behavior-based machine learning models built into Microsoft Defender Advanced Threat Protection can shut down credential-theft attack chains. The graphic shows how multiple behavior-based protection layers disrupted the attack. Source: In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks, Microsoft Security Blog.

Endpoint discovery and asset management is today’s most popular use case

IBM’s Institute for Business Value study of AI and automation in cybersecurity finds that enterprises that are using AI as part of their broader strategy are concentrating on gaining a more holistic view of their digital landscapes. Thirty-five percent are applying AI and automation to discover endpoints and improve how they manage assets, a use case they predict will increase by 50% in three years. 

Vulnerability and patch management is the second most popular use case (34%), predicted to increase to more than 40% adoption in three years.

These findings indicate that more AI adopters are looking to the technology to help them achieve their zero trust initiatives.

How strongly AI adopters focus on protecting endpoints and identities reflects how high a priority zero trust is to AI adopters. Source: AI and automation for cybersecurity report, IBM Institute for Business Value | Benchmark Insights, 2022.

IT teams need AI to deliver vulnerability and patch management productivity gains

In an Ivanti survey on patch management, 71% of IT and security professionals said they see patching as overly complex and taking too much time away from urgent projects. Just over half (53%) say that organizing and prioritizing critical vulnerabilities takes up most of their time.

Leading vendors with AI-based patch management solutions include BlackBerry, CrowdStrike Falcon, Ivanti Neurons for Patch Intelligence and Microsoft.

“Patching is not nearly as simple as it sounds,” said Srinivas Mukkamala, chief product officer at Ivanti. “Even well-staffed, well-funded IT and security teams experience prioritization challenges amidst other pressing demands. To reduce risk without increasing workload, organizations must implement a risk-based patch management solution and leverage automation to identify, prioritize and even address vulnerabilities without excess manual intervention.”

Ivanti’s approach uniquely uses contextual intelligence derived from ML to streamline patch deployments. Ivanti Neurons Agents run independently on a set schedule, eliminating the need for time-consuming inventory techniques that waste IT teams’ time. Ivanti Neurons for Patch Intelligence helps enterprises reduce the time-to-patch, offloading manually-intensive tasks that IT teams would otherwise have to do.

Ivanti has created the ability to measure service-level agreements (SLAs) compliance for patch management. CISOs and CIOs can tell from viewing a Patch Intelligence dashboard which devices exceed their SLAs and which patch types are needed, and track known vulnerabilities. Source: Ivanti Endpoint Security Now Integrates with Ivanti Neurons for Patch Intelligence, October 27, 2021

Threat detection leads Gartner’s use cases for AI in cybersecurity

Gartner categorized AI use cases by comparing their business value and feasibility. Transaction fraud detection is the most feasible use case, and it delivers high business value. File-based malware detection is considered nearly as feasible and also delivers strong business value.

Process behavioral analysis also delivers substantial business value, with a medium feasibility level to implement. Finally, abnormal system behavior detection delivers high business value and feasibility; Gartner believes this solution can be successfully implemented in enterprises. (Source: Gartner, Infographic: AI Use-Case Prism for Sourcing and Procurement, Refreshed October 14, 2022, Published March 30, 2021.)

AI-based Indicators of Attack (IOAs) are a core catalyst driving the projected rapid growth of the AI-based cybersecurity market  

The market size for AI in cybersecurity is predicted to be $22.4 billion in 2023 and is anticipated to reach $60.6 billion by 2028, reflecting a compound annual growth rate (CAGR) of 21.9%. Increasing the contextual intelligence of IOAs with AI is one of the core catalysts driving the rapid growth of AI in the broader cybersecurity market.

By definition, IOAs focus on detecting an attacker’s intent and trying to identify their goals, regardless of the malware or exploit used in an attack.

Conversely, an indicator of compromise (IOC) provides the forensics needed as evidence of a breach occurring on a network. IOAs must be automated to deliver accurate, real-time data on attack attempts to understand attackers’ intent and kill any intrusion attempt. 
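The IOA-versus-IOC distinction drawn above, as an added example that is not code from CrowdStrike or any other vendor named on the page. The process events, the hash blocklist, the application lists and the behavioral rule are constructed for the example; the point it shows is that a hash-based IOC misses a rebuilt binary while a behavioral IOA still fires on the same parent-child pattern.

```python
"""IOC (static hash) matching versus IOA (behavioral) detection (added example, constructed data)."""

# Constructed endpoint telemetry: one record per process start.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": "explorer.exe", "sha256": "aa01"},
    {"id": 2, "pid": 200, "ppid": 100, "image": "winword.exe", "sha256": "bb02"},
    # A document application launching a script host is the behavior of interest.
    {"id": 3, "pid": 300, "ppid": 200, "image": "powershell.exe", "sha256": "cc03"},
    {"id": 4, "pid": 400, "ppid": 200, "image": "cscript.exe", "sha256": "dd04"},
    # Same behavior, but the binary was rebuilt: new hash, same parent.
    {"id": 5, "pid": 500, "ppid": 200, "image": "powershell.exe", "sha256": "ee05"},
    # An admin opening a shell from the desktop: a shell, but not the pattern.
    {"id": 6, "pid": 600, "ppid": 100, "image": "cmd.exe", "sha256": "ff06"},
]

# Constructed IOC feed: hashes of files previously confirmed malicious.
HASH_BLOCKLIST = {"cc03"}

# Constructed application lists used by the behavioral rule.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cscript.exe", "wscript.exe", "cmd.exe", "mshta.exe"}


def ioc_matches(events, blocklist):
    """Static matching: an event is flagged only if its file hash is already known bad."""
    return [e["id"] for e in events if e["sha256"] in blocklist]


def ioa_matches(events):
    """Behavioral matching: flag a script host whose parent is a document application,
    regardless of file hash. Returns (event id, reason) pairs."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"] in DOCUMENT_APPS and e["image"] in SCRIPT_HOSTS:
            hits.append((e["id"], f"{parent['image']} spawned {e['image']}"))
    return hits


def assess(events, blocklist):
    """Correlate both signals per event: an IOC hit alone is 'known-bad', an IOA hit
    alone is 'suspicious-behavior', both together is 'confirmed', neither is 'benign'."""
    ioc = set(ioc_matches(events, blocklist))
    ioa = {eid for eid, _ in ioa_matches(events)}
    verdicts = {}
    for e in events:
        eid = e["id"]
        if eid in ioc and eid in ioa:
            verdicts[eid] = "confirmed"
        elif eid in ioa:
            verdicts[eid] = "suspicious-behavior"
        elif eid in ioc:
            verdicts[eid] = "known-bad"
        else:
            verdicts[eid] = "benign"
    return verdicts
```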

CrowdStrike, ThreatConnect, Deep Instinct and Orca Security are leaders in using AI and ML to streamline IOCs.

CrowdStrike is the first and only provider of AI-based IOAs. According to the company, the technology works in conjunction with existing layers of sensor defense, including sensor-based ML and existing IOAs, asynchronously.

The company’s AI-based IOAs combine cloud-native ML and human expertise on a common platform, which was invented by the company more than a decade ago. CrowdStrike’s approach to AI-based IOAs correlates the AI-generated IOAs (behavioral event data) with local events and file data to assess maliciousness.

“CrowdStrike leads the way in stopping the most sophisticated attacks with our industry-leading indicators of attack capability, which revolutionized how security teams prevent threats based on adversary behavior, not easily changed indicators,” said Amol Kulkarni, chief product and engineering officer at CrowdStrike. 

One notable achievement of CrowdStrike’s AI-powered IOAs is their identification of more than 20 adversary patterns that had never been seen before. These patterns were discovered during testing and implemented into the Falcon platform for automated detection and prevention.

The ability of AI-powered IOAs to detect emerging classes of threats faster than traditional methods has been highlighted as a critical benefit of this technology. Source: CrowdStrike

AI-based Indicators of Attack (IOAs) fortify existing defenses using cloud-based ML and real-time threat intelligence to analyze events at runtime and dynamically issue IOAs to the sensor. The sensor then correlates the AI-generated IOAs (behavioral event data) with local and file data to assess maliciousness.

International Data Corporation (IDC) says AI in the cybersecurity market is growing at a CAGR of 23.6% and will reach a market value of $46.3 billion in 2027

Another IDC survey found that cybersecurity is a top investment area across all regions; however, demand varies. Forty-six percent of North American respondents identified cybersecurity as a priority, driven by high levels of investment in cloud applications and infrastructure. In contrast, only 28% and 32% of EMEA and Asia/Pacific respondents, respectively, identified cybersecurity as a top investment area.

Global market for AI-based cybersecurity forecasted to grow from $17.4 billion in 2022 to $102.78 billion in 2023, attaining a 19.43% CAGR

Precedence Research found that fraud detection and the anti-fraud segment of the cybersecurity AI market accounted for 22% of global revenues in 2022. The research firm predicts AI’s fastest-growing areas will include battling fraud, identifying phishing emails and malicious links, and identifying privileged access credential abuse. Its study also found that increasingly complex cloud infrastructures comprised of multicloud and hybrid cloud configurations drive the need for AI-based cybersecurity solutions to protect them.

Source: Precedence Research, Artificial Intelligence (AI) In Cybersecurity Market

Detection dominates AI use cases today 

AI delivers its potential when integrated into a broader zero trust security framework designed to treat every identity as a new security perimeter. The most robust use cases for AI and ML in cybersecurity began with a clear vision of what the technology and its solution protect. AI and ML-based technologies are proving effective at scaling to secure each use case when that use case is an identity, whether a privileged access credential, a container, a device, or a supplier’s or contractor’s laptop.

Detection dominates use cases because more CISOs and leading enterprises know that becoming cyber-resilient is the best way to scale cybersecurity strategies. And with the C-suite expecting risk management reductions to be measured financially, cyber-resilience is the best direction forward. 

Additional sources of information:

Bloomberg, Microsoft’s New Security Chief Looks to AI to Fight Hackers: Q&A, September 23, 2022

Capgemini, Reinventing Cybersecurity with Artificial Intelligence: The new frontier in digital security podcast 

Gartner’s Market Guide for AI Trust, Risk and Security Management, January 2023

IBM, AI Guide for CISOs, Artificial intelligence (AI) for cybersecurity

McKinsey & Company, The unsolved opportunities for cybersecurity providers, January 5, 2022


Ransomware attackers finding new ways to weaponize old vulnerabilities


Ransomware attackers are finding new ways to exploit organizations’ security weaknesses by weaponizing old vulnerabilities.

Combining long-standing ransomware attack tools with the latest AI and machine learning technologies, organized crime syndicates and advanced persistent threat (APT) groups continue to out-innovate enterprises.

A new report from Cyber Security Works (CSW), Ivanti, Cyware and Securin reveals ransomware’s devastating toll on organizations globally in 2022. And 76% of the vulnerabilities currently being exploited by ransomware groups were first discovered between 2010 and 2019.

Ransomware topping agenda for CISOs, world leaders alike

The 2023 Spotlight Report titled “Ransomware Through the Lens of Threat and Vulnerability Management” identified 56 new vulnerabilities associated with ransomware threats in 2022, reaching a total of 344 — a 19% increase over the 288 that had been discovered as of 2021. It also found that out of 264 old vulnerabilities, 208 have exploits that are publicly available. 



There are 160,344 vulnerabilities listed in the National Vulnerability Database (NVD), of which 3.3% (5,330) belong to the most dangerous exploit types — remote code execution (RCE) and privilege escalation (PE). Of the 5,330 weaponized vulnerabilities, 344 are associated with 217 ransomware families and 50 advanced persistent threat (APT) groups, making them extremely dangerous.

Ransomware attackers actively search the dark web for 180 vulnerabilities associated with ransomware. In the last quarter of 2022, these groups used ransomware to exploit 21 vulnerabilities. Source: 2023 Spotlight Report: Ransomware Through the Lens of Threat and Vulnerability Management

“Ransomware is top of mind for every organization, whether in the private or public sector,” said Srinivas Mukkamala, chief product officer at Ivanti. “Combating ransomware has been placed at the top of the agenda for world leaders because of the rising toll being placed on organizations, communities and individuals. It is imperative that all organizations truly understand their attack surface and provide layered security to their organization so they can be resilient in the face of increasing attacks.”

What ransomware attackers know 

Well-funded organized-crime and APT groups dedicate members of their teams to studying attack patterns and old vulnerabilities they can target undetected. The 2023 Spotlight Report finds that ransomware attackers routinely fly under popular vulnerability scanners’ radar, including those of Nessus, Nexpose and Qualys. Attackers choose which older vulnerabilities to attack based on how well they can avoid detection. 

The study identified 20 vulnerabilities associated with ransomware for which plugins and detection signatures aren’t yet available. The study’s authors point out that those include all vulnerabilities associated with ransomware that they identified in their analysis during the past quarter, with two new additions — CVE-2021-33558 (Boa) and CVE-2022-36537 (Zkoss).

VentureBeat has learned that ransomware attackers also prioritize finding companies’ cyber-insurance policies and their coverage limits. They demand ransom in the amount of the company’s maximum coverage. This finding jibes with a recently recorded video interview from Paul Furtado, VP analyst, Gartner. Ransomware Attacks: What IT Leaders Need to Know to Fight shows how pervasive this practice is and why weaponizing old vulnerabilities is so popular today.

Furtado said that “bad actors were asking for a $2 million ransomware payment. [The victim] told the bad actors they didn’t have the $2 million. In turn, the bad actors then sent them a copy of their insurance policy that showed they had coverage.

“One thing you’ve got to understand with ransomware, unlike any other sort of security incident that occurs, it puts your business on a countdown timer.”

Weaponized vulnerabilities spreading fast

Mid-sized organizations tend to get hit the hardest by ransomware attacks because with small cybersecurity budgets they can’t afford to add staff just for security.

Sophos’ latest study found that companies in the manufacturing sector pay the highest ransoms, reaching $2,036,189, significantly above the cross-industry average of $812,000. Through interviews with mid-tier manufacturers’ CEOs and COOs, VentureBeat has learned that ransomware attacks reached digital pandemic levels across North America last year and continue growing.

Ransomware attackers choose soft targets and launch attacks when it’s most difficult for the IT staff of a mid-tier or small business to react. “Seventy-six percent of all ransomware attacks will happen after business hours. Most organizations that get hit are targeted subsequent times; there’s an 80% chance that you will be targeted again within 90 days. Ninety percent of all ransomware attacks are hitting companies with less than a billion dollars in revenue,” Furtado advised in the video interview.

Cyberattackers know what to look for

Identifying older vulnerabilities is the first step in weaponizing them. The study’s most noteworthy findings illustrate how sophisticated organized crime and APT groups are becoming at finding the weakest vulnerabilities to exploit. Here are a few of the many examples from the report:  

Kill chains impacting widely adopted IT products

Mapping all 344 vulnerabilities associated with ransomware, the research team identified the 57 most dangerous vulnerabilities that could be exploited, from initial access to exfiltration. A complete MITRE ATT&CK kill-chain mapping now exists for those 57 vulnerabilities.

Ransomware groups can use kill chains to exploit vulnerabilities that span 81 products from vendors such as Microsoft, Oracle, F5, VMware, Atlassian, Apache and SonicWall.

A MITRE ATT&CK kill chain is a model where each stage of a cyberattack can be defined, described and tracked, visualizing each move made by the attacker. Each tactic described within the kill chain has multiple techniques to help an attacker accomplish a specific goal. This framework also has detailed procedures for each technique, and catalogs the tools, protocols and malware strains used in real-world attacks.

Security researchers use these frameworks to understand attack patterns, detect exposures, evaluate current defenses and track attacker groups.

APT groups launching ransomware attacks more aggressively

CSW observed more than 50 APT groups launching ransomware attacks, a 51% increase from 33 in 2020. Four APT groups — DEV-023, DEV-0504, DEV-0832 and DEV-0950 — were newly associated with ransomware in Q4 2022 and mounted crippling attacks.

The report finds that one of the most dangerous trends is the deployment of malware and ransomware as a precursor to an actual physical war. Early in 2022, the research team saw the war between Russia and Ukraine escalate, with APT groups including Gamaredon (Primitive Bear), Nobelium (APT29), Wizard Spider (Grim Spider) and Ghostwriter (UNC1151) targeting Ukraine’s critical infrastructure.

The research team also saw Conti ransomware operators openly declaring their allegiance to Russia and attacking the US and other countries that have supported Ukraine. We believe this trend will continue to grow. As of December 2022, 50 APT groups are using ransomware as a weapon of choice. Among them, Russia still leads the pack with 11 confirmed threat groups that claim origin in and affiliations with the country. Among the most notorious from this region are APT28/APT29.

Ten new APT Groups started operating last year, each concentrating on a specific strain of ransomware they’re using to weaponize long-standing vulnerabilities worldwide. Source: 2023 Spotlight Report: Ransomware Through the Lens of Threat and Vulnerability Management

Many enterprise software products affected by open-source issues

Reusing open-source code in software products replicates vulnerabilities, such as the one found in Apache Log4j. For example, CVE-2021-45046, an Apache Log4j vulnerability, is present in 93 products from 16 vendors. AvosLocker ransomware exploits it. Another Apache Log4j vulnerability, CVE-2021-45105, is present in 128 products from 11 vendors and is also exploited by AvosLocker ransomware.  

Additional analysis of CVEs by the research team highlights why ransomware attackers succeed in weaponizing ransomware at scale. Some CVEs cover many of the leading enterprise software platforms and applications.

One is CVE-2018-363, a vulnerability in 26 vendors and 345 products. Notable among those vendors are Red Hat, Oracle, Amazon, Microsoft, Apple and VMware.

This vulnerability exists in many products, including Windows Server and Enterprise Linux Server, and is associated with the Stop ransomware. The research team found this vulnerability trending on the internet late last year. 

CVE-2021-44228 is another Apache Log4j vulnerability. It’s present in 176 products from 21 vendors, notably Oracle, Red Hat, Apache, Novell, Amazon, Cisco and SonicWall. This RCE vulnerability is exploited by six ransomware gangs: AvosLocker, Conti, Khonsari, Night Sky, Cheerscrypt and TellYouThePass.

This vulnerability, too, is a point of interest for hackers, and was found trending as of December 10, 2022, which is why CISA has included it as part of the CISA KEV catalog.

Ransomware a magnet for experienced attackers

Cyberattacks using ransomware are becoming more lethal and more lucrative, attracting the most sophisticated and well-funded organized crime and APT groups globally. “Threat actors are increasingly targeting flaws in cyber-hygiene, including legacy vulnerability management processes,” Ivanti’s Mukkamala told VentureBeat. “Today, many security and IT teams struggle to identify the real-world risks that vulnerabilities pose and, therefore, improperly prioritize vulnerabilities for remediation.

“For example,” he continued, “many only patch new vulnerabilities or those disclosed in the NVD. Others only use the Common Vulnerability Scoring System (CVSS) to score and prioritize vulnerabilities.”
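The prioritization gap Mukkamala describes (patching only new or high-CVSS items) and the SLA-compliance view mentioned earlier for Ivanti Neurons for Patch Intelligence, as one added example that is not code from Ivanti or any other vendor. CVE-2021-44228 and CVE-2022-36537 are identifiers the page cites; every score, flag, date, weight and SLA window below is constructed for the example, not looked up, and the two placeholder CVE names are obviously hypothetical.

```python
"""Risk-based patch prioritization versus CVSS-only ordering, with SLA tracking (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Vuln:
    cve: str
    cvss: float
    ransomware_linked: bool          # tied to a ransomware family in threat intelligence
    in_kev: bool                     # listed in CISA's Known Exploited Vulnerabilities catalog
    exploit_public: bool             # a public exploit exists
    asset_criticality: int           # 1 low, 2 normal, 3 crown-jewel (from the asset inventory)
    patch_available: Optional[date]  # None: the vendor fix has not shipped yet


# Constructed inventory: the flags, scores and dates are illustrative values only.
INVENTORY = [
    Vuln("CVE-2021-44228", 10.0, True, True, True, 3, date(2021, 12, 10)),
    Vuln("CVE-2022-36537", 7.5, True, True, True, 2, date(2022, 5, 5)),
    Vuln("CVE-NEW-PLACEHOLDER", 9.8, False, False, False, 3, date(2023, 2, 25)),
    Vuln("CVE-UNPATCHED-PLACEHOLDER", 6.5, True, False, True, 2, None),
]

# Constructed weights: evidence of real-world exploitation outweighs raw severity.
BONUS = {"ransomware_linked": 4.0, "in_kev": 3.0, "exploit_public": 2.0}
CRITICALITY_FACTOR = {1: 0.75, 2: 1.0, 3: 1.5}
# Constructed SLA policy (days to patch), keyed by risk tier rather than CVSS alone.
SLA_DAYS = {"exploited": 14, "critical": 30, "high": 60, "moderate": 180}


def risk_score(v: Vuln) -> float:
    """CVSS plus exploitation evidence, scaled by how important the affected asset is."""
    score = v.cvss + sum(bonus for flag, bonus in BONUS.items() if getattr(v, flag))
    return round(score * CRITICALITY_FACTOR[v.asset_criticality], 1)


def risk_tier(v: Vuln) -> str:
    """Anything known to be exploited is top tier, whatever its CVSS score."""
    if v.in_kev or v.ransomware_linked:
        return "exploited"
    if v.cvss >= 9.0:
        return "critical"
    if v.cvss >= 7.0:
        return "high"
    return "moderate"


def cvss_only_order(vulns):
    """The ordering a CVSS-only process produces."""
    return [v.cve for v in sorted(vulns, key=lambda v: -v.cvss)]


def risk_order(vulns):
    """The ordering a risk-based process produces."""
    return [v.cve for v in sorted(vulns, key=lambda v: -risk_score(v))]


def sla_status(v: Vuln, today: date) -> str:
    """'no-patch' needs a compensating control rather than an SLA clock; otherwise
    compare the days since the fix shipped with the tier's SLA window."""
    if v.patch_available is None:
        return "no-patch"
    age_days = (today - v.patch_available).days
    return "breached" if age_days > SLA_DAYS[risk_tier(v)] else "within-sla"


def sla_report(vulns, today: date) -> dict:
    """Dashboard-style view: per CVE, its risk tier and SLA status as of `today`."""
    return {v.cve: (risk_tier(v), sla_status(v, today)) for v in vulns}
```

Run against the constructed inventory, CVSS-only ordering puts the unexploited 9.8 above the ransomware-linked 7.5; the risk-based ordering reverses them, which is the difference the quote is pointing at.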

Ransomware attackers continue to look for new ways to weaponize old vulnerabilities. The many insights shared in the 2023 Spotlight Report will help CISOs and their security teams prepare as attackers seek to deliver more lethal ransomware payloads that evade detection — and demand larger ransomware payments.
