Cloud CISO Perspectives: Late April 2023

Welcome to the second Cloud CISO Perspectives for April 2023. This is our first month moving to a twice-monthly cadence, with a guest column today from my friend and the CEO of Mandiant, Kevin Mandia. 

Mandiant, the company Kevin founded in 2004, was acquired by Google last year. At the RSA Conference 2023 in San Francisco this week, Mandiant and Google Cloud had a unified presence at cybersecurity’s largest event for the first time. 

We’re excited to bring our joint capabilities, products, and expertise together to help our customers better defend their organizations against today’s rapidly-changing threat landscape. In his column below, Kevin discusses the challenges of the past year and how the security community is responding.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

 — Phil Venables

The view from RSA Conference 2023: Responding to the evolving threat landscape

By Kevin Mandia, CEO, Mandiant – Google Cloud

Each year, the RSA Conference provides the backdrop for discussions on the issues shaping cybersecurity, and never was this more important than in 2023. In my RSA Conference keynote, I talked about the challenges of the past year and how the community is responding.

Conflict and macro-economic pressures fostered the evolution of cyber attacks — as well as new approaches that will help address an increasingly challenging threat landscape.

The Mandiant team — now part of Google Cloud — brings a particularly valuable perspective to these developments shaping the future of cybersecurity. Our consultants have responded to more than 1,000 cyber intrusions in the last year, and together with our threat intelligence analysts, we are investigating and analyzing the latest attacks and threats, and learning how best to respond to and mitigate them.

The reach and resources of Google Cloud — and their commitment to innovation exemplified with this week’s cloud security AI news — promises to further enable our unified team to make an even greater impact on our understanding of today’s threat landscape. Together, we can also deliver more insights into the attacker techniques and the defenses that should be employed by security operators.

In my keynote, I provided some details on the work of our consultants, which took place across 53 countries in 2022. We conducted 1,163 intrusion investigations, discovered 588 malware families, identified 913 new threat groups, and found 265 new threat groups via investigations. We also witnessed a rise in cyber espionage from nation-state-backed actors.

I reported on the state of zero days — vulnerabilities that were exploited in the wild before a patch was made publicly available. Mandiant identified 55 zero-day vulnerabilities exploited in 2022. While this is lower than the record-breaking 81 zero days exploited in 2021, it still represents a 200 percent increase compared to 2020. Chinese state-sponsored cyber espionage groups exploited more zero days than other cyber espionage actors in 2022.

On a positive note, we saw a decrease in the global median dwell time, which is calculated as the median number of days an attacker is present in a target’s environment before being detected. This number continues to drop year-over-year, down to 16 days in 2022. This is the shortest median global dwell time since we began reporting on this measure of cybersecurity effectiveness, a marked improvement over median dwell time of 21 days in 2021 and 24 days in 2020.

We also observed that organizations were notified of breaches by external entities in 63 percent of incidents, up from 47 percent the previous year. 

This tells us that, while we continue to face significant challenges, our industry is getting better at cybersecurity and organizations globally have made progress in strengthening their defenses. But we cannot let our guard down. We have seen that attackers do not rest — and that they are increasingly sophisticated and well-funded. 

We are also finding that attackers have caused bigger impacts with fewer technical skills, resulting in extortion, data theft, stolen intellectual property, and significant reputational damage. This speaks to another trend: the increasing involvement of board directors and senior executives who are traditionally called on to address these organizational risks. Board directors and business leaders are increasingly interested in becoming better educated on the cyber risks they face, better informed on the latest attacker trends to drive security investments, and ultimately better prepared for cyber threats. 

This creates another challenge: While CISOs are well-versed in cybersecurity, other senior leaders often lack the understanding needed to address the challenges their organizations face today. Communications with executives are often ineffective due to a disconnect between the material presented regarding unique threats and risks to the organization, along with meaningful metrics, key performance indicators, and expected outcomes. 

Even the most experienced CISOs benefit from outside perspective and assistance with high-priority projects and breach management to ensure mission success, and the cybersecurity community needs to provide board directors and business leaders with the support they need. We must help them gain knowledge of vital cybersecurity concepts so they can bolster CISO capabilities and enable them to become more involved in assessments of breach response proficiency.

Here are some fundamental questions and conversations that boards and leadership should address with their CISOs:  

Are we prepared to detect and respond to the most common malware, exploits, and initial infection vectors such as phishing? 

What is our protocol when we are notified by a third-party that we are potentially compromised? 

Have we taken steps to harden our systems against destructive and disruptive attacks? 

How prepared are we to deal with the financial threats most relevant to our organization?

How are we minimizing the risk of social engineering and other similar threats from reaching our employees? 

What programs do we have to protect our employees, especially executives and highly visible employees, from these types of attacks? 

How would we react if proprietary information or a client’s personally identifiable information was stolen and used as extortion against us? 

Do we have full visibility into exactly how our organization is using the cloud, and are we testing our cloud architecture deployments?

What are we doing to track and patch vulnerabilities in our networks? 

How are we using current threat intelligence to inform decisions?

Organizations must remain vigilant and relentless in their efforts to enhance their cybersecurity posture with modern cyber defense capabilities in order to combat today’s evolving and sophisticated adversaries. 

I shared one more encouraging reality: Organizations know more about the topology, the infrastructure, and the vulnerabilities of their own networks. These are advantages they should use to prevent, detect, and recover from attacks.

With this knowledge — and the frontline insights, expertise, and innovation we can bring to the battle — organizations can improve their cyber readiness. 

Google Cloud + Mandiant news from the RSA Conference

At the RSA Conference in San Francisco this week, we led and participated in more than a dozen panels, hosted at least four events, and discussed how we can improve security for all in countless conversations. We also made announcements centered on our new Security AI Workbench and Confidential Computing. 

Why AI: Can new tech help security solve toil, threat overload, and the talent gap? At Google Cloud, we believe that machine learning and artificial intelligence can significantly lighten the burden of — and possibly even eliminate — security’s thorniest problems. Here’s how.

Supercharging security with generative AI: We introduced Google Cloud Security AI Workbench and how it will be integrated into Google Cloud. Security AI Workbench is an industry-first, extensible platform powered by a specialized LLM, Sec-PaLM, that leverages our unsurpassed security intelligence, including Google’s visibility into the threat landscape and Mandiant’s frontline intelligence on vulnerabilities, malware, threat indicators, and behavioral threat actor profiles. Read more.

Introducing AI-powered insights in Threat Intelligence: Learn how we plan to use Security AI Workbench to bolster Mandiant Threat Intelligence. Read more.

Empowering threat analysis with generative AI: Security AI Workbench has already been integrated into VirusTotal, with our new Code Insight. Read more.

Introducing AI-powered risk summaries in Security Command Center: Security AI Workbench will bring generative AI to Security Command Center Premium’s new attack path simulation. Read more.

Introducing AI-powered investigation in Chronicle: Chronicle Security Operations customers will be able to search security events and interact conversationally with the results, all without learning a new syntax or schema, thanks to Security AI Workbench. Read more.

API abuse detection powered by machine learning: We’re making it easier to detect API abuse with the introduction of Advanced API Security abuse-detection dashboards, powered by machine learning. Read more.

Google Cloud expands its security partner ecosystem: We’re opening our security products to integrations with partners, and offering new plug-ins for other vendors’ tools. Read more.

Accelerating cybersecurity resilience with Accenture: Accenture’s Managed Detection and Response service is now powered by Chronicle Security Operations, Mandiant Threat Intelligence, and will take advantage of Security AI Workbench. Learn more.

How Google and Intel make Confidential Computing more secure: Google Project Zero partnered with Intel to audit Intel TDX’s hardware and firmware security, the technology that makes confidential computing possible. Read more.

How Confidential Computing can transform cloud security: Confidential Space is now in general availability, and our Confidential Computing services are widely available across 80% of Google Cloud regions — and growing. Read more.

Oh SNP! VMs get even more confidential: We’ve added more hardware-based security protections to Confidential VMs, including memory integrity and register state encryption. These have been built into our next generation Confidential VMs featuring AMD Infinity Guard technologies like Secure Encrypted Virtualization Secure Nested Paging (SEV-SNP) technology, which are now available in private Preview on general purpose N2D machines. Read more.

Google named a Leader in Forrester Wave™ IaaS Platform Native Security: Forrester Research has named Google Cloud a Leader in The Forrester Wave™: IaaS Platform Native Security, Q2 2023 report. Read more.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams: 

Get ready for Google Cloud Next: Discounted early-bird registration for Google Cloud Next ‘23 is open now. This year’s Next comes at an exciting time, with the emergence of generative AI, breakthroughs in cybersecurity, and more. It’s clear that there has never been a better time to work in the cloud industry. Register now.

M-Trends 2023: Why business leaders need to read this year’s in-depth report: Mandiant’s annual M-Trends report has arrived for 2023. Here’s three key lessons that can help business leaders better understand the security and threat landscapes. Read more.

3CX software supply chain compromise: In March 2023, Mandiant Consulting responded to a supply chain compromise that affected 3CX Desktop App software, the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack. Read more.

I hate IAM (but I desperately need it): While Identity Access Management brings headaches, it can also enable much stronger policies for securing your cloud infrastructure. Want to learn how to maximize its benefits and minimize the stress? Read more.

Take control of your supply chain with Artifact Registry: Remote and virtual repositories from Google Cloud Artifact Registry can help add assurance to your software supply chain. Here’s how.

Chrome’s Secure Enterprise Browsing adds new protections: Google Chrome’s Secure Enterprise Browsing adds three new capabilities for data loss prevention (DLP), new extension risk assessments, and two new security event notifications. Read more.

Google Cloud Security Podcasts

We launched a weekly podcast focusing on Cloud Security in February 2021. Hosts Anton Chuvakin and Timothy Peacock chat with cybersecurity experts about the most important and challenging topics facing the industry today. Earlier this month, they discussed:

At RSA: How to protect your organization amidst political turmoil: We’re seeing more cyber activity taking place in the context of geopolitical events. Shanyn Ronis, head of the Mandiant Communication Center, and John Miller, head of Mandiant Intelligence Analysis, discuss at the RSA Conference how best to understand threat intelligence and how organizations can know when they’re successful. Listen here.

How small teams can take an engineering-centered approach to cloud: What does it mean to adopt an “engineering-centered approach” to cybersecurity for a small organization? We discuss this approach with Maxime Lamothe-Brassard, founder of LimaCharlie. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back at the end of the month with more security-related updates.