<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: Cyber security news April 2021</title>
	<atom:link href="http://www.epanorama.net/blog/2021/04/01/cyber-security-news-april-2021/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2021/04/01/cyber-security-news-april-2021/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Wed, 22 Apr 2026 15:53:53 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: gemmalyly</title>
		<link>https://www.epanorama.net/blog/2021/04/01/cyber-security-news-april-2021/comment-page-6/#comment-1795039</link>
		<dc:creator><![CDATA[gemmalyly]]></dc:creator>
		<pubDate>Wed, 08 Feb 2023 08:13:02 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/blog/?p=188177#comment-1795039</guid>
		<description><![CDATA[The study by Trend Micro on cloud-based cryptocurrency mining reveals the groupings of bad actors active in this market &lt;a href=&quot;https://contextowordle.co&quot; rel=&quot;nofollow&quot;&gt;contexto&lt;/a&gt;, their continuing conflict over cloud resources, and the precise scope of their attacks.]]></description>
		<content:encoded><![CDATA[<p>The study by Trend Micro on cloud-based cryptocurrency mining reveals the groupings of bad actors active in this market <a href="https://contextowordle.co" rel="nofollow">contexto</a>, their continuing conflict over cloud resources, and the precise scope of their attacks.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: waffle game</title>
		<link>https://www.epanorama.net/blog/2021/04/01/cyber-security-news-april-2021/comment-page-6/#comment-1777459</link>
		<dc:creator><![CDATA[waffle game]]></dc:creator>
		<pubDate>Fri, 19 Aug 2022 06:41:37 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/blog/?p=188177#comment-1777459</guid>
		<description><![CDATA[The tips that the article gives have helped me a lot in my daily work. I&#039;m sure everyone will find it useful]]></description>
		<content:encoded><![CDATA[<p>The tips that the article gives have helped me a lot in my daily work. I&#8217;m sure everyone will find it useful</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2021/04/01/cyber-security-news-april-2021/comment-page-6/#comment-1710779</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sun, 16 May 2021 08:17:53 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/blog/?p=188177#comment-1710779</guid>
		<description><![CDATA[A software bug let malware bypass macOS’ security defenses
https://techcrunch.com/2021/04/26/shlayer-mac-malware-macos-security/]]></description>
		<content:encoded><![CDATA[<p>A software bug let malware bypass macOS’ security defenses<br />
<a href="https://techcrunch.com/2021/04/26/shlayer-mac-malware-macos-security/" rel="nofollow">https://techcrunch.com/2021/04/26/shlayer-mac-malware-macos-security/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2021/04/01/cyber-security-news-april-2021/comment-page-6/#comment-1710778</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sun, 16 May 2021 08:17:17 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/blog/?p=188177#comment-1710778</guid>
		<description><![CDATA[Hacker dumps sensitive household records of 250M Americans
https://www.hackread.com/hacker-dumps-household-records-of-americans/]]></description>
		<content:encoded><![CDATA[<p>Hacker dumps sensitive household records of 250M Americans<br />
<a href="https://www.hackread.com/hacker-dumps-household-records-of-americans/" rel="nofollow">https://www.hackread.com/hacker-dumps-household-records-of-americans/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2021/04/01/cyber-security-news-april-2021/comment-page-6/#comment-1710731</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sun, 16 May 2021 06:51:51 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/blog/?p=188177#comment-1710731</guid>
		<description><![CDATA[https://www.bleepingcomputer.com/news/security/new-stealthy-linux-malware-used-to-backdoor-systems-for-years/]]></description>
		<content:encoded><![CDATA[<p><a href="https://www.bleepingcomputer.com/news/security/new-stealthy-linux-malware-used-to-backdoor-systems-for-years/" rel="nofollow">https://www.bleepingcomputer.com/news/security/new-stealthy-linux-malware-used-to-backdoor-systems-for-years/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2021/04/01/cyber-security-news-april-2021/comment-page-6/#comment-1709692</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 05 May 2021 07:14:22 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/blog/?p=188177#comment-1709692</guid>
		<description><![CDATA[What Cybersecurity Can Learn From Video Games
https://www.securityweek.com/what-cybersecurity-can-learn-video-games

The enterprise security world is complex and confusing where we want to believe in the possibility of clean linear solutions for asymmetrical problems. Learning from past history and our current challenges should be enough of a lesson in the failure of security processes and products not delivering in their attempts to make the day-to-day routine of security professional lives easier. Each year we see more vendors with technology solutions and buzzwords that rarely live up to their hype and customers willing to believe or gamble for the chance at more visibility, lower business risk, or the chance to close a security gap. 

Buzzword bingo

Let&#039;s go through some historical examples. 

&quot;Big Data&quot; has been a boon to cybersecurity from the aspect of providing the ability to aggregate and store voluminous and disparate data sets. Still, getting value from that stored data has been problematic. Storing data has become more trivial, but making sense of all that data still challenges us today.

&quot;Security Orchestration&quot; was supposed to be another savior of cybersecurity by automating away mundane tasks and supplementing security teams’ bandwidth to make the hard decisions easier. The reality is these solutions were too difficult to be implemented by most customers because their technical interfaces required more software engineering skills than security skills. This created more opportunities in the security services industry than in enterprise security, with MSPs being more than happy to provide python developers to their customers to make their expensive and unwieldy orchestration solution work.

&quot;ML/AI&quot; - don&#039;t even get me started. While there are hopeful pockets of activity in the security industry here, a good majority of security vendors are more interested in applying AI/ML-themed marketing sheens on the product rather than actually putting useful working ML/AI in the product. 

Video Games and Cybersecurity

&quot;Cloud Security&quot; suffered from rampantly fast public cloud adoption by businesses and left enterprise security teams, and vendors for that matter, in the familiar position of playing from behind. Enterprise security teams scrambled to catch up with their business counterparts in securing the gaps created by cloud adoption. Initial cloud security vendors rushed to market trying to provide products to address these gaps, but many ended up with a narrow focus on product functionality or fell into the trap of trying to support multiple cloud service providers, which diluted the offering or made it unable to scale.

There are more examples, of course, but regardless of the security gap trying to be filled by a solution, the attention paid to helping the human behind the keyboard with better design and usability has always been overshadowed by more and better technological solutions with the focus on detection, integration, automation, and other security product ‘check boxes’ to increase their revenue. 

Learning from outside cybersecurity

From a design and usability perspective, it’s important to understand what is happening outside of cybersecurity to learn valuable lessons which can be adapted for our purposes. If you look outside of the cybersecurity realm you’ll find many examples where design and usability are key to the success of the industry. 

Why is this important to enterprise security? If cybersecurity tools were less designed to look like Microsoft Office applications and more designed to enable the user, would interest and engagement with the tool increase?

Another perspective to think about comes from academic researcher Lori Norton-Meier in a 2005 article where she said, &quot;The video game has the potential to push an individual to learn and think cognitively, socially, and morally. Players actively create new virtual worlds; participate in complex decision-making; and think reflectively about choices that were made, including the design of the game.&quot;

Let us remove video game references and insert cybersecurity terms and see how it reads: “Cybersecurity has the potential to push an individual to learn and think cognitively, socially, and morally. Security teams actively investigate networks; participate in complex decision-making; and think reflectively about choices that were made, including the design for the defense of their network.”

If someone told me the second quote, but not the first, I’d find the statement insightful. How much of this quote is relevant to:  

• What we expect of our more experienced enterprise security professionals, and 

• How we can better teach and upskill our less experienced enterprise security professionals?

Another perspective comes from a 2018 McAfee cybersecurity survey. Out of 300 managers and 650 security professionals, it was found that 92% believed skills fostered by video games - such as tenacity, logic, and predicting hostile strategies - could make the gaming community an ideal, untapped reservoir of candidates for the current staffing shortages in enterprise security.]]></description>
		<content:encoded><![CDATA[<p>What Cybersecurity Can Learn From Video Games<br />
<a href="https://www.securityweek.com/what-cybersecurity-can-learn-video-games" rel="nofollow">https://www.securityweek.com/what-cybersecurity-can-learn-video-games</a></p>
<p>The enterprise security world is complex and confusing where we want to believe in the possibility of clean linear solutions for asymmetrical problems. Learning from past history and our current challenges should be enough of a lesson in the failure of security processes and products not delivering in their attempts to make the day-to-day routine of security professional lives easier. Each year we see more vendors with technology solutions and buzzwords that rarely live up to their hype and customers willing to believe or gamble for the chance at more visibility, lower business risk, or the chance to close a security gap. </p>
<p>Buzzword bingo</p>
<p>Let&#8217;s go through some historical examples. </p>
<p>&#8220;Big Data&#8221; has been a boon to cybersecurity from the aspect of providing the ability to aggregate and store voluminous and disparate data sets. Still, getting value from that stored data has been problematic. Storing data has become more trivial, but making sense of all that data still challenges us today.</p>
<p>&#8220;Security Orchestration&#8221; was supposed to be another savior of cybersecurity by automating away mundane tasks and supplementing security teams’ bandwidth to make the hard decisions easier. The reality is these solutions were too difficult to be implemented by most customers because their technical interfaces required more software engineering skills than security skills. This created more opportunities in the security services industry than in enterprise security, with MSPs being more than happy to provide python developers to their customers to make their expensive and unwieldy orchestration solution work.</p>
<p>&#8220;ML/AI&#8221; &#8211; don&#8217;t even get me started. While there are hopeful pockets of activity in the security industry here, a good majority of security vendors are more interested in applying AI/ML-themed marketing sheens on the product rather than actually putting useful working ML/AI in the product. </p>
<p>Video Games and Cybersecurity</p>
<p>&#8220;Cloud Security&#8221; suffered from rampantly fast public cloud adoption by businesses and left enterprise security teams, and vendors for that matter, in the familiar position of playing from behind. Enterprise security teams scrambled to catch up with their business counterparts in securing the gaps created by cloud adoption. Initial cloud security vendors rushed to market trying to provide products to address these gaps, but many ended up with a narrow focus on product functionality or fell into the trap of trying to support multiple cloud service providers, which diluted the offering or made it unable to scale.</p>
<p>There are more examples, of course, but regardless of the security gap trying to be filled by a solution, the attention paid to helping the human behind the keyboard with better design and usability has always been overshadowed by more and better technological solutions with the focus on detection, integration, automation, and other security product ‘check boxes’ to increase their revenue. </p>
<p>Learning from outside cybersecurity</p>
<p>From a design and usability perspective, it’s important to understand what is happening outside of cybersecurity to learn valuable lessons which can be adapted for our purposes. If you look outside of the cybersecurity realm you’ll find many examples where design and usability are key to the success of the industry. </p>
<p>Why is this important to enterprise security? If cybersecurity tools were less designed to look like Microsoft Office applications and more designed to enable the user, would interest and engagement with the tool increase?</p>
<p>Another perspective to think about comes from academic researcher Lori Norton-Meier in a 2005 article where she said, &#8220;The video game has the potential to push an individual to learn and think cognitively, socially, and morally. Players actively create new virtual worlds; participate in complex decision-making; and think reflectively about choices that were made, including the design of the game.”</p>
<p>Let us remove video game references and insert cybersecurity terms and see how it reads: “Cybersecurity has the potential to push an individual to learn and think cognitively, socially, and morally. Security teams actively investigate networks; participate in complex decision-making; and think reflectively about choices that were made, including the design for the defense of their network.”</p>
<p>If someone told me the second quote, but not the first, I’d find the statement insightful. How much of this quote is relevant to:  </p>
<p>• What we expect of our more experienced enterprise security professionals, and </p>
<p>• How we can better teach and upskill our less experienced enterprise security professionals?</p>
<p>Another perspective comes from a 2018 McAfee cybersecurity survey. Out of 300 managers and 650 security professionals, it was found that 92% believed skills fostered by video games &#8211; such as tenacity, logic, and predicting hostile strategies &#8211; could make the gaming community an ideal, untapped reservoir of candidates for the current staffing shortages in enterprise security.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2021/04/01/cyber-security-news-april-2021/comment-page-6/#comment-1709691</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 05 May 2021 07:12:18 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/blog/?p=188177#comment-1709691</guid>
		<description><![CDATA[Qualys Flags Gaping Security Holes in Exim Mail Server
https://www.securityweek.com/qualys-flags-gaping-security-holes-exim-mail-server]]></description>
		<content:encoded><![CDATA[<p>Qualys Flags Gaping Security Holes in Exim Mail Server<br />
<a href="https://www.securityweek.com/qualys-flags-gaping-security-holes-exim-mail-server" rel="nofollow">https://www.securityweek.com/qualys-flags-gaping-security-holes-exim-mail-server</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2021/04/01/cyber-security-news-april-2021/comment-page-6/#comment-1709690</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 05 May 2021 07:12:01 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/blog/?p=188177#comment-1709690</guid>
		<description><![CDATA[Belgian Government, Parliament, Colleges Hit by Cyberattack
https://www.securityweek.com/belgian-government-parliament-colleges-hit-cyberattack

The company providing internet services for Belgium’s parliament, government agencies, universities and scientific institutions said Tuesday that its network was under cyberattack, with connections to several customers disrupted.

Belnet said in a statement the attack “is still in progress and takes place in successive waves. Our teams are working hard to mitigate them.” The company has around 200 customers.

Two hours later it said “the effect of the attack seems to be diminishing,” but provided no other details.]]></description>
		<content:encoded><![CDATA[<p>Belgian Government, Parliament, Colleges Hit by Cyberattack<br />
<a href="https://www.securityweek.com/belgian-government-parliament-colleges-hit-cyberattack" rel="nofollow">https://www.securityweek.com/belgian-government-parliament-colleges-hit-cyberattack</a></p>
<p>The company providing internet services for Belgium’s parliament, government agencies, universities and scientific institutions said Tuesday that its network was under cyberattack, with connections to several customers disrupted.</p>
<p>Belnet said in a statement the attack “is still in progress and takes place in successive waves. Our teams are working hard to mitigate them.” The company has around 200 customers.</p>
<p>Two hours later it said “the effect of the attack seems to be diminishing,” but provided no other details.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2021/04/01/cyber-security-news-april-2021/comment-page-6/#comment-1709689</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 05 May 2021 07:09:35 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/blog/?p=188177#comment-1709689</guid>
		<description><![CDATA[New Variant of Buer Malware Loader Written in Rust to Evade Detection
https://www.securityweek.com/new-variant-buer-malware-loader-written-rust-evade-detection

A new variant of the Buer malware loader has been detected, written in Rust. The original version is written in C. Rust is efficient, easy-to-use, and an increasingly popular programming language – Microsoft uses it, and joined the Rust Foundation in February 2021.

Researchers at Proofpoint identified the new variant in early April 2021, and named it RustyBuer. Like Buer, it works as a downloader to distribute other malware to compromised systems. The most likely reason for the development of a Rust variant is to evade anti-malware detections that are based on features of the malware written in C.]]></description>
		<content:encoded><![CDATA[<p>New Variant of Buer Malware Loader Written in Rust to Evade Detection<br />
<a href="https://www.securityweek.com/new-variant-buer-malware-loader-written-rust-evade-detection" rel="nofollow">https://www.securityweek.com/new-variant-buer-malware-loader-written-rust-evade-detection</a></p>
<p>A new variant of the Buer malware loader has been detected, written in Rust. The original version is written in C. Rust is efficient, easy-to-use, and an increasingly popular programming language – Microsoft uses it, and joined the Rust Foundation in February 2021.</p>
<p>Researchers at Proofpoint identified the new variant in early April 2021, and named it RustyBuer. Like Buer, it works as a downloader to distribute other malware to compromised systems. The most likely reason for the development of a Rust variant is to evade anti-malware detections that are based on features of the malware written in C.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2021/04/01/cyber-security-news-april-2021/comment-page-6/#comment-1709688</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 05 May 2021 07:08:54 +0000</pubDate>
		<guid isPermaLink="false">https://www.epanorama.net/blog/?p=188177#comment-1709688</guid>
		<description><![CDATA[Pulse Secure Ships Belated Fix for VPN Zero-Day
https://www.securityweek.com/pulse-secure-ships-belated-fix-vpn-zero-day

Embattled VPN technology vendor Pulse Secure on Monday updated an “out-of-cycle” advisory with patches for four major security vulnerabilities, including belated cover for an issue that’s already been exploited by advanced threat actors.

The most serious of the four issues — CVE-2021-22893 — covers multiple memory corruption flaws in the Pulse Connect Secure product that could allow remote, unauthenticated code execution attacks via license server web services.

When Pulse Secure released its initial advisory for the bug on April 20, FireEye reported seeing this and three other Pulse Secure VPN appliance vulnerabilities being exploited as an initial access vector by at least two sophisticated threat actors. The CVE-2021-22893 flaw was the only zero-day — the other three Pulse Secure vulnerabilities believed to have been used in these attacks (CVE-2019-11510, CVE-2020-8243 and CVE-2020-8260) were patched in 2019 and 2020. 

The attacks described at the time by FireEye were attributed to two threat groups: UNC2630, which targeted defense industrial base companies in the United States and which has been linked to the Chinese government and a group tracked as APT5; and UNC2717, which targeted global government agencies but which hasn’t been linked to any known threat group. 

FireEye has identified several new malware families associated with the exploitation of Pulse Secure VPN appliances. This malware includes trojans, backdoors and web shells tracked as SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, PULSECHECK, HARDPULSE, QUIETPULSE, and PULSEJUMP.]]></description>
		<content:encoded><![CDATA[<p>Pulse Secure Ships Belated Fix for VPN Zero-Day<br />
<a href="https://www.securityweek.com/pulse-secure-ships-belated-fix-vpn-zero-day" rel="nofollow">https://www.securityweek.com/pulse-secure-ships-belated-fix-vpn-zero-day</a></p>
<p>Embattled VPN technology vendor Pulse Secure on Monday updated an “out-of-cycle” advisory with patches for four major security vulnerabilities, including belated cover for an issue that’s already been exploited by advanced threat actors.</p>
<p>The most serious of the four issues — CVE-2021-22893 — covers multiple memory corruption flaws in the Pulse Connect Secure product that could allow remote, unauthenticated code execution attacks via license server web services.</p>
<p>When Pulse Secure released its initial advisory for the bug on April 20, FireEye reported seeing this and three other Pulse Secure VPN appliance vulnerabilities being exploited as an initial access vector by at least two sophisticated threat actors. The CVE-2021-22893 flaw was the only zero-day — the other three Pulse Secure vulnerabilities believed to have been used in these attacks (CVE-2019-11510, CVE-2020-8243 and CVE-2020-8260) were patched in 2019 and 2020. </p>
<p>The attacks described at the time by FireEye were attributed to two threat groups: UNC2630, which targeted defense industrial base companies in the United States and which has been linked to the Chinese government and a group tracked as APT5; and UNC2717, which targeted global government agencies but which hasn’t been linked to any known threat group. </p>
<p>FireEye has identified several new malware families associated with the exploitation of Pulse Secure VPN appliances. This malware includes trojans, backdoors and web shells tracked as SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, PULSECHECK, HARDPULSE, QUIETPULSE, and PULSEJUMP.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
