InfoSec Insider

2022: Supply-Chain Chronic Pain & SaaS Security Meltdowns

Sounil Yu, CISO at JupiterOne, discusses the growing mesh of integrations between SaaS applications, which enables automated business workflows – and rampant lateral movement by attackers, well outside IT’s purview.

If 2021 was the Year of Supply-Chain Pain, 2022 will be the Year of Supply-Chain Chronic Pain (or something worse than pain). This past year, the pain was felt in two significant ways: through the supply chain disruptions caused by COVID-19, and through the many security breaches that we saw in our key IT suppliers.

Many organizations have been caught off guard by the pervasive and long-lasting repercussions of the supply-chain crunch from COVID-19, exacerbating other supply-chain bottlenecks further downstream, and causing headaches for consumers and missed revenue targets for major corporations. These disruptions are expected to continue through 2022 and beyond.

In a similar way, we should see pervasive and long-lasting repercussions from the many supply-chain security breaches that we suffered through in the last 12 months.

Infosec Insiders Newsletter

We saw how the attacks against SolarWinds and Accellion (both discovered towards the end of 2020), the compromise of Microsoft Exchange shortly thereafter, and the compromise of Codecov were just a launching pad for subsequent attacks against those who were dependent upon these providers.

Throughout 2021, we saw a constant drumbeat of bad news on this front, and ENISA predicts that we may end up seeing four times the number of attacks in 2021 by the time it’s over than we saw in 2020. Like COVID-19 supply chain disruptions, these attacks are not isolated events. We won’t really know the full ramifications of these attacks for some time, but we should anticipate several nasty security-related disruptions as the compounding effects from the 2021 supply-chain compromises rear their ugly head in 2022.

The Need for Improved Governance of SaaS Applications

Most organizations already have a huge dependency on software-as-a-service (SaaS) apps – a trend that was famously accelerated by the shift to a remote workforce during the COVID-19 pandemic. And even though some of the workforce may be returning to the office in the New Year, it is likely that the shift to SaaS applications will continue unabated, if not accelerate, in 2022 thanks to the business agility that is gained through their use. However, this change creates a growing imperative to effectively manage risks from the usage of SaaS applications since our corporate data will follow those applications.

SaaS applications have vastly increased the attack surface; they’re ripe for exploitation due to mass adoption across many organizations. This enables attackers to concentrate their efforts on a handful of SaaS providers to simultaneously impact large numbers of their customers. For instance, in July a ransomware attack paralyzed 1,500 organizations by compromising SaaS-based software from Kaseya, which is used for remote IT management. Experts agree that the Kaseya hack set off a race among criminals searching for similar vulnerabilities.

Obviously, we should expect hackers to continue their attacks on major SaaS platforms with widespread adoption. If the bad guys do uncover vulnerabilities among such high-profile SaaS providers, the resulting exposure to vast amounts of user data could be extremely damaging. It seems clear that this risk from unprotected SaaS apps will continue to present a serious concern for security well into 2022 and beyond.

Beware the Weakest Links of the Business Application Mesh

With the rise of SaaS adoption, we have witnessed the parallel development of a “business application mesh,” which enables organizations to build custom business logic across multiple, disparate SaaS applications. This mesh also enables transitive trust relationships to be created that enable data to move among these SaaS applications without a central authority that has visibility into or governs the movement of this data.

In the past, our IT architecture enabled the enterprise to have a view of how users were interacting with multiple different applications, while remaining at the center of the interactions. But with the business application mesh in place, SaaS applications are connected to each other directly without the enterprise being at the center. GitHub is now automated to interact with Slack on behalf of my organization, for instance. Jira is connected directly with Salesforce. Hubspot sends data to a myriad of other SaaS applications.

The growing network of integrations enable automated business workflows and data exchange. However, this mesh also allows for lateral movement by attackers, and it is largely outside of the purview of the enterprise. In 2022, we should anticipate a number of major breaches stemming from the lack of controls in monitoring these interconnected data paths among SaaS applications.

We can’t be sure if any one widget in the mesh is more vulnerable than any others. But we do know that each component added to the mesh introduces new vulnerabilities. When all that complexity gets added together, it has a multiplier effect on the attack surface with each additional component. The aggregate of the extended mesh becomes the sum of your attack surface – an ever-expanding source of vulnerabilities.

Adding a Vocational Track to Broaden Security Career Paths

Within the cybersecurity industry, the prevailing mindset is that security practitioners are professionals. Thus, a direct consequence of this mindset is that a college degree is required for many cybersecurity jobs. A recent ISC2 report indicates that 86 percent of the current cybersecurity workforce has a bachelor’s degree or higher. Furthermore, a quick search on Indeed.com shows about 46,000 cybersecurity jobs, of which 33,000 (more than 70%) require a degree.

However, many cybersecurity practitioners I know would rightfully argue that a college degree isn’t needed to do most jobs in cybersecurity, and strict adherence to this requirement disqualifies many deserving candidates. But removing the requirement for a college degree begs the question: Are these actually professional jobs, or should they be recast as vocational jobs?

I would argue that these jobs may need to be seen as vocations instead of professions. Although many cybersecurity workers take pride in their professional status, many of their jobs (and thousands of unfilled cybersecurity jobs) are really vocational in nature and could be filled by those with the appropriate level of vocational training. In vocational schools, students focus almost entirely on learning the skills of their trade. By immersing themselves in a particular field, students practice tangible skills they will need and can apply to the workplace. Furthermore, this period of training can happen at an accelerated pace that produces qualified candidates in one to two years, if not within a shorter timeframe.

The security industry has been challenged on multiple fronts over the course of the COVID-19 pandemic. Crippling supply-chain disruptions, massive ransomware attacks, repeated vendor breaches and a shortage of available talent have all combined to make the jobs of security teams much more difficult. Security leaders will need to remain vigilant and strategic to face down these compounding threats in the coming year and beyond.

Sounil Yu is CISO at JupiterOne.

Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.

Suggested articles