The Cybersecurity Pulse (TCP)
📡 Cybersecurity Innovation Pulse #28: SEC Fumbles; CVSS v4; ATT&CK v14; Small Language Models for AppSec; Product Releases and More!
Covering Oct. 26th - Nov. 2nd

Nov 02, 2023

Welcome to Issue 28 of the Cybersecurity Innovation Pulse! I'm Darwin Salazar, your compass to the dynamic world of cybersecurity innovation. Each week, I deliver the latest on product debuts, groundbreaking innovations, strategic collaborations, and other developments at the intersection of innovation and cybersecurity. Digging these updates? Subscribe and get the intel delivered straight to your digital doorstep, ensuring you're always in the loop 🚀

Image: MidJourney.

Intro 🫱🏼‍🫲🏽

It’s November and I’m back in the saddle, feeling refreshed after the Cyversity conference in Orlando, FL! There were tons of new developments in the security industry this past week, as you are probably well aware unless you’ve been living under a rock. Yes, I’m talking about the SEC charges against SolarWinds and its CISO, Tim Brown. Though not really related to innovation, and probably the opposite of it, its significance is too great not to highlight here, so let’s dig into it.

🛰️ Industry Innovation 🛰️

SEC Charges on SolarWinds and its CISO for SUNBURST Attack

The Securities and Exchange Commission’s (SEC) decision to bring fraud and internal-control charges against SolarWinds and its CISO over the company’s security practices and disclosures leading up to the 2020 SUNBURST attack has sent chills down the spines of the CISO community. No, I’m not mincing words. The prospect that a CISO can be held personally liable for security weaknesses they pointed out but failed to get the executive board’s support to address has led security executives to reconsider their employment contracts, lawyer retainers, and whether they even want to continue being the CISO of a publicly traded company.

This comes shortly after the SEC adopted a rule requiring public companies to disclose “material” cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. There seems to be a disconnect between the SEC, reality, and the security community. This is not good for security, innovation, or anything else.

Source: VentureBeat


Introduction of CVSS 4.0 by FIRST

New CVSS Nomenclature

The Forum of Incident Response and Security Teams (FIRST) has unveiled CVSS 4.0, a new version of the Common Vulnerability Scoring System (CVSS). The last major revision, CVSS 3.0, was released in 2015, and the world has changed a great deal since then.

The updated framework adds a Supplemental metric group covering Safety (S), Automatable (AU), Recovery (R), Value Density (V), Vulnerability Response Effort (RE), and Provider Urgency (U); these metrics carry context for consumers but do not change the score. It also introduces an explicit nomenclature so that a score is labelled by the metric groups it includes: Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE). A bare “CVSS score” with no such suffix is now ambiguous, which is the point: a score computed from Base metrics alone should not be compared with one that already folds in exploit maturity or an organization’s environment. The full CVSS v4.0 specification is linked in the source below.

Source: FIRST


MITRE Releases ATT&CK v14 w/ Updates for Enterprise, Mobile and ICS

MITRE ATT&CK for Enterprise v14

MITRE has rolled out ATT&CK version 14, which expands detection coverage across its Enterprise, Industrial Control Systems (ICS), and Mobile matrices. On the Enterprise side alone, this update introduces 15+ new techniques. The full release notes are linked in the source below.

Source: MITRE


MIT, Cohere for AI, and Others Introduce Platform for Audited AI Datasets

Researchers from MIT, Cohere for AI, and 11 other institutions have launched the Data Provenance Platform to address data transparency and lineage problems in AI by tracking and filtering audited datasets against ethical, legal, security, and transparency criteria. The initiative responds to the “data transparency crisis” in AI: models are being trained, at a rapid pace, on diverse and often poorly documented datasets. The team audited and traced the provenance of nearly 2,000 of the most widely used fine-tuning datasets, which have been downloaded tens of millions of times and underpin much of the recent progress in NLP.

This is the most extensive audit of AI datasets to date. The results and the audited datasets can be explored on the platform itself.

Source: VentureBeat

🤺 Tradecraft Innovation 🤺

Small Language Models (SLM) for Application Security

LM App Data Flow

In his LASCON23 talk, my dear friend Louis Barrett demonstrated what’s possible with fine-tuned SLMs applied to securing software development using MosaicML and HuggingFaceH4. This is a technical deep dive that spurred many ideas in me. Hopefully, it does the same for you! No video, just slides and vibes.

Source: LASCON’s Sched


Unit42 Details the EleKtra-Leak Cryptojacking Campaign

Diagram (Unit 42): threat actor architecture for Operation CloudKeys. GitHub repositories feed a VPN used by the threat actor, who reaches into a honey AWS organization’s management account and the honey AWS account beneath it; inside that account sit the IAM user with its designed policy and three availability zones, one of which hosts the XMR miner and the Drive-hosted encrypted payload.

Palo Alto Networks’ Unit 42 sheds light on an active campaign in which AWS IAM keys exposed in public GitHub repositories are harvested and used to launch EC2 instances for cryptojacking. The campaign has been active for more than two years. Great work by Unit 42.

The full report, including how to detect and mitigate this campaign, is linked below.

Source: Unit 42 by Palo Alto Networks
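The behaviour the report describes, a single IAM access key spinning up EC2 capacity far beyond what the key’s owner ever did, is cheap to catch in CloudTrail if you aggregate per access key rather than per event. The detection below is an added example, not Unit 42’s detection content: it slides a window over each key’s RunInstances calls and raises one finding when the launches span several regions or request an unusual number of instances. Every record, the key IDs (AWS’s documented example IDs), the source IPs, the instance types, the thresholds and the ten-minute window are constructed assumptions.

```python
"""Flag one access key launching EC2 instances across regions in a burst.

Added example, not Unit 42's detection content. Records follow the CloudTrail
event shape, but every record, key ID (AWS's documented example IDs), IP,
threshold and the ten-minute window is a constructed assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)  # assumed: how tight a "burst" is
MIN_REGIONS = 3                 # assumed: regions touched inside the window
MIN_INSTANCES = 8               # assumed: instances requested inside the window


def _event(time, name, region, key, ip, itype=None, count=0):
    """Build a trimmed CloudTrail record (constructed sample data)."""
    e = {"eventTime": time, "eventName": name, "awsRegion": region,
         "sourceIPAddress": ip,
         "userIdentity": {"type": "IAMUser", "accessKeyId": key}}
    if name == "RunInstances":
        e["requestParameters"] = {
            "instanceType": itype,
            "instancesSet": {"items": [{"minCount": count, "maxCount": count}]},
        }
    return e


LEAKED, NORMAL = "AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"
SAMPLE_EVENTS = [  # constructed: one leaked key in a launch burst, one routine key
    _event("2023-10-25T14:00:12Z", "DescribeInstances", "us-east-1", LEAKED, "198.51.100.23"),
    _event("2023-10-25T14:01:05Z", "RunInstances", "us-east-1", LEAKED, "198.51.100.23", "c5a.24xlarge", 4),
    _event("2023-10-25T14:02:40Z", "RunInstances", "us-west-2", LEAKED, "198.51.100.23", "c5a.24xlarge", 4),
    _event("2023-10-25T14:03:51Z", "RunInstances", "eu-west-1", LEAKED, "198.51.100.23", "c5a.24xlarge", 4),
    _event("2023-10-25T14:05:17Z", "RunInstances", "ap-southeast-1", LEAKED, "198.51.100.23", "c5a.24xlarge", 4),
    _event("2023-10-25T09:15:00Z", "RunInstances", "us-east-1", NORMAL, "192.0.2.10", "t3.medium", 1),
    _event("2023-10-25T10:40:00Z", "RunInstances", "us-east-1", NORMAL, "192.0.2.10", "t3.medium", 1),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _requested(event):
    # maxCount is what the caller asked for; responseElements would give what
    # actually launched, but the request alone is enough to alert on.
    items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return sum(int(i.get("maxCount", 1)) for i in items)


def find_launch_bursts(events, window=WINDOW, min_regions=MIN_REGIONS,
                       min_instances=MIN_INSTANCES):
    """Return one finding per access key whose RunInstances calls, inside any
    sliding window, span >= min_regions regions or request >= min_instances."""
    by_key = defaultdict(list)
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId")
        if e.get("eventName") == "RunInstances" and key:
            by_key[key].append(e)

    findings = []
    for key, launches in by_key.items():
        launches.sort(key=lambda e: _ts(e["eventTime"]))
        for i, first in enumerate(launches):
            t0 = _ts(first["eventTime"])
            burst = [e for e in launches[i:] if _ts(e["eventTime"]) - t0 <= window]
            regions = sorted({e["awsRegion"] for e in burst})
            instances = sum(_requested(e) for e in burst)
            if len(regions) >= min_regions or instances >= min_instances:
                findings.append({
                    "accessKeyId": key,
                    "windowStart": first["eventTime"],
                    "regions": regions,
                    "instancesRequested": instances,
                    "instanceTypes": sorted({e["requestParameters"]["instanceType"] for e in burst}),
                    "sourceIPs": sorted({e["sourceIPAddress"] for e in burst}),
                })
                break  # one finding per key is enough to page on
    return findings


if __name__ == "__main__":
    for finding in find_launch_bursts(SAMPLE_EVENTS):
        print(finding)
```

The thresholds are the part to tune: a CI key that legitimately fans out across regions will trip the region rule, so baseline each key’s normal regions and instance types first, and treat a key’s first-ever RunInstances from a new source IP as its own signal. Mitigation is the usual pair: an SCP or IAM condition that denies RunInstances outside approved regions, and a secret scanner on every push so the key never reaches a public repository in the first place.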

🛸 Product Innovation 🛸

Orca Streamlines Cloud Security with Amazon Bedrock Integration

Orca integrates with Amazon Bedrock to generate remediation code

Orca Security deepens its integration with AWS by adding support for Amazon Bedrock. Orca will use Bedrock to streamline its detection and automated remediation capabilities, including generating remediation code. This is Orca’s third integration with a generative AI engine, after ChatGPT and Azure OpenAI.

Source: SiliconANGLE


Backslash Security Launches Application Security Posture Management Platform

Backslash Security announces general availability of its Application Security Posture Management (ASPM) platform. It looks like a fairly robust product, and the company claims to be the only SAST and SCA solution that combines attack path and reachability analysis, which it does via its ‘cloud-context’ engine. Cool stuff.

Source: SiliconANGLE


P0 Security Secures $5M Funding and Debuts Flagship Product for Secure Cloud Access

P0 Security recently raised $5 million in funding and made its product, aimed at securing cloud access for developers, generally available. Think human and machine cloud identity coverage at a very granular level, with Slackbot support for just-in-time and time-bound access.

Source: SiliconANGLE


Apple Enhances iMessage Security with Contact Key Verification

Apple introduced Contact Key Verification for iMessage, a feature that lets users verify they are messaging only with the people they intend to and alerts them if an unrecognized device is added to a contact’s account, the scenario in which an attacker who had breached Apple’s key-distribution servers could try to eavesdrop.

Source: SecurityWeek

Conclusion

That's all for this week! I hope you found this issue insightful. Your feedback shapes the future of this newsletter, so drop me a line on what resonated with you or what you'd like to see more of. If you believe others can benefit from these insights, share the love and encourage them to subscribe. Every week, I dive deep into a sea of headlines to curate the most pivotal stories in cybersecurity innovation just for you. Your continued support is a testament to the value this brings. Catch you in the next issue!
