📡 Cybersecurity Innovation Pulse #34: Time to Consider A Quantum Risk Strategy?; WEF be WEFING; Snyk Bolsters Runtime Capabilities; and More!
Covering Jan. 11th - Jan. 18th
Welcome to Issue 34 of the Cybersecurity Innovation Pulse! I'm Darwin Salazar, Product Manager at Monad and a former Detection Engineer. Each week, I distill the latest and most exciting developments + trends in cybersecurity innovation into digestible, bite-sized updates. If you’re serious about staying at the forefront of the latest in the cybersecurity industry, make sure to hit the “Subscribe” button below to get my insights delivered straight to your inbox every week 📩 🚀
Time to Consider A Quantum Risk Strategy?
While most of our attention has been on AI over the past year, the threat of quantum-based attacks continue to grow. It’s only a matter of time until attackers get their hands on quantum computing. Its why CISA, NIST, and NSA created this Post-Quantum Cryptography Preparedness Guidance and why just this week, Accenture and SandboxAQ announced that they’ve formed a partnership.
“Accenture and SandboxAQ are currently helping a global nonprofit health organization mitigate its quantum risk. They are taking a multi-phased approach to enhance the organization’s quantum security strategy and discover the most at-risk uses of cryptography across its networks, third parties and vendors as well as their public networks in more than 100 countries.” - DarkReading
SandboxAQ raised $500M last year and is quickly becoming the go-to quantum readiness player. Accenture employs 740,000+ and serves clients in 120+ countries. Having witnessed the partnership beast 1st-hand at Accenture, I can say that when they move on something, it’s because there is strong signal and opportunity there.
Other Quantum News
IBM’s SecurityIntelligence releases their CISO’s Guide to Accelerating Quantum-Safe Readiness based on the CISA, NIST, and NSA guidance mentioned above.
Quantinuum raises $300M @ $5B pre-money valuation. JPMorgan Chase, one of their largest customers, led the funding round and was joined by Honeywell, Amgen, and Mitsui & Co.
AI, Misinformation and Upcoming Elections
Misinformation/disinformation grabs the top spot in the World Economic Forum’s (WEF) Global Risks Report 2024 list while cyber ‘insecurity’ comes in at 4th. Billions across the U.S., Britain, India, Mexico, and Pakistan are set to vote over the next 2 years.
With that, OpenAI has also announced how they plan to prevent misuse of their systems to sway elections. Deepfakes seem to be the biggest concern, but chatbots based on OpenAI are also being used in political campaigns so ensuring those produce accurate information is also a concern.
A good weekend read is George Orwell’s “1984”.
Wiz’s “State Of AI In The Cloud 2024” Report
I always look forward to reports from Wiz’s research team. They have a widespread footprint in organizations across the globe and they provide a sober look at the numbers on bleeding edge topics like multi-cloud adoption, AI, and more.
Their most recent report, State Of AI In The Cloud 2024, is no exception. It highlights how much enterprise use of managed AI services has blown up over the past year. To no surprise, Azure the leading cloud provider for AI services. It is the main investor
However, it also highlights that most of organizations are still in an exploratory phase with 38% “actively using managed AI services” or having >50 AI model instances deployed.
tl;dr - 2023 was just the intro. 2024 will see so much more real-world use of AI in the wild.
Snyk Acquires Helios
Snyk has agreed to acquire Helios, a startup specializing in runtime security and observability for cloud apps. This will enrich Snyk’s AppSec platform with runtime insights, providing customers with end-to-end app discovery and risk-based prioritization to improve security + compliance across their apps.
Wiz Launches AI-SPM for OpenAI
Wiz has added support OpenAI support to their Security Posture Management (AI-SPM) solution. This enables better visibility and security within AI pipelines, protecting against data exposure and misconfigurations. The release announcement does a great job of detailing the protections added with support.
JFrog & Amazon SageMaker Integration
JFrog has announced an integration with Amazon SageMaker to streamline machine learning development workflows. This collaboration seeks to apply DevSecOps best practices to machine learning model management, ensuring that models are immutable, traceable, secure, and compliant with regulatory standards throughout the development lifecycle.
Skyhigh Security's AI-powered DLP Assistant
Skyhigh Security has released an AI-powered Data Loss Prevention (DLP) Assistant designed which simplifies the data classification process. This is likely to become a tablestake feature for data security solutions, imo.
CI/CD Attacks and PyTorch Supply Chain Compromise
Researchers at Praetorian recently discovered a new type of CI/CD attack that could have led to a significant supply chain compromise of the popular PyTorch ML framework and companies like Meta, Google, and Lockheed Martin. The attack exploits GitHub repositories with self-hosted runners to execute arbitrary code without authorization (!!), potentially allowing for the uploading of malicious releases or modification of the main repository branch.
This could’ve gotten pretty ugly if exploited by malicious actors. Kudos to John Stawinski IV and Adnan Khan. The link down below goes in-depth on how they discovered and exploited the vuln.
Source: John Stawinksi’s Personal Blog
Sophisticated macOS Infostealers
New research from Malwarebytes has found that macOS infostealer, Atomic Stealer, has gotten updates which introduce payload encryption capable of bypassing Apple's built-in XProtect detection system 😀
Bye For Now!
Nos vemos la próxima semana! 🚀