Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Cybersecurity Snapshot: 6 Things That Matter Right Now

Cybersecurity Snapshot Aug 26

Topics that are top of mind for the week ending Aug. 26 | The “platformization” of hybrid cloud security. Budgeting guidance for CISOs. Tackling IT/OT cybersecurity challenges. Tips for complying with HIPAA’s cybersecurity rule. A roundup of patches, trends and incidents to keep an eye on. And much more!

1 - IDC sees shift to “platformization” of hybrid cloud security

Expect cloud workload security offerings to evolve from being siloed products into becoming integrated components of broader security and IT platforms in the next two years. That’s according to IDC’s “Worldwide Cloud Workload Security Forecast, 2022-2026.” 

What’s driving this “platformization” shift? A search for simplicity by security teams, as digital transformation extends organizations’ attack surface, complicating the protection of increasingly hybrid and multi-cloud IT environments.

“Separate and disconnected offerings to support applications developers, security practitioners, or cloud operations will give way to comprehensive solutions to address the complexity that customers bring upon themselves,” reads the report.

IDC predicts that the “platform reality” will materialize by 2024 in this market, which it defines as products that protect three software-defined compute environments – virtual machine software, containers and cloud system software.

Meanwhile, organizations will spend $5.1 billion globally on cloud workload security software in 2026, up from $2.2 billion last year, a compound annual growth rate of 18.5%, according to IDC.

(Source: IDC “Worldwide Cloud Workload Security Forecast, 2022-2026: Complexity Drives the Market Up and to the Right”, Doc # US49522022, August 2022.)

More information about cloud security:

2 - Survey: Cyberattacks are #1 business risk

It wasn’t that long ago that CEOs and board directors viewed cybersecurity as one of many technology areas with a somewhat weak and unclear impact on the business. Not anymore. 

The latest proof comes from a PwC survey of 722 U.S. business leaders in which respondents ranked cybersecurity as – wait for it – the top business risk for their organizations.

Snapshot #8 -- image 1
Specifically, 40% of all respondents listed it as a “serious” risk, while 38% labeled it a “moderate” risk. 

Among the different categories of business leaders, board members are the most worried about cybersecurity: 51% of them ranked it as a “serious” risk.

Moreover, 84% of respondents said they’re either acting on or closely monitoring policy areas related to cybersecurity, while 79% are revising or enhancing their cyber risk management.

Recommendations include:

  • Incorporate cybersecurity into the agendas of the C-suite and the board, and view it as a business issue, not purely a technology one.
  • Have a security awareness program in place to train employees on cybersecurity practices.
  • Ensure cybersecurity considerations and plans are part of all business initiatives.
  • Use data to regularly assess and analyze your cybersecurity risks.

More information:

3 - Cybersecurity help for healthcare companies

Healthcare organizations looking for guidance on how to comply with the security rule in the U.S. Health Insurance Portability and Accountability Act (HIPAA) now have a new resource, at a time when this industry faces intensifying attacks from cybercriminals.

A new draft publication from the National Institute of Standards and Technology (NIST) goes deep into how to protect patients’ electronic records in accordance with the HIPAA security rule.

Snapshot #8 -- image 2a

Specifically, this document, which revises a NIST guide from 2008, maps the HIPAA security rule to NIST’s Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53) framework.

Readers will find guidance, templates, tools and more, on topics including:

  • Risk assessment and risk management
  • Telehealth/telemedicine guidance
  • Mobile device security
  • Cloud services
  • Ransomware and phishing
  • Education, training and awareness
  • Medical device and medical Internet of Things (IoT) security

More information:

4 - Forrester: Budget guidance for CISOs

Budget planning season is here for many organizations, so what should CISOs and other security and risk management leaders be focusing on for 2023? Forrester has some suggestions for them on how to best allocate their cybersecurity budgets.

For example, among the key cybersecurity areas Forrester recommends prioritizing are:

  • API security
  • Cloud workload security
  • Multifactor authentication
  • Security analytics
  • Zero Trust network access
  • Crisis simulation exercises

It also suggests evaluating and experimenting with emerging technologies such as extended detection and response, attack surface management and privacy-preserving technology.

For more details, check out the blog “New Security & Risk Planning Guide Helps CISOs Set 2023 Priorities” and the full report “Planning Guide 2023: Security & Risk,” which is available to Forrester subscribers and for purchase.

More information about cybersecurity budgeting:

5 - Good news and bad news about IT/OT convergence

The draft report about the cybersecurity issues of IT and OT convergence from the U.S. National Security Telecommunications Advisory Committee (NSTAC) is out. Good news or bad news first?

Ok, the bad news: There’s plenty to do to properly protect the converged IT/OT systems of critical infrastructure facilities. The good news? The U.S. has the technology and the knowledge to fix the problems. All that’s missing is a sense of urgency.

Key findings from the report, which has been sent to the White House:

  • IT/OT convergence cybersecurity challenges aren’t new. But this would be new: Prioritizing the allocation of required resources to implement solutions.
  • Organizations are confused about what cybersecurity protections they need. Why?
    • The government hasn’t provided clear guidance.
    • They lack visibility into their OT environments.
    • Some lack enough staff and money, especially smaller ones.
  • There’s essential legacy OT equipment that wasn’t designed to be connected to the internet.
  • IT and OT teams are often siloed. They must be brought together to better secure converged IT/OT environments.
  • The government and the private sector rarely include cybersecurity capabilities among the requirements of OT products they’re shopping around for.
  • There’s not enough cybersecurity education and training available to the staff of critical infrastructure providers.

So what can be done? Recommendations include:

  • The Cybersecurity and Infrastructure Security Agency (CISA) should require civilian branch departments and agencies of the U.S. government to maintain a real-time, continuous inventory of all OT assets. 
  • CISA should ensure that agencies include cybersecurity provisions in their OT procurement requirements.
  • CISA and the National Security Council should develop and implement “interoperable, technology-neutral and vendor-agnostic” mechanisms for sharing sensitive information.

For more information:

6 - Quick takes

And finally, a roundup of vulnerabilities, trends, news and incidents you might be interested in.

  • Google said it blocked the largest HTTPS DDoS attack on record. Launched in June, it reportedly peaked at 46 million requests per second.
  • Twitter’s former head of security is alleging that the company is plagued by significant cybersecurity problems. Twitter brushed off the allegations, saying they’re inconsistent and inaccurate. 

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable.io Container Security

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try Tenable Lumin

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable.cs

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

Contact a Sales Rep to Buy Tenable.cs

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Promotional pricing extended until December 31st.
Buy a multi-year license and save more.

Add Support and Training