Dec 16, 2021

2022: Supply-Chain Chronic Pain & SaaS Security Meltdowns

Sounil Yu, CISO at JupiterOne, discusses the growing mesh of integrations between SaaS applications, which enables automated business workflows – and rampant lateral movement by attackers, well outside IT’s purview.
If 2021 was the Year of Supply-Chain Pain, 2022 will be the Year of Supply-Chain Chronic Pain (or something worse than pain). This past year, the pain was felt in two significant ways: through the supply chain disruptions caused by COVID-19, and through the many security breaches that we saw in our key IT suppliers.
Many organizations have been caught off guard by the pervasive and long-lasting repercussions of the supply-chain crunch from COVID-19, exacerbating other supply-chain bottlenecks further downstream, and causing headaches for consumers and missed revenue targets for major corporations. These disruptions are expected to continue through 2022 and beyond.
In a similar way, we should see pervasive and long-lasting repercussions from the many supply-chain security breaches that we suffered through in the last 12 months.

We saw how the attacks against SolarWinds and Accellion (both discovered towards the end of 2020), the compromise of Microsoft Exchange shortly thereafter, and the compromise of Codecov were just a launching pad for subsequent attacks against those who were dependent upon these providers.
Throughout 2021, we saw a constant drumbeat of bad news on this front, and ENISA predicted that 2021 would close with roughly four times as many supply-chain attacks as 2020. Like the COVID-19 supply-chain disruptions, these attacks are not isolated events. We won't know the full ramifications for some time, but we should anticipate several nasty security disruptions as the compounding effects of the 2021 supply-chain compromises surface in 2022.
Most organizations already have a huge dependency on software-as-a-service (SaaS) apps – a trend that was famously accelerated by the shift to a remote workforce during the COVID-19 pandemic. And even though some of the workforce may be returning to the office in the New Year, it is likely that the shift to SaaS applications will continue unabated, if not accelerate, in 2022 thanks to the business agility that is gained through their use. However, this change creates a growing imperative to effectively manage risks from the usage of SaaS applications since our corporate data will follow those applications.
SaaS applications have vastly increased the attack surface, and their mass adoption across many organizations makes them ripe for exploitation: attackers can concentrate their efforts on a handful of SaaS providers and simultaneously impact large numbers of those providers' customers. For instance, in July a ransomware attack paralyzed roughly 1,500 organizations by compromising Kaseya's VSA remote IT management software. Many analysts expect the Kaseya incident to have set off a race among criminals searching for similar vulnerabilities.
Obviously, we should expect hackers to continue their attacks on major SaaS platforms with widespread adoption. If the bad guys do uncover vulnerabilities among such high-profile SaaS providers, the resulting exposure to vast amounts of user data could be extremely damaging. It seems clear that this risk from unprotected SaaS apps will continue to present a serious concern for security well into 2022 and beyond.
With the rise of SaaS adoption, we have witnessed the parallel development of a “business application mesh,” which enables organizations to build custom business logic across multiple, disparate SaaS applications. This mesh also enables transitive trust relationships to be created that enable data to move among these SaaS applications without a central authority that has visibility into or governs the movement of this data.
In the past, our IT architecture enabled the enterprise to have a view of how users were interacting with multiple different applications, while remaining at the center of the interactions. But with the business application mesh in place, SaaS applications are connected to each other directly without the enterprise being at the center. GitHub is now automated to interact with Slack on behalf of my organization, for instance. Jira is connected directly with Salesforce. Hubspot sends data to a myriad of other SaaS applications.
The growing network of integrations enables automated business workflows and data exchange. However, this mesh also allows for lateral movement by attackers, and it is largely outside of the purview of the enterprise. In 2022, we should anticipate a number of major breaches stemming from the lack of controls in monitoring these interconnected data paths among SaaS applications.
We can't know in advance which component of the mesh is the weakest. But we do know that each component added to the mesh introduces new vulnerabilities and new trust paths. The exposure is not simply additive: every new integration extends the reach of every existing one, so the attack surface grows with the number of connections, not just the number of applications. The aggregate of the extended mesh becomes your attack surface, an ever-expanding source of vulnerabilities.
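The transitive-trust problem described above can be made concrete by modelling the mesh as a directed graph of credential grants and walking it from a compromised app. The following is an added example, not code from the article or from JupiterOne; the integration inventory, app names, scopes and the "brokered by the enterprise IdP" flag are constructed assumptions, not data from the page.

```python
from collections import deque

# Constructed sample inventory of SaaS-to-SaaS integrations (hypothetical
# data for this example, not the article's). Each tuple is
# (source_app, target_app, scopes_granted, brokered_by_enterprise_idp).
# A True flag means the enterprise identity provider sits in the middle of
# the grant; False means the two apps trust each other directly.
INTEGRATIONS = [
    ("github",     "slack",      {"chat:write"},                    False),
    ("slack",      "jira",       {"write:issues"},                  False),
    ("jira",       "salesforce", {"read:accounts", "write:cases"},  False),
    ("hubspot",    "salesforce", {"write:contacts"},                True),
    ("hubspot",    "mailchimp",  {"write:audiences"},               False),
    ("salesforce", "snowflake",  {"read:warehouse"},                False),
]


def build_graph(integrations):
    """Adjacency list: app -> [(target, scopes, brokered_by_idp), ...]."""
    graph = {}
    for src, dst, scopes, via_idp in integrations:
        graph.setdefault(src, []).append((dst, frozenset(scopes), via_idp))
        graph.setdefault(dst, [])  # make sink apps explicit nodes
    return graph


def reachable_paths(graph, start):
    """Breadth-first walk of outbound grants from `start`.

    Returns {app: path} for every app an attacker holding `start`'s
    credentials could reach by chaining grants; `path` is the hop list.
    The visited dict also protects the walk against cycles in the mesh.
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst, _scopes, _via_idp in graph.get(cur, []):
            if dst not in paths:
                paths[dst] = paths[cur] + [dst]
                queue.append(dst)
    return paths


def blast_radius(integrations, compromised):
    """Sorted list of apps reachable from `compromised` (itself excluded)."""
    paths = reachable_paths(build_graph(integrations), compromised)
    return sorted(app for app in paths if app != compromised)


def ungoverned_hops(integrations):
    """Grants the enterprise IdP never sees: direct app-to-app trust."""
    return [(src, dst, sorted(scopes))
            for src, dst, scopes, via_idp in integrations if not via_idp]


def added_exposure(integrations, new_integration, compromised):
    """Apps that become reachable from `compromised` only because of one new grant.

    This is the multiplier effect: a single new edge exposes everything
    the new target itself can already reach.
    """
    before = set(blast_radius(integrations, compromised))
    after = set(blast_radius(integrations + [new_integration], compromised))
    return sorted(after - before)


if __name__ == "__main__":
    print("Reachable from a compromised GitHub app:", blast_radius(INTEGRATIONS, "github"))
    print("Grants outside the IdP's view:", ungoverned_hops(INTEGRATIONS))
    new_grant = ("mailchimp", "github", {"repo"}, False)  # hypothetical new integration
    print("New exposure from HubSpot after adding mailchimp->github:",
          added_exposure(INTEGRATIONS, new_grant, "hubspot"))
```

Run as-is, the walk shows that a token stolen from the GitHub integration reaches Slack, Jira, Salesforce and the data warehouse without ever touching the enterprise's identity provider, and that adding one more grant from Mailchimp back into GitHub suddenly puts three additional apps within reach of a compromised HubSpot account. Replacing the constructed inventory with an export of real OAuth grants and API tokens is the first step toward the monitoring of interconnected data paths the paragraph above calls for.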
Within the cybersecurity industry, the prevailing mindset is that security practitioners are professionals. Thus, a direct consequence of this mindset is that a college degree is required for many cybersecurity jobs. A recent ISC2 report indicates that 86 percent of the current cybersecurity workforce has a bachelor’s degree or higher. Furthermore, a quick search on shows about 46,000 cybersecurity jobs, of which 33,000 (more than 70%) require a degree.
However, many cybersecurity practitioners I know would rightfully argue that a college degree isn't needed to do most jobs in cybersecurity, and that strict adherence to this requirement disqualifies many deserving candidates. But removing the requirement for a college degree raises the question: Are these actually professional jobs, or should they be recast as vocational jobs?
I would argue that these jobs may need to be seen as vocations instead of professions. Although many cybersecurity workers take pride in their professional status, many of their jobs (and thousands of unfilled cybersecurity jobs) are really vocational in nature and could be filled by those with the appropriate level of vocational training. In vocational schools, students focus almost entirely on learning the skills of their trade. By immersing themselves in a particular field, students practice tangible skills they will need and can apply to the workplace. Furthermore, this period of training can happen at an accelerated pace that produces qualified candidates in one to two years, if not within a shorter timeframe.
The security industry has been challenged on multiple fronts over the course of the COVID-19 pandemic. Crippling supply-chain disruptions, massive ransomware attacks, repeated vendor breaches and a shortage of available talent have all combined to make the jobs of security teams much more difficult. Security leaders will need to remain vigilant and strategic to face down these compounding threats in the coming year and beyond.
Sounil Yu is CISO at JupiterOne.