Black Kite Review: RSAC 2023
RSAC 2023 showcased leading innovations in cybersecurity solutions, talks, and discussions. The conference’s annual theme sums it up best: “Stronger Together.” In other words, collaboration and communication are the keys to successfully defending your servers and assets from malicious attacks.
RSAC 2023 was a top-tier arena for cybersecurity professionals to put their heads together to stop bad actors in their tracks. With ransomware risk growing exponentially, security pros must act fast to mitigate its potentially disastrous effects.
Our own research at Black Kite found that ransomware attacks accounted for 27% of all reported third-party breaches in the last year — and that the number of ransomware victims rose by 160% from March 2023 to April 2022.
That’s why Black Kite’s Senior Vice President and Cyber Risk Evangelist, Jeffrey Wheatman, and Head of Research, Dr. Ferhat Dikbiyik, were eager to attend this year and keep tabs on the latest cybersecurity movements and trends. In this blog, we’ll explore both Jeffrey’s and Ferhat’s takeaways from RSAC 2023 so your teams can take the right steps to properly defend your supply chains.
Ferhat’s Takeaway: AI Will Become Cybersecurity’s MVP if Done Right
ChatGPT took center stage at RSAC 2023. That comes as no surprise to me, as innovations in AI keep making tidal waves throughout the cybersecurity world.
At Black Kite, we’re already on top of this trend. We began developing a cyber-aware AI in our platform months before the ChatGPT craze because we recognized AI’s potential to revolutionize third-party risk management processes. The fact of the matter is that AI will become cybersecurity’s most valuable player if we can nail down the right mechanics.
For example, AI can help automate threat detection and response, allowing organizations to quickly identify and neutralize potential threats — without expending unnecessary resources. Organizations can also use AI to analyze vast amounts of security data, uncovering insights into patterns and trends. Those insights can help improve security practices and make identifying potential vulnerabilities a lot easier.
Using AI to analyze and process massive volumes of data will be particularly helpful for third-party risk management (TPRM) programs, as organizations can leverage these tools to gain clearer insights into the cybersecurity health of their existing and potential partners.
Plus, AI and large language models have the potential to significantly streamline compliance. AI models can automatically parse complex regulatory documents — thereby extracting information and mapping it to the right compliance requirements, standards, and frameworks.
These language models can also generate comprehensive reports, which enable stakeholders to more efficiently understand and act upon findings and developments in compliance. That bridges the gap between technical and non-technical teams, ensuring a more unified approach to risk management.
Ferhat’s Takeaway: Bad Actors Are Getting Ahead of AI
Unfortunately, TPRM programs aren’t the only outfit making use of AI. Bad actors are studying AI/ML techniques with malicious intent — and they’re studying rigorously.
As a result, many sophisticated threat actors can employ evasive techniques, such as Artificial Intelligence Fuzzing (AIF), to evade AI/ML security blocks and processes. That means organizations must innovate beyond what bad actors are now capable of to boost their walls of defense.
Jeffrey’s Takeaway: Watch Out for AI That’s Too Good To Be True
I have a slightly different take from my colleague on AI. I saw a lot of banners touting AI — but very little explanation as to how AI would provide actual value for the potential buyer. It’s important within the AI craze that organizations don’t get swept up by unclear benefits and too-good-to-be-true promises.
Here’s my honest advice: Don’t buy a tool just because it has AI in it or, even worse, because it just says that it has AI and doesn’t make any attempt to prove or demonstrate it. AI will be a helpful tool in modernizing TPRM programs for sure, but it’s key that organizations buy the right kind of AI that enables the right automated processes.
Jeffrey’s Takeaway: Communicating Risk to Boards and Stakeholders Comes Down to Engagement
New SEC regulations requiring boards of publicly traded companies to have cyber expertise on them are likely the main driver of concerns around communicating risk at upper levels of leadership.
As always, it’s critical for CISOs to have a healthy level of board engagement — otherwise, TPRM risk efforts will stall and fall by the wayside. One panel I saw, entitled “Do Better: Board-Level Accountability in Cybersecurity,” provided great insight for both CISOs and board members on how to adapt to the changing threat landscape. This session largely covered board accountability for cybersecurity and risk management and how investing in strong TPRM and cybersec upfront can reduce financial loss in the long run.
Another session called “Telling Fairy Tales to the Board: Turn Attack Graphs into Business Stories” was a particularly fun and engaging way to think about the current threat landscape — and how to communicate risks to stakeholders.
In this discussion, a few pros from Orca Security used the story of Little Red Riding Hood as a blueprint for developing better stories for boards. They demonstrated, beat by beat, how to take simple cybersecurity or cyber risk issues and transform them into compelling narratives that anybody — no matter their level of technical expertise — can understand.
But enough of me rambling; here’s my big takeaway: Healthy communication with board members and stakeholders is essential when building out a TPRM program. That means CISOs and their TPRM teams must transform data points into compelling stories that inspire action.
Ferhat’s Takeaway: Ransomware Rears Its Ugly Head
The threat landscape is growing — and it’s growing fast. 2023 saw cybercriminals become more innovative with their methods and strategies than ever before. Organizations and their TPRM programs must follow suit and shift their mindsets to a proactive — rather than reactive — approach.
One session in particular demonstrated the need for security professionals and managers to rethink their TPRM methods. Led by Craig Jones, Director of Cybercrime at Interpol, this discussion highlighted a gradual global shift in focus from post-breach scenarios to preventing cybercrime from happening in the first place.
The idea is to invest more resources before the boom (or attack) rather than after. This means avoiding risky business moves and ensuring that potential partners hold the same security standards as your organization.
Jones also highlighted the importance of keeping an eye on small companies and software vendors. These companies and vendors are oft-overlooked but prime attack surfaces for bad actors.
Ferhat’s Takeaway: Using Black Kite’s Ransomware Research
What I heard at the conference regarding ransomware further reflected the findings in our own research at Black Kite. Ransomware risk is a big problem — and it needs an immediate solution.
Black Kite’s first annual Ransomware Threat Landscape Report™, released during RSAC 2023, found that ransomware groups tend to target companies with annual revenues of around $50 million to $60 million. Ransomware groups usually attack these companies’ third-party vendors and steal client information for extortion. We also found that US companies were the most targeted in the world, accounting for 43% of the ransomware attacks we studied.
It’s important for security teams to keep in mind that responding to ransomware threats is like handling a disease. The best treatment is to take steps to avoid getting sick in the first place. The same idea goes for TPRM programs. They must be proactive — not reactive — to be successful.
Ferhat’s Takeaway: Supply Chain Risk — A Gordian Knot
As organizations become more digitally connected, they increasingly see supply chain risk as a top-of-mind concern. This was abundantly clear at RSAC 2023.
One session, titled “Detecting and Reacting to Supply Chain Vulnerabilities — a Maritime Perspective,” illustrated how bad actors can interrupt workflows in transportation systems by hacking cargo management systems at seaports. These interruptions make it easier to pursue criminal activities such as weapons smuggling or human trafficking.
What does that mean for supply chain risk? That the collateral and potential fallout of breaches extends beyond just finances. In fact, Gartner predicted that by 2025 bad actors will start using ransomware to kill or harm human beings, which means that developing new, successful security strategies is an absolute must.
Ferhat’s Takeaway: Managing Third-Party Access to Sensitive Data
A talk I saw by Jenko Hwong also illustrated the evolving concerns in supply chain risk. This session, titled “The Dark Underbelly of Third-Party Application Access to Corporate Data,” highlighted how third-party apps and vendor ecosystems heavily influence organizations.
For example, an average of 440 third-party applications have access to an organization’s Google data. However, a majority of those applications might not have any business value or reason for accessing an organization’s sensitive information and systems. This underscores the need for security teams to standardize the proper authentication settings within their third-party cyber risk management programs.
Jeffrey’s Takeaway: Engaging With Software Supply Chain Management
Software supply chains are a new hot topic in the cybersecurity realm — and there was plenty of content on managing the risks therein. The agenda I saw was chock-full of sessions on the topic, so I picked the following discussions as major highlights:
- “Scaling Software Supply Chain Source Security in Large Enterprises”: This took a sometimes painfully dry topic and made it engaging and practical. The session was packed with actionable advice for companies (large and small, despite the name) on how to mitigate risk at scale, including operationalizing software bills of materials (SBOMs).
- “Running in the Shadow: Perspectives on Securing the Software Supply Chain”: This panel discussed the existing challenges facing developers, CISOs, and policymakers alike when trying to secure the supply chain. It also covered how these usually disparate groups can harmoniously work together to achieve great results. That all points back to the bigger conference theme — “Stronger Together.” Cyber defense is stronger when all departments and employees work together to achieve a common goal.
Here’s the bottom line: Supply chain risks have the potential to wreak unprecedented levels of havoc across multiple industries. TPRM programs must consistently monitor and perform regular security checks on their vendors’ cyber postures.
Nip Third-Party Risk in the Bud
RSAC 2023 highlighted the need for continued innovation around risk management, AI/ML, and collaboration in the TPRM space. In all the sessions our Black Kite team attended, one theme was abundantly clear: It’s sink or swim for third-party risk management programs. Adaptation is a must.
After all, a chain is only as strong as its weakest link.
That makes breach prevention a team effort. To successfully block bad actors’ modern methods of destruction, organizations must collaborate to strategically implement automation, monitor access and authorities granted to their partners, and take a proactive rather than reactive approach to potential attacks.
Want to learn more about how third-party breaches changed in the past year? Check out Black Kite’s 2023 Third-Party Data Breach Report to find out about the threat landscape’s most significant shifts.