Zero Trust

The year in review: Supply chains unlink, ransomware surges, a government embraces Zero Trust, and hybrid work endures

Dec 22, 2021
year in review

This year saw continuing cyberattacks, crippled supply chains, and double extortion. At times, it felt like the bad guys had the upper hand. But as we near 2022, I find hope in the promise of more-diverse industry governance, the potential of Zero Trust to weaken ransomware business models, and the agility provided by new methods to secure hybrid workforces.

The supply chain is only as cyber-secure as its weakest link

The year began with yet more fallout from the catastrophic SolarWinds data breach. Authorities first detected the “SUNBURST” cyberattack in December 2020, and linked it to (allegedly) state-sponsored threat actors in Russia.

Perhaps what was most troubling about the hack is the extent it exposed vulnerabilities in the entirety of enterprise supply chains. The Zscaler Zero Trust Exchange – among its many service value-added benefits – eliminates the risk of post-breach lateral movement within a corporate network. In the case of the SolarWinds breach, hackers were able to embed malware code within the company’s network and monitoring platform software. In that way, they gained access not just to SolarWinds company systems, but all the systems connected to all the SolarWinds customer machines employing the Orion platform. Customers who weren’t protected with a Zero Trust Architecture were immediately compromised.

Here at Zscaler, we responded immediately with expert guidance and detailed technical deconstruction of the attack. In addition, we launched a SolarWinds security assessment program.

New year, new CXO Revolutionaries media channel

In April, Zscaler launched the CXO Revolutionaries program, a site, forum, and community of and for CXO leaders driving digital transformation in their organizations. The CXO Revolutionaries program aims to empower, foster, and connect global tech CXOs.

Since its inception, the CXO Revolutionaries program has grown to include several dozen current and senior CXO leaders sharing thought leadership content with the broader community. The site has become a go-to destination for insightful news, articles, podcasts, and forum contributions.

The Colonial Pipeline breach proves the VPN risk to infrastructure is very, very real

In May, we all witnessed a devastating cyberattack that crippled U.S. petroleum infrastructure. Apparently, the entirety of fuel distribution operations along the United States mid-Atlantic seaboard was vulnerable to one leaked VPN password.

Among the larger issues raised by the Colonial Pipeline breach  – for instance, the troubling reality that wide-scale industrial operations are easily disrupted because of the weak security of the systems supporting them – is the terrifying extent to which VPNs can threaten business continuity. We must keep saying it: By their very design, VPNs are vulnerable to attack and introduce extreme risk to an organization. For the sake of preventing the next Colonial Pipeline, it’s time to put VPNs out of their (and our) misery.

The U.S. Federal Government finally embraces Zero Trust

On the heels of the Colonial Pipeline attack and in rather uncoincidental timing, the Biden Administration issued an executive order with the lofty mission to improve the nation’s cybersecurity.

Under the terms of the EO, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) will design and produce a federal cloud service governance framework. The EO also calls for stricter protections for supply-chain operations (protections that Zscaler already provides, by the way). More encouraging is the Biden Administration’s willingness to employ Zero Trust best practices. That commitment to Zero Trust was also made evident in the National Institute of Standards and Technology’s (NIST) August 2020 codification of a Zero Trust Architecture standard. (Spoiler alert: The NIST standard basically describes the cloud-based architecture of the Zscaler Zero Trust Exchange.)

The temporary shift to a hybrid workforce didn’t turn out to be so temporary

We’re nearing the end of the second year of living in a COVID world. In 2020, Organizations were forced to pivot – quite aggressively, as it turns out – to a fully-remote workforce. All faced challenges. But those that embraced Zero Trust had a smoother go of it.

In the past year, we’ve seen the “new new” way of work evolve from fully remote to hybrid, with IT leaders supporting a mix of on-premise and remote workers. My colleague Lisa Lorenzin described this adjustment as a second “rebalancing.” As she noted, we continue to see accelerated digital transformation as organizations race to accommodate new operational realities. Agility is no longer just a best practice for securing the modern workforce. It’s a mandate. And what’s unequivocally clear is that Zero Trust is the best (and frankly, only viable) path forward.

Green security: Zscaler operations are now fully-powered by renewable energy

Just last month, Zscaler announced an incredible milestone: Its global data centers and offices are now 100% powered by renewable energy. The company achieved its green credentials by investing in directly-purchased renewable energy and renewable energy credits (RECs) for its offices and 150+ data centers that run the Zscaler Zero Trust Exchange. The impact to customers isn’t trivial: Organizations that switch to Zscaler from legacy appliance-based security infrastructure have the potential to reduce emissions by 75% or more.

The November announcement was just one of several “green” initiatives Zscaler pursued this year. In June, we held our inaugural “green security” event, a CXO Summit series event titled “Reducing the IT Carbon Footprint: The Case for Green Security.” In sessions for both North America and EMEA regions, IT leaders from Sunbelt Rentals, Caesars Entertainment Corp., Mondi Group, and SGS discussed the positive impact digital transformation had on their respective enterprise carbon footprints.

The ransomware business model has matured to a frighteningly “professional” extent

This year saw a sustained onslaught ofsuccessfulransomware attacks on high-profile enterprise targets. Cybersecurity pundits often sound like a broken record with ransomware coverage, but the truth is that ransomware continues to plague us because 1) it works and 2) it’s incredibly lucrative for threat actors.

Earlier this year, the Zscaler ThreatLabZ security research team released its annual ransomware assessment, “ThreatLabZ Ransomware Review: The Advent of Double Extortion.” Among the report’s more jarring findings was evidence of the rise of shared “Ransomware-as-a-Service (RaaS)” models. Threat actors (like the cybercriminals behind the DarkSide ransomware variant) build the ransomware service infrastructure and farm out the attacks themselves to smaller partner hackers. The RaaS model greatly expands the criminal web of cybercrime, bringing smaller players into the space. In addition, RaaS operations carry new risks for smaller enterprises: In the past, threat actors focused their attention on bigger targets, but expansion to smaller partners also means wider targeting of the SMB sector.

Threat groups are also “doubling-down” on their extortion: demanding a ransom to unlock stolen and encrypted proprietary data, and then ransoming it again under threat of public release. (Often they generate a third revenue stream by selling it anyway.)

In the ransomware report, the ThreatLabZ experts outline best practices for countering the ransomware threat. It bears repeating: An organization’s best defense against ransomware is to remove the cybercriminals’ incentive completely by adopting a Zero Trust solution like the Zscaler Zero Trust Exchange.

Women’s representation in cybersecurity continues to improve, but there’s still far to go

First, the not-so-good news: We all work in an industry that is woefully undiverse. The good news: Companies are prioritizing diversity, equity, and inclusion, and we’re making progress. But there’s still far to go.

Cybersecurity organizations that engage diverse perspectives provide more comprehensive solutions to strengthen a universal security posture. I’ve said it before, and I say it again: In 2022, I don’t want a seat at the cybersecurity table for an underrepresented voice. I want seats. 

We’re all in the cybersecurity fight together, and only by listening to each other can we work together to prevent the next big attack. In a year often characterized by the darkness of cyber chaos, I look to a brighter 2022 with a renewed, shared commitment to thwarting the bad guys. It is easier said than done, however, and I empathize with security leaders facing concurrent challenges such as burnout, churn, and the continued havoc caused by the COVID-19 pandemic on both the professional and personal sides. I urge everyone to lead with a healthy dose of positivity, understanding, and empathy as these human traits are what matter most.

What to read next 

With no end in sight for ransomware, experts zero in on solutions

Challenging generations-old beliefs key to advancing women in technology

What boards need to know: How identity and context underpin zero trust security