Most of the time, when you detect questionable activity on a device, the answer is simple: pave and reimage. Threat actors inside your infrastructure are a different matter, and protecting supply chains and critical infrastructure is now imperative. The old break-fix-or-mitigate posture has become one of active defense: combat and protect.
With so many new threats, acting is not only necessary for every business; sitting idle and expecting current safeguards to be enough is foolish. MITRE, CISA, and Microsoft have all called for or launched new initiatives to help businesses build more resilient and robust cybersecurity.
Let’s review these new guidelines to understand more about them.
A Call to Action
Cybersecurity & Information Security Agency (CISA), Microsoft and MITRE are all putting out a call to action. While each has a specific initiative, they are all seeking to secure environments to keep organizations, employees, and customer information safe from cybercriminals.
holding software developers accountable for the vulnerabilities threat actors leverage to carry out their cyberattacks. This call to action comes on top of the work cybersecurity professionals have been doing to help developers establish more secure software development infrastructures.
US Cybersecurity & Information Security Agency (CISA)
In December 2023, CISA announced its Secure by Design initiative, which calls on developers to ensure the principles under the initiative are implemented at every phase of each product’s development to reduce exploitable flaws before they reach the public marketplace.
Additionally, it requires developers to ensure their products are securely configured and safe right out of the box. These should include multifactor authentication (MFA), single sign-on (SSO), and logging, without any additional cost.
In its May 8th press release, CISA announced that 68 international software manufacturing leaders committed to designing more secure products by following CISA’s Secure by Design initiative.
The software development organizations participating in CISA’s Secure by Design initiative are pledging to show quantifiable advances towards seven goals in the next 12 months. In doing so, CISA says they are not only securing the technology that critical infrastructure depends on, but they are also helping to protect American consumers.
The organizations taking the pledge commit to the goals set by CISA for these security protections:
Multi-factor authentication (MFA)
Demonstrate business actions taken that will measurably increase the use of multi-factor authentication across products within the next 12 months.
Default passwords
Reduce the use of default passwords across products within 12 months.
Reducing entire classes of vulnerability
Within the next 12 months, demonstrate the steps taken to lower the prevalence of vulnerability classes in all products.
Security patches
Within the next 12 months, demonstrate the techniques and steps taken to enhance the prompt installation of security patches.
Vulnerability disclosure policy
A vulnerability disclosure policy for each of the company’s products should be developed and published within the next 12 months.
CVEs
Show transparency in reporting vulnerabilities over the course of the next 12 months.
Evidence of intrusions
Showcase improvements in the next 12 months to allow customers to collect proof of cybersecurity breaches related to product use.
According to the CISA website, the pledge aims to enhance and expand upon current best practices for software security. These consist of industry and worldwide best practices, as well as software created by CISA, NIST, and other federal agencies.
Microsoft: Secure Future Initiative
In November 2023, Microsoft launched its Secure Future Initiative to help organizations prepare and defend themselves against the unending line of cyberattacks that continue to evolve and scale.
Microsoft says the Department of Homeland Security’s Cyber Safety Review Board (CSRB)’s findings regarding the Storm-0558 cyberattack clearly show how severe cybersecurity attacks are becoming.
The Secure Future Initiative
To guide the process of its initiative, Microsoft has set three security principles.
- Secure by design
- Secure by default
- Secure operations
Microsoft has aligned these principles with six prioritized security pillars to give more visibility into its overall initiative. According to Microsoft’s Secure Future Initiative site, these include:
1. Protect Identities and Secrets
Reduce the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructures, as well as user and application authentication and authorization.
2. Protect tenants and isolate production systems
3. Protect networks
Protect Microsoft production networks and implement network isolation of Microsoft and customer resources.
4. Protect engineering systems
Protect software assets and continuously improve code security through governance of the software supply chain and engineering systems infrastructure.
5. Monitor and detect threats
Comprehensive coverage and automatic detection of threats to Microsoft production infrastructure and services.
6. Accelerate response and remediation
Prevent exploitation of vulnerabilities discovered by external and internal entities, through comprehensive and timely remediation.
Microsoft concludes that it has implemented this initiative to earn and maintain trust with its customers. Further, it feels a deep sense of responsibility to do its part to keep the world safe and secure. Continuing to improve and adapt to the changing landscape of cybersecurity is job one for Microsoft.
MITRE: Solving Problems for a Safer World
In January 2024, a nation state threat actor compromised over 1700 organizations, and MITRE was one of them. The threat actor leveraged a zero-day vulnerability in Ivanti Connect Secure, a product organizations use to connect to many trusted networks, and bypassed multifactor authentication by hijacking remote sessions. MITRE revealed the attack on its Networked Experimentation, Research, and Virtualization Environment (NERVE) in April 2024, with blog posts containing all the details.
Despite following best practices, US Government (CISA) advice, and the vendor’s instructions to upgrade, harden, and replace its Ivanti system, MITRE still fell short of resolving the vulnerabilities and protecting its network.
On May 24th, MITRE concluded its investigation with a call to action. Under its mission of “Solving problems for a safer world,” MITRE says solutions to combat threats must be more sophisticated. To that end, MITRE is calling on the industry to:
- Advance Secure by Design principles to make hardware and software secure right out of the box.
- Operationalize supply chains by utilizing the software bill of materials (SBOM) ecosystem. Doing so will provide greater understanding of the threats in upstream software.
- Deploy zero-trust architectures that include not only multifactor authentication but also micro-segmentation of networks.
- Adopt adversary engagement as a routine part of cyber defense to provide both detection and deterrence to adversaries.
Finally, MITRE says we need to keep pace with the advances threat actors are making and the new techniques they use by developing new security solutions. Working together, the industry can develop and deploy these.
Final Thoughts
Although the “calls to action” sound reasonable and are good ideas, developers don’t create vulnerabilities on purpose. Software companies do spend time trying to design secure products.
The threat landscape is just too large for the crowd to solve. This is like crowdsourcing a moon landing. We don’t see the landscape shrinking without a different kind of federal investment into securing our nation’s businesses and infrastructure from cyber threats.
What that looks like in practice, we’re not certain. Should secure endpoints for SMBs be a public good? Our experts say they just don’t know.