Happy New Year! It’s January 2023 and I am excited to share the next edition of the “CIO Two Cents” newsletter with you all. Read on for insights from me, Yvette Kanouff, Partner at JC2 Ventures, into what is on the mind of CIOs at this moment in time.

Cybersecurity remains a top risk for businesses in 2023.

We lose sleep over the worry we’ll be the target of tomorrow’s ransomware attack that risks damage to customer data, confidential information, brand reputation, and more. So, we diligently search through seemingly never-ending lists of new innovations and best practices to enhance our arsenal of cybersecurity countermeasures and ensure proper compliance and risk management. We implement endpoint protection, security information and event management (SIEMs), security orchestration, automation, and response (SOARs) – yet none of these actions help to make us feel much better about our ability to withstand the next cyberattack… the threats are changing every single day, and we are all worried about existing threats, as well as the next zero day attack. At the same time, CIOs are barraged with a constant need for run-the-business work that needs to be prioritized.

One thing that is of particular concern to me is the patching problem for legacy systems. The easy thing to say is ‘just move to cloud’. I am guilty of saying this all the time. Any CIO with significant legacy systems will tell you this is easier said than done, given the complexity of transitioning some of these large, integrated systems to a modern solution. Many industries, like government, banking, and financial institutions, still rely on legacy systems despite the many promises and security benefits of the cloud.

So, what do we do in the interim, until we complete our modernization? This problem is especially difficult when CIOs are faced with end-of-support notices, constant patching, lack of in-depth telemetry and more.

Endpoint protection and response (EDR) continues to be critical to businesses. As we all know, EDR platforms protect us by finding known threats that come in through the endpoint, investigating potential threats with tools such as anomaly detection, behavioral analytics, and responding with the help of threat intelligence and data analytics. An EDR deletes malware, stops attacks, isolates systems, and many other things to help stop an attack at the endpoint instead of letting it penetrate further. There are some great EDRs in the industry – I’m sure you all have your favorite.

Then there is Extended Detection and Response (XDR), which helps unify our individual security tools beyond the endpoint (e.g., Cloud, network, SIEM, external data) to deliver even more detection and telemetry. AI is used in many EDR and XDR solutions these days. XDRs in particular are a nice addition to our industry because we get “one pane of glass” for telemetry analysis and response. If we want more, there are MDRs, where we can have a managed detection and response environment (i.e., monitoring, detection, and response as a service).

Even with great EDR vendors like Crowdstrike, TrendMicro, SentinelOne, Microsoft, and more, plus SIEM vendors like Microsoft, IBM, Splunk, Securonix, Exabeam, and others, one thing I find missing is great solutions to the legacy problem I mentioned earlier. How do I protect what’s not in the cloud? Many companies need to protect legacy workloads.

Organizations should demand a deeper layer of protection for workloads to manage application dependencies and components during runtime to maintain provenance, integrity, as well as authorization to protect against known and unknown zero-day vulnerabilities. It’s the unknown (i.e., tomorrow’s zero-day exploit) that I’m interested in, and I want that protection with zero dwell time (i.e., the time in which an attacker has free reign once they manage to penetrate a system). Most of us measure the days between security patch availability and update installation. This vulnerable time gives hackers an opening to attack. What’s more, many legacy systems no longer receive patches for security vulnerabilities – a cause for even more concern. These scenarios help explain why we must take a proactive approach to thwarting the cyberattack of tomorrow, regardless of the age of our digital infrastructure, and we must focus on bring the unprotected dwell time down to milliseconds instead of days.

Consequently, I am looking at startup innovations that address host protections and application Intent. This comes at security a very different way, looking at the integrity of the implementation of files, memory, and more. If the application’s intent is broken, then we can take business rule steps such as stopping the application, traffic, alarming, allow-listing, etc.

This is how Virsec, a JC2 Ventures investment, protects workloads, which is a really neat way of creating customized security. They run Breach and Attack Simulators (BAS) to try to infiltrate a workload itself, looking at workload design and purpose from the developer – if the developer’s intent is broken, then it’s something potentially malicious. With some legacy systems that can no longer (or simply don’t) get patched, workload protection becomes immensely important. There are 560K new malware detected daily, Virsec’s testing has shown that they stopped attacks at double the rate of EDRs (high 90% vs. mid 40%) with close to zero dwell time. The company targets modern workloads, but at the same time, it happens to offer a fabulous solution for our legacy system problem. Since there are few options available in this space, at least we have a solution that helps us with the “can’t-patch” issue until we can migrate our servers and applications to the cloud or otherwise.

There are not a lot of other solutions specific to legacy systems. There are certainly firewalls and upstream products, but I think focusing on the legacy server attack surface is something we cannot ignore. In the modern cloud space, we have application security solutions, but that doesn’t help our aging on-prem systems. Digitizing is always a goal, but we still have to manage the older platforms until then.