Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Best Practices

 

SHARED INTEL: What it takes to preserve business continuity, recover quickly from a cyber disaster

By Byron V. Acohido

To pay or not to pay? That’s the dilemma hundreds of organizations caught in the continuing surge of crippling ransomware attacks have faced.

Related: How ransomware became such a scourge

The FBI discourages it, as you might have guessed. What’s more, the U.S. Conference of Mayors this summer even passed a resolution declaring paying hackers for a decryption key anathema.

Yet there are valid arguments for what scores of municipalities and businesses caught with their networks frozen by extortionist hackers have been compelled to do: pay the ransom demand. Tech industry consultancy Forrester has even seen fit to issue guidance to help companies figure out whether paying the ransom demand might actually be their best option.

That pay or not to pay debate aside, there’s a more central question raised by the ransomware plague. Company decision makers need to be asking themselves this: just how good is their organization’s business continuity and disaster recovery preparedness?

This issue is in Mickey Bresman’s wheelhouse. Bresman is co-founder and CEO of Semperis, an identity-driven cyber resilience company based in the new World Trade Center in Lower Manhattan. Semperis helps companies running Microsoft Windows-based networks preserve and protect Active Directory, or AD.

AD is the administrative software that directs access to servers and applications across the breadth of Windows in tens of thousands of companies and agencies. As such it variably gets caught in the crossfire of ransomware strikes. It’s here that Semperis is helping companies build resiliency. I had the chance to visit with Bresman at Black Hat 2019. For a full drill down, please give a listen to the accompanying podcast. Here are key takeaways:

An attack scenario

Due to the ubiquitous use of Windows networks, Active Directory functions as the keys to the kingdom all across enterprise networks — in 90 percent of organizations. Hackers recognize this and so AD has become a favorite target. Here’s a scenario for how AD is factoring into ransomware attacks: …more

MY TAKE: The case for assessing, quantifying risks as the first step to defending network breaches

By Byron V. Acohido

It’s clear that managed security services providers (MSSPs) have a ripe opportunity to step into the gap and help small- to medium-sized businesses (SMBs) and small- to medium-sized enterprises (SMEs) meet the daunting challenge of preserving the privacy and security of sensitive data.

Related: The case for automated threat feeds analysis

Dallas-based Critical Start is making some hay in this space — by striving to extend the roles traditionally played by MSSPs. The company has coined the phrase managed detection and response, or MDR, to more precisely convey the type of help it brings to the table.

I had the chance to meet with Randy Watkins, Critical Start’s chief technology officer at Black Hat USA 2019. Since its launch in 2012, the company has operated profitably, attracting customers mainly in Texas, Oklahoma, Louisiana and Arkansas and growing to 131 employees.

With a recent $40 million Series A equity stake from Bregal Sagemount, and fresh partnerships cemented with tech heavyweights Microsoft, Google Chronicle and Palo Alto Networks, among others, Critical Start is on a very promising trajectory. It wants to grow nationally and globally, of course.

Even more ambitiously, the company wants to lead the way in pivoting network security back to a risk-oriented approach, instead of what Watkins opines that it has all too often become: a march toward meeting controls-based checklists. We had a fascinating discussion about this. For a full drill down, give a listen to the accompanying podcast. Here are excerpts, edited for clarity and length:

LW:  What’s the difference between taking a ‘risk-oriented’ versus a ‘controlled-based’ approach to security?

Watkins: Security really is the art of handling risk. We used to enumerate the risks that exist inside of an organization, try to assign a value to the impact it would have, if that risk was exploited. And then we’d assign either mitigation or acceptance or transference of the risk, based on potential impact and the probability that it would happen. …more

SHARED INTEL: Threat actors add a human touch to boost effectiveness of automated attacks

By Byron V. Acohido

Trends in fashion and entertainment come and go. The same holds true for the cyber underground.

Related: Leveraging botnets to scale attacks

For a long while now, criminal hackers have relied on leveraging low-cost botnet services to blast out cyber attacks as far and wide as they could, indiscriminately. Over the past 18 months or so, a fresh trend has come into vogue. It essentially involves applying hands-on human cleverness to the task of extracting highest value from assets gained in the automated sweeps.

British antimalware and network security vendor Sophos refers to this new tactic as “automated, active attacks.” Sophos Senior Security Advisor John Shier broke it down for me. We met at Black Hat 2019. For a full drill down, give a listen to the accompanying podcast. Here are the key takeaways:

Human touch

It has long been common practice to use botnets to blast out wave after wave of e-mails carrying tainted PDFs or Word docs, or a web link pointing to a booby-trapped page – and seeing who would bite. Lately, progressive criminal rings are taking a page out of the playbook of nation-state sponsored APT strikes — by adding more human nuances to their attacks.

“They may discover their targets through some sort of automated technique, which gets them a toehold into the company, or they might just simply go to Shodan (search engine) to discover open, available RDP hosts,” Shier told me. “Once they’re in the front door, now the humans get involved.”

Related: How ransomware became a scourge

Specialists get assigned to poke around, locate key servers and find stealthy paths to send in more malware. They’ll take more manual steps to encrypt servers, exfiltrate data – or do both.

“Cyber criminals are getting into the environment, elevating privileges as much as they can and moving laterally to other segments of the network,” Shier says. “And then, instead of encrypting one or two or ten machines, they’ll encrypt everything.”

The wave of catastrophic ransomware attacks that wrought tens of millions in recovery costs for the cities of Baltimore and Atlanta and prompted numerous small cities to pay six figure ransoms for decryption keys is a prime example of this, Shier says. …more

MY TAKE: Peerlyst shares infosec intel; recognizes Last Watchdog as a top cybersecurity influencer

By Byron V. Acohido

Sharing intelligence for the greater good is an essential component of making Internet-centric commerce as safe and as private as it needs to be.

Related: Automating threat feed analysis

Peerlyst is another step in that direction. Started by infosec professionals, Peerlyst takes the characteristics of B2B communications we’ve become accustomed to on Twitter and LinkedIn and directs it toward cybersecurity.

By signing up for Peerlyst, company decision makers focused on mitigating cyber risks, as well as vendor experts, academics and independent researchers, are provided with a personalized feed of content based on specific interests, as well as the topics and people you follow.

One fresh resource issued this week is a new eBook: 52 Influential Cyber Security Bloggers and Speakers, a …more

SHARED INTEL: Here’s one way to better leverage actionable intel from the profusion of threat feeds

By Byron V. Acohido

Keeping track of badness on the Internet has become a thriving cottage industry unto itself.

Related: ‘Cyber Pearl Harbor’ is upon us

There are dozens technology giants, cybersecurity vendors, government agencies and industry consortiums that identify and blacklist IP addresses and web page URLs that are obviously being used maliciously; and hundreds more independent white hat hackers are doing much the same.

This activity results in a rich matrix of overlapping threat feeds that, if all of the slices could somehow be combined, would present a heat map of an Internet throbbing with malicious traffic that unceasingly changes and steadily intensifies. Many of the badness trackers do, in fact, publish their blacklists for the greater good. This intel often gets leveraged by firewall suppliers who tap into a small selection of what they figure to be the most helpful threat feeds to configure their products.

Centripetal has gone several steps further. This 10-year-old cybersecurity services vendor pulls in threat feeds from some 90 plus sources, assigns a team of cybersecurity analysts to make sense of this intel, and then makes the output of this heavy lifting available to companies to help them better defend their networks. Byron Rashed, Centripetal’s vice president of marketing, broke this down for me. We had a chance to visit at Black Hat 2019. For a drill down of our conversation, give the accompanying podcast a listen. Here are key takeaways: 

Effective blocking

Centripetal’s CleanINTERNET service is built around correlating and analyzing threat feeds pulled in from some 90 commercial, government and open-source entities. The heavy lifting Centripetal does on behalf of its customers involves correlating billions of threat indicators to derive a set of robust correlation rules that, in turn, become the basis for which traffic is allowed to enter – or leave — a customer’s network.

This rule enforcement is done at Centripetal’s RuleGATE Threat Intelligence Gateway in such a way that minimizes false positives yet doesn’t sacrifice performance. Centripetal also delivers a Splunk-based SIEM (some clients opt for integration into their existing SIEM) that enables the client and Centripetal’s team of cyberthreat analysts to view events and work directly …more

MY TAKE: Poll shows senior execs, board members grasp strategic importance of cybersecurity

By Byron V. Acohido

A singular topic has risen to the top of the agenda in executive suites and board rooms all across the planet: cybersecurity.

Related: Security, privacy fallout of IoT

A recent survey by Infosys, a tech consulting and IT services giant based in Bangalore, India, quantifies the degree to which the spotlight has landed on cybersecurity in large organizations.

Infosys polled 867 senior officials from 847 firms in a dozen industries, each with at least $500 million in annual revenue; the companies are based in the US, Europe, Australia or New Zealand. Some 83% of respondents said they viewed cybersecurity as critical to their organization, while 66% of the companies reported having implemented a well-defined cybersecurity strategy.

What jumped out at me was that 60% of C-level executives and 48% of board members indicated they actively participated in formulating cybersecurity strategy. Just five years ago a participation level like this was more of an optimistic hope, than anything else. At least that’s what I took away from a memorable fireside chat I had, back then, with the late Howard Schmidt, former White House Cybersecurity Advisor under Presidents Bush and Obama.

Last week, I had the chance to sit down with Vishal Salvi, Infosys’ chief information security officer. We met at the Infosys Americas Confluence conference in Scottsdale, AZ, and had a well-rounded discussion about the drivers behind this new board-level awareness – and the going forward implications. For a full drill down, please give a listen to the accompanying podcast. Here are a few key takeaways:

Time to execute

Salvi walked me through other survey findings illustrating how pervasively a cybersecurity consciousness has taken hold in the upper echelons of the corporate sector. According to the Infosys poll, these items are on the front burner:

•The top concerns faced by enterprises are hackers and hacktivist (84 percent), low awareness among employees (76 percent), insider threats (75 percent), and corporate espionage (75 percent)

•Challenges in building a security aware culture combined with embedding security into design affects nearly two thirds of enterprises

•Across industries, cybersecurity is consistently viewed as critical in an enterprise’s digital transformation journey. Manufacturing emerged at the top (87 percent), followed by energy and utilities (85 percent), and banking, financial services and insurance (83 percent.) …more

NEW TECH: Baffin Bay Networks takes a ‘cloud-first’ approach to securing web applications

By Byron V. Acohido

Hear about the smart toaster that got attacked three times within an hour after its IP address first appeared on the Internet?

That experiment conducted by a reporter for The Atlantic crystalizes the seemingly intractable security challenge businesses face today.

Related: How 5G will escalate DDoS attacks

Caught in the pull of digital transformation, companies are routing ever more core operations and services through the Internet, or, more precisely, through IP addresses, of one kind or another. This trend has greatly expanded the attack surface for malicious botnets to automatically probe and infiltrate company networks, at scale. And in a double-whammy, the efficacy of legacy cybersecurity defenses — which were deployed, at great expense, mainly to protect on-premises data centers – by many measures is rapidly eroding.

I had the chance to discuss this with Joakim Sundberg, founder and CEO of a cybersecurity startup, Baffin Bay Networks, based in Stockholm, Sweden. We met at Black Hat USA 2019,  where Baffin Bay touted its cloud-first, full-stack suite of threat protection services.  For a full drill down on our conversation, give a listen to the accompanying podcast. Here are my key takeaways:

Formula for poor practices

Launched in 2017, Baffin Bay has attracted VC funding of $6.4 million and grown to 42 employees, winning customers in leading media firms, financial services companies and government agencies in the Nordics.

“We’ve been in production about 19 months and we have a 100 percent retention rate,” Sundberg told me. “We’re protecting about 220 different brands, everything from companies with two people and an app, to big European banks.”

There’s room for Baffin Bay’s cloud-first approach to security because in today’s cyber threat landscape, low hanging fruit – like the smart toaster — does not go unnoticed by threat actors for very long. The business equivalent of the toaster probe might well be two categories of automated attacks: Distributed Denial of Service (DDoS) attacks and SQL injection (SQLi) hacks. Both DDoS and SQLi have been around for quite some time, are well understood and, by now, should be well defended. …more