Privacy
RSAC insights: Deploying SOAR, XDR along with better threat intel stiffens network defense

By Byron V. Acohido

Much attention has been paid to the widespread failure to detect the insidious Sunburst malware that the SolarWinds hackers managed to slip deep inside the best-defended networks on the planet.

Related: The undermining of the global supply chain

But there’s also an encouraging ‘response’ lesson SolarWinds teaches us, as well.

Reacting to the disclosure of this momentous supply-chain hack, many of the breached organizations were able to deploy advanced tools and tactics to swiftly root out Sunburst and get better prepared to repel any copycat attacks. It was an opportunity to put their security orchestration, automation and response (SOAR) solutions, as well as endpoint detection and response (EDR) tools, to the test.

In that sense, SolarWinds validated the truckloads of investment that have been poured into developing and deploying SOAR and EDR innovations over the past five years. I had the chance recently to visit with Leon Ward, Vice President of Product Management at ThreatQuotient, provider of a security operations platform with multiple use cases, including serving as a threat intelligence platform (TIP). We discussed current developments that suggest SOAR and EDR will continue to improve and make a difference.

For a full drill down on our conversation, please give the accompanying podcast a listen. Here are my key takeaways:

Leveraging richer intel

It was by happenstance that analysts at FireEye, a leading supplier of intrusion detection systems, stumbled into a copy of the Sunburst Trojan ever-so-stealthily embedded in FireEye’s own copy of SolarWinds’ Orion network management software. That was on Dec. 13, 2020.

RSAC insights: Sophos report dissects how improved tools, tactics stop ransomware attack

By Byron V. Acohido

A new report from Sophos dissects how hackers spent two weeks roaming far and wide through the modern network of a large enterprise, getting into a prime position to carry out what could’ve been a devastating ransomware attack.

Related: DHS embarks on 60-day cybersecurity sprints

This detailed intelligence about a ProxyLogon-enabled attack highlights how criminal intruders are blending automation and human programming skills to great effect. However, in this case, at least, they were detected and purged before hitting paydirt, demonstrating something that doesn’t get discussed often enough.

Enterprises actually have access to plenty of robust security technology, as well as proven tactics and procedures, to detect and defuse even leading-edge, multi-layered attacks. It’s clear to me that cybersecurity technical innovation and supporting frameworks, which include wider threat intelligence sharing, are taking hold and making a material difference, albeit incrementally.

I had a lively discussion with Dan Schiappa, Sophos’ chief product officer, about this. For a drill down, please give the accompanying podcast a listen. Here are the key takeaways:

Exploit surge

ProxyLogon refers to the critical vulnerability discovered in Microsoft Exchange mail servers early this year. Criminal hacking rings have been hammering away at this latest of a long line of zero-day flaws discovered in a globally distributed system. The pattern is all too familiar: they marshal their hacking infrastructure to take advantage of the window of time when there is a maximum number of vulnerable systems just begging to be hacked.

RSAC insights: CyberGRX finds a ton of value in wider sharing of third-party risk assessments

By Byron V. Acohido

The value of sharing threat intelligence is obvious. It’s much easier to blunt the attack of an enemy you can clearly see coming at you.

Related: Supply chains under siege.

But what about trusted allies who unwittingly put your company in harm’s way? Third-party exposures can lead to devastating breaches; just ask any SolarWinds first-party customer.

So could sharing intelligence about third-party suppliers help?

With RSA Conference 2021 technical sessions getting underway today, I sat down with Fred Kneip, CEO of CyberGRX, to hash over the notion that a lot of good could come from more systematic sharing of the risk profiles that large enterprises routinely compile with respect to their third-party contractors.

For a full drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

The genesis of risk-profiles

It turns out there are a ton of third-party risk profiles sitting around not being put to any kind of high use. Back in the mid-1990s, big banks and insurance companies came up with something called “bespoke assessments” as the approach for assessing third-party vendor risk.

This took the form of programmatic audits. In order to get the blessing of financiers and insurers, enterprises had to set up systems to get their third-party suppliers to fill out extensive risk-profile questionnaires; and this cumbersome process had to be repeated on a periodic basis for as many contractors as they could get to.

CyberGRX launched in 2016 as a clearinghouse for companies to pool and share standardized assessment data and actually analyze the results for action. The idea was to benefit both the first-party contractors and the third-party suppliers, Kneip says. Thus, the Fortune 1,000 companies who collected and consumed the security profiles of major suppliers could see and analyze that data in aggregate and thus conduct a much higher level of risk analysis.

MY TAKE: How consumer-grade VPNs are enabling individuals to do DIY security

By Byron V. Acohido

Historically, consumers have had to rely on self-discipline to protect themselves online.

Related: Privacy war: Apple vs. Facebook.

I’ve written this countless times: keep your antivirus updated, click judiciously, practice good password hygiene. Then about 10 years ago, consumer-grade virtual private networks, or VPNs, came along, providing a pretty nifty little tool that any individual could use to deflect invasive online tracking.

Consumer-grade VPNs have steadily gained a large following. And over the past two to three years, adoption has climbed steeply.

It only recently dawned on me that this rise in popularity of VPNs is probably directly related to the chaotic social unrest, not to mention the global health crisis, we’ve all endured over the past few years.

We’ve become accustomed to hunkering down. As part of this mindset, more consumers are subscribing to a personal VPN service, which they use to shield themselves from disinformation sweeps and to protect themselves from Covid-19-related hacks and scams.

SHARED INTEL: Report details how cyber criminals leverage HTTPS TLS to hide malware

By Byron V. Acohido

Google was absolutely right to initiate a big public push a couple of years ago to make HTTPS Transport Layer Security (TLS) a de facto standard.

Related: Malicious activity plagues the cloud services

At the time, in the spring of 2018, only 25 percent of commercial websites used HTTPS; today adoption is at 98 percent and rising. Far beyond just protecting websites, TLS has proven to be a linchpin of network-level communications across the board.

Guess who else has been leveraging TLS? Threat actors quickly figured out how to adapt TLS to their purposes. An intelligence report released today by Sophos illustrates just how widely TLS has come to be used by cyber criminals to hide their malicious activity.

From January through March 2021, TLS concealed 45 percent of the malware Sophos analysts observed circulating on the Internet; that’s double the rate – 23 percent – seen in early 2020, Dan Schiappa, Sophos’ chief product officer, told me in a briefing. TLS, he says, is increasingly being used to cloak a wide array of the operational steps behind the most damaging attacks of the moment, namely ransomware attacks and massive data breaches.

This surge in TLS abuse has shifted the security community’s focus back to a venerable network security tool, the firewall.

MY TAKE: GraphQL APIs rev up innovation – but also introduce a potential security nightmare

By Byron V. Acohido

The software developers who are creating the coolest new mobile apps have a secret weapon. It’s called GraphQL.

Related: How APIs expand the attack surface

GraphQL is a leading-edge approach to deploying APIs, the software conduits that mesh together all of the digital services we use every day and have come to take for granted.

Like every other Internet breakthrough, GraphQL comes with a security tradeoff. A big one. API deployments — and API security vulnerabilities — have been exploding exponentially for the past decade. It should come as no surprise that businesses have glommed onto the data sharing and monetizing benefits of APIs while overlooking the security ramifications of APIs left unprotected.

Now along comes GraphQL, touted as a pathway to new horizons of business agility and user experiences, but also introducing a vast new tier of security exposures – all at the API level. Going forward, what we do about API security, generally – and these new GraphQL data exposures, in particular — will determine the level of privacy and security – or insecurity – we’ll all have to live with.

Quixotically, GraphQL comes to us courtesy of Facebook. In 2015, the social media giant released GraphQL as an open source project. “GraphQL was our opportunity to rethink mobile app data-fetching from the perspective of product designers and developers,” wrote Facebook’s Lee Byron in a blog post. “It moved the focus of development to the client apps, where designers and developers spend their time and attention.”

We’re still early in the adoption curve for GraphQL, but adoption appears to be on a steep trajectory. At the data layer,

ROUNDTABLE: Mayorkas’ 60-day cybersecurity sprints win support; also a prove-it-to-me response

By Byron V. Acohido

The Biden Administration is wasting no time fully re-engaging the federal government in cybersecurity.

Related: Supply-chains become top targets

Homeland Security Secretary Alejandro Mayorkas has assumed a very visible and vocal role. Mayorkas has been championing an extensive portfolio of initiatives to rally public-private collaboration to fend off cyber criminals and state-sponsored threat actors.

The need is great, of course. The SolarWinds hack and Microsoft Exchange breach, not to mention the latest rounds of massive thefts of personal data from Facebook and LinkedIn, demonstrate this in spades.

Mayorkas announced a series of 60-day sprints to quell ransomware and to bolster the cyber defenses of industrial control systems, transportation networks and election systems. Mayorkas also pledged to increase the diversity of the Cybersecurity and Infrastructure Security Agency’s workforce, noting that roughly a third of CISA’s workers are part of minority groups.

This reminds me of how President Obama used his bully pulpit back in 2015 to promote accelerated sharing of threat intelligence and to push for a consumers’ bill of rights for online privacy.