JOE NELSON JOINS SECUVANT AS VICE PRESIDENT OF MANAGED SERVICES

Salt Lake City, UT (August 3, 2017) – Secuvant, an independent cyber security risk management and managed detection and response firm, today announced that Joe Nelson has joined the company as Vice President of Managed Services. Joe has over 20 years of experience in technical project management and IT operations with amazing skills and experience adding efficiencies to complex processes. Joe will be working directly with Secuvant clients to deliver Secuvant’s enterprise grade cyberMDR Managed Detection and Response services along with Secuvant’s unique risk management program based on the Secuvant Cyber-7™.

“Joe brings an amazing operational skill set to Secuvant managed services that will help our clients see the true business value of cyber security,” said Todd Neilson, President and COO of Secuvant. “Joe’s client facing skills, process automation experience and technical ability is the right combination to deliver on the high-touch model our clients are used to. Joe allows Secuvant to manage our hyper-growth while maintaining an excellent client experience.”

Prior to joining Secuvant, Joe spent over twelve years as an Enterprise Network Service Manager for the LDS Church, managing global network projects, driving excellence into life-cycle programs, and mapping service improvements and demand management. Joe also has a technical background as an engineer, having spent time at Cutthroat Communications and Avalanche Net Wireless.

“This is a great opportunity for me to join a fast-paced, fast-growing company in the dynamic cyber security space,” said Joe. “Secuvant has something special and unique in how we offer security services that is based on business risk, and not just throwing tools at the problem. I am looking forward to working with Secuvant’s current clients to achieve excellence using the Cyber-7™ methodology, along with helping new companies get real business value as they join Secuvant’s managed services.”

About Secuvant: Secuvant is unique in its product-independent, vendor-agnostic approach to cyber security, uniquely focusing on the Secuvant Cyber-7™ business priorities. Secuvant is one of the fastest-growing companies in Utah providing business-driven cyber security solutions to the SMB market, including gap and risk assessments, risk management programs, and a complete managed detection and response service, delivered from its state-of-the-art security operations center. Secuvant provides a complete team, tools, technology and processes, and in most cases, all for less than the cost of hiring internal resources.

# # #

If you would like more information about this topic, please contact Jeff Smith, EVP Business Development at 855-SECUVANT or email at JSmith@Secuvant.com.

CYBER SECURITY EXPERT AND ATTORNEY MATT SORENSEN JOINS SECUVANT AS CISO & VP OF RISK MANAGEMENT

Salt Lake City, UT (July 27, 2017) – Secuvant, an independent cyber security risk management and managed detection and response firm, today announced that Matt Sorensen has joined the company as its new Chief Information Security Officer and Vice President of Risk Management. Matt brings 17 years of security experience, over 17 professional certifications in cyber security and 6 years as an Attorney to Secuvant. Sorensen will be leading the Secuvant cyberRPM practice that is focused on bringing real value to businesses through Secuvant’s unique Cyber-7™ risk management methodology.

“Having someone as skilled and well respected as Matt join the Secuvant management team is nothing short of incredible,” said Ryan Layton, CEO and co-founder of Secuvant. “Matt has a very unique combination that is rare to find in cyber security, that being business, legal and technical. He has proven to many businesses and their executives that he is the go-to guy when it comes to cyber risk advisory, and now he can add the Secuvant Cyber-7 methodology that just puts client benefits over the top.”

Prior to joining Secuvant, Matt was an attorney with Holland and Hart in Salt Lake City, focused on managing data breach events, overseeing incident response and investigation teams for clients, and helping commercial data breach victims prepare civil claims against negligent data custodians and processors. In addition, Matt has worked for the LDS Church as an IT Compliance Officer, for US Bank and Bank of America in information security roles, and in KPMG’s risk advisory practice. “Secuvant starts by helping executives understand that security is a business risk and not just a technical one,” said Matt. “I am excited to deliver value to our clients using the Cyber-7™ process which is like nothing I’ve seen before. That is what attracted me to Secuvant. The way they help businesses address growing security threats while enabling revenue and lowering risks and costs, is unique in the marketplace.”

About Secuvant: Secuvant is unique in its product-independent, vendor-agnostic approach to cyber security, uniquely focusing on the Secuvant Cyber-7™ business priorities. Secuvant is one of the fastest-growing companies in Utah providing business-driven cyber security solutions to the SMB market, including gap and risk assessments, risk management programs, and a complete managed detection and response service, delivered from its state-of-the-art security operations center. Secuvant provides a complete team, tools, technology and processes, and in most cases all for less than the cost of hiring internal resources.

Why Automation Isn't Everything in Cyber Security

Everything is becoming more automated, but what does this really mean or look like for SecOps? How do you evolve with automation while still keeping your analysts?

By Kumar Saurabh, Contributor, CSO

With the latest advancements in automation and AI, many CISOs are recognizing the potential for automation to transform security operations. Given the way many technology vendors hype their solutions, you could be forgiven for thinking humans should be removed from security flows to the greatest extent possible. But, you would be wrong!

On the contrary, security analysts are not only an important part of the security process, they are THE most important part. So, when you think of automation, you should think of it not as a way of replacing security analysts, but rather as a way of empowering them to do more of what they do best. This is an important distinction.

More automation does not mean a smaller analyst role

The fact is, automation is not a panacea. Certainly, the early and rudimentary forms of automation our industry has seen in the past decade have fallen short of their promise. SIEM systems allow you to collect lots of log data, but the growth in data means ever-increasing amounts of backlog to process. Those same systems, with their inflexible, rules-based approach to threat detection, overwhelm analysts with torrents of false positives.

To make things worse, there are still far too many false negatives and intrusions that get by undetected. No matter what an automation vendor tells you, humans are still the absolute best at identifying previously unknown threats. However, we just can’t do it at scale.

Solving the cybersecurity crisis can’t start with the assumption humans should be automated out of the system - in fact, it should be quite the opposite. In an ideal configuration, human analysts are at the center of everything, supported with advanced automation tools that can make sense of the torrents of data being generated and allowing them to make the types of nuanced decisions that will take a very long time to yield to technology.

Uniting analyst and machine

Some new generation solutions are purely focused on AI and machine learning. The promise is you turn it on in your environment and after a few days of the system learning on its own, it will be able to detect all the bad stuff. However, these systems suffer from a fatal flaw: missing the business context, adaptability and explainability needed to be truly effective.

What do human analysts know better than any system or, more importantly, any intruder? They know their own environment and the enterprise context, as well as having an intuition about how their system operates and what is normal versus what is questionable. Humans also adapt quickly to fast changing conditions and can always explain why they did something. On the other hand, humans cannot scale and could struggle with mistakes and inconsistencies. Machines, as we know, are exponentially faster and consistent.

The ideal system is still one that unites analyst and machine, augmenting the intelligence of a security analyst with the automation scale of a machine. To achieve this, we need the right kind of automation.

There are different types of automation. As explained by Harvard Business Review, basic robotic process automation handles routine and repeatable tasks; it can scale some of the motions of an analyst, but it cannot scale intelligence. Cognitive automation, on the other hand, can handle decision making around the severity of an alert by evaluating the full context of all data surrounding an event. Cognitive automation by itself, however, is not sufficient. To avoid the pitfalls of a “black box,” automation needs to be complemented by analysts’ input and feedback on a continuous basis.

Technology that supports a human-centric approach to automation

Recent technologies now make it possible to play to analysts’ strengths far more effectively. The next generation of automation technology allows analysts to feed their tribal knowledge about context and environment easily into the machine learning system, without requiring large training data sets. In addition to drastically increasing efficacy, this allows a properly designed system to adapt and evolve flexibly as context and environment change. The analyst is in charge, and the machine dutifully mimics and executes what the analysts would do, only at extreme scale.

The right automation

Security automation doesn’t mean removing analysts from the equation. Instead, good security automation is about empowering your analysts to force multiply their efforts, aiding them to be more productive and satisfied in their jobs, and freeing them to tackle the most challenging threats. With the right technologies and processes in place, your secops dream team can become a tag team of expert human security analysts plus virtual security analysts powered by cognitive automation.

HTTPS scanning in Kaspersky exposed users to MITM attacks

From: CSOonline.com By: Lucian Constantin

Security vendor Kaspersky Lab has updated its antivirus products to fix an issue that exposed users to traffic interception attacks.

The problem was found by Google vulnerability researcher Tavis Ormandy in the SSL/TLS traffic inspection feature that Kaspersky Anti-Virus uses to detect potential threats hidden inside encrypted connections.

Like other endpoint security products, Kaspersky Anti-Virus installs a self-signed root CA certificate on computers and uses it to issue "leaf," or interception, certificates for all HTTPS-enabled websites accessed by users. This allows the product to decrypt and then re-encrypt connections between local browsers and remote servers.

Ormandy found that whenever the product generates an interception certificate it calculates a 32-bit key based on the serial number of the original certificate presented by the website and caches this relationship. This allows the product to present the cached leaf certificate when the user visits the same website again instead of regenerating it.

The problem, according to Ormandy, is that a 32-bit key is very weak and an attacker could easily craft a certificate that matches the same key, creating a collision.

He described a possible attack as follows: "Mallory wants to intercept mail.google.com traffic, for which the 32bit key is 0xdeadbeef. Mallory sends you the real leaf certificate for mail.google.com, which Kaspersky validates and then generates its own certificate and key for. On the next connection, Mallory sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (let's say attacker.com). Now Mallory redirects DNS for mail.google.com to attacker.com, Kaspersky starts using their cached certificate and the attacker has complete control of mail.google.com."

This implies that the attacker -- Mallory in Ormandy's example -- has a man-in-the-middle position on the network that allows him to redirect the user accessing mail.google.com via DNS to a rogue server under his control. That server hosts and presents a certificate for a domain called attacker.com.

Under normal circumstances the browser should display a certificate error, because the certificate for attacker.com does not match the mail.google.com domain accessed by the client. However, since the browser will actually see the interception certificate generated by Kaspersky Anti-Virus for mail.google.com, and not the original one, it will establish the connection without any error.

The 32-bit key is so weak that certificate collisions would also occur naturally during normal browsing. For example, Ormandy found that the valid certificate used by news.ycombinator.com has the same 32-bit key calculated by Kaspersky Anti-Virus as the certificate for autodiscover.manchesterct.gov.

According to the researcher, Kaspersky Lab pointed out that there is an additional check being performed on the domain name in addition to the 32-bit key. This makes attacks harder, but not impossible.
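The two design points in the paragraphs above, that a 32-bit cache key collides by the birthday bound during ordinary browsing and that a cache keyed that way will hand back a leaf generated for a different upstream certificate, can be checked in a small simulation. The code below is an added example for this article, not Kaspersky's code or Ormandy's proof of concept; it assumes the 32-bit key is the first four bytes of a SHA-256 of the serial (the article only says the key is "based on the serial number"), and it contrasts that with a cache bound to the full certificate fingerprint plus the requested hostname.

```python
"""Simulated TLS-interception leaf cache keyed two ways (added example, not vendor code)."""
import hashlib
from dataclasses import dataclass
from functools import lru_cache


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an upstream server certificate with only the fields used here."""
    hostname: str
    serial: int
    issuer: str = "Example CA"


def fingerprint(cert: Cert) -> str:
    """Full SHA-256 over the whole (simulated) certificate, standing in for a DER fingerprint."""
    data = f"{cert.issuer}|{cert.serial}|{cert.hostname}".encode()
    return hashlib.sha256(data).hexdigest()


def weak_key(cert: Cert) -> int:
    """32-bit key derived from the serial alone. The exact derivation is an assumption."""
    digest = hashlib.sha256(cert.serial.to_bytes(20, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def strong_key(cert: Cert) -> tuple:
    """Hardened key: the full fingerprint bound to the hostname the client asked for."""
    return (cert.hostname, fingerprint(cert))


class InterceptionCache:
    """Maps a cache key to the interception leaf generated for the upstream certificate."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def leaf_for(self, cert: Cert) -> str:
        """Return the cached leaf for this upstream cert, generating one on a miss."""
        k = self.key_fn(cert)
        if k not in self.store:
            # The leaf records which upstream cert it was minted for.
            self.store[k] = f"leaf-for:{cert.hostname}#{cert.serial}"
        return self.store[k]


def expected_collisions(n: int, bits: int = 32) -> float:
    """Birthday estimate: expected number of colliding pairs among n random keys of `bits` bits."""
    return n * (n - 1) / 2 / 2 ** bits


@lru_cache(maxsize=None)
def find_colliding_serials(limit: int = 2_000_000) -> tuple:
    """Walk sequential serials until two share a 32-bit weak key; returns (serial_a, serial_b).

    By the birthday bound this takes on the order of 2**16 hashes, which is why
    the article reports collisions between unrelated real-world sites."""
    seen = {}
    for serial in range(1, limit):
        k = weak_key(Cert("placeholder", serial))
        if k in seen:
            return seen[k], serial
        seen[k] = serial
    raise RuntimeError("no collision found within limit")


def serves_stale_leaf(key_fn) -> bool:
    """Cache a leaf for one site, then look up a different site's cert whose serial
    collides under the weak key. True means the cache returned the first site's leaf."""
    serial_a, serial_b = find_colliding_serials()
    real_site = Cert("mail.example.com", serial_a)
    other_site = Cert("other.example.net", serial_b)
    cache = InterceptionCache(key_fn)
    first = cache.leaf_for(real_site)
    second = cache.leaf_for(other_site)
    return first == second


if __name__ == "__main__":
    print("expected colliding pairs among 100k certs:", round(expected_collisions(100_000), 2))
    print("weak 32-bit key serves stale leaf:", serves_stale_leaf(weak_key))
    print("fingerprint+hostname key serves stale leaf:", serves_stale_leaf(strong_key))
```

The birthday estimate is the useful number for a reviewer: with roughly a hundred thousand distinct certificates seen, a 32-bit key is expected to collide about once, so the news.ycombinator.com / autodiscover.manchesterct.gov collision above is unsurprising rather than unlucky. Adding a hostname check to the weak key, as the vendor's additional check does, removes cross-host collisions but still leaves the cache trusting a 32-bit summary of a certificate it already validated in full; keying on the full fingerprint and the requested hostname makes the cache lookup only as strong as the validation that preceded it.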

"We were able to come up with alternative attacks that still worked and Kaspersky resolved it quickly," Ormandy said in an advisory made public Wednesday. The company fixed the issue on Dec. 28, he said.

Security vendors justify their SSL/TLS interception practices through a legitimate need to protect users from all threats, including those served over HTTPS. However, their implementations have often resulted in security issues. That's because performing certificate validation correctly is not easy and is something that browser vendors themselves have perfected over many years.

4 Information Security Events that will Dominate 2017

From: CSOonline.com By: Thor Olavsrud

As with previous years, 2016 saw no shortage of data breaches. Looking ahead to 2017, the Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management, forecasts businesses will face four key global security threats in 2017.

"2016 certainly lived up to expectations," says Steve Durbin, managing director of the ISF. "We saw all sorts of breaches that just seemed to get bigger and bigger. We lurched from one to another. We always anticipate some level of it, but we never anticipate the full extent. I don't think anybody would have anticipated some of the stuff we've seen of late in terms of the Russians getting involved in the recent elections."

The ISF says the top four global security threats businesses will face in 2017 are the following:

  1. Supercharged connectivity and the IoT will bring unmanaged risks.
  2. Crime syndicates will take a quantum leap with crime-as-a-service.
  3. New regulations will bring compliance risks.
  4. Brand reputation and trust will be a target.

"The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organizations," Durbin says. "In 2017, we will see increased sophistication in the threat landscape with threats being tailored to their target's weak spots or threats mutating to take account of defenses that have been put in place. Cyberspace is the land of opportunity for hacktivists, terrorists and criminals motivated to wreak havoc, commit fraud, steal information or take down corporations and governments. The solution is to prepare for the unknown with an informed threat outlook. Better preparation will provide organizations of all sizes with the flexibility to withstand unexpected, high-impact security events."

The top four threats identified by the ISF are not mutually exclusive. They can combine to create even greater threat profiles.

Supercharged connectivity and the IoT bring unmanaged risks

Gigabit connectivity is on the way, and it will enable the internet of things (IoT) and a new class of applications that will exploit the combination of big data, GPS location, weather, personal health monitoring devices, industrial production and much more. Durbin says that because connectivity is now so affordable and prevalent, we are embedding sensors everywhere, creating an ecosystem of embedded devices that are nearly impossible to secure.

Durbin says this will raise issues beyond privacy and data access: It will expand the threat landscape exponentially.

"The thing for me with 2017 is I describe it as an 'eyes-open stance' we need to take," Durbin says. "We're talking about devices that never ever had security designed into them, devices that are out there gathering information. It's relatively simple to hack into some of these things. We've seen some moves, particularly in the U.S., to encourage IoT manufacturers to engineer some level of security into their devices. But cost is an issue, and they're designed to link."

Durbin believes many organizations are unaware of the scale and penetration of internet-enabled devices and are deploying IoT solutions without due regard to risk management and security. That's not to say organizations should pull away from IoT solutions, but they do need to think about where connected devices are used, what data they have access to and then build security with that understanding in mind.

"Critical infrastructure is one of the key worry areas," Durbin says. "We look at smart cities, industrial control systems — they're all using embedded IoT devices. We have to make sure we are aware of the implications of that."

"You're never going to protect the whole environment, but we're not going to get rid of embedded devices," he adds. "They're already out there. Let's put in some security that allows us to respond and contain as much as possible. We need to be eyes open, realistic about the way we can manage the application of IoT devices."

Crime syndicates take a quantum leap with crime-as-a-service

For years now, Durbin says, criminal syndicates have been operating like startups. But like other successful startups, they've been maturing and have become increasingly sophisticated. In 2017, criminal syndicates will further develop complex hierarchies, partnerships and collaborations that mimic large private sector organizations. This, he says, will facilitate their diversification into new markets and the commoditization of their activities at the global levels.

"I originally described them as entrepreneurial businesses, startups," Durbin says. "What we're seeing is a whole maturing of that space. They've moved from the garage to office blocks with corporate infrastructure. They've become incredibly good at doing things that we're bad at: collaborating, sharing, working with partners to plug gaps in their service."

And for many, it is a service offering. While some organizations have their roots in existing criminal structures, other organizations focus purely on cybercrime, specializing in particular areas ranging from writing malware to hosting services, testing, money mule services and more.

"They're interested in anything that can be monetized," Durbin says. "It doesn't matter whether it's intellectual property or personal details. If there is a market, they will go out and collect that information."

He adds that rogue states take advantage of some of these services and notes the ISF expects the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously.

New regulations bring compliance risks

The ISF believes the number of data breaches will grow in 2017, and so will the volume of compromised records. The data breaches will become far more expensive for organizations of all sizes, Durbin says. The costs will come from traditional areas such as network clean-up and customer notification, but also from newer areas like litigation involving a growing number of partners.

In addition, public opinion will pressure governments around the world to introduce tighter data protection legislation, which in turn will introduce new and unforeseen costs. Reform is already on the horizon in Europe in the form of the EU General Data Protection Regulation (GDPR) and the already-in-effect Network and Information Security Directive. Organizations conducting business in Europe will have to get an immediate handle on what data they are collecting on European individuals, where it's coming from, what it's being used for, where and how it's being stored, who is responsible for it and who has access to it. Organizations that fail to do so and are unable to demonstrate security by design will be subject to potentially massive fines.

"The challenge in 2017 for organizations is going to be two-fold," Durbin says. "First is to keep abreast of the changes in regulations across the many, many jurisdictions you operate in. The second piece is then how do you, if you do have clarity like the GDPR, how do you ensure compliance with that?"

"The scope of it is just so vast," he adds. "You need to completely rethink the way you collect and secure information. If you're an organization that's been doing business for quite some time and is holding personally identifiable information, you need to demonstrate you know where it is at every stage in the lifecycle and that you're protecting it. You need to be taking reasonable steps even with your third party partners. No information commission I've spoken to expects that, come May 2018, every organization is going to be compliant. But you need to be able to demonstrate that you're taking it seriously. That and the nature of the information that goes missing is going to determine the level of fine they levy against you. And these are big, big fines. The scale of fine available is in a completely different realm than anyone is used to."

Brand reputation and trust are a target

In 2017, criminals won't just be targeting personal information and identity theft. Sensitive corporate information and critical infrastructure has a bull's eye painted on it. Your employees, and their ability to recognize security threats and react properly, will determine how this trend affects your organization.

"With attackers more organized, attacks more sophisticated and threats more dangerous, there are greater risks to an organization's reputation than ever before," Durbin says. "In addition, brand reputation and the trust dynamic that exists amongst customers, partners and suppliers have become targets for cybercriminals and hacktivists. The stakes are higher than ever, and we're no longer talking about merely personal information and identity theft. High-level corporate secrets and critical infrastructure are regularly under attack, and businesses need to be aware of the more important trends that have emerged in the past year, as well as those we forecast in the year to come."

While most information security professionals will point to people as the weakest link in an organization's security, that doesn't have to be the case. People can be an organization's strongest security control, Durbin says, but that requires altering how you think about security awareness and training.

Rather than just making people aware of their information security responsibilities and how they should respond, Durbin says the answer is to embed positive information security behaviors that will cause employees to develop "stop and think" behavior and habits.

"2017 is really about organizations having to wake up to the fact that people do not have to be the weakest link in the security chain," Durbin says. "They can be the strongest link if we do better about understanding how people use technology, the psychology of human behavior."

Successfully doing so requires understanding the various risks faced by employees in different roles and tailoring their work processes to embed security processes appropriate to their roles.

New Cybersecurity Guidelines for Medical Devices Tackle Emerging Threats

From: The Verge By: Rachel Becker

Today, the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they’ve entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device — with potentially deadly results.

First issued in draft form last January, this guidance is more than a year in the making. The 30-page document encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable — so they’re largely without teeth.

The FDA has been warning the healthcare industry for years that medical devices are vulnerable to cyberattacks. It’s a legitimate concern: researchers have managed to remotely tamper with devices like defibrillators, pacemakers, and insulin pumps. In 2015, FDA warned hospitals that the Hospira infusion pump, which slowly releases nutrients and medications into a patient’s body, could be accessed and controlled through the hospital’s network. That’s dangerous to patients who could be harmed directly by devices altered to deliver too much or too little medication. It also means poorly-secured devices could give hackers access to hospital networks that store patient information — a situation that’s ripe for identity theft.

“In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety,” says Suzanne Schwartz, the FDA’s associate director for science and strategic partnerships, in a blog post about the new guidelines. “And as hackers become more sophisticated, these cybersecurity risks will evolve.”

The FDA issued an earlier set of recommendations in October 2014, which recommended ways for manufacturers to build cybersecurity protections into medical devices as they’re being designed and developed. Today’s guidance focuses on how to maintain medical device cybersecurity after devices have left the factory. The guidelines lay out steps for recognizing and addressing ongoing vulnerabilities. And they recommend that manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur.

Most patches and updates intended to address security vulnerabilities will be considered routine enhancements, which means manufacturers don’t have to alert the FDA every time they issue one. That is, unless someone dies or is seriously harmed because of a bug — then the manufacturer needs to report it. Dangerous bugs identified before they harm or kill anyone won’t have to be reported to the FDA as long as the manufacturer tells customers and device users about the bug within 30 days, fixes it within 60 days, and shares information about the vulnerability with an ISAO.

This attempt to secure medical devices is just the beginning, says Eric Johnson, a cyber security researcher and dean of the Vanderbilt University business school, in an email to The Verge. The FDA’s Schwartz agrees, writing in a blog post: “This is clearly not the end of what FDA will do to address cybersecurity.”

What 2017 Has In Store for Cybersecurity

From: CSO Online By: Gage Skidmore

There is much uncertainty surrounding the security industry for 2017, and according to experts in the field, a lot of the trepidation is directly connected to what the nation’s next president will do.

Here's what security vendors and analysts are predicting for the year ahead.

John B Wood, CEO of Telos Corporation, cites a need for cooperation between the government and the private sector. President-elect Donald Trump took a break from his “thank you” tour to meet with tech executives to smooth over a contentious time between the two sides during his campaign.

“President-elect Trump has been vocal about the need for a stronger and more aggressive cyber security posture, and I’m confident that he’ll work with leading members of Congress. Many non-political cyber experts throughout the government, various agency CISOs and [Federal Chief Information Security Officer] General Touhill will also be great resources to further refine cyber security policies to protect U.S. interests in the face of constantly changing threats,” Wood said.

He also noted the renewed focus on U.S. Cyber Command. The President-elect has promised to eliminate the threat of defense sequestration and to spend more on the military. “This needs to include working to roll back the budget caps for defense spending and providing additional resources for cyber security, including more money for U.S. Cyber Command, which I believe is grossly underfunded,” Wood added.

Speaking of funding, Wood does not believe that a change of administration will automatically lead to a change in regulatory policy.

“Although there will certainly be a big push by the Trump administration to roll back or modify overly burdensome regulations, I don’t see this affecting cybersecurity regulations, like the NIST Cyber Security Framework that has been developed in consultation with the private sector,” he commented.

Reuven Harrison, CTO and co-founder of Tufin, a provider of network security policy orchestration solutions for enterprise cybersecurity, said the thought of a Trump administration inevitably failing to uphold regulations will keep IT departments tossing and turning at night. “If Trump implements his deregulation promises, and penalties for non-compliance with industry-wide security regulations are relaxed, security teams will need to be self-disciplined to maintain a high level of security by turning to outside resources for security best practices,” he said.

Carson Sweet, co-founder and CTO at CloudPassage, said privacy will take center stage over security.

“Trump’s administration will create a fundamental shift in concerns as it pertains to security. There’s a new sheriff in town, and many posit that he has less regard for privacy concerns than the current administration. Case in point, Trump supported the FBI in its battle with Apple over iPhone privacy and security,” Sweet stated. “If this new administration demonstrates in their policies a value for law enforcement and intelligence access over citizens’ privacy, they’ll double or triple down on the government’s right to inspect data. The impact of such a reality would extend to the use of online services, cloud providers, even personal computing devices and IoT.”

What that impact would be is very hard to know, but it’s safe to bet that it won’t be positive, he said. The wars around PGP and personal encryption come to mind (anyone remember the Clipper chip?).

John Bambenek, threat systems manager at Fidelis Cybersecurity, said he never would have predicted last year that we would be talking about the DNC and hacking of elections.

“Ransomware will be on the upswing and evolve in new unforeseen ways. It will be more targeted and focus on more valuable targets as we saw with healthcare. And it will continue to attack new, more damaging industries like we recently witnessed with San Francisco BART and Muni,” he said.

While 2016 found the election under scrutiny because of alleged hacking by foreign powers, 2017 will continue the trend of identity theft and ransomware.

Forrester predicts that within the first 100 days, the new president will face a cybercrisis. The momentum of winning the election gives new presidents the public's support to follow through on key initiatives of their campaigns. However, the 45th president will lose that momentum coming into office by finding the administration facing a cybersecurity incident.

Forrester suggests that the administration prepare for nation-states and ideologies looking to disrupt and degrade. They believe the U.S. should be on the lookout for China, North Korea and Iran.

“Political ideologies use electronic means to both recruit and spread information. DDoS attacks using IoT devices are becoming a common means of disrupting operations for companies or individuals that threat actors disagree with. A company can become a target not just because of its size or global presence but also because of its political donations or public statements. If you’ve never factored geopolitical concerns into your security risk analysis, you ignore them at your own firm’s peril.”

Civilian “casualties” in the Cyber Cold War

Corey Nachreiner, CTO at WatchGuard Technologies, follows Forrester’s way of thinking. “Whether you know it or not, the cyber cold war has started. Nation-states, including U.S., Russia, Israel, and China, have all started both offensive and defensive cyber security operations. Nation-states have allegedly launched malware that damaged nuclear centrifuges, stolen intellectual property from private companies, and even breached other governments' confidential systems. Countries are hacking for espionage, crime investigation, and even to spread propaganda and disinformation.”


He believes 2017 will be much the same: behind the scenes, nation-states have been leveraging undiscovered vulnerabilities in their attacks, suggesting that these countries have been finding, purchasing, and hoarding zero-day flaws in software to power their future cyber campaigns.

“In other words, the nation-state cyber cold war is an arms race to discover and hoard software vulnerabilities — often ones in the private software we all use every day,” he said.


Experts Predict 2017's Biggest Cybersecurity Threats

If 2016 was the year hacking went mainstream, 2017 will be the year hackers innovate, said Adam Meyer, chief security strategist at SurfWatch Labs. Meyer analyzes large and diverse piles of data to help companies identify emerging cyber-threat trends. "2017 will be the year of increasingly creative [hacks]," he said. In the past, cybersecurity was considered the realm of IT departments, Meyer explained, but no longer. As smart companies systematically integrate security into their systems, hacker culture, too, will evolve.

"Cybercriminals follow the money trail," Meyer said, and smart companies should adopt proactive policies. Ransomware attacks grew quickly, he said, because the attacks are "cheap to operate, and many organizations are not yet applying the proper analysis and decision-making to appropriately defend against this threat."


It's equally cheap to identify internal vulnerability to hacks and to apply preventative best practices, Meyer said. But for many companies it's not as easy to understand the cybersecurity threats most likely to impact business. To help, TechRepublic spoke with a number of prominent security experts about their predictions for near-future cybersecurity trends likely to impact enterprise and small business in 2017.

Cyber-offense and cyber-defense capacities will increase - Mark Testoni, CEO at SAP's national security arm, NS2

We will see an increased rate of sharing of cyber capabilities between the commercial and government spaces. Commercial threat intelligence capabilities will be adopted more broadly by organizations and corporations... High performance computing (HPC), in conjunction with adaptive machine learning (ML) capabilities, will be an essential part of network flow processing because forensic analysis can't stop an impending attack. HPC + adaptive ML capabilities will be required to implement real-time network event forecasting based on prior network behavior and current network operations... [Companies will] use HPC and adaptive ML to implement real-time behavior and pattern analysis to evaluate all network activity based on individual user roles and responsibilities to identify potential individuals within an organization that exhibit "out of the ordinary" tendencies with respect to their use of corporate data and application access.

Ransomware and extortion will increase - Stephen Gates, chief research intelligence analyst at NSFOCUS

The days of single-target ransomware will soon be a thing of the past. Next-generation ransomware paints a pretty dark picture as the self-propagating worms of the past, such as Conficker, Nimda, and Code Red, will return to prominence—but this time they will carry ransomware payloads capable of infecting hundreds of machines in an incredibly short timespan. We have already seen this start to come to fruition with the recent attack on the San Francisco Municipal Transport Agency, where over 2,000 systems were completely locked with ransomware and likely spread on its own as a self-propagating worm. As cybercriminals become more adept at carrying out these tactics, there is a good chance that these attacks will become more common.

Industrial IoT hacks will increase - Adam Meyer, chief security strategist at SurfWatch Labs

As more devices become internet-enabled and accessible and the security measures in place continue to lag behind, the associated risks are on the rise. Aside from the obvious risks for attacks on consumer IoT devices, there is a growing threat against industrial and municipal IoT as well. As leading manufacturers and grid power producers transition to Industry 4.0, sufficient safeguards are lacking. Not only do these IoT devices run the risk of being used to attack others, but their vulnerabilities leave them open to being used against the industrial organizations operating critical infrastructure themselves. This can lead to theft of intellectual property, collecting competitive intelligence, and even the disruption or destruction of critical infrastructure. Not only is the potential scale of these attacks larger, most of these industrial firms do not have the skills in place to deal with web attacks in real-time, which can cause long-lasting, damaging results. This alone will become one of the greatest threats that countries and corporations need to brace themselves for in 2017 and beyond.

Internal threats will increase - James Maude, senior security engineer at Avecto

As organizations adopt more effective strategies to defeat malware, attackers will shift their approach and start to use legitimate credentials and software - think physical insiders, credential theft, man-in-the-app. The increased targeting of social media and personal email bypasses many network defenses, like email scans and URL filters. The most dangerous aspect is how attackers manipulate victims with offers or threats that they would not want to present to an employer, like employment offers or illicit content. Defenders will begin to appreciate that inconsistent user behaviors are the most effective way to differentiate malware and insider threats from safe and acceptable content.


A big part of the challenge with cyberattacks is how businesses think threats can be filtered at the perimeter. Be warned that this is not the case. Attackers are aware of how to directly target users and endpoints using social engineering. The industry needs to be more proactive in thinking about how to reduce the attack surface, as opposed to chasing known threats and detecting millions of unknown threats. With an increasingly mobile workforce and threats coming through both personal and business devices and services, the impact of perimeter defenses has decreased. Security needs to be built from the endpoint outwards.

Business security spending will increase - Ed Solis, Director of Strategy & Business Development at CommScope

Security is part of every business and IT discussion these days and it will only become more intense in 2017. We see an increase in the demand for video for surveillance, both for government and private businesses. This issue includes physical security—securing the building, people, and assets—as well as network and data security... In 2017, security conversations will continue to intensify around not only securing data and networks but physical security as well: think buildings, people, and assets. We also expect to see an increased demand for video surveillance across the public sector and private business.


Security will no longer be an afterthought - Zane Lackey, co-founder and chief security officer at Signal Sciences

2017 will be a critical year for security, starting with how it's built into technology. DevOps and security will change the way they work together as they realize the need to integrate with each other in order to survive. With IoT on the rise, security will continue to be the primary obstacle preventing consumers from fully welcoming connected devices into their homes and lifestyles. Consumers and businesses are getting smarter and security vendors will be held more accountable in keeping them safe.


When Antivirus Fails, What to Choose to Help

From: Securitybrief NZ by: Kane Lightowler http://bit.ly/2hplRiD

The ineffectiveness of traditional antivirus (AV), which catches less than half of noteworthy malicious events, is causing untold damage to organisations worldwide. The harm is unnecessary, as next-generation antivirus (NGAV), the natural evolution of AV, will protect computers from the full spectrum of modern cyber attacks.

So let us re-think endpoint defences and provide a checklist of items to consider while making the decision to transition to NGAV.

Traditional antivirus was designed and built before the cybercrime explosion, and before tools and techniques began changing at today's speed. Modern attacks often use techniques that leverage built-in tools and scripts, quite different from the days when attacks were almost always malicious binaries.

Beyond considering the kinds of attacks, organisations need the ability to protect themselves quickly rather than waiting for their vendor to push out signatures, hoping that the endpoints receive an update before that malicious email lands in employees’ inboxes.

To reduce cyber risk, IT needs an endpoint-security approach that goes beyond malware and incorporates next-generation features that target the tactics, techniques and procedures frequently used by both mass scale opportunistic attackers and advanced threats specifically targeting an organisation.

The following checklist will help IT to assess the capabilities of a current antivirus solution and provide guidance for migrating to a more mature posture. While an organisation might have unique requirements or constraints, the list will ease their shift to next-generation anti-virus.

#1 Full range of protection

Modern attackers generate malware faster than traditional AV stops it. They are mastering techniques that don’t even require malware. An endpoint security solution should protect against all attacks, not just threats that involve running a malicious executable. Beyond the initial execution blocks, there should be strong protection against particularly useful adversarial techniques like thread injection and RAM scraping.

In evaluating an NGAV solution, make sure it protects against:

Known malware and variants, including malware-based ransomware; obfuscated, evasive or previously unknown malware; compromised (exploited) legitimate software (Flash, Silverlight, etc.); malicious scripts and interpreted code such as PowerShell, Visual Basic, Perl, Python and Java; memory-resident and file-less attacks; document-based attacks (PDFs and macros); and remote login attacks and the malicious use of valid software (living off the land).

#2 Extensible cloud security intelligence and analytics

As attackers evolve and adapt their tactics and techniques, organisations need to employ new analytic capabilities and attack intelligence to properly defend themselves – without having to redeploy security infrastructure. An NGAV should feature:

A cloud backend for high-powered analysis and the application of vendor intelligence; multiple inspection engines that focus on reputation, behaviour and event relationships; configurable detection sensitivities to prioritise important events and reduce unnecessary alerting; open and extensible threat feeds for third-party attack intelligence and for leveraging security investments already made; and community-based intelligence sharing, with the network effect of benefiting from attacks other users witness.

#3 Visibility and context into attack and detection events

After an attack attempt, IT needs to understand what happened so they can contain and control the situation, prevent further damage and improve the overall security posture. The right context helps to do all that quickly and easily. If each attack doesn’t make for stronger defence, we recommend a reconsideration of IT’s approach. An NGAV solution should provide:

Insight into how the threat started, even before it was detected (root cause); visibility into where else in the organisation the threat might exist (scope); guidance on what is needed to recover and how to close gaps (education and maturity); and data sharing within the ecosystem (SIEM, etc.) (integration and automation).

#4 Integrated rapid-response

Not every attack can be prevented. Skilled attackers can use stolen credentials and native system tools such as PowerShell to infiltrate a machine without using malware. These attacks can still be detected, and when they are IT needs to be able to respond quickly.

An NGAV solution should make it easy to: delete malware or temporary files across the organisation; stop network activity for a specific process; quarantine a system and isolate it from the network; and blacklist files from executing anywhere in the environment.
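To make the checklist's "root cause" and "scope" items concrete, here is an added Python illustration that is not from the Securitybrief article or any vendor's product: a toy detection pass over a handful of constructed process-creation events. It flags the two script-based patterns the checklist mentions (an Office application spawning a script interpreter, and an encoded PowerShell command line), walks the parent chain back to the process that started it all, and pivots on the hashes of anything dropped under the flagged process to find other hosts where the same file ran. The host names and hashes are placeholders, the allowlist of "known-good" hashes is assumed, and the encoded command simply decodes to the word "Sample".

```python
"""Toy endpoint triage over constructed process-creation telemetry.

Added example (not the article's or any vendor's code). Demonstrates:
  - detection of document-based and encoded-PowerShell activity,
  - root-cause reconstruction by walking the parent chain,
  - scoping across hosts by pivoting on hashes seen under the flagged process.
"""
import re
from collections import defaultdict

# Constructed sample events: (host, pid, ppid, image, command line, sha256).
# All host names and hashes are made-up placeholders, not real indicators.
# The base64 blob decodes (UTF-16LE) to the harmless word "Sample".
EVENTS = [
    ("WS01", 400, 1,   "explorer.exe",   "explorer.exe",                         "sha-explorer"),
    ("WS01", 812, 400, "winword.exe",    "winword.exe invoice.docm",             "sha-word"),
    ("WS01", 910, 812, "powershell.exe", "powershell.exe -NoProfile -EncodedCommand UwBhAG0AcABsAGUA", "sha-ps"),
    ("WS01", 955, 910, "updater.exe",    "updater.exe",                          "sha-aaaa"),
    ("WS02", 300, 1,   "explorer.exe",   "explorer.exe",                         "sha-explorer"),
    ("WS02", 640, 300, "updater.exe",    "updater.exe",                          "sha-aaaa"),
    ("WS03", 700, 1,   "services.exe",   "services.exe",                         "sha-services"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts abbreviated forms of -EncodedCommand; match the common ones.
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)
# Assumed allowlist: hashes of signed OS/Office binaries that should not be used
# for scoping, because they run on every host anyway.
KNOWN_GOOD = {"sha-explorer", "sha-services", "sha-word", "sha-ps"}


def detect(events):
    """Return (host, pid, reason) for every event matching one of two rules."""
    image_of = {(h, pid): image for h, pid, _, image, _, _ in events}
    findings = []
    for host, pid, ppid, image, cmd, _ in events:
        parent_image = image_of.get((host, ppid), "")
        # Rule 1: a document-based attack usually shows up as Office -> interpreter.
        if parent_image in OFFICE and image in INTERPRETERS:
            findings.append((host, pid, f"document-based attack: {parent_image} spawned {image}"))
        # Rule 2: encoded command lines are a strong signal for script-based attacks.
        if image == "powershell.exe" and ENCODED.search(cmd):
            findings.append((host, pid, "encoded PowerShell command line"))
    return findings


def root_cause(events, host, pid):
    """Walk the parent chain upward; the returned list starts at the root process."""
    parent_of = {(h, p): (pp, image) for h, p, pp, image, _, _ in events}
    chain = []
    key = (host, pid)
    while key in parent_of:
        ppid, image = parent_of[key]
        chain.append(image)
        key = (host, ppid)
    return list(reversed(chain))


def scope(events, host, pid):
    """Hosts on which any non-allowlisted hash from the flagged process's subtree ran."""
    children = defaultdict(list)
    hash_of = {}
    for h, p, pp, _, _, sha in events:
        children[(h, pp)].append(p)
        hash_of[(h, p)] = sha
    # Depth-first collection of hashes in the subtree rooted at (host, pid).
    subtree_hashes = set()
    stack = [pid]
    while stack:
        p = stack.pop()
        subtree_hashes.add(hash_of[(host, p)])
        stack.extend(children[(host, p)])
    pivot = subtree_hashes - KNOWN_GOOD
    return sorted({h for (h, _), sha in hash_of.items() if sha in pivot})


if __name__ == "__main__":
    for host, pid, reason in detect(EVENTS):
        print(f"{host} pid {pid}: {reason}")
        print("  root cause:", " -> ".join(root_cause(EVENTS, host, pid)))
        print("  scope:", scope(EVENTS, host, pid))
```

Running it reports the PowerShell process on WS01 twice (once per rule), reconstructs the chain explorer.exe -> winword.exe -> powershell.exe, and scopes the dropped updater.exe to both WS01 and WS02, which is exactly the "where else does this exist" question the checklist asks an NGAV to answer. The allowlist matters: without it, pivoting on the powershell.exe hash would flag every host that ever ran PowerShell.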

#5 Lightweight operations

We have all experienced antivirus grinding our computer to a halt while it scans the drive. Thankfully, those days are gone. Next-generation antivirus should be lightweight on the system and easy to administer so it doesn’t slow users down.

#6 A platform that grows with assets, users, systems and teams

Different assets require different strategies for protection. Servers, for example, don’t change often and have highly restrictive protection policies. Meanwhile, developers need more flexibility. A solution should adapt to the organisation’s needs and be part of a platform that provides a growth path to a better security posture over time.

An NGAV should be part of a platform that provides: group-based policy that applies different security strategies to different systems; an upgrade path to advanced incident response and threat hunting for SOCs and IR teams; an upgrade path to default-deny and lockdown policies for sensitive or high-risk systems; and an upgrade path to app control, device control, and file integrity monitoring for servers and critical systems.
