Taking A Holistic Viewpoint On Enterprise Cyber Safety

Mitigate Deeper Issues Rather Than Bandaging Symptoms

In cyber safety, sometimes short-term fixes are used without in-depth analysis into the root cause of the issue.

An organization feels certain symptoms—numerous vulnerabilities on systems or poor cyber practices of people within their organization—and often looks to bandage solutions such as tools and technologies to fix its issues, without conducting a truly in-depth analysis of what these symptoms might reveal regarding underlying causes.

Instead of thinking about what can be done to mitigate the deeper issues, the focus is just on the immediate symptoms.

Getting At The Root Cause

Thankfully, there is a common strategy for getting to the heart of the issue: a holistic, integrative approach. First, perform a root-cause analysis of the factors that create the symptoms; then determine the best response by taking a holistic view of what is needed and integrating a variety of aspects into a well-designed solution.

Let me break this into smaller parts specifically in the example of a healthcare organization that is concerned about cyber safety. Using the mind-body-energy connection that is well known in the healthcare field, for the “mind” aspect, let’s consider the mindset of an organization, its leaders, and its staff. How is cyber safety and security regarded in the organization? Is it thought of as a barrier to the mission, or an enabler of the mission? Do all the roles, stakeholders, users, and leaders look only to the CISO or their teams to solve their cyber gaps, or do they feel that everyone has a role in cyber?

In this example, an organization’s tools and technologies stand in for the “body” aspect. Is each tool an organization deploys truly analyzed for all the capabilities it offers? How many of a tool’s functions are actually being used? How many tools does the organization have that all seem to do similar things, and how effective are they? Are the tools and the results they achieve measured against a standard baseline for effectiveness or efficiency?

Building A Culture That Supports Cyber Safety

For the largest and most important aspect of this connection, let’s look at the “energy” or culture of the organization. The energy of the organization is the culture, which always starts with its leadership. Are diversity and inclusion factored into the organization, including its cyber teams? What is the level of social and emotional maturity within the organization and its people? Are staff provided with training and opportunities to learn emotional intelligence or interpersonal communication skills? Is there freedom to innovate and bring creativity into the workplace? Last but not least, are staff empowered to do the right thing even when no one is watching?

All of these aspects make up a robust and comprehensive cyber safety program in any organization:

  • Empowering people with the right skills, knowledge, support, and opportunities and embedding cyber into everyone’s roles;
  • Looking at technical solutions using a holistic view to truly provide effective and impactful solutions (instead of bandage solutions);
  • And taking a community-centered approach to cyber within an organization and between organizations so that everyone understands their role in protecting and safeguarding the mission.

There are many ways to ensure that cyber is factored into every aspect of an organization. We must include security in every step of a system’s lifecycle. Systems include anything that is purchased that is considered “IT,” such as computerized systems, medical instruments/devices, applications, networks, servers, workstations, etc. Cyber security reviews and analysis must be built into the procedures starting from the acquisition stage, through implementation and operation, and at the disposition stage. This will ensure that security concerns and risks are captured and mitigated from the beginning all the way through the end and help avoid sudden surprises and reactive measures.

Another aspect of embedding cyber into everyone’s roles is making sure that each role within an organization is properly trained on how to do its job in a secure manner, is given opportunities to learn on the job, and also has opportunities for commercial training.

Taking A Bird’s Eye View

Lastly, as technology progresses and gets more complex, we must take a moment to pause and step back to look at things from a holistic viewpoint. Too often, people are running towards the next newest thing or the next “shiny” tool or technology that everyone else is using, assuming that it will be a magic bullet or cure for all the concerns. It will be in our best interest as healthcare organizations to take a step back and look at the big picture, to dig deep and find the root causes of our concerns so that we can truly effect positive changes in cyber throughout our organizations.



4 Reasons Why Passwords Are Becoming A Thing Of The Past

Passwordless Authentication Is Enabler Of The Future

The platform economy is changing how companies interact with customers. Enterprises need to connect with their customers efficiently to successfully and rapidly match the latter’s wants and needs with services and products. Being able to authenticate users to enable efficient and effective interaction with organizations is vital to business strategies of the future.

Password-based consumer authentication was initially designed for employees, not customers or clients. User experience was not a concern. Today, in the age of fingerprint readers and facial recognition, people expect a seamless customer experience, and passwords are becoming a key factor in poor customer retention rates. Furthermore, from setup to reset and decommission, password management is costing companies millions of dollars per year.

In terms of cybersecurity, weak password management is central to the entire criminal ecosystem. Passwords are difficult to secure and most cyber breaches stem from weak or stolen passwords. A breach of a single platform can impact millions of individuals and interconnected enterprises. Credential stuffing attacks, where criminals use stolen credentials leaked and shared online, represent nine in 10 login attempts on major retail sites.

Digital trust is a precondition for unlocking the promise of the platform economy. The World Economic Forum Centre for Cybersecurity is actively working to improve authentication, a pillar of cybersecurity, to ensure a secure digital future for everyone. In collaboration with the FIDO Alliance, the World Economic Forum has launched a white paper on Passwordless Authentication: The next breakthrough in secure digital transformation, which proposes six core principles for transition to a password-free future. Here’s why:

Better User Experience

Authentication is the entry point to an online service. Passwordless authentication replicates how people in the real world recognize one another by using techniques such as biometrics, based on inherent physical attributes or who we are. It is customer-centric and eliminates issues such as the common struggle of typing complex passwords on a foreign keyboard. In the near future, users will be able to authenticate onto any platform via the devices they carry with them everywhere. Ultimately, an enhanced user-centric experience also results in stronger security, as users are much less likely to try circumventing cumbersome processes.

Robust Security

Login credentials to bank or social media accounts are on sale on the dark web for as little as $7. This is not just an issue for the individual user whose identity has been compromised – the unchecked rise of digital criminal activity is driving global cybercrime to unprecedented levels, and is undermining trust in government institutions. The digital economy is also enabling new waves of serious organized crime.

Passwordless authentication eliminates a long list of attack vectors, from credential stuffing to phishing attacks. When companies transition to new authentication solutions, they reduce their exposure to data breaches. Passwordless solutions require no personal information to be stored or transmitted over the internet; the risk of online fraud and identity theft is therefore greatly reduced. Furthermore, most passwordless authentication leverages two distinct authentication factors, providing more robust security guarantees than a single password.
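As an added illustration (not part of the original article or of any FIDO Alliance code), the Go program below models the relying-party side of a FIDO-style passwordless login: the server stores only a public key, issues a single-use random challenge, and rejects an assertion that was signed for a different origin, which is what removes credential stuffing and phishing as attack vectors. The RP ID `bank.example`, the look-alike `bank-login.example`, the user `alice` and the use of Ed25519 are assumptions for the example; real WebAuthn signs a richer structure than the one shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. The private key never leaves it; the
// local biometric or PIN that unlocks it is assumed and not modelled here.
type Authenticator struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Assertion is the device's signed answer to one login challenge.
type Assertion struct {
	RPIDHash  [32]byte // hash of the origin the device was asked to sign for
	Challenge []byte
	Signature []byte
}

// RelyingParty is the server: per-user public keys (nothing a breach could replay) and issued, unused challenges.
type RelyingParty struct {
	ID         string
	creds      map[string]ed25519.PublicKey
	challenges map[string]bool
}

func NewAuthenticator() (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{pub: pub, priv: priv}, nil
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

// signedData is the byte layout both sides agree on: rpIDHash || challenge.
func signedData(rpIDHash [32]byte, challenge []byte) []byte {
	return append(append([]byte{}, rpIDHash[:]...), challenge...)
}

func (rp *RelyingParty) Register(user string, a *Authenticator) {
	rp.creds[user] = a.pub // only the public key is stored; no secret is shared with the server
}

// NewChallenge issues a fresh random challenge that may be consumed exactly once.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[string(c)] = true
	return c, nil
}

// Sign answers a challenge for the origin the browser reports. A real FIDO authenticator scopes keys
// per RP ID and would find no key for a look-alike domain; signing anyway makes the RP-side rejection visible.
func (a *Authenticator) Sign(origin string, challenge []byte) Assertion {
	h := sha256.Sum256([]byte(origin))
	return Assertion{RPIDHash: h, Challenge: challenge, Signature: ed25519.Sign(a.priv, signedData(h, challenge))}
}

// Verify applies the RP checks in order: the challenge was issued and is unused
// (no replay), the assertion is bound to this RP ID (an assertion relayed from a
// phishing page fails here), and the signature verifies under the stored key.
func (rp *RelyingParty) Verify(user string, as Assertion) error {
	pub, ok := rp.creds[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !rp.challenges[string(as.Challenge)] {
		return errors.New("challenge not issued or already used")
	}
	delete(rp.challenges, string(as.Challenge))
	if as.RPIDHash != sha256.Sum256([]byte(rp.ID)) {
		return errors.New("assertion bound to a different origin")
	}
	if !ed25519.Verify(pub, signedData(as.RPIDHash, as.Challenge), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("bank.example")
	dev, _ := NewAuthenticator()
	rp.Register("alice", dev)
	c, _ := rp.NewChallenge()
	fmt.Println("genuine login:", rp.Verify("alice", dev.Sign("bank.example", c)))
	c, _ = rp.NewChallenge()
	fmt.Println("relayed via phishing page:", rp.Verify("alice", dev.Sign("bank-login.example", c)))
}
```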

Improved Interoperability

The interoperability of authentication solutions unlocks value. Interoperability allows new users to access certain services, existing users to transact more broadly and digital services to offer their users new ways to transact. Applying a standards-based approach means that the implementation work is largely completed, and service providers can get started faster on their path to passwordless authentication. It greatly reduces development time and unlocks access to new markets that are adopting certified solutions. It allows for international compatibility and expansion.

Regulations such as GDPR impact businesses serving European users, regardless of where the business is registered. Passwordless authentication facilitates compliance with such international regulations, which is key to expanding digital businesses across geographies.

Reduced Costs

Enterprises often struggle to balance security with business realities. Not only does passwordless authentication improve security, the user experience and interoperability, it reduces business costs and improves revenues by boosting productivity and brand perception.

According to a recent survey, employees spend more than 10 hours each year managing their passwords. This represents over $5 million a year for a company of 15,000 employees. With standards such as those developed by the FIDO Alliance, password administration is significantly simplified – and, most notably, cuts costs associated with call centres. Two and a half months is the average time that company IT staff spend resetting internal passwords, at an estimated cost of up to $70 per password reset. One study found out that businesses spend $1 million annually in helpdesk costs alone to deal with password resets.

Looking at global cyber-risks, 4 in 5 breaches involve weak or stolen passwords, and the average cost of every breach is $3.92 million. When there are no passwords for criminals to steal, the possibility of illegitimate access to a company’s networks is significantly reduced, which translates into lower insurance premiums.

The parameters of authentication are much broader than passwords alone. Accurate and reliable authentication is the essential foundation of digital trust. It is an enabler of cybersecurity in the digital economy and of the Fourth Industrial Revolution. In other words, passwordless authentication is an enabler of the future.

Source: https://www.cshub.com/security-strategy/articles/world-economic-forum-4-reasons-why-passwords-are-becoming-a-thing-of-the-past


The Immediate Impact Of AI In The Security Operations Center (SOC)

Artificial intelligence (AI) is poised to make rapid advancements and its impact is already being felt in many aspects of the enterprise organization.

And no surprise, cyber-attackers are leveraging machine learning and other AI-related technologies to carry out more frequent and more sophisticated attacks.

As these technologies proliferate, however, the dilemma becomes how the tools can shape the future of cyber security – and specific practices as they relate to the enterprise. For example, will AI streamline incident response and pare down the exorbitant number of notifications that a security team fields on a daily basis?

AI resources will likely enhance enterprise and consumer security, and change the tech ecosystem. But what role does the InfoSec officer play in this digitally augmented world? Where do the needs of each intersect and how will that shape cyber security’s trajectory?

Is Machine Learning Mature Enough For Mission-Critical Enterprise Workflows?

While AI is the glossy new solution that C-level executives may be after, it is still embryonic and in proof-of-concept stage even in the most tech-savvy organizations. How quickly will that phase change, and progress toward more uniformity?

Basic automation tools are capable of gathering and organizing data into reports that human agents can then use to forecast and plan. With machine learning, that data can be analyzed by AI at a rate of speed and accuracy far greater than humans are capable of. The analysis and actions taken maintain a human-in-the-loop process. In the end, automation is helping humans make data-driven and more accurate business decisions.

Despite some glowing reviews of AI projections in the workspace, the technology must still evolve and advance. It is accompanied by a plethora of challenges, some of which include the security team’s knowledge base and the prospect of data overload.

Market Report Describes Crossover Opportunity

Cyber Security Hub developed a special report to dissect this crossover – between today’s AI solutions and their immediate impact within the security operations center (SOC). AI and machine learning capabilities beyond the cyber security sphere may have already encountered rapid growth (automation, weapons guidance, threat intelligence, etc.), but as it stands within the enterprise, they currently augment existing controls, reduce overhead and serve as an added layer of defense that sits behind various other tools.

Read the full market report, “Cyber Security & AI: Intersecting Needs With Innovation,” for no cost. The report discusses the need for AI in cyber security, accepting change in process and mindset with data-driven insights, and the road ahead for use of AI in both offensive and defensive security activities.



The Value Of Separating Compliance And Enterprise Cyber Security Goals

The General Data Protection Regulation (GDPR), a mandate from the European Union (EU), went into effect May 25, 2018. The regulation is comprehensive in how it governs data protection and information security practices at the enterprise level. Somewhat similar opt-out legislation, the California Consumer Privacy Act (CCPA), went into effect January 1, 2020.

Those who are not compliant with these laws run the risk of steep fines. To provide some background on the GDPR, Cyber Security Hub created a market report offering end-user “best practices” and stacking GDPR up against other international compliance measures. Further, it provides insight on separating compliance measures from technical, security-driven events in the enterprise.

Cooperation Is Key To Data Privacy Transformation

While the GDPR reveals numerous challenges for multinational organizations, it underscores the importance of interdepartmental communication and cooperation.

Due to its broad scope, GDPR requires “complete transformation” within the organization. Data privacy and cyber security law expert Jamal Hartenstein said, “Cooperation and engagement of senior management, and forming the right team will be key to successful GDPR maturity.”

As its effects trickle down to various business units, different departments may need to document a process-flow diagram of how data traverses their enterprise, Hartenstein said.

The broad nature of the regulation demands attention from customer service technicians, network management employees, public affairs, backup and disaster recovery employees, the legal department, and more.

Similarly, Glenda Lopez, Director of Global Risk and Compliance at The Henry M. Jackson Foundation for the Advancement of Military Medicine said that “the overall culture of an organization embracing security and the rapid changes is key.”

She continued: “People, process and technology are crucial to maturity as security has tentacles and touches everything within an enterprise. Security practices should not be siloed. It has been and always will be an enterprise-wide job and involves the entire organization.”

Compliance Versus Security

With the expanding workload of today’s chief information security officer (CISO) and other members of the security team, it’s tough to draw a line in the sand between security operations and compliance measures. In order to be compliant, one must have a calculated security posture.

In order to be tightly buttoned-up, one must be compliant with the governing frameworks and mandates. In order to reach both optimal security and compliance, one must thoroughly understand the organization’s risk profile.

This is a complex and evolving territory in the security space – and it extends far past the CISO, up the corporate ladder to the board and even employee base.

Still, Hartenstein advocated a careful delineation between the two. He said that compliance measures and technical, security-driven events are not of similar inception. Compliance measures check off regulatory check boxes. Conversely, security-driven events are applicable to enterprises even without exposure to compliance laws.

“It’s not safe to assume or associate ‘compliance measures’ with what would be adequate technical security to protect either your prized data, or consumer data,” Hartenstein said. “The difference is that regulatory bodies are indeed in place to protect consumer data. Compliance exists as a floor, a minimal standard, a barrier to entry. Technical, security-driven events in an enterprise should be aimed to surpass (not just meet) the bar that regulators set.”

Separating Security And Compliance Goals

The cyber expert warned against approaching security and compliance under the same strategic goal or business objective.

While objectives for the two seem outwardly similar, they are vastly different at the organizational level. “Compliance measures may limit your liability in court or mitigate the threat of litigation, while technical security measures are aimed to actually protect your data or address risks unique to your enterprise.” For strategic planning purposes, the two must be firmly distinguishable.



Hackers are making personalised ransomware to target the most profitable and vulnerable

Once a piece of ransomware has got hold of your valuable information, there is very little you can do to get it back other than accede to the attacker’s demands. Ransomware, a type of malware that holds a computer to ransom, has become particularly prevalent in the past few years and virtually unbreakable encryption has made it an even more powerful force.

Ransomware is typically delivered by powerful botnets used to send out millions of malicious emails to randomly targeted victims. These aim to extort relatively small amounts of money (normally £300-£500, but more in recent times) from as many victims as possible. But according to police officers we have interviewed from UK cyber crime units, ransomware attacks are becoming increasingly targeted at high-value victims. These are usually businesses that can afford to pay very large sums of money, up to £1,000,000 to get their data back.

In 2017 and 2018 there was a rise in such targeted ransomware attacks on UK businesses. Attackers increasingly use software to search for vulnerable computers and servers and then use various techniques to penetrate them. Most commonly, perpetrators use brute force attacks (using software to repeatedly try different passwords to find the right one), often on systems that let you operate computers remotely.

If the attackers gain access, they will try to infect other machines on the network and gather essential information about the company’s business operations, IT infrastructure and further potential vulnerabilities. Such vulnerabilities include networks that are not effectively segregated into different parts, networks that are not designed in a way that makes them easy to monitor (poor network visibility), and weak administration passwords.

They then upload the ransomware, which encrypts valuable data and sends a ransom note. Using information such as the firm’s size, turnover and profits, the attackers will then estimate the amount the company can afford and tailor their ransom demand accordingly. Payment is typically requested in cryptocurrency, usually between 35 and 100 bitcoins.

According to the police officers we spoke to, another popular attack method is “spear phishing” or “big game hunting”. This involves researching specific people who handle finances in a company and sending them an email that pretends to be from another employee. The email will fabricate a story that encourages the recipient to open an attachment, normally a Word or Excel document containing malicious code.

These kinds of targeted attacks are typically carried out by professional groups solely motivated by profit, though some attacks seek to disrupt businesses or infrastructure. These criminal groups are highly organised and their activities constantly evolve. They are methodical, meticulous and creative in extorting money.

For example, traditional ransomware attacks ask for a fixed amount as part of an initial intimidating message, sometimes accompanied by a countdown clock. But in more targeted attacks, perpetrators typically drop a “proof of life” file onto the victim’s computer to demonstrate that they control the data. They will also send contact and payment details for release of the data, but also open up a tough negotiation process, which is sometimes automated, to extract as much money as possible.

According to the police, the criminals usually prefer to target fully-digitized businesses that rely highly on IT and data. They tend to favor small and medium-sized companies and avoid large corporations that have more advanced security. Big firms are also more likely to attract media attention, which could lead to increased police interest and significant disruptions to the criminal operations.

How to protect yourself

So what can be done to fight back against these attacks? Our work is part of the multi-university research project EMPHASIS, which studies the economic, social and psychological impact of ransomware. (As yet unpublished) data collected by EMPHASIS indicates that weak cyber security in the affected organisations is the main reason why cyber criminals have been so successful in extorting money from them.

One way to improve this situation would be to better protect remote computer access. This could be done by disabling remote access when it is not in use, by using stronger passwords and two-step authentication (where a second, specially generated code is needed to log in alongside a password), or alternatively by switching to a virtual private network, which connects machines via the internet as if they were in a private network.

Email filters and anti-virus software containing dedicated ransomware protection are vital. Companies should also regularly back up their data so it doesn’t matter if someone seizes the original. Backups must be tested and stored in locations that are inaccessible to ransomware.

These kinds of controls are crucial because ransomware attacks tend to leave very little evidence and so are inherently difficult to investigate. As such, targeted ransomware attacks are not going to stop any time soon, and attackers are only likely to get more sophisticated in their methods. Attackers are highly adaptive, so companies will have to respond just as smartly.
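The brute-force pattern the police officers describe (repeated password guesses against remote access) is the kind of thing the protective controls above should be paired with monitoring for. As an added example (constructed here, not code from the article or the EMPHASIS project), the Go program below counts failed remote logins per source address inside a sliding window over sshd-style log lines and also reports how many distinct accounts were tried; the sample log, host names and addresses are all constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed excerpt in OpenSSH syslog format; the host names and
// addresses are documentation values, not real systems.
const sampleLog = `Mar  3 02:14:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 02:14:03 gw sshd[2203]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  3 02:14:06 gw sshd[2205]: Failed password for invalid user admin from 203.0.113.9 port 51041 ssh2
Mar  3 02:14:09 gw sshd[2207]: Failed password for invalid user test from 203.0.113.9 port 51050 ssh2
Mar  3 02:14:12 gw sshd[2209]: Failed password for root from 203.0.113.9 port 51058 ssh2
Mar  3 02:14:15 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51063 ssh2
Mar  3 02:30:44 gw sshd[2300]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Mar  3 02:31:02 gw sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
Mar  3 03:41:19 gw sshd[2410]: Failed password for alice from 198.51.100.7 port 40120 ssh2`

var failedRe = regexp.MustCompile(
	`^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port`)

// Attempt is one failed remote login.
type Attempt struct {
	When   time.Time
	User   string
	Source string
}

// Finding describes a source address that exceeded the failure threshold.
type Finding struct {
	Source        string
	Failures      int // most failures seen inside any single window
	DistinctUsers int // more than one suggests password spraying, not a single account
}

// ParseFailedLogins extracts failed-password events and ignores everything else.
// Syslog timestamps carry no year, so times only compare within one file.
func ParseFailedLogins(log string) []Attempt {
	var out []Attempt
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := failedRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		ts, err := time.Parse("Jan _2 15:04:05", m[1])
		if err != nil {
			continue
		}
		out = append(out, Attempt{When: ts, User: m[2], Source: m[3]})
	}
	return out
}

// DetectBruteForce flags any source with at least threshold failures inside a
// sliding window of the given length; two failures an hour apart never trigger.
func DetectBruteForce(attempts []Attempt, window time.Duration, threshold int) []Finding {
	bySource := map[string][]Attempt{}
	for _, a := range attempts {
		bySource[a.Source] = append(bySource[a.Source], a)
	}
	var findings []Finding
	for src, list := range bySource {
		sort.Slice(list, func(i, j int) bool { return list[i].When.Before(list[j].When) })
		best, start := 0, 0
		for end := range list {
			for list[end].When.Sub(list[start].When) > window {
				start++
			}
			if n := end - start + 1; n > best {
				best = n
			}
		}
		if best < threshold {
			continue
		}
		users := map[string]bool{}
		for _, a := range list {
			users[a.User] = true
		}
		findings = append(findings, Finding{Source: src, Failures: best, DistinctUsers: len(users)})
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Source < findings[j].Source })
	return findings
}

func main() {
	for _, f := range DetectBruteForce(ParseFailedLogins(sampleLog), 10*time.Minute, 5) {
		fmt.Printf("%s: %d failed logins within 10 minutes across %d accounts\n", f.Source, f.Failures, f.DistinctUsers)
	}
}
```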



From proof-of-concept to exploitable

Exploitability assessment of vulnerabilities is important for both defenders and attackers. The ultimate way to assess exploitability is crafting a working exploit. However, this usually takes a tremendous number of hours and significant manual effort. To address this issue, automated techniques can be adopted. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (PoC) inputs triggering vulnerabilities, and assess exploitability by finding exploitable states along those paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation.

In this paper, we propose a novel solution to generate exploits for userspace programs or to facilitate the process of crafting a kernel UAF exploit. Technically, we utilize oriented fuzzing to explore diverging paths from the vulnerability point. For userspace programs, we adopt a control-flow stitching solution to stitch crashing paths and diverging paths together to generate exploits. For kernel UAF, we leverage a lightweight symbolic execution to identify, analyze and evaluate the system calls valuable and useful for exploiting vulnerabilities.

We have developed a prototype system and evaluated it on a set of 19 CTF (capture the flag) programs and 15 real-world Linux kernel UAF vulnerabilities. Experiment results showed it could generate exploits for most of the userspace test set, and it could also facilitate security mitigation bypassing and exploitability evaluation for the kernel test set.


Due to the success of automated vulnerability discovery solutions (e.g., fuzzing), more and more vulnerabilities are found in real world applications, together with proof-of-concept (PoC) inputs. As a result, more and more human resources are spent on assessing vulnerabilities, e.g., identifying root causes and fixing them. It thus calls for solutions to automatically assess the severity and priority of vulnerabilities.

Vulnerability assessment, especially exploitability assessment, is important for both defenders and attackers. Attackers could isolate exploitable vulnerabilities and write exploits to launch attacks. On the other hand, defenders could prioritize exploitable vulnerabilities to fix first, and allocate resources accordingly. Moreover, defenders could learn from the exploits to generate IDS (Intrusion Detection System) signatures, to block future attacks.

A straightforward way to assess a vulnerability is analyzing the program state at the crashing point, i.e., the instruction leading to program crashes or security violations, which could be caught by a sanitizer. For example, Microsoft’s !exploitable tool inspects all instructions in the crashing point’s basic block, and searches for known exploitable patterns, e.g., control transfer instructions with tainted targets. HCSIFTER takes an extra step to recover the data corrupted by heap overflow, enabling the program to execute more code after the crashing point, and thus provides more reliable assessments. However, these solutions rely on heuristics to determine the exploitability of vulnerabilities, and thus are inaccurate sometimes. Moreover, they could not provide exploit inputs to prove the exploitability.

The ultimate way to assess the exploitability of a vulnerability is generating a working exploit. But crafting an exploit is typically regarded as a time-consuming manual process requiring security knowledge.

Several prototype approaches to automatically generating exploits have been proposed. Sean Heelan proposed a prototype in his thesis, using dynamic analysis and symbolic execution to generate exploits for classic buffer overflow vulnerabilities. AEG and Mayhem provide end-to-end systems to discover vulnerabilities and automatically generate exploits when possible, for source code and binary respectively. Q (Schwartz et al. 2011) and CRAX could generate exploits for binaries given PoC inputs. However, these solutions are insufficient and could only solve a small number of problems. For example, machines developed in CGC could only solve in total 26 out of 82 challenge programs in the Final Event. Most solutions could not exploit heap-based vulnerabilities.

The OS kernel, with its higher complexity and scale, is not suited to fully automated exploit generation. This is mainly because state-of-the-art program analysis techniques have many limitations. However, we can still use semi-automated techniques to facilitate exploitability evaluation by easing the process of exploit crafting.

There are several challenges that need to be addressed for both fully-automated and semi-automated exploit generation:

Challenge 1: Exploit derivability issue As has been pointed out, once memory corruption vulnerabilities are triggered, the victim program’s state machine turns into a weird (state) machine. Exploitation is actually a process of programming the weird machine to perform unintended behavior. It is extremely important to set up the initial state of this weird machine in order to exploit it.

However, PoC inputs (e.g., provided by fuzzers) could corrupt some data and lead weird machines to non-exploitable initial states. For example, the program may exit soon after the crashing point due to some sanity checks. So, AEG solutions have to search for exploitable states not only in crashing paths taken by PoC inputs, but also in alternative diverging paths. In the OS kernel, diverging paths lead to different kernel panics, so generating an exploit for a kernel UAF vulnerability also requires varying the context of the kernel panic and exploring exploitability in each.

This is known as exploit derivability, one of the core challenges of exploitation.

Challenge 2: Symbolic execution bottleneck Existing solutions heavily rely on symbolic execution to explore program paths (e.g., for vulnerability discovery) or to perform reasoning (e.g., for test case and exploit generation). AEG and Mayhem utilize symbolic execution to explore paths reachable from the vulnerability point and search for exploitable states, which mitigates the aforementioned exploit derivability issue. However, symbolic execution has scalability issues and performs poorly in exploit generation.

First, it faces the path explosion issue when exploring paths, and consumes too many resources even when analyzing only one path. Second, it gets blind to certain exploitable states after concretizing some values. For example, it has to concretize symbolic arguments of memory allocations and symbolic indexes of memory access operations in a path, in order to model the memory states and enable exploring following sub-paths. But the concretized values could lead to non-exploitable memory states.

To solve the exploit derivability issue, we must search for exploitable states in diverging paths, not only in crashing paths. However, symbolic execution, which is heavily used in existing solutions, faces several severe challenges and is not suitable for path exploration or exploitable-state searching, especially for heap-based vulnerabilities or UAF in the OS kernel. So instead of symbolic execution, we use fuzzing to explore diverging paths.

First, we use dynamic analysis to analyze the vulnerabilities and collect runtime information along the crashing path. In addition, we inspect corrupted memory objects (denoted exceptional objects) and objects that can be used to locate the exceptional objects. Then we use oriented fuzzing to search alternative diverging paths for exploitable states, based on the information collected before. Finally, we try to synthesize new EXP inputs that trigger both the exploitable states in diverging paths and the vulnerabilities in crashing paths. In certain cases, we can directly generate working exploits, but this is not guaranteed. The complexity of the OS kernel is far beyond the ability of current constraint solvers, so for the OS kernel the goal is not to fully automate exploit generation. Rather, we leverage a lightweight symbolic execution to explore exploitability under different contexts.

Results We have built a framework, Revery, able to generate working control-flow hijacking exploits for userspace programs. We have also built a framework, FUZE, able to evaluate the exploitability of kernel Use-After-Free vulnerabilities.

We evaluated Revery on 19 CTF (Capture The Flag) programs. The evaluation demonstrated that Revery is effective in triggering exploitable states and could generate working exploits for a large portion of them. More specifically, Revery could generate exploits for 9 (47%) out of 19 programs, while existing open source AEG solutions could not solve any of them. Furthermore, it could trigger exploitable states for another 5 (26%) of them.

We implement FUZE on a 64-bit Linux system by extending a binary analysis framework and a kernel fuzzer. Using 15 real-world kernel UAF vulnerabilities on Linux systems, we then demonstrate that FUZE could not only escalate kernel UAF exploitability but also diversify working exploits from various kernel panics. In addition, we demonstrate that FUZE could even help security analysts craft exploits with the ability to bypass broadly deployed security mitigations such as SMEP and SMAP.



Anomaly Detection in SOC – Friend or Foe?

Lots of security vendors talk about integrating innovative techniques using Artificial Intelligence. In cybersecurity, this often boils down to supervised or unsupervised anomaly detection over measured attributes. However, in many cases there is a big gap between the identification of anomalies and transforming them into actionable data.

There are lots of buzzwords floating around cybersecurity: machine learning, artificial intelligence, supervised and unsupervised learning … In many cases these advanced technologies are based on anomaly detection. This makes a lot of sense since it’s hard – even impossible – to anticipate an attacker’s behavior. Also, in many cases there is not enough classified data to distinguish between benign and malicious events.

How Is Anomaly Detection Used in Cybersecurity?

Various behavioral anomaly detection techniques are used in almost every aspect of cybersecurity. For example, anomaly detection is extensively used in UEBA (User and Entity Behavioral Analytics), NTA (Network Traffic Anomaly), endpoint operational anomalies, etc. An anomaly can mean things like: “Too many failed logins” in UEBA, “A lot of traffic sent from A to B” (where typically it sends much less) in NTA, or a process that executes another process in a statistically anomalous way in endpoint protection.

Anomalies can be strong indicators of malicious activity but, in many cases, anomalies can be triggered by unexpected but legitimate actions. While anomalies are a powerful tool for threat hunting, they might be a burden on SOC analysts who are focused on addressing threats as part of their incident response.

Since there is a significant cost associated with false positive alerts, due to the time needed to investigate them, we should be very careful when flagging anomalies as security alerts in SOC. While some security devices do a great job of filtering out false positives, many simply dump all or many anomalies in the laps of security analysts for further investigation.

How Can SIEM Platforms Help Separate Valuable Anomalies From Noise?

When combining multiple sources of anomalies and other security signals such as alerts from IDS, EDR, mail security or any other product, the challenge is to automatically find the connections and merge those events into actionable information. Such information must separate the high-risk incidents from the noise. SIEMs that attempt to do so need to also show the evidence and provide analysts with the root-cause and the potential flow of an attack. This saves valuable time in the deeper investigation that will require the forensics data typically stored in the SIEM.

For example, consider an indication of a network anomaly where host A sent a lot of data to host B, when typically they do not communicate. This may be an indication of data exfiltration, but it can also be the result of various legitimate scenarios (e.g. unexpected but legitimate file sharing). If following this event there is an indication that node B scanned the network, or there is an indication that files were encrypted at an unusual rate, this should raise the severity of the security incident. If other indications are available for the entities involved, such as IDS alerts on node A or B, this would strengthen the case that all these singular events together tell a truly high-risk attack “story.”

This automatic fusion of anomalies and other events must be a key feature in the next generation of SIEMs that will direct SOC teams to deal with high severity alerts, rather than investigate loads of anomalies.
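The fusion the post describes, as an added example that is not part of the original article: each network-volume anomaly seeds an incident, later events about the same hosts within a window are chained onto it (the entity set grows as the chain spreads), and the summed weights decide whether the "story" is high severity or a lone anomaly. The event kinds, weights, window and sample events are constructed assumptions.

```python
"""Added example (not from the original post): fuse anomalies and alerts about
the same hosts into one scored incident, as the SIEM text describes."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (time, source, kind, entities).
EVENTS = [
    ("2020-01-10T09:00:00", "NTA", "unusual_volume", {"src": "hostA", "dst": "hostB"}),
    ("2020-01-10T09:04:00", "EDR", "network_scan", {"src": "hostB"}),
    ("2020-01-10T09:20:00", "EDR", "mass_encryption", {"src": "hostB"}),
    ("2020-01-10T09:25:00", "IDS", "c2_signature", {"src": "hostA"}),
    ("2020-01-10T14:00:00", "UEBA", "failed_logins", {"src": "hostZ"}),  # unrelated noise
    ("2020-01-11T09:00:00", "NTA", "unusual_volume", {"src": "hostC", "dst": "hostD"}),  # lone anomaly
]

# Assumed weight of each event kind once it joins a chain that began with a network anomaly.
WEIGHTS = {"unusual_volume": 1, "network_scan": 3, "mass_encryption": 4,
           "c2_signature": 3, "failed_logins": 1}
WINDOW = timedelta(hours=1)  # assumed correlation window after the seed anomaly


def severity_for(score):
    """Assumed banding: a lone anomaly stays low, a multi-signal chain becomes high."""
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def build_incidents(events, window=WINDOW, seed_kind="unusual_volume"):
    """Start an incident at each seed anomaly and pull in later events that touch
    any host already in the incident; return incidents in seed order."""
    events = sorted(events, key=lambda e: e[0])  # ISO timestamps sort lexically
    incidents = []
    for i, (ts, source, kind, ents) in enumerate(events):
        if kind != seed_kind:
            continue
        start = datetime.fromisoformat(ts)
        entities = set(ents.values())
        evidence = [(ts, source, kind)]
        score = WEIGHTS[kind]
        for ts2, src2, kind2, ents2 in events[i + 1:]:
            if datetime.fromisoformat(ts2) - start > window:
                break  # events are sorted, so nothing later can be in the window
            if entities & set(ents2.values()):
                entities |= set(ents2.values())  # the story spreads to new hosts
                evidence.append((ts2, src2, kind2))
                score += WEIGHTS.get(kind2, 1)
        incidents.append({"entities": sorted(entities), "evidence": evidence,
                          "score": score, "severity": severity_for(score)})
    return incidents


def high_severity(incidents):
    """What the SOC queue should show first: chained stories, not single anomalies."""
    return [inc for inc in incidents if inc["severity"] == "high"]


if __name__ == "__main__":
    for inc in build_incidents(EVENTS):
        print(inc["severity"], inc["score"], inc["entities"], [e[2] for e in inc["evidence"]])
```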


Security Predictions for 2020

In this year’s Cyber Security Predictions, the WatchGuard Threat Lab has imagined the top cyber attacks we’ll see in 2020 and has provided tips for simplifying your approach to stopping them. Even though the threats coming at you won’t be any less intense, complicated, or difficult to manage, 2020 will be the year of simplified security.

1. Ransomware Targets the Cloud


  • Ransomware is a billion-dollar industry.
  • Overall volume of ransomware is down, but targeted ransomware against vertical industries is on the rise.
  • In 2020, targeted ransomware now tries to infect consolidated cloud assets, such as file stores, S3 buckets, and virtual environments.

Ransomware is now a billion-dollar industry for hackers, and over the last decade we’ve seen extremely virulent strains of this malware wreak havoc across every industry. As with any big-money industry, ransomware will continue to evolve in order to maximize profits. In 2020, we believe ransomware will focus on the cloud.

Recently, untargeted “shotgun blast” ransomware has plateaued with attackers showing preference for targeted attacks against industries whose businesses cannot function with any downtime. These include healthcare, state and local governments, and industrial control systems.

Despite its far-reaching damages and soaring revenues, ransomware has largely left the cloud untouched. As businesses of every size move both their servers and data to the cloud, it has become a one-stop shop for all of our most important data. In 2020, we expect to see this safe haven crumble as ransomware begins targeting cloud-based assets including file stores, S3 buckets, and virtual environments.

Security Tips: Do you have cloud security? Virtual or cloud UTM? Asking these questions is where to start. Use advanced malware protection to detect evasive malware. More importantly, consider new security paradigms that allow you to implement security controls, like advanced malware protection, in cloud use cases. Finally, the cloud can be secured, but it requires work. Make sure you’ve hardened your cloud workloads. For instance, investigate resources for properly securing S3 buckets.

2. GDPR Comes to the United States


  • California has passed the California Consumer Privacy Act (CCPA).
  • A national Consumer Data Protection Act (CDPA) will not pass in 2020.
  • In 2020, 10 or more states will pass laws like California’s CCPA.

Two years ago, the General Data Protection Regulation (GDPR) came into force, protecting the data and privacy rights of European Union citizens. As of yet, few places outside the EU have similar laws in place, but we expect to see the United States (U.S.) come closer to matching it in 2020.

GDPR boils down to placing restrictions on how organizations can process personal data, and what rights individuals have in limiting who may access that data, and it has already shown teeth. To date, companies have been fined millions of euros for GDPR violations, including massive €50 million and £99 million judgements in 2019 against Google and Marriott respectively. While the burden placed on companies can be intense, the protections provided to individuals are massively popular.

Meanwhile, the U.S. has suffered a social media privacy plague the last few years, with no real GDPR equivalent to protect local consumers. As organizations like Facebook leak more and more of our personal data, which bad actors have used in everything from targeted election manipulation to unethical bounty hunting, U.S. citizens are starting to clamor for privacy protections like those enjoyed by our European brothers and sisters. So far, only one state, California, has responded by passing its California Consumer Privacy Act (CCPA), which goes into effect in early 2020.

Though the same senator who passed CCPA in California has proposed a Federal Consumer Data Privacy Act (CDPA) bill, we don’t think it will gain enough support to pass nationwide in 2020. However, we do expect more and more states to jump onto California’s bandwagon, and pass state-level consumer privacy acts of their own. In 2020, we anticipate that 10 or more states will enact similar laws to California’s CCPA.

Security Tips: There isn’t a specific security tip for this prediction, but you can still take action. Contact your local congressperson to share your opinion on regulations to protect your privacy. Meanwhile, consider the lack of regulation here when sharing your private information online and with social networks.

3. Voter Registration Systems Targeted During the 2020 Elections


  • Though voting machines are hackable, adversaries won’t spend much time targeting them.
  • However, external threat actors will go after state and local voter databases with the goal of creating voting havoc and triggering voter-fraud alerts during 2020 elections.

Election hacking has been a hot topic ever since the 2016 U.S. elections. Over the last four years, news cycles have covered everything from misinformation spread across social media to alleged breaches of state voter systems. During the 2020 U.S. presidential elections, we predict that external threat actors will target state and local voter databases with the goal of creating voting havoc and triggering voter-fraud alerts during the 2020 elections.

Security experts have already shown that many of the systems we rely on for voter registration and election day voting suffer from significant digital vulnerabilities. In fact, attackers even probed some of these weaknesses during the 2016 election, stealing voter registration data from various states. While these state-sponsored attackers seemed to draw the line by avoiding altering voting results, we suspect their previous success will embolden them during the 2020 election, and they will target and manipulate our voter registration systems to make it harder for legitimate voters to submit their votes, and to call into question the validity of vote counts.

Security Tips:

While there isn’t a specific cybersecurity tip for this prediction, we do have some voter preparedness tips in the event this prediction comes true. First, double-check the status of your voter registration a few days before the election. Also, monitor the news for any updates about voter registration database hacks, and be sure to contact your local state voter authority if you are concerned. Be sure to print out the result of a successful voter registration, and bring your ID on election day, even if technically unnecessary.

4. During 2020, 25% of All Breaches Will Happen Outside the Perimeter


  • While working remotely can increase productivity and reduce burnout, it comes with its own set of security risks.
  • A quarter of all network compromises or data breaches will involve off-network assets.

Mobile device usage and remote employees have been on the rise for several years now. A recent survey by WatchGuard and CITE Research found 90% of mid-market businesses have employees working half their week outside the office. While remote working can increase productivity and reduce burnout, it comes with its own set of security risks. Mobile employees often work without any network perimeter security, missing out on an important part of a layered security defense. Additionally, mobile devices can often mask telltale signs of phishing attacks and other security threats. We predict that in 2020, one quarter of all data breaches will involve telecommuters, mobile devices, and off-premises assets.

Security Tips: Make sure you’re as diligent implementing off-network protection for your employees as you are perimeter protection. Any laptop or device that leaves the office needs a full suite of security services, including a local firewall, advanced malware protection, DNS filtering, disk encryption, and multi-factor authentication, among other protections.

5. The Cybersecurity Skills Gap Widens


  • Universities and cybersecurity trade organizations are not graduating qualified candidates fast enough to fill the demand for new information security employees.
  • The cybersecurity skills gap grows by 15%.

Cybersecurity, or the lack of it, has gone mainstream. A day doesn’t seem to go by where the general public doesn’t hear of some new data breach, ransomware attack, company network compromise, or state-sponsored cyber attack. Meanwhile, consumers have also become intimately aware of how their own personal data privacy contributes to their own security (thanks, Facebook). As a result, it’s no surprise that the demand for cybersecurity expertise is at an all-time high.

The problem is, we don’t have the skilled professionals to fill this demand. According to the latest studies, almost three million cybersecurity jobs remained unfilled during 2018. Universities and cybersecurity trade organizations are not graduating qualified candidates fast enough to fill the demand for new information security employees. Three-fourths of companies claim this shortage in cybersecurity skills has affected them and lessened their security.

Unfortunately, we don’t see this cybersecurity skills gap lessening in 2020. Demand for skilled cybersecurity professionals keeps growing, yet we haven’t seen any recruiting and educational changes that will increase the supply. Whether it be from a lack of proper formal education courses on cybersecurity or an aversion to the often-thankless job of working on the front lines, we predict the cybersecurity skills gap to increase an additional 15% next year. Let’s hope this scarcity of expertise doesn’t result in an increase in successful attacks.

Security Tips: While the available cybersecurity workforce won’t appear immediately, you do have options to help create and manage a strong cyber defense. Taking a long-term view, you can work with your local educational institutes to identify future cybersecurity professionals so that you might fill your open roles first. In the short term, focus on solutions that provide layered security in one solution, or work with a managed services provider or managed security services provider to whom you can outsource your security needs.

6. Multi-Factor Authentication (MFA) Becomes Standard for Mid-sized Companies


  • 2020 will bring increased adoption of MFA among mid-sized companies.
  • We’ll also see widespread adoption among all service providers, and even for privileged or admin accounts at all businesses.

We predict that multi-factor authentication (MFA) will become a standard security control for mid-market companies in 2020. Whether it’s due to billions of emails and passwords having leaked onto the dark web, or the many database and password compromises online businesses suffer each year, or the fact that users still use silly and insecure passwords, the industry has finally realized that we are terrible at validating online identities.

Previously, MFA solutions were too cumbersome for mid-market organizations, but recently three things have paved the way for pervasive MFA, both SMS one-time password (OTP) and app-based models, among even SMBs. First, MFA solutions have become much simpler with cloud-only options. Second, mobile phones have removed the expensive requirement of hardware tokens, which were cost-prohibitive for mid-market companies. And finally, the deluge of password problems has proven the absolute requirement for a better authentication solution. While SMS OTP is now falling out of favor for legitimate security concerns, app-based MFA is here to stay.

The ease of use both for the end user and the IT administrator managing these MFA tools will finally enable organizations of all sizes to recognize the security benefits of additional authentication factors. That’s why we believe enterprise-wide MFA will become a de-facto standard among all midsized companies next year.

Security Tips: This tip is simple – implement MFA throughout your organization. Everything from logging in to your laptop each day to accessing corporate cloud resources should have some sort of multi-factor authentication tied to it.


  • Wireless carriers that manage 4G and 5G networks often hand off calls and data to Wi-Fi networks to save bandwidth, particularly in high-density areas.
  • In 2020, flaws in this cellular to Wi-Fi handover process will allow attackers to access the voice and/or data of 5G mobile phones.

The newest cellular standard, 5G, is rolling out across the world and promises big improvements in speed and reliability. Unknown to most people, in large public areas like hotels, shopping centers, and airports, the voice and data traffic of your cellular-enabled device is communicated both to cell towers and to Wi-Fi access points located throughout these public areas. Large mobile carriers do this to save network bandwidth in high-density areas. Your devices have intelligence built into them to automatically and silently switch between cellular and Wi-Fi. Security researchers have exposed some flaws in this cellular-to-Wi-Fi handover process, and it’s very likely that we will see a large 5G-to-Wi-Fi security vulnerability exposed in 2020 that could allow attackers to access the voice and/or data of 5G mobile phones.

Security Tips:

Most mobile devices don’t allow users to disable cellular-to-Wi-Fi handover (also known as Hotspot 2.0). Windows 10 currently does, however. If unsure, individuals should use a VPN on their cellular devices so that attackers who are eavesdropping on cellular-to-Wi-Fi connections won’t be able to access their data. For businesses looking to enable Hotspot 2.0, make sure your Wi-Fi access points (APs) have been tested independently to stop the six known Wi-Fi threat categories detailed at http://trustedwirelessenvironment.com. If the APs block these threats, attackers cannot eavesdrop on the cellular-to-Wi-Fi handoff.

SOURCE: https://www.securitymagazine.com/articles/91442-security-predictions-for-2020


High Performance Anti-Spam

It should offer world-leading third-party anti-spam plug-ins that provide relevant, continuous and real-time spam detection that is dynamically adjusted against new spam identification and circumvention techniques.

Anti-spam should reduce threat incidence in the form of phishing attempts, spyware and adware installations, promote a safe workplace by controlling porn spam, and enhance enterprise productivity by protecting mail systems from spam.

It is compatible with all major mail systems, with black and white lists, text identification of spam and regular and frequent updates.

Advanced Spam Filtering

A future-proof solution, anti-spam offers advanced protection against the constantly evolving tactics of spammers. Anti-spam’s advanced heuristics monitor suspicious email traffic to determine spam probability based on weighted and contextually evaluated characteristics, studying the body of the message for words and word patterns typical to spam. Mail filtering is based on policies and rules set by mail size, attachment type, attachment names and keywords too.

Creation of approved sender lists both at the gateway and the mail server help administrators improve the accuracy and effectiveness of spam filtering over time and provide more customized filtering to each user.

Real-time Spam Detection

Anti-spam offers maximum spam detection with low false positives through relevant, continuous and real-time spam detection that is dynamically adjusted against new spam identification and circumvention techniques. Suspicious gray mail messages can be routed to mail server-side folders for end-user review.

High Flexibility

Policy-based configuration offers great flexibility, allowing administrators to easily assign variable catch sensitivities based on spam category and user groups, despite the complexity of the heuristics rules.

Flexible filter actions with options to delete, quarantine, tag or more enhance the flexibility, reflecting individual interpretation, tolerance levels and expected disposal options. Filter actions can be assigned based on spam likelihood and rate of accuracy.

Apart from the solution’s own black lists, the administrator has the flexibility to create their own black and white lists for accepting or rejecting a message as spam.

High Scalability

Designed to process and analyze large messaging volumes at high throughput rates to meet the needs of global enterprises, the anti-spam solution offers high scalability.

Centralized Management

Ease of installation and ease in defining and managing policies are some of anti-spam’s centralized management benefits. Blended analysis and reports with relevant spam statistics such as spam volume, volume by category, accuracy and effectiveness, plus comprehensive reporting and auditing, offer another layer of intelligence in threat management, enabling refinement of rule sensitivity and disposal options.
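The policy model described under Advanced Spam Filtering and High Flexibility, as an added example that is not the product’s own code: weighted keyword and attachment heuristics produce a spam score, approved and blocked sender lists short-circuit scoring, each user group has its own catch sensitivity, and the score maps to a delete, quarantine or tag action. The weights, lists, group thresholds and sample mails are constructed assumptions.

```python
"""Added example, not the product's own code: a small policy-driven spam scorer
of the kind the text describes. Weights, lists, group sensitivities and the
sample mails are constructed assumptions for illustration."""
from email import message_from_string
from email.utils import parseaddr

# Weighted heuristics: keyword patterns and risky attachment names (assumed values).
SPAM_KEYWORDS = {"free money": 3.0, "act now": 2.0, "winner": 1.5}
RISKY_EXT = {".exe": 4.0, ".scr": 4.0, ".js": 3.0}
ALLOW_LIST = {"billing@example.com"}   # approved senders bypass scoring
BLOCK_LIST = {"spammer@example.net"}   # administrator's own black list
# Per-group catch sensitivity: the score at which mail stops being delivered untouched.
GROUP_SENSITIVITY = {"executives": 3.0, "staff": 7.0}
# Filter actions by spam likelihood, highest threshold first.
ACTIONS = [(12.0, "delete"), (7.0, "quarantine"), (0.0, "tag")]

# Constructed sample mails.
SAMPLE_SPAM = """\
From: "Promo" <offers@example.org>
Subject: You are a WINNER - act now
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Claim your free money today.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

not-a-real-binary
--b1--
"""
SAMPLE_GRAY = "From: news@example.org\nSubject: Our winner this month - act now\n\nNewsletter.\n"
SAMPLE_ALLOWED = "From: billing@example.com\nSubject: free money owed\n\nInvoice attached.\n"


def score_message(raw):
    """Return (score, reasons) for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in ALLOW_LIST:
        return 0.0, ["allow-listed sender"]
    if sender in BLOCK_LIST:
        return 100.0, ["block-listed sender"]
    score, reasons = 0.0, []
    text = msg.get("Subject", "").lower()
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        for ext, w in RISKY_EXT.items():
            if name.endswith(ext):
                score += w
                reasons.append("attachment:" + name)
        if part.get_content_type() == "text/plain" and not name:
            text += " " + part.get_payload(decode=True).decode(errors="replace").lower()
    for kw, w in SPAM_KEYWORDS.items():
        if kw in text:
            score += w
            reasons.append("keyword:" + kw)
    return score, reasons


def decide(raw, group):
    """Map the score to deliver/tag/quarantine/delete, honouring the group's sensitivity."""
    score, reasons = score_message(raw)
    if score < GROUP_SENSITIVITY.get(group, 7.0):
        return "deliver", score, reasons
    for threshold, action in ACTIONS:
        if score >= threshold:
            return action, score, reasons
```

The same gray mail is tagged for the executives group but delivered untouched for staff, which is the per-group sensitivity the text describes.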
