As ransomware groups enhance their capabilities with generative AI and sophisticated automation, security leaders need to extend their detection and response capabilities more than ever. 

(more…)

In our interconnected world, the specter of cyber attacks casts a formidable shadow. With each technological advancement, cybercriminals adapt their tactics and strategies, posing new challenges for organizations. To effectively counter these ever-evolving threats, robust cybersecurity measures are essential. Among these measures, Managed Detection and Response (MDR) has emerged as a pivotal component in fortifying defenses against modern cyber threats. In this blog, we will delve into the pivotal role of MDR in cybersecurity and its profound impact on strengthening an organization's security posture. 

Common Cybersecurity Challenges and the Need for MDR 

Cybersecurity challenges have become increasingly complex, with attackers employing sophisticated techniques such as ransomware, zero-day exploits, and advanced persistent threats (APTs). Traditional security measures often fall short in detecting and responding to these threats effectively. This is where MDR comes into play. MDR combines advanced threat detection technologies with skilled analysts who actively monitor and respond to security incidents, helping organizations stay one step ahead of cybercriminals. 

Understanding the Threat Landscape: Emerging Risks and Trends 

The threat landscape is constantly evolving, making it crucial for organizations to keep up with the latest risks and trends. From nation-state attacks to supply chain vulnerabilities, new threats continue to emerge. This section will delve into some of the emerging risks and trends in the cyber threat landscape, including the rise of insider threats, the increasing sophistication of phishing attacks, and the impact of the Internet of Things (IoT) on cybersecurity. 

How MDR Enhances Cybersecurity Defense 

MDR enhances cybersecurity defense by providing continuous monitoring, threat hunting, and incident response capabilities. Unlike traditional cybersecurity solutions that rely primarily on preventive measures, MDR takes a proactive approach. It leverages advanced technologies such as machine learning, behavioral analytics, and threat intelligence to detect and respond to threats in real-time. This section will highlight the key components of MDR and how they work together to bolster an organization's security posture. 

Collaborative Approach: MDR and Security Operations Centers (SOCs) 

Effective cybersecurity requires collaboration between different teams within an organization. MDR teams work closely with Security Operations Centers (SOCs) to ensure a holistic approach to cybersecurity. This section will explore the collaborative relationship between MDR and SOCs, emphasizing the importance of information sharing, incident response coordination, and threat intelligence exchange. It will also discuss the benefits of integrating MDR capabilities into existing SOC infrastructure. 

Case Studies: MDR Success Stories in Countering Cyber Attacks 

To illustrate the effectiveness of MDR, this section will present real-world case studies showcasing successful outcomes achieved through MDR implementation. These case studies will highlight different industries and the specific threats they faced, demonstrating how MDR detected, analyzed, and neutralized cyber attacks. By examining these success stories, readers will gain a deeper understanding of MDR's practical applications and its impact on cybersecurity. 

The Future of MDR in Cybersecurity 

MDR is a vital component in fortifying an organization's defenses against contemporary cyber threats. By combining advanced technologies, skilled analysts, and collaborative efforts with SOCs, MDR offers a proactive and effective approach to cybersecurity. As the threat landscape evolves, MDR must adapt accordingly. This section explores the future of MDR, including the integration of artificial intelligence and machine learning, the impact of regulatory changes, and the importance of ongoing training in the MDR field. 

As organizations strive to protect their sensitive data and digital assets, MDR remains an indispensable part of their cybersecurity strategy. By leveraging advanced technologies and human expertise, MDR enables proactive threat detection and response, mitigating potential damages. In the dynamic realm of cybersecurity, MDR serves as a steadfast beacon of defense, providing organizations with the assurance they need to navigate the digital landscape securely. 

Today’s rapidly evolving digital landscape, organizations face an ever-growing threat of cyber-attacks. The traditional reactive approach to cybersecurity is no longer sufficient to protect sensitive data and critical systems. Managed Detection Response (MDR) solutions have emerged as a proactive and effective approach to enhance cybersecurity defense. In this blog, we will explore the core components, benefits, key features, and best practices for evaluating MDR providers, along with real-world examples of successful MDR implementations. By the end, you will have a comprehensive understanding of MDR solutions and be equipped to make informed decisions when choosing an MDR provider. 

Understanding the Core Components of MDR Solutions 

• Managed Detection Response (MDR) solutions integrate advanced technologies and expert human analysis to monitor, detect, and respond to cyber threats in real-time. The core components of MDR solutions typically include: 
• Continuous Monitoring: MDR solutions provide 24/7 monitoring of an organization's network, endpoints, and cloud environments. This proactive approach enables early threat detection and faster response times. 

• Threat Intelligence: MDR solutions leverage threat intelligence feeds, both internal and external, to stay updated on the latest attack vectors, malware signatures, and emerging threats. This information enhances the accuracy and effectiveness of threat detection. 

• Advanced Analytics and Machine Learning: MDR solutions utilize advanced analytics and machine learning algorithms to identify patterns, anomalies, and suspicious activities within the network. These technologies enable the detection of sophisticated and previously unknown threats. 

• Incident Response and Investigation: MDR solutions include incident response capabilities to mitigate and contain detected threats. They provide detailed reports, forensics analysis, and remediation guidance to assist organizations in responding effectively to security incidents. 

Benefits of MDR Solutions for Organizations 

Implementing MDR solutions offers several benefits for organizations seeking to enhance their cybersecurity defense: 

• Proactive Threat Detection: MDR solutions actively monitor and detect threats, significantly reducing the time between detection and response. This proactive approach minimizes the potential impact of cyber attacks and helps prevent data breaches. 

• Expertise and Scalability: MDR solutions provide access to a team of skilled security professionals who specialize in threat detection and response. This expertise is particularly valuable for organizations lacking in-house security resources. MDR solutions are also scalable, allowing organizations to adapt to changing security needs as they grow. 

• Cost-Effectiveness: Building an in-house security operations center (SOC) with similar capabilities to MDR solutions can be expensive. MDR providers offer cost-effective alternatives, leveraging economies of scale and sharing the cost across multiple clients. 

• Enhanced Visibility and Reporting: MDR solutions provide organizations with comprehensive visibility into their security posture. Detailed reports and dashboards offer insights into threats, vulnerabilities, and security events, enabling informed decision-making and regulatory compliance. 

Key Features and Capabilities of Effective MDR Solutions 

When evaluating MDR providers, it is essential to consider the following key features and capabilities: 

• Real-time Threat Detection: Effective MDR solutions leverage real-time threat detection capabilities to identify and respond to threats as they happen. Look for providers that offer advanced analytics, machine learning, and behavioral analysis techniques for accurate and timely detection. 

• Incident Response and Remediation: MDR solutions should have well-defined incident response processes to minimize the impact of security incidents. Evaluate the provider's incident response capabilities, including the availability of skilled analysts, playbooks, and coordination with your internal incident response teams. 

• Continuous Monitoring and Alerting: MDR solutions must provide continuous monitoring of your environment, including network traffic, endpoints, and cloud services. Look for providers that offer proactive alerts and notifications for potential threats, enabling prompt action. 

• Threat Intelligence Integration: MDR solutions should integrate with relevant threat intelligence feeds to stay updated on the latest threats and attack techniques. This integration enhances the accuracy and effectiveness of threat detection. 

Evaluating MDR Providers: Considerations and Best Practices 

When evaluating MDR providers, consider the following best practices: 

• Determine your specific requirements and objectives for implementing MDR solutions. Understand your organization's security needs, compliance requirements, and budget constraints. 

• Assess the provider's experience and expertise in the cybersecurity field. Look for certifications, client testimonials, and case studies to validate their capabilities. 

• Evaluate the provider's technology stack and the effectiveness of their threat detection and response capabilities. Request a demonstration or proof-of-concept to assess the solution's performance. 

• Understand the provider's incident response processes, including the availability of skilled analysts, their response times, and the quality of their incident reports. 

Real-World Examples of Successful MDR Implementations 

Several organizations have successfully implemented MDR solutions to enhance their cybersecurity defense. One notable example is Company X, a global financial institution. By partnering with an MDR provider, Company X achieved real-time threat detection, reduced incident response times, and enhanced their overall security posture. As a result, they experienced a significant decrease in security incidents and improved compliance with industry regulations. 

Recommendations for Choosing MDR Solutions 

Managed Detection Response (MDR) solutions offer a proactive and effective approach to enhance cybersecurity defense. By leveraging advanced technologies, expert analysis, and real-time threat detection capabilities, MDR solutions enable organizations to stay ahead of cyber threats. When choosing an MDR provider, carefully consider their core components, benefits, key features, and incident response capabilities. Evaluate the provider's experience, technology stack, and integration with threat intelligence. Real-world examples of successful MDR implementations can provide valuable insights and guide your decision-making process. Implementing an MDR solution can significantly strengthen your organization's cybersecurity defense and mitigate the risks associated with modern cyber threats. 

Introduction to Managed Detection Response (MDR): 

Managed Detection Response (MDR) has emerged as a crucial component in the field of cybersecurity, providing organizations with enhanced threat detection and response capabilities. In this blog, we will delve into the history of MDR, exploring its origins, advancements, and its current role in the modern cybersecurity landscape. 

Early days of MDR (Origins and Influences):

The concept of MDR can be traced back to the early 2000s when organizations started recognizing the limitations of traditional security measures. The rise of sophisticated cyber threats necessitated a more proactive approach to threat detection and incident response. Influenced by the principles of Managed Security Service Providers (MSSPs), MDR began to take shape as a comprehensive solution that combined technology, expertise, and proactive threat hunting. 

Advancements in Threat Detection and Response: 

As cyber threats continued to evolve, so did the techniques and technologies used in MDR. The introduction of advanced threat intelligence platforms, machine learning algorithms, and behavioral analytics revolutionized the way threats were detected and analyzed. Real-time monitoring and continuous threat hunting became the norm, allowing organizations to detect and respond to threats faster than ever before. 

Rise of Managed Security Service Providers (MSSPs): 

The rise of MSSPs played a pivotal role in the evolution of MDR. These specialized service providers offered organizations the expertise, technology, and 24/7 monitoring required for effective threat detection and response. MSSPs leveraged their experience and knowledge to build robust MDR solutions, ensuring that organizations of all sizes could benefit from enhanced cybersecurity capabilities. 

MDR in the Modern Cybersecurity Landscape: 

In today's rapidly evolving threat landscape, MDR has become an essential component of an organization's cybersecurity strategy. With the increasing complexity and frequency of cyber-attacks, organizations are turning to MDR providers to augment their security operations. MDR offers a comprehensive approach that combines threat detection, incident response, and continuous monitoring, providing organizations with the peace of mind they need to protect their sensitive data and critical assets. 

Key Milestones and Innovations in MDR:

The history of MDR is marked by several key milestones and innovations. From the introduction of cloud-based MDR platforms to the integration of artificial intelligence and automation, each development has brought new levels of efficiency and effectiveness to the field. Notable milestones include the adoption of proactive threat-hunting techniques, the incorporation of threat intelligence feeds, and the development of threat containment strategies. 

Future Outlook of MDR Solutions: 

As the cybersecurity landscape continues to evolve, MDR will play an increasingly vital role in safeguarding organizations against sophisticated threats. The fusion of human expertise and advanced technologies will continue to drive innovation in MDR, enabling organizations to detect and respond to threats in real time. Looking ahead, we can expect further advancements in machine learning, automation, and collaborative threat intelligence sharing, empowering MDR to stay ahead of emerging cyber threats. 

In conclusion, the evolution of Managed Detection Response has been a remarkable journey, driven by the need for robust cybersecurity in the face of ever-evolving threats. By understanding its origins, advancements, and current role, organizations can appreciate the importance of MDR and make informed decisions to protect their digital assets in an increasingly complex threat landscape.

Most security technologies are ineffective against unauthorized users with stolen credentials. 

Cybersecurity vendors spend a great deal of time and money warning against technical exploits and ransomware attacks. These are undoubtedly serious threats, but they are not nearly as complex or dangerous as compromised credential attacks. 

In fact, although ransomware dominates headlines in the cybersecurity industry, Verizon’s 2022 Data Breach Investigations Report states that compromised credentials are behind half of all attacks. Stealing login credentials is quickly becoming the fastest, easiest way for hackers to gain access to victims’ networks. 

Unlike technical exploits, credential compromise attacks often leave very few traces, if any. When hackers gain access to a legitimate user’s login credentials, they become invisible to most detection solutions. SIEM 1.0 platforms are designed to detect external threats, not internal ones. The same goes for many enterprise-level firewalls and endpoint solutions. 

"Pay attention to those 'that’s odd' moments."

Tony Simone |  Vice President Lumifi

Even among solutions that can detect insider threats, it is often a complex, time-consuming, and error-prone task. In a scenario where malicious insiders are rapidly gaining access to increasingly sensitive data sources in your organization, you can’t afford to waste time or resources this way. 

User Entity and Behavioral Analytics (UEBA) Technology is Key 

Modern SIEM platforms like Exabeam utilize UEBA technology to dive deeper into the actions of authenticated users. This provides a level of visibility that other detection technologies cannot match. Without this degree of visibility, tracing the activities of a compromised account requires running dozens of painstaking search queries manually – with no guarantee you’ll get accurate results. 

Exabeam’s UEBA technology leverages machine learning to establish a baseline for each individual user in your network. Each user’s baseline accounts for the applications they access, the files they modify, the privileges they have, and more. 

When an individual user starts to deviate from that established baseline, Exabeam takes notice and begins to rate their behavior against a pre-established threat threshold level. The more an individual user deviates from their established routine, the higher their score becomes. The SIEM assigns priority to each alert based on how severely the user is deviating from their established behavior. 

This way, each alert represents a collection of suspicious behaviors instead of one single action. This dramatically decreases the number of false positives analysts encounter and streamlines incident investigation. 

This capability is not limited strictly to users, either. As suggested in its name, UEBA technology also analyzes the behaviors of routers, servers, and endpoints throughout your network. 

Preassembled User Activity Timelines Optimize Event Response 

In a SIEM 1.0 environment, analysts conduct investigations by reviewing user activities using a complex sequence of search queries. This lets them assemble the data they need to understand the incident scenario they are facing. However, this process can take hours to complete and becomes more demanding as the environment grows in size and complexity. 

One of the most practical benefits of the UEBA approach is that it enables the SIEM to automatically create a timeline of user activity. Analysts can drill down into the individual actions that contribute to a particular user’s risk score and make decisions based on that data. Instead of taking hours to build a narrative, the entire scenario is evident from the very beginning.  

This means that incident response can happen in mere minutes. Analysts can immediately tell if malicious insiders are responsible for suspicious activities, or if benign organizational assignments – like job role or department changes – are at fault. There is no need for gathering evidence using the tedious point-click-and-pivot method, so analysts can respond quickly and decisively to security events. 

Combine UEBA SIEM Technology with On-Demand Expertise 

Highly automated UEBA technology provides accurate, curated data on security events, but it cannot mitigate those events on its own. Human expertise remains the cornerstone of effective information security. The experience and availability of analyst talent is a critical element of your overall security posture. 

Lumifi provides managed detection and response services that cater to UEBA-enabled enterprises in need of scalable security expertise. By entrusting detection and response to our team of highly trained US-based security analysts, you gain both an in-depth visibility into the effectiveness of your security posture and a scalable solution for addressing security incidents even in high-volume environments.  

These capabilities allow us to address credential compromise risks effectively and consistently.

Contact us to find out how your organization can leverage Lumifi MDR services to protect itself against these types of attacks.

We're thrilled to announce our momentous milestone as we start our journey of 15 years in the managed detection response field. Reflecting on our achievements, we express our appreciation for our outstanding team and valued industry partners. To honor this occasion, we're introducing Lumifi Day, a special celebration dedicated to our team members.

Lumifi Day is a heartfelt tribute to our team's unwavering commitment and expertise. Their contributions have shaped our success and positioned us as leaders in the industry. Join us in celebrating, and stay tuned for engaging content highlighting our journey and showcasing our team's connection to the industry.

Throughout Lumifi Day, we'll share behind-the-scenes glimpses and how we've contributed to the innovation of managed detection response (MDR) in cybersecurity. Our partnerships have played a vital role in our growth, and we believe collaboration and knowledge-sharing drive advancements in our industry.

Lumifi Day isn't just about the past; it's about the future. We're energized by the opportunities ahead and remain committed to being at the forefront of innovation. By investing in research, development, and top talent, we aim to shape the industry's future.

We sincerely thank our employees, clients, partners, and stakeholders for their unwavering support. Your trust has been the driving force behind our accomplishments. Stay tuned for captivating content that showcases our journey, team expertise, and industry developments.

Let's celebrate 15 years of managed detection response and the incredible people who made it all possible. Together, we'll forge ahead into an exciting future.

Q. Can you share with us the journey of Datashield/Lumifi and how it has evolved in the field of Managed Detection and Response (MDR)? What were the key milestones and challenges along the way? 

Datashield/Lumifi has come a long way in Managed Detection and Response (MDR). Our journey began as an investment by myself and EMC Ventures (now Dell) when we recognized the immense potential in this space. We did not anticipate that we would become one of the pioneering MDR companies in 2010! Throughout our evolution, we have encountered significant milestones and challenges that have shaped our growth and expertise in providing top-notch MDR services to our clients.

Q. MDR has rapidly transformed the cybersecurity landscape. How did Datashield/Lumifi identify the potential of MDR early on, and what were the key factors that influenced the decision to focus on this particular area? 

It was easy! We recognized the potential of Managed Detection and Response (MDR) early on by closely monitoring the evolving cybersecurity landscape and observing the increasing sophistication of cyber threats and the growing need for comprehensive security solutions. Several key factors influenced our decision to focus on MDR. 

 Firstly, the acquisition of Netwitness packet technology by EMC/RSA presented a game-changing opportunity for real-time forensics, enabling us to better serve our customers by swiftly identifying and mitigating threats. Additionally, the demand for proactive threat detection and response solutions, combined with our expertise in cybersecurity, further solidified our belief in the value of MDR as a crucial area to concentrate our efforts on. 

Q. As a leader in the MDR space, what advancements do you foresee Datashield/Lumifi making in the near future? Are there any specific areas or technologies that you believe will have a significant impact on the future of MDR? 

I foresee significant advancements from Lumifi in the next year. Our ongoing investment in Shieldvision and Backquery, which allow seamless integration with various EDR and SIEM tools, will be a game changer.  

With this technology, we aim to provide our customers with a comprehensive and user-friendly platform, offering a single pane of glass access to all the necessary data for forensic analysis and proactive incident response. This innovative approach will enhance our ability to help customers effectively mitigate threats and stay ahead in the ever-evolving MDR landscape. 

Q. In your opinion, what sets Datashield/Lumifi apart from other MDR providers in the market? How does the company differentiate itself in terms of technology, expertise, or approach? 

Our extensive experience of 15 years in the cybersecurity industry distinguishes us from other providers. Unlike them, we have a proven track record of delivering Managed Detection and Response (MDR) services. We understand that despite technological advancements, human expertise remains crucial. Our approach combines advanced software technology with highly skilled teams to effectively address security issues in diverse customer environments. We strongly focus on customer satisfaction and customize our solutions to cater to specific needs and industries. This combination of human intelligence and cutting-edge technology enables us to deliver comprehensive and reliable MDR services that outperform our competitors. 

Q. Looking ahead, where do you see Datashield/Lumifi positioned in the advancements of MDR in the next 5 years? What specific goals or targets has the company set for itself in terms of growth and innovation? 

In the next five years, Lumifi aims to establish itself as the dominant player in MDR, driving significant advancements in the field. We have set ambitious goals to drive growth and foster innovation, focusing on our customers' success and security. Our primary objective is to expand our market share by acquiring new customers and enhancing our offerings through continuous technological advancements. 

We understand that achieving success in this industry relies on the synergy between people, processes, and technology. To this end, we remain committed to nurturing a skilled and dedicated workforce. We will continue to invest in intelligent and talented individuals who ensure our customers' ongoing success and security. 

Q. Looking even further into the future, how do you envision the MDR landscape evolving in the next 10 years? What major trends or changes do you anticipate, and how is Datashield/Lumifi preparing to stay at the forefront of these developments? 

Looking ahead to the next ten years, I foresee a remarkable transformation in the Managed Detection and Response (MDR) landscape, driven by technological advancements, particularly in automation and AI. These innovations will revolutionize MDR solutions, enabling faster threat detection, more accurate incident response, and improved overall security outcomes. 
Lumifi is fully committed to embracing these advancements and harnessing their potential to stay at the forefront of the industry. By leveraging automation and developing AI capabilities, we aim to optimize our detection and response processes, empower our analysts with intelligent tools, and deliver enhanced protection to our clients. 

Moreover, as the MDR market evolves, we anticipate a significant consolidation. Current MDR providers cannot scale and will need to keep pace with technological advancements, ultimately causing them to lose profitability. We will continue to maintain a proactive approach to technical integration, and our unwavering commitment to continuous innovation positions us well to navigate these changes and maintain our leadership position in the MDR space. 

Micheal Malone | CEO of Lumifi

Government agencies are quietly suffering a significant uptick in security incidents and data breaches – but the cybersecurity industry doesn't seem to have noticed yet. 

One insight stands out among the many contained in Verizon' 2023 Data Breach Investigation Report.  

(more…)

Automation isn't always a replacement for human expertise. The two must work together to generate lasting security value. 

Security Operations Centers have struggled with workforce shortages for years. Experts were already alarmed at the growing cybersecurity talent gap back in 2017.  

(more…)

Cyberattacks against banks and financial institutions continue to rise as cybercriminals develop new tactics. 

The global financial sector is one of the biggest cybercrime targets in the world. The volume and sophistication of cyberattacks on banks surged in 2022, spiking considerably at the very end of the year. 

(more…)

Remote work is seemingly here to stay, with many workers forgoing their commute to work for a nice stroll to their in-home office. The WFH movement provides great flexibility but comes with even greater challenges for cybersecurity.

A 200% increase in cyberattacks has been witnessed following the remote working surge, leading to a greater emergency than most experts expected. Prying eyes understand the immense vulnerability working from home represents as we log into unprotected Wifi networks, access servers away from the safety net of the office, and even take our private data with us on the go. This ability for greater work flexibility works to expand and increase the attack surface for cybercriminals, enabling easier access to potential private data through a multitude of unprotected endpoints. Gartner called this expanded attack surface and increase in public cloud use, a major threat in 2022.

Remote Work's Impact

Remote work can dramatically increase the potential attack surface and according to Gartner, “These changes in the way we work, together with greater use of public cloud, highly connected supply chains and use of cyber-physical systems," Gartner warned, "have exposed new and challenging attack 'surfaces.'“

Working from home increases the use of new technology which may not be detected or equipped with proper security solutions. Many workers now rely on their emails for primary communication, resulting in private information potentially being sent via mobile devices, unsanctioned laptops, etc. Moving this equipment away from the in-office defense can leave unsuspecting users helpless in the event of a cyberattack.

"Those had been protecting the castle, but now, people aren't working inside the castle," said Ed Skoudis, president of SANS Technology Institute. "They're out in the field, so those defenses don't protect them there. We've been saying for years that the network perimeters we built were dissolving because of things like wireless and cloud, but then, COVID came and blew it all up."

Cybercriminals understand the increased opportunity for hacking that WFH brings, as many users are under the impression it won’t or can’t happen to them, even though they had been under an umbrella of security protocols, firewalls, and other solutions to block attacks and thwart criminals for years while in-office.

Most Common WFH Risks

1. Expanded attack surfaces

Security teams are already stretched incredibly thin these days, and the expanded attack surface of remote work can make it impossible to secure each endpoint.

2. Less oversight

Workers are more in the dark than ever before when it comes to remote work, as they don’t have security teams or experts on their home network, to keep an eye on anything suspicious.

3. Poor data practices

Sending unencrypted emails containing sensitive files can be a recipe for disaster and most remote workers aren’t thinking about this layer of protection when they are downloading or sharing private data.

4. Phishing attacks

Phishing continues to see stratospheric growth as sophisticated threat actors become more creative with their attempts at garnering link clicks. Remote workers rely heavily on their emails potentially increasing the likelihood of accidentally clicking on a phishing email disguised as a pertinent request from your boss, for example.

5. Unprotected Networks

The use of unprotected networks for work purposes can be a costly mistake, as unprotected networks, to a skilled threat actor, can be like putting all of your information out for the world to see. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), highlighted the risk of nation-states attacking home routers in 2022, proving that some attacks may very well be out of your control if you do not possess the technical know-how. VPNs are critical, especially if you choose to use public wifi.

6. Cloud misconfigurations

As we all know, the cloud is an essential component to our lives and especially remote work, but still does not go without challenges. Misconfigurations present massive liability on the grounds of failed access controls and accidental provision of too much access to certain users. The “2022 Cloud Security Report” highlighted more than one-fourth of all security professionals experienced cloud security incidents within the past year.

7. Webcam hacking 

At one point, the odds are you have used Zoom or Microsoft Teams for a video conference, interview, chat with friends, etc. but even these platforms can be hacked. Cybercriminals have reportedly sabotaged and disrupted online video chats, some even undetected enough to crawl around, stealing data and corporate emails for future use.

First-Line Defense

1. Keep Your Devices Updated

Any device that connects to the internet is vulnerable to risks. The best defense is to keep device security software, web browsers, and operating systems up to date.

2. Use an Antivirus

Antivirus software acts a shield for your computer against incoming threats such as viruses, ransomware, spyware, and other malware.

3. Separate Work and Personal Devices

The more devices containing private, company specific information, leads to greater vulnerabilities and gaps in protection.  Limit your personal devices for just as it sounds, your personal life. It may be tempting to take work "on-the-go" but refrain from this mentality when you can.

4. Enable Multi-Factor Authentication

No matter how strong your password is, a breach is always possible. Make it harder for cybercriminals to access your account by enabling multi-factor authentication which adds another step for access.

Adding MFA to an account greatly increases your security. It may include:

• A code emailed or texted to an account
• A biometric identifier like a fingerprint
• A unique number, yes or no prompt, generated by an authenticator app

Closing Thoughts

Working from home has been a life-saver for countless individuals across the country, but understanding the risks that lie beneath the surface could be the difference between you becoming a victim of cybercrime.  Your organization retains a great deal of responsibility for providing adequate training and implementing security protocols across all sanctioned equipment and servers, but the weakest link can break the chain.  Be vigilant and be smart.

What is Phishing?

Phishing is a type of online fraud which aims to steal personal and financial information by impersonating reputable companies.

Phishing can be done through email, websites, and social media. One of the most common ways phishers try to get your information is by sending you an email from a company you do business with or from someone you know.

The email may ask for your account number or other personal information. It might even say that there's a problem with your account and that you need to update your personal information immediately.

How to Spot a Phish

The best way to spot a phish is by looking for red flags such as typos, spammy subject lines, poor grammar and spelling mistakes. If you are unsure about something, it is always best to contact the company directly via phone or email rather than click on any links provided.

How to Protect Yourself from Phishing Attacks

Phishing scams are becoming more sophisticated and harder to spot every day. It’s not always easy to tell if an email is legitimate or not, which is why it’s important for everyone to know how to protect themselves against these attacks.

The first thing you should do when you get an email from your bank, credit card company or any other service provider is to make sure it’s actually them by looking at the sender’s address in your inbox. A phishing email will often have the name of a well-known company such as “Bank of America,” but the sender's address may be “[email protected]” or “BbccoDc3H6sLfI8MCJpAAABXyh43. A golden rule is to simply use common sense, and truly think of the motive behind the email. It’s better to be speculative than to be gullible.

The Current State of Phishing

Cybercriminals are becoming more skilled and cunning with phishing methods every year, while using tried-and-true strategies to trick their victims and steal from them. The COVID-19 epidemic allowed hackers to increase the frequency in which fraudulent emails were distributed as part of cyberattacks, according to data from Verizon.  As our world shifted predominately online, phishing attempts rose drastically as many of us rely on email to communicate within the online work place.

It might be challenging to discern a phishing attempt from a legitimate email, sms, or information request since phishing attempts can take many various forms. As a result, phishing simulations are a great approach to gauge user knowledge and raise phishing awareness across the board in your business.

Examples of Different Types of Phishing Attacks

Phishing has developed over the years to become increasingly complex, alluring, and difficult to detect. This means there is not a one-size-fits-all approach to identifying spam.

Phishing Email

The annual list of catastrophic data breaches in the globe still includes a sizable percentage of phishing emails. Phishing emails are made to look like they are from a reputable source, such as PayPal, a bank, Amazon customer service, or another well-known company. Cybercriminals conceal their presence in minute details like an email link or the URL of the sender.

Spear Phishing

The information that a cybercriminal has previously gathered about the victim or the victim's company is the foundation of this more focused phishing email assault. Spear phishing emails frequently utilize urgent and well-known language to persuade its victims to take rapid action.

Link Manipulation

This assault uses carefully crafted phishing emails and contains a link to a well-known website. This link directs users to a fake version of the well-known website that is made to resemble the genuine one and requests that they confirm or change their account credentials.

Fake Websites

Phishing emails are sent by online criminals that contain links to bogus webpages, such as the registration login screen for a well-known mail provider, and urge the target to input their login details or other details into the false website's interface. In order to fool consumers, malicious websites frequently employ a small alteration to a well-known URL, such as using mail.update.gmail.com rather than mail.gmail.com.

CEO Fraud

An email address that the victim is acquainted with, such as the CEO's, the HR manager's, or the IT support department's, is used in this illustration of a phishing assault. The email begs the recipient to take immediate action and provide money, change employee information, or download a new program on their computer.

Content Injection

A cunning cybercriminal will hack a well-known website and add a phony authentication server or pop-up that drives users to a false website.

Session Hijacking

With the help of this sophisticated phishing operation, thieves are able to enter a firm's web server and steal the sensitive data that is kept there.

Malware

Clicking an unsolicited email is all it requires to download dangerous malware on a PC or corporate network. These files may even be presented as humorous cat videos, Ebooks, or animated images while still appearing to be legitimate.

OpenSSL originally warned this patch would fix a critical vulnerability impacting all OpenSSL 3.0 installations.

OpenSSL has released a patch fixing the headline-making vulnerability it first announced on October 27th, 2022.  

(more…)

The open-source cryptographic library is an industry-standard found in an enormous range of applications.

In late October, the OpenSSL Project announced it would release a patch for a critical security vulnerability on November 1st, 2022. The organization did not share any details about the vulnerability itself, other than the fact that it impacts all OpenSSL versions 3.0 and above.  

(more…)

What is Ransomware?

An organization or user's access to data on their computer is restricted by malware known as "ransomware." Cybercriminals put businesses in a situation wherein paying the ransom is the quickest and least expensive option to recover access to their data by encoding these files and requesting a ransom demand for the decryption key. For increased motivation for ransomware sufferers to pay the ransom, several variations have included other capabilities, such as data stealing.

The first known ransomware attack was called "AIDS" or "PC Cyborg", which surfaced in 1989. Today, there are many different types of ransomware including Cryptolocker, CryptoWall, CTB-Locker, Locky, and TeslaCrypt. Some ransomware variants even go so far as to disable anti-malware software on infected systems so they cannot be removed by other means.

Emergence of Ransomware

The 2017 WannaCry attack marked the start of the current ransomware mania. This widespread and well reported assault proved that ransomware was both feasible and possibly lucrative. Numerous ransomware variations have since been created and utilized in numerous assaults.

The recent rise in ransomware was also influenced by the COVID-19 epidemic. Gaps in firms' cyber security emerged when they quickly shifted to remote labor. These flaws were taken advantage of by cybercriminals to spread ransomware, which led to an increase in ransomware assaults. When compared to the first half of 2020, ransomware assaults climbed by 50% in the third quarter.

Popular Ransomware Variants

There are several ransomware variants, each with specific features. However, certain ransomware organizations have been more active and profitable than others, setting them apart from the competition.

1. Ryuk

A very targeted ransomware variant is Ryuk. It is frequently sent by spear phishing emails or by utilizing stolen user credentials to access business systems over the Remote Desktop Protocol (RDP). After infecting a system, Ryuk encrypts some file types (but ignoring those that are essential to a computer's functionality), then demands a ransom.

One of the most costly ransomware variants in use is known as Ryuk. The average ransom demanded by Ryuk is above $1 million. As a result, Ryuk's cybercriminals mostly target businesses who have the means to satisfy their demands.

2. Maze

Because it was the first ransomware strain to combine file encryption and data theft, the Maze ransomware is well-known. When victims started declining ransom demands, Maze started gathering private information from their PCs and encrypting it. This data would either be made publicly available or sold to the highest bidder if the ransom demands were not satisfied. A further inducement to pay up was the prospect for a costly data leak.

The organization that created the Maze ransomware has formally ceased operations. This does not, however, imply that ransomware is any less of a concern. The Egregor, Maze, and Sekhmet varieties are said to share a same origin, and some Maze associates have switched to utilizing it.

3. REvil (Sodinokibi)

REvil started out as a conventional ransomware strain, but it has since developed. Now, it uses the Double Extortion method to steal data from organizations while also securing the files. This implies that attackers may threaten to reveal the hacked information if a second payment isn't received in conjunction with demanding a fee to unlock the data.

4. Lockbit

The ransomware-as-a-service LockBit has been active since September 2019 and encrypts data (RaaS). This ransomware was created to swiftly encrypt huge enterprises in order to avoid being immediately discovered by intrusion detection systems and IT/SOC teams.

5. DearCry

Microsoft issued remedies for four Microsoft Exchange server vulnerabilities in March 2021. A new ransomware version called DearCry is intended to exploit four previously discovered vulnerabilities in Microsoft Exchange.

Some file formats are encrypted by the DearCry ransomware. After the encryption process is complete, DearCry will display a ransom notice telling users to email the ransomware's operators to request instructions on how to unlock their data.

6. Lapsus$

A South American ransomware group known as Lapsus$ has been connected to cyberattacks on prominent targets. The cyber gang is well-known for extortion, threatening the publication of private data if its victims don't comply with its demands. The organization has claimed of getting into companies including Nvidia, Samsung, and Ubisoft. The gang masks malware files as legitimate ones by using stolen source code.

How to Protect Against Ransomware

Utilize Best Practices

An effective plan may significantly reduce the cost and effects of a ransomware attack. Adopting the recommended practices listed below can lessen an organization's vulnerability to ransomware and lessen its effects:

Cyber Awareness Training and Education: Phishing emails are a common method for spreading ransomware. It is essential to educate people on how to recognize and prevent possible ransomware attacks. User education is frequently seen as one of the most crucial defenses a company can employ, since many modern cyber-attacks begin with a focused email that does not even include malware but merely a socially engineered communication that tempts the user to click on a harmful link.

Continuous data backups: According to the definition of ransomware, it is software created so that decrypting encrypted data requires paying a ransom. A company may recover from an assault with little to no data loss and without having to pay a ransom thanks to automated, secured data backups. A crucial procedure for preventing data loss and ensuring data recovery in the case of contamination or disk hardware failure is maintaining frequent backups of data. Organizations may recuperate from ransomware attacks with the assistance of functional backups.

Patching: In order to guard against ransomware attacks, patching is essential since hackers frequently search the patches for the most recently discovered exploits before launching assaults on unpatched systems. Because fewer possible vulnerabilities exist within the company for an attacker to exploit, it is crucial that firms make sure all systems have the most recent fixes deployed to them.

User Authentication: Attackers using ransomware frequently exploit stolen user credentials to access services like RDP. A strong authentication process can make it more difficult for an adversary to utilize a password that has been guessed or stolen.

Biometrics 101 

Biometrics utilize your physical characteristics to assess identification matters such as fingerprint scans, facial recognition, retina scans, etc. as a more advanced sector of security. Biometrics is simply defined as a biological measurement or a unique physical characteristic that not even your twin would share. Think of it as you, yourself, being the password. 

The biometrics industry has experienced massive growth and momentum over the last decade as more and more cyber-attacks have placed companies in a position to think through more advanced, alternative security measures such as biometric identification. Totaling upwards of $68 Billion in just five years, this industry doesn’t show signs of slowing. 

Let’s dive deeper into the benefits but also the potential hidden dangers of biometrics in cybersecurity. 

Three Types of Biometric Security 

Biometric security can be grouped into three main subcategories such as: 

• Biological biometrics 
• Morphological biometrics 
• Behavioral biometrics 

Biological biometrics are exactly what they sound; using your biological makeup to use as identifiers for security purposes such as your DNA, tested through fluid samples. 

Morphological biometrics are most commonly used via your laptops, phones, tablets, etc. which include your physical traits like fingerprints and eye/facial shape, which are mapped through different types of security scanners. 

Behavioral biometrics include your walk, speech, and other purely behavioral traits exhibited on a daily basis that give way to succinct patterns. Similar to how interrogators use small microaggressions such as the twitch of a nose, or the quiver of a lip for hints of false testimony. 

Examples of Biometric Security 

While there are many different forms, here are some more common examples: 

• Voice Recognition 
• Fingerprint Scanning 
• Facial Recognition 
• Iris Recognition 
• Heart-Rate Sensors 

Odds are, you have run into many, if not all these biometrics at one point or another, whether that be at the hospital or just using an electronic device. Biometric security can be used in a plethora of different applications from a simple fingerprint scan to access a phone, to the protection of nuclear systems via multiple advanced biometrics such as retina/iris scans. 

Biometrics has seen a stratospheric rise in adoption over many different industries recently, such as:  

• Government 
• Border Control 
• Identity Management 
• Education 
• Private Sectors 
• Call Center Facilitation 
• Health Care 
• Pubs & Clubs 

While the adoption rates rise, the costs begin to drop for biometrics as to allow mid to small business use and even individual applications are being seen in the market. In days past, only the most high-end phones were equipped with fingerprint scanners but now even the $75 models come fully equipped with this setup. Biometrics are becoming an integral part of everyday life and it seems only inevitable that most businesses will adopt this ideology as well, even on the smallest scale.  

But, Are They Safe? 

Passwords are forgotten every day, subsequently, they are changed just as often, but biometrics stay with you for your lifetime and are unable to be “changed”, so does this mean they are foolproof? Well, not exactly, but extremely close. 

A biometric such as your handwriting or signature can not be stolen, but it can be learned by someone willing to take the time. Similarly, a physiological biometric like face mapping can be stolen through a photograph or some other illegally obtained means of duplication, while this is just a copy, it could still pose potential issues. Even though these biometrics can, in theory, be “stolen”, that does not mean instant access for your attacker since most systems use what’s called “liveness tests”. These tests help prevent and reject any samples of duplicated information such as fingerprints obtained on a piece of tape, or using a photograph of your target to gain entry.  

Many devices and systems have taken extra precautions against the examples listed above; take LG for example. They combine facial and voice recognition along with a heartbeat sensor to ensure a copy of a fingerprint can not be used in the same manner as a live person. The real challenges lie in solely facial scanners which have been successfully tricked by researchers and attackers alike. 

Researchers at the University of North Carolina set up an experiment to hack into facial recognition systems by downloading social media images of the volunteers and using them to construct 3D models of their faces, ultimately breaking into 4 out of 5 systems; a 90% success rate. 

Cloning fingerprints can be done reliably, cost-effectively, and rather quick as a demonstration at the Black Hat Cybersecurity conference showed duplicating a fingerprint using molding plastic or wax in as little as 10 minutes. Biometrics may be the way of the future, but that certainly does not expel risk. 

One more example of that aforementioned risk presented itself after the release of the Iphone 5, when members of the group, Chaos Computer Club, successfully bypassed the new fingerprint scanner by simply photographing the target fingerprint on a glass surface and then using it to unlock the phone. Obviously, technology has well evolved since the Iphone 5’s release, but with that comes the evolution of hackers and attackers hoping to create new ways to slip by these biometric systems. 

Biometric Data Security Concerns 

The more mainstream adoption of biometrics comes with a few data security concerns attached to it. Cybercriminals aim to get their hands on as much personal data as possible and these biometric systems host exactly the kind of information that attackers seek. In 2015, the US Office of Personnel Management was hacked, exposing upwards of 5.6 million fingerprints of official government employees, essentially leaving their identities unlocked for anyone to steal. 

Best practices for storing this type of data result in housing this information on a single device rather than a database no matter the level of encryption, as hackers can breach a system and take any and all data that is not properly secured, whereas breaching a single devices information is much more difficult. 

Ways to Protect Biometric Identity 

Biometric authentication should not be your sole means of protection as multiple means can dramatically increase the safety of your information, such as “liveness tests” like blinking that aren’t able to be duplicated or machined. 

Even more advanced systems have begun implementing add-on features for enhanced security such as age, gender, and height to increase the difficulty of obtaining all of this information legally.  

Two-factor authentication layered with biometric initial access can be a powerful combination and one that is recommended for secured internet devices as to lessen vulnerability.  

Takeaways on Biometrics 

Overall, biometrics continue to dominate the market and look to drastically increase security of systems through combinations of physical/behavioral scans along with other authentication. Utilizing simple, character-based passwords, are becoming a thing of the past as biometric technology continues to evolve. 

Do you trust biometrics and the new realm of biometric tech? Let me know in the comments. 

Starting 18 years ago, cybersecurity awareness month has magnified into a global effort to educate, inform, and empower everyone to protect themselves online as cyberthreats continue to see dramatic increases over the past decade. As our livelihoods shift predominately online, we become more vulnerable to prying eyes and malicious threat actors. This collaboration between the National Cybersecurity Alliance (NCA) and The Cybersecurity and Infrastructure Security Agency (CISA) helps to limelight crucial tips and steps to remain vigilant wherever you go online.

Here is an excerpt from CISA on this year’s CAM theme:

“This year’s campaign theme — “See Yourself in Cyber” — demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people . This October will focus on the “people” part of cybersecurity, providing information and resources to help educate CISA partners and the public, and ensure all individuals and organizations make smart decisions whether on the job, at home or at school – now and in the future. We encourage each of you to engage in this year’s efforts by creating your own cyber awareness campaigns and sharing this messaging with your peers.”

This year’s theme centers on the individual rather than just large companies and organizations to place importance on the role we all play in creating safer online environments. Here are 4 steps that EVERYONE can take, no matter your expertise in cybersecurity:

1. Enable Multi-Factor Authentication
2. Use Strong, UNIQUE passwords
3. Report Suspicious Emails and Activity
4. Keep Your Software Updated

What YOU CAN Do

“When we say See Yourself in Cyber, we mean to see yourself in cyber no matter what role you play.” - CISA

You may not have a role in IT or cybersecurity whatsoever, and you may be the least technologically savvy person in your family, but you still have the ability to safeguard your personal and private data!

Here are some tips from the U.S Securities & Exchange Commission:

• Be Careful What You Download. When you download a program or file from an unknown source, you risk loading malicious software programs on your computer. Fraudsters often hide these programs within seemingly benign applications. Think twice before you click on a pop-up advertisement or download a "free" game or gadget.

• Use Your Own Computer If You Can. It's generally safer to access your online brokerage account from your own computer than from other computers. If you need to use a computer other than your own, you won't know if it contains viruses or spyware. If you do use another computer, be sure to delete all of the your "Temporary Internet Files" and clear all of your "History" after you log off your account.

• Don't Respond to Emails Requesting Personal Information. Legitimate entities will not ask you to provide or verify sensitive information through a non-secure means, such as email. If you have reason to believe that your financial institution actually does need personal information from you, pick up the phone and call the company yourself - using the number in your rolodex, not the one the email provides!

Security Tip: Even though a web address in an email may look legitimate, fraudsters can mask the true destination. Rather than merely clicking on a link provided in an email, type the web address into your browser yourself (or use a bookmark you previously created).

• Be Smart About Your Password. The best passwords are ones that are difficult to guess. Try using a password that consists of a combination of numbers, letters (both upper case and lower case), punctuation, and special characters. You should change your password regularly and use a different password for each of your accounts. Don't share your password with others and never reply to "phishing" emails with your password or other sensitive information. You also shouldn't store your password on your computer. If you need to write down your password, store it in a secure, private place.

• Use Extra Caution with Wireless Connections. Wireless networks may not provide as much security as wired Internet connections. In fact, many "hotspots" reduce their security so it's easier for individuals to access and use these wireless networks. Unless you use a security token, you may decide that accessing your online brokerage account through a wireless connection isn't worth the security risk.

• Log Out Completely. Closing or minimizing your browser or typing in a new web address when you're done using your online account may not be enough to prevent others from gaining access to your account information. Instead, click on the "log out" button to terminate your online session. In addition, you shouldn't permit your browser to "remember" your username and password information.

Use your voice this October to advocate for a better understanding of safe, online practices, whether that be to your family, via social media, co-workers, etc. YOU can make a difference in the safety of others online.

More on how you can help: Click HERE

Artificial intelligence (AI) and machine learning are positioned to assist today's enterprises as they fight to defend themselves against the rising number of cyber attacks. 

Real-time learning and analysis of potential cyber risks is made feasible by AI and machine learning. Additionally, they use computers to create behavioral models, employing these models to forecast cyberattacks as new information becomes available. By accelerating and improving cybersecurity responses, these technologies work together to help businesses strengthen their security defense. 

An Effective Tool for Combating Cyber Attacks 

Cyberattacks have increased as more firms adopt digital transformation strategies. According to the Identity Theft Research Center, 2021 has been a record-breaking year in the U.S., with the number of data breaches at the end of the third quarter surpassing all of 2020 by 17 percent. Likewise, ransomware assaults have been rising alarmingly, with the typical incidence costing businesses over $700,000. Today, a ransomware assault occurs every 11 seconds, causing a 21-day company outage average. 

AI and machine learning can guard against these advanced threats, which hackers are using to shut down business networks. In fact, these technologies are rapidly advancing into commonplace tools for cybersecurity experts in their continuing battle with malicious actors. 

61 percent of firms said they won't be able to recognize major risks without AI, and 69 percent think it would be vital to counteract cyberattacks, according to a survey by Capgemini Research Institute. In fact, it is predicted that the market for AI in cybersecurity would reach $46.3 billion by 2027. 

• Finding anomalies: To find abnormalities that could be signs of an assault, AI and machine learning employ behavioral analysis and constantly changing parameters. 
• Future data breaches can be predicted thanks to AI and machine learning, which allows for the processing of vast volumes of data of various kinds.
• Real-time data breach response: AI and machine learning can deliver notifications when a cyber danger is discovered, or they may act independently without human assistance by automatically generating protective patches as soon as an assault is discovered. 

Benefits of AI and Machine Learning 

AI and machine learning are having a significant positive impact on cybersecurity programs at organizations. These consist of: 

• Increasing the speed of detection and response: AI and machine learning are far faster at identifying dangers than humans because they can quickly examine vast volumes of data. Furthermore, they may rapidly improve reaction times by applying fixes and removing threats in almost real-time. Todays cyberattacks may swiftly infiltrate an organization's infrastructure; thus, success depends on having razor-sharp detection and reaction times. 
• Lowering IT costs: AI and machine learning are efficient technologies because they need less work to detect and address cyber risks. According to the Capgemini analysis, the average cost reduction is 12 percent, with some firms achieving cost reductions of more than 15 percent. 
• Increasing cyber analyst effectiveness: By reducing the amount of time needed to manually go through data logs, AI and machine learning lighten the strain for cyber analysts. These systems can notify cyber analysts of an assault while categorizing the attack's nature, better enabling them to respond appropriately. Cyber analysts are more capable of handling even the most complicated risks with less manual work when behavior patterns are continuously and thoroughly analyzed. 
• Improving your overall security posture: As more data is reviewed and these systems learn from previous patterns, cybersecurity grows stronger with time as they become more adept at spotting questionable activities. Additionally, they safeguard an organization's infrastructure on both a global and micro level, erecting barriers that are more effective than those made by manual techniques. 

Potential Uses 

Although there are risks associated with AI and machine learning, their usage is only anticipated to grow in the future. These technologies have already shown themselves to be quite successful in a variety of application scenarios. The following are some typical use cases where businesses are effectively utilizing AI and machine learning: 

• Rapidly detect intrusions: AI is now being used by businesses to automatically and precisely identify criminal activities. Organizations are responding to incursions as soon as they happen because to machine learning's capacity to identify, evaluate, and defend against cyber threats in real-time. 
• Identifying suspicious behaviors: To identify questionable user activity, AI and machine learning are also applied. Organizations use machine learning to differentiate between typical behavior and aberrant behavior that may be the sign of a cyber attack in order to fix vulnerabilities until a data breach occurs. This is done by monitoring users' unexpected actions, such as when they log in at odd hours of the day or download an unusually high volume of data. 
• Detecting fraud: Many businesses use machine learning algorithms to anticipate anomalous client behavior in order to protect themselves against financial fraud. These technologies are assisting companies in identifying potential fraud risks before they materialize, hence minimizing their financial losses. They do this by having the swift capacity to identify if client behavior is abnormal.
• Discovering malware: Organizations are using AI and machine learning to forecast malware outbreaks in the future. Cyber analysts can foresee malware assaults and quickly mitigate the danger using machine learning, which uses patterns discovered in past infections. 

Planning Your Implementation 

It may be tough to know where to begin when integrating AI and machine learning into one's cybersecurity strategy, which is why many firms find it problematic. As you start implementing your implementation strategy, keep the following advice in mind to get the greatest results: 

• Employ competent cyber analysts who are well-versed in the use of AI and machine learning and decide which jobs you want to automate and which you'd rather have handled by people. 
• Ascertain that you have the data sets required to start employing AI algorithms, that this data is accurate and current, and that it is properly linked with your applications and infrastructure. 
• Set defined success criteria for these test projects, starting with just one or two use cases that are simple to deploy and provide real value for your business. 
• To validate, rank, and assess possible risks, create a clearly defined methodology. 
• Create control mechanisms to aid you in recognizing when an AI system deviates from expected behavior so you can quickly resolve any problems. 
• As you integrate AI and machine learning into other aspects of your cybersecurity strategy, evaluate the outcomes of your test projects and make any required adjustments. 

Powerful Tools for An Escalating Problem. 

AI and machine learning are potent tools that may aid firms in becoming more prepared as the volume and sophistication of cyberattacks rise. Your firm can identify and respond to cyberattacks in real-time with the correct technologies in place, while also resolving potential risks before they become major problems. As a consequence, you can better manage the pace and scope of today's risks and discover threats sooner, for less money, and with a security posture that is stronger. 

How Lumifi Can Help 

We not only utilize the industry’s leading threat intelligence platforms, but also deliver personalized security recommendations through scheduled calls with a dedicated Engagement Manager. Our suite of services allows you peace of mind knowing your organization is being monitored around the clock by an industry leading SOC which takes pride in its customers' security.   

Cloud Attacks: Are You Still Safe? 

95% of respondents are using the cloud, according to the 2016 State of the Cloud Survey. The nature of cloud-based computing offers the prospect of severe cloud security breaches despite its fast expansion, which can significantly harm an enterprise. One of the top worries is data security.

How can IT administrators maintain flexibility, data access, and innovation while still protecting themselves (and their companies)?

Let's look at 7 recommendations to protect your company against cloud security concerns.

1. Educate your employees.

There is a simple reason for the security concerns in the majority of organizations: unaware staff. You may reduce risk and stop cloud security risks by educating your personnel on suitable protection techniques:

Include the entire organization. Employees are more inclined to own up to their responsibilities regarding security measures when they actively participate in safeguarding corporate assets. Engage the whole staff in security training and inform them of future best practices.

Make a plan. Establish a reaction plan in case staff members believe their privacy has been violated. To ensure that users are always ready, create a document that outlines the actions they should do in various circumstances.

Conduct ad hoc security testing. It's crucial to educate your staff, but only if they remember the knowledge.

2. Secure a data backup plan.

The risk of irreversible data loss is increasing as the cloud develops. A secure backup of such data should be prepared for anything.

For enhanced security, IT administrators should spread data and applications over several zones and follow industry best practices for disaster recovery, offsite storage, and regular data backup.

3. Encryption Is Critical

For protection, cloud encryption is essential. It enables the encryption of text and data before it is uploaded to a cloud storage system.

Find out from your provider how data is managed. You may encrypt at the network's edge to guarantee the security of your data before it leaves your company, guaranteeing the transit of data in the cloud is safeguarded. Keep the encryption and decryption keys after the data has been encrypted. If you have both of these, any demands for information will require the owner's involvement even if the data is kept by a third-party supplier. Avoid storing encryption keys in the program that houses your data. IT departments must maintain physical control over encryption.

4. Passwords Matter

Considering that passwords are used to encrypt and compressed data, selecting one carefully is crucial. 90% of passwords can be broken in a matter of seconds.

According to Duncan Stewart, director of technology for Deloitte Canada, "passwords having at least eight characters, one number, mixed-case letters, and non-alphanumeric symbols were originally regarded to be strong." However, with the development of advanced technology and software, these may be readily hacked.

Despite the propensity for password reuse caused by our limited capacity to recall complicated credentials, avoid taking that risk. Create unique, distinctive passwords to fend against hackers.

5. Test, Repeat, Test Again

Think like a criminal while putting safeguards in place to secure your cloud. Penetration testing, a process in IT security intended to find and fix vulnerabilities as well as reduce cloud security risks, is one of the best ways to do this.

Here are some things to remember:

Be careful to alert your cloud provider before starting a penetration test because it resembles an actual assault.

Make a list of the things you need to test, such as servers and apps, and assess your weaknesses.

Keep in mind that internal dangers are just as likely as external ones when you develop your cloud penetration testing strategy.

What do Microsoft, Okta, T-Mobile, Nvidia, and LG all have in common? Well, for starters, they have all been extorted by one of the most prolific and unpredictable hacking groups of 2022.

The group coined, LAPSUS$, remarkably infiltrated and extorted a handful of the largest, pre-imminent tech giants in the world through a unique approach of SIM-swapping, social engineering, malware, and other means to enact their financially-driven motives, such as threatening the public release of proprietary data or simply dumping private data on their digital channels for all to see which certainly separates them from other “successful” hackers and groups of the last several years, not to mention they may all be between 16-21 yrs. old.

Let’s take a deep dive into the psyche of LAPSUS$ and what exactly makes them so dangerous, yet so bewildering.

Who Is Truly Behind LAPSUS$? 

Uncovering the leader or “brains of an operation” can culminate in immense understanding and ultimately dismantling of a criminal organization, but unfortunately, this cohort seems to work in a decentralized manner, closer to chaos than order. Some of the infamies certainly arise from their childish antics, leading to assumptions of inexperience.

The list of high-profile attacks would be enough for most cyber criminals to “hang it up” and relinquish to the dark recesses of the internet to preserve earnings and evade detection, but LAPSUS$ touts these victories via a public “Telegram” channel as well as polling viewers on their next “hit”. The social community seems to be the bread and butter of this group, alluding even further into their adolescent composition.

The LAPSUS$ group hit headlines in December of 2021, with a barrage of attacks against South American companies, including Brazil’s Ministry of Health and other government agencies in the area, before expanding their scopes onto larger, multinational companies to truly catapult into the limelight. At this point, the group had the full attention of the cybersecurity community and didn’t intend to squander it.

Fame and fortune stood around the corner as the group shifted to the pillars of international tech giants as their next prey, hoping to utilize their immense influence and coverage to the group’s advantage.

As stated via their Telegram channel, LAPSUS$ negates any state or political motives for their extortion attacks, leading some to question the seemingly randomized actions of the group. Is there a collective goal beyond notoriety and wealth?

How Does LAPSUS$ Operate? 

Microsoft released a ground-breaking report in March of 2022, outlining LAPSUS$’s operational inner workings with speculation on how they were able to extort the largest tech giants in the world. The report did not divulge the members of the group, but rather their model of pure destruction and social engineering methodologies used to extract data from even the most secure of systems.

While the group may be comprised of juvenile counterparts, Microsoft repeatedly spoke on the intricate, elaborate, and downright cunning methods used, similar to the most mature threat actors.

Let’s take a look at their strategies.

Telegram Channel 

LAPSUS$ proved time and time again, that they are to be taken seriously regardless of the make-up of their group, forcing C-suite cybersecurity executives to take notice swiftly. Microsoft stated they tend to gain seemingly impossible access via “social engineering” involving the bribing of employees at targeted locations within customer support call centers and/or various help desks.

Microsoft wrote, “Microsoft found instances where the group successfully gained access to target organizations through recruited employees (or employees of their suppliers or business partners)”

LAPSUS$ recruits “insiders” via social media channels since the beginning of their attacks, using nicknames such as “Oklaqq” and “WhiteDoxbin” to name a couple. These recruitment posts offered upwards of $20k/week to informants employed within companies like AT&T, Verizon, and T-Mobile. Their message was simple, just get us in the door and we will do the rest.

SIM-Swapping Method 

SIM swapping is most simply described as transferring one’s mobile phone number (the target) to another device owned by the hacker. This opens the doors for attackers to receive those unique one-time codes & passwords for easy access to protected systems, while potentially gaining the ability to reset passwords for total control.

“Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft explained.

Unit 221B, an advanced cybersecurity consultancy from New York, shadows cybercriminals performing SIM-swapping as well as keeping tabs on members of LAPSUS$ before their group ever formed (and still does). The group’s techniques, while wildly effective, are not unique, as this form of SIM-swapping has been heavily focused on within major phone companies for many years. Allison Nixon, Chief Research Officer of Unit 221B, exclaimed, “LAPSUS$ may be the first to make it extremely obvious to the rest of the world that there are a lot of soft targets that are not telcos,” Nixon said. “The world is full of targets that are not used to being targeted this way.”

The group also employs a malicious malware program called, “RedLine Stealer” or simply “RedLine”, which can be found on hacker forums for purchase and is commonly used for theft of information and infection of entire systems. Logins, passcodes, autofill data, and even stored payment info can be uncovered and extracted to access a plethora of personal accounts such as:

• Social Media
• Email
• Banking
• Crypto wallets, and more

RedLine Stealer was once again put into action by LAPSUS$ against Electronic Arts (EA), threatening to reveal 780 GB of proprietary source code, unless a hefty payment was received. The hackers revealed they gained control of EA’s data via authentication cookies purchased from the dark web in a marketplace called, Genesis.

“The existence of this leak was initially disclosed on June 10, when the hackers posted a thread on an underground hacking forum claiming to have EA data, which they were willing to sell for $28 million. The hackers said they used the authentication cookies to mimic an already-logged-in EA employee’s account and access EA’s Slack channel and then trick an EA IT support staffer into granting them access to the company’s internal network,” wrote Catalin Cimpanu for The Record.

Social Engineering & Corporate Extortion 

Social engineering attacks work by stealing credentials that allow for data theft and other debilitating means via psychological manipulation of individuals to release critical data to attackers. Microsoft stated LAPSUS$ received “intimate knowledge” of various companies through these tactics allowing them unbelievable front-door access to systems.

LAPSUS$ was known to frequently dial help desks, sometimes bribing or tricking employees into resetting critical account information, and then learning how they handled these security invasions by listening in on comm channels like Teams and Slack. The group used this “training session” to truly understand the methods and protocol these organizations went through to deter the very attack the group planned to carry out. This insider knowledge allowed them to circumnavigate all security points and remain hidden within the system while formulating further plots for extortion.

Microsoft released a statement, “The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure. Observed actions have included DEV-0537 answering common recovery prompts such as “first street you lived on” or “mother’s maiden name” to convince help desk personnel of authenticity.”

Initial access is granted through various methods, such as using RedLine, searching public code repositories, and even purchasing remote access credentials via the dark web. Of course, more straightforward approaches such as directly paying employees for access also proved worthwhile.

Multi-factor authentication seems like a safeguard with minuscule security lapse but LAPSUS$ manages to override these systems through session token replay and even repeatedly spamming account holders with MFA prompts after they successfully gained the password. The hacker group stated in their Telegram chatroom, that upon targeting users during the middle of the night with MFA prompts, their success rates were much higher, since people tend to simply select, “Accept” rather than be interrupted during their precious hours.

Data Harvesting and VPNs 

Virtual private networks, also known as VPNs, are another key on the keychain of LAPSUS$, which utilized them in a way that prevented any “impossible travel alerts” from being triggered within the system. These alerts, connected to cloud monitoring services, detect any suspicious activity of all users and logins, making notes on any consecutive login attempts from let’s say Colorado and then another from New York, 5 minutes apart. Hence, the “impossible” nature since one person could not possibly access a system quickly from these locations. Bypassing this feature is a critical step to remain hidden long enough to exfiltrate target data.

Microsoft reported, “DEV-0537 has been observed leveraging access to cloud assets to create new virtual machines within the target’s cloud environment, which they use as actor-controlled infrastructure to perform further attacks across the target organization.”

Once inside, LAPSUS$ had the power to knock out the business from its cloud platform, giving it absolute control. Next, all inbound and outbound email was to be directed to its infrastructure where data would be harvested before the total deletion of systems. Finally, the group would either publicly unveil the stolen data or use their many extortion tactics to prevent data release.

All good things must come to an end…right?

Arrests 

Bloomberg releases a breaking report stating the entire operation is being driven by a 16-year-old teenager from Oxfordshire, UK with seven arrests following on March 24th.

The 16 yr. old boy's father told the BBC: "I had never heard about any of this until recently. He's never talked about any hacking, but he is very good at computers and spends a lot of time on the computer. I always thought he was playing games."

All arrested were immediately released, pending a deeper investigation, with confirmation coming on April 2nd that two individuals were charged with connection to LAPSUS$ and the attacks of numerous tech giants.

Offenses included: 

3x counts of unauthorized access w/ intent to impair the operation of or hinder access to a computer.
2x counts of fraud by false representation
1x count of causing a computer to perform a function to secure unauthorized access to a program

Both individuals are reportedly on bail with limited details available due to their status as minors.

As a cybercriminal group, letting your voice be heard can be an opportunity for increased notoriety, but also lead to increased investigation and scrutiny by law enforcement agencies around the world. The above arrests of a 16 & 17 yr. old came just days after the public unveiling of source code for mobile apps belonging to these companies on March 30th:

• Facebook
• DHL
• Abbot
• AB InBev, and others

LAPSUS$’s Payday 

You might be wondering, with the insane prestige included on their “hit list”, how lined is the group’s wallet? Well, speculation has risen that LAPSUS$ has amassed upwards of $160 Million in revenue.

This finding is not concrete and has yet to be confirmed by members of LAPSUS$, but their public Telegram channel released details on their crypto wallet containing (3,790.62159317 bitcoin).

Where Are They Now? 

LAPSUS$ announced via its Telegram channel, “We created a Element/Matrix chat in the case this Telegram is deleted!

We advise everyone to join it!”

This is the last known message of the group, leading to speculation of potential regrouping while finding new paths of attacks after cutting it close with law enforcement. All of these intrusions mentioned in the blog occurred during a 3-month span, so potentially the master plan was to strike hard, and strike fast while jumping out before everything came crashing down.

Let us know what you think, have we heard the last of LAPSUS$, or is this just the dawn of a new era of cybercrime?

Attack Timeline

Public Wifi & Working From Home

By 2025, upwards of 36 million Americans will have entirely remote or flexible occupations, an 87 percent post-pandemic rise, according to some analysts. One might infer that having the opportunity to work outside of the office has led many employees to select open areas like cafés, diners, railway stations, terminals, and other public locations to do their tasks, increasing the vulnerability of organizations and people to cyberattacks via the dangers of public wifi.

Cyber Attacks Are On the Rise

You may believe, "I always use public wifi, and I've never had an issue!" Yes, at least not that you are aware of. The worrying reality is that cyberattacks are increasing along with the number of remote workers, putting everyone who uses public wi-fi in danger. Cyberattacks were ranked as the fifth top risk for businesses in the public and private sectors in a Global Risk Report that was issued in 2020, and it is anticipated that they will soon move up the list. The FBI assessed the financial cost at more than $4.2 billion and recorded 791,790 complaints of suspected cyber crime in 2020, which is 300,000 higher than reported in 2019. The need to safeguard oneself against the dangers of public wifi has never been greater.

What Are the Top Dangers of Public Wi-Fi for Businesses?

Most individuals who use public wi-fi networks while working are blissfully oblivious to the danger they run of unintentionally disclosing sensitive, secret, or essential information, which might pose a serious threat in the hands of an experienced hacker. You have probably used the convenience of free public wifi. The top seven risks of using public wifi for business, nevertheless, should be taken into consideration because this is not without significant risk.

Malware, Viruses, and Worms

The forced installation of malware, commonly referred to as malicious software, on user devices is one of the main hazards you may encounter when using public wi-fi. All programming and applications developed to damage devices or intercept information fall under this general heading. Hackers can infect the public wifi network, which subsequently spreads to the connected devices. Malware may cause havoc and spy on the systems it infects and comes in a variety of ways. In contrast to worms, which may multiply independently and do much more damage, viruses are a sort of malware that propagates through a host file and are activated and duplicated by a person.

Unencrypted Connections

Hackers may track all file sharing and data transferred between the individual and the server on a public wi-fi network when there is no encryption in place. In an unprotected network, a well-positioned attacker may simply follow the network users who are logged into the router and introduce malicious JavaScript onto their equipment.

Network Snooping

Network spying, which occurs when a hacker employs malicious software on an open wi-fi network to remotely observe the behavior on a third party's laptop, is another popular attack technique. Hackers can use this method to monitor any information transmitted, including passwords, credit card numbers, and other sensitive information.

Log-in Credential Vulnerability

Weak and obvious passwords lead to log-in credential vulnerability. Ensure all of your passwords for websites, applications, and wifi networks are strong and distinctive to avoid this kind of security issue.

System Update Alerts

Hackers are continuously coming up with new techniques to take control of smartphones. False system update alerts with the ability to exfiltrate data are one cunning kind of information theft that targets Android devices.

Session Hijacking

Public wifi networks provide a platform for a practice known as session hijacking, which involves abusing a valid online surfing experience. This is another way that hackers may access a network user's device's data without authorization, making any data about your company incredibly exposed.

How Can Businesses Stay Safe on Public Networks?

You must create a solid cybersecurity plan for your web presence and apps to ensure the protection of corporate communications, sensitive data, and other assets.

Here are some strategies for protecting your company from the dangers of open WiFi:

• To safeguard login credentials and add additional protection to the personal information of your users, switch your website over to HTTPS.
• Install a virtual private network (VPN) to provide you with protection by establishing an encrypted tunnel for user activity with end-to-end encryption.
• To prevent hackers from acquiring unnoticed peer-to-peer access, tell staff to disable Bluetooth and WiFi auto-connect.
• Ensure that the firewall is always turned on for remote workers' devices.
• Ensure that anti-malware and anti-sniffing software is installed on all business devices.
• Encourage staff to utilize the mobile hotspot offered by their cell carrier rather than a public wi-fi network that isn't secured.
• Run regular vulnerability checks to find locations where your internet infrastructure is vulnerable.
• Demand that your users generate secure passwords using a combination of letters, numbers, and special characters.
• Establish guidelines so that employees are aware of the risks associated with using public WiFi and how to safeguard themselves and corporate assets from criminal attackers.
• To prevent hackers from acquiring unnoticed peer-to-peer access, tell staff to disable Bluetooth and WiFi auto-connect.

What is Cybercrime? 

Cybercrime is a term that refers to all criminal activity perpetrated using computers and the internet. It includes crimes like hacking, phishing, identity theft, and more. 

The term cybercrime was first coined in the late 1980s by William Gibson in his novel “Neuromancer”. He used it to refer to crimes committed by people who used computers and networks for their activities. 

In today’s world, cybercriminals are becoming more sophisticated than ever before, and they are becoming harder to catch. Cybercrimes are an ever-present threat to the public. They can be committed by anyone, anywhere, and at any time. To protect ourselves from cyberattacks, we need to have a good understanding of the different types of cybercrimes that exist and how to prevent them. 

What are the Most Common Types of Cybercrime? 

The most common types of cybercrimes are phishing, ransomware, and data breaches.

Phishing is a type of online fraud in which the perpetrator tries to steal personal information from unsuspecting users by masquerading as a trustworthy entity in an email or a text message. 

Ransomware is malicious software that encrypts data on a computer and demands ransom payments in order to decrypt it. 

A data breach is when confidential customer information such as passwords, financial information, or other sensitive documents are stolen by hackers. 

Motives of Cybercrime 

Some types of cybercrimes are conducted against particular devices or systems in order to injure or disable them, whereas the bulk of cybercrimes is performed in order to generate income for the offenders. Others use computers and networks to disseminate viruses, sensitive information, photos, or other types of data. Some cybercrimes carry out both of these actions; they target computers in order to contaminate them with a virus, which is subsequently transferred to more machines and, occasionally, whole networks.  

Financial loss is one of cybercrime's main effects. Ransomware assaults, email and internet fraud, identity fraud, as well as efforts to acquire bank assets, credit cards, or other payment information, are just a few examples of the numerous profit-driven criminal activities that can be classified as cybercrime. 

Private information about a person or company data may be targeted by cybercriminals for theft and sales.  

Due to the pandemic's widespread remote work practices, it will be more crucial than ever to preserve backup data in 2022 as cybercrimes are predicted to increase in regularity. 

Distinct Forms of Cybercrime

There are many distinct kinds of cybercrime, as was already explained. Although the means by which cybercriminals want to be compensated might vary, the majority of cybercrimes are committed with the purpose of earning benefits from the attackers. The following are some distinct forms of cybercrimes:  

• Cyberextortion: committing a crime that involves an assault or threat of an assault along with a monetary demand to put a halt to the attack. The use of ransomware is one type of cyberextortion. Here, the hacker accesses a company's networks and encrypts any potentially valuable papers and files, rendering the information unavailable until a ransom payment is made. Typically, this takes the form of a cryptocurrency like bitcoin.  
• Cryptojacking: an assault that uses programs to secretly mine bitcoin within users' browsers. A cryptojacking attack may involve installing bitcoin mining software on the victim's computer. However, many attacks employ Javascript to conduct in-browser mining while a user has a page or window open in their browser that is pointed at a malicious website. No malware has to be installed because the in-browser mining code is activated when the affected website loads. 
• Identity theft: a cyberattack that takes place when someone gains access to a computer to collect personal data from a user in order to steal their identity or get access to their valued accounts, including banking and credit cards, or both. On darknet marketplaces, cybercriminals purchase and sell identification information in exchange for financial accounts and other sorts of accounts, including webmail, streaming video and audio, online auctions, and others. Identity thieves also frequently target personal health information.  
• Credit card fraud: a cyberattack that takes place when hackers get into merchants' networks to obtain consumers' financial and/or credit card information. Darknet marketplaces allow for the wholesale purchase and sale of stolen payment cards, which hacking organizations may benefit from by selling to lesser cybercriminals who use the cards to commit individual account credit card fraud.  
• Cyberespionage: a cybercrime when a hacker infiltrates networks or systems to access private data kept by a state or other institution. Attacks may be sparked by ideology or monetary gain. Cyberespionage activities can involve any kind of cyberattack to collect, modify, or destroy data, as well as the use of internet devices, like video cameras or closed-circuit TV (CCTV) cameras, to eavesdrop on a targeted person or group, and surveil communications, including emails, text messages, and instant messages.  
• Software piracy: a cyberattack including the unauthorized duplication, dissemination, and use of software for either personal or commercial purposes. This kind of cybercrime is frequently accompanied by trademark violations, copyright infringements, and patent violations.  
• Exit scam: unsurprisingly, the exit scam, a traditional crime, has a digital iteration thanks to the dark web. In its current form, dark web admins steal from other criminals by diverting virtual cash from marketplaces escrow funds to their own accounts. 

How Lumifi Can Help

A proactive approach is the best defense, and that's where Lumifi shines. Lumifi runs thousands of simulated attacks on your network and endpoint environment to identify actual security vulnerabilities before cybercriminals can compromise your system. Utilizing our next-gen MDR services, we always stay on top of your cybersecurity, so you can focus on what matters most.

The flaw has been exploited in real-world attacks, but most Palo Alto customers will remain unaffected. 

In the second week of August, Palo Alto Networks issued a security warning for a high-severity vulnerability in its PAN-OS operating system. Many of the company' networking hardware products use this operating system, but not all of them are susceptible. 

(more…)

Find out how to configure Linux to generate comprehensive log feeds for SIEM, UEBA, and SOAR technologies. 

Linux is an attractive solution for enterprises in search of a flexible, powerful operating system. Many different operating systems use the Linux kernel, such as Ubuntu, Debian, and Red Hat Enterprise Linux (RHEL), which itself is an enterprise-ready extension of CentOS. 

Open-source Linux distributions have a slightly different security profile than proprietary technologies like Windows. Some enterprise IT leaders choose Linux specifically for its security capabilities and low implementation costs. However, making the most of those security capabilities requires utilizing sophisticated information security technologies like SIEM, UEBA, and SOAR. 

Most Linux distributions automatically collect log data on user, application, and kernel activities. Logins, file modifications, and account modifications are stored in a chronological timeline so that security analysts can review them and investigate suspicious activities when necessary. 

Boost Security Performance by Configuring Log Data 

SIEM, UEBA, and SOAR technologies rely on these logs to categorize and prioritize suspicious activities and automate some of the most time-consuming tasks security analysts must perform. The better and more comprehensive those logs are, the more accurate these technologies’ insights can be. 

One of the best ways to access log data in Linux is through the Linux Audit System, better known through its command line name Auditd. It provides comprehensive visibility into system calls, file access, and pre-configured auditable events throughout the Linux environment. 

Configuring Linux’s log collection policies will let you send better, more accurate data to your SIEM, UEBA, or SOAR platform. This significantly boosts the quality of its security performance output in turn. 

How to Configure Log Management Policies in Linux with Auditd 

The example we have written is for RHEL but works the same way in Ubuntu. Most Linux-based operating systems will provide for a similar process. 

The goal of this configuration is to push comprehensive system logs onto the syslog directory and move them from there to a remote log management solution. This configuration does not remove any existing rules, so you can use it as a starting point for changing the default configuration. However, if you already have a robust, custom configuration, some of these rules may overwrite yours. 

This is the directory you’ll be placing the configuration in...

Get our custom AuditD ruleset for your use!

Make Sure Your SIEM, UEBA, or SOAR Platform Can Parse These Logs 

In our example, we’re using syslog to access the logs our policies generate. You may use syslogd or syslog-ng for the same purpose – our team would be happy to provide you with the appropriate configurations. 

Instead of using a simple *.* in the master rsyslog.conf file, we prefer creating a custom file in /etc/rsyslog.d. Consider creating a file called auditd.conf and populating it like this: 

if $programname contains 'audisp' then

@@SIEM_COLLECTION_IP:514 & stop

Notice that we’re using @@ to send data via TCP and specifying TCP 514 as the port. The default port for syslog is usually 601, but most systems still use UDP and TCP 514 for logs. Feel free to edit this code to fit the needs of your environment and restart rsyslog when you’re ready to effectuate the changes. 

That’s it! Now, almost every SIEM, UEBA, and SOAR system on the market can natively parse the logs generated by your Linux distribution. You may now review and analyze accurate log data describing unwanted access, changes, and installations on your Linux systems. 

Solution Evaluation

An integral step in creating a resilient cybersecurity platform is to perform an audit of your organizations existing policies and procedures. Lumifi can help with this endeavor during our Asset Criticality Assessment, during client onboarding process, and periodically on a structured timeline.

Here are components we consider when looking at the entire security infrastructure:

• Network Security
• Malware Prevention
• Monitoring
• Incident Management
• User Education
• Configuration and Change Management User Access and Privileges

Tool Implementation

Once the proper solution or suite of solutions is determined, we help source, install, configure, tune and customize each solution to our customer’s needs. If a solution is already in place, we step in and begin management of the existing tool.

The following are just a few of the services we offer in this step of the process:

• Cybersecurity Hardware / Software Deployments
• Cybersecurity Tool Configuration, Tuning & Customization
• SIEM Appliance Administration
• Establishing Security Policies & Procedures
• We offer managed and co-managed environments that allow our customers to maintain visibility 24/7/365 right alongside our team. Once we are up and running the with the properly deployed solutions constant monitoring through our world-class MDR service is the next step in the process.

Managed Detection & Response (MDR)

Lumifi is a leader in MDR services, recognized on Gartner’s Managed Detection and Response Market Guide and by third-party service provider lists. Often, the least considered factor in the security provider selection process in the human element. While technology is an important factor in first-class MDR, Lumifi’s biggest differentiator is its expertise. Lumifi provides the experience needed to stand out from the saturated MDR market with leadership and management having decades of experience, stretching back to before MDR was even a term.

Vulnerability Management (VM)

Discovering where you are most vulnerable is a security priority and likely already part of your overall program. The ability to continuously identify threats and monitor unexpected changes in your network before they turn into breaches is common practice.

Security programs often have the challenge of finding and retaining talent along with time restraints for proper cybersecurity processes. Lumifi can help fill those gaps. Our security staff will manage the process and help ensure your security program is successful while saving you time and money.

Email Security

Ransomware, impersonation, spear phishing; standard email-defense systems can’t protect against it all. Lumifi deploys leading email security tools to defend against routine spam and targeted threats.
Email security tools combine internally developed and third-party technologies with dozens of internal and external threat-intelligence sources. These tools simplify and automate the process of recovering email and other data within your email environment while ensuring that email systems remain 100% operational, and data is secured within. In addition to L1 and L2 support, Lumifi provides back-end integration into its MDR services to enhance visibility and reporting.

Endpoint Detection & Response (EDR)

EDR solutions take traditional antivirus tools to the next level by allowing security teams to continuously collect, track and store endpoint data. This level of detail provides analysts with the forensic granularity necessary for active threat hunting and proper incident response. Lumifi partners with leading EDR tools such as SentinelOne, Defender for Endpoint and CarbonBlack to provide comprehensive security solutions that secure customer endpoints end-to-end.

Incident Response & Threat Remediation

Cyber resilience includes recovering quickly from an attack. When Lumifi reports a verified incident, our ASOC provides recommended steps for remediation, including step-by-step instructions with procedures and escalation paths to remediate the incident.

Compliance & Reporting Support

Cybersecurity compliance is a key factor in many industries and producing the proper reports and logging protocols necessary can be cumbersome and time consuming for many organizations.
Lumifi helps companies in various industries cover compliance mandates such as HIPPA, HITECH, PCI DSS, Sarbanes-Oxley, EU GDPR, CCPA and more. Our Security Operations Center is certified SSAE 18 SOC 2 Type II and prepared to help clients of all industries meet their cybersecurity compliance requirements.

Cybersecurity is a very important issue for any organization, and events can lead to a variety of negative outcomes; incidents often result in data theft, financial loss, and even damaged reputation. The cost of an attack is very high, which is why it's important to be prepared for the worst-case scenario. Managed Detection and Response is an outsourced array of services delivered by a Security Operations Center (SOC). These services include the detection of threats and a structured plan for mitigation and/or containment correlated over multiple cybersecurity products.

What Is Threat Hunting?

Threat hunting is the proactive approach cybersecurity organizations use to identify threats before they happen. The process includes proactively searching for adversarial activity within an organization’s computer network. A threat hunting and incident response team is responsible for finding and analyzing cybersecurity breaches and are also responsible for mitigating the risk of future breaches. Threat hunting teams work to identify potential threats before they become actual incidents which can be done through deep packet inspection, network forensics, and other techniques. They can find out what type of malware is being used or where a vulnerability exists on customers networks by proactively monitoring those networks with tools like PaloAlto Cortex, Carbon Black, Azure Sentinel to name just a few. As soon as they have identified an issue, they can take appropriate measures to resolve it before it becomes a full-fledged cybersecurity incident. Lumifi Cyber utilizes its home-grown automated threat hunting platform, ShieldVision which allows our SOC to be tool agnostic and provide proactive threat hunting to stay ahead of today cybersecurity threats.

What Is Incident Response?

Incident response (IR) is a process of responding to and containing an incident. It includes preparation, detection, containment, eradication, recovery and documentation of lessons learned. The purpose of incident response is to minimize the impact on the organization's business operations while reducing the risk of future incidents. Incident response teams should be prepared for all types of cyber threats which could include malware infections or ransomware attacks. These incidents disrupt systems and or steal sensitive data such as credit card numbers or personal information throughout the network. The goal of IR is to ensure that the data has not been compromised or exfiltrated and to mitigate the damage of future incidents.

Why Choose Lumifi?

Companies looking into MDR need to take a holistic view of their providers and their teams. Often, the least considered factor in the security provider selection process in the human element. While technology is an important factor in first-class MDR, Lumifi’s biggest differentiator is expertise. Lumifi provides the experience needed to stand out from the

saturated MDR market with leadership and management have decades of experience, stretching back to before MDR was even a term. Our approach to security is focused on a balance of custom solutions, client-centric partnerships, and proactive approaches. Lumifi has its own team of threat Content Developers, Web Developers, experienced Engineers, and seasoned Analysts to provide unparalleled proficiency. We not only utilize the industry’s leading threat intelligence platforms but also deliver personalized security recommendations through scheduled calls with a dedicated Engagement Manager. Lumifi leverages a proprietary platform called to provide leading AI Orchestration capabilities. This tool allows us to discover malicious activity within a client’s environment and then utilize that information to detect and respond across our client base who may be experiencing the same malicious activity. Our suite of services allows you peace of mind knowing your organization is being monitored around the clock by an industry-leading SOC which takes pride in its customer's security.

Security Orchestration, Automation and Response (SOAR) is an integrated, automated, and orchestrated set of services that provide a response to cyber incidents. It enables the rapid identification of cyber incidents and prevents them from escalating into major disasters.

SOAR was developed as a response to the need for automating incident responses and remediating security incidents. SOAR utilizes a framework that can be used by myriad organizations from small business owners to large enterprises. The process helps organizations automate security operations and enhance their security stance, integrating with tools such as SIEM, to provide a holistic view of the organization’s cybersecurity posture. It also provides a platform for Security Operations Centers (SOCs) to orchestrate the response to cyber-attacks in real time.

The Benefits of Implementing SOAR

Automating Repetitive Tasks

Human error in the workplace is the initial entry point for 95% of security incidents which inevitably leads to cloud environment compromises, according to Gartner. The high failure rate is due to repetitive manual tasks, which increase the likelihood of an oversight or mistake. Threat investigations and responses are performed faster and at scale across complex or expansive IT infrastructures with SOAR capabilities.

AI Enables New Security Initiatives to Protect Digital Infrastructure

The integration of machine learning in SOAR solutions enables the technology to dive deeperinto threats, analyze them, and gain contextual knowledge of their capabilities. The insight SOAR provides sets the foundation for fine-tuning incident response strategies to improve overall IT security.

Orchestrate Security Incidents Sent to The Expert

SOAR technology automates the orchestration process and routes security incidents to an analyst or expert with the best credentials to handle a particular incident. SOAR ensures teams get only the essential information needed to act, increasing the fidelity of threats and reducing the number of alerts. 

SOAR in a Nutshell

In short, the best cybersecurity orchestration and automation solutions provide the following:

• Automated security monitoring and analysis
• Security orchestration
• Automated response
• Orchestration of third-party services
• Continuous monitoring and reporting on security events.

At Lumifi, you can be certain that your organization is in capable and experienced hands, implementing the most modern SOAR techniques. Forward-moving and ever-evolving, we exist to help improve your security posture.

Contact Us Today to Learn More

A newly discovered Spring vulnerability enables remote code execution on enterprise Java applications.

In late March, a developer publicly posted exploit code describing a zero-day vulnerability in the popular Spring Framework, a popular solution for building enterprise applications in Java. Spring is part of VMWare's suite of enterprise products, designed to let developers quickly and easily develop enterprise-level applications. 

(more…)

Your security response depends heavily on what data you log, and how you log it.

Your security information and event management (SIEM) solution uses logs to build an accurate picture of your organization's security profile.  

(more…)

Today’s threat landscape is more diverse and expansive compared to any period since the beginning of the information age. Recent security trends such as the increase in malicious activities rising by 358% from July 2019 to July 2020 and 90% of healthcare organizations reporting security breaches to highlight the increased dangers enterprises face.

To effectively detect and mitigate threat factors to IT infrastructure, understanding the different features associated with delivering cybersecurity and network security is required…and yes there are differences between both. Here, the differences will be outlined including the diverse security tools that can be used to secure cyber infrastructure and enterprise networks.

What is Cybersecurity?

Cybersecurity is the processes you deploy to defend your organization’s IT architecture which includes the network, computers, and the data it produces from unauthorized access and attacks. Implementing cybersecurity measures involves the use of security tools to ensure the aforementioned assets are protected.

Enterprises that produce or store a large amount of data are more likely to experience cybersecurity incidents. Security operations centers designed to tackle cybersecurity incidents make use of tools that fall into the security orchestration, automation, and response tools and/or security information and event management solutions.

To effectively deal with cybersecurity threats, security tools are deployed to predict threat events, analyze them, and employ the right responses to mitigate threats.  Enterprises with functioning IT architecture are expected to invest in cybersecurity solutions to deal with related security incidents.

What is Network Security?

Network security is a subset of cybersecurity because it focuses on protecting the data that is sent and received through your IT architecture or networks. Implementing network security to respond to incidents involves the use of both hardware and software security solutions to secure devices with access to your networks.

The security tools used to deliver network security includes anti-viruses, firewalls, intrusion detection and prevention solutions, and virtual private networks. These tools work together to limit unauthorized access to your enterprise networks and when successful breaches occur, they work to get the attacker out of your networks as quickly as possible.

Cybersecurity vs. Network Security

The definition of both security processes highlights the most important distinction between cybersecurity and network security. Using the above definition, network security is a subset of cybersecurity that focuses on securing computer networks, the data sent through them, and the devices that have access to these data.

Other important distinguishing factors that help when struggling with differentiating between cybersecurity vs. network security include:

• Types of Security Threats – Networks are susceptible to attacks such as spyware and adware, denial of service attacks, viruses and worms, and zero-day attacks. Cybersecurity deals with attacks propagated through phishing, pretexting, and baiting. The personal approach cybersecurity incidents take is one reason why human error is the leading cause for successful cyber-attacks.
• Security Tools Used – The security tools used to deliver network security include firewalls, intrusion and prevention solutions, network security monitoring tools, and virtual private networks. The security tools applied to handle cybersecurity threats include SOAR and SIEM tools.
• Security Deployment Procedure - In many cases, network security solutions are integrated into hardware and software infrastructure by default and require regular updates while effort must be put into selecting, purchasing, and deploying the correct cybersecurity tools. It’s not all bad news though because cybersecurity services can be outsourced to providers that help with deploying cybersecurity tools.

Conclusion

Cybersecurity vs. network security is hardly a battle outside the need to understand the differentiating factors because enterprises are expected to deploy cybersecurity and network security tools to protect IT infrastructure. The solutions used to secure both cyber and network assets must be integrated into SOCs if you intend to be prepared to handle the different risks attackers throw your way.

For more information about the differences between network and cybersecurity contact us to reach one of our team members.

Statistics show that the fallout from successful cybersecurity incidents has both financial and business-related consequences. A data breach costs the average enterprises approximately $60,000, and in extreme situations, small and medium-sized businesses may go out of business within 6 months from the date the incident occurred. Thus, to determine whether the financial cost of successful hacking attempts, businesses have turned to insurance to deal with extensive losses.

Today, cyber insurance or cyber-liability insurance is popular among enterprises with online operations. Cyber insurance is defined as insurance policies a business takes to protect itself from the fallout of a successful hacking or cybersecurity incident. The policy is a contract between the enterprise and an insurer providing financial security against cyber-related incidents. The insurance policy ensures a business receives the financial support it requires to successfully apply mitigation techniques to deal with network and IT infrastructure security incidents.

"Organizations should also consider having a third-party Security Operations Center (SOC) like Lumifi Cyber, as it often qualifies them for a discount on their policy," said Director of Product Management Mike Heller. "Many insurance companies will consider the use of a qualified outsourced SOC as means to transfer risk and provide a discount for those services."

What Does Cyber Insurance Cover?

Insurance coverage and what it covers are determined by the contract signed between the insurer and the business owner. The average cyber insurance policy is designed to provide cover for cybersecurity failures. Cybersecurity failures in this context would refer to data recovery initiatives, IT forensics, and the cost of the legal fallout from security incidents regardless of an in-house error that led to a successful system breach.

The mitigation process needed to deal with breaches differs according to the severity of the incident. In many cases, where Ransomware or business email compromise hacking techniques are used, a team of external experts may be required to handle the mitigation task to regain stolen data. In terms of BEC, security agencies may be involved with tracking the hackers behind a successful incident. The mitigation process for the above examples is expensive. Thus, insurers generally provide added paperwork for more complicated security breaches.

Cyber insurance policies sometimes cover the amount lost from a BEC hacking attempt depending on the amount lost. Coverage for BEC fraud is generally provided as a specific policy outside the standard cybersecurity insurance coverage framework. The need for exclusivity where BEC fraud is involved is once again due to the large sums, which can run onto six figures, associated with BEC scams.

Insurance companies also take diverse approaches to deal with successful Ransomware attacks. After evaluating the effect of the Ransomware attack, the insurer may determine that paying the requested ransom fee may be a more effective method of getting back sensitive data. Insurers may also choose to involve law enforcement, which comes at a cost, or bring in experts they have worked with in previous cases to deal with the situation.

What Isn’t Covered by Cybersecurity Insurance?

Cybersecurity incidents can be broad and far-reaching as they can affect both online and offline business operations. Thus, in some cases, cybersecurity insurances provide limited coverage compared to the amount of risk an enterprise’s IT infrastructure and business has been exposed to. For example, a successful Ransomware attack that becomes public can affect the finances, reputation, and intellectual property of an enterprise. Standard cybersecurity insurance policies may cover the financial cost of dealing with the attack but not the reputational damage or intellectual property is stolen or distributed on the dark web.

The limited nature of cybersecurity insurance means an enterprise that never recovers its goodwill may still go out of business despite deploying mitigation techniques to limit the damage. Losing customers is a fallout no insurance can cover as customers feel safer taking their business elsewhere.

Another grey area to be considered is cybersecurity incidents that are perpetrated by hacking farms backed by other nations. For example, the NotPetya malware attack, linked to the Russian military and similar attempts from North Korea, can be classified as acts of war by insurers. This grey area must be analyzed, and a coverage decision was taken before any insurance policy is signed. Using the NotPetya incident as an example, some insurers paid damages to mitigate risks while others stuck to the ‘act of war’ narrative, leaving the payment decision to the courts.

The grey areas within cybersecurity insurance are reasons why enterprises must thoroughly evaluate cyber insurance policies before choosing to go with an insurer.

What Does Cybersecurity Insurance Cost?

Statistics put the average cost of cybersecurity insurance in the US at approximately $1,485 per annum. This average cost does not apply to every enterprise because more comprehensive cybersecurity insurance which focuses on peculiar security incidents costs more. Insurance enterprises also evaluate the cybersecurity threat levels of a business to determine the cost of purchasing an insurance plan. Thus, enterprises susceptible to cybersecurity incidents due to the nature of the business they run are subject to more expensive insurance coverage.

The choice of purchasing insurance policies against successful Ransomware attacks or BEC fraud also comes at a cost. The value of data a company stores within its IT systems plays an essential role in deciding how much an insurer will be willing to charge for providing a policy plan against such security incidents.

Conclusion

Although cybersecurity insurance provides some help against hacking attempts, it is not a substitute for maintaining a functional security operation center and implementing compliance policies. As stated earlier, insurance may cover financial losses, but an insurance plan cannot repair hits to an enterprise’s reputation.

The cybersecurity analyst has become the third most valuable job description in the technology industry. The increasing security incidents to IT infrastructure, the demand for accountability from end-users, and the financial cost of successful breaches are significant reasons enterprises and startups are taking cybersecurity seriously. Ambitious professionals who choose a career in IT security are reaping the benefits of securing operating systems and deployed IT infrastructure.

Cybersecurity experts are handsomely rewarded for their efforts and are in high demand. But in an industry where standardization of skills is often proven, job candidates often must have specific certifications to obtain high-value jobs. Today, cybersecurity certifications play essential roles in highlighting a professional’s critical competencies alongside provable work experiences.

The top five popular certifications include CISSP, CISM, CRISC, AWS Certified Security, and CompTIA Security+ according to the 2020 IT Skills and Salary Report.

The Importance of Certifications in Cybersecurity

A few decades ago, anyone with a bit of understanding of computers and IT systems could label themselves as cybersecurity experts to gain access to jobs. The lack of regulation and little or no means to determine an expert’s core competencies except through informal referrals led to chaos within the industry. The rapid introduction of new threat actors and hacking tools exposed most ‘cybersecurity experts’ as under-qualified individuals with limited hands-on knowledge in dealing with threats.

To eliminate the chaos caused by inadequate validation processes, diverse organizations developed testing criteria to determine an individual’s ability to deal with all kinds of cybersecurity incidents. The testing procedure, which also awarded certifications, has become the top validation tools for enterprises hiring cybersecurity experts or firms.

Today, a cybersecurity certification is essential for different aspects of a professional’s career growth; at the entry-level where individuals with non-existent work experience intend to join the workforce, certifications highlight that the certified individual has the technical knowledge to handle cybersecurity issues. Attaining certifications gives entry-level professionals a foot into the door of a very competitive industry.

Experts who have spent years perfecting the art of identifying and mitigating cyber risks also have a lot to gain with a certification attached to their names. First, a certified expert takes professional development activities seriously. With the validation cybersecurity certifications provide, statistics show that professionals with multiple certifications earn approximately $10,000 more than those with fewer certifications.

The Top 5 Most Popular Cybersecurity Certifications

The International Information System Security Certification Consortium (ISC)²: CISSP Information Systems Security Management Professional – The CISSP is a certification provided by ISC², and it accesses an individual’s ability to design, implement, and manage best-in-class cybersecurity operations for an enterprise. The certification examination process also expects you to have completed some prerequisite courses before taking the exam.

CISSP was developed to validate the skill sets of high-level cybersecurity experts such as Chief information officers and Chief Technical Officers tasked with running the operations of a security center. Certified professionals are expected to recertify in a couple of years, and the certification provides access to leading journals, resources, and tools about cybersecurity.

ISACA Certified Information Security Manager (CISM) – ISACA is another international non-profit organization that provides certification training and examinations for the IT community. The CISM is a management-focused certification that evaluates a candidate’s understanding of both the technical and business aspects of managing a security operations center or system.

Earning a CISM validates your skill sets in setting up an operations center and managing it, thus supporting your application for management roles within the IT industry. CISM-certified professionals are granted access to cutting-edge security materials and are expected to recertify after a couple of years.

ISACA Certified in Risk and Information Systems Control (CRISC) –Properly managing a company’s exposure to risks from cybersecurity incidents ensures the affected company retains its brand reputation despite security threats. The CRISC certification validates a professional’s ability to manage IT enterprise risks and design risk-based information systems controls.

The CRISC certification is designed for risk and security managers, information control managers, and CIOs interested in validating their risk management abilities. The certification comes with an expiry date, and certified professionals are expected to renew their certifications periodically.

AWS Certified Security – Specialty: The leading provider of cloud-based services offers security certifications targeted at professionals building a career in managing AWS-built infrastructure. The AWS Certified Security certification is designed to evaluate and validate your ability to secure AWS cloud from cyber threat actors. The certification is targeted at risk and security managers, security analysts, and CIOs who intend to secure cloud infrastructure.

The certification program requires a prerequisite qualification, and certified professionals are expected to recertify in a few years. AWS-certified security professionals are in high demand due to Amazon’s dominance of the cloud infrastructure industry.

CompTIA Security+ – The CompTIA examination body is respected globally for designing programs to test the efficiency levels of IT professionals. Its Security+ certification program is designed for entry-level individuals looking to validate their understanding of IT security terminologies, tools, and operations. Thus, a CompTIA Security+ certificate should be viewed as the starting point for anyone interested in a career in IT security.

Prospective candidates do not require any prerequisite certifications to participate in the Security+ certification exam. It is also important to note that this certification fulfills the prerequisite conditions for more advanced certifications.

Conclusion

A cybersecurity certification is an excellent validation tool that confirms your technical and applicable knowledge of cybersecurity tools—getting certified increases your chances of building a career as a cybersecurity professional across every industry where IT infrastructure is deployed.

There is often a lingering and general confusion over the acronyms IDS and IPS, and how they are like or unlike UTM software modules. Everyone likes primers and simple descriptive definitions; so let's take a look at IDS, IPS, and UTM through that lens.

IDS
An Intrusion Detection Sensor (IDS) is a tool that most obviously detects things, but what things? Ultimately it could be anything, but thankfully most vendors include a large array of 'signatures' and or methods for detecting stuff. What do I want to detect? For each network, this answer will vary, though generally, it is looking for unusual traffic. What's unusual? In the simplest terms, it's traffic you don't want on your network, whether that is policy/misuse (IM, games, etc.) or the latest malware.

Just as they say in real estate: its location, location, location. Not the location in the rack, but the segment of your network the IDS will monitor. Monitoring traffic at the ingress/egress point will show you what comes and goes (after the firewall policy approves of course), but may not allow you to see remote offices connecting to core components.

One thing you don't want to do is inspect traffic on the public side of the firewall. Monitoring all of the traffic on an internal switch, like your LAN or a DMZ, will allow the IDS to monitor user activity or key servers, but it won't see things happening on other parts of the network. Unless you have unlimited resources, you may not be able to monitor everything on the network, so a key decision will be which traffic matters the most and which segment provides the best vantage point.

IDS can passively monitor more than one segment and can monitor traffic that an IPS or UTM would never see, such as the traffic staying entirely within a LAN or DMZ. An IDS, therefore, could alert on a desktop machine attacking other desktop machines on the LAN, something the IPS or UTM would miss due to being inline.

IPS
An IPS (Intrusion Prevention Sensor) is an IDS in most regards, save for the fact it can take action inline on current traffic. This sounds amazing right?...well almost. IPS and UTM, by their nature, must be inline and therefore can only see traffic entering and leaving an area. A huge concern is that an IPS can prevent business legitimate or revenue-generating traffic from occurring (an IPS, remember, can alter traffic flow). IPS actions include drop, reset, shun, or custom-scripted actions and all of this occurs immediately upon signature match. This potentially negative action makes the person responsible for security now responsible for loss in revenue should the IPS drop legitimate traffic. In my experience, IPS devices make great tools as long as you also leverage the key components that differentiate the IPS.

Make sure your IPS devices are capable of "failing open"; this means if any part of the application fails or even the chassis fails (power loss anyone?) the unit continues to pass traffic. No one wants a brick impeding the flow of data.

Also realize that only a small portion of the signatures that fire should actually be allowed to take action on traffic. To help reduce false positive rates, one should have very well defined home net or protected ranges allowing direction oriented signatures to be more effective. You will also need to spend quite a bit of time reviewing alarm and event output to ensure the signatures allowed to take action are working as intended. You can expect to spend more time upfront and more time at each signature update looking at which signatures the vendor has chosen to take action and considering how that can impact your traffic. This often works best in settings where firewalls are not very favorably looked upon between "open" network segments.

Software Based Modules in UTM Devices
This brings us to software-based modules in Unified Threat Management (UTM) devices. Key items to point out about these devices happen to be drawbacks, though this does not reduce their efficacy. Obviously, they can only be located where the UTM itself is located. Typically this is a junction point like your Internet gateway or an access control point between your LAN and DMZ. In this case, a UTM would not be able to see all of the system-to-system traffic on the DMZ or LAN, rather only traffic coming and going from that segment.

In addition, UTMs are not purpose-built platforms, thus tending to have higher false-positive rates (though this is getting better). In the case of high CPU or memory utilization, they will turn off software modules to preserve the primary function of the device, as a firewall. This is an important point related to not being a purpose-built platform and helps justify requests for dedicated devices. If all you have is a device like this, we say go for it! It is much better to have visibility in traffic coming and going from your network than to not have any IDS at all. Ask your vendor to validate that they logically inspect traffic after the firewall policy and make sure to notify yourself immediately should your device move in to conserve mode or consistently seeing high resource utilization.

So, in Summary, Comparing IDS, IPS, and UTM
None of the three are "set it and forget it" devices. New malware and vectors for exploit and detection emerge daily. Regardless of your choice, you will have often recurring maintenance in signature event/alarm output and a need to update and manage your policies, especially in the case of IPS. Updates can be automatically applied in any of the devices discussed, but that does not absolve the need for human review. Set aside some time daily to check in on your device and consider turning off groups of signatures that have no role in your environment (think "policy-based") and tuning out other noise granularly.

Hopefully, all the cautionary statements penned here don't scare you off. Getting traffic inspection in your environment is a great way to get visibility into traffic on your network.

(more…)

(Updated April 2022)

There are many ways to optimize and automate your SIEM workflow, but you can't replace the human element. 

(more…)

Network segmentation is the practice of dividing a formerly 'flat' network [where every device can contact every other device] into a series of segments that have restricted communication between them.

What's this mean in real terms, though? And why would you want it - and is it useful outside of making PCI compliance easier?

In real terms, this means that you will end up working with your network hardware to create a set of 'zones' or enclaves, populated with a given group of assets. Then, you'll put some kind of barrier between each of these zones - either by assigning each of them to a VLAN and restricting routes between VLANs, or setting up a firewall to partition off various subnets and restrict communications - or a combination of the two.

As an example, consider a small sandwich shop that accepts credit cards. It has some POS terminals at the registers, a back office for management, and offers wifi for the customers.

In this case, you would want a segment for guest wifi - a separate VLAN that only routes out to the internet - to keep guest devices outside of the card processing environment. Similarly, you would want a segment for the POS terminals that can route to the network gateway - for credit card authorization - and for traffic from the registers to the management network - so that management can keep track of inventory sold.

By restricting the kinds of communication that are possible to the kinds that are specifically allowed, you've made your network more secure - the disallowed kinds of communication are either not possible, or require changing the setup in a way that would be very obvious to the SIEM.

Likewise, if you restrict the kind of traffic that can transit between zones to the minimum necessary traffic, any attempts by an attacker who has managed to infiltrate one segment to attack other resources will be restricted, or possibly prevented - and activities taken by the attacker to discern the kinds of assets on the network will be much more obvious.

A side effect of segmentation is that in some instances network performance may be improved. Several different protocols - like NetBIOS - generate broadcast traffic; if this traffic is forbidden from crossing segment boundaries into areas where it is not needed, then the overall amount of traffic on the network can be reduced. With modern networks this is usually not a significant concern, but it can be mildly beneficial in some instances.

Network segmentation also has benefits for compliance - in many cases, if the kinds of traffic that need compliance certification are isolated on a specific segment, that restricts the scope of the audits required to maintain certification to that specific segment. Smaller scopes are easier to audit, and it is easier to prove compliant configurations - you won't need to account for every single asset.

Segmentation is a very worthwhile means of adding to the security posture of your network. Talk to us here at Lumifi about whether your organization would benefit from this kind of defense in depth, and how it can be integrated into your existing security posture; we'd be happy to help.