On-demand Exabeam Expertise Unlocks SIEM Value for AECOM

Lumifi helps organizations solve complex SIEM deployment problems and maximize the value

Our Customer: AECOM is a publicly traded critical infrastructure consultancy and Fortune 200 member with 50,000 employees located around the globe. As one of the largest companies in the United States, AECOM plays a major role in building skyscrapers, mass transit terminals, concert halls, and everything in between.

The company has worked hard to achieve recognition as the World’s #1 Most Admired Company, securing Fortune magazine’s top spot for three consecutive years. With a pipeline full of multi-billion-dollar projects of government customers, AECOM can’t afford any less than the highest standards of credibility and security.

By the time AECOM reached out to Lumifi, it had spent two years working with a provider to successfully deploy its Exabeam SIEM. The organization was stuck in the development phase and could not get the SIEM platform to ingest all of AECOM’s global data sources correctly. AECOM couldn’t achieve holistic visibility into its security posture, leaving its organization exposed to sophisticated attacks while its security team poured resources into a never-ending development process.

AECOM’S Security Challenges: As a market-leading infrastructure consultancy managing some of the world’s largest projects, AECOM regularly faces incredibly sophisticated attacks from a wide range of sources. Managing these projects responsibly requires deep visibility into security risks, machine learning-enabled automation, and User Entity and Behavioral Analytics (UEBA) technology. The Exabeam platform provides all of these capabilities. However, the process of completing such a large implementation is complex. AECOM’s previous security provider did not have the product expertise necessary to ensure streamlined deployment.

AECOM needed SIEM expertise to leverage Exabeam to deliver on several core needs:

UEBA-Enhanced Insight
Log Management & Analysis
24×7 Security Operations
Custom Rules & Dashboards
Orchestrated, Automated Threat
Response Playbooks

Successful SIEM Implementation with Unlimited Visibility and Customization Lumifi was instrumental in turning AECOM’s stalled SIEM deployment around, enabling the company to gain a unified, central view of all security events – including both internal and external threats, cloud activity, and on-premises vulnerabilities. After spending two years stuck in the deployment phase, AECOM was able to finally leverage the full power of Exabeam. In two months, Lumifi has accomplished more than the previous two years of trial-and-error with a less capable vendor. Lumifi’s product expertise helped AECOM deploy a detailed model of normal user and asset behavior in Exabeam. This model provides constant, real-time information on the risks of insider threats and credential-based attacks. Lumifi became an extension of AECOM’s Security Operations Center, providing Exabeam expertise on-demand, 24×7 detection and response, and custom rules, models, reports, and dashboards.

The Results:

True 24×7 visibility and behavioral modeling for every user and asset in the organization’s IT infrastructure.
Successful integration of AECOM’s existing security tools into a consolidated Security Orchestration, Automation, and Response (SOAR) platform.
Ongoing customization to refine AECOM’s detection and response capabilities and adapt to a constantly changing threat landscape.

Technology Description:

MDR
Exabeam

Thank you for the service that Lumifi has provided over the last year to AECOM! Lumifi provided the services AECOM needed to keep the organization safe. You have helped us bridge a gap that continued to widen on us, and we appreciate the talent and work that Lumifi put into it. Lumifi has the grit and passion necessary to provide valuable MDR services in some of the toughest environments. I would absolutely recommend working with Lumifi they bring a lot of value to the table.

- - Paul Dial, CISO, AECOM projects.

Transparent Talent Gap Management Made Simple with MDR for BankPlus

Our Customer: BankPlus is one of the most reputable regional banks serving the US Southeast. In 2021, Forbes placed it in the Top 25 ranking of the World’s Best Banks, citing its trustworthiness and high-quality digital services. For more than a century, residents of Mississippi, Alabama, and Louisiana have come to expect retail and commercial banking excellence from BankPlus. With more than $4 billion in total assets and 79 financial centers, BankPlus understands the role best-in-class security plays for its customers.

Shareholders were rightly concerned when the bank’s Chief Technology Officer and Director of Information Technology both announced their retirements. Losing two critical members of the senior security team would expose the bank to unknown security risks.

Even if the organization successfully replaced its security leaders immediately, it would still have to navigate a delicate onboarding and transition period.

BankPlus’ Security Challenges: BankPlus had been leveraging Lumifi’s Managed Detection and Response services, including our legacy ELK Logger, since 2019. More recently, the bank needed expert-level guidance and management for its security operations, threat detection, and SIEM management capabilities. By working with Lumifi, BankPlus successfully managed this transition period while leveraging true 24/7 security visibility into its security operations. Outsourcing core security services to Lumii allowed the financial institution to make better use of its SIEM solution and expand its security capabilities at a fraction of the cost of a single full-time employee. BankPlus had three key issues that they needed to resolve with Lumifi’s MDR service:

Long-Term Logging Solution
Custom Tuning for Alarms
24×7 Security Operations

Results: The Lumifi Difference After their first engagement, BankPlus immediately saw Lumifi’s value and expertise because their SIEM was finally functioning as it should. By leveraging Lumifi’s expertise, their SIEM was configured correctly, and alarms were now escalating when was truly appropriate, thus providing accurate security visibility into their environment

True 24×7 security visbility within the BankPlus environment for a franction of the cost of 1 full-time employee
Saving BankPlus’ exsting SIEM prevented “rip and replace” costs
An outsourced SOC saved the organization significant time and money, taking the pressure off internal staff

Technology Description:

Lumifi has assisted BankPlus in both building and supporting a scalable big-data platform for our log management and cyber visualization needs. This has allowed internal technology and risk teams to place time and resources on other critical areas of the organization.

Lumifi has been a true partner, and a real extension to our team. Their SIEM and Security Operations knowledge has been, and continues to be very impressive. They add value to our team and we look forward in continuing to work with them on current and future projects.

- Todd Stringer | Vice President & Information Security Officer

SOC Cost Analysis: Ultimately there are two paths to achieve a strong Information Security posture. Build it in-house, or outsource it. Both options have their pros and cons. On the following page is a SOC Cost-Benefit Analysis to outsource managed security services or build a security team in-house.

How MXDR Pro Enables Scalable Security Growth for Vensure HR

The Organization: Vensure HR is a professional employer organization that provides human resources services for small and midmarket customers. Consistently delivering the full suite of payroll administration, risk management, and employee development services demands scalable security solutions with advanced detection and response capabilities In July 2020, Vensure chose Lumifi as its managed detection and response provider, trusting our team to secure a constantly changing set of endpoints against internal and external threats. The company needed 24×7 detection and response services but could not feasibly build and staff its own security operations center for the purpose. Over time, Vensure upgraded its partnership with Lumifi, adding hundreds of new endpoints and signing up for advanced threat detection capabilities.

The Challenge: Human resources firms constantly onboard new users and must continuously monitor their performance to ensure customer satisfaction. They must also process a great deal of sensitive data, from employee histories to payroll information. To do this, HR providers like Vensure offer an implicit guarantee of their employees’ fundamental trustworthiness.

Delivering on that promise is not always easy. High throughput can strain security resources and lead to operational underperformance. Not only does Vensure have to protect against a wide range of external threats, but it must also be prepared to detect and mitigate internal threats as well.

A run-of-the-mill SIEM 1.0 solution would not do. Vensure needed a solution that would continuously validate the actions of authorized users – like new employees – and trigger alerts when it discovered suspicious activity. At the same time, Vensure’s enterprise growth strategy is heavily reliant on acquisitions. The company is purchasing companies and integrating their teams on a monthly basis. These new teams require a standardized security framework that is flexible enough to respond to their unique risk profiles.

To maintain its reputation as a trustworthy HR service provider, Vensure needs to monitor a constantly fluctuating user base and constantly expand coverage to new users and endpoints. As an in-house solution, this would essentially mean exposing the company to unmanageable costs that amplify as the organization grows.

Vensure needed a managed detection and response solution that could scale to meet its needs while driving down costs as the company grows.

The Solution: Vensure knew they needed to rely on Machine Learning and UEBA to gain real security visibility and after testing several SIEM platforms they decided to leverage Exabeam. Upon working with Exabeam, Vensure found Lumifi and immediately saw value in our MDR service.This enabled the company toleverage user entity and behavioral analytics (UEBA) to manage security processes more efficiently while providing analysts with machine learning-enabled insights on insider threats and malicious activity. By November 2020, Vensure had already grown beyond its original MDR deployment and needed to secure an additional 530 endpoints with Palo Alto Cortex XDR. This gave Vensure’s security team unlimited visibility into every aspect of endpoint user activities as the user count grew significantly. Lumifi’s Glass Box approach ensured the company could easily see every part of its security system in action. Vensure soon discovered that its security posture would be significantly improved with the addition of curated real-time threat intelligence. In April 2021, the company added Anomali Threat Stream to its security capabilities, providing security operations personnel with curated, in-depth threat intelligence fit to meet Vensure’s specific risk profile. Thanks to its acquisition-oriented growth strategy, Vensure expanded rapidly during this time. The company added an additional 620 users in June 2021. This rate of growth continued all the way through to the following year, prompting Vensure to renew its contract in July 2022 and upgrade its service yet again. Vensure’s MXDR Pro subscription consolidates extended detection and response capabilities with threat intelligence and UEBA insights in a single package.

The Results: Vensure leveraged the pandemic-era pivot towards remote work to significantly grow its business, and successfully continued that growth trajectory during the post-pandemic era. This growth would not have been possible without a scalable solution for detecting security threats and mitigating risks. Lumifi’s combination of flexible, highly qualified expertise and Glass Box visibility enabled Vensure to grow its user base without worrying about the cost of expanding its security infrastructure.

Through Lumifi, Vensure gained 24×7 monitoring and response capabilities with a heavy focus on log management and analysis. It never had to lock its data into any proprietary software or entrust vital security tasks to Mystery Box technology.

Vensure saves more than 70,000 information security employee hours per year, equating to millions of dollars in payroll expenses.

It can safely grow its core business securely in the knowledge that Lumifi’s security team is ready to monitor user activities, investigate incidents, and mitigate risks on its behalf.

Planning for enterprise growth can take time. It requires a considerable amount of research and relies on deep knowledge of the specific capabilities different technologies offer. At the same time, it is necessarily constrained by budget and involves considerable risk. If it turns out that today’s technology doesn’t meet tomorrow’s needs, it will have to be replaced.

These are problems that organizations of all sizes confront because growth is a goal that every organization shares. The solution, however, is almost always unique to the organization at hand. Information security leaders who rely on the experience and expertise of a reputable service provider like Lumifi can identify the right solutions for their growth story without having to risk that growth on trial-and-error.

Technology Description:

Fayetteville Public Works Commission Relies on Lumifi to Extend SOC Capabilities

Lumifi expands the utility provider’s ability to secure its OT infrastructure and mitigate cyberattack risks

The History: The Fayetteville Public Works Commission (FAYPWC) provides municipal water, power, and sewer services to over 120,000 people in North Carolina. As the public utility sector faces increasing cyberattack threats, FAYPWC needed to establish a robust, multi-layered security posture that protected its operating technology from compromise.

Like many public utility providers, FAYPWC did not have its own security operations center in place when they contacted Lumifi. When high-profile ransomware attacks on utility providers started making headlines, the organization’s leadership decided to build its SOC capabilities. However, building and deploying an in-house SOC would be prohibitively expensive, requiring the organization to pass on costs to customers.

FAYPWC contacted Lumifi to develop and implement an SOC-as-a-service solution that would act as an extension of the organization’s existing IT team.

The utility provider needed to mitigate highly advanced threats while leveraging SIEM expertise on an ongoing basis. It needed to accomplish these tasks in a stakeholder-friendly, cost-effective way.

SIEM technology granted the team deep insight into security events impacting the organization while supporting powerful third-party integrations to serve its unique security risk profile. The SIEMs favorable pricing structure helped keep overall costs low.

The Challenge — OT Security Demands Additional Layers and Features: SIEM solutions provided FAYPWC with a cost-effective solution to monitoring a wide range of data-generating log sources throughout its IT infrastructure. However, the organization still wanted to close the security gaps around its operating technology. For a public utility provider like FAYPWC, effective multi-layered security means bridging IT and OT infrastructure together.

The organization needed a SIEM platform capable of performing in-depth analysis of user behaviors across its entire network. The platform needed to catch advanced persistent threats as well as credential based attacked and malicious insiders. SIEM platform that captures and collects log data from every user and asset on the network. This makes it the ideal choice for complex IT/OT environments where small, barely noticeable configuration changes can dramatically impact operational security.

SIEM key features made it the best choice for FAYPWC’s security risk profile:

Full Support for Third-Party Integrations
Extensive Log Management Capabilities
Support for Highly Customized Rule sets
Robust Automated Incident Response
Unlimited Visibility into Core Security Operations

SIEM Expertise Paves the Way to Operational Security Excellence: Lumifi played a vital role transforming FAYPWC’s security infrastructure and enabling it to consistently detect sophisticated attacks throughout its network. Our SIEM specialists helped the utility provider implement SIEM solutions, enabling high-performance security at a fraction of the cost of building out its in-house SOC capabilities.

FAYPWC was looking to build a relationship with a trustworthy security partner who could help it close its security gaps. Lumifi’s commitment to unlimited visibility and collaborative security helped identify those gaps and implement solutions that address them effectively.

Lumifi’s SIEM expertise helped FAYPWC develop a model that represents normal user behavior throughout the FAYPWC network. This model serves as a valuable point of reference for monitoring real-time user behaviors and assessing the risk of insider threats and credential based attacks.

As an extension of FAYPWC’s security operations center, Lumifi provides 24×7 managed detection and response services with customized rules, reports, and dashboards delivered through the SIEM platform.

The Results:

Unlimited visibility into FAYPWC user behaviors with detailed modeling for every user and asset in the organization’s network.
Successful deployment of a remote security operations center staffed with professional analysts equipped with industry leading detection and response tools.
Ongoing customization efforts to refine FAYPWC’s security posture in response to emerging threats facing the public utility sector.

Lumifi Looks to Buy MDR Providers

Cost-Effective Log Management: What Log Data Does Your SIEM Need?

Optimize your SIEM implementation by avoiding redundant analysis and focusing on the highest-value log data first.

Deciding which logs to analyze is an important step in the process of SIEM implementation. Every organization must answer this question based on its own network infrastructure, security posture, and risk profile.

(more…)

Compromised Credential Attacks Are Top Cause of Data Breaches

The use of stolen or compromised credentials remains the most common cause of a data breach. It was responsible for 19% of breaches studied by IBM in 2022. The reason? These attacks are relatively easy to plan and execute.

(more…)

Protect Your Security Budget Against Economic Risks with MDR

Security leaders are increasingly being asked to do more with less. In-house capabilities don't scale fast enough to keep up.

Business leaders are cutting costs across the board in preparation for a potential recession. Business units that were used to receiving ample funding are hitting limits to near-term growth. Organizations that used to fund ambitious growth targets for tech integration and cybersecurity are starting to cut back.

(more…)

Phishing Among Top Cyber Threats Targeting Financial Services

(more…)

A Malicious Insider Attack Poses Costly and Silent Threats to the Finance Industry

(more…)

EDR vs XDR – Which is the Best Solution for Your Business?

Both technologies provide endpoint protection, but with different levels of sophistication.

For years, endpoint detection and response (EDR) has formed the backbone of many enterprise cybersecurity solutions. EDR technology enables greater visibility into systems, allowing security professionals to detect threats from file-less attacks, document-based malware, and zero-day exploits.

(more…)

Incident Response in Exabeam: How to Create Playbooks and Automate Security Incident Resolution

Learn how to use the platform's security orchestration, automation, and response (SOAR) solution to quickly investigate and resolve security incidents.

Exabeam enables security teams to automate their response to security incidents, dramatically reducing the time and resources required to mitigate active attacks. The platform's Incident Responder lets analysts automate time-consuming tasks when investigating incidents and neutralizing attacks, enabling organizations to immediately respond to threats in real time.

(more…)

Keep Your Digital Footprint in Step with Your Information Security Needs

Every online action you perform involves sharing a bit of data – over time, that data can add up.

Successful organizations and influential people rely on the public Internet to promote their brands, ideas, and products. A significant amount of time and energy goes into building a brand, and most of it is spent online.

(more…)

How to Create a Ransomware-Ready Disaster Recovery Plan

Data disasters come in all shapes and forms, and enterprises need to have multi-layered contingencies in place.

A good enterprise disaster recovery plan protects against a wide variety of scenarios. It must ensure business continuity – or provide a plausible roadmap for it – in case of natural disasters, human errors, and malicious cyberattacks.

(more…)

How to Access and View Event Logs Using Exabeam in Linux

Examining event and endpoint logs is the first step towards building comprehensive customized rulesets.

Many information security leaders have significant deployments on open-source operating systems based on the Linux kernel, and for good reason. Linux distributions like Debian and Ubuntu have a reputation for visibility and security at a price that's impossible to beat – they're 100% free.

(more…)

The 3 Types of Firewalls: What Is the Most Secure Type of Firewall?

We'll chat more in detail further along here, but right away, we want to tell you what the three types of firewalls are:

(more…)

What Is SOAR Security?

The SOAR in SOAR security stands for:

(more…)

How to Configure Your Windows Audit Policy to Optimize SIEM Performance

You can significantly improve Windows' log reporting capabilities with a few key changes.

Your SIEM works by collecting log data from across the enterprise IT environment. The more detailed and comprehensive these logs are, the more accurate its insights will be.

Although Windows has a basic set of log reporting capabilities built in, the operating system's out-of-the-box configuration isn't quite optimal for advanced SIEM users. Streamlining audit policies lets enterprise security professionals enjoy improved alarming, reporting, and compliance outcomes. It's a vital step towards achieving best-in-class security using an SIEM solution in a Windows environment.

Lumifi has continuously refined its approach to Windows Audit Policy configuration since 2015. Our SIEM experts regularly refine their methods in response to real-world feedback and implementation data. This document is the result of years of cumulative insight into what works best when deploying an advanced SIEM solution in an enterprise Windows environment.

(more…)

How to Alleviate Alert Fatigue When Enterprise Security Needs Keep Growing

Cybersecurity leaders prioritize security event management efficiency now more than ever.

Security analysts receive messages and alerts all day long. It' a core part of the job.

(more…)

How Advanced MDR Helps with Security Detection and Response of 7 Common Threats

677.66 million. That's the number of cumulative detections of newly-developed malware applications worldwide in 2020. If you think your organization's basic antivirus software can keep up with this constant barrage of attacks, well, it's simply not possible.

(more…)

EDR Endpoint Protection: What It Is, How It Works, and Its 5 Benefits to Businesses

The average IT department manages thousands of endpoints, each coming with a very real risk of cyberattack. From laptops and servers to IoT devices and digital assistants, hackers are constantly on the lookout for an open door to infiltrate.

(more…)

Lumifi's Complete Guide to Information Security Managed Services

Companies must protect important and sensitive data no matter its form. So, what is information security?

It includes everything from making sure digital information is protected against hackers to assuring a physical filing cabinet full of billing information is defended against thieves.

(more…)

New Federal Standards Prioritize Logging to Detect, Prevent, and Remediate Cybersecurity Incidents

The Federal government has defined new standards for cybersecurity event logging systems.

On May 12th, 2021, just days after the headline-making Colonial Pipeline ransomware attack, the White House issued an executive order on improving the nation' cybersecurity.

(more…)

Improving Visibility and Preventing a Miss - Part 3: Custom PowerShell Rules

A major risk for a SIEM or SOAR is not effectively using key PowerShell logs collected.

We talked about the risk of incorrect and empty logs or lack of logging required for advanced detection, and once you have them we cannot assume machine learning and modeling behavior will detect everything.

(more…)

Update on PrintNightmare & Kaseya Ransomware

Over the 4th of July weekend, two breaches were brought to Lumifi's attention pertaining to PrintNightmare and Kaseya.

Details on PrintNightmare

While you likely do not have Print Servers exposed to the world (we hope not), we also wanted to note that we are aware of this and have diligently reviewed detection methodology. POC code has been found, so our recommendation is to disable all Microsoft Print Spooler Services and ensure you have this patch applied.

This is a remote code execution vulnerability that affects the Windows Print Spooler, which has CVE-2021-34527 assigned to the vulnerability. An attacker can use this vulnerability to run arbitrary code with SYSTEM privileges. This could give an attacker full access to the system, leading to administrative privilege and lateral movement in the environment.

While, in theory, the Print Spooler should only be run if needed, it is always enabled by default. Microsoft released security updates on June 8, 2021, that should be applied to mitigate this vulnerability.

If you cannot apply this patch immediately, we strongly advise that you turn off all print spoolers following the process documented here.

Other Resources for PrintNightmare:

https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability

https://www.tenable.com/blog/cve-2021-1675-proof-of-concept-leaked-for-critical-windows-print-spooler-vulnerability

(more…)

Improving Visibility and Preventing a Miss - Part 2: Custom PowerShell Collection

A worrisome risk for a SIEM or SOAR is not collecting key logs used or required for the advanced modeling in today's platforms.

In our experience, incorrect/empty logs or lack of logging required for advanced detection (as we discussed in the first post on this topic), is obviously bad, yet failing to pick them up and sticking to collecting in just System, Security, Application leaves machine learning and modeling missing key items to with which to model behavior.

How to Collect Key PowerShell Logs

Beyond the basic logging configured in the previous blog, we will also need to be collecting these Powershell logs from these locations:

WMI-Activity/Operational Logs

5857 - Indicates time of wmiprvse execution and path to provider DLL
5858 - Query errors, the data include the error code in the element ResultCode and the Query that caused it under the element Operation
5859 - EventFilter class
5860 - Registration of Temporary (5860) and Permanent (5861) Event Consumers
5861 - Registration of Temporary (5860) and Permanent (5861) Event Consumers

Microsoft-Windows- WinRM/Operational

6 – WSMan session initialized
8 – WSMan session deinitialization
15 – WSMan session deinitialization
16 – WSMan session deinitialization
33 – WSMan session deinitialization
91 – Session creation
168 – Records authenticating user

PowerShell/Operational Logs

4103 – PowerShell Module Logging
4104 – PowerShell Script Block Logging
8193 – Session Created
8194 – Session Created
8197 – Session Closed
40961 – Records the local initiation of PowerShell and associated user account
40962 – Records the local initiation of PowerShell and associated user account
53504 - Records the authenticating user

Windows PowerShell Logs

400 – ServerRemoteHost session starting
403 – ServerRemoteHost session ending
800 – Includes partial script code

(more…)

F5 BIG-IP Vulnerabilities

Twelve days ago, F5 announced several security vulnerabilities that went primarily overshadowed by the Exchange/Hafnium situation.

It's important to understand that some of these are critical, remote command execution-level vulnerabilities that require nothing more than an attacker to connect to an F5 BIG-IP device.

For those devices, being positioned "in front of" web server clusters is standard, so they are often exposed to the Internet on purpose.

There are already indicators that various attackers are scanning for these devices and exploiting them once found. Other security researchers have seen attacks that resulted in the theft of authenticated session tokens, meaning that they could impersonate administrators and control or reconfigure the devices. Some existing malware has already been repurposed to act on these vulnerabilities.

(more…)

MDR Service Delivery Options

Organizations of all sizes rely on managed security service providers (MSSPs) to deliver managed detection and response (MDR) and additional cybersecurity services at scale. Understanding the various service options can save your organization money and resources.

The difference in technology and its usage is the primary differentiating factor between MDR providers. While some rely on proprietary software to deliver contextual threat detection and response capabilities, others use an assortment of technological solutions to protect enterprise networks and architecture.

Lumifi provides a breakdown of four different options. If you have questions or are looking for specialized advice, contact us today for a no-cost consultation.

Full-Stack Technology Service Providers

Vendors that determine the technology to use in protecting a customer’s IT architecture fall under the category of a full-stack technology service provider.

In this category, providers choose the best solutions to protect a customer’s architecture, often utilizing their preferred vendors and architecture. Clients with limited experience or resources for threat detection and response take advantage of the provider’s proprietary services that a full-stack provider can deliver.

Full technology stack providers generally use a multifunction network security monitoring (NSM) sensor or appliance and an EDR agent. A mixture of other tools and software for threat hunting and investigation solutions are also applied to produce useful telemetry and gain insight into security incidence. The result is a threat detection and response framework which enables near real-time or automated responses.

Lumifi has been in the Managed Detection and Response space since before the term was coined. We can provide a full-stack approach to clients looking for a complete, holistic solution to their cybersecurity needs.

Custom Monitoring and Threat Detection Service Providers for Cloud, Hybrid and IoT Architecture

Enterprises that use custom architecture such as cloud services or IoT applications require specially built systems for their IT ecosystem. Some MDR vendors use custom tools to provide reliable threat detection and response services for customers not using standard on-premise architecture to meet this demand or need.

To offer services protecting the multi-cloud, cloud, and IoT infrastructures, MSSPs make use of a host of proprietary tools and partner with specific vendors such as cloud access security brokers to ensure expansive networks remain protected. Providers can also use add-ons such as incident monitoring add-ons for SCADA systems and IoT devices and networks.

Customers who require vendors who fall under this category are generally organizations with expansive IT infrastructure. Thus, customers rely on MDR to provide a high-performing security framework that considers the different technologies within their enterprise systems.

Lumifi also provides our proprietary technology, SHIELDVision, a SOC force multiplier. Engineered and developed by top software developers and analysts, SHIELDVision is an orchestration tool that provides insight into your network, advanced ticketing, alerting, and the added benefit of querying multiple client networks at once to protect all.

Managed Point Solutions Providers

Managed Endpoint Detection and Response (EDR) is often confused with Managed Detection and Response (MDR). But MDR providers provide a more holistic approach to network monitoring.

Only hiring an MSSP for managed point solutions is a small part of a full security offering. Only hiring for managed point solutions does not protect networks from advanced threats and other network devices such as IoT devices.

Customers who use managed point solutions generally request this service as an add-on to support available threat detection and response frameworks.

Bring Your Own (BYO) Technology Stack

Organizations intending to purchase their security stack in-house or already have infrastructure fall into the Bring Your Own (BYO) Technology Stack category. Alternatively, MSSPs can provide consultation and guidance for businesses with legacy systems looking to purchase brand new technologies and manage them, in part, in-house.

It is important to note that compatibility is key for this category of businesses. By requiring their preferred vendors and technology stack, an organization’s MSSP must interface seamlessly with their security stack and infrastructure.

Lumifi has partnered with industry leaders in every area of network security. We also have a research and development team that is continuously working on integrating new products and threat detection technology.

Conclusion

The four categories highlighted do not summarize each category and service needed for hiring an MSSP. There are many options and models, but the above are common delivery styles.

Lumifi understands this and can act as a consultant, architect, and technician. From a fully outsourced SOC to a co-managed environment, our company can provide services on a spectrum. Our US-based security operations center includes a range of professionals to help throughout the process. From our no-pressure sales team, experienced security architects and solution engineers, L1-L3 analysts, innovative research and development team, and high-touch white-glove customer support team. Discover the Lumifi difference.

FireEye Breach - Our Observations

Cybersecurity Firm, FireEye Experienced a Major Breach in December of 2020

Castra actively investigated for deeper, specific information from our sources about how FireEye detected such a sophisticated, persistent, nation-state backed novel attack on their network and systems. This likely was the most frightening and impactful breach that we have seen happen all year.

(more…)

What is Microsoft Defender for Endpoint and How Does it Work?

Microsoft Defender for Endpoint, formerly known as Microsoft Defender Advanced Threat Protection, provides enterprise-level protection to endpoints to prevent, detect, investigate, and respond to advanced threats.

The platform provides preventative protection, post-breach detection, automated investigation, and response to possible threats or breaches in security.

Whether your company is considering implementing Microsoft Defender for Endpoint or already has it installed, contact Lumifi for a no-cost consultation to see how we can help your organization improve its security posture.

Core Features

Threat and Vulnerability Management

Being able to identify, assess, and remediate weaknesses is key to a healthy security program. Microsoft Defender for Endpoint can discover vulnerabilities and misconfigurations in real-time. These features can help bridge the gap between Security Operations (SecOps), Security Administration (SecAdmin), and IT Administration (ITAdmin).

Attack Surface Reduction

Use Microsoft Defender for Endpoint to close gaps to reduce your organization’s risk. Features include Hardware-based isolation, application control, exploit protection, network protection (requires Microsoft Defender Antivirus), web protection, controlled folder access, and network firewall.

Next-Generation Protection in Windows

Utilize machine learning, big data analysis, threat resistance research, and the Microsoft cloud infrastructure to protect endpoint devices on your network. Next-generation protection features behavior-based real-time antivirus protection, near-instant cloud-delivered blocking, dedicated protection, and product updates.

Endpoint Detection and Response (EDR) Capabilities

Defender for Endpoint continuously collects behavioral cyber telemetry. Data is stored for up to six months; analysts can travel back in time to the start of an attack. See rich details within a dashboard with forensic abilities for analysts to remediate threats and their affected areas.

Automation

Microsoft Defender for Endpoint includes automated investigation and remediation (AIR) capabilities. When properly installed and tuned, these features can reduce the alert volume and increase response time.

Secure Score

A Secure Score for devices is visible in the threat and vulnerability management dashboard. The scores can give organizations a high-level view of their device configuration and overall strategy.

Microsoft Threat Experts

Defender for Endpoint organizations can also use Microsoft Threat Experts, a managed threat hunting service. Their suite of experts can collaboratively help threat hunt within your environment.

Lumifi offers competitive pricing and unparalleled customer support, and threat hunting capabilities. Learn More

Run Attack Simulations

Another one of the program’s features is an evaluation lab, which allows the user to run attack simulations.

To choose the details of the simulation you want to run, go to the security center and select the ‘evaluation lab’ option. Then select ‘set up lab.’ Here you can choose your configuration option based on the task you’re trying to accomplish, which can be spending more time on each device or investigating larger-scale attacks, so opting to add more devices to the simulation.

There are three options: adding three machines for 72 hours each, four machines for 48 hours each, or eight machines for 24 hours each.

Ultimately, you can choose which type of simulation you want to run, but the program offers three categories to add to your simulation: Microsoft simulations, the files or script run on machines, one powered by attack IQ, and one powered by SafeBreach. Microsoft recommends installing both attack IQ and SafeBreach, both of which require particular software installed on the device.

Throughout the simulation, you can view the status, checking virus, and threat protections that were discovered. According to Microsoft, some more sophisticated or involved attacks may trigger an “automated investigation.” You may also view more details, alerts, machines, and evidence found during this investigation.

Other Powerful Features

Another benefit of the software is the ability to preview new features and provide feedback. Features included in the ‘preview release’ are web content filtering, device health and compliance reports, information protection, and an option to onboard Windows server 2019.

To launch these features most effectively, Microsoft Defender for Endpoints collects data from devices, including file data, process data, registry data, network connection data, and device details. This information is used to identify indicators of attack within your organization, alert you if possible attacks were identified within your organization, and provide a view into existing threats on the network.

Minimum Requirements

There are some minimum requirements for adding devices to the software.

The software requires one of the following licensing options: Windows 10 Enterprise E5, Windows 10 Education A5, Microsoft 365 E5, Microsoft 365 E5 Security, or Microsoft 365 A5.

If your organization plans to use the software on a Windows server, you must also have one of the following licensing options on that device: Azure Security Center with Azure Defender enabled or Defender for Endpoint for Servers (one per covered server). According to the Microsoft website, you will also want to have either Google Chrome, Internet Explorer 11, or Microsoft Edge.

Installation

Once you have ensured that you have met all of the minimum requirements, you’ll want to decide which format of Microsoft Defender for Endpoint will be appropriate for your organization: cloud-native, co-management, on-premise or evaluation, and local onboarding.

Next, choose which device you want to onboard: Windows, macOS, Linux Server, iOS, and Android.

Finally, configure the capabilities of the program to maximize the benefits for your company. These include detection and response for impacted devices, next-generation protection, and attack surface reduction, according to Microsoft’s website.

Next, choose which device you want to onboard: Windows, macOS, Linux Server, iOS, and Android.

Pricing

Microsoft offers pricing per user, which offers coverage of up to five concurrent devices of that user.

Companies can add Defender for Endpoint to Macs, Windows 7, Windows 8.1, or Windows 10 devices, regardless of whether they’re corporate or personally owned devices. This is particularly useful for organizations utilizing the Bring-Your-Own-Device (BYOD) policies.

Microsoft recommends personally owned devices having both antivirus software and Microsoft Defender Advanced Threat Protection. Cell phones can be enrolled on the software by using Microsoft Intune, which is a cloud-based management system specifically for cell phones and enabling conditional app-based access.

Microsoft Defender for Endpoint offers a free trial and several different pricing plans from $10 per user per month up to $57 per user per month. For more information, visit microsoft.com/en-us/microsoft-365/compare-microsoft-365-enterprise-plans.

Conclusion

Microsoft Defender for Endpoint, formerly known as Microsoft Defender Advanced Threat Protection, has been an industry standard for endpoint protection platforms. The advantages of Defender for Endpoint range from ease of integration with other Microsoft security tools to the pricing model.

Lumifi works closely with Microsoft to integrate their products into our managed security services. Our expert security professionals can install, tune, and create advanced filtering for our customers, on top of our world-class 24/7 eyes on glass service.

Behavioral Indicators of Insider Threat Activity

Contrary to popular beliefs, an insider threat is not always a security risk within an organization's immediate perimeter. Current employees and managers aside, an insider threat could be a former employee who had access to specific information, a third-party consultant, or a business partner.

In any case, malicious insiders account for about 38 percent of cyber breaches worldwide between 2012 and 2017, according to statistical reports.

Root Causes of Insider Threats Worldwide

Source: Statista

Malicious and cooperative insiders, combined with negligence, are at the core of 81 percent of all data breaches cases during the period, which makes insider threats the top cause of cybersecurity breaches across organizations of all sizes and all industry verticals.

Industry research shows that close to 20 percent of all employees have access to all sensitive data within an organization, which means anyone who knows how an organization's network resources and IT ecosystem works is a potential insider threat. It is even more true for individuals who have, or had, access to sensitive corporate data and know where it resides and what data protection is in place.

The average overall cost of a cybersecurity breach due to an insider threat stands at $11.45 million, according to the Cost of Insider Threats 2020 report by IBM. Thus, insider threats and ransomware emerge as one of the most severe cyber threats organizations face on a global scale.

While preventing insiders from siphoning out sensitive information is a very demanding challenge, there are methods to mitigate the risks associated with malicious and cooperative insiders and detect suspicious or abnormal behavior that indicates an insider may be attacking an organization's business-critical systems and sensitive data.

Groups and Types of Insider Threats

We should highlight that an overwhelming 62 percent of insider threats are related to data exfiltration, followed by misuse of access privileges with 19 percent. Thus, insider threats are mostly about accessing data and systems and then siphoning out the respective databases or sensitive files.

Most Common Types of Insider Threats

Source: Statista

There are two major types of insider threats at the top-level: intentional or malicious insiders and unintentional ones. Unintentional insider threats are generally categorized as 'Pawns' while malicious insiders are 'Turncloaks.' We can further categorize those two types into at least four individual categories of insider threats:

Pawn

Any employee can turn into a pawn by clicking on a malicious link in a corporate email or making another mistake that enables a bad actor to penetrate the organization's perimeter. Other pawns are victims of advanced hacking tactics that involve social engineering to trick a person into visiting a malicious website or sharing credentials with a bad actor.

Turncloak

Any insider who is stealing data or securing access to systems for a third party is a turncloak. A turncloak has legitimate access to corporate networks, data storage systems, endpoints, and cloud-based systems.

Goof

Goofs are not exactly malicious insiders but do not follow the security rules and policies, resulting in more significant cybersecurity risks. Employees trying to bypass the established procedures for access to data or connected systems fall into this category, and they are the main insider threat risk, with over half of all insider threat incidents occurring due to negligence or ignorant behavior by in-house users.

Collaborator

As opposed to a goof, a collaborator is a malicious insider who intentionally steals data or sabotages an organization's operations. Most insider threat collaborators work in cooperation with or under the influence of competitors or nation-state actors, looking for sensitive data and access to critical business systems.

Lone Wolf

A lone wolf performs his malicious work without being in collaboration with any third party. The lone wolf deliberately steals information or sabotages its operations without being manipulated or otherwise forced by a third party.

Whatever the root cause for such a malicious behavior might be, organizations can look for insider threat behavior patterns and clear signs that a user is acting as a harmful insider.

How to Detect Insider Threat Behavior

Indicators of possible insider threat activity fail into two categories: digital warning signs and behavioral abnormalities.

Digital Warning Indicators:

Downloading or accessing substantial amounts of data
Accessing sensitive data that they do not need to perform their core job
Starting to access data that they have never accessed before
Requesting access to resources not needed for their primary job function
Using unauthorized storage devices such as flash memory, USB sticks, etc
Browsing the corporate network in search of sensitive data
Copying files containing sensitive data frequently
Transferring sensitive data outside the organization by email or another communications channel

Behavioral Warning Indicators:

Trying to bypass any security measures in place
Working extra hours very often and thus staying in the office during off-hours
Accessing networked resources while on vacation, sick leave, or on holidays
Extreme interest in subjects and projects outside of the scope of their job position and function
Displaying any vulnerabilities that could be exploited by bad actors: drug or alcohol addictions, financial troubles, unpredictable behavior at the workplace

Digital warning signs are far more reliable when analyzing insider threat risks and detecting abnormal behavior. Nonetheless, managers can consider behavior prediction theories to help an organization detect insider threats at an early stage.

Behavior Prediction Theories

General Deterrence Theory: A person commits a crime when benefits offset action costs
Social Bond Theory: A person commits a crime if there are no solid social bonds of attachment, commitment, involvement, and belief
Social Learning Theory: A person commits a crime if he/she binds with malicious peers
Theory of Planned Behavior: Predicting a person's malicious behavior is based on assessing attitude, subjective norms, and perceived behavior control towards crime
Situational Crime Prevention: Malicious can occur whenever a motive and opportunity are in place

None of these theories is a silver bullet to detect insider threats, but a combination of practices and methods used by each theory may prove an excellent tool for preventing some typical insider threats from occurring.

Behavior prediction theories can be of help in avoiding creating circumstances resulting in increased insider threat levels. However, an organization needs to be prepared to deal with insider threats, both preemptively and to be prepared to provide an adequate response to any cases of malicious insider actions.

Countering Insider Threats

The fight with insider threats starts with the initial hiring interviews. Organizations need to create a healthy work environment that minimizes the risks of malicious insider behavior and educates their employees to avoid becoming unintentional insider threats or pawns.

Other countermeasures may include:

Monitoring files and activity on all core digital resources within the organization
Keeping track of all sensitive data and identify where sensitive files are located
Implementing a zero-trust policy and adopt a least privilege model for access to data and digital assets
Employing advanced security analytics tools featuring machine learning and AI capabilities to detect abnormal behavior
Building a culture of IT security awareness across the organization and train the employees to avoid common cybersecurity mistakes

The abovementioned techniques and methods are the building blocks of a broader framework to deal with insider threats and other cybersecurity risks and involves multiple cybersecurity tools.

Tools to Fight Insider Threats and Other Cybersecurity Risks

Insider threats do not exist in a vacuum, and organizations should address the risks associated with bad insiders along with a plethora of other cybersecurity risks concerning malicious software, Denial of Service attacks, ransomware targeting corporate machines, and any other threats.

Organizations can take advantage of five categories of tools to mitigate the risks associated with cyber threats and insider threats, including:

User Activity Monitoring (UAM) to track the actions and activities of users and detect signs of insider threats
Data Loss Prevention (DLP). DLP tools control how users interact and protect data at rest, in motion, and in use, through deep content analysis
Security Information and Event Management (SIEM) to collect and aggregate logs from networked devices in a centralized place for analysis. SIEM also equips organizations with rulesets to respond to detected abnormal behavior
Analytics tools with machine-learning and statistical capabilities to generate alerts on anomalous behavior and abnormal user actions
Digital forensics tools to perform an in-depth analysis of successful data breaches or leaks

Whatever a tool or combination of tools an organization may deploy, the focus should be on adopting data-centric and not system-centric cybersecurity.

Conclusion

Every organization should be creating and running a program to counter insider threats while adopting a security policy to mitigate insider threat risks and other major cybersecurity threats.

A combination of thoughtful implementation of behavior prediction theories and the adoption of tools to detect digital warning signs is optimal. Adopting a basic insider threat protection program is affordable even for small organizations, while it is a major prerequisite for sustainable IT security in an environment in which every employee is a potential insider threat.

Why User Education is #1 in Cyber Resilience

Statistical data shows that over one-third, or 36 percent, of ransomware infections happen due to a lack of cybersecurity training across organizations across all industry verticals. Another 30 percent of the ransomware infections worldwide materialize because of weak user passwords, while 25 percent are due to poor user practices, according to managed service providers (MSPs) surveyed.

Over 50% of Ransomware Attacks Succeed Due to Bad User Education and Practices

Source: Statista

It all starts with educating organizations from the bottom up on cybersecurity, beginning with the basics.

User Education and Cyber Resilience

A simplified definition of cyber resilience is a method and framework measuring how well an organization can cope with cyberattacks or data breaches while retaining business continuity. Cyber resilience is a preventive measure that ensures the organization's core processes are still operational should a cyber-attack penetrates the perimeter defenses and how to prevent this from happening in the first place.

Organizations need to educate and train their employees to minimize human error and bad user practices to an acceptable minimum since these are the two weakest points in any cyber-defense strategy.

It all starts with the basics: if users are unaware of cyber-threats and how they work, they cannot spot one or avoid poor security practices. Furthermore, uneducated and untrained employees won't respond appropriately once they detect malware in action or when they see suspicious account or application behavior.

The cost of letting uneducated and inexperienced users accessing business-critical systems and networks, especially in increasingly remote workforce environments, is always high. Human error and harmful practices such as weak passwords and connecting from insecure Wi-Fi networks are the scenarios every hacker in the world are trying to exploit to their best benefit.

A single ransomware infection due to a weak user password or a user using a public Wi-Fi hot spot for work can ruin an average enterprise's business and paralyze its operations for weeks.

Therefore, organizations must make every effort to educate their employees on the basics of cybersecurity. Training should include how to spot phishing emails, detect unusual app and account behavior, and to respond to any actual or possible cyber threat they happen to see.

How to Train Employees for Cyber Resilience

Building a cybersecurity culture and training employees in IT best practices should not be an expensive or daunting task for the average enterprise. It is a cultural transformation problem, not necessarily investing heavily in security tools or lengthy and unpopular training programs.

In the end, having a working and practical culture of cybersecurity is all about creating a security-conscious mindset that prevents cybersecurity incidents from occurring by minimizing human errors and bad user practices.

The researchers at the Massachusetts Institute of Technology (MIT) have developed a framework reflecting the best practices of organizations that have managed to build excellent cybersecurity culture through educating and training their leadership and users in a security-aware way of working.

Source: MIT

The framework above pertains to the overall approach toward a more secure corporate IT environment, showing the basic components of a transformational mindset that result in better cybersecurity for all stakeholders.

While each organization should draft a cybersecurity training strategy that best fits its particular needs, there are certain IT security areas, which every educational program should address.

Passwords and User Access Credentials

Stolen, shared, and hacked passwords or other user access credentials are by far the most common way for bad actors to get access to sensitive corporate data or networks. The problem is that even if organizations force their users to enter strong passwords, the users still have dozens of other online accounts, which can cause problems if only one of them is compromised.

Passwords and login/sharing credentials are the first lines of defense, and as such, any training program should start with the basics of password protection.

Email, Chat, and Messaging Protection

Phishing emails are another critical attack vector with a high percentage of successful cyber-attacks relying strictly on email penetration to access essential business systems. Training employees to recognize phishing attempts on all communication channels is crucial for building a strong cybersecurity culture.

Malware Prevention and Response

An organization cannot tell employees what applications to install at home, but users should be aware that installing and running unauthorized software on corporate machines is a bad practice. Furthermore, employees must train to respond immediately to any malicious app behavior and contact the IT support and security team.

Removable Media and Mobile Devices

Removable media are another source of possible troubles when IT security is concerned. At least two confirmed successful cyber-attacks on heavily guarded facilities such as nuclear power plants occurred using infected removable media.

Organizations should also educate their employees about the hazards of connecting their mobile devices to corporate computers as virtually any personal mobile device has multiple apps installed, and each of them is a potential security risk.

Physical Data and Lost Devices

Educating employees about the cybersecurity risks should not leave the problem with physical security aside. While most business-critical data is stored in digital format, organizations still use paperwork in their daily operations, and employees should be trained to follow a clean-desk policy in the office.

Likewise, a lost or stolen device can cause a lot of trouble if there is sensitive information inside or if credentials enable a third party to login to corporate digital resources.

An organization can successfully run a Bring-Your-Own-Device (BYOD) policy, but there is still a need to educate the users not to connect their devices before scanned for malware and report any stolen or lost device.

Building a culture of updating and patching employees' mobile devices is another best cybersecurity practice.

The list of training and educational programs an organization can run to enhance its employees' overall cybersecurity awareness does not end there. Any organization has its specific areas to address and improve, as cybersecurity is a very far-reaching one while cyber threats and penetration methods evolve rapidly.

Conclusion

Industry reports such as the Annual Cost of Cybercrime Study by Accenture and Ponemon Institute show that malicious insiders are involved in cyberattacks resulting in organizations incurring losses averaging $1.6 million in 2018.

What is worse than a malicious insider though is a team of employees who are not aware of cybersecurity basics and where each team member is both a risk and a potential source of malware infection or compromised credentials.

With all types of cyberattacks on the rise, and with people-based attacks reporting the highest rate of growth, employee training and adoption of IT security educational programs should move to the top of the list for any organization aiming to secure their IT environment.

As cyber-threats are evolving and bad actors change their methods by the changing cyber-defense practices, organizations should adopt a flexible training approach with training programs running while being continuously updated to include new cyber threats and familiarize employees with the latest best cybersecurity practices.

Ready to take your cybersecurity strategy to the next level?

VensureHR

Lumifi provides Vensure with scalable, on-demand security services that unlock real value.

Human resources firms constantly onboard new users and must continuously monitor their performance to ensure customer satisfaction. They must also process a great deal of sensitive data, from employee histories to payroll information. To do this, HR providers like Vensure offer an implicit guarantee of their employees’ fundamental trustworthiness.

At the same time, Vensure’s enterprise growth strategy is heavily reliant on acquisitions. The company is purchasing companies and integrating their teams on a monthly basis. These new teams require a standardized security framework that is flexible enough to respond to their unique risk profiles.

Vensure needed a managed detection and response solution that could scale to meet its needs while driving down costs as the company grows.

Learn how Lumifi was able to scale Vensure's environment to meet its continual organizational growth. Read the full case study, now.

Best Practices for Vulnerability Management

One can broadly define vulnerability management as a set of processes and procedures to identify, analyze, and manage vulnerabilities across a critical service's operating environment.

This broad definition extends to IT systems and infrastructure, which are now as critical as power generation facilities and resource gathering operations. Keeping in mind the growing number and sophistication of cyber-attacks against organizations of all sizes and across any industry vertical, any enterprise should have a program to detect and proactively reduce risks associated with cybersecurity.

What Is Vulnerability Management?

Today's best practices for vulnerability management require organizations to continuously scan for vulnerabilities in their systems instead of the historical approach of performing a vulnerability scan once in a half year or less often. The cyber-threats environment is a fast-developing one and requires organizations to take a holistic view if they are to make informed decisions about the most critical vulnerabilities and remediate the risks originating from such vulnerabilities.

All definitions, including one by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), divide the vulnerability management process into four stages, as shown below:

The Vulnerability Management Process

Source: CISA

As you can see, the above definition is all about strategy and not patching specific kinds of vulnerabilities as you can have weak points in any computing system or one of their infrastructural components. Thus, we can say that vulnerability management is a critical component in planning for the appropriate implementation of controls and the management of risks associated with cybersecurity.

Scanning for Vulnerabilities

Vulnerability management is often confused with software patching and vulnerability scanning. While scanning for vulnerabilities and patching them are critical components of vulnerability management, it is more of a concept and an action plan for detecting and remediating cybersecurity risks and threats.

Such a complex strategy cannot be run manually, and that is why organizations implement sophisticated tools to scan for vulnerabilities across their business-critical IT systems. Those automated tools can detect various vulnerabilities and take automated actions to remediate the risk or generate alerts for the organization's IT team.

A report by the SANS Institute shows that 85 percent of the organizations surveyed worldwide say they are running automated tools for vulnerability management.

Use of Automated Vulnerability Management Tools Worldwide

Source: Statista

There is no abundance of vulnerability scanners on the market as cybersecurity is one of the most rapidly growing IT industry markets. Proprietary and open-source vulnerability scanners offer a collection of cybersecurity tools and features such as:

Network mapping for a visual representation of network assets such as endpoints, servers, and mobile devices
Web inspection for evaluating the security of web applications
Defect tracking for tracking issues to their source
Perimeter scanning to search for cloud vulnerabilities or weaknesses in connected digital assets
Black box scanning for imitating an external attack on critical resources using testing tools for SQL injection or analyzing XSS
Compliance monitoring for generating alerts about data quality and violations of regulatory requirements
Threat intelligence for detecting common threats and taking remediation actions
Risk scoring and risk analysis to prioritize security risks, vulnerabilities, and compliance issues
Extensibility and integration capabilities to implement additional features and functionalities

You can find even more features in advanced vulnerability scanning software by known vendors such as IBM or McAfee. The list of reliable vulnerability scanners can be extended to include:

Nessus
IBM Security QRadar
Acunetix Vulnerability Scanner
Qualys Cloud Platform
InsightVM (Nexpose)
Netsparker
Amazon Inspector

With so many products on the market, organizations should carefully assess each vulnerability scanner's capabilities before deciding on adopting it. Furthermore, different vulnerability scanners can produce very different results while scanning the same resource or network.

You cannot rely solely on vulnerability scanners for your cybersecurity defenses, as you need a holistic approach that combines passive and active protection, including research and remediation against unknown threats.

Furthermore, the vulnerability management process extends beyond scanning for cybersecurity gaps and involves automated and manual actions to respond, quarantine, and remediate known and unknown threats targeting your organization's IT ecosystem.

The Vulnerability Management Process in Detail

We can start by providing a more complex definition of how the vulnerability management process works. We have already mentioned that there are four phases of vulnerability management:

Research and plan
Scan for vulnerabilities
Define remediation actions
Implement remediation actions

You can rescan as a component of the process, but it belongs to the vulnerability management process's research and plan stage.

Below, you can see how the entire process works by combining automation and manual vulnerability response actions.

How the Vulnerability Management Process Works

Source: ServiceNow

The above chart represents the vulnerability management process in action, and now we will focus on the individual stages through which the process goes.

Preparation and Research

During the preparation and research phase, your security team defines the scope of the vulnerability management process. That being said, a recommended approach is to start small – by scanning a few selected systems and parts of the network – before you proceed with complex scans of your entire IT infrastructure.

Your teams should also agree on which systems and endpoints will be included in the vulnerability scanning process and excluded, regardless of the reasoning behind such a decision.

In any case, you should plan for external scanning to be performed to get visibility about how your cyber defenses look like from the outside. It means that you need to prepare for internal and external scanning and define the scans' exact scope to be conducted.

Your organization should cover as many assets as possible because limiting the vulnerability scanning scope may result in leaving critical security gaps unaddressed.

Vulnerability Scans

After an organization had completed the planning stage, the time comes to run the actual scans for vulnerabilities within the context of the defined scope and types of vulnerabilities to be detected.

During this stage, your cybersecurity team needs to identify the overall number of vulnerabilities across the organization's systems and determine the severity of risks associated with those vulnerabilities.

While you are running scans on your selected IT systems, you can also identify which endpoints and networked components are experiencing excessive loads and take actions to prevent eventual overloading in the future.

Define Remediation Actions

Once the organization's cybersecurity team had analyzed the detected vulnerabilities across the tested systems, they need to plan for and define which remediation actions will be taken in each case. The process involves deciding whether patches will be applied or specific systems will be reconfigured to remove the vulnerabilities.

All risks need prioritization, especially if there is no immediate solution to a specific vulnerability due to patches not being available or specific system configuration requirements.

Implementation of Remediation Actions

Implementing remediation actions should follow a strict procedure in which all detected vulnerabilities are being patched following the drafted vulnerability management action plan.

In implementing the planned remediation actions, your team needs to define alternative steps and procedures where the planned actions prove to be ineffective.

The organization's cybersecurity team completes the process by rescanning the systems included in the vulnerability management process to ensure all risks are mitigated, and no known vulnerabilities are left unpatched.

The rescanning process should be continuous if your organization wants to maintain an acceptable level of protection against hackers being able to exploit known and possible vulnerabilities.

Conclusion

The vulnerability management process is very complex and may involve thousands of machines to scan for existing vulnerabilities and secure against newly emerging vulnerabilities. While an organization running a network of less than a dozen computing devices can cope with vulnerability management challenges, adopting an enterprise-grade process for vulnerability management is usually impossible without having a dedicated team of cybersecurity experts.

One possible solution is to conduct thorough research for a vulnerability-scanning platform that best suits the needs of the organization and then contact a managed security services provider (MSSP) who can implement and maintain the solution in the long run.

The number of vulnerability scans required to complete on hundreds of in-house machines and cloud-based assets is beyond the average organization's capability. Furthermore, hundreds of specific settings can configure and adjust for the vulnerability management process to produce feasible results, so assistance by an expert MSSP is more than advantageous at any stage of the vulnerability management process.

Lumifi has helped organizations create and improve their vulnerability management programs.

Learn More

What is Microsoft Azure Traffic Manager?

bal regions and secure an optimal level of availability and responsiveness for your services.

How Azure Traffic Manager Works

Azure Traffic Manager is directing client requests to the most suitable service endpoint by using a DNS (Domain Name Server). The load balancer examines the health of the endpoints and then applies a traffic-routing method to distribute the traffic.

Below is a sample of a client connection through Traffic Manager.

Client Connections through Traffic Manager

Source: Microsoft

Your Internet-facing endpoints may operate inside, or outside Azure and Traffic Manager is able to take advantage of several automatic failover models. It will route your traffic even in a scenario in which an entire Azure region is experiencing operational failure.

Once you have your Traffic Manager up and running, you get the following core functionalities:

Distribution of traffic by selecting one of several traffic-routing methods.
Uninterrupted monitoring of endpoint health and automatic endpoint failover.

The main advantage is that you can choose between a variety of routing methods for your traffic.

Routing Methods in Traffic Manager

Your organization needs to have the ability to select how your traffic is distributed and which endpoints will have priority in delivering your services. You can take advantage of one of the following traffic routing methods.

Priority routing: You select which endpoints have priority for traffic and which backup endpoints will route traffic in case of failover.
Weighted routing: You allocate a traffic cost and then distribute traffic evenly among groups of different weighted endpoints.
Performance routing: You route your traffic based on network latency and as result, you direct users to the node that offers the best performance.
Geographic routing: You direct users to endpoints by detecting the geographic location of the DNS respective request. Users are directed to the nearest endpoint, which ensures speedy service and compliance with data traffic regulations if data is supposed to circulate only within a specific geographic region.

Multivalue routing: This is available for IPv4/IPv6 endpoints only.
Subnet routing: You can route specific IP ranges to designated endpoints based on the IP addresses from which requests are coming.

Whatever method for traffic distribution you are using, Azure Traffic Manager performs continuous monitoring of the health of your endpoints using either HTTP, HTTPS, or TCP protocols.

Core Features of Traffic Manager

Azure Traffic Manager provides your network administrators with several core features to distribute your traffic seamlessly across Azure regions.

Better Application Availability and Performance

Traffic Manager enables you to continuously monitor your endpoints with automatic endpoint failover, which results in higher availability of your business-critical applications.

You get higher application responsiveness across your cloud services or websites running in geographically distributed by directing traffic to the endpoint with the lowest network latency for each specific client.

No Service Maintenance Downtime

With Traffic Manager, you can direct your traffic to endpoints of your choice and avoid downtime for websites during periods of planned maintenance.

Mix Hybrid Apps

You can use Traffic Manager across various hybrid cloud and on-premises deployments, including the “burst-to-cloud,” “migrate-to-cloud,” and “failover-to-cloud” use-case scenarios as it provides support for non-Azure endpoints.

Usage in Complex Deployments

You can combine multiple traffic-routing methods to use Traffic Manager in increasingly complex deployment scenarios that require flexible and sophisticated routing rules.

How Much Does Azure Traffic Manager Cost?

When you create a Traffic Manager profile, you need to know Traffic Manager that service billing consists of several components. Those include:

The number of received DNS queries.
The number of monitored endpoints.
The number of real user measurements.
The number of data points used to generate Traffic View outputs.

You can view a sample service pricing in the table below.

Source: Microsoft

There are also services fees for traffic view, which is an optional service, and a pricing component for real user measuring, which is also activated at the user's discretion.

Conclusion

Azure Traffic Manager is a flexible load-balancing solution, which offers plenty of features and methods to route your traffic in a way you deem most appropriate. Endpoint health checking and automatic failover capabilities ensure that your users will never experience downtime or service unavailability due to endpoint failures or planned maintenance.

Interested in Microsoft Azure?

Lumifi has helped clients successfully implement Microsoft Azure Sentinel.

What is Microsoft Azure Security Center?

Azure Security Center by Microsoft is a solution that provides unified security management across hybrid cloud workloads. It offers threat protection for data centers within both cloud workloads and on-premises. The platform also works with hybrid clouds that are not part of the Azure ecosystem.

The Azure Security Center is designed to resolve a pressing problem when your organization migrates to the cloud. The cloud customer has to take more responsibilities when upgrading to Infrastructure-as-a-Service (IaaS) as compared to cloud solutions like Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS), where the cloud service providers take care of most tasks related to securing the network and the services.

What Is Azure Security Center?

When moving to an IaaS solution, securing your environment means you need to secure your network ecosystem and services moving to the cloud in a new way as you take responsibility for processes your cloud provider was taking care of within a SaaS or PaaS environment.

Azure Security Center offers a unified platform to secure and manage fast-changing workloads and cope with the challenges of securing your hybrid cloud workloads.

The platform helps your organization by:

Enabling your team to have a clear view of the status of your resources after assessing your environment. Such an assessment gives you an insight into whether your resources are secure
Generating security alerts and providing threat prevention recommendations. Security Center consciously monitors your workloads to detect security rules violations
Provisioning services automatically since the Security Center is a native part of the overall Azure solution. This way, you can deploy Security Center seamlessly within your Azure-powered environments

With Azure Security Center, organizations can control the security of an ever-growing number of services under constant threat by a growing number of sophisticated malware.

How Azure Security Center Works

There is no need to specifically deploy Security Center if your organization is already using Azure. Security Center natively monitors and protects Azure PaaS services such as Service Fabric, SQL Database, SQL Managed Instance, and your storage accounts.

Security Recommendations and Alerts

The tool also protects non-Azure Windows and Linux servers, on which you run services in the cloud or on-premises. Security Center auto-protects also virtual machines running in such environments. The protection of your systems is materialized by Security Center installing the Log Analytics agent on all virtual and physical machines.

After that, Security Center processes and analyzes the events it collects from the agents and from Azure to deliver custom recommendations on how to secure your workloads. It generates security alerts for your IT security team to assess and ensure no malicious code is attempting to penetrate your perimeter.

Security Policies Enforcement

Once you have Azure Security Center up and running, you start getting security recommendations and security alerts that help you harden your network security in the cloud.

This way, your team can more easily identify the required measures to take and adopt the recommended security-hardening measures across your entire IT ecosystem, including servers, end-points, data services, and business applications you are running.

Security Center enables you to enforce your specific security policies across diverse environments consisting of non-Azure servers, Azure virtual machines, and Azure PaaS services. Thus, you can ensure that all devices and services are operating in compliance with your security policies and the recommended security best practices.

As organizations witness new subscriptions created regularly, Secure Center offers a feature that identifies and labels Shadow IT subscriptions. Such functionality enables your team to quickly spot new and uncovered subscriptions and take immediate actions to ensure those are covered by your policies to be compliant and protected.

Discovery of New Resources

A mid-size or large organization runs dynamic workloads where new resources are being deployed day in and day out. Automated resource discovery is one of the Security Center features, allowing you to check if any new resources comply with the security best practices in place.

Security Center generates lists of recommendations on what you need to fix and enhance to protect your digital assets better.

Source: Microsoft

Once Security Center finds new resources deployed across your workloads, it assigns them a score for security and groups the recommendations into security controls to make it easier for you to prioritize what security measures you should implement most urgently.

Mapping Your Network

Azure Security Center creates a network map for your network, showing your workloads' topology and enabling you to check if each node is configured as required for maximum security.

Source: Microsoft

Having a complex network topology requires your team to have such a tool at their disposal to have the full picture of the available network connections and evaluate the possible weak points. A network map is indispensable when you need to find network nodes where unwanted connections may enable a bad actor to penetrate your perimeter.

Pro-Active Threat Protection

Although security recommendations and network maps are considered the most powerful Azure Security Center features, the solution would not have been complete without offering capabilities to protect your digital assets against cyber threats proactively.

Secure Center can identify and prevent threats at the IaaS layer as well as PaaS in Azure. It offers the same protection for non-Azure servers across your networks.

The tool features forensics capabilities enabling your team to investigate how and where an attack originated, how it evolved to spread across your network, and how the attack affected your resources.

Security Center integrates natively with Microsoft Defender Advanced Threat Protection to automatically protect your Windows and Linux machines. You can automate application control policies on server environments to get adaptive application controls and thus take advantage of end-to-end app approval listing across your Windows servers. The entire process is entirely automated, so you need not create rules and check for violations.

Once you have these security features running, you get protection for:

PaaS protection: Detection of threats against Azure services such as Azure App Service, Azure SQL, Azure Storage Account, and others. Integration with Microsoft Cloud App Security's User and Entity Behavioral Analytics (UEBA) enables you to detect abnormal behavior on your Azure activity logs
Brute force attacks protection: You can limit access to virtual machine ports and prevent unnecessary network connections. Secure Center enables you to enforce secure access policies on selected ports for specific authorized users and, in the meantime, set a limited access time period for specific IP address ranges or individual IP addresses
Data services protection: You can assess Azure SQL and Storage services for possible security holes and get recommendations on how to mitigate security risks
IoT and hybrid cloud workloads protection: You can take advantage of Defender for IoT for adaptive and intelligent threat protection and response. This tool protects your workloads running on edge clouds, on-premises, in Azure as well as other clouds

Since Azure Security Center is part of a broader product offering, organizations can easily integrate it with other solutions such as Microsoft Cloud App Security and Windows Defender Advanced Threat Protection. At the same time, native integration is available for Azure Policy and Azure Monitor logs.

Summary of Azure Security Center's Core Features

In short, Azure Security Center features the following core capabilities:

Unified security management on-premises and across various Azure and non-Azure clouds
Threat detection for Azure services, networks, servers, and virtual machines
Adaptive and automated application controls
Centralized security policy management to comply with internal policies and regulatory frameworks
Prioritization of security recommendations and alerts to take immediate measures concerning the most critical vulnerabilities
Continuous security assessment for machines, networks, storage and data services as well as applications running across organizations' environments

Pricing tiers start from around $15 per node per month.

Conclusion

Azure Secure Center is suitable for small and large organizations alike. It offers pricing tiers calculated on per-node usage i.e. you pay on a pay-as-you-go basis. You can add as many as you want servers, app services, SQL databases, storage transactions, IoT devices, and other services.

What you get is a unified security control and security management center whose unique product proposition is the delivery of continuous recommendations about security vulnerabilities and security best practices across your networked resources and cloud workloads.

The integrated security solutions enable your IT security team to pro-actively detect and investigate threats and abnormal behavior while dissecting the full history and impact of a cyber-attack.

Interested in Microsoft Azure Sentinel?

Lumifi has helped countless clients implement Microsoft Azure Sentinel.

RSA Cloud Security Solutions

RSA Security LLC is one of the leading providers of network security services focusing on encryption and data security. Launching their services back in 1984, they are a global security company gradually transforming their business to protect organizations in the cloud.

Cloud security is not just a growing business but also an irreversible trend in cybersecurity. Virtually any organization must perform at least part of its operations in the cloud. The transition to cloud-based operations has been occurring for over a decade, but organizations still struggle to adopt adequate cloud protections—even while cyber threats grow in sophistication.

The market for cloud computing services reports tremendous growth in the past three years, tripling revenues from $8 billion to $26.3 billion in the third quarter of 2019. It is a vast and lucrative market driven by an ongoing cloud transformation. This market also boosts the growth and demand for cloud security services as data becomes the most wanted and valuable commodity for hackers.

Booming Cloud Services Market Requires Better Cloud Security

Source: Statista

RSA cloud security solutions are among the market products your organization should undoubtedly consider when planning for a secure transition to the cloud and heading toward a successful digital transformation.

What Kind of Cloud Defenses RSA Offers

RSA does not develop a single cybersecurity product. Their core business is data and identity protection through the development of encryption standards and related security technologies.

The company offers a suite of cybersecurity tools, which helps organizations define their IT security policies and implement those policies and rules in fields such as:

Setting application and user access policies in cloud environments
Performing security and threat monitoring in the cloud
Managing the security, resiliency, and compliance risks when using third-party cloud services
Benchmarking cloud security measures in place against industry standards and best practices.

The company's Risk Framework for Cloud Transformation is specifically useful when an organization needs to assess its existing cloud security capabilities and benchmark those capabilities against a set of established industry standards and best practices. Their cloud security service also assesses one's abilities to mitigate and manage the risks associated with transferring and running business operations in the cloud.

Cloud Security Challenges RSA Tries to Address

The three most common risks associated with doing business in the cloud:

Failure to comply with regulations such as HIPAA, GDPR, PCI DSS, etc
Identity theft while using a service or platform
Malware infections and data breaches

As more businesses move to the cloud there will continue to be emerging threats. Those include the need to secure access to multiple cloud services and guarantee secure cloud access on numerous and different mobile devices. Endpoints have expanded to include servers, personal computers, IoT devices, and workstations.

Both the growing use of mobile devices to access corporate networks and cloud services and the adoption of Bring-Your-Own-Device (BYOD) policies are only two factors preventing security teams from having a comprehensive view of their cloud environments. RSA cloud security solutions try to resolve the problem by enabling in-house security teams to have the whole cloud ecosystem picture before them and pro-actively seek and detect threats.

As cloud adoptions grow both in members and business functions they serve, it is getting harder for an organization to correctly identify and assess all the associated risks to apply proper risk mitigation measures. A consistent security approach is business-critical in a cloud environment in which one has multiple and intertwined services running simultaneously.

Specific Cloud Security Solutions by RSA

The nature of the cloud computing service models and the varied provider and client infrastructures eliminates the possibility of having an all-in-one cloud security platform that solves all the problems and cloud security challenges.

No leading cybersecurity services provider offers a silver-bullet solution for cloud security, and RSA is not an exception to that rule. Instead, they develop and manage several cloud-based tools to protect both access to cloud services and secure data stored in the cloud. Their overall product offering also includes tools for risk evaluation and risk mitigation in the cloud.

RSA Archer Suite

RSA Archer Suite runs as a Software-as-a-Service (SaaS) or on-premises platform that helps organizations manage multiple dimensions of risks associated with the cloud.

The solution aims to apply all the same taxonomies, policies, and metrics to all risk data, resulting in better efficiency and increases visibility for all stakeholders.

It offers an integrated risk management platform from which teams can manage cloud security and regulatory compliance risks. Those capabilities enable organizations to make informed decisions on managing cloud risks in the specific context of their business operations.

RSA NetWitness Platform

RSA NetWitness Platform is a security tool to collect and analyze data from multiple sources such as service logs, packets, net flows, and endpoints. The platform collects data from physical, virtual, and cloud computing systems.

The platform applies threat intelligence when processing the data it collects and applies the respective business context to the findings. Thus, it aims to achieve faster threat detection and incident response, which prevents malware from spreading across corporate networks and minimizes the risk of massive data breaches and data loss incidents.

RSA SecurID Suite

RSA SecurID Suite is RSA's answer to the ever-growing number of ID thefts over the Internet and in the cloud. The tool secures compliance with multiple data security standards and regulations by verifying the user identities for accounts accessing both on-premises digital assets and corporate data and services in the cloud.

It uses multi-factor authentication combined with identity governance and lifecycle controls without making access to cloud assets over-complicated. Those capabilities enable organizations to maintain secure access across complex cloud ecosystems and in a dynamic user context.

RSA Risk Frameworks

RSA Risk Frameworks is not a software solution for cloud security but a service offering, which proposes to evaluate an organization's preparedness to face the cloud security challenges and maintain safe operations in the cloud. The unique product offering covers four areas of cloud risk mitigation: cyber incident risk, third-party risk, dynamic workforce risk, and multi-cloud risk. The RSA team also comes out with a detailed roadmap for filling any security gaps identified in the evaluation process.

Conclusion

The cloud has never been a safe place, as bad actors have always preferred to target cloud-based services because a single successful data breach gives them access to multiple accounts, login credentials, and a variety of sensitive data.

The challenges of running secure business operations predominantly in the cloud are coming from two directions. The growing complexity of hybrid business models and IT architectures, combing on-premise, and cloud-based systems are getting harder to manage and oversee. Besides, the number and complexity of cyber threats increase, seeking to exploit the slightest vulnerability in a connected network.

The need for implementing feasible cloud security measures is critical for an organization's business continuity strategy, and protecting both cloud-based services and on-premise systems that connect to the cloud is a matter of business survival.

Is your organization looking into RSA services?

Google Chronicle vs Splunk

Alphabet’s announcement concerning the inclusion of big-data security into Chronicle led to a 5% drop in the value of Spunk’s shares and sparked a debate on which security information and event management (SIEM) tool supplies better options.

As with many comparisons, a definite answer on which SIEM tool is best is one that comes with many grey areas as each security tool comes with features that excel in diverse ways. To ease your decision-making process while ensuring the comparative analysis used is fair to both industry giants, the following criteria will be used:

Collaboration and Social Business Intelligence: This criterion refers to the capacity of a SIEM tool to collaboratively generate user data across social networks and platforms to receive business insight.

Cloud Business Intelligence: As more enterprises rely on the cloud, virtual networks, and application to run specific operations, access to cloud BI is an important feature for SIEM tools.
Mobile Exploration and Authoring: This criterion focuses on the ability to generate and deliver content to mobile devices while taking advantage of the features of mobile devices.
Analytics, Dashboard and Interactive Visualization: Ease of use for both technical and non-technical individuals is an important consideration for enterprises. This criterion focuses on the interactive support each tool provides.
Platform Administration: This criterion focuses on the tools both options offer for administration, monitoring, and reporting security incidents.
Customer Experience: Feedback from security teams that have used both options play a key role as it has hands-on information about the performance of the specified SIEM tool.

Collaboration and Social Business Intelligence

Splunk supports log collection from all types of assets which include devices, networks, supporting security tools, and social media platforms to generate accurate security data and reports. Thus, if you have multiple log sources consisting of related data, Splunk automates the correlation and triangulation needed to make sense out of a multitude of security-related data.

Chronicle offers extensive features for extracting security data from enterprise security telemetry regardless of the data size the enterprise generates. This simplifies the threat hunting and discovery process across collaborative networks for security teams.

Cloud Business Intelligence

Splunk enables security teams to turn operational-wide security intelligence into enterprise activities. The operational-wide security takes into consideration private, public, and hybrid cloud architecture. Splunk’s approach to cloud BI is vendor-neutral and it can be deployed as a SIEM tool across a variety of cloud platforms. Splunk offers an Enterprise Security Product which ensures continuous monitoring while supporting near real-time incident responses for discovered threats. Splunk Enterprise Security solution also provides investigation capabilities and threat intelligence through advanced data analytics and machine learning.

Alphabet’s interest in Chronicle means it’s traditionally a part of Google Cloud and it acts as the SIEM tool for most Google Cloud applications. Chronicle is built on core Google infrastructure which means it offers infinitely scalable storage features for capturing cloud data and evaluating them to receive threat intelligence. The threat detection features Chronicle offers is backed by Google Cloud Security expert teams and their in-house threat intelligence platform VirusTotal. Chronicle is also vendor-neutral and can be deployed within varying cloud architecture.

Mobile Exploration and Authoring

Splunk Mobile is one of the captivating suites of features the SIEM tools offer security teams and enterprises for monitoring and managing security incidents. With Splunk Mobile, both technical and non-technical users have access to a simplified mobile dashboard which eases the process of decision making. Authorized decision makers can take specific actions right from the Splunk Mobile application based on received alerts and reports.

Chronicle offers mobile exploration features and extensive authoring capabilities to security teams. Although there’s no dedicated mobile app, Chronicle supports authoring for individual devices and leverages the cloud to ensure reports can be accessed and actions taken using authorized devices from any location. Splunk has been in the SIEM game decades before Chronicle’s entrance but the recent release of Chronicle’s Back Story shows that consumers should expect more mobile exploration features soon.

Analytics, Dashboard, and Interactive Visualization

Like most Google-backed initiatives, Chronicle attempts to ease the process analytics and threat intelligence through automation. The automated analytics incentives Chronicle offers include automatic threat detection and analysis using its VirusTotal tool and an analytical engine to discover both known and unknown threats. The SIEM tool also relies on Uppercase, a threat signal solution that provides built-in threat signals with every discovery. Chronicle offers an interactive dashboard which can be customized to showcase the results of its automated analytics and provide insight into security incidents.

Splunk also provides a customizable dashboard and makes use of features such as asset investigator, statistical analysis powered by Splunk Enterprise Security, visual anomaly detection, and protocol intelligence for its analytics. Where visualization and interaction are concerned, Splunk offers a Natural Language Platform which allows security teams to analyze collected data through voice searches. Splunk also offers visualization options such as the Splunk Mobile and Splunk TV to provide security teams with diverse ways of accessing security data.

Chronicle’s automated analytics is a feature that many enterprises with non-technical experience consider as an important criterion when choosing a SIEM tool. Splunk’s multiple visualization options and customizable dashboards are selling points for its SIEM offerings. Thus, both SIEM options do excellent jobs with analytics and visualization.

Platform Administration

Chronicle is basically a plug and play SIEM solution for enterprises looking to get started with securing endpoints without the need for any technical knowledge. Chronicle helps security teams connect the dots to a security incident and discover related activities without having to take any actions. The entire solution is turnkey, and its functions require no management from you.

Splunk requires some configuration and setup to determine administrative responsibilities and security actions. Many security teams believe the configuration flexibility Splunk offers helps with customizing threat detection and response strategies. The process of creating a dashboard is quite user-friendly but a learning curve exists for customizing dashboards.

Customer Experience

Feedback from end-users of both SIEM tools highlight their impact on discovering threats in enterprise IT infrastructure. The positive feedback for Chronicle generally focuses on the ease of use it offers and its ability to automate threat detection and incident response. The affordable subscription rates associated with chronicle is also a plus for many end-users. In terms of negative feedback, the limited visualization options Chronicle offers have proven to be a challenge for security teams.

Positive feedback on Splunk is centered around its extensible features and threat detection and incident response capabilities. The negative feedback concerning Splunk focuses on the difficulties with configuration and the cost of using the services it offers. In conclusion, Splunk still offers more SIEM features and capabilities compared to Chronicle while Chronicle is easier to use and more affordable for enterprises looking for a best-in-class SIEM tool to enhance security strategies.

Which is best for your organization?

Decisions on which cloud SIEM works for your organization is rarely made in a vacuum. If you are looking for experienced engineers, make sure to contact Lumifi for a no-cost consultation.

Our MDR offerings go hand-in-hand with SIEM offerings and are compatible with both Splunk and Chronicle.

Mimecast: Outlook Plugin

Mimecast is a security company that offers solutions for corporate users to secure their email communications along with threat detection technologies.

Mimecast Outlook Plugin is a tool that works on Microsoft Exchange servers to protect your email platform within the widely used Outlook platform, covering a variety of threats.

How the Mimecast Outlook Plugin Works

Mimecast for Outlook enables users to access Mimecast email protection and other security services inside the Outlook interface.

Unlike other email protection services, the Mimecast Outlook Plugin connects you to cyber defenses beyond spam filtering. It also protects you against spear-phishing attacks, impersonation attacks, internal email threats, and ransomware threats.

Mimecast Targeted Attack Protection detects spear-phishing threats both inside and outside your perimeter while neutralizing brand imitation outside your perimeter.

While guarding you against impersonation, the solution also connects you to tools that monitor your internal email communications to detect compromised email accounts and accounts that are being taken over.

The Outlook Plugin also unlocks Mimecast features that detect ransomware before the malicious code breaks into your systems and finds malicious internal emails.

Features of the Mimecast Outlook Plugin

Apart from connecting you to the Mimecast’s security platform, the Outlook Plugin provides you with additional email continuity and regulatory compliance features.

Users can archive messages and search within extensive message archives containing both files and documents. There is an option to report potential spam to Mimecast and manage blocked and permitted senders.

The solution allows you to send and receive email messages even during periods of service outage and switch between multiple accounts you are permitted to manage.

System administrators can specify messages, attachments, or message types that are assigned a special status and are not delivered directly to a user’s email box. Those messages are kept in quarantine in a space called Hold Queue. Then, the user can perform specific actions to retrieve, permit, or block the messages in the queue, if the recipient considers the respective message is safe.

Conclusion

Mimecast Outlook Plugin connects enterprise users to a complex set of email protection tools that work in the content of the Microsoft Exchange server and the familiar Microsoft Outlook email messaging platform. It arms you with some unique features such as protection against impersonation and monitoring of internal email accounts for breaches.

Google VirusTotal Overview

Lumifi has been working with leaders in malware detection and threat intelligence for years. As we launch our cloud-native Managed Detection and Response offering with Google Chronicle, we are also integrating with VirusTotal.

Read our comprehensive guide to VirusTotal and its free and enterprise features.

What is VirusTotal?

Google’s VirusTotal is a web-based scanner that utilizes over 70 antivirus scanners and URL/blacklisting services, among other tools, to extract signals from uploaded content. VirusTotal accepts files, URLs, and is searchable.

Submissions can be made via public web interface, desktop uploader, browser extension or programmatic API.

Upon submitting content to VirusTotal, basic results are shown to the submitter and shared with examining partners who use the results in their own systems. Submissions contribute directly to the VirusTotal security community.

History

VirusTotal was created by Spanish security company Hispasec Sistemas, launched in 2004. It was acquired by Google in 2012 and was moved under Chronicle in 2018.

Results & Real-Time Updates

VirusTotal tells users whether they have submitted a malicious file and will also display each engine’s detection label. Some engines will provide additional information such as if a given URL belongs to a certain botnet, which brand is targeted by a phishing site, etc.

VirusTotal uses the latest signature sets to detect malware. As soon as a contributor blacklists a URL it is immediately reflected in user-facing verdicts.

Community

A unique aspect of VirusTotal is its community features. Data is not only ingested from various antivirus engines, scanners, file inspection tools, URL analyzers but the VirusTotal community.

Their platform allows the antivirus industry, security professionals, malware researchers, and more to collaborate. The system works on a vote and reputation score to help provide the most reliable and helpful answers.

Joining the community gives members a VirusTotal public API so they can write scripts to automate scans and lookups.

Users will be able to rate and place comments on files and websites. Comments range from disinfection instructions to reverse engineering reports.

Contributors

While VirusTotal is an independent product from Google, it aggregates information from many industry services like antivirus products, domain scanning engines, behavioral analysis solutions, and file characterization tools.

VirusTotal is independent of any one agency or product. It makes clear that they are not tied to any companies or individuals in any way to provide unbiased results. They also do not claim responsibility for false positives by any of the resources.

You can find a complete list of contributing products here.

Enterprise Features

Chronicle now offers enterprise features with VirusTotal. While the licensing can get quite expensive, the features greatly aid in threat hunting and forensic investigations.

VirusTotal Intelligence

VT Intelligence boasts huge scale search engine capabilities, having been built on Google’s infrastructure, with in-depth profile characterization of malware. Users are able to search VirusTotal’s 2.4 billion file dataset in record speed.

VirusTotal Hunting

VT Hunting uses YARA and the VirusTotal database to track the evolution of certain threat actors, malware families, and automatically generate IoCs.

Users can get notified whenever a YARA rule matches and receive in-depth information on matches, including pertinent files for offline study.

VirusTotal Graph

Visualize VirusTotal’s massive database with VT Graph. Analysts can see connections between files, URLs, domains, IP addresses and other items for investigations.

The tool creates icons to easily visualize file types, countries, and other visual cues to detect patterns and aid in investigations.

VirusTotal Monitor

VT monitor allows users to scan files periodically against the latest antivirus signature sets. They are able to receive alerts when one of their tracked files changes.

VirusTotal Premium API

The VT API allows users to automate certain reports and tasks by generating API access to VirusTotal. The premium API has the following advantages over the public API:

Pick a request rate and daily quota
Reports extra data like VBA code stream warnings, source metadata, ExifTool output, IDS output for recorded network traces, etc.
Includes metadata exclusive to VirusTotal such as first submission date of a given file, list of file names associated to a submission, submission countries, prevalence, etc.
Gives access to behavior details around files produced by executing Windows Pes, DMGs, Mach-Os, and APKs in a virtualized sandbox environment
Exposes whitelisting and trusted source information
Allows users to perform complex search sample queries
Exposes file clustering and similar search calls
Enables the download of submitted samples for further research, along with network traffic captures they generate upon execution and detailed execution reports
Strict License Agreement (SLA) that guarantees availability and readiness of data

Google Chronicle + Lumifi

Lumifi has been providing best-in-class managed detection and response services for over a decade. Our newest cloud-native solution with Chronicle is a continuation of our dedication to providing white glove consultative services with world-class results.

We have assisted our clients in using cloud-native solutions for a hybrid or complete cloud architecture. Choosing an MSSP with a consultative approach will ensure your organization picks the solution that best fits your business operations and future goals.

Partnering with Google gives our talented team of security engineers and analysts access to unparalleled threat intelligence and forensic abilities within our clients’ networks. Queries are speedy and increase efficiency. Chronicle and Lumifi are also aligned with the MITRE ATT&CK framework.

If your organization is considering Google Chronicle, contact us for a no-cost consultation to see if Lumifi is right for you.

We have experience migrating, building from scratch and hybridizing cloud security as well as serving as a complete outsourced SOC or co-managed environment.

SentinelOne: Security Integrations

SentinelOne is known for its AI-driven endpoint security protection platform (EPP). The lightweight agent integrates with leading security tools and platforms. Their team regularly announces partnerships and development with best-in-breed tools.

API-First Approach

SentinelOne was created with an API-first approach, made to interface seamlessly with leading security tools. Their current automation integrations include SonicWall, Fortinet, Splunk, QRadar, LogRhythm, Demisto, Phantom, and even Alexa.

Lumifi understands the importance of API integrations. Our SHIELDVision orchestration tool aggregates data and logs across our clients’ environments to help find zero-day exploits. Being able to integrate with SentinelOne enables us to take our service one step further in the cloud.

Security information and event management (SIEM)

SIEM tools are one of the most powerful instruments for providing in-depth context around a network’s security. SentinelOne’s EPP integrates with cloud-native solutions like Google Chronicle.

Chronicle Integration

Google’s cloud-based SIEM has been a silent giant in the cloud security realm. Lumifi is working with Chronicle to provide data stewardship and compliance support to clients, even in the sub-100 employee count.

Learn more about our Cloud-Native MDR Services here.

SentinelOne also lists Splunk, Sumo Logic, LogRhythm and IBM QRadar as SIEM integrations.

Threat Hunting and Orchestration Tools

SentinelOne on its own has a dashboard that aggregates and compiles data streams from across an organization’s network.

Lumifi takes SentinelOne to the next level with our cloud-native managed detection and response service. We utilize our proprietary automation and orchestration tool, SHIELDVision, to act as a force multiplier to provide 24/7/365 real-time alerting. It integrates with SIEM, Endpoint, Email and Firewall solutions.

Through our multi-source intelligence feed integrations and in-house threat content team, SHIELDVision allows our ASOC to be nimbler and more efficient than our competitors.

Our technology allows us to threat hunt across multiple client environments for potential vulnerabilities. We are also able to perform forensic analysis and investigations for clients regarding a breach or vulnerability.

User Endpoint Clients

Here is a list of user endpoint clients that SentinelOne integrates with:

Windows XP, 7, 8, 8.1, 10
Mac OSX 10.9.x, 10.10.x, 10.11x, macOS
12x macOS 10.13 (High Sierra)
CentOS 6.5, 7.0, 7.2
Red Hat Enterprise Linux 6.5, 7.0, 7.2
Ubuntu 12.04, 14.04, 16.04, 16.10
openSUSE 42.2

Server Endpoint Clients

Here is a list of server endpoint clients SentinelOne integrates with:

Windows Server 2003, 2008, 2008 R2, 2012,
2012 R2, 2016
CentOS 6.5, 7.0, 7.2
Red Hat Enterprise Linux 6.5, 7.0, 7.2
Ubuntu 12.04, 14.04, 16.04, 16.10
SUSE Linux Enterprise Server 12SP1
Oracle Linux 6.5 - 6.9, 7.0+
Amazon Linux (AMI) 2016.09+, 2017.03+

Virtual Environments

Here is a list of virtual environments that SentinelOne integrates with:

Citrix XenApp, XenDesktop
Microsoft Hyper-V
Oracle VirtualBox
VMware vSphere
VMware Workstation
VMware Fusion
VMware Horizon

The Lumifi Difference

SentinelOne’s Singularity platform offers powerful integrations. From deployment to management, Lumifi has been able to help our clients utilize SentinelOne’s full potential. Our team of security engineers can assist with advanced tool tuning and deploy custom runbooks to run SentinelOne even more efficiently.

Powerful tools only work as well as the people wielding them. Lumifi has a direct partnership with SentinelOne to provide scalable cloud security 24/7/365.

If your organization is considering SentinelOne, make sure you partner with the best in managed security service providers. Lumifi has been a part of the industry for over a decade and is still on the forefront of cybersecurity solution architecture and management.

What are Managed Security Services?

The use of managed services is growing as organizations struggle supervising multiple sophisticated software systems and advanced corporate networks. One specific area of company outsourcing is the implementation and management of cyber defenses to protect digital assets against ever-evolving security threats.

Managed Security Service Providers (MSSPs) address several business-critical issues organizations face when it comes to cybersecurity. A managed security service provider can assist in creating and deploying complex security infrastructure, managing platforms and tools, performing incident response, and providing continuous 24/7/365 monitoring.

The market for managed security services continues to grow due to an increased complexity of modern cyber security systems that requires adoption of well-thought security policies, incident response planning and recovery strategies. The managed security services market reports an impressive growth from $1.8 billion in 2011 to over $6 billion in 2019.

Source: Statista

Organizations hire third-party service providers to manage their cyber security operations due to lack of expertise and knowledgeable employees to handle a growing number of evolving cyber threats. Businesses must continuously protect against bad actors, but often only large enterprises can properly build and staff a security operations center enough to compete with MSSPs.

Security Salaries

Often companies will make the mistake of only counting the cost of building a Security Operations Center (SOC) by the fees associated with constructing a facility and purchasing licenses for best-in-class software and solutions.

By only counting the physical needs, it discounts the cost of experienced, trained security professionals.

The average security engineer costs $99,834 per year, according to Glassdoor
The average cost of an information security analyst is $98,350 per year, according to U.S. News
The average cost of a Security Operations Center Manager is $99,102 per year, according to Salary.com

Good talent is hard to find...and keep. The SANS Institute’s 2019 SOC survey found that 57.7 percent of SOCs said the lack skilled staff.

Leading MSSPs will provide talented, experienced security engineers, analysts, and managers.

MSSP vs MSP: What’s the difference between a Managed Security Service Provider and Managed Service Provider?

Managed Security Service Providers (MSSPs) offer Security-as-a-Service solutions to organizations and businesses of all kinds.

The rise of managed services began some two decades ago with Managed Service Providers (MSPs) who offered services to install and maintain business software solutions such as email services, cloud platforms and a variety of business software. MSPs focus on operations and primarily deal with the maintenance of business systems remotely or in-house.

MSSPs focus on security and generally do not provide additional services such as support and maintenance of business systems like Enterprise Resource Planning (ERP) software, Customer Relationship Management (CRM) systems, or network administration.

The primary role of a MSSP is to make sure an organization’s systems are safe and compliant with cyber security standards and best practices.

While managed service providers take care of updating and patching the software, a managed security provider performs these tasks at larger scale.

An MSSP can help a company’s security team make better security decisions by patching and updating all software systems, auditing an entire digital environment, and collecting vital operational data.

	Managed Security Service Provider (MSSP)	Managed Service Provider (MSP)
Focus	IT Security	IT Administration
Objectives	Secures hardware, software and business systems	Ensures easy use of digital assets
Management	MSSP deal with all security threats. Implements measures for remediation, early detection and recovery	Manages essential systems and administration of networks
Security Measures	Protects against existing malware and analyzes new threats to provide proactive cyber defenses	Deals with updates and patches
Risk Mitigation	Analyzing current and possible vulnerabilities on a regular basis	Risk mitigation is limited to installing patches and updates
Security Level	Advanced to very advanced	Basic to medium

Managed service providers focus on usability and performance, while MSSPs focus on all aspects of security.

An MSSP begins with an evaluation of a company’s digital assets and existing security tools. The security service provider then consults on gaps across the system and can suggest solutions, including implementation of hardware and security software. Only after security gaps are filled will an MSSP be able to provide reliable, continuous service to protect an organization from advanced and sophisticated cyber threats.

Top MSSPs will also proactively find and research the latest cyber threats and identify possible threats such as viruses, Trojans, ransomware and spear phishing email campaigns.

Strategic and Everyday Solutions by MSSPs

Once the initial evaluation by an MSSP is complete, a managed security provider may deploy, configure and manage several technologies such as:

Security Information Event Management (SIEM) platform
Endpoint Protection Software
Cloud Security tools
Email Security
Intrusion Prevention Systems (IPS)
Identity Access Management (IAM)
Privileged Access Management (PAM)
Data Loss Prevention (DLP)
Vulnerability Scanning
Threat Intelligence

Other services and solutions within a MSSP offering can cover areas such as deployment and management of virtual private networks (VPNs), firewalls, antivirus suites, anti-spam, web content filtering, and patch management.

Along with the deployment and management of security technologies MSSPs can offer a wide array of consulting services to draft and implement a thorough cyber security policy.

Each company requires unique data validation and tuning in order to run efficiently and reduce alert noise. Turnkey or one-size-fits-all solutions can do more harm than good for a company. It is of utmost importance to have a cyber-security strategy that is tailored to the needs of your organization.

Companies must make sure to hire MSSPs that have experience with companies of all sizes and industries.

Additionally, it is important for enterprises to use MSSPs that are tool-agnostic and can integrate data seamlessly across all technology solutions, requiring experienced security engineers.

A competent MSSP can help a company reach their strategic security goals, such as:

Risk assessments and gap analysis
Active threat hunting
Resilient policy development and risk management
Solution/tool research and requisition
Reporting, auditing, and compliance
Training and education

Some MSSPs specialize in a combination of specific security services while others offer the full range of services related to securing complete protection against cyber threats.

Why Hire a Managed Security Service Provider?

Leading organizations must have a proactive approach toward cyber security. Currently, only multinational and large corporations have shown to have adequate resources to implement resource efficient and cost competitive in-house security operations.

An organization whose primary business is not cyber security will always lack expertise, even if they can hire expert IT staff. Cyber threats are evolving rapidly, with each day bringing new viruses and malware and new firmware and software vulnerabilities.

Unless companies are prepared to make hefty investments in hardware, software and expert cybersecurity analysts, they should outsource business critical tasks to an MSSP that can:

Assess specific needs and requirements, deploy and manage cyber security tools 24/7/365
Continuously search for vulnerabilities across an IT ecosystem, and actively hunt for threats
Provide immediate response to any incident such as preventing the spread of malware across a system leading to loss of critical business data
Help with regulatory compliance in the field of privacy, security and data protection (HIPAA, CCPA, FINRA, Sarbanes-Oxley, etc.)
Implementation of custom plans for data recovery to secure business continuity in case of ransomware or data breaches

Unlike MSPs which usually operate at local or regional level, MSSPs have global operations which allow them to see the big picture of evolving threats and vulnerabilities your systems may have.

Conclusion

Globally, the average cost of a data breach is $3.92 million and takes an average of 279 days to detect and contain a data breach, according to an IBM/Ponemon report. In the United States alone it costs $8.9 million on average for a data breach and 245 days to detect, on average.

These are frightening figures even for a multinational corporation, not to mention small to medium sized enterprises.

These figures suggest organizations can cope with today’s cyber threats by choosing between two options: building a strong in-house security team that will likely cost in the millions or outsource your security operations to a leading MSSP equipped with multiple security engineers, analysts, and developers for much less.

The Lumifi Difference

Lumifi has been a leading managed security services provider for over a decade. But we don’t let our experience stand alone, we also hire and retain top talent in order to stay ahead of the curve. Our security engineers and analysts are monitoring our clients’ networks 24/7/365 from our US-based SOC 2 Type II facility. Our engagement team provides unparalleled high-touch service and our product management team ensures we provide integrations with the world’s leading security technologies.

If you are looking to hire the best in managed security service providers contact us today.

VIDEO: Remote Workforce Roundtable Interview with Greg Foss

The full interview with Greg Foss, Senior Threat Researcher at VMware Carbon Black an endpoint protection focused cybersecurity solutions provider. The interview is around the recent shift to a remote workforce due to the COVID-19 pandemic. Topics of the interview include the marketing hype, addressing a remote workforce and moving forward with the Coronavirus implications.

https://www.youtube.com/embed/LyeyP6icI4Q

Questions Include:

What has changed for your organization and how are you dealing with it?
What have been the biggest pain points from customers and how are they addressing them?
How has a sudden increased remote workforce impacted risk for your customers?
Have you noticed any common trends to mitigate this risk?
What are the do’s and don’ts?
As the world gets more accustomed to working remote, how do you see the landscape of cyber security changing?
How does your solution change?

As always, Lunifi strives to be a leader in thought and innovator in the managed cybersecurity space. If you have any questions about how to secure your business during this time, make sure to contact us for a no-cost remote security consultation.

What is a VPN?

A virtual private network (VPN) enables two or more devices to submit and receive data using a secure private connection over a public network such as the Internet.

VPNs use a technology called "tunneling" to establish a secure connection between an organization's network and an outside network through the insecure environment of a public network such as the Internet.

Tunneling is a process that allows a VPN to both encrypt an organization's data in transit and retain its integrity, preventing a man-in-the-middle from reading and changing data packets' content while traveling over a public network. VPN tunneling also enables private browsing by connecting a user to websites through a VPN tunnel.

This connection method, in turn, hides the user's actual IP address and does not reveal the location and computer address to potentially malicious actors monitoring the online space.

What Is VPN Tunneling?

A concise definition of VPN tunneling should emphasize that a VPN tunnel creates an encrypted link between a computer or a mobile device and an outside network. Usually, the connection between the two networks occurs over a public network on which data travels unencrypted by default, including the actual data transmitted and meta-data such as the network and computer address, hardware and software identifiers, and other information.

Sharing meta-data with the outside world and transferring unencrypted data is not a safe practice, as it makes users vulnerable to data snooping, man-in-the-middle attacks, and targeted cyber-attacks.

The process of creating and maintaining a VPN tunnel solves the above problems by hiding the actual IP address, encrypting the data users exchange with an outside network, and transporting it securely using methods to re-packet data in transit.

The Architecture of a VPN Tunnel

Source: OpenVPN

As the diagram shows, a VPN tunnel is a communications concept rather than an engineering method to connect two remote machines using specific hardware and software.

VPN tunneling is a method whose core concept is the encapsulation of data to insulate data packets from other data in the transfer over a network while making the data unusable to unauthorized third parties by encrypting it. Data encapsulation also works as a method to make data packets look like any unencrypted data sent over the Internet and thus avoid unnecessary attention.

How Does VPN Tunneling Work?

Organizations cannot have a physical VPN tunnel as it uses the same IT infrastructure they are using for other networking purposes. Instead, they must employ hardware, software, and encryption technologies to work together in transmitting data over a network and between two locations.

The two main concepts behind VPN tunnels are data encapsulation and data encryption.

Encapsulation works by hiding data packets inside other packets, which in turn enables a VPN software to make data undetectable while browsing the Internet. It works as camouflage for data by making it unrecognizable as sensitive data in transit over the network.
Encryption in VPN tunneling ensures only the user and the intended recipient can read the data you exchange over the network. It works as a data vault – even if someone identifies it as a vault, only the user and those provided with a key can enter the data vault and see what is inside.

Encapsulation and encryption can work on a single machine and without connection to an outside network. When a user comes to the point of transmitting encapsulated and encrypted data packets, they need network protocols to carry data over the network.

Not All Protocols are Equal

VPN tunneling utilizes many protocols that are not equally efficient in securing your data traveling over a public network, however.

Protocols such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP)/Internet Protocol Security (IPSec) and Internet Key Exchange (IKEv2)/Internet Protocol Security (IPSec) are all protocols widely used for tunneling. They are considered slightly outdated and offer less security as compared to a few other network protocols.

Secure Socket Tunneling Protocol (SSTP) and OpenVPN protocol are considered the most secure protocols for building VPN tunnels that are available to the public.

VPN Models

Once an organization agrees on the protocol to use for VPN tunneling, they need to establish a model for initiating a VPN connection. They can select between two main types of VPN tunneling, which are known as 'Voluntary' and 'Compulsory' tunneling.

Voluntary tunneling requires the user to send a request to a VPN server, and then the server creates a VPN tunnel in which the user's device is treated as the tunnel client.
Compulsory tunneling requires a VPN server to create a dial-up access server, which is the tunnel client, for a remote access server to accept and manage connections via the VPN connection.

The choice of a network protocol and connection method for VPN tunneling depends on the specific use-case scenario, but in any case, organizations need to have reliable encryption algorithms in place and adopt measures to enforce the use of a VPN connection.

Conclusion

The concept of VPN tunneling depends on an organization's choice of network protocol to transfer your data in a secure manner and the ability to hide their digital address and configuration details.

Current cybersecurity practices show SSTP protocol and OpenVPN protocols provide high-grade encryption and secure data transfers in the context of a VPN tunnel. OpenVPN network protocol is open source, which allows for fast identification and remediation of possible bugs and vulnerabilities while both SSTP and OpenVPN are hard to block by third parties.

Finally, organizations should be aware that VPN tunneling is efficient only in combination with a resilient cybersecurity strategy that includes managed detection and response, endpoint monitoring, and threat intelligence to combat the corruption of end-user machines.

What is Email Encryption?

Encryption is a method to cypher data that a user sends and receives, as well as data that resides on endpoints and servers.

Any organization must handle Data at Rest and Data in Transit, the former being the data stored on corporate endpoints and servers while Data in Transit representing any message or document employees exchange between offices and with partners and customers.

Email messages make the bulk part of Data in Transit for any organization and securing the content of email messages is not only a matter of common sense but a necessity.

Data protection legislation such as HIPAA, HITECH, Sarbanes-Oxley and GDPR require email encryption to be implemented as a standard business practice across a variety of industry verticals.

Email encryption is the method to turn plain text messages into cipher text that only a person with the appropriate cypher code can decrypt and read upon receipt. Both the email sender and the recipient must share the same encryption key to respectively encrypt and decrypt the message.

Encryption Keys for Email Encryption

A main characteristic of a cyphering code, or algorithm, is to make sure that the email message is unreadable by a third party, even if it falls into the wrong hands. A best-in-class encryption algorithm encrypts your email messages at a level of cyphering that requires many years for a bad actor to decrypt even the simplest message.

How PGP Email Encryption Works

Source: Wikimedia Commons

Email encryption works with asymmetric and symmetric keys with both methods offering similar security level but operating in different ways.

Asymmetric encryption involves a public encryption key anyone can use to encrypt a message and then a private encryption key with which to decrypt the message. The encryption process works by the holder of the private key releasing the public key online or sending it to other users, who then can use to encrypt email messages.

Although the encryption key resides on a public network such as the Internet, only a recipient who has the decryption key can read email messages encrypted with it. An organization can safely place a public encryption key in an asymmetric encryption scenario and then any customer or partner can take advantage of it to send encrypted messages only authorized employees can decipher and read.
Symmetric encryption is using a single key to encrypt and decrypt data. Both the sender and the recipient share the same key to communicate through encrypted email messages.

A software encrypts the message on the sender’s machine and then the recipient’s machine uses the same encryption key to run a decryption procedure and make the email message readable.

Both symmetric and asymmetric encryption offer an acceptable level of security for the average corporate user while deciding which encryption method requires evaluation of multiple factors involved in complex email encryption and email usage use-case scenarios.

Is Symmetric or Asymmetric Encryption Better?

Asymmetric keys used to have a length of 1024 bits before but after several major cyber-security incidents in the past, asymmetric keys now have 2048 bits. A bad actor would need all the computing power now available on Earth and would still need more than 10 billion years to crack an email message cyphered using the RSA asymmetric encryption algorithm, which is widely used to secure business communications.

Symmetric keys also vary in size, but the most common length is 128 bits or 256 bits. Using a secure 256-bit symmetric encryption makes an organization’s communications largely immune to brute force attacks if the encryption key is safe.

Asymmetric keys are bigger and much harder for an attacker to crack the code with which a user encrypts email messages. Encryption feasibility, however, is not only a problem of code’s length but also computational power needed to respectively encrypt and decrypt data. There is also the problem of how to distribute the encryption key to recipients in a way to that keeps them safe.

Symmetric keys are a more bearable computational burden as they are smaller compared to asymmetric keys and still provide an acceptable encryption standard. Encryption is a resource-consuming process. Teams should not underestimate the computing power required to deliver proper email encryption. In this respect, symmetric key has the edge over the use of asymmetric keys.

But symmetric encryption introduces data security risks associated with the exchange of encryption keys between an organization and stakeholders, especially if they reside outside a secure networked perimeter.

Asymmetric encryption eliminates the problem for secure exchange of cyphers by enabling users to freely distribute a public encryption key to anyone and keeping their private key safe within their organization.

Whether to implement symmetric or asymmetric encryption depends on the specific use case and the resources available. Some emailing solutions that use Secure Sockets Layer (SSL) technology for establishing an encrypted link between a mail server and a mail client take advantage of a hybrid cryptosystem that employs both symmetric and asymmetric keys.

Methods for Email Encryption

Organizations usually deploy a gateway-based method for email encryption, in which a specific software operates on the corporate network and is responsible for encrypting and decrypting email communications.

In a client-based model, an encrypting application is running on the sender’s machine and the sender is responsible for cyphering each email he or she sends.

While the client-based model is more flexible, it requires specific attention from employees who should observe applicable company procedures for encrypting one or another message. The gateway-based model treats each email as sensitive information and applies the chosen method of encryption to every email message.

Regardless of the selected approach toward email encryption, the cyphering software relies on one of three types of encryption to code the email traffic:

SMTP STARTTLS is a server-to-server method that relies on SSL certificates. It is the usual method for email providers to secure the content of the email messages passing through their servers.
S/MIME, or Secure/Multipurpose Internet Mail Extensions, is a method that uses email certificates and should be implemented on the user endpoint. This is person-to-person method for email encryption.
PGP, or Pretty Good Privacy, is another person-to-person method for email encryption, where users take care of email encryption. PGP does not use certificates but public keys and features both inline PGP and PGP/MIME.

An organization will typically deploy a solution that relies on either S/MIME or PGP for email encryption. The S/MIME is a standard developed by RSA Data Security, Inc. and requires an organization to obtain a unique security certificate from a Certificate Authority (CA) or from a public CA.

This email encryption standard secures email communications in terms of authentication, message integrity and non-repudiation. It combines a digital signature with encryption to secure an organization’s email traffic.

PGP and its derivative OpenPGP standard both authenticate the sender of an email message and encrypt the text inside the message body. Using PGP in corporate environment requires a software client running on an endpoint or a plug-in. PGP relies on both public-key cryptography and symmetric key cryptography to deliver authenticated and coded email messages.

Conclusion

Having encrypted email communications is both a matter of securing corporate data flowing over public and private networks and of regulatory compliance.

Securing data flowing through the means of email encryption is mandatory for both small and large organizations operating across multiple industry verticals such as financial services, healthcare, payment processing, e-commerce operations and others.

As organizations often use email to exchange sensitive documents such as financial reports, customer information, contracts, vendor agreements, employee medical information or board meeting minutes, adoption of an email encryption solution is a mandatory part of a wider strategy to both secure crucial communications and protect business-critical data.

How a SOC Handles Credential Harvesting

Dealing with credential harvesters has its perks. Day in and day out I get to personally observe how sophisticated a phishing website can be.

Some websites are so elaborate that only a trained analyst can identify them, while others are so obvious no one in their right mind would fall for it. Either way, if it looks suspicious just follow the “POST”.

The “POST” method is one of the many ways the HTTP protocol sends data. The “POST” method is used to submit data to the webserver, which is commonly used to modify a change in state on the server. This is frequently used when logging into your account on another website.

Knowing this, and the using the ingenious “Network” resource in your browser, you can see where you are sending that “POST” request, or more likely, what credential harvester you are giving your username and password to.

Recently, Lumifi's ASOC investigated a credential harvester infrastructure set up by a malicious actor who forgot to use ACLs (Access Control Lists) on their webserver. Because they neglected implementing this important security feature, we were able to navigate backwards through the webserver directories to discover a text file containing a large repository of submitted credentials.

** All data shown below has been sanitized. See the end of the article for a full list of all artifacts that have been changed.

Identification Phase

The reported email:

While reviewing the email, it was identified that the sender (chuck.mallory[@]gmail[.]com) tried to convince the recipient (alice.faythe[@]outlook[.]com) that they missed a phone call and a voicemail is ready for them to listen to if they click on an embedded link.

Embedded link: hXXps://sub-domain[.]badguydomain[.]com/page/index[.]html#alice[.]faythe[@]outlook[.]com

The Initial email received:

Accessing the phishing site

Once we clicked on the link in our sandbox environment, our browser opened and went to a credential harvesting website masquerading as an Outlook login page. Viewing the URL in the browser, we can see that it is not a domain associated with Microsoft. Knowing this, we used Mozilla’s developer tools by clicking the “F12” key and then clicked the Network tab. Instead of using the recipient’s email (which can be seen in the URL), I used an email address that had no association to the recipient’s address and entered in a fake password. After selecting the “sign in” option, the browser then sent multiple GET requests to badguydomain[.]com. However, there was one POST request that was sent to a different domain credential[.]dumping[.]com.

Accessing the credential dumping site

With this HTTP request being observed, we decided to go directly to the webpage hXXps://credential[.]dumping[.]com/page/bridge[.]php.

The webpage presented a blank webpage with no information. I then decided to work backwards through the webserver directories to identify what shares are left open for external users to view. Fortunately, the threat actor failed to secure what shares and files the public can access.

The list of submitted credentials

After clicking on “express.txt”, I could see all the credentials that were captured. This allowed me to identify and notify our customers and some non customers of the compromised email accounts.

This also allowed us to investigate further to see what clients made POST requests to credential[.]dumping[.]com. We then made the appropriate containment and eradication steps by having the affected accounts’ passwords changed, blocked both the credential harvester and the credential dumping site, and finally removed email from all mailboxes.

List of affected email accounts. All told, more than 400 accounts were in this list.

Credential Harvesting Lessons Learned

This is just one of many standard investigation procedures we follow at Lumifi. We pride ourselves on not only identifying threat vectors but investigating thoroughly to discover any and all resources a threat actor may use against a victim. Occasionally, as seen above, this can lead to interesting discoveries and meaningful insights.

Are you interested in Lumifi's threat analysis and ASOC capabilities?
Contact Us Today

**Please see the list of edited items below:
- Senders email address
- Recipients email address
- Details in the email
- Credential harvesting domain
- Submitted credentials domain
- List of affected email accounts, password, location, and IP

What is SCADA and IoT?

Learn about the difference between SCADA and IoT systems and how they work and compare to one another.

What are SCADA systems?

Supervisory control and data acquisition (SCADA) systems have been used for decades to monitor and control production facilities or equipment across industries such as oil and gas refining, energy distribution, water management, waste control and telecommunications.

SCADA systems are in use as a major tool for controlling industrial equipment since the 1960s.

A SCADA system works by collecting data from local and remote sensors and sending data to a centralized command-and-control location from where central computers control remote machinery or plants.

What are IoT systems?

Internet of Things (IoT) systems have emerged recently. IoT systems offer a level of automation within a machine-to-machine communication framework in which machine learning and artificial intelligence usually play a role.

IoT systems include interrelated devices that have unique identifiers (UIDs) and transfers data over a network without interaction.

How do SCADA and IoT work together?

While SCADA systems are standard with industrial systems, IoT adds features and functionality where SCADA ends.

SCADA and IIoT (Industrial Internet of Things) concepts and their overall system architecture face cybersecurity challenges since they are a likely target for advanced hacking groups. Control systems for industrial use are also a desired prey for government-backed hackers, which poses real challenges to the security of SCADA and IoT industrial control systems.

Cyberthreats to SCADA and IoT Systems

SCADA systems usually manage Industrial Control Systems (ICS), which in turn manage machines and other industrial equipment used in industries as varied as oil and natural gas, energy and water utilities, chemical and pharmaceutical, food and beverages, car and aircraft making and durable goods manufacturing. The same is true for industrial IoT networks, which are rapidly expanding across multiple industry verticals.

These are mostly critical industries that operate complex industrial equipment networks, often across continents. If your organization operates a SCADA or an IoT control system, you should be prepared for cyber-attacks coming from three directions:

Groups of hackers that want to plant ransomware on your systems
Competitors who are employing bad industrial espionage practices
Nation state actors who are after your sensitive data or plan for taking over your business-critical production management tools under a more complex scenario.

An industrial control system will never be free of threats as it appeals to many bad actors. The number of identified SCADA vulnerabilities averages between 47 and 467 a year, according to a report by Trend Micro.

Number of SCADA Vulnerabilities Found per Year

Source: Trend Micro

The number of IoT vulnerabilities is even larger when factoring in IoT systems’ untested architectures and the lack of widely adopted standardization, which in turns results in endpoint devices that are vulnerable to various cyber threats.

The existence of zero-day vulnerabilities - which are yet undiscovered vulnerabilities for anyone to exploit - is a pressing issue. Even if an organization operates in a perfect competitive environment, in which corporate espionage does not exist, critical industries and their control systems will always be a target for government-backed attacks and hackers looking for profiteering.

The claim that SCADA systems, and industrial IoT systems to a lesser extent, are not public networks and are thus harder to attack is not valid. Successful cyberattacks on oil drilling operations and nuclear power generation facilities are documented in the Middle East. Additionally, penetrations into energy distribution networks are documented in Europe (in Ukraine), in which case the attackers managed to switch off a few towns and regions off the grid.

These attacks involve both online methods and spear-phishing techniques as well as spread of Trojan malware through portable devices such as infected USB sticks.

Common Attack Vectors

Industry reports show about 40% of all industrial sites have at least one direct connection to a public network such as the Internet. This means that almost half of industrial sites offer the means for an attacker to test their cyber defenses and possibly penetrate their systems.

Bear in mind that many SCADA systems are still using out-of-support operating systems such as Windows XP and many IIoT systems rely on outdated firmware or insecure third-party components.

With the majority of industrial sites having at least one remotely accessible device, other attack vectors include exploiting vulnerabilities such as:

Connecting to a device using a serial interface
Using pre-set passwords or SSH keys for firmware
Capturing of plain-text passwords across ICS networks
No account lockout policies in place
Manipulating the code execution flow of a device to get access to sensitive data

A few years ago, Kaspersky Lab reported that WannaCry malware was used to penetrate the ICS systems of manufacturing companies, oil refining facilities, smart-city infrastructure and electricity distribution networks.

The attack demonstrates how bad actors penetrate a SCADA or an IIoT system that runs within a well-protected industrial network, but where organizations have servers and workstations that are connected to several subnets inside the organization.

How WannaCry Can Infect an Industrial Control System

Source: Kaspersky Lab

In an ideal world, no devices within a SCADA or an IIoT network will have a direct connection to the Internet, but the chance is good for at least one device to connect to at least two subnets inside an organization’s perimeter, which in turn enables an intruder to reach their ICS from the outside.

Never underestimate the risk of someone attaching an infected device to one of your systems inside the shielded perimeter. Under this scenario, an organization may have no connection to the outside world and no data will leak outside the network, but still may see their data and systems encrypted by ransomware.

Protecting SCADA, IIoT and IoT Systems

The U.S. President’s Critical Infrastructure Protection Board provides guidelines for improving the cyber security of SCADA systems, which highlights the importance of securing industrial control systems.

Recommended actions include disconnecting unnecessary connections to a SCADA network but you should be aware that - while such an isolation is theoretically possible in a SCADA architecture – IoT control systems might include connections to smart homes and smart offices, which are communicating over the Internet. In fact, IoT networks are operating exactly this way if they are not closed IIoT networks, which can be penetrated through a targeted cyber-attack.

A working cyber-security strategy to protect your SCADA, IIoT or IoT networks should involve the following measures:

Securing the perimeter by preventing unauthorized access to a systems and subsystems
Patching all known vulnerabilities and updating all software in place
Restricting logical and physical access to core networking equipment and control modules
Implementing a solution to monitor network connections
Installing antivirus software and firewalls on all points where IoT networks connect over public networks such as the Internet
Use file integrity checking software to ensure the system files are not modified by an intruder
Ensure redundancy for critical components and implement redundant networking solutions for both hardware and software

Another factor to consider is regulatory compliance, as IoT implementations may involve processing sensitive personal data that is protected under the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) or any other law that concerns data privacy and security. The same applies to SCADA systems if an organization collects personally identifiable data from consumer metering devices, for instance.

Conclusion

Securing a SCADA or IIoT network share the same concept of encapsulating the perimeter and not allowing outside connections to business-critical systems. When organizations have to deal with a typical IoT network such as a smart office, they need to make sure that a firewall and an antivirus suite guard against undesired connections and malicious software.

Businesses should always be on alert for unknown vulnerabilities as both SCADA and IoT software and devices have zero-day security holes. Adopting a solution that automatically applies patches and updates solves part of the problem since teams also need to monitor all inbound and outbound connections all the time.

A cybersecurity strategy for protecting SCADA or IoT networks is not a one-time endeavor, teams need to plan carefully what cyber defenses to implement at the very start and then adopt measures to keep threat protection running effectively in the long-term.

Sarbanes-Oxley Act Overview

The Sarbanes-Oxley Act (SOX) was enacted in 2002 following a series of corporate scandals involving large public companies in the United States. The main goal of the legislation was to restore the trust in the U.S. financial markets and prevent public companies from defrauding their investors.

The law, also known as the “Public Company Accounting Reform and Investor Protection Act” and the “Corporate and Auditing Accountability, Responsibility, and Transparency Act” was introduced by U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH).

The legislation’s most well-known article is Section 404, which aims at increasing the control role of boards of directors and the independence of third-party auditors who certify the accuracy of corporate financial statements. The law also stipulates that directors and officers who put their signature under corporate financial statements should bear personal legal responsibility for the accuracy of the respective corporate disclosures.

Following the adoption of Sarbanes-Oxley, a top executive in a large public corporation has a strong motivation to certify fair and accurate company disclosures as otherwise he/she faces between 10 to 25 years in prison along with hefty financial penalties. Other penalties include a ban on taking positions as a C-level officer at a public company.

What is SOX 404?

The provisions of Section 404 read:

“Directs the SEC to require by rule that annual reports include an internal control report which: (1) avers management responsibility for maintaining adequate internal control mechanisms for financial reporting; and (2) evaluates the efficacy of such mechanisms. Requires the public accounting firm responsible for the audit report to attest to and report on the assessment made by the issuer.”

The law does not exist in a vacuum and businesses need to look at other SOX sections to fully understand its meaning and intent. These articles include SOX Section 302 and SOX Section 906, which are part of the Corporate Responsibility and the White-Collar Crime Penalty Enhancements titles of SOX, respectively.

SOX 404 deals primarily with the annual evaluation of internal controls and procedures for financial reporting while Section 302 requires CEOs and CFOs to certify in person the accuracy of periodic financial statements. Section 906 asks for CEOs and CFOs to certify that company’s financial statements and attendant disclosures are fair and comply with the Securities and Exchange Commission disclosure requirements.

Therefore, Section 404 of the SOX aims at establishing a framework for periodic assessments of the internal control mechanisms for financial reporting and forces the public accounting firms which perform the auditing to also evaluate the report on the assessment made by the publicly listed corporation.

In short, Sections 302 and 906 speak about the personal responsibility of C-level executives in public corporations and establish criminal penalties for failing to fulfil these requirements while SOX 404 introduces a procedure for recurring internal controls evaluation and makes it mandatory for companies to include an internal-control report in their annual report.

While SOX 404 consists of only two sentences, it has long-lasting implications on both public U.S. corporations and foreign companies whose stocks are traded on the U.S. stock exchanges.

How Sarbanes-Oxley Affects U.S. and Foreign Businesses

SOX extends to all public companies in the United States, small businesses including, and extends to wholly-owned subsidiaries and foreign companies that are listed on U.S. stock exchanges and conduct business there. Sarbanes-Oxley Act also governs the way accounting firms operate when they audit companies that must comply with SOX.

When SOX was adopted, a number of foreign companies with a dual listing on a U.S. stock exchange, and having more than 500 U.S.-based investors, delisted and continued operating as private companies. Many U.S.-based small businesses were also puzzled on how to comply with the strict regulations of SOX.

A large publicly traded company in the US usually hires an outside consultant to make sure its internal control mechanisms follow the SOX regulations. A small public company has the same obligations to maintain a system of internal controls for ensuring it provides reliable financial statements.

At the time, the U.S. Securities and Exchange Commission (SEC) issued a statement saying that SEC does not have specific rules that tell smaller public companies how to do this. Instead, they recommend small public companies to consult the internal control framework by the Committee of Sponsoring Organizations of the Treadway Commission.

In any case, all public companies operating across the United States should be prepared for the Public Company Accounting Oversight Board to inspect the audits of their financial statements by an outside accounting firm for compliance with SOX 404 and Sarbanes-Oxley.

Businesses should also be aware that demonstrating compliance with Section 404 of the Sarbanes-Oxley Act is considered the costliest part of meeting the SOX requirements as compliance involves also adherence to strict data security and document management policies.

Data Security SOX Compliance Requirements

Performing extensive internal control tests and including an internal control report with their annual audits is just the tip of the iceberg for companies complying with SOX. The Sarbanes-Oxley Act encourages corporations to centralize, automate and optimize their financial reporting processes and procedures.

Companies that are subject to SOX compliance, should develop, implement and maintain comprehensive data security policies and then enforce these policies if they are to meet all the requirements set by SOX.

For instance, a company should protect all financial records it stores and utilizes during normal operations. Corporations should also maintain documentation that provides proof that they comply both with the law and in addition measure SOX compliance objectives, taking corrective measures if necessary.

SOX auditors evaluate four internal controls that are part of the yearly SOX audit. Those are:

Physical and electronic controls over access to sensitive financial data
Working protections against data breaches
Presence of SOX compliant off-site backups of financial records
Existence of change management policies as far as company financials are concerned

Conclusion

SOX compliance is not only mandatory for public companies, but has long-lasting effect on a company’s development plans and investment in new technologies. The best way for a company to demonstrate and maintain SOX compliance is by adoption of a data-centric software platform that finds and tags sensitive financial data, helps manage usage rights and permissions and prevents data breaches and accidental data leaks.

While SOX compliance comes with certain financial burdens for corporations, it also makes their financial data more predictable and improves cross-functional communication across the company. A SOX compliant company has easier access to funding on the financial markets and builds rapport with stakeholders in a natural way.

If a business intends to implement SOX requirements in full, they company will also be safer from cyber-attacks and the ensuing damages from a data breach which are usually in the range of hundreds of thousands or millions of dollars in remediation and legal claims from customers.

Is your business looking to become Sarbanes-Oxley compliant?
Contact Us Today

How to Deploy: Carbon Black (CB) Defense Sensor

Carbon Black (CB) Defense is a distributed process monitoring tool for threat detection across enterprise networks. The Carbon Black sensor executes data capturing activities to discover suspicious activities that occur within a network. Once deployed, the CB Defense sensor stays on and always collects data that can be categorized and analyzed for suspicious activities

To deploy the Carbon Black Defense Sensor, the following information applies:

Supporting Operating Systems

The operating systems supported by the CB Defense sensor include all functional Windows operating systems and the MacOS.

Internet Connection

A functioning internet connection is needed for the deployment. This is because the sensor must be registered with the CB Defense servers to achieve a successful installation. The sensors can connect to the Defense servers through:

A static configured proxy
A direct connection over TCP/443
Auto-detection of a proxy
Admin Permissions

CB Defense sensors requires permission for new installations which are done manually.

Other permissions include a bypass to functional firewalls which allows outgoing connections to the CB Defense domain over TCP/443.

A bypass in the firewall which allows outgoing connections to the CB Defense alternate port.

Activation Code

An activation code is needed during the installation process. The application code can be found in the enrollment page and it expires after 7 days.

Configuration Management Tools

In different situations, you may need an endpoint management tools to assist with installing the Defense sensors. These tools can be Casper for Mac or SCCM for Windows

Steps to Deploying (CB) Carbon Black Defense Sensors

Steps to Performing an Unattended Installation of CB Defense Sensors:

The steps outlined here focus on an unattended installation of the Windows Sensor.

The items to have before beginning the deployment include:

A downloaded sensor installation kit – Attention should be paid to the version that corresponds to the Windows operating system that will host the sensor.
The company’s registration code

Step 1

Start the processes by opening an elevated and running the ‘/q’ command outlined below:

msiexec.exe /q /i CbDefense-setup.msi /L*vx log.txt <CbDefense_msi_command_options>

The first command code shown below should be used if a specific policy group has already been created in the console.

msiexec /q /i C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi /L*vx log.txt COMPANY_CODE=12345678 GROUP_NAME=Phase1

The second command code shown below should be used if a specific policy group has not been created. The code will install the sensor and assign it to a policy group that has been previously created which installs the sensor in a by-passed state.

msiexec /q /i "C:\Users\UserFolderName\Desktop\installer_vista_win7_win8-64.msi" /L*vx log.txt COMPANY_CODE=12345678 GROUP_NAME=Phase1 BYPASS=1

Step 2

This launches the installer and the 6 digit company code will be requested to continue the installation process.

Step 3

If the code is correct, then the installation process will continue until its completion. You can then follow the prompts to complete the task.

How to Install CB Defense Sensors Using SCCM

The System Center 2012 Configuration Manager (SCCM) is used to deploy Defense sensors across all versions of the Windows operating system. To start the process, the following installation suites or tools will be needed:

CB Defense sensor – any version will work
Microsoft Windows
SSCM

Step 1

The first step is adding the CB Defense Sensor Application through the SCCM configuration manager. Open SCCM Configuration Manager.
In the Software Library select Overview > Application Management > Applications
Right Click on Applications and Select "Create Application"

Step 2

On the General Page select "Automatically detect information about this application from installation files:
Type: Windows Installer (*.msi file)
Location: Accessible share that contains the Sensor msi file
Then Select "Next"

Step 3

On the Import Information Page there should be a message that says "Application information successfully imported from the Windows Installer"
Select "Next"

Step 4

On the General Information Page add the required COMPANY_CODE install parameter and the /L*vx C:\pathname\msi.log parameter to ensure the verbose msi install log is created in your specified location. Any other optional command options specified in CB Defense: How to Perform an Unattended Installation of the Windows Sensor can also be added at this point Select "Next"

Step 5

On the Summary Page select "Next"

Step 6

On the Completion Page Select "Close"

Step 7

Right Click on the "Cb Defense Sensor Application" you just added and select "Properties"

Step 8

Select the "Deployment Type" tab
Select the "Deployment Type" you have configured for Cb Defense select "Edit"

Step 9

Select the "Programs Tab" to change the uninstall command from msiexec /x "installer_vista_win7_win8-xx-x.x.x.xxxx.msi" to %ProgramFiles\Confer\uninstall.exe /uninstall <Company Deregistration Code> if the "Require code to uninstall sensor" is enabled on the Policy and you want the option of being able to uninstall the sensor using SCCM

Step 10

Select the "Detection Method" tab
Select the "Detection rule" configured
Select "Edit Clause"

Step 11

Change the "Setting Type" to "File System"

Step 12

Set Path to %ProgramFiles%\Confer, File or Folder name to RepUx.exe
Select "The file system setting must satisfy the following rule to indicate the presence of this application"
Configure MSI Property "Version", Operator "Greater than or equal to", and Version should be the currently install Cb Defense sensor version.

Step 13

Select "OK" to save changes to the Detection Rule
Select "OK" to save changes to the Detection Method
Select "OK" to save changes to the Deployment Type

Deploy CB Defense Sensor Application

Step 1

Right click on the "Cb Defense Sensor Application" and select "Deploy"

Step 2

On the General Page select "Browse" for the Collection field.

Step 3

From the drop down choose "Device Collections" and choose a collection of devices to deploy to.

Step 4

Select "Next"
User-added image
On the Content Page select "Add" to add a Distribution point then select "Next"

Step 5

On the Deployment Settings page select Action "Install", Purpose "Required", and "Next"

Step 6

On the Scheduling Page choose deployment schedule and select "Next"

Step 7

On the User Experience Page choose preferences and select "Next"

Step 8

On the Alerts Page choose preferences and select "Next"

Step 9

Review the Summary Page to confirm settings are correct and select "Next"
On the Completion Page select "Close"

How to Perform an Unattended Installation of the Mac Sensor

To deploy the Defense senor on Mac operating systems, the following items will be needed:

The CB Defense sensor suite
All versions of the Mac operating system.

Step 1

The CB Defense sensor for macOS comes in a DMG file format. Start the process by extracting the installation package and the installation script.

Step 2

Mount the disk image in a virtual location using the hdiutil command. The location should be one you remember and the command for mounting the disk can be found below:

Step 3

Create a copy of the files ‘CbDefenseinstall.pkg’ and ‘cbdefense_install_unattended.sh’ located within the mounted disk image. Paste the copied files at the installation target on the Mac device been used.

Step 4

Run the installation command remotely and replace the ‘COMPANY_CODE’ string with the provided company code that came with the CB Defense sensor. Follow the prompts to complete the process.

Note: The two files copied in step 3 are required by the target machine for installing the Confer Sensor Software. This is why they must be correctly copied without missing a single letter.

Why Phishing is Still a Problem

Is Phishing Still a Problem?
The short answer is yes. The long answer is that it is a growing problem for businesses each day which requires greater defense.

Phishing is the most popular attack vector for criminals and has grown 65% in the last year, according to Retruster.

Lumifi is here to explain phishing, how attacks have affected businesses, how this form of cybercrime is growing, and how to defend against them.

Phishing Definition: Phishing is a cyber attack that uses email as its method of attack. The objective is for the recipient to believe the message is legitimate and to click a link, open an attachment.

Malicious links will lead to a website that often steals login credentials or financial information like credit card numbers. Attachments from phishing emails can contain malware that once opened can leave the door open to the attacker to perform malicious behavior from the user’s computer.

The term “phish” is a reference to the act of fishing, throwing a hook and hoping to catch something juicy.

Who is phishing?

Due to their low bar of skill required to launch, phishing is a popular choice for cyber criminals. Many of them use phishing kits, which include all the technical materials needed to launch a phishing campaign.

More advanced phishing methods like spoofing (pretending to send emails from a legitimate source), spear phishing (personalizing emails to target specific people), and whaling (targeting high-level executives) remain popular and are even harder to detect by eye alone.

Who is targeted?

Phishing targets individuals and private citizens each day. Additionally, cyber criminals will target businesses.

Business email compromise (BEC) scams accounted for over $12 million in losses last year, according to Retruster.

Contrary to popular belief, phishing attacks are being launched on small and medium-sized businesses with shocking regularity. And while the most common industries targeted are Software-as-a-Service and Webmail organizations, social media and e-commerce industries also top the list.

Businesses targeted by phishing

Here are some of the biggest phishing attacks recorded, according to The SSL Store:

Tech giants Facebook and Google were scammed $100 million between 2013 and 2015 through an elaborate fake invoice scam.

U.S. drug company Upsher-Smith Laboratories lost over $50 million in just three weeks in 2014. Attackers impersonated the company’s CEO and were able to convince the company’s accounts payable coordinator to make nine wire transfers.

Higher education wasn’t immune from phishing. MacEwan University in Canada had $11.8 million taken in 2017 when phishers imitated construction companies and sent fake invoices.

Lasting effects of Phishing

Beyond monetary damages, businesses who are breached lose public trust and must work to secure their databases.

Many companies are required to notify their customers of a breach, pay regulatory fines, and lose customers as a result.

How to defend against phishing attacks

Use advanced tools

Do not rely on built-in spam filters and junk folders to catch malicious emails. Using a secure email gateway in your organization will increase your defenses and automatically follow policies and playbooks that will prevent certain emails from even reaching your employees’ emails.

While this does not provide coverage for current breaches or remediation, gateways are just the first line of defense against a breach.

Require Two-Factor Authentication (2FA)

By requiring two-factor authentication, email users must verify their identity in a second form (i.e. text message, mobile app, or security token). This helps prevent unauthorized users from accessing an email account without the second form of authorization and can warn legitimate users that someone is trying to access their account and to update their credentials.

Create a password policy

Password hygiene (changing and creating strong passwords) is more important than ever. Requiring employees to change their passwords often and follow strength guidelines makes credential stealing more difficult. Criminals looking to use credentials they stole or purchased off the dark web will find that because passwords change often, their outdated credentials will lapse and provide no value.

Of course, this doesn’t help against current credentials shared, but can prevent breaches in the future.

Educate employees

Above all, educate your employees and coworkers. Providing education and training around password hygiene, common phishing techniques (identifying spoofing and suspicious messages), and the effects of phishing scams will communicate the importance of email security.

Conclusion

There is no single solution or strategy to fight phishing campaigns. If your organization has questions about how to create a truly resilient email security environment and manage your cybersecurity, contact us for a hassle-free consultation.

Successful Password Policies for Organizations

Learn some of the basic considerations when establishing a strong password policy for your organization. Find out some of the best practices and industry standards when it comes to user access and a password policy framework.

Most places of business require that their employees access their facilities by using a key or key card. In many ways, passwords are the keys by which employees access their workplace network. With physical office keys or card readers, proper policies and procedures must be implemented to ensure that unauthorized access does not occur. The same holds true with successful password policies for organization.

Cyber security as a topic of discussion is growing more popular each day due to the increasing number of attacks and breaches that occur. Companies are not the only victims, but entire cities as well. Such attacks often begin by a cyber criminal stealing passwords from unsuspecting or untrained employees. Typically, a thief only needs a single opening to access everything of value in a place of business. Similarly, once a hacker has control of a single key (or log in credential), they can then exploit that entry point to access a company’s entire network. This is especially true and escalated if this access gained is to one of the system administrator’s accounts.

Here are 9 key dimensions of a good password security framework that you can implement in your organization:

Use Complex Passwords: This may seem basic. But simple passwords are easily compromised. Enforcing complexity requirements is a good first step in stopping brute force hacking attempts. You can require that all users create passwords that do not reference the user’s legal name or username. Robust passwords also utilize combinations of characters, numbers, as well as upper- and lower-case letters.
Set Minimum Password Length: You can boost the robustness of passwords within your organization, by setting a minimum character length. A common practice is a minimum of eight characters. A minimum character length of 14 characters is become a better standard.
Utilize Passphrases: Domain administrators’ accounts require greater protection. In such cases, passphrases (with a 15-character minimum length) are easier to remember and type, but harder to gain access to.
Mandatory Password Resets: For greater protection, it is common to have minimum reset periods. This can also be varied for more critical functions within the organization.
Restrict Password Reuse: Recycling is good for the environment, but not for your company’s password management! Choosing to enforce the password history requirement will limit how often an old password can be used. Setting minimums, such as the previous 5 passwords not being allowed can help avoid the overuse of “favorite” ones.
Set Minimum and Maximum Password Age Limits: Sometimes employees will temporarily change a password and then switch back to a familiar one. Requiring each password to be held for three to seven days eliminates this issue. However, your IT support should be available to change compromised passwords when the minimum age limit isn’t met. Setting a maximum password age limit also helps with network security. Usually, this is set anywhere from 90 days for passwords to 180 days for passphrases.
Establish Password Audits: You will need to track your team’s compliance with the password security policy. An audit will monitor password modifications to ensure compliance and to highlight and correct weak access points.
Send Reminders: Your team is likely to forget to comply with the company’s password policy on their own. Send email notifications to remind them to change their passwords before they expire.

Additional Considerations for a Good Password Security Policy

We believe on top of all these basic tips you really need to keep track of two elements to develop an effective password security policy for your organization.

TRAINING

It is essential to train everyone on your team on how to establish and maintain strong passwords. Not only should this training be a mandatory part of the on-boarding process for new employees, but for existing employees as well. Your company's IT department (or service provider) will be able to help you set the security requirements to ensure only robust passwords are accepted. Cybersecurity should be a part of your organizational culture to ensure full adoption and application of best practices.

TOOLS

The second element is the tools that are available to you and your team. As mentioned before, passphrases can be used to boost the complexity requirement. However, it can be difficult to remember unique, robust passwords (or passphrases) for every portal that is accessed. So in such instances, electronic password managers can be worth the investment. Password managers store each user’s passwords for all their websites and enable safe automatic logins. Your passwords are encrypted in a secure virtual vault with a single key, a master password. This master password is the only thing you need to remember for all your websites and portals.

Therefore, the training and tools dimensions work together to help you coordinate your team to become aware of and consistently practice good password security requirements.

TWO FACTOR AUTHENTICATION

Another item to consider while not covered here is the adoption of Two- Factor Authentication (2FA) to pair with a strong password policy. By implementing 2FA it requires an employee to use an additional device or verification point to validate that they are actually trying to login utilizing a valid password. It is one extra step in helping to create a strong security posture.

Get a Customized Password Security Framework

Creating and implementing a comprehensive password security policy will help secure your organization’s assets. We believe that it’s far better to take preventative action to prevent and prepare for possible breaches, rather than to expend considerable resources trying to figure out what happened after the fact. At Lumifi we offer our premier Cybersecurity Resilience Platform to all our clients.

Improving Visibility and Preventing a Miss - Part 1: Mandatory PowerShell Logging

One of the greatest risks for a SIEM or SOAR platform is missing that one event that helps with accurate detection.

In general, misses can occur for several reasons, although in our experience, misses mostly stem from incorrect/empty PowerShell logs or merely a lack of logging required for advanced detection.

(more…)

Microsoft Releases Notice of More RDP Vulnerabilities

Two more security issues announced surrounding Remote Code Execution against Remote Desktop Services (RDP).

Microsoft released a notice today concerning two vulnerabilities, which would result in a Remote Code Execution vulnerability against the RDP. These are being tracked under CVE-2019-1181 and CVE-2019-1182. This is akin the previous vulnerability that we notified you on, CVE-2019-0708, aka Bluekeep.

This vulnerability targets the more recent versions of Windows:

Windows 7 SP1
Windows Server 2008 R2 SP1
Windows Server 2012
Windows 8.1
Windows Server 2012 R2
Windows 10, including server versions

Like the previous mentioned vulnerability, these attacks would be ‘wormable’, similar to how the ‘WannaMine’ and other malware variants used the Eternal family of exploits to wreak havoc and still continue to be used laterally in networks.
While currently there is no active exploits against these vulnerabilities and Microsoft has not seen these exploits being utilized in the wild, Lumifi recommends patching systems as soon as possible. The immediate focus should be systems that have RDP exposed to the internet. Customers who have automatic updates enabled should be protected by these patches already.

Lumifi's Content team will continue to monitor these exploits and create alerts surrounding any possible exploitation of these vulnerabilities.

You can find a reference for patching from Microsoft at the following link:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182

‍

CVE References:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182

Everyone Wants to Be a Penetration Tester

There is a lot more to cyber security than just hacking...

So… Everyone wants to be a penetration tester!

Lately I’ve been speaking at events, conducting interviews, mentoring new security professionals and students and every single person when asked how they want their career to progress or what they are interested in doing, like clockwork every single person says, “penetration tester”. Maybe I’m the only one, but this is a huge pet peeve of mine!

Penetration testing is the hot topic due to the popularity of Mr. Robot, Edward Snowden, and TV shows depicting hacking that gives the wrong impression. Even YouTube and video games such as Fortnite has bread this idea of a “hacker” to the younger generation that think it’s cool to do.

Don’t get me wrong, Pentesting is a great skill but there is a lot more to cybersecurity than pentesting… Pentesting is the act of attempting to “hack” into systems as a way of testing security. It can help you get a good understanding of attacks and how they are conducted but there is also boring and monotonous work associated with it like any other job.

So why does this bother me? I mean, it is getting people interested in cybersecurity, right? A good penetration tester can be a major asset, but everyone has this fantasy of hacking into something. For example, see the ever-famous meme of two people hacking while typing on a single keyboard on NCIS. How cool is that?!?! Did my sarcasm come through on this blog post?

There isn’t enough education on all the various skills and jobs available in cybersecurity. One major issue is that most of these positions people post want people with a thousand years of experience with hundreds of certifications and can do everything including fart rainbows… According to ISC2 the job gap has grown to over 3 million jobs; in order to fix this, we need to be spending more time and effort educating. We need to hire professionals with experience and then allow them time to train and educate others. To be a security professional all you need is analytical skills, the ability to think critically, and a desire to learn.

At Lumifi along with seasoned security professionals we try to hire both college graduates and IT people with various backgrounds such as desktop engineers, database administrators, network engineers, and system administrators. As the security hire gap increases, we have to think outside of the box and have better training programs. First a good culture fit is important and secondly someone eager and open to learning new skills. We also pride ourselves in having a pretty high percentage of female security professionals. The industry also needs to focus on training younger people, we need to get involved in school programs on training cybersecurity.

No matter the position, you may find that other areas interest you besides hacking the planet! Yes, I know it’s an old reference and a lot of people maybe haven’t seen the 90’s hacker movie… If you’re interested in cybersecurity learn about ethical hacking/red team but also learn about forensic investigations, detection and blue team, application security, network security, risk analysis, auditing, and other subjects. For individuals wanting to get into cybersecurity do your research and understand all of the fascist of cybersecurity and be open minded, there is a place for you to learn and grow your skills out there.

The True Cost of Information Security

In-House vs. Outsourced SIEM Management: Discover the True Cost of IT Security (Updated November 2022)

Your SIEM management needs will grow over time. Can your information security team follow suit?

Security information event management is one of the pillars of effective information security. Capturing and investigating event logs lets security operators detect and respond to threats in real time.

(more…)

Block Threats with Lumifi & Netshield

Lumifi can now combine the power of Netshield's active blocking with AlienVault's USM and immediately block rogue devices AND monitor egress network traffic to effectively block malicious behaviors like malware and phishing.

Through the power of Netshield's Network Access Control (NAC), Lumifi can offer unrivaled protection for the inside of your network. Firewalls are a necessity for protecting networks against outside threats. However, today' biggest threats come from the inside of the network. By leveraging Netshield, Lumifi can secure your network while enabling the adaptability and flexibility required to support workforce mobility and business continuity.

It starts with visibility. An explosion in the number of devices attempting to connect to every network, including smart IoT devices and mobile and other BYOD, demands effective asset detection to know what is on the network so devices cannot hide. But visibility is only the first step.

Once seen, threats must be blocked. Devices that don't belong must be quarantined. When human behavior inside the network launches malware, phishing, and other types of threats, those devices must also be blocked to protect your data and your business. Go beyond monitoring and reporting with intelligent, automated, instant threat blocking.

Finally, stay ahead of threats with network auditing for common threats and vulnerabilities. By utilizing Netshield, Lumifi can conduct a comprehensive, detailed scan of every device on your network allowing us to stay ahead of threats and prepare for external audits and other reporting.

Gartner – Why do companies need Network Access Control?

Response to Audit Findings - "Many organizations pass through third-party security assessments...the most common finding is the ability to connect to internal infrastructure with no identification of the device...which increases the risk of internal attacks by unauthorized devices."

Improve Network Visibility - "Network Access Control can...reduce the risks associated with noncompliant devices."

Incident Response - "When an alert occurs, an automated mechanism will remove the endpoint." IoT Proliferation "IoT devices...used in large-scale...series of distributed denial of service (DDoS) botnet attacks"

Why Does Lumifi Prefer Netshield?

Most NAC solutions are designed for the needs and budgets of a large enterprise. Netshield is different. Like Lumifi, they believe that a limited budget and limited staff should not require a compromise in having comprehensive network security. Our services deliver a powerful mix of functionality and value. Optimal network security requires layers of interlocking protection, and Netshield provides many critical security elements in an affordable and manageable solution.

Network Visibility

Instant ID: Operating at Layer 2, Netshield instantly identifies every device that is connected or attempting to connect to your network, including physical, virtual, mobile, and IoT. Netshield creates a comprehensive inventory, profiling and classifying each device on a network - devices cannot hide from Netshield.

Agentless: Netshield sees every device without the need for an agent. Agent-based solutions can take months and hundreds of hours of staff time, and agents cannot even be loaded on most IoT or private devices. Virtually every new Netshield deployment identifies assets that were not listed on the original asset inventory. The first step in trusting your network is knowing what is on your network.

How: Netshield' Asset Detection Engine looks at ARPs and ARP requests along with DHCP requests and IP traffic to identify devices on the network whether wired, wireless, IoT, BYOD, or Virtual.

Network Access

Rogue Devices Denied: You determine which devices are to gain network access. Those devices not trusted - whether known or newly entering the network – are blocked until access is granted.

New Devices Seen Immediately: With billions of IoT and BYOD devices, along with guests, contractors, and more, rest assured none will enter your network unnoticed, and none will have access unless you trust them, including devices spoofing a MAC address.

How: The Blocking Engine prevents untrusted/known-bad devices from participating on the network by sending a small stream of traffic to block a device while all other devices on the network segment are prevented from seeing the blocked device.

Threat Blocking

Zero-Day Malware & Phishing: Devices attempting to connect to outside command and control servers that are identified as bad actors trigger an alert and are instantly blocked – a Machine Time response to stop Machine Time threats to your network.
Anomalous Behavior via Integration: Netshield seamlessly integrates with multiple log analysis, SIEM, and A/I driven threat detection tools to block the behaviors they flag as dangerous, based upon your rules for balancing security and business continuity.
TLD and Site-Specific Blocking: Netshield also allows for identification of high-risk destinations and blocks access accordingly.

How: The Malware Detection Engine monitors egress traffic looking for connection attempts to known Malware and Phishing sites. When such traffic is detected, the Blocking Engine is then triggered to instantly isolate the offending device and using switch integration can shut off the port or move the device to a quarantine VLAN. Multiple public and private lists of known bad sites are combined and uploaded every three hours to provide zero-day protection.

Vulnerability Auditing

Common Vulnerabilities and Exposures (CVE) Scanning: Netshield interrogates every device on the network and produces a detailed report of vulnerabilities and exposures. This report includes comprehensive reporting for every scan by device along with investigative and educational tools for background on the specific CVEs and remedies.

How: The on-board Auditing Engine executes thousands of scripts to identify Common Vulnerabilities and Exposures (CVE) by probing devices for open ports, default logins and settings, vulnerable applications and more. Over 8 thousand scripts are employed with new scripts regularly added as new vulnerabilities are discovered.

Additional Features

Comprehensive Reporting – All incidents, levels of criticality, and historical data.
Cyber Insurance of up to $250,000 (US deployments only) – Our ability to stop data breaches is backed by a cyber insurance policy underwritten by Assurant, a global leader in insurance with over $30 Billion in assets.
Global Manager – Seamlessly manage multiple locations and trust devices across multiple locations from a single pane of glass.
Non-inline Deployment – Connects typically to a top-level switch the same as other devices and does not represent a single point-of-failure on your network.
Vendor Agnostic – Netshield easily works with and integrates with virtually all network vendors including switch integration.
Active Directory Integration – Access to the appliance via AD credentials along with mapping of AD logins to devices.
Supports Multiple Physical and VLAN Segments.

Top 5 Cybersecurity Steps to Take in 2019

Cross Posted from Net Friends

Author(s):: Net Friends

(more…)

Shadyware ... Malware or Legit Software

What's the difference between malware and legitimate software?

Just as malware is often purported to be legitimate software, legitimate software sometimes uses unethical marketing and operating practices. Some folks term this "Shadyware." It is marketed as useful software, which it may be in part, but it also contains annoying or harmful functionality that negatively impacts the user' security.

The line between malware and legitimate software can sometimes be a very fuzzy and grey one. Due to (mostly) lawyers and their ilk, programs that straddle the line between useful and malicious are referred to as PUPs - potentially unwanted programs.

Part of the problem we are dealing with lies with the very usefulness of computers, and the versatility with which they may be programmed. Behavior that is helpful in one context (e.g. detecting password fields and storing their contents, which is necessary for the operation of password managers) can be harmful in other contexts (e.g. keyloggers, which use the same functionality, but send this information to someone else for typically malicious purposes).

Further, techniques that are developed in one area can also be repurposed for malicious activities in another. For example, shims, which are small programs that fit on the interface between other programs and encrypt everything written to disk, and are a necessary part of many data-at-rest protection solutions, can be repurposed for malicious activities (same thing, but sending the key offsite so criminals can hold your data for ransom).

There are numerous examples of techniques that have been adapted from the legitimate market to the malicious one. Given this, it is perhaps not all that surprising that some members of the 'legitimate' market have similarly been tempted into using the malicious market's techniques.

Sadly, many examples of this kind of turnabout-is-fair-play operation are out there, and some of these have become very prominent in recent months.

For instance, late last year, the "eFast Browser" specifically tried to hijack the preferred browsers of users, removing associations to the legitimate Chrome/Chromium browser and replacing them with the eFast version - a variant on Chrome that was specifically built to pop up ads, some of which directed users to even more malware. You may recall that such display ads can themselves also frequently lead to problems .

Recently, very similar behavior has been seen on the part of 'legitimate' security vendors. An example of this is Comodo. When users install the company' product, it installs a replacement 'Chromodo' browser to replace Chrome. This is similar to the eFast switch, in that it installs the duplicate browser in order to bypass certain protections that Chrome has in place to prevent malware from executing - but which can also prevent certain 'traditional' antivirus hooks from being used to monitor web usage.

Comodo has also been implicated in providing another attack surface by installing a VNC server - a kind of remote desktop provider - onto machines that it's installed on. This is a tactic used in those "Indian Tech Support" scams, where purported 'support personnel' try to convince you to pay them to fix problems with your computer that either don't exist or which they caused in the first place.

The motivation for rolling out a whole-browser replacement is very similar in both the cases of eFast and Comodo. The security built into today's browsers prevents older tactics from working, so they're forced to fool users into using replacement browsers instead in order to be able to keep performing the same actions.

This isn't entirely new behavior, but there have been several recent examples of antivirus software overstepping bounds and re-opening vulnerabilities that application developers had carefully closed to protect users.

Who Watches the Watchmen?
Incidents like this blur the line between malware and 'legitimate' software, especially when the motivation behind the software' behavior is the same for both illegal and legal actors. Both the antivirus industry and the scammers are after your money, both of them recognize that certain tactics are effective for maintaining the persistence of their software on your computer, and both of them realize that advances in computer security by the industry at large are threatening their preferred business models.

The reputable part of the antivirus industry still offers some benefits to users, in that it manages to prevent known infections from taking hold - but this benefit is being eclipsed somewhat by both advances in operating system and browser technologies that also work to prevent infections from taking hold, and the actions of less reputable members of the industry.

Unfortunately, the public perception of the reputable part of the antivirus industry ends up becoming tainted by the actions of the unethical part. In a case of "one bad apple spoils the whole barrel", this causes people to be more and more reluctant to install and maintain antivirus software on their systems.

This, in turn, reduces profits for AV vendors and causes them to seek revenue more aggressively using other means, which may ultimately result in once-reputable companies following the examples above, and adopting the malicious practices of the very actors that their products are trying to defeat.

It's a vicious cycle, and one which is likely to continue for some time.

Is An Antivirus Still Worth It?
That's become a difficult question. Ten years ago - even five years - I myself was fully recommending it for everyone, business and personal users alike.

However, as of late, I've become much more cautious. Leaving aside questions of compliance, the fact of the matter is that antivirus has become less and less useful overall, both due to the ways in which the threats have evolved, and the ways in which operating system and application vendors have chosen to mitigate them.

Regularly pushed updates are commonplace now. Reputable vendors typically push updates on a monthly basis, and sometimes (in the case of web browsers especially) even more often. Given that the overwhelming majority of successful infections of people's computers are via vulnerabilities that have been patched but not applied, the single most effective measure that a user or administrator can take is to make sure that their operating system and all applications are properly patched on a regular basis.

After all, if malware attempts to exploit a vulnerability that isn't there, it won't be able to succeed regardless of whether antivirus software is present or absent.

This approach should be combined with certain "best practice" hygiene measures: taking and verifying regular backups; implementing "least privilege" controls, like group policies to prevent users from changing configurations; segmenting networks (if appropriate - it is for businesses, but not necessarily for home); installing and using password managers; installing and maintaining an adblock plugin for browsers or sinkholing ads on the network.

The more you implement such practices, the more dramatically the likelihood of being exposed to a live threat drops, and those threats that do manage to get through will be contained more easily.

In such environments, antivirus software becomes either largely redundant, or if it's one of the examples given earlier, a product that actually undermines security, because it nullifies some of the best-practice hygienic measures listed above.

However, many home users and far too many businesses do not follow these best practices. They put off updates for months (or even years!). They let everyone have an administrator account with unfettered access. They leave their networks flat and wide-open. They don't make regular backups. They allow ads to display. In these situations, where basic hygiene is being ignored, an antivirus program would still have relevance, as there's nothing else in the environment that is providing any security whatsoever.

So while an antivirus is probably not needed in a network that is well-maintained and administered, there are still many networks out there that are not maintained or administered properly. Thus, in limited cases, it may well be appropriate to rig a browser with telltales and have it call home, because those environments are hazardous enough that the increased attack surface of an antivirus program is far eclipsed by the bad practices of the users.

Conclusion
Shadyware is fuzzy, grey and not at all lovable. Shadyware, unlike standard PUPs, is more than just inconvenient. It misleads the user, and increases their risk by disabling security features while telling the user they're helping. While not excusing the bad conduct of the vendors listed above, we do see some perspective as to why they do it and why they are able to get away with it. Infosec professionals have the responsibility to call out bad behavior by vendors as well as educating less-knowledgeable users about issues such as Shadyware.

(more…)

Adblocking

Adblocking is becoming a more and more contentious topic in recent days. Publications, understandably, do not want people to block ads - they derive much of their revenue from them. Users find them to be intrusive and often feel that they impede their usage of a site; and, given the recent meteoric rise of malvertising, ads can often become downright dangerous. Where is the balance between the desires of publishers and the safety of users?

Malvertising is the way that criminals leverage ad delivery networks to push their malware onto end users. This is made possible by both the multiple parties involved in the delivery of ads (which involve the publisher's server to the ad network to the delivery edges, to the people buying the ad space, to the companies that market ads, and finally to consumers), and the complex nature of the network itself.

Ad networks are built to streamline operations as much as possible, to ensure that money gets from point A to point B quickly and efficiently, with as little friction as possible.
Ad networks have chosen to prioritize the speed of ad auctions and capability of delivery, as well as the feature set of ads, over everything else - and understandably so, since this is what makes them money. The faster and more feature-rich an ad can be delivered, the more it is worth to a publisher (for whom it is a 'premium' client) and to a business purchasing the space (because it's a 'premium' ad slot).

The spread of these 'feature rich' ads then becomes something of an arms race - after all, how is a plain old text or simple picture ad going to get noticed when your competitor has figured out how to get auto-playing video to load over the content, and made sure that viewers have to take positive action to dismiss it?

But these feature-rich ad slots amount to remote code execution capability. They allow an ad provider to execute any program they want to within the browser environment of the consumer.

Ad networks, of course, claim that they want to ensure the safety of customers and insist that they 'inspect' ads - but the prevalence of malvertising in the market provides many examples to the contrary.

How do criminals bypass the checks that ad networks have supposedly put in place to prevent this? Often, it is accomplished by compromising the accounts of 'trusted' ad buyers. Businesses buying ad space are no better or worse at securing their credentials than any other user; they can lose control of their ad accounts just as often as anyone else loses control of a Facebook account or an email inbox.

Once the account has been compromised, the 'trust' that the ad network has in the client can be used by the malvertiser to speed their revisions to the original ads past verification - it would be prohibitively expensive, after all, to have someone manually review every change to an ad for every purchaser of ad space. Automatic review can be fooled fairly easily as well - signature-based detection fails if there's any change in the malicious payload. Manual review can also fail easily enough if the malvertiser sets up a page that looks like a legitimate one, and then changes the content after it has passed review.

So how can this be changed?
On one side, ad networks seem to want to change this by fighting against adblockers - entering an arms race where they try to detect adblockers and either obstruct them or guilt people into disabling them.

On the other side are the various programmers who either despise the ad-cluttered user experience and those concerned with security, who are very highly motivated.

This is not a fight that the ad networks are likely to win.

Alternatively, ad networks could try to work with the adblockers - for instance, by delivering known-safe ads.

The only way to really guarantee safe ad delivery is to vastly restrict the content to plain text or static pictures only, with regularly audited links to specific whitelisted domains. Then Ad networks should also provide random spot checks afterwords as well, to ensure ongoing compliance.

Sure, these ads are not nearly as interesting or "premium" as the feature-rich ads that are desired, but a 'boring' ad that is delivered is far superior to a feature-rich ad that is blocked and is never shown.

Ad networks need to judge what is more important: making their ads intrusive and feature rich, or accepting that users need a safe browsing experience and require assurance from the networks that their computer will not be damaged by malicious ads.

As far as my networks are concerned, my terms are simple: if you cannot ensure that your ad network is delivering safe content, then I will block you by any means available. This isn't negotiable - the safety of my users comes far before the profitability of your network in my estimation. If you can guarantee that you will only show static pictures and text, with carefully vetted and audited links, then I'll unblock.

This is not a negotiation, mind - these are the terms that any decent administrator will demand. After all, the ad networks need my users a lot more than my users need any ad networks.

Egress Filtering: A Valuable Part of Your Multi-layered Security Posture

The concept has become increasingly important as cloud infrastructure expands throughout the enterprise IT network.

(Updated May 2022)

(more…)

Four Pillars of Information Security

Every organization is working hard to possess a "strong security posture." But what does that mean? A strong security posture, means you possess a healthy quantity and quality of Information Security Experts (Human Beings) and Information Security Tools (Technology/Products). Information Security Experts are leveraging Information Security Tools to prevent attacks before they happen, protect the organization in case an attack does happen, detect attacks that go unnoticed, and respond accordingly.

(more…)