The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

More and more, people are completing the entire real estate transaction process online. From searching for properties to signing documents, online convenience can make the process easier and more efficient. However, with all of this activity taking place on the internet, it is important to be aware of the potential security risks that come along with it. Here are the eight common cybersecurity issues that can arise during the purchase of real estate online and how you can protect yourself against them.

1. Cybercrime

This is, unfortunately, the world we live in – and it makes sense, given the large sums of money involved. Cybercriminals may attempt to hack into the system and gain access to private information. They may even try to interfere with the transaction process itself, delaying or preventing it from taking place at all.

To combat this threat, make sure you are using a secure online platform when completing the transaction and be sure to only provide personal information when necessary.

When you are completing a real estate transaction online, a lot of your personal information will be requested. This can include anything from your address and phone number to your bank account information. If this information is not properly secured, it could be at risk of being accessed by cybercriminals.

To keep yourself safe, it is important to know what to look out for. You should watch for the commonly attempted ways that remote real estate buyers might be targeted and understand what you should do in the event of a breach.

2. Data breaches

Buying real estate remotely involves a number of different tools, like online payment gateways and other web services. All of these tools can be vulnerable to data breaches, which means that hackers could gain access to your personal information stored on their servers. To protect yourself, research a service’s security standards before providing any sensitive information or look for an alternative if the security measures are inadequate.

Always make sure you are observing best practices during and after an online purchase, which include doing things like updating your passwords as appropriate and monitoring your credit cards for any suspicious activity. By following these tips, you can help ensure that your online real estate transaction is secure.

3.  Phishing scams

These are attempts to obtain your personal information by pretending to be a legitimate source and they are on the rise. Be sure to only provide your information on secure websites and look for signs of legitimacy, such as “https” in the web address or a padlock icon in the URL bar.

Phishing scams that target real estate buyers might include emails, text messages, and voicemails asking you to provide your credit card details or other personal information to make a purchase. Make sure to always look for signs of legitimacy before providing any sensitive information.

They might also include bogus emails from lawyers or other professionals with malicious links or attachments. Be sure to only open emails from verified sources and never click on suspicious links.

4. Malware threats

Malicious software can be used to steal your personal information, such as banking credentials and passwords, or to install ransomware that locks you out from accessing your own files. To protect yourself from malware, make sure to install trusted antivirus and anti-malware software on your computer. Additionally, make sure to always keep your operating system up to date with the latest security patches.

5. Identity theft

Identity theft is a growing problem online and can be especially dangerous for real estate buyers. Hackers may use stolen information to gain access to your bank accounts or other financial resources, making it important to protect all your personal information from potential thieves. Make sure to use secure passwords, avoid public Wi-Fi networks, and never provide sensitive information over email.

This is especially pressing in an age where people are so much more mobile and global than they ever have been. Real estate transactions can be conducted from airports, coffee shops and all manner of unsecured wireless networks, which demands extra vigilance when it comes to cybersecurity.

6. Website hacking

Hackers can also gain access to websites and steal information stored on them, including user data. To protect yourself from website hacking, make sure that the websites you use have strong security protocols in place. Additionally, look for signs of legitimacy such as a padlock icon in the URL bar and verify any third-party links or attachments before clicking on them.

If you are dealing with a real estate agent that uses a website, make sure it is secure and they have taken proper precautions to protect your data.

7. Social engineering attacks

Social engineering attacks are when hackers use psychological tactics to get you to reveal confidential information or take some sort of action. For example, they may send fraudulent emails that appear to come from a real estate agent asking for your personal details or credit card numbers. Make sure to always verify the source of any emails before taking any action.

The best way to identify a social engineering attack is to look for suspicious language, attachments, or links in the email. If anything looks out of the ordinary, it's best to delete the message and report it to your security provider.

You can always take extra steps to protect yourself, like using two-factor authentication when logging into accounts or working with a cybersecurity professional. By staying vigilant and taking proactive measures, you can help ensure that your online real estate transactions are secure.

8. Having weak passwords

Another common cybersecurity issue is having weak passwords. Make sure to use strong passwords when creating any accounts associated with your real estate purchase. You should also change your passwords on a regular basis and never reuse old passwords or share them with anyone else.

Using a password manager can also help you keep track of all your different passwords and store them in a secure place. If you're dealing with an agent, ask them to use strong passwords as well, and make sure that they keep all of your personal information safe.

Conclusion

Real estate transactions are increasingly taking place online, which can create potential security risks if proper precautions aren't taken. By following best practices and being aware of the common cybersecurity issues associated with purchasing real estate online, you can help ensure that your transaction is secure. With a bit of extra effort and knowledge, you can rest assured knowing that your online property purchases are safe and secure.

The post 8 Common Cybersecurity issues when purchasing real estate online: and how to handle them appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

“Why are you here if you cannot decrypt our data?” This is how people sometimes react to the arrival of the external incident response team. In this article, I will try to answer this question, but at the same time, I am going to describe the stages of incident response, list the main mistakes that play into the hands of hackers, and give basic advice on how to respond.

Let's start by defining what a security incident is. Although the concept is straightforward, various companies may interpret it differently. For instance, some companies may consider incidents to include situations such as a power supply failure or a hard drive malfunction, while others may only classify malicious actions as incidents.

In theory, an incident is a moment when some kind of undesirable event occurs. In practice, the definition of an “undesirable event” is determined by each company's own interpretation and perspective.

For one organization, the discovery of a phishing email is what requires investigation. Other companies may not see the point in worrying about such incidents. For instance, they may not be concerned about a phishing email being opened on an employee device in a remote location not connected to the main infrastructure since it poses no immediate threat.

There are also interesting cases here. For example, online traders consider a drop in the speed of interaction with the online exchange by 1% to be a serious incident. In many industries, proper incident response steps and cybersecurity in general, cannot be overestimated. But if we are talking about serious incidents, then most often, these are events related to the penetration of an attacker into the corporate network. This annoys the vast majority of business leaders.

Incident response stages

While the interpretation of certain events as security incidents may vary depending on various factors such as context and threat model, the response steps are often the same. These response steps are primarily based on the old SANS standard, which is widely used by many security professionals.

SANS identifies six stages of incident response:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

It is important to note that the external response team is not immediately involved in this process.

Preparation

Preparation involves properly aligning organizational and technical processes. These are universal measures that should be implemented effectively across all areas:

• Inventory networks
• Build subnets correctly
• Use correct security controls and tools
• Hire the right people

All this is not directly related to the external response team and, at the same time, affects its work significantly. The response is based on preparatory steps. For example, it relies heavily on the log retention policy.

Each attack has its own dwell time – the time from an attacker entering the network until their activity is detected. If the attack has an extended dwell time (three-four months) and the logs are kept for seven days, it will be much more difficult for the investigation team to find the “entry point.” The required data will no longer be available. If such a situation arises, the response team can take action, but the likelihood of achieving a 100% successful outcome is significantly reduced.

Identification

This stage is entirely based on how well the preparation was done in the first stage. If everything is done correctly, there is a good chance that you will discover something in advance that can potentially lead to an unacceptable event.

Even primitive and basic steps can greatly increase the likelihood of early detection of a cyber threat. By building your own Security Operations Center (SOC) or engaging a capable third-party provider and implementing effective monitoring practices, you can greatly improve your chances of detecting potential security incidents. Careful preparation allows you to detect an attack in its early stages before the attacker has done any harm.

Ideally, the response process should be initiated at this stage. Alas, in practice, there are many cases when the sad consequences of an attack are the only thing due to which the incident is detected. Everything goes along the logical chain: preparation is terrible, detection and analysis fail, and an incident occurs. And the investigation, in this case, turns out to be a non-trivial task.

Containment

This stage is performed in close cooperation between the external response team and the customer. IT personnel often simply reboot computers before the external incident response team arrives. Yes, this is also a containment method, although not the most elegant.

The problem is that this deprives the response team of a lot of important data. And what is more important, it does not always work. Today hackers rarely use just one technique to achieve persistence. They usually employ Remote Desktop Protocol (RDP) for lateral movement, and stopping them is not always easy. Therefore, joint analytics are vital to understand which connection is legitimate and which is not. When the external response team and their customers work together closely, it becomes simpler to understand the situation and develop effective tactics to contain specific threats.

Eradication

At this stage, it is generally expected that the incident response team has already provided the customer with an incident analysis, including malware analysis, indicators of compromise, etc. A thorough process of scanning the network is in progress, followed by the removal of all detected anomalies.

Recovery

At this stage, a consistent and accurate restoration of the customer's IT systems is carried out. It implies not just recovering from backups but also the reactivation and testing of information security tools.

Usually, restoring protections is a fairly simple task. The fact is that attackers, as a rule, act just by bypassing protection mechanisms. They get administrative privileges and, if possible, “turn off” security solutions. Yes, hackers can use malware that interferes with Windows logging or disrupt Critical Event Management, but such cases are relatively rare.

Although not a common occurrence, some attackers may leave bookmarks to enable repeated attacks. It is vital to remain vigilant and check for such bookmarks, even in the case of a seemingly straightforward attack.

Lessons learned

It may seem that the incident response team's main task is to restore everything to its previous state, but this is a simplification. The response team is invited for a different purpose. Its tasks are to understand:

• The attack vector used by the hackers.
• The specific entry point used to gain unauthorized access to the IT systems.
• A detailed timeline of how the attack progressed.
• Identification of potential prevention measures that could have been implemented at different stages.
• Recommendations for addressing the root cause of the incident to prevent future attacks.

The answers help give better recommendations. For example:

• If the attack started with phishing, it is advised to set up an email sandbox, adjust spam filters, and train employees.
• If a vulnerability is to blame, changing the updatepatch and network monitoring procedures is recommended.

Why is the final stage so important? First, most attacks are not very inventive. Actually, they are formulaic. Therefore, you can draw conclusions from one attack and prevent a dozen similar ones.

Second, the hackers usually come back. Here is a real-life example. The IR team identified an entry point, studied that PC, and found that some files were encrypted a year before the incident. It turned out that the customers were aware but did not pay attention to the incident since the first time, it caused almost no damage. As a result, a second attack occurred through the same entry point. This time, hackers spent a little more of their time and encrypted everything and destroyed the entire domain.

Third, without adequate response procedures, it is impossible to enhance security awareness training and incident detection, which serve as the bedrock of a company's security system.

How to improve security

Basic knowledge is important

The basic things you probably already know about are already cool and very useful. Every year, thousands of companies fall victim to attacks due to the most banal reasons. The most common cases are the exploitation of unpatched vulnerabilities. The second common thing is phishing.

So, a significant number of potential security issues can be mitigated by prioritizing effective patch management, maintaining an accurate inventory of infrastructure, and providing staff with training in digital hygiene.

There are a lot of organizations that have already done all the basic things. However, it does not guarantee the complete absence of incidents. They can be recommended to run penetration tests. However, you need to “grow up” to this kind of thing. It makes no sense to conduct penetration testing when only 20% of the infrastructure is covered with Intrusion Detection and Response (IDRIDS) solutions.

Follow trends and industry reports

Numerous security reports and news can tell you what tools and attacks hackers use. This way, you can establish relevant security criteria for your company. The reports often provide specific recommendations on how to protect from a particular attack. One of the best sources for such information is MITRE ATT&CK Matrix.

Do not panic, and do not do rash things

A typical mistake is to reboot all the computers involved in the attack. Yes, there are urgent situations when this is crucial, but, if possible, please make copies of infected machines. This will enable you to preserve evidence for any subsequent investigation.

In general, do not act impulsively. Quite often, upon discovering encrypted files, employees immediately disconnect the power supply. This approach is akin to gambling. Nothing can be guaranteed after that. Yes, the encryption stops, and you can probably save several untouched files. On the other hand, such an abrupt stop corrupts the disc and data affected by the encryption process. Even if the security community comes up with a decryptor or you pay a ransom (which is not recommended), restoring data whose encryption has been interrupted may not be possible.

Contacting the experts

Is it possible to cope with an attack on our own? Yes, if you have well-established procedures. Mitigation efforts can be prioritized. It is not very difficult to protect mobile devices, implement multi-factor authentication, or set efficient patch management procedures. From a financial standpoint, relying on backups and minimizing recovery time can be an acceptable strategy. However, when it is essential to stop the attack promptly, determine the exact nature of the incident, understand who is to blame, and chart an effective course of action – there are no alternatives – call the external response team.

The post Insights from an external incident response team: Strategies to reduce the impact of cybersecurity attacks appeared first on Cybersecurity Insiders.

Firewall optimization (also known as firewall analysis) is the process of analyzing and adjusting the configuration and policy set of a firewall to improve performance and security. This process involves reviewing and corelating log data and device configurations, identifying potential vulnerabilities and weaknesses, and providing recommendations for remediation. Performing these processes is complex, which is why tools like firewall analyzers are useful. They offer automation, visualization, and alerting to provide recommendations that can be used to reduce the risk of attack.

What is the business impact of firewall optimization?

Firewall optimization is important because it can help organizations improve their overall security, performance, and compliance, while also reducing costs and improving decision-making. This can ultimately contribute to better overall business performance. Firewall optimization can have a positive impact on a business's overall network security and performance.

Some of the key benefits include:

• Improved security: Analyze configurations and log data to identify potential vulnerabilities and threats in the network and provide recommendations for remediation. This can help to reduce the risk of successful cyber-attacks and data breaches.
• Better performance: Improve overall network performance by identifying and addressing bottlenecks and inefficiencies in the firewall configuration. This can result in faster network speeds, more reliable connectivity, and better overall performance.
• Compliance: Comply with relevant regulations and standards, such as PCI DSS and HIPAA, by providing regular compliance reports and identifying potential compliance issues.
• Cost savings: By identifying and addressing inefficiencies and bottlenecks in the firewall configuration, firewall optimization can also help reduce costs associated with network maintenance and troubleshooting.
• Improved decision-making: Have a better understanding of the network security posture and the capabilities of the firewall. This allows organizations to make more informed decisions about their security strategy, and to better allocate resources for security initiatives.

How is firewall optimization different from firewall management?

Firewall optimization uses software tools like a firewall analyzer to find weaknesses and vulnerabilities in network attached devices. The inspection includes analyzing configurations and log data from security devices, such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).

The primary features of a firewall optimization include:

• Log analysis: Review log data to understand utilization trends over time and recommend ways to enhance the performance of the firewall without compromising security.
• Configuration analysis and compliance reporting: Review running configurations of firewall devices regularly and include features for generating reports that show compliance with relevant regulations and standards, such as PCI DSS and HIPAA.
• Security analytics: Analytics capabilities allow users to visualize and analyze data from firewalls. This can help to identify trends and patterns that may indicate potential security threats.
• Alerting: Alerting features that notify users when potential threats or vulnerabilities are detected.
• Integration with other tools: Some firewall analyzers can be integrated with other security tools, such as vulnerability scanners or intrusion detection systems, to provide a more comprehensive view of an organization's security posture.
• Multi-vendor support: Firewall analyzers can support multiple firewall platforms. This can be useful when migrating from one firewall platform to another, to help clean the ruleset of any vulnerabilities and test configurations prior to deployment.

A firewall management platform, on the other hand, is a comprehensive tool that helps organizations to manage, configure, and monitor their firewalls. It includes features like firewall policy management, threat detection and management, asset discovery, and security analytics. The primary features of a firewall management platform include:

• Policy management: Allows users to create and manage firewall policies, which define the rules for allowing or blocking network traffic.
• Asset discovery: Discover and inventory assets on a network, including servers, workstations, and other network attached devices.
• Security analytics: Analytics capabilities that allow users to visualize and analyze data from firewalls. This can help to identify trends and patterns that may indicate potential security threats.
• Monitoring: Monitor network traffic and alerting users when potential threats or vulnerabilities are detected.
• Integration with other tools: In addition to firewall analyzers, some firewall management platforms can be integrated with other security tools, such as a Security Incident and Event Manager (SIEM) to provide a more comprehensive view of an organization's security posture.

One of the main differences between firewall optimization and the firewall management platform is the scope of their capabilities. Firewall optimization is focused on the performance and configuration of the firewall, by analyzing the running configuration and log data from firewalls, even in environments with multiple vendor firewalls.

Another difference is the level of control on a device that the tools provide. A firewall analyzer provides insights, recommendations, application traffic flows, and may even have device configuration and management capabilities. A firewall management platform, on the other hand, provides granular control over firewalls, including the ability to create and manage firewall policies and to monitor network traffic.

How does firewall optimization work?

Firewall optimization uses a firewall analyzer tool to provide visibility into the security posture of a network by identifying potential threats and vulnerabilities, and by providing recommendations for remediation.

The process of firewall analysis typically involves the following steps:

• Data collection: The firewall analyzer collects log data and device configurations from the security devices on the network. This data may include information on network traffic, firewall rules, and security events.
• Data analysis: The firewall analyzer then analyzes the collected data to identify potential vulnerabilities and threats in the network. This may include identifying open ports, misconfigured firewall rules, or unusual network traffic patterns.
• Reporting and visualization: The firewall analyzer generates reports and visualizations that provide a detailed overview of the network's security posture. These reports may include information on compliance with relevant regulations and standards, as well as recommendations for remediation.
• Alerting: The firewall analyzer may also include alerting features that notify security teams when potential threats or vulnerabilities are detected.

Some firewall analyzers can also be integrated with other security tools, such as vulnerability scanners or intrusion detection systems, to provide a more comprehensive view of an organization's security posture.

Firewall optimization best practices

It is not uncommon for organizations to question if both a firewall analyzer and firewall management platform are necessary for improved network security. Firewall analyzers provide a strategic and operational view of the network security environment across multiple vendors. This contrasts with the firewall management platform’s operational and tactical capabilities which are vendor specific.

In addition, firewall analyzers can provide value for non-operational roles in an organization, such as auditors. Auditors can collect the information they need without having to access the firewall management platform directly or involve the operations teams who administer the platform.

Conclusion

Overall, firewall optimization using firewall analyzer tools and firewall management platforms are important for the network’s health and security. While they serve different purposes, they also complement each other with their unique capabilities. Organizations that need visibility into the performance of the network along with recommendations for improving the firewall security should consider a firewall optimization strategy that incorporates both capabilities.

AT&T Cybersecurity Consulting has more than 20 years of experience increasing network security and performance using its firewall optimization programs. Learn more about the benefits and best practices of implementing a firewall optimization strategy that incorporates both firewall analyzer tools and firewall management platforms. Contact us today to get started.

The post What is firewall optimization? appeared first on Cybersecurity Insiders.

Some of the biggest prevailing challenges in the cybersecurity world over the last year have been those revolving around securing the software supply chain across the enterprise. The software that enterprises build for internal use and external consumption by their customers is increasingly made up of third-party components and code that can put applications at risk if they aren't properly secured.

It's a problem that cuts across every industry, but manufacturers are feeling it especially acutely because they're tasked with securing not only the software supply chain but the physical supply chain as well. It's a very layered risk issue for manufacturers for two big reasons.

First of all, the things that manufacturers produce today are increasingly connected and more software dependent than ever before. They depend on a host of specialized silicon and digital components that are invariably produced by third-party manufactures themselves, creating a nested chain of third-, fourth-, and Nth-party dependencies that are difficult to track, let alone manage risk against.

Secondly, the factory floor itself is a part of the supply chain that is becoming more intricately converged with the IT network and which is highly dependent on third-party equipment, software, and remote connections.

Given these factors, it becomes clear that managing cybersecurity risk across the supply chain will require manufacturers to carefully attend to the risk brought to the table by their third-party suppliers and contractors. And on the flip side, many manufacturers who provide components to clients who are also manufacturers must stay vigilant as security standards rise for what it takes to get their products in the door elsewhere.

“As I've been doing in-depth interviews for our AT&T Cybersecurity Insights Report and also doing customer calls, one of the things I've observed about manufacturers in the supply chain is that even when they're smaller—say, 50- to 100-person shops—they're still saying, 'Security is critical to us,'” says Theresa Lanowitz, security evangelist for AT&T. “They know they need to be doing everything they can to abide by their customers' security guidelines, external rules and regulations, and mitigating the risk required to keep the entire supply chain secure.”

It's an issue that cybersecurity experts at AT&T like Lanowitz and those at Palo Alto Networks have increasingly been collaborating on to help manufacturing customers address across their organizations. The following are some tips they recommend for manufacturers managing third-party cyber risk in the supply chain.

Risk scores and signals matter

Because digital components and hardware are so woven into the products that supply chain providers deliver to their manufacturing clients, risk scores and signals matter more than ever. According to Dharminder Debisarun, worldwide industry security architect for manufacturing, Internet of Things and transport at Palo Alto Networks, it's up to companies determine what their risk appetite is for their providers—depending especially on what they're delivering to the supply chain—and start finding ways to get transparency into that.

“Ask yourself, 'What's our risk appetite for suppliers that we work with?'” he says. “You want to know that before you engage with them. Then there needs to be some kind of framework or certification that says 'Hey, this company is secure enough to do business with’.”

He says some governments have provided that kind of grounding—for example in Germany the automotive industry relies on the TISAX certification to prove out baseline security proficiency. Barring that, the growing world of third-party risk management monitoring is another place to start getting transparency. Ultimately, the goal is to do third-party screening of every bit of coding or connectivity delivered by suppliers into a manufacturer's supply chain or production streams.

Supplier contracts need to account for cyber risk

Even more important, says Debisarun is that manufacturers ensure that their cyber security standards are enforced contractually.

“You can only work this out contractually. You need to have cybersecurity and cyber risk requirements embedded into all the supplier contracts you put in place,” he says. “It's something manufacturers should really consider doing.”

Some of the things that should be enforced include disclosure of big security incidents or material software vulnerabilities, how remote access is established and maintained between supplier and manufacturer, how and when security audits or certifications are provided, and so on.

Managing third-party risk on the factory floor

Meantime, because the actual manufacturing capability of organizations is so intertwined with third parties, managing factory floor vendors securely is crucial. Debisarun explains that the assembly line floor today is almost never managed by the manufacturer itself.

“It's going to be an assembly line floor run by Siemens or Rockwell or ABB. And when these assembly lines are delivered by these giants of the manufacturer ecosystem, they will never allow the customer to do maintenance on that assembly line,” he says, explaining that big vendors contractually require that they handle the maintenance on this equipment.

In most cases, this requires remote access—especially now in this post-COVID world.

“At which point the manufacturer is flying blind,” he says.

This highlights the importance of setting up mitigating controls like secure remote access and Secure Access Service Edge (SASE) architecture that creates a pathway for the manufacturer to at least control the traffic in their network. At the core of SASE is Zero Trust Network Access (ZTNA 2.0) which combines fine-grained, least-privileged access with continuous trust verification and deep, ongoing security inspection to protect all users, devices, apps, and data everywhere – all from a simple unified product. This is an integral and oft-forgotten part of managing third-party risk in the manufacturing world.

Architect and collaborate – with resilience top-of-mind

Finally, organizations should be architecting their supply chain and coordinating their vendor management to keep cyber resilience top-of-mind. According to Lanowitz, the key is remembering the concept of eliminating 'single points of failure.'

“If you are a major car manufacturer, for example, and you're using tiny suppliers to help you build out your cars, you want to make sure that if they go out of business, if there's a fire in their plant, or their operations are interrupted by ransomware, you're not going to need to stop your assembly line waiting for them,” she says.

Debisarun agrees, explaining that every manufacturer should have a plan B and C for when cybersecurity events at suppliers create downstream impact.

“If one supplier breached, how long should you wait to it's resolved?” And that basically comes back to the contracts you are signing—the plan needs to be built into that so you aren't dependent on one supplier's readiness to handle a cyber event or a physical event,” he says.

The post Third party Cybersecurity risks in securing the supply chain appeared first on Cybersecurity Insiders.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

As we move towards more automation, we should remember the risk of over-automating, or at least make a conscious decision to accept the risks. This is especially important in automating response actions, which left unchecked could wreak havoc with day-to-day business operations.

The alarm

One evening after normal business hours, an alarm came in indicating a software package attempting to execute on a server was auto-mitigated by SentinelOne. The software package was behaving in a way that was taken as attempting to evade detection by the SentinelOne agent and therefore rated as “Malicious” by the SentinelOne Artificial Intelligence logic. Since the server on which the software package was attempting to execute had a “Protect” policy applied, the auto-mitigation steps for a dynamically detected “Malicious” rating included killing and quarantining the process.

A “policy” setting in SentinelOne is the defined level of automated response activity the endpoint detection and response tool (EDR) has permission to perform for each grouping of assets. Whereas a “Detect” policy will create an alert that can be managed for post-investigation response actions, a policy setting of “Protect” will take automated response actions. The intrusion level of those automated response actions can be customized, but they all perform an automated action without a person looking at the situation first.

The below image is for an alarm for malware which ended up being process automation software

but nonetheless was automitigated (process killed) by SentinelOne as shown in the log excerpt below.

The business impact

The next morning, with business hours back in full swing, the customer reached out to us concerned about the result of the automated response action. The customer stated that the software package is a critical part of their business infrastructure and should never be stopped from executing. The software had been running on that same server the prior several months, since entering SOC monitoring.

The customer questioned why after several months with the SentinelOne agent running on the server did the agent suddenly believe the software package was malicious. We were not able the answer the question specifically since the decision-making behind identifying and rating a process as “Malicious” versus “Suspicious” or benign is a proprietary logic.

What we could state is that any EDR solution worth its price will continually update indicator of compromise (IOC) signatures. Any worthwhile EDR solution will also include not only static detection but also behavior-based dynamic detection. In the case of SentinelOne, there is the pre-execution behavior analysis that allows for process termination pre-execution as well. And of course, any software package run on a server is subject to updates for security, efficiency, or product feature upgrades.

Taken as a whole, it means any endpoint being protected is a very dynamic battleground with the potential for an updated software package that did not trigger IOC rules yesterday triggering tehm today. Or a non-updated software package may suddenly be identified as potently malicious due to updated machine learning IOC behavior analysis. Remember when JNDI calls were considered benign?

Lessons learned

Just as we learn the CIA security triad is a balancing act between confidentiality, integrity and availability, there is a balance to be struck between the use of immediate automated response actions and the slower reasoning of human evaluation prior to response actions. An EDR solution will immediately and infallibly carry out the policy which it has been programmed to implement, but in a ruthless fashion. A human evaluation will take longer, but it can consider prior history, the validity of the triggering IOCs in context, and the nuances of how selecting one response action over another might impact your overall business.

Automation, machine learning, artificial intelligence, and the like have their place. Their benefits will no doubt increase as technology develops. But the human component will always be necessary. The MXDR SOC and our customers (being the humans that we are) must work together to define the critical assets and business processes that should never be touched by automated intrusion. We must also work together to find the space in your environment where those swift and ruthless automated response actions are an advantage. And it is a very human decision to conclude how much risk we can tolerate in each implementation.

The post Stories from the SOC  – The case for human response actions appeared first on Cybersecurity Insiders.

Read the previous blog on Governance of Zero Trust in manufacturing in the series here.

Manufacturers are some of the most ambitious firms on the planet when it comes to harnessing the power of edge technology to modernize their businesses. As they make plans in 2023 to  enhance business outcomes through the use of technologies such as 5G and IoT, manufacturers should also increasingly be called to innovate in the spheres of governance and cyber risk management.

OT-IT convergence drives manufacturing modernization

The convergence of operational technology (OT) on the factory floor with information technology (IT) is nearly synonymous with manufacturing modernization. OT-IT convergence enables new digital processes, remote connections, and smarter operations. It's a business outcome-oriented transformation that executive stakeholders have future success pinned upon.

Recent studies from AT&T show that manufacturers are investing in initiatives  such as smart warehousing, transportation optimization and video-based quality inspection at such a rate that the industry is advancing ahead of energy, finance, and healthcare verticals when it comes to edge adoption today.

But to reap the business benefits from these investments, manufacturers need to recognize and attend to the cyber risk realities that are part and parcel with this inevitable convergence.

Cybercriminals are increasingly targeting industrial control system (ICS) technologies that are the bedrock of the OT ecosystems. Attackers have learned to take advantage of ICS hyperconnectivity and convergence with the IT realm to great effect. Last year's warning from the federal Cybersecurity and Infrastructure Security Agency (CISA) attests to this, as do high-profile attacks last year against tire manufacturers, wind turbine producers, steel companies, car manufacturers, and more.

Reducing risk through Zero Trust

One of the most promising ways that manufacturers can begin to reduce the risk of these kinds of attacks is through the controls afforded by a Zero Trust architecture. From a technical perspective, Zero Trust unifies endpoint security technology, user, or system authentication, and network security enforcement to prevent unrestrained access to OT or IT networks—and reduce the risk of unchecked lateral movement by attackers. With Zero Trust, access is granted conditionally based on the risk level of users (or machines, or applications). It's a simple, elegant concept that requires careful execution to carry out.

Thus, when looking at building a zero-trust strategy, ZTNA 2.0 solutions have a role to play in helping apply more effective controls at the application level that are responsive to account takeover attempts. ZTNA 2.0 combines fine-grained, least- privileged access with continuous trust verification and deep, ongoing security inspection to protect all users, devices, apps, and data everywhere – all from a simple unified product.

Most importantly, too, is that Zero Trust requires business stakeholder input and collaboration to get right. Just as business stakeholders in manufacturing drive the push to the edge and the push for all nature of digital transformation and OT-IT convergence, they've got to be intimately involved with Zero Trust initiatives to spur success.

“Technology can come and go, but what manufacturers are really after are business outcomes,” says Theresa Lanowitz,  head of cybersecurity evangelism for AT&T. “That's where we need to focus when it comes to Zero Trust—at its core it needs to be driven by the business, which really sets the North Star for Zero Trust governance.”

Zero Trust should be owned by business stakeholders

At the end of the day, Zero Trust projects should be owned by the business, agrees Dharminder Debisarun, worldwide industry security architect for manufacturing, Internet of Things and transport at Palo Alto Networks, who says that when his group is approached by manufacturers interested in building out Zero Trust infrastructure, the team always turns conversations back to the business basics.

“People bring us in and say 'We want to do Zero Trust, how can you help?'” Debisarun says, explaining that they're usually starting with very technical deployment questions about elements like Secure Access Service Edge (SASE) and remote access management. “We usually take a step back then and ask, 'Why do you want to do Zero Trust? What's the business goal for it?'”

Similarly, Debisarun says they try to involve business stakeholders into collaborative risk discussions before getting into the meat of architectural design. That step back will hopefully get a manufacturer focused on doing risk assessments and other business alignment activities that will shape the way risk is managed—based on business goals, rather than narrow technical specifications. It will also get the entire team thinking about how the value of OT and IT assets are determined and establish the roadmap for where and how Zero Trust security technologies are deployed over time.

Business stakeholders have the most prescient and intimate knowledge of the emerging business conditions, regulatory demands, partnership agreements, and supply chain considerations that are going to impact risk calculations. This is why business ownership is the cornerstone and foundation for Zero Trust governance.

When manufacturers direct the security team with an eye toward  business outcomes, these technical executors are less likely to take a tools-only approach to technology acquisition to engage in reactionary spending based on the latest breach headlines. Incremental improvements will be built up around security controls that manage risk to the most critical operational processes first, and also around the processes and systems most put at risk by new innovations and business models.

The post Governance of Zero Trust in manufacturing appeared first on Cybersecurity Insiders.

We’re so excited to announce our 2023 Partner of the Year awards. These annual awards recognize AT&T Cybersecurity partners that demonstrate excellence in growth, innovation, and implementation of customer solutions based on our AT&T USM Anywhere platform.

AT&T Cybersecurity’s 2023 Global Partner of the Year award goes to Cybersafe Solutions! Cybersafe Solutions experienced incredible growth in 2022 and we’re thrilled to be partnering with their team to help customers orchestrate and automate their security.

In addition to Cybersafe Solutions as our Global Partner of the Year, we’re proud to recognize seven other partners who demonstrated excellence in 2022. See below for the full list of winners and their feedback regarding their partnership with AT&T Cybersecurity.

Global Awards:

Global Partner of the Year: Cybersafe Solutions

“I am humbled and honored to accept AT&T's 2023 Global Partner of the Year Award. Throughout our partnership, we have worked together to develop a comprehensive solution that enables Cybersafe to continuously monitor our customers' networks to identify and mitigate threats rapidly. Sincere thanks to the entire AT&T team on contributing to this success.  We are truly excited for what the future holds!”

-Mark Petersen, Vice President of Sales

Growth Partner of the Year: Xerox

New Partner of the Year: Arete Advisors

“Arete is honored to be named AT&T Cybersecurity’s New Partner of the Year. Our complementary partnership combines unique threat intelligence from AT&T’s USM Anywhere SIEM platform with Arete’s XDR platform to provide our clients with faster threat detection and greater clarity. We look forward to a future of continued growth together as we work to transform the way organizations prepare for, respond to, and prevent cybercrime.”

-Joe Mann, CEO

Distributor of the Year: Ingram Micro

“The cybersecurity threat landscape is growing in complexity—calling for greater collaboration across the IT channel ecosystem and between MSPs and their customers to stay secure. Together with AT&T Cybersecurity we are empowering channel partners with the knowledge and solutions needed to better protect their house and their customers from cyber attacks. It is an honor to be recognized three years in a row as AT&T Cybersecurity’s Distributor of the Year.”

-Eric Kohl, Vice President, Security and Networking

Regional Awards

These awards recognize partners that had the highest sales bookings in each of the 4 regions during last year.

North American Partner of the Year: Coretelligent

“We are honored to be recognized as AT&T Cybersecurity’s North American Partner of the Year and look forward to our continued partnership and delivering leading-edge security solutions to our shared clients. Coretelligent and AT&T Cybersecurity are a best-in-class pairing that provides the robust and secure cybersecurity management and monitoring that enterprises need to defend against the extreme threats of today’s cyber landscape.”

-Kevin J. Routhier, Founder and CEO

EMEA Partner of the Year: Softcat

“We are thrilled to be announced as AT&T’s Cybersecurity EMEA Partner of the year for 2023. We’ve thoroughly enjoyed working with AT&T of the course of the past year and we’re so thankful that our dedication has paid off. We’d love to thank everyone at AT&T and Softcat who has worked with us on various projects during this period.”

– Aoibhín Hamill, Cyber Managed Services Advisor

APAC Partner of the Year: Vigilant

“We are thrilled and honored to receive the prestigious AT&T Cybersecurity APAC Partner of the Year award! This recognition is a testament to our team's hard work and commitment to delivering exceptional cybersecurity solutions to our clients. At Vigilant Asia, we strive to be at the forefront of innovation and this award affirms our efforts. Here’s to more partnership success!”

-Victor Cheah, CEO

Latin American Partner of the Year: GMS

“GMS is thrilled to be named Latin American Partner of the Year for 2023. Having previously garnered this distinguished award, our partnership with AT&T Cybersecurity only gets stronger as time goes on. AT&T’s continued innovation is central to our value proposition, and we feel privileged to work so closely with a company that shares our commitment to providing optimal security for our customers throughout the Andean region.”

-Esteban Lubensky, Executive President

The post AT&T Cybersecurity announces 2023 ‘Partner of the Year Award’ winners appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Integrating Cybersecurity in UX design

The digital landscape has ensured a wider range of businesses has access to a truly global marketplace. On one hand, this helps bolster a thriving entrepreneurial ecosystem. However, it also means there is a significant amount of competition. If your company’s website or mobile application doesn’t provide a stellar user experience (UX), consumers are able and willing to go elsewhere.

Yet, in the online environment, UX is not your only consideration. There are various threats your business and consumers face from cyber criminals. Therefore, when developing your online tools, you need to adopt effective protections. Unfortunately, many businesses struggle with implementing strong security that doesn’t also disrupt the UX.

Your best approach here is usually to integrate cybersecurity with UX design. So, let’s explore why and how you can achieve this.

How are UX and Cybersecurity related?

One of the mistakes too many businesses make is assuming that UX and cybersecurity are separate aspects of the digital infrastructure. They can certainly have independent intentions to an extent with different goals and actions to achieve these goals. Yet, understanding how they are closely related is the first step to effective integration.

In some ways one can’t — or, at least, shouldn’t — exist without the other. A good example of this is the application of web design in high-stakes sectors, like telehealth care. There are two core types of telehealth services; asynchronous care and synchronous (live) care. While there is a difference here in how patients interact with the medical professional, both types involve the collection and storage of sensitive data. It’s certainly important from a UX perspective to make both asynchronous and live processes as simple and convenient as possible for patients. Yet, this simplicity shouldn’t sacrifice the security of the data.

Clear and strong security protocols give consumers confidence in the system and the company they’re interacting with. This applies to not just healthcare industries but also eCommerce, education, and supply chain sectors, among others. Similarly, consumers may be more likely to adopt more secure behaviors if they can see how it feeds into the convenience and enjoyment of their experience. This means that the UX development process must involve security considerations from the ground up, rather than as an afterthought.

How can you plan effectively?

As with any project, planning is essential to the successful integration of cybersecurity and UX design. An improvisatory approach that involves tacking security or UX elements onto your site or app doesn’t result in a strong development. Wherever possible, your best route is to bring both the UX departments and cybersecurity professionals together in the planning process from the outset. Each department will have insights into one another’s challenges that benefit the project as a whole.

Another key part of your planning process is researching and analyzing your users’ behavior concerning the types of online tools you’re developing. Work with business analytics professionals to understand in what ways security factors into your target demographic’s preferred online experiences. Review what the common security behavior challenges are with your consumers and what experiential elements prevent them from implementing safe actions. This then enables you to create the most apt UX and security arrangements to meet your consumers’ needs.

Importantly, your team needs to plan with balance in mind. They need to make certain that as far as possible, security doesn’t interfere with UX and vice versa. For instance, you may be able to design multiple layers of encryption that require minimal user interaction to activate. Whatever you approach, you must build thorough testing into the planning process. This shouldn’t just be to review efficacy and strength, but also to establish whether there are imbalances that need to be corrected.

What tools can you use?

You should bear in mind that integrating UX and cybersecurity isn’t just a case of developing a unique site or app. Finding this balance is a challenge that businesses have been seeking to address throughout the rise of our digital landscape. This means that there are some existing tools that you can incorporate into your more tailored approach.

Artificial intelligence (AI) is increasingly popular here. Even small businesses can access AI tools that take care of many elements of a website and mobile application development. These tools not only save companies time in coding, but they can also make more secure sites by mitigating the potential for human error. Indeed, AI-driven security monitoring software can scan networks in real-time, responding to threats quickly and effectively without disturbing the user experience.

Aside from AI, adopting a single sign-in, multi-factor authentication is a common tool to adopt. This approach provides maximum security by requiring users to authenticate using more than one device. However, it's important not to disrupt the user flow by ensuring this is a one-time action that allows them to access various aspects of your online space. You should require further authentication only when they navigate away from the site, utilize a new device, or attempt purchases over a certain threshold.

Conclusion

Integrating UX and cybersecurity is not always easy. It’s important to understand that these elements need to coexist to achieve the most positive outcomes. From here, thorough planning that involves collaboration from both security and UX professionals is key to achieving a good balance. Remember that tools like AI and multi-factor authentication can bolster your ability to create a safe service that users enjoy interacting with.

The post Integrating Cybersecurity in UX design appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

When strategizing a security approach for the coming year, many solutions will cross a CISO’s desk, all useful in covering some part of the network. Organizations must scrutinize every layer and each solution to make sure their security stack runs efficiently while still boasting a Defense-in-Depth approach. There cannot be an overload of alerts, the learning curve must be worth the cost, and all solutions must integrate with each other. Not surprisingly, the search can be tedious, complex, and confusing.

Broadly speaking, cybersecurity defends the network and the devices on that network. Both are key and must be protected. Endpoint security and response includes “not only the automated monitoring and detection of threats on the endpoint, but also a combination of autonomous and manual investigation, remediation, and response.” While not every tool will make the cut, here are seven reasons why Endpoint Detection and Response (EDR) should not be ignored.

1. Cybercriminals aren’t ignoring endpoints. It’s not surprising that in a recent study, 76% of IT decision-makers reported their company use of endpoint devices has gone up. This can include workstations, servers, tablets, smartphones and a host of IoT devices like cameras, smart speakers, and lighting. However, it is equally unsurprising that bad actors have capitalized on this gain, and consequently, 79% of IT teams have seen a rise in endpoint-related security breaches.
2. The cyber talent crisis creates the need for autonomous response on the endpoint. With an increase of both endpoints and endpoint-related attacks, a proportional increase in endpoint security measures is needed; unfortunately, the ongoing cyber talent deficit hamstrings those efforts and makes whatever qualified cybersecurity experts are available difficult to attain for many small to medium-sized businesses. Endpoint security solutions use automatic investigation and monitoring techniques to spot threat 24/7/365 and often respond autonomously to mitigate them. This cuts back significantly on the work remaining for already-strapped security teams to do.
3. EDR offers cloud-based security for end-user devices. One of the primary security problems facing fast-expanding, digitally native, and mid-transition companies is how to secure both on-premises and cloud-based assets. Endpoints, while not in the cloud, connect to it and bad actors can use vulnerabilities in device software to pivot to the rest of your network. State of the industry endpoint security platforms can deploy patches and run reboots from the cloud and offer enterprise-wide centralized cloud management.
4. Remote device security trends downward as workers mix personal with professional. The rise of BYOD has been significant and ubiquitous in the wake of the remote-work migration, and a study by Gartner revealed that over 50% of workers used their own laptop or smartphone for work activity. Interestingly, a Ponemon study indicated that 67% of respondents reported that personal mobile devices have negatively impacted their company’s security posture, and 55% cite smartphones as the most vulnerable endpoint in their organization.
5. EDR secures email. As many as 91% of all breaches begin with a phishing email. Email servers are a widely exploited endpoint. Endpoint security solutions can clean email messages before they reach the network, isolate and investigate links, and alert users when sensitive data is about to leave the organization.
6. Firewalls are not foolproof. While having a firewall is a best practice, it only represents one part of a defense-in-depth approach. Firewalls are susceptible to misconfiguration, and their signature-based policies miss new exploits that recompile their code or use fileless malware. Additionally, freshly spun-up domains can cause many malicious sites to slip by undetected, and the popularity of this method is rendering firewalls even more ineffective. Not having an additional layer of defense directly on the endpoint device can be problematic as these trends continue.
7. EDR can proactively prevent zero days from entering your network. Macros used to be the loose cannon of inboxes, infecting the victim device directly upon opening. While Macros are largely disabled by default now, malicious code (largely HTML) still lurks in attached documents that only require a bit of social engineering to get the user to click. By sandboxing email attachments and vetting them for safety prior to opening, email security tools can prevent zero days from detonating on your network.

Remote work leaves endpoints more exposed than ever, vulnerable to human error and consumer-side attacks. Cybercriminals continue to target firmware, and the shortage of qualified cybersecurity professionals can leave various parts of the network at risk. Struggling SOCs can offload some of the burden of network monitoring as EDR solutions autonomously investigate and respond to incidents on the endpoint. Next-generation EDR tools can aid ongoing security measures by collecting data at the source.

Keeping EDR an integral part of a Zero Trust security strategy will be ever more imperative as time goes on and threats continue to evolve. Cybercriminals aren’t lessening their attention to the endpoint, so organizations shouldn’t either.

The post 7 reasons why Endpoint Security and Response shouldn’t be ignored appeared first on Cybersecurity Insiders.

In 1999, the United States began to shape its QIS strategy. The first document on file is a Scientific and Technical Report (STR) entitled: “Quantum Information Science. An Emerging Field of Interdisciplinary Research and Education in Science and Engineering.” This is the first report of an assortment of publications that help establish the US QIS strategy. To date, 55 publications contribute to the overall US strategy to advance QIS and quantum applications. These documents consist of Scientific and Technical Reports (STR), Strategy Documents, Event Summaries, and the National Quantum Initiative Supplement to the President’s Budget.

To begin, STRs are fundamental sources of scientific and technical information derived from research projects sponsored by the Department of Energy. On an annual basis, the US has released roughly 3.5 QIS reports (on average) since 1999; consequently, these publications make up 65% of the strategic documents related to QIS. Scientific and Technical Reports describe processes, progress, the results of R&D or other scientific and technological work. Additionally, recommendations or conclusions of research, original hypotheses, approaches used, and findings are also included. Scientific and Technical Reports have proven to be highly beneficial to researchers. STRs regularly include more comprehensive or detailed information than scholarly papers or presentations since STRs include experimental designs and technical diagrams.

Continuing, released in 2009, the National Science and Technology Council (NSTC) released the first QIS Strategy Document entitled “A Federal Vision for Quantum Information Science.” NSTC has the aim of articulating clear goals and a vision for federal service and technology investments, focusing on information technology, and strengthening fundamental research. This interagency document set conditions to coordinate federal efforts in QIS and other related fields. Furthermore, the strategy documents establish clear national goals for service and technology investments in information technologies and health research industries.

Additionally, in 2018, a Summary of the 2018 White House Summit on Advancing American Leadership in Quantum Information Science was published as an Event Summary. Event Summaries are published by the National Quantum Coordination Office (NSQO). Event summaries provide an executive summary of key engagements related to QIS. With six summaries published to date, the current theme revolves around events that promote leadership, education, outreach, and recruitment in the field of QIS. The summaries prove to be very advantageous since they provide a read-out document that can be archived to capture event background, discission topics, key takeaways, agency funding/research award announcements, next steps, and an event conclusion.

Furthermore, the National Quantum Initiative (NQI) Act, which became law in 2018, ensures the annual release of the National Quantum Initiative Supplement to the President’s Budget. This is the final document to reference which contributes to the US QIS strategy. The supplement details the current year’s efforts, progress, and budget for the National Quantum Initiative Program, along with, projecting a budget for the next fiscal year. The supplement also provides an analysis of the progress made toward achieving the goals and priorities of the NSTC Subcommittee on Quantum Information Science (SCQIS).

Since 1999, the US began charting a way to address QIS. Vision, strategy, R&D, agency coordination, funding, and QIS promotion efforts have been consistent. The strategy has also accelerated in the last five years. As advances in Quantum Science materialize, the US continues to make strides in coordinating across the Federal government, academic institutions, and industry. 21 different agencies in addition to Nobel Laureates and international partners are invested in the US strategy to address all aspects of Quantum Science. With certainty, there is a race to clearly understand all aspects of QIS and the impact it can have on our society. The US displays an inclusive, wide reaching, firm, and consistently accelerated strategy due to developments in QIS. US strategy and efforts toward QIS places the US on a path to lead the world in QIS. Simply put, the US strategy encompasses a whole of government approach, along with, collaborating with industry, academic institutions, and allies worldwide to bring to life the remarkable potential in how QIS can change the way citizens live, work, and understand the world.

“As new technologies continue to evolve, we’ll work together with our democratic partners to ensure that new advances in areas from biotechnology to quantum computing, 5G, artificial intelligence, and more are used to lift people up, to solve problems, and advance human freedom.” – President Biden

 

SECDEF Executive Fellowship Homepage

US Army Homepage

Army War College Homepage

Find Your Army Career

The post Guiding publications for US strategy on Quantum Information Science (QIS) appeared first on Cybersecurity Insiders.