As security and identity management become increasingly complex, with 60% of breaches attributed to insider threats, compromising on access control makes no sense. More importantly, choosing the right partner is more crucial than ever.

According to IDECO CEO Marius Coetzee, IDEMIA’s biometric readers are known for their exceptionally high quality and longevity, ensuring that your investment in security technology is protected for years to come. “With a reputation for accuracy and cutting-edge technology, IDEMIA delivers robust access control solutions that provide peace of mind and operational efficiency.”

“Their commitment to quality, innovation, and customer satisfaction has positioned them as the Corporate Standard and go-to choice for organisations seeking reliable and long-term security solutions,” he stresses.

Quality and reliability

High quality is a hallmark of IDEMIA’s offerings. The company’s biometric solutions are crafted with precision, ensuring accuracy, reliability and reducing the likelihood of false acceptance. Businesses can trust IDEMIA to deliver consistent, high-quality performance that meets the rigorous demands of modern security environments.

IDEMIA ensures reliability through world-class matching algorithms, advanced manufacturing processes, and stringent quality assurance checks at every production stage. This meticulous approach minimises defects and guarantees best-in-class performance.

Understanding the Total Cost of Ownership (TCO)

When investing in biometric solutions, it’s essential to consider the total cost of ownership (TCO) beyond the initial purchase price. With IDEMIA, one is investing in longevity and quality, which stand the test of time. This approach prevents the costly cycle of replacing biometric readers every few years.

IDEMIA offers robust, scalable solutions that minimise implementation, maintenance, and operational costs. The company’s products are designed for durability and efficiency, delivering long-term savings and reducing the need for constant updates or repairs.

Vendor stability and reputation

Partnering with a stable and reputable vendor is crucial for long-term success. IDEMIA’s reputation for stability and long-term viability makes it a trustworthy partner. The company earns trust through a proven track record of delivering high-quality, innovative solutions.

Coetzee says their commitment to continuous technological advancements guarantees that your biometric solutions are always equipped with the latest innovations. “Regular updates and upgrades are included, ensuring your investment evolves with the latest technological trends and security standards.”

Compatibility and integration

IDEMIA’s technology stack is designed for seamless compatibility with existing infrastructure. Its solutions integrate smoothly with current systems, ensuring robust security and easy adoption. The advanced biometric and cryptographic technologies used by IDEMIA enhance overall security while facilitating integration across various platforms.

The company’s products are trusted by governments and leading corporations worldwide, solidifying IDEMIA’s status as a top-tier provider in the field.

Comprehensive support

IDEMIA excels in providing extensive support services, including training, implementation assistance, and ongoing local support. Its commitment to customer service ensures that organisations can maximise the benefits of their solutions, with expert guidance available every step of the way.

“This comprehensive support is crucial for maintaining their position as the corporate standard in biometrics. By offering tailored solutions and hands-on support, IDEMIA helps organisations achieve their security goals with minimal hassle and maximum return on investment,” he explains.

Longevity versus warranty

More importantly, IDEMIA’s products are engineered for longevity, surpassing standard warranty periods. This emphasis on durability means organisations experience fewer repairs and updates, minimising downtime and ensuring consistent performance.

By focusing on long-term reliability, IDEMIA provides a dependable security solution, reducing the total cost of ownership (TCO) for clients. The extended lifespan of IDEMIA’s products enhances their value proposition, offering peace of mind and sustained security.

Ethical practices and sustainability

IDEMIA is committed to ethical practices and sustainability. Its solutions are designed with a focus on environmental responsibility, ensuring that businesses can achieve their security goals without compromising on ethical standards. This commitment extends to data privacy and protection, aligning with global security practices.

For sustainability, IDEMIA incorporates eco-friendly materials in their products and designs solutions with energy efficiency in mind. The company’s operations emphasise waste reduction, recycling, and minimising resource usage, contributing to a sustainable future while upholding high ethical standards.

Global Security Practices: GDPR and POPIA Compliance

Given the many stringent data protection regulations now in force, IDEMIA’s solutions are meticulously designed to comply with global security practices like GDPR and POPIA, ensuring robust data protection and privacy. They incorporate advanced encryption techniques to safeguard personal data during collection, storage, and transmission.

IDEMIA’s comprehensive approach to data security helps organisations maintain compliance while leveraging cutting-edge biometric technologies, ensuring that businesses can operate confidently, knowing their biometric data is handled in accordance with the highest legal and ethical standards.

Vision

Coetzee says a vendor’s vision and future plans are critical to long-term success. “IDEMIA envisions a future where biometric solutions enhance security, convenience, and efficiency across various sectors. Their mission is to make it safer and easier for people to pay, connect, be identified, access, travel, and stay safe by continuously reinventing the way we interact.”

IDEMIA’s technical roadmap aligns with the evolving needs of modern businesses, focusing on innovation and scalability. The company’s strategic direction ensures that their solutions remain relevant and effective, keeping pace with technological advancements and market demands.

In conclusion, Coetzee states: “IDEMIA sets the corporate standard in biometrics by distinguishing itself through a combination of innovative technology, robust support services, a clear strategic vision, cost-effectiveness, and unwavering reliability.”

“Their commitment to quality, privacy, ethical practices, and global compliance ensures that businesses can trust IDEMIA for their biometric needs. By choosing IDEMIA, organisations align themselves with a leader in the industry, securing a reliable and forward-thinking partner for their biometric solutions,” he concludes.

The post Is your organisation at risk? appeared first on Cybersecurity Insiders.

The NPD breach, one of the most significant cybersecurity incidents in history, exposed the personal data of nearly three billion people, including Social Security numbers, addresses and email addresses. The breach was carried out by a cybercriminal group called “USDoD,” which claimed responsibility for the attack. It occurred in December 2023 but was only confirmed by the National Public Data (NPD), a data broker that collects information from public sources for background checks, in August 2024. The NPD also admitted that it had accidentally published its own passwords online, making the breach worse.

The breach has sparked outrage and concern among the public, lawmakers and experts, who have criticized the NPD for its lack of transparency, accountability and security. The NPD is facing a lawsuit from a consumer advocacy group, which accuses the company of violating the privacy rights of millions of Americans. The breach has also raised questions about the adequacy of the U.S. laws and regulations that govern personal data collection, use and protection, especially by data brokers that operate with minimal oversight and disclosure. It has likewise exposed the vulnerability of consumers, who may not be aware of how their data is collected, stored and shared, and who may face the risk of identity theft, fraud and scams.

Several cybersecurity experts from different companies have shared their insights and opinions on the NPD breach and its implications. Clyde Williamson from Protegrity emphasized the need for organizations to protect the data they exchange with consumers and comply with privacy laws. He also pointed out the inadequacy of U.S. laws in handling citizens’ personal data and the need for regulatory standards for data brokers. Kiran Chinnagangannagari from Securin expressed alarm over the silence of the NPD until the breach included leaked social security numbers. He also stressed the need for organizations to evaluate and ensure the cybersecurity practices of their partners and third-party vendors. Ayan Hadler from Traceable AI suggested using intent-driven risk management, which looks at how users behave after getting onto the platform and what they are going after, to reduce the risks posed by weak KYC measures.

Clyde Williamson, Product Management, Innovations, Protegrity

“Organizations rely on the exchange of data for their vitality. Consumers share their personal identifiable information (PII), like Social Security numbers and emails, with the expectation that businesses will protect this data and comply with privacy laws to prevent unauthorized access. In this case, National Public Data (NPD) scraped individuals’ PII from public sources for use in background checks, leaving people unaware if their data was accessed and emphasizing growing concerns regarding customer trust in businesses and their ability to secure their data. 

Notably, this breach wasn’t announced for a week; it only came to light and led to a lawsuit earlier because the company didn’t disclose it. Further, it’s still unclear whether they intentionally avoided sharing details of this breach or just discovered it themselves. This highlights the inadequacy of U.S. laws in handling citizens’ personal data, which are not equipped for the challenges of the 21st century. Data brokers like the NPD also aren’t held to the same regulatory standards as institutions like the Payment Card Industry (PCI), where they’re obligated to conduct annual audits and controls around credit card data. As things stand now, the US has no such obligations.

Most likely, a lot of the stolen data set is from one of our most vulnerable demographics: senior citizens and their families. A popular scam has a threat actor pretending to be a lawyer with bad news for the senior – their family member is in trouble and needs money. And why wouldn’t a grandparent believe them if they had valid PII to validate their credibility? These scammers don’t have to open credit in someone’s name to ruin lives. They just need to know how to use the information stolen to empty a caring family member’s bank account.

As breaches and attack surfaces continue to grow, relying on class action lawsuits for negligence cannot be the best option. Organizations must prioritize transparency and enhance their efforts to de-identify sensitive data to protect consumer information. They must move beyond traditional defense mechanisms and adopt regulator-recommended data protection strategies like encryption and tokenization. These methods render data useless to attackers, making it impossible to steal and use maliciously. By implementing these protections, businesses can diminish the value of stolen data and mitigate the long-term effects of ransomware attacks or fraudulent activities.”

Kiran Chinnagangannagari, Chief Product & Technology Officer, Securin

“In the wake of the staggering National Public Data breach, which compromised millions of records on U.S. citizens, the silence from the company until the breach included leaked social security numbers is nothing short of alarming. This breach underscores the profound risks posed by mass data aggregation and sheds a harsh light on the glaring gaps in corporate responsibility when managing and communicating such incidents. The fact that such enormous volumes of personal data are accessible to companies and private investigators, and now the deep and dark web, raises severe doubts about how well-protected our information truly is. This breach lays bare the minimal oversight over who gains access to this data—and what happens afterward.

This breach should also serve as a wake-up call, emphasizing the critical need for stricter regulations and better enforcement. It’s time for organizations to rigorously evaluate the cybersecurity practices of their partners and third-party vendors. It’s no longer enough to trust that data handlers have robust defenses—organizations must proactively ensure that every entity in their supply chain is equipped to prevent such catastrophic breaches. Companies must be held accountable, not just for their cybersecurity practices but for those of every entity they do business with. The stakes are too high to allow this negligence to continue.”

Ayan Hadler, Sr. Product Manager, Traceable AI

“When fraudsters have access to key personal details needed to bypass KYC on nearly all American consumers, the question is who to trust anymore? This is where intent-driven risk management shines. Intent-driven risk management looks at how users are behaving “after” getting onto the platform and what they are going after, negating a lot of the risks injected through brittle KYC measures.”

 

The post Experts Weigh In on the NPD Breach and Its Implications appeared first on Cybersecurity Insiders.

Microsoft 365 has become a cornerstone of modern business operations, providing a suite of tools that facilitate communication, collaboration, and productivity. 

With its widespread adoption, Microsoft has invested heavily in building robust security features to protect users from various cyber threats. These built-in features include multi-factor authentication (MFA), data loss prevention (DLP) policies, and advanced threat protection (ATP). However, in today’s increasingly complex threat landscape, these native security measures may not be enough on their own.

To ensure comprehensive protection, organizations should consider supplementing their security strategy with third-party Microsoft 365 total protection tools. These tools can offer additional layers of defense, advanced threat detection, and more granular control over your environment.

In this article, we’ll explore key threat protection strategies that can help secure your Microsoft 365 environment effectively.

1. Enhance Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is one of the most effective ways to secure your Microsoft 365 environment. By requiring users to provide two or more forms of verification before granting access, MFA significantly reduces the risk of unauthorized access due to compromised credentials. 

While Microsoft 365 offers built-in MFA, you can enhance it by using third-party tools that provide more flexible authentication methods, such as biometric verification, hardware tokens, or context-based authentication that adapts to user behavior.

2. Implement Advanced Threat Protection (ATP)

Advanced Threat Protection (ATP) in Microsoft 365 is designed to protect against sophisticated threats like phishing, malware, and zero-day attacks. However, relying solely on Microsoft’s ATP might not cover all bases. 

Third-party total protection tools can complement ATP by offering real-time threat intelligence, sandboxing for unknown files, and machine learning algorithms that detect and respond to emerging threats. These tools can also provide additional visibility into threat vectors that are not fully covered by Microsoft’s native solutions.

3. Utilize Data Loss Prevention (DLP) Policies

Data Loss Prevention (DLP) is crucial for protecting sensitive information from being accidentally or intentionally shared outside your organization. Microsoft 365 includes built-in DLP policies that help prevent data leaks. 

However, these policies may need to be supplemented with third-party solutions that offer more granular control and better integration with other security tools. 

For example, third-party DLP tools can provide more detailed reporting, automated remediation actions, and integration with other platforms like cloud storage services to ensure that sensitive data remains secure, regardless of where it is stored or shared.

4. Strengthen Email Security

Email is a common entry point for cyberattacks, and securing it should be a top priority. Microsoft 365 includes several email security features, such as anti-phishing and anti-spam filters. 

However, third-party email security solutions can enhance these features by offering more advanced capabilities like AI-driven threat detection, encrypted email communication, and automated incident response. These tools can also integrate with other security solutions to provide a more cohesive defense against email-borne threats.

5. Monitor and Respond with Security Information and Event Management (SIEM)

Monitoring your Microsoft 365 environment for suspicious activity is critical to identifying and responding to threats in real time. Microsoft provides basic logging and alerting capabilities, but a third-party Security Information and Event Management (SIEM) solution can take this to the next level.

SIEM tools aggregate and analyze data from multiple sources, including Microsoft 365, to detect anomalies and provide actionable insights. These solutions often include automated response capabilities that can mitigate threats before they cause significant damage.
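As an added example (not code from the article or from any SIEM vendor), the block below shows the kind of correlation a SIEM applies to Microsoft 365 sign-in data: it reads constructed sign-in events, groups them per user, and raises alerts for a successful sign-in without MFA, a burst of failures immediately followed by a success, and two successes from different countries closer together than plausible travel. The JSON field names (`ts`, `user`, `result`, `mfa`, `country`, `ip`), the thresholds and the sample records are all assumptions made for this example; they are not Microsoft’s audit-log schema.

```python
"""Added example: SIEM-style correlation rules over constructed Microsoft 365 sign-in events.
The record shape and sample data are invented for illustration (not Microsoft's schema)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events, one JSON object per line (sample data, not real logs).
SAMPLE_SIGNINS = """
{"ts": "2024-08-20T08:00:00Z", "user": "alice@example.com", "result": "success", "mfa": true, "country": "ZA", "ip": "198.51.100.10"}
{"ts": "2024-08-20T08:05:00Z", "user": "bob@example.com", "result": "failure", "mfa": false, "country": "NL", "ip": "203.0.113.5"}
{"ts": "2024-08-20T08:06:00Z", "user": "bob@example.com", "result": "failure", "mfa": false, "country": "NL", "ip": "203.0.113.5"}
{"ts": "2024-08-20T08:07:00Z", "user": "bob@example.com", "result": "failure", "mfa": false, "country": "NL", "ip": "203.0.113.5"}
{"ts": "2024-08-20T08:08:00Z", "user": "bob@example.com", "result": "failure", "mfa": false, "country": "NL", "ip": "203.0.113.5"}
{"ts": "2024-08-20T08:09:00Z", "user": "bob@example.com", "result": "failure", "mfa": false, "country": "NL", "ip": "203.0.113.5"}
{"ts": "2024-08-20T08:10:00Z", "user": "bob@example.com", "result": "success", "mfa": false, "country": "NL", "ip": "203.0.113.5"}
{"ts": "2024-08-20T08:30:00Z", "user": "carol@example.com", "result": "success", "mfa": true, "country": "ZA", "ip": "198.51.100.44"}
{"ts": "2024-08-20T08:45:00Z", "user": "alice@example.com", "result": "success", "mfa": true, "country": "US", "ip": "192.0.2.77"}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records and return them ordered by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, fail_threshold=5, fail_window=timedelta(minutes=15),
           travel_window=timedelta(hours=2)):
    """Apply three per-user correlation rules and return a list of alert dicts."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        recent_failures = []   # timestamps of failures still inside fail_window
        last_success = None    # previous successful sign-in, for the travel check
        for e in evs:
            t = _ts(e["ts"])
            # Drop failures that have aged out of the window before evaluating this event.
            recent_failures = [f for f in recent_failures if t - f <= fail_window]
            if e["result"] != "success":
                recent_failures.append(t)
                continue
            # Rule 1: a successful sign-in that did not complete MFA.
            if not e["mfa"]:
                alerts.append({"rule": "success_without_mfa", "user": user,
                               "ts": e["ts"], "ip": e["ip"]})
            # Rule 2: a burst of failures immediately followed by a success.
            if len(recent_failures) >= fail_threshold:
                alerts.append({"rule": "failures_then_success", "user": user,
                               "ts": e["ts"], "failures": len(recent_failures)})
            # Rule 3: successes from two countries closer together than plausible travel.
            if (last_success is not None
                    and last_success["country"] != e["country"]
                    and t - _ts(last_success["ts"]) <= travel_window):
                alerts.append({"rule": "impossible_travel", "user": user, "ts": e["ts"],
                               "from": last_success["country"], "to": e["country"]})
            recent_failures = []
            last_success = e
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_signins(SAMPLE_SIGNINS)):
        print(alert)
```

On the sample data this yields one impossible-travel alert for alice and two alerts for bob (a success without MFA, preceded by five failures). Thresholds such as the failure count and the travel window are tuning knobs; in a real deployment they would be set from the organisation’s own baseline rather than the assumed values above.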

6. Apply Conditional Access Policies

Conditional Access policies in Microsoft 365 allow you to control how users access resources based on certain conditions, such as location, device compliance, or risk level. While these policies are powerful, third-party tools can extend their functionality by offering more sophisticated risk assessments and the ability to enforce more granular access controls. 

For example, third-party solutions can enforce conditional access based on user behavior analytics, allowing you to dynamically adjust access rights based on real-time risk assessments.

7. Integrate Endpoint Detection and Response (EDR)

Endpoint Detection and Response (EDR) tools are essential for identifying and responding to threats on individual devices. While Microsoft 365 includes endpoint security features through Microsoft Defender, third-party EDR solutions can provide more comprehensive protection. 

These tools offer advanced threat hunting capabilities, automated incident response, and integration with other security tools to ensure that your endpoints are continuously monitored and protected against evolving threats.

8. Ensure Comprehensive Backup and Recovery

Data loss can occur due to various reasons, including ransomware attacks, accidental deletions, or hardware failures. While Microsoft 365 includes basic backup capabilities, third-party backup and recovery solutions can offer more robust protection. 

These tools provide more frequent backups, longer retention periods, and more flexible recovery options, ensuring that your data can be restored quickly and completely in the event of a disaster.

9. Implement Zero Trust Security Model

The Zero Trust security model operates on the principle of “never trust, always verify.” This approach assumes that threats can come from both inside and outside the network, and it requires continuous verification of user identities and access privileges.

While Microsoft 365 supports Zero Trust principles, implementing a full Zero Trust model often requires third-party tools that can enforce strict access controls, continuous monitoring, and micro-segmentation across your entire IT environment.

10. Conduct Regular Security Audits and Assessments

Regular security audits and assessments are essential to ensure that your Microsoft 365 environment remains secure. While Microsoft offers some auditing tools, third-party solutions can provide more in-depth assessments, including vulnerability scans, compliance checks, and penetration testing. 

These assessments help identify potential security gaps and provide actionable recommendations to improve your overall security posture.

Conclusion

Securing your Microsoft 365 environment requires a comprehensive approach that combines the platform’s built-in security features with additional protection from third-party tools. By implementing these strategies, you can create a robust defense against a wide range of cyber threats.

Remember, the goal is to create a layered security approach that addresses the unique challenges of your organization while ensuring that your Microsoft 365 environment remains secure, compliant, and resilient against evolving threats.

 

The post Comprehensive Threat Protection Strategies for Microsoft 365 Environments appeared first on Cybersecurity Insiders.

Cyber incidents are escalating in frequency and severity as hackers across the globe continuously seek vulnerabilities to exploit. They are looking for a way into your network so they can access your business’s most valuable assets. When attackers reach their goal, whether fully or partially—essentially when their attempts succeed—it indicates a failure of the security measures in place. It means the controls you had to protect against such attacks were either insufficient or ineffective.

As an organization under constant threat from malicious actors, safeguarding your data is crucial. Giving attackers an easy way in is not an option; you must take proactive steps to secure your information. The most effective approach begins with strengthening your organization’s internal controls. Enhancing these controls is vital, but understanding the roles of correlation, risk mapping, and mitigation is equally important.

What Makes an Internal Control Effective

Internal controls are measures your organization takes to defend your business from various risks. From a cybersecurity perspective, internal control refers to the technical or non-technical controls placed and implemented within your environment that protect your organization’s digital assets from unauthorized access, modification, or destruction.

There are three types of controls that should be implemented: Preventive, Detective, and Corrective.

Preventive controls aim to stop security incidents before they occur, Detective controls are designed to identify and alert you to potential threats as they happen, and Corrective controls focus on responding to and mitigating the damage after an incident has occurred. Together, these controls form a comprehensive defense strategy against cyber threats.

Preventive Controls

Preventive controls focus on stopping security issues before they happen. A strong internal controls strategy concentrates on preventing problems before they occur, acting as a shield against potential threats. These measures are crucial for reducing the chances of security incidents and protecting valuable information.

Here are some key preventive measures:

  • Firewalls act as a barrier, keeping your internal network safe from outside threats and stopping unauthorized access. 
  • EDR helps organizations respond quickly to cybersecurity incidents by detecting and mitigating threats on servers, desktops, laptops, and mobile devices.
  • Access control systems make sure that only the right people can reach sensitive information, based on their job roles.
  • Password policy is a non-technical control that is developed and enforced to ensure strong passwords are used and are regularly updated, making it harder for unauthorized users to get in.
  • Encryption protects data by scrambling it so that only those with the correct key can read it, keeping sensitive information safe.
  • User training programs educate employees about cybersecurity best practices, helping them spot and avoid potential threats.

Detective Controls

Once you have taken care of the preventive measures, the next step is to address the detective controls. These controls involve monitoring and analyzing data and information to identify any suspicious activity or patterns. They also include conducting thorough investigations into any incidents or breaches that occur. Crucially, these detective controls are instrumental for identifying security incidents in real-time, enabling a swift response to limit potential damage. Here are a few examples:

  • Intrusion Detection Systems (IDS): These tools keep an eye on network traffic for any suspicious activity and send alerts if someone tries to access the system without permission.
  • SIEM (Security Information and Event Management) collects logs from various devices in your environment and gives you an interface to monitor these logs and catch any unusual or unauthorized actions by users, allowing for quick identification of potential security issues.
  • Security Audits and Compliance checks are thorough reviews of internal controls and associated procedures to find potential gaps.

Corrective Controls

Lastly, corrective controls are crucial in mitigating the damage from security incidents and preventing their recurrence. These controls are implemented after an incident has occurred and aim to correct any exploited weaknesses or vulnerabilities. Corrective controls can also include forensics investigations to determine the cause of the incident and procedures for recovering from the incident and restoring systems to their previous state.

Key examples include:

  • System backups, which ensure that essential data and systems are regularly copied and stored, allow for quick restoration during a cyberattack or system failure. Backups ensure continuity of business operations and minimize incident impact.
  • Disaster recovery plans also contribute significantly, providing a clear roadmap for an organization’s recovery from significant security incidents or disasters, thereby maintaining smooth business operations. 
  • Incident response procedures outline the steps an organization will take to address security breaches, helping to minimize their impact and reduce the likelihood of future occurrences.

Some technological controls encompass aspects of all three control types. For example, Security Automation (SOAR, Security Orchestration, Automation and Response) primarily falls under Corrective controls but also has aspects of Preventive and Detective controls.

  • Corrective Control: SOAR automates the response to security incidents, helping to contain and remediate threats quickly after they are detected.
  • Detective Control: It also plays a role in identifying and analyzing threats through automated detection mechanisms.
  • Preventive Control: By integrating and automating security processes, SOAR can also help prevent threats by proactively addressing vulnerabilities and reducing the time it takes to respond to potential incidents.

How Does Correlation Improve Cybersecurity?

Correlating internal network traffic with external threat data is vital for any cybersecurity strategy. If you’re not doing it, you’re missing out on essential insights that could keep your organization safe. 

Collecting vast amounts of threat data won’t win the war on cybercrime. The real challenge is making sense of that data and turning it into actionable intelligence. That’s where threat intelligence and its correlation with internal data come in. It gives you a deeper understanding of your threat landscape, helps you spot new threats, and lets you assess the severity of those threats across all your threat intelligence feeds.

Threat intelligence usually comes in structured feeds filled with Indicators of Compromise (IOCs). These feeds often include additional context, such as the Tactics, Techniques, and Procedures (TTPs) used by the attackers, threat categories, and attribution.

Security monitoring and automation tools compare threat feeds against network logs. This can significantly cut detection and response times by identifying patterns and relationships in the data, helping you spot active attacks, prioritize significant threats, and adjust defenses to prevent future incidents.

When executed effectively, threat correlation offers a range of benefits, including more comprehensive coverage, better prioritization of threats, faster incident detection, and ongoing improvement of defenses.

Mapping and Mitigating the Risks 

Risk mapping is the process of identifying and visually representing potential threats to your organization. This helps you understand the likelihood and impact of different types of attacks. For instance, you might map out risks like phishing attacks, insider threats, or ransomware. By categorizing these risks, you can better assess which areas of your business are most vulnerable and require more robust protection.

Consider a scenario where ransomware is a significant concern for your organization. A risk map might highlight the critical systems and data most likely targeted. With this information, you can implement targeted defenses, such as enhanced encryption, regular backups, and user training focused on avoiding phishing emails that often deliver ransomware.

The most effective way to visualize risks is to assign a numeric value to each of your assets and use it to generate a numeric score for each threat. Then, use that score to handle the most important alerts and cases first.
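The two ideas above, correlating threat feeds with internal logs and then scoring each hit by the numeric value of the affected asset, are shown together in this added example (not code from the article or from any product it mentions). A constructed IOC feed of IP, CIDR and domain indicators is matched against constructed firewall and DNS log lines; each match is scored as asset value × feed confidence × a per-category weight, and the hits are returned highest-risk first. The feed entries, asset inventory, category weights, key=value log format and scoring formula are all assumptions made for the example; the TTP identifiers use MITRE ATT&CK notation and the IP ranges are documentation addresses, not real indicators.

```python
"""Added example: correlate constructed logs against a constructed IOC feed and rank hits
by the numeric value assigned to the affected asset. All data below is invented."""
from dataclasses import dataclass
import ipaddress
import re

# Constructed threat-intelligence feed: indicator -> context (category, ATT&CK TTP, confidence 0-100).
IOC_FEED = {
    "198.51.100.23": {"category": "c2", "ttp": "T1071.001", "confidence": 90},
    "203.0.113.0/24": {"category": "scanner", "ttp": "T1046", "confidence": 60},
    "login-portal.example.net": {"category": "phishing", "ttp": "T1566", "confidence": 80},
}

# Constructed asset inventory with a business value per asset (1-10), as the article suggests.
ASSETS = {
    "10.0.0.5": {"name": "erp-db", "value": 10},
    "10.0.0.22": {"name": "hr-laptop", "value": 6},
    "10.0.0.40": {"name": "guest-wifi-client", "value": 1},
}

# Relative weight per threat category (assumed values for the example).
CATEGORY_WEIGHT = {"c2": 1.0, "phishing": 0.8, "scanner": 0.3}

# Constructed firewall / DNS log lines in a simple key=value style.
LOG_LINES = [
    "2024-08-20T10:01:02Z fw allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-08-20T10:01:05Z fw allow src=10.0.0.40 dst=203.0.113.77 dport=22",
    "2024-08-20T10:02:11Z dns query src=10.0.0.22 qname=mail.login-portal.example.net",
    "2024-08-20T10:03:00Z fw allow src=10.0.0.22 dst=192.0.2.10 dport=443",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Hit:
    timestamp: str
    asset: str
    asset_value: int
    indicator: str
    category: str
    ttp: str
    score: float


def compile_feed(feed):
    """Split the feed into network indicators (IP or CIDR) and domain indicators."""
    nets, domains = [], []
    for indicator, ctx in feed.items():
        try:
            nets.append((ipaddress.ip_network(indicator, strict=False), indicator, ctx))
        except ValueError:
            domains.append((indicator.lower(), indicator, ctx))
    return nets, domains


def match_indicator(value, nets, domains):
    """Return (indicator, context) if value is inside an IOC network or is a listed domain
    (or a subdomain of one); otherwise None."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        name = value.lower().rstrip(".")
        for dom, indicator, ctx in domains:
            if name == dom or name.endswith("." + dom):
                return indicator, ctx
        return None
    for net, indicator, ctx in nets:
        if ip in net:
            return indicator, ctx
    return None


def correlate(log_lines, feed=IOC_FEED, assets=ASSETS, default_value=3):
    """Match dst / qname fields against the feed and rank hits by asset-weighted score."""
    nets, domains = compile_feed(feed)
    hits = []
    for line in log_lines:
        fields = dict(FIELD_RE.findall(line))
        timestamp = line.split(" ", 1)[0]
        src = fields.get("src")
        # Unknown source hosts get a conservative default value rather than being ignored.
        asset = assets.get(src, {"name": src or "unknown", "value": default_value})
        for key in ("dst", "qname"):
            if key not in fields:
                continue
            match = match_indicator(fields[key], nets, domains)
            if match is None:
                continue
            indicator, ctx = match
            weight = CATEGORY_WEIGHT.get(ctx["category"], 0.5)
            score = round(asset["value"] * ctx["confidence"] / 100 * weight, 2)
            hits.append(Hit(timestamp, asset["name"], asset["value"], indicator,
                            ctx["category"], ctx["ttp"], score))
    return sorted(hits, key=lambda h: h.score, reverse=True)


if __name__ == "__main__":
    for hit in correlate(LOG_LINES):
        print(hit)
```

Run on the sample lines, the ERP database talking to the C2 address scores 9.0 and lands first, the HR laptop resolving a phishing subdomain scores 3.84, and the low-value guest client touched by a scanner range scores 0.18; the fourth line matches nothing. The ordering is the point: the same indicator hit on a crown-jewel asset outranks it on a throwaway one, which is exactly what the asset-value inventory is for.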

Once risks are mapped, the next step is mitigation, i.e., taking action to reduce their potential impact. Mitigation strategies can vary depending on the type of threat and its severity. If your risk map identifies phishing as a high-priority threat, mitigation might involve several strategies:

  • Implementing email filtering to block suspicious messages
  • Conducting regular employee training to recognize phishing attempts
  • Enforcing multi-factor authentication to add an extra security layer for access to sensitive systems

Essential best practices for effective cyber risk mitigation are not just reactive measures; they are proactive steps toward understanding what needs to be protected. They start with inventorying and assigning a specific numeric value to all IT assets, such as systems, applications, data, and users. 

Mapping your attack surface is crucial for identifying weak points and potential breach areas. Continuously monitoring for vulnerabilities and prioritizing remediation based on risk is equally essential to stay ahead of threats.

Developing a strategy for early detection and swift recovery ensures business continuity in the face of incidents. Some key aspects include: 

  • Continuous monitoring and adaptation to changes in the threat environment, so that the proactive approach remains relevant and effective as new risks emerge.
  • A tightened internal control system, security training, and skilled personnel can bolster defenses. Employee security awareness is vital to long-term success. 
  • Finally, leveraging AI and automation to enhance efficiency and improve response times, creating a more robust cybersecurity framework.

The Bottom Line: Building a Strong Cybersecurity Ecosystem

Improving your organization’s cybersecurity requires a well-rounded strategy. Start by ensuring complete coverage of internal controls, focusing on prevention, detection, and correction. Connect your internal data with outside threat information to better understand and prepare for potential risks. 

Lastly, identifying risks and creating specific plans to manage them will strengthen your defenses, ensuring your security keeps up with changing threats. These steps will provide you with a solid framework for future cyber threats.

 

The post Enhancing Internal Controls: Correlation, Mapping, and Risk Mitigation appeared first on Cybersecurity Insiders.

One-time passwords (OTPs) have become a cornerstone of modern cybersecurity, offering an additional layer of protection for online accounts. However, as enterprises rely more heavily on OTPs to safeguard sensitive data and applications, attackers have also stepped up their efforts to bypass these defenses. The rise of mobile malware specifically designed to steal OTPs is a significant concern, and Zimperium’s zLabs team has been closely monitoring this alarming trend.

Since February 2022, zLabs researchers have tracked a large-scale, Android-targeted SMS stealer campaign. The team has identified over 107,000 malware samples, highlighting the persistence and sophistication of the attackers behind this campaign. This in-depth research reveals not only the technical complexity of the malware but also the deceptive strategies used to infect devices.

The infection process typically begins with the victim being tricked into sideloading a malicious application. This can happen through deceptive advertisements that mimic legitimate app stores or via automated Telegram bots that communicate directly with targets. Once installed, the malicious app requests SMS message read permissions, a high-risk permission on Android that grants access to sensitive personal data.

Next, the malware connects to its Command and Control (C&C) server, which orchestrates the attack by executing commands and collecting stolen data.

Once the connection is established, the malware begins its primary mission: harvesting OTPs. It silently monitors incoming SMS messages, intercepting OTPs used for account verification. This enables attackers to bypass security measures and gain unauthorized access to sensitive accounts and data.
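The infection chain above (a sideloaded app that asks for SMS read permissions and then reaches out to a C&C server) can be turned into a triage check. The following is an added example, not code from Zimperium or from the original post: it inspects a decoded AndroidManifest.xml for the permission and receiver combination an OTP stealer needs. The manifests and package name are constructed for the example; the permission and action names are the standard Android ones.

```python
"""Triage an Android manifest for the OTP-stealer permission pattern.

Added example (not Zimperium's code). Flags apps that can read or receive
SMS *and* reach the network, which is the minimum an OTP stealer needs to
intercept verification codes and ship them to a C&C server.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that expose incoming SMS (where OTPs arrive) to the app.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
NETWORK_PERMISSION = "android.permission.INTERNET"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR, "") for el in root.iter("uses-permission")}


def has_sms_receiver(manifest_xml: str) -> bool:
    """True if any <receiver> registers for SMS_RECEIVED broadcasts."""
    root = ET.fromstring(manifest_xml)
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR) == SMS_RECEIVED_ACTION:
                return True
    return False


def triage(manifest_xml: str, sideloaded: bool) -> dict:
    """Combine the indicators into a verdict and a list of findings."""
    perms = declared_permissions(manifest_xml)
    sms = perms & SMS_PERMISSIONS
    net = NETWORK_PERMISSION in perms
    receiver = has_sms_receiver(manifest_xml)
    findings = []
    if sms:
        findings.append("requests SMS permissions: " + ", ".join(sorted(sms)))
    if sms and net:
        findings.append("can read SMS and reach the network (exfiltration path)")
    if receiver:
        findings.append("registers a receiver for SMS_RECEIVED (live interception)")
    if sideloaded and sms:
        findings.append("sideloaded app with SMS access (matches the campaign pattern)")
    if sms and net and (receiver or sideloaded):
        verdict = "HIGH"
    elif sms:
        verdict = "MEDIUM"
    else:
        verdict = "LOW"
    return {"verdict": verdict, "findings": findings}


# Constructed sample manifests (package names are placeholders).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.fakeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(m, sideloaded=True))
```

A legitimate messaging app also declares these permissions, so the verdict is a triage priority, not proof of malice; the sideloading source and the C&C behaviour described above are what confirm it.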

The distribution methods for this malware campaign are particularly concerning. Attackers use a variety of deceptive tactics to lure victims into downloading and installing malicious software. These tactics include malicious advertisements that mimic trusted sources and Telegram bots that pose as legitimate services. By appearing trustworthy, these methods successfully trick users into compromising their devices. In one notable example, victims interact with Telegram bots when searching for unofficial or free Android applications. The bot requests the user’s phone number and then sends a customized malicious APK that embeds the phone number within it. This allows attackers to further target the victim and personalize their attacks, ultimately stealing and selling sensitive information for financial gain.

Zimperium’s zLabs researchers have observed several evolving techniques used to establish C&C channels. Initially, the malware leveraged Firebase for C&C connections, but attackers have since switched to using GitHub repositories to share C&C details. These repositories contain JSON files with URLs to the C&C servers. Additionally, GitHub is used to distribute malicious APKs, further demonstrating the attackers’ adaptability. Once the victim’s device registers with its configured C&C server, the malware begins stealing personal information, including SMS messages and phone details. This information is then transmitted to the C&C server, where it is collected and potentially sold or used for further attacks.

The scale of this malware campaign is staggering. zLabs researchers have discovered over 107,000 unique malware applications, indicating a prolific campaign targeting a vast number of global victims. Most of these samples (over 95%) are unknown or unavailable in common repositories, highlighting the attackers’ ability to evade detection. The campaign has targeted OTP messages across over 600 global brands, affecting users in 113 countries, with Russia and India being the primary targets. Researchers identified 13 C&C servers used to steal and leak SMS messages from victim devices and linked a vast network of roughly 2,600 Telegram bots to this campaign.

While the exact motives behind this campaign remain unclear, financial gain is a likely driver. zLabs researchers uncovered a connection between a website, fastsms.su, and one of the malware samples. This site offers a range of services for a fee, including phone numbers and OTP interception. The use of cryptocurrency as a payment method further supports the financial motive, as it helps conceal the attackers’ identities.

The proliferation of mobile malware designed to steal OTPs poses a significant threat to both individuals and organizations. The sheer scale and sophistication of this campaign underscore the need for robust enterprise mobile security solutions. Zimperium’s Mobile-first platform is ideally suited to protect against these evolving threats. By leveraging machine learning, behavioral analysis, and deterministic techniques, Zimperium’s platform ensures comprehensive threat detection and mitigation, helping organizations stay one step ahead of cybercriminals. Sophisticated campaigns like this one introduce a variety of security risks that can be mitigated with a comprehensive Mobile Threat Defense (MTD) solution. Proactive measures, such as those offered by Zimperium, are essential for understanding risk exposure and protecting sensitive information from evolving, polymorphic malware campaigns. All customers who have deployed Zimperium’s MTD solution are protected from this dangerous and evolving malware campaign, ensuring their devices and data remain secure.


The post The Growing Threat of OTP-Stealing Malware: Insights from Zimperium’s zLabs appeared first on Cybersecurity Insiders.

Security Information and Event Management (SIEM) technology has come far over the past two decades. SIEM is a critical part of threat detection and response in a world where Gartner identifies the challenge of managing security exposures in a constantly evolving threat environment as a top 2024 cyber security trend. The promise of SIEM is the ability to accurately identify early signs of a cyber attacker’s activity, understand its impact, and provide actionable insights for mitigation. Many challenges, including recent M&A activity, have delayed this promise. So, how can we overcome these challenges to realize the benefits of SIEM effectively?

The Role of SIEM 

The category, coined by Gartner in 2005, covers the gathering, analysis, and presentation of network and security information, external threat data, and vulnerability management data. While SIEMs are often used to meet compliance mandates for centralized log monitoring, their capabilities extend to enhancing threat coverage and security operations. 

In today’s dispersed networking environment, including remote users, cloud infrastructure, and Software-as-a-Service applications, SIEMs must be more than a means of organizing security events from perimeter defense tools. A comprehensive SIEM can be looked at as a toolbox through which other security technologies become more effective. With complete insight, presented clearly and straightforwardly, security analysts can make informed decisions about their organization’s security. 

A Closer Look: The Threat Landscape and a Shift in SIEM 

IT environments are ever-changing. As threat actors become more sophisticated, so does the challenge of finding hidden exploitable vulnerabilities that expose organizations to successful intrusion, with consequences ranging from ransomware to data exfiltration and botnet infestation. When left unchecked, these vulnerabilities can have significant repercussions. Driven by financial and political gain, cybercriminals are constantly innovating and sharing their tools. According to the Verizon 2024 Data Breach Investigations Report, 14% of breaches involved the exploitation of vulnerabilities as an initial access step, almost triple the amount from the 2023 Report. Another recent report cited that three in four companies were at risk of a material cyberattack, and in 2024, cybercrime will cost the US more than $452 billion.

Impacts of SIEM Market Consolidation

In an industry that requires constant innovation to keep a level playing field with attackers, the recent market consolidation challenges security analysts. Two SIEM providers are merging, and two more SIEM companies were acquired this year alone. Security analysts were already overworked and facing ‘alert fatigue,’ and to make matters worse, they are now navigating new vendor contacts, contracts, and possible product sunsets and migrations. While these customer-facing disruptions may last for the next two years, the SIEM market is still dynamic, with organizations, such as the mid-enterprise, often seeing the benefits of SIEM for the first time. 

Delivering on The Promise of SIEM  

If the promise of SIEM is the ability to accurately identify early signs of an attacker’s activity, understand its impact, and provide actionable insights for mitigation, how do we overcome the market interference and evolving threat landscape to realize these benefits? Through constant innovation. 

Innovation does not always equate to more product releases or more feature sets; it means delivering new ways to solve problems, such as:

  • Improving the analyst experience and usability through intuitive workflows to create positive experiences for overworked security analysts
  • Collaborating with partners with like-minded goals and integrating with other systems and technologies to establish a comprehensive defense strategy
  • Applying breakout technologies, such as GenAI and machine learning, where applicable, to augment the security analyst (not replace)
  • Automating steps to remove the obstacles that impede meeting security and compliance objectives

While the SIEM market has served us for almost two decades, SIEM technology continues to mature and evolve. In a market heavy with distraction, it’s key to keep finding ways to innovate toward delivering SIEM’s intended promises.


The post The SIEM Market is Ripe with Consolidation, But are We Delivering on its Intended Security Promise? appeared first on Cybersecurity Insiders.

While it’s true that most businesses understand the importance of identity security, the sector has evolved considerably in recent years. Five years ago, remote work was relatively rare; now it’s practically the norm. What’s more, a growing number of businesses are turning to third-party providers for critical services like workforce management, cybersecurity, and dozens of other services. This is all powered by Software-as-a-Service (SaaS) and Secure Access Service Edge (SASE) adoption. As cloud (and multicloud) environments become increasingly common and businesses open their application infrastructure up to a growing number of third parties, the number of identities in use has also grown exponentially.

A rising percentage of these identities that are taking on more prominent roles can be classified as machine identities. As more and more processes become automated, they need to be able to talk to one another using viable credentials. Cloud applications, robotic process automation (RPA) solutions, service accounts that are used to access servers and databases, and countless other nonhuman entities need identities of their own in order to communicate effectively and function correctly. Applications need to share and access data. Cloud workloads need to start up and shut down. The modern digital landscape is extremely dynamic—a big change from older, more monolithic servers. There are often thousands of containerized workloads present within a system, rather than a single program. This has dramatically increased the number of identities in use. The volume of identities in use today and the scope of the security threats that businesses face mean automation isn’t just helpful: it’s mandatory. 

The other half of this equation is the fact that data generated by (and accessed by) these identities has also exploded. Even ordinary user identities now have more complex data access needs, with the line between “sensitive” and “non-sensitive” data becoming increasingly muddied. The ability to manage access across both structured and unstructured data has become essential. Traditionally, many organizations simply ignored the problem of data access, instead focusing exclusively on application access. But ultimately, it’s data that needs to be secured—and turning a blind eye is no longer an option. 

Understanding the Threat to Identity 

What makes identities particularly vulnerable right now? For starters, while businesses increasingly recognize that attackers are targeting identities, there are still relatively few protections in place. Malware detection solutions have become extremely adept, which has made it harder for attackers to use traditional attack vectors. That’s a good thing—but it has forced attackers to look for other ways to break into their victims’ environments. Many do this by exploiting identities, and it’s easy to understand why: any security or IT professional will tell you that human beings are the weakest point in any system. It’s a lot easier to trick someone into handing over their username and password than it is to evade modern malware detection solutions. Think of it like stealing a key instead of breaking a window. An attacker who gains access using a legitimate identity will be a lot harder to detect than one who breaks in. 

This isn’t just idle speculation. The most recent Verizon Data Breach Investigations Report (DBIR) highlights the fact that 68% of breaches involve a non-malicious human element, such as an employee falling victim to a social engineering attack. The report also notes that stolen credentials have played a role in 31% of all breaches over the past 10 years—and last year alone, they were present in 38% of breaches. These findings underscore the fact that attackers have zeroed in on identities as a vulnerability they can easily exploit. Phishing attacks are becoming increasingly effective (especially as attackers leverage generative AI tools to craft more convincing emails), and as security tools become better at recognizing and blocking malicious attachments, attackers are instead tricking users into giving away their own information. According to the DBIR, it takes the average phishing victim just 28 seconds to enter the requested data after falling for a scam, and just 20% of users successfully identify and report phishing emails. Those are worrying numbers. 

It’s worth noting that there are relatively simple solutions like multifactor authentication (MFA) that make it significantly more difficult for attackers to use compromised credentials. Yet while organizations understand the value of MFA, relatively few of them are using it. In fact, an alarming number of big businesses—including those in highly regulated industries—operate without MFA. Unfortunately, organizations can often be distracted by innovative new security solutions when they would be better served by shoring up their fundamentals. Failing to prioritize straightforward solutions like MFA makes attackers’ lives easier and gives them an unnecessary advantage.

Ransomware and Supply Chain Attacks Still Reign Supreme

Of course, social engineering is far from the only identity-related attack vector today’s adversaries use. Ransomware continues to dominate the attack landscape, and threat actors regularly leverage compromised identities to elevate their own privileges and gain access to more important systems (such as those associated with data backups). Far too many organizations today prioritize easy internal access over security, overprovisioning identities with more entitlements than they actually need. This makes an attacker’s job painless, allowing them to move laterally throughout the network, often undetected, accessing (and encrypting or stealing) a broad range of data. The more lax an organization’s entitlement policies, the more information an attacker will have access to—and the more damaging a breach is likely to be. 

Third-party attacks also continue to make headlines across nearly every industry. The SolarWinds breach was a wake-up call for many organizations, driving home the far-reaching impact that supply chain attacks can have. In the years since that incident, attacks on companies like Okta and MOVEit have only further highlighted the danger. Today’s businesses don’t just need to worry about their own identities—they need to worry about their partners, vendors, SaaS providers, and others, too. A single compromised identity with just a little too much access can cause serious problems—not just for you, but for your entire partner ecosystem. At a time when the average cost of a data breach is nearly $10 million in the US, the need for strong identity security has never been felt more keenly. 

Automation Is an Essential Part of Modern Identity Security 

Manual identity management might have been possible at one point—but those days are long gone. Doing so would require spreadsheets with hundreds of thousands of records, correlated across entitlements from every system. Microsoft Excel maxes out at one million rows—and you’d need at least that many to manage all the identities and entitlements at even a modest-sized company. And that doesn’t even factor in the personnel resources that would be required to keep track of identities and permissions across the organization. It might take a dozen people weeks or months just to catalog all of the identities in use—and by the time they were done, the information would be outdated anyway. The modern digital landscape moves quickly, and that means identities need to be managed in real time if organizations want to adequately protect themselves. 

Fortunately, cybersecurity automation has come a long way in a relatively short span of time. Today’s organizations don’t need to rely on diligent employees manually managing their identities—modern solutions can seamlessly identify and correlate identities and entitlements in a fraction of the time (and without the pesky challenge of human error). What’s more, they can do it instantly, monitoring how identities behave and what data they typically access, allowing them to eliminate unused permissions or recommend adding additional permissions where appropriate. This helps ensure that organizations adhere to the “principle of least privilege,” granting identities only the minimum access they need to perform their essential functions. That means that if an identity is compromised by an attacker, that attacker will only be able to access the systems essential to that identity’s function. This makes it significantly more difficult for attackers to move throughout a network, limiting the potential damage they can inflict in an attack.

The ability to learn what “normal” behavior looks like for identities also helps organizations identify anomalies or potential attack activity. Modern identity solutions can notify security personnel if an identity repeatedly attempts to access unauthorized systems or data, or if an identity is provisioned outside the standard process. This makes it difficult for attackers to operate unnoticed, even when they gain access using legitimate user credentials. In today’s threat landscape, perimeter protections aren’t enough, and a robust identity solution cannot stop monitoring identities at the moment of access. Instead, it needs to monitor how those identities behave over time: what systems and data they access, when they access it, and from what location. The result is a real-time identity management system that can grant access privileges in a responsive and dynamic manner while also identifying potential attack activity as it occurs.
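The two previous paragraphs describe least-privilege clean-up (revoking entitlements an identity never uses) and behavioral anomaly detection (repeated denied access, access from a new location, provisioning that bypassed the standard process). The following is an added example, not code from any vendor or from the original post, showing both over a constructed access log; the log lines, identity names, system names and change-ticket ids are all made up for the example.

```python
"""Least-privilege review and identity anomaly detection over an access log.

Added example, not a product's code. Builds a per-identity baseline from a
learning window, recommends revoking entitlements never exercised in that
window, and flags repeated denials, access from a new location, and
provisioning without a change ticket. All data below is constructed.
"""
from collections import Counter, defaultdict

# Constructed access log: (ISO timestamp, identity, system, outcome, source country)
ACCESS_LOG = [
    ("2024-08-01T09:02", "alice", "crm", "ALLOW", "US"),
    ("2024-08-01T09:40", "alice", "crm", "ALLOW", "US"),
    ("2024-08-02T10:15", "alice", "crm", "ALLOW", "US"),
    ("2024-08-02T11:00", "svc-etl", "warehouse", "ALLOW", "US"),
    ("2024-08-03T02:10", "svc-etl", "warehouse", "ALLOW", "US"),
    # After the baseline window: repeated denials and a new location.
    ("2024-08-05T23:50", "alice", "backup-admin", "DENY", "RO"),
    ("2024-08-05T23:51", "alice", "backup-admin", "DENY", "RO"),
    ("2024-08-05T23:52", "alice", "backup-admin", "DENY", "RO"),
    ("2024-08-05T23:55", "alice", "crm", "ALLOW", "RO"),
]

# Entitlements as provisioned: what each identity is allowed to touch.
ENTITLEMENTS = {
    "alice": {"crm", "hr-db"},
    "svc-etl": {"warehouse", "payroll-db"},
    "svc-ghost": {"warehouse"},
}

# Provisioning records: identity -> change ticket (None = no ticket on record).
PROVISIONING = {"alice": "CHG-0001", "svc-etl": "CHG-0002", "svc-ghost": None}


def build_baseline(log, baseline_until):
    """Systems and countries seen per identity in ALLOWed events before baseline_until.

    ISO-8601 timestamps compare correctly as strings, so no parsing is needed.
    """
    used = defaultdict(set)
    countries = defaultdict(set)
    for ts, ident, system, outcome, country in log:
        if ts < baseline_until and outcome == "ALLOW":
            used[ident].add(system)
            countries[ident].add(country)
    return used, countries


def unused_entitlements(entitlements, used):
    """Entitlements never exercised in the baseline window: revocation candidates."""
    result = {}
    for ident, ents in entitlements.items():
        unused = ents - used.get(ident, set())
        if unused:
            result[ident] = unused
    return result


def detect_anomalies(log, baseline_until, entitlements, provisioning, deny_threshold=3):
    """Alerts for events after the baseline window plus provisioning gaps."""
    used, countries = build_baseline(log, baseline_until)
    alerts = []
    denies = Counter()
    for ts, ident, system, outcome, country in log:
        if ts < baseline_until:
            continue
        if outcome == "DENY":
            denies[(ident, system)] += 1
            if denies[(ident, system)] == deny_threshold:  # alert once per pair
                alerts.append(f"{ident}: {deny_threshold} denied attempts on {system}")
        elif ident in countries and country not in countries[ident]:
            alerts.append(f"{ident}: access to {system} from new location {country}")
    for ident in entitlements:
        if provisioning.get(ident) is None:
            alerts.append(f"{ident}: provisioned outside the standard process (no change ticket)")
    return alerts


if __name__ == "__main__":
    used, _ = build_baseline(ACCESS_LOG, "2024-08-05")
    print("revoke:", unused_entitlements(ENTITLEMENTS, used))
    for alert in detect_anomalies(ACCESS_LOG, "2024-08-05", ENTITLEMENTS, PROVISIONING):
        print("ALERT", alert)
```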

The First Steps Toward Strong Identity Management

One of the great things about improving identity security is that you don’t need to do everything at once. Every small step in the right direction can make the organization more secure and resilient against today’s attackers. One of the first (and most crucial) steps an organization can take is to implement multifactor authentication (MFA). No, MFA isn’t perfect, and yes, determined attackers can find ways to circumvent it. But it’s important to remember that what attackers usually want is an easy score—and adding additional friction can often prompt them to seek out a different target. It may sound simple, but it’s critical—and effective. Security awareness training also goes a long way. It’s not enough on its own (people still make mistakes, after all), but educating users on basic digital hygiene can help them not only understand how to protect themselves better, but also understand why it’s important. 

Finally, implementing a truly modern identity solution is critical. Not so long ago, identity management solutions had a reputation for being difficult and time-consuming to implement, leading many organizations to drag their feet. That is no longer the case, and it hasn’t been for a while. Thanks to modern automation capabilities powered by AI and machine learning, the process of inventorying systems and users and correlating their access needs across the organization can be completed extremely quickly. Modern solutions can quickly identify birthright roles and demonstrate where there are opportunities to safely add or remove privileges. This can significantly reduce the time to value for organizations, especially at a time when the cyber labor shortage is causing headaches across many industries. Automation can also address the tedious process of integrating applications into the identity solution (referred to as onboarding), significantly reducing time to value.

It’s increasingly important to make sure identities can securely access the systems and data they need, and today’s identity solutions streamline the implementation process to deliver new efficiencies quickly. It’s not just about security anymore—modern identity management offers clear productivity gains as well. 

Identity Security Means Safer Data, Greater Productivity 

Attackers are smart. They understand that identities are vulnerable, and that poor identity management can allow them to leverage a single compromised identity into a significant breach. But today’s organizations don’t need to do it alone. Identity management and security solutions have come a long way over the past several years, automating the process of discovery and allowing organizations to keep up with evolving access and entitlement needs effectively in real time. What’s more, these solutions can monitor for suspicious activity from existing identities, enabling organizations to more reliably and accurately detect and remediate attacks in progress. By modernizing their approach to identity management and security, organizations are able to not only keep their data safer than ever, but enable exciting new productivity gains as well.  


The post Modernizing Identity Security Amid an Evolving Threat Landscape appeared first on Cybersecurity Insiders.

The expectation of cyberattacks targeting the Olympic Games was widespread. Earlier this year, Mandiant released a report identifying likely attackers as nation-state-affiliated groups from Russia, China, North Korea, and Iran. Cisco anticipated an eightfold increase from the 450 million cyberattacks that Japan’s capital faced in 2020/21. While the accuracy of these projections and their counting methods can be debated, significant cyberattacks on the Games were indeed expected. As the Games now draw to a close, where do we stand?

So far, only a few major incidents have been recorded. These include a ransomware attack on a Parisian museum, an attempted sabotage of the rail network that slightly disrupted travel schedules, and a coordinated attack against the fiber network. The Games have also had to contend with two other significant risks: hacktivism, primarily through denial-of-service attacks, and cyber fraud, including phishing and social engineering targeting brands associated with the Games. More than 338 websites selling fake tickets have been identified so far. In total, 68 cyberattacks have been recorded since the start of the Olympic Games.

The ransomware attack on the museum’s shops had no direct impact on the Games. It was carefully timed to occur over a weekend when cybersecurity defense operations were presumably understaffed. However, the 15-member cybersecurity team successfully averted a crisis. The Games have closely collaborated with France’s ANSSI (National Cybersecurity Agency) to protect against such threats.

On May 13, in the buildup to the Games, the Police Prefecture, albeit well-intentioned, inadvertently highlighted potential gaps in the Games’ security preparation through a press release. The announcement of an online platform to generate QR codes for access to the Olympic perimeter caused public confusion and emphasized the need to strengthen security awareness and communication. The introduction of QR codes has, naturally, opened avenues for phishing and social engineering, although no significant incidents have been reported thus far.

If the Olympic Games conclude without a major incident, it will be considered a success, especially given the history of the Games, which is fraught with incidents and attacks. The tragic assassination of participants during the Munich Games in 1972 remains a stark reminder of the vulnerabilities that such high-profile events face. Despite their image as a global and peaceful gathering, the Games have always been a stage for political tensions, with athletes from conflicting nations competing peacefully.

The French have meticulously prepared for these Games. In 2022, the French agency ANSSI was assigned the mission of securing organizations involved in the planning and implementation of the Games. Serving as the single point of contact, ANSSI coordinates a civilian task force known as the National Coordination for the Security of the Olympic Games and Other International Sporting Events (CNSJ). Collaborating with over 700 organizations, the agency has focused on protecting the Games through a five-fold strategy: enhancing cyber threat intelligence, securing digital infrastructure, protecting sensitive data, raising awareness about cyber risks and threats, and preparing an incident response plan. This comprehensive approach included an extensive awareness campaign, the provision of best practices and guiding principles, and even a free security exercise kit.

The Olympic Technology Operations Center (TOC) has performed commendably so far. However, it won’t be until after the Games that we fully understand the extent of what may have been happening behind the scenes, beyond the 68 averted attacks that have been communicated. In Tokyo, organizers identified 400 potential attacks. Although the Paris Games are not over yet, all involved stakeholders—including the IOC, COJOP, ANSSI, Orange, Cisco, and Atos—have collaborated effectively to ensure the Games’ security.

Sources

Infosecurity Magazine | How France is Protecting the 2024 Olympics from Unprecedented Cyber-Attacks

The Connexion | Paris Olympics ticket scams: 338 websites identified for resale fraud 


The post The Olympic Games have been protected from cyber-attacks so far appeared first on Cybersecurity Insiders.

Proxmox VE is mainly suitable for small and medium-sized organizations that require advanced virtualization capabilities but have limited budgets. Proxmox VE is an open-source solution with particular advantages and disadvantages. On one side, it offers flexibility and adaptability that allow you to build an efficient environment according to your needs. However, the advanced configuration and maintenance requirements can make it challenging to achieve the desired performance, compatibility, and security. 

The data that organizations process and store on Proxmox VMs can be critical to production and revenue. Additionally, that data can fall under compliance and legal protection requirements. Organizations can face financial fines and reputational damage in case of an IT incident leading to the loss of such data. Implementing a Proxmox backup solution and ensuring reliable VM data protection is key to avoiding such disasters, supporting production continuity, and generating stable revenue. 

NAKIVO, a leader in data protection and disaster recovery solutions, has announced the recent release of NAKIVO Backup & Replication v10.11.2, featuring an advanced backup solution for Proxmox environments. You can try the free version and benefit from the Proxmox agent-based backup solution without any additional cost until the end of 2024. 

Read on to explore the main challenges to consider when integrating Proxmox backups into your environment. 

Proxmox Backup Challenges

Proxmox Backup Server, the native backup and recovery solution for Proxmox VMs, can perform backup management, data deduplication, and encryption via its web-based interface and CLI to provide data protection, replication, and recovery. However, the tool has some limitations that push users to consider alternative solutions. 

Backup tiering 

The IT industry standard for backup data reliability is the 3-2-1 rule, which requires at least three (3) copies of the data, stored in two (2) different repositories, one of which is offsite or in the cloud. Proxmox Backup Server allows users to configure cloud backup synchronization, but the process involves manual setup. This process is prone to human error even before the first workflow is initiated. 

Additionally, the overall level of native Proxmox backup automation can be insufficient for organizations with large data assets. In some cases, you can successfully tier backups after spending some time studying Proxmox’s extensive knowledge base. However, you may want your in-house IT specialists to focus on production instead.

Ransomware resilience 

Nowadays, hackers target backups along with production data when planning cyberattacks, which makes anti-ransomware protection of backup copies critical. Although Proxmox Backup Server offers some options for securing backup data, configuring immutability for PBS to protect backups can require advanced knowledge and third-party integrations. This extends the supply chain, may lead to compatibility issues, and can further complicate your environment.

Multi-platform support

Proxmox Backup Server is a native solution designed to enhance data protection in Proxmox VE infrastructures and Linux-based machines in general. If you build a homogeneous Proxmox-based virtualization system, this can work well. But when your production environment spans multiple platforms, numerous issues might arise. 

If the native VM backup solution by Proxmox doesn’t suit you due to limited backup tiering flexibility, platform limitations, or security concerns, finding an efficient and user-friendly alternative can be the best option.

The Proxmox VE Backup Solution by NAKIVO

With the backup solution from NAKIVO, you can create fast and efficient backups to protect Proxmox VM data and implement one of the essential points of a disaster recovery plan. The Proxmox agentless backup is currently in development. 

Integrating NAKIVO’s Proxmox backup solution into your infrastructure provides the following benefits: 

  • Fast, automated, incremental, and app-aware Proxmox backups that you can run by schedule and on demand.
  • Centralized web-based interface to maintain and monitor data protection workflows across your infrastructure. 
  • Onsite, offsite, cloud, and NAS storage options for backup tiering. 
  • Backup immutability and encryption for better security and ransomware resilience. 
  • Flexible recovery options to achieve tight RPO and RTO.

Fast operation, reliability, and qualified support are the main reasons customers choose NAKIVO. In addition, the solution is affordable: subscription licenses start at $2.50 per workload/month; perpetual licenses start at $58 per VM.

Benefits 

With the NAKIVO solution, you can ensure high-level automation of your data protection processes. NAKIVO Backup & Replication is designed with deployment and configuration simplicity in mind. You can easily install the solution and run the first Proxmox backup. 

You can also use the advanced set of features to optimize storage space and boost performance. Schedule and complete incremental Proxmox backups, dynamically balance the available network resources, and shorten backup windows using deduplication. By managing the available hardware resources and efficiently utilizing storage space, you can further reduce the total cost of your Proxmox backup system.

Initial Configuration

NAKIVO Backup & Replication uses agent-based backup and recovery. The agentless backup functionality is in development, with the release scheduled for later in 2024. To start integrating advanced data protection workflows into your Proxmox environment, you can use a Proxmox VM running Ubuntu Linux to deploy the solution and set up the onboard backup repository.

Check NAKIVO’s user guide for more installation instructions. You have local, shared, and cloud datastore options that you can use to tier backup repositories and enhance the system’s resilience. 

After that, add Proxmox virtual machines to the inventory in NAKIVO Backup & Replication. Note that you need to add Proxmox VMs as physical machines. Now you can create a backup job. Check this guide for additional Proxmox backup and recovery instructions.

Conclusion

NAKIVO Backup & Replication provides agent-based, incremental, and app-aware Proxmox backup. You can simplify both backup and recovery configuration and processes and configure the set of security features for optimal system performance. Lastly, you should apply the virtual machine backup best practices to enhance the resilience of your data and ensure the availability of your Proxmox environment.


The post Proxmox Backup by NAKIVO: Powerful VM Data Protection appeared first on Cybersecurity Insiders.

A recent study revealed that employees typically download around 30GB of data monthly from SaaS applications to their devices, including mobile phones, laptops, and desktops. This high volume illustrates the large amounts of unsecured data flowing across networks and devices, underscoring the critical need for advanced data protection measures. 

To ensure end-to-end protection, security analysts need to employ advanced, all-encompassing data protection measures. This can be done by utilizing technology that addresses all critical aspects of data movement and handling, the “Who, What, Where, and How” of data’s origin. Capabilities like origin-based data identification, manipulation detection, and data egress controls allow security analysts to effectively monitor and manage data throughout its entire lifecycle, ensuring protection across all endpoints. However, the benefits of advanced data protection go beyond simply securing data in motion.  

In the age of AI, employees can access a world of different Generative AI (GenAI) platforms with just a single click. Although convenient, many employees don’t recognize or understand the potential threats caused by inputting sensitive data into GenAI platforms. As a result, modern solutions that prevent unauthorized sharing of sensitive information are a necessity given today’s cyberthreat landscape. 

A recent survey highlights a troubling trend in unauthorized SaaS application usage among organizations. Key findings show that a staggering 73% of security professionals admitted using non-approved SaaS apps, with significant risks such as data loss (65%) and data breaches (52%) cited among the top concerns. Despite this awareness, only 37% have established clear policies to address these risks, revealing a significant gap in security governance that urgently needs addressing to prevent serious compliance and security issues.  

There are numerous DLP solutions available in today’s market, but not every solution accounts for the evolving data security risks security teams face daily. Next DLP’s recent announcement of Secure Data Flow, a feature within the Reveal Platform, paves the way for high-performance risk detection and protection capabilities, streamlining data management, improving data sensitivity recognition, and reducing ongoing content inspection costs. Next-gen DLP solutions such as this have the capabilities to identify and track data through its entire lifecycle from origin to egress. By analyzing data’s origin and content, these platforms can block data from traveling to external locations or networks.

Focusing on data lineage enables companies to enhance their cybersecurity strategies by precisely identifying and monitoring high-risk employee groups or individuals. This targeted approach not only allows for the early detection of potential data exfiltration activities but also aids in tracing the flow of data across the organization. For example, this can look like monitoring employee activity following a reduction in force (RIF) by detecting and immediately flagging suspicious actions. Or, for instance, consider a disgruntled employee following a return-to-office mandate.

Whatever the instance, Secure Data Flow tracks an employee downloading IP, renaming files, or archiving data to then exfiltrate that data into a personal Shadow SaaS service or application. 
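The download, rename, archive, upload chain described above is essentially a lineage-tracking problem: the detector must remember where a file's bytes came from and carry that origin forward through every local transformation, so that the final upload can be judged by the data's origin rather than by the file name it happens to have at that moment. The following is an added illustration of that logic, not code from Next DLP or the Reveal Platform. It assumes a simplified endpoint event schema (download, rename, archive, upload), a constructed list of sample events, and two assumed domain lists: corporate origin systems that hold intellectual property and an allow-list of sanctioned upload destinations.

```python
"""Toy data-lineage tracker: follows a downloaded file through renames and
archiving and flags uploads of corporate-origin data to unsanctioned places.
Added example with constructed events; the event schema and domain lists are
assumptions, not a real product's API."""
from dataclasses import dataclass, field

# Assumed systems whose downloads count as corporate intellectual property.
CORPORATE_SOURCES = {"sharepoint.example.com"}
# Assumed allow-list of destinations an employee may upload to.
SANCTIONED_DESTINATIONS = {"sharepoint.example.com", "drive.corp.example.com"}

# Constructed sample endpoint telemetry (one user exfiltrates via rename + zip,
# one uploads to a sanctioned drive, one uploads non-corporate data).
EVENTS = [
    {"ts": 1, "user": "alice", "action": "download", "path": "/home/alice/roadmap.docx",
     "source": "sharepoint.example.com"},
    {"ts": 2, "user": "alice", "action": "rename", "path": "/home/alice/roadmap.docx",
     "new_path": "/home/alice/notes.docx"},
    {"ts": 3, "user": "alice", "action": "archive", "path": "/home/alice/notes.docx",
     "new_path": "/home/alice/misc.zip"},
    {"ts": 4, "user": "alice", "action": "upload", "path": "/home/alice/misc.zip",
     "destination": "personal-cloud.example.net"},
    {"ts": 5, "user": "bob", "action": "download", "path": "/home/bob/report.pdf",
     "source": "sharepoint.example.com"},
    {"ts": 6, "user": "bob", "action": "upload", "path": "/home/bob/report.pdf",
     "destination": "drive.corp.example.com"},
    {"ts": 7, "user": "carol", "action": "download", "path": "/home/carol/cat.jpg",
     "source": "images.example.org"},
    {"ts": 8, "user": "carol", "action": "upload", "path": "/home/carol/cat.jpg",
     "destination": "personal-cloud.example.net"},
]


@dataclass
class Lineage:
    origins: set = field(default_factory=set)   # systems the bytes originally came from
    chain: list = field(default_factory=list)   # readable history for the analyst


def track_lineage(events):
    """Replay time-ordered events; return one alert per lineage-violating upload."""
    lineage = {}   # (user, current local path) -> Lineage
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["path"])
        action = ev["action"]
        if action == "download":
            rec = lineage.setdefault(key, Lineage())
            rec.origins.add(ev["source"])
            rec.chain.append(f"download {ev['path']} from {ev['source']}")
        elif action in ("rename", "archive"):
            rec = lineage.pop(key, None)
            if rec is None:
                continue   # no tracked origin for this file; nothing to carry forward
            new_key = (ev["user"], ev["new_path"])
            # An archive may absorb several files, so merge origins instead of replacing.
            target = lineage.setdefault(new_key, Lineage())
            target.origins |= rec.origins
            target.chain += rec.chain + [f"{action} {ev['path']} -> {ev['new_path']}"]
        elif action == "upload":
            rec = lineage.get(key)
            if rec is None:
                continue
            corporate = rec.origins & CORPORATE_SOURCES
            # Judge by origin, not by the current file name or extension.
            if corporate and ev["destination"] not in SANCTIONED_DESTINATIONS:
                alerts.append({
                    "user": ev["user"],
                    "destination": ev["destination"],
                    "origins": sorted(corporate),
                    "chain": rec.chain + [f"upload {ev['path']} to {ev['destination']}"],
                })
    return alerts


if __name__ == "__main__":
    for alert in track_lineage(EVENTS):
        print(alert["user"], "->", alert["destination"], "origins:", alert["origins"])
        for step in alert["chain"]:
            print("   ", step)
```

Only the first user trips the rule: the zip uploaded to the personal cloud carries the SharePoint origin through both the rename and the archive step, so the alert includes the full four-step chain an analyst would need for the investigation. The second user uploads corporate data to a sanctioned destination, and the third uploads a file that never had a corporate origin, so neither produces noise. A real implementation would key lineage on file content hashes or platform-specific file identifiers rather than paths, since paths alone are easy to lose across copies.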

It’s crucial to recognize that not all insider risks and data loss incidents stem from intentional malice. In many instances, employees may inadvertently create security risks in their pursuit of efficiency, for instance by downloading intellectual property or sensitive data from corporate repositories and uploading it to personal or unsanctioned GenAI and shadow SaaS solutions to enhance job performance.

With the latest capabilities, data loss and insider risk solutions are designed to coach employees on handling sensitive information. By educating employees, reinforcing good behavior, and providing continuous feedback and training, this approach helps foster a culture of security within the company. This reduces the likelihood of insider threats by making employees more knowledgeable and vigilant about data protection. 

With the right technology, security teams can: 

  • Achieve Comprehensive Data Tracking: Advanced data protection enables organizations to secure critical business data not only during transit but also at rest and in use within SaaS applications. Comprehensive tracking capabilities ensure that sensitive information remains protected regardless of its location or state, whether stored in cloud environments or accessed from mobile devices and desktops. By monitoring data flows across the entire ecosystem, security teams gain visibility into how data moves within and outside the organization, facilitating proactive risk management and compliance with data privacy regulations.
  • Enhance Data Protection: Organizations can effectively safeguard their intellectual property, proprietary information, and other sensitive data from potential loss, leakage, or theft. Advanced data protection solutions leverage encryption, access controls, and data masking techniques to ensure that only authorized personnel have access to sensitive information. 
  • Provide Insightful Investigations: Security analysts benefit from advanced data protection tools by gaining contextual insights into the origin, manipulation, and lineage of data. These insights enable swift and accurate incident response, helping analysts identify and mitigate security incidents before they escalate. By tracing data movement and access patterns, security teams can conduct thorough investigations into suspicious activities, track data breaches, and assess the impact on business operations. 

As new technologies are introduced and our digital ecosystems expand, investing in advanced data protection is a strategic imperative and necessity for maintaining a strong security posture. By shifting to revolutionized advanced solutions that safeguard data in motion, at rest, and in use, organizations can proactively defend against emerging threats. These advanced technologies enable security teams to actively fortify their defenses, transform their workflow, and significantly enhance their overall security infrastructure. 


The post How Advanced Data Protection Revolutionizes Security Analysts’ Workflow appeared first on Cybersecurity Insiders.