
Cisco Fixes Critical CVE-2024-20418 Vulnerability in Industrial Wireless Access Points


Cisco recently disclosed a critical security vulnerability, tracked as CVE-2024-20418, that affects specific Ultra-Reliable Wireless Backhaul (URWB) access points used in industrial settings. These URWB access points are essential for maintaining robust wireless networks in environments like manufacturing plants, transportation systems, and other infrastructure-intensive industries. The vulnerability allows remote, unauthenticated attackers to perform command injection attacks with root privileges by exploiting the device’s web-based management interface. 

This vulnerability results from inadequate validation of input data within Cisco’s Unified Industrial Wireless Software, specifically affecting the web management interface of URWB access points. By sending specially crafted HTTP requests, attackers could exploit this flaw to execute arbitrary commands with root-level access, potentially leading to unauthorized control over the device. This level of access could compromise critical network infrastructure, posing serious risks to businesses relying on URWB technology for uninterrupted connectivity. The vulnerability specifically impacts Cisco Catalyst models IW9165D, IW9165E, and IW9167E when URWB mode is enabled. 

For users concerned about their device’s security, Cisco advises checking vulnerability status by using the “show mpls-config” command in the command-line interface (CLI). If the command confirms URWB mode is active, the device may be vulnerable to potential attacks. Cisco’s Product Security Incident Response Team (PSIRT) has stated that it is not aware of any instances of this vulnerability being actively exploited in real-world scenarios. However, given the nature of this vulnerability, Cisco urges users to update their devices promptly to mitigate the risk. Currently, Cisco has not issued workarounds for this issue. 

As a result, companies relying on these models are advised to stay alert for firmware updates or patches that Cisco may release to resolve the vulnerability. The lack of a temporary fix underlines the importance of applying any future updates immediately, especially as remote exploitation could have significant consequences for the affected systems. For organizations using these Cisco models, securing network access and strengthening device-level defenses can be critical in mitigating potential risks. Limiting access to the web-based management interface, monitoring device activity, and conducting frequent security audits are some proactive steps administrators can take. These actions may help limit exposure while waiting for Cisco’s permanent fix. This incident serves as a reminder of the evolving threat landscape in industrial and operational technology environments. 

As organizations adopt more wireless technologies to improve operational efficiencies, the need for robust cybersecurity practices is crucial. Regularly updating network devices and addressing vulnerabilities promptly are fundamental to protecting systems from cyber threats. Cisco’s disclosure of CVE-2024-20418 underscores the vulnerabilities that even the most reliable industrial-grade devices can exhibit. It also highlights the critical importance of proactive device management and security measures in preventing unauthorized access. Industrial environments should consider this a timely reminder to prioritize cybersecurity protocols across all network-connected devices.
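The defect class described above, as an added example that is not Cisco's code: a command builder that splices the request parameter straight into a shell string, beside a hardened version that validates the value and builds an argv list that never reaches a shell. The "ping a host" diagnostic, the parameter name and the request values are assumptions made for illustration.

```python
"""Added example, not Cisco's code: the defect class behind CVE-2024-20418
(unvalidated request input reaching a root shell) shown as a vulnerable command
builder beside a hardened one. The 'ping a host' diagnostic, the parameter
name and all request values are assumptions made for illustration."""
import ipaddress
import shlex

SHELL_OPERATORS = {";", "&", "&&", "|", "||"}


def build_command_unsafe(target: str) -> str:
    # Vulnerable pattern: the raw request parameter is spliced into a shell
    # string. A management daemon that hands this to /bin/sh while running as
    # root executes whatever the caller appended, with root privileges.
    return f"ping -c 1 {target}"


def shell_tokens(command: str) -> list[str]:
    # Tokenise the string the way a POSIX shell would (operators become their
    # own tokens), so the effect of stray metacharacters is visible without
    # executing anything.
    return list(shlex.shlex(command, punctuation_chars=True))


def carries_extra_command(command: str) -> bool:
    # True when the built command line contains a shell operator, i.e. when
    # the shell would run more than the single diagnostic that was intended.
    return any(tok in SHELL_OPERATORS for tok in shell_tokens(command))


def build_command_safe(target: str) -> list[str]:
    # Hardened pattern: validate against a strict grammar (here: an IPv4 or
    # IPv6 literal) and return an argv list. Passed to subprocess.run(argv)
    # with the default shell=False, the value is always exactly one argument
    # of ping; no shell ever parses it.
    try:
        addr = ipaddress.ip_address(target)
    except ValueError as exc:
        raise ValueError(f"rejected target parameter: {target!r}") from exc
    return ["ping", "-c", "1", str(addr)]


def handle_request(params: dict) -> dict:
    # Simulated management-interface handler (assumed request shape). It
    # returns the argv it would execute, or a 400 response, without running
    # anything. The daemon should additionally run as an unprivileged user so
    # that even a missed validation bug does not yield root.
    target = params.get("target", "")
    try:
        argv = build_command_safe(target)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "argv": argv}


if __name__ == "__main__":
    # Constructed request values: one benign, one carrying a shell operator.
    for value in ("10.0.0.1", "10.0.0.1; echo injected"):
        unsafe = build_command_unsafe(value)
        print(f"{value!r}: unsafe builder -> {unsafe!r}, "
              f"extra command: {carries_extra_command(unsafe)}, "
              f"hardened handler -> {handle_request({'target': value})}")
```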

The Cybersecurity Burnout Crisis: Why CISOs Are Considering Quitting


Cybersecurity leaders are facing unprecedented stress as they battle evolving threats, AI-driven cyberattacks, and ransomware. A recent BlackFog study reveals that 93% of CISOs considering leaving their roles cite overwhelming job demands and mental health challenges. Burnout is driven by long hours, a reactive security environment, and the increasing complexity of threats. Organizations must prioritize support for their security teams through flexible work options, mental health resources, and strategic planning to mitigate burnout and retain talent. 

The Rising Pressure on Cybersecurity Leaders

The role of the Chief Information Security Officer (CISO) has drastically evolved. They now manage increasingly sophisticated cyberthreats, such as AI-driven attacks and ransomware, in an era where data security is paramount. The workload has increased to unsustainable levels, with 98% of CISOs working beyond contracted hours. The average CISO adds 9 hours a week, and some are clocking over 16 hours extra. This overwork is contributing to widespread burnout, with 25% of CISOs actively considering leaving their roles due to overwhelming stress. The high turnover in this field exacerbates existing security vulnerabilities, as experienced leaders exit while threats grow more sophisticated.

CISOs face ever-evolving cyberthreats, such as AI-powered attacks, which are particularly concerning for 42% of respondents. These threats use advanced machine learning algorithms to bypass traditional security measures, making them hard to detect and neutralize. Additionally, ransomware is still a major concern, with 37% of CISOs citing it as a significant stressor. The combination of ransomware and data exfiltration forces organizations to defend against attacks on multiple fronts. These heightened risks contribute to a work environment where cybersecurity teams are continually reactive, always “putting out fires” rather than focusing on long-term security strategies. This cycle of incident response leads to burnout and further stress. 

Burnout doesn’t just affect productivity; it also impacts the mental health of CISOs and security teams. According to the study, 45% of security leaders admit to using drugs or alcohol to cope with stress, while 69% report withdrawing from social activities. Although some prioritize physical health—86% allocate time for exercise—many CISOs are still struggling to maintain work-life balance. The emotional toll is immense, with security professionals experiencing the pressure to protect their organizations from increasing cyberthreats while facing a lack of sufficient resources and support. 

To combat the burnout crisis and retain top talent, organizations must rethink their approach to cybersecurity management. Offering flexible work hours, remote work options, and additional mental health resources can alleviate some of the pressure. Companies must also prioritize long-term security planning over constant reactive measures, allowing CISOs the bandwidth to implement proactive strategies. By addressing these critical issues, businesses can protect not only their security infrastructure but also the well-being of the leaders safeguarding it.

Cyber Theft Hits Providence School District Data



On Friday, Providence Public School officials were on their way to finalizing an agreement about credit monitoring for the district's teachers and staff following a recent ransomware attack on the district's network that affected teachers and staff last Friday. Then, over the weekend, information about the theft of data from Providence Public School District (PPSD) was shown on a regular website with a video preview. 

A cybercriminal group called Medusa appears to have taken control of the ransom page where the 201 gigabytes of data from the CIA were allegedly leaked by cybercriminals in September; although described as a dark web page, it can be reached through any internet browser. The district hired an undisclosed "vendor with expertise in cyber-security" to conduct an ongoing analysis and audit of the network on behalf of a third-party IT agency.

This cyberattack was reported to the FBI, the Department of Homeland Security, and the Rhode Island State Police. The district, which has kept a tight-lipped stance on the matter, took until now to disclose the nature of the security breach. On Sept. 11, IT staff were instructed to shut down the entire network after abnormal activity was detected, and they said they could not provide any further details. More than a week has passed during which teachers and students have been unable to access online curriculum or email, or to use computers.

As the district works on forensics to determine what caused the breach, a credit monitoring agreement has been finalized with a vendor not yet identified and a letter containing information about how staff can access these services is being written for distribution to employees “very soon,” district spokesperson Jay G. Wégimont said in a letter to staff. According to BCC spokesperson Brian Hodge, the Rhode Island Attorney General’s office still has not been officially notified of the data breach and is awaiting formal notification from the company.

Upon confirmation of a breach of personal information, any municipal or government agency must notify the Attorney General's office, credit reporting agencies, and individuals affected by the breach within 30 days of the incident. In a letter from Superintendent Javier Montaez to the Providence School Board on Sept. 25, the PPSD first used the term "unauthorized access" to refer to the breach, though the term "breach" was also used in the public statement that the Providence School Board issued on September 18.

It is "encouraging" that the Providence school district is informing potentially affected employees and finalizing the credit monitoring contract as soon as possible, mayoral spokesperson Anthony Vega said in an email sent to Rhode Island Current on Tuesday. A spokesperson for the Providence City Council said in an e-mail that the council would not be able to comment. Despite requests for comment, the governor's office did not get back to the Guardian with a response.

Despite repeated requests for comment from Rhode Island Current, Rogel has not responded. There was a discrepancy between the school board president's use of the term "breach" and the district's official language, which avoided stating the exact nature of the problem. The PPSD community was informed on Sept. 12 that the district's network had experienced "irregular activity," which ultimately led IT staff to cut off internet access to the district's offices and schools.

Broadband remains largely unavailable in Providence schools, apart from a fleet of WiFi hotspots being deployed to provide connectivity in the absence of the main network. A letter from PPSD to residents sent on Sept. 16 stated that a forensic analysis was still being conducted and that no evidence had been found that PPSD data had been compromised.

However, Medusa appeared to claim credit for the "irregular activity" on Monday by posting a message to its publicly accessible ransom blog containing 41 watermarked, sometimes partially obscured screenshots that preview the contents of the 201 gigabytes of data the hackers claim to have stolen. The hackers also included identifying information — including serial numbers of employee cell phones and parent contact information — that helped identify the content of the data.

Medusa ransomware is an extremely dangerous malware that works quietly in the background after it has penetrated a system, accumulating exploitable data. Once enough data has been collected, the malware encrypts the files to prevent users from accessing them. Ransom notes are then sent to victims demanding payment in exchange for the release of their files. There has also been a growing trend of "double extortion", where the hackers not only steal files but also sell or release the data to the public if they do not receive payment.

A ransom page indicates that, in exchange for a payment of $1 million, PPSD can retrieve or delete its data. An additional day would be added to the timer for a payment of $100,000. Based on the hackers' countdown timer, the deadline will be the morning of Sept. 25. Deloitte, meanwhile, released a report on Monday showing that state-level IT officials and security officers are unsure what budgets will be allocated to their state's telecommunications network infrastructure.

"The attack surface is increasing as state leaders become more reliant on information when it comes to operating government itself as the use of information is becoming more central," Srini Subramanian, a principal at Deloitte & Touche LLP, told States Newsroom in an interview. Chief information security officers (CISOs) face an increasing number of challenges, and they have to make sure that the IT infrastructure survives ever-increasing cyber threats posed by hackers. This difficulty was reflected in the survey results, which revealed that almost half of all respondents did not know their state's cybersecurity budget. Around 40% of state IT officers reported that they needed more money to comply with regulations or meet other legal requirements.

Those findings were confirmed this year by a report published by Moody's Ratings in 2023, which scores and analyzes municipal bonds. Robust cybersecurity practices can reduce the enterprise's exposure to threats, but initiatives that are difficult to implement and take resources away from core business functions may pose a credit challenge, according to Gregory Sobel, a Moody's analyst and assistant vice president.

One study by Moody's also revealed that 92% of local governments have cyber insurance, an unprecedented two-fold increase over the last five years. This coverage has come at a price: a county in South Carolina went from paying a $70,000 premium in 2021 to a $210,000 premium in 2022. Beyond the higher cost, insurers now impose stricter stipulations on risk management practices that must be in place before a policy pays out, such as better firewalls, consistent data backups, and multi-factor authentication, all of which make a payout harder to obtain.

During an email exchange with Rhode Island Current, Douglas W. Hubbard, CEO of Hubbard Decision Research, a consulting firm, and the author of “How to Measure Anything in Cybersecurity Risk,” informed the paper that schools should make use of the low-cost, free, or shared resources available to them to manage cyber risk more effectively.

Why Trust Drives the Future of Cybersecurity Marketing

With threats in cyberspace sharpening by the day, businesses are wary of entrusting their precious data to a cybersecurity firm. The shallow, flashy, blanket marketing tactics that worked a few years ago are steadily losing their impact. Against this backdrop, demand for trust-based marketing continues to grow within the cybersecurity industry.


Role of Trust in Cybersecurity Marketing

Unlike manufactured goods, cybersecurity services sell safety and security. Customers, usually senior decision-makers such as CISOs or CTOs, vote with their wallets for companies that demonstrate real acumen and trustworthiness. As threats grow more complex, those companies need to be perceived as forward-thinking in embracing and addressing new threats.


Tacky ad campaigns and blanket marketing initiatives struggle to build that sense of trust. Cybersecurity customers respond less to bright colours and more to a content marketing strategy: one focused on distributing useful articles, case studies, webinars, and other material that informs.


This strategy lets companies build credibility as thought leaders, reassuring clients that they are one step ahead of cyber threats.


Flaws of the Old Advertising Model

Traditional advertising is therefore ineffective for many in cybersecurity. Ads are saturated, and the "fatigue" caused by overexposure leads potential clients to dismiss or simply ignore them. Growing scepticism about inflated or erroneous advertising, especially within cybersecurity, can cause further damage. Customers want authentic, transparent marketing; approaches that are not authentic fall short in an industry where trust is paramount.


In response, many firms now rely extensively on recommendations from key industry personalities. This is where influencer marketing comes in, as one of the most effective ways for brands to reach customers through authentic and knowledgeable voices.


Industry Experts Influence

Authentic cybersecurity influencers bring specific value by sharing insights with followers who already trust their words. Cybersecurity companies that team up with such influencers gain access to stakeholders and to audiences that are more receptive to learning about the company's solutions. These influencers can break down complex information, making it accessible to clients and reinforcing the brand's authority in the field.


Challenges of Choosing the Correct Influencers

Selecting the right influencer is even harder than in other sectors because the industry demands very high expertise and credibility. Companies should look for influencers whose audiences are high-level decision-makers with a real interest in cybersecurity solutions. Follower count is irrelevant; reputation and a track record of relevant, accurate content are what matter. Misaligned partnerships waste resources and, more importantly, can damage the brand's reputation if the influencer lacks credibility.


To simplify this, many companies use influencer marketing platforms. These vet influencers, analyse engagement metrics, and help companies reach the right influencers, and through them CISOs, CTOs, and other key decision-makers.


Technology for Influencer Marketing Optimization

Presspool.ai, for instance, offers a platform through which cybersecurity companies can connect with verified influencers. Using data-driven insights into engagement, it identifies influencer partnerships likely to be effective, matching influencers whose audiences fit the brand's objectives on the basis of engagement data.


This data-driven approach lets firms track each campaign's performance in real time. Conversion and engagement levels measure every campaign, enabling companies to target with maximum effect and secure a high return on investment. These insights make influencer marketing efficient and scalable.


Influencer Marketing: The Future Focus for Cybersecurity

Used carefully, influencer marketing brings great benefits to cybersecurity businesses. It connects them, through a trusted voice, with the clients who are actively looking for cybersecurity. For example, if a highly respected influencer supports a product, their followers will consider the solution much more seriously because it has been reviewed by a respected voice.


Additionally, these influencers explain complicated cybersecurity concepts to potential clients in simplified form and help build the brand's credibility as a thought leader. This not only creates trust but also makes clients perceive the company as an industry leader committed to the ongoing advancement of cybersecurity.


Authenticity and Analytics Are the Keys

In the world of cybersecurity, a traditional ad won't work and clients look for real voices. Influencer marketing can fill that gap, letting a company establish meaningful relationships through the voices of trusted figures and changing how it establishes credibility in the field.

Influencer marketing platforms, through real-time data, make these partnerships measurable and adaptable to a trust-based rather than ad-centric marketing approach. Trust is now the foundation on which influencer marketing will play a major role in shaping the future of cybersecurity marketing.


Preparing Healthcare for Ransomware Attacks: A 12-Step Approach by Dr. Eric Liederman


Dr. Eric Liederman, CEO of CyberSolutionsMD, emphasizes that healthcare organizations must be prepared for ransomware attacks with a structured approach, describing it as akin to a “12-step program.” He highlights that relying solely on protective measures is insufficient since all protections have the potential to fail. Instead, planning and creating a sense of urgency is key to successfully handling a cyberattack. 

According to Liederman, organizations should anticipate losing access to critical systems and have a strategic recovery plan in place. One of the most important components of such a plan is designating roles and responsibilities for the organization’s response. During an attack, the Chief Information Security Officer (CISO) essentially takes on the role of CEO, dictating the course of action for the entire organization. Liederman says the CISO must tell people which systems are still usable and what must be shut down. 

The CEO, in this situation, plays a supporting role, asking what’s possible and what needs to be done to protect operations. A significant misconception Liederman has observed is the assumption that analog systems like phones and fax machines will continue functioning during a ransomware attack. Often, these systems rely on the same infrastructure as other compromised technology. For example, phone systems that seem analog still resolve to an IP address, which means they could be rendered useless along with other internet-based systems. 

Even fax machines, commonly thought of as a fail-safe, may only function as copiers in these scenarios. Liederman strongly advises healthcare institutions to conduct thorough drills that simulate these kinds of disruptions, enabling clinical and IT staff to practice workarounds for potentially critical outages. This level of preparation ensures that teams can still deliver care and operate essential systems even when technological resources are down for days or weeks. 

In terms of system recovery, Liederman encourages organizations to plan for bringing devices back online securely. While the need to restore services quickly is essential to maintaining operations, the process must be carefully managed to avoid reinfection by the ransomware or other vulnerabilities. Given his extensive experience, which includes almost two decades at Kaiser Permanente, Liederman advocates for resilient healthcare IT infrastructures that focus on readiness. This proactive approach allows healthcare organizations to mitigate the potential impacts of cyberattacks, ensuring that patient care can continue even in worst-case scenarios.

CISO Role Expands as Cybersecurity Becomes Integral to Business Strategy

Over the past decade, the role of Chief Information Security Officers (CISOs) has expanded significantly, reflecting cybersecurity’s growing importance in corporate governance and risk management. Once primarily responsible for managing firewalls and protecting data, CISOs now play a critical role in shaping business strategies and aligning cybersecurity with broader company objectives. 

This evolution is underscored by increasing industry investment, as Gartner predicts that global spending on security and risk management will rise by 14.3 per cent this year, surpassing USD 215 billion. CISOs are no longer viewed solely as technical experts. 

Today, they are seen as strategic business leaders, responsible for driving business success by mitigating cyber risks and enhancing security measures to support long-term goals. 

As Saugat Sindhu, Partner and Global Head of Advisory Services for Cybersecurity & Risk Services at Wipro Limited, explains, “CISOs can shift from being seen as technical experts to strategic business leaders by building awareness and translating technical risks into business terms that are understandable for board members and executives.” 

This shift is essential for gaining leadership buy-in and ensuring that cybersecurity supports overall business growth. Emerging technologies such as generative AI are further transforming the CISO’s role. A recent ISC2 survey found that 88 per cent of cybersecurity professionals believe AI will significantly impact their roles, either now or in the near future. 

CISOs must continually educate themselves and their teams to stay ahead, integrating advanced technologies into cybersecurity strategies to strengthen security and drive business goals. To successfully transition from a technical to a strategic role, CISOs should adopt three key strategies.  

First, they need to shift from being purely “tech guardians” to becoming enablers of business growth, understanding how cybersecurity can help their companies gain a competitive edge. Second, they must build strong partnerships with senior leaders like the CFO and CRO to integrate cybersecurity into the company’s risk management framework and secure the necessary resources. 

Finally, CISOs should foster a culture of continuous learning and awareness across the workforce, ensuring all employees are equipped to handle emerging cyber threats.

Navigating AI and GenAI: Balancing Opportunities, Risks, and Organizational Readiness


The rapid integration of AI and GenAI technologies within organizations has created a complex landscape, filled with both promising opportunities and significant challenges. While the potential benefits of these technologies are evident, many companies find themselves struggling with AI literacy, cautious adoption practices, and the risks associated with immature implementation. This has led to notable disruptions, particularly in the realm of security, where data threats, deepfakes, and AI misuse are becoming increasingly prevalent. 

A recent survey revealed that 16% of organizations have experienced disruptions directly linked to insufficient AI maturity. Despite recognizing the potential of AI, system administrators face significant gaps in education and organizational readiness, leading to mixed results. While AI adoption has progressed, the knowledge needed to leverage it effectively remains inadequate. This knowledge gap has decreased only slightly, with 60% of system administrators admitting to a lack of understanding of AI’s practical applications. Security risks associated with GenAI are particularly urgent, especially those related to data. 

With the increased use of AI, enterprises have reported a surge in proprietary source code being shared within GenAI applications, accounting for 46% of all documented data policy violations. This raises serious concerns about the protection of sensitive information in a rapidly evolving digital landscape. In a troubling trend, concerns about job security have led some cybersecurity teams to hide security incidents. The most alarming AI threats include GenAI model prompt hacking, data poisoning, and ransomware as a service. Additionally, 41% of respondents believe GenAI holds the most promise for addressing cyber alert fatigue, highlighting the potential for AI to both enhance and challenge security practices. 

The rapid growth of AI has also put immense pressure on CISOs, who must adapt to new security risks. A significant portion of security leaders express a lack of confidence in their workforce’s ability to identify AI-driven cyberattacks. The overwhelming majority of CISOs have admitted that the rise of AI has made them reconsider their future in the role, underscoring the need for updated policies and regulations to secure organizational systems effectively. Meanwhile, employees have increasingly breached company rules regarding GenAI use, further complicating the security landscape. 

Despite the cautious optimism surrounding AI, there is a growing concern that AI might ultimately benefit malicious actors more than the organizations trying to defend against them. As AI tools continue to evolve, organizations must navigate the fine line between innovation and security, ensuring that the integration of AI and GenAI technologies does not expose them to greater risks.

The Need For A Vulnerability Operations Center (VOC) in Modern Cybersecurity



Why VOCs Matter

Many organisations tend to focus on immediate threats, prioritising the detection and mitigation of the latest vulnerabilities. However, this approach overlooks a broader issue: many cyberattacks exploit vulnerabilities that have existed for years. In fact, 76% of vulnerabilities targeted by ransomware were identified more than three years ago, highlighting a critical gap in long-term security strategies.

What Is a VOC?

To effectively address this gap, organisations should adopt a more centralised and automated approach to vulnerability management. This is where a dedicated Vulnerability Operations Center (VOC) comes into play. A VOC serves as a specialised unit, either integrated within or operating alongside a Security Operations Center (SOC), with the primary task of managing security flaws within the IT infrastructure. Unlike a SOC, which focuses on real-time threat alerts and incidents, a VOC zeroes in on vulnerabilities—identifying, prioritising, and mitigating them before they escalate into serious security breaches.

Connecting VOC and SOC

Creating a seamless connection between a SOC and a VOC is crucial for effective cybersecurity. This integration ensures that vulnerability data is quickly and efficiently passed to threat response teams. The process begins with appointing a team to set up the VOC, overseen by the Chief Information Security Officer (CISO) or another senior security leader. Given the scope of this initiative, it should be treated as a major security operations project, with clear roles and responsibilities outlined from the start.

The initial step involves using vulnerability assessment tools to evaluate the organisation’s current security posture. This assessment helps to identify existing vulnerabilities across all assets. The next phase is to aggregate, clean, and organise this data, making it actionable for further use. Once this dataset is established, it is integrated into the SOC’s security information and event management (SIEM) systems, thereby enhancing the SOC’s ability to monitor and respond to threats with greater context and clarity.

Focusing on Risk

An essential component of VOC operations is moving beyond just technical vulnerability assessments to a more risk-based prioritisation approach. This means evaluating vulnerabilities based on their potential impact on the business and addressing the most critical ones first. Automating routine SOC tasks—such as regular vulnerability scans, alert handling, and patch management—also plays a vital role. By implementing automation tools that leverage the VOC’s data, SOC teams can focus on more complex tasks that require human intervention, improving overall efficiency and effectiveness.

Continuous Improvement

Once the VOC is fully operational, the focus should shift to continuous improvement and adaptation. As new vulnerabilities and trends emerge, the SOC must update its monitoring and response strategies to keep pace. Establishing feedback loops between the SOC and VOC ensures that both teams are aligned and responsive to the incessant development of threats.

Building a Strong Policy

Moreover, a strong policy and governance framework is necessary to support the integration of the VOC and SOC. Security teams need to define clear schedules, rules, and Service Level Agreements (SLAs) for addressing vulnerabilities. For example, widely exploited vulnerabilities such as the one in Log4j should trigger immediate notifications to SOC teams to ensure a swift response.

The Future of Security

While setting up a VOC may seem challenging, it is a critical step towards addressing the persistent vulnerability issues. Unlike the current reactive approach, a VOC allows for a more proactive, risk-based management of vulnerabilities across IT and security teams. By moving beyond the outdated, piecemeal strategies of the past, organisations can achieve a higher level of security, protecting their assets from both old and new threats.


The CISO: A Cornerstone of Private Equity Success

In the dynamic landscape of private equity, the Chief Information Security Officer (CISO) has emerged as a critical player. Beyond safeguarding digital assets, the CISO is instrumental in driving business growth and ensuring regulatory compliance.

The CISO's role extends far beyond technical expertise. They are strategic architects, designing security frameworks aligned with business objectives. Proactive risk identification and mitigation are paramount, requiring a deep understanding of the evolving threat landscape. Effective communication of security posture to leadership is essential for securing buy-in and support.

  • Operational Excellence and Incident Response: Day-to-day security operations, from policy enforcement to incident management, fall under the CISO's purview. Building a resilient organization capable of weathering cyberattacks involves meticulous planning, employee training, and a robust security operations center (SOC).
  • Governance, Compliance, and Culture: Navigating a complex regulatory environment is a core competency for CISOs. Ensuring adherence to standards like GDPR and CCPA while fostering a security-conscious culture is vital. Effective third-party risk management and transparent reporting to stakeholders are essential for maintaining trust.
  • Overcoming Challenges: Balancing security with business agility, scaling defenses with company growth, and managing the impact of security changes are ongoing challenges. CISOs must be adept at finding innovative solutions to these complex issues.
  • Security Teams in a Portfolio Context: Private equity firms often manage diverse portfolios with varying risk profiles. Centralized oversight, shared resources, and a risk-based approach are essential for effective security management across the portfolio.

By operating as strategic partners, CISOs can significantly contribute to the long-term success of private equity firms and their portfolio companies.

The Importance of Whitelisting Scanner IPs in Cybersecurity Assessments


In the realm of cybersecurity, ensuring the safety and integrity of a network is a multifaceted endeavor. One crucial aspect of this process is the regular assessment of potential vulnerabilities within the system. As cybersecurity professionals, our work revolves around identifying these vulnerabilities through automated scans and red team exercises, meticulously recording them in a Bugtrack Excel sheet, and collaborating with human analysts to prioritize and address the most critical issues. However, a recurring challenge in this process is the reluctance of some customers to whitelist the IP addresses of our scanning tools.

The Role of Whitelisting in Accurate Assessments

Whitelisting the scanner IP is essential for obtaining accurate and comprehensive results during security assessments. When the IP address of the scanning tool is whitelisted, it allows the scanner to perform a thorough evaluation of the network without being hindered by security measures such as firewalls or intrusion detection systems. This unrestricted access enables the scanner to identify all potential vulnerabilities, providing a realistic picture of the network's security posture.

The Reluctance to Whitelist

Despite the clear benefits, many customers are hesitant to whitelist the IP addresses of cybersecurity vendors. The primary reason for this reluctance is the perception that it could expose the network to potential threats. Customers fear that by allowing unrestricted access to the scanner, they are inadvertently creating a backdoor that could be exploited by malicious actors.

Moreover, this approach rests on a fallacy. By not whitelisting the scanner IP, the results of the security assessments are often incomplete or misleading. The scanners may miss critical vulnerabilities that are hidden behind security measures, resulting in a report that underestimates the actual risks. Consequently, the management and auditors, relying on these reports, task the IT team with addressing only the identified issues, leaving the undetected vulnerabilities unaddressed.

The Illusion of Security

This approach creates an illusion of security. The customer, management, and auditors may feel satisfied with the apparent low number of vulnerabilities, believing that their network is secure. However, this false sense of security can be detrimental. Hackers are relentless and innovative, constantly seeking new ways to infiltrate networks. They are not deterred by the same security measures that hinder our scanners. By not whitelisting the scanner IP, customers are effectively blinding themselves to potential threats that hackers could exploit.

The Hacker's Advantage

Hackers employ manual methods and conduct long-term reconnaissance to find vulnerabilities within a network. They utilize a combination of sophisticated techniques and persistent efforts to bypass security measures. The tools and strategies that block scanner IPs are not effective against a determined hacker's methods. Hackers can slowly and methodically map out the network, identify weaknesses, and exfiltrate data without triggering the same alarms that automated scanners might. This means that even if a scanner is blocked, a hacker can still find and exploit vulnerabilities, leading to potentially catastrophic breaches.

The Need for Continuous and Accurate Scanning

Security scanners need to perform regular assessments—daily or weekly—to keep up with the evolving threat landscape. For these scans to be effective, the scanner IP must be whitelisted to ensure consistent and accurate results. This repetitive scanning is crucial for maintaining a robust security posture, as it allows for the timely identification and remediation of new vulnerabilities.

The Conference Conundrum

Adding to this challenging landscape is the current trend in cybersecurity conferences. Instead of inviting actual security researchers, security engineers, or architects who write defensive software, many conferences are being hosted by OEM vendors or consulting organizations. These vendors often showcase the users of their security products rather than the experts who develop and understand the intricate details of cybersecurity defense mechanisms. This practice can lead to a superficial understanding of security products and their effectiveness, as the focus shifts from in-depth technical knowledge to user experiences and testimonials.

Conclusion

In conclusion, the reluctance to whitelist scanner IPs stems from a misunderstanding of the importance of comprehensive and accurate security assessments. While it may seem counterintuitive, whitelisting these IP addresses is a necessary step in identifying and addressing all potential vulnerabilities within a network. 

By embracing this practice, customers can move beyond the illusion of security and take proactive measures to protect their networks from the ever-evolving threats posed by cybercriminals. The ultimate goal is to ensure that both the customer and their management are genuinely secure, rather than merely appearing to be so. Security measures that block scanner IPs won't thwart a dedicated hacker who uses manual methods and long-term reconnaissance. Thus, comprehensive vulnerability assessments are essential to safeguarding against real-world threats. Additionally, there needs to be a shift in how cybersecurity conferences are organized, prioritizing the inclusion of true security experts to enhance the industry's collective knowledge and capabilities.

--

Suriya Prakash and Sabari Selvan

CySecurity Corp 

Why Every Business is Scrambling to Hire Cybersecurity Experts

The cybersecurity arena is developing at a breakneck pace, creating a significant talent shortage across the industry. This challenge was highlighted by Saugat Sindhu, Senior Partner and Global Head of Advisory Services at Wipro Ltd. He emphasised the pressing need for skilled cybersecurity professionals, noting that the rapid advancements in technology make it difficult for the industry to keep up.


Cybersecurity: A Business Enabler

Over the past decade, cybersecurity has transformed from a corporate function to a crucial business enabler. Sindhu pointed out that cybersecurity is now essential for all companies, not just as a compliance measure but as a strategic asset. Businesses, clients, and industries understand that neglecting cybersecurity can give competitors an advantage, making robust cybersecurity practices indispensable.

The role of the Chief Information Security Officer (CISO) has also evolved. Today, CISOs are responsible for ensuring that businesses have the necessary tools and technologies to grow securely. This includes minimising outages and reputational damage from cyber incidents. According to Sindhu, modern CISOs are more about enabling business operations rather than restricting them.

Generative AI is one of the latest disruptors in the cybersecurity field, much like the cloud was a decade ago. Sindhu explained that different sectors face varying levels of risk with AI adoption. For instance, healthcare, manufacturing, and financial services are particularly vulnerable to attacks like data poisoning, model inversions, and supply chain vulnerabilities. Ensuring the security of AI models is crucial, as vulnerabilities can lead to severe backdoor attacks.

At Wipro, cybersecurity is a top priority, involving multiple departments including the audit office, risk office, core security office, and IT office. Sindhu stated that cybersecurity considerations are now integrated into the onset of any technology transformation project, rather than being an afterthought. This proactive approach ensures that adequate controls are in place from the beginning.

Wipro is heavily investing in cybersecurity training for its employees and practitioners. The company collaborates with major universities in India to support training courses, making it easier to attract new talent. Sindhu emphasised the importance of continuous education and certification to keep up with the fast-paced changes in the field.

Wipro's commitment to cybersecurity is evident in its robust infrastructure. The company boasts over 9,000 cybersecurity specialists and operates 12 global cyber defence centres across more than 60 countries. This extensive network underscores Wipro's dedication to maintaining high security standards and addressing cyber risks proactively.

The rapid evolution of cybersecurity presents pivotal challenges, but also underscores the importance of viewing it as a business enabler. With the right training, proactive measures, and integrated approaches, companies like Wipro are striving to stay ahead of threats and ensure robust protection for their clients. As the demand for cybersecurity talent continues to grow, ongoing education and collaboration will be key to bridging the skills gap.



The Indispensable Role of the CISO in Navigating Cybersecurity Regulations

With evolving cyber threats and stringent regulatory requirements, CISOs are tasked with ensuring the confidentiality, integrity, and availability of an organization’s digital systems and data. This article examines the regulatory landscape surrounding cybersecurity and explores effective strategies for CISOs to navigate these requirements. CISOs must stay updated on regulations and implement robust security practices to protect their organizations from legal consequences. 

The SEC has introduced rules to standardize cybersecurity risk management, strategy, governance, and incident disclosures. These rules apply to public companies under the Securities Exchange Act of 1934 and include both domestic and foreign private issuers. Companies are required to promptly disclose material cybersecurity incidents, detailing the cause, scope, impact, and materiality. Public companies must quickly disclose cybersecurity incidents to investors, regulators, and the public to prevent further damage and allow stakeholders to take necessary actions. 

Detailed disclosures must explain the incident's root cause, the affected systems or data, and the impact, whether it resulted in a data breach, financial loss, operational disruption, or reputational harm. Organizations need to assess whether the incident is substantial enough to influence investors’ decisions. Failure to meet SEC disclosure requirements can lead to investigations and penalties. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCA) mandates that companies report significant cyber incidents to the Department of Homeland Security (DHS) within 24 hours of discovery. 

CISOs must ensure their teams can effectively identify, evaluate, validate, prioritize, and mitigate vulnerabilities and exposures, and that security breaches are promptly reported. Reducing the organization’s exposure to cybersecurity and compliance risks is essential to avoid legal implications from inadequate or misleading disclosures. Several strategies can strengthen an organization's security posture and compliance. Regular security tests and assessments proactively identify and address vulnerabilities, ensuring a strong defense against potential threats. Effective risk mitigation strategies and consistent governance practices enhance compliance and reduce legal risks. Employing a combination of skilled personnel, efficient processes, and advanced technologies bolsters an organization's security. Multi-layered technology solutions such as endpoint detection and response (EDR), continuous threat exposure management (CTEM), and security information and event management (SIEM) can be particularly effective. 

Consulting with legal experts specializing in cybersecurity regulations can guide compliance and risk mitigation efforts. Maintaining open and transparent communication with stakeholders, including investors, regulators, and the board, is critical. Clearly articulating cybersecurity efforts and challenges fosters trust and demonstrates a proactive approach to security. CISOs and their security teams lead the battle against cyber threats and must prepare their organizations for greater security transparency. The goal is to ensure effective risk management and incident response, not to evade requirements. 

By prioritizing risk management, governance, and technology adoption while maintaining regulatory compliance, CISOs can protect their organizations from legal consequences. Steadfast adherence to regulations, fostering transparency, and fortifying defenses with robust security tools and best practices are essential for navigating the complexities of cybersecurity compliance. By diligently upholding security standards and regulatory compliance, CISOs can steer their organizations toward a future where cybersecurity resilience and legal compliance go hand in hand, providing protection and peace of mind for all stakeholders.

Ticketmaster and Santander Breaches Expose Cloud Security Flaws


Recent data breaches at Ticketmaster and Santander Bank have exposed major security vulnerabilities in the use of third-party cloud storage services. These breaches highlight the urgent need for robust security measures as more organisations move their data to the cloud.

On May 20, Ticketmaster experienced a data breach involving a third-party cloud storage provider. The breach, disclosed in a regulatory filing by its parent company Live Nation Entertainment, compromised the data of approximately 550 million customers. This stolen data, including sensitive personal information, was reportedly put up for sale on a Dark Web forum by a group known as "ShinyHunters."

Just a week earlier, on May 14, Santander Bank revealed a similar breach. Unauthorised access to a cloud-hosted database exposed data belonging to customers and employees, primarily affecting those in Spain, Chile, and Uruguay. ShinyHunters also claimed responsibility for this breach, offering the stolen data—which includes 30 million customer records, 28 million credit card numbers, and other sensitive information—for sale at $2 million.

Both breaches have been linked to Snowflake, a renowned cloud storage provider serving numerous high-profile clients like MasterCard, Disney, and JetBlue. Although Snowflake acknowledged recent malicious activities targeting its customers, an investigation by Mandiant and CrowdStrike found no evidence of a vulnerability or breach within Snowflake’s own platform. The attackers apparently exploited single-factor authentication credentials obtained through infostealer malware, highlighting the importance of robust authentication measures.

David Bradbury, Chief Security Officer at Okta, stressed the importance of implementing multi-factor authentication (MFA) and network IP restrictions for securing SaaS applications. However, he pointed out that attackers are increasingly bypassing MFA by targeting post-authentication processes, such as stealing session tokens. This highlights the need for additional security mechanisms like session token binding.

Michael Lyborg, CISO at Swimlane, emphasised the shared responsibility model in cloud security. While cloud providers like Snowflake offer best practices and security guidelines, it is ultimately up to customers to follow these protocols to protect their data. Lyborg suggested that enforcing MFA and adopting a zero-trust security model by default could enhance data protection by a notable measure.


Challenges in Enforcing Security Standards

Patrick Tiquet, VP of Security and Architecture at Keeper Security, argued that while uniform security measures might enhance protection, they could also limit the flexibility and customization that customers seek from cloud services. He noted that some organizations might have their own robust security protocols tailored to their specific needs. However, the recent breaches at Ticketmaster and Santander highlight the dangers of relying solely on internal security measures without adhering to industry best practices.

The breaches at Ticketmaster and Santander serve as critical reminders of the risks associated with inadequate cloud security measures. As organisations increasingly transition to cloud-based operations, both cloud providers and their customers must prioritise robust security strategies. This includes implementing strong authentication protocols, adhering to best practices, and fostering a culture of security awareness. Ensuring comprehensive protection against cyber threats is essential to safeguarding sensitive data in the digital age.


Strengthening Healthcare Cybersecurity: A Collaborative Imperative

In recent years, cyberattacks have surged, putting every segment of the nation's healthcare system—from hospitals and physician practices to payment processing companies and biomedical facilities—under stress. These attacks disrupt patient care and cost the industry billions. Erik Decker, Vice President and Chief Information Security Officer (CISO) at Intermountain Health, emphasized the need for an "adversarial mindset" to counter these sophisticated threats during a recent U.S. News and World Report virtual event. 

Decker, who also chairs the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council, highlighted that cybercriminals aim to maximize profits swiftly, targeting vulnerable points within the healthcare sector. Marc Maiffret, Chief Technology Officer of BeyondTrust, explained that attackers typically infiltrate through three primary avenues: social engineering, misconfigured devices, and risky third-party connections. Social engineering often involves phishing emails or impersonation calls to service desks, where attackers request the enrollment of new devices using compromised credentials. 

Misconfigured devices exposed to the internet also provide easy entry points for attackers. The third method involves exploiting unattended remote access systems. Once inside, cybercriminals often target active directory and administrator workstations to gain critical credentials. To bolster defenses, Decker highlighted that the Department of Health and Human Services offers resources and voluntary cybersecurity performance goals developed with the HSCC’s Joint Cybersecurity Working Group. 

Zeynalov described Cleveland Clinic's approach of understanding the business thoroughly and aligning cybersecurity measures with healthcare needs. His team visited various locations to map the patient journey from admission to discharge, ensuring that protections are seamless and do not hinder patient care. Incident response planning is crucial. Maiffret advised against overly imaginative scenarios, favoring practical preparedness. Decker recommended establishing clear command structures and regularly simulating attack responses to build effective "muscle memory." “Your event that happens will never happen according to the way you planned it. 

For smaller, financially constrained hospitals, Zeynalov advocated for shared defense strategies. The Biden Administration’s 2025 fiscal year budget proposal allocates $1.3 billion through HHS to support cybersecurity adoption in under-resourced hospitals, reminiscent of the electronic medical records stimulus from the American Recovery and Reinvestment Act. 

Ultimately, the panelists emphasized a collaborative defense approach to withstand sophisticated cyber threats. By pooling resources and strategies, the healthcare sector can enhance its resilience against the ever-evolving landscape of cybercrime. This shared defense strategy is crucial, as Decker concluded, “We cannot do this stuff individually, trying to stop the types of organizations that are coming after us.” By uniting efforts, the healthcare industry can better protect itself and ensure the safety and trust of its patients.

Enhancing Cybersecurity: Automated Vulnerability Detection and Red Team Exercises with Validation Scans



In today's digital age, cybersecurity has become a top priority for organizations of all sizes. The ever-evolving landscape of cyber threats necessitates robust and comprehensive approaches to identifying and mitigating vulnerabilities.

Two effective methods in this domain are automated vulnerability detection and red team exercises. This article explores how these methods work together, the process of recording identified vulnerabilities, and the crucial role of human analysts in prioritizing them.

Automated Vulnerability Detection:

Automated vulnerability detection tools are designed to scan systems, networks, and applications for known vulnerabilities. These tools leverage databases of known threats and employ various scanning techniques to identify potential security weaknesses. The benefits of automated detection include:

1. Speed and Efficiency: Automated tools can quickly scan large volumes of data, significantly reducing the time needed to identify vulnerabilities.

2. Consistency: Automated processes eliminate the risk of human error, ensuring that every scan is thorough and consistent.

3. Continuous Monitoring: Many automated tools offer continuous monitoring capabilities, allowing organizations to detect vulnerabilities in real time.

However, automated tools are not without their limitations. They may not detect new or complex threats, and false positives can lead to wasted resources and effort.


Red Team Exercises:


Red team exercises involve ethical hackers, known as red teams, who simulate real-world cyber attacks on an organization's systems. These exercises aim to uncover vulnerabilities that automated tools might miss and provide a realistic assessment of the organization's security posture. The advantages of red team exercises include:

1. Real-World Scenarios: Red teams use the same tactics, techniques, and procedures as malicious hackers, providing a realistic assessment of the organization's defenses.

2. Human Ingenuity: Human testers can think creatively and adapt to different situations, identifying complex and hidden vulnerabilities.

3. Comprehensive Assessment: Red team exercises often reveal vulnerabilities in processes, people, and technologies that automated tools might overlook.

Recording and Prioritizing Vulnerabilities:

Once vulnerabilities are identified through automated tools or red team exercises, they need to be meticulously recorded and managed. This is typically done using a bugtrack Excel sheet, which includes details such as the vulnerability description, severity, affected systems, and potential impact.

The recorded vulnerabilities are then reviewed by human analysts who prioritize them based on their severity and potential impact on the organization.

This prioritization is crucial for effective vulnerability management, as it ensures that the most critical issues are addressed first. The analysts categorize vulnerabilities into three main levels:

1. High: These vulnerabilities pose a significant risk and require immediate attention. They could lead to severe data breaches or system compromises if exploited.

2. Medium: These vulnerabilities are less critical but still pose a risk that should be addressed promptly.

3. Low: These vulnerabilities are minor and can be addressed as resources allow.

Machine-Readable Vulnerability Reports and Automated Validation:

Once the vulnerabilities are prioritised and added to the bugtrack, it is essential to provide customers with the information in a machine-readable format. This enables seamless integration with their existing systems and allows for automated processing. The steps involved are:

1. Machine-Readable Format: The bugtrack data is converted into formats such as JSON or XML which can be easily read and processed by machines.

2. Customer Integration: Customers can integrate these machine-readable reports into their security information and event management (SIEM) systems or other security tools to streamline vulnerability management and remediation workflows.

3. Automated Remediation and Validation: After addressing the vulnerabilities, customers can use automated methods to validate the fixes. This involves re-scanning the systems with automated tools to ensure that the vulnerabilities have been effectively mitigated. The re-scan is driven by YAML templates added to the vulnerability scanning tool for each recorded finding, and the scanner output is then analyzed to confirm whether each vulnerability is fixed.

Network and Application Vulnerability Revalidation:

For network-level vulnerabilities, revalidation can be done using the Security Content Automation Protocol (SCAP) or by automating the process with YAML-templated vulnerability scanners such as Nuclei.

These tools can efficiently verify that the identified network vulnerabilities have been patched and no longer pose a risk.

For application-level vulnerabilities, SCAP is not suitable. Instead, the bugtrack system should have a feature to revalidate vulnerabilities using YAML/Nuclei scanners or validation scripts via tools like the Burp Suite Replicator extension. These methods are more effective for confirming that application vulnerabilities have been properly addressed.
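The JSON export and automated revalidation described in the steps above and in this revalidation section, as an added example written for this page (not CySecurity Corp or DARWIS code). It assumes the bugtrack sheet is exported as CSV with a template_id column tying each finding to the scanner template that found it, that the rescan emits Nuclei-style JSON lines carrying template-id and matched-at fields, and that the list of templates the rescan was invoked with is recorded separately; all sample data is constructed.

```python
import csv
import io
import json

# Severity order used by the analysts (High first).
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

# Constructed sample: a bugtrack Excel sheet exported as CSV. The template_id
# column is an assumption; it links a finding to the scanner template that
# originally detected it, so the same template can re-check the fix.
BUGTRACK_CSV = """\
id,title,severity,asset,template_id
BT-001,Exposed .git directory,High,https://app.example.test/,git-config
BT-002,Missing HSTS header,Low,https://app.example.test/,http-missing-security-headers
BT-003,Outdated jQuery library,Medium,https://shop.example.test/,jquery-detect
"""

# Constructed revalidation output in Nuclei-style JSON lines (one object per
# match). A scanner reports only what it still finds, never "no longer found".
REVALIDATION_JSONL = """\
{"template-id":"http-missing-security-headers","host":"https://app.example.test","matched-at":"https://app.example.test/"}
"""

# Templates the revalidation run was invoked with (assumed to be recorded
# alongside the scan). Without this, a silent non-match proves nothing.
TEMPLATES_RUN = {"git-config", "http-missing-security-headers"}


def normalise_url(url):
    """Canonicalise asset URLs so sheet entries and scanner output compare."""
    return url.strip().lower().rstrip("/")


def load_bugtrack(csv_text):
    """Parse the CSV export into finding dicts, highest severity first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: SEVERITY_RANK.get(r["severity"], len(SEVERITY_RANK)))
    return rows


def build_report(rows):
    """Machine-readable report structure a customer can feed into a SIEM."""
    return {
        "schema": "bugtrack-report/1",  # assumed schema label
        "findings": [
            {
                "id": r["id"],
                "title": r["title"],
                "severity": r["severity"],
                "asset": normalise_url(r["asset"]),
                "template_id": r["template_id"],
                "status": r.get("status", "open"),
            }
            for r in rows
        ],
    }


def parse_scanner_output(jsonl_text):
    """Return the set of (template_id, asset) pairs the rescan still detected."""
    hits = set()
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        location = obj.get("matched-at") or obj.get("host", "")
        hits.add((obj["template-id"], normalise_url(location)))
    return hits


def revalidate(rows, hits, templates_run):
    """Set each finding's status to still_open, fixed, or not_validated."""
    # A finding counts as fixed only when its template actually ran and
    # produced no match; an un-run template yields no evidence either way.
    for r in rows:
        key = (r["template_id"], normalise_url(r["asset"]))
        if key in hits:
            r["status"] = "still_open"
        elif r["template_id"] in templates_run:
            r["status"] = "fixed"
        else:
            r["status"] = "not_validated"
    return rows


def run_example():
    """End to end: sheet -> rescan -> JSON report; returns id -> status."""
    rows = load_bugtrack(BUGTRACK_CSV)
    hits = parse_scanner_output(REVALIDATION_JSONL)
    revalidate(rows, hits, TEMPLATES_RUN)
    report = build_report(rows)
    return {f["id"]: f["status"] for f in report["findings"]}


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```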

Conclusion:

Combining automated vulnerability detection with red team exercises provides a comprehensive approach to identifying and mitigating security threats. Automated tools offer speed and consistency, while red teams bring creativity and real-world testing scenarios. Recording identified vulnerabilities in a bugtrack Excel sheet, providing machine-readable reports, and validating fixes through automated methods ensure that resources are effectively allocated to address the most pressing security issues.

By leveraging these methods, organizations can enhance their cybersecurity posture, protect sensitive data, and mitigate the risk of cyber attacks. As the threat landscape continues to evolve, staying proactive and vigilant in vulnerability management will remain essential for safeguarding digital assets.

The entire vulnerability monitoring workflow, including the automated machine-readable format used for validation, has been implemented in the DARWIS VM module.

-----------
Suriya Prakash & Sabari Selvan
CySecurity Corp 
www.cysecuritycorp.com

Case Study: Implementing an Anti-Phishing Product and Take-Down Strategy


Introduction:

Phishing attacks have become one of the most prevalent cybersecurity threats, targeting individuals and organizations to steal sensitive information such as login credentials, financial data, and personal information. To combat this growing threat, a comprehensive approach involving the deployment of an anti-phishing product and an efficient take-down strategy is essential.

This case study outlines a generic framework for implementing such measures, with a focus on regulatory requirements mandating the use of locally sourced solutions and ensuring proper validation before take-down actions.


Challenge:

Organizations across various sectors, including finance, healthcare, and e-commerce, face persistent phishing threats that compromise data security and lead to financial losses. The primary challenge is to develop and implement a solution that can detect, prevent, and mitigate phishing attacks effectively while complying with regulatory requirements to use locally sourced cybersecurity products and ensuring that take-down actions are only executed when the organization is actually being phished or imitated.


Objectives:

1. Develop an advanced anti-phishing product with real-time detection and response capabilities.

2. Establish a rapid and effective take-down process for phishing websites.

3. Ensure the anti-phishing product is sourced from a local provider to meet regulatory requirements.

4. Implement a policy where take-down actions are only taken when the organization is actually being phished.


Solution:

A multi-faceted approach combining technology, processes, and education was adopted to address the phishing threat comprehensively.


1. Anti-Phishing Product Development

An advanced anti-phishing product from a local cybersecurity provider was developed with the following key features:

- Real-time Monitoring and Detection: Utilizing AI and machine learning algorithms to monitor email traffic, websites, and network activity for phishing indicators.

- Threat Intelligence Integration: Incorporating global threat intelligence feeds to stay updated on new phishing tactics and campaigns.

- Automated Detection of Brand Violations: Implementing capabilities to automatically detect the use of logos, brand names, and other identifiers indicative of phishing activities.

- Automated Response Mechanisms: Implementing automated systems to block phishing emails and malicious websites at the network level, while flagging suspicious sites for further review.

- User Alerts and Guidance: Providing immediate alerts to users when suspicious activities are detected, along with guidance on how to respond.


2. Phishing Website Take-Down Strategy

We developed a proactive approach to swiftly take down phishing websites, ensuring a balance between automation and human oversight, and validating the phishing activity before take-down:

- Rapid Detection Systems: Leveraging real-time monitoring tools to quickly identify phishing websites, especially those violating brand identities.

- Collaboration with ISPs and Hosting Providers: Establishing partnerships with internet service providers and hosting companies to expedite the take-down process.

- Human Review Process and Validation of Phishing Activity: Ensuring that no site is taken down without a human review to verify the phishing activity, preventing erroneous take-downs of legitimate sites and erroneous rejections of genuine phishing reports.

- Legal Measures: Employing legal actions such as cease-and-desist letters to combat persistent phishing sites.

- Dedicated Incident Response Team: Forming a specialized team to handle take-down requests and ensure timely removal of malicious sites, following human verification.


Results:

1. Reduction in Phishing Incidents: Organizations reported a significant decrease in successful phishing attempts due to the enhanced detection and response capabilities of the locally sourced anti-phishing product.

2. Efficient Phishing Site Take-Downs: The majority of reported phishing websites were taken down within 24 hours, following human review and validation of phishing activity, minimizing the potential impact of phishing attacks.


Conclusion:

The implementation of an advanced, locally sourced anti-phishing product, combined with a robust take-down strategy and comprehensive educational initiatives, significantly enhances the cybersecurity posture of organizations. By adopting a multi-faceted approach that leverages technology, collaborative efforts, and user education, while ensuring compliance with regulatory requirements to use local solutions and validating phishing activity before take-down actions, organizations can effectively mitigate the risks posed by phishing attacks. This case study underscores the importance of an integrated strategy, ensuring automated systems are complemented by human oversight, in protecting against the ever-evolving threat of phishing.


By

Suriya Prakash & Sabari Selvan

CySecurity Corp

IBM's Exit from Cybersecurity Software Shakes the Industry



In an unexpected move that has disrupted the cybersecurity equilibrium, IBM has announced its exit from the cybersecurity software market by selling its QRadar SaaS portfolio to Palo Alto Networks. This development has left many Chief Information Security Officers (CISOs) rethinking their procurement strategies and vendor relationships as they work to rebuild their Security Operations Centers (SOCs).

IBM's QRadar Suite: A Brief Overview

The QRadar Suite, rolled out by IBM in 2023, included a comprehensive set of cloud-native security tools such as endpoint detection and response (EDR), extended detection and response (XDR), managed detection and response (MDR), and key components for log management, including security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms. The suite was recently expanded to include on-premises versions based on Red Hat OpenShift, with plans for integrating AI capabilities through IBM's Watsonx AI platform.

The agreement, expected to close by the end of September, also designates IBM Consulting as a "preferred managed security services provider (MSSP)" for Palo Alto Networks customers. This partnership will see the two companies sharing a joint SOC, potentially benefiting customers looking for integrated security solutions.

Palo Alto Networks has assured that feature updates and critical fixes will continue for on-premises QRadar installations. However, the long-term support for these on-premises solutions remains uncertain.

Customer Impact and Reactions

The sudden divestiture has taken the cybersecurity community by surprise, particularly given IBM's significant investment in transforming QRadar into a cloud-native platform. Eric Parizo, managing principal analyst at Omdia, noted the unexpected nature of this move, highlighting the substantial resources IBM had dedicated to QRadar's development.

Customers now face a critical decision: migrate to Palo Alto's Cortex XSIAM platform or explore other alternatives. Omdia's research indicates that IBM's QRadar was the third-largest next-generation SIEM provider, trailing only Microsoft and Splunk (now part of Cisco). The sudden shift has left many customers seeking clarity and solutions.

Market Dynamics

This acquisition comes at a pivotal time in the cybersecurity industry, with SIEM, SOAR, and XDR technologies increasingly converging into unified SOC platforms. Major players like AWS, Microsoft, Google, CrowdStrike, Cisco, and Palo Alto Networks are leading this trend. Just before IBM's announcement, Exabeam and LogRhythm revealed their merger plans, aiming to combine their SIEM and user and entity behaviour analytics (UEBA) capabilities.

Forrester principal analyst Allie Mellen pointed out that IBM's QRadar lacked a fully-fledged XDR offering, focusing more on EDR. This gap might have influenced IBM's decision to divest QRadar.

For Palo Alto Networks, acquiring QRadar represents a significant boost. The company plans to integrate QRadar's capabilities with its Cortex XSIAM platform, known for its automation and MDR features. While Palo Alto Networks has made rapid advancements with Cortex XSIAM, analysts like Parizo believe it still lacks the maturity and robustness of IBM's QRadar.

Palo Alto Networks intends to offer free migration paths to its Cortex XSIAM for existing QRadar SaaS customers, with IBM providing over 1,000 security consultants to assist with the transition. This free migration option will also extend to "qualified" on-premises QRadar customers.

The long-term prospects for QRadar SaaS under Palo Alto Networks remain unclear. Analysts suggest that the acquisition aims to capture QRadar's customer base rather than sustain the product. As contractual obligations expire, customers will likely need to transition to Cortex XSIAM or consider alternative vendors.

A notable aspect of the agreement is the incorporation of IBM's Watsonx AI into Cortex XSIAM, which will enhance its Precision AI tools. Gartner's Avivah Litan highlighted IBM's strong AI capabilities, suggesting that this partnership could benefit both companies.

In conclusion, IBM's exit from the cybersecurity software market marks a paradigm shift, prompting customers to reevaluate their security strategies. As Palo Alto Networks integrates QRadar into its offerings, the industry will closely watch how this transition unfolds and its impact.




AI Enables the Return of Private Cloud


Private cloud providers may be among the primary winners of today's generative AI gold rush, as CIOs are reconsidering private clouds, whether on-premises or hosted by a partner, after previously dismissing them in favour of public clouds. 

At the heart of this trend is a growing recognition that in order to handle AI workloads while keeping costs under control, organisations will eventually rely on a hybrid mix of public and private cloud. 

"With how fast things are changing in the data and cloud space, we believe in a hybrid model of cloud and data centre strategy," claims Jim Stathopoulos, SVP and CIO of Sun Country Airlines, who joined the regional airline from United Airlines in early 2023 and acquired a Microsoft Azure cloud infrastructure and Databricks AI platform, but is open to future IT decisions.

Controlling escalating cloud and AI expenses and minimising data leakage are the primary reasons why organisations are considering hybrid infrastructure as their AI solution. Most experts agree that most IT leaders will need to choose a hybrid approach that includes on-premises or co-located private clouds to provide cost control and data integrity in the face of AI's resource requirements and critical business concerns about its deployment. 

According to IDC's top cloud analyst, Dave McCarthy, private cloud platforms such as Dell APEX and HPE GreenLake, which provide generative AI capabilities, as well as co-locating with partners such as Equinix to host workloads in private clouds, could provide a solution to enterprise customers. 

“The excitement and related fears surrounding AI only reinforces the need for private clouds. Enterprises need to ensure that private corporate data does not find itself inside a public AI model,” McCarthy notes. “CIOs are working through how to leverage the most of what LLMs can provide in the public cloud while retaining sensitive data in private clouds that they control.” 

Generative AI changes the cloud calculus 

Somerset Capital Group is one company that has chosen to go private to run its ERP software and pave the path for generative AI. The Milford, Conn.-based financial services corporation moved data to the public cloud over a decade ago and will continue to add workloads, particularly for customer-centric apps. Somerset's EVP and CIO, Andrew Cotter, believes that the company's important data, as well as any future generative AI data, will most likely run on its new hosted private cloud. 

"As we are testing and dipping our toes in the water with AI, we are choosing to keep that as private as possible," he says, noting that while the public cloud provides the horsepower needed for many LLMs today, his firm has the option of adding GPUs if needed via its privately owned Dell equipment. "You don't want to make a mistake and have it ingested or used in another model. We're maintaining tight control and storing it in the private cloud." 

Todd Scott, senior vice president of Kyndryl US, recognises that AI and cost are the key factors driving organisations to private clouds. 

Buying into the private cloud

Analysts believe that private cloud spending is on the rise. According to Forrester's Infrastructure Cloud Survey in 2023, 79% of the almost 1,300 enterprise cloud decision-makers polled claimed their companies are developing internal private clouds that will include virtualization and private cloud management. Over a third (31%) of respondents are creating internal private clouds employing hybrid cloud management technologies such as software-defined storage and API-consistent hardware to make the private cloud more similar to the public cloud, Forrester added.

IDC predicts that global spending on private, dedicated cloud services, which comprise hosted private cloud and dedicated cloud infrastructure as a service, would reach $20.4 billion in 2024 and more than double by 2027. According to IDC, global spending on enterprise private cloud infrastructure, which includes hardware, software, and support services, will reach $51.8 billion in 2024 and $66.4 billion in 2027. 

While those figures pale in comparison to the public cloud's projected $815.7 billion in 2024, IDC's McCarthy views hybrid cloud architecture as the future for most organisations in this space. According to McCarthy, the introduction of turnkey private cloud products from HPE and Dell provides customers with a private cloud that can be run on-premises or in a co-location facility that offers managed services. Private clouds may also help organisations better control their overall cloud costs, but he emphasises that both have benefits as well as drawbacks. 

“Enterprises are in a bit of a pickle with this,” McCarthy added. “Security concerns are what is driving them to private cloud, but the specialised hardware required to do large-scale AI is expensive and requires extensive power and cooling. This is a problem that companies like Equinix believe they can help solve, by allowing enterprises to build a private cloud in Equinix datacenters that are already equipped to handle this type of infrastructure.”