
The Power of Security Data Lakes: How CISOs Can Drive Accountability


How CISOs can use security data lakes to drive accountability

In today’s digital age, data is the new oil. It is the lifeblood of businesses and organizations, and its protection is paramount. Cybersecurity threats are rising, and CISOs are under immense pressure to ensure their organization’s security posture is robust. Security data lakes are emerging as a powerful tool that can help CISOs and other security leaders drive accountability.

What are security data lakes?

Security data lakes are an architecture that lets security leaders consolidate security data regardless of quantity and variety, making it possible to drive real accountability across their organization. They do this in two ways:

Separating storage from compute, which makes it cost-effective to retain security data at scale and for longer periods.

Making security data part of the company's general-purpose analytics platform, which adds business context and lets insights be delivered through standard reporting tools.

How can CISOs use security data lakes to drive accountability?

CISOs employing security data lakes should treat accountability as a first-class goal, because it is a powerful lever for improving overall security posture. Here are three examples of how security data lakes help CISOs and other security leaders drive accountability:

Evaluate vendors with cold, hard data

Most companies select and evaluate security vendors on simple criteria, such as which data sources and applications they support. A lack of information keeps decision-makers from evaluating vendors on more meaningful factors, such as threat detection performance or vulnerability prioritization accuracy.

Security data lakes let teams identify gaps between the insights vendors provide and what an organization actually experiences. Analyzing data from a ticketing system, for instance, lets the team see how many threats detected by a vendor were false positives or how many vulnerability findings are irrelevant. 

A security product may work great in one company’s environment but less well at another firm. If the team can measure performance across the metrics that matter to the company, it can work with the vendor to help them improve — or determine that the company needs a better tool.

Illuminate flawed processes

If remediation teams consistently fail to address vulnerabilities quickly enough, access to historical data helps surface the problem and pinpoint the processes that need updating so the teams can work more effectively.
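The two preceding points, vendor false-positive rates measured against analyst dispositions and remediation SLA compliance measured from historical findings, are both ordinary joins once detections, tickets and vulnerability findings sit in the same store. The following is an added example, not code from the original post or from any vendor; the table and column names are hypothetical, the rows are constructed sample data, and SQLite stands in for the lake's query engine so it runs offline:

```python
"""Vendor accountability metrics computed from a security data lake.

Added example, not from the original post. It assumes three tables a
lake might hold: vendor detections, the analyst tickets raised on them,
and vulnerability findings with open/close timestamps. Table and column
names are hypothetical; every row below is constructed sample data.
SQLite stands in for the lake's SQL engine so the example runs offline.
"""
import sqlite3

SCHEMA = """
CREATE TABLE detections (
    detection_id TEXT PRIMARY KEY,
    vendor       TEXT NOT NULL,
    host         TEXT NOT NULL,
    detected_at  TEXT NOT NULL      -- ISO-8601 UTC
);
CREATE TABLE tickets (
    detection_id TEXT NOT NULL REFERENCES detections(detection_id),
    disposition  TEXT NOT NULL      -- 'true_positive' | 'false_positive'
);
CREATE TABLE vuln_findings (
    finding_id   TEXT PRIMARY KEY,
    vendor       TEXT NOT NULL,
    severity     TEXT NOT NULL,     -- 'critical' | 'high' | 'medium' | 'low'
    opened_at    TEXT NOT NULL,
    closed_at    TEXT               -- NULL while still open
);
"""

# Constructed sample data: two EDR vendors and one vulnerability scanner.
DETECTIONS = [
    ("d1", "edr_a", "ws-01",  "2023-03-01T10:00:00Z"),
    ("d2", "edr_a", "ws-02",  "2023-03-01T11:00:00Z"),
    ("d3", "edr_a", "ws-03",  "2023-03-02T09:00:00Z"),
    ("d4", "edr_a", "ws-04",  "2023-03-02T09:30:00Z"),
    ("d5", "edr_b", "srv-01", "2023-03-01T12:00:00Z"),
    ("d6", "edr_b", "srv-02", "2023-03-03T08:00:00Z"),
]
TICKETS = [
    ("d1", "false_positive"), ("d2", "false_positive"), ("d3", "true_positive"),
    ("d4", "false_positive"), ("d5", "true_positive"),  ("d6", "true_positive"),
]
FINDINGS = [
    ("v1", "scanner_x", "critical", "2023-01-01T00:00:00Z", "2023-01-05T00:00:00Z"),
    ("v2", "scanner_x", "critical", "2023-01-02T00:00:00Z", "2023-01-30T00:00:00Z"),
    ("v3", "scanner_x", "critical", "2023-01-03T00:00:00Z", None),
    ("v4", "scanner_x", "high",     "2023-01-03T00:00:00Z", "2023-01-10T00:00:00Z"),
]

# Assumed internal SLA: critical findings must be closed within 14 days.
CRITICAL_SLA_DAYS = 14


def load_lake():
    """Build the in-memory stand-in for the lake and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO detections VALUES (?,?,?,?)", DETECTIONS)
    conn.executemany("INSERT INTO tickets VALUES (?,?)", TICKETS)
    conn.executemany("INSERT INTO vuln_findings VALUES (?,?,?,?,?)", FINDINGS)
    return conn


def false_positive_rate_by_vendor(conn):
    """Join each vendor's detections to the analyst disposition; {vendor: fp_rate}."""
    rows = conn.execute("""
        SELECT d.vendor,
               SUM(t.disposition = 'false_positive') * 1.0 / COUNT(*) AS fp_rate
        FROM detections d
        JOIN tickets t ON t.detection_id = d.detection_id
        GROUP BY d.vendor
    """).fetchall()
    return {vendor: round(rate, 2) for vendor, rate in rows}


def critical_sla_report(conn, as_of="2023-02-01T00:00:00Z"):
    """Share of critical findings closed within SLA, and how many open ones are
    already overdue as of `as_of` (still-open findings count once past the SLA)."""
    within, overdue, total = conn.execute("""
        SELECT
          SUM(closed_at IS NOT NULL
              AND julianday(closed_at) - julianday(opened_at) <= :sla) AS within_sla,
          SUM(closed_at IS NULL
              AND julianday(:as_of) - julianday(opened_at) > :sla)    AS open_overdue,
          COUNT(*)                                                      AS total
        FROM vuln_findings
        WHERE severity = 'critical'
    """, {"sla": CRITICAL_SLA_DAYS, "as_of": as_of}).fetchone()
    return {"within_sla_pct": round(100.0 * within / total, 1),
            "open_overdue": overdue, "total": total}


if __name__ == "__main__":
    conn = load_lake()
    print(false_positive_rate_by_vendor(conn))  # {'edr_a': 0.75, 'edr_b': 0.0}
    print(critical_sla_report(conn))            # {'within_sla_pct': 33.3, 'open_overdue': 1, 'total': 3}
```

The point of the join is that the disposition comes from the ticketing system, not from the vendor, so the false-positive rate is the organization's measurement rather than the vendor's marketing figure; likewise the SLA report counts still-open findings as overdue once they pass the threshold, so a backlog cannot hide behind a "closed within SLA" percentage computed only over closed items.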

Identify the root cause of incidents

Because a security data lake retains data from many sources over long periods, an incident's timeline can be reconstructed end to end rather than from whichever tool happened to keep the relevant records, and that completeness is what makes root-cause findings credible.

By analyzing historical incident response data, teams can identify patterns in attack vectors or vulnerabilities that led to incidents. This information can be used to improve incident response processes or identify areas where additional training is needed. 

Espionage Group Suspected of Intruding Into Asian Nation's Power Grid

Earlier this year, cyber attackers targeted an undisclosed Asian country's national power grid using ShadowPad malware, commonly associated with entities linked to the Chinese government, according to cybersecurity experts. 

While Symantec did not explicitly attribute the incident to China, they identified the group as RedFly, who infiltrated the network for up to six months, siphoning credentials and targeting multiple computers. 

ShadowPad, which first emerged in 2017, has also been linked to the APT41 hacking group, which researchers have connected to China's Ministry of State Security and the People's Liberation Army. In recent years, various China-linked groups have employed ShadowPad for cyber-espionage activities.

The attack's initial signs emerged on February 28, when ShadowPad was deployed on a single computer, Symantec reported. The malware reappeared in the network on May 17, indicating that the hackers had maintained access throughout the intervening months.

Over the following week, the attackers worked to broaden their access to storage devices, collect system credentials, and conceal their tracks. They utilized the legitimate Windows application oleview.exe to gain insights into the victim's network and move laterally.
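oleview.exe is a COM object viewer that ships with the Windows SDK, so on a grid operator's workstations and servers, which normally have no SDK installed, any execution is worth a look, and execution from a writable non-SDK directory is the classic staging pattern for DLL side-loading. The following hunt is an added example, not from the article or from Symantec's report; the article says only that oleview.exe was used for reconnaissance and lateral movement, so side-loading is the assumed abuse pattern the second check targets. The event shape is a simplified Sysmon-style process-creation and image-load record, the SDK paths and host baseline are assumptions to be replaced with your own, and all records are constructed sample data:

```python
"""Hunt for abuse of the legitimate oleview.exe in Windows endpoint telemetry.

Added example, not from the article or Symantec's report. Two checks:
  1. oleview.exe executed outside the SDK install path, or on a host that
     has no SDK baseline (hypothetical allow-list `sdk_hosts`).
  2. oleview.exe loading a non-Microsoft-signed DLL from its own directory,
     the assumed DLL side-loading pattern.
Event fields mirror Sysmon Event ID 1 (process create) and 7 (image load)
in simplified form; every record below is constructed sample data.
"""
from dataclasses import dataclass

# Where a legitimately installed oleview.exe lives (Windows SDK roots).
# Assumption: adjust to your fleet's software baseline.
EXPECTED_ROOTS = (
    "c:\\program files (x86)\\windows kits\\",
    "c:\\program files\\windows kits\\",
)


@dataclass
class ProcEvent:
    host: str
    image: str          # full path of the executed binary
    parent_image: str
    user: str


@dataclass
class ImageLoadEvent:
    host: str
    process_image: str  # process that loaded the DLL
    loaded_image: str   # full path of the DLL
    signed_by: str      # Authenticode publisher, "" if unsigned


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def _dirname(path):
    return path.lower().rsplit("\\", 1)[0]


def suspicious_oleview_exec(ev, sdk_hosts=frozenset()):
    """Reason string if this process-creation event warrants triage, else None."""
    if _basename(ev.image) != "oleview.exe":
        return None
    if not any(ev.image.lower().startswith(root) for root in EXPECTED_ROOTS):
        return "oleview.exe executed outside SDK install path (side-loading staging?)"
    if ev.host.lower() not in sdk_hosts:
        return "oleview.exe on host with no SDK baseline"
    return None


def suspicious_sideload(ev):
    """oleview.exe loading a DLL from its own directory that Microsoft did not sign."""
    if _basename(ev.process_image) != "oleview.exe":
        return None
    same_dir = _dirname(ev.process_image) == _dirname(ev.loaded_image)
    if same_dir and ev.signed_by.lower() != "microsoft corporation":
        return f"oleview.exe side-loaded {ev.loaded_image} (signer: {ev.signed_by or 'unsigned'})"
    return None


def hunt(proc_events, load_events, sdk_hosts=frozenset()):
    """Return [(host, reason)] for every event that trips one of the checks."""
    hits = [(e.host, r) for e in proc_events if (r := suspicious_oleview_exec(e, sdk_hosts))]
    hits += [(e.host, r) for e in load_events if (r := suspicious_sideload(e))]
    return hits


# Constructed sample telemetry: one developer box with the SDK, two grid hosts.
SDK_PATH = "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\10.0.22621.0\\x64\\"
PROC_EVENTS = [
    ProcEvent("dev-box-07", SDK_PATH + "oleview.exe", "C:\\Windows\\explorer.exe", "CORP\\dev1"),
    ProcEvent("grid-hmi-02", "C:\\ProgramData\\Intel\\oleview.exe",
              "C:\\Windows\\System32\\cmd.exe", "CORP\\svc_scada"),
    ProcEvent("grid-hist-01", "C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\oleview.exe",
              "C:\\Windows\\System32\\wmiprvse.exe", "CORP\\admin"),
]
LOAD_EVENTS = [
    ImageLoadEvent("grid-hmi-02", "C:\\ProgramData\\Intel\\oleview.exe",
                   "C:\\ProgramData\\Intel\\iviewers.dll", ""),
    ImageLoadEvent("dev-box-07", SDK_PATH + "oleview.exe",
                   SDK_PATH + "iviewers.dll", "Microsoft Corporation"),
]
SDK_HOSTS = frozenset({"dev-box-07"})

if __name__ == "__main__":
    for host, reason in hunt(PROC_EVENTS, LOAD_EVENTS, SDK_HOSTS):
        print(f"{host}: {reason}")
```

The developer box produces no hits because both its path and its host baseline check out and the DLL it loads is Microsoft-signed; the two grid hosts are flagged for different reasons, which is the useful property here: a renamed copy dropped into ProgramData trips the path check, while a copy planted under a legitimate-looking SDK path on a host that should never have the SDK trips the baseline check.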

Dick O'Brien, principal intelligence analyst at the Symantec Threat Hunter Team, expressed concern about the escalating trend of attackers targeting critical national infrastructure (CNI) with malware. He said attacks on CNI are particularly worrisome because of their potential for serious disruption, and stressed that this incident is part of a broader pattern.

Experts warn that the frequency of attacks on CNI organizations has risen over the past year, posing a heightened risk of disruptions to power supplies and essential services during times of heightened political tension.

While Symantec has not observed disruptive actions from RedFly, they acknowledge that such actions have occurred in other regions, underscoring the potential threat.

ShadowPad has been identified in cyberattacks on seven electricity grid management facilities in Northern India, as well as Pakistani government agencies, a state bank, and a telecommunications provider. Critical industries in various countries across Asia and Europe have also been targeted with ShadowPad and other malicious tools.

Designed as a successor to Korplug/PlugX, another strain popular with some Chinese espionage groups, ShadowPad briefly appeared on underground forums, which makes it difficult for researchers to attribute every instance of its use directly to China-based actors.

Cybersecurity Companies Offer Technology Stack Incorporating Zero Trust Edge

The rapid surge in cyberattacks delivering destructive payloads, including ransomware, is attributed in large part to organisations' complacency with legacy IAM, VPN, and perimeter-based network security systems.

CISOs tell VentureBeat that hardware-based systems, which were never intended to guard beyond perimeters, are incapable of detecting the current ransomware and malware-free attacks and have thus become a liability. 

CrowdStrike's latest research shows that 71% of all detections indexed by CrowdStrike Threat Graph are malware-free, demonstrating how dangerous it is to rely on legacy technology that cannot identify the most recent threats.

From solo attackers to large-scale operations funded by organised crime and nation-states, adversaries have learned that legacy VPN, endpoint, and perimeter technologies cannot see a malware-free attack, its planning, or its payloads.

The more siloed security systems are, the more likely an attacker is to gain access and remain unnoticed, in some cases for years, because the organisation relied on perimeter protection for too long after it had already been infiltrated. Healthcare and industry are attackers' primary targets today because even a minor disruption can cost lives and potentially destroy a company.

The Zero Trust Edge Solutions Landscape, Q2 2023, published by Forrester Research, provides insights and useful analysis on how CISOs can transition away from unsafe legacy tech stacks that rely on obsolete perimeter security methodologies and better secure their IT infrastructure with Zero Trust Edge (ZTE).

According to Forrester's research, the primary drivers of ZTE adoption are the shift to remote work and distributed assets, the need for greater business speed, and disruptive vendors offering integrated networking and security. The report also profiles 22 of the market's leading suppliers.

Those vendors are Barracuda Networks, Cato Networks, Cisco Systems, Cloudflare, Cradlepoint, Forcepoint, Fortinet, Google, HPE Aruba Networking, Huawei, iBoss, Juniper Networks, Lookout, Menlo Security, Netskope, Nokia, Open Systems, Palo Alto Networks, Sophos, Versa Networks, VMware, and Zscaler.

Cloud, IoT, and remote-work gaps must be filled immediately

Attackers are out-innovating companies in the most critical areas, beginning with endpoints and moving to gaining control of identities and privileged access credentials. Gaps in legacy tech stacks, long known internally within organisations but not prioritised for repair, are as much to blame as the increasing sophistication of social engineering techniques, especially the growing popularity of pretexting used by attackers to mislead victims. 

Attackers are aware that IT teams struggle with cloud configuration, frequently leaving entire instances and accounts open. IoT is another source of concern; remote access has allowed thousands of organisations around the world to be hacked.

The design aims of Zero Trust Edge (ZTE) centre on tech stack consolidation, lower risk and cost, and better visibility and control across IT infrastructure. ZTE is growing in popularity among CISOs, whose top priority is often to consolidate away from too many vendors while improving efficacy and bolstering security posture.

The goal for CISOs is to consolidate their legacy firmware and hardware systems, as well as software-defined wide area networking (SD-WAN), secure web gateway (SWG), and cloud access security broker (CASB) vendors, into a more integrated, adaptive architecture supported by a core set of vendors.

Defining Zero Trust Edge

Forrester defines ZTE as “a solution that combines security and networking functionalities — such as software-defined WAN (SD-WAN), cloud access security broker (CASB), Zero Trust network access (ZTNA), and secure web gateway (SWG) — that a single vendor can deliver and support in any combination of cloud, software, or hardware components.” The leading use cases, improving application performance, secure cloud access, visibility, and cloud management, all require networking and security to be integrated.

"ZTE is a disruptive and high-stakes architecture," write Forrester's analysts, alluding to ZTE's ability to solve numerous important problems while unifying four fundamental technologies into a cohesive architecture.

Early ZTE pilots are yielding promising results in safeguarding remote workforces, improving remote-site security and reliability through a choice of connectivity options, optimising networking, and simplifying security administration. Moving ZTE's discrete components to cloud-based managed and monitored services, according to CISOs and their pilot teams, frees local hardware and systems to be tuned for local workloads.

By selling tech stack consolidation, ZTE presents a significant opportunity for cybersecurity vendors to drive new revenue growth. Legacy network security measures, according to CISOs, have failed to sufficiently secure today's distributed systems with remote workers and cloud-based services. According to one CISO, legacy perimeter systems are equivalent to not having a system deployed at all because they are beyond the point of blocking threats devised less than a year ago. 

Legacy network practices have left gaps in organisations' capacity to secure resources, continuously improve efficiency, and respond quickly to new digital business initiatives. ZTE addresses these issues by integrating security and networking capabilities into a unified, cloud-delivered architecture.

Top vendors are capitalising on ZTE's potential to integrate point solutions into a single product consumed as a service, according to Forrester's ZTE research. This is consistent with CISOs' buying preferences for simplified operating expense (OPEX) models. 

According to Forrester's Security Survey, 2022, an estimated 78% of organisations choose to acquire or consume aggregated features as a service. According to Forrester's analysts, the major vendors' aspirations to deliver a whole turnkey package are ambitious, and "the idea of having a single architecture for all security solutions on an opex basis will be compelling for the SMB/midmarket." Forrester warns that companies providing ZTE are still working to overcome limits in their primary domains.

With CISOs prioritising IT stack consolidation, ZTE has the potential to be the next viable development of security infrastructure. According to CISOs running pilots, ZTE is delivering quantifiable advantages in operations performance, more effective endpoint and identity security, and lower costs as a result of standardising on a unified architecture. The market dynamics indicate that ZTE is the new revenue engine that cybersecurity providers require.

Top ZTE applications

Forrester highlighted six key use scenarios in which ZTE provides the highest value. Underpinning them all is a significant emphasis on enhancing network performance and reliability while increasing cyber-resilience.

Banking and financial industry CISOs tell VentureBeat that ZTE's use case of giving cloud-secure access and securing virtual work teams utilising Zero Trust Network Access (ZTNA) is already part of their pilots. Every pilot VentureBeat has learned of is collecting real-time and historical network statistics to assess visibility and observability advantages.

In addition to the core use cases, Forrester found four further Zero Trust Edge use cases in which CISOs are less interested but which show meaningful vendor differentiation: end-to-end visibility and governance across all network segments; credential mapping, which unifies user identities across systems and makes access policies easier to implement; unauthorised access detection and prevention, which guards against credential tampering and insider threats; and web content filtering of external sites, which extends acceptable use policies.

ZTE represents a watershed moment in the way businesses safeguard their virtual teams and remote workers, assets, cloud environments, and expanding IoT networks.

Legacy approaches to network, device, endpoint, and identity security, according to CISOs, can't keep up with the speed and complexity of cyberattacks. ZTE provides a cloud-centric paradigm that may be consumed as a service and paid for as an operating expense by combining networking and security.

The differences in scope and tactics among the 22 ZTE vendors covered in the study demonstrate how varied the enterprise needs are that each is attempting to fulfil. According to VentureBeat, the initial ZTE pilots are meeting expectations by supporting new digital-first revenue efforts while plugging the gaps in tech stacks that previously led to intrusions and breaches.

Forrester forecasts that larger companies will take a multivendor approach in the near term, combining best-of-breed ZTE components from the market leaders highlighted in its analysis. ZTE's core value proposition of simplification and consolidation makes it a viable option for SMBs and midsize firms looking to standardise on a uniform architecture.

The demand for a solution that can tackle the most difficult multicloud and hybrid cloud security concerns, as well as support remote work and zero trust programmes, is growing. ZTE is well positioned to benefit from these market dynamics.



Ransomware Attack Compromises Indigo Employees' Data


As per Indigo Books & Music Inc., a ransomware attack compromised the data of current and former employees at Canada's largest bookstore chain. Indigo said in a statement on its website that the February 8 breach left no evidence that customers' personal information, such as credit card numbers, had been accessed, but that "some employee data was." 

The Toronto-based retailer announced that it has contracted with consumer reporting agency TransUnion of Canada to provide employees with free credit monitoring and identity theft protection for two years. Customers still cannot make online purchases, except for "select books," after Indigo shut down its website and app because of a "cyberattack" last week.

When the incident started more than two weeks ago, Indigo could only process in-store cash purchases, but some of its services, such as over-the-counter credit and debit payments, exchanges, and returns, have since been revived. The company hired third-party experts to probe and resolve the issue, but the incident was not publicly acknowledged as a ransomware attack affecting employees until this week.

“Both current and former employees are being notified that their information may have been impacted,” the statement reads.

Data breaches have become common in the corporate and public sectors, with Canadian retailers experiencing an increase in cyberattacks in recent months.

Late last year, Sobeys' parent company, Empire Co. Ltd., experienced a security breach. Customers were unable to fill prescriptions at the chain's pharmacies for four days after the incident in November, and other in-store functions such as self-checkout machines, gift card use, and loyalty point redemption were unavailable for about a week.

Empire later stated that the attack would cost $25 million after insurance recoveries. 

In January, the Liquor Control Board of Ontario experienced a "malicious" cybersecurity incident that disrupted online sales, and a ransomware attack disrupted operations at Toronto's Hospital for Sick Children in December.