Enterprise Security Weekly #237
1. Cyber Hat Trick: How Ransomware Gangs Exfiltrate, Encrypt & Exploit – Matt Cauthorn – ESW #237
Exfiltrate. Encrypt. Exploit. In 2021, ransomware attackers moved beyond exfiltrating and encrypting data to extract a ransom, working to compromise the victim’s build server to introduce an exploit through which to launch large-scale attacks. VP of Cloud Security Matt Cauthorn joins Security Weekly to walk through the lateral movements these attackers use to pull off the Cyber Hat Trick.
This segment is sponsored by ExtraHop Networks.
Visit https://securityweekly.com/extrahop-rsac to learn more about them!
In an overabundance of caution, we have decided to flip this year’s SW Unlocked to a virtual format. The safety of our listeners and hosts is our number one priority. We will miss seeing you all in person, but we hope you can still join us at Security Weekly Unlocked Virtual! The event will now take place on Thursday, Dec 16 from 9am-6pm ET. You can still register for free at https://securityweekly.com/unlocked.
Matt Cauthorn is responsible for all security implementations and leads a team of technical security engineers who work directly with customers and prospects. A passionate technologist and evangelist, Matt is often on site with customers working to solve the complex and mission-critical business problems that Fortune 1000 and Global 2000 companies face. After years spent helping customers tap into the value offered by network-based analytics, Matt has been able to bring fresh thinking to security threat detection. Prior to ExtraHop, Matt was a Sales Engineering Manager at F5, and before that he started his career in the trenches as a practitioner, where he oversaw application hosting, infrastructure, and security for five international data centers.
2. The State of CyberSecurity Ops in a Ransomware Filled Hybrid Work World – David Finger – ESW #237
Ransomware is flourishing and our endpoints are scattered outside the corporate network. Visibility is a challenge in this age of decentralized corporate assets.
Our discussion today will explore the problem from two sides. On the endpoint, where much of the battle against ransomware tends to be fought, is prevention a lost battle? Regardless of hopes for better prevention, it is clear that the ability to detect and respond is as important as ever, so we'll discuss how security operations should be positioning themselves.
This segment is sponsored by Fortinet.
Visit https://securityweekly.com/fortinet to learn more about them!
SC Media debuts its all-new SC digital experience, fully integrated with Security Weekly podcast content and more. The new site increases the scope and scale of original content resources from editorial staff, contributors, and the far-reaching CyberRisk Alliance network. Visit www.scmagazine.com to check out the new look!
David Finger has spent more than 14 years in the enterprise security space, currently at Fortinet and previously with Trend Micro, Proofpoint and Sana Security, among others. His direct customer engagement spans security challenges and solutions from endpoint and server through gateway and cloud, for both threat and data protection, all around the world.
3. Corelight Smart PCAPs, Shifting Left, Tenable AD Security, & Tube Vulns – ESW #237
In the Enterprise News: Armis identifies nine vulnerabilities in pneumatic tube systems, Corelight introduces Smart PCAP, SolarWinds disputes a shareholder lawsuit, Code42 and Rapid7 partner, and more news from this week at Black Hat 2021!
CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey.
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
- 1. Tenable Helps Organisations Disrupt Attacks with New Active Directory Security Readiness Checks - "Organisations can immediately use the checks to assess their exposure to a range of risks, including Kerberoasting attacks, poorly configured or managed passwords and vulnerable encryption protocols. From there, security teams can take remedial action to close these potential attack paths before they are used against them." - This is great, but 1) I want to automate fixing them as best I can, 2) I want to know once the control has drifted back to a vulnerable state, 3) I still need lots of monitoring, as some things in AD can't be easily fixed (this is not Tenable's problem or fault, though I think they can do better in #1 and #2).
- 2. Join the panel: Shifting security left with DevSecOps - The concept is pretty simple: you can't just "shift left" and magically have a secure application. Security testing and remediation must be applied to all stages of software development and application deployment. Wow, I made that sound easy; it's not. You need automation and workflow processes and tools. For example, each time a new version of code is submitted (let's say via Git), you should build the application, then scan it, then send the results back to someone who can fix it. The complicated parts: How many code commits should trigger a build? What should the application be scanned for, and how? What results stop the build from going to production?
- 3. Armis Identifies Nine Vulnerabilities in Critical Infrastructure Used by Over 80% of Major Hospitals in North America - And here I thought these were just used in banks: "nine critical vulnerabilities in the Nexus Control Panel, which powers all current models of Translogic’s pneumatic tube system (PTS) stations by Swisslog Healthcare. The Translogic PTS system is a critical infrastructure for healthcare used in more than 3,000 hospitals worldwide. The system is responsible for delivering medications, blood products, and various lab samples across multiple departments of a hospital. The discovered vulnerabilities can enable an unauthenticated attacker to take over PTS stations and gain full control over the tube network of a target hospital. This type of control could enable sophisticated ransomware attacks that can range from denial-of-service of this critical infrastructure to full-blown man-in-the-middle attacks that can alter the paths of the networks’ carriers, resulting in deliberate sabotage of the workings of the hospital."
- 4. Qualys To Lead Four Sessions At Black Hat And DEF CON 2021 - This session, "Taming Vulnerability Management Overload", is described as one that "unpacks the importance of vulnerability patching to discuss why companies fail to patch promptly - even when patches are available - and other barriers companies face that delay patching." I really thought we'd be done talking about this, but we're not. Also, Qualys has done a great job of enabling you to just apply the patch when a vulnerability is found. So, yeah, you should just do that.
- 5. Corelight Introduces Smart PCAP to Give Security Teams Immediate Access to the Right Network Evidence - "Smart PCAP is a new licensed feature that offers a cost-effective alternative to full packet capture, delivering weeks to months of packet visibility interlinked with Corelight logs, extracted files, and security insights for fast pivots and investigation. Unlike other solutions that offer selective PCAP capabilities, Corelight Smart PCAP is encryption-aware, tracks protocol activity across ports, and directly integrates with the security gold standard for network evidence, Zeek. With Corelight, analysts can configure and selectively capture packets based on:" - So are Smart PCAPs full PCAPs, or just the most significant bits?
- 6. SolarWinds says shareholders’ cyber disclosure lawsuit fails - Do you believe this case should just be thrown out?
- 7. Code42 and Rapid7 Partner to Deliver Enhanced Detection and Investigation of Insider Threat Events - "Code42® Incydr™ product with Rapid7 InsightIDR. Security teams using InsightIDR with the Code42 Incydr integration will have the ability to identify, prioritize and triage the most critical insider threat events – data leakage, theft or malicious attempts to conceal file exfiltration. Code42 Incydr is the first data source dedicated to insider threat events to be accessible to InsightIDR users."
- 8. Ivanti Buys RiskSense To Boost Risk Assessment and Patch Intelligence Capabilities — Redmondmag.com
- 9. SentinelOne Unveils Storyline Active Response (STAR) To Transform XDR
- 10. Optiv Security Launches Next-Gen Managed XDR to Stop Threats Earlier in Attack Lifecycle, Minimize Business Impact
- 11. WhiteSource Launches Cure, the Industry’s First Self-Fixing Software - Light on details, but I like where this is going: "Application security testing tools today are too often focused on finding issues, rather than fixing them, generating a constant flow of security alerts that overwhelms organizations. Meanwhile, processes for deciding what security issues to address first, and then fixing these issues are manual and time-intensive. This also requires security knowledge that even experienced developers, who are at the heart of the shift left revolution, might lack -- let alone novice ones. WhiteSource Cure relieves the application security workload through automation, providing developers with code they can trust."
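On the Tenable item above, the host's second and third wishes (know when a control drifts back, keep monitoring what can't be fixed) are a small program, not a product feature. The following is an added example written for this page, not Tenable's code and not its check set: it runs a handful of constructed readiness checks over two constructed account snapshots and diffs the results into "regressed" and "fixed". The bit values for userAccountControl and msDS-SupportedEncryptionTypes are the real AD definitions; the check names, the Account type and the sample accounts are this example's own assumptions, standing in for what you would pull out of AD.

```python
"""Added example (not Tenable's code): toy AD readiness checks plus drift detection between snapshots.

Everything below the constants is constructed for this example: the Account type stands in
for attributes normally read from AD, and the check names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Real userAccountControl bit values from the AD schema.
UF_PASSWD_NOTREQD = 0x0020
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_USE_DES_KEY_ONLY = 0x200000
# Real msDS-SupportedEncryptionTypes bit values.
ENC_RC4_HMAC = 0x4
ENC_AES128 = 0x8
ENC_AES256 = 0x10


@dataclass
class Account:
    name: str
    uac: int = 0
    spns: List[str] = field(default_factory=list)
    enc_types: int = 0          # 0 means the attribute is unset on the object
    is_computer: bool = False


def check_account(acct: Account) -> Set[str]:
    """Return the set of readiness-check failures for one account (constructed check names)."""
    findings: Set[str] = set()
    if acct.spns and not acct.is_computer:
        # A user account with an SPN is a Kerberoasting target; if it must exist, keep watching it.
        findings.add("user-spn-kerberoastable")
        # With the attribute unset, the KDC will still issue RC4 service tickets, which crack far faster than AES.
        if acct.enc_types == 0 or acct.enc_types & ENC_RC4_HMAC:
            findings.add("rc4-service-ticket-allowed")
    if acct.uac & UF_DONT_EXPIRE_PASSWD:
        findings.add("password-never-expires")
    if acct.uac & UF_PASSWD_NOTREQD:
        findings.add("password-not-required")
    if acct.uac & UF_USE_DES_KEY_ONLY:
        findings.add("des-only-keys")
    return findings


def run_checks(accounts: List[Account]) -> Dict[str, Set[str]]:
    """Map account name -> failures, keeping only accounts that failed at least one check."""
    report: Dict[str, Set[str]] = {}
    for acct in accounts:
        failed = check_account(acct)
        if failed:
            report[acct.name] = failed
    return report


def drift(baseline: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Diff two check reports: (findings that are new or came back, findings that were fixed)."""
    regressions: Dict[str, Set[str]] = {}
    fixed: Dict[str, Set[str]] = {}
    for name in set(baseline) | set(current):
        before = baseline.get(name, set())
        after = current.get(name, set())
        if after - before:
            regressions[name] = after - before
        if before - after:
            fixed[name] = before - after
    return regressions, fixed


# Constructed snapshot taken right after remediation: svc_sql was moved to AES-only tickets.
BASELINE_SNAPSHOT = [
    Account("svc_sql", spns=["MSSQLSvc/db01.corp.example:1433"], enc_types=ENC_AES128 | ENC_AES256),
    Account("svc_backup", uac=UF_DONT_EXPIRE_PASSWD),
    Account("db01$", spns=["HOST/db01.corp.example"], is_computer=True),
]
# Constructed snapshot a week later: svc_sql's encryption types were reset, svc_backup was fixed, tmp_admin appeared.
CURRENT_SNAPSHOT = [
    Account("svc_sql", spns=["MSSQLSvc/db01.corp.example:1433"], enc_types=0),
    Account("svc_backup", uac=0),
    Account("db01$", spns=["HOST/db01.corp.example"], is_computer=True),
    Account("tmp_admin", uac=UF_PASSWD_NOTREQD),
]


def drift_report() -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    return drift(run_checks(BASELINE_SNAPSHOT), run_checks(CURRENT_SNAPSHOT))


if __name__ == "__main__":
    regressed, fixed = drift_report()
    print("regressions:", regressed)
    print("fixed:", fixed)
```

The drift output is what you would alert on: a regression on svc_sql means somebody reset the encryption types, while svc_sql's standing "user-spn-kerberoastable" finding never clears and is exactly the kind of thing that needs ongoing monitoring rather than a one-time fix.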
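The shift-left item above ends on three open questions: how many commits should trigger a build, what to scan for, and which results stop the build from reaching production. The following is an added example written for this page, not code from the episode or from any vendor mentioned, showing one way to answer the first and third in a small gate that sits after the scanner. The scanner output format (a simplified, SARIF-like JSON), the policy fields and the sample findings are all constructed for this example; a real pipeline would feed in the actual scanner report and read the policy from the repository.

```python
"""Added example (not from the episode or any vendor): a build gate for a commit -> build -> scan -> decide pipeline.

Constructed for this example: the scan JSON shape, the GatePolicy fields and the sample findings.
"""
import json
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output for one build (simplified, SARIF-like).
SCAN_OUTPUT = json.dumps({"findings": [
    {"rule": "sql-injection", "severity": "critical", "file": "app/db.py", "line": 42, "fingerprint": "a1"},
    {"rule": "hardcoded-secret", "severity": "high", "file": "app/config.py", "line": 7, "fingerprint": "b2"},
    {"rule": "weak-hash-md5", "severity": "medium", "file": "lib/legacy.py", "line": 101, "fingerprint": "c3"},
    {"rule": "debug-enabled", "severity": "low", "file": "app/settings.py", "line": 3, "fingerprint": "d4"},
]})


@dataclass
class GatePolicy:
    block_at: str = "high"                       # this severity and above stops the build
    # fingerprint -> ISO expiry date for findings a human has accepted; expired acceptances stop counting
    accepted: Dict[str, str] = field(default_factory=dict)
    min_commits: int = 1                         # build once this many commits are queued...
    max_wait_seconds: int = 900                  # ...or once the oldest queued commit has waited this long


@dataclass
class GateResult:
    blocked: bool
    blocking: List[dict]
    waived: List[dict]
    reasons: List[str]


def should_build(queued_commits: int, oldest_wait_seconds: int, policy: GatePolicy) -> bool:
    """Answer 'how many commits should trigger a build?' with a count-or-age rule."""
    if queued_commits == 0:
        return False
    return queued_commits >= policy.min_commits or oldest_wait_seconds >= policy.max_wait_seconds


def load_findings(scan_json: str) -> List[dict]:
    """Parse the scanner report and reject severities the policy cannot rank."""
    findings = json.loads(scan_json)["findings"]
    for f in findings:
        if f["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f['severity']!r} in {f['rule']}")
    return findings


def evaluate(findings: List[dict], policy: GatePolicy, today_iso: str) -> GateResult:
    """Decide whether the build may go to production; everything below the gate is reported, not blocked."""
    today = date.fromisoformat(today_iso)
    threshold = SEVERITY_RANK[policy.block_at]
    blocking: List[dict] = []
    waived: List[dict] = []
    reasons: List[str] = []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue
        where = f"{f['rule']} at {f['file']}:{f['line']}"
        expiry_iso = policy.accepted.get(f["fingerprint"])
        if expiry_iso is not None and date.fromisoformat(expiry_iso) >= today:
            waived.append(f)
            reasons.append(f"{where} accepted until {expiry_iso}")
        else:
            blocking.append(f)
            note = " (acceptance expired)" if expiry_iso is not None else ""
            reasons.append(f"{f['severity']} {where} blocks{note}")
    return GateResult(bool(blocking), blocking, waived, reasons)


def gate_build(scan_json: str, policy: GatePolicy, today_iso: str) -> GateResult:
    return evaluate(load_findings(scan_json), policy, today_iso)


if __name__ == "__main__":
    policy = GatePolicy(accepted={"a1": "2021-12-31"})
    result = gate_build(SCAN_OUTPUT, policy, "2021-08-10")
    print("BLOCKED" if result.blocked else "PASSED")
    for line in result.reasons:
        print(" -", line)
```

Two design points carry most of the value: acceptances are keyed by a stable fingerprint and expire, so a waived finding does not silently become permanent, and the gate only blocks at or above a threshold while still handing the rest back to whoever can fix it, which keeps "send the results back to someone" from turning into "block every commit".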
- 1. SentinelOne Unveils Storyline Active Response (STAR) To Transform XDR - Struggling a bit through the word salad in this one also. This article is about "SentinelOne Storyline Active Response" (STAR), which is going to "transform XDR". Does that mean it isn't XDR? Is it supplemental? It integrates with SentinelOne's ActiveEDR. Replaces the need for manual and one-off EDR activities... by allowing customers to manually create automated rulesets? But then, SentinelOne's Singularity XDR platform is built on top of STAR, apparently. So EDR + STAR = XDR, sounds like. EDR pulls the data and performs the actions, while STAR enables practitioners to create detection rules and pair them with automated responses. Oh, no - STAR is actually one of a pile of XDR "power tools", so this is more like a module that plugs into Singularity XDR. They also have:
  - Extended Data Retention (which sounds more like extra hard drives, not a feature or tool)
  - Binary Vault (analyze new, unknown binaries - like WildFire or VirusTotal)
  - Remote Script Orchestration (collection of pre-made scripts for various stuff)
  - Cloud Funnel (redirect EDR data to a different tool)
- 2. NEW PRODUCT: Optiv Security Launches Next-Gen Managed XDR to Stop Threats Earlier in Attack Lifecycle, Minimize Business Impact - The overall trend of XDR is strong and, as we've mentioned on previous episodes, is evolutionary, not revolutionary. A somewhat newer trend, however, is XDR offerings from MSSPs and, in general, MSSPs trying to move towards valuations that look more like software companies than services companies. This started with the move from MSSP (we'll keep it running) to MDR (we'll find the attackers) and now to XDR (we'll find the attackers better). SecureWorks built an XDR offering out of their Red Cloak EDR product, Arctic Wolf is being valued at software startup multiples, and Bishop Fox has taken funding from Forgepoint to create and market a subscription product. The big question is: can they do a better job of running security than we can? Should we welcome this change? Optiv is using Devo as the back end for its XDR product, which also begs the question: when a reseller gets into the software/ARR game, is it going to hurt their relationship with competing products that they sell? How does SentinelOne feel about Optiv's XDR offering? Also, get a load of this word soup and what it takes to make a qualifying statement that's unique in this insanely crowded market: "Optiv MXDR is the only managed cloud-based, next-gen advanced threat detection and response service that ingests data across various layers of technologies to correlate, normalize, enrich, and enable automated responses to malicious activity in real-time"
- 3. FUNDING: DNSFilter Raises $30 Million in Series A Funding - $30m Series A is healthy, especially with names like Dmitri Alperovitch attached to it. It's apparently using a number of different methods, including AI, to determine if a DNS entry is malicious or not. If it's a website, they do image analysis on it, like PIXM. They analyze the website content. They look at where the IP is hosted, who owns the domain, age of domain, etc. Some of that isn't new, some of it is, but a DNS firewall still seems like an approach worth investing in. At least, as long as it doesn't impact performance or run into too many false positives. Also, through this article, I learned that GCHQ's National Cyber Security Centre runs something called "Active Cyber Defence", or ACD. The idea is that they'll run secure services for the whole nation (including secure DNS), but it's only available to government institutions so far. Read more about ACD here: https://www.securityweek.com/inside-uks-active-cyber-defense-program
- 4. FUNDING: Bug Bounty and VDP Platform YesWeHack Raises $18.8 Million - YesWeHack isn't new; it's a bug bounty platform provider that has actually been around for a while. Because it caters specifically to Europe and European challenges (researcher residency) and constraints (GDPR), we don't hear about it as much over here in the US. The $18.8m raise is a Series B, which sounds about right for this market. I'm still not sure if the jury is in on whether these platforms can be profitable or how to value them properly. We haven't seen an exit in this market, and I'm not even sure what an exit would look like - I've struggled to imagine who an acquirer might be.
- 5. FUNDING: Cyber Risk Management Firm Safe Security Raises $33 Million - This one is yet another scorecard vendor, the 7th on my list so far. The interesting bit here is that BT Group led the round, which got them exclusive rights to resell it.
- 6. LEADING THOUGHTS: The Presenting Vendor Paradox - Daniel Miessler always has good pieces to make you think, and this one is no exception. Talk content is often full of boring stuff from vendors, and people generally want better content. The paradox lies in that a lot of the best experts that you want to hear from work for vendors. TL;DR here, in my opinion, is that the problem isn't vendors giving talks, it's vendors giving BAD talks. It's not so much a vendor issue as a quality issue. Personally, I've probably seen more crappy talks given by non-vendors than vendors, and this is always a challenge for event planners: how do you pick the best talks based on a 350-word abstract?
- 7. Robo-Lawyer Valued at $210 Million With Backing From Andreessen
- 8. FUNDING: Managed cybersecurity startup SolCyber emerges from stealth with $20M - SolCyber was founded by ForgePoint and was kicked off with a $20M round. They're an MSSP and seem like they're aimed squarely at some of that giant Arctic Wolf valuation!