Daily Archives: October 29, 2020

US hospitals warned of threat of imminent ransomware attack

US hospitals and healthcare providers have been warned that there is evidence of a credible and imminent threat that they will be targeted by ransomware. In an alert jointly released by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS), the agencies reveal that it has "credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers." Read more in my article on the Bitdefender Business Insights blog.

Employee Spotlight: Nurul Mohd-Reza, Customer Retention Specialist

Reading Time: ~ 4 min.

Nurul Mohd-Reza knows how to empathize with the customers she serves. Her work with marginalized groups as a college student, she says, helped prepare her for when the pandemic turned many of her customers’ businesses upside down last March.

Here she discusses what she’s learned after just 10 months in the industry and provides some advice for those looking to dive headfirst into something new.

Tell us a little bit about your career background. How did you get to where you are today?

I started working at Webroot back in January, so my time here hasn’t been long. For most of my collegiate career I worked in the Division of Student Affairs at CU Boulder, focusing specifically on leadership and development. I served as a student advisor to university officials and local businesses. And so, as time went on, I became very interested in the dynamic between people and business. From there, I knew I wanted to dive deeper into this realm but was unsure on how to get started. So after college I began working in healthcare operations.

I believe what got me interested in this career path was when I attended Denver Start Up Week, which was a phenomenal experience. It opened my eyes to the unfamiliar world of customer success. Seeing how companies used technology and data to proactively understand their customer persona, and on top of that, scale engagements to fit their customer’s needs was truly insane. I thought what better way of molding my interests than being on the front lines serving as an advocate between people and product.

And how did you land at Webroot specifically?

It’s a funny story. I had come across this position and halfway through filling out the application I thought I might not be well-equipped for the role, so I actually ended up not finishing the application. And then a recruiter reached out to me and said they were interested in starting a conversation. It was unconventional, but I’m very grateful she reached out because it gave me an opportunity to explain my transition and why I wanted to make that jump into tech. 

From there, I ended up interviewing here at Webroot and it was a great experience overall. Being early on in my career, I knew I wanted to work in an environment that obviously fostered growth, professionally and personally. After speaking with my current boss, I was very optimistic about the trajectory of Webroot, as well as the vision for Customer Success and this team specifically.

What are your core responsibilities as a customer retention specialist?

I would say my time is split between two main responsibilities. My primary role is to oversee the renewal process for a subset of SMBC contracts projected for the quarter. On the other hand, we are a customer facing role. So handling business customer inquiries as they arise. This involves everything from advising customers on certain buying decisions to providing in-product guides.

However, we are starting to shift our focus on how to effectively connect with customers throughout their lifecycle. Previously, we’ve concentrated on the renewal period which is 90 days before expiration. Now, we’re starting to expand our scope and engage with customers to create those smooth onboarding workflows, as well as push early-on adoption of the product. 

At the end of the day, it’s really about strategy—how do we effectively educate and guide the customer to build depth behind the product in hopes of retaining that relationship for the long haul.

What would you say has been the most significant challenge of your career so far?

I think one of the most significant challenges was switching to an industry I’d never worked in before. The learning curve was steep in terms of familiarizing myself with the products we offer, our workflow with all the various systems we use, and the dynamic relationships between our various partners.

In Customer Success, it’s not simply about securing renewals. The process involves having to solve roadblocks in order to help a customer achieve their goal. We have to work with a range of departments to solve issues the customer is facing—whether it be from a product standpoint or a billing redundancy. So being able to learn each player’s role and then manage those relationships was obviously a challenge to begin with. It’s exciting, though. It keeps you on your feet and you get to meet a lot of new people from diverse backgrounds. 

Another obvious challenge was COVID-19. I had only been working in the office for about two months when the pandemic hit. Learning how to onboard remotely was new and something I had to juggle with most definitely.

What skills do you feel have carried over well from your work in public affairs?

I believe Customer Success is focused on building relationships with our customers—which to my advantage was a valuable skill I carried over from my work in public affairs. In this role, it’s very important to enjoy solving problems and addressing issues head-on. You have to be incredibly flexible and create some sense of fluidity in the midst of a growing que of customer requests.

In my previous role, I worked with marginalized communities to combat an array of social issues. So learning how to communicate with empathy, while also moving with focus and intent was crucial and very much transcends into my current role now.

Do you have a favorite part of the job after 10 months with the company?

I’m optimistic about being able to refine the customer journey. I believe the beauty behind Customer Success is it’s still an unknown territory. Everywhere you look, companies have a different way and methodology on how they interact with the customer. Not to mention, the type of technology and automation coming into play is fascinating.

In addition to that, our team is fairly new, which gives us a range of autonomy to create the structure and the formatting that we believe will best deliver value to our customers throughout their lifecycle. Although we are now part of a 15,000-person organization, it still feels like a start-up environment. We are constantly working to strategize and envision how we want the customer experience to evolve. To me, it’s very exciting to be at the intersection of all these moving parts. 

Any advice for someone in your same situation, looking to cross over into the tech industry?

Well, given my experience, I’d say don’t doubt your capabilities. No experience is wasted experience. Even if you might not be the absolute perfect fit for a position, you have a breadth of skills you’ve developed over the past couple of years that will help mold you into whatever new role you’re interested in.

I believe one of the best pieces of advice I was ever given was don’t close a door on yourself before the opportunity even presents itself. By saying you can’t do this, or you don’t have the skills for that, you’ve already blocked out all these great possibilities. So be open to new experiences and don’t hold back.

To see what positions are available for you at OpenText, visit our careers page here.

The post Employee Spotlight: Nurul Mohd-Reza, Customer Retention Specialist appeared first on Webroot Blog.

I’ve Joined the 1Password Board of Advisers

I've Joined the 1Password Board of Advisers

Almost a decade ago now, I wrote what would become one of my most career-defining blog posts: The Only Secure Password is the One You Can't Remember. I had come to the realisation that I simply had too many accounts across too many systems to ever have any chance of creating decent unique passwords I could remember. So, I set out to find a password manager and 10 Christmas holidays ago now, I spent the best 50 bucks ever:

I've Joined the 1Password Board of Advisers

I chose 1Password way back then and without a shadow of a doubt, it has become one of the most important pieces of software I have ever used. Since that date in 2011, I doubt there's been a single day I haven't used 1Password to log into a website, fill in my credit card details or refer to other notes stored securely within the product. In fact, just thinking about the frequency with which I use the password manager, I must have interacted with 1Password in one way or another tens of thousands of times now. So, I've just kept buying it:

I've Joined the 1Password Board of Advisers

I've been buying the Families Plan because 1Password isn't just for me, it's for everyone and what better time to start learning about securing your online assets than as early as possible:

1Password has been a part of my family for years so my announcement today comes with much excitement: I'm becoming a part of the 1Password family and joining their board of advisers! I'll be devoting a slice of my time to help the company build even better products and services in an era when password management has never been more important. I'll be talking more about the work we're doing together over time but for now, I'm just happy to be joining a great team building important software that makes a meaningful difference to so many people 😊

It’s Cybersecurity Awareness Month and there is still a lot to do

October is National Cyber Security Awareness Month (NCSAM). And there is still a lot to do!

For the last 17 years, the National Cybersecurity Awareness Month (NCSAM) campaign, driven by the Department of Homeland Security, has raised awareness about the importance of cyber security across the Nation with the mission of ensuring that all Americans have the resources they need to be safer and more secure online.

In alignment with this noble mission, Microsoft Security is providing educational content and executive speakers to empower our customers, employees and families. Tune into the CyberTalks recap to listen to the keynoted delivered by @Ann Johnson, Corporate Vice President of Security, Compliance and Identity, on how to future proof your security strategy.

Cyber security podcasts

In addition to the blog series that is taking over our blog in October, Microsoft Security is also sponsoring two security podcasts in CyberScoop.com we want to encourage our community to tune in and listen to both conversations.

  • Available nowEnabling secure remote work by embracing Zero Trust—One of the greatest challenges we often hear from public and private sector CISOs, when it comes to achieving a Zero Trust IT operating environment, is the question of how to tackle such a massive undertaking—and where to begin. Tune in to listen to CTO, Steve Faehl, to learn more about Microsoft’s journey towards Zero Trust.
  • Available October 19: Risk Reduction—Podcast featuring GM, Alym Rayani who delivers an in-depth conversation about compliance and its connection to security.

Additional security blogs to read

Government agency audit traceability

The reality today for many government agencies is there is no audit traceability to determine which email messages and content an attacker may have seen during a breached session into a user’s mailbox. The standard level of Office 365 auditing includes events that a user logged into their mailbox but does not include detailed information on the activity that occurs within the mailbox. As a result, organizations have no choice but to assume all content within the mailbox is compromised whether sensitive data or PII was viewed by the adversary. To learn more about how using Advanced Audit can help improve forensic investigation capability, read this blog from Matthew Littleton, Principal Technical Specialist on this Public Sector blog.

Top 5 security questions asked by US Government customers

In an era of remote work, end users wanted to collaborate with outside agencies but in a way that meant their data was secure. IT Admins wanted to know which configuration options best fit their organization’s security posture. CIO’s wanted to lean in and give their workforce the best in class technology, all while following US Government accreditation standards. The common theme in most questions asked by our customers was around security. Read more about the top 5 security questions asked by our US Government customers for Microsoft Teams.

October is my favorite time of year, between the change of season, Major League Baseball playoffs, and with football underway. It’s also National Cybersecurity Awareness Month, though with so many cyberattacks and incidents in the news, one month of dedicated focus hardly seems sufficient. Learn how Microsoft delivers on an end-to-end security strategy to reduce risk and deliver on its commitment to customers.

Working with the enemy

With so many external cyber threats facing Government agencies, it can be easy to overlook risks from insiders. Learn how Predictive Analytics can help agencies reduce risk and identify insider threats at scale.

To learn more about how to be #Cybersmart visit the cybersecurity website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post It’s Cybersecurity Awareness Month and there is still a lot to do appeared first on Microsoft Security.

Catch the Most Sophisticated Attacks Without Slowing Down Your Users

Most businesses cannot survive without being connected to the internet or the cloud. Websites and cloud services enable employees to communicate, collaborate, research, organize, archive, create, and be productive.

Yet, the digital connection is also a threat. External attacks on cloud accounts increased by an astounding 630% in 2019. Ransomware and phishing remain major headaches for IT security teams, and as users and resources have migrated outside of the traditional network security perimeter, it’s become increasingly difficult to protect users from clicking on a link or opening a malicious file.

This challenge has increased the tension between two IT mandates—allowing unfettered access to necessary services, while preventing attacks and blocking access to malicious sites. Automation helps significantly with modern security pipelines blocking about 99.5% of malicious and suspicious activity by filtering known bad files and sites, as well as using sophisticated anti-malware scanning and behavioral analytics.

Security is a lot of work

However, the remaining half of 1% still represents a significant number of sites and potential threats that require time for a team of security analysts to triage. Therefore, IT managers are faced with the challenge of devising balanced security policies. Many companies default to blocking unknown traffic, but over-blocking of web sites and content can hinder user productivity while creating a surge in help-desk tickets as users attempt to go to legitimate sites that have not yet been classified. On the flipside, web policies that allow access too freely greatly increases the likelihood of serious, business-threatening security incidents.

With a focus on digital transformation, accelerated by the change in work habits and locations during the pandemic, companies need flexible, transparent security controls that enable safe user access to critical web and cloud resources without overwhelming security teams with constant help desk calls, policy changes, and manual triaging. Remote Browser Isolation – if implemented properly – can help achieve this.

While security solutions leveraging URL categorization, domain reputation, antivirus, and sandboxes can stop 99.5% of threats, remote browser isolation (RBI) can handle the remaining unknown events, rather than the common strategy of choosing to rigidly block or allow everything. RBI allows web content to be delivered and viewed in a safe environment, while analysis is conducted in the background. Using RBI, any request to an unknown site or URL that remains suspicious after traversing the web protection defense-in-depth pipeline will be rendered remotely, preventing any impact to a user’s system in the event the content is malicious.

Relying on RBI

Remote browser isolation blocks malicious code from running on an employee’s system just because they clicked a link. The technology will also prevent pages from using unprotected cookies to try and gain access to protected web services and sites. Such protections are particularly important in the age of ransomware, when an inadvertent click on a malicious link can lead to significant damage to a company’s digital assets.

Given the benefits of remote browser isolation, some companies have deployed the technology to render every site. While this can very effectively mitigate security risk, isolating all web and cloud traffic demands considerable computing resources and is prohibitively expensive from a license cost point of view.

By integrating remote browser isolation (RBI) technology directly into our MVISION Unified Cloud Edge (UCE) solution, McAfee integrates RBI with the existing triage pipeline. This means that the rest of the threat protection stack – including global threat intelligence, anti-malware, reputation analysis, and emulation sandboxing – can filter out the majority of threats while only one out of every 200 requests needs to be handled using the RBI. This dramatically reduces overhead. McAfee’s UCE makes this approach dead simple: rather than positioning remote browser isolation as a costly and complicated add-on service, it is included with every MVISION UCE license.

Full Protection for High-Risk Individuals

However, there are specific people inside a company—such as the CEO or the finance department—with whom you cannot take chances. For those privileged users, full isolation from potential internet threats is also available. This approach ensures full virtual segmentation of the user’s system from the internet and shields it against any potential danger, enabling him to use the web and cloud freely and productively.

McAfee’s approach greatly reduces the risk of users being compromised by phishing campaigns or inadvertently getting infected by ransomware – such attacks can incur substantial costs and impact an organization’s ability to operate. At the same time, organizations benefit from a workforce that is freely able to access the web and cloud resources they need to be productive, while IT staff are freed from the burden of rigid web policies and constantly addressing help-desk tickets. .

Want to know more? Check out our RBI demonstration.

The post Catch the Most Sophisticated Attacks Without Slowing Down Your Users appeared first on McAfee Blogs.

With No Power Comes More Responsibility

You’ve more than likely heard the phrase “with great power comes great responsibility.” Alternatively called the “Peter Parker Principle” this phrase became well known in popular culture mostly due to Spider-Man comics and movies – where Peter Parker is the protagonist. The phrase is so well known today that it actually has its own article in Wikipedia. The gist of the phrase is that if you’ve been empowered to make a change for the better, you have a moral obligation to do so.

However, what I’ve noticed as I talk to customers about cloud security, especially security for the Infrastructure as a Service (IaaS) is a phenomenon I’m dubbing the “John McClane Principle” – the name has been changed to protect the innocent 🙂

The John McClane Principle happens when someone has been given responsibility for fixing something but at the same time has not been empowered to make necessary changes. At the surface this scenario may sound absurd, but I bet many InfoSec teams can sympathize with the problem. The conversation goes something like this:

  • CEO to InfoSec: You need to make sure we’re secure in the cloud. I don’t want to be the next [insert latest breach here].
  • InfoSec to CEO: Yeah, so I’ve looked at how we’re using the cloud and the vast majority of our problems are from a lack of processes and knowledge. We have a ton of teams that are doing their own thing in the cloud, and I don’t have complete visibility into what they’re doing.
  • CEO to InfoSec: Great, go fix it.
  • InfoSec to CEO: Well the problem is I don’t have any say over those teams. They can do whatever they want. To fix the problem they’re going to have change how they use the cloud. We need to get buy-in from managers, but those managers have told me they’re not interested in changing anything because it’ll slows things down.
  • CEO to InfoSec: I’m sure you’ll figure it out. Good luck, and we better not have a breach.

That’s when “with no power comes more responsibility” rings true.

And why is that? The reason being is that IaaS has fundamentally changed how we consume IT and along with that how we scale security. No longer do we submit purchase requests and go through a long, lengthy processes to spin up infrastructure resources. Now anyone with a credit card can spin up the equivalent of a data center within minutes across the globe.

The agility however introduced some unintended changes to InfoSec and in order to scale, cloud security cannot be the sole responsibility of one team. Rather cloud security must be embedded in process and depends on collaboration between development, architects, and operations. These teams now have a more significant role to play in cloud security, and in many cases are the only ones who can implement change in order to enhance security. InfoSec now acts as Sherpas instead of gatekeepers to make sure every team is marching to the same, secure pace.

However, as John McClane can tell you the fact that more teams look after cloud security doesn’t necessarily mean you have a better solution. In fact, having to coordinate across multiple teams with different priorities can make security even more complex and slow you down. Hence the need for a streamlined security solution that facilitates collaboration between developers, architects, and InfoSec but at the same time provides guardrails, so nothing slips throw the cracks.

With that, I’m excited to announce our new cloud security service built especially for customers moving and developing applications in the cloud. We call it MVISION Cloud Native Application Protection Platform – or just CNAPP because every service deserves an acronym.

What is CNAPP? CNAPP is a new security service we’ve just announced today that combines solutions from Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), Data Loss Prevention (DLP), and Application Protection into a single solution. Now in beta with a target launch date of Q1, 2021, we built CNAPP to provide InfoSec teams broad visibility into their cloud native applications. For us, the goal wasn’t how do we slow things down to make sure everything is secure; rather how do we enable InfoSec teams the visibility and context they need for cloud security while allowing dev teams to move fast.

Let me briefly describe what features CNAPP has and list some features that are customer favorites.


The vast majority of breaches in IaaS today are due to service misconfigurations. Gartner famously said in 2016 that “95% of cloud security failures will be the customer’s fault.”Just last year Gartner updated that quote to say “99% of cloud security failures will be the customers’ fault.” I’m waiting for the day when Gartner’s says “105% will be the customer’s fault.”

Why is the percentage so high? There are multiple reasons, but we hear a lot from our customers that there is a huge lack of knowledge on how to secure new services. Each cloud provider is releasing new services and capabilities at a dizzying pace with no blockers for adoption. Unfortunately, the industry hasn’t matched pace of having a workforce that knows and understands how best to configure these new services and capabilities. CNAPP provides customers with the ability to immediately audit all cloud services and benchmark those services against best security practices and industry standards like CIS Foundations, PCI, HIPPA, and NIST.

Within that audit (we call it a security incident), CNAPP provides detailed information on how to reconfigure services to improve security, but the service also provides the ability to assign the security incident to dev teams with SLAs so there’s no ambiguity on who owns what and what needs to change. All of these workflows can be automated so multiple teams are empowered in near real-time to find and fix problems.

Additionally, CNAPP has a custom policy feature where customers can create policies for identifying risky misconfigurations unique to their environments as well as integrations with developer tools like Jenkins, Bitbucket, and GitHub that provide feedback on deployments that don’t meet security standards.


IaaS platforms have become catalysts for Open Source Software (OSS) like Linux (OS), Docker (container), and Kubernetes (orchestration). The challenge with using these tools is the inherit risk of Common Vulnerabilities and Exposures (CVE) found in software libraries and misconfigurations in deploying new services. Another famous quote by Gartner is that “70% of attacks against containers will be from known vulnerabilities and misconfigurations that could have been remediated.” But how does the InfoSec team quickly spot those vulnerabilities and misconfigurations, especially in ephemeral environments with multiple developer teams pushing frequent releases into CI/CD pipelines?

Based on our acquisition of NanoSec last year, CNAPP provides full workload protection by identifying all compute instances, containers, and container services running in IaaS while identifying critical CVEs, misconfigurations in both repository and production container services, and introducing some new protection features. These features include application allow listing, OS hardening, and file integrity monitoring with plans to introduce nano-segmentation and on-prem support soon.

Customer Favorites

We’ve had a great time working jointly with our customers to release CNAPP. I’d like to highlight some of the use cases that have proven to be game changers for our customers.

  • In-tenant DLP scans: many of our customers have legitimate use cases for publicly exposed cloud storage services (sometimes referred to as buckets), but at the same time need to ensure those buckets don’t have sensitive data. The challenge with using DLP for these services is many solutions available in the market copy the data into the vendor’s own environment. This increases customer costs with egress charges and also introduces security challenges with data transit. CNAPP allows customers to perform in-tenant DLP scans where the data never leaves the IaaS environment, making the process more secure and less expensive.
  • MITRE ATT&CK Framework for Cloud: the language of Security Operation Centers (SOC) is MITRE, but there is a lot of nuance in how cloud security incidents fit into this framework. With CNAPP we built an end-to-end process that maps all CSPM and CWPP security incidents to MITRE. Now InfoSec and developer teams can work more effectively together by automatically categorizing every cloud incident to MITRE, facilitating faster responses and better collaboration.
  • Unified Application Security: CNAPP is built on the same platform as our MVISION Cloud service, a Gartner Magic Quadrant Leader for Cloud Access Security Broker (CASB). Customers are now able to get detailed visibility and security control over their SaaS applications along with applications they are building in IaaS with the same solution. Our customers love having one console that provides a holistic picture of application risk across all teams – SaaS for consumers and IaaS for builders.

There are a lot more features I’d love to highlight, but instead I invite you to check out the solution for yourself. Visit https://mcafee.com/CNAPP for more information on our release or request a demo at https://mcafee.com/demo. We’d love to get your feedback and hear how MVISION CNAPP can help you become more empowered and responsible in the cloud.

This post contains information on products, services and/or processes in development. All information provided here is subject to change without notice at McAfee’s sole discretion. Contact your McAfee representative to obtain the latest forecast, schedule, specifications, and roadmaps.

The post With No Power Comes More Responsibility appeared first on McAfee Blogs.

A Software Security Checklist Based on the Most Effective AppSec Programs

Veracode???s Chris Wysopal and Chris Eng joined Enterprise Strategy Group (ESG) Senior Analyst Dave Gruber and award-winning security writer and host of the Smashing Security podcast, Graham Cluley, at Black Hat USA to unveil the findings from a new ESG research report, Modern Application Development Security. The research is based on a survey of nearly 400 developers and security professionals, which explored the dynamic between the roles, their trigger points, the extent to which security teams understand modern development, and the buying intentions of application security (AppSec) teams.

As the presenters went through the data, it led to a larger discussion about AppSec best practices and what steps organizations can take to mature their programs. Here are the best practices laid out during the presentation as an easy-to-follow checklist as well as supporting data from the ESG report.

Application security controls are highly integrated into the CI/CD toolchain.

In the ESG survey, 43 percent of organizations agreed that DevOps integration is most important to improving AppSec programs, but only 56 percent of respondents answered that they use a highly integrated set of security controls throughout their DevOps process. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment.

Application security best practices are formally documented.

In order to have a successful AppSec program, everyone needs to be on the same page regarding best practices. The CISO should help facilitate the formal documentation of AppSec best practices. Developers and security professionals can reference the list and use it to guide their decisions.

Application security training is included as part of the ongoing development security training program.

Developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities. Most developers don???t receive secure code training courses in college, so it is up to organizations to offer security training. But according to the survey, more than 20 percent of organizations only provide training when developers join the team.

Developers should have multiple, at-leisure training opportunities throughout the year, like virtual or hands-on programs ??? such as Veracode Security Labs. Chris Wysopal pointed out the importance of human touchpoints as part of ongoing developer training. If someone is checking in on developers to make sure they???re completing their training, they???ll likely take it more seriously. Consider a security champions program. The security champions are developers who have an interest in learning about security. If you have at least one security champion on every scrum team, that person can help ensure that their peers are up to speed on the latest security training and best practices.

Ongoing developer security training includes formal training programs, and a high percentage of developers participate.

At-leisure security training is a great way for developers to learn on their own time. But it is also important to implement formal security training with a set completion date and a skills assessment. Without formal security training, developers may not develop the skills they need to write secure code and remediate vulnerabilities. This could lead to slower and more expensive deployments because of rework or vulnerable code being pushed to production.

According to the survey, 35 percent of respondents answered that less than half of their development teams are participating in formal training. And only 15 percent reported that all their developers are participating. As for frequency, less than half require their developers to engage in formal training more than once per year.

Development managers are responsible for communicating best practices to developers.

Developers rely on the information they receive from their development managers. Development managers should be following the organization???s documented AppSec best practices and they should be communicating the best practices to the developers.

Security issues are traced back to the individual development teams.

42 percent of organizations responded that they track security issue introduction for individual development teams. This number should be much higher because if you don???t track security issues introduced by each team, the team could make the same mistake multiple times. When you track the security issues, you can target efforts to improve those teams and individuals who introduce the most issues.

You track your AppSec program using formal processes and metrics to ensure that it???s continuously improving.

You should have a formal process in place to regularly measure your AppSec program using metrics. With the right metrics, you can pinpoint areas where your AppSec program is performing well and areas that could use improvement. The data can also be used to show senior management or stakeholders if their AppSec investment is getting the right return on investment (ROI).

You track individual development teams using metrics to ensure that they are continuously improving.

Just as you should be tracking if security issues are introduced by individual development teams, you should also be tracking if the development teams are making continuous improvements. If you are addressing teams or individuals when security issues are introduced, it should be expected that the teams/individuals are taking steps to ensure that the same mistake doesn???t happen again. Metrics can be used to prove that the teams are actively making improvements.

You track security issues during the code development process.

If code is not tracked for security issues in the development phase and a vulnerability is identified later in the software development lifecycle (SDLC), it can be costly and time consuming to fix the flaws. You can track the code with a tool like Veracode???s IDE Scan. The IDE Scan reviews code in real-time and provides remediation methods. ツ?

Automated risk aggregation tools roll-up risk to keep senior development leaders informed.

Senior development leaders should be fully aware of the risks and vulnerabilities in applications. Consider using automation risk aggregation tools to keep leaders informed in an efficient manner.


To make sure your organization is following the best practices, download the printer-ready Software Security Checklist: 10 Elements of an Effective AppSec Program.

Become a security intelligence expert, with these free tools from Recorded Future

Many thanks to the great folks at Recorded Future, who have sponsored my writing for the past week. If 2020 taught the security industry anything, it is this: There has never been a better time to be a cybercriminal. From extortion ransomware to cyberespionage campaigns, adversaries are capitalizing on uncertainty, causing chaos, and cashing in. … Continue reading "Become a security intelligence expert, with these free tools from Recorded Future"

Unilever CISO on balancing business risks with cybersecurity

Imagine showing up to work every day knowing that your job requires protecting 160,000 employees creating more than 450 products around the world—tea, ice cream, personal care, laundry and dish soaps—across a customer base of more than two and a half billion people every day. Unilever Chief Information Security Officer (CISO) Bobby Ford embraces the challenge, summing up his proactive approach this way: “I believe the responsibility of our group—the cybersecurity risk management group—is to enable the business to take risks.”

In this episode of “The Shiproom” I talk with Bobby about striking that balance between risk versus business needs, along with some of his strategies for protecting Unilever’s global workforce. We also discuss the ongoing challenges of communication and collaboration between the business and security sides of an organization. “I’m not the captain of the ‘no’ police,” Bobby explains. “Recognizing that the organization has to take risks—that’s what it means to be in business.”

On managing those risks, Bobby provides a useful metaphor: “For me, a mature cybersecurity strategy happens at the intersection of business intelligence and threat intelligence.” We discuss what constitutes threat intelligence, and why it’s important to maintain an ongoing conversation between business and security—so that decisions aren’t made in a vacuum.

Bobby also addresses the importance of diversity in the workplace, including “diversity of thought” and why a diverse workforce makes for better security. “The simplest answer is that the adversary is diverse. It’s hard to combat and defend against a diverse opponent when you lack diversity [on your team].”

We also discuss British food, arm wrestling, the Queen, shampoo, quesadillas, wombats, and more. Check out the whole discussion on:

What’s next

In an upcoming Shiproom episode, I’ll talk with Kurt John, CISO at Siemens USA. Kurt is listed in Security Magazine’s top 10 most influential cybersecurity leaders, and he’s a board member of the Virginia Innovation Partnership Authority tasked with enhancing Virginia’s tech-based economy. Kurt also serves on a special cybersecurity committee organized by the Under-Secretary-General of the United Nations. Don’t miss it.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Unilever CISO on balancing business risks with cybersecurity appeared first on Microsoft Security.

Smashing Security podcast #202: The Wu-Tang Clan are Among Us

Voting machines are under the microscope, scammers are posing as rap stars, and American politician AOC isn't the only one who's been getting into the Among Us game. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by James Thomson. Plus don't miss the first part of our featured interview with LastPass's Dalia Hamzeh.

NIST Offers ‘Quick-Start’ Guide for Its Security and Privacy Safeguards Catalog

If you’ve ever tried to set up a home entertainment system by poring over a thick manual, you might appreciate the manufacturer also providing you with a quick-start guide so you can get your party going in short order. Information security experts at the National Institute of Standards and Technology (NIST) have created what is essentially a quick-start guide to their flagship risk management tool, to help organizations reduce their security and privacy risks more easily. Their creation, whose full title is Control Baselines for Information Systems and Organizations (NIST Special Publication

KashmirBlack Botnet Hijacks Thousands of Sites Running On Popular CMS Platforms

An active botnet comprising hundreds of thousands of hijacked systems spread across 30 countries is exploiting "dozens of known vulnerabilities" to target widely-used content management systems (CMS). The "KashmirBlack" campaign, which is believed to have started around November 2019, aims for popular CMS platforms such as WordPress, Joomla!, PrestaShop, Magneto, Drupal, Vbulletin, OsCommerence,