Category Archives: business

Cybersecurity Platforms: 8 Must-Have Attributes

Defending enterprises against the growing frequency and complexity of cyberattacks is becoming an ever-increasing burden to cybersecurity budgets and manpower. An ESG enterprise-class cybersecurity technology platform white paper commissioned by McAfee shows CISOs have “reached a tipping point where the current cybersecurity point tools are no longer acceptable.” Current high-cost, complex strategies using disconnected point tools aren’t working and CISOs are abandoning their collection of cybersecurity point tools in favor of a consolidated, integrated approach.

ESG reports that consolidation is wide spread and growing – 22% of organizations are actively consolidating the number of cybersecurity vendors they do business with on a large scale while 44% of respondents are consolidating the number of cybersecurity vendors they do business with on a limited basis. ESG expects this trend to gain momentum over the next 12 to 24 months.

In response to this consolidation trend, more service providers are attempting to market their disparate tools as a platform. According to the ESG white paper, “Industry hyperbole has led to user confusion about what qualifies as a cybersecurity technology platform.”

Based on ESG’s survey findings, the following eight key attributes should be included in all RFIs/RFPs and become part of every cybersecurity technology platform:

  1. Prevention, detection, and response capabilities. CISOs expect cybersecurity platforms to provide strong defensive capabilities (i.e., rules, heuristics, machine learning models, behavioral algorithms, threat intelligence integration, etc.) capable of blocking and detecting threats with close to 100% efficacy. When threats are detected, cybersecurity platforms should average low false positive rates and provide concise forensic evidence that enables analysts to track events that led to an alert. Cybersecurity platforms should also include simple mitigation techniques such as quarantining a system, halting a process, or terminating a network connection. Users should have the ability to automate these remediation measures when desired.
  2. Coverage that spans endpoints, networks, servers, and cloud-based workloads and API-driven services. Cybersecurity platforms should be able to prevent, detect, and respond to threats across an enterprise IT infrastructure composed of endpoints, networks, servers, or cloud-based workloads and API-driven services. Prevention, detection, and response capabilities should be united so that security and IT operations teams can monitor activities and take actions across any security technology controls and any location.
  3. Central management and reporting across all products and services. All security controls should report to a central management plane delivering configuration management, policy management, monitoring, and remediation capabilities. Central management must be built for scale, support role-based access control, and offer the ability to customize multiple UIs and functions for different security and IT operations profiles.
  4. An “open” design. Security platforms must be built for integration by supporting common messaging buses and open APIs. Best-in-class cybersecurity platforms will also feature an open design capable of supporting third-party developers and security vendors with developer support resources, partner ecosystems, technical support services, and go-to market programs.
  5. Tightly coupled plug-and-play products and managed services. The transition from point tools to cybersecurity platforms may be an arduous process journey requiring a phased implementation. As a result, cybersecurity platforms must play the role of force multiplier, providing incremental value through the integration of additional products and services. Supplementing any security product or managed service should increase the security efficacy and operational efficiency of the entire platform.
  6. Security coverage that includes major threat vectors including email security and web security. Most malware attacks emanate through compromised systems using techniques such as phishing, malicious attachments/links, and drive-by downloads. Cybersecurity platforms must include strong prevention/detection filters that work inline and service the entire IT infrastructure. Filters can be provided by the platform vendor or through third-party integrations.
  7. Cloud-based services. Cybersecurity platforms should be capable of utilizing cloud-based resources for processes such as file analysis, threat intelligence integration, behavioral analytics, and reputation list maintenance. Cloud-based services should be applied to all cybersecurity platform users in real time. When a malicious file is detected at one site, all other platform customers should be updated with prevention and detection rules to safeguard them from that threat.
  8. Multiple deployment options and form factors. The components of cybersecurity platforms should be accessible as on-premises software/devices, cloud-based server implementation, SaaS, or some combination. ESG provides the example of a large global enterprise may deploy on-premises software/devices at corporate headquarters, cloud-based server implementation for large regional offices, and SaaS for remote workers. All form factor options should be anchored by central configuration management, policy management, and global monitoring.

ESG’s white paper advises CISOs to approach cybersecurity platforms with a long-term strategy and project plan that spans a 24-to-36-month timeframe.

ESG also identifies McAfee as “one of a few vendors” whose product fits the description of a cybersecurity technology platform. Because McAfee’s ePO-based cybersecurity technology platform aligns well with ESG’s eight key cybersecurity technology platform attributes and high priority enterprise customer requirements, ESG states “CISOs would be well served to explore McAfee’s ePO-based cybersecurity technology platform as it aligns well with current and future cybersecurity requirements for improving security efficacy, increasing operations efficiency, and enabling the business.

Read more on how McAfee’s ePO can consolidate and improve your enterprise’s cybersecurity defenses.

The post Cybersecurity Platforms: 8 Must-Have Attributes appeared first on McAfee Blogs.

How Deepfakes Can Ruin Your Business

Worldwide concern is increasing over the adverse effects that deepfakes could have on society, and for good reason. Recently, the employee of an energy company based in the UK was tricked into thinking he was talking on the phone with his boss, the CEO of the German parent company, who asked him to transfer $243,000 to a Hungarian supplier. Of course, the employee was not speaking with the actual CEO, but with a scammer who was impersonating the real CEO through voice-altering AI.

This kind of social engineering attack is not new. In fact, merely two months ago, cybersecurity researchers identified three successful deepfake audio attacks on companies. Their “CEO” called a financial officer to ask for an urgent money transfer. The voices of the real CEO had been taken from earnings calls, YouTube videos, TED talks, and other recordings, and inserted into an AI program which enabled fraudsters to imitate the voices.

These types of incidents are the audio version of what are known as deepfake videos, which have been causing global panic for the past couple of years. As we become accustomed to the existence of deepfakes, this may affect our trust in any videos we see or audio footage we hear, including the real ones. Videos, which once used to be the ultimate form of truth that transcended edited pictures that can be easily altered, can now deceive us as well.

And this brings us to the question:

How safe is your business in the face of the deepfake threat?

What are Deepfakes?

Deepfakes are fake video and audio footage of individuals, that are meant to make them look like they have said and done things which, in fact, they haven’t. “Deep” relates to the “deep learning” technology used to produce the media and “fake” to its artificial nature. Most of the time, the faces of people are superimposed on the bodies of others, or their actual figure is altered in such a way that it appears to be saying and doing something that they never did.

The term was born in 2017 when a Reddit user posted a fake adult video showing the faces of some Hollywood celebrities. Later, the user also published the machine learning code used to create the video.

Can we detect and stop Deepfakes?

Right now, researchers and companies are investigating how they can utilize AI to distinguish and wipe out deepfakes. New advancements have started to rise that are meant to help us identify which pictures and recordings are real and which are fake.

For example, Facebook, Microsoft, the Partnership on AI coalition, and academics from several universities are launching a contest to help improve the detection of deepfakes. They aim to encourage people to produce a technology that can be used by anyone to detect when deepfake material has been created. The Deepfake Detection Challenge will feature a data set and leaderboard, alongside grants and awards, to motivate participants to design new methods of identifying and stopping fake footage meant to deceive others.

Yet, this won’t prevent the fake media from being created, shared, seen and heard by millions of people before it is removed. And without doubt, it can be extremely difficult to face the consequences and repair the damage once malicious materials get distributed.

How can you spot Deepfake videos?

Until some highly reliable technical solutions are designed, we should learn to identify the tell-tale signs of deepfakes. So, here are the flaws you should be looking for:

  • Blinking – According to research, the eye blinking in videos seems to be not that well presented in deepfake videos.
  • Head position – Watch out for blurry face borders that subtly blend into the background.
  • Artificially-looking skin – If the face looks extra smooth like it’s been edited, this may be another warning sign. Also, watch out for the skin tone that can be slightly different than the rest of the body.
  • Slow speech and different intonation – Sometimes, you will notice the one who is being impersonated talks rather slowly or there isn’t quite a match between the real person’s voice and the fake one.
  • An overall strange look and feel – In the end, you should trust your instinct. Sometimes, you can simply tell something’s not right.

At the moment, one can easily spot deepfakes. But in the future, as this technology progresses, it will gradually become more difficult.

Deepfakes could destroy everything

Here is what deepfakes could have a highly negative impact on:

#1. Politics

Deepfakes could influence elections since they can put words into politicians’ mouths and make them look like they’ve done or said certain things which, in fact, they haven’t. Deepfake producers could target popular social media channels, where the content shared can instantly become viral.

#2. Justice

Fake evidence for criminal trials could be used against people in court and this way, they could become accused of crimes they did not commit. Thus, the wrong people could go to jail. And on the other hand, people who are guilty could be set free based on false proof.

#3. Stock market

Deepfakes could be used to manipulate stock prices when altered footage of influential people making certain statements gets distributed. Imagine what would happen if a fake video of the CEOs of companies such as Apple, Amazon, or Google declaring they’ve done something illegal. For instance, back in 2008, Apple’s stock dropped 10 points based on a false rumor that Steve Jobs had suffered a major heart attack emerged.

#4. Online bullying

The deepfake technology could also be used to amplify cyberbullying, especially since it’s now becoming widely available. People can easily turn into victims when manipulated media of them is posted online. Or they can get blackmailed by cybercriminals who are threatening leak the footage if, for instance, they don’t pay a certain amount of money.

#5. Companies

Someone could be making false statements about your business to destabilize and degrade it. Malicious actors could make it look like you or someone within your organization admitting to having been involved in consumer fraud, bribery, sexual abuse, and any other wrongdoings you can think of. Obviously, these kinds of false statements can destroy your company’s reputation and make it difficult for you to prove otherwise.

What can be done?

Due to the current gaps in the law, producers of deepfakes are not incriminated. However, the Deepfakes Accountability Act (known as “Defending Each and Every Person from False Appearances by Keeping Exploitation Subject to Accountability Act – yes, you’ve correctly identified an acronym right there) aims to take measures to criminalize this type of fake media.

In short, anyone who creates deepfakes would be required to reveal that the footage is altered. And if they fail to do so, it will be considered a crime. The existence of these kinds of regulations is mandatory to protect deepfake victims and also the general public from distorted information.

How can you protect your business from Deepfakes?

Your competitors could resort to deepfake blackmail in order to try to eliminate you from the industry.

No matter how good technological deepfake detection solutions will become, they won’t prevent manipulated media from being shared and reach large numbers of people. So, the best way is to teach your employees how to identify fake footage and question everything that seems suspicions inside the organization.

#1. Train your employees

The topic of deepfakes can be looked at during your cybersecurity training. For instance, if they receive an unexpected call from the CEO who is asking them to transfer $1 million to a bank account, they could, first of all, question if the person on the other line is who they say they are. Maybe, a good countermeasure would be to have a few security questions in place that need to be asked to verify a caller’s identity.

#2. Monitor your brand’s online presence

Your brand’s presence is probably already being monitored online. So, make sure your designated people keep an eye on fake content involving your organization and if anything suspicious is brought to light, they do their best to take it down as soon as possible and mitigate the damage.

This brings us to the next point.

#3. Be transparent

If you become a victim of deepfakes, ensure that your audience is aware of the targeted attack. Trying to ignore what happened or assume that people didn’t believe what they’ve seen or heard won’t make the issue disappear. Therefore, your PR efforts should be centered around communicating that someone from your company has been impersonated and highlighting the artificial nature of the distributed footage.

Never let misinformation erode your public’s confidence!

Wrapping it all up

The dangers of deefakes are real and should not be underestimated. A single ill-intended rumor could destroy your business. So, you, both as an individual and an organization, should be prepared to stand against these threats.

 

The post How Deepfakes Can Ruin Your Business appeared first on Heimdal Security Blog.

Countdown to MPOWER 2019: Survival Guide

This year, we’re excited to host the 12th annual MPOWER Cybersecurity Summit at the ARIA in Las Vegas, where fellow security experts will strategize, network, and learn about the newest and most innovative ways to ward off advanced cyberattacks. With the show nearly upon us, I’m sharing a “survival guide” for first-time attendees and anyone who might want a refresher of what’s to come. Here are a few tips and tricks to help make your MPOWER experience even more successful and enjoyable.

Travel, Transportation and Accommodations

MPOWER is the best place to leverage your existing McAfee investment, engage with our ecosystem of security experts, connect with other McAfee customers and much more.

If you haven’t yet booked your travel arrangements, be sure you do so as soon as possible to take advantage of the special rates offered by the ARIA Resort & Casino. When you arrive at the Las Vegas McCarran International Airport, it will be a quick 20 minute Uber or Lyft ride to the ARIA. For more information on ground transportation from the airport to the hotel, click here.

TIP: Need some help convincing your company or manager? Click here for our email template (and modify as appropriate) to help justify your attendance at MPOWER 2019.

Innovative Keynote Speakers

We have a great lineup of keynote speakers this year. You’ll hear from Secretary of State Madeleine K. Albright, General Colin L. Powell, and tech venture capitalist Roger McNamee. We’ll also have McAfee leadership on the keynote stage, including CEO Chris Young, EVP & Chief Product Officer Ashutosh Kulkarni, SVP of Cloud Rajiv Gupta, SVP & Chief Technology Officer Steve Grobman, and CMO Allison Cerra.

TIP: Be sure to get to the keynote stage early, as spots fill up fast.

Breakout Sessions

The sessions offered at MPOWER 19 will give you a better understanding of how to maintain the highest standards of security while reducing company costs, streamline processes, and drive efficiencies in the daily administration of your systems. You’ll also have an exclusive opportunity to hear actual McAfee customers discuss how they solved real-world business challenges.

TIP: Once you’ve registered, enter your registration information at the MPOWER 19 My Event site to create a personalized agenda of the sessions and events you most want to attend. Then use your convenient schedule to make sure you don’t miss a thing!

MVISION Training Classes

New at MPOWER this year, MVISION training classes will be available free to customers and can be added to your schedule during registration. Classes will run October 1-3, and each attendee will receive a Certificate of Completion that can be submitted as a Continuing Education Unit (CEU/CPE) to ISC2, CompTIA, and other certification vendors. Seating is limited and available on a first-come, first-served basis—so add a course to your registration today!

TIP: Be sure to get your badge scanned at the door for each session to get credit.

Customer Spotlight

Stop by the Customer Spotlight, located on Level 1 to have fun. This is a place where you can kick back and relax, challenge your peers to a game (Jenga, Connect 4, Cornhole, and many more) or just take a few minutes to catch up on email or recharge your phone. The Customer Spotlight will be open Tuesday through Thursday, 8:00 AM – 5:00 PM.

TIP: The list of the activities is lengthy—there’s something for everyone! For your participation, we offer an incentive program that will earn you points—redeem anytime for McAfee gear and much more.

Expo Hall & Innovation Fair

The Sponsor Expo will feature an impressive lineup of McAfee partners, including some of the world’s most successful businesses. This is your chance to meet with the key players of the security industry—all in one location. Also, stop by the Innovation Fair booth and see what product innovations McAfee has planned in the areas of threat defense, data protection, intelligent security operations, and cloud defense. During the Innovation Fair hours, you will be able to join in on short innovation talks with technical leaders from McAfee.

TIP: Navigating the conference and expo hall will involve a lot of walking. Bring comfortable shoes—your feet will thank you later.

Stay Connected with Twitter

Twitter is one of the best ways to “stay connected” whether you are at the event or attending virtually. You can learn a lot about what’s going on at MPOWER by following the #MPOWER19 hashtag—McAfee will be live tweeting keynotes, favorite session updates, valuable insights, freebies, party details and more. Be sure to tweet your own findings, happenings, etc. using the hashtag.  

TIP: Follow @McAfee, @McAfee_Business for conference updates, company announcements and more!

The MPOWER Mobile App

 The MPOWER 19 Mobile App puts a full guide to the conference in the palm of your hand. Just download and enter your MPOWER registration info to access the daily schedule of events, session details, speaker info, and more! Available for iPhone/iPad and Android, the MPOWER 19 Mobile App will help you maximize the value of the conference and keep you updated on everything that’s happening.

TIP: When onsite at MPOWER 19, visit the Mobile App Help Desk near registration to get all your questions answered. 

MPOWER Special Evening Event

On October 3rd, we’ll be hosting Fall Out Boy for a special performance. Get ready to dance the night away starting at 8 p.m. PT.

See You Soon!

We are committed to bringing together the best of the security industry to unite for a cause that’s bigger than all of us—the digital safety of our customers, organizations, and future generations. We invite you to join us in Las Vegas.

The post Countdown to MPOWER 2019: Survival Guide appeared first on McAfee Blogs.

Analyst Fatigue: The Best Never Rest

They may not be saying so, but your senior analysts are exhausted.

Each day, more and more devices connect to their enterprise networks, creating an ever-growing avenue for OS exploits and phishing attacks. Meanwhile, the number of threats—some of which are powerful enough to hobble entire cities—is rising even faster.

While most companies have a capable cadre of junior analysts, most of today’s EDR (Endpoint Detection and Response) systems leave them hamstrung. The startlingly complex nature of typical EDR software necessitates years of experience to successfully operate—meaning that no matter how willing the more “green” analysts are to help, they just don’t yet have the necessary skillset to effectively triage threats.

What’s worse, while these “solutions” require your top performers, they don’t always offer top performance in return. While your most experienced analysts should be addressing major threats, a lot of times they’re stuck wading through a panoply of false positives—issues that either aren’t threats, or aren’t worth investigating. And while they’re tied up with that, they must also confront the instances of false negatives: threats that slip through the cracks, potentially avoiding detection while those best suited to address them are busy attempting to work through the noise. This problem has gotten so bad that some IT departments are deploying MDR systems on top of their EDR packages—increasing the complexity of your company’s endpoint protection and further increasing employee stress levels.

Hoping to both measure the true impact of “analyst fatigue” on SOCs and to identify possible solutions, a commissioned study was conducted by Forrester Consulting on behalf of McAfee in March 2019 to see what effects current EDRs were having on businesses, and try to recognize the potential for solutions. Forrester surveyed security technology decision-makers, from the managers facing threats head-on to those in the C-suite viewing security solutions at the macro level in relation to his or her firm’s financial needs and level of risk tolerance. Respondents were from the US, UK, Germany or France, and worked in a variety of industries at companies ranging in size from 1,000 to over 50,000 employees.

When asked about their endpoint security goals, respondents’ top three answers—to improve security detection capabilities (87%), increase efficiency in the SOC (76%) and close the skills gap in the SecOps team (72%)—all pointed to limitations in many current EDRs.  Further inquiry revealed that while 43% of security decision makers consider automated detection a critical requirement, only 30% feel their current solution(s) completely meet their needs in this area.

While the issues uncovered were myriad, the results also suggested that a single solution could ameliorate a variety of these problems.  The introduction of EDR programs incorporating Guided Investigation could increase efficiency by allowing junior analysts to assist in threat identification, thereby freeing up more seasoned analysts to address detected threats and focus on only the most complex issues, leading to an increase in detection capabilities. Meanwhile, the hands-on experience that junior analysts would get addressing real-life EDR threats would increase both their personal efficiency and their skill level, helping to eliminate the skills gaps present in some departments.

To learn more about the problems and possibilities in the current EDR landscape, you can read the full “Empower Security Analysts Through Guided EDR Investigation” study by clicking here.

The post Analyst Fatigue: The Best Never Rest appeared first on McAfee Blogs.

The Sky Has Already Fallen (you just haven’t seen the alert yet)

Of course, the much-touted “Cybersecurity Skills Shortage” isn’t news to anyone, or it shouldn’t be. For seven or more years, journalists, industry analysts and practitioners have been opining about it one way or another. Analyses and opinions vary on how we have reached this impasse, my own being that this is a largely self-inflicted crisis caused by proscriptive hiring practices and unreasonable job requirements, but the outcome remains the same. We have too few people doing too much work, with too many tools and too few meaningful resources.

The typical SOC of today is drowning in a volume of alerts. In the financial world for example 60% of banks routinely deal with 100,000+ alerts every day, with 17% of them reporting 300,000+ security alerts, according to research carried out by Ovum, and this pattern is repeated across industry verticals.

There is no way that the typical Security Operations Center is staffed to the levels required to be able to triage these alerts, meaning that a large proportion of them are simply never actioned (read ignored). Of those that do eventually see a pair of eyes, it hardly seems worth the effort. An EMA report all the way back in 2017 found that analysts were spending around half an hour investigating each incident with much of the time being spent either downgrading alerts marked as critical (46%) or otherwise reprioritizing (52%) and identifying false positives (31%).

This deluge of information, coupled with a focus on small, repetitive and often manual tasks are critical components contributing to fatigue, boredom, and a feeling of powerlessness in the workplace. A recent survey carried out by Trend Micro revealed that IT teams are under significant pressure, with some of the challenges cited including prioritizing emerging threats (47%) and keeping track of a fractured security environment (43%). The survey showed that they are feeling the weight of this responsibility, with many (34%) stating that the burden they are under has led their job satisfaction to decrease over the past 12 months. It’s not just the SOC analysts either. In that same survey one third of IT executives told us that they felt completely isolated in their role.

Workplace pressure at these levels is simply not sustainable, fatigue leads to neglect, neglect to mistakes, and mistakes lead to burnout, further reducing the available talent pool and dissuading others from ever entering into the industry, it’s a vicious circle.

This security event flood is exacerbated by the fact that the majority of organizations rely on large numbers of specialized and disconnected tools. Many of the alerts that analysts are dealing with are often different views of the same object, or duplicate notifications from discrete security tools. The Ovum report I mentioned above notes that almost half their respondents (47%) told them that only one in five events is actually related to a unique security event.

In fact, Security Operations Centers are drowning in threat data, all the while thirsting for meaningful threat intelligence.

Water, water everywhere and all the boards did shrink,

Water, water everywhere nor any drop to drink.

A recent blog post by my friend and colleague Greg Young laid out his reasoning on “Why XDR is a big deal and is different from SIEM and Platforms.” And a truly mature XDR technology, with feature rich APIs, collecting, correlating, triaging, reporting and perhaps even remediating (to a certain level) must represent the direction of travel for the SOC of the near future.

We are not going to solve the skills shortage within a decade; arguably, we are not going to solve it at all, particularly if we continue to focus on filling the gap with human brains. The problem is not in the potential recruitment pipeline, it is in the actual data pipeline and that is where technology must play the lead role. An AI driven Tier I SOC platform able to scale with the continually increasing volume of data, automating and accelerating initial analysis, the creation of incident context, chasing down patient zero through an automated root cause analysis. Such a system would present the human Escalation Analysts with aggregated data in a logical attack-centric progression automating the Monitor, Prevent, Detect and Investigate roles and providing the SOC analyst with actionable threat intelligence for real Response and Remediation.

The post The Sky Has Already Fallen (you just haven’t seen the alert yet) appeared first on .

Chris Young and Ken McCray Recognized on CRN’s 2019 Top 100 Executives List

CRN, a brand of The Channel Company, recently recognized McAfee CEO Chris Young and Head of Channel Sales Operations for the Americas Ken McCray in its list of Top 100 Executives of 2019. This annual list honors technology executives who lead, influence, innovate and disrupt the IT channel.

Over the past year, Young led McAfee into the EDR space, directed the introduction of McAfee’s cloud and unified data protection offerings, and forged a partnership with Samsung to safeguard the Galaxy S10 mobile device. According to CRN, these accomplishments earned Young the number-three spot in CRN’s list of 25 Most Innovative Executives—a subset of the Top 100 list that recognizes executives “who are always two steps ahead of the competition.” Young is no stranger to the Top 100 Executives list: He also earned a place on last year’s list, when his post-spinout acquisitions led to him being named one of the Top 25 Disruptors of 2018.

Based on his work overseeing the launch of McAfee’s alternative route to market channel initiative, Ken McCray was also recognized as one of this year’s Top 100 Executives. The initiative, which has driven incremental bookings as Managed Security Partners and cloud service providers bring new customers on board, earned McCray a spot on the Top 25 IT Channel Sales Leaders of 2019. This has been an accolade-filled year for McCray: In February, he was named one of the 50 Most Influential Channel Chiefs for 2019, based on his division’s double-digit growth and the relationships he built with key cloud service providers.

The Top 100 Executives being recognized drive cultural transformation, revenue growth, and technological innovation across the IT channel. In doing so, they help solution providers and technology suppliers survive—and thrive—in today’s always-on, always-connected global marketplace.

“The IT channel is rapidly growing, and navigating this fast-paced market often challenges solution providers and technology suppliers alike,” said Bob Skelley, CEO of The Channel Company. “The technology executives on CRN’s 2019 Top 100 Executives list understand the IT channel’s potential. They provide strategic and visionary leadership and unparalleled guidance to keep the IT channel moving in the right direction—regardless of the challenges that come their way.”

We at McAfee are proud of the recognition Young and McCray have received, and look forward to seeing our company continue to thrive under their leadership.

The Top 100 Executives list is featured in the August 2019 issue of CRN Magazine and online at www.CRN.com/Top100.

The post Chris Young and Ken McCray Recognized on CRN’s 2019 Top 100 Executives List appeared first on McAfee Blogs.

Analytics 101

From today’s smart home applications to autonomous vehicles of the future, the efficiency of automated decision-making is becoming widely embraced. Sci-fi concepts such as “machine learning” and “artificial intelligence” have been realized; however, it is important to understand that these terms are not interchangeable but evolve in complexity and knowledge to drive better decisions.

Distinguishing Between Machine Learning, Deep Learning and Artificial Intelligence

Put simply, analytics is the scientific process of transforming data into insight for making better decisions. Within the world of cybersecurity, this definition can be expanded to mean the collection and interpretation of security event data from multiple sources, and in different formats for identifying threat characteristics.

Simple explanations for each are as follows:

  • Machine Learning: Automated analytics that learn over time, recognizing patterns in data.  Key for cybersecurity because of the volume and velocity of Big Data.
  • Deep Learning: Uses many layers of input and output nodes (similar to brain neurons), with the ability to learn.  Typically makes use of the automation of Machine Learning.
  • Artificial Intelligence: The most complex and intelligent analytical technology, as a self-learning system applying complex algorithms which mimic human-brain processes such as anticipation, decision making, reasoning, and problem solving.

Benefits of Analytics within Cybersecurity

Big Data, the term coined in October 1997, is ubiquitous in cybersecurity as the volume, velocity and veracity of threats continue to explode. Security teams are overwhelmed by the immense volume of intelligence they must sift through to protect their environments from cyber threats. Analytics expand the capabilities of humans by sifting through enormous quantities of data and presenting it as actionable intelligence.

While the technologies must be used strategically and can be applied differently depending upon the problem at hand, here are some scenarios where human-machine teaming of analysts and analytic technologies can make all the difference:

  • Identify hidden malware with Machine Learning: Machine Learning algorithms recognize patterns far more quickly than your average human. This pattern recognition can detect behaviors that cause security breaches, whether known or unknown, periodically “learning” to become smarter. Machine Learning can be descriptive, diagnostic, predictive, or prescriptive in its analytic assessments, but typically is diagnostic and/or predictive in nature.
  • Defend against new threats with Deep Learning: Complex and multi-dimensional, Deep Learning reflects similar multi-faceted security behaviors in its actual algorithms; if the situation is complex, the algorithm is likely to be complex. It can detect, protect, and correct old or new threats by learning what is reasonable within any environment and identifying outliers and unique relationships.  Deep Learning can be descriptive, diagnostic, predictive, and prescriptive as well.
  • Anticipate threats with Artificial Intelligence: Artificial Intelligence uses reason and logic to understand its ecosystem. Like a human brain, AI considers value judgements and outcomes in determining good or bad, right or wrong.  It utilizes a number of complex analytics, including Deep Learning and Natural Language Processing (NLP). While Machine Learning and Deep Learning can span descriptive to prescriptive analytics, AI is extremely good at the more mature analytics of predictive and prescriptive.

With any security solution, therefore, it is important to identify the use case and ask “what problem are you trying to solve” to select Machine Learning, Deep Learning, or Artificial Intelligence analytics.  In fact, sometimes a combination of these approaches is required, like many McAfee products including McAfee Investigator.  Human-machine teaming as well as a layered approach to security can further help to detect, protect, and correct the most simple or complex of breaches, providing a complete solution for customers’ needs.

The post Analytics 101 appeared first on McAfee Blogs.

Maths and tech specialists need Hippocratic oath, says academic

Exclusive: Hannah Fry says ethical pledge needed in tech fields that will shape future

Mathematicians, computer engineers and scientists in related fields should take a Hippocratic oath to protect the public from powerful new technologies under development in laboratories and tech firms, a leading researcher has said.

The ethical pledge would commit scientists to think deeply about the possible applications of their work and compel them to pursue only those that, at the least, do no harm to society.

Despite being invisible, maths has a dramatic impact on our lives

Related: Google whistleblower launches project to keep tech ethical

Related: To fix the problem of deepfakes we must treat the cause, not the symptoms | Matt Beard

Continue reading...

Test Your Knowledge on How Businesses Use and Secure the Cloud

Security used to be an inhibitor to cloud adoption, but now the tables have turned, and for the first time we are seeing security professionals embrace the cloud as a more secure environment for their business. Not only are they finding it more secure, but the benefits of cloud adoption are being accelerated in-step with better security.

Do you know what’s shaping our new world of secure cloud adoption? Do you know what the best practices are for you to accelerate your own business with the cloud? Test your knowledge in this quiz.

Note: There is a widget embedded within this post, please visit the site to participate in this post's widget.

Not prepared? Lucky for you this is an “open-book” test. Find some cheat sheets and study guides below.

Report: Cloud Adoption and Risk Report: Business Growth Edition

Blog: Top Findings from the Cloud Adoption and Risk Report: Business Growth Edition

Blog: Why Security Teams Have Come to Embrace the Cloud

MVISION Cloud Data Sheet

MVISION Cloud

The post Test Your Knowledge on How Businesses Use and Secure the Cloud appeared first on McAfee Blogs.

Black Hat 2019: Q&A with McAfee

Now in its 22nd year, Black Hat is an information security event showcasing the latest research, newest technology, scariest threats, and biggest trends. Around 19,000 security professionals will be taking over Las Vegas’s Mandalay Bay during the six-day event.

Before the security world convenes the first week in August, I spoke with McAfee leadership and threat researchers about the major themes we should expect to see at Black Hat and DEF CON this year.

Q: What should attendees watch out for at this year’s Black Hat?

Steve Povolny, Head of Advanced Threat Research: This year will piggyback on some of the themes we’ve seen developing in recent Black Hat briefings, including a growing focus on emerging technologies such as autonomous and connected vehicles, blockchain, and 5G, among many others. Some of the key industries under extra scrutiny include industrial control systems, aviation and aerospace, and supply chain. Finally, there is a continued and now-standard focus on crypto, mobile, and cloud/virtualization security.

Douglas McKee, Senior Security Researcher: Once again, Black Hat will have a great variety of talks for both the offensive- and defensive-minded individual. One of the newest topics we are starting to see will be on deepfakes. As social engineering continues to have a large impact on every security discipline, the concept of deepfakes becomes something to watch out for.

Q: What topic(s) do you think will play an important role at this year’s Black Hat and DEF CON?

Povolny: I foresee vehicle security continuing to generate heavy interest, as well as cloud and virtualization attacks. The more popular mobile device sessions are typically well attended, and we’ve had a spate of recent high-profile vulnerabilities that may drive even heavier traffic this year. Industrial controls are receiving renewed focus, though I’m surprised to see little to nothing in the area of medical devices given the security research community’s focus on this topic for the last 12-18 months.

McKee: Topics focused around our critical infrastructure and transportation will continue to play an important role, as these topics are growing fast with a security focus. As major companies continue to strive towards greater automation, how we protect this automation will play a key role in our everyday lives.

Philippe Laulheret, Senior Security Researcher: Although it’s not new, hackers and security researchers are looking into the security of secondary targets and then pivoting towards their main goal, which is usually hardened and more difficult to reach. Of particular interest are two talks centering on communication modules, and few others concerning equipment. Targeting VoIP phones, printers, faxes, etc., is really interesting: These devices sit on the network, are hard to monitor, and if compromised, can be used as a stepping stone to attack other machines. At the same time, they’re also valuable targets for eavesdropping or stealing confidential information.

Q: What is one of the biggest cyber concerns in 2019, and how can consumers or enterprises stay protected?

Povolny: The BlueKeep vulnerability (CVE-2019-0708) is a prime example of what should be top of mind for both enterprises and consumers. As WannaCry quickly taught the world, eliminating legacy operating systems and defunct protocols should be a foremost priority. These systems tend to be the most valuable targets, as attackers can reach millions of targets quickly through self-propagating code. I anticipate we will likely still see BlueKeep exploited publicly, perhaps (and maybe likely) turned into a worm in 2019. This is a rare opportunity for consumers and enterprise to address a likely breach before it happens, and to invest extra attention into removing or securing similar systems.

McKee: In 2019 it is almost impossible to buy a device that doesn’t have an IP address; everything is network connected. As both consumers and enterprises, we need to stay vigilant about what devices and information we are allowing to connect to the internet. Both our homes and offices are only as strong as our weakest device. The industry needs to continue to invest in developing secure products from the beginning while consumers direct extra attention to what they are buying.

Q: What are you hoping to get out of Black Hat or DEF CON this year and what do you want your attendees to take away from your session?

Povolny: I’m always interested in which topics tend to generate the most interest and why. So, I will be curious to see if my assessments of the most interesting topics are on point and will be spending additional time networking with researchers and attendees to find out what is driving them towards the topic. I’ll be speaking on IoT security, which encompasses threats across many of the industries, devices, protocols and technologies being presented at this year’s Black Hat. I’m hoping to give attendees a better understanding of the breadth and depth of the problem space and what the impacts are to them by showing them first-hand research from McAfee’s Advanced Threat Research team on a few IoT targets.

McKee: As a security researcher, I am always most interested in what new techniques the industry has uncovered to continue to find new vulnerabilities. It’s a constant game between evolving protections and new bypasses. In my session at DEFCON, I hope to convey some of the new methods we have used over the last year. More importantly I hope to highlight how, when researchers work together with vendors, very critical vulnerabilities can be swiftly mitigated.

 Laulheret: My presentation, “Intro to Embedded Hacking—How You, Too, Can Find A Decade-old Bug In Widely Deployed Devices,” is part of the DC 101 track and has the same aspiration of sharing one’s passion. The goal of this track is to get people up to speed on topics they are not familiar with yet. Hardware hacking can be intimidating if you are coming from a software background or if you never had any electronic/electricity classes. What I really want for this session is to show people that hardware hacking is neither hard nor scary, and by learning the basics, they will be able to investigate devices from their day-to-day life, potentially finding previously unknown critical flaws. There’s something extremely empowering in gaining the ability to dissect devices that used to be magic black boxes sitting on your network.

Best ways to catch McAfee at Black Hat & DEF CON:

Speaking Sessions:

Black Hat: Internet of Threats – The Current State of IoT Device Security

Steve Povolny, Head of Advanced Threat Research

Wednesday, August 7 | 12:40pm PT | Business Hall Theater B

 

DEF CON: Intro to Embedded Hacking—How You, Too, Can Find A Decade-old Bug In Widely Deployed Devices

Philippe Laulheret, McAfee Security Researcher

Thursday, August 8 | 1:00pm PT | Paris Theater

 

DEF CON: HVACking: Understand the Difference Between Security and Reality

Douglas McKee, McAfee Senior Security Researcher

Mark Bereza, McAfee Security Researcher

Friday, August 9 | 1:00pm PT | Track 2

 

Booth Presence:

Visit us at Booth #914 and test your hacking skills with our Capture the Flag contest.

 

Be sure to follow @McAfee for real-time updates from the show throughout the week.

The post Black Hat 2019: Q&A with McAfee appeared first on McAfee Blogs.

Cybersecurity Hygiene: 8 Steps Your Business Should be Taking

Whether you’re managing your enterprise’s cybersecurity or you’ve outsourced it to a service provider, you’re ultimately the one that will be held accountable for a data breach. If your vendor loses your data, your customers and board of directors will likely still hold you responsible.

McAfee’s recent report, Grand Theft Data II: The Drivers and Shifting State of Data Breaches, reveals a majority of IT professionals have experienced at least one data breach, and on average have dealt with six breaches over the course of their career. Nearly three-quarters of all breaches have required public disclosure or have affected financial results.

Enterprise threats are increasing in number and sophistication, while rapidly targeting new vulnerabilities. And while, the top three vectors for exfiltrating data were database leaks, cloud applications, and removable USB drives, IT professionals are most worried about leaks from cloud enterprise applications such as Microsoft OneDrive, Cisco WebEx, and Salesforce.com.

Cybersecurity hygiene best practices must not only be established but updated and followed to keep up with these agile, versatile threats. Here are eight steps your business should be taking to implement better cybersecurity hygiene:

  1. Educate Your Teams All employees are part of an organization’s security posture. And yet, 61% of IT professionals say their executives expect more lenient security policies for themselves, and 65% of those respondents believe this leniency results in more incidents. Do as I say, not as I do can be dangerous. It’s imperative that you develop a continuing cybersecurity education program for all enterprise teams including best practices for passwords and how to detect phishing emails. Your program should include re-education processes for your IT team on breach targets such as default accounts and missing patches.
  2. Timely Patches and Updates – The Data Exfiltration Report found that IT was implicated in most data breaches, and much of this can be attributed to failures in cybersecurity hygiene, such as the failure to get a security patch out across the enterprise within 24 to 72 hours. Or failing to check that all available updates are accepted on every device. The vulnerabilities these patches and updates are designed to address can remain vulnerable for months despite the availability of the fixes. Cloud and SaaS operations have proven that automated patching testing and deployment works well with minimal downside risk.
  3. Implement Data Loss Policies (DLP) Data loss prevention requires thinking through the data, the applications, and the users. Most security teams continue to operate in isolation, with 81% reporting separate policies or management consoles for cloud access security brokers (CASBs) and data loss prevention (DLP). It is more important than ever to have a set of consistent Data Loss Prevention (DLP) policies that protect data everywhere it’s stored, including the cloud and corporate endpoints, networks, or unmanaged devices.
  4. Pay Attention to Cloud Security Settings – Cloud applications are where the bulk of your data resides, and data is what most cybercriminals are after. As Dev Ops moves more workloads to the cloud your enterprise needs to pay attention to the security setting of the cloud instances it uses and be aware of the security associated with the underlying infrastructure. Many security measures and considerations in the cloud are the same as on-prem, but some are different. Understanding the security of the cloud you choose and the applications that you use in the cloud are a critical part of securely navigating digital transformation.
  5. Technology Integration and Automation – One of the top actions cited for reducing future breach risks is integrating the various security technologies into a more cohesive defense. A lack of integration between security products allows suspicious activity to dwell unnoticed. If an attack is identified and blocked, all entry points should be instantly informed. If a compromised device is detected, security products should automatically scan all other devices for evidence of similar compromise, and quarantine affected systems. Automation allows machines to make these decisions based on policy set by the security team and accelerates time to detection and remediation without incurring material risk of unintended IT consequences.
  6. Deploy and Activate CASB, DLP, EDR – A Cloud Attack Security Broker (CASB) automatically classifies sensitive information, enforces security policies such as data loss prevention, rights management, data classification, threat protection, and encryption. Data Loss Prevention (DLP) safeguards intellectual property and ensures compliance by protecting sensitive data. Endpoint Detection and Response (EDR) can help your enterprise gain visibility into emerging threats with little maintenance and by monitoring endpoint activity, detecting suspicious behavior, making sense of high-value data, and understanding context. EDR can also reduce your need for additional SOC resources.
  7. Run Proper Device Audits –It’s important to regularly review device encryption on all devices including laptops, tablets, and mobile phones. Using multifactor identification strengthens your security beyond common sense steps like evaluating and promoting password strength.
  8. Have an Incident Response Plan – You may have only minutes and hours to act on a cyberattack. Good intentions aren’t enough to effectively respond and remedy a security breach. Be prepared before it happens. An Incident Response Plan is integral in helping your enterprise respond more effectively, reduce business disruptions and a loss of reputation.

For more on how to improve your enterprise’s cybersecurity hygiene using automation, integration, and cloud-based deployment and analytics, check out McAfee MVISION EDR.

The post Cybersecurity Hygiene: 8 Steps Your Business Should be Taking appeared first on McAfee Blogs.

The $1.5 Million Email

Ransomware has been around since the late 1980s, but in recent years, it has emerged as one of the largest financial threats facing the public and private sector alike. According to the U.S. Department of Homeland Security, ransomware is the fastest-growing malware threat—and according to a report by Recorded Future in May, more than 170 state and local governments have been the victims of ransomware attacks since 2013.

In addition to improved ransomware capabilities, such as military-grade encryption algorithms, two key factors have emboldened cybercriminals to launch such attacks: the rise of hard-to-trace cryptocurrency such as Bitcoin, and the tendency of unprepared targets to continue meeting scammers’ demands, even as these demands become increasingly audacious.

One such target was the city of Riviera Beach, Fla., a waterfront suburb north of Palm Beach, which recently paid a near-record 65 Bitcoins to a gang of hackers after a ransomware attack brought the city to a halt.

On May 29, a city employee opened an email containing a piece of malware, which quickly infected nearly every city computer network. With the municipal computer system held hostage, all operations were hobbled—everything from the city’s website, email server and VoIP phones to the water utility pump stations. 911 dispatchers were forced to take down caller information on paper, employees and vendors had to be paid with paper checks, utility payments could only be accepted by snail mail or in person, and police officers had to resort to digging through closets at headquarters to find paper traffic citation pads.

City leaders were told they could make all of these problems go away—if they simply complied with the ransomers’ demand to remit 65 bitcoin (roughly $600,000) in exchange for the decryption key.

While the city had originally decided not to pay the ransom—opting instead to invest $914,000 into purchasing hundreds of new desktop and laptop computers and other hardware in an attempt to circumvent the issue—these measures ultimately failed. Three weeks after the original attack, based on the advice of an outside security consulting firm, the city council met to discuss next steps—and unanimously decided, after just two minutes of discussion, to acquiesce. The total cost, including the unbudgeted-for hardware, the consultation, and of course, the ransom itself, amounted to more than $1.5 million. For a city of just 35,000 residents, the cost was staggering, even after insurance paid its percentage.

While Riviera Beach was among the latest targets, it certainly won’t be the last, or the largest—according to a 2018 Deloitte-NASCIO survey, nearly half of states lack a separate cybersecurity budget, and a majority allocate under 3% of IT budgets to cyberthreat prevention.

But with ransomware attacks continuing to unleash a post-internet world on any unsuspecting target at any time, many targets are finding that, as much as they thought they lacked the resources to prevent such attacks, they’re even less prepared for the aftermath. Once infected, they’re left with two unsavory options: Pay the ransom, knowing that there’s no guarantee the hackers will decrypt the systems or that they’ll be decrypted perfectly. And even if they are, there are still the moral implications: When governments pay such ransoms, they’re not only putting taxpayer dollars directly into the hands of criminals, they’re also encouraging future ransomware attacks. The alternative, of course, is to try to rebuild…often from the ground up.

While cyberinsurance policies can give the illusion of protection, this solution will likely become less viable as the frequency of attacks continues to rise and the amount demanded continues to skyrocket. The goal, then, becomes for companies, government entities and individuals to prepare for and prevent these attacks before they’re targeted. While large-scale legislative solutions, such as outlawing the payment of ransomware demands, may eventually offer some relief, here are some steps that companies, individuals and government entities can take right now to prevent being victims:

  1. Learn: Resources such as NoMoreRansom.org—an initiative created by the National High Tech Crime Unit of Netherlands, Europol’s European Cybercrime Centre, and McAfee—aim to provide prevention education and help ransomware victims retrieve their encrypted data without having to pay criminals.
  2. Educate: When it comes to ransomware, knowing isn’t half the battle—it’s the entire battle. When millions of dollars hinge on your employees’ decision whether or not to open an email, organization-wide training on how to spot malicious emails and social engineering schemes may pay for itself many, many times over.
  3. Backup: There’s no reason to pay criminals to decrypt your data if you have access to a copy. Frequently back up essential data, ideally storing it both locally and on the cloud.
  4. Update: Always downloading the newest version of your operating system or apps helps you stay ahead of threats
  5. Defend: Sufficiently robust security solutions can protect you from known threats as well as those that have not yet been formally detected.

The post The $1.5 Million Email appeared first on McAfee Blogs.

Leveraging McAfee Endpoint Security to Protect Against Emotet and Other Malware

Customers often ask us how to implement the suggestions provided in our blogs and threat advisories to better protect their environments. The goal of this blog is to do just that.

By showing you how to better use our products, you’ll be able to protect against Emotet and other malware. Emotet is a Trojan downloader spread by malicious spam campaigns using JavaScript, VBScript, and Microsoft Office macro functions. It downloads additional malware and persists on the machine as a service. Emotet has been observed to download ransomware, mass-mailing worms, W32/Pinkslipbot, W32/Expiro, W32/Dridex, and banking Trojans.

NOTE: Always test changes prior to implementing them in your environment.

1. DATs and product updates

One of the most common issues seen while in Support was an outdated DAT.

2. Make sure you have at least one scheduled product update task in McAfee ePO to run daily.

3. On-Access Scan (OAS) configuration for McAfee Endpoint Security and McAfee VirusScan Enterprise

Ensure that On-Access Scan (OAS) is enabled and set to scan on read and write and that entire drives aren’t excluded from being scanned. McAfee Endpoint Security and McAfee VirusScan Enterprise allow you to configure different scan settings based on the process. You can enable “Configure different settings for High-Risk and Low-Risk processes” to improve performance and reduce the need for file/folder exclusions. See KB88205 for more information.

Be sure that Artemis/GTI is enabled and that the first scanner action is “Clean” and the second action is “Delete”.

NOTE: Setting Artemis/GTI to High or Very High should be done gradually and with testing to reduce the risk of false positives. See KB53735 for more information.

4. On-Demand Scan (ODS)

A weekly On-Demand Scan (ODS) is suggested to ensure that your systems don’t have malware or PUPs. Do not run an ODS during peak business hours, as users may complain about system performance.

5. Access Protection (AP)

While the default Access Protection (AP) rules provide decent coverage, both McAfee Endpoint Security and McAfee VirusScan Enterprise allow for the creation of user-defined rules to prevent infection and the spread of worms or viruses. Below are some pre-created ones that should be tested and enabled in your environment to provide additional protection.

Pre-Defined Rule:

  • Disabling Registry Editor and Task Manager — Certain malware may attempt to disable the Task Manager to prevent the user from terminating the malicious process. Enable this AP rule to prevent the Task Manager from being disabled.

6. Access Protection (AP) rules for virus and worm outbreaks

These rules should only be enabled during a virus outbreak and for workstations only. Implementing the last two shown below may cause issues with file servers running McAfee VirusScan Enterprise or McAfee Endpoint Security. Always test these rules before you enable them:

  • Remotely Creating Autorun Files
  • Remotely Creating or Modifying Files or Folders
  • Remotely Accessing Local Files or Folders

NOTE: Only create a separate AP policy for workstations if you wish to continue using the AP rules below. Remotely creating files between workstations is unusual behavior.

7. User-defined AP file/folder patch locations

The user-defined rule below is one common location for malware.

8. Microsoft Office malware

Most threats come through email and are often downloaders for other malware. The AP rule below is intended to prevent Microsoft Office applications from executing PowerShell. You can include CScript.exe and WScript.exe as well.

9. McAfee Endpoint Security firewall

Almost all organizations have a firewall at the perimeter level. Some may opt to disable the built-in firewall on workstations and servers. The McAfee Endpoint Security Firewall is more comprehensive than the Windows firewall and can be used to prevent communication to malicious IPs and domains.

10. Blocking malicious traffic with the firewall

Blocking malicious network traffic prevents new variants from being downloaded and can minimize the impact on the environment. Environments that don’t block malicious traffic as one of the first steps often take longer to clean up.

The post Leveraging McAfee Endpoint Security to Protect Against Emotet and Other Malware appeared first on McAfee Blogs.

Improving Cyber Resilience with Threat Intelligence

According to the SANS CTI 2019 survey results, 72% of organizations either consume or produce Threat Intelligence. Although most organizations have Intelligence data, they struggle with defining requirements and managing Cyber Threat Intelligence (CTI) as a program with measurable output. This likely results from threat data and intelligence being perceived as a technical function unrelated to business objectives.

We need to change this perception.

In my opinion, the key business objectives most closely related to threat intelligence are Risk Management and Cyber Resilience. Threat Intelligence can influence the outcomes of both.

Cyber Resilience itself requires risk management and adaptability. The need for businesses to become more resilient is driving the demand for an adaptable security architecture—one that not only effectively leverages threat intelligence to improve Security Operations, especially Incident Response, but also adapts cyber defenses such as endpoint and network controls to prevent the latest threats.

Meanwhile, regulations focused on improving cyber security are driving a continuous risk management approach. For example, in 2016, the European Union released the NIS (Network and Information Systems) Directive, which provides a legal framework to boost the overall level of cybersecurity in critical industries and calls specifically for threat intelligence and incident sharing among organizations and national authorities. With these drivers in mind, we now need to design a managed process with the goal of creating an efficient way to increase the business value of CTI. We can define this process as follows:

  • Discovering the most valuable data sources
  • Using automation to collect, investigate, respond and share
  • Integrating CTI into cyber defense processes
  • Measuring to prove the value of Threat Intelligence

1. Collection, Deduplication and Aggregation

The first step in the CTI Management Process is the collection, deduplication and aggregation of the data or feeds. One of the main gaps at the enterprise level is the collection of local produced Threat Intelligence. Local Threat Intelligence includes data generated from analytics solutions like sandboxes and from incidents. Sandboxes usually produce intelligence data in the form of Indicators of Compromise (IOCs). These local sources could expose targeted attacks, and therefore are potentially the most valuable threat data source.

McAfee’s Open Architecture allows for the production, consumption and sharing of threat intelligence in various ways. Here is an example of how our architecture automates aggregation of various CTI sources with an open-source tool, MISP. The MISP platform subscribes to the McAfee Data Exchange Layer messaging fabric to consume IoCs from McAfee’s Advanced Threat Defense sandbox in real time. Additionally, MISP consumes and manages feeds from open or paid sources, providing an entry-level tool to manage the threat intel process.

Here is another example of how our architecture supports the aggregation process, this time by working with a commercial vendor, ThreatQ.

2. Investigation and Hunting

The second step in the CTI management process is investigation and hunting. Here, the biggest task is figuring out how to make Threat Intelligence actionable, which can be done by answering questions like:

  • Have we seen any related artifacts (IP address connections, Hash/File executions) in my enterprise in the past?
  • Do we have, right now, any devices that have related artifacts?

Before answering these questions, the right data must be collected from the enterprise sensors. Fundamental information should include IP address connections, file hashes on endpoints, web proxy, DNS and Active Directory logs. These logs provide the necessary data for correlation and historical analysis. The following example demonstrates how the architecture can automate some of the key triage steps.

MISP can push Threat Intelligence into McAfee’s SIEM solution, ESM (Enterprise Security Manager), to automate historical analysis. There, it can query McAfee’s Threat Intelligence Exchange server to identify which systems executed related artifacts, and where and when they did so. Furthermore, MISP can run real-time queries against McAfee-protected endpoints with McAfee Active Response to identify any persistent artifacts that are currently in the enterprise network.

Here is another example working with ThreatQ. This time, ThreatQ interacts with McAfee ESM, Active Response and McAfee TIE to identify systems that have or had artifacts related to Threat Intelligence indicators. These various integrations support manual enrichment task and investigations.

The screenshot below highlights the various McAfee integrations as part of an investigation.

3. Response

The third step in the CTI Management Process is response. Cyber Threat Intelligence is essential to prevent the latest threats and should be integrated into key cyberdefense countermeasures. The following example demonstrates an automated update process using McAfee’s Open Architecture, with the Data Exchange Layer (DXL) fabric as the key component.

ThreatQ can communicate via the DXL fabric with McAfee technologies. During this process ThreatQ is able to update key cyber defense countermeasure tools with Threat Intelligence to protect against the latest threats.

Another part of this process step is sharing threat intelligence with other parties, such as partners and communities. Most Threat Intelligence Platforms (open source and commercial) support various protocols for external CTI sharing. This includes TLP, STIX, TAXII and DXL. These protocols support the automated exchange and governance of the shared data.

Another part of this process step is sharing threat intelligence with other parties, such as partners and communities. Most Threat Intelligence Platforms (open source and commercial) support various protocols for external CTI sharing. This list includes TLP, STIX, TAXII and DXL, which feature protocols facilitating the automated exchange and governance of the shared data.

4. Measurement

Finally, the value of Threat Intelligence can be proven by measuring a variety of outcomes. The following are some of the metrics commonly quantified and reported on:

  1. Number of duplicate Threat Intelligence Artifacts removed
  2. Impact on Mean-Time-To-Respond
  3. Number of IOCs generated from Threat Intelligence
  4. Number of incidents identified based on Threat Intelligence
  5. Number of attacks blocked via Threat Intelligence

Summary

The creation and implementation of the right process is critical to the success of Cyber Threat Intelligence within the enterprise. In this blog, we defined a CTI management process of Collection, Investigation, Response and Measurement. McAfee’s research, management platform and open architecture enable you to implement this process and get the best value out of Cyber Threat Intelligence, promoting resilience and enabling better risk management.

Links to additional resources

The post Improving Cyber Resilience with Threat Intelligence appeared first on McAfee Blogs.

Don’t Hesitate When Transforming Your Business

Transformation is a popular buzz word in the tech industry. The market is full of companies promising to be the change your business needs to help it transform into the best player in its category. Many companies that have been around for a decade or more believe they’ve already transformed their business numerous times to keep up with the latest technology trends, while newer companies tend to practice business transformation daily to stay competitive. But is business transformation really needed? The answer is yes! However, transformation is an evolutionary process and won’t happen overnight. Organizations need to think about the future and embrace the fact they need to constantly change and move forward.

Transformation is Continuous

A disruptive and groundbreaking company will continually transform alongside its customers, adopting new applications and policies around the cloud, BYOD and more. As these items evolve, companies are confronted with the challenges and risks of change, including securing new endpoints on devices or in the cloud.

As companies evolve and transform to keep up with the latest IT trends, overlooking the security of company data is a common misstep. A recent study by leading IT analyst firm Frost & Sullivan revealed that 83% of APAC organizations don’t think about cybersecurity while embarking on digital transformation projects. Although 72% of the organizations conduct regular breach assessment to protect themselves against cyberattacks, 55% of them were at risk.

A Plan of Action

Companies are predicted to spend $1.7 trillion on digital transformation by the end of 2019, a 42% increase from 2017, according to IDC. With IT budgets at nearly their highest point, it’s time to rethink your transformation strategy and make security a priority.

The cloud is transforming the enterprise, and as a market leader, McAfee is transforming the way businesses secure data in the cloud. We transform the nature of security itself with SaaS (security-as-a-service) consumption models. By partnering with us, organizations can transform confidently, leveraging security solutions purpose-built with transformation in mind, including those that secure every segment of the cloud and heterogenous device environments. McAfee cloud security solutions extend your security from device to cloud with data visibility, data loss prevention, and advanced threat protection on a platform that supports an open ecosystem. Our goal is to make the most secure environment for your business from device to cloud.

As you start your transformation journey, consider the following questions:

  • How is your organization aligned? What are your organization’s goals?
  • What are the biggest/most important strategic initiatives your company has over the next two to four years?
  • What are your current major IT initiatives? Security initiatives? Cloud initiatives?

Looking to transform your business with McAfee? We’re here to help. Use the resources below for more information.

The post Don’t Hesitate When Transforming Your Business appeared first on McAfee Blogs.