Category Archives: Cloud Security

Lax Security Exposes Smart-Irrigation Systems to Attack Across the Globe  

Systems designed by Mottech Water Management were misconfigured and put in place and connected to the internet without password protections.

Researchers: LinkedIn, Instagram Vulnerable to Preview-Link RCE Security Woes

Popular chat apps, including LINE, Slack, Twitter DMs and others, can also leak location data and share private info with third-party servers.

Best Security Practices to Protect your Web Application from Future Threats

Almost all businesses nowadays use web applications for their targeted growth, but these apps’ security is mostly compromised if proper steps are not taken. During web application development, all other features are given time and preference, but very few give web application security the attention it deserves. The vulnerabilities in your web application can be easily exploited by cybercriminals who always remain in search of sites with lower security protection.

Here are some of the most important security practices that you should implement to secure your web application from the most common threats:

Install SSL Certificates

One of the most effective measures to secure your web applications from cyberattacks is encrypting all the information shared on them. SSL certificates use the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) security protocols to protect the data from the reach of cybercriminals through encryption.

If you do not activate SSL certificates on your web applications, hackers can easily read the shared information if they somehow get access to it. SSL certificates use cryptographic keys to make it impossible for the attackers to read the data.

The certificate authorities ensure that data transfer is encrypted throughout the communication process. Before buying an SSL certificate for your web app, make sure you are purchasing it from a trustworthy SSL Authority like ClickSSL, which provides some of the most popular SSL certificates at a very reasonable price.

Manage User Permissions

Wisely managing user’s permissions makes your web applications more secure than before. There would be numerous employees working in your company, and you know that not every worker needs full access to the system to perform his/her job. So, it would be best to implement the “Principle of least privilege” to limit every user’s access.

If you have granted full access permissions to everyone working in your organization, it will take a single cyber-attack by the scammers to access your entire system. So, to avoid any data breaches, you should strictly implement the least privilege principle in your firm. This may be a time-consuming process, but it will save your web app from many potential threats and malicious workers too.

 

Train your Employees

If you are running an organization, you should never expect that most of your employees will have a decent knowledge of current cyber security threats. Most of your staff members would not have the necessary information about these scams. This may put you and your company in hot water, as employees with no sound knowledge of cyberattacks can quickly become victims of hackers.

So, to protect your web application, you need to conduct proper cybersecurity training sessions for your employees. You must hire a web application security master to train all your staff about your web app and operating environment’s potential threats.

This cyber security training will help your employees independently identify and save themselves and your business from all security threats.

Hire Professional Hackers

Ethical hackers use the same tricks and techniques applied by cybercriminals to exploit your web application’s vulnerabilities. But they do this for your benefit, to understand the security risks in your web app. Professional white hat hackers use the following techniques to test your web app’s security:

Cross-site scripting (XSS)

Man-in-the-middle (MITM) attacks

Broken authentication

Distributed Denial-of-service (DDoS) attacks

Sensitive data exposure

SQL injection

Phishing

White hat hacking

After your web app’s penetration test (Pen-testing), you would become familiar with your website’s security weaknesses that will help you improve your web application’s security.

Secure Web App during Development

This is one of the essential security steps in protecting your web apps from the reach of hackers. This technique is all about preventing your software from security issues that occur during the development lifecycle. For this, you need to hire developers who have full knowledge of all the prevalent security problems and prevent malicious code in the actual program of the web application.

And if they find any malicious activity during the development lifecycle, they should identify and eliminate that issue.

Regular Updates

With multiple network security threats, it is essential to release regular updates for your web app’s security. Outdated software lacks recent security features and can easily be manipulated by malicious hackers. Depending on your web app’s infrastructure, you need to update your web app’s components. Keeping your web application up to date will protect it from the known attacks by hackers.

Keep Monitoring your App Regularly

To stay on the safe side, you should regularly keep looking for security vulnerabilities in your web app. It would help if you used different techniques for testing your mobile app security level. You can use dynamic and static application security testing tools to monitor your web app’s performance and security level. Regular testing of your system will help you know the vulnerabilities and implement new protection schemes to protect your web application.

Backup all Data

With an increase in the number of cyberattacks in today’s world, your web app data remains under threat every time. Hackers may get full access to your web app data that will put you in serious trouble. To avoid such a situation, you need to store all your web app data at another location. It may be a good idea to replicate the archives of all your information in multiple places to protect you from heavy losses in case your primary backup location is damaged or compromised.

The 3-2-1 backup rule diagram

Employ Security Experts

You need to invest more in security services to protect your web application from cybercriminals. Hiring security experts is a wise step towards improving your web app security. A security specialist or security service company uses specialized tools to monitor the security level of your website. The scanning results show the vulnerabilities present in your site. They then help you implement new security techniques to protect your web applications.

Before hiring anyone for security improvements, do complete research and check the individual’s reputation or the firm to validate their competence and authenticity.

Conclusion

Cybercriminals are finding new ways to take advantage of the weaknesses in your web applications. They always remain searching for websites that have poor web application security to launch an attack on them. To protect your web applications, you need to stay updated about all the known security threats. For organizations, dealing with malicious attacks is dependent on all employees. If any of your workers makes a mistake in handling a potential cyberattack, it can put all your firm’s data in danger.

Cybersecurity protection starts with training your employees and implementing the right security techniques to secure your web applications. Implementing the above-listed best security practices will keep your web applications safe from all types of cyberattacks.

The post Best Security Practices to Protect your Web Application from Future Threats appeared first on CyberDB.

Moving to the cloud with a security-first, zero trust approach

Many companies tend to jump into the cloud before thinking about security. They may think they’ve thought about security, but when moving to the cloud, the whole concept of security changes. The security model must transform as well.

Moving to the cloud and staying secure

Most companies maintain a “castle, moat, and drawbridge” attitude to security. They put everything inside the “castle” (datacenter); establish a moat around it, with sharks and alligators, guns on turrets; …

The post Moving to the cloud with a security-first, zero trust approach appeared first on Help Net Security.

Data-Centric Security for the Cloud, Zero Trust or Advanced Adaptive Trust?

Over the last few months, Zero Trust Architecture (ZTA) conversations have been top-of-mind across the DoD. We have been hearing the chatter during industry events all while sharing conflicting interpretations and using various definitions. In a sense, there is an uncertainty around how the security model can and should work. From the chatter, one thing is clear – we need more time. Time to settle in on just how quickly mission owners can classify a comprehensive and all-inclusive, acceptable definition of Zero Trust Architecture.

Today, most entities utilize a multi-phased security approach. Most commonly, the foundation (or first step) in the approach is to implement secure access to confidential resources. Coupled with the shift to remote and distance work, the question arises, “are my resources and data safe, and are they safe in the cloud?”

Thankfully, the DoD is in the process of developing a long-term strategy for ZTA. Industry partners, like McAfee, have been briefed along the way. It has been refreshing to see the DoD take the initial steps to clearly define what ZTA is, what security objectives it must meet, and the best approach for implementation in the real-world. A recent DoD briefing states “ZTA is a data-centric security model that eliminates the idea of trusted or untrusted networks, devices, personas, or processes and shifts to a multi-attribute based confidence levels that enable authentication and authorization policies under the concept of least privilege access”.

What stands out to me is the data-centric approach to ZTA. Let us explore this concept a bit further. Conditional access to resources (such as network and data) is a well-recognized challenge. In fact, there are several approaches to solving it, whether the end goal is to limit access or simply segment access. The tougher question we need to ask (and ultimately answer) is how do we limit contextual access to cloud assets? What data security models should we consider when our traditional security tools and methods do not provide adequate monitoring? And is securing data, or at least watching user behavior, enough when the data stays within multiple cloud infrastructures or transfers from one cloud environment to another?

Increased usage of collaboration tools like Microsoft 365 and Teams, Slack and WebEx are easily relatable examples of data moving from one cloud environment to another. The challenge with this type of data exchange is that the data flows stay within the cloud using an East-West traffic model. Similarly, would you know if sensitive information created directly in Office 365 is uploaded to a different cloud service? Collaboration tools by design encourage sharing data in real-time between trusted internal users and, more recently with telework, even external or guest users. Take for example a supply chain partner collaborating with an end user. Trust and conditional access potentially create a risk to both parties, inside and outside of their respective organizational boundaries. A data breach, whether intentional or not, can easily occur because of the pre-established trust and access. There are few to no default protection capabilities preventing this situation from occurring without intentional design. Data loss protection, activity monitoring and rights management all come into question. Clearly, new data governance models, tools and policy enforcement capabilities for this simple collaboration example are required to meet the full objectives of ZTA.

So, as the communities of interest continue to refine the definitions of Zero Trust Architecture based upon deployment, usage, and experience, I believe we will find ourselves shifting from a Zero Trust model to an Advanced Adaptive Trust model. Our experience with multi-attribute-based confidence levels will evolve and so will our thinking around trust and data-centric security models in the cloud.

 

 

The post Data-Centric Security for the Cloud, Zero Trust or Advanced Adaptive Trust? appeared first on McAfee Blogs.

Pharma Giant Pfizer Leaks Customer Prescription Info, Call Transcripts

Hundreds of medical patients taking cancer drugs, Premarin, Lyrica and more are now vulnerable to phishing, malware and identity fraud.

Microsoft Exchange, Outlook Under Siege By APTs

A new threat report shows that APTs are switching up their tactics when exploiting Microsoft services like Exchange and OWA, in order to avoid detection.

“Best of Breed” – CASB/DLP and Rights Management Come Together

Securing documents before cloud

Before the cloud, organizations would collaborate and store documents on desktop/laptop computers, email and file servers. Private cloud use-cases such as accessing and storing documents on intranet web servers and network attached storage (NAS) improved the end-user’s experience. The security model followed a layered approach, where keeping this data safe was just as important as not allowing unauthorized individuals into the building or data center. This was followed by a directory service to sign in to, protecting your personal computer, then permissions on files stored on file servers to assure safe usage.

Enter the cloud

Most organizations now consider cloud services to be essential in their business. Services like Microsoft 365 (SharePoint, OneDrive, Teams), Box, and Slack are depended upon by all users. The same fundamental security concepts exist – however, many are covered by the cloud service itself. This is known as the “Shared Security Model” – essentially the Cloud Service Provider handles basic security functions (physical security, network security, operations security), but the end customer must correctly give access to data and is ultimately responsible for properly protecting it.

The big difference between the two is that in the first security model, the organization owned and controlled the entire process. In the second cloud model, the customer owns the controls surrounding the data they choose to put in the cloud. This is the risk that collaborating and storing data in the cloud brings; once the documents have been stored in M365, what happens if it is mishandled from this point forward? Who is handling these documents? What if my most sensitive information has left the safe confines of the cloud service, how can I protect that once it leaves? Fundamentally: How can I control data that lives hypothetically anywhere, including areas that I do not have control over?

Adding the protection layers that are cloud-native

McAfee and Seclore have extended an integration recently to address these cloud-based use cases. This integration fundamentally answers this question: If I put sensitive data in the cloud that I do not control, can I still protect the data regardless of where it lives?

The solution works like this:

The solution puts guardrails around end-user cloud usage, but also adds significant compliance protections, security operations, and data visibility for the organization.

Data visibility, compliance & security operations

Once an unprotected sensitive file has been uploaded to a cloud service, McAfee MVISION Cloud Data Loss Prevention (DLP) detects the file upload. Customers can assign a DLP policy to find sensitive data such as credit card data (PCI), customer data, personally identifiable information (PII) or any other data they find to be sensitive.

Sample MVISION Cloud DLP Policy

If data is found to be in violation of policy, it means the data must be properly protected. For example, if the DLP engine finds PII, rather than let it sit unprotected in the cloud service, the McAfee policy the customer sets should enact some protection on the file. This action is known as a “Response”, and MVISION Cloud will show the detection, the violating data, and the actions taken in the incident data. In this case, McAfee will call Seclore to protect the file. These actions can be performed in near real-time, or as an on-demand scan that enacts protection on data that already exists in the cloud service.

“Seclore-It” – Protection Beyond Encryption

Now that the file has been protected, downstream access to the file is managed by Seclore’s policy engine. Examples of policy-based access could be end-user location, data type, user group, time of day, or any other combination of policy choices. The key principle here is the file is protected regardless of where it goes and enforced by a Seclore policy that the organization sets. If a user accesses the file, an audit trail is recorded to assure that organizations have the confidence that data is properly protected. The audit logs show allows and denies, completing the data visibility requirements.

One last concern: if a file is “lost”, if access must be restricted to files that are no longer in direct control (such as when a user leaves the company), or if the organization simply wants to update policies on protected files, the policy on those files can be dynamically updated. This addresses a major data loss concern that companies have for cloud service providers and general data use for remote users. Ensuring files are always protected, regardless of scenario, is simple to achieve with Seclore by taking the action to update a policy. Once the policy has been updated, even files on a thumb drive stuffed in a drawer are now re-protected from accidental or intentional disclosure.

Conclusion

This article addresses several notable concerns for customers doing business in a cloud model. Important/sensitive data can now be effortlessly protected as it migrates to and through cloud services to its ultimate destination. The organization can prove compliance to auditors that the data was protected and continues to be protected. Security operations can track incidents and follow the access history of files. Finally, the joint solution is easy to use and enables businesses to confidently conduct business in the cloud.

Next Steps

McAfee and Seclore partner both at the endpoint and in the cloud as an integrated solution. To find out more and see this solution running in your environment, send an inquiry to cloud@mcafee.com

 

The post “Best of Breed” – CASB/DLP and Rights Management Come Together appeared first on McAfee Blogs.

Top 10 Microsoft Teams Security Threats

2020 has seen cloud adoption accelerate, with Microsoft Teams as one of the fastest growing collaboration apps. McAfee customers’ use of Teams increased by 300% between January and April 2020. When we looked into Teams use in more detail in June, we found these statistics, on average, in our customer base:

 

Teams Created: 367

Members added to Teams: 6,526

Number of Teams Meetings: 106,000

3rd Party Apps added to Teams: 185

Guest users added to Teams: 2,906

This means that a typical enterprise has a new guest user added to their teams every few minutes – you wouldn’t allow unknown people to walk into an office, straight past security and walk around the building unescorted looking at papers sitting on people’s desks, but at the same time you want to allow in those guests you trust. For Teams, you need the same controls – allow in those guests you trust, but confirm their identity and make sure that they don’t see confidential information.

Microsoft invests huge amounts of time and money in the security of their systems, but security of the data in those systems and how they are used by the users is the responsibility of the enterprise.

The breadth of options, including inviting guest users and integration with 3rd party applications can be the Achilles heel of any collaboration technology. It takes just seconds to add an external third party into an internal discussion without realizing the potential for data loss, so sadly the risk of misconfiguration, oversharing or misuse can be large.

IT security teams need the ability to manage and control use to reduce risk of data loss or malware entering through Teams.

After working with hundreds of enterprises and over 40 million MVISION Cloud users worldwide and discussing with IT security, governance and risk teams how they address their Microsoft Teams security concerns, we have published a paper that outlines the top ten security threats and how to address them.

Microsoft Teams: Top 10 Security Threats

This collaboration potentially increases threats such as data loss and malware distribution. In this paper, McAfee discusses the top threats resulting from Teams use along with recommended actions.

A few of the 10 Top Microsoft Teams Security Threats are below; read the paper for the full list.

  1. Microsoft Teams Guest Users: Guests can be added to see internal/sensitive content. By setting allow and/or block list domains, security can be implemented with the flexibility to allow employees to collaborate with authorized guests via Teams.
  2. Screen sharing that includes sensitive data. Screen sharing is very powerful, but can inadvertently share confidential data, especially if communication applications such as email are showing alerts on the screen.
  3. Access from Unmanaged Devices: Teams can be used on unmanaged devices, potentially resulting in data loss. The ability to set policies for unmanaged devices can safeguard Teams content.
  4. Malware Uploaded via Teams: File uploads from guests or from unmanaged devices may contain malware. IT administrators need the ability to either block all file uploads from unmanaged devices or to scan content when it is uploaded and remove it from the channel, informing IT management of any incidents.
  5. Data Loss Via Teams Chat and File Shares: File shares in Teams can lose confidential data. Data loss prevention technologies with strong sensitive content identification and sharing control capabilities should be implemented on Teams chat and file shares.
  6. Data Loss Via Other Apps: Teams App integration can mean data may go to untrusted destinations. As some of these apps may transfer data via their services, IT administrators need a system to discover third-party apps in use, review their risk profile and provide a workflow to remediate, audit, allow, block or notify users on an app’s status and revoke access as needed.

McAfee has a wealth of experience helping customers secure their cloud computing systems, built around the MVISION Cloud CASB and other technologies. We can advise you about Microsoft Teams security and discuss possible threats of taking no action. Contact us to let us help you.

Teams is just one of the many applications within the Microsoft 365 suite and it is important to deploy common security controls for all cloud apps. MVISION Cloud provides security for Microsoft 365 and other cloud-based applications such as Salesforce, Box, Workday, AWS, Azure, Google Cloud Platform and customers’ own internally developed applications.

 

The post Top 10 Microsoft Teams Security Threats appeared first on McAfee Blogs.

Securing an Agile and Hybrid Workforce

Guest article by Andrea Babbs, UK General Manager, VIPRE

2020 has forced businesses to revise many of their operations. One significant transition has been the shift to a remote working model, for which many were unprepared in terms of equipment, infrastructure and security. As the government now urges people to return to work, we’re already seeing a shift towards a hybrid workforce, with many employees splitting their time between the office and working from home.

As organisations are now reassessing their long-term office strategies, front and centre to that shift needs to be their IT security underpinned by a dependable and flexible cloud infrastructure. Andrea Babbs, UK General Manager, VIPRE, discusses what this new way of working means long-term for an organisation’s IT security infrastructure and how businesses can successfully move from remote working to a secure and agile workforce.

Power of the Cloud
In light of the uncertainty that has plagued most organisations, many are looking to options that can future-proof their business and enable as much continuity as possible in the event of another unforeseen event. The migration of physical servers to the Cloud is therefore a priority, not only to facilitate agile working, but to provide businesses with greater flexibility, scalability and more efficient resources. 

COVID-19 accelerated the shift towards Cloud-based services, with more data than ever before now being stored in the Cloud. For those organisations working on Cloud-based applications and drives, the challenges of the daily commute, relocations for jobs and not being able to ‘access the drive’ are in the past for many. Cloud services are moving with the user – every employee can benefit from the same level of security no matter where they are working or which device they are using. However, it’s important to ensure businesses are taking advantage of all the features included in their Cloud subscriptions, and that they’re configured securely for hybrid working. 

Layered Security Defence
Cloud-powered email, web and network security will always underline IT security defences, but these are only the first line of defence. Additional layers of security are also required to help the user understand the threat landscape, both external and internal. Particularly when working remotely with limited access to IT support teams, employees must be ready to question, verify the authenticity and interrogate the risk level of potential phishing emails or malicious links. 

With increased pressure placed on users to perform their roles faster and achieve greater results than ever before, employees will do what it takes to power through and access the information they need in the easiest and quickest way possible. This is where the cloud has an essential role to play in making this happen, not just for convenience and agility but also to allow users to stay secure – enabling secure access to applications for all devices from any location and the detection and deletion of viruses – before they reach the network. 

Email remains the most-used communication tool, even more so when remote working, but it also remains the weakest link in IT security, with 91% of cybercrimes beginning with an email. Implementing innovative tools that prompt employees to double-check emails before they send them can help reduce the risk of sharing the wrong information with the wrong individual.

Additional layers of defence such as email checking tools, are removing the barriers which slow the transition to agile working and are helping to secure our new hybrid workforce, regardless of the location they’re working in, or what their job entails. 

Educating the User
The risk an individual poses to an organisation can often be the main source of vulnerability in a company’s IT infrastructure. When remote working became essential overnight, businesses faced the challenges of malware spreading from personal devices, employees being distracted and exposing incorrect information and an increase in COVID-related cyber-attacks. 

For organisations wanting to evolve into a hybrid work environment, their IT security policies need to reflect the new reality. By re-educating employees about existing products and how to leverage any additional functionality to support their decision making, users can be updated on these cyber risks and understand their responsibilities.

Security awareness training programmes teach users to be alert and more security conscious as part of the overall IT security strategy. In order to fully mitigate IT security risks and for the business to benefit from an educated workforce, both in the short and long term, employees need to change their outdated mindset. 

Changing the Approach
The evolution of IT and security over the past 20 years means that working from home is now easily achievable with cloud-based setups, whereas in the not too distant past, it would have been impossible. But the key to a successful and safe agile workforce is to shift the approach of full reliance on IT, to a mindset where everyone is alert, responsible, empowered and educated with regular training, backed up by tools that reinforce a ‘security first’ approach. 

IT departments cannot be expected to stay one step ahead of cybercriminals and adapt to new threats on their own. They need their colleagues to work mindfully and responsibly on the front lines of cyber defence, comfortable in the knowledge that everything they do is underpinned by a robust and secure IT security infrastructure, but that the final decision to click the link, send the sensitive information or download the file, lies with them. 

Conclusion
As employees prove they can work from home productively, the role of the physical office is no longer necessary. For many companies, it is a sink or swim approach when implementing a hybrid and agile workforce. Introducing and retaining flexibility in operations now will help organisations cope better with any future unprecedented events or crises.

By focusing on getting the basics right and powered by the capabilities of the Cloud, highlighting the importance of layered security and challenging existing mindsets, businesses will be able to shift away from remote workers being the ‘exception,’ to a secure and agile workforce as a whole.

MITRE ATT&CK for Cloud: Adoption and Value Study by UC Berkeley CLTC

Are you prepared to detect and defend against attacks that target your data in cloud services, or apps you’ve built that are hosted in the cloud? 

Background 

Nearly all enterprises and public sector customers we work with have enabled cloud use in their organization, with many seeing a 600%+ increase[1] in use in the March-April timeframe of 2020, when the shift to remote work rapidly took shape.

The first step to developing a strong cloud security posture is visibility over the often hundreds of services your employees use, what data is within these services, and then how they are being used collaboratively with third parties and other destinations outside of your control. 

With that visibility, you can establish full control over end-user activity and data in the cloud, applying your policy at every entry and exit point to the cloud.  

That covers your risk stemming from legitimate use by employees, external collaborators, and even API-connected marketplace apps, but what about your adversaries? If someone phished your CEO, stole their OneDrive credentials and exfiltrated data, would you know? What if your CEO used the same password across multiple accounts, and the adversary had access to apps like Smartsheet, Workday, or Salesforce? Are you set up to detect this kind of multi-cloud attack? 

Our Research to Uncover the Best Solution  

Most enterprise security operations centers (SOCs) use MITRE ATT&CK to map the events they see in their environment to a common language of adversary tactics and techniques. This helps them understand gaps in protection, model how attackers progress from access to exfiltration (or encryption/destruction), and plan out security policy decisions.

The original ATT&CK framework applied to Windows/Mac/Linux environments, with Android/iOS included as well. For cloud environments, the MITRE ATT&CK framework has a shorter history (released October 2019), but is quickly gaining adoption as the model for cloud threat investigation.

In collaboration with the University of California Berkeley’s Center for Long-Term Cybersecurity (CLTC) and MITRE, we sought to uncover how enterprises investigate threats in the cloud, with a focus on MITRE ATT&CK. In this initiative, researchers from UC Berkeley CLTC conducted a survey of 325 enterprises in a wide range of industries, with 1K employees or above, split between the US, UK, and Australia. The Berkeley team also conducted 10 in-depth interviews with security leaders in various cybersecurity functions.  

Findings 

MITRE has done an excellent job identifying and categorizing adversary tactics and techniques used in the cloud. When asked about the prevalence of these tactics observed in their environment, 81% of our survey respondents had experienced each of the tactics in the Cloud Matrix on average. 58% had experienced the initial access phase of an attack at least monthly. 

Given the frequency with which most enterprises experience these adversary tactics and techniques, we found widespread adoption of the ATT&CK Cloud Matrix, with 97% of our respondents either planning to use or already using the Matrix.

In the full report, we explore deeper implications of using MITRE ATT&CK for Cloud, including consensus on the value it brings to enterprise organizations, challenges with implementation, and many more interesting results from our investigation. Head to the full report here to dive in.  

One of the most promising benefits of MITRE ATT&CK is the unification of events derived from endpoints, network traffic, and the cloud together into a common language. Right now, only 39% of enterprises correlate events from these three environments in their threat investigation. Further adoption of MITRE ATT&CK over time will unlock the ability to efficiently investigate attacks that span multiple environments, such as a compromised endpoint accessing cloud data and exfiltrating to an adversary destination. 

This research demonstrates promising potential for MITRE ATT&CK in the enterprise SOC, with downstream benefits for the business. 87% of our respondents stated that adoption of MITRE ATT&CK will improve cloud security in their organization, with another 79% stating that it would also make them more comfortable with cloud adoption overall. A safer transition to cloud-based collaboration and app development can accelerate businesses, a subject we’ve investigated in the past [2]. MITRE ATT&CK can play a key role in secure cloud adoption, and defense of the enterprise overall.

Dive into the full research report for more on these findings! 


[1] https://www.mcafee.com/enterprise/en-us/forms/gated-form.html?docID=3804edf6-fe75-427e-a4fd-4eee7d189265&eid=LAVVPBCF

[2] https://www.mcafee.com/enterprise/en-us/forms/gated-form.html?docID=75e3a9dc-793e-488a-8d8a-8dbf31aa5d62&eid=5PES9QHP

The post MITRE ATT&CK for Cloud: Adoption and Value Study by UC Berkeley CLTC appeared first on McAfee Blogs.

Reducing Cloud Infrastructure Risk through Skills: Meet the Forescient Cyber Range

There’s no question that cloud services can accelerate business with instant computing power, on-demand scalability, ease of access, and built-in security controls.  However, these features are also attractive to hackers.  According to McAfee Cloud Adoption and Risk Report 2019, the average enterprise organization experiences 31.3 actual cloud-related security threats each month, a 27.7% increase over the same period last year.

5 Reasons Why You Should Avoid Free VPNs

Virtual Private Network (VPN) is a technology that offers total security for all your digital activities. It serves as a barrier against third-party groups, hackers, cyber threats, malware, and sensitive data leakage. 

More than ever, we need to invest in high-end protection to ensure our privacy is never compromised. VPNs are in high demand under current conditions, where most people stay at home and work remotely. With increased online activity, it’s high time to protect your privacy.

Free VPNs are enticing and offer ‘great’ security without extra cost. Their services sound too good to be true, and you should be skeptical of them and stay away.

Are There Alternatives To Top-Rated VPN Providers? 

The risk of using a free VPN is high, as it does not offer robust encryption compared to paid services. It is better to pay for a cheap VPN service than to compromise your security. Affordable VPN services offer powerful data encryption for people with limited budgets. They provide standard encryption technology to ensure your privacy is protected and your digital activities are secured.

There are a few reliable and trusted VPN providers that offer affordable plans, so you do not have to use free services that threaten your security. These are great alternatives that won’t hurt your wallet but will surely be of great help, especially if you’re constantly browsing the internet.

5 Facts Why Free VPNs Are A No-No

Free VPN software keeps records of your digital activities and sells them to third parties. It offers encryption that doesn’t ‘really’ mask your activities or protect your identity. Free VPN services log all your sensitive data, which is already a threat to your privacy. Aside from that, here are five things to remember about why free VPNs are a no-no.

  1. Monitor And Sell All Collected Data

VPNs act as your protective barrier against digital threats while you’re online. They secure all your data, online activities, and private information against prying eyes, government surveillance, etc. VPNs block hackers and your ISP from collecting or selling your data for profit.

Free VPNs reverse this arrangement: you become the cash cow that funds the service, in exchange for the data they collect from you. This sensitive data is then sold to third parties, which poses a threat not just to your information but to your privacy as well.

  2. Leaks IP Addresses

Robust VPN solutions offer total security and encryption for all your digital activities and traffic. They serve as your secret portal on the world wide web, shielding you from cyber threats, hackers, and prying eyes.

Using a free VPN is like using a tunnel full of holes that can leak your data or IP address. Hackers can track your activity, prying eyes can monitor you, and, worse, you can be exposed to numerous privacy threats.

  3. They Are Not Safe

Free VPN solutions are risky. They are a dangerous threat to your security and privacy. Running a VPN service is pricey and offering it for free to users is fishy. That means your data are the menu served for other people to devour. 

  4. Aggressive Ads

Free VPNs serve aggressive ads, and a single click can land you on a hazardous site. This can expose you to numerous threats and to hackers who can instantly access your information and files. A high volume of ads can also weigh your system down and degrade your browsing experience, on top of the privacy threats.

  5. Malware Exposure

Free VPN solutions contain malware that can damage not just your privacy but your devices. You have a higher chance of being exposed to these nasty bugs when you download such software. Mobile ransomware and malware can steal sensitive information such as your social security details and bank login details.

Conclusion

Free VPNs are enticing and offer ‘robust security’ without the need to pay hundreds of dollars a year. However, your security is at stake, together with your sensitive data and information.

Though a free VPN can help you stream region-restricted websites, you need to reconsider your options and the potential threats. Free VPNs are not safe; if you want to secure your digital presence, you can opt for an affordable VPN solution that offers high-end encryption to ensure your privacy and data are protected against potential hacks.

The post 5 Reasons Why You Should Avoid Free VPNs appeared first on CyberDB.

MVISION Cloud for Microsoft Teams

McAfee MVISION Cloud for Microsoft Teams now offers secure guest user collaboration features, allowing security admins not only to monitor sensitive content posted as messages and files within Teams, but also to monitor guest users joining Teams and remove any unauthorized guests.

Working from home has become a new reality for many, as more and more companies are requesting that their staff work remotely. Already, we are seeing how solutions that enable remote work and learning across chat, video, and file collaboration have become central to the way we work. Microsoft has seen an unprecedented spike in Teams usage and they have more than 75 million daily users as of May 2020, a 70% increase in daily active users from the month of March.

What’s New in MVISION Cloud for Microsoft Teams 

MVISION Cloud for Microsoft Teams now provides policy controls for security admins to monitor and remove unauthorized guest users based on criteria such as their domains and the teams they are joining. As organizations use Microsoft Teams to collaborate with trusted partners to exchange messages, participate in calls, and share files, it is critical to ensure that partners join only teams designated for external communication and that only guest users from trusted partner domains join those teams.

 Organizations can configure policies in McAfee MVISION Cloud to:

  • Monitor guest users from untrusted domains and remove the guest users automatically. Security admins do not have to reach out to Microsoft Teams admin and ask them to remove any untrusted guest users manually.  
  • Define the list of teams designated for external communication and make sure that users from partner organizations are joining only those teams and not any internal teams. If the partner users join any internal-only teams, they will be removed by McAfee MVISION Cloud automatically.  

With these new features, McAfee offers complete data protection and collaboration control capabilities to enable organizations to safely collaborate with partners without having to worry about exposing confidential data to guest users.

Here is the comprehensive list of use cases organizations can enable by using MVISION Cloud for Microsoft Teams. 

  • Modern data security. IT can extend existing DLP policies to messages and files in all types of Teams channels, enforcing policies based on keywords, fingerprints, data identifiers, regular expressions and match highlighting for content and metadata. 
  • Collaboration control. Messages or files posted in channels can be restricted to specific users, including blocking the sharing of data to any external location. 
  • Guest user control. Guest users can be restricted to join only teams meant for external communication and unauthorized guest users from any domains other than trusted partner domains can be automatically removed.  
  • Comprehensive remediation. Enables auditing of regulated data uploaded to Microsoft Teams and remediates policy violations by coaching users, notifying administrators, quarantining, tombstoning, restoring and deleting user actions. End users can autonomously correct their actions, removing incidents from IT’s queue. 
  • Threat prevention. Empowers organizations to detect and prevent anomalous behavior indicative of insider threats and compromised accounts. McAfee captures a complete record of all user activity in Teams and leverages machine learning to analyze activity across multiple heuristics to accurately detect threats. 
  • Forensic investigations. With an auto-generated, detailed audit trail of all user activity, MVISION Cloud provides rich capabilities for forensics and investigations.
  • On-the-go security, for on-the-go policies. Helps secure multiple access modes, including browsers and native apps, and applies controls based on contextual factors, including user, device, data and location. Personal devices lacking adequate control over data can be blocked from access. 

McAfee MVISION Cloud for Microsoft Teams is now in use with a substantial number of large enterprise customers to enable their security, governance and compliance capabilities. The solution fits all industry verticals due to the flexibility of policies and its ease of use. 

The post MVISION Cloud for Microsoft Teams appeared first on McAfee Blogs.

The DRaaS Data Protection Dilemma

Written by Sarah Doherty, Product Marketing Manager at iland

Around the world, IT teams are struggling to choose between less critical but important tasks and innovative projects that help transform the business. Both are necessary for your business and need to be actioned, but should your team do all of it? Have you thought about allowing someone else to guide you through the process while your internal team continues to focus on transforming the business?

DRaaS data protection dilemma: outsourcing or self-managing?

Disaster recovery can take a lot of time to properly implement so it may be the right time to consider a third-party provider who can help with some of the more routine and technical aspects of your disaster recovery planning. This help can free up some of your staff’s valuable time while also safeguarding your vital data.

Outsourcing your data protection functions vs. managing them yourself

Information technology has raised many questions about how it really should be done. Some experts favour the Disaster Recovery as a Service (DRaaS) approach. They believe that data protection, although necessary, has very little to do with core business functionality. Organisations commonly outsource non-business services, which has driven many to consider the idea of employing third parties for other business initiatives. This has led some companies to believe that all IT services should be outsourced, enabling the IT team to focus solely on core business functions and transformational growth.

Other groups challenge the concept and believe that the idea of outsourcing data protection is foolish. An organisation’s ability to quickly and completely recover from a disaster - such as data loss or an organisational breach - can be the determining factor as to whether the organisation will remain in business. Some may think that outsourcing something as critical as data protection, and putting your organisation’s destiny into the hands of a third party, is a risky strategy. The basic philosophy behind this type of thinking can best be described as: “If you want something done right, do it yourself.”

Clearly, both sides have some compelling arguments. On one hand, by moving your data protection solution to the cloud, your organisation becomes increasingly agile and scalable. Storing and managing data in the cloud may also lower storage and maintenance costs. On the other hand, managing data protection in-house gives the organisation complete control. Therefore, a balance of the two approaches is needed in order to be sure that data protection is executed correctly and securely.

The answer might be somewhere in the middle

Is it better to outsource all of your organisation’s data protection functions, or is it better to manage it yourself? The best approach may be a mix of the two, using both DRaaS and Backup as a Service (BaaS). While choosing a cloud provider for a fully managed recovery solution is also a possibility, many companies are considering moving away from ‘do-it-yourself’ disaster recovery solutions and are exploring cloud-based options for several reasons.

Firstly, purchasing the infrastructure for the recovery environment requires a significant capital expenditure (CAPEX) outlay. Therefore, making the transition from CAPEX to a subscription-based operating expenditure (OPEX) model makes for easier cost control, especially for those companies with tight budgets.

Secondly, cloud disaster recovery allows IT workloads to be replicated from virtual or physical environments. Outsourcing disaster recovery management ensures that your key workloads are protected, and the disaster recovery process is tuned to your business priorities and compliance needs while also allowing for your IT resources to be freed up.

Finally, cloud disaster recovery is flexible and scalable; it allows an organisation to replicate business-critical information to the cloud environment either as a primary point of execution or as a backup for physical server systems. Furthermore, the time and expense to recover an organisation’s data is minimised, resulting in reduced business disruption.

A disadvantage of local backups is that they can be targeted by malicious software that proactively searches for backup applications and database backup files and fully encrypts the data. Additionally, backups, especially when organisations try to recover quickly, are prone to unacceptable Recovery Point Objectives (RPO).

What to look for when evaluating your cloud provider

It is also essential when it comes to your online backups to strike a balance between micromanaging the operations and completely relinquishing any sort of responsibility. After all, it’s important to know what’s going on with your backups. Given the critical nature of the backups and recovery of your data, it is essential to do your homework before simply handing over backup operations to a cloud provider. There are a number of things that you should look for when evaluating a provider.

  • Service-level agreements that meet your needs.
  • Frequent reporting, and management visibility through an online portal.
  • All-inclusive pricing.
  • Failover assistance at a moment’s notice.
  • Do-it-yourself testing.
  • Flexible network layer choices.
  • Support for legacy systems.
  • Strong security and compliance standards.

These capabilities can go a long way towards allowing an organisation to check on their data recovery and backups, on an as-needed basis, while also instilling confidence that the provider is protecting the data according to your needs. The right provider should also allow you the flexibility to spend as much or as little time on data protection, proportional to your requirements.

Ultimately, using cloud backups and DRaaS is flexible and scalable; it allows an organisation to replicate business-critical information to the cloud environment either as a primary point of execution or as a backup for physical server systems. In most cases, the right disaster recovery provider will likely offer you better recovery time objectives than your company could provide on its own, in-house. Therefore as you review your options, cloud DR could be the perfect solution, flexible enough to deal with an uncertain economic and business landscape.

McAfee ESM Named a 2020 Gartner Peer Insights Customers’ Choice for SIEM

The McAfee team is very proud to announce that once again McAfee was named a Gartner Peer Insights Customers’ Choice for SIEM for its McAfee Enterprise Security Manager (ESM) Solution, a recognition of high satisfaction from a number of reviews by verified end-user professionals.

We are most appreciative of our customers who support our solutions and share their opinions through forums like Gartner Peer Insights. The voice and passion of our customers is instrumental in shaping our success and motivates us each day to improve and innovate.

To that end we have taken our SIEM product and made it deployable on-prem or in the cloud via ESM Cloud. By leveraging the power of cloud computing, the new McAfee ESM Cloud allows customers to accelerate time to value for security operations centers by removing operational barriers, providing automated deployment, 24/7 system health monitoring, regular software updates, and patches, thereby allowing teams to focus efforts on security tasks.

Here are some quotes from customers that contributed to Gartner Peer Insights’ recognition of ESM:

“Provides the features you need, in a simple easy to use, easy to understand display”

“Integration and deployment was very easy, we integrated the McAfee Enterprise Security Manager (ESM), McAfee Event Receiver (ERC), and McAfee Enterprise Log Manager (ELM) in our lab in just a little under 4 hours… In under 4 hours we were collecting from a variety of MS Windows systems and a variety of Linux systems (RHEL, Ubuntu, and CENTOS). Other SIEM systems that we were evaluating took days to get running and then we still spent time on having to tune them.”

Cybersecurity Architect, Government. Read full review here

“A complete realistic security solution equipped with all major tools to secure structures.”

“This security manager is the best choice out there… McAfee Manager is best in the ways that we can view and analyze all the major activities being performed in the company’s system and securities and how we can improve the overall security related concerns. It has all these pre-equipped features which facilitates the overall requirements for enterprises.”

Senior Consultant, Services Industry. Read full review here.

To all our customers who submitted reviews, thank you! These reviews mold our products and our customer journey, and we look forward to building on the experience that earned us this distinction!

  • Learn more about our award-winning SIEM solution by visiting the ESM solutions page.
  • Read the SIEM reviews written by IT professionals that earned us this distinction by visiting Gartner Peer Insights’ SIEM page.

Gartner Peer Insights ‘Voice of the Customer’: Security Information and Event Management, 3 July 2020. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

The post McAfee ESM Named a 2020 Gartner Peer Insights Customers’ Choice for SIEM appeared first on McAfee Blogs.

Transform your Architecture for the Cloud with MVISION UCE and SD-WAN

“Features are a nice to have, but at the end of the day, all we care about when it comes to our web and cloud security is architecture.” – said no customer ever.

The fact is that nobody likes to talk about architecture when shopping for the latest and greatest cyber security technology, and most organizations have been content to continue fitting new security tools and capabilities into their existing traditional architectures. However, digital transformation projects including cloud migration and ubiquitous mobile access have revealed architectural cracks, and many companies have seen the dam burst with the explosion in remote access demand in recent months. As a result, organizations are coming around to the realization that digital transformation demands a corresponding network and security architectural transformation.

The Secure Access Service Edge (SASE) framework provides organizations with a model to achieve this transformation, by bringing network and security technology together into a single, cloud-delivered service that ensures fast, secure, reliable, and cost-effective access to web and cloud resources. In this blog we are going to focus on remote offices and how the combination of SD-WAN and Next-Generation Secure Web Gateway capabilities offered by MVISION UCE can enable SASE and deliver on the promise of digital transformation.

The Cloud and the Architectural Dilemma

In the past, organizations were largely concentrated in a limited number of locations. Applications and data were hosted on servers at a central data center location on the local area network – typically at or near the headquarters. Users typically worked in the office, so they accessed corporate resources on the same network. Surrounding this network was a perimeter of security controls that could inspect all traffic going in or out of the organization, keeping trusted resources safe while keeping the bad guys out. Remote users and branch offices were logically connected to this central network via technologies like VPN, MPLS, and leased lines, so the secure network perimeter could be maintained.

While this approach sufficed for years, digital transformation has created major challenges. Applications and data storage have migrated to the cloud, so they no longer reside on the corporate network. Logic would dictate that the optimal approach would be for remote users and offices to have direct access to cloud resources without having to route back through the corporate network. But this would result in the organization’s IT security perimeter being completely circumvented, meaning lost security visibility and control, leading to unacceptable security and compliance risks.

So network and security architects everywhere are facing the same dilemma: What is the best way to enable digital transformation without any major compromises? Organizations have generally followed one of the four following architectural approaches based on their willingness to embrace new technologies and bring them together.

We’re going to discuss these four options here, and evaluate them based on four factors: security, speed, latency, and cost. The results will show that there’s only one way to achieve fast, secure, and cost-effective access to web and cloud resources.

Approach 1: STATUS QUO

Due to risk of losing security visibility and control, many organizations have refused to allow “direct-to-cloud” re-architecting. So even when high-speed internet links could connect users directly to cloud and web resources, this approach necessitates that all traffic still be pushed through slower MPLS links back to the corporate network, and then go back out through a single aggregated internet pipe to access web and cloud resources. While this theoretically maintains security visibility and control, it comes at great cost.

For starters, the user experience is greatly hampered by poor performance. Bandwidth suffers from the slow MPLS link back to the corporate office, as well as through the congested company internet connection. In addition, the extra network hops and increased network contention lead to high latency – this has been drastically amplified in recent months as the amount of remote traffic backhauling through the corporate network has exploded well beyond original design expectations. These factors don’t even take into account the potential impact of service disruptions brought about by introducing a single point of failure into the network architecture.

In addition to poor performance, there is a tangibly higher financial cost associated with this approach. Multiple MPLS lines connecting branch offices to the corporate data center are considerably more expensive than public internet connectivity. Additionally, in order to accommodate the routing of ALL user traffic, organizations need to dramatically increase investment in their central network and security perimeter infrastructure capacity, as well as the bandwidth of the shared internet pipe.

So we’re left needing to find a long-term answer to the challenges of speed, latency, and cost. These considerations are what have led many network architects to proceed to deploy SD-WAN.

Approach 2a: GOING DIRECT-TO-CLOUD WITH SD-WAN

The first step in delivering a cloud-ready architecture is removing the bottleneck incurred by forcing all traffic to be routed through slow MPLS lines to the central network and then back out to the cloud. SD-WAN technology can help in this regard. By deploying SD-WAN equipment at the edge of the branch network, optimized traffic policies can be created that route traffic directly to web and cloud resources using fast, affordable internet connections, while using the same internet connection to send only data center-bound traffic directly back to the corporate network over a dynamic set of VPN tunnels. WAN optimization and QoS, as well as various other edge network and security functions like firewall filtering that are better suited to being performed at the network edge, deliver the fastest and most reliable user experience, while minimizing the traffic burden on the central network.

By employing SD-WAN, network architects can achieve substantial cost savings by eliminating expensive MPLS links back to the corporate data center. Additionally, users aren’t constrained by the much slower bandwidth of those MPLS lines.

However, there are major drawbacks to this model. While SD-WAN solutions feature a number of strong flow control capabilities that can be distributed to each remote site – including firewalling, DNS protection, and data obfuscation – they don’t have the same robust data and threat protection capabilities that organizations have built into their network perimeter security. Therefore, architects still need to backhaul all traffic over the internet back to the data center, even if that traffic is ultimately destined to go right back out to the internet! So while the speed and cost-effectiveness of this connection is greatly improved in comparison to the old model, the need to continue backhauling traffic presents the same latency and congestion challenges.

Approach 2b: MCAFEE MVISION UNIFIED CLOUD EDGE

So if traffic paths need to run back to the corporate data center for organizations to maintain security visibility and control, but the majority of resources users are accessing are in the cloud, wouldn’t it make sense to situate the security controls in the cloud for a more direct and secure traffic path? Enter McAfee MVISION Unified Cloud Edge.

MVISION UCE’s Next-Gen Secure Web Gateway provides a cloud-native, lightning-fast, 99.999% reliable, hyper-scale secure edge. By converging SWG, CASB, DLP, and Remote Browser Isolation technologies, MVISION UCE ensures that remote users and offices enjoy the most sophisticated levels of threat, data, and cloud application protection, as well as unique proactive risk management capabilities that even exceed what is possible in a traditional on-premises security framework.

Just as important as the advanced security capabilities is the fact that MVISION UCE is built on a fast, reliable, scalable foundation. Thanks to a global Point of Presence (POP) network and unique peering relationships, MVISION UCE can extend a hyper-scale secure edge wherever users need it. Despite a 240% surge in traffic during the spring of 2020, McAfee was able to maintain 99.999% availability and met all of the latency requirements stipulated in our SLAs. Organizations could count on our infrastructure in the toughest of times, and can continue to do so going forward.

By subscribing to an affordable public internet connection at the branch site and connecting to MVISION UCE, customers can achieve many of the desired benefits. MVISION UCE’s comprehensive data, threat, and cloud application protection capabilities more than satisfy security requirements. And for the majority of user traffic that is destined for the web or cloud, the direct internet connection ensures fast, low-latency access.

However, without deploying SD-WAN in conjunction with UCE, organizations still need to have those slow, expensive MPLS links to maintain connectivity to their legacy data center applications and resources. Therefore, customers won’t be able to realize cost savings, and those connections to data center resources will suffer the same speed and latency challenges. And that is where we finally arrive at the ideal cloud security architecture, bringing MVISION UCE together with SD-WAN.

Approach 3: MVISION UCE + SD-WAN = SASE

By bringing together MVISION UCE with SD-WAN in a seamlessly integrated solution, organizations can deliver SASE and build a network security architecture fit for the cloud era. McAfee makes it possible for customers to easily converge MVISION UCE with virtually any SD-WAN solution via robust native support for SD-WAN connectivity, leveraging industry-standard Dynamic IPSec and GRE protocols. Through this integration, customers benefit from the complete range of essential SASE capabilities, with SD-WAN providing the integrated networking functionality and MVISION UCE delivering the security capabilities. McAfee has supported our channel partners in successfully delivering joint SD-WAN-cloud SWG projects with many of the major SD-WAN vendors in the market, and we have forged tight alliances with the industry leaders through our Security Innovation Alliance (SIA).

So how does a combined UCE-SD-WAN solution satisfy the four architectural requirements? Security is clearly addressed by UCE’s threat, data, and cloud application protection capabilities, as well as the distributed firewall capabilities delivered by SD-WAN. By using a single fast internet connection, SD-WAN is able to intelligently and efficiently route traffic directly to cloud resources or back to the corporate data center. With MVISION UCE providing security directly in the cloud, SD-WAN can forward web- and cloud-bound traffic directly, without any excessive latency. Cost savings come from removing the expensive MPLS lines, and since the majority of traffic no longer needs to backhaul through the corporate data center, additional savings can be achieved by reducing central network bandwidth and infrastructure capacity.

Build a Cloud-Ready Network Security Architecture Today

Digital Transformation represents the next great technological revolution, and organizations’ ability to move to the cloud and empower their distributed workforces with fast, secure, simple, and reliable access will likely determine how successful they are in the new era. SASE represents the best way to achieve a direct-to-cloud architecture that doesn’t compromise on security visibility & control, performance, complexity, or cost. By seamlessly integrating our MVISION UCE solution with SD-WAN, it’s never been easier for organizations to deliver SASE to remote offices. As a result, users will benefit from greater productivity, IT personnel will enjoy greater operational efficiency, and companies will enjoy exceptional cost savings as a result of consolidated infrastructure and optimized network traffic.

To learn more about how MVISION UCE and SD-WAN can work together, attend a webinar hosted by McAfee and one of our key SD-WAN technology partners, Silver Peak Systems.

The post Transform your Architecture for the Cloud with MVISION UCE and SD-WAN appeared first on McAfee Blogs.

Source Code Leak – What We Learned and How You Can Protect Your IP

This week we learned about a leak of source code from 50 prominent companies, posted by a Swiss IT consultant. This comes after another recent leak of source code from Nintendo, prompting us to comment on the issue of IP protection and secure development pipelines.

The latest leak appears to stem primarily from a misconfiguration of SonarQube, an open-source tool for static code analysis, which allows developers to audit their code for bugs and vulnerabilities prior to deployment.  

Our own assessment found that SonarQube communicates on port 9000, which was likely misconfigured to be open to the internet for the breached companies, allowing researchers to gain access and discover the data now exposed in the leak.   

A search for SonarQube on the popular IoT search engine Shodan allows anyone to discover ports used by common software such as this. With this information so easily available, ports unintentionally left open can introduce a wide swath of intrusion attempts.  

Several of the source code repositories also contained hard-coded credentials, which open the door to accessing other resources and expansion of the breach. It is a best practice to never commit code with hard-coded/plaintext credentials to your repositories.   

How You Can Protect Your IP  

Mistakes like misconfiguration and accidental credential exposure will happen in the development process, which is where InfoSec teams need to step in. Auditing infrastructure code both prior to deployment and continuously in production is essential for companies practicing DevOps and CI/CD.  

Our solution to this problem is MVISION Cloud, the multi-cloud security platform for enterprises to protect their data, prevent threats, and maintain secure deployments for their cloud-native apps.  

Audit Cloud Accounts for Misconfiguration 

With MVISION Cloud, InfoSec teams can monitor their company’s public cloud accounts, like AWS, Azure, or GCP, for configuration mistakes that may expose sensitive data. In the example below, MVISION Cloud discovered that a resource in AWS EC2 was configured with Unrestricted Access to ports other than 80/443, opening up potential breach scenarios like we saw with the source code leak.
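The check described above (unrestricted access to ports other than 80/443) can be sketched as follows. This is an added example, not MVISION Cloud's implementation or output: the input is a constructed sample in the shape returned by `aws ec2 describe-security-groups`, and the group IDs, names and function names are invented for illustration.

```python
import ipaddress

# Ports the policy in the text treats as acceptable to expose publicly.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and names are invented for this example.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0example1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # SonarQube's default port, open to the world.
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # A range that starts and ends on allowed ports but opens everything between.
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0example2", "GroupName": "internal-ci", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0example3", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]}


def is_unrestricted(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. any source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def risky_ports(rule):
    """Describe the non-allowed ports a rule opens, or None if it opens none."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                    # all protocols, all ports
        return "all"
    if proto not in ("tcp", "udp"):      # ICMP etc. carry type/code, not ports
        return None
    lo, hi = rule["FromPort"], rule["ToPort"]
    if all(port in ALLOWED_PUBLIC_PORTS for port in range(lo, hi + 1)):
        return None
    return str(lo) if lo == hi else f"{lo}-{hi}"


def audit(doc):
    """Return (group_id, protocol, ports, cidr) for every world-open risky rule."""
    findings = []
    for group in doc.get("SecurityGroups", []):
        for rule in group.get("IpPermissions", []):
            ports = risky_ports(rule)
            if ports is None:
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_unrestricted(cidr):
                    findings.append((group["GroupId"], proto_name(rule), ports, cidr))
    return findings


def proto_name(rule):
    """Protocol string exactly as it appears in the rule."""
    return rule["IpProtocol"]


if __name__ == "__main__":
    for group_id, proto, ports, cidr in audit(SAMPLE):
        print(f"{group_id}: {proto} port(s) {ports} open to {cidr}")
```

The same port 9000 rule restricted to `10.0.0.0/8` is not reported, which is the distinction that mattered in the leak discussed above.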

Scan Application Code for Vulnerabilities  

Companies with active container deployments should take this one step further, auditing not only for misconfigurations but also CVEs in their container images. In the example below, MVISION Cloud discovered that one container image contained 219 code vulnerabilities, many of which could be exploited in an attack.  

Scan Repositories for Hard-Coded Credentials and Secret Keys 

To mitigate the risk of credential or secret key exposure, within MVISION Cloud you can easily scan your repositories for specific data types and take multiple levels of action. Below we’ve set up a policy to scan Bitbucket and GitHub with our Data Loss Prevention (DLP) data identifiers for AWS Keys and Passwords. With Passwords, we are using keyword validation, meaning we will only trigger an incident if a keyword like pwd, p, or password is nearby. We’ve chosen the least disruptive action here, notifying the end user to remediate themselves; however, the option to delete the data is also available.
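The keyword-validation idea can be shown with a small scanner. This is an added example, not MVISION Cloud's DLP engine: the regular expressions, the 24-character proximity window, the file names and the function names are assumptions, and the sample repository content is constructed (the access key ID is the placeholder published in AWS documentation).

```python
import re

# AWS long-term access key IDs start with "AKIA" followed by 16 characters.
AWS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Candidate password values: a quoted string of 6+ characters without spaces.
QUOTED_RE = re.compile(r"""(["'])([^"'\s]{6,})\1""")
# Keywords named in the text, matched only when not embedded in a longer word.
KEYWORD_RE = re.compile(r"(?<![A-Za-z])(?:pwd|p|password)(?![A-Za-z])", re.IGNORECASE)
# Assumption: "nearby" means within this many characters before the value.
KEYWORD_WINDOW = 24

# Constructed sample files; none of these values are real credentials.
SAMPLE_REPO = {
    "deploy/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = "s3cr3t-Pa55"\n'
        'BANNER = "welcome-to-app"\n'
    ),
    "scripts/backup.sh": (
        'mysqldump -u backup -p "hunter2hunter2" appdb\n'
        'GREETING="hello-world"\n'
    ),
}


def redact(value):
    """Keep the first four characters so findings never carry the full secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path, text):
    """Return (path, line_no, kind, redacted_value) for each finding in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in AWS_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", redact(match.group(1))))
        for match in QUOTED_RE.finditer(line):
            value = match.group(2)
            if AWS_KEY_RE.fullmatch(value):
                continue  # already reported by the AWS key identifier
            # Keyword validation: only report when a keyword precedes the value.
            window = line[max(0, match.start() - KEYWORD_WINDOW):match.start()]
            if KEYWORD_RE.search(window):
                findings.append((path, line_no, "password", redact(value)))
    return findings


def scan_repo(files):
    """Scan a mapping of path -> file content."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, line_no, kind, value in scan_repo(SAMPLE_REPO):
        print(f"{path}:{line_no}: {kind} {value}")
```

The `BANNER` and `GREETING` strings look like secrets to a pure pattern match but have no keyword nearby, so they produce no incident; that is the false-positive reduction keyword validation buys.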

The speed of DevOps is allowing companies to innovate quickly, but without security audits built into the pipeline, misconfigurations and vulnerable code can go unnoticed and expose data in a breach. We strongly encourage the movement from DevOps to DevSecOps, building this audit process into the standard practice of application development. 

For more on how MVISION Cloud can enable you to implement a DevSecOps practice, get in touch with us today.  

The post Source Code Leak – What We Learned and How You Can Protect Your IP appeared first on McAfee Blogs.

Introducing MITRE ATT&CK in MVISION Cloud: Defend with Precision

The latest innovation in MVISION Cloud, the multi-cloud security platform for enterprise, introduces MITRE ATT&CK into the workflow for SOC analysts to investigate cloud threats and security managers to defend against future attacks with precision.

Most enterprises use over 1,500 cloud services, generating millions of events, from login, to file share, to download and an infinite number of actions meant for productivity yet exploited by adversaries. Until now, hunting for adversary activity within that haystack has been an arduous effort, with so much noise that many data breaches have gone unnoticed until it is too late.

MVISION Cloud takes a multi-layered approach to cloud threat investigation that can speed your time to detect adversary activity in your cloud services, identify gaps, and implement targeted changes to your policy and configuration.

First, the haystack of events is processed continuously against a baseline of known good behavior by User and Entity Behavior Analytics (UEBA) to identify the anomalies and actual threats in your environment, assessing behavior across multiple services and accounts.

Events processed by UEBA determined to be a compromised account

This takes your investigation process down to a manageable quantity of incidents. With this release, those incidents are now in the same language as the rest of the SOC – MITRE ATT&CK. Each cloud security incident is mapped to ATT&CK tactics and techniques, showing you adversary activity currently being executed in your environment.  

Multi-cloud MITRE ATT&CK view of adversary activity in MVISION Cloud

You have three views within MVISION Cloud:  

  • Retrospective: viewing all adversary techniques that have already occurred in your environment 
  • Proactive: viewing attacks in progress, that you can take action to stop  
  • Full kill-chain: viewing a combination of incidents, anomalies, threats, and vulnerabilities into a holistic string of infractions.  

Multiple teams in your organization benefit from this addition to MVISION Cloud:  

  • SecOps Teams Advance from Reactive to Proactive: McAfee MVISION Cloud allows analysts to visualize not only executed threats in the ATT&CK framework, but also potential attacks they can stop across multiple Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) environments 
  • SecOps Teams Break Silos: SecOps teams can now bring pre-filtered cloud security incidents into their Security Information Event Management (SIEM)/Security Orchestration, Automation and Response (SOAR) platforms via API, mapped to the same ATT&CK framework they use for endpoint and network threat investigation  
  • Security Managers Defend with Precision: McAfee MVISION Cloud now takes Cloud Security Posture Management (CSPM) to a new level, providing security managers with cloud service configuration recommendations for SaaS, PaaS and IaaS environments, which address specific ATT&CK adversary techniques 

With McAfee, threat investigation isn’t just for one environment – it is for all of your environments, from cloud to endpoint and your analytics platforms. With McAfee MVISION Cloud, MVISION EDR, and MVISION Insights, your enterprise has an extended detection and response (XDR) platform for the heterogeneous attacks you face today.

Cloud Threat Investigation 101: Hunting with MITRE ATT&CK

The leading SecOps teams use MITRE ATT&CK. Now, Cloud threat investigation speaks the same language with ATT&CK built into MVISION Cloud, unlocking new, precise methods for Cloud defense.

The post Introducing MITRE ATT&CK in MVISION Cloud: Defend with Precision appeared first on McAfee Blogs.

Multi-Cloud Environment Challenges for Government Agencies

Between January and April of this year, the government sector saw a 45% increase in enterprise cloud use, and as the work-from-home norm continues, socially distanced teamwork will require even more cloud-based collaboration services.

Hybrid and multi-cloud architectures can offer government agencies the flexibility, enhanced security and capacity needed to achieve what they need for modernizing now and into the future. Yet many questions remain surrounding the implementation of multi- and hybrid-cloud architectures. Adopting a cloud-smart approach across an agency’s infrastructure is a complex process with corresponding challenges for federal CISOs.

I recently had the opportunity to sit with several public and private sector leaders in cloud technology to discuss these issues at the Securing the Complex Ecosystem of Hybrid Cloud webinar, organized by the Center for Public Policy Innovation (CPPI) and Homeland Security Dialogue Forum (HSDF).

Everyone agreed that although the technological infrastructure supporting hybrid and multi-cloud environments has made significant advancements in recent years, there is still much work ahead to ensure government agencies are operating with advanced security.

There are three key concepts for federal CISOs to consider as they develop multi- and hybrid-cloud implementation strategies:

  1. There is no one-size-fits-all hybrid environment

Organizations have adopted various capabilities that have unique gaps that must be filled. A clear system for how organizations can successfully fill these gaps will take time to develop. That being said, there is no one-size-fits-all hybrid or multi-cloud environment technology for groups looking to implement a cloud approach across their infrastructure.

  2. Zero-trust will continue to evolve in terms of its definition

Zero-trust has been around for quite some time and will continue to grow in terms of its definition. In concept, zero-trust is an approach that requires an organization to complete a thorough inspection of its existing architecture. It is not one specific technology; it is a capability set that must be applied to all areas of an organization’s infrastructure to achieve a hybrid or multi-cloud environment. 

  3. Strategies for data protection must have a cohesive enforcement policy

A consistent enforcement policy is key in maintaining an easily recognizable strategy for data protection and threat management. Conditional and contextual access to data is critical for organizations to fully accomplish cloud-based collaboration across teams.

Successful integration of a multi-cloud environment poses real challenges for all sectors, particularly for enterprises as large and complex as the federal government. Managing security across different cloud environments can be overwhelmingly complicated for IT staff, which is why they need tools that can automate their tasks and provide continued protection of sensitive information wherever it goes inside or outside the cloud.

At McAfee, we’ve been dedicating ourselves to solving these problems. We are excited that McAfee’s MVISION Cloud has been recognized as the first cloud access security broker (CASB) with FedRAMP High authorization. Additionally, we’ve been awarded an Other Transaction Authority by the Defense Innovation Unit to prototype a Secure Cloud Management Platform through McAfee’s MVISION Unified Cloud Edge (UCE) cybersecurity solution.

We look forward to engaging in more strategic discussions with our partners in the private and public sectors to not only discuss but also help solve the security challenges of federal cloud adoption.

The post Multi-Cloud Environment Challenges for Government Agencies appeared first on McAfee Blogs.

McAfee Vision for SASE: Making Cloud Adoption Fast, Easy and Secure

While cloud services deliver on promised savings and convenience, keeping everything secure remains a moving target for many organizations.

That’s because the enterprise perimeter has not only expanded, it has pushed the service edge to anywhere business takes you—or employees choose to go. Consequently, many organizations must uplevel how they protect cloud-based apps, data and services. Achieving success will be difficult with walled-garden style defenses found in legacy environments.

Gartner suggests an Adaptive Zero Trust approach (CARTA) to secure the use of cloud applications, and it recommends a Secure Access Service Edge (SASE) framework to deliver connectivity and security for cloud applications.

A lot of SASE vendors have focused on convergence of networking and security, but the key business goal of SASE is to protect applications and data in the cloud by building a pervasive edge that spans all manners of accessing these applications and data.

McAfee’s MVISION Unified Cloud Edge (UCE) delivers this pervasive edge and enables organizations to apply consistent data protection and threat prevention policies across their entire estate, including users, devices, locations and applications. Under the covers, MVISION UCE is a convergence of Cloud Access Security Broker (CASB), next-gen Secure Web Gateway (SWG), and data loss protection (DLP) technologies delivered via a single global cloud fabric, with consistent policy and incident management. Each of the MVISION UCE components provides coverage over distinct control points that seamlessly deliver the pervasive edge:

  • McAfee CASB provides direct visibility and control over cloud-native interactions that are impossible to broker via a network/man-in-the-middle approach. This not only includes real time data and threat protection for data being stored/created in the cloud, it also includes on-demand scanning over existing data to identify both sensitive data and malware. The data objects could include files, messages and field data such as structured data objects in business applications like Salesforce.com, ServiceNow, Workday, etc.
  • McAfee’s next-gen SWG establishes proxy-based visibility and control over web traffic with deep awareness of cloud activity and data interactions. This keeps users safe from accidental data loss or malware, and it delivers the most advanced threat protection against ransomware, phishing attempts and other advanced attacks by integrating Remote Browser Isolation (RBI), a recommended part of a SASE architecture in our next-gen SWG.
  • A common DLP engine that provides device-to-cloud visibility and control over sensitive data on personal or managed devices, data resident and transacted in the cloud and data transiting over the network. McAfee MVISION UCE shares data classifications with all enforcement points for device, network, and the cloud with a single incident management console and API.

The convergence of cloud-native SWG and CASB also enables use cases that can extend network-delivered SASE controls with deep context of cloud applications in a single fabric. Many cloud-application-centric use cases that are critical in a post-COVID work from home scenario cannot be delivered by pure-play cloud SWGs, including:

  • The ability to apply contextual access control to users connecting to sanctioned Cloud applications directly over the internet, without a VPN. MVISION UCE ensures a user with a corporate device has full access to Microsoft 365, whereas a user with an unmanaged device has read-only access, which can be delivered by an app-proxy or remote browser isolation.
  • The ability to control unsanctioned Cloud applications at different levels of granularity including tenancy, activity and data. McAfee provides consistent policies that specifically identify and grant permissions to unsanctioned or personal services like OneDrive where the cloud user can be blocked from synching any data to personal OneDrive, or can be blocked from synching only “classified or sensitive” data to personal OneDrive.
  • The ability to protect against day-zero threats from the cloud in real time without any friction to the user experience. McAfee helps prevent end-user synching or downloading malware delivered from a trusted cloud storage provider such as OneDrive, Google Drive or  Dropbox.

In addition, most SASE vendors today focus on user to cloud security – otherwise known as front door controls, but that is not sufficient. Data and threats also need to be protected across side doors in the cloud. Protection also needs to be extended to backdoors within the cloud. McAfee’s MVISION UCE delivers side- and back-door controls that are not offered by any other SASE

  • Connected Application Control

Enables your architecture to discover SaaS applications or home-grown applications connected to each other via API channels. It can then authorize these API connections based on policies, risk and behavior of the connected application. For instance, a Sales VP connecting Clari, a sales forecasting mobile application, to the corporate Salesforce.com instance and pulling all the Salesforce.com data into Clari. The SASE architecture needs to be able to discover all such app-to-app connections and have granular policies around what scope of access should be allowed.

  • SaaS Cloud Security Posture Management (CSPM)

Allows your SASE architecture to assess and manage the security posture of your SaaS provider’s control and management planes. Specifically, Microsoft 365 has more than 200 individual configuration settings that need to be evaluated for an appropriate security posture of 365. For example, the default sharing permissions on SharePoint make shared links available to anyone in the world, and those links never expire.

  • Sharing and Collaboration Control

Enables your architecture to control the transaction flow of sensitive data being shared inappropriately between users within the organization or across organizations via popular collaboration platforms such as Microsoft OneDrive, Microsoft Teams, Slack, Zoom, etc. For example, McAfee helps ensure sensitive data is not posted to external (guest) users in Microsoft Teams.

Cloud-native

Long promised, cloud transformation is catching on at a time when enterprises increasingly rely upon cloud services to support their expanding digital activities. It can support large parts of the workforce who are working remotely and from home. Data and Threat controls must work in real-time as data moves to and from cloud applications. Accordingly, organizations need a cloud-native security architecture that is frictionless and ensures cloud applications function without latency or application breakage, and with security delivered in real-time. This real-time capability is not just necessary for network controls delivered by the SWG service; they are equally essential for cloud-native controls delivered via API and email gateways. Gartner describes the use of Points of Presence (POP) for global distribution and scale for SASE architectures. Most vendors offering SASE describe their footprint in terms of their network POPs. McAfee MVISION UCE has more than 50 globally distributed network POPs, but it also has similar scale and capacity for API and email POPs to ensure pervasive real-time control.

By our estimate, load on cloud security services in the last three months has soared by between 200% and 700%. While this surge has caused many other SASE providers to buckle, McAfee has logged an amazing 99.999% uptime! This is largely driven by our cloud-native architecture, which does not rely on racking and stacking network appliances in public cloud, or on relying purely on colocation POPs that might have longer lead times to build out and support burst capacity. McAfee MVISION UCE is not only built in a cloud-native (i.e. software-defined) manner and deployed in POPs around the world, it also has the ability to leverage public cloud providers such as AWS, Azure and GCP for burst POP capacity in order to deliver surge capacity without delay.

MVISION UCE, with its focus on protecting data and preventing threats in the cloud, along with its approach to both network-based and cloud-native controls, marks a key milestone on the path to implementing Gartner’s SASE framework.

The post McAfee Vision for SASE: Making Cloud Adoption Fast, Easy and Secure appeared first on McAfee Blogs.

What to Expect from the Next Generation of Secure Web Gateways

After more than a century of technological innovation since the first units rolled off Henry Ford’s assembly lines, automobiles and transportation bear little in common with the Model T era. This evolution will continue as society finds better ways to achieve the outcome of moving people from point A to point B.

While secure web gateways (SWGs) have operated on a far more compressed timetable, a similarly drastic evolution has taken place. SWGs are still largely focused on ensuring users are protected from unsafe or non-compliant corners of the internet, but the transition to a cloud- and remote-working world has created new security challenges that the traditional SWG is no longer equipped to handle. It’s time for the next generation of SWGs that can empower users to thrive safely in an increasingly decentralized and dangerous world.

How We Got Here

The SWG actually started out as a URL filtering solution and enabled organizations to ensure that employees’ web browsing complied with corporate internet access policy.

URL filtering then transitioned to proxy servers sitting behind corporate firewalls. Since proxies terminate traffic coming from users and complete the connection to the desired websites, security experts quickly saw the potential to perform more thorough inspection than just comparing URLs to existing blacklists. By incorporating anti-virus and other security capabilities, the “secure web gateway” became a critical part of modern security architectures. However, the traditional SWG could only play this role if it was the chokepoint for all internet traffic, sitting at the edge of every corporate network perimeter and having remote users “hairpin” back through that network via VPN or MPLS links.

Next-Generation SWG

The transition to a cloud and remote-working world has put new burdens on the traditional perimeter-based SWG. Users can now directly access IT infrastructure and connected resources from virtually any location from a variety of different devices, and many of those resources no longer reside within the network perimeter on corporate servers.

This remarkable transformation also expands the requirements for data and threat protection, leaving security teams to grapple with a number of new sophisticated threats and compliance challenges. Unfortunately, traditional SWGs haven’t been able to keep pace with this evolving threat landscape.

Just about every major breach now involves sophisticated multi-level web components that can’t be stopped by a static engine. The traditional SWG approach has been to coordinate with other parts of the security infrastructure, including malware sandboxes. But as threats have become more advanced and complex, doing this has resulted in slowing down performance or letting threats get through. This is where Remote Browser Isolation (RBI) brings in a paradigm shift to advanced threat protection. When RBI is implemented as an integral component of SWG traffic inspection, and with the right technology like pixel mapping, it can deliver real-time, zero-day protection against ransomware, phishing attacks and other advanced malware while not hindering the browsing experience.

Another issue revolves around the encrypted nature of the internet. The majority of web traffic and virtually all cloud applications use SSL or TLS to protect communications and data. Without the ability to decrypt, inspect and re-encrypt traffic in a compliant, privacy-preserving manner, a traditional SWG is simply not able to cope with today’s world.

Finally, there is the question of cloud applications. While cloud applications operate on the same internet as traditional websites, they function in a fundamentally different way that traditional SWGs simply can’t understand. Cloud Access Security Brokers (CASBs) are designed to provide visibility and control over cloud applications, and if the SWG doesn’t have access to a comprehensive CASB application database and sophisticated CASB controls, it is effectively blind to the cloud.

 

What we need from Next-Gen SWGs

Fig. Next Generation Secure Web Gateway Capabilities

A next-gen SWG should help simplify the implementation of Secure Access Service Edge (SASE) architecture and help accelerate secure cloud adoption. At the same time, it needs to provide advanced threat protection, unified data control, and efficiently enable a remote and distributed workforce.

Here are some of the use cases:

  • Enable a remote work force with a direct-to-cloud architecture that delivers 99.999% availability – As countries and states slowly came out of the shelter-in-place orders, many organizations indicated that supporting a remote and distributed workforce will likely be the new norm. Keeping remote workers productive, data secured, and endpoints protected can be overwhelming at times. A next-gen SWG should provide organizations with the scalability and security to support today’s remote workforce and distributed digital ecosystem. A cloud-native architecture helps ensure availability, lower latency, and maintain user productivity from wherever your team is working. A true cloud-grade service should offer five nines (99.999%) availability consistently.

 

  • Reduce administrative complexity and lower cost – Today, with increased cloud adoption, more than eighty percent of traffic is destined for the internet. Backhauling internet traffic through a traditional “Hub and Spoke” architecture, which requires expensive MPLS links, can be very costly. Networks slow to a halt as traffic spikes, and VPNs for remote workers have proven to be ineffective. A next-gen SWG should support the SASE framework and provide a direct-to-cloud architecture that lowers the total operating costs by reducing the need for MPLS links. With a SaaS delivery model, next-gen SWGs remove the need to deploy and maintain hardware infrastructure, reducing hardware and operating costs. Per Gartner’s SASE report, organizations can “reduce complexity now on the network security side by moving to ideally one vendor for secure web gateway (SWG), cloud access security broker (CASB)…” By unifying CASB and SWG, organizations can benefit from unified policy and incident management, shared insights on business risk and threat database, and reduced administrative complexity.

 

  • Defend against known and unknown threats – As the web continues to grow and evolve, web-borne malware attacks grow and evolve as well. Ransomware, phishing and other advanced web-based threats are putting users and endpoints at risk. A next-gen SWG should provide real-time zero-day malware and advanced phishing protection via a layered approach that integrates dynamic threat intelligence for URLs, IPs and file hashes and real-time protection against unknown threats with machine-learning and emulation-based sandboxing. A next-gen SWG should also include integrated Remote Browser Isolation to prevent unknown threats from ever reaching the endpoints. Furthermore, a next-gen SWG should provide the capability to decrypt, inspect and re-encrypt SSL/TLS traffic so threats and sensitive data cannot hide in encrypted traffic. Lastly, a next-gen SWG should be XDR-integrated to improve SOC efficiencies. SOC teams have too much to deal with already and they shouldn’t settle for siloed security tools.

 

  • Lock down your data, not your business – More than 95% of companies today use cloud services, yet only 36% of companies can enforce data loss prevention (DLP) rules in the cloud at all. A next-gen SWG should offer a more effective way to enforce protection with built-in Data Loss Prevention templates and in-line data protection workflows to help organizations comply with regulations. Device-to-cloud data protection offers comprehensive data visibility and consistent controls across endpoints, users, clouds, and networks. When incidents do happen, administrators should be able to manage investigations, workflows, and reporting from a single console. Next-gen SWGs should also integrate user and entity behavior analytics (UEBA) to further protect business-sensitive data by detecting and separating normal users from the malicious or compromised ones.

SWGs have clearly come a long way from just being URL filtering devices to the point where they are essential to furthering the safe and accelerated adoption of the cloud. But we need to push the proverbial envelope a lot further. Digital transformation demands nothing less.

 

The post What to Expect from the Next Generation of Secure Web Gateways appeared first on McAfee Blogs.

Working from Home in 2020: Threat Actors Target the Cloud

Like any enterprise, cybercrime focuses its resources where it can derive value, which is data. In the case of ransomware, data is held hostage for a direct monetary exchange, whereas many other data breaches seek to steal data and monetize it on dark web markets. These two methods are even starting to merge, with some cybercrime organizations now offering Data-Leaking-as-a-Service. For most of the history of cybercrime, resources and infrastructure used to steal data targeted endpoint devices and network stores, using malware to land an attack, find data, and exfiltrate. That’s where the data was.   

Now, we have a dramatic shift of data moving to cloud service providers, held not within the confines of a customer’s managed network but instead by a third party. The shift to working from home in early 2020 accelerated cloud use, just as it accelerated other trends like food delivery and telehealth. Read more about the increase in cloud use in our first post on this topic, here.

With the acceleration of cloud adoption comes more data in the cloud, and in lockstep, threat actors shifting their attack resources to the cloud. Through the first months of 2020, as this shift occurred, we monitored attack attempts from external threat actors on our customers’ cloud accounts, which increased 630%:

  

In this chart, we’ve plotted all threats across 30 million cloud end users, along with the two primary categories of external threat events targeted at cloud accounts. They are: 

  • Excessive Usage from Anomalous Location. This begins with a login from a location that has not been previously detected and is anomalous to the user’s organization. The threat actor then initiates high-volume data access and/or privileged access activity.  
  • Suspicious Superhuman. This is a login attempt from more than one geographically distant location, impossible to travel to within a given period of time. We track this across multiple cloud services, for example, if a user attempts to log into Microsoft 365 in Singapore, then logs into Slack in California five minutes later.  
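The Suspicious Superhuman check described above can be sketched as follows. This is an added example, not McAfee's implementation: the `Login` record, the 1,000 km/h speed ceiling, the 100 km minimum distance and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 1000.0  # assumed ceiling: roughly airliner cruise speed
MIN_KM = 100.0    # assumed floor: ignore geo-IP jitter within one metro area

@dataclass(frozen=True)
class Login:  # hypothetical normalized login record
    user: str
    service: str
    when: datetime
    lat: float
    lon: float

def haversine_km(a, b):
    """Great-circle distance between two logins, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def superhuman_events(logins):
    """Return (previous, current, km, km/h) for each impossible hop per user.

    Logins are compared per user across all services, so a Microsoft 365
    login followed by a Slack login still forms one travel path.
    """
    alerts, last_seen = [], {}
    for cur in sorted(logins, key=lambda e: e.when):  # tolerate out-of-order logs
        prev = last_seen.get(cur.user)
        last_seen[cur.user] = cur
        if prev is None:
            continue
        km = haversine_km(prev, cur)
        if km < MIN_KM:
            continue
        hours = (cur.when - prev.when).total_seconds() / 3600
        speed = float("inf") if hours == 0 else km / hours  # simultaneous logins
        if speed > MAX_KMH:
            alerts.append((prev, cur, round(km), speed))
    return alerts

# Constructed sample events (not real telemetry); coordinates are approximate.
SAMPLE = [
    Login("alice", "Microsoft 365", datetime(2020, 4, 1, 9, 0), 1.35, 103.82),   # Singapore
    Login("alice", "Slack", datetime(2020, 4, 1, 9, 5), 37.77, -122.42),         # California
    Login("bob", "Microsoft 365", datetime(2020, 4, 1, 9, 0), 51.51, -0.13),     # London
    Login("bob", "Slack", datetime(2020, 4, 1, 9, 5), 51.45, -0.97),             # Reading
    Login("carol", "Slack", datetime(2020, 4, 1, 8, 0), 51.51, -0.13),           # London
    Login("carol", "Microsoft 365", datetime(2020, 4, 2, 8, 0), 40.71, -74.01),  # New York, 24 h later
]

if __name__ == "__main__":
    for prev, cur, km, speed in superhuman_events(SAMPLE):
        print(f"{cur.user}: {prev.service} -> {cur.service}, {km} km at {speed:.0f} km/h")
```

Only the Singapore-to-California pair is flagged; the short London-to-Reading hop and the day-long London-to-New York trip stay below the thresholds.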

The increase in threat events impacted some verticals more than others, with companies in Transportation/Logistics, Education, and Government agencies hit the hardest:  

 

Head over to the report below for more analysis on how specific verticals were targeted, where these attacks came from, and recommendations for how to protect your organization.  

 

The post Working from Home in 2020: Threat Actors Target the Cloud appeared first on McAfee Blogs.

Quantifying Cloud Security Effectiveness

Let’s start with the good news. Agencies are adopting cloud services at an increased rate. Adoption has only increased in times of coronavirus quarantine lockdowns with most of the federal, state and municipal workforce working from home. What’s even better news is that we also see increased adoption of cloud security tools, like CASB, which is commensurate with the expanding cloud footprint of US Public Sector agencies.

So now we have security tools in place to secure our cloud assets in SaaS, PaaS and IaaS. The next step is to determine what security controls need to be implemented. What DLP policies should the agency adopt? What capabilities of a cloud service should be enabled or disabled to maintain a robust security posture? How does an agency actually go about measuring the effectiveness of the security controls that were implemented? How do we find out how we stack up against our peer organizations?

To answer these questions, McAfee developed MVISION Cloud Security Advisor (CSA). Cloud Security Advisor is a portal that is provided “out-of-the-box” with your organization’s MVISION Cloud CASB tenant. CSA provides a comprehensive set of recommendations for organizations to prioritize efforts in implementing their cloud security controls. The recommendations are broken down into Visibility and Control metrics. There is also a section that provides quarterly reports on various parameters, which we will discuss in a little bit.

When you first access Cloud Security Advisor dashboard you are presented with a “magic quadrant” that shows your organization’s security posture relative to other peer organizations on the scales of Control and Visibility and provides a maturity score for both.

There is even an option to select a vertical market to see how your organization stacks up to organizations in other business sectors.

On the right of the main dashboard are checklist items that provide a short description and current progress in following Cloud Security Advisor’s recommendations. CSA scans the organization’s MVISION Cloud environment once every 24 hours. Any changes to MVISION Cloud will be reflected in the next scan. In the screenshot below, for example, we see an environment that is not enforcing controls on publicly shared links in Collaboration SaaS apps.

From here, a security admin can simply click on the check list item and then on Enable Policy. This will automatically take the user to the DLP Policy Templates page to select the appropriate policy for enforcement.

Another powerful capability of MVISION Cloud Security Advisor is providing quarterly Cloud Security Reports. These are accessible from the main CSA dashboard by going to View Reports and then selecting a quarter for which you would like to see the report.

From there we can start examining our organization’s cloud footprint to identify the total number of Shadow IT services discovered that quarter as well as some additional Shadow IT statistics.

Next we can look at IaaS resources in all our AWS, Azure and GCP environments.

We then proceed to look at summary statistics for DLP and access policy violations. Incidents show policy violations of each type detected across all of the organization’s cloud environments secured by MVISION Cloud CASB.

The next screen shows user behavioral anomalies and threats uncovered by the MVISION Cloud UBA machine-learning engine.

The Malware section of the report provides insights into malware uncovered in SaaS and IaaS environments connected to MVISION Cloud.

The Data at Risk report is probably the most pertinent to gauging the effectiveness of the MVISION Cloud CASB solution. This report shows how much of the organization’s data was at risk and how it was secured using MVISION Cloud CASB. As seen from the image, there is a downward trend, indicating progress is being made to secure the organization’s data.

The Sensitive Data report shows how the organization’s sensitive data is distributed across all cloud services in use by the organization. This report also provides insights into cloud adoption trends for your organization.

The “Users” report is a pivot table of the Sensitive Data report that organizes incidents and policy violations by individual users. Ultimately, the report shows how much of a risk an organization’s users pose to the organization’s data.

The Mobile Devices report shows incidents for each type of detected mobile device.

The next three pages of the CSA report provide a deeper dive into the data on the front page of the CSA portal we saw in the beginning of this blog. On the Scores page we see the “magic quadrant” with Control and Visibility axes, together with progress relative to previous quarters. The Visibility score and Control score, both on a scale of 100, gauge your organization’s maturity in securing its cloud footprint.

Next, the Visibility metrics page. Visibility metrics measure how well an organization has been doing in gaining visibility into what is out there in their cloud environment and how secure it is.

Finally, the Control metrics page shows how well an organization has performed in placing controls and mitigating security risks for its cloud environment.

And that, in a nutshell, is it. By reviewing the screenshots from the Cloud Security Advisor dashboard you should now have a good idea of the metrics at your disposal to quantify cloud security effectiveness for your organization.

To see MVISION Cloud Security Advisor in action, please check out the video below:

The post Quantifying Cloud Security Effectiveness appeared first on McAfee Blogs.

Simplify Secure Cloud Adoption with Your Next-Gen Secure Web Gateway

Today, with increased cloud adoption, more than eighty percent of corporate network traffic is destined for the internet. Backhauling internet traffic to a traditional Web Gateway’s “Hub and Spoke” architecture can be very costly. The network slows to a halt as traffic spikes, and VPN for remote workers has proved ineffective and low-performing in a situation like COVID.

Figure 1. Legacy Secure Web Gateway architecture in a cloud world.

Performance aside, as you adopt new cloud services and move more data to the cloud, you’re probably thinking: how do I protect business critical data, and how can I prevent threats coming in from the internet and cloud applications?

Many organizations are either adopting cloud services faster than they can secure them, or applying on-premises Web Gateway tools and architectures that were not designed to meet the challenges of cloud traffic. This can lead to attacks, malware, data leaks, and an unproductive work force.

IT departments need a secure yet flexible direct-to-cloud Web Gateway solution that ensures availability, maintains employee productivity and defends against threats.

Here are some of the capabilities of a Next-gen Cloud Secure Web Gateway to consider:

Real-time Zero-day Malware Prevention: Today’s threats are frequently customized and targeted. Zero-day protection is essential, and traditional gateways handle this by offloading to an out of band sandbox. The key to a next generation gateway is to provide that protection in real time – not forensically after the fact.

Unification with CASB: Gartner recommends reducing complexity on the network security side by moving, ideally, to one vendor for secure web gateway (SWG) and cloud access security broker (CASB). The Next-gen Cloud Secure Web Gateway should be a cloud-managed solution that is unified with CASB, with shared risk databases, closed-loop remediation and a unified workflow.

Scalability and Availability: A cloud-native architecture can offer the cloud scale that is required as your remote workforce mushrooms, as opposed to a SWG that is simply hosted in the cloud. True cloud-grade service availability provides five nines (99.999%) uptime – consistently. Ask yourself, can you afford 50+ minutes of downtime?

Figure 2. Downtime Calculation Example.

McAfee’s Next-gen Cloud Secure Web Gateway (offered via MVISION Unified Cloud Edge) is unified with MVISION Cloud (CASB) to offer cloud-delivered web security to protect web traffic, provide visibility into data flowing to cloud applications, and safely enable both on-prem and remote workers. Furthermore, it is a direct to cloud solution that helps drive down cost and increase scalability and performance.

To find out more, listen to our latest podcast.

 

The post Simplify Secure Cloud Adoption with Your Next-Gen Secure Web Gateway appeared first on McAfee Blogs.

Cyber Security Roundup for May 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, April 2020.

As well reported, the business operations of UK foreign exchange firm Travelex were brought to a standstill after its IT systems were severely hit by the Sodinokibi ransomware at the start of the year. It was reported that the REvil group were behind the attack and had stolen 5Gbs of customer personal data, and then demanded $6 million (£4.6m) in ransom. The Wall Street Journal reported in April 2020 that Travelex had reached a deal, paying $2.3 million (£1.84m) in Bitcoin to the cybercriminals. This sort of response incentivises future ransomware activity against all other businesses and could lead to an inflation of future cyber-extortion demands in my opinion.

Cognizant, a large US digital solutions provider and IT consultancy, was reportedly hit by the Maze ransomware. Maze, previously known as the 'ChaCha' ransomware, like the Travelex attack, not only encrypts victims' files but steals sensitive data from the IT systems as well. This enables the bad guys to threaten to publish the stolen data unless the organisation coughs up to their cyber-extortion demands, so the bad guys are very much rinsing and repeating lucrative attacks.

Microsoft wrote an excellent blog covering the 'motley crew' of ransomware payloads. The blog covers ransomware payloads said to be straining security operations, especially in health care, Microsoft warned, urging security teams to look for signs of credential theft and lateral movement activities that herald attacks.

Researchers continue to be busy exposing large sensitive datasets within misconfigured cloud services. In April, researchers reported 14 million Ring user details exposed in a misconfigured AWS open database, fitness software Kinomap had 42 million user details exposed in another misconfigured database, and Maropost had 95 million users exposed, also in a misconfigured database.

Nintendo confirmed 160,000 of its users' accounts had been accessed, exposing PII and Nintendo store accounts. The gaming giant said that from April its users' accounts were accessed through the Nintendo Network ID (NNID), which is primarily used for Switch gaming. The company is unaware exactly how the intrusion had occurred, saying it “seems to have been made by impersonating login to ‘Nintendo Network ID’.” “If you use the same password for your NNID and Nintendo account, your balance and registered credit card / PayPal may be illegally used at My Nintendo Store or Nintendo eShop. Please set different passwords for NNID and Nintendo account,” Nintendo said. In response to these issues, the company has abolished users' ability to log into their Nintendo account via NNID, passwords for both NNID and Nintendo accounts are being reset, and the company is recommending multi-factor authentication be set up for each account. The account breaches weren't the only cyber issue affecting Nintendo in April: it reported that a bot, dubbed 'Bird Bot', was used by a reseller to buy up Nintendo Switches before customers could make their Switch purchase from Nintendo. The bot-using reseller benefits at the expense of consumers: by buying up all available Switches directly from Nintendo, they are able to sell them on for higher prices, making a quick and tidy profit due to the current high demand for Switches and lack of supply.

April was a busy month for security updates. Microsoft released security patches fixing 113 vulnerabilities on Patch Tuesday and an out-of-band patch for Teams found by researchers at CyberArk. Patch Tuesday was a quiet one for Adobe, though they released fixes for 21 critical vulnerabilities in Illustrator and Bridge at the end of the month. Oracle released a huge 397 fixes for 450 CVEs in over 100 products, which I think is a new record for a patch release!

Sophos said it and its customers were attacked when a previously unknown SQL injection vulnerability in their physical and virtual XG Firewall units was exploited. “The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected,” Sophos said.

There were security-critical patch releases for Mozilla Firefox, Chrome (twice), and for 8 Cisco products. There was also a bunch of VMware patches, including one for a CVSS score 10 (highest possible) vulnerability in vCenter, a critical in vRealize Log Insight and a critical cross-site scripting vulnerability in ESXi 6.5 and 6.7. And finally, on the patch front, Intel decided to discontinue multiple products, as it was unable to keep ahead of patching their vulnerabilities.

Stay safe, stay home and watch for the scams.

BLOG
NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE