
Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities

Many of today’s threats evolve to incorporate as many living-off-the-land techniques as possible into the attack chain. The PowerShell-based downloader Trojan known as sLoad, however, puts all its bets on BITS.

Background Intelligent Transfer Service (BITS) is a component of the Windows operating system that provides an ability to transfer files in an asynchronous and throttled fashion using idle bandwidth. Abusing BITS, which provides the ability to create self-contained jobs that can be prioritized and queued up and that can launch other programs, has become a prevalent attack technique. Recent sophisticated malware campaigns like Astaroth have found success in the use of BITS for downloading payloads or additional components, especially in systems where the firewall is not configured to block malicious traffic from BITS jobs.

sLoad, detected by Windows Defender Antivirus as TrojanDownloader:PowerShell/sLoad, is used by adversaries for exfiltrating system information and delivering additional payloads in targeted attacks. It has been around for a few years and has not stopped evolving. What hasn’t changed, though, is its use of BITS for all of its exfiltration activities, as well as command-and-control (C2) communications from handshake to downloading additional payloads.

Once sLoad has infiltrated a machine, it can allow attackers to take further, potentially more damaging actions. Using exfiltrated information, attackers can identify what security solutions are running and test payloads before they are sneaked into the compromised system or, worse, high-priced targets. sLoad uses a scheduled task that runs the malware every three minutes, reopening the window of opportunity for further compromise, and hence raising the risk for the affected machine, every time it runs. We have already seen the malware attempt to deliver several other, potentially more dangerous Trojans to compromised machines.

While several malware campaigns have leveraged BITS, sLoad’s almost exclusive use of the service is notable. sLoad uses BITS as an alternative protocol to perform data exfiltration and most of its other malicious activities, enabling the malware to evade defenders and protections that may not be inspecting this unconventional protocol. Cloud-based machine learning-driven behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection detect and block sLoad’s activities as Behavior:Win32/sLoad.A.

In this blog we’ll share our analysis of the multiple ways in which sLoad is abusing BITS and share how Microsoft Defender Advanced Threat Protection defeats these advanced malware techniques.

Stealthy installation via multiple cascaded scripts

sLoad is known to infect machines using spear-phishing emails and a common but effective detection evasion technique: cascaded scripts. One script drops or downloads one or more scripts, passes control to one of these scripts, and the process repeats multiple times until the final component is installed.

Over time, we’ve seen some variations of this technique. One sLoad campaign used the link target field of a LNK file to run PowerShell commands that extract and run the first-stage PowerShell code, which is appended to the end of the LNK file or, in one instance, to the end of the ZIP file that originally contained the LNK file. In another campaign, the first-stage PowerShell code itself uses a BITS download job to download either the sLoad script and the C2 URL file, or the sLoad dropper PowerShell script that embeds the encrypted sLoad script and C2 URL file within itself.

In the most recent attacks, for the first stage, sLoad shifted from using PowerShell script to VBScript. The randomly named VBScript file is simply a proxy that builds and then drops and runs a PowerShell script, always named rr.ps1. This is none other than the same sLoad PowerShell dropper mentioned earlier that embeds the encrypted sLoad script and C2 URL file within itself.

In most variations of the installation, the sLoad dropper script is the last intermediate stage that performs the following actions, and eventually decrypts and runs the final sLoad script:

  1. Creates an installation folder in the %APPDATA% folder named after the first 6 characters of the Win32 Product UUID. 
  2. Drops an infection marker file named _in; on subsequent executions, uses the LastWriteTime of this file to check whether the malware was installed within the last 30 minutes, in which case it terminates. 
  3. Drops the encrypted sLoad script and the C2 URL file as config.ini and web.ini, respectively. 
  4. Builds and drops two more randomly named scripts: one VBScript and one PowerShell script. 
  5. Uses schtasks.exe to create a scheduled task named AppRunLog to run the randomly named VBScript from the previous step with the decryption key supplied as a command line parameter; deletes the previously created related tasks (if found) before creating this one. The scheduled task is configured to start at 7:00 AM and run every 3 minutes. 

The dropped VBScript that runs under the scheduled task is yet another proxy that simply runs the dropped PowerShell script with the same command line parameter (the decryption key). The PowerShell script decrypts the contents of the previously dropped config.ini in memory into another piece of PowerShell code, which it then runs. This is the final component, the script detected as TrojanDownloader:PowerShell/sLoad, that uses BITS to perform every important malicious activity.

BITS abuse

The sLoad PowerShell script (the final component) then abuses BITS to carry out all of the following activities:

Finding an active C2 server

The malware decrypts the contents of the previously dropped web.ini into a set of two URLs and creates BITS download jobs to test the connection to these URLs. It then saves the URL that responds, where a response is a file containing the message “sok” downloaded as part of the created BITS job. This completes the handshake.

If neither responds, the script appends the number “1” to the domain names in both URLs, saves the encrypted data back to the web.ini file, and exits. As a result, the next time the scheduled task runs, the script uses the modified web.ini to obtain the modified URLs and attempts to connect to an active C2 again. With each unsuccessful attempt to connect to the C2s, the number appended to the domain names is increased by 1 until it reaches 50, at which point it resets to 1. This technique offers a bit of a cushion and ensures continued contact between a compromised machine and a C2 in case the primary C2 is blocked.

This prevents the malware infrastructure from losing a compromised host if the primary C2 is blocked. It’s also interesting to see how the URLs used to reach C2 are structured to appear related to CAPTCHA verification, an attempt to escape watchful eyes.

Fetching a new list of C2s

For continued exfiltration of information, it’s important to maintain contact with an active C2. As malicious domains cannot stay up and running for long, the malware includes functionality to refresh the list of C2s every time the scheduled task runs. Using a BITS download job, the malware downloads a new copy of web.ini from the active C2 to provision a new set of C2s for future use.

Exfiltrating system information

Once an active C2 is identified, the malware starts collecting system information by performing the following:

  • saves the output of “net view” command
  • enumerates network drives and saves the provider names and device ids
  • produces the list of all running processes
  • obtains the OS caption
  • looks for Outlook folder, as well as Independent Computing Architecture (ICA) files, which are used by Citrix application servers to store configuration information

It then creates a BITS download job with the RemoteURL built from the URL of the active C2 and the system information collected up to this point.

Crafting URLs infused with stolen info is not a novel attacker technique. In addition, creating a BITS job with an extremely large RemoteURL parameter that includes non-encrypted system information stands out and is relatively easy to detect. However, this malware’s use of a download job instead of an upload job is a clever move to achieve stealth.
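Detection logic for the two BITS traits described above (the oversized, unencrypted RemoteURL of a download job, and the numbered C2 domain fail-over), as an added example that is not part of the original post: a Python scan over constructed Microsoft-Windows-Bits-Client/Operational event 59 messages. The message shape, the thresholds, and every host, job name and query value are assumptions made for this example and are not sLoad indicators.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Event 59 in the BITS-Client operational log is written when a job starts and
# names both the job and its remote URL. This pattern is an assumption about the
# message text; adjust it to the exact wording in your environment.
EVENT_59_RE = re.compile(
    r"BITS started the (?P<job>.+?) transfer job that is associated with the "
    r"(?P<url>\S+) URL\."
)

# Constructed sample messages (hosts, job names and values are made up).
SAMPLE_EVENTS = [
    "BITS started the Vendor Update transfer job that is associated with the "
    "http://download.updates.example/v11/3/redir/update-redir.cab URL.",
    # Mimics the trait described in the post: system inventory stuffed into the
    # RemoteURL of a *download* job, against a CAPTCHA-themed, numbered domain.
    "BITS started the OR6ZZ transfer job that is associated with the "
    "https://captcha-check1.example/captcha/verify.php?"
    "nv=%5C%5CFILESRV01%20%5C%5CPRINT02&"
    "nd=Z:%20Microsoft%20Windows%20Network%20%5C%5Cfilesrv01%5Cshare&"
    "pl=explorer.exe%2Coutlook.exe%2Cmsmpeng.exe%2Cpowershell.exe%2C"
    "svchost.exe%2Clsass.exe%2Cwinlogon.exe%2Ctaskhostw.exe&"
    "os=Microsoft%20Windows%2010%20Pro&ol=1&ica=0 URL.",
    "BITS started the EDR-Heartbeat transfer job that is associated with the "
    "https://captcha-check.example/captcha/sok.php URL.",
]

MAX_URL_LEN = 250   # assumed threshold; long signed CDN URLs can exceed it, so tune it
MIN_EXE_NAMES = 3   # a list of process names is not something a software updater sends


def analyze_bits_event(message: str) -> Optional[dict]:
    """Parse one event 59 message and return job, URL and findings (None if no match)."""
    m = EVENT_59_RE.search(message)
    if not m:
        return None
    job, url = m.group("job"), m.group("url")
    parts = urlsplit(url)
    findings = []

    # 1. Exfiltration via RemoteURL makes the URL itself abnormally long.
    if len(url) > MAX_URL_LEN:
        findings.append("oversized_url")

    # 2. The data is not encrypted: UNC share names from "net view" and a
    #    comma-separated process list survive URL decoding intact.
    query = unquote(parts.query)
    exe_names = re.findall(r"\b[\w-]+\.exe\b", query, re.IGNORECASE)
    if "\\\\" in query or len(exe_names) >= MIN_EXE_NAMES:
        findings.append("plaintext_host_info")

    # 3. C2 fail-over appends 1..50 to the domain name. A leftmost label ending in
    #    such a number is weak on its own (cdn2.example is normal), so it only adds
    #    weight to the other findings.
    label = (parts.hostname or "").split(".")[0]
    suffix = re.search(r"[a-z-](\d{1,2})$", label)
    if suffix and 1 <= int(suffix.group(1)) <= 50:
        findings.append("numbered_domain_variant")

    return {"job": job, "url": url, "findings": findings}


def scan_bits_events(messages) -> list:
    """Return an alert per event with findings; two or more findings rate 'high'."""
    alerts = []
    for msg in messages:
        result = analyze_bits_event(msg)
        if result and result["findings"]:
            result["severity"] = "high" if len(result["findings"]) >= 2 else "low"
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for alert in scan_bits_events(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] job={alert['job']!r} findings={alert['findings']}")
```

On the sample input only the OR6ZZ job is flagged, with all three findings; the update job and the short handshake-style URL produce none.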

Deploying additional payloads

Because the malware exfiltrates system information using a BITS download job, it gets an opportunity to receive a response in the form of a file downloaded to the machine. It uses this opportunity to obtain additional payloads from the C2.

It sleeps and waits for the file to be downloaded. If the downloaded file instructs it to download and invoke additional PowerShell code, the supplied URL is used for that task. If not, the URL is assumed to point to an encoded PE image payload. The malware creates another BITS download job to download this payload, creates a copy of the newly downloaded encoded file, and uses another Windows utility, certutil.exe, to decode it into a portable executable (PE) file with an .exe extension. Finally, it uses PowerShell.exe to run the decoded PE payload. One more BITS download job is created to download additional files.


The malware comes built with one of the most notorious spyware features: uploading screenshots. At several stages during the installation as well as when running additional payloads, the malware takes several screenshots at short intervals. It then uses a BITS upload job to send the stolen screenshots to the active C2. This is the only time that it uses an upload job, and these are the only files it uploads to the C2. Once uploaded, the screenshots are deleted from the machine.

Conclusion: Multiple layers of protection against multi-stage living-off-the-land threats

sLoad is just one example of the increasingly more prevalent threats that can perform most of their malicious activities by simply living off the land. In this case, it’s a dangerous threat that’s equipped with notorious spyware capabilities, infiltrative payload delivery, and data exfiltration capabilities. sLoad’s behavior can be classified as a Type III fileless technique: while it drops some malware files during installation, its use of only BITS jobs to perform most of its harmful behaviors and scheduled tasks for persistence achieves an almost fileless presence on compromised machines.

To defeat multi-stage, stealthy, and persistent threats like sLoad, Microsoft Defender ATP’s antivirus component uses multiple next-generation protection engines on the client and in the cloud. While most threats are identified and stopped by many of these engines, behavioral blocking and containment capabilities detect malicious behaviors and block threats after they have started running.

These detections are also surfaced in Microsoft Defender Security Center. Security operations teams can then use Microsoft Defender ATP’s other capabilities like endpoint detection and response (EDR), automated investigation and response, Threat and Vulnerability Management, and Microsoft Threat Experts to investigate and respond to attacks. This reflects the defense-in-depth strategy that is central to the unified endpoint protection provided by Microsoft Defender ATP.

As part of Microsoft Threat Protection, Microsoft Defender ATP shares security signals about this threat with other security services, which likewise inform and enrich endpoint protection. For example, Office 365 ATP’s intelligence on the emails that carry sLoad is shared with and used by Microsoft Defender ATP to build even stronger defenses at the source of infection. Real-time signal-sharing across Microsoft’s security services gives Microsoft Threat Protection unparalleled visibility across attack vectors and the unique ability to provide comprehensive protection for identities, endpoints, data, cloud apps, and infrastructure.


Sujit Magar
Microsoft Defender ATP Research Team





The post Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities appeared first on Microsoft Security.

This Year in Ransomware Payouts (2019 Edition)

Even though 2017 remains the year when we saw the ransomware pandemic at its peak, cybercriminals will not stop these attacks on individuals and businesses anytime soon. Unfortunately, ransomware attacks continued to make headlines this year as well. So, in this article, I’m going to look at the highest ransomware payouts of 2019, which organizations paid the ransom, and why it’s never a good idea to pay the ransom.

But first of all, let’s start with some mind-blowing ransomware statistics from 2019.

Ransomware statistics in 2019

Here are the most shocking ransomware facts coming from 2019 alone:

  • Two-thirds of ransomware attacks targeted state and local governments.
  • 55% of SMBs from the US would pay hackers to recover their stolen data in ransomware attacks.
  • Over 500 US schools were affected by ransomware attacks in 2019.
  • Almost 70 US government organizations were infected with ransomware since January 2019.
  • A total of 140 US local governments, police stations, and hospitals have been infected with ransomware.
  • In the third quarter of 2019, the average ransomware payout increased to $41,000.

The most significant ransomware payouts of 2019

In the best-case scenario, victims of ransomware could simply wipe their systems and recover their data from offline backups. However, some organizations don’t keep any backups at all. Or worse, even if they do have copies of their data, sometimes they also end up being locked up by cybercriminals.

There are times when ransomware victims can decrypt their files with free ransomware decryption tools but sadly, there isn’t a decryptor available for all the ransomware strains out there. This sometimes leads to companies paying the ransom, being desperate to get their business back up and running.

Without further ado, below you will find the most significant ransomware payouts of 2019.

#6. Park DuValle Community Health Center, Kentucky, USA

June 2019

Amount paid: $70,000

In June 2019, Park DuValle Community Health Center had the medical records of almost 20,000 patients encrypted by ransomware and ended up paying the $70,000 ransom. The attack had left them locked out of their system for almost two months, impacting the health center’s medical records system and appointment scheduling tool.

For seven weeks, they had to record the patients’ information on pen and paper and ask them to speak from memory about their past treatments. The health care center basically had to operate on a walk-in basis since they were not able to schedule appointments or view any data.

“This is everything. This is medical records, contact information, insurance information, anything about a patient…everything is gone,” said Elizabeth Ann Hagan-Grigsby, CEO of Park DuValle. “The records involved are for past and present patients,” she continued.

This was the second time during the same year that Park Duvalle was impacted by a ransomware attack. Back in April 2019, their systems had been locked down for about three weeks. This time, they had their data backed up, so they did not pay the ransom. However, the second time, they were unable to recover their data from the backups, so they decided to pay the ransom to restore it.

The ransom amount was paid in 6 bitcoins (the equivalent of $70,000). The cybercriminals provided the encryption keys and Park DuValle was able to recover its data.

#5. Stratford City, Ontario, Canada

April 2019

Amount paid: $71,000

In April of this year, the City of Stratford also became a victim of a ransomware attack and chose to pay the ransom. According to the story published on Cybersecurity Insiders, the malware was installed on six of their physical servers and encrypted two virtual servers as well, leaving their sensitive data locked down.

Even though they received warnings from officials, they paid 10 bitcoins, which at the time of attack meant roughly $71,000. The security company they contacted was not able to recover their data and was only involved in forensics. Consequently, the city negotiated the price that needed to be paid for their information to become available again. Their cyber insurance covered $15,000 of the ransom.

It seems that no personally identifiable information data was compromised and revealed in this ransomware incident.

#4. La Porte County, Indiana, USA

July 2019

Amount paid: $130,000

Another victim of the Ryuk ransomware, La Porte County, Indiana, paid $130,000 to recover their data.

The attack happened on July 6 and was noticed right before it managed to spread to all of the network’s computers. The IT staff confined it to less than 7% of machines, however, two domain controllers were impacted and thus, network services became unavailable.

According to the source, the FBI and a forensic investigation firm attempted to recover the data without paying the ransom, but their efforts proved to be unsuccessful. $100,000 out of the $130,000 payment demand was covered by insurance.

Apparently, the county did have backup servers in place; however, they became infected by the ransomware as well.

The ransomware that affected La Porte County’s systems is allegedly Ryuk, the same strain that affected Lake City. It was called a “triple threat” because it originated from an Emotet infection that delivered the Trickbot trojan, which then launched Ryuk.

#3. Jackson County, Georgia, USA

March 2019

Amount paid: $400,000

Back in March, Jackson County had its network shut down by a ransomware attack, leaving only its website and 911 emergency system untouched. This meant they had to do their reports and bookings in pen and paper, just like they did before using computers became the norm.

Their officials contacted the FBI and hired a cybersecurity consultant. The security specialist negotiated with the cyber attackers and it was decided that Jackson County had to transfer $400,000 to receive the decryption key and gain access to their data once again.

“We had to make a determination on whether to pay. We could have literally been down months and months and spent as much or more money trying to get our system rebuilt”, said Kevin Poe, Jackson County Manager.

Apparently, the county’s network had been infected with the Ryuk ransomware strain, which as of now, does not have a free decryption tool available. According to experts, this type of ransomware had one of the most active campaigns in 2019, also affecting over 500 schools in the US.

Researchers are saying the Ryuk ransomware only launches after it completely spreads on the target’s network.

Here is what the Ryuk ransomware note looks like: [image: Ryuk ransomware note]


#2. Lake City, Florida, USA

June 2019

Amount paid: $500,000

A second city in Florida paralyzed by ransomware agreed to pay the ransom: 42 bitcoins ($500,000).

Even though their IT staff disconnected the systems within ten minutes of the attack’s detection, the ransomware managed to infect their network almost entirely. The police and fire departments were not affected, as they were running on a separate network. The people who needed to pay their bills could only do it in cash or money orders and they received handwritten receipts.

Cybercriminals reached out to the city’s insurance provider a week after the infection took place and the ransom payment of 42 bitcoins was negotiated. The money was paid from the city’s insurance.

Over 100 years’ worth of records (ordinances, meeting minutes, resolutions, and City Council agendas) were encrypted for almost a month. A few weeks after the ransom was paid, they did not even recover all of their data. What’s more, Lake City’s information technology director was accused of failing to secure the network and not recovering the data quickly enough and eventually lost his job.

Lake City was another victim of the Ryuk ransomware strain.

#1. Riviera Beach City, Florida, USA

May 2019

Amount paid: $600,000

This brings us to the biggest ransomware payout of 2019, which was made by Riviera Beach City in Florida.

Allegedly, right after an employee clicked on a phishing email link received on May 29, hackers managed to infiltrate into the city’s network and locked it up. All of the city’s online systems went down, including email and even some phones, and on top of that, water utility pump stations were affected as well. As a result, payments could only be accepted in person or by mail (only in cash or by check) and communication was conducted by phone.

The City Council unanimously agreed to pay the ransom. The requested amount was 65 bitcoins, the equivalent of nearly $600,000. More than $300,000 from the city’s insurance policy was used to pay the ransom. The payment was officially made merely a few after Riviera Beach agreed to spend around $1 million to replace the infected computer equipment.

Riviera Beach’s attack looked similar to what Jackson County experienced in March, so they seem to have been yet another victim of the Ryuk ransomware strain.

The biggest ransom ever paid

Even though we’ve witnessed several major ransomware payouts this year, they were not the all-time biggest.

In 2017, the Korean web hosting firm Internet Nayana received the largest ransom demand ever (a whopping $1.14 million), which they also ended up paying. During their negotiations, some of their data was permanently deleted. To make up for the incident, Nayana offered free hosting for life and refunds to its affected customers. So, of course, besides the actual payment, the ransomware attack involved additional costs and reputational damage.

Others refused to pay

Paying the ransom was not something that every ransomware victim considered in 2019. And sadly, the data recovery costs for some organizations that declined the payment ended up being much higher than the actual ransom. So, since it has been proven that paying the ransom can be a lot cheaper than dealing with an attack’s aftermath, local governments are increasingly choosing to pay.

For instance, back in March 2018, the City of Atlanta was infected with the SamSam ransomware variant. Cybercriminals demanded a $52,000 ransom payment, however, Atlanta refused to pay and they had to spend $2.6 million to recover from the attack.

Baltimore City’s ransomware resistance story

On May 7, 2019, cybercriminals froze around 10,000 Baltimore government computers and asked for a $100,000 payment in bitcoins. The city’s employees were locked out of their email accounts and citizens were unable to pay their bills. This wasn’t the first time the city became a victim of ransomware – in 2018, their 911 system was shut down for about a day by another similar attack and in both cases, they did not transfer money into the attackers’ Bitcoin wallet.

The second time, their computer systems were infected with the RobbinHood ransomware strain.

Bernard C. Jack Young, Mayor of Baltimore City, explained why they chose not to pay the ransom:

The city representative acknowledges that by paying the ransom there is no guarantee their systems will be unlocked and also emphasizes the fact that they are choosing not to encourage criminal behavior.

“Why don’t we just pay the ransom? I know a lot of residents have been saying we should’ve just paid the ransom or why don’t we pay the ransom?

Well, first, we’ve been advised by both the Secret Service and the FBI not to pay the ransom. Second, that’s just not the way we operate. We won’t reward criminal behavior.

If we paid the ransom, there is no guarantee they can or will unlock our system.

There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future.

Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action.” – Bernard C. Jack Young, Mayor of Baltimore City

US mayors have adopted a resolution against paying the ransom

A proposal to ban ransom payments, put forward by Bernard Young, the above-mentioned mayor of Baltimore City, has been adopted. The resolution reads:

“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit.”

“The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm.”

“The United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.”

Although the adopted resolution doesn’t have any legal binding, it can be used to justify not paying the ransom in front of federal authorities and taxpayers.

Paying the ransom is a short-term solution

Ransomware payouts have become a highly controversial topic and for a good reason. Several questions arise when it comes to paying the ransom: Are you really going to recover your data? Where is your money actually going? Are you funding terrorist groups?

The FBI has explicitly stated that they do not support the practice and they urge organizations to report any ransomware incidents to law enforcement, no matter if they paid or not.

I strongly believe no one, be them consumers or organizations, should ever pay the ransom.

Here is why:

#1. There is no guarantee you will ever recover your data

In some cases, people still lost their data even if they paid the ransom. For instance, the GermanWiper ransomware deletes your files even though you did pay.

Also, malicious hackers like to be taken seriously, so if you think that by paying only a fraction of the requested amount you will get your data back (or at least some part of it), you are wrong. For example, the City of New Bedford, Massachusetts, was yet another government institution infected with the Ryuk ransomware. They tried to negotiate a payment of $400,000 instead of $5.3 million, aiming to align the payment with those paid by cities hit by the same type of malware. However, their offer was declined.

#2. You are funding criminal organizations

Yes, it may be cheaper and faster to get your data back (if you are lucky enough) by paying the ransom. But are you really okay with transferring your money to shady hacking groups who may be using the money for more malicious purposes?

#3. You are only encouraging this behavior

If organizations continue to pay the ransom, cybercriminals will not stop this practice anytime soon. In fact, it has already become a highly profitable underground business, also known as Ransomware as a Service (RaaS).

So, do you actually want to incentivize more and more attacks and contribute to the further propagation of the ransomware illegal industry?

Think about it this way. In the long run, if you’ve chosen to pay the ransom, you will definitely not save any money. Why not use the amount that you would have given to those ransomware attackers to improve your defenses instead?

How to Prevent Ransomware in Your Organization

Ransomware disasters can, fortunately, be avoided. As you’ve probably noticed from the ransomware incidents that I’ve listed, the best targets seem to be government entities that have outdated IT systems in place and that don’t always follow cybersecurity best practices.

Here is how you can stop ransomware from infecting your organization:

#1. Back up your data

I can’t stress this enough. The first and most important thing you can do is keep copies of your data stored somewhere safe, where they cannot get infected as well. What’s more, make sure that your backup system actually works and test it frequently.

#2. Watch out for excessive admin rights inside your organization

Sometimes, ransomware can prove to be a result of abused privileged accounts (malware propagation is often linked to compromised credentials that belong to admin accounts).

So, be certain that your organization runs on the principle of least privilege and the Zero Trust model. In short, be careful whom you grant admin rights to within your organization. A tool such as Thor AdminPrivilege™ can help you easily escalate and de-escalate privileges and when used in tandem with our other solutions, you will get notified when threats are discovered and more than that, admin rights will be automatically de-escalated on compromised accounts.

#3. Use security tools specifically designed to stop ransomware

For instance, a product like Thor Foresight Enterprise is properly equipped to protect your organization against ransomware. First of all, it instantly blocks any incoming attacks (for example, associated with malicious URLs) and secondly, it contains a patch management tool, created to help you close all vulnerabilities related to outdated systems and software.

#4. Train your users

Last, but not least, your users should be able to recognize the signs of cyberattacks. I often hear IT admins struggling with compromised accounts and malware infections that happen because users keep clicking on phishing links and following the instructions (for example, submitting their login credentials).


All in all, 2019 has shown us that ransomware is still a lucrative business for cybercriminals. The organizations that are choosing to pay the ransom only worsen the situation, setting high expectations for future ransomware attackers. So, the bottom line is this: if you are ever faced with this tough decision – to pay or not to pay, think about what paying actually means.


The post This Year in Ransomware Payouts (2019 Edition) appeared first on Heimdal Security Blog.

Improve cyber supply chain risk management with Microsoft Azure

For years, Microsoft has tracked threat actors exploiting federal cyber supply chain vulnerabilities. Supply chain attacks target software developers, systems integrators, and technology companies. Tactics often include obtaining source code, build processes, or update mechanisms to compromise legitimate applications. This is a key concern for government cybersecurity in the cloud, as the expanding digital estate requires movement towards a Zero Trust security model.

There are several techniques for attacking cyber supply chains in Information and Communications Technology (ICT) products and services. Supply chain attacks are especially concerning because they target vulnerabilities in your infrastructure before you even deploy your assets and software.

Attackers can:

  • Compromise software building tools to ensure that their malware is imprinted into all software generated from the building tools.
  • Replace software update repositories with malicious replicas that distribute malware across entire software ecosystems.
  • Steal code-signing certificates to make malicious software appear as legitimate code.
  • Intercept hardware shipments to inject malicious code into hardware, firmware, and field-programmable gate arrays (FPGAs).
  • Pre-install malware onto IoT devices before they arrive to target organizations.

Managing Supply Chain Risk Management (SCRM) to defend against supply chain attacks

Defending against supply chain attacks requires a comprehensive approach to managing Supply Chain Risk Management (SCRM). Federal risk managers must deploy strong code integrity policies and technical screening controls to ensure their software complies with organizational directives such as applying NIST SP 800-53A security controls for Federal Information Security Management Act (FISMA) compliance. Code integrity requires full non-repudiation of software to validate information producer associations, identity, and chain of custody for systems and components (NIST SP 800-161, 2015). One critical opportunity for addressing code integrity in your supply chain is to implement and adhere to a secure software development lifecycle for applications that you develop in-house and that you acquire from third-party supply chain partners.

Microsoft continues to use the Security Development Lifecycle, a fundamental process of continuous learning and improvement in the security, integrity, and resiliency of our enterprise applications. We require supply chain providers to adhere to these practices as well.

Organizations should employ asset monitoring and tracking systems such as radio-frequency identification (RFID) and digital signatures to track hardware and software from producers to consumers to ensure system and component integrity. FIPS 200 specifies that federal organizations “must identify, report, and correct information and information system flaws in a timely manner while providing protection from malicious code at appropriate locations within organizational information systems” (FIPS 200, 2006).

How Microsoft fights against malware

Microsoft understands how to fight malware and has worked hard for many years to offer our customers leading endpoint protection to defend against increasingly sophisticated attacks across a variety of devices. These efforts have been recognized, for example, in the 2019 Gartner Endpoint Protection Platforms Magic Quadrant. In addition, Microsoft Defender Advanced Threat Protection (ATP) integrates directly with Microsoft Azure Security Center to alert your security teams when threat actors exploit your vulnerabilities.

Magic Quadrant for Endpoint Protection Platforms.*

Endpoint Protection Platforms can support software development and fight malware, but government organizations must follow recommendations for software vendors and developers by applying patches for operating systems and software, implementing mandatory integrity controls, and requiring Multi-Factor Authentication (MFA) for administrators.

Azure Security Center Recommendations help government organizations eliminate security vulnerabilities before an attack occurs by facilitating actions to secure resources, including OS vulnerability detection, mandatory controls, and enforcing authentication with MFA and secure access with just-in-time (JIT) virtual machine access.

When you remediate recommendations, your Secure Score and your workloads’ security postures improve. Azure Security Center automatically discovers new resources you deploy, assesses them against your security policy, and provides new recommendations for securing them.

Azure Security Center also facilitates cyber learning through gamification. Secure Score allows your SecOps and Security Governance Risk & Compliance (SGRC) teams to remediate vulnerabilities through a points-based system. This capability can enhance system configurations and reinforce supply chain risk management in a single pane of glass for your infrastructure security posture, and even includes a regulatory and compliance dashboard to facilitate federal compliance requirements and can be tailored to your organization.

Security of federal information systems requires compliance with stringent standards such as NIST SP 800-53, FISMA, CIS Benchmarks, and FedRAMP Moderate. Azure Blueprints facilitates compliance with these standards ensuring a secure-by-design approach to federal information security. Azure Blueprints enable cloud architects and information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements.

Azure Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as role assignments, policy assignments, and Azure Resource Manager templates. Azure Blueprints also provide recommendations and a framework to directly apply compliance requirements to your environment while monitoring configurations through Continuous Monitoring (CM).

Employing a comprehensive monitoring program

Protecting your supply chain also requires a comprehensive monitoring program with cyber incident response and security operations capabilities. Azure Sentinel is a cloud-native security information and event management (SIEM) platform that uses built-in artificial intelligence (AI) to help analyze large volumes of data across an enterprise—fast. Azure Sentinel aggregates data from all sources, including users, applications, servers, and devices running on-premises or in any cloud, letting you reason over millions of records in a few seconds.

Azure Sentinel leverages the Microsoft Graph, which detects threats, reduces false positives, and puts your responders on target. Azure Sentinel Workbooks optimize productivity with dozens of built-in dashboards to enhance security monitoring.

Azure Sentinel Analytics allows your cyber defenders to employ proactive alerting to detect threats impacting your supply chain security. Azure Sentinel Playbooks include over 200 connectors to leverage full automation through Azure Logic Apps. This powerful capability allows federal agencies to compensate for the cyber talent gap with Security Orchestration, Automation, and Response (SOAR) capabilities while leveraging machine learning and AI. Azure Sentinel deep investigation allows your incident response teams to dig into incidents and identify the root cause of attacks.

Azure Sentinel’s powerful hunting search-and-query tools are based on the MITRE ATT&CK framework, allowing your responders to proactively hunt threats across the network before alerts are triggered. The Azure Sentinel community is growing on GitHub and allows your team to collaborate with the information security community on best practices, efficiencies, and security innovation.


Cyber Supply Chain Risk Management (SCRM) is a growing concern within the federal sector. Microsoft is committed to bolstering government cybersecurity in the cloud. Microsoft Azure goes the distance to protect your network against supply chain attacks through Microsoft Defender ATP’s industry-leading Endpoint Protection Platform, Azure Security Center’s comprehensive continuous monitoring platform, Azure Blueprints’ approach to rapidly deploying a compliant cloud, and Azure Sentinel’s cloud-native SIEM that harnesses the limitless power of the cloud through threat intelligence, machine learning, AI, and automation.

Learn more about government cybersecurity in the cloud with Microsoft

Here are some of the best resources to learn more about government cybersecurity in the cloud with Microsoft:

Also, join us for the Microsoft Ignite Government Tour in Washington, D.C., February 6, 2020.

Bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity or visit our website for the latest news and updates on cybersecurity.

Are you a federal government agency that needs help with cybersecurity? Reach out to TJ Banasik or Mark McIntyre for additional details on the content above, or if you have any other questions about Microsoft’s cybersecurity investments for the federal government.


*This graphic was published by Gartner, Inc. as part of larger research documents and should be evaluated in the context of the entire document. The Gartner documents are available upon request from Microsoft. Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

The post Improve cyber supply chain risk management with Microsoft Azure appeared first on Microsoft Security.

Endpoint Security 301: When Products, Policies, and People Break Down the Lines of Communication

Security architecture is like the ocean: no one owns it, and it is constantly affected by change. New technologies are introduced, staff changes occur, and as a result, communication suffers. I often see environments where ownership is placed into silos across teams in the enterprise, meaning IT administrators preventing threats may not get the insights uncovered by security operations teams. On the other hand, SecOps may not receive details on why a policy or configuration change has occurred. What’s more, in environments without effective integration between security tools, this lack of communication means the insights and visibility that might benefit other stakeholders rarely travel or surface outside the immediate security team.

Add into the mix a pool of security tools that can’t co-exist — or that co-exist poorly and conflict with one another — and the situation is complicated even further. Clearly, implementing an effective, comprehensive endpoint strategy is one challenge, but maintaining that strategy is usually where the real battle begins.

A crucial part of winning this battle is ensuring that IT security administrators and SecOps work together effectively. Let’s examine how these two can do so to ensure all bases and endpoints are covered.

A Lack of Alignment Exacerbates the Skills Gap

A quick reminder: IT security teams are responsible for the health of the network and IT infrastructure, requiring them to focus on access controls, endpoint protection, and vulnerability management. SecOps teams, meanwhile, establish the rules their organization must follow to secure their environment.

Logically, these teams should work hand-in-hand, but in most enterprises, they are siloed due to functional or technical limits. Each has little visibility into what the other side is doing on a day-to-day basis, plus a complete lack of insight into longer-term strategic security initiatives. This can lead to a breakdown in rules, configurations, and escalations that has a detrimental impact on an enterprise’s infrastructure.

Lack of communication can also make it hard for IT security admins to know how to escalate and prioritize issues, and it prevents SecOps from upskilling. For example, junior analysts can only address about 30% of alerts today. The remainder of alerts require a higher skill set to remediate, a problem that’s only compounded by the lack of qualified cybersecurity talent. In fact, some estimates expect the number of unfilled cybersecurity jobs to rise to 3.5 million by 2021, and because many SecOps tools today require significant experience to operate, communication and education will only become more critical.

Establishing Shared Visibility Between Teams

Now that we know the issues that can arise when SecOps and IT admins don’t communicate, let’s address some of the solutions and outcomes. It all starts with better, shared visibility. When each team has insight into what the other is working on, teams are no longer siloed, and less time is spent on alerts and false positives that frontline IT can handle rather than SecOps. This means that if an eventual hack or breach does occur, more time and effort can be spent on threat remediation in order to strengthen an enterprise’s endpoint environment.

Shared visibility extends into joint policy creation as well. When forming policies, if IT admins and SecOps provide their respective input, there is less of a chance of miscommunication or misconfiguration. Policy changes can be understood from the get-go by forming a holistic approach, with the necessary expertise and insights from both teams coming together to create an overarching endpoint security strategy that’s more secure.

SecOps and IT must also find a way to extend that visibility to new team members. In my experience, solving security architecture issues requires a two-pronged approach. First, the security industry should take more responsibility for designing products usable by both the most advanced security professionals and operational staff and analysts. But second, organizations must ensure that continuity is maintained at customer sites despite staff rotations, through documented policies that support product configurations. In other words, organizations must ensure the appropriate processes are in place to support the security tools they deploy. This historical knowledge matters because, anecdotally, I find that a significant number of escalations are addressable simply by reverting a customer environment back to default settings. New employees are unaware of this quick fix and therefore waste precious time and resources on unnecessary efforts.

Collaborating for True Endpoint Security

With these challenges in mind, we recommend the following steps.

  • Create visible, documented policies for all products and scenarios. This helps overcome a lack of communication, staff turnover, and the inability of products to integrate.
  • Conversely, seek integration and automation. In fact, organizations are already doing so, with over 70% pursuing increased automation in endpoint security, including automated detection and response.
  • Establish cross-functional collaboration in other ways. For example, require IT admins to flag threats to SecOps.
  • Review your policy book and guidelines quarterly so that the latest technology and processes can be effectively integrated into guidelines.

IT security admins and SecOps teams don’t have to — and shouldn’t — do their jobs alone. To cover all bases, they can leverage a multitude of endpoint security solutions with proactive, collaborative, and integrated technology built in. These solutions allow IT security admins and SecOps teams to focus their efforts elsewhere, such as on strategic projects, policies, and insights.

McAfee MVISION Endpoint and MVISION Mobile, for example, build machine learning (ML) algorithms and analysis into their architecture to help monitor and identify malicious behavior. Additionally, McAfee Endpoint Detection & Response combines real-time endpoint monitoring and data collection with rules-based automated response and analysis capabilities so that both IT security and SecOps can be involved in the process of fostering effective enterprise endpoint security in a way that makes both of their jobs easier.

With the proper visibility between IT security and SecOps teams, advanced security solutions not only bring an endpoint security strategy full circle but also allow for more time to be spent on collaboration and teamwork. An endpoint security strategy is only as strong as its weakest link – human, solution, or otherwise. Enterprises should ensure that their weakest link isn’t a vulnerable missing link between IT admins and SecOps.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.


The post Endpoint Security 301: When Products, Policies, and People Break Down the Lines of Communication appeared first on McAfee Blogs.

Microsoft Security—a Leader in 5 Gartner Magic Quadrants

Gartner has named Microsoft Security a Leader in five Magic Quadrants. This is exciting news that we believe speaks to the breadth and depth of our security offerings. Gartner places vendors as Leaders who demonstrate balanced progress and effort in all execution and vision categories. This means that Leaders not only have the people and capabilities to deliver strong solutions today, they also understand the market and have a strategy for meeting customer needs in the future. Microsoft was identified as a Leader in the following five security areas:

  • Cloud Access Security Broker (CASB) solutions¹
  • Access Management²
  • Enterprise Information Archiving³
  • Unified Endpoint Management (UEM) tools⁴
  • Endpoint Protection Platforms⁵

Microsoft Security doesn’t just deliver strong security products in five crucial security areas. We provide a comprehensive set of security solutions that are built to work together, from identity and access management to threat protection to information protection and cloud security.

Our products integrate easily and share intelligence from the trillions of signals generated daily on the Microsoft Intelligent Security Graph. And they work with non-Microsoft solutions too. You can monitor and safeguard your assets across clouds—whether you use Microsoft Azure, Amazon Web Services, Slack, Salesforce, or all the above.

By unifying security tools, you get visibility into your entire environment across on-premises and the cloud, to better protect all your users, data, devices, and applications. Today, we’ll review the five areas where Microsoft is recognized as a Leader in security.

A Leader in CASB

Our cloud security solutions provide cross-cloud protection, whether you use Amazon Web Services, Azure, Google Cloud Platform—or all three. We also help you safeguard your data in third-party apps like Salesforce and Slack.

Gartner named Microsoft a Leader in CASB based on the ability to execute and completeness of vision. Cloud App Security provides rich visibility into your shadow IT, enables you to identify and remediate cloud native attacks, and allows you to control how your data travels across all your cloud apps—whether they’re from Microsoft or third-party applications.

As Gartner says in the CASB Magic Quadrant, “platforms from leading CASB vendors were born in the cloud and designed for the cloud. They have a deeper understanding of users, devices, applications, transactions, and sensitive data than CASB functions designed to be extensions of traditional network security and SWG security technologies.”

We work closely with customers to improve our products, which is one of the reasons our customer base for Cloud App Security continues to grow.

Gartner graph showing Microsoft as a Leader in Cloud App Security.

A Leader in Access Management

Azure Active Directory (Azure AD) is a universal identity and access management platform that provides the right people the right access to the right resources. It safeguards identities and simplifies access for users. Users sign in once with a single identity to access all the apps they need—whether they’re on-premises apps, Microsoft apps, or third-party cloud apps. Microsoft was recognized for high scores in market understanding and customer experience.

Gartner says, “Vendors that have developed Access Management as a service have risen in popularity. Gartner estimates that 90 percent or more of clients based in North America and approximately 65 percent in Europe and the Asia/Pacific region countries are also seeking SaaS-delivered models for new Access Management purchases. This demonstrates a preference for agility, quicker time to new features, elimination of continual software upgrades, reduction of supported infrastructure and other SaaS versus software benefits demonstrated in the market.”

Gartner graph showing Microsoft as a Leader in Access Management.

A Leader in Enterprise Information Archiving

Enterprise information archiving solutions help organizations archive emails, instant messages, SMS, and social media content. Gartner recognized us as a Leader in this Magic Quadrant based on ability to execute and completeness of vision.

Gartner estimates, “By 2023, 45 percent of enterprise customers will adopt an enterprise information archiving (EIA) solution to meet new requirements driven by data privacy regulations; this is a major increase from five percent in 2019.”

Gartner graph showing Microsoft as a Leader in Enterprise Information Archiving.

A Leader in Unified Endpoint Management (UEM)

Unified Endpoint Management (UEM) solutions provide a comprehensive solution to manage mobile devices and traditional endpoints, like PCs and Macs. Microsoft’s solution, Microsoft Intune, lets you securely support company-provided devices and bring your own device policies. You can even protect company apps and data on unmanaged devices. We have seen rapid growth in Intune deployments and expect that growth to continue.

Gartner noted that, “Leaders are identified as those vendors with strong execution and vision scores with products that exemplify the suite of functions that assist organizations in managing a diverse field of mobile and traditional endpoints. Leaders provide tools that catalyze the migration of PCs from legacy CMT management tools to modern, UEM-based management.”

Intune is built to work with other Microsoft 365 security solutions, such as Cloud App Security and Azure AD to unify your security approach across all your clouds and devices. As Gartner writes, “Achieving a truly simplified, single-console approach to endpoint management promises many operational benefits.”

Gartner graph showing Microsoft as a Leader in Unified Endpoint Management.

A Leader in Endpoint Protection Platforms

Our threat protection solutions provide tools to identify, investigate, and respond to threats across all your endpoints. Gartner named Microsoft a Leader for Endpoint Protection Platforms, recognizing our products’ strengths, our ability to execute, and our completeness of vision. Azure Advanced Threat Protection (ATP) detects and investigates advanced attacks on-premises and in the cloud. Windows Defender Antivirus protects PCs against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.

Gartner says, “A Leader in this category will have broad capabilities in advanced malware protection, and proven management capabilities for large-enterprise accounts.”

Gartner graph showing Microsoft as a Leader in Endpoint Protection Platforms.

Learn more

Microsoft is committed to helping our customers digitally transform while providing the security solutions that enable them to focus on what they do best. Learn more about our comprehensive security solutions across identity and access management, cloud security, information protection, threat protection, and universal endpoint management by visiting our website.

¹ Gartner “Magic Quadrant for Cloud Access Security Brokers,” by Steve Riley, Craig Lawson, October 2019

² Gartner “Magic Quadrant for Access Management,” by Michael Kelley, Abhyuday Data, Henrique Teixeira, August 2019

³ Gartner “Magic Quadrant for Enterprise Information Archiving,” by Julian Tirsu, Michael Hoech, November 2019

⁴ Gartner “Magic Quadrant for Unified Endpoint Management Tools,” by Chris Silva, Manjunath Bhat, Rich Doheny, Rob Smith, August 2019

⁵ Gartner “Magic Quadrant for Endpoint Protection Platforms,” by Peter Firstbrook, Dionisio Zumerle, Prateek Bhajanka, Lawrence Pingree, Paul Webber, August 2019

These graphics were published by Gartner, Inc. as part of larger research documents and should be evaluated in the context of the entire document. The Gartner documents are available upon request from Microsoft. Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

The post Microsoft Security—a Leader in 5 Gartner Magic Quadrants appeared first on Microsoft Security.

Windows 10 Nov 2019 Update supported by Seqrite Endpoint Security


Microsoft has recently released a new update for Windows 10 PCs, called Windows 10 November 2019 Update also known as Version 1909 and codenamed “19H2”.

This article lists some of the highlights of this update and briefly explains how Seqrite Endpoint Security is compatible with it.

Highlights of Windows 10 November 2019 Update

  1. Enhanced Microsoft Edge web browser experience.
  2. Introduction of a new “Manage notifications” button at the top of Action Center that launches the main “Notifications & actions” Settings page. The new “Reserved Storage” feature reserves some disk space for updates, apps, temporary files, and system caches, so that critical OS functions always have access to disk space.
  3. Notification settings under Settings > System > Notifications now default to sorting notification senders by most recently shown notification rather than by sender name. This makes it easier to find and configure frequent and recent senders. A new setting is also available to turn off the notification alert sound.
  4. The navigation pane on the Start menu now expands when you hover over it, to let you know where the click action may lead you.
  5. Options to configure and turn off notifications from an app/website are also shown right on the notification, both as a banner and in Action Center.
  6. Added the ability for Narrator and other assistive technologies to read and learn where the Fn (function) key is located on the keyboard and what its current status is, locked or unlocked.
  7. Updated the search box in File Explorer powered by Windows Search. This change will help integrate OneDrive content online with the traditional indexed results.
  8. Enabled the ability for enterprises to supplement Windows 10 in Secure Mode policy to allow traditional Win32 (desktop) apps from Microsoft Intune.
  9. Enabled Windows Defender Credential Guard for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in the organizations.


Supported Seqrite Endpoint Security Version Details:

  1. For Existing Users

Users of Seqrite Endpoint Security 7.2 or later MUST take the latest updates on Windows 10 19H1 [Version 1903] first and only then update to Windows 10 19H2 [Version 1909]. This is because Windows 10 19H2 [Version 1909] is an update package that should be installed on top of Windows 10 19H1 [Version 1903].

Recommendation – After receiving the latest Seqrite Definition Updates, restart your PC. Then update to Windows 10 19H2 [Version 1909].

  2. For New Users

Fresh Install – A fresh installation of Seqrite Endpoint Security 7.2 or a later version supports Windows 10 [Version 1909].


How to apply the latest Seqrite update?

To apply the latest Seqrite update automatically, enable Automatic Update for EPS client under Policy Settings.

How to know if the Seqrite update has been successfully applied and is compatible with Windows 10 Nov 2019 Update? 

If your Seqrite Endpoint Security Client’s Virus Database Date is the latest, it means it is compatible with the mentioned update.  

If you have any queries about the Windows 10 Nov 2019 Update and your Seqrite Product, please call us on 1800-121-7377 or drop us a line in the comment sections below.

The post Windows 10 Nov 2019 Update supported by Seqrite Endpoint Security appeared first on Seqrite Blog.

Seqrite Endpoint Security Cloud Supports the Windows 10 Nov 2019 Update


Microsoft has recently come up with a new update for Windows 10 PCs, called Windows 10 November 2019 Update, also known as Version 1909 and codenamed “19H2”.

Here we’ll list some of the highlights of this update and see how Seqrite Endpoint Security Cloud is compatible with this OS version.

Highlights of Windows 10 November 2019 Update

  1. Enhanced Microsoft Edge web browser experience.
  2. Introduction of a new “Manage notifications” button at the top of Action Center that launches the main “Notifications & actions” Settings page. The new “Reserved Storage” feature reserves some disk space for updates, apps, temporary files, and system caches, so that critical OS functions always have access to disk space.
  3. Notification settings under Settings > System > Notifications now default to sorting notification senders by most recently shown notification rather than by sender name. This makes it easier to find and configure frequent and recent senders. A new setting is also available to turn off the notification alert sound.
  4. The navigation pane on the Start menu now expands when you hover over it, to let you know where the click action may lead you.
  5. Options to configure and turn off notifications from an app/website are also shown right on the notification, both as a banner and in Action Center.
  6. Added the ability for Narrator and other assistive technologies to read and learn where the Fn (function) key is located on the keyboard and what its current status is, locked or unlocked.
  7. Updated the search box in File Explorer powered by Windows Search. This change will help integrate OneDrive content online with the traditional indexed results.
  8. Enabled the ability for enterprises to supplement Windows 10 in Secure Mode policy to allow traditional Win32 (desktop) apps from Microsoft Intune.
  9. Enabled Windows Defender Credential Guard for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in the organizations.

Supported Seqrite Endpoint Security Cloud Versions

  1. For Existing Users

Users of Seqrite EPS Cloud 1.2 or later must take the latest Client Updates on Windows 10 19H1 [Version 1903] first. Only then should they upgrade the Windows operating system (OS) to Windows 10 19H2 [Version 1909], because Windows 10 19H2 is an update package that should be installed on top of Windows 10 19H1.

Recommendation – After receiving the latest Client Updates, restart your PC. Then migrate to Windows 10 19H2.

  2. For New Users

Fresh Install – Our latest version of Seqrite EPS Cloud 1.3 is compatible with Windows 10 November 2019 Update.


How to apply the latest Client Update?

  • The update will be applied automatically if Automatic Update is turned ON.
  • You can also apply the update manually, by following any one of these methods:
    1. On the client dashboard, click Update Now.
    2. Go to Help > About and click Update Now.
    3. Right-click the Seqrite icon in the system tray and click Update Now.
    4. Go to Start > All Programs > Quick Update > Select the mode you prefer for updating Seqrite and click Next.

How to ensure if the Client update has been successfully installed and is compatible with Windows 10 November 2019 Update?

If your Client Virus Database Date is the latest, it means the client is compatible with Windows 10 19H2.

If you have any queries about Windows 10 19H2 and Seqrite Endpoint Security Cloud client, please call us on 1800-121-7377 or drop us a message in the comments section below.

The post Seqrite Endpoint Security Cloud Supports the Windows 10 Nov 2019 Update appeared first on Seqrite Blog.

Response Required: Why Identifying Threats With Your EDR Isn’t Enough

The perpetrator was a master of disguise, outfitting himself as an employee to bypass the extensive preventive security controls and flee with the contents of the vault. Fortunately, the building was equipped with strong detection security measures, and the burglar—unaware of the location of a laser tripwire—soon set off a silent alarm. A handful of the best-equipped and most experienced officers swarmed the building just minutes later, tracing the subject to a large storage area where they found him frantically digging through the large box of documents and cramming a few in his backpack.

While the other officers stood in the hallway at the ready, one began walking toward the perp, shouting “It’s all over, buddy. This is the end of the road.” The criminal, fear-stricken, turned to run. As he began to make his way toward a freight entrance, he was dumbfounded to hear only his own footsteps reverberating off the walls. He chanced a look back at the officer, who had not moved. “You thought you could run, but we found you! You’re under arrest!” the officer shouted, still not moving a muscle. Knowing something had to be going on, the criminal took this opportunity to hurriedly backtrack to the box and grab his ill-gotten loot. He looked back at the officer, who was still frozen in place.

The criminal looked incredulously at the officer, laughed and shook his head. Feeling no threat, he slowly shuffled out with his giant box of classified documents into the night.

The “R” Is There For A Reason

What is true in the world of police is also true in the world of cybersecurity: Detection means nothing without response. And not any response, but the right response.

EDR marketing materials focus heavily on their ability to detect the largest number of the newest threats in the least amount of time. But without a broad and well-developed set of response mechanisms in place, even the best detection abilities are of little use. Unlike, say, a legacy anti-virus product, EDR isn’t a “set it and forget it” technology—you can’t just put it on your network and call it a day. Your ability to adequately respond to threats is going to depend on two factors. While having capable analysts at the helm is vital, not limiting them with inadequate tools is an equally important part of safeguarding your enterprise.

Response Options Must Be Extensive

What if our officer instead had access to a full range of response capabilities? Criminals are unpredictable, and it’s impossible to know ahead of time whether “Put your hands up!” will be sufficient, or whether you’ll need to call for backup, use a stun gun or give chase. The ability to determine the best response isn’t enough if you don’t have access to that response method.

So it goes in cybersecurity. The EDR market is sharply divided in terms of response capabilities, and the ability—or inability—to adequately respond should be a purchasing consideration. Any decent EDR will yield the necessary context and present it in a way that allows you to easily and quickly assess the situation. A good EDR will put a panoply of response capabilities at your fingertips. Should you kill the process? Restart the machine? Quarantine the box? The amount of flexibility offered can affect how quickly you’re able to handle the threat.

Ideally, according to a SANS Institute report, your EDR should have at least the following response options:
– Terminate running processes
– Prevent processes from executing based on name, path, argument, parent, publisher or hash
– Block specific processes from communicating on the network
– Block processes from communicating with specific host names or IP addresses
– Uninstall services
– Edit registry keys and values
– Shut down or reboot an endpoint
– Log users off an endpoint
– Delete files and directories

But what do you do when the specific response you need isn’t available out of the box? In this case, you need to be able to program your own script to perform a custom action or response. Many EDRs lack the technology to make this possible, but it’s an important thing to look for—just because your business needs don’t require it now, doesn’t mean it won’t in the future.


EDR: Excessively Delayed Reaction?

What if our officer can chase a suspect, but only in baby steps? What if he or she can call for backup, but it takes them 45 minutes to arrive?

Having every response ever conceived still isn’t enough if they cannot contain threats in time.

With attackers moving from initial compromise to action on objectives with increasing quickness, the old way of “reassign the ticket to IT” no longer cuts it—by the time IT notices the ticket, the attacker may already have gone.

It’s important to have at your disposal the best response. But when you don’t yet know what something is, your best response may not be your first response. In other words, sometimes you’re going to want to be able to quarantine the affected device(s) while you investigate and scope in order to limit the threat’s impact.

The ability for the EDR to integrate with existing workflows, rather than dictating those workflows, can also make a big difference. A lot of people look at MTTD (Mean Time To Detection)—but that’s only part of the story. A better indicator of an EDR’s effectiveness is MTTR (Mean Time To Response). According to SANS Institute analyst Jake Williams, enterprises that have orchestrated actions between detection and response have MTTR metrics that are both more favorable and more reliable.

There’s no shortage of EDR solutions on the market, at all levels of speed and capability. It’s worth making sure that yours offers as much in terms of response as it does in detection—remember, when you choose an EDR, you’re partnering with the technology that will serve and protect your enterprise. When the chips are down, are you going to have an EDR that can identify, track and eliminate a threat in time to prevent massive devastation?

In a future blog, we’ll explain how detection and response should work in parallel with prevention to safeguard your enterprise.

Want to learn more about what to look for—and watch out for—in an EDR? Click here to read “Why Traditional EDR Is Not Working—and What To Do About It.”

The post Response Required: Why Identifying Threats With Your EDR Isn’t Enough appeared first on McAfee Blogs.

What is the Zero Trust Model?

In today’s ever-evolving threat landscape, the traditional “trust, but verify” approach no longer seems to work, especially now that it has become increasingly common for threats to originate from within an organization. According to Verizon, 34% of data breaches in 2018 involved internal actors. This is why more and more companies have started to implement a different security model: Zero Trust.

The “Zero Trust” concept is relatively new and was coined in 2010 by John Kindervag, a former Forrester analyst. Its architecture allows companies to map out both external and internal security threats and maximize the chances of timely mitigation.

In case you are not familiar with Zero Trust, in this article, I’m going to try to answer some burning questions such as:

  • What is Zero Trust and why is it relevant for your organization?
  • What principles is Zero Trust based on?
  • How can you implement the Zero Trust model?

Defining Zero Trust

As indicated by its name, Zero Trust is a concept based on the notion that organizations should not trust anyone or any device by default and thus must verify every single connection before allowing access to their network. This model came as a response to earlier security approaches, which assumed that insider threats were nonexistent and focused only on defending organizations from external threats.

Potential malicious actors aren’t the only driver for the Zero Trust initiative. As more and more companies are choosing to move their workloads to the cloud or follow the hybrid approach of using both on-premises and cloud applications, the popularity of the Zero Trust model has skyrocketed. Now, an increasing number of employees and their internal and external stakeholders are accessing resources from worldwide locations. And since the security perimeter is no longer contained within an office building and remote users are connecting to cloud applications from various locations, cyber-criminals have multiple points of access.

Therefore, the need for a different approach has grown.

According to the Zero Trust model, nothing, whether inside or outside an organization’s security perimeter, should be trusted by default. Businesses that use the “traditional” security model, which implies that everything contained inside their network can be automatically trusted, oftentimes fail to defend themselves. In this case, malicious hackers, once they manage to get past a company’s firewall, are able to move easily through its systems. Such antiquated security architectures only aim to stop threats from entering an organization, and once an infected network is left unsupervised, the organization’s sensitive data remains exposed.

On the other hand, the Zero Trust Model runs on the belief that one should “never trust and always verify”.

Traditional security architecture vs. Zero Trust architecture

The traditional security architecture is often referred to as the perimeter model after the castle-with-moat approach encountered in physical security. Through this model, protection is given by building multiple lines of defenses that attackers must go past before eventually gaining access, while possible insider threats are not taken into account.

The traditional network security architecture divides networks into zones separated by one or more firewalls. Each zone is assigned a certain level of trust, which decides which network resources it is allowed to reach. Through this model, high-risk resources (like web servers connected to the public internet) are put into an exclusion zone (oftentimes known as a “DMZ” or “demilitarized zone”), where traffic can be closely monitored and controlled.

Below you can see a representation of standard security architecture:

What standard security architecture looks like

Source: Traditional network security architecture, Zero Trust Networks by Doug Barth, Evan Gilman

By contrast, this is what a Zero Trust network would look like:

An example of zero trust architecture design

Source: Traditional network security architecture, Zero Trust Networks by Doug Barth, Evan Gilman

Here, the supporting system is called the control plane, and every other component is referred to as the data plane, which is being coordinated and configured by the control plane. The latter allows requests for access to restricted resources only from authenticated and authorized devices and users. At this layer, fine-grained policies based on “role in the organization, time of day, or type of device” can be applied. Furthermore, accessing even more secure resources can require stronger authentication.

As soon as the control plane has granted access to a request, the data plane will be configured to accept traffic from that client only.

The main idea here is that, even though some compromises can be made regarding the strength of these measures, the decision to grant access is delegated to a third party that authenticates the request based on a variety of inputs.

The Principles Behind Zero Trust and How to Implement It

According to John Kindervag, Zero Trust is based on three main ideas:

  1. All resources must be accessed in a secure manner regardless of location
  2. Access control is on a “need-to-know” basis and strictly enforced
  3. All traffic must be inspected and logged

Zero Trust can be linked to technologies such as multifactor authentication, encryption, and privileged access management (PAM).

PAM is founded on the principle of least privilege, the notion that you should give your users only the access they need, so that each of them is exposed to as little sensitive information as possible. For a complete overview of the term, check out our latest guide on the principle of least privilege. Also, feel free to check out our PAM solution, Thor AdminPrivilege™, which helps you stay on top of your user rights management.

Zero trust networks also employ micro-segmentation, which stands for the practice of dividing perimeters into small areas so that certain parts of your network have separate access. Consequently, if any data breaches occur, micro-segmentation will limit further exploitation of networks by malicious actors.

The UK National Cyber Security Centre (NCSC) has released an alpha version of its Zero Trust architecture design principles on GitHub. The following ten principles can be used as a starting point for building the foundation of a Zero Trust architecture:

#1. Know your architecture

The first and most important thing you should do is create an inventory of your assets and know everything about every single component of your architecture, including your users, their devices, and the data they are accessing.

Moreover, before transitioning to a Zero Trust architecture, you need to take into account all your existing services, since they may not have been designed for the Zero Trust scenario and may therefore be unsafe against potential attackers.

#2. Create a single strong user identity

Your organization should use a single user directory and know which accounts are connected to which individuals. For granular access control, you should be creating specific roles for each user.

This way, in case of an attack, you can understand exactly which user is responsible, what they are trying to access, and whether they actually have the necessary permissions to access certain data.

#3. Create a strong device identity

Besides users and accounts, every device owned by your organization should be uniquely identifiable in a single device directory.

Furthermore, zero trust systems have to monitor what devices are trying to access their network and make sure that every single one of them is authorized. This practice will further minimize the attack surface of your network.

#4. Authenticate everywhere

In your zero trust architecture, all connections should require authentication. At the same time, authentication should be stronger than just a username and password. Multi-factor (or two-factor) authentication is considered to be a core value of Zero Trust. So, besides entering a password, users should provide additional proof that they are who they claim to be, for instance by submitting a code received on their mobile device as evidence.

#5. Know the health of your devices and services

To be able to know the health of your devices and services in real-time is crucial. You should be asking yourself different questions, such as: Are the latest operating system updates installed? Are the latest software patches applied? Do I have a complete overview of my environment available at all times?

Your systems need to be kept up-to-date with the latest patches and you should be able to determine the version and patch level of the services you are using. For instance, a tool like X-Ploit Resilience can help you automate both Windows and 3rd party software updates.

#6. Focus your monitoring on devices and services

Given that devices and services are more exposed to network attacks than in traditional architectures, it’s important that comprehensive monitoring for attacks is carried out.

#7. Set policies according to the value of services or data

The access policies you set up define the power of your zero trust architecture. This means that your policies should be defined in accordance with the value of the data being accessed or the action being taken. For instance, as the NCSC puts it, actions such as creating new admin roles should require a stricter policy than low-impact operations, like checking out the lunch menu.

#8. Control access to your services and data

You should not be granting your users access to a service unless the request is authorized against a policy. What’s more, always make sure your transmitted data is protected with encryption.

#9. Don’t trust the network, including the local network

In order to remove trust from the network, you need to build trust in the devices and services.

Do not automatically trust any network between the device and the service it is trying to access, including your local network. Devices should be configured to prevent DNS spoofing, Man in the Middle attacks, unsolicited inbound connections, etc.

#10. Choose services designed for zero trust

Last but not least, always opt for services specifically designed to support Zero Trust. Keep in mind that legacy services may require additional components to enable Zero Trust, so always make sure you have the resources to handle this.
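The control-plane decision described above (authenticated user and device, device health, authentication strength scaled to resource value, role-based need-to-know, time-of-day conditions, no credit for the local network, and logging of every request) can be written as one policy evaluator. The following is an added example, not code from the article or from the NCSC; all users, devices, resources, sensitivity levels and thresholds are constructed for illustration.

```python
"""Toy Zero Trust control-plane policy evaluator (added example).

Every request is judged on user identity, device identity and health,
authentication strength, role and resource sensitivity. The source network
is recorded but deliberately never used as a trust signal (principle #9).
All directory entries and thresholds below are constructed sample data.
"""
from dataclasses import dataclass, field

# Principles #1-#3: single user and device directories (constructed).
USERS = {"alice": {"roles": {"finance"}}, "bob": {"roles": {"helpdesk"}}}
DEVICES = {
    "lt-0142": {"owner": "alice", "managed": True, "patched": True},
    "lt-0207": {"owner": "bob", "managed": True, "patched": False},
}

# Principle #7: resource sensitivity (1 low ... 3 high) drives policy strictness.
# An empty role set means any authenticated user may read the resource.
RESOURCES = {
    "lunch-menu": {"sensitivity": 1, "roles": set()},
    "payroll": {"sensitivity": 2, "roles": {"finance"}},
    "create-admin-role": {"sensitivity": 3, "roles": {"it-admin"}},
}


@dataclass
class Request:
    user: str
    device: str
    resource: str
    auth_factors: int     # 1 = password only, 2 = password + second factor
    source_network: str   # "corp-lan" or "internet"; logged, never trusted
    hour: int             # local hour of the request, 0-23


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Return the policy decision and the reason for it (deny by default)."""
    d = Decision(allowed=False)
    user = USERS.get(req.user)
    device = DEVICES.get(req.device)
    resource = RESOURCES.get(req.resource)
    if not user:
        d.reasons.append("unknown user")
        return d
    if not device:
        d.reasons.append("unknown device")
        return d
    if not resource:
        d.reasons.append("unknown resource")
        return d
    # Principle #3: the device must be managed and bound to the requesting user.
    if device["owner"] != req.user or not device["managed"]:
        d.reasons.append("device not bound to user")
        return d
    # Principle #4: authenticate everywhere, more strongly for higher value.
    required = 1 if resource["sensitivity"] == 1 else 2
    if req.auth_factors < required:
        d.reasons.append(f"needs {required} auth factors")
        return d
    # Principle #5: an unpatched device may only reach low-value resources.
    if not device["patched"] and resource["sensitivity"] > 1:
        d.reasons.append("device unpatched")
        return d
    # Need-to-know: the user must hold a role the resource permits.
    if resource["roles"] and not (user["roles"] & resource["roles"]):
        d.reasons.append("role not permitted")
        return d
    # Constructed time-of-day condition for the highest sensitivity actions.
    if resource["sensitivity"] == 3 and not (8 <= req.hour < 18):
        d.reasons.append("outside change window")
        return d
    d.allowed = True
    d.reasons.append("policy satisfied")
    return d


AUDIT_LOG: list = []


def authorize(req: Request) -> bool:
    """Principle 3 of Kindervag's list: every request is inspected and logged."""
    d = evaluate(req)
    AUDIT_LOG.append((req.user, req.device, req.resource, req.source_network,
                      d.allowed, d.reasons[-1]))
    return d.allowed
```

Note that a password-only request for payroll is denied even from the corporate LAN, while a request with a second factor from the internet on a healthy, bound device is allowed.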


Zero Trust is quite a new approach to network security and at the same time, it’s also part of a broader philosophy, which implies that you must not automatically trust your network. Instead, you should first think that any connection can potentially be malicious, and only after you’ve verified it, you can be confident that you can trust it. So, consider redesigning and rebuilding your security strategy based on the Zero Trust concept to reduce the chances of breaches and strengthen your defenses.

The post What is the Zero Trust Model? appeared first on Heimdal Security Blog.

Driving collaboration between security and IT ops teams is a major challenge

Strained relationships between security and IT ops teams leave businesses vulnerable to disruption, even with increased spending on IT security and management tools, a Tanium research reveals. According to the study of more than 400 IT leaders at large enterprises, 67% of businesses say that driving collaboration between security and IT ops teams is a major challenge, which not only hampers team relationships, but also leaves organisations open to vulnerabilities. Over 40% of businesses with … More

The post Driving collaboration between security and IT ops teams is a major challenge appeared first on Help Net Security.

Healthcare spikes data breach fever, endpoint threat detections grow 60%

The healthcare industry has been overwhelmingly targeted by Trojan malware during the last year, which increased by 82 percent in Q3 2019 over the previous quarter, according to Malwarebytes. The two most dangerous Trojans of 2018–2019 for all industries, Emotet and TrickBot, were the two primary culprits. Emotet detections surged at the beginning of 2019, followed by a wave of TrickBot detections in the second half of the year, becoming the number one threat to … More

The post Healthcare spikes data breach fever, endpoint threat detections grow 60% appeared first on Help Net Security.

What is the Principle of Least Privilege?

The principle of least privilege (POLP), also known as the “principle of least authority” is a security concept based upon limiting access to the minimum necessary for an action to be performed. Contrary to popular belief, the least privilege concept does not only apply to users. In fact, it covers multiple areas, such as hardware, systems, process, applications, and more. However, the focus of this article is going to be the concept of least privilege applied to your employees, or in other words, how limiting your users’ rights to the lowest level possible will close security holes in your organization.

Principle of Least Privilege Definition

So, what is the principle of least privilege?

In simple terms, the concept refers to users not being able to access information or perform actions unless they absolutely must in order to do their jobs. The same applies to every single area that I’ve mentioned above and it also extends to real-life scenarios.

Think about it: why would someone from the IT department need access to your payroll reports? Or why would your entire pool of employees be able to view, download, and edit your customers’ database? Actually, does every single user really need full admin rights at all times?

Not applying the principle of least privilege is a fundamental security mistake that threatens your organization, encourages the propagation of insider threat, and puts your business’ data at high risk.

One thing you should keep in mind is that the least privilege model isn’t all about taking away admin rights from your employees. It also involves monitoring the access for the ones who do have admin rights and temporarily escalating and de-escalating users’ rights.

The principle of least privilege must be part of your cybersecurity strategy since it will lower the risks of malware infections and data breaches.

Real-life examples of organizations that failed to adopt POLP

According to research, 74% of data breaches happen due to privileged credential abuse. Yes, that many breaches could have been prevented if only the wrong users did not have the “right” privileged accounts to be abused by malicious actors.

Here are some examples of companies involved in cyberattacks because they did not follow the principle of least privilege.

Marriott

After Marriott acquired the Starwood hotel chain, in 2018 it discovered that an unauthorized access incident had been occurring for four years (and had started two years prior to the acquisition). The data of 500 million customers was leaked. For around 327 million customers, “the information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” For some of these hotel guests, the data also featured encrypted payment card numbers and payment card expiration dates.

In this case, “unauthorized access” refers to the hotel chain failing to properly manage privileged access within the organization. And the worst part is that the incident occurred for four years due to poor admin rights management.

Sage

In 2016, an employee of the UK accounting and payroll software company Sage was arrested over an insider threat data breach. Allegedly, the employee used unauthorized access to steal confidential information on between 200 and 300 of the organization’s customers, including addresses, insurance numbers, and bank account details.

Desjardins Group

The financial services giant based in Quebec, Canada was affected by a massive data breach caused by insider threat. The incident took place in the summer of 2019 and the personal information of more than 2.9 million members was shared with people outside of the organization. The compromised data included names, dates of birth, social insurance numbers, addresses, phone numbers, email addresses, and banking details. According to the source, passwords, security questions, and PINs were not disclosed.

Vodafone

An attacker with insider knowledge had stolen the personal data of 2 million of Vodafone’s customers from a server located in Germany. The malicious actor worked for a company contractor and was not a direct Vodafone employee, which only emphasizes that vendor privileges should also be carefully monitored.

Korea Credit Bureau

An employee from the Korea Credit Bureau (KCB) was arrested and accused of stealing the data from customers of three credit card firms. The sources say that he was working for them as a temporary consultant. The number of affected users was at least 20 million, which makes up almost 40% of South Korea’s total population. The data included names, social security numbers, phone numbers, credit card numbers, and expiration dates. The data was sold to marketing companies, whose managers were also arrested.

This list could go on and on, but I believe you’ve learned the lesson and got an idea of what can happen if the wrong people have high levels of privileges inside your organization.

How can you apply the principle of least privilege?

First of all, let’s take a look at two important concepts related to POLP:

  • Privilege bracketing
  • Privilege creep

What is privilege bracketing?

Unlike standard user accounts, admin accounts have increased privileges and therefore pose higher risks. From a cybersecurity standpoint, it’s best to grant admin rights to your users only when they actually need them and for the shortest time possible that still enables them to complete their tasks.

This approach is called privilege bracketing. Basically, it refers to the practice of raising users’ permission levels only for the shortest timeframe they need to complete a task and de-escalating their rights afterward. Privilege bracketing can be automated and controlled by privileged access management software.

How about privilege creep?

Another important aspect related to POLP is privilege creep, also known as access creep. This concept applies to users who gradually gather unnecessary permissions. The behavior commonly occurs in companies where employees change job functions or departments and their user privileges are not modified to reflect their new roles. This way, the users end up holding the privileges of multiple positions.

POLP, a crucial layer of defense for your organization

You should keep in mind that POLP is just a single layer within your overall security strategy. The principle of least privilege itself or the privileged access management solutions will not be able to stop malicious code or prevent unwanted network connections.

This means that other tools and technologies should be deployed as well to cover all potential security gaps in your company. To accomplish this effectively, you should also be running a complete EDR solution that addresses common concerns like security issues related to unpatched software, advanced malware, network vulnerabilities, social engineering attacks, data breaches, email fraud, etc.

What are the benefits of least-privileged user accounts?

As you can probably already tell, the principle of least privilege is of utmost importance inside any organization. Its purpose is to protect a company’s assets from both potential insider and outsider threats. Every business that includes the principle of least privilege in its IT security strategy makes sure that employees are denied access to the information, data, and systems they do not need in order to be successful in their role.

Here are some major benefits of applying the principle of least privilege for your organization:

#1. Avoiding malware propagation

For instance, let’s suppose a system has been infected by malware. If this system is part of an organization that follows the principle of least privilege, the malware will not be able to spread to other computers. This means that you will reduce the chances of viruses, worms or rootkits being installed, since most of your employees will not have the admin rights that enable their installation. Furthermore, since a potentially affected user has limited rights, the malware will not be able to produce any catastrophic damage, such as permanently deleting or downloading proprietary data.

#2. Limiting entrances for malicious actors

Assigning the proper privileges to each user’s job function will prevent malicious employees from stealing data and getting access to confidential information, using it for their own gain, and selling it on the dark web.

Shockingly, according to a study conducted among UK employees, 25% of respondents suggested that they would be open to selling data for the right price (£1,000 or $1,280, that is). Moreover, 1 in 10 respondents admitted that for £250 or less, they would also sell intellectual property, such as product specifications and product code and patents. However, if a user’s credentials get compromised, the cyber attacker will only have limited access to your organization’s resources.

A least privilege policy creates fewer targets for malicious actors while promoting a healthy IT environment.

What’s more, the danger of unintentional insider threats can always exist inside your organization. This means that some employees may unknowingly do harm by clicking on phishing links or following instructions received from imposters.

#3. Improving data classification

The principle of least privilege can also help your company better classify its data. This way, you will always know who has access to what data and where exactly it’s stored in case someone gains unauthorized access.

#4. Complying with regulatory requirements

By applying POLP in your organization, you can improve audit readiness and at the same time achieve regulatory compliance. Currently, many standards require companies to grant employees only the rights they need to complete their daily operations. However, even if it’s not mandatory for your business to comply with these regulations, keep in mind that as a best practice, the principle of least privilege should always be implemented.

How to implement the principle of least privilege

Now that you know how applying the principle of least privilege will benefit your organization, here are some best practices on how you should implement it.

  • Set up a privilege audit

This is the first step that will allow you to verify all your accounts and see exactly what permissions have been granted to your users.

  • Define what level of privilege each account needs

By default, all accounts should have the lowest level of privileges possible. You should only increase privilege rights as required for certain people to be able to perform their jobs.

  • Apply the concept of privilege bracketing

This means that privileges should be raised for users that absolutely require them to perform their jobs for a limited time only. It’s advisable to use a tool that enables you to escalate and de-escalate your users’ rights and set up expiry times for their privileges.

  • Use automatic auditing

The privileged access management tool of your choice should also allow you to see full audit trails so you are always aware of what has been run by your users during the time their rights were elevated.

  • Prevent privilege creep

Make sure you audit privileges regularly to avoid situations where older users accumulated privileges over time and see if they still need them. Also, monitor when and how your developers use their accounts so you immediately identify any unusual activity.

  • Bear in mind the danger of physical devices

In some cases, implementing POLP might be as easy as simply disabling USB ports from your devices so your employees are not able to insert USB drives to download your confidential information or infect your systems with malware.

  • Choose a privileged access management solution

For instance, Thor AdminPrivilege™ offers you endpoint protection through admin rights management and a complete overview of your users’ activity. At the same time, it provides an automatic de-escalation of privileges if an endpoint has been flagged for suspicious behavior.
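The mechanics behind privilege bracketing, the audit trail and the privilege-creep audit described in the sections above can be shown in one small privileged-access model. This is an added example, not code from the article or from any PAM product; the role baselines, account names, permissions and timestamps are constructed.

```python
"""Toy privileged-access manager (added example): privilege bracketing with
automatic de-escalation, a full audit trail, and a privilege-creep audit.
Role baselines and accounts are constructed sample data; times are plain
integer seconds so the example runs without a clock."""
from dataclasses import dataclass, field

# Constructed role baselines: the standing permissions each job function needs.
ROLE_BASELINE = {
    "helpdesk": {"reset-password", "read-tickets"},
    "finance": {"read-payroll", "edit-payroll"},
    "developer": {"deploy-staging", "read-logs"},
}


@dataclass
class Account:
    name: str
    role: str
    standing: set = field(default_factory=set)    # permanent permissions
    elevated: dict = field(default_factory=dict)  # permission -> expiry time


class PrivilegeManager:
    def __init__(self):
        self.accounts = {}
        self.audit = []   # (time, account, event, detail), never pruned

    def add(self, name, role):
        """Default to the lowest privilege: only the role baseline."""
        self.accounts[name] = Account(name, role, set(ROLE_BASELINE[role]))

    def elevate(self, name, permission, now, ttl, reason):
        """Privilege bracketing: grant an extra right for a bounded window."""
        acct = self.accounts[name]
        acct.elevated[permission] = now + ttl
        self.audit.append((now, name, "elevate", f"{permission} for {ttl}s: {reason}"))

    def expire(self, now):
        """Automatic de-escalation of every elevation past its expiry."""
        for acct in self.accounts.values():
            for perm, until in list(acct.elevated.items()):
                if now >= until:
                    del acct.elevated[perm]
                    self.audit.append((now, acct.name, "de-escalate", perm))

    def check(self, name, permission, now):
        """Every privileged action is checked and logged, allowed or denied."""
        self.expire(now)
        acct = self.accounts[name]
        ok = permission in acct.standing or permission in acct.elevated
        self.audit.append((now, name, "use" if ok else "deny", permission))
        return ok

    def change_role(self, name, new_role, now):
        """Mimics the usual mistake behind privilege creep: the new role's
        rights are added, but the old role's rights are never removed."""
        acct = self.accounts[name]
        acct.role = new_role
        acct.standing |= ROLE_BASELINE[new_role]
        self.audit.append((now, name, "role-change", new_role))

    def find_creep(self):
        """Privilege audit: standing rights that exceed each account's current
        role baseline. Returns {account: set of excess permissions}."""
        creep = {}
        for acct in self.accounts.values():
            excess = acct.standing - ROLE_BASELINE[acct.role]
            if excess:
                creep[acct.name] = excess
        return creep

    def revoke(self, name, permission, now):
        """Remediate a creep finding and record it."""
        self.accounts[name].standing.discard(permission)
        self.audit.append((now, name, "revoke", permission))
```

Running a developer through a 600-second production elevation, a later use after expiry, and a move to the helpdesk role shows the denied use, the automatic de-escalation and the two leftover developer rights flagged by the creep audit, all visible in the audit trail.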


In short, the principle of least privilege is a basic cybersecurity concept that bolsters your defenses and enables you to give your users only the permissions they really need to perform their tasks. No matter how much you trust your employees and how skilled they are, they should have limited access to your company’s resources for the aforementioned reasons.


The post What is the Principle of Least Privilege? appeared first on Heimdal Security Blog.

Threat Hunting or Efficiency: Pick Your EDR Path?

“Do You Want It Done Fast, Or Do You Want It Done Right?” “Yes.”

“Help out more with our business objectives.” “Cover an increasing number of endpoints.” “Cut budgets.” “Make it all work without adding staff.”

Cybersecurity teams face a lot of conflicting objectives—both within their teams and from upper management. But a May 2019 commissioned study conducted by Forrester Consulting on behalf of McAfee really puts a fine point on it: When decision makers were asked which endpoint security goals and initiatives they’re prioritizing for the coming year, the top two responses were “improve security detection capabilities” (87%) and “increase efficiency in the SOC” (76%).

Unfortunately, traditional EDR solutions have made accomplishing both of these goals (and in some cases, even one or the other!) difficult, if not impossible. According to the study, gaps in EDR capabilities have created pain points for 83% of enterprises. For instance, while 40% of enterprises consider threat hunting a critical requirement, only 29% feel their current EDR solutions fully meet that need. On an even more basic level, 36% worry their EDR solution doesn’t surface every threat that breaks through—while an equal number of respondents say the alerts that are surfaced by their EDR are frequently not relevant or worth investigating.

These numbers clearly show there’s a lot of room for improvement, but at the same time, these two goals seem to be less than complementary. How would you choose to try and meet them?

Scenario 1: The Status Quo

Your team continues utilizing their traditional EDR solution on its own.

You lose points in efficiency out of the gate—according to Forrester, 31% of companies say that the systems are so complex, their junior staff lack the skillset to triage and investigate alerts without senior staff.

The number of alerts output by traditional EDR solutions will cost you efficiency in another way: another 31% of respondents say their teams struggle to keep up with the volume of alerts generated by their EDRs.

On the threat detection side, you’re not starting out with a perfect score, either: Again, keep in mind that more than a third of respondents believe that, even with this large volume of alerts, not everything is being caught.

As a baseline, let’s assume you’re starting out with a 7 in Threat Detection, and a 3.5 in Efficiency. You’re still a long way from meeting your goals. Let’s look at our options.

Do you want to:

  • Add more staff members
  • Bolt on more software
  • Hire an MDR

Scenario 2: Add more staff members

With efficiency seeming such a far-off goal, your team decides to focus its efforts on threat detection. To help manage the number of alerts, you hire two new employees. You still have every bit as much noise coming from your EDR, and it still isn’t catching everything, but your team has marginally more ability to triage and respond to threats. You gain a point for threat detection, but a look at your department budget sheet shows your efficiency score is basically shot.

Final Score: 8 in Threat Detection, and a 2 in Efficiency.

Scenario 3: Bolting On More Software

Other businesses are taking a different tack. They’re keeping their traditional EDR solution, but they’re also bolting on more point solutions to help catch things that fall through the cracks. If you choose to go this route, your threat detection capabilities go up… but between all the duplicate alerts, separate interfaces, and near complete lack of integration, your team is critically bogged down. With junior staff able to triage just 31 percent of alerts on traditional EDR systems, senior analysts are having to manage all the alerts on all the interfaces on their own.

All this software isn’t cheap, and you’re losing time both in training on all of it and in switching back and forth. Meanwhile, the solutions that were supposed to improve your threat detection capabilities are doing so… somewhat… but with things falling through the cracks amidst the chaos and analyst fatigue setting in, you wouldn’t know it.

Final Score: 7.5 in Threat Detection, 1.5 in Efficiency.

Scenario 4: Partnering with an MDR

You don’t want to hire any more staff—and even if you did, there aren’t many to hire. So instead you hire a Managed Detection and Response (MDR) provider to do what your EDR should be doing, but isn’t. You partner with the most reputable MDR you can find, and you’re confident that between what you’re doing and what they’re doing, there isn’t much getting past you. But you’re also paying twice to get a single set of capabilities.

Final Score: 9 in Threat Detection, 1 in Efficiency

Clearly, it’s time to try something new

  • I want to improve my efficiency with my current EDR!
  • I want to try something better.

Scenario 5: Improving efficiency with current EDR

How do you make a first-gen EDR more efficient? You don’t. In other words, if you want to get more out of an EDR that doesn’t utilize the latest technologies, the only adjustments you can make here have to come from your team. If you could get more threat detection mileage out of the same number of team members, your efficiency level would naturally rise.

Initial Score: 8 in Threat Detection, 4 in Efficiency

But as you soon find out, the mandatory late nights and your “you’d better step it up or else!” attitude aren’t exactly doing wonders for morale. With cybersecurity professionals in high demand everywhere, it isn’t long before you’re down at least one team member. Now you have 4 team members doing the work of 5. Which sounds decent…

Intermediate Score: 6 in Threat Detection, 6 in Efficiency

… until an enterprising hacker takes note of your shorthandedness and targets you, hoping to use your situation to their advantage. Unfortunately, not only do you have a highly imperfect traditional EDR system and four employees trying to do the work of five … you have four disgruntled employees trying to do the work of five. According to IDC, in organizations that have experienced a breach in the last 12 months, those staff who are extremely satisfied are, on average, more likely to report fewer hours to identify the breach (11 hours) than those who are dissatisfied (23 hours). Guess which camp your team falls into?

Before long, your company is brought to its knees by a major attack. The press is all over it, and confidence in your company plummets. Your company’s reputation might recover … eventually … but things aren’t looking so good for you.

Final Score: Game Over.

Scenario 6: I want to try something better.

You’ve heard from your friends and colleagues about what doesn’t work. And, of course, you’ve read the horror stories. But you’re still left with two disparate goals. What if there was a way to increase threat detection capabilities without hiring more personnel, outsourcing what your EDR should be able to handle but isn’t, or creating a system with more bolts than Frankenstein’s monster?

According to Forrester, there is a way to bridge the goals of greater efficiency and better threat detection. With AI-guided investigation, your junior analysts will be able to triage threats like your more seasoned analysts, freeing your senior analysts to focus on mission-critical tasks. And with less noise, your team will be free to focus on more of the right alerts.

Survey respondents backed this up: 35 percent believe AI-guided investigations will lead to fewer breaches, and 52 percent think they’ll lead to improved efficiency. Mission accomplished.

Final Score: You=1, Hackers=0.

To read more about how AI-guided investigation can help revolutionize your SOC, click here.

The post Threat Hunting or Efficiency: Pick Your EDR Path? appeared first on McAfee Blogs.

Finding the malicious needles in your endpoint haystacks

Accelerate Threat Hunts and Investigations with Pre-Curated Complex Queries

Security teams often lack the ability to gain deep visibility into the state of all their endpoints in real time. Even with a bevy of tools at their fingertips, once an incident occurs, conducting investigations can be likened to searching for a needle in a haystack. Teams struggle to make well-informed remediation decisions fast enough, finding themselves asking questions like: what should I be searching for? Where specifically in my environment should I zero in? Which datasets matter? Which are irrelevant? The struggle is real. As we all know, the longer a threat runs wild, the more havoc it stands to wreak on your environment. Between the intense time pressure, endless datasets to sift through, and ambiguity associated with not knowing where or how to start, incident investigations can feel like frenzied wild goose chases.

Many teams have adopted threat hunting to take a more proactive and preventative (rather than purely reactive) approach to managing their security hygiene. With 43% of organizations performing continuous threat hunting operations in 2018, versus just 35% in 2017, the practice is undoubtedly growing in scope and popularity. However, this begs the question: what’s holding back the remaining majority – the other 57% – of organizations? The reality is that although many teams want to threat hunt, they simply don’t know how to get started, or erroneously believe that they don’t have the personnel, time, and resources to dedicate to the endeavor. But fortunately, that’s no longer the case…

Know everything. About every endpoint. Right now.

Cisco recently rolled out a powerful new advanced threat hunting and investigation capability in Cisco® Advanced Malware Protection (AMP) for Endpoints called Orbital Advanced Search that gives users the ability to search across all endpoints for forensic information and malware artifacts. Think of this as the ultimate search engine for all your endpoints – with over a hundred pre-canned queries provided, Orbital makes security investigations and threat hunting simple by allowing you to quickly run complex queries on hundreds of attributes in near real-time on any or all endpoints. For example, it allows you to type in queries like:

  • Show me all computers that are listening on certain ports – something that certain variants of malware will do when they are waiting on instructions from a C&C on what to do.
  • Show me all processes that are running in memory but do not have a file on disk – something that is rarely seen with innocuous processes, and thus strongly indicates the possible presence of fileless malware hiding out in your environment to escape scanning and analysis.
  • Show me all the users logged in – if a user is logged into systems in a department that the user doesn’t belong in, or if the user is logged into multiple machines at one time, this could indicate a breach.
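
Orbital is built on osquery, so the three questions above can be written as osquery SQL over its `listening_ports`, `processes` and `logged_in_users` tables. The queries below are an added example written for this page, not Orbital’s own pre-canned queries; the port watch-list is a constructed assumption and must be tuned to your environment.

```sql
-- 1. Endpoints listening on ports of interest. Joining to processes names the
--    owning binary, so an unexpected listener (a process waiting for C&C
--    instructions) stands out immediately.
SELECT p.pid, p.name, p.path, lp.port, lp.protocol, lp.address
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
WHERE lp.port IN (4444, 8443, 31337)          -- constructed watch-list, not from the post
  AND lp.address NOT IN ('127.0.0.1', '::1')  -- ignore loopback-only listeners
ORDER BY lp.port;

-- 2. Running processes whose backing executable is no longer on disk.
--    on_disk = 0 means the recorded path does not exist; legitimate software
--    rarely runs this way, so every hit deserves a look (possible fileless malware).
SELECT p.pid, p.name, p.path, p.cmdline, p.parent, pp.name AS parent_name
FROM processes AS p
LEFT JOIN processes AS pp ON pp.pid = p.parent
WHERE p.on_disk = 0;

-- 3. Who is logged in right now. The query runs per endpoint; the same user
--    appearing in the results of several hosts at once, or on hosts outside
--    their department, is the signal to chase when the results are combined.
SELECT user, type, host, tty, datetime(time, 'unixepoch') AS logged_in_since
FROM logged_in_users
ORDER BY time DESC;
```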

Orbital gives you deep visibility into what’s happening on any endpoint at any time by taking a snapshot of its current state, and the search options are limitless; users can immediately perform advanced searches via the 100+ curated queries that come with the tool or create their own custom queries. Whether you’re threat hunting, conducting an incident investigation, IT operations, or vulnerability and compliance assessments, Orbital gets you the answers you need about your endpoints fast.

How does it work?

Whether you are investigating an incident or proactively hunting for threats, Orbital can help you simplify and accelerate these tedious processes in the following ways:

  1. Forensics snapshots. We can capture snapshots of data from endpoints such as running processes, open network ports and a lot more at the time of detection or on demand. It’s like “freeze framing” activity on an endpoint right to the moment. This allows you to know exactly what was happening on your endpoint at that point in time.
  2. Live search. Run complex queries on your endpoints for threat indicators on demand or on a schedule, capturing the information you need about your endpoints in near real time.
  3. Predefined and customizable queries. We provide over a hundred predefined queries that you can quickly run as they are or customize them as needed. These queries are simply organized in a catalog of common use cases and mapped to the MITRE ATT&CK.
  4. Storage options. The results of your queries can be stored in the cloud or sent to other applications such as Cisco Threat Response for further or future investigations.


Common use cases

Orbital Advanced Search can help you do the following important tasks better, faster:

  1. Advanced Threat Hunting: Search for malicious artifacts across any or all your endpoints in near real-time to accelerate threat hunts.
    1. Mature organizations – Streamline workflows for seasoned teams that already perform continuous threat hunting operations and get beyond atomic and computed IOCs and into the really interesting stuff, like registry keys, process PID exploits, and all kinds of attacker TTPs cataloged with Threat Grid and the MITRE ATT&CK.
    2. Novice Threat Hunters – Empowers teams that don’t have threat hunting programs in place to begin to threat hunt without requiring them to hire additional staff or rip and replace their security stack.
  2. Incident Investigation: Get to the root cause of incidents faster to accelerate incident investigation and remediation efforts.
  3. IT Operations: Track software inventory, disk space, memory, computer utilization, and other IT operations artifacts quickly and expediently – good threat hunting tools can also be used to enhance IT operations.
  4. Vulnerability and Compliance: Easily check the status of Operating Systems for things like software version levels to validate patch management to ensure that your endpoints are in compliance with current policies.

Threat Hunting Versus Incident Response

An additional bonus to threat hunting is that it breeds familiarity with tools and techniques that come into play when an incident or breach does occur, effectively training teams to be better incident responders. Since both disciplines deal directly with threats in your environment, the skills exercised when threat hunting are arguably one and the same as those associated with incident response. The only difference is that whereas incident response is reactive and involves known evidence of a threat in your environment, threat hunting is a proactive practice that is carried out without evidence. Since practicing threat hunting sharpens investigative skills and response times, teams that threat hunt are naturally better equipped to react like pros when faced with real incidents. The ‘Hunting for hidden threats’ whitepaper in Cisco’s Cybersecurity Report Series covers this topic in more detail and is a great place to learn even more.

Whether you’re new to threat hunting, are a seasoned veteran who wants to streamline operations and take your threat hunting program to the next level, or merely want to accelerate incident remediation, the solution to your woes has arrived. Test drive Orbital Advanced Search today with a free trial of Cisco AMP for Endpoints, or register for one of our Threat Hunting Workshops to get hands-on experience threat hunting, investigating, and responding to threats so that you can become a pro at finding the malicious needles in your digital haystacks.

The post Finding the malicious needles in your endpoint haystacks appeared first on Cisco Blogs.

SECURITY ALERT: Remain Vigilant for More BlueKeep Attacks That Can Impact Vulnerable Windows Machines

Almost six months ago, we were urging users to patch their systems due to a remote code execution vulnerability present in Remote Desktop Services, where attackers could connect to a target’s system using RDP. At that time (May 2019), Microsoft released a patch for CVE-2019-0708, the Remote Desktop vulnerability dubbed BlueKeep. The exploitation could cause the “blue screen of death”, potentially leading to a Game of Thrones ‘Red Keep’ moment. This vulnerability was thought to be ‘wormable’, meaning that any malware that exploited it could propagate from computer to computer.

We predicted that it could potentially produce the same amount of damage as we witnessed in the case of the WannaCry ransomware and the older Conficker worm. A few days back, security researcher Kevin Beaumont reported that his BlueKeep honeypot was being exploited in the wild. His discovery was also confirmed by Marcus Hutchins, the security researcher who stopped the WannaCry outbreak and who is a specialist in the BlueKeep exploit.

How was the BlueKeep exploit used?

Recently, a malicious hacker group was spotted using a demo BlueKeep exploit released by the Metasploit team back in September, which was meant to help system administrators test vulnerable systems. Attackers have now been using it to break into unpatched Windows systems and install cryptocurrency miners.

But even though these attacks may seem insignificant compared to what had been foreseen, right now, the Microsoft security team is warning its customers that “the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners”.

“Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.” - Microsoft’s Security Blog

In other words, although many security researchers thought that the attacks were not as bad as everyone believed they would be, Microsoft supports the idea that this is merely the beginning and that danger most likely is still around the corner.

“Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.”, said Microsoft.

Consequently, for the third time this year, Microsoft is once again urging its users to apply their patches. The second warning came as a reminder at the end of May 2019, when almost 1 million connected computers were still vulnerable to CVE-2019-0708. As of now, around 750,000 endpoints are thought to still be affected by the BlueKeep vulnerability. Many other organizations have issued warnings in the past few months, including the NSA, the US Department of Homeland Security, and the UK’s National Cyber Security Centre, advising companies to patch their outdated systems.

A BlueKeep vulnerability summary

In case you missed it entirely or are only familiar with some parts of the story, in short, here is what you need to know about the BlueKeep vulnerability:

  • BlueKeep (or CVE-2019-0708) is a vulnerability in the Microsoft RDP (Remote Desktop Protocol) service.
  • It only impacts Windows 7, Windows Server 2008 R2, and Windows Server 2008. Windows 8 and Windows 10 systems are not affected by this vulnerability.
  • Microsoft released the patches for the vulnerability in May 2019.
  • Although many researchers developed full-fledged BlueKeep exploits over the summer, no one made the code publicly available because it was considered to be too dangerous and could possibly be exploited by malicious actors, according to ZDNet.
  • In July 2019, a US company began selling a BlueKeep exploit to its customers only for penetration testing purposes.
  • In September, Metasploit published the first BlueKeep proof-of-concept exploit available for anyone.
  • Now, in October, malware creators have started using this BlueKeep Metasploit module in actual malicious campaigns.

Patch your vulnerable systems immediately!

The BlueKeep vulnerability only emphasizes the importance of updating and patching in a timely manner, just like our customers who apply Windows updates through our X-Ploit Resilience module do. Our technology has helped 99.5% of our users successfully deploy their patches in time and we are actively pushing the last 0.5% of them to update as soon as possible.

The post SECURITY ALERT: Remain Vigilant for More BlueKeep Attacks That Can Impact Vulnerable Windows Machines appeared first on Heimdal Security Blog.

Microsoft works with researchers to detect and protect against new RDP exploits

On November 2, 2019, security researcher Kevin Beaumont reported that his BlueKeep honeypot experienced crashes and was likely being exploited. Microsoft security researchers collaborated with Beaumont as well as another researcher, Marcus Hutchins, to investigate and analyze the crashes and confirm that they were caused by a BlueKeep exploit module for the Metasploit penetration testing framework.

BlueKeep is what researchers and the media call CVE-2019-0708, an unauthenticated remote code execution vulnerability in Remote Desktop Services on Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft released a security fix for the vulnerability on May 14, 2019.

While similar vulnerabilities have been abused by worm malware in the past, initial attempts at exploiting this vulnerability involved human operators aiming to penetrate networks via exposed RDP services.

Microsoft had already deployed a behavioral detection for the BlueKeep Metasploit module in early September, so Microsoft Defender ATP customers had protection from this Metasploit module by the time it was used against Beaumont’s honeypot. The module, which appears to be unstable as evidenced by numerous RDP-related crashes observed on the honeypot, triggered the behavioral detection in Microsoft Defender ATP, resulting in the collection of critical signals used during the investigation.

Microsoft security signals showed an increase in RDP-related crashes that are likely associated with the use of the unstable BlueKeep Metasploit module on certain sets of vulnerable machines. We saw:

  • An increase in RDP service crashes from 10 to 100 daily starting on September 6, 2019, when the Metasploit module was released
  • A similar increase in memory corruption crashes starting on October 9, 2019
  • Crashes on external researcher honeypots starting on October 23, 2019

Figure 1. Increase in RDP-related service crashes when the Metasploit module was released

Coin miner campaign using BlueKeep exploit

After extracting indicators of compromise and pivoting to various related signal intelligence, Microsoft security researchers found that an earlier coin mining campaign in September used a main implant that contacted the same command-and-control infrastructure used during the October BlueKeep Metasploit campaign, which, in cases where the exploit did not cause the system to crash, was also observed installing a coin miner. This indicated that the same attackers were likely responsible for both coin mining campaigns—they have been actively staging coin miner attacks and eventually incorporated the BlueKeep exploit into their arsenal.

Our machine learning models flagged the presence of the coin miner payload used in these attacks on machines in France, Russia, Italy, Spain, Ukraine, Germany, the United Kingdom, and many other countries.

Figure 2. Geographic distribution of coin miner encounters

These attacks were likely initiated as port scans for machines with vulnerable internet-facing RDP services. Once attackers found such machines, they used the BlueKeep Metasploit module to run a PowerShell script that eventually downloaded and launched several other encoded PowerShell scripts.

Figure 3. Techniques and components used in initial attempts to exploit BlueKeep

We pieced together the behaviors of the PowerShell scripts using mostly memory dumps. The following script activities have also been discussed in external researcher blogs:

  1. Initial script downloaded another encoded PowerShell script from an attacker-controlled remote server ( hosted somewhere in France via port 443.
  2. The succeeding script downloaded and launched a series of three to four other encoded PowerShell scripts.
  3. The final script eventually downloaded the coin miner payload from another attacker-controlled server ( hosted in Great Britain.
  4. Apart from downloading the payload, the final script also created a scheduled task to ensure the coin miner stayed persistent.
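
Defender-side hunting for the behaviours in steps 1 to 4 (encoded PowerShell stages fetching the next stage over the network, a scheduled task keeping the miner running, and the exposed RDP service the campaign scanned for), written here as an added example in osquery SQL. These are not Microsoft’s advanced hunting queries; the keyword filters, and the mapping of the affected Windows versions to NT 6.0/6.1 on the default RDP port 3389, are the editor’s assumptions.

```sql
-- A. Scheduled tasks whose action launches PowerShell with an encoded or
--    download-style command line: the persistence mechanism step 4 describes.
--    (scheduled_tasks is a Windows-only osquery table.)
SELECT name, path, action, enabled, hidden, state,
       datetime(last_run_time, 'unixepoch') AS last_run,
       datetime(next_run_time, 'unixepoch') AS next_run
FROM scheduled_tasks
WHERE LOWER(action) LIKE '%powershell%'
  AND (LOWER(action) LIKE '%-enc%'             -- -enc / -EncodedCommand
       OR LOWER(action) LIKE '%-e %'           -- short alias for -EncodedCommand
       OR LOWER(action) LIKE '%downloadstring%'
       OR LOWER(action) LIKE '%frombase64string%'
       OR LOWER(action) LIKE '%-w hidden%');

-- B. PowerShell processes running right now from an encoded command line,
--    with their parent and any remote TCP peer they hold open (steps 1 to 3:
--    each stage downloads the next from an attacker-controlled server).
SELECT p.pid, pp.name AS parent_name, p.cmdline,
       s.remote_address, s.remote_port
FROM processes AS p
LEFT JOIN processes AS pp ON pp.pid = p.parent
LEFT JOIN process_open_sockets AS s
       ON s.pid = p.pid AND s.remote_port != 0
WHERE LOWER(p.name) IN ('powershell.exe', 'pwsh.exe')
  AND (LOWER(p.cmdline) LIKE '%-enc%'
       OR LOWER(p.cmdline) LIKE '%-e %'
       OR LOWER(p.cmdline) LIKE '%frombase64string%');

-- C. Triage: is this endpoint in the affected population (Windows 7 /
--    Server 2008 / 2008 R2, i.e. NT 6.0 and 6.1) and exposing RDP? Hits here
--    go to the top of the patch and inspection list.
SELECT o.name, o.version, o.build, lp.port, lp.address
FROM os_version AS o, listening_ports AS lp
WHERE lp.port = 3389
  AND o.major = 6 AND o.minor IN (0, 1);
```

Query C only prioritises; confirm the patch itself against the vendor advisory for each host it returns.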

Figure 4. Memory dump of a PowerShell script used in the attacks

The final script saved the coin miner as the following file:


The coin miner connected to command-and-control infrastructure at hosted in Israel. Other coin miners deployed in earlier campaigns that did not exploit BlueKeep also connected to this same IP address.

Defending enterprises against BlueKeep

Security signals and forensic analysis show that the BlueKeep Metasploit module caused crashes in some cases, but we cannot discount enhancements that will likely result in more effective attacks. In addition, while there have been no other verified attacks involving ransomware or other types of malware as of this writing, the BlueKeep exploit will likely be used to deliver payloads more impactful and damaging than coin miners.

The new exploit attacks show that BlueKeep will be a threat as long as systems remain unpatched, credential hygiene is not achieved, and overall security posture is not kept in check. Customers are encouraged to identify and update vulnerable systems immediately. Many of these unpatched devices could be unmonitored RDP appliances placed by suppliers and other third-parties to occasionally manage customer systems. Because BlueKeep can be exploited without leaving obvious traces, customers should also thoroughly inspect systems that might already be infected or compromised.

To this end, Microsoft customers can use the rich capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to gain visibility on exploit activities and defend networks against attacks. On top of the behavior-based antivirus and endpoint detection and response (EDR) detections, we released a threat analytics report to help security operations teams conduct investigations specific to this threat. We also wrote advanced hunting queries that customers can use to look for multiple components of the attack.





Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.


The post Microsoft works with researchers to detect and protect against new RDP exploits appeared first on Microsoft Security.

Relentless Breach Defense Endpoint Protection Platform + Endpoint Detection and Response

As evasive and complex as today’s threats have become, it’s no wonder security professionals in organizations of all sizes are ripping out their legacy antivirus completely in favor of Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR) technologies. Endpoint Protection Platform (EPP) delivers next generation antivirus that stops today’s complex attacks. Endpoint Detection and Response (EDR) offers more advanced capabilities like detecting and investigating security incidents, and the ability to remediate endpoints quickly. The question then becomes, which should you choose? And why can’t you have both?

We believe you can AND we believe it should simplify your security operations. That’s why we’ve brought EPP and EDR capabilities together in a single cloud-delivered solution called Cisco® Advanced Malware Protection (AMP) for Endpoints. It is relentless at stopping breaches and blocking malware, then rapidly detects, contains, and remediates advanced threats that evade front-line defenses. Moreover, it’s easy to deploy, easy to use and leverages your existing security investments to help you address threats beyond the endpoint. That’s what we call relentless breach defense, and here are three ways Cisco AMP for Endpoints does this.

#1. Block threats. Before they target you.

How effective you are at protecting your endpoints really depends on how good the threat intelligence you’re acting on is. That’s why at Cisco, we employ machine learning and automation to spot malware activity fast, malware attack prevention to block ransomware, exploit prevention to stop fileless malware and a variety of other protection engines fueled by Cisco Talos, the largest non-governmental threat intelligence group on the planet. We find more vulnerabilities than other vendors and push out protection before the bad guys can exploit them, giving you an advantage. And because we’re Cisco, Talos sees more network traffic than anyone else. Whether a threat begins on the Internet, in an email, or on someone else’s network, our cloud-based global telemetry sees it once, anywhere in the world, and blocks it everywhere, across our endpoint ecosystem and our entire security platform.

#2. Know everything. About every endpoint.

We simplify threat hunting and investigation with our newly announced endpoint detection and response (EDR) capabilities that automate advanced investigative queries across any or all of your endpoints. Whether you are doing an investigation as part of incident response, threat hunting, IT operations, or vulnerability and compliance, we get you the answers you need. We have preloaded scripts so you can leverage the expertise of our Talos threat hunters or even customize your own. These queries are organized in a catalog of common use cases, even aligning with the MITRE ATT&CK. We provide deeper visibility on what happened to any endpoint at any given time by taking a snapshot of its current state – you can think about this as “freeze-framing” activity on a device right to the moment when something malicious was seen. And we continuously monitor and analyze the behavior of your endpoints, giving you the information you need to investigate and respond to the riskiest threats quickly and confidently. If a file that appeared clean upon initial inspection ever becomes a problem, we can provide a full history of the threat’s activity to catch, isolate, contain, and remediate at the first sign of malicious behavior.

#3. Respond completely. With security that works together.

Threats are not one dimensional and neither should your defenses be. That’s why we built our endpoint security with out-of-the-box integrations with the rest of the Cisco security platform to block, detect, investigate and respond to threats across your entire environment – not just your endpoints. With security that works together, we help you streamline your security operations, making security investigations faster and easier. You will get to the root cause fast, and automate actions to stop a threat in its tracks. We empower you to respond to attacks at the first sign of malicious behavior using one-click isolation of any endpoint, everywhere. Importantly, we have broader control beyond just the endpoint. We instrument our endpoint security to leverage threat intelligence from web, email, cloud and network security solutions; and multi-factor authentication integration for Zero-Trust, creating security defenses that work together for more effective protection and response against the most challenging threats with less time, effort, and cost to do so.

Channel your inner threat hunter: register for one of our Threat Hunting Workshops. You’ll get hands-on experience threat hunting, investigating and responding to threats so you can be relentless at breach defense too.


The post Relentless Breach Defense Endpoint Protection Platform + Endpoint Detection and Response appeared first on Cisco Blogs.

Further enhancing security from Microsoft, not just for Microsoft

Legacy infrastructure. Bolted-on security solutions. Application sprawl. Multi-cloud environments. Company data stored across devices and apps. IT and security resource constraints. Uncertainty of where and when the next attack or leak will come, including from the inside. These are just a few of the things that keep our customers up at night.

When security is only as strong as your weakest link and your environments continue to expand, there’s little room for error. The challenge is real: in this incredibly complex world, you must prevent every attack, every time. Attackers must only land their exploit once. They have the upper hand. To get that control back, we must pair the power of your defenders and human intuition with artificial intelligence (AI) and machine learning that help cut through the noise, prioritize the work, and help you protect, detect, and respond smarter and faster.

Microsoft Threat Protection brings this level of control and security to the modern workplace by analyzing signal intelligence across identities, endpoints, data, cloud applications, and infrastructure.

Today, at the Microsoft Ignite Conference in Orlando, Florida, I’m thrilled to share the significant progress we’re making on delivering endpoint security from Microsoft, not just for Microsoft. The Microsoft Intelligent Security Association (MISA), formed just last year, has already grown to more than 80 members and climbing! These partnerships along with the invaluable feedback we get from our customers have positioned us as leaders in recent analyst reports, including Gartner’s Endpoint Protection Platform Magic Quadrant, Gartner’s Cloud Access Security Broker (CASB) Magic Quadrant and Forrester’s Endpoint Security Suites Wave and more.

As we continue to focus on delivering security innovation for our customers, we are:

  • Reducing the noise with Azure Sentinel—Generally available now, our cloud-native SIEM, Azure Sentinel, enables customers to proactively hunt for threats using the latest queries, see connections between threats with the investigation graph, and automate incident remediation with playbooks.
  • Discovering and controlling Shadow IT with Microsoft Cloud App Security and Microsoft Defender Advanced Threat Protection (ATP)—With a single click, you can discover cloud apps, detect and block risky apps, and coach users.
  • Enhancing hardware security with our partners—We worked across our partner ecosystem to offer stronger protections built into hardware with Secured-core PCs, available now and this holiday season.
  • Offering Application Guard container protection, coming to Office 365—In limited preview now, we will extend the same protections available in Edge today to Office 365.
  • Building automation into Office 365 Advanced Threat Protection for more proactive protection and increased visibility into the email attacker kill chain—We’re giving SecOps teams increased visibility into the attacker kill chain to better stop the spread of attacks by amplifying your ability to detect breaches through new enhanced compromise detection and response in Office 365 ATP, in public preview now. And later this year, we’re adding campaign views to allow security teams to see the full phish campaign and derive key insights for further protection and hunting.
  • Getting a little help from your friends—Sometimes you need another set of eyes, sometimes you need more advanced investigators. Available now, with the new experts on demand service, you can extend the capabilities of your security operations center (SOC) with additional help through Microsoft Defender ATP.
  • Improving your Secure Score—Back up the strength of your team with numbers. New enhancements in Secure Score will make it easier for you to understand, benchmark, and track your progress. We also added new planning capabilities that help you set goals and predict score improvements, and new CISO Metrics & Trends reports that show the impact your work is having on the health of your organization in real-time.
  • Taking another step in cross-platform protection—This month, we’re expanding our promise to offer protections beyond Windows with Enterprise Detection and Response for Apple Macs and Threat and Vulnerability Management for servers.

Microsoft Ignite

Join us online November 4–8, 2019 to livestream keynotes, watch selected sessions on-demand, and more.


Infographic showing the Microsoft Intelligent Security Graph: unique insights, informed by trillions of signals from Outlook, OneDrive, Windows, Bing, Xbox Live, Azure, and Microsoft accounts.

There’s no way one person, or even one team, no matter how large could tackle this volume of alerts on a daily basis. The Microsoft Intelligent Security Graph, the foundation for our security solutions, processes 8.2 trillion signals every day. We ground our solutions in this intelligence and build in protections through automation that’s delivered through our cloud-powered solutions, evolving as the threat landscape does. Only this combination will enable us to take back control and deliver on a Zero Trust network with more intelligent proactive protection.

Here’s a bit more about some of the solutions shared above:

Discovering and controlling cloud apps natively on your endpoints

As the volume of cloud applications continues to grow, security and IT departments need more visibility and control to prevent Shadow IT. At last year’s Ignite, we announced the native integration of Microsoft Cloud App Security and Microsoft Defender ATP, which enables our Cloud Access Security Broker (CASB) to leverage the traffic information collected by the endpoint, regardless of the network from which users are accessing their cloud apps. This seamless integration gives security admins a complete view of cloud application and services usage in their organization.

At this year’s Ignite, we’re extending this capability, now in preview, with native access controls based on Microsoft Defender ATP network protection that allow you to block access to risky and non-compliant cloud apps. We also added the ability to coach users who attempt to access restricted apps and provide guidance on how to use cloud apps securely.

Building stronger protections starting with hardware

As we continue to build in stronger protections at the operating system level, we’ve seen attackers shift their techniques to focus on firmware—a near 5x increase in the last three years. That’s why we worked across our vast silicon and first- and third-party PC manufacturing partner ecosystem to build in stronger protections at the hardware level in what we call Secured-core PCs to protect against these kinds of targeted attacks. Secured-core PCs combine identity, virtualization, operating system, hardware, and firmware protection to add another layer of security underneath the operating system.

Application Guard container protections coming to Office 365

Secured-core PCs deliver on the Zero Trust model, and we want to further build on those concepts of isolation and minimizing trust. That’s why I’m thrilled to share that the same hardware-level containerization we brought to the browser with Application Guard integrated with Microsoft Edge will be available for Office 365.

This year at Ignite, we are providing an early view of Application Guard capabilities integrated with Office 365 ProPlus. You will be able to open an untrusted Word, Excel, or PowerPoint file in a virtualized container. View, print, edit, and save changes to untrusted Office documents—all while benefiting from that same hardware-level security. If the untrusted file is malicious, the attack is contained and the host machine untouched. A new container is created every time you log in, providing a clean start as well as peace of mind.

When you want to consider the document “trusted,” files are automatically checked against the Microsoft Defender ATP threat cloud before they’re released. This integration with Microsoft Defender ATP provides admins with advanced visibility and response capabilities—providing alerts, logs, confirmation the attack was contained, and visibility into similar threats across the enterprise. To learn more or participate, see the Limited Preview Sign Up.

Automation and impact analysis reinvent Threat and Vulnerability Management

More than two billion vulnerabilities are detected every day by Microsoft Defender ATP and the included Threat and Vulnerability Management capabilities, and we’re adding even more capabilities to this solution.

Going into public preview this month, we have several enhancements, including: vulnerability assessment support for Windows Server 2008 R2 and above; integration with ServiceNow to further improve the communication across IT and security teams; role-based access controls; advanced hunting across vulnerability data; and automated user impact analysis to give you the ability to simulate and test how a configuration change will impact users.

Automation in Office 365 ATP blocked 13.5 billion malicious emails this year

In September, we announced the general availability of Automated Incident Response, a new capability in Office 365 ATP that enables security teams to efficiently detect, investigate, and respond to security alerts. We’re building on that announcement, using the breadth of signals from the Intelligent Security Graph to amplify your ability to detect breaches through new enhanced compromise user detection and response capabilities in Office 365 ATP.

Now in public preview, the solution leverages the insights from mail flow patterns and Office 365 activities to detect impacted users and alert security teams. Automated playbooks then investigate those alerts, look for possible sources of compromise, assess impact, and make recommendations for remediation.

Campaign detections coming to Office 365 ATP

Attackers think in terms of campaigns. They continuously morph their email exploits by changing attributes like sending domains and IP addresses, payloads (URLs and attachments), and email templates in an attempt to evade detection. With campaign views in Office 365 ATP, you’ll be able to see the entire scope of the campaign targeted at your organization. This includes deep insights into how the protection stack held up against the attack—including where portions of the campaign might have gotten through due to tenant overrides, thereby exposing users. This view helps you quickly identify configuration flaws, targeted users, and potentially compromised users to take corrective action and identify training opportunities. Security researchers will be able to use the full list of indicators of compromise involved in the campaign to go hunt further. This capability will be in preview by the end of the year.

Protection across platforms: enterprise detection and response (EDR) for Mac

Work doesn’t happen in just one place. We know that people use a variety of devices and apps from various locations throughout the day, taking business data with them along the way. That means more complexity and a larger attack surface to protect. Microsoft’s Intelligent Security Graph detects five billion threats on devices every month. To strengthen enterprise detection and response (EDR) capabilities for endpoints, we’re adding EDR capabilities to Microsoft Defender ATP for Mac, entering public preview this week. Moving forward, we plan to offer Microsoft Defender ATP for Linux servers, providing additional protection for our customers’ heterogeneous networks.

We understand the pressure defenders are under to keep pace with these evolving threats. We are grateful for the trust you’re putting in Microsoft to help ease the burdens on your teams and help focus your priority work.


The post Further enhancing security from Microsoft, not just for Microsoft appeared first on Microsoft Security.

Cyber Insurance: Should You Consider It For Your Company?

In the wake of frequent cyber-attacks affecting businesses, cyber insurance has become a highly researched and debated topic. This industry has been constantly growing for a couple of decades now. As per Zion Market Data research, the global cyber insurance market is expected to reach $22.8 billion globally by 2024, with a compound annual growth rate of 24%.

In spite of the high availability of cybersecurity protection and prevention tools, there still might be a chance for a company to become a data breach victim. However, this doesn’t mean measures such as employee training and cybersecurity solutions should be left behind. By all means, you should not be relying solely on reactive practices, like buying insurance policies. It’s always better to prevent a cyber disaster than deal with the consequences.

But what does cyber insurance cover? Is it worth investing in cyber insurance? These questions may have crossed your mind, so, in this article, I’m going to try to give answers to some burning questions and help you decide if or which cyber insurance providers may be right for your organization.

What is Cyber Insurance?

First things first, let’s start off with a definition of cyber insurance.

Cyber insurance is a type of insurance for businesses against digital threats. It is also commonly known as cyber risk or cyber liability insurance.

With so many cyber dangers threatening companies, no wonder it has become a highly popular service for organizations large and small around the world. But if you do decide to invest in cyber insurance, are you fully aware of what it’s all about?

Keep on reading to find out.

Why do companies generally purchase cyber insurance policies?

And how many organizations out there are actually covered by cyber insurance? According to Spiceworks data, 38% of organizations are covered by a cyber-insurance plan, with nearly half having had a policy for under 2 years, 32% for 3-4 years, and 24% having been covered for 5+ years.

cyber insurance statistics

Source: Spiceworks study

What’s more, 71% of survey respondents stated that they purchased a policy for precautionary reasons. This seems to be the top driver for organizations to get coverage, followed by an increased priority on cybersecurity (44%), handling a high volume of personal data (39%), and industry-specific regulations (28%). On top of that, only 14% seem to have bought insurance coverage due to customer requirements and an additional 14% as a result of new data protection regulations, such as GDPR. Additionally, IT professionals admit to choosing cyber insurance coverage just to get some peace of mind and hope they never use it.

cyber insurance statistics

Source: Spiceworks study

What does cyber insurance cover?

Cyber risk is without a doubt one of the most difficult aspects to deal with as it has a high impact on both societies and businesses worldwide. Cyber insurance plans are typically created with digital risk in mind in order to ensure (in the best way they can) the continuity of a business and ultimately enable companies to become cyber resilient.

However, not all cyber insurance policies are created equal. Sometimes, decision-makers may be tempted to choose low-price services and end up with a bad deal. This typically happens because, in some cases, cyber insurance providers trying to safeguard their existence in the face of harsh competition tend to create packages that leave high-risk areas uncovered. Why does this happen, you may be wondering? Because some cyber insurance vendors are inexperienced in cybersecurity and don’t fully understand an organization’s actual needs in the current threatscape.

Before deciding to purchase a cyber-insurance policy, you will want to know what it covers to be able to better assess whether a certain insurer is a good fit for your company. So, evaluate your options carefully.

A cyber insurance coverage checklist

Here are the main items typically covered by cyber insurance policies:

  • Restoration of data and software damaged or destroyed by forms of malware (such as viruses, spyware, worms, etc.)
  • Extortion losses (ransomware)
  • Setting up a temporary environment so your company can continue to operate
  • Business interruptions that resulted directly from a cyber-attack (such as DDoS attacks)
  • Temporary security experts hired to defend your company against the attack
  • Legal expenses and fees
  • Costs of notifying employees and the public
  • Costs associated with the reputation damage

What does cyber insurance NOT cover?

Even though your cyber insurance may fix some of your post-cyberattack problems, keep in mind that it will not sort everything out. Below are some aspects that are (usually) not covered:

  • Physical property loss and damage

Normally, cyber insurance coverage excludes physical loss that happened as a direct result of a cyber-attack. For instance, think about manufacturers and energy suppliers that may be more likely to become victims of cyberattacks meant to cause physical damage. If machines are destroyed due to malicious hackers overriding them, losses will not be covered by cyber insurance and instead, they would most likely fall under other types of business insurance, such as crime insurance.

  • Social engineering attacks

Oftentimes, cyber insurance policies have social engineering reduction clauses. Some sources mention a payout reduction if employees fall victim to social engineering attacks. For instance, according to a city government, “they had a $50-million-dollar cybersecurity insurance policy, but if a claim involved social engineering, then it only paid out a maximum of $200,000.” And unfortunately, customers who are not aware that 70% to 90% of all successful data breaches happen due to social engineering attacks are potentially wasting up to 90% of what they were expecting to be covered.

What’s more, according to a report released by Mactavish, many insurance policies contain grey areas. Below you can see what they normally don’t cover.

  • They do cover attacks or hacks but exclude accidents and errors
  • They do cover costs imposed by law, but not total incident costs
  • They only cover the time of the network interruption, but not the overall business disruption moving forward
  • They may exclude systems delivered by third-party service providers
  • They may not cover software or systems currently in development
  • Policies may sometimes not cover incidents caused by contractors
  • Customers may not be able to choose their own IT, PR or legal specialist since the insurance policy only covers appointed advisors.

Thus, the points above would typically need to be negotiated before signing the insurance contract. Therefore, you really need to bear in mind these common exceptions when you are evaluating cyber insurance vendors and be sure you choose the plan that best matches your business and cybersecurity needs. And better yet, never put large amounts of money and your trust in cyber insurance policies and invest in proactive cybersecurity measures instead.

Is cyber insurance really worth it after all?

It depends on several factors. Ultimately, it’s up to you to decide, according to your current business needs.

For instance, would it be better to spend $15,000 to buy a cyber insurance policy or to use that money to upgrade your current cybersecurity offering and train your employees to recognize and react at the first signs of cyber compromise? Or split the amount between these areas?

Oftentimes, cyber insurance may create a false sense of security, so be careful how much you actually invest in it and what items it includes. Also, keep in mind that after choosing a certain insurance policy, you should not just leave it there to gather dust indefinitely. In fact, your cyber insurance contract should be constantly reviewed and updated depending on your evolving needs and current cyber-threat dangers.

So, how much cyber insurance coverage do you really need?

On average, data breaches cost companies $150 per record, according to the IBM and Ponemon Institute 2019 Cost of a Data Breach Report. Furthermore, the study also concluded that the average time to identify and contain a data breach was 279 days. If you do decide to purchase a cyber insurance policy, these figures can be some good starting points.

You should take into consideration aspects such as:

  • How much sensitive information you store
  • Where is the sensitive information stored
  • What measures you would need to take if you experienced a data breach
  • What would the costs be to replace the damaged software (and perhaps hardware)
  • Do you have any employees trained to mitigate the damage, or do you need external security specialists?
  • Is there any PR staff able to deal with crisis management if you experienced a data breach?

Trying to answer these questions, along with other questions you formulate yourself based on your own business model, will help you get an idea of how much insurance coverage you would need in case of an emergency.

Should you replace cybersecurity with cyber insurance?

No, never! Cyber insurance should never be used, under any circumstances, as a cybersecurity replacement. Do not operate with the it-won’t-happen-to-me mentality and try to cut down costs associated with security tools. You may “save” some money for a while, but in the long run, this practice will only damage your business.

Cyber insurance and ransomware payouts, a controversy

Some cyber-insurance companies seem to encourage ransomware victims to pay the ransom. Apparently, this practice is seen as the cheapest way to reverse ransomware attacks and at the same time ensure the least downtime possible. And this happens despite warnings and discouragement from law enforcement agencies that are saying “ransoms shouldn’t be paid because they fund criminal activity.” What’s more, in the past, we saw ransomware strains that deleted data even if the victims paid, so the ransomware payment behavior certainly comes as a red flag. Sadly, the main goal of insurance companies here is to get the issues resolved at the lowest price possible.

What should companies do instead of paying the ransom? Use the proper cybersecurity tools, apply system and software updates as soon as they are released, and always back up their sensitive data.

Bottom Line

Even though no organization will be completely safe from cyber-attacks and even if cyber insurance does offer you protection to some extent, it’s never advisable to rely solely on it. So, make sure that you invest in the right proactive cybersecurity tools, systems, and procedures alongside your employees’ cybersecurity training. And only then, if you choose to, create a cyber insurance plan tailored to your company and be certain it gets constantly revised and updated.

The post Cyber Insurance: Should You Consider It For Your Company? appeared first on Heimdal Security Blog.

Vendor Email Compromise (VEC): The Classic Business Email Compromise (BEC) Scheme with a Spin

A new email fraud scheme has taken Business Email Compromise (BEC) to a whole new level of sophistication. The recently discovered type of email scam has been dubbed Vendor Email Compromise (VEC) and, as its name suggests, the attackers prey on employees working at vendor companies.

A new cybercriminal group, identified as Silent Starling by researchers at Agari, ran these malicious email campaigns. The fraudsters hacked the email accounts of employees working in the target’s finance department and gathered as much information as they could from their inboxes. In the end, the scammers sent them perfectly timed payment requests accompanied by fake invoices.  

Since late 2018, over 700 employee accounts from more than 500 companies in the United States and over a dozen other countries have been compromised. Consequently, more than 20,000 sensitive emails have been harvested. 

Vendor Email Compromise, a new milestone in the evolution of BEC attacks 

Traditionally, a BEC attack is based upon what is commonly referred to as CEO fraud or the impersonation of an upper or middle-management employee. In this case, fraudsters contact their “colleagues” from the financial department, requesting an urgent payment and providing all the necessary details for the money to be transferred. Since the email comes from a superior and the message is transmitted with a sense of urgency, employees are likely to fall for this scam, being completely unaware the money will end up in a cybercriminal’s account.  

And now, through this social engineering tactic, impostors are targeting a new niche: vendors.

More precisely, scammers are preying on employees working in a vendor’s finance department, with the ultimate goal of gathering intelligence on customers they interact with. 

Who are the attackers behind Silent Starling? 

The criminal group originates from West Africa and has been involved in fraudulent practices since 2015. First, they engaged in romance scams and check fraud and transitioned to BEC attacks in mid-2016, Agari writes. In their first two years of BEC, they focused on wire transfer requests and gift card attacks, only at the end of 2018 shifting their focus to VEC scams.  

Three main malicious actors belonging to the cyber-gang have been identified, but at least eight other group members may have been involved. Each of these individuals was in charge of certain tasks, such as collecting leads to be targeted, finding mule accounts, or hijacking and scanning compromised email accounts in search of relevant information.

How do Vendor Email Compromise attacks work? 

As I’ve briefly mentioned above, both BEC and VEC scams are based on social engineering. But what sets them apart is that VEC attacks target a supplier’s customers, who receive what look like realistic payment requests for an actual service they are expecting to pay for.

But how do VEC scams actually work? 

Since they are highly elaborate schemes, they are conducted through multiple stages. Below you can see the main phases of Vendor Email Compromise attacks: 

Attack Phases | Description
Phase 1 | The first phishing wave / Target: Vendors
Phase 2 | Account takeover
Phase 3 | Inbox monitoring
Phase 4 | The second phishing wave / Target: The vendors’ customers

Phase #1. Credential stealing through phishing campaigns 

The phishing emails coming from the Silent Starling group pose as popular business applications, a practice commonly employed by cybercriminals. For instance, merely a few days ago, we discovered yet another Microsoft phishing campaign targeting Office 365 users.

Going back to Silent Starling’s malicious emails, the lures they were using were fake Microsoft OneDrive or DocuSign login pages and voicemail and fax notifications.

The attackers have reportedly used over 70 phishing websites to harvest the users’ credentials. They managed to intercept the login details for more than 700 employees at over 500 companies in 14 countries. The main countries where the attacks were conducted were the United States, Canada, and the United Kingdom.  

But who falls for these email scams in the first place, you may be wondering? Well, those who have not received basic cybersecurity training may click malicious links and enter their login credentials without checking whether the sender and landing page are legitimate. What’s more, they are not using the proper tools to protect their business from phishing attacks.

Apparently, at a single US-based company, the accounts of 39 employees have been compromised. The phishing campaign ran between September 2018 and March 2019, as reported by Agari. The credentials of people in various business functions, such as billing, sales, HR, and senior executives, were stolen in these campaigns.

In one of the phishing emails that targeted the above-mentioned company, 13 email accounts were compromised within thirty minutes of the time they were sent. Furthermore, at least six employees also had their personal email account credentials compromised. Most likely, this happened because employees made the common password mistake of reusing the exact same passwords (or slight variations) for both their corporate and personal accounts, and this way, attackers were able to practice credential stuffing.

Phase #2. Taking over the compromised accounts 

During this stage, first of all, the attackers would access the employees’ hacked accounts and look for significant vendors who could be impersonated. 

Secondly, they would set up email rules to forward and even redirect copies of all incoming emails from the respective vendors to the scammers’ inboxes. After these rules are created, victims are most likely not noticing any signs of someone spying on their email accounts. Thus, cybercriminals can continue their activity for a long time and evade detection. 

For instance, the Silent Starling attackers had access for over four months to employees’ email accounts from a US-based real estate company. During this period, they received more than 2,800 confidential emails containing “income statements, invoices, customer agreements, rental injury process, and other policy paperwork”, Agari notes. 

Phase #3. The waiting game begins 

VEC attacks are based on lengthy processes, during which cybercriminals harvest as much sensitive information as they need to in order to be able to masquerade as real vendor representatives. This is one of the main differences between VEC and BEC since the latter usually takes advantage of an individual’s innate tendency to respond to urgency.  

During this phase, fraudsters are trying to figure out information such as: 

  • Vendor’s customers 
  • Invoice look and feel 
  • Customer payments due dates 
  • Due amounts 
  • Customer contacts responsible for payments 

A high volume of emails floods their inboxes, so these scammers are most probably using automated tools to identify keywords related to payments and invoices rather than manually reading each email.
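As an added illustration, not from Agari or the original post, of how a defender can spot the forwarding rules from Phase #2 and the payment-keyword filtering from Phase #3, the following Python script audits a constructed export of inbox rules; the field names, the tenant domain vendor.example and the sample rules are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed: the tenant's own email domains; any other recipient counts as external.
INTERNAL_DOMAINS = {"vendor.example"}

# Subject terms an attacker hunts for while monitoring a finance inbox.
PAYMENT_TERMS = ("invoice", "payment", "remittance", "wire", "bank", "due")

# Folders commonly used to park mail where the mailbox owner is unlikely to look.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items",
                  "junk email", "conversation history"}


@dataclass
class InboxRule:
    """Simplified inbox rule; the field names are assumptions, not a real export schema."""
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)   # recipient gets a copy, owner keeps one
    redirect_to: list = field(default_factory=list)  # message sent on, no copy kept
    subject_contains: list = field(default_factory=list)
    delete_message: bool = False
    mark_as_read: bool = False
    move_to_folder: str = ""


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def external_targets(rule: InboxRule) -> list:
    """All forward/redirect recipients outside the tenant's own domains."""
    return [a for a in rule.forward_to + rule.redirect_to
            if _domain(a) not in INTERNAL_DOMAINS]


def hides_mail(rule: InboxRule) -> bool:
    """True if the rule makes matching messages easy for the owner to miss."""
    return (rule.delete_message or rule.mark_as_read
            or rule.move_to_folder.strip().lower() in HIDING_FOLDERS)


def matches_payment_terms(rule: InboxRule) -> list:
    """Payment-related terms present in the rule's subject conditions."""
    text = " ".join(rule.subject_contains).lower()
    return [t for t in PAYMENT_TERMS if t in text]


def assess(rule: InboxRule):
    """Return (severity, reasons); severity is 'high', 'medium' or 'none'."""
    reasons = []
    ext = external_targets(rule)
    terms = matches_payment_terms(rule)
    if ext:
        reasons.append("forwards or redirects to external address(es): " + ", ".join(ext))
    if rule.redirect_to:
        reasons.append("redirect leaves no copy in the mailbox")
    if terms:
        reasons.append("conditions target payment-related mail: " + ", ".join(terms))
    if hides_mail(rule):
        reasons.append("matching mail is deleted, marked read or parked in a hiding folder")

    if ext:
        severity = "high"                       # exfiltration of the inbox (Phase #2)
    elif terms and hides_mail(rule):
        severity = "medium"                     # customer replies about invoices would vanish
    else:
        severity = "none"
    return severity, reasons


def audit(rules):
    """Map (mailbox, rule name) -> (severity, reasons) for every rule worth a look."""
    report = {}
    for rule in rules:
        severity, reasons = assess(rule)
        if severity != "none":
            report[(rule.mailbox, rule.name)] = (severity, reasons)
    return report


# Constructed sample export: one exfiltration rule, one hiding rule, two benign rules.
SAMPLE_RULES = [
    InboxRule("ar@vendor.example", "Ops copy",
              forward_to=["ar.backup@webmail.example"],
              subject_contains=["invoice", "payment"], delete_message=True),
    InboxRule("ar@vendor.example", "Payment notices",
              subject_contains=["Payment"], move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule("ar@vendor.example", "To manager",
              forward_to=["cfo@vendor.example"], subject_contains=["invoice"]),
    InboxRule("hr@vendor.example", "Newsletters",
              subject_contains=["weekly digest"], move_to_folder="Newsletters"),
]

if __name__ == "__main__":
    for (mailbox, name), (severity, reasons) in audit(SAMPLE_RULES).items():
        print(f"{severity.upper():6} {mailbox} / {name}")
        for reason in reasons:
            print("       -", reason)
```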

Phase #4. Spear phishing emails are sent to the vendor’s customers

After cybercriminals have gathered enough information from the compromised accounts, they will start the next phase of the VEC attack: crafting authentic-looking spear-phishing emails and sending them to the vendor’s customers. Just like in a standard BEC attack, the goal is to trick the victim into transferring money to the fraudster’s account. 

According to Agari, there are three primary aspects that need to be correctly identified by VEC attackers in order for the scams to be successfully conducted: 

  • Vendor identity – Here, employees responsible for customer billing coming from the vendor’s side need to be correctly identified. Then, they can be impersonated in three ways: 
    1. The fraudster logs into the compromised account directly. 
    2. The victim’s email address is spoofed. 
    3. The attacker registers a domain that looks very similar to the vendor’s official domain. 
  • Emails’ content – VEC scammers always do their best to mimic the way a vendor representative writes an email to appear more genuine and may even copy their email signature. 
  • Timing – Attackers need to send payment requests on the same dates that past invoices were due, in order not to arouse suspicion.
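To show how a customer’s mail gateway can catch the third impersonation route above (a registered lookalike domain) before an invoice is paid, here is an added Python check, not part of the original post or Agari’s research, that compares a sender domain against a constructed list of known vendor domains using confusable-character normalisation and edit distance; the vendor domains, sample senders and thresholds are assumptions.

```python
import unicodedata

# Constructed: the vendors whose invoices this customer expects; not the page's data.
KNOWN_VENDOR_DOMAINS = {"acmesupply.example", "globexcorp.example"}

# Multi-character confusables are collapsed before single-character ones.
MULTI_CHAR_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_CHAR_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s", "$": "s", "@": "a",
    # a few Cyrillic letters that render identically to Latin ones
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y",
    "-": None, "_": None,   # inserted hyphens are a common trick: acme-supply vs acmesupply
})


def _to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so the confusable check sees the real characters."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain


def skeleton(label: str) -> str:
    """Canonical form of a domain label with visual look-alikes folded together."""
    s = unicodedata.normalize("NFKC", label).lower()
    for seq, rep in MULTI_CHAR_CONFUSABLES.items():
        s = s.replace(seq, rep)
    return s.translate(SINGLE_CHAR_CONFUSABLES)


def split_domain(domain: str):
    """Return (second-level label, suffix); assumes a single-label suffix like .com."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(sender_domain: str, known_domains=KNOWN_VENDOR_DOMAINS):
    """Return (verdict, reason) with verdict 'known', 'lookalike' or 'unrelated'."""
    sender = _to_unicode(sender_domain).lower().rstrip(".")
    if sender in {k.lower() for k in known_domains}:
        return "known", "exact match"
    s_label, s_tld = split_domain(sender)
    s_skel = skeleton(s_label)
    for known in sorted(known_domains):
        k_label, k_tld = split_domain(known)
        k_skel = skeleton(k_label)
        if s_skel == k_skel:
            why = ("same name under a different top-level domain" if s_tld != k_tld
                   else "confusable characters or inserted hyphens")
            return "lookalike", f"{why} ({known})"
        budget = 2 if len(k_skel) >= 8 else 1        # assumed tolerance for typo-squats
        if edit_distance(s_skel, k_skel) <= budget:
            return "lookalike", f"within {budget} edit(s) of {known}"
        if k_skel in s_skel:                          # e.g. acmesupply-billing.example
            return "lookalike", f"embeds the vendor name from {known}"
    return "unrelated", "no resemblance to a known vendor domain"


def classify_sender(address: str, known_domains=KNOWN_VENDOR_DOMAINS):
    """Convenience wrapper for a From: address."""
    return classify_domain(address.rsplit("@", 1)[-1], known_domains)


# Constructed sample senders; the third one uses a Cyrillic "а" as its first letter.
SAMPLE_SENDERS = [
    "billing@acmesupply.example", "billing@acrnesupply.example",
    "billing@\u0430cmesupply.example", "billing@acmesupply.co",
    "ar@acmesupply-billing.example", "ar@acmesuply.example", "ar@northwind.example",
]

if __name__ == "__main__":
    for addr in SAMPLE_SENDERS:
        verdict, why = classify_sender(addr)
        print(f"{verdict:9} {addr:34} {why}")
```

A "lookalike" verdict on a payment request is a reason to verify the invoice out of band with the vendor; it does not by itself prove compromise, since the rule also flags legitimate but unregistered vendor domains.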

A comparison between VEC and BEC 

How is Vendor Email Compromise different from Business Email Compromise and how are they similar? 

Below you can find a quick comparison between VEC and BEC:

Business Email Compromise (BEC) | Vendor Email Compromise (VEC)
In both cases, attackers need access to a business email account or use spoofed email addresses to trick their targets into transferring money to their bank accounts.
A traditional BEC attack takes place inside the targeted organization. Example: The fraudster impersonating the CEO asks someone from the organization to make a payment. | Attackers break into the vendor’s email accounts and target their customers. Ironically, the initial target (the vendor) will not be affected financially at all. Example: The fraudster impersonating an employee who works in the vendor’s financial department sends a fake invoice to the customer.
Usually, attackers collect information about their targets from social media and other places publicly available online. | Based on multiple stages, during which the attacker gathers relevant information about the target so they can perfectly imitate them (i.e. the way the targeted employees formulate emails, email endings, email signature, etc.)
Scammers use a sense of urgency in their communication with the targeted customer. | VEC attacks require extreme patience. Attackers do an extensive amount of research to find out as much valuable information as they can about their targets.

How to protect your business from VEC/BEC attacks 

Naturally, it will be quite difficult for anyone to identify VEC attacks, regardless of whether you’re a vendor or customer employee. These attacks could go on for months and months without being detected. And since traditional cybersecurity solutions are not able to pick up these types of advanced threats, a mix of human vigilance and the right security tools is what it takes to prevent and stop them before they damage your organization.

So, how can Business/Vendor Email Compromise be avoided?  

1. Train your employees 

First, your staff should be able to identify the tell-tale signs of phishing (a suspicious sender email address/URL, the sender asking them to “update” their credentials or “verify” their identity, etc.).

This basic knowledge can be accumulated through regular cybersecurity training, so make sure all your employees are on the same page when it comes to identifying phishing and other types of cyberattacks. 

Secondly, your organization should use a next-gen proactive antimalware solution that blocks malicious links if your employees accidentally click them.

2. Implement multi-factor authentication methods 

Let’s suppose your employees could not tell they were the victim of a phishing attack and that you were not using the right cybersecurity solution that could have prevented the attack.

After obtaining your employees’ credentials, attackers will now try to log in to their email accounts. So, a good method to prevent unauthorized access is multi-factor authentication. I’ve extensively written about password security best practices here, so feel free to check out this guide as well. 

3. Constantly review your cybersecurity policy 

Accompanied by your mandatory training should be your cybersecurity policy, so make sure you have one in place and update it whenever necessary. Don’t just keep an antiquated one that becomes obsolete as cyber threats develop.  

Your company’s cybersecurity policy should cover best practices that everyone must follow, as well as actionable steps your employees must take at the first signs of compromise.

What’s more, don’t forget about your remote employees. Your cybersecurity policy should have a section specially dedicated to remote workers, who may sometimes be at higher risk than your on-site staff. I encourage you to also take a look at the guide in which I explain what are the cybersecurity issues with remote work and how to address them.  

4. Use a next-generation email fraud protection solution 

There are certain advanced threats that can’t be detected and blocked by traditional spam filters. A standard email security solution will not be able to identify business email compromise: fake money-transfer requests, CEO impersonation/impostor emails, malicious content in historical emails, spoofed emails, etc.  

This is why we’ve developed MailSentry, an email security solution specifically designed to quickly detect fraud and fake invoices, helping you save time and skip manual background checks.

MailSentry works as an add-on to existing spam filter solutions.

It scans email content and attachments for fraudulent account numbers, invoice modifications, and signs of imposters. It’s based on Artificial Intelligence that detects the signs of the most advanced cyber threats. Furthermore, it uses more than 125 vectors of analysis and is fully coupled with live threat intelligence to find and stop Business Email compromise, CEO Fraud, phishing, and complex malware. Not only that, but it’s also backed up by a live 24/7 anti-fraud specialist team.

MailSentry is the only next-gen email security solution in the world connected to bank systems, capable of cross-checking IBAN and account numbers against money mule accounts.
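The account cross-check described above, as an added illustration written for this page rather than MailSentry’s or Heimdal’s own code: each IBAN found in an incoming vendor invoice is checksum-validated and then compared with the IBAN the vendor has always used. The vendor address, the account on file and the three sample emails are constructed data; the only real-world rule used is the ISO 13616 mod-97 check.

```python
"""Added example (not MailSentry or Heimdal code): cross-check the bank account
named in a vendor invoice email against the IBAN on file for that vendor.
Every sender, account and email below is constructed sample data."""
from __future__ import annotations
import re

# Constructed "accounts on file": sender address -> IBAN this vendor has always used.
VENDOR_IBANS_ON_FILE = {
    "billing@acme-supplies.example": "GB82WEST12345698765432",
}

# IBAN candidate: 2 letters, 2 check digits, then 11..30 alphanumerics (spaces allowed).
# Only upper-case characters are accepted so ordinary prose after the number is not
# swallowed; the mod-97 check below rejects anything that is not a real IBAN anyway.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b")


def _mod97(s: str) -> int:
    """ISO 13616 interpretation: letters A..Z become 10..35, then take mod 97."""
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in s)
    return int(digits) % 97


def normalize(iban: str) -> str:
    """Strip spaces and upper-case, e.g. 'gb82 west ...' -> 'GB82WEST...'."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """Check digits are correct when (BBAN + country + check digits) mod 97 == 1."""
    s = normalize(iban)
    if not (15 <= len(s) <= 34 and s[:2].isalpha() and s[2:4].isdigit() and s.isalnum()):
        return False
    return _mod97(s[4:] + s[:4]) == 1


def make_iban(country: str, bban: str) -> str:
    """Build an IBAN with correct check digits. Used here only to construct a
    realistic *different* but well-formed account for the sample fraud case."""
    check = 98 - _mod97(bban + country + "00")
    return f"{country}{check:02d}{bban}"


def extract_ibans(text: str) -> list[str]:
    """All IBAN-shaped strings in the email body, normalized."""
    return [normalize(m.group(0)) for m in IBAN_RE.finditer(text)]


def check_invoice(sender: str, body: str) -> list[dict]:
    """One finding per IBAN in the body. Severity 'high' means a well-formed
    IBAN that differs from the account on file for this sender."""
    on_file = VENDOR_IBANS_ON_FILE.get(sender.lower())
    findings = []
    for iban in extract_ibans(body):
        if not iban_is_valid(iban):
            reason, severity = "malformed IBAN (bad check digits)", "medium"
        elif on_file is None:
            reason, severity = "no account on file for sender", "medium"
        elif iban != on_file:
            reason, severity = "IBAN differs from account on file", "high"
        else:
            reason, severity = "matches account on file", "info"
        findings.append({"iban": iban, "severity": severity, "reason": reason})
    return findings


# Constructed fraud case: the vendor's real account with one digit changed and
# fresh check digits computed, so it passes the checksum but is a different account.
CHANGED_IBAN = make_iban("GB", "WEST12345698765433")

# Constructed sample emails: a normal invoice, a "changed bank details" fraud
# attempt, and a mistyped account number.
SAMPLE_EMAILS = [
    ("billing@acme-supplies.example",
     "Invoice 1042 attached. Please remit to GB82 WEST 1234 5698 7654 32 as usual."),
    ("billing@acme-supplies.example",
     f"URGENT: our bank details changed. Pay invoice 1043 today to {CHANGED_IBAN}."),
    ("billing@acme-supplies.example",
     "Please pay to GB82 WEST 1234 5698 7654 33, thanks."),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_EMAILS:
        for f in check_invoice(sender, body):
            print(f"{f['severity']:6} {f['iban']}: {f['reason']}")
```

The checksum step matters because a casual "looks like an IBAN" regex alone would flag mistyped numbers and changed numbers the same way; separating the two lets the high-severity alert be reserved for the case the article describes, a well-formed account that simply is not the vendor’s.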


Business Email Compromise is one of the fastest-growing threats of today’s threatscape. As cybercriminals continue to improve their attack techniques to better evade detection, it becomes increasingly harder for you to keep your confidential data and money safe. 

If you are a vendor, train your employees to be extra cautious when establishing any kind of contact with both your customers and internal stakeholders. If you are a company engaged in business relationships with vendors, the same rules apply. Without doubt, you can never be too careful, as you never know where malicious actors and advanced cyber threats may be hiding. Yet, the good news is that your business can and will remain protected and competitive if you take into account all the necessary preventive measures. 

The post Vendor Email Compromise (VEC): The Classic Business Email Compromise (BEC) Scheme with a Spin appeared first on Heimdal Security Blog.

Defining Cloud Security – Is It the Endpoint, Your Data, or the Environment?

You’ve heard it once; you’ve heard it a hundred times – “secure the cloud.” But what does that phrase mean? On the surface, it’s easy to assume this phrase means using cloud-enabled security products. However, it’s much more than that. Cloud security is about securing the cloud itself through a combination of procedures, policies, and technologies that work together to protect the cloud—from the endpoint to the data to the environment itself. A cloud security strategy must be all-encompassing, based on how data is monitored and managed across the environment. So, let’s examine how IT security teams can address common cloud challenges head-on, while at the same time establishing the right internal processes and adopting the necessary solutions in order to properly secure the cloud.

Cloud Security’s Top Challenges

As we enter a post-shadow IT world, security teams are now tasked with understanding and addressing a new set of challenges—those that can stem from a complex, modern-day cloud architecture. As the use of cloud services grows, it is critical to understand how much data now lives in the cloud. In fact, the amount of sensitive data stored in cloud-based files is only growing, currently standing at 21% after having increased 17% over the past two years. So it’s no wonder that threats targeting the cloud are growing, too: The average organization experiences 31.3 cloud-related security incidents each month, a 27.7% increase over the same period last year.

Frequently impacted by data breaches and DDoS attacks, cloud technology is no stranger to cyberthreats. However, the technology is also impacted by challenges unique to its makeup—such as system vulnerabilities and insecure user interfaces (UIs) and application programming interfaces (APIs), which can all lead to data loss. Insecure UIs and APIs are top challenges for the cloud, as the security and availability of general cloud services depends on the security of these UIs and APIs. If they’re insecure, functionalities such as provisioning, management, and monitoring can be impacted as a result. There are also bugs within cloud programs that can be used to infiltrate and take control of the system, disrupt service operations, and steal data, mind you. The challenge we see with data and workloads moving to the cloud is insufficient knowledge of developers on the evolution of cloud capabilities. We are finding misconfigurations to be one of the major contributors of data leaks and data breaches as well, meaning cloud configuration assessment is another best practice that IT should own. Another major source of cloud data loss? Improper identity, credential, and access management, which can enable unauthorized access to information via unprotected default installations.

The good news? To combat these threats, there are a few standard best practices IT teams can focus on to secure the modern-day cloud. First and foremost, IT should focus on controls and data management.

Security Starts with Process: Controls and Data Management

To start a cloud security strategy off on the right foot, the right controls for cloud architecture need to be in place. Cloud security controls provide protection against vulnerabilities and alleviate the impact of a malicious attack. By implementing the right set of controls, IT teams can establish a necessary baseline of measures, practices, and guidelines for an environment. These controls can range from deterrent and corrective to preventative and protective.

In tandem with controls, IT teams need to establish a process or system for continually monitoring the flow of data, since insight into data and how it is managed is vital to the success of any cloud security strategy. A solution such as McAfee Data Loss Prevention (DLP) can help organizations monitor data through the use of a management console or dashboard. This tool can help secure data by extending on-premises data loss prevention policies to the cloud for consistent DLP, protecting sensitive data wherever it lives, tracking user behavior, and more.

Solving for Visibility, Compliance, and Data Protection

When it comes to securing data in the cloud, visibility and compliance must be top of mind for IT teams as well. Teams need to gain visibility into the entirety of applications and services in use, as well as have proper insight into user activity to have a holistic view of an organization’s existing security posture. They also need to be able to identify sensitive data in the cloud in order to ensure data residency and compliance requirements are met.

That’s precisely why IT teams need to adopt an effective cloud access security broker (CASB) solution that can help address visibility and compliance issues head-on. What’s more, this type of solution will also help with data security and threat protection by enforcing encryption, tokenization, and access control, as well as detecting and responding to all types of cyberthreats impacting the cloud.

Bringing It All Together

By combining the right controls and data management processes with a CASB solution, security teams can protect the cloud on all levels. A CASB solution like McAfee MVISION Cloud protects data where it lives today, in the cloud. This CASB solution is a cloud-hosted software that sits between cloud service customers and cloud service providers to enforce security, compliance, and policies uniformly across all cloud assets, from SaaS to IaaS/PaaS. Plus, McAfee MVISION Cloud can help organizations extend security controls of their on-premises infrastructure to the cloud and beyond. To extend these controls, this solution detects, protects, and corrects. During detection, IT security teams gain complete visibility into data, context, and user behavior across all cloud services, users, and devices. When data leaves the cloud, McAfee MVISION Cloud applies persistent protection wherever it goes: in or outside the cloud. And when an error does occur, the solution takes real-time action deep within cloud services to correct policy violations due to human error and stops security threats. While McAfee MVISION Cloud protects the cloud itself, it’s also important to protect access to the cloud at the start, or the endpoint. An endpoint security solution, such as McAfee Endpoint Security, is also integral for safeguarding the cloud, since endpoints are a target for credential theft that leads to greater risk in the cloud environment.

In an ever-changing threat landscape, implementation of the proper controls and data management, with the addition of effective cloud security solutions, are the keys to a strong cloud security strategy. By taking into account and working to proactively protect the multitude of endpoints connected to the cloud, the amount of data stored in the cloud, and the cloud environment itself, IT security teams can help ensure the cloud is secure.

To learn more about cloud security and other enterprise cybersecurity topics, be sure to follow us @McAfee and @McAfee_Business.


The post Defining Cloud Security – Is It the Endpoint, Your Data, or the Environment? appeared first on McAfee Blogs.

MITRE ATT&CK™ APT3 Assessment

Making a case for the importance for real-time reporting is a simple exercise when considering almost every major campaign.  Take the case of Shamoon, where analysis into the Disttrack wiper revealed a date in the future when destruction would happen.  Similarly, cases where actors use different techniques in their attacks reveal that once mapped out, a story becomes visible. The question is, do you have visibility and early warnings into these threats and how timely are they presented to you so there’s time to respond? 

MITRE’s ATT&CK for Enterprise, produced by the Cyber Security division of MITRE, is an adversarial behavior model for possible attacker actions. The ATT&CK matrix used is a visualization tool in the form of a large table, intended to provide a framework for talking about attacks in a unified way. This is coupled with detailed descriptions of different tactics and techniques and how they differ from attacker to attacker.

When you participate in the assessment, MITRE is the red team simulating the techniques, used by APT3 in this case, and we as McAfee are the blue team using our products to detect their actions and report them. When the red team attacks us with a variant of a technique, as a blue team, we need to prove we detected it. 

McAfee went through a MITRE ATT&CK assessment early this summer and we are excited to announce that MITRE has published the results of the APT3 assessment today on their website. In today’s cyber-threat landscape, it’s all about ‘time’, time to detect, time to respond, time to remediate, etc. When it comes to advanced attacks represented in APT3 – real time detections offer a significant advantage to incident responders to rapidly contain threats. 

As the results show, McAfee provided the most real-time alerts while detecting the attacks. When real-time alerts and simple efficacy score, as calculated using criteria published by Josh Zelonis of Forrester, are considered together, McAfee occupies a leadership position in the upper right quadrant of the chart:



During MITRE’s APT3 evaluation, McAfee was the only vendor to display real-time alerts for certain attacks, including T1088: Bypass User Account Control, one of the techniques used by Shamoon. 

While MITRE’s evaluation focused on MVISION EDR’s detection capabilities, there are several aspects that defenders need to consider in order to properly triage, scope, contain and close an incident. During the APT3 attack we generated 200+ alerts and telemetry datapoints, which were the core of MITRE’s evaluation. Yet we don’t expect analysts to review them individually. In MVISION EDR those 200+ data points got clustered into 14 threats, which added context to paint a more complete picture of what happened in order to speed triage.

Furthermore, analysts could trigger an automated investigation from a threat and therefore involve our AI-driven investigation guides to bring more context from other products (e.g. ePO, SIEM), endpoint forensics, analytics and threat intelligence.


Investigation case collecting 4000+ pieces of evidence, linking it, showing expert findings and uncovering potential lateral movement between two devices 

Thanks to our automated investigation guides, in the case of APT3, MVISION EDR was able to gather passive DNS information and link the evidence to further expose potential lateral movement and C2.

Although it was not exercised by MITRE, the next step for the analyst would have been to use MVISION EDR’s real time search to further scope the affected devices and take containment actions (e.g. quarantine, kill processes, etc). 

McAfee has been engaged with MITRE in expanding the ATT&CK Matrix and helping to evolve future ATT&CK Evaluations. We are a proud sponsor of ATT&CKcon and will be exhibiting at ATT&CKcon 2.0 later this month. Come learn more about how automated AI-driven investigations can reduce the time to detect and respond to threats using McAfee MVISION EDR. 



The post MITRE ATT&CK™ APT3 Assessment appeared first on McAfee Blogs.

Maintaining Effective Endpoint Security 201

Today’s enterprises are faced with unique, modern-day issues. Many are focused on adopting more cloud-based services and reducing infrastructure footprint, all while the number of devices accessing the environment grows. This, in turn, requires security teams to create different levels of access, policies, and controls for users. Plus, as these businesses expand, some unexpected security issues may arise, such as alert volume, lack of visibility, complicated management, and longer threat dwell times. To strike a balance between business objectives and a healthy security posture, IT teams can implement some of the tactics we recommended in our Effective Endpoint Security Strategy 101 blog, such as virtual private networks (VPNs), proper employee security training, and machine learning (ML) and artificial intelligence (AI) technology for predictive analysis. But with the threat landscape evolving every day, is there more these organizations can do to sustain an effective endpoint strategy while supporting enterprise expansion? Let’s take a look at how teams can bolster endpoint security strategy.

Managing the Many Vulnerabilities

As enterprises try to keep pace with the number of endpoints, as well as the threats and vulnerabilities that come with these devices, multiple levels of security need to be implemented to maintain and expand a sustainable security posture. One way for enterprise security teams to keep track of these vulnerabilities and threats is through the use of vulnerability management. This process involves the identification, classification, and prioritization of vulnerabilities when flaws arise within a system.

For vulnerability management to be successful, security teams must have full visibility into an endpoint environment. This awareness will help teams proactively mitigate and prevent the future exploitation of vulnerabilities. Plus, with endpoints always evolving and being added, a vulnerability management system is a necessity for expanding effective endpoint security.

Beware of Privilege Escalation

Due to the sheer number of endpoints being introduced to the enterprise environment, the possibility of a vulnerable endpoint increases. And with vulnerable endpoints creating gateways to important enterprise data, cybercriminals often attempt to exploit a bug or flaw in an endpoint system to gain elevated access to sensitive resources. This tactic is known as privilege escalation.

To thwart cybercriminals in their tracks and subvert privilege escalation attacks, security teams can employ the practice of least privilege. In other words, users are granted the least amount of privilege required to complete their job. That way, if hackers manage to get their hands on an exposed endpoint, they won’t be able to gain access to troves of corporate data. The threat of privilege escalation can also be solved through patches and added layers of security solutions at different stages of the endpoint.

Administering Enterprise Access

Who can access specific assets and resources within an enterprise is an important discussion to be had for any endpoint security strategy. Not all users should have access to all resources across the network and if some users are given too much access it can lead to increased exposure. This is where access management comes into play.

Maintaining a secure endpoint environment requires security teams to identify, track, and manage specific, authorized users’ access to a network or application. By creating differentiated levels of access across the board, teams can ensure they are prioritizing key stakeholders while still controlling the number of potential exposure points. Beyond monitoring accessibility, it’s critical that security teams know where data is headed and are able to control the flow of information. The good news? Teams can rely on a solution such as McAfee Data Loss Prevention (DLP) to assist with this, as it can help security staff protect sensitive data on-premises, in the cloud, or at the endpoints.

Coaching Users on Passwords and Identity Management

Passwords are the first defense against cybercriminals. If a cybercriminal guesses a password, they have access to everything on that device – so the more complex and personalized a password is, the better. Beyond encouraging complex password creation, it’s crucial that security teams make single sign-on (SSO) or multifactor authentication a standard aspect of the user login process. These are easy-to-use tools that users can take advantage of, which help add more protective layers to a device.

Assessing the Risks

As a security team, assessing the overall risk present in your organization’s current environment is a top priority. From checking for potential cyberthreats to monitoring and evaluating endpoints to ensure there are no exposures – it’s important that teams do their due diligence and conduct a comprehensive risk assessment. Teams need to make risk assessments a routine aspect of their overall security strategy, as new risks are always popping up. To do so in a proper and timely manner, better visibility is required, and teams should get into a habit of red teaming and leveraging automation for response and remediation. McAfee MVISION Endpoint Detection and Response (EDR) can also help teams get ahead of modern threats with AI-guided investigations that surface relevant risks, as well as automate and remove the manual labor of gathering and analyzing evidence.

Once a risk assessment has been done, security teams must take immediate action on the results. After potential threats are identified and analyzed with the help of McAfee MVISION EDR, teams must work to correct any potential negative impact these risks may have on an enterprise, resources, individuals, or the endpoint environment. By leveraging a centralized management tool, enterprise teams can do just that — reducing alert noise, elevating critical events, and speeding up the ability to respond and harden endpoints when risks or areas of exposure are identified.

Utilizing Advanced Security Solutions

To cover all the bases, it is vital teams leverage multiple endpoint security solutions that have proactive technology built-in and are collaborative and integrative. Take McAfee MVISION Endpoint and MVISION Mobile for example, which both have machine learning algorithms and analysis built into their architecture to help monitor and identify malicious behavior. Additionally, McAfee Endpoint Security delivers centrally managed defenses, like machine learning analysis and endpoint detection, to protect systems with multiple, collaborative defense and automated responses.

Advanced security solutions bring an endpoint security strategy full circle. Take the time to research and then invest in technology that is suitable for your enterprise’s needs. Growth does not have to be hindered by security, in fact having the two work in tandem will ensure longevity and stability.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.

The post Maintaining Effective Endpoint Security 201 appeared first on McAfee Blogs.

Easier Management with Integrated Endpoint Security

Integration matters. We at McAfee have been advocating the administrative benefits of integrated, centrally managed endpoint security for decades, but you don’t just have to take our word for it. A recent independently written article in BizTech Magazine concurs.

BizTech explores technology and business issues that IT leaders and business managers face when they’re evaluating and implementing solutions. In “Businesses Find Endpoint Security Easier to Manage with Integrated Solutions,” journalist Kym Gilhooly references a number of independent security surveys as well as interviews a CISO, an IT manager, and a network administrator at three different companies. Each of these cybersecurity professionals and their respective small and medium-sized companies came to the conclusion that, to defend against today’s breadth of threats—from signature-based to zero-day, known and unknown— an integrated security approach combining endpoint detection and response (EDR), next-generation antivirus, and application control makes more sense than deploying discrete solutions.

Uniting these technologies in one integrated solution has allowed them to take action across the threat defense lifecycle—from detecting and blocking threats and whitelisting critical applications to tracking down malicious exploits during or before execution and helping incident response teams respond and remediate faster. As CISO Tony Taylor of dairy company Land O’Lakes points out in the article, “There are lots of security tools out there, but if you don’t integrate the stack, you’ve got to associate all that information and make the connections yourself.”

EDR Becoming an Integral Component of Endpoint Security

All the companies interviewed by Gilhooly affirm the importance of EDR in their security defense. As an IT manager at a 500-employee retail company states in the article, “The days when IT took a set-it-and-forget-it approach to endpoint security are over.” The ability to quickly investigate threats—whether reactively seeking to understand where a threat originated, how it spread and what damage it caused, or proactively hunting for anomalous behavior and dormant threats—is becoming a must-have tool to shrink the response and remediation gap.

What’s more, the article recognizes that an integrated EDR-EPP (endpoint protection software) solution makes much more sense than bolting on an EDR point solution. That’s because EDR and EPP can enhance each other’s effectiveness. For instance, if a company uses McAfee Endpoint Security or SaaS-based McAfee MVISION Endpoint alongside McAfee MVISION EDR, when the EPP part of the integrated solution detects anomalous behavior on an endpoint—but not enough to convict it—an analyst can use EDR to enrich the data, subsequently raising or lowering the incident’s severity ranking. On the flip side, when the EDR part detects an unknown threat in the environment, the analyst can query the threat reputation database and share new threat information instantly across endpoints via the EPP.

The more cyberdefense tools can collaborate and be managed as a unified solution, the more actions can be automated, IT staff burdens reduced, and time freed up for more proactive forensics and other activities.

In short, the BizTech article reiterates what we’ve been saying: Integration is more than just a buzzword. It’s time to stop thinking about EDR as an add-on, or EPP and EDR as separate entities. It’s also time to start moving endpoint security to the cloud. The article touches on that, too.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.





The post Easier Management with Integrated Endpoint Security appeared first on McAfee Blogs.

7 Questions to Ask Your Child’s School About Cybersecurity Protocols

Just a few weeks into the new school year and, already, reports of malicious cyberattacks in schools have hit the headlines. While you’ve made digital security strides in your home, what concerns if any should you have about your child’s data being compromised at school?

There’s a long and short answer to that question. The short answer is don’t lose sleep (it’s out of your control) but get clarity and peace of mind by asking your school officials the right questions. 

The long answer is that cybercriminals have schools in their digital crosshairs. According to a recent report in The Hill, school districts are becoming top targets of malicious attacks, and government entities are scrambling to fight back. These attacks are costing school districts (taxpayers) serious dollars and costing kids (and parents) their privacy.

Prime Targets

According to one report, a U.S. school district becomes the victim of a cyberattack as often as every three days. The reason for this is that cybercriminals want clean data to exploit for dozens of nefarious purposes. The best place to harvest pure data is schools, where social security numbers are usually unblemished and go unchecked for years. At the same time, student data can be collected and sold on the dark web. Data at risk include vaccination records, birthdates, addresses, phone numbers, and contacts used for identity theft.

Top three cyberthreats

The top three threats against schools are data breaches, phishing scams, and ransomware. Data breaches can happen through phishing scams and malware attacks that could include malicious email links or fake accounts posing as acquaintances. In a ransomware attack, a hacker locks down a school’s digital network and holds data for a ransom. 

Over the past month, hackers have hit K-12 schools in New Jersey, New York, Wisconsin, Virginia, Oklahoma, Connecticut, and Louisiana. Universities are also targeted.

In the schools impacted, criminals were able to find loopholes in their security protocols. A loophole can be an unprotected device, a printer, or a malicious email link opened by a new employee. It can even be a calculated scam like the Virginia school duped into paying a fraudulent vendor $600,000 for a football field. The cybercrime scenarios are endless. 

7 key questions to ask

  1. Does the school have a data security and privacy policy in place as well as cyberattack response plan?
  2. Does the school have a system to educate staff, parents, and students about potential risks and safety protocols? 
  3. Does the school have a data protection officer on staff responsible for implementing security and privacy policies?
  4. Does the school have reputable third-party vendors to ensure the proper technology is in place to secure staff and student data?
  5. Are data security and student privacy a fundamental part of onboarding new school employees?
  6. Does the school create backups of valuable information and store them separately from the central server to protect against ransomware attacks?
  7. Does the school have any new technology initiatives planned? If so, how will it address student data protection?

The majority of schools are far from negligent. Leaders know the risks, and many have put recognized cybersecurity frameworks in place. Also, schools have the pressing challenge of 1) providing a technology-driven education to students while at the same time, 2) protecting student/staff privacy and 3) finding funds to address the escalating risk.

Families can add a layer of protection to a child’s data while at school by making sure devices are protected in a Bring Your Own Device (BYOD) setting. Cybersecurity is a shared responsibility. While schools work hard to implement safeguards, be sure you are taking responsibility in your digital life and equipping your kids to do the same. 


The post 7 Questions to Ask Your Child’s School About Cybersecurity Protocols appeared first on McAfee Blogs.

Analyst Fatigue: The Best Never Rest

They may not be saying so, but your senior analysts are exhausted.

Each day, more and more devices connect to their enterprise networks, creating an ever-growing avenue for OS exploits and phishing attacks. Meanwhile, the number of threats—some of which are powerful enough to hobble entire cities—is rising even faster.

While most companies have a capable cadre of junior analysts, most of today’s EDR (Endpoint Detection and Response) systems leave them hamstrung. The startlingly complex nature of typical EDR software necessitates years of experience to successfully operate—meaning that no matter how willing the more “green” analysts are to help, they just don’t yet have the necessary skillset to effectively triage threats.

What’s worse, while these “solutions” require your top performers, they don’t always offer top performance in return. While your most experienced analysts should be addressing major threats, a lot of times they’re stuck wading through a panoply of false positives—issues that either aren’t threats, or aren’t worth investigating. And while they’re tied up with that, they must also confront the instances of false negatives: threats that slip through the cracks, potentially avoiding detection while those best suited to address them are busy attempting to work through the noise. This problem has gotten so bad that some IT departments are deploying MDR systems on top of their EDR packages—increasing the complexity of your company’s endpoint protection and further increasing employee stress levels.

Hoping to both measure the true impact of “analyst fatigue” on SOCs and to identify possible solutions, a commissioned study was conducted by Forrester Consulting on behalf of McAfee in March 2019 to see what effects current EDRs were having on businesses, and try to recognize the potential for solutions. Forrester surveyed security technology decision-makers, from the managers facing threats head-on to those in the C-suite viewing security solutions at the macro level in relation to his or her firm’s financial needs and level of risk tolerance. Respondents were from the US, UK, Germany or France, and worked in a variety of industries at companies ranging in size from 1,000 to over 50,000 employees.

When asked about their endpoint security goals, respondents’ top three answers—to improve security detection capabilities (87%), increase efficiency in the SOC (76%) and close the skills gap in the SecOps team (72%)—all pointed to limitations in many current EDRs. Further inquiry revealed that while 43% of security decision makers consider automated detection a critical requirement, only 30% feel their current solution(s) completely meet their needs in this area.

While the issues uncovered were myriad, the results also suggested that a single solution could ameliorate a variety of these problems. The introduction of EDR programs incorporating Guided Investigation could increase efficiency by allowing junior analysts to assist in threat identification, thereby freeing up more seasoned analysts to address detected threats and focus on only the most complex issues, leading to an increase in detection capabilities. Meanwhile, the hands-on experience that junior analysts would get addressing real-life EDR threats would increase both their personal efficiency and their skill level, helping to eliminate the skills gaps present in some departments.

To learn more about the problems and possibilities in the current EDR landscape, you can read the full “Empower Security Analysts Through Guided EDR Investigation” study by clicking here.

The post Analyst Fatigue: The Best Never Rest appeared first on McAfee Blogs.

Don’t Silo Your Endpoint Security Roadmap

If there’s a gap, you bridge it; if there’s a hole, you plug it. These are simple musts that businesses have to follow – they need to right wrongs and adjust processes to create better outcomes. The same thing goes for the security teams tasked with safeguarding these organizations, who know they must always bridge the gap between exposed and secure. These security teams know that in order to plug any holes they must at minimum apply standard endpoint security to their infrastructure. While most teams know one solution can’t be the be-all and end-all for their strategy, many are still slow to adopt new technologies into their defense strategy. Here’s why.

Outdated Adoption Mindsets

I meet a lot of security professionals who are aware a better mousetrap exists, but feel as though the pains of making a change outweigh the advantages of better detection or threat detail. I get it, I’m up against my own list of critical projects and nice-to-have things that are difficult to move to the top of the list. Maybe that’s why so many businesses are stating they intend to adopt next-gen technologies but are struggling with the expertise to move ahead with a product or deploy it.

When it comes to getting more tactical against the latest generation of threats that are designed to evade detection, the natural next step for these teams is to add a product like McAfee MVISION EDR. This type of product is top of mind for many right now, as 82% of IT leaders say they don’t have the visibility they need. As a threat hunting tool, EDR tells security teams how exactly threats entered an environment, what these threats did while inside, and how teams can pivot to action against them now and prevent similar attacks from happening again. The value of the EDR might be understood, but adopting it is usually hindered by pre-existing mindsets.

Many security professionals out there think of products such as McAfee ENS and McAfee MVISION EDR as two separate entities. The same thing goes for solutions such as DLP and CASB. These teams often adopt one solution at a time, with the hope of eventually being able to collect them all one day. Compounding this issue, many fear they’re going to overwhelm existing staff with all the new training and education required for proper adoption. But therein lies the problem – these solutions shouldn’t be viewed as a burden or as mutually exclusive, given that accurate threat protection in today’s modern threat landscape relies on multiple success factors working together at the same time. Adoption should be holistic and simultaneous.

The Importance of Integration

Just like one size typically doesn’t fit all, one solution cannot address all threats. That means your defense strategy shouldn’t rely on just one defense or detection method to protect every user from every kind of threat. Therefore, security teams need to clear out old notions and start looking at solution adoption with the idea of integration and a platform that is sustainable for the long term, not just a product. In other words, by achieving the right convergence of solutions, teams will establish a holistic security posture for their organization, ultimately positioning it for success.

So, what does this blend of solutions look like? To cover all the bases, organizations should look toward adopting solutions designed with collaboration and integration in mind. Take McAfee’s EPP, for example, which is built with the future in mind. Our cloud-first MVISION products are designed to help you transform your IT environment. Specifically, our EDR solution is designed to meet you where you are with AI-guided investigations, detecting and remediating both opportunistic and targeted attacks.

The more defense solutions can work together, the more actions can be automated and burdens can be reduced for the IT staff. So, instead of making your buying decision in order to fill a gap in today’s environment, make sure you buy with tomorrow’s gaps in mind. Focus on how the product you buy today will work or not work with the purchases you make in the future. From there, security will move beyond a simple must, becoming second nature.


To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.

The post Don’t Silo Your Endpoint Security Roadmap appeared first on McAfee Blogs.

FaceApp: The App That Ages Your Employees and Your CIO

Bring Your Own Device (BYOD) is one of the defining characteristics of the modern mobile workforce, but it’s also a weakness many businesses aren’t paying enough attention to. It’s likely many corporate BYOD users have downloaded a hot new app named FaceApp. An AI face editor, this app is rising in popularity all thanks to the FaceApp Challenge — where people leverage the app’s old age filter to appear elderly in photos and post the results on social media. However, the application has also drummed up some discussions around its current privacy permissions,

Sharing More Than Just a Laugh

Though the company has stated no malicious intent, it’s still questionable if access to other data has been given without permission from these users. In any event, the scenario is one that keeps security practitioners up at night. Unsecured mobile devices are an easy entry point to spread malware, obtain credentials and gain access to corporate systems that contain even more sensitive data.

From FaceApp to Fending Off Threats

With apps creating gateways to corporate data, employees need to ensure all their devices have an extra layer of security added. To safeguard an organization’s network, lock down any corporate data, and ensure your CIO can get a decent night’s rest, teams should adopt an agile and intelligent security solution which treats mobile devices like any other endpoint. McAfee MVISION Mobile provides an always-on defense for iOS and Android devices and analyzes deviations in device behavior to make determinations about indicators of compromise and accurately identify advanced threats. For those who are transitioning to a more tactical threat hunting role and exploring Endpoint Detection and Response (EDR) tools, ignoring mobile security, or using an approach that doesn’t integrate with endpoint platforms and EDR tools, will pose another problem – a window of opportunity for threat actors. Mobile security is more than just a checkbox for an elevated approach to security. Like a good soldier on the frontlines who notifies his commander of the enemy’s approach, mobile security needs to elevate alerts to the Security Operations team. EDR that relies on manual correlation of mobile defense alerts or observations will extend the opportunity for an attacker to move from the mobile device to more critical systems.

Before the next FaceApp challenge emerges, I encourage you to evaluate your mobile device coverage. Is it automating actions and moving quickly when malicious apps or connections attempt to reach your corporate network through a mobile device? Does your current approach to mobile security elevate critical events to your security team? If not, it might be time to consider a more integrated approach that elevates your security posture with the insights to identify the next potential threat before it becomes a headline.


The post FaceApp: The App That Ages Your Employees and Your CIO appeared first on McAfee Blogs.