Category Archives: Endpoint security

How Safe Is Your Endpoint From Cyber Attack

In the current business environment, any device that can connect to a network is termed as “endpoint” from desktops, laptops, tablets, smartphones and, more recently, IoT devices. As devices evolve, threats continue keeping its pace. Unfortunately, today’s firewalls and antivirus are not strong enough to cope with the ever-changing environment of a business. Endpoints are now exposed to ransomware, phishing, malicious advertisements, software subversion, and other attacks. Not to mention that attackers use zero-day attacks that use previously unidentified vulnerabilities to send malicious programs to endpoint computers.

How do today’s businesses protect against these malicious threats? First, before choosing the right Endpoint Protection (EPP) platform, companies need to gain a deeper knowledge of “endpoints”.

Unknown files that trigger the change

According to a recent study by Comodo Cybersecurity, over the past five years, unknown files, a potentially malicious and unrecognizable executable, have exploded. Every day, more than 300,000 malicious files are detected. Managing new or unknown files is one of the most important features of an EPP.

Most EPP products use a trust-based assumption, called ‘default allow posture’ for new or unknown files. This method allows files to have unlimited write privileges to system files, in addition to known bad files. This means that files not identified as bad must be good or secure. As you can imagine, one of the biggest problems with the “default allow” security feature is that cybercriminals are constantly developing new variants to avoid detecting on the endpoints. This can expose companies to threats for days, weeks, or even months before they are detected.

Sandbox and beyond

In order to successfully fight cyber criminals, many EPP vendors have integrated sandbox technology into their products to combat malicious software. For those who are unfamiliar, the sandbox is an isolated virtual environment that mimics the endpoint operating environment to safely run unknown files without the risk of damaging host or network devices.

This solution is gradually losing its effectiveness. Cybercriminals create threats that can detect when security cages (sandbox) are being used and automatically take action to prevent detection. In addition, sandboxes are becoming increasingly resource intensive and complex, slowing down their ability to handle threats without compromising productivity.

The Need for a Zero Trust Architecture

As cybercriminals are using the Default Allow approach to their benefit, while also modifying these variants to bypass sandboxes, companies need a better solution. The obvious answer is to adopt a Zero Trust architecture, where unknown executables are never trusted and always verified, without impacting user productivity. To successfully achieve a Zero Trust architecture, 100% of unknown files must be instantly contained and analyzed in the cloud and by humans to prevent breaches. Additionally, the business still needs to operate, and users should not have to experience productivity loss or impact. Successfully achieving a Zero Trust architecture will bulletproof your business from damage.

With cybercriminals taking advantage of the default allow approach and modifying that variant to avoid isolated spaces, businesses need a better solution. The obvious answer is the adoption of the Zero Trust architecture, where unknown executables are verified without compromising user productivity. To successfully achieve the zero trust architecture, 100% of the unknown files must be immediately loaded and analyzed in the cloud and by individuals to avoid violations. In addition, the company must continue to operate and users do not have to suffer productivity losses or impacts. Successfully reaching the Zero Trust architecture ensures that your business is safe from cyber attack.

Best Practices for Evaluating EPP

Protecting the endpoints of malicious software is one of the most important aspects of securing a company’s IT resources. Endpoint protection must be part of a holistic IT security approach in which perimeter network security solutions secure the boundary between internal networks and service provider networks, and endpoint security further reduces the risk of threats or malicious activity affecting IT operations.

The first step in choosing an EEP solution is evaluating the needs of the business, which should include capacity and scalability, compliance, budget, and policies. The next step is to closely examine the capabilities, which should include, but is not limited to centralized management, threat detection and blocking, unknown file handling, file reputation scoring and support to achieve a Zero Trust architecture.

Choosing the right EPP

In addition to these best practices, Gartner recently released a research paper that strongly recommends that security managers and risk managers conduct a thorough concept to accurately determine the endpoint protection platform that is better suitable.

Related Resources:

Best Endpoint Protection Software

Endpoint Security : Why Is Endpoint Protection Good?

The post How Safe Is Your Endpoint From Cyber Attack appeared first on .

Top Security and Risk Management Trends Unveiled at Gartner Security and Risk Management Summit 2019

Standing at the shores of the Potomac, The Gaylord National Resort and Convention Center National Harbor is gearing up to host the 2019 Gartner Security and Risk Management Summit June 17-20. On in its 24th year, this event is the premier gathering of security, risk management and business continuity management leaders.

In the Digital Age, IT security is everyone’s business and Cisco is looking forward to continuing our tradition of being a Premier sponsor and sharing the latest innovations to improve your security posture and mitigate risk.

Whether you are a CISO looking to network with peers and improve your leadership skills or a security professional looking for practical advice – Cisco has a you covered.

 

JOIN US ONSITE

Private Meetings

Want to talk strategy? Cisco executives and subject matter experts will be available for private meetings. Please get in  contact to schedule a meeting.

 Discount Code

Use priority code SECSP25 and receive $350 off your conference registration.

Cisco Booth 409

Will feature giveaways and demos including:

Featuring:

  • Endpoint Security
  • Advanced Malware Protection (AMP) and Cisco Threat Response
  • Secure Internet Gateway and SD-WAN
  • Cisco Umbrella, Cisco Cloudlock and Cisco Web Security Appliance (WSA)
  • Zero Trust
  • Duo Security, Now Part of Cisco
  • Network and Cloud Security Analytics
  • Stealthwatch
  • NGFW and NGIPS
  • Firepower and Cisco Defense Orchestrator
  • Workload Protection
  • Application and Workload Security

 

Networking Welcome Reception

Monday, June 17, 2019 | 5:45 p.m. – 7:30 p.m.

Location: Exhibit Showcase

Join us in the Exhibit Showcase for a special circus-themed reception where you can engage with your peers, Gartner Analysts, and exhibitors while enjoying delicious food and beverages, fun games, raffle drawings, and lively entertainment. Also, don’t miss a chance to get a sneak peak at the motorcycle we’ll be raffling off on Wednesday.

Hospitality Suite: Cisco Hog Wild

Wednesday, 5:45 p.m., National Harbor 5

All attendees are invited to cruise over for a night of blues, beer, BBQ, and a chance to win a 2019 Harley-Davidson Softtail Street Bob motorcycle!

Cisco Sessions

SPS13: The Tectonic Shift in Security

By: Gee Rittenhouse, Jeff Reed

Monday, June 17, 2019, 3:15–4 p.m. | Potomac C

Securing today’s modern work environment is increasingly complicated. As technology shifted to lean into the digital business transformation, a new architecture built for a multicloud environment was required. Cisco will discuss the multi-domain architecture needed to securely connect every user, on every device, on every network, to every application.

 

TH5: Threat Research – Fighting the Good Fight

By: Joel Esler

Monday, June 17, 2019, 1:15–1:40 p.m. | Theater 1, Exhibit Showcase, Prince George’s Hall D

Exploitable vulnerabilities exist. It’s a fact of life in the modern work environment. Attackers are achieving greater ROI with every attack. The counterpunch is threat intelligence. Cisco will discuss the future of threat, the evolving threat landscape and the inescapable need for automated threat intelligence as part of your security architecture.

 

ETSS3: Building Zero Trust Security Solutions

By: Wendy Nather, Ash Devata

Monday, June 17, 2019, 11:30 a.m.-12 p.m. | Chesapeake 3

Call it “zero trust” or “an initial step on the road to CARTA” – we know the classic design patterns of security have to change. In this session, we’ll talk about different ways to build on the fundamentals of “zero trust,” working together with partners in stages to create better and more usable security.

 

ETSS15: Future of the Firewall

By: Bret Hartman, Houda Soubra

Tuesday, June 18, 2019, 10:45–11:15 a.m. | Chesapeake 5

The digital transformation underway in many organizations poses an increasing challenge to security operations. Secure your hybrid environments of edge, end point and cloud with a single orchestrator solution to: Streamline policy design and enforcement; automate administrative tasks; improve accuracy; and reduce deployment time.

 

ETSS17: Designing Security for the Future of Your Network

By: Meg Diaz

Tuesday, June 18, 2019, 3:30–4 p.m. | Chesapeake 2

With the explosion of cloud apps, the move to highly distributed environments (SD-WAN, anyone?), and an increase in mobile workers, the threat landscape isn’t standing still. Learn more about what your peers are experiencing, a new approach to secure roaming users/branch locations, and how Cisco is evolving security to address these challenges in innovative ways.

 

ETSS23: Workload Security and Visibility

By: Vaishali Ghiya

Wednesday, June 19, 2019, 10:45–11:15 a.m. | Chesapeake 3

Technologies like virtualization, SDN are rapidly rolling out new applications and services. Modern applications no longer reside just within a company’s physical data center but also deploy across a multicloud environment. Learn how to 1) protect workloads 2) deliver a zero-trust security approach with deep visibility and multi-layered segmentation.

View the full agenda here. Don’t forget to download the conference app so that you don’t miss a beat!

 

Follow us and join the conversation on TwitterFacebookLinkedIn.

See you there!

The post Top Security and Risk Management Trends Unveiled at Gartner Security and Risk Management Summit 2019 appeared first on Cisco Blog.

Staying Ahead of ‘Andromeda-Style’ Threats in Your Environment


Why rapid attack containment and a short remediation cycle matter

When a new threat gets in the environment, a security incident could unfold very quickly. Detecting the compromise and taking control of the infected endpoint fast is not only critical to preventing the spread of the threat, it is also vital to shrinking the remediation cycle time and cost.

 

Lessons learned from the ‘Andromeda Strain’

It only takes a single unknown threat getting a foothold in your network for a damaging incident to cause immeasurable harm to the business. Next thing you know, you’re living Michael Crichton’s “Andromeda Strain,” battling a contagious virus you don’t fully understand. And, like Crichton’s protagonists, you know that the longer you allow the threat to run wild, the more havoc it will wreak.

A little fun fact: when Crichton unleashed his fictional extraterrestrial virus bent on destroying Earth in the “The Andromeda Strain” 50 years ago, the best-seller launched his blockbuster career. The deadly outbreak in the novel started when a military satellite introduced the virus from space, leading scientists on a hair-raising quest to contain it. Andromeda killed nearly instantly. If it didn’t, it wouldn’t be worth a movie and a series years later, after all.

Destroying the mutating Andromeda microbe was a matter of life or death. Containing a rogue endpoint? Maybe not. But with every hour or day, an infection that roams inside your network is driving up your remediation costs. As the attack’s footprint grows, so does the potential of escalation to a full-blown data breach.

 ‘Time to remediation’ the new name of the game

The days when mean time to detection (MTTD) was a top cybersecurity KPI have gone the way of legacy AV. Certainly, fast detection is imperative. But that’s not your inflection point. Especially if you’re finding yourself in an Andromeda-type scenario where you have no idea what you’re dealing with.

The containment phase is where you can start taking control from the bad guys and limiting the damage — and avoiding a long, expensive remediation cycle.

In our annual CISO benchmark survey, the number of respondents using MTTD as a metric has decreased from 61% in 2018 to 51% in 2019. For 48% of CISOs, mean time to remediate (MTTR) is the top indicator of cybersecurity posture, compared to 30% in 2018. This shift in focus to rapid incident response and mitigation indicates a strategic change, but a SANS incident response report suggests that it’s also a struggling point. Although 53% of the SANS respondents said they detected incidents within 24 hours, it took the majority (61%) two or more days to remediate.

Turning the table with Cisco AMP for Endpoints

The majority of security incidents, as well as data breaches, involve either malware or an evolved form like ransomware. SANS found that for 37% of organizations, containment takes at least two to seven days. How much mayhem can malware cause in that window? Think WannaCry.

With Cisco AMP for Endpoints, you can rapidly contain the attack by isolating an infected endpoint, so you can stop the threat from spreading. Drastically reducing the footprint of the attack, you can accelerate incident investigation and response, while shrinking remediation costs. Here’s how it works:

  • From the endpoint connector, isolate an infected endpoint through the cloud console.
  • The endpoint is removed from the network while maintaining communication with the cloud console — you have complete control of the host and the logging and forensic data.
  • Automatically trigger endpoint isolation through automation APIs.
  • Quickly reactivate the host once you return it to a clean state.

Dealing with the ‘comeback kid’

Threat actors, sadly, don’t take a hint. Like way too many movies and TV shows from the ‘90s, they keep coming back.

Your job is to successfully contain and clean up an infection. The attacker’s “job” is to keep trying. In fact, in the SANS survey, 26% of respondents said they’ve been breached by the same actor more than once.

The challenge is two-fold. On one side is the increased threat complexity. On the other, according to an ESG Research survey, is the heterogenous nature of the defense tools and the manual processes. The survey found that 76% of security pros felt that threat detection and response is more difficult now than two years ago, primarily due to the volume and sophistication of the threats. Almost half agreed or strongly agreed that the process and tooling around detecting and responding to threats are limited, with 64% identifying manual processes as the challenge; and 66% struggled because of the multiple independent point tools.

A few highlights of how Cisco AMP for Endpoints can address these challenges:

  • Delivers prevention, detection and response capabilities in one solution.
  • Helps you respond to incidents in hours instead of days or months.
  • Enables you to proactively hunt for the riskiest 1% of threats.
  • With retrospective security, it blocks threats as soon as they begin to act maliciously, even if they seemed benign when they entered the endpoint.
  • You only have to spot a threat once — with our shared intelligence and integrated security architecture, it is blocked anywhere else across the environment.

You never know when you’re facing your next Andromeda. Don’t delay – boost your ability to rapidly contain threats. Learn more or start today with the free trial of Cisco AMP for Endpoints.

The post Staying Ahead of ‘Andromeda-Style’ Threats in Your Environment appeared first on Cisco Blog.

Why Removing Admin Rights Closes Critical Vulnerabilities in Your Organization

First of all, let’s clear up any confusion the title might have brought on: this is not about removing admin rights forever, for everyone but yourself or anything like that. This is about making the removal of admin rights the default setting in your organizational network.

After making sure every employee but a few system administrators have a user profile instead of an admin one, the administrative rights should be managed by a case by case basis.

Since we recently launched our automated admin rights privilege management software, Thor AdminPrivilege™, I decided it would be the perfect time to dive in-depth into this topic.

Here is our best guide on how removing admin rights improves your security on all counts and how to be effective about it (regardless of whether you use our software or not).

What you can expect to find in the following guide:

  • Why free admin rights are dangerous (for both internal and external threats)
  • The vulnerabilities which get closed by removing admin rights
  • How risks are minimized by closing admin rights
  • Data and real-world examples
  • Best practices for minimizing risks derived from admin privileges

Ready? Let’s go!

Managing Admin Rights for Neutralizing Insider Threat

You may already be familiar with the concept of neutralizing insider threat by managing admin rights.

First of all, as a disclaimer, you should know that removing admin rights for regular users inside your organization doesn’t completely eliminate risks associated with insider threat. You can’t control for everything a user might be doing which is dangerous just by deescalating their administrative rights on their endpoint.

There are still plenty of risky things which an employee can do, both intentionally and unintentionally, even without admin privileges. These include:

  • Setting a weak password or a password they also use for other personal accounts;
  • Sharing their password with others, who might be targeting the employee for malicious purposes;
  • Clicking unsafe links from emails or the web;
  • Giving protected information to malicious third parties, because of a scam (like CEO fraud) or intentionally;
  • Snooping through the files on a colleague’s workstation when they leave it unattended (risky especially if the colleague has access to more sensitive data than they do);
  • Inserting an infected USB stick or external hard drive into a work station.

Still, removing admin rights by default is often a bare minimum for reducing insider threat considerably. While not a lot of people know that removing admin rights still doesn’t prevent all insider threat risks, almost everyone knows it’s a good thing to do, security-wise.

Here are just some of the risks derived from granting everyone admin privileges. As you’ll see, a user can do even more harm to your organization if they do have access to full administrative rights. Such things include:

  • Installing malicious apps like spyware or malware meant to steal money, data or disrupt activities;
  • Creating back-doors for third parties to install malicious apps or to hijack the systems;
  • Access or export sensitive data which can then be further mishandled;
  • Creating changes to lock legitimate users out of the systems;
  • Publishing misleading or embarrassing content in order to cause a PR crisis etc.

Of course, this doesn’t mean that the user would willingly do all of these things, but it’s something which hackers could accomplish by tricking a user with admin privileges. The trick could be accomplished by almost anything – a spam email, a USB stick which the hackers replaced with one of their own and so on.

So why then do some organizations still allow default administrative rights to their users? Because they are still succumbing to some dangerous myths about admin privileges:

  • Only employees who hate us could cause harm and we get along well with all employees;
  • We have anti-virus and a firewall installed so we’re fine, there’s no harm they could do;
  • If admins need to approve all requests they will lose a ton of time;

I have to admit that there may be a grain of truth in some of the myths above, but not in the way people who buy into these myths may think. For example, it does indeed help to have an anti-virus solution and firewall installed, but it’s not enough.

Also, it is true that admins lose a bit of time approving admin rights requests but that’s nothing compared to the risk they help avoid and, more importantly, the time waste can be completely avoided by using an admin rights management software (like our Thor AdminPrivilege™).

Managing Admin Rights for Neutralizing External Threat. Vulnerabilities Closed by Removing Admin Rights

Few people know this, but removing admin rights and granting them only upon request and within a specific time frame can help close external threats too. It’s not just about managing insider threat. It’s also about closing security gaps which are often found in common B2B software, operating systems and so on.

Such systemic vulnerabilities are often discovered and patched without a breach having to happen for security researchers to become aware of the threat. But other times, unfortunately, the vulnerabilities are discovered by hackers and exploited before they can be patched up.

So, what can you do to avoid your company becoming the next news-worthy example of a breach?

Removing admin privileges from your organization is the immediately effective, most powerful protective measure you can take.

Examples of data breaches done by hackers exploiting system vulnerabilities

Just to give you a better idea about the scope of the danger, here is what you should be aware of.

  • 63% of all data breaches come from weak or stolen passwords – if users didn’t have admin privileges, this would not be so dangerous;
  • 74% of all data breaches come from the abuse of accounts with admin privileges;
  • In a notoriously bad decision, Equifax used ‘admin’ as the username and password of a database, leading to a huge data breach;
  • Deloitte had a data breach in 2017 by having accounts with admin privileges compromised;
  • Facebook has been all over the news with scandals and data breaches and leaks derived from mishandling of admin rights;
  • Linksys routers leaked all historic records in May 2019 because that was their default admin setting;
  • Marriot had the financial data of over 400 million users stolen over a time window of 4 years – if unauthorized access was tracked better through admin rights management, the breach would have been discovered sooner;

I could go on, but I think you have a better picture now of what happens when administrative rights are mishandled. You can probably see news of data breaches pop up in the news all the time, but while you learn the tech details and methods used by hackers (DNS hijacking, a Trojan, good old malware, etc.), you rarely hear how it all began and how the hackers gained access in the first place: through abusing an account with administrative privileges.

Systemic vulnerabilities which can be closed by removing admin rights from users

Besides classic insider threat scenarios, there are also system vulnerabilities which can be easily abused from a fully-privileged account.

An analysis over Microsoft security revealed that the number of Microsoft vulnerabilities ranked as ‘critical’ is up and running, increasing by 29% over a period of 6 years (from 2013 to 2018). In 2018, there were over 700 vulnerabilities reported for various Windows OS versions.

Only 272 vulnerabilities are reported for 2019 at the time of me writing this article (June 2019), but it’s still a huge figure. This doesn’t mean that Microsoft products are bad or unsecure, on the contrary. But system vulnerabilities are inevitable in products with this kind of a user pool and with hackers working tirelessly to find loopholes in them.

Since risk is inevitable, the only way to mitigate it is to remove admin privileges for regular users and only grant them upon request and for a limited time frame.

Best Practices for Managing Admin Rights Securely

Here are a few best practices for managing your admin rights safely and in a most productive way for both your users and your system administrators.

#1. Nurture an environment of ‘least privileges’ possible

Important: Please note that we encourage you to create a security stance of ‘least privileges’, but not necessarily a company culture of ‘need to know basis’. Internal transparency makes employees see beyond their own little grid, understand the purpose of their individual tasks and contribute toward the end goals more effectively. So, except the cases where you are dealing with really sensitive info, don’t fall into the trap of creating a company culture based on secrecy or your overall productivity will drop.

#2. Automate the escalation and de-escalation of admin privileges

Automation is by far the most effective way to escalate and de-escalate admin privileges for all endpoint users within the organization, without occupying most of the sys admins time with these tasks.

A reliable admin rights management software (such as our Thor AdminPrivilege™) not only automated the process of requesting admin rights permission (from the user’s side) and granting or not granting them (from the admin’s side), but it also uses intelligence from our cybersecurity suite to flag down endpoints with suspicious activity and to make endpoint quarantine easier.

#3. Make sure administrators follow up on each case unless de-escalation is automated

If you’re going to stick to the manual work for escalating and deescalating admin rights, at least make sure that whenever admin rights privileges are granted to a user, the admins then follow up to deescalate the rights shortly.

The recommended time window is 5 to 15 minutes since that’s enough for the user to install whatever software they need. We also recommend that the system administrator oversees exactly the software that will be installed, because since the admin rights management is not automated there is the risk of unwittingly installing a corrupted file.

#4. Make sure there are procedures in store for endpoint quarantine

What happens if an account gets breached by insider threat? Can you ensure that there’s no way that account can perform any actions which could have consequences for the security of your company?

Make sure your internal policy and technical safety measures allow your system admins to deescalate any privileges fast and further quarantine the compromised endpoint. Of course, an automated admin rights management software can do that faster and more effectively, but it’s not impossible to be done manually either.

#5. Make sure the super-user accounts are also secured

By super-user accounts I mean the accounts of system administrators who have the privileges to install any software, access any data, escalate or de-escalate the admin rights of other users and so on.

While it’s important to have one or more system administrators to manage the rights of the other users in the organization securely, you must set in place procedures for securing their accounts as well. In the event that one of the admins has their own account hacked, how well will your organization be able to handle the crisis?

The best way to go about it is to talk with your CTO and sys-admins about establishing a crisis management procedure especially for this kind of scenario. Include priorities such as making the activity of system admins transparent for other system admins, allowing the system to trace back their steps (leave breadcrumbs) for accountability, preventing administrative tasks from being done remotely, and allowing the other admins to de-escalate the compromised admin account fast in case of a breach.

Wrapping it up

If you’re currently offering admin privileges to all users or some users within your organization, go review the status of these rights ASAP. Create a map of user admin privileges and a procedure for granting them. Removing admin rights by default is the bare minimum you need to do to secure your organization from critical vulnerabilities related to insider threat.

Use a specialized software for managing admin rights securely, like our Thor AdminPrivilege™. Be vigilant: while trusting your employees, limit the damage that a hacker could do if they breach an employee account.

Have more than one admin account and allow admins to contain the damage if one of the super-user accounts gets compromised. Stay up to date with the latest threats and practices (for example, by checking back here and reading our blog). Make sure the rest of your cybersecurity system is ready for any challenge by setting up a multi-layered approach.

Removing admin privileges is but a first step to getting more secure, but it’s an essential one. As long as you do it ASAP and create a coherent internal policy for admin rights escalation, you’re definitely on the right track!

The post Why Removing Admin Rights Closes Critical Vulnerabilities in Your Organization appeared first on Heimdal Security Blog.

How to build a strong cloud network security strategy

Estimated reading time: 2 minutes

While enterprises often focus on building strong, robust cybersecurity interfaces for their in-house networks, cybersecurity for cloud networks is a whole different ballgame. Yet, enterprises cannot avoid the advantages of doing their business on the cloud – the sheer convenience and the flexibility offered are perks which all enterprises want to embrace. That also means that while embracing the advantages, they must also build a strong cloud network security strategy to safeguard their defenses.

Some of the key points that need to be considered when creating a strong cloud network security strategy include:

A layered approach – Cybersecurity is a domain where there’s no one solution for all the dangers that lurk in the wild and it is important to maintain a layered approach for cloud network security, allowing multiple safeguards in case of undesirable events. This would include safeguarding all endpoints with strong anti-virus and anti-malware solutions like Seqrite Endpoint Security (EPS), while utilizing Enterprise Mobility Management solutions like Seqrite MobiSMART for mobile devices.

Comply with regulations – Most companies nowadays operate under some sort of regulatory control of their data, for example the HIPAA for private health information or the FERPA for student records. Often this information is stored in the cloud with very limited access and under strict regulations. If this data privacy is violated, it can have serious consequences and is a factor to be kept in mind when considering a cloud network security strategy.

Encryption – If data is stored on the cloud, then enterprises must consider encrypting that data. This ensures that the data stored would be useless to a cyber-criminal if the cloud is breached in any particular way without the encryption key. Companies can consider Seqrite’s Endpoint Encryption solution which is a one-stop security solution for companies looking to bolster their data security, foster customer confidence by securely handling their data and ensure compliance with data protection laws.

The need for a strong cybersecurity policy – The best strategies can be ineffective if they are not backed up with a strong cybersecurity policy. When it comes to cloud network security, enterprises must be proactive in drafting strong, effective cybersecurity policies. These must clearly lay out what is expected of employees, the rules and processes involved and also the importance of staying safe. These policies must be complied to and regularly updated, based on trends and updates in the market.

Integration with mobile – Any cloud network security strategy will need to have an integration with mobile phones. Hence, there is also the need for an enterprise to have strong Enterprise Mobility Management (EMM) solutions to manage the mobile devices on their network. They can consider solutions like Seqrite mSuite and Seqrite MobiSMART for this regard, allowing employees to access productivity apps on BYOD (Bring Your Own Device) or CYOD (Choose Your Own Device) platforms while maintaining strong security.

The post How to build a strong cloud network security strategy appeared first on Seqrite Blog.

Endpoint Security : Why Is Endpoint Protection Good?

With the rise of remote workers and BYOD (Bring Your Own Device) policies, company networks are at risk of a security breach. Internet use and cloud-based platforms make it difficult for network security to track malware and unauthorized access into a company’s network. This issue means endpoint security and protection becomes a vital policy to put in place.

What is endpoint protection and security?

Endpoint security is a network security measure that requires endpoint devices to have a high level of security. Endpoint devices like mobiles and laptops must be secure before accessing a company’s network.

Many companies are still not aware or convinced that they need to put in place endpoint security. Below, we listed facts on why endpoint protection is beneficial for a company’s health:

What is endpoint protection? — Fact #1: It is more than anti-virus and anti-malware software

Though anti-virus and anti-malware tools form a part of endpoint security, it is more than that. Endpoint security ensures that the endpoint device is secure when communicating with the network. Implementation of IDS and firewalls are part of endpoint security.

An anti-malware program may prevent malware from infecting the endpoint device. But it will not prevent the malware from accessing the company’s network and infecting the entire system.

What is endpoint protection? — Fact #2: It ensures endpoint devices become responsible for its own security

Though a company network’s firewall acts as a line of defense against attacks, it does not prevent or limit access to devices that have authority to enter the network. An infected device that has access to the network will pass through the firewall without being detected or stopped. Endpoint security makes sure devices are responsible for their security and reduces the need for network security to look for unauthorized access and malware.

What is endpoint protection? — Fact #3: It protects customer and employee data

While company networks have sensitive data stored in their servers, endpoint devices still hold a large amount of important data in them.

In banks and financial institutions, recently encoded client data are often stored in endpoint devices, so even a small breach of the endpoint device may become a huge issue.

Employee data and information are also stored in endpoint devices. If stolen, this information can be used to impersonate employees, and sensitive company information may leak to unauthorized persons.

Setting up endpoint security ensures the level of security in each endpoint and the protection of the data stored in them.

What is endpoint protection? — Fact #4: It saves a company’s image and money

Security breaches can be costly for a company. When sensitive data fall into the wrong hands, competitors can use them to launch a smear campaign. A network breach also means a company will need to change their network security, which can cost a company thousands of dollars.

Final Note

Requiring endpoint devices to have a certain level of security decreases the chance that malware and unauthorized access can pass undetected into the secure network and steal sensitive data. Make sure you have proper endpoint security today.

Related Resources:

The 10 Endpoint Security Products for Business

How to Choose the Best Endpoint Protection Software in 2019?

The post Endpoint Security : Why Is Endpoint Protection Good? appeared first on .

Security Happenings at Cisco Live U.S.

Come learn from the best in threat defense

Throughout the year, you hear us talking about our innovative security strategy – about how integration, automation, and simplification make your security posture better. We highlight the need for a new approach to security in a multi-domain world. An approach that securely connects any user, on any device, on any network, to any application.

Next week is your chance to join us for interactive sessions, professional networking, and hands-on demos to find out where your security stands. Whether you discover that you’re on the right track, or that you have a long way to go, our security events at Cisco Live San Diego will provide valuable insight to take your security to the next level. And you will have some fun in the process!

Below are the major security activities happening at Cisco Live from June 9 – 13 at the San Diego Convention Center.

Captivating Keynotes

Don’t miss these Cisco keynotes to hear about our overall strategy and how security fits into the bigger picture:

You Make Possible | Monday, June 10 |  10:30 a.m. – 12:00 p.m.

Join Cisco CEO Chuck Robbins and engineering leader David Goeckeler as they share Cisco’s vision for the future and unveil new innovations that will transform our industry, your business, and our world.

Innovation Without Boundaries | Tuesday, June 11 | 10:30 a.m. – 12:00 p.m.

CEO Chuck Robbins, networking and security leader David Goeckeler, collaboration leader Amy Chang, and chief customer experience officer Maria Martinez will discuss our commitment to your success through our game-changing technology and an entirely new customer experience.

Simple, Secure, Digital Workplace with Cisco Meraki | Tuesday, June 11 | 2:00 – 2:30 p.m.

Today’s users demand next-generation, digital experiences within applications that are securely accessible from anywhere. This session, led by Meraki SVP and GM Todd Nightingale, will demonstrate Meraki’s innovative, data-driven approach to engineering, optimizing customer networks, prioritizing application traffic, and security.

What Is the Future of the Firewall? | Wednesday, June 12 | 11:30 a.m. – 12:00 p.m.

In the world we live in today, is the perimeter dead? Or do we actually need firewalls in more places than ever before? If so, how do we manage them all? Come see our SVP of security product management, Jeff Reed, to learn about the future of the firewall and see demos of Cisco Defense Orchestrator and Cisco Threat Response.

And make sure you stay for our closing keynote with Julia Louis-Dreyfus!

A Conversation with Julia Louis-Dreyfus | Thursday, June 13 | 3:00 – 4:00 p.m.

Much like the tech industry, the entertainment industry is rapidly changing. Join the star of the HBO hit series, Veep, as she humorously delivers insights and inspiration on how to remain relevant despite the chaos.

Click here for more details on these and other keynotes throughout the week.

Insightful Security Sessions

Today’s dynamic threat landscape demands a security strategy that focuses on the threat itself more than simply prevention. Cisco security solutions provide threat-centric protection that spans the entire attack continuum – before, during, and after an attack. And we cover you wherever threats get in – from edge to endpoint and beyond.

Cisco Security will present over 160 sessions at Cisco Live. Check out the Cisco Live security page to plan your schedule for the week. Our security sessions, labs, and technical seminars will help you take a holistic approach to security and stop more threats faster.

If you’re interested in these sessions, be sure to book them now. They fill up fast!

We know that 160+ sessions is a lot. See the end of this post for 10 recommended crowd pleasers!

World of Solutions

Don’t forget about the show floor as a treasure trove of valuable information and experiences. The World of Solutions is the energetic core of Cisco Live, where you’ll have the chance to learn about the latest innovations from Cisco and our partners, and connect in one amazing space.

Spend some time in the Cisco Showcase and Security Village to get up close and personal with Cisco and partner technologies. Attend expo sessions, see live demos across our security portfolio, network with your peers, and kick back a little. Also be sure to stop by the Duo Security area to learn about Cisco Zero Trust, charge up your devices, and zone out on some games.

The Park

Are you struggling with more remote users, more cloud apps than you can count, and network decentralization? Come see our Cisco Umbrella team at The Park to find out how they provide a first line of defense for securing users anywhere they access the Internet.

Meet the Expert/Engineer

Consistently rated as one of the highest value programs at Cisco Live, these meetings give you the opportunity to set the agenda for a 1:1 conversation with a Cisco expert. Visit the “Meet the Engineer” desk on site to schedule a personalized discussion focused on your unique questions and challenges.

Capture the Flag

Think you have what it takes to root out threats and protect the network? Check out Capture the Flag in the Sails Pavilion on the 2nd floor.

Cisco Live Celebration

If you need a break from all your learning, be sure to attend the infamous Cisco Live Celebration on Wednesday, featuring the Foo Fighters and Weezer!

What’s new?

While you’re at the show, keep an eye on our news page and social media for the major product announcements we’re making during the week. See something you like? You’ll be in the perfect place to ask questions and learn more. You’ll also find chances on our Cisco Security Facebook and Twitter pages to win great prizes like a Samsung 55″ 4K Smart TV and a Sonos Beam Soundbar.

Live Broadcast

Can’t make it to San Diego? You can still get your front row seat to Cisco Live by tuning into the live broadcast.

10 Recommended Security Sessions

Make sure you review the full agenda of security sessions to choose what’s right for you. But if you don’t know where to start, here are some suggestions:

Talos Insights: The State of Cyber Security | Monday, June 10 | 1:00 – 2:30 p.m.

Cisco’s Talos team specializes in early-warning intelligence and threat analysis for maintaining a secure network. In this talk, we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.

Converge or Die: Security Products and Services | Tuesday, June 11 | 9:30 – 10:30 a.m.

Products and services are converging. Attend this session and walk away with the knowledge you need to approach today’s dynamic threat landscape with confidence.

Cisco SD-WAN Security from the WAN to Cloud Edge | Wednesday, June 12 | 8:00 – 9:00 a.m.

WAN transformation increases your exposure to a range of internal and external threats that were previously handled by your data center security. We’ll learn more about these threats and why a combination of on-premises and cloud security is a must-have for your IT team.

Endpoint Security, Your Last Line of Defense | Wednesday, June 12 | 1:00 – 3:00 p.m.

With the proliferation of advanced malware, and the endpoint being the target of the vast majority of attacks, security on the endpoint is more important now than ever. This session will dive into the arsenal of Cisco endpoint security products.

Behind the Perimeter: Fighting Advanced Attackers | Wednesday, June 12 | 4:00 – 5:30 p.m.

Unlike defending against automated and predictable infections that we see every day, dealing with advanced adversaries can be a painful experience. Our goal is to derive a series of principles that make such attacks expensive to mount, maintain, and cover.

Demystifying Zero Trust – What does it really mean? How do you achieve it with Cisco and Duo Security? | Thursday, June 13 | 8:00 – 10:00 a.m.

In this intermediate-level session, we will provide clarity into how to go from “zero” to “hero” when it comes to deploying Zero Trust in your environment.

Protecting Your Office 365 Environment: Leverage the Firepower API, Cisco Cloud Email Security, and more | Thursday, June 13 | 8:00 – 10:00 a.m.

Office 365 has become a popular choice to consume Microsoft’s email, voice, and file sharing applications. Due to changes in the consumption of applications, we need to think differently about how to secure our networks, endpoints, and users.

Workload Security and Visibility | Thursday, June 13 | 9:30 – 10:30 a.m.

Modern applications no longer just reside within a company’s physical data center, but are also deployed across a multi-cloud environment. As a result, customers must now rethink their approach to data center security and workload protection as the available attack surface and opportunity for data theft has expanded.

Risky Business: Help Reduce Risk by Gaining Visibility and Control of Cloud App Usage | Thursday, June 13 | 1:00 – 2:30 p.m.

In this session, we’ll address the security risks involved with cloud app usage and how you can gain full visibility and control of cloud applications in your environment using Cisco Umbrella.

The Future of Security Analytics | Thursday, June 13 | 1:00 – 2:30 p.m.

What does it mean to deliver superior security analytics? Join Cisco Distinguished Engineer TK Keanini to explore security analytics in its entirety: reviewing new forms of telemetry, analytical techniques, and the mistakes and shortcomings of the past so that we don’t make them again in the future.

See you next week at #CLUS!

Subscribe to our Cisco Live blog series to stay updated on everything happening at Cisco Live 2019.

The post Security Happenings at Cisco Live U.S. appeared first on Cisco Blog.

What Automation Means for Your Business’ Security

Businesses across the country are being won over by the many productivity and efficiency benefits offered by automation. A study from ReportLinker estimates the digital process automation market is expected to grow to $12.61 billion by 2023, a compound annual growth rate of 13.13 percent. From manufacturing to marketing, many types of businesses have found ways to integrate automation into their daily operations. Companies like Oracle, who recently increased automation levels for apps in its sales suite, are finding new ways to offer automation tools to various types of professionals.

Workforces are seeking to embrace more digitized tools, processes, and practices in hopes to improve operations and help their employees become as productive and efficient as possible. Whether it be in the form of document sharing platforms, instant messaging apps, or self-driving cars, there’s one thing for sure: automation will play a critical role in this transition. As Dhruv Asher, UiPath’s senior vice president of business development and product alliances, tells Investors’ Business Daily, “Robotic Process Automation is a cornerstone for digital transformation. If you talk to any [chief information officer] they’re looking to create a modern workforce for a digital economy, to go through a digital transformation.”

But as automation tools gain popularity with business professionals, what impact will they have on business security? Here are four security concerns to keep in mind when implementing automation tools in your business.

Beware the automation-savvy hacker

Just like businesses, governments, and other organizations have begun to index data and automate processes, so have malicious hackers. Though hacking used to involve more hands-on technical competencies, automated “hacking tools” have evolved in sophistication and scope, making it much simpler for hackers to break into even complex systems. Port scanners and password crackers are examples of tools that automate simple, repetitive processes exponentially faster than humans. Organizations of all sizes must find and implement strategies to resist these automated tasks because automatically finding vulnerabilities is now much simpler for hackers.

Misconfigured, outdated, or unpatched software can enable successful external cyber attacks. Businesses must learn to be proactive in their patch management and should consistently monitor systems for any vulnerabilities that would leave them susceptible to hackers. Organizations looking to defend against external threats should consider how the daily work of the IT department impacts overall data security.

Limit password sharing for automation tools

Some of the most popular tools for business automation are those that can automatically pay monthly bills. They’re extremely beneficial for businesses; forgetting to pay a bill can otherwise negatively impact a company’s access to lines of credit. Many companies use these tools to deduct the necessary amounts each month, often on a specific day. However, a business should restrict permissions to those accounts and assign multiple personnel to monitor transactions. There is always a possibility for insider threats, whether intentional or unintentional, so businesses should have proper checks and balances in place. Because automated bill-pay systems are often monitored less than those that have to be completed manually, malicious insiders and outsiders can easily wreak havoc on the system. They can change payment schedules, delete payment methods, or withdraw large sums of money, all of which can negatively impact a business’s finances.

Don’t ignore update notifications

Many automation tools display pop-up messages when new software updates are available. These messages can be easy to ignore. You might be in the middle of a project, important email, or just in the depths of the workday, and can’t take the time to reboot the system or your device right at that moment. You’re not alone; A Google study from 2015 found that just 38 percent of regular software users update their programs automatically or immediately upon being notified a new version is available.

However, it’s important for users to update their software as soon as possible. Sometimes the updates only encompass new features, but, more often than not, they also address bugs that could compromise security. It’s best for businesses to check for software updates on a schedule, whether it be weekly, bi-weekly, or setting a particular day each month. For example, Microsoft introduced Patch Tuesday in 2003, which is the unofficial name for their scheduled release of security fixes on the second Tuesday of each month. If you’re concerned regular updates will disrupt your workday, try to schedule maintenance outside your regular work hours or during other periods of downtime, such as your lunch hour.

Use automation for security too

Let’s face it: many security professionals aren’t the biggest fans of automation, especially when it’s applied to their everyday processes. Putting machines in control of things like provisioning, data access, backup, and a host of other functions can add more risk to an already risky environment. Though an automated organization does pose new security challenges, the fact is the same tools being used to augment other departments, like marketing or inventory management, can also be applied to security.

For example, according to the FireMon 2018 State of the Firewall report, which surveyed more than 300 security professionals, nearly 40 percent of respondents indicated the IT/cloud team or the application owner is responsible for network security in the cloud. Nearly one-fifth of respondents did not know who was responsible. This research indicates that people outside the security department are often responsible for cloud security. This is where automation can play an important role. Tasks in the change-management process, such as planning, risk assessment, and compliance testing, can all be automated, which improves workflows for these security professionals.

Although automation can be a tremendous help to businesses, it can also pose risks if it’s misused, neglected, or not sufficiently monitored. If you’re one of the many businesses looking to incorporate automation into its operations, be sure to effectively monitor security and restructure your security policies on a regular basis. Staying aware of the security concerns listed in this article will help businesses of all sizes and in all industries ensure they implement processes to use automation tools safely and effectively.

This article was written by guest author Marie Johnson.

About the author:

Contributor to Enlightened Digital, UX Designer and technology writer from New York City. If I’m not writing my latest blog post in my kitchen, you’ll likely find me strolling through Central Park, cappuccino in hand.

The post What Automation Means for Your Business’ Security appeared first on Heimdal Security Blog.

The Right Protection For Your Endpoints

As companies look for an advanced next-generation security solution to protect their PCs, Macs, servers and mobile devices, they have many different vendors to choose from and also many questions. Can it prevent attacks? What kind of malware can it protect? What happens when a new malware comes? Will this solution help? How can I deploy it? Is the tool easy to manage? Will my endpoints protect my system inside and outside the corporate network?

To protect today’s evolving threat vector endpoints, endpoint security solutions must use technologies that have the capabilities to detect better, and whitelists to identify good and bad files. Endpoint protection should evolve towards a platform approach to prevent damage from known and unknown threats.

Prevention Capabilities

Prevention is your first line of defence. Preventing cyberattacks and blocking malware at point-of-entry in real time is essential. To ensure the best possible prevention, make sure your next-gen endpoint security solution provides the following:

Prevention is your first line of defence. Preventing cyberattacks and blocking malware is critical. For the best prevention, ensure that your next-generation Endpoint Security solution provides:

  • AV Detection: The advanced Endpoint Security solution should do all the AV work and consolidate protection.
  • Global Threat Intelligence: A team of threat hunters who identify the latest threats and zero days to protect it 24 hours a day, 7 days a week.
  • Proactive protection: Identifies and corrects vulnerabilities, analyze them quickly and stops suspicious executions at low frequency.

Highlights of Gartner Report

  • Importance of endpoint protection
  • Verdict systems
  • Beyond the sandbox
  • Implementation of a zero trust environment
  • Best practices for evaluating endpoint protection

Things to know

When organizations notice changes to features or processes that conflict with their current implementation, they should not simply ignore these changes just because “it always worked that way.” Policies and processes have been developed in many companies at a time when threats were different, and there were no mitigations.

Today, most endpoint providers use a standard-authorize approach. This means that only applications or executable that are considered malicious will be blocked from running on an endpoint. Changing the default permission architecture for zero trusts can help prevent unknown threats from corrupting endpoints.

Also, Read

What is Endpoint Security?

Endpoint Security Basics

How to Choose the Best Endpoint Protection Software in 2019?

The post The Right Protection For Your Endpoints appeared first on .

Zero Trust Architecture and its Relevance in Cybersecurity

In the world of technology, just as in any other sphere of life, things that were once in vogue have become outdated, and things that are the trend today would soon go out of use. This naturally applies to cybersecurity as well.

Cybersecurity is an area that evolves much faster than many other domains in the world of technology. This is partly because existing technologies are constantly being updated with new versions or replaced with newer ones. This is also partly because cybersecurity firms and experts have to stay ahead of the cybercriminals who are constantly coming up newer and sophisticated kinds of threats and attacks.

Today let’s discuss a rather new technology that has replaced the widely used and much popular Default Allow approach to cybersecurity. The new technology, the Zero Trust architecture is now turning quite popular among modern day enterprises. Let’s examine different aspects of this development and also discuss the relevance of the rapidly evolving Zero Trust architecture.

What’s the issue with Default Allow?

The Default Allow approach to cybersecurity, which was deemed highly effective, works by allowing unknown files and apps to access enterprise networks. The negative aspect of Default Allow is that cybercriminals could exploit it as a fast, easy way to penetrate enterprise networks and then execute malware attacks and data breaches. They could go for Zero Day attacks or ransomware attacks and cause enterprises huge losses. It’s here that Zero Trust architecture gains relevance.

Zero Trust architecture- What’s it?

Zero Trust architecture is, as the name itself suggests, all about not trusting anything that comes into a network. Thus, the IT team works with the supposition that all files and apps are dangerous as long as they are not verified. Hence, they’d employ a set of security systems and software throughout the network, spanning the web, the cloud, the LAN, the endpoints etc to ensure that every single file or application is safe.

How it works?

As already mentioned, the basic underlying principle here is that of zero trust. Everything needs to be verified before being allowed to execute in a network…

Thus, today we have a wide range of Endpoint Protection platforms that help enterprises achieve a Zero Trust architecture by not trusting and always verifying all unknown files. All unknown files that are executed on an endpoint are instantly placed in a container, thereby ensuring uninterrupted service and zero damage to the user. The unknown files in the containment are all analyzed statically and dynamically, in the cloud as well as by human experts. Post analysis, the verdicts are given. 95 percent of verdicts are returned in under 45 seconds while for 5 percent, it might take up to 4 hours. Then, the files are handled accordingly. Those that are found to be safe and let in and those that are unsafe are blocked. To be noted is the fact that those files for which a 100 percent safe verdict cannot be given from a cloud analysis in 45 seconds are immediately escalated to a human analyst, who does a review to determine if the files are safe or malicious. The highlight is that neither productivity nor user experience is impacted as the analysis process happens without being perceived and the users can immediately run files and applications as they are contained and analyzed in the cloud.

The relevance of a Zero Trust architecture

We have always maintained that the human element is of utmost importance in cybersecurity. Every single employee who is part of a corporate network is responsible for the overall security of the network. Still, errors are bound to happen. One or the other employee might by chance click on a link or download an attachment in a phishing email and that one click or one stray download might pave the way for a devastating cyberattack, sometimes a ransomware strike that could cripple the entire network. This, we’d like to mention, is not underestimating the importance of the human element in cybersecurity. It’s just that it’s only human to err, but one single error that’s thus committed could cost dear for a business organization. To err is human, but then, as regards cybersecurity, there’s no point in consoling ourselves by stating that to forgive is divine, because sometimes, the damages done to businesses as a result of small human errors are irreversible.

Similarly, it wouldn’t be proper to trust the IT teams to detect every threat. Their systems too could sometimes fail. We do point out time and again that all security systems have or develop flaws that could be exploited before they are found and fixed.

Thus, it’s important, not just important but highly relevant, that business enterprises seek to empower their workforces, their networks and their IT teams with the Zero Trust mindsets and the architecture that’s needed to support it. The cyberattacks that could happen as a result of depending wholly on Default Allow could have disastrous consequences and hence we need to go for the Zero Trust architecture, for better protection and data security.

Also, Read

Penetration Testing The Most Visible Component of Cyber Security

Importance of Employee Awareness and Training For Cyber Security

Cyber security and strategy

 

The post Zero Trust Architecture and its Relevance in Cybersecurity appeared first on .

BlueKeep RDP flaw: Nearly a million Internet-facing systems are vulnerable

Two weeks have passed since Microsoft released security fixes and mitigation advice to defang expected exploits taking advantage of CVE-2019-0708 (aka BlueKeep), a wormable unauthenticated remote code execution flaw in Remote Desktop Services (RDP). The vulnerability, reported by UK’s National Cyber Security Centre (NCSC), has the potential to be the means for attacks that could rival the 2017 WannaCry onslaught and NotPetya attacks. A recent scanning effort by Robert Graham, head of offensive security research … More

The post BlueKeep RDP flaw: Nearly a million Internet-facing systems are vulnerable appeared first on Help Net Security.

Heimdal™ Security acquires BasicBytes and launches Thor AdminPrivilege™

In a move that will change the work lives of sysadmins for the better, Heimdal Security A/S has acquired the BasicBytes IVS. All shares of BasicBytes is now owned by Heimdal™ Security, as part of Heimdal’s long-term strategy of changing the standard of endpoint security.
Heimdal has spotted great potential in BasicBytes’s fast-growing technology and aims to capture significant market share by offering innovative and mind-changing technologies. Heimdal™ plans to further develop the technology and will launch unique technology combinations with Endpoint security technology and Privilege Rights Management working in tandem; and is now working on Thor AdminPrivilege™, a new product for system administrators, to be launched soon.

Morten Kjaersgaard, CEO Heimdal Security details:

“While pursuing Heimdal Security’s expansion plans, AccessDirector (previously developed by BasicBytes) will be developed into AdminPrivilege™. As part of the acquisition of AccessDirector, we will expand its abilities within administrative rights management and combine it with our existing Proactive and Reactive protection technologies, to deliver a unique, highly advanced and yet simple product offering, that to the furthest extent possible will run autonomously.

We want to offer a groundbreaking change in the way system admins handle security tasks and simplify security in organizations.

Our strategy of making advanced endpoint security made simple and our ambition to expand our portfolio, is what made us to see that BasicBytes deserved a place in the Heimdal Security family. The technologies developed by BasicBytes so far will be enhanced to the Heimdal standards and aligned with our cybersecurity agenda.

Together with AccessDirector, the following products have also been added to the Heimdal Security resource vault following the acquisition of the BasicBytes company: RunAsHandler, Easy Click Assistant and CM Tray Tools.

The first on our development roadmap is the AdminPrivilege™. This new product will first be integrated into the Heimdal Dashboard, available for the users of Thor Enterprise products. The expected release date for the new AdminPrivilege™ integration is November 2019. Still, until the new product is launched, the existing BasicBytes product will still be available for sale.”

How will AdminPrivilege™ work?

The new functionality will allow system admins to manage privilege permissions for users in their organization easily and securely. From the Heimdal™ Dashboard – AdminPrivilege™ tab or on mobile, system administrators will be able to view what permissions the users in their organization are asking for and grant (or deny) their privilege requests. Furthermore, this can even be run in “Auto-mode”, so that users actions are logged with a full audit trail, but can run without individual approval of actions – even combined with the protection suite offering, so that high-risk users are blocked from escalation automatically. No more manual enabling and disabling, no more time waste – that’s the AdminPrivilege™ promise.

The level of permissions which will be managed by AdminPrivilege™ will also be granular, stratified and complex enough to allow admins to maintain a secure level of control over what happens. As indicated, it will have a unique market offering, giving the option of denying requests coming from a specific endpoint in their organizational network if Thor Vigilance (Next-Gen Antivirus) or the VectorN Detection engine (Thor Foresight’s machine learning detection) has flagged that endpoint as displaying suspicious behavior during a past number of days.

AdminPrivilege™ will give granular control to user rights such as:

  • Allowing or Stopping “Run as administrator” or “Administrator Rights” privileges;
  • Specify a written reason for each permission request (or not);
  • Get permission to run their processes as admin or not;
  • Get a limited time window for admin privileges on their endpoint;

Based on all the insights provided by the other tools within the Thor Enterprise security suite, admins will be able to:

  • Remove permissions fast and quarantine the endpoint;
  • Block elevation of system files;
  • Enable email and/or Application alerts for each pending approval;
  • Enable approval via Dashboard or via mobile

The history of each user and endpoint will be securely tracked and available to view in the dashboard so that admins can keep an eye on things and potential security incidents can be better documented.

We’re anxious to embark on this journey, starting from the base technology layer from our new acquisition, BasicBytes, and moving forward into plenty of other applications for a more granular vigilance and control over security.

“The AdminPrivilege™ functionality and dashboard is just a first step into this journey. After this launch more innovations are to follow on the Heimdal Security roadmap for the rest of 2019” – Morten Kjaersgaard, CEO of Heimdal Security.

You can read more about the new AdminPrivilege™ product here.

You can find the Danish version of this announcement here.

About Heimdal Security: Heimdal Security is an emerging cybersecurity company, founded in 2014 in Copenhagen by winners of the world ethical hacking competition Defcon CTF. Since then, the company has grown spectacularly, earning awards for both its proactive security suite (Anti-Malware Solution of the Year in 2018) and for its blog, providing intelligence to security outlets worldwide (Most Educational Security Blog in 2016).

The post Heimdal™ Security acquires BasicBytes and launches Thor AdminPrivilege™ appeared first on Heimdal Security Blog.

Rise of cyber-physical attacks

Estimated reading time: 3 minutes

It was back in 2012 when the then Defense Secretary of the United States warned of the possibility of the country facing a “cyber-Pearl Harbor”. He painted a bleak possibility – that extremist groups and enemy nations would use cyber tools to gain access to critical switches and disrupt transport and infrastructure.

While an attack on such a grand scale has not materialized as yet, Panetta’s warning sounds even more pertinent in this day and age of the Internet of Things (IoT). We live in the era of smart, where every device has the smart label in front of it – smart televisions, smart vehicles, smart cities, smart toasters, smart lights, etc. The boundaries between the physical and the cyber has merged and there has been a rise of cyber-physical attacks – cyber attacks which have an impact in the physical world as well.

Not a new phenomenon

Of course, perhaps the most noteworthy cyber-physical attack was the Stuxnet malicious worm, discovered in 2010. While no one has claimed responsibility, it caused substantial damage to Iran’s nuclear program, causing the nuclear centrifuges to tear themselves apart. It was believed to be created by American & Israeli cyber experts.

But in recent years, there have been examples of cyber-physical attacks at a much lower scale but with a similar likelihood of destruction. In Italy this year, some researchers travelled to various construction sites and demonstrated to workers there that they could easily take control of construction cranes remotely making them perform actions they wished. The message was clear – construction cranes are incredibly vulnerable and in the hands of a malicious group, could cause immense destruction.

Shock and awe

At a grander scale, power grids in Ukraine were successfully targeted in December 2015 and the consequences were severe. Electricity supply was disrupted and more than 230 thousand people were left without power for one to six hours. In Germany in 2014, a cyber attack caused massive damage at a blast furnace in a German steel mill when attackers gained access to control systems, which led to parts of the plant failing and the blast furnace being damaged.

It’s quite clear then that enterprises also must take note of this growing and troubling trend of cyber-physical attacks and take the necessary steps required to secure themselves against this growing threat. Some of the ways they can do that is through:

  • Plug the gaps – Most cyber-physical attacks happen due to gaps in the enterprise’s network security. Enterprises must constantly keep monitoring their security perimeters and step in to plug those gaps as soon as possible.
  • Understand your environment – It is important for organizations to have an ear to the ground regarding the industry they operate in and what are the new threats. Staying aware of the new trends and vulnerabilities will ensure that they can react and respond to threats as soon as they emerge.
  • Create a culture of security – It is incumbent on enterprises to create a security-first approach in their organization. This includes training employees on the importance of cybersecurity, ensuring that there are strict policies regarding cybersecurity with compliance to it.
  • Include physical security with cybersecurity – As mentioned earlier, the boundaries between the physical and digital worlds are converging and enterprises must be secure in both the worlds. Physical security is also paramount in this regard with strict rules against tailgating, secure access control systems and proper storage of confidential information.
  • Use a secure cybersecurity solution – A strong cybersecurity solution will allow enterprises to secure their defenses along with monitoring their network activity. Enterprises can consider Seqrite’s Endpoint Security (EPS) which is a simple and innovative platform integrating advanced technologies to protect the network.

The post Rise of cyber-physical attacks appeared first on Seqrite Blog.

The 10 Endpoint Security Products for Business

Large data breaches often occur when hackers successfully attack a device such as a computer, mobile device, or laptop. To solve this problem, companies can provide endpoint security protection that protects them from malicious attacks. Endpoint security software features include easy installation, proactive protection, and malware removal, as well as the ability to counter various attacks. Some of the main endpoint security products are as follows:

1. Trend Micro Apex One

Trend Micro Apex One integrates malware prevention technology with endpoint detection and response capabilities. It is the new endpoint security brand from Trend Micro Inc. Apex One. It combines advanced threat protection techniques to eliminate vulnerabilities between endpoint computers and user. This product advertises as being user-friendly; however, some users say that full scans consume resources so administrators should try to run them outside office hours.

2. Malwarebytes Endpoint Protection

Malwarebytes Endpoint Protection provides organizations with complete protection against known and unknown malware. It is an advanced threat prevention tool for endpoint systems that uses a multi-layered approach with multiple detection techniques. Malwarebytes Endpoint Protection is deployed through the Malwarebytes cloud-based management platform. According to Gartner, users appreciate the real-time protection of malware bytes, but some say it takes a long time to perform a full scan, even if the application is running in the background.

3. Kaspersky Small Office Security

Kaspersky Small Office Security is particularly suitable for small businesses. The product is easy to install and manage and provides security for computers, file servers, laptops, and mobile devices. It protects companies against cyber-attacks, financial fraud, ransomware, and data loss. Although this is a good value for money, some users say it can be expensive for companies that do not require file server protection.

4. Kaspersky Total Security for Business

Kaspersky Total Security for Business is good for small environments requiring full endpoint security product functionality. It includes all the features and security of Kaspersky Endpoint Security for Business Advanced for messaging servers and Web gateways. Total Security for Business is marketed as easy-to-use and quick to run scans. However, since the load takes a while, administrators must load it after a few user tests on the Kaspersky Total Security for a Business page outside of office hours.

5. Sophos Intercept X

Intercept X from Sophos Ltd uses a comprehensive approach to defense-in-depth to ensure end-user security, rather than relying on one of the key security techniques. Intercept X integrates with world-class malware detection and leverages protection with built-in endpoint detection and response. Intercept X removes attackers by blocking exploits and techniques they use to spread malware, steal credentials, and evade detection. The implementation is supposed to be simple; however, support can be random, according to Gartner on Sophos review page.

6. McAfee Endpoint Security

McAfee Endpoint Security replaces several legacy McAfee products. It is the company’s modern, integrated endpoint security platform with a single agent architecture and built-in advanced defenses, including analysis, containment, detection, and the response of machine-learning endpoints. It is easy to implement and manage. However, according to some tests done by this tool at Gartner, scanning infected files takes a lot of time and affects the daily productivity of a device.

7. Symantec Endpoint Protection 15 (cloud)

Symantec Endpoint Protection 15 provides multi-layer security products for cloud-deployed endpoints, simplified single-agent administration, and an AI-controlled security management console. It can also be integrated with Symantec products and third-party products. The product integrates with existing security infrastructures to quickly address threats. Although it runs in the background and is not very intrusive, Endpoint Protection 15 can require a lot of resources and sometimes even slow down computers, as some users believe on a TrustRadius review page.

8. Webroot Business Endpoint Protection

Webroot Inc. Business Endpoint Protection is a fully cloud-based endpoint security product that uses machine learning to continuously monitor and adapt endpoint threat detection, protection, and prevention. It defends many types of physical and virtual systems and the

9. Seqrite Endpoint Security

Seqrite Endpoint Security from the house of Quick Heal Technologies Ltd, it offers a variety of advanced features in an integrated platform, including advanced endpoint protection with antivirus, intrusion detection, firewall and more. This also has technologies like anti-ransomware, advanced DNA analysis and a behavioral detection system to protect networks from modern threats, and more.

10. Windows Defender Advanced Threat Protection (ATP)

Windows Defender ATP is a platform designed to help enterprise networks prevent, detect, investigate and respond to advanced threats. According to Gartner, many users rate the product highly because it is lightweight and simple to manage centrally, but some say it can be a bit overwhelming for new users because of its power and the number of options.

Also, Read:

Endpoint Security or Antivirus Software for Small Businesses?

Endpoint Security-Related Issues that Providers Encounter

Endpoint Security Basics

The 5 Steps to Ensure Cloud Security

Modern Malware is Deceiving Endpoint Security

The post The 10 Endpoint Security Products for Business appeared first on .

New browser extensions for integrating Microsoft’s hardware-based isolation

The hardware-based isolation technology on Windows 10 that allows Microsoft Edge to isolate browser-based attacks is now available as a browser extension for Google Chrome and Mozilla Firefox.

We introduced the container technology in 2017. Since then, we have been evolving the technology and engaging with customers to understand how hardware-based isolation can best help solve their security concerns. We know that many of our customers depend on multi-browser environments to allow enterprise apps to meet various compatibility requirements and enable productivity. And while modern browsers are continuously working to mitigate vulnerabilities, there are still exposures across these complex engines that can lead to irreversible and costly damages.

To provide customers with a comprehensive solution to isolate potential browser-based attacks, we have designed and developed Windows Defender Application Guard extensions, now generally available, to allow customers to integrate hardware-based isolation with Google Chrome and Mozilla Firefox.

How it works

The extensions for Google Chrome and Mozilla Firefox automatically redirect untrusted navigations to Windows Defender Application Guard for Microsoft Edge. The extension relies on a native application that we’ve built to support the communication between the browser and the device’s Application Guard settings.

When users navigate to a site, the extension checks the URL against a list of enterprise sites defined by enterprise administrators. If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session. In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as enterprise-trusted by their organization without any risk to the rest of system. With our upcoming dynamic switching capability, if the user tries to go to an enterprise site while in an isolated Microsoft Edge session, the user is taken back to the default browser.

To configure the Application Guard extension under managed mode, enterprise administrators can follow these recommended steps:

  1. Ensure devices meet requirements.
  2. Turn on Windows Defender Application Guard.
  3. Define the network isolation settings to ensure a set of enterprise sites is in place.
  4. Install the new Windows Defender Application Guard companion application from the Microsoft Store.
  5. Install the extension for Google Chrome or Mozilla Firefox browsers provided by Microsoft.
  6. Restart the device.

Intuitive user experience

We designed the user interface to be transparent to users about Windows Defender Application Guard being installed on their devices and what it does. We want to ensure that users are fully aware that their untrusted navigations will be isolated and why.

  1. When users initially open Google Chrome or Mozilla Firefox after the extension is deployed and configured properly, they will see a Windows Defender Application Guard landing page. 
  2. If there are any problems with the configuration, users will get instructions for resolving any configuration errors. 
  3. Users can initiate an Application Guard session without entering a URL or clicking on a link by clicking the extension icon on the menu bar of the browser.

Commitment to keep enterprise users and data safe

Hardware-based isolation is one of the innovations that enhances platform security on Windows 10. It is a critical component of the attack surface reduction capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) and the broader unified security in Microsoft Threat Protection. With the new Application Guard extension for Google Chrome and Mozilla Firefox, customers can extend the security benefits of isolation in their environments and further reduce attack surface. Customers can confidently navigate the expansive internet with protection for enterprise and personal data.

The Windows Defender Application Guard extensions for Google Chrome and Mozilla Firefox are now available for Windows 10 Professional, Enterprise, and Education SKUs, version 1803 and later with latest updates.

 

Rona Song
Windows platform security team

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Follow us on Twitter @MsftSecIntel.

The post New browser extensions for integrating Microsoft’s hardware-based isolation appeared first on Microsoft Security.

Seqrite Endpoint Security supports the Windows 10 May 2019 Update

Estimated reading time: 2 minutes

As part of the Windows 10 Updates, Microsoft has now come up with a new update for Windows 10 PCs. It’s called Windows 10 19H1 (Windows 10 May 2019 Update).

This post lists down some of the highlights of Windows 10 May 2019 update and Seqrite Endpoint Security’s compatibility with the OS.

Highlights of the Windows 10 May 2019 Update

  1. Improvements in Windows Security app
  2. Improvements in Snip & Sketch tool
  3. Improvements in Microsoft Edge web browser
  4. Improvements in Windows Update
  5. New Office app
  6. New “Reserved Storage” feature through which, some disk space will be set aside to be used by updates, apps, temporary files, and system caches to ensure that critical OS functions always have access to disk space.
  7. Improvements in Windows Subsystem for Linux (WSL) Command Line Tool. You can now access and browse file system of WSL (Windows Subsystem for Linux) in File Explorer.
  8. Windows Search and Cortana are now separate things
  9. New Windows Sandbox feature – for safely running applications in isolation

Supported Seqrite Endpoint Security Version Details 

  1. For Existing Users

Users of Seqrite Endpoint Security 7.0 or later MUST take the latest updates and only then upgrade to Windows 10 May 2019 Update.

Recommendation – Before moving to Windows 10 May 2019 Update, latest Seqrite definition Update is mandatory.

  1. For New Users

Fresh Install – Fresh installation of Seqrite Endpoint Security 7.2 and later versions support this update for Windows 10 May 2019 Update. 

How to apply the latest Seqrite update?

To apply the latest Seqrite update automatically, enable Automatic Update for EPS client under Policy Settings.

How to know if the Seqrite update has been successfully applied and is compatible with Windows 10 May 2019 Update? 

If your Seqrite Endpoint Security Client’s Virus Database Date is the latest, it means it is compatible with the mentioned update. 

Note – Fresh installation of Seqrite Endpoint Security 7.1 and below version is not supported on Windows 10 May 2019 Update.

If you have any queries about the Windows 10 May 2019 Update and your Seqrite Product, please call us on 1800-121-7377 or drop us a line in the comment sections below.

The post Seqrite Endpoint Security supports the Windows 10 May 2019 Update appeared first on Seqrite Blog.

Endpoint Security: It’s a Whole New World

Once upon a time, endpoint security was just a hall monitor. It watched for known bad files identified with a simple signature and sent you an alert when the file was blocked. To be safe, it would scan every machine daily, an intrusive activity that slowed down machines and sped up the heart rates of […]… Read More

The post Endpoint Security: It’s a Whole New World appeared first on The State of Security.

Endpoint’s Relevance in the World of Cloud

Businesses everywhere are looking to cloud solutions to help expedite processes and improve their data storage strategy. All anyone is talking about these days is the cloud, seemingly dwindling the conversation around individual devices and their security. However, many don’t realize these endpoint devices act as gateways to the cloud, which makes their security more pressing than ever. In fact, there is a unique relationship between endpoint security and cloud security, making it crucial for businesses to understand how this dynamic affects information security overall. Let’s explore exactly how these two are intertwined and how exactly endpoint security can move the needle when it comes to securing the cloud.

Cloudier Skies

Between public cloud, private cloud, hybrid cloud, and now multi-cloud, the cloud technology industry is massive and showing zero signs of slowing down. Adoption is rampant, with the cloud market expected to achieve a five-year compound annual growth rate (CAGR) of 22.5%, with public cloud services spending reaching $370 billion in 2022. With cloud adoption drawing so much attention from businesses, it’s as important as ever that enterprises keep security top of mind.

This need for security is only magnified by the latest trend in cloud tech – the multi-cloud strategy. With modern-day businesses having such a diverse set of needs, many have adopted either a hybrid or multi-cloud strategy in order to effectively organize and store a plethora of data – 74 percent of enterprises, as a matter of fact. This has many security vendors and personnel scrambling to adjust security architecture to meet the needs of the modern cloud strategy. And though all businesses must have an effective security plan in place that compliments their cloud architecture, these security plans should always still consider how these clouds can become compromised through individual gateways, or, endpoint devices.

The Relationship Between Endpoint and Cloud

The cloud may be a virtual warehouse for your data, but every warehouse has a door or two. Endpoint devices act as doors to the cloud, as these mobile phones, computers, and more all connect to whichever cloud architecture an organization has implemented. That means that one endpoint device, if misused or mishandled, could create a vulnerable gateway to the cloud and therefore cause it to become compromised. Mind you – endpoint devices are not only gateways to the cloud, but also the last line of defense protecting an organization’s network in general.

Endpoint is not only relevant in the world of cloud – it has a direct impact on an organization’s cloud – and overall – security. A compromised endpoint can lead to an exposed cloud, which could make for major data loss. Businesses need to therefore put processes into place that outline what assets users put where and state any need-to-knows they should have top of mind when using the cloud. Additionally, it’s equally important every business ensures they make the correct investment in cloud and endpoint security solutions that perfectly complement these processes.

 Ensuring Security Strategy Is Holistic

As the device-to-cloud cybersecurity company, we at McAfee understand how important the connection is between endpoint and cloud and how vital it is businesses ensure both are secured. That’s why we’ve built out a holistic security strategy, offering both cloud security solutions and advanced endpoint products that help an organization cover all its bases.

If your business follows a holistic approach to security – covering every endpoint through to every cloud – you’ll be able to prevent data exposures from happening. From there, you can have peace of mind about endpoint threats and focus on reaping the benefits of a smart cloud strategy.

To learn more about our approach to endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business, and read more in our latest paper:

 

The post Endpoint’s Relevance in the World of Cloud appeared first on McAfee Blogs.

What is Emotet?

Estimated reading time: 4 minutes

Emotet malware was first identified in 2014 as Banking trojan. Emotet has evolved from banking trojan to threat distributor till now. It has hit many organizations very badly in 2018 with its functionalities like spamming and spreading. Further with its widespread rich/existence at many organizations, it became threat distributor. Since mid of 2018, Emotet is used by threat actors to spread other malwares like TrickBot, Qakbot and most dangerous Ryuk ransomware. It has also been observed that it loads modules and launches different malware depending on geographical location i.e. Country of Victim.

Malware authors strategy is to use infected systems for all means like firstly for credential stealing, further use these credentials for spreading and spamming. Finally, when all use of this infected system is done, it deploys other malwares like Ransomware, TrickBot, Qakbot.

From mid of 2018, Emotet has become headache for security providers because of its polymorphic, self-updating and spreading capabilities which makes cleaning of such infected network very complex and sometimes takes months for cleaning.

How it can enter into your system?

It enters into your system by phishing mail as shown in below fig:

Such emails contain malicious attachments like doc, pdf, xls, js, etc. Once user opens such attachment, it will download and launch Emotet. Sometimes such mail may contain malicious links, when opened by users, it downloads and launches Emotet. Other way is through lateral spreading i.e. if one of your friend or colleagues in the same network is infected with Emotet, then your friends’ machine can deploy Emotet on your machine.

What Emotet can do?

It has many capabilities like password stealing, Email Harvesting, spamming, lateral spreading, launching other malwares. All of these are discussed in detail in our research paper on EMOTET.

Impact:

According to US-CERT alert released on July 20, 2018, “Emotet continues to be amongst the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”

At Quick-Heal labs, we have seen many of our customers are badly affected because of spamming done by emotet. As malware sends many phishing mails to user’s contacts, mail server reaches its maximum limits and blocks user’s account for the day. As a result, most of the employees of such infected organization cannot send mails. Such blockages lead to disruption to regular operations or work and further potential harm to an organization’s reputation. Finally, after a week or two we were able to totally clean total network.

Ryuk ransomware infection may cause temporary or permanent loss of user’s critical data.

What Quick-Heals Telemetry says:

As you can see, number of hits per day are very high from July 2018 till April 19. It indicates how widespread it is. But same is not the case with actual numbers of customer escalations. At quick-heal Labs, even after detecting thousands of samples per day, we received many customer escalations in initial months after outbreak. Further, we added some rules, IOC’s, signatures at each level of Product features namely at Virus Protection, Behavior Detection, Email Protection, Memory scan, IDS & IPS, Machine learning based, Browsing protection. This directly affected in Zero customer escalations for Emotet from last few months with already infected customers also totally cleaned. As stats are indicating that we are detecting thousands of Emotet samples per day in last few months and still NO customer escalation/issue reported.

How can I remove Emotet?

If your machine is in network of any organization, then firstly isolate it immediately. Patch with latest updates of installed software’s and clean the system.

As Emotet can move laterally in network, your machine can be infected again when you reconnect to network. Identify and clean each infected machine in same network. It’s really complex process to follow. One can always choose Quick-heal Antivirus / Seqrite Endpoint Security to avoid this complex process and stay safe with cleaning of already infected machines and proactively blocking against future Emotet infections.

Preventive measures

  1. Keep your computer up-to-date with the latest updates of Operating system, Security software and other software.
  2. Don’t open any link in the mail received from an unknown/untrusted source.
  3. Don’t download attachments received by an unknown/untrusted source.
  4. Don’t enable ‘macros’ for Microsoft’s office documents.
  5. Educate yourself and others for keeping strong passwords.
  6. Use two-factor authentication where-ever possible.

Conclusion:

Stats indicate that we are detecting thousands of Emotet samples per day in last few months and still NO customer escalation/issue has been reported. With this we can say that Quick Heal is able to stop Emotet till today’s date. As its always cat and mouse game between malware and security vendors, we expect evolution of Emotet to next step. We will be continuously monitoring Emotet for future also and will ensure all customers are secured from such malwares.

To read more about the detailed analysis of the Emotet, download this PDF.

The post What is Emotet? appeared first on Seqrite Blog.

Microsoft updates break AV software, again!

Microsoft’s May 2019 security fixes have again disrupted the normal functioning of some endpoint security products on certain Windows versions. Current problems “We have had a few customers reporting that following on from the Microsoft Windows 14th May patches they are experiencing a hang on boot where the machines appear to get stuck on ‘Configuring 30%’,” UK-based Sophos explained. “We have currently only identified the issue on a few customers running Windows 7 and Windows … More

The post Microsoft updates break AV software, again! appeared first on Help Net Security.

How to Get the Best Layered and Integrated Endpoint Protection

Security teams have historically been challenged by the choice of separate next-gen endpoint security technologies or a more integrated solution with a unified management console that can automate key capabilities.

At this point it’s not really a choice at all – the threat landscape requires you to have both. The best layered and integrated defenses now include a broad portfolio of advanced prevention technologies, endpoint security controls, and advanced detection/response tools – all within an integrated system that goes beyond alerts and into insights that even a junior analyst can act on.

More Endpoints = More Vulnerabilities

Endpoints are long beyond on-premises servers, PCs, and traditional operating systems. Internet of things devices such as printers, scanners, point-of-sale handhelds, and even wearables are vulnerable and can provide entry points for organized attacks seeking access to corporate networks. Mobile devices—both BYOD and corporate issued—are among the easiest targets for app-based attacks. Per the 2019 McAfee Mobile Threat Report, the number one threat category was hidden apps, which accounted for almost one-third of all mobile attacks.

Many enterprises are unaware of their target-rich endpoint environments, resulting in security teams struggling to maintain complete vigilance. A 2018 SANS Survey on Endpoint Protection and Response revealed some sobering statistics:

  • 42% of respondents report having had their endpoints exploited
  • 84% of endpoint breaches include more than one endpoint
  • 20% didn’t know whether they’d been breached

Endpoint attacks are designed to exploit the hapless user, including web drive-by, social engineering/phishing, and ransomware. Because these attacks rely on human actions, there’s a need for increased monitoring and containment, along with user education.

The latest attacks have the ability to move laterally across your entire environment, challenging every endpoint until a vulnerability is found. Once inside your walls, all endpoints become vulnerable. Modern endpoint security must extend protection across the entire digital terrain with visibility to spot all potential risks.

Less Consoles = Better Efficiency

A 2018 MSA Research report on security management commissioned by McAfee revealed that 55% of organizations struggle to rationalize data when three or more consoles are present. Too many security products, devices, and separate consoles call for a large budget and additional employees who might struggle to maintain a secure environment.

In contrast, single management consoles can efficiently coordinate the defenses built into modern devices while extending their overall posture with advanced capabilities—leaving nothing exposed. With everchanging industry requirements, an integrated endpoint security approach ensures that basic standards and processes are included and up to date.

Why McAfee Endpoint Security

McAfee offers a broad portfolio of security solutions that combine established capabilities (firewall, reputation, and heuristics) with cutting-edge machine learning and containment, along with endpoint detection and response (EDR) into a single-agent all-inclusive management console.

Is it time you took a fresh look at your strategy? Learn more in this white paper: Five ways to rethink your endpoint protection strategy.

The post How to Get the Best Layered and Integrated Endpoint Protection appeared first on McAfee Blogs.

Microsoft’s Attack Surface Analyzer now works on Macs and Linux, too

Microsoft has rewritten and open-sourced Attack Surface Analyzer (ASA), a security tool that points out potentially risky system changes introduced by the installation of new software or configuration changes. About Attack Surface Analyzer The initial version of the tool (v1.0, aka “classic”) was released in 2012 and worked only on Windows. It can be still downloaded, but is not supported any longer. This newest version (v.2.0) is built using .NET Core 2.1 and Electron, and … More

The post Microsoft’s Attack Surface Analyzer now works on Macs and Linux, too appeared first on Help Net Security.

How MVISION Mobile can combat the WhatsApp Buffer Overflow Vulnerability

A new WhatsApp vulnerability has attracted the attention of the press and security professionals around the world. We wanted to provide some information and a quick summary.

This post will cover vulnerability analysis and how McAfee MVISION Mobile can help.

Background

On May 13th, Facebook announced a vulnerability associated with all of its WhatsApp products. This vulnerability was reportedly exploited in the wild, and it was designated as CVE-2019-3568.

WhatsApp told the BBC its security team was the first to identify the flaw. It shared that information with human rights groups, selected security vendors and the US Department of Justice earlier this month.

The CVE-2019-3568 Vulnerability Explained

WhatsApp suffers from a buffer overflow weakness, meaning an attacker can leverage it to run malicious code on the device. Data packets can be manipulated during the start of a voice call, leading to the overflow being triggered and the attacker commandeering the application. Attackers can then deploy surveillance tools to the device to use against the target.

A buffer overflow vulnerability in WhatsApp VOIP (voice over internet protocol) stack allows remote code execution via a specially-crafted series of SRTP (secure real-time transport protocol) packets sent to a target phone number.

Affected Versions:

  • WhatsApp for Android prior to v2.19.134
  • WhatsApp Business for Android prior to v2.19.44
  • WhatsApp for iOS prior to v2.19.51
  • WhatsApp Business for iOS prior to v2.19.51
  • WhatsApp for Windows Phone prior to v2.18.348
  • WhatsApp for Tizen prior to v2.18.15.

The Alleged Exploit

An exploit of the vulnerability was used in an attempted attack on the phone of a UK-based attorney on 12 May, the  Financial Times reported. The reported attack involved using WhatsApp’s voice calling function to ring a target’s device. Even if the call was not picked up, the surveillance software could be installed.

How MVISION Mobile can combat CVE-2019-3568 Attacks

To date, the detection technology inside MVISION Mobile has detected 100 percent of zero-day device exploits without requiring an update.

MVISION Mobile helps protect customers by identifying at-risk iOS and Android devices and active threats trying to leverage the vulnerability. It leverages Advanced App Analysis capabilities to help administrators find all devices that are exposed to the WhatsApp vulnerability by identifying all devices that have the vulnerable versions of WhatsApp on them and establish custom policies to address the risk. If the exploit attempts to elevate privileges and compromise the device, MVISION Mobile would detect the attack on the device.

For more information about MVISION Mobile, download our datasheet or visit our web site.

The post How MVISION Mobile can combat the WhatsApp Buffer Overflow Vulnerability appeared first on McAfee Blogs.

Cisco AMP for Endpoints excelling in AV Comparatives Business Main Test Series

AV-Comparatives have long been the benchmark of 3rdparty testing in the endpoint security space. This year, for the first time ever, AMP for Endpoints participated in AV-Comparatives malware testing. The Business Main Test Series was broken up into two main sections: the Malware Protection Test and Business Real-World Protection Test.

While the full report will be released in July, AV-Comparatives released a short fact sheet today. Because the test is only partially completed, the results will continue to vary, but Cisco AMP for Endpoints expects to maintain consistently high scores.

Overview

First, let’s give the brief facts behind the Business Main Test Series:

  • 19 products are participating
  • All products tested on a Windows 10 RS5 64-bit
  • All vendors were allowed to configure their products
  • Cloud and PUA detection activated in all products

Given these parameters, the 19 products will participate in a fourth month test culminating in July. At this midpoint, however, the products have participated in the two aforementioned tests.

For more information on specific configurations and a list of all participants, read the full fact sheet here.

Malware Protection Test 

In this test, the products were tested with 1,311 different malware samples. Based on criteria defined by AV-Comparatives in their report, the products were given parameters to detect the malware samples.

So far, AMP for Endpoints is one of eight products to have a malware protection rate of 99.8% or higher. In addition to this extremely high detection rate, AMP for Endpoints registered 0 false alarms on common business software.

AV-Comparatives also performed tests on non-business software. This will not affect the final “Approved Business Product” rating they deliver, but the results are notable as it helps to demonstrates how well a product can really delineate between good and bad. Cisco AMP for Endpoints was granted the highest rating of “very low “which denotes 0-5 false positives on non-business software.

Cisco AMP for Endpoints consistently pledges to deliver elite threat detection, investigation, and response. The 99.8% malware protection rate so far highlights Cisco AMP for Endpoint’s ability to deliver on that pledge. At the same time, the low number of false positives shows that Cisco AMP for Endpoints does not need to bog down IT professionals with useless alerts allowing them to focus on what’s really important.

Real-World Protection Test

Over the course of two months, the products encountered 389 test cases. Of the 389 test cases, Cisco AMP For Endpoints has blocked all but three while producing ZERO false alarms. Resulting in a 99.2% protection rate so far. Cisco AMP For Endpoints is only one of three products to have zero false alarms. Others have already flagged up to 18 false alarms.

Conclusion

It is important to note that this test has not concluded. We are, however, very excited for a continued strong showing from Cisco AMP for Endpoints in the second half of the test. So far, Cisco AMP for Endpoints has already shown an elite combination of threat detection, investigation, and response combined with low false positives designed to empower IT professionals to quickly identify and respond to threats.

For more on the report, click here.

To try AMP for Endpoints for free, sign up for the free trial.

Memory analysis is the ground truth

In recent years, enterprises have adopted next-gen endpoint protection products that are doing an admirable job detecting anomalies. For example, searching for patterns such as remote access to memory, modification of specific registry keys and alerting on other suspicious activities. However, typically anomalies only provide us with an indication that something is wrong. In order to understand the root problem, respond and ensure that a machine is entirely clean, we must search for the malicious … More

The post Memory analysis is the ground truth appeared first on Help Net Security.

Detecting credential theft through memory access modelling with Microsoft Defender ATP

Stealing user credentials is a key step for attackers to move laterally across victim networks. In today’s attacks, we see a range of tools used to achieve credential theft, requiring protections that target the root behavior and not just individual known tools as is often done by traditional antimalware software.

Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP), Microsoft’s unified endpoint protection platform, uses multiple approaches to detect credential dumping. In this post, we’ll discuss one of them: a statistical approach that models memory access to the Local Security Authority Subsystem Service (lsass.exe) process.

The lsass.exe process manages many user credential secrets; a key behavior associated with credential theft, and therefore common across many tools used by attackers, is to read large amounts of data from this process’ memory space.

Microsoft Defender ATP instruments memory-related function calls such as VirtualAlloc and VirtualProtect to catch in-memory attack techniques like reflective DLL loading. The same signals can also be used to generically detect malicious credential dumping activities performed by a wide range of different individual tools.

A statistical approach to detecting credential theft

Reviewing the behavior of multiple known tools, we see that the number and size of memory reads from the lsass.exe process related to credential dumping are highly predictable. The diagram below shows a (slightly simplified) view of this.

Fig1-number-of-read-perations-vs-number-of-bytes-read

By contrast, legitimate reads from the lsass.exe process, such as routine handling of users signing in, fall outside this cluster.

Microsoft Defender ATP uses such a model to discriminate between expected and unexpected accesses to lsass.exe process memory, and raise an alert in the latter case:

Fig2-Sensitive-credential-memory-read

Microsoft Defender ATP’s process tree view of the alert identifies the tool performing the suspicious credential access activity, in this example, sqldumper.exe. This is a legitimate administrator tool found on many database servers, but attackers have been known to abuse it to dump credentials to avoid the risk of downloading custom tooling that may be flagged by antimalware solutions.

Fig3-Alert-process-tree

Similarly, Microsoft Defender ATP detects attacker abuse of otherwise legitimate administrator tooling, such as the Microsoft Sysinternals tool ProcDump or Task Manager, when these are repurposed to dump lsass.exe process memory. Attackers take this approach, sometimes referred to as living-off-the-land, to avoid tools that they know are commonly detected as malicious. In the memory-dumping scenario described here, they may even exfiltrate the memory dump and perform the credential extraction offline rather than on the victim machine.

Over time we have also seen Microsoft Defender ATP identify several distinct custom tools using this memory modelling technique. A couple of open-source examples are shown here.

Fig4-Sample-open-source-tools

Foiling cyberattacks by stopping credential theft

In this blog post we illustrated one of several ways in which Microsoft Defender ATP detects credential theft. Security operations (SecOps) teams can use the alerts in Microsoft Defender ATP to quickly identify and respond to attacks: stopping credential dumping techniques empowers SecOps to resolve cyberattacks before the latter stages, such as lateral movement, command-and-control, and exfiltration.

Microsoft Defender ATP uses rich security data, advanced behavioral analytics, and machine learning to detect attacks. Enhanced instrumentation and detection capabilities in Microsoft Defender ATP can better expose covert, sophisticated attacker techniques like credential theft and other in-memory attacks. Microsoft Defender ATP demonstrated its strength in detecting credential dumping and other high-impact attacker techniques in MITRE’s evaluation of EDR solutions.

Microsoft Defender ATP contributes to and benefits from security signals shared across Microsoft’s security solutions through Microsoft Threat Protection, which provides seamless, integrated, and comprehensive security across multiple attack vectors. The enriched security data drives stronger protection and the orchestration of threat remediation across identities, endpoints, email and data, apps, and infrastructure.

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

To learn more about Microsoft Threat Protection, read our monthly updates on the evolution of this comprehensive security solution.

 

 

Rob Mead and Tim Burrell
Microsoft Threat Intelligence Center

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Follow us on Twitter @MsftSecIntel.

 

The post Detecting credential theft through memory access modelling with Microsoft Defender ATP appeared first on Microsoft Security.

We Are Ready on Day One for Our Linux Customers

Our customers look to McAfee to ensure that their enterprises are protected from the changing threat landscape. That’s why we’ve worked with Red Hat, the world’s leading provider of open source solutions for Linux, to ensure that we were part of the entire process leading up to today’s announcement of Red Hat Enterprise Linux 8 (RHEL8). We’ve been working extensively with Red Hat throughout the pre-release process to ensure that you get the threat protection you desire on the day the new operating system is released.

If you’re already one of our McAfee Endpoint Security for Linux customers, this means you can take advantage of vast hardware and virtualization support as well as cloud integration support on whether you’re using on-prem ePO or McAfee MVISION.

McAfee Endpoint Security for Linux 10.6.2 now provides zero-day support for RHEL8. Red Hat Enterprise Linux is a significant proportion of the install base among our customers. It’s important that we provide timely and crucial support for the latest release of RHEL8 so our customers can take advantage of the improvements and efficiencies available on the platform.

McAfee Endpoint Security for Linux 10.6 provides three important features that benefit our customers:

  • Support for Docker containers
  • CPU throttling
  • Centralized management capabilities of native firewall

Container adoption has been rising steadily among our customer base. By supporting McAfee Endpoint Security for Linux on docker containers, our customers can be confident that their container deployments are protected with the same solution that they currently deploy on their servers.

CPU throttling limits the consumption of CPU resources, allowing our customers to efficiently manage when an on-demand scan deploys, thus enhancing the usability of the solution in a low-resource environment.

Centralizing and simplifying management capabilities of native functionality, such as the firewall, through a familiar interface allows administrators to quickly react and enforce firewall policies, reducing the time to deploy and gain operational efficiency.

To learn more about McAfee Endpoint Security, visit our website.

The post We Are Ready on Day One for Our Linux Customers appeared first on McAfee Blogs.

Confused about Cybersecurity Platforms? We Can Help.

“Cybersecurity platform” continues to be an industry buzzword. Vendors talk about it at industry events, and many analysts. But can every vendor claim to offer a platform and also be credible? More importantly, how does that help your business? The security industry has evolved by responding to emerging threats with new, shiny tools, resulting in many disparate tools. Most organizations (over 60%, according to ESG research) are looking to consolidate security vendors. This trend for fewer tools is also showing better results. A recent Cisco CISO Benchmark Study cited organizations with fewer vendors saw less than 5,000 alerts per day versus 10,000 alerts (over 66% of organizations). Teams were able to focus on more important work like remediation and those with less than 10 vendors had higher average response rates. But fewer vendors can mean fewer management consoles reducing the complexity. Fewer siloed vendors may be a step to a cybersecurity platform. It seems to be a driver for a platform approach or integrated architecture, as suggested by a customer in the Cisco report.

If we can reduce the vendor footprint and have a more integrated architecture, that helps us significantly. I would rather have more automation on the back-end through an integrated architecture than having to slap something on top of it and write some new scripts to bring it all together.” —Cisco CISO Report 2019

What is a Cybersecurity Platform?

ESG Research dug deeper into this platform appeal by surveying organizations to learn their desire for a cybersecurity platform and what the top attributes for this platform are. The attributes help provide a definition of a cybersecurity platform and fall into three driver buckets: Must Be Comprehensive, Make It Simple, and Embrace the Cloud.

 

 

 

 

How Does McAfee Stack Up?

This is a good list to use to evaluate if you are looking to take a cybersecurity platform approach. McAfee reviewed the ESG criteria to test our platform approach and found that we are 100% on target. See the results in the ESG paper McAfee’s Enterprise-class Cyber Security Technology Platform.

Core to the McAfee platform is industry-acclaimed McAfee ePolicy Orchestrator. There’s also the mature and proven messaging fabric, Data Exchange Layer (DXL), which connects and optimizes across security functions and provides real-time threat intelligence to the entire security ecosystem. Our customers agree—watch our video about Prime Therapeutics. They are detecting threats and correlating data with McAfee ePO, DXL, McAfee Threat Intelligence Exchange, and McAfee Active Response.

Who Are the Platform Players?

Looking at the attributes, not all vendors can meet the criteria. Most security vendors offer just one distinct security tool. Offering a platform requires a vendor to have an integrated portfolio and/or willingness to easily integrate with other security functions. If they do match the criteria, you can dig deeper to find a few “gotcha” items.

Most organizations believe that taking a platform approach for their cybersecurity will yield higher efficacy and stronger operational efficiencies. These metrics can translate into better business outcomes like saving $1 million when an organization can respond efficiently to contain a cyberattack within 30 days of a data breach (IBM Cost of Data Breach Study 2018).

McAfee has held the position for years that security working together is better. Comment below with your cybersecurity platform perspective.

The post Confused about Cybersecurity Platforms? We Can Help. appeared first on McAfee Blogs.

Effective Endpoint Security Strategy 101

Every organization wants to expedite processes, reduce costs, and bolster their staff. And in today’s modern digital world, these objectives are largely attainable, but can occasionally come with some unwarranted side effects. With all the devices an organization uses to achieve its business’ goals, things can occasionally get lost in the shuffle, and cybersecurity issues can emerge as a result. Balancing your business’ objectives while ensuring your organization’s data is secure can be a challenge for many. But that challenge can be assuaged by addressing cyberthreats at the start – the endpoint. Adopting an effective endpoint protection strategy is crucial for a modern-day organization and defines a strong security posture. In fact, the importance of endpoint security has even caught the eye of venture capitalist firms, who are investing billions a year in the cybersecurity sector. But what exactly are the components of a successful endpoint security strategy? Let’s break it down.

Ensure the Basics Are in Place

If there’s one thing my previous experience with consumer security has taught me, it’s that the proliferation of connected devices is showing no signs of slowing. The same goes for the connected devices leveraged by businesses day in and day out. Organizations often give multiple devices to their workers that will be used to communicate and contain crucial business-specific information. These devices are used by employees that go just about anywhere and do just about everything, so it’s important businesses equip their people with the tools they need to protect these devices and the data they safehouse.

The first important tool – VPNs, or Virtual Private Networks. The modern workforce is a mobile one, and professionals everywhere are carrying their devices with them as they travel and connect to public Wi-Fi networks. Public Wi-Fi networks are not typically the most secure, and VPNs can help ensure those mobile devices connect securely to avoid potentially exposing data.

These devices should always have strong authentication as well, which acts as the first line of defense for any security issues that arise. Remind everyone that their devices should be locked with a strong and complex password that acts as the gatekeeper for their device. That way, the company will be protected if that individual endpoint device becomes lost or stolen.

Empower Your Employees to Do Their Part

One of the most important tools to equip your employees with is proper security training. In order to keep endpoint devices safe and networks secure, employees should undergo regular security training sessions. This training should keep everyone up-to-date on the latest threats, the necessary precautions they need to take when browsing the web, and how their individual devices can impact an organization’s network.

One main point to hit upon during employee security training – the importance of updates. Updating your device software can feel like a menial task, but the gravitas behind the ask cannot be understated. Outdated software was the cause of the WannaCry global cyberattack and will be a differentiator moving forward for when attacks do come after individual endpoint devices.

Make Predictive Technology an Essential

Now, in order to anticipate major cyberattacks like WannaCry, adopting predictive technology for your endpoint security strategy is of the utmost importance, as these innovations can be used to guide your incident response strategy. Take it from hundreds of IT professionals, who in a recent SANS survey expressed that predictive technologies – such as machine learning (ML) and artificial intelligence (AI) – are required in order to go from already knowing bad elements to focusing on identification of abnormal behavior.

ML and AI technology are also particularly crucial for visibility. This technology can empower security teams to gain insight into their endpoint detection and response systems, which automatically reduces the time required to address threats. Therefore, businesses need to have this predictive technology in place to anticipate and quickly gain insight into all threats affecting their organization’s network.

Adopt Innovative Technology

For those unsure where to start when it comes to AI and ML, there’s good news – there are actually endpoint security solutions out there that have predictive technology included in their build. Solutions such as McAfee MVISION Mobile and McAfee MVISION Endpoint have machine learning algorithms and analysis built into their architecture to help identify malicious behavior and attack patterns affecting endpoint devices.

Innovative solutions such as these will act as the cherry on top of your endpoint security strategy. So, it is crucial to take the time to invest in the right technology, irrespective of the nature of your enterprise. By creating the right combination of process and product, your organization’s network will be secure, and you won’t have to pick between business growth and a healthy security posture.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business, and read more in our latest paper: Five Ways to Rethink Your Endpoint Protection Strategy.

The post Effective Endpoint Security Strategy 101 appeared first on McAfee Blogs.

Why Traditional EDR Doesn’t Solve Today’s Modern Threats

Today’s cyberattacks are more advanced and complex than ever before. It’s no surprise that enterprises can no longer rely on traditional endpoint detection and response (EDR) solutions to protect against the evolving threat landscape. With the amount of data rapidly expanding in conjunction with an increasing number of endpoints, enterprise IT departments are facing new management and security challenges. EDR can provide businesses with another layer of threat detection in a multilayered security approach.

Cyberthreats Have Evolved, So Should Your Security

The impact of a cyberattack is no longer siloed to one employee’s device. It has the ability, speed, and scope to impact your entire business in mere seconds. And it’s hard not to think of cybersecurity as being the never-ending game of cat-and-mouse, with cybercriminals constantly developing new skills, updating code, and deploying new tactics to get inside your endpoints. But instead of your organization trying to play catch up, get ahead of malicious actors by developing a comprehensive security strategy to prevent attacks before they happen.

Many cyberthreats use multiple attack mechanisms, which means just one form of security is no longer enough to keep your entire enterprise secure from malicious actors. And although some anti-virus software can’t keep up with new malware or variants of known malware, it still plays an important role in a multilayered approach for a robust cybersecurity strategy. Endpoint detection and response is also essential when developing a comprehensive security approach. It offers a threat detection capability, allowing your next-generation solution to track down potential threats if they break through the first layer of your digital perimeter.

The Importance of EDR

The SANS Endpoint Protection and Response Survey reports that 44% of IT teams manage between 5,000 and 500,000 endpoints across its network. Each of these endpoints become an open door for a potential cyberattack. Given the increasing number of endpoints, organizations are beginning to understand that they’re more susceptible to breaches and are willing to adopt a multilayered security approach to prevent as many attacks as possible.

With endpoint detection and response, organizations have granular control and visibility into their endpoints to detect suspicious activity. There are new features and services for EDR, expanding its ability to detect and investigate threats. An EDR solution can discover and block threats in the pre-execution stage, investigate threats through analytics, and help provide an incident response plan. Additionally, some EDR solutions can leverage AI and machine learning to automate the steps in an investigative process. These new capabilities can learn an organization’s baseline behaviors and use this information, along with a variety of other threat intelligence sources, to interpret findings.

Incorporating EDR Into Your Security Strategy

The adoption of EDR is projected to increase significantly over the next few years. According to Stratistics MRC’s Endpoint Detection and Response – Global Market Outlook (2017-2026), sales of EDR solutions—both on-premises and cloud-based—are expected to reach $7.27 million by 2026, with an annual growth rate of nearly 26%.

When adopting EDR into your security portfolio, the application should have three basic components: endpoint data collection agents, automated response, and analysis and forensics. McAfee MVISION Endpoint Detection and Response (EDR) helps you get ahead of modern threats with AI-guided investigations that surface relevant risks and automate and remove the manual labor of gathering and analyzing evidence.

For more information on endpoint detection and response, check out our Security Awareness page and the McAfee Endpoint Security portfolio of products.

The post Why Traditional EDR Doesn’t Solve Today’s Modern Threats appeared first on McAfee Blogs.

From Mobile and ISP to Endpoint Engineering: Undergoing a Role Transition in the Security Industry

The technology around us is constantly changing, and cybersecurity practices are evolving to match these new innovations. As the cybersecurity landscape shifts to meet the needs presented by new technology, opportunities arise for cybersecurity professionals to step into new roles – an experience I recently underwent myself. I’ve recently shifted from McAfee’s Mobile and ISP Business Unit to our Enterprise Endpoint Engineering team, a transition that has given me the opportunity to leverage what I’ve learned in the industry and step forward as a leading woman in tech.

Through this process, I’ve seen first-hand how growth opportunities within the cybersecurity field are beneficial for both individuals and the future of the security industry as well. For example, my transition allows me to apply my past experience and knowledge to a new area of security. Previously, I specialized in engineering solutions that protected mobile, IoT, and smart home devices. However, with my transition into this new role, I am still protecting individual endpoint devices, but rather in a new type of environment — an organization’s network.

Just like the ever-growing number of IoT devices connecting to users’ home networks, endpoint devices are popping up everywhere in corporate networks these days. As we add more endpoint devices to corporate networks, there is a growing need to ensure their security.  Endpoint security, or endpoint protection, are systems that protect computers and other devices on a network or in the cloud from security threats. End-user devices such as smartphones, laptops, tablets, and desktop PCs are all classified as endpoints, and these devices are all now rapidly connecting to an organization’s network with every employee, partner, and client that enters the building. That’s why it’s imperative companies prioritize a robust and agile endpoint security strategy so that all of their network users can connect with confidence. Similar to securing all the personal devices on a home network, it’s a sizable challenge to secure all corporate endpoints. And my new team, the McAfee Enterprise Endpoint Engineering group, is here to help with exactly that.

Leading consumer engineering taught me how to make security simple for a home user’s consumption. How to protect what matters to a user without them being experts on the threat landscape or security vulnerabilities, security breaches and campaigns around device, data, cloud and network. This is something I plan to bring to the new role. Leading a business unit focused on delivering security through mobile carriers and ISPs taught me the strength of bringing together an ecosystem both on technology and the channel to solve end users’ security needs in a holistic way. That ecosystem view is another that I bring to this role, besides leading engineering from the lens of growing the business.

This transition is not only exciting from a personal perspective but also because it is a testament to the progress that is being seen across the cybersecurity industry as a whole. There’s a lot to be said about the vast opportunities that the cybersecurity field has to offer, especially for women looking to build a career in the field. Cybercriminals and threat actors often come from diverse backgrounds. The wider the variety of people we have defending our networks, the better our chances of mitigating cyberthreats. From there, we’ll put ourselves in the best position possible to create change – not only within the industry but within the threat landscape as a whole.

The post From Mobile and ISP to Endpoint Engineering: Undergoing a Role Transition in the Security Industry appeared first on McAfee Blogs.

Mobile Threat Report Commentary: Mobile Malware is Not Going Away

Employees use their mobile devices to be proactive and stay connected in both their personal and work lives. The movement to the cloud has allowed employees to check email, download documents, and share information that may contain sensitive information, even when they’re not on an enterprise network. Businesses must protect their enterprise environments and combat threats that target their employees as average consumers.

McAfee research shows that every mobile-enabled device is subject to some type of malicious exploit. In 2018, McAfee researchers discovered mobile malware named TimpDoor, which turned Android devices into hidden proxies. But in 2019, businesses should be prepared for malware that goes beyond mobile devices too.

Detections of backdoors, cryptomining, fake apps, and banking Trojans all increased substantially in the second half of 2018 and attacks on other connected household devices gained momentum as well. While hidden apps like Adware remain by far the most common form of mobile malware, others are growing and learning how to infect other devices.

Mobile devices are becoming a hub for ransomware and malware developers. One common thread through much of the mobile attack landscape is the quest for illicit profits. Criminals are looking for ways to maximize their income and shift tactics in response to changes in the market.

“75% rise in banking Trojans, enabling cybercriminals to steal financial credentials from mobile devices”

“550% increase in mobile malware realized by the end of 2018”

Weak to non-existent security controls from manufacturers and a lack of simple evasion techniques, such as changing the default username and password, make connected devices in the home and workplace targets for cybercriminals.

Although mobile devices have become key enablers for business productivity and connectivity, they’re still the greatest risk to enterprises today. This changes how enterprises need to secure the mobile devices that connect to their environment. Enterprises must invest in endpoint security solutions to protect themselves from the evolving threat landscape. Mobile is one of the fastest growing endpoints and needs to be protected just as much as laptops and desktop computers.

McAfee has addressed the growing need by introducing the MVISION portfolio family, which provides IT administrators with comprehension and control through one single management console. McAfee MVISION Mobile provides on-device detection, local (end user) threat remediation, visual mapping of nearby dangerous networks, customizable on-device user notifications, and advanced threat detection. This provides the enterprise-class threat defense that businesses today need to be secure.

Read the McAfee Mobile Threat Report to learn more about protecting your employees’ mobile devices from malware and other cyberthreats.

The post Mobile Threat Report Commentary: Mobile Malware is Not Going Away appeared first on McAfee Blogs.

Your Mobile Phone: Friend or Foe?

Where would we be without our mobile phones?  Our kids, boss, friends – so many people reach out to us via our mobile phone.  And unfortunately, hackers have also started reaching out – in major ways. The severity of attacks on mobile devices is often underestimated. It is now common to have employees use their phones for work-related tasks when they are not within the perimeter of their corporate firewall, giving cybercriminals the opportunity to access sensitive information if and when they hack into an employee’s phone. Let’s take a closer look at some of the common mobile threats that put your business at risk and how to prevent them.

App-Based Threats

Although new mobile malware declined by 24% in Q3 2018, per our latest Quarterly Threats Report, app-based threats still dominate the threat landscape. Malicious actors use social engineering techniques by asking users to update their applications by uninstalling the real app and re-installing a malicious one. With one click, malware can be installed on your mobile device.

Many app-based threats can evolve into more insidious attacks and can go beyond exploiting your personal information. An attacker’s initial goal is to get access and all they need is one vulnerable employee to fall victim to an app-based threat. Once the attacker gains access to an employee’s personally identifiable information (PII) or credentials, they can hijack accounts, impersonate the employee, and trick other employees into divulging even more sensitive corporate data.

Late last year, the McAfee Mobile Research team discovered an active phishing campaign that uses text messages (SMS) to trick users into downloading and installing a fake voice-message app. The app allowed cybercriminals to use infected devices as network proxies without the users’ knowledge.

This year, we expect to see an increase in underground discussions on mobile malware—mostly focused on Android—regarding botnets, banking fraud, ransomware, and bypassing two-factor authentication security.

Risky Wi-Fi Networks

Using public Wi-Fi is one of the most common attack vectors for cybercriminals today. With free public Wi-Fi widely available in larger cities, it has become a convenient way to access online accounts, check emails, and catch up on work while on the go. The industry has seen network spoofing increase dramatically in the past year. To put this into perspective, picture a hacker setting up a rogue access point in a public place like your local bank. A hacker will wait for you to connect to Wi-Fi that you think is a trusted network. Once the hacker gains access, they’re connected to your mobile device. They’ll watch remotely as you access sensitive information, revealing log-in credentials, confidential documents, and more.

Whether you are at home or working remotely, network security needs to be a high priority.

Device Attacks

Cybercriminals have various ways of enticing users to install malware on their mobile devices. Ad and click fraud is a growing concern for device attacks, where criminals can gain access to a company’s internal network by sending an SMS phish. These types of phishing attempts may start as adware, but can easily spread to spyware to the entire botnet.

Another growing concern with mobile device threats is when malware is hidden in other IoT devices and the information obtained by the hacker can be used as an entry point to your mobile device or your company network. With IoT malware families rapidly being customized and developed, it’s important for users to be aware and know how to protect themselves.

How to Better Protect Your Mobile Device

 

Mobile devices have all the organizational information that traditional endpoints have. McAfee® MVISION Mobile lets you protect against threats to your employees and your data on iOS and Android devices like you do on your PCs. With MVISION Mobile, you can manage the defense of your mobile devices alongside your PCs, IoT devices, servers, and cloud workloads inside McAfee ePolicy Orchestrator (McAfee ePO) with unified visibility into threats, integrated compliance reporting, and threat response orchestration.

The most comprehensive mobile device security is on the device itself, and MVISION Mobile delivers unparalleled on-device protection. Visit our web site for more information, and a product tour.

The post Your Mobile Phone: Friend or Foe? appeared first on McAfee Blogs.

Shut Down Unlikely Attack Vectors in Your Organization

As a security professional, I probably take security more seriously than most. But when we start talking about the Internet of Things (IoT), the science fiction buff in me comes to the forefront a little bit. While we don’t want any kind of attacks to happen to our organizations, it can be a little fun to imagine the crazy ways hackers can use mundane appliances to hack into a network.

For example, earlier this year, a North American casino was hacked through a smart fish tank. Since the equipment in the tank was connected to the Internet, attackers were able to use that as their vector for network access. Fortunately, the breach was discovered quickly afterward—and you never want to hear about security breaches like this, but it certainly does make for a unique story.

That highlights the risks that are out there today. If you’re connected to the Internet, you are vulnerable to attacks. With IoT and the proliferation of smart devices, we’re starting to see some creativity from hackers that is not necessarily being counteracted with the appropriate level of security controls. That fancy fish tank certainly didn’t have the appropriate level of security controls. Having “regular” devices connect to the Internet can bring flexibility and manageability, but it also opens up more vulnerabilities.

That risk is something that everybody needs to understand. Basically, like any good risk owner, you need to think about what device you have, how it’s connecting, where it’s connecting to, and whether or not that connection has a level of security that meets your policy and control expectations. Honestly, what I’ve seen is that because of the easy and seamless connectivity of these smart devices, a lot of organizations are not thinking about necessary security measures. They aren’t quite seeing that a fish tank or a biomedical device or even an HVAC system can be just as vulnerable to attack as a server or application.

So how do you keep your network and data safe and still take advantage of the benefits of the IoT? Employ the same techniques I spoke of last week: protect, detect, and react. Assess, document, and validate risks. Make sure that you have a complete and total information security risk management or risk governance program. Apply these techniques and programs to every single device on your network, no matter how low-level it may seem. Something as normal as a thermostat or refrigerator could be a gateway for a hacker.

Our experts can help you assess your environment for risks and vulnerable points in your network, and help you put together a comprehensive security program that doesn’t leave out anything—even your lobby fish tank or break room fridge.

The post Shut Down Unlikely Attack Vectors in Your Organization appeared first on Connected.