Five worthy reads is a regular column on five noteworthy items we’ve discovered while researching trending and timeless topics. In this edition, we’ll learn about the worst data breaches that happened recently, their impact, and the cost of data breaches for companies. The COVID-19 pandemic has not only had an impact on the mental and physical health of employees, but on the digital health of organizations around the world.

If you are debugging issues with a host, it is quite common to want to make changes to CFEngine policy, and speed up the process of fetching, evaluating and reporting for that host. You can do this by running cf-runagent and cf-hub from the command line, now we’ve brought this functionality into Mission Portal.

This release brings 50 enhancements, up from 43 in Kubernetes 1.20 and 34 in Kubernetes 1.19. Of those 50 enhancements, 15 are graduating to Stable, 14 are existing features that keep improving, and a whopping 19 are completely new. It’s great to see old features, that have been around as long as 1.4, finally become GA. For example CronJob, PodDisruptionBudget, and sysctl support.

In April 2020, MalwareHunterTeam found a number of suspicious files in an open directory and posted about them in a series of tweets. Trend Micro later confirmed that these files were part of the first cryptojacking malware by TeamTNT, a cybercrime group that specializes in attacking the cloud—typically using a malicious Docker image—and has proven itself to be both resourceful and creative.

Several years back before the COVID-19 pandemic hit and the work-from-home shift took hold, we wrote a blog about how the mobile-centric zero trust framework removed the traditional perimeter security controls to protect the corporate enterprise network and all connected endpoints from cybercriminals.

Hey there, We recently ran a series of webinars* on how different-sized cybersecurity teams modernized their security operations and embedded polling questions within the webinars to gather some feedback. A set of possible answers was selected based on the ENISA NIS Investments report. In this blog post I’d like to share the results of the polls and the conclusions we can draw from them.

In January and February of 2021, the threat actor called Hafnium used a number of post-exploitation tools after gaining access to Exchange servers through a zero-day exploit. One of their persistence methods was creating new user accounts in the domain, giving them the ability to log back into the network using normal authentication rather than use a web shell or continue to re-exploit the vulnerability (which has since been patched).

From May 2021, Google is using ‘Core Web Vitals’ as a brand new ranking signal. Google states that business owners should monitor and improve their scores to avoid damaging their organic SEO. In this blog, we will explain how to improve Core Web Vitals scores. To discover the specific issues affecting your users’ experience, we strongly advise having a Core Web Vitals audit.

“Where necessity speaks, it demands”. This old saying seems particularly apt right now with the pandemic forcing organizations to completely change the way they think about their IT networks. That rapid shift to remote work has resulted in a massive demand for cloud-based services.

GCP audit logs are a powerful tool that track everything happening in your cloud infrastructure. By analyzing them, you can detect and react to threats. Modern cloud applications are not just virtual machines, containers, binaries, and data. When you migrated to the cloud, you accelerated the development of your apps and increased operational efficiency. But you also started using new assets in the cloud that need securing.

Lateral movement is a growing concern with cloud security. That is, once a piece of your cloud infrastructure is compromised, how far can an attacker reach? What often happens in famous attacks to Cloud environments is a vulnerable application that is publicly available can serve as an entry point. From there, attackers can try to move inside the cloud environment, trying to exfiltrate sensitive data or use the account for their own purpose, like crypto mining.

Implementing the AWS Foundations CIS Benchmarks will help you improve your cloud security posture in your AWS infrastructure. What entry points can attackers use to compromise your cloud infrastructure? Do all your users have multi-factor authentication setup? Are they using it? Are you providing more permissions that needed? Those are some questions this benchmark will help you answer. Keep reading for an overview on AWS CIS Benchmarks and tips to implement it.

Implementing effective threat detection for AWS requires visibility into all of your cloud services and containers. An application is composed of a number of elements: hosts, virtual machines, containers, clusters, stored information, and input/output data streams. When you add configuration and user management to the mix, it’s clear that there is a lot to secure!

I have a setup at home where I keep a local git server running on a Raspberry Pi 3 which contains personal/work journal, dotfiles and a personal policy repository. It was set up manually so before adding a new git repository for a family password store I set about retrofiting the configuration in CFEngine. The goal in this blog is to ensure that what I have already is managed by CFEngine and that what I want to add, /srv/git/passwords.git, is created.

If you haven’t been living under a rock for the past few weeks, you've probably come across the recent Microsoft Exchange Server vulnerabilities and its associated exploits.Stop!!! The first thing you should do is to go and patch any Exchange servers you may be running, then you can come back and finish reading this blog. Microsoft's blog provides links to various tools to help in this regard.

In SecOps, knowing which host processes are normally executed and which are rarely seen helps cut through the noise to quickly locate potential problems or security threats. By focusing attention on rare anomalies, security teams can be more efficient when trying to detect or hunt for potential threats. Finding a process that doesn’t often run on a server can sometimes indicate innocuous activity or could be an indication of something more alarming.

As an MSSP (Managed Security Service Provider), HIPAA Vault relies on CFEngine to automate & secure their infrastructure on behalf of their customers. HIPAA Vault has been a longtime CFEngine Community user since 2012 and recently upgraded to Enterprise in order to boost their infrastructure visibility through Mission Portal and features like Compliance Reporting that help them provide a more secure & compliant cloud hosting solution.

In the blink of an eye, you can miss a new business disrupting security incident. We all recognize that cybersecurity breaches are increasing in volume and sophistication. How we respond to them is critical. Security vulnerabilities force organizations to go outside of their daily activities to execute out-of-band responses. We face numerous challenges in managing security risk.

With the new Contexts API release, developers can save their team valuable time while enhancing security practices. We know maintaining your organization’s security is crucial. There is the need to meet strict compliance guidelines, such as FedRAMP and GDPR, and what seems to be an increasing number of breaches, like the compromise of over 150,000 video security cameras as a result of a targeted Jenkins server.

Organizations are migrating an increasing amount of their infrastructure into the cloud. The cloud provides organizations with a number of benefits like greater scalability, improved reliability and faster time to value. However, these potential benefits can be offset if security is an afterthought.

For logs and tracking insider threats, you need to start with the relevant data. In these turbulent times, IT teams leverage centralized log management solutions for making decisions. As the challenges change, the way you’re monitoring logs for insider threats needs to change too. Furloughs, workforce reductions, and business practice changes as part of the COVID stay-at-home mandates impacted IT teams.

From exposing your network vulnerabilities to becoming a passageway for intruders, open ports can pose several risk vectors that threaten your network’s confidentiality, integrity, and availability. This is why it’s a best practice to close your open ports. To tackle the risks introduced by open ports, network admins rely on port scanning tools to identify, inspect, analyze, and close open ports in their networks.

One of the major concerns when moving to the cloud is how to approach AWS S3 security. Companies may have moved their workflows to Amazon, but are still cautious about moving their data warehouse. And that is totally understandable. We have all heard about data breaches in companies like Facebook, GoDaddy, and Pocket. It’s important that access to information is done properly, in a limited and controlled fashion, to avoid such breaches.

Welcome to another monthly update on what’s new from Sysdig. Our team continues to work hard to bring great new features to all of our customers, automatically and for free! This month was mostly about compliance and a PromQL Query Explorer! Have a look below for the details. We have added a number of new compliance standards to our compliance dashboards page, making it even easier for our customers to quickly (and continuously!) check how well they’d do from an audit.

We are very excited to announce the official release of Ivanti Desktop and Server Manager Remote Control - A new Remote Control solution based on Ivanti technology! Ivanti continues to provide useful tools to support our customers in the Everywhere Workplace – especially in times where remote work is more often the norm rather than the exception.

In almost every case, APIs have changed how modern applications connect to their data. Mobile apps, single-page web apps, IoT devices, integration hooks between software—all of these things rely on APIs to fetch, update, delete, and create data. In fact, one set of APIs might serve as the backbone of a website, mobile app, voice assistant device, and more, meaning one data store owns a treasure trove of information about us, the human users.

Let’s take a moment and think about security in your organization. Security is often separate from other engineering teams such as development, operations, networking, IT, and so forth. If you narrow down your focus to specifically releasing new software or features and functions in existing software, you’ll find that while development and operations are working together very quickly and efficiently, they’re still vaulting these functions and features over to security.

Lateral Movement describes techniques that adversaries use to pivot through multiple systems and accounts to improve access to an environment and subsequently get closer to their objective. Adversaries might install their own remote access tools to accomplish Lateral Movement, or use stolen credentials with native network and operating system tools that may be stealthier in blending in with normal systems administration activity.

Every security team should utilize security frameworks in their strategy and tactics to help reduce risk from common cybersecurity threats. Security frameworks guide organizations on how they should develop, build, and maintain their IT security policies and procedures while sharing best practices for meeting compliance requirements. Healthcare operations in particular are often presented with increasing regulatory scrutiny and obligations that must be met in order to be competitive.

When a website is compromised to steal credit card information, a link to a malicious JavaScript file is normally inserted into the website’s code. This file then loads what is called the skimmer, the code responsible for skimming personal and financial details from customers.

The use of honeypots in an IT network is a well-known technique to detect bad actors within your network and gain insight into what they are doing. By exposing simulated or intentionally vulnerable applications in your network and monitoring for access, they act as a canary to notify the blue team of the intrusion and stall the attacker’s progress from reaching actual sensitive applications and data.

A Certificate Revocation List (CRL) is a list of certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. Those certificates should no longer be trusted. A client application such as an Icinga Agent can use a CRL to verify that the certificate of the server is valid and trusted.

TierPoint is a leading provider of secure, connected data center and cloud solutions at the edge of the Internet with thousands of customers. At TierPoint, I’m responsible for maintenance and development of the information security program, which includes threat analytics, incident response, and digital forensics. We’re constantly looking for new and even more effective ways to aggregate, process, and make decisions from massive amounts of data streaming in from diverse sources.

Marie Kondo, a Japanese organizational consultant, helps people declutter their homes in order to live happier, better lives. She once said: Similarly, in security, operational teams are constantly bogged down by a “visible mess” that inhibits their ability to effectively secure their organization.

At Elastic Security, we approach the challenge of threat detection with various methods. Traditionally, we have focused on machine learning models and behaviors. These two methods are powerful because they can detect never-before-seen malware. Historically, we’ve felt that signatures are too easily evaded, but we also recognize that ease of evasion is only one of many factors to consider.

AWS Fargate is a technology that you can use with Amazon ECS to run containers without having to manage servers or clusters of Amazon EC2 instances. With AWS Fargate, you no longer have to provision, configure, or scale clusters of virtual machines to run containers. This removes the need to choose server types, decide when to scale your clusters, or optimize cluster packing. In short, users offload the virtual machines management to AWS while focusing on task management.

Today, AWS announced the general availability of Amazon ECS Exec, a powerful feature to allow developers to run commands inside their ECS containers. Amazon Elastic Container Service (ECS) is a fully managed container orchestration service by Amazon Web Services. ECS allows you to organize and operate container resources on the AWS cloud, and allows you to mix Amazon EC2 and AWS Fargate workloads for high scalability.

Government IT organizations must demonstrate and maintain compliance with a large and growing number of regulations and standards around network access control (NAC), ensuring that all connected devices to their environment are not vulnerable is a key requirement. Comply to connect (C2C) simplifies this by enforcing that patches and hardened configurations are applied to devices before they connect and updated continually.

Five worthy reads is a regular column on five noteworthy items we discovered while researching trending and timeless topics. In this week’s edition, let’s explore how quantum computing works and how it impacts cybersecurity.

I thought my last blog, Visual Link Analysis with Splunk: Part 3 - Tying Up Loose Ends, about fraud detection using link analysis would be the end of this topic for now. Surprise, this is part 4 of visual link analysis. Previously (for those who need a refresher) I wanted to use Splunk Cloud to show me all the links in my data in my really big data set. I wanted to see all the fraud rings that I didn’t know about. I was happy with my success in using link analysis for fraud detection.

We’ve all become more conscious of the risk of online scammers and hackers, especially since we put more and more of our personal information into websites and apps on a daily basis. We’ve become more knowledgeable on the likes of data protection through EU regulations like GDPR and learned about how we “drop” cookies as we surf the web.

A huge portion of today’s corporate network is made up of mobile endpoints, such as laptops, tablet computers, and mobile phones. These are domain-joined and non-domain devices that require access to corporate assets to carry out everyday operations.

The Logz.io Cloud SIEM team is excited to announce a new free trial! You’ll be able to ship 1 GB of security events per day for 21 days. Cloud SIEM makes it easy to centralize, prioritize, and investigate security events, so you can respond to threats faster than ever. Check out this short demo video to see how it works. Sound interesting? Check out the instructions for our 21 day free trial below!

The Elastic Common Schema (ECS) provides an open, consistent model for structuring your data in the Elastic Stack. By normalizing data to a single common model, you can uniformly examine your data using interactive search, visualizations, and automated analysis. Elastic provides hundreds of integrations that are ECS-compliant out of the box, but ECS also allows you to normalize custom data sources. Normalizing a custom source can be an iterative and sometimes time-intensive process.

How often do you check your event log monitor for potential security breaches? Did you know that many potential security breaches, events, and other problems are logged to event logs? Unfortunately, even the most skilled IT professionals have a hard time making sense of what to watch for that could indicate security issues or even a potential breach until it is too late. Event logs contain a ton of information that can be useful.

A ransomware attack is a bug that we can’t shake off. Or perhaps, it can even be called a shape-shifter that somehow finds a way into networks, no matter how many armed sentries you’ve deployed in and around your perimeter. The line between ransomware and a data breach is slowly fading. Threat actors prefer ransomware over other modes of attack because they work.

CVE-2020-13942 is a critical vulnerability that affects the Apache open source application Unomi, and allows a remote attacker to execute arbitrary code. In the versions prior to 1.5.1, Apache Unomi allowed remote attackers to send malicious requests with MVEL and OGNL expressions that could contain arbitrary code, resulting in Remote Code Execution (RCE) with the privileges of the Unomi application.

Microsoft recently announced a campaign by a sophisticated nation-state threat actor, operating from China, to exploit a collection of 0-day vulnerabilities in Microsoft Exchange and exfiltrate customer data. They’re calling the previously unknown hacking gang Hafnium. Microsoft has apparently been aware of Hafnium for a while — they do describe the group’s historical targets.

In the last 90 days, the news of cyberattacks on critical infrastructure has been stunning. From the unprecedented breach represented by Sunburst to the more recent bone-chilling attack at the Oldsmar water facility, the urgency to secure critical infrastructure in transportation, utilities, energy, water, critical manufacturing, telecommunications, healthcare, government facilities and the defense sector has never been higher.

CIS (Center for Internet Security) is a non-profit organization that aims to develop a best practice in relation to cyber security. The CIS benchmarks have been adopted by many organizations as the standard against which to measure their systems.

Learn how to prevent security issues and optimize containerized applications by applying a quick set of Dockerfile best practices in your image builds. If you are familiar with containerized applications and microservices, you might have realized that your services might be micro; but detecting vulnerabilities, investigating security issues, and reporting and fixing them after the deployment is making your management overhead macro.

Cloud API logs are a significant blind spot for many organizations and often factor into large-scale, publicly announced data breaches. They pose several challenges to security teams: For all of these reasons, cloud API logs are resistant to conventional threat detection and hunting techniques.

Microsoft Azure provides a suite of cloud computing services that allow organizations across every industry to deploy, manage, and monitor full-scale web applications. As you expand your Azure-based applications, securing the full scope of your cloud resources becomes an increasingly complex task. Azure platform logs record the who, what, when, and where of all user-performed and service account activity within your Azure environment.

The SolarWinds exploits have been widely reported, fully covered, and basically as we would say in Aussie – Done to Death Mate. But some of the info got me thinking, especially this article from my buddies at Microsoft which gives some great background and flows for that how the attacks were actually working. I’ve been working with Ivanti Application Control – formerly AppSense Application Manager for over 17 years.

Insider threats are becoming a growing concern across different industries. Most coverage goes to outside attacks, especially when it comes to big corporations and government agencies. However, internal security is something organizations need to take very seriously to avoid irreparable damages. Not many enterprises can afford internal threat detection programs. However, they can definitely adopt proactive measures to avoid them, especially when it comes to sensitive systems and data.

Passwords are dying. The cost of creating and maintaining passwords is becoming untenable. Which can be seen in the rise of users logging in with social products and developers outsourcing their pain to Auth0 and the likes. We decided to sidestep the password based authentication and went passwordless on our new product. Read on to see how you can go passwordless too.

You must secure your software supply chain. Now, more than ever, it is vital. For a long time, a primary concern in security was malicious actors exploiting inherent weaknesses in software. Privilege escalations, SQL injections, race conditions etc. These are, of course, still a concern and should be afforded the attention that they deserve. But now, there is another worry, one that is arguably even more important – A Supply Chain Attack.

We’re all familiar with the internet, especially since we use it to do almost all of our daily activities. Since the days of that familiar buzzing noise of AOL dial-up as it connected to somewhere out there in the stratosphere, we’ve been hooked on the internet and its vast space that holds endless amounts of information, ready for us to tap into right at our fingertips.

Any organization with data assets is a possible target for an attacker. Hackers use various forms of advanced cyberattack techniques to obtain valuable company data; in fact, a study by the University of Maryland showed that a cyberattack takes place every 39 seconds, or 2,244 times a day on average. This number has increased exponentially since the COVID-19 pandemic forced most employees to work remotely, and drastically increased the attack surface of organizations around the world.

ESG research on cyber risk management, which involved 340 cybersecurity professionals, revealed that 40 percent felt tracking patch and vulnerability management over time was their biggest challenge.

It is not only the COVID-19 pandemic and the associated rise of remote work that is shaping the everyday routine of network security practitioners. Let's take a look at 5 major trends in network security.

If you want just to see how to find HAFNIUM Exchange Zero-Day Activity, skip down to the “detections” sections. Otherwise, read on for a quick breakdown of what happened, how to detect it, and MITRE ATT&CK mappings.

When you have a team of security analysts that have a wide range of expertise, knowledge, and experience, it is natural to see the difference in the quality of work performed. One of the biggest challenges that security operation managers face when auditing the work performed is that some team members may execute different steps at different levels of rigor when investigating and remediating threats.

Hey there, The European Union Agency for Cybersecurity (ENISA) has recently published its NIS Investment report - a survey conducted on European organisations identified as Operator of Essentials Services (OES) and Digital Service Providers (DSP).

For anyone who works in cybersecurity, getting a tough job done with severely limited resources is all in a day’s work. But when funding allocations suddenly shift after essential programs are already under development, it can be hard for even the most creative, resilient CIOs and CISOs to keep up.

With our ability to ingest GCP logs and metrics into Splunk and Splunk Infrastructure Monitoring, there’s never been a better time to start driving value out of your GCP data. We’ve already started to explore this with the great blog from Matt here: Getting to Know Google Cloud Audit Logs. Expanding on this, there’s now a pre-built set of dashboards available in a Splunkbase App: GCP Application Template for Splunk!

It’s been noted that there are two types of organizations – those that have suffered a data breach, and those that will fall victim to a data breach sooner than later (most likely sooner). The hard truth of this statement is reflected in the fact that according to some sources 97% of networks will experience a security compromise over any given six-month period. And with a staggering 9.7 billion data records having been breached since 2013, these numbers are only rising.

The privilege escalation category inside MITRE ATT&CK covers quite a few techniques an adversary can use to escalate privileges inside a system. Familiarizing yourself with these techniques will help secure your infrastructure. MITRE ATT&CK is a comprehensive knowledge base that analyzes all of the tactics, techniques, and procedures (TTPs) that advanced threat actors could possibly use in their attacks.

The modern technology landscape is ever-changing, with an increasing focus on methodologies and practices. Recently we’re seeing a clash between two of the newer and most popular players: DevOps vs DevSecOps. With new methodologies come new mindsets, approaches, and a change in how organizations run. What’s key for you to know, however, is, are they different? If so, how are they different? And, perhaps most importantly, what does this mean for you and your development team?

Tigera, in collaboration with Microsoft, is thrilled to announce the public preview of Calico for Windows on Azure Kubernetes Service (AKS). While Calico has been available for self-managed Kubernetes workloads on Azure since 2018, many organizations are migrating their .NET and Windows workloads to the managed Kubernetes environment offered by AKS.

Did you know there are currently 4.20B social media users globally? That’s 53% of the total global population! From the most popular social media platforms like Facebook and YouTube, to the hottest up and coming platforms like TikTok and Clubhouse, there is one thing they all have in common: privacy regulations and considerations should be and need to be top priority. Ivanti’s Sr.

Imagine a world of passwordless authentication, where users anywhere on any device can become automatically validated before access is granted. Or what if I told you the phrase ‘enabling secure access effortlessly’ is what we do here at Ivanti? You might ask how.

Some tasks are better off automated. Paying bills on time? Automated payments. Orchestrating a coordinated response to security alerts and triaging security events? There’s Splunk Phantom for that. Monotonous tasks, in our work and personal lives, should and can be automated in order to free up time and energy to focus on the things that matter.