Preventative security should be driven by data and risk assessment, not compliance.

As organizations increasingly move their data and workloads to the cloud, securing cloud identities has become paramount. Identities are the keys to accessing cloud resources, and, if compromised, they enable attackers to gain access to sensitive data and systems.

Most attacks we see today are client-side attacks, in which attackers compromise someone's account and use their privileges to move laterally and access sensitive data and resources. To prevent this, you need visibility into your cloud's identity infrastructure. Unless you know the identity of all the people and objects that are accessing systems, their permissions, and their relationships, you won't have the context necessary to effectively assess your risk and take preventative measures.

A number of high-profile attacks illustrate this problem. A compromised cloud identity gave attackers access to SolarWinds' Orion software, where they deployed malicious code to thousands of their customers, including government agencies and Fortune 500 companies. Another example is the Microsoft Exchange attack, in which attackers exploited a vulnerability in Exchange to gain access to email accounts. From there, they stole sensitive data and sent phishing emails in an attempt to compromise other accounts.

For securing the cloud, I advise implementing an approach known as applied risk, which allows security practitioners to make decisions about preventative actions based on contextual data about the relationship between identities and what the downstream impacts of threats are in their specific environments. Here are some practical tips for adopting applied risk.

**Treat Cloud Protection as a Security Project, Not a Compliance Exercise**

For starters, shift your mindset. Gone are the simple days of client-server computing. The cloud environment is a complicated system of data, users, systems, and interactions between all of them.

Checking a series of boxes won't bring greater security if you don't understand how everything works together. Most teams take an unguided approach to preventive security, putting blind faith in the prioritization and remediation strategy put in place years ago. Yet security requires a bespoke approach tailored to every security team based on the organization's broader risk exposure. Not every "critical" alert from a security vendor is necessarily the biggest risk to that specific environment.

To accurately prioritize remediation and reduce risk, you must consider the entire attack surface. Understanding the relationships between exposures, assets, and users help you to determine which issues pose the greatest risk. When you take into account additional context, the "critical" finding may not be the biggest issue.

**Get Visibility Into Your Cloud Identity Infrastructure**

Next, visibility is key. To credibly identify the applied risk, you should do a comprehensive audit of all the identities and access control points in your cloud identity infrastructure. You need to know what resources you have in your environment, whether they're in the cloud or on-premises, how they're provisioned and configured, and other variables.

When securing the cloud, you can't only look at how cloud-specific resources are configured — you have to audit the identity aspect: virtual machines (VMs), serverless functions, Kubernetes clusters, and containers, for instance. One admin may have an account tied to AWS, an Active Directory account with a different role to log into their local systems, an account on GitHub, a Salesforce account, etc. You also have to consider things like the hygiene of the machines that the developers, DevOps, and IT teams are using. A successful phishing attack on a DevOps engineer can have a massive impact on the security posture of your cloud environments.

From there, you should map the relationships between identities and the systems they access. This is an important part of understanding your attack surface. Cloud-native application protection platforms (CNAPPs) are designed to help with this. Having a strong CNAPP platform gives the security team the ability to detect abnormal behavior around a particular identity and detect when configurations start to drift.

**Align Your Different Teams**

Once you have the identities and the relationships mapped out, you need to tie them to vulnerabilities and misconfigurations to determine where you are most vulnerable and start quantifying the applied risk. You can't create an effective remediation strategy without that.

But data and strategy will take you only so far. Teams tend to operate in silos, and each follows prioritization actions based on the specific software they are using, without communication with other teams or alignment on a holistic vision for minimizing risk. Because not every attack surface is the same, you need to structure the organization so that different skill sets can take mitigative action based on the variables specific to their environment.

When teams are coupled more closely, organizational risk drops. Let's say you have a cross-site scripting vulnerability in one of your Web applications. Wouldn't it make sense to prioritize any security or configuration issue associated with the infrastructure running that application? The inverse is also true. Does it not make more sense to address the vulnerability that is running in production or sitting on the Internet versus a vulnerability running in a dev environment with no chance of exploitation?

A large part of the reason security teams work in these silos is because the vendor landscape has kind of forced them to work this way. Until recently, there hasn't been a way to do the things I'm proposing here — at least not for anyone but the 1% of organizations that have vast security budgets and built in-house tools and teams.

To sum up, protecting identities — cloud and otherwise — requires adopting a mindset shift from compliance to a holistic security, applied risk approach that involves gaining visibility into your cloud infrastructure with CNAPP and aligning different teams on prioritizing remediation.

Securing Cloud Identities to Protect Assets and Minimize Risk

When investing in a unified endpoint management solution, prioritize the needs of your network and users ahead of brand names. This Tech Tip focuses on questions to ask.

A high-caliber, enterprise-grade unified endpoint management (UEM) solution is more critical than ever in today's remote, hybrid, and constantly fluctuating work landscape. If you're in procurement or finance, you're likely under a lot of pressure to choose the right one. You must drive operational efficiency through cost savings and overhead optimization.

For many organizations, Microsoft Intune (rebranded from Microsoft Endpoint Manager \[MEM\] and generally sold as part of an MS Enterprise License Agreement \[ELA\]) looks like a solid choice for endpoint management. It's a cloud-based solution with clear name recognition. Another plus: Microsoft's Intune plan pricing seems very approachable.

Other options have less name recognition than Microsoft but may be a better fit depending on an organization's needs. For example, according to G2, Ivanti Neurons for UEM gets high ratings for quality of support and ease of use. Atera offers particular expertise for small businesses. NinjaOne is rated well for being "a good partner in doing business."

The upshot: Organizations should not be making purchasing decisions based on brand name and pricing. Instead, companies should look beneath the surface before investing in technology, particularly in high-stakes scenarios with serious return on investment (ROI) potential.

**What to Ask Before Investing in a UEM Solution**

We cannot attempt to discuss the pros and cons of every major UEM solution available. With that in mind, here's what I recommend asking when evaluating a UEM solution:

1.  What type of devices will I be using the UEM solution for? Is it primarily mobile, mostly laptops or desktops, or a combination?
2.  Are my endpoints dispersed regionally, globally, or mostly on-site behind a perimeter?
3.  How is my IT help desk going to support and troubleshoot these devices? What is the additional cost per year to support?
4.  How many employees will be involved, and what's the cost per employee?
5.  What are the licensing agreements like? Do I need to buy a whole pie when I only want a slice?
6.  How is pricing structured? Will it scale based on usage?
7.  Do my employees exclusively use one type of device and operating system or a mix? If it's the latter, will the UEM solution work just as well regardless of the device type and OS used?
8.  Would my IT and security team benefit more from a central dashboard with a single-pane-of-glass view or integrated Mobile Threat Defense capabilities?
9.  How does the solution integrate with my other vendors/solutions and third-party apps?
10.  How many more IT employees will it take to manage? Does it require more servers?

Some of those questions might sound overly technical to those in finance and procurement, but your answers can significantly affect your true usability and costs.

**Get the Full Picture of Your Total Cost of Ownership**

As a rule, technology must suit the organization using it, and no technology solution is suitable for everyone. Total cost of ownership, for instance, is important, and it varies among solutions. Let's look at Intune as an example.

For all its strengths and lightweight supports on operating systems such as Android and macOS, Intune is not recommended for some verticals and businesses that require robust support on third-party applications. It is not intended as a complete systems-management platform. Part of the reason it might look like you're saving money by switching to Intune is because it's built primarily for a narrow subset of needs — and those needs are more cost-effective for Microsoft to handle.

Suppose you have diverse endpoints and many third-party apps to manage and integrate. In that case, you'll end up in a tough spot — either tolerating significant vulnerability or shelling out more for a comprehensive solution to pick up the slack. You'll also likely need to acquire additional software to run on certain operating systems. Furthermore, Microsoft charges additional costs per year for its Remote Help/Remote View of mobile devices.

There are more gaps like this, but perhaps most critically for finance, Microsoft Intune's pricing is based in part on the volume of data transmitted. These usage fees are challenging to predict and budget for and can add up. It becomes problematic when deciding between facilitating an unlimited flow of protected data or managing costs. Additionally, I've seen many enterprises having to buy more servers to manage Intune and hire additional administrators to manage those servers.

**The Bottom Line for Your Bottom Line**

In this example, Microsoft Intune is a fantastic option if:

*   You need a robust solution for lightweight mobile applications mainly on the same OS.
*   Your use case is straightforward enough that a single-pane-of-glass view isn't relevant.
*   The numbers look favorable based on your usage needs.

If you have more complicated requirements, perform due diligence to identify more flexible options.

Regardless of where you end up, do not go _without_ a UEM solution. Your company's security depends on it.

Understand the True Cost of a UEM Before Making the Switch

Groups have fallen silent after bold claims of action at the start of the conflict.

Hacktivist cyber activities around the Israel-Hamas conflict have significantly slowed, with some groups no longer plotting such attacks and others focusing on targets outside Israel.

Research of Dark Web discussions released this month by Security Scorecard found several hacktivist groups had made plans to conduct attacks or identified targets to be attacked, but many groups have since fallen silent or resorted to selling attack services.

A pro-Palestinian group, Dark Storm Team, posted claims in August 2023 on Dark Web forums that it would "attack Israel infrastructure," and in early October, claimed to be preparing attacks against Israel's European allies. However, as of Oct. 20, it had reverted to promoting its DDoS-as-a-service options.

Many hacktivist groups threatened to launch disruptive attacks against Israel and Palestine, while the hacktivist group SiegedSec claimed responsibility for a series of attacks against Israeli infrastructure and industrial control systems.

In addition, the Persian language-speaking, pro-Palestinian hacktivist channel Solomon's Ring has not claimed an attack since Oct. 8. Despite being active since October 2022 and its claims of hacking and stealing data from an Israeli data center, there is no evidence of this nor of any leaks of that data.

KillNet Palestine (potentially a division of the Russian hacktivist group KillNet), meanwhile, has not posted any new content since a message announcing its formation on Oct 13.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Hacktivist Activity Related to Gaza Conflict Dwindles

**BOSTON** – Today, the Healey-Driscoll Administration announced a $2.3 million grant through the MassTech Collaborative's MassCyberCenter to CyberTrust Massachusetts, a nonprofit dedicated to strengthening the cybersecurity ecosystem, to support cybersecurity resiliency for Massachusetts communities and help develop a talent pipeline at Masschusetts colleges and universities to encourage students to enter the field. The CyberTrust Massachusetts grant was announced at the seventh annual Massachusetts Cybersecurity Forum held at the State House today during Massachusetts Cybersecurity Month. 

"Our administration knows how important it is to protect our municipal governments, small businesses, and community organizations from cybersecurity threats," said Secretary Yvonne Hao of the Executive Office of Economic Development. "This grant to CyberTrust Massachusetts will help support cybersecurity resiliency in our cities and towns while bringing new students into the field through training and career development opportunities."

"This grant is a game changer," said Carolyn Kirk, Executive Director of the Massachusetts Technology Collaborative, the parent organization of the MassCyberCenter. "When you recognize that cybersecurity impacts us at every level, from the state government to your personal laptop, it becomes apparent that you need to build a strong plan to solve such a complex and pervasive issue. That is why we have taken a multi-pronged approach that educates students about the opportunities that exist in a cybersecurity career, providing the critical training on cutting-edge tools, and the mentorship they need to succeed in a career. As a former mayor, the support that these students will provide to municipalities and small businesses, supported by the award to CyberTrust Massachusetts, will help protect small organizations that face critical funding and staffing challenges which leave them exposed to emerging cyber threats. Through our support for CyberTrust Massachusetts, we can accomplish this dual mission – to provide new career opportunities for Massachusetts students, while at the same time bolstering our cyber readiness statewide."

"This is more than a financial grant; it builds on the institutional capital our consortium members are investing in the future of cybersecurity in Massachusetts. After a strong start, we look forward to being able to scale," said Peter Sherlock, CEO of CyberTrust Massachusetts. "We are creating a new model, where experiential learning meets cutting-edge technology to fortify our cybersecurity infrastructure across the state and ready the next generation of cyber professionals for meaningful and impactful careers."

The funding will allow CyberTrust Massachusetts to support cybersecurity resiliency for local governments in Massachusetts through Security Operations Centers (SOCs), which are centers staffed by security experts who protect the cybersecurity of an organization through monitoring, detection, and response to cyber threats. The SOCs will provide 24/7 services for municipalities, which often cannot afford to hire outside SOCs or security experts to support their technical infrastructure, and help these communities conduct assessments to test their vulnerability to cybersecurity risks. The funding will also allow CyberTrust Massachusetts to hire students from affiliated academic organizations in Massachusetts and provide training, experience, and career development for these young cybersecurity professionals. In addition to municipal support, CyberTrust Massachusetts will continue providing key training tools used by cyber ranges at community colleges and universities across the state where students and young professionals can learn how to respond to cyber threats in a simulated environment. 

"Cybersecurity is often perceived as a technical discipline that is exclusive to coders and professionals with STEM degrees, but there is a strong demand in the field for individuals with diverse skills like problem solving and critical thinking that do not require advanced degrees," said John Petrozzelli, Director of the MassCyberCenter at MassTech. "In order for the cybersecurity ecosystem in Massachusetts to improve and grow, it's essential that we communicate to students the opportunities that are available in cybersecurity and how valuable these skills are, so that anyone interested in becoming a cybersecurity expert knows these career pathways exist and are not limited to a select few. At the MassCyberCenter, we believe this approach will not only build new pathways for students and enable companies to hire new talent, but believe it will significantly improve the cybersecurity posture of our municipalities and businesses alike."

Today's Massachusetts Cybersecurity Forum brought together industry experts, academic leaders, and government officials to discuss partnerships, identify resources, and share innovative ideas about how to meet the state’s cybersecurity goals. The event featured a keynote from John Petrozzelli, Director of the MassCyberCenter, as well as discussions about collaborations for cyber defense and how Massachusetts organizations are confronting the cybersecurity implications of artificial intelligence and quantum computing.   

"It is critically important that we not only make our governments, industries, and constituents secure against the cyber threats of today, but also that we foster a pipeline for the next generation of cybersecurity professionals that can fight the cyber criminals of tomorrow. This generous grant from the Healey-Driscoll Administration does just that," said State Senator Michael Moore (D-Millbury). "I'd like to thank the Governor for recognizing how important it is to harden our online systems and to make them more resilient against bad actors. I am confident that CyberTrust Massachusetts will use these funds to help build a better, stronger, more secure Commonwealth."

**About the MassCyberCenter at the MassTech Collaborative**

The MassCyberCenter was launched in September 2017 to enhance opportunities for the Massachusetts cybersecurity ecosystem and strengthen the resiliency of the state's public and private communities. Earlier this month, the center held the 2023 Massachusetts Municipal Cybersecurity Summit in Worcester, which brought together municipal leaders, first responders, utility providers, and IT personnel from across the state to discuss threats, training, workforce development and cyber incident response planning. The MassCyberCenter works with cities, towns, universities, and the private sector to build cyber awareness, institute best practices, leverage future workforce talent, and create a more powerful cyber defense force to guard against future threats. Learn more at masscybercenter.org.

Healey-Driscoll Awards $2.3M to CyberTrust Massachusetts to Strengthen Municipal Cybersecurity Efforts

Generative artificial intelligence tools have unleashed a new era of terror to CISOs still battling longstanding shadow IT security risks.

Security teams are confronting a new nightmare this Halloween season: the rise of generative artificial intelligence (AI). Generative AI tools have unleashed a new era of terror for chief information security officers (CISOs), from powering deepfakes that are nearly indistinguishable from reality to creating sophisticated phishing emails that seem startlingly authentic to access logins and steal identities. The generative AI horror show goes beyond identity and access management, with vectors of attack that range from smarter ways to infiltrate code to exposing sensitive proprietary data.

According to a survey from The Conference Board, 56% of employees are using generative AI at work, but just 26% say their organization has a generative AI policy in place. While many companies are trying to implement limitations around using generative AI at work, the age-old search for productivity means that an alarming percentage of employees are using AI without IT's blessing or thinking about potential repercussions. For example, after some employees entered sensitive company information onto ChatGPT, Samsung banned its use as well as that of similar AI tools.

Shadow IT — in which employees use unauthorized IT tools — has been common in the workplace for decades. Now, as generative AI evolves so quickly that CISOs can't fully understand what they're fighting against, a frightening new phenomenon is emerging: shadow AI.

**From Shadow IT to Shadow AI**

There is a fundamental tension between IT teams, which want control over apps and access to sensitive data in order to protect the company, and employees, who will always seek out tools that help them get more work done faster. Despite countless solutions on the market taking aim at shadow IT by making it more difficult for workers to access unapproved tools and platforms, more than three in 10 employees reported using unauthorized communications and collaboration tools last year.

While most employees' intentions are in the right place — getting more done — the costs can be horrifying. An estimated one-third of successful cyberattacks come from shadow IT and can cost millions. Moreover, 91% of IT professionals feel pressure to compromise security to speed up business operations, and 83% of IT teams feel it's impossible to enforce cybersecurity policies.

Generative AI can add another scary dimension to this predicament when tools accumulate sensitive company data that, when exposed, could damage corporate reputation.

Mindful of these threats, in addition to Samsung, many employers are limiting access to powerful generative AI tools. At the same time, employees are hearing time and time again that they'll fall behind without using AI. Without solutions to help them stay ahead, workers are doing what they'll always do — taking matters into their own hands and using the solutions they need to deliver, with or without IT's permission. So it's no wonder that the Conference Board found that more than half of employees are already using generative AI at work — permitted or not.

**Performing a Shadow AI Exorcism**

For organizations confronting widespread shadow AI, managing this endless parade of threats may feel like trying to survive an episode of _The Walking Dead_. And with new AI platforms continually emerging, it can be hard for IT departments to know where to start.

Fortunately, there are time-tested strategies that IT leaders and CISOs can implement to root out unauthorized generative AI tools and scare them off before they begin to possess their companies.

*   **Admit the friendly ghosts.** Businesses can benefit by proactively providing their workers with useful AI tools that help them be more productive but can also be vetted, deployed, and managed under IT governance. By offering secure generative AI tools and putting policies in place for the type of data uploaded, organizations demonstrate to workers that the enterprise is investing in their success. This creates a culture of support and transparency that can drive better long-term security and improved productivity.
*   **Spotlight the demons**. Many workers simply don't understand that using generative AI can put their company at tremendous financial risk. Some may not clearly understand the consequences of failing to abide by the rules or may not feel accountable for following them. Alarmingly, security professionals are more likely than other workers (37% vs. 25%) to say they work around their company's policies when trying to solve their IT problems. It's essential to engage the entire workforce, from the CEO to frontline workers, in regular training on the risks involved and their own roles in prevention while enforcing violations judiciously.
*   **Regroup your ghostbusters.** CISOs would be well-served to reassess existing identity and access management capabilities to ensure they're monitoring for unauthorized AI solutions and can quickly dispatch their top squads when necessary.

Shadow AI is haunting businesses, and it's essential to ward it off. Savvy planning, diligent oversight, proactive communications, and updated security tools can help organizations stay ahead of potential threats. These will help them seize the transformative business value of generative AI without falling victim to the security breaches it will continue to introduce.

What Lurks in the Dark: Taking Aim at Shadow AI

Small and midsize businesses face the same cyberattacks as enterprises, but with fewer resources. Here's how to protect a company that has leaner means.

Small and midsize businesses (SMBs) are not immune to cyberattacks, yet they struggle with an evolving threat landscape and knowing how to best manage risk.

During the "Cybersecurity for SMBs Roundtable: Navigating Complexity and Building Resilience" earlier this month, Sage brought together a group of CISOs and other cybersecurity professionals from small businesses, government agencies, and nonprofit organizations to discuss some of the biggest concerns facing SMBs and their ability to secure their company assets. Among the top challenges for SMBs and nonprofit organizations are:

*   **The human factor.** Employees continue to make mistakes, such as clicking on links in phishing emails or allowing unprotected access to their devices, that put company networks at risk.
*   **Third-party compliance needs.** Partner organizations, contractors, vendors, and other third-party entities require SMBs to meet their cybersecurity requirements, especially those organizations, like financial institutions, that are highly regulated.
*   **Data privacy laws across states and countries.** Not meeting those compliance requirements could result in sanctions and fines.
*   **The hybrid workforce.** SMBs no longer have the same levels of oversight of devices and online behaviors when employees are working remotely, even part of the time.
*   **Targeted platforms and industries.** Threat actors look for organizations that use applications designed to raise money or collect large amounts of personal information.
*   **Changing threat landscape.** New attack vectors, new malware, and new threat actors seem to emerge every day.

Nearly half of SMBs have experienced a cybersecurity incident in the past year, according to a new study from Sage. While 69% of respondents worldwide say that cybersecurity is part of their company culture, nearly the same number don't consider it until there's an incident — only 4 in 10 respondents say their company regularly discusses cybersecurity.

**Cybersecurity Doesn't Have to Be Expensive**

After an attack, it's too late to start discussions about how to protect the network and company, but many SMBs don't have the right systems in place. According to Sage's research, for example, 46% of SMBs don't use firewalls and 19% rely only on very basic tools.

Yes, cybersecurity can be expensive. Enterprise companies can have upward of 100 security tools in use. It doesn't have to be that complicated for SMBs, however, and some approaches can even be free or inexpensive.

Start by creating an insider risk program that oversees security policies across the company with an emphasis on employee behavior, recommended Shawnee Delaney, CEO at Vaillance Group, during the roundtable.

"It requires you to have the conversations, sometimes an uncomfortable conversation, because no one wants to think their own employees might do something malicious," Delaney said. "But the truth is, the vast majority \[of cyber incidents\] are unintentional."

Managing human employment life cycles is vital to an effective cybersecurity system. It begins during the interview and hiring process by making sure you have someone who is a good cultural fit and is willing to recognize how cybersecurity fits into the organizational structure, Delaney added. Once you have made a hire, follow onboarding processes that stress basic security hygiene, including least-privilege and as-needed access. And when the employee leaves, make sure offboarding processes disconnect access completely.

**Individualize Security Training**

Because of the human connection to cybersecurity, everyone in a smaller company, from the CEO on down, has to have a basic understanding of what threats look like. There are plenty of security awareness training options out there, but SMBs would be wise to avoid a one-size-fits-all option.

Training should be geared toward the individual workers based on criteria such as job function and generational gaps in tech savviness and interests. Older workers often have a different style of learning than younger employees, just as employees who work in more labor-intensive jobs may have a different relationship to technology than those who are attached to their devices all day. Not respecting those differences results in uneven training that could end up doing more harm than good.

**Make Cybersecurity a Business Issue**

There's a tendency, especially among SMBs, to think of cybersecurity as an IT problem for which all the knowledge lies in the tech space, according to Gustavo Zeidan, Sage's CISO.

A better approach is to think of cybersecurity as a business issue. Security culture is better driven from the top, Zeidan said during the roundtable, and management needs to be discussing cyber threats and how their businesses may be targeted.

"Business leaders acknowledge it's a problem, but they don't talk about it," Zeidan explained. The worst thing that can happen is to be unprepared for a security incident that disrupts business operations.

And when there is a cyber incident within the company, don't keep it hidden. The Federal Trade Commission (FTC) offers guidelines on who should be contacted, including law enforcement, customers, and vendors.

But don't stop there. Communicate with other businesses and discuss strategies to work through the incident. Share this information through industry-focused organizations or at local Chamber of Commerce meetings — wherever you have contact with other business leaders.

"If you have a breach, be open, be honest, and share your lessons learned with other businesses so practitioners can learn from that," said Delaney. "It doesn't matter if we're competitors. It's all national security when you boil it down."

**Know Where to Go for Help**

Every company, no matter its size, needs more cybersecurity expertise than it has. Regardless of how the SMB invests in security, the responsibility for cybersecurity needs to be spread across the company.

Resources are available to help guide SMBs in their security journey. The Cybersecurity and Infrastructure Security Agency (CISA), for example, offers an SMB cybersecurity guide that speaks specifically to the different security-related roles individuals play in a small business environment.

Partnerships with businesses of all types and sizes is core to CISA's mission, said roundtable panelist Lauren Boas Hayes, senior adviser for technology and innovation at CISA.

"The landscape is changing; there are new threats every day," Delaney added.

Practitioners and businesses might feel like they're playing whack-a-mole with their efforts to thwart these new threats, but the good news for SMBs is that mitigation techniques are out there. It's just a matter of finding the program that works best for the individual company.

SMBs Need to Balance Cybersecurity Needs and Resources

The newly launched AI & ML Security Library allows developers to analyze the code used in machine learning systems to identify and address risks.

As part of "shift left" to incorporate security discussions earlier in the software development life cycle, organizations are beginning to look at threat modeling to identify security flaws in software design. With developers increasingly incorporating machine learning in their applications, threat modeling is necessary for identifying the risks to the organization.

"People are still grappling with the whole idea that when you use that very new technology \[machine learning\], it brings along a bunch of risk, as well," says Gary McGraw, co-founder of the Berryville Institute of Machine Learning. "I've been in the unenviable position of saying, 'Well, there's this risk, and there's that risk, and the sky is falling,' and everybody goes, 'Well, what am I supposed to do about that?'"

There have been many conversations about machine learning risk, but the difficulty lies in figuring out how to address them, McGraw says. Threat modeling – identifying the types of threats that can cause harm to the organization – helps organizations think through security risks in machine learning systems such as data poisoning, input manipulation, and data extraction. If developers could understand the security flaws in their designs by threat modeling, it would reduce the time spent on security testing during development and before production. NIST's Guidelines on Minimum Standards for Developer Verification of Software recommends threat modeling to look for design-level security issues.

IriusRisk’s threat modeling tool addresses this challenge by automating both threat modeling and architecture risk analysis. Developers and security teams can import the code into the tool to generate diagrams and threat models. Threat modeling templates make threat modeling accessible even to those not familiar with diagramming tools or risk analysis.

And the newly launched AI & ML Security Library allows organizations using IriusRisk to threat model the machine learning system they are planning in order to understand what the security risks are, as well as how to mitigate those risks.

“We're finally getting around to building machinery that people can use to address the risk and control the risk," says McGraw, who is also a member of IriusRisk’s advisory board. "When you put machine learning into your \[system\] design, and you're using IriusRisk, now you know what risks are involved and what to do about that."

**What ML Threat Modeling Looks Like**

IriusRisk's AI & ML Security Library helps organizations ask necessary questions. For example:

1.  Asking where the data being used to train the machine learning model came from. It's important to also ask whether anyone had the opportunity to embed incorrect or malicious data to make the machine do the wrong thing.
2.  Consider how the machine keeps learning once it is in production. Machine learning systems that are online and keep on learning from users are more dangerous than the ones that are not online. "It depends on who is using it. Is it your people? Is it bad people? Is it everybody on Twitter, or X?" McGraw says, noting there have been examples of past projects that had to be taken offline after it learned objectionable information.
3.  Ask if confidential information can be extracted from the machine. If you put confidential information into your machine learning algorithm, it is not protected by cryptographic means and can be extracted. "If you put the data in the machine, it's in the machine," McGraw says. "You need to think about making sure that people using your machine learning system cannot extract that confidential data."

The AI & ML Security Library is based on the BIML ML Security Risk Framework, a taxonomy of machine learning threats, as well as an architectural risk assessment of typical machine learning components developed by McGraw. The framework is designed to be used by developers, engineers, and designers creating applications and services that use machine learning in the early design and development phases of the project. With IriusRisk's library, everybody who is using machine learning can use BIML's framework.

The AI & ML Security Library is available to IriusRisk customers and those using the community edition of the platform.

**Time to Be Threat Modeling**

The AI & ML Security Library was developed in response to interest from organizations about how to analyze and secure AI and ML systems, according to Stephen de Vries, CEO of IriusRisk.

"We have seen a surge in interest from our customers in the finance and technology sectors for guidance on how to analyze, and secure design ML systems," de Vries said in a statement. "Since these are often new projects that are still in the design phase, performing threat modeling here adds a lot of value, because those teams will very quickly understand where the security goalposts are – and what they need to do in order to get there."

The library doesn't help organizations that don't have visibility into their machine learning use. Just as organizations can have shadow IT – where different business stakeholders set up their own servers and Web applications without IT oversight – they can also have shadow machine learning, McGraw says. Different departments are trying out new applications and tools, but there is a gap between what individual employees are using and what risks IT and security teams know about.

“Everybody's like, 'I don't think I have any machine learning in my organization,'" McGraw says. "But as soon as they find out that they do … they find it everywhere.”

Many organizations do not incorporate threat modeling during software design, and those that do rely on manual processes where a person analyzes the threats one at a time.

"If you have a mature threat modeling program and you're using a tool like IriusRisk, you can also now handle machine learning. So the people who are already doing the best are going to do even better," McGraw says. "What about the people who aren't doing threat modeling? Maybe they should start. It's not new. It's time to do it."

IriusRisk Brings Threat Modeling to Machine Learning Systems

**PRESS RELEASE**

**SHORT HILLS, N.J.****,** **Oct. 26, 2023** **/PRNewswire/ --** Cranium, the leading enterprise AI security and trust software firm, today announced that the company has raised $25 million in Series A funding. Telstra Ventures led the round with participation from KPMG LLP and SYN Ventures. Both participating investors previously provided seed funding when Cranium emerged from stealth six months ago and spun out of KPMG with additional investment from SYN Ventures.

The new round brings Cranium's total funding to $32 million. The funds will be used for innovation, research and development (R&D), and business expansion. Cranium's newest round will build company growth, strengthen customer momentum, and accelerate Cranium Enterprise software platform innovation through product development; scale go-to-market strategies, including sales and marketing efforts; allow investment in R&D to further visibility into the security of AI systems; enhance security, regulation, and compliance in AI/ML environments against adversarial threats; and reinforce its teams and customers with additional support.

"AI is being embedded into every business process and function at an unprecedented speed. Prioritizing responsible AI now, at the beginning of the AI revolution, will allow enterprises to scale more effectively and not run into major roadblocks and compliance issues later," said Jonathan Dambrot, CEO and Co-Founder of Cranium. "We're honored and deeply grateful for the support from our customers and investors whose dedication to Cranium only fuels our commitment to provide unparalleled visibility, trust, and a new level of security when it comes to the entire AI ecosystem of any organization."

Cranium helps organizations gain confidence in the AI-enabled products in services they are both creating and using. Cranium's software is custom-built to address the gap between data science, compliance, and cybersecurity teams by providing a single source of truth for AI security risks, which is done in a way that avoids requiring teams to change their processes, tools, or workflows; its value is ensuring AI systems are secure, trustworthy, and compliant, properly handling vital resources such as health, financial, and consumer data to meet compliance regulations.

"The rapid rate of innovation fueled by the emergence of GenAI capabilities has generated fresh challenges for cybersecurity teams, raising new questions over compliance, trustworthiness, and security of their AI/ML environments," said Marcus Bartram, General Partner at Telstra Ventures. "Cranium stands at the forefront of AI security and trust software, empowering organizations to navigate the crowded cybersecurity industry with its groundbreaking product and pioneering innovations addressing enterprises' urgent needs grappling with AI regulation, compliance, and security frameworks. We're thrilled to invest in the team at Cranium and are confident in the tremendous impact they're poised to make."

Since its inception, Cranium's dedication to making AI security attainable by working with global leaders in health sciences, financial services, consumer packaged goods, and retail showcases its versatility and holistic view of the AI industry. As the first-ever technology spinout out of KPMG's startup incubator, Cranium's mission is to secure the AI revolution, enabling organizations to secure their AI technologies. Cranium's unique design and features, grounded in years of industry experience and high-level partnerships, lend it a distinct edge in the increasingly crowded cybersecurity market.

**About Cranium**

Cranium is the leading enterprise AI security and trust software firm, enabling organizations to gain visibility, security, and compliance across their AI and GenAI systems. Organizations can map, monitor, and manage their AI/ML environments against adversarial threats without interrupting how teams train, test, and deploy their AI models through its Cranium Enterprise software platform. The Cranium platform also allows organizations to quickly gather and share information about the trustworthiness and compliance of their AI models with their third parties, clients, and regulators. Incubated and funded in stealth inside of KPMG Studio, Cranium helps cybersecurity and data science teams understand that AI impacts their systems, data, or services everywhere. Secure your AI at Cranium.AI.

**About Telstra Ventures**

Telstra Ventures Accelerates the Extraordinary – we fuel the growth of standout disruptors. In our first eleven years, 96 investments have generated 38 liquidity events including Auth0, BigCommerce, Box, CrowdStrike, DocuSign, Rancher, Skillz, Snap, and Whispir. To date, our Revenue Acceleration Platform has driven > US$500 million in revenue for our portfolio companies, extending their reach across Australia, Asia, UK and the US. In 2022, we announced the close of our third fund, bringing Funds Under Management to US$1 Billion. To see our full portfolio and learn more, visit www.telstraventures.com.

Cranium Announces $25 Million in Series A Funding to Secure AI

**PRESS RELEASE**

**MILPITAS, Calif.,Oct. 26, 2023/PRNewswire/ --** As Cybersecurity Awareness Month comes to a close, SonicWall today released the findings of its 2023 SonicWall Threat Mindset Survey which found that 55% of its customers are more concerned about cyberattacks in 2023, with the main threat being focused on digital attacks like ransomware and spear phishing.

"Understanding our partners and customers greatest concerns is at the heart of SonicWall's outside-in strategy," said SonicWall President and CEO Bob VanKirk. "Even further, it's taking that insight and acting upon it to provide key value-add products and services. The data from the 2023 SonicWall Threat Mindset Survey helps keep our finger on the pulse of what truly matters to our valued customers. As organizations around the globe struggle with economic declines and political strife, SonicWall remains committed to providing the latest in threat intelligence and cyber security solutions to help our partners and customers successfully navigate these rough waters."

SonicWall's proprietary threat mindset survey uncovered additional findings:

*   **Continued concerns about intensifying cyberattacks**: There is growing concern regarding cyberattacks amongst 54% of professionals surveyed; ransomware leads the distress as 83% of all customers cited it as their biggest concern. 94% of respondents are equally or more concerned about overall attacks in 2023. Phishing and spear-phishing (76%), as well as encrypted malware (64%), comprised the top three concerns.
*   **Organizations slow to patch**: Despite rising cyberattack concerns, 78% of organizations don't patch critical vulnerabilities within 24 hours of patch availability; another 13% only apply critical patches when time allows.
*   **Increased fear around insider threats:** Insider threat incidents have continued to increase and 49% of IT professionals cited it as a growing worry. The larger the organization, the more potential insider threat incidents exist. Critical business information and sensitive data can be found in employees' emails – and IT professionals feel the concern.
*   **Now Hiring: cybersecurity professionals needed:** 41% of respondents described their IT/ cybersecurity personnel as inadequate. With the cyberattack landscape becoming savvier with stronger capabilities of pulling off attacks, organizations must prioritize protection and hiring individuals who have the knowledge and skills to best position their company to not fall victim to these ongoing cyberattacks.

Companies are not only losing millions of dollars to unending malware and ransomware strikes but cyberattacks on essential infrastructure are impacting real-world services. Despite the growing concern of cyberattacks, organizations are struggling to keep pace with the fast-moving threat landscape as they orient their business, networks, data and employees against never-ending cyberattacks.

"The evolving cyber threat landscape is the new normal," said EIS Management CIO Jeff Falk. "The labor diverted from business initiatives to cybersecurity concerns swells year-over-year, which demands I spend more of my time managing the business' security needs, having an impact on business operations."

In an effort to promote cybersecurity attentiveness, SonicWall supports Cybersecurity Awareness Month in October with an added emphasis on a new enduring cybersecurity awareness program, Secure Our World. Secure Our World reflects a new enduring message to be integrated across the Cybersecurity and Infrastructure Security Agency's (CISA) awareness campaigns and programs and encourages all of us to take action each day to protect ourselves when online or using connected devices.

**Methodology**

SonicWall surveyed approximately 10,000 customers from around the globe. Questions were optional and some were open-ended, while others were multiple choice.

**About SonicWall**

SonicWall, a partner-first business, has been an unquestioned leader in the cybersecurity for more than 30 years. SonicWall defends organizations mobilizing for their new business normal with seamless protection that stops the most evasive cyberattacks across endless exposure points and increasingly remote, mobile and cloud-enabled workforces. By knowing the unknown, providing real-time visibility and enabling breakthrough economics, SonicWall closes the cybersecurity business gap for enterprises, governments and SMBs worldwide. For more information, visit www.sonicwall.com or follow us on Twitter, LinkedIn, Facebook and Instagram.

SOURCE SONICWALL INC

SonicWall Data Confirms That Ransomware Is Still the Enterprise's Biggest Fear

**PRESS RELEASE**

**DENVER****,** **Oct. 26, 2023** **/PRNewswire/ --** New data from the Lumen Technologies (NYSE: LUMN) Distributed Denial of Service (DDoS) mitigation platform landed the banking industry in the unenviable position of being the most targeted vertical of Q3 2023. This is the first time the banking industry topped Lumen's "most targeted verticals" list and was largely due to the events of a single day: Sept. 21, 2023.

On that day, a single banking customer was targeted with more than 230 DDoS attacks – a whopping 4,500% increase over the daily average for that industry – yet it experienced no downtime. Had the attackers been successful, they could have caused significant damage in the form of lost business, remediation costs and reputational damage.

"The successful mitigations for this banking customer can be traced back to Lumen's multi-layered approach to DDoS mitigation," said Brett Lemarinel, director of unified threat management for Lumen. "It starts at our network, where countermeasures are built in, and our intelligent routing technology, which sends excess traffic through our 500+ scrubbing locations. Our DDoS customers have an added layer of protection from Rapid Threat Defense, our proprietary capability that utilizes threat intelligence from Lumen Black Lotus Labs® to block DDoS botnet traffic before it reaches the customer's environment."

Lemarinel continued, "This should be a warning to all other businesses. More than 230 mitigations in a single day suggests the threat actor was determined to wreak havoc on this customer. Even though the attacker failed, the activity we saw on Sept. 21 is a potent reminder that any business can be in an attacker's crosshairs on any given day."

**Other notable findings in the report include:**

A never-before-seen, four-vector combination was attempted during the Sept. 21 event. The four-vector combination included DNS Amplification, IP Fragmentation, Invalid Packets and Static Filtering. Cyber attackers frequently modify their vector combinations as they attempt to defeat mitigation strategies, but the Lumen DDoS mitigation platform has the flexibility required to recognize and stop these attacks before they impact the targeted customers. The total number of attacks decreased in Q3 2023. Attackers frequently run their operations like a business and, as with any business, cyberattacks have seasonal ups and downs. In Q3 2023, Lumen mitigated 4,217 attacks, which was a 23% quarter-over-quarter decrease and a 24% annual decrease. The banking industry was also the most-targeted vertical for application threats, according to Lumen's application protection partner, ThreatX. Among all industries, the highest percentage of blocked traffic (25.5%) came from programmatic access, which are suspicious, automated attempts to access a web application. This number is up 89% from the previous quarter. The banking sector experienced a significant percentage of "Attacks Against Authentication" (nearly 25%), which are used to gain unauthorized access to financial data. Financial institutions are attractive to attackers, as evidenced by the high attack ratio and combination of brute-force attacks that targeted banks in Q3. Protecting financial data is paramount, but robust web application and API protection solutions can help protect the industry.

"The Q3 ThreatX application attack analysis underscores the critical importance of bot protection and the need for awareness of industry-specific threats," said Neil Weitzel, director, Security Operations Center at ThreatX. "The especially high number of programmatic access threats this quarter underscores the prevalence of bots in API and application attacks. In addition, our findings reveal variations in threats across industries, so businesses must stay vigilant and proactive to safeguard their applications and APIs."

**About Lumen Technologies**

Lumen connects the world. We are igniting business growth by connecting people, data, and applications – quickly, securely, and effortlessly. Everything we do at Lumen takes advantage of our network strength. From metro connectivity to long-haul data transport to our edge cloud, security, and managed service capabilities, we meet our customers' needs today and as they build for tomorrow. For news and insights visit news.lumen.com, LinkedIn: /lumentechnologies, Twitter: @lumentechco, Facebook: /lumentechnologies, Instagram: @lumentechnologies, and YouTube: /lumentechnologies.

**About ThreatX**

ThreatX is managed API and application protection that lets you secure them with confidence, not complexity. It blocks botnets and advanced attacks in real time, letting enterprises keep attackers at bay without lifting a finger. Trusted by companies in every industry across the globe, ThreatX profiles attackers and blocks advanced risks to protect APIs and applications 24/7. Learn more at https://www.threatx.com.

Source

DARKReading