Jelle Wieringa analyzes the differences between HDR and security awareness training and how HDR addresses the security layer of human risk management.

Human detection and response (HDR) is a new approach to cybersecurity that focuses on identifying and responding to threats that originate from human activity, such as phishing attacks or social engineering tactics. Traditional security awareness training (SAT), on the other hand, aims to educate employees on best practices for staying secure online and avoiding common cybersecurity risks.

A key difference between HDR and SAT is what they focus on. While SAT typically emphasizes prevention, HDR focuses on analyzing and responding to security incidents that have already infiltrated an organization. This can include monitoring network traffic for unusual behavior, analyzing user behavior to identify potential insider threats, and users neglecting to follow an organization’s IT policies.

These events typically consist of security alerts, based on indicators of compromise (IoCs), that are collected by an organization's existing security stack. These are used as triggers to generate an alert to dedicated technologies that sit alongside traditional security categories within the security stack, such as firewalls, intrusion prevention, extended detection and response tools, and security event and information management systems. These dedicated technologies are uniquely positioned to monitor, identify, detect, and respond to user-related security activity and behavior.

HDR and traditional SAT are complementary. By enabling users to make better security decisions, security awareness training helps prevent many common social engineering threats. Meanwhile, HDR provides an added automated layer of protection by analyzing and responding to threats that may have slipped through the cracks. Combined, SAT and HDR help to actively reduce risk to organizations.

**A Multifaceted Approach to Building a Security Culture**

HDR is an effective tool for building a strong security culture within an organization. By emphasizing the importance of analyzing and responding to security threats, HDR helps employees understand the critical role they play in protecting sensitive data and systems. This creates a sense of ownership and responsibility around cybersecurity, encouraging employees to take a proactive approach to security.

HDR integrates a mindset of security into the daily operations of employees. It fuels an intrinsic motivation in employees to make better security decisions by employing nonintrusive, behavior-boosting techniques that increase the user's awareness and responsibility levels.

Additionally, HDR helps reinforce the message that security is everyone's responsibility, not just the job of the IT department. By involving employees in the detection and response process, organizations create a culture of vigilance and collaboration that encourages individuals to watch out for one another.

By integrating HDR into a broader security awareness program, organizations create a culture of security that permeates all levels of the organization, from frontline employees to executives. This leads to a more secure and resilient organization that is better equipped to protect against a wide range of cyber threats that target an organization’s largest attack surface: their employees.

**Addressing the Security Layer of Human Risk Management**

HDR significantly improves an organization's ability to manage human risk by automatically responding to threats that arise from human activity. By monitoring user behavior and analyzing data for anomalies, HDR detects and mitigates risks such as insider threats, phishing attacks, and other social engineering tactics. This helps organizations address human risk, minimize the impact of security incidents, and ultimately protect sensitive data and systems from compromise.

Because of the automated nature of HDR technologies and their integration in an existing security stack of an organization, they provide a proactive form of security. Where traditional security measures that focus on the human factor often take an approach of trying to prevent attacks, HDR acts at the moment an attack has slipped through these prevention methods. It provides an additional layer of security through real-time detection and response, thereby increasing the organization’s resilience and reducing risk.

**The Three Big Benefits**

The three biggest benefits are increased visibility for security operations through specialized threat detection and response, improved incident response times, and enhanced visibility and control by giving security operations the ability to enable response mechanisms in response to risky user behavior.

First, HDR enables organizations to analyze and respond to attacks that originate from human activity, like phishing attacks or social engineering tactics that have successfully escaped the users’ notice.

Second, by automating the detection and response process, HDR significantly reduces security operations center (SOC) alert noise and incident response times, minimizing the impact and damages of security incidents on the organization.

Finally, by providing enhanced visibility and control over user intended and unintended behavior, HDR helps organizations manage human risk and protect sensitive data and systems from compromise.

**About the Author**

    

Jelle Wieringa has over 20 years of experience in business development, sales, management, and marketing. In his current role as security awareness advocate for EMEA for KnowBe4, he helps organizations of all sizes understand why more emphasis is needed on the human factor, and how to manage the ongoing problem of social engineering. Previously, Wieringa was responsible for building an AI-driven platform for security operations at a leading managed security provider. Wieringa holds the SACP certification.

Human Detection and Response: A New Approach to Building a Strong Security Culture

Accidentally typing a password in the username field of the platform saves them to audit logs, to which threat actors can gain access and use to compromise enterprise services.

A post-exploitation attack method has been uncovered that allows adversaries to read cleartext user passwords for Okta, the identity access and management (IAM) provider — and gain far-ranging access into a corporate environment.

Researchers from Mitiga discovered that the IAM system saves Okta user passwords to audit logs if a user accidentally types them in the "username" field when logging in. Threat actors who have gained access to a company's system can then easily harvest them, elevate privileges, and gain access across multiple enterprise assets that use Okta, the researchers said.

"In our research, we could easily use the logs to match the password with the valid user, resulting in gaining credentials to the Okta user account," Okta senior security researcher Doron Karmi and principal security researcher and developer Or Aspir wrote in the post. When adversaries login to Okta as those users, it "expands the blast radius of the attack to the many platforms that Okta secures, and gaining further access to systems," they wrote.

The vulnerability exists because Okta audit logs supply detailed information about user activity, including usernames, IP addresses, and login timestamps. The logs also provide insights into successful and unsuccessful login attempts and whether they were performed via Web browser or mobile app.

**In Defense of Okta Features**

Okta is a cloud-based enterprise-grade IAM service that connects enterprise users across applications and devices and is used by more than 17,000 customers globally. While it was built for cloud-based systems, it also is compatible with many on-premises applications.

Representatives from Okta confirm that saving cleartext passwords in audit logs is "expected behavior when users mistakenly enter their password in the username field," according to a statement by the company provided by Mitiga. They also said that only platform administrators — the most privileged users in the system — have access to audit logs that save cleartext passwords, and those users "should be trusted not to engage in malicious activities."

It's not the first time the company has had to defend a built-in feature of the platform's regarding how it handles user passwords. The company posted a blog post last July in response to a report by Authomize researchers that Okta's architecture for password synching allows malicious actors signed on as an app administrator of a downstream app to access passwords in plaintext, including admin credentials, even over encrypted channels.

That report came after threat group Lapsus$ claimed to have breached Okta with "superuser" account credentials, posting screenshots they claimed to have grabbed from internal systems. It was determined that 366 Okta customers were potentially impacted in that incident, though Okta later said it determined only two actual breaches.

**What Happens if Untrusted Users Gain Access**

Mitiga's research is relevant if someone other than a trusted administrator gains access to these logs and can access the data, which can happen in a number of ways, the researchers said.

One way would be if an attacker has permission to read the logs in an organization's SIEM solution such as Splunk, as the logs are saved in this solution, they said. Moreover, in such a scenario, every user with read-only access to the SIEM solution potentially could have access the passwords, including Okta admins.

Attackers also could gain access to the logs and thus user passwords through third party-services that have permissions to read Okta configurations, such as cloud security posture management (CSPM) products that request a "read-only" admin role, the researchers said. "The role includes the ability to read the audit logs, which means those products/services could read users' credentials," they said.

Once attackers have gained access to user credentials, they can try to log in as those users to any of the organization's different platforms that use Okta single sign-on. This data also could be used to escalate privileges in the case of exposed administrator' passwords, the researchers said.

**Avoid Leaking Okta Passwords**

Both Mitiga researchers and Okta provided recommendations for how enterprises can avoid inadvertently exposing Okta credentials to threat actors, with the latter also advising how platform users can avoid typing their password in the username field in the first place.

Mitiga advised enterprises to use an SQL query, which can be found on Mitiga's GitHub, to detect potential users that enter their password by mistake, and also consider rotating user passwords. They also should train employees to avoid entering passwords in the username field on the Okta login page, and continuously monitor Okta audit logs for suspicious activities, including failed login attempts, following up with investigations if necessary.

Implementing multifactor authentication (MFA) also can prevent unauthorized access even if attackers obtain users' credentials, according to Mitiga, a feature that Okta said is enforced by default when accessing the Okta admin console.

"Similarly, admins can set up an Authentication Policy that requires additional MFA when logging in to specific applications, which would further restrict what actions a bad actor can perform," according to Okta.

To avoid inadvertently logging passwords in the username field, Okta users should implement field validation to check that the input in each field matches the expected format. They can also implement Okta's FastPass feature that uses biometric features or device activation to allow users to sign in with a single click or tap without even entering a username or password at all. Clearly labeling the "username" and "password" fields in Okta with placeholder text within each field, the company said, can also help users avoid this mistake.

Okta Post-Exploitation Method Exposes User Passwords

DMARC blocks spam and phishing emails sent from spoofed domains, and it's vastly underutilized, a new report says.

Just 1.2% of a group of nearly 10 million verified .org domains analyzed have adopted Domain-based Message Authentication, Reporting, and Conformance (DMARC) security standards, which automatically flag and report emails suspected to be sent from an impersonated domain.

New analysis from EasyDMARC added that even while the DMARC email security standard adoption rate swelled among the top-100 US nonprofit organizations to 20%, of the overall number of domains using DMARC, 45.6% were misconfigured.

“Impersonating email domains is one of the main tools used in successful phishing, spoofing, and ransomware attacks," Gerasim Hovhannisyan, EasyDMARC CEO and co-founder said about the findings. "That's why it's so worrying to see our research indicate that only 1.2% of global nonprofits have implemented domain authentication via DMARC, which remains the best way to curb this threat."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Just 1% of Nonprofit Domains Have Basic DMARC Email Security Protections

In the triumvirate of identity types, protecting the identity, privacy, and data of carbon-based forms — humans — is key. Safeguards must be in place as AI becomes more interactive.

ChatGPT and Bard AI are making the news for all kinds of reasons. People are charmed and unnerved by the quirky responses and how seemingly sentient these chatbots are.

But artificial intelligence (AI) has existed for years, and the issues today aren't just related to a greater capacity for writing term papers and malware. These new tools simply add to an already complex ecosystem of identities, which may be carbon-based, silicon-based, or now, increasingly complex artificial identities created by AI.

**Identity Trifecta**

First, let's define these different identity types:

**Carbon-based identity:** This one is easy. It's humans. We have names, we have personally identifiable information, mannerisms, and so much more. And we live, breathe, and interact with carbon, silicon, and artificial identities every day.

**Silicon-based identity:** A silicon-based identity is something that we all interact with but rarely or never think about as an entity: our cars, smartphones, and millions of other items that rarely exist or interact on their own.

**Artificial-based identity:** If you've ever read a novel, you've met a whole cast of artificial identities. Each character is a fictional creation with a backstory, internal motivations, and seemingly interactive relationships. The new chatbots can create detailed identities in moments.

**Why Does Identity Matter?**

A silicon-based identity integrates with you and your identity. Take your smartphone, for example. You set it up and customize it so that you can log in with your fingerprint or your face. You use it to set up online banking accounts, social media profiles, and much more. Essentially, you create a link between your carbon identity and your silicon identity, which allows you to interact with your bank and other peer-to-peer connections. When you sell or give away the phone, you know you need to wipe all that data, otherwise the next user could use connections that you authenticated to access your financial, work, and other personal accounts. Even after removing the data, the phone still exists as a silicon identity, and it will integrate with the next carbon entity that sets it up.

Artificial entities are increasingly easy to create, however. AI can generate faces that people find trustworthy and have difficulty distinguishing from real ones. Combined with chatbots, some of these entities have LinkedIn profiles and can easily — and convincingly — reach out to prospective customers without adding to an organization's staffing costs or training requirements. Other chatbots may be answering your banking questions, responding to fraud alerts, or authorizing transactions. They may help you book a flight, facilitate a product return, or respond to insurance queries.

**Who — or What — Are You Talking To?**

How to know which type of entity you're talking to is a question that's only going to become more challenging in the coming months and years. Today, most chatbots can answer simple questions with canned responses. Most users probably find them frustratingly inadequate and try to interact with a carbon entity instead. But it's getting harder to tell them apart. As these solutions become more available, flexible, and interactive, you need to consider who you want to share protected information with.

It may seem safe to share your banking information with an artificial identity, forgetting that if you share your checking account info and authorize them to take money out, you have very little control over when and how that happens. There are some financial regulations in place to help consumers, but they only help after something goes wrong. When your credit or debit card is compromised, you can dispute fraudulent transactions, prevent future charges, and get a new card. That can limit the potential fallout.

Health information is far more complicated. If you share information with an artificial identity about your carbon entity, such as that you have diabetes and high blood pressure, that information goes somewhere you can no longer control. If this private health information is disclosed, either because the artificial entity you shared it with was created for malicious purposes or because the data collected wasn't properly secured and encrypted, that part of your identity is now compromised and you cannot make that information private again.

**Protect Data, Privacy, and Identity**

As the different types of identities become increasingly intertwined and complicated, it's important for organizations to make it clear when an identity interfacing directly with people is artificial, why they're using it, and how.

They also need to protect the identity, privacy, and data of the carbon identities, regardless of how it is collected. That means how this information is collected, transmitted, and encrypted is important.

As we move forward, we must make certain that we protect data, privacy, and identity by challenging and validating access for all these different types of identities. Although artificial identities are becoming interactive and seemingly human, the responsibility to protect carbon identities is paramount.

Are You Talking to a Carbon, Silicon, or Artificial Identity?

Op[4]'s firmware security platform detects, prioritizes, and remediates exploitable vulnerabilities in Internet of Things and embedded systems.

New cybersecurity startup Op\[4\] launched today with a platform designed to fix vulnerabilities in Internet of Things (IoT) and embedded devices.

The platform, based on technology originally developed for DARPA, “continuously and accurately” detects, isolates, validates, classifies, prioritizes and remediates n-day and zero-day vulnerabilities, the company said in a statement. N-day refers to vulnerabilities in software and systems that are not going to be fixed.

One of the challenges with securing IoT and embedded devices is isolating exploitable firmware flaws. Op\[4\]'s platform addresses this by simulating a running device in order to identify active and inactive code, according to a company spokesperson. This way, the risk is assessed at the binary code level.

Op\[4\] plans to align the platform with the White House's national cybersecurity IoT labeling initiative launching later this year. The company is also preparing industry-specific versions for consumer IoT, aerospace and defense, and telecommunications markets.

The company launched with over $2 million in initial seed funding secured through a combination of product sales and private investment.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

IoT Startup OP[4] Launches With Firmware Security Platform

**NEW YORK** **,** **March 22, 2023** **/PRNewswire/ --** Lightspin, the leading cloud security solution for SaaS companies, today launched the Remediation Hub as part of its cloud-native application protection platform (CNAPP) solution. An evolution of Lightspin's root cause analysis feature, the Remediation Hub provides users the ability to dynamically remediate the most critical cloud environment risks, at scale. As a result, organizations can quickly identify and fix the security threats that matter most. 

"Our Remediation Hub was born out of the overwhelming positive customer response to our root cause analysis feature," said Vladi Sandler, co-founder and CEO for Lightspin. "The Remediation Hub expands on our industry-leading capabilities and helps maximize remediation depth and breadth for overlapping critical issues discovered, thus improving efficiency and reducing the time spent on one-off fixes. By providing the much-needed context, the Remediation Hub allows users to reduce the most risk with minimum actions."

Lightspin analyzes the root cause of all risks detected in the cloud environment including vulnerabilities, misconfigurations, identity risks and prioritizes remediation steps based upon a quantified risk score produced by Lightspin's proprietary algorithm. It then generates the proposed remediation to the root cause – Lightspin is the only CNAPP solution to offer remediation with dynamic guardrails for DevOps. Security teams can quickly and easily see how much a remediation action will improve the security score of their cloud environment. 

In a real-world example, a cloud environment has a root cause risk source of an unpatched image. The image has 100 vulnerabilities and there are five EC2 instances using the image. Most tools will flag 500 vulnerabilities to fix. With Lightspin's root cause analysis, the security team can see that there is only one necessary action: fix the image. 

Other cloud security tools push automated corrective remediation in users' public clouds, but this approach can actually add risk and cause more issues if not implemented carefully. Lightspin's Remediation Hub instead offers recommended remediation with the flexibility for teams to select to apply these fixes to their environments or to modify them to suit their unique organizational requirements.

The Remediation Hub also enables ticketing management via platforms such as Jira and ServiceNow, giving security teams capability to assign owners and track results right in the platform dashboard without navigating to another tool. By centralizing the Lightspin recommended actions and remediations discovered, security teams can simplify and streamline workflows to easily address and understand the root cause of vulnerabilities in their cloud environment. 

**Follow Lightspin**  
LinkedIn: https://www.linkedin.com/company/lightspin/  
Twitter: @lightspintech  
Blog: https://blog.lightspin.io/

**About Lightspin**

Lightspin is the #1 cloud security solution for SaaS companies of all sizes. Agentless and easy to deploy, Lightspin's Cloud Native Application Protection Platform (CNAPP) efficiently prioritizes and remediates cloud security risks in minutes using the industry's only Attack Path Engine built on the graph. Supporting Amazon Web Services, Google Public Cloud, Microsoft Azure and Kubernetes, Lightspin simplifies cloud security and compliance via its self-serve offering and graph-based algorithms. Based in New York and Tel Aviv, Lightspin is backed by Dell Technologies Capital, IBM, and Ibex Investors. Leading SaaS companies such as Imperva, ITV, Kaltura, PageUp and Riskified trust Lightspin to protect their data and workloads in the cloud. Learn more at www.lightspin.io.

Lightspin Launches Remediation Hub to Identify and Fix Cloud Security Threats

The advisory comes the same week as a warning from the EU's ENISA about potential for ransomware attacks on OT systems in the transportation sector.

The US Cybersecurity and Infrastructure Security Agency (CISA) this week issued advisories for a total of 49 vulnerabilities in eight industrial control systems (ICS) used by organizations in multiple critical infrastructure sectors — some unpatched.

The need for organizations in critical infrastructure sectors to consider cybersecurity is growing. ICS and operational technology (OT) environments are no longer air-gapped, segmented as they once used to be, and are increasingly accessible over the Internet. The result is that both ICS and OT networks have become increasingly popular targets for both nation-state actors and financially motivated threat groups.

That's unfortunate given that many of the vulnerabilities in CISA's advisory are remotely exploitable, involve low attack complexity, and allow attackers to take control of affected systems, manipulate and modify settings, escalate privileges, bypass security controls, steal data, and crash systems. The high-severity vulnerabilities are present in products from Siemens, Rockwell Automation, Hitachi, Delta Electronics, Keysight, and VISAM.

The CISA advisory coincided with a report from the European Union on threats to the transportation sector that also warned about the potential for ransomware attacks on OT systems used by aviation, maritime, railway, and road transport agencies. At least some of the vulnerable systems in CISA's advisory pertain to organizations in the transportation sector as well.

**Low-Complexity, High-Impact Vulnerabilities**

Seven of the 49 vulnerabilities in CISA's advisory are in Siemens' RUGGEDCOM APE1808 technology and currently have no fix. The vulnerabilities allow an attacker to elevate privileges on a compromised system, or to crash it. Organizations in multiple critical infrastructure sectors around the globe currently use the product to host commercial applications.

Seventeen other flaws are present in various third-party components that are integrated into Siemens' Scalance W-700 devices. Organizations in multiple critical infrastructure sectors use the product including those in chemical, energy, food, and agriculture and manufacturing. Siemens has urged organizations using the product to update its software to v2.0 or later and to implement controls for protecting network access to the devices.

Thirteen of the newly disclosed vulnerabilities affect Delta Electronic' InfraSuite Device Master, a technology that organizations in the energy sector use to monitor the health of critical systems. Attackers can exploit the vulnerabilities to trigger denial-of-service conditions or to steal sensitive data that could be of use in a future attack.

Other vendors in CISA's advisory, with multiple vulnerabilities in their products are Visam, whose Vbase Automation technology accounted for seven flaws and Rockwell Automaton with three flaws in its ThinManager product used in the critical manufacturing sector. Keysight had one vulnerability in its Keysight N6845A Geolocation Server for communications and government organizations and Hitachi updated information on a previously known vulnerability in its Energy GMS600, PWC600, and Relion products.

This is the second time in recent weeks where CISA has warned organizations in critical infrastructure sectors about serious vulnerabilities in systems they use in industrial and operational technology environments. In January, the agency issued a similar alert on vulnerabilities in products from 12 ICS vendors, including Siemens, Hitachi, Johnson Controls, Panasonic, and Sewio. As with the current set of flaws, many of the vulnerabilities in the previous advisory also allowed threat actors to take over systems, escalate privileges and create other havoc in ICS and OT settings.

**OT Systems in the Crosshairs**

Meanwhile, a report this week from the European Union Agency for Cybersecurity (ENISA) on cyberthreats to the transportation sector warned of potential ransomware attacks against OT systems, based on an analysis of 98 publicly reported incidents in the EU transportation sector between January 2021 and October 2022. 

The analysis showed that financially motivated cybercriminals were responsible for some 47% of the attacks. A plurality of these attacks (38%) was ransomware related. Other common motivations included operational disruptions, espionage, and ideological attacks by hacktivist groups.

Though OT systems were sometimes collaterally damaged in these attacks, ENISA's researchers found no evidence of directed attacks on them in the 98 incidents it analyzed. "The only cases were OT systems and networks were affected were either when entire networks were affected or when safety-critical IT systems were unavailable," the ENISA report said. However, the agency expects that to change. "Ransomware groups will likely target and disrupt OT operations in the foreseeable future."

The European cybersecurity agency's report pointed to an earlier ENISA analysis that warned of ransomware actors and other new threat groups tracked as Kostovite, Petrovite, and Erythrite targeting ICS and OT systems and networks. The report also highlighted the continued evolution of ICS specific malware such as Industroyer, BlackEnergy, CrashOverride, and InController as signs of growing attacker interest in ICS environments.

"In general, adversaries are willing to dedicate time and resources in compromising their targets to harvest information on the OT networks for future purposes," the ENISA report said. "Currently, most adversaries in this space prioritize pre-positioning and information gathering over disruption as strategic objectives."

CISA Warns on Unpatched ICS Vulnerabilities Lurking in Critical Infrastructure

**SAN JOSE, Calif.****,** **March 22, 2023** **/PRNewswire/ --** Vectra AI, the leader in AI-driven hybrid cloud threat detection and response, today announced the introduction of Vectra Match. Vectra Match brings intrusion detection signature context to Vectra Network Detection and Response (NDR), enabling security teams to accelerate their evolution to AI-driven threat detection and response without sacrificing investments already made in signatures.

"As enterprises transform embracing digital identities, supply chains and ecosystems — GRC and SOC teams are forced to keep pace. Keeping pace with existing, evolving and emerging cyber threats requires visibility, context and control for both known and unknown threats. The challenge for many security organizations is doing so without adding complexity and cost," says Kevin Kennedy, SVP Products at Vectra. "Vectra NDR now enables security teams to unify signatures for known threats and AI-driven behavior-based detection for unknown threats in a single solution."

With the addition of Vectra Match, Vectra NDR addresses core GRC and SOC use cases enabling more efficient and effective:

*   Correlation and validation of threat signals for accuracy.
*   Compliance for network-based CVE detection with compensating controls.
*   Threat hunting, investigation and incident response processes.

According to Gartner®, "recent trends in the NDR Market indicate many NDR offerings have expanded to capture new categories of events and to analyze additional traffic patterns. This includes **new detection techniques:** by adding support for more traditional signatures, performance monitoring, threat intelligence and sometimes malware detection engines. This move toward more multifunction network detection aligns well with the use case of network/security operations convergence, but also with midsize enterprises."1

"The attack surface cyber attackers have at their disposal continues to grow exponentially creating unknown threats on top of the tens of thousands of known vulnerabilities that exist. Attackers simply have exponentially more ways to infiltrate an organization and exfiltrate data — and do so with far more frequency, velocity and impact. Keeping pace with attackers exploiting known vulnerabilities and unknown threats is an immense challenge for every Security, Risk and Compliance officer," says Ronald Heil, Global Risk Advisory Lead for Energy and Natural Resources and Partner at KPMG Netherlands. "Today, cyber-resilience and compliance requires complete visibility and context for both known and unknown attacker methods. Without it, disrupting and containing their impact becomes an exercise in brand reputation and customer trust damage control. Vectra Match capabilities allow us to combine both worlds, having the continued AI-based detection of real-time "movement", while also having the ability to check against specific Suricata indicators — often required during incident response or proof of compliancy (e.g., Log4J). Consolidating AI-based and signature-based detection enables optimization, because in our case, less is more."

"When it comes to shadow IT, we know people with admin rights are 'building boxes off the grid.' Our SOC team cannot protect what we cannot see, thus making these unknown systems prime targets for attackers. No doubt, behavior-based AI-driven detections are great for catching attackers deploying new, evasive methods, but when it comes to attackers leveraging CVEs to compromise unknown, unpatched systems, we need signature-based detection. Combining signature-based detection with behavior-based detection gives our SOC team visibility for both the known-unknown and unknown-unknown threats. It's the best of both worlds," says Brett Fernicola, Sr. Director, Security Operations at Anywhere.re.

**Vectra NDR with Vectra Match**

Vectra NDR — a key component of the Vectra platform — provides end-to-end protection against hybrid and multicloud attacks. Deployed on-premises or in the cloud, the Vectra NDR console is a single source of truth (visibility) and first line of defense (control) for attacks traversing cloud and data center networks. By harnessing AI-driven Attack Signal Intelligence, Vectra NDR empowers GRC and SOC teams with:

*   AI-driven Detections that think like an attacker by going beyond signatures and anomalies to understand attacker behavior and zero in on attacker TTPs across the entire cyber kill chain post compromise, with 90% fewer blind spots and 3x more threats proactively identified.
*   AI-driven Triage that knows what is malicious by utilizing ML to analyze detection patterns unique to the customer's environment to score how meaningful each detection is, thus reducing 85% of alert noise — surfacing only relevant true positive events that require analyst attention.
*   AI-driven Prioritization that focuses on what is urgent by automatically correlating attacker TTPs across attack surfaces, evaluating each entity against globally observed attack profiles to create an attack urgency rating enabling analysts to focus on the most critical threats to the organization.

Vectra NDR empowers security and risk professionals with next-level intrusion detection. Armed with rich context on both known and unknown threats, GRC and SOC teams not only improve the effectiveness of their threat detection, but the efficiency on their threat hunting, investigation and incident response program and processes. Vectra NDR with Vectra Match is available for evaluation and purchase today. For additional information, please visit the following resources.

**Blog:** Vectra AI Announces Vectra Match for Signature-Based Detections

**Solution Brief:** Stop Network Exploits with Vectra NDR and Vectra Match 

**Product page:** Vectra NDR

**About Vectra**

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. Only Vectra optimizes AI to detect attacker methods — the TTPs at the heart of all attacks — rather than simplistically alerting on "different." The resulting high-fidelity threat signal and clear context enables cybersecurity teams to rapidly respond to threats and stop attacks from becoming breaches. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure — both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization. For more information, visit vectra.ai. 

1Gartner Market Guide for Network Detection and Response, Published 14 December 2022 \- ID G00730869 GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

SOURCE Vectra

Vectra Unifies AI-Driven Behavior-Based Detection and Signature-Based Detection

**HERZLIYA,** **Israel** **and** **PALO ALTO, Calif.****,** **March 22, 2023** **/PRNewswire/ --** XM Cyber, the leader in hybrid cloud security, announced today the acquisition of Confluera, a pioneer in next-generation cyber attack detection and response for the cloud. XM Cyber now offers a comprehensive CNAPP (Cloud Native Application Protection Platform) solution using its unique attack path modeling to prioritize and assess real risk to the critical assets in your cloud environment.

Together with Confluera, XM Cyber's Continuous Exposure Management platform will provide all aspects of cloud security, from identifying and fixing risk regarding cloud identities (CIEM), identifying vulnerabilities and the detection and response of actual cyber attacks in real time (CWPP), and best practice and compliance management (CSPM).

The rapid rise in sophisticated attacks across hybrid cloud environments requires organizations to equip themselves with a dual strategy that combines advanced preventative capabilities with active detection and response. Classic EDRs that were originally meant for endpoint protection aren't equipped to deal with the runtime protection of cloud infrastructures. Detection in the cloud requires the next-generation capabilities of CxDR (Cloud eXtended Detection and Response), which leverages visibility from different vantage points and accurately combines them to identify multi-stage attacks propagating across distributed cloud environments.

The XM Cyber solution enables organizations to see their on-prem and cloud environments just like an attacker would and identify weaknesses that can potentially be exploited on attack paths to critical assets. With the addition of Confluera, organizations will now have the ability to continuously monitor their cloud environments in real-time to see if they are actually being exploited and effectively block the attacker's progress before any damage is caused.

"We work so well together because we're both looking at the environment through attack path modeling," said Boaz Gorodissky, co-founder and CTO of XM Cyber. "For example, XM Cyber shows our customers how an attacker could take advantage of a cloud secret found in the on-prem environment, move into the cloud, escalate privileges of an EC2, and compromise S3 buckets with sensitive information through a chain of events. Now with Confluera, we will detect if this attack path is actually happening in real time, alert our customers and help them stop the attack before it reaches the S3 buckets."

Confluera co-founder and CTO Abhijit Ghosh, who will be leading the development and integration of the CxDR with XM Cyber as VP CxDR, added: "We are very excited to join forces with XM Cyber to deliver a comprehensive cloud security platform. The technologies complement one another. They cover the prevention and detection aspects of security, with a common attack path modeling-based approach of unifying diverse visibility to identify multi-stage attacks. We are thrilled about leveraging this synergy to address our shared mission of protecting hybrid cloud environments from advanced attacks." Confluera co-founder Niloy Mukherjee further added that "the offensive cybersecurity knowledge of XM Cyber's research team will greatly enrich Confluera's engine to discover and intercept any form of security threat possible across any cloud plane."

The acquisition of Confluera comes less than a year after XM Cyber acquired Cyber Observer to expand its CSPM capabilities.

"Integrating Confluera into our offering just made so much sense. We compared their detection capabilities on workloads with a prominent CWPP solution and were able to detect several attacks that the other CWPP solutions did not. And perhaps just as significantly, it did not create unnecessary noise for the security teams," said Noam Erez, co-founder and CEO of XM Cyber. "Today, security teams are overwhelmed with an overwhelming amount of alerts and multiple security tools that they can't keep track of. They are demanding the consolidation of solutions that can accurately and holistically analyze risk and pinpoint high priority exposures to be remediated efficiently. Confluera aligns perfectly with this core value that we deliver within our suite of services and is a natural fit for us."

The new real-time detection and response capabilities will be available to XM Cyber customers soon. To learn more, please visit: confluera.com. XM Cyber will be attending RSA 2023 and providing demos at their booth #1755 in the South Hall Expo. 

**About XM Cyber** 

XM Cyber is a leading hybrid cloud security company that's changing the way organizations approach cyber risk. XM Cyber transforms exposure management by demonstrating how attackers leverage and combine misconfigurations, vulnerabilities, identity exposures, and more, across AWS, Azure, GCP, and on-prem environments to compromise critical assets. With XM Cyber, you can see all the ways attackers might advance, and all the best ways to stop them, pinpointing where to remediate exposures with a fraction of the effort. Founded by top executives from the Israeli cyber intelligence community, XM Cyber has offices in North America, Europe, and Israel.

**About Confluera**

Confluera is the leading provider of next-generation Cloud eXtended Detection and Response (CxDR) solutions. Founded by Abhijit Ghosh and Niloy Mukherjee, Confluera's patented real-time attack storyboarding, built for hybrid cloud environments, gives organizations full visibility into active attack progressions and helps to drastically reduce the industry average time to detect and respond to advanced attacks. To learn more about Confluera's award-winning solution, visit confluera.com.

XM Cyber Announces Acquisition of Confluera, Adding Run-Time Protection on Cloud Workloads

A new Tech Insight report examines how the enterprise attack surface is expanding and how organizations must deal with vulnerabilities in emerging technologies.

Keeping applications and networks secure can seem like a Sisyphean task. No matter how much time and resources security and IT teams devote to vulnerability assessment, patching, and other mitigations to reduce cyber-risk, they are not enough. In fact, vulnerability management can feel like a series of never-ending tasks.

There is no shortage of vulnerabilities under attack by criminals. Last year saw major vulnerabilities, such as Log4Shell, Ruby on Rails (Follina), and Spring4Shell, plus flaws in Google Chrome, F5 BIG-IP, Microsoft Office, and Atlassian Confluence, to name a few.

The Cybersecurity Infrastructure Agency's Known Exploited Vulnerabilities catalog currently lists vulnerabilities in widely used enterprise applications, such as Oracle eBusiness suite, SugarCRM, Zoho, Control Web Panel, and Microsoft Exchange Server.

And common, yet dangerous vulnerabilities persistently make their way into Web applications, such as broken access control, cryptographic failures, security misconfigurations, and vulnerable and outdated components.

However, enterprise security teams can’t consider their jobs done just by mitigating these types of vulnerabilities. As they adopt new technologies, enterprises need to expand their vulnerability and attack surface management programs accordingly.

A new Dark Reading Tech Insight report examines key areas for enterprise security teams to pay attention to: firmware, 5G networks, edge computing, operational technology and IT convergence, cloud vulnerabilities and misconfigurations, vulnerabilities in open source software, and vulnerabilities in continuous software development pipelines. The report details these types of vulnerabilities and how to mitigate them.

Source

DARKReading