**TEL AVIV, Israel****,** **Feb. 7, 2023** **/PRNewswire/ --** ARMO, creator of open-source Kubernetes security platform Kubescape, announced today that it has integrated ChatGPT's generative AI into ARMO Platform. With ARMO Custom Controls powered by ChatGPT, users can quickly build custom controls based on Open Policy Agent (OPA) to solve their unique security needs. They can then run them to ensure their Kubernetes clusters and CI/CD pipelines are secure, correctly configured and compliant with security policies.

Open Policy Agent (OPA) provides a standard for security policies, which can be constructed using the Rego declarative language. However, Rego is not a widely known language and using it can be complicated and confusing.

ARMO Custom Controls pre-trains ChatGPT with security and compliance Regos and additional context, utilizing and harnessing the power of AI to produce custom made controls requested via natural language. The user gets the completed OPA rule produced by ChatGPT, as well as a natural language description of the rule and a suggested remediation to fix the failed control — quickly, simply and with no need to learn a new language.

Users can then run the new AI-generated control locally to use it live, and will soon be able to save and run it as an ARMO Platform custom control. Custom controls can also be submitted as pull requests to Kubescape's public regolibrary, contributing them to the community so that all Kubescape users can benefit from them.

"We realized that Kubernetes custom controls are a perfect use-case for generative AI," said Shauli Rozen, co-founder and CEO of ARMO. "By giving ChatGPT some important background and context first, ARMO Platform users can harness it to create custom controls and policies in seconds, complete with descriptions and suggested remediations. Users can focus on securing their Kubernetes environments and not on learning new code languages and tools. We look forward to building on new technology like ChatGPT as part of ARMO's mission to make Kubernetes security simple, easy and transparent."

To try ARMO Custom Controls powered by chatGPT, sign up to ARMO Platform for free.

Read more here 

**About ARMO**

ARMO, the creator of Kubescape, is on a mission to create an end-to-end Kubernetes security platform, powered by open source. We cover all Kubernetes security issues without adding to engineers' burden. Our products enforce organizational security and compliance policies without slowing down the business.

ARMO focuses solely on open source based CI/CD & Kubernetes security, allowing organizations to be fully compliant and secure from code to production. Our solution makes security simple and frictionless for DevOps and is embraced by security.

ARMO Platform is the enterprise solution based on Kubescape. It's a multi-cloud Kubernetes and CI/CD security single pane of glass. Features include: risk analysis, security compliance, misconfiguration and image vulnerability scanning, RBAC visualization.

Kubescape is an open-source Kubernetes security platform. It includes risk analysis, security compliance, and misconfiguration scanning. Targeted at the DevSecOps practitioner or platform engineer, it offers an easy-to-use CLI interface, flexible output formats, and automated scanning capabilities. It saves Kubernetes users and admins precious time, effort, and resources.

ARMO Integrates ChatGPT to Help Users Secure Kubernetes

**WILMINGTON, Del.****,** **Feb. 7, 2023** **/PRNewswire/ --** Intel 471, the premier provider of cyber threat intelligence solutions across the globe, today announced the release of its suite of Attack Surface Protection solutions, specifically designed to scale and grow with the needs of security teams worldwide.

The Intel 471 Attack Surface Protection suite is comprised of three offerings enabling organizations to identify, manage, and protect their digital footprint from the ever increasing and sophisticated cyber threats. Specifically:

*   **Attack Surface Discovery** – maps an enterprise's digital footprint at a single point in time using data from over 200 different OSINT sources, perform scans, probe for vulnerabilities and weaknesses, and identify Shadow IT assets
*   **Attack Surface Management** – builds on Attack Surface Discovery adding continuous monitoring of your attack surface, scan comparisons, automated alerts, and APIs to implement orchestration.
*   **Attack Surface Intelligence** – super charges Attack Surface Management by adding Intel 471 threat intelligence from the cyber underground, which exposes an entire class of threats to your attack surface.

Intel 471 Attack Surface Protection solutions are built upon the company's acquisition of SpiderFoot, a best-in-class open-source intelligence platform purposefully built to assist security professionals in the automation of asset discovery, attack surface monitoring or security assessments. SpiderFoot's CEO, Steve Micallef now serves as Intel 471's vice president of Attack Surface Technology and has been instrumental in developing our Attack Surface Protection solutions. 

"With digital transformation driving an ever-expanding attack surface, enterprises must have best-in-class solutions to identify, monitor, alert and protect their digital footprint and extended third-party attack surface.  As the premier provider of cyber threat intelligence, our solutions are tailored to grow and scale to meet enterprises' business requirements," said Mark Arena, CEO of Intel 471. "Our strategic acquisition of SpiderFoot and the release of our Attack Surface Protection solutions expand our portfolio to meet the specific and individualized attack surface needs of customers worldwide."

**About Intel 471**

Intel 471 empowers enterprises, government agencies, and other organizations to win the cybersecurity war using near-real-time insights into the latest malicious actors, relationships, threat patterns, and imminent attacks relevant to their businesses.

The company's TITAN platform collects, interprets, structures, and validates human-led, automation-enhanced results. Clients across the globe leverage this threat intelligence with our proprietary framework to map the criminal underground, zero in on key activity, and align their resources and reporting to business requirements. Intel 471 serves as a trusted advisor to security teams, offering ongoing trend analysis and supporting your use of the platform. Learn more at https://intel471.com/.

Intel 471 Announces Powerful and Scalable Attack Surface Protection Solution Suite

**MADISON, Wis.****,** **Feb. 7, 2023****/PRNewswire/ --** Infosec Institute, a leading cybersecurity education provider and part of Cengage Group, today announced the launch of a new security awareness training series titled, "Work Bytes" for Infosec IQ, a security awareness and training platform that empowers employees with the knowledge and skills to reduce their cyber risk. Work Bytes fills the void often seen with other cybersecurity training – the content is concise and entertaining, but most importantly it helps employees retain the information they've learned, ensuring a more knowledgeable and security-aware workforce.

Set in the backdrop of a hilarious office comedy, Work Bytes features a colorful cast of creative characters, including vampires, pirates, aliens, and zombies. These fantastical and unlikely co-workers encounter and navigate today's most common and complex cybersecurity threats from phishing emails to social engineering scams.

Cybersecurity threats are more prevalent than ever, and the reality is that employees are the biggest risk factor within an organization, but they can also be an organization's biggest asset with the right training. In fact, 82% of data breaches involve a human element. Aside from the major reputational damage that accompanies a data breach, business continuity post-breach is also greatly affected with experts predicting that by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.

"Cybersecurity threats are constantly evolving so the way companies train employees to recognize, navigate and deter these threats must change, too," said Jim Chilton, GM for Infosec and CTO of Cengage Group. "Lengthy, time-consuming, and stale trainings result in low engagement and a low retention of information which poses a massive risk for businesses. Our award-winning team has researched, developed, and brought to market a fresh content training series that educates, entertains, and engages today's learners so that they don't just 'check the box,' but begin building a strong, always-vigilant cybersecurity culture."

The Work Bytes training series is just the latest addition to Infosec IQ's content library where it joins five other award-winning training series including the highly acclaimed "Choose Your Own Adventure® Security Awareness Games."  One of the key benefits of Infosec IQ and its training platform is the opportunity to choose the type of content that resonates most with a company's culture and employee base. Offering personalized and tailored cybersecurity training ensures security knowledge and awareness – because cybersecurity needs everyone.

For more information on Infosec IQ and the Work Bytes series visit https://www.infosecinstitute.com/iq/work-bytes/ or watch the trailer here.

**About Infosec**

Infosec, part of Cengage Group, is a leading cybersecurity education provider helping IT and security professionals advance their careers and empowering employees to be cyber-safe at work and home. Its mission is to equip individuals and organizations with the knowledge and skills to confidently outsmart cybercrime. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent and teams, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ's security awareness and phishing training.

SOURCE Infosec Institute, part of Cengage Group

Infosec Launches New Office Comedy Themed Security Awareness Training Series

**LOS ALTOS, Calif.****,** **Feb. 7, 2023** **/PRNewswire/ --** Contrast Security (Contrast), the code security platform built for developers and trusted by security, today released its Cyber Bank Heists report, an annual report that exposes the cybersecurity threats facing the financial sector.

Authored by Contrast's Senior Vice President of Cyber Strategy Tom Kellermann, the report is a warning to global financial institutions (FIs) that security must be a top-of-mind issue amid rising geopolitical tensions, increased destructive attacks utilizing wipers and a record-breaking year of zero-day exploits. Financial sector security leaders from around the world - in a series of interviews - revealed specific trends when it comes to notable cyberattacks, e-fraud and cyber defense. Some of the most eye-opening results from the report include:

*   60% were victimized by destructive attacks
*   64% saw an increase in application attacks, while 50% experienced attacks against their APIs
*   48% experienced an increase in wire transfer fraud
*   50% have detected campaigns to steal non-public market information
*   54% of the banks were most concerned with the cyber threat posed by Russia
*   72% plan to invest more in application security in 2023

"The increase of online threats, phishing, ransomware attacks, account takeovers and business email compromises impacting the financial sector is growing every day and we can see in real-time the damage this is doing to the longevity of businesses and the impact it's having on our economy," said Derek Booth, Assistant to the Special-Agent-in-Charge, U.S. Secret Service and Head of the Mountain West Cyber Fraud Task Force. "I applaud Tom Kellermann for speaking with some of the most influential people within the sector to determine solutions that can better protect FIs against vulnerabilities in banks and methods of commerce through industry-wide transparency."

"The complexity of securing financial digital systems and the need to develop new ways to guard against sophisticated cyberattacks has increased exponentially in the last year. In response, FIs are fighting to evolve and create more effective prevention, detection and response to these damaging attacks," said Booth.

"Cybersecurity can no longer be viewed as an expense but rather a functionality of conducting business. Trust and confidence in the safety of FIs depend on effectively mitigating and responding to cyberattacks," said Kellermann.

The report provides helpful guidance, and specific defensive countermeasures to defend against growing cybercrime conspiracies and cyberespionage including:

1.  Deploy intelligent runtime protection
2.  Conduct weekly threat hunting
3.  Deploy AppSec for serverless platforms
4.  Defend your APIs
5.  Add a cybersecurity specialist to your board

"The financial sector needs to shift its thinking when it comes to attacks, as geo-political tensions manifest via cyberattacks. Cybercrime cartels are modernizing their criminal conspiracies so as to steal non-market information and destroy the integrity of sensitive data within financial institutions," said Kellermann. "This is no longer a question of duty of care but rather a duty of loyalty to the digital safety of customers. That is why the Cyber Bank Heists report not only highlights these trends but depicts countermeasures that can help institutions defend from within."

Booth will be joining Kellermann for a LinkedIn Live roundtable discussion at 9:00am PST on Tuesday, February 7 and a live webinar at 9:00am PST on Thursday, February 23 to discuss their reactions to the report and the financial security risks impacting organizations this year. Contrast also published a three-part blog series that dives deeper into cyberattack trends, e-fraud, and defensive shifts. 

To download the Cyber Bank Heists report, please visit https://www.contrastsecurity.com/cyberbankheistsreport. FIs can also request a demo of Contrast's financial capabilities by visiting https://www.contrastsecurity.com/solutions/financial-services. 

**About Cyber Bank Heists report:** 

Authored by Contrast's Senior Vice President of Cyber Strategy Tom Kellermann, the annual Cyber Bank Heist report includes findings from interviews conducted with global financial sector leaders focusing on the current state of security threats and the defensive shifts made by cybercriminals. The report provides an analysis of geopolitical tensions, destructive attacks and zero-day exploits from the previous year. It also offers specific defensive countermeasures that should be employed by FIs to protect against growing cybercrime conspiracies and cyberespionage. To learn more about the annual Cyber Bank Heists report, please visit https://www.contrastsecurity.com/cyberbankheistsreport.

**About the Author Tom Kellermann:** 

Tom Kellermann is the Senior Vice President of Cyber Strategy at Contrast Security, Inc. Previously, Tom held the positions of Head of Cybersecurity Strategy for VMware, Inc. and Chief Cybersecurity Officer for Carbon Black, Inc., wherein he authored the "Modern Bank Heist report" for the past five years. In 2020, he was appointed to the Cyber Investigation Advisory Board for the United States Secret Service. On Jan. 19, 2017, Tom was appointed the Wilson Center's Global Fellow for Cybersecurity Policy. Tom previously held the positions of Chief Cybersecurity Officer for Trend Micro, Inc., Vice President of Security for Core Security and Deputy CISO for the World Bank Treasury. In 2008, Tom was appointed a commissioner on the Center for Strategic & International Studies' (CSIS') Commission on Cyber Security for the 44th President of the United States. In 2003, he co-authored the Book "Electronic Safety and Soundness: Securing Finance in a New Age."

**About Contrast Security (Contrast):**

A world leading code security platform company purposely built for developers to get secure code moving swiftly and trusted by security teams to protect business applications. Developers, security and operations teams quickly secure code across the complete software development life cycle (SDLC) with Contrast to protect against today's targeted application security (AppSec) attacks. Contrast also makes security testing available to all developers for free with CodeSec.

Founded in 2014 by cybersecurity industry veterans, Contrast was established to replace legacy AppSec solutions that cannot protect modern enterprises. With today's pressures to develop business applications at increasingly rapid paces, the Contrast Secure Code Platform defends and protects against full classes of common vulnerabilities and exposures (CVEs). This allows security teams to avoid spending time on focusing false positives and remediate true vulnerabilities faster. Contrast's platform solutions for code assessment, testing, protection, serverless, supply chain, APIs and languages help enterprises achieve true DevSecOps transformation and compliance.

Contrast protects against major cybersecurity attacks for its customer base which represents some of the largest brand-name companies in the world, including BMW, AXA, Zurich, NTT, SOMPO Japan and American Red Cross, as well as numerous other leading global Fortune 500 enterprises. Contrast partners with global organizations such as AWS, Microsoft, IBM Cloud, Guidepoint Security, Trace3, Deloitte and Carahsoft, to seamlessly integrate and achieve the highest level of security for customers.

The growing demand for the world's only platform for code security has landed the company on some of the most prestigious lists including the Inc. 5000 List of America's Fastest Growing Companies and has designated Contrast as one of the fastest growing companies on the Deloitte Technology Fast 500 List.

Financial Institutions Are Suffering From Increasingly Sophisticated Cyberattacks, According to Contrast Security

**SANTA CLARA, Calif.****,** **Feb. 7, 2023** **/PRNewswire/ --** Valtix, the industry's first multi-cloud network security platform as a service, today announced findings from its 2023 Multi-cloud Security Report, which found that 95% of companies are pushing toward a multi-cloud environment, but only 58% believe they have the security architecture to support it. Respondents in the survey of more than 200 U.S. IT leaders cited complexities, gaps and other challenges between the overall strategy and the infrastructure they ultimately create.

The survey found that multi-cloud activity continues to rise with 93% of respondents currently having workloads and data on more than one cloud. Of those not yet in a multi-cloud environment, a full 94% expect to be multi-cloud within 12 months. Companies are embracing multi-cloud twice as fast this year compared to Valtix's year-ago survey. At that time, only 62% of organizations were multi-cloud, with 84% expecting to get there within two years.

"Multi-cloud continues as a strategic priority for most organizations in 2023—yet it also remains a concern for nearly all organizations," said Vishal Jain, co-founder and CEO of Valtix. "Very few companies have the tech, talent and confidence they need to put in place a comprehensive security infrastructure across multiple clouds. While many companies are still unintentional in their cloud choice, leaders are increasingly looking for proactive ways to leverage multi-cloud to benefit the business."

According to the survey, organizations cited several 'unintentional' factors that have accelerated their journey to a multi-cloud environment, including (1) shadow IT (51%), (2) different ISVs that support different clouds (48%), and (3) mergers and acquisitions (47%).

Even as adoption accelerates, 28% of IT leaders surveyed strongly believe multi-cloud is a "bad idea," citing issues such as (1) difficult to consistently secure (38%), lack multi-cloud security and management tools (35%) and (3) lack of multi-cloud reference architectures (32%). Only 57% of IT leaders are sure that multi-cloud security is achievable with current resources and technology, but admit they need to embrace it anyway, as 95% consider multi-cloud a "strategic priority" this year.

**Other findings:**

*   **Cloud Service Providers (CSPs) fail to define portability standards:** As businesses increasingly leverage CSPs for this cloud transformation, IT leaders surveyed were not hopeful CSPs will define portability standards anytime soon. A full 97% of IT leaders believe that CSPs should help define standards to enable better multi-cloud portability. However, 58% surveyed believe security standardization in a multi-cloud environment is a 'myth' and never achievable. Nearly all (90%) of organizations surveyed evaluate third-party security technology in addition to the security tools CSPs provide.
*   **Multi-cloud is a budgetary drain:** Managing multiple distinct security architectures with multi-cloud security is prohibitively expensive for 86% of organizations.
*   **The rise of the cloud security architect:** The Cloud Security Architect is growing as a common role with 86% of organizations currently employing an in-house cloud security architect. Moreover, 89% of organizations require every cloud project to adhere to a cloud security reference architecture.
*   **Cloud security posture management viewed as a commodity:** 67% of IT leaders view CSPM technology provided by the cloud providers as being critical to their success. Only 53% of organizations are looking to make a new CSPM technology investment in 2023.

A complimentary copy of the full report can be downloaded at https://valtix.com/lp/2023-multi-cloud-security-report/.

Follow Valtix on Twitter and LinkedIn to learn more.

**About the Survey**

Valtix commissioned an independent research firm to survey 200 IT leaders in the US about the problems they face with multi-cloud security, the tools they're using, the tools they want to use in the future, and the skills they need to scale and secure on multiple cloud platforms. The survey, which was conducted in January 2023, used a random sample of US IT leaders and has a margin of error of +/- 6.9% at the 95% confidence level.

**About Valtix**

Valtix is on a mission to protect every workload, every app architecture, across every cloud. Deployable in just 5 minutes, Valtix was built to combine robust multi-cloud security with cloud-first simplicity and on-demand scale. Powered by a cloud-native architecture, Valtix provides an innovative approach to cloud network security called Dynamic Multi-Cloud Policy™, which links continuous visibility with advanced security controls. The result: security that is more effective, adaptable to change, and aligned to cloud agility requirements. Join 4 of the top 10 pharmaceuticals and leaders across every industry – sign up free in minutes.

Valtix Survey: 95% of Organizations Say Multi-cloud Is a 'Strategic Priority' but Only 58% Have the Security Architecture to Support It

**NEW YORK****,** **Feb. 7, 2023** **/PRNewswire/ --** DataDome, the global leader in advanced bot and online fraud management, today released its inaugural "E-Commerce Holiday Bot & Online Fraud Report" which analyzes bot traffic during fraudsters' busiest time of year – the holiday season. The study identifies and quantifies the proliferation of bots, aggregating and analyzing traffic data of more than 110 billion requests made in Q4, 2022 across a range of e-commerce sites DataDome protects.

"During flash sales events such as Black Friday and Cyber Monday, e-commerce platforms typically face at least five times - and sometimes up to 30 times - more bot attacks than on normal days," said Benjamin Fabre, CEO & Co-Founder of DataDome. "As bad bots become more sophisticated and difficult to thwart, staying ahead of them is imperative. This holds true particularly during flash sales and the busy holiday season, when the impact of these attacks is maximized."

DataDome analyzed the website, mobile app and API traffic of e-commerce businesses it protects, across clothing, footwear, ticket, and electronic retail among other companies located in the United States, Europe, Australia, and Asia. Key observations from the report include:

*   The United States **was the #1 direct source of bot attacks.** The US generated 10 times the number of bot attacks compared to China, the second country of origin for the most bot attacks against online retailers and e-commerce platforms during this period. Attackers tend to choose IP addresses/proxies located in the same country as the website they target in order to appear more human and bypass traditional geo-blocking techniques. Many of the e-commerce sites DataDome protects are in the US, which helps explain why so many attacks appear to have originated from the US.
*   **E-commerce bots are becoming increasingly sophisticated in their ability to mimic human behavior and bypass basic security tools.** The availability of high-quality proxies has made it easy for attackers to leverage IPs from the home location of their target business. And attackers paid premium prices for ISP proxies, proving both the increasing ROI of online fraud, especially scalping, around Black Friday and other limited sales, and the effectiveness of ISP proxies in helping cybercriminals avoid detection by more basic bot mitigation tools and web application firewalls (WAFs).
*   **98% of the attacks were from scraping and scalping bots:** Numbering in the billions, scraping bots, considered a gateway automated threat that often leads to more aggressive and damaging attacks, were used to test the availability of products and target the limited infrastructure resources during the busy holiday season. Scalping attacks followed, as fraudsters tried to snag as much inventory as possible to resell for profit later.
*   **Some industries saw more impact than others:** Industries that saw the most bot traffic include clothing & footwear and electronic goods—especially hot ticket items, such as gaming consoles and luxury or limited edition merchandise. The biggest attack DataDome observed in Q4 2022 targeted a large US retailer with ~66M malicious bot requests in less than two hours.

"Fraudsters are getting easier access to more sophisticated bots and technology every day. As the ease and ROI of online fraud increase, so do the frequency and intensity of bot attacks," said Antoine Vastel, PhD, Head of Research at DataDome. "Yesterday's basic bot mitigation measures are no match against today's evolving threats—especially bots that use ISP proxies and machine learning to mimic human behavior. Now more than ever, it is critical that retailers protect all endpoints from attacks, as threats target the weakest link in their infrastructures."

The full research report, "E-Commerce Holiday Bot & Online Fraud," is available here. On February 16, 2023 at 12:00p EST, DataDome's Head of Research will host a webinar that dives into the report's findings.

For more information about DataDome's fraud detection and prevention, visit www.datadome.co/.

**About DataDome**

DataDome's bot and online fraud protection detects and mitigates attacks with unparalleled accuracy and zero compromise. Our machine learning solution analyzes 1 trillion data points per day to adapt to new threats in real time. Our 24/7 SOC experts protect hundreds of high-profile brands worldwide, including Reddit, Patreon, and AngelList. A force multiplier for IT security teams, DataDome is fully transparent, easy to deploy, and frictionless for consumers. In 2022, DataDome was named a Strong Performer in the Forrester Wave: Bot Management and ranked the top G2 Leader in Bot Detection & Mitigation for Fall 2022 and Winter 2023.

SOURCE DataDome

DataDome's Inaugural E-Commerce Holiday Bot & Online Fraud Report Reveals the U.S. as the Top Source of Bot Attacks

Security pros need to look beyond user education to find and disarm fraudulent actors.

The new year celebrations are behind us, and most of us have returned to our daily routines. This is as good a reminder as any that the spring scam season — or rather, tax season — is nearly here.

In all seriousness, the opening of the tax season most often brings with it a new crop of scams to defraud honest, hard-working people.

Of course, it is not just tax season that heralds scams. Nearly all big events, whether they are natural disasters, health crises, economic downturns, major sporting events, or otherwise, seem to bring with them their fair share of scams. Educating our end users as to the dangers of these scams and the potential for fraud losses is necessary but woefully insufficient.

But enterprises need to do even more to effectively combat scams. They need to protect their end users in ways that are not dependent on the end user themselves. Simply put, enterprises cannot rely solely on educating end users to reduce fraud losses.

Though there are undoubtedly numerous ways in which enterprises can combat scams, I'd like to discuss five techniques that enterprises can use to help avoid fraud losses resulting from scams.

**1\. Incorporating the User Layer**

It may sound radical, but the first step to combatting scams is accepting that a certain percentage of them will succeed against end users. Only when enterprises embrace this idea can they begin to reduce fraud losses resulting from scams. If we assume that a certain number of end users will be scammers and/or fraudsters that have taken over or otherwise compromised a legitimate end user's account, that allows us to understand that we need to look at the user layer.

In other words, we need insight into user behavior, device information, and network/environment information in order to add important context and enrich our understanding of who might be interacting with our online application. We can look for unusual activity, suspicious behavioral patterns, and strange device, network, and environment information that might help us realize that it is not the legitimate user who is interacting with the application. That can tip us off to when a legitimate end user has fallen prey to a scam.

**2\. Reducing Noise**

Say that an enterprise needs to look at 50, 100, or 200 suspicious events in a given day — including scam-related events. If those events are found in a work queue of 500 or 1,000 events, this is doable. If, on the other hand, those events are buried in a pile of noise and false positives numbering in the hundreds of thousands or even millions, this is considerably more challenging. Thus, an important component to combatting scams is to get them noticed in the first place.

In other words, it is important to significantly reduce the amount of noise and the volume of false positives that the fraud team needs to wrestle with on a daily basis.

**3\. Tightening Logic**

Related to the above point, a key reason for overabundance of false positives is alert logic that is not tight enough or precise enough. By incorporating the user layer, more precise logic, and more analytically clever rules, enterprises can significantly reduce the volume of false positives and noise that they must contend with. Tightening alert logic is a very effective way to increase the chances that scams will be detected before significant fraud losses have been incurred.

**4\. Performing Post-Transaction Analysis**

It is often the case that enterprises focus on real-time or near-real-time fraud detection and mitigation. This is, of course, extremely important and a noble goal. It would be naive, however, to believe that we are not overlooking or missing significant fraud losses that we are unable to detect in real time.

Analyzing data post-transaction — or "offline," if you will — allows us to identify suspicious or unusual activity that may be buried deep in the data. This allows us to identify reliable patterns, including around scams, that we can turn into real-time or near-real-time detection. This improves our fraud detection capabilities as a whole and helps us to reduce our risk of fraud losses.

**5\. Studying Behavioral Patterns**

An important part of post-transaction analysis that is worth mentioning separately is the study of behavioral patterns. As alluded to above, as careful as scammers and fraudsters try to be, they often leave clues behind that can help us detect that it is them and not the legitimate end user interacting with the online application.

The subtler the clues, the more important it is to study behavioral patterns in depth. Doing so can facilitate the discovery of fraudster "tells" that we can then leverage to more accurately detect scams.

While end-user education is necessary to limiting scam-related fraud losses, it is not sufficient. To truly tackle the scam problem, enterprises must embrace a variety of approaches, some of them outside of the box of conventional wisdom. The investment is most often worth it, however, as it can yield results in the form of significantly reduced fraud losses.

5 Ways to Survive Scam Season — or Rather, Tax Season

Three ways to stay safe in an economically uncertain 2023.

Last month, a Wall Street Journal article highlighted how chief information security officers (CISOs) will increasingly see budgets constrained based on the growing economic uncertainty facing companies in 2023. So, how should CISOs manage through this uncertainty? Let's start by acknowledging several planning constraints:

*   **Regulatory expectations** are nonnegotiable for corporate resourcing purposes and are likely to increase. New time-bound incident reporting regulations for public companies and critical infrastructure operators are pending, and the Biden administration's soon-to-be-released National Cybersecurity Strategy is likely to call for fuller use of existing regulatory authorities across sectors.
*   **Threat actors** are as active as ever and increasingly looking to identify and exploit weaknesses in core security technologies intended to defend us. The recent acknowledgment of source code theft at Okta, a leading provider of cloud-based multifactor authentication and single sign-on solutions, as well as the breach at password manager LastPass, put this in larger relief.
*   Given the **rapid proliferation of software across technology environments**, it is practically impossible for most organizations to ensure that all systems are fully hardened and patched.

Given these constraints, here are three steps that could help better optimize cybersecurity investments in a constrained spending environment:

**1\.** **Shine a light on underlying business and technology complexity.** Variances in the number of systems, applications, privileged users, third parties, employee attrition, and geographic presence all influence risk and what's required to defend an organization. Indeed, recent research by IBM Security highlights how increasing complexity (e.g., cloud migrations, third-party involvement, etc.) has tended to amplify incident response costs. It's foolhardy to impose limits on security spending without also considering whether at the same time, we are reducing complexity in the underlying business and technology environment that CISOs are being asked to defend. Measuring changes in the complexity of the underlying "attack surface" — that is, the set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from — should be a precondition to considering adjustments or restraints on cybersecurity resources.

**2\.** **Prioritize threat-informed defenses.** Cost constraints put a premium on prioritizing defenses based on behaviors that adversaries are known to use and critical software systems they are likely to target (including, but not limited to, identity and access management systems noted above). MITRE's ATT&CK framework not only comprehensively maps out threats and how they link to specific mitigations and detections — many of these mitigations and detections are achievable through technologies already in place, particularly as infrastructure providers incorporate security features into their offerings. Investing in defenses against prevalent threats can provide outsized risk reduction benefit. The Cybersecurity and Infrastructure Security Agency (CISA) recently released a set of Cybersecurity Performance Goals intended to "help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small and medium-sized organizations kickstart their cybersecurity efforts." Each of the goals is mapped to specific MITRE threat techniques.

As important, companies should invest at least some resources in validating that the controls theoretically in place are there in practice and operating as intended. CISA, the FBI, and the NSA jointly issued guidance last fall where they "recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory." Too often, we see incidents where the initial access was achieved through a misconfigured asset or undocumented security exception. Finally, the resilience aspect of threat-informed defense is critical: If a ransomware incident occurs, offline backups and up-to-date incident response plans will be key to minimizing damage.

**3\.** **Rationalize third-party risk management.** There are also several persistently vexing problems that no one organization can address and must instead be addressed at a sector or national level. Companies know that a cyber incident at a supplier can have cascading impacts on them, and they are increasingly mandating security audits and minimum baseline requirements as a condition of doing business. The problem is that there is no uniformity in this approach, leaving suppliers and customers to sort through a morass of requirements and attestations, which require more and more personnel resources to manage. Indeed "assessors" are increasingly becoming "assessees" when they are subjected to cyber-insurance renewal reviews. Sectorwide approaches are needed to bring greater uniformity to standards, reducing third-party compliance complexity and enabling repurposing of investment to threat-informed defense.

While many of these steps must be accomplished within the private sector, the federal government can help advance these steps. First, as we think about increased regulatory activity, we can help manage additional financial burdens by ensuring alignment on control expectations (in a manner that is threat-informed) across regulatory agencies (and ideally with sister programs in allied foreign governments) — i.e., so that companies subject to multiple regulatory programs can focus on a consistent set of expectations. Second, we should consider not just how regulations can penalize companies that fail to live up to expectations, but also how they can reward companies to go beyond them. Finally, by imposing standard baseline expectations and mechanisms for attestation across suppliers, as the federal government is trying to do with software security, we bring greater uniformity to third-party risk management.

Businesses are facing a highly complex business, technology, and threat environment. In a cost-constrained atmosphere, return on investment matters more than ever. We should thus be bringing as much accuracy as possible in how we align defenses to likely threats, and drive as much uniformity as we can in measuring cybersecurity performance in a transparent, accurate, and precise way.

Optimizing Cybersecurity Investments in a Constrained Spending Environment

New tech often requires new thinking — but that's harder to install.

Here's a provocative question: Is it possible, given the vast array of security threats today, to have too many security tools?

The answer is: You bet it's possible, if the tools aren't used the way they could be and should be. And all too often, they aren't.

New tools introduce new possibilities. Conventional thinking about security in a particular context may no longer be applicable exactly because the tech is new. And even if conventional thinking is applicable, it may require some modification to get the best use out of the tools.

That's a real problem for security executives. And the more powerful, sophisticated, and game-changing security tools may be, the higher the odds this problem will apply.

This is frequently the case with zero trust, since it differs so much from traditional security. New adopters sometimes expect a more high-powered firewall, and that's fundamentally not what they get. They've decided to invest in next-generation capabilities, yet they begin with a perspective that is often last generation in character, and it really diminishes their ROI.

**It's the Response, Not the Request, That's Risky**

The traditional perspective on corporate Web access, for instance, says that, within a business context, some sites are good and some sites are bad. Examples of good sites include tech media, industry partners and competitors, and news services. Examples of bad sites include gambling, pornography, and P2P streaming.

The traditional response is to whitelist the good sites, blacklist the bad sites, and call it a day. Beyond the fact that this line of thinking can lead security teams to make hundreds of rules about which sites to block and which sites to allow, I'd like to suggest it misses the point.

Today, we know that optimized cybersecurity is not so much about the perceived _character_ or _subject matter_ of a site. It's more about what kind of threats may be coming from the site to the organization, and what kind of data is leaving the organization for the site. That means you're going to need new approaches to asking and answering questions in both categories, and that, in turn, means new tools and a new understanding.

This situation comes up in the context of content delivery networks (CDNs). They represent a huge fraction of all Internet traffic and, for the most part, it's true that the content they deliver will be innocuous as a security threat. That's why many security admins have set up rules to allow all traffic from such sources to proceed to corporate users on request.

But is it really wise simply to whitelist an entire CDN? How do you know some of the sites it serves up haven't been compromised and aren't a de facto attack vector?

Furthermore — and this is where it gets interesting — what if you actually have a tool so powerful and so fast that it can assess CDN content, in or in very close to real time, for its potential as a security threat before it reaches users? Wouldn't you be wise to _use_ that tool, if properly configured, as opposed to _not_ use it?

In this scenario, the old assumption that no tool could be that powerful and fast, which used to be true, is now false. It's no more valid than the old assumption that CDN-sourced content must inherently be safe.

So to implement this new and more sophisticated perspective on Web access, it's pretty clear more is required than simply implementing new tech (rolling out new tools). People will have to be trained in the tech's feature set and capabilities, and processes will have to be adjusted to take that new info into account. If that doesn't happen, security admins who are simply given new tech will not be getting the best use out of it. They will be, if you'll forgive the term, a fool with a tool.

**Stay On Top of Capabilities and Configurations**

Streamlining your vendor security stack is always preferable to bolting on new tools with niche functionality. Otherwise, chief information security officers (CISOs) may end up trying to secure a supply closet, not knowing which locks are actually in effect. Even so, this isn't a one-and-done responsibility.

Suppose, for instance, it selects one partner for the network security, another for endpoint security, and a third specifically for identity management. Suppose all three partners are genuinely top tier.

If the organization's people and processes don't understand and take full advantage of the partners' capabilities, those capabilities will not deliver total value, and the organization will not be as protected as it could be. The number of security tools has essentially been reduced to three great tools, but the security architecture still needs ongoing attention.

In the age of the cloud, updates and features are being pushed constantly. That means configuring a new security tool once and stepping away isn’t enough. Because new functions can disrupt a business's operations in ways unforeseeable to a vendor, they are often turned off by default when first released. To be their most effective, security tools must be reconfigured regularly.

I'll conclude with a common example I see frequently. Because botnets are a major ongoing problem, it's important to have some bot detection/bot blocking capabilities in place. This may take the form of monitoring logs for things like compromised endpoints, which command-and-control servers may try to contact to deliver instructions.

This is precisely the kind of information security managers should be thrilled to get.

But because many departments don't have the time or inclination to analyze their logs, they don't benefit from the information contained within them. As a result, compromised endpoints aren't cleaned and no forensics are conducted to learn how they were compromised in the first place.

This brings me to my bottom line: Keep your eyes open, understand what new tech and new partners can do and capitalize on it to the best effect. Your organization and career will both benefit.

Read more _Partner Perspectives_ with Zscaler.

A Fool With a Tool Is Still a Fool: A Cyber Take

Security teams can use a blocklist containing tens of thousands of proxy IP addresses used by the pro-Russian hacktivist group to defend their organizations from DDoS attacks.

SecurityScorecard has pulled together a list of proxy IP addresses used by KillNet to launch distributed denial-of-service attacks (DDoS) against various entities around the world over the past year.

KillNet has taken responsibility for DDoS attacks against US-based hospitals and airports, as well as financial and government organizations in Germany. The pro-Russian group is targeting countries supporting Ukraine, especially NATO countries.

In a DDoS attack, the attack group cause thousands of connection requests and packets to be sent to the targeted entity's server or website per minute. The attack is made possible by bots – compromised systems that are being harnessed by the attack group. The sheer volume and size of these requests and packets can slow down the targeted system or even overwhelm it to the point where it is no longer available.

In January, KillNet's attacks took websites for 14 hospitals offline; affected organizations included University of Michigan Hospitals and Health Centers, Stanford Hospital, Duke University, and Cedars-Sinai. Knocking websites offline for days or disrupting network connectivity can interfere with patient care: Patients may be prevented from scheduling appointments and doctors may be unable to send and receive health information online. Both the US Department of Health and Human Services (HHS) and the American Hospital Association released warnings that KillNet posed a threat to healthcare organizations.

"While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days," AHA said.

SecurityScorecard's blocklist, which lists tens of thousands of proxy IP addresses used by the hacktivists in previous DDoS attacks, can be particularly helpful for defenders at healthcare organizations. Security teams can use the list, which is regularly updated by SecurityScorecard's team of researchers, and deploy firewall rules to block malicious traffic from even entering the network. The list can also support network monitoring and investigations to identify and track attacker activities.

Right now, it is just DDoS attacks, but there is also the worry that other criminal groups – such as ransomware gangs – sharing KillNet's political views will join in to target these organizations.

"It is likely that pro-Russian ransomware groups or operators, such as those from the defunct Conti group, will heed KillNet's call and provide support," HHS warned. "This likely will result in entities KillNet targeted also being hit with ransomware or DDoS attacks as a means of extortion, a tactic several ransomware groups have used."

Cloudflare's analysis shows an increase in DDoS activity against healthcare organizations and that there may already be multiple threat actors acting on behalf of KillNet.

"The attacks observed by the Cloudflare global network do not show a clear indication that they are originating from a single botnet and the attack methods and sources seem to vary," Cloudflare said last week. "This could indicate the involvement of multiple threat actors acting on behalf of Killnet, or it could indicate a more sophisticated, coordinated attack."

Source

DARKReading