**SANTA CLARA, Calif.****,** **Jan. 5, 2023** **/PRNewswire/ --** Netskope, a leader in Secure Access Service Edge (SASE), on the heels of its recognition as Cloud Security Services Vendor of the Year, its sixth straight ranking on the Forbes Cloud 100 list of top cloud companies, and its recognition as a Leader in the 2022 Gartner® Magic Quadrant™ for Security Service Edge (SSE), today announced an oversubscribed investment round of $401M.

The partners for this oversubscribed convertible note investment were four of the world's premier investors. The financing was led by investment funds managed by Morgan Stanley Tactical Value, with participation from Goldman Sachs Asset Management, Ontario Teachers' Pension Plan, and CPP Investments. Netskope plans to extend its technology and platform advantages and market reach through continued innovative worldwide platform development and expansion of strategic go-to-market activities, underscoring its leadership and momentum in what leading analysts estimate to be the $36 billion market opportunity for SASE by 2025.

This financing marks the latest among many recent business and financial milestones for Netskope and serves as another strong validation and indicator of the continued momentum and adoption of the company's vision, team, products, culture, and market opportunity. 

**Securing Modern Cloud Networks** 

As hybrid and remote work has become the new reality, and the use of the cloud accelerates, enterprises of all sizes need to transform their network and data security strategy and architecture. As a result, they are rapidly adopting SASE as a foundational part of their zero trust strategy, to safeguard data, support digital transformation efforts, and realize better efficiency by addressing security and networking challenges through a unified architecture. In addition, enterprises are increasingly seeking SASE capabilities from fewer sources to reduce vendor and tool sprawl. Gartner notes1 that, "by 2025, 65% of enterprises will have consolidated individual SASE components into one or two explicitly partnered SASE vendors, up from 15% in 2021."

The Netskope converged SASE platform includes Netskope's industry-leading Intelligent Security Service Edge (SSE) and Borderless SD-WAN technologies, all of which are crucial to providing the optimized access and zero trust-based security required in a modern networking and security technology stack. Netskope today is one of only a few providers of single-vendor SASE. It is also the only SASE provider recognized as a representative vendor in the 2022 Gartner Market Guide to Single Vendor SASE that also appears as a Leader in the 2022 Gartner Magic Quadrant for Security Service Edge. 

"Our vision from day one was that traditional network and security perimeters would transform, with users, data, and devices moving outside the confines of corporate network perimeters and requiring a new approach to security," said Sanjay Beri, Netskope CEO and co-founder. "With a cloud-first, data-first, and customer-centric philosophy, we built a market-leading SASE platform and one of the world's fastest and most-connected security cloud networks. We have enabled enterprises everywhere to allow their users to be mobile, efficient, and flexible while securing them and the data and applications they access, whether they are in the cloud, on the web, or are private applications on-prem and beyond. We are very proud of the team members, customers, industry luminaries, and existing and new partners announced today who are helping to enable Netskope's journey and secure the journey of all enterprises worldwide."

Over the past 12 months, Netskope has broadened its market reach in the following ways:

*   **Increased Customer Base** – to more than 2,400 total customers worldwide, including over 25 of the Fortune 100, and across all verticals including financial services, healthcare, retail, telecommunications, manufacturing, government, high tech, and beyond.
*   **Expanded SASE Platform** – through organic development of new endpoint data loss prevention, advanced cloud firewall, and zero trust network access products, as well as strategic acquisitions of WootCloud and Infiot to serve as core technology components of Netskope's innovative IoT Security and Borderless SD-WAN modules, respectively.
*   **Growing Patent Portfolio** – more than 100 global patents awarded to Netskope inventors, in data loss prevention, AI/ML, threat prevention, high speed cloud networking, and other strategic technology categories.
*   **Continued Expansion of NewEdge security private cloud** – now powered by full-compute data centers in more than 60 regions worldwide. Every Netskope NewEdge data center is accessible to every customer, with all Netskope SASE services available, providing low latency and high-performing infrastructure, and backed by industry-leading Service Level Agreements.
*   **New and Enhanced Go-to-Market Partnerships** – with some of the world's best-known cloud platform, service provider and systems integrator brands, including Orange, Deloitte, Telefonica, KPN, AWS, Google Cloud, CrowdStrike, Mimecast, Okta, and others which expand Netskope's global reach and ability to capture market share.
*   **Increased Corporate Footprint** – to more than 2,500 team members, active in over 40 countries, with open roles across teams and regions. In 2022, Netskope also enhanced its seasoned executive team with leaders from Salesforce, AWS, Cisco, Palo Alto Networks and others joining Netskope.
*   **Industry Recognition:** Recent Netskope highlights also include product, customer, and industry recognition, including:

*   Won 2022 CRN Cloud Services Vendor of the Year award
*   Won Best SASE Solution and Most Promising Unicorn awards from SC Media
*   Ranked among the highest two solutions for every single use case in the 2022 Gartner Critical Capabilities for Security Service Edge report
*   Named a Leader in the IDC Marketscape for Cloud Security Gateways
*   Awarded one of the first U.S. Federal Civilian Government SASE Contracts, led by the United States Patent and Trademark Office
*   Named for a sixth time to the Forbes Cloud 100, as one of only four security vendors to rank in the Top 50
*   Achieved best-in-class employer brand and employee experience ratings from Glassdoor
*   Achieved a Silver Medal from EcoVadis, highlighting commitment to ESG and business sustainability

"Cloud migration—and securing this modern network—represents one of the most significant and transformative technology shifts in decades," said Pedro Teixeira, managing director of Morgan Stanley and Co-Head of Morgan Stanley's Tactical Value Investing Team. "We seek to invest in high-quality companies that are driving their markets today and into the future.  Netskope epitomizes this, with its innovative SASE vision and solid execution, a robust platform with significant monetization ahead of it, a large global customer base, and defensible market leadership. We look forward to partnering with the team as they strive to realize the significant opportunity that lies ahead."

**Legal Notices**

Morgan Stanley & Co. LLC served as the sole placement agent for the note offering. Pillsbury Winthrop Shaw Pittman LLP served as Netskope's legal counsel and Latham & Watkins LLP served as Morgan Stanley Tactical Value's counsel. J Wood Capital Advisors LLC acted as financial advisor to Netskope.

This press release does not constitute an offer to sell, or a solicitation of an offer to buy, any securities of Netskope.  The securities referenced herein have not been registered under the Securities Act of 1933, as amended, and may not be offered or sold in the United States absent registration or an applicable exemption from such registration requirements.

**Gartner Disclaimer**

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

**About Netskope**

Netskope, a global SASE leader, is redefining cloud, data, and network security to help organizations apply zero trust principles to protect data. Fast and easy to use, the Netskope platform provides optimized access and real-time security for people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope and its powerful NewEdge network to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

Netskope Receives $401M In New Funding

Collaboration across all business units is key to building a robust cybersecurity program.

The shift to remote and hybrid work, a rise in IT outsourcing, and the commercialization of cybercrime have created a heightened threat landscape in which no organization is bulletproof. And in 2022, the global average cost of a data breach reached an all-time high of $4.35 million — so if cybersecurity isn't a priority when it comes to your organization's financial planning, it's time to make it one.

**Today's Threat Landscape Requires All Hands on Deck****

Modern organizations have vast supplier ecosystems of third-party vendors — and that means increased access to organizations' data and IT infrastructures. Although the growth of IT connectedness helps enterprises scale and meet business objectives, it also creates more opportunities to exploit vulnerabilities in the software supply chain.

Attacks on a third-party vendor's software negatively impact both the organization and its customers. Since customers often share sensitive data with third parties, it's critical for vendors to maintain strong security programs consistent with industry standards and regulatory requirements. But it's not just vendors who need to prioritize cybersecurity.

Cybercrime has financial consequences in the form of regulatory fines, ransom payments, and data recovery costs. Consumer trust also declines by an average of 67% after a data breach. Simply put, there's too much at stake to let cybersecurity planning sit on the backburner.

With organizational spend under greater scrutiny, it can be difficult to justify increased spending in any area of the business, cybersecurity included. But in reality, an economic downturn doesn't mean a downtick in cybercrime — data breaches climbed 167% from the second quarter to the third quarter of 2022.

****Enhance Cybersecurity Through Strategic Partnerships****

As cyberattacks continue to grow in frequency and severity, executives and decision-makers across industries have become more informed about cybercrime and the need for increased investment to mitigate it.

Collaboration between chief information security officers (CISOs) and business executives is crucial to building a robust cybersecurity program. These teams can leverage their respective skill sets to ensure alignment between cybersecurity initiatives and business objectives, more accurately measure the return on investment (ROI) of cybersecurity programs, and help make cybersecurity spending a priority.

With these best practices, security leaders can cultivate a strategic and collaborative partnership across all business units:

**Understand business shifts.** CISOs need to work together with the business to determine the most effective way to balance risk versus expense. Formalized processes should exist to engage the CISO and other key stakeholders about shifts in technology, locations, or the types of data being processed.

Additionally, regular communication between CISOs and other leaders can help them better understand each other's pain points and objectives. Through these conversations, security leaders can ensure their financial and business counterparts have the necessary context to respond to budget requests and initiatives.

**Leverage expertise to educate.** CISOs are responsible for educating organizational leaders about security risks and how to implement cost-effective controls to mitigate them. A potential recession is creating pressure for leaders to reduce spending, but experts anticipate global cybercrime costs to continue climbing. So while cybersecurity investments may present costs upfront, they pale in comparison to the financial and reputational risks of a data breach or cybersecurity incident.

Technologies and services like cloud-based vulnerability management platforms, third-party penetration testing, patch management and endpoint protection are critical in protecting the organization's data. It's up to security leaders to communicate the value of these tools, their benefits, and how they meet the needs of the business. Security leaders can speak the language of the business by focusing on outcomes and ROI rather than getting in the weeds on technical details.

The goal of establishing a solid relationship between CISOs and business leaders isn't to secure a blank check for cybersecurity spending. Instead, through regular communication and collaboration, they can work together to strike a balance between risk and expense, and determine where to allocate resources for effective cyber-threat mitigation. As a result, cybersecurity can remain a priority during budget planning and the entire organization can reap the benefits of increased customer trust and secure data.

**

How to Ensure Cybersecurity Investments Remain a Priority Across Your Organization

**DALLAS****,** **Jan. 5, 2023** **/PRNewswire/ --** Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, has established CTOne, a new Trend Micro subsidiary focused on advancing 5G network security and beyond. The group's intellectual capital and leadership come from Trend Micro's culture of innovation and is the latest incubation project to launch as a standalone business.

_To learn more about CTOne's private 5G network solutions, please visit:_ https://www.ctone.com

Eva Chen**, CEO of Trend Micro:** "Trend Micro has been at the forefront of network transformations for over three decades. The 5G network technology has enabled new capabilities and applications requiring new cybersecurity infrastructure. With our foresight and over six years of dedicated research into network technology, we are confident that CTOne will safeguard organizations in all 5G network environments."

Organizations need to integrate resources to combat emerging threats in the private 5G networks more effectively. By pre-deploying a security net, CTOne strengthens the digital resilience of vertical application fields and provides security for landing applications in private 5G network environments and achieving comprehensive protection from network to endpoint.

Low latency, large bandwidth, and high-density capabilities have accelerated many organizations to adopt private 5G networks. According to a Grand View Research report\*, the global private 5G network market size was valued at USD 1.38 billion in 2021 and is expected to expand at a compound annual growth rate of 49% in the next year. Private 5G networks are usually considered the most secure wireless communications standard. However, with the widely used Open Radio Access (O-RAN) structure, the proliferation of cloud networks, open-source software, and the variety of IoT devices, the 5G environment faces more cyber threats than ever.

Jason Huang**, CEO of CTOne:** "Safety today doesn't guarantee Safety tomorrow. While the communications technology market is booming, business operations are facing exposure to more complex risks. CTOne enables enterprises to secure private 5G networks against potential cyberattacks and build a high-quality industrial application ecosystem. In the future, we will collaborate with partners to maximize the advantages of private 5G with comprehensive security solutions."

In addition to private 5G network end-to-end security solutions, CTOne is also developing O-RAN and edge computing security solutions to assist enterprises in mitigating cyber risk when deploying related technologies.

\* Private 5G Network Market Size, Share & Trends Analysis Report By Component (Hardware, Software, Services), By Frequency (Sub-6 GHz, mmWave), By Spectrum, By Vertical, By Region, And Segment Forecasts, 2022 – 2030, Grand View Research

**About Trend Micro**

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, the platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 65 countries, Trend Micro enables organizations to simplify and secure their connected world. www.trendmicro.com.

**About CTOne**

CTOne, a global cybersecurity leader in communication technology, offers enterprise cybersecurity solutions for next-generation wireless networks. A subsidiary of Trend Micro, CTOne enables digital transformation and strengthens the resilience of communication technology. https://www.ctone.com

SOURCE Trend Micro Incorporated

Trend Micro Announces New Subsidiary for 5G Cybersecurity

The hosting provider had not applied Microsoft's new patch due to publicly reported issues with the update.

Managed cloud hosting services company Rackspace Technology has confirmed that the massive Dec. 2 ransomware attack that disrupted email services for thousands of its small-to-midsized business customers came via a zero-day exploit against a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, aka CVE-2022-41080.

"We are now highly confident that the root cause in this case pertains to a zero-day exploit associated with CVE-2022-41080," Karen O'Reilly-Smith, chief security officer for Rackspace, told Dark Reading in an email response. "Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a remote code execution chain that was exploitable."

CVE-2022-41080 is a bug that Microsoft patched in November. 

An external advisor to Rackspace told Dark Reading that Rackspace had held off on applying the ProxyNotShell patch amid concerns over reports that it caused "authentication errors" that the company feared could take down its Exchange Servers. Rackspace had previously implemented Microsoft's recommended mitigations for the vulnerabilities, which Microsoft had deemed a way to thwart the attacks.

Rackspace hired CrowdStrike to help with its breach investigation, and the security firm shared its findings in a blog post detailing how the Play ransomware group was employing a new technique to trigger the next-stage ProxyNotShell RCE flaw known as CVE-2022-41082 using CVE-2022-41080. CrowdStrike's post did not name Rackspace at the time, but the company's external advisor tells Dark Reading that the research about Play's mitigation bypass method was the result of CrowdStrike's investigation into the attack on the hosting services provider.

Microsoft told Dark Reading last month that while the attack bypasses previously issued ProxyNotShell mitigations, it does not bypass the actual patch itself.   

Patching is the answer if you can do it," the external advisor says, noting that the company had seriously weighed the risk of applying the patch at a time when the mitigations were said to be effective and the patch came with risk of taking down its servers. "They evaluated, considered and weighed \[the risk\] they knew about" at that time, the external advisor says. The company still hasn't applied the patch since the servers remain down. 

A Rackspace spokesperson would not comment on whether Rackspace had paid the ransomware attackers.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Rackspace: Ransomware Attack Bypassed ProxyNotShell Mitigations

Job applicants could face a raft of follow-on attacks after cyber intruders accessed their data in an opportunistic attack.

The Five Guys burger empire has been hit with what appears to be a "smash-and-grab" operation: Cyberattackers busted into a file server and made off with the personally identifiable information (PII) of people who applied to work at the chain.

Details are scant, but in a form letter to the impacted sent out on Dec. 29, Five Guys chief operating officer Sam Chamberlain noted that an "unauthorized access to files" was discovered on Sept. 17 and was blocked the same day.

He added, "We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process, including your name and \[variable data\]."

What was that "variable data," one might ask? Turke & Strauss LLP, a law firm that's investigating the matter on behalf of the victims, identifies the information as including Social Security numbers and drivers' license data.

Five Guys did not immediately respond to a request for verification or comment from Dark Reading.

Five Guys employs about 5,000 people worldwide, according to Forbes, and presumably the turnover and number of applications for open positions is similar to other food-service jobs. But while that means that a large number of people could potentially be affected by the breach, the company has so far left it unclear how many people were actually caught up in the incident.

Five Guys also hasn't announced what, if any, shoring up of security it plans to do in the wake of the incident, only noting that it engaged law enforcement and a cybersecurity firm, and that it would provide credit monitoring. Brad Hong, customer success manager at Horizon3ai, notes that improvements to defense should be an important part of the incident response.

"An unfortunate precedent has been set \[by the infamous Equifax breach\] to simply provide credit monitoring, shifting the onus of action back to the consumer instead of the organization announcing the technological steps taken to prevent breaches in the future," he says.

**A Whole Menu of Follow-on Attacks**

Researchers note that the unfolding situation could prove difficult for both the individual victims and the burger purveyor itself. This isn't Five Guys' first time being flamed on the cybercrime grill, as BullWall executive vice president Steve Hahn notes — and a prior incident illustrates just what could be at stake for both.

"In a past breach of Five Guys, the threat actor used the stolen data to make fraudulent charges on bank debit and credit cards, and one such bank, Trustco, was hit with $100,000 in fraudulent charges from customers of theirs that have been part of this data breach," he tells Dark Reading. "If the bad guys got that much out of Trustco, imagine how much they've bilked from Chase or Bank of America.”

As for the impact to the company, Trustco went on to file a lawsuit against Five Guys in New York for damages related to issuing new cards and reimbursing victims for fraudulent charges.

In this more recent case, John Bambenek, principal threat hunter at Netenrich, notes that there are any number of follow-on attacks that threat actors could mount using the data, even if it doesn't include payment-card information.

"The most immediate use of this data is to realize there are a handful of people on the lower end of the economic scale who are looking for jobs," he says. "I imagine there will be scams and mule recruitment lures sent to those people in the near future."

Hahn meanwhile mentions that the craftier cybercriminal types will often also try to take advantage of the fear and reaction in the market when such an incident is publicized, in the form of ultra-believable phishing efforts.

"Victims may get an email: 'We apologize but as you may have heard your data was part of our data breach,'" he explains. "'Please click here to reset your password.' These emails can look identical to emails from Five Guys and they can even spoof the Five Guys domain. Once the user puts in their credentials, they threat actor now has access to all the other sites they use that password on, like PayPal, Amazon, or Venmo."

Jim Morris, chief security adviser at Tanium, also tells Dark Reading that the potential for a cybercrime ripple effect could also include extortion, affecting applicants and organizations alike.

"Any victimized organization could receive double extortion threats — i.e., ask for money to not leak or sell the data," he says. "Individuals whose information is contained in the breach could be victims of triple extortion, whereby the attackers demand money from them to in turn not sell or use their data."

**A Smash (& Grab) Burger of Data Theft**

Since the data breach notice indicates that the bad guys accessed a single file server, with no lateral movement, this is likely a case of financially motivated attackers looking for low-hanging fruit, researchers say — and finding it.

Restaurants and food-service outlets have a unique set of financial challenges (like razor-thin margins) that can often lead to them deprioritizing security, even as they collect reams of data via online ordering, reservations systems, HR systems, and more, on an order of magnitude that far outstrips other sectors, says Andrew Barratt, vice president at Coalfire.

"The challenge is real — we have adaptive threat actors who will chase down any point of access versus defenders with limited budgets and a whole raft of macro-economic stresses to focus in on too," he says. "Really, we need to keep visibility of these kind of compromises high so that executives don't discount them as 'won’t happen to me.'"

Others are less charitable. Horizon3ai's Hong adds, "Unless the attack vector in this incident was a novel one, all signs point to this incident being another example of a company that chose returns over security. With Five Guys pulling in close to $2 billion in revenue, I’d be interested to see what their cybersecurity spend was."

Meanwhile, Web-facing systems could exacerbate the risk, Casey Ellis, founder and CTO at Bugcrowd, says.

"This sounds a lot like a recruiting system where candidates upload their resumes," he tells Dark Reading. "Having these sorts of systems available to the Internet makes sense when you consider the recruiting and job application process, but if something is more available to a public user, it's also more available to a potential attacker."

He adds, "Common Web coding flaws like Indirect Object References (IDOR), authentication flaws, and even injection flaws can enable this type of attacker outcome without the need for lateral movement."

Indeed, Tanium's Morris notes that the most common break-in approaches by threat actors looking for easy pickings tend to be the exploitation of known vulnerabilities, and phishing and stolen credentials. As such, there are simple steps that could make bottom-feeding data thieves simply move on to an easier target.

"Organizations can combat these attacks by having robust life-cycle management of all computer hardware and software. This requires identifying critical assets and data and protecting them accordingly," he says. "Asset life-cycle management must also include sustainable and efficient vulnerability and patching programs. Additionally, strong authentication and authorization processes that includes multifactor authentication need to be employed."

Five Guys Data Breach Puts HR Data Under a Heat Lamp

Developers should go beyond the basics to make it harder to exploit the API.

**Question: How can organizations make sure their APIs are resistant to compromise, in the face of increased API-based attacks?**

**Rory Blundell, founder and CEO of Gravitee:** Businesses of all sizes and across all industries routinely rely on internal APIs to unite their line-of-business apps, and on external APIs to share data or services with vendors, customers, or partners. Because a single API may have access to multiple applications or services, compromising the API is an easy way to compromise a broad set of business assets with minimal effort.

APIs have become a popular attack vector, and the frequency of API attacks has increased by an astounding 681%, according to recent research from Salt Labs. The first step in securing your APIs is to follow best practices, such as those that OWASP recommends to protect against common API security risks.

However, basic API security practices are not enough to keep IT resources safe. Businesses should take the following additional steps to protect their APIs.

**1\. Adopt Risk-Based Authentication**

Businesses should adopt risk-based authentication policies, which allow enforce security protections in instances of heightened risk. For example, an API client with a long record of issuing legitimate requests that follow a predictable pattern might not need to go through the same level of authentication for each request as a new client who has never connected before. But if the longtime API client's access pattern changes — if, for instance, the client suddenly begins issuing requests from a different IP address — requiring more rigorous authentication would be a smart way to ensure that the requests don't come from a compromised client.

**2\. Add Biometric Authentication**

Although tokens remain important as a basic means of authenticating clients and requests, they can be stolen. For that reason, coupling token-based authentication with biometric authentication is a smart way to enhance API security. Rather than assuming that anyone who possesses an API token is a valid user, developers should design applications so that users also have to authenticate using fingerprints, face scans, or a similar method, at least in higher-risk contexts.

**3\. Enforce Authentication Externally**

The more complex your API authentication schemes become, the harder it is to enforce security requirements within your application itself. For that reason, developers should strive to decouple API security rules from application logic and instead use external tools, like API gateways, to enforce security requirements. This approach makes API security policies more scalable and flexible because they can be easily implemented and updated within API gateways, rather through application source code. And most importantly, it lets you apply different rules to different users or requests based on varying risk profiles.

**4\. Balance API Security With Usability**

It's important not to let security become the enemy of usability. If you make API authentication measures too intrusive or burdensome, your users might abandon your APIs, which is the opposite of what you want to happen. Avoid this by ensuring that API security rules are strict when there is a reason for them to be, but without imposing unnecessary requirements.

Attacks targeting APIs show no sign of slowing down. When designing and securing APIs, developers should go beyond OWASP recommendations to make it harder to exploit the API.

What Are Some Ways to Make APIs More Secure?

Even very short tasks may be worth automating if you do them frequently. Here's how to decide what to tackle first.

Picture it: the company boardroom, two weeks ago: Due to "an uncertain economic outlook," the expanded security budget and new hires you asked for in 2023 have been denied. As the company "tightens its belt," you may even lose existing budget and some headcount.

You had plans to use those resources to help you shore up security weaknesses and react more adroitly to changes and new environments that seem to appear like clockwork with every two-week development sprint.

So what's a CISO to do? Telling your engineers to work harder won't really cut it. You need a way to complete work more efficiently and do more with less. You need automation. Everyone's first reaction is that automation doesn't work everywhere — and that's correct — but there are plenty of cases where it works.

**Identifying What to Automate**

Reach for automation when you have tasks that are repetitive — tasks that happen often enough that the time savings of automation can justify the upfront cost of development and maintenance of the solution. Points to consider:

*   **Frequency:** How often does the task occur? Even a short, 30-second task can be a valuable target for automation if you are doing it 100 times per week.
*   **Standardization:** Is the task standardized? Repetitive tasks that have well-documented playbooks or your staff can do in their sleep are great candidates for automation, while tasks that require substantial human consideration are not.
*   **Sub-tasks:** Can a portion of a task be broken off and automated? End-to-end automation isn't always possible, but partial automation can be valuable. 
*   **Opportunity cost:** Does this task have external costs that should be considered? A five-minute task that interrupts an engineer's workflow and delays the work by 20 minutes is actually a 25-minute task. If this engineer's time is better served building vs. completing interruption-driven tasks, the task is a prime candidate for automation. Be sure to include these factors when you weigh the opportunity cost of automating a task.

If a task isn't a good candidate for automation but still takes up a bunch of time, can you identify a different, but related, process to automate and reduce the number of times a task must be performed? For example, you might not be able to update vulnerable dependencies automatically in production, but flagging them during development may mean you have far fewer that make it that far.

**Example: Automating PCI Scans & Reporting**

Let's consider automation in the context of vulnerability scanning, the bane of many security teams' existence. At one employer, I needed to run weekly PCI scans of all of our infrastructure. Each week, before I could run that scan, I needed to update the asset inventory by manually compiling lists of IPs and hostnames from our cloud infrastructure providers, and then update the target list in the scanner's Web interface. We only did this once a week, but it took about 30 minutes each time.

Both the cloud infrastructure providers and the scanner had an API, so it was relatively simple to build automation that could authenticate to both systems and compile the relevant information. This was an automation win.

Once the vuln scanner reports were produced, we needed to review and act on the findings — another weekly task that took several hours. Because the reports were provided in XML, it was simple enough to have them machine-parsed, deduplicated, and summarized via email with new issues logged as tickets. _This_ was an even bigger automation win.

**Where to Start**

As with everything in information security, getting started with security automation boils down to prioritization. You can't possibly tackle everything at once, so identify the list of possibilities; rank them based on how much they matter, both in terms of risk and potential effort savings; and start working your way down the list.

If you're totally new to automation, start with smaller, easier wins and advance from there.

Take, for example, a security operations scenario you encounter more frequently than you'd like: open S3 buckets. Open S3 buckets seem to happen all the time, despite AWS' best efforts to warn against them. This can be a good candidate for automation because it is a standard process that happens with high frequency. Here is one way to accomplish this with the AWS command-line interface.

The AWS CLI command _aws s3api list-buckets_ lists all of the available S3 buckets. From that list, take each bucket name and use the command _aws s3api get-bucket-policy --bucket YOUR\_BUCKET\_HERE_ to get the bucket's permissions.

This will output the identity and access management (IAM) policy that is applied to the bucket. Parse the IAM policy, looking for policies that allow AllUsers (everyone on the Internet), AuthenticatedUsers (everyone with an AWS account, even people not in your organization), or buckets that simply allow the \* principal. This way we generate a list of all open buckets.

You can use that same _aws s3api get-bucket-policy_ command with the _\--policy_ parameter to upload a new policy file that doesn't have those permissions so that you can close these gaps. Once you become familiar enough with performing these tasks on the command line, you can start to script the repeatable steps into a Python or shell script. Eventually you can automatically kick off and run the entire process while you sleep or do other work.

**Automating Can Present Challenges**

If you are worried that your automation won't be ready for the prime-time demands of your production environment, start by automating away tasks in development and staging environments or even sales engineering and data science environments.

Finally, if you want to automate in production but have concerns about business impacts, focus on automating in response to recent changes pulled from a CI/CD system or something like AWS' EventBridge. Finding that you need an exception for a newly deployed system in the first minute of its life cycle (when it is being closely monitored by the teams that just deployed it) is much more palatable than finding it out because it broke a week ago after working for nine months and now customers are complaining.

There are costs associated with building and maintaining this automation. These costs vary depending on the tooling available to you and your team's skill sets. Some teams prefer to custom-script everything in Python/Ruby/Perl/Bash and orchestrate it through cron jobs and modules in your CI/CD pipeline. Other teams may prefer to shift some of the maintenance costs onto a remediation vendor — limiting their direct involvement to configuring tools that interface with a security information and event management (SIEM) or security orchestration, automation and response (SOAR) platform and using that to kick off low-code/no-code remediation workflows built into another tool.

The choice to use an external vendor can be a good way to lower the ongoing maintenance costs of your solution. This is especially true for interactions with APIs and services whose changes might break your tooling.

**The Cumulative Effect of Automation**

Each individual task might not seem to amount to much. However, over a whole team's worth of tasks for an entire organization, the savings start to add up and the cost starts to scale much more favorably.

Automation will never replace a security team — some tasks require human interaction and human decision-making. However, as businesses continue to grow and security budgets grow tighter, it can help to empower those humans to do more and be more effective and more productive.

Effective and Efficient Automation for Security Teams

**ATLANTA****,** **Jan. 4, 2023** **/PRNewswire/ --** CORL Technologies, the leading provider of risk management solutions for healthcare, today introduced Third-Party Incident Response (TPIR). This managed incident response solution allows healthcare providers to address third-party security incidents proactively. CORL's TPIR service tames the chaos of incident response by enabling healthcare companies to share information and provide total clarity about how each party will respond to industry-wide vulnerabilities and episodic data breaches.

According to SC Magazine, nine out of the ten most significant healthcare data breaches were caused by third-party vendors. The Verizon annual Data Breach Investigations Report indicates ransomware saw a 13% increase in 2022, making up almost 70% of malware breaches. Ransomware incidents can cause computer systems to be down for weeks, creating a ripple effect that can impact hundreds of providers and patients.

CORL's TPIR eliminates the chaos of third-party incident response for faster resolution. TPIR clarifies every stage in an incident lifecycle, including proactive preparedness profiles and scoring, impact mapping, managing outreach and response, automating communications, and identifying key metrics using standardized data. CORL offers healthcare companies numerous benefits, including:

*   **Improved preparedness** – Create a strong data foundation with readiness profiles, managed key contact rolodexes, and scores by vendor, vendor tier, and in aggregate.
*   **Extended visibility** – Understand incident implications using impact mapping, live response tracking, reports, and other tools.
*   **Reduced internal burden** – CORL serves as an expert partner providing scalable outreach, response management, and reporting.
*   **Well-defined course of action** – TPIR provides a clear communication plan for each vendor with correct contacts and escalations.

"We developed Third-Party Incident Response to prepare healthcare providers and vendors before an incident occurs," said Cliff Baker, Chief Executive Officer of CORL Technologies. "Vendor data breaches happen every day, and very few know who to contact or how to escalate when they don't get what they need. With TPIR we eliminate the chaos, provide clarity around points of contact, escalation, incident impact, remediation, etc., and do all the outreach, so there is no impact on the internal team."

TPIR provides preparedness at scale, starting with an accurate data foundation. CORL prepares a Third-Party Incident Preparedness (TPIP) profile and score for each vendor to identify gaps and improve preparedness across all vendors. CORL's managed Third-Party Incident Impact (TPI3) workflow provides rapid insight into how an incident impacts the business. The result is a coordinated plan of action that outlines responsibilities and eliminates duplicate efforts.

"CORL is committed to going beyond risk management tools that stop short of solving the problem," continued Baker. "Our managed assessment methodology, the way we utilize data, and decision-support tools address the healthcare industry's real-world security and privacy challenges. We are committed to integrating the best of technology and human intelligence to make third-party risk management a business enabler."

**About CORL Technologies**

CORL is a leading provider of vendor risk management solutions for the healthcare industry. CORL gets results by scaling organizational and vendor risk programs through our healthcare vendor risk clearinghouse solution, dashboard reporting that business owners can understand, and proven workflows that drive measurable risk reduction. CORL accelerates the speed of vendor risk assessments and holds vendors accountable for remediating risk exposures. Together with sister company Meditology healthcare's preeminent cybersecurity consulting firm and certification body, the company has offices in Atlanta, Philadelphia, Denver, San Diego, and St. Louis. 

For more information, visit http://corltech.com.

CORL Technologies Introduces Proactive Third-Party Incident Response Solution for Healthcare

Attackers have compromised a Colombian financial institution and are using a bevy of leaked customer details in further malicious activity to spread an info-gathering remote access Trojan (RAT).

Threat actors are using data stolen from a Colombian bank as a lure in what appears to be a malicious campaign aimed at spreading the BitRAT malware, researchers have found. The activity demonstrates the evolution of how attackers are using commercial, off-the-shelf malware in advanced threat scenarios, they said.

Researchers at IT security and compliance firm Qualys were investigating "multiple lures" for BitRAT when they identified that the infrastructure of a Colombian cooperative bank had been hijacked. Attackers were using sensitive data gleaned from that compromise to try to capture victims, they reported in a blog post published Jan. 3.

"While digging deeper into the infrastructure, we identified logs that point to the usage of the tool sqlmap to find potential SQLi faults, along with actual database dumps," Akshat Pradhan, senior engineer of threat research at Qualys, wrote in the post.

Overall, threat actors leaked 4,18,777 rows of sensitive data from the bank's customers, including details such as Colombian national ID numbers — called "Cedula" numbers — as well as email addresses, phone numbers, customer names, payment records, salary, home addresses, and other data, researchers said.

So far, researchers have not seen the data dumped on any hacker forums or Dark Web sites, and are following standard breach-disclosure guidelines as they further investigate, they said.

**A Commercial RAT With a Long Tail****

Threat actors began marketing BitRAT on underground cybercriminal markets starting in February 2021. The RAT is notorious for its social media presence and its relatively low price of $20, which makes it popular among cybercriminals, researchers said.

Key capabilities of BitRAT include: data exfiltration, execution of payloads with bypasses, distributed denial of service (DDoS), keylogging, webcam and microphone recording, credential theft, Monero mining, and running tasks for process, file, and software, among others.

BitRAT is an example of how the use of commercial RATs has evolved not only with new capabilities for propagation, but also by harnessing the use of legitimate infrastructures to host malicious payloads, Pradhan said. This is something that enterprises now need to account for in their respective security defense postures, he noted.

To that end, researchers advised that all organizations employ endpoint detection and response (EDR) solutions to detect malware such as BitRAT as it inserts itself into a network endpoint, they said. Functions like asset management, vulnerability detection, policy compliance, patch management, and file-integrity monitoring capabilities across a system are key for combating malware like this, they added.

Enterprises should also implement external attack surface management solutions, which allow for continuous monitoring and reduction of the entire enterprise attack surface — including internal and Internet-facing assets and discover previously unidentified exposures — to counter evolving threats, researchers said.

****Anatomy of the BitRAT****

Researchers found and analyzed a cache of Excel sheets — all authored by "Administrator" — being used as lures for a BitRAT campaign, with data from the tables being reused in Excel maldocs as well being included in the database dump, they said.

"The Excel contains a highly obfuscated macro that will drop an .inf payload and execute it," Pradhan wrote in the post. "The .inf payload is segmented into hundreds of arrays in the macro."

A de-obfuscation routine performs arithmetic operations on the arrays to rebuild the payload once it's ready for execution, with the macro then writing the payload to "temp" and executing it via a file called advpack.dll, he said.

The macro itself also includes a hex-encoded, second-stage .dll payload that is decoded via certutil, written to "%temp%\\," and executed by the command "rundll32," researchers found. After this process is executed, the temp files are then deleted, they said.

It's this .dll file that uses various anti-debugging techniques to download and execute the final BitRAT payload. The file also uses the WinHTTP library to download BitRAT-embedded payloads from a GitHub repository created in mid-November by a "throwaway" account to the "%temp%" directory, Pradhan wrote.

In the final stage of BitRAT execution, the .dll uses WinExec to start the "%temp%" payload and exits. To maintain persistence on a user's machine, the BitRAT sample starts and then relocates the loader to the user's startup, the researchers said.

**

BitRat Malware Gnaws at Victims With Bank Heist Data

Improve overall IT administration and establish a framework to identify misconfigurations and automate the process of checking IaC before it makes it into the production environment.

Infrastructure as code (IaC) has gained rapid popularity for its ability to automate the management and provisioning of IT infrastructure by replacing manual processes with machine-readable configuration (definitions) files that contain specifications that are simple to edit, maintain, and distribute.

This approach is especially appealing and efficient when standing up and modifying infrastructure-as-a-service (IaaS) instances in cloud application environments.

But, like any technology, these gains aren't without some pain. One of the most formidable tasks is dealing with IaC management and security. While it's now incredibly fast and convenient to propagate changes across multiple production environments, errors and vulnerabilities can also spread like wildfire. This includes misconfigurations and incorrect default settings, all of which can potentially expose sensitive data, intellectual property (IP), and trade secrets.

As a result, it's wise to establish a framework — including the right strategy and technology tools — that can identify misconfigurations, fix incorrect values, and automate the sometimes-daunting process of checking IaC.

**Cracking the Code on IaC**

One of the things that makes infrastructure-as-code so appealing is the ability to automate infrastructure deployment processes as part of the development life cycle. This practice is usually referred to as creating a CI/CD pipeline — continuous development and continuous deployment. Manually provisioning, configuring, and managing systems is a time-consuming and error-prone task. IaC is an essential component for automating these processes. With the click of a button, it's possible to set up, delete, or make widespread changes to an existing environment across multiple cloud platforms using APIs

It's also possible to gain visibility into all these changes. So, if it is necessary to roll back a system to a particular date or configuration, the task is reasonably easy to manage. Because IaC typically has built-in support for things like declarative and imperative language, filters, and rules and settings, it's possible to create a standard deployable configuration file that tells a cloud provider exactly what resource to provision.

Eliminating manual processes doesn't prevent problems. IaC environments remain vulnerable to configuration errors. In many cases, IaC definition files mitigate the risk of introducing security misconfigurations due to human errors such as applying the wrong user access policy or important security settings. However, when human-made mistakes happen, they will affect all resources that are using the same definition files and may impact thousands of resources.

In fact, it's remarkably easy to miss configuration issues in IaC, especially when a large and complex cloud infrastructure is provisioned. And once the problem exists in the production environment it's usually a lot more difficult and time-consuming to fix. As a result, organizations should implement a shift-left approach to IaC security that's designed to fix issues directly when code is written or modified.

**Finding the Fix**

Addressing the problem involves scanning new IaC files for errors and fixing them before they are released to production, as well as discovering misconfigurations already deployed in cloud environments and modifying the IaC files. This requires following a clearly defined three-step process:

*   **Identify the misconfigurations.** This "hygiene" starts with state and resource aware scanning of configuration files to identify errors or policy violations that need to be fixed. These processes should scan the cloud runtime environment and take into account the plan and state outcomes. Once problems have been identified, it's critical to fix code for all files that touch the cloud environment. In some cases, thousands of configuration files might exist.
*   **Create a staging environment for testing.** One of the big advantages of IaC is that you can quickly create many instances of your entire infrastructure, it's simple to create a staging environment and a production environment. Once the review process is complete in the staging environment, transferring it to a live setting is a process that takes place at the push of a button.
*   **Inspect an IaC environment before provisioning to production so that it aligns with security policies.** The inspection process should include a review that ensures that a policy is correctly translated into a control, and the control is correctly embedded in the configuration file. For example, an organization might check to see that any sensitive data isn't stored in clear text or secrets are not exposed. It's critical to conduct a thorough review so that a new setting or configuration doesn't introduce a new issue.
*   **Add the correct values.** The next step is to fix the actual problem. This may be something as straightforward as encrypting a database that was previously unencrypted or something as complicated as changing a specific setting in all the virtual machines or storage devices in a particular region or country. Once this analysis is complete, it's possible to update configuration files or create new ones.
*   **Deploy the new or updated code.** After you have made the necessary changes, it's time to push out the new or updated configuration files. While IaC makes this task much easier, it's important to ensure that the update is going to the right place and that it will be deployed as intended, as part of a managed CI/CD process.

While IaC provides huge advances for deploying and managing today's highly complex cloud and IT environments, it does not address security issues and configuration errors that will inevitably occur. However, with the right processes, procedures, and tools it's possible to automate the detection and remediation of security risk in even the largest IaC deployments.

Source

DARKReading