The extension allows cloud security teams to protect their organization's infrastructure at the source and collaborate with developers.

**PARIS, Oct. 18, 2022** — GitGuardian, the enterprise-ready automated secrets detection and remediation platform, is expanding its capabilities to new security verticals. GitGuardian is now building a comprehensive platform to help development and security teams write, maintain, and run secure code anywhere.  

The everything-as-code movement GitGuardian is securing has taken multiple domains by storm and elevated code to the ranks of the most valuable asset an organization can own. Often overlooked in the inventories of organizations, security teams have just awakened to the need to secure, protect, and continuously monitor the software development lifecycle (SDLC) for risks like tampering, code leakage, hardcoded credentials, and more.  

GitGuardian's product suite already provides such capabilities, but the company is now looking to consolidate everything into one single platform:

*   Secrets detection and remediation; GitGuardian helps security and development teams reduce the risks of secrets exposure in the software development lifecycle.
*   Public GitHub monitoring; GitGuardian helps organizations secure their extended attack surface by monitoring GitHub for leaked secrets and sensitive data.
*   Source code leakage detection; GitGuardian continuously scans public GitHub to look for proprietary code leaked from private repositories.
*   SDLC intrusion detection; GitGuardian enables security teams to deploy canary tokens at scale in their DevOps environments and lure attackers into revealing themselves.  
    

This movement has also blurred the boundaries between Application Security and Cloud Security. With Infrastructure-as-Code (IaC), both the application and cloud infrastructure layers have collapsed onto one another in git-based Version Control Systems.  

While software-defined infrastructure has unlocked automated cloud resource deployment with more speed and consistency for engineering teams, it is still fraught with risks. Gartner expects that through 2023, at least 99% of cloud security failures will be the user's fault, mainly misconfigurations. Such errors propagate from code to cloud-native environments, exposing critical workloads and resources on the way.  

To help Cloud Security teams protect their organization's infrastructure at the source, GitGuardian is adding Infrastructure-as-Code scanning for security misconfigurations to its platform. And in the spirit of Shift Left security, the company is enabling this through its popular open-source command-line interface (CLI) for developers, ggshield.  

“With this initial release, developers and Site Reliability Engineers will be able to find and fix over 60 types of security misconfigurations in Terraform files — while they develop.” says Eric Fourrier, GitGuardian co-founder and CTO.  

GitGuardian’s initial focus in Infrastructure-as-Code security is Terraform and AWS. Still, it plans to enrich its Infrastructure-as-Code policies directory, support additional cloud services providers like Azure and Google Cloud Platform, and integrate scanning natively in developer workflows on GitHub, GitLab, or Bitbucket.  

In its ongoing efforts to build a code security platform for the DevOps generation, GitGuardian is also actively exploring opportunities in areas such as Static Application Security Testing (SAST) and Software Composition Analysis (SCA).

**About GitGuardian**

GitGuardian, founded in 2017 by Jérémy Thomas and Eric Fourrier, has rapidly emerged as the leader in automated secrets detection and is now focused on providing a comprehensive code security platform. The company has raised a $56M total investment from Eurazeo, Sapphire, Balderton, and notable tech entrepreneurs such as Scott Chacon, co-founder of GitHub, and Solomon Hykes, co-founder of Docker.  

GitGuardian Internal Monitoring helps organizations detect and fix vulnerabilities in source code at every step of the software development lifecycle. With GitGuardian’s policy engine, security teams can monitor and enforce rules across their VCS, DevOps tools, and infrastructure-as-code configurations.  

Widely adopted by developer communities, GitGuardian is used by over 200,000 developers and is the #1 app in the security category on the GitHub Marketplace. GitGuardian is also trusted by leading companies, including Instacart, Genesys, Orange, Iress, Beyond Identity, NOW: Pensions, and Stedi.  

GitGuardian Internal Monitoring is an automated secrets detection and remediation platform. By reducing the risks of secrets exposure across the SDLC, GitGuardian helps software-driven organizations strengthen their security posture and comply with frameworks and standards.

Its detection engine is trained against over a billion public GitHub commits yearly. It covers 350+ types of secrets, such as API keys, database connection strings, private keys, certificates, and more.  

GitGuardian brings security and development teams together with automated remediation playbooks and collaboration features to resolve incidents quickly and thoroughly. Organizations can achieve higher incident closing rates and shorter fix times by pulling developers closer to the remediation process. Please visit the official website to learn more about GitGuardian Internal Monitoring, the enterprise-ready automated secrets detection, and remediation platform.

GitGuardian Extends Code Security Platform, Adding Infrastructure-as-Code Scanning for Security Misconfigurations

Organizations without the time or talent to patch may find patching-as-a-service to be a way to improve security.

Patching is a critical method to isolate risks and to ensure workflows are not interrupted due to allowing software to fall out of supportable versions.

The security risk resulting from unpatched vulnerabilities is substantial — Verizon's 2022 Data Breach Investigations report found around 70% of successful cyberattacks exploited known vulnerabilities with available patches.

Too often, however, IT teams must choose which urgent items get their attention, which creates a scenario where the urgent tasks get in the way of important tasks. By outsourcing patch management, also known as patching-as-a-service, organizations can shift the burden of ensuring that the patch process completes consistently to a third party.

**Control, Transparency Must Be Maintained**

Outsourcing patching can save an organization time and money. It can also lead to improved security. The outsource model provides security leaders with a verifiable service level agreement (SLA) to guarantee that the investment protects the organization.

"There are some challenges that come with outsourcing patching," cautions Darryl MacLeod, vCISO at Lares Consulting, an information security firm. "For example, an organization may lose some control over patch management, and the patch management process may not be as transparent as it would be if patch management was done in-house."

He adds that patching-as-a-service is probably most effective for small and midsized organizations that do not have the resources to patch in-house, but it can also be beneficial for organizations with complex patch management needs.

Data management and analytics company Aunalytics recently added a co-managed patching-as-a-service platform to its security solution suite. The company's vice president, Steven Burdick, points out the security challenges for every organization are evolving every day.

"Bad actors are knocking on any door they can find hopeful that you have not patched a workstation or key third-party application such as Acrobat Reader," he says. "Yet, despite your efforts to secure your environment by battening down the hatches, new, not yet discovered exploits continue to show up."

He argues that outsourcing security patching and antivirus/malware protection platforms allow organizations to invest the time of their team members in the areas where the business can get the best value.

"Assigning an FTE or part of an FTE to someone to manage patching and security platforms requires additional investments in time, travel, and training that do little more than prepare your IT staff for their next role in another company," he says.

**Paying a Third Party to Take Responsibility**

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, explains that outsourcing patching to a patching-as-a-service vendor is a subset of outsourcing IT operations, in that an organization is shifting responsibility to a third party.

"There are a lot of reasons organizations outsource these tasks, though cost savings and not having to manage an internal IT department are two common reasons," he says.

Like MacLeod, he points out there are also challenges. For one, the organization has to rely on the efficiency and integrity of the vendor to take on mission-critical issues without the oversight that comes with in-house assets.

Parkin says a successful program will require accurate and robust asset management tools, so the vendor knows what's live in the client's environment.

"They'll need an included, or compatible, patch management function," he adds. "Ideally, they will have inputs from vulnerability scanners and a risk management platform to help them prioritize the most important patches."

**Patching Services Rely on Automation**

MacLeod predicts that as patch management becomes more complex, patching-as-a-service providers will likely offer more comprehensive solutions that include patch management software, patch repositories, patch deployment tools, and other services.

Patch management software automates the patching process; a patch repository stores and manages patches; and patch deployment tools are used to deploy patches to systems.

"Service providers will likely continue to expand their customer base by offering patching services to more types of organizations," he adds.

He points out that the patching-as-a-service market has been growing in recent years as more organizations outsource patch management.

"This growth is expected to continue as patching becomes an increasingly complex and time-consuming task," MacLeod says.

**Outsourcing Makes up for Scarce Human Resources**

Burdick says Aunalytics is seeing a lot of interest in the healthcare industry, professional services firms, and government, where IT talent is hard to attract and retain.

He adds that manufacturers are often early adopters of this type of solution because they recognize that they must constantly evolve to compete.

Paying for these services in an "as-a-service" model precludes organizations from having to pay for the training and travel costs of IT security team members, Burdick says, as well as the cost to replace and retrain staff when the company's internal resource leave.

"Businesses today do not struggle buying technology; it's the people to use the technology and to keep it running efficiently who are very hard to source in this economy," Burdick says.

Patching-as-a-Service Offers Benefits, Challenges

Identity verification and identity authentication are neither synonymous nor interchangeable, and implementing both is essential to fighting fraud.

**Question: What is the difference between identity verification and authentication?**

**Shai Cohen, senior vice president of global fraud solutions, TransUnion:** As more services shift to a virtual format, consumers and organizations are threatened by more efficient and evolved forms of fraud. To confirm that a customer is who they say they are requires both identity verification and identity authentication.

These two terms are not synonymous or interchangeable, and the organizations that don't know the difference make themselves vulnerable to increased fraud losses. Treating a verified identity ("this identity exists") as authenticated or proofed ("this user is who they claim to be") makes an organization vulnerable to account takeover fraud and synthetic identities.

**Securing Account Creation and Use**

The combination of a name, address, phone number, and email on an online form can provide enough information for a company to verify a consumer's identity and establish a layer of trust when an account is first created. This information can be checked against multiple data sources, such as utilities or telephone carriers, to ensure the name matches the other qualifying data.

It's critical to note, however, that verifying that the identity exists does not prove it belongs to the person entering that information. Criminals can use illicitly obtained identifying information to apply for new accounts or benefits in victims' names. Some create synthetic identities where credentials have been fabricated and are not associated with a real person but can fool verification processes.

This type of identity theft has prompted a shift toward proofing or authentication practices. These approaches require significantly more rigor than simply verifying that an identity exists. Organizations work to confirm that the identifiers supplied to create a new account belong to the person entering the information — i.e., that the applicant is who they say they are. Some identity-proofing systems may request a selfie and government photo ID for a facial recognition match from new customers.

Authentication, on the other hand, is an ongoing identity-proofing process that both checks the identity of digital users and ensures the integrity of the devices they use. Two-factor authentication and one-time passcodes are both commonly used authentication methods that help grant account access to the right person in real time.

Note that security measures have to balance consumer needs. A 2021 study from the CMO Council reported that authentication frustration caused 61% of consumers to abandon a transaction, and TransUnion's 2022 "Global Digital Fraud Trends Report" showed that approximately two-thirds of consumers would switch companies for a better digital experience. Organizations should incorporate both identity verification and authentication processes so that they can ensure safe interactions and create a trusted virtual channel that keeps consumers coming back.

What Is the Difference Between Identity Verification and Authentication?

Younger workers surveyed are less likely to follow established business cybersecurity protocols than their Gen X and baby boomer counterparts, a new survey finds.

A new survey shows Generation Z and millennials, younger workers who have grown up as digital natives, are surprisingly more careless about their employer's cybersecurity than their senior Gen X and baby boomer colleagues. 

According to Ernst & Young LLP's 2022 Human Risk in Cybersecurity survey, although 83% of workers in the US report they understand their company's cybersecurity policies, younger Gen Z and millennial workers are less likely to comply with them. 

For instance, 48% of Gen Z and 39% of millennial employees confessed to being more cautious with their own devices compared to their work-issued devices; they also admitted to widely disregarding IT updates; reusing passwords for personal and professional accounts; and accepting browser cookies in far greater numbers than Gen X or baby boomer workers. 

"This research should be a wake-up call for security leaders, CEOs and boards because the vast majority of cyber incidents trace back to a single individual," Tapan Shah, EY Americas' consulting cybersecurity leader, said in a statement. "There is an immediate need for organizations to restructure their security strategy with human behavior at the core. Human risk must be at the top of the security agenda, with a focus on understanding employee behaviors and then building proactive cybersecurity systems and a culture that educates, engages, and rewards everyone in the enterprise."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Gen Z, Millennial Workers Are Bigger Cybersecurity Risks Than Older Employees

Head of German national cybersecurity agency was fired over ties to a member of Russian intelligence once honored by Vladimir Putin.

The chief of Germany's national cybersecurity agency, Arne Schönbohm, has lost his job as a result of allegations about his ties to a cybersecurity firm called Protelion (formerly Infotecs), which was founded by a reported member of Russian intelligence.

Interior Minister Nancy Faeser formally dismissed Schönbohm on Tuesday, according to Deutsche Welle (DW).

"The background to this is not least the allegations, which are well known and widely discussed in the media, and which have permanently damaged the necessary public confidence in the neutrality and impartiality of the conduct of his office as president of Germany's most important cybersecurity authority," the spokesperson told DW.

Schönbohm has held the post since February 2016 but faced mounting scrutiny following the Russian invasion of Ukraine, the report explained. A public-private advisory group Schönbohm founded 10 years ago called the Cyber Security Council of Germany included Protelion, which was run by someone whose ties to the Kremlin were so close they were reportedly honored by Vladimir Putin. Protelion has since been removed from the Council.

Although the Council declares itself politically neutral, according to DW, Minister Faeser began to question Schönbohm's affiliation with the group after he attended the organization's anniversary party last month.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

German Cybersecurity Boss Sacked Over Kremlin Connection

Manage the company's often-overlooked security certificates as the valuable assets they are, essential for security hygiene and to prevent issues.

Any activity conducted on the Internet must ultimately rely upon security certificates. These Secure Sockets Layer (SSL) certificates are what businesses and organizations trust and rely on when it comes to ensuring that any sort of transaction is kept secure and encrypted. Digital certificates and SSL are everywhere.

Due to their ubiquity, certificates are increasingly targeted by bad actors, who have become more creative in looking for a route into networks or to access applications. Just this year, code-signing certificates stolen from multinational technology company Nvidia were used to certify malware as genuine software tools, allowing bad actors to bypass security controls and attempt attacks.

**Why You Should Pay Attention to Certificates**

Alongside increasing attacks, there's also the matter of operational management. An expired certificate can lead to your website and services failing, interrupting staff, and stopping customers from making purchases. In May 2022, Spotify's service was down due to a lapsed certificate owned by a company it acquired, ultimately stopping millions of users from listening for several hours. In another example, Let's Encrypt saw one of its root certificates expire in September 2021, which led to downtime for a range of Internet services and websites, including Shopify and Netlify, which support thousands of companies doing business online.

Tracking SSL certificates is seen as a nuisance or low priority for IT teams, but any missed or overlooked certificate can lead to potential headaches around service availability. While it's easy to take these certificates for granted, they should be treated as valuable assets.

Looking at over 3 million certificates in our service inventory, we found that more than 7% of the certificates deployed have already expired and nearly 21% would expire in the next 90 days. Similarly, approximately 9% of websites have inadequate security based on the grade of the current certificate, according to their SSL Labs ratings. For these expired certificates, 48% were still using TLS1.2, 43% were using TLS1.1, and those using RC4 accounted for 12%.

If your organization provides a service online, then it is only as available as your SSL certificate. If you provide technology that is embedded in other companies' products — such as a cloud platform — then it can affect all the clients that rely on you, scaling up the problem. Keeping certificates current and secure should be a priority.

**Why Do Issues Around Certificates Exist?**

There are four main reasons why a security certificate might have inadequate security.

*   The first is the use of self-signed certificates, when someone chooses to use their own security certificate as a token to prove that their service is valid and can be trusted. This is the equivalent of marking your own homework at school — while you might trust yourself, this may not be enough for others that will rely on that certificate over time. There's also no external proof that your self-signed certificate was generated by you, rather than someone else.

*   Next is the problem that comes with using certificates created by an untrusted certificate authority. Certificate authorities _have_ to be trusted for what they certify to be widely used. This level of trust can be revoked if that company starts exhibiting poor business practices, or if their IT systems are compromised.

*   There can also be issues when certificates rely on older protocols for encryption, such as SSL v3 or TLS1.0/TLS1.1. As with many things, these standards were appropriate for the times when they were created, but they're now unsafe to use given the increases in computing power available. Attacks on sites can attempt to downgrade the encryption standard from modern versions to older protocols that are easier to break, or take advantage of flaws in how they're implemented to access data.

*   The last problem is the ability to understand what certificates you have, and what their status is. If you aren't aware that a certificate exists, then you can end up with an application that fails to work. This can lead to further problems for the application, and for any service that depends on it.

**Preventing Problems Is Better**

To prevent these kinds of problems, certificates must be treated as valuable assets rather than afterthoughts. Where to start?

Build an inventory of certificates with status information. With a multitude of certificates involved for most enterprises, automating this process will ensure that it is more efficient and easier to manage at scale.

Maintaining this list of certificates should help you spot gaps, such as self-signed certificates or ones that are close to their expiration date. By preventing issues before they lead to downtime, you can improve the overall approach to security and what the rest of the business sees.

For external-facing websites that use certificates, free tools like SSL Labs can easily demonstrate how well any site is set up, from a security perspective. This will include recommendations on what to do to improve security and remove problems. For developers building sites, this should be a standard part of their process.

Similarly, any developer working on internal applications should know how they use certificates in their applications internally, and they should be tracked, too. For other teams that might have to support certificates, from IT operations through to IT security teams, this insight into what certificates exist should be very useful as well. If developers aren't tasked with this, then carrying out discovery and inventory will be necessary to track certificates just like any other IT asset across the business.

Security certificates are necessary to make applications work, and to ensure that those services can be trusted. Managing them well and treating them as valuable assets is essential for security hygiene and to prevent issues. Even the littlest things can make a difference to security and delivering services.

Treat Essential Security Certificates as Valuable Assets

One of the oldest tactics in cybercrime is still one of the most widely feared — and with good reason, as campaigns are expected to increase and become more sophisticated over the next 12 months.

Phishing continues to represent not just a mainstay threat but also a significant cost to enterprises, with some large organizations with a robust IT and security staff spending $1.1 million per year to mitigate phishing attacks, new data shows.

Phishing-related security activities currently consume, on average, about one-third of the total time available to organizations' IT and security teams, according to a newly published report. A single malicious message costs organization an average of about 27 minutes and $31 in labor to mitigate, but can cost up to $85.33 if a company takes 60 minutes to eliminate the threat, researchers found.

This cost, combined with the consequences of successful phishing incidents — which include loss of account credentials, business email compromise, and data theft — means that about a third of organizations consider phishing to be either a "threat" or "extreme threat" to their businesses, researchers wrote in the report, which was commissioned by email security firm Ironscales and conducted and written by Osterman Research.

This situation is unlikely to improve anytime soon, as threat actors become even more sophisticated in how they craft phishing campaigns not only to hook enterprise workers, but also to make phishing emails harder to detect, the researchers found.

And while the shift to remote working that occurred during the pandemic lifted the burden of phishing slightly and led to a decline in this type of cybercrime activity over the 12 months previous to June 2022, the threat from phishing will soon be on the uptick again, the researchers found.

Enterprises should be on the alert and start preparing now to deal with imminent and "more sophisticated and pernicious" attacks — or expect to spend even more to handle phishing in the future, they said. "The time and cost currently expended on mitigating phishing will increase unless organizations start relying on better phishing protections," the researchers wrote.

**Organizational Burden**

Osterman Research surveyed 252 IT and security professionals in the United States in June 2022 for the report, asking them a range of questions about how their organizations deal with phishing and the impact it has.

Researchers attempted to quantify the actual business cost in terms of time and money spent addressing phishing that enterprises are incurring. They found that it indeed represents a significant investment that rises exponentially the more staff an organization has, and the more phishing emails a company receives.

That email cache from phishing in the current security landscape can be staggering, with some larger organizations receiving thousands of phishing emails per day, the researchers said. "Clearly, no organization has to deal with only a single phishing email," they wrote. "With several billion phishing messages sent globally every day, phishing is a significant proportion of overall email volumes."

**Lost Time and Money**

In terms of time, 70% of organizations surveyed said they spent 16 to 60 minutes per phishing email, representing the time from initial discovery of a potentially malicious email to complete removal from the environment, the researchers said.

On average, most organizations spend about 31 to 45 minutes to mitigate a phishing message, with 29% of respondents reporting this time frame at their respective organizations. Overall, handling phishing-related activities consumes an average of one-third of the working hours available each week for the IT and security teams at their organization, according to respondents.

Researchers also attempted to quantify the actual cost of phishing to an organization by considering a number of factors, including the roles that survey respondents play in mitigating phishing at their respective organizations, as well as their individual salaries.

What they found based on their calculations was that, on an annual basis, organizations spend, on average, $45,726 in salary and benefits paid per IT and security professional to handle phishing, they said.

This cost goes up exponentially depending on how many IT and security professionals an organization has, researchers said. An organization with five IT and security professionals is currently paying $228,630 of the annual salary and benefits paid to handle phishing, for example, while an organization with 25 IT and security professionals incurs significant more cost per year — or about $1.14 million — to handle phishing.

**Evolving Tactics**

To anyone who follows the security landscape, to say that threat actors who engage in phishing are getting more sophisticated is no surprise. By now, most corporate workers are already trained to recognize emails that are potentially malicious, which has spurred cybercriminals to pivot to trickier, more evasive tactics to ensure success.

Half of survey respondents cited three emerging characteristics of the phishing emails that are surfacing in the enterprise now as most worrying in terms of demonstrating these tactics.

The first is the use of adaptive techniques — also known as polymorphic attacks — which vary each phishing message slightly to decrease the likelihood of being detected as a phishing message, the researchers said. These messages "must be evaluated one by one, rather than being able to match using signatures or other known or trained identifiers," making them harder to mitigate, according to the report.

Another is threat actors' use of compromised account credentials — which are either obtained by earlier phishing attacks or purchased on the Dark Web — to hijack current email threads to send out more phishing emails. These messages also are likely to bypass detection, since they're sent from the organization’s own email infrastructure, "removing many threat signals that can be evaluated when messages originate externally," the researchers noted.  

Threat actors also are using other advanced obfuscation techniques in which "payload and link threats are nested, initially presented as benign, or subsequently downloaded," which also means phishing defenses have to work harder to flag potentially malicious emails, the researchers noted.

**Microsoft Teams and Slack**

Another emerging trend that at least half of the survey respondents reported seeing in their environments is phishing that spreads beyond email to communication and collaboration tools. Among the most common new attack vectors are messaging apps and cloud-based file sharing platforms such as Microsoft Teams and Slack, the researchers said.

"As phishing spreads to these new tools — often driven by account credential compromise — IT and security professionals will have to spend even more time addressing threats and seeking to eradicate threat actors from their other services," the researchers said.

What all of this adds up to for the enterprise is that they should get out ahead of the expected imminent surge in phishing attacks now if they want to free up cybersecurity staff to focus on more strategic initiatives, the researchers said.

Specifically, they advised enterprises "should be looking for more capable solutions that detect and stop more phishing attacks, offer detection of advanced polymorphic and nested threats, and protect communication and collaboration tools via a holistic solution rather than being limited to protecting email only."

Phishing Mitigation Can Cost Businesses More Than $1M Annually

Improving the flow of clean, safe code with heightened visibility and automation.

**SAN FRANCISCO, CA, 10/18/2022** — AutoRABIT announces a new update to its Salesforce DevSecOps platform that includes strategic integrations with major communication applications Slack and Microsoft Teams, new automation functionality, and seamless operation with Salesforce’s newest update API version 56.

The expanded functionality also includes opening the 600+ rules of CodeScan — AutoRABIT’s static code analysis solution—to Salesforce DX users, bringing best-in-class code security to a new group of Salesforce power users.

“We’re excited to further expand our suite of solutions to continue to meet the needs of our partners and customers. These updates to our release management processes will continue to help organizations save time and money during a time where both are needed,” said Prashanth Samudrala, VP of Products at AutoRABIT.

AutoRABIT Automated Release Management (ARM) now offers auto-approval for quality gates which moves DevOps teams closer to true Continuous Delivery (CD) by setting quality parameters and automating approvals, reducing manual processes across the development lifecycle. DevOps teams can also leverage a new auto-merge capability to keep development branches in sync — in real time — without having to tend to them individually.

AutoRABIT’s new update also expands upon the already extensive reporting capabilities of their ARM solution to deliver scheduled and automated reports so users can track success metrics on a pre-defined timeline.

Enhanced integrations with communication applications Slack and Microsoft Teams ensure asynchronous, organization-wide visibility into every development milestone. A dedicated channel is created which automatically updates the team when a change, issue, or success occurs within the development pipeline. AutoRABIT ARM also integrates with Hashicorp Vault for management and protection of sensitive data.

AutoRABIT’s newest update covers the entirety of their DevSecOps suite including CodeScan Shield, ARM, and Vault Data Backup & Recovery. These new features work together to create greater security, seamless flow of data, and accountability across Salesforce development teams.

AutoRABIT Accelerates Release Management Processes with Automation and Key Integrations

The tool helps red teams manage their activities, analyze the data from their campaigns, create reports, and better present results to organizations.

The Cybersecurity and Infrastructure Security Agency (CISA) has rolled out a free open source tool to help red teams and penetration testers more efficiently conduct their analysis, visualization, and reporting activities. The platform could help harmonize the necessary, but often boring, work of communicating results to clients and management, the US Department of Homeland Security (DHS) agency said.

The tool, dubbed RedEye, helps visualize command-and-control activities, allowing the teams to replay assessment actions rather than manually parsing log files to recreate events. CISA, along with the Department of Energy's Pacific Northwest National Laboratory (PNNL), created the tool to meet its own internal needs but decided to publish the software to help other red teams and gather feedback and feature requests from the community as a whole.

"The open source release was centered around contributing to the global information security community," a CISA spokesperson told Dark Reading. "Diversity and openness of thought makes products better for everyone, and getting community feedback and even 'pull requests' to contribute to the project make for compelling on-ramps into improvements and helping the community at large."

A number of organizations have published significant security tools as open source software in the past year. In August, NetSPI released two adversary simulation tools, PowerHuntShares and PowerHunt, to help companies detect vulnerable network shares and manage their attack surfaces. In November 2021, Google published its ClusterFuzzLite software as open source, a program that allows application security specialists to run various fuzzing capabilities against their software. The company released two related tools, OSS-Fuzz and ClusterFuzz, in 2016 and 2019, respectively.

The RedEye project could be a boon to red teams, especially those at smaller companies and agencies that do not have the support of a development team to make internals tools, says Charles Henderson, global head of IBM Security's X-Force team. By making a red team's reporting and communicating tasks more efficient, the tool can open up more time to do as much red teaming as possible, he says. Daily tasks, such as data aggregation, collating data, and working on presentation all take a lot of time — time that could be better spent simulating attacks.

"We spend a lot of time in security creating tools that are really centered around the 'cool' parts of security — the stuff that gets presented at conferences," Henderson says. "The truth of the matter is that we spend a lot of time in security on auxiliary functions, like reporting and the aggregation of data, which are — for lack of a better term — unsexy. To the degree we can start to decrease the time sink associated with those tasks, then we are going to be far better at security."

**Cyberattack Reporting**

RedEye can help red team members and executives understand the attack paths by creating visualizations of the entries in log files. The tool currently supports Cobalt Strike logs, but will expand to support telemetry from other red team toolsets, CISA said. The goal is to allow red team analysts to be able to better visualize and understand attempted and successful attack paths used during penetration tests and display that information clearly.

"This tool ... allows an operator to assess and display complex data, evaluate mitigation strategies, and enable effective decision making in response to a Red Team assessment," CISA said in the project documentation. "The tool parses logs, such as those from Cobalt Strike, and presents the data in an easily digestible format. The users can then tag and add comments to activities displayed within the tool."

The tool will be useful for companies that utilize in-house red teams as well as penetration-testing services as a way to standardize reporting. IBM creates its own tools to handle such activities, but the company is a "fairly advanced shop," says IBM Security's Henderson. "You would be surprised how few tools are out there for folks that may not not have the development resources that we do."

If RedEye becomes popular, it could help to standardize reporting formats and feature sets for reporting and analysis tools. However, CISA stresses that use of the tool is not a government requirement nor is it intended to be.

"While CISA is excited for the community to get the opportunity to use this tool on their own engagements, we trust that each red team will use the tools that meet their specific use case as they deem appropriate," the agency spokesperson said. "RedEye can help augment the way in which offensive reports and evidence is presented to customers/clients, but it is not intended to drive universal alignment around a common standards."

**Not Another Tool for Nefarious Hackers**

Adversary-attack simulation tools such as Cobalt Strike and Brute Ratel have grown in popularity, not only with defenders, but with attackers as well. While many tools created to help red teams and penetration testers are dual use, equally beneficial to the attacker as well as the defender, but RedEye really does not fall into that category, IBM Security's Henderson says.

"Criminals have gotten much better at eliminating the time sinks in their operations and focusing on the return on their investments, and this is the first time in a long time that a tool is coming out that is focusing on efficiency gains for the defender," he says. "I think that benefit to the stakeholders in security testing is going to be far more meaningful than any benefit that could be provided to criminals."

The CISA spokesperson said CISA plans to add a roadmap for the tool's development to the GitHub repository in the future, and specify which adversary-simulation tools it plans to support.

CISA Offers Free RedEye Analytics Tool for Red Teams

With the IT universe expanding, collaboration, thoughtfulness, and discipline can ensure a more secure future.

Does your organization truly understand the shared responsibility model? Shared responsibility emerged from the early days of cloud computing as a way to delineate responsibilities between cloud providers and their customers, but often there's a gap between what shared responsibility means and how it is interpreted. With the decentralization of IT, this gap is getting worse.

**Decentralization of IT**

Our applications, servers, and overall technology used to be under the purview and control of the IT department, yet with the shift to cloud, and specifically software-as-a-service (SaaS), this dynamic has changed. Whether it's the sales team bringing in a customer relationship management (CRM) system like Salesforce, or the HR department operating a human resources information system (HRIS) like Workday, there's a clear "expanding universe" of IT that no longer sits where it used to. Critical business workflows exist in separate business units far from IT and security and are managed as such. Our corporate IT footprints have become decentralized.

This is not some minor, temporary trend. With the ease and speed of adopting new SaaS applications and the desire to "lift and shift" code into cloud-based environments, this is the future. The future is decentralized.

**Challenging Security Realities**

The shift to business-owned and -operated applications puts security teams in a position where risk management is their responsibility; they are not even able to log in to some of these critical systems. It's like asking your doctor to keep you healthy but not giving her access to your information or having regular check-ups. It doesn't work that way.

Beyond the challenging human skills gap, there's technical entropy and diversity everywhere, with different configuration settings, event logs, threat vectors, and data sensitivities. On the access side, there are different admins, users, integrations, and APIs. If you think managing security on Windows and Mac is a lot, try it across many huge applications.

With this reality, how can the security team be expected to combat a growing amount of decentralized business technology risk?

**Shared Responsibility Becomes Shared Fate**

We must operate our technology with the understanding that shared responsibility is the vertical view between cloud provider and customer, but that enterprise-owned piece of shared responsibility is the burden of multiple teams horizontally across an organization. Too often the mentality is us versus them, availability versus security, too busy to care about risk, too concerned with risk to understand "the business." This must change.

An incident in security doesn't just impact security. We've heard "united we stand, divided we fall." We need to say that more in cyber — we win or lose together. This is why the horizontal view, across the org for the "customer-owned" piece of shared responsibility, must be viewed as a shared fate.

**Fighting Back, Together**

Great, we must do more. We all hear that a lot. But what specifically can we do immediately to improve our situation?

*   **Connect the people:** Regardless of the technology, we are still in an environment where technology is deployed, managed, and used by people. Bring together the people involved in particular technologies or workflows and make sure they know each other and can communicate well.

*   **Create a shared security-productivity vision:** If each group and/or role understands what incentives, responsibilities, and other dynamics exist for their teammates, there will be more empathy and better interactions.

*   **Continue to include security after procurement:** Once a new app is rolled out, the security team needs to be informed to determine who has access to the tool, how it will be used, and what data is stored within it. It's critical that the defenders in your organization have this visibility in order to protect against threats.

*   **Create a consistent access method:** This can be through your existing IAM tools, like Okta or Ping, but it's imperative to understand how users — both inside and outside of your organization — are going to be using the app and who has admin access and rights. This way, you can limit over-privilege and prevent wide-reaching data exposure and risk.

*   **Set organization-wide policies across apps:** For example, create file-sharing rules within tools like Google Drive or Box. This can be done without the security team blocking productivity among teams. When there's a clear partnership between security and the business, simple rules around passwords, expiration dates, or access control for file sharing can be the baseline for which threat detection rules and policy violations are more clearly written and deployed.

*   **Conduct a risk assessment of every app in your environment:** Whether it's employee data in Workday or Zoom recordings of board meetings that your apps are storing, it's critical to know the relative importance and risk level of each app. Ask yourself if adversaries would want to access it and, if so, how much they'd gain from the data. This will help you determine the types of apps you allow in your network, as well as policies and controls associated with the rollout.

*   **Roll out an integration policy, and stick to it:** With organizations of more than 1,000 employees using more than 150 SaaS applications on average today, it's important to understand integrations between apps like Google and Slack. While at times wildly convenient for a particular employee, this new integration web quickly changes risk profiles of your sanctioned SaaS applications, and it's incredibly difficult to keep up once your culture allows for random third-party integrations to connect to SaaS. Be disciplined here about setting a policy and sticking to it.

While our IT universe is expanding, with some collaboration, thoughtfulness, and discipline, we can have a more productive _and_ a more secure future. It's on us to make sure our shared fate is a positive one.

Source

DARKReading