New investment will accelerate growth and expansion of SaaS identity-hygiene platform.

**NEWARK, N.J., Nov. 30, 2022 /PRNewswire****/** — SPHERE Technology Solutions (SPHERE), a leader in identity hygiene, announced today a $31 million Series B investment led by Edison Partners, a Princeton-based leading growth equity firm, with participation from existing investor Forgepoint Capital. As part of the transaction, Edison General Partner Lenard Marcus will join SPHERE's board of directors.

As cyberattacks escalate in number and severity, Identity Hygiene has become foundational to enterprise security, digital transformation, and mandatory compliance. The increasing needs around ensuring identities have access to only the required resources has been in direct response to the rise in ransomware attacks and bad actors who take advantage of wide open and mismanaged access.

SPHERE immediately shrinks the attack surface of these threats through an automated platform that provides visibility and remediation of identity hygiene risks along with tech-enabled managed services, delivering expertise to accelerate these crucial programs. SPHERE's current customers are some of the largest and most highly regulated organizations globally, ranging from financial institutions to healthcare providers and more. With this investment, SPHERE will expand its SaaS offering, channel ecosystem and alliances, and sales and marketing to accelerate growth.

"As a company founded and operated by a team of security practitioners, we developed a mission-critical solution well before the market even deemed it mission-critical," said Rita Gurevich, founder and CEO of SPHERE. "We've experienced the problems that our customers encounter firsthand, and understand the time, dedication, and resources it takes to solve the complex issues they face every day. We're thrilled to have the support of Edison Partners and Forgepoint Capital for our next chapter of growth."

For over 13 years, SPHERE has enabled IT and Security teams to adopt a Zero Trust model by finding and fixing any type of identity access issue across any resource — in a fraction of the time these complex capabilities would take manually. The platform SPHEREboard provides an end-to-end workflow for end-user and privileged account controls, across cloud and on-premises systems and infrastructure, remediates open, excessive and inappropriate access, and provides an evergreen path for sustainability.

"Identity management, and more broadly information security, starts with the ability to ensure that the only parties with access to sensitive or operational data are those identified by management," said Marcus. "SPHERE's platform enables enterprises to improve their identity hygiene and maintain compliance. Its managed services offerings enable it to service the mid-market and large enterprises, where the problem is pervasive. Edison Partners is also proud to support female trailblazers like Rita Gurevich, who are closing the gender diversity gap in a historically male-dominated industry."

SPHERE continues to build significant traction and earn industry accolades that recognize the company's growth, leadership and commitment to diversity, a source of passion for Gurevich ever since she began building the company from the ground up. SPHERE was honored as a Gold Winner in the 2022 Globee Cyber Security Excellence Awards, named a finalist in the annual SINET 16 Awards, and selected by the Timmy Awards for Best Tech Workplace for Diversity in New York. A proven leader and innovator in cybersecurity, Gurevich was named by _SC Magazine_ as a top "Women to Watch" in 2022. She was also selected as the only female finalist for the _SC Awards_ "Security Executive of the Year."

"Our focus is to invest in the most innovative cybersecurity companies and SPHERE's combination of automation and expertise is unmatched in the industry," said Forgepoint Capital Managing Director Don Dixon. "Major corporations including many of the world's leading financial institutions rely on Sphere for its ability to effectively address two critical use cases – Zero trust initiatives and regulatory requirements for identity entitlements. We're excited to continue our partnership and to welcome Lenard and Edison to the board of directors."

**About SPHERE**

SPHERE is an award-winning, woman-owned cybersecurity business focusing on improving security and enhancing compliance. SPHERE's identity hygiene solution puts the controls in place to secure an enterprise's most sensitive data, create the right governance processes for systems and assets, and ensure organizations are compliant with the regulations surrounding their respective industries. For more information, please visit www.SPHEREco.com.

**About Edison Partners**

Edison Partners is a leading growth equity firm providing the financial and intellectual capital that CEOs and their executive teams need to grow and scale their companies. The firm's team brings more than 275 years of combined investing, operating and sector experience to each investment, accessible via the Edison Edge value creation platform, which is tailored to each business' strategy, stage and operating needs. Edison targets high-growth financial technology, healthcare IT and vertical SaaS and marketplace companies located outside Silicon Valley with $10 million to $30 million in revenue. Investments also include buyouts, recapitalizations, spinouts, and secondary stock purchases. Edison's active portfolio has created aggregated market value exceeding $10 billion. Edison Partners manages $1.6 billion in assets. For more information on Edison Partners, please visit edisonpartners.com and follow on LinkedIn.

**About Forgepoint Capital**

Forgepoint Capital is a leading cybersecurity venture capital firm that invests in transformative companies protecting the digital future. As the most active sector-focused firm in cybersecurity and infrastructure software, Forgepoint has the largest dedicated investment team and portfolio of over 40 companies. The firm brings over 100 years of proven company-building experience and its Advisory Council of more than 80 industry leaders to support entrepreneurs advancing innovation globally. Founded in 2015, Forgepoint is proud to partner with category-defining companies such as 1Kosmos, Area 1 Security (Cloudflare), Attivo Networks (SentinelOne), BehavioSec (RELX), Bishop Fox, Cysiv (Forescout), Huntress, IDX (ZFOX), Noname Security, NowSecure, ReversingLabs, SPHERE, Uptycs and more as they achieve their market potential. Learn more at forgepointcap.com or follow Forgepoint on LinkedIn.

SOURCE: SPHERE

SPHERE Receives $31M for Series B Funding From Edison Partners, Forgepoint Capital

Current authentication methods are based on the bearer model, but lack of visibility into the entities leveraging API secrets has made this untenable.

Today most API communication between machines is secured through API secrets — static keys, tokens, or PKI certificates that act like system passwords in order to authenticate machines and broker communication between them. These machines could be cloud workloads, pods, containers, servers, virtual machines, microservices, or physical machines like servers or Internet of Things devices.

The challenge with current mechanisms of securing authentication between machines is that they all prescribe a bearer model of authentication. As long as an API key, token, or certificate is valid, it can be held and used from anywhere, even a nefarious machine. The model does not guarantee trusted access or trust in the API client. Further adding to the risk is that these API secrets are often long-lived and cumbersome to maintain hygiene around.

Perfect security hygiene would mean each API secret is uniquely assigned to only one machine, never shared, routinely rotated. and securely distributed through development and deployment systems to the machine that needs it without the risk of being leaked along the way. The reality is API secrets are often shared across dozens or hundreds of machines and workloads. They are rarely, if ever, rotated, and provisioning and managing secrets across different applications and environments is an arduous task.

**The Cost of Secrets**

According to a 2021 report by 1Password, IT and DevOps spend an average of over 25 minutes each day managing secrets, at an estimated payroll expense of $8.5 billion annually across companies in the US. In a world where development and deployment systems are fully automated, provisioning and rotating secrets continues to be a very manual, laborious process.

Leaked infrastructure secrets come at a measurable cost. Exposed code, credentials, and keys — whether they are exposed accidentally or intentionally — cost companies an average of $1.2 million in revenue per year, according to the 1Password report.

More recently, the static nature of API secrets has made them ripe targets for adversaries. Much like passwords, secrets tend to become more vulnerable as they age — a problem that is only compounded when those secrets are being shared across dozens, sometimes hundreds of different workloads. Today, secrets are getting leaked at an alarming rate in code repositories, continuous integration (CI) systems like Jenkins or Travis, orchestration tools like Kubernetes, and cloud hosting environments like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. Ditto for logging tools like Splunk and Elastic and even collaboration environments like Slack. Organizations leaked more than 6 million passwords, API keys, and other sensitive data in 2021, doubling the number from the previous year, according to a recent GitGuardian review.

**Tools to Improve Things**

Enterprises can take extra steps to keep their secrets more secure. Secrets management solutions like vaults or secrets managers help organize and better secure these system passwords. But if your organization happens to be operating workloads with all three cloud providers, your team will have to leverage three proprietary secrets management systems in order to safeguard those secrets — Azure Key Vault, AWS Secrets Manager, and Secret Manager for GCP.

Tools do exist that can scan your environments to find hard-coded secrets in source code, code repositories, CI environments, and logging systems. Some tools can also scan public personal and organization repositories for secrets that may have already been exposed.

**An Unbearable Burden**

One significant blind spot for many engineering and security teams is visibility into the identities of the machines, applications, services, or workloads that are leveraging API secrets. If it isn't already broken by this point, that becomes the point where the bearer model starts to break down.

Between the manual nature of secrets management, the vulnerability of these static values, and the way the explosion of API usage has significantly increased the amount of compromised keys, tokens, and certificates, not having visibility into the entities that are leveraging API secrets has made the bearer model untenable. CISA's zero-trust framework and NIST 800-207 provide guidelines around how organizations think about machines and workloads as nonperson entities — where the user isn't a human, but rather another application or service account.

While CISA and NIST guidelines assist organizations in handling identity and access, the solution to this problem has already been established for human-to-machine interactions: multifactor authentication (MFA). If we think about the genesis of MFA as it relates to applications and services human users are accessing, the purpose is to validate the user identity with a set of credentials. Many companies require employees to enable MFA to ensure that it is indeed Jane who is trying to access the CRM application with her username and password, just in case her user credentials were compromised. The static nature of passwords, coupled with how long they tend to age well past most security guidelines, makes them ripe targets for adversaries, which is why many organizations mandate MFA to access applications that contain sensitive data.

The bearer model is no different — keys, tokens, and certificates are static values that act as system passwords. The challenge many organizations face is having visibility into the identities of the machines, applications, workloads, or services that are ultimately leveraging those credentials.

API Secrets: Where the Bearer Model Breaks Down

The simplicity and profitability of these attacks continue to appeal to threat actors a decade later.

In 2012, the US Federal Bureau of Investigation (FBI) began investigating an influx of reported fraud incidents involving threat actors rerouting payments to attacker-controlled accounts. In these incidents, victims received seemingly legitimate emails containing requests to alter scheduled payments. The threat actors typically impersonated executives or finance and payroll personnel and convinced victims to reroute payments to a different bank account. These first instances of business email compromise (BEC) kicked off a decade of attacks that use this simple yet highly effective scheme. While the threat has evolved, threat actors continue to use phishing attacks to steal credentials and then send fraudulent invoices soliciting payment. Thousands of organizations have lost billions of dollars.

**What Have We Learned in the Past Decade?**

When BEC was first discovered, law enforcement referred to it as "man in the email" fraud. Because much of the money at the time was sent to China, Japan, and South Korea, law enforcement believed that the threat actors could be Asia-based organized crime groups. Multiple investigations confirmed that these schemes were connected and that the money eventually ended up with threat actors located in Nigeria.

BEC fraud emerged from Nigerian organized crime groups that conducted operations such as romance scams, advance-fee schemes (also known as "Nigerian prince" or "419" scams), and elder fraud. The low barrier to entry and potential for high payouts attracted more threat groups. Because the technical aspects of these schemes are relatively simple, threat actors with little to no technical capabilities could launch successful attacks.

By 2014, cooperation between law enforcement and financial institutions revealed a clearer understanding of BEC schemes. As BEC tactics, techniques, and procedures (TTPs) matured, the financial losses and number of impacted organizations increased. In 2014, the US Internet Crime Complaint Center (IC3) received 2,417 BEC complaints, with losses totaling $226 million. The numbers grew steadily until a decrease in reported incidents in 2020. However, that decline was likely due to the COVID-19 pandemic disrupting normal business processes. Momentum resumed in 2021, with 19,954 complaints and adjusted losses of almost $2.4 billion.

    

Number of organizations reporting BEC incidents and reported losses between 2014 and 2021. Source: Secureworks, based on data from the Internet Crime Complaint Center (IC3).

**Who Is Connducting BEC Attacks?**

To this day, the vast majority of BEC operations still originate in Nigeria. Many Nigerian fraud groups incorporated BEC into their existing criminal activities and taught other threat actors how to operate the schemes. Each group determined its own targeting, focusing on specific geographic regions, organizational roles (e.g., CFO, finance manager, accountant), and industries. In 2016, Secureworks researchers estimated that the GOLD SKYLINE threat group (also known as Wire-Wire Group 1) stole approximately $3 million per year. By 2018, Secureworks research indicated that the GOLD GALLEON threat group attempted to steal an average of $6.7 million per year.

Due to the profitability of these schemes, cybercriminals in other regions began adopting BEC. Eastern European groups have shown particular sophistication. For example, Russian cybercrime group Cosmic Lynx has successfully targeted senior-level executives at multinational corporations using a dual impersonation scheme. The threat actors impersonate a company's CEO and then assume the identity of a legitimate attorney who is responsible for facilitating an acquisition. They prompt victims to send money to attacker-controlled accounts.

Despite the expansion of BEC attacks to other regions, none match the volume from Nigeria. The Nigerian fraud ecosystem has grown and flourished over the past decade. Hundreds of social media profiles flaunt wealth obtained from these attacks to recruit participants in Nigeria, where the average monthly salary is less than $800.

**Why Is BEC Still Prevalent?**

Despite thousands of BEC arrests, the schemes are still popular among cybercriminals. Business-to-business payments are the most frequent targets, but BEC actors also attack other payment methods. Payroll systems have been manipulated to add fictitious employees and send money to the associated accounts. BEC actors have also attacked real estate transactions and rerouted house payments.

While security controls can detect the compromise of an email account, technology can only go so far. As the threat actor continues to use the victim's account or pivots to attacker-controlled infrastructure, detection becomes more challenging. Organizations should implement technical proactive security defenses such as multifactor authentication and conditional access, along with human processes such as verifying requests via trusted contact details before performing high-risk actions and training employees to adopt a "trust but verify" approach to email.

Coordination among financial institutions, government agencies, private industry, and law enforcement across the globe has started to mitigate the impact of BEC attacks. In 2021, the IC3 Recovery Asset Team helped financial institutions recover approximately 74% of the stolen funds it pursued. Reducing the profitability of these attacks could lessen the appeal for threat actors and result in a decrease of BEC fraud.

The Evolution of Business Email Compromise

Red Hat has issued patches for a bug in an open source Java virtual machine software that opens the door to drive-by localhost attacks. Patch now, as it's easy for cyberattackers to exploit.

A critical remote code execution (RCE) bug in an open source Java virtual machine (JVM) framework threatens enterprise environments by giving attackers an easy way to compromise development teams — thus gaining access to production systems.

That's according to Joseph Beeton, senior application security researcher at Contrast Security, who discovered the vulnerability in Quarkus, a Red Hat-managed, Kubernetes-native Java framework that's optimized for JVMs.

The bug is tracked as CVE-2022-4116 and has been given a rating of 9.8 on the CVSS.

The relatively new Quarkus framework is used as a platform for serverless, cloud, and Kubernetes environments — the last of which is the de facto container management platform for cloud-native environments, and has had numerous security issues of its own.

The Quarkus flaw is present in the framework's Dev UI Config Editor, making it vulnerable to drive-by localhost attacks that could lead to RCE, Beeton wrote in a blog post published Nov. 29. Moreover, "exploiting the vulnerability isn’t difficult, and can be done by a malicious actor without any privileges," he noted in the post.

Beeton discovered the vulnerability some weeks ago while preparing a talk for the recently held DeepSec conference, but says that he waited to disclose his findings until after Red Hat published details of the flaw on its customer support portal Nov. 21. Beeton also published a proof of concept exploit for CVE-2022-4116 in his post.

Patched versions of Quarkus, available now, are 2.14.2.Final and 2.13.5.Final (LTS); anyone using the framework is encouraged to update immediately.

**'Dangerous' Security Flaw**

The vulnerability affects the "quarkus\_dev\_ui" package, according to Red Hat, which means it impacts developers building services using Quarkus, not actual services running in production.

However, it's still dangerous for several reasons — for one because it's fairly easy to exploit, and for another because developers often have direct access to an enterprise's production environment, Beeton tells Dark Reading.

"Developers generally have access to production systems, and even if they don't, they do have the ability to make code changes," he says. "A compromised developer's machine could be leveraged to push malicious code changes to production.”

For example, if a developer running Quarkus locally visits a website with malicious JavaScript, that JavaScript can silently execute code on the developer’s machine, which can lead to all kinds of trouble on any network or assets attached to it.

In enterprise cloud-based environments, developers also often have to code bases, Amazon Web Services keys, server credentials, and other assets, Beeton said in his posting.

"Access to the developer's machine gives an attacker a great deal of scope to pivot to other resources on the network, as well as to modify or to flat-out steal the codebase," he wrote.

**The Bug in a Cloud-Security Context**

The flaw must be understood in the context of cloud-based footprints that have numerous hosted services running in a larger environment, Beeton explained. One misconception about this type of architecture is that "services that are only bound to localhost are not accessible from the outside world," he noted in his post.

"Because of this misplaced belief, developers, for the sake of convenience, will run services they are developing that are configured in a less secure way compared with how they would \[typically\] do it," he wrote.

There's no problem with this scenario in the case of accessing normal JavaScript in a browser and loaded from a nonmalicious domain, he said. In that case, the JavaScript would not be able to make requests to other domains, including localhost, without a preflight request that is used to check the server's Cross-Origin Resource Sharing (CORS) settings. This is a standard check to see if the server allows requests from the domain being accessed.

However, in the case of a certain type of request that does not require a preflight request — called Simple Requests — the flaw comes into play, Beeton said.

"For a Simple Request, the browser makes the request, receives the response, but that data — including the HTTP Status Code — is not returned to JavaScript," he wrote. "It is possible, however, to infer whether the request was successful based on how long it took to return. Within those constraints, it is possible to access localhost and, in certain circumstances, to trigger arbitrary code execution."

**Multiple Ways Developers Can Be Targeted**

If this is the case, threat actors can compromise websites that developers use by injecting malicious JavaScript into ads served on the sites. For an attack on the Quarkus flaw to be successful in this scenario, someone who is running Quarkus in developer mode would have to visit a website containing the malicious JavaScript, Beeton said.

In this way, attackers can access developer code via non preflighted HTTP requests to those services bound to localhost, he explained.

"It just requires that Quarkus is running in developer mode at the same point the browser tab is open," he noted. "No other interaction is required for this vulnerability to be exploited."

Attackers also can exploit the flaw by launching a phishing attack that convinces a developer to open a web browser on a compromised page. "If they happen to be running Quarkus in developer mode, compromising them would merely entail getting them to click the link; the page containing malicious JavaScript will then be loaded, and they would be compromised," Beeton explained.

Other ways the flaw can be exploited are through common misconfigurations in the Spring framework, which provides a comprehensive programming and configuration model for modern Java-based enterprise applications, he said. Alternatively, an attacker can exploit known vulnerabilities to generate an RCE on the developer's machine or on other services on their private network.  

**Potential Impact and Fix**

There are two bits of good news surrounding the status of the flaw, Beeton acknowledged. One is that Red Hat's Quarkus team, as mentioned before, already has issued a fix that requires the Dev UI to check origin headers for "origin : localhost" — which is set by the browser itself and not modifiable by JavaScript — and only accept these requests, he said.

The other reassuring aspect is that Quarkus is a young framework, having been launched in 2019, so it's not likely to be used as extensively as, say, the open-source Spring Boot framework, he said.

And while Quarkus is gaining in popularity, particularly for Kubernetes enthusiasts, "given its ease of use and significantly lighter demand on hardware resources to run and to run applications," it still is not as widely used as Kubernetes itself, Beeton said.

"Therefore, the number of developers affected by this drive-by localhost attack is probably small," he said.

**Squashing the Attack Vector**

Even with the Quarkus flaw fixed, developers using open-source frameworks still should be wary as they develop services via the localhost, as there are likely more vulnerabilities equivalent to CVE-2022-4116 that have yet to be found, Beeton warned.

A solution for the entire attack vector is on the horizon with W3C’s new Private Network Access (PNA) specification, which eventually will be integrated into browsers to squash this mode of exploit altogether, he said.

Currently, however, only the team supporting the Chromium framework — the basis for the Chrome and Edge browsers — is actively working to implement the new spec, Beeton said. In fact, the targeted mid-December release of Chrome 109 should include support for PNA.

Firefox, meanwhile, has PNA support on its backlog, but has not yet scheduled a release date, while plans to add the spec to Safari or Edge remain unclear, though the Chromium update may bode well for its upcoming addition in Edge, he added.

Critical Quarkus Flaw Threatens Cloud Developers With Easy RCE

The quarterly report, made possible by its Dynamic Defense™ service, demonstrates significant progress in mitigating domain abuse among its top-level domains (TLDs).

**BELLEVUE, Wash., Nov. 30, 2022 /PRNewswire/** — To promote awareness among registrars, trusted notifiers, and end users, Identity Digital™, a leader in connecting the online world with domain names and related technologies, very recently published its first (Q2) Anti-Abuse Report. The report shares data and statistics on DNS abuse within the registry operator's TLD portfolio. The second (Q3) Anti-Abuse Report is slated to come out shortly as well.

The Anti-Abuse Report found that nearly 93% of the abuse cases identified in Q2 2022 involved phishing attacks, including homograph attacks, where bad actors register domains using visually similar characters to legitimate websites for nefarious purposes. Identity Digital automatically blocks homographic domain names, ensuring none of their variations can be registered.

"We're proud to publish our first Anti-Abuse Report that raises  
awareness on a wide range of DNS attacks and demonstrates significant  
progress in mitigating domain abuse within our TLD ecosystem," says Akram Atallah,  
CEO of Identity Digital. "While overall quite rare, in cases of clear  
domain abuse, we aim to intervene as quickly as possible. Most of the  
harm is done in the first eight hours, so taking swift action is  
important. As a result of the Dynamic Defense initiative, we observe  
55% mitigation of identified reports, within 24 hours of a report, which  
is five times faster than the 96 hours1 industry standard."  

The Identity Digital Dynamic Defense™ (DND) team has decades of experience dealing with DNS abuse, drafted industry-standard security frameworks, and are on the front lines of the fight against DNS abuse. Identity Digital acts upon specific, credible notices on serious abuse cases, including child sexual abuse materials, illegal online distribution of opioids, human trafficking, and specific and credible incitements to violence.

**About Identity Digital**

Identity Digital Inc. simplifies and connects the online world with domain names and related technologies to empower people to build, market, and own their authentic digital identities. The company is a member of the Anti-Phishing Working Group (APWG) and the Internet Watch Foundation (IWF). It's also represented in US InfraGard, a partnership between the FBI and the private sector dedicated to sharing information and intelligence to prevent hostile acts against the US. In addition, Identity Digital participates in ICANN at all levels and holds leadership positions at the Registries Stakeholder Group, the Registries Stakeholder Group DNS Abuse Working group, the Contracted Party House DNS Abuse Working Group, and the Security & Stability Advisory Committee (SSAC).

With the world's largest portfolio of nearly 300 TLDs, such as .live, .technology, and .restaurant, Identity Digital operates around 25 million domains on its innovative registry services platform. In addition, it enables customers to discover, register, support and use high-quality domain names with its registrar, Name.com. Headquartered in Bellevue, WA, Identity Digital is a global company with approximately 250 employees. For more information, please visit identity.digital.

1 Source: icann.org,

SAC115 SSAC Report on Interoperable Approach to Addressing Abuse Handling in the DNS

  
SOURCE: Identity Digital, Inc.

Identity Digital Releases Its First DNS Anti-Abuse Report

New functionality further reduces the risk of lateral movement.

**REDWOOD CITY, Calif., Nov. 30, 2022 /PRNewswire/** — Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today announced the latest release of Cloud Suite, its solution that controls privileged access and authorization for on-premises and cloud servers. A new granular privilege elevation workflow allows users to request elevated privileges to execute specific commands or command sets that require full administrator rights. New functionality also enables administrators to assign privileged roles on Linux servers with more detailed control, helping to ensure that productivity does not compromise security.

According to the 2022 VMWare Global Incident Response Threat Report, lateral movements are detected in 25% of all attacks, with cybercriminals abusing tools such as host scripts, file storage, and synchronization. Cloud Suite empowers customers with robust capabilities that help contain the impact of a potential breach and greatly reduce the likelihood of lateral movements. For example, IT teams can consolidate identities across enterprise directories and cloud providers including Active Directory, Azure AD, AWS, and Google Cloud, simplify authentication, and apply granular authorization controls to implement least privilege best practices, enhancing security postures.

**More granular privilege elevation automation**

Available now in public preview, privilege elevation workflows give users a way to request access to commands that require elevated privileges when they don't have that access, and they are enabled for one, multiple, or all commands on the system. The new workflow allows users to request elevated privileges only for specific commands or command sets without having to request administrator access to all commands every time. This functionality supports the principle of just-in-time and just-enough access at a more granular level.

**Finer controls on Linux servers**

The Cloud Suite update also includes profile mapping for Unix roles that ensures privileged access controls can be managed as sets of enrolled Linux servers rather than globally, for a more targeted privilege authorization. This feature helps minimize the risk of over-privileged roles and promotes least privilege best practices.

"With this release of Cloud Suite, we are making it easier for our customers to apply finer, more granular controls for privileged access to their on-premise and public cloud servers which house their critical data," said Phil Calvin, Chief Product Officer at Delinea.

Additional updates in this release include added group privileges on Windows servers and support for the latest distributions of AlmaLinux and Rocky Linux.

Organizations can try the latest version of Cloud Suite for free at https://delinea.com/products/cloud-suite.

**About Delinea  
**Delinea is a leading provider of Privileged Access Management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

© Delinea Inc. (formerly Centrify Corporation) 2022. Delinea™ is a trademark of Delinea Inc. All other trademarks are property of their respective owners.

SOURCE: Delinea

Delinea Introduces Granular Privileged Access Controls on Servers

The NSS Labs archive, available with free registration, consists of over 800 test reports, analyst briefs, and research published by NSS Labs from 2013 — 2020.

**AUSTIN, Texas, Nov. 29, 2022 /PRNewswire/** — CyberRatings.org, the nonprofit entity dedicated to providing transparency on cybersecurity product efficacy, has launched The NSS Labs archive, a library of over 800 test reports, analyst briefs and research published by NSS Labs from 2013 – 2020. Once available only to paid subscribers, CyberRatings.org is providing The NSS Labs archive to the community at no charge.

NSS Labs was an independent analysis and testing company recognized for its fact-based cybersecurity guidance that ceased operations on Oct. 15, 2020. Based in Austin, Texas, NSS Labs tested security products protecting networks, data centers, and endpoints for security effectiveness, evasions, performance, stability, and usability. It was in the early stages of producing methodologies for cloud testing when the company closed.

Following the NSS Labs closure, CyberRatings.org acquired some of the assets from the custodians of NSS Labs, including domain name, test data, and reports previously published on their website. The website also holds press releases and blogs over the last six years of the company's existence showing a timeline for the former company's development.

"The NSS Labs team produced a tremendous amount of volume year over year that can now serve as historical reference on security product efficacy," says Vikram Phatak, CEO of CyberRatings.org. "For example, some product scores demonstrated improvement over time while others went the opposite direction. We believe this is a good way to help consumers see how products have evolved."

Product reports and comparative reports from 2013 — 2020 listed below are now available in the following technology verticals:

*   Data Center Security
*   Endpoint Security (including Advanced Endpoint Protection and Browser)
*   Next Generation Firewall (NGFW)
*   Next Generation Intrusion Prevention System
*   Secure Sockets Layer / Transport Layer Security (SSL / TLS)
*   Software-Defined Wide Area Network (SD-WAN)

The NSS Labs archive can be accessed through www.nsslabs.com and www.cyberratings.org.

**Additional Resources**

*   Follow CyberRatings.org on Twitter
*   Follow CyberRatings.org on LinkedIn

**About CyberRatings.org**

CyberRatings.org is a nonprofit 501(c)6 entity dedicated to quantifying cyber-risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org

SOURCE: CyberRatings.org

CyberRatings.org Revives NSS Labs Research

Cloud-native application protection platforms can apply machine-learning algorithms on cloud data to identify accounts with abnormal permissions and uncover potential threats.

Over the past decade, we've seen a dramatic uptick in cloud migrations. On-premises solutions are becoming a thing of the past, and the cloud is becoming the default in the present. But why cloud, and why now?

Many organizations are currently undergoing a digital transformation. Much of this is expedited, due to the COVID-19 pandemic. Moving to the cloud offers numerous benefits—scalability, agility, and cost reduction being some of the most significant. Legacy solutions require setting up more physical servers, which increases complexity and operational effort, leading to higher costs. Meanwhile, cloud lets us do everything—and more—with just a few clicks.

The move to the cloud poses new challenges. One of the simplest ways attackers can get to an organization's crown jewels in the cloud is by clearing attack paths through a combination of network access and permissions. In what's quickly becoming a go-to method, many attackers use cloud-native privilege escalation techniques like PassRole to gain privileged access. The smallest drift in an environment can open up these attack paths in seconds, creating utter madness for a business. With the right privileges, data exfiltration takes mere moments and is almost impossible to detect.

To expose these types of attack paths, DevOps and security teams can use machine-learning capabilities embedded in a cloud-native application protection platform (CNAPP) solution to detect abnormal permissions, correlate all the signals, and search for privileges that collide with public exposures and vulnerabilities.

One of the problems we've seen most frequently, and one that's difficult to track and catch, is extra permissions being granted to many users within a tenant. In these cases, most permissions are unused, and attackers can take advantage. A CNAPP solution can detect abnormal permissions of identities within a tenant using specific machine learning methodologies.

Our definition for "abnormal" is simple: actionable + most risky = abnormal. For instance, when users in a given group each have more or less the same set of permissions in an environment, but one user has extra permissions in another environment, we consider the extra permissions abnormal.

In case of outliers over data that consists of a large number of features, the native machine learning models would usually be PCA, DBSCAN, LOF, or Isolation Forest. However, we discovered that the perfect model is a _genetic algorithm_. Genetic algorithms aim to detect mutations within a series of genes.

How exactly do we do that? Let’s have a look at a specific example.

    

In the table above, we can see that Amos has some extra permission in the production environment, which we consider abnormal. Let's now convert that graph to a DNA vector (DNA assignment).

    

We see here that Amos has mutations. The goal is to search for close communities that have extra important permissions—only then may it be considered an anomaly. Also, if the communities are far from each other, it's not necessarily anomalous.

    

After more in-depth ML calculations to eliminate false positives, you'll end up with a genetic algorithm that can help detect outliers with abnormal permissions. It's fast, simple, and effective. Trying to perform this kind of analysis with a legacy approach would require a massive manual effort to first understand the business impact of each permission, and then detect the excessive permissions. On the other hand, an ML-based approach suggests a self-learning method without the need to understand each and every permission, helping to expedite the process.

With cloud threats constantly evolving, machine/deep-learning detection-based methods are going to become a necessity when evaluating CNAPP solutions. Don't wait for that next drift to activate a chain of catastrophic events—get ahead of the curve of detecting your next breach with the power of machine learning.

_Read more_ _Partner Perspectives from Zscaler._

Connect the Dots with Genetic Algorithms on CNAPP

The new Microsoft Defender for Endpoint capabilities include built-in protection and scanning network traffic for malicious activity.

Microsoft has announced several new capabilities for Microsoft Defender. The new features will protect devices from advanced attacks and emerging threats, the company said on Monday.

**Security Enabled by Default**

Built-in protection is generally available for all devices using Microsoft Defender for Endpoint, according to Microsoft.

Built-in protection is a set of default security settings for Microsoft's endpoint security platform to protect devices from ransomware attacks and other threats. Tamper protection, which detects unauthorized changes being made to security settings, is the first default setting being enabled, according to a Microsoft 365 knowledgebase article. Tamper protection prevents unauthorized users and malicious actors from making changes to security settings for real-time and cloud-delivered protection, behavior monitoring, and antivirus.

Microsoft enabled tamper protection by default for all customers with Defender for Endpoint Plan 2 or Microsoft 365 E5 licenses last year.

Enterprise administrators have the ability to customize built-in protection, such as setting tamper protection for some but not all devices, toggling protection on or off on an individual device, and temporarily disabling the setting for troubleshooting purposes.

**Zeek Comes to Defender**

Microsoft also partnered with Corelight to add Zeek integration to Defender for Endpoint, helping to reduce the time required to detect network-based threats. With Zeek, an open source tool that monitors network traffic packets to uncover malicious network activity, Defender can scan inbound and outbound traffic. The Zeek integration also allows Defender to detect attacks on nondefault ports, show alerts for password spray attacks, and identify network exploitation attempts such as PrintNightmare.

"The integration of Zeek into Microsoft Defender for Endpoint provides a powerful ability to detect malicious activity in a way that enhances our existing endpoint security capabilities, as well as enables a more accurate and complete discovery of endpoints & IoT devices," Microsoft stated.

Zeek won't replace traditional network detection and response technology, as it is designed to act as a complementary data source providing network signals. "Microsoft recommends that security teams combine both data sources — endpoint for depth, and network for breadth — to gain full visibility across all parts of the network," the company said.

**Detect Firmware Vulnerabilities**

Related, Microsoft provided some more details on the Microsoft Defender Vulnerability Management service, which is currently available under public preview. When it becomes publicly available, the service will be sold as a standalone product and as an add-on to Microsoft Defender for Endpoint Plan 2.

The Microsoft Defender Vulnerability Management now can assess the security of the device's firmware and report if the firmware is missing security updates to fix vulnerabilities. IT pros will also get "remediation instructions and recommended firmware versions to deploy," according to a Microsoft article on the vulnerability management service.

The hardware and firmware assessment will display a list of hardware and firmware in devices across the enterprise; an inventory of systems, processors, and BIOS used; and the number of weaknesses and exposed devices, Microsoft said. The information is based on security advisories from HP, Dell, and Lenovo and relates to processors and BIOS only.

Microsoft Defender Gets New Security Protections

Organizations must be prepared to root out bad actors by any means possible, even if it means setting traps and stringing lures.

As software supply chain attacks increase, cybersecurity talent wanes, and alert fatigue leads to burnout, an always-on, defense-first mentality will no longer suffice. While many defense strategies aim for zero incidents across an entire network, it's time to reevaluate that thinking. Take a page out of the bad actors' book by implementing new strategies that ensure fast detection and intelligence collection.

Enter cyber deception. Cyber deception is a proactive cyber defense methodology that, when executed well, puts the defender in the driver's seat. It enables defenders to lead the attacker and gather intelligence about the adversary's tools, methods, and behaviors via a system of honeypots, lures, tripwires, and much more. It is a strategy that cyber professionals deploy to gain the upper hand in operations against attackers, decreasing dwell time, obtaining valuable cyber threat intel, and mitigating data loss.

However, people oftentimes have a hard time grasping how cyber deception is going to assist them. The word "deception" has a negative connotation, making cyber professionals unclear about how effective it can really be. But organizations must accept that the cyber process is quickly shifting to be more proactive. Playing catch-up is no longer an option.

Understanding who benefits most from cyber deception, knowing the skill sets and technologies that must be applied throughout, and learning how organizations can successfully deploy this defense mechanism are crucial steps to getting started.

**Who Benefits Most**

The most frequently asked question is who will benefit from cyber deception — and who won't. When it comes to knowing whether your organization is up for the task, first consider your environment. If you have existing cybersecurity solutions, such as endpoint detection and response (EDR) and security operations centers (SOCs), systems that require high-fidelity alerting, or robust threat intelligence capabilities that can conduct analysis, produce reports, and shape public security postures, you're a good candidate.

However, deception will never be an effective solution for a team that does not have the resources to address alerts in a timely manner. It is meant to give the defenders an opening by producing high-fidelity alerts on top of existing solutions; without the proper staffing, these alerts become useless. Cyber deception would be inappropriate for even a large enterprise environment if it doesn't have a dedicated team to help manage the deception.

**What Skill Sets and Technologies Are Required**

Staffing a highly skilled and experienced team, with a breadth of experience working in blue team/red team scenarios, is key. Adequate training helps these teams deploy high-interaction decoys, lures, and services that will truly entice threat actors. For an even stronger approach, having logging/alerting solutions that help them respond to these "tripwires" in a timely manner will make all the difference.

On the technology front, honeypots, breadcrumbs, lures, and canary tokens are all crucial tools to trip high-fidelity alerts that identify threat actors. These deception tactics work by simulating critical infrastructures, services, and configurations so attackers can interact with these false IT assets. This effectively increases the cost of an attack.

However, these techniques can present logistical deployment issues and challenges. They are difficult to distribute widely and require significant resources to maintain and implement, so security teams can usually only deploy a limited number. That means, at times, there are not enough tools and resources to effectively detect cyber threats as a method of moving-target defense.

**How to Deploy Cyber Deception Successfully**

To deploy cyber deception using a commercially available product, it is important to start with a plan that considers what comes with the product. From there, you should:

*   Take time to fully understand the product in place, establishing what it can and cannot do. After an initial pilot, prioritize a strategy around your high-value assets first if your organization is ill-prepared for an enterprise deployment.
*   Ensure that your staff is fully trained on the platform well in advance of the actual product deployment. They must be prepared to fuse this actionable data into routine SOC operations.
*   Identify and understand where within your environment stakeholders are comfortable using these deception products. If your CISO is not comfortable with a robust deception strategy, consider at least seeding false administrative credentials to defend against that common threat vector.

And if you don't want to use a commercially available product? The deployment plan would include similar preparation as the items outlined above, replacing the product with in-house experience and tools. These steps should include but are not limited to:

*   Develop the servers, services, and shares in a manner that is enticing to an attacker while also being able to alert immediately when they are interrogated.
*   Deploy and manage multiple sensors to feed back to an operations center.
*   Train and enable network defenders to be able to respond to these threats in a timely manner.

Without a framework, threat actors can easily work their way around a cyber deception plan, likely giving them the upper hand in such a time-sensitive environment.

Cyber deception tactics, techniques, and procedures (TTPs) have been around for quite some time, but they have recently gained mainstream attention because they can assist in credential compromise detection in zero-trust approaches. Deception technology will likely become more commonplace as an effective tool to complement existing defenses and tactics; however, the proper education, skill sets, and training are needed to make it a formidable defense mechanism for cyber generations to come.

Source

DARKReading