Administrators and security teams who have lost visibility into their own networks can use DNS telemetry to home in on anomalous traffic.

**Question: How can administrators use DNS telemetry to complement NetFlow data in detecting and stopping threats?**

**David Ratner, CEO, Hyas:** For many years, DevSecOps teams relied heavily on flow data (the information collected by NetFlow and similar technology) to glean insight into events occurring within their networks. However, flow data's usefulness has waned with the shift to the cloud and increased network complexity.

Monitoring network traffic is the new big data problem. You either sample a smaller amount of flow data or incur the high costs of receiving a more comprehensive set. But even with all of the data, detecting subtle anomalous incidents (perhaps involving just one or a handful of devices and relatively low-volume traffic) that indicate malicious activity is still like looking for a needle in a haystack.

Administrators and security teams can regain visibility into their own networks with DNS telemetry. It is is easier and cheaper to monitor than flow data and can identify unknown, anomalous, or malicious domains based on threat intelligence data. These services can alert DevSecOps administrators and provide information on exactly where to look to investigate the incident. If necessary, administrators can access the corresponding flow data to get additional actionable information about the event, identify if the event is innocuous or malicious, and stop nefarious activity in its tracks. DNS telemetry solves the big data problem by letting teams more quickly and efficiently zero in on the areas that need attention.

An easy way to visualize the problem is to imagine staking out all the payphones in a neighborhood to intercept calls related to criminal activity. Actively watching each payphone and monitoring the content of each call made from each payphone would be incredibly tedious. However, in this analogy, DNS monitoring would notify you that a certain payphone made a call, when it made it, and who it called. With this information, you can then query flow data to find out additional pertinent information, like if the person on the other end picked up the call and how long they spoke.

A real-world scenario might occur like this: Your DNS monitoring system notices multiple devices making calls to a domain flagged as anomalous and potentially malicious. Even though this particular domain has never been used before in an attack, it is unusual, anomalous, and requires additional and immediate investigation. This triggers an alert, prompting administrators to query flow data for those particular devices and the specific communication with that domain. With that data, you can quickly determine if malicious activity is actually happening and, if it is, you can block the communication, cutting the malware off from its C2 infrastructure and stopping the attack before major damage is done. On the other hand, there may have been some legitimate reason for anomalous traffic, and it isn’t actually nefarious — maybe the device is simply reaching out to a new server for updates. Either way, now you know for sure.

How Does DNS Telemetry Help Detect and Stop Threats?

Microsoft added certificate-based authentication (CBA) to the Azure Active Directory to help organizations enable phishing-resistant MFA that complies with US federal requirements. The change paves the way for enterprises to migrate their Active Directory implementations to the cloud.

Microsoft has removed a key obstacle facing organizations seeking to deploy phishing-resistant multifactor authentication (MFA) by enabling certificate-based authentication (CBA) in Azure Active Directory.

The release of CBA in Azure AD, announced during last month's Microsoft Ignite conference, promises to pave the way for large enterprises to migrate their on-premises Active Directory implementations to the cloud. It's a move Microsoft is encouraging enterprises to undertake to protect their organizations from phishing attacks.

Further, this week, Microsoft took the first step toward enabling phishing-resistant MFA on employee-owned iOS and Android devices without requiring IT to install user certificates. Specifically, Microsoft on Wednesday issued a preview release of Azure AD with CBA support on mobile devices using security keys from Yubico.

**Meeting Federal Standards**

CBA capability in Azure AD is immediately critical to federal government agencies, which face a March 2024 deadline to deploy phishing-resistant MFA in compliance with US President Joe Biden's 2021 Executive Order (14028) on Improving the Nation's Cybersecurity.

The executive order directs all federal government agencies and those it does business with to move to zero trust architecture (ZTA) security. Phishing-resistant MFA is a requirement detailed in the follow-on guidance, Memorandum MB-22-09, issued early this year by the US Office of Budget and Management (OMB).

OMB's memorandum specifies that all civilian and intelligence agencies implement cloud-based identity architectures resistant to phishing. That means eliminating legacy MFA solutions that attackers can compromise, including SMS and one-time password (OTP) based authentication susceptible to phishing attacks.

SMS phishing attacks, also called "smishing," are fraudulent text messages that appear legitimate, directing victims to enter personal information into a fake website. "Smishing has turned increasingly into a meaningful attack vector; I see it all the time," says Andrew Shikiar, executive director of the FIDO Alliance.

Beyond federal agencies and contractors, preventing phishing from MFA bypass attacks has become crucial to all enterprises. This year, MFA relay attacks have escalated; for example, in the August compromise of Twilio's broadly used MFA service, the attackers prompted unwitting users to share their Okta credentials.

Experts anticipate such attacks will rise next year. "I think social engineering and MFA bypass attacks will continue to grow in 2023, where some other major service providers suffer meaningful breaches like we did this year," Shikiar says.

**Moving From ADFS to Azure AD**

Microsoft emphasized that CBA in Azure AD is critical in paving the way for federal government agencies to comply with the president's executive order. CBA provides a migration path from on-premises Active Directory Federation Services (ADFS) to the cloud-based Azure AD.

Now that CBA is available in Azure AD, organizations can use the cloud-based version of Active Directory to require users to login directly from all Microsoft Office and Dynamics programs and some third-party apps, which will authenticate them with an organization's public key infrastructure (PKI) using X.509 certificates. The X.509 certificate renders applications resistant to phishing because each user and device has its unique certificate.

Until now, organizations choosing to implement CBA in the cloud had to use third-party authentication services to enforce certificate policies. "What Microsoft is doing is removing the hurdle of having to have a separate service, and between you and the cloud, they're supporting that natively," says Derek Hanson, VP of solutions architecture and standards at Yubico.

"This removes the last major blocker for those of you who want to move all of your identities to the cloud," said Joy Chik, president of Microsoft's identity and network access division, during a session at the company's Ignite conference.

Chik emphasized that connecting applications to Azure AD paves the way for retiring on-premises ADFS, which organizations typically use to enable PKI. However, most organizations have relied on ADFS for decades, and migrating to Azure AD is a complex move. Nevertheless, Chik said it is necessary. "ADFS has become a primary attack vector," she said.

Indeed, most enterprises that use X.509 for authentication rely on federated servers — and in most cases, that means ADFS. Doug Simmons, managing director and principal consulting analyst at TechVision Research, estimates that at least 80% to 90% of enterprises use ADFS.

"I really don't know of any organizations that are not using ADFS," Simmons says. Now that CBA is available in Azure AD, Simmons agrees that organizations will begin the process of migrating from ADFS. "I think they will likely make the migration within the next two years," he says.

**Fulfilling the Government Mandates**

During the past year, Chik said that Microsoft has added more than 20 capabilities to ensure that all the critical authentication capabilities in ADFS are available in Azure AD. "Certificate-based authentication is critical for customers in regulated industries," Chik said. But she added, "This includes US federal agencies, which must deploy phishing resistant MFA to comply with White House executive order on cyber security."

Simmons notes that enabling agencies to meet this mandate is critical for Microsoft to retain and expand government deployments, especially agencies that require authentication that complies with the FIPS 140 and FIDO2 standards. "From what I understand, Microsoft needs Azure to stay ahead of the FedGov game or risk being further being overtaken by Google, AWS and others," Simmons explains. "So, this would be necessary to demonstrate said compliance and fully integrated support."

Earlier this year, Microsoft launched Entra, an identity and access management (IAM) platform anchored by Azure Active Directory and using other tools, including Permissions Management, Verified ID, Workload Identities, and Identity Governance.

"With Entra, they are making a significant investment in multi-cloud administrative security," Simmons adds. "Multicloud is key because they realize the world doesn't end with Azure. In fact, most of their customers — and probably all of our customers — have the big three clouds in production. To better secure cross-cloud admin, they need to make strong authentication available to the privileged users, who can be developers and admins. Just supporting phone-based push MFA isn't enough for some organizations, especially when it comes to the US government and defense."

**Bringing Azure AD CBA Support to Mobile Devices**

Microsoft's release this week of the public preview of Azure AD CBA support on iOS and Android devices enables the use of certificates on hardware security keys, initially Yubico's YubiKey. Microsoft's director of identity security Alex Weinert announced the release in a brief blog post.

"With Bring Your Own Device (BYOD) on the rise, this feature will give you the ability to require phishing-resistant MFA on mobile without having to provision certificates on the user's mobile device," Weinert wrote.

Yubico, which led the development of the FIDO authentication standards, worked with Microsoft to enable its YubiKeys, the first FIPS-certified, phishing-resistant authenticator currently available for Azure AD on mobile. Ultimately, contractors and US Department of Defense personnel will be able to embed their DoD common access cards (CAC) and personal identity verification (PIV) cards into their mobile devices.

"CBA is currently the only form of phishing-resistant authentication within Azure that is supported on mobile devices, which is an important factor for an organization when deciding which scheme to adopt," said Yubico solutions architect Erik Parkkonen in a blog post. Besides taking some configuration steps within Azure AD and installing the Microsoft Authenticator app on Android or iOS/iPadOS, users must install the Yubico Authenticator app on mobile devices.

Users must then install their personal identity verification (PIV) credential independent of the Azure solution, Parkkonen noted. Further, administrators can deploy Microsoft's latest Conditional Access authentication strength policies to enforce CBA. Microsoft last week released a preview of the new Conditional Access authentication strength capabilities.

Microsoft's Certificate-Based Authentication Enables Phishing-Resistant MFA

In the nearly two years since the company discovered the cyber intrusion, SolarWinds has fundamentally rearchitected its development environment to make it much harder to compromise, CISO Tim Brown tells Dark Reading.

The US Securities and Exchange Commission (SEC) appears poised to take enforcement action against SolarWinds for the enterprise software company's alleged violation of federal securities laws when making statements and disclosures about the 2019 data breach at the company.

If the SEC were to move forward, SolarWinds could face civil monetary penalties and be required to provide "other equitable relief" for the alleged violations. The action would also enjoin SolarWinds from engaging in future violations of the relevant federal securities laws.

SolarWinds disclosed the SEC's potential enforcement action in a recent Form 8-K filing with the SEC. In the filing, SolarWinds said it had received a so-called "Wells Notice" from the SEC noting that the regulator's enforcement staff had made a preliminary decision to recommend the enforcement action. A Wells Notice basically notifies a respondent about charges that a securities regulator intends to bring against a respondent, so the latter has an opportunity to prepare a response.

SolarWinds maintained that its "disclosures, public statements, controls, and procedures were appropriate." The company noted that it would prepare a response to the SEC enforcement staff's position on the matter.

The breach into SolarWinds' systems wasn't discovered until late 2020, when Mandiant found that its red-team tools had been pilfered in the attack.

**Class-Action Settlement**

Separately, but in the same filing, SolarWinds said it had agreed to pay $26 million to settle claims in a class action lawsuit filed against the company and some of its executives. The lawsuit had claimed the company had misled investors in public statements, about its cybersecurity practices and controls. The settlement would not constitute any admission of any fault, liability, or wrongdoing over the incident. The settlement, if approved, will be by paid by the company's applicable liability insurance.

The disclosures in the 8-K Form come nearly two years after SolarWinds reported that attackers — later identified as Russian threat group Nobelium — had breached the build environment of the company's Orion network management platform and planted a backdoor in the software. The backdoor, dubbed Sunburst, was later pushed out to the company's customers as legitimate software updates. Some 18,000 customers received the poisoned updates. But fewer than 100 of them were later actually compromised. Nobelium's victims included companies such as Microsoft and Intel as well as government agencies such as the US departments of Justice and Energy.

**SolarWinds Executes a Complete Rebuild**

SolarWinds has said it has implemented multiple changes since then to its development and IT environments to ensure the same thing doesn’t again. At the core of the company's new secure by design approach is a new build system designed to make attacks of the sort that happened in 2019 much harder — and nearly impossible — to carry out.

In a recent conversation with Dark Reading, SolarWinds CISO Tim Brown describes the new development environment as one where software is developed in three parallel builds: a developer pipeline, a staging pipeline, and a production pipeline. 

"There's no one person that has access to all of those pipeline builds," Brown says. "Before we release, what we do is we do a comparison between the builds and make sure that the comparison matches." The goal in having three separate builds is to ensure that any unexpected changes to code — malicious or otherwise — don't get carried over to the next phase of the software development life cycle. 

"If you wanted to affect one build, you would not have the ability to affect the next build," he says. "You need collusion amongst people in order to affect that build again."

Another critical component of SolarWinds' new secure-by-design approach is what Brown calls ephemeral operations — where there are no long-lived environments for attackers to compromise. Under the approach, resources are spun up on demand and destroyed when the task to which they have been assigned is completed so attacks have no opportunity to establish a presence on it.

**"Assume" a Breach**

As part of the overall security enhancement process, SolarWinds has also implemented hardware token-based multifactor authentication for all IT and development staff and deployed mechanisms for recording, logging, and auditing everything that happens during software development, Brown says. After the breach, the company in addition has adopted an "assumed breach" mentality of which red-team exercises and penetration testing are an essential component.

"I'm in there trying to break into my build system all the time," Brown says. "For example, could I make a change in development that would end up in staging or end up in production?" 

The red team looks at every component and service within SolarWinds' build system, making sure that the configuration of those components are good and, in some cases, the infrastructure surrounding those components is secure as well, he says.

"It took six months of shutting down new feature development and focusing on security alone" to get to a more secure environment, Brown says. The first release SolarWinds put out with new features was between eight and nine months after breach discovery, he says. He describes the work that SolarWinds has put in to bolster software security as a "heavy lift" but one that he thinks has paid off for the company. 

"They were just major investments to get ourselves right \[and\] reduce as much risk as possible in the whole cycle," says Brown, who also recently shared key lessons his company learned from the 2020 attack.

SolarWinds Faces Potential SEC Enforcement Act Over Orion Breach

Fourteen states, including Arizona, Iowa, and Pennsylvania, have called in the Guard to help with election network risk assessments and threat mitigation.

The National Guard has offered its 38 cyber units and 2,200 personnel to state and local election officials in an effort to help shore up cybersecurity during the 2022 US midterm elections.

Politico reported that during the midterm elections, the National Guard will have a Joint Cyber Mission Center staffed with personnel from the National Guard, Cybersecurity and Infrastructure Agency (CISA), and Department of Homeland Security to help coordinate detection and response efforts and thwart cyber threats to the election.

"We will surge during the election to ensure that we have 24 hour coverage throughout this whole process," Maj. Gen. Todd Hunt, adjutant general of the North Carolina National Guard, told Politico. "We are citizen soldiers, we live in this state, and we do have a vested interest in our state elections as well as our federal elections."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

National Guard Cyber Forces 'Surging' to Help States Protect Midterm Elections

One attack used 400 mule accounts to steal money by making fraudulent withdrawals, researchers say.

At least 16 African banks, financial services, and telecommunication companies have been identified as victims of the French-speaking threat group OPERA1ER, which has stolen at least $11 million since 2018. 

A new report from Group-IB explains it has been tracking OPERA1ER's activities since 2019; however, they waited to publish its findings until the group resurfaced after a 2021 break. Now the gang is back in action, the analysts explain, allowing Group-IB to document their OPERA1ER TTPs from 2019 through 2021, as well as the latest iteration in 2022. 

The researchers reported OPERA1ER has successfully breached the targets' systems at least 30 times since 2018. As an example of the group's sophistication and coordination, the report added, one of the of the group's attacks used more than 400 mule accounts to make fraudulent money withdrawals.

The group doesn't use exotic malware, in fact, the researchers said in the report that OPERA1ER's hallmark is easily accessible open source malware and everyday red-team frameworks like Metasploit and Cobalt Strike. OPERA1ER delivers remote access Trojans (RATs) through French-language email phishing lures and takes its time gathering intelligence about its victims before "cashing out," the report added. 

"Detailed analysis of the gang’s recent attacks revealed an interesting pattern in their modus operandi: OPERA1ER conducts attacks mainly during the weekends or public holidays," Rustam Mirkasymov, head of cyber-threat research at Group-IB Europe, said in a statement. "It correlates with the fact that they spend from three to 12 months from the initial access to money theft." 

Mirkasymov added the gang could be based out of Africa and the total number of OPERA1ER group members is unknown. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cybercrime Group OPERA1ER Stole $11M From 16 African Businesses

An analysis by RSA Conference's security operations center found 20% of data over its network was unencrypted and more than 55,000 passwords were sent in the clear.

Even cybersecurity professionals need to improve their security posture.

That's the lesson from the RSA Conference in February, where the security operations center (SOC) run by Cisco and NetWitness captured 55,525 cleartext passwords from 2,210 unique accounts, the companies stated in a report released last week. In one case investigated by the SOC, a chief information security officer had a misconfigured email client that sent passwords and text in the clear, including sensitive documents such as their payment for a professional certification.

While the number of cleartext passwords is an improvement compared with the 96,361 passwords exposed in 2020 and the more than 100,000 sent in the clear in 2019, there is still room for improvement, says Jessica Bair Oppenheimer, director of technical alliances at Cisco Secure.

"As the RSA Conference is mostly attended by cybersecurity professionals and supporting roles within the security industry, we generally consider the demographic to represent more of a 'best-case' level of security awareness," she says. "Somewhat shockingly, unencrypted email is still being used in 2022."

The annual report presents a view into network usage among a security-focused group of users. Cisco and NetWitness emphasized that the wireless network at the RSA Conference is not configured in the most secure way, but configured to be monitored for educational purposes. For that reason, the network has a flat architecture, allowing any device to contact any other device on the network. Host isolation, which allow devices a route to the internet but not to other devices on the network, would be more secure but less interesting.

**User Credentials at Risk**

At approximately 19,900 attendees, the 2022 RSA Conference only had about half the number of people as the previous conference in 2020, but about the same number of users on the network, the report stated.

The major issue was failure to use encryption for the authentication step when using email and other popular applications. Nearly 20% of all data passed through the network in the clear, the report stated.

"Encrypting traffic does not necessarily make one more secure, but it does stop individuals from giving away their credentials, and organizations from giving away corporate asset information in the clear," the report stated.

Yet the situation isn't as bad as it could be. Because the wireless network includes traffic from the show floor, many of the usernames and passwords are likely from demo systems and environments, the report stated. Moreover, most of the cleartext usernames and passwords — almost 80% — were actually leaked by devices using the older version of the Simple Network Management Protocol (SNMP). Versions 1 and 2 of the protocol are considered insecure, while SNMP v3 adds significant security capabilities.

"This is not necessarily a high-fidelity threat," the report stated. "\[H\]owever, it does leak information about the device as well as the organization it's trying to communicate with."

In addition to the continued use of plaintext usernames and passwords, the SOC found that the number of online applications continues to grow rapidly, suggesting that the attendees are increasingly relying on mobile devices to get work done. The SOC, for example, captured unencrypted video camera traffic connecting to home security systems on port 80 and the unencrypted data used for setting up voice-over-IP calls.

**CISO Mistake**

For the most part, the unencrypted traffic is likely from small-business users, the companies stated in the report. "It is difficult to send email in cleartext these days, and analyzing these incidents found similarities," the report stated. "Most of this traffic was to and from hosted domains. This means email services on domains that are family names or small businesses."

Yet in one case, a chief information security officer had misconfigured their email client and ultimately exposed their email username and password by sending the data in the clear. The SOC discovered the issue when it found a receipt for a CISSP payment sent in the clear from an Android-based email client.

"The discovery sparked an investigation that confirmed dozens of emails from and to the person were downloaded across the open network in the unsecure protocol," the report stated.

Companies should verify that the technologies used by employees have created end-to-end encrypted connections and should apply zero-trust principles to check — at appropriate times — that the encryption is still being applied.

"We've found applications and websites that authenticate encrypted and then pass the data without encryption across the open networks," Cisco Secure's Oppenheimer says. "Alternatively, some will pass unencrypted credentials across open networks and then encrypt the data. Both scenarios are less than ideal."

Virtual private networks are not a panacea but can strengthen the security of unencrypted applications. Finally, organizations should use cybersecurity and awareness training to educate their hybrid workers in how to be secure when working from remote locations.

Unencrypted Traffic Still Undermining Wi-Fi Security

SMBs concerned about tightening security budgets despite increased risks.

**WATERLOO, ON, Nov. 7, 2022 /PRNewswire/** — OpenText™ _(_NASDAQ: OTEX), (TSX: OTEX), today released results of the OpenText Security Solutions 2022 Global Small-Medium Business (SMB) Ransomware Survey. Findings show growing concern about ransomware attacks, the impact of geopolitical tensions, and rising inflation rates. Eighty-eight percent of respondents noted they are concerned or extremely concerned about an attack impacting their business.

"SMBs are a sweet spot for hackers to exploit because they often lack cybersecurity resources, both technology and security expertise," said Prentiss Donohue, Executive Vice President, OpenText Security Solutions. "Today's complex threat landscape presents a huge risk to SMBs that don't have sufficient cyber resiliency preparation to stop the spread and recover quickly from an attack. With adversaries becoming increasingly sophisticated and relentless, a multi-layered protection strategy is no longer a nice to have, it is a necessity."

**Spotlight findings:**

**SMBs fear tightening security budgets amid growing concern of increased ransomware risks due to heightened geopolitical** **tensions.**

*   More than half (57%) of SMBs are worried about their cybersecurity budget shrinking amid rising inflation rates.
*   Fifty-two percent of respondents feel more at risk of suffering a ransomware attack because of heightened geopolitical tensions.
*   Eighty-four percent are concerned about a ransomware attack impacting their business.

**There's a concerning lack of awareness among SMBs when it comes to knowing if they've suffered a ransomware attack. Meanwhile, budgets to protect against these risks are low.**

*   Nearly half (46%) of SMBs have experienced a ransomware attack, yet 67% still don't think or aren't sure they are a ransomware target.
*   The majority (60%) of respondents are not confident or only somewhat confident that they can fend off a ransomware attack.
*   Despite many having experienced an attack before, security budgets are minimal to protect against ransomware and other threats:

*   60% spend less than $50,000 per year.
*   50% spend less than $20,000 per year.
*   Only 10% spend more than $50,000 per year.

**Managed service providers (MSPs) are an appealing security option for SMBs to offset resource constraints.**

*   More SMBs outsource their security to an IT provider or MSP than not, with 58% using external security management support.
*   Concurrently, 65% of SMBs that don't currently use a MSP would consider doing so in the future.

**Survey Resources Now Available:**

To learn more about the findings of the OpenText Security Solutions 2022 Global SMB Ransomware Survey, view the infographic (PDF) or read the blog.

**Survey Methodology**

OpenText Security Solutions polled 1,332 security and IT professionals from small and medium-sized businesses (SMBs), up to 1,000 employees, in the United States, the United Kingdom, and Australia from September 24 to October 10, 2022. Respondents represented a range of roles from security and technical employees to the C-Suite, and across multiple industries including technology, retail, education, manufacturing, healthcare and more.

**About OpenText Security Solutions**

As attack surfaces expand, OpenText Security Solutions help organizations of every size achieve cyber resilience with Webroot Security, Carbonite Data Management, BrightCloud® Threat Intelligence, and EnCase Digital Forensics and Threat Response. With a united front of best practices paired with layered solutions, we prevent, detect, and restore small, mid-sized and enterprise business operations in the event of a cybersecurity attack.

**About OpenText**  
OpenText, The Information Company™, enables organizations to gain insight through market leading information management solutions, powered by OpenText Cloud Editions. For more information about OpenText (NASDAQ: OTEX, TSX: OTEX) visit opentext.com.

**Connect with us:**  
OpenText CEO Mark Barrenechea's blog  
Twitter | LinkedIn

Certain statements in this press release may contain words considered forward-looking statements or information under applicable securities laws. These statements are based on OpenText's current expectations, estimates, forecasts and projections about the operating environment, economies and markets in which the company operates. These statements are subject to important assumptions, risks and uncertainties that are difficult to predict, and the actual outcome may be materially different. OpenText's assumptions, although considered reasonable by the company at the date of this press release, may prove to be inaccurate and consequently its actual results could differ materially from the expectations set out herein. For additional information with respect to risks and other factors which could occur, see OpenText's Annual Report on Form 10-K, Quarterly Reports on Form 10-Q and other securities filings with the SEC and other securities regulators. Unless otherwise required by applicable securities laws, OpenText disclaims any intention or obligations to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise.

Copyright © 2022 OpenText. All Rights Reserved. Trademarks owned by OpenText. One or more patents may cover this product(s). For more information, please visit https://www.opentext.com/patents.

**SOURCE:** Open Text Corporation

OpenText Security Solutions Global SMB Ransomware Survey Reveals Heightened Worry About Increased Cyberattacks Due to Geopolitical Tensions

Investment round led by 11.2 Capital, Okta Ventures, and Mango Capital.

**LONDON and SAN FRANCISCO, Nov. 7, 2022 /PRNewswire/** — The newly available SURF zero-trust, identity-first enterprise browser reinforces organizational security by providing the critical visibility necessary to prevent attacks while simultaneously ensuring every user's privacy. The platform streamlines collaboration and delivers easy, secure access to applications and data for managed and unmanaged (BYOD) devices.

"The browser has become the main productivity tool for employees, which has turned it into the largest attack surface as well," said Pramod Gosavi, 11.2 Capital. "We invested because SURF directly addresses companies' security needs without compromising on the productivity and privacy of the end users."

The platform leverages identity first and already has deep integration with Okta's market-leading identity platform and access management (IDP) technology.

"The secure enterprise browser is one of the fastest growing markets," said Austin Arensberg, Senior Director, Okta Ventures. "We wanted to make sure we backed the most comprehensive solution - SURF, which simultaneously delivers on companies' critical priorities of identity, security, and privacy."

Founders Moty Jacob and Ziv Yankowitz spent five years working together as CISO and CTO at London-based ICAP-NEX Group, which was acquired by CME Group (the world's leading derivatives marketplace) for $5.4 billion. They built Chromium-based applications to strengthen security and ease management of financial transactions.

SURF Security was established to allow global enterprises to close security gaps – without affecting productivity -- by collapsing the security stack into one single powerful control point: the enterprise browser.

"Ziv and I have taken a pragmatic approach to building the browser, completely eliminating the trade-off between strengthening security at the expense of agility and productivity. We wanted to be business enablers," says Moty. "After many years of trying to stay one step ahead of threat actors with too many niche tools, we decided to integrate many security tools into a single solution, reinforced with zero trust and identity - while making everything easy for administrators and users."

Led by 11.2 Capital, Mango Capital, Okta Ventures, and security-focused Angel investors, the Seed round, combined with the already expanding customer base, allows the company the resources and support to grow significantly over the coming years.

"SURF has completely rethought browser endpoint security by natively designing the solution around Chromium and CDN/edge platforms, such as Cloudflare and Fastly," said Robin Vasan, Founder and Partner at Mango Capital. "They are also providing tight integration with key identity platforms like Okta and HashiCorp in user and machine identity security respectively, strengthening their market position."

The SURF browser observes every interaction between users and applications to discover policy breaches while enabling complete administrative visibility and control – without collecting individual personal data.

After quick and easy provisioning, enterprises can enforce security controls like DLP, content disarming and reconstruction, phishing prevention, session killswitch, on-the-fly file encryption, browser extension management, device posture checks, transactional MFA, watermarking, and more.

SURF replaces existing tools like VDI, VPN, RBI, DaaS, etc. Instead of adding overhead layers of virtualization, cost, and complexity and fracturing the user experience, the security and access controls are built directly within the browser. Users get full native experiences and streamlined performance, without any middle tiers, as if they were using the consumer version of any browser.

The platform delivers a complete end-to-end zero-trust experience for both on-prem and cloud applications, all built inside the browser. The comprehensive solution eliminates shadow IT, data leakage, social engineering, credential stuffing, unwanted extensions, browser-based attacks, and many other threats. Enterprises can streamline access to all software development tools and processes as well.

The SURF browser is available for Windows, Android, Apple, and Linux.

_Visit SURF at Oktane22 Nov. 8-10 at Moscone West in San Francisco._

**SOURCE:** SURF

Out of Stealth: New SURF Zero-Trust Enterprise Browser

Why are we still doing perfunctory penetration testing when we can be emulating realistic threats and stress-testing the systems most at risk?

I was on a call with a client the other day and she was in a great mood as she shared with me that her company's recent penetration test had come back with zero findings. There were only a few recommendations that were well in line with the goals that she had previously shared with the testing team.

She trusted this team as they had been used for a few years; they knew when she liked the testing performed, how she liked things documented, and could test faster (and cheaper). Certainly, the compliance box was being check with this annual pen test, but was the organization truly tested or protected against any of the most recent cyberattacks? No. If anything, the organization now had a false sense of security.

She also mentioned that their recent tabletop exercise (the portion of the penetration test where key stakeholders involved in the security of the organization discuss their roles, responsibilities and their related actions and responses to the mock cyber breach) for incident response was for ransomware. You _should_ be focused on ransomware if it hasn’t already been covered in previous testing, but what about human risk or insider threat? While, according to recent findings, three out of four cyber threats and attacks are coming from outside of organizations, and incidents involving partners tend to be much larger than those caused by external sources. According to those same studies, privileged parties can do more damage to the organization than outsiders.

So, why are we still doing perfunctory penetration testing when we can be emulating realistic threats and stress-testing the systems most at risk for maximum business damage? Why aren’t we looking at the most persistent threats to an organization using readily available insights from ISAC, CISA, and other threat reports to build realistic and impactful tabletops? We can then emulate that through penetration testing and increasingly realistic stress testing of systems to allow a sophisticated ethical hacking team to help, versus waiting for what is likely an inevitable breach at some point in the future.

Audit organizations and regulators expect companies to perform due diligence on their own tech and security stack, but they are still not requiring the level of rigor that's required today. Forward-looking organizations are becoming more sophisticated with their testing and incorporating their threat modeling tabletop exercises with their penetration testing and adversary simulations (also called red team testing). This helps ensure that they’re holistically modeling threat types, exercising their probability, and then testing the efficacy of their physical and technical controls. Ethical hacking teams should be able to progress from a noisy penetration test to a stealthier adversary simulation over time, working with the client to tailor the approach around touchy and off-limits equipment, such as financial services trading platforms or casino gaming systems.

Red teams are not just the offensive group of professionals pen testing a company’s networks; these days, they are made up of some of the most sought after cyber experts that live and breathe the technology behind sophisticated cyberattacks.

Strong offensive security partners offer robust red teams; organizations should be looking to ensure they can protect and prepare for today’s dangerous cybercriminal or nation-state threat actor. When considering a cybersecurity partner, there are a few things to consider.

**Is This Partner Trying to Sell You Something or Is It Agnostic?**

A legitimate and robust cybersecurity program is built by a team looking to equip your organization with the technology that is right for your circumstances. Not all technologies are one-size-fits-all, and therefore, products shouldn’t be recommended upfront but should be suggested following a thorough review of your company's needs and unique requirements.

**Deriving R&D From Defensive Data**

Find out if their team researches and develops custom tools and malware based on the most recent endpoint detection and response and other advanced defenses. There is no cookie-cutter approach to cybersecurity, nor should there ever be. The tools used to both prepare and defend an organization against advanced cyberattacks are constantly being upgraded and nuanced to combat the criminals' increasing sophistication.

**Get the Best**

Are their offensive security engineers truly nation-state caliber to evade detection and maintain stealth, or are they compliance-based pen testers? Simply put, do you have the best, most experienced team working with you? If not, find another partner.

**Check the Mindset**

Does the team lead with a compliance mindset or one of threat readiness? While compliance checklists are important to ensure you have the basics in place, it is just that: a checklist. Organizations should understand what, beyond the checklist, they need to stay safe 24/7.

Ultimately, find a cyber partner that will ask the hard questions and identify the broadest scope of considerations when analyzing a program. It should offer an offensive solution that will keep your organization one step ahead of the cybercriminals that continues to raise the bar for maximum resilience. Go beyond the pen test!

Beyond the Pen Test: How to Protect Against Sophisticated Cybercriminals

Dark Reading's analysis suggests that Human Security's acquisition of clean.io will significantly expand the company's fraud prevention and anti-malvertising portfolio.

When dealing with a medium as flexible as the Web, it’s impossible for the site owner to fully control what a user sees. The user doesn't need the site's consent to change the user interface or experience through add-ons, custom browser properties, proxies, and firewall settings.

However, certain things are still within the site owner’s control, such as advertiser selection, security, pricing, and content policy. That's the idea behind _site integrity_, that the user or third parties can't try to force a change on the server or the site's backend operations without consent. If someone, or something, can violate site integrity, that is a threat with real business impact.

An example is malvertising, when cybercriminals abuse the programmatic advertising ecosystem to deliver malware to end users via online advertisements. Exposing users to malware is bad enough, but malvertising creates a significant brand reputation problem for the brands and platforms delivering the ads.

How does Human Security's acquisition of clean.io — announced on Thursday for an undisclosed amount — change the market for anti-malvertising technology? Dark Reading's analysis of the two companies suggests that by joining forces, Human Security and clean.io will be able to offer publishers, platforms, and brands a full range of anti-fraud and anti-abuse tools for the advertising ecosystem.

**What's So Great About Clean Humans?**

Safeguarding the advertising ecosystem means ensuring the industry's $500 billion annual ad spend reaches real humans rather than funding criminal schemes. Toward that goal, clean.io employs real-time behavioral protections on the page, as opposed to relying on static creative reviews and pre-scanning techniques offline, according to Human Security. Integrating clean.io's client-side JavaScript behavioral analysis and mitigation to Human Security's Human Defense Platform will make malvertising incredibly costly for bad actors, the company says.

"Human and clean.io have long been strategic partners to help combat two of the most important problems we face in programmatic advertising: malvertising and fraud," Ron Lissack, senior vice president and chief architect at Xandr, said in the release announcing the acquisition. "This type of consolidation in the ecosystem is welcome news and brings with it a true and holistic, 360-degree approach to fighting cybercrime."

**A Solution to the Cart Problem**

Many merchants and retailers rely on coupons to help boost sales (more than 90% of online consumers say they search for and use coupon codes while shopping online), but when those coupons are abused, they have to deal with lost revenue and damaged brand reputation. Between taking the hit on the coupons themselves, having to pay affiliate fees to the coupon app folks, and getting false impressions about the success of certain ad campaigns, coupon fraud is no joke.

Fraud prevention is Human's bread and butter, and Dark Reading's analysis suggests that cart protection is one of the areas that will benefit from the clean.io acquisition. Human Security can expand its concept of site integrity to include fighting checkout fraud and automated coupon and affiliate code replication. By integrating clean.io's cleanCart technology into its BotGuard product, Human Security can expand coverage beyond the detection and elimination of fake leads from the first-party marketing pool.

This combination will eliminate fake affiliates from the pool in some cases, and in others drastically reign in affiliate payouts for out-of-scope automated coupon redemptions.

It's a potent combination; cleanCart was already boasting a 3% conversion rate boost, while claiming to pay for itself entirely within 90 days of purchase. Add BotGuard's improvement to lead quality and conversion rates, and the percentage of fraudulently sourced clients making it through the checkout process should be low.

**Final Analysis**

Human Security is creating a significant pattern of scalable growth through innovation and acquisition. While the recent merger with PerimeterX took them deep into the enterprise e-commerce checkout process, the clean.io acquisition will help stop fraud at its source through its anti-malvertising leadership and bridge the gap, making potential tech partnerships with e-commerce solutions as a whole (Shopify, WooCommerce, et al.) and cart-specific solutions (X-Cart, OpenCart, etc.) even more attractive.

The acquisition of clean.io by Human Security should give a significant boost to the company's real-time fraud detection capabilities and increase its ability to catch novel threats in the wild. The sheer amount of threat intelligence the combined company will have visibility into is another significant product advantage.

"With the clean.io acquisition, the Satori team will gain invaluable talent and threat intelligence. This will help us defend our customers from future attacks and support disruption efforts like 3ve, Methbot, PARETO, and most recently, Scylla," Gavin Reid, vice president of threat intelligence and research at Human Security, said in a statement. "We're looking forward to expanding our investigative power and strengthening our takedown mechanisms to continue safeguarding all of our clients and the industry as a whole."

Source

DARKReading