ICS/OT Security joins the lineup of 14 cybersecurity topic sections on the media site.

Dark Reading this week launched a new section — ICS/OT Security — focused on covering breaking news, technology trends, and insights into issues for securing industrial control systems and operational technology environments.

The industrial sector long has been a critical topic in Dark Reading's comprehensive news coverage — we've been pioneering and reporting on news and topics in this space for nearly two decades, with in-depth coverage of the game-changer Stuxnet attack as well as Triton/Trisis, the Ukraine power grid attack, and Colonial Pipeline, and many other key research findings and technology advancements in OT. 

Dark Reading's new ICS/OT Security section will help cybersecurity professionals navigate the challenges and trends unique to OT security, as well as the security implications of the convergence of IT and OT networks, including the relationship between the teams that manage securing the business network and those who manage securing the industrial one. 

This section will provide the latest news and analysis on threats and attacks against OT environments, as well as security tools, technologies, and strategies for protecting ICS and OT networks. This includes industrial systems such as medical devices and equipment, building automation systems, PLCs, SCADA, robotics systems, and other critical infrastructure components. 

Dark Reading already publishes a section dedicated to non-industrial IoT (Internet of Things) topics.

In keeping with the editorial mission of Dark Reading, the new ICS/OT Security section aims to provide you with the best and most in-depth ICS/OT security content to help you do your job on a day-to-day basis. If there are topics you'd like to see covered, news tips you would like to share — or if you'd like to tell us how we're doing, please ping us via \[email protected\].

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Dark Reading Launches New Section Dedicated to ICS/OT Security

A pair of Microsoft bugs allow cyberattackers to bypass native Windows Internet download security, says former CERT CC researcher who discovered the flaws.

Two separate vulnerabilities exist in different versions of Windows that allow attackers to sneak malicious attachments and files past Microsoft's Mark of the Web (MoTW) security feature.

Attackers are actively exploiting both issues, according to Will Dormann, a former software vulnerability analyst with CERT Coordination Center (CERT/CC) at Carnegie Mellon University, who discovered the two bugs. But so far, Microsoft has not issued any fixes for them, and no known workarounds are available for organizations to protect themselves, says the researcher, who has been credited with discovering numerous zero-day vulnerabilities over his career.

**MotW Protections for Untrusted Files**

MotW is a Windows feature designed to protect users against files from untrusted sources. The mark itself is a hidden tag that Windows attaches to files downloaded from the Internet. Files that carry the MotW tag are restricted in what they do and how they function. For example, starting with MS Office 10, MotW-tagged files open by default in Protected View, and executables are first vetted for security issues by Windows Defender before they are allowed to run.

"Many Windows security features — \[such as\] Microsoft Office Protected view, SmartScreen, Smart App Control, \[and\] warning dialogs — rely on the presence of the MotW to function," Dormann, who is presently a senior vulnerability analyst at Analygence, tells Dark Reading.

**Bug 1: MotW .ZIP Bypass, with Unofficial Patch**

Dormann reported the first of the two MotW bypass issues to Microsoft on July 7. According to him, Windows fails to apply the MotW to files extracted from specifically crafted .ZIP files.

"Any file contained within a .ZIP can be configured in a way so that when it's extracted, it will not contain MOTW markings," Dorman says. "This allows an attacker to have a file that will operate in a way that makes it appear that it did not come from the Internet." This makes it easier for them to trick users into running arbitrary code on their systems, Dormann notes.

Dormann says he cannot share details of the bug, because that would give away how attackers could leverage the flaw. But he says it affects all versions of Windows from XP on. He says one reason he has not heard from Microsoft likely is because the vulnerability was reported to them via CERT's Vulnerability Information and Coordination Environment (VINCE), a platform that he says Microsoft has refused to use.

"I haven't worked at CERT since late July, so I cannot say if Microsoft has attempted to contact CERT in any way from July on," he cautions.

Dormann says other security researchers have reported seeing attackers actively exploiting the flaw. One of them is security researcher Kevin Beaumont, a former threat intelligence analyst at Microsoft. In a tweet thread earlier this month, Beaumont reported the flaw as being exploited in the wild.

"This is without a doubt the dumbest zero day I’ve worked on," Beaumont said.

In a separate tweet a day later, Beaumont said he wanted to release detection guidance for the issue but was concerned about the potential fallout.

"If Emotet/Qakbot/etc find it they will 100% use it at scale," he warned.

In an emailed comment a Microsoft spokeswoman said the company is "aware of the technique and are investigating to determine the appropriate steps to address the issue_."_  The statement did not say which of the two MoTW related issues Microsoft is investigating or might be planning to address. Meanwhile, Slovenia-based security firm Acros Security last week released an unofficial patch for this first vulnerability via its 0patch patching platform.

In comments to Dark Reading, Mitja Kolsek, CEO and co-founder of 0patch and Acros Security, says he was able to confirm the vulnerability that Dormann reported to Microsoft in July. 

"Yes, it is ridiculously obvious once you know it. That's why we didn't want to reveal any details," he says. He says the code performing the unzipping of .ZIP files is flawed and only a code patch can fix that. "There are no workarounds," Kolsek says.

Kolsek says the issue is not difficult to exploit, but he adds the vulnerability alone is not enough for a successful attack. To exploit successfully, an attacker would still need to convince a user into opening a file in a maliciously crafted .ZIP archive — sent as an attachment via a phishing email or copied from a removable drive such as a USB stick for instance.

"Normally, all files extracted from a .ZIP archive that is marked with MotW would also get this mark and would therefore trigger a security warning when opened or launched," he says, but the vulnerability definitely allows attackers a way to bypass the protection. "We are not aware of any mitigating circumstances," he adds.   

**Bug 2: Sneaking Past MotW With Corrupt Authenticode Signatures**

Kolsek noted that his firm has a patch candidate ready for the second issue as well and should release it by Friday.

This second vulnerability involves the handling of MotW tagged files that have corrupt Authenticode digital signatures. Authenticode is a Microsoft code-signing technology that authenticates the identity of the publisher of a particular piece of software and determines whether the software was tampered with after it was published.

Dormann says he discovered that if a file has a malformed Authenticode signature, it will be treated by Windows as if it had no MotW; the vulnerability causes Windows to skip SmartScreen and other warning dialogs before executing a JavaScript file.

"Windows appears to 'fail open' when it encounters an error \[when\] processing Authenticode data," Dormann says, and "it will no longer apply MotW protections to Authenticode-signed files, despite them actually still retaining the MotW."

Dormann describes the issue as affecting every version of Windows from version 10 on, including the server variant of Windows Server 2016. The vulnerability gives attackers a way to sign any file that can be signed by Authenticode in a corrupt manner — such as .exe files and JavaScript files — and sneak it past MOTW protections.

Dormann says he learned of the issue after reading an HP Threat Research blog from earlier this month about a Magniber ransomware campaign involving an exploit for the flaw.

It's unclear if Microsoft is taking action, but for now, researchers continue to raise the alarm. "I have not received an official response from Microsoft, but at the same time, I have not officially reported the issue to Microsoft, as I'm no longer a CERT employee," Dormann says. "I announced it publicly via Twitter, due to the vulnerability being used by attackers in the wild."

Windows Mark of the Web Zero-Days Remain Patchless, Under Exploit

A credential-stealing attack that spoofed LinkedIn and targeted a national travel organization skates past DMARC and other email protections.

A phishing email purportedly from LinkedIn with the subject line "We noticed some unusual activity" was discovered targeting users at a travel organization, in an attempt to pilfer their credentials on the social-media platform.

The phishing campaign slipped past Google's email security controls after cheating email authentication checks via SFP and DMARC, according to Armorblox, whose email security system at the victim organization found and stopped the attack pointed at some 500 user inboxes.

"The main call-to-action button (_Secure my account_) included within the email contains a bad URL and took victims to a fake landing page. This fake landing page ... mimicked a legitimate LinkedIn sign in page that included LinkedIn logos, language, and illustrations that mirrored true LinkedIn branding," Armorblox wrote in a post about the attack campaign.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

LinkedIn Phishing Spoof Bypasses Google Workspace Security

Ursnif, a one-time banking Trojan also known as Gozi, becomes the latest codebase to be repurposed as a more general backdoor, as malware developers trend toward modularity.

Threat groups continue to recycle code from older tools into more generalized frameworks, a trend that will continue as the codebases incorporate more modularity, security experts said this week.

In the latest example, the threat group behind Ursnif — aka Gozi — recently moved the tool away from a focus on financial services to more general backdoor capabilities, cybersecurity services firm Mandiant stated in an analysis. The new variant, which the company has dubbed LDR4, is likely intended to facilitate the spread of ransomware and the theft of data for extortion.

The modular malware joins Trickbot, Emotet, Qakbot, IcedID, and Gootkit, among others, as tools that started as banking Trojans but have been repurposed as backdoors, without requiring the development effort of creating an entirely new codebase, says Jeremy Kennelly, senior manager for financial crime analysis at Mandiant.

"The developers working on banking Trojans have taken multiple approaches to retooling their malware as a backdoor to support intrusion operations, though a major code rewrite hasn’t generally been deemed necessary," he says. "These malware families — at their core — are just modular backdoors that have historically loaded secondary components enabling 'banker' functionality."

Mandiant's analysis of Ursnif points out that maintaining multiple codebases is a challenging task for malware developers, especially when one mistake could give defenders a way to block an attack and investigators a way to hunt down the attacker. Maintaining a single modular codebase is much more scalable, the company's analysis this week stated.

**A Malware Movement Toward Backdoor Modularity**

It's unsurprising that malware developers are moving to more general and modular code, says Max Gannon, a senior intelligence analyst at Cofense.

"In some cases, a purpose-built remote access Trojan (RAT), traditionally viewed as a backdoor, may be more conducive to the threat activity," he says. "However, a lot of threat actors want more than just a backdoor, and many commodity malware families have morphed to become multipurpose tools that simply include backdoor access."

The specialization of tools in the cybercriminal underground is also a reason why older codebases are being repurposed. By focusing specific tools on areas of attack — such as initial access, lateral movement, or data exfiltration — the developers of these tools are able to differentiate themselves against competitors and offer a unique set of features. Using existing codebases also saves time, and making such projects modular allows the tool to be customized for the customer's — read, "attacker's" — needs, says Jon Clay, vice president of threat intelligence at Trend Micro.

"The coders behind many of these toolkits create them and sell them within the cybercriminal underground markets, as they offer newbies and other malicious actors with a ready-made kits for executing attacks," he says. "Many of these offer automations now as well as GUI interfaces to manage the attacks and victim information/data."

The original Ursnif code appeared in the mid-2000s. The Zeus banking Trojan — used in thefts of tens of millions, and likely hundreds of millions, of dollars — has had a similar trajectory, with its adoption accelerated by a source code leak. Another banking Trojan, Emotet, has now become a general backdoor, allowing its development group to offer access as a service to other cybercriminals, a business relationship also demonstrated by Qakbot, another Trojan initially created as a banking Trojan.

All of these programs had the benefit of modularity, says Mandiant's Kennelly.

"All bankers that have been broadly repurposed as backdoors were already modular, which has the added benefit of limiting the complexity of the core malware while providing significant operational flexibility," he says. "These established malware families also had a proven track record and general familiarity to the actors using them."

**Swiss Army Knife Malware Delivery**

Rather than changes in functionality, a lot of the evolution in categorizing attackers tools has come about because labeling has had to catch up to changes in the malware design. By redesigning the codebases to be modular, defining a tool as a single thing — whether a banking Trojan, a spam bot, or a worm — becomes much more difficult. Adding a single new module would change the label for the code.

In the past, for example, computer viruses spread by infecting files, while worms used automated scanning and exploitation to spread quickly and more widely. However, a number of Trojans incorporated either or both functionality, leading to a more general term: malicious software, or malware.

A similar evolution has happened around the classification of attacker tools. Programs that were originally considered to be banking Trojans, RATs, or a scanning tools are now capabilities of more general frameworks, says Codefense's Gannon.

"If we think of a backdoor as software that sits on a machine to provide access that skirts normal security measures, banking Trojans inherently act as backdoors in order to perform their usual functions, so almost any banking Trojan can be used as one without the need for many changes," he says. "The difference is often simply in the intent of the user."

**How to Protect Against Modular Malware**

To combat the threat, companies should have tools that look for telltale signs that a backdoor or RAT are being used inside their network. Since phishing attacks are a common way to compromise end user's systems, multifactor authentication (MFA) and employee training can also help harden businesses against attacks.

Overall, having visibility into change to systems and anomalous traffic on the network can help immensely, Trend Micro's Clay says.

"The main thing to know is that in many cases there are early signs of these tools being used within the organization and that if seen," he says, "they should be taken very seriously that there is likely an active campaign against them."

Threat Groups Repurpose Banking Trojans into Backdoors

A more secure organization starts with stronger alignment between HR and the IT operation.

A common shortcoming of human resources (HR) departments is that — despite being an operation designed to put humans at the center of how an organization is run — they often fail to adequately align with their IT counterparts and the core technology systems that define how a business is run and protected from cyber-risk.

Insufficient coordination between HR and IT processes and procedures remains common and gives rise to security gaps that can represent some of the most dangerous vulnerabilities on a company's attack surface. Let's examine the scope of the challenge and some key cyber-asset management priorities that can close the schism for a more robust cybersecurity posture.

**Elevating HR's Role in Securing the Enterprise**

Gone are the days when HR's role in securing the enterprise relied on basic tutorials for employees about protecting passwords on company equipment. Today's threat environment intersects with the workforce in more ways than ever — from BYOD and authentication gaps to user vulnerabilities that make spear-phishing seem quaint. Traditional social engineering attacks are now being augmented by zero-click exploits that compromise employee devices without the user ever having to click a link or take any action at all.

Beyond malicious threats, even routine HR processes can introduce risk to the organization when they're not adequately aligned with the IT processes in an organization. As just one example, when an employee leaves a company, the offboarding goes far beyond just the exit interview to also include removing access to multiple enterprise systems, accounts, and devices — all of which require close coordination between HR and IT personnel and systems.

To better secure the enterprise, it's mission-critical to get HR and IT more united in a common and advanced understanding of cyber hygiene and risk mitigation. This relies on enhanced awareness of the impact that HR processes have on cyber assets in other parts of the organization, as well as the HR role in access management for employees and contractors. This requires asset visibility that must be ongoing and in real time, since our roles, devices, and access to data and systems may change multiple times over the course of our employment.

**Three Priorities for Better Cyber-Asset Visibility and Alignment Between HR and IT**

Any lack of IT coordination across the many integration points and business systems involved in the HR operation creates risk for the company. There must be an effort toward more visibility and synergetic business processes to align HR operations with the organization's larger IT estate. Here are three priorities for achieving this:

*   **Increase the data IQ among HR professionals:** Data literacy among domain-specific business analysts is important, and that message needs to get louder within the HR community. The more HR professionals can understand the technology implications of their work, the more they can help protect the IT estate as their processes and policies play out in the workforce.

*   **Fully integrate HR as a well-represented domain in the IT estate:** Unison between the HR department and the IT department security relies heavily on the alignment of their respective business processes. Ideally, this integration should include predefined, HR-specific compliance frameworks within the cyber-asset management domain that can be applied to all existing and future cyber assets. There should also be clear coordination with IT on HR's role in employee access to systems, files, and data.

*   **Automation is essential:** HR's digital reach into the organization is such that automation will inevitably be needed. As an example, let's return to the case of employee offboarding. Especially with the current "great resignation," the multiple IT tickets generated by each offboarding can pile up and lead to backlogs that expose the company to unnecessary risk, unless automation is introduced to handle more of these HR-related processes and handle them more quickly.

These priorities underscore the pivotal role cyber-asset management plays at the nexus of HR and IT operations. Better adherence to common data standards, a rigorous cloud tagging schema, and other cyber-asset management basics can streamline and scale the ability for HR and IT teams to work seamlessly together. The result is more visibility and control, and a single source of truth around where and how HR and IT operations affect each other, a clarity that enhances the overall security of the enterprise.

HR Departments Play a Key Role in Cybersecurity

Cybersecurity pros discuss a trio of lessons from the Equifax hack and how to prevent similar attacks in the enterprise.

On the morning of Sept. 7, 2017, US credit bureau giant Equifax announced hackers had infiltrated its network and exfiltrated customer names, Social Security numbers, birthdates, and addresses. The news of the breach — which compromised the private records of 147.9 million Americans (almost 50% of the entire US population), 15.2 million Britons, and almost 19,000 Canadians — immediately created pandemonium across organizations, forcing many business leaders to reconsider their security postures. Much has changed over the past five years, but the lessons from the Equifax breach are still relevant for enterprises.

Equifax didn't reveal the breach as soon as it discovered it — the company sat on the information for more than a month. It was the perfect antithesis: A business known to provide credit score rating, fraud solutions, financial marketing, and analytical services had been hacked. The attackers had gotten in through an unpatched vulnerability in Apache Struts. The worst part? Apache had already warned about the flaw and a patch was available.

"The Equifax breach is a unique attack in that a conscious decision was made by a company and its leadership: not to patch the vulnerability when the software vendor announced the vulnerability and provided the patch," says James Turgal, vice president of cyber risk, strategy, and board relations at Optiv.

The attack, now linked to four hackers from the Chinese military, represents one of the most sweeping attacks conducted against US businesses by foreign nationals. Industry experts discuss with Dark Reading what lessons to draw from the breach and how organizations can prevent similar threats in their environments.

**Data Management Is Still an Enterprise Problem**

"Equifax shows that organizations need to focus on data management," Adam Marrè, CISO at Arctic Wolf and former FBI special agent/cyber investigator, tells Dark Reading.

"With so many different IT and security priorities, companies aren't thinking about data management in the right ways. Most organizations only think about how best to monetize data or how to use it to serve their customers, but they often miss the significant increase in risk that storing the data brings."

Turgal agrees, noting that enterprises and individuals are at risk of data exfiltration and identity theft.

"Every day, companies large and small fall victim to identity theft," he says. "Both the high volume of activity and large transactions occurring at the corporate level attract threat actors, using data that typically has been exfiltrated from another breach by a separate threat actor and sold to the highest bidder to impersonate the identity of a business to commit fraud."

Gartner estimates that until 2025, "80% of organizations seeking to scale digital business will fail because they do not take a modern approach to data governance." That's a lot of businesses, and it's a figure that Marrè agrees with.

"In my experience, most companies don't have a comprehensive picture of how they collect, store, and manage data," he says. "Especially from a security standpoint, most businesses have no idea who has access to what data, how to properly classify it, how to protect it, and even how to set up data retention policies to properly get rid of it. By focusing on these aspects, businesses can transform their data strategies and further protect themselves and their customers."

Turgal suggests that organizations can safeguard data and identity by doing the following:

*   Include artificial intelligence and machine-learning technologies into the business processes to quickly spot anomalous behavior.
*   Review and update access permissions and utilize data encryption when the data is in transit and at rest.
*   Establish protocols for user provisioning and deprovisioning of regular and privileged access holders.
*   Continually educate employees on how to minimize risk.

**Enterprises Aren't Paying Attention to the Basics**

The fundamentals of cybersecurity are still lacking in several enterprise efforts at securing user data. Leaning on his experience in the FBI and private sector, Marrè says he has seen so many organizations that are not adequately prioritizing security. With security incidents at high-profile businesses and rampant ransomware and extortion attacks worldwide, organizations can no longer afford to ignore or sideline their security, he says.

"Although there are new and exciting technologies that are aimed at solving different attack vectors, focusing on successfully executing the fundamentals of cybersecurity remains the most effective strategy," Marrè says. "When it comes to protecting your organization and your data, prevention is good, but detection is a must."

Many attacks can be avoided by implementing zero-trust architecture to the letter. In hindsight, for example, the Equifax attack could have been prevented if the organization had paid more attention to the multiple threat warnings the company had received before the hack.

The Equifax breach was "a strong example of why enterprises should evaluate their data to understand the business need and ensure it is classified appropriately," says Andrew Bayers, head of threat intelligence at Resilience, adding that data should be stored and transmitted securely — and ultimately retained for only the amount of time needed.

**Cyber Resilience Needs Action, Not Reaction**

While it's true that some players in the enterprise are investing heavily in cybersecurity, several others are still lagging — giving malicious actors an opening to capitalize on discrepancies and take control of critical data assets. Although its activities are not immediately noticeable, a proactive cybersecurity team is worth its weight in gold.

"Having a skilled security team is the backbone of a sound cybersecurity strategy," Marrè says. "Whether it's a world-class team from a partner or in-house experts, this should be a priority for all companies."

To become cyber resilient, Bayers adds, organizations should identify vulnerabilities in their systems and prioritize patching according to the risks they pose.

Equifax's Lessons Are Still Relevant, 5 Years Later

Led by NTTVC, the funding enables further development of Cloud Native Intrusion Prevention from the team that invented Network Intrusion Prevention Systems.

AUSTIN, Texas, Oct. 25, 2022 /PRNewswire-PRWeb/ — Spyderbat, a cloud native runtime security company, today announced it has raised $10 million in Series A funding. The funding was led by NTTVC with participation from LiveOak Venture Partners, Benhamou Global Ventures and John McHale to fuel product development and go-to-market activities.

The Enterprise shift-left trend toward a more embedded approach to security in the continuous integration and continuous delivery (CI/CD) pipeline requires new innovation. While organizations adopt strategies to reduce exploitable vulnerabilities in cloud native environments, it has proven insufficient to defend against breaches. The rate of change enabled by cloud provisioning and microservice architectures increase the probability of misconfigurations and missed known and unknown vulnerabilities. Additionally, the dependencies on third-party components increase the probability of supply chain compromises and zero-day attacks. Spyderbat addresses these needs with capabilities that integrate runtime security throughout the lifecycle.

CEO Marc Willebeek-LeMair and CTO Brian Smith, co-founders of Spyderbat, are no strangers to intrusion prevention systems (IPS). As the original founders of TippingPoint, Willebeek-LeMair and Smith invented the network IPS in the early 2000s.

"As we grew closer to understanding the fundamental security concerns in cloud native environments, we recognized the need for a brand-new approach," states Willebeek-LeMair. "Traditional detection methods, along with the rate of change found in cloud native environments, create inaccurate findings that require teams to investigate each with limited data. This leads to high volumes of interrupt-driven efforts that are inconclusive. DevOps and Platform Engineering teams need an accurate understanding of what is happening before automation can occur and a broader protection solution."

The Spyderbat SaaS platform boasts three critical capabilities for detecting and blocking intrusions attacking known and unknown vulnerabilities:

*   Runtime Visibility -Spyderbat generates live detailed mapping and historic contextual visibility across Kubernetes, container and VM  
    environments to enable DevOps and Platform Engineering teams' immediate visibility to the root cause of security and operational issues. 
*   Runtime Delta - Armed with the ability to capture runtime activities with causal context, Spyderbat's Runtime Delta enables development teams to rapidly and securely iterate within guard rails, using an automated understanding of runtime behavior differences between builds and environments.
*   Runtime Intrusion Prevention - Spyderbat provides the industry's broadest form of protection that blocks attacks against cloud-native  
    workloads throughout the software development lifecycle, including supply-chain attacks, compromised credentials, ransomware, and  
    cryptojacking.

In addition to the platform's core capabilities, Spyderbat Labs produces continuous actionable intelligence updates to the Spyderbat platform by performing threat research for cloud native environments. Spyderbat Labs creates Shields to stop attacks against known vulnerabilities, packaged baseline policies to built-in Linux and Kubernetes services, and Attack Detections mapped to MITRE ATT&CK techniques.

"Spyderbat opens the doors to a new level of security and operational awareness," states Aldo Gonzalez, CTO at Client Support Software. "It identifies previous unknowns that require my attention, allowing me to easily see the whole picture and take action."

"It is not about detecting individual activities that may or may not indicate a compromise," adds Smith. "What separates Spyderbat is a complete understanding of runtime activities to recognize new workload behaviors or connect threat indicators to each other and their root cause. This context enables early detection and accuracy, with a thorough understanding of the intrusion that enables automation to block it."

"Spyderbat's platform offers early cloud-native intrusion prevention, which is critical for enterprises in today's complex and high-threat environment," said Fay Hazaveh Costa, Partner at NTTVC. "We are looking forward to supporting the Spyderbat team and helping to fuel their next phase of growth."

In addition to its core offering, Spyderbat separately announced today its Open-Source program. Spyderbat is exhibiting at KubeCon+CloudNativeCon October 26th through October 28th. Learn more about Spyderbat's solution for cloud native runtime security by visiting their booth #SU45.

**About Spyderbat**

  
Spyderbat delivers cloud native runtime security to customers with unprecedented precision in intrusion prevention and mitigation. Founded in 2019 on the recognition that the manual processes of traditional security operations are completely ineffective in rapidly changing cloud environments, Spyderbat is making threat prevention and security operation automation available with a platform for early, accurate, and thorough recognition of attacks. To learn more about Spyderbat's solutions, open-source projects, career opportunities, or to begin using Spyderbat's free tier, visit http://www.spyderbat.com.

Spyderbat Raises Series A to Deliver Runtime Security Throughout Cloud Native Software Development Environments

New report shows 75% of MSPs will invest in security threat intelligence services in the next 12 months to help businesses combat increased threats.

**MIAMI, FL / ACCESSWIRE / October 25, 2022** — Lumu, the creator of the Continuous Compromise Assessment cybersecurity model that empowers organizations to measure compromise in real-time, has partnered with Enterprise Management Associates (EMA) to conduct an independent survey exploring why MSPs are focusing on growing their cybersecurity practices, cites their most pressing concerns when it comes to threats and offers guidance on how MSPs can build a security stack effectively.

"There's been a monumental shift in threat actors' operations, which have led SMBs to face a higher risk of targeted security breaches," said Ricardo Villadiego, Founder and CEO of Lumu. "Now more than ever, entrepreneurs and small business leaders need to understand the heightened need for cybersecurity. With that awareness comes the need to implement a comprehensive cybersecurity program, but not every small business has the means to do so in-house. MSPs that can effectively meet the current needs of SMBs will gain market share and see significant growth opportunities."

The "MSP Cybersecurity Market Opportunity Blueprint" study found that:

*   In the next 12 months, 75% of MSPs are planning to invest in security and threat intelligence, 66.2% in threat detection and response, 66.2% in real-time attack visibility and 50% in forensics and incident response.
*   The most important concerns of MSPs when it comes to protecting customers from cyber threats are malware (77.9%), ransomware (70.6%), business email compromise (64.7%), and phishing (69.1%).
*   More simplistic malware techniques are enough for cyber-criminals to compromise SMBs, while larger organizations must employ more sophisticated and scalable techniques. Cyberattacks on small businesses consist mainly of malware (60%).
*   The top fears MSPs are around when/if customers experience a cyberattack are operational downtime (69.1%), losing the trust of your customers (64.7%), financial losses (63.2%), and reputational losses (61.8%).

Based on the findings of the report, EMA recommends five steps that MSPs should follow to start or evolve their cybersecurity practice:

*   **Customers' network-level threat visibility is vital:** MSPs should develop methods to identify any and all traces of compromise in the network because it will help MSPs minimize damage and avoid disruption.
*   **Ensure scalability through effective tools:** MSPs should favor SaaS-based commercially available solutions that can grow effectively with the MSP - tools built to effectively use cybersecurity talent, so they spend their time effectively.
*   **Leverage response automation:** MSPs achieve great levels of efficiency by combining real-time attack monitoring with integration capabilities that use out-of-the box or API techniques for data exchange and touchless response.
*   **Understand the pricing thoroughly:** MSPs need flexible pricing that matches the services delivered to their customers to not get locked into unfavorable long-term contracts which are undesirable considering the changing threat landscape.
*   **Protect the human element:** With phishing and other social engineering techniques increasing in sophistication and effectiveness, MSPs should train their staff and users across their customer base to identify and report these threats.

"We foresee that more than half of SMBs will part ways with MSPs that fail to address cybersecurity needs effectively and seek out alternative solutions," said Chris Steffen, Managing Research Director at EMA. "There's a huge opportunity for MSPs to get ahead of this and invest in security areas that are most prevalent to SMBs in the next 12 months such as security threat intelligence services, threat detection and response, real-time attack visibility, and forensic and incident response. The MSPs that prioritize these areas will be at an advantage over competitors and will be better equipped to grow their customer base."

To view the full findings of the MSP Cybersecurity Market Opportunity Blueprint report please download https://lumu.io/msp-growth-blueprint/.

**About Lumu**  
Headquartered in Miami, Florida, Lumu is a cybersecurity company focused on helping enterprise organizations illuminate threats and isolate confirmed instances of compromise. Applying principles of Continuous Compromise Assessment, Lumu has built a powerful closed-loop, self-learning solution that helps security teams accelerate compromise detection, gain real-time visibility across their infrastructure, and close the breach detection gap from months to minutes. Learn more about how Lumu illuminates network blindspots at www.lumu.io.

**About EMA**  
Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that specializes in going "beyond the surface" to provide deep insight across the full spectrum of IT management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals.

Learn more about EMA research, analysis, and consulting services for enterprise IT professionals, and IT vendors at www.enterprisemanagement.com or follow EMA on Twitter or LinkedIn.

MSP Market Opportunity Report Finds Cybersecurity as Primary Growth Driver as SMBs Lack Resources to Develop Security Program In-House

**PITTSBURGH, PA – October 25, 2022** — Security Journey, a best-in-class application-security education company, today launched a report revealing that security experts across industry and academia are calling for greater focus on programmatic secure coding training to solve the ‘AppSec dilemma’. As a group, the application security leaders acknowledged the gap that academia has left when teaching developers how to deliver code securely, and outlined the ways enterprises can make this education possible.

Currently, none of the top 50 undergraduate computer science programs in the U.S. require a course in code or application security . Yet the attack surface is growing; new vulnerabilities within the NIST National Vulnerability Database increased by over 200% from 2015 to 2021. The Security Journey report was born out of a roundtable discussion, conducted during cybersecurity awareness month, to find a solution to this lack of secure coding education for developers and others involved in the Software Development Lifecycle (SDLC).

Roundtable participants include a Professor in the Human Computer Interaction Institute at Carnegie Mellon University, a Program Manager for Security Awareness and Education, Security Journey’s CEO, Director of Content Engineering, and Security Education Evangelist, Amy Baker, as Moderator. The roundtable established key differences between security ‘awareness’ and ‘education’, noted the areas that AppSec regulation can go further, and concluded that enabling more continuous and programmatic education is essential.

To make this education possible, the report from the roundtable discussion identifies key shifts that organizations need to make, which include:

*   **Investment needs to be driven down from the top**: Key decision-maker, financial, and organizational support to advance ‘shift left’ initiatives.
*   **Training must be relevant to each professional:** Training programs bespoke to the challenges that developers face in their day-to-day, complementing their current stage of knowledge.
*   **Industry and academia collaboration:** Computer science and computer engineering professors examining curriculum to ensure security is included, making it easier for industry to embrace security from the start.

“Education is an underrated but essential part of computer security. The industry is currently severely under-educating all developers out there on really basic aspects of security and it’s hurting organizations.” Says Jason Hong, Professor in the Human Computer Interaction Institute at Carnegie Mellon University. “Education in academia and industry now needs to start focusing more on the human side of things – how do we improve people’s knowledge, where are their biggest gaps in understanding, and how do we incentivize and motivate not just developers but the corporations that employ them?”

Amy Baker, Security Education Evangelist at Security Journey added, “We need to bridge the gap between what development teams need to know about cybersecurity, and what education is provided to them either as part of undergraduate curriculum or by their employers. It’s not an impossible feat by any means, and we have a truly exciting opportunity now to improve application security knowledge in industry and academia.

To read all insights from the Security Journey Education vs. Awareness roundtable discussion, download the full paper.

**About Security Journey**

Security Journey helps enterprises reduce vulnerabilities through application security education for developers and everyone in the SDLC. Their programmatic approach provides video-based and text-based lessons along with live sandbox code experiments and real-world application exercises. All culminating in a collective security-first culture among development teams.

HackEDU’s spring 2022 acquisition of Security Journey brings together two powerful platforms to provide application security education for developers and the entire SDLC team. The two officially became one in August 2022 and are now Security Journey. Two approaches, one path to build a security-first development culture. Learn more and try our training at www.securityjourney.com.

Security Leaders are Calling for Industry to Take Action and Programmatically Improve Secure Coding Education

BILBAO, Spain, Oct. 25, 2022 /PRNewswire/ — SealPath, a leading provider of zero-trust data-centric security and enterprise digital rights management, announced the launch of SealPath Data Classification powered by Getvisibility, leveraging the latest Artificial Intelligence and Machine Learning technologies to provide their customers with an advanced standard of visibility, protection, control, and a dynamic understanding of their data as it is being created.

This innovative AI-enhanced data classification solution provides the insights and continuous automated protection that enterprise customers need to securely and accurately classify data over its entire lifecycle. Thus, organisations across multiple business verticals gain the ability to prevent data leaks and achieve compliance with the strictest data protection regulations.

With SealPath's classification, the user receives suggestions about the classification level when creating and editing a document. The software learns and adapts to different document types, continuously improving accuracy through AI, and allows organisations to classify unstructured information with unprecedented confidence.

SealPath's information protection is 100% integrated with the new intelligent data classification system so that those files labeled with a certain classification level or subject to a specific regulation can be protected automatically and without user intervention.

"SealPath Data Classification powered by Getvisibility was born in response to the outdated technologies most modern companies currently utilise to classify and manage their data. The solution's machine learning models have been pre-trained for years via data containing a wide array of data types – from personal information, medical and financial to defense data. Combined with robust software specialised in data classification, these thoroughly trained models minimize human error, costs, and time in labelling corporate information. We expect this new AI-powered approach will transform how organisations classify and protect their data," Luis Angel del Valle, CEO of SealPath, stated.

SealPath Data Classification deploys a flexible approach, considering different dimensions such as data sensitivity, associated regulations, data types, and scope of dissemination. Consequently, the system can adapt the classification to the organisation based on the aforementioned dimensions, enabling the automated protection of tagged data via AI/ML algorithms.

SealPath's protection, coupled with the AI and Machine Learning-powered classification system, streamlines an organization's efforts to avoid sensitive information data classification errors quickly and cost-effectively.

**About SealPath**

SealPath is a European leader in Zero-Trust Data-Centric Security and Enterprise Digital Rights Management, working with major companies in more than 25 countries. SealPath has been helping organisations across multiple business verticals, such as Manufacturing, Oil & Gas, Retail, Finance, Healthcare, and Public Administrations, protect their data for over a decade. SealPath's client portfolio includes organisations within the Fortune 500 index and Eurostoxx 50. SealPath makes it easy to avoid costly mistakes, lower the risk of data leaks, ensure security for confidential information and protect data assets.

SealPath Data Classification Powered by Getvisibility Applies Artificial Intelligence to Improve Accuracy and Efficiency of Data Labelling and Protection

Source

DARKReading