Four serious security issues on the popular appliance could be exploited by hackers with any level of access within the host network, Bitdefender researchers say.

A series of vulnerabilities on the popular asset management platform Device42 could be exploited to give attackers full root access to the system, according to Bitdefender.

By exploiting a remote code execution (RCE) vulnerability in the staging instance of the platform, attackers could successfully obtain full root access and gain complete control of the assets housed inside, Bitdefender researchers wrote in the report. The RCE vulnerability (CVE-2022-1399) has a base score of 9.1 out of 10 and is rated "critical," explains Bogdan Botezatu, director of threat research and reporting at Bitdefender.

"By exploiting these issues, an attacker could impersonate other users, obtain admin level access in the application (by leaking session with a LFI) or obtain full access to the appliance files and database (through remote code execution)," the report noted.

RCE vulnerabilities allow attackers to manipulate the platform to execute unauthorized code as root — the most powerful level of access on a device. Such code can compromise the application as well as the virtual environment the app is running on.

To get to the remote code execution vulnerability, an attacker that has no permissions on the platform (such as a regular employee outside of the IT and service desk teams) needs to first bypass authentication and gain access to the platform.

**Chaining Flaws in Attacks**

This can be made possible through another vulnerability described in the paper, CVE-2022-1401, that lets anyone on the network read the contents of several sensitive files in the Device42 appliance.

The file holding session keys are encrypted, but another vulnerability present in the appliance (CVE-2022-1400) helps an attacker retrieve the decryption key that is hardcoded in the app.

"The daisy-chain process would look like this: an unprivileged, unauthenticated attacker on the network would first use CVE-2022-1401 to fetch the encrypted session of an already authenticated user," Botezatu says.

This encrypted session will be decrypted with the key hardcoded in the appliance, thanks to CVE-2022-1400. At this point, the attacker becomes an authenticated user.

"Once logged in, they can use CVE-2022-1399 to fully compromise the machine and gain complete control of the files and database contents, execute malware and so on," Botezatu says. "This is how, by daisy-chaining the described vulnerabilities, a regular employee can take full control of the appliance and the secrets stored inside it."

He adds these vulnerabilities can be discovered by running a thorough security audit for applications that are about to be deployed across an organization.

"Unfortunately, this requires require significant talent and expertise to be available in house or on contract," he says. "Part of our mission to keep customers safe is to identify vulnerabilities in applications and IoT devices, and then to responsible disclose our findings to the affected vendors so they can work on fixes."

These vulnerabilities have been addressed. Bitdefender received version 18.01.00 ahead of public release and was able to validate that the four reported vulnerabilities — CVE-2022-1399, CVE-2022-1400, CVE 2022-1401, and CVE-2022-1410 — are no longer present. Organizations should immediately deploy the fixes, he says.

Earlier this month, a critical RCE bug was discovered in DrayTek routers, which exposed SMBs to zero-click attacks — if exploited, it could give hackers complete control of the device, along with access to the broader network.

Multiple Vulnerabilities Discovered in Device42 Asset Management Appliance

Many of the technologies and services that organizations are using to isolate Internet traffic from the internal network lack session validation mechanisms, security startup says.

Many of the tools that organizations are deploying to isolate Internet traffic from the internal network — such as multifactor authentication, zero-trust network access, SSO, and identity provider services — do little to protect against cookie theft, reuse, and session hijacking attacks.

Attackers in fact have a way to bypass all these technologies and services relatively easily because they often lack proper cookie session validation mechanisms, researchers from Israeli startup Mesh Security said this week.

The researchers recently examined technologies from Okta, Slack, Monday, GitHub, and dozens of other companies to see what protection they offered against attackers using stolen session cookies to take over accounts, impersonate legitimate users, and move laterally in compromised environments.

The analysis showed that a threat actor who manages to steal the cookies of an authenticated user and hijack their sessions could bypass all MFA checkpoints and other access controls offered by these vendors. It found that even in environments that had deployed MFA and ZTNA approaches, an attacker with stolen session cookies could access privileged accounts, SaaS applications, and sensitive data and workloads.

With Okta, for instance, Mesh security researchers discovered that if an adversary could steal the session cookies of a user logged into their Okta account, they could use it to log into the same account from a different browser and location. Mesh found the attacker could access any of the resources that the user was authorized to access via their Okta account. "Surprisingly, although these attempts are expected to be blocked, the technique allows the attacker to bypass active MFA mechanisms since the session has already been verified," Mesh said in a report summarizing its findings.

**Not Directly Responsible?**

Okta described such attacks as an issue for which it was not directly responsible. "As a web application, Okta relies on the security of the browser and operating system environment to protect against endpoint attacks such as malicious browser plugins or cookie stealing," Mesh quoted Okta as saying. Most of the other vendors that Mesh contacted about the issue similarly distanced themselves from any responsibility for cookie theft, reuse, and session-hijacking attacks, says Netanel Azoulay, co-founder and CEO of Mesh Security.

"We believe that this issue is the complete responsibility of the vendors on our list — including IdP and ZTNA solutions," Azoulay insists. "Every vendor who intensively promotes the 'verify explicitly' principle should embed it in their own system. The whole idea of Zero Trust is to always verify every single digital interaction explicitly and never to trust."

Cookie theft and session hijacking are well-known issues and an attack vector that many threat actors — including advanced persistent threat actors such as APT29 — use routinely in their campaigns. Common tactics for stealing session cookies include phishing campaigns, browsing traps, and malware such as CookieMiner, Evilnum, and QakBot.

Attackers often use stolen session cookies to access Web applications and services as an authenticated user and have access until the sessions time out — something that can happen within several hours or several days.

**A Growing Concern**

Azoulay says the issue is important because organizations are increasingly moving from a perimeter-centric security approach to a more identity-driven model. Organizations such as Okta and other ZTNA vendors have become the hubs that connect employees and resources, including SaaS apps, IaaS workloads, and data, via customized browser-based portals. These systems serve as the core network of enterprises these days and provide a one-to-many access mechanism for attackers, he says.

"Organizations are investing massive budgets and efforts to isolate Internet traffic from their internal network by implementing security solutions such as IdP, SSO, MFA, and ZTNA," Azoulay says.

"A threat actor can potentially bypass this entire expensive mechanism and control measures to reach an organization’s crown jewels with a click of a button," he says. "The current mitigation techniques aren't designed to address it."

In its response to Mesh's analysis, Okta recommended that admins clear a user's sessions in the user interface or via its API. The company also noted that session time-out is configurable — from as little as 1 minute to 90 days. Once a session has expired, any copied sessions would also expire, the company noted. Okta also highlighted steps that organizations can take to minimize risk from stolen session cookies. For downstream applications, for instance, Okta administrators can require additional sign-on policies — including MFA. Similarly, tying a session to a registered or a managed device would minimize the risk of a rogue session being established from another devices, Okta said.

Many ZTNA, MFA Tools Offer Little Protection Against Cookie Session Hijacking Attacks

Least privilege is a good defense normally applied only to users. What if we limited apps' access to other apps and network resources based on their roles and responsibilities?

At some point in their career, everyone has probably seen one of those operational hierarchy charts that define who reports to whom at an organization. Sometimes just called an org chart, it's a useful tool to let people know who works for them, and who their bosses are. For example, in a typical org chart, the head of a coding group might report to the director of product development, who in turn reports to the vice president of innovation. Who hasn't looked at one of those charts to try and find their personal little block nestled inside somewhere?

There is one thing that almost every organizational chart has in common regardless of the size of the business or other factors. For the most part, all the building blocks on those charts represent humans or groups of humans. We are not at the point where machines are able to oversee humans, so for now, org charts are an exclusively human affair. But does our software also need an organizational hierarchy?

Of course, I am not suggesting that we add software to our company org charts. Nobody wants to have an app for a boss. How would you even ask them for a raise? However, by helping define the responsibilities of our apps and software within a tight hierarchy, and enforcing those policies with least privilege, we can make sure that our apps and software also survive and thrive despite the devastatingly rough threat landscape arrayed against them.

**Attacks on Apps, Software Reach an All-Time High**

Attackers these days, and the bots and automation-driven software that work for them, are constantly scanning for any slip-up in defenses to exploit. While all software is being targeted, the most damaging attacks are being made against application programming interfaces, or APIs. They are often flexible and unique, and sometimes even created on the fly as needed in the development process.

APIs are certainly flexible, but they are also often way over-permissioned for their functions. Developers tend to give them lots of permissions so that they can, for example, continue to function even as the program they are helping to manage continues to develop and change. But that means that if an attacker compromises them, then they get a lot more than just the rights to access, for example, one chunk of a specific database. They may even capture near-administrator rights to an entire network.

It's no wonder that several security research firms say the overwhelming majority of credential-stealing attacks today are being made against software like APIs. Akamai puts that number at 75% of the total, while Gartner also says that vulnerabilities involving APIs have become the most frequent attack vector. And the most recent Salt Labs report shows attacks against APIs rising by almost 700% compared with last year.

**Creating an Org Chart for Software**

One of the ways that organizations are fighting back against credential-stealing threats is by enforcing least privilege or even zero trust within their networks. This limits users to just receiving barely enough permissions in order to accomplish their tasks. That access is often further restricted by factors such as time and location. That way, even if a credential-stealing attack is successful, it won't do the attacker much good since they will only have permission to perform limited functions for a brief time.

Least privilege is a good defense, but is normally only applied to human users. We tend to forget that APIs also hold elevated privileges, yet often aren't nearly as supervised. That is one of the reasons why broken access control is now public enemy number one, according to the Open Web Application Security Project (OWASP).

It's easy to say that the solution to this critical problem is to simply apply least privilege to software. But it's a lot harder to implement. First, developers need to be made aware of the dangers. And then, moving forward, APIs and other software should either be officially placed, or at least envisioned, as part of an org chart within the network where it will reside. For example, if an API is supposed to grab real-time flight data as part of a booking application, then there is no reason why it should also be able to connect with payroll or finance systems. On the software org chart, there would be no direct or even dotted lines connecting those systems.

It's probably unrealistic for developers to actually create an org chart showing the thousands or even millions of APIs operating in their organization. But being aware of the danger that they pose, and restricting their permissions to just what they need to do their jobs will go a long way to stopping the rampant credential-stealing attacks that everyone is facing these days. It begins with awareness, and ends with treating APIs and software with the same scrutiny as human users.

Rethinking Software in the Organizational Hierarchy

Platform engineered to let organizations mitigate risk and manage complexities.

LEXINGTON, Mass., August 9, 2022 - BLACK HAT US 2022 – Mimecast Limited (Mimecast), an email and collaboration security company, today announced the availability of the Mimecast X1™ Platform. The widespread adoption of hybrid work environments coupled with the increased usage of digital-centric communication channels has expanded the attack surface – creating new organizational security risks for both people and data. By safeguarding email and business communications, the Mimecast X1 Platform is engineered to leverage a rich source of intelligence to learn about people and how they collaborate. These insights enable organizations to work protected by protecting their people, data, and communications.

By 2026, Gartner® forecasts\* that 50% of C-level executives will have performance requirements related to risk built into their employment contract. The Mimecast X1 Platform is designed to mitigate risk across email communications – the No. 1 attack vector – and help empower organizations to secure their workplace environment wherever work happens. It serves as the foundation of the Mimecast® Product Suite – built to drive industry-leading detection capabilities, deliver reliability, resilience and scale, and transform data into insights that turn email and collaboration security into the eyes and ears of organizations worldwide.

The Mimecast X1 Platform encompasses four core innovations designed to mitigate risk and manage complexities:

*   **Mimecast X1™ Precision Detection**: Mimecast X1 Precision Detection is engineered to apply the latest advancements in AI and Machine Learning and enable intelligent detection of emerging and unknown threat types, while layered protection keeps users safe all the way down to the point of risk. The industry’s most robust view of the email threat landscape – derived from Mimecast’s inspection of 1.3 billion emails daily – powers instantaneous blocking of the vast majority of email-based threats.
*   **Mimecast X1™ Service Fabric:** By allowing customers to grow securely and seamlessly and uncover user insights that can accelerate detection and response, the Mimecast X1 Service Fabric provides the foundation for cloud-delivered security at scale.
*   **Mimecast X1™ Data Analytics:** Providing the foundation for a wide array of services and capabilities – from the discovery and analysis of new threats and accelerated product innovation to rich context for threat researchers and support for cross-correlation of data with systems beyond email – X1 Data Analytics is built with one primary goal in mind: making information actionable for customers.
*   **Mimecast Extensible Security Hooks (MESH):** MESH exposes a vast API ecosystem that supports fast, simplified integration of Mimecast with existing security investments. Hundreds of integrations to third party security solutions have been implemented, spanning SIEM, SOAR, EDR to TIP and XDR. The result is reduced complexity, lowered risk, and optimized security investments.

“The introduction of the Mimecast X1 Platform represents an important next step in our company’s transformational journey,” said Peter Bauer, Mimecast CEO. “Email is where collaboration happens, and it continues to be the top attack vector demanding the strongest possible protection. However, alleviating cyber risk is not just the CISO’s job anymore. It is a collective responsibility shared by every organizational leader and employee. With the adoption of these solutions, more organizations and employees at all levels can work protected by receiving critical security benefits at lower costs and with easy deployment options.”  

The company is also previewing Mimecast Email Security (Express), a new gateway-less email security solution. The existing email security product, Secure Email Gateway, will now be known as Mimecast Email Security (Gateway). With the introduction of this new deployment option, enabled by the Mimecast X1 Platform, Mimecast will be able to provide customers with world-class email security and deployment flexibility.

Qualified new customers can register for early access to a 30-day trial of Email Security (Express) immediately. The product will be generally available for purchase by new customers in the United States and United Kingdom in late fall 2022. To learn more about the Mimecast X1 Platform, experience a demo of Mimecast Email Security (Express), and explore other Mimecast products and solutions, visit Booth #1250 at Black Hat USA 2022 on August 10–11, or visit our website www.mimecast.com.

\*Gartner Press Release, “Gartner Unveils the Top Eight Cybersecurity Predictions for 2022-23,” June 21, 2022. \[https://www.gartner.com/en/newsroom/press-releases/2022-06-21-gartner-unveils-the-top-eight-cybersecurity-predictio\]

**Mimecast: Work Protected™**

**Since 2003, Mimecast has stopped** bad things from happening to good organizations by enabling them to work protected. We empower more than 40,000 customers to help mitigate risk and manage complexities across a threat landscape driven by malicious cyberattacks, human error, and technology fallibility. Our advanced solutions provide the proactive threat detection, brand protection, awareness training, and data retention capabilities that evolving workplaces need today. Mimecast solutions are designed to transform email and collaboration security into the eyes and ears of organizations worldwide.

_Mimecast, the Mimecast logo, Mimecast X1 and Work Protected are either registered trademarks or trademarks of Mimecast Services Limited in the Unites States and/or other countries. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. All other third-party trademarks and logos contained in this press release are the property of their respective owners._

Mimecast Announces Mimecast X1™ Platform Providing Customers With Email and Collaboration Security

Product enhancements to offer full IT and OT threat intelligence services for OPSWAT customers.

**Las Vegas, Nev., August 10, 2022** – OPSWAT, a global leader in critical infrastructure protection (CIP) cybersecurity solutions, today announced new malware analysis capabilities for IT and OT at the Black Hat USA 2022 Conference. These enhancements include OPSWAT Sandbox for OT with detection of malicious communications on OT network protocols and support for open-source third-party tools in its MetaDefender Malware Analyzer solution.

With increased threats and growing concerns around propagation into OT networks within critical infrastructure environments, threat intelligence for both the IT and OT sides of the business is essential in providing the necessary data and analysis capabilities to the entire organization. OPSWAT MetaDefender Malware Analyzer now offers the ability to map malware detected via OPSWAT Sandbox to the MITRE ATT&CK Industrial Control Systems (ICS) framework, enabling malware analysis teams to quickly understand malware tactics, techniques, and procedures (TTPs) specifically targeting OT environments. This alignment to a common security lexicon about cyberattacks targeting ICS/OT environments also helps bridge the communication gaps between IT and OT security teams.

“There is no better time and place than Black Hat to launch these new enhancements for OPSWAT MetaDefender Malware Analyzer,” said Yiyi Miao, Senior Vice President of Products. “Not only are we showcasing our heavy investment in R&D for our products, but through better malware analysis for OT, we are furthering our mission of protecting critical infrastructure. We’re excited for thousands of industry-leading InfoSec professionals to be the first to see these new capabilities and understand how we can help protect their critical environments.”

As an automation and orchestration platform, MetaDefender Malware Analyzer orchestrates the process of receiving suspicious files and submitting them to different tools like OPSWAT Sandbox, aggregating results, and then submitting those results, with actionable information and indicators of compromise (IOCs), to threat intelligence platforms. The solution also enables organizations to efficiently process and triage high volumes of suspicious files while correlating against multiple in-house and cloud threat intelligence sources. These capabilities extend the breadth of intel for malware analysis teams, giving them more actionable insights on premises about known threats and then ultimately helping them mitigate these threats.

These enhancements follow OPSWAT’s State of Malware Analysis 2022 report and the initial launch of OPSWAT MetaDefender Malware Analyzer earlier this year.

To learn more about these enhancements, visit https://www.opswat.com/solutions/malware-analysis.

Find OPSWAT at Black Hat USA 2022 at booth #1186, or schedule a time to meet the team here: https://info.opswat.com/black-hat-usa-2022.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

OPSWAT Presents New Malware Analysis Capabilities for Operational Technology at Black Hat USA 2022

Bugcrowd, the leader in crowdsourced cybersecurity, announced a live hacking event to test business-critical attack surface and mobile applications for Indeed.com, during the 2022 Black Hat USA and DEF CON cybersecurity conferences in Las Vegas.

Live hacking, or "Bug Bashes," are competitive, in-person events that connect organisations with top security researchers—sometimes called ethical hackers—to dig deeper into their evolving attack surface and enrich testing methodologies. These highly curated teams of security researchers possess a diverse arsenal of in-demand skills and collectively represent the most powerful intelligence available for modern use cases and emerging threats.

Motivated by lucrative rewards and time-bound incentives, these researchers will work hand in hand with Indeed to uncover critical blind spots and improve testing methodologies. Indeed's security and engineering teams will specifically collaborate with Bugcrowd researchers to secure Indeed's mobile applications and user data. A longtime customer of Bugcrowd, Indeed has already rewarded 1,500+ vulnerability submissions through its public bug bounty program with Bugcrowd.

"At Indeed, job seekers and employers alike trust us to protect their information," said Indeed Chief Information Officer and Chief Security Officer Anthony Moisant. "As we continue rapid growth and product development, we all know that bad actors continue advancing their tactics. By engaging Bugcrowd researchers in this Bug Bash, we're partnering with good actors to help spot—and fix—vulnerabilities to help people get jobs securely."

"We are excited about this latest Bug Bash because working in teams showcases the power of human ingenuity, and we want to congratulate Indeed on being a security-first company looking to further ensure their digital assets are secure," said Ashish Gupta, Chief Executive Officer of Bugcrowd. "With the sprawling digitisation of information and assets, and the resulting increase in cyber threats, business leaders need to adopt continuous testing practices that align with their continuous innovation."

Bug Bashes are one of the most proactive and advanced security initiatives that an organisation can take in the current, ever-evolving landscape today—concentrating the combined intelligence of some of the world's top bug hunters to help secure an expanding and expansive asset footprint.

_"Bugcrowd" and "Bugcrowd Security Knowledge Platform" are trademarks of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies._

**About Bugcrowd**

Bugcrowd is the leading provider of crowdsourced cybersecurity solutions purpose-built to secure the digitally connected world. Today's enterprise demands an offensive approach to cybersecurity—and Bugcrowd offers the only solution that orchestrates data, technology, and human intelligence to expose blind spots. The Bugcrowd Security Knowledge Platform™ enables businesses to do everything proactively possible to protect their organisation, reputation, and customers with products like Bug Bounty, Penetration Testing-as-a-Service, and more. Trusted by organisations across the globe, Bugcrowd uncovers and remediates vulnerabilities before they interrupt business by leveraging expert ingenuity and the knowledge of world-class security researchers. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

Bugcrowd Taps Top Hackers for Live Hacking Event with Indeed at 2022 Black Hat Conference

New release also includes enterprise-grade cloud security posture management (CSPM) and YARA-based malware scanning capabilities.

SAN FRANCISCO---Deepfence, a pioneer in the emerging security observability and protection space, today announced the 1.4 release of its open source project ThreatMapper, a cutting-edge, cloud native offering that expands attack path visualization, adds enterprise-grade cloud security posture management, and now includes the industry’s first cloud native, YARA-based malware scanner.

> “Security is a collective good and a basic right, and we are proud to offer an open platform that addresses the most pressing day one needs of cloud security teams”

ThreatMapper is an open platform for scanning, mapping, and ranking vulnerabilities in running pods, images, hosts, and repositories. ThreatMapper scans for known and unknown vulnerabilities, secrets, cloud misconfigurations and then puts those findings in context. With ThreatMapper, the scans happen as part of CI/CD or at runtime. This empowers organizations to not only identify threats but also to determine how–and how quickly–to deal with them. In a globally connected environment in which a single vulnerability can put untold numbers of organizations and their customers at risk (e.g. Log4j), a platform like ThreatMapper is critical.

Deepfence is a firm believer in a community-based approach to security, and open source ThreatMapper 1.4 provides more comprehensive threat mapping — of vulnerabilities, sensitive secrets, and, now, cloud misconfigurations and malware — as well as the ability to contextualize and correlate scan results in an intuitive graph that makes it easier to see, respond to, and proactively prevent potential attacks. This is truly an industry first. There is no other project, open source or commercial, that applies these comprehensive features and capabilities across the cloud native continuum.

Specifically, ThreatMapper 1.4 includes:

*   ThreatGraph, a powerful a new feature that uses runtime context like network flows to prioritize threat scan results and enables organizations to narrow down attack path alerts from thousands to a handful of the most meaningful (and threatening)
*   Agentless cloud security posture management (CSPM) of cloud assets mapped to various compliance controls like CIS, HIPAA, GDPR, SOC 2, and more
*   YaraHunter, the industry’s first open source malware scanner for cloud native environments

“The cloud native ecosystem is built on OSS libraries and components, yet the majority of tools available to secure cloud native workloads are closed source proprietary software that you can never fully understand how they work, and which only companies with deep pockets can afford. If we truly want to materially improve security of our cloud native workloads, we need to make the tooling accessible to everyone in the community, so we can build and innovate together. With ThreatMapper 1.4, Deepfence is rolling out what I see as another credible open source win for the industry – ThreatGraph, which provides a substantive range of threat detection, and more – combined into a single, easy-to-use open source tool," said Nick Reva, Engineering Manager, Security Engineering, Snapchat.

ThreatMapper 1.4 enables organizations to find and rank potential threats, such as the Log4j2 vulnerability, so security teams can make informed decisions and shore up critical gaps that may have otherwise gone unnoticed. This builds on the advanced security tools in Deepfence ThreatMapper 1.3, such as secret scanning at runtime and runtime Software Bill of Materials (SBOMs), protecting not only individual organizations but also our ever-more-interconnected society as a whole.

"Security is a collective good and a basic right, and we are proud to offer an open platform that addresses the most pressing day one needs of cloud security teams," said Sandeep Lahane, Co-founder and CEO of Deepfence. "ThreatMapper 1.4 is a giant leap forward for the security community, providing the most comprehensive security features and capabilities that security teams need, free of any cost or limitations. With version 1.4 we've strengthened ThreatMapper's capabilities to the point that we’re not aware of any other product – open source or commercial – that can match it."

ThreatMapper 1.4 is 100% open source and available on GitHub. Learn more about the latest features in the release blog here.

**About Deepfence**

Deepfence is an essential security observability and protection platform for cloud-native and container environments. Deepfence measures, maps, and visualizes your runtime attack surfaces, and provides full-stack protection from known and unknown threats. Deepfence ThreatMapper helps protect the increasingly vulnerable software supply chain by automatically scanning, mapping, and ranking application vulnerabilities and sensitive secrets in running containers, images, hosts, and repositories — from development through production. Deepfence ThreatStryker uses industry attack heuristics to interpret ThreatMapper intelligence and telemetry, identifying attacks-in-progress and deploying mitigating firewall and quarantine measures. To learn more, visit deepfence.io.

Deepfence ThreatMapper 1.4 Unveils Open Source Threat Graph to Visualize Cloud-Native Threat Landscape

Because demonstrating compliance with industry regulations can be cumbersome and expensive, it's important to ensure they're also absolutely essential.

While I was recently helping a client mitigate a data breach, there was another team on the premises ensuring that the organization met the standards for a popular security compliance certificate. This is not the first time that I have encountered certifying bodies signing off on an organization's compliance even as it was under cyberattack. This ironic situation illustrates the confusing role that the growing number of different compliance certifications play. On the one hand, these certifications increase security efforts, but it is also clear they are not a blanket solution, as certified companies are attacked all the time.

While SOC2 and ISO 27001 are among the best known certifications, there are dozens of voluntary compliance schemes that companies can adopt. In fact, companies often have more than one certificationbecause there is no real international standard, meaning that organizations seek out additional compliance certifications when entering new markets in order to satisfy demands of clients, customers, and partners. With SOC2 taking up to three months to implement, while ISO takes up to six months, companies are spending large amounts of human and financial resources on these certifications. So it is time to ask if this endeavor is worth it.

**Certifications Can Bring Unexpected Benefits**

There is no doubt that such schemes offer benefits — but not necessarily the ones that organizations expect. Most importantly, they raise cybersecurity awareness throughout an organization, often in a bottom-up manner.  

Because potential customers and clients are routinely asking about certifications, it is often an organizations'marketing and sales teams that approach their CISO to request seeking out certifications. Whether a certification is ultimately pursued — and what actual security benefits, if any, it brings — this momentum is important and creates stronger links between cybersecurity teams and the rest of the business. These relationships can help lay the foundation for more holistic cybersecurity practices and policies, and emphasize to the entire business the importance of investing in cybersecurity.

Requests for certifications from sales, marketing and other teams also illustrate to the CISO and the entire C-suite how cybersecurity can be a business enabler, and a marketing tool; for example, if an organization has a certain certification they can highlight that to appeal to potential customers and clients.

In fact, many organizations require that their service-providers, from payroll solutions to delivery services, have a certain compliance certificate. So not having such a certification could mean, for example, that a vehicle fleet management company will not win a contract from a startup that wants transportation services. This helps companies understand in general how any cybersecurity spending and practices should be aligned with business goals and not happen in a vacuum or with a pure-compliance mindset.

**False Sense of Security**

But organizations seeking out these certifications must also realize that they can only do so much. Certified organizations are attacked all the time. The number of companies with ISO certifications has more than quadrupled in the last decade, but attacks continue to rise. This is partly because in the current environment, nothing can completely prevent attacks. While certifications are a starting point, they do not make up for holistic security assessments that map out the most probable attack routes, the most valuable and vulnerable targets, and then focus on protecting those assets.

In addition, these certifications and audits can be implemented in a wide-ranging manner, and it is difficult to tell how thorough they actually are. This is because there are hundreds of different companies that offer official certification for SOC2, ISO 27001, and others. Although there are basic guidelines, their methods differ, and, frankly, some probably do a better job than others.

**What Should Organizations Do?**

At the end of the day, businesses should seek out the certifications that are popular in their markets. It is a way to build security awareness and momentum inside an organization, and also creates a vehicle for integrating an emphasis on cybersecurity into marketing and sales efforts, as well as fostering an environment where cybersecurity spending is linked to business goals. On a practical level, many certifications, including ISO, can prevent fines or reputational damage in the event of an attack because they demonstrate to the public that the organization was taking preventative steps.

At the same time, businesses should make sure the organization they select for any certification does a thorough job. For example, there should be actual penetration or other testing performed as part of the evaluation, not just a questionnaire that is completed about testing done in the past.

Most importantly, organizations cannot let their guard down even after they have completed the long, tedious and costly process of certification. They must continue to engage in ongoing risk assessment, focus on protecting the most valuable parts of a business and use proactive defensive measures, like threat hunting and ethical hacking.

In sum, the value of these certifications is derived by viewing them as starting points, rather than end goals. These certifications are often critical in advancing the conversation and the priority of cybersecurity in organizations.

Compliance Certifications: Worth the Effort?

Zero trust and XDR are complementary and both are necessary in today's modern IT environment. In this article, we discuss the intersection of zero trust and XDR.

What do the Colonial Pipeline ransomware attack, Florida water hack, and Twitch data leak share in common? All were high impact, but none of them were sophisticated cyberattacks.

Rather, three years of rapid digital transformation have resulted in a sprawling and porous attack surface of distributed workforces and network environments (cloud, edge, on-premises). The game has changed, but most organizations are still operating on dated tech stacks and security models, making it easy for bad actors to take advantage.

Many companies are realizing it's time for a new security playbook that addresses the needs of the modern workforce.

**Zero Trust: Never Trust, Always Verify**

What keeps CISOs up at night? Uncertainty about the security posture of their endpoints and data; the massive potential for human error (Colonial Pipeline); and the complexity of, well, the evermore complex IT environment of today. In other words … _chaos_.

The solution? One simple rule: never trust, always verify — zero trust.

The official definition of zero trust from Forrester Research, originator of the concept, is:

_"Zero Trust is an information security model that **denies access to applications and data by default**. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust advocates these three core principles: All entities are untrusted by default; least privilege access is enforced; and **comprehensive security monitoring is implemented."**_

Let's unpack that definition:

✔ You deny access to data and applications by default.

✔ You grant access only to users, networks and workloads adhering to the framework.

✔ You continuously verify the identity of all users and their devices.

✔ You enforce least privilege access by default.

✔ You implement comprehensive security monitoring.  

Since its introduction, the evolution to zero trust has greatly increased security over legacy-based approaches that granted frictionless access to users and applications once a perimeter was cleared, but it is not perfect.

A zero-trust posture works great at limiting access and the potential blast radius of an attack, but does not itself protect the kingdom from persistent attacks on IT environments and users.

While identity and access management (IAM) tools handle the never-trust-always-verify principles of the zero-trust security framework, additional tools such as XDR are still needed to insulate your network, applications, and endpoints from the constant attacks that most organizations face.

**XDR: The Solution to Siloed Security**

Considered an evolution of endpoint detection and response (EDR) and network detection and response (NDR), extended detection and response (XDR) offers protection throughout critical areas of your network, devices, applications, and IT infrastructure.

_How?_

Gartner's definition of XDR holds the answer:

_"Extended detection and response describes a unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components."_

Put simply, XDR shatters the point-solution silos that prevent a complete view of your security posture, actively monitors all systems, AND intelligently identifies and acts on threats when they occur.

The capabilities under the hood making this possible include:

**\--Analytics and Detection**

✔ Internal and external traffic monitoring to identify threats _even if_ they bypass your network perimeter.

✔ Integrated threat intelligence to preempt attacks already executed elsewhere on your system.

✔ Machine learning-based detection for catching zero-day and anomalous threats that can bypass signature-based methods.

**\--Investigation and Response**

✔ Correlation of related alerts and data to help security teams stealthily determine the root cause of an attack and predict the adversary's next step.

✔ Centralized user interface (UI) to expedite documentation and response times.

✔ Response and orchestration capabilities, such as automatically blocking an endpoint attack and then updating org-wide endpoint policies.

**\--Dynamic and Flexible Deployments**

✔ Security orchestration integrating with existing controls to ensure unified and standardized responses.

✔ Scalable, cloud-based storage and compute so historical data (and the advanced persistent threat patterns it reveals) is preserved.

✔ Machine learning and threat intelligence for informed, iterative improvement over time.

**XDR and Zero Trust Working Together**

With the global average cost of a data breach reaching an all-time high of $4.35 million, it's no wonder 97% of IT and security pros see implementing zero trust as a top priority.

However, the implementation of zero trust in itself is not the full answer to modernizing security posture. XDR helps to complete the comprehensive security monitoring requirements of zero trust by stacking multiple security technologies into a single platform.

The evolution to a zero-trust security posture enhanced with XDR protections ensures that even the most distributed workforces remain protected across all users, applications, and environments.

**About the Author**

    

Bruno Darmon is the Chief Strategy Officer at Cynet, a provider of natively automated XDR platform. Bruno has over 25 years of high-tech leadership, sales and entrepreneurial experience. Prior to joining Cynet, Darmon served 17 years as Vice President of EMEA Sales at Check Point Software Technologies.

Zero Trust & XDR: The New Architecture of Defense

First-of-its-kind solution discovers and protects both data at rest and in motion.

**TEL AVIV, August 3, 2022 –** Flow Security today announced $10M in seed funding and launched the first data security platform that discovers and protects both data at rest and in motion. The funding was led by Amiti, with participation from GFC, Amdocs Ventures, and industry leaders such as CyberArk CEO Udi Mokady and Demisto CEO and co-founder Slavik Markovich.

Enterprises of all sizes continue to make heavy investments in technology stacks as they transition to modern cloud application architectures. This new era promises many benefits, but has also led to significant data sprawl and major difficulties in securing data. With the widespread adoption of modern architectures, securing sensitive data such as PII, PHI, financial information, and intellectual property has become a near-impossible task.

Flow Security helps organizations overcome these challenges by continuously mapping and detecting all data-related risks for an improved data security posture. Flow is the only data security platform that supports use cases including discovering and classifying data flows to external services, policy enforcement, automatic data-related threat modeling, and reducing data access permissions to the minimum. Flow has a growing customer base in highly-regulated markets such as e-commerce, fintech, healthcare, insurtech, and more.

"Discovery, mapping and protecting data is usually a manual process, which is not effective in large organizations," says Nir Chervoni, Head of Data Security of Booking.com, "Automatic data mapping should consist of analyzing the actual payload, and not only its metadata. So far, Flow is the only company I've seen that provides that capability for multiple scenarios."

“Security and data protection teams are struggling to keep up with the rapid pace of today, and Flow is making their lives exponentially easier,” said Ben Rabinowitz, Managing Partner and Founder at Amiti Ventures. “We’re thrilled to be a partner on this journey, and eager to help capitalize on this opportunity to give security teams the technology they need to become business enablers.”

“We’ve reviewed dozens of different data security tools lately, and we weren’t satisfied with any of them,” said Ralph Pyne, VP of Security at NextRoll. “But Flow’s data-in-motion approach is a game changer. It took the platform a few days to map data-related threats that usually take months of manual work to detect.”

“Data security is not a new problem, but the challenges are changing and growing,” said Jonathan Roizin, co-founder and CEO of Flow Security. “Organizations are moving at a record pace and quickly transitioning to the cloud and cloud-first applications. These transformations often make life easier, but they also make the jobs of security professionals even more difficult. With Flow, security teams are no longer forced to chase down information. It simplifies security and regulatory processes and bridges the gap between security and development teams."

**About Flow Security**

Flow Security revolutionizes data security with the first platform that discovers and protects data not only at rest, but also in motion. Founded in 2021 by Jonathan Roizin and Rom Ashkenazi, the Israel-based company is backed by Amiti, GFC, Amdocs Ventures, and market-leading angel investors.

Source

DARKReading