A poor, permanent hire can be a very expensive error, whereas a mis-hire on a virtual CISO can be rapidly corrected.

The cybersecurity challenges that companies are facing today are vast, multidimensional, and rapidly changing. Exacerbating the issue is the relentless evolution of threat actors and their ability to outmaneuver security controls effortlessly.

As technology races forward, companies without a full-time CISO are struggling to keep pace. For many, finding, attracting, retaining, and affording the level of skills and experience needed is out of reach or simply unrealistic. Enter the virtual CISO (vCISO). These on-demand experts provide security insights to companies on an ongoing basis and help ensure that security teams have the resources they need to be successful.

**How a vCISO Works**  
Typically, an engagement with a vCISO is long lasting, but in a fractional delivery model. This is very different from a project-oriented approach that requires a massive investment and results in a stack of deliverables for the internal team to implement and maintain. A vCISO not only helps to form the approach, define the action plan, and set the road map but, importantly, stays engaged throughout the implementation and well into the ongoing management phases.

The best vCISO engagements are long-term contracts, such as 12 to 24 months. Typically, there's an upfront effort where the vCISO is more engaged in the first few months to establish an understanding, develop a road map, and create a rhythm with the team. Then, their support drops into a regular pace which can range from two to three days per week or five to ten days per month.

**What to Expect From a vCISO**  
When bringing a vCISO on board, it's important that person has three key attributes: broad and extensive experience in addressing cybersecurity challenges across many industries; business acumen and the ability to rapidly absorb complex business models and strategies; and knowledge of technology solutions and dynamics that can be explored to meet specific organizational needs.

The first thing a vCISO will focus on is prioritization, beginning with understanding a company's risks. They will then organize actions that provide the greatest positive influence on mitigating these risks while ensuring sustainability in the program. The goal is to establish a security approach that addresses the greatest risks to the business in a way that has staying power and can provide inherent value to additional downstream controls.

Having extensive experience in the technical space, a vCISO can take into consideration the full spectrum of options — those existing within the business environment, established products and services in the marketplace, and new solutions entering the market. Just within that context, a vCISO can collaborate with the technical team to take advantage of existing solutions and identify enhancements that can further capabilities in a cost-efficient manner.

**The Value of a vCISO**  
One of the most common findings is that companies often have a large portfolio of cybersecurity technology, but very little is fully deployed. Additionally, most tech teams are not leveraging all of the capabilities, much less integrating with other systems to get greater value. Virtual CISOs help companies save money by exploiting existing technical investments that dramatically improve security. And, since the improvement is focused on existing tools, the transition for the IT and security staff is virtually eliminated due to established familiarity with the environment.

Another essential value point of a vCISO is access to an informed and well-balanced view on risk and compliance. While cybersecurity is dominated by technical moving parts, the reality is the board, executive leadership, and management team needs to incorporate cyber-risks and related liabilities into the overall scope of risk across the business at an executive level. In this sense, leadership has a vast array of competing challenges, demands, and risks and some can be even more impactful than cybersecurity.

**How to Convince the Executive Team**  
A CEO is under a constant barrage of challenges, problems, risks, and opportunities. Cybersecurity needs to be part of that formula. If one of the core values of having a vCISO is getting meaningful cyber-risk insights, then trust and confidence in that person is paramount and needs to be established from the beginning.

Another challenge is the team dynamic — at the heart of being a CEO is their success as a leader. Introducing what is essentially a consultant can be an adjustment for the team. It's important that the vCISO hire fits the culture and can easily integrate with everyone on the team including the CIO, CTO, CPO, CRO, etc.

The conversation with the CFO will understandably have a heavy financial tone. For companies debating between a full-time CISO or a vCISO, it's clear a poor permanent hire can be a very expensive error, whereas a mis-hire on a vCISO can be rapidly corrected.

As organizations continue to come to grips with the byproducts of digitization and new security challenges that often seem insurmountable, a vCISO can be an enormous value. Beyond offering an efficient and cost-effective model, they bring many advantages to businesses with fewer risks than a dedicated resource.

Virtual CISOs Are the Best Defense Against Accelerating Cyber-Risks

To be truly effective, threat detection and response need to combine the strengths of people and technology.

There is a debate in the world of cybersecurity about whether to use human or machine expertise. However, this is a false dichotomy: Truly effective threat detection and response need both kinds of expertise working in tandem.

It will be years before machines completely replace the humans who perform typical detection and response tasks. What we predict for the meantime is a symbiotic relationship between humans and machines. The combination means that detection of and response to threats can be faster and more intelligent. It leaves humans to focus on what humans do best, while artificial intelligence (AI) shines at tasks better suited for machine processing.

Threat detection is very much an adversarial problem. Attacks rely on stealth, which often makes detection difficult, especially among billions of data points. Technologies we've relied on for the past 20 years are not sufficient to combat threats or sift through the "noise" to find the "signal." Yet skilled humans can find threats that rule-based systems cannot identify.

Any system that uses AI for the next generation of threat detection will need to harness the power of both human and machine expertise and be able to learn and adapt based on human feedback.

**Perfection Is Not the Goal, Human Performance Is**

There's a misconception that AI can't really make decisions, and we need vastly experienced human experts with irreproducible human intuition.

Looking at this through the lens of the classic Turing test, we asked: Can a machine outperform a security analyst in 80% of the work currently done by humans? If the answer is yes, imagine the productivity gains and efficiency for security operations.

We see reason for optimism here. Forty years ago, a chess engine beating a human was unthinkable, but the problem was settled in half that time. Just 10 years ago, automated audio transcription was poor, and humans were better at the task. Now machines can transcribe at least as well as humans.

**Teaming Up for the Best Outcome**

Most companies can't hire enough staff to deal with all of the security alerts. The ideal solution to this talent crunch employs intelligent automation to assist security analysts, incident responders, and threat hunters. There are three main ways to successfully apply security automation:

**1\. Alert triage.** Turning millions of alerts and thousands of events into a handful of actionable cases with context about what happened and why helps prioritize tasks for human workers.

**2\. Incident response.** Automating repetitive tasks reduces the mean time to detect (MTTD) and mean time to respond (MTTR). This frees up human analysts to respond to more important threats and make more effective, immediate decisions.

**3\. Threat detection.** Threat detection is an offensive game, focused on identifying and correlating new threats across the network, different endpoints, and applications while prioritizing actions over alerts. Of the three, this is also the main area for improvement: How can we apply automation _more_ effectively to threat detection?

**Automating Threat Detection**

There are two kinds of automation. The first is replicating simple human actions to build into an AI-driven process. Threat detection, however, is essentially a decision-making process.

The second kind of automation requires us to determine which incidents genuinely require escalation by human security analysts. The current quality of automation technology is clear — in some security operations, machines exceed human accuracy. The goal is to build a decision engine that makes decisions as well as human beings, if not better.

But how can we trust that machine decision-making equals or supersedes human decision-making? Simple. Look at the data!

Automation may mark an alert as an incident that a human security analyst later closes without escalation. Ask them why, and the analyst will walk you through their thought process. Those "whys" are the basis of what we call a factor. Factors that are not immediately obvious may play an important part in the final decision.

The more factors we gather, the sharper the accuracy of both human and machine expertise. Meanwhile, we can also reduce false positives. Every difference between human and machine may uncover additional factors, or human analysts may combine factors in different ways than the automated system.

**Improving the Decision Engine**

A rules engine is limited to modeling just the "bad" qualities or behavior we observe in a pool of data. As a result, it can only identify and respond to incidents that fall within those criteria. In contrast, a decision engine teaches the machine both "bad" and "good" and enables the model to progressively learn.

Mimicking a human's approach to learning and replicating it delivers the same decision, only automated. Hundreds of decisions can be made in just one minute, and resolution time plummets. Instead of running through 20 routine alerts, human analysts could focus their time and energy on one or two actionable cases.

Triage presents thousands of alerts a day. But in threat hunting, the problem is three or four orders of magnitude larger. Hundreds of millions of events mean we're looking for the proverbial needle in a haystack. So how do we apply the same factor analysis approach to threat hunting as we do to alert triage?

Factors can be mapped to each of these hundreds of millions of events with feature engineering. If we extract a given factor, we can apply transformations and reduce the number of different values the factor has (its dimensionality), which is especially useful when dealing with 100 different values or more.

This allows us to map each factor to a score and combine them for a final score, which the AI can use to make decisions. But because there will always be differences in decisions made by human analysts and decision engines, the AI must be able to accept human feedback.

This is supervised algorithmic machine learning in action. Humans provide feedback via labeling, and this input "educates" the system to build a model. It's even possible to build an unsupervised system for tasks that fit it. To work effectively, AI needs to be explainable, customizable, and adaptable.

When we build a decision engine with human expertise and incorporate automation wherever possible, this is what the next generation of SOC technology will look like.

The Next Generation of Threat Detection Will Require Both Human and Machine Expertise

Phishing retained its place as the top root cause of data compromises, according to new data from the Identity Theft Resource Center (ITRC).

Ransomware attacks leading to data breaches fell 20% in the second quarter of 2022 compared with the first quarter and dropped quarter over quarter, according to new data from the Identity Theft Resource Center.

"Security researchers believe that the decline in ransomware attacks is due to a combination of factors, including the ongoing conflict in Ukraine and the collapse of cryptocurrencies favored by cybercriminals," the ITRC report notes. "All of these trends – fewer compromises, fewer victims, few ransomware attacks – can be reversed quickly with just a handful of large breaches or a series of smaller ones."  

The ITRC report also says that phishing remained the No. 1 root cause of data compromises in the first half of 2022. Data compromises rose slightly in the second quarter of the year, although the pace of data compromises for the first half of 2022 is down 4% compared with the same period in 2021.

But the ITRC study also shows that the data indicating a downward trend in breaches and ransomware numbers could be an illusion, masked by the nearly 40% of data breach notices that don't include basic information, such as attack vector or a victim count. This is the first time that "unknown" topped the list of data breach causes since the ITRC began tracking data breaches.

So far in 2022, there have been 817 publicly reported data breaches with 53,350,425 victims, down from the record-high 851 recorded by the ITRC in 2021. This includes 802 data breaches with 46,209,107 victims, 10 data exposures affecting 7,136,948 victims, and 5 unknown events numbering 4,370 victims, according to ITRC data.  

In the first half of 2022, 367 entities were affected by 44 third-party/supply chain attacks, including 10 attacks reported in the two previous years. Among those singled out by the report were the Illuminate Education, Ciox Health, and Eye Care Leaders supply chain attacks.

System errors and human errors also contributed to data exposures and included failures to configure cloud security, misconfigured firewalls, and email correspondence containing sensitive information. Physical attacks, which include device theft and improper disposal, resulted in 13 breaches in the second quarter of 2022, for a total of 115,395 victims.

**Ransomware, Phishing Threat to Businesses Still Acute**

As malicious actors move their focus away from individuals, organizations are bearing the brunt of attacks, with global ransomware incidents targeting everything from enterprise servers to grounding an airline.

Data pulled from incident response cases by Unit 42 earlier in the year showed cyber-extortion attacks jumped by 85% as ransomware attackers demanded dramatically higher ransom fees in 2021.

A February report by the ITRC showed phishing is also one of the primary data-breach causes at many organizations in 2021. According to the ITRC, 537 out of 1,613 publicly disclosed breaches in 2021 — or one-third — involved phishing, smishing, or business email compromise.

Malicious actors are moving their focus to small businesses, which are likely to have fewer security resources to combat such attacks — a QuickBooks vishing scam targeting SMBs was just the latest in a string of incidents.

Data Breaches Linked to Ransomware Declined in Q2 2022

"Retbleed" bypasses a commonly used mechanism for protecting against a certain kind of side-channel attack.

Researchers at ETH Zurich have found a way to overcome a commonly used defense mechanism against so-called speculative execution attacks targeting modern microprocessors.

In a technical paper published this week, the researchers described how attackers could use their technique — dubbed "Retbleed" — to steal sensitive data from the memory of systems with Intel and AMD microprocessors that are vulnerable to the issue. The researchers built their proof-of concept code for Linux but said some Windows and Apple computers with the affected microprocessors likely have the issue as well.

Their discovery prompted Intel and AMD to issue advisories this week describing mitigations against the new attack method. In an emailed statement, Intel said it had worked with industry partners, the Linux community, and Virtual Machine Manager (VMM) vendors to make mitigations available to customers. "Windows systems are not affected as they already have these mitigations by default," Intel noted.

AMD said the issue the researchers had identified potentially allows arbitrary speculative code execution under certain microarchitecture conditions. "As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks," AMD said in an emailed statement. "That guidance is found in a new AMD whitepaper now available."

Both chipmakers said they were not aware of any active exploits in the wild related to the issue that the researchers at ETH Zurich discovered and reported.

**A Dangerous Attack Vector**

Security researchers consider speculative execution attacks as dangerous because they give attackers a way to access and steal sensitive data — including passwords and encryption keys — in a computer's memory. It's an issue that is especially of concern in shared environments such as public cloud services and shared enterprise infrastructure.

Speculative execution is a performance-enhancing mechanism in modern microprocessors where instructions in code are executed in advance of when they are needed, without waiting for previous instructions to be completed. The technique can help speed up microprocessor performance. If the microprocessor guesses wrong and executes an instruction that is not needed, it discards that instruction. But in doing so, it sometimes leaves artifacts from system memory in the processor's buffers or cache.

Threat actors have taken advantage of this fact to devise so-called side channel attacks where they get the microprocessor to speculatively execute code in such a way as to get it to access — and reveal — sensitive information in the system memory. The issue became a major concern in 2018 with the disclosure of the Spectre and Meltdown vulnerabilities in most microprocessors used in everything from servers to PCs, laptops, and mobile devices.

Since then, chipmakers like Intel and AMD have introduced changes and mitigations to make it harder for adversaries to carry out speculative execution side-channel attacks.

One widely used mitigation against speculative execution attacks is called "Retpoline," a Google-developed approach for controlling how a microprocessor performs speculation when handling certain instructions — so-called indirect "jumps" and "calls".

**'Crazy Trick'**

Retpolines work by replacing indirect jumps and calls with the "return" function, says Johannes Wikner, one of the researchers at ETH Zurich who developed the new exploit. "Retpoline replaces indirect jumps with returns using a crazy trick," Wikner says. "It tricks the processor to believe there has been a 'call' made from the location where the indirect jump was intended to lead."

The motivation for replacing indirect jumps and calls with returns was because the return function was considered impractical to exploit, he says.

But that is not the case, Wikner says. Their research showed that it is possible to trigger microarchitectural conditions on Intel and AMD CPUs that force the return function to be speculatively executed just like was possible with indirect jumps and calls. "Retpoline does not \[consider\] the fact the returns can be exploited, into account," he says. "This allows us to bypass the Retpoline defense."

Wikner says it took the researchers some work to exploit the issue on Intel microprocessors and required their finding a sequence of deep function call stacks to trigger it. "We found on AMD that all returns can be exploited regardless of the function call stack," he says. "We built a framework to make it easy also on Intel."

Bogdan Botezatu, director of threat research at Bitdefender, which last year developed a side-channel attack of its own against Intel CPUs, says Retbleed appears to be a side-channel attack as well one that bypasses a mitigation set in place for Spectre. "This is yet another way in which modern CPUs can be exploited to inadvertently leak information that should be considered secret — and for which hardware defenses are burnt into the silicon," he says.

He says two things are worth mentioning when talking about this type of attack. Conceptually, it beats measures built into chips to prevent data from leaking from one realm to the other. "In the hands of a patient and properly positioned attacker, this vulnerability can exfiltrate important information from shared computers or virtualized servers. This is bad," he says.

**Complex to Execute**

At the same time, such attacks require significant knowledge and logistics to successfully result in exfiltration of the data sought by a potential attacker. High-profile targets should be worried about the existence of this vulnerability and should deploy Intel and AMD's recommended mitigations. "Side-channel attacks are effective, but difficult to execute and exfiltrate exactly that piece of information that attackers are after," Botezatu says.

Intel said that two security advisories it published Tuesday address the research. One of them is here and the other here. The company described the issue as impacting some of its Skylake generation processors that do not have a feature called enhanced Indirect Branch Restricted Speculation (eIBRS). "Intel worked with the Linux community and VMM vendors to provide customers with software mitigations to enable Indirect Branch Restricted Speculation (IBRS), and enhanced Indirect Branch Restricted Speculation (eIBRS) where supported."

Windows systems are not affected because they use IBRS by default, the Intel statement noted.

Researchers Devise New Speculative Execution Attacks Against Some Intel, AMD CPUs

Forcepoint's test results are second in a series of publications on this new technology.

AUSTIN, Texas, July 13, 2022 /PRNewswire/ -- CyberRatings.org, the non-profit entity dedicated to providing transparency on cybersecurity product efficacy, has completed an independent test of the Forcepoint Cloud Network Firewall (CNFW). Forcepoint received the highest possible overall rating of 'AAA' with excellent security and performance. The instance used for this test was c5.9xlarge (36 vCPU, 72 GB memory, and 10+ Gbps network Bandwidth).

Forcepoint's test report is the second in a series of CNFW publications from CyberRatings. Management & Reporting Capabilities, Routing and Policy Enforcement, SSL/TLS Functionality, Threat Prevention and Performance were all tested using Amazon Web Services (AWS) as the cloud provider. More products are being added to the test before the comparative report is published in the second half of 2022. The group test is the first-ever cloud network firewall evaluation provided to the market.

The CyberRatings exploit repository contains exploits that demonstrate a wide range of protocols and applications. Exploit sets for individual tests are selected based on CVSS score (how widely used is an application + what can an attacker do?), use case, and relevance to customers. Forcepoint's Threat Protection was rated excellent, blocking 35 out of 35 evasion techniques, 977 out of 977 exploits, with an excellent combined Rated Throughput of 943 Mbps.

While the firewall market is one of the largest and most mature security technology segments, this latest evolution virtualizes this functionality to provide scalable and elastic policy enforcement in a cloud environment.

"We were impressed with Forcepoint's security and performance," said Vikram Phatak, CEO of CyberRatings.org. "This product is a worthy contender and should be considered by enterprises," added Phatak.

A blog addressing the timeline for more CNFW to be published was issued today. To read the CyberRatings in-depth report on the various CNFW capabilities offered by Forcepoint, go to CyberRatings.org.

**Additional Resources**

*   Follow CyberRatings.org on Twitter
*   Follow CyberRatings.org on LinkedIn

**About CyberRatings.org**

CyberRatings.org is a non-profit 501(c)6 entity dedicated to quantifying cyber risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org

CyberRatings.org Issues AAA Rating on Forcepoint's Cloud Network Firewall

New research report finds most financial organizations have experienced a breach due to an authentication weakness, yet only a third took action

New York, NY – July 13, 2022 – HYPR, The Passwordless Company™ and Vanson Bourne, today released a new report that reveals the financial sector is failing to combat the biggest threat in cybersecurity – compromised credentials. Findings show that 80% of financial service organizations experienced at least one cyber breach in the past 12 months related to a weakness in authentication, yet only one-third of organizations changed their authentication methods following the breach, leaving a significant number highly exposed to future attacks and breaches. The State of Authentication in the Finance Industry report also shows there is a recognized solution to combat such attacks, with a resounding 89% stating that passwordless authentication is needed to reach the highest levels of security.

The report, which shares insights from 500 IT security decision-makers in the financial sector, represents a cross-section of small and medium businesses and enterprise companies spanning the U.S, U.K, France and Germany. Findings uncover the burden that current authentication practices are leaving on financial organizations globally, specifically the high-risk cracks in security, strain on budgets and overall operational disruption. More importantly, the results identify the discrepancies around “perceived” and “actual” authentication security.

Over the last 12 months, an alarming 85% of surveyed organizations faced a cyber breach; more startlingly, nearly three quarters (72%) experienced multiple breaches in the same timeframe – driving the annual average to a staggering 3.4 breaches per year. Remarkably, 90% of these victims still believe their current authentication approach is secure, despite data proving otherwise. Of these attacks:

● 36% reported phishing as the most prevalent type of attack, followed closely by malware and credential stuffing, equally at 31%, and push notification attacks at 29%.

● The annual average direct cost of authentication-related cyber breaches was $2.19 million, not factoring in intangible and hidden costs.

● Nearly one third lost customers to their competitors and experienced a loss of employee (29%) and customer data (26%) in the aftermath of the breach.

“The finance industry is at the forefront of cybersecurity. As one of the most targeted sectors for attack, financial services companies have an impressive track record of adopting new, innovative defense technologies to deliver the protection that clients need,” said David Reilly, Security and Financial Services Strategic Advisor and former CIO and CTO for Bank of America. “While improvements in perimeter, network and behavioral analytics have advanced, authentication security has not moved at the same pace. We now have the opportunity to make a step-function change and improve authentication security by removing the risk of static passwords and credentials which can be learned and leveraged by attackers. Eliminating the static password risk is the strategic path forward.”

**Financial Organizations Have a False Sense of Security Regarding Multi-Factor Authentication**

The financial sector is the most highly targeted industry for cyberattacks, and the most forward-thinking and progressive with technology adoption. Despite that, a substantial proportion of respondents (32%) admit that their employees are using legacy authentication methods such as SMS and OTPs, and close to one-quarter (22%) use usernames and passwords only. The report findings spotlight a disconnect as 84% feel that traditional MFA provides complete security and at the same time, 99% agree that their current authentication methods are inadequate.

"The Financial Services industry, like many others, is facing a paradox. Data shows that traditional authentication methods are perceived to be effective but the data also clearly shows that these methods don’t provide enough protection, leaving organizations exposed to unacceptable risk. At the same time, the scale of attacks and malicious strike techniques are rapidly growing, widening this vulnerability gap," says Bojan Simic, co-founder, CEO and CTO of HYPR. "Ongoing guidance and mandates from government bodies such as CISA are a critical step forward in raising the red flag and calling for immediate action for stronger controls. Passwordless MFA is the gold standard and must be the foundation of all security strategies – the data speaks for itself.”

**Benefits of Passwordless Authentication Are Known with Improved User Experience and Security Leading The Way**

89% of financial organizations understand that passwordless authentication is needed both to achieve the highest level of authentication security and to ensure user satisfaction. Nine out of ten also agree that the cost benefits are a dominant factor for passwordless adoption. Factors such as password fatigue, impacts to productivity and help desk costs are major adoption drivers. Additionally, respondents named meeting cyber insurance requirements (31%), improving supply chain security (31%) and supporting Zero Trust initiatives (27%) as benefits of passwordless authentication.

For more information on HYPR visit https://www.hypr.com.

Report: Financial Institutions Overly Complacent About Current Authentication Methods

In the wrong hands, the changes could enable state-sponsored internet surveillance says Mozilla's Chief Security Officer

BRUSSELS, July 13, 2022 /PRNewswire/ -- There is a serious threat to existing internet security measures stemming from the European Commission's proposed revision to the eIDAS regulation. If implemented, experts say it could open individuals browsing online to additional security risks and set a precedent to allow state-sponsored internet surveillance. As currently drafted, article 45.2 could undermine the EU's own ambitions to be the frontrunner of a more secure, responsible and competitive internet that protects people from illegal activity.

Under the revised article 45.2 of the eIDAS regulation, browsers would be mandated to accept the EU-designed Qualified Web Authentication Certificates (QWACs) even though they have weaker security properties than those most browsers currently allow. Moreover, browsers would be prevented from applying any of the existing security due diligence checks to the entities which issue these certificates, thereby bypassing the critical first line of defense against cybercrime.

Article 45.2 is attracting growing attention from parliamentarians and cybersecurity experts alike. In her draft report, MEP Romana Jerković, the file's rapporteur, deleted it in order to have more time to figure out an approach that doesn't compromise security. Meanwhile, in a letter sent to MEPs and EU countries, academics said that mandating the use of QWACs could introduce "_significant weaknesses into the global multi-stakeholder ecosystem for securing web browsing._" They added that the move could make it "_more difficult to protect individuals from cybercriminals_."

Attempts have been made in the past to forcefully bypass browser security checks for rights-interfering ends, most notably in Kazakhstan in 2020 and Mauritius in 2021. In both cases, the governments aimed to use so called "man-in-the-middle" attacks to carry out state-sponsored surveillance of internet traffic.

Marshall Erwin, Chief Security Officer at Mozilla, said: "_While this is not the intent of the EU, the inclusion of article 45.2 in eIDAS will make it more difficult to push back on these surveillance attempts in future. The EU sets many global standards and we're concerned that if this is copied elsewhere, the regulation will give the tools to governments to carry out state-sponsored surveillance of internet traffic. Such actions present a very real and dangerous unintended consequence of the EU's digital identity plans._"

For more information see **here.**

SOURCE Mozilla

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Mozilla: EU's eIDAS Proposal Attracts Growing Criticism

**KIRKLAND, Wash., July 13, 2022 –** Adaptiva today released the inaugural “Managing Risks and Costs at the Edge” report. Sponsored by Adaptiva and conducted by Ponemon Institute, 629 IT and IT security practitioners in the United States were surveyed, representing an average organizational headcount of 13,213 and IT budget of $184,366,500. Respondents indicated that most enterprises struggle to maintain visibility and control of their endpoint devices, leading to increased security breaches and impaired ability to ward off outside attacks.

Report findings show that the average enterprise now manages approximately 135,000 endpoint devices. Despite $4,252,500 of annual budget spent on endpoint protection, an average of 48 percent of devices – or 64,800 per enterprise – are at risk because they are no longer detected by the organization’s IT department or the endpoints’ operating systems have become outdated. Additionally, 63 percent of respondents find that the lack of visibility into their endpoints is the most significant barrier to achieving a strong security posture.

Additional report highlights include:

*   **Sprawling Centralized Infrastructure:** IT organizations are facing unprecedented rates of distribution point sprawl, which has grown rapidly since the onset of the COVID-19 pandemic. 61 percent of respondents say distribution points have increased in the last two years, and the average endpoint has as many as 7 agents installed for remote management, further adding to management complexity.
*   **Updates Are Hardest to Maintain:** 62 percent of respondents say new OS and application versions are the most difficult to maintain across all endpoints, followed by patches and security updates at 59 percent, and network settings and connectivity issues at 50 percent.
*   **Lacking Resources:** 66 percent of respondents say that their organizations don’t have ample resources to minimize endpoint risk. Consequently, respondents indicate they could only stop 52 percent of attacks with their current technologies and expertise.

"The world has been changing at unprecedented rates in the last two years, yet there haven’t been any significant innovations in the endpoint management space for over a decade, since the advent of cloud computing,” said Deepak Kumar, Founder and CEO of Adaptiva. “Unfortunately, most organizations are running uphill with endpoint management tools that weren’t designed for today’s distributed, decentralized, and digital-first world. IT needs tools that provide organizations with total and complete visibility over their endpoints, with real-time and continuous delivery of content to keep them healthy, patched, and secure. This won’t be achieved by the dominant endpoint management solutions in the market today, which still rely on bloated centralized infrastructure, in the cloud and on-prem."

As cyberattacks increase in frequency and magnitude, organizations are under increasing pressure to implement effective endpoint management solutions. Fifty-four percent of respondents had an average of 5 attacks on their organizations in the last year, at an average annual cost of $1.8 million. The cascading effects of system downtime and disruptions to employee productivity have left organizations scrambling to keep up.

Fortunately, enterprises now have options that can help eliminate costly infrastructure and repetitive human effort, while also continuously monitoring and automatically remediating endpoint issues with simple customization that keeps the edge of your network secure.

Visit adaptiva.com to read the full report and learn how Adaptiva’s solutions can help your organization gain proactive control over all their Windows endpoint devices.

**About Ponemon Institute**  
Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors, and verifies the privacy and data protection practices of organizations in a variety of industries.

**About Adaptiva**  
Adaptiva provides serverless endpoint management that eliminates the need for a vast IT infrastructure and monitors itself by automating traditionally manual tasks. Leveraging innovative peer-to-peer protocols, the Adaptiva Edge Cloud Platform is powered by the surplus capacity of existing devices already on the network – in the office or working from home. This enables IT to continuously deliver software, configurations and patches to endpoints no matter where they are. The world’s largest enterprise organizations and government agencies rely on Adaptiva for real-time endpoint visibility and content delivery, as well as automated compliance checks, remediations, and patching without ever throttling the network or the end user experience. Learn how at adaptiva.com.

Nearly Half of Enterprise Endpoints Present Significant Security Risks

Microsoft reveals now-fixed flaw in Apple's App Sandbox controls could allow attackers to escalate device privileges and deploy malware.

Microsoft has revealed a now-fixed flaw in Apple's macOS that allowed specific kinds of code to bypass the operating system's App Sandbox restrictions on third-party applications, potentially allowing attackers to escalate device privileges and install additional malicious payloads.

Microsoft shares credit for the find (CVE-2022-26706) with researcher Arsenii Kostromin, the company said in its announcement, adding that Apple patched the vulnerability in its May 16 security update.

The team at Microsoft discovered the bug while researching malicious macros in Microsoft Office for macOS, they explained in a recent blog post.

"Our research shows that even the built-in, baseline security features in macOS could still be bypassed, potentially compromising system and user data," the team wrote. "Therefore, collaboration between vulnerability researchers, software vendors, and the larger security community remains crucial to helping secure the overall user experience. This includes responsibly disclosing vulnerabilities to vendors."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

MacOS Bug Could Let Malicious Code Break Out of Application Sandbox

Most organizations are flying blind when remediating vulnerabilities. We lack the tooling to secure software fast enough. We need a new approach to vulnerability management now.

In a world increasingly dependent on technology, software sprawl is growing. Companies use custom-built software, open source software, and products from third-party providers when building applications. Through this software supply chain, the digital attack surface expands. Each software dependency can also open it up to potential attack as bugs are found in all types of software that malicious actors can exploit. Certain attacks in the headlines in the last year, including those that impacted SolarWinds and Kaseya, highlight the fragility of the software supply chain and the far-reaching implications if the supply chain is exploited.

Now the federal government is paying attention to software threats. It is now a requirement for companies that want to contract with government agencies to maintain a software bill of materials (SBOM) in order to have a clear and complete inventory of the software an organization has throughout its environment.

In tandem with understanding one's software environment is also the need to find vulnerabilities within that environment. Vulnerability management tools look for specific vulnerabilities and are segmented to specific areas within the various environments where software resides. Some scan for CVEs in the infrastructure, some on containers, and some in OSS libraries.

But there are severe limitations to both of these tools. While SBOM tools have been developed, unfortunately, most require a lot of manual work and are limited to specific parts of the software stack and environment. And while vulnerability scanners may locate bugs, they do not give security teams context that is specific to their own individual environments about how much risk each flaw might pose.

The result is most organizations are still flying blind when it comes to remediating vulnerabilities. Static SBOMs only reveal a point in time view of the software environment. And vulnerability scanners only offer limited information about flaws, with no real "action plan" on how to prioritize and remediate them other than CVE scores, which are of little value in many cases. Tech debt grows, and the attack surface is still massive.

In this software-driven world, we lack the tooling to release secure software — or secure released software — fast enough.

**We Need a New Approach to Vulnerability Management**

With software outpacing the ability of traditional vulnerability management to scan everything, a new approach is needed. The answer? Tools and strategy that allow security and development professionals to see all software across the stack and understand risk holistically.

Here's why.

1.  **Understanding what you have is not enough.** More software and more vulnerabilities are creating huge backlogs for IT. That's why we not only need tools to detect the vulnerabilities associated with the software, but also tools to prioritize these vulnerabilities and understand what matters. Rezilion's research shows that only a small percentage of discovered vulnerabilities are loaded into memory and therefore, exploitable, reducing patching backlogs by up to 85%.
2.  **Context is key.** You must be able to figure out which software and applications will be most affected by vulnerabilities and whether the vulnerability poses a high risk. You also need to know what the attacker will achieve by exploiting the vulnerability and gaining access to your network, and what the impact will be.
3.  **Knowing what vulnerabilities matter doesn't mean you know how to fix them effectively**. Furthermore, remediation has also become more complex with many stakeholders and even more vulnerabilities.

To solve this, security and dev teams need intelligence on how to handle every vulnerability, what packages to upgrade, and to make sure this information is passed to the right stakeholders to make it easy for them to apply patches. This is the future of vulnerability management.

**Detect. Prioritize. Remediate: The New Road Map for Software Attack Surface Management**

The path forward in vulnerability management includes three key stops: Detect. Prioritize. Remediate. If these components sound familiar to you, it's because they're part of a framework called "Attack-Surface Management" that has been successfully applied to assets and networks. This is the strategy needed to expand software security beyond its traditional boundaries of simply scanning for vulnerabilities.

You can arrive at the stops with three capabilities:

**Detect:** A dynamic SBOM to see in real-time into the software environment and identify flaws.

**Prioritize:** A vulnerability prioritization tool to understand which bugs pose an actual risk.

**Remediate:** An automated vulnerability remediation that fixes the critical vulnerabilities.

**Does Your Vulnerability Management Strategy Include the Three Key Elements?**

Ask yourself whether your organization is protected with the traditional approach to vulnerability management using manual tools to find vulnerable software components. Most organizations today are fighting battle that fails to reduce the rapidly growing software attack surface. The best way forward is one that not only identifies bugs but also prioritizes and fixes them quickly and efficiently. That's why new tools and approaches are required in order to truly manage vulnerabilities in today's constantly growing attack surface.

**About the Author**

    

Liran Tancman, CEO and co-founder of Rezilion, is one of the founders of the Israeli cyber command and spent a decade in Israel's intelligence corps. In 2013, Liran co-founded CyActive, a company that built a technology capable of predicting how cyber threats could evolve and offer future-proof security. Liran served as CyActive's CEO and led it from its inception to its acquisition by PayPal in 2015. Following the acquisition, Liran headed PayPal's global Security Products Center responsible for developing cutting-edge technologies to secure PayPal's customers.

Source

DARKReading