Service ingests AWS, GCP and Microsoft Azure data.

DENVER, June 14, 2022 /PRNewswire/ -- Enterprise security teams face unprecedented attack surface expansion as technology evolution, employee fatigue and complicated cloud or digital transformation initiatives strain resources. Optiv, the cyber advisory and solutions leader, today announced the expansion of its Managed XDR (MXDR) offering to ease clients' burden of safeguarding critical data, applications and systems in the cloud (public or multi-cloud) in near real-time with an all-star roster of integrated platforms, including:

*   Amazon Web Services (AWS), which provides clients with additional detection and response capabilities to protect them from increasingly complex cyberattacks.
*   Google Cloud (GCP), which adds comprehensive visibility and workload protection at scale across multi-cloud environments.
*   Microsoft Azure, which offers extensive data protection and integrated services.

Users rely on Optiv MXDR's unique ability to aggregate, organize and prioritize security alerts and configuration changes and correlate them across multiple cloud sources. By chaining services together with leading platforms, Optiv streamlines data collection and enrichment to provide customizable insights to strengthen security controls. Clients are able to address threat detection and visibility on a scale that meets their individual level of cloud adoption. In addition, the service's expansion ensures in-depth coverage and access to rapid investigation and response measures.

"Organizations require enhanced and fully integrated solutions to counter the evolving methods and increased number of cyberattacks by threat actors. As part of Optiv's Advanced Detection and Response solution, MXDR and AWS, GCP and Azure help our clients reduce their risk and focus their valuable resources on the things that matter most," said Rocky Destefano, Optiv's chief technology officer. "By innovating with world-class cloud partners, we're taking Optiv's security analysis expertise to the next level and helping our clients secure their future by focusing on the very best of what the market has to offer."

Optiv's MXDR was launched in August 2021. A collaborative approach to cutting-edge services, products and technical experts is necessary to defend against a wide-range of adversaries. With expanded integration in the cloud, organizations have the potential to lean on Optiv to provide enhanced detection and response, quicker returns to operational normalcy and business-centric outcomes across every stage of the security lifecycle, no matter the level of maturity.

For the latest news and updates from Optiv, visit https://www.optiv.com/newsroom/.

**Follow Optiv**

Twitter: www.twitter.com/optiv  
LinkedIn: www.linkedin.com/company/optiv-inc  
Facebook: www.facebook.com/optivinc  
YouTube: www.youtube.com/c/OptivInc  
Blog: www.optiv.com/explore-optiv-insights/blog

**Optiv** **Security: Secure greatness™**

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to more than 7,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

Optiv MXDR Enhances Detection Coverage With Expanded Cloud Integration

New open source database details the software that cloud service providers typically silently install on enterprises' virtual machines — often unbeknownst to customers.

RSA CONFERENCE 2022 – If cloud services weren't complicated enough for the typical business today to properly configure and secure, there's also a lesser-known layer of middleware that cloud providers run that can harbor hidden security flaws.

Researchers from Wiz.io last week at RSA Conference in San Francisco unveiled an open source, cloud middleware database on GitHub that details the specific middleware agents that Amazon Web Services (AWS), Google, and Microsoft install on their cloud customers' virtual machines. The goal is to shine a light on this traditionally hidden proprietary software layer and its potential software flaws that can leave a cloud customer unknowingly at risk of attack.

Cloud providers often silently install these "secret agent" middleware programs on their customers' virtual machines, and with the highest privileges, as a "bridge" between their cloud services and their customers' VMs. The Cloud Middleware Dataset database project aims to provide cloud customers insight into this layer of software they rarely know exists on their virtual machines in a cloud service — and the potential security risks associated with it.

"These agents are adding an additional attack surface and cloud customers don't know about those agents ...; most are installed silently. If they come pre-installed, they have no idea" either, Shir Tamari, head of research at Wiz.io, told Dark Reading in an interview at the RSA Conference last week.

The most high-profile example of cloud middleware gone wrong was the discovery of major flaws in Microsoft Azure's Open Management Infrastructure (OMI) agent software last fall. Tamari and his fellow researchers unearthed major remote execution and privilege escalation vulns in Azure, with a collection of flaws they dubbed OMIGOD. OMI runs on many Linux VMs in Azure to provide configuration management functions for cloud customers.

Of the four OMIGOD vulnerabilities (CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649), the most painful one was CVE-2021-38647, which could allow an attacker to gain root on a VM with a single packet, merely by stripping the authentication header. The problem: A default configuration for OMI was exposed the HTTPS management port on the public Internet. Microsoft provided auto-updates for Azure to address the flaws, after initially releasing patches that most Azure customers had no idea applied to them since they weren't aware of OMI.

"There was confusion over how to handle this middleware" patching, Tamari said.

The Cloud Middleware Dataset so far includes several agents used in Azure in addition to OMI, such as Microsoft Azure Guest Agent (WALinuxAgent), which is preconfigured in all Azure Linux images and has root privileges. WALinuxAgent's listing in the database notes that the agent previously contained an information disclosure vulnerability, CVE-2019-0804. If exploited, it could allow an attacker to access memory in the kernel from a user process.

Other Azure middleware detailed in the database are Operations Management Suite, dependency agent, pipelines agent, and RD Agent service, each of which is employed in various Azure services.

AWS, meanwhile, has four such middleware agents listed in the dataset, AWS Systems Manager Agent (SSM Agent), AWS PV Drivers, AWS ECS container agent, and AWS EC2 Hibernation Initialization Agent. A local privilege escalation flaw CVE-2022-29527 was found this year in SSM Agent that an attacker could use to gain root access. That agent comes preconfigured in Windows, Linux, and macOS VM images.

Google Cloud runs Accounts Daemon, OSConfig agent, and a guest agent in its cloud services, all of which are Linux-based. OSConfig and guest also run on Windows. Accounts Daemon, which works in Google's OS Login service, previously was patched for a local privilege escalation flaw, CVE-2020-8933, that would have given root access. OSConfig, which is built into GCP VM images, also had a local privilege escalation vuln in 2020 that Google later fixed.

**What to Ask About Cloud Middleware**

So, how can organizations pinpoint these "secret agents," as Wiz researchers refer to them?

In an interview with Dark Reading at RSAC, Wiz co-founder and CTO Ami Luttwak said organizations should ask questions of cloud providers to get a clear view of what their software environment looks like: "Whose middleware is it \[and\] how do you know if it's running on your environment" and does the software contain vulnerabilities, and how are updates and patches handled?

"This is a different attack surface. It's a gray area," he said. "It needs transparency and a clear process for updates for agents, VMs."

Beware the 'Secret Agent' Cloud Middleware

SSO's one-to-many architecture is both a big advantage and a weakness.

With the average enterprise using almost 1,000 applications, it's no surprise that single sign-on (SSO) has become such a critical gatekeeper. It provides ease of access and can eliminate the sprawl of usernames and passwords that haunt users and frustrate administrators.

While SSO is useful, it's not without inherent risk. Since it uses a one-to-many architecture, if an identity is breached, an attacker instantly gains access to all of the resources that particular account holder is authorized to use. As we know, users will often select weak passwords and can easily fall prey to phishing attacks.

Another challenge is that not every system can use a single sign-on solution, leaving gaps in security. While most SSO technologies can support multiple cloud-based applications, homegrown and legacy applications require different approaches, like Microsoft Active Directory. This creates identity silos and creates massive complexity.

Meanwhile, passwords remain the weak link in any security implementation, including SSO, because they don't actually validate the identity of the user.

**Mitigating SSO Risks**

Multifactor authentication (MFA), which is supported by many SSO solutions, is usually layered on top of usernames and passwords, but there's no identity verification taking place other than something you know (mother's maiden name or such) and something you have, such as your cellphone. Combining MFA and identity verification will fill some of the gaps in SSO.

Adding identity verification works well for organizations that already scan employees' biometrics, drivers' licenses, or passports in the hiring process because they already have a proof of identity on file for comparison. Identity-proofing all employees before issuing credentials is a strong first step toward bringing SSO into the zero-trust world, which requires reauthentication when risk factors are elevated.

However, in order to implement zero-trust access, organizations must validate a user's identity and not just require an additional authentication factor. That's because if an attacker has compromised a user's identity, asking for reauthentication or a second form of authentication will not detect that the access request is being made by someone who is not actually the authorized user. Without this fundamental understanding of identity, any authentication method including SSO cannot be trusted.

Replacing passwords as the main method of identifying a user is the key first step in making SSO more secure, but several other techniques can build on that effort to make it even more secure and easy to use. Security analytics can be used to detect anomalies in user behavior patterns. For example, if a user has made a few failed attempts to log on or is connecting from an unusual device or location, the system could require a new secondary form of authentication.

It's also important to understand what digital assets are not covered by SSO. For example, custom-built and legacy applications don't not easily integrate with SSO. Therefore, an approach that marries identity verification with authentication provides the trust levels necessary to support both SSO and extend passwordless access to assets that are not covered by SSO.

If an SSO implementation is still based on passwords, it's extremely important to establish a secure password reset process. For example, using verified biometrics that use what's called liveness detection to make sure that a static image of the user is not being used to spoof the system. This type of capability can ensure the authorized account holder is present when resetting a password, and that the reset is not being performed by an attacker.

Clearly, SSO's one-to-many architecture is both a big advantage and a weakness. By supplementing SSO with identity verification and advanced MFA, it's possible to eliminate passwords in a safe and secure fashion.

Understanding and Mitigating Single Sign-on Risk

The combination of Awingu and the Parallels Remote Application Server platform will enable end users to securely work from anywhere, at any time, on any device, or OS.

OTTAWA, June 13, 2022 (GLOBE NEWSWIRE) -- Corel, a leader in professional creativity and productivity solutions, today announced it has acquired Awingu, a provider of secure remote access technology, for an undisclosed amount. Awingu will become a part of the Parallels brand portfolio. The combination of Awingu and the Parallels® Remote Application Server (RAS) platform will give end users added flexibility and freedom they need to securely work from anywhere, at any time, on any device, or OS. Parallels, part of the Corel group, is an all-in-one application delivery and virtual desktop infrastructure (VDI) solution that provides remote access to virtual applications and desktops delivered through on-premises, hybrid, or cloud-based environments.

Ideal for both mid-market and large enterprises, Awingu provides a secure way for organizations to facilitate bring your own device (BYOD) or work from anywhere policies through its easy-to-use and secure unified workspace. With this technology acquisition, the Parallels RAS platform will become a one-stop solution that gives customers the ability to easily access legacy and cloud-native applications and files, while alleviating the worry of data security and infrastructure complexity from IT teams.

“The future of work is now; we are living it. The pandemic further accelerated the need for organizations to determine and shift their remote and hybrid work infrastructures. Now, organizations are figuring out how they can cater to the flexibility that employees want with their workplaces while also ensuring secure and efficient access,” said Prashant Ketkar, Chief Technology and Product Officer, Corel. “We’re committed to helping organizations navigate this shift in the workplace, and with the addition of Awingu we’re one step closer to improving the experience for every stakeholder that interacts with our products.”

Awingu will continue to operate alongside Parallels’ offerings to deliver secure remote workspaces for customers in healthcare, finance, manufacturing, government, and telco verticals. Additionally, Awingu will expand its integration with Parallels to accelerate innovation and provide a unified capability for secure remote access to both legacy and cloud-native applications. This will provide a range of solutions for customers leveraging on-premises assets, hybrid architectures, and any cloud.

“I’m excited to join the Corel organization with the Awingu team. Both companies have a customer-first mindset and share the mission to ensure a seamless, secure, and effective workspace no matter where an employee is located,” said Walter van Uytven, CEO, Awingu. "Together with Parallels RAS, we’ll bring a broader, richer set of solutions across the secure remote desktop and app streaming industry to our customers.” The Awingu team, including CEO Walter van Uytven, will join Corel, bringing their strategic and engineering expertise to the organization to help accelerate product roadmaps.

Unlike most solutions in the market, Awingu does not require agents on the server or software to be installed on end-user devices. Awingu is “clientless” and runs entirely in the browser, where it aggregates all company files and applications, including SaaS and legacy Windows or Linux applications into one online workspace with one login. The ability to aggregate traffic provides an audit mechanism to secure actions in remote workspaces, enabling administrators to implement a zero trust security solution at the edge. This ease of use and simplified deployment enables customers to implement Awingu in hours, not days, empowering IT departments of all sizes to enable secure remote workspaces for their end-users. Founded in 2011 and headquartered in Ghent, Belgium, Awingu has been named a Gartner Cool Vendor in unified workspaces. Awingu is available in over 20 countries and partners with organizations like Microsoft, Blackberry, and Barracuda and serves customers such as the Port of Antwerp, Peloton, UDLAP University, and ConvergeOne.

Corel is a KKR portfolio company. Awingu was previously backed by Pamica NV, an investment company of Awingu’s former Executive Chairman, Michel Akkermans.

**About Corel**  
Corel products enable millions of connected knowledge workers around the world to do great work faster. Offering some of the industry's best-known software brands, we give individuals and teams the power to create, collaborate, and deliver impressive results. Our success is driven by an unwavering commitment to deliver a broad portfolio of innovative applications – including CorelDRAW, MindManager, Parallels, and WinZip – to inspire users and help them achieve their goals. To learn more about Corel, please visit www.corel.com.

**About Awingu**  
Awingu is a browser-based "Unified Workspace" that allows users to work and collaborate from virtually anywhere using any device compatible with HTML5 browsers. Awingu offers businesses the ease and convenience of platform-independent mobility and Bring Your Own Device. Awingu requires zero client software installation, making IT administration extremely simple. Awingu is headquartered in Ghent, Belgium, with offices in New York, United States.

Corel Acquires Awingu

Google last week reported seven vulnerabilities in the browser, four of which it rated as high severity.

The US Cybersecurity and Infrastructure Agency (CISA) Friday urged users and administrators to update to a new version of Chrome that Google released last week to fix a total of seven vulnerabilities in its browser.

In an advisory, Google described four of the flaws — three of which were reported to the company by external researchers — as presenting a high risk for organizations. The company said it had decided to restrict access to bug details until most users have updated to the new version of Chrome (102.0.5005.115).

One of the vulnerabilities is a so-called use after free issue in the WebGPU application programming interface for functions such as computation and rendering on a Graphics Processing Unit. The bug (CVE-2022-2007) is remotely exploitable and can have an impact on the confidentiality, integrity, and availability of affected systems, according to a description of the flaw on vulnerability database VulDB. "No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction," VulDB noted.

Google awarded $10,000 to the security researcher who reported the flaw to the company in May. VulDB estimated the price for an exploit for the flaw to be between $5,000 and $25,000 currently, though that could go up soon, it noted.

The second flaw is an out-of-bounds memory access use in the WebGL API for rendering 2D and 3D graphics. Two researchers from Vietnamese firm VinCSS Internet Security Services reported the bug (CVE-2022-2008) in April. VulDB described the flaw as being remotely exploitable but requiring at least some user interaction by the victim. The flaw appears to be easily exploitable and requires no authentication, VulDB said. Google's advisory noted the reward for disclosing the vulnerability had yet to be determined.

The third high-severity vulnerability that the new Chrome version addresses (CVE-2022-2010) is an out-of-bound read issue in compositing or in rendering Web page content. A security researcher with Google's own Project Zero bug hunting team discovered the vulnerability in May. Like the other two flaws, this one also affects the confidentiality, integrity, and availability of affected systems, VulDB said.

The fourth high severity vulnerability that Google disclosed is a use-after-free issue that an external security researcher reported to the company in May. The flaw (CVE-2022-2011) exists in ANGLE, a function that Google describes as an "almost native Graphics Layer engine" in Chrome. The memory corruption vulnerability has a near identical impact as the other three, based on VulDB's description of the issue.

**CISA: Flaws Allow Attackers to Take Control of Affected Systems**

CISA urged organizations to review Google's Chrome release note and apply the update to mitigate risk. "Google has released Chrome version 102.0.5005.115 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system," it said.

The seven flaws that Google addressed with its latest Chrome version is considerably smaller in number than some other recent Chrome-related bug disclosures from the company. A Chrome update that Google released on May 24 included fixes for 32 flaws, one of which was rated as being of critical severity while seven others were rated as being highly critical. Another update, also in May, contained fixes for 13 flaws, eight of which the company rated as being of high severity.

CISA Recommends Organizations Update to the Latest Version of Google Chrome

Employee email compromise potentially exposed patients' medical information, including lab test results and dates of services.

Kaiser Permanente recently revealed that an employee email compromise on April 5 left personal medical information on nearly 70,000 of its patients at risk of compromise.

Although Kaiser said the attacker had access for only a couple of hours and there is no evidence that sensitive data was breached, patient information including first and last name, medical record number, dates of service, and lab test results were involved, the company said in a notice about the incident. 

The US Department of Health and Human Services Office for Civil Rights is investigating the compromise, which took place at the Kaiser Foundation Health Plan of Washington and potentially impacted a total of 69,589 patients, its website said. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Kaiser Permanente Breach Exposes Data on 70K Patients

Public Travis CI logs loaded with GitHub, AWS, Docker Hub account tokens, and other sensitive data could be leveraged for lateral cloud attacks.

A security flaw in the Travis CI API has left tens of thousands of developers' user tokens and other sensitive information exposed to attack, as threat actors could use the credentials to wage attacks in cloud services, including GitHub, Amazon Web Services (AWS), and Docker Hub.

The issue was first reported as far back as 2015, but the vulnerability in the API can still be exploited to launch attacks laterally across the cloud, according to a new blog post from Team Nautilus, which notes that all free-tier users of Travis CI are at risk.  

The Travis CI API is commonly used by developers to test apps, and during their research the analysts were able to access more than 770 million cleartext logs, chock-full of the kind of sensitive data that threat actors could leverage to move laterally across cloud services for malicious activity. 

"We disclosed our findings to Travis which responded that this issue is 'by design', so all the secrets are currently available," according to the post on the Travis CI API vulnerability. "All Travis CI free tier users are potentially exposed, so we recommend rotating your keys immediately."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Exposed Travis CI API Leaves All Free-Tier Users Open to Attack

Cut away everything that costs more attention, storage, or time than its impact is worth.

One of my favorite quotes comes from John Naisbitt's book _Megatrends_: "We are drowning in information but starved for knowledge." This quote so accurately captures much of modern life. In particular, it succinctly describes the state of many enterprise security programs that, unfortunately, suffer from high levels of false-positives and other "noise" that reduce their effectiveness.

To understand why security teams are so held back by noise, we must first understand the consequences of noise for the security team. While not an exhaustive list, here are a few key repercussions.

**Wasted cycles****:** When security teams build a workflow around a centralized work queue, that work queue needs to be attended to — from triage and incident-handling to analysis, investigation, forensics, and recovery. That means that all events in the queue need to be prioritized and reviewed. Noise fills this queue with items to review that do not add value to the security program. In other words, noise wastes the security team's precious and valuable cycles.

**Missed true-positives**:**** The phrase "finding a needle in a haystack" is an apt one in security, and in security operations in particular. The needle represents true-positive security incidents, while the haystack represents false-positives. The more false-positives there are, the more difficult that makes finding the real security incidents that are buried in the noise.

**Increased infrastructure costs**:**** Noise also comes with an infrastructure cost. Each log, alert, and event, regardless of whether it adds value, must be retained. Thus, if the team is collecting a large amount of information that adds little to no value, they are merely using excess infrastructure. This comes with a cost that takes budget away from areas where it could add significantly more value. Identifying budget for a never-ending list of security priorities is always high on the list for security leaders.

**Skewed metrics**:**** False positives tend to skew metrics. Certain metrics, particularly those that focus on percentage of time spent on security incidents, ratios of true-positives to false-positives, volume of incidents, number of incidents handled, and analyst time per incident will be highly affected by the volume of noise. The lower the rate of false positives can be, the more accurately and favorably these metrics will turn out.

**How to Eliminate the Noise**

Knowing a few of the reasons why false-positives and noise negatively affect our security program helps us build a plan to address the problem. Here are nine suggestions that I've found helpful over the course of my career.

**1\. Begin with risk**:**** Not surprisingly, a firm understanding of and commitment to risk is the strongest of bases for building a strong security program. Assess the risks and threats to the enterprise, understand what within the enterprise they affect, and learn the potential cost and potential for damage and loss associated with each one.

**2\.** **Create goals and priorities**:**** Selecting when to address what is one of the most important strategic decisions a security team can make. Prioritize the risks and threats enumerated in the previous step and create goals and priorities that will be addressed both near-term and longer-term.

**3\. Assess impact**:**** Identifying critical assets, key resources, and important data stores, among other things, helps the team understand the potential impact of an incident. Knowing where the most sensitive and important assets, resources, and data are helps focus the team on where gaps in telemetry exist.

**4\. Identify data overkill and gaps**:**** Understand the existing telemetry collection in place and evaluate whether each data source contributes to improving detection for the security team. If it doesn't, then collecting it just adds infrastructure costs while not adding value. Identify gaps in telemetry that leave the team blind to potential security incidents and develop a plan to address those gaps.

**5\. Consider technology overkill and gaps**:**** Look closely at existing technology that is in place. Examine where technology is helpful, such as producing highly reliable security alerting, collecting valuable telemetry data, or making process and workflow more efficient. Keep a close eye on where technology is fighting, rather than helping, the security team, as well as where gaps exist in telemetry and detection.

**6\. Throw out the default rule set**:**** Rules, signatures, and other detection techniques that generate a large volume of noise do not add value to the security program. Instead, they bury the team in false-positives and actively work against timely and accurate detection of security incidents. It may sound radical, but there are far more benefits to throwing out the default rule set than there are disadvantages.

**7\. Implement tight detection****:** Truly embracing the "less is more" philosophy includes incisively interrogating the data to produce high-fidelity, high-reliability alerts and events. While implementing more sophisticated approaches to detection requires a significant time investment up front, it pays big dividends. The better the alerting and eventing, the more signal and the less noise the work queue will have.

**8\. Focus on process**:**** The highest quality work queue in the world won't help when there are broken or nonexistent processes. A world-class security team has mature, efficient, and effective processes that guide and govern how they work.

**9\. Continuously improve**:**** No security program is in an ideal state, and the best security teams are keenly aware of their weaknesses and opportunities for improvement. Taking lessons learned from each of the above points and using them to continuously improve the security program is critical to its long-term success.

The conventional wisdom that more data, more events, and more alerts make for better detection is outdated and misinformed. Through a strategic focus on risk and a methodical approach to reducing noise, enterprises can improve both the state of their detection capabilities and the maturity of their security programs. Improving the signal-to-noise ratio and embracing the "less is more" philosophy for security can help enterprises detect security incidents sooner and more accurately while wasting significantly fewer resources on false-positives and noise.

In Security, Less Is More

In this new episode of Tech Talks, Darktrace's Tony Jarvis and Dark Reading's Terry Sweeney discuss how to protect networks after the death of the perimeter.

The pandemic-propelled shift to work-from-home and bring-your-own-devices accelerated the already expanding move to the cloud. IDC predicts that global cloud spending will grow from $703 billion in 2021 to $1.3 trillion in 2025. Statista reports that the percentage of corporate data stored on the cloud rose from 30% in 2015 to 48% at the beginning of the COVID-19 crisis in 2019; so far in 2022, 60% of corporate data lives in the cloud rather than on-premises networks.

In this installment of Tech Talks, Tony Jarvis, director of enterprise security for Asia Pacific and Japan for Darktrace, and Dark Reading contributing editor Terry Sweeney discuss the rise of the cloud, the decline of on-premises, and the possible death of the traditional perimeter in the wake of those technological shifts. 

"There's a lot of digital transformation that's taken place virtually overnight," Jarvis says. "Some organizations are struggling with this. And for that reason, they're not going to fully abandon on-premise networks anytime soon."

Indeed, a recent InformationWeek report shows that while IT pros widely use cloud services, they believe the cloud is less secure than their traditional on-premises systems. Over half of respondents (55%) would keep sensitive data on-prem if they could, the report indicates.

As on-premises networks decline in favor of cloud resources, however, those IT departments need new security measures to accommodate the new IT environment. 

"There's no real perimeter anymore — not in the traditional sense — and that means that things can get in through a number of different ways. We need to get better at detecting that," Jarvis says.

New incursion paths require new ways to guard against invasion. At the beginning of 2022, the US Office of Management and Budget released a detailed blueprint for security measures it requires government agencies and vendors to implement, and zero-trust policies ranked prominently. Sweeney asked Jarvis whether he thinks zero-trust architectures can keep endpoint devices secure when they're away from VPNs.

"I think of zero trust almost like a new set of rules or a new perimeter. And we want to be looking for anomalies taking place within that perimeter," Jarvis says. That means looking for unusual behaviors that will give away an attacker's motivations, such as lateral movement and living-off-the-land techniques. Artificial intelligence tools can automatically look for deviations from the norm and cut off those actions.

Of course, cloud security means accepting that attackers don't care if they are targeting cloud or on-premises systems. Focusing on one at the expense of the other is a problem. The attacks will focus on wherever they see weakness.

"We're always thinking not in terms of good or bad per se, but more in terms of normal — Does this belong in the environment? — and then, by association, unusual," Jarvis said. "Attackers will always go after the weak spots; they'll go after whatever gives them the greatest chance of getting in, no matter where that is."

Tony Jarvis on Shifting Security Gears as We Move to the Cloud

The annual report is always filled with useful security information. Here are several of the most important lessons from this year's edition.

The data in the new Verizon "Data Breach Investigations Report" (DBIR) offers critical insights into the current state of cybersecurity. After a year of data breaches and cyberattacks consistently dominating headlines, this year's report closely examines what adversaries are looking for when they're trying to infiltrate businesses and organizations. This year's DBIR, the 15th edition, confirms what we assumed: Cyber threats are on the rise and we must work together to better our security posture. The findings collected in the report are timely for the trained security researcher, but here are three takeaways I think are the most important.

**Conducting the Symphony of Disruption**

The most common action that adversaries are taking to disrupt their target's IT ecosystem is launching denial-of-service (DoS) attacks that effectively flood a network with traffic or information in the pursuit of crashing it. The 2022 DBIR says that 46% of all incidents were DoS attacks, followed by remote access–led attacks, including backdoor and command-and-control-based attacks. Distracting and disrupting the IT and security teams in this way can help obfuscate and bury the other adversarial activities in their toolkit as they look for their initial access.

Ransomware, phishing, stolen credentials, and several other types of attacks round out the list, but one attack vector stands out from the rest. More than 60% of security incidents over the past year were conducted through a Web application, consistent with data collected by Verizon in past years.

Because Web applications — closely followed by email — are where your organization most frequently connects to the Internet, it makes sense that they'd be the primary vectors for threat actors trying to breach your environment. While a Web application may fall victim to a hacker proficient with SQL or with an exploit handy, email is the domain of virtually every employee at every organization. That's why social engineering played a role in nearly all 5,212 breaches recorded in the 2022 DBIR.

**Is Your Human Secure?**

The 2022 DBIR highlights the importance of maintaining a strong security awareness program, which I believe is a critical element of securing an organization. Just about 82% of all breaches recorded last year involved social engineering in some form, with threat actors preferring to phish their targets via email more than 60% of the time.

Though the DBIR found just 2.9% of employees actually clicked on phishing emails last year, that's more than enough for hackers to work with, especially if they're able to steal credentials or dump their malware of choice following the phish. For me, the important point is that there is a continuing trend for staff to report more phishing attempts – and even more importantly, to report them after they have responded to a phishing email.

Building an organizational culture that allows staff to be comfortable admitting they were duped is a difficult task because security awareness traditionally is a stick used to punish people and a metric to cover the company's compliance checkboxes.

Security leaders need to create a program that goes of their organization and doesn't just shame them for failing. For example, we need to create programs that don't automatically "fail" someone for clicking a link, because that's why links exist! A program that seeks to trick their own colleagues into failing is generally unproductive in the educational process and does almost nothing for the company's security posture.

A good security awareness training program is consistent, targeted, and limited in scope to allow employees to learn and practice one security skill at a time. Avoiding information overload will keep employees engaged and ready for emerging threats.

And lastly, security awareness is not just a corporate project. Strong awareness and education will help staff be more aware of digital risks in their personal lives as well. Well-implemented security awareness programs take advantage of this blurring to encourage their staff to care about security.

**The Ransomware Business Is Booming**

Ransomware, to nobody's surprise, is increasing in frequency by 13% over the prior year, with almost 70% of malware breaches involving some form of it. The dramatic increase in ransomware attacks — as large as the increases of the last five years combined, according to the report — makes sense, as hackers looking to make a quick buck need only encrypt their target's data rather than seek out specific financial information or credentials within their environment.

The report also states that 40% of ransomware incidents last year involved the use of desktop-sharing software. For example, cybercriminals used this tactic when exploiting vulnerabilities in Microsoft RDP, or just weak or stolen user credentials. On the other hand, 35% of ransomware incidents involved the use of email, leading to researchers recommending that organizations lock down their RDP and ensure their emails are scanned for potential phishing attempts. How we are in 2022 and still suffering from attacks over such a well-known attack vector as email is surely one of the biggest questions to come out of this report.

**Final Thoughts**

The DBIR is an excellent resource for the cybersecurity community to evaluate a tumultuous past 12 months, and the data within can be evaluated to predict the trends in attack types, vectors, and the motivations of hackers throughout the next year. In 2021, adversaries made it clear they were more focused on money than anything else, and with vulnerability exploits doubling from the previous year, it's a safe bet to say that once again the fundamentals of cybersecurity – across both IT hygiene and human engagement – will be the key to reducing the risk of damage and loss.

Source

DARKReading