Organizations looking to maximize their security posture will find AI a valuable complement to existing people, systems, and processes.

Source: marcos alvarado via Alamy Stock Photo

COMMENTARY

The global rise of increasingly sophisticated cybercrimes creates daily challenges for the cybersecurity industry, as security professionals grapple with new and evolving attacks, complex IT architecture, and the integration of artificial intelligence (AI) into nefarious actors' tactics, techniques, and procedures (TTPs). As a result, cybersecurity practitioners feel a sense of urgency to stay at the forefront of technological advances to defend against a growing arsenal of exploits.

In this environment, a methodical approach to the intentional use of AI for cybersecurity protocols will help avoid falling prey to the hype and myths of groupthink, such as these five myths of AI and cybersecurity: 

**1\. You'll fall behind if AI isn't your primary solution for cybersecurity.**

While AI can enhance cybersecurity tasks by analyzing large volumes of data to recognize nefarious identifying patterns, it can also be susceptible to false positives and negatives, be trained on bad data, or act in unexpected ways. Many common cyber threats can still be effectively mitigated through basic security practices like strong passwords, regular patching, and employee awareness about social engineering. Incorporating AI into security solutions is not a license to abandon proven tools and replace established best practices. Sophisticated attackers will find ways to evade AI-based detection, so adopting AI cannot be the only solution for security and defense. Time-tested security practices like organizational culture, leadership commitment, and employee training are still critical fundamentals of a robust organizational risk management practice. 

**2\. Threat actors are using AI, which will lead to an exponential increase in cyberattacks.**

AI is undoubtedly a powerful tool that can be used for both good and bad — it's not a guaranteed game-changer for threat actors. The cybersecurity landscape is a dynamic battleground, and the interplay between AI-powered attacks and defenses is complex. AI may increase the speed and sophistication of certain attacks, such as better phishing attempts; however, it has not fundamentally changed the attack vectors or the attack surface within organizations. A mature security posture using foundational defensive practices continues to be a sound approach to reducing risk and thwarting attacks. 

**3\. AI-powered tools are better, and every tool needs an AI feature.**

AI-aided tools can provide powerful additions to a defensive infrastructure with quicker, more comprehensive data discovery. Left unchecked, AI is capable of producing sometimes comical but altogether bad results, such as the Google Overview suggestion of adding glue to homemade pizza sauce, or the McDonald's AI drive-through putting bacon on ice cream. In cybersecurity, erroneous results have serious consequences, including loss of trust, excessive costs, and endangering human safety. The potential benefit of any AI-powered resource must be balanced against the potential cost of error. The safest use of AI is within a layered defense model, which allows for verification and redundancy in protective solutions. 

**4\. You can only combat AI with AI.**

AI is a valuable tool in the cybersecurity quiver, but it's not impenetrable. Like any other defensive technique, attackers can exploit vulnerabilities in AI models or develop exploits to bypass AI defenses. Combating AI threats requires a multilayered approach that combines AI with human expertise, traditional security measures, and a strong focus on prevention, detection, and response. Using AI to combat AI may also raise ethical and legal concerns, particularly around issues like autonomous decision-making, accountability, and potential for misuse. These concerns must be carefully considered before implementation, to ensure responsible, ethical use of AI in cybersecurity. By leveraging the strengths of both humans and AI, organizations can build a more resilient and effective cybersecurity posture. 

**5\. AI is going to replace your job.**

Companies who are hiring fewer entry-level people for cybersecurity roles are not doing so because AI has eliminated those jobs; rather, they are limited by shrinking budgets and a need to hire people who can make an immediate impact when they come onboard. AI excels at automating repetitive tasks, analyzing vast amounts of data and identifying patterns, but human intuition and judgment is still needed to interpret those insights, make critical decisions, and adapt strategies to combat evolving threats. At its best, AI allows humans to focus on creative and strategic thinking to deliver complex problem-solving. The prominence of AI has created new jobs like AI engineers and AI ethicists to manage AI systems. AI-related roles, along with roles in cybersecurity, will continue to emerge and evolve. AI won't replace people, but people who know how to work with AI may replace people who don't. 

Effective cybersecurity requires a multilayered approach that combines technology, processes, and people. Solely relying on AI for cybersecurity can create a false sense of security, and AI-based cybersecurity solutions can be costly and complex. While AI is transforming the workforce, it's unlikely to lead to widespread job displacement. Instead, it likely will change the nature of work and require adaptation and development of new skills.

Progressive companies will see the value of investing in training programs and implementing policies that support workforce transition. Organizations looking to maximize their security posture with enhanced value, productivity, creativity, and innovation will find AI a valuable complement to existing people, systems, and processes.  

**About the Authors**

Senior Vice President & Executive Dean, Western Governors University

Paul Bingham is the senior vice president and executive dean at Western Governors University’s School of Technology, which currently serves 60,000 students nationwide and is the top conferrer of cybersecurity degrees in the country. Prior to WGU, Paul spent 24 years as an FBI agent, leading and managing domestic and international cybersecurity investigations and FBI SWAT teams on over 100 high-risk tactical missions. 

SIEM & Data Analytics Engineer, H2L Solutions Inc.

Micah VanFossen is a cybersecurity engineer currently working as a SIEM & Data Analytics Engineer at H2L Solutions Inc., where he focuses on data ETL (enrich, transform, load) processes, detections, and data analysis. He is a lifelong learner, spending time researching, studying, and educating others through his blog, The Purple Van. Micah is also a member of the SIII Tiger Team for the US Cyber Games Program and holds an MS in cybersecurity and information assurance from WGU.

Top 5 Myths of AI &amp; Cybersecurity

Improvements in cybersecurity and basics like patching aren't keeping pace with the manufacturing sector's rapid growth.

Source: Robert Evans via Alamy Stock Photo

In the past year, the manufacturing industry has been the top target for ransomware groups, due to the sector's lack of technological advancement, even as its digital footprint continues to grow.

According to a study released by Black Kite, the manufacturing sector accounts for 21% of ransomware attacks and places manufacturing entities at a significantly high risk, making them more than three times as likely to suffer a ransomware attack.

Not just this, but out of the 5,000 companies that were examined, 80% of manufacturing companies have "critical" CVSS-rated vulnerabilities, 67% of which are already listed in the Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity and Infrastructure Agency (CISA). 

"The manufacturing industry stands at a critical juncture, where the stakes of third-party risk have never been higher," the Black Kite researchers wrote. "The rapid pace of digital transformation has opened new avenues for efficiency and innovation but has also introduced significant vulnerabilities."

The threat actors are aware of the weak links that have opened up due to the industry's rapid growth and are aware that "these companies play critical roles within global supply chains."

When one operation or company in the chain gets attacked, it can lead to a domino effect and "cascading operational disruption and financial and reputational damage." In short — when threat actors target both manufacturing and supply chains, they get more bang for their buck if they succeed.

**Manufacturing a New Defense**

So, what can enterprises that are more likely to fall victim to an attack do to prevent the worst from happening?

First, organizations must recognize that though many systems will be affected when updated, that doesn't justify allowing systems to become exposed on the Internet. 

"Patch management is the first line of defense, yet it's widely neglected in this industry," Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, tells Dark Reading. With a majority of these organizations having Internet-facing assets that are likely rife with vulnerabilities, Dikbiyik says this is low-hanging fruit for threat actors and must be addressed as quickly as possible.

In addition, organizations must address exposed credentials and better secure their Web applications to prevent becoming the next ransomware statistic, he adds.

"Cybersecurity doesn't have to be a barrier to innovation — it can be a growth enabler," Dikbiyik says. "With the right cyber defenses in place, manufacturers can protect their expanding digital operations while continuing to grow without sacrificing safety."

Manufacturers Rank as Ransomware's Biggest Target

The addition of Network Perception will provide Dragos with enhanced network visibility, compliance and segmentation analytics to the Dragos OT cybersecurity platform.

Source: ElenaBs via Alamy Stock Photo

Industrial control systems (ICS) provider Dragos today announced that it has acquired Network Perception for an undisclosed sum, a move aimed at expanding its threat detection and visualization capability for operational technology (OT) environments.

Since its founding in 2016, Dragos has emerged as one of the leading providers of cybersecurity protection for ICS systems. It has amassed $440 million in Series D funding and has over 400 employees. The company that Dragos bought, Network Perception, is lesser known and considerably smaller. It has only 27 employees and has raised $15.73 million, most of which is Series A funding from 2022.

The Dragos threat intelligence platform, designed for OT infrastructure, includes sensors that monitor networks for anomalies and IOCs and visualization tools to track assets and risks and provide response playbooks.

Adding Network Perception promises to fill a gap in the Dragos platform, company officials told Dark Reading. Network Perception's NP-View tool provides network visibility, compliance monitoring, segmentation analytics and reporting for various large electric utilities.

**Early Ties with Government and Industry Regulators**

Network Perception was incubated roughly a decade ago at the University of Illinois at Urbana-Champaign (UIUC) cybersecurity research lab. At the time, co-founder and CEO Robin Berthier says he and his team were working on the U.S. Department of Energy's 10-year cybersecurity roadmap, which developed a prototype for what is now NP-View.

"We grew pretty fast to become the de facto solution in the electric industry as the OT network visibility and segmentation analysis solution, which is extremely important in the case of compliance for the regulation in this industry," Berthier says.

He credits Network Perception's initial success to the decision by the industry's key regulators, North American Electric Reliability Corp. (NERC) and the Federal Energy Regulatory Commission (FERC), to use NP-View to conduct audits nationwide in 2017. According to Berthier, Network Perception has since tallied about 100 customers.

Berthier claims that NP-View is unique because it ingests only configuration files from firewalls, routers and switches deployed in OT networks, not log data or telemetry from sensors.

"From those configuration files, we build a model of the environment, and we can then show a topology map of those complex networks and check all the potential pathways inside those environments, which is very complementary to what Dragos is doing," Berthier explains.

Further, he notes that while Dragos' sensors monitor network traffic, security operators still must decide what steps to take to address suspicious activity and anomalies. "It's really important to have the context around the network's access policy, like the zone-to-zone accessibility," Berthier says.

**Modeling Network Traffic for Threats**

NP-View models an adversary's potential targets, including which ports and services are vulnerable and what's permitted by the firewalls, according to Berthier. "It is that part of the modeling of networks that gives you that information that is extremely complex and sophisticated," he says.

"It's a level of sophistication today that no human, even expert analysts, can comprehend because of the different layers of logic that the firewalls are using, from VPNs to VLANs to access rules to network address translation," Berthier adds. "We model and present that in a very simple, comprehensive way for both technical as well as non-technical users.”

When integrated, the Dragos platform will be able to consume the data ingested into NP-View to add context around the different levels of suspicious activity that is needed, he notes.

The addition of Network Perception will likely boost Dragos' visualization and risk-based capabilities while enhancing customers’ cyber resilience and compliance efforts, predicts Omdia principal analyst for IoT cybersecurity, Hollie Hennessy.

"Many OT organizations are struggling with challenges such as skills shortage and resource issues, meaning compliance can be a struggle--thus being able to automate functions such as reporting instantly, can alleviate some of those issues," she says. "Network perception also has micro segmentation capabilities which again can help to mitigate risk - something that will enrich Dragos' preventative capabilities and can also help with compliance."

Dragos field technology officer Phil Tonkin says that half of Network Perception's customer base, which is all in the electric sector, uses the Dragos platform. While Dragos's earliest customers were electric utilities, the company has expanded its base to include oil and gas providers, manufacturers, water utilities, transportation and mining.

In the coming quarters, Tonkin says Dragos will integrate NP-View into its platform and offer it as an option to its customers in adjacent OT sectors. "Although the driver to get capabilities like this into the electric sector in the US has often been driven by compliance, we're seeing more and more people understanding the need to carry out those same actions just to manage their risks," he says.

The deal marks only the second acquisition for Dragos. The company bought assessment tool provider NexDefense in 2019. Though isn’t ruling out other potential acquisitions, Dragos is not currently shopping for other companies. “Right now, our focus is to just build on the strengths that we've just gained by bringing Network Perception into the team,” Tonkin says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Dragos Expands ICS Platform with New Acquisition

Prioritizing security as a critical element to an organization’s effectiveness and success will reduce the risk of incidents, while benefiting the whole team and the organization’s reputation.

Source: Xavierlorenzo via Alamy Stock Photo

October is National Cybersecurity Awareness Month in the U.S. when IT teams prep their annual security education and awareness training program. For many employees, this may be their only interaction with the security team outside of onboarding, submitting a help ticket, or a potential incident. But every person plays a part in the security function of the business every day, whether they realize it or not. As they do, they have the potential to be an asset or risk to the team’s security posture.

According to the 2024 Verizon Data Breach Investigations Report (DBIR), 68% of all breaches include the human element, with people being involved either via error, use of stolen credentials or social engineering. While exploiting technical vulnerabilities is rising in frequency as the initial way-in for an attacker, stolen credentials and phishing still account for the lion’s share of recorded breaches.

Prioritizing security as a critical element to an organization’s effectiveness and success will reduce the risk of incidents, while benefiting the whole team and the organization’s reputation.

**Putting a Price on Trust**

Security is a core business function, as crucial to an organization's success as finance, revenue generation or product departments. It's also a key factor in shaping an organization's reputation, specifically influencing public and internal perceptions of whether the organization is trusted and reliable. To understand the profound impact of perceived security (or insecurity) on both public image and the bottom line, one need only examine customer reviews or stock prices of major businesses before and after a publicized breach or outage.

Security has a particularly significant impact on whether the company is seen as reliable and safe for business. The difference between a successful security program and a vulnerable one comes down to whether that value is communicated regularly and effectively.

**What's Measured Matters**

In some organizations, a CISO or CIO can advocate for security at the executive level, informing other leaders and stakeholders of its needs and value. In most businesses, however, this responsibility falls to the IT team leader, adding to their already substantial workload.

While it may seem like self-promotion or extraneous work, it’s extremely valuable to take the extra time to summarize threats stopped, processes improved, projects completed and team members modeling strong security behavior. This effort ensures that the benefits and value of the security program remain a priority for leadership, rather than being overshadowed by the next quarter's budget concerns or the hope of avoiding bad news.

Before starting from scratch, find existing resources by asking vendors and partners what performance reports and metrics they can provide. Many tools should already have audit or other templated reporting functions, and some may even offer custom summaries or executive briefings designed to update leaders on progress.

When choosing metrics, ask whether they truly advance effective security goals. As one example, a common phishing training misstep is solely tracking the number of people who click the link before and after training. While reducing risky clicks is valuable, reducing that number to zero is unlikely. Instead, focusing on how quickly someone reports a phish can materially reduce the time it takes to detect and stop a real-world attack. Now, training can emphasize the importance of reporting suspicious activity, even if an employee initially fell for the phish. This approach encourages openness rather than silence born from fear or embarrassment, and rewarding proactive behavior can significantly increase the likelihood of team members reaching out when something’s up.

Remember, what gets measured gets managed. Carefully selecting and tracking meaningful security metrics improves security posture and demonstrates the tangible value of a security program to the organization. This data-driven approach can help secure necessary resources and support for ongoing security initiatives, turning the security function from a cost center into a value driver for the business.

**Shedding the "Department of No" Reputation**

There’s an oft-repeated cliche of security as The Department of No: a roadblock to productivity, best unseen and unheard. And if most security interactions are perceived as “tedious and/or confusing” or “frustrating and/or terrifying,” people will go out of their way to avoid future interactions.

In reality, security works tirelessly to keep the organization and people within it safe and protected from innumerable risks. What may feel like an arbitrary refusal from a teammate’s perspective may very well be backed by good policy.

Improving this perception doesn't mean abandoning controls or approving every request. Instead, it requires clearly explaining why policies are in place, regularly collecting feedback on processes that prove to be roadblocks and showcasing wins as part of the normal business cadence.

Errors can be more than additional help tickets for IT teams to triage or irregularities to investigate: they can provide invaluable feedback where a process is unintuitive or misunderstood. Talking through “why” someone wanders off the authorized path can help identify confusing documentation, unconsidered use cases or other qualitative feedback that slips through what can be captured in a system log.

**What Have You Done For Them Lately?**

Most people don't have security experts on call in their personal life, and this gives security teams a unique opportunity to help, while building on their relationship with the team at large. Instead of just rolling out click-through training modules to meet insurance and compliance requirements, treat education like another opportunity to provide an employee benefit.

Inform employees about trending attacks and scams, so they can be aware and inform potentially vulnerable family members. Teach them about good security hygiene, not only on work systems but also on sites they’re likely to use in their daily life like social media or personal banking. Not only does this practice help keep your team safe from threats when they aren't at work, it also feeds back into organizational security by making them harder targets for attackers. It would be great if attackers took off nights and weekends, but in reality, we know they’ll go after access wherever (and through whomever) it’s available.

Sharing a few tips every week during team meetings, on team chat and at all-hands updates is also more digestible for people. It’s easier to absorb a few tips each week than resist the urge to tune out a dry, monotone hours-long training session.

This approach also improves retention. According to Hermann Ebbinghaus's research on memory and the “forgetting curve”, we forget the vast majority of newly learned information within a couple of days of learning it. However, the second iteration of reviewing that same information will increase both the percentage of information recalled, and how long it will be remembered. Regular refreshers and expansions on a topic will result in a more complete understanding and a resilient recall of the topic.

**Stronger Together**

Shifting the relationship of security from one of avoidance to one of reinforcement, safety and reliable guidance will motivate people to listen more carefully to security messaging. Greater understanding and buy-in cultivate a stronger security mindset across teams, defining security as a shared, proactive function rather than a specialized, reactive one.

Security is a collective effort, and helping your team stay safer inside and outside of work will benefit both them and the organization. By redefining security as a trusted ally rather than a dreaded email or meeting invite, we can create a more resilient and secure environment for all. Remember, when it comes to security, we are indeed stronger together!

**About the Author**

Security Strategist, Blumira

Zoe Lindsey is a security strategist at Blumira with over a decade of experience in information security. She began her infosec career at Duo Security in 2012 with a background in medical and cellular technology. Throughout her career, Zoe has advised organizations of all sizes on strong security tactics and strategies. As a sought-after speaker, she has shared best practices and recommendations at industry-leading events including RSA Conference, SecureWorld, and Cisco Live.

Normalizing Security Culture: Don’t Have to Get Ready If You Stay Ready

The bug gives attackers a way to run arbitrary code on affected servers and take control of them.

Source: Color4260 via Shutterstock

Attackers are actively targeting a severe remote code execution vulnerability that Zimbra recently disclosed in its SMTP server, heightening the urgency for affected organizations to patch vulnerable instances right away.

The bug, identified as CVE-2024-45519, is present in the Zimbra postjournal service component for email journaling and archiving. It allows an unauthenticated remote attacker to execute arbitrary commands on a vulnerable system and take control of it. Zimbra issued updates for affected versions last week but has not released any details of the flaw so far.

**Attacks Began Sept. 28**

Researchers at Proofpoint this week reported observing attacks targeting the flaw beginning on Sept. 28 and have continued unabated. In a series of posts on X, the security vendor described the attackers as sending spoofed emails that look like they are from Gmail to vulnerable Zimbra servers. The emails contain base64-encoded malicious code in the CC field instead of normal email addresses. This code is crafted to trick Zimbra into running it as shell commands, rather than processing it as a regular email address. This technique could potentially allow attackers to execute unauthorized commands on affected Zimbra servers, Proofpoint said.

"Some emails from the same sender used a series of CC'd addresses attempting to build a Web shell on a vulnerable Zimbra server," Proofpoint said. "The full CC list is wrapped as a string, and if the base64 blobs are concatenated, they decode to a command to write a Web shell."

The Web shell allows the attacker to remotely access the server via specially crafted HTTP requests and to modify files, access sensitive data, and execute other arbitrary commands. The attackers can use it to download and run malicious code on a vulnerable system, Proofpoint said. "Once installed, the webshell listens for inbound connection with a pre-determined JSESSIONID Cookie field," the vendor noted. "If present, the webshell will then parse the JACTION cookie for base64 commands. The webshell has support for command execution via exec or download and execute a file over a socket connection."

**Patch Yesterday**

Ivan Kwiatkowski, a threat researcher at HarfangLab, said the malcious emails are coming from 79.124.49\[.\]86, which appears to be based in Bulgaria. "If you're using @Zimbra, mass-exploitation of CVE-2024-45519 has begun. Patch yesterday."

Notably, the threat actor is using the same server for sending the exploit emails and hosting the second-stage payload, which suggests a relatively immature operation, says Greg Lesnewich, threat researcher at Proofpoint. "It speaks to the fact that the actor does not have a distributed set of infrastructure to send exploit emails and handle infections after successful exploitation," Lesnewich says. "We would expect the email server and payload servers to be different entities in a more mature operation."

Lesnewich says the volume of attacks has remained roughly the same since they began last week and appear to be more opportunistic in nature than targeted.

**Input Sanitization Error**

Researchers at the open source Project Discovery released a proof-of-concept for the vulnerability on Sept. 27. They identified the issue as stemming from a failure to properly sanitize user input, thereby enabling attackers to inject arbitrary commands. Zimbra's patched versions of the software have addressed the issue and neutralized the ability for direct command injection, the researchers wrote. Even so, "it's crucial for administrators to apply the latest patches promptly," they noted. "Additionally, understanding and correctly configuring the mynetworks parameter is essential, as misconfigurations could expose the service to external exploitation."

Thousands of companies and millions of users use Zimbra Collaboration Suite for email, calendaring, chat, and video services. Its popularity has made the technology a big target for attackers. Last year, for instance, researchers found as many as four Chinese advanced persistent threat actors leveraging a Zimbra zero-day (CVE-2023-37580) to target government agencies worldwide. Zimbra patched the flaw in July 2023 a month after the attacks began. Last February, researchers at W Labs spotted North Korea's prolific Lazarus Group attempting to steal intelligence from organizations in the healthcare and energy sectors by targeted unpatched Zimbra servers.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Zimbra RCE Vuln Under Attack Needs Immediate Patching

PRESS RELEASE

Herndon, VA, October 1, 2024 — Expel, the leading managed detection and response (MDR) provider, today announced cybersecurity industry luminary, Kevin Mandia, has joined its board of directors. The Mandiant founder brings over three decades of security leadership and venture capital expertise to help shepherd Expel into its next phase of growth.

“I believe you need an experienced founder that truly knows security to run a great security company. I met Dave nearly 30 years ago when we were computer crime investigators in the United States Air Force, and we have been committed to cybersecurity ever since. Dave was our first pick at Mandiant to lead our software business, our managed defense business, and much of our go-to-market teams. I witnessed Dave build and scale our business from the ground up with relentless focus on the outcomes for our customers,” said Mandia, speaking about Dave Merkel, co-founder and CEO of Expel. “I believe in Expel’s leadership, products, and services, along with its commitment to solving critical security challenges for its customers, and that is what excites me as I join this remarkable team.”

Mandia’s board appointment comes as Expel continues its upward trajectory. Last year, Expel strengthened strategic partnerships with major global players in and around the security space, including Wiz, Visa, and, most recently, modePUSH, a leading incident response firm, to improve joint capabilities that meet a broader range of customer security needs. Expel’s momentum includes 50% year-over-year revenue growth (FY23-FY24) and surpassing $100 million in annual recurring revenue, achieving “centaur status,” as of FY24.

“I’ve been lucky to call Kevin \[Mandia\] a mentor and a friend for much of my professional life, and I’m honored to have his guidance again—in this official capacity—as we tackle this next chapter,” said Dave Merkel. “The opportunity in MDR is massive, and Expel is uniquely qualified to lead the market. That Kevin is willing to come along for the ride as a board member tells me we’re on the right path.”

As rapidly advancing AI-powered technologies reshape the threat landscape for attackers and defenders alike, Expel remains confident and committed to accelerating its unique approach to cybersecurity. The company’s customer base has grown by 67% since early 2023, and Expel holds an industry-leading Net Promoter Score (NPS) of 75—a notoriously unforgiving scale. Expel’s relentless focus on delivering measurable customer outcomes reflects in its impressive metrics:

*   A 20-minute mean-time-to-remediate (MTTR)
    

*   An 87% reduction in customers’ MTTR with auto-remediation
    

*   99% of customers say Expel is a brand they trust
    

These metrics provide Expel customers with the time and peace-of-mind they need to focus on the business priorities that matter most. With comprehensive coverage across cloud, on-prem, identity, network environments, and more, Expel combines skilled analysts with its purpose-built SecOps platform, Expel Workbench™, to augment teams or help develop new ones—meeting customers’ exact needs.

Mandia’s appointment to the board reunites him with Merkel, combining their deep expertise and shared roots in the defense community. This career intersection once again reflects Mandia’s strong belief in Expel’s leadership—including Merkel’s co-founders, Yanek Korff and Justin Bajko, both fellow Mandiant alums and current Expel executives—and its ability to protect organizations against evolving threats.

For exclusive insights directly from Mandia and Merkel on the future of cyber defense, register here for an upcoming webinar on Thursday, October 17 at 11am ET. To learn more about Expel MDR or get in touch with any questions, reach out anytime at expel.com/contact.

Here’s what Expel customers have to say:

“Working with Expel is like putting on noise canceling headphones—granting us the freedom to focus on AstraZeneca’s most pressing business priorities, not reams of alerts, as a true extension of our security team. Having long worked with members of Expel’s leadership team, as both a colleague and a customer, I can confidently say I never have to question whether the Expel team is prioritizing our security needs. And knowing Kevin \[Mandia\] from my years at Mandiant, I know he sees what I do in Expel: an MDR that’s fiercely committed to bettering the lives of its customers through unmatched protection and superior outcomes.”  
Kristina Sisk, Cyber Security Defense Operations Director, AstraZeneca

“Dragos has had a long and successful relationship with Expel, one that’s critical to our ability to achieve our mission to protect the industrial infrastructure that we depend on every day. We see how the threat landscape is evolving, and Dragos and Expel have always been in lock-step in our approach to improving the security postures of our customers. Welcoming Kevin onto Expel’s board adds to the company’s already formidable leadership and advisory team, and further reinforces the crucially important role that MDR plays in modern cybersecurity programs.”  
Robert M. Lee, co-founder and CEO, Dragos

About Expel

Expel is the leading managed detection and response (MDR) provider trusted by some of the world’s most recognizable brands to expel their adversaries, minimize risk, and build security resilience. Expel’s 24/7/365 coverage spans the widest breadth of attack surfaces, including cloud, with 100% transparency. We combine world-class security practitioners and our AI-driven platform, Expel Workbench™, to ingest billions of events monthly and still achieve a 20-minute critical alert MTTR. Expel augments existing programs to help customers maximize their security investments and focus on building trust—with their customers, partners, and employees. For more information, visit our website, check out our blog, or follow us on LinkedIn.

Kevin Mandia Joins Expel's Board of Directors

PRESS RELEASE

PHOENIX, AZ – September 26, 2024 – Bishop Fox, the leading authority in offensive security, today announced Cosmos for ServiceNow, developed in partnership with ServiceNow to enable customers to effortlessly sync validated exposures from the Bishop Fox Cosmos portal into their ServiceNow® environment, where they can be managed as part of existing security workflows. This integration further improves a customer’s security posture by closing the window of vulnerability while reducing the manual burden on security teams.

ServiceNow’s expansive partner ecosystem and partner program is critical in supporting the $275 billion forecasted market opportunity through 2026 for the Now Platform. The ServiceNow Partner Program recognizes and rewards partners for their varied expertise and experience to drive opportunities, open new markets, and help customers transform their business across the enterprise.

As a Registered Build Partner, Bishop Fox developed this solution to help organizations take action on the detailed findings and remediation guidance provided by the Cosmos managed service as part of their existing security operations. This seamless, bi-directional integration with the Now Platform simplifies the management of vulnerabilities and allows security teams to concentrate on resolving threats and safeguarding assets. The solution is available in the ServiceNow Store. Full product details can be found here, but briefly, the major benefits include:

1.  Streamlined vulnerability remediation with automatically created and updated remediation tickets based on Cosmos findings.
    
2.  Improved incident response efficiency and speed with Cosmos vulnerability data directly integrated into ServiceNow workflows, as well as customizable workflows that mirror an organization’s processes.
    
3.  No data silos or communication gaps, with vulnerability information fully synchronized across Cosmos and ServiceNow
    
4.  Enhanced compliance and reporting by consolidating remediation tracking and reporting into a single platform.
    
5.  Scalable security operations with an augmented ability to manage large volumes of security data efficiently across multiple instances of ServiceNow.
    

“Cosmos has become a standard bearer for vulnerability identification and management with more than 110 billion operations executed per year, a 70 percent reduction in time to remediate critical vulnerabilities, and elimination of 93 percent of resource requirements,” said Kevin Tonkin, chief product officer of Bishop Fox. “By integrating with platforms like ServiceNow, on which our customers depend for managing security operations, we help to further accelerate internal efforts and unburden security teams by making it easier for an organization to take advantage of the full power of Cosmos.”

“Partnerships succeed best when we lean into our unique skills and expertise, and have a clear view into the problem we’re trying to solve,” said Erica Volini, senior vice president of global partnerships at ServiceNow. “Bishop Fox’s Cosmos integration extends our reach well beyond where we can go alone and represents the legacy and goals of the Now Platform. I am thrilled to see the continued innovation we will achieve together to help organizations succeed in the era of digital business.”

About Bishop Fox

Bishop Fox is the leading authority in offensive security, providing solutions ranging from continuous penetration testing, red teaming, and attack surface management to product, cloud, and application security assessments. We’ve worked with more than 25% of the Fortune 100, half of the Fortune 10, eight of the top 10 global technology companies, and all of the top global media companies to improve their security. Our Cosmos platform, service innovation, and culture of excellence continue to gather accolades from industry award programs including Fast Company, Inc., SC Media, and others, and our offerings are consistently ranked as “world class” in customer experience surveys. We’ve been actively contributing to and supporting the security community for almost two decades and have published more than 16 open-source tools and 50 security advisories in the last five years. Learn more at bishopfox.com or follow us on Twitter.

Bishop Fox Announces Cosmos Integration With ServiceNow

PRESS RELEASE

VIENNA, Va., Oct. 1, 2024 /PRNewswire/ -- The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) today announced that Pam Lindemoen will join the organization as Chief Security Officer & VP of Strategy. In this role, she will oversee the organization's security operations, including cybersecurity and information security, while also leading strategic planning and partner engagement. With nearly 30 years of experience, Lindemoen brings a wealth of knowledge in information security, application development, and infrastructure to the organization.

"We're thrilled to welcome Pam Lindemoen to the RH-ISAC team," said Suzie Squier, president of RH-ISAC. "Her extensive experience in navigating complex regulatory environments and fostering robust security postures will be invaluable to our members. Pam's strategic vision and proven track record in developing comprehensive cybersecurity programs align perfectly with our mission to enhance the security of consumer-facing industries through collaboration."

Lindemoen's expertise spans various industries, including healthcare, technology, financial services, and manufacturing. Most recently, she served as CISO Advisor at Cisco. In this role, among other duties, she was instrumental in facilitating the CISO Leadership Development Program that RH-ISAC provided to develop talent in the industry. Lindemoen also serves on the advisory board for Cyber Florida: The Florida Center for Cybersecurity.

Lindemoen's appointment comes at a critical time for the retail and hospitality industries, which face increasing cybersecurity threats and complex regulatory requirements. Her multifaceted expertise in information security, application development, and infrastructure positions her uniquely to address the diverse challenges faced by RH-ISAC members. As CSO, Lindemoen will play a key role in shaping the organization's strategic initiatives and supporting members in their cybersecurity efforts.

Learn more about RH-ISAC and memberships at rhisac.org.

ABOUT RH-ISAC  
The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) is a trusted community for sharing sector-specific cybersecurity information and intelligence. RH-ISAC connects information security teams at the strategic, operational, and tactical levels to work together on issues and challenges, to share practices and insights, and to benchmark among each other – all with the goal of building better security for consumer-facing industries through collaboration. RH-ISAC serves businesses including retailers, restaurants, hotels, gaming casinos, food retailers, consumer products, and other consumer-facing companies. For more information, visit www.rhisac.org.

You May Also Like

Retail &amp; Hospitality ISAC Announces Pam Lindemoen As New CSO and VP

Poor permission controls and user input validation is endemic to the platforms that protect Americans' legal, medical, and voter data.

Source: Xinhua via Alamy Stock Photo

A veritable laundry list of high- and critical-severity bugs have been uncovered in software platforms used by government agencies across the US.

Govtech systems are some of the most critical out there, responsible for storing the most sensitive personally identifying information (PII) US citizens own: Social Security numbers (SSNs) and IDs; legal and medical records; voter registrations; and much more. It will surprise few and comfort no one that these systems also happen to be riddled with vulnerabilities. 

Security researcher Jason Parker uncovered issues in 19 such platforms this year, disclosing more than a handful of them late last week. There was the bug in the state of Georgia's portal for canceling voter registrations, the access control issue that exposed court documents in counties across Florida, and the many critical vulnerabilities bogging down a public records request management platform used by hundreds of city, county, and state governments nationwide.

**Case Study: A Voter Registration Issue**

Some might be old enough to remember when government bugs were cool and inventive. "The Thing," for example — a listening device embedded into a wooden seal, which hung in the residence of the US ambassador to Moscow for seven years before it was discovered.

Today's government bugs are rather banal — access control flaws or improper validations of user input. The kinds of things hackers can use them for, however, are not at all dull.

At the end of July, for example, Georgia launched a voter cancellation request portal. Within days, researchers discovered multiple issues with the site. Parker, for example, found that anyone could submit a cancellation request using only the information easily gleaned from public sources — names, dates of birth, counties of residence — while skipping any requirement for more serious PII, like a driver's license or SSN. The issue earned a "high" Common Vulnerability Scoring System (CVSS) score of 8.6 out of 10, and was fixed shortly after initial disclosure.

It turned out that members of the public had attempted to take real advantage of these issues in the meantime, though, most notably by unsuccessfully deregistering Rep. Marjorie Taylor Greene, and Georgia's Secretary of State Brad Raffensperger, two prominent Republicans in the state.

**A Panoply of GovTech Bugs**

This kind of basic lack of authentication was emblematic of the security flaws Parker has stumbled upon.

Besides the Georgia bug, for example, were the trio of bugs in Granicus' GovQA. GovQA is a public records management system that is used by more than one-third of the largest US cities, more than 80 state agencies, and nearly half of the "top" US counties, according to GovQA's website.

Another series of bugs in Granicus' electronic filing system allowed for the leakage of sensitive information, the ability to block user logins or modify accounts without authorization, and privilege escalation. The "critical," 9.8 CVSS-rated bugs were reportedly patched back in April.

A similar platform, Thomson Reuters' C-Track eFiling, allowed attackers to escalate from regular user accounts to those saved for court administrators by manipulating certain fields in the registration process. A patch for the "critical" 9.1-rated bug was confirmed last week.

More issues of similar severity were uncovered in court record systems used in counties in Florida, Arizona, Georgia, South Carolina, and others.

**Why GovTech Is So Flawed**

Government technologies tend to be flawed for all the reasons one might guess.

"A lot of their systems that I've seen are quite literally 20 years old," Parker explains. "They're just adding whatever on top of these legacy platforms for years and years."

Besides standard bureaucracy, outdated and unloved tech is kept alive thanks to a lack of sufficient funding for new systems, services, and security solutions to protect them. And vendors aren't always held to account for the ways in which they fall short on their ends of the bargain.

If anything's going to change, Parker says, it will start with the Federal Risk and Authorization Management Program (FedRAMP) — a governmentwide program for cloud security assessment, authorization, and continuous monitoring — and StateRAMP — a nonprofit offering a similar program for state and local governments. "These are minimum requirements for cybersecurity," Parker says, "and they're being adopted by more and more states, and counties, too."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Gov't, Judicial IT Systems Beset by Access Control Bugs

PRESS RELEASE

CAMBRIDGE, UK, Oct. 1, 2024 /PRNewswire/ -- Darktrace, a global leader in cybersecurity AI, has today announced the completion of its acquisition by Thoma Bravo, a leading software investment firm, for $5.3bn. The recommended cash acquisition was announced on 26 April 2024 and the Scheme of Arrangement has now become effective. 

Jill Popelka, CEO of Darktrace, said: "Thoma Bravo will be a hugely valuable partner as we pursue further scale and innovation for our next stage of growth. Darktrace's position at the cutting edge of cybersecurity AI coupled with Thoma Bravo's deep strategic and sector expertise will be a powerful combination. Protecting businesses and organisations with best-in-class AI-powered, proactive cybersecurity will remain at the absolute core of what we do. Together, we can take this even further, investing in our people to enhance our technical capabilities and delivering exceptional service and value for our customers."

Seth Boro, Managing Partner at Thoma Bravo, said: "Darktrace holds a unique position at the forefront of cybersecurity technology. As one of the early adopters of AI, the value of its capabilities is evident to businesses, governments and society across the world. We are excited to work alongside Jill and the Darktrace team to build on their success, supporting their ambitions to protect the world from the most advanced cyber threats." 

About Darktrace  
Darktrace is a global leader in AI for cybersecurity that keeps organizations ahead of the changing threat landscape every day. Founded in 2013, Darktrace provides the essential cybersecurity platform protecting organizations from unknown threats using its proprietary AI that learns from the unique patterns of life for each customer in real-time. The Darktrace ActiveAI Security Platform™ delivers a proactive approach to cyber resilience with pre-emptive visibility into security posture, real-time threat detection, and autonomous response – securing the business across cloud, email, identities, operational technology, endpoints, and network. Breakthrough innovations from our R&D teams in Cambridge, UK, and The Hague, Netherlands, have resulted in over 200 patent applications filed. Darktrace's platform and services are supported by over 2,400 employees around the world who protect nearly 10,000 customers across all major industries globally. To learn more, visit http://www.darktrace.com. 

SOURCE Darktrace

You May Also Like

Source

DARKReading