How newly exposed security weaknesses in industrial wireless, cloud-based interfaces, and nested PLCs serve as a wake-up call for hardening the physical process control layer of the OT network.

S4x23 — Miami — As IT and operational technology (OT) network lines continue to blur in the rapidly digitalized industrial sector, new vulnerabilities and threats imperil conventional OT security measures that once isolated and guarded physical processes from cyberattacks.

Two new separate sets of research released this month underscore real, hidden dangers to physical operations in today's OT networks from wireless devices, cloud-based applications, and nested networks of programmable logic controllers (PLCs) — effectively further dispelling conventional wisdom about the security of network segmentation as well as third-party connections to the network.

In one set of findings, a research team from Forescout Technologies was able to bypass safety and functional guardrails in an OT network and move laterally across different network segments at the lowest levels of the network: the controller level (aka Purdue level 1), where PLCs live and run the physical operations of an industrial plant. The researchers used two newly disclosed Schneider Modicon M340 PLC vulnerabilities that they found — a remote code execution (RCE) flaw and an authentication bypass vulnerability — to breach the PLC and take the attack to the next level by pivoting from the PLC to its connected devices in order to manipulate them to perform nefarious physical operations.

"We are trying to dispel the notion that you hear among asset owners and other parties that Level 1 devices and Level 1 networks are somehow different from regular Ethernet networks and Windows \[machines\] and that you cannot move through them in very similar ways," says Jos Wetzels, security researcher with Forescout. "These systems are reachable, and you can bypass safety checks if you have the right level of control. We are showing how to do this."

The highly complex attack sequence that the researchers demonstrated with a proof-of-concept (PoC) — and that they acknowledge would require the technical chops and resources of nation-state attackers — stands in stark contrast to a relatively simple new hack that another group of researchers pulled off that exposes plants via wireless network devices. Both of these separate sets of OT attack findings poke holes in traditional assumptions of inherent security at the lower layers of OT networks, and the two teams of researchers behind them shared their findings here this week at the S4x23 ICS/OT conference.

**Wireless Threat "Got Our Attention"**

In the second batch of research, a team at ICS security provider Otorio found some 38 vulnerabilities in products including cellular routers from Sierra Wireless and InHand Networks, and a remote access server for machines from ETIC Telecom. A dozen other bugs remain in the disclosure process with the affected vendors and were not named in the report.

The flaws include two dozen Web interface bugs that could give an attacker a direct line of access to OT networks.

Matan Dobrushin, vice president of research at Otorio, says his team used the open source WiGLE tool, a Shodan-style search app that locates and maps wireless access points around the world. WiGLE collects SSID or network names, encryption types (such as WEP or WPA), and the geolocation of a wireless access point. The team was able to locate various OT sites via those geolocated Aps that WiGL spotted, including an oil well with weak authentication to its wireless device.

The team discovered relatively simple ways for an attack to hack industrial Wi-Fi access points and cellular gateways and wage man-in-the-middle attacks to manipulate or sabotage physical machinery in production sites. In one attack scenario, the researchers pose, an attacker armed with a laptop could find and drive to a plant location and connect to the operational network.

"You don't have to go through all of the layers of the enterprise IT network or firewalls. In this example, someone can just come with a laptop and connect directly to the most sensitive physical part of that network," Dobrushin says. "This is what got our attention."

Physical proximity is just one of three attack scenarios the team discovered when they found the vulns in these wireless devices. They also could reach the plant wireless devices via oft-exposed IP addresses inadvertently open to the public Internet. But the third and most surprising attack scenario they found: They could reach the OT networks via blatantly insecure cloud-based management interfaces on the wireless access points.

Many of the devices that come with cloud-based management also contain interfaces with either very weak authentication, or no authentication at all. InHand Networks' InRouter302 and InRouter615, for example, use an unsecured communications link to the cloud platform by default, sending information in cleartext.

"It's a single point of security and failure," Dobrushin says of the weak management interfaces, and "the main attack surface" for plant wireless access points.

The onus is on the wireless device vendors to better secure their Web interfaces. "I think the biggest fail point here is not wireless itself, not the cloud itself: It's the integration point between the cloud and modern Web-based world, to the old industrial world. These integration points are not strong enough."

For example, an RCE vulnerability in the Sierra Wireless Airlink's AceManager Web interface could let an attacker inject malicious commands. The vulnerability actually bypasses a previous patch Sierra had issued in April of 2019 for another bug, according to Otorio.

**Lateral Movement Research**

Forescout's research, meanwhile, also shows how Purdue Level 1 of an OT network security is not as airtight as many industrial organizations believe. The company's findings demonstrate how a threat actor could spread an attack across various network segments and types of networks at the Purdue Level 1/controller level of the OT network.

In their proof-of-concept attack, the researchers first hacked a Wago coupler device in order to reach the Schneider M340 PLC. Once they got to the PLC, they employed two newly disclosed vulnerabilities they first found last year as part of the OT:ICEFALL set of vulns but were unable to reveal until Schneider had patched them, CVE-2022-45788 (remote code execution) and CVE-2022-45789 (authentication bypass). That allowed them to bypass the PLC's internal authentication protocol and move through the PLC to other connected devices, including an Allen-Bradley GuardLogix safety control system that protects plant systems by ensuring they operate in a safe physical state. Then they were able to manipulate the safety systems on the GuardLogix backplane.

What sets their findings apart is that it looks at lateral movement not just between Level 1 devices in the same network segment or to Layer 2 SCADA systems but spreading across nested devices and networks at Layer 1. And unlike previous PLC research, Wetzels and Daniel dos Santos, head of security research at Forescout, didn't just hack a PLC via an inherent vulnerability. They instead pivoted from the PLC to other systems connected to it in order to bypass the security and physical safety checks within the OT systems.

"We're not just talking directly \[to\] one of the PLCs. We're moving to all devices existing behind it to bypass the functional and safety constraints" of the PLC that would cause the device to halt or shut down the process, Wetzels says. "Or I can manipulate the PLC and cause physical damage."

Wetzels says some vendors provide incorrect guidance to OT operators that states that "nesting" PLCs via serial links or nonroutable OT protocols provides secure segmentation for those devices and the OT network. "We're demonstrating this is a faulty line of reasoning against a certain type of attacker," he says. The researchers show that all devices — valve controllers and sensors, for example — that reside under the PLC in other networks behind it also can be exposed and provide an attacker more detailed control of the systems.

"If you want to manipulate \[the physical processes\] at a deep level, you move deep into those networks," he says.

Another weak and often-overlooked link are network connections to third-party maintenance providers, for HVAC or water treatment plant work, for example. The maintenance contractor often has a remote connection to their packaged system, which then interfaces with the OT network. "The perimeter to the outside that exists at Level 1 is not hardened or monitored," Wetzels explains.

**How to Defend Against These Threats to OT**

Forescout's Wetzels and dos Santos recommend that OT operators re-evaluate the state of their Level 1 devices and interconnectivity. "Make sure nothing can be disabled by cyber means," Wetzels advises.

He also recommends that plants with Ethernet links that are not firewalled should add a firewall. And at the least, ensure visibility of the traffic with an intrusion detection system, he says. If the PLCs include IP-based access control list (ACL) and forensics inspection functions, deploy them to harden the devices, he says.

"Likely there's a lot of network crawlspace not on your radar," Wetzels said today in his presentation here. "At Level 1, between different \[network\] segments needs a perimeter security profile."

As for the wireless access point vulnerabilities and attacks Otorio revealed, the researchers recommend disabling weak encryption in wireless access devices, masking wireless devices publicly or at least whitelisting authorized devices, and ensuring strong authentication for IP-based devices.

They also advise disabling unused cloud-based services, which typically are on by default, and firewalling and/or adding virtual private network (VPN) tunnels among the connections.

Tom Winston, director of intelligence content at Dragos, says wireless access points in the industrial network should use multifactor authentication. "Access control is always a concern."

OT Network Security Myths Busted in a Pair of Hacks

78 new CVEs patched in this month's batch — nearly half of which are remotely executable and three of which attackers already are exploiting.

Microsoft has issued fixes for three zero-day bugs that attackers currently are actively exploiting in the wild.

One of them, tracked as CVE-2023-21715, is a security feature bypass vulnerability in Microsoft Office that gives attackers a way to bypass Office macro policies for blocking untrusted files and content. The second is an elevation-of-privilege vulnerability in Windows Common Log File System Driver (CVE-2023-23376), which allows an attacker to gain system-level privileges. The third is CVE-2023-21823, a remote code execution (RCE) bug in the Windows Graphics Component which also enables an attacker to gain system-level access.

**The Zero-Day Trio**

The three zero-day vulnerabilities were part of a substantially larger set of 78 new CVEs that Microsoft disclosed in its monthly security update Tuesday. The company assessed nine of these flaws as being of "critical" severity and 66 as presenting an "important" threat to organizations.

Nearly half the vulnerabilities (38) that Microsoft disclosed this month were remote code execution (RCE) bugs — a category of flaws that security researchers consider especially serious. Elevation-of-privilege bugs represented the next highest category, followed by denial-of-service flaws and spoofing vulnerabilities.

Dustin Childs, head of threat awareness at Trend Micro's ZDI, which reported eight of the vulnerabilities in this month's update, says all the bugs that are under active attack represent a critical risk because threat actors are already using them.

"The Graphics Component bug (CVE-2023-21823) makes me worry on two accounts," he says. "Since this was found by Mandiant, it was likely discovered by a team working an incident response," Childs says. That means it's unclear how long threat actors might have been using it. Also worrisome is that the update is available through the Microsoft store, he notes.

"People who are either disconnected or otherwise blocked from the store will need to manually apply the update," he says.

Childs says that based on Microsoft's description of CVE-2023-21715, the security feature bypass vulnerability in Microsoft Office sounds more like an elevation-of-privilege issue. "It's always alarming when a security feature is not just bypassed but exploited. Let's hope the fix comprehensively addresses the problem."

Ultimately, all three bugs that attackers are actively exploiting are of concern. But a threat actor would still need to use each of these bugs in combination with some form of a code execution bug to take over a system, Childs says.

Automox recommends that organizations using Microsoft 365 Applications for Enterprise patch CVE-2023-2175 within 24 hours. "This vulnerability is an actively exploited zero-day that allows attackers to craft a file to bypass Office security features," Automox said in a blog post. It allows attackers to "potentially execute malicious code on end-user devices if they can coerce users to download and open files on vulnerable devices via social engineering."

**New Exchange Server Threats**

Satnam Narang, senior staff research engineer at Tenable, highlighted three Microsoft Exchange Server vulnerabilities (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529) as issues that organizations should note because Microsoft has identified them as flaws that attackers are more likely to exploit.

"Over the last few years, Microsoft Exchange Servers around the world have been pummeled by multiple vulnerabilities, from ProxyLogon to ProxyShell, to more recently ProxyNotShell, OWASSRF and TabeShell," Narang said in a statement.

Exchange flaws have become valuable commodities for standard sponsored threat actors in recent years, he said. "We strongly suggest organizations that rely on Microsoft Exchange Server to ensure they've applied the latest Cumulative Updates for Exchange Server."

**RCE Bugs in Microsoft PEAP**

Researchers at Cisco's Talos threat intelligence group, meanwhile, pointed to three RCE bugs in Microsoft Protected Extensible Authentication Protocol (PEAP) as being among the most critical bugs in Microsoft's security update for February 2023.

The flaws, tracked as CVE-2023-21689, CVE-2023-21690 and CVE-2023-21692, allow an authenticated attacker to try and trigger malicious code in the context of the server's account.

"Almost all Windows versions are vulnerable, including the latest Windows 11," the company said in a statement.

CVE-2023-21689 — one of the three critical vulnerabilities in PEAP — allows attackers to get server accounts to trigger malicious code via a network call, according to Automox.

"Since this vulnerability is very likely to be targeted and is relatively simple for attackers to exploit, we recommend patching or ensuring that PEAP is not configured as an allowed EAP type in your network policy," the company said in its post. Affected organizations — those that have Windows clients with Network Policy Server running and have a policy that allows PEAP — should patch the flaw within 72 hours, Automox advised.

9 New Microsoft Bugs to Patch Now

Microsoft is sending the world a whole bunch of love today, in the form of patches to plug dozens of security holes in its Windows operating systems and other software. This year's special Valentine's Day Patch Tuesday includes fixes for a whopping three different "zero-day" vulnerabilities that are already being used in active attacks.

**Microsoft** is sending the world a whole bunch of love today, in the form of patches to plug dozens of security holes in its **Windows** operating systems and other software. This year’s special Valentine’s Day Patch Tuesday includes fixes for a whopping three different “zero-day” vulnerabilities that are already being used in active attacks.

Microsoft’s security advisories are somewhat sparse with details about the zero-day bugs. Redmond flags CVE-2023-23376 as an “Important” elevation of privilege vulnerability in the **Windows Common Log File System Driver**, which is present in Windows 10 and 11 systems, as well as many server versions of Windows.

“Sadly, there’s just a little solid information about this privilege escalation,” said **Dustin Childs**, head of threat awareness at Trend Micro’s **Zero Day Initiative**. “Microsoft does note that the vulnerability would allow an attacker to exploit code as SYSTEM, which would allow them to completely take over a target. This is likely being chained with a remote code execution bug to spread malware or ransomware. Considering this was discovered by Microsoft’s Threat Intelligence Center, it could mean it was used by advanced threat actors. Either way, make sure you test and roll these fixes quickly.”

The zero-day CVE-2023-21715 is a weakness in **Microsoft Office** that Redmond describes as a “security feature bypass vulnerability.”

“Microsoft lists this as under active exploit, but they offer no info on how widespread these exploits may be,” Childs said. “Based on the write-up, it sounds more like a privilege escalation than a security feature bypass, but regardless, active attacks in a common enterprise application shouldn’t be ignored. It’s always alarming when a security feature is not just bypassed but exploited. Let’s hope the fix comprehensively addresses the problem.”

The third zero-day flaw already seeing exploitation is CVE-2023-21823, which is another elevation of privilege weakness — this one in the **Microsoft Windows Graphic** component. Researchers at cybersecurity forensics firm **Mandiant** were credited with reporting the bug.

**Kevin Breen**, director of cyber threat research at **Immersive Labs**, pointed out that the security bulletin for CVE-2023-21823 specifically calls out **OneNote** as being a vulnerable component for the vulnerability.

“In recent weeks, we have seen an increase in the use of OneNote files as part of targeted malware campaigns,” Breen said. “Patches for this are delivered via the app stores and not through the typical formats, so it’s important to double check your organization’s policies.”

Microsoft fixed another Office vulnerability in CVE-2023-21716, which is a **Microsoft Word** bug that can lead to remote code execution — even if a booby-trapped Word document is merely viewed in the preview pane of **Microsoft Outlook**. This security hole has a CVSS (severity) score of 9.8 out of a possible 10.

Microsoft also has more valentines for organizations that rely on **Microsoft Exchange Server** to handle email. Redmond patched three Exchange Server flaws (CVE-2023-21706, CVE-2023-21707, and CVE-2023-21529), all of which Microsoft says are remote code execution flaws that are likely to be exploited.

Microsoft said authentication is required to exploit these bugs, but then again threat groups that attack Exchange vulnerabilities also tend to phish targets for their Exchange credentials.

Microsoft isn’t alone in dropping fixes for scary, ill-described zero-day flaws. Apple on Feb. 13 released an update for iOS that resolves a zero-day vulnerability in Webkit, Apple’s open source browser engine. **Johannes Ullrich** at the **SANS Internet Storm Center** notes that in addition to the WebKit problem, Apple fixed a privilege escalation issue. Both flaws are fixed in iOS 16.3.1.

“This privilege escalation issue could be used to escape the browser sandbox and gain full system access after executing code via the WebKit vulnerability,” Ullrich warned.

On a lighter note (hopefully), Microsoft drove the final nail in the coffin for **Internet Explorer 11 (IE11)**. According to Redmond, the out-of-support IE11 desktop application was permanently disabled on certain versions of Windows 10 on February 14, 2023 through a **Microsoft Edge** update.

“All remaining consumer and commercial devices that were not already redirected from IE11 to Microsoft Edge were redirected with the Microsoft Edge update. Users will be unable to reverse the change,” Microsoft explained. “Additionally, redirection from IE11 to Microsoft Edge will be included as part of all future Microsoft Edge updates. IE11 visual references, such as the IE11 icons on the Start Menu and taskbar, will be removed by the June 2023 Windows security update (“B” release) scheduled for June 13, 2023.”

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

Microsoft Patch Tuesday, February 2023 Edition

HAProxy before 2.7.3 may allow a bypass of access control because HTTP/1 headers are inadvertently lost in some situations, aka "request smuggling." The HTTP header parsers in HAProxy may accept empty header field names, which could be used to truncate the list of HTTP headers and thus make some headers disappear after being parsed and processed for HTTP/1.0 and HTTP/1.1. For HTTP/2 and HTTP/3, the impact is limited because the headers disappear before being parsed and processed, as if they had not been sent by the client. The fixed versions are 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31.

CVE-2023-25725: The Reliable, High Performance TCP/HTTP Load Balancer

By Waqas
Google Cloud released its newest AI feature for online retailers in 2023. Their shelf-checking AI solution, Vertex AI…
This is a post from HackRead.com Read the original post: Google Vertex AI Vision: Revolutionizing E-Commerce?

Google Cloud released its newest AI feature for online retailers in 2023. Their shelf-checking AI solution, Vertex AI Vision, was released in September 2021 and aims to simplify the online shopping experience for all device users.

From personalised search to AI-driven product recommendations, Google Cloud is opening up a new era of possibilities for e-commerce retailers. In a fiercely competitive market, post-Covid retail must be customisable, adaptable and customer-focused, especially if smaller brands want to keep up with demographic trends.

“Upheavals over the last few years have reshaped the retail landscape, and the tools retailers need to be more efficient, more compelling to their customers, and less exposed to future shocks,” said VP of Retail at Google Cloud, Carrie Tharp. “Despite the uncertainty, the retail industry has enormous opportunities. The leaders of tomorrow will be those who address today’s most pressing in-store and online challenges with the newest technology tools, such as artificial intelligence and machine learning.”

Stick with us as we navigate the future of online retail strategy and reveal some of Google Clouds’ newest features, designed to boost e-commerce success in 2023.

**Ecommerce challenges in 2023**

The ecommerce industry is predicted to make up over 22% of global sales in 2023 and is likely to be worth over $6.3 trillion by the end of the year.

As we move into an era of social selling and a push for new technology, the e-commerce industry has become more accessible yet more competitive at the same time.

With over half of all online shopping searches now coming from a mobile device, a new generation of digitally native consumers wants more from their online experience. From personalisation to loyalty rewards, ecommerce retailers must be prepared to constantly adapt to consumer social trends and new internet-accessible devices on the market. 

Google Cloud aims to combat this, using its latest developments in artificial intelligence. Let’s have a closer look at how Google’s new AI retail tool could transform online stores and the customer experience.

**Adaptable site browsing **

Did you know that personalised content can increase conversion potential by over 110%? If site browsers are quickly greeted with a set of customisable product searches, they are more likely to progress to the checkout. 

(Image Source: Search Logistics)

In fact, personalising your ecommerce site alone can increase revenue by up to 25%, opening up opportunities for store growth and reach.

Google Cloud’s new AI-driven search solution aims to take personalisation one step further. Using AI, Google Cloud can analyse the behaviour of site users, tracking purchase history, items they view and even scroll times on pages. Using this information, it quickly identifies a customer’s preferences and makes sure they see those first when entering a site’s navigation system. 

Researchers from Google Cloud found that 86% of shoppers are more likely to interact with a brand that understands their interests and acts on their preferences.

Their retail search solution does just that, aiming to enhance a website’s ability to adapt to each shopper. Better still, this is all done using first-party cookies and previous on-site data. Customer preferences are stored for retailer use only, making for a more secure experience on and off-site. 

**AI-driven product sorting**

Working in the same way as a personalised search experience, Google Cloud has also integrated AI-driven product sorting into their new update. 

This handy tool allows ecommerce retailers to improve their product discovery journey, increasing the chances of conversion on-site. 

(Image Source: OJ Digital Solutions)

As you can see above, the current average conversion rate for ecommerce sellers stands at a measly 2.5%, often down to consumer bounce once on site.

In order to reduce bounce rates and get conversions flowing, ecommerce sites must be hosted on a server with large bandwidth and no downtime. Alongside this, all aspects of the site should be optimised with consumer personalisation in mind.

Optimising the order products and services on-site appear in AI-driven recommendations improves the chances of conversion success by over a third. While traditional ecommerce retailers order products in order of relevance/best sellers, Google’s new system will recommend products based on historical consumer data, improving relevance and the chances of a direct sale.

**Consumer-focused recommendations**

Did you know that product recommendation systems play a critical role in a successful retail strategy? With online retail sales predicted to surpass $8 trillion by 2026, competition has quickly risen amongst small retailers, meaning that finding new ways to optimise the customer experience is the key to staying in the game. 

Using Google Cloud’s new Discovery AI feature, ecommerce retailers can use machine learning to ensure that product recommendations on-site adapt to each user. Not only will this increase revenue during a search session, but means that no landing page will look the same again.

From rolling product banners to personalised popups, taking time to enable customisable recommendations will lead to higher sale revenue and a spike in user engagement.

The feature has been created in collaboration with software developers DeepMind, which uses first-party data to consider product categories, product prices and consumer behaviour when generating new recommendations for site searchers.

Better still, Google Cloud is using this same feature to introduce a ‘buy it again’ option that suggests products based on a user’s past purchase history.

**Automatic shelf checking for physical stores**

While managing an online store can be tricky, it’s important to keep physical processes in check too, especially if you want to keep product shipping times fast and consumers satisfied with your service. 

Retailers use many different versions of shelf-checking tech, but Google Cloud’s newest AI-driven solution puts many of them to shame. Using the Cloud’s most recent feature, retail assistants can categorize and distinguish products in seconds.

Based on visual and text-based prompts, Google’s AI shelf checker can turn product data into actionable insights that can improve inventory visibility and give sales reps a better idea of product availability online. 

According to recent insights from NielsenIQ, having empty shelves cost retailers a whopping $82 billion in 2021 alone. Google’s AI-driven self-checking solution aims to combat the costs of empty shelves and reduce widespread wipe out of products, especially when you can track stock automatically.

**What’s next for online retailers?**

Online retail will continue to evolve in the coming years, with AI standing at the forefront. As we see great influxes of online consumers, site pages should be optimised with personalisation in mind. 

With so many retail options to choose from on the web, the key here is to make your business stand out from the crowd. 

Using Google Cloud’s new AI retail tool, ecommerce vendors can customise their search options, offer loyal customers personalised recommendations, and even gain greater access to product availability data straight from the storeroom. 

A completely online future of retail is just around the corner. If you want to remain successful in a digital era, make sure you’re ahead of the technological curve. 

1.  Fields of application of artificial intelligence
2.  Google Introduces Bard: New ChatGPT Rival
3.  How Artificial intelligence Stops Cybercriminals
4.  ARMO integrates ChatGPT to secure Kubernetes
5.  AI-based Model to Predict Extreme Wildfire Danger

Google Vertex AI Vision: Revolutionizing E-Commerce?

The goal: Ensure that data is always finely curated and accessible, and that security decisions get made with high-fidelity data.

In a tale seemingly as old as time, security teams have been continuously under siege. Be it novel attack paths, lethal adversaries, new technologies — such as public cloud, containerization, Kubernetes, and serverless computing — or stringent regulatory requirements, teams have faced quite the burden. To help shoulder the load, the industry has established frameworks and pushed out amazing tech, from SIEMs to CNAPPs and XDRs to CASBs. These processes and technologies have helped to keep attackers at bay and people protected, but have created a new problem of far too much data.

To face off against this data-driven world, CISOs and security teams will need to embrace the data and look outside of traditional security personas to adopt a new model of working: security data operations, or simply (and catchier) SecDataOps.

SecDataOps is a term used to describe the process of integrating data into the entire security life cycle, whether for risk management, incident response, or cyber-threat intelligence production. Quantitative data about your environment, assets, business domain, and adversaries must be used. This also means security teams have to adopt strong data analysis, engineering and science processes from data collection and storage to dissemination and archiving. The goal of SecDataOps is to ensure that data is always finely curated and accessible, and that security decisions are made with high-fidelity data.

**Joint Task Force**

SecDataOps need not be a formalized reporting structure all at once but instead can be a joint task force and an additional horizontal responsibility in a security program. Occasionally, SecDataOps may bleed into enterprise architecture, enterprise IT, and other teams as needed. Instead of forcing all your security engineers to become data engineers, consider first bringing in big data consultants and other experts to help take account of how data moves in the organizations, where it's stored, how much it costs, all the way down to schema and formats.

Once the governance and management of raw data available to a team directly from security tools or from environments (e.g., cloud APIs, configuration management databases, existing data lakes) is complete, metrics need to be defined. Service-level agreements (SLAs) are typically formalized agreements but are a great way to hold your burgeoning SecDataOps practices to high quality standards.

Strong SLAs define the purpose of setting the SLA (the why), the promise and specific metric (the what and how), and any specific requirements (the when), if applicable. Creating these SLAs from the start that align to both the overall SecDataOps program and for specific datasets, data feeds, or projects will be important to achieve cohesion and long-term SecDataOps success.

Only once a strong baseline is set can specialized projects or process overhauls can be carried out. This same contextual approach can be applied to cloud security posture management remediation or as enrichment for real-time investigatory requirements such as pulling in ownership and asset data into a security alert investigation.

The leadership decision of a SecDataOps team is an important choice and may need to change as the team matures. When existing as an additional responsibility or joint task force, it may make sense to have the CISO run the function no matter what their level of hands-on technical acumen is; this is to hold the cross-functional team together. The results of SecDataOps will have a strong business emphasis, as the goal is to rapidly detect, pinpoint, and address various risks.

Harnessing data and building generative adversarial networks and massive business-intelligence dashboards to quantify cyber-risk is the exciting part of SecDataOps. But large parts of the work will be formative and the outcome for protecting the business is still the primary goal. Do not fear bringing in outside talent to build out the data piece of the equation. Having a team that is ready to cross-train and learn from one another will be vastly more successful than throwing security engineers to the data wolves.

This security data problem is not going away. Starting off is simply an information gathering operation: meet with your teams, understand how they harness data, what data they wish they had, and start from there. Do not get lost dreaming of what cool machine-learning algorithms you can deploy when sometimes the best outcome is well-governed data. SecDataOps is the way we win this data war and defeat our adversaries.

Why SecDataOps Is the Future of Your Security Program

**DENVER****,** **Feb. 14, 2023** **/PRNewswire/ --** Ping Identity, the intelligent identity solution for the enterprise, has formed a new strategic alliance with Deloitte, a leader in global security consulting services, to help the organizations' shared clients improve advanced Identity Access Management (IAM) Solutions selection and onboarding. Through the alliance, Ping and Deloitte's shared clients will be able to streamline digital identity management and effectively authorize which employees, customers, vendors, and suppliers can access sensitive corporate resources.

Deloitte brings to the alliance its significant experience in identity and access management across strategy, implementation and operations-managed services for both workforce and customer IAM solutions in a global customer ecosystem. Ping Identity brings its strength in single sign-on (SSO) and multi-factor authentication (MFA) technologies as well as advanced capabilities like identity authorization, risk and fraud mitigation, and overall IAM orchestration. Deloitte and Ping's shared clients will have access to intelligent identity solutions able to scale enterprise-wide and to offer customers a secure and frictionless experience. 

"We're moving into an experience-first world where identity is paramount to enable security and frictionless interactions," said Andre Durand, CEO and founder of Ping Identity. "Our IAM solutions align well with Deloitte's deep knowledge of connected customer journeys and trusted customer experiences. This alliance will help more organizations reduce risk and accelerate time-to-value as they look to modernize their identity strategies."

As part of the alliance, Deloitte will receive Ping Identity's dedicated sales training, certifications, product roadmap updates, and marketing resources that strengthen and secure access to the cloud, mobile, SaaS, and on-premises applications across the hybrid enterprise.

"As the digitization of businesses continues to increase, providing a trusted employee and customer experience is imperative for organizations," said Nakul Sharma, a Deloitte Risk & Financial Advisory managing director, Deloitte & Touche LLP. "Offering visibility and transparency around how data is used is important to building trust throughout the enterprise as well as with consumers. Our alliance with Ping is an important step in our ecosystem growth to offer Deloitte clients enhanced identity management solutions to help secure identities and data across digital engagement channels."

As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

**About Ping Identity**

At Ping Identity, we believe in making digital experiences both secure and seamless for all users, without compromise. That's digital freedom. We let enterprises combine our best-in-class identity solutions with third-party services they already use to remove passwords, prevent fraud, support Zero Trust, or anything in between. This can be accomplished through a simple drag-and-drop canvas. That's why more than half of the Fortune 100 choose Ping Identity to protect digital interactions from their users while making experiences frictionless. Learn more at www.pingidentity.com.

Ping Identity and Deloitte Forge Alliance to Give Organizations Advanced Identity and Access Solutions

**ARLINGTON, Va.****,** **Feb. 14, 2023** **/PRNewswire/ --** ThreatConnect, maker of leading threat intelligence operations (TI Ops) and risk quantification solutions, announced today the company's accelerated growth through 2022 and market leading position heading into 2023.

"With a tumultuous year marked by geopolitical and economic uncertainty that increased pressure on CISOs and their teams to improve security effectiveness and efficiency, ThreatConnect had a tremendous year in both new customer acquisition and product innovation," said Balaji Yelamanchili, CEO of ThreatConnect. "As we enter 2023, we're positioned to continue delivering market leading product innovation that enables our customers and partners to manage efficient TI Ops with quantifiable risk mitigation strategies."

**Customer & Revenue Growth** 

*   Substantial double-digit growth in new logo and expansion business, including some of the world's largest technology, financial services, healthcare, governmental, and cyber security organizations choosing ThreatConnect for their TI Ops and risk quantification initiatives.
*   Expanded risk quantification and TI Ops deployments with three of the top five software companies in the world, 12 global financial services organizations, and 33 other large enterprise customers.
*   Now serving nearly 200 global customers, including five of the top 10 software companies in the world, three of the top five airlines, three of the top five pharmaceutical companies, two of the top five insurance providers, and more than 10 defense and federal agencies.

**Threat Intelligence Operations Innovation**

The company's product and engineering teams delivered a variety of new features that enable cyber threat intelligence (CTI) teams to more efficiently investigate and create intelligence, and work with security operations (SecOps) teams to consume and operationalize threat intelligence.  These new features are designed to deliver better security outcomes in terms of mean time to detect (MTTD) and mean time to resolve (MTTR) potential threats and incidents, and drive efficiencies across teams and tools.

**Specific Innovations:** 

ThreatConnect made many useful product enhancements, including:

*   ThreatConnect's Collective Analytics Layer (CAL™), powered by Big Data and Machine Learning, increased its volume of data by 25% versus prior year to over 176 billion points of data used for scoring potential indicators of compromise (IOCs), providing insights for investigations, and categorizing relationships between indicators, threat actors, malware, and campaigns. By merging anonymized insights from ThreatConnect users with this massive data set creates the ability to have better confidence scoring and enrichment on potential IOCs that very few other players in the market can claim.
*   Natural Language Processing (NLP) capabilities to recognize MITRE ATT&CK® techniques by extracting insights from open source blogs, research, and other sources. This enables customers to get faster insights on relevant threats they are investigating.
*   Highly intuitive graph investigation capability that incorporates the customer's threat intelligence and internal case & investigation data, with insights from CAL's Automated Threat Library, including threat actors, campaigns, and ATT&CK techniques, and a growing number of third-party intelligence and enrichment sources.
*   A new reporting engine that makes it easy to create and disseminate threat intelligence reports with graphs, tables, images, and narrative descriptions.
*   New Enrich Anywhere capability automates the addition of context to indicators of compromise, allowing users to easily identify false positives and pinpoint actionable intelligence.  
*   Streamline the work of the SOC by infusing relevant threat intelligence directly into every step of their case workflow, and allowing for relevant artifacts and findings to be promoted for validation as threat intelligence by the CTI team.
*   Measure the work being done by the team with case and analyst efficiency metrics.
*   Stronger multi-tenant management of clients for MSSP and multi-tiered organizations with the introduction of Super Admin Users who can answer RFI's or work alongside analysts in other organizations without leaving their ThreatConnect instance.

**Risk Quantification Break Out Year**

*   Significant double digit annual sales growth, including new customers in healthcare, finance and manufacturing.
*   Launched technology alliance and go-to-market partnership with SecurityScorecard, resulting in 14 net new customers.
*   New go-to-market partnership with 3 of the top global software vendors.

**Industry recognition**

Winner of multiple industry accolades, including the Global Infosec Awards, Cybersecurity Excellence Award, and the top 100 most Innovative Cybersecurity companies by Expert Insights.

**Experienced Leadership and Board Advisors**

In 2022, the company added seasoned cybersecurity operators to its executive ranks with cybersecurity veterans. Balaji Yelamanchili, previously EVP and General Manager of Symantec's Enterprise Security business, joined the company as Chief Executive Officer.  Burney Barker, a veteran of Forescout, Gigamon, and Dell EMC, joined the company as Chief Revenue Officer.  In the Chief Marketing Officer role, Charles Gold joined the company, bringing more than 25 years of executive experience at category leaders including Sonatype, Virtru, and FireMon.

The company also added an elite group of enterprise cybersecurity leaders as Board Advisors.  This esteemed group includes Colin Anderson, current CISO at Ceridian and former CISO at Safeway and Levi Straus, Myrna Soto former CISO at MGM and Comcast and current Board member at Spirit Airlines and Trinet, and Patrick Joyce, CISO at Medtronic.  They will advise the company's Board and executive team on strategic product and go-to-market matters.

"Enterprises are transforming  their approach to security operations to support their move to the cloud and the digital economy while at the same time addressing a growing threat landscape and emerging threats like ransomware,"  said Yelamanchili.   "Our TI Ops and risk quantification solutions are critical to these initiatives and, given our momentum in 2022 and near term product roadmap, I couldn't be more excited about this coming year."

**About ThreatConnect**

ThreatConnect enables threat intelligence operations, security operations, and cyber risk management teams to work together for more effective, efficient, and collaborative cyber defense and protection. With ThreatConnect, organizations can infuse ML and AI-powered threat intel and cyber risk quantification into their work, allowing them to orchestrate and automate processes to get the necessary insights, and respond faster and more confidently than ever before. More than 200 enterprises and thousands of security operations professionals rely on ThreatConnect every day to protect their organizations' most critical assets.

ThreatConnect Closes 2022 with Accelerated Growth in Threat Intelligence Operations (TI Ops)

No, there’s not a sudden influx of unidentified objects in the skies above the US—but the government is paying closer attention.

When U.S. government officials in early February identified and eventually shot down a surveillance balloon attributed to China, the prominent acknowledgment of a spy balloon captured public attention and inflamed tensions between Washington and Beijing. But since then, the prospect of the US government intercepting unidentified flying objects has become quotidian, with three UFOs shot down in the past four days—two near Alaska and one over Lake Huron near Michigan. The spree raises the question, are there more UFOs over US airspace than usual, or is everyone just looking more closely?

Researchers say it's the latter, and they note that even before the balloon mania began, the US government tracked many UFOs in its airspace, including a number of balloons. The US Office of the Director of National Intelligence (ODNI) released a January report, for example, tracking incidents involving UFOs, which the US government calls Unidentified Anomalous Phenomena or UAPs. Between March 5, 2021, and August 30, 2022, the All-Domain Anomaly Resolution Office had 247 reports of UAPs. In a wider pool of 366 UAP reports that also includes newly discovered incidents that occurred before 2021, ODNI said that 163 were balloons “or balloon-like entities,” 26 were “Unmanned Aircraft Systems,” or drones, and six were “attributed to clutter.” So, not all UFOs are balloons, and not all unidentified balloons are spy balloons.

Additionally, CNN reported on Friday that in the past year, the US intelligence community invented a novel technique for conducting real-time tracking of spy balloons or other balloon vehicles of interest. After an incident in which a Chinese spy balloon briefly entered US airspace in 2021, US intelligence forces used data they'd collected about the balloon to look back at radar and other aerial surveillance data to search for previously unidentified past incidents. The results then allowed officials to create models for tracking balloon flights around the world in close to real time.

The heightened alert in recent days may have also led to other tweaks to US radar noise reduction methods to detect more small aircraft at altitudes where planes don't usually fly.

“This isn't new; we just hadn't been detecting them in the past,” says Brynn Tannehill, a RAND Corporation senior technical analyst and a former naval aviator. “I suspect that filters on US systems had previously been ignoring things that were too slow, high, or small to be considered threats. Now that the parameters on the filters have been adjusted, we're seeing more of what was already there for the past few years.”

US government officials said at the beginning of the month that the Chinese spy balloon was roughly the size of three buses. Meanwhile, US Defense Department officials said the UFO the US shot down on Friday was likely not a balloon and was roughly the size of a small car. The object shot down on Saturday, on orders from Canada's prime minister, Justin Trudeau, was described by Canadian officials as cylindrical and seemingly smaller than a surveillance balloon. US officials said the UFO shot down on Sunday was octagonal and didn't seem to be carrying anything.

The White House says that China has been working on a balloon surveillance initiative in recent years “that it has used to violate the sovereignty of the US and over 40 countries across five continents,” according to a statement by National Security Council spokesperson Adrienne Watson. On Sunday, the Chinese government claimed that the US illegally flew over 10 balloons in its airspace in the past year. The Biden administration denied the allegation. “Any claim that the US government operates surveillance balloons over the PRC is false,” Watson said in the statement.

“With the balloon at the beginning of February, the US caught China with its hands in the proverbial cookie jar and made the decision to make it public,” says Jake Williams, a former National Security Administration hacker and an analyst at the Institute for Applied Network Security. “There is likely a ton of statecraft happening in the background, either as a result of the decision to publicly acknowledge the first balloon or that led to the decision itself. Generally, yes, things change once a surveillance target knows they're being surveilled.”

The Biden administration has been been criticized by some Republican lawmakers and others for being slow to shoot down the Chinese spy balloon and hesitant to reveal specific details about the three other UFOs taken out in recent days. (US officials said shooting down the balloon over land would pose an unacceptable risk due to falling debris.) RAND's Tannehill says, though, that from an investigative perspective, it's difficult to process so many cases simultaneously. 

“The White House is caught between rapid response and getting the facts right,” Tannehill says. “Until the path analysis is done, we're guessing at who launched them. Getting the facts wrong publicly would be highly damaging to US credibility.” She adds that the UFO disabled on Saturday that also flew over Canadian airspace “brings another NATO country into the discussion, and it becomes a NATO problem, not just US or NORAD,” the North American Aerospace Defense Command. 

Of the object shot down on Sunday over Lake Huron, the US Defense Department said in a statement, “We did not assess it to be a kinetic military threat to anything on the ground, but assess it was a safety flight hazard and a threat due to its potential surveillance capabilities. Our team will now work to recover the object in an effort to learn more.”

Oh, and if you're still holding out for this flurry of aerial activity to be related to aliens, the White House is here to burst your bubble: “I know there have been questions and concerns about this," White House press secretary Karine Jean-Pierre said at a press conference yesterday, “but there is no, again no indication of aliens or extraterrestrial activity with these recent takedowns.” General Glen VanHerck, commander of the Air Force’s Northern Command, added during a news conference on Sunday, though, “I haven’t ruled out anything at this point.”

The More You Look for Spy Balloons, the More UFOs You’ll Find

One thing is clear. The "business value" of data continues to grow, making it an organization's primary piece of intellectual property.
From a cyber risk perspective, attacks on data are the most prominent threat to organizations. 
Regulators, cyber insurance firms, and auditors are paying much closer attention to the integrity, resilience, and recoverability of organization data – as well as

One thing is clear. The "_business value"_ of data continues to grow, making it an organization's primary piece of intellectual property.

From a cyber risk perspective, attacks on data are the most prominent threat to organizations.

Regulators, cyber insurance firms, and auditors are paying much closer attention to the integrity, resilience, and recoverability of organization data – as well as the IT infrastructure & systems that store the data.

****What Impact Does This Have On The Security Of Storage & Backup Systems?****

Just a few years ago, almost no CISO thought that storage & backups were important. That's no longer the case today.

Ransomware has pushed backup and recovery back onto the IT and corporate agenda.

Cybercriminals, such as Conti, Hive and REvil, are targeting storage and backup systems, to prevent recovery.

Some ransomwares – Locky and Crypto, for example – now bypass production systems altogether, and directly target backups.

This has forced organizations to look again at potential holes in their safety nets, by reviewing their storage, backup, and data recovery strategies.

****CISO Point of View****

To get insights on new storage, backup, and data protection methods, 8 CISOs were interviewed. Here are some of those lessons.

_Source: CISO Point of View: The ever-changing role of data, and the implications for data protection & storage security (Continuity)_

CISOs are concerned about the rise of ransomware – not only of the proliferation of attacks but also of their sophistication: "_The storage and backup environments are now under attack, as the attackers realize that this is the single biggest determining factor to show if the company will pay the ransom,_" says **George Eapen**, Group CIO (and former CISO) at Petrofac,

**John Meakin**, former CISO at GlaxoSmithKline, BP, Standard Chartered, and Deutsche Bank believes that "_As important as it may be, data encryption is hardly enough to protect an organization's core data. If attackers find their way into a storage system (as data encryption alone won't prevent them from doing so), they are free to cause severe damage by deleting and compromising petabytes of data – whether they're encrypted or not. This also includes the snapshots and backup._"

Without a sound storage, backup, and data recovery strategy, organizations have little chance of surviving a ransomware attack, even if they end up paying the ransom.

****Shared Responsibility - CISO vs. Storage & Backup Vendor****

While storage & backup vendors provide excellent tools for managing availability and performance of their infrastructure, they don't do the same for the security and configuration of those same systems.

Some storage and backup vendors publish security best practice guides. However, implementation and monitoring of security features and configurations is the responsibility of an organization's security department.

There are, however, a number of cyber resiliency initiatives that are being carried out. These include:

****Current Ransomware Resiliency Initiatives For Storage & Backup:********Air-gapped data copies****

Adding an air-gap means separating backups from production data. This means that if the production environment is breached, attackers don't immediately have access to backups.

You can also keep storage accounts separate.

****Storage snapshots & replication****

Snapshots record the live state of a system to another location, whether that's on-premises or in the cloud. So, if ransomware hits the production system, there is every chance it will be replicated onto the copy.

****Immutable storage & vault****

Immutable storage is the simplest way to protect backup data. Data is stored in a Write Once Read Many (WORM) state and cannot be deleted for a pre-specified period.

Policies are set in backup software or at storage level and it means backups can't be changed or encrypted.

While immutability is helpful in remediating cyberthreats, it is certainly not bullet proof.

Immutable storage can be 'poisoned', enabling hackers to change the configuration of backup clients and gradually replace stored data with meaningless information. In addition, once hackers gain access to the storage system, they can easily wipe out snapshots.

****Storage security posture management****

Storage security posture management solutions help you get a full view of the security risks in your storage & backup systems. It does this by continuously scanning these systems, to automatically detect security misconfigurations and vulnerabilities.

It also prioritizes risks in order of urgency and business impact, and provides remediation guidance.

****4 Steps to Success****

1.  Define comprehensive security baselines for all components of storage and backup systems (NIST Special Publication 800-209; Security Guidelines for Storage Infrastructure provides a comprehensive set of recommendations for the secure deployment, configuration, and operation of storage & backup systems)
2.  Use automation to reduce exposure to risk, and allow much more agility in adapting to changing priorities. Storage security posture management (also known as storage vulnerability management) solutions can go a long way to helping you reduce this exposure.
3.  Apply much stricter controls and more comprehensive testing of storage and backup security, and the ability to recover from an attack. This will not only improve confidence, but will also help identify key data assets that might not meet the required level of data protection
4.  Include all aspects of storage and backup management, including often-overlooked key components such as fiber-channel network devices, management consoles, etc.

NIST Special Publication 800-209; Security Guidelines for Storage Infrastructure provides an overview of the evolution of storage technology, recent security threats, and the risks they pose.

It includes a comprehensive set of recommendations for the secure deployment, configuration, and operation of storage resources. These include data and confidentiality protection using encryption, isolation and restoration assurance.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel