Last year, 71% of enterprise breaches were pulled off quietly, with legitimate tools, research shows.

RSA CONFERENCE 2023 – San Francisco – With little more than smart reconnaissance and existing tools, adversaries are increasingly capable of compromising an enterprise network without making any noise or leaving a trace behind.

In fact, according to CrowdStrike CEO Jeff Hurtz and president Michael Sentonas, 71% of enterprise cyberattacks in calendar year 2022 were done without malware.

At this year's RSA Conference, Hurtz and Sentonas returned to the keynote stage to walk the audience through a case study of just how easily a threat actor can not just penetrate a network but also move laterally and persist without making a ripple, illustrating in stark terms the kind of challenge cybersecurity teams face trying to detect, much less mitigate, malwareless compromises.

The legendary cybersecurity duo profiled the "Spider" cybercrime group from the stage as a perfect example of the phenomenon.

"They're very well prepared, and they are very well resourced," Sentonas explained. "And they really like to leverage existing tools; there's no need to get fancy if you can just blend in."

**Spider: Anatomy of a Malwareless Attack**

First, Spider initiates an in-depth intelligence gathering effort. Hurtz said his team was able to establish the threat actor spent more than an hour on the phone with the victim company's help desk trying to get any insights that could fuel the next phase of social engineering. 

Once they had a specific user in their sights, Spider initiates a voice call informing the user their credentials had been compromised. Victims are then sent a malicious link and prompted to enter in not just their login details, but also their multifactor authentication (MFA) data. Once the user is tricked into handing those over, Spider is off and running.

"We call that the layer A problem," Hurtz joked, about the user handing over the goods. "It's between the chair and the keyboard."

Spider then uses the Tails operating system and Evilginx2 to compromise the user's credentials to set up an AnyDesk account controlled by the cyberattackers. AnyDesk remains a popular remote desktop tool among threat actors, Hurtz added.

Spider also uses dedicated machines that hide their identity, and run their code on hardware as much as possible to avoid detection. "It could be from anywhere," Sentonas said. "It blends in because its not going to come from some crazy domain."

Other tools, like DigitalOcean Droplet, used as a virtual machine, fill out the attack chain. Ultimately, Hurtz and Sentonas explained, the Spider attack ends with the persistent actor set up with their own users on the network, free and able to exfiltrate data at will. And importantly, Sentonas noted, if the threat actor can get into the on-premises network, the cloud is likely going to sync and become compromised as well.

Importantly, Sentonas and Hurtz wanted to disabuse the audience of the notion that threat actors need full admin access to set up new users. They don't, and Sentonas showed exactly how just delegated permissions could allow him to move freely about the company's customer relationship management system, as well as add themselves as a SQL server admin.

In the past couple of quarters, CrowdStrike has been dealing with about one enterprise per week reeling from this type of malware-free cyberattack, Sentonas said.

**How to Defend Against Malware-Free Cyberattacks**

When it comes to defending the enterprise, endpoint detection and response (EDR) and other malware detection tools aren't terribly useful against malware-free cyberattacks. There's simply no malicious code to detect.

Instead, Hurtz and Sentonas urged enterprises to focus on gathering as much telemetry as possible from the endpoint to the cloud and managing identity down to the tiniest details.

But gathering all that telemetry and identity data leaves teams with vast oceans of information that's not particularly useable for threat hunting. That's where artificial intelligence (AI) and machine learning (ML) can be meaningfully deployed to look for anomalous activity, like added user accounts, to detect malicious activity, without malicious code.

It's also important to protect the enterprise MFA service from compromise, they added.

"Maintain good identity store hygiene, Sentonas said. "And protect the services you use for MFA."

Malware-Free Cyberattacks Are On the Rise; Here's How to Detect Them

The advanced persistent threat (APT) group referred to as Evasive Panda has been observed targeting an international non-governmental organization (NGO) in Mainland China with malware delivered via update channels of legitimate applications like Tencent QQ.
The attack chains are designed to distribute a Windows installer for MgBot malware, ESET security researcher Facundo Muñoz said in a new

The advanced persistent threat (APT) group referred to as **Evasive Panda** has been observed targeting an international non-governmental organization (NGO) in Mainland China with malware delivered via update channels of legitimate applications like Tencent QQ.

The attack chains are designed to distribute a Windows installer for MgBot malware, ESET security researcher Facundo Muñoz said in a new report published today. The activity commenced in November 2020 and continued throughout 2021.

Evasive Panda, also known as Bronze Highland and Daggerfly, is a Chinese-speaking APT group that has been attributed to a series of cyber espionage attacks targeting various entities in China, Hong Kong, and other countries located in East and South Asia since at least late December 2012.

The group's hallmark is the use of the custom MgBot modular malware framework, which is capable of receiving additional components on the fly to expand on its intelligence-gathering capabilities.

Some of the prominent capabilities of the malware include stealing files, logging keystrokes, harvesting clipboard data, recording audio streams, and credential theft from web browsers.

ESET, which discovered the campaign in January 2022 after a legitimate Chinese application was used to deploy an installer for the MgBot backdoor, said the targeted users were located in the Gansu, Guangdong, and Jiangsu provinces and are members of an unnamed international NGO.

The trojanized application is the Tencent QQ Windows client software updater ("QQUrlMgr.exe") hosted on the domain "update.browser.qq\[.\]com." It's not immediately clear how the threat actor managed to deliver the implant through legitimate updates.

But it points to either of the two scenarios, a supply chain compromise of Tencent QQ's update servers or a case of an adversary-in-the-middle (AitM) attack, as detailed by Kaspersky in June 2022 involving a Chinese hacking crew dubbed LuoYu.

In recent years, many software supply chain attack has been orchestrated by nation-state groups from Russia, China, and North Korea. The ability to gain a large malicious footprint quickly has not been lost on these attackers, who are increasingly targeting the IT supply chain to breach enterprise environments.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

"AitM styles of interception would be possible if the attackers – either LuoYu or Evasive Panda – were able to compromise vulnerable devices such as routers or gateways," Muñoz elaborated.

"With access to ISP backbone infrastructure – through legal or illegal means – Evasive Panda would be able to intercept and reply to the update requests performed via HTTP, or even modify packets."

This is significant as the findings come less than a week after Broadcom-owned Symantec detailed attacks mounted by the threat actor against telecom service providers in Africa using the MgBot malware framework.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Using MgBot Malware to Target International NGOs in Mainland China

Rapid7 Insight Agent token handler versions 3.2.6 and below, suffer from a Directory Traversal vulnerability whereby unsanitized input from a CLI argument flows into io.ioutil.WriteFile, where it is used as a path. This can result in a Path Traversal vulnerability and allow an attacker to write arbitrary files. This issue is remediated in version 3.3.0 via safe guards that reject inputs that attempt to do path traversal.

*   Products
    
    *   Insight Platform Solutions
    *   
    *   Threat Intelligence
        
        THREAT COMMAND
        
    *   Vulnerability Management
        
        INSIGHTVM
        
    *   Dynamic Application Security Testing
        
        INSIGHTAPPSEC
        
    *   Orchestration & Automation (SOAR)
        
        INSIGHTCONNECT
        
    *   Cloud Security
        
        INSIGHTCLOUDSEC
        
    
    *   More Solutions
    *   Penetration Testing
        
        METASPLOIT
        
    *   On-Prem Vulnerability Management
        
        NEXPOSE
        
    *   Digital Forensics and Incident Response (DFIR)
        
        Velociraptor
        
    
    *   Cloud Risk Complete
        
        Cloud Security with Unlimited Vulnerability Management
        
        Explore Offer
    *   Managed Threat Complete
        
        MDR with Unlimited Risk Coverage
        
        Explore offer
    
*   Services
    
    *   MANAGED SERVICES
    *   Detection and Response
        
        24/7 MONITORING & REMEDIATION FROM MDR EXPERTS
        
    *   Vulnerability Management
        
        PERFECTLY OPTIMIZED RISK ASSESSMENT
        
    *   Application Security
        
        SCAN MANAGEMENT & VULNERABILITY VALIDATION
        
    
    *   OTHER SERVICES
    *   Security Advisory Services
        
        PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES
        
    *   Product Consulting
        
        QUICK-START & CONFIGURATION
        
    *   Training & Certification
        
        SKILLS & ADVANCEMENT
        
    *   Penetration Services
        
        TEST YOUR DEFENSES IN REAL-TIME
        
    *   IoT Security Testing
        
        SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD
        
    *   Premium Support
        
        PRIORITY HELP & FASTER SOLUTIONS
        
    
*   Support & Resources
    
    *   SUPPORT
    *   Support Portal
        
        CONTACT CUSTOMER SUPPORT
        
    *   Product Documentation
        
        EXPLORE PRODUCT GUIDES
        
    *   Release Notes
        
        DISCOVER THE LATEST PRODUCT UPDATES
        
    *   
    
    *   RESOURCES
    *   Fundamentals
        
        FOUNDATIONAL SECURITY KNOWLEDGE
        
    *   Blog
        
        THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE
        
    *   Resources Library
        
        E-BOOKS, WHITE PAPERS, VIDEOS & BRIEFS
        
    *   Extensions Library
        
        PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY
        
    *   Partners
        
        RAPID7 PARTNER ECOSYSTEM
        
    *   Webcasts & Events
        
        UPCOMING OPPORTUNITIES TO CONNECT WITH US
        
    *   Vulnerability & Exploit Database
        
        SEARCH THE LATEST SECURITY RESEARCH
        
    
*   Company
    
    *   OVERVIEW
    *   
    *   Leadership
        
        EXECUTIVE TEAM & BOARD
        
    *   News & Press Releases
        
        THE LATEST FROM OUR NEWSROOM
        
    *   
    *   Our Customers
        
        Their Success Stories
        
    
    *   COMMUNITY & CULTURE
    *   Social Good
        
        OUR COMMITMENT & APPROACH
        
    *   Rapid7 Cybersecurity Foundation
        
        BUILDING THE FUTURE
        
    *   Diversity, Equity & Inclusion
        
        EMPOWERING PEOPLE
        
    *   Open Source
        
        STRENGTHENING CYBERSECURITY
        
    *   Public Policy
        
        ENGAGEMENT & ADVOCACY
        
    
*   RESEARCH
*    Sign In

*   All Products
    
    *   AppSpider
    *   Insight Agent
    *   InsightAppSec
    *   InsightCloudSec
    *   InsightConnect
    *   Insight Platform
    *   InsightIDR
    *   Insight Network Sensor
    *   InsightOps
    *   InsightVM
    *   Metasploit
    *   Nexpose
    *   tCell
    *   Managed Services
    

*   Products
    
    *   Insight Platform Solutions
    *   
    *   Threat Intelligence
        
        THREAT COMMAND
        
    *   Vulnerability Management
        
        INSIGHTVM
        
    *   Dynamic Application Security Testing
        
        INSIGHTAPPSEC
        
    *   Orchestration & Automation (SOAR)
        
        INSIGHTCONNECT
        
    *   Cloud Security
        
        INSIGHTCLOUDSEC
        
    
    *   More Solutions
    *   Penetration Testing
        
        METASPLOIT
        
    *   On-Prem Vulnerability Management
        
        NEXPOSE
        
    *   Digital Forensics and Incident Response (DFIR)
        
        Velociraptor
        
    
    *   Cloud Risk Complete
        
        Cloud Security with Unlimited Vulnerability Management
        
        Explore Offer
    *   Managed Threat Complete
        
        MDR with Unlimited Risk Coverage
        
        Explore offer
    
*   Services
    
    *   MANAGED SERVICES
    *   Detection and Response
        
        24/7 MONITORING & REMEDIATION FROM MDR EXPERTS
        
    *   Vulnerability Management
        
        PERFECTLY OPTIMIZED RISK ASSESSMENT
        
    *   Application Security
        
        SCAN MANAGEMENT & VULNERABILITY VALIDATION
        
    
    *   OTHER SERVICES
    *   Security Advisory Services
        
        PLAN, BUILD, & PRIORITIZE SECURITY INITIATIVES
        
    *   Product Consulting
        
        QUICK-START & CONFIGURATION
        
    *   Training & Certification
        
        SKILLS & ADVANCEMENT
        
    *   Penetration Services
        
        TEST YOUR DEFENSES IN REAL-TIME
        
    *   IoT Security Testing
        
        SECURE EVERYTHING CONNECTED TO A CONNECTED WORLD
        
    *   Premium Support
        
        PRIORITY HELP & FASTER SOLUTIONS
        
    
*   Support & Resources
    
    *   SUPPORT
    *   Support Portal
        
        CONTACT CUSTOMER SUPPORT
        
    *   Product Documentation
        
        EXPLORE PRODUCT GUIDES
        
    *   Release Notes
        
        DISCOVER THE LATEST PRODUCT UPDATES
        
    *   
    
    *   RESOURCES
    *   Fundamentals
        
        FOUNDATIONAL SECURITY KNOWLEDGE
        
    *   Blog
        
        THE LATEST INDUSTRY NEWS AND SECURITY EXPERTISE
        
    *   Resources Library
        
        E-BOOKS, WHITE PAPERS, VIDEOS & BRIEFS
        
    *   Extensions Library
        
        PLUGINS, INTEGRATIONS & DEVELOPER COMMUNITY
        
    *   Partners
        
        RAPID7 PARTNER ECOSYSTEM
        
    *   Webcasts & Events
        
        UPCOMING OPPORTUNITIES TO CONNECT WITH US
        
    *   Vulnerability & Exploit Database
        
        SEARCH THE LATEST SECURITY RESEARCH
        
    
*   Company
    
    *   OVERVIEW
    *   
    *   Leadership
        
        EXECUTIVE TEAM & BOARD
        
    *   News & Press Releases
        
        THE LATEST FROM OUR NEWSROOM
        
    *   
    *   Our Customers
        
        Their Success Stories
        
    
    *   COMMUNITY & CULTURE
    *   Social Good
        
        OUR COMMITMENT & APPROACH
        
    *   Rapid7 Cybersecurity Foundation
        
        BUILDING THE FUTURE
        
    *   Diversity, Equity & Inclusion
        
        EMPOWERING PEOPLE
        
    *   Open Source
        
        STRENGTHENING CYBERSECURITY
        
    *   Public Policy
        
        ENGAGEMENT & ADVOCACY
        
    
*   RESEARCH

*   Sign In

*   Documentation
*   All Products
    
    *   AppSpider
    *   Insight Agent
    *   InsightAppSec
    *   InsightCloudSec
    *   InsightConnect
    *   Insight Platform
    *   InsightIDR
    
    *   Insight Network Sensor
    *   InsightOps
    *   InsightVM
    *   Metasploit
    *   Nexpose
    *   tCell
    *   Managed Services

CVE-2023-2273: Insight Agent Release Notes

The Data Security Maturity Model ditches application, network, and device silos when it comes to architecting a data security strategy.

RSA CONFERENCE 2023 – San Francisco – The coalition behind the Data Security Maturity Model has issued a second iteration of the framework, aimed at making it easier for businesses to protect data from leaks.

The coalition, created by Cyberhaven last summer, is led by Sounil Yu, CISO at JupiterOne and includes a range of security leaders from a range of companies, including Boston Scientific, Caterpillar Financial, Fleet, Flexport, Motorola Mobility, Twilio, VillageMD, and others.

During a panel at RSA Conference 2023, entitled Comprehensive Cyber Capabilities Framework: A Tech Tree for Cybersecurity, coalition members laid out a vision for the next generation of data security.

"The ability to protect any type of data across devices, applications, and cloud assets is essential if organizations are to take advantage of the power of modern collaboration and digital transformation without exposing their data to external threats, insider threats, or simple mistakes by well-intentioned users," the coalition said in a statement.

The DSMM aligns to the NIST Cybersecurity Framework and the Cyber Defense Matrix, and to enable a data-centric view, it defines five key functions:

*   **Identify & Classify:** Find and classify all data covered by the data security program.
*   **Protect:** Minimize the exposure of sensitive data by controlling how it is accessed, used, and retained.
*   **Detect:** Collect and analyze data risk to identify data-related security events or policy violations that were not stopped by the "Protect" function.
*   **Respond:** Establish immediate, short-term actions to be taken upon detection of a potential incident.
*   **Recover & Improve**: Determine actions needed to not only restore normal operations (as they pertain specifically to data), but also to build back stronger.

In its second iteration released this week, the maturity model refines each of these pillars to take into account more granular context, such as what server infrastructure is being used, how much is in the cloud, privacy regulations, how employees and others use the data, and how applications, APIs, and non-human endpoints use it, and more — in order to gain a fuller picture of an organization's data footprint.

**The Data & Digital Transformation Problem**

Richard Rushing, panelist and CISO of Motorola Mobility, tells Dark Reading that a new framework approach was needed given that, in the age of digital transformation, getting arms around all of the data being generated at any given point within an organization simply can't be accomplished by looking at protection in a siloed way. The old concept of seeing data in the context of devices, applications, or the network, needed to be traded for a focus on the data itself, wherever it goes within an organization.

"If you think about what security is enabling, it's the use of data, and ubiquitous access to it," he says. "It's necessary to connect to the network to use the data that's in the network to make better decisions for the business or make better decisions for your customers. But data is found in different places, sometimes it's at rest, and sometimes it's in transit."

He adds that the problem is — quite literally — growing, also necessitating a rethink of protection architecture.

"Data is on a logarithmic curve; for every amount of data that I have next year, it's probably 2.5 times more than the amount of data I had this year," he says. "We're data hoarders, for lack of a better term; no one wants to get rid of people's information who have signed up to websites and forums and everything else, so we have this enormous data sprawl. That, in turn, leaves behind security blind spots."

Further adding to the challenge is the fact that some data is of course more sensitive than other information, and some information doesn't need protecting at all, Rushing points out. And there's dynamism in terms of defining appropriate security levels as data ages.

He uses a product launch to illustrate his point. "With a product release, we start off with a situation where no one knows about it, everything's embargoed, and you're protecting this important intellectual property," he explains. "And the next thing you know, it's released for public consumption. And it's suddenly not top secret anymore, in fact, you want the whole world to know about it."

Rushing says that the framework is meant to tame some of this chaos, and that it can be tailored to large enterprises and small-to-midsized businesses alike. It allows organizations to focus in on a number of practice areas, too — including risk-based decision prioritization, collaboration, continuous education, risk management for vendors and third parties, compliance, being transparent, and incident response and how to recover data.

"I don't want to say it's one size fits all, but it's very close to one size fits all," he explains. "The controls are going to be different depending on the environments, but the approach is meant to be flexible enough to accommodate that."

He says that the framework is a living architecture that the coalition plans to refine and evolve over time. However, the time to make the switch to thinking about things in a data-centric kind of way should start now.

"If you don't start \[or\] you don't think about this, you're going to get hit in the next 6, 12, 18 months in some way, shape, or form," he warns. "It's not like the Internet is becoming a safer neighborhood and data is the new oil that's going to drive business and attackers alike."

CISOs Rethink Data Security With Info-Centric Framework

**SAN FRANCISCO****,** **April 25, 2023** **/PRNewswire/ --** BlackBerry Limited (NYSE: BB; TSX: BB) and Solutions Granted today announced an extended partnership, naming the leading cybersecurity services provider a Master Managed Security Services Provider (MSSP), enabling it to better scale and meet the growing demand for cybersecurity services among small and medium-sized businesses (SMBs).

"Solutions Granted has been honored as BlackBerry MSSP Partner of the Year for North America for five consecutive years and we're excited to take our partnership to the next level by crowning them as our top Master MSSP," said Adam Enterkin, Chief Revenue Officer, Americas, BlackBerry Cybersecurity. "BlackBerry is dedicated to increasing its focus on MSSP partners to ensure they're set up for success. Endpoints are proliferating, and so are the cyberattacks against them. Our extended partnership with Solutions Granted will help hundreds of small and mid-size businesses continuously adapt to an ever-changing threat landscape."

As a 'Master MSSP', Solutions Granted will be better positioned to help its own partners to deliver Managed Detection and Response (MDR) and other Managed Security Services to their mid-market and SMB clients.  In partnership with BlackBerry and heavily leveraging the Cylance® AI-powered portfolio, Solutions Granted helps thousands of clients secure their environments and prevent attacks. By working with Solutions Granted, MSSPs and managed service providers (MSPs) can offer industry leading managed security, without making the significant investment of building out their own security operations center (SOC).

CylanceENDPOINT™ is among the solutions it helps managed service providers (MSPs) deploy to clients, either as individual managed services or integrated into a SOC-as-a-service offering.

"BlackBerry's support for our business model provides the flexibility we need to continue to meet customer demand and provide the best possible product support for their business needs," said Michael E. Crean, Chief Executive Officer, Solutions Granted. "We value the investment BlackBerry is making in our partnership and know this will go a long way in setting up our customers for success."

To learn more about BlackBerry MSSP Partners, visit blackberry.com/us/en/partners/mssp-partners.

**About BlackBerry**

BlackBerry (NYSE: BB; TSX: BB) provides intelligent security software and services to enterprises and governments around the world.  The company secures more than 500M endpoints including over 215M vehicles.  Based in Waterloo, Ontario, the company leverages AI and machine learning to deliver innovative solutions in the areas of cybersecurity, safety and data privacy solutions, and is a leader in the areas of endpoint management, endpoint security, encryption, and embedded systems.  BlackBerry's vision is clear - to secure a connected future you can trust.

BlackBerry. Intelligent Security. Everywhere. 

For more information, visit BlackBerry.com and follow @BlackBerry.

_Trademarks, including but not limited to BLACKBERRY and EMBLEM Design are the trademarks or registered trademarks of BlackBerry Limited, and the exclusive rights to such trademarks are expressly reserved.  All other trademarks are the property of their respective owners.  BlackBerry is not responsible for any third-party products or services._

**About Solutions Granted Inc.**

Solutions Granted is a Master Managed Security Services Provider (Master MSSP). They offer cybersecurity solutions to North American MSPs and MSSPs and are committed to delivering solutions without requiring minimums, commitments, or long-term contracts. They proudly offer many security layers as well as a 24x7 U.S.-based Security Operations Center (SOC). Over the past several years, Solutions Granted has emerged as a clear leader in the channel, by winning countless awards including the CRN Security 100 list, Top 100 MSSP List, Top Global MSSP List, and BlackBerry MSSP Partner of the Year. Learn more at https://www.SolutionsGranted.com.

BlackBerry Extends Partnership With Managed Security Services Provider (MSSP) to Ensure SMBs are Set Up for Cyber Success

CISOs and cybersecurity teams will play a key role in hardening artificial intelligence and machine learning systems.

RSA CONFERENCE 2023 – San Francisco – As enterprises and government agencies increasingly weave artificial intelligence (AI) and machine learning (ML) into their broader set of systems, they'll need to account for a range of risk resilience issues that start with cybersecurity concerns but spread far beyond those. 

A panel on April 24 at RSA Conference 2023 composed of distinguished AI and security researchers examined the problem space of AI resilience, which includes weighty issues like adversarial AI attacks, AI bias, and ethical application of AI modeling.

Cybersecurity professionals need to start to tackling these issues both within their organizations and as collaborators with government and industry groups, panelists noted.

"Many organizations will look to integrate AI/ML capabilities of their core business functions, but in doing so will increase their own attack surface," explained panel moderator Bryan Vorndran, assistant director at the FBI Cyber Division. "Attacks can occur in every stage of the AI and ML development and deployment cycle, models, training data, and APIs can be targeted."

The good news is that there is time to ramp up into these efforts if the community begins work now.

"We have a really unique opportunity here as a community," said Neil Serebryany, CEO of CalypsoAI. "We're aware of the fact that there is a threat, we're seeing early incidents of this threat, and the threat is not full-blown yet."

The 'yet' is the operative word, he emphasized, and his fellow panelists agree. The field of risk management is in a place with AI similar to where cybersecurity was with the Internet in the 1980s, said Bob Lawton, chief of missions capabilities for the Office of the Director of National Intelligence Science and Technology Group.

"Imagine if it's 1985 and you knew the challenges that we were going to face in the cyber domain now, what would we as a community, as an industry do differently 35 years ago, and that's exactly where we're at with AI right now," said Lawton. "We have the time and space to get it right."

Specifically when it comes to direct attacks against AI systems by adversaries, the threats are still very rudimentary, but that's only because the attackers are only putting the work they need to in order to achieve their objectives right now, said Christina Liaghati, AI strategy execution and operations manager for MITRE Corporation.

"I think we're going to see many more of the malicious actors having a higher level of sophistication of these attacks, but right now they don't have to, which I think is what's really interesting about this space," she told the audience.

Nevertheless, she warned that organizations can't treat the risks lightly. The interest of threat actors to increase their sophistication and knowledge of AI models will only keep growing as it is embedded into systems they can profitably attack. And this is just as true of smaller organizations using simple ML models in financial systems as it would be for government agencies using it in an intelligence capacity.

**Everyone Is at Risk**

"If you're deploying AI in any environment where any actor might want to misuse or evade or attack that system, your system is vulnerable," she said. "So, it's not just super advanced tech giants or anybody that's deploying AI in a massive way. If your system is in any kind of consequential environment and then you incorporate AI and machine learning into that broader system of systems context, you could be exposing it in new ways that you're probably not thinking about or necessarily prepared for."

The challenge with AI for many cybersecurity executives is that addressing these risks will require they and their teams gain a whole new set of knowledge and parlance around AI and data science.

"I don't think that AI assurance at its core is a traditional infosec problem," Serebryany said. "It's a machine learning problem that we're trying to figure out how to translate into the infosec community."

For example, hardening the models requires understanding of key data science metrics like recall precision accuracy and F1 scores, he said.

"So I think it's kind of incumbent upon us to be able to figure out how to take these underlying ML concepts and research and translate the parlance, the concepts and the standard operating procedures within a soft context that makes sense within the infosec community," he said.

At the same time, Liaghati said to not discount the security basics as AI/ML models and systems will be deployed in the context of other systems for which security teams have decades of experience managing risk. The principles of data security, application security, and network security are still extremely relevant, as are standard risk management and OpSec best practices.

"So many of those are just good practices. It's not just a big, fancy adversarial layer or being able to patch a data set. It's not necessarily that complicated," she says. "Many of the ways that you can mitigate these threats are just thinking about the amount of information that you're putting out within public domain on what models you're using, what data you're using, where it's coming from, \[and\] what the broader system context looks like around that AI system.

AI Experts: Account for AI/ML Resilience & Risk While There's Still Time

**AUSTIN, Texas – April 25, 2023 –** Global security leader Forcepoint today extended the depth and breadth of its Data-first SASE (Secure Access Service Edge) offering with the launch of Forcepoint Data Security Everywhere. Forcepoint is simplifying enterprise DLP management across cloud, web and private apps and streamlining compliance wherever hybrid workers store, access and use confidential information.

The company is also bringing to market Forcepoint ONE Insights thatenables users to quickly visualize and quantify the financial value of security efficacy delivered by Forcepoint solutions. Forcepoint ONE Insights’ visualization console presents key performance indicators such as adoption, data and threat protection, policy violations, performance, and risk.

“Data isn’t the new oil; it is the new air. Literally everything runs on data today and our lives and livelihoods depend on it. Before today, securing data required a mishmash of point solutions. Forcepoint is taking the lead in solving this problem with Forcepoint Data Security Everywhere,” said Manny Rivelo, CEO of Forcepoint. “We’re deliveringenterprise-wide data security plus the power and flexibility of Forcepoint ONE SSE to keep data safe at all times, even after it is accessed.Comprehensive data security is a critical capability within our Data-first SASE solution, providing the visibility and control organizations need to protect their data and simplify Zero Trust security.”

In two years, humanity's collective data will reach 175 billion terabytes -- the number 175 followed by 21 zeros. This data includes everything that powers business and consumers’ day-to-day lives. It is accessed and used by hybrid workforces on corporate endpoints and personal devices such as phones and tablets to do their jobs. Forcepoint Data Security Everywhere is a direct response to the reality that business productivity depends upon people having the ability to safely and efficiently use data anywhere.

By connecting Forcepoint Enterprise DLP to the Forcepoint ONE Security Service Edge (SSE) platform, customers can extend a new or existing enterprise DLP policy, including its advanced classifiers, data fingerprinting, and enforcement settings, to the web and cloud. A unified security policy from Forcepoint protects sensitive data across all channels, including endpoints, websites, cloud services, networks, email and private apps.Forcepoint’s data-first approach goes far beyond basic data protection that is often built into SASE solutions. By classifying data and organizing it into different groups rather than relying on hardcoded patterns, Forcepoint data security policies can be written once and enforced everywhere to automatically handle new instances and types of sensitive data.This end-to-end enforcement is ideal for organizations with cloud-based applications or distributed workforces.

**Key Benefits of Enforcing Data Security Everywhere**

*   Adds Forcepoint ONE SSE channels to Forcepoint Enterprise DLP, protecting data across any website, cloud application, and web-based private applications. 
*   Applies new or existing DLP policies across CASB, SWG, and ZTNA channels. 
*   Simplifies DLP management by leveraging over 1,600 out-of-the-box classifiers, policies and templates enabling granular enforcement for files.
*   Gives security operations center (SOC) and IT teams complete incident reporting and forensic information from a single management console.

Forcepoint Data Security Everywhere is immediately available direct from Forcepoint and through the company’s global network of channel partners.

**AI-powered Data Visualization with Forcepoint ONE Insights**

Further extending the value-added capabilities of Forcepoint ONE, in late Q2 2023 the company will unveil Forcepoint ONE Insights, formerly code-named Symphony, which provides economic value and advanced security analytics for real-time insights into an organization's security status.

Forcepoint ONE Insights technology, included with all Forcepoint ONE subscriptions, uses machine learning and artificial intelligence to analyze security data from multiple sources, such as network traffic, endpoint devices, and cloud applications. Using the at-a-glance visualization, security teams can identify potential threats more quickly, reducing the risk of data breaches. They can also see in real-time dashboards showing the economic value and ROI of their use of Forcepoint ONE.

**Meet Forcepoint Experts at RSA 2023**

During the week of RSA, April 25-27, the company will provide hands-on opportunities with Forcepoint Data Security Everywhere and Forcepoint ONE Insights at the Forcepoint Experience Center on the fourth floor of the St. Regis San Francisco. Organizations that want to learn more and get demos can request a meeting.

**Additional information**

*   Read the Data Security Everywhere blog \[link\]
*   Read the Forcepoint Insights blog \[link\]
*   Learn about Data-first SASE
*   Learn about Forcepoint ONE, FlexEdge Secure SD-WAN

**About Forcepoint**

Forcepoint simplifies security for global businesses and governments. Forcepoint’s all-in-one, truly cloud-native platform makes it easy to adopt Zero Trust and prevent the theft or loss of sensitive data and intellectual property no matter where people are working. Based in Austin, Texas, Forcepoint creates safe, trusted environments for customers and their employees in more than 150 countries. Engage with Forcepoint on www.forcepoint.com, Twitter, and LinkedIn.

Forcepoint Delivers Data Security Everywhere, Extending DLP Policies From Endpoints to the Cloud

Full packet capture and log monitoring directly on SASE nodes maintains enterprise-grade security, no matter where the data originates.

**SAN FRANCISCO** **— April 24, 2023 —** NetWitness, a globally trusted provider of threat detection and response technology and incident response services, today announced  the launch of direct Secure Access Service Edge (SASE) packet integrations with several market-leading SASE vendors, including Palo Alto Networks (NASDAQ: PANW), Broadcom, a Symantec company (NASDAQ: AVGO), and Netskope. The new integrations enable NetWitness to deliver unparalleled network visibility across the enterprise. The news comes on day one of RSA Conference 2023, where NetWitness will be demonstrating the technology at booth number 5744.

With hybrid/remote work environments becoming ever more common, SASE is the gold standard network technology that enables modern workforces to interact with corporate resources wherever they are - securely.  By performing full packet capture and log monitoring directly on SASE nodes and combining them with all on-prem, cloud, and SaaS sources, NetWitness can maintain enterprise-grade network security, no matter where the data originates. Featuring better security, including encryption and Zero-Trust access, SASE offers major benefits to today’s distributed organizations. 

“I certainly think companies want to be proactive with their network security, but until now it’s been very difficult to do,” said Ken Naumann, CEO of NetWitness. “The landscape has gotten exponentially more complex over the years with hybrid work and third-party cloud providers. Data is now originating from, well, everywhere. Examining those data logs after the fact is like closing the barn door after the horse has already left the stable. You’re losing if you’re not doing it in real time - when it actually matters.”

Network edge security has historically created numerous blind spots for important security technologies that perform threat analysis, detection, and response. Traditional network and security architectures were not designed for the new work environment, where data and traffic come from all over the globe and hundreds, if not thousands, of different devices. This has led to visibility issues for network managers, who have traditionally relied on VPN and proxies to solve the problem. Unfortunately, routing everything to specific points increases difficulty and network costs, and presents a massive scaling issue.

NetWitness’s integrations overcome these issues and restore full visibility to critical SASE data. A SASE architecture converges networking and security functions in the cloud to securely connect users, things, and applications and deliver an exceptional experience, anywhere.  

In 2019, Gartner announced SASE as the future state of network security. Since then, the SASE landscape has evolved quickly, with SASE networking and security components being delivered from a single vendor as a way to create seamless, secure access that extends across on-premises to the cloud.  

For more information, visit www.NetWitness.com or visit booth 5744 at RSA Conference. 

**About NetWitness**

NetWitness provides comprehensive and highly scalable threat detection and response capabilities for organizations around the world. The NetWitness Platform delivers complete visibility combined with applied threat intelligence and user behavior analytics to detect, prioritize, investigate threats, and automate response. This empowers security analysts to be more efficient and stay ahead of business-impacting threats. For more information, visit netwitness.com.

NetWitness Partners With Palo Alto Networks, Broadcom to Launch SASE Packet Integrations at RSA Conference 2023

Integration of AI can lead to reduction of up to 90% in meantime to resolve security incidents.

**TAMPA, Fla. – April 24, 2023 –** ReliaQuest, a force multiplier of security operations, today announced the introduction of powerful artificial intelligence (AI) capabilities to its GreyMatter Intelligent Analysis solution, delivering meaningful insights on emerging security incidents within seconds. With this feature, security teams can easily make sense of threats and take action, enhancing their efficiency.  

ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints. On average, GreyMatter customers see up to a 70% reduction in alert noise in the first year.  

GreyMatter Intelligent Analysis was introduced in July 2022 as part of the security operations platform. The new AI features enable security analysts to automate security operations and workflows. Updates to the solution include: 

*   Augment investigations – get answers faster: Pairs automation with generative AI capabilities to help analysts gain clarity quicker. Capabilities that augment investigations include dynamic and automated enrichment of alerts, deeper context from historical incident data and external sources such as threat and vulnerability feeds and recommend action prompts.  

*   Assist analysts – focus on investigations, not documentation: GreyMatter Intelligent Analysis takes the pain of low-brain, high-time tasks out of security operations. The solution assists with key tasks including automated ticket summaries, interactive AI assistants for quicker search and threat hunting hypothesis.  

*   Automate actions – smarter and faster response actions: With the continued training of the generative AI and Machine Learning models with real-world cyber security data and fine-tuning by analysts and customers, GreyMatter Intelligent Analysis can automate investigations, response actions and alert escalations.  

“Generative AI is a genuine game changer and important step to help ReliaQuest’s, mission to Make Security Possible. Since inception, ReliaQuest GreyMatter has been using AI/ML to automate tasks across the detection, investigation, and response workflow, helping customers realize better and faster security outcomes. With updates to GreyMatter Intelligent Analysis, our 700+ global customers will have automation capabilities with generative AI to further reduce response time by up to 90% in multiple scenarios and help security analysts get answers faster than ever before,” said Brian Murphy, Founder and CEO at ReliaQuest.   

“We work with ReliaQuest as our security partner because of their innovative and unique approach to solving challenges faced by security teams around the world. Generative AI has the potential to disrupt security operations and we’re thrilled to be working with ReliaQuest to bring AI to the SOC. Their practical approach, based on years of managing security operations, places them in a unique position and we’re glad to be partnering with them on this journey,” said Dannie Combs, Senior Vice President and Chief Information Security Officer at Donnelley Financial Solutions. 

ReliaQuest has over 15 years of curated security incident response data with trillions of signals from across some of the world’s leading organizations. Pairing this with its team of over 400 security professionals gives ReliaQuest the unique opportunity to train its AI/ML models with real-world data and fine-tune them with human expertise. GreyMatter is used by some of the leading Fortune 500 companies.  

Currently in early release with select customers, generative AI with GreyMatter Intelligent Analysis will reach general availability in the second half of 2023. For more information about ReliaQuest, please visit www.reliaquest.com  

**About ReliaQuest** 

ReliaQuest is the force multiplier of security operations. Our security operations platform, GreyMatter, automates detection, investigation and response across cloud, endpoint, and on-premises tools and applications. GreyMatter is cloud native, built on an open XDR architecture and delivered as a service any time of the day, anywhere in the world. With over 700 customers worldwide and 1,200 teammates working across six global operating centers, ReliaQuest is driving outcomes for the most trusted enterprise brands in the world. ReliaQuest is a private company headquartered in Tampa, Fla., with multiple global locations. For more information, visit www.reliaquest.com.

ReliaQuest Adds AI Capabilities to GreyMatter Intelligent Analysis

Ultimately, AI will protect the enterprise, but it's up to the cybersecurity community to protect "good" AI in order to get there, RSA's Rohit Ghai says.

Threat actors armed with artificial intelligence (AI) tools like ChatGPT can pass the bar exam, ace an Advanced Placement biology course, and even create polymorphic malware. It's up to the cybersecurity community to put AI to work to combat it.

RSA CEO Rohit Ghai used the opening keynote of this year's RSAC in San Francisco, Calif. to call on the cybersecurity community to use AI as a tool to work on the side of "good." First, that means putting it to work on solving cybersecurity's "identity crisis," he said.

To demonstrate, Rhai called up onto the screen a ChatGPT avatar, one he called "GoodGPT."

"Calling it 'good' is somehow personally comforting to me," he added. He then asked it basic cybersecurity questions.

While "GoodGPT" spat out a sequence of words culled from a veritable ocean of available cybersecurity data, he went on to explain there are critical cybersecurity applications for AI far beyond simple language learning, and it starts with identity management.

"Without AI, zero trust has zero chance," Ghai said. "Identity is the most attacked part of the attack surface."

It's no big secret the security operations center (SOC) is overwhelmed. In fact, Ghai said the industry average timeframe to identify and remediate an attack is about 277 days. But with AI, it's possible to manage access in the most granular terms, in real time, and at the data level, creating a framework that is truly based on the principle of least privilege.

"We need solutions that ensure identity throughout the user lifecycle," he added.

During this year's RSA, Ghai said there are at least 10 vendors selling AI-powered cybersecurity solutions positioned as a tool that will help human cybersecurity professionals. Ghai characterized the current pitch as AI-as-a-copilot. But that framing belies the reality, he warned.

"The copilot description sugarcoats a truth," Ghai said. "Over time many jobs will disappear."

The role of humans, he explained, will evolve into creating algorithms to ask important questions, along with supervising AI's activities and handling exceptions.

"It's humans who will ask those questions which have never been asked before," he said.

Ultimately, humans and enterprises will have to rely on AI to protect them.

"And the cybersecurity community can protect 'good' AI," Ghai added.

Tag

#intel