Tune into Dark Reading's News Desk interviews with the industry’s leaders, discussing news and hot topics, such as this year’s "Transofrm" theme, at RSA Conference 2022 in San Francisco

RSA CONFERENCE 2022 -- San Francisco -- The tag line for RSA Conference is "Where the world talks security," and security leaders covered a whole gamut of topics at Dark Reading's News Desk last week. From new security frameworks and technologies such as secure service edge, extended detection and response (XDR), and confidential computing; to security best practices such as resilience and risk-based prioritization, these News Desk segments covered a lot of ground. There were conversations about automation and the cloud, as well. Check out the YouTube playlist of all the topics that came out of Dark Reading News Desk during RSA Conference 2022 in San Francisco.

Lookout on Getting It Right at the Secure Service Edge

By implementing Secure Service Edge technology, security pros can consolidate their cloud access security broker, secure Web gateway, and zero-trust offerings on to a single platform, according to Jim Dolce, CEO and chairman of Lookout Security.

Concentric AI on How To Maximize Your AI Returns, In and Out of the SOC

Artificial intelligence has transformed the security landscape and given security professionals powerful tools to do their jobs more efficiently, says Karthik Krishnan, CEO and founder of Concentric AI.

DeepSurface on Risk-Based Prioritization Adds New Depth to Vulnerability Management

DeepSurface’s CTO Tim Morgan talks about how context awareness and risk-based prioritization can fortify vulnerability management. Morgan also encourages security pros to look beyond CVSS scores when performing risk assessments.

Anjuna Security on Tapping ‘Confidential Computing’ to Secure Data, Users, and Organizations

Ayal Yogev, CEO and co-founder of Anjuna Security, describes the emerging model of Confidential Computing, as well as how it leverages enclaves and creates Trusted Execution Environments, which isolates data from unauthorized access. 

Seemplicity on Security Security & Productivity: The New Power Couple

Scanning and remediation are handicapped without some robust automation to power them, says Ravid Circus, co-founder and Chief Product Officer of Seemplicity, who’s looking to accelerate time-to-remediation and reducing risk.

ReliaQuest Bolsters Extended Detection With Threat Intelligence

Customers consistently struggle to get from reactivity to a proactive security strategy, but combining extended detection response (XDR) with threat intelligence is a big step in that direction, says ReliaQuest CTO Joe Partlow. 

Automox Adds Automation to Patching, Vuln Management

Patching and patch management remain among security pros’ biggest pain points; Paul Zimski, VP of product strategy for Automox, believes adding automation to the mix can make a serious dent in the patching equation for most organizations.

Uptycs on Observability Is Key to Cloud Security

Transformation is a key theme at RSAC 2022, and Uptycs founder Ganesh Pai weighs in on how cloud security teams can reduce risk and lock things down more tightly. He also talks about how security observability can drive innovation for organizations. 

Lacework Blends Artificial Intelligence and Automation To Bolster Cloud Security

Artificial intelligence is essential for endowing multicloud environments with greater visibility, insights and actions, according to Mark Nunnikhoven, distinguished cloud strategist for Lacework. 

BAE Systems on Want Better Security? Up Your Collaboration Game

"Information sharing and collaboration are essential to good security, says Peder Jungck, VP and general manager of BAE Systems Inc.’s Intelligence Solutions. That effect is compounded when info is shared across companies and industries, he adds. 

Sophos on Keeping Tabs on the Bad Guys Using Threat Research

John Shier, senior security advisor for Sophos, shares original research data on adversaries and the ongoing scourge of ransomware. Spoiler alert: Things aren’t getting better, as bad actors pivot to more sophisticated tactics to avoid detection. 

Cisco Makes Resilience a Cornerstone of Security Strategy

RSA keynoter and Cisco executive Jeetu Patel talks to the Dark Reading News Desk about the power of information sharing, an integrated approach to security, and how to give users controlled, trusted access to applications and services.

Okta on Identity-First Security Helps Reduce and Neutralize Enterprise Threats

Okta’s Marc Rogers and Auth0’s Jameeka Aaron discuss the biggest threats connected to identity, as well as how the move to hybrid work compounds the challenge of keeping users — and their data — secure. 

Darktrace on Prevent Breaches and Malware With Proactive Defenses

Pressure to reduce and manage risk — internally and externally — is more urgent than ever, according to Mike Beck, global CISO for Darktrace. That’s why organizations require more sophistication and integration in their security management platforms. 

Noname Security: Proactiveness Is the Name of the Game In App Security

Software code has come under attack in innovative and deeply troubling ways, says Noname Security’s Shay Levi. These attacks have altered the security landscape for developers and their organizations, as well as suppliers, partners, and customers. 

Sysdig Takes a Deeper Cut At Cloud Security

Cloud security can challenge security pros like nothing else, including workload security issues arising from app design patterns or DevOps practices, says Sysdig’s VP of research and development Omer Azaria. 

Raytheon on A Few Simple Ways To Transform Your Cybersecurity Hiring  

It was already tough to find good, experienced security professionals, then along the came the Great Resignation to make hiring even tougher, notes Jon Check, executive director of cyber protection solutions for Raytheon Intelligence and Space. 

Panther Labs on Mitigating the Security Skills Shortage

Migrating apps to the cloud has set off a hiring frenzy for security pros with expertise related to data analysis and monitoring, observes Jack Naglieri of Panther Labs. It’s also created a big need to make workloads more manageable, he adds.

Application Security Testing Is On the Mend With Automated Remediation

Software developers and security pros alike struggle with application security, and Arabella Hallawell, CMO of Mend, breaks down how automated remediation can improve software composition analysis and application security testing.

Cisco on How To Secure a High-Profile Event Like the Super Bowl

Whether you’re locking down a network or facing fourth down with mere inches, resilience is key, according to Cisco’s TK Keanini and Tomás Maldonado, CISO for the National Football League. In both cases, protection isn’t optional.

Halcyon on How to Blunt the Virulence of the New Ransomware

COVID’s had some company in the last couple years with another mutating scourge: Ransomware. Thanks to the Dark Web, ransomware has scaled up and become more heavily monetized, says Halcyon CEO and co-founder Jon Miller.

Security Leaders Discuss Industry Drivers at Dark Reading's News Desk at RSAC 2022

An issue was discovered in Subrion CMS v4.2.1 There is a stored cross-site scripting (XSS) vulnerability that can execute malicious JavaScript code by modifying the name of the uploaded image, closing the html tag, or adding the onerror attribute.

**Affected pages:** xxxxx/blog/

Execute malicious javascript code by modifying the name of the uploaded image to close the html tag or adding the onerror attribute.  
**yes:**  
  
**no:**  

**detailed steps:**  
After publishing a blog with uploaded pictures, click "Edit Blog Entry" to enter the modification page, open Burp Suit and then directly click "save", modify the content of image\[file\] in the request packet in Burp Suit as the attack code  
**payload:**"onerror="alert(/xss/)  
  
**Any member browses the blog page:**

CVE-2021-41502: [XSS!!]When modifying a written blog, you can modify the name of the uploaded picture to cause a stored XSS vulnerability · Issue #885 · intelliants/subrion

Humio for Falcon provides long-term, cost-effective data retention with powerful index-free search and analysis of enriched security telemetry across enterprise environments

**AUSTIN, Texas and RSA Conference 2022, SAN FRANCISCO – June 6, 2022 –** CrowdStrike (Nasdaq: CRWD), a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, today introduced Humio for Falcon, a new capability that extends data retention of CrowdStrike Falcon telemetry for up to one year or longer, enhancing threat analytics and threat hunting abilities for organizations while helping them meet compliance requirements.

Humio for Falcon brings together an industry-leading security platform in CrowdStrike Falcon, with the powerful search capabilities of CrowdStrike’s centralized logging offering, Humio. The new capability gives security teams the ability to store security and IT telemetry from the Falcon platform, which is enriched and contextualized across endpoints, workloads and identities to address the challenge of operationalizing the ever-growing volumes of data. Humio for Falcon helps security teams analyze and act on all data – both real-time and historical data – in their environment. With longer data retention due to advanced compression of ingested data, security teams can uncover and detect potential threats within their environments with deep, contextual analytics and sub-second search results at any scale through a modern, index-free architecture.

“While the data available to threat hunters and incident responders grows at an exponential rate, they are routinely forced to reduce the duration they can store this information,” said Michael Sentonas, chief technology officer at CrowdStrike. “Humio for Falcon solves this problem by delivering scalable and cost-effective data retention that enables threat hunters and incident responders to look back and see if and when an adversary was active in an IT environment and reconcile every system they touched. It’s truly a game-changer in the industry.”

Humio for Falcon provides:

*   **Threat hunting and troubleshooting at unprecedented scale:** By retaining Falcon data for extended periods of time, security teams can proactively search and uncover hidden threats in the environment with sub second speed, remove advanced persistent threats (APTs) by sifting through the data to detect irregularities that might suggest potential malicious behavior and better prioritize and address vulnerabilities before they can be weaponized.
*   **Longer data retention to help meet compliance requirements and reduced cost:** With scalable storage and advanced compression techniques, customers can store and manage Falcon data for one or multiple years, based on customer requirements. This wealth of real-time and historical data enables completeness and accuracy of investigation and analysis, resulting in faster threat remediation.
*   **New user interface (UI) dashboard visualization for fast and custom search:** Feature-rich query language and index-free searches allows security teams to run queries on Falcon data and get immediate answers. Get the ability to seamlessly ingest, aggregate and search through massive security and IT telemetry and gain valuable, contextual insights with sub-second latency searches for meeting real-world security requirements, including advanced threat and vulnerability investigations.

  
“With Humio for Falcon, we were able to save approximately $150,000 in the first year,” said Tom Sipes, director, IT security and compliance at Tuesday Morning. “Also, the ability to save data for an extended time period is critical. When we detect an indicator of compromise, we can go back in time and analyze the entire attack chain to accelerate investigations and pinpoint issues more quickly.”

**Additional Resources**

*   For more information on Humio for Falcon, please visit our blog.
*   To watch a Humio for Falcon demo, please visit this page.
*   Did you know? Humio can ingest over one petabyte of data per day. Humio was also named “Log Analytics Solution of the Year” by the Data Breakthrough Awards for 2022.

  
**About CrowdStrike**  
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike Introduces Humio for Falcon, Redefining Threat Hunting with Unparalleled Scale and Speed

A Linux-based banking Trojan is a master at staying under the radar.

A stealthy Linux threat called Symbiote is targeting financial institutions in Latin America, with all file, processes, and network artifacts hidden by the malware, making it virtually invisible to detection by live forensics.

The malware was first uncovered in November, according to a blog post by BlackBerry Research. What sets Symbiote apart from other Linux malware is its approach to infecting running processes, rather than using a stand-alone executable file to inflict damage.

It then harvests credentials to provide remote access for the threat actor, exfiltrating credentials as well as storing them locally.

"It operates as a rootkit and hides its presence on the machine. Once it has infected the machine fully, it allows you to see only what it wants you to see," Joakim Kennedy, security researcher at Intezer and author of the BlackBerry blog post, explains. "Essentially, you can't trust what the machine is telling you."

However, it can be detected externally, he says, since it exfiltrates stolen credentials via the DNS requests.

Kennedy says the domain names the malware uses impersonate big banks in Brazil, which also helps it stay under the radar.

"While we couldn't tell based on only what we found, attackers targeting financial institutions are often motivated by potential monetary gain," he says.

**Shared Object Library**

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, points out that unlike most malware variants, the Symbiote malware is a shared object library, instead of an executable file.

Symbiote uses the LD\_PRELOAD variable that allows it to be pre-loaded by applications before other shared object libraries.

"This is a sophisticated and evasive technique that can help the malware blend in with legitimate running processes and applications, which is one of the reasons Symbiote is difficult to detect," she says.

The malware also has Berkeley Packet Filter (BPF) hooking functionality. Packet capture tools intercept, or capture, network traffic typically for the purposes of an investigation.

BPF is a tool embedded within several Linux operating systems that allows users to filter out certain packets depending on the type of investigation they are performing, which can reduce the overall results, making analysis easier.

"The Symbiote malware is designed to essentially filter its traffic out of the packet capture results," Hoffman explains. "This is just another layer of stealth used by the attackers to cover their tracks and fly under the radar."

Kennedy adds that this is the first time the BPF hooking functionality has been observed operating in this way, and points out that other malware variants have typically used BPF to receive commands from their command-and-control server.

"This malware instead uses this method to hide network activity," he says. "It's an active measure used by the malware to prevent being detected if someone investigates the infected machine — like covering up its footsteps so it's harder to track down.”

**Easier to Attack?**

Mike Parkin, senior technical engineer at Vulcan Cyber, says there may be a perception on the attacker's part that the targets in Latin America have a less mature security infrastructure and would thus be easier to attack.

He explains that the attackers went out of their way to hide their malware from anything that's running on the infected system, leveraging BPF to hide their communications traffic.

"While this will work on the local host, other network-monitoring tools will be able to identify the hostile traffic and the infected source," he says.

He explains that there are several endpoint tools available that should identify changes on a victim system.

"There are also forensic techniques that can use the malware's own behavior against it to reveal its presence," he notes. "The authors who created Symbiote went to great lengths hide their malware. They leveraged a combination of techniques, though in so doing delivered some indicators of compromise that defenders could use to identify an infection in-situ."

Kennedy says that the most important action is to focus on the techniques used by this malware to ensure that you can detect and/or protect against those, whether you're protecting against Symbiote or another attack that uses the same technique.

"I would say Symbiote, and other recently discovered undetected Linux malware, shows that operating systems other than Windows are not immune to highly evasive malware," he says. "Since it doesn’t get as much attention as Windows malware, we don't know what else is out there that hasn’t been discovered yet."

Symbiote Malware Poses Stealthy, Linux-Based Threat to Financial Industry

CrowdStrike Asset Graph provides unprecedented visibility of assets in an IT environment to optimize cyber defense strategies and manage risk.

**AUSTIN, Texas and RSA Conference 2022, SAN FRANCISCO – June 6, 2022 –** CrowdStrike (Nasdaq: CRWD), a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, today introduced CrowdStrike Asset Graph, a new graph database powered by the CrowdStrike Security Cloud that provides IT and security leaders with a 360-degree view into all assets (both managed and unmanaged) alongside unprecedented visibility into their attack surface across devices, users, accounts, applications, cloud workloads, operational technology (OT) and more to simplify IT operations and stop breaches.

As organizations accelerate their digital transformation, they are expanding their attack surface exponentially. This has dramatically increased their risk exposure to adversaries who are discovering and exploiting these soft targets and vulnerabilities faster than IT and security teams can discover them. Visibility is one of the foundational principles of cybersecurity because you cannot secure and defend the assets you don’t know exist. This, in turn, creates a race between adversaries and companies’ IT and security teams to find these blind spots. According to a 2022 report from Enterprise Strategy Group (ESG), “69% of organizations have experienced a cyberattack in which the attack itself started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset.”

CrowdStrike Asset Graph solves this problem by dynamically monitoring and tracking the complex interactions between assets, providing a single holistic view of the risks those assets pose. While other solutions simply provide a list of assets without context, Asset Graph provides graphic visualizations of the relationships between all assets such as devices, users, accounts, applications, cloud workloads and OT, along with the rich context necessary for proper security hygiene and proactive security posture management to reduce risk in their organizations.

“Digital transformation has led to an equal and pronounced acceleration of security transformation in the modern enterprise. For companies furthest along on this journey, IT operations and security teams – once distinct silos – are converging, creating a far more proactive posture when it comes to security and risk management,” said Amol Kulkarni, chief product and engineering officer at CrowdStrike. “Built specifically to address this new dynamic, CrowdStrike Asset Graph lets organizations see the assets they have and how they interact with each other, helping them make informed, risk-based decisions – from security to IT performance, utilization, capacity, license management and more – to proactively protect and manage their IT environment.”

**Bridging the gap between IT operations and security**  
The CrowdStrike Falcon platform was purpose-built with a cloud-native architecture to harness vast amounts of high-fidelity security and enterprise data, and deliver solutions through a single, lightweight agent to keep customers ahead of today’s sophisticated adversaries.

CrowdStrike’s groundbreaking graph technologies, which started with the company’s renowned Threat Graph, form a powerful, seamless and distributed data fabric, interconnected into a single cloud – the Security Cloud – that powers the Falcon platform and CrowdStrike’s industry-leading solutions. Using a combination of AI and behavioral pattern-matching techniques to correlate and contextualize information in the vast data fabric, CrowdStrike’s graphs create a “collect data once, reuse it multiple times” approach to solving the biggest problems that customers face. With the introduction of Asset Graph, CrowdStrike is applying this same approach to solving customers’ hardest, unmet challenges with an eye to proactive security, as well as unprecedented IT visibility and risk management.

The three highly-advanced graph technologies underpinning the Falcon platform now include:

*   **Threat Graph:** CrowdStrike’s industry-defining Threat Graph takes trillions of security data points from millions of sensors, enriched by threat intelligence data and third-party sources, to identify and link threat activity together to provide full visibility of attacks and automatically prevent threats in real-time across CrowdStrike’s global customer base.
*   **Intel Graph:** By analyzing and correlating massive amounts of data on adversaries, their victims and their tools, Intel Graph provides unrivaled insights on the shifts in tactics and techniques, powering CrowdStrike’s adversary-focused approach with world-class threat intelligence.
*   **Asset Graph:** With this release, CrowdStrike is solving one of the most complex customer problems today: identifying assets, identities and configurations accurately across all systems including cloud, on-premises, mobile, Internet of Things (IoT) and more, and connecting them together in a graph form. Unifying and contextualizing this information will lead to powerful new solutions that transform how organizations enforce security hygiene and dynamically manage their security posture.

  
CrowdStrike Asset Graph will enable new Falcon modules and features built on top of it to define, monitor and explore the relationships between assets within an organization. The first Falcon module to use Asset Graph is Falcon Discover (Security Hygiene), which includes the following enhancements:

*   **Newly enhanced dashboards, highly customizable filters and sharing options:** IT teams can tailor their experience of Asset Graph’s map visualization and powerful search capabilities, all presented conveniently within the Falcon Discover console.
*   **New third-party data integration with ServiceNow:** Combining this integration with Asset Graph and Falcon Discover, IT teams gain another layer of asset visibility around devices in a single console, providing enhanced monitoring over unmanaged and unsupported assets.

  
“It’s a cliche for a reason. You can’t protect what you can’t see. The first step in wrangling shadow IT or shining a light on blind spots is understanding what assets you have to secure and how those are interacting with unforeseen insecure assets,” said Juan Jose Chang, CISO at Bladex. “We believe that Falcon Discover combined with CrowdStrike Asset Graph will be the difference between using a flashlight versus a row of street lamps to see where you’re going.”

**Additional Resources**

*   For more information on CrowdStrike Asset Graph and enhancements to Falcon Discover, please visit our blog.

  
**About CrowdStrike**  
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike Introduces CrowdStrike Asset Graph to Help Organizations Proactively Identify and Eliminate Blind Spots

New CrowdXDR Alliance partners include Menlo Security, Ping Identity, and Vectra AI.

**AUSTIN, Texas and RSA Conference 2022, SAN FRANCISCO – June 6, 2022 –** CrowdStrike (Nasdaq: CRWD), a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, today announced it has expanded the CrowdXDR Alliance to include key strategic partners across web and email security (Menlo Security), identity and access management (Ping Identity) and network detection and response (Vectra AI). CrowdStrike also introduced new capabilities for the Falcon XDR (Extended Detection and Response) module to speed up detections for security teams, including an integration with ServiceNow, an existing CrowdXDR Alliance partner, to dramatically simplify security operations workflows with automated ticket creation.

Falcon XDR’s new capabilities include:

*   **Falcon Fusion workflows based on XDR detections:** Natively integrated with Falcon XDR, Falcon Fusion (CrowdStrike’s SOAR framework) now automates numerous workflows directly from a Falcon XDR detection including:
    *   Ticket creation through ServiceNow, a CrowdXDR Alliance partner.
    *   Notifications through email, Slack or webhook.
    *   Incident details from status changes to team assignments and comments.
*   **XDR detections event timeline:** Speed triage and investigation with a timeline view that displays key events of a detection in chronological order to easily understand how activity progressed.
*   **Graph visualization of custom XDR detections:** Create custom XDR detections from queries written to hunt for threats in the environment. Falcon XDR graph explorer visualizes how the events and entities in a custom XDR detection are related, enabling security analysts to rapidly orient and explore connections in cross-domain data.

  
“CrowdStrike continues to bring together the best of both open and native approaches to XDR,” said Michael Sentonas, chief technology officer at CrowdStrike. “For organizations seeking an open approach, we continue to expand third-party support for the CrowdXDR Alliance, which is delivering a standardized schema for data sharing to enrich XDR detections. We welcome Menlo Security, Ping Identity and Vectra AI to the CrowdXDR Alliance and look forward to partnering with them to deliver third-party integrations. For organizations seeking a native approach, we continue to bolster Falcon XDR with new capabilities that speed up threat detection and response efforts across data sources and environments. Ultimately, we are offering a solution that allows customers to choose an XDR approach that best fits their needs.”

**Partner Quotes**

*   **Poornima DeBolle, Menlo Security co-founder and chief product officer:** “The Internet should be safe, seamless, and effective for all workers. However, cybercriminals are making this difficult by deploying increasingly sophisticated malware, including ransomware fueled by Highly Evasive Adaptive Threats. We need to stop such malware and zero-day exploits from ever getting to endpoints. Menlo Security is excited to join CrowdStrike’s CrowdXDR Alliance. Our integration with CrowdStrike Falcon XDR will enable organizations to offer a safe online experience, without having to sacrifice productivity for security.”

*   **Loren Russon, vice president of product management at Ping Identity:** “We are excited to join CrowdStrike’s CrowdXDR Alliance and continue to expand our joint solutions. Customers are demanding expansive partner ecosystems through easy-to-deploy integrations, and this partnership delivers that through enterprise-proven identity security along with comprehensive visibility and protection against threats.”
*   **Michael Porat, senior vice president, corporate and business development at Vectra AI:** “As the scale and intensity of cyberattacks continue to proliferate, it reminds us that prevention alone cannot protect organizations from today’s cultivated attacks. To successfully mitigate modern security threats, organizations must implement more advanced threat detection and response mechanisms that accurately pinpoint attacker behavior and stop attackers from navigating through hybrid clouds. We are excited to join CrowdStrike’s CrowdXDR Alliance and look forward to sharing our threat detection and response expertise with other esteemed security vendors as we all work together with one common goal – detecting and stopping malicious actors.”

  
**Additional Resources**

*   For more information on the CrowdXDR Alliance and Falcon XDR, please visit our blog.
*   CrowdStrike was named a Strong Performer in The Forrester New Wave for Extended Detection and Response (XDR) Providers, Q4 2021.1

  
**About CrowdStrike**  
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

1 The Forrester New Wave: Extended Detection and Response (XDR) Providers, Q4 2021

CrowdStrike Adds Strategic Partners to CrowdXDR Alliance and Expands Falcon XDR Capabilities

The commission argues that legislative action is needed to ensure a well-functioning market for AI systems that balances benefits and risks.

The European Commission (EC) is currently debating new rules and actions for trust and accountability in artificial intelligence (AI) technology through a legal framework called the EU AI Act. Its aim is to promote the development and uptake of AI while addressing potential risks some AI systems can pose to safety and fundamental rights.

While most AI systems will pose low to no risk, the EU says, some create dangers that must be addressed. For example, the opacity of many algorithms may create uncertainty and hamper effective enforcement of existing safety and rights laws.

The EC argues that legislative action is needed to ensure a well-functioning internal market for AI systems where both benefits and risks are adequately addressed.

"The EU AI Act aims to be a human centric legal-ethical framework that intends to safeguard and protect human rights and fundamental freedoms from violations of these rights and freedoms by algorithms and smart machines," says Mauritz Kop, Transatlantic Technology Law Forum Fellow at Stanford Law School and strategic intellectual property lawyer at AIRecht.

The right to know whether you are dealing with a human or a machine — which is becoming increasingly more difficult as AI becomes more sophisticated — is part of that vision, he explains.

Kop notes that AI is now mostly unregulated, except for a few sector-specific rules. The act aims to address the legal gaps and loopholes by introducing a product safety regime for AI.

"The risks are too high for nonbinding self-regulation by companies alone," he says.

**Effects on AI Innovation**

Kop admits that regulatory conformity and legal compliance will be a burden, especially for early AI startups developing high-risk AI systems. Empirical research that shows the GDPR – while preserving privacy and data protection and data security – had a negative effect on innovation, he notes.

Risk classification for AI is based on the intended purpose of the system, in line with existing EU product safety legislation. Classification depends on the function the AI system performs and on the specific purpose and modalities for which the system is used.

"The legal uncertainty surrounding \[regulation\] and the lack of budget to hire specialized lawyers or multidisciplinary teams still are significant barriers for a flourishing AI startup and scale-up ecosystem," Kop says. "The question remains whether the AI Act will improve or worsen the startup climate in the EU."

The EC will determine which AI gets classified as "high risk" using criteria that are still under debate, creating a list of examples of high-risk systems to help guide judgment.

"It will be a dynamic list that contains various types of AI applications used in certain high-risk industries, which means the rules get stricter for riskier AI in healthcare and defense than they are for AI apps in tourism," Kop says. "For instance, medical AI is \[classified as\] high risk to prevent direct harm to patients due to AI errors."

He notes there is still controversy about the criteria and definition of AI that the draft uses. Some commentators argue it should be more technology-specific, aimed at certain riskier types of machine learning, such as deep unsupervised learning or deep reinforcement learning.

"Others focus more on the intent of the system, such as social credit scoring, instead of potential harmful results, such as neuro-influencing," Kop added. "A more detailed classification of what 'risk' entails would thus be welcome in the final version of the act."

**Facial Recognition as a High-Risk Technology**

Joseph Carson, chief security scientist and advisory CISO at Delinea, participated in several of the talks around the act, including as a subject matter expert in the use of AI in law enforcement and articulating the concerns around security and privacy.

The EU AI Act, he says, will mainly affect those organizations that already collect and process personal identifiable information. Therefore, it will impact how they use advanced algorithms in processing the data.

"It is important to understand the risks if no regulation or act is in place and what the possible impact \[is\] if organizations abuse the combination of sensitive data and algorithms," Carson says. "The future of the Internet is a scary place, and the enforcement of the EU AI Act allows us to embrace the future of the Internet using AI with both responsibility and accountability."

Regarding facial recognition, he says the technology should be regulated and controlled.

"It has many amazing uses in society, but it must be something you opt in and agree to use; citizens must have a choice," he says. "If no act is in place, we will see a significant increase in deepfakes that will spiral out of control."

Malin Strandell-Jansson, senior knowledge expert at McKinsey & Co, says facial recognition is one of the most debated issues in the draft act, and the final outcome is not yet clear.

In its draft format, the AI Act strictly prohibits the use of real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, as it poses particular risks for fundamental rights – notably human dignity, respect for private and family life, protection of personal data, and nondiscrimination.

Strandell-Jansson points out a few exceptions, including use for law enforcement purposes for the targeted search for specific potential victims of crime, including missing children; the response to the imminent threat of a terror attack; or the detection and identification of perpetrators of serious crimes.

"Regarding private businesses, the AI Act considers all emotion recognition and biometric categorization systems to be high-risk applications if they fall under the use cases identified as such — for example, in the areas of employment, education, law enforcement, migration, and border control," she explains.

As such, potential providers would have to subject such AI systems to transparency and conformity obligations before putting them on the market in Europe.

**The Time to Act on AI Is Now**

Dr. Sohrob Kazerounian, AI research lead at Vectra, an AI cybersecurity company, says the need to create a regulatory framework for AI has never been more pressing.

"AI systems are rapidly being integrated into products and services across wide-ranging markets," he says. "Yet the trustworthiness and interpretability of these systems can be rather opaque, with poorly understood risks to users and society more broadly."

While some existing legal frameworks and consumer protections may be relevant, applications that use AI are sufficiently different enough from traditional consumer products that they necessitate fundamentally new legal mechanisms, he adds.

The overarching goal of the bill is to anticipate and mitigate the most critical risks resulting from the use and failure of AI, with actions ranging from banning systems deemed to have "unacceptable risk" altogether to heavy regulation of "high-risk" systems. Another, albeit less-noted, consequence of the framework is that it could provide clarity and certainty to markets about what regulations will exist and how they will be applied.

"As such, the regulatory framework may in fact result in increased investment and market participation in the AI sector," Kazerounian said.

**Limits for Deepfakes and Biometric Recognition**

By addressing specific AI use cases, such as deepfakes and biometric or emotional recognition, the AI Act is hoping to ameliorate the heightened risks such technologies pose, such as violation of privacy, indiscriminate or mass surveillance, profiling and scoring of citizens, and manipulation, Strandell-Jansson says.  

"Biometrics for categorization and emotion recognition have the potential to lead to infringements of people's privacy and their right to the protection of personal data as well as to their manipulation," she says. "In addition, there are serious doubts as to the scientific nature and reliability of such systems."

The bill would require people to be notified when they encounter deepfakes, biometric recognition systems, or AI applications that claim to be able to read their emotions. Although that's a promising step, it raises a couple of potential issues.

Overall, Kazerounian says it is "undoubtedly" a good start to require increased visibility for consumers when they are being classified by biometric data and when they are interacting with AI-generated content rather than real humans or real content.

"Unfortunately, the AI act specifies a set of application areas within which the use of AI would be considered high-risk, without necessarily discussing the risk-based criteria that could be used to determine the status of future applications of AI," he said. "As such, the seemingly ad-hoc decisions about which application areas are considered high-risk simultaneously appear to be too specific and too vague."

Current high-risk areas include certain types of biometric identification, operation of critical infrastructure, employment decisions, and some law enforcement activities, he explains.

"Yet it isn't clear why only these areas were considered high-risk and furthermore doesn't delineate which applications of statistical models and machine-learning systems within these areas should receive heavy regulatory oversight," he adds.

**Possible Groundwork for Similar US Law**

It is unclear what this act could mean for a similar law in the US, Kazerounian says, noting that it has now been more than half a decade since the passing of GDPR, the EU law on data regulation, without any similar federal laws following in the US — yet.

"Nevertheless, GDPR has undoubtedly influenced the behavior of multinational corporations, which have either had to fracture their policies around data protections for EU and non-EU environments or simply have a single policy based on GDPR applied globally," he said. "In any case, if the US decides to propose legislation on the regulation of AI, at a minimum it will be influenced by the EU act."

EU Debates AI Act to Protect Human Rights, Define High-Risk Uses

So-called Symbiote malware, first found targeting financial institutions, contains stealthy rootkit capabilities.

A new malware variant attacking Linux systems that steals credentials and allows for remote access to victim machines camouflages so well that the researchers studying it say they can't conclude if it's being used in targeted or larger-scale attack campaigns.

Security researchers from Intezer and BlackBerry's Research & Intelligence Team say the so-called Symbiote malware is unusual in that it's not a pure executable file: it's actually a shared object library that loads itself into a machine's running processes using the LD\_Preload file in Linux. "Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability," the researchers wrote in a blog post this week.

Symbiote was first sighted in November of 2021, they said, and at the time appeared to be created for attacking financial institutions in Latin America.

"Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password, and to execute commands with the highest privileges," the researchers wrote.

While detecting the rootkit is a major challenge, the researchers said organizations should watch for anomalous DNS requests. But relying on antivirus and endpoint detection and response tools to detect it is moot: They can be compromised by the rootkit since it's embedded in "userland," the researchers warned.  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Linux Malware 'Nearly Impossible to Detect'

Raytheon Intelligence & Space's Jon Check joins Dark Reading's Terry Sweeney at Dark Reading News Desk at RSA Conference to talk about how hiring must change.

It was tough to find good, experienced security professionals already — then along the came the Great Resignation to make hiring even tougher, notes Jon Check, executive director of cyber protection solutions for Raytheon Intelligence and Space. Check explains how hiring practices must change, as well as new ways to attract new talent and how to encourage a better work-life balance among SOC personnel.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

A Few Simple Ways to Transform Your Cybersecurity Hiring

‘Zero trust’ architecture and secure supply chains to the fore in new strategy

‘Zero trust’ architecture and secure supply chains to the fore in new strategy

The US Department of Justice (DoJ) has set out a three-year strategic plan to bolster its cybersecurity posture among other priorities for improving its IT skills, systems, and processes.

Other overarching objectives set out in the Information Technology Strategic Plan for Fiscal Years 2022-2024 center on enhancing service delivery, embracing innovation, expanding the workforce, and increasing financial transparency.

The DoJ says the strategy was made in response to increasingly sophisticated cyber threats posed by foreign intelligence services, criminal groups, hacktivists, and insider threats.

Other cited influences were changing user expectations, growing technology complexity, a need to optimize resources, and the pandemic-fuelled demand for distributed workforce operating models.

**Securing the supply chain**

The cybersecurity strategy is made up from four strands, including proactively managing IT supply chain risk throughout the IT lifecycle via two key initiatives.

The first initiative, said the agency, involves developing “a thorough, comprehensive, and continuous understanding of its vendors and the software and hardware being used across the Department” – in particular for the “most mission-critical supply chains”.

RECOMMENDED HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

This will help the DoJ “comply with the federal government-wide initiative to require a Software Bill of Materials (SBOM)”, which provides visibility of components used in software and the vulnerabilities lurking therein.

Armed with an SBOM, the agency can then “develop an enterprise-wide view to monitor IT supply chain risk” by “leveraging existing tools like SPDR \[Security Posture Dashboard\] and creating new ones, where needed”.

Existing processes for IT Investment and Acquisition Review (ITAR), meanwhile, will be modified “to ensure we can identify IT procurements with elevated supply chain risk early in the acquisition process”.

**Don’t trust, verify**

The DoJ will also reinforce its ‘cybersecurity foundation’ by enhancing asset inventory management, modernizing monitoring and management of internet traffic, and focusing “more heavily on the continuous assessment of public-facing applications and systems for exploitable vulnerabilities”.

A third pillar of the strategy focuses on adopting zero trust principles and tools to combat access-based threats.

Read more of the latest government security news

Doing so “removes the concept of implicit trust and instead requires a contextual approach that includes the application, user, and device to allow for access decisions to adjust based on the context of the user”, explained the DoJ.

Among other things, the agency plans to reduce more than 20 current ‘identity providers’ (IdPs) to a single provider in order to promote consistent security standards and reduce the administrative burden.

The final infosec pillar focuses on enhancing cloud security to support the DoJ’s growing adoption of cloud-based technolgies. This will involve centralizing and streamlining cloud monitoring to drive analytics for identifying and managing cybersecurity risks and implementing an SPDR.

**Presidential priorities**

The DoJ says its IT vision has been aligned to priorities set out in the President Biden’s Management Agenda and cybersecurity-oriented Executive Order signed last year, as well as its own Comprehensive Cyber Review.

“Cyber-attacks are constantly challenging DoJ and other agencies,” says Melinda Rogers, the DoJ’s chief information officer and deputy assistant attorney general.

“Therefore, we will continue to diligently protect the agency’s critical data through increased cyber resilience and risk reduction while optimizing data utilization to create consumable and intelligent products.”

The DoJ’s strategy comes as fellow US government agencies the FBI and Cybersecurity and Infrastructure Security Agency (CISA) have warned that “publicly known” but often unpatched vulnerabilities – as opposed to previously unknown (zero-day) flaws – are increasingly prioritized targets for Chinese threat actors.

YOU MIGHT ALSO LIKE Chinese cyber threat actors are widely abusing well-known attacks to infiltrate networks, CISA warns

Tag

#intel