Next-generation AI products learn proactively and identify changes in the networks, users, and databases using "data drift" to adapt to specific threats as they evolve.

In March 2019, Norsk Hydro, a Norwegian renewable energy and aluminum manufacturing company, faced a ransomware attack. Rather than paying the ransom, a cybersecurity team used artificial intelligence to identify the corruption in the computer system and rebuild the operations in an uncorrupted parallel system. LockerGoga ransomware was eventually identified as the culprit, which spread via Windows-based systems. While Norsk avoided paying the ransom, the attack still forced it to operate without computer systems for an extended period of time (weeks to months), while the security team isolated and scanned thousands of employee accounts for malicious activity.

Signature-based detection is an approach in which a unique identifier is established about a known threat so that it can be identified in the future. However, signature-based approaches require continuous updates that take time and effort to maintain. Next-generation artificial intelligence (AI) products learn proactively and identify changes in the networks, users, and databases through what is called data drift to adapt to specific threats as they evolve.

AI products are the linchpin of a multifaceted defense system that can be utilized in the background prophylactically, especially against unknown threats. Cyberattacks that make the evening news are usually the ones that end in disaster; it is hardly ever reported how AI could have prevented those attacks in the first place. In addition, cyberattacks that are contained or thwarted on a daily basis, while AI is ubiquitously at work, are almost never reported in the news because they happen so frequently.

Unfortunately, as a result of the lack of coverage on these "non-events" in public forums, most people don't understand how AI makes an effective cyber defense achievable and not just theoretical. Here is what you should know.

**Deep-Learning Next-Generation AI Tools**

Data drift is a term used to measure changes in underlying data patterns. A typical example would be if an e-commerce business launched a new payment gateway to sell furniture. In this instance, BECS direct deposit might be a new financial term introduced in the business workflow. BECS, or Bulk Electronic Clearing System, governs how direct debits, automatic payments, bill payments, and direct credits work and how a range of bulk electronic transaction types are made between its participants.

Deep-learning AI models can detect the term and, with minimal human assistance, classify it as a financial transaction. Next-generation AI then can monitor financial transaction data flows and correlate the data accordingly, associating it with financial context and sensitivity.

The financial data monitoring can involve, for example, an application programming interface while the user checks out via online shopping cart or even general business flow. The advantage of the auto-detection approach is that a security team doesn't need to be on the lookout for new vulnerability patches for these terms. Instead, the security team can rely on AI to recommend new data patterns and self-patch accordingly.

A successful effort to thwart phishing attacks that endangered Stanford University can be used as an illustration. WannaCry ransomware threatened campus systems, but the university's self-patching AI software, in addition to its firewall protections and email security solutions, prevented the threats from successfully escalating.

Data transformers are one of the AI tools used to auto-discover and classify data patterns. A transformer model memorizes and tracks relationships between changes in data attributes to create contextual insights. It is similar in many ways to how a human brain works when reading a book. Although you often do not understand a character's role in the story or their relationships with the other characters when they first appear, you gain that knowledge as the story develops.

Data transformers use attention-based mechanisms constantly learning in the same way to gain a greater understanding of networks, files, emails, etc., and how the content of data relate to and interact with each other to identify and classify malicious changes. The text is represented by mathematical datasets, which derive data representations that can be later used to quantify the changes in data as it is being processed by a transformer.

Deep-learning models can also be used for behavioral purpose classification, which assist security teams with efficiently identifying sensitive or harmful content. An AI transformer model uses its understanding of natural language to analyze email data it has never been exposed to, such as credit offers, lottery ticket promotions, employment offers, or COVID test results, in order to classify and identify malicious content. Similar mechanisms can be used to identify malicious content in documents containing employee health information even though the AI model had never analyzed any kind of healthcare data before. The transfer model proactively alerted security teams regarding the sharing of sensitive data before a breach occurred.

**What This Means for Your Business**

Not only is it important to ensure that cybersecurity systems are in place to defend against and prevent threats, but it's also important to have the right one that synthesizes with your business's needs. Manual document classification for documents, emails, and text messages is complex and requires technical expertise. Deep-learning transformers simplify those tasks, and if done right, can be leveraged efficiently to save costs and effort.

However, an AI model with incorrect settings can result in false positives, and in turn, generate too many alerts, creating headaches for security teams. As a result, one should always seek expert advice when selecting products with AI components. The next-gen AI tools will be able to automate your business processes with minimal setup, human intervention, rules, and policies.

Artificial Intelligence and Security: What You Should Know

Cloud migration, DevSecOps, cyber insurance, and more have emerged as important motivators for cybersecurity investment and focus.

RSA CONFERENCE — San Francisco — Security hygiene and software supply-chain/vendor risk have emerged as the top two security priorities for chief information security officers (CISOs) at medium-sized organizations, new research has revealed.

That's according to Forgepoint Capital, which surveyed CISOs across a spectrum of industries and sizes. For organizations with 50 to 1,000 employees, security hygiene is seen as particularly critical, according to the data.

"Most breaches are due to unpatched systems, misconfigurations, poor passwords, and other easily avoidable issues," the report, shared with Dark Reading at the 2022 RSA Conference this week, pointed out. "Typically, organizations of this size don’t have the budget to build multiple backups and failovers, with real scenarios where a security incident can put the company out of business."

That said, there was notable variance across industry segments. For instance, zero percent of respondents in the healthcare vertical cited security hygiene as a priority.

"It's not that they think that nurses don't need to worry about passwords," says Will Lin, managing director of Forgepoint. "It's that security responsibility is much more distributed than in other industries. If I'm, say, BlueCross BlueShield, I can't control the password requirements and security hygiene of all the subsidiaries I have. It's each one's own responsibility to do it. I have to prioritize what I can actually solve."

There's a different narrative for professional services firms, where more than 80% said security hygiene is a top focus.

"They're exactly the opposite from healthcare," Lin says. "They're responsible for the security of all their consultants. These are all my employees, I need to do it. So that's why it becomes the highest priority for this group."

**Cybersecurity Workforce Shortage**

Meanwhile, CISOs at organizations with less than 50 employees cited talent development and social-engineering awareness as their top two priorities, with the ongoing cybersecurity workforce shortage of particular concern.

"Talent departure and social-engineering attacks can have major ramifications," according to the report. "Due to the small size of their employee base, these companies can realistically affect more change by focusing on human capital than a large organization can. As companies grow larger, no matter how much access control is established, threat vectors will remain. Thus, the focus shifts from personnel to security automation and incident response."

When examining CISOs' views of security prioritization by industry, the survey found that all security professionals prioritize areas with the highest return on investment (ROI). For example, 50% of professional services companies marked security hygiene as an essential focus, but healthcare professionals are focused more on the software supply chain and third-party vendor risk, such as the security of connected medical devices, given its bigger tie to ROI in their field.

**Cloud Migration and Digital Transformation**

Forgepoint also found that cloud migration is driving security prioritization for medium-sized businesses in particular, with 73% of survey respondents noting that it's a factor in 75% or more of their efforts. In contrast, just 13% of very large businesses (more than 10,000 employees) and 43% of large businesses (1,000 to 10,000 employees) said the same. For businesses with fewer than 50 employees, half of them said the move to the cloud is driving 75% of their security choices.

"Very large companies, surprisingly enough, are actually the furthest behind cloud migration," Lin tells Dark Reading. "And the smaller companies are further along in cloud migration. The big companies have a lot of legacy infrastructure, so it's going to take them a much longer time to move to the cloud, while smaller companies are more cloud native, and they're trying to cut costs, which the cloud helps with."

Digital transformation also emerged as a top security motivator for CISOs in every industry except for professional services — likely due to the ongoing reality of remote working forcing businesses to embrace software-as-a-service and other corporate working apps.

This is driving a new security focus on securing application programming interfaces (APIs, cited by 62% of all respondents) and DevSecOps for embedding security into application development (cited by 54%).

**Areas of Control and Cyber Insurance**

Survey respondents said traditional access control areas like data security (40%) and identity (41%) are still top priorities for organizations. But more than a quarter (28%) of CISOs highlighted an emerging area, cyber insurance, as a top control area of interest.

With ransomware, malware, APTs, and other cyberattacks at all-time highs, organizations of all sizes are considering investing in cyber insurance — however, it's a painful process, Lin says, especially as many insurance firms don't cover ransomware incidents, and the application process can be onerous and dictate where precious security dollars are invested.

"The cost of cyber insurance is going up, and the coverage is going down," Lin says. "And perhaps most of all, the questionnaires that cyber insurance companies give companies to fill out in order to determine how expensive coverage will be don't provide a representational picture of how good of a bet insuring a company is."

For instance, many require companies to have multifactor authentication (MFA) on all accounts in order to qualify for affordable coverage — but its across-the-board implementation at the expense of other efforts (patching, for instance) may not be the best approach for defending the business.

"Companies themselves often don't know how effective their controls are, so how could a cyber insurance underwriter be predictive?" Lin says. "If the question is, do you have an MFA on everything, companies can never check yes to that. Because there are some places where you can't have MFA. It's just not physically possible. Or, in some cases the app that's doing all the authentication might not have an MFA feature enabled. So they have to click no, and when they do, they immediately see a premium increase."

Meanwhile, just 24% of all respondents cited monitoring threat intelligence as a priority — which is a function of it being perceived as difficult to operationalize, Lin says.

"The key issue is, even like organizations like Google have no idea what to do with all of the telemetry and data," Lin said. "Companies simply have a tough time figuring out what to do with their threat intel — it's just the actionability of it."

Overall, the survey also found that three-quarters (76%) of CISO survey respondents say they expect security budgets to increase this year.

"As cybersecurity budgets increase, it’s expected that budgets will become more flexible to accommodate new and emerging products that defy the limitations of the currently identified categories," Forgepoint concluded.

In a Quickly Evolving Landscape, CISOs Shift Their 2022 Priorities

The dangerous malware appears to be well and truly back in action, sporting new variants and security-dodging behaviors in a wave of recent phishing campaigns.

The dangerous malware appears to be well and truly back in action, sporting new variants and security-dodging behaviors in a wave of recent phishing campaigns.

Emotet’s resurgence in April seems to be the signal of a full comeback for what was once dubbed “the most dangerous malware in the world,” with researchers spotting various new malicious phishing campaigns using hijacked emails to spread new variants of the malware.

The “new and improved” version of Emotet is exhibiting a “troubling” behavior of effectively collecting and using stolen credentials, “which are then being weaponized to further distribute the Emotet binaries,” Charles Everette from Deep Instinct revealed in a blog post this week.

“\[Emotet\] still utilizes many of the same attack vectors it has exploited in the past,” he wrote. “The issue is that these attacks are getting more sophisticated and are bypassing today’s standard security tools for detecting and filtering out these types of attacks.”

In April, Emotet malware attacks returned after a 10-month “spring break” with targeted phishing attacks linked to the threat actor known as TA542, which since 2014 has leveraged the Emotet malware with great success, according to a report by Proofpoint.

These attacks—which were being leveraged to deliver ransomware—came on the back of attacks in February and March hitting victims in Japan using hijacked email threads and then “using those accounts as a launch point to trick victims into enabling macros of attached malicious office documents,” Deep Instinct’s Everette wrote.

“Looking at the new threats coming from Emotet in 2022 we can see that there has been an almost 900 percent increase in the use of Microsoft Excel macros compared to what we observed in Q4 2021,” he wrote.

**Emotet Rides Again**

The attacks that followed in April targeted new regions beyond Japan and also demonstrated other characteristics signaling a ramp-up in activity and rise in sophistication of Emotet, Deep Instinct noted.

Emotet, like other threat groups, continues to leverage a more than 20-year-old Office bug that was patched in 2017, CVE-2017-11882, with nearly 20 percent of the samples that researchers observed exploiting this flaw. The Microsoft Office Memory corruption vulnerability allows an attacker to perform arbitrary code execution.

Nine percent of the new Emotet threats observed were never seen before, and 14 percent of the recent emails spreading the malware bypassed at least one email gateway security scanner before it was captured, according to Deep Instinct.

Emotet still primarily uses phishing campaigns with malicious attachments as its transportation of choice, with 45 percent of the malware detect using some type of Office attachment, according to Deep Instinct. Of these attachments, 33 percent were spreadsheets, 29 percent were executables and scripts, 22 percent were archives and 11 percent were documents.

Other notable changes to Emotet’s latest incarnation is its use of  64-bit shell code, as well as more advanced PowerShell and active scripts in attacks, according to Deep Instinct.

****History of a Pervasive Threat****

Emotet started its nefarious activity as a banking trojan in 2014, with its operators having the dubious honor of being one of the first criminal groups to provide malware-as-a-service (MaaS), Deep Instinct noted.

The trojan evolved over time to become a full-service threat-delivery mechanism, with the ability to install a collection of malware on victim machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware. Indeed, Trickbot and the Ryuk and Conti ransomware groups have been habitual partners of Emotet, with the latter using the malware to gain initial entry onto targeted systems.

Emotet appeared to be put out of commission by an international law-enforcement collaborative takedown of a network of hundreds of botnet servers supporting the system in January 2021. But as often happens with cybercriminal groups, its operators have since regrouped and seem to be working once again at full power, researchers said.

In fact, in November 2021 when Emotet emerged again nearly a year after it went dark, it was on the back of its collaborator Trickbot. A team of researchers from Cryptolaemus, G DATA and AdvIntel separately observed the trojan launching a new loader for Emotet, signaling its return to the threat landscape.

Potent Emotet Variant Spreads Via Stolen Email Credentials

By Owais Sultan
Hyperconverged infrastructure is changing the way data centers work for the better. Learn about the benefits of hyperconverged…
This is a post from HackRead.com Read the original post: Hyperconverged Infrastructure (HCI) is Changing Data Centers

****Hyperconverged infrastructure is changing the way data centers work for the better. Learn about the benefits of hyperconverged infrastructure.****

Every year there is a huge number of technological reforms and upgrades that can make life easier for both individuals and companies. Sometimes, large-scale changes also affect the data processing centers.

If even more than 10 years ago data center managers worked with traditional infrastructure familiar to everyone, then in recent years there have been big changes. These changes were the use of networks that provide both speed and availability (software-defined networks), a distributed information technology architecture in which customer data is processed at the edge of the network, as close as possible to the source (edge computing), the fifth generation of mobile communications, as well as artificial intelligence. 

Such technologies imply a major transformation in how data centers operate. However, the most important thing is that qualified specialists are needed to work with such technologies, which means higher requirements for data center managers. They must be able and know how to work with such innovative solutions, and explore and customize them. It would seem that the use of technology should be beneficial, but for people working with such innovations, this becomes a challenge. 

That is why the latest technology has been developed that promises to solve all these problems. 

**Table of Contents:**

1.  **Hyperconverged Infrastructure** 
2.  **Converged Infrastructure** 
3.  **Key Benefits of HCI**

**Hyperconverged Infrastructure **

Before describing all the advantages of technology, it is worth considering the hyperconverged infrastructure definition. HCI is a distributed infrastructure platform that combines servers, networks, and storage with sophisticated software to produce adaptable key components that may improve existing infrastructure.

The consistent building pieces required to establish a hyperconverged infrastructure can be acquired as a mix of electronic, electrical, and mechanical hardware or as virtual stacks.

Such an infrastructure consists of standard components: servers running on the x86 architecture, software for creating, running, and managing virtual machines, and special software needed for management.

The beauty of a hyperconverged data center is that if you need more processing power, you can easily scale the process. All you need to do is attach a few extra boxes, depending on how much you need to scale everything. Thus, each organization gets a great opportunity to improve the processing centers of HCI data. 

It is already clearly visible how quickly the demand for the creation of such data centers is growing. 3 years ago, the global market for such products and services was estimated at over $6 billion. In 5 years, it will be valued at more than $22 billion. Companies now must cut information technology expenses, drastically speed up the building of data centers, manage numerous operations, and grow swiftly.

**Converged Infrastructure **

There existed a converged infrastructure prior to the introduction of such an upgraded infrastructure. It comprises pre-engineered equipment and programs that professionals may purchase and install independently. In short, it’s like an IKEA crib. You get a set of ready-made components that you need to combine to get the finished product. That is, you get components that will be compatible with each other. You do not need to search for suppliers for each component to separately assemble everything you need. 

Hyperconverged infrastructure is a more advanced CI. This infrastructure already contains all the necessary components that you can work with. In simple words, if CI is an IKEA crib that needs to be assembled, then HCI is a prepackaged meal that you just need to heat.

If you use a similar infrastructure in your data center, then to increase the capacity, you only need to order more infrastructure units. Easy and simple scalability allows multiple companies to increase the volume of data processing, as well as quickly adapt to new company needs. 

**Key Benefits of HCI**

Scalability is the most important advantage of HCI. However, this is not all that such an infrastructure can offer. 

**Low-cost hyperconverged infrastructure units **

HCI requires x86 servers, which are installed in most modern data centers. Thus, companies do not need to spend money to buy the necessary servers. In addition, every time there is a need to add capacity, companies need to buy only one type of device instead of a huge variety of different devices. They can be purchased from a single supplier, which reduces the time of purchase and implementation.

In addition, if necessary, if there are difficulties with installation or updates, then you only need to seek technical assistance from one vendor instead of working with many different vendors. 

**Remote control **

Infrastructure components are handled as services in a software-defined data center. They can be managed and configured remotely, which greatly facilitates the work of managers. At any time of the day or night, managers can quickly reduce or increase the amount of storage, and memory, adjust computing power, as well as all the necessary resources. This means that managers will be able to update all resources used as soon as it is needed.  

**Achieving the greatest efficiency of all processes **

All used infrastructure resources are combined into clusters. If you need more memory for a particular process or application, or need more storage capacity and compute power, you can quickly identify those resources that aren’t already being used to provide what you need. With unified management, managers can quickly discover these resources, pool them together, and make them available for process or application execution when needed. 

**Integrated management **

You only need a single console to manage all the processes. Local and remote clusters can be managed from one place. Thus, the entire management process is greatly simplified. 

Companies operating in the field of IT have a chance to reduce the costs of IT departments, as well as increase their productivity. The work of specialists is facilitated since it is no longer necessary to think about how to deploy a system, integrate it, and separately maintain each component while solving other problems associated with managing the center. 

There is no need to expand the staff, as well as to attract consultants who charge a lot for their work. If your staff has generalists, then they will be able to do most of the work without help. 

**Conclusion **

There are many benefits to implementing hyperconverged infrastructure in your data center. The first and most important is the speed and ease of scaling, which is low cost. In addition, all processes can be controlled remotely using a single console. Achieving the greatest efficiency of all processes occurs quickly if necessary.

1.  Why Data Security is crucial?
2.  Big Data and Cybersecurity: Opportunity or Threat?
3.  How big data analytics helps enterprises improve cybersecurity
4.  Top Data-Driven Methods for Improving Your Investment Decisions
5.  Cybersecurity, Big Data & Automation Tools: What Marketers Need To Know

Hyperconverged Infrastructure (HCI) is Changing Data Centers

Lacework's Mark Nunnikhoven joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to talk about AI and cloud security.

Artificial intelligence is essential for endowing multicloud environments with greater visibility, insights and actions, according to Mark Nunnikhoven, distinguished cloud strategist for Lacework. And AI is key to automating security tasks, he adds. AI, in turn, can help enable faster innovation with security built in from the first line of code, as well as gain meaningful security insights to build apps quickly and confidently by highlighting any potential issues well before they reach production, according to Nunnikhoven.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Lacework Blends Artificial Intelligence and Automation to Bolster Cloud Security

Sabre and Travelport had to report the weekly activities of former “Cardplanet” cybercriminal Aleksei Burkov for two years, info that eventually led to his arrest and prosecution.

Sabre and Travelport had to report the weekly activities of former “Cardplanet” cybercriminal Aleksei Burkov for two years, info that eventually led to his arrest and prosecution.

The U.S. government ordered two travel companies to provide information about the movement of a Russian citizen suspected of hacking. The surveillance data was used as part of an investigation by the U.S. Secret Service, according to court documents recently unsealed.

The revelation of the extent of surveillance that the feds ordered companies to do in a 2015 investigation of Russian hacker Aleksei Burkov once again raises questions of privacy, accountability and responsibility in terms of how much access the government should have to an individual’s private data.

A letter from Forbes prompted the unsealing of court documents in the case Burkov, a now-infamous cybercriminal who at the time of the investigation was suspected of facilitating the theft of $20 million from stolen credit cards on a website called Cardplanet that he was running on the dark web.

The feds arrested Burkov at Ben-Gurion Airport near Tel Aviv in December 2015, and he eventually was extradited to the U.S. in 2019. In January 2020, he pleaded guilty to one count of access device fraud and one count of conspiracy to commit access device fraud, identity theft, computer intrusions, wire fraud and money laundering.

Burkov eventually was sentenced to nine years in a federal prison, but mysteriously sent back to Russia in September 2021 for reasons which are still unclear, according to Forbes.

Forbes submitted a legal challenge to unseal documents in the case, which it won, subsequently publishing a report this week on what those documents revealed: extensive surveillance of Burkov by two travel companies, U.S.-based Sabre and U.K.-based Travelport, at the behest of the feds. The government used this data to track Burkov’s movements which eventually led to his arrest and prosecution.

****Tracking Burkov’s Movement****

The court documents show that in November 2015, a judge in the U.S. District Court for the Eastern District of Virginia granted a request by the U.S. government and ordered Sabre and Travelport to provide “all records, services and usages” of Burkov for a two-year period following the issuing of the order. The companies also had to provide a “real time” report on a weekly basis of  Burkov’s account activity to the feds.

The order was granted under the All Writs Act, a broad, 233-year-old law that allows for the government to “issue all writs necessary and appropriate” to aid authorities in their quest for the “proper administration of justice.”

The act is open to interpretation and has already been used a number of times by the U.S. government as a means of forcing tech companies into giving up information to aid them in investigations—a situation the American Civil Liberties Union deems “improper use.”

Indeed, the act has most often been used against tech giants Google and Apple to force them to help the federal government unlock Android devices or iPhones of suspects in criminal cases.

The most high-profile of these cases came after a 2015 mass shooting in San Bernadino, Calif., when Apple held its ground in its refusal to unlock the iPhone of shooter Syed Rizwan Farook. Eventually, the case came to end when the FBI managed to unlock the device without Apple’s help.

****Privacy Issues or Just Cause?****

While privacy advocates believe the federal use of the courts to force tech companies to give up data that customers shared with them in privacy is an overreach, security professionals for the most part support the action in the case of criminal investigations—to a point.

The monitoring of Burkov’s movement to apprehend him was justified due to the criminal nature of his activity, one security professional told Threatpost.

“After reviewing the facts of the case, a federal judge agreed there was enough cause and issued a ruling that authorized this activity,” Rosa Smothers, a former CIA cyber threat analyst and technical intelligence officer and current senior vice president at security firm KnowBe4, wrote in an email to Threatpost. “This was not a case of rogue government officials conducting unapproved data collection.”

Another security professional said that he’s not overly concerned if the federal government uses legal means to get access to private data collected by technology companies. However, it’s not always clear who has access to the “massive troves of data” being collected by companies like Meta and Google, observed John Bambenek, Principal Threat Hunter at security and operations analytics company Netenrich, in an email to Threatpost. This, he said, is concerning and should be remedied.

“Whether its Meta saying they can’t figure out where personal data is being used inside Meta, or law enforcement being able to get real time information on suspects, society just hasn’t come to grips with the implications of surveillance capitalism,” he said.

Feds Forced Travel Firms to Share Surveillance Data on Hacker

The company's vision for the future of cloud security is based on simplified, horizontal coverage across multiple cloud platforms.

Networking giant Cisco has unveiled a plan to simplify security operations, including the debut of an open security platform called Security Cloud, conceived as a unified platform for end-to-end security across hybrid multicloud environments.

The platform offers threat prevention, detection, response, and remediation capabilities, as well as less-intrusive methods for risk-based authentication, including a Wi-Fi fingerprint.

Cisco is also emphasizing intelligent user and device identity verification checks that run continuously and in the background.

**Horizontal Coverage**

TK Keanini, CTO of Cisco Secure, explains that in an age where organizations are protecting assets across multiple clouds — be they Microsoft Azure, Amazon AWS, or Google Cloud Platform — security teams are struggling to provide uniform, horizontal coverage across this infrastructure.

"We're trying to abstract away networking and security to a layer that is completely horizontal across that which you protect — your compute and storage," Keanini says. "Where before, networking and security were sometimes living in those silos, we're now logically above it. We want to provide a function that's consistent and has the economics of cloud."

Featuring Cisco Meraki SD-WAN technology, the secure access service edge (SASE) subscription service Cisco+ Secure Connect Now streamlines deployment and management of SASE through a cloud-managed platform with a unified dashboard.

A unified Secure Client is designed to help simplify the streaming of Cisco Secure agents, including AnyConnect, Secure Endpoint, and Umbrella.

"With Secure Connect, we tried to basically abstract away the complexity and hand you an application experience," Keanini says. "We're going after a person who doesn't ever want to be a networking expert, or they just want the network to work, and they want to control it via an app."

Cisco is also leveraging the OpenID Foundation's Shared Signals and Events standards, including CAEP and RISC, to build session trust analysis by sharing information between vendors.

The company also has enhanced its Secure Cloud Analytics, which automatically promotes alerts into SecureX and maps those alerts to MITRE ATT&CK.

It also debuted the Secure Firewall 3100 Series, which features an AI-powered encrypted visibility engine, uses machine learning (ML) technology to uncover threats, and offers a custom security research service, called Talos Intelligence On-Demand.

Keanini says that the through line with all of these services, as well as with Cisco's Security Cloud vision, is simplicity — specifically, providing services that remove complexity for organizations and individuals.

"You're good if you provide security, but you're even better if you provide security and usability," he says. "If you're going to reach the common person that just never wants to be a security expert, you got to deliver an application experience. That's really simple."

Cisco Revamps Cloud Security Strategy With New Secure Access, SASE Portfolio

x86 pv: Insufficient care with non-coherent mappings T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-26363,CVE-2022-26364 / XSA-402 version 4 x86 pv: Insufficient care with non-coherent mappings UPDATES IN VERSION 4 ==================== Public release. ISSUE DESCRIPTION ================= Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency; cases where the CPU can cause the content of the cache to be different to the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page is safe. IMPACT ====== Malicious x86 PV guest administrators can escalate privilege so as to control the whole system. VULNERABLE SYSTEMS ================== All versions of Xen are vulnerable. Only x86 PV guests can trigger this vulnerability. Only x86 PV guests configured with access to devices (e.g. PCI Passthrough) can trigger the vulnerability. Only CPUs which can issue non-coherent memory accesses are impacted. CPUs which enumerate the SelfSnoop feature are not impacted, except as noted in errata. Therefore, we believe that Xen running on Intel IvyBridge or later CPUs is not impacted by the vulnerability. MITIGATION ========== Not passing devices through to untrusted x86 PV guests will avoid the vulnerability. CREDITS ======= This issue was discovered by Jann Horn of Google Project Zero. RESOLUTION ========== Applying the appropriate attached patches resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. Furthermore, the XSA-402 patches depend logically on the XSA-401 patches, and will not function safely without XSA-401 in place first. xsa402/xsa402-?.patch xen-unstable xsa402/xsa402-4.16-?.patch Xen 4.16.x xsa402/xsa402-4.15-?.patch Xen 4.15.x xsa402/xsa402-4.14-?.patch Xen 4.14.x xsa402/xsa402-4.13-?.patch Xen 4.13.x $ sha256sum xsa402\* xsa402\*/\* 3572a7bf70f372707705eec7e24ec6737d41dde906d82b4197597480df557b0c xsa402.meta ce956e3b24b34b10034d6cc219f616e96e5b7b3a391f6d9a97d96694579e86b3 xsa402/xsa402-1.patch 8faaae88b7d88a3ef66ebd9db7d5fbfa600ab1216b38954a7a8b44822a32b87e xsa402/xsa402-2.patch 344c76e842e830ef209427359d2b566d6b54f8862c16662ca628c459680614d7 xsa402/xsa402-3.patch 210e8312f351f1b26b58e5f24479381371ddfbae4b1d3b7233a9ed909a3d08cd xsa402/xsa402-4.13-1.patch 5d9e6cb667d47f58f1b85c02844510673f9bfa5a94a74847bfe641bc9722dc67 xsa402/xsa402-4.13-2.patch 176bbd997d163cfb17811065e084ee118ba272e02302c0237dcfeca7d261943d xsa402/xsa402-4.13-3.patch 0ee1adac14c185c3b928f8384c6f5749ecf1c028eb65e17ad54de5be0773b40b xsa402/xsa402-4.13-4.patch 366a79734861535818c54e3d831c7349de11fbd761ee04ced712590e50a149ed xsa402/xsa402-4.13-5.patch 487227003630a70a640e434c6b0125f73c8d7affc9c90297de737a29a0cf0c7e xsa402/xsa402-4.14-1.patch 328dd4090ecb6bd13696a9a69d098476d14ccde4d78e0127c2512569c73aa01a xsa402/xsa402-4.14-2.patch 739263e622620e95c03118d3ea9d4f96ea3ce83d17ae6d06ca596cbe3d7c6035 xsa402/xsa402-4.14-3.patch f35a7c0282efe0271517fe6407f2d36f97455710041fa3bce72a61bc3733b556 xsa402/xsa402-4.14-4.patch ba4b84e95fbad023c1db21b677b166e09a4a2c0c4346ecb4612a32ee97f37efe xsa402/xsa402-4.14-5.patch ccdcbebcef9b84dce82c95f6faaa85f73f137c47c54aa891ee350e90cf1e8ceb xsa402/xsa402-4.15-1.patch 51d6875b097ba9913620e827cc1d634e6d3506fb6ab8ab7ac763e46634d7b67c xsa402/xsa402-4.15-2.patch 58b02bd665366c235534c58bc0f040863f3b1083551541c2b6de090c5d0caf6c xsa402/xsa402-4.15-3.patch 457cb2be1425948589cd0b7084087f6b995df29af289c10f9e9011df6f704cc0 xsa402/xsa402-4.15-4.patch 808cb71f43ab64ac6e992ffc081790292e014b7476304502caaee0f2d8e92b6d xsa402/xsa402-4.15-5.patch d90732dd1ef85c6d33471f83a707245e4bff3b737110ba4b8533c549b06175cc xsa402/xsa402-4.16-1.patch f68ad7dd8f68f688bb2f42664af8c7eeecc4888b84afe8e102e96518c22ceb2c xsa402/xsa402-4.16-2.patch 96f0c356281c59cc90894c0160121469096c3076cc4e1b52e81a521da10e9d76 xsa402/xsa402-4.16-3.patch 27aeb50651bfde461b84c98a897062e261b9ac84b6e07e9afbaae4c20c61a963 xsa402/xsa402-4.16-4.patch d65c84f2cf1f75d96c1853ffeeb8eed793e6382d21795af04871ead07f6b330c xsa402/xsa402-4.16-5.patch 5b472eda637ff59b0b7dff85a7869d7197f728b581581ce97b1617c2dcb62397 xsa402/xsa402-4.patch 15741042b7e6c04deff2edcbd21f1c4649d58790919fa18d4b131b53d68a124f xsa402/xsa402-5.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: deployment of the mitigation (i.e., switching guests from passed-through devices to virtual devices) is \*not\* permitted during the embargo, as it could be seen by an attacker and potentially give them a hint about the nature of the vulnerability. Futhermore, distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmKh4lkMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZWi0H/3qjj6TwK57IN/QXxMxnPf/Z8w1C4J64dHXXksXz epUV7NAUMhZMiL1TDRXORLCcUEC9ErwBb3xdz+rSy/3oyqVNL2vERu7LtXKriIgi WZYvk/19QzBNVTrGUbXmLFER/0hGo6r3wW3VPhziAoTc71f2PW4wIWbvGOzvHpSU PuRhScXNMdJsu6dh5mNahqQE2nxRSOY/B9D8KDZTCJ4GwMKqZGuwRu5FuoHhXDa/ iOy4kUt6SOJ46L7Za1ULdYe6wdYWzJJtVaoojgjU/gqwtT3uXLa3eqsUqXjGynxj iGGOMFTypAMhMXqEgKzUEbJOYvvaLmC/D/bbVZ7U80Nya18= =bGG4 -----END PGP SIGNATURE-----

CVE-2022-26363

AI works best when security professionals and AI are complementing each other.

Artificial intelligence has advanced greatly in the past decade. On my phone, I'm reading Apple and Google news that is well-tailored to me, thanks to AI recommendation models. Self-driving cars are already picking up passengers for rides in downtown San Francisco.

The same transformation is happening in the cybersecurity world too. However, questions remain: Will AI replace security professionals? Or will AI still be as useful in the zero-trust era given that access is tightened to the minimum already?

AI was introduced to the center stage of the cybersecurity industry a few years ago, originally to tackle malware detection and anomaly detection use cases. We have come a long way to better understand both the usefulness and the limitations of applying AI to cybersecurity, especially in the zero-trust era.

**AI Is Still Needed**

First, a zero-trust architecture doesn't remove the need for AI. Though zero trust eliminates the attack surface and reduces the chance for the anomaly to happen, zero trust demands AI more.

Today, an enterprise user's security policy is typically that person's department security policy. Whether users are in a big or a small department, they all follow very similar, if not the same, security policy, including access control policy.

In the zero-trust era, we need a personalized, contextual, dynamic, and granular security policy — which is exactly what zero trust is about. Access control, for instance, is no longer based on simple rules but a set of complex policies based on your identity, your device, your posture, your intention, your risks, your content, and a lot of rich data points.

However, generating such complex, granular, and personalized policy _at scale_ can be very time-consuming if relying on human rules and heuristics. Different employees will use different applications and such application usage may need to evolve fast in a short period of time. AI is a critical technology to make such an intelligent and personalized security policy recommendation at scale.

At the same time, it is impossible for AI to capture or comprehend all the nuances and contexts of any complex environment, so AI may make recommendations that are suboptimal from experts' eyes. With ongoing human feedback, we can improve the AI model and its effectiveness.

**Threat Detection**

Second, zero trust gives the enterprise much tighter protection than it has had in the past, but no matter how tightened things are, there is always a weak link somewhere. Therefore, we want AI to assist with evasive and unknown threat detection and prevention.

Some evasive threats are undetected in time by conventional signature-based or sandbox technology. The SolarWinds supply chain attack is a good example. This global attack turned the SolarWinds Orion software into a weapon, subsequently gaining access to several government systems and thousands of private systems around the world. There was no involvement from any malware by the traditional definition, and it was hard to rely on any single layer of the conventional technology to detect such an attack ahead of time.

AI has a good potential to be the technology to do a better job with unknown threat detection because it can "predict" threats that have never been seen before.

Practically, we will want to layer multiple security technologies along with AI. For instance, in the case of malware, the tried-and-true approach of signature matching and sandbox will continue to play a key role. AI will complement greatly, but not displace, the conventional technology.

**Easily Understood**

Third, enterprise customers want to utilize AI in a way that is easily understood and digestible by security professionals. The "explainable AI" may not improve the AI model efficacy on the surface, but it will increase the adoption of AI significantly.

For instance, AI may be able to detect an unknown threat, but SecOps teams may want to see which family the threat belongs to before taking an action. For another example, AI may be able to generate intelligent and relevant security policy recommendations, but SecOps teams may still want to know the context of why certain recommendations are made before accepting them.

**Conclusion**

The cybersecurity industry needs AI to help reduce unknown attacks at scale and come up with granular and contextual security policies at scale to reduce the attack surface. We want the result to be explainable too.

AI-powered security tools and products are an amazing digital assistant to SecOps professionals. And professionals are assisting AI technology to advance, too, as we will need humans to verify many of the outputs and/or provide feedback for the AI model to improve.

AI is useful to scale the enterprise security functions, like more-intelligent policies and more-intelligent threat detection as discussed above. AI works best when security professionals and AI are complementing each other. In the end, AI is an assistant to security professionals and will not be a replacement for human effort for a long time to come.

How AI Is Useful — and Not Useful — for Cybersecurity

BAE Systems' Peder Jungck joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss the importance of collaboration.

Information sharing and collaboration are essential to security practitioners, says Peder Jungck, VP and general manager of BAE Systems Inc.'s Intelligence Solutions business unit. And the power of that shared data is compounded when shared across companies and industry sectors, he adds. Jungck also discusses how sharing and collaboration work in cloud environments, and shares tools, processes, and organizations that can improve collaboration both internally and with partners, suppliers, and customers.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#intel