Too many organizations are STILL getting breached. Every day across large and small organizations, intrusions and breaches happen.

Every day across organizations both large and small, intrusions and breaches happen. Attackers get inside. If the organizations are fortunate, they detect and get them out before they do any damage. They remediate the situation before the intrusion turns into an official breach. But for many less fortunate, when breaches happen they can last for weeks, months, or years under the radar. Once finally discovered, the investigations can be long and painful, and they often get publicized.

We live in a world where attackers appear to have the upper hand and, on some days, even seem to be winning. It's hard to understand the current state of affairs when there is an endless number of cybersecurity vendors, service providers, and experts touting their abilities to secure organizations of all sizes.

There are many promises. Many promote 99.9% accuracy and their ability to stop all breaches. Vendors talk about their solutions having artificial intelligence (AI) and machine learning (ML) to identify unknown threats, but not too many people can really explain exactly how AI and ML work in cybersecurity. There's a lot of hype.

There is not a single vendor on the planet right now that can provide a one-stop shop of world-class technology to prevent and stop breaches. One doesn't exist. Organizations need to be able to choose best-in-class technologies that work well and integrate together no matter what company built them.

**Breaches Keep Happening**

According to the Identity Theft Resource Center, the landscape has not improved much over the last 15 years. With all of the protection and intelligence available contrasted against successful intrusions and breaches, something is not adding up.

The industry as a whole has not achieved the objective of preventing, or even mitigating, breaches.

We must keep in mind that while intrusions and breaches are a reality, they don't need to be devastating. One of the main reasons they often are so harmful: blind spots.

Despite security controls focused on specific areas of environments such as identity and access management (IAM), endpoint protection platform (EPP), endpoint detection and response (EDR), next-generation firewall (NGFW), data loss prevention (DLP), network detection and response (NDR), and so on, blind spots are still everywhere. All these different security controls are great for looking at the area they're assigned, but if they aren't all talking to each other, organizations are flying blind.

**Attackers Love Blind Spots and Credentials**

While security teams are chasing false alerts, external attackers are finding legitimate credentials already exposed, and exploiting vulnerabilities that enable them to find credentials from within the environment. Or they're using a large amount of money to entice a legitimate user to share their credentials voluntarily. Once the credentials are in hand, a bad actor can take their time to scour the environment, map sensitive data locations, and quietly create "backdoors" for future use.

If the attacker is more of the "smash and grab" type, they can carry out a flash attack, deploy malware, ransomware, or any number of damaging attacks and watch the chaos ensue.

For those rare trusted employees who goes rogue, their path to carrying out a devastating attack is much shorter. Already with an established presence, legitimate access, and user IDs/passwords inside the environment, the opportunity to prevent them in carrying out nefarious activities is often nonexistent. The only hope for organizations is the domain of detection and response.

**Know Normal, Prevent, and Detect **

Security teams need to know what is normal behavior in their organization to quickly identify anything abnormal like the situations mentioned above. Right now, there is still way too much focus in cybersecurity on prevention, and not enough on detection and response. No matter how many prevention tools are in place, attackers are still getting in and insiders are still getting out. Too many security operations teams are still flying blind.

Currently, organizations will continue to experience intrusions and breaches, but what the pain and lasting consequences aren't inevitable. By incorporating the ability to determine what normal activity is for users and entities, organizations stand a better chance of detecting the abnormal and uncovering external and insider threats (whether malicious or accidental), turn the tables on the attackers, and mitigate damage. And that's true even as "normal" constantly changes.

Organizations will win when they know normal and identify what's abnormal — the breach.

**About the Author**

    

Gorka Sadowski is Chief Strategy Officer at Exabeam. In his role, Sadowski assists the executive team and functional leaders across the company. Sadowski has more than 30 years of security experience. Most recently, Sadowski was senior director and security and risk management analyst at Gartner. Prior to Gartner, Sadowski led business development at Splunk and built the Splunk security ecosystem. Prior to Splunk, Sadowski established presence for LogLogic in southern Europe, ran security activities for Unisys in France, and launched the first partner-led intrusion detection and prevention system in the industry.

Flying Blind in Security Operations

Trying to remediate everything was never a winning strategy. RBVM is an approach that gets organizations better results with less effort.

For the past five years, the National Vulnerability Database (NVD) has broken its own record of reported vulnerabilities and is on pace to do the same in 2022. With a threat landscape growing that quickly, it's no surprise to see security teams can't keep pace.

According to a report from Cobalt, 79% of security teams struggle to consistently monitor for vulnerabilities amid today's labor shortages, and 54% of security respondents are considering quitting their jobs.

Trying to remediate everything was never a winning strategy. Risk-based vulnerability management (RBVM) is an approach that gets organizations better results with less effort than trying to keep up with the daily average of more than 60 new vulnerabilities so far in 2022.

Five years of data backs this up. The top four metrics used to measure success with RBVM have consistently gotten better, even as a record number of common vulnerabilities and exposures (CVEs) has added more noise to the fray each year.

Let's take a deeper look at those metrics, how they've improved, and why they've improved.

**RBVM 101**

In its early days, RBVM was taboo because everyone saw vulnerability management as an all-or-nothing proposition. Precious few reached "all" status, and getting there meant a lot of time wasted on remediating vulnerabilities that posed no threat.

"Maturity models" attempt to collect the best cybersecurity practices determined by experts and tweak them over time, but there's an even better way: data. A series of research reports from the Cyentia Institute has provided some answers on what organizations should be prioritizing and informed a better approach to RBVM.

Research produced in conjunction with the Cyentia Institute has shown that 23% of published vulnerabilities have associated exploit code and 2% have observed exploits in the wild. That dramatically reduces the amount of effort required … if you're remediating the right way.

We can judge how organizations are doing by looking at remediation capacity, velocity, coverage, and efficiency. The Cyentia Institute analyzed data from Kenna's platform across the past five years and visualized it in the charts below.

Capacity, the proportion of open vulnerabilities being closed on average every month, has generally increased over the past five years for leading and average organizations. While most organizations are remediating more of their open vulnerabilities, the bottom quarter of organizations has remained steady with no meaningful shifts.  

    

Source: Kenna Security

Remediation velocity saw quick, meaningful progress and has since been improving slowly. Where we are now is a _vast_ advancement over early 2016, when the half-life was more than 125 days. Over the last four years, the half-life — or time it takes to remediate half the newly discovered vulnerabilities — has dropped by more than a third from 32 days to 21 days.  

    

Source: Kenna Security

Efficiency and coverage are related, which is why they're shown together, and without a significant change in prioritization strategy, improving one of those metrics will often lead to a decrease in the other. For example, one way to increase coverage is to simply remediate more, but that makes you less efficient.

Around 2018, both coverage and efficiency were around 35%, but an increase in coverage (more exploited vulns are remediated correctly) causes a decrease in efficiency (fewer of the remediated vulnerabilities are being exploited). This is likely caused by organizations increasing their capacity to remediate more vulnerabilities.  

    

Source: Kenna Security

Keep in mind that this is all happening as we've seen the number of reported vulnerabilities increase each year since 2017. Organizations that have adopted RBVM are filtering out the noise by focusing on risk. They're also remediating more vulnerabilities faster, which is why coverage and efficiency continue to improve.

**Explaining the Success**

While a more intelligent approach to vulnerability management makes the biggest difference, vendors have gotten smarter, too. Research tells us that Microsoft has more vulnerable assets observed and more exploitation activity than its peers. When the software giant issues patches quickly, it has a heavy impact on remediation velocity (organizations address half their vulnerabilities affecting Microsoft products in roughly 22 days, more than 40 times quicker than SAP or Linux at 900 days).

Between a smarter approach and quick patches from software vendors, vulnerability management is in a far better position than it was five years ago. The proof is in the numbers that organizations have better success when they approach security through a risk lens.

The labor market has further complicated the already complex issue of security, but now organizations know they don't have to fix everything. In fact, it would be silly to and you'll end up driving your valuable security practitioners away. By adopting RBVM, organizations can start to quell the unrelenting pandemonium today's security landscape has become.

How Risk-Based Vulnerability Management Has Made Security Easier

Ducktail targets marketing and HR professionals through LinkedIn to hijack Facebook accounts and run malvertising schemes.

A spear-phishing campaign dubbed "Ducktail" has been discovered targeting marketing and HR professionals through LinkedIn, with the aim of taking over Facebook Business accounts and abusing the Ads function to run malvertising schemes.  

The campaign delivers a tailored malware, which identifies individuals likely to have admin privileges, scans the victim' machine, searches for popular browsers, and extracts all the stored cookies, including any Facebook session cookies, from the browsers it finds.  

The malware component can take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account, which it then uses to hijack the victim's Facebook Business and Facebook Ads accounts.

The campaign appears to be financially motivated, according to security specialist WithSecure's new report on the Ducktail campaign.

"One of the unique features of the malware is its ability to hijack Facebook Business accounts associated with the victim's Facebook account," WithSecure's report explains. "It attempts to grant the threat actor's emails access to the business with the highest-privilege roles."

Mohammad Kazem Hassan Nejad, researcher for WithSecure Intelligence, explains that the attackers carefully select their targets, making sure they're likely to be on Facebook Ads or Business first. if the threat actor blindly distributes the malware through other forms of attack, such as malicious spam campaigns, this could ring more bells that would alarm companies, cybersecurity vendors, and Meta about Ducktail's activity much sooner, he notes.

"By scouting for companies that operate on Facebook's Ads and Business platform beforehand and targeting individuals that most likely have access to a Facebook Business account, we believe the threat actor tries to increase their chance of success whilst making the least amount of noise," he says.

**Connections to SilentFade**

Nejad adds that Ducktail is the first Facebook-centric malware operation he's aware of that attempts to directly hijack Facebook Business accounts. However, Nejad notes that an earlier Facebook malware operation, dubbed SilentFade, used similar tactics, such as utilizing infostealer logic that leverages Meta's GraphAPI to gather private information about the victims' Facebook account. SilentFade was focused on committing ad fraud.

"However, SilentFade and Ducktail also differ in a few notable ways," Nejad says. "Whereas SilentFade infects victim systems via modified pirated software and potentially unwanted programs, we've observed the Ducktail operation utilizing spear-phishing over a combination of LinkedIn and file/cloud hosting services, in a targeted manner."

And while the SilentFade operation was attributed to a group in China, Nejad says WithSecure has attributed this operation, with high confidence, to an outfit in Vietnam.

Nejad points out the threat actor has continued to update the malware to improve its ability to bypass existing or new Facebook security features alongside other implemented features.

"For instance, one of the latest mechanisms added to the malware allows the threat actor to send a list of email addresses, through their command-and-communication channel, that they would like to use to hijack a specific business," he explains.

**Facebook Business Offers Hackers a Prime Opportunity**

Facebook remains one of the most popular social-network platforms, with close to 3 billion monthly active users, according to its latest quarterly results. That large user base and the wide outreach it provides makes it a perfect platform for advertisers and businesses to operate on — and so, Facebook is one of phishers' favorite brands, according to a recent report.

Just last month, a social-engineering campaign bent on stealing Facebook account credentials and victim phone numbers targeted business pages via a savvy campaign incorporating Facebook's Messenger chatbot feature.

As Ducktail hijacks Facebook business accounts by gaining administrator-level access, it essentially gives the threat actor the ability to gain unlimited access to use the hijacked business account as they wish. This could include carrying out malicious advertising (malvertising), classic fraud efforts (running scams), or to spread disinformation. The threat actor could also potentially use its newfound access to blackmail a company by locking them out of its own business account.

"However, we believe the Ducktail operation uses hijacked business accounts purely to make money by pushing out ads, similar to the SilentFade campaign," Nejad says.

**Review Users, Revoke Access**

Nejad added that to protect themselves from these types of attacks, organizations must exercise caution, practice vigilance, and follow common cybersecurity practices.

"If you believe you've been a victim, we also recommend reviewing users who have been added to your Facebook Business account through Meta's Business Manager, and revoking access for unknown users that were granted Admin access with finance editor role, as well as terminating all browser authentication sessions and resetting your existing login credentials," Nejad says.

Ducktail Spear-Phishing Campaign Uses LinkedIn to Hijack Facebook Business Accounts

Machine learning should be considered an extension of — not a replacement for — existing security methods, systems, and teams.

Contrary to what you may have read, machine learning (ML) isn't magic pixie dust. In general, ML is good for narrowly scoped problems with huge datasets available, and where the patterns of interest are highly repeatable or predictable. Most security problems neither require nor benefit from ML. Many experts, including the folks at Google, suggest that when solving a complex problem you should exhaust all other approaches before trying ML.

ML is a broad collection of statistical techniques that allows us to train a computer to estimate an answer to a question even when we haven't explicitly coded the correct answer. A well-designed ML system applied to the right type of problem can unlock insights that would not have been attainable otherwise.

A successful ML example is natural language processing (NLP). NLP allows computers to "understand" human language, including things like idioms and metaphors. In many ways, cybersecurity faces the same challenges as language processing. Attackers may not use idioms, but many techniques are analogous to homonyms, words that have the same spelling or pronunciations but different meanings. Some attacker techniques likewise closely resemble actions a system administrator might take for perfectly benign reasons.

IT environments vary across organizations in purpose, architecture, prioritization, and risk tolerance. It's impossible to create algorithms, ML or otherwise, that broadly address security use cases in all scenarios. This is why most successful applications of ML in security combine multiple methods to address a very specific issue. Good examples include spam filters, DDoS or bot mitigation, and malware detection.

**Garbage in, Garbage Out**

The biggest challenge in ML is availability of relevant, usable data to solve your problem. For supervised ML, you need a large, correctly labeled dataset. To build a model that identifies cat photos, for example, you train the model on many photos of cats labeled "cat" and many photos of things that aren't cats labeled "not cat." If you don’t have enough photos or they're poorly labeled, your model won't work well.

In security, a well-known supervised ML use case is signatureless malware detection. Many endpoint protection platform (EPP) vendors use ML to label huge quantities of malicious samples and benign samples, training a model on "what malware looks like." These models can correctly identify evasive mutating malware and other trickery where a file is altered enough to dodge a signature but remains malicious. ML doesn't match the signature. It predicts malice using another feature set and can often catch malware that signature-based methods miss.

However, because ML models are probabilistic, there's a trade-off. ML can catch malware that signatures miss, but it may also miss malware that signatures catch. This is why modern EPP tools use hybrid methods that combine ML and signature-based techniques for optimal coverage.

**Something, Something, False Positives**

Even if the model is well-crafted, ML presents some additional challenges when it comes to interpreting the output, including:

*   **The result is a probability.** The ML model outputs the likelihood of something. If your model is designed to identify cats, you'll get results like "this thing is 80% cat." This uncertainty is an inherent characteristic of ML systems and can make the result difficult to interpret. Is 80% cat enough?
*   **The model can't be tuned**, at least not by the end user. To handle the probabilistic outcomes, a tool might have vendor-set thresholds that collapse them to binary results. For example, the cat-identification model may report that anything >90% "cat" is a cat. Your business’s tolerance for cat-ness may be higher or lower than what the vendor set.
*   **False negatives (FN)**, the failure to detect real evil, are one painful consequence of ML models, especially poorly tuned ones. We dislike false positives (FP) because they waste time. But there is an inherent trade-off between FP and FN rates. ML models are tuned to optimize the trade-off, prioritizing the "best" FP-FN rate balance. However, the "correct" balance varies among organizations, depending on their individual threat and risk assessments. When using ML-based products, you must trust vendors to select the appropriate thresholds for you.
*   **Not enough context for alert triage.** Part of the ML magic is extracting powerful predictive but arbitrary "features" from datasets. Imagine that identifying a cat happened to be highly correlated with the weather. No human would reason this way. But this is the point of ML — to find patterns we couldn't otherwise find and to do so at scale. Yet, even if the reason for the prediction can be exposed to the user, it's often unhelpful in an alert triage or incident response situation. This is because the "features" that ultimately define the ML system's decision are optimized for predictive power, not practical relevance to security analysts.

**Would "Statistics" by Any Other Name Smell as Sweet?**

Beyond the pros and cons of ML, there's one more catch: Not all "ML" is really ML. Statistics gives you some conclusions about your data. ML makes predictions about data you didn't have based on data you did have. Marketers have enthusiastically latched onto "machine learning" and "artificial intelligence" to signal a modern, innovative, advanced technology product of some kind. However, there's often very little regard for whether the tech even uses ML, never mind if ML was the right approach.

**So, Can ML Detect Evil or Not?**

ML can detect evil when "evil" is well-defined and narrowly scoped. It can also detect deviations from expected behavior in highly predictable systems. The more stable the environment, the more likely ML is to correctly identify anomalies. But not every anomaly is malicious, and the operator isn't always equipped with enough context to respond. ML's superpower is not in replacing but in extending the capabilities of existing methods, systems, and teams for optimal coverage and efficiency.

The Beautiful Lies of Machine Learning in Security

Company joins AWS Partner Network to provide customers with industrial cybersecurity solution to ensure reliable electricity and fuel supplies.

*   Siemens Energy joins the AWS Partner Network as a Technology Partner to provide customers with industrial cybersecurity, analytics, and storage solutions
*   Siemens Energy’s AI-driven Managed Detection & Response (MDR) solution is a first-of-a-kind security offering available in AWS Marketplace built for energy and utilities, by an integrated energy technology company focused across the entire energy value chain
*   MDR’s monitoring and detection insights provide scalable protection against disruptive cyberattacks in the energy sector using innovative artificial intelligence

Siemens Energy Inc, one of the world’s leading energy technology companies, announces it is joining the Amazon Web Services (AWS) Partner Network (APN), a global community of partners that leverage programs, expertise, and resources to build, market, and sell customer offerings.

This expanded relationship includes listing Siemens Energy’s Managed Detection and Response (MDR) industrial cyber security solution in AWS Marketplace, a digital catalog that makes it easy for customers to find, compare, and immediately start using the software and services that run on AWS. This MDR security offering in AWS Marketplace is built for energy and utilities, by an integrated energy technology company focused across the entire energy value chain. As energy companies strive to protect physical infrastructure from escalating cyber threats, Siemens Energy’s MDR on AWS reduces the cost and technical barriers to achieving strong, fast, comprehensive cyber defense.

Expanding access to state-of-the-art cybersecurity is essential to ensuring reliable electricity and fuel supplies. Cyber risks to infrastructure are escalating amid the ongoing transition toward renewable and low-carbon energy sources and the accompanying expansion of digital devices in the energy sector. Siemens Energy’s MDR will help customers leverage analytics to secure their infrastructure while reducing costs, improving efficacy, and reducing emissions.

Siemens Energy’s industrial monitoring and detection solution defends critical infrastructure against cyberattacks, helping protect communities around the world from supply chain disruptions. AWS’s capabilities allow MDR’s technology to quickly collect and analyze large volumes of data to monitor for cyber threats, giving energy sector chief information security officers (CISOs) the power to detect and uncover attacks before they execute.

Secure cloud capabilities that can integrate digital applications and leverage sensitive data – such as real-time monitoring and detection – add an important and cost-effective tool to the defensive arsenal for CISOs and industrial security analysts.

“The energy transition relies on seamlessly connecting physical assets with digital technologies to foster innovation, reduce emissions, and improve efficiency, but this future depends on strong cybersecurity across the whole supply chain,” said Leo Simonovich, Vice President and Global Head of Industrial Cyber, Siemens Energy. “Siemens Energy’s AI-driven industrial cyber monitoring and detection platform is purpose-built to help CISOs identify, prevent, and mitigate cyber threats to the energy sector’s digital business model. Energy companies at every scale can now access and integrate advanced cyber threat detection across their operating environment, leveraging AWS’s secure cloud platform to build and defend the foundation of a digital energy ecosystem.”

Siemens Energy Takes Next Step to Protect Critical Infrastructure

The open source fully homomorphic encryption library from Duality Technologies is intended to help developers build their own FHE-enabled applications.

While encryption is not a cure-all to address every security challenge, done right, it is an essential component for securing systems, data, and communications. However, doing encryption right is not easy and requires paying careful attention to how it is implemented.

While there are several well-established methods for encrypting data in storage (at rest) and keeping the data encrypted while moving across the network from one system to another (in transit), that isn’t the case for keeping the data encrypted while being processed by applications (in use). Fully homomorphic encryption (FHE) is one way to work with data stored in the cloud or third-party environments while keeping it encrypted.

Several companies have been experimenting with FHE recently. After completing FHE field trials, IBM has begun offering FHE service on IBM Cloud. IBM offers a FHE toolkit for MacOS, iOS, Linux, and Android. Microsoft’s Simple Encrypted Arithmetic Library (SEAL) is a free and open source cross-platform homomorphic encryption library organizations can use to run computations on encrypted data.

FHE currently is slow and has high overhead. Toward that end, Intel is working with Microsoft and DARPA (Defense Advanced Research Projects) to create an ASIC (a specialized microchip customized for a specific purpose) for FHE to help reduce computational overhead and drive down processing time.

And just last week, Duality Technologies released OpenFHE, an open source fully homomorphic encryption library.

"There are several FHE libraries out there, but they suffer from a usability dilemma," said Vinod Vaikuntanathan, co-founder and chief cryptographer at Duality Technologies, in a release. "FHE open source libraries all work on different platforms, implement different features, and have different APIs."

OpenFHE supports advanced FHE features such as bootstrapping, scheme switching, and multiple hardware acceleration backends using the standard Hardware Abstraction Layer (HAL). The associated compilers and other developer tools help developers integrate the library’s encrypted computing capabilities to create their own FHE-enabled applications.

FHE is considered to be the easiest among privacy technology, and OpenFHE is intended to be a “foundational building block” for conducting computations on encrypted data, says Kurt Rohloff, CTO and co-founder of Duality. An example use case allows data providers to encrypt their data locally, aggregate their encrypted data at a central data hub such as a cloud provider, and then run analyses on the data at the hub. All this is possible by using potentially sensitive or private data that doesn’t need to be decrypted.

OpenFHE is the “culmination of years of work” from multiple teams (PALISADE, HElib, and HEAAN) that have “decided to join forces to build the best library possible,” says Rohloff. PALISADE provides a general architecture for an extensible framework that supports multiple post-quantum FHE schemes in a single library, with the ability to integrate general hardware acceleration technologies, he says. HElib provides advanced capabilities for the BGV protocol, allowing for some of the most advanced designs for the most complicated FHE schemes. And finally, HEAAN provides extensive support for CKKS, the protocol most effective for machine learning (ML) applications run on encrypted data.

OpenFHE Brings New Encryption Tools to Developers

MenuDrive, Harbortouch, and InTouchPOS fell victim to a long Magecart infection that started in January and only ended days ago.
The post Malware spent months hoovering up credit card details from 300 US restaurants appeared first on Malwarebytes Labs.

Criminal hackers have been able to steal at least 50,000 credit cards from 300 restaurants in the US, after launching two Magecart campaigns that target the MenuDrive, Harbortouch, and InTouchPOS online payment platforms:

Magecart is a web-skimmer—malware that is injected onto a vulnerable website so it can steal credit card information as it’s entered into the site’s checkout. Because it does not interupt card payments, it just quietly siphons off users’ card details, it can be very difficult for both its victims and their users to spot.

Recorded Future’s Insikt Group recently identified two Magecart campaigns targeting the aforementioned online payment platforms. Stolen details were offered for sale in various underground marketplaces on the dark web.

“Online ordering platforms are a very attractive target since they deal with many vendors downstream, which also means a high number of customers are going to be entering payment data that could be skimmed,” said Jerome Segura, Senior Director of Malwarebytes’ Threat Intelligence Team, and an expert in web skimmers.

Although MenuDrive, Harbortouch, and InTouchPOS are not as popular as Uber Eats, Hungrrr, or DoorDash, many small, local restaurants across the US outsource their online ordering process to them as it’s cost-effective.

The Insikt Group discovered the first Magecart campaign on January 18 this year, affecting 80 restaurants via MenuDrive and 74 restaurants via Harbortouch. On both platforms, the skimmer was injected into the restaurant’s web pages, including the subdomain on the online payment service’s platform.

Skimmers deployed two scripts to MenuDrive, one built for stealing payment card details, the other made for stealing user details like the card holder’s name, email address, and phone number. On Harbortouch, however, only a single script is used to steal all personally identifiable information (PII) and card details.

The skimmer code use on MenuDrive with the exfiltration URL highlighted in orange.

The campaign against InTouchPOS started earlier than the other two—around November last year—but most skimmer injections didn’t happen until January 2022.

Instead of stealing data as it was entered into the site, the InTouchPOS skimmers overlaid the site with a fake payment form for users who are ready to checkout.

“Attackers routinely probe networks using automated tools or a more manual approach, especially if the target is deemed highly valuable,” Segura said. “Compromising a third-party site breaks the chain of trust already established between a provider and a merchant but on a scale of ‘one to many’.”

Malware spent months hoovering up credit card details from 300 US restaurants

Security professionals can now achieve real-time protection for their workloads in minutes.

**BOSTON — July 25, 2022** — Aqua Security, the leading pure-play cloud native security provider, today announced the launch of out-of-the-box runtime protection with minimal configuration to stop attacks in real time on running workloads. Protection is composed of new curated and optimized default security controls, as well as advanced threat intel from observations of real attacks on cloud native environments. Both the controls and threat intel are the result of knowledge gained through years of securing customers’ live production environments. Customers can now apply this knowledge to achieve trusted and advanced runtime protection in minutes without requiring in-depth knowledge of their applications and environments.

Using eBPF technology and threat intel from cyber research team Aqua Nautilus to identify advanced threats, Aqua surfaces the most critical issues in real time while also implementing a set of controls to protect running workloads immediately, without disrupting the business.

“Aqua is transforming the runtime security paradigm,” said Amir Jerbi, CTO and co-founder, Aqua Security. “Traditional runtime security requires security teams to have a great deal of cloud native knowledge, and as a result has been slow to adopt. Aqua is removing this barrier to adoption by making cloud workload threat protection immediately effective and easy for security professionals.”

**Stopping Attacks in Real Time with Runtime Security  
**  
Recent data from Nautilus shows that one in three live attacks could be missed when relying exclusively on snapshot scanning of running workload images. Nautilus also found tens of thousands of instances of in-memory attacks and fileless attacks in a one-month period—attacks that would not be seen or stopped without kernel-level visibility.

Aqua’s detection of anomalous behavior goes beyond point-in-time snapshots and catches malicious behavior of known and unknown threats in real time—this includes both known CVEs and zero-day exploits that have yet to be discovered. The new default runtime controls are based on ongoing recommendations from Aqua Nautilus, who detect and analyze 80,000 attacks a month using Aqua’s open source eBPF-based threat detection engine, Aqua Tracee. The result is real-time visibility at the kernel level that alerts customers the moment an attacker breaches a running workload, reducing attackers’ dwell time from months to milliseconds.

The importance of runtime security in a platform is highlighted in Gartner’s Market Guide for Cloud Workload Protection Platforms (CWPP). According to Gartner, “CWPP offerings should start by scanning for known vulnerabilities and risks in development. At runtime, they should protect workloads from attack, typically using a combination of system integrity protection, application control, behavioral monitoring, host-based intrusion prevention and optional anti-malware protection.”

Aqua’s Runtime Protection solution is part of Aqua’s fully integrated Cloud Native Application Protection Platform (CNAPP), the Aqua Platform. Customers of the Aqua Platform also have access to the entire, full set of customizable, advanced runtime capabilities if and when they decide to define and implement more stringent policies.

Key benefits of Aqua Runtime Protection include:

*   **Discover attacks immediately** with continuously updated kernel-level behavioral detection. Updates are based on cloud native threat research from Aqua Nautilus along with years of experience securing customer workloads in production.
*   **Respond faster and reduce attacker dwell time** by stopping attacks with pattern-based anti-malware in production and the option to block or delete malware on access.
*   **Simplify incident investigation** and rapidly determine the impact and attack path of a security incident with a detailed incident timeline including rich contextual information.

“Unlike overly complex runtime solutions, legacy solutions not designed for cloud-native applications, or solutions that can’t detect in real time, our goal with this release is to provide runtime security that is simple to deploy, giving you effective real-time security out-of-the-box,” said Jerbi. “What this boils down to is that, unlike alternative solutions, Aqua’s Platform will both detect sophisticated attacks and stop them in real time.”

Aqua’s out-of-the-box Runtime Protection is now available and will make an industry debut at AWS re:Inforce on July 26-27 in Boston at Booth 104. To learn more, visit Aqua’s YouTube.

**\*Gartner, “Market Guide for Cloud Workload Protection Platforms,” Neil MacDonald, Tom Croll, 12 July 2021.**

**GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.**

**Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.**

**About Aqua Security**   
Aqua Security stops cloud native attacks and is the only company with a $1 Million Cloud Native Protection Warranty to guarantee it. As the pioneer and largest pure-play cloud native security company, Aqua helps customers unlock innovation and build the future of their business. The Aqua Platform is the industry’s most integrated Cloud Native Application Protection Platform (CNAPP), prioritizing risk and automating prevention, detection and response across the lifecycle. Founded in 2015, Aqua is headquartered in Boston and Ramat Gan, Israel, with Fortune 1000 customers in over 40 countries. For more information, visit https://www.aquasec.com.

Aqua Launches Out-of-the-Box Runtime Security with Advanced Protection against the Most Sophisticated Threats

By Deeba Ahmed
If exploited, the flaw could have allowed an attacker to hijack the device’s camera and microphone to spy…
This is a post from HackRead.com Read the original post: Flaws in Enabot Ebo Air Home Security Robot Allowed Attackers to Spy on Users

****If exploited, the flaw could have allowed an attacker to hijack the device’s camera and microphone to spy on the homeowners.****

Security lab Modux researchers identified a flaw in Enabot’s Ebo Air smart robot, a device designed to entertain your entire family and pets. As per Modux researchers’ findings, attackers could easily hack the smart robot by exploiting the flaw and spying on the occupants/users.

The attacker can record videos, compromise the camera, and communicate with the users via the device’s built-in microphone. All this can happen while the device owners remain unaware of hacking, and the attacker can discreetly monitor the indoor activities.

Image captured by researchers (Image: Modux Labs

**What is the Flaw?**

While testing the Ebo Air smart robot, Modux discovered it was pre-configured with a default admin password. Therefore, an attacker could use the password to connect to the device through the Secure Shell/SSH network communication protocol, which computers use to enable communication.

Once this is done, the attacker can access and exploit almost all functions of the device, from accessing/capturing audio video to conducting surveillance. It is worth noting that the hack could be successful only if the attacker hacks your home Wi-Fi network, which isn’t too difficult considering the poor security mechanisms in routers.

**Risks Associated with the Flaw**

When attackers gain remote control over the device, they can fully control it remotely (from anywhere) anytime. Furthermore, any Ebo Air robot could be exploited with the flaw, whether on sale or in use by homeowners, because the default password was the same.

Another issue is that the device didn’t get wiped entirely after a factory reset, so the users’ passwords would still be accessible even if the device is sold. In that case, the new owner could easily access your home Wi-Fi network and identify your location.

**Current Status of the Flaw**

According to Modux Labs’ blog post, they promptly informed Enabot about the flaw, and the company responded positively. The company fixed the flaw and mitigated the threat by terminating the SSH service and eliminating the chance of an attacker controlling the device.

Moreover, Enabot fixed the incomplete factory data reset issue. However, Ebo Air users can still be at risk unless they update the app and device to install the latest security fixes.

**Lesson Learned**

In conclusion, it is evident that IoT devices are at major risk due to their default credentials. One must be sure to change these credentials after setting up the device. Additionally, it is important to keep an eye on the latest security patches issued by the manufacturer. By doing so, we can help mitigate the risk of our IoT devices being compromised.

**More IoT Security News**

1.  ThroughTek Flaw Exposed Millions of IoT Cameras to Spying
2.  New malware found targeting IoT devices, Android TV globally
3.  Millions of IoT devices, baby monitors open to audio, video snooping
4.  High severity Intel chip flaw left cars, medical and IoT devices vulnerable
5.  Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices

Flaws in Enabot Ebo Air Home Security Robot Allowed Attackers to Spy on Users

SecuriThings' CEO Roy Dagan tackles the sometimes overlooked security step of physical security maintenance and breaks down why it is important.

SecuriThings’ CEO Roy Dagan tackles the sometimes overlooked security step of physical security maintenance and breaks down why it is important.

Infosec Insiders author Roy Dagan, CEO, SecuriThings

A crime occurs, police go to access video of the scene and then discover that crucial views are not available due to an outage or malfunction. This is precisely what the NYPD encountered in the recent subway shooting  in New York City this past April when multiple surveillance cameras and video feeds failed at subway stations where the shooter was active. Should this be happening in 2022?

Unfortunately, outages of surveillance video are more common than you might think. There are many incidents that happen every year where having a working physical security system could have helped catch the perpetrators early.

But in many cities and enterprises there is a startling  gap in maintenance of expensive security technology installed to protect the public. Equally surprising: this public safety problem is eminently fixable. In case after case, manual audits, planned periodic manual checks, and reliance on a variety of third parties simply don’t lead to accurate diagnostics or maintenance taking place.

The NYC case is not unique; it’s just the most recent high-profile example. The maintenance disconnect is seen in security systems nationwide. Investment in physical security for governments, transport systems, cities, hospitals, and many venues can reach millions of dollars per year. But what good is it to buy the equipment without organizing  maintenance to be effective – to actually _happen_? This massive industry problem is, by extension, also a public safety and law enforcement issue.

****Physical Security Doesn’t Get the Maintenance It Needs****

It’s striking that hundreds – perhaps thousands – of cases of physical security system failure happen each year and remain in the shadows. What happened with the New York’s subway surveillance is most notable for one reason: it made news because it may have impeded identification of a terror suspect.

Cyber criminals routinely attempt to compromise IoT devices like networked cameras as entry points to attack IT networks. That’s just one reason cybersecurity must extend to connected devices used for physical security. But modern physical security infrastructure needs additional 24/7 automated protection and cyber management – beyond blocking hackers – to maintain 99% uptime and fulfill its physical security function.

In Atlanta, the most-surveilled U.S. city (49 cameras per 1,000 inhabitants), a 2021 murder in a park went unrecorded because nine cameras were down. Atlanta tries to have each of its 25,000-odd cameras checked twice a week, but is hampered by having different maintenance agreements with various providers and camera vendors for different makes. To its credit, Atlanta managed to drive down its not-working ratio down from 18% to 10%, but that is still twice its stated target.

****Why Security Cameras Must Not Fail, and Why They Do****

Every camera counts. One camera being down can mean no criminal identification. Multiple views are often necessary to secure arrests and convictions – making them far more important than 14-megapixel resolution. For identification purposes, a wide-angle view is rarely definitive. Conclusive identification usually comes from a narrow-angle view, so area coverage requires numerous cameras or mobile units.

Multiple cameras allow seamless tracking of a perpetrator from a crime scene, tracing a person from camera to camera to camera. That can lead to a vehicle or positive ID, or even enable police to establish stalking and intent, and identify collaborators. Knock one camera out of action, and the chain of identification can be broken.

There is another obvious reason physical safety depends on having a sufficient number of cameras up and running to catch multiple views: minutes and seconds of delay in identifying matter a great deal.

If a security device malfunctions when most needed, the cost to the organization can be very high. The price in human terms could even be higher. An assault on company property that goes unseen and unstopped by security guards because a camera fails as a result of insufficient maintenance, could directly lead to tragic outcomes for victims, and of course, lawsuits.

Video loss on surveillance security cameras is common. The causes can include severe weather, network issues, bad power supply, cabling problems, defective hardware, software bugs, IP address conflicts, and misconfiguration. And malicious hacking – or plain old vandalism.

Despite the wide range of root causes, the #1 cause of non-working video is simple lack of maintenance. Resource-constrained organizations may underestimate maintenance needs and costs. The fact is, many NVR and DVR systems fail within three years, so predictive maintenance is key. Since the unpredictable happens, it’s essential that system operators have fast, remote outage detection and diagnostic capability.

Manual maintenance checks are not scalable, and they are expensive. Atlanta recently estimated its cost of maintenance at $600 annually per camera, which is high. This shows the high cost of farming out maintenance to third parties that may do sporadic manual checks, rather than having automated, centralized control of devices and visibility into diagnostics.

****In 2022, Maintenance of Physical Security Systems Should Not Be an Afterthought****

It’s time for all facility operators, not just New York’s MTA, to adopt the technology that can manage and scale with their camera installations, and answer the urgency of central monitoring of their operation and security. NYC has 10,000 cameras in its subway system; the city of San Francisco  has over 2,000 networked cameras overseen by neighborhood groups. Chicago has approximately  32,000 cameras.

Let’s picture this. After costly, laborious manual checks of surveillance cameras, a list of outages – often without accurate diagnostics – is handed upward, and is easily forgotten in a folder or desk drawer. By contrast, a centralized system that is constantly checking _every_ camera, and doesn’t forget to alert management with accurate diagnostics when problems arise, is hard to ignore. Moreover, when  it’s abundantly clear the system keeps track of just how long each camera was offline, quick action is incentivized. This type of management platform can also automate and carry out key security and maintenance operations such as firmware upgrades and password rotations that are essential to the health and uptime of each device.

These functions scale effectively when all the equipment is tracked and managed in one system; by contrast, a patchwork quilt of \[manual\] maintenance measures will have gaps and is proven ineffective..

For tasks like routine maintenance, full visibility is needed to know which cameras are down, and then determine why. Security staff and IT need remote diagnosis of malfunctioning units, to know whether an onsite technician visit is necessary.  Given the technology available to manage and protect them today, all security cameras in public-facing and urban settings and transit systems should be properly secured, maintained, and managed – and they should work. It’s just too risky and costly to keep doing what does not work.

_Roy Dagan is CEO and & Co-founder of SecuriThings—the provider of the first IoTOps solution designed to help organizations maximize their devices’ operational efficiency and security. He started the company after many years of building cyber security, risk management and intelligence systems. Prior to SecuriThings, Roy held multiple roles leading product management teams in a range of companies including RSA, The Security Division of EMC and NICE Systems._

Tag

#intel