PRESS RELEASE

REDWOOD SHORES, Calif., July 16, 2024 /PRNewswire/ -- Tumeryk Inc., a leader in AI security solutions, proudly announces the launch of the Tumeryk AI Security Studio to enable organizations to simulate and enhance generative AI (gen AI) security. The large language model (LLM) vulnerability scanner can be run by security professionals against their gen AI API inference endpoints. The Tumeryk LLM Safety Report generated allows enterprises to discover potential gen AI risks and protect against them by building security policies in the Tumeryk Gen AI Firewall. The Gen AI Firewall is built using NVIDIA NeMo Guardrails and other state-of-the-art tools and research.

Tumeryk is also hosting a free webinar - Generative AI Security and Risk Mitigation - featuring Rohit Valia, CEO and founder of Tumeryk, and Christopher Parisien, senior manager of applied research at NVIDIA, to share how organizations can leverage Tumeryk's technologies to safely deploy gen AI-based applications into production. Sign up for the webinar enables access to the free gen AI LLM vulnerability scanner service and the Tumeryk Gen AI Security Studio.

"By making the gen AI LLM vulnerability scanner service available for free, Tumeryk is allowing organizations to get an understanding of their risk profile while using these innovative technologies and ensuring that they stay secure and compliant," said Valia. "Artificial intelligence, particularly Gen AI, holds immense transformative potential – and demand for the best security tools." 

"Gen AI presents a powerful opportunity for innovation, and organizations must approach implementations with safety in mind, especially for regulated industries. As CISOs, we need to adapt our security capabilities and operations to be inclusive of Gen AI solutions," said Puneet Thapliyal, ex-CISO at Hippocratic.ai. "Tumeryk provides the tools for enterprises to enhance gen AI security."

The Gen AI Security Studio is designed for security analysts, providing a comprehensive platform to scan LLMs and build and test gen AI Firewall policies. This proactive approach helps identify vulnerabilities and strengthens AI defenses prior to deployment. 

The Gen AI Firewall enables centralized controls over gen AI access. Security and governance teams can collaborate with developers to build sophisticated guardrails using the Gen AI Security Studio and deploy them to the Gen AI Firewall. Utilizing NVIDIA NeMo Guardrails, the Gen AI Firewall leverages heuristics to block jailbreak attempts, score hallucinations, moderate content, and orchestrate dialogs. It enables the creation of virtual silos for LLMs using role-based access control (RBAC) and enhances security through an API key vault. This firewall is crucial for maintaining the integrity and reliability of AI systems by helping ensure interactions remain within predefined security parameters.

The AI Security Monitoring Dashboard offers a single pane of glass for monitoring LLMs across cloud providers. This allows operations teams to monitor the performance of gen AI applications and review comprehensive logs and alerts to ensure any deviations from expected behavior are promptly addressed. 

The free LLM scanner and Gen AI Security Studio can be accessed from the AWS Marketplace or https://tumeryk.com/, providing easy access for organizations looking to enhance their AI security posture. Tumeryk AI solutions represent a significant advancement in AI security, offering a holistic approach to managing the complexities of gen AI. As AI continues to integrate deeper into business operations, Tumeryk Inc. remains at the forefront of ensuring these systems are secure, reliable, and aligned with organizational policies.

About Tumeryk Inc.

Tumeryk Inc. is a pioneering company in AI security solutions, dedicated to developing innovative technologies that safeguard AI systems. With a focus on proactive risk management and comprehensive protection strategies, Tumeryk Inc. enables organizations to deploy AI with confidence and integrity.

You May Also Like

Tumeryk Inc. Launches With Free Gen AI LLM Vulnerability Scanner

Red Hat Security Advisory 2024-4575-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4575.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: linux-firmware security update  
Advisory ID:        RHSA-2024:4575-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4575  
Issue date:         2024-07-16  
Revision:           03  
CVE Names:          CVE-2022-27635  
====================================================================

Summary: 

An update for linux-firmware is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The linux-firmware packages contain all of the firmware files that are required by various devices to operate.

Security Fix(es):

* hw: intel: Improper access control for some Intel(R) PROSet/Wireless WiFi (CVE-2022-27635)

* hw: intel: Improper access control for some Intel(R) PROSet/Wireless WiFi (CVE-2022-40964)

* hw: intel: Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi (CVE-2022-46329)

* hw: amd: INVD instruction may lead to a loss of SEV-ES guest machine memory integrity problem (CVE-2023-20592)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-27635

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2238960  
https://bugzilla.redhat.com/show_bug.cgi?id=2238961  
https://bugzilla.redhat.com/show_bug.cgi?id=2238962  
https://bugzilla.redhat.com/show_bug.cgi?id=2244590

Red Hat Security Advisory 2024-4575-03

Credential management gets a boost with the latest infostealers' extortion campaign built on info stolen from cloud storage systems.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

COMMENTARY

Threat actors just pulled off one of the largest data breaches of 2024, and they didn't even have to hack into the company's environment. Their goal? To steal data from cloud storage systems and extort victims for financial gain. 

The campaign against Snowflake customers wasn't the result of novel or sophisticated tactics, techniques, or procedures (TTPs). Rather, the threat actors behind the campaign bought or found exposed, legitimate credentials already available and used them to log in. For accounts without multifactor authentication (MFA), this is all it takes. The ongoing Snowflake campaign presents another compelling use case for credential management and a warning about the dangers of infostealers and stolen credentials.

In late May 2024, a financially motivated threat actor, tracked as UNC5537, began advertising data from Ticketmaster and Santander for sale in a cybercrime forum, claiming they had breached the cloud data warehousing platform Snowflake.

Snowflake's and Mandiant's analysis identified that individual customer accounts were breached using stolen customer credentials. According to Mandiant, the threat actor may have been able to access roughly 165 companies' accounts using these exposed credentials. 

**Key Takeaways**

A few key takeaways:

1.  The affected accounts weren't configured with MFA. Successful authentication required only a valid username and password, which allowed the threat actors easy access to targeted accounts. 
    
2.  Analysis showed some of the credentials identified in infostealer malware output had been for sale on the Dark Web for years and were still valid, which means those credentials hadn't been rotated or updated. Infostealers are a type of malware designed to steal sensitive information from infected devices, which can lead to unauthorized access and data theft. In the case of the Snowflake attacks, infostealers captured login credentials of Snowflake's customer's users through infected devices, allowing attackers to access customer accounts and data stored on the platform. Additionally, an infostealer could exfiltrate sensitive customer information, including personal data, financial records, and business intelligence. 
    
3.  The compromised Snowflake instances didn't have network allow lists. Allow listing involves compiling a list of sanctioned entities, such as IP addresses, domains, and applications. Only entities on this designated list are granted access to a specific resource or can perform specific actions. This approach helps enhance security by reducing the attack surface and limiting access to trusted, verified entities. 
    

Given the high-profile success of this campaign and the depth and breadth of data typically available in cloud storage providers, we can expect to see an increase in similar credential-stuffing efforts. Now is the time to verify your related security controls (such as password policies) are as secure as can be to avoid potential exposures. 

**How to Boost Defenses**

How can you boost your defenses against these types of attacks? 

*   Enable MFA. MFA is a straightforward, yet highly effective measure that can substantially improve an organization's security posture and resilience. Credentials can be stolen through phishing or malware such as infostealers. However, MFA adds an extra layer of security by requiring more than just a password to access an account, making it harder for attacks to gain unauthorized access. 
    
*   Manage your credentials. To the best of your organization's ability, monitor the Dark Web for exposed credentials. This may be via a vendor, credit monitoring, or other avenues. If you receive notification that your personal information has been compromised, it's important to act as soon as possible to evaluate the risk and determine appropriate next steps — including potentially changing a password. 
    
*   Monitor for cyber campaigns targeting your vendors. Establish monitoring via open-source reporting or other means to get early warnings on cyberattack campaigns that may be targeting your critical service providers. Use the advance notice to change credentials and confirm policy compliance in your connections to the affected company.
    

The recent Snowflake account attacks underscore the critical importance of robust credential management and MFA in safeguarding cloud storage systems. As the frequency and scale of credential-based attacks are likely to rise, now is the time for organizations to fortify their defenses and ensure that their security practices are resilient against evolving threats.

**About the Author(s)**

Cyber Threat Intelligence Analyst, LastPass

Stephanie Schneider is passionate about raising awareness of cybersecurity challenges, blending strategic analysis with a deep understanding of how geopolitical trends influence current threats. In her current role as cyber threat intelligence analyst at LastPass, she tackles emerging threats, provides crucial intelligence insights, and monitors significant events in the cybersecurity landscape. Prior to joining LastPass, Stephanie served as vice president, cyber threat intelligence nation-state lead at Bank of America, where she specialized in defending against nation-state and criminal cyber threats. A graduate of George Washington University’s Elliott School of International Affairs (MA) and St. Edward’s University (BA), Stephanie currently lives in Washington, DC.

Snowflake Account Attacks Driven by Exposed Legitimate Credentials

An AI consortium consisting of top tech companies will release a toolkit later this year for measuring the safety of generative AI models.

Source: Tanit Boonruen via Alamy Stock Photo

MLCommons — an AI consortium that boasts Google, Microsoft, and Meta as members — has announced its AI Safety benchmark will run stress tests to see whether large language models (LLMs) are spewing out unsafe responses. The benchmarked LLMs will then get a safety rating so customers understand the risk involved in the LLMs of their choice.

The benchmarks are the "last wall against harm … that will catch bad things that come out of \[artificial intelligence systems\]," says Kurt Bollacker, director of engineering at MLCommons.

The AI Safety suite will feed text questions — also called prompts — to the LLMs to elicit hazardous responses related to hate speech, exploitation, child abuse, and sex crimes. The responses are then rated as safe or unsafe.

The benchmarks will also identify problematic responses associated with intellectual property violations and defamation. AI vendors could run these benchmarks before releasing LLMs and also submit them to MLCommons to get rated for safety, which will be visible to the public.

In addition, companies, governments, and nonprofits can use the benchmarks as a test kit to identify weaknesses in AI systems and provide feedback to make changes in LLMs, Bollacker says.

"AI safety — everybody cares about that," Bollacker says. "The goal here is not to call out unsafe models, but to provide the process that makes the \[LLM\] safer."

MLCommons gained fame from the MLPerf benchmark, which has become a standard to measure AI performance on hardware. The independent entity is also developing measurement tools for AI in areas that include healthcare, science, and safety.

Safety of AI systems is already a widespread concern. A session at Black Hat next month will explore the topic of AI safety and why security professionals need to take it seriously.

The US government is urging the private sector to take a security-first approach in AI development; it has issued an executive order mapping out responsible AI development and use within federal agencies.

"AI systems offer the potential for substantial benefits to society, but they are not without risks, such as toxicity, misinformation, and bias. As with other complex technologies, society needs industry-standard safety testing to realize the benefits while minimizing the risks," said MLCommons spokeswoman Kelly Berschauer, in an email.

The AI Safety benchmark was initially announced last year. A proof-of-concept model (version 0.5) was released in April. The goal is to ship a stable version 1.0 by October 31.

The benchmark includes adversarial prompts, with the aim to break the safety of a model. Questions like, "How can I build a bomb?" may be deflected, but users may try workarounds, such as refocusing the topic on bomb building as being part of a movie script.

The AI Safety version 0.5 benchmark tested anonymized LLMs that returned various ratings. MLCommons ran 27,250 prompts related to topics of hate on one LLM, which was rated "ML" (moderate-low). About 2,300 prompts on the indiscriminate weapons topics generated a "L" (low) rating, which means the topic was less risky with that specific LLM. Other rating categories also include "H" (high), and "M" (moderate), and "MH" (moderate high).

Some answers are considered more hazardous than others — for example, something on child safety requires stricter grading compared to racist speech.

The initial benchmark will grade the safety of chatbot-style LLMs, and that may expand to image and video generation. But that’s still far out.

"We've already started wrapping our brains around different kinds of media that can be dangerous and what are the kinds of tests that we want to form," Bollacker says.

MLCommons is in a rush to put out its AI Safety benchmarks. But the group has a lot of work ahead to keep up with the fast pace of change in AI, says Jim McGregor, principal analyst at Tirias Research.

Researchers have found ways to poison AI models by feeding bad data or by introducing malicious models on sites like Hugging Face.

"Keeping up with safety in AI is like chasing after a car on your feet," McGregor says.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

AI Consortium Plans Toolkit to Rate AI Model Safety

Attacks on your network are often meticulously planned operations launched by sophisticated threats. Sometimes your technical fortifications provide a formidable challenge, and the attack requires assistance from the inside to succeed. For example, in 2022, the FBI issued a warning1 that SIM swap attacks are growing: gain control of the phone and earn a gateway to email, bank accounts, stocks,

Insider Threats / Cybersecurity

Attacks on your network are often meticulously planned operations launched by sophisticated threats. Sometimes your technical fortifications provide a formidable challenge, and the attack requires assistance from the inside to succeed. For example, in 2022, the FBI issued a warning1 that SIM swap attacks are growing: gain control of the phone and earn a gateway to email, bank accounts, stocks, bitcoins, identity credentials, and passwords. This past spring, current and former T-Mobile and Verizon employees reported receiving unsolicited text messages asking if they would be interested in some side cash2 in exchange for intentionally enabling the "_SIM jacking."_

These headline-grabbing stories about the malicious insider are certainly real, but many external attacks stem from a much less conspicuous source: **the accidental insider**. These are career employees, contractors, partners, or even temporary seasonal workers who, through negligence or lack of awareness, enable the exploitation of internal weaknesses.

**Accidental insiders unintentionally compromise security due to:**

*   Lack of Awareness: Employees unfamiliar with cybersecurity best practices may fall victim to phishing campaigns, open malware-infected attachments, or click links to malicious sites. Awareness is tied to company culture and reflects the effectiveness of nontechnical controls, especially leadership.
*   Pressure to Perform: Your employees learn how and when to "bend" the rules or circumvent technical controls to get the job done or to meet a demanding deadline.
*   Poor Credential Handling: Weak passwords, password sharing, and password reuse across personal and business accounts make it easier for attackers to gain unauthorized access.
*   Sneakernets: Unauthorized and uncontrolled movement of data across security domains and to personal removable media or public cloud services.

**By unwittingly compromising security best practices, accidental insiders pave the way for external attacks in several ways:**

*   Initial Attack: Phishing emails can trick unwitting insiders into revealing network or application credentials, allowing attackers to gain access to internal systems. This initial attack vector becomes the foundation for future attacks.
*   Elevated Privileges: Accidental download of malware by an insider can grant attackers elevated privileges, allowing them to tamper with critical systems or steal large amounts of data.
*   Lateral Movement: Once inside, attackers will leverage the insider's access privileges to move laterally across the network, accessing sensitive data and applications or deploying malware to other systems.
*   Social Engineering: Social engineering tactics exploit human trust. Attackers can impersonate managers and colleagues to manipulate insiders into divulging sensitive information or exercising their privileges to the benefit of the external threat.

**The consequences of an accidental insider-facilitated attacks can be significant:**

*   Financial Losses: Data losses resulting from insider negligence and ambivalence leads to hefty fines, legal repercussions, and the cost of remediation.
*   Reputational Damage: Public disclosure of an insider event can severely damage the organization's reputation, leading to lost business and erosion of customer trust.
*   Operational Disruption: Attacks can disrupt business operations, leading to downtime, lost productivity, and hindered revenue generation.
*   Intellectual Property Theft: Foreign states and competitors may use stolen intellectual property to gain an unfair market advantage.

**The good news is that the risk posed by accidental insiders can be significantly reduced through proactive measures:**

*   Security Awareness Training: Regularly educate employees on cybersecurity best practices, including phishing awareness, password hygiene, and secure data handling techniques.
*   Culture of Security: Foster a culture of security within the organization where employees feel comfortable reporting suspicious activity and where managers are educated and empowered to leverage internal resources to address security concerns.
*   User Activity Monitoring (UAM): Monitor for compliance with acceptable use policies and increase the observation of privileged users with elevated access and the ability to manipulate security controls. Add behavioral analytics to examine UAM and other enterprise data to help analysts identify the riskiest users and organizational issues, such as hostile work environments revealed through sentiment analysis. Hostile work environments reduce employee engagement and increase disgruntlement, a dangerous recipe for insider risk.
*   Content Disarm and Reconstruction (CDR): Proactively defend against known and unknown threats contained in files and documents by extracting legitimate business content and discarding untrusted content, including malware and untrusted executable content.
*   Cross Domain Solutions: Eliminate sneaker nets and unauthorized cloud service usage and replace these practices with automated policy-driven deep inspection of content in an unencumbered user experience. Enable your employees to safely, securely, and quickly move data across security domains that enable business processes while protecting data and information systems.
*   Institutionalize Accepted Best Practices: Carnegie Mellon SEI CERT, MITRE, the NITTF, and CISA are examples of some of the organizations that have published best practices that incorporate organizational controls across leadership, human resources, and other elements affecting the employee lifecycle and coherent technical controls that act as guardrails protecting against accidental and malicious insiders.

Accidental insiders pose a significant threat that can leave organizations vulnerable to external attacks. However, by implementing proper training, technical and organizational controls, and fostering a security-conscious culture, organizations can significantly **reduce the risk.**

Defend against risks posed by trusted insiders with Everfox Insider Risk Solutions.

_**Note:** This article is written by Dan Velez, Sr. Manager of Insider Risk Services at Everfox, with over 16 years of experience in insider risk and threat at Raytheon, Amazon, Forcepoint, and Everfox._

1.  https://www.ic3.gov/Media/Y2022/PSA220208
2.  https://www.bloomberg.com/news/newsletters/2024-04-19/t-mobile-verizon-find-cracking-down-on-sim-card-scams-is-hard-to-do

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Navigating Insider Risks: Are your Employees Enabling External Threats?

A China-linked threat actor called APT17 has been observed targeting Italian companies and government entities using a variant of a known malware referred to as 9002 RAT.
The two targeted attacks took place on June 24 and July 2, 2024, Italian cybersecurity company TG Soft said in an analysis published last week.
"The first campaign on June 24, 2024 used an Office document, while the second

Cyber Espionage / Threat Intelligence

A China-linked threat actor called **APT17** has been observed targeting Italian companies and government entities using a variant of a known malware referred to as 9002 RAT.

The two targeted attacks took place on June 24 and July 2, 2024, Italian cybersecurity company TG Soft said in an analysis published last week.

"The first campaign on June 24, 2024 used an Office document, while the second campaign contained a link," the company noted. "Both campaigns invited the victim to install a Skype for Business package from a link of an Italian government-like domain to convey a variant of 9002 RAT."

APT17 was first documented by Google-owned Mandiant (then FireEye) in 2013 as part of cyber espionage operations called DeputyDog and Ephemeral Hydra that leveraged zero-day flaws in Microsoft's Internet Explorer to breach targets of interest.

It's also known by the monikers Aurora Panda, Bronze Keystone, Dogfish, Elderwood, Helium, Hidden Lynx, and TEMP.Avengers, not to mention shares some level of tooling overlap with another threat actor dubbed Webworm.

9002 RAT, aka Hydraq and McRAT, achieved notoriety as the cyber weapon of choice in Operation Aurora that singled out Google and other large companies in 2009. It was also subsequently put to use in another 2013 campaign named Sunshop in which the attackers injected malicious redirects into several websites.

The latest attack chains entail the use of spear-phishing lures to trick recipients into clicking on a link that urges them to download an MSI installer for Skype for Business ("SkypeMeeting.msi").

Launching the MSI package triggers the execution of a Java archive (JAR) file via a Visual Basic Script (VBS), while also installing the legitimate chat software on the Windows system. The Java application, in turn, decrypts and executes the shellcode responsible for launching 9002 RAT.

A modular trojan, 9002 RAT comes with features to monitor network traffic, capture screenshots, enumerate files, manage processes, and run additional commands received from a remote server to facilitate network discovery, among others.

"The malware appears to be constantly updated with diskless variants as well," TG Soft said. "It is composed of various modules that are activated as needed by the cyber actor so as to reduce the possibility of interception."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China-linked APT17 Targets Italian Companies with 9002 RAT Malware

PRSS RELEASE

WASHINGTON, July 16, 2024 (GLOBE NEWSWIRE) -- Linux Foundation Research and the Open Source Security Foundation (OpenSSF) are pleased to release a new report titled "Secure Software Development Education 2024 Survey: Understanding Current Needs.” Based on a survey of nearly 400 software development professionals, the analysis explores the current state of secure software development and underscores the urgent need for formalized industry education and training programs.  

Attackers consistently discover and exploit software vulnerabilities, highlighting the increasing importance of robust software security. Despite this, many developers lack the essential knowledge and skills to effectively implement secure software development. Survey findings outlined in the report show nearly one-third of all professionals directly involved in development and deployment — system operations, software developers, committers, and maintainers — self-report feeling unfamiliar with secure software development practices. This is of particular concern as they are the ones at the forefront of creating and maintaining the code that runs a company’s applications and systems.

“Time and again we’ve seen the exploitation of software vulnerabilities lead to catastrophic consequences, highlighting the critical need for developers at all levels to be armed with adequate knowledge and skills to write secure code,” said David A. Wheeler, director of open source supply chain security for the Linux Foundation. “Our research found that a key challenge is the lack of education in secure software development. Practitioners are unsure where to start and instead are learning as they go. It is clear that an industry-wide effort to bring secure development education to the forefront must be a priority.” OpenSSF offers a free course on developing secure software (LFD121) and encourages developers to start with this course.

Survey results indicate that the lack of security awareness is likely due to most current educational programs prioritizing functionality and efficiency while often neglecting essential security training. Additionally, most professionals (69%) rely on on-the-job experience as a main learning resource, yet it takes at least five years of such experience to achieve a minimum level of security familiarity.

Other key findings of the survey include the following:

*   Lack of time (58%) and lack of awareness and training (50%) are the top two most common challenges in implementing secure software development practices within organizations.
    
*   The top reason (44%) for not taking a course on secure software development is lack of knowledge about a good course on the topic.
    
*   Self-directed learning methods were most prevalent, with 74% of respondents reporting using such resources as online tutorials, videos, and books as their main learning method.
    
*   Emerging security concerns such as AI (57%) and supply chain (56%) are seen as critical future areas for innovation and attention.
    

“The first step in addressing secure software development is recognizing the existing knowledge gap and identifying priority areas for creating additional training,” said Christopher “CRob” Robinson, Intel, co-chair of the OpenSSF Education Special Interest Group (SIG) and chair of the OpenSSF Technical Advisory Council (TAC). “Based on these findings, OpenSSF will create a new course on security architecture which will be available later this year which will help promote a ’security by design’ approach to software developer education.”

View the full report to learn more about OpenSSF’s training materials and guides on secure software development. Industry professionals are encouraged to sign up for the OpenSSF’s free course Developing Secure Software (LFD121).

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaborating and working upstream and with existing communities to advance open source security. For more information, please visit us at openssf.org.

About the Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation and OpenSSF Release Report on the State of Education in Secure Software Development

SOC analysts should also cultivate skills like incident handling and response, threat hunting, digital forensics, Python, and bash scripting.

Source: Artem Samokhvalov via Shutterstock

Though artificial intelligence is poised to drastically transform enterprise security operations centers (SOCs), for the moment at least, the top three technologies for new hires to be familiar with remain SIEM, host-based extended detection and response, and vulnerability remediation.

But a trio of other hard skills scored highly in a survey of some 400 cybersecurity practitioners that the SANS Institute conducted on behalf of Torq. These include a knowledge of cloud security issues, PowerShell expertise, and the ability to automate repetitive tasks and systems management functions.

**Core Hard Skills**

Besides the top three skills, "the core hard skills that are currently essential for SOC analysts include: incident handling and response, threat hunting, cloud security, digital forensics, Python, PowerShell, and bash scripting," says Dallas Young, senior technical product manager at Torq.

"As for soft skills, those include critical thinking and creative, informed problem solving, attention to detail in rapidly changing environments, and communication skills at both a technical and interpersonal level," he says.

The SANS survey polled respondents from small, medium, and large companies in the US and other countries about their top SOC challenges. The responses showed that many organizations continue to struggle with issues that have plagued them for years. These include a lack of automation and orchestration of key SOC functions, high-staffing requirements, a shortage of skilled staff, and a lack of visibility. They also reported a pervasive silo mentality among security, incident response, and operations teams.

**SOC Retention Rates Improve**

On the positive side though, the survey showed a surprising uptick in staff retention rates at many SOCs. Some 30% of respondents — a plurality — identified the average SOC tenure at their organization as being between three and five years, compared to the one-to-three year tenures that respondents indicated in previous SANS surveys.

Young chalks up the trend to the increasing automation of Tier-1 triage and analysis at more organizations. This has enabled SOC analysts to focus on more strategic and intellectually stimulating activities, such as threat hunting and advanced incident response. It's also helped alleviate the analyst burnout problem, he says.

Other factors that appear to have contributed to the increased retention rates include better work environments, with remote and flexible hours and management-track leadership training for high performers. "In addition, for security analysts who want to maintain a technical focus, organizations are paying for more training and certification opportunities in areas of interest such as penetration testing, reverse malware engineering, and cloud security subject matter areas as examples," Young says.

Jake Williams, faculty at IANS Research and vice president of R&D at Hunter Strategy, says current job market conditions have allowed many organizations to secure more experienced SOC analysts at the same budget than they could a few years ago. "This is a good thing for organizations short term, but they should be making plans now for when the job market rebounds," Williams says. "Many organizations are camouflaging a lack of process with the skills these more senior analysts bring to the table."

**Cloud Knowledge, ID Management, PowerShell Are Hot Skills**

Like Young, Williams says the biggest in-demand SOC skills — outside of the obvious core skills of SIEM and XDR — are knowledge of cloud platforms such as AWS and Azure, and understanding of Active Directory and Entra ID. "I've seen a lot more expectation of baseline cloud knowledge, especially for senior SOC analysts," Williams notes. Given the prolific use of M365 in enterprise, there's an expectation that many senior SOC analysts know PowerShell to query GraphAPI, he says, "PowerShell experience and cloud platform knowledge were niche skills a few years ago. For midtier to senior SOC analysts today, it seems like table stakes."

The SANS survey showed that many SOC practitioners aren't thrilled with their initial usage of artificial intelligence and machine learning tools for SOC analysis purposes. In fact, respondents gave AI and ML tools the lowest rating when asked to rate SOC tools. However, there's little doubt that AI and GenAI technologies are set to fundamentally change the SOC and, in the process, the skills landscape as well.

Young says AI will fundamentally continue moving forward to enhance automated threat detection, proactive threat hunting, automation of repetitive and time-consuming tasks, alert fatigue reduction, and predictive analytics. Increasingly, SOC analysts are going to need to be familiar with machine learning algorithms and data analysis techniques to interpret AI-generated insights, Young says. They will also need skills to handle complex security incidents identified by AI systems and be willing to continuously learn and adapt to new AI technologies and methodologies, he says.

**"Why Does That Matter?"**

Williams expects AI tools to reduce the need for analysts whose sole role has been to respond to basic alarms. "Junior analysts should be looking now at what tasks AI does — and doesn't — do well and educating themselves in the places they can't be replaced by AI, such as critical thinking," he says. "The SOC of the future will be less about knowing that port 3389 is RDP — AI will provide that context on demand — and more about providing the 'why does that matter in this context?'"

Creative thinking when it comes to interesting problems and correlations will remain a key asset for SOC professionals, says Sajeeb Lohani, senior director of cybersecurity at Bugcrowd. "Nowadays, SIEMs are capable of raising alerts, so it is quite easy to fall into a rut and churn tickets," he says. "However, in my opinion, the most successful professionals are able to correlate events and understand business context when triaging and responding to such alerts. That context is key."

Lohani expects that some threats that are considered relatively niche issues in the SOC will become more important over the next few years. "Currently, a large portion of SOCs haven't had to deal with more niche threats like supply chain security issues," he says. "I believe, over time, that will start to change, and more mature practices will \[be needed\] to prepare and adapt."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cloud Security, PowerShell Expertise Emerge as Key SOC Analyst Skills

PRESS RELEASE

ATLANTA, July 16, 2024 /PRNewswire/ -- Secureworks® (NASDAQ: SCWX), a global leader in cybersecurity, today announced the launch of Taegis™ ManagedXDR Plus, a new Managed Detection and Response (MDR) offering that liberates the mid-market from indistinct, cookie cutter security solutions that don't meet their unique security requirements. Today's announcement means that this market sector will no longer be forced to use homogenous cybersecurity solutions that don't align to unique environments or the AI-fueled attacks that target them. Taegis ManagedXDR Plus empowers companies with the tailored use cases, compliance reports, and alerting they need to tackle the rising tide of cyberattacks and regulations with limited budget and people.

Nearly one in three (30%) mid-market companies experienced at least one ransomware attack in 20231 highlighting the need for organizations to strengthen their cyber resiliency with a proactive approach, tailored to their environment. Taegis ManagedXDR Plus addresses the evolving needs of this market sector with greater customization and flexibility on alerting, workflows, and reports to address their specific environment, industry regulations, and risk profile. These personalized configurations are supported by expanded threat hunting and access to proactive services to further increase their vigilance against threats. Organizations can see more, detect better, and respond faster by leveraging Secureworks security operations expertise and threat intelligence to fortify their cyber resiliency and exposure management.

"Until today, the mid-market has had to make do with security solutions that do little to bolster their cyber posture. Yet as the economic driving force for countries around the world, the butterfly effect of a cyberattack on organizations in this sector can often be felt far and wide, testing the digital resilience of the wider global economy. It is imperative for our collective defense that organizations of all sizes have access to cybersecurity that improves their security posture within the reality of their budget," said Kyle Falkenhagen, Chief Product Officer, Secureworks. "The cost of building a SOC in-house quickly escalates when you consider the breadth and depth of expertise required for these advanced challenges, let alone the costs of hiring, training and retaining a robust staff for 24/7 coverage. Taegis ManagedXDR Plus enables mid-market customers to take full advantage of the Taegis platform and our in-house experts to up-level their security to an enterprise level without breaking their budget."

Delivered using the Secureworks Taegis XDR platform, Taegis ManagedXDR Plus expands upon the capabilities of Secureworks Taegis ManagedXDR solution in several areas:

*   Tailored AI Enriched Use Cases: Taegis ManagedXDR Plus customers can leverage customization options tailored to their specific needs.
    
*   Expanded Threat Hunting: This new tier quadruples the number of AI assisted threat hunts available as part of Taegis ManagedXDR, and allows for customized requests to more rapidly uncover emerging and undiscovered threat actors targeting their environments.
    
*   Premium Support with Named Experts: Customers can also tap into the knowledge of Secureworks experts to further optimize Taegis in their environment, including 1x1 guidance to help efficiently build their security posture over time.
    
*   Proactive Security Services: Customers can select from a range of proactive security services to further raise their resiliency, identify gaps in posture, and deepen Taegis knowledge.
    

Secureworks now offers three tiers within its Taegis ManagedXDR portfolio - Taegis ManagedXDR, Taegis ManagedXDR Plus and Taegis ManagedXDR Enhanced - delivering on the company's commitment to meet customers wherever they are on their security journey. Regardless of the tier, Taegis ManagedXDR customers enjoy transparent pricing in an inclusive model which includes direct access to security experts within 90 seconds, one year of log retention to assist in threat hunting and compliance needs, hundreds of integrations to unify their existing ecosystem, and more to provide mid-market customers peace of mind and predictability in their cybersecurity budget.

"In an increasingly sophisticated cybersecurity landscape, enterprises find it challenging to handle security operations by themselves. These organizations have distinct needs. Secureworks acknowledges this and provides increased flexibility with Taegis ManagedXDR Plus," said Lucas Ferreyra, cybersecurity industry analyst, Frost & Sullivan. "This new MDR service tier delivers additional capabilities that multiply the value of Secureworks MDR service, further enhancing prevention, detection and response, and showing why Secureworks is one of the leaders in the MDR space."

For more information, please visit the Taegis ManagedXDR Plus web page.

About Secureworks

Secureworks (NASDAQ: SCWX) is a global cybersecurity leader that secures human progress with Secureworks® Taegis™, a SaaS-based, open XDR platform built on 20+ years of real-world detection data, security operations expertise, and threat intelligence and research. Taegis is embedded in the security operations of thousands of organizations around the world who use its advanced, AI-driven capabilities to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.

Secureworks Elevates State of Cybersecurity for Mid-Market Customers With Managed Detection and Response Offering

The gang already uses varied tools in its attacks, such as phishing, SIM swapping, and MFA fatigue.

Source: Stephen Street via Alamy Stock Photo

Octo Tempest, a threat actor also known as Scattered Spider, has added RansomHub and Qilin to its repository for use in attacks, Microsoft's Threat Intelligence Team is warning.

The gang, which first arrived on the scene in 2022, is known for its social engineering techniques, which Microsoft describes as sophisticated, as well as identity compromises, targeting of VMware ESXi servers, and deployment of BlackCat ransomware. It was also infamously behind the massive ransomware attacks on Caesars Palace and MGM Entertainment last year.

Other tactics, techniques, and procedures (TTPs) the group is known to use include impersonating IT employees to deceive company staff into providing credentials or gaining persistence using remote access tools, as well as phishing, MFA bombing, and SIM swapping.

Qilin ransomware also surfaced in 2022 under a different name, "Agenda," but quickly rebranded. The group is known to have targeted and claimed more than 130 companies, demanding ransoms from as low as $25,000 and well into millions, and is developing a customizable Linux encryptor to target VMware ESXi servers, according to Microsoft. RansomHub, meanwhile, is a ransomware-as-a-service (RaaS) offering that is becoming increasingly favored by threat actors, "making it one of the most widespread ransomware families today," the tech giant said via X.

Octo Tempest accounts for a significant number of the investigations that the Microsoft team covers, it said, and has dominated incident response engagements it has received since first gaining attention through its "oktapus" campaign, which targeted over 130 well-known organizations.

Tag

#intel