Annual ThreatLabz Report reveals phishing-as-a-service as the key source of attacks across critical industries and consumers globally; underscores urgency to adopt a zero-trust security model.

**Key Findings**

· Phishing attacks rose 29% globally to a new record of 873.9M attacks observed in the Zscaler**TM** cloud last year

· Retail and wholesale were the most targeted industries, experiencing over a 400% increase in phishing attacks over the last 12 months

· The United States, Singapore, Germany, Netherlands, and the United Kingdom were the most frequently targeted by phishing scams

· Emerging phishing vectors, such as SMS phishing, are increasing faster than other methods as end users become more wary of suspicious emails

· Rising phishing activity is directly linked to “phishing- as-a-service” options, which provide a marketplace of pre-built attack tools that reduce technical barriers to entry for criminals

**SAN JOSE, Calif. – April 20, 2022** – Zscaler, Inc. (NASDAQ: ZS), the leader in cloud security, today released the findings of its 2022 ThreatLabz Phishing Report that reviews 12 months of global phishing data from the Zscaler security cloud to identify key trends, industries and geographies at risk, and emerging tactics. According to the FBI Internet Crime Complaint Center (IC3), phishing attempts are the most frequently-reported cyberattack. Zscaler’s ThreatLabz research team analyzed data from more than 200 billion daily transactions, and 150 million daily blocked attacks in order to identify emerging threats and track malicious actors from across the globe. This year’s report showed dramatic 29% growth in overall phishing attacks compared to previous years, with retail and wholesale companies bearing the brunt of the increase. The report also showed an emerging reliance on phishing-as-a-service methods, as well as new attack vectors, such as SMS phishing, becoming one of the more prevalent methods of intrusion.

“Phishing attacks are impacting businesses and consumers with alarming frequency, complexity, and scope - with the rise in phishing-as-a-service making it easier than ever for non-sophisticated actors to launch successful attacks. Our annual report highlights how cybercriminals continue to escalate their usage of phishing as a starting point to breach organizations to deliver ransomware or steal sensitive data,” said Deepen Desai, CISO and VP of Security Research and Operations at Zscaler. “To defend against advanced phishing attacks, organizations must leverage a multi-pronged defensive strategy anchored on a cloud native zero trust platform that unifies full SSL inspection with AI/ML-powered detection to stop the most sophisticated phishing attempts and phishing kits, lateral movement prevention and integrated deception to limit the blast radius of a compromised user, proactive controls to block high risk destinations such as newly registered domains that are often abused by threat actors, and in-line DLP to safeguard against data theft.”

Phishing has always been one of the most pervasive cyberthreats, with various methods used to steal private information. One of the reasons this type of attack grows in prevalence every year is its low barrier to entry. Cybercriminals use current events, such as the COVID-19 pandemic or cryptocurrency, to convince unwitting victims to hand over confidential data, such as passwords, credit card information, and login credentials.

The 2022 ThreatLabz Phishing Report found that phishing attacks lure victims by posing as top brands or promoting topical events. The top phishing themes in 2021 included categories such as productivity tools, illegal streaming sites, shopping sites, social media platforms, financial institutions, and logistical services.

**A Global Problem**

In 2021, the U.S. was the most-targeted country globally, accounting for over 60% of all phishing attacks blocked by the Zscaler security cloud. The next most frequently attacked countries include Singapore, Germany, the Netherlands, and the United Kingdom.

Not all countries experienced the same attention from phishing attacks. For example, the Netherlands experienced a decrease of 38 %, which may have resulted from recently-passed legislation that increased the penalties for online fraud.

Phishing attacks were also not evenly distributed across different industries. Retail and wholesale businesses experienced an increase of over 400% in phishing attempts - the most out of all tracked industries. These businesses were followed by financial and government sectors, with organizations in these industries seeing over 100% increases in attacks on average. However, some industries experienced partial relief from phishing attacks last year. Healthcare saw a notable drop of 59 %, while the services industry saw a decline of 33 %.

**Phishing-as-a-Service - The Growing Threat**

While phishing has long been one of the most common tactics used in cyberattacks by sophisticated threat actors, it's becoming more accessible to non-technical cybercriminals due to a maturing underground marketplace for attack frameworks and services. By selling their pre-built phishing tools and services on the dark web, cybercriminals are making it easier to deploy phishing scams at scale, creating a greater chance for more phishing activity in 2022.

**Countering Phishing Attacks**

According to the Zscaler ThreatLabz research team, an average-sized organization receives dozens of phishing emails every day. This means that employees at all levels must be aware of the most common phishing tactics and empowered to spot phishing attempts that can result in financial losses and damage to the business’ brand.

Facing the threats outlined in the 2022 ThreatLabz Phishing Report can be daunting, and while it's impossible to eliminate phishing risk, effective management can prevent business-critical information from falling into the hands of cybercriminals. Among other recommendations, Zscaler suggests the following tactics for countering phishing growth:

· Learning and understanding the risks posed by phishing to better inform policy and technology decisions

· Leveraging automated tools and actionable intelligence to empower employees with the tools needed to reduce phishing incidents

· Delivering timely employee training to build security awareness and promote user reporting

· Simulating phishing attacks to identify gaps in security policies and procedures

· Evaluating security infrastructure to ensure access to the latest research and system capabilities

**How the Zscaler Zero Trust Exchange****TM Can Mitigate Phishing Attacks**

User compromise is one of the most difficult security challenges to defend against. The Zscaler Zero Trust Exchange incorporates phishing prevention controls into a holistic zero trust architecture that disrupts every stage of attacks and minimizes damages. Capabilities include:

· **Preventing compromise** with full SSL inspection at scale, threat analysis using natively integrated threat intel and IPS signature detection, AI/ML phishing detection, and policy-defined high-risk URL categories commonly used for phishing such as newly observed and newly registered domains.

· **Eliminating lateral movement** by connecting users directly to apps, not the network, to limit the blast radius of a potential incident.

· **Shutting down compromised users and insider threats** with in-line application inspection and integrated deception capabilities to trick and detect attackers.

· **Stopping data loss** by inspecting data both in motion and at rest to prevent theft by an active attacker.

To download the full report, see the ThreatLabz 2022 Phishing Report.

**Methodology**

The ThreatLabz team evaluated data from the Zscaler security cloud, which monitors over 200 billion transactions daily across the globe. ThreatLabz analyzed a year’s worth of global phishing data from the Zscaler cloud from January 2021 through December 2021 to identify key trends, industries and geographies at risk, and emerging tactics.

New Zscaler Research Shows Over 400% Increase in Phishing Attacks With Retail and Wholesale Industries at Greatest Risk

Cybereason MalOp Detection Engine augmented with Nuanced DFIR Intelligence reduces the mean-time-to-detect and remediate incidents.

BOSTON, April 21, 2022 /PRNewswire-PRWeb/ -- Cybereason, the XDR company, today launched Cybereason DFIR (Digital Forensics Incident Response), a solution designed to automate incident response (IR) investigations by incorporating nuanced forensics artifacts into threat hunting, reducing remediation time by enabling security analysts to contain cyberattacks in minutes.

Today, many organizations find themselves vulnerable to breaches because security analysts lack the tools to quickly investigate and remediate all aspects of a threat. By offering incident response solutions driven by forensics, Cybereason can extend deeper value to Defenders. With the Cybereason MalOp™ Detection Engine augmented by Cybereason DFIR, security analysts can leverage the industry's most comprehensive detections from root cause across every impacted asset.

With forensics data added to the MalOp, security analysts have instant visibility into a wider range of intelligence sources to enable rapid decisions and remediate threats more efficiently. Cybereason DFIR includes the following capabilities:

Forensic Data Ingestion: Feed a treasure trove of forensic data to the MalOp™ Detection Engine for deeper insights, enrichment and contextualization.

Live File Search: Search for any suspicious file in the environment based on a wide variety of search criteria without the need for prior collection.

IR Tools Deployment: Streamline cumbersome IR investigations and work seamlessly with similar DFIR tools by deploying them via the Cybereason Sensor.

ExpressIR: IR Partners and large customers with internal DFIR teams can deploy a pre-provisioned IR environment to begin the investigation within hours of an incident.

"Cybereason DFIR enhances the performance of the Cybereason XDR Platform in our customers' environments enabling security analyst teams to detect, identify, analyze and respond to sophisticated threats before adversaries can inflict harm, and when needed, conduct a thorough post-mortem analysis of a complex incident. The merging of our powerful Cybereason XDR Platform with Cybereason DFIR provides the industry with the most powerful tools available," said Cybereason Chief Technology Officer and Co-founder Yonatan Striem-Amit.

Anything connected to the internet is part of an organization's attack surface, yet Defenders are forced to use multiple siloed solutions producing uncorrelated alerts to try to find and end these complex malicious operations. Now, Defenders can leverage Cybereason DFIR to centralize DFIR investigative work and end sophisticated attacks with the only solution on the market to deliver:

\--Comprehensive Response: Cybereason DFIR has a number of tailored remediation actions analysts can perform directly from the investigation screen. The solution empowers analysts to reduce Mean-Time- To-Detect and Mean-Time-To-Remediate. Cybereason DFIR also allows Defenders to contain attacks by executing commands directly on the host in question with remote shell and real-time response actions.

\--Uncover Advanced Adversaries: Fully reveal sophisticated adversaries and analyze complex TTP's by tracing the attacker path back to root cause. Defenders will have a better understanding of the full scope and timeline of an incident using enriched forensics to identify all impacted systems and users. Security analysts can investigate relevant files and forensic artifacts of interest through wide-ranging criteria to collect files as needed.

\--Fully Supported Technology: With a shortage of Tier III qualified security analysts, many security teams are understaffed and lack in-house IR expertise. Cybereason automates most aspects of a DFIR investigation and up-levels the capabilities of Level 1 and 2 analysts to perform complex forensic tasks. In addition, the Cybereason Services Teams fully supports investigations, breach recovery, forensic audits and deep-dive analysis.

About Cybereason  
Cybereason is the XDR company, partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason XDR Platform provides planetary-scale data ingestion, operation-centric MalOp™ detection, and predictive response that is undefeated against modern ransomware and advanced attack techniques. Cybereason is a privately held international company headquartered in Boston with customers in more than 40 countries.

Learn more: https://www.cybereason.com

Cybereason Launches Digital Forensics Incident Response

Seedrs Ltd. deployed and configured Alert Logic Intelligent Response in minutes, and immediately began blocking critical threats.

HOUSTON, April 21, 2022 /PRNewswire/ -- Alert Logic by HelpSystems today announced general availability of its new intelligent response capabilities. The innovations, including simple mode and a mobile application, relieve IT and security departments of repetitive response tasks and the need for constant administration through human-guided and fully automated workflows. Seedrs, Europe's leading online private investment platform, is among the first adopters of the new capabilities, now available at no additional cost to Alert Logic MDR® customers.

Alert Logic Intelligent Response™ is designed to minimize the impact of a breach via embedded SOAR capabilities with workflows to enable response actions across network, endpoints, and cloud environments. This provides a backstop if attacks bypass prevention tools, improving an organization's security posture while allowing them to adopt automation at their own pace. As part of a holistic response strategy, the solution addresses detection, notification, and containment with multiple actions and use cases in a simplified user experience, making it easy for any organization to create automated response actions.

"The wizard-based user interface of Alert Logic's simple mode made the whole intelligent response configuration possible in just minutes," said Jonas Pereira, Senior DevOps Engineer, Seedrs. "I also have full visibility of our infrastructure, and our safety, literally in my pocket with the Alert Logic mobile application, ensuring we can effectively respond to any potential threat instantly."

Intelligent response simple mode focuses on the three most commonly needed actions:

*   **Shun an attacker** at the edge of a network, for Alert Logic and AWS WAFs
*   **Isolate a host** for SentinelOne or Microsoft Defender for Endpoint users
*   **Disable user** credentials that may be compromised, via AWS IAM or Azure Active Directory (including Office 365)

These three use cases are vital for preventing attacks or reducing the impact of successful attacks. Organizations may introduce the human touch anywhere in the process and increase the level of automation to suit their needs. Customizable response playbooks also save time by helping security experts integrate automated response actions into their business processes.

In addition to simple mode, the Alert Logic mobile application streamlines human-guided response, allowing security teams to remotely execute decisions for response actions immediately. Using the mobile application, CISOs can instantly approve response actions from anywhere, for a more flexible work environment.

"The beta customers who helped guide development of Alert Logic Intelligent Response told us they needed a flexible solution that allowed them to adopt automation at their own pace to increase their security posture," said Onkar Birk, Managing Director, Alert Logic by HelpSystems. "We're putting response in front of people in an intuitive way, getting them involved in the process, taking security actions to contain problems, and enabling resource-stretched teams to deploy best practice security."

To learn more about Alert Logic Intelligent Response, visit https://www.alertlogic.com/why-alert-logic/intelligent-response/.

**About Alert Logic** **by HelpSystems  
**Alert Logic by HelpSystems is the only managed detection and response (MDR) provider that delivers comprehensive coverage for public clouds, SaaS, on-premises, and hybrid environments. Since no level of investment prevents or blocks 100% of attacks, you need to continuously identify and address breaches or gaps before they cause real damage. With limited expertise and a cloud-centric strategy, this level of security can seem out of reach. Our cloud-native technology and white-glove team of security experts protect your organization 24/7 and ensure you have the most effective response to resolve whatever threats may come. Founded in 2002, Alert Logic is headquartered in Houston, Texas and has business operations, team members, and channel partners located worldwide. Learn more at alertlogic.com. Alert Logic – unrivaled security for your cloud journey.

**About HelpSystems  
**HelpSystems is a software company focused on helping exceptional organizations secure and automate their operations. Our cybersecurity and automation software protects information and simplifies IT processes to give our customers peace of mind. We know security and IT transformation is a journey, not a destination. Let's move forward. Learn more at www.helpsystems.com.

© HelpSystems, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners.

Alert Logic®, Alert Logic MDR®, and Alert Logic Managed Detection and Response® are registered trademarks of Alert Logic, Inc.

Alert Logic Intelligent Response™ is a trademark of Alert Logic, Inc.

Alert Logic Releases MDR Incident Response Capability for Addressing a Breach

To better manage risks, companies can concentrate on resilience, sharing information to protect from cyber threats, and making the cybersecurity tent bigger by looking at workers with nontraditional skill sets.

As we look ahead, there are many reasons for optimism in cybersecurity. Defenders are maturing in their approach, we're getting better at articulating cyber threats in the language of business risk, and we're continually improving cross-sector collaboration.

But we still face a challenge navigating the changing threat landscape, something I discussed with industry peers on an HP-hosted CISO panel. I believe the cybersecurity industry needs to build on the positives by understanding cyber strategy more clearly in the context of good corporate governance, and by addressing the growing diversity and skills gap within our cybersecurity talent pool.

**When Change Is the Only Constant  
**As IT modernizes to support remote work, new customer experiences and evolving business processes, we're seeing attack surfaces expand exponentially. On the one hand, this contributed to a record number of compromises in 2021, while the number of published vulnerabilities surged to an all-time high.

Yet there's another story behind the headlines. For years, we've been talking about the same old paradigm of attacker and victim. In this one-to-one relationship, the attacker targets a victim and either succeeds or doesn't. Today, we're seeing more of what I would call "one-to-many" attacks. Supply chain attacks are nothing new, but we're seeing an uptick in their sophistication and ambition. Attackers have realized they don't need to constantly go one-to-one. They can find a common hub that connects hundreds or even thousands of potential victims and compromise it. For close to the same effort expelled, they have a significant step up in ROI.

As organizations look to manage supplier risk, spiraling costs, and geopolitical tension in the post-pandemic world, the complex web of interdependencies upon which they rely is growing. This is most apparent in the airline industry. It was fascinating to hear United Airlines VP and CISO, Deneen DeFiore, explain how the mindset in cyber is shifting from data protection to resilience. Understanding these supplier dependencies is critical to managing risk effectively, to minimize the operational impact of cyber threats.

**Collaboration Will Be Key  
**This mounting complexity also makes industry collaboration more important. It's only via collaboration with the right public and private sector organizations that we can understand how attackers are operating. Part of this involves organizations thinking about what is and isn't helpful to disclose around breaches. We can all agree that indicators of compromise (IoCs) are out of date as soon as they're published. So, what is relevant that can be shared between organizations?

Today's conversation is too centered around whether an organization was breached or not. If breaches are close to inevitable, we should focus more on sharing breach findings and post-mortem results that will help others.

The way CISA coordinated information sharing during the early days of the Log4Shell saga offers a useful model. The agency did an amazing job organizing and sharing information from different industry sources. Let's learn from it. Because as Ian Pratt, HP's global head of security for personal systems, explained, cybercriminal organizations are run like businesses now. They've become masters at sharing intelligence, information, and tooling to further their objectives.

**A People Problem  
**This touches on another critical point. The industry is short of more than 2 million cybersecurity professionals globally. In this moment of crisis, we should nurture the beginnings of something far bigger and better by growing our talent pool and breaking down the barriers to joining our sector.

There's an opportunity to make the cybersecurity tent bigger by looking outside of the industry. We could bring in more nontraditionally educated people, as we don't necessarily need college degrees for every role. We could target workers mid-to-late in their careers who have a rich set of skills in areas such as risk management or communication.

Diversity is also critical, but much work needs to be done. According to findings in an HP-commissioned study, 30% of women in the US applied for a promotion last year. However, of those that applied, only 40% of women were successful, vs. 52% of men. Cybersecurity, like the tech industry as whole, has a diversity issue, particularly with getting women into senior roles. We must understand how to best support women and their careers, as this is key for fostering a diverse workforce and attracting new talent.

Employers must do better at harnessing this large pool of untapped talent. As Siemens USA Chief Cybersecurity Officer Kurt John explained, diversity is the No. 1 way to drive creativity in response to the threats that we all face.

The good news is that boardrooms are starting to appreciate the importance of diversity and cybersecurity — just as CISOs are beginning to talk about cyber in the language of business risk. That offers definite grounds for optimism.

What has increasingly dawned on me is that, as cybersecurity leaders, we're much more likely to make the right decisions for the enterprise by viewing cyber in the context of effective corporate governance. I believe that's the way to craft an enterprise-specific strategy. Let's make the "G" in _environmental, social, and governance_ (_ESG_) really mean something for cybersecurity and get ourselves onto the front foot.

3 Ways We Can Improve Cybersecurity

Intel, FiVerity, and Fortanix team up to launch an AI-driven fraud detection platform into a confidential computing environment.

A new partnership will bring confidential computing to financial services companies in their fight against digital identity fraud.

Confidential computing tackles the challenge of securing data during processing or runtime by using hardware-based trusted execution environments (TEE), an environment that focuses on data integrity, data confidentiality, and code integrity. The data, as well as the application processing that data, are isolated within secure enclaves so that nothing else can access that data, even if the infrastructure is compromised. This way, enterprises can run sensitive applications on public clouds or other hosted environments without worrying about the possibility of data exposure.

The partnership is between Intel, digital fraud prevention platform FiVerity, and Fortanix, a cloud security company. FiVerity's anti-fraud platform relies on artificial intelligence (AI) to detect fraud and incorporates the latest data privacy technologies. FiVerity will rely on Intel Software Guard Extensions to protect the data and control access, while Fortanix will deliver the confidential computing environment for FiVerity's fraud-detection models and transaction data from financial institutions.

Financial institutions would be able to analyze intelligence on fraud activity without exposing personally identifiable information, keeping banks in compliance with security and privacy requirements and reducing their exposure to digital fraud, the three companies said in a joint statement.

The confidential computing market is estimated to grow to $54 billion by 2026, according to a recent report from the Linux Foundation and Confidential Computing Consortium and conducted by the Everest Group.

"We believe that digital fraud detection is a particularly important and timely challenge for the industry which can be addressed with this technology," said Fortanix CEO Ambuj Kumar in a statement.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Anti-Fraud Partnership Brings Confidential Computing to Financial Services

Companies must enforce more security on their own third-party providers and retain the ability to conduct independent investigations, experts say.

Identity cloud provider Okta concluded its investigation into a recent breach of its systems by the Lapsus$ extortion group, which gained access to some of company's systems through a third-party contract firm and then revealed the compromise in March.

The breach impacted only two customers, with the hackers maintaining control of a single computer at contract firm Sitel for a 25-minute period, Okta said in the postmortem analysis published on Tuesday. While the identity and access management firm had initially considered as many as 366 customers at risk, the impact ended up being far less, David Bradbury, chief security officer at Okta, stated in the analysis.

The breach caused consternation within the security community because of the lack of notice from Okta and worries that access to the company's systems could undermine much of the security of its single sign-on (SSO) services — an issue of trust that Bradbury acknowledged.

"While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognize the broad toll this kind of compromise can have on our customers and their trust in Okta," he said, adding: "The conclusions from the final forensic report do not lessen our determination to take corrective actions designed to prevent similar events and improve our ability to respond to security incidents."

To head off attacks in the future, Okta intends to create more stringent security requirements for third-party contractors and have processes in place to confirm compliance. The company has already cut ties with Sitel, according to the postmortem report.

The Okta breach raised the profile of attacks on software supply chains and third-party providers, adding on to lessons from previous compromises such as SolarWinds and Kaseya, says Merritt Maxim, vice president at business intelligence firm Forrester Research. Third-party firms and service providers need to have measures in place to continuously assure customers that their services are secure, he says.

"This is an issue that has to be front and center for security organizations, to push beyond doing just security questionnaires for providers, to doing actual assessments and auditing of third parties," he says. "Simulate breaches and test your incident response plans, and rather than rely on the vendors to do it perfectly, you should be determining what you can do in response to a breach."

**Conduct Your Own Investigation**  
When a breach happens in a third-party provider, such as Okta or its own third-party provider Sitel, companies either are left in the dark or must pursue their own investigation. Whether Okta knew of the breach and failed to notify customers for two months, or the company failed to understand that a contractor's computer had been compromised, businesses need to be ready to verify the details of an incident, members of Cloudflare's security team argued in a March blog post.

Cloudflare has to verify its own systems, since some of the screenshots in leaked by Lapsus$ group appeared to indicate that they may have had access to Cloudflare's instance of Okta. As soon as a provider is breached, companies should have a playbook in place to spell out the steps that need to be taken to assure the integrity of their systems, such as checking all passwords and verifying changes to multifactor authentication with special attention paid to any event initiated by the support group.

To facilitate future investigations, Cloudflare's security team recommended that companies store logs from third-party services on their own premises to have a verifiable copy.

"For years, it has been a struggle to work with different software as a service provider to get all the logs ourselves," says Joe Sullivan, chief security officer at Cloudflare. "Too many times in the past, we have thought there was a risk and we did not have the logs, so we are very proactive."

For its part, Okta maintains that the company did not know about the severity of the issue until March 17, when Sitel sent their summary report, which they then connected with the Lapsus$ screenshots a few days later. "We recognized what appeared to be a connection to the January failed takeover attempt we observed and reported to Sitel," an Okta spokesman said. "We've publicly said we didn't understand the extent of the Sitel compromise in January, and if we had, our actions would have been different."

**Cloud Rife With Single Points of Failure**  
The incident also underscores that while cloud providers typically raise their customers' level of security, the cloud attracts attacks because so much access is concentrated in a small number of providers. Companies should always start by conducting a threat assessment to understand the risks presented by any infrastructure that they move to the cloud, Sullivan says.

"You look at what is the worst that could happen, and how do you mitigate that risk," he says. "If a compromise of a system could lead to a bunch of customer data getting exposed or intellectual property being accessed, then you need to go further."

In the end, while the cloud model asserts that responsibility for security is shared, companies need to understand that that they need to take their fate into their own collective hands, says Forrester Research's Maxim.

"Don't assume that the vendor is going to take care of security and will do it all perfectly," he says. "Have the right playbooks and policies ready to go, so if there is an incident, you can take action whether the vendor is ready or not."

For its own part, Okta plans to directly manage even third-party devices that access its customer-support tools so as to maximize visibility into potential security threats, and it will limit the amount of information that support personnel can view, Bradbury said in the company's postmortem analysis. In addition, as a third-party provider itself, Okta plans to review how to better communicate incidents with its customers.

_Editor's note: This story was updated on April 21 with a quote from an Okta spokesman._

Okta Wraps Up Lapsus$ Investigation, Pledges More Third-Party Controls

Module enables apps to establish trust in new devices without adding user friction.

**Palo Alto, CA -- April 20, 2022 --** Mobile authentication pioneer Incognia, today announced the launch of a new location identity fraud detection module to support mobile app security for customers across finserv, crypto, social networks, online gaming and more. Incognia’s latest solution module is Location-based Device Authorization which prevents fraud following device change at login.

Authorization of new devices on mobile is one of the highest friction and highest risk points in the user journey. When new devices attempt a login, the challenge is determining whether this is the legitimate user, or a fraudster using social engineering to get access to the user's credentials. Traditional device fingerprinting solutions are useless in establishing trust in new devices, and as a result most organizations have been forced to employ multi-factor authentication (MFA), which increases user friction and ultimately creates a poor user experience. The Incognia Location-based Device Authorization solution is designed to address the challenges of establishing trust in new devices without adding user friction.

Incognia provides a highly accurate risk signal using anonymized location behavior and device intelligence to detect high risk devices attempting to login before fraud occurs. At login, Incognia delivers a risk assessment based on checking the device integrity and whether the current device location is consistent with the user’s historical location behavior pattern. In an internal study, Incognia identified that 89% of legitimate device authorizations occur at trusted locations, which are places that the user visits most frequently, such as home.

Key benefits and features include:

\- Reduced friction when legitimate good users change their mobile device

\- Reduction in account takeovers due to social engineering

\- Real-time validation of trusted devices with global geographic coverage

“The frequent use of one-time passwords over SMS for new device authorization in mobile apps is causing users unwanted friction and frustration, while also serving as an inadequate security measure to keep fraudsters out,” said André Ferraz, founder and CEO of Incognia. “We’re excited to expand Incognia’s fraud prevention capabilities with our new module, using anonymized location behavior and device intelligence to detect high risk devices attempting login and catch fraud before it happens. Leveraging trusted location behavior allows our customers to enable a frictionless authentication experience.”

Incognia fraud prevention modules are available now. To get started, visit www.incognia.com.

**About Incognia**

Incognia is a privacy-first location identity company that provides frictionless mobile authentication to banks, fintech and mCommerce companies, for increased mobile revenue and lower fraud losses. Incognia’s award-winning technology uses location signals and motion sensors to silently recognize trusted users based on their unique behavior patterns and is a key enabler for zero-factor authentication. Deployed in over 200 million devices, Incognia delivers a highly precise risk signal with extremely low false positive rates.

Incognia is privately held and headquartered in Palo Alto, California with teams in New York and Brazil.

Stay connected and follow Incognia on Twitter and LinkedIn.

Incognia Introduces New Location-Based Device Authorization Solution

This is the shift that companies need to make after a cyberattack.

My team recently received a call from a company in Europe that had received warnings from law enforcement that it might be targeted by hackers. We found evidence through our data forensics that an attacker had entered the company's network, taken credentials, and then left. From what we found, the attacker had just as much access and knowledge as the CISO — maybe even more.

And this was likely not the end of the story; attackers usually spend weeks or months inside networks (known as dwell time) before actually doing anything. There was a good chance the attacker would come back. That should be top of mind for any company that's dealing with the aftermath of an attack or intrusion, and the response requires a holistic, active approach even if an incident appears to be over. Often referred to as the "recovery" period, the hours, days, and weeks after a detected intrusion or attack are anything but passive. This period demands action; in fact, it should be called "post-incident response," not "recovery." Not only is this a crucial period of every cyber incident, but it can also be an important growth opportunity for cybersecurity posture and the company in general.

**Attackers** **Return, So Victims Should Study Their Enemies  
**Often when we see an intrusion like the one at this European company, organizations aren't focused enough or don't spend the required budget to make recommended changes, and the attacker comes back with something worse, such as a ransomware attack that can cause great financial and reputational harm. Many companies also fail to see the unique opportunity that is hidden in the fact that attackers often come back: The post-attack or post-intrusion phase can serve as a valuable time to learn about the enemy — where they came from, how they entered, which assets they spent the most time checking out.

Although much time is spent trying to determine who the enemy could be when preparing for possible attacks, the post-attack period offers actual evidence on who the enemy is. This improved understanding of current and possible future enemies allows for a better allocation of resources in order to protect the assets that not only matter most to business value and continuity but are also most likely to be targeted. Knowing from which geographic area an attacker originates and if there is a chance they're connected to state-backed efforts also allows companies to hire cybersecurity teams that bring the necessary talent to deal with the sorts of threats an organization is facing.

**Stopping an** **Attack Is Only the Beginning  
**Just because an attack path was blocked, or attackers may have left all the data accessible (declining to put ransomware on it, for example), they still could have obtained intellectual property and proprietary or personal data. And this could then be leaked for purposes of sabotaging a business, obtaining intelligence, or for making money on the Dark Web. Attacks with multiple stages or objectives are growing; what may initially manifest as a ransomware attack to extract money from victim organization could turn into a smear campaign when that information is leaked or used to influence public opinion. Just because one organization is able to detect or stop an attack with little obvious damage, the attacker could later target other organizations that are connected, either directly through the software supply chain or through phishing campaigns aimed at email addresses taken from the original, relatively unscathed, target. Even though an incident appears over, it probably isn't; more victims are likely to emerge.

**Deal** **With the Last Mile of an Attack on a Managerial Level  
**After an attack or signs of a security breach, companies must make sure they meet a checklist of demands, including informing the right parties, such as government and regulatory bodies, customers, clients, and business partners. All of these obligations should be an integral part of the post-incident response and involve multiple departments.

But the involvement of multiple departments and the entire C-suite should not end with these obligations. The post-incident period is one of the most important times for a holistic managerial approach; after all, if an attacker decides to leak sensitive corporate information to the public, or sell it on the Dark Web, that is not just the CISO's problem; it is also something that executives across departments must deal with. This includes public relations; in today's world, where everyone, everywhere is vulnerable to cyberattacks, an organization's reaction to an attack and how it handles it is paramount to preserving its brand integrity.

Post-incident activity is, and should be, intense. But it should not — as it unfortunately often is — be left to the CISO. We often see that while an attack or security breach is in progress, most of the company's leadership is involved, including the CEO, COO, and human resources and legal teams. It is essential that these executives and teams continue to lead the post-attack phase.

The entire company should also be involved in reviewing not just what went wrong technically, leading to a cyberattack, but how it was handled, pinpointing lessons for the future, and updating its cybersecurity response plan. Now more than ever, cybersecurity can make or break a company; this reality requires a full-fledged team effort at every stage of an attack, even when some may mistake it for being over.

If done well, a response to an attack will not only close vulnerabilities but protect the brand's reputation, operations, and customers and leave a company better prepared to ward off the next attack.

From Passive Recovery to Active Readiness

The rebranded Microsoft Purview platform integrates Microsoft 365 Compliance and Azure Purview, and adds new capabilities and products to help manage data no matter where it resides.

The shift to a hybrid workplace has forced organizations to rapidly adopt cloud technologies and remote access tools to enable ubiquitous connectivity.

That in turn has generated more data than ever before, and organizations are faced with the prospect of securing their data, managing data governance, and keeping up with compliance requirements. Collaboration tools can result in sensitive data leaks if not properly managed. Microsoft announced changes in its data governance platform to help customers see their assets across their entire data estate, along with helping to manage risks and regulatory compliance.

Microsoft has rebranded Azure Purview, which became generally available last fall, to Microsoft Purview and brought over the products that used to make up Microsoft 365 Compliance. Microsoft Purview also features new functionality in Microsoft Purview eDiscovery to improve identification of data stored in Teams; the general availability of Microsoft Purview Data Loss Prevention for macOS; and a preview of the ability to create encrypted documents for iOS and Android platforms.

Microsoft Purview will bring "that chief data officer and their team together with the risk officer, the compliance officer, and \[have\] a unified view and ability to manage data," says Alym Rayani, general manager of compliance and privacy at Microsoft.

For organizations, getting a sense of what data they have is a growing challenge, as is making sure the data isn’t leaving the organization in an unauthorized manner. Data has become the "lifeblood" of how businesses operate, says Rayani, but knowing what the organization has, or where it is even stored, is a growing challenge. The rapid adoption of cloud applications and remote access tool have expanded the data estate. An example would be how more employees are exchanging data using Microsoft Teams — not just in the chat or conversations, but also sharing files.

"Data lives everywhere. There's a lot of it," Rayani says, noting that about 93% of customers told Microsoft they store data across multiple clouds and multiple solutions.

**Understanding the Data**  
Before organizations can do anything about their data, they have to first understand it. Toward that goal, Microsoft expanded its sensitive information type catalog with more than 50 new classifiers, such as those covering patient and healthcare data. There were already 250 classifiers, for data elements such as credit card and Social Security numbers, Rayani says. These classifiers are available for DLP, Information Protection (auto-labeling), Data Lifecycle Management, Insider Risk Management, Records Management, eDiscovery, and Microsoft Priva.

The classifiers are necessary to identify sensitive data, and to allow organizations to create policies that accommodate the specific requirements for each type. There may be patient records that are considered confidential even if payment card numbers or Social Security numbers are not included.

"One of the things we've been hearing from customers is, 'Hey, I need to get a good understanding of my data environment, my data landscape. It lives across a range of systems. It lives in apps. It lives in different platforms,'" Rayani says.

**Governance to the Forefront**  
Microsoft Purview is not just about visibility or classifying data, but can give organizations governance tools that extend all across the data environment. Data leak prevention is one example, but another important area of data governance is insider risk management, Rayani says. While the idea of a malicious insider — the person trying to steal confidential information and intellectual property — is a classic example of insider threat, there is also a lot of the "inadvertent" insider — the one who accidentally exposes data while trying to do their job.

For example, a marketing employee trying to share something over Teams may violate data leak prevention policy. With Microsoft Purview, organizations have tools to warn the user in the moment that there is a policy violation, block the action, and offer an alternative method, such as a secure SharePoint site, Rayani says.

  

    

How each of the products in the Microsoft Purview family are branded. Source: Microsoft

Organizations frequently have to stitch together multiple products to give security, governance, compliance, and legal teams a clear view of what is happening in their environment. Almost 80% of IT decision-makers in the United States purchased multiple products to do so, and a majority had purchased three or more, according to a recent Microsoft survey. This patchwork of products can expose infrastructure gaps and is both costly and complex to manage, Jessica Hawk, Microsoft's corporate vice president of data, AI and mixed reality, wrote on the Azure blog. Microsoft Purview's goal is to provide a unified view to improve security, privacy, and compliance, she wrote.

The company will continue strengthening the integration between Azure products and Microsoft 365, as well as adding new capabilities. For example, sensitivity labels — which designate the data classification — will be consistent across products, and they will be viewable in both Microsoft Purview's compliance portal (formerly Microsoft 365 Compliance) and governance portal (Azure Purview).

"We believe the new way to optimize your data strategy is to deliver a unified view of data in the organization across hybrid, multicloud environments by bringing together the business users of data with the protectors of data," Hawk wrote.

Microsoft Launches Purview Platform to Govern, Protect, and Manage Sensitive Data

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Tag

#intel