In this Tech Talk, Darktrace's David Masson and Dark Reading's Terry Sweeney discuss the rise of destructive attacks against critical infrastructure.

For years government regulators and security experts have been sounding the alarm about attacks that could cripple critical infrastructure — the assets and systems that support the functioning of a modern society and economy — but it took the attack against Colonial Pipeline for people to really pay attention, says David Masson, director of enterprise security with Darktrace.

That ransomware attack showed people firsthand how a cyber threat actually stopped gas from coming out of the pump, says Masson in this Tech Talk conversation with Dark Reading's Terry Sweeney. It doesn't even matter that the attackers behind Colonial Pipeline likely did not intend that outcome.

Since then, several other critical infrastructure organizations have been hit by ransomware and other attacks. There is also a worrisome trend toward more destructive attacks, Masson said. As an example, he points to the Russians trying to take down the telecommunications network in Ukraine to disrupt communications within the country. When their attempts failed, the Russians shot missiles directly at the cell towers and destroyed them, Masson notes.

About 85% of critical national infrastructure is under private control in North America, Masson says, which makes regulating critical infrastructure a bit of a challenge. The shift to public-private partnership, where infrastructure operators share threat information and intelligence with government agencies, is essential to understand the scale of the threat, he says.

President Dwight D. Eisenhower famously said that plans are worthless, but planning is indispensable. That mindset should drive security preparations: Deploy technology that gives visibility into the network, train people to recognize attacks, and maintain good backups so you can rebuild the infrastructure when needed.

"Start practicing and get ready so you don't end up being a rabbit stuck in the headlights," Masson says.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Darktrace's David Masson on What Attacks on Critical Infrastructure Look Like

Contextual Intelligence derived with machine learning helps customers identify, assess and remediate threats from IoT devices on their networks, achieving full visibility and control.

**SANTA CLARA, Calif. – June 1, 2022 –** Netskope, the leader in Security Service Edge (SSE) and Zero Trust, today announced it has acquired WootCloud, an innovator in applying Zero Trust principles to IoT security. The acquisition brings to Netskope WootCloud’s award-winning HyperContext® Security Platform, which provides end-to-end visibility, context, and threat remediation for managed and unmanaged devices, and will extend Netskope’s acclaimed SSE and Zero Trust capabilities to protect enterprise IoT devices at scale.

The massive volume of Internet-connected devices continues to expand; by 2025, there will be 55.7 billion connected IoT devices (“things”), generating almost 80B zettabytes (ZB) of data\[1\]. WootCloud technology will enable Netskope customers to support both user- and device-centric policies with Zero Trust principles applied to govern access and interactions with critical data. As Gartner® notes, by 2026, 50% of organizations will prioritize advanced data security features for inspection of data at rest and in motion as a selection criterion for SSE, up from 15% in 2021\[2\].

Founded in 2016 in San Jose, Calif., WootCloud offers device discovery, classification, and control to help customers gain deep visibility and context into all devices on their networks (both managed and unmanaged) and provide a risk and threat assessment measurement for devices that can be leveraged within a broader IoT security strategy. WootCloud’s cloud-based platform is capable of collecting billions of daily measurements of device characteristics, and this telemetry data is further analyzed using proprietary AI/ML models for device classification, risk assessment, and threat detection.

WootCloud critical uses cases include:

*   **Device classification and visibility** to discover managed and unmanaged devices, classify and provide contextual information, and provide deep insights that “true-up” an asset inventory
*   **Device Risk,** dynamically ascertained bycontinuous real-time monitoring to detect malicious behavior, and exchange device attributes with security operations tools for remedial actions.
*   **Access control and segmentation** to offer dynamic asset grouping, automate network segmentation, and facilitate various actions using existing Network Access Control (NAC), firewalls, access points, and other technologies
*   **Cybersecurity asset management** to drive compliance with corporate policies and gain insights into license use, helping to optimize the total IT environment

“Securing a hybrid work environment includes the ability to establish adaptive zero trust across users, devices, networks, applications, and data— increasing confidence in policy enforcement everywhere,” said Sanjay Beri, CEO and co-founder of Netskope. “WootCloud’s innovative technology will further extend Netskope’s industry-leading SSE and Zero Trust capabilities, ensuring that critical data is protected from the network, to the cloud, to enterprise IoT devices.”

“Netskope is an unquestioned leader in Security Service Edge and Zero Trust, and it makes perfect sense to combine and extend our collective capabilities to protect enterprise IoT devices at scale,” said Amit Srivastav, CEO of WootCloud. “We are so proud of what we have achieved with WootCloud, and we are excited to join Netskope for this next stage of the growth journey.”

“WootCloud has been a fantastic partner to Dartmouth, designing and executing solutions to meet Dartmouth’s enterprise security needs,” said Mitchel Davis, Vice President and Chief Information Officer, Dartmouth College. “WootCloud’s decision to join Netskope will help the combined company continue to grow in a way that will prioritize scale while preserving the innovation that made WootCloud special. Netskope is a well-recognized security leader, and we are excited to continue this partnership.”

Zero Trust principles are critical to the implementation of Secure Access Service Edge (SASE), which converges critical security, networking, and business value requirements into one technology architecture. Gartner cites that, b​y 2025, at least 60% of enterprises will have explicit strategies and timelines for SASE adoption encompassing user, branch and edge access, up from 10% in 2020\[3\]. Properly implemented SSE, which describes the security stack needed to enable SASE architecture, fundamentally includes zero trust and transforms what enterprises can achieve for security at scale.

Financial terms of the acquisition are undisclosed. WootCloud CEO Amit Srivastav has joined Netskope as an Executive Advisor to the CEO, and all of the WootCloud engineering team, led by the original founding CEO Srinivas Akella, have joined Netskope’s engineering organization.

Visit Netskope.com for more on Netskope capabilities for SSE, IoT security and Zero Trust.

**About Netskope**

Netskope, a global cybersecurity leader, is redefining cloud, data, and network security to help organizations apply Zero Trust principles to protect data. The Netskope Intelligent Security Service Edge (SSE) platform is fast, easy to use, and secures people, devices, and data anywhere they go. Netskope helps customers reduce risk, accelerate performance, and get unrivaled visibility into any cloud, web, and private application activity. Thousands of customers, including more than 25 of the Fortune 100, trust Netskope to address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements. Learn how Netskope helps customers be ready for anything on their SASE journey, visit netskope.com.

\[1\] IDC, “Future of Industry Ecosystems: Shared Data and Insights,” January 2021

\[2\] Gartner, “Critical Capabilities for Security Service Edge, John Watts, Craig Lawson, Charlie Winckless, Aaron McQuaid, 16 February 2022.

\[3\] Gartner 2021 Strategic Roadmap for SASE Convergence, Neil MacDonald, Nat Smith, Lawrence Orans, Joe Skorupa, March 25, 2021

Netskope Acquires WootCloud, Extending Zero Trust Capabilities to Enterprise IoT

Combined company creates world-class security operations platform to offer customers unmatched visibility and detection to defend against threats.

TAMPA, Fla., June 01, 2022 (GLOBE NEWSWIRE) -- ReliaQuest, a force multiplier of security operations, today announced that it has entered into an agreement to acquire Digital Shadows, a company that delivers threat intelligence for security teams, for $160 million. The acquisition combines ReliaQuest’s ability to extend detection and response across cloud, network, and endpoint environments with Digital Shadows' digital risk and threat intelligence technology. This gives security operations teams the ability to detect and respond to threats with real-time internal and external visibility.  

“Combining the internal visibility provided by ReliaQuest with the external threat intelligence and digital risk monitoring brought by Digital Shadows creates an end-to-end picture for enterprises around the world,” said Alastair Paterson, co-founder and CEO at Digital Shadows. “The complementary technical capability, shared cultural values, and geographic synergies offered by the combined companies make this a great opportunity for our customers and our partners.”

Security teams are stretched between investigating and responding to threats they can see while working to increase visibility across both security and business applications where they have limited visibility to detect and respond. The ability to extend and automate detection and response across both security and business applications is critical to a successful security program.

ReliaQuest and Digital Shadows will make security operations more effective by integrating the digital risk and threat intelligence that security leaders care about into a security operations platform that increases visibility, reduces complexity, and manages risk. The new offerings will drive down response time, provide context around threats and allow for an end-to-end view, all while decreasing the cost of visibility. Security operation teams can leverage automation with confidence to free up time to focus on the specific areas that matter the most.

“Alastair Paterson and James Chappell built a world-class team, technology, and culture in Digital Shadows and I am looking forward to our organizations working together to make security possible for organizations all over the world,” said Brian Murphy, founder and CEO at ReliaQuest. “The combination of ReliaQuest and Digital Shadows makes a lot of sense for our customers, our partners, and both of our teams. We have a responsibility and opportunity to leverage our collective expertise to continue to tackle what I believe to be the largest technical challenge of our generation, cybersecurity.”

ReliaQuest’s GreyMatter is a cloud native platform built on an Open XDR architecture, and delivered as a service, extending detection and response across a customer’s network, cloud, and endpoint for both security and business applications. Digital Shadows’ platform was built with today’s overloaded security analyst at heart, who demanded a more relevant and actionable approach to threat intelligence. The addition of Digital Shadows to ReliaQuest’s GreyMatter platform provides an important outside-in perspective to ReliaQuest’s already robust detection and response capability.

The transaction has received the approval of both companies’ Board of Directors and is subject only to customary closing requirements and regulatory approvals.

For more information about ReliaQuest, please visit our website.

**About ReliaQuest**  
ReliaQuest, the force multiplier of security operations, increases visibility, reduces complexity, and manages risk with its cloud native security operations platform, GreyMatter. ReliaQuest GreyMatter is built on an XDR architecture and delivered as a service anywhere in the world, any time of the day, by bringing together telemetry from tools and applications across cloud, on-premises and hybrid cloud architectures.

Hundreds of Fortune 1000 organizations trust ReliaQuest to operationalize security investments, ensuring teams focus on the right problems while closing visibility and capability gaps to proactively manage risk and accelerate initiatives for the business. ReliaQuest is a private company headquartered in Tampa, Fla., with multiple global locations. For more information, visit www.reliaquest.com.

**About Digital Shadows**  
Digital Shadows provides threat intelligence that delivers for every security team. Our platform was built with today’s overloaded security analyst at heart, who demanded a more relevant and actionable approach to threat intelligence. SearchLight focuses on digital risks that organizations care about, using a proven threat model that adapts to the organization risk profile and appetite. This approach delivers a low noise solution, allowing security teams to work faster and with less resources than ever before. To sign up for our free weekly threat intel digest or learn more about our platform, visit www.digitalshadows.com.

ReliaQuest to Acquire Digital Shadows

Password management solution delivers proactive, seamless approach to protecting privacy and login credentials for consumers and businesses; Password Management market expected to reach $3 billion by 2026.

**SAN FRANCISCO, June 1, 2022** — Lookout, Inc., a leading provider of endpoint and cloud security solutions, today announced it has acquired SaferPass, an innovative Password Management company that provides secure online identity solutions for both consumers and businesses. By adding Password Management technology to its suite of security solutions, Lookout is expanding on its mission to deliver proactive protection and safeguard customer data for individuals and businesses.

Whether shopping online, banking, or connecting to corporate applications and email, usernames and passwords have become the standard form of authentication to validate a user’s identity and enable access to sensitive information. Passwords can be difficult to use and incredibly insecure, especially in cases where a user has many accounts. On average, people have more than 100 accounts with an associated password to remember. In addition, human-generated passwords are often algorithmically weak; according to the Verizon Data Breach Investigations Report, 81% of data breaches leveraged weak, stolen or reused employee passwords, and every time a password is reused, it opens the door to a potential data breach. Additionally, nearly 64% of people reuse the same passwords across their online accounts. If login credentials are compromised, the consequences can be serious – including personal identity theft or stolen corporate information.

SaferPass delivers a robust, innovative solution for identity and password management to both consumers and businesses, enabling users to securely manage their passwords, banking and other sensitive information across devices. The SaferPass solution provides an encrypted digital vault that stores secure login information used to access services through mobile apps and web browsers. In addition to keeping a user’s identity, credentials and sensitive data safe, the product helps create strong, unique passwords through a password generator tool that ensures the individual is not using the same password in multiple places and that their password has not been compromised in a previous breach.

According to Mordor Intelligence, the Password Management market on its own, was valued at over $1.2 billion in 2020 and is expected to reach over $3 billion by 2026.

“We are pleased to welcome the SaferPass team to Lookout, and excited to combine our respective solutions to deliver better value to consumers and businesses alike,” said Jim Dolce, Lookout CEO. “Today, every password owned by an employee is a potential access point to organizations both small and large. At the same time, large scale data breaches have leaked billions of consumer emails and passwords on the dark web, putting individuals at risk of identity theft and financial fraud. The SaferPass team shares our vision for providing seamless security solutions that address all access points and protect personal and corporate data wherever it may reside. This is an exciting next step in Lookout’s evolution.”

The acquisition of SaferPass broadens the Lookout portfolio of security solutions and expands the opportunity for its carrier ecosystem and channel partners – it also expands Lookout’s footprint in Central Europe through its new location in Bratislava, Slovakia. SaferPass will now operate under the Lookout brand and leadership and the SaferPass team will be fully integrated into the Lookout organization. The financial terms of this transaction have not been disclosed.

****Additional Resources****

*   To learn more about Lookout for SMBs and Consumers, visit: https://protection.lookout.com/
*   To learn more about the Lookout Security Platform, visit: https://www.lookout.com/products/platform
*   Sign up for a free trial of Lookout.

Follow the Lookout blog and join the conversation on LinkedIn and Twitter.

Lookout Acquires SaferPass To Address The Rising Threat Of Identity Theft

Edge technology widens the attack surface by bringing data analysis closer to where it's collected. Now is the time for public and private sector groups to establish guidelines and identify security best-practices frameworks.

Edge technology widens the attack surface by bringing data analysis closer to where it's collected. Now is the time for public and private sector groups to establish guidelines and identify security best-practices frameworks.

Source: NicoElNino via Alamy Stock Photo

The federal government's IT modernization efforts have focused on centralizing cloud computing technologies. As more agencies improve those capabilities, they're starting to think about how computing at the edge can improve their data-driven decisions.

However, as edge computing continues to grow given emerging technologies, such as 5G, there's one area being neglected: security. With edge computing, we're on the cusp of repeating the familiar mistake of not thinking through the security implications of new technologies.

Now is the time to change that. By identifying gaps and vulnerabilities that edge technology could create prior to its implementation, the public sector can ensure the edge isn't creating new security risks.

**Edge Security-Related Challenges**

Data is now the core foundation of any business. Yet managing the unprecedented growth of data in cloud-based operations has placed a massive strain on Internet communications, causing latency and inefficiency. Edge technology eliminates those latency and performance issues by bringing the data analysis closer to where it's collected — on mobile devices or sensors — so it can be processed more quickly.

With data being processed closer to the end user, there is an array of unrecognized security concerns that government agencies can address to securely implement this new technology.

As exciting as the possibilities associated with the edge can be, we know adversaries see opportunities to engage in pernicious or malevolent behavior with emerging technology. It's critical we recognize that edge technology widens the attack surface by generating and analyzing data outside of the traditional IT perimeter.

**Shift of Security Mindset**

This requires IT and security leaders to shift their mindset when it comes to securing edge technology. But with the security of edge computing not well-defined, federal agencies should ensure they consider the following steps when implementing edge technology.

*   **Clarifying roles and responsibilities.** Federal agencies need to work in coordination with technology vendors to determine the responsibilities for securing the edge. With an array of different agencies and vendors playing a role in edge technology, there's currently a lack of understanding around the role each party plays regarding security. To determine this, there needs to be a framework developed between the government and the technology community that offers best practices for how they can share the responsibility of securing edge technology to close unrecognized security gaps.

*   **Applicability and gap analysis of current security products and services**. Government organizations need to ask vendors how their products and services address edge-based computing security before implementing them. Questions should range from the security of edge-based products to how these products and services are monitored and remediated. Without an understanding of the security practices already implemented into edge technology, you can't ensure that proper protocols are in place to defend against unprotected areas. Being proactive is key.

*   **Best practices and standardized compliance frameworks.** Identify the best practices for edge computing technology and live by them. Start by working off existing standards and compliance-based frameworks. Then, align with certified organizations such as the Cloud Security Alliance (CSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Institute of Standards and Technology (NIST) to ensure the organization is best equipped to meet the security and compliance considerations for mission-critical information and national security systems.

**The Future of Edge Security**

Luckily, the future of the edge isn't dark. But the government needs a plan to address the inevitable security threat landscape. Both private and public sector organizations can help make this possible by drafting frameworks, identifying best practices, and coming together to share that intelligence. These are the steps necessary to create an industrywide method. Through combined support of private and public sector organizations — such as the CSA — government agencies can start to unpack and prepare for security challenges of the edge _before_ its implementation  

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Security at the Edge: Why It's Complicated

**Woburn, MA – June 1, 2022 —** The new release of Kaspersky’s Threat Intelligence (TI) Portal unifies all vendors’ TI services, sources and cyber-reconnaissance capabilities in a single and convenient interface. The updated portal supports real-time search across various threat intelligence resources, including Kaspersky’s databases, Dark Web and Surface Web. New features include the visualization of cyber-investigations and extended opportunities for analysis of complex malicious objects.

Threat intelligence, which provides insights on the threat landscape and allows organizations to anticipate risks, has become one of the most evolving and in-demand specialties as confirmed by IT security leaders’ surveys and market predictions. However, the diverse set of TI capabilities and the variety of available sources and services have made it difficult for security specialists to assemble a unified threat intelligence solution which matches their needs.

The renewed Kaspersky Threat Intelligence Portal\[1\] is a single pane of glass for threat intelligence. In addition to cyberthreat data, it also delivers validated information from external sources and new features that facilitate incident investigation as well as detection and attribution of previously unseen malicious objects.

**Unified search across all threat intelligence resources**

Kaspersky TI Portal now supports search across different sources\[2\], all in a single UI, making access to valuable insights easily accessible. Through real-time master search customers are able to get information across Kaspersky’s databases, including APT, crimeware, ICS and Digital Footprint Intelligence reports and actor profiles as well as across Dark Web, Surface Web and validated OSINT IoCs sources\[3\].

New **Dark Web search** offers instant access to insights from a comprehensive range of deep and dark web sources allowing organizations to get tailored evidence of planned attacks, discussions around vulnerabilities and successful data breaches in order to reduce the attack surface, secure online brand value and take appropriate actions.

To offer security practitioners a reliable source of information about global security events that can potentially or are already threatening company’s assets, brand or organization, Kaspersky TI Portal introduces **Surface Web search**. The service allows investigators to search for security-related news, discussions or other content across a validated range of relevant open web sources, such as theme-based newswires, blogs or forums.

**Better visibility for in-depth investigation**

Graphical visualization is an extremely useful tool for researchers when they are looking for indicators and try to find connections between them. The **Research Graph** introduced in Kaspersky TI Portal is designed to explore data stored inside the portal, discover threat commonalities and generate new related IoCs. It provides a clear picture of the relationship between web addresses, domains, IP addresses, files and other context encountered during investigations. It also allows for an in-depth view of information without losing the context of the conducted investigation.

**Complex threat analysis**

Kaspersky TI Portal delivers a unified interface for complex file analysis via a merged “Threat Analysis” tab that leads to Cloud Sandbox and Threat Attribution Engine (TAE), which now runs completely in the cloud. The tab offers access to the results of Dynamic, Static, Anti-Virus and Attribution analysis for objects considered suspicious, offering enriched Threat Intelligence within a single place and providing a powerful tool for faster detection of previously unseen malicious objects.

_“We see that customers are looking for a consolidated threat intelligence offering that can_ _deliver_ _a holistic and global perspective on the threat landscape as well as fit their specific needs,”_ comments Anatoly Simonenko, head of technology solutions product management at Kaspersky. “_Our renewed Threat Intelligence Portal meets these requirements as it unifies our unique and broad knowledge about threats with external threat data and allows companies to customize our offering by choosing services and sources that are most beneficial for their existing IT security function.”_

More information about Kaspersky Threat Intelligence Portal is available via this link

**About Kaspersky  
**

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Enhanced Threat Intelligence Portal Provides Consolidated Access to Kaspersky Threat Intelligence Expertise

Vectra offers a free of charge security assessment for your cloud tenant.

SAN JOSE, Calif. , June 1, 2022 /PRNewswire/ -- Vectra AI, a leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises, today announced the launch of Vectra Protect, a posture management tool designed to discover and mitigate security risks in Microsoft 365 (M365). Vectra Protect combines 50,000+ hours of expert research and development with automation to analyze an organization's M365 security posture and provide customized implementation plans to remediate risk. To ensure all organizations, regardless of security staffing or resources, can have access to the solution, Vectra is extending a free sign-up for an Azure Active Directory scan until September 30, 2022.

With the accelerated use of M365 collaboration tools, which now have over 270 million users, cyber attackers are actively targeting access management tools like Azure AD to enter other SaaS tools and enterprise network assets. They then establish a foothold to launch ransomware attacks, steal intellectual property and gain unauthorized access to sensitive user data. With its scanning engine, Vectra Protect combines insights from the M365 Graph API with PowerShell module data to provide a truly holistic view into the integrity of every identity in an organization's M365 environment. As the only scan designed to uncover identity security issues in M365, Vectra Protect provides organizations with:

*   **Quick, actionable remediation insights:** With its multi-stage methodology, the scan provides organizations with actionable results within hours. Rather than hindering the security team with more alerts, the scan creates a comprehensive risk mitigation map that provides a path to implementation with clear guidance on risk and operational impact.
*   **Tailored cloud support:** Organizations can gain insight into the severity of vulnerabilities, material changes to their configuration state, the operational impact of the required solution, and the steps for remediation aligned to their applicable industry standards and regulatory requirements.
*   **Configuration correction and compliance:** Vectra Protect delves deep into the configuration complexities of M365, highlighting misconfigurations with clear context to guide companies to complete risk resolution and provide security teams with the proof they need to show their policies are effective and compliant.
*   **Confidence in collaboration:** By understanding areas where risks and configuration issues persist, organizations can fulfill the promises of cloud technology without creating unmanaged risk. Organizations can gain efficiencies in implementing and using SaaS tools like M365 by eliminating default settings and aligning operations, information technology, security, and audit teams on security priorities.

"Azure AD has become a large attack vector as cybercriminals look to exploit the lack of security controls and solutions currently available for the tool," said Aaron Turner, CTO of SaaS Protect at Vectra AI. "Organizations must understand that Microsoft's default security settings are not specifically tailored to their business operations or industry, which introduces waves of unnecessary risk. Combining this with the constant changes in M365, both internally and externally, leaves a host of potential vulnerabilities and configuration issues that organizations are responsible for correcting. Vectra Protect helps unravel this complexity to deliver the visibility and assurance organizations need to protect these essential business tools."

The free Vectra Protect for Azure AD scan, a value up to $50,000, will be readily available to any M365 customer operating in any M365 environment\*. The scan focuses on a common foothold for unauthorized access and risk: access management in the active directory. Turner will be showcasing the technology and enumerating how to protect the M365 tenant and hunt for threats during RSAC 2022 in San Francisco, CA. You can register for his session here.

For more details about Vectra Protect for Azure AD and to request a free scan, please visit: https://www.vectra.ai/azure-ad-scan

\*Exclusions apply.

**About Vectra AI  
**Vectra® is a leader in cyber threat detection and response for hybrid and multi-cloud enterprises. The Vectra platform uses AI to detect threats at speed across public cloud, identity, SaaS applications, and data centers. Only Vectra optimizes AI to detect attacker methods—the TTPs at the heart of all attacks—rather than simplistically alerting on "different". The resulting high-fidelity threat signal and clear context enables cybersecurity teams to respond to threats sooner and to stop attacks in progress faster. Organizations worldwide rely on Vectra for cybersecurity resilience in the face of dangerous cyber threats and to prevent ransomware, supply chain compromise, identity takeovers, and other cyberattacks from impacting their businesses. For more information, visit vectra.ai.

Help Organizations to Mitigate Risk in Microsoft 365 with 'Vectra Protect'

AI and ML are important SecOps tools, but human involvement is still required.

Artificial intelligence (AI) can be used to enhance the efficiency and scale of SecOps teams, but it will not solve all your cybersecurity needs without the need for some human involvement — at least, not today.

Most commercial AI successes have been associated with supervised machine learning (ML) techniques specifically tuned for prediction tasks that yield business value. These use cases for ML, such as spoken language understanding for your smart-home assistant and object recognition for self-driving cars, make use of vast amounts of labeled data and computation required to train complex deep learning models. They also focus on solving problems that barely change. This is in contrast to cybersecurity, where we rarely have the millions of examples of malicious activity needed to train deep learning models, and we face intelligent adversaries that frequently change their tactics to try to outmaneuver our latest detection capabilities, including those using ML.

In addition, the digital exhaust from human behavior in enterprise environments is extremely hard to predict. Anomalies in these systems are common and very rarely represent malicious threat actor behavior. It is therefore unreasonable to expect that unsupervised anomaly detection can be used to learn about an enterprise environment’s normal behavior and be able to generate meaningful alerts about malicious activity without creating false alarms on unusual but benign events.

Finally, the degree of data imbalance in threat detection is unlike many other use cases for ML. Imagine for a moment that you are a midsize to large enterprise collecting 1 billion potentially security-relevant telemetry events per day and expect to find one incident worth seriously investigating. Nobody wants to lose the ransomware lottery and have their business grind to a halt with the potential for even worse reputational damage by missing that one security incident. However, if you build an ML-based threat detector processing each event by itself that is 99.9% accurate, you would be searching for that one true positive in a sea of 1 million false positives. Conquering this data imbalance requires significant expertise and a multipronged detection strategy.

Despite these challenges, there are ways for SecOps teams to leverage the technical power of AI/ML to gain operational efficiencies. The following principles should be considered when doing so.

**1\. Symbiotic Humans and Machines Work Better Together**

Consider ML a complement to human intelligence rather than a substitute for it. In the context of complex systems, especially when combatting intelligent adversaries that adapt quickly, automation will deliver the greatest value with active learning at its core. Humans should regularly review the results of ML-based systems, provide feedback, add additional examples of new malicious behaviors, retune the models, and constantly iterate. Anyone who has ever had to face an intelligent adversary, whether it be in cyberspace or in combat, should be familiar with the OODA loop, developed by US Air Force Colonel John Boyd. It has many similarities to active learning techniques that can be exceptionally useful in ensuring that automatable decisions made in each loop are using the best insights, optimizing the utility of manual analysis performed in some loops, and scaling it to assist in processing more loops than humanly possible.

**2\. Pick The Right Tool for the Job**

You do not have to become an AI expert to make good AI-related decisions for your team, but you should be reasonably informed about the basics to ensure that you are picking the right tool for the job.

First, it is important to know the difference between anomalous and malicious behaviors because they are rarely the same and require very different techniques when it comes to detection. The former is easy to discover with unsupervised anomaly detection that does not require labeled training data, but the latter requires supervised learning that typically requires many historical examples.

Second, alerts with a high signal-to-noise ratio are critical for SecOps teams, and you need to fully understand the downstream effects of any probabilistic system that will not be 100% accurate.

Finally, while nearly every ML technique has been applied to cybersecurity, it is still important to have thousands of signatures from threat intelligence that operate like a minefield of trip wires. When constantly tuned by an expert team of security researchers, signatures provide a critical baseline for detecting known threats that needs to be a part of every security program for the foreseeable future.

**3\. Use AI Where It Can Be Most Successful**

It is ironic that many cybersecurity professionals who might trust AI to drive their car are skeptical about AI executing remedial containment actions. Automated action, after all, is one of the best ways to make your SecOps team more efficient. Automation frees the creative human mind from getting bogged down in time-consuming operational tasks — which are right in AI's wheelhouse. ML is useful in detecting advanced threats, especially when you can aggregate evidence, and it is also useful when prioritizing alerts from a variety of detectors that may come from different systems. AI can automate low-risk containment actions, such as quarantining suspicious files or requiring users to re-authenticate, which can dramatically increase your SecOps efficiency and lower your cyber-risk.

With all that said, AI/ML cannot be your only cybersecurity strategy — at least, not in 2022. When you are searching for important needles in immense haystacks, the most effective strategy still comes from pairing machine intelligence with the human intuition of expert analysts.

Distinguishing AI Hype From Reality in SecOps

Voice recognition—and data collection—have boomed in recent years. Researchers are figuring out how to protect your privacy.

Your voice reveals more about you than you realize. To the human ear, your voice can instantly give away your mood, for example—it’s easy to tell if you’re excited or upset. But machines can learn a lot more: inferring your age, gender, ethnicity, socio-economic status, health conditions, and beyond. Researchers have even been able to generate images of faces based on the information contained in individuals’ voice data.

As machines become better at understanding you through your voice, companies are cashing in. Voice recognition systems—from Siri and Alexa to those using your voice as your password—have proliferated in recent years as artificial intelligence and machine learning have unlocked the ability to understand not just what you are saying but who you are. Big Voice may be a $20 billion industry within a few years. And as the market grows, privacy-focused researchers are increasingly searching for ways to protect people from having their voice data used against them.

Vocal Threats

Both the words you say and how you say them can be used to identify you, says Emmanuel Vincent, a senior research scientist specializing in voice technologies at France’s National Institute for Research in Digital Science and Technology (Inria), but this is only the beginning. “You will also find other pieces of information about your emotions or your medical condition,” Vincent says.

“These additional pieces of information help build a more complete profile—then this would be used for all sorts of targeted advertisements,” Vincent says. As well as your voice data potentially feeding into the vast realm of data used to show you online ads, there’s also the risk that hackers could access the location where your voice data is stored and use it to impersonate you. A small number of these cloning incidents have already happened, proving the value your voice holds. Simple robocall scams have also recorded people saying “yes” to use the confirmation in payment scams.

Last year, TikTok changed its privacy policies and started collecting the voiceprints—a loose term for the data your voice contains—of people in the US alongside other biometric data, such as your faceprint. More broadly, call centers are using AI to analyze people’s “behavior and emotion” during phone calls and evaluate the “tone, pace, and pitch of every single word” to develop profiles of people and increase sales. “We’re almost in a situation where the systems to recognize who you are and link everything together exist, but the protection is not there—and it’s still quite far away from being readily usable,” says Henry Turner, who researched the security of voice systems at the University of Oxford.

Hidden Meaning

Your voice is produced through a complex process involving the lungs and your voice box, throat, nose, mouth, and sinuses. More than a hundred muscles are activated when you speak, says Rébecca Kleinberger, a voice researcher at the MIT Media Lab. “It's also very much the brain,” Kleinberger says. 

Researchers are experimenting with four ways to enhance privacy for your voice, says Natalia Tomashenko, a researcher at Avignon University, France, who has been studying voice and is the first author of a research paper on the results of a voice privacy engineering challenge. None of the methods are perfect, but they are being explored as possible ways to boost privacy in the infrastructure processing your voice data.

First is obfuscation, which tries to completely hide who the speaker is. Think of a Hollywood depiction of a hacker totally distorting their voice over a phone call as they explain a devilish plot or ransom (or hacktivist collective Anonymous’s promotional videos). Simple voice-changing hardware allows anyone to quickly change the sound of their voice. More advanced speech-to-text-to-speech systems can transcribe what you’re saying and then reverse the process and say it in a new voice.

Second, Tomashenko says, researchers are looking at distributed and federated learning—where your data doesn’t leave your device but machine learning models still learn to recognize speech by sharing their training with a bigger system. Another approach involves building encrypted infrastructure to protect people’s voices from snooping. However, most efforts are focused on voice anonymization.

Anonymization attempts to keep your voice sounding human while stripping out as much of the information that could be used to identify you as possible. Speech anonymization efforts currently involve two separate strands: anonymizing the content of what someone is saying by deleting or replacing any sensitive words in files before they are saved and anonymizing the voice itself. Most voice anonymization efforts at the moment involve passing someone’s voice through experimental software that will change some of the parameters in the voice signal to make it sound different. This can involve altering the pitch, replacing segments of speech with information from other voices, and synthesizing the final output.

Does anonymization technology work? Male and female voice clips that were anonymized as part of the Voice Privacy Challenge in 2020 definitely do sound different. They’re more robotic, sound slightly pained and could—to some listeners at least—be from a different person than the original voice clips. “I think it can already guarantee a much higher level of protection than doing nothing, which is the current status,” says Vincent, who has been able to reduce how easy it is to identify people in anonymization research. However, humans aren’t the only listeners. Rita Singh, an associate professor in Carnegie Mellon University’s Language Technologies Institute, says that total de-identification of the voice signal is not possible, as machines will always have the potential to make links between attributes and individuals, even connections that aren’t clear to humans. “Is the anonymization with respect to a human listener or is it with respect to a machine listener?” says Shri Narayanan, a professor of electrical and computer engineering at the University of Southern California.

“True anonymization is not possible without completely changing the voice,” Singh says. “When you completely change the voice, then it's not the same voice.” Despite this, it is still worth developing voice-privacy technology, Singh adds, as no privacy or security system is totally secure. Fingerprints and face identification systems on iPhones have been spoofed in the past, but overall, they’re still an effective method of protecting people’s privacy.

Bye, Alexa

Your voice is increasingly being used as a way to verify your identity. For example, a growing number of banks and other companies are analyzing your voiceprints, with your permission, to replace your password. There’s also the potential for voice analysis to detect illness before other signs are obvious. But the technology to clone or fake someone’s voice is advancing quickly.

If you have a few minutes of someone’s voice recorded, or in some instances a few seconds, it’s possible to recreate that voice using machine learning—_The Simpsons’_ voice actors could be replaced by deep fake voice clones, for instance. And commercial tools for recreating voices are readily available online. “There’s definitely more work in speaker identification and producing speech to text and text to speech than there is in protecting people from any of those technologies,” Turner says.

Many of the voice anonymization techniques being developed at the moment are still a long way from being used in the real world. When they are ready to be used it’s likely that companies will have to implement tools themselves, to protect their customers' privacy—there’s currently little individuals can do to protect their own voice. Avoiding calls with call centers or companies that use voice analysis, and not using voice assistants, could limit how much your voice is recorded and reduce possible attack opportunities.

But the biggest protections may come from legal cases and protections. Europe’s GDPR covers biometric data, including people’s voices, in its privacy protections. Guidelines say people should be told how their data is being used and provide consent if they’re being identified, and that some restrictions should be placed on personalization. Meanwhile, in the US, courts in Illinois— home to some of the strongest biometric laws in the country—are increasingly inspecting cases involving people’s voice data. McDonald’s, Amazon, and Google are all facing judicial scrutiny over how they use people’s voice data. The decisions in these cases could lay down new rules for the protection of people’s voices.

Tag

#intel