Episode 2: Incident response experts-turned-ransomware negotiators Ed Dubrovsky, COO and managing partner of CYPFER, and Joe Tarraf, chief delivery officer of Surefire Cyber, explain how they interact with cyber threat actors who hold victim organizations' systems and data for ransom. Among their fascinating stories: how they negotiated with cybercriminals to restore operations in a hospital NICU where lives were at stake, and how they helped a church, where the attackers themselves "got a little religion."

Dark Reading Confidential: Meet the Ransomware Negotiators

While Progress has released patches for the vulnerabilities, attackers are trying to exploit them before organizations have a chance to remediate.

Source: Color4260 via Shutterstock

Attackers appear to be pounding away at a couple of critical bugs that Progress Software disclosed this week in its MOVEit file transfer application, with nearly the same ferocity as they did the zero-day flaw the company disclosed almost exactly a year ago.

While patches are available for the new flaws, the big question now for affected organizations is whether they can apply them quickly enough to beat adversaries targeting their systems, especially with a proof-of-concept (PoC) exploit available in the wild.

**Patching Alone Is Insufficient**

Even those that might have already applied updates have more work to do because the original patch that Progress issued for one of the flaws does not mitigate new issues that the software maker discovered after the patch release.

The new MOVEit Transfer vulnerabilities are both improper authentication issues in the SFTP module. They allow an attacker to potentially impersonate any user on an affected instance and take control of it. One of the flaws, tracked as CVE-2024-5806, affects MOVEit Transfer versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2. The other, identified as CVE-2024-5805, affects MOVEit Gateway: 2024.0.0.

When Progress first disclosed CVE-2024-5806 on June 25, the company assigned the flaw a medium-severity score of 7.4 out of a maximum possible 10 on the CVSS scale. Progress quickly upgraded that score to 9.1 after researchers at watchTowr discovered a vulnerability in a third-party component (IPWorks SSH) used in MOVEit Transfer. Progress described the issue as introducing new risks to organizations, including those that might have already applied the patch for CVE-2024-5806.

In an update to its original advisory, Progress urged affected organizations to install the patch and also block public inbound RDP access to MOVEit Transfer servers and limit outbound transfers to only known and trusted endpoints.

An Internet scan that Censys conducted on June 25 unearthed some 2,700 MOVEit Transfer instances online, most of them in the US. Internet scanning entity ShadowServer, which reported observing exploit attempts targeting CVE-2024-5806 almost immediately after Progress disclosed the flaw, identified some 1,800 instances online as of June 27.

**Relatively Easy to Exploit**

"Based on our understanding of the vulnerability, exploitation doesn't appear exceptionally difficult," says Emily Austin, principal security researcher at Censys. In theory, an actor would need to identify an unpatched MOVEit Transfer instance and know a valid username for accessing the service, she says. "While knowing a valid username might seem like a hurdle, a little OSNIT combined with watchTowr researchers' discovery of a method for enumerating valid MOVEit Transfer instance usernames makes this somewhat trivial," Austin notes.

The new flaws come a year after Progress disclosed CVE-2023-34362, a SQL injection zero-day vulnerability in MOVEit Transfer that ranked as one of the most widely exploited flaws of 2023. The Cl0p ransomware group, which claimed credit for discovering the flaw, was among the many that exploited it with devastating affect last year.

Affected organizations cannot afford to delay given how widely they are being targeted, says Mike Walters, president and co-founder of Action1. "The consequences can be devastating because these vulnerabilities allow an attacker to take over the server," Walters says. "With a CVSS score of 9.1 and a PoC available, the vulnerability will likely be added to the toolkit of leading APT groups rather quickly." If the companies that were attacked last time have not ramped up their information security in any way, the consequences for them could well be the same as last time, he warns.

Austin says CVE-2024-5806 is somewhat more complex than the SQL injection bug in MOVEit Transfer that Cl0p exploited throughout 2023. Even so, instance administrators should still take the new flaw very seriously and follow mitigation guidance provided by Progress Software, she says.

"We don't have a way to see exploitation or patch status of MOVEit Transfer instances, but we know that as of Tuesday, June 25, 2024, there are 2,700 MOVEit Transfer instances exposed to the Internet," Austin says. "This is very similar to the number of MOVEit Transfer exposures we observed around this time last year, suggesting that the tool is still widely used in spite of various security issues."

**Cause for Optimism?**

Despite the severity of the threat, there is still some optimism that the new flaws that Progress disclosed this week — especially CVE-2024-5806 — won't cause quite as much damage as last year's SQL injection flaw because patches are already available.

At this time, it seems unlikely that the exploitation of this vulnerability will be as widespread as last year's massive campaign exploiting CVE-2023-34362, says Paul Prudhomme, principal security analyst at SecurityScorecard. "That was a zero-day vulnerability, giving threat actors more time to exploit it before a patch became available," he says. "In this case, threat actors have less time because patches are already available; the most that they can do is take advantage of organizations’ delays in patching it, so this window of time is crucial to minimizing its impact."

Prudhomme reiterates that patching alone is not sufficient against vulnerabilities such as CVE-2024-5806. "A layered security approach, combining patching with threat intelligence and proactive risk management, is essential," he says. "Organizations can build resilience against evolving cyber threats by prioritizing a multifaceted approach to security.”

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

MOVEit Transfer Flaws Push Security Defense Into a Race With Attackers

Wireless service providers prioritize uptime and lag time, occasionally at the cost of security, allowing attackers to take advantage, steal data, and worse.

Source: peter galleghan via Alamy Stock Photo

Mobile devices are at risk of wanton data theft and denial of service, thanks to vulnerabilities in 5G technologies.

At the upcoming Black Hat 2024 in Las Vegas, a team of seven Penn State University researchers will describe how hackers can go beyond sniffing your Internet traffic by literally providing your Internet connection to you. From there, spying, phishing, and plenty more are all on the table.

It's a remarkably accessible form of attack, they say, involving commonly overlooked vulnerabilities and equipment you can buy online for a couple of hundred dollars.

**Step 1: Set Up a Fake Base Station**

When a device first attempts to connect with a mobile network base station, the two undergo an authentication and key agreement (AKA). The device sends a registration request, and the station replies with requests for authentication and security checks.

Though the station vets the phone, the phone does not initially vet the station. Its legitimacy is essentially accepted as a given.

"Base stations advertise their presence in a particular area by broadcasting 'sib1' messages every 20 milliseconds, or 40 milliseconds, and none of those broadcast messages have authentication, or any kind of security mechanisms," explains Penn State assistant professor Syed Rafiul Hussain. "They're just plaintext messages. So there's no way that a phone or a device can check whether it's coming from a fake tower."

Setting up a fake tower isn't as tall a task as it might seem. You just need to mimic a real one using a software-defined radio (SDR). As Kai Tu, another Penn State research assistant points out, "People can purchase them online — they're easy to get. Then you can get some open source software (OSS) to run on it, and this kind of setup can be used as a fake base station." Expensive SDRs might cost tens of thousands of dollars, but cheap ones that get the job done are available for only a few hundred.

It might seem counterintuitive that a small contraption could seduce your phone away from an established commercial tower. But a targeted attack with a nearby SDR could provide even greater 5G signal strength than a tower servicing thousands of other people at the same time. "By their nature, devices try to connect to the best possible cell towers — that is, the ones providing the highest signal strength," Hussain says.

**Step 2: Exploit a Vulnerability**

Like any security process, AKA can be exploited. In the 5G modem integrated in one popular brand of mobile processor, for example, the researchers found a mishandled security header that an attacker could use to bypass the AKA process entirely.

This processor in question is used in the majority of devices manufactured by two of the world's biggest smartphone companies. Dark Reading has agreed to keep its name confidential.

After having attracted a targeted device, an attacker could use this AKA bypass to return a maliciously crafted "registration accept" message and initiate a connection. At this point the attacker becomes the victim's Internet service provider, capable of seeing everything they do on the Web in unencrypted form. They can also engage the victim by, for example, sending a spear phishing SMS message, or redirecting them to malicious sites.

Though AKA bypass was the most severe, the researchers discovered other vulnerabilities that would allow them to determine a device's location, and perform denial of service (DoS).

**How to Secure 5G**

The Penn State researchers have reported all the vulnerabilities they discovered to their respective mobile vendors, which have all since deployed patches.

A more permanent solution, however, would have to begin with securing 5G authentication. As Hussain says, "If you want to ensure the authenticity of these broadcast messages, you need to use public key infrastructure (PKI). And deploying PKI is expensive — you need to update all of the cell towers. And there are some non-technical challenges. For example, who will be the root certificate authority of the public keys?"

It's unlikely that such an overhaul will happen any time soon, as 5G systems were knowingly built to transmit messages in plaintext for specific reasons.

"It's a matter of incentives. Messages are sent in milliseconds, so if you incorporate some kind of cryptographic mechanism, it will increase the computational overhead for the cell tower and for the user device. Computational overhead is also associated with time, so performance-wise it will be a bit slower," Hussain explains.

Perhaps the performance incentives outweigh security ones. But whether it be via a fake cell tower, Stingray device, or any other means, "They all exploit this feature — the lack of authentication of the initial broadcast messages from the cell towers."

"This is the root of all evil," Hussain adds.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Your Phone's 5G Connection Is Vulnerable to Bypass, DoS Attacks

The attacks infiltrate enterprise networks through browsers, and show an evolution in evasive and adaptive tactics from well-resourced state-sponsored actors.

Source: Rawpixel.com via Shutterstock

Three novel credential-phishing campaigns have emerged from state-sponsored actors that have compromised at least 40,000 corporate users — including top-level executives — in just three months' time, researchers have found.

The attacks target a range of industries and enter corporate environments through browsers, allowing them to get past network infrastructure security controls and cloud network services and demonstrating an evolution in capabilities on the part of adversaries, according to researchers from Menlo Security who discovered them.

The campaigns — called LegalQloud, Eqooqp, and Boomer — are characterized by their deployment of what the researchers call highly evasive and adaptive threat (HEAT) attack techniques that can circumvent controls such as multifactor authentication (MFA) and URL filtering.

Tactics used by the campaigns include bypassing MFA and using phishing kits and adversary-in-the-middle (AitM) tactics to take over user sessions; impersonating entities, primarily Microsoft, familiar to or associated with the organizations targeted; and using dynamic phishing links that make it hard for filtering technologies to track and thus detect.

"These are challenging new tactics, and security practitioners must augment controls and take care to address them immediately," according to the report. "These sophisticated attacks magnify concerns about the effectiveness of traditional network security controls such as secure service Edge (SSE), secure Web gateways (SWG), and endpoint detection and response (EDR)."

**State-Sponsored Actors Get Aggressive**

The campaigns are aimed exclusively at credential phishing, with evidence to connect them to China-sponsored threat actors who are targeting the US and private enterprise in "aggressive cyber espionage efforts, posing an alarming risk to national security and pilfering innovation," according to the report. However, though researchers have established some attribution to a group previously tracked by Microsoft as Storm-1101/DEV-1101 — known for its development of AitM tactics that are used in the campaigns — it's not entirely clear exactly to which nation the attacks are linked.

All told, the campaigns targeted more than 3,000 unique domains across more than 10 industries and government institutions, and six out of 10 malicious links that users clicked on were connected to some kind of phishing campaign or fraud, with one of four of phishing links getting past legacy URL filtering, the researchers found.

Overall, this activity demonstrates how "nation-state cyber actors are constantly refining their methods to make their attacks more sophisticated and adaptable," notes Patrick Tiquet, vice president, security and architecture, at Keeper Security. This, in turn, means enterprises must accept that "adapting cybersecurity strategies is an ongoing process that demands flexibility and agility," he says.

**Specific Credential-Stealing Campaigns**

Though the campaigns have similarities, each has its own unique set of targets and tactics, all with the ultimate goal of extracting credentials from corporate users for further malicious purposes, primarily cyber-espionage.

LegalQloud, so-named because it impersonates legal firms to steal Microsoft credentials, targeted 500 enterprises in 90 days and is exclusively hosted on Tencent Cloud, which is from the largest Internet company in China. This hosting enables the URLs to bypass traditional categorization and allow-list controls, the researchers said.

Eqooqp has been targeting multiple government and private sector organizations — including logistics, finance, petroleum, manufacturing, higher education, and research firms — with AitM attacks that can defeat MFA. Menlo found nearly 50,000 attacks associated with the campaign, which uses malicious HTML attachments or links to pages that mimic Microsoft to phish credentials.

Another phishing campaign, Boomer, is especially intricate, targeting the government and healthcare sectors with advanced evasive techniques that include dynamic phishing sites, custom HTTP headers, tracking cookies, bot-detection countermeasures, encrypted code, and server-side generated phishing pages.

"Boomer uses server-side generated phishing pages for rapid campaign deployment and modification, enhancing the campaign’s ability to evade traditional security tools, indicating a higher level of skill," according to the report. "Boomer also includes properly configured security headers, such as X-XSS-Protection, and uses legitimate libraries, like Font Awesome for icons."

The campaign's Web application also employs a hidden iframe that's designed to detect bots and scan automation as a further advanced evasion tactic, the researchers found.

**Demand for Stronger Defense**

What all this amounts to is that organizations continue to have their work cut out for them to keep up with the evolving nature of attacks, especially from well-resourced state-sponsored actors, security experts say.

AitM attacks in particular — in which attackers deploy a proxy server between a target user and the website the user wishes to visit — "are the future of cybercrime," notes one security expert, and will be a particular thorn in the side of organizations' security strategies going forward.

"\[They\] are extremely effective and much harder to trace and prevent compared to traditional social engineering attacks," says Mika Aalto, co-founder and CEO at human risk management platform firm Hoxhunt.

And while they historically have been technically difficult to achieve for attackers, their recent prevalence shows that threat actors are quickly navigating this barrier, which will bring on "a wave of serious breaches from AitM-integrated credential harvesters, BECs, and ransomware," he says.

"The bottom line is, you have to accept that some attacks will get through to your users and thus you must do your best to prepare them for that fateful moment," Aalto says. "Security awareness and phishing training must keep pace with the latest threats so that people understand AitM and dynamic phishing, and they know how to spot these attacks and stay safe. Indeed, as cybersecurity is now a matter of national security and not just about protecting an organization's own data, it must be treated with the highest priority," Tiquet observes.

This requires organizations to embrace a zero-trust framework that "must evolve alongside technological advancements, workflow changes and shifts in the threat landscape," Tiquet says, and be continually refined and adapted "to ensure it remains effective in mitigating risks and protecting sensitive information."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

China-Sponsored Attackers Target 40K Corporate Users in 90 Days

CISA outlines how modern cybersecurity relies on network visibility to defend against threats and scams.

Source: The X FilePhoto via Adope Stock Photo

The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and similar entities in New Zealand, has issued guidance on modern approaches to network access security. With the growing number of breaches and data incidents, organizations need to be thinking about, and planning to adopt, modern firewall and network access management technologies to gain visibility over the network.

CISA lays out three specific approaches its guidance: zero trust, secure service edge (SSE), and secure access service edge (SASE). The guidance also tackles remote access, virtual private network (VPN) deployment, and remote access misconfiguration, as well as threats and vulnerabilities associated with VPN and conventional remote access deployments.

*   Zero trust: Based on the principle "never trust, always verify," the zero-trust approach focuses on making sure users are authenticated, authorized, and validated before providing access to data and applications. Implementing zero trust can cut the risk of data breaches by around 50%, CISA said.
    
*   SSE: SSE combines features such as cloud access security brokers (CASBs), secure Web gateways (SWGs), and zero-trust network access (ZTNA). Organizations using SSE witnessed a 40% reduction in security incidents and a 30% improvement in network performance, CISA said.
    
*   SASE: SASE broadens SSE's functionality to provide users with secure, optimized access to data and applications, regardless of their physical locations. Deploying SASE improves network agility by 35% and reduces operational costs by 25%, according to CISA.
    

**Network Best Practices**

CISA and its partners also recommended ways to optimize network security:

*   Continuous monitoring and assessment: Organizations need to implement continuous monitoring to identify user activity and network traffic to detect and respond to threats in real time.
    
*   Multifactor authentication (MFA): As several recent breaches have shown, adding MFA for an extra layer of user authentication will help block many security threats.
    
*   Regular security audits: Look for vulnerabilities by conducting regular security audits and penetration testing on the network.
    

**About the Author(s)**

CISA Releases Guidance on Network Access, VPNs

By committing to build secure habits at work and in our personal lives, and to helping others do the same, our personal information will be much better protected.

Source: Aleksey Funtap via Alamy Stock Photo

COMMENTARY

In the world of cybersecurity, we often hear the saying, "It's not a matter of if, but when." While this is said mostly in reference to security breaches, it could also be used to remind us that secure social habits reduce the likelihood of those breaches happening in the first place.

Throughout my career in cybersecurity, I've observed a high level of security carelessness, even among security professionals. This is problematic because one individual's insecure behavior can cause others to be less secure as well. Remember the human behavior studies that showed the tendency to litter is higher if a person sees litter all around them? It's the same for cybersecurity. If we see insecure behaviors all around us, we are less motivated to improve security practices.

The good news is that change can truly happen, and it can start with one person: you.

**What Are Secure Social Norms, and Why Create Them?**

Social norms typically are informal, unwritten rules that guide acceptable behavior among members of a group or society. Secure social norms can be established at two levels: The general level that focuses on what everyone needs to know about protecting information, and the role-based level that pertains to groups of people performing specific tasks.

Consider the example of protecting personal identifiable information (PII). While organizations are bound to protect the personal information of their employees and customers, it is up to individuals to take action to secure their data, and to help others learn how to do so as well. Not doing this can lead to financial loss, identity theft, and so much more.

Security professionals have a unique opportunity to transform security awareness concepts into social norms and actions. By doing so, we elevate the security culture all around us. Now is the time to step up and become the team member who practices secure behaviors and inspires others to do the same.

**Steps for Establishing Secure Social Norms**

Below are some practices security practitioners can adopt to establish secure social norms for ourselves and everyone around us.

**1\. Make data security relatable and actionable.**

Launching a security awareness campaign that helps people understand PII in tangible, everyday terms can be a great way to teach people how to protect their personal data. Always use brief, clear language to explain security words and topics. When sharing tips and best practices, provide examples. And be sure to spell out the specific actions to take to be more secure, as well as the positive impact it can have.

**2\. Educate people on what constitutes PII and how to protect it.**

The more we use apps and websites, the more important it is to know how our personal information can be accessed, how it might be used, and when we should not share it. Below are some key examples to help develop a security mindset:

*   Safeguard the primary identifier. A Social Security number is the critical primary identifier of an individual within the United States. If you reside outside the US, find out what the primary identifier is for your country.
    
*   Protect your banking information. Your bank account number should be carefully protected. A stolen bank account number can be used to commit fraud on fintech platforms.
    
*   Know other elements that can be considered PII. Your IP address, school, and degree are all PII. When isolated, this information may not be used to identify you. However, when collected and used together, it can pinpoint you.
    
*   Set up multifactor authentication. Adding multifactor authentication is an easy way to protect your accounts. However, numerous organizations ask only for usernames and passwords. This lack of focus on using strong credentials is disappointing. Stolen PII can be used to take over an individual's identity in order to open bank accounts, apply for loans, and more. 
    
*   Beware of social engineering scams. Phishing messages from senders who impersonate close friends and family are common ways fraudsters target individuals. Read the Federal Trade Commission's guidance to learn how to protect yourself.
    
*   Build consistent and secure social norms at places you frequent often. You might not think about protecting your data when going to the supermarket. However, be wary when the checkout clerk asks for your phone number or email address. Don't be embarrassed to ask why they need this information. Develop a habit of being inquisitive about such requests.
    
*   Protect your data when seeking expert advice. If you are looking for professional support like tax or legal services, ask them how they protect your information. Some services may not have the bandwidth to focus on customer data security. Go with a reputable firm that has a lot at stake.
    
*   Safeguard protected health information (PHI). PHI is information in a medical record or designated record set that was created, used, or disclosed in the course of providing a health care service and can be used to identify an individual. 
    
*   Develop a habit of knowing the privacy policy of any website where you open an account. Most websites are required to ask how you want your data to be shared. Choose the option that protects you the most.
    
*   Obtain an identity protection service. It's a no-brainer. It's advisable to freeze your credit in all three credit bureaus: Equifax, Experian, and Transunion. This option is available free of charge and ensures that no new accounts can be fraudulently opened. It isn't sufficient to get protection from just one of the credit bureaus — you need all three.
    

**You Can Make a Difference**

We know much more about security today; the issue is that we don't act on it. If we commit to build secure habits and help others do the same, we can be much better protected. If we don't take action, the costs and its outcome will be significant. Instead of simply hearing about someone else's security breach, we will be the ones affected. Remember, it's not a matter of if, but when.

This content is not intended to provide tax, legal, or financial advice. Please consult your adviser with any questions.

**About the Author(s)**

Director of Information Security, BILL

Sriram Dandapani is a seasoned cybersecurity leader with a strong engineering background and a passion for executing enterprise-wide initiatives critical to the infrastructure. Sriram also enjoys mentoring early-in-career security practitioners and dedicates his time to building security awareness with the engineering community. Before joining BILL, Sriram held leadership and senior technical positions at Lifelock, Nimble Storage, and BT Counterpane. Sriram has a master's in computer science (data science) from the University of Illinois Urbana, Champaign, and has obtained the Stanford LEAD professional certificate for driving innovation and change.

Achieve Next-Level Security Awareness by Creating Secure Social Norms

PRESS RELEASE

DENVER — June 25, 2024 — Optiv, the cyber advisory and solutions leader, has published its 2024 Threat and Risk Management Report, which examines how organizations’ cybersecurity investments and governance priorities are keeping up with the evolving threat landscape. 

Based on an independent Ponemon Institute survey, the report reveals a 59% increase in cyber budgets year-over-year. Additionally, 63% of organizations with more than 5,000 employees had an average of $26 million allocated to cybersecurity investments in 2024.

The report shows a significant rise in data breaches and security incidents, with 61% of respondents experiencing a data breach or cybersecurity incident in the past two years, and 55% of respondents experiencing four or more incidents in that timeframe. These numbers highlight the urgent need for organizations to further prioritize cybersecurity investments and strategies.

Download the full report: 2024 Cybersecurity Threat and Risk Management Report

“Cyber incidents are not slowing down, which means organizations must work at a speed above those of the threat actors attacking their environments. As we see security budgets increasing, many organizations are also recognizing the need to make smart investments in process and governance assessments to ensure compliance,” says Jason Lewkowicz, executive vice president and chief services officer at Optiv. “Establishing a more consistent, strategic approach to security technology, process and people management will be essential for organizational risk management and resilience.”

Additional key findings include:

*   Security Tool Overload — While organizations are investing in more technologies, 40% of respondents believe they have too many, hindering overall effectiveness. By contrast, only 29% feel that they have the right number of tools. This underscores the need for a strategic approach to cybersecurity investment, focusing on streamlining existing tools and ensuring a seamless technology stack integration.
    
*   Top Investment Areas — The top three areas of investment for 2024 cybersecurity budgets are internal security assessments (60%), identity and access management (IAM) programs (58%) and the acquisition of additional cybersecurity tools (51%).
    
*   Lack of Formal Budgeting Practices — Despite increasing budgets, only 36% of respondents have a formal approach to determining cybersecurity budgets. This lack of formal budgeting practices can lead to inefficiencies and missed opportunities to address critical security gaps.
    
*   Rising SOAR Adoption — The use of security orchestration automation and response (SOAR) technology is increasing, with 73% of respondents leveraging SOAR to automate incident response activities. This automation can help security teams respond more efficiently to threats. 
    

Artificial intelligence (AI) and machine learning (ML) capabilities are another growing focal area for cybersecurity organizations looking for ways to accelerate their threat detection, prevention and process automation capabilities to keep up with threat actors who are also using these tools.

More companies are leveraging AI in the form of use and prevention:

*   44% of respondents use AI/ML to prevent cyberattacks
    
*   35% purchased use-case specific tools
    

*   34% use automated processes and audits
    

Optiv’s report delves deeper into best practices employed by high-performing organizations, offering valuable insights for those seeking to strengthen their cyber defenses. It also explores additional challenges, such as the inconsistency of cybersecurity incident response plans (CSIRPs), navigating cyber insurance/governance requirements and the need for improved communication of cybersecurity risks to senior management.

“Our independent research for Optiv reveals the positive steps organizations are taking to reduce risk, while also addressing the challenges they face in the evolving cyber threat landscape,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Part of the complexity organizations continue to face in dealing with threats is due to the number of ineffective technology tools. Recognizing this, IT professionals and senior leadership are becoming more cognizant of the importance in strengthening their security posture, resulting in the increase of cybersecurity budgets and allocating funds based on proven effectiveness in reducing security incidents.”

Findings from Optiv’s report are based on responses from 650 IT and cybersecurity professionals.

For the latest news and updates from Optiv, visit https://www.optiv.com/company/optiv-newsroom.

You May Also Like

Optiv Report Shows Nearly 60% Increase in Security Budgets as Most Organizations Report Cyber Breaches and Incidents

In this Black Hat USA preview, scholar Jason Healey examines strategies for measuring and shifting the balance of cyber defense.

Source: Ronstik via Alamy

Defenders are perpetually playing catch-up to attackers. For every security innovation or new technology introduced, cybercriminals develop just as many tricks to bypass them. This ongoing struggle will be the focus of an upcoming presentation at Black Hat USA 2024, this August in Las Vegas, by Jason Healey, a senior research scholar at Columbia University.

"For over 50 years, we've known that the red team always gets through," Healey says. "Despite the billions of dollars spent, thousands of patents filed, and countless hours worked, defense hasn't notably improved relative to offense."

Last year's publication of the US National Cybersecurity Strategy marked a significant milestone, setting a new goal to enhance defense at the largest scale and least cost. However, Healey argues that progress means little without measurable indicators to determine whether defense is gaining relative advantages over offense.

Healey's session at Black Hat — titled "Is Defense Winning?" — will introduce several key indicators to assess whether the balance is shifting in favor of defense.

"Many of these indicators, such as changes to mean time to detect \[MTTD\], are already collected by the community," he says. "Others, like measuring the mean time between catastrophes, might need to be fresh."

Drawing parallels with climate change metrics, Healey says there is a need for a similar holistic approach to security as well.

"Just as climate experts track CO2 levels and temperature changes, we need macro-level indicators to understand cyberspace as a whole," he says.

**Measuring Success in Cyber Defense**

Healey played a role in drafting the National Cybersecurity Strategy, which incorporates the concept of defensibility and leverage. He believes systemic changes, such as automated updates, over individual actions, like user education or isolated security measures, will be more important in affecting change for defenders.

"We need to find areas where the smallest turn of the screwdriver will have the largest impact," he says.

One of the critical challenges Healey addresses is how to measure success in cyber defense. He proposes several propositions and indicators to gauge progress, including the ability of threat actors to adapt their tactics, techniques, and procedures (TTPs).

"We would want to see them having to rapidly change their TTPs because we're thwarting them," he says.

Healey also calls for the cybersecurity community to leverage existing reports, such as Verizon's annual data breach report and Google's zero-day reports, to establish defensibility metrics.

"Companies like Veracode already report relevant metrics, but they need to be presented in time series to track trends," he says.

**Achieving New Indicators for Defense**

Healey's ultimate goal is to inspire the cybersecurity community to strive for measurable improvements. His presentation aims to spark a crucial conversation about the effectiveness of current strategies and the importance of setting tangible goals, challenging attendees to reflect on their collective impact.

"We need to set reasonable targets, like reducing the mean time to detect and dwell time to less than 24 hours by 2030," Healey says. "Are we actually making the difference we say we want to have in the world?"

By introducing new indicators and drawing on lessons from other fields, Healey aims to equip defenders with the tools they need to shift the balance in their favor. The date and time for Healey's presentation will be published soon.

**About the Author(s)**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Is Defense Winning? A Look at Decades of Playing Catch-up

PRESS RELEASE

SANTA CLARA, Calif., June 25, 2024 /PRNewswire/ -- Netskope, a leader in Secure Access Service Edge (SASE), today published new global research that finds that shifts in the cyber threats landscape have changed the way today's Chief Information Security Officers (CISO) evaluate their business' risk appetite. Specifically, 92% of CISOs report that these changes are creating tensions with their CEO and other members of the C-suite, and two-thirds (66%) say they are "walking a tightrope" between what the business wants and what makes sense from a security perspective.

The research surveyed more than 1,000 CISOs around the world to explore the evolution of the CISO role as a strategic member of the executive team. Contradicting legacy stereotypes of the CISO as inherently risk averse, only 16% of today's CISOs classified their current risk appetite as low. In fact, CISOs see their CEOs as much more risk averse than themselves, with twice as many respondents (32%) perceiving their CEO as having a low-risk appetite.

Other findings expand upon the changing role of the CISO:

*   Over half of the CISOs who participated in the research (57%) said their appetite for risk has increased in the last five years. This may be despite the increasing volume and sophistication of cyber threats, or because of it: 74% state that a first-hand experience of a cyber security incident was important in impacting their risk comfort levels.
    
*   Better access to data and analytics (76%) was the top reason given for their shift in risk appetite.
    
*   Two thirds of CISOs (65%) now describe their responsibility in terms of improving business resilience, rather than managing cyber risk.
    
*   However, 23% of participating CISOs strongly agree that other members of the C-suite currently fail to see that the CISO role makes innovation possible.
    

The rise of the progressive CISO

Two thirds (65%) of CISOs surveyed believe the CISO role is changing rapidly, and they report becoming more proactive and progressive, a trend driven by the adoption of modern technology that creates new possibilities for driving innovation and business impact: 

*   Just 36% of CISOs see themselves playing a "protector" role primarily focused on defending the organization.
    
*   In contrast, 59% of CISOs now consider themselves to be business enablers, with 67% stating that they want to play an even more active role going forward.
    
*   66% wish they could say "yes" to the business more often.
    

James Robinson, Netskope's own CISO commented:

"The research makes it clear that CISOs are generally hungry to play a more proactive role that enables innovation while also protecting the business. In my experience, the best way to make CISOs more proactive partners across the C-suite is to gain deep understanding of the business challenges C-suite colleagues are focused on solving and align those to security strategies, rather than attempt to assert security strategy - or individual technology choices - on what is perceived to be C-suite risk appetite."

"Too often this alignment doesn't occur among enterprise teams. But CISOs who are able to define the ways in which they are helping their C-suite peers to acquire new revenues, drive efficiencies, and navigate regulatory requirements will be recognized as valuable contributors at the highest levels." 

Discussing the research, Steve Riley, Field CTO at Netskope, said:

"With business technology and cyber threats evolving at a faster pace than ever, it is encouraging to see that CISOs are increasingly progressive in their thinking. CISOs clearly no longer feel the need to lock down access completely if it is to the detriment of the business."

"However, our findings show that the wider C-suite is not always ready for CISOs to break out of their traditional role as the protector of the business. To truly enable secure innovation and business transformation, security leaders need to bring their colleagues on the journey with them and help them to understand how buzz phrases like zero trust actually contribute to strategies that strike a balance between staying secure and getting work done."

The research was conducted on behalf of Netskope by Censuswide and interviewed 1,031 CISOs worldwide across five markets (UK, North America, France, Germany, Japan) in a wide range of sectors including healthcare, retail, finance, and industry.

Please find the full report including additional insights into CISOs attitudes of industry trends here.

About Netskope  
Netskope, a global SASE leader, helps organizations apply zero trust principles and AI/ML innovations to protect data and defend against cyber threats. Fast and easy to use, the Netskope One platform and its patented Zero Trust Engine provide optimized access and real-time security for people, devices, and data anywhere they go. Thousands of customers trust Netskope and its powerful NewEdge network to reduce risk and gain unrivaled visibility into any cloud, web, and private application activity—providing security and accelerating performance without trade-offs. Learn more at netskope.com.

CISOs Growing More Comfortable With Risk, But Better C-Suite Alignment Needed

PRESS RELEASE

CAMBRIDGE, Mass., June 25, 2024 /PRNewswire/ -- Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, announces the company has completed its acquisition of application programming interface (API) security company, Noname Security. On May 7, Akamai announced an agreement between the two parties for Akamai to acquire the company in exchange for approximately $450 million.

Noname, one of the top API security vendors in the market, is expected to accelerate Akamai's ability to meet growing customer demand and market requirements as the use of APIs continues to expand. Specifically, Akamai will be able to extend protection across all API traffic locations, no matter the business, integration, or deployment requirements customers may have. Akamai also expects to gain greater scale with Noname's additional sales and marketing resources, and established channel and alliance relationships.

For more information, visit the Akamai application and API security page and the Akamai blog.

About Akamai

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away. Learn more about Akamai's cloud computing, security, and content delivery solutions at akamai.com and akamai.com/blog, or follow Akamai Technologies on X, formerly known as Twitter, and LinkedIn.

You May Also Like

Source

DARKReading