Aiming to give threat hunters a list of popular attack tactics, a cybersecurity team analyzed collections of real-world threat data to find attackers' most popular techniques.

An analysis of threats encountered by four organizations has identified the most common techniques used by attackers to compromise systems, infiltrate networks, and steal data, according to data analysts at Splunk SURGe, which published details of the research on Dec. 14.

The analysis used published data from Mandiant, Red Canary, MITRE's Center for Threat Informed Defense, and the US Cybersecurity and Infrastructure Security Agency (CISA) to find the most popular post-compromise threat activities, as defined by the MITRE ATT&CK framework. Threat groups that gain access to a compromised system, for example, are likely (28% of the time) to start up the PowerShell command line utility to extend their attack laterally throughout a network and to gain persistence on the compromised machine, the analysis found.

The use of PowerShell, obfuscating files, and exploiting public-facing applications are the three most popular techniques for attackers, the analysis found. Using the data, security operations center (SOC) managers can ensure that they are focused on detecting common tactics, says Ryan Kovar, distinguished security strategist and leader of Splunk’s SURGe research team.

"A lot of times, SOC analysts don't know where to start, and these are the areas where four trusted sources are saying they see adversaries consistently using these techniques," he says. "I talk to a lot of people around the world, and they do not have logging turned on for PowerShell, and if you do not have logging for PowerShell you are never going to see what is arguably the No. 1 adversary technique according to these four groups."

    

The rankings of the top four techniques by data set. Source: Splunk

The analysis effort combined data on cyberattacks from multiple industries and multiple years, including more than 400 techniques from the MITRE ATT&CK framework and more than 100 techniques targeting industrial control systems (ICS).

The analysis comes at a time when attackers are shifting toward using more stealthy tactics and hands-on intrusion techniques, making the training of SOC analysts increasingly important. In the past year, for example, cybersecurity services firm CrowdStrike has seen a small but measurable increase in targeted attacks, which now account for 18% of all attacks. In addition, attackers are eschewing malware in their attacks, with 71% of intrusions investigated by the firm not using malicious tools.

For defenders, finding ways to detect attacks remains difficult, Splunk researchers stated in the analysis.

"It has never been more difficult to decide which threats deserve the most attention," the analysis stated. "A sound defensive approach to directing analysis efforts should be data-driven, focusing on the trends and progression of attacker tradecraft, such as represented in ATT&CK."

**PowerShell, Obfuscated Files Top Tactics**

The top four tactics used by intruders includes using PowerShell as a command shell and script interpreter and attempting to obfuscate files and commands to remain stealthy. Using vulnerabilities in public-facing applications is the third most common technique, while spear-phishing attacks are the No. 1 initial access technique, according to Splunk's analysis.

The company plans to expand the list to a top 20 most common tactics, allowing security teams to discuss whether they can detect the techniques and how best to use their current tools to do so.

A critical part of the effort should be to game out each technique, how it could be detected, and whether the current information, telemetry, and logs are able to detect attackers who use the technique. Determining which logs and telemetry to track is the hard part, Kovar says.

"Find all the ways to log and show that information because every vendor and company has such different information and different platforms," he says. "That is where the hard work comes in, and for a lot of people, they know what they want to do, but they just don't know where to start."

**Easing the Pain for Threat Hunters**

By focusing on the attack techniques most commonly used by attackers, SOCs and security teams should have more information about how to improve their programs and better detect attackers.

Easing the work of SOC analysis is critical. A year-old survey found that 72% of SOC analysts rated the pain of doing their jobs at least a 7 out of 10.

In the end, Splunk's SURGe team aims to give cybersecurity professionals a way to harden their networks against attacks. Tackling the top 20 list of attacker tactics and ensuring that the SOC can detect every technique is a great way to begin 2023, Kovar says.

"Your mileage may vary," he adds, "but I am very confident that if you want to start your threat hunting program in a couple areas and want an immediate return on investment, this is where you can start."

Analysis Shows Attackers Favor PowerShell, File Obfuscation

Deloitte's Future of Cyber study highlights the fact that cybersecurity is an essential part of business success and should not be limited to just mitigating IT risks.

Cyber threats should no longer be viewed as just an IT problem, but also a business problem, Deloitte said in its latest Future of Cyber study. Operational disruption, loss of revenue, and loss of customer trust are the top three significant impact of cyber incidents. More than half, or 56%, of respondents told Deloitte they suffered related consequences to a moderate or large extent.

In 2021, the top three negative consequences from cyber incidents and breaches were operational disruption, which includes supply chain and the partner ecosystem, intellectual property theft, and a drop in share price. While operational disruption remained the top concern in 2022, loss of revenue and loss of customer trust and negative brand impact moved up in importance. Intellectual property theft and drop in share price dropped to eighth and ninth (out of ten) in ranking. Losing funding for a strategic initiative, loss of confidence in the integrity of the technology, and impact on employee recruitment and retention moved up in ranking in 2022. Respondents were also asked to mark two consequences they felt would be most important in 2023: Operational disruption and loss of revenue topped the list.

"Today, cyber means business, and it is difficult to overstate the importance of cyber as a foundational and integral business imperative," Deloitte noted in its report. "It \[cyber\] should be included in every functional area, as an essential ingredient for success—to drive continuous business value, not simply mitigate risks to IT."

**Cyber Maturity Matters**

Deloitte categorized organizations' cybersecurity maturity based on their adoption of cyber planning, risk management, and board engagement. Risk management included activities such as industry benchmarking, incident response, scenario planning, and qualitative and quantitative risk assessment. Whether or not the organization adopted any of these three practices hinged on stakeholders recognizing the importance of cyber responsibility and engagement across the whole organization, Deloitte said in its report. Examples included having a governing body that comprises IT and senior business leaders to oversee the cyber program, conducting incident-response scenario planning and simulation at the organizational and/or board level, regularly providing cyber updates to the board to secure funding, and conducting regular cyber awareness training for all employees.

In the analysis, 21% of organizations were considered high maturity, as they adhered to two or three of the key practices, and 41% of organizations were categorized as medium maturity for adhering to one of the practices. The remainder, or 38%, were low maturity, as they did not adhere to any of practices identified by Deloitte.

According to Deloitte, 91% of organizations reported at least one cyber incident or breach, but low maturity organizations tended to experience more significant cybersecurity events (6 or more events).

There were some differences based on the organization's maturity in what kind of issues they were concerned about. High-maturity organizations seem more concerned about cybercriminals and terrorists, as well as phishing, malware, and ransomware. Medium-maturity and low-maturity organizations were more concerned about denial-of-service attacks.

High maturity organizations are doing more when it comes to engaging leadership, planning, and acting, and they are seeing results in areas typically not associated with cybersecurity, such as increased efficiency, resiliency, and agility, Deloitte noted. Nearly 70% of high maturity organizations said their cybersecurity posture had an impact on enhancing trust and enabling efficiency throughout the organization. And 65% of the high maturity organizations cited resilience and agility as the benefits they are seeing as a result of their cybersecurity activities. More than half of the leaders of these high maturity organizations said their cybersecurity activities gave them confidence to take on new initiatives, compared to 45% for medium-maturity organizations and 40% for low-maturity organizations, Deloitte found. Cybersecurity also helped with the bottom line: 47% of high maturity organizations claimed their cybersecurity initiatives helped increase revenue.

Cybersecurity Drives Improvements in Business Goals

Here's what you need to patch now, including six critical updates for Microsoft's final Patch Tuesday of the year.

Microsoft has released fixes for 48 new vulnerabilities across its products, including one that attackers are actively exploiting and another that has been publicly disclosed but is not under active exploit now.

Six of the vulnerabilities that the company patched in its final monthly security update for the year are listed as critical. It assigned an important severity rating to 43 vulnerabilities and gave three flaws a moderate severity assessment. 

Microsoft's update includes patches for out-of-band CVEs it addressed over the past month, plus 23 vulnerabilities in Google's Chromium browser technology, on which Microsoft's Edge browser is based.

**Actively Exploited Security Bug**

The flaw that attackers are actively exploiting (CVE-2022-44698) is not among the more critical of the bugs for which Microsoft released patches today. The flaw gives attackers a way to bypass the Windows SmartScreen security feature for protecting users against malicious files downloaded from the Internet. 

"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Microsoft said.

CVE-2022-44698 presents only a relatively small risk for organizations, says Kevin Breen, director of cyber-threat research at Immersive Labs. "It has to be used in partnership with an executable file or other malicious code like a document or script file," Breen says. "In these situations, this CVE bypasses some of Microsoft's built-in reputation scanning and detection — namely SmartScreen, which would normally pop up to tell a user the file may not be safe." 

At the same time, users should not underestimate the threat and should patch the issue quickly, Breen recommends.

Microsoft described another flaw — an elevation of privilege issue in the DirectX Graphics kernel — as a publicly known zero-day but not under active exploit. The company assessed the vulnerability (CVE-2022-44710) as being "Important" in severity and one that would allow an attacker to gain system-level privileges if exploited. However, the company described the flaw as one that attackers are less likely to exploit.

**Vulnerabilities to Patch Now**

Trend Micro's ZDI flagged three other vulnerabilities in the December Patch Tuesday security update as being significant: CVE-2022-44713, CVE-2022-41076, and CVE-2022-44699.

CVE-2022-44713 is a spoofing vulnerability in Microsoft Outlook for Mac. The vulnerability allows an attacker to appear as a trusted user and cause a victim to mistake an email message as if it came from a legitimate user. 

"We don't often highlight spoofing bugs, but anytime you're dealing with a spoofing bug in an email client, you should take notice," ZDI's head of threat awareness Dustin Childs said in a blog post. The vulnerability could prove especially troublesome when combined with the aforementioned SmartScreen MoTW bypass flaw that attackers are actively exploiting, he said.

CVE-2022-41076 is a PowerShell remote code execution (RCE) vulnerability that allows an authenticated attacker to escape the PowerShell Remoting Session Configuration and run arbitrary commands on an affected system, Microsoft said. 

The company assessed the vulnerability as something that attackers are more likely compromise, even though attack complexity itself is high. According to Childs, organizations should pay attention the vulnerability because it is the type of flaw that attackers often exploit when looking to "live off the land" after gaining initial access on a network. 

"Definitely don’t ignore this patch," Childs wrote.

And finally, CVE-2022-44699 is another security bypass vulnerability — this time in Azure Network Watcher Agent — that, if exploited, could affect an organization's ability to capture logs needed for incident response. 

"There might not be many enterprises relying on this tool, but for those using this \[Azure Network Watcher\] VM extension, this fix should be treated as critical and deployed quickly,' Childs said.

Researchers with Cisco Talos identified three other vulnerabilities as critical and issues that organizations need to address immediately. One of them is CVE-2022-41127, an RCE vulnerability that affects Microsoft Dynamics NAV and on-premises versions of Microsoft Dynamics 365 Business Central. A successful exploit could allow an attacker to execute arbitrary code on servers running Microsoft's Dynamics NAV ERP application, Talos researchers said in a blog post. 

The other two vulnerabilities that the vendor considers to be of high importance are CVE-2022-44670 and CVE-2022-44676, both of which are RCE flaws in the Windows Secure Socket Tunneling Protocol (SSTP). 

"Successful exploitation of these vulnerabilities requires an attacker to win a race condition but could enable an attacker to remotely execute code on RAS servers," according to Microsoft's advisory.

Among the vulnerabilities that the SANS Internet Storm Center identified as important are (CVE-2022-41089), an RCE in the .NET Framework, and (CVE-2022-44690) in Microsoft SharePoint Server.

In a blog post, Mike Walters, vice president of vulnerability and threat research at Action1 Corp., also pointed to a Windows Print Spooler elevation of privilege vulnerability (CVE-2022-44678), as another issue to watch. 

"The newly resolved CVE-2022-44678 is most likely to be exploited, which is probably true because Microsoft fixed another zero-day vulnerability related to Print Spooler last month," Walters said. "The risk from CVE-2022-44678 is the same: an attacker can get SYSTEM privileges after successful exploitation — but only locally."

**A Confusing Bug Count**

Interestingly, several vendors had different takes on the number of vulnerabilities that Microsoft patched this month. ZDI, for instance, assessed that Microsoft patched 52 vulnerabilities; Talos pegged the number at 48, SANS at 74, and Action1 initially had Microsoft patching 74, before revising it down to 52.

Johannes Ullrich, dean of research for the SANS Technology Institute, says the issue has to do with the different ways one can count the vulnerabilities. Some, for instance, include Chromium vulnerabilities in their count while others do not. 

Others, like SANS, also include security advisories that sometimes accompany Microsoft updates as vulnerabilities. Microsoft also sometimes releases patches during the month, which it also includes in the following Patch Tuesday update, and some researchers don't count these. 

"The patch count can sometimes be confusing, as the Patch Tuesday cycle is technically November to December, so this will also include patches that were released out of band earlier in the month, and can also include updates from third party vendors," Breen says. "The most notable of these are patches from Google from Chromium, which is the base for Microsoft's Edge browser."  
Breen says by his count there are 74 vulnerabilities patched since the last Patch Tuesday in November. This includes 51 from Microsoft and 23 from Google for the Edge browser. 

"If we exclude both the out-of-band and Google Chromium \[patches\], 49 patches for vulnerabilities were released today," he says.

A Microsoft spokesman says the number of new CVEs for which the company issued patches today was 48.

Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update

OSV-Scanner generates a list of dependencies in a project and checks the OSV database for known vulnerabilities, Google says.

Securing the software supply chain is an increasingly complex and time-consuming challenge for enterprises. To help developers find vulnerability data for open source components, Google launched OSV-Scanner on Tuesday.

Modern software development requires managing multiple dependencies – software libraries and components that add functionality to the application without having to develop them from scratch. Developers need to be aware of vulnerabilities which may exist in the components, but the task is complicated by the fact that each dependency potentially contains other dependencies.

A new report from the Station 9 research team at Endor Labs found that 95% of all vulnerabilities in open source software are found in transitive dependencies – code packages that are indirectly pulled into projects by other dependencies. Developers need to be able to manage vulnerabilities in the dependencies they selected as well as in these transitive dependencies. To complicate matters even more, the same research report found that even the latest version of a package could still have known vulnerabilities.

Last year, Google launched the OSV.dev service, a distributed open source vulnerability database, to help developers with vulnerability management. OSV.dev encompasses 16 different open source ecosystems and vulnerability databases, with a total of 38,000 advisories. The idea is to use the service for vulnerability tracking, triage, and patch automation. Google's Rex Pan calls OSV-Scanner, which connects a project's list of dependencies with the vulnerabilities that affect them, the "next step" in managing open source vulnerabilities.

With OSV-Scanner, developers can match code and dependencies against a list of known vulnerabilities and identify any available patches or newer versions of the software component. The scanner identifies all the transitive dependencies being used by the project by analyzing software manifests, software bill of materials, and commit hashes. The scanner then connects to OSV.dev to display the known vulnerabilities in the project.

The information generated by the scanner "closes the gap between a developer's list of packages and the information in vulnerability databases," Pan wrote in the blog post announcing the new tool. Features such as the ability to utilize specific function level vulnerability information automated remediation will be available in the future, Pan wrote.

OSV-Scanner automates the discovery and patching of vulnerabilities in the software supply chain. The 2021 United States Executive Order for Cybersecurity specifically included automated tools "that check for known and potential vulnerabilities and remediate them" as a requirement for national standards on secure software development.

Developers can download and try out OSV-Scanner from the osv.dev website or use OpenSSF Scorecard's Vulnerabilities check to automatically run the scanner on a GitHub project, Google says.

Google Launches Scanner to Uncover Open Source Vulnerabilities

Citrix issues a critical update as NSA warns that the APT5 threat group is actively trying to target ADC environments.

Citrix has issued a patch for a critical flaw affecting Citrix ADC and Citrix Gateway, adding that the company is aware of attacks against the vulnerability in the wild.

The vulnerability, tracked under CVE-2022-27518, affects Citrix ADC and Citrix Gateway versions 12.1 (including FIPS and NDcPP) and 13.0 before 13.0-58.32. 

"Both must be configured with an SAML SP or IdP configuration to be affected," Citrix noted in its security update.

The National Security Agency (NSA) issued its own warning that the China-linked APT5 threat group has been actively targeting Citrix ADCs to bypass authentication controls to breach organizations. It also provided threat hunting guidance for security teams, and asked for intelligence sharing among the public and private sectors.

"The indicators and context from this analysis can be used by organizations for defensive purposes against this malicious activity," the NSA announced. "NSA requests that any additional insights and/or discoveries be shared with the NSA Cybersecurity Collaboration Center in order to enhance understanding of this activity and so that it can be used to improve the overall security posture of the Defense Industrial Base, DoD, and USG."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Citrix ADC, Gateway Users Race Against Hackers to Patch Critical Flaw

Software teams can now fix bugs faster with faster release cycles, but breach pressure is increasing. Using SBOM and automation will help better detect, prevent, and remediate security issues throughout the software development life cycle.

Rapid development and deployment cycles have long been criticized for the potential to introduce more flaws in software. But the "move fast and break things" adage doesn't hold up in modern environments, which are increasingly being targeted by malicious actors. On the other hand, faster release cycles can also mean patches can be implemented faster — and this is just one factor that is accelerating the rate at which software teams can fix bugs.

As demand for reliable, secure software increases, a number of tactics and technologies have emerged to help teams build, maintain, fix, and secure their applications faster than ever. Approaches such as DevSecOps, bug bounty programs, open source bug reporting, and even Google's Project Zero have had substantial influence on how we secure software. But if identifying and patching vulnerabilities has become easier, why are we still reading about so many breaches? Let's explore.

**New Tactics Accelerate Bug Fixing**

The wide adoption of DevOps solutions and organization workflows, which we've seen in recent years, means faster release cycles of software. In the not-so-distant past, a software company would release an updated version every few months, which would contain fixes for security issues detected and patched in that period. Anything that wasn't yet discovered or fixed would have to wait for the next release in another few months. With DevOps methodology and technology in place, software vendors and open source project maintainers release versions of their product dozens of times a day — when the fix is ready, the product receives it, cutting the time-to-fix dramatically.

Some organizations are going a step further to implement security into development processes. Research from ESG shows that 62% of organizations have a plan or are evaluating use cases for DevSecOps implementation. And those organizations that have already put these processes into place are seeing radical improvements in the speed at which they can identify and remediate vulnerabilities.

Bug bounty programs have also become mainstream. Some platforms allow software vendors to use the power of crowdsourcing to discover security issues in their own products. This flow must be managed with a dedicated framework for bug fixing. And as the discovery of issues grows, the organization is compelled to create better ways to fix them, and the time-to-fix is getting shorter.

Within the open source community, code management solutions such as GitHub, GitLab, and others have a built-in way to report and track security issues so that open source maintainers and users can easily report and follow vulnerabilities that are presented in an open source project. The information is public (on the public projects), and the maintainers and the community feel committed to fixing issues quickly.

A final factor is the impact made by Google's Project Zero. As part of this initiative, Google has a team of security researchers dedicated to studying zero-day vulnerabilities in the hardware and software systems that are depended upon by users around the world. In 2021, Google's Project Zero detected a record 58 zero-day vulnerabilities in the wild.

In addition, most software companies that are presented in Project Zero's data set aren't your ordinary software vendors, and the project forces these major tech companies to fix security issues within 90 days, which results in shifts in engineering culture and organizational structure as the engineering community at large emulates the big innovators.

**Challenges Remain, Affecting Software Security**

Patches for software are often delivered via updates that require a consumer to upgrade to the latest version, a move which can often impact operations. Resolution in a timely manner can even be impossible, in some cases. Companies developing software today are often relying on a high percentage of open source code and many components that create complexity. Upgrading an open source library, which a company relies on throughout its codebase, or a specific version of a docker image, could mean substantial changes across its products. A single security fix might create a massive amount of work for engineering teams. As a result, teams must prioritize bug fixes, and only critical security issues are getting resolved.

**Improvements in Software Security**

Automation is key. It's impossible for software consumers and vendors to deal with a large amount of security risk in large codebases without using an automated process for detection, remediation, and prevention. Prioritizing is also important. A small engineering team could easily find itself overwhelmed with all the potential security issues disclosed, but it usually doesn't affect its software. To determine if applications are affected by security risks, companies need to take a comprehensive approach — from source code, throughout the DevOps pipelines releasing it, and through the production environment in the cloud. Connecting those dots helps engineers properly manage security risks in apps.

Companies should also employ technologies to assess the health and reputation of open source code. Factors to evaluate include quality, maintainability, popularity, and risk for supply-chain incidents. Automated security tools can play a role here as well by preventing risky code from entering the codebase and notifying developers of potentially dangerous packages. Also, employing a software bill of materials (SBOM) can provide transparency into the software components used in applications, accelerate the identification and remediation of potential vulnerabilities, and help achieve compliance with government regulations.

Accelerating Vulnerability Identification and Remediation

Jira, Confluence,Trello, and BitBucket affected.

**BENGALURU, December 13, 2022 —** Researchers at CloudSEK observed that for Atlassian products - Jira, Confluence, and BitBucket, cookies are not invalidated, even if the password is changed, with 2FA (Two-factor Authentication) enabled, as the cookie validity is 30 days. They only expire when the user logs out, or after 30 days.

CloudSEK researchers have identified that this flaw can be leveraged by threat actors to take over hundreds of companies’ Jira accounts. Our records show over 1,282,859 compromised computers and 16,201 Jira cookies for sale on dark web marketplaces. And just in the last 30 days, over 2,937 compromised computers and 246 Jira credentials were made available. In the past 90 days, we have observed at least one compromised computer from a Fortune 1000 company. This is just considering their primary domains, not their subsidiaries. (Check the complete blog) 

The new finding came after Dec 06, 2022, when CloudSEK disclosed a cyber attack directed at the company. During the course of the investigation into the root cause of the incident, the internal investigation team identified that the threat actor gained access to a CloudSEK employee’s Jira account, using Jira session cookies present in stealer logs being sold on the dark web.

CloudSEK is releasing a free tool that lets companies check if their compromised computers and Jira accounts are being advertised on dark web marketplaces.

With over 10 million users across 180,000 companies, including 83% of Fortune 500 companies, Atlassian products are widely used across the globe. And threat actors are actively exploiting this flaw to compromise enterprise Jira accounts.

**Stolen Atlassian Cookies Can Lead to Unauthorized Account Access even if 2FA enabled**

CloudSEK’s investigation shows that cookies of Atlassian products remain valid for a period of 30 days, even if the password is changed and 2FA is enabled. Hence, threat actors can restore Jira, Confluence, Trello, or BitBucket sessions, using stolen cookies, even if they don’t have access to Multi-factor Authentication (MFA), OTP/ PIN. The cookies, by default, expire when the user logs out, or after 30 days.(Check the complete blog)

This is a known issue, and most companies do not consider it to be within the scope of security reporting, because to use this and get into systems, tokens are required.

However, it is no longer very difficult for threat actors to get their hands on these tokens. With the rise in device compromise campaigns, breaches, and password leaks, cookie theft has become commonplace. And cookies are available for sale and one can simply search for a company, buy their logs, find relevant tokens to gain access to their internal systems. In the last 30 days, more than 200unique instances of atlassian.net related credentials/ cookies have been put up for sale on darkweb marketplaces. Given that the credentials were put up for sale in the last 30 days, it is highly likely that many of them are still active.

In the case of Atlassian products, only one JSON web token (JWT) is required to hijack a session i.e._cloud.session.token_. Atlassian JWT (JSON Web Token) tokens have the email address embedded in the cookie. Hence, it is easy to determine which user the cookie belongs to.

You can check if your organization’s data is available for sale on dark web marketplaces here.

Security Flaw in Atlassian Products Affecting Multiple Companies

Former Head of Security at Stripe and Distinguished Security Engineer at Google joins cloud security leader to help scale security excellence across customer base.

**MOUNTAIN VIEW, Calif.****,** **Dec. 13, 2022** **/PRNewswire/ —** Lacework®, the data-driven cloud security company, today announced the appointment of Niels Provos as the company's first Head of Security Efficacy. Provos brings nearly two decades of industry experience in creating healthy engineering teams that build security infrastructure and systems that solve cloud security problems at scale. He puts a particular emphasis on treating security as an engineering problem.

After receiving his PhD in computer science from the University of Michigan, Provos spent over 15 years supporting the development of Google's security and privacy engineering practice, such as helping to establish Safe Browsing which protects over 4 billion devices on the Internet. He then joined Stripe in 2018 as Head of Security where he set Stripe on a path towards a world-class security posture to help build significant trust with customers and to be ready for the public markets. To keep himself balanced and get more people interested in working in the security domain, he also produces cybersecurity-themed EDM tracks under his artist name Activ8te.

"I have helped to build two world-class security organizations and during that time have seen adversaries become more sophisticated and attacks increase in frequency and volume. I deeply believe that every company needs to be enabled to protect their customers' data against threats from outside or inside. That's why my next challenge is being part of a team with the greater mission of helping customers be secure in a more hostile environment," said Provos. "Lacework is in a great position by focusing on customer outcomes that matter to help scale security like no other company before."

"Niels is one of the strongest security-minded leaders in the world with a long track record of building world-class security organizations. He truly understands the challenges security professionals face in today's cloud environments and how to solve them," said Jay Parikh, CEO, Lacework. "Niels will help us continue delivering new innovations in the Polygraph Data Platform, bringing the security excellence he built at Stripe and Google to customers of all sizes and industries."

Provos is another industry leader to join Lacework in recent months, along with CMO Meagen Eisenberg, CFO Andrew Casey, VP of Americas Channels Faraz Siraj, and VP of Global Technical Services Chris Gilbert. In the last year, Lacework was named  to CNBC's Disruptor 50 list, the Forbes Cloud 100, and ranked sixth in Forbes' America's Best Startup Employers 2022 list. Lacework was also recently recognized  as a leader in innovation and growth by Frost & Sullivan in the analyst firm's recent Global CNAPP Radar Report.

**About Lacework** 

Lacework offers the data-driven security platform for the cloud and is the leading cloud-native application protection platform (CNAPP) solution. Only Lacework can collect, analyze, and accurately correlate data — without requiring manually written rules — across an organization's AWS, Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Security and DevOps teams around the world trust Lacework to secure cloud-native applications across the full lifecycle from code to cloud. Get started at www.lacework.com.

Niels Provos Joins Lacework as Head of Security Efficacy

Enterprises can now adopt the industry's most comprehensive Zero Trust Network Access 2.0 to secure access to all applications from any device.

**SANTA CLARA, Calif.****,** **Dec. 13, 2022** **/PRNewswire/ —** In a world where work is now an activity not a place, organizations need to connect a distributed workforce without compromising on security and user experience. Palo Alto Networks (NASDAQ: PANW), the global cybersecurity leader, today announced an expanded partnership that brings together BeyondCorp Enterprise from Google Cloud and Prisma® Access from Palo Alto Networks to provide hybrid users secure and seamless access to applications - SaaS, cloud or on-premise - from managed or unmanaged devices.

Built on the backbone of the Google Cloud network, this comprehensive cloud-delivered Zero Trust Network Access (ZTNA) 2.0 solution enables all users to work securely from anywhere regardless of device type. With Prisma Access, customers get superior ZTNA 2.0 security for all devices, branch offices and applications. BeyondCorp Enterprise Essentials enables secure access to applications and resources for unmanaged devices. Combined threat intelligence and machine learning (ML) automatically detects and remediates threats to users, applications or enterprise data; all powered by the superior performance, planetary reach, and low-latency connections of Google Cloud.

"Legacy VPN and Zero Trust Network Access (ZTNA) 1.0 solutions provide access to users that is too broad and lacks continuous security inspection, putting cloud-first and hybrid organizations at risk," said Kumar Ramchandran, SVP, Products for Palo Alto Networks. "ZTNA 2.0 by Palo Alto Networks secures the modern hybrid enterprise. This partnership will allow organizations to benefit from the performance, scale, and reliability offered by Google Cloud's global network, coupled with the security expertise of Palo Alto Networks" 

"Together with Prisma Access and BeyondCorp, customers will now have seamless access to a Zero Trust security solution built for today's workforce, powered by Google Cloud's innovation, scale, and trusted cloud infrastructure," said Sunil Potti, VP/GM, Cloud Security at Google Cloud. "At Google Cloud, we continue to deliver opinionated solutions with our customers' needs in mind, bringing together innovations from across Google and its ecosystem of partners in easy-to-consume offerings that are backed by Google's unique scale and deep experience."

Palo Alto Networks Prisma Access platform helps transform networking and security to deliver a true Zero Trust that supports both managed and unmanaged devices while delivering consistent protections across the entire enterprise. The industry's only ZTNA 2.0 solution provides deep and ongoing inspection of all application traffic, even for allowed connections to prevent all threats, including zero-day threats, providing secure access for data centers, branch offices and mobile users. Prisma Access is purpose-built on Google's global backbone to secure enterprises at cloud scale.

BeyondCorp Enterprise is based on Google's years of experience with zero trust and provides organizations with a seamless and secure experience for anyone who needs to access applications, cloud resources, and private data hosted on Google Cloud, in third-party clouds, or on-premises. BeyondCorp Enterprise leverages Chrome to provide a secure enterprise browsing solution where agents cannot be installed on devices, providing a simple, yet secure zero trust approach for unmanaged devices.

**About Palo Alto Networks**

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world's greatest security challenges with continuous innovation that seizes the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks, and mobile devices. Our vision is a world where each day is safer and more secure than the one before. For more information, visit www.paloaltonetworks.com.

Google Cloud and Palo Alto Networks Team to Protect the Modern Workforce

**TAMPA BAY, Fla.****,** **Dec. 13, 2022** **/PRNewswire/ —** KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, today announced its support of the Metaverse Safety Week initiative.

The Metaverse is designed to transform human engagement and interactions and push the boundaries of commercialization. It is also a whole new world with security risks, vulnerabilities and legitimate user concerns. People currently interested in the metaverse are already being duped by phishing scams peddling fraudulent NFTs, metaverse land-sales and other dubious Web3 projects via social media, Discord channels, email and comments on popular YouTube videos.

Anna Collard, SVP of Content Strategy and Evangelist at KnowBe4 Africa says: "Security issues in the metaverse include trolls, sexual and racial harassment, which are all problems we are faced with right now on most digital platforms, but the immersiveness of VR can have a more devastating effect on their victim's mental well-being. The risks for children are especially high as they are more likely to explore the metaverse before their parents will, exposing them to inappropriate content without us, the parents or caregivers being aware of it."

As an industry we have an opportunity to address these risks proactively and reduce harm to humans and societies by coming together to build awareness and safeguards. This is why KnowBe4 is sponsoring the Metaverse Safety Week, a virtual event, which is an international community effort, led by the XR Safety Initiative, featuring industry leaders from around the world and spanning five days from Dec 10th to Dec 15th, 2022.

The event will explore the challenges of these brave new worlds in critical areas of the immersive ecosystem and ensure that we ask the uncomfortable questions now. It will help to bring to light the opportunities to create a better and safer Metaverse for all, spreading awareness and promoting policies, guidelines and research. It will explore core issues such as bias, transparency and data ownership through art, panels, debates and workshops, bringing global perspectives to advance our shared ecosystem.

Register for the event (https://www.eventbrite.com/e/metaverse-safety-week-2022-tickets-395485727457).

**About KnowBe4**

KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, is used by more than 54,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4's Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as the last line of defense.

**About the XRSI - XR Safety Initiative** 

XR Safety Initiative (XRSI) is a global non profit Standards Developing Organization (SDO) that promotes privacy, safety, security, and ethics in immersive environments. Founded in 2019 by Kavya Pearlman, known as the "Cyber Guardian," an award-winning cybersecurity professional with a deep interest in immersive and emerging technologies. Headquartered in the San Francisco Bay Area, XRSI currently has over 150 diverse and multidisciplinary advisors from around the globe. The Metaverse Safety Week 2022 (#MSW2022) is an international community effort, a safety awareness campaign, led by the XRSI - XR Safety Initiative, featuring industry leaders from around the world at a week-long conference inside an exclusively created #VirtualWorld.

Source

DARKReading