Even without an overarching dictionary of common definitions, the concept of a secure access service edge (SASE) has spread, but a standard could help cloud services work better together.

During the coronavirus pandemic, organizations had to quickly adjust to the disappearance of central offices, employees working from home, and applications moving to the cloud.

The solution usually involved a combination of technologies — such as flexible networking infrastructure, identity and device-base security, and cloud-native applications and capabilities — continuing a trend identified by business analyst firm Gartner in 2019, which dubbed it the secure access service edge, or SASE (pronounced "sassy").

The SASE collection of cloud-centric technologies focuses on the identity of users and devices, granular access controls, functionality pushed to the network edge, and a de-emphasis on data centers — essentially, it's a combination of security technologies and software-defined wide area network infrastructure, commonly referred to as SD-WAN.

The term, however, quickly became a buzzword in the industry, with companies claiming to be SASE-compliant or have products that supported SASE. For that reason, nonprofit industry association MEF — a global industry association focused on network, cloud, and technology — decided this week to create a standard lexicon for SASE technologies and services that defines service attributes, a framework and common definitions, and a zero-trust framework.

The goal is to make services communicate better about capabilities and to make features — especially security features — interoperable across infrastructure, says Stan Hubbard, principal analyst with MEF.

With SASE, "the user can be anything and anywhere, and security and network functions can be distributed away from the enterprise data center to maximize the availability of high-performance edges and security clouds," Hubbard says, adding that "SASE standards are key to addressing the top two SASE service provider challenges which impact growth and efficiency in the market — customer education and lack of an industry standard."

**SASE Deployment Won't Wait for a Standard**

Gartner predicts that SASE will continue to grow quickly. By 2025, about 80% of companies expect to unify their Web, cloud services, and private application access using SASE, up from 20% in 2021, according to Gartner.

Yet, don't expect companies to wait for standards, says Andrew Lerner, vice president and analyst at Gartner.

"We don’t expect the lack of standards to limit adoption, and we also don’t expect the ratification or creation of a new standard to instantly change anything in the market," he says. "With time, we suspect that more offerings will emerge to achieve a certification, but vendors are not waiting, and enterprises aren't waiting either at this point."

The adoption is also driven by industry consolidation and organization's focus on simplifying their enterprise infrastructure. By 2025, about two-thirds (65%) of enterprises will consolidate a variety of SASE components into one or two SASE vendors, a massive increase from the 15% of companies that did so in 2021, according to Gartner.

Network technology and security firm Palo Alto Networks has seen similar industry consolidation. One customer, for example, simplified from nine products and five vendors down to a single SASE product, says Matt De Vincentis, vice president for SASE for the company, which is not a member of MEF.

"Almost every enterprise is trying to reduce the number of security tools and vendors that they have," he says. "Every time there is a new security vulnerability or availability issue, a new group of startups pop up to propose a solution. It's becoming unmanageable for customers."

**MEF Boosts the SASE Conversation**

Yet, with vendors and service providers claiming to have SASE products, both customers and partners need to establish a common dictionary and a common understanding of what capabilities SASE products should have, says MEF's Hubbard.

MEF has created standards, certification programs, and automation tools for the network, cloud, and service provider industries. The latest effort defines standards that define the attributes of SASE services and provides a framework for those services, while a second proposal creates a zero-trust framework for security services using identity, authentication, policy management, and access control to protect and secure organizations' data, systems, and networks.

"The SASE vendor ecosystem lacks common terminology leaving organizations challenged to compare SASE feature sets and solutions," Hubbard says. "Standards help simplify offerings and provide clarity for organizations when selecting SASE services. Choices can be made based on industry-standard features and common definitions allowing for easier evaluation and faster decision making and implementation."

With SASE Definition Still Cloudy, Forum Proposes Standard

The not-so-charming APT's intelligence-gathering initiatives are likely being used by the Iranian state to target kidnapping victims.

State-sponsored advanced persistent threat (APT) Charming Kitten (aka TA453), which is purportedly linked to the Islamic Revolutionary Guard Corps (IRGC), has updated its phishing techniques, and is using malware and more confrontational lures, possibly in service to kidnapping operations.

Since 2020, Proofpoint researchers have observed variations in phishing activity by the APT (which also overlaps with the groups Phosphorous and APT42), with the group employing new methods and targeting different targets than in the past. In the latest campaigns, researchers have observed more aggressive activity, which could be used to support attempted "kinetic operations" from the IRGC, including murder for hire and kidnapping, researchers said.

"TA453, like its fellow advanced persistent threat actors engaged in espionage, is in a constant state of flux regarding its tools, tactics, techniques, and targeting," a Proofpoint report out this week concluded. "Adjusting its approaches, likely in response to ever-changing and expanding priorities, the outlier campaigns are likely to continue and reflect IRGC intelligence-collection requirements, including possible support for hostile, and even kinetic, operations."

**Hacking E-Mail Accounts**

In 2021, Proofpoint documented TA453 spoofing two scholars at the University of London to try and gain access to email inboxes belonging to journalists, think tank personnel, academics, and others. In August, Google researchers said the hacking team had started employing a data-theft tool targeting Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials. Intelligence gathered from email conversations could be used for location tracking and more. 

One campaign that researchers observed against a former member of the Israeli military was threatening and disturbing in that regard, Proofpoint's report noted.

"TA453 utilized multiple compromised email accounts, including those of a high-ranking military official, to deliver a link to the target," researchers explained. "The use of multiple compromised email accounts to target a single target is unusual for TA453. While each of the URLs observed were unique to each compromised email account, each linked to the domain gettogether\[.\]quest and pointed to the same threatening message in Hebrew."

The message read: "I'm sure you remember what I told you. Every email you get from your friends may be me and not someone who it claims. We follow you like your shadow, in Tel Aviv, in \[redacted\], in Dubai, in Bahrain. Take care of yourself."

**Updated Cyber-Targets for Charming Kitten**

Previous Charming Kitten email campaigns had almost always targeted academics, researchers, diplomats, dissidents, journalists, and human rights activists, using web beacons in message texts before eventually attempting to tap the target's credentials. Such campaigns can start with weeks of innocuous conversations on accounts created by the actors before launching the actual attack.

The new campaigns have targeted specific researchers in the medical field, an aerospace engineer, a real estate agent, and travel agents, among others, wrote Proofpoint researchers Joshua Miller and Crista Giering in a post this week.

In some cases, TA453 relies on a fictitious person, "Samantha Wolf," as bait. Proofpoint researchers first identified the persona in mid-March when the associated Gmail account was included in the bait content of a malicious document.

"Samantha's confrontational lures demonstrate an interesting attempt to generate engagement with targets not seen from other TA453 accounts," the report noted.

The Proofpoint report said it could state "with moderate confidence" that the more aggressive activity could represent collaboration with another branch of the Iranian state, including the IRGC Quds Force, which carries out physical operations.

In May, Israeli intelligence agency Shin Bet identified Iranian intelligence services' phishing activity designed to lure targets to kidnap them, Proofpoint noted.

"Based on the indicators provided, Proofpoint correlated this activity with TA453 campaigns from December 2021 in which campaigns attributed to TA453 used a spoofed email address of a reputable academic ... to give a researcher an 'Invitation to Zurich Strategic Dialogue Jan-2022,' " according to the report.

Iran-Backed Charming Kitten APT Eyes Kinetic Ops, Kidnapping

The MirrorFace group has deployed popular malware LodeInfo for spying and data theft against certain members of the Japanese House of Representatives.

The Chinese APT group MirrorFace attempted to influence the elections for the Japanese House of Representatives this year, an investigation has revealed.  

According to researchers at European IT security vendor ESET, the group used spear-phishing attacks on individual members of a political party. The research team, which calls the campaign Operation LiberalFace, found the fraudulent emails contained the well-known malware LodeInfo, a backdoor used to spread malware or steal credentials, documents, and emails from its victims.

MirrorFace is a Chinese-language threat actor that targets companies and organizations based in Japan. It launched the attack on June 29, 2022, before the Japanese elections in July.

Under the pretext of being the PR department of a Japanese political party, MirrorFace asked the recipients of the emails to share the attached videos on their own social media profiles. This was allegedly to further strengthen the party's perception and secure victory in the Chamber of Deputies.

The message also contains clear instructions on the publishing strategy for the videos and was supposedly sent in the name of a prominent politician.

**Malicious Attachments**

All spear-phishing messages contained a malicious attachment that, when executed, triggered the LodeInfo malware program on the compromised machine.

LodeInfo is a MirrorFace backdoor that is under continuous development. Its functions include taking screenshots, keylogging, terminating processes, exfiltrating data, executing additional malware, and encrypting certain files and folders.

The sophisticated and ever-evolving LodeInfo has earlier been deployed against media, diplomatic, government, public sector, and think-tank targets, according to researchers at Kaspersky, who have been tracking the malware family since 2019.

A previously undocumented credential stealer, named MirrorStealer by ESET Research, was also used in the attack. It's capable of stealing credentials from various applications such as browsers and email clients.

"During the Operation LiberalFace investigation, we managed to uncover further MirrorFace TTPs, such as the deployment and utilization of additional malware and tools to collect and exfiltrate valuable data from victims," wrote ESET researcher Dominik Breitenbacher. "Moreover, our investigation revealed that the MirrorFace operators are somewhat careless, leaving traces and making various mistakes."

There is speculation that this hacker group may be connected to APT10, but ESET could not find clear evidence of this or of cooperation with other APT groups in its analysis and is therefore pursuing MirrorFace as a separate entity.

The group reportedly primarily targets media, defense contractors, think tanks, diplomatic organizations, and academic institutions, with the goal of spying on and exfiltrating files of interest.

State-sponsored cyberattackers affiliated with China are actively building out a large network of attack infrastructure by compromising targets in the public and private spheres, according to a joint alert from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI.

The state-sponsored group RedAlpha APT, for example, has for years been targeting organizations working on behalf of the Uyghurs, Tibet, and Taiwan, looking to gather intel that could lead to human-rights abuses.

Chinese APT Group MirrorFace Interferes in Japanese Elections

Effective customer data management helps companies avoid data breaches and the resulting cascade of issues. From validating "clean" data to centralized storage and a data governance strategy, management steps can help keep data safe.

Did you know that over 83% of companies experience data breaches because of inaccurate data management?

Data breaches can cause serious issues, such as information leaks, file corruption, and stolen property.

**Effective Data Management Steps**

The good news is that you can avoid all those issues with proper customer data management. Here's what you need to know about effective customer data management for keeping your business safe, secure, and profitable.

**1\. Keep Data Clean**

One factor of misinformed decisions involves something called dirty data. To get a better idea of what dirty vs. clean data looks like, we've broken things down in the table below:

**CLEAN DATA**

**DIRTY DATA**

*   Complete records for a corresponding database

*   Comes from the people and the system

*   Any information that's unique, valid, and accurate

*   Inaccurate, inconsistent, and duplicated data

*   Readily accessible

*   Mistaken information during data recording

Keeping data clean includes validating and updating email addresses, home addresses, and phone numbers as needed. It also involves deleting obsolete contacts and removing any duplicated data.

Data cleansing can also involve the following:

*   Performing a data audit;
*   Establishing customer data centralization across departments instead of silos; and
*   Following a consistent company data format.

When you do all these, you're enhancing your data's current value. Having clean data within your organization ensures no miscommunications or missed opportunities when interacting with current and potential customers.

**2\. Centralize Your Data Storage**

Data storage centralization focuses on keeping data in a single location to help streamline processes and prevent inaccurate or incorrect data.

Centralizing your data storage also promotes better control and mobility of the information, enhancing your business' overall workflow and boosting efficiency.

Also, having a single data storage system allows quicker and easier maintenance. Imagine running multiple storage systems with different nodes — this makes it difficult to locate the problem whenever a failure occurs.

Finally, centralized data storage systems are easier to safeguard. In contrast, distributed storage systems become more vulnerable and difficult to analyze once a data breach occurs.

Here are a few examples of data storage that you can implement:

*   **On-premises storage:** A local data center set up in your physical office.
*   **Cloud storage:** Involves maintenance by a service provider and an internet connection for easy access.
*   **Hybrid cloud storage:** Combined on-premises and cloud storage, giving you more flexibility.

**3\. Implement Data Sharing**

Data sharing is a give-and-take process that involves various departments gaining access to the company's data.

Implementing data sharing can help the company's data and analytics personnel access the data they need when they need it. This results in better analytics strategies for the business's enhanced digital transformation.

When companies allow data sharing, they also improve efficiency. This is because more employees can access the information they need, speeding up the workflow.

Of course, when implementing data sharing, you must ensure you're doing so carefully. Otherwise, you can easily run into data breach issues. And, of course, informing customers of data breach issues is never fun.

So, use trusted and encrypted data-sharing systems that allow you to transfer information among users safely.

**4\. Create a Data Governance Strategy**

Data governance is another important part of data security and proper management and organization of information.

Essentially, it refers to managing the integrity, usability, accessibility, and security of your company's data.

Creating a data governance strategy also ensures all employees have the same goal for managing your company's customer data.

The three main parts of an effective data governance strategy include:

*   **Alignment:** Standardizing step in customer data collection across all departments.
*   **Validation:** Confirmation that data collection is performed correctly.
*   **Enforcement:** Changes in data collection should pass through the right channels.

The goal of a data governance strategy is a data dictionary, or a tracking plan. It should explain each piece of data collected, its owner, and the purpose of its collection.

**5\. Back up your data**

Roughly 58% of small businesses haven't considered backing up their data. This is a big problem because if that data gets corrupted or goes missing, those businesses won't have a way of restoring it.

One key method of managing your customer data relies on backing it up. A backup protects your business against data leaks, lost data, corrupted data, and other loss-related issues.

The three most common backup methods are:

*   **Full backup:** Which copies all your data in storage.
*   **Incremental backup:** Copies all the changed data since the last backup.
*   **Differential backup:** A full backup at first that later switches to incremental during the succeeding updates.

Any of these methods can help protect your customer data against any type of loss.

**Best Practices**

Effective customer data management helps protect customer privacy and prevent internal and external communication. It can prevent serious issues such as information leaks and data corruption.

A good data management strategy should involve centralized data storage, data sharing, and data governance, clean data, and regular backups.

By implementing these best practices, you'll be able to protect your company's data while ensuring your customers stay confident in your business's reliability.

Compliance Is Not Enough: How to Manage Your Customer Data

Accelerating security challenges and the increasing footprint of edge and IoT devices call for zero-trust principles to drive cyber resiliency.

As businesses ramp up their adoption of edge and Internet of Things (IoT) infrastructure, security risks that already challenge IT organizations stand to become trickier than ever. The distributed nature of edge devices, the scale of IoT, and the limited compute capacity of devices at the edge heap on added difficulties to the increasingly shaky traditional security practices of yesteryear. In the era of edge, it simply won't be feasible anymore to cling to the castle-and-moat security tactics that practitioners have held on to for probably a decade too long as it was.  

Zero-trust principles are going to be key to meeting the security challenges of today and tomorrow — and fundamental to that will be architecting secure server hardware that stands at the bedrock of edge architecture.

**The Challenges Calling for Zero Trust**

Edge and IoT notwithstanding, security threats keep growing. Recent statistics show that global attack rates are up by 28% in the last year. Credential theft, account takeovers, lateral attacks, and DDoS attacks plague organizations of all sizes. And the costs of cybercrime keep ticking upward. Recent figures by the FBI's Internet Crime Complaint Center (IC3) found that cybercrime costs in the US topped $6.9 billion, up dramatically from $1.4 billion in 2017.

Throwing transformative technology architectures into this mix will only exacerbate matters if security isn't baked into the design. Without proper planning, securing assets and processes at the edge becomes more difficult to manage due to the rapidly proliferating pool of enterprise devices.

Market stats show that there are already more than 12.2 billion active IoT and edge endpoints worldwide, with expectations that by 2025 the figure will balloon to 27 billion. Organizations carry more risk because these devices are different than traditional on-premises IT devices. Devices at the edge — particularly IoT devices — frequently:

*   Process critical data away from data centers, with data including more private information
*   Are not supported or secured as strongly by many device manufacturers
*   Don't control passwords and authentication as strongly as traditional endpoints
*   Have limited compute capacity to implement security controls or updates
*   Are geographically distributed in nonsecured physical locations with no barbed wire, cameras, or barriers protecting them

All of this adds up to an enlarged attack surface that is extremely difficult to manage due to the sheer scale of devices out there. Policies and protocols are harder to implement and manage across the edge. Even something as "simple" as doing software updates can be a huge task. For example, often IoT firmware updates require manual or even physical intervention. If there are thousands or even tens of thousands of those devices run by an organization, this quickly becomes a quagmire for an IT team. Organizations need better methods for pushing out these updates, doing remote reboots, and performing malware remediation, not to mention monitoring and tracking the security status of all of these devices.

**More Than Authentication: The Promise of Zero Trust**

Zero trust is a set of guiding principles and an architectural approach to security that's well-suited to start addressing some of the edge security challenges outlined above. The heart of the zero-trust approach is in conditional access. The idea is that the right assets, accounts, and users are only granted access to the assets they need — when they're authorized, and when the situation is safely in line with the org's risk appetite. The architecture is designed to continually evaluate and validate all of the devices and behaviors in the IT environment before granting permissions and also periodically during use. It's great for the fluidity of the edge because it's not tied to the physical location of a device, network location, or asset ownership.

It's a sweeping approach, and one that can help reduce the risk surface at the edge when it is done right. Unfortunately, many organizations have taken a myopic view of zero trust, equating it solely as an authentication and authorization play. But there are a whole lot of other crucial elements to the architecture that enterprises need to get in place.

Arguably the most critical element of zero trust is the verification of assets before access is granted**.** While secure authentication and authorization is crucial, organizations also need mechanisms to ensure the security of the device that's connecting to sensitive assets and networks — including servers handling edge traffic. This includes verifying the status of the firmware in place, monitoring the integrity of the hardware, looking for evidence of compromised hardware, and more.

**Enabling Zero Trust With the Right Hardware**

While there is no such thing as zero-trust devices, organizations can set themselves up for zero-trust success by seeking out edge hardware that's more cyber resilient and enables easier verification of assets to stand up to the rigors of a strong zero-trust approach to security.

This means paying close attention to the way vendors architect their hardware. Ask questions to ensure they're paying more than just marketing lip service to the zero trust ideal. Do they follow a framework like the US Department of Defense's seven-pillar zero-trust standards? Looking for important controls for device trust, user trust, data trust, and software trust baked into the products that organizations choose to make up their edge architecture will in turn help them build zero trust into their own architecture.

Zero Trust in the Era of Edge

Check out our slideshow detailing the emerging cybersecurity trends in cloud, creating a defensible Internet, malware evolution, and more that lit up audiences in London.

Live From London: Next-Gen Cybersecurity Takes Stage at Black Hat Europe

SHA-1 was deprecated in 2011. NIST has set the hashing algorithm's final retirement date to Dec. 31, 2030.

It is time to retire SHA-1, or the Secure Hash Algorithm-1, says the US National Institute of Standards and Technology (NIST). NIST has set the date of Dec. 31, 2030 to remove SHA-1 support from all software and hardware devices.

The once-widely used algorithm is now easy to crack, making it unsafe to use in security contexts. NIST deprecated SHA-1 in 2011 and disallowed using SHA-1 when creating or verifying digital signatures in 2013.

"We recommend that anyone relying on SHA-1 for security migrate to SHA-2 or SHA-3 as soon as possible," NIST computer scientist Chris Celi said in a statement.

SHA-1 was among the seven hash algorithms originally approved for use in the Federal Information Process Standards (FIPS) 180-4. The next version of the government's standard, FIPS 180-5, will be final by the end of 2030 -- and SHA-1 will not be included in that version. That means after 2030, the federal government will not be allowed to purchase devices or applications still using SHA-1.

Developers need to make sure their applications don't use any components that support SHA-1 by that time. While it may seem like plenty of time to make updates, developers need to submit the applications to be certified as meeting FIPS requirements. It's better to get verified and recertified earlier rather than later, as there may be a backlog of revised code to review, NIST said.

"By completing their transition before December 31, 2030, stakeholders – particularly cryptographic module vendors – can help minimize potential delays in the validation process," NIST said.

Along with updating FIPS, NIST will revise NIST Special Publication (SP) 800-131A to reflect the fact that SHA-1 has been withdrawn, and will publish a transition strategy for validating cryptographic modules and algorithms.

SHA-1 has been on its way out for years. Major web browsers stopped supporting digital certifications based on SHA-1 in 2017. Microsoft dropped SHA-1 from Windows Update in 2020. But there are still legacy applications that support SHA-1.

While hashing is supposed to be one-way and not reversible, attackers have taken SHA-1 hashes of common strings and stored them in lookup tables, making it trivial to launch dictionary-based attacks.

Also, collision attacks – initially described as a theoretical attack in 2005 – became more practical in 2017. While individual strings produce unique hashes most of the time, the collision attack creates a situation where two different messages generate the same hash value, allowing attackers to use a different string to crack the hash.

NIST Finally Retires SHA-1, Kind Of

Zero trust is useful in some situations, but organizations should not be trying to fit zero trust everywhere. In some cases, identity-based networking is an appropriate alternative.

People like to tout NIST’s SP 800-207 \[Zero Trust Architecture\] as the hot new thing, but the fact is, zero trust network models have been around for over a decade. Google took zero trust way past the proof of concept stage with its BeyondCorp model, and by the time 2010 rolled around, the company had the most functional zero trust network on the planet.

Fast forward a dozen years, and zero trust is once again the _craze-de-jour_ of the cybersecurity industry. The question is: _Should_ it be?

Zero trust isn’t the silver bullet that many it is, and zero trust shouldn’t be the new normal.

**What's the Problem with Zero Trust?**

Briefly: Zero trust presumes that no network connection, internal or external, can be trusted. Every user authenticates with multi-factor, every system’s authentication is reverified multiple times on the network, and the default access policy for everything is ‘deny’.

The primary methods of establishing and maintaining zero trust are micro-segmentation, overlay networks, enhanced identity governance, and policy-based access controls.

Setting aside the issues and the expense associated with incorporating zero trust into an existing network, the zero trust model starts to erode when the resources of two corporations need to play together nicely. Federated activity, ranging from authentication to resource pooled cloud federation, doesn’t coexist well with zero trust.

This is where we see a lot of hand waving on how to make things work. The compromises, the shortcuts, and the sacrifices that organizations wind up making to allow federation under a zero trust model should give pause to even the most hardcore CIO.

But more to the point, the problem with zero trust is that humans don’t work in a zero trust manner, and for a good reason. It’s a waste of time and resources to re-validate someone’s identity over and over again when they haven’t even left the room. Our human trust cycle relies on logic, probability, and casual observation to establish and track the identities within an observable range. Interactions with low or no trust tend to be seen as low value, or even hostile.

So what kind of trust model can fully incorporate federation, and emulate more human and relatable trust cycles?

**What About Identity-First Networking?**

To usefully emulate the kind of ‘informed trust’ model that humans use every day, we need to flip the entire concept of zero trust on its head. In order to do that, network interactions need to be evaluated in terms of risk.

That’s where identity-first networking comes in. In order for a network request to be accepted, it needs both an identity and explicit authorization; System for Cross-domain Identity Management (SCIM) based synchronization is used to achieve this. This securely automates the exchange of a user identity between cloud applications, diverse networks, and service providers.

Think of it as federation taken to an entirely new level. Or perhaps, a new _layer_. Identity is established at the network transport layer. This means that some of the most traditionally difficult resources to secure (databases, container clusters, etc.) can have their access levels centrally managed by integrating them with a trusted identity provider.

Identity is inextricably intertwined with the concept of trust. All network activity is automatically identity indexed, which means usage patterns are easy to track, and any attempts at unauthorized access are immediately flagged up. If a user or process tries to access something unusual, they’ll stick out like a sore thumb. DNS filters do most of the heavy lifting.

The risk of identity forging is greatly reduced, because the ID provider acts as the one true source of knowledge. The attacker would need the ID provider’s root certificate in order to be effective, a highly unlikely circumstance.

Computationally, this process is far less expensive than zero trust. In the case of zero trust, the work of checking and rechecking authentication several times during any given transaction adds up. In the case of identity-first, the packet doesn’t make it through the front door (or any doors in between as far as internally forged packets are concerned) without the right identity and attached permissions.

Multi-factor authentication is required for identity-first networking, but that’s hardly a bad thing in this day and age. The incorporation of identity-first makes VPNs redundant, which is only a sad story for the VPN providers.

**Zero Trust Should Not Be All-Encompassing**

There are places where zero trust is entirely appropriate. There are certainly government, national defense, and financial sector applications where zero trust shines.

But unless you’re creating your network from scratch, zero trust requires some expensive retooling to fully implement. This makes it inappropriate for many SMEs, as well as any organization that would rather adopt a model based on heavy federation.

In theory, the expense of zero trust is balanced out by the lower cost per security breach. But if a method such as identity-first networking can get the job done, there’s a new cost to benefit analysis that needs to be made on a per-organization basis.

Zero Trust Shouldn’t Be The New Normal

New features bring greater visibility and context into SaaS applications access and activity.

**NEW YORK****,** **Dec. 15, 2022** **/PRNewswire/ --** Axonius, the leader in cybersecurity asset management and SaaS management, today announced the release of two new capabilities within Axonius SaaS Management to help organizations better understand their overall SaaS application risk. Behavioral Analytics and SaaS App-to-Device Correlation allow IT and security teams to gain added visibility and context into the users and devices accessing SaaS applications, and whether suspicious activity is occurring for critical SaaS apps.

SaaS continues to represent an ever-expanding component of an organization's attack surface. Not only does the increase in adoption of SaaS applications change IT and security operations, it also adds new role and skill expectations for IT and security team members – like using already scarce resources to track organization SaaS app utilization and identify misconfigured SaaS settings potentially exposing sensitive data. All of this adds to more complexity and can have a profound impact on an organization's security posture.

"A lot of sensitive data is stored in and shared between SaaS applications, and oftentimes, it's very difficult to understand which users and devices have access to those applications," said Amir Ofek, CEO of AxoniusX, the innovation unit of Axonius. "For IT and security teams tasked with protecting their organization's entire SaaS app stack, they need the right information to help them better understand the who, the what, and the how of SaaS app usage. These new capabilities within our SaaS management solution will bring necessary context to the questions surrounding SaaS security."

**SaaS App-to-Device Correlation**

SaaS App-to-Device Correlation helps understand if unmanaged and unauthorized devices are being used to access various SaaS apps. By leveraging Axonius Cybersecurity Asset Management and its hundreds of adapters across the technology stack, Axonius SaaS Management will now automatically correlate each SaaS user to their associated devices and provide a more comprehensive view of an organization's security posture. Organizations will now have visibility into unmanaged or unauthorized devices accessing SaaS apps, and be able to decrease the risk of data loss.

"SaaS App-to-Device correlation ultimately helps organizations contextualize their SaaS application data," continued Ofek. "Using both Axonius Cybersecurity Asset Management and SaaS Management products, organizations gain a more complete view of their device security posture than they might receive with standalone integrations. No other solution on the market today can offer this much comprehensive and rich data."

**Behavioral Analytics** 

Over the past year, we've seen an increase in data breaches originating from SaaS applications. For example, the Okta breach in early 2022 demonstrated how one compromised SaaS application can often have a domino effect throughout an entire organization.

By adding Behavioral Analytics capabilities within Axonius SaaS Management, organizations will gain visibility into user behavior within SaaS applications over time – and be able to detect any anomalies or suspicious activity that could pose organizational risk. The solution aggregates log data across various sources, including Okta, Microsoft Azure AD, and Google Workspace, to identify suspicious activity, events, and complex behavioral patterns. As a result, Axonius helps facilitate in-depth investigations by the incident response and SOC teams within the organization.

Beyond identifying suspicious behavior, the behavioral analytics capability can help organizations investigate temporary privileges granted for existing users, identify anomalous login activities that deviate from the user's normal activity and other baselines, minimize data theft or leakage of confidential data, and more.

"These latest developments and the integration of the Axonius Cybersecurity Asset Management and SaaS Management products ensure comprehensive visibility and further correlation across SaaS applications, devices, cloud services, and users in an organization's environment, streamlining efforts to reduce the attack surface amidst an increasingly complex cyber landscape," said Ofek.

To learn more about these latest capabilities and to better understand how Axonius can help you control complexity across your entire IT environment, visit the website or request a demo.

**About Axonius**

Axonius gives customers the confidence to control complexity by mitigating threats, navigating risk, automating response actions, and informing business-level strategy. With solutions for both cyber asset attack surface management (CAASM) and SaaS management, Axonius is deployed in minutes and integrates with hundreds of data sources to provide a comprehensive asset inventory, uncover gaps, and automatically validate and enforce policies. Cited as one of the fastest-growing cybersecurity startups, with accolades from CNBC, Forbes, and Fortune, Axonius covers millions of assets, including devices and cloud assets, user accounts, and SaaS applications, for customers around the world. For more, visit Axonius.com.

SOURCE Axonius

Axonius Bolsters SaaS Management Offering With New Behavioral Analytics and SaaS User-Device Association Capabilities to Help Teams Address SaaS Application Risk

InfraGard's members include key security decision-makers and stakeholders from all 16 US civilian critical-infrastructure sectors.

A hacker using the handle "USDoD" has reportedly stolen contact information on more than 80,000 members of an FBI-run program called InfraGard and put the information up for sale on an English-speaking Dark Web forum.

The information the hacker accessed from InfraGard's database appears to be fairly basic and in some cases does not even include an email address, according to KrebsOnSecurity, which first reported on the incident this week. But the information belongs to CISOs, security directors, IT and C-suite executives, healthcare professionals, emergency managers, and law enforcement and military personnel directly responsible for protecting US critical infrastructure.

**A Potentially Valuable Asset**

As such, the stolen data represents a valuable asset for adversaries, says former InfraGard member Chris Pierson, currently CEO of BlackCloak, an online privacy-protection service for top executives and corporate leaders.

"The InfraGard database of contacts is a big win for any intelligence agency or nation-state to possess," Pierson says. The compromised data is nowhere close in sensitivity compared to major breaches such as the one that the US Office of Personnel Management (OPM) disclosed in 2015. Still, it is very practical and easy to use from an attacker's perspective, he says.

"While much of the information may be public or publicly available, the condensing of this information into the key people who run our nation's critical infrastructure is immensely valuable," Pierson notes. Personal addresses, personal cell phones, and easy access to which members possess a security clearance are all key pieces of data for an adversary to have, he says.

The FBI describes InfraGard as an initiative to bolster the nation's collective ability to defend against physical and cyber threats to critical infrastructure targets. It basically connects the FBI directly with critical infrastructure owners, operators, and security stakeholders. Its members include key security personnel and decision-makers from all 16 US civilian critical infrastructure sectors.

According to KrebsOnSecurity, the hacker "USDoD" gained access to the InfraGard database by first applying for a new account using the name, date of birth, and Social Security number of a chief executive officer at a large financial services company. The hacker apparently applied for InfraGard membership in November and provided an attacker-controlled email address and the actual phone number of the CEO, as contact information.

**An Opsec Lapse?**

Though InfraGard was supposed to have vetted that information, they never did and instead approved the application based on the information that the hacker had provided, KrebsOnSecurity reported. Similarly, though accessing InfraGard's portal requires two-factor authentication, the hacker found he could use the email address as a second factor instead — thereby obviating the need for access to the real CEO's phone.

Once on the portal, the attacker discovered that InfraGard user information could be relatively easily accessed via an API built into several components on the website, KrebsOnSecurity said, citing a direct conversation with the attacker. The hacker then apparently got a friend to code a Python query for retrieving all available InfaGard member information via the API. KrebsOnSecurity quoted the attacker as setting an asking price of $50,000 for the stolen dataset, but not really expecting any buyers at that price because of the basic nature of the information.

InfraGard member Will Carson, director of IT and cybersecurity at Cybrary, expressed frustration over the incident. “As an InfraGard member, it certainly isn't great to hear your information may have been disclosed from a news outlet before you hear from the impacted organization," he said in a statement responding to the news. He expressed disappointment over being unable to log into his InfraGard account after the apparent breach.

"Although I have full faith InfraGard leadership has a stronger grasp of the facts than I do from the outside, the radio silence to date makes me uneasy as a potentially impacted professional," he says.

The FBI did not immediately respond to a Dark Reading request for comment submitted via email to its press office.

Source

DARKReading