This legacy of corporations' appetite for data is not worth the risk, leaders say, emphasizing the need to find, secure and redact records

CHICAGO and NEW YORK, Oct. 6, 2022 -- Dark data represents the biggest potential cybersecurity exposure for U.S. and U.K. businesses, according to a special cybersecurity edition of the DealMaker Meter report, "Understanding Risk: The Dark Side of Data," from Donnelley Financial Solutions (NYSE: DFIN), a leading risk and compliance company. Defined as data that a company has collected but no longer needs — ranging from outdated customer information to old employee records — dark data is often forgotten and unprotected by corporations, creating substantial liabilities as well as tempting targets for cyber criminals.

The rise in dark data has accompanied corporations' increased interest in accumulating a wide variety of data sets (often called Big Data), which can be used to improve marketing, product development, customer service and a host of other activities. Dark data can be unstructured, sensitive, personal, regulated, vulnerable or high-risk information an organization has collected and stored over time.

Nearly seven of 10 enterprise leaders surveyed said data storage presents more risk than value. But while 33 percent of senior leaders and IT personnel are aware of the risks of dark data, 18 percent of others within organizations are less knowledgeable.

In addition to worrying about managing dark data, 96 percent of executives are concerned about data fraud and 95 percent are worried data breach incidents will increase over the next two years. Rightfully so, given more than half have experienced an incident this year and others indicated they had more than five data breaches and/or data fraud incidents this past year.

One key takeaway from the report is that IT departments should deploy technologies to better find, secure and redact dark data.

Other key findings include:

*   Preparing for Tomorrow: Company leaders are focused on improving how their companies protect sensitive data, with 77 percent enacting new policies and processes, 72 percent increasing reporting measures and 75 percent investing in partners and software and solutions. 

*   Technology First: To enhance protection, more than 83 percent indicated they would choose new technology tools over adding more team members, the choice of just 17 percent.

Containing insights from a blue-ribbon panel of finance, legal, HR and IT professionals at large public and private companies in the U.S. and U.K., the special fall edition of the DealMaker Meter is an online tool that provides a snapshot of cybersecurity and dark data concerns. It is designed to help business decision-makers better understand key topics impacting their industry and the world around them.

"This report shows that the appetite for Big Data within corporations has a cost," said Dannie Combs, Chief Information Security Officer at DFIN. "Our clients are increasingly turning to us to help mitigate the risks associated with dark data. We are seeing an influx of requests from companies to leverage virtual data rooms as corporate repositories to store, secure and manage data across departments including finance, legal, HR and R&D. Our Data Protect software is used globally by clients to cost-effectively find and redact dark data across disparate IT systems."

This special fall edition of the DealMaker Meter, "Understanding Risk: The Dark Side of Data," is available for download on the DFIN website here.

**About Donnelley Financial Solutions (DFIN)**

DFIN is a leading global risk and compliance solutions company. We provide domain expertise, enterprise software and data analytics for every stage of our clients' business and investment lifecycles. Markets fluctuate, regulations evolve, technology advances, and through it all, DFIN delivers confidence with the right solutions in moments that matter. Learn about DFIN's end-to-end risk and compliance solutions online at DFINsolutions.com or you can also follow us on Twitter @DFINSolutions or on LinkedIn.

DFIN DealMaker Meter: Surge in 'Dark Data' Represents Growing Danger for Corporations

SAS and Neterium partnered to deliver Neterium’s next-gen screening capabilities on SAS’ analytics platform.

Cary, NC (Oct 10, 2022) The volume, velocity and complexity of today’s sanctions screening landscape require extraordinary vigilance, backed by best-of-breed analytics and data orchestration that empower always-on monitoring and immediate action. To meet these modern-day thresholds, Paris-based Orange Bank teamed with SAS and Neterium to achieve real-time sanctions screening in the cloud.

“Our newly deployed AML-CTF platform, powered by SAS and Neterium, is already proving to be a game-changer,” said Veronique McCarroll, Deputy CEO of Orange Bank.

Ever committed to staying at the forefront of banking innovation, Orange Bank began contemplating new sanctions screening tools in 2021. Going real-time would enable its compliance team to bolster the French bank’s anti-money laundering (AML) and counter-terrorist financing (CTF) guardrails. The bank also aimed to streamline the varied tools used and managed by its analysts. It relied on SAS to deliver on its vision.

Achieving next-gen sanctions screening

“As we considered complementing technologies that would help Orange Bank achieve the agility and responsiveness it required, Neterium was an immediate standout,” said Stu Bradley, Senior Vice President of Fraud and Security Intelligence at SAS. “SAS chose to partner with Neterium to provide the real-time sanctions screening engine because of the efficiency, effectiveness and scalability of its solutions, and also for the explainability of its AI-driven decisioning.”

Over a period of nine months, SAS and Neterium collaborated to align Neterium’s cloud-native real-time “watchlist screening-as-a-service” with SAS® Visual Investigator. Neterium’s dual API-based offerings, Jetscan and Jetflow, operate seamlessly on the SAS platform. The potent synthesis gives Orange Bank automated entity and transaction screening against major government and global watchlists as well as politically exposed persons (PEP) lists.

“Built-in AI and advanced screening technologies improve detection relevance and allow our analysts to monitor a holistic, real-time view of AML risk,” said McCarroll. “I’m confident this implementation will sustainably increase our team’s efficiency and effectiveness – and, likewise, that we leverage the best technology partners to continually enhance our integrated compliance platform.”

“By focusing exclusively on developing infinitely scalable screening capabilities delivered through an API, Neterium has mastered the nuances and complexities of what is perhaps the most confounding facet of financial crimes compliance,” said Florence Vicentini, Chief Commercial Officer and Head of Partnerships at Neterium. “The depth and breadth of SAS’ financial crimes compliance platform is similarly unmatched in the market, which makes the connecting of our technologies and capabilities for Orange Bank a formidable mix.”

“The world’s volatile geopolitical landscape is fraught with risks that demand a real-time view of entities and transactions in the context of ever-expanding sanctions watchlists,” added SAS’ Bradley. “Achieving real-time sanctions screening will help Orange Bank address their compliance challenges through reduced false positives, enhanced performance and improved operational efficiency.”

Today’s announcement was made during Sibos 2022, the world’s global, premier financial services event, convening in Amsterdam, Oct. 10-13. Attendees are invited to engage with SAS experts on sanctions screening and other topics throughout the conference at Sibos Booth B115.

About SAS

SAS is the leader in analytics. Through innovative software and services, SAS empowers and inspires customers around the world to transform data into intelligence. SAS gives you THE POWER TO KNOW.

Orange Bank Deploys Real-Time Sanctions Screening with SAS and Neterium

SaaS security platform promises to track down shadow IT, map supply chain risk, and "nudge" employees to work securely.

After months of speculation and input from security, compliance, and IT operations professionals, Nudge Security has launched its new software-as-a-service (SaaS) platform with the promise of making the increasingly weighty lift of enterprise IT teams lighter. 

Nudge received $7 million in seed money in April to develop what co-founders Russell Spitler and Jamie Blasco told Dark Reading at the time would be a cloud product developed in coordination with psychologists to help end users at critical decision points and avoid security risks and mistakes. 

Now Nudge — which officially emerged from stealth mode today — is offering a free two-week trial for its tool, which the company says will automatically discover shadow IT assets, map digital supply chain risk, and automate security tasks. 

The tool gives end users automated "nudges" to guide them to make secure decisions. 

"Not only do security nudges reduce the burden on IT, security, and compliance teams, but they also give your employees the opportunity to practice good security habits in practical, real-world scenarios — not just during hypothetical training sessions," the company said in an announcement about the Nudge launch. "Simply connect it, go make a sandwich, and then see what you’ve been missing." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nudge Security Launches Platform With Humans in Mind

Ransomware attacks are on the rise, but organizations also have access to advanced tools and technologies they can use to fight back.

Ransomware is a hot topic. No industry is immune, and the ransomware gangs behind these attacks are making a lot of money with minimal risk of being caught. However, every industry has increasing access to the advanced tools and technologies needed to fight back.

In the past few years, ransomware attacks have evolved to include crippling, networkwide attacks using multiple extortion methods to target both your data and reputation, all enabled by human intelligence. This has led to ransomware operators driving their profits to unprecedented levels, with predictions noting that the total cost of ransomware attacks will reach $265 billion by 2031.

We have seen a major shift from commodity ransomware attacks to human-operated ransomware. These “hands-on-keyboard” attacks target an entire organization rather than a single device or individual, leveraging human attackers’ knowledge of common system and security misconfigurations to get in, navigate the enterprise network, and adapt to the environment and its weaknesses as they go.

Attackers use a three-step approach to carry out successful human-operated ransomware attacks. First, they gain initial access to an environment using primarily identity attacks (via email, browser, password spray, etc.). Once the attackers have gained access to the organization, they then move laterally within the network to steal more credentials to gain elevated privileges and ultimately find an admin account that gives them access to data. Now that the attackers have access to the data, they can steal it, encrypt it, and deploy a ransomware payload to the resources of their choosing. This type of attack results in catastrophic outcomes for business operations that are very difficult to clean up.

**Ways to Prepare**

Given how common these ransomware attacks are and how easy they are to carry out, what can you and your organization do to prepare for future attacks?

First, we strongly recommend implementing a zero-trust approach. Based on the three principles of verify explicitly, use least-privileged access, and assume a breach, a comprehensive zero-trust architecture creates several safeguards within and across identity, endpoints, apps, infrastructure, network, and data. We not only recommend this approach with our customers and partners, but we also embrace it in our own approach to global security and software development here at Microsoft.

Next, integrated threat protection helps secure organizations by using the combination of extended detection and response (XDR) and security information and event management (SIEM) tools to detect attacks _while_ they are happening and stop them. Cloud-native SIEM systems can help eliminate security infrastructure setup and maintenance while scaling to meet organizational security needs and without being restricted by storage or query limits. Likewise, cross-domain threat protection, cloud security posture management (CSPM), and cloud workload protection (CWP) solutions can be deployed to increase efficiency and effectiveness while securing your digital estate.

Lastly, we recommend having a backup and incident response (IR) plan prepared in the event that your organization is compromised. It is crucial to back up all critical systems automatically on a regular basis and ensure all backups are protected against deliberate erasure/encryption. Your backup service should offer a centralized management interface to monitor, govern, and optimize data protection at scale, and you should look for a platform that can secure your backup platform whether data is in transit or at rest.

For incident response, organizations need to ensure rapid detection and remediation of common attacks on endpoint, email, and identity (ransomware operators love these three) by prioritizing common entry points and monitoring for adversaries disabling security. It is important to regularly practice these backup and incident response plans.

Mitigating human-operated ransomware attacks is a top priority for organizations worldwide. By implementing these strategies and tools outlined in our ransomware mitigation plan, organizations can be fearless, armed with the ability to secure everything without limits.

The Playbook for Human-Operated Ransomware

From the basics to advanced techniques, here's what you should know.

Cybersecurity has been compared to a never-ending game of whack-a-mole, with an ever-changing cast of threats and threat actors. While the attacks that make headlines may change from year to year, the basic fact remains: Any network, no matter how obscure the organization it supports, most likely will come under attack at some point. Thus, attaining and maintaining a strong security posture is of critical importance for organizations of any size.

An organization's security posture, however, is constantly changing. Employees join or leave the company; endpoints are added and discarded; and network and security technologies are deployed, decommissioned, configured, and updated. Each change in network elements can represent a potential attack vector for malware and other threats.

That's why security teams should review their security processes periodically and keep aligned with new developments in defensive and offensive testing and modeling. Doing so can help move the needle on security maturity from the most basic to an advanced, much stronger security posture, and from a reactive to a proactive model.

**The Basics: Vulnerability Scanning**

The first step most IT organizations undertake is vulnerability scanning, which seeks out potential weaknesses in the network and endpoints that could be exploited by attackers. There's a wide variety of scanners available as open source or commercial software, as managed services, and on cloud platforms like AWS and Alibaba. Some of the more popular scanners include Nessus, Burp Suite, Nmap, and Qualys, though each has its own area of focus. Several offer automatic patch remediation, as well.

Another consideration is whether to perform an external scan — which can discover potential vulnerabilities that hackers can exploit — or internal scanning that can find potential paths attackers would take once inside the network. Many, if not most, IT teams will do both.

While vulnerability scanning is relatively easy to use, it's not the end-all, be-all of a security strategy. For example, scanning might not detect subtle misconfigurations or the more complicated attack paths that advanced persistent threats (APTs) might take. They're also often prone to false positives and must be updated consistently.

Overall, though, vulnerability scanning is an important baseline step. Once it's running well, the next step is penetration testing.

**Penetration Testing**

Penetration testing typically entails human ethical hackers who attempt to gain access to the network interior, much as an outside hacker would. Here, too, there's a wide variety of tools and services available — many of the aforementioned vulnerability scanners offer tools that can be used in pen testing. Others include Metasploit, Kali Linux, Cobalt.io, and Acunetix.

Run periodically, pen testing can uncover weaknesses that aren't found by vulnerability scanners. Furthermore, human-managed pen testing can explore more complex pathways and technique combinations that hackers increasingly leverage to exploit victims, such as phishing.

Not surprisingly, the biggest trends impacting networking and cybersecurity are essentially the same trends noted in penetration testing this year: rampant ransomware attacks, the newly distributed workforce, and the rise of Web applications and cloud usage to support remote workers. Each of these trends will require thoughtful consideration in choosing tools and designing plans for penetration testing.

While penetration testing can provide a great deal of benefit, it's a good idea to periodically review the wealth of information on best practices available online.

**Red Team/Purple Team**

The third step in the quest for security maturity is usually the establishment of a red team that will manually attempt to attack and penetrate the organization's security defenses. This may be a completely separate team, or it may be closely allied with the blue team (the defenders) in a combination called a purple team. As another option, some vendors offer red-team services on a subscription or one-off basis.

A red team will imitate the tactics, techniques, and procedures (TTPs) that attackers use — which usually turns up more points of vulnerability than penetration testing can reveal. The blue team can then begin to resolve these weaknesses, further hardening the network against attack.

But too often, red and blue teams devolve into an adversarial relationship that's counterproductive. It's also quite expensive to set up a red team, and given the shortage of cybersecurity professionals, it may not be feasible. Therefore, many CISOs are investigating two newer trends: adversary emulation and adversary simulation.

**Using Adversary TTPs for Good**

There are vast, freely available libraries of common tactics, techniques, and procedures used during attacks, such as MITRE's ATT&CK framework. Adversary emulation and simulation leverage these libraries to evaluate security based on intelligence for specific attacks and then simulating the TTPs used.

For example, MITRE developed a sample adversary emulation plan for APT3, an advanced persistent threat that previously targeted mostly US entities. The emulation plan covers three phases from command-and-control setup to initial access; from host compromise through to execution; and data collection through exfiltration. The Center for Threat-Informed Defense has posted other emulation plans.

Adversary emulation lets security teams assess their defenses against real-world attacks. It can also be used to test the security infrastructure's detection and response rates.

**Looking Ahead**

Security vendors are moving beyond simply advocating the concept of MITRE's ATT&CK and MITRE Shield. Many vendors are leveraging one or both to improve their own products and services. For example, some security vendors map anomalies and events to the ATT&CK framework, making it easier for security teams to respond.

MITRE's CALDERA also deserves attention. It provides an intelligent, automated adversary emulation system that can be programmed for a specific attack profile and launched into the network to test its defenses. Caldera can also be used to train blue teams on detecting and remediating specific attacks.

There are also open source projects for adversary behavior simulation in development. A few of them of note include Uber's Metta, Nextron Systems' APT Simulator, Elastic/Endgame's Red Team Automation, CyberMonitor's Invoke-Adversary, and Red Canary's Atomic Red Team.

**Conclusion**

Keeping abreast of developments in key security processes is important for security teams as they strive to defend the network against changing threats. By so doing, they can move the organization closer to a far stronger security posture.

What You Need for a Strong Security Posture

The campaign uses a combination of tactics and a common JavaScript obfuscation technique to fool both end users and email security scanners to steal credentials.

Attackers are spoofing Google Translate in an ongoing phishing campaign that uses a common JavaScript coding technique to bypass email security scanners. Leveraging trust in Google Translate is a never-before-seen approach, researchers said.

Researchers from Avanan, a Check Point Software Company, uncovered the campaign, which uses the coding technique to obfuscate phishing sites to make them appear legitimate to the end user as well as fool security gateways. The phish also uses social engineering tactics to convince users they need to respond quickly to an email or face having an account closed, according to a blog post published today.

The messages direct a user to a link that directs them to a credential-harvesting page that appears to be a legitimate Google Translate page, with a pre-populated email field that requires only that a person enter his or her password to log in.

The campaign is an example of a number of current, increasingly more sophisticated tactics that threat actors are using in contemporary phishing campaigns to fool both more savvy end users who have become familiar with malicious tactics, as well as email scanners that delete suspicious messages before they get through, noted Jeremy Fuchs, an Avanan cybersecurity researcher and analyst.

"This attack has a little bit of everything," he wrote in the post. "It has unique social engineering at the front end. It leverages a legitimate site to help get into the inbox. It uses trickery and obfuscation to confuse security services."

**"Urgent Plea"**

Researchers observed a Spanish-language email being used in the campaign, which begins — as most phishing messages do — with social engineering.

In this case, hackers make an "urgent plea" for a user to confirm access to his or her account by informing them that they are missing out on important emails and have only 48 hours in which to review them before they will be deleted.

"That's a compelling message that might get someone to act," Fuchs noted.

Upon taking the bait, the link directs a victim to a login page that is a "pretty convincing" Google Translate lookalike page, complete with the typical logo on the upper left-hand corner of the page and a drop-down list of languages. Closer inspection shows that the URL has nothing to do with Google Translate, however, the researchers noted.

The code in the background makes it even more apparent that the page is a fake, with the "HTML that goes into turning this site into a Google Translate lookalike_,"_ Fuchs wrote.

One of the JavaScript commands hackers use here is the "unescape function_,"_ which is "a classic command that helps obfuscate the true meaning of the page," he wrote.

Unescape is a function in JavaScript that computes a new string in which hexadecimal escape sequences are replaced with the character that it represents. The function can be used on a webpage to appear to show the page as one thing but then, when decoded, shows a "bunch of gibberish" that can trick email security, according to a video about the phishing campaign posted by Avanan.

"This attack requires vigilance on the part of the end user, and advanced natural language processing on the part of the security service to stop," Fuchs noted in the post.

**Phishers Pivoting for Success**

Indeed, as Internet users already are familiar with common tactics that threat actors use to fool them into giving up credentials to phishing pages, actors increasingly are pivoting to new tactics or combining common ones in different ways to help ensure the success of their cybercriminal activity, the researchers said.

Attackers recently have been seen using everything from voice-themed messages to spoofed PayPal invoices to leveraging the ongoing war in the Ukraine to get unwitting email users to take phishing bait.

Even with the ramp-up in sophistication, however, the usual precautions that all Internet users and security professionals alike should take to avoid giving up their credentials to phishers still apply — not only in the case of the Google Translate campaign but across the board, according to Avanan.

Researchers recommend that people always hover over URLs found in messages before clicking on them to ensure the destination is legitimate, as well as pay closer attention to grammar, spelling, and factual inconsistencies within an email before trusting it.

And as always, users also should put basic common sense into play when dealing with emails from unknown entities, researchers said. If they ever have doubts about where they're coming from or their intentions, they should just ask the original sender to be sure before taking further actions.

Cyberattackers Spoof Google Translate in Unique Phishing Tactic

Despite dozens of tools and external vendors, 2 in 3 organizations believe their data strategy isn't sustainable beyond three years, which could leave businesses vulnerable.

SAN FRANCISCO, Oct. 13, 2022 /PRNewswire/ — Cribl, the leader in enabling open observability, in collaboration with CITE Research, today released the State of Security Data Management 2022. The industry-wide report examines the primary cybersecurity challenges that enterprises are facing in the midst of hybrid work mandates, ongoing digital transformation efforts, and rapidly growing data volumes. Conducted in September 2022, the report surveyed 1,000 senior-level IT and security decision-makers.

**Key findings from the research:**

*   Two in three organizations believe their data management strategy isn't sustainable beyond three years, with one-third of organizations acknowledging that it's sustainable for less than one year, which could impact both threat visibility and attack response time.
*   63% currently use more than 25 tools for data visibility and control, with more than 40% planning to add more tools in the next 12-24 months––as the majority of organizations are now managing more than 30 data sources.

"We all know cybersecurity teams are under incredible pressure, but what these results indicate is that beneath the surface of what the headlines espouse — sophisticated attackers, expanding attack surface, skills shortages — lies a more entrenched problem for cybersecurity teams: data," said Clint Sharp, CEO and co-founder of Cribl. "Practitioners are drowning in a deluge of data while managing dozens of tools and external vendors, limiting organizations' visibility and hindering their ability to swiftly respond to potential threats. But there's a light at the end of the tunnel: We're trending towards greater collaboration between IT and security teams and increased interoperability between tools, which will boost the cybersecurity industry in coming years."

**Additional findings include:**

*   Despite acknowledging that their data management strategies are not sustainable, 92% of organizations state that they are confident in their current strategy.
*   Nine in 10 respondents indicated that IT and security teams are now working closely together, and rely on the same information and tools in their day-to-day operations.
*   Though historically hesitant to outsource cybersecurity operations, nearly 70% of organizations have an internal incident response and an external managed detection and response (MDR) provider.
*   53% of organizations believe greater control over their data would improve response and remediation time, 52% believe it would improve threat visibility, and 50% believe it would improve alert management.

For more insights from The State of Security Data Management 2022, please visit http://cribl.io/state-of-security-data-management.**Methodology**

The survey was conducted in September 2022 in partnership with CITE Research. The 1,000 respondents were based in the US with Director level or above job titles in software development, IT, or C-Suite. Respondents were spread across a variety of industries at organizations with greater than $100 million in revenue.

**About Cribl**

Cribl makes open observability a reality for today's tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It's enterprise software that doesn't suck, enables tech professionals to do what they need to do, and gives them the ability to say "Yes." With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit www.cribl.io or our LinkedIn, Twitter, or Slack community.

State of Security Data Management 2022 Report Reveals Overconfidence Masks a Pervasive Data Problem

New open source Cloud Hunter tool, developed through Lacework Labs research, helps customers get better visibility to reduce response times for incident investigations.

SAN JOSE, Calif., Oct. 13, 2022 /PRNewswire/ — Lacework®, the data-driven cloud security company, today released the fourth Lacework Labs Cloud Threat Report and subsequently launched a new, open source tool for cloud hunting and security efficacy testing. The new tool, known as Cloud Hunter, will help customers keep pace with ever-improving adversarial tradecraft through advanced environmental analysis and improved incident response time.

Developed in response to new types of sophisticated threat models uncovered through Lacework Labs' research, Cloud Hunter utilizes the Lacework Query Language (LQL) to permit hunting across data within the Lacework platform by way of dynamically-created LQL queries. Customers can quickly and easily find data and develop queries for ongoing monitoring as they scale detections along with their organization's cloud security program. Data is automatically analyzed while Cloud Hunter extracts information, further streamlining the capabilities and response times for incident investigations.

The Lacework Labs Cloud Threat Report examines the cloud security threat landscape over the past three months and unveils the new techniques and avenues cybercriminals are exploiting for profit at the expense of businesses. In this latest edition, the Lacework Labs team found a significantly more sophisticated attacker landscape, with an increase in attacks against core networking and virtualization software, and an unprecedented increase in the speed of attacks following a compromise. Key trends and threats identified include:

*   **Increased speed from exposure to compromise:** Attackers are advancing to keep pace with cloud adoption and response time. Many classes of attacks are now fully automated to capitalize on timing. Additionally, one of the most common targets is credential leakage. In a specific example from the report, a leaked AWS access key was caught and flagged by AWS in record time. Despite the limited exposure, an unknown adversary was able to login and launch tens of GPU EC2 instances, underscoring just how quickly attackers can take advantage of a single simple mistake.
*   **Increased focus on infrastructure, specifically attacks against core networking and virtualization software:** Commonly deployed core networking and related infrastructure consistently remains a key target for adversaries. Core flaws in infrastructure often appear suddenly and are shared openly online, creating opportunities for attackers of all kinds to exploit these potential targets.
*   **Continued Log4j reconnaissance and exploitation**: Nearly a year after the initial exploit, the Lacework Labs team is still commonly observing vulnerable software targeted via OAST requests. Analysis of Project Discovery (interact.sh) activity revealed Cloudflare and DigitalOcean as the top originators.

"Creating an open source tool not only extends our capabilities as a research team and company, but also gives us a way to fully give back to and empower the developer community based on what we're seeing from our threat research," said James Condon, Director of Threat Research at Lacework. "As our research shows an increasingly more sophisticated attack landscape, this tool provides a more detailed analysis of an organization's unique environment based on the new techniques being leveraged by attackers. Cloud Hunter is the first tool from Lacework to generate queries that can be directly converted into custom policies within a customer's environment."

The Lacework Labs team also examined issues around how "rogue accounts" are utilized by attackers for the reconnaissance and probing of S3 buckets as well as the growing popularity of cryptojacking and steganography. A full copy of the report and the executive summary can be found here.

**About Lacework**

Lacework is the data-driven security platform for the cloud. The Lacework Cloud Security Platform, powered by Polygraph, automates cloud security at scale so our customers can innovate with speed and safety. Only Lacework can collect, analyze, and accurately correlate data across an organization's AWS, Azure, GCP, and Kubernetes environments, and narrow it down to the handful of security events that matter. Customers all over the globe depend on Lacework to drive revenue, bring products to market faster and safer and consolidate point security solutions into a single platform. Founded in 2015 and headquartered in San Jose, Calif., Lacework is backed by leading investors like Sutter Hill Ventures, Altimeter Capital, D1 Capital Partners, Tiger Global Management, Counterpoint Global (Morgan Stanley), Franklin Templeton, Durable Capital, General Catalyst, XN, Coatue, Dragoneer, Liberty Global Ventures, and Snowflake Ventures, among others. Get started at www.lacework.com.

Attackers Use Automation to Speed from Exploit to Compromise According to Lacework Labs Cloud Threat Report

Can already beleaguered CISOs now add possible legal charges to their smorgasbord of job considerations? Disclose a breach to comply and face dismissal, or cover it up and face personal punishment.

This is a challenging time to be a CISO. The security community has been eagerly following multiple stories regarding Uber in the past few weeks. From the play-by-play of their recent major hack, to last week's guilty verdict of former Uber security chief Joe Sullivan, CISOs are facing considerable challenges.

The verdict in the Sullivan case found him guilty of obstructing a federal investigation and concealing a felony from the government. According to the New York Times: "Stephanie M. Hinds, the US attorney for the Northern District of California, said in a statement: 'We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.'"

The government is sending a message to CISOs in the US — disclose and potentially lose your job, or cover up and go to jail. If they disclose information to the government, they meet compliance regulations, but their job will be on the line. A breach, especially one in which personally identifiable information (PII) is compromised, will result in a lawsuit and the CISO will likely get fired.

But the punishment for noncompliance, inability to demonstrate full disclosure, or any gray zone in the middle is now personal (unlike other regulations where noncompliance results in fines for the company). Covering up a breach, in the Uber case, and then further hiding details of the hack in the context of a federal investigation, can result in prison time.

This case also brings to light a new challenge for CISOs: "What did you know?" Concealing information is an important part of this case and verdict. Hiding information by saying "I didn't know" isn't an answer for a CISO with a data breach — it reflects negligence at best and is at worst a lie. Security teams need to know — and most likely _do_ know about their security posture, from the many security tools they use — and what they know can't be concealed.

The Sullivan case has enormous gravity for the security industry. What can we expect from CISOs? Are these expectations fair?

**Managing Expectations for CISOs**

According to proposed legislation, the expectations are as follows. From the Form 8-K (6-K) Disclosure About Material Cybersecurity Incidents (PDF) — the following rules will be added:

*   New Item 1.05 of Form 8-K will require SEC-reporting companies to disclose a material cybersecurity incident within four business days of determining that a material incident has occurred.
*   The company must determine the materiality of a cybersecurity incident "as soon as reasonably practicable" after discovery of the incident.
*   The SEC indicated last year in a cybersecurity enforcement action that companies must maintain disclosure controls and procedures designed to ensure that all available relevant information concerning any cybersecurity incident is analyzed for timely disclosure in the company's SEC reports.
*   "Cybersecurity incident" means an unauthorized occurrence on or through company's information systems that jeopardizes the confidentiality, integrity, or availability of a company's information systems "or any information residing therein."

The question is, what should CISOs do? They're already deploying multiple security solutions. On-premises, cloud, endpoint detection, firewalls, ransomware recovery, workload protection … the list goes on and on. Still, hackers get in — as in Uber's case — often by simply nagging an employee to click on a phishing link. Millions of dollars on attack prevention and "user XYZ" takes the system down.

**Ways to Aid CISOs**

I've been working in security for most of my career, building the tools that keep hackers out. I'd like to propose a few ways we can help CISOs out of the complicated situation they're in.

1.  **Get rid of tools that alert on every potential attack or misconfiguration.** A generation of alert-based security tools pinging security teams for every small thing has made the situation worse. There is no way for a security team to keep up with the hundreds of alerts, mostly false alerts, that their security tools provide. They need to be able to see a real-time incoming attack, in the context of their specific assets – one that provides a sequence of events identifying immediate risk to the company's most valuable assets. We need to do better to support security teams with tools that provide value, not just alerts.
2.  **Retool.** Regulators expect CISOs to be able to detect, analyze, and understand impact of real attack events (vs. potential misconfigurations) fast. This requires retooling and rethinking much of the security software "stack" to ensure that we're keeping a step ahead of hackers. Using dated techniques is one area that often results in friction between security best practices and reality.
3.  **Work more closely with government** on the important regulations that are being proposed for legislation. To protect our CISOs from falling into felony territory, we need legislation that protects the public while also protecting CISOs that come forward and report data breaches. CISOs who genuinely plan for every attack scenario (and can show this planning) but find themselves outsmarted by hackers should not be penalized by the companies they serve.
4.  **Align security goals.** Many organizations are moving too fast to focus on security — and it will catch up with them. Development teams are increasingly leveraging agile techniques like CI/CD (continuous integration, delivery, and deployment) to deliver new and innovative features quickly and maintain a competitive advantage. And security is not part of the dev team's or any typical employee's everyday thought process — but it must be. Organizations must have a security strategy that permeates the organization so everyone — developers, marketing, HR, finance, the board, and everyone else share the responsibility with the CISO and security teams. _All_ employees play a role in securing data assets.

What the Uber Breach Verdict Means for CISOs in the US

This marks the third identity and access management (IAM) company acquired by Thoma Bravo in just the past few months.

Private equity firm Thoma Bravo continues its massive multibillion-dollar buying spree in the identity and access management (IAM) space, this time splashing out $2.3 billion in a reportedly all-cash offer for ForgeRock. 

ForgeRock went public just a little over a year ago, Reuters pointed out. The San Francisco-based company provides IAM for end consumers, workforce, and Internet of Things (IoT) devices, the company site says.

ForgeRock shareholders will receive $23.25 per share, which represents a premium of about 53.4% to the stock's last closing price on Tuesday. The deal is expected to close in the first half of 2023.

Thoma Bravo is banking on a swelling market for cloud services to drive IAM demand, according to earlier Dark Reading reporting on investors' keen interest in the cybersecurity software sector. 

Reuters added that the private equity firm has also expressed interest in Darktrace and Nearmap over the past year. 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading