The latest startup to enter the space also has a free scanning service to audit the contents of any website.

Enterprise defenders need to know what they have in their environments before they can figure out how to protect them. The challenge lies in the fact that organizations often have assets they have forgotten about or never knew about them in the first place.

Attack surface management continuously looks at the organization's IT infrastructure from the outside to determine what assets attackers can see. Halo Security, officially launched at Black Hat USA this week, is the latest entrant into the attack surface management space.

Halo Security's attack surface management platform helps enterprise defenders identify and monitor all of their Internet-facing assets across clouds and service providers. The platform's vulnerability scanning, application testing, and manual penetration testing capabilities allow defenders to detect risks and security posture improvements, as well as organize the data to remediate found issues. The agentless and recursive discovery engine can help uncover unknown assets, the company says.

The company also announced a free scanning tool to audit security controls of any website. The Halo Security Site Scan service audits all the certificates, headers, scripts, forms, and technologies in use on the website and makes recommendations to improve the site's security posture.

Originally founded in 2013, Halo Security operated under the McAfee umbrella until 2021.

Attack surface management prioritizes protecting assets attackers can see. Because enterprises know they can't protect what they can't see, there is a growing interest in attack surface management solutions. IBM acquired Randori for an undisclosed sum back in June. Bishop Fox, the security consultancy behind the Cosmos platform that continuously maps the attack surface and identifies high-risk exposures, announced last month that it had raised $75 million as part of a series B funding round.

"There's a reason Gartner and others are sounding the alarm about the need for attack surface management tools," said Halo Security founder and CEO Tim Dowling.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Halo Security Emerges From Stealth With Full Attack Surface Management Platform

New SOC Analyst Assessment delivers threat-informed training in a live lab environment to help cybersecurity professionals defend their organizations against the latest adversarial tactics and techniques.

LAS VEGAS, Aug. 9, 2022 /PRNewswire/ — Black Hat 2022 — Cybrary, the leading training platform for cybersecurity professionals, today announced a major evolution of its offerings that includes new threat-informed and interactive training and assessment experiences designed to help teams better reduce organizational cyber-risk resulting from the millions of unfilled positions in the industry.

Cybrary's new capability architecture enables cybersecurity leaders to evaluate, measure, and upskill their workforce and take the guesswork out of the hiring process. Aspiring and existing cyber professionals will be able to demonstrate their skills, build confidence, or reveal gaps in knowledge and areas for improvement as they apply for new roles, onboard, and perform their jobs. Managers will be able to quickly and continuously assess prospective and current team members' capabilities to help them become productive faster by creating training plans aligned to areas of opportunity.

**Cybrary Launches New SOC Analyst Assessment**

At Black Hat this week, Cybrary is unveiling a beta program for the first assessment of its kind geared specifically toward SOC analysts. Cybrary's SOC Analyst Assessment is an engaging, live lab environment that simulates a typical day in the life of a SOC analyst, teaching users how to separate noise from real threats and develop the skill-based instincts necessary to best protect their organizations.

"As the cybersecurity field has evolved, so has Cybrary. By creating opportunities for individuals to build relevant skills as they enter the field and delivering immersive, threat-informed training for more experienced professionals, we're taking our offerings to the next level," said Kevin Hanes, Cybrary's CEO. "Combining next-generation tools like the SOC Analyst Assessment with the 1,900-plus learning activities offered within our platform today advances our mission to equip cybersecurity professionals with the skills to succeed against ever-evolving threats."

By simulating a typical day in the life of a SOC analyst and placing individuals directly in a realistic, gamified, and scenario-based lab exercise, the SOC Analyst Assessment provides real-time insights into their ability to perform essential job functions. The assessment is also mapped to major cybersecurity frameworks, including MITRE ATT&CKⓇ, NIST NICE, and CAE-CD Knowledge Units. With robust reporting capabilities, learners and managers alike will gain actionable insights that highlight strengths, weaknesses, and recommended courses for further training in Cybrary's expansive resource library.

**How Cybrary is Tackling the Skills Gap Head-On**

The cybersecurity skills shortage is a reality that all companies, regardless of size or sector, face when trying to develop their employees' skills and protect their organizations against complex, ever-evolving cyber threats. Investing in people is key to narrowing the cybersecurity skills gap, and Cybrary remains committed to providing accessible, affordable, and high-quality tools at scale to arm practitioners and organizations alike with confidence to respond to threats.

"Leveraging Cybrary's all-new training architecture, in addition to CTIG's expertise, we are developing a suite of high-fidelity experiences aligned to cybersecurity roles," said Rob Usey, Cybrary's CTO. "Our unique, hands-on training and assessments will allow organizations to hire the right talent faster, pinpoint their entire team's skill gaps, and prescribe courses and activities to upskill practitioners at all experience levels every day."

Cybrary's new hands-on, scenario-driven resources, such as the SOC Analyst Assessment, are the first of many upcoming tools that will revolutionize cybersecurity training for years to come. Organizations interested in becoming SOC Analyst Assessment beta testers are encouraged to submit a request.

The launch of Cybrary's new strategy comes on the heels of rapid growth and momentum for the company with its new $25M Series C funding round, addition of both a new CEO, executive team, and top researchers, as well as launch of the Cybrary Threat Intelligence Group (CTIG), which tracks threat actors and vulnerabilities to ensure every training, course, and lab is relevant, timely, and communicates real-world skills.

For more information on Cybrary's next generation of hands-on training experiences or to leverage the entirety of its resource library, please visit Cybrary's Black Hat booth (#1381) from Aug. 10-11, 2022, or visit www.cybrary.it.

**About Cybrary**

Cybrary is the industry-leading training platform that provides the right training at the right time to fully equip cybersecurity professionals at every stage in their careers. Cybrary's threat-informed training, advanced assessment capabilities, and certification preparation helps industry professionals build the skills and knowledge to confidently mitigate the threats their organizations face and bridge the persistent cybersecurity skills gap. Cybrary enables more than 3 million learners, from individuals to service providers and government agencies to Fortune 1000 organizations, to be ready to respond in the fight against constantly evolving cybersecurity threats. For more information on Cybrary's offerings, visit www.cybrary.it.

Cybrary Unveils Next-Generation Interactive, Hands-On Training Experience to Upskill Cybersecurity Professionals

The finding exposes the danger of older, unpatched bugs, which plague at least 4.5 million devices.

A new vector to exploit a vulnerable version of Google SLO Generator has been uncovered, which facilitates remote code execution (RCE). It allows an attacker to gain access to the system and deploy malicious code as if it is coming from a trusted source inside the network.

Google SLO Generator is a widely used Python library used by engineers who want to track their Web API performance. The tool is used by thousands of Google services, but prior to a September 2021 patch, it housed unsafe and exploitable functions, potentially exposing user input data.

Michael Assraf, co-founder and CEO of Vicarius, explains that this path to exploitation was previously unknown and created a new way to exploit outdated versions for worse outcomes than simple information disclosure.

It is unknown how many of the more than 167,000 applications using this library are running vulnerable versions, according to Vicarius, which published a report detailing the attack path. Users who updated the code won't be exposed to this attack, but that said, unpatched vulnerabilities are still the most common way that companies are successfully attacked.

Assraf also raises the issue of potentially problematic workarounds as security researchers uncover new vectors to exploit vulnerable software instances. Developers will often use workarounds to protect against known exploits rather than deploying a systematic update/patch.

"Developers who fall into that category will be vulnerable to this new exploit — along with anyone else who has yet to deploy the patch," he says.

**Millions of Unpatched Devices Remain a Problem**

Externally accessible vulnerabilities expected to remain a favorite attack vector for cybercriminals in the future. A report published this week from Rezilion found vulnerabilities as old as a decade remain unpatched in software and Internet-connected devices.

The study identified more than 4.5 million Internet-facing devices that remain open to vulnerabilities discovered between 2010 to 2020. The report also identified active scanning/exploitation attempts in most of these vulnerabilities.

Yotam Perkal, director of vulnerability research at Rezilion, says there are multiple reasons why unpatched vulnerabilities are so common.

"First, many organizations with less mature security programs do not even have visibility into the vulnerabilities they have in their environment," he says. "Without the proper tooling and vulnerability management processes in place, they are basically blind to the risk and can't patch what they do not know about."

Second, even for organizations with mature vulnerability management processes in place, patching presents a challenge — it requires time and a considerable amount of effort and can often lead to unforeseen patch compatibility issues.

"With the constant rise in the number of new vulnerabilities discovered each year, organizations simply struggle to keep up," he explains.

**Unpatched Vulnerabilities a Top Security Issue**

Assraf calls unpatched vulnerabilities one of the most significant, prevalent, yet fixable security problems across the board — and for a multitude of reasons.

"This issue transcends industry and company size, although large enterprises are typically more susceptible due to sheer volume of systems and users in place," he adds.

He points out there are also new vulnerabilities cropping up daily, so managing "zero vulnerabilities" is a bit of a pipedream.

In addition, large-scale updates also occasionally break things and create unforeseen consequences and compatibility issues, leaving many to take a stance of "If it ain’t broke, don’t fix it."

"The problem is, it is broken, you just don't see the chink in the armor until you've been breached," Assraf warns. "Other common issues are around visibility, shadow IT, and distributed teams that lead to ownership complications."

From his perspective, visibility is the first step in getting vulnerabilities and patching under control, as you can’t fix what you don’t know is broken.

"Having an accurate and continuously updated asset inventory of all assets and devices in your environment is a critical first step," he explains.

Next is knowing how to prioritize the updates available to those systems and assets, which is a common place where enterprises fall short and the volume begins to become just noise.

Perkal says he thinks the key point to having a more proactive posture towards risks from unpatched vulnerabilities is awareness.

"Once you are aware of the risk, make sure you have the right processes and tools in place that will allow you to effectively take action," he says. "At the end of the day, applying an existing patch to a known vulnerability that is known to be exploited in the wild should be the easy aspect of proper security hygiene."

A July report from Palo Alto Networks' Unit 42 also suggested attackers play favorites when looking at which software vulnerabilities to target.

**Solving the Patching Problem With Business Context**

Assraf says it's common to prioritize based on criticality from the major frameworks like CVSS, which assign severity ratings to known vulnerabilities — several security vendors also assign their own black-box scoring systems.

"What's important to account for, and where this step — and vendors — often fall short, is a failure to take business context into account," he says.

It's important therefore to focus on the potential threats that will have the largest impact on your unique digital environment, not necessarily a third-party rating assigned without context.

"The most mature organizations will then automate the patching process based on said context, updating the most critical systems while minimizing downtime and impact through strategic scheduling of deployment," Assraf says.

Perkal points out that most of the code running in an organization comes from various third parties, whether open source or commercial.

"While this allows organizations to focus on their core business logic and release code faster, this also introduces a security risk in the form of software vulnerabilities," he says. "Patching everything simply isn't feasible."

He says to be able effectively to cope with the risk, attack surface management platforms that can intelligently prioritize the vulnerabilities that matter most, as well as help automate some of the mitigation and remediation aspects, can help address this risk.

"The most concerning aspect I drew from the research is these old, known, exploitable vulnerabilities are still so pervasive," he adds. "It's especially concerning since it is likely the same analysis we did is also being conducted by attackers, and by leaving this huge attack surface vulnerable, we are making their lives easy."

Researchers Debut Fresh RCE Vector for Common Google API Tool

Upcoming Black Hat USA presentation will examine the implications of Kerberos weaknesses for security on the local machine.

As the main authentication protocol for Windows enterprise networks, Kerberos has long been a favored hacking playground for security researchers and cybercriminals alike. While the focus has been on attacking Kerberos authentication to carry out remote exploits and aid in lateral movement across the network, new research explores how Kerberos can also be abused to great effect in carrying out a variety of local privilege escalation (LPE) attacks.

At the Black Hat USA conference this week in Las Vegas, James Forshaw, security researcher for Google Project Zero, and Nick Landers, head of adversarial R&D for NetSPI, plan to take the security discussion beyond the Kerberoasting and Golden/Silver ticket attack discussions that have dominated Kerberos security research in recent years. In the session "Elevating Kerberos to the Next Level," Forshaw and Landers will explore authentication bypasses, sandbox escapes, and arbitrary code execution in privileged processes.  

"James and I have both spent a lot of our time digging into Windows internals, and Kerberos is fundamental to network authentication between Windows systems. However, most of the existing research and tooling I've done focuses on remote exploitation — ignoring attack surfaces that exist on just a local machine," says Landers, who explained why the pair decided to dig deeper into design flaws in the way Kerberos does local authentication. "Through this, we've discovered many interesting flaws — some fixed and some not — that we're excited to share on Wednesday, along with the tooling we’ve built and knowledge we've gained over the last several months."

The tooling will help others in the security research community to inspect and manipulate Kerberos on local systems to build on the pair's research. The duo will also offer up some important detection and configuration advice to help security practitioners mitigate the risk of the flaws that they'll present.

From a bigger-picture perspective, Landers hopes that his talk can help bring further attention to Kerberos from the entire security world. He says that even though it is the recommended long-term solution for network authentication in Windows environment, replacing deprecated protocols like NetNTLM, security teams shouldn't assume that its more secure by default than the predecessors.

"Kerberos maintains an extremely large feature set, which continues to grow every year. Obscure functionality first designed in 1998, as well as brand-new code engineered for Windows 11, can both provide nuanced attack surfaces for LPE, security bypasses, or even RCE," he says. "Where there are more features to search, there is always greater opportunity to discover flaws."

In addition to offering practical mitigation steps, he hopes the talk will spur security and network administrators to brush up on their Kerberos knowledge to better harden their systems.

"Administrators should become more familiar with Kerberos to be able to apply best practice mitigations effectively. Specifically, since we consistently see the knowledge of attackers outpacing that of defenders when it comes to Kerberos internals," he says.

His talk will be one of several eye-opening identity and access management-related research presented at Black Hat this week. Some discussions up for exploration include how hybrid cloud IAM deployments are leaving open flaws and misconfigurations ripe for attack and the way that attackers can utilize stolen PII to make it easier to conduct smishing attacks.

Abusing Kerberos for Local Privilege Escalation

The success of Domino's Flex IoT project can be attributed in large part to the security best practices it followed.

The Internet of Things (IoT) has created a great deal of opportunity for the enterprise — and equal possibility for risk. We have witnessed vulnerable IoT technologies leak personal data, fall victim to cyberattacks, and face exploitation in dozens of ways — in "things" ranging from medical devices to smart hot tubs. Security must be at the foundation of every plan, and for organizations to reap the full benefits of IoT technology, they must incorporate it from acquisition to deployment.

I recently had the opportunity to partner with Domino’s Pizza and evaluate firsthand the security implications at work around a large-scale enterprise IoT project — the company's IoT-based ecosystem solution, Flex. Flex is a platform comprising various small services that allow stores to leverage diverse Web experiences and digital products on different kiosk screens.

Through the assessment and review of Flex, Domino’s stakeholders and I were able to build a comprehensive understanding of security vulnerabilities and best practices for implementing IoT in the enterprise environment. Here’s what we found together — and what organizations implementing IoT should consider every step of the way.

**Security Considerations for the Acquisition Phase**

Making security a priority in an IoT acquisition plan helps prevent problems down the road, but security is often left out or ineffectively executed during this phase.

An organization's security team is critical to successful planning and implementation of a large-scale IoT project. The security team's role is to help define the security expectations and requirements for IoT technology to ensure that they match the organization's security policies. Introducing new IoT technologies may highlight gaps in governance, so having the security team involved paves the way for installing new security protocols and controls.

Organizations' enterprise-level IoT initiatives, including Domino's, often require external vendor services. Before entering into such a relationship, organizations must conduct a vendor risk assessment because vendors often need direct access to an organization's network or VPN access to manage resources or corporate data. The risk assessment process should extend from conception to deployment, with regular re-evaluations of each vendor and its products to ensure they continue meeting base requirements and security expectations. This will help protect the organizations implementing IoT as well as the supply chain.

**Security Considerations for the Design and Implementation Phases**

When it comes to implementation and support of a new IoT solution, it may be necessary to make modifications. An important first step is to determine how the new IoT solution maps to current security control processes and compliance needs. For example, Domino's security control solution uses NIST SP 800-53 and Center for Internet Security (CIS) Controls. CIS provides a companion manual that can help with the mapping process and is handy for any organization deploying an enterprise IoT project.

External services can also help design IoT technology at the highest security level. Domino’s partnered with expert services from Google for its Flex solution to ensure that baseline configuration met industry best practices and mapped to internal security policies.

**Security Considerations for the Deployment and Support Phases**

When it is time to deploy, it's necessary to evaluate the entire product ecosystem: firewalls, routers, embedded hardware, back-end server systems, cloud API and Web services, and more. The security of any component within the ecosystem can ultimately affect the security of all other parts — such is the nature of IoT. All security testing needs to be holistic.

Following deployment is the support phase, where the solution should continue to operate and meet business needs, using management and support infrastructure. Ideally, this is how organizations can avoid outages and other security incidents that lead to loss of services or data or that impact production.

The key to this support plan is patch management, which many organizations overlook with embedded appliances. It's important to develop a regularly cadenced patch management cycle, with QA testing and changes piloted to a small production test group before rolling out official updates. Enterprises should also consider integrating new IoT technology with logging and monitoring processes. Tackling security through these channels should allow for better detection and action on security incidents.

**The Value in Planning Ahead**

There is a great deal of complexity and difficulty when tackling a project as all-encompassing as Domino’s IoT implementation, but with a bit of foresight comes success.

With threat actors taking advantage of any vulnerabilities — across a range of industries — it’s critical to follow holistic security processes before adding any technology to an enterprise ecosystem. While there is no one-size-fits-all strategy when designing, implementing, and deploying new solutions within the enterprise, best practices exist and should be considered. Domino’s successful Flex project is a testament to the value in planning — carefully — ahead.

Domino's Takes a Methodical Approach to IoT

Initial attacks used damaging wiper malware and targeted infrastructure, but the most enduring impacts will likely be from disinformation, researchers say. At Black Hat USA, SentinelOne's Juan Andres Guerrero-Saade and Tom Hegel will discuss.

The online attacks against infrastructure and information operations used by both sides in the conflict between Russia and Ukraine fulfill the definition of cyberwar and hold lessons for governments and companies, two researchers plan to say this week at the Black Hat USA conference in Las Vegas.

Cyberattacks preceding Russia's invasion of Ukraine on Feb. 24, 2022 — and ongoing operations since the initial push into eastern Ukraine — qualify as cyberwar because they involve state-sponsored actors, use tactics designed to support Russia's objectives, and focus on specific targets and motivations, says Tom Hegel, a senior threat researcher at threat intelligence firm SentinelOne, who will present the research at the conference. The threat actors aimed to support the overall war effort, in the case of Russia-linked actors, or the support for Ukraine's defense, in the case of Ukraine-linked actors, he says.

In their Wednesday, Aug. 10, presentation, "Real 'Cyber War': Espionage, DDoS, Leaks, and Wipers in the Russian Invasion of Ukraine," Hegel and colleague Juan Andres Guerrero-Saade plan to outline how attackers have used seven different families of malware and denial-of-service (DoS) attacks to attack everything from telecommunications infrastructure to oil and gas firms.

"We want to challenge the idea that cyberwar has not occurred, but also lay out a road map of what we have seen over the past few months in terms of actors and the types of activities," Hegel says. "The Russian threat actors, while there is not a clear line that they have crossed that makes it cyberwar, we have seen the initial wave of wipers, then community-focused hacktivism that took off, and finally a long tail of destructive attacks."

The presentation is the latest research attempting to define what constitutes cyberwar and cyber conflict.

**Defining "Cyberwar"**

The most formal definition comes from the second version of the _Tallinn Manual on the International Law Applicable to Cyber Warfare_, published in 2017, which defines cyberwar as "a cyberattack, in either an offensive or defensive cyber operation, that is reasonably expected to cause death to persons, damage, or cause destruction to objects." The manual, however, often uses the words cyberattack and cyberwar interchangeably and excludes cyber operations that could be supportive of war efforts, such as information operations and attacks on financial systems, neither of which aim to cause physical damage or death, two professors stated in a review of the manual in 2017.

In the current conflict, cyber operations have similarly supported the aims of either Russia or Ukraine rather than attempting to necessarily inflict physical damage or death.

"The connection to war is focused on destruction or disruption of infrastructure, or gaining an upper hand during an armed conflict, even if the coordination of the kinetic attacks with cyber operations is not there," Hegel says.

The playbook used by Russia in the early days of — and even prior to — the invasion of Ukraine included initial waves of damaging attacks focused on infrastructure, especially telecommunications systems. During Russia's buildup of forces on Ukraine's border, threat actors used a variety of attacks, such as WhisperGate and HermeticWiper, to target organizations in Ukraine with destructive wipers.

"In many conflicts, there is an aspect that has been modernized on the cyber side, but this is the first time that we have a really clear example of cyberwar," Hegel says.

**The Rise of Influence Campaigns**

While not traditionally considered a facet of cyberwar, the most enduring strategy of the current conflict may be information operations, he says. Russia has pursued a disinformation strategy to change worldwide opinions and gain support for its claims of Ukrainian territory, while Ukraine has pursued information operations to undermine Russian support for its invasion and bolster support for supplying the country with weapons.

"The disinformation side is a big piece of this war, but even more so, the weaponization of public information that is already out there," Hegel says. "A good example is the Amnesty International report, for example, and social media accounts supportive of Russia amplifying pieces of the message critical of Ukraine."

The researchers also had a message for corporate information-security teams. Companies should take note of the activities used by each side in a cyberwar, because the conflict can quickly impact participants who otherwise would be distant from the war. Organizations that take side or a stand in a conflict will often be targeted, but collateral damage is also a problem. The cyber-physical Stuxnet attack on Iran's nuclear processing capability, for example, spread to non-Iranian systems, although the payload did not affect those systems in the same way. Two even worse attacks, WannaCry and NotPetya, are both thought to have been cyber operations and both spread far beyond the original targeted group of organizations, causing billions in damages.

"A lot of what we have seen is not just government attacking government, but businesses in the middle being impacted," Hegel says. "It is not just because of their function being impacted, such as a telecommunications company's infrastructure, but also because their messaging made them a target. So even though you are not taking a step in a conflict, you will likely get pulled in, if your business operates in those regions at all."

Russia-Ukraine Conflict Holds Cyberwar Lessons

Study offers a cyber "state of the industry" analysis from a hacker's perspective to help companies anticipate attacks.

**ANNAPOLIS, Md.** (Aug. 9, 2022) – The majority of companies across the US oil and gas industry are at risk of a successful cyberbreach, according to BreachBits, a cyber-risk rating and monitoring company that evaluates and tests organizations from a hacker's perspective to empower them to anticipate attacks. Following an analysis of 98 representative upstream, midstream, downstream, and supply chain companies across the energy sector, BreachBits has released its findings in _BreachRisk: Energy 2022_, a cyber state of the industry study.

"On average, the oil and gas companies we observed were at Medium Risk, with a score of 4.1 out of 10 on our BreachRiskTM scale, but that risk was not distributed evenly across the sector," said BreachBits CEO and Co-Founder John Lundgren. "Additionally, 11% of the companies presented potentially serious, High Risk threats. We identify and monitor cyber-risks at scale as we did here, detect issues, and then test them just as a hacker would for our customers."

The study by BreachBits ranked 59% of companies at Medium Risk for a cyberbreach, 13% at Low Risk, and 28% at Very Low Risk. Other key observations included:

*   94% of all ransomware threats were held by only 51% of companies.
*   BreachRisk increases for companies with greater than $50-million in annual recurring revenue.
*   BreachRisk significantly increases for companies with more than 250 employees.

BreachBits, founded by US military cyber warfare veterans, measures an organization's BreachRisk as the likelihood of a successful breach against the potential impact to the subject.

"We measure cyber-risk based on actual threats and viable attack vectors, not hypothetical ones, and we do that from the hacker's perspective. That means the risks we identified in this study are the same observations being made by active cyberattackers," said BreachBits COO and Co-Founder J. Foster Davis. "What's different is that we've taken those complex assessments and translated them into an easy-to-understand cyber-risk score that everyone from the boardroom to the server room can use to better understand, measure, and communicate risk."

Whether an organization needs to assess its own risk or that of a client, partner, portfolio, or supply chain, the BreachRisk methodology by BreachBits provides a new standard to benchmark exposure to cyberattackers, track risk mitigation efforts, make informed decisions, and shape the next era of cyber insurance. The full _BreachRisk: Energy 2022_ study is available for download at: www.breachbits.com/breachrisk-energy-2022

**About BreachBits**

BreachBits is revolutionizing the way defenders talk about cyber, empowering stakeholders and all parts of an organization with easy-to-understand cyber-risk scores. Led by a team of cyber warfare veterans and multidisciplined professionals, we help defenders predict cyberattacks before they happen and communicate threats to key stakeholders. Organizations are both enabled and threatened by cyberspace today, but BreachBits helps leaders make informed business risk decisions. Learn more at: breachbits.com

US Oil and Gas Sector at Risk of a Cyberbreach, According to BreachBits Study

Extends all aspects of the Arbor Sightline solution with unique, real-time multidimensional DDoS and traffic analytics capabilities.

WESTFORD, Mass., Aug. 9, 2022 --(BUSINESS WIRE) — NETSCOUT SYSTEMS INC., (NASDAQ: NTCT), a leading provider of cybersecurity, service assurance, and business analytics solutions, today introduced Arbor Insight, a groundbreaking technology that, when combined with Arbor Sightline, dramatically enhances and extends threat detection, service delivery, and network operator visibility to address the evolving threat landscape. This combination extends Netscout's DDoS leadership to unparalleled levels.

"ATRs provide the ideal solution for short- and longer-term reporting, so operators can better answer network, security, and business questions and provide reliable, relevant services to their customers."

With DDoS attack traffic continuing to exceed pre-pandemic levels and ISPs presenting a broader threat surface, network operators of all scales need unconstrained, multidimensional visibility into the traffic running across their networks to optimize their defenses.

The new, combined solution set of Sightline with Insight leverages ASI, Netscout's unique metadata technology, to correlate multiple sources of network telemetry with global intelligence and local configuration to deliver an 80-plus facet record for each monitored network communication. Arbor Insight provides security and network operations teams with the optimal data set to perform critical tasks — including time-series analysis of critical traffic dimensions and annotated flow data for in-depth investigations, forensics, and retrospective analysis. Additionally, by using configurable, optimized data sets, Insight delivers instant access to high-fidelity data with minimal storage and compute requirements, greatly extending the value of existing Sightline deployments.

**Powerful Advanced Traffic Reports**

Insight delivers flexible, multidimensional time-series threat and traffic analytics using new customizable Advanced Traffic Reports (ATRs). ATRs augment users' operational workflows with immediate n-dimensional visibility into key areas of interest, facilitating speed-of-thought drill downs and sub-filtering to quickly expose network dynamics such as top attack targets and vectors, top talkers/services/protocols, historical anomalies, threat signatures, and more. In addition, ATRs automatically maintain the desired data fidelity and granularity, allowing instant response to any query, supporting long- and short-term visibility needs, and optimizing total cost-of-ownership. These capabilities help network operators tune their defenses, deliver superior design, scale their mitigation capabilities, and more quickly onboard new service customers — reducing costs and increasing revenue.

"Arbor Insight extends the value of Sightline by providing the right data set at the speed of thought with integrated, end-to-end workflows for superior visibility and performance," stated Tom Lyons, vice president of product, Netscout. "ATRs provide the ideal solution for short- and longer-term reporting, so operators can better answer network, security and business questions, and provide reliable, relevant services to their customers."

Visit our website for more information on Arbor Sightline and Arbor Insight.

**About NETSCOUT  
**NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) protects the connected world from cyberattacks and performance disruptions through advanced network detection and response and pervasive network visibility. Powered by our pioneering deep packet inspection at scale, we serve the world’s largest enterprises, service providers, and public sector organizations. Learn more at www.netscout.com or follow @NETSCOUT on LinkedIn, Twitter, or Facebook.

_©2022 NETSCOUT SYSTEMS, INC. All rights reserved. NETSCOUT, the NETSCOUT logo, Guardians of the Connected World, Adaptive Service Intelligence, Arbor, ATLAS, Cyber Threat Horizon, InfiniStream, nGenius, nGeniusONE, and Arbor are registered trademarks or trademarks of NETSCOUT SYSTEMS, INC., and/or its subsidiaries and/or affiliates in the USA and/or other countries. Third-party trademarks mentioned are the property of their respective owners._

Netscout Arbor Insight Leverages Patented ASI Technology to Enhance Security and Operational Awareness for Network Operators of Any Scale

New time series model and enhanced alerting experience make it easy for organizations to address more threats in the cloud while enabling faster investigations.

**SAN JOSE, Calif., Aug. 9, 2022** \-- Lacework, the data-driven cloud security company, today announced new capabilities that enable organizations to uncover more critical threats to their infrastructure and empower teams to collaborate more efficiently in alert investigation and response. Lacework has added fully automated time series modeling to the existing anomaly detection capabilities of the Polygraph Data Platform. Using automated learning and behavioral analytics, the time series model builds a baseline of the volume and frequency of activity within a customer's environment and actively monitors for spikes that deviate from that unique baseline to detect potential threats such as cryptominer attacks and compromised accounts with accuracy. Organizations can also proactively discover increased cloud usage due to misconfigurations — gaining a better understanding of their environment to help control costs. Lacework does this without the need for constant tuning of thresholds, significantly reducing both manual work and false-positive alerts. Lacework has also upgraded its alerting experience with features that empower teams to collaborate more efficiently in alert investigation and response.

The enormous amount of activity in the cloud and adoption of new technology makes it difficult to gain visibility into risks, investigate alerts efficiently, and take action, especially when teams are siloed into different workstreams and tools. Signature and rules-based approaches can't keep pace with this dynamic environment and often overwhelm security teams with thousands of contextless alerts across a range of environments.

Polygraph, the Lacework cloud behavioral analytics engine, uses dozens of models to build a baseline of normal behaviors in the cloud. The time series model introduces a new dimension of analysis by tracking changes in activity frequency and volume over time in a cloud environment. It works with the existing models to uncover more anomalies with fewer alerts.

Lacework also automatically adjusts the severity of alerts based on continuous learning and a fine-grained understanding of how much the observed behaviors deviate from the predicted baseline for improved accuracy. According to Cybersecurity Ventures, the number of unfilled cybersecurity jobs worldwide grew by 350% between 2013 and 2021, with no sign of relief in the next five years. By consolidating alerts into only those that matter and providing security teams with more context about what is happening across their environment, Lacework allows these overburdened teams to uncover more risks and deal with them more efficiently.

"It's critical organizations get transparency as to what is happening across their multicloud environments, but security teams face a massive challenge keeping up with the dynamic nature of cloud environments while threats like cryptomining continue to proliferate," said Frank Dickson, IDC Group Vice President, Security and Trust. "As an industry plagued by a seemingly insurmountable skills shortage, simply layering more alerts on the SOC does not help. Context matters; context quickly forwards SOC investigations from awareness to understanding by enabling correlations across datasets. Alerts are thus replaced with context-rich incidents that are quickly actionable and facilitate outcomes for customers. In the end, secure outcomes are the goal of every SOC."

Lacework has also revamped the alerting experience to help organizations better collaborate with teams to prioritize, investigate, and track the status of all alerts. This includes:

· **Context-rich insights:** Richer insights give the complete picture of what happened, associated events, timelines, and other details, helping organizations understand where to focus and make better decisions.

· **Configurable bi-directional sync:** When teams update an alert on the Lacework user interface or the associated ticket in backend workflow tools like Jira, the alert status is automatically updated on both sides with bi-directional sync for accelerated resolution. Organizations can even give feedback on Lacework alert severity levels, which in turn helps the Polygraph Data Platform learn and optimize modeling to further improve alerting experience.

· **Easy to manage alert life cycle:** Teams can more easily organize alerts, view tags, filter to see a set of specific alerts, change the state of an alert to indicate whether it needs to be investigated or has been resolved, and add comments to classify and better collaborate with teams.

"Lacework relentlessly innovates to deliver features that help customers gain the visibility and controls they need to stay ahead of the evolving threat landscape," said Arash Nikkar, VP of Engineering, Lacework. "The Polygraph Data Platform is the only cloud security solution to combine automated time series analysis with sophisticated cloud behavioral analytics to build baselines that are tailored to a company's unique environment. Combined with our enhanced alerting capabilities, we're making it easier for teams to identify relevant risks and prioritize threats, even as their organization scales, the attack surface grows bigger, and security incidents increase exponentially."

Time series modeling is available now for Lacework customers in AWS environments. Configurable bi-directional sync enhancements to the Lacework alerting experience are available to select customers in beta.

Additional Resources:

· Visit our team at Black Hat USA at booth #2440 on the show floor.

· Check out the Lacework blog to learn more about the new time series model and enhanced alerting experience.

· Become an expert on security fundamentals and learn more from your security and developer peers through Lacework Academy and the Lacework Community.

· Read what Lacework customers have to say about the Lacework Polygraph Data Platform.

**About Lacework**

Lacework is the data-driven security company for the cloud. The Lacework Polygraph® Data Platform automates cloud security at scale so our customers can innovate with speed and safety. Only Lacework can collect, analyze, and accurately correlate data across an organization's AWS, Microsoft Azure, Google Cloud, and Kubernetes environments, and narrow it down to the handful of security events that matter. Customers all over the globe depend on Lacework to drive revenue, bring products to market faster and safer, and consolidate point security solutions into a single platform. Founded in 2015 and headquartered in San Jose, Calif., Lacework is backed by leading investors like Sutter Hill Ventures, Altimeter Capital, D1 Capital Partners, Tiger Global Management, Counterpoint Global (Morgan Stanley), Franklin Templeton, Durable Capital, GV, General Catalyst, XN, Coatue, Dragoneer, Liberty Global Ventures, and Snowflake Ventures, among others. Get started at www.lacework.com.

Lacework Updates Threat Detection To Uncover More Malicious Activity and Speed Investigation at Scale

Given the lack of reporting requirements, the findings are more like assumptions. Here's what organizations can do to minimize exposure.

The most significant finding in the Cyber Safety Review Board's voluminous analysis of the Log4j vulnerability is what it didn't observe.

The board is "not aware of any significant Log4j-based attacks on critical infrastructure systems." Also, "exploitation of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability." That's remarkable since Log4j is one of the most severe vulnerabilities of the past decade.

Given how widely the library is used, it's difficult to accept that a vast vulnerability like this — identified as "endemic" — _didn't_ cause any real damage to critical infrastructures. The report saying there weren't any significant incidents is no reason to drop our guard, however. In fact, we need to be more vigilant than ever.

The report acknowledges that unlike, say, government agencies reviewing transportation disasters, there was "no crash site or damaged vehicle to inspect, no stress tests to perform on failed equipment, and no wiring diagrams to review." And since critical infrastructure owners and operators were not yet required to report breaches to the federal government, there's a significant blind spot. The findings in the report are just assumptions, and organizations should not feel comforted by them.

Log4j remains deeply embedded in systems everywhere — it's one of the few pieces of software that popular applications such as Apache Struts, ElasticSearch, Redis, Kafka, and others have in common. We're also told that during the board's review, community stakeholders identified "new compromises, new threat actors, and new learnings."

Some of this represents the democratization of software programming. This is a good thing — but we need to be aware that as long as we have software, we'll have software vulnerabilities.

**Knowing Every Link in the Chain**

Guarding against weak links in the software supply chain requires adequate knowledge of every link in the chain — an elusive goal. Most organizations have terrible asset management practices — and it's impossible to secure technologies in the infrastructure when no one is sure what those technologies are, where they're stored, and how they're used.

There are always new tools and capabilities coming down the pike, and with cloud applications, it's even worse. For homegrown applications in the cloud, developers typically don't see it as their responsibility to track which software components are in the mix. Their focus is on output, not sourcing. And with software-as-a-service (SaaS) applications, there's a near-total dependence on the third-party vendor doing the right thing.

Even without consequences we can point to, Log4j offers further proof that software supply chain security is fundamentally broken.

**What to Do Next**

So what can we do to fix it? The CSRB report serves up recommendations rich with anecdotes. They're well-meaning but too opaque for companies to implement in real-world settings. For example, we're told that "organizations should be prepared to address Log4j vulnerabilities for years to come." But how?

There are steps organizations can take. Again, there are no guarantees — foolproof protection is impossible. But the dangers can be contained and minimized.

First, organizations need greater awareness of all technologies in use; asset management is useless without up-to-date asset inventory. This is an ongoing priority, and it requires developer buy-in. Almost every business uses open source software, so asset inventory must extend down to the dependency level. This isn't sexy, but it may be one of the most essential activities to carry out effectively.

Developers and their software are one thing, yet in every enterprise business users now deploy the apps they believe are best for getting the job done. Employers are understandably concerned about security and compliance, but heavy-handed enforcement (i.e., attempting to block access) represents a losing proposition for everyone. Employee application choice and enterprise security are not mutually exclusive — and with technologies now available, they go hand-in-hand.

In the past we'd call this unsanctioned use of applications shadow IT, but now there's a better term: unmanageable applications. They're very common and easy to spot because they don't support identity and security standards. IT-authorized applications are hard enough to police; unmanageable applications are an even bigger challenge.

Second, we need to move toward zero-trust architecture. This concept is getting a lot of buzz, but there are challenges in deploying zero trust for unmanageable applications. Implementing zero trust requires multiple layers of controls. Trying to apply zero-trust principles to unmanageable applications that don't support industry standards like SAML (for authentication) and SCIM (for adding and removing users) is extremely difficult. Unmanageable applications cannot be added to a zero-trust protected surface since they don't support identity standards. A fundamental zero-trust principle defines who can access a data, application, asset, or service (DAAS) element. Organizations must ensure they include all business apps, including the unmanageable ones, in their zero-trust strategy, not only those that support standards.

We haven't dodged a bullet with Log4j, and there are more zero-days on the way. The CSRB report should serve as a wake-up call for organizations worldwide to dig deeper into their software supply chain for _all_ applications. Physical supply chains have long had this attention; software deserves the same scrutiny.

Source

DARKReading