Early adopters reaping the benefits of improved SOC operations and efficiencies.

**SANTA CLARA, Calif., Oct. 12, 2022 /PRNewswire/** — Delivering on the promise to help organizations leverage massive scales of data for their defenses, Palo Alto Networks (NASDAQ: PANW) today announced the general availability of Cortex® XSIAM, a breakthrough autonomous security operations platform powering today's modern secure operations center (SOC) and fundamentally changing the way data, analytics and automation are used across enterprise and cloud security operations.

Earlier this year, Cortex XSIAM was made available to a number of top organizations through the XSIAM Design Partner Program. The design partners spanned healthcare, logistics, design and manufacturing, technology, public sector, and entertainment verticals. The common challenges these organizations face include overwhelming alert volumes accompanied by a high number of false positives, lack of visibility across all parts of the organization, including cloud environments, and excessive manual overhead associated with managing numerous siloed tools.

"The SOC is where some of the best cybersecurity professionals work, and it is time that they have the right platform to get their jobs done effectively. We want to give our customers a new approach to SOC operations with a focus on results, efficiency and productivity," said Lee Klarich, chief product officer, Palo Alto Networks. "Cortex XSIAM establishes an autonomous SOC where organizations can respond to threats in a fraction of the time it takes today, and analysts can focus on the highest priority incidents. The SOC of the future will be built on AI and automation — any other approach is destined for failure."

Palo Alto Networks operates its own SOC on Cortex XSIAM and has seen the benefits of intelligent data integration, machine learning-based threat models, extensive automation and proactive analysis of the IT environment to reduce the attack surface. The Palo Alto Networks SOC processes over one trillion events per month, with Cortex XSIAM automatically handling the vast majority of those events. On average, the Cortex-powered SOC detects threats in 10 seconds and responds to high priority threats in one minute, with an 80% reduction in alerts that SOC analysts need to analyze.

The feedback on XSIAM has been strong. Design partners consistently reported improved visibility, fewer incidents, reduced false positives and reduced mean time to response. Paul Alexander, director of IT operations at Imagination Technologies Group, an international leader in the creation and licensing of semiconductor System-on-Chip Intellectual Property, said, "XSIAM is already helping us to resolve and address threats way more quickly and efficiently, reduce risk and track metrics."

"We see XSIAM as a platform that combines multiple capabilities into one unified ecosystem," said David Norlin, CISO at Lumifi. "For us, that means empowering analysts to move quicker on multiple datasets, detect threats more comprehensively, and deliver an even better service to our clients."

"From our first demo of XSIAM as part of the early access program, we were shocked and impressed with the maturity of the platform," said Randy Watkins, chief technology officer at Critical Start. "This was not a beta product, but a solution that customers would immediately be able to build their entire security operations program around. The data models within XSIAM are some of the best approaches we've seen to solving the lack of consistency with log management."

"XSIAM aims at much more than SIEM and provides the engine for the autonomous SOC," said Bobby Brillhart, vice president of engineering at Norlem. "XSIAM creates unprecedented opportunities for us as an MDR provider to scale our services and significantly decrease our MTTR."

**Optimized for Cloud-Native Environments**

By design, XSIAM operates across both cloud and enterprise security operations, providing true end-to-end management of threats, wherever they originate. Unlike most existing SIEM products, XSIAM comes with the ability to collect and integrate cloud telemetry that is unique to cloud-native systems. While companies born in the cloud benefit from the scale and automation of XSIAM and the ease of integration with public cloud and SaaS telemetry, organizations with legacy SIEM deployments can seamlessly transition to XSIAM as the next-generation autonomous SOC platform.

**Availability**

Cortex XSIAM is now available globally with full support across multiple cloud locations to comply with local regulations.

**Additional Resources**

*   Register for Palo Alto Networks' November event: The Modern SOC, Reimagined.
*   Join us at Ignite, Palo Alto Networks customer conference, to learn more and see XSIAM in action.
*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021)and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Cortex, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

**SOURCE:** Palo Alto Networks, Inc.

Palo Alto Networks Ushers in the Next-Generation Security Operations Center With General Availability of Cortex XSIAM — the Autonomous Security Operations Platform

The computing giant didn't fix ProxyNotLogon in October's Patch Tuesday, but it disclosed a rare 10-out-of-10 bug and patched two other zero-days, including one being exploited.

For its October Patch Tuesday update, Microsoft addressed a critical security vulnerability in its Azure cloud service, carrying a rare 10-out-of-10 rating on the CVSS vulnerability-severity scale.

The tech giant also patched two "important"-rated zero-day bugs, one of which is being actively exploited in the wild; and further, there may be a third issue, in SharePoint, that's also being actively exploited.

Notably, however, the Microsoft didn't issue fixes for the two unpatched Exchange Server zero-day bugs that came to light in late September.

In all for October, Microsoft released patches for 85 CVEs, including 15 critical bugs. Affected products run the gamut of the product portfolio as usual: Microsoft Windows and Windows Components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; Nu Get Client; Hyper-V; and the Windows Resilient File System (ReFS).

These are in addition to 11 patches for Microsoft Edge (Chromium-based) and a patch for side-channel speculation in ARM processors released earlier in the month.

**A Perfect 10: Rare Ultra-Critical Vuln**

The 10-out-of-10 bug (CVE-2022-37968) is an elevation of privilege (EoP) and remote code-execution (RCE) issue that could allow an unauthenticated attacker to gain administrative control over Azure Arc-enabled Kubernetes clusters; it could also affect Azure Stack Edge devices.

While cyberattackers would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster to be successful, exploitation has a big payoff: They can elevate their privileges to cluster admin and potentially gain control over the Kubernetes cluster.

"If you are using these types of containers with a version lower than 1.5.8, 1.6.19, 1.7.18, and 1.8.11 and they are available from the Internet, upgrade immediately," Mike Walters, vice president of vulnerability and threat research at Action1, warned via email.

**A Pair (Maybe a Triad) of Zero-Day Patches – but Not THOSE Patches**

The new zero-day confirmed as being under active exploit (CVE-2022-41033) is an EoP vulnerability in the Windows COM+ Event System Service. It carries a 7.8 CVSS score.

The Windows COM+ Event System Service is launched by default with the operating system and is responsible for providing notifications about logons and logoffs. All versions of Windows starting with Windows 7 and Windows Server 2008 are vulnerable, and a simple attack can lead to gaining SYSTEM privileges, researchers warned.

"Since this is a privilege escalation bug, it is likely paired with other code-execution exploits designed to take over a system," Dustin Childs, from the Zero Day Initiative (ZDI), noted in an analysis today. "These types of attacks often involve some form of social engineering, such as enticing a user to open an attachment or browse to a malicious website. Despite near-constant anti-phishing training, especially during 'Cyber Security Awareness Month,' people tend to click everything, so test and deploy this fix quickly."

Satnam Narang, senior staff research engineer at Tenable, noted in an emailed recap that an authenticated attacker could execute a specially crafted application in order to exploit the bug and elevate privileges to SYSTEM.

"While elevation of privilege vulnerabilities requires an attacker to gain access to a system through other means, they are still a valuable tool in an attacker’s toolbox, and this month’s Patch Tuesday has no shortage of elevation-of-privilege flaws, as Microsoft patched 39, accounting for nearly half of the bugs patched (46.4%)," he said.

This particular EoP problem should go to the head of the line for patching, according to Action1's Walters.

"Installing the newly released patch is mandatory; otherwise, an attacker who is logged on to a guest or ordinary user computer can quickly gain SYSTEM privileges on that system and be able to do almost anything with it," he wrote, in an emailed analysis. "This vulnerability is especially significant for organizations whose infrastructure relies on Windows Server."

The other confirmed publicly known bug (CVE-2022-41043) is an information-disclosure issue in Microsoft Office for Mac that has a low CVSS risk rating of just 4 out of 10.

Waters pointed to another potentially exploited zero-day: a remote code execution (RCE) problem in SharePoint Server (CVE-2022-41036, CVSS 8.8) that affects all versions starting with SharePoint 2013 Service Pack 1.

"In a network-based attack, an authenticated adversary with Manage List permissions could execute code remotely on the SharePoint Server and escalate to administrative permissions," he said.

Most importantly, "Microsoft reports that an exploit has likely already been created and is being used by hacker groups, but there is no proof of this yet," he said. "Nevertheless, this vulnerability is worth taking seriously if you have a SharePoint Server open to the internet."  

**No ProxyNotShell Patches**

It should be noted that these are not the two zero-day patches that researchers were expecting; those bugs, CVE-2022-41040 and CVE-2022-41082, also known as ProxyNotShell, remain unaddressed. When chained together, they can allow RCE on Exchange Servers.

"What may be more interesting is what isn’t included in this month's release. There are no updates for Exchange Server, despite two Exchange bugs being actively exploited for at least two weeks,” Childs wrote. “These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. With no updates available to fully address these bugs, the best administrators can do is ensure the September … Cumulative Update (CU) is installed.”

"Despite high hopes that today's Patch Tuesday release would contain fixes for the vulnerabilities, Exchange Server is conspicuously missing from the initial list of October 2022 security updates," says Caitlin Condon, senior manager for vulnerability research at Rapid7. "Microsoft's recommended rule for blocking known attack patterns has been bypassed multiple times, emphasizing the necessity of a true fix."

As of early September, Rapid7 Labs observed up to 191,000 potentially vulnerable instances of Exchange Server exposed to the Internet via port 443, she adds. However, unlike the ProxyShell and ProxyLogon exploit chains, this group of bugs requires an attacker to have authenticated network access for successful exploitation.

"So far, attacks have remained limited and targeted," she says, adding, "That's unlikely to continue as time goes on and threat actors have more opportunity to gain access and hone exploit chains. We'll almost certainly see additional post-authentication vulnerabilities released in the coming months, but the real concern would be an unauthenticated attack vector popping up as IT and security teams implement end-of-year code freezes."

**Admins Take Note: Other Bugs to Prioritize**

As far as other issues to prioritize, ZDI's Childs flagged two Windows Client Server Run-time Subsystem (CSRSS) EoP bugs tracked as CVE-2022-37987 and CVE-2022-37989 (both 7.8 CVSS).

"CVS-2022-37989 is a failed patch for CVE-2022-22047, an earlier bug that saw some in-the-wild exploitation," he explained. "This vulnerability results from CSRSS being too lenient in accepting input from untrusted processes. By contrast, CVE-2022-37987 is a new attack that works by deceiving CSRSS into loading dependency information from an unsecured location."

Also notable: Nine CVEs categorized as RCE bugs with critical severity were also patched today, and seven of them affect the Point-to-Point Tunneling Protocol, according to Greg Wiseman, product manager at Rapid7. "\[These\] require an attacker to win a race condition to exploit them," he noted via email.

Automox researcher Jay Goodman adds that CVE-2022-38048 (CVSS 7.8) affects all supported versions of Office, and they could allow an attacker to take control of a system "where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights." While the vulnerability is less likely to be exploited, according to Microsoft, the attack complexity is listed as low.

And finally, Gina Geisel, also an Automox researcher, warns that CVE-2022-38028 (CVSS 7.8), a Windows Print Spooler EoP bug, as a low-privilege and low-complexity vulnerability that requires no user interaction.

"An attacker would have to log on to an affected system and run a specially crafted script or application to gain system privileges," she notes. "Examples of these attacker privileges include installing programs; modifying, changing, and deleting data; creating new accounts with full user rights; and moving laterally around networks."

Microsoft Addresses Zero-Days, but Exchange Server Exploit Chain Remains Unpatched

New research demonstrates the use of thermal camera images of keyboards and screens in concert with AI to correctly guess computer passwords faster and more accurately.

Password-cracking and guessing attempts are successful enough as it is to put more than a little gray in the hair of experienced cybersecurity professionals. Now new research shows even more effective cracking attempts could be perpetrated by attackers equipped with a cheap thermal camera and some simple deep-learning models.

The AI-driven attacks were conceptualized and refined by Dr. Mohamed Khamis of the University of Glasgow School of Computing Science and his colleagues at the school, Norah Alotaibi and Dr. John Williamson, who are set to publish their results in an upcoming issue of the ACM Transactions on Privacy and Security journal.

The paper details their work to use off-the-shelf thermal cameras and a probabilistic model that utilized 1,500 thermal images they took of recently used keyboards to create a method of accurately cracking passwords — even in uncontrolled settings. Dubbed ThermoSecure, the method captures heat signatures via thermal cameras and analyzes them with the researchers' AI modeling to guess a password with 86% accuracy when the images are taken within 20 seconds of input, and 62% accuracy within 60 seconds of input.

"Even without knowing the order of the keys, it is possible to significantly reduce the search space, which means fewer attempts are required to guess a password," the researchers wrote in their paper.

Khamis pointed to the accessible price of thermal cameras — which can be picked up for less than $200 — as a cue for why his team wanted to explore this as a potential threat vector. As he explains, this is likely an area where the bad guys are already innovating to develop ways to leverage these tools to their advantage.

"They say you need to think like a thief to catch a thief. We developed ThermoSecure by thinking carefully about how malicious actors might exploit thermal images to break into computers and smartphones," he said. "It's important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers."

**Not the First Thermal Rodeo**

While this is not the first piece of research touching on the use of thermal imaging to guess passwords, previous studies took pictures in highly controlled settings. This latest one focused on how the layering of AI can bridge the gap in accuracy in uncontrolled conditions that might be affected by different camera angles and user behavior. The study also examined how factors like password length and typing styles could impact the accuracy of this technique, offering some hints for mitigation measures.

For example, the jump from eight-symbol passwords up to 16-symbol passwords cut the accuracy of the attack by 26 points when images were taken 20 seconds after input. Similarly, faster-touch typists left less of a heat signature than slower "hunt-and-peck" typists, meaning that the accuracy was about 12 points lower for the former compared with the latter.

Some other mitigating factors included the use of backlit keyboards — which heat up keys enough to "light up" a thermal image enough to flummox the AI model — and the kind of plastic used in a keyboard. For example, ABS plastic retains heat for significantly less time than PBT plastic.

Of course, one of the most reliable mitigations are the ones that are cited for just about any kind of password-cracking or guessing attacks: that is, seeking out alternative login methods.

"Users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate many of the risks of thermal attack," Khamis said. "In my team, we have previously proposed authentication schemes that rely on eye movements for password entry; gaze-based authentication is resistant to thermal attacks by design."

AI and Residual Finger Heat Could Be a Password Cracker's Latest Tools

Attackers could exploit the "Sandbreak" security bug, which has earned a 10 out of 10 on the CVSS scale, to execute a sandbox escape, achieve RCE, and run shell commands on a hosting machine.

A remote code execution (RCE) vulnerability in a widely used JavaScript sandbox has earned a top rating of 10 on the CVSS vulnerability risk scale; it allows threat actors to execute a sandbox escape and run shell commands on the hosting machine.  

Researchers from cloud security firm Oxeye discovered the dangerous flaw, which they dubbed "Sandbreak" in vm2, a JavaScript sandbox that has more than 16 million monthly downloads, according to its NPM package manager.

"The fact that this vulnerability has the maximum CVSS score of 10 and is extremely popular means its potential impact is widespread and critical," Oxeye architect Yuval Ostrovsky and security researcher Gal Goldshtein wrote in a blog post published Oct. 10.

Oxeye found the flaw on Aug. 16 and informed the project owners two days later. On Aug. 28, GitHub issued CVE-2022-36067 and gave the vulnerability the highest risk rating possible.

The project's maintainers reacted swiftly to issue a patch for Sandbreak in vm2 version 3.9.11, which should be applied by anyone using the sandbox because of the heightened risk of vulnerability, the researchers said.

**Sandboxes: Historically Trustworthy**

Like all sandboxes, vm2 offers an isolated environment where applications can run trusted code, serving a vital purposes in modern applications because developers or network administrators can use them to run programs or open files without affecting the app, system, or platform in which they run.  

Software developers often use sandboxes to test new programming code, and they are well known as an important tool in cybersecurity research, allowing researchers to test potentially malicious software without harming other parts of a network or app environment.

Indeed, the fact that a sandbox is so universally trusted is what makes the Sandbreak flaw so critical and should sound an alarm across all sandbox users to shore up their implementations, the researchers said.

"By their very definition, sandboxes are considered safe places and trusted as mechanisms that isolate potentially dangerous code from our applications," they wrote in the post. "But what would happen if this trust was compromised?"

**Technical Analysis**

Researchers explored just that in their investigation of Sandbreak, which they discovered while analyzing previous security lapses disclosed to the team maintaining vm2.

The bug exists in the vm2 bug reporter, which would allow cyberattackers to abuse the error mechanism in Node.js. They could customize the call stack of an error that occurred in the app to escape the sandbox, the researchers disclosed.

"Customizing the call stack can achieve this by implementing the 'prepareStacktrace' method under the global 'Error' object,'" the researchers explained in the post. "This means that when an error occurs and the 'stack' property of the thrown error object is accessed, Node.js will call this method while providing it with a string representation of the error alongside an array of 'CallSite' objects as arguments."

One of the methods exposed by the CallSite objects because of the issue is "getThis," which is responsible for returning the “this” object that was available in the related stack frame, the researchers found.

This behavior can lead to sandbox escapes because some of the "CallSite" objects "may return objects created outside the sandbox when invoking the 'getThis' method," they wrote. If an attackers could gain hold of a "CallSite" object created outside of the sandbox, they could access Node's global objects and execute arbitrary system commands from there.

**Bypassing the Mitigation**

The maintainers of vm2 were aware that overriding "prepareStackTrace" could indeed lead to a sandbox escape. They tried to mitigate the escape path by wrapping the Error object and the "prepareStackTrace" method with their own implementation, which succeeded in preventing anyone from overriding the method and performing the escape, they said.

However, Oxeye researchers found they could bypass this, because vm2 missed wrapping specific methods related to the "WeakMap" JavaScript built-in type, they said. "This allowed the attacker to provide their own implementation of 'prepareStackTrace,' then trigger an error, and escape the sandbox," the researchers wrote.

Knowing that the prepareStackTrace function of the Error object is the function they needed to override to escape the sandbox, Oxeye researchers went even further and decided to try to override the global Error object with their own object.

Doing this implemented the prepareStackTrace function, which allowed them to escape the sandbox. A few simple steps later and they had access to the currently executing process and could execute commands on the system running the sandbox, they said.

**Using Sandboxes Safely**

Although sandboxes by their very nature are meant to safely run untrusted code within an app or system, enterprises shouldn't automatically assume they are without risk, the researchers warned.

However, if using a sandbox in an environment is unavoidable, Oxeye recommends reducing risk by separating the logical, sensitive part of an application from the microservice that runs the sandbox code.

This will ensure that "if a threat actor successfully breaks out from the sandbox, the attack surface is limited to the isolated microservice," the researchers wrote.

Enterprises also should avoid using a sandbox that relies on a dynamic programming language such as JavaScript when possible, they said.

"The dynamic nature of the language widens the attack surface for a potential attacker, making defending against such attacks much harder," researchers observed in their post.

Critical Open Source vm2 Sandbox Escape Bug Affects Millions

The IT security executive led ICS/OT, IT/OT integration, and other security programs, as well as diversity and inclusion efforts in the industry.

Paul Brager, a leading operational technology (OT) expert and executive, passed away late last month while on a business trip.

Brager, who most recently was director of the global OT security program at energy technology company Baker Hughes, was a well-known industry leader in the industrial cybersecurity sector and worked in the IT security field for 27 years, specializing in industrial control system (ICS)/OT, IT/OT convergence, and cyber-risk topics, among other areas. He was also a researcher and a renowned speaker in the industry, including at Interop and on the Dark Reading News Desk at Black Hat USA. 

Brager also led mentoring and advocacy initiatives for people of color and for women in cybersecurity, promoting diversity and inclusion.

His wife, Keirsten Brager, a cybersecurity professional as well as an author, announced her husband's passing this week via his LinkedIn profile, noting that Paul suffered a heart attack on Sept. 27 while on a business trip in Brazil.

_**NOTE: Dark Reading editors had the honor of interviewing Paul Brager on several occasions, as well as working** **with him as a speaker for the security track of Interop in 2017**_**_. His insights on industry issues_ _always made us smarter, and our reporting more informed. Our hearts and thoughts go out to Keirsten and their childre__n,_ _Kaylie and Dylan. The industry has lost a true leader._**

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

OT Cybersecurity Leader Paul Brager Passes Away

Exposed code included private key for Intel Boot Guard, meaning it can no longer be trusted, according to a researcher.

Intel has confirmed the leak of the Unified Extensible Firmware Interface (UEFI) BIOS of Alder Lake, the company's code name for its latest processor — the 12th generation Intel Core processor — which debuted in late 2021. 

According to reports, the Intel UEFI code was first leaked late last week on 4chan, and later GitHub, and it contained 5.97GB of data. It was dated 9-30-22, likely when it was exfiltrated, analysts reported. "In addition, one thing should be noted that the key pairs required by Boot Guard during provisioning stage is also included in the leaked content," researchers from Hardened Vault who analyzed the leaked data explained. 

Researcher Mark Ermolov noted the same thing on Twitter on Oct. 8, adding, "... the Intel Boot Guard on the vendor's platforms can no longer be trusted." 

The researchers at Hardened Vault pointed out the code could be particularly useful for malicious actors who want to reverse engineer the code to find vulnerabilities. 

In a statement provided to Security Week, Intel acknowledged the breach, attributing it to a third-party and downplaying its potential security risk. "Intel does not believe this exposes, or creates, any new security vulnerabilities as we do not rely on obfuscation of information as a security measure," Intel said in a statement. "We are reaching out to customers, partners and the security research community to keep them informed of this situation." 

The Hardened Vault team said it hasn't been able to trace the data back to the leaker but suggested that the developer of the firmware solution, Insyde, might have more information to share. "But it is still impossible to confirm the person who leaked it," the team wrote. "The leak is part of Insyde solution which integrate Intel’s resources. Perhaps Insyde knows more than we do."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Intel Processor UEFI Source Code Leaked

How data-driven security can best safeguard your unique cloud operations.

The cloud is made up of extremely dynamic environments that undergo constant expansion, updating, and change. As such, securing these cloud environments requires an equally dynamic solution, uniquely differentiated from that of traditional, on-premises computing environments. Yet a recent study suggests that 32% of organizations use the same rules, processes, and tools for both on-premises and cloud security.

Using the same rules-based security approaches for the cloud is like trying to force a square peg into a round hole — it won't fit no matter how you spin it, yet far too many enterprises still try. Given their disappointing track record in securing corporate computing, rules-based systems cannot be expected to be effective in the cloud, which is both different and more challenging. The dynamic and vulnerable nature of the cloud requires enterprises to take a new approach: one that views security as a data problem whose solution provides both safety and agility.

**Accept Cloud Security for What It Is: Never the Same Day as Before**

Unprecedented data growth is forcing enterprises around the world to reconsider their data storage infrastructure, forgoing legacy architecture and migrating to cloud platforms. While the cloud promises new levels of efficiency and scale, one of its defining characteristics is constant change. The pace of software iteration is supercharged, with open source building blocks constantly churning, underlying platforms rapidly evolving, and operations horizontally scaling out and vertically tailing. As more computing moves to the cloud, the faster the potential attack surface increases, resulting in more risks and vulnerabilities. Long story short: running an operation in the cloud is an exercise in frantic change management.

The world of traditional business computing no longer exists. The cloud environment is far removed from on-premise's closed-off walls (and soft squishy center) guarded by multiple layers of defense. According to O'Reilly, 90% of organizations use the cloud, and Gartner estimates that over 95% of new digital workloads will be deployed on cloud-native platforms by 2025. Security professionals are facing a completely new landscape. And outdated rules-based approaches to security are only guaranteed to flood operations teams with contextless alerts, leading to poor visibility, guesswork, and fear of the unknown.

Protecting operations in the cloud is fundamentally different from protecting traditional, on-premises computing. The security industry needs to accept this fact and prioritize providing visibility and stability to its customers. By understanding the unique construction of each customer's cloud operations, the defining characteristics of their workload, and the specifics of their computing environment, security professionals can provide the foundation for customers to operate with confidence and agility as they adapt safely to each change. But such a foundation can only be achieved by data-driven techniques and comprehensive analysis.

**Monitoring and Analyzing Anomalies, Not Rules

Traditional monitoring relies on rules that trigger alerts based on known security-related issues, whether or not those issues are relevant to an organization's operations or workload. It's a somewhat backward paradigm: Rather than working to comprehend the organization's operations and maintaining their health, the rule-based paradigm focuses on understanding potential threats, based on general-purpose knowledge of the threat ecosystem. Not only does this approach require security expertise (which can be hard to find), but it also fails to make the security team an enabler that helps corporations be agile by maintaining stability in the face of changes.

When a doctor prescribes medication, a treatment that works for one patient might not work for another. Just as every patient is unique, so is every cloud environment. An organization's cloud operations are not a cookie-cutter concern, but rather a conglomeration of configurations, technologies, tools, and processes that have evolved over time, often with many detours and dusty corners. Therefore, there can be no one-size-fits-all solution to cloud security: What should be permitted, and what should be flagged as a threat or high-risk anomaly, must be based on what constitutes normal behavior in each unique cloud environment.

Fortunately, using modern data processing and machine learning techniques makes it possible to learn the salient, stable aspects of each customer's operations. These techniques mine the torrent of data about customers' cloud activities and separate out the irrelevant, ephemeral noise caused by the cloud's constant churn. From that foundation, the customer can understand the normal, healthy behavior of their operations and highlight any anomalies that might pose a threat, whether to the security or to the stability of their operations.

In particular, this approach can be highly effective in uncovering new threats before they become known, or identifying new threat variants as they appear — since exploit attempts will trigger anomalies, whether successful or not. This last benefit is of critical use in cases such as last year's Log4j vulnerability, where, over weeks and months, a succession of rapidly evolving exploits were reported by 44% of worldwide networks, as corporations struggled to remedy the vulnerability.

Taking a different approach to security in the cloud is not only a technical necessity but also a requirement from a personnel standpoint. Security teams are strapped, with alert fatigue and burnout running rampant. For even the most prepared teams, the operational and maintenance effort can be overwhelming, especially since the results are often dishearteningly lackluster. Any approach that significantly reduces the number of daily alerts can greatly improve morale and productivity. The benefits are even greater if the alerts comprise a handful of security-critical issues and data-driven anomalies, presented in an easy-to-understand context of normal operations.

It's time to let go of the past. Organizations need to say goodbye to traditional, manual rules-based security approaches and adjust for the cloud. Security should be a key concern throughout all stages of cloud software development, from build time to runtime. But cloud security should also not be a barrier that blocks agility. Rather, cloud security should be a foundation that helps maintain stability in the face of change. The best way to ensure this is via a data-driven approach to cloud security that fully accounts for the unique characteristics, structure, and dynamic behavior of each cloud environment.

**

It's Time to Make Security an Innovation Enabler

Skybox Security Cloud Edition ushers in a new era of proactive cybersecurity .

SAN JOSE, Calif., Oct. 11, 2022 — Skybox Security today announced the next generation of its award-winning Security Posture Management Platform – including the industry's first Software-as-a-Service (SaaS) solution for Security Policy and Vulnerability Management. Propelling its global customer base into the next era of proactive cybersecurity, major innovations advance its platform that continuously tests attack feasibility, exposure, remediation options, and compliance across hybrid environments.

"Today, we're delivering on our mission of building the world's leading Security Posture Management platform," said Skybox Security CEO and Founder Gidi Cohen. "Skybox equips customers with the hybrid network modeling, path analysis, and automation they need to reduce the risk of a significant data breach by 55%. Our latest innovations are significant for customers that deploy on-prem, as well as customers that will benefit from our new SaaS solution. The new Skybox Cloud Edition offering capitalizes on the speed, scale, innovation, and productivity benefits powered by the cloud to drive the pursuit of broader digital business opportunities."

**Expansion into Cyber Asset Attack Surface Management**

Challenging the status quo through a dynamic, fresh approach to Cyber Asset Attack Surface Management (CAASM), Skybox visualizes all assets through API integrations, identifies and prioritizes vulnerabilities using proprietary threat intelligence, sees gaps in security controls, and automatically provides remediation options. In addition, significant advancements to the proprietary Skybox network model enable customers to dynamically model operational technology, IT, and hybrid cloud environments – including all networking and security data related to a specific asset.

According to Gartner Research: "CAASM enables security teams to improve basic security hygiene by ensuring security controls, security posture, and asset exposure are understood and remediated. Organizations that deploy CAASM reduce dependencies on homegrown systems and manual collection processes, and remediate gaps either manually or via automated workflows. Organizations can visualize security tool coverage, support attack surface management (ASM) processes, and correct systems of record that may have stale or missing data."1

**Industry's First Solution To Automatically Map Vulnerabilities To Malware Type**

Skybox also introduced the industry's first Security Posture Management solution that connects Vulnerability Management with Threat Hunting. Building on its Exposure Management process that emphasizes publicly known vulnerabilities and identifies control gaps, Skybox now also associates vulnerabilities to malware by name, category, and distinct classes – including ransomware, Remote Access Trojans (RATs), botnets, cryptocurrency miners, trojans, and more.

"Executives and board members want to know if their cybersecurity teams are staying ahead of the latest celebrity malware such as TrickBot, REMCOS, FormBook, AZORult, Ursnif, Agent Tesla, and NanoCore," said Ran Abramson, Threat Intelligence Analyst, Skybox Research Lab. "Powered by Skybox threat intelligence, CISOs have automated analysis that can prove they retired millions of malware and exploits. No other cybersecurity solution can provide customers with our advanced vulnerability prioritization and threat trend reporting."

**Expanded Integrations Eliminate Complexity, Reduce Administrative Burden, and Provide More Effective Cybersecurity**

With over 150 integrations, Skybox Security is the only solution that builds an extensive model of a customer's unique hybrid environment, including all of the customer’s L3 devices. Expanded integrations include:

*   **Amazon Web Services (AWS):** Expanded cloud capabilities include support of AWS firewalls in distributed mode. Reduce risk while validating compliance by eliminating permissive, obsolete, shadowed, and redundant rules.
*   **Cisco Application Centric Infrastructure (ACI):** Adding new capabilities to its Cisco ACI integration, Skybox now delivers granular visibility into ACI Fabric tenants across spanning networking, micro-segmentation policies, and device attributes.
*   **Palo Alto Networks Prisma Cloud:** Furthering its commitment to shift-left security practices, vulnerabilities in container images across DevOps toolchains can now be identified and prioritized for remediation via the Skybox multi-factor risk scoring algorithm.

**Skybox Cloud Edition Accelerates Customer Value With Increased Flexibility, Scalability, Business Agility, and Resiliency**

Skybox Cloud Edition delivers the capabilities of the Skybox Security Posture Management Platform in a Software-as-a-Service (SaaS) offering to unlock additional business agility and resiliency benefits.

*   **First SaaS solution for Security Policy Management**: Leapfrogging the competition, Cloud Edition capabilities reduce software installation maintenance tasks. Streamlined licensing and deployment are designed to meet customer demand.
*   **Advanced Vulnerability and Exposure Management**: With the industry's most flexible deployment options for Vulnerability and Exposure Management (both on-premises and SaaS versions), customers can select the deployment model that aligns with their corporate and regulatory requirements.
*   **Limitless scalability**: Manage security policies, prioritize vulnerabilities, and remediate exposures across the most complex on-premises, cloud, operational technology (OT), and hybrid environments. Automate, verify, and operationalize risk reduction.
*   **Faster deployment options**: Cuts deployment time and reduces the need for procuring hardware, performing testing, and installing updates – enabling customers to unlock value faster. Customers with vast, global environments will reap huge benefits due to the size and diversity of their attack surface.
*   **Instant automatic updates**: Customers benefit immediately from the latest product innovations and platform updates. Upgrades are much less disruptive, with no need for change management resources. Seamless, automated upgrades are critical given the dynamic threat and regulatory landscapes.
*   **Guaranteed availability:** The solution is hosted in AWS for outstanding stability, performance, and guaranteed availability. Additionally, 24/7 monitoring of the tenants, across both the Network Operations Center (NOC) and Security Operations Center (SOC), maintains optimal network performance and performs real-time analysis for continuous threat mitigation.

**Customer Quotes**

"We had endless streams of vulnerability remedial work. Everything seemed extremely important. Hence why we moved to Skybox: Because it gave us exactly the prioritization model we needed." – Director of Cybersecurity, Manufacturing Organization

"The overall visibility that Skybox has given us of the network – that's something we didn't have before. You can't really put a number on that, but it's a massive impact." – Principal Network Engineer, IT Security Company

"They were getting burned out. So, this has changed at least one of my engineers' lives. He actually said it over and over, 'This is the best thing that's ever happened to me.' Had it been anyone else, I doubt we would have kept anyone in that position for long." – Information Security Manager, Financial Services Organization

"Assets that are critical are tracked in Skybox, and the risk is assessed. If there is a vulnerability, we can fix it immediately. It's reflected in Skybox, and we have evidence for future audits." – Information Security Manager, IT Security Company

**Additional Resources**

*   Skybox Security reduces the risk of data breach by 55%, Total Economic Impact™ Study reveals
*   Skybox Security featured in 6 Gartner® Hype CyclesTM, 2022

Skybox Cloud Edition is available now. To learn more about the Skybox Security Posture Management Platform, visit https://www.skyboxsecurity.com/products/security-posture-management-platform/.  
**About Skybox Security  
**Over 500 of the largest and most security-conscious enterprises in the world rely on Skybox for the insights and assurance required to stay ahead of dynamically changing attack surfaces. Our Security Posture Management Platform delivers complete visibility, analytics, and automation to quickly map, prioritize and remediate vulnerabilities across your organization. The vendor-agnostic solution intelligently optimizes security policies, actions, and change processes across all corporate networks and cloud environments. With Skybox, security teams can now focus on the most strategic business initiatives while ensuring enterprises remain protected.

Skybox Security Unveils Industry's First SaaS Solution For Security Policy and Vulnerability Management Across Hybrid Environments

Existing software security firms and new startups tackle the tasks of exposing dependencies and helping developers manage their use of open source components.

With open source code making up about 80% of the average application, application security professionals are urging developers to create pipelines that put software supply chain security front and center.

The push for more clarity about the security of open source components is driving the introduction of tools that go beyond software composition analysis (SCA) and static analysis to give companies better visibility into the makeup of their programs. One area to pay more attention to is the dependencies used to create applications. On Oct. 10, a group of application security specialists took the wraps off Endor Labs, a startup that aims to provide a variety of capabilities that focus on managing dependencies and help reduce the attack surface posed by the vast web of components that make up the typical application.

Current approaches can return tens of thousands of potential security issues, many of which are false positives and only 10% or 20% of which may actually be used by the application, says Varun Badhwar, co-founder and CEO of Endor Labs.

"It turns out that 80 to 90% of those reported vulnerabilities, while they exist in the package version itself, they do not apply to you because your developers are not using that code," he says. "You might have some component with 10,000 lines of code, and your developers are only calling 200 lines because they are using a single function."

Some research has put the estimate of attackable bugs at merely 3%.

**The Problem of Software Supply Chain**

Endor Labs is the latest company to tackle the security of the software supply chain. In March, Sonatype, a provider of software supply chain security tools, introduced more capabilities for the visualization of dependency trees to trace vulnerabilities back to the components that introduced them. And a year ago, a group of former Google employees started Chainguard, which focuses on the entire software supply chain, including asset management, vulnerability management, and software integrity. Other companies — Anchore, Snyk, Synopsys, and Veracode, to name a few — have made recent moves to better address the software supply chain as well.

The goal is for developers to adopt processes and tools that enumerate the dependencies in their applications, detect vulnerabilities in those components, and gain insight into the trustworthiness of the maintainers and projects, says Dan Lorenc, CEO and co-founder at Chainguard.

"We have attacks happening at each and every point along the software supply chain, from the way code gets built, to its deployment, to how it’s run and then packaged and shipped to end users," he says. "Because software supply chain security covers the entire development life cycle, it isn’t like other areas in security where point solutions can solve it."

At present, developers tend to create their code and then scan for vulnerabilities, only discovering poorly coded components long after they made the decision to use the code. Open source software typically makes up anywhere from 70% to 90% of the code included in Web and cloud applications, and the average application requires scores of dependencies, while JavaScript applications average more than 500 dependencies.

**Adding Visibility**

Current tools provide little value or input into the developer's selection process, so development teams need more visibility into the components making up their supply chains, Endor Lab's Badhwar says.

"Let's be honest — a developer's best friend today is Google," Badhwar says. "If a product manager comes to a developer and says, 'Build me feature X,' one of the first things the developer does is go to Google and search for a package or a dependency that accelerates their development."

Some developers may go as far as looking at the number of GitHub stars — using the package's popularity as a proxy for trustworthiness — and may even read about the software on the discussion forums of HackerNews, Reddit, or StackOverflow, he says.

Endor Labs expands the dependency management process into companies' DevOps pipeline and even down to the developer's IDE, giving developers and application security teams information on the security of the components. The platform also allows application security teams to set policies that will be enforced during the selection process, Badhwar says.

The approach helps push companies beyond their focus on software bills of material (SBOMs). Because government agencies require the information, the software manifests have taken off as software makers comply with regulations.

Yet while SBOMs are a helpful step along the path to more security software, they are generated at the end of the application release cycle, so they don’t actually help manage the risk, says Brian Fox, co-founder and chief technology officer at Sonatype.

Organizations instead need capabilities to effectively manage the life cycle of dependencies, starting from the far left side where developers select new dependencies, he says.

"It is only with a deep organizational understanding of your overall bill of materials that you can better arm your software for the next zero-day disclosure," Fox says. "Our data shows that organizations who actively manage their supply chains have dramatically better outcomes and response times than those who do not."

Dependency Management Aims to Make Security Easier

DigiCert ready to help smart home device manufacturers achieve Matter compliance rapidly and at scale.

(LEHI, Utah) – (October 11, 2022) — DigiCert, Inc., the world’s leading provider of digital trust, announced today that its Root Certificate Authority (CA) is approved by the Connectivity Standards Alliance (Alliance) for Matter device attestation. As the first Matter-approved root CA, also known as a Product Attestation Authority (PAA), DigiCert can now provide rapid time to market for smart home manufacturers looking to earn the Matter seal on their products.

A multi-year participant in Matter, DigiCert contributed its expertise to the security and attestation components of the standard and has the scalable technology to enable an efficient path to compliance.

“The introduction of Matter to the smart home industry is an exciting move that improves interoperability between devices and raises the bar for security, creating a more efficient and secure experience for consumers,” said DigiCert VP of IoT Security Mike Nelson. “DigiCert has been involved in building the Matter standard for several years, and we’ve already helped many leading companies evaluate their device attestation procedures using our test Certificate Authority. Now, with our PAA approved for production, we are ready to help customers save time in achieving Matter security compliance.”

Matter participants may gain the following benefits by partnering with DigiCert:

*   Accelerate time to market in achieving Matter compliance.
*   Save money by avoiding the costs of technology, maintenance, staffing and ongoing compliance.
*   Enjoy flexible deployment options, including on-premises, hosted or batch issuance.
*   Simplify management of device attestation certificates and product attestation intermediates through the DigiCert® IoT Device Manager.
*   Gain efficiencies using a scalable platform to sign and secure device updates.

Matter is an industry-led effort of the Alliance bringing together the world’s leading manufacturers to achieve secure, reliable and seamless use of smart home devices. Matter enables IP-based networking and communication across smart home devices, mobile applications and smart home ecosystems. Matter devices offer consumers assurances of secure use through a consortium-led standard for authenticating device identity that only allows Matter-certified devices to connect to the network.

“DigiCert has been an integral part of the development of the attestation policy for the Matter release and its inherent improvements in the security of the IoT space,” said Chris LaPre, Director of Technology at the Connectivity Standards Alliance. “Device attestation allows existing Matter devices to locally confirm new ones when they have been recognized by the local network, and quickly remove non-compliant devices when needed. Consumers are no longer under the burden of ensuring new devices are secure; it happens automatically.”

Manufacturers looking to gain efficiencies of scale, rapid time to market and Matter device attestation expertise may learn more at: https://www.digicert.com/iot/matter-iot-device-certification.

Additional information is available via the following:

Setting the New Standard for Trust in Smart Home with Matter

Becoming Matter Compliant: Why You Shouldn’t DIY PKI

Matter: The Standard of the Future

Matter Compliance: Understanding and Implementing Device Attestation Certificates

**About DigiCert, Inc.**  
DigiCert is the world’s leading provider of digital trust, enabling individuals and businesses to engage online with the confidence that their footprint in the digital world is secure. DigiCert® ONE, the platform for digital trust, provides organizations with centralized visibility and control over a broad range of public and private trust needs, securing websites, enterprise access and communication, software, identity, content and devices. DigiCert pairs its award-winning software with its industry leadership in standards, support and operations, and is the digital trust provider of choice for leading companies around the world. For more information, visit digicert.com or follow @digicert.

Source

DARKReading