In this new episode of Tech Talks, Darktrace's Tony Jarvis and Dark Reading's Terry Sweeney discuss how to protect networks after the death of the perimeter.

The pandemic-propelled shift to work-from-home and bring-your-own-devices accelerated the already expanding move to the cloud. IDC predicts that global cloud spending will grow from $703 billion in 2021 to $1.3 trillion in 2025. Statista reports that the percentage of corporate data stored on the cloud rose from 30% in 2015 to 48% at the beginning of the COVID-19 crisis in 2019; so far in 2022, 60% of corporate data lives in the cloud rather than on-premises networks.

In this installment of Tech Talks, Tony Jarvis, director of enterprise security for Asia Pacific and Japan for Darktrace, and Dark Reading contributing editor Terry Sweeney discuss the rise of the cloud, the decline of on-premises, and the possible death of the traditional perimeter in the wake of those technological shifts. 

"There's a lot of digital transformation that's taken place virtually overnight," Jarvis says. "Some organizations are struggling with this. And for that reason, they're not going to fully abandon on-premise networks anytime soon."

Indeed, a recent InformationWeek report shows that while IT pros widely use cloud services, they believe the cloud is less secure than their traditional on-premises systems. Over half of respondents (55%) would keep sensitive data on-prem if they could, the report indicates.

As on-premises networks decline in favor of cloud resources, however, those IT departments need new security measures to accommodate the new IT environment. 

"There's no real perimeter anymore — not in the traditional sense — and that means that things can get in through a number of different ways. We need to get better at detecting that," Jarvis says.

New incursion paths require new ways to guard against invasion. At the beginning of 2022, the US Office of Management and Budget released a detailed blueprint for security measures it requires government agencies and vendors to implement, and zero-trust policies ranked prominently. Sweeney asked Jarvis whether he thinks zero-trust architectures can keep endpoint devices secure when they're away from VPNs.

"I think of zero trust almost like a new set of rules or a new perimeter. And we want to be looking for anomalies taking place within that perimeter," Jarvis says. That means looking for unusual behaviors that will give away an attacker's motivations, such as lateral movement and living-off-the-land techniques. Artificial intelligence tools can automatically look for deviations from the norm and cut off those actions.

Of course, cloud security means accepting that attackers don't care if they are targeting cloud or on-premises systems. Focusing on one at the expense of the other is a problem. The attacks will focus on wherever they see weakness.

"We're always thinking not in terms of good or bad per se, but more in terms of normal — Does this belong in the environment? — and then, by association, unusual," Jarvis said. "Attackers will always go after the weak spots; they'll go after whatever gives them the greatest chance of getting in, no matter where that is."

Tony Jarvis on Shifting Security Gears as We Move to the Cloud

The annual report is always filled with useful security information. Here are several of the most important lessons from this year's edition.

The data in the new Verizon "Data Breach Investigations Report" (DBIR) offers critical insights into the current state of cybersecurity. After a year of data breaches and cyberattacks consistently dominating headlines, this year's report closely examines what adversaries are looking for when they're trying to infiltrate businesses and organizations. This year's DBIR, the 15th edition, confirms what we assumed: Cyber threats are on the rise and we must work together to better our security posture. The findings collected in the report are timely for the trained security researcher, but here are three takeaways I think are the most important.

**Conducting the Symphony of Disruption**

The most common action that adversaries are taking to disrupt their target's IT ecosystem is launching denial-of-service (DoS) attacks that effectively flood a network with traffic or information in the pursuit of crashing it. The 2022 DBIR says that 46% of all incidents were DoS attacks, followed by remote access–led attacks, including backdoor and command-and-control-based attacks. Distracting and disrupting the IT and security teams in this way can help obfuscate and bury the other adversarial activities in their toolkit as they look for their initial access.

Ransomware, phishing, stolen credentials, and several other types of attacks round out the list, but one attack vector stands out from the rest. More than 60% of security incidents over the past year were conducted through a Web application, consistent with data collected by Verizon in past years.

Because Web applications — closely followed by email — are where your organization most frequently connects to the Internet, it makes sense that they'd be the primary vectors for threat actors trying to breach your environment. While a Web application may fall victim to a hacker proficient with SQL or with an exploit handy, email is the domain of virtually every employee at every organization. That's why social engineering played a role in nearly all 5,212 breaches recorded in the 2022 DBIR.

**Is Your Human Secure?**

The 2022 DBIR highlights the importance of maintaining a strong security awareness program, which I believe is a critical element of securing an organization. Just about 82% of all breaches recorded last year involved social engineering in some form, with threat actors preferring to phish their targets via email more than 60% of the time.

Though the DBIR found just 2.9% of employees actually clicked on phishing emails last year, that's more than enough for hackers to work with, especially if they're able to steal credentials or dump their malware of choice following the phish. For me, the important point is that there is a continuing trend for staff to report more phishing attempts – and even more importantly, to report them after they have responded to a phishing email.

Building an organizational culture that allows staff to be comfortable admitting they were duped is a difficult task because security awareness traditionally is a stick used to punish people and a metric to cover the company's compliance checkboxes.

Security leaders need to create a program that goes of their organization and doesn't just shame them for failing. For example, we need to create programs that don't automatically "fail" someone for clicking a link, because that's why links exist! A program that seeks to trick their own colleagues into failing is generally unproductive in the educational process and does almost nothing for the company's security posture.

A good security awareness training program is consistent, targeted, and limited in scope to allow employees to learn and practice one security skill at a time. Avoiding information overload will keep employees engaged and ready for emerging threats.

And lastly, security awareness is not just a corporate project. Strong awareness and education will help staff be more aware of digital risks in their personal lives as well. Well-implemented security awareness programs take advantage of this blurring to encourage their staff to care about security.

**The Ransomware Business Is Booming**

Ransomware, to nobody's surprise, is increasing in frequency by 13% over the prior year, with almost 70% of malware breaches involving some form of it. The dramatic increase in ransomware attacks — as large as the increases of the last five years combined, according to the report — makes sense, as hackers looking to make a quick buck need only encrypt their target's data rather than seek out specific financial information or credentials within their environment.

The report also states that 40% of ransomware incidents last year involved the use of desktop-sharing software. For example, cybercriminals used this tactic when exploiting vulnerabilities in Microsoft RDP, or just weak or stolen user credentials. On the other hand, 35% of ransomware incidents involved the use of email, leading to researchers recommending that organizations lock down their RDP and ensure their emails are scanned for potential phishing attempts. How we are in 2022 and still suffering from attacks over such a well-known attack vector as email is surely one of the biggest questions to come out of this report.

**Final Thoughts**

The DBIR is an excellent resource for the cybersecurity community to evaluate a tumultuous past 12 months, and the data within can be evaluated to predict the trends in attack types, vectors, and the motivations of hackers throughout the next year. In 2021, adversaries made it clear they were more focused on money than anything else, and with vulnerability exploits doubling from the previous year, it's a safe bet to say that once again the fundamentals of cybersecurity – across both IT hygiene and human engagement – will be the key to reducing the risk of damage and loss.

3 Big Takeaways From the Verizon DBIR 2022

The DoS vulnerability allows an attacker to create a Brotli "zip bomb," resulting in acute performance issues on Envoy proxy servers.

Researchers have discovered a denial-of-service (DoS) vulnerability in Envoy Proxy, which gives attackers the opportunity to crash the proxy server.

This could lead to performance degradation or unavailability of resources handled by the proxy, according to JFrog Security Research, which disclosed the vulnerability (CVE-2022-29225).

Envoy is a widely used open source edge and service proxy server designed for cloud-native applications and high-traffic websites. It can decompress both GZip and Brotli data (two compression formats), but it doesn't implement a size limit for the output buffer for the latter, JFrog found. This means that a near-unlimited amount of data could clog the buffer if attacked by a "zip bomb" — i.e., a malicious archive file designed to crash or render useless a program or system.

The vulnerability could thus be exploited by a malicious actor uploading a Brotli zip bomb to the server, resulting in acute performance issues.

"In most cases the machine's memory will not be able to handle such large amounts of data and the Envoy process will eventually crash," the JFrog blog post warned. "In most cases, before the process crashes, there will be severe performance issues due to the processor allocating a lot of resources to the decompression process."

The blog post advised users to upgrade to Envoy version 1.19.5, 1.20.4, 1.21.3, or 1.22.1, which it said would completely fix the issue. However, organizations that can't make the upgrade are advised to prohibit their configuration from allowing Brotli decompression. This can be done by removing the Brotli decompressor in its entirety, or otherwise replacing it with the Gzip decompressor.

Davis McCarthy, principal security researcher at Valtix, a provider of cloud-native network security services, explains that open source technology is often susceptible to vulnerabilities that can be exploited using older attack vectors — like a zip-bomb for exhausting memory.

“The cloud serves many always-on applications, which often leads to a lack of patching,” McCarthy says. "CVE-2022-29225 highlights the importance of cloud exploitation research, as this attack surface is growing."

He adds that when responsible disclosure occurs, virtual patching becomes an excellent mitigation option for attacks in the cloud.

DoS Vulnerability Allows Easy Envoy Proxy Crashes

Tune into Dark Reading's News Desk interviews with the industry’s leaders, discussing news and hot topics, such as this year’s "Transofrm" theme, at RSA Conference 2022 in San Francisco

RSA CONFERENCE 2022 -- San Francisco -- The tag line for RSA Conference is "Where the world talks security," and security leaders covered a whole gamut of topics at Dark Reading's News Desk last week. From new security frameworks and technologies such as secure service edge, extended detection and response (XDR), and confidential computing; to security best practices such as resilience and risk-based prioritization, these News Desk segments covered a lot of ground. There were conversations about automation and the cloud, as well. Check out the YouTube playlist of all the topics that came out of Dark Reading News Desk during RSA Conference 2022 in San Francisco.

Lookout on Getting It Right at the Secure Service Edge

By implementing Secure Service Edge technology, security pros can consolidate their cloud access security broker, secure Web gateway, and zero-trust offerings on to a single platform, according to Jim Dolce, CEO and chairman of Lookout Security.

Concentric AI on How To Maximize Your AI Returns, In and Out of the SOC

Artificial intelligence has transformed the security landscape and given security professionals powerful tools to do their jobs more efficiently, says Karthik Krishnan, CEO and founder of Concentric AI.

DeepSurface on Risk-Based Prioritization Adds New Depth to Vulnerability Management

DeepSurface’s CTO Tim Morgan talks about how context awareness and risk-based prioritization can fortify vulnerability management. Morgan also encourages security pros to look beyond CVSS scores when performing risk assessments.

Anjuna Security on Tapping ‘Confidential Computing’ to Secure Data, Users, and Organizations

Ayal Yogev, CEO and co-founder of Anjuna Security, describes the emerging model of Confidential Computing, as well as how it leverages enclaves and creates Trusted Execution Environments, which isolates data from unauthorized access. 

Seemplicity on Security Security & Productivity: The New Power Couple

Scanning and remediation are handicapped without some robust automation to power them, says Ravid Circus, co-founder and Chief Product Officer of Seemplicity, who’s looking to accelerate time-to-remediation and reducing risk.

ReliaQuest Bolsters Extended Detection With Threat Intelligence

Customers consistently struggle to get from reactivity to a proactive security strategy, but combining extended detection response (XDR) with threat intelligence is a big step in that direction, says ReliaQuest CTO Joe Partlow. 

Automox Adds Automation to Patching, Vuln Management

Patching and patch management remain among security pros’ biggest pain points; Paul Zimski, VP of product strategy for Automox, believes adding automation to the mix can make a serious dent in the patching equation for most organizations.

Uptycs on Observability Is Key to Cloud Security

Transformation is a key theme at RSAC 2022, and Uptycs founder Ganesh Pai weighs in on how cloud security teams can reduce risk and lock things down more tightly. He also talks about how security observability can drive innovation for organizations. 

Lacework Blends Artificial Intelligence and Automation To Bolster Cloud Security

Artificial intelligence is essential for endowing multicloud environments with greater visibility, insights and actions, according to Mark Nunnikhoven, distinguished cloud strategist for Lacework. 

BAE Systems on Want Better Security? Up Your Collaboration Game

"Information sharing and collaboration are essential to good security, says Peder Jungck, VP and general manager of BAE Systems Inc.’s Intelligence Solutions. That effect is compounded when info is shared across companies and industries, he adds. 

Sophos on Keeping Tabs on the Bad Guys Using Threat Research

John Shier, senior security advisor for Sophos, shares original research data on adversaries and the ongoing scourge of ransomware. Spoiler alert: Things aren’t getting better, as bad actors pivot to more sophisticated tactics to avoid detection. 

Cisco Makes Resilience a Cornerstone of Security Strategy

RSA keynoter and Cisco executive Jeetu Patel talks to the Dark Reading News Desk about the power of information sharing, an integrated approach to security, and how to give users controlled, trusted access to applications and services.

Okta on Identity-First Security Helps Reduce and Neutralize Enterprise Threats

Okta’s Marc Rogers and Auth0’s Jameeka Aaron discuss the biggest threats connected to identity, as well as how the move to hybrid work compounds the challenge of keeping users — and their data — secure. 

Darktrace on Prevent Breaches and Malware With Proactive Defenses

Pressure to reduce and manage risk — internally and externally — is more urgent than ever, according to Mike Beck, global CISO for Darktrace. That’s why organizations require more sophistication and integration in their security management platforms. 

Noname Security: Proactiveness Is the Name of the Game In App Security

Software code has come under attack in innovative and deeply troubling ways, says Noname Security’s Shay Levi. These attacks have altered the security landscape for developers and their organizations, as well as suppliers, partners, and customers. 

Sysdig Takes a Deeper Cut At Cloud Security

Cloud security can challenge security pros like nothing else, including workload security issues arising from app design patterns or DevOps practices, says Sysdig’s VP of research and development Omer Azaria. 

Raytheon on A Few Simple Ways To Transform Your Cybersecurity Hiring  

It was already tough to find good, experienced security professionals, then along the came the Great Resignation to make hiring even tougher, notes Jon Check, executive director of cyber protection solutions for Raytheon Intelligence and Space. 

Panther Labs on Mitigating the Security Skills Shortage

Migrating apps to the cloud has set off a hiring frenzy for security pros with expertise related to data analysis and monitoring, observes Jack Naglieri of Panther Labs. It’s also created a big need to make workloads more manageable, he adds.

Application Security Testing Is On the Mend With Automated Remediation

Software developers and security pros alike struggle with application security, and Arabella Hallawell, CMO of Mend, breaks down how automated remediation can improve software composition analysis and application security testing.

Cisco on How To Secure a High-Profile Event Like the Super Bowl

Whether you’re locking down a network or facing fourth down with mere inches, resilience is key, according to Cisco’s TK Keanini and Tomás Maldonado, CISO for the National Football League. In both cases, protection isn’t optional.

Halcyon on How to Blunt the Virulence of the New Ransomware

COVID’s had some company in the last couple years with another mutating scourge: Ransomware. Thanks to the Dark Web, ransomware has scaled up and become more heavily monetized, says Halcyon CEO and co-founder Jon Miller.

Security Leaders Discuss Industry Drivers at Dark Reading's News Desk at RSAC 2022

Humio for Falcon provides long-term, cost-effective data retention with powerful index-free search and analysis of enriched security telemetry across enterprise environments

**AUSTIN, Texas and RSA Conference 2022, SAN FRANCISCO – June 6, 2022 –** CrowdStrike (Nasdaq: CRWD), a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, today introduced Humio for Falcon, a new capability that extends data retention of CrowdStrike Falcon telemetry for up to one year or longer, enhancing threat analytics and threat hunting abilities for organizations while helping them meet compliance requirements.

Humio for Falcon brings together an industry-leading security platform in CrowdStrike Falcon, with the powerful search capabilities of CrowdStrike’s centralized logging offering, Humio. The new capability gives security teams the ability to store security and IT telemetry from the Falcon platform, which is enriched and contextualized across endpoints, workloads and identities to address the challenge of operationalizing the ever-growing volumes of data. Humio for Falcon helps security teams analyze and act on all data – both real-time and historical data – in their environment. With longer data retention due to advanced compression of ingested data, security teams can uncover and detect potential threats within their environments with deep, contextual analytics and sub-second search results at any scale through a modern, index-free architecture.

“While the data available to threat hunters and incident responders grows at an exponential rate, they are routinely forced to reduce the duration they can store this information,” said Michael Sentonas, chief technology officer at CrowdStrike. “Humio for Falcon solves this problem by delivering scalable and cost-effective data retention that enables threat hunters and incident responders to look back and see if and when an adversary was active in an IT environment and reconcile every system they touched. It’s truly a game-changer in the industry.”

Humio for Falcon provides:

*   **Threat hunting and troubleshooting at unprecedented scale:** By retaining Falcon data for extended periods of time, security teams can proactively search and uncover hidden threats in the environment with sub second speed, remove advanced persistent threats (APTs) by sifting through the data to detect irregularities that might suggest potential malicious behavior and better prioritize and address vulnerabilities before they can be weaponized.
*   **Longer data retention to help meet compliance requirements and reduced cost:** With scalable storage and advanced compression techniques, customers can store and manage Falcon data for one or multiple years, based on customer requirements. This wealth of real-time and historical data enables completeness and accuracy of investigation and analysis, resulting in faster threat remediation.
*   **New user interface (UI) dashboard visualization for fast and custom search:** Feature-rich query language and index-free searches allows security teams to run queries on Falcon data and get immediate answers. Get the ability to seamlessly ingest, aggregate and search through massive security and IT telemetry and gain valuable, contextual insights with sub-second latency searches for meeting real-world security requirements, including advanced threat and vulnerability investigations.

  
“With Humio for Falcon, we were able to save approximately $150,000 in the first year,” said Tom Sipes, director, IT security and compliance at Tuesday Morning. “Also, the ability to save data for an extended time period is critical. When we detect an indicator of compromise, we can go back in time and analyze the entire attack chain to accelerate investigations and pinpoint issues more quickly.”

**Additional Resources**

*   For more information on Humio for Falcon, please visit our blog.
*   To watch a Humio for Falcon demo, please visit this page.
*   Did you know? Humio can ingest over one petabyte of data per day. Humio was also named “Log Analytics Solution of the Year” by the Data Breakthrough Awards for 2022.

  
**About CrowdStrike**  
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike Introduces Humio for Falcon, Redefining Threat Hunting with Unparalleled Scale and Speed

A Linux-based banking Trojan is a master at staying under the radar.

A stealthy Linux threat called Symbiote is targeting financial institutions in Latin America, with all file, processes, and network artifacts hidden by the malware, making it virtually invisible to detection by live forensics.

The malware was first uncovered in November, according to a blog post by BlackBerry Research. What sets Symbiote apart from other Linux malware is its approach to infecting running processes, rather than using a stand-alone executable file to inflict damage.

It then harvests credentials to provide remote access for the threat actor, exfiltrating credentials as well as storing them locally.

"It operates as a rootkit and hides its presence on the machine. Once it has infected the machine fully, it allows you to see only what it wants you to see," Joakim Kennedy, security researcher at Intezer and author of the BlackBerry blog post, explains. "Essentially, you can't trust what the machine is telling you."

However, it can be detected externally, he says, since it exfiltrates stolen credentials via the DNS requests.

Kennedy says the domain names the malware uses impersonate big banks in Brazil, which also helps it stay under the radar.

"While we couldn't tell based on only what we found, attackers targeting financial institutions are often motivated by potential monetary gain," he says.

**Shared Object Library**

Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, points out that unlike most malware variants, the Symbiote malware is a shared object library, instead of an executable file.

Symbiote uses the LD\_PRELOAD variable that allows it to be pre-loaded by applications before other shared object libraries.

"This is a sophisticated and evasive technique that can help the malware blend in with legitimate running processes and applications, which is one of the reasons Symbiote is difficult to detect," she says.

The malware also has Berkeley Packet Filter (BPF) hooking functionality. Packet capture tools intercept, or capture, network traffic typically for the purposes of an investigation.

BPF is a tool embedded within several Linux operating systems that allows users to filter out certain packets depending on the type of investigation they are performing, which can reduce the overall results, making analysis easier.

"The Symbiote malware is designed to essentially filter its traffic out of the packet capture results," Hoffman explains. "This is just another layer of stealth used by the attackers to cover their tracks and fly under the radar."

Kennedy adds that this is the first time the BPF hooking functionality has been observed operating in this way, and points out that other malware variants have typically used BPF to receive commands from their command-and-control server.

"This malware instead uses this method to hide network activity," he says. "It's an active measure used by the malware to prevent being detected if someone investigates the infected machine — like covering up its footsteps so it's harder to track down.”

**Easier to Attack?**

Mike Parkin, senior technical engineer at Vulcan Cyber, says there may be a perception on the attacker's part that the targets in Latin America have a less mature security infrastructure and would thus be easier to attack.

He explains that the attackers went out of their way to hide their malware from anything that's running on the infected system, leveraging BPF to hide their communications traffic.

"While this will work on the local host, other network-monitoring tools will be able to identify the hostile traffic and the infected source," he says.

He explains that there are several endpoint tools available that should identify changes on a victim system.

"There are also forensic techniques that can use the malware's own behavior against it to reveal its presence," he notes. "The authors who created Symbiote went to great lengths hide their malware. They leveraged a combination of techniques, though in so doing delivered some indicators of compromise that defenders could use to identify an infection in-situ."

Kennedy says that the most important action is to focus on the techniques used by this malware to ensure that you can detect and/or protect against those, whether you're protecting against Symbiote or another attack that uses the same technique.

"I would say Symbiote, and other recently discovered undetected Linux malware, shows that operating systems other than Windows are not immune to highly evasive malware," he says. "Since it doesn’t get as much attention as Windows malware, we don't know what else is out there that hasn’t been discovered yet."

Symbiote Malware Poses Stealthy, Linux-Based Threat to Financial Industry

CrowdStrike Asset Graph provides unprecedented visibility of assets in an IT environment to optimize cyber defense strategies and manage risk.

**AUSTIN, Texas and RSA Conference 2022, SAN FRANCISCO – June 6, 2022 –** CrowdStrike (Nasdaq: CRWD), a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, today introduced CrowdStrike Asset Graph, a new graph database powered by the CrowdStrike Security Cloud that provides IT and security leaders with a 360-degree view into all assets (both managed and unmanaged) alongside unprecedented visibility into their attack surface across devices, users, accounts, applications, cloud workloads, operational technology (OT) and more to simplify IT operations and stop breaches.

As organizations accelerate their digital transformation, they are expanding their attack surface exponentially. This has dramatically increased their risk exposure to adversaries who are discovering and exploiting these soft targets and vulnerabilities faster than IT and security teams can discover them. Visibility is one of the foundational principles of cybersecurity because you cannot secure and defend the assets you don’t know exist. This, in turn, creates a race between adversaries and companies’ IT and security teams to find these blind spots. According to a 2022 report from Enterprise Strategy Group (ESG), “69% of organizations have experienced a cyberattack in which the attack itself started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset.”

CrowdStrike Asset Graph solves this problem by dynamically monitoring and tracking the complex interactions between assets, providing a single holistic view of the risks those assets pose. While other solutions simply provide a list of assets without context, Asset Graph provides graphic visualizations of the relationships between all assets such as devices, users, accounts, applications, cloud workloads and OT, along with the rich context necessary for proper security hygiene and proactive security posture management to reduce risk in their organizations.

“Digital transformation has led to an equal and pronounced acceleration of security transformation in the modern enterprise. For companies furthest along on this journey, IT operations and security teams – once distinct silos – are converging, creating a far more proactive posture when it comes to security and risk management,” said Amol Kulkarni, chief product and engineering officer at CrowdStrike. “Built specifically to address this new dynamic, CrowdStrike Asset Graph lets organizations see the assets they have and how they interact with each other, helping them make informed, risk-based decisions – from security to IT performance, utilization, capacity, license management and more – to proactively protect and manage their IT environment.”

**Bridging the gap between IT operations and security**  
The CrowdStrike Falcon platform was purpose-built with a cloud-native architecture to harness vast amounts of high-fidelity security and enterprise data, and deliver solutions through a single, lightweight agent to keep customers ahead of today’s sophisticated adversaries.

CrowdStrike’s groundbreaking graph technologies, which started with the company’s renowned Threat Graph, form a powerful, seamless and distributed data fabric, interconnected into a single cloud – the Security Cloud – that powers the Falcon platform and CrowdStrike’s industry-leading solutions. Using a combination of AI and behavioral pattern-matching techniques to correlate and contextualize information in the vast data fabric, CrowdStrike’s graphs create a “collect data once, reuse it multiple times” approach to solving the biggest problems that customers face. With the introduction of Asset Graph, CrowdStrike is applying this same approach to solving customers’ hardest, unmet challenges with an eye to proactive security, as well as unprecedented IT visibility and risk management.

The three highly-advanced graph technologies underpinning the Falcon platform now include:

*   **Threat Graph:** CrowdStrike’s industry-defining Threat Graph takes trillions of security data points from millions of sensors, enriched by threat intelligence data and third-party sources, to identify and link threat activity together to provide full visibility of attacks and automatically prevent threats in real-time across CrowdStrike’s global customer base.
*   **Intel Graph:** By analyzing and correlating massive amounts of data on adversaries, their victims and their tools, Intel Graph provides unrivaled insights on the shifts in tactics and techniques, powering CrowdStrike’s adversary-focused approach with world-class threat intelligence.
*   **Asset Graph:** With this release, CrowdStrike is solving one of the most complex customer problems today: identifying assets, identities and configurations accurately across all systems including cloud, on-premises, mobile, Internet of Things (IoT) and more, and connecting them together in a graph form. Unifying and contextualizing this information will lead to powerful new solutions that transform how organizations enforce security hygiene and dynamically manage their security posture.

  
CrowdStrike Asset Graph will enable new Falcon modules and features built on top of it to define, monitor and explore the relationships between assets within an organization. The first Falcon module to use Asset Graph is Falcon Discover (Security Hygiene), which includes the following enhancements:

*   **Newly enhanced dashboards, highly customizable filters and sharing options:** IT teams can tailor their experience of Asset Graph’s map visualization and powerful search capabilities, all presented conveniently within the Falcon Discover console.
*   **New third-party data integration with ServiceNow:** Combining this integration with Asset Graph and Falcon Discover, IT teams gain another layer of asset visibility around devices in a single console, providing enhanced monitoring over unmanaged and unsupported assets.

  
“It’s a cliche for a reason. You can’t protect what you can’t see. The first step in wrangling shadow IT or shining a light on blind spots is understanding what assets you have to secure and how those are interacting with unforeseen insecure assets,” said Juan Jose Chang, CISO at Bladex. “We believe that Falcon Discover combined with CrowdStrike Asset Graph will be the difference between using a flashlight versus a row of street lamps to see where you’re going.”

**Additional Resources**

*   For more information on CrowdStrike Asset Graph and enhancements to Falcon Discover, please visit our blog.

  
**About CrowdStrike**  
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

CrowdStrike Introduces CrowdStrike Asset Graph to Help Organizations Proactively Identify and Eliminate Blind Spots

New CrowdXDR Alliance partners include Menlo Security, Ping Identity, and Vectra AI.

**AUSTIN, Texas and RSA Conference 2022, SAN FRANCISCO – June 6, 2022 –** CrowdStrike (Nasdaq: CRWD), a leader in cloud-delivered protection of endpoints, cloud workloads, identity and data, today announced it has expanded the CrowdXDR Alliance to include key strategic partners across web and email security (Menlo Security), identity and access management (Ping Identity) and network detection and response (Vectra AI). CrowdStrike also introduced new capabilities for the Falcon XDR (Extended Detection and Response) module to speed up detections for security teams, including an integration with ServiceNow, an existing CrowdXDR Alliance partner, to dramatically simplify security operations workflows with automated ticket creation.

Falcon XDR’s new capabilities include:

*   **Falcon Fusion workflows based on XDR detections:** Natively integrated with Falcon XDR, Falcon Fusion (CrowdStrike’s SOAR framework) now automates numerous workflows directly from a Falcon XDR detection including:
    *   Ticket creation through ServiceNow, a CrowdXDR Alliance partner.
    *   Notifications through email, Slack or webhook.
    *   Incident details from status changes to team assignments and comments.
*   **XDR detections event timeline:** Speed triage and investigation with a timeline view that displays key events of a detection in chronological order to easily understand how activity progressed.
*   **Graph visualization of custom XDR detections:** Create custom XDR detections from queries written to hunt for threats in the environment. Falcon XDR graph explorer visualizes how the events and entities in a custom XDR detection are related, enabling security analysts to rapidly orient and explore connections in cross-domain data.

  
“CrowdStrike continues to bring together the best of both open and native approaches to XDR,” said Michael Sentonas, chief technology officer at CrowdStrike. “For organizations seeking an open approach, we continue to expand third-party support for the CrowdXDR Alliance, which is delivering a standardized schema for data sharing to enrich XDR detections. We welcome Menlo Security, Ping Identity and Vectra AI to the CrowdXDR Alliance and look forward to partnering with them to deliver third-party integrations. For organizations seeking a native approach, we continue to bolster Falcon XDR with new capabilities that speed up threat detection and response efforts across data sources and environments. Ultimately, we are offering a solution that allows customers to choose an XDR approach that best fits their needs.”

**Partner Quotes**

*   **Poornima DeBolle, Menlo Security co-founder and chief product officer:** “The Internet should be safe, seamless, and effective for all workers. However, cybercriminals are making this difficult by deploying increasingly sophisticated malware, including ransomware fueled by Highly Evasive Adaptive Threats. We need to stop such malware and zero-day exploits from ever getting to endpoints. Menlo Security is excited to join CrowdStrike’s CrowdXDR Alliance. Our integration with CrowdStrike Falcon XDR will enable organizations to offer a safe online experience, without having to sacrifice productivity for security.”

*   **Loren Russon, vice president of product management at Ping Identity:** “We are excited to join CrowdStrike’s CrowdXDR Alliance and continue to expand our joint solutions. Customers are demanding expansive partner ecosystems through easy-to-deploy integrations, and this partnership delivers that through enterprise-proven identity security along with comprehensive visibility and protection against threats.”
*   **Michael Porat, senior vice president, corporate and business development at Vectra AI:** “As the scale and intensity of cyberattacks continue to proliferate, it reminds us that prevention alone cannot protect organizations from today’s cultivated attacks. To successfully mitigate modern security threats, organizations must implement more advanced threat detection and response mechanisms that accurately pinpoint attacker behavior and stop attackers from navigating through hybrid clouds. We are excited to join CrowdStrike’s CrowdXDR Alliance and look forward to sharing our threat detection and response expertise with other esteemed security vendors as we all work together with one common goal – detecting and stopping malicious actors.”

  
**Additional Resources**

*   For more information on the CrowdXDR Alliance and Falcon XDR, please visit our blog.
*   CrowdStrike was named a Strong Performer in The Forrester New Wave for Extended Detection and Response (XDR) Providers, Q4 2021.1

  
**About CrowdStrike**  
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with one of the world’s most advanced cloud-native platforms for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.

1 The Forrester New Wave: Extended Detection and Response (XDR) Providers, Q4 2021

CrowdStrike Adds Strategic Partners to CrowdXDR Alliance and Expands Falcon XDR Capabilities

The commission argues that legislative action is needed to ensure a well-functioning market for AI systems that balances benefits and risks.

The European Commission (EC) is currently debating new rules and actions for trust and accountability in artificial intelligence (AI) technology through a legal framework called the EU AI Act. Its aim is to promote the development and uptake of AI while addressing potential risks some AI systems can pose to safety and fundamental rights.

While most AI systems will pose low to no risk, the EU says, some create dangers that must be addressed. For example, the opacity of many algorithms may create uncertainty and hamper effective enforcement of existing safety and rights laws.

The EC argues that legislative action is needed to ensure a well-functioning internal market for AI systems where both benefits and risks are adequately addressed.

"The EU AI Act aims to be a human centric legal-ethical framework that intends to safeguard and protect human rights and fundamental freedoms from violations of these rights and freedoms by algorithms and smart machines," says Mauritz Kop, Transatlantic Technology Law Forum Fellow at Stanford Law School and strategic intellectual property lawyer at AIRecht.

The right to know whether you are dealing with a human or a machine — which is becoming increasingly more difficult as AI becomes more sophisticated — is part of that vision, he explains.

Kop notes that AI is now mostly unregulated, except for a few sector-specific rules. The act aims to address the legal gaps and loopholes by introducing a product safety regime for AI.

"The risks are too high for nonbinding self-regulation by companies alone," he says.

**Effects on AI Innovation**

Kop admits that regulatory conformity and legal compliance will be a burden, especially for early AI startups developing high-risk AI systems. Empirical research that shows the GDPR – while preserving privacy and data protection and data security – had a negative effect on innovation, he notes.

Risk classification for AI is based on the intended purpose of the system, in line with existing EU product safety legislation. Classification depends on the function the AI system performs and on the specific purpose and modalities for which the system is used.

"The legal uncertainty surrounding \[regulation\] and the lack of budget to hire specialized lawyers or multidisciplinary teams still are significant barriers for a flourishing AI startup and scale-up ecosystem," Kop says. "The question remains whether the AI Act will improve or worsen the startup climate in the EU."

The EC will determine which AI gets classified as "high risk" using criteria that are still under debate, creating a list of examples of high-risk systems to help guide judgment.

"It will be a dynamic list that contains various types of AI applications used in certain high-risk industries, which means the rules get stricter for riskier AI in healthcare and defense than they are for AI apps in tourism," Kop says. "For instance, medical AI is \[classified as\] high risk to prevent direct harm to patients due to AI errors."

He notes there is still controversy about the criteria and definition of AI that the draft uses. Some commentators argue it should be more technology-specific, aimed at certain riskier types of machine learning, such as deep unsupervised learning or deep reinforcement learning.

"Others focus more on the intent of the system, such as social credit scoring, instead of potential harmful results, such as neuro-influencing," Kop added. "A more detailed classification of what 'risk' entails would thus be welcome in the final version of the act."

**Facial Recognition as a High-Risk Technology**

Joseph Carson, chief security scientist and advisory CISO at Delinea, participated in several of the talks around the act, including as a subject matter expert in the use of AI in law enforcement and articulating the concerns around security and privacy.

The EU AI Act, he says, will mainly affect those organizations that already collect and process personal identifiable information. Therefore, it will impact how they use advanced algorithms in processing the data.

"It is important to understand the risks if no regulation or act is in place and what the possible impact \[is\] if organizations abuse the combination of sensitive data and algorithms," Carson says. "The future of the Internet is a scary place, and the enforcement of the EU AI Act allows us to embrace the future of the Internet using AI with both responsibility and accountability."

Regarding facial recognition, he says the technology should be regulated and controlled.

"It has many amazing uses in society, but it must be something you opt in and agree to use; citizens must have a choice," he says. "If no act is in place, we will see a significant increase in deepfakes that will spiral out of control."

Malin Strandell-Jansson, senior knowledge expert at McKinsey & Co, says facial recognition is one of the most debated issues in the draft act, and the final outcome is not yet clear.

In its draft format, the AI Act strictly prohibits the use of real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, as it poses particular risks for fundamental rights – notably human dignity, respect for private and family life, protection of personal data, and nondiscrimination.

Strandell-Jansson points out a few exceptions, including use for law enforcement purposes for the targeted search for specific potential victims of crime, including missing children; the response to the imminent threat of a terror attack; or the detection and identification of perpetrators of serious crimes.

"Regarding private businesses, the AI Act considers all emotion recognition and biometric categorization systems to be high-risk applications if they fall under the use cases identified as such — for example, in the areas of employment, education, law enforcement, migration, and border control," she explains.

As such, potential providers would have to subject such AI systems to transparency and conformity obligations before putting them on the market in Europe.

**The Time to Act on AI Is Now**

Dr. Sohrob Kazerounian, AI research lead at Vectra, an AI cybersecurity company, says the need to create a regulatory framework for AI has never been more pressing.

"AI systems are rapidly being integrated into products and services across wide-ranging markets," he says. "Yet the trustworthiness and interpretability of these systems can be rather opaque, with poorly understood risks to users and society more broadly."

While some existing legal frameworks and consumer protections may be relevant, applications that use AI are sufficiently different enough from traditional consumer products that they necessitate fundamentally new legal mechanisms, he adds.

The overarching goal of the bill is to anticipate and mitigate the most critical risks resulting from the use and failure of AI, with actions ranging from banning systems deemed to have "unacceptable risk" altogether to heavy regulation of "high-risk" systems. Another, albeit less-noted, consequence of the framework is that it could provide clarity and certainty to markets about what regulations will exist and how they will be applied.

"As such, the regulatory framework may in fact result in increased investment and market participation in the AI sector," Kazerounian said.

**Limits for Deepfakes and Biometric Recognition**

By addressing specific AI use cases, such as deepfakes and biometric or emotional recognition, the AI Act is hoping to ameliorate the heightened risks such technologies pose, such as violation of privacy, indiscriminate or mass surveillance, profiling and scoring of citizens, and manipulation, Strandell-Jansson says.  

"Biometrics for categorization and emotion recognition have the potential to lead to infringements of people's privacy and their right to the protection of personal data as well as to their manipulation," she says. "In addition, there are serious doubts as to the scientific nature and reliability of such systems."

The bill would require people to be notified when they encounter deepfakes, biometric recognition systems, or AI applications that claim to be able to read their emotions. Although that's a promising step, it raises a couple of potential issues.

Overall, Kazerounian says it is "undoubtedly" a good start to require increased visibility for consumers when they are being classified by biometric data and when they are interacting with AI-generated content rather than real humans or real content.

"Unfortunately, the AI act specifies a set of application areas within which the use of AI would be considered high-risk, without necessarily discussing the risk-based criteria that could be used to determine the status of future applications of AI," he said. "As such, the seemingly ad-hoc decisions about which application areas are considered high-risk simultaneously appear to be too specific and too vague."

Current high-risk areas include certain types of biometric identification, operation of critical infrastructure, employment decisions, and some law enforcement activities, he explains.

"Yet it isn't clear why only these areas were considered high-risk and furthermore doesn't delineate which applications of statistical models and machine-learning systems within these areas should receive heavy regulatory oversight," he adds.

**Possible Groundwork for Similar US Law**

It is unclear what this act could mean for a similar law in the US, Kazerounian says, noting that it has now been more than half a decade since the passing of GDPR, the EU law on data regulation, without any similar federal laws following in the US — yet.

"Nevertheless, GDPR has undoubtedly influenced the behavior of multinational corporations, which have either had to fracture their policies around data protections for EU and non-EU environments or simply have a single policy based on GDPR applied globally," he said. "In any case, if the US decides to propose legislation on the regulation of AI, at a minimum it will be influenced by the EU act."

EU Debates AI Act to Protect Human Rights, Define High-Risk Uses

Halcyon's Jon Miller joins Dark Reading's Terry Sweeney at Dark Reading News Desk during RSA Conference to discuss how to mitigate ransomware.

COVID's had some company in the last couple years with another mutating scourge: ransomware. Thanks to the Dark Web, ransomware has scaled up and become more heavily monetized, says Halcyon CEO and co-founder Jon Miller. And as ransomware’s gotten more virulent and pervasive, boards of directors are taking more interest in managing the risk. Miller also discusses how better endpoint protections can mitigate the threat of ransomware.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading