Cyber spies are using legitimate apps for DLL sideloading, deploying an updated range of malware, including the new "Logdatter" info-stealer.

A threat group previously associated with the notorious ShadowPad remote access Trojan (RAT) has been observed using old and outdated versions of popular software packages to load malware on systems belonging to multiple target government and defense organizations in Asia.

The reason for using outdated versions of legitimate software is because they allow the attackers to use a well-known method called dynamic link library (DLL) sideloading to execute their malicious payloads on a target system. Most current versions of the same products protect against the attack vector, which basically involves adversaries disguising a malicious DLL file as a legitimate one and putting it in a directory where the application would automatically load and run the file.

Researchers from Broadcom's Software's Symantec Threat Hunter team observed the ShadowPad\-related threat group using the tactic in a cyber-espionage campaign. The group's targets have so far included a prime minister's office, government organizations linked to the finance sector, government-owned defense and aerospace firms, and state-owned telecom, IT, and media companies. The security vendor's analysis showed the campaign has been ongoing since at least early 2021, with intelligence being the primary focus.

**A Well-Known Cyberattack Tactic, but Successful**

"The use of legitimate applications to facilitate DLL sideloading appears to be a growing trend among espionage actors operating in the region," Symantec said in a report this week. It's an attractive tactic because anti-malware tools often don't spot the malicious activity because attackers used old applications for side loading.

"Aside from the age of the applications, the other commonality is that they were all relatively well-known names and thus may appear innocuous." says Alan Neville, threat intelligence analyst with Symantec's threat hunter team.  

The fact that the group behind the current campaign in Asia is using the tactic despite it being well-understood suggests the technique is yielding some success, Symantec said.

Neville says his company has not recently observed threat actors use the tactic in the US or elsewhere. "The technique is mostly used by attackers focusing on Asian organizations," he adds.

Neville says that in most of the attacks in the latest campaign, threat actors used the legitimate PsExec Windows utility for executing programs on remote systems to carry out the sideloading and deploy malware. In each case, the attackers had already previously compromised the systems on which it installed the old, legitimate apps.

"\[The programs\] were installed on each compromised computer the attackers wanted to run malware on. In some cases, it could be multiple computers on the same victim network," Neville says. In other instances, Symantec also observed them deploying multiple legitimate application on a single machine to load their malware, he adds.

"They used quite an array of software, including security software, graphics software, and Web browsers," he notes. In some cases, Symantec researchers also observed the attacker using legitimate system files from the legacy Windows XP OS to enable the attack.  

**Logdatter, Range of Malicious Payloads**

One of the malicious payloads is a new information stealer dubbed Logdatter, which allows the attackers to log keystrokes, take screenshots, query SQL databases, inject arbitrary code, and download files, among other things. Other payloads that the threat actor is using in its Asian campaign include a PlugX-based Trojan, two RATs dubbed Trochilus and Quasar, and several legitimate dual-use tools. These include Ladon, a penetration testing framework, FScan, and NBTscan for scanning victim environments.

Neville says Symantec has been unable to determine with certainty how the threat actors might be gaining initial access on a target environment. But phishing and opportunity targeting of unpatched systems are likely vectors.

"Alternatively, a software supply chain attack is not outside the remit of these attackers as actors with access to ShadowPad are known to have launched supply chain attacks in the past," Neville notes. Once the threat actors have gained access to an environment, they have tended to use a range of scanning tools such as NBTScan, TCPing, FastReverseProxy, and Fscan to look for other systems to target.

To defend against these kinds of attacks, organizations need to implement mechanisms for auditing and controlling what software might be running on their network. They should also consider implementing a policy of only allowing whitelisted applications to run in the environment and prioritize patching of vulnerabilities in public-facing applications. 

"We'd also recommend taking immediate action to clean machines that exhibit any indicators of compromise," Neville advises, "... including cycling credentials and following your own organization's internal process to perform a thorough investigation."

ShadowPad Threat Actors Return With Fresh Government Strikes, Updated Tools

Facebook lead-generation forms are being repurposed to collect passwords and credit card information from unsuspecting Facebook advertisers.

Attackers are piggybacking on the power of the Facebook brand by using emails that look like they're coming from Facebook Ads Manager. The idea is to lure victims into coughing up credentials and credit card information on a Facebook lead generation form.

According to a Tuesday report by the security research team at Avanan, attackers are sending phishing messages that appear to be urgent warnings from Meta's "Facebook AdManager" team. The messages claim the victim is not complying with the company's ad policies and that the ad account will be disabled if the target doesn't appeal the phony violation.

    

The Facebook Ads phishing message. Source: Avanan

The "appeal form" link leads to a credential harvesting site that uses a real Facebook lead-generation form to collect passwords and credit card information.

**Abusing the Facebook Ads System**

An interesting aspect to the campaign is that rather than using a harvesting site hosted on a sketchy IP somewhere, attackers are gaming the Facebook ads system to create lead-generation forms with malicious intent. Doing so kills two birds with one stone: First of all, it fools a lot of automated checks for malicious links used by email platforms. Using legitimate sites is what the Avanan team refers to as the Static Expressway.

"Hackers are leveraging sites that appear on static Allow Lists," explained Jeremy Fuchs, cybersecurity researcher for Avanan, in the report. "That means that email security services have broadly decided that these sites are trustworthy, and thus anything related to them comes through to the inbox."

Additionally, using Facebook Ads forms also offers a high degree of verisimilitude for any of the eight billion advertising users that Facebook works with who are already familiar with the Ads Manager platform and the lead-generation forms it produces.

"For the end user, seeing that their Facebook ad account has been suspended is cause for concern," Fuchs said. "Since it’s a legitimate Facebook link, the user would feel confident continuing on."

**Tell-Tale Signs of 'Brandjacking'**

Fuchs wrote that while the sites used in this credential harvesting campaign appeared to be legitimate, there is a red flag in the phishing messages they uncovered: Typically, these are coming from Outlook accounts such as \[email protected\]look.com.

Additionally, the physical address footer in the emails are wrong. But if users didn't notice these details, they could easily be foiled by this ploy.

According to research released earlier this year, brand impersonations, or brandjackings, like these increased by 274% last year as attackers continue to peddle their scams by looking like they come from reliable sources. Facebook is a particular favorite among phishers to impersonate. A report released by Vade this spring found Facebook was the No. 1 impersonated brand last year, edging out perennial favorite Microsoft for the top spot.

According to Abnormal Security research detailing data from the first half of 2022, email attacks increased by 48% in that timeframe, with more than 1 in 10 attacks impersonating well-known brands. Some 256 individual brands were impersonated, with LinkedIn and Microsoft appearing to be the favorites so far in 2022.

Cyberattackers Abuse Facebook Ad Manager in Savvy Credential-Harvesting Campaign

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

Avast ye! Come up with a cybersecurity-themed caption for the cartoon, above, and if it's Dark Reading editors' favorite, you'll win a $25 Amazon gift card. We offer four convenient ways for you to submit your security-related ideas before the contest closes on Wednesday, Oct. 12, 2022:

*   Email _\[email protected\]_ with the subject line "Dark Reading September Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

**Last Month's Winner**

Congrats, Brian N., because a $25 Amazon gift card is heading your way. The infosec pro's clever caption for last month's "Vicious Cycle" cartoon contest appears below:.

    

Thanks to all who played!

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Shiver Me Timbers!

Siemplify veterans introduce Cloud Security Orchestration and Remediation platform, backed by high-profile investors including YL Ventures, Tiger Global, and CEOs of CrowdStrike and CyberArk

**TEL AVIV, Israel - September 13, 2022** -- Opus Security, a Cloud Security Orchestration and Remediation startup, today announced $10 million in seed funding led by YL Ventures with participation from Tiger Global and renowned security executives and serial entrepreneurs, including George Kurtz, co-founder, CEO and President of CrowdStrike; Udi Mokady, co-founder, Chairman and CEO of CyberArk; Dan Plastina, former Head of AWS Security Services; Oliver Friedrichs, co-founder and former CEO of Phantom Cyber, acquired by Splunk; and Alon Cohen, co-founder and former CTO of Siemplify, acquired by Google Cloud, among others.

Opus, the first holistic solution for managing and orchestrating cloud security response and remediation processes, was founded by experienced security professionals, Meny Har, CEO and Or Gabay, CTO, who were part of the founding team and leadership of SOAR pioneer Siemplify (acquired by Google). Customers expressed an acute need for a new security orchestration platform that can empower cloud security teams to reap the value of automation, gain control and lead remediation efforts across the entire organizational cloud environment using best practices and proven methodologies that can be implemented instantly, cutting down the time from detection to mitigation and conserving valuable resources.

“Organizations should not have to prioritize security over business continuity, and already strained SecOps teams are ill-equipped to handle the nuanced decisions demanded of them,” said Dan Plastina, former Head of Security Services at AWS. “Opus’ founders have built a platform that cloud-native security leadership demands — maximizing cloud security automation while retaining and enhancing business benefits.”

In recent years, revolutionary cloud security solutions created a higher level of visibility into potential threats. With more findings and more visibility, security operations had to expand from detection and response, and venture into risk reduction. This expansion and the shift-left mindset necessitated the involvement of a growing number of stakeholders across the organization, including security teams, DevOps/application teams and business owners.

Lacking comprehensive tools, built-in automation, or streamlined processes to remediate risk, security teams are left with manual, time-consuming processes and no clear understanding of who owns this risk, who can mitigate it, when automation is “safe” and how they should delegate tasks accordingly, leaving numerous gaps unresolved.

“When it comes to cloud response and remediation, we’re still stuck with ad-hoc techniques developed on the fly,” said Srinath Kuruvadi, Head of Cloud Security at Netflix. “There is a huge opportunity to bring context-aware standardization to cloud automation that appeals to SecOps and DevOps teams, with precise risk reduction metrics. Opus’ founders have the right skills and an extensive background in SOAR-like technologies to tackle this important space.”

Aware of the concerning challenges and skill gaps in cloud security, Opus is set to transform the way response and remediation are done in the cloud. Opus has built a singular, overarching platform that connects existing cloud and security tools and relevant stakeholders, and orchestrates the entire response and remediation process across all organizational environments based on tried-and-tested, easily deployed guidelines and playbooks. Leveraging automation to the highest degree, Opus knows when sensitive issues demand human involvement and allows automation to resolve the rest. With instant visibility and mapping of remediation metrics, Opus removes blind spots and provides security and business executives with immediate and tangible insights into the state of their risk.

“The massive transition to the cloud has created a need for a new and different type of security orchestration platform, one that minimizes organizational risk and excels at leveraging the countless automation opportunities in the cloud,” said Meny Har, co-founder and CEO of Opus. “The growing number of stakeholders that are now an inherent part of the security operations process should be connected and working together to reduce risk.”

“The proliferation of cloud-focused security solutions has dramatically raised organizational awareness to the scope of their risk surface,” said John Brennan, Senior Partner at YL Ventures. “While visibility in the cloud has greatly improved, customers now express the need for a dedicated solution to address the drastically increasing number of alerts. I cannot imagine a better convergence of an expert team solving a market-wide problem that they understand intimately. Meny and Or have leveraged their unique experience at Siemplify to build the industry’s first cloud-native remediation orchestration and automation platform.”

For more information on how to reimagine your remediation efforts in the cloud, go to opus.security.

**Additional Quotation**

“The shift-left trend has necessitated a revised approach to remediation,” said Gerhard Eschelbeck, former CISO at Google. “Organizations need to bridge skill and resource gaps and create an orchestrated, automated alignment process across all teams. Traditional manual tasks and friction between teams result in heightened risk and jeopardize business continuity.”

**About Opus Security**

Opus is a singular, overarching Cloud Security Orchestration and Remediation platform, transforming the way remediation is conducted in the cloud. Opus empowers cloud security teams to see beyond alerts and threats and gain control, knowledge, and capabilities to resolve them. Opus integrates with existing security tools and orchestrates the entire remediation process across all stakeholders and organizational environments, based on tried-and-tested, easily deployed guidelines and playbooks. Leveraging selective automation, Opus knows when sensitive issues demand human involvement and allows automation to resolve the rest, cutting down the time from detection to mitigation and conserving valuable resources. Finally, Opus provides security and business executives with immediate and tangible insights based on remediation metrics, with comprehensive visibility into the state of their risk. For more information on how to reimagine your remediation in the cloud, visit opus.security.

**About YL Ventures**

YL Ventures funds and supports brilliant Israeli cybersecurity entrepreneurs from seed to lead. Based in Silicon Valley and Tel Aviv, YL Ventures manages five funds with $800M in total assets under management. The firm accelerates the evolution of portfolio companies via a powerful network of Chief Information Security Officers, global industry leaders and a dedicated team of experts, providing tailored guidance and hands-on support on all critical company-building domains. The firm's track record includes investments in Israeli cybersecurity unicorns such as Axonius and Orca Security, as well as successful, high-profile portfolio company acquisitions by major corporations including Palo Alto Networks, Microsoft, CA and Proofpoint. For more information, visit ylventures.com.

Opus Security Emerges from Stealth with $10M in Funding for Cloud SecOps and Remediation Processes

*   _Significant Number of Businesses Experienced Permanent Data Loss_
*   _Businesses Unable to Maintain Business Continuity after Losing Data_
*   _Risk to Businesses as Disaster Recovery Plans Aren't Updated, Tested, and Well Documented_

Eden Prairie, MN – September 13, 2022 – Arcserve, the world's most experienced provider of backup, recovery and immutable storage solutions for unified data resilience against ransomware and disasters, today announced key findings from its annual independent global research study that showed the loss of critical data continues to disrupt businesses and remain an issue for organizations. In the research study of experiences and attitudes of IT decision makers (ITDMs), 76% of respondents reported a severe loss of critical data in their organization. Of that number, 45% had permanent data loss. Data is a priceless commodity, and these findings underscore the importance of building data resilience with a robust data backup and recovery plan with data integrity at the core to prevent severe business disruptions.

The research study also found that many organizations could not maintain business continuity on time once data was lost or compromised. It is vital for businesses to quickly recover data, especially in today's always-on world.

*   83% of respondents said that 12 hours or less is an acceptable level of downtime for critical systems before there is a measurable negative business impact. Still, only 52% could recover from a severe data loss in 12 hours or less.
*   29% of the businesses surveyed couldn't recover data for one day or more.

The research results also revealed that a new approach to disaster recovery is needed. Organizations should continuously update, test, and document their disaster recovery plan to build data resilience. The importance of protecting and recovering data should also be elevated to all company levels with specific goals.

*   95% of respondents in the survey said their company has a disaster recovery plan. However, only 24% have a mature plan that is well documented, tested, and updated.
*   83% said their organizations include data resilience in their strategies. Still, only 23% have a mature approach with associated goals to track progress.

Said Florian Malecki, executive vice president, marketing at Arcserve: "Our annual survey reinforces the business imperative for organizations to implement a data resilience strategy that incorporates mature data backup and disaster recovery plans. We live in a world of growing ransomware attacks and frequent natural disasters. Any downtime from data loss can be destructive for a business from impacting sales to losing customer loyalty." He continued: "Arcserve aims to help businesses avoid costly business disasters and reputational damage from data loss with our best-in-class unified data resilience solutions suite. Our backup and recovery solutions, and immutable storage offering, ensure a near-zero impact on businesses."

**About the research conducted by Dimensional Research:** 1,121 IT decision-makers completed the survey. All participants had a budget or technical decision-making responsibility for data management, data protection, and storage solutions at a company with 100 - 2,500 employees and at least 5 TB of data. The survey was fielded in Australia, New Zealand, Brazil, France, Germany, India, Japan, Korea, the United Kingdom, the United States, and Canada (North America).

**About Arcserve**  

Arcserve, a top 5 data protection vendor and unified data resilience platform provider, offers the broadest set of best-in-class solutions to manage, protect, and recover all data workloads, from SMB to enterprise, regardless of location or complexity. Arcserve solutions eliminate complexity while bringing best-in-class, cost-effective, agile, and massively scalable data protection and certainty across all data environments. This includes on-prem, off-prem (including DRaaS, BaaS, and Cloud-to-Cloud), hyper-converged, and edge infrastructures. The company's nearly three decades of award-winning IP, plus a continuous focus on innovation, means that partners and customers, including MSPs, VARs, LARs, and end-users, are assured of the fastest route to next-generation data workloads and infrastructures. A 100% channel-centric organization, Arcserve has a presence in over 150 countries, with 19,000 channel partners helping to protect 235,000 customers' critical data assets. Explore more at arcserve.com and follow @Arcserve on Twitter.

Arcserve Independent Global Study Finds Businesses Still Losing Mission-Critical Company Data

The ransomware gang has been seen exploiting a Mitel RCE flaw discovered in VoIP devices in April (and patched in July) to perform double-extortion attacks.

A ransomware gang has been seen using a unique initial-access tactic to exploit a vulnerability in voice-over-IP (VoIP) appliances to breach corporate phone systems, before pivoting to corporate networks to commit double-extortion attacks.  

Researchers from Artic Wolf Labs have spotted the Lorenz ransomware group exploiting a flaw in Mitel MiVoice VoIP appliances. The bug (tracked as CVE-2022-29499) was discovered in April and fully patched in July, and is a remote code execution (RCE) flaw affecting the Mitel Service Appliance component of MiVoice Connect.

Lorenz exploited the flaw to obtain a reverse shell, after which the group leveraged Chisel, a Golang-based fast TCP/UDP tunnel that’s transported over HTTP, as a tunneling tool to breach the corporate environment, Arctic Wolf researchers said this week. The tool is "mainly useful for passing through firewalls," according to the GitHub page.

The attacks show an evolution by threat actors to use "lesser known or monitored assets" to access networks and perform further nefarious activity to avoid detection, according to Arctic Wolf.

"In the current landscape, many organizations heavily monitor critical assets, such as domain controllers and web servers, but tend to leave VoIP devices and Internet of Things (IoT) devices without proper monitoring, which enables threat actors to gain a foothold into an environment without being detected," the researchers wrote.

The activity underscores the need for enterprises to monitor all externally facing devices for potential malicious activity, including VoIP and IoT devices, researchers said.

Mitel identified CVE-2022-29499 on April 19 and provided a script for releases 19.2 SP3 and earlier, and R14.x and earlier as a workaround before releasing MiVoice Connect version R19.3 in July to fully remediate the flaw.

**Attack Details**

Lorenz is a ransomware group that has been active since at least February 2021, and, like many of its cohorts, performs double extortion of its victims by exfiltrating data and threatening to expose it online if victims don't pay the desired ransom in a certain time frame.

Over the last quarter, the group has primarily targeted small and medium businesses (SMBs) located in the United States, with outliers in China and Mexico, according to Arctic Wolf.

In the attacks that researchers identified, the initial malicious activity originated from a Mitel appliance sitting on the network perimeter. Once establishing a reverse shell, Lorenz made use of the Mitel device’s command line interface to create a hidden directory and proceeded to download a compiled binary of Chisel directly from GitHub, via Wget.

Threat actors then renamed the Chisel binary to "mem," unzipped it, and executed it to establish a connection back to a Chisel server listening at hxxps\[://\]137.184.181\[.\]252\[:\]8443, researchers said. Lorenz skipped TLS certificate verification and turned the client into a SOCKS proxy.

It's worth noting that Lorenz waited nearly a month after breaching the corporate network to conduct additional ransomware activity, researchers said. Upon returning to the Mitel device, threat actors interacted with a Web shell named "pdf\_import\_export.php." Shortly thereafter, the Mitel device started a reverse shell and Chisel tunnel again so threat actors could jump onto the corporate network, according to Arctic Wolf.

Once on the network, Lorenz obtained credentials for two privileged administrator accounts, one with local admin privileges and one with domain admin privileges, and used them to move laterally through the environment via RDP and subsequently to a domain controller.

Before encrypting files using BitLocker and Lorenz ransomware on ESXi, Lorenz exfiltrated data for double-extortion purposes via FileZilla, researchers said.

**Attack Mitigation**

To mitigate attacks that can leverage the Mitel flaw to launch ransomware or other threat activity, researchers recommend that organizations apply the patch as soon as possible.

Researchers also made general recommendations to avoid risk from perimeter devices as a way to avoid the pathways to corporate networks. One way to do this is to perform external scans to assess an organization's footprint and harden its environment and security posture, they said. This will allow enterprises to discover assets about which administrators may not have known so that they can be protected, as well as help define an organization's attack surface across devices exposed to the Internet, researchers noted.

Once all assets are identified, organizations should ensure that critical ones are not directly exposed to the Internet, removing a device from the perimeter if it doesn't need to be there, researchers recommended.

Artic Wolf also recommended that organizations turn on Module Logging, Script Block Logging, and Transcription Logging, and send logs to a centralized logging solution as part of their PowerShell Logging configuration. They also should store captured logs externally so that they can perform detailed forensic analysis against evasive actions by threat actors in the case of an attack.

Lorenz Ransomware Goes After SMBs via Mitel VoIP Phone Systems

How identity-centric security can support business objectives.

With identity's emergence as the new perimeter, its role in supporting digital transformation, cloud adoption, and a distributed workforce is not being overlooked by today's enterprises. According to a recent report (registration required), 64% of IT stakeholders consider effectively managing and securing digital identities to be either the top priority (16%) of their security program or in the top three (48%). Despite this, businesses continue to struggle with identity-related breaches — 84% of the security and IT pros reported their organization suffered such a breach in the past year.

Getting buy-in for identity-centric security is vital, but making a case for investing in cybersecurity isn't about trafficking in FUD (fear, uncertainty, and doubt). Pushing identity further into strategic discussions requires the ability to demonstrate business value — to showcase how identity-based security aligns with and supports business objectives.

Almost all participants in the survey (98%) said the number of identities in their organization was increasing, with commonly cited causes including cloud adoption, more employees using technology, increasing third-party relationships, and growing numbers of machine identities. In this environment, many of today's enterprises have found themselves under immense pressure to ensure seamless and secure access to data and resources in an environment growing more distributed and complex.

This complexity, combined with motivated attackers and the increasing number of identities that must be managed, makes effective identity management a critical part of enabling business operations. Among the organizations that experienced an identity-related breach in the past year, the common threads were issues such as stolen credentials, phishing, and mismanaged privileges. The direct business impacts of a breach can be significant — with 42% citing a significant distraction from the core business, 44% noting recovery costs, and 35% reporting a negative impact on the organization's reputation. Loss of revenue (29%) and customer attrition (16%) were also reported.

**Translating IT Needs into Business Needs**

The case for focusing on identity is clear, but how do we begin translating IT needs into business needs? Step one is aligning the organization's priorities with where identity-centric security can fit in. Business goals tend to revolve around reducing costs, increasing productivity, and minimizing risk. Conversations about identity-based security, therefore, must demonstrate how that approach can advance some or all these points.

From the standpoint of productivity, for example, tight identity governance simplifies user provisioning and reviews of access rights. That means employees can be onboarded faster, and any departing employees will have their access revoked automatically. Eliminating manual efforts reduces the chance of error, including users with excessive privileges creating an unnecessary risk of exposure. The more streamlined and automated the processes around identity management are, the more efficient the business is — and the more secure.

As noted earlier, some of the driving forces for the growth in identities include cloud adoption and a spike in machine identities. The growth of machine identities is linked in part to Internet of Things (IoT) devices and bots. IoT and cloud are often parts of digital transformation strategies that can easily get hung up by concerns about access and the consistent enforcement of security policies. This reality presents an opportunity to frame discussions about security around how the business can adopt these technologies safely and without sacrificing compliance and security requirements.

**Frame Security Discussions in Breach Context**

Multifactor authentication (MFA), for example, was cited by many IT and security professionals as a measure that could have prevented or minimized the impact of the breaches they experienced. MFA is vital to enforcing access control, particularly for businesses with remote workers or those using cloud applications and infrastructure. Like them or not, passwords are ubiquitous. But they are also an attractive (and relatively easy) target for threat actors looking to access resources and gain a deeper foothold in your environment. Along with other identity-centric best practices that improve security posture, MFA provides another layer of defense that can bolster an organization's security.

In addition to MFA, IT and security pros commonly noted that more timely reviews of privileged access and continuous discovery of all user access rights would have prevented or lessened the effect of a breach. While many of these remain works in progress, overall, it appears organizations are starting to get the message.

When asked if during the past year their organization's identity program was included as an area of investment as part of any of these strategic initiatives — zero trust, cloud adoption, digital transformation, cyber-insurance investments, and vendor management — almost everyone chose at least one. Fifty-one percent said identity had been invested in as part of zero-trust efforts. Sixty-two percent said it was included as part of cloud initiatives, and 42% said it was part of digital transformation.

Getting started with identity-based security need not be overwhelming. However, it does require an understanding of your environment and business priorities. By focusing on how an identity-centric approach to security can support business objectives, IT professionals can get the leadership buy-in they need to implement the technology and processes that will raise the barrier of entry for threat actors.

Business Security Starts With Identity

*   **_Sixty-five percent of organizations consolidate to improve risk posture._**
*   **_Only 29% of organizations consolidate to reduce spending on licensing._**
*   **_SASE and XDR are opportunities for consolidation: 41.5% of organizations plan to have adopted SASE by the end of 2022._**

A recent survey by Gartner, Inc. found that 75% of organizations are pursuing security vendor consolidation in 2022, up from 29% in 2020.

“Security and risk management leaders are increasingly dissatisfied with the operational inefficiencies and the lack of integration of a heterogenous security stack,” said John Watts, VP Analyst at Gartner. “As a result, they are consolidating the number of security vendors they use.”

The survey found that 57% of organizations are working with fewer than 10 vendors for their security needs, as they are looking to optimize to fewer vendors in key areas like secure access service edge (SASE) and extended detection and response (XDR).

The survey was conducted online during March and April 2022 among 418 respondents from North America, Asia Pacific and EMEA. Its objective was to determine organizations’ security vendor consolidation efforts and priorities, and the drivers and benefits of consolidation endeavours.

Gartner analysts are discussing how organizations can shape their security vendor strategy and projects during the Gartner Security & Risk Management Summit, taking place in London through Wednesday.

**Improving Risk Posture Is the No. 1 Benefit of Consolidation**

The survey found that organizations want to consolidate their security vendors to reduce complexity and improve risk posture, not to save on budget or to improve procurement. Sixty-five percent of surveyed organizations expect to improve their overall risk posture, and only 29% of respondents expect reduced spending on licensing.

“Cost optimization should not be the primary driver for vendor consolidation,” said Watts. “Organizations that look to optimize costs must reduce products, licenses and features, or ultimately renegotiate contracts.”

Organizations that have not pursued security vendor consolidation yet indicated that the two primary impediments to consolidation were time constraints and having a vendor partnership that is too rigid (34% of respondents for each answer).

**SASE and XDR Are Opportunities for Consolidation**

Lengthy procurement processes or requests for proposals are allowing for consolidated offerings, such as XDR for endpoints and SASE for edge connectivity and security with integration on the backend.

The survey found that 41.5% of respondents plan to have adopted SASE within their organizations by the end of 2022, while 54.5% of organizations have plans to adopt XDR by the end of 2022.

“Security and risk management leaders must consider XDR and SASE as compelling options to start their consolidation journey,” said Dionisio Zumerle, VP Analyst at Gartner. “SASE provides secure enterprise access, while XDR focuses on detecting and responding to threats through increased visibility on networks, cloud, endpoints and other components.”

In fact, the survey found that 57% of organizations resolved security threats faster after implementing an XDR strategy. More than half of surveyed organizations use SASE projects to simplify network and security policy management and improve security posture.

“While 89% of surveyed organizations want SASE and XDR to work together, security and risk management leaders will often opt to keep them distinct from one another but ensure they can interoperate,” said Zumerle. “This is an approach validated by 46% of surveyed organizations, which allows for flexibility to select best-of-breed functionality.”

“Security and IT leaders should plan at least two years for consolidation as it takes time to effectively consolidate and consider incumbent vendor switching costs,” said Watts. “It is also important to anticipate vendor M&A disruption as the security market is always consolidating but never consolidated.”

Gartner clients can learn more in “Infographic: Top Trends in Cybersecurity 2022 — Vendor Consolidation.”

Learn how to be an effective chief security officer in the complimentary Gartner ebook Four Factors of Effective CISO Leadership.

**Gartner Security & Risk Management Summit**

Gartner analysts are presenting their latest research and advice for security and risk executives at the Gartner Security & Risk Management Summit 2022, taking place from 12-14 September in London. Follow news and updates from the conferences on Twitter using #GartnerSEC.

**About Gartner for Information Technology Executives**

Gartner for Information Technology Executives provides actionable, objective insight to CIOs and IT leaders to help them drive their organizations through digital transformation and lead business growth. Additional information is available at www.gartner.com/en/information-technology.

Follow news and updates from Gartner for IT Executives on Twitter and LinkedIn. Visit the IT Newsroom for more information and insights.

Gartner Survey Shows 75% of Organizations Are Pursuing Security Vendor Consolidation in 2022

An analysis of cloud services finds that known vulnerabilities typically open the door for attackers, while insecure cloud architectures allow them to gain access to the crown jewels.

Companies and their cloud providers often leave vulnerabilities open in their system and services, gifting attackers with an easy path to gain access to critical data.

According to an Orca Security analysis of data collected from major cloud services and released on Sept. 13, attackers only need, on average, three steps to gain access to sensitive data, the so-called "crown jewels," starting most often — in 78% of cases — with the exploitation of a known vulnerability.  

While much of the security discussion has focused on the misconfigurations of cloud resources by companies, cloud providers have often been slow to plug vulnerabilities, says Avi Shua, CEO and co-founder of Orca Security.

"The key is to fix the root causes, which is the initial vector, and to increase the number of steps that they attacker needs to take," he says. "Proper security controls can make sure that even if there is an initial attack vector, you are still not able to reach the crown jewels."

The report analyzed data from Orca's security research team using data from a "billions of cloud assets on AWS, Azure, and Google Cloud," which the company's customers regularly scan. The data included cloud workload and configuration data, environment data, and information on assets collected in the first half of 2022.

**Unpatched Vulnerabilities Cause Most Cloud Risk**

The analysis identified a few main problems with cloud-native architectures. On average, 11% of cloud providers' and their customers' cloud assets were considered "neglected," defined as not having been patched in the last 180 days. Containers and virtual machines, which make up the most common components of such infrastructure, accounted for more than 89% of neglected cloud assets.  

"There is room for improvement on both sides of the shared responsibility model," Shua says. "Critics have always focused on the customer side of the house \[for patching\], but in the past few years, there have been quite a few issues on the cloud-provider end that have not been fixed in a timely manner."  

In fact, fixing vulnerabilities may be the most critical problem, because the average container, image, and virtual machine had at least 50 known vulnerabilities. About three-quarters — 78% — of attacks start with the exploitation of a known vulnerability, Orca stated in the report. Moreover, a tenth of all companies have a cloud asset using software with a vulnerability at least 10 years old.

Yet the security debt caused by vulnerabilities is not evenly distributed across all assets, the report found. More than two-thirds — 68% — of Log4j vulnerabilities were found in virtual machines. However, only 5% of workload assets still have at least one of the Log4j vulnerabilities, and only 10.5% of those could be targeted from the Internet.

**Customer-Side Issues**

Another major problem is that a third of companies have a root account with a cloud provider that is not protected by multifactor authentication (MFA). Fifty-eight percent of companies have disabled MFA for at least one privileged user account, according to Orca's data. Failing to provide the additional security of MFA leaves systems and services open to brute-force attacks and password spraying.

In addition to the 33% of firms lacking MFA protections for root accounts, 12% of companies have an Internet-accessible workload with at least one weak or leaked password, Orca stated in its report.

Companies should look to enforce MFA across their organization (especially for privileged accounts), assess and fix vulnerabilities faster, and find ways to slow down attackers, Shua says.

"The key is to fix the root causes, which is the initial vector, and to increase the number of steps that the attacker needs to take, " he says. "Proper security controls can make sure that even if the attacker has success with the initial attack vector, they are still not able to reach the crown jewels."

Overall, both cloud providers and their business clients have security issues that need to be identified and patched, and both need to find ways to more efficiently close those issues, he adds; visibility and consistent security controls across all aspects of cloud infrastructure is key.

"It is not that their walls are not high enough," Shua says. "It is that they are not covering the entire castle."

Attackers Can Compromise Most Cloud Data in Just 3 Steps

Opswat says its new tool uses neural networks to protect critical environments through AI-assisted asset discovery, network visibility, and risk management.

The goal of neural networking in cybersecurity is to be able to detect unusual behavior and patterns, especially within OT assets and networks. Detecting unusual behaviors often leads to the discovery that you have been compromised or something has been misconfigured.

"Having visibility into your industrial assets and networks is the first step to understanding your overall OT cybersecurity posture," says Pete Lund, vice president of products for OT security at infrastructure cybersecurity specialist Opswat.

To take advantage of such abilities, Opswat unveiled a AI-powered network visibility solution, Neuralyzer. The software tool leverages machine learning (ML) to learn the communication patterns between assets and networks to determine what "normal" activity is. This enables OT workers to remain focused on the primary tasks at hand and only alerted when abnormal activity occurs.

"Neural networks have the ability to learn in a similar way as the human brain, and so they can spot red flags on your behalf like a second set of eyes," Lund explains. "The ML in Neuralyzer can identify the type of device or asset on the network, providing asset visibility."

**Machine Learning Looks for Assets and Anomalies**

One application of ML in Neuralyzer is the ability to identify the type of device/asset on the network, aptly called the asset visibility feature.

For asset visibility, most tools use the device fingerprint (DFP) to discover and/or profile the device. Typical OT devices, unlike IT devices, do not have a browser installed, so a browser fingerprint (an effective approach for DFP in IT) usually will not work for the OT environment.

"Through extensive research and experiments, our team has worked out a selected feature set and ML algorithm that works best — in terms of accuracy, performance, and required inputs — for classifying the device type," explains Lund.

Another application for ML is to detect anomalies on the network connectivity and activity of a particular device or of the whole network, he says.

Neuralyzer can model the device or devices and their network connections as a graph, then use the 1D convolutional neural network for anomalies detection.

"Network traffic dissection and anomaly detection are good use cases for ML and neural networks," Lund says. "Network traffic dissection would be a feasible approach for DFP in the OT."

Anomaly detection is an important aspect in OT environment visibility, he points out.

"An anomaly might not only relate to integrity — for example, a network breach — but it might also relate to the availability or normal operation of the assets, which is crucial to the OT environment," Lund says.

**Neural Networks Offer Multiple Cybersecurity Advantages**

Bud Broomhead, CEO at automated IoT cyber hygiene provider Viakoo, says neural networks, like any other technology, can be used both for improving and for defeating cybersecurity.

"Many examples exist on how neural networks can be trained to produce bad outcomes or be fed data to disrupt systems," he explains. "Yet the massive improvement in efficiency — for example, detecting cyber threats in seconds or finding threat actors within a crowd almost immediately — will be needed for many years ahead to overcome the resource gaps present in cybersecurity."

Neural networks can analyze complex systems and make intelligent decisions on how to present and classify them. In other words, they take a lot of raw data and turn it into meaningful insights.

"Simply having an asset inventory does not show you the combination of them in a tightly coupled workflow — yet that is what businesses need to prioritize the vulnerability and risk of these systems," Broomhead says.

John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, adds that neural networks allow for statistical analysis well beyond the capacity of a human.

"Given enough data points and thorough and effective training, they can classify normal and abnormal quickly, allowing an analyst to follow up on events that would not be detected otherwise," he says.

But Bambenek says he doesn't see neural networks as reliable for asset discovery or vulnerability management.

"If an asset isn't visible in DHCP logs, there isn't a good deal of data to otherwise find it," he points out. "Risk management, on the other hand, can find abnormal and then categorize the risky behavior using other available context to give the business risk answers."

Even detecting subtle changes to OT system behavior can enable a neural network to see when maintenance is needed, when cyber threats occur, and how environmental changes cause the system to react, Broomhead says.

"Especially in times like now when there are limited human resources to keep OT systems operating safely and securely, neural networks are a force multiplier that many organizations have some to rely on," he says.

Source

DARKReading