**BOULDER, Colo. – July 6, 2022 –** Swimlane, the low-code security automation company, today announced a $70 million growth funding round led by Activate Capital. Existing investors Energy Impact Partners (EIP) and 3Lines Venture Capital also participated in the round. The new investment will accelerate the company’s ongoing growth and operations on a global scale while continuing to advance its platform innovations in security automation ahead of the competition.

Automation has become a must-have technology for security operations, evident from recent Presidential Executive Orders, an unsolvable talent shortage and an ever-increasing amount of threat telemetry. Swimlane recently launched Turbine as the solution — a breakthrough in low-code automation that captures hard-to-reach telemetry and expands actionability beyond closed extended detection and response (XDR) ecosystems.

As part of the funding, the company also announced that Raj Atluru, Managing Partner at Activate Capital, will join the Swimlane Board of Directors.

“We invested in Swimlane because we believe in the company’s ability to unlock the most valuable product developments customers demand for security automation inside and outside the SOC,” said Atluru. “Swimlane has transcended traditional SOAR and risen to meet the growing need for low-code security automation to help organizations quantify business value, overcome process and data fatigue, and combat chronic staffing shortages.”

Sameer Reddy, Managing Partner at Energy Impact Partners said, “Security operations today is at a critical inflection point. Organizations don’t have enough people, money, or resources to address all of their security workflows across the entire organization, while also responding to threats the moment they happen. Automation will have to play a critical role in addressing these challenges and Swimlane is incredibly well-positioned as the leading independent security automation platform.”

According to Niloofar Razi Howe, Swimlane Board Member and long-time cybersecurity veteran, “The accelerating pace of threat telemetry coupled with a rapidly expanding attack surface is outstripping the ability for humans to act. Swimlane is filling in one of the biggest gaps in cybersecurity today by putting humans back in control with a low-code approach to security automation.”

“We are very proud of the global traction and results we have achieved,” said James Brear, CEO of Swimlane. “Besides our hyper revenue growth, we have achieved over 120% of net retention and product expansion. Our cloud product has seen a 5X increase in adoption over 2021 and our growth over the last four years is over 700%. This is a testament to our customer-first mindset and meeting all the use case requirements our customers demand.”

The new investment will also accelerate the growth of Swimlane’s global partner network and create new market opportunities through partners in all major geographies. This will include technical partner support and enablement to help partners unlock the power of automation beyond just threat response.

“Organizations across industries are facing a more sophisticated and targeted threat landscape than ever before,” said John Vanderzon, CTO of Sun Management, which also joined the growth round of investment. “We invested in Swimlane for its intelligent approach to solving a long-term problem. We see Swimlane as a paradigm shift similar to what we saw with Palo Alto Networks when we ran four of their betas in 2007. We look for technology that solves problems intelligently, and Swimlane's low-code security automation goes above and beyond to give companies the power to stop threats at the point of inception in a rapidly expanding attack surface — without the need to hire more people.”

**About Swimlane**

Swimlane is the leader in cloud-scale, low-code security automation. Swimlane unifies security operations in-and-beyond the SOC into a single system of record that helps overcome process and data fatigue, chronic staffing shortages, and quantifying business value. The Swimlane Turbine platform combines human and machine data into actionable intelligence for security leaders. For more information, visit swimlane.com or join the conversation on LinkedIn, Twitter and YouTube.

Swimlane Secures $70M Growth Round to Fuel Global Expansion of Next Generation Low-Code Security Automation Platform

DUBLIN, July 8, 2022 /PRNewswire/ -- The "Global Enterprise Endpoint Security Market - Forecasts from 2022 to 2027" report has been added to **ResearchAndMarkets.com's** offering.

Endpoint security is the technique of preventing harmful actors and campaigns from exploiting endpoints or entry points of end-user devices such as PCs, laptops, and mobile devices. Endpoint security solutions on a system or cloud protect against cybersecurity threats. Endpoint security has progressed beyond antivirus software to supply comprehensive security against sophisticated malware and new zero-day dangers.

Nation-states, hacktivists, organized crime, and purposeful and unintentional insider threats all pose a hazard to businesses of all sizes. Endpoint security is frequently referred to as cybersecurity's frontline, and it is one of the first places where businesses attempt to defend their networks. Due to several benefits, such as cost savings with cloud storage, compute scalability, and low maintenance requirements, enterprise use of SaaS-based or cloud-delivered endpoint security solutions continues to grow.

**The growing number of enterprise endpoints and mobile devices with access to sensitive data has created a tremendous need for endpoint security solutions, which is expected to drive the market.**

In today's environment, mobile gadgets such as smartphones and tablets have become necessary for both individuals and businesses. The number of employees using their phones for work is fast expanding, and mobile devices and applications have presented a slew of new attack vectors and data security challenges.

These cyber dangers range from Trojans and viruses to botnets and toolkits, and they can have a significant impact on the broader network, putting sensitive and private data at risk. For example, according to the Mobile Security Report 2021 by Check Point, 97 percent of businesses globally were hit by mobile attacks that used several attack vectors. At least one employee in 46 percent of those businesses downloaded a malicious app to their phone.

According to the same report, nearly every firm had at least one smartphone malware assault in 2020. The mobile network was responsible for 93 percent of the attacks. As previously stated, around 40% of all mobile devices are at risk of being targeted by cyber-attacks. As a result, businesses are increasingly implementing endpoint security solutions to secure their networks and give secure access to confidential data to their employees.

As a result, factors such as increased mobile and wireless device usage, advancements in connectivity infrastructure around the world, and dropping mobile device prices are all expected to have a significant impact on the endpoint security industry. For instance, according to Ericsson, there are already over six billion smartphone subscribers worldwide, with several hundred million more expected in the next years.

By 2026, the number of smartphone users is predicted to increase to 7516 million. Employees at firms are increasingly using their personal mobile devices to access corporate data owing to the growing BYOD trend. However, it poses security concerns, necessitating powerful endpoint security solutions to protect sensitive company data, resulting in significant demand.

However, the lack of awareness about endpoint security among the general public, as well as the fact that many enterprises are struggling to deal with security threats and data breaches as a result of a lack of understanding about endpoint security, is expected to limit the market expansion.

**By region, the Asia Pacific and North America are expected to hold a notable share in the global enterprise endpoint security market during the forecast period.**

North America and Asia-Pacific are predicted to have a significant share of the global enterprise endpoint security market. Applying technology to restrict threats on organizational endpoints and the rising penetration of mobile devices that are initially prone to endpoint attacks are two reasons supporting the market expansion in these regions.

For instance, in July 2021, SentinelOne and ConnectWise established a partnership to strengthen their security relationship. MSPs will be able to obtain SentinelOne Control and SentinelOne Complete as standalone products from ConnectWise rather than having to purchase them as part of the SOC-targeted Fortify Endpoint offering.

Similarly, in September 2020, Palo Alto Networks and OPSWAT expanded their partnership to add support for new endpoint platforms and IoT devices in GlobalProtect and Prisma Access for branch offices, retail locations, and mobile users. The integration detects and evaluates the state of the endpoint as well as any third-party security programs installed on it. The Host Information Profile (HIP) gathers data about the network's endpoints' security state, used to implement gateway policies.

**COVID-19 Insights**

The COVID-19 outbreak compelled enterprises all around the world to mobilize swiftly in order to secure large numbers of remote workers and expand their tooling beyond traditional security measures. With the growing number of cybercrimes in 2020, the market for global enterprise endpoint security has been positively impacted by the pandemic.

For instance, the US Department of Health and Human Services (HHS) systems were subjected to a large DDoS attack in March 2020. In the same month, a cyberattack hit databases at the University Hospital in Brno, one of the Czech Republic's main centers for COVID-19 blood testing. As a result, doctors could not complete coronavirus testing and had to postpone several surgical procedures.

**Key Topics Covered:**

**1\. INTRODUCTION**

**2\. RESEARCH METHODOLOGY**

**3\. EXECUTIVE SUMMARY**

**4\. MARKET DYNAMICS**  
4.1. Market Drivers  
4.2. Market Restraints  
4.3. Porter's Five Forces Analysis  
4.3.1. Bargaining Power of Suppliers  
4.3.2. Bargaining Powers of Buyers  
4.3.3. Threat of Substitutes  
4.3.4. Threat of New Entrants  
4.3.5. Competitive Rivalry in Industry  
4.4. Industry Value Chain Analysis

**5\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY SOLUTION**  
5.1. Anti-Virus  
5.2. Firewall  
5.3. Endpoint Device Control  
5.4. Anti-Spyware/Anti-Malware  
5.5. Others

**6\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY COMPONENT**  
6.1. Application Control  
6.2. Endpoint Encryption

**7\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY DEPLOYMENT**  
7.1. Cloud  
7.2. On-Premise

**8\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY ORGANIZATION SIZE**  
8.1. Small  
8.2. Medium  
8.3. Large

**9\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY INDUSTRY VERTICAL**  
9.1. BFSI  
9.2. Government  
9.3. Aerospace and Defense  
9.4. Healthcare  
9.5. Communication and Technology  
9.6. Others

**10\. GLOBAL ENTERPRISE ENDPOINT SECURITY MARKET, BY GEOGRAPHY**  
10.1. Introduction  
10.2. North America  
10.2.1. United States  
10.2.2. Canada  
10.2.3. Mexico  
10.3. South America  
10.3.1. Brazil  
10.3.2. Argentina  
10.3.3. Others  
10.4. Europe  
10.4.1. Germany  
10.4.2. France  
10.4.3. United Kingdom  
10.4.4. Spain  
10.4.5. Others  
10.5. Middle East and Africa  
10.5.1. Saudi Arabia  
10.5.2. Israel  
10.5.3. Others  
10.6. Asia Pacific  
10.6.1. China  
10.6.2. Japan  
10.6.3. South Korea  
10.6.4. India  
10.6.5. Thailand  
10.6.6. South Korea  
10.6.7. Taiwan  
10.6.8. Indonesia  
10.6.9. Others

**11\. COMPETITIVE ENVIRONMENT AND ANALYSIS**  
11.1. Major Players and Strategy Analysis  
11.2. Emerging Players and Market Lucrativeness  
11.3. Mergers, Acquisition, Agreements, and Collaborations  
11.4. Vendor Competitiveness Matrix

**12\. COMPANY PROFILES**  
12.1. Intel Corporation  
12.2. Broadcom Inc. (Symantec Corporation)  
12.3. Trend Micro Incorporated  
12.4. RSA Security LLC  
12.5. Kaspersky Lab  
12.6. Bitdefender  
12.7. WatchGuard Technologies  
12.8. ESET  
12.9. Sophos Ltd  
12.10. McAfee LLC

For more information about this report visit https://www.researchandmarkets.com/r/fyl26c

Worldwide Enterprise Endpoint Security Industry to 2027: Focus on Antivirus, Firewall, Endpoint Device Control, and Anti-Spyware/Anti-Malware

Funding from Allianz X, Valor Equity Partners, Kinetic Partners, and existing investors will accelerate Coalition’s vision to provide security for all.

SAN FRANCISCO, July 08, 2022 (GLOBE NEWSWIRE) -- Coalition, the world’s first Active Insurance company designed to prevent digital risk before it strikes, today announced it has raised an additional $250 million to accelerate its rapid growth, power international expansion, and broaden the services Coalition offers to help organizations manage digital risk. This funding round closed in June with participation from Allianz X, Valor Equity Partners, Kinetic Partners and other existing investors, increasing Coalition’s valuation from $3.5 billion to $5 billion.  

Coalition’s Active Insurance combines industry-leading cybersecurity tools, access to around-the-clock digital forensics and incident response, and broad insurance coverage to help organizations identify, mitigate, and insure digital risk. Coalition’s technology advantage has allowed the company to build a sustainable, high-performing book of business in a highly-dynamic cyber market, while also helping Coalition customers spot and manage digital risk before it strikes. Coalition now serves over 160,000 customers with Active Cyber Insurance, Active Executive Risks Insurance, P&C insurance, and cybersecurity capabilities.

The new funding comes as Coalition continues its wave of growth at massive scale, exceeding $775 million in run rate GWP (gross written premium) and a nearly 200% increase in revenue growth over the prior year. Coalition partners with brokers in all 50 states to provide active cyber and active executive risks insurance and offers active cyber insurance across Canada. Later this year, Coalition will launch its UK active cyber program in partnership with Allianz, as announced last week.

“Many organizations remain unprotected in the face of rising digital threats, and neither traditional insurance nor cybersecurity alone is well equipped to help them,” said Joshua Motta, CEO and co-founder of Coalition. “Our active approach to underwriting, monitoring, and responding to digital risk has allowed Coalition to achieve market leading underwriting results while demonstrably reducing claims and losses for our customers so they can continue to thrive in the digital economy.”

“Coalition’s active, tech-based approach to cybersecurity and cyber insurance has proven to be profoundly effective, which is also reflected in its outstanding business results,” said Dr. Nazim Cetin, CEO of Allianz X. “The trends driving the importance of cyber defense are irreversible. We see an active approach as the most effective solution for addressing cyberthreats to businesses both now and in the future.”

“Coalition demonstrates clear market and technology leadership with growing network effects,” said Chris Golden, Founder and Chief Investment Officer at Kinetic Partners. “With the company’s high-quality culture and outstanding execution, we believe Coalition’s competitive advantages and value-creation will continue to compound in the coming years.”

Coalition has raised over $755 million in equity funding to date from leading global technology investors, including Durable Capital, T. Rowe Price Associates Inc, Whale Rock Capital, Index Ventures, General Atlantic, Ribbit Capital, Vy Capital and Valor Equity Partners, among others. Founded in 2017 by Joshua Motta and John Hering, Coalition is one of the largest cyber insurance and security providers in the United States and Canada.

To learn more about Coalition, visit coalitioninc.com. To learn more about Coalition cyber insurance in the UK, visit coalitioninc.co.uk

**About Coalition**  
Coalition is the leading provider of cyber insurance and security, combining comprehensive insurance and proactive cybersecurity tools to help businesses manage and mitigate cyber risk. Backed by leading global insurers Allianz, Swiss Re Corporate Solutions, Arch Insurance North America, Lloyd’s of London, and Ascot Group, Coalition offers its insurance products in the US and Canada and its security products to organizations globally. Coalition’s Active Risk Platform provides automated security alerts, threat intelligence, expert guidance, and cybersecurity tools to help businesses remain resilient in the face of cyber attacks. Headquartered in San Francisco, Coalition is a distributed company with a global workforce that collaborates both digitally and in office hubs across the globe.

**About Allianz X**  
Allianz X invests in digital frontrunners in ecosystems relevant to insurance and asset management. In just a few years, it has grown to a portfolio of more than 25 companies and AuM of over 2 billion euros. Allianz X has counted 11 unicorns among its portfolio so far. The heart and brains behind it all is a talented team of around 40 people. As one of the pillars of the Allianz Group’s digital transformation strategy, Allianz X provides an interface between Allianz Operating Entities and the broader digital ecosystem, enabling collaborative partnerships in insurtech, fintech, and beyond. As an investor, Allianz X supports mature digital growth companies to take the next bold leap and reach their full potential.

**About Kinetic Partners**  
Kinetic Partners Management, LP (“Kinetic”) is an investment firm focused on global public and private equities. Kinetic seeks to provide thought partnership, support, and capital to exceptional teams driving innovation. Kinetic was founded by Chris Golden and maintains offices in Miami, Florida and New York, New York.

Coalition Closes $250 Million in Series F Funding, Valuing the Cyber Insurance Provider at $5 Billion

The Colonial Pipeline and JBS attacks, among others, showed us our national resilience is only as strong as public-private sector collaboration.

As our nation's most critical infrastructure faces relentless threats in cyberspace, cybersecurity remains top-of-mind for the federal government. The Colonial Pipeline and JBS attacks, among others, showed us that our national resilience is only as strong as public-private sector collaboration. And as ransomware attacks remain the norm, new collaborative strategies and programs are underway to build and foster cyber resilience.

**Notable Steps in the Right Direction  
**

The State Department's Bureau of Cyberspace and Digital Policy (CDP) serves as a catalyst for building cyber stability, future incident reporting, and cyber-governance regulation. Its mission is to encourage responsible nation-state behavior in cyberspace, advance policies that protect the integrity and security of the Internet, serve US interests, promote competitiveness, and uphold democratic values.

We've also seen progress with the Cybersecurity and Infrastructure Security Agency's (CISA) new Shields Up program, which outlines guidance for public and private organizations to reduce the likelihood of a successful cyber intrusion. CISA's Jen Easterly emphasizes the program is all about "preparation, not panic."

The National Institute of Standards and Technology (NIST) also recently published guidance for securing enterprises against supply chain attacks targeting critical infrastructure. The new guidance stresses the importance of risk monitoring in cyber defense.

**Collaboration Across Sectors  
**

In addition to the above federal mandates and programs, public-private partnerships play a vital role in strengthening cyber intelligence, defense, and protection capabilities. As the world around us grows increasingly interconnected, cyber concerns that threaten to shut down or disrupt private entities also threaten the well-being of the federal government and government operations — and vice versa.

Because of attacks like Colonial Pipeline, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into law — which laid out new "mandatory reporting requirements for critical infrastructure entities in the event of certain cyber incidents and ransomware payments."

The commitment to public-private partnerships continues to show up at all levels of government and private sector operations. Another proof point: CISA established the Joint Cyber Defense Collaborative (JCDC) in August 2021 to unify defensive actions and mitigate risk in advance of cyber incidents. The goal of this program is to strengthen the nation's cyber defenses through innovative collaboration, advanced preparation, and information sharing and fusion.

Programs and mandates like these are critical steps in bolstering national cyber resiliency. But to achieve herd resilience, we need to work together to shore up our shared cyber defenses, and for many, that starts with adhering to basic cybersecurity protocol.

**Building Cyber Resilience  
**

A pivotal factor in building cyber resilience and proactively preparing for the next attack starts with ensuring your organization maintains good cyber hygiene. In a nutshell, cyber hygiene is the practice of fundamental security behaviors, amplified through the adoption of supporting processes and technical controls. It's nothing revolutionary — back up your data, patch when you're told to patch, segment your networks, micro-segment your applications and workloads, etc.

One proactive security framework that has gained popularity and more widespread adoption over the last several years is zero trust. The Biden Administration's Cyber EO, which recently hit its one-year anniversary, emphasized the immediate need for federal agencies to implement zero trust to bolster national cyber resilience.

A key component of achieving zero trust security is zero-trust segmentation (i.e., microsegmentation). It's designed to stop lateral movement and reduce the attack surface by breaking down the internal infrastructure (think the data center, cloud environment, network, etc.) into smaller segments. In simple terms, think of microsegmentation like a hotel. Just because you're able to get into the hotel (bypassing firewall defenses) doesn't mean you're able to automatically access your room. Because every room has a key, you can only access yours once you're checked in and your access is granted.

Microsegmentation is the critical component of the workload and application pillar of zero trust reference architecture and your zero-trust security strategy; it's designed to stop the spread of cyberattacks and, malware, by isolating workloads and devices across the entire hybrid attack surface. Successfully implementing zero trust takes effort but ensuring your security team has an action plan in place and is taking small steps forward will ultimately better position you and your software supply chain to combat and withstand evolving threats.

**Our Best Defense Against Cyber Threats  
**

When taking steps to improve cyber defenses, agencies and critical infrastructure organizations often first look to legacy solutions: upgrading their networks, focusing on user access, bolstering perimeter defenses, or making sure all devices that connect to the network are approved devices.

While those steps are important, they're only one piece of the puzzle, and they will not stop the lateral movement of cyberattacks. Just think back to SolarWinds, which went undetected in federal systems for more than 14 months. A proactive cyber strategy, coupled with increased public-private partnerships and adherence to strong cyber hygiene practices, are critical components of bolstering our national cybersecurity posture.

Zero Trust Bolsters Our National Defense Against Rising Cyber Threats

Latest campaigns are a break from its usual financially motivated attacks and appear aligned with Russian interests, security researchers say.

In a break from precedent, Russia's hitherto purely financially motivated Trickbot threat group has systematically been attacking targets in Ukraine over the past three months, apparently in support of Russian government interests in the region.

Researchers from IBM's X-Force threat intelligence group this week said they had uncovered two campaigns — and analyzed four others that Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed — where Trickbot went after targets in Ukraine. The campaigns began after Russia’s invasion of Ukraine in February and have targeted Ukrainian state authorities, government organizations, specific individuals, and the general population. Several of the attacks have involved phishing emails with various themes designed to grab the attention of Ukrainian users — included some that are war-related.

The attacks highlight an unprecedented shift for Trickbot, and it's notable because threat groups in former Soviet Union states have typically avoided attacking targets in each other’s countries, IBM said.

Prior to the Russian invasion, ITG23, which is the name by which IBM tracks Trickbot, had not been known to target Ukraine. "Much of the group's malware was even configured to not execute on systems if the Ukrainian language was detected," IBM said in a report summarizing its findings this week. "ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection."

**Multiple Malware Tools**

IBM said it has observed Trickbot distributing several known malware tools such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter in its attacks on Ukrainian targets. Some of the attacks involved the use of new tools such as a malicious Excel downloader, a self-extracting archive for dropping various malware payloads and a new malware encryption and obfuscation tool.

One of the two Trickbot campaigns that IBM uncovered was in early May. In those attacks, IBM observed the threat actor using a weaponized Excel file to download its AnchorMail backdoor on compromised systems. AnchorMail is a revamped version of Trickbot’s AnchorDNS, a backdoor that members of the closely affiliated Conti group have been using to deploy Conti ransomware. IBM X-Force researchers have previously described the malware as notable for communicating with its command-and-control (C2) server using the DNS protocol.

The second recent Trickbot campaign that IBM X-Force researchers spotted occurred likely in late May or early June. In that campaign, Trickbot actors used an ISO image file — or archive file containing the contents of an optical disk — as part of an attack chain to drop the Cobalt Strike post-exploit attack kit on target system. In June, Trickbot users were observed exploiting the so-called “Follina” zero-day bug in the Windows Microsoft Support Diagnostic Tool (MSDT) to deploy Cobalt Strike.

The campaigns that CERT-UA disclosed, and which IBM X-Force researchers analyzed, involved Trickbot attempts to deploy IcedID, a banking Trojan turned malware distributor; Metasploit attack payload, Meterpreter; and Cobalt Strike. In five of the six observed campaigns, Trickbot actors directly downloaded Cobalt Strike, AnchorMail, or Meterpreter on target systems — another break from their usual habit of deploying these tools as secondary payloads. IBM said the switch suggests "these attacks are part of targeted campaigns during which ITG23 is willing to immediately deploy higher-value backdoors."

IBM described the new malicious Excel downloader that Trickbot is using in the Ukrainian attacks as designed to download malware from a hard-coded URL. The downloader is stored as a macro within the Excel file and runs automatically if the file is opened — provided the user has macros enabled. The new dropper for AnchorMail that IBM observed is in the form of a WinRAR Self Extracting Archive. The dropper is rigged to extract and execute a script for building and configuring AnchorMail on infected systems.

Trickbot is a highly successful threat group that has been around since at least 2016. The group initially used its eponymously named malware to steal credentials to banking accounts. Over the years, the group evolved into a sort of initial access broker and a distributor for several ransomware and malware tools, most notably Conti and Ryuk and Emotet. Trickbot is used variously for stealing data, enabling cryptomining, enumerating systems, and other malicious activities.

Court documents in connection with the arrest of a key member of the group last year showed that nearly 20 cybercriminals — including several malware experts — collaborated in building the malware. A massive 2020 international law enforcement operation to take the threat actor down temporarily disrupted its activities but failed to stop them.

In Switch, Trickbot Group Now Attacking Ukrainian Targets

Acronyms serve as a gatekeeper — if you don't sling the lingo, you don't belong. So here's a quick guide to the letter salad of cloud cybersecurity.

**Question: There are so many cloud security acronyms nobody seems to be spelling out. What do they mean?**

**Answer:** Acronyms are confusing jargon that can often serve as a gatekeeper — if you don't sling the lingo, the thinking goes, you don't belong. But if you're reading this, you _do_ belong in cybersecurity, which has to become more welcoming if we ever hope to close the talent gap. So here's a quick guide to some of the acronyms you may come across when talking about cloud security.

**CDR – Cloud detection and response.** These tools continuously aggregate, normalize, and analyze data provided by SaaS (software-as-a-service) and cloud services about accounts, privileges, configurations, and activity to power insights, situational knowledge, and threat alerts. It provides single-pane visibility into cloud environments while maintaining user context.

**CIEM – Cloud infrastructure entitlement management.** Such tools address the issue of excessive permissions and entitlements to cloud resources. They detect over-permissioned accounts and roles and unused permissions and accounts. Note that this is distinct from SIEM (security information and event management), which analyzes alerts in real time, and CIAM (customer identity and access management), which aims to give users secure access to resources.

**CNAPP – Cloud-native application protection platform.** CNAPP addresses the inevitable increased number of moving parts and interlocking systems in cloud-native applications. Using a modular approach, existing CI/CD (continuous integration and continuous delivery) pipelines and runtime platforms can be extended and updated as better methods are discovered. Leveraging a CNAPP gives you in-depth, multilayered, agent-based, and agentless coverage across all aspects of your environment — everything from proactive validation of workloads to auditing policies on the public cloud platform you're running on. Providing more than just convergence of CIEM, CWPP, and CSPM (read on for more about the latter two), CNAPP allows CISOs (chief information security officers) to see the value that cloud security suites deliver, as opposed to a series of disjoint point solutions needing painstaking integration.

**CSPM – Cloud security posture management.** This refers to a set of controls that detect when your deployed accounts and resources deviate from best practices. CSPM tools embed a variety of standards that allow you to continuously evaluate all cloud accounts and workloads and quickly identify areas of drift and misconfiguration.

**CWPP – Cloud workload protection platform.** These protect workloads and focus on securing the entire application life cycle, providing cloud-based security solutions that protect instances on AWS, Google Cloud Platform, Microsoft Azure, and other cloud vendors' platforms. CWPP focuses on specific application use cases, such as runtime detection, system hardening, vulnerability management, network security, compliance, and incident response.

**SSPM – SaaS security posture management.** Such tools monitor security risks in SaaS applications. SSPM looks for and surfaces misconfigurations, compliance risks, unnecessary or defunct user accounts, excessive user permissions, and other cloud security issues so that security personnel can resolve them.

What Do All of Those Cloud Cybersecurity Acronyms Mean?

Dark Reading's digest of the other don't-miss stories of the week, including a new ransomware targeting QNAP gear, and a destructive attack against the College of the Desert that lingers on.

Cybercrime never sleeps — but editors do. To cap off this short Fourth of July week, Dark Reading's editors are collecting all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would be remiss to not cover.  

We're talking a critical Cisco vulnerability, a Microsoft alert on upgrades to the Hive ransomware, QNAP issues, and a pair of cyberattacks.

In this week's "in case you missed it" (ICYMI) digest, read on for more about the following:

*   **Critical Cisco Security Vulnerability Allows Root Access to OS**
*   **Hive Ransomware Gets a Rust-y Upgrade**
*   **QNAP Warns on "Checkmate" Ransomware Attacks**
*   **"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**
*   **California College Remains Offline After Ransomware Hit**

**Critical Cisco Security Vulnerability Allows Root Access to OS**

Cisco has rolled out patches for 10 security bugs, including a critical flaw that could allow cyberattackers to manipulate application source code, or configuration and critical system files.

The critical issue (CVE-2022-20812, CVSS severity score of 9.0) is a path-traversal vulnerability affecting the Cisco Expressway Series software and Cisco TelePresence VCS software, if they are in the default

"A vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS could allow an authenticated, remote attacker with Administrator read-write privileges on the application to conduct absolute path traversal attacks on an affected device and overwrite files on the underlying operating system as a root user," according to the advisory, the latest since Cisco's last bug disclosure in May.

The vulnerability arises thanks to insufficient input validation of user-supplied command arguments, the networking giant noted.

"An attacker could exploit this vulnerability by authenticating to the system as an administrative read-write user and submitting crafted input to the affected command."

**Hive Ransomware Gets a Rust-y Upgrade**

The ransomware-as-a-service (RaaS) offering known as Hive has overhauled its infrastructure, using the programming language Rust.

That's the buzz from Microsoft, whose security researchers noted that Hive is an exemplar of adapting to the rapid change found in the underground economy.

"With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest-evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," researchers said in a post this week. "The most notable changes include a full code migration to another programming language \[from GoLang to Rust\] and the use of a more complex encryption method."

Rust, a language also used by the BlackCat ransomware, allows advances in coding control, memory usage, resistance to reverse engineering, and access to a range cryptographic libraries, the researchers said.

As for the encryption, "the new Hive variant uses string encryption that can make it more evasive," according to the advisory. “The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.”

**QNAP Warns on "Checkmate" Ransomware Attacks**

QNAP, the network-attached storage (NAS) vendor, is flagging activity against its devices that results in the execution of the Checkmate ransomware.

The cyberattackers are specifically targeting SMB file-sharing services exposed to the Internet, using a dictionary attack to break accounts with weak passwords.

"Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name '!CHECKMATE\_DECRYPTION\_README' in each folder," according to QNAP's advisory this week. It added, "We are thoroughly investigating the case and will provide further information as soon as possible."

Customers of the Taiwan-based appliance maker have been suffering ongoing, relentless ransomware activity — which Dark Reading broke down earlier this week (along with potential defenses) in an extensive roundtable of experts.

To protect their businesses and avoid a ransomware checkmate, users should avoid exposing the SMB service to the internet and should employ strong passwords in any event.

**"SHI-eesh": IT Giant Knocked Offline in Coordinated Cyberattack**

IT-supplier bigwig SHI International said this week that it was the target of "a coordinated and professional malware attack."

The New Jersey-based vendor, which has 5,000 employees and 15,000 customers around the world, said that it moved quickly to stop the infection and minimize the impact on SHI’s systems and operations. That meant that some systems, such as SHI’s public websites and email, were knocked offline "while the attack was investigated and the integrity of those systems was assessed."

The SHI staff regained access to email, but as of Thursday the main website was still not operational. The company said in a website notice that IT teams continue to work to bring other systems back online.

It's unclear what the cyberattackers' goal was, but some researchers noted that a supply chain compromise attempt is a real possibility.

“Apart from being a large enterprise, SHI is a major software and hardware provider to several Fortune 500 companies, and while there is no evidence regarding third-party suppliers getting breached or customer data getting exfiltrated, this is certainly too close for comfort for many of their customers," Rajiv Pimplaskar, CEO at Dispersive Holdings, said via email.

**California College Remains Offline After Ransomware Hit**

As the latest example of what happens when IT isn't prepared for a hit, the 12,500-student College of the Desert, a community college in Palm Desert, Calif., remains offline after suffering which researchers suspect was a ransomware attack.

The cyberattack brought down the school's online services and campus phone lines on July 4. As of late Thursday, the school's website still returned a notice that it "is currently experiencing a system-wide outage of most services," including the ability for students to request transcripts, add or drop classes, or register for classes.

"Educational institutions have continued to be a prime target for ransomware groups over the last couple of years," says Josh Rickard, senior security solutions architect at Swimlane, noting that this is the second time College of the Desert has been hit with a malware attack; the first incident took place in August 2020. "To prevent similar attacks in the future and ensure that operations continue to run smoothly, education institutions such as College of the Desert need to devote more resources to information security teams, tools, processes, and products."

Rickard suspects the incident was ransomware due to the severe operational disruption, but it should be noted that College of the Desert has not confirmed that, admitting only to a "computer network disruption."

ICYMI: Critical Cisco RCE Bug, Microsoft Breaks Down Hive, SHI Cyberattack

New program offers free tech skills training and paid apprenticeships to make education and career pathways more accessible.

TULSA, OK -- Today Tulsa Community College (TCC) and Tulsa Innovation Labs (TIL), in partnership with edX, the global online learning platform from 2U, Inc. (Nasdaq: TWOU), and Skillstorm, launch the Cyber Skills Center. The new program, based in Tulsa, will develop a diverse talent pipeline for the in-demand and rapidly expanding career fields of cybersecurity and data analytics **at no-cost to Tulsa-area residents**.

Developed with edX’s Access Partnership initiative, Cyber Skills Center model is designed to streamline the skill development and career transition process for underserved communities. The program offers a 24-week online accelerated training boot camp curriculum offered by the Tulsa Community College, in partnership with edX, along with a paid apprenticeship upon graduation, and a suite of wrap-around services to make education and career transitions more accessible. These services, which are offered through the support of the George Kaiser Family Foundation, include childcare, transportation stipends, coaching and job readiness support.

The initial program is estimated to support more than 200 Tulsans over the next three years.

“Tulsa Community College has extensive experience and history of evolving with constant workforce changes and developing individuals with the needed skills for in-demand careers,” said Dr. Leigh Goodson, TCC president & CEO. “Boot camp graduates will not only be able to pursue new career opportunities after program completion, but can also apply credits earned from the boot camp to education opportunities to support additional reskilling and upskilling.”

The Cyber Skills Center will also lead to additional opportunities through college credit towards a 2-year associate degree through TCC, or bachelor’s degree at the University of Tulsa School of Cyber Studies or Oklahoma State University Spears School of Business.

Demand for careers in these fields are at an all-time high, for example, cybersecurity is expected to see a demand of nearly 3.5 million jobs by 2025.

With an average entry-level salary in this field in excess of $63,000 per year, according to the Bureau of Labor Statistics, and hundreds of available jobs in the greater Tulsa metropolitan area, there is an extraordinary opportunity to leverage the demand for cybersecurity talent to create a new pathway to the middle class.

“Our Access Partnerships help provide the infrastructure to bring colleges and universities, local workforce agencies and nonprofits, funding partners, and employers to the table to solve regional skills gaps and empower more working adults to succeed in the digital economy,” said Anant Agarwal, edX Founder and Chief Open Education Officer at 2U. “We are honored to welcome TCC as our first community college partner and look forward to working together with them and TIL to help reskill and upskill Tulsa area learners as the city continues to grow its tech community.”

**Upon completion of the 24-week program, graduates will be eligible to continue learning enterprise-level skills in cybersecurity and data analytics through SkillStorm’s 10-week immersive training program, which also provides potential opportunities to be connected with SkillStorm’s diverse group of commercial and federal clients.**

“Through our work with Fortune 500 companies across the country, we’ve seen rapidly accelerating demand for workers with cybersecurity and data analytics skills in an increasingly competitive labor market,” said Joe Mitchell, Chief Operating Officer at SkillStorm. “We look forward to the opportunity to help upskill individuals in the Tulsa community — and expand access to career pathways both in the region and with major employers nationwide.”

This effort builds on TIL’s strategy to create one of the more inclusive tech ecosystems in the country. By building the foundation for tech sectors where Tulsa has a competitive advantage: energy tech, advanced aerial mobility, virtual health, and cyber and analytics, and building accessible pipelines to each, Tulsa aims to serve as a new model for how tech growth can truly serve residents from diverse backgrounds and prepare the economy for the future.

"TIL is committed to making big investments where opportunities for traditionally underserved Tulsans overlap with industries in which Tulsa has a right to win,” said Nicholas Lalla, Managing Director of Tulsa Innovation Labs. “This initiative is a home run on both counts, and will be a game-changer in how the city leverages its unique competitive advantages to give Tulsans from every background a chance to access a high-paying career in cyber and data analytics."

To ensure the program meets the educational needs of diverse student populations in Tulsa, the Cyber Skills Center is working with nearly 30 nonprofits and community partners to provide feedback on program design and recruit students for the program. One such organization is Black Tech Street, a group advancing the digital transformation of historic Black Wall Street.

“No one should be intimidated by words like cyber and analytics,” said Tyrance Billingsley, the executive director of Black Tech Street. “People who excel in this field will be those who are creative, great at problem solving, and who have an eye for recognizing patterns. Cyber Security may sound scary and "elite" but it's not, and we want to demystify this world by making that clear. That's why this partnership was a no brainer. The Cyber Skills Center will be an incredible and accessible tool for helping Black Tulsans break into the tech world and will be crucial for our mission to rebirth Black Wall Street through technology”

The Cyber Skills Center will launch the first class in Fall 2022. To get started, apply at tulsacc.edu/cybercenter.

**##########**

**About Tulsa Community College**

Tulsa Community College, winner of two national Awards of Excellence from the American Association of Community Colleges in 2021, is a vital link to workforce development for northeast Oklahoma. Serving more Oklahomans than any other higher education institution in the state, TCC has four main campuses with roughly 21,000 students in credit courses each year. For five decades, TCC has provided access to an affordable college education. As one of 30 community colleges selected for the inaugural Pathways Project, a national initiative funded by the Bill and Melinda Gates Foundation, TCC is one of the most comprehensive community colleges in the United States. For more information on TCC, visit www.tulsacc.edu**.**

**About Tulsa Innovation Labs**

Recognizing that the jobs of the future are rooted in a thriving innovation economy, the George Kaiser Family Foundation pioneered Tulsa Innovation Labs to develop a city-wide strategy that positions Tulsa as a tech hub and leader in the future of work. Through a diverse coalition of public and private partners, TIL is creating economic development programs that seek to make Tulsa the nation’s most inclusive tech community. Learn more at tulsainnovationlabs.com.

**About edX**

edX is the education movement for restless learners and a leading global online learning platform from 2U, Inc. (Nasdaq: TWOU). Together with the majority of the world’s top-ranked universities and industry-leading companies, we bring our community of over 44 million learners world-class education to support them at every stage of their lives and careers, from free courses to full degrees. And we're not stopping there — we're relentlessly pursuing our vision of a world where every learner can access education to unlock their potential, without the barriers of cost or location. Learn more at edX.org.

**About SkillStorm**

Founded in 2002, SkillStorm was built on the mission of accelerating careers in high-demand technologies. We create Stormers, the world’s most elite developers. We hire, train, and deploy Stormers from all backgrounds and experience levels in today’s in-demand technologies, including AWS, Appian, Salesforce, PEGA, and ServiceNow. We are committed to hiring and training college graduates and veterans for high-growth technology careers with our Fortune 100 clients. Through these dedicated efforts, we provide our clients with an exclusive pipeline of high-quality, U.S.-based tech talent that is custom trained with the skills required to support our clients’ critical technology initiatives. As a flexible technology workforce partner, we provide fully formed tech teams at every level of experience, skill sets, and clearance. Stormers are deployed either at our clients’ sites or at our U.S.-based delivery centers.

Cyber Skills Center Launches in Tulsa to Develop Diverse, Local Tech Talent Pipeline

The latest criminal use of a legitimate red-teaming tool helps attackers stay under the radar and better access living-off-the-land binaries.

In a fresh campaign that takes a page from the advanced persistent threat known as APT29, hackers are shifting away from the Cobalt Strike post-exploitation toolkit, instead embracing Brute Ratel C4 (BRc4).

BRc4 is the latest upstart in the red-team tooling world; like Cobalt Strike, it's an adversarial attack simulation tool designed for penetration testers. It’s a command-and-control (C2) framework that's not easily detected by endpoint detection and response (EDR) technology or other anti-malware tools.

A report from Palo Alto Networks' Unit 42 research team found evidence of attackers subverting Brute Ratel's free licensing protections and utilizing the tool to run criminal attack campaigns.

The infrastructure they uncovered is extensive, researchers noted.

"In terms of C2, we found that the sample called home to an Amazon Web Services (AWS) IP address located in the United States over port 443," they explained. "Further, the X.509 certificate on the listening port was configured to impersonate Microsoft with an organization name of 'Microsoft' and organization unit of 'Security.'"

Pivoting on the certificate and other artifacts, "we identified a total of 41 malicious IP addresses, nine BRc4 samples, and an additional three organizations across North and South America who have been impacted by this tool so far," they added.

**Living-Off-the-Land Techniques**

Unit 42 said the sample utilizing BRc4 uses known APT29 techniques, including well-known cloud storage and online collaboration applications. In this case, the sample studied was packaged up as a self-contained ISO that included a Windows shortcut LNK file, a malicious payload library, and a legitimate copy of Microsoft OneDrive Updater.

"Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking," the report explained.

This technique of using legitimate tools and native utilities is known as "living off the land," and threat actors are increasingly using living-off-the-land binaries (LOLBins) to drop malicious payloads.

Last week for instance, researchers with Cyble reported an uptick in LNK file-based builders growing in popularity on Dark Web marketplaces, as various malware families lean on them for payload delivery.

"We have observed a steadily increasing number of high-profile threat actors shifting back to .LNK files to deliver their payloads," the Cyble researchers wrote. "Typically, threat actors use LOLBins in such infection mechanisms because it makes detecting malicious activity significantly harder."

**Where Red Team Tools Fit In**

Tools like Cobalt Strike and BRc4 aren't purely living-off-the-land approaches, "since you still have to introduce a piece of malware onto the system as opposed to using the operating systems built in tooling," explains Tim McGuffin, director of adversarial engineering at LARES Consulting.

However, these tools are nevertheless popular with attackers for their ability to evade detection mechanisms, fundamentally for the same reason as a living-off-the-land attack works — because they're otherwise viewed as legitimate software.

"Brute Ratel is an otherwise legitimate tool that might be present in victim networks," explains John Bambenek, principal threat hunter at Netenrich. "Since its use is likely whitelisted, it allows for attackers to operate more discretely than they would otherwise be able to do."

This is an unfortunate cycle that the security world has seen occur for a long time, as attackers are drawn to red-team tools like flies to honey.

According to Ivan Righi, senior cyber threat intelligence analyst for Digital Shadows, it's no surprise that BRc4 makes for an attractive tool. Not only does it have offensive security capabilities similar to Cobalt Strike that can be abused for malicious purpose, but it is also less known than Cobalt Strike.

"Many security solutions may not yet detect Brute Ratel as malicious, as opposed to Cobalt Strike, which is generally more well-known for being used for malicious purposes," Righi says.

According to McGuffin, security practitioners should be concerned about all toolkits like these, whether open source, commercial, or custom. But he believes that they shouldn't get caught up in the whack-a-mole game of detecting the framework or the tooling itself. Instead, they should focus on hardening their systems.

"An emphasis on endpoint hardening can be placed on prevention against any C2 tooling. An example is Microsoft's Attack Surface Reduction 'Application Allow-listing' guidance," he says. "The setting prevents unknown binaries from being introduced, and network egress hardening to prevent C2 callbacks to Command-and-Control servers."

Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival 'Brute Ratel' Pen Test Tool

Orlando, FL, July 6, 2022 – Fortress Information Security, the nation’s leading cybersecurity provider for critical infrastructure organizations with digitized assets, today joined the Open Web Application Security Project (OWASP) as a silver sponsor. Fortress has allocated a portion of that sponsorship to support the CycloneDX project focused on promoting a lightweight Software Bill of Materials (SBOM) standard for application security and supply chain component analysis.

OWASP is a nonprofit foundation that works to improve software security by making application security risks visible. OWASP activities include community-led open source software projects, over 250+ local chapters worldwide, tens of thousands of members, and industry-leading educational and training conferences.

“OWASP and the CycloneDX project are critical to making universal SBOM principles and standards a reality,” said Betsy Jones, chief operating officer of Fortress Information Security. “Bringing software developers and cybersecurity professionals together openly and collaboratively will foster the development of trusted SBOM solutions.”

Joined by Tony Turner, Fortress vice president of research and development and an OWASP chapter and project leader for over 10 years, Fortress utilizes multiple OWASP projects such as CycloneDX, SCVS, OWASP Risk Ranking methodology, and many others to secure critical infrastructure.

OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All projects, tools, documents, forums, and chapters are free and open to anyone interested in improving application security.

**About Fortress Information Security**  
Fortress Information Security secures critical industries from cybersecurity and operational threats stemming from vendors, assets, and software in their supply chains. Fortress is the only end-to-end platform that connects intelligence surrounding vendors, information technology and operational technology assets, and software through a holistic, fit-for-purpose approach. Fortress has also partnered with its customers and suppliers to form the Asset-to-Vendor (A2V) network, which facilitates the secure and seamless exchange of asset information and security intelligence, enabling collaborative workflows to better understand and remediate potential issues. Fortress serves critical industries such as energy, government, aerospace & defense, critical manufacturing, industrial automation, automotive, and healthcare.

**About OWASP**  
As the world’s largest non-profit organization concerned with software security, OWASP: supports the building of impactful projects; develops & nurtures communities through events and chapter meetings worldwide; and provides educational publications & resources to enable developers to write better software and security professionals to make the world’s software more secure.

Source

DARKReading