A company's response to a breach is more important than almost anything else. But what constitutes a "good" response following a security incident? (Part 2 of a series.)

_Read Part 1 of this series exploring how to react after a serious security incident._

Security vendors know their products have blind spots. They know that there are areas of the attack surface they cannot protect. Despite this, vendors continue to make promises on which they cannot deliver. That's why companies large and small continue to experience intrusions, incidents, and breaches despite being "protected" by their security vendors. Does this lead us to perpetual defeat in the depths of abysmal despair? Not quite.

In all seriousness, it does call us to reframe our thought process around security and privacy failures. It means thinking about "success" not as creating an incident-free utopia but, rather, creating an organization that can learn from those scary moments, dusting off our knees, and trudging forward even wiser and stronger.

I've said this before but bears repeating: **_Breaches can happen to anyone_**. That's why a company's _response_ to a breach is more important than almost anything else. In fact, a company's response is truly what sets it apart from other brands even after a relatively minor security incident.

So, what constitutes a "good" response following a security incident? At a high level, it's a deliberate, calculated, and well-articulated plan that communicates key details, developed by several key players who are all working toward a common goal.

**Finding the Right Words  
**In security incident response planning, both what you say and how you say it matters. In essence, a security incident response plan puts the right resources in the right place so that challenges such as data loss and reputational damage are kept to a minimum. Security teams utilize an incident response plan to identify, eliminate, and recover from a threat quickly and uniformly.

Incident response plans will look different from company to company, but they should address and provide a structured process for preparation, identification, containment, eradication, recovery, and lessons learned. A response plan is only valuable when it's created ahead of time, of course. So, if you're reading this and your organization doesn't have an incident response plan in place … **stop reading and create one now.**

Or, if you're not the person responsible for building one, send your IT and security leaders an email like the one below:

**_Subject Line:_** Do We Have An _Incident Response Plan?_

_**Body of Email:** Been reading a lot about breaches and how they can happen to anyone. Just curious, do we have an IR plan in place? How can my team help?_

Along the same lines, a breach notification letter is necessary whenever sensitive customer information is involved. The breach notification letter needs to meet different regulatory requirements depending on the industry. Get clear about what you need to disclose and what you shouldn't disclose because it would give too much useful information to your adversaries far in advance.

The tone used to communicate a response is also critical. Executives should show they care for their employees and their customers and own up to their mistakes. Even if the breach was caused by a third party they picked, companies can't ignore, cover up, or deflect blame once they're under fire.

I get it. A breach is embarrassing. Asking customers to change their passwords is like a virtual walk of shame. No one wants to be in that position, especially when every word and decision is sure to be scrutinized and criticized by many. Security incident response, and certainly breach response, goes far beyond technology; it's a pressure test of culture and security leadership. Companies with good culture — one that embodies true collaboration and solidarity — are much more likely to suffer minimal internal damage after a security incident.

Security team members must evaluate the ongoing work required and hold those needed accountable, but it is essential to act as one team rather than attack one another. Security incidents rarely have a singular point of failure, and everyone must come together — from the CISO to the security analyst — to resolve the issue.

**Who Is Going to Help You Say It?  
**There are several departments — outsourced and internal — that should be sitting around the proverbial incident response table. While they will all play different roles, they're all necessary to achieve the end goal: not making a misstep when it matters most. Legal, finance, communications, and security teams are integral during these moments.

Many companies choose to appoint an incident director or team leader who will coordinate incident response activity and move things along at a desirable pace. Their priorities are to make sure that all of the professionals involved are communicating with each other and remain focused on shared goal(s). There also should be a lead investigator who is responsible for collecting and analyzing evidence and determining the initial entry point of the malicious activity. The lead investigator will work with the security team and advise on what details they think will be valuable to customers in combating future security incidents. Acknowledge there will be some things influenced by outside parties they cannot control (even the National Security Agency or FBI at times).

There also should be a concerted communications effort that focuses on messaging to all audiences inside and outside of the company. Breaches can often be a PR nightmare if the people speaking to the media or replying with comments on social media aren't prepared with the right information and what I call "red and green phrases" or rules. Often, communications teams don't know much about IT security, so to avoid having them say things that endanger the investigation or reveal information you don't want revealed, it's wise to put together a list of red and green phrases — red phrases should be avoided; green ones are preferred. You don't want spokespeople revealing too much or an incorrect detail about how the breach occurred and why you were caught flat-footed. You want them to tell the truth and protect the mission and identity of the company but in a way that doesn't reflect poorly on it.

Understand the limitations of your current investments, but more importantly be honest on your ability to detect, disrupt, respond, and recover. Much of this success goes beyond software and depends more on what you've built and how you've trained ahead of time.

_Stay tuned for Part 3, which will provide action advice on how to go forward once stuff hits the fan._

Security Stuff Happens: What Will the Public Hear When You Say You've Been Breached?

Companies see AI-powered cybersecurity tools and systems as the future, but at present nearly 90% of them say they face significant hurdles in making use of them.

Companies are quickly adopting cybersecurity products and systems that incorporate artificial intelligence (AI) and machine learning, but the technology comes with significant challenges, and it can't replace human analysts, experts say.

In a Wakefield Research survey published this week, for example, almost half of IT security professionals (46%) said their AI-based systems create too many false positives to handle, 44% complained that critical events are not properly flagged, and 41% do not know what to do with AI outputs. In total, 89% of companies reported challenges with cybersecurity solutions that claimed to have AI capabilities.  

    

Source: Devo

Not all AI-based projects are created equal, as some technology is more mature, says Gunter Ollmann, chief security officer at Devo, which sponsored the survey.

"When they talk about rolling out AI for cybersecurity ... those are the projects that are commonly failing," he says. "In particular, NLP \[natural language processing\] is being dangled as a technology that can do cool things for your security and as a way to manage your attack surface area, but it has not really been successful."

**The Promised Benefits of AI for Cybersecurity  
**Incorporating machine-learning and AI features into cybersecurity products has been widely heralded as a way for companies to gain more visibility into attacks on their data and infrastructure, and as a way to respond more quickly. In December, for example, business consultancy Deloitte called the trend toward more AI in cybersecurity to be a way of taming the complexities in today's business infrastructure, which includes more devices, more cloud services, and more employees working from home.

"Cyber AI can be a force multiplier that enables organizations not only to respond faster than attackers can move, but also to anticipate these moves and react to them in advance," the consultancy stated.  

The most mature uses of machine learning in cybersecurity products are for the detection of threats on the endpoint and user and entity behavior analytics (UEBA) to pinpoint risky users and compromised devices, says Allie Mellen, security and risk analyst for Forrester Research, a business intelligence firm.

**AI Security Challenges Abound**  
While finding and classifying IT assets topped the list of uses of AI-based cybersecurity — with 79% of companies using the technology for that application — it also topped the list of challenges, with 53% of respondents considering the use case problematic, according to Wakefield Research's survey of 200 IT security professionals.

About a third of companies had challenges in correctly deploying the systems, and a quarter criticized the vendors for not updating the product enough to be valuable.

There are definitely differences in opinions between business executives, who largely consider AI to be a perfect solution, and security analysts on the ground, who have to deal with the day-to-day reality, says Devo's Ollmann.

"In the trenches, the AI part is not fulfilling the expectations and the hopes of better triaging, and in the meantime, the AI that is being used to detect threats is working almost too well," he says. "We see the net volume of alerts and incidents that are making it into the SOC analysts hands is continuing to increase, while the capacity to investigate and close those cases has remained static."

The continuing challenges that come with AI features mean that companies still do not trust the technology. A majority of companies (57%) are relying on AI features more or much more than they should, compared with only 14% who do not use AI enough, according to respondents to the survey.

In addition, few security teams have turned on automated response, partly because of this lack of trust, but also because automated response requires a tighter integration between products that just is not there yet, says Ollman.

**Augmentation, Not Replacement  
**Another dimension of the AI challenge is a lack of clarity on its role vis a vis security staff. While AI applications can deliver real benefits, it's important to understand that they augment the human analyst in the security operations center (SOC) rather than replace them, Forrester's Mellen stresses. That's a conclusion many companies likely do not want to hear, given the problems many have in hiring knowledgeable cybersecurity professionals.

"The most important resource that we have are the people that we have working today in the SOC," Mellen says. "AI helps, of course, for detection ... but we have to recognize that it is not going to be a complete game changer for security. The way that we use machine learning today is not even at the point where it would be able to take over most of the responsibilities of the human analyst."

Devo's Ollman also cautioned that organizations need to have realistic expectations for what AI can and cannot do.  

"I think there is the sci-fi view that AI will be a superhuman that operates at 1,000 times faster than the best human alive; leave that for the sci-fi books," he says. "Augmentation is about how do I make the human faster and more efficient in what they are doing, and also closing skills gaps that they have."

The challenges all suggest that trained human analysts, with expertise in machine learning and AI, are needed to make best use of AI-augmented cybersecurity products. And AI systems that can explain their conclusions will be necessary in the future to augment human analysts and retain trust, Ollmann says.

AI for Cybersecurity Shimmers With Promise, but Challenges Abound

The venerable film franchise shows us how to take threats in STRIDE.

Over years of teaching threat modeling — including the STRIDE mnemonic, which I'll describe here — I've found that people often get stuck when trying to answer "what can go wrong?" My favorite way to help them clear these hurdles is with stories from a long time ago in a galaxy far, far away.

_Star Wars_ offers an accessible and expansive set of examples. It lets us focus on fun rather than fear because fun leads to engagement. Engagement leads to understanding. And understanding leads to better threat modeling.

From a certain point of view, _Star Wars: A New Hope_ is a tutorial in the STRIDE threats. Let's start with the first of those threats, "**Spoofing**."

How does R2-D2 know who Obi-Wan Kenobi is? How can he decide to play the recording of Princess Leia for Obi-Wan, but not Luke? These questions allow us to go investigate concepts of identifiers and authenticity while making them tangible and relatable.

**Questions of Authenticity: "Who Is This? What Is Your Operating Number?"  
**Authenticity first requires an identifier: a statement of who you are. This might be a name ("Han Solo") or a role ("Stormtrooper"). Either might be true or false. Given the risk of impersonation, confusion, or lies, we look for authentication factors, such as an ID, a password, or a uniform. Then we evaluate if the identifier is authentic and grant (or deny) authorization.

There are many forms of authentication to consider, depending on if the authentication is _by_ a person or a computer and _to_ a person or a computer. This gives us a way to look at spoofing in different scenarios, including the offensive mechanisms used and the defensive protections.

**Human Identifiers: "TK421, Do You Copy?"  
**People are exceptionally good at identifying people they know well, even after a long time without seeing them. Not recognizing someone is awkward because we expect to be recognized. Recognizing those you're close to: friends and family, or even co-workers, is implicit and automatic. We don't need authenticators.

But outside that circle, it gets rapidly harder. We use a lot of implicit identifiers: uniforms, knowledge, patterns of speech, and some people even use explicit ones, asking to see your identification.

Most of the heroes pretend to be someone other than themselves. Princess Leia pretends to not be a rebel leader after Darth Vader captures her ship. Old Ben pretends not to be Obi-Wan Kenobi, while lying to Luke about his father Anakin being killed by Darth Vader. Luke and Han pretend to be Stormtroopers.

**Technical Identifiers: "I Am C-3PO, Human Cyborg Relations"**  
Many types of technical identifiers exist for services, machines, files, processes, and users. Some are designed for humans, such as "threatsbook.com," others are designed for computers, such as 172.18.19.20. And of course, there's tools to map between them.

It's hard to say when the first spoofed login screen was created, but it was probably around the time teletypes were replaced with electronic terminals. Someone could easily write a program that worked like this:

*   LOGIN: Accept a name and password.
*   Store them.
*   Display "Login incorrect" and logout, allowing the real login program to run.

Authenticating to remote computers only made this worse with the same pattern of false login prompts — now labeled phishing.

_Star Wars_ also gives us examples of how people and technology interact to authenticate one another. R2-D2 authenticates Obi-Wan Kenobi before showing him the hologram of Leia. R2-D2 is also able to spoof an imperial droid when he plugs into the Death Star to find the main controls for the tractor beam, identify where Leia is being held, and shut down all the garbage smashers on the main detention level.

Clearly the Empire has an authentication problem.

**A Galaxy's Worth of Case Studies  
**Watching Obi-Wan can teach you much about cybersecurity:

*   He **Tampers** with a power converter
*   He **Repudiates** claims about Luke's father
*   He **Exceeds** **his authority** in telling Stormtroopers that "these aren't the droids you're looking for."

Right here, we have most of the elements of the STRIDE mnemonic. There's also information disclosure, and of course, from the crawl through the destruction of the first Death Star, _Star Wars_ is the story of **Information** disclosure (the I in STRIDE). That leaves only **Denial-of-service**, like blowing up a shield generator on a forest moon of Endor.

Enjoyment and stories are both powerful teaching aids. I've been using _Star Wars_ as a hook to get people excited and to give them bits that help them remember for years now. Many engineers want to have a better handle on the question "what can go wrong with this code I'm working on?" They don't want to write insecure code, and they don't want to be exploit writers or security operators.

And maybe they don’t even want to learn about something that sounds abstract, like threat _modeling_. That’s fine – we can be concrete and have fun learning about the _threats_ that motivate our work.

That's why I'm really excited to go in depth and take these lessons to the next level with my next book, _Threats: What Every Engineer Should Learn from Star Wars_, coming this fall. For all the fun, we need engineers to know what threats to consider, and what they mean. If we want people to build more secure systems ... it's our only hope!

What Star Wars Teaches Us About Threats

AutoRABIT intends to direct the funding toward growth initiatives and product development.

SAN FRANCISCO, May 4, 2022 /PRNewswire/ -- AutoRABIT, the leading Salesforce DevSecOps platform provider for regulated industries, today announced $26M in new investment from existing investor Full In Partners, a premier growth equity firm.

Given the surge in cybersecurity threats—and recommendations from the White House to harden infrastructure and tighten security policies—this funding comes at a time of increased demand for DevSecOps solutions and amid a period of aggressive growth achieved by the company. AutoRABIT intends to direct the funding toward growth initiatives and product development focused on continuing to solve the real security and development challenges faced by regulated companies using Salesforce.

"The capital we've raised with this new funding round will enable us to continue developing product capabilities to meet the security and regulatory compliance needs of our customers, while enabling them to develop faster and release more features to their own customers and stakeholders," said Meredith Bell, CEO of AutoRABIT. "As AutoRABIT continues to grow, this investment will enable us to deliver even more value to our customers through an enhanced set of DevSecOps tools that will complement our existing suite of technologies."

As Salesforce persists as the largest CRM provider in the world with market share continuing to climb, the challenges faced by its customers continue to compound—because Salesforce was built to be a CRM, not a development platform.

"Since our initial investment in February 2020, we've been thrilled to be an active partner of AutoRABIT as they build a great organization and momentum for growth," said Maurizio de Franciscis, Managing Director and Head of Portfolio Success at Full In. "Cybersecurity is now more important than ever, and AutoRABIT's DevSecOps platform is enabling Salesforce development teams in regulated industries to ship digital products safely and rapidly."

**About Full In Partners  
**Founded in 2019, Full In Partners is a premier woman-led growth equity firm based in New York City. The firm is focused on backing high-velocity, high-efficiency software and internet businesses while building better outcomes through proactive operational and strategic support. To learn more about Full In Partners, please visit: https://fullinpartners.com.

**About AutoRABIT:  
**AutoRABIT's DevSecOps Platform enables Salesforce development teams to improve the quality of their releases at scale through a suite of CI/CD tools that enable teams to configure, build, test, and manage development environments and deployments. The platform also supports data protection and optimization through a suite of Salesforce DataOps tools that enable development teams to retrieve greater insights from their own data while ensuring robust backup and protection. The addition of CodeScan's code analysis technology adds a code security layer to the existing platform. Visit https://www.autorabit.com for more information.

AutoRABIT Secures $26M in Series B Investment from Full In Partners to Expand DevSecOps Platform

Also adds support for Google Cloud Platform (GCP) and Microsoft Azure, and PCI compliance coverage.

WALTHAM, Mass. , May 4, 2022 /PRNewswire/ -- Uptycs, provider of the first cloud-native security analytics platform enabling cloud and endpoint security from a common solution, announced today new cloud infrastructure entitlement management (CIEM) capabilities that strengthen its cloud security posture management (CSPM) offering. In addition, Uptycs announced CSPM support for Google Cloud Platform (GCP) and Microsoft Azure, and PCI compliance coverage. These new capabilities provide Security and Governance, Risk, and Compliance teams with continuous monitoring of cloud services, identities, and entitlements so they can better reduce their cloud risk.

"Disparate cloud security solutions only deliver pieces of the picture, leaving Security teams unaware of new risks in a fast-changing cloud environment," says Ganesh Pai, CEO and co-founder of Uptycs. "As organizations scale out their cloud footprints—including across multiple public cloud providers—they need new types of security controls, especially in the realm of cloud identity and entitlement. Uptycs provides a unified platform for CSPM and CWPP that gives Security teams a holistic and fully integrated platform for securing their cloud resources, workloads, and infrastructure."

As they add cloud accounts, resources, and infrastructure, the number of user and machine identities grows exponentially. The majority of these identities have more access than they need to do their jobs, posing a serious risk if an attacker is able to steal credentials. According to Gartner, more than 95% of accounts in IaaS use, on average, less than 3% of the entitlements they are granted.1 In addition, Gartner estimates that "by 2023, 75% of security failures will result from inadequate management of identities, access and privileges, up from 50% in 2020."2

With new cloud identity and entitlement analytics capabilities in Uptycs, Security and Governance teams can solve these challenges:

*   **Monitor least privilege -** Continuously monitoring cloud infrastructure to spot identity misconfiguration and permissions gaps so they can move toward least-privilege access, minimizing the damage that can be caused by privilege escalation.
*   **Measure identity risk and governance posture -** Measuring the overall identity risk posture for cloud accounts based on factors such as root account configuration, credentials rotation, possibility of privilege escalation, and credential exposure.
*   **Harden cloud IAM policies -** Continuously analyzing cloud IAM policies and creating risk profiles so that teams can prioritize their efforts on tuning the most risky policies.
*   **Map identities and relationships -** Visually map relationships across accounts, rank connections based on riskiness, and show the impact a user can have on an asset or critical service.
*   **Detect and investigate identity misuse -** Show top cloud IAM principals and services denied based on specific time windows, enabling users to drill down into trends for a specific user/service and spot any anomalies from the regions based on historical data.

The cloud identity and entitlement analytics capabilities are generally available today for AWS as an add-on for the Uptycs CSPM offering. Uptycs' broader CSPM support for GCP and Azure (inventory, audit, compliance, and threat detection) is generally available.

1 Gartner, "Managing Privileged Access in Cloud Infrastructure," Paul Mezzera, December 7, 2021

2 Gartner, "Innovation Insight for Cloud Infrastructure Entitlement Management, Henrique Teixeira, Michael Kelley, Abhyuday Data, June 15, 2021

**About Uptycs  
**Uptycs provides the first cloud-native security analytics platform that enables endpoint and cloud security from a single platform. The solution provides a unique telemetry-powered approach to address multiple use cases—including Extended Detection & Response (XDR), Cloud Workload Protection (CWPP), and Cloud Security Posture Management (CSPM). Uptycs enables security professionals to quickly prioritize, investigate, and respond to potential threats across a company's entire attack surface. A free trial of Uptycs can be requested at www.uptycs.com/free-trial.

Uptycs Announces New Cloud Identity and Entitlement Management (CIEM) Capabilities

Six boxes of paper documents were removed from the facility without authorization in early March.

SAN BERNARDINO, Calif., May 3, 2022 /PRNewswire/ -- Social Action Community Health System ("SAC Health") is providing notice of a recent event that may affect the privacy of certain patient information. This notification provides information about the event, SAC Health's response to it, and resources available to individuals to help protect their information, should they feel it necessary to do so.

**_What Happened?_** On March 4, 2022, SAC Health became aware of a break-in to an off-site storage facility where certain limited patient records were housed. Six boxes of paper documents were removed from the facility without authorization. We immediately began working with local authorities to determine the nature and scope of this event and launched a thorough investigation into this matter. SAC Health was able to confirm that certain limited patient documents were impacted by this theft.

On April 22, 2022, SAC Health determined that the impacted files related to certain patients served by SAC Health in 1997 and between 2006 and 2020. On May 3, 2022, SAC Health began notifying the potentially impacted population.

**_What Information Was Involved?_** SAC Health's analysis revealed that the types of information held by SAC Health and potentially in the stolen storage containers _may_ include name, address, date of birth, and diagnosis codes.

**_How Will Individuals Know If They Are Affected By This Incident_****?** Based on the nature of access to the information, SAC Health concluded that the extent of the access is limited to impacted files related to certain patients served by SAC in 1997 and between 2006 and 2020. Out of an abundance of caution, SAC Health is sending notice to all individuals included in that population.

**_What Is SAC Health Doing?_** Upon learning of this incident, SAC Health moved quickly to investigate and respond. SAC Health is assessing all policies and procedures related to the storage of paper data. Although SAC Health is unaware of any actual or attempted misuse of information as a result of this incident, SAC Health is offering affected individuals access to complimentary credit monitoring through Equifax. In addition, SAC Health is providing notice to appropriate regulatory authorities

**_Has the information been misused_**_?_ At this time, there is **no** evidence that there has been any use, or attempted use of the information potentially exposed in this incident.

**_What You Can Do._** SAC Health encourages individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor free credit reports for suspicious activity and to detect errors. Under U.S. law individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report, place a fraud alert, or a security freeze. Contact information for the credit bureaus is below:

**Experian**

P.O. Box 9554

Allen, TX 75013

1-888-397-3742

www.experian.com/fraud/

form-minor-child.html

**TransUnion**

P.O. Box 2000

Chester, PA 19016

1-888-909-8872

www.transunion.com/credit-disputes/

child-identity-theft-inquiry-form

**Equifax**

P.O. Box 105788

Atlanta, GA 30348-5788

1-800-685-1111

https://www.equifax.com/person...

request-child-credit-report/

Individuals can further educate themselves regarding identity theft, fraud alerts, security freezes, and steps to protect their information by contacting the Federal Trade Commission or the California Attorney General. Instances of known or suspected identity theft should be reported to law enforcement and the state attorney general.

**_For More Information._** SAC Health regrets any concern this incident may cause. If individuals have questions about the incident, they may contact SAC Health's toll-free dedicated assistance line at 877-839-2553. This toll-free line is available Monday – Friday from 6:00 am to 6:00 pm PDT. Individuals may also write to SAC Health at 250 S. G Street, San Bernardino, CA 92410.

SAC Health System Impacted By Security Incident

The security research partnership will focus on developing new techniques and releasing them as open source.

Aryaka and CyLab, Carnegie Mellon University’s Security and Privacy Institute, announced a strategic partnership to research new threat mitigation techniques and develop new enterprise networking and security solutions.

Under the partnership, Aryaka will provide funding and industry experts to assist more than 100 faculty members and 100 graduate students with research to identify, prioritize, and develop threat mitigation techniques. The hope is to make these techniques available as open source to help enterprises and security vendors to better defend against cyberattacks, CyLab’s Daniel Tkacik wrote.

The modern IT landscape is very different from when users were in offices and applications were in data centers, said Renuka Nadkarni, Aryaka’s chief product officer. Applications are now anywhere and users can access those applications regardless of their geographic location. Security needs to be reconsidered in the case of the application and not the network.

Aryaka is also the founding sponsor of CyLab’s Future Enterprise Security Initiative, a multi-disciplinary approach to making complex security solutions available and accessible. The initiative’s mission is to rethink “security across enterprise ecosystems through innovations in artificial intelligence, computer science, engineering, and human factors research,” Tkacik wrote.

Founded in 2003, CyLab is a public/private collaborative computer security and privacy research institute and is one of the largest security research centers in the US. Aryaka decided to partner with CyLab because of the university’s work in artificial intelligence and machine learning as well as in other fields such as humanities, psychology, and policy, said David Ginsburg, Aaryaka’s VP of product and solutions marketing. A multi-disciplinary approach gives researchers the opportunity to look at problems not just from the technology point of view, but to also consider attacker motivations and intent.

Aryaka will guide research topics, offer industry expertise, provide data sets for building AI models, and give feedback on techniques being developed.

Aryaka, Carnegie Mellon’s CyLab to Research New Threat Mitigation Techniques

The Internet of Things needs to be part of the overall corporate information security policy to prevent adversaries from using these devices as an entry point.

**Question: What do I need to know about defending IoT attack surfaces?**

**Bud Broomhead, CEO at Viakoo:** There are several reasons why it's critical for organizations to defend their IoT attack surface, most importantly being that IoT devices are powerful systems containing compute, storage, and networking that threat actors view as the easiest way to breach an organization or enable exploits. They need to be part of the overall corporate infosec policy unless a specific exemption is given, including policies around firmware patches and using certificates. The impact of not defending the IoT attack surface is massive and tends to fall into two categories. First is realizing that IoT device vulnerabilities are an effective method to breach an organization, and second is preventing IoT devices from being used in broader cyberattacks against multiple organizations.

Let's start with why IoT devices have become a preferred method for cybercriminals to breach an organization. IoT devices are hard to secure; they exist at 5 to 20 times the scale of IT devices, and they are often physically distributed widely across the organization (they are not neatly contained in data centers). Traditional IT security solutions don't work for IoT because they are often agent-based, and IoT devices do not allow agents to be placed on them due to the devices having unique operating systems and communication protocols.

Not only are there more vulnerabilities impacting IoT devices than traditional IT systems, IoT devices offer a wider set of exploits to a threat actor. For example, man-in-the-middle attacks are essentially a solved problem for IT systems, yet still can be effective against IoT systems. These are some of the reasons threat actors view IoT as low-hanging fruit in breaching an organization.

Likewise, many IoT devices are deployed and managed by the line of business (such as physical security, facilities, manufacturing, etc.), and may not be visible to the IT organization. Unless an automated solution is used, updating firmware on IoT devices can be slow, meaning that the window of vulnerability is open far longer for IoT than for IT systems. And because many IoT devices use open source software components (a fast-growing method of delivering vulnerabilities), enabling security fixes across a fleet of IoT devices with different makes and models also allows the attack window to be open for much longer than IT. Despite many organizations deploying IoT devices on networks segmented and firewalled away from the corporate network, over time connections to the corporate network happen, leading to IoT devices being a key method of entering an organization then pivoting to the corporate network (the hacked fish tank in Las Vegas comes to mind).

Another major reason defending the IoT attack surface is a high priority comes from how botnet armies are typically formed using IoT devices (the most famous example being the Mirai botnet, but many other examples exist). These IoT-based botnets deliver a significant percent of spam and phishing attempts (estimates range as high as 90%), which leads directly to planting malware and ransomware and enabling data exfiltration across multiple organizations. Fighting phishing and other attack vectors leads directly to shrinking the IoT attack surface.

I'd like to end on a practical note with a few concrete tips:

*   Make sure IoT devices are covered by corporate infosec policies.
*   Use IoT discovery and threat-assessment solutions to ensure every IoT device is visible.
*   If you have a zero trust initiative underway, extend it to IoT.
*   Use automation for implementing security fixes, and documenting all stages of it, both for compliance and management purposes.

The end result should be every IoT device being visible, secure, and performing its function – and a greatly reduced attack surface.

What Should I Know About Defending IoT Attack Surfaces?

IT Teams can now manage, detect, and secure all endpoints with 100% visibility across desktop, laptop, server, and mobile devices.

  
ALISO VIEJO, Calif. – \[May 3, 2022\] – Syxsense, a global leader in IT and security management solutions, today announced Syxsense Enterprise™, the world’s first IT management and endpoint security solution that delivers real-time vulnerability monitoring and instant remediation for every endpoint across an organization’s entire network environment. Syxsense Enterprise combines Syxsense Secure, Manage, and Mobile Device Manager to deliver a completely unified platform that scans and manages all endpoints, resolves problems in real-time, and reduces the risks associated with system misconfigurations. This enables organizations to better predict, identify, and remediate vulnerabilities.

“As threats get more complex, it’s important that IT teams have consolidated solutions for IT management and endpoint security. Syxsense Enterprise is designed to give them a centralized cloud-based platform for scanning, patching, recognizing, and remediating vulnerabilities that could lead to attack or exploitation of endpoints,” said Ashley Leonard, Founder and CEO at Syxsense. “By offering our customers a unified cloud solution, we enable complete control over every endpoint device on the network so they can secure business-critical resources quickly and streamline security operations.”

Syxsense Enterprise is the industry’s first Unified Security and Endpoint Management (USEM) solution that addresses the three key elements of endpoint security – vulnerabilities, patch, and compliance. It layers on a powerful workflow automation tool called Syxsense Cortex™ that remediates and eliminates endpoint security weaknesses – all through a single cloud-based, drag and drop management interface, with hundreds of prebuilt workflows. This includes the ability to identify software vulnerabilities in both OS and 3rd party applications, misconfigurations from open ports, disabled firewalls, ineffective user account polices and more.

It also includes Syxsense’s recently launched Mobile Device Management (MDM) solution, which allows IT to manage devices running on iOS, iPadOS, and Android, in addition to previously supported Windows, Linux and Mac environments. Syxsense MDM includes all the tools necessary for Device Enrollment, Inventory and Configuration Management, Application Deployment and Rollback, Data Containerization, and Remote Device Lock/Reset/Wipe (making it possible for IT to wipe sensitive data from lost or stolen devices).

“As the market shifts to a hybrid workforce, the number of endpoints is growing exponentially, with corporate network connected mobile endpoints soaring,” said Charles Kolodgy, principal at advisory firm Security Mindsets. “The need to manage and secure an increasing number of endpoints, including desktops, mobile phones and other devices, is becoming more apparent every day as sophisticated threats grow exponentially. Syxsense Enterprise is offering a solution that solves the need to both secure and manage a vast collection of endpoints. The key is the ability to scan for vulnerabilities and patch without losing business continuity.”

The key features of Syxsense Enterprise include:

Vulnerability Scanning – Prevent cyberattacks by identifying scanning authorization issues, security implementation problems, and antivirus status.

Patch Everything – Automatically deploy OS and third-party patches to remediate all endpoint vulnerabilities inside the network and on roaming devices outside the network.

Prove Compliance and Device Health – Document patching with reporting for risk assessments, vulnerable devices, task summaries and more. And scan and prioritize patching relative to risk exposure.

Quarantine Devices – Block communication for an infected device, isolate endpoints, and kill malicious processes before they impact the network.

Control All Mobile Devices – Oversee devices remotely, silently push OTA configurations, applications, and policies from iOS to Android to Windows and more.

Collaborate with Ease – IT and security teams can now collaborate in a single console to identify and close endpoint attack vectors quickly.

For more details or to schedule a demo, visit: https://www.syxsense.com/gc-demo-syxsense

**About Syxsense**

Syxsense is a leading provider of innovative, intuitive endpoint security and management technology that combines the power of artificial intelligence with industry expertise to help customers predict and remove security threats across all devices including mobile. Syxsense is the first unified security and endpoint management platform that centralizes the three key elements of endpoint security management (vulnerabilities, patch and compliance) and layers on a powerful workflow automation tool called Syxsense Cortex,™ all through a single cloud-based platform, enabling greater efficiency and collaboration between teams. The always-on technology performs in real-time so businesses can operate free of disruption from security breaches that cripple productivity and expose them to financial risk and reputational harm. For more information, visit www.syxsense.com

Syxsense Enterprise Unifies Endpoint Security and IT Management for Real-Time Vulnerability Monitoring and Remediation

Latest round led by IVP values the company at $450 million.

SAN FRANCISCO, May 3, 2022 — Traceable AI, the API security & observability company, today announced it has raised $60 million in Series B funding. This new funding values Traceable AI at more than $450 million. This investment round was led by Institutional Venture Partners (IVP), and other investors include Tiger Global Management and existing investors Unusual Ventures and BIG Labs. Traceable AI plans to use this round of funding to accelerate its next phase of growth by further investing in its product development and research efforts, expanding its sales and marketing teams, and expanding global sales.

“API security has become a major security and compliance concern for most companies,” said Steve Harrick, general partner, IVP. “Traceable offers a fundamentally differentiated solution that provides coverage across the full DevSecOps software lifecycle — from API development and testing to runtime protection. The company is led by Jyoti Bansal and Sanjay Nagaraj, proven entrepreneurs who we have been fortunate to work with before. They listen to customer needs and know how to deliver software at scale.”

Traceable was started two years ago by AppDynamics and Harness founder Jyoti Bansal and former AppDynamics VP of Engineering Sanjay Nagaraj through a $20 million Series A in July 2020.

"Widespread use of APIs in cloud-native applications has led to a significantly larger attack surface, intensifying the challenge of protecting these APIs from malicious usage or abuse,” said Bansal. “Bad actors only need one API entry point to access an organization’s data and cause irreparable financial, reputational and service interruptions damage. Traceable AI applies the power of machine learning and distributed tracing to truly understand how an application really works in the context of the business, and therefore, be able to detect anomalies and block threats to keep customers secure and resilient against next-gen attacks.”

By leveraging the team's expertise in distributed tracing and observability, Traceable AI is the only API security platform that discovers, manages and secures APIs for enterprise-level organizations. Their differentiated capabilities provide coverage for the most important API security use cases, including API discovery, sensitive data exfiltration, and detecting and blocking attacks such as account takeover, API abuse and API fraud.

“As we know, all businesses are run by software. Given that APIs are the core engine of any software model today, it’s imperative that we secure them to protect the business”, said John Vrionis, partner at Unusual Ventures. “We are extremely excited to be a part of the Traceable team and their continued efforts to help enterprises secure their most important software asset – APIs.”

**Traceable AI Use Cases**

Traceable AI provides the industry’s leading API security platform that discovers, manages, and secures all APIs against malicious attacks and provides rich analytics to perform threat hunting, so you can make the right decisions regarding your API security posture.

A wide range of companies, including Informatica, Bullish, Digital Ocean, Zolve, Houwzer and many large finance firms utilize Traceable AI’s innovative distributed tracing technology to secure their cloud-native applications.

“We want to detect and respond to breaches in the shortest time possible,” said Pathik Patel, head of cloud security at Informatica. “The most important part is to figure out how much visibility we have into our environment and how quickly we can find the root causes and remediate those items. Traceable AI deploys across any environment, whether it’s your cloud, Kubernetes, or traditional virtual machines. Knowing how our applications behave as a part of API discovery is what created the win for the Traceable AI team at Informatica.”

“Businesses are now API driven and increasingly susceptible to business logic abuse and generic vulnerabilities like Log4Shell/Spring4shell. A holistic approach is needed to protect APIs from known and unknown threats across environments by understanding their production and pre-production environments,” said Nagaraj. “Traceable AI fits into a company’s existing infrastructure quickly and without friction. We offer agentless deployment options, including out-of-band traffic mirroring, to make sure our platform fits the needs of our customers.”

**About Traceable AI**

Traceable protects APIs from the inside by understanding the unique business logic, user attribution, and context of each API – from development through production. With our distributed tracing technology and advanced context-based behavioral analytics, we deliver modern API security to your cloud-native and API-based applications. Learn more at https://traceable.ai.

Source

DARKReading