Security must be precise enough to meet compliance requirements without impeding DevOps and developer productivity. Here's how to strike that balance.

Businesses are moving fast to modernize application development, but Kubernetes security has taken a back seat in many cases. While that deprioritization is increasingly risky, security strategies to mitigate threats to containerized environments must tread a careful path.

On the one hand, security must be precise enough to meet the rigorous compliance requirements — and stand up to audits — across all regulations a given organization must adhere to, whether that's SOC 2, PCI DSS, GPDR, HIPAA, or others. At the same time, whatever security processes are put into place must still ensure that DevOps and developer productivity isn't impeded. It's a delicate balancing act that doesn't leave much room for error on either side.

To ensure continuous compliance in containerized environments without creating obstacles to productivity, adhere to these six practices.

**1\. Get Automated**  
Implementing the right tools — and there are many great fully open source options — delivers the real-time threat responses and always-on monitoring necessary for achieving continuous compliance. For example, automated vulnerability scanning and security policy as code should be integrated into the pipeline. Logs and events should be processed with an automated Kubernetes audit log analyzer. SIEM technologies powered by machine learning can quickly and automatically identify attack patterns. You should also leverage CIS benchmarks and custom compliance checks to inspect Kubernetes configurations continuously.

**2\. Secure Kubernetes Itself**  
It's become absolutely crucial to treat Kubernetes itself as an attack surface — because attackers certainly are. With the sophistication of threats maturing, continuous compliance now requires that the full stack behind your container environments is actively secured. This includes initiating automatic monitoring, hardening against exploits, performing configuration auditing, and preparing automated mitigation. That's not only true for Kubernetes but also any service meshes, hosting VMs, plugins, or other targets that may come under attack.

**3\. Seeing an Attack Is Preventing an Attack**  
Attack kill chains often begin with the launch of an unrecognized container network connection or process, which escalates its own level of access by writing or changing existing files or exploiting unprotected entry points. Such nefarious methods will then utilize network traffic to send captured data to an external IP address, resulting in a data breach. Kill chains may similarly target the Kubernetes API service for man-in-the-middle attacks, and commonly perform zero-day, insider, and cryptomining attacks. Attacks leveraging the Apache Log4j exploit are also on the rise.

Strategies that incorporate data loss prevention (DLP) and web application firewall (WAF) protection can provide the visibility required to detect active kill chains, as well as automated responses ready to put suspicious processes and traffic to a halt before they do harm. In fact, many regulatory compliance frameworks now specifically require organizations to have DLP and WAF capabilities in place to protect their container and Kubernetes environments, including PCI DSS, SOC 2, and GDPR (HIPAA strongly suggests DLP as well).

**4\. Zero in on Zero Trust**  
By implementing a zero-trust model, you're no longer _reactively_ addressing threats recognized in log analysis or signature-based detections. Instead, a zero-trust strategy ensures you'll be blocking all attacks by allowing only approved processes and traffic to be active in your environments. The full cloud-native stack, along with access controls such as RBACs, must feature these zero-trust safeguards. The result is a more assured approach to achieving continuous compliance.

**5\. Take Advantage of Built-In Kubernetes Security**  
Built-in Kubernetes security features include log auditing, RBACs, and system log collection centralized by the Kubernetes API server. Leverage these available capabilities to collect and analyze all activity logs for evidence of attack or misconfigurations. Follow up by addressing any issues or run-time activities that fall short of compliance by implementing security patches or new policy-based protections.

In most cases, you'll want to go further and support existing Kubernetes security with tooling that enables container application security and continuous compliance auditing. The built-in Kubernetes Admission Controller should be used to closely coordinate Kubernetes with external registries and resource requests. This approach will more effectively prevent vulnerabilities and unauthorized behavior in application deployments.

**6\. Verify the Security of Your Cloud Host**  
Cloud platforms hosting Kubernetes handle their own systems and must ensure their continuous compliance. However, the stakes are too high not to check that those cloud hosting practices are indeed well-secured and that they fulfill your own compliance responsibilities. In fact, the shared responsibility model offered by many cloud providers leaves the burden of securing application access, network behavior, and other assets in the cloud squarely on the customer.

**Continuous Compliance in Real-Time Environments**  
Kubernetes and containerized environments are highly dynamic, with containers spinning in and out of existence far more rapidly than manual security checks can possibly safeguard. In addition, traditional security technologies such as network segmentation and firewalling required by many compliance regulations don't work in container networks.

Modern continuous development processes regularly introduce new code and containers as applications are built, shipped, and run in production environments. As a result, regulations require organizations to adopt automated real-time security and auditing measures that provide true continuous compliance.

6 Best Practices to Ensure Kubernetes Security Meets Compliance Regulations

Come up with a clever caption, and our panel of experts will reward the winner with a $25 Amazon gift card.

A few potted plants around the workplace may make for a pleasant environment, but could this employee be taking that notion a bit too far? Therein lie the seeds for The Edge's latest caption content. Come up with a security-themed caption for your chance to win a $25 Amazon gift card. We offer four convenient ways for you to send us your ideas:

*   Email _\[email protected\]_ with the subject line "The Edge May 2022 Toon."
*   Via social media: Twitter, Facebook, and LinkedIn_._

The contest closes on Wednesday, May 25, 2022.

**Last Month's Winner**  
Last month's contest, "In Deep Water," stoked the imaginations of many Dark Reading readers. But in the end only one person can win, and this time the honors go to Braedon Gerdes, whose caption appears below:   

    

Congratulations, Braeden. Your gift card is on the way. And thanks to everyone who participated. We can't wait to see what you come up with next.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Edge Toon: Flower Power

Breaches can happen to anyone, but a well-oiled machine can internally manage and externally remediate in a way that won't lead to extensive damage to a company's bottom line. (Part 1 of a series.)

Wise security professionals understand that threat actors aren't sitting still, and they aren't playing by the same rules as old-school groups. Lapsus$, for example, is gaining notoriety for its unpredictable behavior, using tactics like extortion and bribing insiders for initial access. It has left even the most experienced security pros scratching their heads.

When you find your organization has been breached, will you be scrambling to figure out your security incident response and remediation plan when your team can't think straight, or will your response be as simple as muscle memory? To minimize the damage done when a security incident occurs, it's important to look inward.

**Keep a Tight Ship  
**I would never dare promise to "eliminate cyber threats," but I can provide strong recommendations to improve internal security. Analyzing some of the latest Lapsus$ victims, we can learn a few things.

First, **_credential security is imperative._** Sooner or later, a threat actor will compromise credentials in your organization. It's not realistic for a business to expect all employees to refuse extortion attempts at all costs. Understanding this reality turns the impossible task into a practical solution.

Security teams should shift their focus from purely _preventing_ credential compromise to _tracking_ user behavior so that anomalies can be quickly identified and acted upon.

Lastly, when discussing the Lapsus$ incidents and others like them that are using extortion and bribery to initiate entry, we must discuss the importance of cybersecurity awareness and insider threat training. Many organizations have put some level of end-user security training into practice. But clearly, that isn't enough to stop novel threat groups from breaching the last line of defense.

**Managing Third-Party Companies  
**Organizations can't prepare their own privacy and security practices in a vacuum — we all depend on a large network of products and services to do our jobs.

Repeat after me: _Anyone (or any organization) could easily be a victim of a third-party incident._

If you were to assess the privileges of each of your third-party solutions, would you be proud of what you found? Chances are, there are weak spots in access protocols. Your third-party solutions likely have access to things they shouldn't. Your contractual agreements probably aren't bulletproof either.

While it's important to factor in the balance of manageable risk with return on investment, it's also essential to foster a collaborative yet vigilant relationship with all of your external parties. It's about defining a clear contract with vendors that involves security early on, focusing on shared responsibilities for security, good architecture, and timely communication.

**Check on Cybersecurity Checklists  
**Creating a cybersecurity checklist should be a requirement to do business with any third party. The checklist should include (but is not limited to): thoroughly vetting vendors' privacy and security standards; adding terms and conditions within your contract to address what would happen in the case of an outage and the costs each party would incur; and contingency plans for employees who may depend on technology or software solutions to do their jobs. Take a similar approach whenever your organization is involved in any type of M&A activity, as the risks apply to those scenarios as well.

There will always be risks associated with third-party solutions, but living in a bubble isn't realistic. Managing this risk by having visibility and security capabilities across the entire security incident response life cycle must be the endgame.

**Communicating Gaps  
**Organizations experiencing a security incident must not hide behind a third party and shouldn't blame their employees. They also must not allow lawyers to create smokescreens around what happened. This helps no one in the long term and only saves face until it doesn't anymore.

Communication around current vulnerabilities and threats is constantly flowing in healthy, well-prepared organizations. As a security practitioner, you should be proactive in how you communicate with leadership. It's extremely effective to manage up by sending a notice to leadership about a new breach or vulnerability with your insight added. Security analysts can offer value by proactively showing that they've already checked "XYZ" and that they're running automated queries for indicators of compromise, etc. They can forward that to their CISO for that person to share upward. CISO/SOC leadership can then take action to fill that gap.

Additionally, when a security incident occurs, security analysts should feel comfortable saying "we didn't have the capabilities to identify this incident." Effective operations require reflection on your own security incidents and thought experiments with other shared problems in the security community. Be honest and document everything. From there, they can use these proof points to work with leadership and fill in the gaps.

**Culture Is Key  
**No one with a straight face can deny the importance of security culture when it comes to keeping a tight ship, managing third-party security, and mastering internal communication. Culture weaves through it all. Motivated employees with excellent support from their team members and leadership are less likely to make errors and are also less likely to turn around and give information to a cybercriminal when faced with the temptation of shiny rewards or, worse, revenge.

Fostering a culture of open communication (as opposed to fear of making a mistake) will help your security analysts feel like they can talk to leadership about what gaps need to be filled to properly do their jobs and minimize the impact of future breaches.

Security incidents will happen to everyone, but a well-oiled machine can internally manage and externally remediate in a way that won't lead to extensive damage to a company's bottom line. Many companies are overwhelmed with just the thought of a breach happening — imagine how they panic when a breach actually occurs.

_Stay tuned for Part 2 later this week, which will provide advice on handling the public's response after an incident._

Security Stuff Happens: What Do You Do When It Hits the Fan?

A comprehensive security strategy balances technology, processes, and people — and hiring and retaining security personnel and securing the remote workforce are firmly people priorities.

Almost five months into 2022, acquiring and retaining security personnel and securing the remote workforce are two things top of mind for security leaders.

That's according to analyst firm Info-Tech Research's 2022 Security Priorities report, which lays out both the top priorities and the main obstacles for security leaders. The other three top priorities are digital transformation, zero trust, and ransomware. The priority list is strongly influenced by the COVID-19 pandemic, the increase in cybercrime, and the shift to remote work, according to Info-Tech Research.

Nearly a quarter of the respondents (23%) named securing the remote workforce as their top priority for 2022. That includes both implementing security controls to create a secure environment for users and helping employees build "safe habits," the research firm said.

    

Source: Info-Tech Research

Pandemic-driven changes like the shift to remote work "are largely expected to remain, regardless of the progression of the pandemic itself," Info-Tech Research said in its report. This is consistent with Dark Reading's 2022 Endpoint Security Survey, where 48% of respondents said they made changes to their endpoint security strategy to accommodate the shift to work-from-home in the early days of the pandemic — and 54% don't plan on shifting back to how things were before the pandemic.

Along with remote workforce security, the other top priority in the people category was hiring skilled cybersecurity professionals and creating a good working environment for existing employees. Retention is very important, as being understaffed means new security initiatives are placed on hold and existing security projects may be delayed. In fact, 31% of respondents cited staffing constraints as their biggest obstacle.

"The pandemic has changed how people work as well as how and where they _choose_ work," Info-Tech Research found, noting that "Most smart, talented new hires in 2022 are demanding to work remotely most of the time."

This create a bit of a tangle for security leaders, who want to attract top talent by giving them the flexible work environment they are asking for, but the shift to remote work exposes organizations to more costly cyber incidents, according to Info-Tech Research. The cost of a data breach rose by nearly 10% over the past year, with the average cost at $4.24 million, Info-Tech Research said, citing figures from IBM's Cost of a Data Breach report. The average cost of breaches where remote work is involved is $1.07 million higher, suggesting that ubiquitous remote work will continue to result in more costly security incidents.

Part of the reason for the higher costs may be because "it takes two months longer, on average, to detect and contain a breach when more than 50% of staff are working remotely," the report said, citing IBM.

Security leaders need to reassess the enterprise security strategy to consider the work-from-home attack surface, especially endpoint visibility, and to enable strong authentication requirements, such as multifactor authentication (hardware tokens for high-risk users) and VPNs for restricted sessions.

With remote work, it is even more imperative that security leaders develop a zero trust strategy in order to minimize the blast radius in case of a breach. Zero trust, coincidentally, happens to be one of the top security priorities, which we'll cover next week.

2022 Security Priorities: Staffing and Remote Work

The less-good news: IAM only works for applications your IT department knows about, so watch for "shadow IT" programs installed or written by users that leave a security gap.

Almost every company implements identity access management (IAM) techniques such as single sign-on (SSO) to secure users who access software-as-a-service (SaaS) offerings, and most supplement that with measures like firewalls and cloud access security brokers (CASBs).

That's according to the 2022 SaaS Visibility and Impact Report from SaaS security provider Torii, which surveyed 100 technology executives to see how the pandemic has affected their IT practices and strategies. Nine of out 10 respondents (90%) say they use IAM/SSO to protect their networks, with 70% adding firewalls, antivirus software, and related safeguards. More than 6 out of 10 (61%) implement CASB or other security access guardrails related to secure access service edge, while 16% use SaaS management tools.

SaaS has become an indispensable part of business, especially during the pandemic-impelled push toward remote working. In the recent Dark Reading survey State of the Cloud: A Security Perspective, for example, half of respondents reported having 2 to 9 cloud applications in their organization. This new reality creates a need for tools that protect network resources: A recent study from Reposify showed that almost two-thirds of cybersecurity vendors had their back-office networks directly accessible from the Internet, and half had at least one exposed database.

An extra challenge springs from the decentralized work environment. Employees have started to solve their own problems by writing or installing their own software tools outside of the control of the IT department, a phenomenon known as "shadow IT." These programs, while often useful for solving immediate challenges, can create security holes when IT doesn't even know the tool exists.

Both CASBs and SaaS management tools can plug up shadow IT holes, while IAM and firewalls tend to be blind to uncatalogued software. For more, read the full report here.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Good News! IAM Is Near-Universal With SaaS

QNAP and Synology say flaws in the Netatalk fileserver allow remote code execution and information disclosure.

Network attached storage (NAS) device vendors QNAP and Synology this week disclosed multiple critical vulnerabilities in an open source fileserver technology integrated into their products.

The vulnerabilities — several of which enable remote code execution (RCE) — exist in Netatalk, an open source version of Apple File Protocol fileserver for accessing network shares in multiple operating system environments. Both vendors are still working on updating all versions of their products that contain the vulnerability.

**Unpatched for Months**  
Security researchers working in coordination with the Zero Day Initiative (ZDI) reported a total of six vulnerabilities to the maintainers of Netatalk in December. Three of them are critical RCE bugs tied to buffer-overflow issues (CVE-2022-0194; CVE-2022-23122; CVE-2022-23125). Two of the flaws are medium-severity out-of-bounds information-disclosure vulnerabilities (CVE-2022-23124; CVE-2022-23123), and one is a critical RCE issue tied to improper handling of exceptional conditions (CVE-2022-23121).

Brian Gorenc, senior director of vulnerability research and head of ZDI at Trend Micro, tells Dark Reading that all the Netatalk bugs were first discovered at Pwn2Own Austin in November 2021.

Another flaw, a high-severity buffer-overflow related RCE (CVE-2021-31439), was disclosed to Netatalk's maintainers all the way back in March 2021.

The development team at Netatalk released an updated version of the software (Netatalk 3.1.13) on March 23 that addressed all seven of the vulnerabilities. The updated version is available for all currently supported operating systems: FreeBSD, Linux, OpenBSD, NetBSD, and Solaris and derivates.

However, it's a longer timeline for some vendors to roll the patches into their products. ZDI's Gorenc says that because Netatalk is a third-party component used by many NAS vendors, the vendors are responsible for monitoring for releases of Netatalk and integrating these releases into their products. "We are glad to see the NAS vendors updating their Netatalk deployments to resolve the vulnerabilities that were disclosed and fixed at Pwn2Own Austin," he says.

Western Digital is another vendor whose products were impacted by the flaws in Netatalk. But unlike Synology and QNAP, Western Digital proactively removed Netatalk from its products on Jan. 10, 2022, citing concerns over multiple critical vulnerabilities in the technology.

"Because Netatalk is unmaintained, we have removed Netatalk from our firmware released on January 10, 2022," the company announced in March. "Users can continue to access local network shares and perform Time Machine backup via SMB."

**Affected Devices**  
Synology's advisory described the vulnerabilities as critical and allowing remote attackers to steal sensitive data. Bad actors could potentially execute arbitrary code on NAS devices via a vulnerable version of its DiskStation Manager (DSM) and Synology Router Manager (SRM) technologies.

QNAP identified multiple versions of its QTS operating system as being vulnerable and said it is currently investigating the flaws. The company said that it's working on releasing updates to all impacted products, and it urged customers to install the updates as soon as they become available.

The Taiwan-based NAS manufacturer also outlined steps that organizations can take to mitigate the risk posed by the vulnerabilities while it works on fixes. QNAP's advisory identified CVE-2021-31439 — the flaw from last March — as one of the issues that it still needs to address in its products even though it was disclosed more than one year ago.

Both Synology and QNAP did not immediately respond to requests for comment from Dark Reading.

Critical Vulnerabilities Leave Some Network-Attached Storage Devices Open to Attack

This scale of this month's encrypted DDoS attack over HTTPS suggests a well-resourced operation, analysts say.

A DDoS-over-HTTPS attack targeting an unnamed crypto launchpad company clocked in at a whopping 15.3 million requests-per-second (rps) earlier this month — turning heads at Cloudflare.

It lasted just 15 seconds, but the HTTPS DDoS attack was the largest of its kind the company has ever observed, two analysts from Cloudflare explained in a new blog post.

Cloudflare's researchers noted that HTTPS DDoS attacks require the use of a transport layer security (TLS) encrypted connection, which isn't cheap. That suggests a well-funded operation.

"We've seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale," according to the post.

Crypto launchpads are platforms where new cryptocurrencies and decentralized finance (DeFi) projects can launch and attract early investors.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cloudflare Flags Largest HTTPS DDoS Attack It's Ever Recorded

Encryption will break, so it's important to mix and layer different encryption methods.

Quantum computers may one day break encryption. So might stochastic magnetic tunnel junction machines, also known as spintronics. But we don't need next-generation computing power to break encryption. It’s successfully happening right here and now.

**Why Does Encryption Fail?  
**There are many factors that contribute to encryption weaknesses and create vulnerabilities ready for exploitation by cybercriminals or state-sponsored actors. Chief among them is poorly implemented cryptography – in terms of both the crypto libraries themselves and the way they are used. Bugs such as Heartbleed or the recent implementation error of the Elliptic Curve Digital Signature (ECDS) algorithm in Java versions 15 and above, undermine all programs based on them. The incorrect use of a library, insufficient entropy, or use of weak ciphers is a daily occurrence that impacts specific applications, making bugs even harder to find. Other encryption failings include weak passwords and certificates taken from compromised machines. Combine these techniques with “harvest-now-decrypt-later” attacks, and encryption technology is no longer what it used to be.

**Mathematics, the Cornerstone of Encryption  
**Extremely difficult mathematics underlie our encryption. RSA, the gold standard for public key encryption, is based on the complexity of breaking down a large number into its constituent primes. The forward problem is easy and quick to solve: Take some primes and multiply. But the reverse problem is much harder: Given an integer, which primes were multiplied to make it? Attempts to solve the problem of prime factorization dates back centuries, with Euclid of Alexandria working on specific properties of prime numbers more than 2,000 years ago.

Although no solutions have been found that work on conventional binary computers, that does not mean none exist. After more than 2,000 years of work, most mathematicians agree a prime-factorization algorithm used by a classic computer won’t be here anytime soon. Peter Shor proposed an algorithm that could do composite number decomposition in polynomial time on a quantum computer – breaking RSA and Diffie-Hellman ciphers – but a quantum computer of this kind has not been publicly demonstrated at sufficient scale. Yet.

To prepare for the day when Shor’s algorithm is in play, the National Institute for Standards and Technology (NIST) has sponsored a post-quantum cryptography (PQC) competition. Now in its sixth year, the competition that began with 82 submissions is expected to announce its four finalists this year.

The remaining candidates are asymmetric-key algorithms (similar in concept to RSA) believed to be capable of withstanding the computational power of a stochastic algorithm that might run on a scalable quantum computer. The mathematical problems upon which these newer algorithms are based are much younger and have not been studied extensively.

In the field of complex mathematics _centuries_ are common time frames. For example, Fermat’s last theorem took 358 years to be proven. By that logic, it’s no wonder we have already seen a previously unknown or unforeseen weakness revealed in Rainbow – what had been the most peer-reviewed quantum-resistant algorithm now deemed unsuitable for use by NIST. It’s only a matter of time, then, before new encryption standards are weakened or outright broken. This is why NIST is encouraging organizations to embrace crypto agility in their post-quantum preparedness planning.

What complicates this matter further is that we don't — and won't — know which methods are bearing fruit and which techniques are being used, and by whom, to break the encryption we rely on to secure our digital universe. For all we know, large-scale quantum computers are already in use. If you were a nation state or criminal mastermind and had the ability to factor large numbers into their primes, would you tell the world? This is the fundamental problem with modern encryption: We often don’t know which, when, or how ciphers are compromised. However, we can say with certainty that encryption is being broken – and will be broken.

**Look to Wall Street and Diversify  
**To harden IT environments and digital assets in the face of such uncertainty, we can look to Wall Street for strategic advice. To combat the uncertainties and risks associated with loans and stocks go bad, financial institutions embrace diversification. By diversifying investments across multiple asset classes, geographies, and industries, the risks of an entire portfolio imploding are minimized.

This approach can, and should, be applied by enterprise IT and SOC teams when it comes to encryption. Using and mixing/stacking multiple encryption techniques helps to keep data traveling securely even if a flaw is uncovered in one of the encryption layers. We won’t always know which part of a crypto stack has been defeated and how, but it won’t matter if the cryptography is sufficiently diversified.

As an industry, we need to support the simultaneous use of multiple approaches, anticipating that new crypto methods will come and go. We must mix asymmetric key technology with symmetric key technology, and transmit keys through out-of-band channels. Most importantly, we must develop agreed-on metrics and industrywide benchmarks to measure exactly how diversified our crypto strategy is.

Take a Diversified Approach to Encryption

The AI startup releases new threat signatures to expand the computer vision platform’s ability to identify potential physical security incidents from camera feeds.

A comprehensive cybersecurity strategy should include physical security. Adversaries don't need to worry about compromising a corporate device or breaching the network if they can just walk into the office and connect directly into the network.

CISOs are increasingly including physical security as part of their strategic investments, says Stephanie McReynolds, head of marketing at Ambient.ai. Organizations are spending a lot of money and effort to lock down cybersecurity, but all of those security controls are useless if the adversary can just enter a restricted space and leave with equipment.

"The last mile of cybersecurity is physical location," McReynolds says.

Ambient.ai uses computer vision technology to solve physical security problems, such as monitoring who is entering the building or a restricted area and monitoring all the video feeds coming from the camera network. Computer vision is a subcategory of artificial intelligence dealing with how computers can process images and videos and derive an understanding of what they are seeing. The idea behind computer vision is to provide computers with eyes to see the same things humans see, and training the algorithm to think about what the eyes saw.

In the case of Ambient.ai, the company's computer vision intelligence platform serves as "the brain" behind physical access control systems, such as security cameras and physical sensors (such as door locks and entry pads). This week, the company expanded the catalog of behaviors the computer vision platform can recognize with 25 threat signatures.

**Computers Help Humans See**  
Traditionally, physical security involves staff in the security center monitoring alerts from the sensors and watching video feeds to try to detect when something untoward is happening. They may receive alerts that a door is open, or that a person swiped the access card to get into the building after-hours. There might be camera footage of someone loitering for quite some time in the building lobby, or a person entering a restricted area carrying an unauthorized laptop. Humans are expected to detect and respond to security incidents, but between fatigue and too much information to process, things can get missed.

"One individual is trying to watch 50 camera feeds at once. This doesn't work," McReynolds notes.

There have been three waves in computer vision, McReynolds says. The first wave was basic detection — that there was an object there, but no insight into what it was. The second wave added recognition, so it knew what it was looking at, such as whether it was a person or a dog. But it was a limited form of recognition, and there was a lot that was still unknown about the object it was looking at. The third wave, the current one, takes in context clues from the broader scene to understand what is happening. Just as a human would look at details around the object to understand what is happening, such as whether the person is sitting or if the person is outside, computer vision technology is now capable of collecting those details.

Ambient.ai breaks down the image or video into "primitives" — which refers to components such as interactions, locations, and objects seen — and constructs a signature to understand what is happening. A signature may be something like a person standing in the lobby for a long time not interacting with anyone, for example.

The new threat signatures expand the platform's ability to catalog over 100 behaviors, McReynolds says.

**Recognizing What Is an Incident**  
The Ambient.ai Context Graph assesses three risk factors to determine next steps: the context of the location, the movements that create behavior signatures, and the type of objects interacting in a scene. Based on these factors, the platform can dispatch security personnel to handle the incident, validate risks, or trigger proactive alerts. With the Context Graph, analysts can also tell which alerts are not security incidents, such as a door that didn't latch properly, and close the ones that don't require any action.

"A person holding a knife running in the kitchen isn't a security incident," McReynolds says. "A person holding a knife running in the lobby, on the other hand, is a security incident."

VMware, an Ambient.ai customer, claims that 93% of its alerts each year were false positives. By integrating Ambient.ai's platform with its physical access control systems, VMware's security teams didn't have to deal with those alerts and were able to focus their attention on dealing with the remaining 7% of alerts to stop security incidents on its campus.

McReynolds described a potential workplace violence scenario, where a former employee tried to use their badge to enter the building. The invalid badge in and of itself is not a security threat, but paired with security footage of the former employees sitting in the lobby and not interacting with anyone, there are enough reasons to be concerned. The alert would then be prioritized to send a guard to approach the individual.

"Sometimes it takes just a conversation and the person will stand down," McReynolds says.

All that is accomplished without resorting to facial recognition, which brings a host of privacy implications. Ambient.ai uses machine learning, pattern-matching, and computer vision to make decisions about what is important.

**Computer Vision in Security**  
Computer vision technology is useful in several security contexts because it can be used to detect manipulations that are less visible to the human eye, says Fernando Montenegro, senior principal analyst at Omdia. For example, the technology can be used to identify spoofed logos and websites used in account takeovers and ecommerce fraud. Another interesting use case is to represent binary samples as images, and then using imaging classification techniques to classify them as malicious or not, he says.

One aspect of computer vision is the capability to analyze "datasets that are not originally 'images' themselves, but can be encoded as such," Montenegro says.

Humans have the capacity to say something doesn't look right, even if they can't specifically point to something that is wrong, says Gunter Ollmann, CSO of Devo. An intriguing application of computer vision research is to train the algorithm to be able to detect something is wrong because of the way it looks, he says. By turning source code into an image, the machine can analyze the structure and other patterns to detect potential issues without having to analyze the code line by line. This kind of analysis can be used for malware analysis, by color-coding different categories of function and analyzing the image to get an understanding of what the application is doing.

There are several computer vision startups tackling cybersecurity issues. Hummingbirds AI uses facial biometrics to authenticate users and grant access to the device. When the computer "sees" a person who is not authorized that is close to the screen, the tool blocks access. Pixm relies on computer vision to identify and stop spear-phishing attacks. The platform runs in the browser window and is available from the moment the user clicks on a link until the campaign is disrupted.

"We are now in an exciting era where \[the machine\] can collaborate with the human," Ambient.ai's McReynolds says, regarding advancements in computer vision.

Ambient.ai Expands Computer Vision Capabilities for Better Building Security

Flaws gave attackers a way to access other cloud accounts and databases, security vendor says.

Microsoft has patched a dangerous pair of vulnerabilities in its Azure Database for PostgreSQL Flexible Server that gave attackers unauthorized cross-account access to databases in cloud hosted environments.

The first is a privilege escalation bug in a modification that Microsoft made to the PostgreSQL engine. The second is a bug that leverages the privilege escalation enabled by the former to give attackers cross-account access.

Threat actors could have used the flaws to bypass authentication mechanisms and gain full access to customer data across multiple databases in a region without leaving any trace of their presence, researchers from cloud security vendor Wiz Research recently discovered.

"An attacker could create a full copy of a target database in Azure PostgreSQL \[Flexible Server\], essentially exfiltrating all the information stored in the database," says Ami Luttwak, co-founder and CTO at Wiz. The vulnerabilities would have allowed attackers to bypass firewalls configured to protect the hosted databases unless an organization had configured it for private access only. "But this is not the default configuration," Luttwak says.

In an advisory Thursday, Microsoft described the security issue as impacting organizations that had deployed their PostgreSQL Flexible Server instances using the public access networking option. The company said it mitigated the issue on Jan. 13, 2022, less than 48 hours after Wiz had notified it of the issue. Microsoft said its analysis showed no evidence of attackers having exploited the vulnerabilities to access customer data. Though organizations using the service need not take any action, Microsoft recommended they enable private network access for their Flexible Server instances to minimize exposure to similar issues.

Luttwak says vulnerabilities like these highlight why organizations need to have a defense in depth security model when deploying and running cloud workloads. He says, "Here, a simple developer mistake — a wrong prefix validation — led to a potential ability for attackers to gain access to customer data." The only way to mitigate such risks is to have multiple layers of protection so a single bug does not allow for a compromise, Luttwak says.

The Wiz researchers found the bugs as part of a wider research effort to find cross-account access vulnerabilities in cloud services. These are a class of vulnerabilities that essentially give attackers a way to break through tenant isolation mechanisms in cloud environments to access other customer accounts and data. Wiz's effort follows the company's discovery in August 2021 of a critical vulnerability — dubbed ChaosDB — in Microsoft's Azure Cosmos DB that gave the company unrestricted access to databases and accounts belonging to thousands of customers of the Azure service, many of whom were Fortune 500 companies.

"Following the ChaosDB vulnerability we disclosed last year, we specifically focused on cloud-managed databases as they pose the most risk holding sensitive customer data," Luttwak notes.

**Cross-Account Access Flaws in the Cloud**  
Wiz decided to focus on Azure PostgreSQL Flexible Server because it is a widely used cloud managed database service, where the database instances run in an internal cloud environment owned by the service provider. The researchers began by trying to figure out a way to escalate privileges within their own PostgreSQL Flexible Server instance and discovered a vulnerability in some modifications that Microsoft had made to the engine ostensibly to harden its privilege model.

"The privilege escalation bug is not a PostgreSQL vulnerability, but rather is a result of modifications Azure introduced to the PostgreSQL engine on their end," Luttwak says. "It's likely these modifications were introduced to help Azure better manage customers' instances and reduce friction."

Once the researchers gained code execution privileges on their PostgreSQL Flexible Server instance, they found they had network access to other accounts within the subnet via their internal network interface. To test whether the access would work, the researchers created another PostgreSQL Flexible instance using a separate account and tried accessing it from their first database. When that worked, they looked for a way to similarly use their instance to access other accounts without authenticating to them. This led to the discovery of a vulnerability that allowed them to do just that, using a forged certificate.

Luttwak explains the exploit as leveraging an Azure high availability function that uses PostgreSQL's replication feature to replicate databases between servers.

"The replication service connects to the database instance and has the permissions to replicate it to other nodes" via a shared network, he says. Wiz researchers found they could get complete copies of other databases by authenticating as the replication service to other PostgreSQL instances using a certificate issued to an arbitrary domain rather than Azure's replication service certificate.

"We didn't actually achieve access to the replication service certificate," Luttwak says. "But we found a way to bypass \[it\] since the PostgreSQL was only looking for a private key with a certain prefix."

That allowed Wiz to simply create a legitimate-looking certificate that passed the authentication, Luttwak notes.

He says the two — now patched — vulnerabilities would have needed to be chained to have significant impact. That's because the first vulnerability only provides local access to a database instance. But without it, an attacker would not have the privileges required for cross-account access.

Source

DARKReading