Login
Welcome back to our executive blog series, where we’re sitting down with some of the pivotal players behind McAfee Enterprise to hear their takes on today’s security trends, challenges, and opportunities for enterprises across the globe.
Q: Do you have a role model? If so, who is it? |
Well, there are work and there are more personal role models. At work, I have several past and present role models I’ve met across my career that share the same traits. They’re typically great leaders who lead authentically and with a strong sense of purpose and values. For these, I often think when facing a challenge, “What would he or she do?”
Personally, I have many people who have inspired me. A current, topical favorite is Gareth Southgate – manager of the England national football team. He’s not only achieved great success in getting the team to their first final in over 50 years but has challenged the status quo by focusing on young talent and has played a pivotal role as a visible leader in support of diversity.
Q: What’s the most important thing happening in your field at the moment? |
The pandemic, coupled with the ongoing digitization of society, are probably the two most dominant topics in the cyber domain. Ransomware and cyber threats continue to rise in profile, as does cyber security and information assurance in the macro, geo-political sphere. Our purpose has never been greater as leaders in this field.
Q: Will zero trust be a requirement for agencies? |
Yes. Organizations deliver outcomes through partnerships, both at a human and systems level. Implementing mechanisms to ensure trust is increasingly important as these partnerships increasingly digitize in operation. Thinking of zero trust as an architecture and framework matters. Many suppliers articulate zero trust as a feature. It is not. As a true partner, it’s important to consider its role more broadly, to not trust and always verify, not just a virtual choke point (remember, there is no perimeter), but throughout the data journey.
Q: What was your mindset to build your team and establish the right culture to drive success for the new company and continue to strive for new goals in the future? |
In building a team with the culture to drive growth, the most fundamental attributes I seek in every team member is attitude and energy. Those are the power and velocity needed as a foundation. It’s amazing what people can achieve, and how they find ways to do so, with those fundamental ingredients.
When you combine a group of those people with a common goal and assign each a clear role to play, you end up with a phenomenal team. Rather than offering either no parameters, or parameters that are too narrow, you must empower them with a framework in which they can innovate and find ways to win. This is critical – giving them the scope to use their talent for a positive outcome. Listen to them. Hiring great people who push boundaries brings a lot of intellect and creativity. It’s a waste of intelligence if you don’t take the time to learn from them to continuously improve the business.
The post Executive Spotlight: Q&A with EMEA Senior Vice President, Adam Philpott appeared first on McAfee Blog.
Now more than ever, it’s critical to be mission-ready for the next cyber threat. Our digital-first, post-pandemic world is shifting back to a new normal. But the threats are still here.
And according to many reports, the threats have – and are continuing to – increase. McAfee Enterprise’s Advanced Threat Research recently published a report highlighting some of the biggest cyber stories dominating the year thus far, including recent ransomware attacks. While the topic itself is not new, there is no question that the threat is now truly mainstream. In fact, the June report provides a deep dive into the DarkSide ransomware, which resulted in an agenda item in talks between U.S. President Biden and Russian President Putin.
So how does the DoD approach modern-day threats like this? McAfee Enterprise’s online cyber training program is a great place to start. I’m proud to say the program is complimentary for our DoD partners and provides anywhere from 1-6 Continuing Professional Education (CPE) hours per course. You can login anywhere in the world to access the various trainings. Plus, the digital course are valid for 30 days from your registration date, so you can start and stop at any time. Not surprisingly, the tech industry is seeing a greater acceptance and return on investment from online training programs. Within the DoD for example, the Airforce recently launched Digital University. Airmen are elevating their digital literacy skills with up to 12,000 courses to better serve our country, while discovering new career paths in the process. Everything from leadership and public speaking to cloud computing and cybersecurity are covered, proving this platform may be the future of IT training.
I know the cyber industry that I joined 20+ years ago isn’t the same as it is today. And without access to trainings and CPE courses, my skill set would not be as strong. But if your day is anything like mine, finding time to squeeze in continuing education courses is a challenge. However, after hearing feedback from a long-time DoD partner, I know we’re on to something good. Success stories like these remind me of the importance of staying cyber-resilient in the field.
Don’t forget to reach out to your McAfee Enterprise Account Executive for your unique DoD voucher code!
The post Access Granted: How the DoD Can Stay Cyber-Resilient appeared first on McAfee Blog.
Cyberattacks on medical centers are one of the most despicable forms of cyber threat there is. For instance, on October 28th, 2020, a cyberattack at the University of Vermont Medical Center in Burlington VT led to 75% of the scheduled chemotherapy patients being turned away. Many of us have friends and loved ones who have had to undergo intensive treatments, and the last thing we want in this situation is for their critical care to be delayed due to on-going cyberattacks. Yet, as concerning as ransom attacks can be, what if the process of receiving the treatment was an even bigger threat than a system-wide ransomware event?
McAfee’s Enterprise Advanced Threat Research team, in partnership with Culinda, have discovered a set of vulnerabilities in B. Braun Infusomat Space Large Volume Pump and the B. Braun SpaceStation.
McAfee Enterprise ATR remotely hacks a B.Braun Infusomat Pump
These critical vulnerabilities could allow an attacker to conduct remote network attacks and modify the amount of medication a patient will receive through infusion. This modification could appear as a device malfunction and be noticed only after a substantial amount of drug has been dispensed to a patient, since the infusion pump displays exactly what was prescribed, all while dispensing potentially lethal doses of medication. This attack scenario is made possible through a chain of known and previously unknown vulnerabilities found by McAfee Enterprise ATR. A critical component of this attack is that the pump’s operating system does not verify who is sending commands or data to it, allowing an attacker to carry out remote attacks undetected. For those looking for a more technical analysis of the vulnerabilities, an in-depth blog can be found here.
From the 1960’s to 2000, infusion pumps were mostly electromechanical devices with an embedded operating system, but the turn of the century delivered “smarter” devices with better safety mechanisms and the possibility to program them, which slowly opened the door to computer security challenges. Today, it is estimated that there are over 200 million IV infusions administered globally each year. The infusion pump market is a clear potential target for attackers. The market is valued at an estimated $54 billion in annual revenue, with 2020 sales of IV pumps in the US at $13.5 billion. IV pumps are inherently trusted to be secure and have over time become the mainstay for efficient and accurate infusion delivery of medication. B. Braun is one of the key market share holders in this rapidly growing market, emphasizing the impact of these vulnerability discoveries.
Industry personnel can be the best source of information for determining impact. Shaun Nordeck, M.D, an Interventional Radiology Resident Physician at a Level 1 Trauma Center, prior Army Medic and Allied Health Professional, with more than 20 years in the medical field, states that: “Major vulnerability findings like the ones reported by McAfee’s Enterprise Advanced Threat Research team are concerning for security and safety minded medical staff. The ability to remotely manipulate medical equipment undetected, with potential for patient harm, is effectively weaponizing these point of care devices. This is a scenario previously only plausible in Hollywood, yet now confirmed to be a real attack vector on a critical piece of equipment we use daily. The ransomware attacks that have targeted our industry rely on vulnerabilities just like these; and is exactly why this research is critical to understanding and thwarting attacks proactively.”
These vulnerabilities were reported to B. Braun beginning in January 2021 through McAfee’s responsible disclosure program. Through ongoing dialog, McAfee Enterprise ATR have learned that the latest version of the pump removes the initial network vector of the attack chain. Despite this, an attacker would simply need another network-based vulnerability and all remaining techniques and vulnerabilities reported could be used to compromise the pumps. Additionally, the vulnerable versions of software are still widely deployed across medical facilities and remain at risk of exploitation. Until a comprehensive suite of patches is produced and effectively adopted by B. Braun customers, we recommend medical facilities actively monitor these threats with special attention, and follow the mitigations and compensating controls provided by B. Braun Medical Inc. in their coordinated vulnerability disclosure documentation.
This concludes a research project which took two senior researchers a significant amount of time to showcase a life-threatening risk of a medical device being taken over by a remote attacker. For the time being, ransomware attacks are a more likely threat in the medical sector, but eventually these networks will be hardened against this type of attack and malicious actors will look for other lower-hanging fruits.
The unfortunate reality is that individuals can’t do much to prevent or mitigate these enterprise-level risks, outside of staying mindful of security issues and maintaining awareness of possible threats. However, the good news is that security researchers continue to propel this industry towards a safer future through responsible disclosure. We strongly encourage vendors to embrace vulnerability research and consumers to demand it. The medical industry has lagged severely behind others in the realm of security for many years – it’s time throw away the digital “band-aids” of slow and reactive patching, and embrace a holistic “cure” through a security-first mindset from the early stages of development, combined with a rapid and effective patch solution.
In May 2021, B. Braun Medical Inc. disclosed information to customers and the Health Information Sharing & Analysis Center (H-ISAC) that addressed the potential vulnerabilities raised in McAfee’s report, which were tied to a small number of devices utilizing older versions of B. Braun software. Our disclosure included clear mitigation steps for impacted customers, including the instructions necessary to receive the patch to eliminate material vulnerabilities.
Braun has not received any reports of exploitation or incidents associated with these vulnerabilities in a customer environment.
The post Overmedicated: Breaking the Security Barrier of a Globally Deployed Infusion Pump appeared first on McAfee Blog.
As part of our continued goal to provide safer products for enterprises and consumers, we at McAfee Advanced Threat Research (ATR) recently investigated the B. Braun Infusomat Space Large Volume Pump along with the B. Braun SpaceStation, which are designed for use in both adult and pediatric medical facilities. This research was done with support from Culinda – a trusted leader in the medical cyber-security space. Though this partnership, our research led us to discover five previously unreported vulnerabilities in the medical system which include:
Together, these vulnerabilities could be used by a malicious actor to modify a pump’s configuration while the pump is in standby mode, resulting in an unexpected dose of medication being delivered to a patient on its next use – all with zero authentication.
Per McAfee’s vulnerability disclosure policy, we reported our initial findings to B. Braun on January 11, 2021. Shortly thereafter, they responded and began an ongoing dialogue with ATR while they worked to adopt the mitigations we outlined in our disclosure report.
This paper is intended to bring an overview and some technical detail of the most critical attack chain along with addressing unique challenges faced by the medical industry. For a brief overview please see our summary blog here.
The most important part of any product assessment is a solid understanding of the purpose and function of the product under test. Without this it is simply too easy for research to produce less than meaningful results. Therefore, for this research it is first important to answer these few simple questions. What are infusion pumps? What security research has already been performed?
To start with the basics using a trusted resource – fda.gov says “An infusion pump is a medical device that delivers fluids, such as nutrients and medications, into a patient’s body in controlled amounts.” The FDA goes on to explain they are typically used by a “trained user who programs the rate and duration”. Infusion pumps can be simple, administering a single intravenous (IV) medication in the home setting, or complex, delivering multiple medications simultaneously in the ICU setting. From the 1960’s to 2000 infusion pumps were mostly electromechanical devices with some embedded electronics, but the turn of the century delivered “smarter” devices with better safety mechanisms and the possibility to program them, which slowly opened the door to information security challenges. Cross referencing the specific product we have chosen to look at, the Infusomat® Space® Large Volume Pump (Figure 1), we see that this pump is meant only for a medical setting and not designed for a home user. Infusion pumps exist mostly to remove the need to perform manual infusion, which requires dose conversion into drops per minute and visually counting drops to set a rate which is both time consuming and unreliable. It is estimated that there are over 200 million IV infusions administered globally each year, and 2020 sales of IV pumps in the US were at $13.5 billion. Clearly infusion pumps have cemented their place in the medical world.
Figure 1: B. Braun Infusomat Pump
Since infusion pumps are such a large part of the medical field and there are several different types, it is reasonable to expect our team is not the first to inquire about their security. As expected, there have been many different research projects on infusion pumps over the years. Perhaps the most well-known research was presented in 2018 at Blackhat by Billy Rios and Johnathan Butts. The infusion pump portion of their research was focused on the Medtronic insulin pumps. They found they were able to remotely dose a patient with extra insulin due to cleartext traffic and the ability to issue a replay attack. Even earlier, in 2015 research was published on the Hospira Symbiq Infusion Pump showing that it was possible to modify drug library files and raise dose limits through “unanticipated operations”, although authentication was required.
Of course, for our purpose, the most important question remains – is there any previous research performed on our specific device. Initially the answer was no; however, during our research project a very large study, ManiMed, was released under the aegis of German authorities to examine the security of network-connected medical devices produced or in use in their country. This included research done on the B. Braun Infusomat pump. This is a fantastic piece of work which covers many network-connected devices. We will reference this study and talk about their findings where appropriate throughout this document, as we additionally explore our enhancements to this research and demonstrate a new attack that was previously called impossible.
If we consider the Background section earlier, it becomes apparent there is still a large amount of critical research to be performed in this space. Infusion pumps are a prominent and continuously developing area within the medical device space, where previous research has only scratched the surface. Due to the potential critical impact and the state of medical device security, many previous projects didn’t need to dig very deep to find security issues or concerns. The infusion pump industry has numerous devices which have not been researched publicly at all, and even more that only received a cursory analysis from the information security community. For these reasons, we decided to have an in-depth look at one of the largest infusion pumps vendors, B. Braun, and specifically focus on one of their devices used worldwide to analyze it at a depth never seen before. Tackling every aspect of this pump, we wanted to answer the basic question: In a realistic scenario, leveraging original security vulnerabilities, could a malicious attacker impact human life?
For this research project our system consisted of three main components– a B. Braun Infusomat Large Volume Pump Model 871305U (the actual infusion pump), a SpaceStation Model 8713142U (a docking station holding up to 4 pumps) and a software component called SpaceCom version 012U000050. These models and the corresponding software for the B. Braun Infusomat system were released in 2017. In industries such as consumer electronics, this would be considered obsolete and therefore less relevant to research. However, as discussed above, in the medical field this is simply not the case. Since older devices are still widely used and perhaps originally developed with a less emphasis on security, it increases the importance of investigating them. For due diligence, we consulted and confirmed with our industry partners that this specific model was still actively being used in hospital systems across the country.
SpaceCom is an embedded Linux system that can run either on the pump from within its smart-battery pack or from inside the SpaceStation. However, when the pump is plugged into the SpaceStation, the pump’s SpaceCom gets disabled. We performed most of our research with the pump attached to the SpaceStation as we found this was the most common use case. If a SpaceStation was compromised, it could potentially affect multiple pumps at once. SpaceCom acts as the external communication module for the system and is separated from the pump’s internal operations, regardless of where it is running from.
If we consider the pump attached to the SpaceStation as one system, it has three separate operating systems running on three distinct chipsets. SpaceCom running on the SpaceStation runs a standard version of Linux on a PowerPC chipset. The WIFI module for the SpaceStation also runs a standard version of Linux on an ARM chipset and communicates over a PCI bus with SpaceCom. Lastly, the pump runs its own custom Real Time Operating System (RTOS) and firmware on a M32C microcontroller. An additional microcontroller is used to monitor the M32C microcontroller, but this goes beyond the scope of our research. Due to this modular and isolated design, the Spacecom communication module and the pump need a dedicated path for exchanging data. This is resolved via a CAN bus, shared throughout the SpaceStation, where it allows pumps and accessories to communicate with each other. This is what SpaceCom and any pump docked into the Space Station rely on for their exchange. An architecture diagram below helps demonstrates the system layout and design when a pump is present in the docking station.
Figure 2: System Architecture
SpaceCom contains many different pieces of propriety software and applications to support the many functions of the larger B. Braun and medical facility ecosystem. Our team spent time analyzing each one in great detail; however, for the purpose of this paper we will only touch on key components which are important to the most critical findings mention in the opening summary.
An important function of SpaceCom is to be able to update the drug library and pump configuration stored on the pump. The drug library contains information such as ward and department, a list of pre-configured drugs with their default concentrations, information messages to be printed on the screen when selected, and more importantly, soft, and hard limits to prevent medication error. One of the biggest selling points of the smart infusion pumps is their ability to prevent incorrect dosing of drugs, which is partly done through the limits in the drug library. Another risk the drug library helps mitigate is human error. By having the most common dosage and infusion lengths preprogrammed into the pump, it eliminates errors associated with rate calculations, and drop counting previously mentioned, associated with manual infusion therapy.
The pump RTOS contains a database of over 1500 key/value pairs used during operation. This data consists of everything from status about current components, battery life, motor speed, alarms and values used for tube calibration. As such, this data would be considered extremely sensitive in the context of the pump’s operation and is not intended to have direct user interaction, nor is it presented to the user. A subset of the keys can be indirectly modified via a dedicated servicing software by certified technicians.
To interact with both the drug library and pump configuration on the pump from SpaceCom, a propriety binary called PCS is used. The PCS binary uses the canon binary to interface with the CAN bus to send commands to the pump’s system for both reading and writing values based on the drug library or pump configuration provided to it. The main interface to accomplish this task is via a propriety TCP networking protocol, which by default is sent over port 1500. This protocol is both unauthenticated and unencrypted and we relied heavily on these weaknesses for our research and attacks. Additionally, this resulted in the filing of CVE-2021-33882 and CVE-2021-33883 as stated in the overview above.
What could be the goal of a malicious attacker? Realistically speaking, most attacks have been proven to be financially motivated. When translating this to our infusion pump, the question becomes: What would medical executives, without hesitation, pay large sums of money for? If we look at recent events, in May of 2021, Colonial Pipeline paid hackers 4.4 million dollars to get their oil pipeline running again from ransomware attacks. Attacks on healthcare settings are increasing with the FBI estimating a cyberattack using “Ryuk” ransomware took in $61 million over a 21-month period in 2018 and 2019. Attacks are now showing potential for patient harm with one example beginning on October 28th, 2020. The University of Vermont Health Network was part of a larger coordinated attack on multiple US healthcare which resulted in a complete loss of their electronic medical record system for weeks. The results of the ransomware-based attack led to 75% of active chemotherapy patients being turned away, rerouting of ambulances, and delays in testing and treatment. Considering IV pumps are directly supporting human life in some cases, it is easy to suggest an attacker could demand any “ransom” amount leveraging threats to actual patients. To accomplish this an attacker would therefore need to control the operation of the pump.
This task is easier said than done when considering the design of the pump as outlined above. The traditional “getting root” on the network component (SpaceCom) proves ineffective. To make any changes to the pump itself, an attacker needs to interact with the pump’s RTOS, which is not network connected. In this section we provide an outline on how we were able to accomplish this goal by using the five reported CVEs.
Even though getting root access on SpaceCom will not provide us everything we need to accomplish the ultimate goal, it is still the first step. During our reconnaissance and enumeration of the system we discovered a remote interface listening at https://{ipaddress}/rpc. This interface was connected to a common open source service referred to as “json-dbus-bridge”. As described on GitHub, this service “is a fast-cgi application that provides access to D-Bus. It accepts JSON-RPC calls and translates these into D-Bus calls. Any response is converted back to JSON and sent to the client.” This piqued our interest since external access to the D-Bus subsystem could provide us access to internal communication, which may have a different level of security than typical external networking.
When doing any type of vulnerability research, product security assessment or evaluation it is critical to not forget to search for existing issues in any third-party components. This is even more important since we are working on a software released in 2017. While scouring GitHub pages for the json-dbus-bridge, we noticed a format string vulnerability that was patched in 2015. Of course, we had to test if the version we encountered had the existing vulnerability.
Figure 3: Format String Vulnerability Testing
The tests in Figure 3 confirmed the existence of the format sting vulnerability. While this format string vulnerability had been publicly discovered in 2015 in the json-dbus-bridge code, the update was never included in B. Braun’s software and hence satisfied the condition for a vendor specific zero-day vulnerability disclosure. This was filed as CVE-2021-33886 and was our first reported discovery to B. Braun. Over the next several weeks we were able to leverage this vulnerability and create a working exploit to gain www user level shell access to the device. Due to the potential impact to unpatched devices, the exact technical details of our exploit have not been included.
Although user access is the first step, root access will be needed in order to interact with the CAN bus to communicate with the actual pump. A good target and well-known process for privilege escalation is to find a binary owned by root with the setuid bit enabled. We could not find one ready to use; however, the web interface has an option to backup and export settings which relies on tarring a folder containing a handful of files and encrypting it with AES using a user-provided password. The backup archive can then be downloaded for later restore of the settings. When restoring this backup, root is the user doing the untarring in such a way that file permissions are being preserved from the provided tar file. Thus, if we can tamper with the archive, we might be able to create a privilege escalation scenario.
To use this to our advantage we need to embed a binary in the backup archive owned by root with the “setuid” bit set so we can use it to elevate privileges. Ironically, the code responsible for the import/export of settings is already doing most of the work for us. The “configExport” binary located on the filesystem is a wrapper to call setuid/setgid (and sanitize inputs) which then calls execve on the script “/configExport/configExport.sh.” We can use a hex editor to change which script the “configExport” binary is running and replace “configExport.sh” with an attacker-controlled script, while also patching out the input sanitizing. We could absolutely have compiled our own binary instead, but this approach saves us from a couple of hours of PPC cross-compiling fun.
While we were working through this component of our attack chain, researchers working on the ManiMed project, in coordination with B. Braun, published a report which included this finding, listed as CVE-2020-16238 on B. Braun’s website. As described in section 4.6.2.2 of their report “An authenticated arbitrary file upload vulnerability combined with an unvalidated symbolic link and local privilege escalations enables attackers to execute commands as the root user.” We commend the ManiMed researchers for also discovering this vulnerability and practicing responsible disclosure.
The real work begins once root access is obtained. The challenge becomes how to affect change on the pump RTOS with root access on the SpaceCom communication module. One common approach would be to continue to look for vulnerabilities in the pump’s RTOS that would lead to code execution within its system. This method poses many challenges during black box testing and could lead to damaging our limited number of test devices.
Another approach which we have leveraged in past projects is hijacking the standard functionality of the device to further the attack. This can be more manageable, but it first requires a deep understanding of how the device works and the desired outcome. This also tests the device’s defense in depth and can prove to be very difficult depending on the security measures in place. In our case, this would force the question of how well-protected the area is surrounding the communication between the pump and SpaceCom.
As mentioned in the system description section above, the PCS binary is responsible for communicating with the pump’s system for two critical operations – updating the drug library and updating the pump config. These are key functions that would likely be of interest to an attacker. There are several different approaches which could be taken by an attacker to interact with these key operations, especially given root access. Considering the various alternatives, we chose to leverage our root access on SpaceCom to inject code into PCS’s memory and use existing functions and objects to communicate with the pump’s internal system.
Our chosen path required a deep understanding of the data structures and functions used to facilitate this communication. The key is to find the perfect place in a larger operation call stack where we can modify or inject the data we want, while still utilizing lower-level functions to avoid the need to unnecessarily create objects and data from scratch. To illustrate this point, consider if we want to send a simple signal to power off the pump from within PCS’s memory space. The fact that all data sent from SpaceCom to the pump’s RTOS is done through CAN messages, with root access meant that we could send CAN messages directly on the CAN bus. This would require an extensive knowledge and breakdown of the CAN message structure as the underlying protocol is designed by B. Braun and would have to be reverse engineered. Although possible, it is very difficult, especially with CAN’s data frame field having a lack of strict specifications. Inside PCS there is a call chain which builds this message. If we were to inject and utilize functions very low in the call chain, such as the trySend function which sends a CAN message (as seen in figure 4) , we would need to understand all of its arguments and the data format it uses. We’d essentially have the same problem as before.
Figure 4: trySend function
If we look higher in the call stack for a function that performs the operation we are interested in, switching off the device, we can instead let the rest of the call chain do the heavy lifting for us. Notice in Figure 5 below there is a function for just this purpose, which only requires one parameter to be passed.
Figure 5: switchOffDevice
Leveraging this concept, we are able to use the functions within PCS in a manner similar to an API to perform read and write operations to the pump’s database and force a change.
If we want to send and write data such as the drug library and pump config, we first need to understand the format of the data, how it is processed and any security measures in place which need to be accounted for. Our team spent extensive time reversing both the drug library and pump configuration data. A portion of the pump configuration is referred to as calibration and disposable data. Both can be modified through our attack chain; however, for this paper we will just touch on the more critical of the two the calibration and disposable data.
The calibration and disposable data are usually seen in the form of files that are living in SpaceCom. At a more granular level, they are a collection of key/value pairs that are meant to be read or written to the pump’s database. Each file can also be a large blob of data living on the pump flash. The physical location of each key within this blob is hardcoded in the pump and sometimes in PCS. This representation is relevant when it comes to computing various CRCs that operate on blobs of data rather than key pairs. These checksums are used heavily throughout the pump’s infrastructure with critical data to ensure the integrity of the data. This goes to ensure the safety of patients by ensuring data can’t be accidently modified or corrupted. Figure 6 shows an example of disposable data as contained in files on SpaceCom.
Figure 6: Disposable Data
Looking at the variable names inside the disposable data file and relevant code in the pump firmware led us to one key/value pair that specifies the “head volume” of the tube, which can be seen in the figure above. After extensive analysis, we determined that “head volume” is the parameter dictating the amount of medication being delivered per cycle to the patient. We determined that if this value was to be changed, it could be potentially harmful. We detail this analysis in section “Unique Consideration for Infusion Pump Hacking” below.
With a target key/value pair in mind, the next step would be to understand how to calculate the CRCs. Since the system is constantly checking the integrity of the data, if an attacker wanted to modify any value, they would also need to modify the CRCs which validate the changed data. Through reverse engineering we determined the CRC was a custom implementation of a CRC16, where the initial value is 0xFFFF and relies on a hardcoded polynomial table. We were able to extract this algorithm and write custom python scripts to compute the CRC needed for the disposable data.
With a basic understanding of the critical operational data and the ability to compute the CRCs, we are able to leverage the PCS binary, in an API fashion to send commands to the pump to modify this data. This holds true for both the drug library and the pump configuration data. Although CRCs are great for integrity checking, they provide no security or level of trust of the where the data is coming from. This lack of origin verification is what led to the filing of CVE-2021-33885.
If we review our attack chain, we can gain user-level access to the device without authentication or authorization. We can then escalate our privileges to root and leverage the existing functionality of the PCS binary to make modifications to the pump’s disposable data. Conceptually, the process is complete; however, we can do some additional housekeeping in order to make our attack chain slightly more realistic and efficient.
Since the proprietary protocol for the PCS binary is unauthenticated, there are certain configuration options which can be modified for an attacker to make their job even easier. One of these configuration options tells the pump which server is “trusted” to receive operational data from (such as the drug library). An attacker can send a command to SpaceCom which clears the current trusted server configuration and rewrites it to an attacker-controlled server. This is not required for this attack when leveraging the format string and privilege escalation path outlined above; however, it does provide alternative methods and simplifies the attack process.
Lastly, the pump has an audible and visual notification when any configuration or drug information has been modified on the pump. Once again in the spirit of a realistic attack, a malicious attacker is going to want to be as stealthy as possible. To accomplish this, it was worth determining a method in which to clear these notifications. This process turned out to be as simple as restarting the pump after our modifications were complete. The reboot operation happens in a matter of seconds, so by using this technique, all alerts to the end user were quickly cleared. The complete attack process can be seen outlined in the diagram below.
Figure 7: Complete Attack Chain
Although this attack chain presents a complete method to modify critical pump data, it is important to recognize the conditions required for this attack to be successful. These pumps are designed to be network connected to a local internal network. Therefore, under normal operating conditions an attacker would need to have found a method to gain access to the local network. Could this attack take place over the internet? Technically speaking, yes; however, it would be very unlikely to see a setup where a pump is directly internet-connected.
In addition to being on the local network, the pump does have safeguards in place to ensure no modifications can occur while the pump is operational. From what we discovered during our research, if the pump is actively administering medication, it ignores any request on the CAN bus to modify library or configuration data. This means the attack can only be successful when a pump is idle or in standby mode in between infusions.
The prerequisites for this attack are minimal and are not enough to mitigate the overall threat. In today’s world there are a wide range of documented and utilized methods for attackers to gain access to local networks. If we also consider that hospital or medical facilities are generally public places with little to no barriers to entry, it is easy to see how someone malicious can go unnoticed and obtain network access. Pumps are also not always actively administering mediation. Even in the busiest of hospitals there is downtime between patients or times when pumps are simply not in use.
With the ability to modify disposable and configuration data on the pump, there are a wide range of possibilities for which an attacker could choose to have an impact. An attacker could simply put the device in an unusable state or write arbitrary messages on the screen. We chose to focus on the disposable data, specifically the key/value pair labeled “TUBE_HEADVOLUME_A” since we determined it would demonstrate the greatest impact, bringing harm to a patient. In the below video you will first see the pump under normal operation. After demonstrating the system working as intended, we modify the configuration remotely using the attack chain explained above and then illustrate its effect on the pump when administering medication.
An interesting characteristic of this project is that its impact and consequences are inherently grounded in the physical world. Where common software hacks end with the ability to get root access or kernel privileges, in this project, the way the device is used by medical staff and how it can affect patient safety is crucial to the outcome. The next few sections will focus on various aspects of the project that fall under this umbrella.
As described previously, our attack relies on modifying the disposable data that governs the way the pump is used to deliver medication. But why and how did we decide to go investigate this? An interesting side-effect of the pump being built to be safe is that most of the inputs and outputs it receives from the CAN bus are extensively checked against out-of-range access. From an attacker’s perspective who has already compromised SpaceCom, this would usually be the prime target for memory corruption bugs. Fuzzing and emulating the M32C architecture is cost-heavy in terms of upfront work, so instead, we started looking for a path of least resistance and searched for blind spots in the secure design.
In our case, we wanted to be able to affect the amount of drug being dispensed, preferably without having something on screen as that would indicate a malfunction or abnormality. Our original plan was to tamper with the device drug library, but it turns out that data we could alter would be displayed on screen, which could raise concern as medical staff verify the prescribed drug and rate against the order before, and immediately after starting the infusion. This would not be ideal for an attacker, so we kept investigating. The other files we could modify were the calibration data and the disposable data. These files are interesting as they describe internal parameters; the calibration one specifies the physical parameters of the device itself, while the disposable one is for the specifics regarding the tubing going through the pump. Anyone familiar with precision tools know how important a good calibration is. If the calibration is off it will lead to improper operations or results. From an operational standpoint this makes sense, but from an attacker perspective this has a strong likelihood of fitting the bill for the attack we had in mind: modifying an internal value so the pump thinks it is dispensing the right amount of drug, while it is actually incorrect in its calculations.
Looking at the variable names inside the disposable file and relevant code in the pump firmware led us to one that specifies the “head volume” of the tube. From our understanding, each time the pump pumps, it compresses the IV tubing thereby pushing a small quantity of drug towards the patient. Overall, there are many physical parameters that would govern this volume –the internal tube diameter, the length of the compressed region, how much the tube is being compressed, etc.—but in the end, it seemed that all these values were summed up in one variable. Cutting this value in half would make the pump believe it is pushing half the actual amount, and therefore would have to pump twice as fast to deliver it. We tried our hypothesis, and by doing so, the amount of drug dispensed doubled while the pump assumed everything was normal.
Now that we have an idea of what happens to the device when we alter its internal configuration, we can consider how this could play out in the real world. As mentioned previously, medical staff are expected to be extra-careful when using these devices, ensuring the numbers match the doctor’s order. In the United States, both the Centers for Medicare and Medicaid Services (CMS) and the American Society of Clinical Oncology require standard of practice be followed with high risk or hazardous infusions like blood or chemotherapy. This standard requires two appropriately trained people (usually nurses), one who will be infusing the medication, and the other to verify the order and configuration prior to administration. Looking internationally, we were also able to find this same protocol in use at an Irish hospital. It confirms the attention to detail and the requirement to double-check each value is correct. However, another document describing the adoption of a smart pump system in a Swedish hospital hints at concerns (p. 47) that invalid drug protocols might be followed if a nurse picked the wrong default settings on the pump. These documents are anecdotal, but the overall feeling is that strong checks are in place. Under pressure or with multiple infusions, mistakes can be made, which smart pumps should prevent.
One of our industry partners, Shaun Nordeck, M.D. is an Interventional Radiology Resident Physician at a Level 1 Trauma Center and prior, served as an Army Medic and Allied Health Professional. Leaning on more than 20 years in the medical field. Dr. Nordeck states “A high-pressure environment such as the ICU may be at increased risk for infusion errors since these critical and often medically complex patients have multiple infusions which are being adjusted frequently. Errors, however, are not limited to the ICU and may just as easily occur in the inpatient ward or outpatient settings. Essentially with each increase in variable (patient complexity or acuity, number of medications, rate changes, nurse to patient ratio, etc.) there is an increased risk for error.”
As a measure of safety, it is important to keep in mind that one can visually count the number of drops to verify the infusion rate (there’s even an optional module to do it automatically). However, depending on the parameters, a minor change of speed (e.g., halved or doubled) might not be immediately obvious but could still be deleterious. Dr. Nordeck further stated that “something as routine as correcting a person’s high blood sugar or sodium level too quickly can cause the brain to swell or damage the nerves which can lead to permanent disability or even death.” The FDA’s MAUDE database keeps track of adverse events involving medical devices and can be used to see what type of problems actually occurred in the field. Certain drugs are particularly potent, in which case the speed at which they are delivered matters. In this instance, an over-sedation at 4 times the intended rate led to the death of a patient a few hours after the incident occurred. Under-dosing can also be problematic as the required medication does not reach the patient in the appropriate quantity. These examples highlight that a pump not delivering the correct amount of drug occurs in the field and may remain unnoticed for multiple hours, which can lead to injury or death.
Let’s now take a step back and consider some generic shortcomings that became apparent while looking at the infusion pump ecosystem. We believe these problems are not specific to a brand or a product but rather may be found across the entire medical field. This is because throughout the years, this vertical has only received a limited amount of attention from both malicious actors and the cybersecurity industry. With the increased rate of cyber threats and the constant additions of new smart devices in private networks, new attack surfaces are being exposed and the hardening of many systems may turn into low hanging fruits for the ones lagging. The slower life cycle of smart medical devices means that best security practices and mitigations take longer to be adopted and deployed in the field. Awareness of this may help healthcare organizations, and their supporting IT administration have a more critical eye on the technology deployed in their environments while medical device vendors should remain vigilant of their “legacy” technologies and continually reassess the risk profile associated with legacy products in the current cybersecurity landscape.
Consumer products, both hardware and software are often nimbler than their counterparts in the medical industry. Your web-browser or operating system on your personal computer will auto-update immediately after a patch is released which come on a regular basis. This is radically different for medical devices which are often directly linked to patient safety and therefore need to undergo a more rigorous vetting process before applying updates. This often leads to the need to immobilize devices during updates, perform follow up tests and recalibrations. It is often very expensive and challenging for medical facilities to update products, resulting in deployed devices with firmware that is several years old. Because of this, “table stakes” security measures may never be fully adopted, and corresponding vulnerabilities may have a larger impact than in other industries.
When looking at the general architecture of the pump, it is obvious that it was designed with safety in mind. For instance, it relies on an application processor for the main processing but also has a control processor that makes sure nothing unexpected occurs by monitoring sensors output along with other components. Everything is CRC checked multiple times to flag memory corruption and every range is bounds-checked. All of this suggests that the design was intended to mitigate hardware and software faults, data accidentally being corrupted over the wire, and the flash module degrading which aligns with a high priority on safety.
However, it looks like preventing malicious intent was not given as much attention during the design process. Sometimes the difference between safety and security might be a little blurry. Preventing accidental memory corruption and out of bounds access due to faulty hardware will also make exploitation harder, yet an attacker will always attempt to escape these mitigations. Along the same lines, logic bugs that would be extremely unlikely to occur by chance might be the “keys to the kingdom” for an attacker. Internal audits and offensive security exercises can highlight the attacker mindset and bring valuable insights as how to harden existing safeguards to protect against intentional threats.
When looking at how the pump and its communication module handles communication and file handling, we observed that critical files are not signed (CVE-2021-33885), most of the data exchanges are done in plain-text (CVE-2021-33883), and there is an overall lack of authentication (CVE-2021-33882) for the proprietary protocols being used. There are a few password-protected areas for user facing systems, but not as many for the behind-the-scenes internal systems. This might be because a login page on a website is an “obvious” necessity, along with having a proper authentication mechanism for FTP and SSH, while ad-hoc protocols designed more customized uses are not as obvious. There is also an evolving landscape at play and its related threat assessment; the risk of an unauthorized person tampering with a configuration file (calibration data, drug library, etc.) is fairly low if it also requires dedicated software and physical access to the device. However, if suddenly the device becomes network-connected, the attack surface is extended and the original assumptions may not be refreshed. Defense-in-depth would dictate that in any case, important files should not be easy to tamper with. However, security vs functionality comes with legitimate compromises and when it comes to embedded devices, limited resources and usability also need to be factored into the equation.
Originally, the CAN bus was reserved for communication between trusted components such as a Servicing PC used for maintenance or for connecting multiples devices within an older model of the Space Station that did not have SpaceCom built in. The latter would come as an optional module that could be plugged into the Space Station to offer external connectivity. Hence, the CAN bus was used for “internal” communication between trusted components and an external module, the SpaceCom, could be added for data reporting over the network. Over the following decade, technology improved and miniaturized to the point where everything got merged, so that even a battery module could provide WIFI connectivity and the SpaceCom functionalities. This opened new possibilities, such as having the built-in SpaceCom module provide similar capabilities as the servicing PC. From a user perspective this is great as it simplifies operations, but from a security perspective, this created a situation where a “trusted” internal network suddenly became bridged to an external network that could even be accessed wirelessly. What might have been an acceptable risk, where only a few proprietary devices with physical access could perform privileged operations, became much more questionable when a WIFI-connected Linux device started to offer the same capabilities.
This kind of problem has been faced by nearly every industry vertical that evolved from reliance on trusted physical networks which suddenly got connected to the internet or other untrusted networks. Smart connected devices are a double-edged sword: in the same way they offer greater flexibility and synergy between systems, they can also lead to emergent security issues that need to be considered holistically.
When developing custom protocols and ad-hoc systems it’s natural to incur technical debt. This is even more true when the life cycle of a device is many years and when it is complicated and expensive to deploy patches and upgrades, leading to a heterogeneous customer base and multiple hardware revisions to support. This can cause situations where more obscure features are not looked at for years and their ownership might be lost or perfunctory. An example of this is the format string vulnerability affecting the json-dbus module. Its usage is obscure, and it was forked from an open-source project many years ago. The original repository fixed bugs that were security bugs but were not flagged as such which led them to fly under the radar for multiple years. Likely, at the time it was forked, the code served its purpose and was never revisited afterwards, leaving the security bug unnoticed. The same can be said for custom-designed protocols and file formats. It may be difficult to evolve them in line with the improvement of best security practices while avoiding breaking “legacy” deployments. In this scenario, mitigations might be the way to go; making sure the systems are isolated, unnecessary features can be disabled and their privilege and access limited to what’s needed. Future-proofing a system is a difficult challenge. If anything, transparency on how the system functions and the components it relies on, coupled with regular audits (code source review or black box audit) can help prevent components from falling in the cracks where they’re not checked against best practices for many years.
This concludes a research project which took two senior researchers a significant amount of time to showcase a life-threatening risk of a medical device being taken over by a remote attacker. For the time being, ransomware attacks are a more likely threat in the medical sector, but eventually these networks will be hardened against this type of attacks and malicious actors will look for other lower-hanging fruits. Given the lifespan of medical devices and the difficulties surrounding their updates, it is important to start planning now for tomorrow’s threats. We hope this research will help bring awareness to an area that has been a blind spot for far too long. Dr. Nordeck affirms the importance of this research stating: “The ability to manipulate medical equipment in a way that is potentially harmful to patients, without end-user detection, is effectively weaponizing the device and something only previously conceived by Hollywood yet, McAfee’s ATR team has confirmed is plausible. Device manufactures clearly aim to produce safe and secure products as evidenced by built-in safeguards. However, flaws may exist which allow the device to succumb to a ransom attack or potentially cause harm. Therefore, manufactures should collaborate with security professionals to independently test their products to detect and correct potential threats and thereby preserve patient safety and device security.”
Performing regular security audits, making it easier for medical professionals to keep their devices up to date and offering solid mitigations when this is not possible should really be on every medical vendor’s list of priorities. Medical professionals, policy makers and even the general public should also hold accountable the medical vendors and have them clearly articulate the risk profile of the devices they sell and demand better ways to keep their device secure. We recognize even with this mindset and a holistic approach to security, there will always be flaws that cannot be predetermined. In these cases, vendors should encourage and even seek out industry partners, embrace responsible disclosure and communicate broadly with researchers, stakeholders and customers alike.
From a security research perspective, it is crucial to understand how a device works at a holistic system level, and how each component interacts with each other, which components they can talk to, and so on. For manufacturers, it is important to read between the lines; something may not be in a design document or in the specifications, but sometimes emergent properties will occur as a side-effect of other design decisions.
An offensive project like ours is really meant to highlight structural weaknesses and point out risks. Now, defensive work is necessary to address these concerns. For instance, manufacturers should leverage cheaper and more powerful microcontrollers to implement proper authentication mechanisms. However, it is even more important to study and address the challenges hospitals face when it comes to keeping their devices up to date. This should come as both technical solutions from the vendors and advocacy to promote secure practices and raise awareness on the underlying risks associated with critical devices having outdated software. The FDA tried to lead the way in 2018 with its CyberMed Safety (Expert) Analysis Board (CYMSAB), but so far little progress has been made. The work the German BSI did with the ManiMed project is also extremely encouraging. We see this as an area of cybersecurity with lots of potential and need for attention and look forward to the information security industry taking on this challenge to make this critical sector always more secure.
One goal of the McAfee Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. As per McAfee’s vulnerability public disclosure policy, McAfee’s ATR team informed and worked directly with the B.Braun team. This partnership resulted in the vendor working towards effective mitigations of the vulnerabilities detailed in this blog. We strongly recommend any businesses using the B.Braun Infusomat devices to update as soon as possible in line with your patch policy and testing strategy.
CVSSv3 Rating: 6.8/8.2
CVSS String: AV:N/AC:H/PR:N/UI:N/ S:C/C:N/I:H/A:N/CR:H/IR:H/AR:M/MAV:A
CVE Description: Missing Authentication for Critical Function vulnerability in BBraun SpaceCom2 prior to 012U000062 allows a remote attacker to reconfigure the device from an unknown source through lack of authentication on proprietary networking commands.
CVSSv3 Rating: 5.9/7.1
CVSS String: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:H/IR:H/AR:M/MAV:A
CVE Description: Cleartext Transmission of Sensitive Information vulnerability in BBraun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping the network traffic. The exposed data includes critical values for the pumps internal configuration.
CVSSv3 Rating: 7.3/5.8
CVSS String: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/CR:M/IR:M/AR:L/MAV:A
CVE Description: Unrestricted Upload of File with Dangerous Type vulnerability in BBraun SpaceCom2 prior to 012U000062 allows remote attackers to upload any files to the /tmp directory of the device through the webpage API. This can result in critical files being overwritten.
CVSSv3 Rating: 10.0/9.7
CVSS String: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/CR:H/IR:H/AR:M/MAV:A
CVE Description: Insufficient Verification of Data Authenticity vulnerability in BBraun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to send malicious data to the device which will be used in place of the correct data. This results in execution through lack of cryptographic signatures on critical data sets
CVSSv3 Rating: 8.1/7.7
CVSS String: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/RL:O/RC:C
CVE Description: Improper sanitization of input vulnerability in BBraun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to gain user level command line access through passing a raw external string straight through to printf statements. The attacker is required to be on the same network as the device.
The post McAfee Enterprise ATR Uncovers Vulnerabilities in Globally Used B. Braun Infusion Pump appeared first on McAfee Blog.
Now that we’ve officially kicked off our journey as McAfee Enterprise, a pure-play enterprise cybersecurity company under the new ownership of Symphony Technology Group (STG), we’re celebrating a lot of new firsts and changes. But one thing remains the same: our passion and commitment to make the world a safer, more secure place. And that passion starts with our people. In this new blog series, you’ll meet some of the executives devoted to tackling today’s most pressing security concerns and innovating for the future.
Q: How did you come into this field of work? |
I didn’t start out in information technology, I graduated from college with a degree in physics at the end of the Cold War. At the time, all the physics jobs had evaporated, so I started out as an intern in programming at EDS. I did that for a few years and then went into management. I eventually became a CTO and then a CIO.
When I was a CIO, I learned that I really didn’t know much about information security, and it was hindering me in the CIO role. My next job was a director of information security at a financial services company, and I never looked back. I found that I had a passion for information security and have been the CISO at two different Fortune 500 companies. My current role as CIO for a company that creates enterprise cybersecurity software is a perfect marriage of both skill sets.
Q: With cybersecurity and AI capabilities expanding at a rapid pace, what will the future look like for companies like McAfee Enterprise in the coming years? |
I think our products like Insights and MVISION XDR are going to change the way we think about security. We have always relied on “after-the-fact” data as opposed to proactively looking at our environment. The days of looking at packet capture and syslogs as our primary defense method are behind us. While they are great for those “after-the-fact” forensic studies, they really don’t do much to proactively defend your enterprise.
Understanding user and device behavior and being able to spot anomalies is the future. Information security leaders need to stop having a negative reaction to new technology and instead embrace it. I also believe blockchain will likely be a good solution for IoT identity and machine learning will take over for the SEIM. You will start to see our tools evolving to meet these new challenges and paradigms.
Q: Since joining the company just over a year ago, how do you feel you’ve been able to help the company grow since last year and the impact you’ve had in your role? |
My team has done a very good job in leading the charge to the cloud while at the same time reducing costs. But we are just at the beginning of the journey, and have a long way to go.
We have also challenged our lack of standards and formed the Enterprise Architecture team to drive these patterns into the organization. As Hamlet said, we must suffer “the slings and arrow of outrageous fortune” for trying to drive that change, but I have been impressed by the dedication of members of our Technology Services team. Our security team has worked in lock step with the rest of the organization to drive our outward facing security vulnerabilities down to zero. That is not where we were when I arrived, but the team took a measured approach to dramatically improve our security posture.
I also enjoy spending time with the sales organization and helping them in supporting our customers. After being in the CISO role for over 12 years, I understand how difficult the role can be. I like to help our sales team understand what pain CISOs are experiencing and how our products can help.
Q: How do you hope to impact change in cybersecurity? |
I have been involved in the clean-up of two major breaches. While it is easy to get caught up in the numbers of records lost or how the breach will affect the organization’s stock price, there is a very human cost. Many security or IT leaders lose their job after a breach where stolen records are used to commit identity theft which is very painful to reconcile if you are victim, as we have seen in some of the ransomware attacks on healthcare systems that may have led to the death of patients. The great thing about being a leader in cybersecurity is that you feel you are doing something for the good of the public.
My teams have worked closely with various law enforcement agencies and have caught attackers. There is no better feeling than knowing you have taken down a criminal. I personally want to look back on my career and believe the field of cybersecurity is in a better place than when I started and that the company I work for played a major role in that change.
The post Executive Spotlight: Q&A with Chief Information Officer, Scott Howitt appeared first on McAfee Blog.
As outlined in Executive Order on Improving the Nation’s Cybersecurity (EO 14028), Section 3: Modernizing Federal Government Cybersecurity, CISA has been tasked with developing a Federal cloud-security strategy to aid agencies in the adoption of a Zero Trust Architecture to meet the EO Requirements. While the government awaits the completion of that effort, I think it’s important to look at the two government reference architectures that have already been published, as they will undoubtedly be considered in the development of CISA’s cloud-security strategy. Both NIST (800-207) and DoD (Version 1.0) have released Zero Trust reference architectures. Both define a Zero Trust telemetry architecture informed by security sensors to dynamically evaluate device and user trust and automatically change access permissions with changes in entity trust. They each accomplish the same goal, even if they take slightly different paths to get there.
Whereas the DoD architecture establishes control planes that each have their own decision point, with data given its own decision point, NIST takes a broader approach to Zero Trust and emphasizes Zero Trust in relation to all resources, not just data. The data control plane within the DoD architecture encompasses data processing resources and applies data-specific context to them. As most networks, applications, storage and services exist to process and store data, it makes sense that access to these resources should be specific to the data contained within them, and not just the access to the resources themselves. Protecting data is central to Zero Trust, and the DoD’s architecture acknowledges this.
Today, most Zero Trust efforts seem to focus on defending the applications, networks and services that contain the data but fall short of building data specific protections. And while protecting network, application, and service resources is certainly important and essential to layered protections, improving protection around the data is imperative to successfully adopt Zero Trust architecture. People with alarm systems on their homes still lock up valuables in a safe to guard against failures in controls, or less than trustworthy house guests and hired workers.
The DoD puts data at the center of its reference architecture. User and entity trust is assessed in relation to the data being accessed, and permission levels are dynamically changed specific to individual data resources. If Zero Trust operates under the assumption that networks and applications are already compromised, then the only logical way to successfully implement Zero Trust is to combine network, application, and service access technologies with a comprehensive data protection platform. In a well-designed Zero Trust architecture, a comprehensive data protection platform serves not only to protect data, but also as a means to inform the analytics layer of potentially malicious insiders or compromised user accounts in order to automatically trigger changes in access permissions.
Imagine a very simple scenario where an organization has classified specific types of data and implemented controls to protect the data. Jane is a contractor, who, because of her contract function, was vetted and cleared for access to critical applications and controlled unclassified data. Jane has a government-issued laptop with data protection software, and she has access to government cloud applications like Office 365 that are protected and governed by the agencies’ CASB solution. Unfortunately, Jane has been having well disguised and undisclosed financial troubles, which have put her in a compromised situation. In order to try to get herself out of it, she has agreed to act as an insider. Jane initially attempts to send sensitive data to herself through her Office 365 email, but the attempt is blocked by the CASB. She then attempts to share the records from SharePoint to an untrusted email domain and again is blocked by the CASB and reported to security. Desperate, she tries to move the data to an external hard drive, and yet again she is blocked. At this point, Jane gives up and realizes the data is well protected.
On the backend of this scenario, each one of these attempts is logged as an incident and reported. These incidents now inform a Zero Trust dynamic access control layer, which determines that Jane’s trust level has changed, resulting in an automatic change to her user access policies and a Security Operations alert. This is one very basic example of how a data protection platform can inform and affect user trust.
Effectively architecting a comprehensive data protection platform requires a multi-vector and integrated approach. The platform should be a combination of control points that leverage a common classification mechanism and a common incident management workflow. Data protection enforcement should facilitate enforcement controls across managed hosts, networks, SaaS, and IaaS resources, and whenever possible restrict sensitive data from being placed into areas where there are no controls.
McAfee enables this today through a Unified DLP approach that combines:
This comprehensive approach enables data protection policies to follow the data throughout the managed environment, ensuring that enterprise data is protected at rest, in transit, and in use. Within the platform, user trust is evaluated conditionally based on policy at each enforcement point, and any change to a user’s group through the Zero Trust architecture automatically modifies policies within the data protection platform.
Data protection has long been a challenge for every enterprise. Successful implementation of data protection technologies requires a programmatic effort that includes data owners to accurately and successfully identify and build protections around sensitive information. If not implemented properly, data protection opens the door to user disruptions that many organizations have very little tolerance for. That’s why so many organizations focus their efforts on improving perimeter and access protections. Adversaries know this, which is why compromising user credentials or the supply chain to gain access remains a highly leveraged entry point for threat actors, because perimeter and access control protections fail to guard against people already inside the network with appropriate access. As enterprises plan for Zero Trust architectures, data protection has to take center stage.
By mandating that agencies quantify the type and sensitivity of their unclassified data, the EO appears to be steering Executive Branch agencies down the path of data centricity. The Executive Order focuses on improving the adoption of encryption best practices around data and implementing multifactor authentication in an effort to protect access to sensitive data from malicious outsiders. It falls short, however, of encouraging broad adoption of data loss prevention architectures to protect against accidental and malicious data leakage.
CISA has an opportunity to prioritize data as an enterprise’s central resource in their upcoming cloud-security strategy, which will drive agency adoption of Zero Trust Architecture. They should take this opportunity to emphasize the importance of designing a comprehensive data protection platform to serve as both a trust identifier and a mechanism of protection.
The post Data Centric Zero Trust for Federal Government Cybersecurity appeared first on McAfee Blog.
This month’s Patch Tuesday brings us a relatively small number of CVEs being patched, but an abnormally high percentage of noteworthy critical vulnerabilities.
One such vulnerability is identified as CVE-2021-34535, which is a remote code execution flaw in the Remote Desktop client software, observed in mstscax.dll, which is used by Microsoft’s built-in RDP client (mstsc.exe). The vulnerability is very closely related to a bug released in July of 2020, CVE-2020-1374, which also came through Microsoft’s Patch Tuesday process and had highly similar characteristics. The vulnerability is an integer overflow due to an attacker-controllable payload size field, which ultimately leads to a heap buffer overflow during memory allocation. The vulnerability can be triggered via the RDP Video Redirection Virtual Channel Extension feature [MS-RDPEV], which is typically deployed on port 3389, and is contained inside of compressed UDP payload and encrypted RDP using TLS.
But does this flaw, despite its impressive 9.9 CVSS score, rise to the level of past RDP vulnerabilities, including the infamous BlueKeep (CVE-2019-0708)? Not so fast – there are a few additional factors to take into consideration.
First and foremost, this is a client-side vulnerability, meaning there is no real ability for self-propagation, or “wormability” from an Internet perspective. The most likely attack scenario would be to convince a user to authenticate to a malicious RDP server, where the server could trigger the bug on the client side. During reproduction of the issue, we were able to easily trigger the crash and observe a later memcpy using the controlled overflow, which should facilitate exploitation. We think it is likely that exploits will be developed for this vulnerability but the availability of a patch prior to any known public exploitation helps to mitigate risks for organizations and individuals.
Secondly, thanks to the widespread proliferation and reach of BlueKeep and other related RDP vulnerabilities, a significant portion of RDP clients and servers have been disabled or moved from the network perimeter. This is less important given the client-side nature of the bug but does help with the overall attack surface.
In addition to Microsoft’s built-in RDP client (mstsc.exe), which is the more common Remote Desktop network connection, we have also confirmed that some lesser- known RDP vectors are affected by this vulnerability. Microsoft Hyper-V Manager “Enhanced Session Mode” and Microsoft Defender’s Application Guard (WDAG) both use RDP to screen share and present the secured browser respectively. This gives the end user a remote view of their isolated instance in the context of the host system. Rather than reimplementing the RDP session sharing capability, Microsoft ported the existing RDP client code base into Hyper-V and WDAG. Since the RDP client code is self-contained in mstscax.dll (an ActiveX COM object) it can simply be loaded into the Hyper-V (vmconnect.exe) and WDAG (hvsirdpclient.exe) processes to avail of the RDP client functionality. There does not appear to have been any attack surface reduction on this code base as the same DLL is loaded within all three processes mstsc.exe, vmconnect.exe and hvsirdpclient.exe. The impacted components are:
Mitigation: Patch
Mitigation: Patch or disable “Enhanced Session Mode”
The built-in RDP client and Hyper-V/WDAG clients communicate over different transport mediums in the form of TCP/IP and VMBus but they both use the same RDP client protocol implementation. Given that the flaw is contained within mstscax.dll, and is self-contained, the vulnerability was ported to these two implementations along with the rest of the code base.
While the urgency for patching remains somewhat lower than past critical vulnerabilities, threat actors will look to weaponize any of these low-hanging fruit that leverage common network protocols. Patching should be a top priority, and furthermore, a comprehensive and ongoing review of internet-facing and internal networked RDP clients and servers would be highly recommended. Eliminating or reducing the attack surface is one of the best counter attacks to vulnerability exploitation.
Microsoft have published a Knowledge Base article for the issue here with corresponding patch information. In the meantime, we are continuing to monitor this vulnerability closely; if exploitation is observed we may release additional content for customers.
For RDP security best practices please see https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-security-explained/
With thanks to Cedric Cochin, McAfee.
The post Critical RDP Vulnerabilities Continue to Proliferate appeared first on McAfee Blogs.
This is the third in a series of blogs on the Cybersecurity EO, and I encourage you to read those you may have missed. (Part 1, Part 2).
Between the initial publication of the Executive Order (EO) for Improving the Nation’s Cybersecurity on May 12 and late July, a flurry of activity by departments and agencies continues to occur on how best to understand and address potential security gaps. Once identified, these analyses will facilitate plans to fulfill the requirements and further augment agencies’ existing preventative measures to improve their cybersecurity posture. Due to numerous far-reaching cybersecurity breaches that have occurred throughout the past year, one of the primary areas of emphasis in the Executive Order is enhancing the Federal Government’s ability to be more proactive in detecting vulnerabilities and preventing cybersecurity incidents throughout an agency’s network. By introducing an Endpoint Detection and Response (EDR) solution into an enterprise environment, the Government will be able to empower agency SOC teams to engage in active cyber hunting, containment, remediation, and incident response activities more universally.
The potential loss and impact of a cyberattack is no longer constrained to a single silo within an agency’s network or a small subset of devices. It can quickly escalate and impact the mission of an agency in seconds. That is why the Executive Order states it is crucial a government-wide initiative is undertaken to begin to get ahead of malicious actors by developing a comprehensive security strategy to prevent attacks before they happen.
Many cyberthreats use multiple attack mechanisms, requiring a different approach to keep our enterprises secure from malicious actors. Endpoint protection platforms still play a critical role in defending agency assets, but they are only one component of a multilayered approach to a robust cybersecurity strategy. Fortunately, McAfee Enterprise’s endpoint protection platform offers a threat detection capability that allows incorporating a next-generation solution (EDR) to track down potential threats if they break through the first layer of countermeasures.
By incorporating endpoint detection and response (EDR), organizations have granular control and visibility into their endpoints to detect suspicious activity. As a cloud service, EDR can incorporate new features and services in much more agile fashion than other solutions. MVISION EDR can discover and block threats in the pre-execution stage, investigate threats through analytics, and help provide an incident response plan. Additionally, by leveraging AI and machine learning to automate the steps in an investigative process, more experienced threat hunters can focus on in-depth analysis of sophisticated attacks, and other members of the SOC team can discover key findings to triage potential threats much faster and with less experience. These new capabilities can learn an agency’s baseline behaviors and use this information, along with a variety of other threat intelligence sources, to interpret findings.
As the attack surface continues to evolve, a far more holistic approach to detection is needed. Although EDR is crucial to surfacing anomalous threats and malicious behavior for workstations, servers, and cloud workloads, their area of influence is confined to the telemetry provided by the endpoint. Realizing EDR is network blind and SIEM is endpoint blind, we integrated McAfee Enterprise EDR and SIEM technologies to enrich investigations. Still, more telemetry sources are needed to reveal all potential threat vectors an enterprise may encounter. This is where Extended Detection and Response (XDR) comes in, supporting agencies in a journey beyond the endpoint and allowing them to close even more gaps.
XDR isn’t a single product or solution but rather a journey, as it refers to compiling multiple security products and technologies that comprise a unified platform. An XDR approach will shift processes and likely merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators.
SIEMs are largely data-driven, meaning they need data definitions, custom parsing rules and pre-built content packs to retrospectively provide context based on the data they have ingested. In contrast, XDR is hypothesis driven, harnessing the power of machine learning and artificial intelligence engines to analyze high-fidelity threat data from a multitude of sources across the environment to support specific lines of investigation mapped to the MITRE ATT&CK framework.
Technically speaking, an XDR is a converged platform leveraging a common taxonomy and unifying language. An effective XDR must bring together numerous heterogeneous signals and return a homogenous visual and analytical representation. XDR must clearly show the potential security correlations that the SOC should focus on. Such a solution would de-duplicate information on one hand, but would emphasize the truly high-risk attacks, while filtering out the mountains of noise. The desired outcome would not require excessive amounts of repetitive manual work. Instead, it would allow SOC teams to focus on leading investigations and mitigating attacks. XDR’s presentation of data would be aware of context and content, be advanced technologically, yet be simple enough for analysts to understand and act upon.
As many organizations begin to adopt EDR solutions with the capability to embrace XDR, they also must consider how these solutions enable them to migrate toward a Zero Trust architecture. The wealth of information that will be available in a platform capable of distilling threat telemetry not only from endpoints, the networks they are accessing, and the cloud services they consume will create real advantages. It will greatly improve the granularity, flexibility, and accuracy of the policy engines granting access to enterprise resources and using that degree of trust to determine how much access is granted within the application.
The ideal solution must provide enhanced detection and response capabilities across endpoints, networks, and cloud infrastructures. It needs to prioritize and predict threats that matter before the attack and prescribe necessary countermeasures allowing the organization to proactively harden their environment. The ideal solution also must incorporate Zero Trust, and it should be built on an open security ecosystem.
McAfee Enterprise recognized early on that a multi-vendor security ecosystem is a key requirement to building a defense in depth security practice. One of the key building blocks was the Data Exchange Layer (DXL), which was subsequently made available as an open-source project (OpenDXL) for the community to further develop innovative use cases. This enabled our diverse ecosystem of partners from threat intelligence platforms to orchestration tools to use a common transport mechanism and information exchange protocol, thereby encouraging participating vendors to not only communicate vital threat details but also inform them of actions that all connected security solutions should take.
When you combine XDR and an open security ecosystem for XDR capabilities, agencies will have a solid foundation to advance their visibility and detection capabilities across their entire cyber infrastructure.
The post White House Executive Order – Improving Detection of Cybersecurity Vulnerabilities appeared first on McAfee Blogs.
If you are part of an organization aspiring to evolve and modernize your SecOps practice with greater efficiencies with XDR, this read is for you.
So, what’s all the continuous hype about XDR? Is it for you and what does it mean to your organization? If you haven’t already, I invite you to read our XDR—Please Explain and Unravel to XDR Noise blogs for added context. From here we can begin to ask, what are XDRs and what are they not? What happens once you acquire components that add the “X-factor” to your threat detection and response (TDR) practice? And how can SOC teams use it for investigation, prioritization, remediation and hunting?
I’ll cover the basics in this blog and hopefully by the end I’ve piqued your interest enough to watch our on-demand webinar where we will cover these aspects in detail.
For security practitioners, there’s one question that is top of mind—am I protected against the latest threats? But let’s face it, threats are evolving, adversaries are evolving too and a shortage of talent make it near impossible to keep up with alerts.
In fact, according to the latest XDR research by ESG, The Impact of XDR in the Modern SOC March 2021 [1], the top challenges related to TDR for respondents were:
Advanced threats are now commonplace, challenging most security professionals to detect and respond before damage is done, we know that these attacks leverage multiple attack vectors to gain a foothold and execute. XDR solutions bring together security telemetry across multiple controls, correlating and stitching together complex attacks so analyst can quickly assess and investigate. XDR is seen as having the potential to modernize the SOC with enriched and aggregated security analytics capabilities to accelerate the investigation to a resolution.
What’s more, McAfee Enterprise is here to help you evolve your SecOps practice into the next era of security analytics, threat detection and response. McAfee’s MVISION XDR tools provide visibility across multiple control points to not only detect threats but to help organizations improve their security posture. In addition, MVISION Insights provides relevant threat intel to help customers proactively prevent threats on multiple control points like endpoint.
We invite view our on-demand webinar with Mo Cashman, Enterprise Architect at McAfee Enterprise, and Dave Gruber, Senior Analyst at ESG, as they cover what XDRs are and aren’t, the keys to SOC modernization for XDR with a focus on the SOAPA approach to security, and how McAfee’s MVISION XDR lays out the flexible groundwork for organizations aspiring to evolve with XDR. Here is the link to watch.
Whether you are building a SOC function with limited resources or maturing a well-established SOC, McAfee Enterprise is here to help you simplify and strengthen your security operations with MVISION XDR. With MVISION XDR, you can proactively identify, investigate and mitigate threat actors targeting your organization before they can gain a foothold in the network. By combining the latest machine-learning techniques with human analysis, XDR connects and amplifies the early warning signals from your sensors at the network, endpoint, and cloud to improve situational awareness, drive better and faster decisions, and elevate your SOC. [2]
1 – ESG Research Report: The Impact of XDR in the Modern SOC by Jon Oltsik
2 – Cyber Cyber, Burning Bright: Can XDR Frame Thy Fearful Asymmetry?
The post Evolve With XDR – The Modern Approach to SecOps appeared first on McAfee Blogs.
McAfee Enterprise is pleased to announce that the Network Security Platform (NSP), our industry leading next-gen Intrusion Prevention System (IPS) solution, has been awarded Miercom Certified Secure for superior security and performance.
Miercom has been reviewing network products for over 30 years, forming standardized test programs that have grown into a worldwide evaluation service for the latest technology. Miercom has published hundreds of network product analyses in leading trade periodicals and other publications, thus gaining the reputation of being a leading, independent product test center.
The NSP Next Generation Intrusion Prevention System (NGIPS) solution was independently assessed by Miercom engineers for security, performance, and hands-on use to provide unbiased verification of McAfee Enterprise’s unique qualities. The NGIPS solution was deployed in a real-world environment and subject to performance tests, multiple iterations of attacks from Miercom’s proprietary malware suite, and exploits from Ixia BreakingPoint and other test tools.
Figure 1. Test Bed Diagram
Figure 2. Test Tools
NSP demonstrated security effectiveness in the attack lifecycle detection and protection through its efficient signature engine along with multiple advanced signature-less detection technologies, including file analysis, protocol behavior analysis, and network behavior analysis. The results not only showed NSP continued to hold the highest standard in exploit prevention capability, but also proved its advantage in zero-day malware and malicious URL protection compared to other IPS solutions in the market.
“Based on our findings, the McAfee Network Security Platform with NS9500 sensors demonstrates competitively superior security and performance. The McAfee solution was stressed under real-world known and not yet discovered exploits and heavily loaded conditions and passed these tests with ease. McAfee Network Security Platform has rightfully earned the distinction as Miercom Certified Secure.” – Rob Smithers, CEO, Miercom
McAfee Enterprise’s new appliance offerings, NS9500 and NS7500, are scalable hardware platforms that provide investment protection. They offer multiple throughput options with the inspection throughput being controlled by a software license. This provides customers the flexibility to only buy capacity that is needed, and easily scale inspection throughput as needs increase via a software upgrade license and/or by stacking appliances. The appliances are purpose-built for line speed DPI (Deep Packet Inspection) and its efficient architecture preserves performance regardless of security settings unlike other IPS offerings in the market.
To download a copy of the report, please visit McAfee.com/nsp-Miercom
To learn more about McAfee NSP, please visit McAfee.com/nsp
To learn more about Miercom, please visit https://Miercom.com
The post McAfee NSP Provides Superior Security and Performance appeared first on McAfee Blogs.
In the last week there has been change, but a lot remains the same, too. First, we are now McAfee Enterprise, a pure-play enterprise cybersecurity company under the new ownership of Symphony Technology Group (STG). It’s an exciting change and true focus for our company, allowing us to concentrate on enterprise and commercial business needs. Our partners are an important part of our journey, and together we are excited to continue to win and drive success.
As we start this chapter as a pure-play enterprise security company, my focus is on adding value for our partners at all levels, ensuring our joint customers understand the power of our technology portfolio, and driving profitability and growth through better cybersecurity outcomes for our customers.
Our strategy continues to be Channel First, and we have worked to create continuity in all that we do for our channel partners and customers through the transition. That means our operations as a company will remain very much the same, so there will be no new systems or tools to learn, and our partners will continue to receive the same program benefits. At the same time, we will continue to evaluate and enhance program benefits, enablement and sales engagement.
We look forward to embarking on this journey with our partners as McAfee Enterprise. Our vision cannot be achieved without our partners’ trust and confidence in us.
The post New Company, Same Commitment: Channel First appeared first on McAfee Blogs.
The DotNet based CyaX-Sharp loader, also known as ReZer0, is known to spread commodity malware, such as AgentTesla. In recent years, this loader has been referenced numerous times, as it was used in campaigns across the globe. The tale of CyaX-Sharp is interesting, as the takeaways provide insight into the way actors prefer to use the loader. Additionally, it shines a light onto a spot that is not often illuminated: the inner workings of loaders.
This blog is split up into several segments, starting with a brief preface regarding the coverage of loaders in reports. After that, the origin of the loader’s name is explored. Next, the loader’s capabilities are discussed, as well as the automatic extraction of the embedded payload from the loader. Lastly, the bulk analysis of 513 unique loader samples is discussed.
To conceal the malware, actors often use a loader. The purpose of a loader is, as its name implies, to load and launch its payload, thereby starting the next stage in the process. There can be multiple loaders that are executed sequentially, much like a Russian Matryoshka doll in which the smallest doll, which is hidden inside numerous others, is the final payload. The “smallest doll” generally contains the malware’s main capabilities, such as stealing credentials, encrypting files, or providing remote access to the actor.
While there is a lot of research into the actions of the final payload, the earlier stages are just as interesting and relevant. Even though the earlier stages do not contain the capabilities of the malware that is eventually loaded, they provide insight as to what steps are taken to conceal the malware. Blogs generally mention the capabilities of a loader briefly, if at all. The downside here lies in the potential detection rules that others can create with the blog, as the focus is on the final step in the process, whereas the detection should start as soon as possible.
Per best security practices, organizations should protect themselves at every step along the way, rather than only focusing on the outside perimeter. These threat models are often referred to as the, respectively, onion and egg model. The egg’s hard shell is tough to break, but once inside, an attacker has free roam. The onion model opposes the attacker every step of the way, due to its layered approach. Knowing the behavior of the final payload is helpful to detect and block malware although, ideally, the malware would be detected as early on as possible.
This blog focuses on one specific loader family, but the takeaways are valid in a broader sense. The preferred configurations of the actors are useful to understand how loaders can be used in a variety of attacks.
A recent blog by G Data’s Karsten Hahn provides a more in-depth look into malware families ambiguous naming schemes. This loader’s name is also ambiguous, as it is known by several names. Samples are often named based on distinctive characteristics in them. The name CyaX-Sharp is based upon the recurring string in samples. This is, however, exactly why it was also named ReZer0.
When looking at the most used names within the 513 obtained samples, 92 use CyaX-Sharp, whereas 215 use ReZer0. This would make it likely that the loader would be dubbed ReZer0, rather than CyaX-Sharp. However, when looking at the sample names over time, as can be seen in the graph below, the reason why CyaX-Sharp was chosen becomes apparent: the name ReZer0 was only introduced 8 months after the first CyaX-Sharp sample was discovered. Based on this, McAfee refers to this loader as CyaX-Sharp.
Within the settings, one will find V2 or V4. This is not a reference of the loader’s version, but rather the targeted DotNet Framework version. Within the sample set, 62% of the samples are compiled to run on V4, leaving 38% to run on V2.
Each version of the loader contains all core capabilities, which may or may not be executed during runtime, based on the loader’s configuration. The raw configurations are stored in a string, using two pipes as the delimiting value. The string is then converted into a string array using said delimiter. Based on the values at specific indices, certain capabilities are enabled. The screenshots below show, respectively, the raw configuration value, and some of the used indices in a sample (SHA-256: a15be1bd758d3cb61928ced6cdb1b9fa39643d2db272909037d5426748f3e7a4).
The loader can delay its execution by sleeping for a certain number of seconds, use a mutex to ensure it is not already running, display a message box with a custom message, persist itself as a scheduled task, and/or execute a given payload in several ways. The payload can be downloaded from an external location, after which it is started. Alternatively, or additionally, the embedded payload within the loader can be launched. This can be done directly from the loader’s memory with the help of reflective calls, or by hollowing a newly created process. The flowchart below visualizes the process. Note that the dotted line means the linked step can be skipped, depending on the loader’s configuration.
The newly created process is one of the following: MSBuild.exe, vbc.exe, RegSvcs.exe, or a new instance of the loader. The process hollowing code segment seems to be taken from NYAN-x-CAT’s GitHub, as the for-loop to start the process hollowing method is present in both the loader and the linked repository. The way an error is handled is not a standardized method, making the link between the publicly available code very likely. The first image below shows the original code from the repository, whereas the second image shows the code from the loader (SHA-256: a15be1bd758d3cb61928ced6cdb1b9fa39643d2db272909037d5426748f3e7a4)
The loop calls the process hollowing function several times to more easily handle exceptions. In the case of an exception during the process hollowing, the targeted process is killed and the function returns. To try several times, a loop is used.
Even though the loader has changed over time, it maintained the same core structure. Later versions introduced minor changes to existing features. Below, different loader versions will be described, where the length of the string array that contains the loader’s configuration is used to identify different versions. The graph shows the rise and fall for each of the versions.
There are two notable differences in versions where the config array’s size is larger than 29. Some specific samples have slightly different code when compared with others, but I did not consider these differences sizable enough to warrant a new version.
Firstly, the ability to enable or disable the delayed execution of a sample. If enabled, the execution is delayed by sleeping for a predefined number of seconds. In config_29, the delay functionality is always enabled. The duration of the delay is based on the System.Random object, which is instantiated using the default seed. The given lower and upper limits are 45,000 and 60,000, resulting in a value between these limits, which equals in the number of milliseconds the execution should be delayed.
Secondly, the feature to display a custom message in a prompt has been added. The config file contains the message box’ title, text, button style, and icon style. Prompts can be used to display a fake error message to the victim, which will appear to be legitimate e.g. 43d334c125968f73b71f3e9f15f96911a94e590c80955e0612a297c4a792ca07, which uses “You do not have the proper software to view this document” as its message.
To automatically extract the payload and configuration of a given loader, one can recreate the decryption mechanism in a language of choice, get the encrypted data from the loader, and decrypt it. The downside here is the need for an exact copy of the decryption mechanism. If the key were to change, or a slightly different algorithm were to be used, the copy would also need to reflect those changes. To avoid dealing with the decryption method, a different approach can be taken.
This loader mistakenly uses static variables to store the decrypted payload and configuration in. In short, these variables are initialized prior to the execution of the main function of the loader. As such, it is possible to reflectively obtain the value of the two variables in question. A detailed how-to guide can be found on my personal website. The data that was extracted from the 513 samples in the set is discussed in the next section.
The complete set consists of 513 samples, all of which were found using a single Yara rule. The rule focuses on the embedded resource which is used to persist the loader as a scheduled task on the victim’s system. In some cases, the Yara rule will not match a sample, as the embedded resource is obfuscated using ConfuserEx (one example being SHA-256 0427ebb4d26dfc456351aab28040a244c883077145b7b529b93621636663a812). To deobfuscate, one can use ViRb3’s de4dot-cex fork of de4dot. The Yara rule will match with the deobfuscated binary. The graph below shows the number of unique samples over time.
The dates are based on VirusTotal’s first seen date. Granted, this date does not need to represent the day the malware was first distributed. However, when talking about commodity malware that is distributed in bulk, the date is reliable enough.
The sample set that was used is smaller than the total amount of loaders that have been used in the wild. This loader is often not the first stage, but rather an in-memory stage launched by another loader. Practically, the sample set is sizable enough for this research, but it should be noted that there are more unique loader samples in the wild for the given date range than are used in this report.
It is useful to know what the capabilities of a single sample are, but the main area of interest of this research is based upon the analysis of all samples in the set. Several features will be discussed, along with thoughts on them. In this section, all percentages refer to the total of 513 unless otherwise specified.
The loader’s usage is widespread, without a direct correlation towards a specific group or geographical region. Even though some reports mention a specific actor using or creating this loader, the fact that at least one builder has leaked makes attribution to one or more actors difficult. Coupled with the wide variety of targeted industries, as well as the broad geographic targeted areas, it looks like several actors utilise this loader. The goal of this research is not to dig into the actors who utilise this loader, but rather to look at the sample set in general. Appendix A provides a non-exhaustive list of public articles that (at least) mention this loader, in descending chronological order.
The two options to launch a payload, either reflectively or via process hollowing, are widely apart in usage: 90% of all loaders uses process hollowing, whereas only 10% of the samples are launched via reflection. Older versions of the loader sometimes used to reflectively load a decrypted stager from the loader’s resources, which would then launch the loader’s payload via process hollowing. The metrics below do not reflect this, meaning the actual percentage of direct launches might be slightly lower than is currently stated. The details can be viewed in the graph below.
Note that the reflective loading mechanism will default to the process hollowing of a new instance of the loader if any exception is thrown. Only DotNet based files can be loaded reflectively, meaning that other files that are executed this way will be loaded using a hollowed instance of the loader.
The persistence method, which uses a scheduled task to start the loader once the computer boots, is used by 54% of the loaders. This does not mean that the other 46% of the samples are not persisted on the victim’s machine, as a different stage could provide persistence as well. Notable is the date within the scheduled task, which equals 2014-10-25T14:27:44.8929027. This date is, at the time of writing, nearly 2500 days ago. If any of the systems in an organization encounter a scheduled task with this exact date, it is wise to verify its origin, as well as the executable that it points to.
A third of all loaders are configured to avoid running when an instance is already active using a mutex. Similar to the persistence mechanism, a mutex could be present in a different stage, though this is not necessarily the case. The observed mutexes seem to consist of only unaccented alphabetical letters, or [a-zA-Z]+ when written as a regular expression.
Delayed execution is used by nearly 37% of the samples, roughly half of which are config_29, meaning this setting was not configurable when creating the sample. The samples where the delayed execution was configurable, equal nearly 19% of the total. On average, a 4 second delay is used. The highest observed delay is 600 seconds. The graph below shows the duration of the delay, and the frequency.
Note that one loader was configured to have a delay of 0 seconds, essentially not delaying the execution. In most cases, the delayed time is a value that can be divided by five, which is often seen as a round number by humans.
Prior to launching the payload, the loader can perform several checks. A virtual environment can be detected, as well as a sandbox. Roughly 10% of the samples check for the presence of a virtual machine, whereas roughly 11% check if it is executed in a sandbox. Roughly 8% of the 513 samples check for the presence of both, prior to continuing their execution. In other words, 88% of the samples that try to detect a virtual machine, also attempted to detect a sandbox. Vice versa, 74% of the samples that attempted to detect the sandbox, attempted to detect if they were executed on a virtual machine.
The option to disable Windows Defender was mainly present in the earlier samples, which is why only 15% of the set attempts to disable it.
The loader’s final goal is to execute the next stage on the victim’s machine. Knowing what kind of malware families are often dropped can help to find the biggest pain points in your organization’s additional defensive measures. The chart below provides insight into the families that were observed the most. The segment named other contains all samples that would otherwise clutter the overview due to the few occurrences per family, such as the RedLine stealer, Azorult, or the lesser known MrFireMan keylogger.
The percentages in the graph are based on 447 total payloads, as 66 payloads were duplicates. In other words, 66 of the unique loaders dropped a non-unique payload. Of all families, AgentTesla is the most notable, both in terms of frequency and in terms of duplicate count. Of the 66 duplicates, 48 were related to AgentTesla.
Two functions of the loader that are barely used are the message box and the download of a remote payload. The usage of both is, respectively, 1.3% and 0.8%. All of the remote payloads also contained an embedded payload, although one of the four remotely fetching loaders does not contain a URL to download the remote payload from. The external file can be used as an additional module for a next stage, a separate malicious payload, or it can be used to disable certain defense mechanisms on the victim’s device.
Companies using the aforementioned onion security model benefit greatly from the dissection of such a loader, as their internal detection rules can be improved with the provided details. This stops the malware’s execution in its tracks, as is shown in the sequential diagram of McAfee’s detection below.
The techniques that this loader uses are commonly abused, meaning that the detection of a technique such as process hollowing will also prevent the successful execution of numerous other malware families. McAfee’s Endpoint Security (ENS) and Endpoint Detection & Response (EDR) detect the CyaX-Sharp loader every step of the way, including the common techniques it uses. As such, customers are protected against a multitude of families based on a program’s heuristics.
Below, a non-exhaustive chronologically descending list of relevant articles is given. Some articles contain information on the targeted industries and/or target geographical area.
The hashes that are mentioned in this blog are listed below, in order of occurrence. The SHA-1 and SSDeep hashes are also included. A full list of hashes for all 513 samples and their payloads can be found here.
Sample 1
SHA-256: a15be1bd758d3cb61928ced6cdb1b9fa39643d2db272909037d5426748f3e7a4
SHA-1: 14b1a50c94c2751901f0584ec9953277c91c8fff
SSDeep: 12288:sT2BzlxlBrB7d1THL1KEZ0M4p+b6m0yn1MX8Xs1ax+XdjD3ka:O2zBrB7dlHxv0M4p+b50yn6MXsSovUa
Sample 2
SHA-256: 43d334c125968f73b71f3e9f15f96911a94e590c80955e0612a297c4a792ca07
SHA-1: d6dae3588a2a6ff124f693d9e23393c1c6bcef05
SSDeep: 24576:EyOxMKD09DLjhXKCfJIS7fGVZsjUDoX4h/Xh6EkRlVMd3P4eEL8PrZzgo0AqKx/6:EyycPJvTGVijUDlhfEEIUvEL8PrZx0AQ
Sample 3
SHA-256: 0427ebb4d26dfc456351aab28040a244c883077145b7b529b93621636663a812
SHA-1: 8d0bfb0026505e551a1d9e7409d01f42e7c8bf40
SSDeep: 12288:pOIcEfbJ4Fg9ELYTd24xkODnya1QFHWV5zSVPjgXSGHmI:EEj9E/va
The post See Ya Sharp: A Loader’s Tale appeared first on McAfee Blogs.
Hyperautomation is a process where artificial intelligence (AI), machine learning (ML), event-driven software, and other tools are used to automate as many business and IT processes as possible. Forecasted by Gartner to reach $596.6 billion by 20221, hyperautomation and the global software market that enables it show no signs of slowing.
The myriad of technologies used by a typical organization often are not integrated and exist as siloed disparate tools. Hyperautomation aims to reduce this “organizational debt” to improve value and brand. In the context of cybersecurity, a patchwork of stovepipe solutions not only exposes the environment to risk, but also impacts the cyber defender’s ability to fortify the environment and respond to threats at machine speed. Our target is “shift-left” security — leveraging intelligence to enhance predictability and encourage proactive responses to cyber threats.
The rise of telemetry architectures, combined with cloud adoption and data as the “new perimeter,” pose new challenges to cybersecurity operations. Organizations will be forced to contend with increased “security debt” unless we figure out how to optimize, connect, and streamline the solutions. In some cases, we have technologies available to begin this journey (MVISION Insights, MVISION Extended Detection and Response (XDR), MVISION API). In others, our customers demand more. They challenge us to build next-generation platforms to see themselves, see their cyberspace, and understand their cyberspace. Some cyber defenders need more than traditional cyber threat intelligence telemetry to make critical operational impact decisions.
MVISION Insights and MVISION XDR are great starts. It all begins with the build-up of an appropriate telemetry architecture, and McAfee Enterprise’s billion-sensor global telemetry is unmatched. Insights provides an automated means to fortify the environment against emerging threats, weaponizing threat intelligence to take a proactive stance in reducing your attack surface from device to cloud. Why start engaging at an attack’s point of impact when an organization can begin its own awareness at the same point an attacker would? MVISION XDR brings together the fragmented security solutions accumulated over the years, sharing information and coordinating actions to deliver an effective, unified response across every threat vector. Workflows are effortless to orchestrate. The powerful combination of Insights and XDR provides management and visibility of the complete attack lifecycle. Open architectures reinforce our belief that we are better together and facilitate a cybersecurity ecosystem consistent with the concepts of hyperautomation enablement.
Figure 1 – Attack Lifecycle
Where can we go from here? How do we secure tomorrow? From my perspective, we should expand the definition and scope of cybersecurity.
The answer is to look beyond traditional cyber threat telemetry; external factors (environmental, social media, geolocation, law enforcement, etc.) truly matter and are vital in making business impact decisions. Complete operational visibility, and the ability to investigate, research, and rationalize what matters most to make accurate, critical judgments, is the missing link. This is a Cyber Common Operating Picture (COP). A natural extension of our current initiatives within the industry, a COP answers the growing need to provide an integrated cyber defender’s visualization workbench that manages multiple data telemetry sources (beyond cyber threats) and delivers our customers wisdom – a true understanding – regarding their cyberspace on a local, regional, and global scale.
Telemetry data represents change, and telemetry architectures will require new forms of advanced analytics, AI, and ML to make sense of the vast sea of all-source intelligence flowing in from the environment to enhance observations and take definitive action. If we can “shift-left” for cyber threats, we can leverage that same predictability to identify and prepare for the impact of peripheral threats. Open source, custom, and third-party data feeds are widely available and create integration opportunities with emerging markets and capabilities to solve unique challenges typically not associated with our platform:
Non-traditional sensor telemetry, a multitude of feeds, and threat intelligence must be overlayed across the Cyber COP to provide AI-driven predictability modeling for next-gen systems and actionable conclusions. This is a potential future for how hyperautomation can impact cybersecurity; this is orchestrating beyond standard capabilities and expanding the definition and scope of how our complex environments are secured. AI engineering strategies will continue to expand and deliver data analytics at machine speeds.
McAfee Enterprise has always been a proponent of a platform approach to cybersecurity, creating interoperability and extending the security investments its customers have made. Loosely coupled security systems introduce gaps, and hyperautomation aims to solve that at a much larger scale. As we look toward the future, we can collectively build the requirements for the next generation of security solutions and broaden the scope of how we defend against our common adversaries. I am confident that the technologies currently exist to provide the framework(s) of a COP solution for enhanced cyber situational awareness.
Source: 1Gartner Press Release: Gartner Forecasts Worldwide Hyperautomation-Enabling Software Market to Reach Nearly $600 Billion by 2022 (April 28, 2021)
The post Hyperautomation and Cybersecurity – A Platform Approach to Telemetry Architectures appeared first on McAfee Blogs.
Every organization has data moving to the multi-cloud; digital transformation is occurring rapidly, is here to stay, and is impacting every major industry. Organizations are working hard to adopt Zero Trust architectures as their critical information, trade secrets, and business applications are no longer stored in a single datacenter or location. As a result, there is a rapid shift to cloud resources to support dynamic mission requirements, and the new perimeter to defend is data. At its core, Zero Trust is a data-centric model and is fundamental to what McAfee Enterprise offers. In the Public Sector, data has now been classified as a strategic asset – often referred to as the “crown jewels” of an organization. Reinforced by the publication of the DoD Zero Trust Reference Architecture, we have arrived at a crossroads where demonstrating a sound data strategy will be a fundamental requirement for any organization.
All DoD data is an enterprise resource, meaning data requires consistent and uniform protections wherever it is created or wherever it traverses. This includes data transmitted across multi-cloud services, through custom mission applications, and on devices. Becoming a data-centric organization requires that data be treated as the primary asset. It must also be available so that it can be leveraged by other solutions for discovery and analytics purposes. To achieve this, interoperability and uniform data management are strategic elements that underpin many sections of DoD’s official vision of Zero Trust.
Let us dissect how the DoD plans to create a data advantage and where McAfee Enterprise can support these efforts as we explore the four essential capabilities – Architecture, Standards, Governance, and Talent & Culture:
Figure 1 – DoD Data Strategy Framework
McAfee Enterprise’s open architectural methodology emphasizes the efficiencies that cloud adoption and open frameworks can offer. The ability to leverage agile development and continuously adapt to dynamic mission requirements – faster than our adversaries – is a strategic advantage. Data protection and cloud posture, however, must not take a back seat to innovation.
The rapid pace of cloud adoption introduces new risks to the environment; misconfigurations and mistakes happen and are common. Vulnerabilities leave the environment exposed as DevOps tends to leverage open-source tools and capabilities. Agile development introduces a lot of moving parts as applications are updated and changed at an expedited pace and based on shorter, prescriptive measures. Customers also utilize multiple cloud service providers (CSP) to fit their mission needs, so consistent and uniform data management across all the multi-cloud services is a necessity. We are at a pivotal inflection point where native, built-in CSP protections have introduced too much complexity, overhead, and inconsistency. Our data security solution is a holistic, open platform that enforces standardized protections and visibility across the multi-cloud.
Together with our partners, we support the architecture requirements for data-centric organizations and take charge as the multi-cloud scales. Several items – visibility and control over the multi-cloud, device-to-cloud data protection, cloud posture, user behavior and insider threat – play into our strengths while organic partner integrations (e.g., ZTNA) further bolster the Zero Trust narrative and contribute to interoperability requirements. We are better together and can facilitate an open architecture to meet the demands of the mission.
DoD requires proven-at-scale methods for managing, representing, and sharing data of all types, and an open architecture should be used wherever possible to avoid stovepiped solutions and facilitate an interoperable security ecosystem. Past performance is key, and McAfee Enterprise has a long track record of delivering results, which is crucial as the DoD moves into a hybrid model of management.
Data comes in many forms, and the growth of telemetry architectures requires machines to do more with artificial intelligence and machine learning to make sense of data. How do we share indicators of compromise (IoCs) so multiple environments – internal and external – can leverage intelligence from other organizations? How do we share risks in multi-clouds and ensure data is secured in a uniform manner? How do we weaponize intelligence to shift “left of boom” and eliminate those post-compromise autopsies? Let’s explore how McAfee Enterprise supports data standards.
Made possible by Data Exchange Layer (DXL) and a strategic partner, the sharing of threat intelligence data has proven successful. Multiple environments participate in a security-connected ecosystem where an “attack against one is an attack against all” and advanced threats are detected, stopped, and participants are inoculated in near real-time. This same architecture scales to the hybrid cloud where the workloads in cloud environments can benefit from broad coverage.
Furthermore, DXL was built as open source to foster integrations and deliver cohesive partner solutions to promote interoperability and improve threat-informed intelligence. All capabilities speak the same language, tip and cue, and provide much greater return on investment. Consider the sharing of cloud-derived threats. No longer should we be limited to traditional hashes or IoCs. Perhaps we should share risky or malicious cloud services and/or insider threats. Maybe custom-developed solutions should leverage our MVISION platform via API to take advantage of the rich global telemetry and see what we see.
Our global telemetry is unmatched and can be leveraged to organizations’ advantage to proactively fortify the device-to-cloud environment, effectively shifting security to the “left” of impact. This is all done through the utilization of MVISION Insights. Automated posture assessments pinpoint where potential gaps in an organization’s countermeasures may exist and provide the means to take proactive action before it is hit. Through MVISION Insights, cyber operators can learn about active global campaigns, emerging threats, and whether an organization is in the path – or even the target. Leadership can grasp the all-important risk metric and deliver proof that the security investments are working and operational. Combined with native MITRE ATT&CK Framework mappings – an industry standard being mapped across our portfolio – this proactive hardening is a way we use threat telemetry to customers’ advantage.
Standardized data protection, end-to-end, across all devices and multi-cloud services is a key tenant of the DoD Data Strategy. Protecting data wherever it lives or moves, retaining it within set boundaries and making it available to approved users and devices only, and enforcing consistent controls from a single, comprehensive solution spanning the entire environment is the only data security approach. This is what Unified Cloud Edge (UCE) does. This platform’s converged approach is tailored to support DoD’s digital transformation to the multi-cloud and its journey to a data-centric enterprise.
DoD’s data governance element is comprised of the policies, procedures, frameworks, tools, and metrics to ensure data is managed at all levels, from when it is created to where it is stored. It encompasses increased data oversight at multiple levels and ensures that data will be integrated into future modernization initiatives. Many organizations tend to be driven by compliance requirements (which typically outweigh security innovation) unless there is an imminent mission need; we now have the compliance requirement. Customers will need to demonstrate a proper data protection and governance strategy as multi-cloud adoption matures. What better way to incorporate Zero Trust architectures than by leveraging UCE? Remember, this is beyond the software defined perimeter.
McAfee Enterprise can monitor, discover, and analyze all the cloud services leveraged by users – both approved and unapproved (Shadow IT) – and provide a holistic assessment. Closed loop remediation ensures organizations can take control and govern access to the unapproved or malicious services and use the information to lay the foundation for building effective data protection policies very relevant to mission needs.
Granular governance and control – application-level visibility – by authenticated users working within the various cloud services is just as important as controlling access to them. Tight API integrations with traditional SaaS services guarantee only permitted activities occur. With agile development on the rise, it is just as important that the solution is flexible to control these custom apps in the same way as any commercial cloud service. Legacy mission applications are being redesigned to take advantage of cloud scale and efficiency; McAfee Enterprise will not impose limits.
Governance over cloud posture is equally important, and customers need to ensure the multi-cloud environment is not introducing any additional source of risk. Most compromises are due to misconfigurations or mistakes that leave links, portals, or directories open to the public. We evaluate the multi-cloud against industry benchmarks and best practices, provide holistic risk scoring, and provide the means to remediate these findings to fortify an organization’s cloud infrastructure.
Unified data protection is our end goal; it is at the core of what we do and how we align to Zero Trust. Consistent protections and governance over data wherever it is created, wherever it goes, from device to multi-cloud. The same engine is shared across the environment and provides a single place for incidents and management across the enterprise. Customers can be confident that all data will be tracked and proper controls enforced wherever its destination may be.
Becoming a data-centric organization will require a cultural change. Decision-making capabilities will be empowered by data and analytics as opposed to experienced situations and scenarios (e.g., event response). Machine learning and artificial intelligence will continue to influence processes and procedures, and an open ecosystem is needed to facilitate effective collaboration. Capabilities designed to foster interoperability and collaboration will be the future. As more telemetry is obtained, solutions must support the SOC analyst with reduced noise and provide relevant, actionable data for swift decision-making.
At McAfee Enterprise, we hear this. UCE provides simplified management over the multi-cloud to ensure consistent and unified control over the environment and the data. No other vendor has the past performance at scale for hybrid, centralized management. MVISION Insights ensures that environments are fortified against emerging threats, allowing the cyber operators to focus on the security gaps that can leave an organization exposed. Threat intelligence sharing and an open architecture has been our priority over the past several years, and we will continue to enrich and strengthen that architecture through our platform approach. There is no silver bullet solution that will meet every mission requirement, but what we can collectively do is ensure we are united against our adversaries.
Data and Zero Trust will be at the forefront as we move forward into adopting cloud in the public sector. There is a better approach to security in this cloud-first world. It is a mindset change from the old perimeter-oriented view to an approach based on adaptive and dynamic trust and access controls. McAfee’s goal is to ensure that customers can support their mission objectives in a secure way, deliver new functionality, improved processes, and ultimately give better return on investments.
We are better together.
The post Data as a Strategic Asset – Securing the New Perimeter in the Public Sector appeared first on McAfee Blogs.
The latest guidance in the Executive Order on Improving the Nation’s Cybersecurity (EO), Section 2, discusses removing the barriers to sharing threat information. It describes how security partners and service providers are often hesitant or contractually unable to share information about a compromise. The EO helps ensure that security partners and service providers can share intelligence with the government and requires them to share certain breach data with executive level departments and agencies responsible for investigating and remediating incidents, namely CISA, the FBI, and the IC. This approach will enable better comprehensive threat visibility across the Executive Branch departments and agencies to promote early detection and coordinated response actions. Indeed, the threat information sharing section will help enhance the public-private sector partnership that McAfee, and our colleagues in the cyber security industry are committed to supporting. To achieve this goal the EO requires:
The EO is a positive first step towards improving incident awareness at a macro level, though the EO would be even more impactful if it pushed government agencies to share more threat information with the private sector. The U.S. government represents an incredibly large attack surface and being able to identify threats early in one agency or department may very well serve to protect other agencies by enabling stronger predictive and more proactive defenses. While a government-built threat intelligence data lake is a critical first step, I think a logical next step should be opening the focus of threat intelligence sharing to be both real-time and bi-directional.
The EO focuses on the need for the private sector to improve its information sharing and collaboration with the government. However, the guidance is focused more on “post-breach” and unidirectional threat sharing. Real-time, not just “post-breach,” threat sharing improves the speed and effectiveness of countermeasures and early detection. Bi-directional data sharing opens possibilities for things like cross-sector environmental context, timely and prescriptive defensive actions, and enhanced remediation and automation capabilities. Harnessing real-time sector-based threat intelligence is not a unique concept; companies like McAfee have started to deliver on the promise of predictive security using historical threat intelligence to guide proactive security policy decision making.
Real-time threat sharing will make one of the EO’s additional goals, Zero Trust, ultimately more achievable. Zero Trust requires a dynamic analysis layer that will continuously evaluate user and device trust. As environmental variables change, so should the trust and ultimately access and authorization given. If the intent of threat intelligence sharing is to identify potentially compromised or risky assets specific to emerging campaigns, then it stands to reason that the faster that data is shared, the faster trust can be assessed and modified to protect high-value assets.
McAfee has identified the same benefits and challenges as the government for targeted threat intelligence and has developed a useful platform to enable robust threat sharing. We understand the value of sector specific data acting as an early indicator for organizations to ensure protection. Focusing on our own threat intelligence data lakes, we deliver on the promise of sector-specific intelligence by identifying targeted campaigns and threats and then correlating those campaigns to protective measures. As a result, government agencies now have the advantage of predicting, prioritizing, and prescribing appropriate defense changes to stay ahead of industry-focused emerging campaigns. We call that capability MVISION Insights.
This approach serves to drive home the need for collaborative shared threat intelligence. McAfee’s broad set of customers across every major business sector, combined with our threat research organization and ability to identify sector-specific targeted campaigns as they’re emerging, allows customers to benefit from threat intelligence collected from others in their same line of business. The federal government has a wide range of private sector business partners across healthcare, finance, critical infrastructure, and agriculture, to name a few. Each of these partners extends the government attack surface beyond the government-controlled boundary, and each represents an opportunity for compromise.
Imagine a scenario where an HHS healthcare partner is alerted, in real-time across a public/private sector threat intelligence sharing grid, to a threat affecting either the federal government directly or a healthcare partner for a different government agency. This approach allows them to assess their own environment for attack indicators, make quick informed decisions about defensive changes, and limit access where necessary. This type of real-time alerting not only allows the HHS partner to better prepare for a threat, but ultimately serves to reduce the attack surface of the federal government.
Allowing industry partners to develop and participate in building out cyber threat telemetry enables:
The U.S. government can begin to effectively shift focus from a reactive culture to one that is more proactive, enabling faster action against threats (or something like this). In the next EO, the Administration should bulk up its commitment to sharing cyber threat information with the private sector. The capability to exchange cyber threat intelligence data across the industry in standards-based formats in near real time exists today. The collective “we” just needs to make it a priority.
The post White House Executive Order – Removing Barriers to Sharing Threat Information appeared first on McAfee Blogs.
How much of the global economy is managed from a home network these days? Or, more importantly, what percentage of your company’s most sensitive data passes through employee home networks right now?
If you’re like me, working from a home office, you can’t help but think about all of the cybersecurity tradeoffs that accompanied the widespread shift from on-premises to cloud-delivered services. Better productivity in exchange for deeper vulnerabilities—like man-in-the-middle attacks—wasn’t a choice many cybersecurity pros would make under normal circumstances.
Yet, for better—and worse—there’s no going back to how things were. When Gartner revealed its annual list of top cybersecurity trends last month, we learned that while 64% of employees now work from home, at least 30-40% will continue to do so once the pandemic is over.1 In the foreseeable future, the Wi-Fi streaming your kids’ favorite shows will transport an untold amount of business data, too. All of which must be protected from device to cloud.
In the same report, Gartner said that with so many employees continuing to work from home, “endpoint protection services will need to move to cloud-delivered services.” While the vast majority of our customers made the overnight switch—many still need to adopt a cloud-native architecture.
No doubt the best transformations are the ones you plan for and manage from end-to-end. But the cloud transformation that many didn’t plan for—and most cybersecurity defenses couldn’t handle—turned out to pack the biggest punch. Here are three ways to better prepare for what comes next.
Stopping unauthorized access to corporate assets—and protecting them—is, on the face of it, a never-ending battle. You can’t build a moat, a wall, or a bubble and say, hey, my work here is done. We’ve found our customers need to solve two primary issues:
So, we created the MVISION Device-to-Cloud Suites to protect all of this data coursing through home networks. Among the many types of threats we’ve tracked, one of the biggest threats is viruses infecting browsers and capturing keystrokes to steal sensitive information. We solve this by isolating a browser so that no one can see what information has been entered.
While paradigms may shift, going forward we believe it’s predictive defenses that will enable faster, smarter and more effective data loss prevention. We get there by enabling optimized endpoint threat protection, Extended Detection and Response (EDRs) that improve mean time to detect and respond to threats, and useful analytics that not only empower your SOC but also help inform and engage executives.
Gaining executive and board-level buy-in has long been a topic of concern in the cybersecurity field. Thanks in part to the harsh publicity and severe damage caused by state-sponsored hacks that day is finally in sight. In a recent blog, McAfee’s Steve Grobman indicated SolarWinds is the first major supply chain attack which represents a shift in tactics where a nation state has employed a new weapon for cyber-espionage.”2
Cybersecurity is perceived as the second highest source of risk for enterprises, losing out to regulatory concerns, notes Gartner.3 While today only one in 10 board of directors have a dedicated cybersecurity committee, Gartner projects that percentage will rise to 40% in four years.
One reason why cybersecurity hasn’t been elevated to an ongoing board concern previously is that many executives lack a window into the cybersecurity in their midst. And lacking a window, they have no keen understanding of their organization’s vulnerabilities. Which also makes it difficult to assess the operational value of various cybersecurity investments.
The ability to gain visual insights and predictive assessments of your security posture against dangerous threats is what generates actionable intelligence. A CISO or CSO should be able to look at a single screen and understand in minutes how well protected they are against potential threats. They also need a team that’s ready to take action on these insights and enact appropriate countermeasures to protect corporate assets from imminent attack.
You want to protect your palace from thieves, but when do you finally have too many latches, locks, and bars on your doors? At some point, less is more, particularly if you can’t remember where you put your keys. Consolidation is one of Gartner top five trends this year. Four out of five companies plan to trim their list of cybersecurity vendors in the next three years.4
In fact, Gartner’s 2020 CISO Effectiveness Survey found that 78% of CISOs have 16 or more tools in their cybersecurity vendor portfolio, while 12% have a whopping 46 or more.5 Mind you, we know there is no end-all, be-all Security vendor who does everything. But with our Device-to-Cloud Suites, your security technology resides in one umbrella platform. Without McAfee, you’d need one vendor on the desktop, another in the cloud, and one more on the web gateway.
Consolidation is intended to remove headaches rather than create them. With one SaaS-based suite that addresses your core security issues, you have lower maintenance, plus the ability to visualize where you’re vulnerable and learn what you need to do to protect it.
McAfee is here to help organizations manage the transformation to a predictive cybersecurity defense and we provide the footprint to secure the data, endpoints, web, and cloud. From my vantage point, securing distributed digital assets demands effective security controls from device to cloud.
MVISION Device-to-Cloud Suites provide a simplified way to help accelerate your cloud transformation and adoption, better defend against attacks, and lower your total cost of operations. The suites scale with your security needs to deliver a unified endpoint, web, and cloud solution.
Learn More About McAfee Device-to-Cloud Suites:
Source:
1. Gartner Identifies Top Security and Risk Management Trends for 2021 (Gartner)
2. Why SolarWinds-SUNBURST is a Wakeup Call (McAfee)
3. Gartner Identifies Top Security and Risk Management Trends for 2021 (Gartner)
4. Ibid.
5. Gartner Survey Reveals Only 12% of CISOs Are Considered “Highly Effective” (Gartner)
The post Transforming to a Predictive Cyber Defense appeared first on McAfee Blogs.
The McAfee team is very proud to announce that, for the third year in a row, McAfee was named a 2021 Gartner Peer Insights Customers’ Choice for Secure Web Gateways for its Web Solution.
In its announcement, Gartner explains, “The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings.” To ensure fair evaluation, Gartner applies rigorous methodology for recognizing vendors with a high customer satisfaction rate.
For the distinction, a vendor needs at least 20+ Reviews from Customers with over $50M Annual Review in 18-month timeframe, above Market Average Overall Rating, and above Market Average User Interest and Adoption.
Gartner Peer Insights is a peer review and ratings platform designed for enterprise software and services decision makers. Reviews are organized by products in markets that are defined by Gartner Research in Magic Quadrant and Market Guide documents.
The “Voice of the Customer” is a document that applies a methodology to aggregated Gartner Peer Insights’ reviews in a market to provide an overall perspective for IT decision makers. This aggregated peer perspective, along with the individual detailed reviews, is complementary to expert-generated research such as Magic Quadrants and Market Guides. It can play a key role in your buying process, as it focuses on direct peer experiences of buying, implementing and operating a solution. A complimentary copy of the Peer Insights ‘Voice of the Customer’ report is available on the McAfee Web site.
“We were using an on-prem web gateway and we have been migrated to UCE recently due to the pandemic situations. It gives us the flexibility to manage our Web GW as a SaaS solution. The solution also provides us bunch of rulesets for our daily usage needs.” CIO in the Manufacturing Industry [Link here]
“McAfee Secure web gateway provides the optimum security required for the employees of the Bank surfing the Internet. It also provides the Hybrid capabilities which allows to deploy same policies regardless of the physical location of the endpoint.” [Link here]
MVISION Unified Cloud Edge was specifically designed to enable our customers to make a secure cloud transformation by bringing the capabilities of our highly successful Secure Web Gateway appliance solution to the cloud as part of a unified cloud offering. This way, users from any location or device can access the web and the cloud in a fast and secure manner.
“The McAfee Web Gateway integrated well with existing CASB and DLP solutions. It has been very effective at preventing users from going to malware sites. The professional services we purchased for implementation was the best we’ve ever had from any vendor of any IT security product.” Senior Cybersecurity Professional in the Healthcare Industry [Link here]
McAfee’s Next-Gen Secure Web Gateway technology features tight integration with our CASB and DLP solutions through a converged management interface, which provides unified policies that deliver unprecedented cloud control while reducing cost and complexity. By integrating our SWG, CASB, DLP, and RBI solutions, MVISION Unified Cloud Edge provides a complete SASE security platform that delivers unparalleled data and threat protection.
“We benchmarked against another very well known gateway and there was no comparison. The other gateway only caught a small fraction of what MWG caught when filtering for potentially harmful sites.” Information Security Officer in the Finance Industry [Link here]
As the threat landscape continues to evolve, it’s important for organizations to have a platform that is integrated and seamless. That’s why McAfee provides integrated multi-layer security including global threat intelligence, machine learning, sandboxing, UEBA, and Remote Browser Isolation to block known threats and detect the most elusive attacks.
To learn more about this distinction, or to read the reviews written about our products by the IT professionals who use them, please visit Gartner Peer Insights’ Customers’ Choice announcement for Web. To all of our customers who submitted reviews, thank you! These reviews mold our products and our customer journey, and we look forward to building on the experience that earned us this distinction!
McAfee is named a Customers’ Choice in the June 2021 Gartner Peer Insights “Voice of the Customer”: Secure Web Gateways.
The post McAfee Named a 2021 Gartner Peer Insights Customers’ Choice for SWG appeared first on McAfee Blogs.
The mass migration of employees working from home in the last 14 months has accelerated the digital transformation of businesses. Cloud applications are no longer a “nice to have,” they are now essential to ensure that businesses survive. This introduces new security challenges in being able to locate and control sensitive data across all the potential exfiltration vectors regardless of whether they are in the cloud; on premise via managed or unmanaged machines. Attempting to control these vectors through multiple products results in unnecessary cost and complexity.
McAfee anticipated and responded to this trend, solving all these challenges through the launch of our MVISION Unified Cloud Edge solution in 2020. Unified Cloud Edge doesn’t simply offer data protections controls for endpoints, networks, web and the cloud; rather, Multi-Vector Data Protection provides customers with unified data classification and incident management that enables them to define data workflows once and have policies enforced consistently across each vector. Because of the unified approach and our extensive data protection heritage, we are delighted to be named a Leader in The Forrester Wave: Unstructured Data Security Platforms, Q2 2021. In our opinion, we were the top ranked dedicated cyber security vendor within the report.
We received the highest possible score in nine criteria with Forrester Research commenting on our “cloud-first data security approach” and customer recognition of our “breadth of capabilities (in particular for supporting remote work and cloud use)”.
We continue to innovate within our Unified Cloud Edge solution through the introduction of remote browser isolation to protect against risky web sites (our “heavy focus in supporting security and data protection in the cloud”), which uniquely to the market allows us to continue applying DLP controls even during isolated sessions. Delivering on increased customer value through innovation isn’t just limited to new features, for instance we continue to drive down costs through an unlimited SaaS application bundle.
Click below to read the full report.
: Unstructured Data Security Platforms, Q2 2021McAfee is delighted to be named a Leader in The Forrester Wave Unstructured Data Security Platforms, Q2 2021 report. We received the highest possible score in nine criteria with Forrester Research
The Forrester Wave: Unstructured Data Security Platforms, Q2 2021, 17 May 2021, Heidi Shey with Amy DeMartine, Shannon Fish, Peggy Dostie
The post McAfee a Leader in The Forrester Wave™ Unstructured Data Security Platforms appeared first on McAfee Blogs.
On May 12, the President signed the executive order (EO) on Improving the Nation’s Cybersecurity. As with every executive order, it establishes timelines for compliance and specific requirements of executive branch agencies to provide specific plans to meet the stated objectives.
It is clear from the EO that the Executive Office of the President is putting significant emphasis on cyber threat intelligence and how it will help government agencies make better decisions about responding to cyber threats and incidents. The EO also focuses on how federal agencies will govern resource access through Zero Trust and how to comprehensively define and protect hybrid service architectures. These are critical aspects as government agencies are moving more and more mission-critical applications and services to the cloud.
The call to action in this executive order is long overdue, as modernizing the nation’s cybersecurity approach and creating coordinated intelligence and incident response capabilities should have occurred years ago. Requiring that agencies recognize the shift in the perimeter and start tearing down silos between cloud services and physical data center services is going serve to improve visibility and understanding of how departments and sub-agencies are being targeted by adversaries.
I am sure government leaders have started to review their current capability along with their strategic initiatives to ensure they map to the new EO requirements. Where gaps are identified, agencies will need to update their plans and rethink their approach to align with the new framework and defined capabilities such as endpoint detection and response (EDR) and Zero Trust.
While the objectives outlined are critical, I do believe that agencies need to take appropriate cautions when deciding their paths to compliance. The goal of this executive order is not to add additional complexity to an already complex security organization. Rather, the goal should be to simplify and automate wherever possible. If the right approach is not decided on early, the risk is very real of adding too much complexity in pursuit of compliance, thus eroding the desired outcomes.
On the surface, it would seem that the areas of improvement outlined in the EO can be taken individually – applied threat intelligence, EDR, Zero Trust, data protection, and cloud services adoption. In reality, they should be viewed collectively. When considering solutions and architectures, agency leaders should be asking themselves some critical questions:
The executive order presents a great opportunity for government to evolve their cybersecurity approach to defend against modern threats and enable a more aggressive transition to the cloud and cloud services. There is also significant risk, as the urgency expressed in the EO could lead to hasty decisions that create more challenges than they solve. To capitalize on the opportunity presented in this executive order, federal leaders must embrace a holistic approach to cybersecurity that integrates all the solutions into a platform approach including robust threat intelligence. A standalone Zero Trust or EDR product will not accomplish an improved or modernized cybersecurity approach and could lead to more complexity. A well-thought-out platform, not individual products, will best serve public sector organizations, giving them a clear architecture that will protect and enable our government’s future.
The post The Executive Order – Improving the Nation’s Cyber Security appeared first on McAfee Blogs.
May 2021 has been an extraordinary month in the cybersecurity world, with the DoD releasing its DoD Zero Trust Reference Architecture (DoDZTRA), the Colonial Pipeline being hit with a ransomware attack, and the White House releasing its Executive Order on Improving the Nation’s Cybersecurity (EO). Add to that several major vendors that our government depends on for its critical operations disclosing critical vulnerabilities that could potentially expose our nation’s critical infrastructure to even more risk, ranging from compromised email and cloud infrastructures to very sophisticated supply chain attacks like the SolarWinds hack, which could have started as early as 2019.
If the situation sounds ominous, it is. The words and guidance outlined in the DoDZTRA and EO must be followed up with a clear path to action and all the stakeholders, both public and private, are not held accountable for progress. This should not be another roll-up reporting exercise, time to study the situation, or end up in analysis paralysis thinking about the problem. Our adversaries move at speeds we never anticipated by leveraging automation, artificial intelligence, machine learning, social engineering, and more vectors against us. It’s time for us to catch up and just very possibly think differently to get ahead.
There is no way around it: This time our nation must invest in protecting our way of life today and for future generations.
The collective “we” observed what happened when ransomware hit a portion of the nation’s critical infrastructure at Colonial Pipeline. If the extortion wasn’t bad enough, the panic buying of gasoline and even groceries in many of Eastern U.S. states impacted thousands of people seemingly overnight, with help from social and traditional media. It’s too early to predict what the exact financial and social impacts may have been on this attack. I suspect the $4.4M ransom paid was very small in the greater scheme of the event.
May 2021 has provided a wake-up call for public-private cooperation like we’ve never seen before. Perhaps we need to rethink cybersecurity altogether. During his keynote remarks at the recent RSA Conference, McAfee CTO Steve Grobman talked about how “as humans, we are awful at perceiving risk.” Influenced by media, anecdotal data, and evolutionary biology, we let irrational fears drive decision-making, which leads humans to misperceive actual risks and sub-optimize risk reduction in both the physical and cyber world. To combat these tendencies, Steve encourages us to “be aware of our biases and embrace data and science-based approaches to assess and mitigate risk.”
Enter Zero Trust Cybersecurity, which is an architectural approach – not a single vendor product or solution. The DoDZTRA takes a broader view of Zero Trust than the very narrow access control focus, saying it is “a cybersecurity strategy and framework that embeds security throughout the architecture to prevent malicious personas from accessing our most critical assets.” And our most critical assets are data.
NSA also recently weighed in on Zero Trust, recommending that an organization invest in identifying its critical data, assets, applications, and services. The NSA guidance goes on to suggest placing additional focus on architecting from the inside out; ensuring all paths to data, assets, applications, and services are secure; determining who needs access; creating control policies; and finally, inspecting and logging all traffic before reacting.
These practices require full visibility into all activity across all layers — from endpoints to the network (which includes cloud) — to enable analytics that can detect suspicious activity. The ability to have early or advanced warnings of global and local threat campaigns, indicators of compromise, and the capability to deliver proactive countermeasures is a must-have as part of an organization’s defensive strategies.
The Zero Trust guidance from both DoD and NSA is worth following. It’s also worth reprising the concept of defense in depth – the cybersecurity strategy of leveraging multiple security mechanisms to protect an organization’s assets. Relying on a single vendor for all an organization’s IT and security needs makes it much easier for the adversary.
If you believe in a good conspiracy theory, the month of May 2021 could provide great material for a made-for-TV movie. Earlier I mentioned that the collective “we” needs to be held accountable. Part of that accountability is defining success metrics as we take on a new path to real cybersecurity.
The post Why May 2021 Represents a New Chapter in the “Book of Cybersecurity Secrets” appeared first on McAfee Blogs.
At McAfee, we believe no one person, product or organization can combat cybercrime alone. That is why we continue to build our device-to-cloud security platform on the premise of working together – together with customers, partners and even other cybersecurity vendors. We continue this fight against the greatest challenges of our digital age: cybercrime. As part of our ongoing effort to protect what matters, we have developed breakthrough technologies over the past several years that enable customers to proactively respond to emerging threats and adversaries despite a constantly evolving threat landscape. So, today, we are extremely proud to announce that McAfee is positioned as a “Leader” in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms (EPP).
This is a monumental development in so many ways, especially when you consider that we were not recognized in the Magic Quadrant a few years ago. This recognition speaks volumes about the innovations we are bringing to market that resonate both with our customers and industry experts. Let me review, from my perspective, why McAfee is recognized in the Leaders Quadrant.
Here are some key innovations in our Endpoint Protection Platform that contributed to our Leader recognition:
We set out with a vision, to create the most powerful endpoint protection platform and we are aggressively executing towards this vision. Over the past 12 months, we have made great strides in developing a market leading product, MVISION Insights, and our cloud delivered MVISION EDR. Looking ahead, our goal is to develop a unified and open eXtended Detection and Response (XDR) solution and strategy that further delivers on our device-to-cloud strategy.
We believe, McAfee’s position as a Leader further acknowledges some of our key differentiators, such as MVISION Insights, and our ability to eclipse the market with an innovative device-to-cloud strategy that spans the portfolio, including web gateway, cloud, and our network security offerings.
We started by redefining our endpoint security offering with the release of MVISION Insights, a game-changing product that functions as the equivalent of an early warning system – effectively delivering preventative security. It’s hard to understate the significance of this innovation; we’re breaking the old paradigm of post-attack detection and analysis and enabling customers to stay ahead of threats. In parallel, we streamlined our EDR capabilities, which now provide AI-driven, guided investigations that ease the burden on already-stretched Security Operations Centers (SOCs).
The bottom line is that we’re the only vendor taking a proactive risk management approach for safer cloud usage while reducing total cost of ownership. In addition, we have improved our licensing structure to fit customer needs and simplify consumption of our endpoint security solutions. We’ve made it easy to choose from a simplified licensing structure allowing customers to buy subscriptions for complete endpoint protection with no add-ons or extra costs. Our user-based licensing agreements provide for 5 devices, thus enabling frictionless expansion to incorporate additional device support in remote work environments.
In just under a year, our latest release of McAfee Endpoint Security (ENS) 10.7 has emerged as our highest deployed version of any McAfee product worldwide and our fastest-ever single-year ramp. More than 15,000 customers comprising tens of millions of nodes are now on ENS 10.7 and are deploying its advanced defenses against escalating threats. Customers get added protected because ENS 10.7 is backed by our Global Threat Intelligence (GTI) service to provide adaptable, defense in-depth capabilities against the techniques used in targeted attacks, such as ransomware or fileless threats. It’s also easier to use and upgrade. All of this means your SOC can be assured that customers are protected with ENS 10.7 on their devices.
Customer input guides our thinking about what to do next. Since the best critics are the people who use our products, let’s give them the last word here.
“We are now positioned to block usage of personal instances of Sanctioned services while allowing the business to move forward with numerous cloud initiatives, without getting in the way. We also now have the visibility that was lacking to ensure that we can allow our user community to work safely from their homes without introducing risks to our corporate environment.”
–Kenn Johnson, Cybersecurity Consultant
Our continued commitment to our customers is to protect what matters. We believe that McAfee’s position in the Leaders Quadrant validates that we are innovating at the pace and scale that meets the most stringent needs of our enterprise customers. We are proud of our product teams and threat researchers who continue to be driven by our singular mission, and who strive to stay ahead of adversaries with their focus on technological breakthroughs, and advancements in researching threats and vulnerabilities.
What we have accomplished over the past several years, and our position as a Leader in the 2021 Gartner Magic Quadrant for EPP, is only the tip of the iceberg for what’s ahead.
McAfee named a Leader in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms. Download the Magic Quadrant report, which evaluates the 19 vendors based on ability to execute and completeness of vision.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner Magic Quadrant for Endpoint Protection Platforms, 5 May 2021 Paul Webber, Peter Firstbrook, Rob Smith , Mark Harris, Prateek Bhajanka
The post Gartner names McAfee a Leader in 2021 Magic Quadrant for Endpoint Protection Platforms appeared first on McAfee Blogs.
This year’s RSA Conference will look a little different. Instead of booking flights and hotel rooms in the busy city of San Francisco, we’ll be powering up computers in our home office with family in the next room. We’ve all had a tumultuous year and with that comes resilience, which is also this year’s conference theme.
Ahead of the RSA virtual conference, I spoke with a few of my colleagues about the major themes we should expect to see at RSA this year.
Scott Howitt, Senior Vice President and Chief Information Officer – The COVID lockdown has exposed to enterprises that the ability to recover your business (Business Continuity) is important in the face of disaster, but Business Resilience means that your business will be able to adapt to Black Swan events. I’ve seen technology be the catalyst for resilience for most organizations.
Raj Samani, Chief Scientist and McAfee Fellow – For me, it would be ability to continue operations in light of disruption. Whether that disruption originated from digital factors, or indeed physical but to keep the wheels turning.
John Fokker, Principal Engineer and Head of Cyber Investigations for McAfee ATR – Just like Boxing: Isn’t as much about not being hit, because you are in the ring and punches are thrown, but resilience to me is more about how fast you can get back up on your feet once you do get hit. The same is true with security operations, attackers are going to try to hit you, but how good is your defense so you can minimize the impact of the attack and in the case you do get knocked down what controls do you have in place that you can get back up and resume operations.
Amanda House, Data Scientist – Cybersecurity is a unique industry in that new cyberthreats are always improving to avoid detection. A machine learning model made a month ago could now have weakness an adversary has learned to exploit. Machine learning model practitioners need to be resilient in always innovating and improving on past models to outpace new threats. Resilience is constantly monitoring machine learning models so that when we notice decay we can quickly improve them to stop new cyberthreats.
Sherin Mathews, Senior Research Scientist – To me, cyber-resilience implies being able to protect critical assets, maintain operations, and, most importantly, embrace new technologies in the face of evolving threats. The cybersecurity field is an arms race scenario with the threat landscape changing so much. In case of threats like deepfakes, some deepfakes will reach ultra-realism in the coming few years, many will still be more amateurish, and we need to keep advancing towards the best detection methods with newer forms of threats. I feel resiliency doesn’t mean you can survive or defend against all attacks, but it means that if you are compromised, you have a plan that lets us recover quickly after a breach and continue to function. Deepfakes and other offshoots of AI will require businesses to create a transparent, agile, and holistic detection approach to protect endpoints, data, apps, and cloud services.
Samani – I anticipate Zero Trust will play a prominent role, considering the year of remote working, and a myriad of significant threats being realised.
Fokker – Definitely Zero-Trust but also combatting threats that come with working from home, and threat intelligence so organization can better understand the actions of their adversaries even before they step into the ring.
Howitt – I am hoping to see how others have adapted to life with COVID and now that it is receding, what do they think life with look like after. As for my session, I want to highlight the importance of adaptability and stress that this paradigm shift means we will never go back to normal.
House – Cybersecurity is not a career path I ever imagined for myself. As a student I always enjoyed math and computer science and I naturally gravitated toward those topics. My love of both subjects led me to pursue data science and machine learning. My first job out of college was in the cybersecurity industry and that was my first introduction to this career. Since then, I have loved how cybersecurity requires constant innovation and creative ways of using AI to stop new threats.
Mathews – My background and Ph.D. focused on developing novel dictionary learning and deep learning algorithms for classification tasks related to remote health monitoring systems (e.g., activity recognition for wearable sensors and heartbeat classification). With a background in machine learning, deep learning with applications to computer vision areas, I entered the field of cybersecurity during my work at Intel Security/Mcafee in 2016. I contributed towards increasing the effectiveness of cybersecurity products by creating novel machine learning/deep learning models to detect advanced threats(e.g., ransomware & steganography). In my industry work experience, I also had a chance to develop leading-edge research such as eXplainable A.I. (XAI) and deepfakes. Overall, the advent of artificial intelligence can be considered a significant milestone as A.I. is steadily flooding several industries. However, A.I. platforms can also be misused if in the wrong hands, and as research professionals, we need to step up to detect attacks or mishaps before they happen. I feel deeply passionate about XAI, ethical A.I., the opportunity to combat deepfakes and digital misinformation, and topics related to ML and DL with cybersecurity applications. Overall, it is an excellent feeling as a researcher to use your knowledge to combat threats that affect humanity and safeguard humans. Also, I believe that newer A.I. research topics such as GANs, Reinforcement learning, and few-shot learning have a lot to offer to combat advanced cybersecurity threats.
House – I am fortunate to work with a lot of great women in technology at McAfee. Not only are these women on the cutting edge of innovation but they are also great mentors and leaders. We need more smart people pursuing jobs in this industry and in order to recruit new talent, especially young graduates, we need to mentor and encourage them to pursue this career. Every woman I have met in this industry wants to see new talent succeed and will go the extra mile to provide mentorship. I have also noticed women tend to have unique backgrounds in this industry. For example, some of the women I look up to have degrees in biomedical engineering or physics. These unique backgrounds allow these women to bring innovative ideas from outside cybersecurity to solve some of the toughest problems in the cybersecurity industry. We need more talent from diverse backgrounds to bring in fresh ideas.
McAfee is a proud platinum with keynote level sponsor of RSA Conference 2021. Take in the McAfee virtual booth and sessions presented by McAfee industry leaders Here are some of the best ways to catch McAfee at RSA. Can’t wait to see you there!
The post RSA Conference 2021: The Best Place to Strengthen Your Resilience appeared first on McAfee Blogs.
With 2021 approaching, it is a time to both reflect on the outstanding progress we have each made – personally and professionally, and warmly welcome a new chapter in 2021!
2020 has been one of the most unexpected years in our history. However, despite COVID-19, we had some amazing successes.
January brought McAfee our new CEO – Peter Leav. It’s hard to believe it has only been a year under his leadership. What an impact! And, McAfee is back on the stock exchange.
2020 has also seen the rapid acceleration of cloud adoption. Typically, a move like that involves immense planning to minimize complexity. That didn’t always happen. And, as our Advanced Threat Research team has reported, cybercriminals took full advantage of more ransomware, malware, and general bad behavior. In fact, a recent McAfee report estimates global cybercrime losses will exceed $1 Trillion. Fortunately, McAfee customers benefited from the get-go with a robust, award-winning cloud-native portfolio that became even stronger in 2020.
Shortly after Peter joined, we closed our LightPoint Acquisition, enabling us to add Remote Browser Isolation (RBI) to MVISION Unified Cloud Edge (UCE). In March, we delivered multi-vector data protection for unified and comprehensive data protection across endpoints, web, and cloud. In August, we further enhanced our MVISION UCE offering by announcing pivotal SD-WAN Technology integrations. Finally, at MPOWER, we announced the industry first integration of Remote Browser Isolation into our Unified Cloud Edge solution.
To our award-winning and unmatched MVISION Cloud solution which is natively integrated into UCE, we were the first CASB to map cloud threats to MITRE ATT&CK. Introducing MITRE ATT&CK into the MVISION Cloud workflow helps SOC analysts to investigate cloud threats and security managers defend against future attacks with increased precision. Our new MVISION Cloud Security Advisor (CSA) – provides recommendations – broken into visibility and control metrics – to help prioritize cloud security controls implementation. We also delivered MVISION Cloud for Teams, which provides policy and collaboration controls to enable organizations to safely collaborate with partners without having to worry about exposing confidential data to guest users.
MVISION Cloud received its FedRAMP High JAB P-ATO designation and McAfee MVISION for Endpoint achieved FedRAMP Moderate Authorization. Both of those are important to enable our Federal customers to take advantage of the MVISION portfolio.
All of this helps our customers accelerate the easy adoption of a more complete Secure Access Service Edge (SASE) architecture and better defend against advanced web and cloud-based threats. In fact, our MVISION UCE customers can enjoy a nearly 40% annual TCO savings when they go from on-prem to cloud.
For our customers who want cloud native IaaS security while dealing existing on-prem data center deployments, we rolled out our new McAfee MVISION Cloud-Native Application Protection Platform (CNAPP), an integrated hybrid cloud security platform for comprehensive data protection, threat prevention, governance, and compliance for the cloud-native application lifecycle. We also announced native AWS Integrations for MVISION CNAPP.
The team and I are also extremely excited about the progress with our Endpoint portfolio across ENS, EDR and momentum behind MVISION Insights.
The still unfolding SolarWinds supply chain compromise has shown how unprepared SOC teams can be and why it is ever more important to have proactive and actionable threat intelligence at your fingertips. As news of an emerging campaign becomes viral, SOC teams must answer the topical question raised by the C-level or the Board “Are we impacted” which unfortunately till now took weeks if not days of scrambling to answer. We launched MVISION Insights early this summer to solve for exactly this problem. MVISION Insights leverages McAfee’s cutting-edge threat research, augmented with AI applied to real-time telemetry streamed from over a Billion sensors to identify and prioritize threats, before they hit. MVISION Insights can predict the impact on your countermeasures, and then tells you exactly how and where to improve your security posture. In essence, it enables you to “shift left” and anticipate and stop breaches before they happen. As the SolarWinds compromise was unfolding, MVISION Insights delivered actionable threat intelligence to McAfee’s customers within hours. The fact that we now have hundreds of customers who have adopted MVISION Insights as part of their SOC framework within a few months of release is a testament to the real value add they are enjoying. Best part is that it is also free for all our customers who have our integrated EPP+EDR SKUs: MV6 or MV7.
Our latest Endpoint protection product, ENS 10.7, is stronger with the highest quality and customer satisfaction than ever. ENS 10.7 couples all our endpoint protection capabilities with machine learning, behavior monitoring, fileless threat defense and Rollback Remediation. It’s also backed by our Global Threat Intelligence (GTI) to provide adaptable, defense in depth capability against the techniques used in targeted ransomware attacks. ENS 10.7 delivers meaningful value. Rollback Remediation, for instance, can save an average $500 per node in labor and productivity costs by eliminating need to reimage machines. ENS 10.7 became generally available about a year ago and has emerged as our #1 deployed enterprise product worldwide – the fastest ramp of any ENS release.
Equally on the EDR front, we delivered capabilities that make a measurable improvement for the ever tired SOC teams. The included AI Guided investigations can speed threat investigations from greater than 2 hours to as little as 6 minutes per incident. The SolarWinds compromise also showed that Organizations need an integrated platform that delivers complete visibility and control across their infrastructure including their supply chain. The recently announced MVISION XDR builds upon our EDR solution making it easier for our customers to achieve this complete visibility and control. It extends MVISION Insights across endpoints, network and cloud, making it the first proactive XDR platform to manage your risk. MVISION XDR dramatically expands the capabilities of traditional Endpoint Detection and Response (EDR) point solutions by delivering a fully integrated, SaaS-based platform to rapidly discover and mitigate the real threats to your users and data across all threat vectors. And, complementing our MVSION XDR solution is a host of partner solutions available via MVISION Marketplace.
Finally, we rolled out the Device-to-Cloud suites, making it easier for our customers to move to a cloud-native architecture. These three SaaS offerings all feature MVISION Insights and endpoint protection to provide right-sized security solutions in a simple-to-acquire package.
I am so proud that our customers and the industry also recognize the McAfee teams’ hard work. We were able to add a long list of awards and accolades to our portfolio in 2020.
Now that we’ve looked back at our successes, let’s take a moment to look forward and set goals for ourselves in the coming year. My team and I are committed to:
Against today’s increasingly sophisticated adversaries, your success is our success.
As we head into 2021, I want to take a moment to wish each of you peace, good health, and prosperity.
Happy holidays to you and yours!
Thanks, Shishir
The post Bring on 2021! appeared first on McAfee Blogs.
Everyone deserves a break after surviving this past year and I cannot think of better way to celebrate than to share some of our greatest accomplishments from 2020.
1. |
January 2020 Gartner Peer Insights VOC Customers’ Choice for CASB |
McAfee was the only vendor to be named the January 2020 Gartner Peer Insights ‘Voice of the Customer’ Customers’ Choice for Cloud Access Security Brokers (CASBs). The recognition is based on customer feedback and ratings for McAfee MVISION Cloud, which we believe provides a cloud-native and frictionless way for organizations to consistently protect their data and defend from threats across the spectrum of Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS). Everyone at McAfee is extremely proud and honored to be named by customers as a 2020 Gartner Peer Insights Customers’ Choice for CASB.
Disclaimer: Gartner, Gartner Peer Insights ‘Voice of the Customer’: Cloud Access Security Brokers, 13 March 2020
2. |
Coolest Cloud and Coolest Endpoint Security Companies |
CRN, the top news source for solution providers and the IT channel, included McAfee on its Security 100 list and named McAfee one of “The 20 Coolest Cloud Security Companies” and “The 20 Coolest Endpoint Security Companies” of 2020.
3. |
Most Innovative and Scalable Cloud and Endpoint Security Company |
During RSA 2020, Cyber Defense Magazine, the industry’s leading electronic information security magazine, named McAfee the Most Innovative Company in its Cloud Security category for McAfee MVISION Cloud. The magazine also listed McAfee Endpoint Security Most Innovative and McAfee MVISION EDR Most Scalable, both in the Endpoint Security category.
4. |
CASB Category Winner |
Info Security Products Guide, the industry’s leading information security research and advisory guide, named McAfee a winner in the 16th Annual 2020 Info Security PG’s Global Excellence Awards® in its Cloud Access Security Brokers (CASB) category for MVISION Cloud for Container Security.
5. |
2020 Gartner Peer Insights Customers’ Choice VOC for Secure Web Gateways |
We’re thrilled to be named the 2020 Gartner Peer Insights ‘Voice of the Customer’ Customers’ Choice for Secure Web Gateways (SWGs) for the second year in a row. The recognition is based on customer feedback and ratings for the McAfee Web Security portfolio which consists of McAfee Web Protection (MWP), McAfee Web Gateway (MWG) and McAfee Web Gateway Cloud Service (MWGCS). We believe this customer recognition validates our commitment to innovate and invest in technology that aims to reduce the cost and complexity of modern cybersecurity. With the McAfee Web Security portfolio, organizations can enforce their internet policy compliance and extend their perimeter security for a borderless IT environment.” said Ash Kulkarni, executive vice president and chief product officer, McAfee.
Disclaimer: Gartner, Gartner Peer Insights ‘Voice of the Customer’: Secure Web Gateways, 09 April 2020
6. |
MVISION Cloud Wins 2020 Fortress Cyber Security Award |
McAfee MVISION Cloud took top honors in the 2020 Fortress Cyber Security Awards in the data protection category for its cloud access security broker (CASB) technology. The industry awards program seeks to highlight, discuss and reward the creative thinking, engineering, people and projects that are taking proactive steps to thwart cybersecurity attacks.
7. |
2020 Gartner Peer Insights ‘Voice of the Customer’ for Both Enterprise DLP and SIEM Solutions Report |
We’re excited to be named a 2020 Gartner Peer Insights ‘Voice of the Customer’ Customers’ Choice for Enterprise Data Loss Prevention (DLP) and a 2020 Gartner Peer Insights ‘Voice of the Customer’ Customers’ Choice for Security Information Event Management (SIEM). The Gartner Peer Insights Customers’ Choice Recognition is based on feedback and ratings from end-user professionals who purchase, implement and/or use McAfee’s DLP and SIEM solutions. “We think rigorously validated customer reviews are the true mark of value and quality,” said Anand Ramanathan, vice president of enterprise products, McAfee.
Disclaimer: Gartner, Gartner Peer Insights ‘Voice of the Customer’: Enterprise Data Loss Prevention, 01 July 2020 & Gartner, Gartner Peer Insights ‘Voice of the Customer’: Security Information Event Management, 03 July 2020
8. |
Named to the Diversity Best Practices Inclusion Index |
It’s an honor to be recognized as an inclusive workplace by Diversity Best Practices (DBP), a division of Working Mother Media. McAfee was among the 98 organizations that earned a place on the fourth annual Inclusion Index. McAfee’s efforts to create a more inclusive workplace focus on attracting and hiring diverse talent, cultivating an environment where everyone thrives, and igniting change within our industry and community. Read more about McAfee’s strategy and results in the 2019 Impact Report.
9. |
Named a Leader in 2020 Gartner Magic Quadrant for Cloud Access Security Brokers |
This year, we are positioned as a Leader in the 2020 Gartner “Magic Quadrant for Cloud Access Security Brokers” (CASB) for every one of the four years the quadrant has been published. The report, which evaluates vendors based on their ability to execute and on their completeness of vision, positioned McAfee highest and furthest, respectively, for these attributes in the entire Magic Quadrant. A complimentary copy is available on the McAfee web site.
Disclaimer: Gartner, Magic Quadrant for Cloud Access Security Brokers, Steve Riley, Craig Lawson, 30 October 2020.
10. |
Ken McCray Named One of CRN’s 50 Most Influential Channel Chiefs |
Ken McCray, head of channels sales and operations Americas at McAfee, was named to CRN’s exclusive list of the 50 Most Influential Channel Chiefs for 2020. This annual list recognizes the elite vendor executives who lead, influence, innovate, and disrupt the IT channel. We congratulate McCray for his outstanding commitment, ability to lead, and passion for progress within the channel through our partner programs.
The GARTNER PEER INSIGHTS CUSTOMERS’ CHOICE badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliate.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
The post 10 Reasons to Celebrate 2020 appeared first on McAfee Blogs.
2020 has been a tumultuous and unpredictable year, where we restructured our lives and redefined how we work and interact with each other. In the past nine months, we saw IT security and the digital world challenged and taken to new heights. Although 2020 has undoubtedly been a year of trials and tribulations, I wanted to share some of McAfee’s top highlights.
The list that follows is drawn from some of this year’s greatest accomplishments.
1. |
New Global Managed Detection and Response Platform |
At the RSA Conference in February, we launched our MDR platform and our first strategic partner to leverage our MVISION EDR solution to proactively detect cyber threats faced by customers and resolve security incidents faster. Our MDR service with DXC Technology provides 24/7 critical alert monitoring, managed threat hunting, advanced investigations, and threat disruption 365 days a year.
2. |
Cloud Risk & Adoption Report: Work-from-Home Edition |
With the new work from home environment, we released a report uncovering a correlation between the increased use of cloud services and collaboration tools, such as Cisco WebEx, Zoom, Microsoft Teams and Slack during the COVID-19 pandemic, along with an increase in cyber-attacks targeting the cloud.
3. |
MVISION Cloud Becomes First CASB to Receive U.S. Government’s FedRAMP High JAB P-ATO Designation |
To support today’s U.S. governments race to modernize its IT infrastructure in the constantly evolving threat landscape, McAfee has pursued and received a Federal Risk and Authorization Management Program (FedRAMP) Authorization designation for McAfee MVISION for Endpoint at the moderate security impact level. Learn more here.
4. |
Election Website Security Shortcomings |
Ahead of the 2020 U.S. Presidential election, we released a survey revealing a severe lack of U.S. government .GOV validation and HTTPS encryption among county election websites in 13 states. The January 2020 survey found that as many as 83.3% of these county websites lacked .GOV validation across these states, and 88.9% and 90.0% of websites lacked such certification. Subsequently, reports emerged from the U.S. Federal Bureau of Investigations and the FBI and Department of Homeland Security, which compelled us to conduct a follow-up survey of county election websites in all 50 U.S. states.
5. |
Industry’s First Proactive Security Solution to Help Organizations Stay Ahead of Emerging Threats |
MVISION Insights provides actionable and preemptive threat intelligence by leveraging our cutting-edge threat research, augmented with sophisticated AI applied to real-time threat telemetry streamed from over 1 billion sensors. The integration of MVISION Insights significantly enhances the capabilities of our award winning endpoint security platform by managing the attack surface, preventing ransomware and aiding security teams to easily investigate and respond to advanced attacks.
6. |
Threat Actor Evolution During the Pandemic |
Our McAfee Labs team released a report examining cybercriminal activity related to COVID-19 and the evolution of cyber threats in Q1 2020. The team saw an average of 375 new threats per minute and a surge of cybercriminals exploiting the pandemic through COVID-19 themed malicious apps, phishing campaigns, malware, and more. Read the full report Q1 2020 here, and feel free to enjoy the bumper edition of the McAfee Labs Threats Report: November 2020, here.
7. |
Introducing MVISION CNAPP |
McAfee announced CNAPP, a new security service that combines solutions from Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), Data Loss Prevention (DLP), and Application Protection into a single solution. Now in beta with a target launch date of Q1, 2021, we built CNAPP to provide InfoSec teams broad visibility into their cloud native applications.
8. |
Taking Threat Detection and Response to a New Level |
At MPOWER 2020, we announced McAfee XDR, a complete platform that provides SOCs visibility into how threats are impacting your key business processes, prioritizes response and delivers a full-integrated platform of security technologies. Our AI and Big Data analytics capabilities supplies SOCs with threat and campaign insights before an attack changes course, to avoid wasting time chasing false positives. Defenders get fewer and more meaningful alerts, making it easier to prioritize their response based on the severity and potential impact of a threat.
9. |
Expansions to McAfee’s MVISION Platform |
Continuing on MPOWER’s momentum, we launched MVISION Marketplace, MVISION API and MVISION Developer Portal, allowing customers to quickly and easily integrate McAfee and trusted SIA partner applications as well as privately developed applications within their current security environment. The launch enables security teams to swiftly address security gaps in their architecture and easily improve security posture.
10. |
McAfee Goes Public |
On October 22, 2020, McAfee rang the bell on NASDAQ and officially became a publicly traded company again. It was a momentous occasion for the company and all our dedicated employees and partners. A huge thank you goes out to our employees for their support and invaluable contributions in helping McAfee reach this milestone We’re excited for the future!
Thank you to our wonderful employees, partners and customers for helping us achieve our goals and we look forward to working with everyone in the new year!
The post 2020 Hindsight – Top 10 Highlights from McAfee appeared first on McAfee Blogs.
Today’s U.S. government is in a race to modernize its IT infrastructure to support ever more complicated missions, growing workloads and increasingly distributed teams—and do so facing a constantly evolving threat landscape. To support these efforts, McAfee has pursued and received a Federal Risk and Authorization Management Program (FedRAMP) Authorization designation for McAfee MVISION for Endpoint at the moderate security impact level.
This FedRAMP Moderate designation is equivalent to DoD Impact Level 2 (IL2) and certifies that the McAfee solution has passed rigorous security requirements for the increasingly complex and expanding cloud environments of the U.S. government. The FedRAMP Moderate authorization validates the McAfee solution’s implementation of the baseline 325 NIST 800-53 controls, allowing users from federal agencies, state and local government, and other industries in regulated environments to manage Controlled Unclassified Information (CUI) such as personally identifiable information (PII) and routine covered defense information (CDI).
By achieving FedRAMP Moderate Authorization for MVISION for Endpoint, McAfee can provide the command and control cyber defense capabilities government environments need to enable on-premise and remote security teams, allowing them to maximize time and resources, enhance security efficiency and boost resiliency.
McAfee MVISION for Endpoint consists of three primary components: McAfee MVISION Endpoint Detection and Response (EDR), McAfee MVISION ePolicy Orchestrator (ePO) and McAfee Endpoint Security Adaptive Threat Protection with Real Protect (ENS ATP):
Together, these solutions provide today’s U.S. government agencies the AI-guided endpoint threat detection, investigation and response capabilities they need to confront today’s ever evolving threats across a wide variety of devices. This important FedRAMP milestone is the latest affirmation of McAfee’s long-standing commitment to providing U.S. government agencies advanced, cloud-based cyber defenses to help them meet whatever mission they may confront today and in the future.
Other recent McAfee public sector achievements include:
Please see the following for more information on McAfee’s efforts in the FedRAMP mission:
The post McAfee MVISION Solutions Meet FedRAMP Cloud Security Requirements appeared first on McAfee Blogs.
Change happens – sometimes much faster than expected – like it has in 2020. When the threat landscape shifts suddenly, security professionals must quickly react and change their security posture. This not only means reconfiguring existing security investments but also adding new ones.
But given the number of heterogenous security applications sold by multiple vendors, new security expansions are tough to manage. They not only have to co-exist with the existing security infrastructure, but they must be integrated to avoid leaving security gaps attackers can exploit. User and business experience must be maintained as well. Is it any wonder, then, that CISOs continue to struggle? It’s hard to optimize and manage existing cybersecurity software investments — and expand security capabilities – all the while keeping up with shifting business needs.
It is time you demand more from your security vendors. It’s perfectly reasonable to expect them to do the following:
Here’s where “Composable Security,” a breakthrough architectural extension from McAfee addresses this chronic IT turbulence. In practice, the concept allows MVISION ePO (ePolicy Orchestrator) administrators to add multi-vendor security modules quickly and easily assemble best-in-class solutions that meet your particular needs. Users can compose, and then re-compose, powerful, cloud-based or on-prem security solutions certified to seamlessly plug-and-play. With a few clicks, you can add new capabilities to your existing security infrastructure in minutes.
MVISION ePO now offers Composable Security capabilities. Let’s take a closer look:
The era of monolithic and often disconnected, security solutions has passed. We believe customers want a connected security architecture that can rapidly adopt and implement new tools, sensors and data from a myriad of disparate but innovative solutions. When change occurs seemingly overnight, like we saw with the explosion in the number of people working from home due to Covid-19, executives don’t have the luxury of waiting until the next budget cycle to take action. But with MVISION Marketplace, we are enabling companies to easily scale their security infrastructure.
This new application marketplace enables McAfee and our partners to deliver pre-integrated, best-in-class solutions to customers. The marketplace offers products that expand and extend McAfee solutions. Organized in easy to understand categories, the marketplace features a tile per partner. Each integration is “McAfee Certified” which means that McAfee has certified the integration with that partner.
Clicking on the tile enables you to drill down and understand the value delivered by each integration. When you see something you like, click through and try it out. Here’s where pre-integration makes the combined value proposition easy to understand. The idea is for customers to experience the value quickly before they make a decision.
By utilizing our partners in the MVISION Marketplace, you can not only evolve your security architecture; you also improve your team’s responsiveness to real-time threats—and become less preoccupied with tool integration.
We worked closely with multiple partners to build out this marketplace. These composable solutions are from leaders in their field including Attivo Networks, IBM Security, Seclore, Service Now, Siemplify, and ThreatQ. Their certified solutions extend the capabilities of existing security environments, whether cloud-based or on premise. This new ability to mix and match applications over and over also addresses many pressing business challenges. It helps organizations address technology, time, compliance, and resource constraints in minutes — rather than in hours, days or weeks.
Attivo working with McAfee delivers the best endpoint solution in the industry. Attivo’s blog covers how McAfee + Attivo are better together for customers.
Seclore working with McAfee delivers the best Information security solution in the industry. Read their blog to learn how McAfee + Seclore are better together for customers.
ThreatQuotient, Swimlane, and Siemplify, working with McAfee, deliver one of the best SOC solutions in the industry. Learn more about how ThreatQuotient, Swimlane, and Siemplify are better together with McAfee for our customers.
Our market leading Security Innovation Alliance Program has created the largest integrated security ecosystem in the industry. We’re not done. You can expect us to add new partners quickly. In the meantime, if you find a partner missing that you want us to add to our list, please reach out to me.
We live in an era where more security is automated rather than managed through consoles. MVISION API’s goal is to be the single interface for your non-console interactions with the McAfee portfolio. It’s a powerful capability that delivers a single, web scale, global interface with unparalleled access to your McAfee portfolio. The goal is threefold:
The API, at launch, is tuned towards an Open EDR solution enabling customers to expand and extend MVISION EDR. Top use cases are driven by the need of SOC analysts to build playbooks, manage cases, search for IOCs, synchronize Incidents and build intelligent extensions to the vast amount of control visibility we provide.
We have very ambitious plans. So, watch this space as we make rapid progress.
Opening up the MVISION Developer Portal to all Innovators using the MVISION APIs, application developers and ISVs can build public or private applications. This portal for application developers enables them to build, test, and certify their applications prior to making them available on MVISION Marketplace or for customers to develop and deploy their private apps.
I expect startups will leverage MVISION APIs to build their innovation on top of McAfee products. In fact, we encourage them to do so and deliver their innovations next to McAfee products and deliver them to our customers through the marketplace.
Of course, organizations can also choose to create a variety of custom apps using MVISION APIs from the MVISION Developer Portal. The only limit is your own creativity. You can build new Intelligent apps, automate your current processes, integrate your SIEM, build an OT extension, or just sit back and enjoy a comprehensive dashboard that tracks your security posture.
These capabilities work together to deliver a Composable Security Platform enabling McAfee and its ecosystem to deliver pre-integrated, high-value solutions to customers. This is a big breakthrough that will make your job easier. All it now takes is a few minutes to make a few clicks to add valuable new capability.
Try it out and see for yourself at http://marketplace.mcafee.com/ and https://developer.mcafee.com/. I hope you will find this set of capabilities valuable and welcome your ideas on how to make them even better. And don’t be shy. Drop me a line @ javed_hasan@mcafee.com to tell me what improvements you want to see.
The post Bridge the Gap Between the Security You Have and the Security You Need appeared first on McAfee Blogs.
Corporate boards have many dimensions of responsibility. Cybersecurity can be one of the most nuanced and important areas of focus for a board, but not all board members are well versed in why and what they need to care about related to cybersecurity.
Cybersecurity is a board level topic for three main reasons:
Security breaches can hurt companies financially, negatively impact brand reputation, and result in data loss (both personal and company intellectual property) just to name a few of the impacts. Unfortunately breaches that impact hundreds of millions or even billions of people are more common that we would like. Some of the more notable cybersecurity breaches you may remember are Equifax back in 2017, Adobe in 2013, and Zynga (the company that makes Words with Friends) in 2019. In July 2020, we saw key high-profile Twitter accounts compromised. You don’t want to see your company name in the news headlines due to a breach!
Besides security breaches, governance in cybersecurity is becoming more important. Governance describes the policies and processes which determine how organizations detect, prevent, and respond to cyber incidents. In many organizations, there is a division between the governance and management activities. Board members should be involved in evaluating security related reporting requirements and overall competence of the cybersecurity program, policies and procedures. If you are a US public company, there are additional board requirements from the Securities and Exchange Commission that you should be familiar with such as requiring written disclosure of how the board administers its risk oversight function.
Government regulations and compliance also needs to be considered. However, just being compliant doesn’t mean you are secure. Cyber legislation has been frequently proposed by Congress over the years. Almost all US states have their own laws about what constitutes a security breach and when to disclose the breach. It is important to understand the local, state and federal laws (including international laws) related to cybersecurity for where you do business.
Everyone on the board is responsible and could potentially be held accountable for a breach both legally and financially. It is not only the CISO, CSO or CIO’s responsibility to care and do the right thing. We all have a role to play to ensure the company is protected and set up for success.
When one person doesn’t do their part, things can fall apart for a company. For instance, in August 2020, a former Uber company executive was criminally prosecuted for not disclosing a data breach back in 2016. Uber’s former Chief Security Officer was charged with obstruction of justice and concealing a felony for allegedly failing to report their 2016 breach to the Federal Trade Commission. This is the first direct example in the US of an executive facing criminal charges and jail time over how they responded to a data breach.
As you discuss cybersecurity on the board, how do you evaluate your company’s stance? Here are some tips you can start doing today. This list is by no way complete, but here are things you can start doing today.
Cybersecurity is a very important topic for the boardroom and should not be taken lightly; however, it doesn’t need to be overwhelming. Utilize these tips to get you on the right path for your company, and if you don’t have a cybersecurity expert on your board, there are experts who can provide guidance.
The post Are You Prepared for Cybersecurity in the Boardroom? appeared first on McAfee Blogs.
Network Products Guide, the industry’s leading technology research and advisory guide, recently named the winners in their 15th Annual 2020 Network PG’s IT World Awards. Judges from a broad spectrum of industry voices around the world participated and their average scores determined the 2020 award winners. McAfee took center stage with three wins, including Gold for McAfee MVISION Endpoint Detection and Response (EDR) and Silver for McAfee MVISION Cloud for Containers and McAfee MVISION Unified Cloud Edge (UCE).
The IT World Awards are industry and peer recognitions from Network Products Guide honoring achievements of world’s best in organizational performance, product and service innovations, hot technologies, executives and management teams, successful deployments, product management and engineering, customer satisfaction, and public relations in information technology and cyber security. These wins further validate McAfee’s position as a company poised to successfully help organizations solve for real-time security issues.
McAfee was recognized in the following categories:
For a complete list of McAfee’s accolades and industry recognition, visit: https://www.mcafee.com/enterprise/en-us/about/awards.html
The post McAfee Leapfrogs Competition with trio of awards at 2020 IT World Awards appeared first on McAfee Blogs.
FreshRSS 