Login
Introduction: Knowing the Notions Industrial Internet of Things (IIoT) incorporates technologies such as machine learning, machine-to-machine (M2M) communication, sensor data, Big Data, etc. This article will focus predominantly on the consumer Internet of Things (IoT) and how it relates to Operational Technology (OT). Operational Technology (OT) is a term that defines a specific category of […]
The post IoT Security Fundamentals: IoT vs OT (Operational Technology) appeared first on Infosec Resources.
As Congress prepares to return to Washington in the coming weeks, finalizing the FY2021 National Defense Authorization Act (NDAA) will be a top priority. The massive defense bill features several important cybersecurity provisions, from strengthening CISA and promoting interoperability to creating a National Cyber Director position in the White House and codifying FedRAMP.
These are vital components of the legislation that conferees should work together to include in the final version of the bill, including:
One of the main recommendations of the Cyberspace Solarium Commission’s report this spring was to further strengthen CISA, an agency that has already made great strides in protecting our country from cyberattacks. An amendment to the House version of the NDAA would do just that, by giving CISA additional authority it needs to effectively hunt for threats and vulnerabilities on the federal network.
Bad actors, criminal organizations and even nation-states are continually looking to launch opportunistic attacks. Giving CISA additional tools, resources and funding needed to secure the nation’s digital infrastructure and secure our intelligence and information is a no-brainer and Congress should ensure the agency gets the resources it needs in the final version of the NDAA.
Perhaps now more than ever before, interoperability is key to a robust security program. As telework among the federal workforce continues and expands, an increased variety of communication tools, devices and networks put federal networks at risk. Security tools that work together and are interoperable better provide a full range of protection across these environments.
The House version of the NDAA includes several provisions to promote interoperability within the National Guard, military and across the Federal government. The Senate NDAA likewise includes language that requires the DoD craft regulations to facilitate DoD’s access to and utilization of system, major subsystem, and major component software-defined interfaces to advance DoD’s efforts to generate diverse and effective kill chains. The regulations and guidance would also apply to purely software systems, including business systems and cybersecurity systems. These regulations would also require acquisition plans and solicitations to incorporate mandates for the delivery of system, major subsystem, and major component software defined interfaces.
For too long, agencies have leveraged a grab bag of tools that each served a specific purpose, but didn’t offer broad, effective coverage. Congress has a valuable opportunity to change that and encourage more interoperable solutions that provide the security needed in today’s constantly evolving threat landscape.
The House version of the NDAA would establish a Senate-confirmed National Cyber Director within the White House, in charge of overseeing digital operations across the federal government. This role, a recommendation of the Cyberspace Solarium Commission, would give the federal government a single point person for all things cyber.
As former Rep. Mike Rodgers argued in an op-ed published in The Hill last month, “the cyber challenge that we face as a country is daunting and complex.” We face new threats every day. Coordinating cyber strategy across the federal government, rather than the agency by agency approach we have today, is critical to ensuring we stay on top of threats and effectively protect the nation’s critical infrastructure, intellectual property and data from an attack.
The FedRAMP Authorization Act, included in the House version of the NDAA, would codify the FedRAMP program and give it a formal standing for Congressional review, a critical step towards making the program more efficient and useful for agencies across the government. Providing this program more oversight will further validate the FedRAMP approved products from across the industry as safe and secure for federal use. The FedRAMP authorization bill also includes language that will help focus the Administration’s attention on the need to secure the vulnerable spaces between and among cloud services and applications. Agencies need to focus on securing these vulnerabilities between and among clouds since sophisticated hackers target these seams that too often are left unprotected.
Additionally, the Pentagon has already committed to FedRAMP reciprocity. FedRAMP works – and codifying it to bring the rest of the Federal government into the program would offer an excellent opportunity for wide-scale cloud adoption, something the federal government would benefit greatly from.
We hope that NDAA conferees will consider these important cyber provisions and include them in the final version of the bill and look forward to continuing our work with government partners on important cyber issues like these.
The post NDAA Conference: Opportunity to Improve the Nation’s Cybersecurity Posture appeared first on McAfee Blogs.
In January 2020, McAfee released the results of a survey establishing the extent of the use of .GOV validation and HTTPS encryption among county government websites in 13 states projected to be critical in the 2020 U.S. Presidential Election. The research was a result of my concern that the lack of .GOV and HTTPS among county government websites and election-specific websites could allow foreign or domestic malicious actors to potentially create fake websites and use them to spread disinformation in the final weeks and days leading up to Election Day 2020.
Subsequently, reports emerged in August that the U.S. Federal Bureau of Investigations, between March and June, had identified dozens of suspicious websites made to look like official U.S. state and federal election domains, some of them referencing voting in states like Pennsylvania, Georgia, Tennessee, Florida and others.
Just last week, the FBI and Department of Homeland Security released another warning about fake websites taking advantage of the lack of .GOV on election websites.
These revelations compelled us to conduct a follow-up survey of county election websites in all 50 U.S. states.
Using a .GOV web domain reinforces the legitimacy of the site. Government entities that purchase .GOV web domains have submitted evidence to the U.S. government that they truly are the legitimate local, county, or state governments they claimed to be. Websites using .COM, .NET, .ORG, and .US domain names can be purchased without such validation, meaning that there is no governing authority preventing malicious parties from using these names to set up and promote any number of fraudulent web domains mimicking legitimate county government domains.
An adversary could use fake election websites for disinformation and voter suppression by targeting specific citizens in swing states with misleading information on candidates or inaccurate information on the voting process such as poll location and times. In this way, a malicious actor could impact election results without ever physically or digitally interacting with voting machines or systems.
The HTTPS encryption measure assures citizens that any voter registration information shared with the site is encrypted, providing greater confidence in the entity with which they are sharing that information. Websites lacking the combination of .GOV and HTTPS cannot provide 100% assurance that voters seeking election information are visiting legitimate county and county election websites. This leaves an opening for malicious actors to steal information or set up disinformation schemes.
I recently demonstrated how such a fake website would be created by mimicking a genuine county election website and then inserting misleading information that could influence voter behavior. This was done in an isolated lab environment that was not accessible to the internet as to not create any confusion for legitimate voters.
In many cases, election websites have been set up to provide a strong user experience versus a focus on mitigating concerns that they could be spoofed to exploit the communities they serve. Malicious actors can pass off fake election websites and mislead large numbers of voters before detection by government organizations. A campaign close to election day could confuse voters and prevent votes from being cast, resulting in missing votes or overall loss of confidence in the democratic system.
McAfee’s September survey of county election administration websites in all 50 U.S. states (3089 counties) found that 80.2% of election administration websites or webpages lack the .GOV validation that confirms they are the websites they claim to be.
Nearly 45% of election administration websites or webpages lack the necessary HTTPS encryption to prevent third-parties from re-directing voters to fake websites or stealing voter’s personal information.
Only 16.4% of U.S. county election websites implement U.S. government .GOV validation and HTTPS encryption.
| States | # Counties | # .GOV | % .GOV | # HTTPS | % HTTPS | # BOTH | %BOTH |
| Alabama | 67 | 8 | 11.9% | 26 | 38.8% | 6 | 9.0% |
| Alaska | 18 | 1 | 5.6% | 12 | 66.7% | 1 | 5.6% |
| Arizona | 15 | 11 | 73.3% | 14 | 93.3% | 11 | 73.3% |
| Arkansas | 75 | 18 | 24.0% | 30 | 40.0% | 17 | 22.7% |
| California | 58 | 8 | 13.8% | 45 | 77.6% | 6 | 10.3% |
| Colorado | 64 | 21 | 32.8% | 49 | 76.6% | 20 | 31.3% |
| Connecticut | 8 | 1 | 12.5% | 2 | 25.0% | 1 | 12.5% |
| Delaware | 3 | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| Florida | 67 | 4 | 6.0% | 64 | 95.5% | 4 | 6.0% |
| Georgia | 159 | 40 | 25.2% | 107 | 67.3% | 35 | 22.0% |
| Hawaii | 5 | 4 | 80.0% | 4 | 80.0% | 4 | 80.0% |
| Idaho | 44 | 6 | 13.6% | 28 | 63.6% | 5 | 11.4% |
| Illinois | 102 | 14 | 13.7% | 60 | 58.8% | 12 | 11.8% |
| Indiana | 92 | 28 | 30.4% | 41 | 44.6% | 16 | 17.4% |
| Iowa | 99 | 27 | 27.3% | 80 | 80.8% | 25 | 25.3% |
| Kansas | 105 | 8 | 7.6% | 46 | 43.8% | 2 | 1.9% |
| Kentucky | 120 | 19 | 15.8% | 28 | 23.3% | 15 | 12.5% |
| Louisiana | 64 | 5 | 7.8% | 12 | 18.8% | 2 | 3.1% |
| Maine | 16 | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| Maryland | 23 | 9 | 39.1% | 22 | 95.7% | 8 | 34.8% |
| Massachusetts | 14 | 3 | 21.4% | 5 | 35.7% | 2 | 14.3% |
| Michigan | 83 | 9 | 10.8% | 63 | 75.9% | 9 | 10.8% |
| Minnesota | 87 | 5 | 5.7% | 59 | 67.8% | 5 | 5.7% |
| Mississippi | 82 | 8 | 9.8% | 30 | 36.6% | 5 | 6.1% |
| Missouri | 114 | 8 | 7.0% | 49 | 43.0% | 7 | 6.1% |
| Montana | 56 | 15 | 26.8% | 21 | 37.5% | 8 | 14.3% |
| Nebraska | 93 | 35 | 37.6% | 73 | 78.5% | 32 | 34.4% |
| Nevada | 16 | 3 | 18.8% | 13 | 81.3% | 2 | 12.5% |
| New Hampshire | 10 | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| New Jersey | 21 | 3 | 14.3% | 11 | 52.4% | 2 | 9.5% |
| New Mexico | 33 | 7 | 21.2% | 20 | 60.6% | 6 | 18.2% |
| New York | 62 | 15 | 24.2% | 48 | 77.4% | 14 | 22.6% |
| North Carolina | 100 | 37 | 37.0% | 69 | 69.0% | 29 | 29.0% |
| North Dakota | 53 | 3 | 5.7% | 19 | 35.8% | 2 | 3.8% |
| Ohio | 88 | 77 | 87.5% | 88 | 100.0% | 77 | 87.5% |
| Oklahoma | 77 | 1 | 1.3% | 24 | 31.2% | 1 | 1.3% |
| Oregon | 36 | 1 | 2.8% | 22 | 61.1% | 0 | 0.0% |
| Pennsylvania | 67 | 11 | 16.4% | 40 | 59.7% | 7 | 10.4% |
| Rhode Island | 5 | 2 | 40.0% | 3 | 60.0% | 0 | 0.0% |
| South Carolina | 46 | 15 | 32.6% | 33 | 71.7% | 13 | 28.3% |
| South Dakota | 66 | 2 | 3.0% | 14 | 21.2% | 1 | 1.5% |
| Tennessee | 95 | 23 | 24.2% | 38 | 40.0% | 12 | 12.6% |
| Texas | 254 | 10 | 3.9% | 86 | 33.9% | 6 | 2.4% |
| Utah | 29 | 8 | 27.6% | 16 | 55.2% | 7 | 24.1% |
| Vermont | 14 | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% |
| Virginia | 95 | 33 | 34.7% | 61 | 64.2% | 35 | 36.8% |
| Washington | 39 | 7 | 17.9% | 26 | 66.7% | 6 | 15.4% |
| West Virginia | 55 | 18 | 32.7% | 33 | 60.0% | 16 | 29.1% |
| Wisconsin | 72 | 16 | 22.2% | 61 | 84.7% | 11 | 15.3% |
| Wyoming | 23 | 4 | 17.4% | 15 | 65.2% | 2 | 8.7% |
| Total | 3089 | 611 | 19.8% | 1710 | 55.4% | 507 | 16.4% |
We found that the battleground states were largely in a bad position when it came to .GOV and HTTPS.
Only 29% of election websites used both .GOV and HTTPS in North Carolina, 22% in Georgia, 15.3% in Wisconsin, 10.8% in Michigan, 10.4% in Pennsylvania, and 2.4% in Texas.
While 95.5% of Florida’s county election websites and webpages use HTTPS encryption, only 6% percent validate their authenticity with .GOV.
During the January 2020 survey, only 11 Iowa counties protected their election administration pages and domains with .GOV validation and HTTPS encryption. By September 2020, that number rose to 25 as 14 counties added .GOV validation. But 72.7% of the state’s county election sites and pages still lack official U.S. government validation of their authenticity.
Alternatively, Ohio led the survey pool with 87.5% of election webpages and domains validated by .GOV and protected by HTTPS encryption. Four of Five (80%) Hawaii counties protect their main county and election webpages with both .GOV validation and encryption and 73.3% of Arizona county election websites do the same.
Separate Election Sites. As many as 166 counties set up websites that were completely separate from their main county web domain. Separate election sites may have easy-to-remember, user-friendly domain names to make them more accessible for the broadest possible audience of citizens. Examples include my own county’s www.votedenton.com as well as www.votestanlycounty.com, www.carrollcountyohioelections.gov, www.voteseminole.org, and www.worthelections.com.
The problem with these election-specific domains is that while 89.1% of these sites have HTTPS, 92.2% lack .GOV validation to guarantee that they belong to the county governments they claim. Furthermore, only 7.2% of these domains have both .GOV and HTTPS implemented. This suggests that malicious parties could easily set up numerous websites with similarly named domains to spoof these legitimate sites.
Not on OUR website. Some smaller counties with few resources often reason that they can inform and protect voters simply by linking from their county websites to their states’ official election sites. Other smaller counties have suggested that social media platforms such as Facebook are preferable to election websites to reach Internet-savvy voters.
Unfortunately, neither of these approaches prevents malicious actors from spoofing their county government web properties. Such actors could still set up fake websites regardless of whether the genuine websites link to a .GOV validated state election website or whether counties set up amazing Facebook election pages.
For that matter, Facebook is not a government entity focused on validating that organizational or group pages are owned by the entities they claim to be. The platform could just as easily be used by malicious parties to create fake pages spreading disinformation about where and how to vote during elections.
It’s not OUR job. McAfee found that some states’ voters could be susceptible to fake county election websites even though their counties have little if any role at all in administering elections. States such as Connecticut, Delaware, Maine, Massachusetts, New Hampshire, Rhode Island and Vermont administer their elections through their local governments, meaning that any election information is only available at the states’ websites and those websites belonging to major cities and towns. While this arrangement makes county-level website comparisons with other states difficult for the purpose of our survey, it doesn’t make voters in these states any less susceptible to fake versions of their county website.
There should be one recipe for the security and integrity of government websites such as election websites and that recipe should be .GOV and HTTPS.
Ohio’s leadership position in our survey appears to be the result of a state-led initiative to transition county election-related content to .GOV validated web properties. Ohio’s Secretary of State used “the stick” approach by demanding by official order that counties implement .GOV and HTTPS on their election web properties. If counties couldn’t move their existing websites to .GOV, he offered “the carrot” of allowing them to leverage the state’s domain.
A majority of counties have subsequently transitioned their main county websites to .GOV domains, their election-specific websites to .GOV domains, or their election-specific webpages to Ohio’s own .GOV-validated https://ohio.gov/ domain.
Examples:
While Ohio’s main county websites still largely lack .GOV validation, Ohio does provide a mechanism for voters to quickly assess if the main election website is real or potentially fake. Other states should consider such interim strategies until all county and local websites with election functions can be fully transitioned to .GOV.
Ultimately, the end goal success should be that we are able to tell voters that if they don’t see .GOV and HTTPS, they shouldn’t believe that a website is legitimate or safe. What we tell voters must be that simple, because the general public lacks a technical background to determine real sites from fake sites.
For more information on our .GOV-HTTPS county website research, potential disinformation campaigns, other threats to our elections, and voter safety tips, please visit our Elections 2020 page: https://www.mcafee.com/enterprise/en-us/2020-elections.html
The post US County Election Websites (Still) Fail to Fulfill Basic Security Measures appeared first on McAfee Blogs.
If you are someone who works for a cloud service provider in the business of federal contracting, you probably already have a good understanding of FedRAMP. It is also likely that our regular blog readers know the ins and outs of this program.
For those who are not involved in these areas, however, this acronym may be more unfamiliar. Perhaps you have only heard of it in passing conversation with a few of your expert cybersecurity colleagues, or you are just curious to learn what all of the hype is about. If you fall into this category – read on! This blog is for you.
At first glance, FedRAMP may seem like a type of onramp to an interstate headed for the federal government – and in a way, it is.
FedRAMP stands for the Federal Risk and Authorization Management Program, which provides a standard security assessment, authorization and continuous monitoring for cloud products and services to be used by federal agencies. The program’s overall mission is to protect the data of U.S. citizens in the cloud and promote the adoption of secure cloud services across the government with a standardized approach.
Once a cloud service has successfully made it onto the interstate – or achieved FedRAMP authorization – it’s allowed to be used by an agency and listed in the FedRAMP Marketplace. The FedRAMP Marketplace is a one-stop-shop for agencies to find cloud services that have been tested and approved as safe to use, making it much easier to determine if an offering meets security requirements.
In the fourth year of the program, FedRAMP had 20 authorized cloud service offerings. Now, eight years into the program, FedRAMP has over 200 authorized offerings, reflecting its commitment to help the government shift to the cloud and leverage new technologies.
Any cloud service provider that has a contract with a federal agency or wants to work with an agency in the future must have FedRAMP authorization. Compliance with FedRAMP can also benefit providers who don’t have plans to partner with government, as it signals to the private sector they are committed to cloud security.
Using a cloud service that complies with FedRAMP standards is mandatory for federal agencies. It has also become popular with organizations in the private industry, which are more often looking to FedRAMP standards as a security benchmark for the cloud services they use.
There are two ways for a cloud service to obtain FedRAMP authorization. One is with a Joint Authorization Board (JAB) provisional authorization (P-ATO) and the other is through an individual agency Authority to Operate (ATO).
A P-ATO is an initial approval of the cloud service provider by the JAB, which is made up of the Chief Information Officers (CIOs) from the Department of Defense (DoD), Department of Homeland Security (DHS) and General Services Administration (GSA). This designation means that the JAB has provided a provisional approval for agencies to leverage when granting an ATO to a cloud system.
The head of an agency grants an ATO as part of the agency authorization process. An ATO may be granted after an agency sponsor reviews the cloud service offering and completes a security assessment.
Achieving FedRAMP authorization for a cloud service is a very long and rigorous process, but it has received high praise from security officials and industry experts alike for its standardized approach to evaluate whether a cloud service offering meets some of the strongest cybersecurity requirements.
There are several benefits for cloud providers who authorize their service with FedRAMP. The program allows an authorized cloud service to be reused continuously across the federal government – saving time, money and effort for both cloud service providers and agencies. Authorization of a cloud service also gives service providers increased visibility of their product across government with a listing in the FedRAMP Marketplace.
By electing to comply with FedRAMP, cloud providers can demonstrate dedication to the highest data security standards. Though the process for achieving FedRAMP approval is complex, it is worthwhile for providers, as it signals a commitment to security to government and non-government customers.
At McAfee, we are dedicated to ensuring our cloud services are compliant with FedRAMP standards. We are proud that McAfee’s MVISION Cloud is the first Cloud Access Security Broker (CASB) platform to be granted a FedRAMP High Impact Provisional Authority to Operate (P-ATO) from the U.S. Government’s Joint Authorization Board (JAB).
Currently, MVISION Cloud is in use by ten federal agencies, including the Department of Energy (DOE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), Food and Drug Administration (FDA) and National Aeronautics and Space Administration (NASA).
MVISION Cloud allows federal organizations to have total visibility and control of their infrastructure to protect their data and applications in the cloud. The FedRAMP High JAB P-ATO designation is the highest compliance level available under FedRAMP, meaning that MVISION Cloud is authorized to manage highly sensitive government data.
We look forward to continuing to work closely with the FedRAMP program and other cloud providers dedicated to authorizing cloud service offerings with FedRAMP.
The post FedRAMP – What’s the Big Deal? appeared first on McAfee Blogs.
Detrimental lies are not new. Even misleading headlines and text can fool a reader. However, the ability to alter reality has taken a leap forward with “deepfake” technology which allows for the creation of images and videos of real people saying and doing things they never said or did. Deep learning techniques are escalating the technology’s finesse, producing even more realistic content that is increasingly difficult to detect.
Deepfakes began to gain attention when a fake pornography video featuring a “Wonder Woman” actress was released on Reddit in late 2017 by a user with the pseudonym “deepfakes.” Several doctored videos have since been released featuring high-profile celebrities, some of which were purely for entertainment value and others which have portrayed public figures in a demeaning light. This presents a real threat. The internet already distorts the truth as information on social media is presented and consumed through the filter of our own cognitive biases.
Deepfakes will intensify this problem significantly. Celebrities, politicians and even commercial brands can face unique forms of threat tactics, intimidation, and personal image sabotage. The risks to our democracy, justice, politics and national security are serious as well. Imagine a dark web economy where deepfakers produce misleading content that can be released to the world to influence which car we buy, which supermarket we frequent, and even which political candidate receives our vote. Deepfakes can touch all areas of our lives; hence, basic protection is essential.
Deepfakes are a cutting-edge advancement of Artificial Intelligence (AI) often leveraged by bad actors who use the technology to generate increasingly realistic and convincing fake images, videos, voice, and text. These videos are created by the superimposition of existing images, audio, and videos onto source media files by leveraging an advanced deep learning technique called “Generative Adversarial Networks” (GANs). GANs are relatively recent concepts in AI which aim to synthesize artificial images that are indistinguishable from authentic ones. The GAN approach brings two neural networks to work simultaneously: one network called the “generator” draws on a dataset to produce a sample that mimics it. The other network, known as the “discriminator”, assesses the degree to which the generator succeeded. Iteratively, the assessments of the discriminator inform the assessments of the generator. The increasing sophistication of GAN approaches has led to the production of ever more convincing and nearly impossible to expose deepfakes, and the result far exceeds the speed, scale, and nuance of what human reviewers could achieve.
To mitigate this threat, McAfee today announced the launch of the McAfee Deepfakes Lab to focus the company’s world-class data science expertise and tools on countering the deepfake menace to individuals, organizations, democracy and the overall integrity of information across our society. The Deepfakes Lab combines computer vision and deep learning techniques to exploit hidden patterns and detect manipulated video elements that play a key role in authenticating original media files.
To ensure the prediction results of the deep learning framework and the origin of solutions for each prediction are understandable, we spent a significant amount of time visualizing the layers and filters of our networks then added a model-agnostic explainability framework on top of the detection framework. Having explanations for each prediction helps us make an informed decision about how much we trust the image and the model as well as provide insights that can be used to improve the latter.
We also performed detailed validation and verification of the detection framework on a large dataset and tested detection capability on deepfake content found in the wild. Our detection framework was able to detect a recent deepfake video of Facebook’s Mark Zuckerberg giving a brief speech about the power of big data. The tool not only provided an accurate detection score but generated heatmaps via the model-agnostic explainability module highlighting the parts of his face contributing to the decision, thereby adding trust in our predictions.
Such easily available deepfakes reiterate the challenges that social networks face when it comes to policing manipulated content. As advancements in GAN techniques produce very realistic looking fake images, advanced computer vision techniques will need to be developed to identify and detect advanced forms of deepfakes. Additionally, steps need to be taken to defend against deepfakes by making use of watermarks or authentication trails.
We realize that news media do have considerable power in shaping people’s beliefs and opinions. As a consequence, their truthfulness is often compromised to maximize impact. The dictum “a picture is worth a thousand words” accentuates the significance of the deepfake phenomenon. Credible yet fraudulent audio, video, and text will have a much larger impact that can be used to ruin celebrity and brand reputations as well as influence political opinion with terrifying implications. Computer vision and deep learning detection frameworks can authenticate and detect fake visual media and text content, but the damage to reputations and influencing opinion remains.
In launching the Deepfakes Lab, McAfee will work with traditional news and social media organizations to identify malicious deepfakes videos during this crucial 2020 national election season and help combat this new wave of disinformation associated with deepfakes.
In our next blog on deepfakes, we will demonstrate our detailed detection framework. With this framework, we will be helping to battle disinformation and minimize the growing challenge of deepfakes.
To engage the services of the McAfee Deepfakes Lab, news and social media organizations may submit suspect video for analysis by sending content links to media@mcafee.com.
The post The Deepfakes Lab: Detecting & Defending Against Deepfakes with Advanced AI appeared first on McAfee Blogs.
For more than 20 years, the cybersecurity industry has been focused on enterprises, not on a larger national integrated security environment – and certainly not on comprehensive home security. Smart devices that make home life more convenient have been growing in acceptance and adoption, but by and large, the industry continues to concentrate on enterprise security. Even from a standards perspective, the National Institute of Standards and Technology (NIST) has focused on enterprises and the federal government, not the home.
The NIST Cybersecurity Framework, for example, a highly regarded security framework, is intended for enterprises, not homes. Yet today, the devices and connectivity in many homes outnumber those in small businesses of 20 years ago. Homes are following along the same path as small businesses, and like them, need more focused attention and protection.
COVID-19 forced organizational change in the blink of an eye, forcing an overnight transition from mostly centralized work environments to a highly distributed work-from-home infrastructure. This rapid shift to working from unsecured and unmanaged environments (IT, IoT, mobile, cloud, etc.), has greatly complicated organizational cybersecurity exposure challenges while creating a massive expansion of the digital attack surface. With many employees having to use personal devices for business purposes, enterprises now need to consider adopting policies that provide them greater management and control over these personal devices. The security challenge once focused on BYOD (bring your own device) has now morphed into BYEH — “Bring Your Enterprise Home.” We need new security standards and practices to address this shift.
While my company and others had the policies, management processes, controls, equipment and software in place to protect this new corporate ecosystem, they did so with the understanding the home is a very inhospitable security environment at present.
In my own home, for instance, there are many different systems of devices (wireless lighting, smart locks, multiple smart TVs, multiple streaming devices, smart plugs, wireless security system, digital assistants, wireless speakers, cameras, thermostats, and other home management connected devices. And this is before we add in the computers, laptops, iPads and smart phones for all its residents. An ever-growing number of IoT devices are helping people to transform their houses into smart homes, but homeowners often don’t know how to secure these devices. Additionally, many of the products don’t communicate or integrate with each other, exacerbating the discovery of security weaknesses.
Today, a bad actor can break into a home and steal things of value – bank account, credentials, sanity (by turning smart lights on and off at 3 am and blasting music from connected speakers) – without even physically walking through the door. This is a major problem for individuals, but it’s an even greater problem for enterprises and governments turning to remote work to continue operations during the COVID-19 pandemic.
Take all of the devices in each home, smart or otherwise, multiplied by all of the federal government employees alone, and you’ll have a vision for how large a threat vector we’ve just created by asking employees to work from home. Then add in government contractors, who may or may not have access to the same level of security as permanent employees. Then realize this is not just a government problem but a whole-of-nation problem, where businesses and other organizations need to assure their staffs’ remote access to their corporate properties are protected and secure.
Cybersecurity is not the only area we need to address. For example, ISPs often give priority to supporting enterprise customers when there are outages. Timelines from reporting-to-fix for enterprises is measured in hours, while timelines for correcting consumer outages is quite often measured in days. Now, however, the lines between what is a remote critical connection and what is not are highly blurred. How does an organization indicate to an ISP that a specific connection needs a critical designation and a priority response? How do we extend the concept of “home-points” being a component in an individual enterprise’s infrastructure?
Relatedly, broadband access and network connection speeds are now more important than ever. It may be time for the Federal Communications Commission to rethink its designation of broadband, as 25/3 Mbps is not really suitable for a family with multiple children engaged in remote learning while Mom and Dad work from home.
The waves of change that COVID-19 has set in motion have turned homes into workspaces, making every connected device in a home a risk to each person’s employer. Now the home isn’t just a smart home; it’s a remote office, as well as a schoolroom, a doctor’s office and the front door to malls and grocery stores.
As we work to adapt our economy and country in the wake of the pandemic, it’s critical that we also rethink the security of our homes to ensure there are standards for protection in place. Our homes are now part of an enterprise environment. It’s time that we as a nation considered the home as such and adopted policies and security practices to meet the new BYEH reality.
The post Home-Point Cybersecurity: Bring Your Enterprise Home appeared first on McAfee Blogs.
Core to any organization is managing cyber risk with a security operations function whether it be in-house or outsourced. McAfee has been and continues their commitment to protecting cyber assets. We are dedicated to empowering security operations and with this dedication comes expertise and passion. Introducing SOCwise a monthly series of blogs, podcasts and talks driven by two highly experienced and devoted security operations professionals. This is an ongoing resource of helpful advice on SOC issues, distinct SOC functional lessons, best practices learned from a range of projects and customers and perspectives on the future of security operations. In addition, we will invite guests to contribute to this series.
From the perspective of a ‘legacy SIEM’ guy I can tell you that there’s nothing more important to a security analyst than intelligence. Notice I didn’t say ‘data’ or ‘information’ – I didn’t even say ‘threat intelligence’. I’m talking about ‘Situational Awareness’. I’m specifically talking about business, user and data context that adds critical understanding and guidance in support of making more timely, accurate or informed decisions related to a given security event. A typical SOC analyst might deal with dozens of incidents each shift – some requiring no more than a few minutes and even fewer clicks to quickly and accurately determine the risk and impact of potential malicious activities. Some incidents require much more effort to triage in hopes to understand intent, impact and attribution.
More often we find the role of SOC analyst to be one of data wrangler – asking and answering key questions of the ‘data’ to determine if an attack is evident and if so, what is the scope and impact of the adversarial engagement. Today’s modern SOC is evolving from one of centralized data collection, information dissemination and coordination of intelligence – one where each stakeholder in security was a part of the pre-determined set of expectations throughout the evaluation and implementation process – to a fully distributed cast of owners/creators (application development, operations, analysts, transformation architects, management) where the lines of authority, expectation and accountability have blurred sometimes beyond recognition.
How can a modern SOC maintain the highest levels of advanced threat detection, incident response and compliance efficacy when they may no longer have all (or sometimes even some) of the necessary context with which to turn data into intelligence? Will Security Operations Centers of the future resemble anything like the ones we built in previous years. From the massive work-from-home migration brought on by an unexpected pandemic to cloud transformation initiatives that are revolutionizing our modern enterprise, the entire premise of a SOC as we know it are being slowly eroded. These are just some of the questions we will try to answer in this blog series.
I have worked for 20 years in this industry that we once used to call, information security. During this time, I have had the opportunity to be both on the offense and the defense side of the cyber security coin, as a practitioner and as a consultant, as an architect and as an engineer, as a student as well as a SANS author & instructor. I want to believe that I have learned a few things along the way. For example, as a penetration tester and a red teamer, I have learned that there is always a way in, that prevention is ideal, and that detection is a must. As a security architect I have learned that a defensible architecture is all about the right balance between prevention, monitoring, detection and response. As an incident responder I learned that containing an adversary is all about timing, planning and strategy. As a security analyst I have learned the power of automation and of human-machine teaming, to do more analysis and less data gathering. As a threat hunter I have learned to be laser focused on adversarial behaviors, and not on vulnerabilities. And as a governance, risk and compliance consultant, that security is all about tradeoffs, about cost and benefit, about being flexible, adaptable and realizing that for most of our customers, security is not their core business, but something they do to stay in business. To summarize 20 years in a few phrases is challenging, but no one has summarized it better than Bruce Schneier in my opinion, who wrote, precisely 20 years ago: “security is a process, not a product”.
And I am sure that you will agree with me that processes have changed a lot over the last 20 years. This transformation that had already started with the adoption of Cloud and DevOps technologies it is now creating an interesting and unforeseen circumstance. Just when security operations barely found its footing, and right when it was finally coming out from under the realm of IT, garnering respect and budget to achieve desired outcomes, just when we felt that we made it, we are told to pack our things, leave the physical boundaries of the SOC and have everyone work remote.
If this didn’t introduce enough uncertainty, I read that Gartner predicts that 85% of data centers will be gone by 2025. So, I can’t help but wonder: is this the end of it? Is the SOC dead as we know it? What is the future of SecOps in this new paradigm? How will roles change? Will developers own security in a ‘you code it, you own it’ fashion? Is it realistic to expect a fully automated SOC anytime soon?
Please join us in this new SOCwise series as Michael and I explore answers to these and more questions on the future and the democratization of SOC and SecOps.
The post SOCwise: A Security Operation Center (SOC) Resource to Bookmark appeared first on McAfee Blogs.
Video conferencing has really taken off this year. With more people working and learning from home than ever before, video calling has rapidly become the mainstream method for remote communication, allowing users to stay connected. But very few may realize that they might be giving away their passwords on video calls through their body language. According to Tom’s Guide, call participants can guess a user’s passwords through the arm and shoulder movements they make while they type.
Let’s unpack how this threat works so you can continue to connect via video calls worry-free.
Keyboard snooping, or a keyboard interference threat, occurs when an attacker is present on a video call and observes the target’s body and physiological features to infer what they are typing. To pull off this attack, the hacker would need to record the meeting or video stream and feed it through a computer program. This program eliminates the visual background and measures the user’s arm and shoulder movements relative to their face. From there, the program analyzes the user’s actions to guess which keys they are hitting on the keyboard – including passwords and other sensitive information.
So, how accurate is this program, anyway? While this shows that the program was only correct 20% of the time when subjects were on their own devices in an uncontrolled environment, the program’s accuracy increased to 75% if their password was one of the one million most commonly used passwords. And suppose the program already knew their email address or name. In that case, it could decipher when the target was typing this information during the video call (and when their password would immediately follow) 90% of the time. The less complex the target makes their password, the easier it is for the program to guess what they’re typing.
Keystroke inference attacks can have potentially dangerous effects, since the text typed can often contain sensitive or private information even beyond passwords, like credit card numbers, authentication codes, and physical addresses. It’s also important to note that any video conferencing tool or videos obtained from public video sharing/streaming platforms are susceptible to this attack.
Therefore, to prevent your meeting attendees from snooping on what you’re typing, follow these tips for greater peace-of-mind:
Avoid giving keyboard snoopers the upper hand by making your password or passphrase as unique as the information it’s protecting. If a hacker does manage to guess your password for one of your online accounts, they will likely check for repeat credentials across multiple sites. By using different passwords or passphrases for your online accounts, you can remain calm and collected knowing that the majority of your data is secure if one of your accounts becomes vulnerable.
Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification like texting or emailing a secure code to verify your identity. Most popular online sites like Gmail, Dropbox, LinkedIn, Facebook, etc. offer multi-factor authentication, and it takes just a few minutes to set it up. This reduces the risk of successful impersonation by criminals who may have uncovered your information by keyboard snooping.
Take your security to the next level with a password manager, like the one included in McAfee Total Protection. A password manager can help you create strong passwords, remove the hassle of remembering numerous passwords, and log you on to websites automatically.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post How to Prevent Keyboard Snooping Attacks on Video Calls appeared first on McAfee Blogs.
eXtended Detection & Response (XDR) has become an industry buzzword promising to take detection and response to new heights and improving security operations effectiveness. Not only are customers and vendors behind this but industry groups like Open Cybersecurity Alliance (OCA) share this same goal and there are some open projects to leverage for this effort.
Let’s start with an understanding of XDR. There is a range of XDR definitions but at the end of day there are core desired capabilities and outcomes.
Benefit: Remove the siloes and reduce complexity. Empower security operations to respond and protect more quickly.
Benefit: Deliver faster and better security outcomes.
This requires security functions to be connected to create a shared data lake of insights and to synchronize detection and response capabilities across the enterprise. The Open Cybersecurity Alliance (OCA) shares this vision to easily bring interoperability between security products and simplify integration across the threat lifecycle. OCA enables this with several open source projects available to the industry.
In order to connect security solutions a consistent and easy to use pathway is needed. Contributed by McAfee OpenDXL Ontology is a common messaging format to enable real time data exchange and allow disparate security functions to coordinate and orchestrate actions. It builds up on other common open standards for message content (OpenC2, STIX, etc.) Vendors and organizations can use the categorized set of messages to perform actions on cybersecurity products and notifications used to signal when significant security-related events occur. There are multiple communications modes, one to one or one to many. In addition, there is a centralized authentication and authorization model between security functions. Some examples include but are not limited to:
Sample code on OCA site demonstrates how to integrate the ontology into existing security products and related solutions. The whole mantra here is to integrate once and be able to share information with all the tools/products that are leveraging OpenDXL Ontology.
OpenDXL is the open initiative from which OpenDXL Ontology was initially derived. The Data Exchange Layer (DXL) technology developed by McAfee is being used by 3000 organizations today and is the transport layer used to share information in near real time. OpenDXL technology is also the foundation to McAfee’s MVISION Marketplace where organizations may easily compose their security actions and fulfill the XDR promise of working together.
One who has followed DXL may ask what makes OpenDXL onotology different from DXL. DXL is communication bus. OpenDXL ontology is the common language to enable easy and consistent sharing and collaboration between many different tools on the DXL pathway.
To optimize threat intelligence between security tools easier, one needs to homogenize the data so it may be easily read and analyzed. Contributed by IBM, STIX -Shifter is an open-source Python patterning library to normalize data across domains. Structured Threat Information Expression (STIX) is a language and serialization format used to exchange cyber threat intelligence (CTI). Many organizations have adopted STIX to make better sense of cyber threat intelligence.
STIX enables organizations to share CTI with one another in a consistent and machine-readable manner represented with objects and relationships stored in JavaScript Object Notation (JSON). STIX-Shifter uses STIX Patterning to return results as STIX Observations. This allows security communities to better understand what computer-based attacks they are most likely to see, anticipate and/or respond to those attacks faster and more effectively. What is unique is STIX-Shifter’s ability to search for all three data types—network, file, and log. This allows you to create complex queries and analytics across many domains like Security Information and Event Management (SIEM), endpoint, network and file levels.
STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more. Here is a great Introduction to STIX-Shifter video (just under 7 minutes) to watch.
Security Content Automation Protocol Version 2 (SCAP v2) is a data collection architecture to allow continuous real time monitoring for configuration compliance and to detect the presence of vulnerable versions of software on cyber assets. It offers transport protocols to enable secure interoperable communication of security automation information allowing more active responses to the security postures changes as they occur. SCAP v2 was derived from the National Institute of Standards Technology (NIST.)
To fully realize the benefits of an evolving XDR strategy, enterprises must ensure the platform they select is built atop an open and flexible architecture with a broad ecosystem of integrated security vendors. McAfee’s innovation and leadership in the Open Cybersecurity Alliance provides customers the confidence that as their security environment evolves, so too will their ability to effectively integrate all relevant technologies, the telemetry they generate and the security outcomes they provide.
If your organization aspires to XDR, the OCA projects bring the technologies to help unite your security functions. Many vendors are leveraging the OCA in their XDR ecosystems. Leverage the projects and join OCA if you want to influence and contribute to open security working together with ease.
The post How OCA Empowers Your XDR Journey appeared first on McAfee Blogs.
Even the best psychics, science fiction and horror writers could not have predicted or written 2020.
It’s been quite the year. I am thankful that it’s almost over.
The COVID-19 Coronavirus started a global lockdown that sent millions of people to work from home, or wherever they could shelter in place. Personally, working at home didn’t seem like a bad option at the time. But after 8 months, sheltering in place, working from home, and sharing your Internet bandwidth with three others who also need real-time audio and video can be exhausting.
Professionally, it’s another story. It’s hard to understate the magnitude of the change. It was as if someone flipped a switch. One day, most of McAfee’s 7,000+ employees could be found working in McAfee offices. The next day, we had 7,000 “offices” of one person each. They were now voices heard on a phone, logging in from remote locations.
Whereas previously just 2% of workers were remote full time globally, by April 2020, 42% of the workforce was remote according to Stanford University economics professor Nicholas Bloom. By late August, the number of workers at home dropped to 35%. That said, once the pandemic ends, about 55% of employers surveyed by PWC said they expected staff to work from home at least one day a week. And more than 80% of employees said they supported that idea. In fact, Facebook, Microsoft and Twitter have all said remote work would be a permanent option.
Most organizations have found a way to make do with existing infrastructure. Since we’re apparently in it for the long-haul, it’s time to go back and verify that all appropriate security protections are in place. Because – let’s face it – in many organizations, security during this transition had to be prioritized behind keeping the business running. Cyber hygiene had to wait while organizations worldwide raced to the cloud in order to get their teams online and productive again.
Cybercriminals know home networks are often less secure and have leaped at the opportunity to find new and easier ways to access data and systems. In fact, McAfee’s Advanced Threat Research team observed a 630% increase in external attacks on cloud accounts with the greatest concentration on collaboration services (CARR). And, during Q2 of 2020, McAfee’s global network of more than a billion sensors registered a 605% increase in total COVID-19-themed threat detections.
For a security company like McAfee, the pandemic is an opportunity to share some lessons to help protect your people and data without getting in your teams’ way. It will not surprise you to learn we primarily run our own products and relied on them heavily for our WFH transition. I will be touting some of the benefits of our products in this article.
1. Maximize Visibility and Control
For many companies, the rapid transition resulted in less visibility and control than when everyone was in the office behind a web gateway. With WFH, visibility and control across the entire organization – cloud, web as well as both managed and unmanaged devices is imperative.
McAfee MVISION Complete, part of our new Device-to-Cloud suites, provides this visibility and control across endpoint, web and cloud. The solution unifies MVISION Insights, Endpoint, cloud access security broker (CASB), data loss prevention (DLP), cloud-based Secure Web Gateway (SWG) and (soon) remote browser isolation technologies to deliver comprehensive device-to-cloud protection. It enables us to:
2. Run an Effective Threat Management Program
Threat Intelligence programs are designed to answer questions such as:
Questions like these are called Intelligence Requirements, and some threat management programs flounder because they focus on answering the first two questions. Others struggle because they don’t have the resources to answer the last two in a good way. It takes substantial time to walk through indicators of compromise (IOCs) and determine whether you have coverage on your endpoints, your IPS, your Web Gateway, etc. It can take longer to update coverage. Having 95% coverage can sound like a lot, but advanced actors always seem to be able to locate the unprotected 5%.
3. Plan for Increased Threats to Home Workers
WFH has put a premium on making sure employees can depend on the same level of security they received in the office. In a post-pandemic future where WFH continues to be prevalent, cyber adversaries will focus their innovation on WFH users. To get ahead of this trend, we must find ways to increase our protections for WFH users.
4. Future-Proof … with the Right Protections
Enterprise security teams should plan for the likelihood that some of their employees working from home are going to get breached. It may be a compromised computer. It may be a connected IOT device. People will do the wrong thing, so it is important here to mitigate risk.
The technical measures listed earlier are a good start. In addition, you’ll need to make sure WFH users are patched as aggressively as they were when on-site. And, that you have a process for following up with the last 5% who are out of office during patch installation, or who power down their laptop during installation. You’ll also need vulnerability scanning agents installed on user workstations.
Finally, I see a renewed move back to centralizing the data to limit the endpoint exposure.
5. Education Never Ends
There’s no getting around it. People are both a company’s biggest asset … and also a company’s biggest security liability. Many employees are still prone to making silly security mistakes by ignoring best practices. So, any WFH security approach ought to feature a big education component. Spend more time with employees to educate and inform how to improve their security practices. What’s practical guidance for employees? There’s no one-size-fits all but the best advice I can offer is to be realistic. Don’t send out a detailed, 20-page paper on wireless security and expect miracles. The message needs to be brief, clear and simple.
I’d love to hear what you’re doing to secure your distributed teams… leave comments below.
The post Finding the Success Among the Pandemonium that is 2020 appeared first on McAfee Blogs.
Organizations across the country – from the private sector to the federal government – have become more digital, especially following the shift to remote work this year. It’s no surprise that cybercriminals around the world have taken notice. According to a new report by McAfee and the Center for Strategic and International Studies (CSIS), cybercrime is now a nearly trillion-dollar industry, and the government sector is not immune.
Across the board, the issue continues to rise – increasing the cost of cybercrime by nearly 50% since our last report in 2018. The threats to the government from cybercriminals are even greater, leading to potential national security risks as dark actors look to steal U.S. secrets and intellectual property.
All levels of government – from state and local to the federal government here in Washington – are taking steps to mitigate the issues, but they must do so differently than their private sector counterparts. Government respondents to the survey reported the highest number of malicious attacks, highlighting the high-stakes environment in which governments operate.
Unfortunately, the report also found that while government organizations face more attacks than their private-sector counterparts, they also take longer to remediate them, leaving our government services, infrastructure, and other critical aspects of society at risk for longer than they need.
Earlier this week, McAfee’s CTO Steve Grobman joined CSIS for a conversation on the report and how we can continue to prepare for and mitigate the risk of cybercrime and its hidden costs with CSIS’ Jim Lewis and Zhanna Malekos Smith, former Federal CISO Grant Schneider and the FBI’s Jonathan Holmes.
Kicking off the discussion, Schneider highlighted the importance of the workforce and the need to take care of them so organizations can quickly rebound from an incident. Schneider noted that if an office were robbed, no one would blame the team, but with cybercrime, victims are often seen as the issue – leading to reduced employee morale and more issues later down the line.
Instead, Schneider argued on the importance of preparing the workforce and that preparation can take several forms, including risk management through NIST’s risk management framework. He also called for organizations to develop a recovery plan, engaging different departments, leadership and the public to be ready for when an incident occurs.
In his discussion of the report’s findings, McAfee CTO Steve Grobman noted they weren’t shocking. Grobman said that as we adopt new technologies, adversaries will continue to find new attack vectors.
This year was particularly notable as much of the federal government transitioned to a remote work environment overnight. As the workforce went remote – critical government information was accessed from home internet routers that lacked the same level of security as government office networks, increasing adversaries’ ability to successfully launch attacks.
Luckily, as Grobman noted, there are ways lawmakers can mitigate the threat of ransomware against government and the private sector.
Across the country, governments are facing ransomware attacks at an alarming rate, and every one of them – at every level – needs to have a plan in place. There needs to be a data-based discussion with leadership to decide how to balance the daily blocking and tackling of threats with limited complication to the continuation of operations and preparation for big intrusions like we’ve seen happen this year.
There are also policy solutions – many of these criminal groups operate in countries that allow them to do so. When negotiating trade deals with countries, the level of cybercrime and the government’s cooperation with or against those groups must be considered.
The cost of cybercrime is now nearly 1% of the global GDP, and it will only continue to rise, impacting companies and governments around the world unless we come together to stop it through basic cyber hygiene, preparation and policy solutions.
The post The Hidden Costs of Cybercrime on Government appeared first on McAfee Blogs.
Last month, I discussed the FedRAMP program’s basics and why it’s such a big deal for the federal government. In short, the program protects the data of U.S. citizens in the cloud and promotes the adoption of secure cloud services across the government with a standardized approach.
But within the FedRAMP program, there are different authorizations. We’re pleased that McAfee MVISION for Endpoint Access recently achieved FedRAMP Moderate Authorization, which allows users from federal agencies, state and local government, and other industries in regulated environments to manage Controlled Unclassified Information (CUI) such as personally identifiable information (PII) and routine covered defense information (CDI).
As organizations across the country continue to adapt to a remote workforce, the U.S. government is “in a race to modernize its IT infrastructure to support ever more complicated missions, growing workloads and increasingly distributed teams—and do so facing a constantly evolving threat landscape,” Alex Chapin, our VP of DoD and Intelligence notes.
And he’s right – with the 2021 federal fiscal year in full focus, federal agencies are continuing to push cloud computing as the COVID-19 pandemic continues, creating a real need for security in these applications.
The FedRAMP Moderate designation allows MVISION to provide the command and control cyber defense capabilities government environments need to enable on-premises and remote security teams, allowing them to maximize time and resources, enhance security efficiency and boost resiliency.
This is a massive win for the federal government as it continues to build out its remote workforce capabilities at a time when the GAO is continuing to release best practices for telework, highlighting how remote work is here to stay in the federal government.
MVISION Cloud is currently in use by ten federal agencies, including the Department of Energy (DOE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), Food and Drug Administration (FDA) and National Aeronautics and Space Administration (NASA).
At McAfee, we are dedicated to ensuring our cloud services are compliant with FedRAMP standards to help the federal government secure its digital infrastructure and prepare for an increasingly digital operation. We look forward to working closely with the FedRAMP program and other cloud providers dedicated to authorizing cloud service offerings with FedRAMP.
The post McAfee MVISION for Endpoint is FedRAMP Moderate As Federal Cloud Usage Continues to Rise appeared first on McAfee Blogs.
On December 13, 2020, FireEye announced that threat actors had compromised SolarWinds’s Orion IT monitoring and management software and used it to distribute a software backdoor to dozens of that company’s customers, including several high profile U.S. government agencies.
This campaign is the first major supply chain attack of its kind at scale and represents a shift in tactics where a nation state has employed a new weapon for cyber-espionage. Just as the use of nuclear weapons at the end of WWII changed military strategy for the next 75 years, the use of a supply chain attack will change the way we need to consider defense against cyber-attacks.
This supply chain attack operated at the scale of a worm such as WannaCry in 2017, combined with the precision and lethality of the 2014 Sony Pictures or 2015 U.S. Office of Personnel Management (OPM) attacks.
The impact of this attack shows how a high-volume commercial software product can impact many organizations simultaneously. In the past, cyber-attacks such as WannaCry relied on vulnerabilities, exploiting organizations that failed to install critical patches. In the case of SolarWinds-SUNBURST, any organization that simply updated its software could be vulnerable to attack, which is why we saw the impact across multiple agencies in the federal government and private sector. Furthermore, the backdoor used stealth tactics to monitor if it was being analyzed by looking for the presence of debuggers and network monitors and suppressing communications and alerts of other malicious behavior in those scenarios.
From a U.S. national security perspective, this attack enables the nation’s enemies to steal all manner of information, from inter-governmental communications to national secrets. Attackers can, in turn, leverage this information to influence or impact U.S. policy through malicious leaks.
The attack impacted private companies as well. Unlike government networks which isolate classified information both from the internet and non-classified material, private organizations often have critical intellectual property on the same internet-facing network they store non sensitive information. Exactly what corporate intellectual property or private data on employees has been stolen will be difficult to determine, and the full extent of theft may never be fully known.
These cyber supply chain attacks are a concern for consumers as well. In today’s highly interconnected homes, a breach of consumer electronics companies can result in attackers using their access to smart appliances such as TVs, virtual assistants, and smart phones to steal their information or act as a gateway to attack businesses while users are working remotely from home.
What makes this campaign so insidious is that the attackers used trusted SolarWinds software to infiltrate victim organizations with the SUNBURST backdoor, which then enabled the attacker to take any number of secondary steps. This could involve stealing data, destroying data, holding critical systems for ransom, orchestrating system malfunctions that could result in kinetic damage, or simply implanting additional malicious content throughout the organization to stay in control and maintain access even after the initial threat appears to have passed.
Such an attack is particularly challenging in that it raises concerns around best practices cybersecurity professionals have been trying to communicate for years. For decades, we have been saying that it is critical to patch and keep software updated. In this case, however, it was patching and bringing new software into an environment that opened organizations up to attack.
Organizations must not read into these SolarWinds-SUNBURST revelations that they should not prioritize keeping their environments up to date. Doing so would certainly open them up to a variety of other attacks.
How do we reconcile these two conflicting security viewpoints? Organizations and cybersecurity practitioners must be vigilant in their review and understanding of the software being brought into their environments. Additionally, they must identify their most critical information and data and apply the principles of least privilege to these items, ensuring that sensitive information such as national secrets and intellectual property are protected.
One additional area of concern is when software vendors are impacted. In this scenario, it is possible for there to be a daisy chain effect. The adversary could modify either source code or a development toolchain within a victim’s environment to plant additional backdoors that are then distributed to their customers.
The SolarWinds-SUNBURST campaign is like a “smart bomb” on a crowded landscape of “dumb bomb” cyber threats. WannaCry was a dumb bomb in that it was fully autonomous and indiscriminate in what it attacked. Whereas this SolarWinds-SUNBURST attack is a “precision guided” smart cyber weapon that is being used to target specific organizations in very specific ways. Every organization that is of interest to the attacker might be targeted slightly differently.
McAfee has incorporated technical indicators gleaned from the FireEye and SolarWinds incidents into our cyber defenses and solutions portfolio to protect our environment and customers. The details of these supplemental protections can be found in McAfee’s knowledge base (KB) articles KB89830 and KB93861.
Please also see the following analysis blogs focused on SolarWinds-SUNBURST:
The post Why SolarWinds-SUNBURST is a Wake up Call appeared first on McAfee Blogs.
XDR (eXtended Detection and Response) is a cybersecurity acronym being used by most vendors today. It is not a new strategy. It’s been around for a while but the journey for customers and vendors has been slow for many reasons. For McAfee, XDR has been integral to our vision, strategy and design philosophy that has guided our solution development for many years. Understanding our road to XDR can help your organization map your XDR journey.
Let’s start with why XDR? The cry for XDR reflects where cybersecurity is today with fragmented, cumbersome and ineffective security and where folks want to go. In my CISO conversations it is well noted that security operation centers (SOC) are struggling. Disjointed control points and disparate tools lead to ineffective security teams. It allows adversaries to more easily move laterally across the infrastructure undetected and moving intentionally erratic to avoid detection. Analysts only know this if they manually connect the thousand dots which is time consuming leaving the adversaries with ample dwell time to do damage. It’s no secret. There is a lack of security expertise, and these are regularly tested. Their investigations are cumbersome, highly manual, and riddled with blind spots. It’s nearly impossible to prioritize efforts, leaving the SOC simply buried in reactive cycles and alert fatigue. Bottom line—SOC metrics are getting worse—while adversaries are becoming more sophisticated and creative in carrying out their mission.
XDR has the potential to be a one-stop solution to alleviating these SOC issues and improving operational inefficiencies.
Many cybersecurity providers are trying to offer an XDR capability of some sort. They promise to provide visibility and control across all vectors, and offer more analysis, context and automation to obtain faster and better response when reacting to a threat. Point players are limited to expertise in their domain (endpoint or network) and can’t offer a critical, proven cross-portfolio platform. After all, can your endpoint platform offer true XDR functionality it it’s not also connected to network, cloud and web?
McAfee’s long-time mantra has been Better Together. That mantra underscores our commitment to deliver comprehensive security that works cohesively across all threat vectors – device, network, web and cloud and with non-McAfee products. Industry analysts and customers agree that McAfee is well positioned to deliver a solid XDR offering given our platform strategy and portfolio.
Now, what if you had that same comprehensive XDR capability that not only offered visibility and control across the vectors, but also allows you to get ahead of adversary and empowering you to be more proactive. It could give you a heads up on threats that are likely to attack you based on global and industry trends, based on what your local environment looks like. With this highly credible prediction comes the prescribed guidance on how to counter the threat before it hits you. Imagine it also supplies prescriptive actions you can take to protect your users, data, applications and devices spanning from device to cloud. Other XDR conversations can’t take the conversation to this level of proactivity. McAfee can in our recently announced MVISION XDR.
Not only does McAfee take XDR to the next level, but it also helps you better mitigate cyber risk by enabling you to prioritize and focus on what most matters. What if your threat response was prioritized based on the impact to the organization? You need to understand what the attackers are targeting. How close are they to the most sensitive data based on the users and devices? MVISION XDR offers this context and data-awareness to focus your analysts on what counts. For example, threats that jeopardize sensitive data from a finance executive on his device will automatically be of priority versus a maybe threat on general purpose device with no data. This data-awareness is not noted well in other XDR conversations, but it is with recently announced MVISION XDR.
Let’s look at McAfee’s journey and investment with XDR and how we got to this exceptional XDR approach.
McAfee’s XDR Journey did not simply start up recently because a buzz word appeared that needed to spoke to. As noted earlier, McAfee’s mantra “Together is Better” sets the stage for a unified security approach, which is core to the XDR promise. McAfee recognized early on that multi-vendors security ecosystem is a key requirement to build a defense in depth security practice. OpenDXL the open-source community delivered the data exchange layer or the DXL message bus architecture. This enabled our diverse ecosystem of partners from threat intelligence platforms, to orchestration tools to use a common transport mechanism and information exchange protocol. Most enterprise security architectures will be a heterogenous mix of various security solutions. McAfee is one of the founding members of the Open CyberSecurity Alliance (OCA) where we contributed our DXL ontology – enabling participating vendors to not only communicate vital threat details but inform what to do to all connected multi-vendor security solutions.
Realizing EDR is network blind and SIEM is endpoint blind, we integrated McAfee EDR and SIEM. McAfee continues to deliver XDR capabilities by bringing multiple telemetry sources on a platform from a single console for analytics and investigation, driving remediation decisions with automatic enforcement across the enterprise. When you combine MVISION XDR the first proactive, data-aware and open XDR and released MVISION Marketplace and API further supporting the open security ecosystem for XDR capabilities, organizations have a solid starting point to advance their visibility and control across their entire cyber infrastructure.
Before all the XDR hype, McAfee customers have been on the XDR path. Our customers have already gained XDR capabilities and are positioned to grow with more XDR capabilities. I encourage you to check out the video below.
The post The Road to XDR appeared first on McAfee Blogs.
Seems like the internet follows us wherever we go nowadays, whether it tags along via a smartphone, laptop, tablet, a wearable, or some combination of them all. Yet there’s something else that follows us around as well—our PII, a growing body of “personally identifiable information” that we create while banking, shopping, and simply browsing the internet. And no doubt about it, our PII is terrifically valuable.
What makes it so valuable? It’s no exaggeration to say that your PII is the key to your digital life, along with your financial and civic life as well. Aside from using it to create accounts and logins, it’s further tied to everything from your bank accounts and credit cards to your driver’s license and your tax refund.
Needless to say, your PII is something that needs protecting, so let’s take a look at several ways you can do just that.
What is PII? It’s information about you that others can use to identify you either directly or indirectly. Thus, that info could identify you on its own, or it could identify you when it’s linked to other identifiers, like the ones associated with the devices, apps, tools, and protocols you use.
A prime example of direct PII is your tax ID number because it’s unique and directly associated with your name. Further instances include your facial image to unlock your smartphone, your medical records, your finances, and your phone number because each of these can be easily linked back to you.
Then there are those indirect pieces of PII that act as helpers. While they may not identify you on their own, a few of them can when they’re added together. These helpers include things like internet protocol addresses, the unique device ID of your smartphone, or other identifiers such as radio frequency identification tags.
You can also find pieces of your PII in the accounts you use, like your Google to Apple IDs, which can be linked to your name, your email address, and the apps you have. You’ll also find it in the apps you use. For example, there’s PII in the app you use to map your walks and runs, because the combination of your smartphone’s unique device ID and GPS tracking can be used in conjunction with other information to identify who you are, not to mention where you typically like to do your 5k hill days. The same goes for messenger apps, which can collect how you interact with others, how often you use the app and your location information based on your IP address, GPS information, or both.
In all, there’s a cloud of PII that follows us around as we go about our day online. Some wisps of that cloud are more personally identifying than others. Yet gather enough of it and PII can create a high-resolution snapshot of you—who you are, what you’re doing when you’re doing it, and even where you’re doing it too—particularly if it gets into the wrong hands.
Remember Pig-Pen, the character straight from the old funny pages of Charles Schultz’s Charlie Brown? He’s hard to forget with that ever-present cloud of dust following him around. Charlie Brown once said, “He may be carrying the soil that trod upon by Solomon or Nebuchadnezzar or Genghis Khan!” It’s the same with us and our PII, except the cloud surrounding us, isn’t the dust of kings and conquerors, they’re motes of digital information that are of tremendously high value to crooks and bad actors—whether for purposes of identity theft or invasion of privacy.
With all PII we create and share on the internet, that calls for protecting it. Otherwise, our PII could fall into the hands of a hacker or identity thief and end up getting abused, in potentially painful and costly ways.
Here are several things you can do to help ensure that what’s private stays that way:
Square One is to protect your devices with comprehensive online protection software. This will defend you against the latest virus, malware, spyware, and ransomware attacks plus further protect your privacy and identity. In addition to this, it can also provide strong password protection by generating and automatically storing complex passwords to keep your credentials safer from hackers and crooks who may try to force their way into your accounts.
Further, security software can also include a firewall that blocks unwanted traffic from entering your home network, such as an attacker poking around for network vulnerabilities so that they can “break-in” to your computer and steal information.
Also known as a virtual private network, a VPN helps protect your vital PII and other data with bank-grade encryption. The VPN encrypts your internet connection to keep your online activity private on any network, even public networks. Using a public network without a VPN can increase your cybersecurity risk because others on the network can potentially spy on your browsing and activity.
If you’re new to the notion of using a VPN, check out this article on VPNs and how to choose one so that you can get the best protection and privacy possible.
In the U.S., the Social Security Number (SSN) is one of the most prized pieces of PII as it unlocks the door to employment, finances, and much more. First up, keep a close grip on it. Literally. Store your card in a secure location. Not your purse or wallet.
Certain businesses and medical practices may ask you for your SSN for billing purposes and the like. You don’t have to provide it (although some businesses could refuse service if you don’t), and you can always ask if they will accept some alternative form of information. However, there are a handful of instances where an SSN is a requirement. These include:
Be aware that hackers often get a hold of SSNs because the organization holding that information gets hacked or compromised itself. Minimizing how often you provide your SSN can offer an extra degree of protection.
Protecting your files with encryption is a core concept in data and information security, and thus it’s a powerful way to protect your PII. It involves transforming data or information into code that requires a digital key to access it in its original, unencrypted format. For example, McAfee Total Protection includes File Lock, which is our file encryption feature that lets you lock important files in secure digital vaults on your device.
Additionally, you can also delete sensitive files with an application such as McAfee Shredder, which securely deletes files so that thieves can’t access them. (Quick fact: deleting files in your trash doesn’t actually delete them in the truest sense. They’re still there until they’re “shredded” or otherwise overwritten such that they can’t be restored.)
Which Marvel Universe superhero are you? Does it really matter? After all, such quizzes and social media posts are often grifting pieces of your PII in a seemingly playful way. While you’re not giving up your SSN, you may be giving up things like your birthday, your pet’s name, your first car … things that people often use to compose their passwords or use as answers to common security questions on banking and financial sites. The one way to pass this kind of quiz is not to take it!
A far more direct form of separating you from your PII are phishing attacks. Posing as emails from known or trusted brands, financial institutions, or even a friend or family member a cybercrook’s phishing attack will attempt to trick you into sharing important information like your logins, account numbers, credit card numbers, and so on under the guise of providing customer service.
How do you spot such emails? Well, it’s getting a little tougher nowadays because scammers are getting more sophisticated and can make their phishing emails look nearly legitimate. However, there are several ways you can spot a phishing email and phony web pages as outlined here.
Comprehensive security offers another layer of prevention, in this case by offering browser protection like our own Web Advisor, which will alert you in the event you come across suspicious links and downloads that can steal your PII or otherwise expose you to attacks.
With social engineering attacks that deceive victims by posing as people the victim knows and the way we can sometimes overshare a little too much about our lives, you can see why a social media profile is a potential goldmine for cybercriminals.
Two things you can do to help protect your PII from being at risk via social media: one, think twice about what PII you might be sharing in that post or photo—like the location of your child’s school or the license plate on your car; two, set your profile to private so that only friends can see it. Review your privacy settings regularly to keep your profile information out of the public eye. And remember, nothing is 100% private on the internet. Never post anything you wouldn’t want to see shared.
The “S” stands for secure. Any time you are shopping, banking, or sharing any kind of PII, look for “https” at the start of the web address. Some browsers will also indicate HTTP by showing a small “lock” icon. Doing otherwise on plain HTTP sites exposes your PII for anyone who cares to monitor that site for unsecured connections.
By locking your devices, you protect yourself that much better from PII and data theft in the event your device is lost, stolen, or even left unattended for a short stretch. Use your password, PIN, facial recognition, thumbprint ID, what have you. Just lock your stuff. In the case of your smartphones, read up on how you can locate your phone or even wipe it remotely if you need to. Apple provides iOS users with a step-by-step guide for remotely wiping devices, and Google offers up a guide for Android users as well.
Theft of your PII can of course lead to credit cards and other accounts being opened falsely in your name. What’s more, it can sometimes be some time before you even become aware of it, until perhaps your credit score takes a hit or a bill collector comes calling. By checking your credit, you can address any issues that come up, as companies typically have a clear-cut process for contesting any fraud. You can get a free credit report in the U.S. via the Federal Trade Commission (FTC) and likewise, other nations like the UK have similar free offerings as well.
Consider identity theft protection as well. A strong identity theft protection package pairs well with keeping track of your credit and offers cyber monitoring that scans the dark web to detect for misuse of your PII. With our identity protection service, we help relieve the burden of identity theft if the unfortunate happens to you with $1M coverage for lawyer fees, travel expenses, lost wages, and more.
The post Take It Personally: Ten Tips for Protecting Your Personally Identifiable Information (PII) appeared first on McAfee Blog.
Meet ShinyHunters, a hacker who recently leaked 10 new databases this past month from companies including:
• Pixlr.com
• Bonobos.com
• Wognai.com
• Tesspring.com
• Tunedglobal.com
• Buyucoin.com
• Wappalyzer.com
• Chqbook.com
• Rooter.io
• MeetMindful.com
But this isn’t the first time they’ve made headlines. It all started in May of 2020 when ShinyHunters attempted to sell several stolen databases on the Dark Web. They also leaked several other databases between April and July. In October, they proceeded to leak the database of the meal kit delivery company, HomeChef. Not one to be easily satisfied, ShinyHunters continued their antics by exposing sixteen other databases in November, where personal user records and information were publicly shared. Prominent companies who fell victim to this wave of data breaches include gaming site Animal Jam, online marketplace Minted, and coupon company ShopBack, among others.
Personal data released ranges from contact information and addresses, dates of birth, passwords, and financial information. Not including the latest data breach, a total of 129,406,564 user records were exposed. Given the alarming size of the exposure, this gives way to rising concerns for when ShinyHunters will strike again. What’s more, this group seeks notoriety from their misdeeds, hoping to claim credibility for the number of attacks they can execute—a troubling thought for everyday users like you and me.
You never know when or if a breach will occur, which is why we must take precautions to protect our data in the case of a security breach. In the past year alone, we have seen a record number of data breaches, posing unforeseen security concerns and bringing light to new priorities for data protection. That’s why we must learn from these occurrences by proactively protecting our private information in 2021 and beyond.
There’s no way of knowing whether your personal information will fall into the wrong hands or that it will be used maliciously, but ShinyHunters has indicated that they are on the lookout for opportunities to expose more databases, so we must take the necessary steps to protect our personal information before the damage is done.
Not knowing what data was stolen can make it significantly more difficult to pinpoint what threats you may become subject to. If you realize a company you buy from fell victim to a data breach, start investigating. Use this tool to see if the breach affects you.
Great passwords are usually the first line of defense against personal data exposures, so it’s important to update them as soon as they are compromised. Additionally, use different passwords or passphrases for each of your online accounts which helps protect the majority of your data if one of your accounts becomes vulnerable. One route you can take is to use a password manager that not only lets you create strong passwords but can let you manage them efficiently with added security and peace of mind.
On top of updating your credentials, you’ll want to secure your log-in process by enabling 2-Factor Authentication. So, if a hacker has access to your stolen passwords, they’ll still have to bypass an added security layer that is time sensitive. This makes it even more difficult for them to access your information.
Like regular phishing attempts, spear-phishing attempts will try to steal your information by posing as an authentic entity to target unsuspecting victims. However, spear phishing attempts can be harder to spot because the attempt is modified to target a specific individual, often in the form of a personalized email. If you receive an email, call, or text asking you to download software, app, or pay a certain amount of money, do not click or take any direct action from the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links or forking over money unnecessarily.
If you find that your credit card information has been exposed, keep an eye on your bank records and validate each transaction. In the above cases for a site like MeetMindful, where Facebook authentication tokens and user IDs were stolen, it’s always best to keep an eye on other social accounts for fraudulent activity.
For maximum financial protection, freeze your credit to prevent hackers from opening new accounts in your name. Placing a freeze on your credit is free for consumers and won’t affect your credit score. Simply contact the three major credit bureaus—Equifax, Experian, and TransUnion—to set up a freeze to secure your credit file until you decide to lift it.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post ShinyHunters Exposes Over 125 Million Online Credentials appeared first on McAfee Blogs.
This blog is part of our SOCwise series where we’ll be digging into all things related to SecOps from a practitioner’s point of view, helping us enable defenders to both build context and confidence in what they do.
Although there’s been a lot of chatter about supply chain attacks, we’re going to bring you a slightly different perspective. Instead of talking about the technique, let’s talk about what it means to a SOC and more importantly focusing on the SUNBURST attack, where the adversary leveraged a trusted application from SolarWinds.
Below you are going to see the riveting discussion between our very own Ismael Valenzuela and Michael Leland where they’ll talk about the supply chain hacks and the premise behind them. More importantly, why this one in particular was so successful. And lastly, they’ll cover best practices, hardening prevention, and early detection.
Michael: Ismael, let’s start by talking a little bit about what the common types of supply chain attacks. We know from past experience that they’ve primarily been software; though, it’s not unheard of to have hardware-based supply chain attacks as well. But really, it’s about hijacking or masquerading as a vendor or a trusted supplier and objecting malicious code into trusted, authorized applications. Sometimes even hijacking the certificate to make it look legitimate. And this last one was about injecting into third party libraries.
In relation to SUNBURST, it was a long game, right? This was an adversary long game attack where they had over 12 months to plan, stage, deploy, weaponize and reap the benefits. And we’re going to talk more about what they did, but more importantly, also how we as practitioners can leverage the sources of telemetry we have for both detection and hopefully future prevention. The first question that most people ask is, is this new and clearly this is not a new technique or tactic, but let’s talk a little bit about why this one was different.
Ismael: Right! The most interesting piece about SolarWinds is not that much of it is a supply chain attack because as you said, it’s true. It’s not new. We’ve seen similar things in the past. I know there’s a lot of controversy around some of them like Supermicro, we and many others over the last few years and it’s difficult to prove these types of attacks. But to me, the most interesting piece is not just how it got into the environment, but we talked about malicious updates into legitimate applications. For example, we’ve seen some of that in the past with modifying code on GitHub, right? Unprotected reports, attackers, threat actors are modifying the code.
We’re going to talk a little bit about what organizations can do to identify these but what I really want to highlight out of this is about the attackers, they have a plan right? They compromise the environment carefully, they stayed dormant for about two weeks, and after that, as we have seen in recent research, they started to deploy second stage payloads. The way they did that was very, very interesting, and its changing the game. It’s not radically new, but there’s always something new that we may have not seen before. And it’s important for defendants to understand these behaviors so they can start trying to detect them. In summary, they have a plan and we should ask ourselves if we have a plan for these type of attacks? Not only the initial vector but also what happens after that.
Michael: Let’s take a look at the timeline (figure 1 below) and talk about the story arc of what took place. I think the important thing is, again the adversary knew long before the attack long before the weaponization of the application, long before the deployment, they had this planned out. They knew they were going after a very specific vendor. In this case, SolarWinds knew as far back as 2018, early 2019, that they had a registration domain registered for it already. And they didn’t even give it a DNS look up until almost a year later. But the code application 2019 was weaponization in 2020. We’re talking about months almost a year of time passed, and they knew very well going into it what their intent was.
Ismael: Yep, absolutely. And as I mentioned before, even once they have the back door in place, the infamous DLL now stays dormant for two weeks. And then they start a careful reconnaissance discovery trying to find out where they are, what type of information they have around them, the users, and identity management. In some cases, we have seen them pivoting and stealing the tokens and credentials then pivoting to the cloud, all of that takes time. right? Which indicates that the attacker has a lot of knowledge on how to do these in a stealthy way. But if we think in terms of attack chains it also helps us to understand where we could have better opportunities to catch these types of activities.
Michael: We’ve set the stage to understand kind of what exactly took place and a lot of people have talked about the methodology and the attack life cycle. But they had a plan, they weren’t specifically advanced in the way they leveraged the tools. They were very specific about leveraging multiple somewhat novice or novel methods to make use of the vulnerability. More importantly, it was the amount of effort they put into planning also the amount of time they spent trying not to get seen, right. We look at telemetry all the time, whether it’s in a SIEM tool or EDR tool, and we need those pieces of telemetry that tell us what’s happening, and they were very stealthy in the way they were leveraging the techniques.
Let’s talk a little bit about what they did that was unique to this specific attack and then we’ll talk more about how we can better define our defenses and prevention around what we learned.
Ismael: Yep, absolutely! And one of the interesting things that we have seen recently is how they disassociated the stage one and stage two to make sure that stage one, the backdoor/DLL wasn’t going to be detected or burnt. So once again, you were talking about the long game. They were planning, they were architecting their attack for the long game. Even if you would find an artifact from a specific machine, it would be harder for you to trace that back to the original backdoor. So they would maintain persistency in the environment for quite some time. I know that this is not new necessarily. We have been telling defenders for a long time: You need to focus on finding persistency, because attackers, they need to stay in the environment.
We need to look at command and control but obviously these techniques are evolving. They went to great lengths to ensure that the artifacts, the indicators of compromise on each of these different systems for stage two, and at this point we know they use colon strike beacons. Each of these beacons were unique, not just for each organization, which would make sense but also for each computer within each organization. What does that mean for a SOC? Well, imagine you’re doing this and in response you find some odd behavior coming out of the machine, you look at the indicators and what are you going to do next…. scoping, right? Let’s see where else in my network. I’m seeing activity going into that domain to those IPS or those registry keys or that, you know, WMI consumer, for example. But the truth is that those indicators were not used anywhere else, not even in your environment. So that was interesting.
Michael: Given that we don’t have specific indicators that we could attribute to something malicious in that stage, what we do know is that they’re leveraging common protocols in an uncommon way. The majority of this tactic took place from a C2 perspective through the partial exfiltration being done using DNS. To the organizations that aren’t successfully or effectively monitoring the types of DNS traffic, the DNS taking place on non-standard ports or more quarterly, the volume of DNS that’s originating from machines that don’t typically have it and volume metric analysis can tell us a lot. If in fact, there’s some heuristic value that we can leverage to detect. What else should we be thinking about in terms of the protection side of things, an abuse of trust?
We trusted an application; we trusted a vendor. This was a clear abuse of that. Zero trust would be one methodology that can incorporate both micro-segmentation as well as explicit verification and more importantly, least trust methodology that we can ensure. I also think about the fact that we’re giving these applications rights and privileges to our environment and administrative privileges. We need to make sure that we’re monitoring both those accounts and service accounts that are being utilized by these applications; specifically, so that we can prescribe a domain, walls and barriers around what they have access to. What else can we do in terms of detection or providing visibility for these types of attacks?
Ismael: When we’re talking about a complicated or advanced attack, I like to think in terms of frameworks like the new cybersecurity framework, for example that talks about prevention, detection, and response but also identifying the risks and assets first. If you look at it from that perspective and look at an attack chain, even though some of the aspects of these attack were very advanced, there’s always limitations from the attacker perspective. There’s no such thing as the perfect attack, so be aware of the perfect attack fallacy. There’s always something the attacker’s going to do that can help you to detect them. With that in mind, think about putting the MITRE attack behaviors, tactics and the techniques on one side of the matrix and on the other side, like NIST cybersecurity framework identify, protect, detect.
Some of the things I would suggest is identifying the assets of risk, and I always talk about BCP. This is continuity planning. Sometimes we work in silos and we don’t leverage some of the information that can be in your organization that can point you to the crown jewel. You can’t protect everything, but you need to know what to protect and know how the information flows. For example, where are your soft spots, where are your vendors located on the network, your/their products, how do they get updated? It will be helpful for you to determine or define a defensible secure architecture that enforces it by trying to protect that…the flow of the data.
When protection fails, it could be a firewall rule that can be any type of protection. The attempts to bypass the firewalls can be turned into detections. Visibility is very important to have across your environment, that doesn’t mean to just manage devices, it also means the network, and endpoints, and servers. Attackers are going to go after the servers, the main controllers, right? Why? Because they want to steal those credentials, those identities used somewhere else and maybe pivot to the cloud. So having enough visibility across the network is important, which means having the camera’s point to the right places. That is when EDR or XDR can come into play, product that keep that telemetry and give you visibility of what’s going on and potentially detect the attack.
Michael: I think it’s important as we conclude our discussion to chat about the fact that telemetry can come in various flavors; more importantly, both real-time and historical telemetry that’s of significant value, not only in the detection side, but in the forensic investigation/scoping side, and understand exactly where an adversary may have landed. It’s not just having the telemetry accessible, it’s also sometimes the lack of telemetry. That’s the indicator that tells us when logging gets disabled on a device and we stop hearing from it then the SIEM starts seeing a gap in its visibility to a specific asset. That’s why combination of both real-time endpoint protection technologies deployed on both endpoints and servers, as well as the historical telemetry that we’re typically consuming in our analytics frameworks, and technologies like SIEM
Ismael: Absolutely, and to reiterate the point of finding those places where attackers are going to be, can be spotted more easily. If you look at the whole attack chain maybe the initial vector is harder to find, but start looking at how they got privileges, their escalation, and their persistence. Michael, you mentioned cleaning logs apparently were disabling the auditing logs by using auditpol on the endpoint or creating new firewall rules on the endpoints. If you consume these events, why would somebody disable the event logging temporarily by turning it off and then back on again after some time? Well, they were doing this for a reason.
Michael: Right. So we’re going to conclude our discussion, hopefully this was informative. Please subscribe to our Securing Tomorrow blog where you can keep up to date with all things SOC related and feel free to visit McAfee.com/SOCwise for more SOC material from our experts.
The post SOCwise Series: Practical Considerations on SUNBURST appeared first on McAfee Blogs.
Clearly this was a motivated and patient adversary. They spent many months in the planning and execution of an attack that was not incredibly sophisticated in its tactics, but rather used multiple semi-novel attack methods combined with persistent, stealthy and well-orchestrated processes. In a world where we always need to find ways to stay even one step ahead of adversaries, how well is your SOC prepared to bring the same level of consistent, methodical and well-orchestrated visibility and response when such an adversary comes knocking at your door?
Plan, test and continuously improve your SecOps processes with effective purple-teaming exercises. Try to think like a stealthy attacker and predict what sources of telemetry will be necessary to detect suspicious usage of legitimate applications and trusted software solutions.
Assume that your most critical assets are under attack, especially those that leverage third-party applications where elevated privileges are a requirement for their effective operation. Granting service accounts unrestricted administrative privileges sounds like a bad idea – because it is. Least-privilege access, micro segmentation and ingress/egress traffic filtering should be implemented in support of a Zero-Trust program for those assets specifically that allow outside access by a ‘trusted’ 3rd-party.
The threat research world has moved beyond atomic indicators, file hashes and watchlists of malicious IPs and domains upon which most threat intelligence providers still rely. Think beyond Indicators of Compromise. We should rely less on static lists of artifacts but instead focused on heuristics and behavioral indicators. Event-only analysis can easily identify the low-hanging fruit of commodity attack patterns, but more sophisticated adversaries are going to make it more difficult. Ephemeral C2 servers and single-use DNS entries per asset (not target enterprise) were some of the more well-planned (yet relatively simple) behaviors seen in the Sunburst attack. Monitor carefully for changes in asset configuration like logging output/location or even the absence of new audit messages in a given polling period.
All telemetry is NOT created equal. Behavioral analysis of authentication events in support of UEBA detections can be incredibly effective, but that assumes identity data is available in the event stream. Based on my experience, SIEM data typically yields only 15-20% of events that include useful identity data, whereas almost 85% of cloud access events contain this rich contextual data, a byproduct of growing IAM adoption and SSO practices. Events generated from critical assets (crown jewels) are of obvious interest to SecOps analysts for both detection and investigation, but don’t lose sight of those assets on the periphery; perhaps an RDP jump box sitting in the DMZ that also synchronizes trust with enterprise AD servers either on-premises or in the cloud. Find ways to isolate assets with elevated privilege or those running ‘trusted’ third-party applications using micro segmentation where behavioral analysis can more easily be performed. Leverage volumetric analysis of network traffic to identify potentially abnormal patterns; monitor inbound and outbound requests (DNS, HTTP, FTP, etc) to detect when a new session has been made to/from an unknown source/destination – or where the registration age of the target domain seems suspiciously new. Learn what ‘normal’ looks like from these assets by baselining and fingerprinting, so that unusual activity can be blocked or at the very least escalated to an analyst for review.
The only way to gain insight into the attacker behaviors – and any chance of detecting and disrupting attacks of this style – require extensive telemetry from a wide array of sensors. Endpoint sensor grids provide high-fidelity telemetry about all things on-device but are rarely deployed on server assets and tend to be ‘network-blind’. SIEMs have traditionally been leveraged to consume and correlate data from all 3rd-party data sources, but it likely does not have the ability (or scale) to consume all EDR/endpoint events, leaving them largely ‘endpoint-blind’. As more enterprise assets and applications move to the cloud, we have yet a third source of high-value telemetry that must be available to SOC analysts for detection and investigation. Threat hunting can only effectively be performed when SecOps practitioners have access to a broad range of real-time and historical telemetry from a diverse sensor grid that spans the entire enterprise. They need the ability to look for behaviors – not just events or artifacts – across the full spectrum of enterprise assets and data.
Time can be an attacker’s best offense, sometimes because of the speed with which they can penetrate, reconnoiter, locate and exfiltrate sensitive data – a proverbial ‘smash-and-grab’ looting. Hardly subtle and quickly noticed for the highly visible crime that it is. However in the case of Sunburst the adversary used time to their advantage, this time making painstakingly small and subtle changes to code in the software supply chain to weaponize a trusted application, waiting for it to be deployed across a wide spectrum of enterprises and governmental agencies, quietly performing reconnaissance on the affected asset and those around it, and leveraging low-and-slow C2 communications over a trusted protocol like DNS. Any one of these activities might easily be overlooked by even the most observant SOC. This creates an even longer detection cycle, allowing potential attackers a longer dwell time.
This blog is a summary of the SOCwise Conversation on January 25th 2020. Watch for the next one!
For more information on the Sunburst attack, please visit our other resources on the subject:
Blogs:
McAfee Knowledge-base Article (Product Coverage)
McAfee Knowledge-base Article (Insights Visibility)
The post 6 Best Practices for SecOps in the Wake of the Sunburst Threat Campaign appeared first on McAfee Blogs.
Quantum computing is the next frontier in computer science. It can bring untold benefits, allowing the development of new materials, tackling pandemics and making the world a greener, safer place. But it also threatens to break the encryption that keeps our data safe from prying eyes. France’s recent announcement to invest €1.8b into Europe’s quantum computing effort – on top of Germany’s two billion euros and the EU’s one billion euro quantum strategy – will help ensure Europe doesn’t miss the boat on what is set to become the cornerstone of innovation in the coming decades.
In short, quantum computing is an entirely new paradigm for making calculations on computers. Today, all computing relies on sequences of ones and zeroes to make increasingly complex calculations, culminating in the smartphones, cloud services and the supercomputers that exist today.
Quantum computing uses peculiar characteristics of physics to allow machines to perform complex algebra calculations in one fell swoop: “It would take ten thousand years to factor something on the fastest computer today, that could be minutes or seconds given a sufficiently powerful quantum computer,” said McAfee’s chief technology officer Steve Grobman on a recent podcast. “Think about it more as waves than binary,” added John King, a McAfee research fellow also on the podcast. “You reinforce the ones that you want, and dampen the ones that you don’t want,” he said.
To achieve these quirks of physics requires machines operating at temperatures colder than outer space, so it is unlikely that every person will have a quantum computer in their basement anytime soon. However, with the Internet and cloud computing, we will have the ability to harness the power of quantum computing remotely, just like data centres can be used from hundreds of kilometers away at the tap of a few buttons in a web browser today.
Nor is quantum computing always going to be superior to the well-developed binary technologies in place today, which are handsomely suited to making precise calculations. “Quantum computing is not well suited for general purpose computing, but for solving very specific math problems that are well suited to the quantum model,” said Grobman.
But the pattern-recognising abilities of quantum algorithms are uniquely well suited to complex problem. Think how to best distribute COVID-19 vaccines across populations, or even the world, or optimising global shipping networks leading to lower emissions from boats and planes.
On the flipside quantum is also, unfortunately, much better at breaking encryption algorithms than tradiditional computing power . Data that is considered secure today could be rendered public knowledge in the coming decade’s advances in quantum technology, with massive implications for company secrets and national security.
In the US and China, private and public actors are already pouring huge investments into quantum, and without considerable efforts, Europe exposes itself to gaping security holes, and missing out on harnessing the power of quantum to solve pressing problems such as climate change.
This is why France’s recent announcement is not just timely, but necessary, for Europe to continue charting a path of global success in the future. Today, the theory of quantum computers is way ahead of their actual capability. But in 10 years, it will be a different story, and given the scale of the challenge, acting now is of essence.
Making the most of quantum is not just about building the computers themselves. The entire paradigm of computer science is being upended. Europe is already facing a shortage of computer scientists, and its future computer science graduates must have the tools and knowledge needed to harness this new technology. This is why France is right to focusing funding not only on research and equipment, but also talent and skills to power this computer science revolution.
For McAfee, making the digital world safe is a top priority, and naturally our attention gravitates toward the opportunities and threats quantum computing poses to keeping data secure and safe.
But making the world a safer place isn’t just about preventing cyberattacks and encrypting valuable data. It’s equally about making the world greener and using the power of technology to solve our pressing societal and economic challenges. Quantum computing will play a key role in all these goals, provided the technology is in the right hands. Bad actors see the same opportunities in quantum to disrupt and bring chaos as we see in making the world a better place, and the only way to stymie their efforts is ensuring that Europe, along with the US and others determined to make the world a better place, stay one step ahead.
The post Europe’s Quantum Story is Accelerating, and the World Will be Better for it appeared first on McAfee Blogs.
Albert Einstein once said, “We cannot solve our problems with the same thinking we used when we created them”.
Security vendors have spent the last two decades providing more of the same orchestration, detection, and response capabilities, while promising different results. And as the old adage goes, doing the same thing over and over again whilst expecting different results is…? I’ll let you fill in the blank yourself.
SIEM! SOAR! Next Generation SIEM! The names changed, while the same fundamental challenges remained: they all required heavy lifting and ongoing manual maintenance. As noted by ESG Research, SIEM – being a baseline capability within SOC environments – continues to present challenges to organisations by being either too costly, exceedingly resource intensive, requiring far too much expertise, and various other concerns. A common example of this is how SOC teams still must create manual correlation rules to find the “bad” connections between logs from different products, applications and networks. Too often, these rules flooded analysts with information and false alerts and render the product too noisy to effective.
The expanding attack surface, which now spans Web, Cloud, Data, Network and more, has also added a layer of complexity. The security industry cannot only rely on its customers’ analysts to properly configure a security solution with such a wide scope. Implementing only the correct configurations, fine-tuning hundreds of custom log parsers and interpreters, defining very specific correlation rules, developing necessary remediation workflows, and so much more – it’s all a bit too much.
Detections now bubble up from many siloed tools, too, including Intrusion Prevention Systems (IPS) for network protection, Endpoint Protection Platforms (EPP) deployed across managed systems, and Cloud Application Security Broker (CASB) solutions for your SaaS applications. Correlating those detections to paint a complete picture is now an even bigger challenge.
There is also no ‘R’ in SIEM – that is, there is no inherent response built into SIEM. You can almost liken it to a fire alarm that isn’t connected to the sprinklers.
SIEMs have been the foundation of security operations for decades, and that should be acknowledged. Thankfully, they’re now being used more appropriately, i.e. for logging, aggregation, and archiving.
Now, Endpoint Detection and Response (EDR) solutions are absolutely on the right track – enabling analysts to sharpen their skills through guided investigations and streamline remediation efforts – but it ultimately suffers from a network blind spot. Similarly, network security solutions don’t offer the necessary telemetry and visibility across your endpoint assets.
Of Gartner’s Top 9 Security and Risk Trends for 2020, “Extended detection and response capabilities emerge to improve accuracy and productivity” ranked as their #1 trend. They noted, “Extended detection and response (XDR) solutions are emerging that automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capability…The primary goals of an XDR solution are to increase detection accuracy and improve security operations efficiency and productivity.”
That sounds awfully similar to SIEM, so how is an XDR any different from all the previous security orchestration, detection, and response solutions?
The answer is: An XDR is a converged platform leveraging a common ontology and unifying language. An effective XDR must bring together numerous heterogeneous signals, and return a homogenous visual and analytical representation.. XDR must clearly show the potential security correlations (or in other words, “attack stories”) that the SOC should focus on. Such a solution would de-duplicate information on one hand, but would emphasize the truly high-risk attacks, while filtering out the mountains of noise. The desired outcome would not require exceeding amounts of manual work; allowing SOC analysts to stop serving as an army of “translators” and focus on the real work – leading investigations and mitigating attacks. This normalized presentation of data would be aware of context and content, be advanced technologically, but simple for analysts to understand and act upon.
SIEMs are data-driven, meaning they need data definitions, custom parsing rules and pre-baked content packs to retrospectively provide context. In contrast, XDR is hypothesis driven, harnessing the power of Machine Learning and Artificial Intelligence engines to analyse high-fidelity threat data from a multitude of sources across the environment to support specific lines of investigation mapped to the MITRE ATT&CK framework.
The MITRE ATT&CK framework is effective at highlighting “how bad guys do what they do, and how they do it.” While traditional prevention measures are great at “spot it and stop it” protections, MITRE ATT&CK demonstrates there are many steps taking place in the attack lifecycle that aren’t obvious. These actions don’t trigger sufficient alerting to generate the confidence required to support a reaction.
XDR isn’t a single product. Rather, it refers to an assembly of multiple security products (and services) that comprise a unified platform. An XDR approach will shift processes and likely merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators.
The ideal XDR solution must provide enhanced detection and response capabilities across endpoints, networks, and cloud infrastructures. It needs to prioritise and predict threats that matter BEFORE the attack and prescribe necessary countermeasures allowing the organisation to proactively harden their environment.
McAfee’s MVISION XDR solution does just that, by empowering the SOC to do more with unified visibility and control across endpoints, network, and cloud. McAfee XDR orchestrates both McAfee and non-McAfee security assets to deliver actionable cyber threat management and support both guided and automated investigations.
What if you could find out if you’re in the crosshairs of a top threat campaign, by using global telemetry from over 1 billion sensors that automatically tracks new campaigns according to geography and industry vertical? Wouldn’t that be insightful?
“Many firms want to be more proactive but do not have the resources or talent to execute. McAfee can help bridge this gap by offering organisations a global outlook across the entire threat landscape with local context to respond appropriately. In this way, McAfee can support a CISO-level strategy that combines risk and threat operations.”
– Jon Oltsik, ESG Senior Principal Analyst and Fellow
But, hang on… Is this all just another ‘platform’ play?
Take a moment to consider how ‘platform’ offerings have evolved over the years. Initially designed to compensate for the heterogeneity and volume of internal data sources and external threat intelligence feeds, the core objective has predominantly been to manifest data centrally from across a range of vectors in order to streamline security operations efforts. We then saw the introduction of case management capabilities.
Over the past decade, the security industry proposed solving many of the challenges presented in SOC contexts through integrations. You would buy products from a few different vendors, who promised it would all work together through API integration, and basically give you some form of pseudo-XDR outcomes we’re exploring here.
Frankly, there are significant limitations in that approach. There is no data persistence; you basically make requests to the lowest API denominator on a one-to-one basis. The information sharing model was a one-way ‘question and answer’ leveraging a scheduled push-pull methodology. The other big issue was the inability to pull information in whatever form – you were limited to the API available between the participating parties, with the result ultimately only as good as the ‘dumbest’ API.
And what about the lack of any shared ontology, meaning little to no common objects or attributes? There were no shared components, such as UI/UX, incident management, logging, dashboards, policy definitions, user authentication, etc.
What’s desperately been needed is an open underlying platform – essentially like a universal API gateway scaled across the cloud that leverages messaging fabrics like DXL that facilitate easy bi-lateral exchange between many security functions – where vendors and partner technologies create tight integrations and synergies to support specific use cases benefitting SOC ecosystems.
Is XDR, then, a solution or product to be procured? Or just a security strategy to be adopted? Potentially, it’s both. Some vendors are releasing XDR solutions that complement their portfolio strengths, and others are just flaunting XDR-like capabilities.
SIEMs still deliver specific outcomes to organisations and SOCs, which cannot be replaced by XDR. In fact, with XDR, a SIEM can be even more valuable.
For most organisations, XDR will be a journey, not a destination. Their ability to become more effective through XDR will depend on their maturity and readiness to embrace all the required processes. In terms of cybersecurity maturity, if you’d rate your organisation at a medium to high level, the question becomes how and when.
Most organisations using an Endpoint Detection and Response (EDR) solution are likely quite ready to embrace XDR’s capabilities. They are already investigating and resolving endpoint threats and they’re ready to expand this effort to understand how their adversaries move across their infrastructure, too.
If you’d like to know more about how McAfee addresses these challenges with MVISION XDR, feel free to reach out!
The post XDR – Please Explain? appeared first on McAfee Blogs.
What is your organization’s readiness for the emerging eXtended Detection Response (XDR) technology? McAfee just released the first iteration of this technology, MVISION XDR. As XDR capabilities become available, organizations need to think through how to embrace the new security operations technology destined to empower detection and response capabilities. XDR is a journey for people and organizations.
The cool thing about McAfee’s offering is the XDR capabilities is built on the McAfee platform of MVISION EDR, MVISION Insights and is extended to other McAfee products and third-party offerings. This means –— as a McAfee customer — your XDR journey has already begun.
The core value prop behind XDR is to empower the SecOps function which is still heavily burdened with limited staff and resources while the threat landscape roars. This cry is not new. As duly noted in the book, Ten Strategies of World-class Cybersecurity Operations Center, written quite a few moons ago: “With the right tools, one good analyst can do the job of 100 mediocre ones.” XDR is the right tool.
SecOps empowerment means impacting and changing people and process in a positive manner resulting in better security outcomes. Organizations must consider and prepare for this helpful shift. Here are three key considerations organizations need to be aware of and ready for:
A baseline requirement for XDR is to unify and aggregate security controls and data to elevate situation awareness. Now consider what does this mean to certain siloed functions like endpoint, network and web. Let’s say you are analyst who typically pulls telemetry from separate control points (endpoint, network, web) moving from each tool with a login, to another tool with another login and so on. Or maybe you only have access to the endpoint tool. To gain insight into the network you emailed the network folks with artifacts you are seeing on the endpoint and ask if these is anything similar, they have seen on the edge and what they make of it. Often there is a delayed response from network folks given their priorities. And you call the web folks for their input on what they are seeing. Enter XDR. What if this information and insights was automatically given to you on a unified dashboard where situation awareness analysis has already begun. This reduces the manual pivoting of copy and pasting, emailing, and phone calls. It removes the multiple data sets to manage and the cognitive strain to make sense of it. The collection, triaging, and initial investigative analysis are automated and streamlined. This empowers the analysts to get to a quicker validation and assessment. The skilled analyst will also use experience and human intuition to respond to the adversary, but the initial triaging, investigation, and analysis has already been done. In addition, XDR fosters the critical collaboration between the network operations and security operations since adversary movement is erratic across the entire infrastructure.
Imagine if your SecOps gained high priority threat intelligence before the adversary hits and enters your environment. What does it mean to your daily SecOps processes and policy? It removes a significant amount to of hunting, triaging and investigation cycles. It simply prioritizes and accelerates the investigation. It answers the questions that matter. Any associated campaign is bubbled up immediately. You are getting over a hundred high alerts, but one is related to a threat campaign that is likely to hit. It removes the guess work and prioritizes SecOps efforts. It assesses your environment and the likely impact—what is vulnerable. More importantly it suggests counter measures you can take. It moves you from swimming in context to action in minutes.
This brings the SecOps to a decision moment faster—do they have the authority to respond? Are they a participant in prevention efforts? Note this topic is Strategy Three in the Ten Strategies of World-class Cybersecurity Operations Center where it is highly encouraged to empower SecOps to make and/or participate in such decisions. Policies for response decisions and actions vary by organizations, the takeaway here is decision moments come faster and more often with significant research and credible context from MVISION XDR.
XDR is an open, integrated platform. So, what does it mean to people and process if all the pieces are integrated and security functions coordinate efforts? It depends on the pieces that are connected. For example, if SecOps can place a recommendation to update certain systems on the IT service system automatically it removes the necessity to login into the IT system and place a request or in some cases call or email IT (eliminating a time-consuming step.) There is a heightened need for what–if scenario policies driven by Secure Orchestration Automation Response (SOAR) solutions. These policies are typically reflected in a manual playbook or SOAR playbook.
Let’s consider an example, when an email phishing alert is offered the SOAR automatically (by policy/play required) compares the alert against others to see if there are commonalties worth noting. If so, the common artifacts are assigned to one analyst versus distributing separate alerts to many analysts. This streamlines the investigation and response to be more effective and less consuming. There are many more examples, but the point is when you coordinate security functions organization must think through how they want each function to act under specific circumstances—what is your policy for these circumstances.
These are just a few areas to consider when you embrace XDR. I hope this initial discussion started you thinking about what to consider when embracing XDR. We have an online SOC audit where you can assess your SOC maturity and plan where you want to go. Join us for a webinar on XDR readiness where experts will examine how to prepare to optimize XDR capabilities. We also have a SOC best practices series, SOCwise that offers regular advice and tips for your SOC efforts!
The post Are You Ready for XDR? appeared first on McAfee Blogs.
It is near-certain the need for security across the enterprise will never cease – only increase if year-over-year trends are any indication. We constantly see headlines with repetitive buzzwords and phrases calling attention to the complexity of today’s security operations center (SOC) with calls to action to reimagine and modernize the SOC. We’re no different here at McAfee in believing this to be true.
In order for this to happen, however, we need to update our thinking when it comes to the SOC.
Today’s SOC truly serves as an organization’s cybersecurity brain. Breaking it down, the brain and SOC are both the ultimate central nervous system and are extremely complex. While the brain fires neurons, connects synapses, and constantly communicates in order for the body to function, the SOC similarly works as a centralized system where people, processes, and technology must be in-sync to function. The unfortunate reality is though, SOC analysts and staff do not feel empowered to act in this manner. According to the 2021 SANS Cyber Threat Intelligence Report, respondents cited several reasons for not being able to implement cybersecurity holistically across their organization, including lack of trained staff, time, funding, management buy-in, technical capabilities, and more.
The technology that has the power to enable this synchronicity and further modernize enterprise security by taking SOC functionality to the next level is already here – Extended Detection and Response (XDR). It has the ability to provide prevention, detection, analysis, and response in a purposefully orchestrated and cooperative way, with its components operating as a whole. Think of it this way: XDR mimics the brain’s seamlessness in operation, with every element working toward the same goal of maintaining sound security posture across an entire organization.
Put another way, the human brain has approximately 100 trillion synapses, synchronizing and directing to make it possible to walk and chew bubble gum at the very same time with seemingly no effort on the human’s end. However, if one synapse misfires or becomes compromised due to an unknown element – you might end up on the ground.
Similarly, we’re already seeing many enterprises falter, trip, and fall. According to Ernst & Young, 59% of companies experienced a significant breach in the last twelve months – and only 26% of respondents say the SOC identified that event. These statistics show the case for XDR is clear – and that it is time to learn and reap the benefits of taking a proactive approach.
Organizations are still vulnerable to malicious actors attempting to take advantage of disparate remote workforces – and we’re seeing them get craftier, acting faster and more frequently. This is where XDR offers a pivotal differentiator by providing actionable intelligence and integrated functionality across control vectors, resulting in more proactive investigation cycles.
When it comes to analysis, data can quickly become overwhelming, introducing an opportunity to miss critical threats or malicious intent with more manual or siloed processes. Meaningful context is crucial and no industry is exempt from needing it.
This is where McAfee is providing the advantage with MVISION XDR powered MVISION Insights. The ability to know likely and prioritized threat campaigns based on geographical and industry prevalence – and have them correlated and assessed across your local environment – provides the situational awareness and analysis that can allow SOC teams to act before threats occur. Additionally, as endpoints only promise to increase, MVISION XDR works in conjunction with McAfee’s endpoint protection platform (EPP), increasing effectiveness with added safeguards including antivirus, encryption, data loss prevention technologies and more at the endpoint.
Think of the impact and damage that can happen without this crucial and context MVISION Insights can provide. The consequences can be dire when looking at industries that have faced extreme upheaval.
For example, in keeping with our theme, we know the importance of essential healthcare workers and cannot be grateful enough for their contributions. But as the industry faces extreme challenges and an increase in both patient load and data, we also need to be paying close attention to how this data is being managed, who has privilege to it, and what threats exist as even this typical in-person industry shifts virtual due to our updated circumstances. Having meaningful context on potential threats will help this industry avoid added challenges so focus can remain steadfast on creating impact and positive results.
Outside of the tremendous advantage of being less vulnerable to threats and breaches due to proactivity, incredible efficiencies can be gained by freeing cybersecurity staff from those previously manual tasks and management of multiple silos of solutions. The time is definitely now too – according to (ISC)², 65% of organizations already report a shortage of cybersecurity staff.
Coupled with staff shortages and lack of skilled workers, an IBM report also found that the average time to detect and contain a data breach is 280 days. Going back to the view that the SOC serves as an organization’s cybersecurity brain – 280 days can cause massive amounts of damage if an anomaly in the brain were to occur unnoticed or unaddressed.
For the SOC, the longer a breach goes undetected, the more information and data becomes vulnerable or leaked – leading not only to a disruption in business, but ultimately financial losses as well.
XDR is the future of the SOC. We know that simplified, cohesive visualization and control across the entire infrastructure leads the SOC to better situational awareness – the catalyst for faster time to remediation. The improved, holistic viewpoint XDR provides across all vectors from endpoint, network, and cloud helps to eliminate mistakes and isolated endeavors across an organization’s entire IT framework.
With AI-guided investigation, analysts have an automatic exchange of data and information to move faster from validation to decision when it comes to threats. This is promising as organizations not only tackle a shortage in cybersecurity staff, but skilled workers as well. According to the same (ISC)² survey as above, 36% of those polled cite lack of skilled or experienced staff being a top concern.
Knowing the power of data and information, we can confidently assume that malicious actors will never stop their quest to infiltrate and extort enterprises. True to the well-known anecdote, this knowledge brings about great responsibility. Enterprises will face challenges as threats increase while talent and staff decrease – all while dealing with vendor sprawl and choice-overload across the market.
SOC Assessment Tool
Time to schedule a check-up for your SOC. It may not be as healthy as you think and true to both the medical and security industries, proactivity and prevention can lead to optimized functionality.
Want to learn more about McAfee’s investment in XDR and explore its approach? Check out McAfee MVISION XDR.
The post SOC Health Check: Prescribing XDR for Enterprises appeared first on McAfee Blogs.
The human race commonly fears what it doesn’t understand. In a time of war, this fear is even greater if one side understands a weapon or technology that the other side does not. There is a constant war which plagues cybersecurity; perhaps not only in cybersecurity, but in the world all around us is a battle between good and evil. In cyber security if the “evil” side understands or pays more attention to a technology than the “good” side, we see a spike in cyber-attacks.
This course of events demands that both offensively and defensively minded “good guys” band together to remove the unknown from as much technology as possible. One of the most common unknown pieces of technology in cybersecurity that professionals see on a regular basis are proprietary protocols running across their networks. By using both the tactics and perspectives from red and blue teams it is possible to conquer and understand these previously unknown packets. This strategy is exactly what we, Douglas McKee and Ismael Valenzuela, hoped to communicate in our webinar ‘Thinking Red, Acting Blue: Hacking Proprietary Protocols”.
Proprietary protocols are typically a mystery to many practitioners. Vendors across many industries develop them for very specific purposes and technologies. We see them in everything from the Internet of Things (IOT), to Industrial Controls Systems (ICS), to medical devices and more. Since by its nature “proprietary” technology is not shared, there is generally no public Request for Comments (RFC) or public disclosure on how they work. This provides an opportunity for attackers and a challenge for defenders. Attackers are aware these networking protocols are less reviewed and therefore more susceptible to vulnerabilities, while defenders have a hard time understanding what valid or benign traffic looks like. Unfortunately, attackers are generally more financially motivated to spend the time reversing these protocols than defenders, since the rewards can be very substantial.
During the webinar we discussed a two-prong approach to tackling these unknown protocols with the goal of a deeper understanding of this data. A red team’s purpose may be to look for vulnerabilities, while a blue team may be more interested in detecting or flagging unusual behavior in this traffic. We discuss how this can be accomplished through visual inspection using Wireshark to compare the traffic across multiple conversations, and we complemented this analysis with python libraries like pandas, numpy and matplotlib, for data exploration and visualization.
For example, consider the packets in the Wireshark captures side-by-side in Figure 1. An astute reader may notice that the UDP packets are evenly spaced between each other within the same PCAP, yet differently spaced between pcaps.
In protocol analysis this can indicate the use of a status or “heartbeat” packet, which may contain some type of data where the interval it is sent is negotiated for each conversation. We have seen this as a common trait in proprietary protocols. This can be difficult for a cybersecurity professional to discern with a small amount of data, but could be very helpful for further analysis. If we import the same data into pandas dataframes and we add matplotlib visualizations to our analysis, the behavior becomes much clearer as seen in Figure 2.
By using the reverse engineering perspective of a vulnerability researcher combined with the data analysis insight of a defender, we can strengthen and more quickly understand the unknown. If this type of deep technical analysis of proprietary protocols interests you, we encourage you to check out the recording of our presentation below. We have made all of our resources public on this topic, including pcaps and python code in a Jupyter Notebook, which can be found on Github and Binder. It is important as an industry that we don’t give into fear of the unknown or just ignore these odd looking packets on our network, but instead lean in to understand the security challenges proprietary protocols can present and how to protect against them.
The post Hacking Proprietary Protocols with Sharks and Pandas appeared first on McAfee Blogs.
To live our digital lives to the fullest, we rely on a variety of technologies to support our online activities. And while some apps and devices are meant to make certain tasks more convenient or provide us with greater security, others simply offer a false sense of security and could potentially lead to online misfortune. One such platform is SuperVPN. While users may applaud themselves for using a VPN to protect their privacy, this Android app is unfortunately spilling their secrets without their knowledge.
Let’s unpack how SuperVPN works and its recent involvement in a data breach.
VPNs (virtual private networks) are intended to create a secure tunnel between your device and the internet, offering you privacy and freedom from IP-based tracking. It protects your identity and financial information by encrypting, or scrambling, the data that flows through the tunnel, and can mask your true location, making it appear as though you are connecting from somewhere else. VPN apps have become much more popular in recent years as our awareness around privacy and security has grown. But, such is the case with all apps, it’s important to do your research before you select one to install on your phone.
According to Forbes, critical security warnings around the app SuperVPN surfaced last year. They reported research stating that 105 million people might have had their credit card details stolen, and that hackers could intercept messages between the user and provider. As of last Friday, someone leaked three databases on a popular hacking forum that purportedly contained user credentials and device data stolen from three different Android VPN services: SuperVPN, considered one of the most dangerous VPNs on Google Play with 100 million installs, GeckoVPN (10 million installs), and ChatVPN (50,000 installs). This breach exposed the data of 21 million users, including names, email addresses, usernames, payment data, device information, and even location data logs — a major red flag for a VPN.
Although a free VPN might seem like an ideal solution at first, there are multiple consequences that could potentially put your online safety in jeopardy. Since free VPNs are not making money directly from their users, many make revenue indirectly, through advertising. This means that not only will you be bombarded with ads, but you’re also exposed to tracking and malware. In fact, one study of 283 free VPN providers found that 72% included trackers. Beyond the frustration of ads, slowness, and upgrade prompts is the fact that some free VPN tools include malware that can put your sensitive information at risk. The same study found that 38% of the free VPN applications in the Google Play Store were found to have malware and some even stole the data off of users’ devices, similar to SuperVPN.
If you choose a verified, paid VPN service, however, you’ll enjoy a plethora of benefits including unlimited bandwidth, speedy performance, protection across multiple devices, and much more. Aside from choosing a premium VPN service, following these tips will help you stay secure against SuperVPN and others like it and protect your daily online communications:
Delete SuperVPN from your device as soon as possible. There are at least six other apps like SuperVPN, with identical descriptions and logos from different creators on Google Play Store. Steer clear of downloading these apps altogether to avoid any cyber misfortune.
While some malicious apps do make it through the app store screening process, most attack downloads appear to stem from social media, fake ads, and other unofficial app sources. Before downloading an app to your device, do some quick research about the origin and developer.
Reviews and rankings are still a suitable method of determining whether an app is legitimate. However, watch out for assessments that reuse repetitive or straightforward phrases, as this could be a sign of a fraudulent review.
If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
A comprehensive security suite like McAfee Total Protection includes our McAfee® Safe Connect standalone VPN with auto-renewal and takes the worry out of connecting, so you can focus on what’s important to you.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Attention Android Users: This Free VPN App Leaked the Data of 21 Million Users appeared first on McAfee Blogs.
MITRE ATT&CK enterprise is a “knowledge base of adversarial techniques”. In a Security Operations Center (SOC) this resource is serving as a progressive framework for practitioners to make sense of the behaviors (techniques) leading to system intrusions on enterprise networks. This resource is centered at how SOC practitioners of all levels can craft purposeful defense strategies to assess the efficacy of their security investments against that knowledge base.
To enable practitioners in operationalizing these strategies, the knowledge base provides the “why” and the “what” with comprehensive documentation that includes the descriptions and relational mappings of the behaviors observed by the execution of malware, or even when those weapons were used by known adversaries in their targeting of different victims as reported by security vendors. It goes a step further by introducing the “how” in the form of adversary emulation plans which streamline both the design of threat-models and the necessary technical resources to test those models – i.e., emulating the behavior of the adversary
For scenarios where SOCs may not have the capacity to do this testing themselves, the MITRE Corporation conducts annual evaluations of security vendors and their products against a carefully crafted adversary emulation plan, and it publishes the results for public consumption. The evaluations can help SOC teams assess both strategy concerns and tactical effectiveness for their defensive needs as they explore market solutions.
This approach is transformative for cyber security, it provides an effective way to evolve from constraints of being solely dependent on IOC-centric or signature-driven defense models to now having a behavior-driven capability for SOCs to tailor their strategic objectives into realistic security outcomes measured through defensive efficacy goals. With a behavior-driven paradigm, the emphasis is on the value of visibility surrounding the events of a detection or prevention action taken by a security sensor – this effectively places context as the essential resource a defender must have available to pursue actionable outcomes.
I believe that to achieve meaningful security outcomes our products (defenses) must demonstrate how effective they are (efficacy) at enabling or preserving the security mission we are pursuing in our organizations. For example, to view efficacy in a SOC, let’s see it as a foundation of 5 dimensions:
| Detection | Gives SOC Analysts higher event actionability and alert handling efficiencies with a focus on most prevalent adversarial behaviors – i.e., let’s tackle the alert-fatigue constraint! |
| Prevention | Gives SOC Leaders/Sponsors confidence to show risk reduction with minimized impact/severity from incidents with credible concerns – e.g., ransomware or destructive threats. |
| Response | Gives SOC Responders a capacity to shorten the time between detection and activating the relevant response actions – i.e., knowing when and how to start containing, mitigating or eradicating. |
| Investigative | Gives SOC Managers a capability to improve quality and speed of investigations by correlating low signal clues for TIER 1 staff and streamlining escalation processes to limited but advanced resources. |
| Hunting | Enables SOC Hunters a capacity to rewind-the-clock as much as possible and expand the discovery across environments for high value indicators stemming from anomalous security events. |
Efficacy at the Security and Technical Leadership levels confirms how the portfolio investments are expected to yield the defensive posture of our security strategy, for example, compare your investments today to any of the following:
Strategy (Investment) |
Portfolio Focus |
Efficacy Goals |
|
Balanced Security |
Ability to:
Caveats:
|
|
Detection Focus |
Ability to:
Caveats:
|
|
Prevention Focus |
Ability to:
Caveats:
|
|
Response Focus |
Ability to:
Caveats:
|
MITRE ATT&CK matters as it introduces the practical sense-making SOC professionals need so they can discern attack chains versus security events through visibility of the most prevalent behaviors.
Consequently, it allows practitioners to overcome crucial limitations from the reliance on indicator-driven defense models that skew realistic efficacy goals, thereby maximizing the value of a security portfolio investment.
The post Why MITRE ATT&CK Matters? appeared first on McAfee Blogs.
In the eyes of hackers, scammers, and thieves, your online privacy and identity look like a giant jigsaw puzzle. One that they don’t need every piece to solve. They only need a few bits to do their dirty work, which means protecting every piece you put out there—a sort of holistic view on your personal security. One that protects you, not just your devices.
Here’s what’s at stake: we create and share loads of personal information simply by going about our day online, where each bit of information makes up a piece of that giant jigsaw puzzle. Some pieces directly identify us, like our tax returns, bank account information, or driver’s licenses. Other pieces of information indirectly identify us, like the IP addresses assigned to our computers, tablets, and phones—or device ID numbers, location information, and browsing history. And bad actors only need a few key pieces to do you harm, such as committing identity crime in your name or selling your personal information on sketchy websites or the dark web.
While people show great concern about their personal information, who has it and what’s done with it, our research shows that 70% of people feel like they have little or no control over the data that’s collected about them. However, you have plenty of ways that you can indeed take control—ways that can prevent, detect, and correct attacks on your privacy and identity. That’s where holistic protection comes in.
You can think of holistic protection as layers of shields that protect you and the devices you use. It gives you three layers in all—a Prevention Layer, Detection Layer, and a Correction Layer.
A holistic and comprehensive security solution like McAfee+ combines those three layers in a way that protects your personal information and keep your identity private, showing you how it does it along the way, so you can see exactly how safe you are. Let’s take a quick look of some of the protections you’ll find in each layer …
In the Prevention Layer, you’ll see:
In the Detection Layer, you have …
In the Correction Layer, several other protections have your back …
These are just a few examples of the protections in each layer. And you’ll find our most comprehensive holistic protection in McAfee+ Ultimate, covering your privacy, identity, and devices.
While your online privacy and identity may look a jigsaw puzzle, protecting it shouldn’t be as complicated. With a holistic security solution for your personal protection, you can minimize your exposure with layers of security that do much of the work for you.
Antivirus on your PC is not enough. It has not been enough for many decades now. And this becomes more evident as we continue to spend more time online, with the average person spending 6 hours and 54 minutes online each day, leaving clouds of personal information in their wake.
While standalone apps like a password manager, a VPN app, and an identity solution from different vendors can be piecemealed together with your device security, these are difficult to keep track of and burdensome to maintain.
We have combined the important tools you need into a seamless and comprehensive experience because good security software is something that you use daily to feel safer online. This is why we are working on your behalf to redefine security, so you can enjoy your connected life with confidence.
The post True Security Requires a Holistic Approach appeared first on McAfee Blog.
The connection between cybersecurity and poet Ralph Waldo Emerson is not directly evident, however he once said, “money often costs too much.”
This statement rings true across the financial services industry, as money is a key driver for cybercriminals acting with malicious intent. The always-on eye of Sauron on the financial services industry means there are greater implications to keep this industry safe as a top target – and to keep money where it belongs.
IT teams across these organizations have historically invested heavily in technology stacks to combat fraud and decrease the likelihood of an attack or breach, but attacks keep getting more sophisticated and frequent. This Sisyphean task of keeping up with modern-day breaches is complex, and protecting the money is costly, as Ralph’s quote woefully reminds us.
McAfee’s “Hidden Costs of Cybercrime” report supports this current state of the financial services industry, indicating that these organizations spend up to $3,000 per employee on cybersecurity. Another survey from the Financial Services Information Sharing and Analysis Center (FS-ISAC) found that, depending on company size, financial institutions spend between 6% and 14% of IT budgets for defense.
This spending shows no sign of stopping as organizations will always have the onus to protect data, employees, and their own bottom lines. As long as cybercriminals exist, the need for cybersecurity will be omnipresent. However, there is a major change the financial services industry can implement to manage threats faster with higher efficacy and become more proactive instead of reactive: Extended Detection and Response (XDR).
It’s been less than 10 years since JPMorgan Chase & Co. fell victim to the largest known cyberattack at the time – one that occurred two months after it had vowed to spend a quarter-billion dollars a year on cybersecurity. Due to the breach, they increased the planned spend to half a billion dollars, per Forbes. Similarly, Capital One Financial Corp. more recently agreed to pay an $80 million dollar fine, pledging also to increase its cybersecurity efforts as a result of a breach that disclosed more than 100 million customer records.
Both of these financial institutions present examples where XDR could have provided a benefit and perhaps thwarted these major breaches. With its ability to coordinate systems and processes as well as automatically aggregate threat analysis and remove manual hunting and analysis, XDR acts as a modern-day catalyst for security operations center (SOC) success. This combination of prevention, detection, analysis, and response across the SOC and enterprise allows for better decisions that are made faster.
Taking a closer look at the JPMorgan breach, it was only uncovered due to a routine and typical scan conducted by the SOC team. Hackers were able to infiltrate using custom malware and a previously unknown flaw, entering via a website owned by JPMorgan to then stealthily extract data over the course of months – all without being caught by SOC teams. This is not uncommon, as recent Ernst & Young research cited that only 26% of the SOCs polled identified a threat event.
XDR’s ability to control access across an organization’s entire infrastructure from a unified and coordinated interface, coupled with more interconnected visualization across the SOC, provides the context needed to look at cybersecurity in a holistic manner. This is critical given the erratic lateral movements of advanced threats. This means all vectors are protected together, from endpoint, network, and the cloud; therefore, providing better context and overall awareness of security posture across an entire organization.
This gift of proactivity empowering the SOC to act quicker cannot come at a better time as threat actors are still leveraging the upheaval COVID-19 wrought to take advantage of vulnerabilities created due to the pandemic. Not to mention, companies and employees are not clamoring to return to the office where endpoints are easier to track and manage.
The National Association for Business Economics found that only about 1 in 10 companies expect all employees to return to their pre-pandemic work arrangements. With employees apt to use personal devices, causing an ever-increasing endpoint explosion, hackers may again have an easy entry point to conduct crime. All industries are vulnerable, but the financial services industry remains forever-lucrative due to the monetary gains that could be achieved.
With an increase in virtual transactions and use of personal devices to conduct business, the industry is ripe for phishing attempts, malware, and ransomware attacks. Hackers are taking advantage of these surges, with McAfee and IC3 data indicating that business email compromise (BEC) scams have been increasing. This means, it may not take a zero-day approach or strategy from hackers to infiltrate if existing systems and solutions already prove insecure.
Cost is often a barrier to entry for many industries, but the financial services industry has shown it is committed to investing in cybersecurity, knowing it has the most to lose. There has been success across the industry due to this guarantee, but the breaches that do get thwarted do not make the headlines. Nonetheless, undetected breaches – and the reputation-damaging headlines that appear alongside them – lead to more information and data loss and disruption to business. For financial institutions seeking to eliminate the losses associated with cybercrime, XDR is worth exploring.
Want to learn more about McAfee’s investment in XDR and explore its approach? Check out McAfee MVISION XDR and schedule a check-up for your SOC.
The post More Money, Less Problems: XDR Investment Can Protect the Financial Services Industry appeared first on McAfee Blogs.
“It’s alive! It’s alive!”
Even if you haven’t seen the 1931 film Frankenstein, you are more than likely familiar with the story of the “monster” created by Victor Frankenstein. You may associate this cry from its titular character with the image of what Victor conjured finally opening its eyes and slowly lurching off the table.
While amusing and entertaining, this ongoing trope has a flaw that has tainted most of our memories. The fact is, in Mary Shelley’s classic 1818 novel of the same name, Victor does not excitedly exclaim when that first forward lurch occurs – but rather runs away and hides.
That’s right – fear was the first instinct met when a human, Victor, created and powered a non-human entity. While a work of fiction, was this our first brush with the concept of Artificial Intelligence (AI)? We don’t necessarily align the year 1818 in our minds as a technologically booming era. We have certainly come a long way from shipbuilding patents equaling the heights of technology to the technology that empowers life and business today.
So why are so many of us still fearful like Victor when it comes to AI? Especially since, in its earnest efforts, most AI technology today is designed to better processes, outcomes, and experiences – not to mention ensure greater security and control. We constantly see doom-and-gloom headlines asking whether AI will replace human jobs or touting added expenses associated with implementation. There’s even an entire Wikipedia page devoted to the notion of an “AI Takeover.”
But the truth is, AI – and machine learning – technology has gotten to the point today where it is more of an anomaly if a company or business does not implement it in some form. It is so commonplace that many of us don’t even know it is there. From smart assistants to progressing the healthcare industry at a time where it needs all the efficiencies it can afford, AI is everywhere and the security industry is no stranger when it comes to benefitting from its advances as well.
Our company looks at AI as an enhancement not a replacement. We know AI can improve experiences, create greater efficiencies, and solve complex problems – but at the same time are realistic. We know that humans alone cannot possibly address and respond to the sheer amount of threats businesses face today. But we also know that machines and technology do not currently have the creativity, wit, and wisdom that humans possess.
This is an important factor in the cybersecurity industry. This realism and notion that AI is an enhancement aligns with the concepts and origins of AI itself.
Most AI we see today can be categorized as strong AI, or AGI – artificial general intelligence, and weak AI. The latter means that humans are involved in some facet of programming the technology, whereas with strong AI, technology is able to use algorithms to process, inform, and make decisions independent of human interaction. What we don’t talk about as much is artificial superintelligence (ASI), where technology gains advanced cognitive abilities that can match – or even surpass – a human.
ASI can be ideal for many industries, but we’re not quite there yet. Since most AI today is still in the strong AI stage, AKA the enhancement phase where humans are still needed to process and define what technology currently cannot: emotion. Machines cannot currently replace thinking like a threat actor – imagining scenarios that only humans experience, intuition, motive, and brain power can conjure.
Therefore, we need humans and machines working together as a team. Machines are able to keep pace with the number of emerging threats and help security operation center analysts manage a tremendous amount of data and convert it into actionable intelligence. But human skill is needed to prioritize threats based on context, insight, and consciousness that machines don’t have.
It is increasingly important to remember this as we see adversarial AI on the rise and threat actors use AI to infiltrate AI-powered solutions. With this increase, speed of response is crucial, which is where we see AI have the most impact across the cybersecurity industry when coupled with human strategy to reduce potential damage done to an organization.
We are far from the point where AI needs to invoke fear, but we have a responsibility to know the shortcomings of current AI alongside its benefits.
This open-minded outlook is critical as AI in its truest form is about intelligence – and we can always add to and grow intelligence. The concept of always-on learning levels the playing field for both humans and machines. We’re the same in this aspect in that the possibilities are endless based on what we both can conjure and create based on education, learning, and knowledge.
The post AI Is Alive! But Not Without Our Help appeared first on McAfee Blogs.
In a recent episode of McAfee’s SOCwise Series, guest security expert Chris Crowley revealed findings of his recent survey of security efforts within SOCs. His questions were designed to gain insight into all things SOC, including how SOCs can accomplish their full potential and how they assess their ability to keep up with security technology.
Hosts Ismael Valenzuela and Michael Leland tapped into Chris’ security operations expertise as he told “A Tale of Two SOCs.”
“Chris has a tremendous experience in security operations,” Ismael said. “I always like people who have experience both in the offensive side and the defensive side. Think red, act blue, right? . . . but I think that’s very important for SOCs. Where does ‘A Tale of Two SOCs’ come from?”
In reference to the Charles Dickens’ classic, Chris explained how survey responses fell into two categories: SOCs that had management support or those that did not.
“It’s not just this idea of does management support us. It’s are we effectively aligned with the organization?” Chris said. “And I think that is manifest in the perception of management support of not management support, right? So, I think when people working in a SOC have the sense that they’re doing good things for the organization, their perceptions is that the management is supporting them.”
In this case, Chris explains “A Tale of Two SOCs” also relates to the compliance SOC versus the real security SOC.
“A lot of it has to do with what are the goals when management set up to fund the SOC, right? Maybe the compliance SOC versus the SOC that’s focused on the security outcomes on defending, right? There are some organizations that are funding for basic compliance,” Chris said. [If the] law says we have to do this, we’re doing that. We’re not really going to invest in your training and your understanding and your comprehension. We’re not going to hire really great analysts. We’re just going to buy the tools that we need to buy. We’re going to buy some people to look at monitors and that’s kind of the end of it.”
One of the easiest and telling methods of assessing where an SOC sees itself in this tale is having conversations with staff. Chris recommends asking staff if they feel aligned with management and do they feel empowered?
“If you feel like you’re being turned into a robot and you pick stuff from here and drop it over there, you’re probably in a place where management doesn’t really support you. Because they’re not using the human being’s capability of synthesis of information and that notion of driving consensus and making things work,” Chris said. “They’re looking more for people who are replaceable to put the bits in the bucket and move through.”
Chris shared other survey takeaways including how SOCs gauge their value, metrics and tools.
The survey included hypotheses designed to measure how organizations classify the value of a SOC:
“This showed that as SOC teams met the challenge of skilled staffing, they moved on to their next order of task: Let’s make the computers compute well,” Chris said.
Ismael asked about the tendency for some SOC management not to report any metrics, and those that simply reported number of incidents not reporting the right metrics. Chris reported that most people said they do provide metrics, but a still–surprising number of people said that they don’t provide metrics at all.
Here’s the breakdown of how respondents answered, “Do you provide metrics to your management?”
That roughly a third of respondents either do not report metrics or don’t know if they report metrics was telling to the survey’s author.
“In which case [metrics] obviously don’t have a central place of importance for your SOC,” Chris said.
Regarding the most frequently used metric – number of incidents – Chris speculated that several SOCs he surveyed are attempting to meet a metric goal of zero incidents, even if it means they’re likely not getting a true reading of their cyber security effectiveness.
“You’re allowed to have zero incidents in the environment. And if you consistently meet that then you’re consistently doing a great job,” Chris said. “Which is insane to me, right? Because we want to have the right number of incidents. If you actually have a cyber security problem … you should want to know about it, okay?
Among the group of respondents who said their most common metric is informational, the desired information from their “zero incidents” metrics doesn’t actually have much bearing on the performance or the value of what the SOC is doing.
“The metrics tend to be focused on what can we easily show as opposed to what truly depicts the value that the SOC has been providing for the org,” Chris said. “And at that point you have something you can show to get more funding and more support right over time.”
Chris suggests better use of metrics can truly depict the value that the SOC is providing the organization and justify the desired support it seeks.
“One which I like, which is not an easy metric to develop is actually loss prevention. If I can actually depict quantitatively, which it will not be precise, there will be some speculation in that,” Chris said. “But if I can depict quantitatively what the SOC did this month, or quarter where our efforts actually prevented or intervened in things which were going wrong and we stopped damage that’s loss prevention, right? That’s what the SOC is there for, right? If I just report, we had 13 incidents there’s not a lot of demonstration of value in that. And so always the metrics tend to be focused on what can we easily show as opposed to what truly depicts the value that the SOC has been providing for the org. “
Michael steered the discussion to the value discussion around incident metrics and their relationship with SOC capacity. How many incidents can you handle? Is it a tools issue or a people issue or a combination of both? Chris’ study also revealed a subset of tools that respondents more frequently leveraged and added value to delivery of higher capacity of incident closure.
One question on the survey asked, “Do you use it?
“Not whether you like it or not, but do you use it? And do you use it in a way where you have full coverage or partial coverage? Because another thing about technology, and this is kind of a dirty secret in technology applications, is a lot of people buy it but actually never get it deployed fully,” Chris said.
His survey allowed respondents to reveal their most-used technologies and to grade tools.
The most common used technologies reported in the survey were:
Tools receiving the most A grades:
Tools receiving the most F grades:
Chris pointed out that the reasoning behind the F grades may be less a case of failing and more a case of not meeting their full potential.
“Some of these are newer in this space and some of them just feel like they’re failures for people” Chris said. “Now, whether they’re technology failures or not this is what people are reporting that they don’t like in terms of the tech.”
For more findings read or download Chris Crowley’s 2020 survey here.
Watch this entire episode of SOCwise below.
The post SOCwise Series: A Tale of Two SOCs with Chris Crowley appeared first on McAfee Blogs.
Each year, MITRE Engenuity conducts independent evaluations of cybersecurity products to help government and industry make better decisions to combat security threats and improve industry’s threat detection capabilities. These evaluations are based on MITRE ATT&CK®, which is widely recognized as the de facto framework for tracking adversarial tactics and techniques. At McAfee we know that cybercriminals are always evolving their tradecraft, and we are committed to providing blue teams (cyber defenders) the capabilities needed to win the game. To do so, we believe in the importance of putting our security solutions through rigorous testing. To demonstrate our commitment, McAfee has participated in all MITRE Engenuity Enterprise Evaluations to date, including the previous round 1 (APT3 emulation) and round 2 (APT29 emulation).
Today, MITRE Engenuity released the results of the Carbanak and FIN7 evaluations (round 3) that were conducted over the last few months. McAfee participated in this evaluation, along with 28 other vendors, which tested the capabilities of their cybersecurity solutions, in what has been the most comprehensive ATT&CK Evaluation to date, covering 20 major steps and 174 sub-steps.
For the first time ever, MITRE Engenuity offered an optional extension to the detection evaluations to examine a vendor’s ability to protect against specific adversary techniques utilized by these groups. This was also the first time that the evaluations went beyond Windows systems and addressed techniques aimed at the Linux devices that are often used on networks as file servers or domain controllers.
While it’s important to note that the goal of these ATT&CK Evaluations is not to rank or score products, our analysis of the results found that McAfee’s blue team was able to use MVISION EDR, complemented by McAfee’s portfolio, to obtain a significant advantage over the adversary, achieving:
While prior emulated groups were more focused on espionage, the ATT&CK Evaluations team chose to emulate Carbanak and FIN7 due to the wide range of industries these groups target for financial gain. Both groups carry a firm reputation of using innovative tradecraft. Efficient espionage and stealth are at the forefront of their strategy, as they often rely heavily on scripting, obfuscation, “hiding in plain sight,” and fully exploiting the users behind the machine while pillaging an environment. They also leverage a unique spectrum of operational utilities, spanning both sophisticated malware as well as legitimate administration tools capable of interacting with various platforms.
The ATT&CK Evaluation was conducted over a total of 4 days, including the protection testing. On each day a different version of the attack comprised of 10 steps was executed. On Day 1, MITRE Engenuity emulated an attack carried out by the Carbanak group to a financial institution that starts with the breach of the HR Manager’s workstation, and includes elevation of privileges, credential theft, lateral movement to the CFO’s system, collection of sensitive data on both Windows and Linux systems, and the spoofing of money transfers. On Day 2, MITRE Engenuity emulated an attack carried out by the FIN7 group against a hotel, involving the breach of the hotel manager’s system, persistence, credential theft, discovery, lateral movement to an accounting system and the skim of customer payment data.
The McAfee blue team successfully defended against these two advanced adversaries, demonstrating the power of the McAfee portfolio, including MVISION EDR, complemented by MVISION Endpoint Security (ENS), Advanced Threat Detection (ATD), Network Security Platform (NSP), Data Loss Prevention (DLP), and Enterprise Security Manager (ESM). These products were configured following MITRE Engenuity’s standards:
During these 4 days of extensive purple teaming, McAfee demonstrated that its portfolio provides solid cyber defense across the top 5 capabilities that matter the most to any security operations team: time-based security, alert actionability, detection in depth, protection, and visibility.
Time-Based Security (TBS) is one of the most relevant, effective, and simple security models a defender can apply. It provides a mechanism to determine if a blue teamer would have the necessary, timely, and actionable information to effectively defend against adversarial attacks.
Using the results of the ATT&CK Evaluation, we modeled the data following an attack timeline, grouping the techniques executed by the ATT&CK red team for Days 1 (Carbanak) and 2 (FIN7) into each of the steps (attack milestones) they employed. To represent the data for each evaluation day, we list the detection categories used by MITRE Engenuity. As Figures 1 and 2 show, during the evaluation, McAfee provided the maximum level of visibility, detection and context for every major step in the attack. An analyst that used McAfee’s products would have received a correlated and enriched threat alert for each of the steps of these advanced attacks, including references to MITRE Engenuity’s ATT&CK framework and pivoting points to enriched telemetry, enabling faster detection, investigation and reaction, and therefore resulting in reduced exposure.
Figure 1. Time Based Security for Carbanak (Day 1)
Figure 2. Time Based Security for FIN7 (Day 2)
To be successful as a defender, it is essential to react in the fastest possible way, raising an alarm as early as possible on the attack chain, while correlating, aggregating and summarizing all subsequent activity to preserve actionability. McAfee’s MVISION EDR preserved actionability and reduced alert fatigue during the evaluation providing context and enrichment, resulting in a ratio of 62%1 analytic detections (non-telemetry detections) out of the 274-total count of detections. This was possible due to McAfee’s strong correlation and having all telemetry tagged and labeled as close to the source as possible.
Effective attack technique detection requires certain vantage points. Additional perspective improves context, correlation, and subsequently fidelity. Having diverse data sources for every technique enables coverage quantity and quality.
McAfee demonstrated coverage across a dozen of different data sources during the evaluation with 72% of detections utilizing two or more data sources.
Figure 3. McAfee data source diversity across 274 detections
For the first time in an ATT&CK Evaluation, MITRE Engenuity exercised 10 protection scenarios; a subset of the attack sequences used during the detection assessment. McAfee demonstrated its superior protection efficacy by successfully disrupting all 10 attacks, early in the chain, before any impact occurred. Before the disruption, high context detections and telemetry was produced to alert the analyst.
Figure 4. 100% blocking at every protection test
Many organizations live in an alert driven world where there is not enough data to support key security operations activities, including investigations or threat hunting. During the Carbanak+FIN7 evaluation, McAfee provided visibility across all major steps of the attack, and 87% visibility of the total count of sub-steps across both days. It is worth noting that the remaining 13% does not necessarily represent blind spots, but rather that the minimum criteria selected by MITRE Engenuity was not met, according to the evaluation rules. For example, more visibility was obtained through the automated detonation of samples in our ATD sandbox, which provides additional data context to security analysts during a real attack.
At McAfee, we know how security operations work, and that’s why we designed our detection and response platform with ‘Human Machine Teaming’ in mind. For this latest round of the MITRE Engenuity ATT&CK Evaluation, our Threat Detection Engineering and Applied Countermeasures (AC3) team have delivered 85% more visibility and over 22% more analytic detections than in the previous APT29 evaluation.
During this evaluation, we demonstrated that McAfee delivers best-balanced defense across the top 5 capabilities that matter the most to any security operations team: time-based security, alert actionability, detection in depth, protection, and visibility. Our McAfee detection and response platform offered enhanced meaningful context across the entire attack chain, allowing cyber defenders to disrupt attacks early, before damage occurs.
Stay tuned for upcoming details on how each of these security capabilities played a key role in the Carbanak+FIN7 evaluation as part of our ATT&CK Evaluation blog series.
MITRE ATT&CK and ATT&CK are registered trademarks of the MITRE Corporation.
The post McAfee Provides Max Cyber Defense Capabilities in MITRE’s Carbanak+FIN7 ATT&CK® Evaluation appeared first on McAfee Blogs.
In the working world, there’s a chance you’ve come across your fair share of team-building exercises and workshops. There’s one exercise that comes to mind that often results in worried, and uneasy faces during these seminars: The Trust Fall. This is where you fall backward with the expectation that your colleague will catch you before you hit the ground.
Whether you have been with an organization for many years or just started, the same “pit in stomach” feeling reverberates across bellies as people exchange nervous glances and weigh their odds against whomever they may be paired up with when The Trust Fall is announced. That feeling is doubt, and it isn’t fun. And the problem is, once doubt is introduced, it tends to stealthily expand in its always-on, silent, and transparent ways, either serving as an incessant top-of-mind presence or staying at bay only to rear its troubling head at an unexpected moment until it is addressed.
“I saw Chris drop his stapler once, will he drop me?” “I know Betsy is the Godmother to my children, but what if she sneezes as I’m falling?” “I just started at this company yesterday, I don’t trust anybody I don’t know!”
If you’re wondering what Trust Falls have to do with cybersecurity, we just need to take a deeper look at the concept of trust in its simplest definition. Trust is a concrete concept: it is either there or it is not. Trusting your colleagues is based on multiple parameters; will they be strong enough to catch me, do they look mature enough to take this seriously, how did they behave when the game was announced – trust is not easily won and can also be quickly lost.
This is a necessity in today’s enterprises as computing has moved from private data centers to most everything consumed as a service. There are endless choices to compare, contrast, and comprise a technology stack, but when organizations start leveraging outside infrastructure, tools, and solutions – the sense of trust in these solutions weakens, since integrity can be promised, but should never be assumed.
Examples of this are abundant. As we see organizations explore the concept of trust more and attempt to align practices with the reality of today’s security circumstances, we are seeing an increasing number of trust models being exploited via poor management. Intent and implementation are not enough against today’s threats.
So, my question to security operation center (SOC) staff, IT leaders, and the c-suite is: Do you have complete trust in your current security infrastructure?
In all honesty, can you with no doubt in your mind, say your organization’s data and computing are secure? Is there any area you are unsure about?
If you hesitated when responding, even if for just a moment, keep reading.
Putting guards up, constantly looking over your shoulder, always expecting the worst or for the other shoe to drop – these are not desirable feelings. As a security professional, these are the feelings that cause them to stock up on antacids, with them knowing they are the front-line defense keeping an organization secure and in turn, revenue flowing. For the CIO and CISO, the onus is daunting as they face the challenge to piece together fragmented and disparate infrastructure from a strategic standpoint to best serve the business in an efficient, transparent manner all while simultaneously maintaining compliance and data integrity.
While we want to believe that trust is an intrinsic trait – that we’re born bright-eyed and bushy-tailed ready to spout only the truth – we also unfortunately know the reality is not everybody has good intentions. We constantly see this unfold across the security industry where a company is breached, recognizing the flaw(s) that allowed the breach to occur, to then implement a solution to fix the issue. This break-fix cycle can result in always looking backwards and rushing around to fix yesterday’s problem to quickly get business functions up and running without looking at underlying problems or issues.
And no industry is immune. Hackers are coming after everything from Happy Hours and breakfast routines to our more personal and high-stakes data across the financial services and healthcare industries. They’re more strategic too, and we can only expect them to continue to evolve. Adversaries today are looking for “low-hanging fruit” targets to take advantage of trust models and move laterally within an organization – first finding an avenue to exploit and enter to later gain access to higher-value targets, data, and assets.
The rush to get business–as–usual back on track is made doubly difficult as business momentum doesn’t stop. Organizations are introducing new SaaS services, development teams are writing new code, and even software that you have already reviewed has new features rolled out. The wealth of personal and corporate cloud apps can lead to hasty decisions; increased sprawl of an organization’s tech stack as new tools and solutions are introduced; as well as new policies, updates, and procedures for staff to learn and execute. This can all compound into more time spent addressing and fixing the past with blinders on to the future and other vulnerabilities that may exist.
If this past pandemic-filled year has taught us anything, it is that plans do not always go according to plan.
Organizations that have traditionally leveraged a more piecemeal and solutions-based approach to security were blindsided as the work from home era was thrust upon them. From companies updating or adopting collaboration tools, sharing more data digitally, and opening access to external users to create greater efficiencies – the rule book was thrown out the window and malicious actors started looking at all the data being produced and shared like kids in a candy store.
The impact of these plans gone awry isn’t pretty and perhaps risk could have been mitigated by using a least or earned trust model as a strategic framework to ensure sound security posture. The ‘Zero Trust’ concept coined more than a decade ago outlining a model of restricting access and control across an organization’s infrastructure is only now getting increased attention.
The harsh reality is, cybercrime is up 300% since the pandemic began, according to the FBI’s Internet Crime Complaint Center (IC3). At a time when bottom lines are more important than ever as businesses bounce back, our Hidden Cost of Cybercrime report adds that 35% of those surveyed said security incidents resulting in system downtime cost them between $100,000 and $500,000.
The correlation of a pandemic occurring and malicious actors taking advantage of weaknesses caused by it is crystal clear, leading to increased awareness. In its Responding to COVID-19: What We are Hearing From Legal and Compliance Leaders report, Gartner states that 52% of legal and compliance leaders are concerned about third-party cybersecurity risks since COVID-191. Knowing that the increased number of remote workers and their mobile (and potentially unmanaged) endpoints are leading to more breaches and that these breaches are increasingly costly, organizations need to get a handle on their existing architecture and shift from awareness to action, eliminating assumptions of who is safe or allowed access.
A Zero Trust mentality allows organizations to restrict and compartmentalize access and data manipulation while still maintaining optimal user experience and productivity levels. Guidelines such as those from the National Institute of Standards & Technology (NIST) can provide a practical framework to explore and implement Zero Trust.
With hackers getting more sophisticated to impersonate and infiltrate networks via verified users, it is time to go back to the drawing board – starting at zero and assuming everything is a threat until proven otherwise. This is a mindset shift and strategy, not another tool or solution to plug in. It involves a recognition of the importance of context and control over security posture, which can only be attained with continuous assessment. It is also about acknowledging trust is about risk – and that while risk is sometimes necessary for growth, it cannot outweigh the reward, so must be strategically managed. This line of thinking must be carefully navigated as more and more enterprises seek to define and assign accountability and responsibility across infrastructure.
While the journey to Zero Trust isn’t the same for every organization, the imperative to adopt Zero Trust is, given our collective experiences throughout the last year and cybercrime poised to keep increasing. It is time to stop looking over shoulders and anticipating the worst, acting only in a reactive manner, and instead feel empowered to erase doubt when maintaining security and compliance across an organization.
To learn more and start the journey toward implementing a Zero Trust strategy, I encourage you explore McAfee’ Zero Trust Security hub.
Source: 1 Gartner Press Release, Gartner Says 52% of Legal & Compliance Leaders Are Concerned About Third-Party Cybersecurity Risk Since COVID-19, April 24, 2020. https://www.gartner.com/en/newsroom/press-releases/2020-04-24-gartner-says-52-percent-of-legal-and-compliance-leaders-are-concerned-about-third-party-cybersecurity-risk-rince-covid-19 (URL can be added as a hyperlink in source title)
The post Trust Nobody, Not Even Yourself: Time to Take Zero Trust Seriously appeared first on McAfee Blogs.
Since ransomware’s introduction in 1989 in the form of the AIDS Trojan, also known as PS Cyborg, distributed on diskettes, ransomware has continually increased and evolved into a heinous threat to our national security, public safety, and to our economic and public health. With ransoms paid in 2020 reaching more than $300+ million, it has become a disruptive economic leach on the resources of its victims. Local governments, educational organizations, hospitals, critical infrastructure services, businesses and organizations of all sizes have had to decide what to do when presented with a ransomware demand. These activities are highly disruptive, causing far more costs to the victims than just the cost of the ransom.
Ransomware is highly profitable. Today malicious actors are organized and coordinate their operations. We are seeing Ransomware as a Service (RaaS) businesses making it easy for those without the skills or infrastructure to threaten us as well. The scourge of ransomware must be addressed.
The Institute for Security and Technology (IST) stood up and initiated the Ransomware Task Force (RTF) late last year to address ransomware in a more wholistic fashion. In partnership with a broad coalition of 60+ experts from cybersecurity vendors, financial services, governments, law enforcement, non-profits, and international organizations, the RTF developed and released Combating Ransomware: A Comprehensive Framework for Action.
As you might expect, there were some very tough conversations during the development of the recommendations. For example, prohibiting / outlawing ransomware payments was one area of contention. There are valid reasons to want to prohibit payments. No one wants their corporate funds or governmental tax dollars going to pay for other forms of cybercrime or elicit nation state activities. Sadly, the state of cybersecurity maturity, in the U.S. alone, is not ready for such a step. Consensus was reached that we are really not ready to play that game of chicken.
Ransomware is a global problem and while many of the recommendations in the framework for action are directed at specific U.S. government bodies, it is important our international partners map the recommendations onto their specific governmental structures. Throughout the report it is clear the recommendations are global in nature and that coordinated, international diplomatic and law enforcement efforts are critical. There are 48 recommendations as a part of the report. Most of the recommendations are not technical but rather legal, economic, and diplomatic tools.
It is heartening to see the level of activity focused on addressing ransomware in the new administration. The Department of Justice is standing up a new task force dedicated to dealing with ransomware. The Department of Homeland Security (DHS) recently formed a ransomware task force and launched a 60-day sprint. Participating in the RTF Launch event, DHS Secretary Alejandro Mayorkas said the IST RTF report will help guide a whole-of-government approach to the problem. He also stated the White House is developing a plan to combat ransomware.
While all these efforts are welcomed, my hope is that the great work of the IST RTF described in Combating Ransomware: A Comprehensive Framework for Action is used as a foundation to feed these and future efforts so we can see real progress in the actionable outcomes we all desire.
I’d like to thank IST CEO Philip Reiner and his outstanding team for allowing me to participate as a member of the RTF. To all my fellow RTF members, I hope to work with each of you again.
The post Ransomware Task Force Releases its Comprehensive Framework for Action appeared first on McAfee Blogs.
Of all the pastimes that took off during the pandemic, it’s not surprising that online gaming was one of them. After all, gaming offers excitement, new experiences, and social interaction, all from the comfort of home. It’s no wonder then that the gaming industry saw a 20% increase in revenue in 2020, as new and previously-retired gamers returned to this pastime.
But while the gaming industry was finding a lot of new allies, the players themselves faced growing exposure to malware and threats. Our 2020 Mobile Threat Report found that gamers are being targeted with phishing attacks and malicious apps, aimed at stealing usernames and passwords. With this information, hackers could potentially steal hard-earned in-game collectibles, as well as real-world money and personal information. And PC gamers face similar threats, from viruses and spyware to network attacks that could potentially put their personal information and property at risk.
While 75% of gamers surveyed worry about their security while gaming in the future, some worry they’ll have to compromise performance to be protected. That’s why McAfee® Gamer Security offers robust protection to PC gamers with one of the lowest impacts on system performance in the industry.
To protect the growing number of gamers against increasing threats, we are offering one free year of McAfee Gamer Security for one gaming PC to multi-device McAfee ® Total Protection and McAfee® Live Safe users in the U.S. This powerful software was built from the ground up to address the challenges gamers face, with speedy performance, system optimization, uninterrupted gaming, and no pop-up apps.
But don’t just take it from me. This is what one of our users have to say: “I believe [McAfee Gamer Security] had a positive impact … because it increased the speed of my game as well as gave me peace of mind that I was protected during my gameplay.”
We know that gamers are some of the most tech-savvy and connected users out there, so it’s important that we meet them where they are by giving them the performance and security they need to play at full throttle. After all, many users are seeking stress relief through gaming, not the extra worry over their online security.
With McAfee Gamer Security we made security for players more fun, by including a gamer-centric interface that was inspired by familiar apps like game launchers — you can check the current status of your system and key resources that impact in-game performance, like GPU, CPU, and memory, as well as perform real-time optimization. And of course, we’ve also included monitoring for your all-important FPS (frames per second). You can even access past performance data to better understand your game-by-game trends.
Let’s keep the excitement of gaming while adding the extra confidence of knowing that your digital life is protected. Whether you are new to McAfee or already enjoying our personal protection, you can download McAfee Gamer Security for free in under one minute with a qualifying subscription! In our mission to provide users with personal protection, we are welcoming PC gamers with open arms.
The post PC Gamers (and Parents of Gamers) Rejoice! appeared first on McAfee Blogs.
Music is lovely, isn’t it?
It has the ability to brighten days with upbeat bars or provide a comfortable place of solace and reflection via gentle, soothing notes. Whether you typically opt for Black Sabbath, Shakira, or Bob Marley, music meets our ears in many different ways – and harmony is not always one-size-fits-all. We recognize this when a friend, sibling, partner, or stranger earnestly (yet tonelessly) attempts to mimic Mariah Carey’s five-octave range, resulting in room-clearing screeches that can only be found in a nature documentary.
While I’m not a Grammy-winning artist myself, my point is that harmony is relatable and relevant across any industry, method, measure, or format – even security. Trends and messaging have increasingly pointed to the consolidation of everything across Security Operations Centers (SOC) so they can act in a harmonious manner, not missing a beat to provide protection across the entire enterprise. We’ve seen this as conversations shift from endpoint detection and response (EDR) to extended detection and response (XDR), with the latter promising lower total cost of ownership as well as improved protection and productivity. Who wouldn’t want this!
But the truth is, it isn’t lack of desire for full protection in the most cost-effective and efficient manner, but lack of knowledge or perceived roadblocks. Enterprises across the world have been affected by the global pandemic, uprooting familiar processes. Companies were forced to introduce quick, sometimes temporary solutions for larger systemic issues all without 100 percent certainty where endpoints may lie and what damage this vulnerability presents, especially as bad actors extort the chaos created by COVID-19 to double down on attacks.
This upheaval has started to settle down and enterprises now have more time and energy to audit their businesses and processes with fresh eyes. It isn’t a matter of the pandemic, with hope, nearing its end, to just re-plug in an existing solution stack – but rather looking at how the business has changed and adapting to these changes for now and into the future. This includes changes across staff, solutions, shifting skillsets to manage increased workloads, and yes – increased, and perhaps hasty, consolidation attempts.
According to Enterprise Strategy Group, more than 80 percent of organizations are singing the tune of change with plans to increase spending on threat detection and response. They are hearing the melodious mandate to meet the needs of today’s “new-normal-digitally transformed-modern” enterprise. For many, this means an investment in extended detection and response (XDR) technology.
Enterprises are already feeling the pressure. They have their bottom lines trapped on repeat, looping in their minds. They are seeking counsel, support, and direction – not to be chastised by their choices – but rather guided to create and implement strategies that best fit their business.
That being said, the potential for XDR is tremendous. But you have to crawl before you can walk. I’m sure many of us may feel silly, or even stupid, thinking back to when we carried Walkman and Discmans, clunkily fumbling for them in our pockets or purses, forever tethered to the device if you wanted to listen to music. But at the same time, we recognize the progression from Walkman to iPod to iPhone to Bluetooth and voice-activated technology, and more. The Discman and Walkman crawled so digitized music could walk.
This natural progression is no different in the security industry, and the onus is on vendors to make this connection. Enterprises, after all, are not still storing floppy disks locked in a filing cabinet as a security measure. While XDR is the latest technology, the journey to XDR includes the fundamental need of endpoint detection and response (EDR) capabilities. EDR is a foundational piece in getting XDR right – or put another way, XDR is an efficient evolution of EDR platforms. EDR crawled so XDR could walk. XDR will walk so the next technology can fly.
This is what true innovation is, the constant desire to advance processes, products, and experiences. It is what XDR promises, to improve and streamline processes across enterprise SOCs, providing meaningful context, actionable intelligence, and the visibility and control necessary to connect solutions that orchestrate together in symphonic harmony.
In fact, from a philharmonic standpoint, symphonies by definition are made up of different types of instruments (endpoints) generating music (data) where each requires incredibly specific methods of tuning and expertise by musicians (SOC analysts) in order to ensure they can be harmonious with the group. Musicians are not born with their skillset, but rather they test and learn – and fail – trying to see which instrument is the best fit for them, which notes they can hit, and which notes are best suited for another instrument or musician to manage.
We must be the conductor and connecting point here to show the true benefits and value of XDR. While the journey is different for every enterprise (and vendor), the end goal is a protected society where good prevails over bad. It is our job to guide these choices and take responsibility regardless of where an enterprise is at in their journey – to show how innovation builds on itself, always striving to better experiences and outcomes.
Where are you in the journey to XDR? Check out the on-demand webinar below and start asking questions.
The post Stupid Is as Stupid Does: XDR Is About the Journey, Not the Destination appeared first on McAfee Blogs.
Bottom Line: McAfee stopped the MITRE ATT&CK Evaluation Carbanak and FIN7 threats in their tracks within the first 15% of the major steps of the attack chain (on average), delivering on a critical security operations center (SOC) strategy: Stop the attack as early as possible.
In April 2021, MITRE Engenuity released the results of the Carbanak and FIN7 evaluations that leveraged Tactics, Techniques, and Procedures (TTP’s) from the MITRE ATT&CK framework. McAfee and 28 other vendors tested the capabilities of our cybersecurity solutions across a wide range of attack vectors. These multi-stage simulated attacks leveraged a full range of known TTPs to execute the Carbanak and FIN7 attack campaigns.
The Carbanak attack requires stealth and time. Threat actors count on operating undetected inside your infrastructure long enough to penetrate and own your crown jewel assets and information. They methodically step through complex custom TTPs to achieve their objectives. The sooner an attack can be detected and stopped, the lower the risk of a successful breach, damage to assets, and exfiltration of critical information.
McAfee displayed superior protection by blocking 100% across all 10 tests. On the other hand, several endpoint security providers failed to detect and block all threats. CrowdStrike, for example, was unable to block 30% of protection tests.
Additionally, McAfee was able to block the attacks within the first 15% of attack steps on average across all tests. On the other hand, CrowdStrike allowed 50% of the attack chain steps on average to execute before blocking. The earlier in the attack chain that a threat is detected, the more likely it will be shut down before it causes damage.
McAfee combines data and telemetry with comprehensive analytics-based detections that accelerate the pivot to defensive execution. This Time-Based Security metric determines if a blue team will have meaningful, timely, and actionable information. McAfee scores well on this metric by including specific references to MITRE Engenuity’s ATT&CK framework with centralized incident pivots to enriched telemetry, enabling faster detection, investigation, and reaction, and therefore lower exposure. Prioritizing Time-Based Security* (TBS) contributes to McAfee’s ability to block early and mitigate further damage. McAfee significantly outperformed CrowdStrike on the dimension of Time-Based Security.
How did McAfee achieve this success in the evaluation and against such a sophisticated threat?
Core to McAfee’s success is the alignment of products and capabilities around the ability to “shift left” in the attack cycle. Shifting left, or engaging as early as possible in the kill chain timeline, allows defenders to detect and stop an attack, minimize risk, and achieve these results at the lowest cost.
For scenarios where threats are not blocked, McAfee provides extensive and actionable alerting and intelligence to ensure that responses and remediations are timely. In the case of the MITRE Carbanak+FIN7 testing, McAfee demonstrated clear superiority over CrowdStrike in terms of Alert Actionability*.
(For more information on Time-based Security and Alert Actionability, please review the following blog: SOC vs MITRE APT29 evaluation – Racing with Cozy Bear | McAfee Blogs)
Sophisticated adversaries surround us, and MITRE ATT&CK evaluations emulated their techniques and procedures. It’s time to let your teams know that with the right tools from McAfee and Shift Left best practices, intelligent defenders will prevail.
Sneaky attackers traverse infrastructures and assets opportunistically and unpredictably. The complexity and variability in the attack chains associated with these threat actors make threats challenging to identify. McAfee will continue to evolve extended detection and response capabilities that go beyond the endpoint. The integration of these capabilities with solutions such as McAfee’s MVISION XDR enables the security operations team to benefit from unified visibility and control across the hybrid enterprise: endpoints, network, and the cloud.
Most important is the integration of the ecosystem to fight and defeat attackers. McAfee MVISION XDR orchestrates both McAfee and non-McAfee security assets to deliver actionable cyber threat management and support both guided and automated investigations.
As illustrated by the recent MITRE Carbanak+FIN7 protection tests, the industry recognizes the value of proactive capabilities to detect and block early, reducing reactive cyber defense efforts and damage. This dynamic enables your team to stop these sophisticated attacks earlier and more effectively. McAfee empowers your security operations teams to achieve faster and more effective results.
To find out more about the MITRE ATT&CK Evaluation results, please reach out to sales@mcafee.com.
* These critical capabilities are defined by McAfee algorithms designed to maximize value to SOC and XDR needs. Please see this McAfee MITRE blog for details on these algorithms
Assessments of performance are McAfee’s and not those of MITRE Engenuity.
MITRE Engenuity ATT&CK Evaluations are paid for by vendors and are intended to help vendors and end-users better understand a product’s capabilities in relation to MITRE’s publicly accessible ATT&CKⓇ framework. MITRE developed and maintains the ATT&CK knowledge base, which is based on real word reporting of adversary tactics and techniques. ATT&CK is freely available and is widely used by defenders in industry and government to find gaps in visibility, defensive tools, and processes as they evaluate and select options to improve their network defense. MITRE Engenuity makes the methodology and resulting data publicly available so other organizations may benefit and conduct their own analysis and interpretation. The evaluations do not provide rankings or endorsements.
The post McAfee Proactive Security Proves Effective in Recent MITRE ATT&CK™ appeared first on McAfee Blogs.
Cybercriminals are currently enjoying a golden age, with the volume and severity of attacks growing constantly, and an ability to commit hostile acts with impunity. The EU, in its overhaul of cybersecurity laws dubbed NIS2, is committed to ensuring that what’s illegal offline should also be illegal online. For that to happen, cybersecurity researchers need to have access to all the tools possible to detect, trace and prevent crime online, including access to the Internet’s yellow pages, also known as the WHOIS search.
Cyberthreat research is both an arts and science discipline. Our experts and software detection analysis in the ATR group sift through an enormous amount of data, from a broad range of sources, to detect the signs of a past, ongoing or future cyberattack. Each source of data that is out of reach is one tool less with which to keep up with cybercriminals. Access to the full set of WHOIS data, or lack thereof, is not going to make or break the future of cyber threat research. But it would give criminals an advantage, which is at odds with the core objective of the EU’s cybersecurity review.
The WHOIS search originally contained all the data of a person registering a website, including the contact details of the person responsible for the website. This information is crucial in the event a legitimate website comes under attack from malicious actors
But by continually scanning the registration data, cyber researchers can also pick up patterns that are indicative of malicious activity, such as preparing a botnet or priming a large number of websites ahead of a denial-of-service (DDOS) attack.
Using WHOIS data is particularly useful in preventing future cyber-incidents. Looking at data that indicates that a website or collection of websites are being rigged for a cyberattack can help stop the attack in its cradle. This data can also help cybersecurity researchers minimise the risk of false positives, where the contact data is consistent with a legitimate user, which will minimise the potential disruption for companies and people that have done nothing wrong but whose websites may have been flagged as suspicious.
This data was put out of reach after the EU’s GDPR law came into force, with the unfortunate and clearly unintended consequence of depriving cybersecurity researchers, law enforcement agencies and others from an important pool of data used to fight and prevent cybercrime.
With the review of the EU’s cybersecurity law, NIS2, we have a chance to set things right, by providing a legal basis to access personal data such as the contact details in the WHOIS, for the purpose of fighting crime online, without undermining the important privacy protections introduced in the GDPR. It is now up to lawmakers to ensure that this provision remains intact, as they consider whether to introduce amendments to the cybersecurity legislation text.
The post Defending Cybersecurity Can’t Be Done Blindfolded–The EU’s NIS2 Review Can Set This Right appeared first on McAfee Blogs.
When gyms were forced to close last year, you likely looked for other ways to get some exercise and stay active during quarantine. From investing in a few pairs of dumbbells or perhaps downloading an app or two to help you track your workouts, you found alternatives to help you break a sweat. As an accessible, easy way to release endorphins, running quickly grew in popularity along with the platforms that help runners stay accountable. According to Runner’s World, there was a 34% uptick in outdoor miles logged by common fitness apps between March and September 2020 compared to the same stretch in 2019. But are these tools potentially endangering your privacy?
According to TechCrunch, running apps could potentially threaten your security if the data they collect ends up in the wrong hands. Let’s explore the functionalities of these apps and how they could pose a threat to your online safety.
Running apps are solid companions for advanced and amateur runners alike, allowing you to track the length of your run and set a pace for yourself. These apps learn a lot about you the more you use them by gathering health data like your height and weight and even your location. But similar to the threats that exist when you overshare on other online platforms, this data could pose a serious threat to your privacy. For example, location data could identify where you live or where you work – information that you definitely wouldn’t want in the hands of a stranger. If a cybercriminal is able to hack into your account, they could exploit this information to commit identity theft or craft a phishing email disguised as your employer.
Additionally, many of these apps lack basic security measures to prevent hackers from breaking into accounts or from health and fitness data from spilling out. For example, many popular running apps allow the most basic passwords like “qwerty” and “password.” Oftentimes, hackers automate their attacks by targeting accounts with easy-to-crack passwords like the ones mentioned. This allows them to exploit the most accounts with as little effort as possible. Furthermore, these apps do not have the option to set up two-factor authentication, which creates an additional barrier to prevent hackers from exploiting reused passwords.
No matter where you are in your fitness journey, it is essential to take the necessary precautions to minimize the risks of the platforms you use to hold yourself accountable – running apps included. If you are looking to hit your stride while keeping security and privacy top of mind, follow these tips:
Your password is your first line of defense, so it is important that you use one that is strong and unique to your other account credentials. If a hacker does manage to guess your password for one of your online accounts, it is likely they will check for repeat credentials across multiple sites. By using different passwords or passphrases, you can feel slightly more at ease knowing that the majority of your data is secure if one of your accounts becomes vulnerable.
You can also use a password manager to help you create strong passwords, remove the hassle of remembering numerous passwords, and log on to websites automatically.
Some running apps are configured to publicly share user data by default. After you download an app, spend some time researching how to change these settings so your data is not shared with strangers without your permission.
If your running app of choice does undergo any security updates, make sure that they are installed as soon as possible. Developers actively work to identify and address security issues. Frequently update your operating systems and apps so that they have the latest fixes and security protections. The easiest way to do this is to enable automatic software updates on your mobile device.
Next time you go for a run with your location services on, think again about what risks this poses to your virtual security and your physical safety. Enhance your security by only enabling the features that are necessary to optimize your fitness performance. This will help prevent hackers from using your location as a vehicle to invade your privacy.
Since the data collected on running apps involves sensitive health and location information, it is worth reviewing the privacy policies for all of the fitness platforms you regularly use to see how your data might be affected. To ensure that you can keep moving toward your fitness goals while protecting your online safety, stay educated on the tools you use to track your progress and implement the necessary security measure to do so with security in mind.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post How to Remain Secure While Using Running Apps appeared first on McAfee Blogs.
SOCwise Weighs In
When the infamous Carbanak cyberattack rattled an East European bank three years ago this month few would have guessed it would later play a starring role in the MITRE Engenuity enterprise evaluations of cybersecurity products from ourselves and 28 other vendors. We recently shared the results of this extensive testing and in a SOCwise discussion we turn to our SOCwise experts for insights into what this unprecedented exercise may mean for SOC teams assessing both strategy concerns and their tactical effectiveness.
Carbanak is a clever opponent known for innovative attacks on banks. FIN7 uses the similar malware and strategy of effective espionage and stealth to target U.S. retail, restaurant and hospitality sectors, according to MITRE Engenuity, and both were highlighted in this emulation. These notorious actors have reportedly stolen more than $1 billion worldwide over the past five years. An annual event, the four-day ATT&CK Evaluation spanned 20 major steps and 174 sub-steps of the MITRE framework.
The first thing to realize about this exercise is few enterprises could ever hope to match its scope. What do you get when you match up red and blue teams? “I have not been through an exercise like that in an organization with both the red team and blue teams operationally trying to determine what their strengths and weaknesses are,” said Colby Burkett, McAfee XDR architect, a participant in the event, on our recent SOCwise episode. “And that was fantastic.”
A lot of SOC teams conduct vulnerability assessments and penetration testing, but never emulate these types of behaviors, noted Ismael Valenzuela, McAfee’s Sr. Principal Engineer and co-host of SOCwise. And, he adds that many organizations lack the resources and skills to do purple-teaming exercises.
While our SOCwise team raved about the value of conducting broad scale purple-team exercises, they expressed concern that the emphasis on “visibility” is no more valuable than “actionability.” McAfee, which scored 87% on visibility, one of the industry’s best, turned in a remarkable 100% on prevention in the MITRE Engenuity evaluations.
When we think about visibility, we think about how much useful information we can provide to SOC analysts when an attack is underway. There may be a tsunami of attack data entering SOCs, but it’s only actionable when the data that’s presented to analysts is relevant, noted Jesse Netz, Principal Engineer at McAfee.
A well-informed SOC finds a sweet spot on an axis where the number of false positives is low enough and the true positives are high enough “where you can actually do something about it,” added Netz.
He believes that for SOC practitioners, visibility is only part of the conversation. “How actionable is the data you’re getting? How usable is the platform in which that data is being presented to you?”
For example, in the evaluation we saw McAfee’s MVISION EDR preserve actionability and reduce alert fatigue. We excelled in the five capabilities that matter most to SOC teams: time-based security, alert actionability, detection in depth, protection, and visibility.\
If you can’t do anything about the information you obtain, your results aren’t really useful in any way. In this regard, prevention also trumps visibility. “It’s great that we can see and gain visibility into what’s happening,” explained Netz. “But it’s even better at the end of the day as a security practitioner to be able to prevent it.”
The SOCwise team overall applauded the progressively sophisticated approach taken by the MITRE Engenuity enterprise evaluations of cybersecurity products—now in its third year. However, our panel of experts noted that this round of testing was more about defending endpoints, rather than cloud-based operations, which are fairly central to defending today’s enterprise. They expect that focus may change in the future.
The MITRE Engenuity enterprise evaluations provide a lot of useful data, but they should never be the single deciding factor in a cybersecurity product purchase decision. “Use it as a component of your evaluation arsenal,” advises Netz. “It’ll help to provide kind of statistics around visibility capabilities in this latest round, including some detection capabilities as well, but be focused on the details and make sure you’re getting your information from multiple sources.”
For instance, Carbanak and FIN 7 attacks may not be relevant to your particular organization, especially if they’re centered on Cloud-based operations.
While no emulation can perfectly replicate the experience of battling real-time, zero-day threats, McAfee’s Valenzuela believes these evaluations deliver tremendous value to both our customers and our threat content engineers.
The post What the MITRE Engenuity ATT&CK® Evaluations Means to SOC Teams appeared first on McAfee Blogs.
In our last blog about defense capabilities, we outlined the five efficacy objectives of Security Operations, that are most important for a Sec Ops; this blog will focus on Visibility.
The MITRE Engenuity ATT&CK® Evaluation (Round3) focused on the emulation of Carbanak+FIN7 adversaries known for their prolific intrusions impacting financial targets which included the banking and hospitality business sectors. The evaluation’s testing scope lasted 4 days – 3 days were focused on detection efficacy with all products set to detect/monitor mode only, and the remaining day focused on protection mode set for blocking events. This blog showcases the breadth and depth of our fundamental visibility capabilities across the 3 days of detection efficacy.
It is important to note that while the goal of these evaluations by MITRE Engenuity is not to rank or score products, our analysis of the results found that McAfee’s blue team was able to use MVISION EDR, complemented by McAfee’s portfolio, to obtain significant visibility, achieving:
| Scenario | Evaluation Scope | Visibility Outcome |
| Scenario – Carbanak | Across all 10 Major Steps (Attack Phases) | 100% |
| Scenario – FIN7 | Across all 10 Major Steps (Attack Phases) | 100% |
The evaluation when tracked by Sub-steps shows McAfee having 174 sub-steps with a total 87% visibility.
When you seek to defend enterprises, you need to assess your portfolio and ensure it can go the distance by spanning across the endpoint and its diverse context, as well as network visibility stemming from hostile activity executed on the target system. More importantly, your portfolio must closely track the adversary across kill-chain phases (miles-wide) to keep up with their up-tempo. The more phases you track, the better you will be able to orient your defenses in real-time.
The Carbanak emulation consisted of an attack with 10 Major Steps (Kill Chain Phases) on day one, and our portfolio provided visibility across every phase. In these 10 phases, MITRE conducted 96 substeps to emulate the behaviors aligned to the known TTPs attributed to the Carbanak adversary.
McAfee MITRE Engenuity ATT&CK Evaluation 3 Results
The FIN7 emulation consisted of an attack with 10 Major Steps (Kill Chain Phases) on day two, and our portfolio provided visibility across every phase. In these 10 phases, MITRE conducted 78 substeps to emulate the behaviors aligned to the known TTPs attributed to the FIN7 adversary.
McAfee MITRE Engenuity ATT&CK Evaluation 3 Results
Tracking the adversary across all phases of the attack (miles-wide) is significantly strong, but to be really effective at enterprise defense, you also need to stay deep within their operating mode, and keep up with their movement within and across your systems through different approaches (feet-deep). At McAfee, we design our visibility sensors across defensible components to anticipate where adversaries will interact with the system, consequently tracing their activities with diverse data sources (context) that enrich our portfolio. This not only let us track their intentions, but also discover impactful outcomes as they execute hostile actions (sub-steps).
Defensible Components and Telemetry acquired during the evaluation.
If a product is configured differently you can obtain information from each Defensible Component, but this represents telemetry acquired based on the config during the evaluation (not necessarily evidence that was accepted).
Of the 96 Sub-Steps emulating Carbanak, our visibility coverage extends from more than 10 unique data sources including the automated interception of scripted source code used in the attack by our ATD sandbox integration with the DXL fabric.
McAfee MITRE Engenuity ATT&CK Evaluation 3 Results
Of the 78 Sub-Steps emulating FIN7, our visibility coverage extends from more than 10 unique data sources providing higher context in critical phases with Systems/Api Calls Monitoring to preserve the user’s security awareness as advanced behaviors aim for in-memory approaches conducted by the adversary.
McAfee MITRE Engenuity ATT&CK Evaluation 3 Results
Acquiring data from sensors is fundamental, however, to be effective at security outcomes, your portfolio needs to essentially spread its deep coverage of data sources to balance the security visibility blue-teamers need as the progression of the attack is tracked through each phase.
This essential capability provides the blue-teamer a balance of contextual awareness from detection technologies (EDR and SIEM), and decisive disruption of impactful behaviors from protection products (ENS, DLP, ATD, NSP) oriented to neutralize the adversary’s actions on objectives.
In every phase of the attack, McAfee protection fused with detection products would successfully neutralize the adversary and afford blue teamers rich contextual visibility for investigations needing context before and after the block would have occurred.
McAfee MITRE Engenuity ATT&CK Evaluation 3 Results
This chart clearly shows how ENS (in observe mode) would have prevented a successful attack, blocking the Initial Breach, protecting the customers from further damage. For the scope of the evaluation, it’s also important to remark how the products interacted by providing telemetry on each step.
McAfee MITRE Engenuity ATT&CK Evaluation 3 Results
In the impactful kill-chain phase of “steal payment data”, the DLP product kicks into prevention, while being complemented by the ATD sandbox intercepting the payload that attempts to steal the information, as well as EDR having contextual information within the kill-chain for offline investigations the blue teamer needs.
Here, we covered the essentials of visibility and how to determine the power of having a strong telemetry foundation, not only as individual sensors or defensible components that provide information, but when analyzed and contextualized, we enable the next level of actionability required to prioritize cases with enriched detections.
Stay tuned for the next blog series explaining how detections were supported by this telemetry where we produced 274 detections that have more than 2 data sources.
The post Miles Wide & Feet Deep Visibility of Carbanak+FIN7 appeared first on McAfee Blogs.
Cybersecurity and biases are not topics typically discussed together. However, we all have biases that shape who we are and, as a result, impact our decisions in and out of security. Adversaries understand humans have these weaknesses and try to exploit them. What can you do to remove biases as much as possible and improve your cybersecurity posture across all levels of your organization?
Cybersecurity personnel have many things to address and decisions to make every day — from what alerts to investigate, to what systems to patch for the latest vulnerabilities, to what to tell the board of directors. However, our brains don’t give each decision equal attention—we take mental shortcuts. These mental shortcuts are known as biases and they allow us to react quickly.
In this two-part blog series, we’ll explore the types of cognitive biases that could be affecting your company’s security posture and give you tips on how to address these biases.
Do you feel you are biased? We all are to some extent. What do you see when you look at this picture below? Faces or a vase? Some people may see one or the other and some see both. This is representative of what happens in real life. Many of us are at the same meeting together but leave with different perspectives about the discussion. This is our cognitive biases influencing us.
A cognitive bias is a result of our brain’s attempt to simplify processing of information. The formal definition says it is “a systematic pattern of deviation from norms in judgment”. We as individuals create our own “subjective reality” from the perception of the inputs. Our construction of reality, not the input, may dictate how we behave.
Availability bias is a mental shortcut that our brains use based on past examples relating to information that is “available” to us around a specific topic, event, or decision. This information could come from things we saw on the news, heard from a friend, read, or experienced. When we hear information frequently, we can recall it quickly, and our brains feel it is important as a result. With all the urgent interrupts and overall volume of decisions needing to be made by CISOs and other cyber executives, it is very easy to get caught up in decision making based on past or recent information.
Availability bias impacts security in many ways. We often see the impact in the areas of risk assessment, preparedness, decision making and incident response. In the area of risk assessment, availability bias may arise when the company board of directors looks for an updated risk assessment. Rather than focusing on the entire company, data could be presented with respect to an area for which another company had a breach. For example, we have seen SolarWinds in the news a lot throughout the first quarter of this year, and our inclination might be to assess our risk in the context of that incident. However, the assessments should look at all aspects of the business in depth and not just focus on the supply chain risks. Are there issues that require more attention than what is trending in the news?
We also see availability bias in preparedness when organizations prepare for high impact, low probability events instead of preparing for high probability events. What we should worry about doesn’t always align with what we do worry about. Events that have a high impact but low probability of occurring, such as an airplane crash, a shark attack, or volcano eruption, often receive much attention but are less likely to occur. We remember these much more than we remember higher probability events like falling off a ladder or automobile accidents. For instance, can you name the last phishing campaign you heard about or the last time someone’s PII was stolen? Probably not, but these are examples of the high probability events your organization most likely needs to prepare for.
In the area of decision making, your CISO or the cybersecurity analysts may make decisions in favor of hot topics in the news. These topics may overshadow other information they know or is so mundane that it becomes background noise. As a result, decisions made are not well rounded. For example, if there was a recent IoT related issue like Dyn in 2016, your analysts may over focus on IoT related security decisions and neglect things like investing in new security controls for your mobile devices.
Availability bias also surfaces during critical incidents when emotions are typically running high and the focus is on quickly addressing the issue at hand. Focusing on securing the specific area where the incident occurred may leave us blind to another issue waiting in the wings. Let’s pretend someone broke into your home through a window, your first thought may be to secure all the windows quickly; however, if you didn’t look at all your security risks, you may forget that you can shake your garage door lock, and it’ll pop open.
Our analysts are typically exploring data thoroughly though executives may not always see the in-depth information. If you are at the executive level, I would recommend you review all the facts and consciously look beyond what is available quickly so you get the full picture of the incident, how prepared you are, risks, etc. If you are an analyst or in a position of influence, I would recommend summarizing the facts in way that accurately reflects the probability of those events occurring as well as considering all possible events.
Another bias that appears in cybersecurity is confirmation bias. This is when you look for things to “confirm” your own beliefs or you remember things that only conform to your beliefs (similar to availability bias). For example, your news feed may be full of things related to your political beliefs based on what articles you clicked on, shared, or liked. Chances are it’s not filled with things that oppose your beliefs. A few areas where confirmation bias is seen in cybersecurity is in decision making, security hygiene, risk assessment, preparedness, and penetration testing.
When you are making decisions, are you considering different points of view or just looking to your close group of trusted advisors who may think like you? Are you willing to push and challenge your own beliefs to ensure you are making the best decisions for the company?
When was the last time you reviewed your company’s security hygiene? Are you diligent about updating systems or do you believe it won’t happen to you because nothing has happened in the past? Are you using an XDR solution in your environment or do you feel you don’t need it because all your current systems are serving your needs just fine? Do you feel you are more secure when you are in the cloud vs on-prem despite human error affecting both?
How do you approach cybersecurity preparedness? Are you passive, reactive, or progressive? Similar to hygiene, do you feel an incident won’t happen to you so you look for data to confirm that? Or are you the opposite and feel you may repeat incidents if you don’t do everything possible to look for data to confirm those beliefs? If you are an executive, are you reviewing the facts and evidence for all your cyber processes or just those that you personally know well from early on in your career? I’ve seen some analysts ignore some of their alerts because they weren’t quite sure how to deal with them. As a result, they fall back on what they know or information that is readily available.
Sometimes organizations may hire third party companies or employ penetration testing performed on their environments. When you define the scope of work, are you looking for all the gaps or holes or just focusing on the weaknesses and strengths? When the results come in, do you address everything that is recommended or only focus on the items you believe will impact you?
It is hard to look beyond what we believe because in our eyes it is ground truth. It is important in making security decisions that we look beyond what we want to hear or see to ensure we are getting what we need to hear and see.
Unconscious or implicit biases are social stereotypes about certain groups of people that we form outside of our own conscious awareness. Just as you see in the picture, our mind is like an iceberg where the conscious mind is what we can recall quickly and are aware of. The subconscious mind stores our beliefs, previous experiences, memories, etc. When you have an idea, emotion, or memory from the past, it’s recalled from our subconscious by our conscious mind. The third layer – our unconscious mind – is deep inside our brain.
Everyone holds unconscious beliefs about various social groups, and these biases stem from our tendency to organize social worlds by categorizing them quickly. We often think about unconscious bias in the context of negative biases, but there are also positive unconscious biases, for example feeling a connection to someone from your hometown or college alma mater. Unconscious bias impacts security in the areas of decision making, risk assessment, incident response, cyber security policies and procedures, and identity and access management.
In the area of decision making, I’ve seen executives blindly trust the IT team because they are perceived as being the “experts”. While this may be true, they are wrestling with the same unconscious biases and skills shortages many of us are. Just as it’s important to seek out additional information and facts when making your own decisions, it’s equally important to review the data and provide feedback and alternate opinions to others. Often, it’s easy to go with the majority and not rock the boat. If you feel that something needs to change or be addressed differently, don’t be afraid to go against the flow. Mark Twain is quoted, “Whenever you find yourself on the side of the majority, it’s time to pause and reflect.” When was the last time you went against the majority?
Another unconscious bias that sometimes arises is related to age. Some people feel older workers are a greater risk to a company than younger workers because they perceive older workers as not being “up to date” on newer technologies. Conversely, some feel younger people engage in risky behavior like visiting potentially suspect websites or sharing too much information on social media. As a result, security analysts may focus on the wrong areas as the source of a security risk or issue based on their biases.
If you had an incident, how would you respond? Would you blame an unsecure IT environment, incompetent end users or would you look at the facts and evidence in and outside of your beliefs to determine what happened? How would you and your team respond to the incident? If your security operations team felt that IT had not done their part prior to the incident, you may be looking in the wrong area for the source of the incident. You may have heard the acronym PEBKAC. For those that don’t know what it means, it stands for “problem exists between the keyboard and chair”. Are you sure the problem is PEBKAC or does it lie somewhere in your environment?
Implicit trust is another form of unconscious bias. When was the last time your cybersecurity policies and procedures were thoroughly reviewed? Let’s say you feel your SOC analyst is amazing, and you trust everything they say. Because of this implicit trust, you don’t think to dive into the details. As a result, you could have a firewall running without any defined rules but wouldn’t know because you’ve never checked. This doesn’t mean your SOC analyst isn’t trustworthy, just that you shouldn’t allow your unconscious bias to overrule the necessary checks and balances.
We can sometimes also be led to overconfidence by unconscious bias. For example, when writing a paper or an article, we can be certain that there are no mistakes or typos, but often it’s because we’ve read or reviewed it so many times that our unconscious mind reads it as it should be and not what it actually is. Similarly, in the area of identity and access management, security analysts and software developers may blame users for issues and fail to look at the internal infrastructure or their own code because they have a false confidence that leads them to believe they couldn’t possibly be the problem.
To overcome unconscious and implicit bias, ensure you are sticking to the facts and asking all stakeholders, including those you may disagree with for inputs. Also look in the mirror. Did you make a mistake or are you excusing your behavior instead of facing it? Also, don’t be afraid to follow the words of Mark Twain and pause and reflect to ensure you are making the correct decision, addressing the incident in the correct way, or hiring the right person.
Because we all have biases and take mental shortcuts, we need to make a conscious effort to address them. Look beyond what you want to hear or see and what shows up in your news feeds to address availability and confirmation bias. Ensure you are sticking to the facts and asking all stakeholders, including those you disagree with, for inputs to overcome unconscious and implicit bias. You don’t want to be the next company in the news because your biases got in the way.
The post Through Your Mind’s Eye: What Biases Are Impacting Your Security Posture? appeared first on McAfee Blogs.
Imagine this scenario: a CEO, CIO, CTO, CISO walk into a bar…
The CTO has heard about cocktails that go beyond the “pour and shake,” and asks the bartender what they know about molecular gastronomy to take their drink to the next level. The CIO considers the CTO’s choice, weighing the risk versus reward of trying something new. The CEO orders a Long Island iced tea – a bold, ambitious, and challenging choice that incorporates a bit of everything, but they know in their gut it is the right decision and direction. The CISO orders a water.
Why? Because somebody always must be the designated driver, taking the responsibility to protect the integrity of the entire team and organization. They are the eyes and ears, proactively anticipating what may happen, knowing the onus is also on them to respond reactively to anything that may occur.
While in a bar this may mean things getting a bit rowdy, in the security operations center (SOC) it means an entire business can be compromised, creating a catastrophic spiral of events that can have massive impact and implications for customers, not to mention severe cost to the business.
Needless to say, the consequences are more extreme than a hangover. They remain always-on in the mind of the CISO – and this isn’t the only challenge the role faces. It is no secret in the security industry that elevating the role of the CISO to carry equal weight and footing as the rest of the executive or c-suite has been an uphill battle. While progress has certainly been made, there is always more work to be done to thwart and combat the seemingly never-ending barrage of threats that continue to emerge.
Nearly every industry has been impacted in some manner by the events of 2020 and so far, across 2021. Attacks have increased and promise to become even more plentiful, more sophisticated. Enterprises and organizations have struggled against unforeseen challenges, yet at the same time have faced increased pressure and demand to modernize, digitize, and transform.
We’ve seen that with today’s distributed workforce, cloud usage has increased, and enterprises are tasked with maintaining efficiency across even more endpoints – and keeping those endpoints safe. This has presented a tremendous opportunity for CISOs to maximize their full power and impact by proving to be the clear connection and catalyst merging technology and business.
This means today’s CISOs may need to do more with less, convincing fellow c-suite members that integration is more important than introducing new toolsets, applications, or solutions at a time when enterprises may be more vulnerable or susceptible to risk due to staffing constraints or conflicting priorities across the business. With the amount of change rapidly occurring across enterprises, CISOs have an increased impetus, responsibility, and opportunity to show enhanced value to the organization. They must continue to shift the perception that security can be a barrier to business efficiency and success and instead show that security is more than a compliance function, but a true business enabler.
In order for CISOs to be successful, they must stay steadfast in aligning with the CIO, CTO, CEO, and all the way up to the board. They can do this by showing up with data to demonstrate the impact (both past and potential) made to business, including proof points related to vendor sprawl and legacy technologies (and any associated cost or complexity) as well as insight into threats that were prevented and the damage they could have caused.
CISOs will also need to continue the shift on their end, adapting their role and approach from waiting for a compromise to happen to understanding threat actors, their common techniques, and how to get ahead. In short, they need to become what they fight against – proactive threat management means you need to think like a threat actor. Ideally, the CISO should not only be able to articulate business risks and impacts – they also need to show foresight and maturity to suggest controls or process improvements that can improve business efficiencies because security is built in to protect and enable this agility.
Once CISOs truly understand the business side of an organization and can not only relate but prove this value to the rest of the c-suite, they can be viewed as more of a strategic partner. With this line of thinking, the SOC can move from being viewed as a cost center to being a more deliberate and proactive part of the enterprise facilitating business success.
The post Give CISOs a Shot – They Deserve It appeared first on McAfee Blogs.
In Part 1 of our Through Your Mind’s Eye series, we explored how our brains don’t give each decision we make equal attention, and we take mental shortcuts known as biases. These biases allow us to react quickly, but they can also lead to mistakes and oversights. Because we all have biases that shape who we are, our decisions in and out of cybersecurity can be impacted in both good and bad ways.
Safety bias is focusing on shortcomings so as not to take a risk. Many studies have shown that we as humans would prefer not to lose money even more than we’d prefer to gain money. You may have heard about studies where people are offered a lower amount of money now or higher amount in two years. Most participants took the sure thing of money now rather than wait for more. However, this changes when people are faced with a loss decision. For instance, when asked if they would rather definitely lose $100 or take a 50% chance of losing $1000, most say they would take the option to risk losing $1000. Because of safety biases, progress in decision making is slowed and healthy forms of risk taking are held back.
Safety bias is seen in security development operations, risk assessment, policies and procedures, decision making, and identity and access management. For the area of security development operations, is your dev ops team applying traditional network controls to the cloud or are they looking at how they can refactor to help take their organization to the next level? Are they stuck in the past or moving to the future?
When was the last time you reviewed your security products and their capabilities for risk assessment? Are you keeping what you have because you already purchased those solutions, or are you reviewing them to ensure they’re the best at keeping your organization safe? For example, does your current solution have a vulnerability scanner that can identify advanced vulnerabilities? Would you upgrade if it didn’t? If you aren’t evaluating your security products against emerging threats on a regular basis, your risks can be impacted without realizing it.
There are also parallels with our example above where participants took the immediate sure thing. The same thinking causes companies to invest in solutions that may be overkill to address overly specific and high impact/low probability risk factors. They are solving for something with a low probability of happening and, as a result, may be spending much more on policies and procedures than necessary.
When there is an ambiguity in decision making, system owners may be reluctant to upgrade or apply the latest patches. There may also be an unwillingness of end-users to configure security features, and a lack of interest from developers to add new security features to an existing application. As a result, these system owners err on the side of caution so as to not break or change something since they see this as more of a risk than installing the latest patches. Likewise, developers may opt for cost savings rather than add in security features.
As you move from on-prem to cloud solutions, have you considered what software applications need to be retooled for optimization in the cloud for your identity and access management requirements? What new identity analytics solutions need to be put in place to be prepared for the future? Or are you keeping things “as is” because that is the safe thing to do?
Some social scientists lump the ostrich effect with safety bias. The ostrich effect is based on a myth that ostriches bury their head in the sand when they sense danger. Is your team “burying their heads in the sand” when they need to make a risky decision?
To overcome safety bias, get some distance between you and the decision being made. Imagine a past self already having made the choice successfully in order to weaken the perception that there will be loss. Another idea, if you feel this is something happening in your environment, is to balance out your team with both risk-taking and risk adverse team members.
Framing Effect – The framing effect also influences safety bias and relates to how something is “framed” or described. For instance, if something is worded in a negative way to emphasize the potential for loss, the receiver may be afraid to take a risk. You may have seen commercials for cyber services that say, “1 in 5 companies lost their data while using another service”. Instead of focusing on the 4 that did not lose their data, they focused on the 1 that did lose so you’ll think about them protecting you instead of their competition. Another example that drives home the point is related to health. Let’s say you needed an operation. How would you feel if the doctor told you that you had an 80% chance of recovery? Now what if the doctor said you had a 20% chance of death by having this same operation? Would you think differently how you approached the operation? Pay attention to how statements are phrased to overcome gut reactions when deciding.
Affinity Bias – Affinity bias is gravitating to what we know or are comfortable with as opposed to the unknown. For example, when you see a stranger wearing your college alma mater sweatshirt in another city you instantly feel a connection to them even though you have never met. This creates an “in-group” bias. This can manifest in cyber as an aversion to new product offerings. Are you still using the same solutions you’ve been using for the last 20 years because they are familiar and comfortable to you or are you using an XDR solution now? You may also feel your direct team alone has all the right answers and no one else knows how to secure the environment or application better than your team. Is that because it’s true or because you are most comfortable with them?
Similarity Bias – Similarity bias occurs because we as humans are highly motivated to see ourselves and those who are similar to us in a favorable light. We unconsciously create “ingroups” and “outgroups”. These could be related to the city or country where we grew up or live today, where we went to school, areas of interest, etc. Are you hiring people who are similar to who you currently have on the team or are you looking for skills and individuals that bring diverse perspectives or meet your needs in the next 1-2 years?
Loss Aversion – An example of loss aversion can be observed when companies have already invested in their traditional IT infrastructure so why move to the cloud? Moving to the cloud takes time and resources. Instead of modernizing, they keep buying new servers and storage to keep the environment running as it had been for decades.
Distance Bias – Distance bias is prioritizing what is nearby whether it is in physical space, time, or other domains. Prior to the pandemic when we were in conference rooms having conversations, how many times did you observe people in the meeting room failing to gather inputs from their remote colleagues on the phone? Or have you decided based on what you needed to do sooner in time instead of considering the long-term effects of what was best for the company?
As you saw in each of the biases featured in both of our articles, they are not mutually exclusive. There are many overlaps between the different types of cognitive biases. How do we address these?
Awareness of the cognitive biases at play for you and your teams is one of the first steps to ensuring your company is not at risk. After you have acknowledged the possibility of biases and flaws in your environment, examine where you may have biases influencing your cybersecurity posture. This requires personal insight and empathy by all involved.
Begin to educate others on where and how biases could be impacting your cybersecurity posture. Once that is done, have a thorough review of your current cybersecurity posture and adjust as necessary. Over the next few months, work on building habits across the team to ensure you are consciously removing biases that could be influencing your cybersecurity posture.
Our adversaries understand human biases and actively try to exploit them. Removing these biases as much as possible can help you and your team improve your security posture and defend your organization across all levels.
The post Through Your Mind’s Eye: How to Address Biases in Cybersecurity – Part 2 appeared first on McAfee Blogs.
In response to the latest MITRE Engenuity ATT&CK® Evaluation 3, McAfee noted five capabilities that are must-haves for Sec Ops and displayed in the evaluation. This blog will speak to the alert actionability capability which is essential. This critical ability to react in the fastest possible way, as early as possible on the attack chain, while correlating, aggregating and summarizing all subsequent activity while reducing alert fatigue to allow Sec Ops to uphold efficient actionability.
As a Sec Ops practitioner and former analyst, I can remember the days of painstakingly sifting through countless alerts to determine if any of them could be classified as an incident. It was up to me to decide if the alert were a false positive, false alarm, or something the business should take more seriously… was it something we should wake someone up in the middle of the night over?
It’s been years since I sat on the front line, triaging the results of millions of dollars in investments installed on 100’s of 1000’s of systems worldwide. Thank goodness, times have changed. But the concept of “Alert Actionability” is still a very real aspect of SOC tooling, and it seeks to address 3 primary factors: trustworthiness, detail, and reaction capabilities.
When I say “trustworthiness” I’m referring to a quality of fidelity that has two equal, yet opposing, faces of efficacy: false positives and false negatives. Now, it would be very easy for a SOC solution provider to claim that its product offers 100% visibility if it creates an alert for every process activity and artifact recorded. Sure, its coverage is present, but how actionable is the needle in a stack of needle? As a result, the vendor is likely pressured to fine tune it’s alerting and as such introduces the risk of false negatives, or actual malicious events which go undetected. In the zeal of appealing to useability requirements the false positive curve decreases but the false negative volumes have no choice but to rise.
Resulting in a graph like this:
The secret sauce in the vendor’s capabilities lies in its capacity to push the intersection of these as far right as possible: minimize the false positives and maximize true positives while simultaneously attempting to bring false negatives down to zero. The better a vendor’s product can perform these non-trivial goals, the more likely it is to win your trust as a solution! And the more likely you are to trust the results you see on the dashboard.
Endpoint Detection and Response (EDR) tools have a unique property in which they offer both telemetry and alerting. This implies that there are two goals for EDR platforms: to include event level (telemetry) visibility with automated detection and to provide alerting capabilities for triggering action and triage. With telemetry, the concept of “falsing” is negated because it’s used in a post-facto context. After the alert is constructed, the telemetry can be correlated with the alert logic to provide supporting details. Simply, for EDR telemetry, the more the better.
As an analyst, I remember how much I loved putting together the pieces to tell a story. Extracting key artifacts from several disparate data sources and correlating hypothesis allowed me to present a compelling case as to the conclusion of the alert’s disposition. And I knew that I needed as much detail as possible to make my case; this is just as true today. The detail needs to be easily accessible, and it’s even better when the platform provides the detail proactively. In cases where such supporting evidence may not be possible in the alerting, an analyst’s expectation is that the platform makes hunting for those details easy; I’d even venture to say, “a delight.”
Many EDR platforms on the market offer reaction capabilities to address the “Response” moniker of the acronym. How flexible those response capabilities are in the platform provides a domain of options to act in response to the alert. For example, its rather evident that once an alert is convicted, the analyst may want to block the process, or remove a file from disk. But these reactions imply that the conviction is monolithic in that the analyst is absolutely sure of her conclusion. What if the conclusion is that we simply need more data? Having a robust reaction library that allows for further investigation with routines like sending a sample to a running sandbox, interacting with a given endpoint to act as an administrator, view system logs, or check the history of network connections all empower the analyst with further investigatory options. But why stop there? Having any fixed set of reactions would be presumptive. Instead, EDR products with a dynamic library and flexible, customizable, and modular reaction platform is key as every single SOC I’ve ever worked with has unique Incident Management and Standard Operating Procedures.
MITRE ENGINUITY released results for its 3rd round of ATT&CK® Evaluations in April 2021. The industry is certainly fortunate to receive such 3rd party efficacy testing in the EDR market completely free to consumers. It is incredibly important to add that the ATT&CK Evaluations should be used as a single component of your EDR evaluation program. Efficacy helps determine how fit-for-purpose the product is by answering questions like, “Will it detect a threat when I need it to?” or “Can I find what I need, when I need it?”. But practitioners realize there are also pivotal points that need to be addressed around manageability. Understanding that not alerting on everything is just as important as alerting on the right things. And giving you a plethora of alerting response capabilities helps complete the alert investigation and response actions. McAfee’s MVISION EDR embraces all of these key alert actionability factors and will help displace the manual efforts in your analytics processes. McAfee’s MVISION EDR (soon to evolve to MVISION Extended Detection & Response (XDR)) provided insight through detail and reduced alert fatigue during the evaluation providing context and enrichment, resulting in a ratio of 62% analytic detections (non-telemetry detections) out of the 274-total detections.
Check out other McAfee discussion on MITRE (see resources tab.)
The post Alert Actionability In Plain English From a Practitioner appeared first on McAfee Blogs.
Every week it seems there’s another enormous breach in the media spotlight. The attackers may be state-sponsored groups with extensive resources launching novel forms of ransomware. Where does your organization stand on its readiness and engagement versus this type of advanced persistent threat? More importantly, where does it want to go?
We believe that the way your organization uses threat intelligence is a significant difference maker in the success of your cybersecurity program. Just as organizations take the journey toward cyber defense excellence at their own rate of speed, some prioritize other investments ahead of threat intelligence, which may impede their progress. Actionable insights aren’t solely about speed, though fast-emerging threats require prompt intervention, they’re also about gaining quality and thoroughness. And that’s table stakes for advancing in your threat intelligence journey.
A Threat Intelligence program typically spans five organizational needs:
When you disseminate a threat insight, it triggers different responses from various members of your security team. An endpoint administrator will want to automatically invoke counter-measures and security controls to block a threat immediately. A SOC analyst may take actions including looking for signs of a breach and also recommend ways to stiffen your defense posture.
Better threat intelligence provides you with more contextual information — that’s the key. How will this information help your company, in your particular industry, in your region of the world?
The Threat Intelligence journey comes in stages. Where is your program now?
Within this stage most companies want to prevent the latest threats at their endpoint, network and cloud controls. They mostly depend on their security vendors to research and keep products up to date with the latest threat intelligence. However, in this stage companies also receive intelligence from other sources, including government, commercial and their own cyber defense investigations, and can use the extra intelligence to further update controls.
At this stage, organizations advance beyond vendor-provided intelligence and adapt their protection by adding indicators from third-party threat feeds or from other organizational SOC processes such as malware analysis.
Within this stage, companies want to do more than prevent known threats with their tools. They want to understand the adversaries who might target them, improve detection and respond faster by prioritizing investigations.
Organizations with this goal know that their industry faces targeted threats every day and they have already invested significantly in their threat intelligence capability. At this stage they most likely have a team utilizing commercial and open-source tools as well as threat data feeds. They’re looking for specialized analysis services and access to raw data.
These organizations can proactively assess their exposure and determine how to reduce the attack surface. They apply threat intelligence to empower their threat hunting, either on a proactive or reactive basis.
Until recently it was difficult for security managers to know not just whether their organization has been exposed to a particular threat but whether they have a good level of protection against specific campaigns.
McAfee MVISION Insights is helpful at each stage of your threat intelligence journey because it proactively assesses your organization’s exposure to global threats, integrating with your telemetry, and prescribes how to reduce attack services before the attack occurs. For stage one, organizations can proactively assess their exposure and determine how to reduce the attack surface. For stage two and three, organizations can apply threat intelligence to empower their threat hunting and analysis, either on a proactive or reactive basis.
MVISION Insights Dashboard
One way we help is by integrating data from both McAfee Threat Intelligence feeds such as our Global Threat Intelligence and Advanced Threat Defense, and also third-party services via MVISION APIs. While McAfee Global Threat Intelligence is one of the world’s largest sources of this information, with more than 1 billion global threat sensors in 120+ countries, and 54 billion queries each day, the key thing to know is that we have 500 plus McAfee researchers providing this form of threat intelligence as a service. The idea is to help you elevate your threat intelligence at each step of your organization’s journey.
Check out the latest threats from a Preview of MVISION Insights.
The post Finding Success at Each Stage of Your Threat Intelligence Journey appeared first on McAfee Blogs.
What does ‘good customer service’ mean to you in 2021? A friendly greeting when you enter a shop? Quickly fixing any issues with deliveries? Or, perhaps the company you entrust with your data maintaining strong security and privacy practices?
It’s been a long time since digital technology was a special interest topic. Product launches, business deals, and new innovations were once reported on only in industry magazines – now, you’d be hard pressed to find a mainstream newspaper that doesn’t have some kind of technology section. We’ve quickly become used to the fact that when the tech giants talk, everybody listens.
More recently, however, it’s become clear that the internet has taken another step towards the centre of the public conversation. While new devices and technological advancements are still (mostly) kept in separate sections of the media or tagged on to the end of the TV news, problems with technology often land straight on the front page.
Outside observers have spent decades treating hacks and attacks as something arcane, as a distant problem that only the technologists can understand and only they have to deal with. Consumers, meanwhile, were left to hope that any issue would soon be fixed – whether that’s waiting for access to their files to be restored or trying again the next day to get into a website.
A few recent stories have underlined that those days are, or should be, behind us. In just the last two months, ransomware attacks have interrupted the operations of pipelines, food producers and the health sector. For many, this has been followed as a story about the international nature of cybercrime and claims that cryptocurrencies are enabling new types of attack.
For those communities reliant on the targeted organisations, however, these cyber-attacks can mean higher costs when fueling their cars to get to work, or product shortages in their weekly shop. We know that there’s a lot of technical interest in analysing ransomware such as DarkSide, or the many other groups attacking sectors like manufacturing, oil and gas, and healthcare. We always need to remember, however, that the focus is not just how these attacks work, but how we can prevent the real-world impacts they have on people’s daily lives.
These are extreme examples: they are incredibly high-value targets, which criminal groups will go to extraordinary lengths in order to disrupt, and which have national consequences when they are affected. Services like online retail and customer support can be disrupted in just the same way. From the perspective of the people who use these services, however, the fact that these were ransomware attacks doesn’t matter. Whether it’s due to attacks, accidents, or mismanagement, what matters is the betrayal of trust and the knock-on effects of service loss.
Examples like this are why I believe that we should see cybersecurity as a much wider foundation than we do, underpinning not just a business’s IT infrastructure, but its reputation, its revenue and, yes, its customer experience.
In crowded markets, customer experience is often the key differentiator between competing businesses. A lot of the disruption that we’ve seen in many sectors thanks to the growth of digital and online approaches has come down to a better, more premium customer experience. Whole industries have arisen around easier ways to order taxis, listen to music, and buy food.
As consumers continue to seek better, simpler experiences, they will (and, I think, should) also start paying close attention to how businesses respond to such incidents and maximise service levels. Key things that shoppers might want to look for when weighing up their choices include:
Businesses, meanwhile, should be looking at how the efforts they take around cybersecurity can form part of the way they build customer confidence. By communicating clearly about the defensive measures we take – and, vitally, framing them in terms of the outcomes they have on people’s lives, not just the technical details – we can all help to make the public savvier about how they can make sure they truly rely on the services they rely on.
The post Why Security is Now the Foundation of Good Customer Experience appeared first on McAfee Blogs.
How well can you predict, prevent and respond to ever-changing cyberthreats? How do you know that your security efforts measure up? The stakes are high if this is difficult to answer and track. Imagine if you had one place where you found a comprehensive real time security posture that tells you exactly where the looming current cyber risks are and the impact? Let’s consider a recent and relevant cyber threat.
Take, for example, the May 7th DarkSide ransomware attack that shut down Colonial Pipeline’s distribution network. That well-publicized attack spurred considerable interest in cybersecurity assessments. Ransomware doesn’t just cost money—or embarrassment—it can derail careers. As news spread, we fielded numerous calls from executives wondering: Are my systems protected against DarkSide?
Until recently, discovering the answer to such questions has required exercises such as white hat penetration testing or the completion of lengthy or sometimes generic security posture questionnaires. And we know how that goes — your results may vary from the “norm,” sometimes quite a bit.
To empower you to ask and confidently answer the “am I protected” questions, we developed MVISION Insights Unified Posture Scoring to provide real-time assessments of your environment from device to cloud and threat campaigns targeting your industry.
With the score, you’ll know at a glance: Have you done enough to stave off the most likely risks? In general, the better controls you set for your endpoints, networks and clouds, the lower your risk of breaches and data loss—and the better your security posture score. A CISO from a large enterprise recently stated that the “most significant thing for a CISO to solve is to become confident in the security score.”
Assessing risk is about determining the likelihood of an event. A risk score considers where you’re vulnerable and based on those weaknesses how likely is it that a bad actor will exploit it? That scoring approach helps security teams determine whether to apply a specific tool or countermeasures.
However, a posture score goes a step further when it considers your current environment’s risk but also whether you’ve been able to withstand attacks. Where have you applied protections to suppress an attack? It enables you to ask: what’s the state of your defensive posture?
Security posture scoring may answer other critical questions such as:
Knowing these answers also makes security posture scoring useful for compliance risk assessment, producing a benchmark that enables your organization to compare its industry performance and also choose which concerns to prioritize. The score can also serve as an indicator of whether your organization would be approved for cyber insurance or even how much it may have to pay.
Some organizations use security posture scoring to help prepare for security audits. But it can also be used in lieu of third-party assessments—applying recommended assessments instead of expensive penetration testing.
No doubt, the pandemic and working from home have exacerbated security posture challenges. According to Enterprise Strategy Group (ESG), a “growing attack surface” from cloud computing and new digital devices are complicating security posture management. So is managing “inexperienced remote workers,” who may be preyed upon by various forms of malware. This can lead not only to management headaches, says ESG, but also to “vulnerabilities and potential system compromises.”
About one year ago we released the initial version of MVISION Insights posture scoring —focused on endpoint assessments. A security score was assigned based on your preparedness to thwart looming threats and the configuration of your McAfee endpoint security products. It enabled predictive assessments based on security posture aligned to campaign-specific threat intelligence.
Customers are tired of piecing together siloed security and demand a unified security approach reflected in our MVISION XDR powered by MVISION Insights. We expanded the scoring capability to also assess cloud defenses, including your countermeasures and controls. Derived from MVISION Cloud Security Advisor, the cloud security posture is weighted average of visibility and control for IaaS, SaaS,and shadow IT. There is an option to easily pivot to MVISION Cloud Security Advisor. The Unified Security posture score is weighted average of the endpoint and cloud security posture score delivering a more robust and comprehensive assessment with the ability to drill down on specifics to enhance your security from device to cloud. Many endpoint wanna-be XDR vendors cannot provide this critical aggregated security assessment across vectors.
Becoming more robust is what all of us must do. When organizations face the jeopardy of “Ransomware-as-a-Service” payments that may scale up to $2 million, understanding how best to manage your security posture is no longer simply a nice to have, it’s become an operational imperative.
Click here to learn more about Security Posture Scoring from a few practitioners in our LinkedIn Live session.
The post Testing to Ensure Your Security Posture Never Slouches appeared first on McAfee Blogs.
Digital sovereignty and strategic autonomy are phrases that are used almost daily in EU policy circles, loosely framed around the EU’s ability to carve out its own future in the digital sphere, rather than having its terms dictated from abroad. To achieve digital sovereignty in practice, having access to as broad a range of suppliers is key, not unnecessarily restricting the market.
Our ability to self-determine Europe’s digital future is at risk when we become reliant on one source, that much is clear, and has been demonstrated recently in the global supply shortage of microchips. All measures that reduce this dependency will benefit digital sovereignty, which in practice means expanding competition in the market to as many players as possible.
The means to get there are varied, and Europe is rightly seeking to build infrastructure, expand the pool of skilled experts and facilitate market entry. The EU and member states are also putting in place measures to eliminate obvious security risks in supply chains that demand an extra layer of vigilance, such as critical infrastructure, which is in the interest of national security.
But the notion that homegrown European solutions are automatically better than non-European ones – sometimes backed by measures that give European vendors and suppliers undue advantage, or which place additional hurdles for companies that handle customer data outside the EU – is misguided.
In the cybersecurity domain, in particular, limiting interoperability and vendor choice will only reduce Europe’s resilience against cyberattacks, which is a crucial element to ensuring Europe’s digital sovereignty and strategic autonomy. This is as true now as it always has been, in a sector innovating at break neck speed to meet the challenges set by our adversaries.
In this competitive market, best-in-class providers at the cutting edge of security are the ones that will make Europe more cyber-secure, irrespective of where they happen to have their headquarters or data centers. Irrational decisions guided by protectionism should have no place in this debate. Indeed policies or practices requiring forced data localisation can often limit the benefits generated by scale and global reach, and negatively impact cyber security’s operational effectiveness.
A recent seminar organised by ECIS, the European Committee for Interoperable Systems, set out some clear principles that should guide Europe’s quest for digital sovereignty. Ensuring that the market operates as effectively as possible, supplier choice is as broad as possible, and interoperability and ability to switch suppliers is safeguarded, on the basis of clear standards, will be paramount.
That is not to say that all measures being considered are misguided. An industrial policy that improves Europe’s digital infrastructures will boost Europe’s supply of home-grown digital services and products. Countries also have legitimate reasons to safeguard their national security and are well within their rights to set criteria to this end. The real danger lies in confusing protectionism with digital sovereignty.
The post Restricting Supplier Choice Isn’t an Option to Enhance Digital Sovereignty appeared first on McAfee Blogs.
As Ransomware continues to spread and target organizations around the world, it is critical to leverage threat intelligence data. And not just any threat intelligence but actionable intelligence from MVISION Insights. Fortunately, there are several steps you can take to proactively increase your Endpoint Security to help minimize damage from the next Darkside, WannaCry, Ryuk, or REvil
MVISION Insights provides near real time statistics on the prevalence of Ransomware campaigns and threat profiles detections by country, by sector and in your environment.
Above you can see that although 5ss5c is the most detected ransomware worldwide, in France Darkside and Ryuk have been the most detected campaigns in the last 10 days. You can also sort top campaigns by industry sector.
As you can see above, MVISION Insights measures your overall Endpoint Security score and provides recommendations on which McAfee Endpoint Security features should be enabled for maximum protection.
Then, MVISION Insights assesses out-of-the-box the minimum version of your McAfee Endpoint Security AMcore content necessary to protect against each campaign. As you can see above, two devices have an insufficient coverage against the “CISA-FBI Cybersecurity Advisory on the Darkside Ransomware”. You can then use McAfee ePO to update these two devices.
Below, MVISION Insights provides a link to a KB article for the “Darkside Ransomware profile” with detailed suggestions on which McAfee Endpoint Security rules to enable in your McAfee ePO policies. First, the minimum set of rules to better protect against this ransomware campaign. Second, the aggressive set to fully block the campaign. The second one can create false positives and should only be used in major crisis situations.
MVISION Insights can show you whether you have unresolved detections for specific campaigns. Below you can see that you have an unresolved detection linked the “Operation Iron Ore” threat campaign.
MVISION Insights provides IOCs (Indicators of comprises) which your SOC can use with MVISION EDR to look for the presence of these malicious indicators.
If your SOC has experienced threat hunters MVISION Insights also provides information on the MITRE Tactics, Techniques and Tools linked to this threat campaign or threat profile. This data is also available via the MVISION APIs to integrate with your other SOC tools. In fact, several integrations are already available today with other vendors from the McAfee SIA partnership.
Finally, the ultimate benefit from MVISION Insights is that you can use it to show to your management whether your organization is correctly protected against the latest ransomware attacks.
In summary, you can easily leverage MVISION Insights to proactively increase your protection against ransomware by:
The post How to Proactively Increase Your Protection Against Ransomware with Threat Intelligence appeared first on McAfee Blogs.
I’m about to tell you an extraordinary fact about cybercrime. Some of the most significant data breaches in internet history weren’t after bank account numbers, cryptocurrency, or even credit card numbers. They were, in fact, after YOU. That’s right, the most valuable data on the internet is the data that comprises your identity. Let’s take a look at what that data is, how it gets leveraged by cybercriminals, and how you can get the online identity monitoring you deserve.
1 billion is a big number. In the case of a recent CVS database leak, that’s how many user records were accidentally released online, including details like email addresses and even searches about Covid vaccines. This is just one of the dozens of breaches that have occurred recently and will continue to happen as personally, identifiable information becomes more valuable to cybercriminals. Just as remarkable as the huge volume of user data being exposed online is the speed with which compromised data is used by hackers online. Cybersecurity researchers recently discovered that cybercriminals access leaked or stolen credentials within 12 hours to exploit them as soon as possible. These circumstances beg the question, why has your personally identifiable information has become so valuable lately?
While the value of some information, like a credit card number, is obvious, you may think your name and date of birth aren’t that big of a deal. After all, it wasn’t so long ago that you could find all that information in a phone book. In fact, personally identifiable information (PII), also known as data used to identify a specific individual, is what many data breaches are after.
Armed with just a mailing address, a phone number, and a date of birth, a cybercriminal can begin constructing a fake identity to take out loans and disguise many kinds of criminal activities. With a social security number and a few personal details from a social media account, they could take over a bank account. When it comes to your PII, any information is as good as gold to cybercriminals.
If our PII were treated like actual gold and held in a safe location like Fort Knox, I wouldn’t be writing this post. But in fact, it’s the currency we use to obtain many services in our connected lives. Social media sites are massive repositories of PII, and their access to our most personal details and the ability to sell it to marketers is the reason the service remains free. Free email services are the same. Now consider all the other accounts we may have created to, say, try out a streaming service for free, or even old accounts we no longer use. From that perspective, you can see how much of your data is being used by companies, may not be very well protected, and is a tempting target for cybercriminals. Fortunately, there are many things you can do to keep your identity safer online.
When it comes to protecting your PII, knowledge is power. Let’s start by identifying if you’ve been the target of a data breach. Here are a few tell-tale signs:
Okay, now that you know the signs of a data breach, let’s look at how you can take action to protect yourself. The best way to avoid being the victim of identity theft is by limiting the amount of PII you provide. There are some easy ways to do this.
Only a few types of organizations legitimately need your social security number. These include employers or when contracting with a business, group health insurance, financial and real estate transactions, applying for credit cards, car loans, and so forth.
Quizzes, social media games, and other kinds of interactive clickbait are often grifting pieces of your PII in a seemingly playful way. While you’re not giving up your SSN, you may be giving up things like your birthday, your pet’s name, your first car … things that people often use to compose their passwords or use as answers to common security questions on banking and financial sites.
A phishing email poses as a real email from known or trusted brands and financial institutions. These emails attempt to trick you into sharing important information like your logins, account numbers, credit card numbers, and so on under the guise of providing customer service. Here are some more ways to spot a phishing email.
Clearly, we’re in a new era when it comes to securing our identities online. In response, McAfee has created a new kind of identity monitoring.
We knew from the outset Identity monitoring had to be proactive, holistic, and accessible. We also wanted it to follow the timeline for how cybercrime actually affects your identity. When it comes to PII, the breach is just the first step for cybercriminals. The 10 months following a breach is when cybercriminals will use your PII to commit fraudulent acts using your data.
To address this, your identity monitoring looks after more personally identifiable information than other leading competitors. It will also alert you of stolen personal info an average of 10 months ahead of other monitoring services. And it’s accessible anywhere via mobile app, browser, and the web.
In practice, McAfee’s identity monitoring protects all your online accounts by doing the following:
As we spend more of our lives online, we need an approach to security that reflects this new reality. Identity monitoring is part of it. VPN is part of it. Antivirus is part of it. They are all pieces of a puzzle that we solve with products like McAfee Total Protection. Our premier security service is comprehensive, affordable, and, with identity monitoring, an indispensable part of your life online.
The post Identity Protection Service: The Best Solution to a Growing Problem appeared first on McAfee Blog.
Do you usually read what critics say before deciding to see a movie or read a book? We believe these McAfee MVISION XDR reviews were worth the wait. But rather than simply share a few top-tier analyst blurbs with you, we’d like to walk through what these insights mean to our growing set of customers and how their sec operations will evolve with greater efficiencies.
Extended Detection and Response products, better known as XDR, not only extended the capabilities of EDR platforms, but according to Gartner[1] “ XDR products may be able to reduce the complexity of security configuration and incident response to provide a better security outcome than isolated best-of-breed components.”
Our Enterprise Security Manager (ESM)/SecOps team briefed a top-tier analyst firm on ESM product execution and the MVISION XDR platform in particular. His reaction to our use cases? “These are great and it is useful to have examples that cut across different events, which is illustrative more so than anything. The response to the cuts across various tools, and the proactive configuration aspect with the security score type analysis, is also pretty rare in this market.”
The takeaway: Preventing an incident is much better than cleaning up after the fact. MVISION XDR powered by MVISION Insights offers a unified security posture score from endpoint to cloud, delivering a more robust and comprehensive assessment across your environment. It allows you to drill down on specifics to enhance your security.
“The vendor has stolen a march on some of its competitors, at least in the short term, with this offering. A lot of vendors are aiming to get to an offering comprising threat intel + prioritization + recommendations + automation, but few if any have actually reached that point today.” – Omdia
A top-tier analyst firm mentioned that many EDR vendors today call themselves “Open XDR” vendors, but they do not offer a fully effective XDR product. The analyst sees XDR as a significant opportunity for McAfee to expand the breadth of our product portfolio.
The takeaway: A fully effective XDR product unites security controls to detect and assess comprehensively and prevent erratic movement of advanced threats. A robust product portfolio with an integrated service offering from a platform vendor with a proven track record of integrating security (McAfee) is critical to achieve this.
Noted by a top-tier analyst firm, only McAfee and one other offers data-awareness in the XDR offering. This XDR capability alerts the analyst that the threat impact is targeted at sensitive data.
The takeaway: Many SOCs have siloed tools that hinders their ability to detect and respond quickly and appropriately. SOC’s must prioritize threat intelligence to rapidly make critical decisions.
A top-tier analyst firm believes the primary segments for XDR capabilities are in the three groups to solve problems: 1) Workspace 2) Network 3) Cloud workloads. Giving hardening guidance is good for customers, so any vulnerability exposure and threat scoring are good priorities for MVISION Insights.
The takeaway: McAfee MVISION XDR provides automation that eliminates many manual tasks but more importantly, it empowers SOC analysts to prioritize the threats that matter and stay ahead of adversaries.
A top-tier analyst firm likes our product direction. “Where you’re going with XDR, and with the cloud console — that’s the way to go. It feels like we have crossed the Rubicon of cloud-delivered.”
The takeaway: By going cloud-native, MVISION XDR enables more efficient, better, and faster decisions with automated investigations driven by correlation analysis across multiple vectors. We can provide unified visibility and control of threats across endpoints, networks and the cloud.
| To discover why McAfee MVISION XDR earns rave industry reviews, see our resources on XDR to evolve your security operations to be more efficient and effective. |
Resource: [1] Gartner Innovation Insight for Extended Detection and Response, Peter Firstbrook, Craig Lawson , 8 April 2021
The post The Industry Applauds MVISION XDR – Turning Raves into Benefits appeared first on McAfee Blogs.
We all like to think we’d know what to do if an emergency should occur. In split seconds, we try to recall the ratio of chest compressions to breaths of air learned in bygone health classes or that summer spent lifeguarding. We recognize the importance of a “to go” bag those final few days of pregnant pauses and false alarms before a baby arrives. We have seen enough television shows and cooking competitions to know Gordon Ramsey or Guy Fieri will be the first to scold us if we try to put out an erupted kitchen grease fire with anything other than salt and smothering.
We pick up a fair amount of knowledge and traits along the way to employ should disaster strike – and we absolutely take necessary precautions if we are knowingly in harm’s way. For example, those that live within a fault line’s reach are apt to prefer housing with stronger foundations and reinforced windowpanes. If you choose to live close to the warm waters of the Atlantic Ocean’s “hurricane alley,” you most likely know the fastest route to a causeway. An underground storm shelter to escape a tornado’s wily path can certainly come in handy.
We are taught that “hindsight is 20/20,” and that harboring regret is top on the list of feelings to avoid most throughout life. We obey the mantra many scouts learn in youth – being prepared – to the best of our ability. While earth’s natural disasters may never be preventable, it is clear preparation and readiness to face the inevitable can be a key differentiator when it comes to damage that can be incurred.
So far in 2021, we have witnessed major infrastructure impairments, interrupted supply chains, and havoc wreaked on local and federal economies.
This did not happen due to volcanic eruptions, tsunamis, nor mudslides, but rather through security breaches and attacks. And despite headlines shouting and nearly every security vendor urging enterprises the world over that cyberattacks are posed to continue to increase both in frequency and sophistication, especially ransomware threats, organizations have more often than not found themselves on the receiving end of hindsight and regret when it comes to these man-made, modern-day disasters.
So, the question begs to be asked, if the damages mentioned above could have been lessened or avoided through preparation and readiness, why is it still so difficult for CISOs to convince the c-suite that it’s better to be prepared for cyber-disaster, than sorry?
Staying safe and secure is the main goal in any disaster or emergency, but another less-talked-about goal is obviously to avoid what could have been prevented. The phrase, “I told you so,” will never land softly or kindly, especially when you are left surveying the ravaged ruins of what is left in the aftermath.
Many CISOs and SOC workers have encountered this situation recently, mentally kicking themselves or expressing frustration analyzing and evaluating breaches or attacks after they have occurred. Of course, the vulnerabilities are crystal clear when security experts look back on what happened, but muddy and missed when they play out in real time.
Scientists will inform us when a volcanic eruption may be imminent; a tornado will be prefaced with a loud siren meant to be heard throughout the county or immediate area; we often see tropical storms gain momentum and destructive qualities far before they transition to hurricanes and make landfall. This is to say, when it comes to natural disasters, they’re going to happen regardless, but damage prevention is dependent on prediction and experience.
Carefully measured and monitored gaseous pressure under the earth’s surface will indicate when a volcano may be imminent. Because of this, volcanologists can attempt to forewarn residents to vacate an area before disaster hits. This outcome is expected, and systems and processes are in place to thwart damage as much as possible. I imagine along with scientists; we’d be quite surprised if a volcano suddenly started spewing mass quantities of water instead of magma and ash.
We rely on patterns from previous incidents when it comes to geological acts of nature, but in the cybersecurity industry, disasters are man-made, and progressively more dangerous – created with motive, intent, and intelligence.
With cybercriminals, attacks have been unpredictable and indiscriminate. They are infiltrating via multiple attack vectors; sitting unknowingly across networks and systems, leeching data from an organization; and altering entire courses of business as resources are used to bring systems back online, determine causes, and quickly implement solutions. In short, cybercriminals are serving up water when we expect magma nearly every single time and enterprises are struggling to keep up.
The rulebook of what can be planned for and prevented has narrowed. Enterprises need to adopt an updated mindset, knowing that like a natural disaster, damage prevention from a cyber-disaster is dependent on prediction and experience.
We are going to continue to get water when we expect magma, flames when we’re on the lookout for floods, and harsh winds when we anticipate rumbles. Powered by human intelligence, cybercriminals will continue to evolve threats, it will just be a matter of who can stay one step ahead – the good guys or the bad guys. The only constant isn’t a matter of if an attack will happen, but when.
A movement toward proactivity instead of reactivity when addressing a breach or attack after it occurs is crucial against today’s cybercriminals. Organizations must recognize that no industry is immune to cybercriminals and get a better handle on SOC functions and processes, and control over where data travels and lies.
This can mean a massive overhaul of a security stack to streamline solutions and expose manual or siloed processes that can lead to hidden vulnerabilities, evaluating security staff and talent to create better efficiencies, or embracing AI-guided tactics to automate activities and provide quick, actionable next steps should a breach occur.
Early adopters of extended detection and response (XDR) technology are already seeing the benefits this proactivity can hold. The simple, unified visualization XDR provides is a strong vantage point for enterprises seeking greater situational awareness, enhanced insights, and faster time to remediate threats across all vectors from endpoint, network, and the cloud.
Today, the warning siren that disaster is forthcoming has been sounding for a while. Enterprises need to take heed of the alarm to thwart as much damage as possible, as like natural disasters, a cyber-disaster can lead to massive destruction and upheaval.
Want to learn more about McAfee’s XDR technology? Check out McAfee MVISION XDR.
The post Time to Batten the Cyber-Hatches appeared first on McAfee Blogs.
Mobile phones have gone through an incredible transformation since their inception in the 1970s. Now, the sheer number of applications is dizzying, as are their privacy policies; however, smartphone apps can bring hours of fun and belly laughs, and occasionally, a viral app captures the world’s attention. Don’t let potential risks to your personal information safety ruin all smartphone apps for you. All you need to share and play safely is a few tips to help you identify which apps are OK to use and how to navigate them intelligently.
Check out these four viral apps that may be putting your personal information at risk, plus a few tips that’ll help you enjoy smartphone apps safely.
Voilà AI Artist is a trending app that reimagines your face as a cartoon, caricature, or model of fine Renaissance art. Users can snap a selfie with the app or allow the app to access their photo library. According to WIRED, the app says it deletes users’ photos from its database in 24 to 48 hours, though it’s difficult to confirm that they aren’t stored.
Approach any app that could potentially use and store your likeness with caution. Deepfake technology is becoming more sophisticated and common by the day. Deepfakes are fabricated videos, images, or sound clips of every day or famous people based on real videos and images. Fake media impacts the victims whose likenesses are used because often the media is demeaning or incendiary. Voilà AI Artist hasn’t been suspected of any wrongdoing, but it’s best to be aware of how your face could be used to endorse something you don’t agree with.
Another face-altering app that could pose a risk to users’ privacy is FaceApp. Similar to Voilà AI Artist, it’s unclear what the app does with your likeness once you allow it to take your picture. FaceApp’s terms of use agreement outline that the selfies uploaded to the app belong to the app. From there, the app is free “to use, reproduce, modify, adapt, create derivative works from, distribute, perform, and display your User Content.” This line of fine print should make users pause. Again, users’ faces could be used in ways they wouldn’t normally agree to.
While the Pokémon Go craze of 2016 has greatly subsided, the next viral app that sweeps the world could replicate the security vulnerabilities the premise presents. Pokémon Go uses augmented reality, which is the kind of technology that makes it look like a Pokémon is strolling across your living room. The app can access your camera, as well as your contacts, pictures, chats, and location. It’s a blast exploring your neighborhood looking for animated critters and seeing nearby strangers’ profiles pop up on your map; however, be wary of sharing location data and images of the inside of your home with people you don’t know in real life.
TikTok may pose a risk to users’ data privacy. TikTok is under suspicion for using data mining tactics. Data mining is a practice where corporations harvest personal details from user-profiles and share them with advertising, marketing, and analytics companies. According to Business Insider, TikTok collects more than 50 kinds of data from users as young as 13 years old, including age, gender, location, and online habits. These facts are often used to create targeted ads that sometimes border on an invasion of privacy.
Check out these tips to make sure you’re prepared to use apps safely or help you decide to skip trends entirely.
The post 4 Viral Apps Risking Your Personal & Smartphone Security appeared first on McAfee Blog.
T-Mobile, the popular US mobile phone service provider, recently confirmed a data breach affecting 7.8 million current customers and 40 million records from past or prospective customers. The stolen data included customer names, dates of birth, social security numbers, and driver’s license information. Fortunately, subscriber credit card information and other financial details were not affected in the breach.
Even though financial data was spared in the breach, the types of information stolen, along with the vast volume of affected subscribers mean that all T-Mobile subscribers should take immediate action to secure their identities and accounts online.
This is the immediate step all affected subscribers should take.
As part of T-Mobile’s response, they are offering an identity protection service exclusively to all affected customers, free for two years. This identity protection service gives customers the ability to monitor personal info, including your SSN, bank account numbers, debit cards, email addresses, phone numbers, and more. If info is found on the dark web, customers will receive guidance to help secure online accounts. Should identity theft occur, the identity protection service includes fraud resolution support and identity theft insurance for peace of mind. The free 24 months of identity protection will be delivered directly by T-Mobile. The company is also encouraging customers to sign up for their Account Takeover Protection service.
One lesser-known type of data stolen in the breach was International Mobile Equipment Identity (IMEI) numbers, which allow individual devices to be identified on a mobile network. Access to IMEI numbers could enable SIM-swap attacks which make account takeovers possible. With an account takeover, two-factor authentication through text message becomes vulnerable, allowing hackers potential access to bank accounts, among others. App-based multi-factor authentication, using a solution like Google’s Authenticator, allows you to authenticate your identity from other devices, instead of having authentication tied to your mobile phone number.
T-Mobile will be contacting impacted customers directly. However, cybercriminals and scammers may also take advantage of this data breach to scam people using email. They will often pose as major corporations or other trustworthy entities to trick you into willingly providing information like website login credentials or, even worse, your credit card number. We’ve provided additional information here to help you to recognize legitimate emails.
In its simplest form, your digital identity is made up of a whole host of things that can be traced back to you and who you are. This includes email accounts, cell phone numbers, bank accounts, your tax ID, and more. Read our additional tips to protect your digital identity.
For regular updates and official news from T-Mobile, visit their Newsroom blog here.
The post T-Mobile’s data breach exposes the personal data of 40 million appeared first on McAfee Blog.
The security operations center (SecOps) team sits on the front lines of a cybersecurity battlefield. The SecOps team works around the clock with precious and limited resources to monitor enterprise systems, identify and investigate cybersecurity threats, and defend against security breaches.
One of the important goals of SecOps is a faster and more effective collaboration among all personnel involved with security. The team seeks to streamline the security triage process to resolve security incidents efficiently and effectively. For this process to be optimized, we believe that ruthless prioritization is critical at all levels of alert response and triage. This ruthless prioritization requires both the processes and the supporting technical platforms to be predictive, accurate, timely, understandable for all involved, and ideally automated. This can be a tall order.
Most SecOps teams are bombarded with an increasing barrage of alerts each year. A recent IBM report also found that complexity is negatively impacting incident response capabilities. Those surveyed estimated their organization was using more than 45 different security tools on average and that each incident they responded to required coordination across around 19 security tools on average.
Depending on the enterprise size and industry, these tools may generate many thousands of alerts in periods ranging from hours to days, and many of them may be redundant or no value. One vendor surveyed IT professionals at the RSA conference in 2018. The survey results show that twenty-seven% of IT professional’s receive more than 1 million security alerts daily[1].
The cost and effort of reviewing all of these alerts are prohibitive for most organizations, so many are effectively deprioritized and immediately ignored. Some surveyed respondents admit to ignoring specific categories of alerts, and some turn off the security alerts associated with the security controls that generate much of the alert traffic. However, the one alert you ignore may have resulted in a major data breach to the organization.
Tier 1 SecOps analysts have to manage this barrage of alerts. They are surrounded by consoles and monitors tracking many activities within enterprise networks. There is so much data that incident responders cannot process but a fraction of it. Alerts pour in every minute and ratchet up the activity level and the attendant stress throughout the day.
A Tier 1 SecOps analyst processes up to several hundred alerts in a day that require quick review and triage. As the alert is logged, the Tier 1 SecOps analyst usually goes through a checklist to determine further prioritization and determine if further escalation is required. This can vary substantially depending on the automation and tools which support their efforts.
Once the alert is determined to be potentially malicious and requires follow-up it is escalated to a Tier 2 SOC Analyst. Tier 2 SOC Analysts are primarily security investigators. Perhaps only 1% or less are escalated to a Tier 2 SOC analyst for deep investigation. Once again, the numbers can vary substantially depending on the organization and industry.
Security investigators will use a multitude of data, threat intelligence, log files, DNS activity, and much more to identify the exact nature of the potential breach and determine the best response playbook to use. In the case of a severe threat, this response and subsequent remediation must be done in the shortest possible amount of time, ideally measured in minutes if not just a very few hours.
In the most dangerous scenario that a threat actor has executed what is determined to be a zero-day attack, the SOC team works with IT, operations, and the business units to protect, isolate, and even take critical servers offline to protect the enterprise. Zero-day attacks raise the SOC to a war footing, which, if properly and rapidly executed against the team’s playbooks, can help mitigate further damage from what is otherwise previously unknown attack techniques. These require the skill and expertise of advanced security analysts to help assess and mitigate complex ongoing cyberattacks.
Given the barrage of alerts, it is essential to adopt a strategy to fit best the capabilities of your team against a priority-driven process. This allows you to optimize your response to alerts, best manage the resources on the SecOps team, and reduce the risk of a dangerous breach event.
There are several strategic views that SOC leadership can take on how to best approach prioritization. These include data driven strategies using tools like DLP, threat driven strategies to bolster defenses and shorten reaction time to threat vectors active in your industry and geography, and perhaps asset driven strategies, where certain assets will merit enhanced protection and priority driven escalation for alerts. Most organizations find that an integrated mix of these strategies addresses their overall needs.
The first approach to prioritization, consistent with the tenets of zero trust, is to take a data-driven approach. Customer data and intellectual property are often at the center of every organization’s most protected jewels. One way to move this into focus within SecOps would be to implement Data Loss Prevention (DLP). Data loss prevention (DLP), per Gartner, may be defined as technologies that perform both content inspection and contextual analysis of data sent via messaging applications such as email and instant messaging, in motion over the network, in use on a managed endpoint device, and at rest in on-premises file servers or in cloud applications and cloud storage. These solutions execute responses based on policy and rules defined to address the risk of inadvertent or accidental leaks or exposure of sensitive data outside authorized channels.
Enterprise DLP solutions are comprehensive and packaged in agent software for desktops and servers, physical and virtual appliances for monitoring networks and email traffic, or soft appliances for data discovery. Integrated DLP works with secure web gateways (SWGs), secure email gateways (SEGs), email encryption products, enterprise content management (ECM) platforms, data classification tools, data discovery tools, and cloud access security brokers (CASBs).
Threat intelligence focuses on defense and triage priority from the data to external threat actors and the techniques they are most likely to utilize. Threat intelligence can give the SOC the data they need to anticipate threat actors and the Tactics, Techniques, and Procedures (TTPs) these threat actors might use. Further, threat intelligence can provide a path to recognize the often unique Incidents of Compromise (IOCs) that can uniquely identify a type of cyberattack and the threat actor that uses them. The goal, of course, is to identify and prevent these most likely attacks before they occur or stop them rapidly upon detection.
The consolation prize is also a good one. If you cannot prevent an attack, you must be able to identify an unfolding threat. You must identify the attack, break the attacker’s kill chain, and then stop the attack. Threat intelligence can also help you assess your environment, understand the vulnerabilities that would support the execution of a particular kill chain, and then let you move rapidly to mitigate these threats.
In August of 2020, researchers from Dutch and German universities[2] co-presented at the 29th Usenix conference on a survey they conducted. The survey showed that there is less overlap between threat intelligence sources than most of us would expect. This includes both open (free) and paid threat intelligence sources. The moral of the story is that large organizations likely need a wide set of threat intelligence data from multiple sources to gain an advantage over threat actors and the attack vectors they are likely to use. And these sources must be integrated into a common dashboard where SecOps threat investigators can rapidly leverage them.
Of course, certain assets are more valuable than others. This can be a function of the data they may uniquely hold, and the access to network, applications, and information resources frequented by their owners, or the level of criticality of the asset’s function. For example, the chief financial officer’s laptop may be assumed to be in possession of the most sensitive data, or medical device monitor during surgery or command controller for manufacturing production. Hence they may deserve higher priority in terms of protection.
MVISION XDR provides capabilities leveraging all of these prioritization strategies: data-driven, threat-driven, and asset-driven. On top of this MVISION XDR offers predictive assessment based on global threats likely to target your organization with a local assessment of how your environment can counter the threat. This “before the attack” actionable assessment is powered by the distinct MVISION Insights empowering SOC to be more proactive and less reactive. Here is a preview of MVISION Insights top ten threat campaigns. Here are some key prioritization examples delivered in MVISION XDR:
Key MVISION XDR Prioritization Examples
| Priority Strategy (ies) | Capability Description | Benefit & Value |
| Data-driven | Alert based on data-sensitivity | Focus on critical impact activity |
| Threat-driven | Automatic correlated threat techniques to derive at likely next steps | Gain confidence in the alert less false positives |
| Threat-driven | View trends and threat actors targeting your organization | Reduce the universe of threats and actors to those that matter |
| Asset-driven | Tag critical assets for automated prioritization | Address threats to critical assets faster |
MVISION XDR can help you implement and optimize your prioritization strategy. Your SecOps team will have the improved triage time they need with prioritized threats, predictive assessment, and proactive response, and the data awareness to make better and faster decisions. To learn more, please review our Evolve with XDR webpage or reach out to our sales team directly.
[1] https://www.imperva.com/blog/27-percent-of-it-professionals-receive-more-than-1-million-security-alerts-daily/
[2] https://www.usenix.org/system/files/sec20_slides_bouwman.pdf
The post The Art of Ruthless Prioritization and Why it Matters for SecOps appeared first on McAfee Blog.
Take a roll call of all your devices that connect to the internet. These include the obvious ones – laptops, tablets, and your smartphone. But they also include the ones you may not immediately think about, such as routers, smart TVs and thermostats, virtual assistant technology, and connected fitness watches and equipment.
Each of these devices is known as an endpoint to you. To a cybercriminal, they’re an entry point into your online information. It’s important to secure every endpoint so that you can confidently go about your day-to-day without worrying about your security. Here’s the definitive device security checklist to get you on your way confidently and safely.
Laptops and desktops are prime entryways into your online life. Think of all the payment information, passwords, and maybe even tax documents you store on it. The best way to protect the contents of your laptops and desktops is to password-protect your computer with strong passwords or passphrases. Here are a few password and passphrase best practices:
Especially if you work at common spaces like coffee shops, the library, or even your kitchen table, get in the habit of putting your computer to sleep when you step away. Commit the sleep command shortcut to memory to make it less of a hassle. For example, on Mac computers, the keyboard command is command + option + eject, and for Windows, it’s alt + F4.
Speaking of common spaces, whenever you log in from a public Wi-Fi network, always log in with a virtual private network (VPN). A VPN scrambles your data, making it indecipherable to any malicious characters who may be lurking on public networks.
Multifactor authentication is another way to protect your valuable devices and accounts. This means that anyone trying to log in on your device needs to provide at least two forms of identification. Forms of ID could include a text message with a one-time code or a fingerprint or face scan in addition to a correct password.
These two devices are grouped because the security features on them are similar. Just like with computers, put your device to sleep every time you walk away from it. It’s much easier and may already be in your routine to hit the sleep button when you put down your cellphone or tablet.
Always put a passcode on your smartphones and tablets. Choose a collection of numbers that do not have an obvious connection to you, such as important birthdays or parts of your phone number. Even if they’re a random assortment, you’ll get the hang of them quickly. Or to make sure only you can enter your phone, set up a facial or fingerprint ID scan. People have several passwords and account combinations they have to remember. To take the guesswork and trial and error of logging in, consider trusting your passwords to a password manager that can remember them for you!
A great mobile phone and tablet habit you should adopt is backing up your files regularly to the cloud. In the event that you lose your device or if someone steals it, at least it’s valuable — and in some cases, priceless — content is safe. You may be able to remotely “brick” your device to keep a stranger from breaking into your accounts. Bricking a device means remotely wiping a connected device and rendering it unusable.
Your router is the gateway to all the connected devices in your home; thus, it’s key to beef up its security. The best way to do so is to make sure that you customize the router name and password to make it different from the factory settings. Always password-protect your home router! Employing password best practices you use for your online accounts and your devices will prevent strangers from hopping onto your network. Another way to keep your Wi-Fi network out of the hands of strangers is to toggle on the setting to not appear to non-users. While it’s fun seeing the quirky names your neighbors choose for their home networks, it’s best to keep yours completely private.
There have been some unsettling reports about cybercriminals commandeering smart home devices and virtual assistant technology. For example, a cybercriminal hacked a homeowner’s virtual assistant and blasted music through the home’s speakers, and turn the heat up to 90 degrees. The key to securing the connected devices that are responsible for your heating and cooling, shopping lists, and even your home security system is to ensure it is connected to a secure router and protected by a strong password.
Also, keep an eye on software updates, which include security upgrades. If you don’t think you have time to manually update software, set up your devices to automatically update. This will give you peace of mind knowing that you have the latest security patches and bug fixes as soon as they are available.
IoT fitness watches and machines are fun additions to your workout routines. In the case of Peloton bikes, they track your heartbeat and location and offer a huge library of classes. However, cybercriminals may be able to track your workouts if they break their way into your fitness devices. The best way to keep your workouts private is to turn off geolocation and make sure you are up to date with all software releases and protect your accounts with strong passwords.
If you’re looking for a tool to put your mind at ease, consider McAfee Total Protection. It includes antivirus and safe browsing software plus a secure VPN. You can be confident that your personal information is safe, thus allowing you to enjoy the full potential of all your devices.
The post How to Secure All Your Everyday Connected Devices appeared first on McAfee Blog.
The internet’s greatest feat? Fundamentally shifting how we live. Once a revelation, it quickly set our long-standing beliefs about how we work, play, and connect into a whole new context.
Today, the shifts come fast. Video meetings once felt alien. Now, they’re part of our routine. We’ve gone from setting doctor’s appointments online to actually seeing the doctor online—and from family visits to seeing everyone in seconds on a screen.
At McAfee, we’ve seen our share of shifts as well. Looking back across our thirty-plus years, we were among the first to deliver antivirus technology. First to create a biometric password manager. First to give people an intuitive Protection Score, and so much more. And we’re not stopping. We’re protecting people and their ever-changing lives. That means covering all your life online, from security to privacy to identity, in a way that adds to your confidence and enjoyment too.
Confidence and enjoyment. Those two words mark our next shift in online protection. We’re bringing those feelings to life across the McAfee experience. And it’ll redefine the way you stay safe online.
Safety has an unmistakable feeling. As we bring that feeling to online protection, you’ll see a remarkable evolution. It will look and act in bold new ways, guide you, reassure you, and most importantly, keep you safe. In all, it’s a new breed of online protection that’s helpful, even thoughtful, in the ways it looks out for you.
And this evolution is already underway. You’ll find that feeling in everyday moments as we make them simpler, freer, and safer—such as paying your bills at a coffee shop, managing your family’s healthcare from your laptop, and booking flights to catch up with old friends. Across them all, our protection will have your back, and even offer guidance when needed, all while you do you—wherever your day takes you and no matter what “online” looks like next.
There’s simply so much to see out there. And with us by your side, you’ll feel safe and stay that way. Life online will continue to surprise us. In the best of ways. And people have a right to enjoy every moment of it, confident that they’re safe and secure, in ways they can point to and feel.
That’s our next big shift. Giving you the unmistakable feeling of safety. You deserve it. More than that, it’s your right. And we’re proud to bring it to you.
The post The Feeling of Safety appeared first on McAfee Blog.
FreshRSS 