Incident Response (IR), Security Intelligence & Analytics, Security Operations Center (SOC), Security Professionals, Security Solutions, Threat Intelligence

Level Up Security Operations With Threat Intelligence Cheat Codes

Few fields have experienced growth over the last two decades like cybersecurity and video gaming. Through the years, both industries have seen the rise and fall of incumbent players and the near-constant shift in consumer preferences. While learning how to embrace their own platform shifts, both fields have had to fundamentally reinvent themselves to adapt and survive.

Arcade-Style Silos Make Way for Plug-and-Play Solutions

For many people, their first memorable experience with video games was at an arcade. Arcade operators made heavy one-off investments for each new game that came out. For example, “Mortal Kombat 2” and its sequels did not build onto or integrate with the existing “Mortal Kombat” games. In many ways, this issue has also plagued cybersecurity, with the average organization deploying 80-plus point products from over 40 vendors.

The advent of the console flipped the gaming industry on its head. Rather than having to buy a new machine for each game, there was a single interface that ran multiple games — classic examples of which include the Super Nintendo Entertainment System (SNES) — where additional functionality was just a cartridge away. Rather than shelling out for singular monolithic solutions, consumers preferred modular platforms that enabled them to add additional games in a snap.

The consumer shift toward unified platforms is true today in security as chief information security officers (CISOs) look more for integrated solutions with the ability to add new features as their organization matures. But even as silos are broken down and security data becomes more unified, how can organizations derive actionable insights from the data to understand their adversary, reduce their investigation time and increase visibility into their environment?

What’s Video Game Design Got to Do With Threat Intelligence?

Threat intelligence means connecting specific threat identifiers across many cybersecurity tools and infusing that information into proactive investigation, incident response and remediation workflows. When designing a threat intelligence strategy that enables analysts to detect threats rapidly and security operations center (SOC) leadership to make informed decisions, it’s important to consider your organization’s unique needs based on factors such as industry, geography and the nature of your most critical assets.

Similarly, depending on the type of game and its objectives, video game designers choose to focus on varying aspects when developing a game, but three are always constant:

1. The Characters and Players

The good-versus-evil dichotomy is often invoked when talking video game character development; it’s also reflected in the constant game of cat-and-mouse between organizations and threat actors. Whether it’s Mario versus Bowser or analyst versus cyber adversary, it is important to understand the motivation behind attackers to better anticipate their next steps.

Whether that’s kidnapping the princess or exfiltrating sensitive information, security leaders can make informed risk management, organizational and staffing decisions by understanding how the enemy operates. By knowing, for example, that a specific threat actor is targeting their industry, analysts can quickly identify whether they are at risk of an exploit or take proactive steps to patch and protect potentially affected systems.

To invoke Sun Tzu, knowing your enemy is knowing yourself, so having a complete view of which attackers are targeting industry peers or geographic neighbors can give you a window into the mindset of the adversary and help your organization prepare stronger defenses by understanding the vulnerabilities before they become an attack.

2. Narrative and Gameplay

One element that separates some of the best games from the rest is a strong narrative element within a collaborative, multiplayer world. Designers carefully curate decision points for the user, having them make choices that potentially alter how the game unfolds. Threat intelligence guides users in their decision-making process to help inform all levels of the SOC. Tactical threat intelligence can be integrated into the workflow to help reduce false positives, enabling the frontline analyst to quickly decide what is real and what is noise. And for tier-two and -three analysts, who proactively hunt threats and facilitate incident response, having information on a particular actor’s tactics, techniques and procedures (TTPs) can help them make better day-to-day decisions on task prioritization, threat mitigation and resource allocation.

As the trend has been in recent years, single-player modes are being phased out in favor of multiplayer online games. In these games, there is a strong need for communication and collaboration, since most are team-based and the success of the individual depends on the success of the team. Even though analysts may sometimes feel that they’re fighting the battle alone, cybersecurity is a team sport. Threat intelligence is collaborative by nature, with many feeds being driven by a combination of individuals sharing information with others in their industry and validated information from threat researchers.

Threat intelligence can be the unifier for members of the security operations center to collaborate when dealing with investigations and incident response. When teams have identified a validated threat and need to investigate or initiate a response workflow, threat intelligence solutions can integrate with incident response and case management tools to enrich playbooks with specific information about the threat. When it’s all hands on deck, teams can quickly collaborate and add additional indicators as they build the investigation and search threat intelligence for more relevant information.

3. Repeat Playability

The best games are not only fun to play once, but over and over again for years — what gamers refer to as repeat playability. Organizations typically deploy multiple threat intelligence feeds of varying quality for broad and overlapping coverage. While having more data at your teams’ fingertips is generally a good thing, increased visibility often comes at a cost. Gone are the days when security teams could get by with multiple static dumps of comma-separated values (CSVs) of indicators of compromise (IoCs). Even with just four threat intelligence sources that each provide 300 indicators a day, teams are receiving almost 500,000 indicators a year.

Analysts are overwhelmed, spending hours sifting through data searching for what feels like a needle in a needle stack to find bits of actionable information. The repetitive nature and sheer volume of their workload, coupled with the cybersecurity skills gap, often lead to analyst burnout. When potential threats are automatically prioritized based on severity, investigation time drops and analysts can focus on only the most critical threats to their organization.
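The overlap and volume problem described above can be made concrete with a small feed-merging script. This is an added example, not code from the original post or from any product it mentions: the feed names, severity scale, scoring weights and indicator values are all constructed for illustration (addresses come from the RFC 5737 documentation ranges). It collapses the same indicator reported by several feeds into one record, ranks records by severity and by how many feeds corroborate them, and projects the yearly indicator count the text quotes.

```python
"""Merge overlapping threat-intelligence feeds and rank indicators.

Added illustration; every feed, severity label and indicator value below
is constructed for the example and is not from any real feed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Severity scale assumed for the example (real feeds rarely share one).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Indicator:
    """One de-duplicated indicator plus everything the feeds said about it."""
    kind: str                     # "ip", "domain" or "sha256"
    value: str
    sources: set = field(default_factory=set)
    max_severity: int = 0
    tags: set = field(default_factory=set)

    def priority(self) -> int:
        # Assumed weighting: the highest severity any feed assigned dominates;
        # each additional feed that independently reports the indicator adds
        # a smaller corroboration bonus.
        return self.max_severity * 10 + (len(self.sources) - 1) * 3


def normalize(kind: str, value: str) -> str:
    """Canonical form so one IoC written two ways collapses to one key."""
    v = value.strip()
    if kind in ("ip", "domain"):
        # Feeds often ship defanged values such as "bad[.]example".
        v = v.replace("[.]", ".").replace("(.)", ".").lower()
    elif kind == "sha256":
        v = v.lower()
    return v


def merge_feeds(feeds: Dict[str, Iterable[dict]]) -> Dict[Tuple[str, str], Indicator]:
    """Fold every feed entry into a single record per (kind, value)."""
    merged: Dict[Tuple[str, str], Indicator] = {}
    for source, entries in feeds.items():
        for entry in entries:
            key = (entry["kind"], normalize(entry["kind"], entry["value"]))
            ind = merged.setdefault(key, Indicator(kind=key[0], value=key[1]))
            ind.sources.add(source)
            sev = SEVERITY.get(entry.get("severity", "low"), 1)
            ind.max_severity = max(ind.max_severity, sev)
            ind.tags.update(entry.get("tags", ()))
    return merged


def ranked(feeds: Dict[str, Iterable[dict]]) -> List[Indicator]:
    """Highest-priority indicators first; ties broken deterministically."""
    return sorted(merge_feeds(feeds).values(),
                  key=lambda i: (-i.priority(), i.kind, i.value))


def projected_annual_volume(feed_count: int, per_feed_per_day: int, days: int = 365) -> int:
    """Raw indicator count a team would ingest per year before de-duplication."""
    return feed_count * per_feed_per_day * days


# Constructed sample feeds: four sources, eight raw entries, five unique IoCs.
SAMPLE_FEEDS = {
    "feed_a": [
        {"kind": "ip", "value": "198.51.100.23", "severity": "high", "tags": ["c2"]},
        {"kind": "domain", "value": "update-check[.]example", "severity": "medium"},
        {"kind": "sha256", "value": "A" * 64, "severity": "low"},
    ],
    "feed_b": [
        {"kind": "ip", "value": "198.51.100.23", "severity": "medium", "tags": ["scanner"]},
        {"kind": "domain", "value": "UPDATE-CHECK.example", "severity": "high"},
        {"kind": "ip", "value": "203.0.113.9", "severity": "low"},
    ],
    "feed_c": [
        {"kind": "ip", "value": "198.51.100.23", "severity": "critical"},
    ],
    "feed_d": [
        {"kind": "sha256", "value": "b" * 64, "severity": "critical"},
    ],
}

if __name__ == "__main__":
    print("yearly raw volume for 4 feeds x 300/day:",
          projected_annual_volume(4, 300))
    for ind in ranked(SAMPLE_FEEDS):
        print(f"{ind.priority():3d} {ind.kind:7s} {ind.value[:24]:24s} "
              f"sources={sorted(ind.sources)} tags={sorted(ind.tags)}")
```

The merged record for 198.51.100.23 keeps the tags from every feed and rises to the top because three sources agree on it, while a single-source critical hash ranks above a two-source high-severity domain under the assumed weights.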

Up, Up, Down, Down, Left, Right, Left, Right

With actionable and relevant threat intelligence, security teams have the ability to see the previously unseen and significantly accelerate the way they work. Just like the Konami Code did for “Contra,” threat intelligence can provide organizations with security operations cheat codes to gain the competitive advantage they need to combat cybercriminals.

Register for the May 2 webinar to learn how to unlock threat intelligence easter eggs

The post Level Up Security Operations With Threat Intelligence Cheat Codes appeared first on Security Intelligence.
Author: Jeremy Goldstein

Artificial Intelligence (AI), CISO, Collaboration, RSA Conference, Security Conferences, Security Leaders, Security Leadership, Security Operations Center (SOC), Security Products, Security Professionals, Security Solutions, Skills Gap

Rewrite the Rules to Reduce Complexity in Your Security Architecture

Complexity as it relates to security architecture is attracting a lot of attention. At RSA Conference (RSAC) earlier this year, I saw complexity discussed at multiple vendor booths and in several presentations. But what does it really mean? And is it really that bad?

To get to the root of why complexity is such a challenge, I think you have to take a step back and look at what it is that makes security architecture so complex. One look at the RSAC 2019 exhibit hall provided a clue.

Walking the exhibit floor, I was struck over and over by the sheer number of vendors exhibiting this year. Every inch of space was used to show new products, services, approaches, integrations — you name it. It was noisy and overwhelming for me, and I can only imagine what it must have been like for security directors who were walking around trying to make sense of what was new.

I think the crowded RSAC expo floor is an accurate representation of one of the biggest conundrums in cybersecurity: It is an industry in constant flux. Every day, there are new attacks, updated methods and changing compromise patterns in addition to changing regulatory standards and new business initiatives that need to be evaluated for risk. And since every business has its unique needs and requirements, it’s really no surprise that there are multiple ways to approach a problem, and thus a plethora of products and services available.

Without a doubt, variety is essential for empowering customers to opt for solutions that work best for their unique situations. However, this singular approach to problem solving has created an incredibly complex environment for security organizations to manage, and that has consequences.

“At any given time, the analysts in our security operations center are looking at 10–20 windows open per product,” said Devin Somppi, lead of security operations at BriteSky. “While each of my analysts is an expert in their role, sharing information across these fields is a challenge.”

Somppi referred to his team as the “human glue” binding all of their different security applications. What he means is that many of the individual security solutions produce data that must be analyzed and acted upon. On an individual level, this works great. However, when investigating a multilayered security incident, the data must be shared among the analysts, and that takes time.

“Take, for example, a very common incident: a targeted phishing attack,” said Somppi. “First surfaced through a SIEM, an analyst reviews the situation and kicks off an investigation. This involves multiple parts: checking with your threat intelligence team to run the file against the latest information, getting information from your email security appliance for headers to see if it’s been spoofed, notifying the user of the compromise. This process does work — we make it work — but it can be slow and arduous when that information is spread across multiple teams.”

That kind of delay can be disastrous for end users.

It’s Time to Think Differently About Security

In their RSA Conference session, Somppi and IBM Security Chief Technology Officer Sridhar Muppidi discussed how the biggest hurdle for the security industry — vendors — will be rethinking its approach to security.

“We really have to start looking at security as a team sport,” said Muppidi. An avid cyclist, Muppidi used the example of a peloton from his college cycling days.

“I’m not much of a sprinter, but I’m great at hills,” he said. “There are others in our group where sprinting was their strength. And once we started communicating and leveraging our individual strengths, we not only improved in our race, but as a whole we became much more efficient. The same can be true for security.”

Thinking of security as a team sport shouldn’t be too hard; after all, our adversaries do this very well. Most attackers buy, sell and trade secrets. They share data, swap methodologies and collaborate on processes, all in the name of compromising their targets. So why shouldn’t we defenders adopt the same approach?

The easy answer is that we should. As security vendors, when we communicate better — when we share information and leverage each other’s strengths — we enable organizations to actively defend their networks. More importantly, we empower them to grow their businesses.

The harder question is, how do we do it? In their joint session at RSAC 2019, Muppidi and Somppi laid out three ways the cybersecurity industry can rethink its approach and be more collaborative in its defense.

1. Break Down Silos Among Vendors

In the current environment, each security vendor has its own way of capturing information and it is very hard to integrate that data. While this works to address security issues at an individual level, this siloed approach to using and viewing security data is limiting the potential of not only our clients, but also what we as security vendors can do.

“In order for organizations to really see what cybersecurity can do for their business, we have to break down the silos we’ve built as vendors,” Muppidi said. “This means unifying not only technical capabilities like our APIs or our use of microservices, but also the overall experience. That requires addressing things like different views on data privacy or getting over our ‘competitive’ mindset.”

This is not easy to do, but it ultimately provides a better cybersecurity experience for organizations that are already struggling.

2. Rethink the Role of Security Analysts by Embracing Artificial Intelligence

Artificial intelligence (AI) will play a pivotal role in how we approach security in the coming years. AI will become the connective tissue between products, decreasing the need for the “human glue” Somppi described as the current approach to information sharing between technologies.

“We will always need analysts,” said Somppi. “But they’ll be augmented by AI, and we’ll need to rethink the way they work. Analysts need to be the experts, but AI needs to be the glue.”

Ultimately, using AI to reduce the time it takes to connect data insights will make security stronger and our analysts less stressed.

3. Redefine Success as It Relates to Securing the Business

Every organization has a different measure of success when it comes to security. For some, success means speeding up the time it takes to detect a threat. Others are more concerned about how long it takes to remedy the situation, or maybe it’s all about applying lessons learned to make sure it doesn’t happen again. Without a doubt, these are all important, but we need to think differently.

“What if success means getting your SOC analysts home in time for dinner with their families?” Muppidi asked. When considering the predicted security skills gap, reducing the stress among your security analysts is a critical measure of success.

“Finding resources tends to be a challenge for our industry,” said Somppi. “I can find technology for anything and everything, but to have someone who can utilize that technology is incredibly difficult. I don’t want to burn them out.”

In addition to keeping them engaged and interested in their area of defense, it’s also critical to reduce the rate of analyst burnout. By reducing workload and stress, you can empower your SOC analysts to focus on fewer, but higher-value projects that are more strategic to the organization and are focused on growth.

Less Is More When It Comes to Your Security Architecture

The main takeaway from Somppi and Muppidi’s RSAC session is that it’s time for cybersecurity professionals to collaborate more and compete less. By breaking down silos among security teams and vendors, augmenting human intelligence with AI and machine learning, and empowering analysts to do more impactful work under less pressure, chief information security officers (CISOs) and business leaders can improve security output while also reducing the number of security products needed to protect the enterprise. Put simply, it’s time to make less matter more.

The post Rewrite the Rules to Reduce Complexity in Your Security Architecture appeared first on Security Intelligence.
Author: Jennifer Glenn

Incident Management, Incident Response, Incident Response (IR), Incident Response Plan, Security Information and Event Management (SIEM), Security Operations and Response, Security Operations Center (SOC), Security Products, Security Professionals, Security Solutions, Threat Intelligence

SOAR: The Second Arm of Security Operations

While security information and event management (SIEM) is rightly considered an indispensable tool for detecting and managing threats, it can only do so much good if you merely detect threats without responding to them. Successful threat management demands rapid incident response, yet security operations teams tend to overemphasize detection at its expense.

How can organizations both empower their responders to remediate threats quickly and strengthen their security posture to prevent data breaches in the first place? The answer is security orchestration, automation and response (SOAR).

SOAR Solutions Add Context to SIEM Data

SIEM solutions are now deployed in virtually every large enterprise, and for very good reason. In the U.K., in fact, the RM3808 regulation precludes any organization from bidding for public sector network services work unless it has a SIEM solution in place. This makes sense: Companies should be monitoring their events and data flows if they expect to detect threats to their information or that of their customers.

SOAR tooling enables security operations teams to automate the tedious and repetitive elements of their workflow that don’t require human oversight and instead focus on more mentally challenging tasks that call for discernment and judgment. The best SOAR solutions enrich and contextualize threats to help analysts quickly triage cases according to the severity of the risk, sensitivity and/or criticality of the business functions under threat.

Many of the remedial tasks that fall under the analyst’s supervision, such as isolating endpoints, can be orchestrated with a SOAR platform via application programming interfaces (APIs). Faster remediation leads to earlier resolution of incidents in the attack chain, which greatly reduces the risk of a data breach.

A Force Multiplier for Understaffed Security Operations Teams

Even if you had an unlimited security budget at your disposal, you would still struggle to hire the caliber and quantity of talent you need to stay on top of the constant barrage of threats to your organization. According to Cybersecurity Ventures, the cyber skills shortfall is expected to hit 3.5 million unfilled positions by 2021. This is one of the reasons why white hats are lagging behind the increasingly sophisticated threat landscape in the cyber arms race.

SOAR solutions can help organizations address the talent gap by lightening analysts’ manual workload and sharpening their ability to prioritize the most pressing threats and remediate them quickly.

Enrichment and Contextualization: Where SIEM Ends and SOAR Begins

There is a degree of overlap in how vendors describe the enrichment and contextualization functionalities of their SIEM and SOAR solutions. It’s common for both products to claim that they enrich, contextualize and help triage threats. But where does SIEM end and SOAR begin?

SIEM is all about detection. The amount of automation and orchestration required for swift incident response cannot be carried out at the detection layer. If a SIEM tool processes between 10,000 and 500,000 events per second — as it does in most cases — the computing resources required are simply not available to enrich this volume of data. So why can’t the enrichment take place once the SIEM tool has generated an offense or incident?

For the average enterprise, at most about 80 percent of incidents originate from SIEM. It’s important to channel incidents generated by data loss prevention (DLP) tools, managed service alerts, phishing reports and investigations into one place so your security operations center (SOC) analysts or computer security incident response team (CSIRT) can contextualize and act upon them. SIEM tools are not optimized to support this alongside the mammoth task of analyzing enormous reams of events and data flows according to predefined correlations and indicators of compromise (IoCs). Endpoint detection and response (EDR) and threat intelligence platforms are not integrated with the SIEM either, so the SIEM only assists with part of the investigation process.

Lastly, case management is arguably the most crucial feature set within incident response. Cybersecurity playbooks have become enormously complex, and the level of effort and cost needed to build them into the detection layer is often prohibitive.

Why Detection Alone Is Not Enough

It goes without saying that well-calibrated detection tools give the incident response function the data it needs to remediate threats. But having well-defined incident response plans can also help sharpen and refine the rules and use cases you use to calibrate your SIEM solution. The benefits are bidirectional: What correlations and indicators are you looking for? Why are you looking for them? Once you find them, what is the incident response plan?

One of our clients recently enacted a protocol whereby detection use cases are only written if they have an associated incident response plan. If you want to write SIEM rules for the sole purpose of visibility and metrics, that’s all well and good. However, being deliberate and honest about this will keep your operations more streamlined.

If your function is willing to spend thousands or even millions on SIEM solutions but not prepared to deal efficiently with the alerts being outputted, what is the value of that investment? Why wait until your SIEM tool is churning out alerts before realizing that your team is overwhelmed?

Clients of ours that have run parallel SIEM/SOAR proofs of concept (POCs) have saved significant amounts of time and effort compared to those that have undergone an arduous SIEM POC only to have to follow up with another SOAR POC. In one case, a client even decided to switch off its SIEM solution until it had implemented a SOAR tool to help it deal with the torrent of alerts. Given that SIEM and SOAR are two sides of the coin that comprises security operations, why serve these POCs consecutively when they can be executed concurrently?

The post SOAR: The Second Arm of Security Operations appeared first on Security Intelligence.
Author: Cian Walker

Artificial Intelligence (AI), breach, C-Suite, CISO, Collaboration, Cybercrime, Cybersecurity Jobs, Cyberthreats, Internet of Things (IoT), Malware-as-a-Service (MaaS), Managed Security Services (MSS), New Collar, RSA Conference, Security Professionals, Security Services, Security Spending, Skills Gap, Threat Sharing

Stressed to Impress: Evolving Threats Raise the Stakes on Shared Security Culture

Cybersecurity experts are working longer hours and tackling more complex challenges as threat landscapes continue to evolve. Survey data from Farsight Security found that more than half of security professionals work weekends and nearly 30 percent work 10 or more hours a day. But companies still face a jobs shortfall: As reported by TechCrunch, research from (ISC)2 suggests a jobs gap of more than 3 million positions worldwide.

The result is no surprise; cybersecurity professionals are tasked to do more with less and deliver better results. One solution to this problem involves a necessary shift to improve security culture across three key areas: intraorganizational, interorganizational and metaorganizational.

Big Spend, Bigger Breaches

Before committing resources to shift culture and solve security problems, enterprises need to know what they’re up against. When it comes to defending against advanced cyberthreats, organizations face multiple areas of concern.

Growing Costs

According to Forbes, companies must be ever-vigilant for the “Big One,” the cybersecurity incident that will have disastrous consequences for a major enterprise, key infrastructure or even society as a whole. Add in the ever-present threat of smaller breaches due to new exploits or existing vulnerabilities, combined with the need to remediate these issues ASAP, and it’s no surprise that the global cost of cybercrime could reach $6 trillion annually by 2021, according to Cybersecurity Ventures.

Increasing Scope

RSA Conference 2019 had a simple theme: “Better.” The notion was a catchall, a way to acknowledge that all areas of cybersecurity — from frontline defenses to detection systems to user access processes — require ongoing support and improvement. As noted by ZDNet, however, this growing emphasis on continual improvement speaks to the ongoing success and increasing scope of new threat vectors; despite the industry’s best efforts, threat actors are still coming out ahead.

Trending Threats

Speaking of IT threats, information security professionals are faced with an evolving marketplace, one in which cybercriminals are willing to collaborate on new projects and cultivate as-a-service alternatives to compromise corporate networks. For example, CSO Online reported that attackers are now targeting enterprise video conferencing systems with internet of things (IoT) botnets, while Futurism spoke to the rise of the industrial safety system-disabling malware Triton — unchecked, this kind of infection could cause both financial and physical harm.

Mind Over Matter?

While C-suites have embraced the notion of cybersecurity as a business driver, effective change demands expert support. As noted by the MIT Technology Review, security professionals are stressed. Cybersecurity conferences now regularly feature community health sessions and tracks dedicated to helping IT experts manage their stress and ensure job demands don’t lead to negative consequences in other areas.

What’s stressing IT right now? A quick rundown includes:

  • Malware-as-a-service (MaaS) — According to Bleeping Computer, MaaS markets are rapidly expanding as malicious code makers recognize the value in selling and supporting threat infrastructure rather than assuming the risk of a direct attack. These markets “provide a huge trove of malicious tools and services.”
  • Missing money — Spending isn’t keeping up with new cyberthreats. As Forbes pointed out, while some institutions such as banks are ramping up their infosec budgets, others — such as government agencies that regulate critical utilities like power and water — aren’t keeping pace. The bottom line is that paltry budgets continue to plague information security efforts.
  • Moving target — Organizations are struggling to close the cybersecurity skills gap. This leaves existing professionals on the hook to do more with less while also finding ways to stay ahead of new IT threats.

The takeaway here is that cybersecurity employees have the right mindset but are often missing the material components required to effectively manage security expectations.

The Organizational Imperative

Evolving threats, employee stress and emerging expectations demand a fundamental shift, one that prioritizes companywide security culture over the siloed approaches of traditional IT infrastructure. Embracing this organizational imperative requires adaptation across three key areas.

1. Intraorganizational

Corporate end users — from frontline staff to managers and stakeholders — are the primary consumers of IT services and solutions. As a result, without intraorganizational support in the form of security-first culture, cybersecurity professionals face a losing battle. According to IBM security experts, making the shift requires “muscle memory” — security processes must be “required, enforceable and, above all, easily incorporated into the daily life of your users.”

Shifts in perception are also critical: creating a security-first culture means recognizing the role of security spending and solutions in revenue generation rather than merely in cost mitigation.

2. Interorganizational

Historically, organizations have been loath to share security data, especially when it points to evidence of compromise or network vulnerability. The problem with this is that malicious actors aren’t shy about sharing attack data, putting cybersecurity in the untenable position of facing superior numbers armed with better intelligence. As the Federal News Network noted, this is starting to change — for example, the DoD-backed Security Coordination Center (SCC) focuses on threat sharing and mitigation to reduce attack impact.

Private companies must do the same. Interorganizational cooperation is no longer optional in the fight against opportunistic cybercriminals.

3. Metaorganizational

To reduce IT stress and improve overall defense, enterprises must think outside the box.

When it comes to bridging the skills gap, for example, companies are well-served with a new collar approach — leveraging new or existing staff who may not possess traditional college degrees but have the needed technical skills, aptitudes or passion for cybersecurity. This allows companies to fill critical positions without having to wait for the “perfect” candidate.

Another option? Managed security services designed to strengthen information security defenses and lower total costs. The right third-party partner can help deliver services, such as custom-built firewalls, intelligent log management and cloud-based intrusion detection, allowing cybersecurity specialists to focus on mission-critical initiatives.

Emerging solutions such as artificial intelligence and intelligent orchestration also offer key benefits. By automating essential, data-driven services, such as attack response, data breach notification and real-time productivity measurement, C-suites gain critical transparency while IT professionals get improved access to the information they need, when they need it.

Security Culture Must Adapt

Cybersecurity professionals are stressed, and with good reason: the stakes are higher than ever. They’re tasked with impressing C-suites, evading threats and improving infrastructure, but are hampered by time limitations, budget constraints and personnel gaps.

Bolstering IT and boosting the bottom line demands a critical shift. Security culture must adapt across intraorganizational, interorganizational and metaorganizational lines to empower shared responsibility, encourage honest collaboration and embrace new information security approaches.

The post Stressed to Impress: Evolving Threats Raise the Stakes on Shared Security Culture appeared first on Security Intelligence.
Author: Douglas Bonderud


Mind Over Matter?

While C-suites have embraced the notion of cybersecurity as a business driver, effective change demands expert support. As noted by the MIT Technology Review, security professionals are stressed. Cybersecurity conferences now regularly feature community health sessions and tracks dedicated to helping IT experts manage their stress and ensure job demands don’t lead to negative consequences in other areas.

What’s stressing IT right now? A quick rundown includes:

  • Malware-as-a-service (MaaS) — According to Bleeping Computer, MaaS markets are rapidly expanding as malicious code makers recognize the value in selling and supporting threat infrastructure rather than assuming the risk of a direct attack. These markets “provide a huge trove of malicious tools and services.”
  • Missing money — Spending isn’t keeping up with new cyberthreats. As Forbes pointed out, while some institutions such as banks are ramping up their infosec budgets, others — such as government agencies that regulate critical utilities like power and water — aren’t keeping pace. The bottom line is that paltry budgets continue to plague information security efforts.
  • Moving target — Organizations are struggling to close the cybersecurity skills gap. This leaves existing professionals on the hook to do more with less while also finding ways to stay ahead of new IT threats.

The takeaway here is that cybersecurity employees have the right mindset but are often missing the material components required to effectively manage security expectations.

The Organizational Imperative

Evolving threats, employee stress and emerging expectations demand a fundamental shift, one that prioritizes companywide security culture over the siloed approaches of traditional IT infrastructure. Embracing this organizational imperative requires adaptation across three key areas.

1. Intraorganizational

Corporate end users — from frontline staff to managers and stakeholders — are the primary consumers of IT services and solutions. As a result, without intraorganizational support in the form of security-first culture, cybersecurity professionals face a losing battle. According to IBM security experts, making the shift requires “muscle memory” — security processes must be “required, enforceable and, above all, easily incorporated into the daily life of your users.”

Perceptual shifts are also critical: creating a security-first culture means recognizing the role of security spending and solutions in revenue generation rather than cost mitigation.

2. Interorganizational

Historically, organizations have been loath to share security data, especially when it points to evidence of compromise or network vulnerability. The problem with this is that malicious actors aren’t shy about sharing attack data, putting cybersecurity in the untenable position of facing superior numbers armed with better intelligence. As the Federal News Network noted, this is starting to change — for example, the DoD-backed Security Coordination Center (SCC) focuses on threat sharing and mitigation to reduce attack impact.

Private companies must do the same. Interorganizational cooperation is no longer optional in the fight against opportunistic cybercriminals.

3. Metaorganizational

To reduce IT stress and improve overall defense, enterprises must think outside the box.

When it comes to bridging the skills gap, for example, companies are well-served with a new collar approach — leveraging new or existing staff who may not possess traditional college degrees but have the needed technical skills, aptitudes or passion for cybersecurity. This allows companies to fill critical positions without having to wait for the “perfect” candidate.

Another option? Managed security services designed to strengthen information security defenses and lower total costs. The right third-party partner can help deliver services, such as custom-built firewalls, intelligent log management and cloud-based intrusion detection, allowing cybersecurity specialists to focus on mission-critical initiatives.

Emerging solutions such as artificial intelligence and intelligent orchestration also offer key benefits. By automating essential, data-driven services, such as attack response, data breach notification and real-time productivity measurement, C-suites gain critical transparency while IT professionals get improved access to the information they need, when they need it.

Security Culture Must Adapt

Cybersecurity professionals are stressed, and with good reason: the stakes are higher than ever. They’re tasked with impressing C-suites, evading threats and improving infrastructure, but are hampered by time limitations, budget constraints and personnel gaps.

Bolstering IT and boosting the bottom line demands a critical shift. Security culture must adapt across intraorganizational, interorganizational and metaorganizational lines to empower shared responsibility, encourage honest collaboration and embrace new information security approaches.

The post Stressed to Impress: Evolving Threats Raise the Stakes on Shared Security Culture appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Douglas Bonderud

Forrester Research, IBM X-Force Command Center, IBM X-Force Incident Response and Intelligence Services (IRIS), Incident Response, Incident Response (IR), Incident Response Plan, Security Professionals, Security Services, Security Training, Threat Intelligence,

Why Cyber Range Training Should Be Top of Mind for Your Security Teams

With breaches making headlines every other week, security teams hardly ever have enough time to ramp up and test their defense strategy before a new and more sophisticated attack surfaces. When reputation, revenue and customer trust are at stake, it’s critical for organizations to detect, respond to and manage security incidents effectively. But how can organizations prepare?

Although there is no “magic answer,” incident preparation is key, and testing your incident response (IR) plan can be the difference between success and failure if, or when, a breach occurs. In fact, “The Forrester Wave: Cybersecurity Incident Response Services, Q1 2019,” released earlier this month, mentioned that vendors that provide cyber range services “position themselves to successfully deliver strong incident preparation and breach response to their customers.”

The Value of Cyber Range Training

When I joined IBM Security nearly three years ago to build out the X-Force Incident Response and Intelligence Services (IRIS) team, one of my primary goals was to guide the team to focus on core solutions that deliver value to the enterprise. However, I realized that even though our team focused on embedding threat intelligence into our IR engagements and specialized in comprehensive post-breach remediation, we needed to do more.

We needed to offer the next generation of IR preparation and give our clients access to cyber ranges, where they could practice defending against simulated threats in immersive, real-world training scenarios. We wanted to mature the experience for our clients from PowerPoint-driven tabletop discussions to real-world simulated attacks that test multiple dimensions and stakeholders within environments.

We believed these types of simulations more accurately reflected what responding to a breach was actually like — the feeling of being under pressure 24 hours a day during the event, and the pressure to analyze data quickly, provide status updates, speak with the press, work with internal and external legal counsel, and communicate to clients. We believed that if we could create an environment like this and enable our clients to train in it, each one would leave better prepared than they came in.

Let’s dive deeper into a few key reasons why security teams should consider testing their current response capabilities within a scenario-driven, simulated cyber range.

1. Practice Makes Perfect

Cyberattacks change quickly, so training must test your organization’s ability to adapt its actions and be responsive enough to keep up with new attack methodologies. Cyber ranges enable security teams to practice identifying and responding to threats in a real-world environment using a variety of technologies and runbooks. When security teams actively train in environments that effectively simulate a real-world breach, they are more likely to retain the information learned and respond more quickly when an actual breach occurs.

2. Gain Hands-On Experience

Cyber ranges offer an environment for teams to train collectively, improve their cyberdefense skills and gain critical insight into a variety of stakeholder actions within the organization. This tends to improve communication and teamwork across the enterprise because it gives teams a better understanding of what other departments are responsible for. This is critical to building a successful IR team, and it’s difficult to obtain that experience through conventional training simulations.

3. Advance Organizational Security

Training in an authentic but controlled environment can help security teams deal with crisis situations in a rapid manner. Simply put, the more security-savvy your teams are, the better prepared they will be to implement and execute the most efficient security strategy for today and tomorrow.

Fortifying a Defense Starts With People

Organizations are relying more and more on people as their first line of defense. Although the maturity of effective security technology is growing, it’s still important for cybersecurity teams to train their response in realistic and immersive environments. Cyberthreats won’t stop, so your security teams shouldn’t either. By leveraging cyber range training and bolstering your incident response strategy, your organization can evolve its approach and proactively defend against rapidly evolving threats.

The post Why Cyber Range Training Should Be Top of Mind for Your Security Teams appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Wendi Whitmore

CISO, IBM X-Force Command Center, Incident Response, Incident Response (IR), Professional Development, Security Professionals, Security Services, Security Training, X-Force,

Capture the Flag Competitions Can Help Close the Security Skills Gap

I first learned about gamification in college when I attended a talk about internship opportunities at IBM. Jason Flood and William Bailey, members of the security teams at IBM Collaboration Solutions (ICS) and Industry Solutions, made a great impression on me when they spoke about capture the flag (CTF) events they were building for students and the IT industry.

What really piqued my interest was how gamification and capture the flag events could teach people about security in a learning environment without a lot of pressure. I was what you would describe as a new collar candidate. I hadn’t gone straight into college after my primary education, instead going into the workforce as a laborer and truck driver. But I decided to go back to school to retrain and rewire my brain for new skills in the IT world.

I’ve always had an affinity for electrical things and learning how they worked. I was grounded once as a kid for taking apart the clothes iron and reassembling it in a nonconventional way. IT seemed to be the next logical progression in my career, where I could break stuff intentionally. After an internship at IBM, I was luckily accepted into the ethical hacking team in the Dublin, Ireland lab at the ripe old age of 33. The ethical hacking team at that time was very involved in providing cybersecurity education and CTF frameworks for universities and conferences throughout the U.K. and Ireland. Some members of that team have gone on to join IBM X-Force Red. It was during this time that I really caught the gamification bug.

Gamification and Capture the Flag: What Are They?

Most people interact with some form of gamification in their daily lives. What is it? Gamification — the application of game-design elements and game principles in nongame contexts — taps into that natural human need to play, improve and maybe win sometimes. For example, we use gamification when we collect coupons at the store, participate in loyalty programs and use fitness apps. Gamification is also used in the education system — think student rankings based on GPA, dean’s lists, honor rolls, scholarships, etc.

A capture the flag exercise is a gamified set of challenges designed to teach cybersecurity skills in a variety of categories. CTF events generally have a mixture of professionals and students participating. The types of CTF are Jeopardy-style, attack-defense and mixed.

Jeopardy-Style CTF

In a Jeopardy-style CTF, participants take on challenges in a range of categories, including application security, forensics, reverse engineering, cryptography and more. Teams discover “flags” and submit them for points. Challenges get progressively harder and teams earn more points based on the level of difficulty.

Attack-Defense CTF

In an attack-defense CTF, competitors attempt to compromise systems and services with known vulnerabilities. Once a team has compromised a system, it must then defend that system against opposing teams. Participants perform the actions of a red team (attackers) and switch to the blue team (defenders) seamlessly. This game can be continuous and run for many days.

A mixed CTF is a combination of both Jeopardy and attack-defense.

Many of the challenges in CTFs are built around the OWASP Top 10 Application Security Risks or the SANS Top 25 Most Dangerous Software Errors, which give participants a feel for real-world vulnerabilities that many industries have to contend with.
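As an added example (not code from this post or from IBM’s own CTF framework) of the Jeopardy-style mechanics described above: a small flag checker and scoreboard that stores only salted hashes of flags, compares submissions in constant time, pays out by difficulty tier and locks a cell for a team after repeated wrong guesses. The challenge names, flag values, point table and lockout threshold are all constructed for this example.

```python
"""Flag checking and scoring for a Jeopardy-style CTF (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Challenge:
    """One Jeopardy board cell: a category, a difficulty tier and a hashed flag."""
    name: str
    category: str
    difficulty: int      # 1 (easy) .. 5 (hardest); points double per tier
    salt: bytes
    flag_digest: bytes   # SHA-256(salt || flag); the plaintext flag is never stored

    @property
    def points(self) -> int:
        # Progressively harder challenges are worth more: 100, 200, 400, 800, 1600
        return 100 * 2 ** (self.difficulty - 1)


def make_challenge(name: str, category: str, difficulty: int, flag: str) -> Challenge:
    """Register a challenge, keeping only a salted hash of its flag."""
    if not 1 <= difficulty <= 5:
        raise ValueError("difficulty must be between 1 and 5")
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + flag.encode("utf-8")).digest()
    return Challenge(name, category, difficulty, salt, digest)


def check_flag(challenge: Challenge, submitted: str) -> bool:
    """Compare a submission against the stored hash in constant time."""
    digest = hashlib.sha256(challenge.salt + submitted.strip().encode("utf-8")).digest()
    return hmac.compare_digest(digest, challenge.flag_digest)


class Scoreboard:
    """Tracks solves per team; a flag scores once and guessing is rate-limited."""

    MAX_WRONG_PER_CHALLENGE = 10   # constructed threshold: after this many misses the cell locks

    def __init__(self, challenges):
        self.challenges = {c.name: c for c in challenges}
        self.solved = {}    # team -> set of solved challenge names
        self.wrong = {}     # (team, challenge name) -> wrong-submission count

    def submit(self, team: str, challenge_name: str, flag: str):
        """Return (verdict, points awarded) for one submission."""
        chal = self.challenges.get(challenge_name)
        if chal is None:
            return "unknown challenge", 0
        solved = self.solved.setdefault(team, set())
        if challenge_name in solved:
            return "already solved", 0          # no double credit for resubmits
        key = (team, challenge_name)
        if self.wrong.get(key, 0) >= self.MAX_WRONG_PER_CHALLENGE:
            return "locked", 0                  # discourages brute-forcing the flag format
        if not check_flag(chal, flag):
            self.wrong[key] = self.wrong.get(key, 0) + 1
            return "incorrect", 0
        solved.add(challenge_name)
        return "correct", chal.points

    def score(self, team: str) -> int:
        return sum(self.challenges[n].points for n in self.solved.get(team, ()))

    def ranking(self):
        """Teams ordered by score, highest first (ties broken by name)."""
        return sorted(self.solved, key=lambda t: (-self.score(t), t))


def demo_board() -> Scoreboard:
    """A constructed three-cell board used by the walkthrough below."""
    return Scoreboard([
        make_challenge("login-bypass", "application security", 1, "FLAG{c0nstructed_appsec}"),
        make_challenge("carve-the-pcap", "forensics", 3, "FLAG{c0nstructed_forensics}"),
        make_challenge("unpack-me", "reverse engineering", 5, "FLAG{c0nstructed_reversing}"),
    ])


if __name__ == "__main__":
    board = demo_board()
    for team, name, flag in [
        ("blue", "login-bypass", "FLAG{c0nstructed_appsec}"),
        ("blue", "login-bypass", "FLAG{c0nstructed_appsec}"),   # resubmit: no extra points
        ("red", "carve-the-pcap", "FLAG{guess}"),
        ("red", "carve-the-pcap", "  FLAG{c0nstructed_forensics}\n"),
    ]:
        print(team, name, board.submit(team, name, flag))
    print("ranking:", [(t, board.score(t)) for t in board.ranking()])
```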

How CTF Events Can Help Recruit and Train Cybersecurity Experts

The value of CTFs in terms of cybersecurity awareness, training and education is evidenced by the number of CTF events out in the wild today and the caliber of participants. CTFs are valuable for sharpening the skills of technical operators. Just like athletes who constantly train to stay in top shape, cybersecurity experts need to keep on top of their game.

From attending and building CTFs myself, I have seen how they can be used to train new hires and employees and as a tool for recruitment. Given the impending global cybersecurity skills gap that’s expected to reach approximately 3.5 million unfilled jobs by 2021 and attacks rising year after year, as a community we need to engage people sooner in the career pipeline. This is why the new collar approach — considering job candidates who lack a college degree or cybersecurity background — is so vital.

I’ve also seen how CTFs can provide an opportunity for a company to interview large numbers of people in a safe and controlled environment. I’ve observed recruiters from many companies walk the CTF floor asking people questions during an event. The benefit for recruiters is that they can witness participants showcasing their technical, social and teamwork skills in person. Recruits can discuss vulnerabilities and demonstrate how they compromised systems, how the team broke down tasks and how they solved them.

The environment of a CTF is relaxed and fun, which enables people to show their social side. This environment removes the pressure of an interview, where you’re sitting in a chair in a small room, slumping awkwardly in an ill-fitting suit and hoping you don’t answer any of the questions wrong. The CTF is the place where you can make mistakes, hone your skills and become a better professional.

Engaging and Training the Next Wave of Cyber Professionals

I am lucky enough to have been part of many CTF events over the years, and I’ve seen the concept evolve into an amazing platform for engaging employees, raising awareness and training the future cyber workforce. I am also lucky to be part of IBM’s world-class X-Force Command special forces team as a gamification engineer.

IBM Security is at the forefront in the gamification space, as is evident from the unique facilities we have in the X-Force Command Cyber Range in Cambridge, Massachusetts and the X-Force Command Cyber Tactical Operations Center (C-TOC), a security operations center (SOC) and cyber range aboard an 18-wheeler tractor trailer, now touring Europe.

Our gamified breach simulations immerse participants in a scenario that brings them as close to the endgame as possible. In this high-pressure scenario, clients can test their processes, identify gaps in their security plan and train the muscle memory that is required for when worst happens.

My small part in this well-oiled machine is to provide the technical aspects of the cyber range offerings, building out attack scenarios in the attack-defense challenge we call Cyber Wargame. I also work on developing CTF events within IBM’s own CTF framework, doing my part to help engage and train the next wave of cyber professionals here at IBM.

It’s exciting to do this work for IBM, but I also enjoy taking my experience creating CTFs outside of my job. Last month, I was honored to have the opportunity, along with the Irish branch of the nonprofit security organization Honeynet Project, to support the inaugural cybersecurity competition at the Ireland Skills Live event. WorldSkills competitions have been running since 1950, but this was the first event in Ireland, with teams from universities across the country competing for a chance to represent the nation at a future event in a global WorldSkills competition.

The upcoming graduates’ passion for cybersecurity and vast array of knowledge were clear. Participants told me they had played in many CTFs and that they feel it gives them a better chance at employment. The interest from spectators was very high too, which was one of my main goals for this event. I really wanted to raise awareness among the public and remove some of the mystique around cybersecurity, while correcting the Hollywood notion some people have of cybersecurity.

The event was a success from a recruitment perspective, with many colleges and schools requesting an on-site event for their students. Parents and their kids asked for resources and locations where they could get more information and participate.

The security community offers many opportunities for information sharing, learning and networking, and none more so than a CTF event. Events like this can only help in tackling the cybersecurity skills gap going forward.

Discover How IBM X-Force Command Helps Teams Prepare for a Breach

The post Capture the Flag Competitions Can Help Close the Security Skills Gap appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: John Clarke

Advanced Threats, Security Information and Event Management (SIEM), Security Professionals, threat hunting,

Security Analyst Files Workman’s Comp Claim for ‘Seriously Fatigued Fingers’

At 8:30 a.m. this morning, a level 3 security analyst, Mikey “The Jedi” Allbright of [COMPANY NAME REDACTED], announced he’ll be leaving for the next six months due to “seriously fatigued fingers” and “a wonky eye” resulting from viewing and traversing too many screens in the course of his daily activities to ensure data security and compliance at [COMPANY NAME REDACTED].

We sat down with Allbright after this grandiose proclamation for further details. “All security analysts have it tough,” Allbright mused as he gingerly held his Darth Vader mug with his three fully operational fingers. “We’re ingesting data all day, every day, from a multitude of sources so we can detect the events that seem to be anomalous in nature, analyze those events to see if they’re actual threats and, finally, stop the threat if it’s an actual attack.”

When asked if the problem is on equal footing for junior or level 1 and 2 analysts, Allbright had this to say: “Security information and event management (SIEM) offerings have grown leaps and bounds since I moved from Windows tech support to the security desk eight years ago. Back then, if we pulled data from the firewall, for instance, we might only get an IP address sent back; all the other DNA of the event was sitting in unstructured logs.

“Today, the new kids have it relatively easy. SIEM providers have really upped the game on integrations and the correlation engines to give a full picture view of brute-force attacks. I mean, they still have their own challenges as the business grows and our data leaves the building, trying to secure let’s say mobile devices, but it’s nothing to the level I deal with each day. No one will be getting seriously fatigued fingers or a wonky eye.”

Physician’s Diagnosis Points to ‘Extreme’ Repetitive Stress Disorder

For further context, we continued the conversation with Allbright and his physician, Moonstone Riverbeam.

“This is a case of repetitive stress disorder taken to the extreme,” Riverbeam chanted.

Allbright interjected, “I’m responsible for finding the truly unknown threats, the ones that are coordinated and complex, that need the SIEM and a host of other systems to fully identify and ferret out. In a low and slow attack, the hackers will start their intrusion with a spear phishing email to an unsuspecting user within our company. To simply see if spear phishing is taking place, I’m sifting through data across packet capture, web proxy, email gateway, detonation chambers, SSL/TLS inspection, DNS records and mail servers. Just culling the information is a ludicrous amount of clicks that whittles away the marrow of my finger bones. Now, imagine I have to collate and analyze that information in a spreadsheet. Welp, that’s many, many more clicks.”

Riverbeam provided no further comment, but we could hear mild weeping in the background before he hung up the phone. We then received a notice that Allbright’s phone card minutes were almost depleted, so he concluded with the following:

“That example above assumes we can stop a possible attack at intrusion, which is rarely the case. When you look at this from the lens of the MITRE ATT&CK framework, there is a multitude of other steps that occur before your company makes the news about being breached. Each of those steps from hackers performing data discovery, to lateral moves across systems, to exfiltration of data requires a whole other set of IT systems we need data from to provide a thorough investigation and hopefully stop the bad guys. I’m lucky to still have three working fingers.”

Company Leans on Design Thinking Approach in Security Analyst’s Absence

To bring balance to the acting forces in this story, we reached out to Allbright’s direct superior, the chief information officer (CIO) of [COMPANY NAME REDACTED], who asked to remain nameless. They said:

“While of course we have concerns about Mikey’s ‘condition,’ what scares me more is the time it’s taking our analysts to find these threats. I believe in the fortitude of the human finger, but each click that has affected Mikey is extra time we’re allowing rogue agents to run amuck in our environment.”

When I asked what the plan was moving forward while Mikey was healing, she said, “We built our security tools like a castle, adding new bricks each time an outside force came up with a new weapon in their arsenal. With Mikey gone, we need to add the same design thinking to security we used to build the rest of our infrastructure. Begin with the security outcomes we hope to achieve and integrate or add technology from there. Start with new rules, then we’ll add the tools. Also, I think Mikey is faking it. I wanted that out there since I doubt my sarcasm will come through in text.”

When I asked Allbright his plans during his convalescence, his eyes brightened.

“While I may be a Jedi and master threat hunter in IT security, I’m still only a Padawan (as recognized by the official Jedi Council of America). I plan to spend the next six months honing my lightsaber skills.”

When asked if he plans to wield the Jedi weapon of choice given his “condition,” Allbright wryly smiled and said, “I believe the Force will be with me.”

The post Security Analyst Files Workman’s Comp Claim for ‘Seriously Fatigued Fingers’ appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Rob Patey

Android Pentesting, Android security, Security Penetration Testing, Security Professionals, Tools,

Most Important Android Penetration Testing Tools for Hackers & Security Professionals

Android Security

Android security testing is more often used by security industries to test the vulnerabilities in Android applications. Here you can find a comprehensive Android penetration testing tools and resource list that covers performing penetration testing operations on Android mobiles. Online analyzers: AndroTotal, Tracedroid, Visual Threat, Mobile Malware Sandbox, Appknox (not free), IBM Security AppScan Mobile […]

The post Most Important Android Penetration Testing Tools for Hackers & Security Professionals appeared first on GBHackers On Security.

bitcoin, Blockchain, cryptocurrency, Penetration Testing, Professional Development, Security Professionals, Security Services, X-Force,

How Chris Thomas Paired His Passion for Blockchain With Pen Testing

Chris Thomas, X-Force Red’s blockchain security expert, has always had an interest in understanding how technologies are built and operated. As a young child, Chris’ father thought it would be enjoyable for the two to build a computer instead of buying a premanufactured one. After two attempts, the father-and-son duo successfully built Chris’ first computer. Little did they know the project would ignite Chris’ future career as a penetration tester.

At just 11 years old, Chris performed his first penetration test, hacking into his school’s network. The content of his school’s information technology class wasn’t challenging for Chris, giving him plenty of time to teach himself how to program and code. Using his self-taught knowledge, he was able to scan the school’s network and access Windows shares that allowed him to log in as a domain administrator. Because he has a strong moral compass, Chris communicated his findings with the school’s system administrator, who became a close ally and supported Chris’ work. Through this experience, Chris knew he wanted to become a penetration tester.

Starting a Career in Penetration Testing

After secondary school, Chris pursued and completed an undergraduate degree in programming and a graduate degree in cybersecurity. He then began his first full-time job working as a system administrator for a large technology company in Manchester, England. Chris’ knowledge was second to none, but his employer would not let him begin his career as a penetration tester with the company. It was not until Chris alpha tested and passed the CREST CRT exam that his company moved him to a junior penetration tester position.

Over the next 10 years, Chris excelled in his role as a penetration tester and became a principal consultant, serving as the technical lead on a project for a large financial institution. He and his team managed the company’s global penetration testing network and built the network access controls from scratch. In the midst of that project, Chris met Thomas MacKenzie, who is now X-Force Red’s associate partner in Europe, the Middle East and Africa.

Joining the X-Force Red Team

Chris has been infatuated with blockchain technology since its inception and initial ties to cryptocurrency. With a passion for understanding how systems work and function, he immediately educated himself on all things blockchain and bitcoin and has continued researching and tinkering with the technologies ever since.

When Thomas joined X-Force Red, he contacted Chris about his interest in joining the team as well. Thomas knew Chris had a strong interest in blockchain and reminded him that IBM was one of the industry leaders in developing new blockchain technology. Thomas suggested that Chris become X-Force Red’s leading blockchain testing expert, an opportunity Chris accepted without hesitation.

In his current role, leading X-Force Red’s blockchain testing services, Chris combines his passion for penetration testing with his love for blockchain. The team works with clients to find weaknesses not only in the implementation and use of blockchain technology itself, but also in the connected infrastructure.

Alongside X-Force Red’s veteran hackers, who are also developers and engineers, Chris is excited to help shape the adoption and implementation of blockchain across various industries.

Learn more about X-Force Red Blockchain Testing

The post How Chris Thomas Paired His Passion for Blockchain With Pen Testing appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Carter Garrison