
Don’t Believe Your Eyes: Deepfake Videos Are Coming to Fool Us All

In 2017, an anonymous Reddit user under the pseudonym “deepfakes” posted links to pornographic videos that appeared to feature famous mainstream celebrities. The videos were fake. And the user created them using off-the-shelf artificial intelligence (AI) tools.

Two months later, Reddit banned the deepfakes account and related subreddit. But the ensuing scandal revealed a range of university, corporate and government research projects under way to perfect both the creation and detection of deepfake videos.

Where Deepfakes Come From (and Where They’re Going)

Deepfakes are created using AI technology called generative adversarial networks (GANs), which can be used broadly to create fake data that can pass as real data. To oversimplify how GANs work, two machine learning (ML) algorithms are pitted against each other. One creates fake data and the other judges the quality of that fake data against a set of real data. They continue this contest at massive scale, continually getting better at making fake data and judging it. When both algorithms become extremely good at their respective tasks, the product is a set of high-quality fake data.

In the case of deepfakes, the authentic data set consists of hundreds or thousands of still photographs of a person’s face. This gives the algorithm a wide selection of images showing the face from different angles and with different facial expressions to draw on, and to judge against, as it experimentally adds frames to the video during the learning phase.

Carnegie Mellon University scientists even figured out how to impose the style of one video onto another using a technique called Recycle-GAN. Instead of convincingly replacing someone’s face with another, the Recycle-GAN process enables the target to be used like a puppet, imitating every head movement, facial expression and mouth movement in the exact way as the source video. This process is also more automated than previous methods.

Most of these videos today are either pornography featuring celebrities, satire videos created for entertainment or research projects showing rapidly advancing techniques. But deepfakes are likely to become a major security concern in the future. Today’s security systems rely heavily on surveillance video and image-based biometric security. Since the majority of breaches occur because of social engineering-based phishing attacks, it’s certain that criminals will turn to deepfakes for this purpose.

Deepfake Videos Are Getting Really Good, Really Fast

The earliest publicly demonstrated deepfake videos tended to show talking heads, with the subjects seated. Now, full-body deepfakes developed in separate research projects at Heidelberg University and the University of California, Berkeley are able to transfer the movements of one person to another. One form of authentication involves gait analysis. These kinds of full-body deepfakes suggest that the gait of an authorized person could be transferred in video to an unauthorized person.

Here’s another example: Many cryptocurrency exchanges authenticate users by making them photograph themselves holding up their passport or some other form of identification as well as a piece of paper with something like the current date written on it. This can be easily foiled with Photoshop. Some exchanges, such as Binance, found many attempts by criminals to access accounts using doctored photos, so they and others moved to video instead of photos. Security analysts worry that it’s only a matter of time before deepfakes will become so good that neither photos nor videos like these will be reliable.

The biggest immediate threat for deepfakes and security, however, is in the realm of social engineering. Imagine a video call or message that appears to be your work supervisor or IT administrator, instructing you to divulge a password or send a sensitive file. That’s a scary future.

What’s Being Done About It?

Increasingly realistic deepfakes have enormous implications for fake news, propaganda, social disruption, reputational damage, evidence tampering, evidence fabrication, blackmail and election meddling. Another concern is that the perfection and mainstreaming of deepfakes will cause the public to doubt the authenticity of all videos.

Security specialists, of course, will need to have such doubts as a basic job requirement. Deepfakes are a major concern for digital security specifically, but also for society at large. So what can be done?

University Research

Some researchers say that analyzing the way a person in a video blinks, or how often they blink, is one way to detect a deepfake. In general, deepfakes show insufficient or even nonexistent blinking, and the blinking that does occur often appears unnatural. Breathing is another movement usually not present in deepfakes, along with hair (it often looks blurry or painted on).

Researchers from the State University of New York (SUNY) at Albany developed a deepfake detection method that uses AI technology to look for natural blinking, breathing and even a pulse. It’s only a matter of time, however, before deepfakes make these characteristics look truly “natural.”

Government Action

The U.S. government is also taking precautions: Congress could consider a bill in the coming months to criminalize both the creation and distribution of deepfakes. Such a law would likely be challenged in court as a violation of the First Amendment, and would be difficult to enforce without automated technology for identifying deepfakes.

The government is working on the technology problem, too. The National Science Foundation (NSF), Defense Advanced Research Projects Agency (DARPA) and Intelligence Advanced Research Projects Agency (IARPA) are looking for technology to automate the identification of deepfakes. DARPA alone has reportedly spent $68 million on a media forensics capability to spot deepfakes, according to CBC.

Private Technology

Private companies are also getting in on the action. A new cryptographic authentication tool called Amber Authenticate can run in the background while a device records video. As reported by Wired, the tool generates hashes — “scrambled representations” — of the data at user-determined intervals, which are then recorded on a public blockchain. If the video is manipulated in any way, the hashes change, alerting the viewer to the probability that the video has been tampered with. A dedicated player feature shows a green frame for portions of video that are faithful to the original, and a red frame around video segments that have been altered. The system has been proposed for police body cams and surveillance video.

A similar approach was taken by a company called Factom, whose blockchain technology is being tested for border video by the Department of Homeland Security (DHS), according to Wired.
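The interval-hashing idea behind Amber Authenticate and Factom, worked through as an added example (not either company's code): hash the recording at fixed intervals while it is captured, append the hashes to a ledger, then re-hash any copy later to show which intervals are unchanged ("green") and which were altered ("red"). The ledger is an in-memory list standing in for a public blockchain, the intervals are byte-sized rather than time-based, and the "video" is a constructed byte string.

```python
"""Segment-level hashing of a recording, modelled on the approach the article
attributes to Amber Authenticate. Assumptions: a list stands in for the public
blockchain, intervals are fixed byte counts instead of time, and ORIGINAL is a
constructed byte string standing in for the video."""
import hashlib
from typing import Dict, List

SEGMENT_BYTES = 64  # constructed interval length; a real tool would cut on time

def hash_segments(video: bytes, segment_size: int = SEGMENT_BYTES) -> List[str]:
    """Cut the recording into fixed-size intervals and hash each one separately,
    so a later comparison can localise a change instead of only saying "differs"."""
    return [hashlib.sha256(video[i:i + segment_size]).hexdigest()
            for i in range(0, len(video), segment_size)]

def publish(video: bytes, ledger: List[Dict]) -> int:
    """Append this recording's segment hashes to the ledger. Each entry also commits
    to the previous entry's hash, mimicking the chaining that makes a public ledger
    append-only. Returns the entry index a verifier will need later."""
    prev = ledger[-1]["entry_hash"] if ledger else "0" * 64
    segments = hash_segments(video)
    entry_hash = hashlib.sha256((prev + "".join(segments)).encode()).hexdigest()
    ledger.append({"prev": prev, "segments": segments, "entry_hash": entry_hash})
    return len(ledger) - 1

def verify(copy: bytes, ledger: List[Dict], index: int) -> List[str]:
    """Re-hash a copy and give one verdict per interval: 'green' if it matches the
    published hash, 'red' if it was altered, 'missing' if intervals were cut or
    appended (the copy and the ledger disagree on length)."""
    published = ledger[index]["segments"]
    current = hash_segments(copy)
    verdicts = []
    for i in range(max(len(published), len(current))):
        if i >= len(published) or i >= len(current):
            verdicts.append("missing")
        else:
            verdicts.append("green" if published[i] == current[i] else "red")
    return verdicts

def ledger_intact(ledger: List[Dict]) -> bool:
    """Recompute the chain; an edited or reordered entry breaks the link after it."""
    prev = "0" * 64
    for entry in ledger:
        expected = hashlib.sha256((prev + "".join(entry["segments"])).encode()).hexdigest()
        if entry["prev"] != prev or entry["entry_hash"] != expected:
            return False
        prev = entry["entry_hash"]
    return True

# Constructed stand-in for a recording: four intervals of 64 bytes each.
ORIGINAL = b"".join(bytes([n]) * SEGMENT_BYTES for n in range(4))

def demo() -> Dict[str, object]:
    """Publish ORIGINAL, then verify a clean copy, a retouched copy and a cut copy."""
    ledger: List[Dict] = []
    idx = publish(ORIGINAL, ledger)
    tampered = bytearray(ORIGINAL)
    tampered[2 * SEGMENT_BYTES + 5] ^= 0xFF   # one byte changed in the third interval
    truncated = ORIGINAL[:3 * SEGMENT_BYTES]  # last interval removed
    return {
        "clean": verify(ORIGINAL, ledger, idx),
        "tampered": verify(bytes(tampered), ledger, idx),
        "truncated": verify(truncated, ledger, idx),
        "ledger_intact": ledger_intact(ledger),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```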

Security Teams Should Prepare for Anything and Everything

The solution to deepfakes may lie in some combination of education, technology and legislation — but none of these will work without the technology part. Because when deepfakes get really good, as they inevitably will, only machines will be able to tell the real videos from the fake ones. This deepfake technology is coming, but nobody knows when. We should also assume that an arms race will arise with malicious deepfake actors inventing new methods to overcome the latest detection systems.

Security professionals need to consider the coming deepfake wars when analyzing future security systems. If they’re video or image based — everything from facial recognition to gait analysis — additional scrutiny is warranted.

In addition, you should add video to the long list of media you cannot trust. Just as training programs and digital policies make clear that email may not come from who it appears to come from, video will need to be met with similar skepticism, no matter how convincing the footage. Deepfake technology will also inevitably be deployed for blackmail purposes, which will be used for extracting sensitive information from companies and individuals.

The bottom line is that deepfake videos that are indistinguishable from authentic videos are coming, and we can scarcely imagine what they’ll be used for. We should start preparing for the worst.


This post appeared first on Security Intelligence
Author: Mike Elgan


Exposed IoT Automation Servers and Cybercrime

by: Stephen Hilt, Numaan Huq, Martin Rösler, and Akira Urano

In our latest research “Cybersecurity Risks in Complex IoT Environments: Threats to Smart Homes, Buildings and Other Structures,” we tested possible threat scenarios against complex IoT environments such as in smart homes and smart buildings. A significant part of the research also involved a look into exposed automation platforms or servers, which are integral components of complex IoT environments.

We define Complex IoT Environments (CIEs) as being made up of enough IoT devices — 10 from our experience — to create a web of dynamic interactions based on set rules. In these environments, an automation server functionally chains the devices together and enables functional interactions of devices that characterize such environments. There are two types of automation servers an IoT environment could have: the open-source server and the commercial server. Both not only have great control over devices but also hold important information. These servers are critical for such an environment – with each additional device added, the number of possible interactions and rules grows exponentially.

If a server is unknowingly exposed online, it could allow attackers to reprogram automation rules or steal hardcoded information. As the automation rules get more and more complex with more devices added, an administrator will have a hard time noticing an attacker’s logic changes even after inspection. Checking whether an automation server is exposed online is therefore a significant aspect of CIE security. For our research, we used Shodan to see if there were indeed any exposed automation servers, and we share details on those that we found in this post.

General findings

We searched through Shodan, a search engine for internet-connected devices, and came across a number of open-source automation servers. What sets open-source automation servers apart is their programmable logic layer, which allows users to change rules and add devices to a CIE. Compared to commercial automation servers we will discuss later, open-source servers are a lot more versatile.

The most common exposed open-source IoT automation servers that we found were Domoticz, Home Assistant, openHAB, and Fibaro Home Center. The countries with the most exposed servers were mostly industrial nations in Europe, North America, Australia, and Japan. Of note are the automation servers we found in Thailand, Vietnam, Chile and Argentina, which could be an indication that although IoT automation is still in its early stages, it is quickly spreading globally.

Figure 1. Exposed IoT servers found using Shodan

The count is based purely on servers found in Shodan, so we need to point out certain considerations: 1) Shodan data does not include all exposed servers, 2) not all automation servers are exposed on the internet, and 3) daily results are constantly changing because of dynamic IP addresses. Therefore, the actual total number of exposed automation servers could be greater.

Whatever the actual number is, the fact that it is in the tens of thousands is concerning. Exposed systems can contain sensitive information and provide access to anyone who finds them. This is demonstrated by the exposed open-source servers Home Assistant, FHEM, and Node-RED, which we will discuss further.

Open-source home automation servers

As can be seen in Figure 1, we found thousands of Home Assistant servers exposed in Shodan. Home Assistant is an open-source home automation server that allows users to run all their connected home devices from a single, mobile-friendly interface. Home Assistant runs on a dedicated server, whether an RPi or another local machine, so all device data is stored locally and not in the cloud. Home Assistant supports many popular IoT devices out of the box, and rules can be programmed via the GUI as well as written in YAML.

We found more than 6,200 exposed Home Assistant servers online, most of which were from the U.S. and Europe. Home Assistant has a history feature that shows the operational status of devices and, once accessed, could indicate when the inhabitants are away from home. In some exposed homes, the Home Assistant configuration file contained important credentials, such as a hardcoded router username and password. It is good to note, however, that Home Assistant enforces password protection, and most of the exposed home servers were password protected.

Figure 2. Exposed history of devices

On the other hand, we found fewer exposed smart homes using FHEM servers. FHEM is a home automation server popular in Europe, a fact that coincides with our findings as most of the exposed FHEM servers were from Austria and Germany. It’s a Perl server that can be used to automate repetitive day-to-day tasks at home, like controlling the thermostat, switching lights on and off, and regulating power consumption. Like Home Assistant, its program runs on a dedicated device and can be controlled using the web, a smartphone, Telnet, or TCP/IP.

Information on the exposed FHEM servers included configuration files and device activities. Configuration files contain a wealth of information, like hardcoded credentials, lists of all devices in the home, and each device’s location. Exposed FHEM servers could also show other details from the devices connected to them, like device status, sensor readings, and even electricity usage.

Open-source home and industrial servers

Another type of automation server we found exposed online was Node-RED, a flow-based programming tool for chaining together devices, APIs, and online services. What sets Node-RED apart is its support for both smart homes and industrial processes. This crossover support for IoT and IIoT spaces is a capability that we think will eventually be possible for other IoT automation platforms.

Figure 3. Exposed detailed log files recording all events triggered, found in the same location as the configuration file

We found around 880 exposed Node-RED servers online. Most of these were located in the U.S., Germany, Japan, U.K., and the Netherlands. Since Node-RED can be used for both home and industrial applications, these servers came from a wide variety of settings. Examples that we found that were not smart homes included a greenhouse and a parking garage flow in Japan.

Figure 4. Exposed automation flow for a parking garage in Japan

Commercial automation servers

We also include in this discussion the few commercial home automation servers we came across in our Shodan search. Commercial automation servers offer a lot less flexibility than open-source servers. This means they can’t integrate as wide a range of IoT devices into their systems. However, they are still capable of some level of control over households since they can be used to operate preinstalled devices.

Potential attackers would not be able to conduct significant smart attacks against exposed commercial automation servers using the logic layer — commercial ones do not have a user-programmable logic layer. However, these exposed servers freely share information and access with anyone querying them, without requiring proper authentication. Some of the controls that we found included those for the intercom, cameras, lights, and alarm systems.

Figure 5. Exposed controls for a home alarm system

Security and control

Exposure of automation servers opens smart homes and even smart buildings to several attack scenarios. For open-source automation servers, attackers can reprogram rules, which in turn leads to a slew of other attacks — from secretly adding devices to the system to turning off all security setups. Even exposed commercial servers can give attackers physical control over a household by allowing them to interact with controls like alarm systems. Exposed automation servers in buildings and industrial settings could impede business operations should their setups be tampered with. In addition, attackers can monitor and note patterns in resident behaviors using the information readily available in the exposed server.

In securing a CIE, a good place to start is its automation server. Since automation servers do not alert users when their rules have changed, users should frequently check the logic layer for any changes. In this regard, using version control software would help users track changes in their code, as well as revert their code quickly to its original version in case of compromise. Users should also filter the information their automation servers hold. An automation server is a powerful tool that makes CIEs run smoothly and efficiently. As such, it is crucial for its control to remain in the right hands and not fall into the hands of unforeseen attackers.
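The two checks recommended above, spotting silent rule changes in the logic layer and keeping credentials out of the configuration, as an added example (not Trend Micro's code). The baseline and current rule files are constructed to resemble a Home Assistant automations.yaml; in practice the baseline would come from version control or a previously recorded snapshot, and the `!secret` convention is Home Assistant's own mechanism for keeping values in a separate secrets.yaml.

```python
"""Audit an automation server's rule file for silent changes and hardcoded
credentials. BASELINE and CURRENT are constructed samples in the style of a
Home Assistant automations.yaml; only the standard library is used."""
import difflib
import hashlib
import re
from typing import Dict, List

# Keys whose inline values are credentials. A value written as `!secret name`
# is pulled from secrets.yaml at load time, so only other inline values are flagged.
SECRET_KEYS = re.compile(r"^\s*(password|api_key|token|username)\s*:\s*(.+?)\s*$",
                         re.IGNORECASE)

BASELINE = """\
- alias: Arm alarm when everyone leaves
  trigger:
    platform: state
    entity_id: group.family
    to: not_home
  action:
    service: alarm_control_panel.alarm_arm_away
- alias: Porch light at sunset
  trigger:
    platform: sun
    event: sunset
  action:
    service: light.turn_on
    entity_id: light.porch
"""

# Constructed "current" file: one rule was changed, a nightly disarm rule was
# added, and router credentials were pasted inline instead of using !secret.
CURRENT = """\
- alias: Arm alarm when everyone leaves
  trigger:
    platform: state
    entity_id: group.family
    to: not_home
  action:
    service: alarm_control_panel.alarm_arm_away
- alias: Porch light at sunset
  trigger:
    platform: sun
    event: sunset
  action:
    service: light.turn_off
    entity_id: light.porch
- alias: Nightly maintenance
  trigger:
    platform: time
    at: "02:00:00"
  action:
    service: alarm_control_panel.alarm_disarm
    data:
      code: 1234
- alias: Router health check
  action:
    service: shell_command.ping_router
    data:
      username: admin
      password: hunter2
"""

def fingerprint(text: str) -> str:
    """Whole-file hash; cheap to store with the snapshot and compare on a schedule."""
    return hashlib.sha256(text.encode()).hexdigest()

def rule_names(text: str) -> List[str]:
    """Top-level rule aliases, in file order."""
    return re.findall(r"^- alias:\s*(.+?)\s*$", text, re.MULTILINE)

def find_inline_secrets(text: str) -> List[Dict]:
    """Credential keys whose value is written inline rather than via !secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEYS.match(line)
        if m and not m.group(2).startswith("!secret"):
            findings.append({"line": lineno, "key": m.group(1).lower()})
    return findings

def audit(baseline: str, current: str) -> Dict:
    """Report what changed since the snapshot and which credentials are exposed."""
    diff = list(difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                     "baseline", "current", lineterm=""))
    body = diff[2:]  # skip the --- / +++ file headers
    base_rules, cur_rules = rule_names(baseline), rule_names(current)
    return {
        "changed": fingerprint(baseline) != fingerprint(current),
        "new_rules": [r for r in cur_rules if r not in base_rules],
        "removed_rules": [r for r in base_rules if r not in cur_rules],
        "added_lines": [l[1:] for l in body if l.startswith("+")],
        "removed_lines": [l[1:] for l in body if l.startswith("-")],
        "inline_secrets": find_inline_secrets(current),
    }

if __name__ == "__main__":
    report = audit(BASELINE, CURRENT)
    for key, value in report.items():
        print(f"{key}: {value}")
```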

To get a fuller understanding of other threat scenarios, you can read the rest of our findings in our paper “Cybersecurity Risks in Complex IoT Environments: Threats to Smart Homes, Buildings and Other Structures.” We also detail best practices to help build safer CIEs.


This post appeared first on Trend Micro Blog
Author: Trend Micro


Maturing Your Security Operations Center With the Art and Science of Threat Hunting

Your organization has fallen prey to an advanced persistent threat (APT) after being targeted by a state-sponsored crime collective. Six million records were lost over 18 months of undetected presence on your network. While your security operations center (SOC) is fully staffed with analysts, your threat hunting capabilities failed to detect the subtle signs of threat actors moving laterally through your network and slowly exfiltrating customer data.

How did this happen?

It all started with a highly targeted spear phishing attack on your director of communications. He failed to notice the carefully disguised symbols in an email he thought was sent by the IT department and logged in to a spoofed domain. This credential theft resulted in the spread of zero-day malware and slowly escalated account privileges. While some of the criminals’ behavior triggered alerts in the SOC, your analysts categorized the incidents as benign positives. Your organization is now facing a multimillion-dollar cleanup and a serious loss of customer trust.


Why You Should Hunt Advanced Threats Before They Strike

Situations like the one described above are all too common in our industry. The majority of successful exploits attributed to human error fit a small series of predictable patterns that exploit known vulnerabilities in an organization’s network. As a result, many data breaches can be prevented with effective cyber hygiene tactics.

Advanced threats are a smaller proportion of incidents, but they are typically undetected and cause the most damage. In addition, the rise in state-sponsored crime and criminal activity on the dark web has created an ecosystem that fosters open exchange between the world’s most sophisticated and skilled criminals.

The cost of a serious breach is also trending upward. According to Ponemon, the average cost of a megabreach that results in the loss of more than 1 million customer records is $40 million. And more than 60 percent of data breaches have links to either state actors or advanced, organized crime groups, according to Verizon. APTs that evade detection can result in dwell times that range from three to 24 months, further increasing the total cleanup cost for a data breach.

How can security teams fight these kinds of threats? The majority of enterprise SOCs are now at least three years old, according to a recent study from Exabeam, and are increasing in maturity. While human analysts and manual research methodologies can act as a firewall against many risks, there’s a need to scale SOC intelligence and threat hunting capabilities to safeguard against APTs.

What Is Threat Hunting?

Threat hunting can be defined as “the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain.” The practice uses techniques from art, science and military intelligence, with internal and external data sources informing the science of statistical and cognitive analysis. Human intelligence analyzes the results and informs the art of a response. Last year, 91 percent of security leaders reported improved response speed and accuracy as a result of threat detection and investigation, according to the SANS Institute.

Threat hunting is not defined by solutions, although tools and techniques can significantly improve efficiency and outcomes. Instead, it’s defined by a widely accepted framework from Sqrrl. These are the four stages of Sqrrl’s Threat Hunting Loop:

  1. Create a hypothesis.
  2. Investigate via tools and techniques.
  3. Discover new patterns and adversary tactics, techniques and procedures (TTPs).
  4. Inform and enrich automated analytics for the next hunt.

The goal for any security team should be to complete this loop as efficiently as possible. The quicker you can do so, the quicker you can automate new processes that will help find the next threat.
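One pass through the four-stage loop above, run against constructed authentication log lines, as an added example (not from the article or any vendor product). The hypothesis is the one the opening scenario suggests: an account that successfully logs on to many distinct hosts within a short window is moving laterally. The log format, accounts and host names are all invented for the example.

```python
"""Hypothesis-driven hunt over constructed logon events, ending with a rule
that an automated analytic can run next time (stage 4 of the loop)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log lines: "<timestamp> <account> <source_host> -> <destination_host> <result>"
AUTH_LOG = """\
2019-03-04T09:02:11 jsmith WS-0412 -> FS-01 success
2019-03-04T09:15:40 jsmith WS-0412 -> MAIL-02 success
2019-03-04T22:41:03 svc_backup WS-0412 -> FS-01 success
2019-03-04T22:43:19 svc_backup WS-0412 -> HR-DB-01 success
2019-03-04T22:44:52 svc_backup WS-0412 -> FIN-DB-01 failure
2019-03-04T22:45:10 svc_backup WS-0412 -> FIN-DB-01 success
2019-03-04T22:51:37 svc_backup WS-0412 -> DC-01 success
2019-03-04T23:02:08 svc_backup WS-0412 -> FS-02 success
2019-03-05T08:30:00 mlee WS-0077 -> FS-01 success
"""

def parse(log: str) -> List[Dict]:
    """Turn the raw lines into events; a SIEM would normally do this at ingest."""
    events = []
    for line in log.splitlines():
        ts, user, src, _arrow, dst, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "ok": result == "success"})
    return events

def fanout_per_account(events: List[Dict], window: timedelta) -> Dict[str, Dict]:
    """Stage 2, investigate: for each account, slide a window over its successful
    logons and keep the largest set of distinct destination hosts seen in one window."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            by_user[e["user"]].append(e)
    result = {}
    for user, evs in by_user.items():
        best: set = set()
        for i, start in enumerate(evs):
            hosts = {x["dst"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) > len(best):
                best = hosts
        result[user] = {"hosts": sorted(best),
                        "sources": sorted({x["src"] for x in evs}),
                        "first": evs[0]["ts"], "last": evs[-1]["ts"]}
    return result

def hunt(events: List[Dict], window=timedelta(hours=1), min_hosts=4) -> List[Dict]:
    """Stage 3, discover: report accounts whose fan-out meets the hypothesis
    threshold, with the context an analyst needs to judge whether it is benign
    (which workstations it came from, and whether it happened off hours)."""
    findings = []
    for user, stats in fanout_per_account(events, window).items():
        if len(stats["hosts"]) >= min_hosts:
            hour = stats["first"].hour
            findings.append({"user": user, **stats,
                             "off_hours": hour >= 20 or hour < 6})
    return findings

def to_detection_rule(events, window=timedelta(hours=1), min_hosts=4) -> Dict:
    """Stage 4, inform: turn the hunt into a scheduled analytic. The threshold is
    kept above the largest fan-out seen for accounts the hunt did not flag, so the
    automated rule does not fire on the normal behaviour present in this data."""
    stats = fanout_per_account(events, window)
    flagged = {f["user"] for f in hunt(events, window, min_hosts)}
    benign_max = max((len(s["hosts"]) for u, s in stats.items() if u not in flagged),
                     default=0)
    return {"name": "distinct_logon_targets_per_account",
            "window_minutes": int(window.total_seconds() // 60),
            "min_distinct_hosts": max(min_hosts, benign_max + 1),
            "seen_in_hunt": sorted(flagged)}

if __name__ == "__main__":
    evs = parse(AUTH_LOG)
    for f in hunt(evs):
        print(f"{f['user']}: {len(f['hosts'])} hosts from {f['sources']}, "
              f"off_hours={f['off_hours']}")
    print(to_detection_rule(evs))
```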

The 4 Characteristics of a Comprehensive Threat Hunting Capability

A mature threat hunting capability is closely associated with SOC maturity. The least mature SOCs have human analysts who act as a firewall. As SOCs approach maturity and adopt security information and event management (SIEM) tools, their capacity to reactively investigate indicators of compromise (IoCs) increases. The most mature SOCs take a proactive approach to investigating IoCs, with researchers, analysts, solutions and a clearly defined methodology to orchestrate both investigation and response. A comprehensive capacity for hunting threats is defined by four key characteristics:

  1. Data handling: The ability to handle a deluge of data across siloed networks, including insight into internal risks, advanced activities from external threat actors and real-time threat intelligence from third-party sources.
  2. Data analysis: The ability to correlate a high volume and velocity of disparate data sources into information and, ultimately, intelligence.
  3. Informed action: Resources to increase threat hunters’ skills and easily feed threat intelligence through training, policy and cognitive capabilities.
  4. Orchestrated action: Defined processes and methodologies to hunt threats in a repeatable and orchestrated way that informs proactive security capabilities throughout the organization.

Organizations that fail to increase SOC maturity and adopt the solutions and processes for hunting threats face a number of risks. Relying on manual research methodologies can lead to costly data breaches and permanent brand damage when APTs evade detection. A lack of solutions and methods for an orchestrated IoC investigation process means less efficient and accurate operations. The absence of SOC orchestration encourages heavily manual processes.

The Diverse Business Benefits of Hunting Threats

Using cognitive intelligence tools to enhance SOC capabilities, Sogeti Luxembourg successfully reduced the average time of root cause determination and threat investigation from three hours to three minutes. In the process, the financial institution sped up their threat investigation process by 50 percent and saw a tenfold increase in actionable threat indicators.

Hunting threats can offer a number of benefits to both the business and the security operations center. The outcomes include greater protection of reputation, a more intelligent SOC and orchestrated security response.

Reputation Protection

Falling prey to an APT can cause lasting damage to a brand. One core benefit of implementing a more sophisticated threat hunting capability is the potential to guard against the most costly data breaches, which typically result in millions of lost records or permanent data deletion.

SOC Maturity

SOC analyst stress and falsely assigned benign positives are at record highs. APTs can easily go unnoticed due to the sheer volume of noise, which creates a culture of alert fatigue.

Achieving mature threat detection capabilities can change how analysts work and allow organizations to implement a cognitive SOC. Security analytics platforms enhance human intelligence and reduce manual research, and correlation tools provide real-time insight from a variety of structured and unstructured third-party data sources.

Orchestrated Security Response

With the technological capabilities to outthink adversaries, organizations can inform a proactive, unified approach to incident response (IR) that begins in the SOC. Internal and external data sources augment the intelligence of human analysts, allowing real-time, informed decision-making. Investigations and response can inform action as soon as anomalous behaviors or patterns are detected. The result is a defined process that allows your organization to mitigate threats earlier in the Cyber Kill Chain.

Intelligent Response to Sophisticated Threats

The majority of threats your organization faces each day will fit predictable patterns. While APTs make up a statistically small percentage of incidents investigated by an SOC, sophisticated threat actors use unique tactics and techniques to evade detection in a noisy SOC. These threats are the most likely to evade detection and result in highly expensive cybercrime.

State-sponsored criminal activity and attacks launched by sophisticated crime collectives are increasing. To guard against these increasingly complex threat vectors, organizations need to proactively prepare their defenses. Implementing cognitive tools in the SOC can enable organizations to adopt proactive threat hunting capabilities that leverage both art and science. By combining repeatable processes for threat investigation with intelligent solutions and skilled analysts, organizations can respond to threats earlier in the kill chain and protect their most critical assets.



This post appeared first on Security Intelligence
Author: Rob Patey


Top 2019 Cybersecurity Predictions From the Resilient Year-End Webinar

2018 was another significant year for the cybersecurity industry, with sweeping changes that will impact security professionals for years to come.

The General Data Protection Regulation (GDPR) finally went into effect, dramatically reshaping the way companies and consumers manage data privacy. Security teams stepped up their battle against technology complexity by increasingly migrating to the cloud and adopting security platforms. And several emerging security technologies — such as incident response automation and orchestration, artificial intelligence (AI), and machine learning — continued to evolve and saw increased adoption as a result.

As security teams continue pushing to get ahead of adversaries, these trends will almost certainly have long-term impacts. But what do they mean for 2019?

Bold Cybersecurity Predictions for 2019

Recently, I was fortunate to host a panel of cybersecurity experts for IBM Resilient’s sixth annual end-of-year and predictions webinar, including Bruce Schneier, chief technology officer (CTO) at IBM Resilient and special advisor to IBM Security; Jon Oltsik, senior principal analyst at Enterprise Strategy Group; Ted Julian, co-founder and vice president of product management at IBM Resilient; and Gant Redmon, program director of cybersecurity and privacy at IBM Resilient.

During the webinar, the team discussed and debated the trends that defined 2018 and offered cybersecurity predictions on what the industry can expect in 2019. In the spirit of keeping our experts honest, below are the four boldest predictions from the panel.

Bruce Schneier: There Will Be a Major IoT Cyberattack … or Not

Last year, Bruce predicted that a major internet of things (IoT) cyberattack would make the news, perhaps targeting automobiles or medical devices. Fortunately, that wasn’t the case in 2018. But could it happen in 2019?

Bruce’s prediction: maybe (yes, he’s hedging his bet). There are certainly many risks and vulnerabilities associated with the rise of IoT devices. Regardless of whether a major attack is imminent, IoT security needs to be a top priority for security teams in 2019. This prediction is in line with Bruce’s latest book, “Click Here to Kill Everybody.”

Ted Julian: Security Automation Will Create Unintended Negative Consequences

Incident response automation and orchestration is an increasingly popular way for security teams to streamline repetitive processes and make analysts more efficient, but automating poorly defined processes could create bigger issues.

Automated processes accidentally taking down systems is a familiar problem in the IT space. In 2019, we will see an example of security automation hurting an organization in unforeseen ways.

To avoid this, organizations need to consider how they employ technology when orchestrating incident response processes. They should focus on aligning people, processes and technology and methodically employ automation to further empower their security employees.

Jon Oltsik: Continuous Risk Management Will Help Organizations Better Understand Risks

Today, risk assessments and vulnerability scans give organizations a point-in-time look at their security posture and threat landscape. But in 2019, that won’t be enough. Security leadership — as well as executives and board members — need real-time information about the risks they face and what needs to be done to improve. Establishing a system of continuous risk management will help security teams enable this reality.

Gant Redmon: New Laws Will Provide Safe Harbor to Compliant Organizations

A pending law in Ohio would provide a first in U.S. data privacy regulations: providing safe harbor from tort claims to organizations that are in compliance with their security regulations. In other words, if an organization suffers a data breach but is in compliance with its regulatory obligations, it will be protected from lawsuits related to that breach.

While the Ohio law is the first of its kind, we will no doubt start to hear of similar regulations emerging throughout 2019.

What are your cybersecurity predictions for 2019? Tweet to us at @IBMSecurity and let us know!


The post Top 2019 Cybersecurity Predictions From the Resilient Year-End Webinar appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Maria Battaglia

Automation, Incident Response, Incident Response (IR), Incident Response Plan, orchestration, Skills Gap,

3 Keys to Building a Scalable Incident Response Automation and Orchestration Plan

Incident response (IR) automation and orchestration is crucial to operationalizing cybersecurity, giving overburdened security professionals relief by streamlining processes, maximizing the efficiency of their resources and increasing their organization’s overall security posture. As the volume of security alerts skyrockets and the skills gap widens, security teams are rapidly implementing IR automation and orchestration technologies to keep up: Nearly 85 percent of businesses have adopted or are currently adopting these solutions, according to Enterprise Strategy Group.

Craft a Robust Incident Response Plan That Works for You

Despite this growth, successfully implementing automation and orchestration isn’t as simple as deploying technology. Security teams need to start with a robust IR plan; if you’re going to streamline processes, you first need to define what those processes are.

The playbook — the exact tasks and actions your organization will take in response to various incident types — is the heart of the IR plan. Whether your organization is building an IR program from scratch or implementing advanced orchestration tools, your documented IR processes are the foundation. And with a few key considerations, your team can build IR playbooks that continue to pay dividends long into the future.

Here are three keys to building a robust, consistent incident response plan:

1. Build Your Initial Playbook Around Manual Actions

A good incident response playbook should be functional regardless of the efficiency afforded by external technologies. Focus on capturing and documenting the full extent of tasks analysts may need to perform during the IR process, and plan for future orchestration and automation that will aid and assist human analysts’ decisions and actions during an incident.

While creating these manual tasks, make them action-oriented and include a measured purpose and outcome for each. Give the analyst the “why” when you can, and make the task instructions as descriptive and detailed as possible. Doing so will allow for easy verification and validation and enable processes to be transferable up and down the team. You’ll also end up creating training opportunities and allowing for smooth internal and external audits.

2. Enable Continual Process Assessment and Refinement

Incident response is a process of continual improvement, and IR playbooks should enable maintenance and growth — such as the replacement or removal of certain tasks based on learnings from simulations and real-world experience.

Consider how your playbooks are stored, referenced and maintained. No matter the format — paper, electronic, tribal knowledge — updating and disseminating IR playbooks can be challenging. A centralized and secured platform, such as an internal wiki or document share, enables better collaborative management, and a dedicated IR platform enables seamless collaboration before, during and after an incident.

A feedback loop, also known as a post-incident analysis process or an after-action review (AAR), is critical to the success and continual improvement of the organization’s response time and operational effectiveness. Additionally, to orchestrate and automate certain user tasks and actions to streamline response, you’ll need tried-and-true metrics to understand which of those processes should be automated and the ability to measure the impact and return on investment (ROI) of that automation. We’ll outline examples of these metrics in a future blog post.

3. Design Your Playbooks to Be Iterative and Scalable

As your incident response program grows, you’ll want the ability to quickly develop new playbooks for additional incident types or scenarios to both account for changes in the threat landscape and to change the scope of existing playbooks.

Try to identify common processes and tasks to group into modules and share across your playbooks, allowing for greater flexibility in how they are applied and maintained. Of course, where applicable, create and maintain the very specific and detailed work effort related to a discrete process. As technologies, skills, requirements and resources change, you can quickly adapt your now modular processes to account for them without having to make piecemeal edits to many unrelated and potentially duplicated tasks.

Reuse these common tasks and modular processes to avoid the cumbersome and inefficient effort of developing new playbooks from scratch.
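As an added example (not code from the post or from any product it mentions), here is one way to represent playbooks as data so that the three keys above can be checked mechanically: every task carries instructions, a purpose and an outcome that an auditor can verify; after-action timings feed a metric that flags which manual tasks are worth automating; and task modules are shared between playbooks rather than copied. The task names, timings and thresholds are constructed for illustration.

```python
"""Modular incident response playbooks as data (added example, not from the post).

Key 1: tasks are documented manual actions with a purpose and an outcome.
Key 2: after-action review timings drive a metric that flags automation candidates.
Key 3: common task modules are shared across playbooks instead of duplicated.
All task names, durations and thresholds below are constructed for the example.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass(frozen=True)
class Task:
    name: str
    instructions: str          # what the analyst does, step by step
    purpose: str               # the "why" given to the analyst
    outcome: str               # the measurable result a reviewer can verify
    automatable: bool = False  # could a tool perform this without a human decision?


@dataclass
class Module:
    """A reusable group of tasks shared across playbooks (key 3)."""
    name: str
    tasks: List[Task]


@dataclass
class Playbook:
    incident_type: str
    modules: List[Module]

    def tasks(self) -> List[Task]:
        return [t for m in self.modules for t in m.tasks]


def validate(playbook: Playbook) -> List[str]:
    """Key 1: every task must have instructions, a purpose and an outcome.

    Returns a list of problems; an empty list means the playbook is auditable.
    """
    problems = []
    seen = set()
    for t in playbook.tasks():
        for field_name in ("instructions", "purpose", "outcome"):
            if not getattr(t, field_name).strip():
                problems.append(f"{t.name}: missing {field_name}")
        if t.name in seen:
            problems.append(f"{t.name}: duplicated across modules")
        seen.add(t.name)
    return problems


def automation_candidates(playbook: Playbook, timings: Dict[str, List[float]],
                          min_runs: int = 3, min_mean_minutes: float = 10.0) -> List[str]:
    """Key 2: use after-action review timings to decide what to automate.

    A task is a candidate when it is automatable, has been run at least
    min_runs times and averages at least min_mean_minutes of analyst time.
    The thresholds are constructed for the example.
    """
    out = []
    for t in playbook.tasks():
        runs = timings.get(t.name, [])
        if t.automatable and len(runs) >= min_runs and mean(runs) >= min_mean_minutes:
            out.append(t.name)
    return out


# Shared modules (constructed examples)
TRIAGE = Module("triage", [
    Task("collect-alert-context", "Pull the alert, source host, user and time window from the SIEM.",
         "Analysts need the full context before deciding severity.",
         "Ticket contains host, user, time window and alert ID.", automatable=True),
    Task("assign-severity", "Rate severity using the incident severity matrix.",
         "Severity drives escalation and SLA.", "Severity recorded on ticket."),
])

CONTAINMENT = Module("containment", [
    Task("isolate-host", "Request network isolation of the affected host via the EDR console.",
         "Stops lateral movement while the investigation proceeds.",
         "Host shows isolated state in EDR; time recorded.", automatable=True),
])

CLOSEOUT = Module("closeout", [
    Task("after-action-review", "Record task durations, what worked and what to change.",
         "Feeds the continual improvement loop.", "AAR document attached to ticket."),
])

PHISHING = Playbook("phishing", [TRIAGE, CONTAINMENT, CLOSEOUT])
MALWARE = Playbook("malware", [TRIAGE, CONTAINMENT, CLOSEOUT])  # reuses the same modules

# Constructed after-action timings in minutes, per task, from past incidents
TIMINGS = {
    "collect-alert-context": [12.0, 15.0, 11.0, 14.0],
    "assign-severity": [5.0, 4.0, 6.0],
    "isolate-host": [2.0, 3.0, 2.5],
}

if __name__ == "__main__":
    print("problems:", validate(PHISHING) or "none")
    print("automate next:", automation_candidates(PHISHING, TIMINGS))
```

Because `MALWARE` and `PHISHING` reference the same `Module` objects, a fix to the triage module is picked up by both playbooks at once, which is the maintenance benefit the third key describes; `validate` is what an internal audit would run before a playbook is published.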

Build Today for Future Success

A robust, documented incident response plan is the foundation of a successful automation and orchestration program. By focusing on the right details today and enabling agility and growth, your solid and scalable IR playbooks will deliver benefits for years.


The post 3 Keys to Building a Scalable Incident Response Automation and Orchestration Plan appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Brenden Glynn

Automation, Gartner Magic Quadrant, Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Security Services, Security Solutions, Threat Detection, Threat Intelligence,

3 Security Business Benefits From a 2018 Gartner Magic Quadrant SIEM Leader

Last week Gartner published its 2018 Magic Quadrant for Security Information and Event Management (SIEM). As in past years, the report supports the steady evolution of SIEM technology and the growing demand from customers for simple SIEM functionality with an architecture built to scale that meets both current and future use cases.

So how do we interpret from Gartner what it means to be a SIEM leader in 2018? Based on a quick dissection, the main characteristics of a leading SIEM tool are centered around innovation in early threat detection, adaptation to customer environments and strong market presence.


What Separates a SIEM Leader From the Rest of the Market?

The first element, early detection via analytics — more clearly stated as efficacy in threat detection and response — remains the centerpiece of any effective SIEM solution. Security analysts and security operations center (SOC) leaders today need to detect both known and unknown threats in real time. By applying analytics to a combination of threat intelligence, behavioral analytics and a wide variety of security monitoring data, organizations can improve both their time to detection and total alert volumes. While these two basic outcomes — reduced dwell time and fewer alerts — sound tactical, they can ultimately help security teams become less distracted and more effective at managing threats, which helps reduce business risks and liabilities and maintain a positive brand reputation.


The second element of Gartner’s definition of a leader, rapid adaptation to customer environments, is becoming a core factor in how much return on investment (ROI) customers realize and how quickly they realize it. Ad hoc content, add-on applications and flexibility in upgrading the platform are all required to mature a SIEM system in an affordable way once it’s installed.

Also included in this element is the ability to scale the platform in terms of both network coverage and security capabilities. By using out-of-the-box content to automate and streamline more security workflows, organizations can better combat challenges related to the shortage of skills and headcount and better enable the business to adopt new technologies that can help increase its competitive position.

The third element of a leading SIEM is strong market presence and easy access to services. Growth rates around the world still vary based on local security maturity, regulations and specific geographic needs. Customers are looking for access to local resources to help meet their unique requirements and learn lessons from a local community that has already gone through SIEM deployment. It is not uncommon for customers to first select a SIEM platform and then find a local managed service provider or systems integrator for operational support or oversight. Support for this approach provides SIEM users with multiple options to help optimize operating expenses without cutting into expertise.

Take Your SIEM Deployment to the Next Level

IBM was named a SIEM leader in the 2018 Gartner Magic Quadrant report. The IBM QRadar platform has demonstrated continuous innovation that has expanded its value, from its origins in network behavior anomaly detection to real-time threat detection to more recent developments that help automate investigations and streamline orchestrated response processes.

Unique to QRadar is the simplified approach to provide a continuous evolution of use cases and deployment options via optimized content packs, easily downloadable apps from IBM Security App Exchange and flexible deployment options that support organizations regardless of where they are on their cloud journey.

Market presence also contributed to IBM’s leadership; a community of thousands of customers worldwide, a strong business partner network and a wealth of services options allows QRadar customers to easily find knowledgeable local resources that can help them maintain and scale their platform.

To learn more about Gartner’s full review of QRadar, SIEM market trends and vendor evaluation criteria, download your complimentary copy of the 2018 Gartner Magic Quadrant for SIEM. We also invite you to register for our upcoming webinar, “Stay Ahead of Threat Detection & Response with a Scalable SIEM Platform.” The webinar will take place Dec. 18 at 11 a.m. ET and will be available to watch on-demand thereafter.


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post 3 Security Business Benefits From a 2018 Gartner Magic Quadrant SIEM Leader appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: John Burnham

Analytics, Artificial intelligence, Artificial Intelligence (AI), Automation, Chief Information Security Officer (CISO), CISO, Cybersecurity Jobs, Security Leader, Security Leadership, Security Professionals, Security Strategy, Skills Gap,

Soft Skills, Solid Benefits: Cybersecurity Staffing Shifts Gears to Bring in New Skill Sets

With millions of unfilled cybersecurity jobs and security experts in high demand, chief information security officers (CISOs) are starting to think outside the box to bridge the skills gap. Already, initiatives such as outsourced support and systems automation are making inroads to reduce IT stress and improve efficiency — but they’re not enough to drive long-term success.

Enter the next frontier for forward-thinking technology executives: Soft skills.

How Important Are Soft Skills in the Enterprise?

Soft skills stem from personality traits and characteristics. Common examples include excellent communication, above-average empathy and the ability to demystify tech jargon, as opposed to the certifications and degrees associated with traditional IT skills.

Historically, IT organizations have prioritized harder skills over their softer counterparts — what good is empathy in solving storage problems or improving server uptime? However, as noted by Forbes, recent Google data revealed measurable benefits when teams contain a mix of hard and soft skills. The search giant found that the “highest-performing teams were interdisciplinary groups that benefited heavily from employees who brought strong soft skills to the collaborative process.”

How Can Companies Quantify Qualitative Skill Sets?

Soft skills drive value, but how can organizations quantify qualitative characteristics? Which skill sets offer the greatest value for corporate objectives?

When it comes to prioritization, your mileage may vary; depending on the nature and complexity of IT projects, different skills provide different value. For example, long-term projects that require cross-departmental collaboration could benefit from highly communicative IT experts, while quick-turnaround mobile application developments may require creative thinking to identify potential security weaknesses.

According to Tripwire, there is some industry consensus on the most sought-after skills: Analytical thinking tops the list at 65 percent, followed by good communication (60 percent), troubleshooting (59 percent) and strong ethical behavior (58 percent). CIO calls out skills such as in-house customer service, a collaborative mindset and emotional intelligence.

Start Your Search for Soft Cybersecurity Skills

The rise of soft skills isn’t happening in a vacuum. As noted by a recent Capgemini study, “The talent gap in soft digital skills is more pronounced than in hard digital skills,” with 51 percent of companies citing a lack of hard digital skills and 59 percent pointing to a need for softer skill sets. CISOs must strive to create hiring practices that seek out soft-skilled applicants and a corporate culture that makes the best use of these skills.

When it comes to hiring, start by identifying a shortlist of skills that would benefit IT projects — these might include above-average communication, emotional aptitude or adaptability — then recruit with these skills in mind. This might mean tapping new collar candidates who lack formal certifications but have the drive and determination to work in cybersecurity. It also means designing an interview process that focuses on staff interaction and the ability of prospective employees to recognize and manage interpersonal conflict.

It’s also critical to create a plan for long-term retention. Enterprises must create IT environments that maximize employee autonomy and give staff the ability to implement real change. Just like hard skills, if soft skills aren’t used regularly they can decay over time — and employees won’t wait around if companies aren’t willing to change.

Cultivate Relationships Between Humans and Hardware

Just as IT certifications are adapting to meet the demands of new software, hardware and infrastructure, soft skills are also changing as technology evolves. Consider the rise of artificial intelligence (AI): Often portrayed positively as a key component of automated processes and negatively as an IT job stealer, there’s an emerging need for IT skills that streamline AI interaction and fill in critical performance gaps.

As noted by HR Technologist, tasks that require emotional intelligence are naturally resistant to AI. These include everything from delivering boardroom presentations to analyzing qualitative user feedback or assisting staff with cybersecurity concerns. Here, the human nature of soft skills provides their core value: Over time, these skills will set employees apart from their peers and organizations apart from the competition. Enterprises must also court professionals capable of communicating with AI tools and human colleagues with equal facility. These soft-centric characteristics position new collar employees as the bridge between new technologies and existing stakeholder expectations.

It’s Time to Prioritize Softer Skill Sets

There’s obviously solid value in soft skills — according to a study from the University of Michigan, these skills offer a 256 percent return on investment (ROI). For CISOs, the message is clear: It’s time to prioritize softer skill sets, re-evaluate hiring and recruitment practices, and prepare for a future where the hard skills of AI-enhanced technology require a soft balance to drive cybersecurity success.

The post Soft Skills, Solid Benefits: Cybersecurity Staffing Shifts Gears to Bring in New Skill Sets appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Douglas Bonderud

Automation, Compliance, Data Protection, Endpoint, Endpoint Management, Endpoint Security, Endpoint Security Solutions, Integrated Security, Patch Management, Security Information and Event Management (SIEM), Vulnerabilities, Vulnerability Management,

How to Reduce Hidden Endpoint Management Costs and Increase Efficiency

This is the second blog in a two-part series about the hidden costs of endpoint management and how to avoid them. Be sure to read part 1 for the full story.

We all want faster, better endpoint management solutions at a reduced cost — but how? In part one of this series, we broke down the SANS Institute report, “Understanding the (True) Costs of Endpoint Management,” and identified the top five factors that increase endpoint management costs, from an overabundance of tools to deficient compliance enforcement.

Now that we’ve acknowledged these challenges, how can security teams address and overcome them? The good news is that there’s no big secret; it simply comes down to following well-established security best practices. Let’s dive into some steps you can follow to avoid these incremental expenses while also reducing complexity and improving agility.

Consolidate the Number of Endpoint Management Tools in Use

Begin by evaluating your current tools: If they don’t help you reduce hidden costs, consider alternative solutions. Too many tools can impact agility and cause slowdowns within the endpoint management process. As analysts and administrators have to sift through more data and dashboards, the ability to effectively manage endpoints becomes more complex, subject to inaccuracies, and susceptible to response delays and other inefficiencies.

Let’s face it: It’s hard to manage multiple tools. To avoid these incremental expenses, consolidate the number of tools your organization uses with a single endpoint management solution across all operating systems (OSs). A single solution saves time and effort because you only have to go to one dashboard to determine how many endpoints are at risk or push patches.

This also helps reduce infrastructure costs because you won’t need as many management servers — and all their associated software — to gain visibility into your endpoints. This helps reduce software, maintenance, support and assurance costs. Finally, with fewer tools to manage, your IT staff will be able to quickly remediate threats and respond to information requests — and have more confidence in their answers.


Garner Visibility Across Your Endpoint Landscape

Access to timely, accurate endpoint information across the enterprise starts with comprehensive endpoint visibility — but it’s not always available or easy to obtain. Seeing only part of the picture is not enough, because you can’t fix what you can’t see.

Improve visibility by using a single solution that gives you the real-time information you need across all OSs throughout the enterprise. Make sure it provides up-to-date information on all endpoints, including those not currently on the corporate network at the time of query.

Next, verify the level of accuracy your endpoint security solution provides so you can be confident in your information and make sound decisions based on actual vulnerability exposure and risk.

Finally, make sure your solution provides endpoint information quickly so the data you collect is relevant and high-value. Together, these factors will enable you to effectively prioritize and respond to the most critical vulnerabilities in a timely manner.

Improve Patching Efficiency

Keeping up with the number and frequency of patching demands across mobile devices, servers and/or automated teller machines (ATMs) can be a struggle — one that is exacerbated by the sheer number of devices, OSs, dispersed locations, intermittent network connectivity and even slow bandwidth. Suboptimal first-pass patching success rates also tend to complicate things.

According to the SANS report, 68 percent of respondents had first-pass patch success rates below 90 percent, with 16 percent acknowledging rates below 60 percent and 12 percent admitting they didn’t know how successful they were on their first attempt to patch endpoints. Inefficient patching increases both costs and security risks by leaving endpoints open to attack. This impacts IT response time and consumes scarce resources.

To improve patching efficiency, follow a “build once, use many” methodology and look for a single endpoint management solution that enables you to create and apply patches, regardless of OS, across all your endpoints simultaneously — even those not on a corporate network or in locations with low bandwidth. Use a tool with as few patch dependencies as possible to further improve efficiency. The fewer the dependencies, the fewer things that can go wrong, and the more stable your patch agents and efforts will be in the long term.

Patch verification is another way to improve efficiency. Use a tool that not only checks to see if a patch was installed, but also performs a deeper inspection to see if the vulnerabilities the patch was supposed to update were in fact updated. For example, was the dynamic-link library (DLL) version updated, and is it now at the correct version level?
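The deeper inspection described above, as an added example rather than code from the post or from any endpoint management product: instead of trusting the agent's "installed" status, the check reads the version of the file the patch was supposed to replace and classifies each endpoint, then computes the first-pass success rate that the SANS survey respondents were asked about. The hostnames, the DLL path and every version number are constructed for illustration.

```python
"""Patch verification by inspecting file versions (added example, not from the post).

The post recommends a tool that checks not only whether a patch reports
as installed but whether the files it should update actually changed.
This script does that second check over a constructed endpoint inventory
and computes the first-pass success rate the SANS survey asks about.
Hostnames, the DLL path and version numbers are all constructed.
"""
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.0.17763.1' -> (10, 0, 17763, 1); tuples compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def files_updated(installed: Dict[str, str], expected: Dict[str, str]) -> bool:
    """True only if every file the patch should update is at or above the expected version."""
    for path, wanted in expected.items():
        have = installed.get(path)
        if have is None or parse_version(have) < parse_version(wanted):
            return False
    return True


def verify_fleet(fleet: List[dict], expected: Dict[str, str]) -> dict:
    """Classify each endpoint after a first patch pass.

    verified:      the files are at the expected version, whatever the agent reports
    reported_only: the agent says installed but the files never changed (silent failure)
    failed:        the agent reports no install and the files are stale or missing
    """
    verified, reported_only, failed = [], [], []
    for ep in fleet:
        if files_updated(ep["files"], expected):
            verified.append(ep["host"])
        elif ep["reports_installed"]:
            reported_only.append(ep["host"])
        else:
            failed.append(ep["host"])
    return {
        "first_pass_success_rate": len(verified) / len(fleet) if fleet else 0.0,
        "verified": verified,
        "reported_only": reported_only,
        "needs_reattempt": reported_only + failed,
    }


# Constructed: the file the patch is expected to replace and its target version.
EXPECTED_FILES = {r"C:\Windows\System32\example.dll": "10.0.17763.1"}

# Constructed inventory, as a management agent might return it after the first pass.
FLEET = [
    {"host": "ws01", "reports_installed": True,
     "files": {r"C:\Windows\System32\example.dll": "10.0.17763.1"}},
    {"host": "ws02", "reports_installed": True,   # agent says installed, DLL never changed
     "files": {r"C:\Windows\System32\example.dll": "10.0.17134.0"}},
    {"host": "ws03", "reports_installed": False,  # offline during the patch window
     "files": {}},
    {"host": "srv01", "reports_installed": True,  # newer than required still passes
     "files": {r"C:\Windows\System32\example.dll": "10.0.17763.5"}},
]

if __name__ == "__main__":
    result = verify_fleet(FLEET, EXPECTED_FILES)
    print(f"first-pass success: {result['first_pass_success_rate']:.0%}")
    print("re-run patch on:", ", ".join(result["needs_reattempt"]))
```

The `reported_only` bucket is the one that matters for cost: those endpoints would be counted as patched by a status-only check and would stay exposed until the next scan noticed the stale file version.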

Drive Consistent Compliance Throughout the Enterprise

IT and security teams want to execute their company’s security mission, improve its security posture, and adhere to regulatory and corporate mandates. But achieving a steady state of compliance can sometimes be challenging.

To better enforce compliance and consistently remediate drift, use an endpoint management solution that supports relevant industry standards. Leverage prepackaged content for these standards, but also ensure that the tool can be customized for your unique environment. This will help simplify and shorten compliance efforts.

Verify that your solution actively and consistently enforces your endpoint compliance policies and make sure it automates the process of deploying or re-implementing your golden image consistently across all endpoints. In addition, use tools that can quickly and accurately verify endpoint compliance status to better understand your current attack surface and reduce risk. Finally, evaluate the reporting and trending analysis capabilities of your tool to ensure that you can adequately track compliance performance over time.

Automate and Integrate Endpoint Management and Security Tools

Let’s not forget about the importance of integration and automation. IT infrastructure and security teams have different responsibilities, are typically siloed and use different, nonintegrated tools. Over time, most organizations purchase multiple point products to address multiple emerging threats.

Security teams are typically responsible for identifying endpoint vulnerabilities and prioritizing remediation efforts, but they usually can’t make changes on endpoints and often don’t have the visibility to make well-informed decisions. On the other side, infrastructure teams, who are tasked with making changes on endpoints, can be overwhelmed by the number of tools and endpoints and the constant volume of required changes. Additionally, these teams often lack insight into risk rankings, so it’s hard to prioritize activities such as patching. This exacerbates the lack of visibility, inefficient processes, sporadic endpoint hygiene and inconsistent compliance problems we’ve previously outlined, and can also delay your ability to respond to potential threats and active attacks.

So where do you begin? Look for an endpoint security solution that enables automated and repeatable processes across OSs. Leverage a tool that enables you to build once and use many times, so you don’t have to re-engineer multiple times for different tools and OSs. Different tools provide data in different formats, which can impact your ability to quickly and accurately collate meaningful information and share data between systems. An endpoint management tool should support industry-standard application programming interfaces (APIs) such as Simple Object Access Protocol (SOAP) and Representational State Transfer (REST). This will enable easier, faster data collation and sharing since the data will be available in compatible formats and require less engineering effort to reformat into a common data set.

If you need custom integration work, understand the level of effort needed to share endpoint data with other applications. For example, does your existing tool incorporate common vulnerability information so you can evaluate and prioritize where to start when it comes to patching? How easily does your endpoint data integrate with your configuration management database (CMDB)?

If you are going down the custom integration path, start with integrations between your security information and event management (SIEM) and endpoint management tools. This will enable your security teams to have the visibility they need to assess endpoint vulnerability risk and prioritize patching for your operations teams. It will also reduce your attack surface and help ensure that your teams focus on the most important security risks first.
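To make the collation and prioritization described in the last three paragraphs concrete, here is an added example (not code from the post or from any vendor it names) that normalizes vulnerability findings from two tools with different export formats into one record type, deduplicates overlaps, and ranks patch work using alert counts a SIEM might supply for each host. The two exports, the hostnames, the vulnerability IDs (placeholders, not real CVE numbers), the alert counts and the scoring weights are all constructed for illustration.

```python
"""Collating endpoint findings from two tools into one schema and ranking patch
work with SIEM context (added example, not from the post).

Two constructed exports, a JSON-style record list from a REST API and a flat
CSV-style export, are normalized into a common record, deduplicated, and joined
with constructed SIEM alert counts so operations teams get a risk-ranked list.
Hostnames, vulnerability IDs (placeholders, not real CVEs) and weights are constructed.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    cvss: float
    internet_facing: bool


def from_rest(records: List[dict]) -> List[Finding]:
    """Normalize a REST/JSON export: nested fields, hostnames lowercased for joining."""
    out = []
    for r in records:
        out.append(Finding(
            host=r["asset"]["hostname"].lower(),
            vuln_id=r["vulnerability"]["id"],
            cvss=float(r["vulnerability"]["cvss"]),
            internet_facing=bool(r["asset"].get("external", False)),
        ))
    return out


def from_csv(text: str) -> List[Finding]:
    """Normalize a flat CSV export with its own column names and Y/N flags."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append(Finding(
            host=row["Host Name"].strip().lower(),
            vuln_id=row["Vuln ID"].strip(),
            cvss=float(row["Severity"]),
            internet_facing=row["Exposed"].strip().upper() == "Y",
        ))
    return out


def merge(*sources: List[Finding]) -> List[Finding]:
    """Deduplicate by (host, vuln_id) so two tools reporting the same issue count once."""
    seen: Dict[Tuple[str, str], Finding] = {}
    for src in sources:
        for f in src:
            seen.setdefault((f.host, f.vuln_id), f)
    return list(seen.values())


def prioritize(findings: List[Finding], siem_alerts: Dict[str, int]) -> List[tuple]:
    """Rank patch work: CVSS base, +2 if internet-facing, +1 per recent SIEM alert (capped at 3).

    The weights are constructed for the example; tune them to your own risk model.
    """
    ranked = []
    for f in findings:
        score = f.cvss + (2.0 if f.internet_facing else 0.0) + min(siem_alerts.get(f.host, 0), 3)
        ranked.append((f.host, f.vuln_id, round(score, 1)))
    ranked.sort(key=lambda t: (-t[2], t[0], t[1]))
    return ranked


# Constructed REST export from the first tool
REST_EXPORT = [
    {"asset": {"hostname": "WEB01", "external": True},
     "vulnerability": {"id": "VULN-EXAMPLE-1", "cvss": 7.5}},
    {"asset": {"hostname": "DB01", "external": False},
     "vulnerability": {"id": "VULN-EXAMPLE-2", "cvss": 9.8}},
]

# Constructed CSV export from a second tool; web01/VULN-EXAMPLE-1 overlaps with the REST data
CSV_EXPORT = """Host Name,Vuln ID,Severity,Exposed
web01,VULN-EXAMPLE-1,7.5,Y
ws07,VULN-EXAMPLE-3,5.3,N
"""

# Constructed SIEM alert counts per host for the last seven days
SIEM_ALERTS = {"ws07": 5, "db01": 1}


def ranked_patch_list() -> List[tuple]:
    """Full pipeline: normalize both exports, merge, rank with SIEM context."""
    return prioritize(merge(from_rest(REST_EXPORT), from_csv(CSV_EXPORT)), SIEM_ALERTS)


if __name__ == "__main__":
    for host, vuln_id, score in ranked_patch_list():
        print(f"{score:5.1f}  {host:6}  {vuln_id}")
```

Note that the medium-severity finding on `ws07` ranks close behind the two higher-CVSS ones only because the SIEM has been alerting on that host; that is the kind of context the security team has and the operations team usually lacks when they choose what to patch first.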

Reduce Costs With the Right Endpoint Management Solution

Endpoint management comes with its fair share of hidden, inherent costs. To reduce these costs, look for solutions with discovery capabilities that enable fast, accurate and comprehensive visibility into your endpoint landscape, regardless of whether endpoints are connected to a network. Regularly evaluate your endpoint management capabilities and consider options that enable you to consolidate tools and increase efficiency. Finally, look for an endpoint management solution that enhances security by constantly monitoring and enforcing security and compliance policies across all your endpoints.


The post How to Reduce Hidden Endpoint Management Costs and Increase Efficiency appeared first on Security Intelligence.

Author: Teresa Worth


How Dimitry Snezhkov Balances the Yin and Yang of Penetration Testing

Would you believe that one of the IBM X-Force Red team’s “celebrity hackers” had never physically touched a computer until he was 18 years old?

Dimitry Snezhkov grew up in Ukraine in the 1990s, and his early education didn’t include access to real computers. His “informatics” class consisted of the teacher drawing a keyboard on a whiteboard and showing the class various commands. When they were ready, they graduated to the lab where the teacher would let students watch as he used a single computer.

When Dimitry moved to the U.S. almost 20 years ago and took an English as a second language class at community college, he experienced a major culture shock. Upon handing in his first essay, his teacher rebuked the “handwritten note,” telling him to go to the lab and type it out. Dimitry had to give himself a crash course not only in Microsoft Word, but also in the basics of typing, deleting, saving and more — things we in the U.S. take for granted having grown up around technology.

“I chuckle because I have to teach my grandma the same thing now,” he said.

Today Dimitry believes that learning a system incrementally can feed your curiosity. After teaching himself the fundamentals, he started to think about how the computer itself operated, how to get online, how to chat with people and more.

“Sometimes you want to have more functionality out of that system, so you start tinkering to see how you get there,” he explained. “And this is what you face with security: restrictions, access control, things that prevent you from accomplishing your goal. This is where the true sense of security starts coming out and you’re actually tinkering with things and getting answers. We see a limitation and start lifting those limitations to try to learn more about them.”

IBM X-Force Red team member Dimitry Snezhkov

Why Penetration Testing Is Becoming Mainstream

Dimitry takes this same approach to testing customer security as part of the X-Force Red offensive security services team. With his teammates, he is responsible for everything from initial scoping all the way to client-facing delivery of the test and resulting documentation. He enjoys bridging the gap between his customers’ limited understanding of security and what the testing entails.

“I think over the years, pen testing has become a little bit more mainstream,” he said. “Before it was maybe more esoteric, only employed by companies who had a lot to lose. Also, the attacker would usually have direct monetization interests in penetrating and compromising systems.”

Today, though, as companies move more and more to digital systems, they must protect intellectual property, customer data and more from an increasingly automated onslaught of attacks. Dimitry believes that anything his team can do to illuminate the path of least resistance to a compromise can help customers home in on their vulnerabilities — especially when they may be dealing with legacy systems they’ve forgotten about or processes that have become second nature to those in-house.

“I think learning on your feet is a big deal,” he said. “When we’re faced with an unknown system, we don’t have any knowledge as to what production mechanism it has, who’s watching our steps, what the context may be. We use tools in our team as a litmus test on how applications or networks — or even humans, as we do a fair bit of social engineering in our testing — how those entities that we operate with respond when you probe. We probe and we get a response and we move further.”

A Delicate Dance of Offensive and Defensive Security

Dimitry spends his time probing systems to figure out how they are put together, then prodding further to see what’s wrong with them. But even with an increasing amount of automation — on both the offensive and defensive sides — he stressed that you still need to have an analyst watching and collaborating.

“Automation is something that has to be natural to a team like ours because there’s just no way we can test everything manually from the start,” he said. “We need to cast a wide net to be able to probe where the vulnerabilities are, because in today’s day and age, if you are testing a system and you have come up with a way to compromise that system, it’s almost guaranteed that somebody else on the other side of the world has already done that or is working toward doing the same thing.”

The automation helps testers keep up with attackers and put up defenses more quickly and effectively. It’s a delicate dance — a balance of push and shove, thrust and parry. Even knowing that, you may not have guessed that this logically minded, technology-driven tester is also a partner in a holistic medicine school.

“I have to balance things, and I do think that the idea of yin and yang is very powerful,” he said. “You have to be able to balance and draw on different sides of experiences in life.”

Dimitry uses meditation to help him see the bigger picture, reflect and remain calm in a very demanding role where he’s constantly thinking on his feet.

“I would like people to be open to an alternative mindset,” he said, “be open to looking under the hood, be open to collaboration and be open to full-scope testing.”

To Dimitry, a little mindfulness can go a long way toward helping security professionals and penetration testing experts like himself stay focused on the most pressing threats and think creatively to stay one step ahead of ever-evolving attackers.


The post How Dimitry Snezhkov Balances the Yin and Yang of Penetration Testing appeared first on Security Intelligence.

Author: Security Intelligence Staff