Category Archives: Cybersecurity

HelpSystems Acquires Vera to Broaden Data Security Portfolio

Proven data security solution enables businesses to secure sensitive IP by tightly managing access to information as it’s shared

HelpSystems announced today the acquisition of Vera, a leading cloud-based data protection solution provider. Vera empowers customers in financial services, manufacturing, media & entertainment, and other industries to achieve the fine balance between strong security and productive collaboration by giving users the ability to secure, track, audit, and revoke data access at any time. HelpSystems is acquiring Vera to extend its data security portfolio and meet the increased demand for solutions that protect information throughout the full data lifecycle, from data classification and secure file transfer to data loss prevention and encryption.

Data is always on the move, not only within an organization, but also as it’s shared with customers, partners, and ever-growing remote workforces relying on both on-premises and cloud-based technology. This means the once-impenetrable corporate IT perimeter no longer exists, and managing sensitive files that contain valuable IP, financial data, or customer details requires a new way of thinking.

Vera solves this challenge by attaching military-grade encryption, access controls, security, and policy directly to data, giving companies granular control and audit capabilities over their information. It offers powerful risk mitigation for entities relying on the cloud to store sensitive IP such as product plans, manufacturing designs, financial strategies & results, and security operations audits. It also covers data subject to regulation such as credit card numbers, social security numbers, and patient medical records.

“The market for data security is evolving fast to require a comprehensive approach to discovery, detection, classification and dynamic encryption,” said Kate Bolseth, CEO, HelpSystems. “Vera seamlessly integrates and expands HelpSystems’ data security solution offerings, and we welcome the Vera employees and their expertise to the global HelpSystems family.”

“I’m pleased Vera is joining a global company with a comprehensive set of solutions empowering customers to strengthen their approach to data security,” said Shri Dodani, President and CEO, Vera. “Vera solutions extend HelpSystems’ existing data security portfolio, meeting the needs of our combined customers and partners. We have been working together at some of our largest customers and have proven the joint value proposition, and we look forward to expanding our go-to-market leveraging HelpSystems’ global footprint and resources.”

About HelpSystems

HelpSystems is a software company focused on helping exceptional organizations Build a Better IT™. Our cybersecurity and automation software simplifies critical IT processes to give our customers peace of mind. We know IT transformation is a journey, not a destination. Let’s move forward. Learn more at https://www.fortra.com.


About Vera

Vera is the data-centric security solution leader enabling businesses of all sizes to secure, track and share any kind of data, no matter where it’s stored or located. With robust policy enforcement, strong encryption, and strict access controls, Vera’s data-centric security solution enables employees to collaborate freely while ensuring a high level of security, visibility, and control. Learn more at www.Vera.com.

Tom Kellermann: Countering Cybercrime in the Next Normal

By Tom Kellermann, Head of Cybersecurity Strategy, VMware Carbon Black

COVID-19 has reshaped the global cyberthreat landscape. While cyberattacks have been on the rise, the surge in frequency and increased threat sophistication is notable. The latest VMware Carbon Black Global Incident Threat Report, Extended Enterprise Under Threat – Global Threat Report series, found cybercriminals have seized the opportunity, taking advantage of the global disruption to conduct nefarious activity.


COVID-19 has exacerbated pre-existing cyberthreats

The latest VMware Carbon Black global survey of Incident Response (IR) professionals found that COVID-19 has exacerbated pre-existing cyberthreats, from counter incident response and island hopping to destructive attacks. Remote work compounds this, bringing additional cybersecurity challenges as employees access critical data and applications from their home networks or with personal devices outside of the corporate perimeter. Cybercriminals are also targeting the cloud, which organisations rely on to enable remote work. If you’re a cybercriminal, the pool of people you can trick now is exponentially larger, simply because we are in a global disaster.

As the threat landscape transforms and expands, the underlying methodologies behind the attacks have remained relatively consistent; attackers have only refined their strategies. For example, last Christmas the number one consumer purchase was smart devices, and those devices are now in homes that have fast become office spaces. Cybercriminals can use those family environments as a launchpad to compromise and conduct attacks on organisations. In other words, attackers are still island hopping – but instead of starting from an organisation’s network and moving along the supply chain, the attack may now originate in home infrastructure.


Next-generation cyberattacks require next-generation IR

While more than half (53%) of the IR professionals reported encountering or observing an increase in cyberattacks exploiting COVID-19, this isn’t a one-sided battle and there is much security teams can do to fight back.

Next-generation cyberattacks – with adversaries increasingly working to maintain persistence on systems – call for next-generation IR, especially as corporate perimeters across the world break down. To this point, here are seven key steps that security teams can take to fight back:


  1. Gain better visibility into your system’s endpoints: Doing so can empower security teams to be proactive in their IR – rather than merely responding to attacks once they come, they can hunt out prospective threats. This is increasingly important in today’s landscape, with more attackers seeking to linger for long periods on a network and more vulnerable endpoints online via remote access.
  2. Establish digital distancing practices: People working from home should have two routers, segmenting traffic from work and home devices. They should have a room free of smart devices for holding potentially sensitive conversations. And they should restrict sensitive file sharing across insecure applications, like video conferencing tools.
  3. Enable real-time updates, policies and configurations across the network: This may include updates to VPNs, audits or fixes to configurations across remote endpoints and other security updates – even when outside the corporate network. It’s important to keep in mind the security architecture when making these changes, otherwise, things get changed without having the proper controls in place to react.
  4. Enhance collaboration between IT and security teams – and make IT teams more cybersecurity savvy: As noted, 92 percent of IR professionals agree that a culture of collaboration between IT and security teams will improve enterprise security and response to cyber risks. This is especially true under the added stress of the pandemic. Alignment should also help elevate IT personnel to become experts on their own systems, whether it’s training them to threat hunt on a Windows box or identify anomalous configurations on certain SaaS applications.
  5. Expand cyber-threat hunting: Threat hunting provides ground truth and context, which is essential for defence. Situational awareness depends on ground truth, which is based on the assumption of breach. One must proactively explore the environment for abnormal activity. The cadence of threat hunting must be increased, and the scope should extend to the information supply chain as well as senior executives’ laptops as they work from home.
  6. Integrate Security Controls: Integration allows organisations to uniquely see across traditional boundaries/silos providing richer telemetry and allowing for defenders to react seamlessly.
  7. Remember to communicate: Now more than ever, organizations must motivate IT and SECops to get on the same page and prioritize change management while maintaining clear lines of communication – about new risk factors (application attacks, OS exploitation, smart devices, file-sharing applications, etc.), protocols and security resources.

As we move into the next normal, the workforce will largely remain remote and distributed. Organisations will need to prioritise sharpening their security defences and gaining a clearer picture of the evolving threat landscape to inform today, tomorrow and the challenging months to come.

On average, the British lose £726 per case to online shopping fraud

The lockdown-accelerated online shopping paves the way for scams

According to Adobe Analytics, online shopping is expected to grow by 33% this holiday season because of the lockdowns. On average, there was a loss of £726 per incident to online shopping fraud over last year’s Christmas shopping period, and e-commerce is only booming during the pandemic. Fraudsters also capitalize on this occasion, leaving people’s wallets wiped out.

Britons in their 20s, making up 29% of the total cases in 2020, are the most likely to become victims of online shopping fraud. Overall, 80% of all online shopping fraud victims were under the age of 50. Altogether, £29.7 million was lost to online shopping and auction fraud in the first half of 2020, which is up by over 11,000 cases (37%) compared to the same first half of 2019.

According to the Cyber Risk Index calculated by NordVPN, residents of developed countries are more likely to become victims of cybercrime despite the fact that they consider themselves tech-savvy and well-protected. For example, the United Kingdom ranks 10th globally with a CRI score of 0.647, which is considered high risk. Developed countries offer better access to the internet and higher wages, which translates to more smartphones and heavier usage of online services.

How do fraudsters find their victims?

“Emails and online banners are often the mediums for cybercriminal outreach. Very often, fraudsters use the same methods legitimate advertisers do. They rely on advertising engines like Facebook and Google to push their banners on users. Although these companies have strong safeguards in place, some banners still slip in”, explains Daniel Markuson, a digital privacy expert at NordVPN.

Alternatively, some scammers study their potential future victims and analyze their online behavior, which can be easily done if the victim is browsing the web unprotected. That’s why it’s important to remember that secure websites have HTTPS in their address.

Additionally, users should protect themselves with a VPN connection. It prevents eavesdropping and would make it harder for scammers to intercept their payment.

However, whenever indulging in a shopping spree, e-shoppers should watch out for certain red flags, like offers that look too good to be true or links received from financial institutions, as those might be fake.

Daniel Markuson, a digital privacy expert at NordVPN, has listed 10 key rules to avoid online fraud during this Christmas shopping period:

Only shop on HTTPS websites.

This means that your details are covered by basic TLS encryption all the way from your browser to the site you’re shopping on.

Make sure you’re visiting a legitimate online store.

Before entering any personal information to complete your purchase, make sure you’re in the right online store.

Be careful around URL shorteners.

When you see an ad with a URL shortener for a great deal, consider navigating to the brand’s website yourself simply by using your address bar.

Avoid email links.

Another technique scammers might use to get your credit card information is phishing. It’s a very popular and effective way to hack someone by using carefully crafted emails.

Never shop on public Wi-Fi.

Public Wi-Fi is the perfect place for scammers and hackers to do their work. These networks feature poor security and can be scanned by hackers looking for weak connections.

Monitor your debit card and credit card statements.

You should always keep track of your purchases and their prices. This can help you spot potential hacks or dishonest business practices so you can respond ASAP.

Consider using a virtual credit card.

A virtual credit card is a purely digital credit card that you can only use online. By linking it to a real credit card or debit card you own, you can shop online without ever revealing your actual credit card information.

Keep your browser updated.

It’s important to keep your browser updated and upgraded with the best security and privacy extensions. It will protect your personal information from leaking.

Practice good password security.

Creating unique and secure passwords for every site (and remembering them) can be a tall order if you plan on doing a lot of shopping. But there are tools, such as password managers like NordPass, that will help you.

The less information you give, the better.

If a website asks you for additional personal information that isn’t optional, turn around and leave. Some websites will ask for additional information for marketing purposes, but it won’t be mandatory.


ABOUT NORDVPN

NordVPN is the world’s most advanced VPN service provider used by over 14 million internet users worldwide. NordVPN provides double VPN encryption, malware blocking, and Onion Over VPN. The product is very user-friendly, offers one of the best prices on the market, has over 5,000 servers in 60 countries worldwide, and is P2P-friendly. One of the key features of NordVPN is the zero-log policy. For more information: nordvpn.com.

We’re in a cyber cold war but data science brings new hope

Cyber threats are constantly evolving, meaning attackers are always one step ahead. However new research from Nyenrode Business University brings hope to the fight against online crime.

The research, conducted by PhD candidate Scott Mongeau, reveals that cybersecurity data science can fight cyber threats, but that we can only utilize the benefits of these methods with investment.

“My research observes that hostile countries and criminal networks are already utilizing machine learning to stage attacks. We will need to apply these same methods to defend. Detecting and counteracting threats through analytics and machine learning requires focused research.”

“To realize effective data-driven defence, organizations must invest in the orchestration of people, processes, and technology. This trinity cannot be treated in isolation. If we wish to arm ourselves against the risks of increasingly sophisticated cyberthreats, we must accept and commit the costs involved,” says Mongeau.

Mongeau’s advice is to start by examining where data-driven cyber defence already works well. He explains that a simple example is filtering for phishing emails. Popular email platforms already use machine learning to detect and filter-out dangerous emails from your inbox. The same methods can be used to identify suspicious network traffic and device behaviour.
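The phishing-filter example Mongeau mentions, worked through as an added illustration (this is not code from the article or from Mongeau’s research): a multinomial naive Bayes classifier built with the standard library only, trained on a handful of constructed email bodies, which is the simplest form of the "learn what dangerous mail looks like and score new mail against it" approach that mail platforms apply at scale. The training texts, labels and test messages are all constructed for this example.

```python
"""Minimal naive Bayes phishing classifier (added example, standard library only)."""
import math
import re
from collections import Counter

# Constructed training data: (email body, label). Labels are "phish" or "ham".
TRAINING = [
    ("urgent verify your account password now click link", "phish"),
    ("your account suspended click here to verify password", "phish"),
    ("invoice overdue click link to confirm payment details", "phish"),
    ("security alert unusual login verify your identity now", "phish"),
    ("meeting moved to thursday see agenda attached", "ham"),
    ("lunch on friday with the team", "ham"),
    ("quarterly report draft attached for review", "ham"),
    ("thanks for the update see you at the meeting", "ham"),
]


def tokenize(text):
    """Lower-case word tokens; punctuation and case carry no signal here."""
    return re.findall(r"[a-z0-9]+", text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing, so a word
    never seen in a class does not drive its probability to zero."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter()   # documents per class
        self.word_counts = {}           # class -> Counter of word frequencies
        self.total_words = Counter()    # words per class
        self.vocab = set()

    def fit(self, samples):
        for text, label in samples:
            self.class_counts[label] += 1
            counts = self.word_counts.setdefault(label, Counter())
            for tok in tokenize(text):
                counts[tok] += 1
                self.total_words[label] += 1
                self.vocab.add(tok)

    def log_prob(self, text, label):
        """log P(label) + sum over tokens of log P(token | label)."""
        n_docs = sum(self.class_counts.values())
        lp = math.log(self.class_counts[label] / n_docs)
        denom = self.total_words[label] + self.alpha * len(self.vocab)
        counts = self.word_counts[label]
        for tok in tokenize(text):
            lp += math.log((counts[tok] + self.alpha) / denom)
        return lp

    def predict(self, text):
        return max(self.class_counts, key=lambda label: self.log_prob(text, label))

    def phish_probability(self, text):
        """Posterior P(phish | text), normalised across classes in log space."""
        lps = {label: self.log_prob(text, label) for label in self.class_counts}
        m = max(lps.values())
        z = sum(math.exp(lp - m) for lp in lps.values())
        return math.exp(lps["phish"] - m) / z


def build_model():
    model = NaiveBayes()
    model.fit(TRAINING)
    return model


if __name__ == "__main__":
    model = build_model()
    for msg in ("please verify your password by clicking this link",
                "agenda for thursday meeting attached"):
        print(f"{model.predict(msg):5s} p={model.phish_probability(msg):.3f}  {msg}")
```

The same structure carries over to the network-traffic and device-behaviour cases the paragraph mentions: replace word tokens with features such as destination ports, process names or command-line fragments, and the scoring step is unchanged. The practical cost is in the training data, which is the investment Mongeau’s research points at.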

The research emphasizes the urgency of embracing data-driven security. While data science is a popular topic, best practices for realizing the benefits are lagging. The field of cybersecurity data science has emerged in the last three years. However, the methods are already being adopted by adversaries. We are already seeing the effects, for instance, in the automation of fake news and misinformation campaigns. The researcher believes that we can expect to see increasingly sophisticated attacks utilizing machine learning and AI in the coming years.

According to Mongeau “cyber risks will evolve and expand. The risks relate not only to digital infrastructure, but physical infrastructure, health, and safety. Consider, for example, water management, healthcare, and traffic control. As the digital world increasingly manages the physical world, we must be increasingly cautious concerning digital defence. By investing in research and development for cybersecurity data science we can defend national interests and improve preventative measures.”

The research is particularly important for policy makers as it reveals that structured planning is required in order to provide the best data-driven defence.

The research is published in: “Cybersecurity Data Science: Best Practices in an Emerging Profession”.

The Cognitive Attack Loop of a Cybercriminal

By Tom Kellermann, Head of Cybersecurity Strategy, VMware Carbon Black

While organisations spend enormous amounts of their cyber budget on preparing for a data breach and determining how a breach occurred, there’s an important element they need to take into account – understanding the actual minds and motivations of the attackers.

A clear understanding of attacker motivation lets organisations better anticipate, prepare for and build a proactive advantage against threats. VMware Carbon Black’s recent 2020 Cybersecurity Outlook Report found that attacker behaviour continues to become more evasive, and organisations must respond accordingly. Offense should inform defence, and it is important to uncover ground truth. Once organisations have the full picture, they can effectively shift thinking, people, processes, and technologies to account for new attacker behaviours. Let us consider the security practices that can help better understand the motivations of these attackers.

The Cognitive Attack Loop

There are three phases of cybercriminal behaviour:

Recon and infiltrate. In this initial stage of cybercriminal behaviour, the attacker prepares the operation. This can include selection of the target, determining the best means to gain access to the target and actually gaining that access.

Maintain and manipulate. When attackers have accessed your network, they work to maintain a foothold in this environment while continuing to improve their position to move forward with their goals. Often, to achieve whatever ends the attacker has in mind, they need additional access levels or to circumvent existing controls.

Execute and exfiltrate. Entering this final stage means the attackers can now execute on their end goals, which could include lateral movement (island hopping), and therefore compromising the integrity, confidentiality, or availability of information.

Studying this attack loop and using it to build a cognitive defence approach allows for greater precision in remediation steps and drives consistent and positive security changes. Really understanding these behaviours offers unique insight into the motivations behind an attack, helping to guide the prevention and detection of a breach and the appropriate response.

Robust cyber testing and pro-active threat hunting

Organisations need to go beyond traditional penetration testing. They should not limit testing to outside-in; it should expand to inside-out to better understand attack paths. Island hopping and lateral movement have exploded, creating a greater need to understand the escalation of adversaries when they choose to commandeer digital transformation efforts. For example, recent research among incident response professionals found that island hopping was a feature in 41 percent of the breach attempts they encountered.

Red team exercises offer a human element as well as an understanding of the nexus between facility security and cybersecurity. It’s imperative to get a baseline understanding of where vulnerabilities lie. A baseline red team (using third party plus in-house security experts) audit and/or cyber hunt exercise can help expose where systems are vulnerable and where the organisation needs to increase controls. Fielding an in-house threat hunting team helps organisations identify behavioural anomalies, which present a harbinger of criminality.

Intrinsic and continuous threat intelligence 

Security teams require threat intelligence to build a strong security posture and better outline a cyber attacker’s motivation. It helps organisations discover new threats and proactively put up barriers to defend against them. Without threat intelligence, organisations become reactive. Threat intelligence feeds must be integrated into endpoint detection and response (EDR) and made relevant to the specific threats facing an organisation’s industry.

Consider threat intelligence an intrinsic part of a continuous cyber strategy that includes weekly threat hunting. The security team must also standardise on a best-of-breed EDR. In today’s mass shift to a remote workforce, threat hunting needs to go beyond traditional intelligence and include process injection, the misuse of Windows Management Instrumentation and exploitation of non-persistent virtual desktop infrastructures. Given that cybercriminals fight back by leveraging counter-incident response and destructive attacks, organisations must stay vigilant to escalation when hunting and focus on the following:

  • Identify what new threats have arisen.
  • Test systems for vulnerabilities to these new threats.
  • Take steps to defend against these potential attacks.
  • Improve internal communications and combat re-entry.

Take action

Organisations must stand up a secondary line of secure communications because it’s vital to discuss the ongoing incident. Assume that hackers can intercept as well as view, modify and otherwise compromise all internal communications. These communications should allow for talk, text, and file transfer. Security teams should also assume that the adversary has multiple means of gaining access into the environment. Shutting off one entry point may not actually remove attackers from an organisation’s network. This will likely have the opposite effect by notifying the attackers that you’re on to them.

Next, organisations need to watch and wait. Do not immediately start blocking malware activity and shutting off access or terminating the C2. To understand all avenues of re-entry, organisations must monitor the situation to fully grasp the scope of the intrusion to effectively develop a means of successfully removing the adversary from the environment. Another action to consider includes deploying agents (if necessary) in monitor-only mode. If organisations begin blocking or otherwise impeding their activities, attackers will catch on and change tactics, potentially leaving an organisation blind to added means of re-entry. Finally, organisations can deploy honey tokens or deception grids – especially on attack paths that are difficult to harden.
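The honey-token step described above, as an added example that is not VMware Carbon Black’s code or the article’s: a few constructed canary identities (accounts that exist in the directory but that no legitimate user or process ever uses) are planted, and any authentication or share-access event that references one is treated as a high-confidence alert. The monitor is deliberately monitor-only, matching the watch-and-wait advice: it records the event and the source address so the defender can map re-entry paths before acting. The log format, hostnames, account names and addresses are all constructed for this example.

```python
"""Honey-token monitor over constructed auth logs (added example, monitor-only)."""
import re
from dataclasses import dataclass

# Constructed canary identities. In practice these are created in the directory,
# given plausible names, and never handed to a real user or service.
HONEY_TOKENS = {
    "svc-backup-legacy": "dormant service account planted in the directory",
    "fin-share-admin": "fake admin of the finance file share",
}

# Constructed log lines in a syslog-like key=value format (not from a real system).
SAMPLE_LOG = """\
2020-12-01T08:02:11Z host=fs01 event=logon user=alice result=success src=10.1.4.22
2020-12-01T08:05:43Z host=fs01 event=logon user=svc-backup-legacy result=success src=10.1.9.77
2020-12-01T08:06:02Z host=dc01 event=logon user=bob result=failure src=10.1.4.30
2020-12-01T09:14:27Z host=fs02 event=share_access user=fin-share-admin result=success src=10.1.9.77
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    event: str
    user: str
    src: str
    reason: str


def parse_line(line):
    """Return the fields of one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_honey_token_use(log_text, tokens=HONEY_TOKENS):
    """Return an Alert for every event that touches a planted identity.

    Both successful and failed attempts are reported: a failed logon against a
    canary is still an adversary guessing at an account nobody should know.
    Nothing is blocked here; response timing is the incident lead's decision."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] in tokens:
            alerts.append(Alert(rec["ts"], rec["host"], rec["event"],
                                rec["user"], rec["src"], tokens[rec["user"]]))
    return alerts


def suspect_sources(alerts):
    """Source addresses that used canaries: candidate re-entry points to keep watching."""
    return sorted({a.src for a in alerts})


if __name__ == "__main__":
    found = detect_honey_token_use(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.timestamp} {a.host} {a.event} user={a.user} from {a.src}: {a.reason}")
    print("sources to monitor:", suspect_sources(found))
```

Because the canary accounts have no legitimate use, this detector has essentially no false positives, which is what makes it suitable for the hard-to-harden attack paths the article singles out; the same pattern works for planted file names, API keys or DNS names, with only the parsed field changing.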

Taking action to really understand a cyber attacker and why they act the way they do will make the organisation better prepared for a data breach. It’s only when their methods are understood, through practices such as cyber testing, the use of threat intelligence and communication, that an organisation can fully prepare for the next impending cyber threat.

Guy Lloyd: The ugly truth – the real cost of cyber breaches to SMEs

Cyber security preparedness is more than a nice-to-have; an SME’s survival can depend on it. Guy Lloyd at CySure explains why.

Small and medium sized enterprises (SMEs) rarely trigger national headlines for breaches in data security and compliance, not because they aren’t a target but because the monetary impact is small compared to the big corporations. However, breaches are all too common, and while the cost of cyber breaches to SMEs, including the impact to business operations, remediation work and resultant fines, may not run into millions, it can do untold damage. SMEs are agile and lean in their business operations, and so unbudgeted costs can severely impact finances.

Such is the concern about the UK economy’s resilience to cyber attacks that the UK Government recently commissioned a study[i] to analyse the cost of cyber breaches. It found that organisations are being hampered from managing and mitigating cyber risks by a lack of transparency, awareness and understanding of the costs. UK businesses tend to overlook indirect and long-term costs when assessing the impact of a cyber breach. This leaves organisations woefully unprepared for the financial impact, which in the most extreme cases can spell an end to the business. SMEs in particular are most likely to underestimate the costly impact of non-compliance with cyber security breach-related laws and regulations, leaving them unprepared for any potential fines.

Bumper year for cyber crime

The Coronavirus pandemic has provided cyber criminals with a fertile ground to execute scams and reap a bounty of riches. Attacks designed to steal valuable company and customer information have skyrocketed in 2020. Interpol[ii] reported that in a four-month period some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs, all related to COVID-19 were detected. With many of us working/schooling from home, our concentration levels have been tested to the max. When under pressure and distracted it is easy to click on a phishing email or unknowingly visit a scam website. The rush to remote working has opened up opportunities for hackers and any company with lax security measures makes easy pickings.

Work smarter, not harder

In today’s GDPR world no company can afford to be naïve or negligent about regulatory compliance. Cyber Essentials is the UK Government-backed scheme that aims to help organisations protect themselves against common cyber threats. It offers organisations a way to demonstrate to customers and suppliers a commitment towards cyber security and data protection by achieving an accredited and registered certification standard. It lays the foundation to developing policies and procedures to mitigate against threats that can impact business operations.

Getting started can seem daunting but achieving certification doesn’t have to be. Using an online compliance risk management system that incorporates GDPR and Cyber Essentials Plus is a simple and cost-effective way to achieve certification. SMEs should look for a solution that can guide them through a gap analysis to highlight the business areas to focus on.

Cyber security doesn’t need to be complex, costly or confusing. A low cost, simple set of actions as defined in Cyber Essentials can go a long way to protect against common attacks.

Preparedness in uncertain times

Business confidence comes from understanding the risks involved and the knowledge that, should the worst happen, it is possible to keep calm and carry on. Being certified with a credible scheme delivers the assurance that SMEs can demonstrate their commitment and attention to bolstering cyber defences.

Uncertain times can hit when we least expect them, but the benefit of certification, with help from an information security management system (ISMS), is knowing your business is prepared. Now more than ever we should be celebrating business resilience and preparedness.


[i] Analysis of the full cost of cyber security breaches Report
[ii] Interpol report shows alarming rate of cyberattacks during COVID-19

ThreatQuotient Launches Operations in Iberia with New Office in Madrid

Continued global expansion makes ThreatQuotient the first threat intelligence platform provider offering local support from Spain

ThreatQuotient™, a leading security operations platform innovator, today announced the company’s expansion into Iberia. To complement existing operations in Europe, ThreatQuotient has opened an office in Madrid, Spain, where a local team will support customers in the region beginning January 2021. ThreatQuotient is the first threat intelligence platform (TIP) provider to offer services directly from Spain.

“ThreatQuotient takes pride in our consultative approach to serving customers and partners, and we are committed to hiring experts with knowledge of the local culture whenever possible. We are pleased to launch operations in Spain to better support customers in their local language,” said Cyrille Badeau, VP of Europe, ThreatQuotient. “Iberia stands among the most mature regions in Europe regarding threat intelligence, including a multi-regional CERT and intelligence sharing history, as well as strong global MSS partners. We look forward to supporting the security operation and global SOC management needs for this key region.”

ThreatQuotient’s offerings – including the ThreatQ™ platform and the industry’s first cybersecurity situation room, ThreatQ Investigations – are uniquely positioned to help organisations address increasingly complex cybersecurity challenges. Recently, ThreatQuotient was listed as a representative vendor in the 2020 Gartner Market Guide for Security Orchestration, Automation and Response (SOAR) Solutions. Serving as a full featured security operations platform, ThreatQ is designed to provide companies the relevant, contextual intelligence and automation needed to support multiple teams and capabilities, and optimise an organisation’s existing technology investments.

“Continued global expansion remains an objective for ThreatQuotient, and in the midst of a global pandemic, it is more important than ever to grow our international presence by deploying team members who are as local to our customers as possible,” said John Czupak, CEO, ThreatQuotient. “This current global health crisis has only exacerbated the risk of the evolving threats facing organisations, and the need for threat intelligence platform capabilities continues to grow. We look forward to hiring new roles based in Iberia, which will accelerate our impact on the market.”

Candidates interested in applying to work for ThreatQuotient as a Threat Intelligence Engineer in Madrid should visit the company’s careers page. For more information about ThreatQuotient’s market-leading solutions built for threat-centric security operations, please visit www.threatq.com/.


About ThreatQuotient

ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations with a platform that accelerates and simplifies investigations and collaboration within and across teams and tools. Integrating an organisation’s existing processes and technologies into a unified workspace, ThreatQuotient’s solutions reduce noise, highlight top priority threats and automate processes to provide greater focus and decision support while maximising limited resources. ThreatQuotient’s threat-centric approach supports multiple use cases including incident response, threat hunting, spear phishing, alert triage and vulnerability management, and also serves as a threat intelligence platform. ThreatQuotient is headquartered in Northern Virginia with international operations based out of Europe and APAC. For more information, visit www.threatquotient.com.

Steve Rivers: The Evolution of Threat Intelligence Platforms

Written by Steve Rivers, Technical Director International, ThreatQuotient

Initially designed to compensate for the heterogeneity and volume of external threat intelligence sources, cyber threat intelligence management platforms first focused on normalising data from external threat feeds and automating the use of that data in Security Operations Centres (SOCs), and particularly in SIEMs. Over time, this initial and very operational use case continued to develop, and intelligence management platforms now play a much more global and cross-functional role.

There are several reasons for this, but a primary driver has been higher awareness that a company’s greatest sources of threat intelligence are internal, and correspond to the data generated by the various services used (detection, response, vulnerability management, SecOps, risk, fraud, etc.). Taking these sources into account has given companies new perspectives and given threat intelligence management platforms a new function: enabling all internal parties to draw on all of these sources of threat intelligence to make better decisions and mitigate risk.

Enter the “fusion centre” concept

In most organisations, security teams work in silos with different charters: detection (within one or more SOCs, sometimes external), incident response (within a CSIRT or CERT), vulnerability management, endpoint security, perimeter protection (reputation-policy management), etc. Each department has its own tools, teams, and processes, but communication between them is limited. This fundamental approach of distributing roles by silos tends to generate information loss.

The fusion centre concept is an innovative and highly effective means to reduce information loss. It ensures that each lesson learned by a human or machine in each of these departments can feed through to all humans or machines in other departments in real-time for decision making and prioritising actions.

This isn’t a question of breaking down silos, but of implementing a structured, automatic information-sharing process between them. Each department already produces its own findings; here it is a question of sharing those insights globally and cross-functionally to improve overall security effectiveness. Each finding produced by a department (SOC, CSIRT, SecOps, etc.) is treated as internally derived cyber intelligence. Using this information to filter external threat data adds context, so that companies can prioritise intelligence and focus on what matters most given their own security profile. In addition, security leaders can more effectively manage the daily dissemination of relevant, high-priority intelligence to all the necessary channels and reports.

Within a fusion centre, the intelligence management platform plays a dual role, operationally as a communication system between silos and, strategically, as a central repository for threats observed by the company. Analysing the content of this repository potentially enables other uses, which we will examine next.

Orchestration projects are more effective with threat intelligence

Many organisations now adopt the Security Orchestration, Automation and Response (SOAR) framework to defend their infrastructure against cyber-attacks more efficiently. They use orchestration and automation tools to execute known and repetitive tasks, allowing analysts in the detection and response teams to focus on tasks that require human thought and judgement. The processing of large volumes of phishing emails is a good example of how this concept can be applied.

The orchestrator can process hundreds of phishing emails in a few minutes and roll out the company’s dedicated phishing playbooks without requiring human intervention. This saves analysts a lot of time, which is of course the goal.

However, using an intelligence management platform together with an orchestrator allows companies to roll out their playbooks based on the intelligence they have collected, resulting in greater effectiveness against a specific campaign. The intelligence management platform can identify the campaign associated with a set of phishing emails, identify the adversary, determine whether a single department within the company has been targeted or whether the scope is wider, establish the schedule on which the emails were sent, highlight the techniques and tactics associated with the initial phishing intrusion, and display this information in a dashboard to alert analysts to these attacks. All of this is fully automated up to this point and ready for human analysis.

When used in combination, orchestration and intelligence management maximise the value of the SOAR framework and the two functions feed each other. Incident response orchestration projects become dramatically more effective and tend to accelerate the cross-functional use of cyber intelligence management platforms.
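The two ideas in the preceding sections, using internal sightings to prioritise an external feed (the fusion-centre point above) and grouping phishing reports into a campaign with its scope and schedule (the orchestration point), can be shown on a small scale. The following is an added illustration written for this page, not ThreatQuotient code and not a description of how ThreatQ implements either function; the feed entries, team weights, department names and phishing reports are all constructed sample data.

```python
"""Added example: prioritise external indicators with internal sightings, and
cluster phishing reports into campaigns. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed external feed: indicator -> feed confidence (0-100).
EXTERNAL_FEED = {
    "203.0.113.10": 60,
    "198.51.100.7": 40,
    "invoice-update.example": 70,
    "192.0.2.55": 90,
}

# Constructed internal sightings reported by separate silos: (indicator, team).
INTERNAL_SIGHTINGS = [
    ("203.0.113.10", "soc"),
    ("203.0.113.10", "csirt"),
    ("invoice-update.example", "soc"),
]

# Hypothetical weight given to a sighting from each internal team.
SOURCE_WEIGHT = {"soc": 20, "csirt": 30, "vuln_mgmt": 15, "endpoint": 20}


def prioritise(feed, sightings, weights=SOURCE_WEIGHT):
    """Rank feed indicators: feed confidence plus a bonus for every internal
    team that has independently seen the indicator (capped at 100)."""
    seen_by = defaultdict(set)
    for ioc, team in sightings:
        seen_by[ioc].add(team)
    scored = {}
    for ioc, confidence in feed.items():
        bonus = sum(weights.get(team, 0) for team in seen_by.get(ioc, ()))
        scored[ioc] = min(100, confidence + bonus)
    # Highest score first; ties broken by indicator string for stable output.
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


@dataclass
class PhishReport:
    reported_at: datetime
    recipient_dept: str
    sender_domain: str
    url_host: str


# Constructed user-reported phishing emails.
SAMPLE_REPORTS = [
    PhishReport(datetime(2021, 1, 11, 9, 2), "finance", "invoice-update.example", "pay.invoice-update.example"),
    PhishReport(datetime(2021, 1, 11, 9, 5), "finance", "invoice-update.example", "docs.share-now.example"),
    PhishReport(datetime(2021, 1, 11, 9, 40), "hr", "hr-benefits.example", "docs.share-now.example"),
    PhishReport(datetime(2021, 1, 12, 14, 10), "engineering", "gitlab-notify.example", "repo-login.example"),
]


def group_campaigns(reports):
    """Cluster reports that share a sender domain or URL host (transitively,
    via union-find) and summarise each cluster's indicators, scope and schedule."""
    parent = list(range(len(reports)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_report_with = {}
    for i, r in enumerate(reports):
        for indicator in (r.sender_domain, r.url_host):
            if indicator in first_report_with:
                union(first_report_with[indicator], i)
            else:
                first_report_with[indicator] = i

    members_of = defaultdict(list)
    for i, r in enumerate(reports):
        members_of[find(i)].append(r)

    campaigns = []
    for members in members_of.values():
        times = sorted(r.reported_at for r in members)
        depts = sorted({r.recipient_dept for r in members})
        campaigns.append({
            "count": len(members),
            "indicators": sorted({x for r in members for x in (r.sender_domain, r.url_host)}),
            "departments": depts,
            "scope": "multi-department" if len(depts) > 1 else "single-department",
            "first_seen": times[0],
            "last_seen": times[-1],
        })
    campaigns.sort(key=lambda c: -c["count"])
    return campaigns


if __name__ == "__main__":
    for ioc, score in prioritise(EXTERNAL_FEED, INTERNAL_SIGHTINGS):
        print(f"{score:3d}  {ioc}")
    for c in group_campaigns(SAMPLE_REPORTS):
        print(c)
```

In the ranking, the indicator seen by two internal teams outranks the feed's own highest-confidence entry, which is the point of filtering external data through internal sightings. The campaign clustering links the three January 11 reports through a shared sender domain and a shared URL host even though no single indicator appears in all three, and flags the result as multi-department; the unrelated January 12 report stays its own cluster.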

Intelligence management platform: a threat hunting springboard

As security teams continue to mature and increasingly engage in threat hunting, intelligence management platforms are now being applied to support this use case as well. Fed by external and internal intelligence sources from various departments, the intelligence management platform becomes an important tool for carrying out precise analysis of the key threats to the company. Facilitated by the integration of specialist frameworks (MITRE ATT&CK being the most commonly used), analysts gain access to the detailed techniques and tactics used by the adversaries detected. The platform thus becomes the company’s threat-hunting springboard, allowing it to make the decisions needed to optimise its resources before beginning any threat-hunting campaign.

Threat intelligence has become the lifeblood of security operations. As new use cases emerge, it has become integral to leveraging teams, tools and processes more efficiently and effectively. The intelligence management platform itself has also evolved to enable communication and collaboration across a small team or multiple teams. With relevant and prioritised threat intelligence flowing through all security departments as needed, companies are making more informed decisions and taking the right actions faster.

Gemserv and Trilliant Partner to Ensure Cyber Security and the Protection of Customer Data

Gemserv Ltd, an expert provider of professional services that helps clients develop, embed and secure complex digital solutions, and Trilliant, a global provider of smart communications solutions in the Industrial Internet of Things (IIoT), smart energy and smart city space, today announce a partnership to provide enhanced security assurance for Trilliant Head End Software deployments.

With products and service platforms now becoming fully connected, Gemserv has stepped in as a leader in the preparation of security assurance processes and procedures to ensure the robustness of all connection points, be they device components, additional enterprise interfaces or third-party systems.

“We are delighted to be working with Trilliant to ensure that customers, wherever they are, can reap the benefits of smart grid technology in a secure and integrated way,” says Alex Goody, Gemserv Chief Executive. “From enabling net zero to become a reality, to improving patient care in their own homes and improving the customer experience for all, Gemserv and Trilliant are delivering a smart future.”

As customer connected smart devices become increasingly available, the expectation is for interoperability between systems and devices that provide, for example, better control of energy usage, remote healthcare provision and property monitoring. Ensuring the compatibility of such systems with proven security credentials is becoming a key business driver, although implementation can be complex.

This partnership combines Gemserv’s expertise in IoT, smart metering and cyber security with Trilliant’s globally proven communications solution. Together, the organizations will provide a turnkey solution that reduces the pain points of IoT system implementation and is backed by the extensive experience of two of the leading industry experts in the fields of IoT, smart grid, and smart metering.

“The Trilliant Head End Software is designed to seamlessly connect power grids, distribution networks, smart meters, smart city, and smart home connected devices, often expanding from the initial platform provider to new service providers,” said Andy White, Chairman and CEO for Trilliant. “We put security and data privacy at the heart of our solution and have developed an ethos throughout our business of putting security first. Trilliant welcomes the partnership with Gemserv to provide enhanced security assurance to our customers.”

The agreed partnership between Trilliant and Gemserv covers strategy, planning, system implementation, security assurance for design, build and testing phases, as well as continued implementation throughout the long-term deployment and horizontal expansion into new business sectors.