Tag Archives: beyond

Ping adds AI-driven API protection with Elastic Beam acquisition

BOSTON — Ping Identity is moving beyond single sign-on and further into API security with its latest acquisition.

At the Identiverse 2018 conference on Tuesday, the Denver-based identity and access management (IAM) provider announced the acquisition of Elastic Beam, a Redwood City, Calif., cybersecurity startup that uses artificial intelligence to monitor and protect APIs. Terms of the deal were not disclosed.

Ping CEO Andre Durand discussed the importance of API protection in the past as part of the company’s “intelligent identity” strategy. The company, which specializes in IAM services such as single sign-on, had previously introduced PingAccess for API management and security.

Elastic Beam, which was founded in 2014, will become part of Ping’s new API protection offering, dubbed PingIntelligence for APIs. Elastic Beam’s API Behavioral Security (ABS) automatically discovers an organization’s APIs and monitors the activity using AI-driven behavioral analysis.

“The moment it detects abnormal activity on an API, it automatically blocks that API,” said Bernard Harguindeguy, founder of Elastic Beam.

Harguindeguy, who joined Ping as its new senior vice president of intelligence, said ABS’ use of AI is ideal for API monitoring and defense, because there are simply too many APIs and too much data around them for human security professionals to effectively track and analyze on their own.

“API security is a very hard problem. You cannot rely on roles and policies and attacker patterns,” he said. “We had to use AI in a very smart way.”

Durand said the explosion of APIs in both cloud services and mobile applications has expanded the attack surface for enterprises and demanded a new approach to managing and securing APIs. While Durand acknowledged the potential for AI systems to make mistakes, he said improving API protection can’t be done without the help of machine learning and AI technology.

“We’re in the early stages of applying AI to the enormity of traffic that we have access to today,” he said. “We want to limit the space and time that users have access to, but there’s no policy that can do that. I don’t think there’s a way to have that breakthrough without machine learning, big data and AI.”

PingIntelligence for APIs is currently in private preview, and it will be generally available in the third quarter this year.

The Best Infrastructure Management Services of 2018

IT management suites have evolved beyond on-premises equipment, spanning to virtualized cloud infrastructure, cloud services, mobile devices, and even Internet of Things mechanisms. We test the top network infrastructure management services to see how well they can handle their rapidly evolving mission.

North Korea’s Lazarus Group sets sights on cryptocurrency

The North Korean state-sponsored hacking outfit known as Lazarus Group has moved beyond ransomware attacks and shifted its focus to cryptocurrency.

Lazarus Group stands accused of perpetrating the widespread WannaCry ransomware attacks earlier this year. Several private companies and governments, including the U.S., have attributed the attacks to the North Korean hacker group. Now, researchers from cybersecurity vendors Proofpoint, Inc., and RiskIQ say Lazarus Group has initiated attacks on cryptocurrency exchanges and owners in at least two different countries.

“Earlier this year, the activities of the Lazarus group in South Korea were discussed and analyzed, as they managed to compromise accounts on various South Korean cryptocurrency exchanges,” wrote Yonathan Klijnsma, threat researcher at RiskIQ, in a blog post. “More recently, they were seen targeting a United Kingdom-based cryptocurrency exchange.”

Several cryptocurrency exchanges have been hit by cyberattacks in recent weeks, including South Korean exchange Youbit, which declared bankruptcy after it lost 17% of its assets in a breach last week. While the Youbit attack hasn’t been attributed to the Lazarus Group or other North Korean nation-state hackers, other incidents, including a massive spearphishing campaign targeting a UK-based cryptocurrency business, have been connected to the group.

“The Lazarus Group has increasingly focused on financially motivated attacks and appears to be capitalizing on both the increasing interest and skyrocketing prices for cryptocurrencies,” wrote Darien Huss, senior security researcher at Proofpoint, in the company’s report.

While Proofpoint and RiskIQ don’t name the organizations victimized by the Lazarus Group, researchers from the two vendors outlined the group’s new techniques for stealing cryptocurrency from both exchanges and owners. Proofpoint, for example, described several “multistage attacks” that lure victims into downloading malware, including a backdoored version of PyInstaller, a free application that bundles Python programs into a single executable package, and PowerShell malware known as “PowerRatankba” used for reconnaissance. After the initial infections are completed, Huss said, the attackers hit victims with a second wave of malware that harvests credentials for both individual cryptocurrency wallets and exchange accounts.

RiskIQ, meanwhile, identified a large phishing campaign that claimed to be bitcoin wallet software and featured links that impersonated the domain of Bitcoin Gold. According to RiskIQ researchers, Lazarus Group hackers abused internationalized domain name registration to trick victims into believing the malicious site was genuine. In addition, Proofpoint’s report highlights a new type of point-of-sale (POS) malware, dubbed “RatankbaPOS,” that targets the POS framework of KSNET, a major South Korean payment provider.

Huss warned the Lazarus Group has a financially-motivated arm that has branched out beyond typical nation-state activity and is targeting individuals the same way that organized cybercrime outfits have.

“This group now appears to be targeting individuals rather than just organizations: individuals are softer targets,” Huss wrote, “often lacking resources and knowledge to defend themselves and providing new avenues of monetization for a state-sponsored threat actor’s toolkit.”

VirtualWisdom brings visibility to the cloud

Expanding beyond storage, Virtual Instruments has integrated the analytics and performance management technology from its Xangati acquisition into its VirtualWisdom platform.

VirtualWisdom 5.4 includes tools that give administrators deeper visibility between the application and infrastructure for performance management. The product now includes a new NetFlow Probe tool that discovers and maps LAN traffic flow among the applications, hosts, virtual machines, NAS controllers and software-defined-storage (SDS) nodes.

VirtualWisdom now supports additional protocols such as Fibre Channel over Ethernet (FCoE) within its SAN Switch Probe and SMB within its NAS Performance Probe, which previously only monitored the NFS protocol. Virtual Instruments also added monitoring of VMware vSAN, Dell EMC ScaleIO and Nutanix hyper-converged appliances for application-centric performance management.

“For us, these are different sources to evaluate the health of the infrastructure,” said Len Rosenthal, chief marketing officer at Virtual Instruments. “We are collecting more sources of data to analyze the infrastructure so you can understand the infrastructure that the application is running on. Previously, we were 100% storage-based.”

The new capabilities come from virtualization infrastructure performance monitoring vendor Xangati, which Virtual Instruments acquired in November 2016.

Steve Brasen, research director of systems and storage management at Enterprise Management Associates, said the cloud has reduced visibility between applications and the infrastructure for administrators. That makes Virtual Instruments’ application performance management a valuable tool, he said.

“If you have a performance problem, all you see is that it has something to do with the cloud,” Brasen said. “VirtualWisdom can see through the virtualization, cloud and grid layers. It provides visibility from the application through the virtualization layer to the infrastructure.

“The product can map down to the storage, network and server levels,” he said. “And it can move applications to a location where it works better. It can dynamically place workloads. Virtual Instruments has the broadest visibility into the infrastructure.”

Virtual Instruments initially did performance monitoring of SANs with its SAN Performance Probe appliances for Fibre Channel (FC) storage but expanded to include network attached storage (NAS) with a NAS probe after merging with Load Dynamix.

VirtualWisdom has an analytics layer with tools that target performance optimization. A storage port balancer analytics tool performs workload and capacity optimization at the array level, while the collaborative investigation runbooks help debug problems that are hindering performance.

“In the past it was a manual process for customers to debug problems, such as which array do I use and what sequence of events do I implement to solve problems,” Rosenthal said. “What we have done is taken all our knowledge and we built a runbook or workflow that sets the sequence to solve a problem. Now it’s all automated.”

VirtualWisdom’s storage port analyzer helps fine-tune performance at the array level.

“This means you can look at the storage port utilization on the arrays,” Rosenthal said. “And look at the traffic patterns across those ports. We had this for the virtual servers for a number of years, but we did not have it on the arrays.”

Office 365 admin roles give users the power of permissions

When a business moves to the Office 365 platform, its collaborative capabilities can go beyond joint efforts on team projects — it also extends into the IT department by letting users handle some tasks traditionally reserved for administrators.

Office 365 admin roles let IT teams deputize trusted users to perform certain business functions or administrative jobs. While it can be helpful to delegate some administrative work to an end user to reduce help desk tickets, it’s important to limit the number of end users with advanced capabilities to reduce security risks.

Organizations that plan to move to Office 365 should explore the administrative options beforehand. Companies already on the platform should review administrative rights and procedures on a regular basis.

Two levels of administrative permissions

By default, new accounts created in the Office 365 admin center do not have administrative permissions. An Office 365 user account can have two levels of administrative permissions: customized administrator role and global administrator role.

In a customized administrator role, the user account has one or more individual administrator roles. Available Office 365 admin roles include billing administrator, compliance administrator, Dynamics 365 administrator, Exchange administrator, password administrator, Skype for Business administrator, Power BI service administrator, service administrator, SharePoint administrator and user management administrator.

Some Office 365 admin roles provide application-specific permissions, while others provide service-specific permissions. For example, end users granted an Exchange administrator role can manage Exchange Online, while users with the password administrator role can reset passwords, monitor service health and manage service requests.

Customized administrator configurations benefit both large and small organizations. In large organizations, it’s common for separate administrators to manage different services, such as Exchange, Skype for Business and SharePoint. Conversely, small organizations typically have fewer administrators who manage multiple — if not all — systems. In either scenario, if additional help is needed for certain tasks, you can assign appropriate administrative roles to the most qualified users, allowing them to make modifications to the tenancy.

The global administrator role provides complete control over Office 365 services. It’s the only administrator role that can assign users with Office 365 admin roles. The first account created in a new Office 365 tenancy automatically gets the global administrator role. An organization can give the global administrator role to multiple user accounts, but it’s best to restrict this role to as few accounts as possible.

Managing Yammer requires careful planning because it’s administered separately in the Yammer admin center. The highest level of administrative permissions in Yammer is the verified admin role. An organization can give all Office 365 global administrators this role, but ordinary users should not be given it.

Security and compliance permissions

An organization must also decide how to configure permissions in the Security & Compliance Center. These permissions use the same role-based access control (RBAC) permissions model that on-premises Exchange and Exchange Online use.

The Security & Compliance Center features eight role groups that allow a user to perform administrative tasks related to security and compliance. For example, members of the eDiscovery Manager role group receive case management and compliance search roles that allow the user to create, delete and edit eDiscovery cases. These users also can perform search queries across mailboxes.

Office 365 provides 29 different roles that an organization can add to role groups, and each role holds different security and compliance permissions. This comprehensive range of role groups and available roles means that an organization must determine the most appropriate security and compliance permissions model.

It’s important to understand differences in role groups and plan permissions accordingly. For example, both the Security & Compliance Center and Exchange Online have role groups named organization management, but they are separate entities and serve different permissions purposes.

Multifactor authentication matters

Enabling Azure multifactor authentication adds another layer of protection around Office 365 accounts with administrator access. Administrators provide proof of their identity via a second authentication factor, such as a phone call acknowledgement, text message verification code or phone app notification, each time they log into the Office 365 account.

If the business uses Azure multifactor authentication, it should educate administrators and service desk staff to ensure everyone knows operational and service desk procedures involved with the security service.

Keep tabs on administrator actions

As administrators make changes to the systems and grant or revoke permissions to users and other administrators, you’ll need a way to review these actions.

In the Office 365 Security & Compliance Center, an organization can enable audit logging and search the log for details of administrator activities from the last 90 days. This log tracks a wide range of administrator actions, such as user deletion, password resets, group membership changes and eDiscovery activities.
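The two checks above, keeping the global administrator role to as few accounts as possible and reviewing role changes in the audit log, can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the MSOnline and ExchangeOnlineManagement modules are installed, that the signed-in account may read roles and search the audit log, and that the operation names and the three-admin threshold are placeholders to adjust for your own tenancy.

```powershell
# Added example (not from the article): review Office 365 global administrators and
# pull the role-assignment events the unified audit log retains for 90 days.
Import-Module MSOnline
Import-Module ExchangeOnlineManagement

Connect-MsolService          # Office 365 / Azure AD directory
Connect-ExchangeOnline       # Search-UnifiedAuditLog lives in the Exchange Online module

# 1. Least privilege: list every account holding the global administrator role.
#    MSOnline names this role "Company Administrator".
$globalAdminRole = Get-MsolRole -RoleName "Company Administrator"
$globalAdmins    = @(Get-MsolRoleMember -RoleObjectId $globalAdminRole.ObjectId)

Write-Host "Global administrators ($($globalAdmins.Count)):"
$globalAdmins | Select-Object DisplayName, EmailAddress | Format-Table -AutoSize

# Assumed policy value: flag tenancies with more global admins than the team intends.
$maxGlobalAdmins = 3
if ($globalAdmins.Count -gt $maxGlobalAdmins) {
    Write-Warning "More than $maxGlobalAdmins global administrators; review and trim the role."
}

# 2. Audit: who added or removed role members inside the log's 90-day window.
#    The operation names are assumed; confirm them against your own audit entries.
$start = (Get-Date).AddDays(-90)
$end   = Get-Date
$roleEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType AzureActiveDirectory `
    -Operations "Add member to role.", "Remove member from role." `
    -ResultSize 5000

$roleEvents | ForEach-Object {
    # AuditData is a JSON document; extract the actor, operation and affected object(s).
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        Actor     = $d.UserId
        Operation = $d.Operation
        Target    = (($d.Target | ForEach-Object { $_.ID }) -join '; ')
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

Run it on a schedule and diff the global-administrator list against the previous run so an unexpected addition stands out rather than waiting for a manual review.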
