Tag Archives: Security

Cloudflare battles malicious bots with ‘fight mode’

Cloudflare is taking aim at malicious bots attacking its customers with a new security measure scheduled to go live for all by the end of the year.

The new Bot Fight Mode is rolling out now as an opt-in only feature to help Cloudflare customers avoid damage caused by malicious bots. John Graham-Cumming, chief technology officer for Cloudflare, described the new mode as a way to “frustrate” and disincentivize bots through tarpitting.

“If our models show that the traffic is coming from a bot, and it’s on a hosting or a cloud provider, we’ll deploy CPU-intensive code to make the bot writer expend more CPU and slow them down. By forcing the attacker to use more CPU, we increase their costs during an attack and deter future ones,” Graham-Cumming wrote in a blog post. “Every minute we tie malicious bots up is a minute they’re not harming the Internet as a whole.”

However, Cloudflare won’t just waste the resources of malicious bots through computationally intensive challenges. The company also plans to share the IP addresses of bots with its Bandwidth Alliance partners in order to get those bots taken offline.
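The tarpitting idea described above, as an added illustration that is not Cloudflare's code (the page does not say what "CPU-intensive code" Bot Fight Mode actually serves): a hash-puzzle challenge in which the server issues a random nonce, the client must brute-force a counter whose SHA-256 digest starts with a configurable number of zero bits, and the server verifies the answer with a single hash. The asymmetry is the point: every extra difficulty bit doubles the client's expected work while the verifier's cost stays constant. All function names and the difficulty value are assumptions chosen for this example.

```python
import hashlib
import secrets

# Assumption for this example: 16 leading zero bits (~65,000 hashes expected per solve).
# Cloudflare's real challenge mechanism is not described on the page.
DIFFICULTY_BITS = 16


def issue_challenge() -> str:
    """Server side: a fresh random nonce so solutions cannot be precomputed or replayed."""
    return secrets.token_hex(16)


def _leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest (the 'work' criterion)."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _digest(nonce: str, counter: int) -> bytes:
    return hashlib.sha256(f"{nonce}:{counter}".encode()).digest()


def solve_challenge(nonce: str, difficulty: int = DIFFICULTY_BITS) -> int:
    """Client side: brute-force a counter. This loop is where the CPU cost lands,
    and it has to be repeated for every request the tarpit challenges."""
    counter = 0
    while _leading_zero_bits(_digest(nonce, counter)) < difficulty:
        counter += 1
    return counter


def verify_solution(nonce: str, counter: int, difficulty: int = DIFFICULTY_BITS) -> bool:
    """Server side: one hash to check, so verification stays cheap at any difficulty."""
    return _leading_zero_bits(_digest(nonce, counter)) >= difficulty


if __name__ == "__main__":
    nonce = issue_challenge()
    answer = solve_challenge(nonce)
    print(f"nonce={nonce} counter={answer} hashes={answer + 1} valid={verify_solution(nonce, answer)}")
```

A real deployment would bind the nonce to the client session and expire it, and would raise the difficulty only for traffic its bot model has already classified as automated, so ordinary users never pay the cost.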

Cloudflare said that of the 750 billion HTTP requests it handles per day, 3 billion are made by bots. A company spokesperson could not estimate how many individual bots are making those requests.

The spokesperson did note that how much effort it will take to stop bots will depend on “a number of factors.”

“The persistence of the bot is generally correlated to the value of the target,” the spokesperson told SearchSecurity. “A bot gives up quickly if the site is common and the value of a successful attack is low, but for bots that do things like inventory hoarding, the attacks are persistent.”

According to Graham-Cumming in the blog post, adopting tactics like this is important, because “malicious bots harm legitimate web publishers and applications, hurt hosting providers by misusing resources, and they doubly hurt the planet through the cost of electricity for servers and cooling for their bots and their victims.”

Graham-Cumming acknowledged that Bot Fight Mode will lead to even higher electricity and cooling costs, so Cloudflare will be donating to One Tree Planted in order to offset the carbon costs.

Cloudflare also noted that this is just the first step in plans to fight malicious bots.

“Blocking outright is effective in preventing one bot from attacking one website, but the bot will just move on to a softer target. Bot Fight Mode makes that bot spend more time and resources before being able to move on,” the spokesperson said. “We have a number of other ideas we are working on that we’re not quite ready to share yet.”

However, there may be unintended consequences to Bot Fight Mode. Jean-Philippe Paradis, a programmer living near Montreal, shared a note from the Cloudflare Dashboard that warns: “Defeating Bots may affect some actions on your website and/or non-automated traffic. For example, it may block access to your APIs and prevent access from mobile applications.”

Cloudflare did not respond to requests for comment on this warning at the time of this post. Graham-Cumming noted in the blog post that the company’s model “spots the behavior of bots based on past traffic and blocks them,” and he said on Twitter that, “We look at how humans behave on the web vs. how bots behave. Bots behave differently (think how fast they click, or when they click, or what they click etc.)”. But it is unclear what recourse customers will have if access issues arise.


Salesforce rolls out new security add-on for Quip

Salesforce today rolled out Quip Shield, a HIPAA-certified security add-on to its Quip platform. The new service includes enterprise key management, event monitoring and antivirus scanning, is intended to increase trust, compliance and governance in collaboration, and promises minimal service disruption.

Quip is an integrated productivity platform from Salesforce that offers real-time collaboration with docs, spreadsheets, slides and chat that companies can embed directly into Salesforce records. Quip Shield is a security add-on intended to protect business data in Quip.

Salesforce said that Quip Shield offers encryption and customization capabilities according to companies’ particular security and compliance demands, such as secure infrastructure services, granular permissions and external sharing controls. The new product is HIPAA-certified, promising to provide appropriate security for healthcare organizations to collaborate around protected health information while staying compliant.

The new security add-on touts uninterrupted service in CRM; the product works in the background, with little impact on the end-user experience, the company said. When there is an incident, users would experience minimal disruption, while admins work to isolate and secure data, according to Salesforce.

Services offered in Quip Shield include:

  • Enterprise key management: Controls access to certain data by monitoring all encryption key usages in a locked audit log, and revoking access to the business’ encrypted data when potential threats are identified.
  • Event monitoring: Enables the enterprise to set custom rules to flag and address suspicious behaviors and to log events, which can then be processed by security information and event management (SIEM) systems and cloud access security brokers to identify malicious activity and threats and take immediate action.
  • Antivirus scanning: Scans files uploaded to Quip Shield for malicious content, and prevents users from downloading potentially infected files.

Quip Shield is available to customers as of today. The company said organizations can choose to add Quip Shield to Quip Enterprise, Quip for Salesforce and Quip Virtual Private Cloud licenses for an additional cost; pricing varies based on usage.

Quip for Salesforce competes with Slack, Skype and Cisco, among other vendors. Slack also offers security features for teamwork and collaboration, including data encryption and Slack Enterprise Key Management, which lets customers bring their own keys for data access. Skype for Business advertises itself as a low-cost collaboration product for businesses of varied sizes, offering its service on a range of devices. Cisco Jabber offers instant messaging and soft-phone features, including HD voice and video, and more.


Oracle Cloud Infrastructure updates hone in on security

SAN FRANCISCO — Oracle hopes a focus on advanced security can help its market-lagging IaaS gain ground against the likes of AWS, Microsoft and Google.

A new feature called Maximum Security Zones lets customers denote enclaves within their Oracle Cloud Infrastructure (OCI) environments that have all security measures turned on by default. Resources within the zones are limited to configurations that are known to be secure. The system will also prevent alterations to configurations and provide continuous monitoring and defenses against anomalies, Oracle said on the opening day of its OpenWorld conference.

Through Maximum Security Zones, customers “will be better protected from the consequences of misconfigurations than they are in other cloud environments today,” Oracle said in an obvious allusion to recent data breaches, such as the Capital One-AWS hack, which have been blamed on misconfigured systems that gave intruders a way in.

“Ultimately, our goal is to deliver to you a fully autonomous cloud,” said Oracle executive chairman and CTO Larry Ellison, during a keynote. 

“If you spend the night drinking and get into your Ford F-150 and crash it, that’s not Ford’s problem,” he said. “If you get into an autonomous Tesla, it should get you home safely.”

Oracle wants to differentiate itself and OCI from AWS, which consistently promotes a shared responsibility model for security between itself and customers. “We’re trying to leapfrog that construct,” said Vinay Kumar, vice president of product management for Oracle Cloud Infrastructure.

“The cloud has always been about, you have to bring your own expertise and architecture to get this right,” said Leo Leung, senior director of products and strategy at OCI. “Think about this as a best-practice deployment automatically. … We’re going to turn all the security on and let the customer decide what is ultimately right for them.”


Oracle’s Autonomous Database, which is expected to be a big focal point at this year’s OpenWorld, will benefit from a new service called Oracle Data Safe. This provides a set of controls for securing the database beyond built-in features such as always-on encryption and will be included as part of the cost of Oracle Database Cloud services, according to a statement.

Finally, Oracle announced Cloud Guard, which it says can spot threats and misconfigurations and “hunt down and kill” them automatically. It wasn’t immediately clear whether Cloud Guard is a homegrown Oracle product or made by a third-party vendor. Security vendor Check Point offers an IaaS security product called CloudGuard for use with OCI.

Starting in 2017, Oracle began to talk up new autonomous management and security features for its database, and the OpenWorld announcements repeat that mantra, said Holger Mueller, an analyst at Constellation Research in Cupertino, Calif. “Security is too important to rely solely on human effort,” he said.

OCI expansions target disaster recovery, compliance

Oracle also said it will broadly expand OCI’s global cloud footprint, with the launch of 20 new regions by the end of next year. The rollout will bring Oracle’s region count to 36, spread across North America, Europe, South America, the Middle East, Asia-Pacific, India and Australia.

This expansion will add multiple regions in certain geographies, allowing for localized disaster recovery scenarios as well as improved regulatory compliance around data location. Oracle plans to add multi-region support in every country where it offers OCI and claimed this approach is superior to the practice of including multiple availability zones in a single region.

Oracle’s recently announced cloud interoperability partnership with Microsoft is also getting a boost. The interconnect that ties together OCI and Azure, now available in Virginia and London, will also be offered in the Western U.S., Asia and Europe over the next nine months, according to a statement. In most cases, Oracle is leasing data center space from providers such as Equinix, according to Kumar.


SaaS vendors are another key customer target for Oracle with OCI. To that end, it announced new integrated third-party billing capabilities for the OCI software marketplace released earlier this year. Oracle also cited SaaS providers who are taking advantage of Oracle Cloud Infrastructure for their own underlying infrastructure, including McAfee and Cisco.

There’s something of value for enterprise customers in OCI attracting more independent software vendors, an area where Oracle also lags against the likes of AWS, Microsoft and Google, according to Mueller.

“In contrast to enterprises, they bring a lot of workloads, often to be transferred from on-premises or even other clouds to their preferred vendor,” he said. “For the IaaS vendor, that means a lot of scale, in a market that lives by economies of scale: More workloads means lower prices.”


IBM z15 mainframe secures data across multi-cloud environments

IBM today premiered the latest member of its mainframe lineup, containing improved security software that builds on its existing Pervasive Encryption offering, improved methods of building cloud-native applications and added processing power that can support 2.4 million Linux containers on a single system.

The IBM z15 mainframe features the newly minted Data Privacy Passports technology, which provides IT mainframe administrators with more control over how data is stored and shared. It also offers the ability to provision data and revoke access to that data across hybrid multi-cloud environments, no matter where that data travels.

Addressing the issue of data increasingly either constantly moving around or residing in siloed environments, IBM introduced Trusted Data Objects (TDO) features designed to provide data-centric protection by staying attached to the data whenever it travels from point to point. The offering builds on the Pervasive Encryption technology that came bundled with the z14 mainframe over two years ago.

Middleware that controls and travels with data

It is this constant movement of data circulating among a user’s business partners and other third parties that causes a majority of the recent data breaches, along with the growing adoption of multi-cloud environments, IBM said.

With Data Privacy Passports, users can enforce a companywide data privacy policy capable of surfacing different views of data to different sets of users on a need-to-know basis. The TDO technology can also be used to prevent collusion among data owners, which could lead to critical data falling into the hands of hackers.

“Think of it [Data Privacy Passports and TDO] as middleware that controls and travels with the data,” said Ross Mauri, general manager of IBM Z. “Our clients might need to access data and analytic insights not in minutes, but maybe in a fraction of a second, along with the ability to control the privacy of that data at a very granular level.”

Most analysts believe IBM is taking a step in the right direction by offering added protection for increasingly complicated cloud-based environments.

“A week doesn’t go by when there’s yet another security disaster exposing the data of millions of people,” said Charles King, president and principal analyst at Pund-IT. “Data Privacy Passport appears to be a way to extend the security [of the z14’s Pervasive Encryption scheme] to sensitive information like intellectual property or data subject to compliance protocols and regulations.”

Reinforcing loyalty


Another analyst agreed that enhancing IBM’s existing security technology is a good, if not necessary, thing to keep long-time mainframe users loyal to the platform — particularly in a time when there are alternative technologies offered by a number of cloud-based competitors.

“The mainframe has long been a platform where security and transactional integrity has been paramount,” said Mike Chuba, managing vice president in Gartner’s Infrastructure and Operations group. “With this announcement, they continue to innovate, but is it a quantum leap ahead of the z14? No. But the message should resonate with C-level executives. It assures them they are still investing in the system.”

Capable of carrying out 1 trillion web transactions a day, the IBM z15 mainframe performs 14% faster per core and offers 25% more system capacity than the z14, Mauri noted. The system also has 25% more memory, 20% more I/O connectivity and an availability of 99.999999%, the equivalent of three seconds of downtime per year, he added.

This combination of added raw processing power, increased reliability and the ability to handle millions of containers across multiple environments could help keep the mainframe relevant in the voraciously competitive hybrid cloud market, a key area of focus for the newly merged IBM and Red Hat.

Depending on the success the combined company has in delivering compelling cloud-based products and services over the next year, it could help stimulate mainframe sales and take share away from the dominant position Intel-based servers hold in large corporate data centers.

But Gartner’s Chuba is not optimistic that whatever success IBM-Red Hat has will result in many net-new zOS-based mainframe sales; he expects most of the z15’s potential success to be among users interested in Linux.

“Almost all of the new accounts over the past couple of years are users running Linux,” Chuba said. “They are not attracting many zOS users in any meaningful way. It is clearly an uphill battle to win more of those users.”

What could draw interest among both Linux and zOS-based mainframe users is Red Hat’s OpenShift, expected to be available on the new system by the end of this year. Given the improved speed and capacity of the IBM z15 mainframe, some analysts said it might serve as a showpiece for how well it can run OpenShift and other strategically important software in the hybrid cloud.

“[The z15] will be positioned as the performance platform to run the Red Hat software stack,” said Frank Dzubeck, president of Communications Network Architects Inc. “This system gives mainframe users a valid alternative to the Power series, which has grabbed a lot of attention lately because of its higher performance.”

IBM’s Sierra and Summit supercomputers, both powered by IBM’s Power 9 chip, are currently the first and third fastest supercomputers in the world.

Besides improving the z15’s chip speed, IBM has come up with a new compression technology that allows corporate users to get huge amounts of data on and off the mainframe. The new compression offering, called the Integrated Accelerator for z Enterprise Data Compression, delivers 30 times lower latency and up to 28 times less processor utilization by compressing web transaction data before it is encrypted.

“It’s not unusual for significant cost to be incurred as data is moved on and off mainframes,” Pund-IT’s King said. “If you can dramatically reduce the size of the files you are sending, you can take a big bite out of the time it takes to move those huge chunks of data from one place to another.”


Security, management updates made to LogMeIn Bold360

The LogMeIn Bold360 suite has been updated to include new security controls and management tools and an updated workload organization feature. According to LogMeIn, the updates are meant to enable customer service teams to work faster and improve overall performance.

The full list of updates includes the following:

  • Knowledge management tools: The latest version of Bold360’s search optimizer has search and filter features on customer intents, the capability to create articles for unresolved intents within the search optimizer, and can add phrasings to an article from an unresolved intent. It also has a task-driven interface so users can manage unanswered, answered, channeled and muted intents.
  • Monitor view: Administrators can now see the content of live chats, chatbot engagements, emails, SMS texts and messaging channels such as Facebook Messenger.
  • Workload organization: There is a new chat flagging feature that will let agents mark an engagement in case they need to refer back to it for any reason. Supervisors can also filter the monitor view by agent flags to keep track of open engagements.
  • Security updates: Bold360 received ISO 27001 certification, meaning it met requirements for managing sensitive company information so that it remains secure. Additionally, LogMeIn added IP Whitelisting for Agent Logins, which enables admins to restrict which networks agents can log into the Bold360 web workspace from.

This is the latest in a series of updates to LogMeIn Bold360, including improvements to the chatbot in April and the addition of AI features for bots and agents in June. LogMeIn also has a portfolio of unified communication products, including GoToMeeting, GoToWebinar, Grasshopper, Grasshopper Connect and Jive.

LogMeIn Bold360 competes in a crowded customer experience market, going head-to-head with tech giants such as Salesforce, which will release its CRM platform Salesforce Customer 360 in November.


Automated incident response in Office 365 ATP now generally available

Security teams responsible for investigating and responding to incidents often deal with a massive number of signals from widely disparate sources. As a result, rapid and efficient incident response continues to be the biggest challenge facing security teams today. The sheer volume of these signals, combined with an ever-growing digital estate of organizations, means that a lot of critical alerts miss getting the timely attention they deserve. Security teams need help to scale better, be more efficient, focus on the right issues, and deal with incidents in a timely manner.

This is why I’m excited to announce the general availability of Automated Incident Response in Office 365 Advanced Threat Protection (ATP). Applying these powerful automation capabilities to investigation and response workflows can dramatically improve the effectiveness and efficiency of your organization’s security teams.

A day in the life of a security analyst

To give you an idea of the complexity that security teams deal with in the absence of automation, consider the following typical workflow that these teams go through when investigating alerts:

Infographic showing these steps: Alert, Analyze, Investigate, Assess impact, Contain, and Respond.

And as they go through this flow for every single alert—potentially hundreds in a week—it can quickly become overwhelming. In addition, the analysis and investigation often require correlating signals across multiple different systems. This can make effective and timely response very difficult and costly. There are just too many alerts to investigate and signals to correlate for today’s lean security teams.

To address these challenges, earlier this year we announced the preview of powerful automation capabilities to help improve the efficiency of security teams significantly. The security playbooks we introduced address some of the most common threats that security teams investigate in their day-to-day jobs and are modeled on their typical workflows.

This story from Ithaca College reflects some of the feedback we received from customers of the preview of these capabilities, including:

“The incident detection and response capabilities we get with Office 365 ATP give us far more coverage than we’ve had before. This is a really big deal for us.”
—Jason Youngers, Director and Information Security Officer, Ithaca College

Two categories of automation now generally available

Today, we’re announcing the general availability of two categories of automation—automatic and manually triggered investigations:

  1. Automatic investigations that are triggered when alerts are raised—Alerts and related playbooks for the following scenarios are now available:
    • User-reported phishing emails—When a user reports what they believe to be a phishing email, an alert is raised triggering an automatic investigation.
    • User clicks a malicious link with changed verdict—An alert is raised when a user clicks a URL, which is wrapped by Office 365 ATP Safe Links, and is determined to be malicious through detonation (change in verdict). Or if the user clicks through the Office 365 ATP Safe Links warning pages an alert is also raised. In both cases, the automated investigation kicks in as soon as the alert is raised.
    • Malware detected post-delivery (Malware Zero-Hour Auto Purge (ZAP))—When Office 365 ATP detects and/or ZAPs an email with malware, an alert triggers an automatic investigation.
    • Phish detected post-delivery (Phish ZAP)—When Office 365 ATP detects and/or ZAPs a phishing email previously delivered to a user’s mailbox, an alert triggers an automatic investigation.
  2. Manually triggered investigations that follow an automated playbook—Security teams can trigger automated investigations from within the Threat Explorer at any time for any email and related content (attachment or URLs).

Rich security playbooks

In each of the above cases, the automation follows rich security playbooks. These playbooks are essentially a series of carefully logged steps to comprehensively investigate an alert and offer a set of recommended actions for containment and mitigation. They correlate similar emails sent or received within the organization and any suspicious activities for relevant users. Flagged activities for users might include mail forwarding, mail delegation, Office 365 Data Loss Prevention (DLP) violations, or suspicious email sending patterns.

In addition, aligned with our Microsoft Threat Protection promise, these playbooks also integrate with signals and detections from Microsoft Cloud App Security and Microsoft Defender ATP. For instance, anomalies detected by Microsoft Cloud App Security are ingested as part of these playbooks. And the playbooks also trigger device investigations with Microsoft Defender ATP (for malware playbooks) where appropriate.
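The playbook behaviour described above (correlate similar messages across the organization, then flag suspicious activity such as forwarding rules, DLP violations or unusual sending volume for the affected users) as an added, simplified illustration. This is not Microsoft's code or the Office 365 ATP playbook logic; the data classes, the "same sender or shared URL" similarity rule, the sending-volume threshold and the constructed sample messages are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Message:
    msg_id: str
    sender: str
    recipient: str
    subject: str
    urls: Tuple[str, ...]
    clicked: bool = False  # whether the recipient clicked one of the URLs


@dataclass
class UserActivity:
    user: str
    forwarding_rule_to: Optional[str] = None  # external forwarding rule, if any
    dlp_violations: int = 0
    sent_last_hour: int = 0


# Assumption for this example: more than 200 messages in an hour is anomalous.
SENDING_VOLUME_THRESHOLD = 200

# Constructed sample data (not real messages): m1 is the user-reported phish,
# m2 shares its sender, m4 shares its URL, m3 is unrelated internal mail.
REPORTED = Message("m1", "billing@examp1e-invoices.test", "alice@corp.test",
                   "Invoice overdue", ("http://examp1e-invoices.test/pay",), clicked=True)
MAILBOX_LOG = [
    REPORTED,
    Message("m2", "billing@examp1e-invoices.test", "bob@corp.test",
            "Invoice overdue", ("http://examp1e-invoices.test/pay",)),
    Message("m3", "hr@corp.test", "carol@corp.test",
            "Benefits update", ("https://intranet.corp.test/benefits",)),
    Message("m4", "noreply@other.test", "dave@corp.test",
            "Payment", ("http://examp1e-invoices.test/pay",), clicked=True),
]
ACTIVITY: Dict[str, UserActivity] = {
    "alice@corp.test": UserActivity("alice@corp.test", forwarding_rule_to="drop@ext-mail.test"),
    "bob@corp.test": UserActivity("bob@corp.test"),
    "dave@corp.test": UserActivity("dave@corp.test", sent_last_hour=450),
}


def find_similar_messages(reported: Message, mailbox_log: List[Message]) -> List[Message]:
    """Correlation step: other messages from the same sender or carrying a shared URL."""
    return [
        m for m in mailbox_log
        if m.msg_id != reported.msg_id
        and (m.sender == reported.sender or set(m.urls) & set(reported.urls))
    ]


def flag_user_activity(users: List[str], activity: Dict[str, UserActivity]) -> List[Tuple[str, str]]:
    """Activity step: suspicious post-compromise indicators for each affected user."""
    flags = []
    for user in users:
        a = activity.get(user)
        if a is None:
            continue
        if a.forwarding_rule_to:
            flags.append((user, "mail forwarding rule"))
        if a.dlp_violations:
            flags.append((user, "DLP violation"))
        if a.sent_last_hour > SENDING_VOLUME_THRESHOLD:
            flags.append((user, "suspicious sending volume"))
    return flags


def run_user_reported_phish_playbook(reported: Message, mailbox_log: List[Message],
                                     activity: Dict[str, UserActivity]) -> dict:
    """Toy playbook: correlate, assess who clicked, flag activity, recommend actions."""
    similar = find_similar_messages(reported, mailbox_log)
    scope = [reported] + similar
    affected = sorted({m.recipient for m in scope})
    clicked = sorted({m.recipient for m in scope if m.clicked})
    flags = flag_user_activity(affected, activity)
    actions = [f"soft-delete {len(scope)} correlated message(s)"]
    actions += [f"review sign-ins and reset credentials for {u}" for u in clicked]
    actions += [f"investigate {reason} for {u}" for u, reason in flags]
    return {
        "similar_message_ids": [m.msg_id for m in similar],
        "affected_users": affected,
        "clicked_users": clicked,
        "flags": flags,
        "recommended_actions": actions,
    }


if __name__ == "__main__":
    for key, value in run_user_reported_phish_playbook(REPORTED, MAILBOX_LOG, ACTIVITY).items():
        print(f"{key}: {value}")
```

The investigation output is deliberately a list of recommended actions rather than actions taken: as the post describes, the playbook logs its steps and surfaces containment and mitigation recommendations for the analyst to approve.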

Let’s look at each of these automation scenarios in detail:

User reports a phishing email—This represents one of the most common flows investigated today. The alert is raised when a user reports a phish email using the Report message add-in in Outlook or Outlook on the web and triggers an automatic investigation using the User Reported Message playbook.

Screenshot of a phishing email being investigated.

User clicks on a malicious link—A very common vector used by attackers is to weaponize a link after delivery of an email. With Office 365 ATP Safe Links protection, we can detect such attacks when links are detonated at time-of-click. A user clicking such links and/or overriding the Safe Links warning pages is at risk of compromise. The alert raised when a malicious URL is clicked triggers an automatic investigation using the URL verdict change playbook to correlate any similar emails and any suspicious activities for the relevant users across Office 365.

Image of a clicked URL being assigned as malicious.

Email messages containing malware removed after delivery—One of the critical pillars of protection in Office 365 Exchange Online Protection (EOP) and Office 365 ATP is our capability to ZAP malicious emails. The “Email messages containing malware removed after delivery” alert triggers an investigation into similar emails and related user actions in Office 365 for the period when the emails were present in a user’s inbox. In addition, the playbook also triggers an investigation into the relevant devices for the users by leveraging the native integration with Microsoft Defender ATP.

Screenshot showing malware being zapped.

Email messages containing phish removed after delivery—With the rise in phishing attack vectors, Office 365 EOP and Office 365 ATP’s ability to ZAP malicious emails detected after delivery is a critical protection feature. The alert raised triggers an investigation into similar emails and related user actions in Office 365 for the period when the emails were present in a user’s inbox and also evaluates if the user clicked any of the links.

Screenshot of a phish URL being zapped.

Automated investigation triggered from within the Threat Explorer—As part of existing hunting or security operations workflows, security teams can also trigger automated investigations on emails (and related URLs and attachments) from within the Threat Explorer. This gives Security Operations (SecOps) a powerful mechanism to gain insights into any threats and related mitigation or containment recommendations from Office 365.

Screenshot of an action being taken in the Office 365 Security and Compliance dash. An email is being investigated.

Try out these capabilities

Based on feedback from our public preview of these automation capabilities, we extended the Office 365 ATP events and alerts available in the Office 365 Management API to include links to these automated investigations and related artifacts. This helps security teams integrate these automation capabilities into existing security workflow solutions, such as SIEMs.

These capabilities are available as part of the following offerings. We hope you’ll give it a try.

Bringing SecOps efficiency by connecting the dots between disparate threat signals is a key promise of Microsoft Threat Protection. The integration across Microsoft Threat Protection helps bring broad and valuable insights that are critical to the incident response process. Get started with a Microsoft Threat Protection trial if you want to experience the comprehensive and integrated protection that Microsoft Threat Protection provides.

Author: Microsoft News Center

USBAnywhere vulnerabilities put Supermicro servers at risk

Security researchers discovered a set of vulnerabilities in Supermicro servers that could allow threat actors to remotely attack systems as if they had physical access to the USB ports.

Researchers at Eclypsium, based in Beaverton, Ore., discovered flaws in the baseboard management controllers (BMCs) of Supermicro servers and dubbed the set of issues “USBAnywhere.” The researchers said authentication issues put servers at risk because “BMCs are intended to allow administrators to perform out-of-band management of a server, and as a result are highly privileged components.

“The problem stems from several issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media, an ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive. When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass,” the researchers wrote in a blog post. “These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all.”

The USBAnywhere flaws make it so the virtual USB drive acts in the same way a physical USB would, meaning an attacker could load a new operating system image, deploy malware or disable the target device. However, the researchers noted the attacks would be possible on systems where the BMCs are directly exposed to the internet or if an attacker already has access to a corporate network.

Rick Altherr, principal engineer at Eclypsium, told SearchSecurity, “BMCs are one of the most privileged components on modern servers. Compromise of a BMC practically guarantees compromise of the host system as well.”

Eclypsium said there are currently “at least 47,000 systems with their BMCs exposed to the internet and using the relevant protocol.” These systems would be at additional risk because BMCs are rarely powered off and the authentication bypass vulnerability can persist unless the system is turned off or loses power.

Altherr said he found the USBAnywhere vulnerabilities because he “was curious how virtual media was implemented across various BMC implementations,” but Eclypsium found that only Supermicro systems were affected.

According to the blog post, Eclypsium reported the USBAnywhere flaws to Supermicro on June 19 and provided additional information on July 9, but Supermicro did not acknowledge the reports until July 29.

“Supermicro engaged with Eclypsium to understand the vulnerabilities and develop fixes. Supermicro was responsive throughout and worked to coordinate availability of firmware updates to coincide with public disclosure,” Altherr said. “While there is always room for improvement, Supermicro responded in a way that produced an amicable outcome for all involved.”

Altherr added that customers should “treat BMCs as a vulnerable device. Put them on an isolated network and restrict access to only IT staff that need to interact with them.”

Supermicro noted in its security advisory that isolating BMCs from the internet would reduce the risk of USBAnywhere but not eliminate the threat entirely. Firmware updates are currently available for affected Supermicro systems, and in addition to updating, Supermicro advised users to disable virtual media by blocking TCP port 623.
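The mitigation advice above (treat BMCs as vulnerable devices and keep them on an isolated network reachable only by the IT staff who need them) turns into a simple inventory check that a defender can run against their own asset list. The following is an added example, not Eclypsium's or Supermicro's tooling: it takes a constructed BMC inventory and the management network(s) the BMCs are supposed to live in, and reports every BMC address that sits outside those networks, escalating any address that is not even in an RFC 1918 private range because such a BMC may be reachable from the internet. The inventory, the management CIDR and the finding codes are all assumptions made for this example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Assumption for this example: the management VLAN that BMCs are supposed to live in.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.250.0.0/16")]

# RFC 1918 private ranges; anything outside them is treated as potentially internet-reachable.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample inventory (not from the article): (host name, BMC address).
SAMPLE_INVENTORY = [
    ("db01-bmc", "10.250.1.10"),      # inside the management network
    ("web02-bmc", "10.250.1.11"),     # inside the management network
    ("lab03-bmc", "192.168.5.20"),    # private, but not on the management VLAN
    ("legacy04-bmc", "203.0.113.45"), # not an RFC 1918 address at all
]

# Finding codes produced by the audit.
OUTSIDE_MGMT = "OUTSIDE_MGMT"   # BMC is private but not on an isolated management network
PUBLIC_RANGE = "PUBLIC_RANGE"   # BMC address is outside RFC 1918 space; may face the internet


def classify_bmc(addr: str, management_networks: Iterable[ipaddress.IPv4Network]) -> str:
    """Return "" for a correctly placed BMC, otherwise a finding code."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in management_networks):
        return ""
    if not any(ip in net for net in RFC1918):
        return PUBLIC_RANGE
    return OUTSIDE_MGMT


def audit_bmc_placement(inventory: Iterable[Tuple[str, str]],
                        management_networks=MANAGEMENT_NETWORKS) -> List[Tuple[str, str, str]]:
    """Audit every BMC in the inventory; returns (name, address, finding code) for misplaced ones."""
    findings = []
    for name, addr in inventory:
        code = classify_bmc(addr, management_networks)
        if code:
            findings.append((name, addr, code))
    return findings


if __name__ == "__main__":
    for name, addr, code in audit_bmc_placement(SAMPLE_INVENTORY):
        print(f"{code:<13} {name:<14} {addr}")
```

A PUBLIC_RANGE finding is the one to act on first, since it matches the exposed-to-the-internet scenario the researchers counted; an OUTSIDE_MGMT finding still means the BMC is reachable from the general corporate network, the second precondition the article names.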


Carbon Black acquisition is ‘compelling’

SAN FRANCISCO — VMware’s acquisition of Carbon Black is “the most compelling security story” Steve Athanas has heard in a while.

“I don’t know any other vendor in the ecosystem that has more visibility to more business transactions happening than VMware does,” said Athanas, VMware User Group president and associate CIO at the University of Massachusetts Lowell.

At its annual user conference, VMware announced new features within Workspace One, its digital workspace product that enables IT to manage virtual desktops and applications, and talked up the enhanced security features the company will gain through its $2.1 billion Carbon Black acquisition. Like Athanas, VMworld attendees welcomed the news.

At the opening keynote for VMworld, VMware CEO Pat Gelsinger speaks about the recent Carbon Black acquisition.

In this podcast, Athanas said Carbon Black could provide endpoint security across an entire organization once the technology is integrated, a promise he said he’s still thinking through.

“Are [chief security officers] going to buy into this model of wanting security from one vendor? I’ve heard CSOs in the past say you don’t do that because if one fails, you want another application to be able to detect something,” he said. “I don’t know where the balance and benefit is between being able to see more through that single view from Carbon Black or to have multiple vendors.”

Aside from the Carbon Black acquisition, Athanas was drawn to newly unveiled features for Workspace One that are aimed at making day-to-day processes easier for end users, IT and HR admins. For IT admins, a new Employee Experience Management feature enables IT to proactively diagnose whether an end user’s device has been compromised by a harmful email or cyberattack. The feature can then block that employee from accessing further company applications, limiting the spread of an attack.

Another feature is called Virtual Assistant, which can help automate some of the onboarding and device management aspects of hiring a new employee.

“The Virtual Assistant stuff is cool, but I’m going to reserve judgement on it, because there is a ton of work that needs to go into getting that AI to give you the right answer,” Athanas said.


Carbon Black acquisition bolsters VMware’s security play

VMware is continuing a string of acquisitions with the purchase of Carbon Black, an endpoint security company, with the aim of providing more secure cloud offerings.

The Carbon Black acquisition will be an all-cash transaction for $26 per share, which is a company valuation of $2.1 billion. VMware expects the acquisition to close in the second half of VMware’s fiscal year 2020, ending Jan. 31.

In VMware’s Q2 2020 earnings call, CEO Patrick Gelsinger noted that his company has been working with Carbon Black for the past two years on VMware’s AppDefense product, and said that time has been a way of “de-risking this acquisition” and “building a shared go-to-market with them.”

Gelsinger told reporters during the earnings call that the Carbon Black acquisition will address security challenges “as businesses move applications to the cloud and access it over distributed networks and from a diversity of endpoints.” He added that the acquisition will lead to integration through VMware’s “extensive endpoint footprint” and create a unified workspace solution covering both endpoint management and endpoint security. VMware also plans to leverage partnerships with Dell and SecureWorks to “accelerate the adoption of Carbon Black in the enterprise.”

Gelsinger acknowledged that part of the impetus for the Carbon Black acquisition is VMware’s plan to build a security cloud platform.

“Together VMware and Carbon Black we think will uniquely provide customers advanced threat detection, in-depth app behaviors, insight to prevent sophisticated attacks and accelerate responses across that platform,” Gelsinger said. “This idea of individual products that are bolted on and patched on is just ineffective for customers.”

The Carbon Black acquisition follows other moves by VMware to strengthen its presence in the security industry. Earlier this week, the company acquired Intrinsic, a startup focused on application runtime security, for an undisclosed amount and also confirmed its $1.45 billion purchase of software development firm Pivotal.

In addition to those deals and other security acquisitions this year, VMware introduced its Service-defined Firewall at RSA Conference 2019; the product is designed to secure traffic within a distributed environment by permitting only “known good” behavior of applications while blocking all other activity. At the conference, Gelsinger hinted at a larger cybersecurity play for VMware while criticizing the “nightmare” state of the market, which he said was overwhelmed with too many products that were chasing specific threats instead of reducing attack surfaces.

Gelsinger echoed those comments during VMware’s earnings call Thursday evening and said his company plans to fundamentally “fix” the security market. “As enterprises increasingly become digital, cyber security and protection of enterprise apps, data network endpoints and identity … is a primary concern across the C-suite and boards,” he said. “Yet, as I have said before, the current cyber security industry is simply broken and ineffective with a plethora of fragmented tools, bloatware agents and no cohesive platform architecture.”

Gelsinger added that current market disruptions, which are affecting “legacy players,” have opened up an opportunity for VMware. “We’re out to change the security industry,” he said.

Analyst response

Josh Zelonis, principal analyst serving security and risk professionals at Forrester, said that rather than changing the security industry, VMware’s Carbon Black acquisition was confirmation of a larger trend already under way.

“EDR is traditionally endpoint detection and response and traditional endpoints are workstations and laptops. This acquisition is part of a growing trend in the industry to make it something much bigger than that,” Zelonis told SearchSecurity. “What VMware is doing is they’re now allowing you to build EDR products by default in all your virtual machines. So all your workloads that you’re managing through VMware can now instantly be benefitting from what is essentially the logging and detection of an EDR product.”

J. Craig Lowery, a vice president analyst at Gartner, said the Carbon Black acquisition aligns with the strategy VMware set out on several years ago.

“[VMware is] moving from a legacy virtualization business to a new business in cloud management software and services, specifically with an eye towards cloud-native solutions built on containers,” Lowery told SearchSecurity. “However, there are serious challenges to this strategy, as even these new additions to VMware’s portfolio will not likely significantly increase VMware’s appeal to developers. It will, however, be meaningful for those VMware customers that are looking for a more conservative path to cloud-native outcomes.”

Zelonis pointed out that both Palo Alto Networks and Trend Micro have recently started using the XDR branding to imply EDR plus integration with all of their other technologies. He also pointed out that Microsoft has the Intelligent Security Graph, which Zelonis described as tying together “all the intelligence that’s coming in from all their EDR products, all their email products and the Office products, [which] all have application level capabilities for detecting misuse.”

“Big picture is everything is moving toward leveraging this type of detection in every environment in your organization,” Zelonis said. “The bigger trend that everybody needs to look at is how we’re going to be moving forward with the security analytics and the SIEM space to be integrating these point solutions in a better fashion. My hope is to see that these SIEM products become so heavily focused on being able to ingest anything that we’re able to treat everything like a portfolio solution and not a bolt-on.”


CloudKnox Security adds privileged access features to platform

CloudKnox Security, a vendor in identity privilege management, introduced new features to its Cloud Security Platform, including Privilege-on-Demand, Auto-Remediation for Machine Identities and Anomaly Detection.

The offerings intend to increase enterprise protection from identity and resource risks in hybrid cloud environments. According to CloudKnox Security, the new release is an improvement on its existing Just Enough Privileges Controller, which enables enterprises to reduce overprovisioned identity privileges to appropriate levels across VMware, AWS, Azure and Google Cloud.

Privileged accounts are often targets for attack, and a successful hacking attempt can result in full control of an organization’s data and assets. The 2019 Verizon Data Breach Investigations Report highlighted privileged account misuse as the top threat for security incidents and the third-leading cause of security breaches.

The Privilege-on-Demand feature from CloudKnox Security enables companies to grant privileges to users for a limited time and on a specific resource on an as-needed basis. The options, Privilege-on-Request, Privilege Self-Grant and Just-in-Time Privilege, each give users access to a specific resource within a set time window to perform an action.

The Auto-Remediation feature can automatically and on a recurring basis revoke unused privileges from machine identities, according to the vendor. For example, the feature is useful for dealing with service accounts that perform repetitive tasks with limited privileges, because when these accounts are overprovisioned, organizations are particularly vulnerable to privilege misuse.

The Anomaly Detection feature creates risk profiles for users and resources based on data obtained by CloudKnox’s Risk Management Module. According to the vendor, the software intends to detect abnormal behaviors from users, such as a profile carrying out a high-risk action for the first time on a resource they have never accessed.
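The three controls described above (time-boxed grants, revocation of idle privileges, and flagging a first high-risk action on a never-accessed resource) can be modelled in a few dozen lines. The following is an added example, not CloudKnox code; the action names, identities and resources are constructed, and the risk-scoring logic is a deliberately simple stand-in for the vendor's risk profiles.

```python
from datetime import datetime, timedelta
# Constructed example, not CloudKnox code: action names and identities are made up.
HIGH_RISK_ACTIONS = {"iam:AttachRolePolicy", "ec2:TerminateInstances", "s3:DeleteBucket"}

class PrivilegeLedger:
    # Time-boxed grants, idle-privilege clean-up and first-use anomaly flags.
    def __init__(self, now):
        self.now = now
        self.grants = {}     # (identity, resource, action) -> expiry time
        self.last_used = {}  # (identity, resource, action) -> last use time
        self.seen = set()    # (identity, resource) pairs the identity has touched

    def grant(self, identity, resource, action, ttl):
        # Privilege-on-Demand: one action on one resource, valid for `ttl` only.
        key = (identity, resource, action)
        self.grants[key] = self.now + ttl
        self.last_used[key] = self.now

    def is_permitted(self, identity, resource, action):
        expiry = self.grants.get((identity, resource, action))
        return expiry is not None and self.now < expiry

    def use(self, identity, resource, action):
        # Returns (permitted, anomalous) for an attempted action and records it.
        permitted = self.is_permitted(identity, resource, action)
        # Anomaly: a high-risk action on a resource this identity has never accessed.
        anomalous = action in HIGH_RISK_ACTIONS and (identity, resource) not in self.seen
        if permitted:
            self.seen.add((identity, resource))
            self.last_used[(identity, resource, action)] = self.now
        return permitted, anomalous

    def auto_remediate(self, idle):
        # Revoke every grant that is expired or has gone unused for longer than `idle`.
        stale = [k for k, exp in self.grants.items()
                 if self.now >= exp or self.now - self.last_used[k] > idle]
        for k in stale:
            del self.grants[k]
        return stale

def run_scenario():
    ledger = PrivilegeLedger(datetime(2019, 8, 1, 9, 0))
    ledger.grant("svc-backup", "bucket:nightly-backups", "s3:PutObject", timedelta(days=365))
    ledger.grant("alice", "role:prod-admin", "iam:AttachRolePolicy", timedelta(minutes=30))
    first = ledger.use("alice", "role:prod-admin", "iam:AttachRolePolicy")   # (True, True)
    second = ledger.use("alice", "role:prod-admin", "iam:AttachRolePolicy")  # (True, False)
    ledger.now += timedelta(minutes=45)
    late = ledger.use("alice", "role:prod-admin", "iam:AttachRolePolicy")    # (False, False)
    ledger.now += timedelta(days=30)
    revoked = ledger.auto_remediate(idle=timedelta(days=7))
    return first, second, late, revoked
```

The scenario shows the standing service-account privilege being swept up by remediation after 30 idle days, while the short-lived admin grant lapses on its own and its first use is flagged as anomalous.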

The company will demonstrate the new features at Black Hat USA in Las Vegas this year for the first time. CloudKnox’s update to its Cloud Security Platform follows competitor CyberArk’s recent updates to its own privileged access management offering, including zero-trust access, full visibility and control of privileged activities for customers, biometric authentication and just-in-time provisioning. Other market competitors that promise insider risk reduction, identity governance and privileged access management include BeyondTrust and One Identity.
