Tag Archives: threats

Managed security services, professional services to top $35B

Escalating cybersecurity threats and a shortage of in-house talent are driving double-digit growth rates in the managed security services and professional security services market.

Market research firm Frost & Sullivan expects the global market to expand from $21 billion in 2018 to $35.6 billion in 2023, growing at an 11.1% compound annual growth rate. The top five providers are already experiencing even higher growth. Accenture, Deloitte, EY, IBM and PwC — a group which accounts for 42% of the global market — grew 27.6% year-over-year in 2018, according to Frost & Sullivan.

The market researcher’s report cited an “overdue need for a new chapter in security practices” along with rising risk levels and staffing limitations as the main factors propelling the demand for managed and professional security services. Digital transformation and customers’ heightened recognition of cyberthreats also contribute to increasing demand.

High growth services

Detection and response are the fastest growing offerings in the managed security services market, followed by DDoS protection and threat intelligence, research, detection and mitigation (TIRDM), noted Jarad Carleton, global program leader of cybersecurity information and communication technologies at Frost & Sullivan.

“We are noticing a strong demand across several areas in the managed security services space from our clients globally,” said Harpreet Sidhu, managing director and managed security services lead at Accenture. “One of those areas is definitely for detection and response as companies seek to add next-generation solutions to their security capabilities.”

Chart: the cybersecurity skills shortage has helped fuel demand for managed security services.

Sidhu said managed detection and response (MDR) capabilities include security automation and orchestration and come with predefined playbooks. MDR, which uses technology to scale, “can help drive significantly faster analysis and improved responses,” he noted.

Chris Gerritz, chief product officer at Infocyte, a cybersecurity incident response platform provider in Austin, Texas, said detection and incident response is becoming more important for managed security services providers (MSSPs), which traditionally have focused on network monitoring.

“Generally, they are starting to add on endpoint capabilities and starting to add on response capabilities,” he said.

Gerritz said customers are telling MSSPs “I don’t want just 100 notifications that I have been attacked. I want you to actually do something about that.”

Infocyte this week launched its Response Ready program for its certified incident response partners. The program aims to help those partners scale up their incident response businesses and boost recurring revenue.

Assessment and advisory offerings, meanwhile, stand out in the professional security services market segment, according to the Frost & Sullivan report. Professional security services represent the biggest slice of the security services market, overall, with a 61% share.

Sidhu said Accenture is seeing consulting and professional services demand across several areas such as identity, cloud, cyber defense and application security, along with strong demand for assessment of those capabilities.

Breaking into the market

The market’s five largest players are generating considerable revenue growth, which Frost & Sullivan attributes to “their massive size, global reach, consultative strength, industry expertise, and established relationships with large enterprises and government agencies.”

Yet, smaller service providers also have the potential to grow — with a few caveats. Managed service providers are looking to add security services as more customers expect them to provide protection from cyberattacks.


“The key for MSPs trying to break into the MSSP market is providing right-sized security services for small- and medium-sized enterprises,” Carleton said.

Regional MSSPs, as well as MSPs offering security services, will find demand for security services among regionally-focused SMBs, he noted.

MSPs, however, must take care to properly scope their services and keep their own security house in order.

“What we have seen is that far too many MSPs are promising more than they can actually deliver in terms of managed security services, and that is damaging to the industry,” Carleton said. “What is even more damaging to MSPs trying to break into the MSSP market is that MSPs themselves have become targets of cybercriminals. If you cannot manage your own security, frankly you have no business selling managed security services to a customer.”

HCL unveils Google Cloud unit

HCL Technologies, a global technology company based in Noida, India, has launched a Google Cloud business unit, which will eventually house more than 5,000 Google Cloud specialists.

HCL currently has more than 1,300 Google Cloud platform professionals. The company’s Google initiative targets a range of fields, from containerization to machine learning. The HCL business unit will also build Google Cloud-specific Cloud Native Labs in Dallas, London and in India’s national capital region.

Google and HCL said joint investments to support customers’ digital transformation projects will cover several areas:

  • SAP workload and application migration to Google Cloud Platform. In August, Google launched a partnership with DXC Technology that also focuses on enterprise migration of SAP applications to public cloud.
  • Hybrid and multi-cloud deployments using Google Cloud’s Anthos. Google partners cited Anthos as a business opportunity and one of the key developments during Google’s Next ’19 conference.
  • Adoption of Google Cloud data, AI and machine learning offerings in areas such as e-commerce, supply chain and marketing.
  • Application and data center modernization.
  • Workplace transformation and collaboration via G Suite.
  • DevSecOps and service orchestration.

Tech Data buys government channel partner DLT Solutions

Tech Data has agreed to purchase DLT Solutions, a Herndon, Va., company that aggregates technology for public sector clients and channel partners.

The deal, expected to close by Jan. 31, would make DLT a wholly owned subsidiary of Tech Data, a distributor based in Clearwater, Fla. DLT’s government contract vehicles include the General Services Administration Schedule 70, the Defense Department’s Enterprise Software Initiative, The National Institutes of Health’s Chief Information Officers — Commodities and Solutions and NASA’s Solutions for Enterprise-Wide Procurement V.

DLT had been a Millstein & Co. portfolio company. The private equity firm acquired DLT in 2015. TZP Group owned DLT prior to that deal, having acquired the company in 2009.

The DLT transaction will expand Tech Data’s value proposition, “especially in government solutions,” according to a bulletin from Martinwolf, a merger and acquisition advisory firm based in Scottsdale, Ariz. Martinwolf advised DLT on the TZP deal and then advised TZP on the Millstein acquisition.

Evercore, an M&A advisory firm based in New York, is representing DLT on the Tech Data deal.

Axcient launches X360 backup platform

Data protection company Axcient unveiled Axcient X360, a converged backup platform for MSPs.

The Axcient X360 platform offers single sign-on and centralized management of Office 365 backup, sync and share, and business continuity and disaster recovery. The platform also provides unlimited storage and retention and supporting services such as billing, training and certification, co-branded collateral and market development funds, the company said.

David Bennett, CEO of Axcient, speaking with SearchITChannel at MSP software vendor ConnectWise’s IT Nation conference, said the platform is designed to ease the backup burdens of MSPs. “Anything that puts a burden on an MSP’s business in terms of people and time is costly,” he said.

Bennett said Axcient X360 aims to be easy to learn, to the extent an MSP’s tier-1 technician could quickly train and operate the platform.

The X360 platform also documents backups for customers in regulated industries such as healthcare and financial services, Bennett added.

Axcient currently works with about 3,000 MSPs and integrates with ConnectWise.

Other news

  • Cloud distributor Pax8 inked a deal with Nerdio, an Azure solution provider for MSPs. Under the agreement, Pax8 will offer Nerdio for Azure in three packages: Core, Professional and Enterprise.
  • Intermedia, a cloud communications provider, joined ConnectWise’s Invent partner program for integrating with the ConnectWise MSP platform.
  • Webroot said ConnectWise partners can buy licenses for its security awareness training offering at 50% off from Oct. 30 to Nov. 30. The offer is available only through ConnectWise and to partners that are not currently purchasing Webroot’s security awareness training.
  • MSP360, formerly CloudBerry Lab, said MSP interest in its multi-cloud data backup and recovery portfolio helped boost Q3 revenue 60% over the same period last year.
  • Synechron Inc., a digital consulting firm based in New York, launched Digital Ecosystem Accelerators for the financial sector. The company described the accelerators as “solution prototypes” targeting such fields as retail banking, wealth management, corporate banking and capital markets.

Market Share is a news roundup published every Friday.


Gen Z in the workforce both want and fear AI and automation

For Gen Z in the workforce, AI and automation are useful and time-saving tools, but also possible threats to job security.

Typically characterized as the demographic born between the mid-1990s and mid-2000s, Generation Z is the first generation to truly grow up exclusively with modern technologies such as smartphones, social media and digital assistants.

Many Gen Z-ers first experienced Apple’s Siri, released in 2011, and then Amazon’s Alexa, introduced in 2014 alongside Amazon Echo, at a young age.

The demographic as a whole tends to have a strong understanding of the usefulness of AI and automation, said Terry Simpson, technical evangelist at Nintex, a process management and automation vendor.

Gen Z in the workforce

Most Gen Z employees have confidence in AI and automation, Nintex found in a September 2019 report about a survey of 500 current and 500 future Gen Z employees. Some 88% of the survey takers said AI and automation can make their jobs easier.

This generation understands AI technology, Simpson said, and its members want more of it in the workplace.

“For most organizations, almost 68 percent of processes are not automated,” Simpson said. Automation typically replaces menial, repetitive tasks, so lack of automation leaves those tasks to be handled by employees.

Chart: Gen Z wants more automation in the workplace, even as they fear it could affect job security.

For Gen Z in the workforce, a lack of automation can be frustrating, Simpson said, especially when Gen Z-ers are so used to the ease of digital assistants and automated programs in their personal lives. Businesses generally haven’t caught up to the AI products Gen Z-ers are using at home, he said.

Yet, even as Gen Z-ers have faith that AI and automation will help them in the workplace, they fear it, too.

Job fears

According to the Nintex report, 57% of those surveyed expressed concern that AI and automation could affect their job security.

“A lot of times you may be a Gen Z employee that automation could replace what you’re doing as a job function, and that becomes a risk,” Simpson said.


Still, he added, automation can help an organization as a whole, and can ease the employees’ workloads.

“Everybody says I don’t want to lose my job to a robot, and then Outlook tells you to go to a meeting and you go,” said Anthony Scriffignano, chief data scientist at Dun & Bradstreet.

Jobs that can be easily automated may eventually be given to an automated system, but AI will also create jobs, Scriffignano said.

As a young generation, Gen Z-ers may have less to fear than other generations, however.

Younger generations are coachable and more open to change than the older generations, Scriffignano said. They will be able to adapt better to new technologies, while also helping their employers adapt, too.

“Gen Z have time in their career to reinvent themselves and refocus” their skills and career goals to better adapt for AI and automation, Scriffignano said.


SaaS activity alerts can mitigate manual misconfigurations

External threats can actually be the easier security issue to combat compared to the potential of an insider stealing data, which makes access management and awareness vital for IT.

More and more sensitive data is being stored in the cloud and improper access controls or limited visibility can lead to unintended data exposures or even insider theft. However, better SaaS activity alerts can help mitigate these issues.

BetterCloud CEO and founder David Politis spoke with SearchSecurity about the dangers of cloud misconfigurations and having too many admins, as well as how SaaS activity can be monitored automatically to avoid security breaches.

Editor’s note: This conversation has been edited for length and clarity.

You have said that it is functionally impossible to monitor SaaS activity manually, so what are the programmatic options for security?

David Politis: The most important thing we have is this framework that we recreated with our customers. The first step is centralizing all of the data that you have across these applications because data sprawl is one of the biggest issues.


Once you’ve centralized that data, programmatically you have to go into all the different APIs that are available from these applications and you need to bring all the settings and the configuration and the entitlements and everything into a single place because part of the problem is going app by app. That’s not scalable.

Once you’ve centralized all of that, you need to be able to go and discover against that centralized repository of all the entitlements and settings you have, because once you centralize, what you’ll find is you have, depending on the size of your organization, millions — I’m not exaggerating — millions of data points that you’re having to report against or audit.

So you centralize then you do discovery and discovery means: Let me look at all my groups or email distribution lists that are set like this, or I have a rule in my organization where I need to be able to see all the files that are shared in this way. Now, still, that’s a massive data set and somehow you need that to be surfaced more real time because the changes in the settings and the entitlements are changing all the time. They’re literally changing every day, all day. People are working in these applications; they’re sharing files; they’re creating Slack channels; they’re adding folders in Dropbox; they’re doing X, Y, Z in Salesforce. It’s changing on a regular basis.

So after centralizing and being able to discover — that really helps you retroactively — then you need something that surfaces the insights on a more regular basis that says, ‘Hey, when we catch this needle in the haystack, surface that.’

The last step is you want to be able to do something about that because if you’re just surfacing data all day long, what we hear from IT is that they have this kind of fatigue of alerts, they have a fatigue of trying to put out fires all day long. And so there needs to be a system that not only brings all the data, centralizes it, makes it discoverable, surfaces insight and the items that need to get the exposures, the risk, and then ultimately be able to remediate that and take some kind of an action against that and enforce that.

What are the new features BetterCloud is introducing to enable SaaS activity monitoring?

Politis: The new service that we’re launching now, that we just started layering into the product, is our activity-based alerting. Basically, all the things that you and I just talked about the last 20 minutes, that’s all based on what I would call ‘state-based’ settings or configurations are entitlements — is a user set as an end user or an admin? Is this email distribution set to public or is it set to private? — that’s the state that is in.

We are now starting to do ‘activity-based’ monitoring and alerting and triggers for our workflows, and that is at a completely different level. If somebody just downloads 500 files in a matter of 30 minutes, that’s a next level deeper in terms of looking at user behavior and user activities within these platforms. Did somebody just create 100 users that are all super admin? Were there suspicious logins to this platform outside of the IP range?

So, you start getting more into the activity-based stuff, which is either a faster indicator of misconfigurations that are mistakes, or that’s actually a faster indication — and probably more likely, frankly — of malicious behavior. And so we really extended the platform to start looking at user behavior, user activity in these platforms.

The number one request I’ve gotten for the last year from customers is: I want to know when people are downloading files from Dropbox, Box, Slack, Salesforce [and/or] Google. File downloads have been the number one requested activity to monitor since I can’t even remember because as you can imagine, that starts to be a little bit more malicious. And that’s when IT can really be taken out of an organization.

I think the Uber/Waymo example is a great one. That is just someone at Waymo, at Google downloading a bunch of files out of Google Drive and leaving. Now, if you were looking at their activity in Google Drive, you would have noticed that they downloaded all the files from the confidential folder, and you can flag that, you could block, you could follow up with security.

It’s as it’s happening versus the states that things are in. File download is not a state the file has. So by looking at all the states of the file, you don’t know that it was downloaded 100 times by this person in a 30-minute window. By seeing that someone successfully logged in, you don’t see that there have been 100 failed logins from 100 different IP addresses.

What platforms do you support with these SaaS activity alerts?

Politis: We have it fully integrated for Okta, Dropbox and Google. We’re layering it in for Box and Salesforce, so over the next couple months we’ll have the same functionality available across all the applications that we support.

And, this is actually an interesting indication because a lot of the SaaS platforms that we work with, five years ago, three years ago, they didn’t make this kind of activity streams available via their API. Now they’re making it available because how do companies protect themselves against this stuff? The only way is for the platforms themselves to make this information available via API, make this information available programmatically to their customers, to their partners. And so we’re taking advantage of that. Dropbox’s API that we’re using is a new API available for their enterprise customers for exactly this purpose, but their customers don’t know how to utilize that. What we’re doing is we’re doing that for the customer, we’re going out to the different SaaS platforms connecting to these activity streams, and then making sense of them. Otherwise, it’s just a stream of data.

But to that first part of the discussion: People keying in on this is what I’ve been waiting for, for many years. Because people have been [saying], ‘OK, I don’t see this problem in the news. And now it’s starting.’

I think it’s only the beginning. I think you’re going to see what I’m seeing with some of our really large organizations that these misconfigurations are going to come out more and more and more and the impact that they’re having on organizations is bigger than people know yet.
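As an added illustration of the state-based versus activity-based distinction drawn in the interview above (example code written for this page, not BetterCloud’s product or any vendor’s API): a small Python detector run over a constructed SaaS audit-event stream, with assumed field names and thresholds. It flags a download burst, mass super-admin creation, failed logins spread across many source IPs and a login from outside an allowed range, and shows that a state snapshot of the same data reveals none of the activity.

```python
"""Activity-based SaaS alerting over an audit-event stream (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


def ev(ts, actor, action, target="", ip="203.0.113.10", role=""):
    """Build one simplified audit record; field names are assumed, not any vendor's schema."""
    return {"ts": datetime.fromisoformat(ts), "actor": actor, "action": action,
            "target": target, "ip": ip, "role": role}


# Constructed sample stream (not real log data): a download burst by alice, two
# harmless downloads by bob, three super-admin accounts created by carol, failed
# logins against dave from four source IPs, and erin logging in from outside the office range.
SAMPLE_EVENTS = (
    [ev(f"2019-10-30T09:{m:02d}:00", "alice", "file.download", f"confidential/doc{m}.pdf")
     for m in (0, 3, 7, 12, 15, 20)]
    + [ev("2019-10-30T08:00:00", "bob", "file.download", "handbook.pdf"),
       ev("2019-10-30T11:30:00", "bob", "file.download", "handbook.pdf")]
    + [ev(f"2019-10-30T10:{m:02d}:00", "carol", "user.create", f"svc{m}", role="super_admin")
       for m in (1, 4, 9)]
    + [ev("2019-10-30T10:20:00", "carol", "user.create", "intern", role="end_user")]
    + [ev(f"2019-10-30T12:00:{s:02d}", "dave", "login.failed", "dave", ip=f"198.51.100.{s}")
       for s in (1, 2, 3, 4)]
    + [ev("2019-10-30T13:00:00", "erin", "login.success", "erin", ip="192.0.2.77")]
)


def burst_alerts(events, action, threshold, window, key="actor", match=None):
    """Flag every `key` value with at least `threshold` matching events inside a sliding `window`.

    A per-key deque keeps the timestamps still inside the window; events are
    processed in time order so the oldest entry can be dropped as the window slides.
    """
    recent = defaultdict(deque)
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != action or (match is not None and not match(e)):
            continue
        q = recent[e[key]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            # First hit creates the alert; later hits in the same window grow its count.
            alerts[e[key]] = {"rule": f"{action} burst", "who": e[key], "count": len(q),
                              "window_start": q[0], "window_end": e["ts"]}
    return list(alerts.values())


def distinct_ip_alerts(events, action="login.failed", min_ips=3):
    """Flag accounts that see `action` from at least `min_ips` distinct source IPs."""
    ips = defaultdict(set)
    for e in events:
        if e["action"] == action:
            ips[e["target"]].add(e["ip"])
    return [{"rule": f"{action} from many IPs", "who": user, "count": len(srcs)}
            for user, srcs in sorted(ips.items()) if len(srcs) >= min_ips]


def out_of_range_logins(events, allowed_cidrs):
    """Flag successful logins whose source IP is outside every allowed CIDR range."""
    nets = [ip_network(c) for c in allowed_cidrs]
    return [{"rule": "login outside allowed range", "who": e["actor"], "ip": e["ip"]}
            for e in events
            if e["action"] == "login.success"
            and not any(ip_address(e["ip"]) in n for n in nets)]


def state_snapshot(events):
    """What a state-based check sees: the current role of each user, and nothing else.

    Downloads and login attempts leave no trace here, which is the gap the
    activity-based rules above are meant to close.
    """
    roles = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "user.create":
            roles[e["target"]] = e["role"]
    return roles


def run_all(events, allowed_cidrs=("203.0.113.0/24",)):
    """Run every activity-based rule over the stream and return the combined alerts."""
    def is_super_admin(e):
        return e["role"] == "super_admin"

    return (burst_alerts(events, "file.download", threshold=5, window=timedelta(minutes=30))
            + burst_alerts(events, "user.create", threshold=3, window=timedelta(minutes=30),
                           match=is_super_admin)
            + distinct_ip_alerts(events)
            + out_of_range_logins(events, allowed_cidrs))


if __name__ == "__main__":
    print("state snapshot:", state_snapshot(SAMPLE_EVENTS))
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are deliberately low so the constructed stream trips each rule; in practice they would be tuned per application to keep the alert volume the interview warns about under control.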

McAfee details rise in blockchain threats, cryptocurrency attacks

A new McAfee report on blockchain threats shows cryptomining malware grew more than 600% in the first quarter this year.

McAfee’s “Blockchain Threat Report” details the massive increase in cyberattacks against cryptocurrency owners, exchanges and other companies leveraging blockchain as the value of those cryptocurrencies has surged over the last year. Steve Povolny, head of advanced threat research at McAfee, said the intent of the report is to create a baseline for the industry as it deals with increased blockchain threats that use many of the same attack techniques and methods of the last five to 10 years.

“We’ve seen an explosion in cryptocurrency value recently,” Povolny said. “Hundreds of them were created in a very short time, and now we’re seeing threat actors trying to capitalize on that value.”

While attackers have learned to adopt different attack methods that target both consumers and businesses, according to McAfee researchers, the four major attack vectors include familiar threats like phishing, malware, implementation vulnerabilities and technology. Phishing is the most familiar blockchain attack due to its prevalence and success rate, the researchers wrote. Malware, meanwhile, has exploded over the last year; the report shows the total cryptomining malware samples increased 629% quarter-over-quarter in Q1 of this year. The report also notes that malware developers began to shift from ransomware to cryptocurrency mining in the last six months with “ransomware attacks declining 32% in Q1 2018 from Q4 2017 while coin mining increased by 1,189%.”

Technology attacks, as explained by the researchers, are threats like dictionary attacks that are used against cryptocurrency private keys. Lastly, implementation vulnerabilities refer to flawed deployments of blockchain technology; the report cites examples such as the 2017 attack on blockchain startup Iota, where attackers exploited cryptographic vulnerabilities to create hash collisions and forged signatures, which enabled the hackers to steal coins from users’ digital wallets. Povolny stressed these vulnerabilities are not flaws with blockchain itself, which has proved to be secure so far.

The “Blockchain Threat Report” states, “In most cases, the consumers of blockchain technology are the easiest targets. Due to a widespread start-up mentality, in which security often takes a backseat to growth, cryptocurrency companies often fall in this category.”

Povolny said the issue of security within cryptocurrency and blockchain creates a two-sided problem. The first side revolves around the companies that initially rushed to capitalize on cryptocurrency but didn’t complete basic security checks and risk assessments; those shortcomings, which include a lack of proper access controls, make them easy targets for threat actors, he said. The second side is the financial motivation, as many cryptocurrencies’ values reached all-time highs in late 2017, when Bitcoin was valued at almost $20,000 per coin, thus catching the attention of hackers. This two-sided cryptocurrency problem created a continuous cycle that resulted in the development of wallets and ledgers being built without a complete understanding of security risks or an implementation of security around the programs, McAfee researchers claim.

The report also notes that “recovering from cryptocurrency theft is more difficult and complicated than with most other currencies due to their decentralized nature.” In order to secure a network, a tailored risk assessment should be conducted.

As industries begin to implement their own blockchain technology, users should prepare for continued development of new technologies by cybercriminals to further compromise them, McAfee researchers wrote. However, since there is not a clear understanding of where these risks are, trust may be placed in unwarranted blockchain applications. In order to keep cryptocurrency wallets safe, Povolny recommends storing them locally on a computer that lacks network accessibility and notes that we may not see people flock to a currency like this again.

Despite the increase in threats, Povolny said the surge in cryptocurrency startups and blockchain deployments is expected to continue.

Microsoft announces new intelligent security innovations to help businesses manage threats from cloud to edge

Amid evolving digital threats, an innovative IoT security solution, integrated threat intelligence and advanced protection in Microsoft 365 help simplify cybersecurity for businesses

SAN FRANCISCO — April 16, 2018. At a news conference on Monday, Microsoft Corp. announced several new intelligent security tools and technologies to help enterprises more easily secure their data and networks against today’s biggest threats as well as address emerging threats aimed at IoT and edge devices. These new solutions build on Microsoft’s longstanding approach to delivering innovation that customers and partners can build upon to strengthen the broader ecosystem against cyberattacks from the cloud to the edge.

“As last year’s devastating cyberattacks demonstrated, security threats are evolving and becoming even more serious,” said Brad Smith, president of Microsoft. “The tech sector’s innovations need to accelerate to outpace security threats. Today’s steps bring important security advances not just to the cloud, but to the billions of new devices that are working on the edge of the world’s computer networks.”

Securing a new generation of connected devices: announcing Azure Sphere

Microsoft is harnessing the power of the intelligent cloud to address emerging threats against a new class of connected devices, those relying on a chip the size of a thumbnail called a microcontroller unit (MCU). MCU-powered devices are already the most populous area of computing with roughly 9 billion new devices every year. They are found in everything from toys and household appliances to industrial equipment — and attackers are starting to target them. To bring security to this next generation of connected devices, Microsoft is introducing Azure Sphere, the industry’s first holistic platform for creating highly secured, connected MCU devices on the intelligent edge. It features an entirely new class of MCUs with more than five times the power of legacy MCUs, an OS custom built for IoT security, and a turnkey cloud security service that guards every Azure Sphere device. With Azure Sphere, Microsoft extends the boundaries of the intelligent edge, to power and secure an entirely new category of devices.

“As our homes become more connected, we place significant value on the security of connected devices, so we can focus on continuing to deliver an exceptional customer experience,” said Brian Jones, director of Product Strategy and Marketing at Sub-Zero Group Inc. “Microsoft’s approach with Azure Sphere is unique in that it addresses security holistically at every layer.”

Microsoft 365 Intelligent Security Solutions: Simplifying Security

As security threats become more complex, companies are increasingly finding that the intelligence and threat protection tools they need to remain a step ahead of attackers are in the cloud. Today, Microsoft introduced several new intelligent security features for its Microsoft 365 commercial cloud offering designed to help IT and security professionals simplify how they manage security across their enterprises:

Advanced tools that make it easier to prevent threats before they happen

  • To help teams stay prepared and ahead of threats, Microsoft today released Microsoft Secure Score and Attack Simulator. Secure Score makes it easier for organizations to determine which controls to enable to help protect users, data and devices by quickly assessing readiness and providing an overall security benchmark score. It will also let organizations compare their results to those with similar profiles using built-in machine learning. Attack Simulator, a part of Office 365 Threat Intelligence, lets security teams run simulated attacks — including mock ransomware and phishing campaigns — to event-test their employees’ responses and tune configurations accordingly.

Automated threat detection and remediation to free up security operations teams

  • With the latest Windows 10 update, now in preview, Windows Defender Advanced Threat Protection (ATP) works across other parts of Microsoft 365 to include threat protection and remediation spanning Office 365, Windows and Azure. Also available today in preview, and with the upcoming Windows 10 update, are new automated investigation and remediation capabilities in Windows Defender ATP, leveraging artificial intelligence and machine learning to quickly detect and respond to threats on endpoints, within seconds, at scale.
  • Conditional Access provides real-time risk assessments to help ensure that access to sensitive data is appropriately controlled, without getting in the way of users’ productivity. Microsoft 365 is now adding the device risk level set by Windows Defender ATP to Conditional Access in preview to help ensure that compromised devices can’t access sensitive business data.

Stronger partnerships to give customers more integrated solutions

  • The intelligence data used to quickly detect and respond to threats improves as more relevant signals are added. Machine learning tools are only as good as the data they receive. Microsoft’s security products are informed by the trillions of diverse signals feeding into the Microsoft Intelligent Security Graph. Today, Microsoft announced a preview of a new security API for connecting Microsoft Intelligent Security Graph-enabled products as well as intelligence from solutions built by customers and technology partners to greatly enhance the fidelity of intelligence.

Most security tools report an attack from a single limited perspective, offering insight into one piece of a potentially larger threat. By connecting individual tools to the Intelligent Security Graph, security teams get new perspectives and more meaningful patterns of data to speed up threat investigation and remediation. The new API is in early testing with a select group of cybersecurity industry leaders that are collaborating with Microsoft to shape its development. The group, which includes Anomali, Palo Alto Networks and PwC, joined Microsoft today to share their own early exploration of the API and how it may improve each company’s ability to protect their mutual customers.

  • Microsoft also is announcing a new Microsoft Intelligent Security Association for security technology partners so they can benefit from, and contribute to, the Intelligent Security Graph and Microsoft security products. Members of the association will be able to create more integrated solutions for customers that provide greater protection and detect attacks more quickly. Palo Alto Networks and Anomali join PwC and other existing partners as founding members of the new association.

Microsoft is partnering with customers through their digital transformation by making it easier for them to help keep assets secure from the cloud to the edge.

More information on Microsoft’s security announcements can be found at the Microsoft Security News site.

Microsoft (Nasdaq “MSFT” @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.

For more information, press only:

Microsoft Media Relations, WE Communications, (425) 638-7777

Note to editors: For more information, news and perspectives from Microsoft, please visit the Microsoft News Center at http://news.microsoft.com. Web links, telephone numbers and titles were correct at time of publication, but may have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://news.microsoft.com/microsoft-public-relations-contacts.

 

The post Microsoft announces new intelligent security innovations to help businesses manage threats from cloud to edge appeared first on Stories.

Juniper Junos Space Security Director gets automation boost

SAN FRANCISCO — Juniper Networks has made its security products more responsive to threats, thereby reducing the amount of manual labor required to fend off attacks.

On Tuesday at the Juniper NXTWORK conference, the company introduced “dynamic policy management” in the Junos Space Security Director. The central software console for Juniper network security manages the vendor’s firewalls and enforces security policies on Juniper’s EX and QFX switches.

The latest improvement to Junos Space Security Director lets security pros define variables that will trigger specific rules in Juniper SRX Series next-generation firewalls. For example, if a company is under a ransomware attack that has planted malware in employees’ PCs, then Director could activate rules restricting access to critical applications that handle sensitive data. The rules could also tell firewalls to cut off internet access for those applications.

The new Junos Space Security Director features can lower the response time to security threats from hours to minutes, said Mihir Maniar, vice president of security product management at Juniper, based in Sunnyvale, Calif. “It’s completely dynamic, completely user-intent-driven.”

Vendors trending toward automated security threat response

Automating the response to security threats is a trend among vendors, including Juniper rival Cisco. Companies can configure products to take specific actions against threats, which removes the time security pros would have to spend deploying new firewall rules manually.


“You have to mitigate very quickly and not just inform somebody and hope for the best,” said Dan Conde, an analyst at Enterprise Strategy Group, based in Milford, Mass. “Manual procedures do not work very quickly.”

But the ultimate goal, which eludes vendors today, is to have products that detect and mitigate threats on their own and then continue to monitor the network to ensure the steps taken were successful.

Vendor marketing tends to play down the fact that the level of automation is rudimentary, which has led to confusion over the definition of automation across different products. “Automation means 10 different things to 10 different people,” Conde said.

Juniper network security stronger with new SRX4600 firewall

Juniper has integrated a new firewall with the latest iteration of Junos Space Security Director. The SRX4600 is designed to protect data flowing in multi-cloud environments found in an increasing number of companies. The SRX4600 is a 1RU appliance with a throughput of 80 Gbps.

Juniper also unveiled at NXTWORK an on-premises malware detection appliance that uses analytics and remediation technology built by Cyphort, which Juniper acquired this year. Cyphort has developed security analytics that spot malware based on its abnormal activity in the network.

The new Advanced Threat Prevention Appliance in Juniper’s network security portfolio is designed for companies with “strict data sovereignty requirements,” the company said. The on-premises hardware has been certified by ICSA Labs, an independent division of Verizon that tests and certifies security and health IT products.

Configuration Manager tool regulates server updates to stop attacks

Business workers face a persistent wave of online threats — from malicious hacking techniques to ransomware — and it’s up to the administrator to lock down Microsoft systems and protect the company.

Administrators who apply Microsoft’s security updates in a timely fashion thwart many attacks effectively. IT departments use both System Center Configuration Manager and Windows Server Update Services to roll out patches, but the Configuration Manager tool’s scheduling and deployment options make it the preferred utility for this task. Admins gain control and automation over software updates to all managed systems with the Configuration Manager tool, which also monitors compliance and reporting.

Why we wait to update

An organization bases its security update deployment timeline on several factors, including internal policies, strategies, staff and skill sets. Some businesses roll patches out to production servers as soon as Microsoft makes them available on Patch Tuesday, the second Tuesday each month. Other companies wait a week or even a couple months to do the same, due to stringent testing procedures.

Here’s one example of a deployment timeline:

  • Week 1: Handful of test systems (pilot)
  • Week 2: Larger pool of test systems
  • Week 3: Small pool of production servers
  • Week 4: Larger pool of production servers
  • Week 5: All systems

This scenario leaves many endpoints unpatched and vulnerable to security risks for several weeks. Microsoft has a cumulative update model for all supported Windows OSes; the company packages each month’s patches and supersedes the previous month’s release. In some cases, systems won’t be fully patched — or will remain unpatched — if a business fails to deploy the previous month’s security fixes before Microsoft releases the new updates. To avoid this situation, IT organizations should roll out the current month’s updates before the next Patch Tuesday arrives just a few weeks later.

Automatic deployment rule organizes the patch process

An automatic deployment rule (ADR) in the Configuration Manager tool coordinates the patch rollout process. An ADR provides settings to download updates, package them into software update groups, create deployments of the updates for a collection of devices and roll out the updates when it’s most appropriate.

Find the ADR feature in the Configuration Manager tool under the Software Updates menu within the Software Library module. Figure 1 shows its options.

Figure 1. The automatic deployment rule feature in the Configuration Manager tool builds a deployment package to automate the update procedure.

Settings to configure specific update criteria

The admin sets the ADR options to download and package software updates with the following criteria, which are also shown in Figure 2:

  • released or revised within the last month;
  • only updates that are required by systems evaluated at the last scan;
  • updates that are not superseded; and
  • updates classified as Critical Updates, Security Updates, Feature Packs, Service Packs, Update Rollups or Updates.

Figure 2. The administrator builds the criteria for a software update group in the ADR component.

The property filter — also seen in Figure 2 — packages software updates on a granular scale to best suit the organization’s needs. In the example shown, the admin uses the property filter to only deploy updates released in the last month.

In the evaluation schedule shown in Figure 3, the admin configures an ADR to assess and package software updates at 11 p.m. on the second Tuesday of each month.

Figure 3. The admin builds a schedule to evaluate and package software updates every month at a certain time in the ADR feature of the Configuration Manager tool.

Set a maintenance window to assist users

To patch servers, use maintenance windows, which control the deployment of software updates to clients in a collection at a specific time. This meets the preferences of server owners, who cannot take certain machines down at particular times for a software update and the consequent reboot. In most cases, admins set maintenance windows to run updates overnight to minimize disruption and effects on end users.


Admins can set the deployment schedule in a maintenance window to As soon as possible since the maintenance window controls the actual rollout time. For example, assume the IT staff configured the following maintenance windows for a collection of servers:

  1. Servers-Updates-GroupA: maintenance window from 12 a.m. to 2 a.m.
  2. Servers-Updates-GroupB: maintenance window from 2 a.m. to 4 a.m.
  3. Servers-Updates-GroupC: maintenance window from 4 a.m. to 6 a.m.

If the admin sets these collections to deploy software updates with the As soon as possible flag and no maintenance window, the servers download the Microsoft updates when they become available — which could be right in the middle of a busy workday. With the maintenance windows above in place, the update process instead waits until 12 a.m. for Servers-Updates-GroupA, 2 a.m. for the next group and so on. Without any deployment schedule, collections install the software updates as soon as possible and reboot if necessary based on the client settings in the Configuration Manager tool.

To create a maintenance window for a collection, click on the starburst icon under the Maintenance Windows tab in the collection properties. Figure 4 shows a maintenance window that runs daily from 2 a.m. to 4 a.m.

Figure 4. Configure a maintenance window for a collection with a recurring schedule.
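The ADR criteria above, the second-Tuesday 11 p.m. evaluation schedule and the three staggered server maintenance windows, scripted with the ConfigurationManager PowerShell module as an added example (not from the article or from Microsoft). Assumed: a placeholder site code, a placeholder package share, a parent collection named Servers-Updates-All, and cmdlet parameter names as documented for the module; confirm them against the module version installed with your site.

```powershell
# Added example, not from the article. Site code, share path and the
# Servers-Updates-All parent collection are placeholders/assumptions.
# Cmdlet and parameter names follow the ConfigurationManager module docs;
# verify against your installed module version before running.

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'   # placeholder site code

# 1. Evaluation schedule: 11 p.m. on the second Tuesday of every month
#    (-Start anchors the time of day; -WeekOrder/-DayOfWeek pick the day).
$evalSchedule = New-CMSchedule -Start (Get-Date '2017-01-10 23:00') `
                               -DayOfWeek Tuesday -WeekOrder Second -RecurCount 1

# 2. Automatic deployment rule with the article's four search criteria.
#    Splatting keeps each setting next to its explanation.
$adr = @{
    Name                  = 'Servers - Monthly Security Updates'
    CollectionName        = 'Servers-Updates-All'            # assumed parent collection
    DeploymentPackageName = 'Servers Monthly Updates'
    Location              = '\\FILESERVER\Updates\Servers'   # placeholder UNC share
    RunType               = 'RunTheRuleOnSchedule'
    Schedule              = $evalSchedule
    DateReleasedOrRevised = 'Last1Month'   # released or revised within the last month
    Required              = '>=1'          # required by a system evaluated at its last scan
    Superseded            = $false         # leave superseded updates out
    UpdateClassification  = @('Critical Updates', 'Security Updates', 'Feature Packs',
                              'Service Packs', 'Update Rollups', 'Updates')
    AvailableImmediately  = $true          # "As soon as possible" ...
    DeadlineImmediately   = $true          # ... while the maintenance window gates the install
    AllowSoftwareInstallationOutsideMaintenanceWindow = $false
    EnabledAfterCreate    = $true
}
New-CMSoftwareUpdateAutoDeploymentRule @adr

# 3. Staggered two-hour nightly maintenance windows, one per server collection,
#    so the three groups never patch and reboot at the same time.
$windows = @(
    @{ Collection = 'Servers-Updates-GroupA'; StartHour = 0 }   # 12 a.m. - 2 a.m.
    @{ Collection = 'Servers-Updates-GroupB'; StartHour = 2 }   #  2 a.m. - 4 a.m.
    @{ Collection = 'Servers-Updates-GroupC'; StartHour = 4 }   #  4 a.m. - 6 a.m.
)
foreach ($w in $windows) {
    $mwSchedule = New-CMSchedule -Start (Get-Date).Date.AddHours($w.StartHour) `
                                 -DurationInterval Hours -DurationCount 2 `
                                 -RecurInterval Days -RecurCount 1
    New-CMMaintenanceWindow -CollectionName $w.Collection `
                            -Name "$($w.Collection) nightly patch window" `
                            -Schedule $mwSchedule -ApplyTo SoftwareUpdatesOnly
}
```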

In this situation, admins should configure an ADR to deploy updates with the Available flag at a specific date and time, but not make the installation mandatory until later. Users apply patches and reboot the system at their convenience. Always impress upon users why they should implement the updates quickly.

Microsoft refines features to maximize uptime

Microsoft added more flexibility to coordinate maintenance and control server uptime in version 1606 of the Configuration Manager tool. The server group settings feature the following controls:

  • the percentage of machines that update at the same time;
  • the number of the machines that update at the same time;
  • the maintenance sequence; and
  • PowerShell scripts that run before and after deployments.

[embedded content]

How to use System Center Configuration Manager to plan and execute a patching regimen for applications and OSes.

A server group uses a lock mechanism to ensure only the machines in the collection execute and complete the update before the process moves to the next set of servers. An admin can release the deployment lock manually if a patch gets stuck before it completes. Microsoft provides more information on updates to server groups.

To develop server group settings, select the All devices are part of the same server group option in the collection properties, and then click on Settings, as seen in Figure 5.

Figure 5. Select the All devices are part of the same server group option to configure a collection’s server group settings.

Select the preferred option for the group. In Figure 6, the admin sets the maintenance sequence. Finally, click OK, and the server group is ready.

Figure 6. The administrator uses the server group settings to maintain control over uptime and coordinate the maintenance schedule.

For additional guidance on software update best practices, Microsoft offers pointers for the deployment process.


Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene

In the first six months of 2017, ransomware threats reached new levels of sophistication. The same period also saw the reversal of a six-month downward trend in ransomware encounters. New ransomware code was released at a higher rate with increasing complexity. Two high-profile ransomware incidents brought cybersecurity to the forefront of mainstream conversations as the impact of attacks was felt around the world by organizations and individuals alike.

The recently released Microsoft Security Intelligence Report summarizing movements in different areas of the threat landscape in the first quarter of the year showed the continued global presence of ransomware. The highest encounter rates, defined as the percentage of computers running Microsoft real-time security products that report blocking or detecting ransomware, were registered in the Czech Republic, Korea, and Italy from January to March 2017.

Sustained ransomware campaigns and high-profile attacks continued to highlight the need for advanced comprehensive cybersecurity strategy. In this blog entry, we share our key observations on the ransomware landscape and offer insights on what can be learned from trends and developments so far in 2017.

Ransomware growth rallies

In March of 2017, the volume of ransomware encounters started to pick up again after several months of decline. The growth is driven to a certain extent by sustained activities from established ransomware operations like Cerber, with an onslaught of attacks powered by ransomware-as-a-service.

Figure 1. Total ransomware encounters by month, July 2016-June 2017 (source: Ransomware FAQ page)

In part, this surge is also driven by the emergence of new ransomware families, which are being released into the wild at a faster rate. In the first half of 2017, we discovered 71 new ransomware families, an increase from the 64 new families we found in the same period in 2016.

Some of these new ransomware families stand out because they exhibit new behaviors that make them more complex. For instance, the latest Microsoft Security Intelligence Report shows that in March 2017, two-month old Spora overtook Cerber as the most prevalent ransomware family.

Figure 2. Trends for several commonly encountered ransomware families in 1Q17, by month (source: Microsoft Security Intelligence Report 22)

Spora’s quick rise to the top may be traced to its capability to spread via network drives and removable drives, such as USB sticks. Initial versions targeted Russia and featured a ransom note in the local language. It has since gone global, spreading to other countries with a ransom note in English.

Other notable new ransomware families in 2017 include Jaffrans, Exmas, and Ergop. While these families have not quite achieved the prevalence of Spora, they show signs of persistence and periodic improvements that are observed in older, successful families.

Microsoft protects customers from new and emerging ransomware like Spora using a combination of advanced heuristics, generics, and machine learning, which work together to deliver predictive, real-time protection. In a recent blog post, we demonstrated how we could better protect from never-before-seen ransomware with enhancements to the Windows Defender Antivirus cloud protection service.

The rise of global ransomware outbreaks

WannaCrypt (also known as WannaCry) is one of the most well-known new ransomware families to surface so far this year. It emerged in May carrying an exploit for a patched vulnerability and quickly spread to out-of-date Windows 7 computers in Europe and later the rest of the world (the exploit did not affect Windows 10). In its aftermath, the attack left organizations, high-tech facilities, and other services disrupted.

Only a few weeks after the WannaCrypt outbreak, a new variant of Petya wreaked havoc in June. This Petya variant applied some of the propagation techniques used by WannaCrypt, but incorporated more methods to spread within a network. The outbreak started in Ukraine, where a compromised supply-chain delivered the ransomware through a software update process. The Petya infections swiftly spread to other countries in the course of a few hours. Petya’s impact was not as widespread as the WannaCrypt outbreak; however, as our in-depth analysis of Petya revealed, its upgrades made it so much more complex and caused more damage to organizations affected.

WannaCrypt and Petya defied the trend of more targeted and localized attacks and became the first global malware attacks in quite a while. They generated worldwide mainstream interest. Interestingly, this attention might have added more challenges for attackers. For instance, the Bitcoin wallets used in these attacks were closely monitored by security researchers.

WannaCrypt and Petya showed that ransomware attacks powered by sophisticated exploits on a global scale can be particularly catastrophic. Global attacks emphasize the need to avert ransomware epidemics by enabling responders to detect, respond to, and investigate attacks so infections can be contained and not allowed to swell. Security patches need to be applied as soon as they become available.

Figure 3. Global distribution of ransomware encounters by month, January-June 2017

Increasing sophistication

The trend of global outbreaks is likely a result of more techniques incorporated by ransomware. WannaCrypt, Petya, Spora, and other new ransomware variants sported new capabilities that allowed them to spread faster and wreak more havoc than other malware.

Lateral movement using exploits

Spora’s aforementioned ability to spread via network drives and removable drives made it one of the most widespread ransomware. Though it was not the first ransomware family to integrate a worm-like spreading mechanism, it was able to use this capability to infect more computers.

With worm capabilities, ransomware attacks can have implications beyond endpoint security, introducing challenges to enterprise networks. This was particularly true for WannaCrypt, which spread by exploiting a vulnerability (CVE-2017-0144, dubbed EternalBlue, previously patched in security update MS17-010), affecting networks with out-of-date computers.

Petya expanded on WannaCrypt’s spreading mechanism by exploiting not one, but two vulnerabilities. Apart from CVE-2017-0144, it also exploited CVE-2017-0145 (known as EternalRomance, and fixed in the same security update as EternalBlue), affecting out-of-date systems.

These two attacks highlighted the importance of applying security patches as they become available. They likewise highlight the importance of immediately detecting and stopping malicious behavior related to exploits.

It is important to note that the EternalBlue and EternalRomance exploits did not affect Windows 10, underscoring the benefits of upgrading to the latest, most secure version of platforms and software. Even if the exploits were designed to work on Windows 10, the platform has multiple mitigations against exploits, including zero-days. In addition, Windows Defender Advanced Threat Protection (Windows Defender ATP) detects malicious activities resulting from exploits without the need for signature updates.

Credential theft

One of Petya’s more noteworthy behaviors is its credential-stealing capability, which it carries out either by using a credential dumping tool or by stealing from the Credential Store. This capability poses a significant security challenge for networks with users who sign in with local admin privileges and have active sessions open across multiple machines. In this situation, stolen credentials can provide the same level of access the users have on other machines.

The Petya outbreak is testament to the importance of credential hygiene. Enterprises need to constantly review privileged accounts, which have unhampered network access and access to corporate secrets and other critical data. Credential Guard uses virtualization-based security to protect derived domain credentials and stop attempts to compromise privileged accounts.

Network scanning

Armed with exploits or stolen credentials, ransomware can spread across networks through network scanning. For example, Petya scanned affected networks to establish valid connections to other computers. It then attempted to transfer copies of the malware using stolen credentials. Petya also scanned for network shares in an attempt to spread through those shares.

WannaCrypt, on the other hand, ran massive scanning of IP addresses to look for computers that are vulnerable to the EternalBlue exploit. This gave it the ability to spread to out-of-date computers outside the network. Network defenders can uncover and stop unauthorized network scanning behaviors.
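A defender-side check for the scanning behavior described above, written as an added example (not from the post or from Microsoft): it parses Windows Firewall log lines in the pfirewall.log field order and flags any source that reaches many distinct hosts on TCP 445 within one minute. The log lines and the ten-peer threshold are constructed assumptions.

```powershell
# Added example, not from the blog post. Flags hosts whose outbound TCP 445
# (SMB) connection attempts fan out to many distinct peers within a short
# window, the footprint left by WannaCrypt- and Petya-style network scanning.
# Input follows the Windows Firewall pfirewall.log W3C field order:
#   date time action protocol src-ip dst-ip src-port dst-port ...
# The log lines below are constructed for this demo; the threshold of ten
# peers per minute is an assumption to tune per environment.

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $DistinctPeerThreshold = 10,
        [int] $WindowSeconds = 60
    )
    $culture = [cultureinfo]::InvariantCulture
    # Keep only TCP attempts toward port 445; skip header and comment lines.
    $attempts = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($bySource in $attempts | Group-Object -Property Src) {
        $ordered = @($bySource.Group | Sort-Object Time)
        # Slide a window over this source's attempts; report the first burst
        # that reaches the threshold of distinct destination hosts.
        for ($i = 0; $i -lt $ordered.Count; $i++) {
            $end   = $ordered[$i].Time.AddSeconds($WindowSeconds)
            $peers = @($ordered[$i..($ordered.Count - 1)] |
                       Where-Object { $_.Time -le $end } |
                       Select-Object -ExpandProperty Dst -Unique)
            if ($peers.Count -ge $DistinctPeerThreshold) {
                [pscustomobject]@{
                    Source        = $bySource.Name
                    WindowStart   = $ordered[$i].Time
                    DistinctPeers = $peers.Count
                }
                break
            }
        }
    }
}

# Constructed sample: 10.0.5.17 probes twelve neighbours on 445 inside
# fifteen seconds (scanner); 10.0.5.30 talks to one file server (normal).
$scanner = 1..12 | ForEach-Object {
    '2017-06-27 10:15:{0:D2} ALLOW TCP 10.0.5.17 10.0.5.{1} 49{2:D3} 445 0 S 0 0 0 - - - SEND' -f $_, (20 + $_), $_
}
$normal = @(
    '2017-06-27 10:15:03 ALLOW TCP 10.0.5.30 10.0.5.200 50112 445 0 S 0 0 0 - - - SEND'
    '2017-06-27 10:16:41 ALLOW TCP 10.0.5.30 10.0.5.200 50140 445 0 S 0 0 0 - - - SEND'
    '2017-06-27 10:16:42 ALLOW TCP 10.0.5.30 10.0.5.201 50141 80 0 S 0 0 0 - - - SEND'
)
Find-SmbFanOut -Lines ($scanner + $normal) | Format-Table -AutoSize
```

Only the scanning host is reported; the file-server client never exceeds one distinct SMB peer per window.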

Destructive behavior

In most ransomware cases, the attacker motivation is clear: victims need to pay the ransom or never gain back access to encrypted files. While there is no guarantee that files are decrypted after payment is made, most ransomware infections make their intention clear through a ransom note. In August, WannaCrypt actors wrapped up their campaign by withdrawing ransom paid in Bitcoins from online wallets.

Petya behaved like other ransomware in this aspect. Attackers emptied the Petya online wallets earlier in July. However, Petya had far more destructive routines: it overwrote or damaged the Master Boot Record (MBR) and Volume Boot Record (VBR), rendering affected computers unusable. This started a conversation about whether this Petya variant was primarily a ransomware like WannaCrypt or a destructive cyberattack like Depriz (also known as Shamoon).

Figure 4. Petya incorporated complex behaviors not typical of ransomware

The debate is not settled, but the Petya attack does raise an important point—attackers can easily incorporate other payloads into ransomware code to facilitate targeted attacks and other types of destructive cyberattacks. As the threat of ransomware escalates, enterprises and individuals alike need a sound cybersecurity strategy and a protection suite that will defend against the end-to-end ransomware infection process.

Integrated end-to-end security suite against ransomware

With high-profile global outbreaks and other notable trends, the first six months of 2017 can be considered one of the more turbulent periods in the history of ransomware. The observations we summarized in this blog highlight the potency of the ransomware threat. Unfortunately, given the trends, we may see similarly sophisticated or even more complex attacks in the foreseeable future. More importantly, however, we should learn from these attacks and developments, because they highlight the areas of cybersecurity that need to be improved and reevaluated.

At Microsoft, we’re always hard at work to continuously harden Windows 10 against ransomware and other attacks. In the upcoming Windows 10 Fall Creators Update, we will integrate Microsoft security solutions into a powerful single pane of glass—centralized management that will allow customers to consume, manage, and integrate security for devices in the network. Windows Defender ATP will be expanded to include seamless integration across the entire Windows protection stack. The suite of tools will include the new Windows Defender Exploit Guard and Windows Defender Application Guard, as well as the enhanced Windows Defender Device Guard and Windows Defender AV.

Today, Windows 10 Creators Update has next-gen technologies that protect against ransomware attacks.

Figure 5. Windows 10 end-to-end protection stack (source: Next-gen ransomware protection with Windows 10 Creators Update)

Windows 10 has multiple exploit mitigations, including Control Flow Guard for the kernel (kCFG), kernel mode code integrity (KMCI), better kernel address space layout randomization (KASLR), NX HAL, and PAGE POOL (non-executable kernel regions). These mitigations help make Windows 10 resilient to exploit attacks, such as those used by WannaCrypt and Petya.

Intelligent Security Graph and machine learning

Security built into Windows 10 is powered by the Microsoft Intelligent Security Graph, which correlates signals from billions of sensors. Unique insights from this vast security intelligence enable Microsoft to deliver real-time protection through Windows Defender AV, Windows Defender ATP, and other next-gen security technologies.

The increasing magnitude and complexity of ransomware require advanced real-time protection. Windows Defender AV uses precise machine learning models as well as generic and heuristic techniques, improved detection of script-based ransomware, and enhanced behavior analysis to detect common and complex ransomware code. Using the cloud protection service, Windows Defender AV provides real-time protection. In recent enhancements, the cloud protection service can make a swift assessment of new and unknown files, allowing Windows Defender AV to block new malware the first time it is seen.

Windows Defender Advanced Threat Protection empowers SecOps personnel to stop ransomware outbreaks in the network. Both WannaCrypt and Petya showed how critical it is to detect, investigate, and respond to ransomware attacks and prevent the spread. Windows Defender ATP’s enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware infection process. The new process tree visualization and improvements in machine isolation further help security operations to investigate and respond to ransomware attacks.

Online safety with Microsoft Edge and Office 365 Advanced Threat Protection

Microsoft Edge can help block ransomware infections from the web by opening pages within app container boxes. It uses reputation-based blocking of downloads. Its click-to-run feature for Flash can stop ransomware infections that begin with exploit kits.

To defend against ransomware attacks that begin with email, Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection. Outlook.com anti-spam filters also provide protection against malicious emails.

Virtualization-based security and application control

Credential Guard can protect domain credentials from attacks like Petya, which attempted to steal credentials for use in lateral movement. Credential Guard uses virtualization-based security to protect against credential dumping.

Enterprises can implement virtualization-based lockdown security, which can block all types of unauthorized content. Windows Defender Device Guard combines virtualization-based security and application control to allow only authorized apps to run. Petya, whose first infections were traced back to a compromised software update process, was blocked on devices with Device Guard enabled.

Microsoft-vetted security with Windows 10 S and more security features in Windows 10 Fall Creators Update

Devices can achieve a similar lockdown security with Windows 10 S, which streamlines security and performance by working exclusively with apps from the Windows Store, ensuring that only apps that went through the Store onboarding, vetting, and signing process are allowed to run.

All of these security features make Windows 10 our most secure platform. Next-gen security technologies in Windows 10 provide next-gen protection against ransomware.

Figure 6. Windows 10 next-gen security

But the work to further harden Windows 10 against ransomware and other threats continues. Expect more security features and capabilities in the upcoming Windows 10 Fall Creators Update.

Tanmay Ganacharya (@tanmayg)

Principal Group Manager, Windows Defender Research



Cloud App Security new auto-remediation feature

Immediate session log off for suspicious users

Real-time remediation for security threats is a key challenge for companies, where attackers can move quickly to access critical data. The Cloud App Security team is excited to introduce a new threat protection feature built on integration with Azure Active Directory: when a suspicious activity is identified in the Cloud App Security portal, you can now initiate an auto-remediation action that logs off the affected users and requires them to sign in again to Office 365 as well as all apps accessed through Azure Active Directory.

Let’s explore two key reaction capabilities of this feature:

Respond to anomalous behavior

External sharing of sensitive files, download of sensitive files from unrecognized locations, or any activity that’s considered abnormal can trigger alerts in Cloud App Security portal. These alerts provide immediate notification of potential security incidents and assist admins with proactive investigation.

In the event of suspicious user behavior, the new auto-remediation feature allows the security admin to take immediate action, triggering a revocation of all user sessions and requiring the user to sign in again to all apps.

React to account takeover

When an attacker gains unauthorized access to an account, a common industry practice is to disable the account. But this is not enough! If the account is actively being used to exfiltrate data, gain elevated privileges in the organization, or any other method that keeps the attacker’s session active, they can still use the compromised account.

The new Cloud App Security capability allows an admin to revoke the compromised account’s sessions and fully mitigate the attack. Cloud App Security invalidates all the user’s refresh tokens issued to cloud apps.

How to implement this feature

Requiring the user to sign in again can be set during the policy creation phase, or initiated directly from an alert as part of the resolution options for a user. Initiating governance actions directly from the policy allows for automatic remediation. In this case, the admin needs only to select this option and it will be enforced.

Policy setting: require user to sign in again

Alternatively, an admin can select to require another sign in as part of the reactive investigation of an alert as seen below. In either case, to ensure secure productivity, the user is protected and can continue working with minimal interruption.

Require user to sign in again during investigation of a specific alert

Better together

Our goal is to provide a holistic and innovative security approach with Enterprise Mobility + Security. Together, Cloud App Security and Azure Active Directory offer unique value that helps you gain better control over your cloud by identifying suspicious activities which may be indicative of a breach and then responding immediately.

Learn more and give us feedback

We know how important visibility, control and threat protection are for you, especially when it comes to cloud apps. Our goal is to continuously innovate to provide a top-notch user experience, visibility, data control and threat protection for your cloud apps. If you would like to learn more about our solution, please visit our technical documentation page.

We’d also love to hear your feedback. If you have any questions, comments or feedback, please leave a comment or visit our Microsoft Cloud App Security Tech Community page.