Tag Archives: reports

Rapid7 MDR Delivered 549% ROI via Headcount Avoidance, Time Savings, and Breach Risk Reduction

Post Syndicated from Jake Godgart original https://blog.rapid7.com/2022/06/23/rapid7-mdr-delivered-549-roi-via-headcount-avoidance-time-savings-and-breach-risk-reduction/

Rapid7 MDR Delivered 549% ROI via Headcount Avoidance, Time Savings, and Breach Risk Reduction

In-house security organizations these days are operating at an extreme deficit. Skeleton crews are running entire security operations centers (SOCs). A constant barrage of alerts is making it difficult for these teams to detect and investigate every alert and stay ahead of today’s evolving threats. The odds are heavily in favor of the attacker.

But there is hope. Managed security service providers (MSSPs) – and more specifically, managed detection and response (MDR) providers – enable access to specialized detection and response expertise and headcount, bypassing the talent- and skill-gap challenges that plague the industry.

MDR offers a way for internal security teams to extend their capabilities in threat detection, alert triage, malware analysis, incident investigation, and response capabilities quickly and at scale. For under-resourced teams, MDR is a turnkey solution for a fully operational SOC at a fraction of the cost to build one out internally. How much, exactly?

A June 2022 Total Economic Impact™ study by Forrester Consulting commissioned by Rapid7 found that Rapid7’s “secret sauce” – a blend of extended detection and response (XDR) technology, improved visibility, and SOC expertise – enabled a composite Rapid7 MDR customer to capture an estimated 549% return on their investment (ROI) over three years and to see a payback for that investment in less than 3 months! That’s almost a 5.5x ROI!

The analysis was conducted using a hypothetical composite organization created for the purposes of the study, using insights gleaned from four real-life MDR customers. This composite reflects a security team profile we see often: a small team of two security professionals tasked with protecting 1,800 employees and 2,100 assets. A tall order, and one that (unfortunately) represents the state of security operations today.

The study concluded that Rapid7 MDR services experts integrate with an existing security organization to quickly cut down on detection and response times. Subsequently, the interviewed customers saw substantial returns from working alongside the MDR team as a trusted partner to mature their program.

Here are four key takeaways from the Forrester Consulting study.

Rapid7 MDR offered improved visibility through XDR technology

Detection can only be as good as the visibility the technology provides and what’s being monitored. In the words of an interviewed director of information security for a financial services company, “I didn’t have full visibility into the security activity of all devices across my enterprise. It was a ‘fingers-crossed’ [hope] that there isn’t something going on within my network.”

Luckily, MDR as a partner can ensure complete monitoring and visibility across the entire environment – comprehensive coverage to detect across all endpoints, user accounts, network traffic, deception technologies, the cloud, and more – offering a winning strategy.

In the study, Forrester found that Rapid7 MDR utilizes XDR capabilities to help customers see beyond the confines of a traditional security information and event management (SIEM) and endpoint detection and response (EDR) tools, with coverage across the entire modern environment.

Combined with the latest threat intelligence and machine learning to continuously analyze attacker activity, the MDR provider can help you anticipate that threat and form a more proactive response. That’s a winning strategy.

Rapid7 MDR saved time for security teams

Alerts can fire constantly. Each of them needs triaging and investigation. Every confirmed incident then needs a response plan, remediation, mitigation actions, and a post-incident report. The challenge is, all of this takes time.

With MDR, those alerts are handled without spending countless cycles from the customer’s internal teams. Investigation, response, and reporting are, too. This frees up the security team to focus on other aspects of their program.

Going from understaffed to capably staffed can be an incredible time saver. As a director of information security in financial services said to Forrester, “If we didn’t acquire MDR, I would have had to do a lot more manual work and it would have kept me from other tasks.”

The Forrester study concluded that Rapid7 MDR – by providing improved focus and outsourcing of detection and response activities – reduced the amount of time spent by:

  • 87.5% on alert investigation
  • 97.5% on response, remediation, and recovery
  • 83.3% on research and reporting

Rapid7 MDR helped avoid the hefty costs of hiring security talent

The Gartner® 2021 SOC Model Guide report suggests that “by 2025, 33% of organizations that currently have internal security functions will attempt and fail to build an effective internal SOC due to resource constraints, such as lack of budget, expertise, and staffing.” This is partially because of the difficulty to hire and retain top detection and response talent.

Hiring a full SOC team is incredibly expensive. For example, the Gartner SOC Model Guide suggested an industry benchmark closer to “at least 10-12 personnel for 24/7 coverage,” with the Forrester TEI study placing one full-time employee (FTE) at $135,000 annually.

Because of this, many teams are turning to MDR to implement a hybrid-SOC model that integrates an MDR SOC alongside an internal SOC team. Gartner suggests, “By 2025, 90% of SOCs in the G2000 will use a hybrid model by outsourcing at least 50% of the operational workload.” This approach has certainly become the most optimal and economic option.

Partnering with an MDR provider is certainly one way to avoid prohibitive time and hiring costs. According to the Forrester Consulting study, Rapid7 was able to save the composite organization $1.5 million over the course of three years by avoiding the need to hire five full-time security analysts in order to achieve 24×7 coverage (in year 1). And those numbers might be low compared to other industry SOC FTE benchmarks.

Rapid7 MDR greatly reduced the risk of a security breach

There will always be new zero-days, new TTPs, and emerging threats that make it impossible to prevent (and stop) every breach. The Forrester Consulting Cost Of A Cybersecurity Breach Survey from 2020 Q4 estimated that an organization will have an average of 2.5 significant security breaches each year with an average cost of $654,846 per breach.

That’s where partnering with an MDR provider can help reduce that number. In fact, the Forrester study notes that Rapid7 MDR reduced the likelihood of a major security breach by 90% for the composite organization!

At Rapid7, some of our MDR capabilities that help prevent breaches from occurring are:

  • XDR technology to see complete visibility across your attack surface (with an ability for customers to have full access to InsightIDR for log search, data storage, reporting, and more)
  • 24x7x365 monitoring of the environment from a global, follow-the-sun SOC team of detection and response experts
  • Proactive, hypothesis-driven threat hunts from human MDR analysts
  • Active Response to contain assets and users instantly when there’s a validated incident

What about the 10% of incidents that get through? We at Rapid7 offer an industry-first, unlimited Incident/Breach Response baked into our MDR service, leveraging our integrated Digital Forensics and Incident Response (DFIR) team to ensure we’re able to assist customers with any security incident, no matter how minor or major.

All of this is why a director of information security in financial services who was interviewed for the Forrester study said, “I’d say we’re 100% more prepared to handle a security incident with Rapid7 MDR.”

MDROI

Ultimately, the goal of the security department is to invest in technology and services that help protect the organization. But when that investment is able to positively impact the company’s bottom line, it’s a win-win.

It’s not just about alleviating some of the stress on the security team. It’s also about having access to that MDR provider’s technology, their library of advanced detection methodologies and resources, and the collaboration that can lead to strengthening your security posture.

You can read the entire Forrester TEI study to get the full breakdown on Rapid7 MDR alongside the numbers and stories from customers.

But what the study does not quantify is our commitment to partnering with our customers to improve their security maturity, providing expertise that drives returns for your detection and response program where and when you need it.

Considering MDR but don’t know where to start? We put together an MDR Buyer’s Guide that includes the questions to ask and what to look for to help the decision-making process.

Forrester Consulting Study, “The Total Economic Impact™ Of Rapid7 Managed Detection And Response (MDR)” commissioned by Rapid7.

The Gartner® 2021 SOC Model Guide, 19 October 2021, John Collins, Mitchell Schneider, Pete Shoard

Gartner® is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

New Report Shows What Data Is Most at Risk to (and Prized by) Ransomware Attackers

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/06/16/new-report-shows-what-data-is-most-at-risk-to-and-prized-by-ransomware-attackers/

New Report Shows What Data Is Most at Risk to (and Prized by) Ransomware Attackers

Ransomware is one of the most pressing and diabolical threats faced by cybersecurity teams today. Gaining access to a network and holding that data for ransom has caused billions in losses across nearly every industry and around the world. It has stopped critical infrastructure like healthcare services in its tracks, putting the lives and livelihoods of many at risk.

In recent years, threat actors have upped the ante by using “double extortion” as a way to inflict maximum pain on an organization. Through this method, not only are threat actors holding data hostage for money – they also threaten to release that data (either publicly or for sale on dark web outlets) to extract even more money from companies.

At Rapid7, we often say that when it comes to ransomware, we may all be targets, but we don’t all have to be victims. We have means and tools to mitigate the impact of ransomware — and one of the most important assets we have on our side is data about ransomware attackers themselves.

Reports about trends in ransomware are pretty common these days. But what isn’t common is information about what kinds of data threat actors prefer to collect and release.

A new report from Rapid7’s Paul Prudhomme uses proprietary data collection tools to analyze the disclosure layer of double-extortion ransomware attacks. He identified the types of data attackers initially disclose to coerce victims into paying ransom, determining trends across industry, and released it in a first-of-its-kind analysis.

“Pain Points: Ransomware Data Disclosure Trends” reveals a story of how ransomware attackers think, what they value, and how they approach applying the most pressure on victims to get them to pay.

The report looks at all ransomware data disclosure incidents reported to customers through our Threat Command threat intelligence platform (TIP). It also incorporates threat intelligence coverage and Rapid7’s institutional knowledge of ransomware threat actors.

From this, we were able to determine:

  • The most common types of data attackers disclosed in some of the most highly affected industries, and how they differ
  • How leaked data differs by threat actor group and target industry
  • The current state of the ransomware market share among threat actors, and how that has changed over time

Finance, pharma, and healthcare

Overall, trends in ransomware data disclosures pertaining to double extortion varied slightly, except in a few key verticals: pharmaceuticals, financial services, and healthcare. In general, financial data was leaked most often (63%), followed by customer/patient data (48%).

However, in the financial services sector, customer data was leaked most of all, rather than financial data from the firms themselves. Some 82% of disclosures linked to the financial services sector were of customer data. Internal company financial data, which was the most exposed data in the overall sample, made up just 50% of data disclosures in the financial services sector. Employees’ personally identifiable information (PII) and HR data were more prevalent, at 59%.

In the healthcare and pharmaceutical sectors, internal financial data was leaked some 71% of the time, more than any other industry — even the financial services sector itself. Customer/patient data also appeared with high frequency, having been released in 58% of disclosures from the combined sectors.

One thing that stood out about the pharmaceutical industry was the prevalence of threat actors to release intellectual property (IP) files. In the overall sample, just 12% of disclosures included IP files, but in the pharma industry, 43% of all disclosures included IP. This is likely due to the high value placed on research and development within this industry.

The state of ransomware actors

One of the more interesting results of the analysis was a clearer understanding of the state of ransomware threat actors. It’s always critical to know your enemy, and with this analysis, we can pinpoint the evolution of ransomware groups, what data the individual groups value for initial disclosures, and their prevalence in the “market.”

For instance, between April and December 2020, the now-defunct Maze Ransomware group was responsible for 30%. This “market share” was only slightly lower than that of the next two most prevalent groups combined (REvil/Sodinokibi at 19% and Conti at 14%). However, the demise of Maze in November of 2020 saw many smaller actors stepping in to take its place. Conti and REvil/Sodinokibi swapped places respectively (19% and 15%), barely making up for the shortfall left by Maze. The top five groups in 2021 made up just 56% of all attacks with a variety of smaller, lesser-known groups being responsible for the rest.

Recommendations for security operations

While there is no silver bullet to the ransomware problem, there are silver linings in the form of best practices that can help to protect against ransomware threat actors and minimize the damage, should they strike. This report offers several that are aimed around double extortion, including:

  • Going beyond backing up data and including strong encryption and network segmentation
  • Prioritizing certain types of data for extra protection, particularly for those in fields where threat actors seek out that data in particular to put the hammer to those organizations the hardest
  • Understanding that certain industries are going to be targets of certain types of leaks and ensuring that customers, partners, and employees understand the heightened risk of disclosures of those types of data and to be prepared for them

To get more insights and view some (well redacted) real-world examples of data breaches, check out the full paper.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Complimentary GartnerⓇ Report “How to Respond to the 2022 Cyberthreat Landscape”: Ransomware Edition

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2022/06/15/complimentary-gartner-report-how-to-respond-to-the-2022-cyberthreat-landscape-ransomware-edition/

Complimentary GartnerⓇ Report

First things first — if you’re a member of a cybersecurity team bouncing from one stressful identify vulnerability, patch, repeat cycle to another, claim your copy of the GartnerⓇ report “How to Respond to the 2022 Cyberthreat Landscape” right now. It will help you understand the current landscape and better plan for what’s happening now and in the near term.

Ransomware is on the tip of every security professional’s tongue right now, and for good reason. It’s growing, spreading, and evolving faster than many organizations can keep up with. But just because we may all be targets doesn’t mean we have to be victims.

The analysts at Gartner have taken a good, long look at the latest trends in security, with a particular eye toward ransomware, and they had this to say about attacker trends in their report.

Expect attackers to:

  • “Diversify their targets by pursuing lower-profile targets more frequently, using smaller attacks to avoid attention from well-funded nation states.”
  • “Attack critical CPS, particularly when motivated by geopolitical tensions and aligned ransomware actors.”
  • “Optimize ransomware delivery by using ‘known good’ cloud applications, such as enterprise productivity software as a service (SaaS) suites, and using encryption to hide their activities.”
  • “Target individual employees, particularly those working remotely using potentially vulnerable remote access services like Remote Desktop Protocol (RDP) services, or simply bribe employees for access to organizations with a view to launching larger ransomware campaigns.”
  • “Exfiltrate data as part of attempts to blackmail companies into paying ransom or risk data breach disclosure, which may result in regulatory fines and limits the benefits of the traditional mitigation method of ‘just restore quickly.'”
  • “Combine ransomware with other techniques, such as distributed denial of service (DDoS) attacks, to force public-facing services offline until organizations pay a ransom.”

Ransomware is most definitely considered a “top threat,” and it has moved beyond just an IT problem but one that involves governments around the globe. Attackers recognize that the game got a lot bigger with well-funded nations joining the fray to combat it, so their tactics will be targeted, small, diverse, and more frequent to avoid poking the bear(s). Expect to see smaller organizations targeted more often and as part of ransomware-as-a-service campaigns.

Gartner also says that attackers will use RaaS to attack critical infrastructure like CPS more frequently:

“Attackers will aim at smaller targets and deliver ‘ransomware as a service’ to other groups. This will enable more targeted and sophisticated attacks, as the group targeting an organization will have access to ransomware developed by a specialist group. Attackers will also target critical assets, such as CPS.”

Mitigating ransomware

But there are things we can do to mitigate ransomware attacks and push back against the attackers. Gartner suggests several key recommendations, including:

  • “Construct a pre-incident strategy that includes backup (including a restore test), asset management, and restriction of user privileges.”
  • “Build post-incident response procedures by training staff and scheduling regular drills.”
  • “Expand the scope of ransomware protection programs to CPS.”
  • “Increase cross-team training for the nontechnical aspects of a ransomware incident.
  • “Remember that payment of a ransom does not guarantee erasure of exfiltrated data, full recovery of encrypted data, or immediate restoration of operations.”
  • “Don’t rely on cyber insurance only. There is frequently a disconnect between what executive leaders expect a cybersecurity insurance policy to cover and what it actually does cover.”

At Rapid7, we have the risk management, detection and response, and threat intelligence tools your organization needs to not only keep up with the evolution in ransomware threat actors, but to implement best practices of the industry.

If you want to learn more about what cybersecurity threats are out there now and on the horizon, check out the complimentary Gartner report.

Gartner, How to Respond to the 2022 Cyberthreat Landscape, 1 April 2022, by Jeremy D’Hoinne, John Watts, Katell Thielemann

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Additional reading:

ICE Is a Domestic Surveillance Agency

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/05/ice-is-a-domestic-surveillance-agency.html

Georgetown has a new report on the highly secretive bulk surveillance activities of ICE in the US:

When you think about government surveillance in the United States, you likely think of the National Security Agency or the FBI. You might even think of a powerful police agency, such as the New York Police Department. But unless you or someone you love has been targeted for deportation, you probably don’t immediately think of Immigration and Customs Enforcement (ICE).

This report argues that you should. Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive review of ICE’s contracting and procurement records, reveals that ICE now operates as a domestic surveillance agency. Since its founding in 2003, ICE has not only been building its own capacity to use surveillance to carry out deportations but has also played a key role in the federal government’s larger push to amass as much information as possible about all of our lives. By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time. In its efforts to arrest and deport, ICE has — without any judicial, legislative or public oversight — reached into datasets containing personal information about the vast majority of people living in the U.S., whose records can end up in the hands of immigration enforcement simply because they apply for driver’s licenses; drive on the roads; or sign up with their local utilities to get access to heat, water and electricity.

ICE has built its dragnet surveillance system by crossing legal and ethical lines, leveraging the trust that people place in state agencies and essential service providers, and exploiting the vulnerability of people who volunteer their information to reunite with their families. Despite the incredible scope and evident civil rights implications of ICE’s surveillance practices, the agency has managed to shroud those practices in near-total secrecy, evading enforcement of even the handful of laws and policies that could be invoked to impose limitations. Federal and state lawmakers, for the most part, have yet to confront this reality.

EDITED TO ADD (5/13): A news article.

What’s Changed for Cybersecurity in Banking and Finance: New Study

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/05/10/whats-changed-for-cybersecurity-in-banking-and-finance-new-study/

What's Changed for Cybersecurity in Banking and Finance: New Study

Cybersecurity in financial services is a complex picture. Not only has a range of new tech hit the industry in the last 5 years, but compliance requirements introduce another layer of difficulty to the lives of infosec teams in this sector. To add to this picture, the overall cybersecurity landscape has rapidly transformed, with ransomware attacks picking up speed and high-profile vulnerabilities hitting the headlines at an alarming pace.

VMware recently released the 5th annual installment of their Modern Bank Heists report, and the results show a changing landscape for cybersecurity in banking and finance. Here’s a closer look at what CISOs and security leaders in finance said about the security challenges they’re facing — and what they’re doing to solve them.

Destructive threats and ransomware attacks on banks are increasing

The stakes for cybersecurity are higher than ever at financial institutions, as threat actors are increasingly using more vicious tactics. Banks have seen an uptick in destructive cyberattacks — those that delete data, damage hard drives, disrupt network connections, or otherwise leave a trail of digital wreckage in their wake.

63% of financial institutions surveyed in the VMware report said they’ve seen an increase in these destructive attacks targeting their organization — that’s 17% more than said the same in last year’s version of the report.

At the same time, finance hasn’t been spared from the rise in ransomware attacks, which have also become increasingly disruptive. Nearly 3 out of 4 respondents to the survey said they’d been hit by at least one ransomware attack. What’s more, 63% of those ended up paying the ransom.

Supply chain security: No fun in the sun

Like ransomware, island hopping is also on the rise — and while that might sound like something to do on a beach vacation, that’s likely the last thing the phrase brings to mind for security pros at today’s financial institutions.

IT Pro describes island hopping attacks as “the process of undermining a company’s cyber defenses by going after its vulnerable partner network, rather than launching a direct attack.” The source points to the high-profile data breach that rocked big-box retailer Target in 2017. Hackers found an entry point to the company’s data not through its own servers, but those of Fazio Mechanical Services, a third-party vendor.

In the years since the Target breach, supply chain cybersecurity has become an even greater area of focus for security pros across industries, thanks to incidents like the SolarWinds breach and large-scale vulnerabilities like Log4Shell that reveal just how many interdependencies are out there. Now, threats in the software supply chain are becoming more apparent by the day.

VMware’s study found that 60% of security leaders in finance have seen an increase in island hopping attacks — 58% more than said the same last year. The uptick in threats originating from partners’ systems is clearly keeping security officers up at night: 87% said they’re concerned about the security posture of the service providers they rely on.

The proliferation of mobile and web applications associated with the rise of financial technology (fintech) may be exacerbating the problem. VMware notes API attacks are one of the primary methods of island hopping — and they found a whopping 94% of financial-industry security leaders have experienced an API attack through a fintech application, while 58% said they’ve seen an increase in application security incidents overall.

How financial institutions are improving cybersecurity

With attacks growing more dangerous and more frequent, security leaders in finance are doubling down on their efforts to protect their organizations. The majority of companies surveyed in VMware’s study said they planned a 20% to 30% boost to their cybersecurity budget in 2022. But what types of solutions are they investing in with that added cash?

The number 1 security investment for CISOs this year is extended detection and response (XDR), with 24% listing this as their top priority. Closely following were workload security at 22%, mobile security at 21%, threat intelligence at 15%, and managed detection and response (MDR) at 11%. In addition, 51% said they’re investing in threat hunting to help them stay ahead of the attackers.

Today’s threat landscape has grown difficult to navigate — especially when financial institutions are competing for candidates in a tight cybersecurity talent market. In the meantime, the financial industry has only grown more competitive, and the pace of innovation is at an all-time high. Having powerful, flexible tools that can streamline and automate security processes is essential to keep up with change. For banks and finance organizations to attain the level of visibility they need to innovate while keeping their systems protected, these tools are crucial.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Microsoft Issues Report of Russian Cyberattacks against Ukraine

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/04/microsoft-issues-report-of-russian-cyberattacks-against-ukraine.html

Microsoft has a comprehensive report on the dozens of cyberattacks — and even more espionage operations — Russia has conducted against Ukraine as part of this war:

At least six Russian Advanced Persistent Threat (APT) actors and other unattributed threats, have conducted destructive attacks, espionage operations, or both, while Russian military forces attack the country by land, air, and sea. It is unclear whether computer network operators and physical forces are just independently pursuing a common set of priorities or actively coordinating. However, collectively, the cyber and kinetic actions work to disrupt or degrade Ukrainian government and military functions and undermine the public’s trust in those same institutions.

[…]

Threat groups with known or suspected ties to the GRU have continuously developed and used destructive wiper malware or similarly destructive tools on targeted Ukrainian networks at a pace of two to three incidents a week since the eve of invasion. From February 23 to April 8, we saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine.

NASA’s Insider Threat Program

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/03/nasas-insider-threat-program.html

The Office of Inspector General has audited NASA’s insider threat program:

While NASA has a fully operational insider threat program for its classified systems, the vast majority of the Agency’s information technology (IT) systems — including many containing high-value assets or critical infrastructure — are unclassified and are therefore not covered by its current insider threat program. Consequently, the Agency may be facing a higher-than-necessary risk to its unclassified systems and data. While NASA’s exclusion of unclassified systems from its insider threat program is common among federal agencies, adding those systems to a multi-faceted security program could provide an additional level of maturity to the program and better protect agency resources. According to Agency officials, expanding the insider threat program to unclassified systems would benefit the Agency’s cybersecurity posture if incremental improvements, such as focusing on IT systems and people at the most risk, were implemented. However, on-going concerns including staffing challenges, technology resource limitations, and lack of funding to support such an expansion would need to be addressed prior to enhancing the existing program.

Further amplifying the complexities of insider threats are the cross-discipline challenges surrounding cybersecurity expertise. At NASA, responsibilities for unclassified systems are largely shared between the Office of Protective Services and the Office of the Chief Information Officer. In addition, Agency contracts are managed by the Office of Procurement while grants and cooperative agreements are managed by the Office of the Chief Financial Officer. Nonetheless, in our view, mitigating the risk of an insider threat is a team sport in which a comprehensive insider threat risk assessment would allow the Agency to gather key information on weak spots or gaps in administrative processes and cybersecurity. At a time when there is growing concern about the continuing threats of foreign influence, taking the proactive step to conduct a risk assessment to evaluate NASA’s unclassified systems ensures that gaps cannot be exploited in ways that undermine the Agency’s ability to carry out its mission.

Friday Squid Blogging: The Costs of Unregulated Squid Fishing

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/03/friday-squid-blogging-the-costs-of-unregulated-squid-fishing.html

Greenpeace has published a report, “Squids in the Spotlight,” on the extent and externalities of global squid fishing.

News article.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

On the Irish Health Services Executive Hack

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/02/on-the-irish-health-services-executive-hack.html

A detailed report of the 2021 ransomware attack against Ireland’s Health Services Executive lists some really bad security practices:

The report notes that:

  • The HSE did not have a Chief Information Security Officer (CISO) or a “single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction.
  • It had no documented cyber incident response runbooks or IT recovery plans (apart from documented AD recovery plans) for recovering from a wide-scale ransomware event.
  • Under-resourced Information Security Managers were not performing their business as usual role (including a NIST-based cybersecurity review of systems) but were working on evaluating security controls for the COVID-19 vaccination system. Antivirus software triggered numerous alerts after detecting Cobalt Strike activity but these were not escalated. (The antivirus server was later encrypted in the attack).
  • There was no security monitoring capability that was able to effectively detect, investigate and respond to security alerts across HSE’s IT environment or the wider National Healthcare Network (NHN).
  • There was a lack of effective patching (updates, bug fixes etc.) across the IT estate and reliance was placed on a single antivirus product that was not monitored or effectively maintained with updates across the estate. (The initial workstation attacked had not had antivirus signatures updated for over a year.)
  • Over 30,000 machines were running Windows 7 (out of support since January 2020).
  • The initial breach came after a HSE staff member interacted with a malicious Microsoft Office Excel file attached to a phishing email; numerous subsequent alerts were not effectively investigated.

PwC’s crisp list of recommendations in the wake of the incident ­ as well as detail on the business impact of the HSE ransomware attack ­ may prove highly useful guidance on best practice for IT professionals looking to set up a security programme and get it funded.

An Examination of the Bug Bounty Marketplace

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/01/an-examination-of-the-bug-bounty-marketplace.html

Here’s a fascinating report: “Bounty Everything: Hackers and the Making of the Global Bug Marketplace.” From a summary:

…researchers Ryan Ellis and Yuan Stevens provide a window into the working lives of hackers who participate in “bug bounty” programs­ — programs that hire hackers to discover and report bugs or other vulnerabilities in their systems. This report illuminates the risks and insecurities for hackers as gig workers, and how bounty programs rely on vulnerable workers to fix their vulnerable systems.

Ellis and Stevens’s research offers a historical overview of bounty programs and an analysis of contemporary bug bounty platforms — ­the new intermediaries that now structure the vast majority of bounty work. The report draws directly from interviews with hackers, who recount that bounty programs seem willing to integrate a diverse workforce in their practices, but only on terms that deny them the job security and access enjoyed by core security workforces. These inequities go far beyond the difference experienced by temporary and permanent employees at companies such as Google and Apple, contend the authors. The global bug bounty workforce is doing piecework — they are paid for each bug, and the conditions under which a bug is paid vary greatly from one company to the next.

The 2021 OWASP Top 10 Have Evolved: Here’s What You Should Know

Post Syndicated from Bria Grangard original https://blog.rapid7.com/2021/09/30/the-2021-owasp-top-10-have-evolved-heres-what-you-should-know/

The 2021 OWASP Top 10 Have Evolved: Here's What You Should Know

Late last week, the Open Web Application Security Project (OWASP) released its top 10 list of critical web application security risks. The last OWASP Top 10 came out in 2017, and in the intervening 4 years, we’ve seen a fundamental shift in application security that includes greater emphasis on securing web applications during the ever-evolving development process.

In this post, we’re going to discuss the 2021 OWASP Top 10, how the list is evolving alongside the web application security discussion, and what you should take away from this year’s Top 10. And if you want to learn more, stay tuned in the coming weeks for deeper dives into several of the main recommendations this year’s OWASP team has identified.

What is the OWASP Top 10?

The OWASP Top 10 is an awareness document that highlights the top 10 most critical web application security risks. The risks are in a ranked order based on frequency, severity, and magnitude for impact.

OWASP has maintained this list since 2003, and every few years, they update the list based on advancements in both application development and application security. Many organizations look to the OWASP Top 10 as a guide for minimizing risk.

So, what’s changed?

As mentioned above, OWASP and their Top 10 have evolved to focus more on helping developers build secure applications and work with security teams. After partnering with organizations and once again taking into consideration frequency, severity, and magnitude for risk that these vulnerabilities introduce, OWASP recently released their new OWASP Top 10 for 2021. Check out the changes below:

The 2021 OWASP Top 10 Have Evolved: Here's What You Should Know

Some of the notable changes include the introduction of new categories, consolidation, and scope changes to categories. Examples of these changes include:

  • The introduction of insecure design — We’ve seen this repeatedly highlighted as an area to watch, as the pressure mounts to continuously deliver new apps and features. An application’s architecture must take thoughtful security principles into account from the very beginning of the design process.
  • Broadened focus of injections — The new injection vulnerability category now includes 33 CWEs and many common injection types, such as SQL and NoSQL. The notable consolidation that took place this year was the inclusion of Cross-Site Scripting (XSS) into the injection category.
  • Vulnerable and outdated components replace “using components with known vulnerabilities” This is an example of an expanded scope of category to include using outdated open-source libraries and their associated vulnerabilities.

What do these changes mean?

The changes to the OWASP Top 10 reflect the shifts we’ve witnessed in application development and security. As the pressure mounts for teams to deliver high-quality products faster than ever, and we see the introduction of many cloud-native technologies to facilitate the acceleration of development cycles, developers must focus on scalable security from the start.

The 2021 OWASP Top 10 highlights a strategic approach to security that includes the architecture that supports the application, as well as the APIs, data, and so much more. The methodologies for testing and monitoring your applications through development to production are also critical in this framework. The 2021 OWASP Top 10 highlights many of these changes with the adoption of best-in-class tools and practices such as shifting left, DevSecOps, and a focus on preventing risk through a combination of both testing and monitoring.

Want to learn more? Stay tuned for our follow-up blogs, where we’ll take a deeper dive into some of the OWASP Top 10 to discuss what’s changed and why these updates are important.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

SANS 2021 Threat Hunting Survey: How Organizations’ Security Postures Have Evolved in the New Normal

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2021/09/17/sans-2021-threat-hunting-survey-how-organizations-security-postures-have-evolved-in-the-new-normal/

SANS 2021 Threat Hunting Survey: How Organizations' Security Postures Have Evolved in the New Normal

It’s that time of year once again: The SANS Institute — the most trusted resource for cybersecurity research — has conducted its sixth annual Threat Hunting Survey, sponsored by Rapid7. The goal of this survey is to better understand the current threat hunting landscape and the benefits provided to an organization’s security posture as a result of threat hunting.

This year’s survey, “A SANS 2021 Survey: Threat Hunting in Uncertain Times,” has a unique focus, one that’s taken into consideration the impact of COVID-19 and how it’s affected organizations’ threat hunting. The findings indicate that the global pandemic has had a relatively mixed impact on the organizations surveyed, with many respondents unsure of what type of impact it’s had — and will have — on their threat hunting efforts.

Here’s a preview of the survey’s findings and its takeaways for organizations navigating today’s cybersecurity landscape.

Fewer organizations are performing threat hunting in 2021

According to the survey results, 12.6% fewer organizations are performing threat hunting in 2021 when compared to those surveyed in 2020. This is concerning, as threat hunting is an ever-evolving field, and organizations that don’t dedicate resources to it won’t be able to keep pace with the changes in tactics and techniques needed to find threat actors.

But what caused this dip? It seems to be a combination of organizations reducing their external spend with third parties and their overall internal staff in response to COVID-19. That said, this reduction cannot be fully accounted for by the pandemic.

Despite this decrease, there is good news: 93.1% of respondents indicated they have dedicated threat hunting staff, and the majority of respondents plan to increase spending on staffing and tools for threat hunting in the near future. Over the year to come, we’ll likely see an extended detection and response (XDR) approach leveraging tools like InsightIDR playing a key role in these efforts.

The threat hunting toolbox is evolving

The tools organizations are using to conduct threat hunting are evolving — but have they advanced enough to keep up with the modern cybersecurity landscape?

The output of threat hunting depends on three factors: visibility, skills, and threat intelligence. To achieve this output, threat hunters need the right tools. After asking respondents about their organizations’ tool chests, SANS found that over 75% of respondents are using a tool set that includes EDRs, SIEMs, and IDS/IPS.

It should come as no surprise that these tools are at the top — these are essential to establishing visibility. What is interesting, however, is the second-place spot taken by customizable tools, followed by threat intelligence platforms. This indicates there’s room for improvement for solutions vendors regarding threat hunting — and users are looking for deep insights. Tools like Rapid7’s cloud SIEM solution that cut through the noise and surface the threats that really matter are key in today’s complex IT environments.

Overall security posture has improved — but there’s room to grow

The improvements seen in organizations’ overall security posture as a result of threat hunting continue to show steady numbers. According to the study, organizations have seen anywhere from a 10-25% improvement in their security posture from threat hunting over the last year. In addition, 72.3% of respondents claimed threat hunting had a positive improvement on their organization over time.

These are brilliant results to see, and they reinforce the positive impact threat hunting can have, even in the face of today’s extraordinary challenges.

That said, while there are clear benefits to threat hunting, there are some barriers to success for organizations, namely:

  • Over half (51.3%) of all respondents indicated the primary barrier for them as threat hunters is a lack of skilled staff and training.
  • This was closely followed (43%) by an even split of challenges between the limitations of tools or technologies and a lack of defined processes.

Organizations can start addressing these challenges in a variety of ways, including adopting best-in-class detection and response tooling and owning documentation, education, and maintenance at scale. These are manageable barriers that will come down with time, and despite a global pandemic, the overall outlook is good, as the general trend to more threat hunting appears to sustain with this year’s survey.

Hopefully, these numbers continue to increase next year, and more organizations will reap the benefits of threat hunting.

To take a deeper dive into the survey’s findings, download the full report: A SANS 2021 Survey: Threat Hunting in Uncertain Times.

Learn more about how Rapid7’s Incident Detection and Response solutions can help you protect your organization and boost your ability to swiftly thwart attackers.

Cloud Challenges in the Age of Remote Work: Rapid7’s 2021 Cloud Misconfigurations Report

Post Syndicated from Shelby Matthews original https://blog.rapid7.com/2021/09/09/cloud-challenges-in-the-age-of-remote-work-rapid7s-2021-cloud-misconfigurations-report/

Cloud Challenges in the Age of Remote Work: Rapid7’s 2021 Cloud Misconfigurations Report

A lot changed in 2020, and the way businesses use the cloud was no exception. According to one study, 90% of organizations plan to increase their use of cloud infrastructure following the COVID-19 pandemic, and 61% are planning to optimize the way they currently use the cloud. The move to the cloud has increased organizations’ ability to innovate, but it’s also significantly impacted security risks.

Cloud misconfigurations have been among the leading sources of attacks and data breaches in recent years. One report found the top causes of cloud misconfigurations were lack of awareness of cloud security and policies, lack of adequate controls and oversight, and the presence of too many APIs and interfaces. As employees started working from home, the problem only got worse. IBM’s 2021 Cost of a Data Breach report found the difference in cost of a data breach involving remote work was 24.2% higher than those involving non-remote work.

What’s causing misconfigurations?

Rapid7 researchers found and studied 121 publicly reported cases of data exposures in 2020 that were directly caused by a misconfiguration in the organization’s cloud environment. The good news is that 62% of these cases were discovered by independent researchers and not hackers. The bad news? There are likely many more data exposures that hackers have found but the impacted organizations still don’t know about.

Here are some of our key findings:

  • A lot of misconfigurations happen because an organization wants to make access to a resource easier
  • The top three industries impacted by data exposure incidents were information, entertainment, and healthcare.
  • AWS S3 and ElasticSearch databases accounted for 45% of the incidents.
  • On average, there were 10 reported incidents a month across 15 industries.
  • The median data exposure was 10 million records.

Traditionally, security has been at the end of the cycle, allowing for vulnerabilities to get missed — but we’re here to help. InsightCloudSec is a cloud-native security platform meant to help you shift your cloud security programs left to allow security to become an earlier part of the cycle along with increasing workflow automation and reducing noise in your cloud environment.

Check out our full report that goes deeper into how and why these data breaches are occurring.

Insurance and Ransomware

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/07/insurance-and-ransomware.html

As ransomware becomes more common, I’m seeing more discussions about the ethics of paying the ransom. Here’s one more contribution to that issue: a research paper that the insurance industry is hurting more than it’s helping.

However, the most pressing challenge currently facing the industry is ransomware. Although it is a societal problem, cyber insurers have received considerable criticism for facilitating ransom payments to cybercriminals. These add fuel to the fire by incentivising cybercriminals’ engagement in ransomware operations and enabling existing operators to invest in and expand their capabilities. Growing losses from ransomware attacks have also emphasised that the current reality is not sustainable for insurers either.

To overcome these challenges and champion the positive effects of cyber insurance, this paper calls for a series of interventions from government and industry. Some in the industry favour allowing the market to mature on its own, but it will not be possible to rely on changing market forces alone. To date, the UK government has taken a light-touch approach to the cyber insurance industry. With the market undergoing changes amid growing losses, more coordinated action by government and regulators is necessary to help the industry reach its full potential.

The interventions recommended here are still relatively light, and reflect the fact that cyber insurance is only a potential incentive for managing societal cyber risk.They include: developing guidance for minimum security standards for underwriting; expanding data collection and data sharing; mandating cyber insurance for government suppliers; and creating a new collaborative approach between insurers and intelligence and law enforcement agencies around ransomware.

Finally, although a well-functioning cyber insurance industry could improve cyber security practices on a societal scale, it is not a silver bullet for the cyber security challenge. It is important to remember that the primary purpose of cyber insurance is not to improve cyber security, but to transfer residual risk. As such, it should be one of many tools that governments and businesses can draw on to manage cyber risk more effectively.

Basically, the insurance industry incents companies to do the cheapest mitigation possible. Often, that’s paying the ransom.

News article.

Banning Surveillance-Based Advertising

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/06/banning-surveillance-based-advertising.html

The Norwegian Consumer Council just published a fantastic new report: “Time to Ban Surveillance-Based Advertising.” From the Introduction:

The challenges caused and entrenched by surveillance-based advertising include, but are not limited to:

  • privacy and data protection infringements
  • opaque business models
  • manipulation and discrimination at scale
  • fraud and other criminal activity
  • serious security risks

In the following chapters, we describe various aspects of these challenges and point out how today’s dominant model of online advertising is a threat to consumers, democratic societies, the media, and even to advertisers themselves. These issues are significant and serious enough that we believe that it is time to ban these detrimental practices.

A ban on surveillance-based practices should be complemented by stronger enforcement of existing legislation, including the General Data Protection Regulation, competition regulation, and the Unfair Commercial Practices Directive. However, enforcement currently consumes significant time and resources, and usually happens after the damage has already been done. Banning surveillance-based advertising in general will force structural changes to the advertising industry and alleviate a number of significant harms to consumers and to society at large.

A ban on surveillance-based advertising does not mean that one can no longer finance digital content using advertising. To illustrate this, we describe some possible ways forward for advertising-funded digital content, and point to alternative advertising technologies that may contribute to a safer and healthier digital economy for both consumers and businesses.

Press release. Press coverage.

I signed their open letter.

The Future of Machine Learning and Cybersecurity

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/06/the-future-of-machine-learning-and-cybersecurity.html

The Center for Security and Emerging Technology has a new report: “Machine Learning and Cybersecurity: Hype and Reality.” Here’s the bottom line:

The report offers four conclusions:

  • Machine learning can help defenders more accurately detect and triage potential attacks. However, in many cases these technologies are elaborations on long-standing methods — not fundamentally new approaches — that bring new attack surfaces of their own.
  • A wide range of specific tasks could be fully or partially automated with the use of machine learning, including some forms of vulnerability discovery, deception, and attack disruption. But many of the most transformative of these possibilities still require significant machine learning breakthroughs.
  • Overall, we anticipate that machine learning will provide incremental advances to cyber defenders, but it is unlikely to fundamentally transform the industry barring additional breakthroughs. Some of the most transformative impacts may come from making previously un- or under-utilized defensive strategies available to more organizations.
  • Although machine learning will be neither predominantly offense-biased nor defense-biased, it may subtly alter the threat landscape by making certain types of strategies more appealing to attackers or defenders.

The Problem with Treating Data as a Commodity

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/02/the-problem-with-treating-data-as-a-commodity.html

Excellent Brookings paper: “Why data ownership is the wrong approach to protecting privacy.”

From the introduction:

Treating data like it is property fails to recognize either the value that varieties of personal information serve or the abiding interest that individuals have in their personal information even if they choose to “sell” it. Data is not a commodity. It is information. Any system of information rights­ — whether patents, copyrights, and other intellectual property, or privacy rights — ­presents some tension with strong interest in the free flow of information that is reflected by the First Amendment. Our personal information is in demand precisely because it has value to others and to society across a myriad of uses.

From the conclusion:

Privacy legislation should empower individuals through more layered and meaningful transparency and individual rights to know, correct, and delete personal information in databases held by others. But relying entirely on individual control will not do enough to change a system that is failing individuals, and trying to reinforce control with a property interest is likely to fail society as well. Rather than trying to resolve whether personal information belongs to individuals or to the companies that collect it, a baseline federal privacy law should directly protect the abiding interest that individuals have in that information and also enable the social benefits that flow from sharing information.

On Chinese-Owned Technology Platforms

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/02/on-chinese-owned-technology-platforms.html

I am a co-author on a report published by the Hoover Institution: “Chinese Technology Platforms Operating in the United States.” From a blog post:

The report suggests a comprehensive framework for understanding and assessing the risks posed by Chinese technology platforms in the United States and developing tailored responses. It starts from the common view of the signatories — one reflected in numerous publicly available threat assessments — that China’s power is growing, that a large part of that power is in the digital sphere, and that China can and will wield that power in ways that adversely affect our national security. However, the specific threats and risks posed by different Chinese technologies vary, and effective policies must start with a targeted understanding of the nature of risks and an assessment of the impact US measures will have on national security and competitiveness. The goal of the paper is not to specifically quantify the risk of any particular technology, but rather to analyze the various threats, put them into context, and offer a framework for assessing proposed responses in ways that the signatories hope can aid those doing the risk analysis in individual cases.

Router Security

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2021/02/router-security.html

This report is six months old, and I don’t know anything about the organization that produced it, but it has some alarming data about router security.

Conclusion: Our analysis showed that Linux is the most used OS running on more than 90% of the devices. However, many routers are powered by very old versions of Linux. Most devices are still powered with a 2.6 Linux kernel, which is no longer maintained for many years. This leads to a high number of critical and high severity CVEs affecting these devices.

Since Linux is the most used OS, exploit mitigation techniques could be enabled very easily. Anyhow, they are used quite rarely by most vendors except the NX feature.

A published private key provides no security at all. Nonetheless, all but one vendor spread several private keys in almost all firmware images.

Mirai used hard-coded login credentials to infect thousands of embedded devices in the last years. However, hard-coded credentials can be found in many of the devices and some of them are well known or at least easy crackable.

However, we can tell for sure that the vendors prioritize security differently. AVM does better job than the other vendors regarding most aspects. ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel.

Additionally, our evaluation showed that large scale automated security analysis of embedded devices is possible today utilizing just open source software. To sum it up, our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects. Much more effort is needed to make home routers as secure as current desktop of server systems.

One comment on the report:

One-third ship with Linux kernel version 2.6.36 was released in October 2010. You can walk into a store today and buy a brand new router powered by software that’s almost 10 years out of date! This outdated version of the Linux kernel has 233 known security vulnerabilities registered in the Common Vulnerability and Exposures (CVE) database. The average router contains 26 critically-rated security vulnerabilities, according to the study.

We know the reasons for this. Most routers are designed offshore, by third parties, and then private labeled and sold by the vendors you’ve heard of. Engineering teams come together, design and build the router, and then disperse. There’s often no one around to write patches, and most of the time router firmware isn’t even patchable. The way to update your home router is to throw it away and buy a new one.

And this paper demonstrates that even the new ones aren’t likely to be secure.