Endpoint – Security Intelligence
https://securityintelligence.com
Analysis and Insight for Information Security Professionals
Feed updated: Fri, 15 Dec 2023 19:51:04 +0000

Unified endpoint management for purpose-based devices
https://securityintelligence.com/articles/unified-endpoint-management-for-purpose-based-devices/
Tue, 28 Nov 2023 14:00:00 +0000


As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear.

What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks.

Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive) and healthcare. These devices, often running on Android Open Source Project (AOSP) and non-GMS (non-Google Mobile Services) platforms, are tailored to specific tasks and environments and can enhance productivity and streamline operations. However, managing and supporting these devices can pose a unique set of difficulties.

For the enterprise, investing in applications to manage these devices may seem like the only viable option. However, with the rapid advancements in Unified Endpoint Management (UEM) solutions, organizations can effectively manage and protect purpose-built devices without purchasing a separate, specialized app.

How can a modern UEM app seamlessly integrate and support purpose-built devices across various industries?

The power of a modern UEM app: Key benefits

A UEM solution is a comprehensive platform designed to manage and secure all types of devices. This includes smartphones, tablets, laptops and IoT devices, regardless of their operating system. UEM apps have evolved to support purpose-built devices, which can now be managed and protected just as efficiently as traditional devices.

Leveraging a wide range of powerful features and capabilities, organizations can address the unique challenges that purpose-built devices pose while streamlining their management processes.

Reduced costs are the most obvious benefit of a UEM app. However, businesses can also take advantage of these ten key benefits and functionalities.

Comprehensive device support: UEM apps support a wide variety of devices and operating systems, including Android Open Source Project (AOSP) and non-GMS platforms. This helps eliminate the need for additional specialized apps.

Customizable profiles and policies: A UEM app allows IT administrators to create custom profiles and policies tailored to specific device types and use cases, enabling them to fine-tune device configurations, security settings and access controls.

Enhanced security: Purpose-built devices often hold sensitive data and are used in critical operations. A UEM app enables IT administrators to implement robust security measures, such as encryption, secure data storage and advanced authentication, to protect from potential threats.

Device compliance: A modern UEM app can help ensure purpose-built devices adhere to industry-specific regulations. By automating device configuration and policy enforcement, a UEM app minimizes the risk of non-compliance and associated penalties.

Simplified updates and maintenance: A UEM app can automate software updates, patches and maintenance tasks for purpose-built devices. This ensures they remain up-to-date and secure — reducing downtime and maximizing device efficiency.

Reduced costs: By consolidating device management into a single UEM app, organizations can eliminate the need for multiple specialized apps, resulting in a lower total cost of ownership (TCO).

Remote monitoring and troubleshooting: Modern UEM apps provide IT administrators with real-time visibility into the status and performance of purpose-built devices, including monitoring device health, network connectivity and battery life. UEM apps can also enable remote troubleshooting and diagnostics.

App management and distribution: A UEM app simplifies the process of deploying, updating and managing apps on purpose-built devices. IT administrators can centrally manage app catalogs, so devices have access to the latest versions of critical apps. IT teams can remotely install, update or remove apps on devices to streamline app management across the organization.

Context-aware management: By incorporating context-aware capabilities, UEM apps allow IT administrators to apply policies and configurations based on factors such as device location, network connectivity or user roles.

Scalability and future-proofing: A UEM app can scale and adapt to the evolving needs of an organization. As businesses grow and adopt new purpose-built devices, a UEM app can easily expand its support to accommodate these devices.

Integration with other IT systems: Current UEM apps seamlessly integrate with other IT systems and platforms, such as enterprise mobility management (EMM) solutions, identity and access management (IAM) systems and IT service management (ITSM) tools.

Which industries can benefit from UEM apps?

A modern UEM app can support purpose-built devices across a diverse set of industries. Here are the most common:

Travel and transportation: Purpose-built devices here often include ticketing machines, fleet management devices and navigation systems. A UEM app manages these devices efficiently, keeping them updated and protected from security threats.

Retail: Retailers rely on devices such as point-of-sale (POS) systems, inventory scanners and digital signage. A UEM app can manage these devices, secure payment transactions and streamline device deployment and updates.

Warehouse and distribution: Purpose-built devices such as barcode scanners, inventory management systems and forklift-mounted tablets are essential in a warehouse environment.

Manufacturing (including automotive): Manufacturers use purpose-built devices for quality control, production line automation and inventory management. Like in warehouse and distribution, a UEM app can help manage these devices, ensure they comply with industry standards and protect sensitive data.

Healthcare: Healthcare providers use purpose-built devices such as patient monitoring systems, medical imaging equipment and electronic health record (EHR) systems. A UEM app can help secure patient data, keep devices compliant with HIPAA and other regulations and simplify device management across the healthcare ecosystem.

How the enterprise can best leverage UEM

The increasing use of purpose-built devices across various industries requires a robust and flexible management solution. UEM apps have evolved to meet this challenge, providing a comprehensive platform that can effectively manage and protect purpose-built devices alongside traditional devices.

IBM commissioned Forrester Consulting to conduct a Total Economic Impact™ study to help IT and security leaders realize, demonstrate and justify the tangible value of their investment in unified endpoint management.

This study applied Forrester’s TEI methodology to examine the potential return on investment enterprises may capture by deploying IBM MaaS360 with Watson UEM.

Forrester interviewed and surveyed several customers with years of experience using MaaS360 to help key decision-makers identify the cost, benefit, flexibility and risk factors that affect their UEM investment decision.

Conclusion

By adopting a UEM app, organizations can centralize device management, enhance security, ensure compliance, streamline updates and maintenance and reduce costs. This allows businesses to fully leverage the benefits of purpose-built devices without the need for additional specialized applications.

Ultimately, that increased operational efficiency can give your organization the competitive advantage it needs.

Virtual credit card fraud: An old scam reinvented
https://securityintelligence.com/posts/virtual-credit-card-fraud-old-scam-reinvented/
Mon, 30 Oct 2023 16:00:00 +0000

In today’s rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the challenges facing modern banking. In this blog, we explore one such example.

IBM Security Trusteer recently observed a new trend in a Spanish retail bank with the creation of virtual credit cards for fraudulent purposes, which turned out to be a little-protected service of the offering bank. Fraudsters exploited it to defraud victims of their entire account balance, reinventing a known and effective scam.

The fraud, step by step

Each security attack has a unique anatomy and flow. We will examine the flow of this specific fraud here.

  1. Fraudsters initiate the attack by sending an SMS to the victim. The SMS will appear under the same section as previous messages from the bank. This is done using a tactic called SMS spoofing. The topic of SMS spoofing is outside the scope of this blog but is indeed a facilitator of this fraud flow.
  2. The fraudsters, appearing to be the bank, inform the victim via SMS of a security issue with their banking account. They further explain that a bank representative will call the victim soon and provide a numeric code to identify themselves. The code is provided in the message as well.
  3. Next, a fraudster calls the victim, providing the code from the SMS sent earlier to “identify” themselves and elaborate on the security issue: they often claim that the victim’s banking account was compromised and that to protect the money, they will need to move it to a new banking account that was created for them.
  4. Note that the fraudster established reliability via the SMS and by providing the code at this point. The stressed victim provides the fraudster(s) with their credentials, allowing them to log into the banking account.
  5. At this point, fraudsters have two options. They can try to empty the banking account using traditional wire transfers. However, these are often capped at a specific daily limit, are monitored for fraudulent activity by the bank, and require a fraudulent destination account (otherwise known as a mule account). The second option is to create virtual credit cards, which is a convenient alternative for the following reasons:
    • No daily limit: The virtual cards’ limit is several thousand euros, but the fraudster can create as many virtual cards as the victim’s account balance allows. For example, if the victim has 10,000 euros in the account, the fraudster could create multiple virtual cards with a limit of several thousand euros each. This action requires authentication, but the victims provide the 2FA under pressure.
    • No need for a mule account: Once the credit card is created, fraudsters use it to buy cryptocurrency and disappear from the traditional banking system.

This MO surfaced in early 2023 and slowly grew in popularity. It now accounts for 41-48% of the fraudulent “transaction” attempts.

Trusteer’s solution

The virtual credit card creation is, for now, exclusively available via the browser (and not the banking app). As such, we addressed this fraud by analyzing the user flow data (URLs) and transactional data.

In general, user flow data can provide valuable insights into potentially risky and unauthorized actions in the account. This includes, but is not limited to:

  • Reset passwords — an action that occurs before the actual login
  • Change of contact details, such as phone numbers
  • Change of transaction limits
  • Enrolling a new device to receive soft tokens (2FAs)

The prerequisite for user flow analysis is complete visibility into all flows of the banking application and a risk assessment at the correct time during the session (pre-login or post-login).

Once the data is available in Trusteer’s systems, our fraud prevention solutions can incorporate the data into the security policy.

In this specific case, Trusteer alerts the bank to suspicious virtual credit card creations, allowing them to take action.
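As an added example (not Trusteer’s or the bank’s code), the following Python scores a browser session the way the post describes: it walks the session’s URL flow together with transactional data, raises the risk for the pre-actions listed above (a password reset before login, contact or limit changes, device enrolment) and for virtual card creations that follow them or arrive in unusual numbers, and flags the session once the score crosses a threshold. Every URL path, weight, threshold and log line is a constructed assumption.

```python
"""Session URL-flow risk scoring for virtual card creation.

Added example, not Trusteer's or the bank's code: it combines the URL
sequence of a browser session with transactional data and alerts when
virtual cards are created after risky account-control actions or in
unusual numbers. Every path, weight, threshold and log line is assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime

LOGIN_PATH = "/login"
VCARD_PATH = "/cards/virtual/create"
# Risky pre-actions named in the post, with assumed risk weights.
RISKY_PATHS = {
    "/account/reset-password": ("password_reset", 20),
    "/profile/contact/update": ("contact_change", 25),
    "/limits/update": ("limit_change", 25),
    "/security/devices/enrol": ("device_enrolment", 30),
}
MAX_CARDS_PER_SESSION = 1   # assumed: one card per session is normal
HIGH_VALUE_EUR = 2000       # assumed: per-card limit treated as high value
ALERT_THRESHOLD = 50

@dataclass
class Event:
    ts: datetime
    session: str
    path: str
    amount_eur: int = 0

@dataclass
class SessionRisk:
    session: str
    score: int = 0
    cards_created: int = 0
    total_limit_eur: int = 0
    reasons: list = field(default_factory=list)
    alert: bool = False

def parse_line(line: str) -> Event:
    """Constructed log format: '<iso-timestamp> <session-id> <path> [amount=<eur>]'."""
    parts = line.split()
    amount = next((int(p[7:]) for p in parts[3:] if p.startswith("amount=")), 0)
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], amount)

def score_session(events) -> SessionRisk:
    """Walk one session's events in time order and accumulate a risk score."""
    events = sorted(events, key=lambda e: e.ts)
    risk = SessionRisk(session=events[0].session)
    logged_in = False
    risky_seen = []   # labels of risky actions already taken in this session
    for ev in events:
        if ev.path == LOGIN_PATH:
            logged_in = True
        elif ev.path in RISKY_PATHS:
            label, weight = RISKY_PATHS[ev.path]
            if label == "password_reset" and not logged_in:
                # The post singles out password resets that occur before login.
                label, weight = "password_reset_pre_login", weight + 10
            risky_seen.append(label)
            risk.score += weight
            risk.reasons.append(label)
        elif ev.path == VCARD_PATH:
            risk.cards_created += 1
            risk.total_limit_eur += ev.amount_eur
            if ev.amount_eur >= HIGH_VALUE_EUR:
                risk.score += 15
                risk.reasons.append(f"high_value_card:{ev.amount_eur}")
            if risky_seen:
                # Card created right after an account-control change.
                risk.score += 20
                risk.reasons.append("card_after_" + risky_seen[-1])
    extra_cards = risk.cards_created - MAX_CARDS_PER_SESSION
    if extra_cards > 0:
        # The post's key signal: as many cards as the balance allows.
        risk.score += 20 * extra_cards
        risk.reasons.append(f"multiple_cards:{risk.cards_created}")
    risk.alert = risk.score >= ALERT_THRESHOLD
    return risk

def assess(lines):
    """Group log lines by session and score each; returns {session_id: SessionRisk}."""
    by_session = {}
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_session.setdefault(ev.session, []).append(ev)
    return {sid: score_session(evs) for sid, evs in by_session.items()}

# Constructed sample sessions: a normal one, one matching the post's fraud
# flow, and one with account-control changes before a card is created.
SAMPLE_LOG = """\
2023-06-01T09:00:00 s-legit /login
2023-06-01T09:02:00 s-legit /cards/virtual/create amount=500
2023-06-01T11:00:00 s-fraud /login
2023-06-01T11:01:00 s-fraud /cards/virtual/create amount=3000
2023-06-01T11:03:00 s-fraud /cards/virtual/create amount=3000
2023-06-01T11:05:00 s-fraud /cards/virtual/create amount=3000
2023-06-01T14:00:00 s-risky /account/reset-password
2023-06-01T14:02:00 s-risky /login
2023-06-01T14:03:00 s-risky /profile/contact/update
2023-06-01T14:04:00 s-risky /cards/virtual/create amount=1500
"""
```

Running `assess(SAMPLE_LOG.splitlines())` flags `s-fraud` (three high-value cards in one session) and `s-risky` (pre-login password reset and contact change before the card) while leaving `s-legit` alone; in practice the bank's own URL map and tuned weights replace the assumed ones.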

What banks must keep in mind

As banks continuously innovate and introduce new services to meet their clients’ expectations, they simultaneously open new opportunities for fraud. End-to-end visibility and robust data collection are key to creating security controls for new offerings.

By using Trusteer’s risk assessment, banks have the essential resources to stay ahead of the curve and promptly identify and prevent developing fraud trends. This approach safeguards both the banks and the trust of their valued clients.

Endpoint security in the cloud: What you need to know
https://securityintelligence.com/posts/endpoint-security-in-cloud-what-you-need-to-know/
Thu, 19 Oct 2023 13:00:00 +0000

Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in the business world.

This is why it is vital for companies to use cutting-edge endpoint security technology for their cloud computing systems. If you are working with cloud systems in any capacity, you must also use cloud security to safeguard against data breaches.

However, before you develop a good understanding of cloud security, the first and most important step is learning about cloud computing and its essential properties.

What is cloud computing?

Cloud computing can be best described as a range of hosted services offered through the internet. It replaces the need to store all computing infrastructure in a physical server environment, a physical computer or an on-premises data center. Cloud computing works with off-site hardware for hosting different types of services and encompasses software systems and storage solutions.

This flexible cloud model offers a range of strategic benefits for the users, including:

  • Easy scalability
  • Quick start deployment
  • Reduced costs for initial setup and long-term use.

When an organization has extensive privacy and compliance requirements, it can work with hybrid cloud infrastructure, which makes use of both cloud and physical computing ecosystems.

Because cloud computing works very differently from on-site hosting systems, it is necessary to protect the cloud environment using cloud security infrastructure. Through cloud security, it is possible to deal with the privacy and cybersecurity challenges posed by the cloud environment.

Cloud security involves everything used to safeguard sensitive data stored within the cloud. Using a variety of techniques, procedures, methods and controls, cloud security protects cloud applications and infrastructure from any kind of online abuse or unauthorized access.

Some cloud security aspects require more effort by the cloud customer than what cloud service providers can offer. This is particularly true for zero trust cloud architecture.

Endpoint security

Endpoint security has to do with the processes used for securing endpoints like desktops, laptops, servers and mobile devices from possible malware, unauthorized access and all other kinds of cybersecurity threats. As more and more companies work with cloud computing, endpoint security has increased in importance as it allows users to protect their cloud-based applications and data.

Endpoint security in a cloud environment is something that most modern organizations need to think about when they start adopting cloud-based services. Through endpoint security, it is possible to implement practices for protecting endpoint devices, like laptops, mobile devices and desktops. Within the cloud environment, the tools of endpoint security help to secure the devices connecting to the cloud-based services and applications.

Endpoint security for the cloud infrastructure involves multifaceted and complex processes that use different types of technologies and practices to ensure application and data security.

These are some essential features of cloud-based endpoint security:

  • Endpoint protection. Cloud endpoint protection is carried out with security software like firewalls, antivirus tools and systems for intrusion detection and prevention. These programs help to protect the endpoints from numerous security threats. Endpoint protection in the cloud is often provided by cloud-based security experts who are trained mainly to protect the cloud-based endpoints.
  • Data encryption. Through data encryption, it is possible to convert plain text into an unreadable format so that it is only possible to decrypt it with a secret key. Data encryption in the cloud is vital for protecting all kinds of sensitive data from being accessed by unauthorized parties. The endpoint security solutions for cloud systems often use data encryption as a standard security feature.
  • Identity and access management (IAM). IAM functions as a critical element of endpoint security for cloud computing. IAM includes tools for managing user identities and access to cloud-based resources. It includes authorization, authentication and access control. Such functions are essential for ensuring the protection of sensitive applications and data in the cloud.
  • Threat intelligence. Threat intelligence is a process that uses information about cyber threats to identify and prevent security breaches. Threat intelligence can help identify potential security vulnerabilities and threats in cloud-based endpoints. Endpoint security solutions for the cloud typically include threat intelligence features that offer real-time detection and prevention of threats.
  • Compliance and governance. Compliance and governance functions are crucial aspects of cloud-based endpoint security. Organizations need to comply with different industry standards and regulations to ensure the privacy and security of cloud-based data systems and applications. The endpoint security solutions for cloud platforms typically include governance and compliance features to help organizations meet such requirements.

Endpoint security for the cloud is an essential feature of the cloud security infrastructure that organizations must implement for better security. By using endpoint security measures and systems in the cloud, organizations can ensure the privacy and security of cloud-based applications and data. It also helps to comply with the regulatory requirements and ensures protection against cyber threats.

Challenges and solutions to cloud-based endpoint security

As companies try to migrate their diverse data and operations into the cloud, the importance of endpoint security has increased for all kinds of cloud applications. Cloud infrastructure offers cost efficiency, flexibility and scalability and also presents a fresh range of challenges for securing the endpoints.

The following challenges are associated with cloud-based endpoint security:

  1. Absence of physical control. A major difficulty in securing the endpoints within the cloud system is an absence of physical control over the devices. The cloud system is a completely virtual environment, and organizations cannot secure their devices physically as they are able to do with the traditional endpoints. As a result, it can be challenging for them to implement and preserve security controls.
  2. The complexity of handling security requirements. Another distinct challenge associated with endpoint security in a cloud environment is the complexity and difficulty of maintaining security across numerous cloud services and providers. Organizations that work with multiple cloud providers and services have to make sure that each service is properly secured. This can be an arduous and time-consuming task.
  3. Different risks. Cloud-based endpoints involve different risks compared to traditional endpoints and are typically more vulnerable to data breaches, malware infections and account takeover attacks. This is because cloud-based systems and endpoints are reachable from anywhere, which makes them far more accessible to attackers than endpoints inside a traditional network.

Here are some solutions for endpoint security in the cloud:

  1. Using endpoint protection platforms (EPPs). EPPs protect endpoints from different types of cyber threats. The EPPs are often deployed within the cloud environment. They can be integrated with many other cloud security solutions to provide complete endpoint security.
  2. Implementing IAM systems. IAM systems can help organizations easily manage user identities and monitor access to cloud applications and services. In this way, IAM tools can prevent unauthorized access to the cloud-based endpoints.
  3. Deploying cloud access security brokers (CASBs). CASBs serve as security solutions that can provide control and visibility over cloud-based services. The CASBs make it easier for organizations to monitor and secure cloud-based endpoints through the implementation of access controls and security policies.
  4. Educating employees. It is important to invest in employee training and education when it comes to maintaining robust and strong endpoint security in the cloud. Organizations need to educate employees regarding the best practices for securing data and devices in the cloud environment. Such practices include installing security software, updating it regularly and avoiding risky online behavior.

Crucial components of cloud-based endpoint security

Implementing endpoint security solutions for cloud systems is a major challenge for organizations. Nevertheless, by consulting with the right cloud security service providers, businesses can mitigate risks and ensure robust endpoint security.

Organizations should leverage solutions such as EPPs, CASBs and IAM tools, and also educate employees regarding the best practices for securing their data and devices in the cloud environment. Having such tools and measures in place can make it easier for organizations to protect their diverse cloud-based endpoints and critical operations and data.

It is important to implement the following endpoint security systems in the cloud:

  1. Robust protection against cyber threats. More often than not, cloud-based endpoints are vulnerable to cyber threats such as phishing attacks, malware and data breaches. Endpoint security in the cloud can make it easier for organizations to protect themselves by systematically monitoring malicious activities and preventing unauthorized access.
  2. Compliance with regulations. Numerous industries have regulations for monitoring and protecting sensitive data, such as financial information and health care data. Using endpoint security in the cloud makes it easier for organizations to meet such regulations and steer clear of costly fines.
  3. Maintaining optimum business continuity. If a data breach or cyberattack occurs, compromised cloud-based endpoints can result in lost revenue and significant downtime. Endpoint security systems within the cloud ensure smooth maintenance of business continuity by minimizing or preventing the impact of security breaches.

Best practices for endpoint security in the cloud

When implementing your organization’s endpoint security in the cloud, keep the following best practices in mind:

  1. Implementing strong and reliable authentication measures. Having strong authentication measures like two-factor authentication can make it easier to prevent unauthorized access to cloud-based endpoints. Organizations must update their endpoint security systems regularly and patch the systems to address vulnerabilities.
  2. Using endpoint detection and response (EDR) solutions. EDR systems and solutions are created to easily detect and systematically respond to various forms of advanced endpoint threats. By identifying and regulating threats before they spread through the whole cloud environment, EDR solutions can help keep your endpoints safe.
  3. Managing and monitoring user activity. Through careful monitoring of user activity on cloud-based endpoints, it is possible to detect malicious activities and unauthorized access. Efficient user activity monitoring can assist in identifying the areas where it is necessary to implement additional security controls.
  4. Updating and patching software regularly. Regularly patching cloud-based endpoints helps address vulnerabilities and ensures protection against known threats. Organizations need to implement a systematic and regular patching schedule as well as test the patches prior to deploying them within the production environments.
  5. Educating employees. It is important to invest in employee training and education to maintain proper endpoint security in the cloud. Organizations need to educate employees regarding the best practices on cloud security to secure their data and devices. This involves installing security software, avoiding risky online behavior and reporting suspicious activity.

Organizations that regularly store and manage their applications and data in a cloud environment must focus on implementing endpoint security best practices. This can protect them against possible cyber threats, maintain business continuity and comply with regulations. These practices include strong authentication measures, monitoring of all user activity, high-end EDR solutions, regular updating and patching of security software and employee education on strong endpoint security within the cloud. Following such endpoint security best practices can ensure the protection of the cloud-based endpoints so that critical operations and data can be safeguarded.

Critical security risks in the cloud environment

The importance of cloud security has increased over the years. In that time, numerous enterprises have opted for cloud adoption when managing their data and applications. Unfortunately, many types of security challenges emerge while companies invest in cloud solutions. Some of these challenges include:

A more widespread threat landscape

Because so many organizations now use public cloud environments, the cloud’s exposure to data breaches and other critical security risks has increased. When business entities fail to do their due diligence on security needs, they may leave their data open to criminal exploitation. In many instances, companies may not even realize their data has been stolen.

Lack of control over cloud security services

A major reason for the popularity of cloud adoption is that cloud service providers often handle security management, maintenance and upgrades. Even though this is a major benefit, it can severely limit the scope of an organization to exercise control over the way security is implemented and monitored.

Automation in DevOps

Cloud hosting brings with it the option to automate most of the continuous integration/continuous delivery (CI/CD) processes and DevOps that organizations employ to streamline their operations.

Weak access management

When organizations opt for cloud adoption, it is vital that they have a dedicated framework for managing access control. In most cases, they use a standard free-for-all arrangement that allows users more access than they actually need for their work. This increases security risk both internally and externally, since cyber criminals who gain access to a user’s account also gain that user’s privileges.

Inconsistent security features in complex environments

Numerous organizations work with a hybrid cloud environment or a multi-cloud environment, which uses several public and private cloud providers along with on-premise solutions. Such a situation can give rise to inconsistent use of security protocols, increasing the chances of successful cyberattacks.

Compliance requirements

Even though a majority of the well-known cloud providers have tried to get security certifications for well-known cybersecurity frameworks, customers are still accountable for ensuring that their security systems and processes comply with major security protocols.

Six pillars of cloud security

Even though there are numerous differences between traditional security and cloud security, organizations can strengthen their security posture against cyber threats in the cloud. This is why companies need to exercise due diligence when securing their cloud systems, just as they do in on-premises environments.

These six pillars of cloud security are crucial for securing the cloud:

  1. Secure access controls. Implementing secure IAM protocols creates a robust security framework. Team members should only have the level of access to assets, systems and application programming interfaces they need to carry out their job responsibilities. When privileges increase, there should be higher levels of authentication needed to gain access. The employees need to take ownership of security and also use better password policies.
  2. Zero trust network security controls. The mission-critical applications and assets used by the organization should be kept within strategically isolated parts of the cloud network. These can be virtual private cloud systems. By segregating the sensitive workloads from the ones that do not need data security protocols, it is possible to enforce micro-segmentation with strict security policies.
  3. Change management. By working with change management protocols offered by the cloud security providers, it is possible to manage change and use compliance controls whenever changes are requested. This should also be done when new servers are provisioned or sensitive assets get changed or moved. Change management applications offer auditing functionality to users, which can help in monitoring unusual behavior and possible deviations from the protocol. This means the organization can investigate the problem and trigger automatic mitigation to correct the issue.
  4. Web application firewall. A web application firewall (WAF) makes it easier to scrutinize traffic going in and out of servers and web applications. By monitoring and alerting administrators regarding any suspicious behavior, a WAF can strengthen endpoint security to avoid breaches.
  5. Data protection. Enhanced data security is possible when an organization encrypts its data at all layers. There should also be security protocols for communication applications, file sharing and other areas within the environment where the organization stores, uses and transmits data.
  6. Continuous monitoring. Numerous cloud security providers offer valuable insight into cloud-native logs, enabling comparison with internal logs taken from other security tools like asset management tools, vulnerability scanners, change management tools and insights from external threat intelligence. Such efforts increase the chances for rapid incident response and make it easier to implement remediation workflows.
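As an added example (not code from the original article), here is a minimal deny-by-default policy evaluator for the first pillar, covering the over-permissioned "free-for-all" problem described earlier: roles grant only specific actions on specific resources, and privileged actions demand a higher authentication assurance level before access is granted. The role names, resources, actions and assurance tiers are constructed for illustration.

```python
"""Least-privilege access decision with step-up authentication.

Added example, not code from the original article. Role names, resources,
actions and the assurance tiers are constructed assumptions.
"""
from dataclasses import dataclass

# Assurance levels, ordered by strength: what the session proved about the caller.
ASSURANCE = {"password": 1, "mfa": 2, "hardware_key": 3}

# Role -> set of (resource, action) that role may perform (constructed sample).
ROLE_PERMISSIONS = {
    "developer": {("app-logs", "read"), ("ci-pipeline", "trigger")},
    "sre": {("app-logs", "read"), ("prod-db", "read"), ("prod-db", "restore")},
    "auditor": {("app-logs", "read"), ("iam-policies", "read")},
}

# Privileged actions require stronger authentication than a password alone.
# Anything not listed here needs only the baseline "password" level.
STEP_UP_REQUIRED = {
    ("prod-db", "restore"): "hardware_key",
    ("prod-db", "read"): "mfa",
    ("ci-pipeline", "trigger"): "mfa",
}


@dataclass
class Session:
    user: str
    roles: set
    assurance: str  # one of the ASSURANCE keys


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(session: Session, resource: str, action: str) -> Decision:
    """Deny by default: allow only when some role grants the action and the
    session's assurance level meets the step-up requirement for it."""
    if session.assurance not in ASSURANCE:
        return Decision(False, "unknown assurance level")
    granted = any(
        (resource, action) in ROLE_PERMISSIONS.get(role, set())
        for role in session.roles
    )
    if not granted:
        return Decision(False, f"no role grants {action} on {resource}")
    needed = STEP_UP_REQUIRED.get((resource, action), "password")
    if ASSURANCE[session.assurance] < ASSURANCE[needed]:
        return Decision(False, f"step-up required: {needed}")
    return Decision(True, "granted")


if __name__ == "__main__":
    requests = [
        (Session("alice", {"developer"}, "password"), "app-logs", "read"),
        (Session("alice", {"developer"}, "password"), "ci-pipeline", "trigger"),
        (Session("bob", {"sre"}, "mfa"), "prod-db", "restore"),
        (Session("bob", {"sre"}, "hardware_key"), "prod-db", "restore"),
    ]
    for sess, res, act in requests:
        d = authorize(sess, res, act)
        print(f"{sess.user:6} {act:8} {res:12} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

The evaluator is deliberately deny-by-default: an unknown role, an unknown assurance level or a missing grant all fall through to a refusal, and the reason string tells the caller whether re-authentication at a higher level would help.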

Cloud-based endpoint security keeps your business secure

Cyber criminals are always looking for ways to attack endpoints and infiltrate servers while avoiding notice. Therefore, it is crucial that businesses invest in endpoint security so that they are able to prevent breaches.

Through endpoint security, it is possible to benefit from better data protection and encryption features that prevent criminals from achieving their nefarious purposes. Implementing cloud security features can secure data access, prevent infiltration and deliver benefits like better monitoring of user activity.

Does your security program suffer from piecemeal detection and response?
https://securityintelligence.com/posts/does-your-security-program-suffer-piecemeal-detection-response/
Thu, 05 Oct 2023 11:00:00 +0000

Many organizations face siloed and disjointed threat detection and response systems as part of their security program. Learn how to treat the affliction known as piecemeal detection and response.


Piecemeal Detection and Response (PDR) can manifest in various ways. The most common symptoms of PDR include:

If any of these symptoms resonate with your organization, it’s time to address PDR.

I know what you’re thinking: PDR isn’t really a thing. While the security industry already has an overloaded number of “DR” terms, like EDR, NDR, CDR, MDR, XDR, TDIR, etc., you’re right — there’s no industry PDR term, but the sentiment behind our playful acronym is certainly real. Case in point: look at the number of “DR” acronyms in the previous sentence. The industry as a whole is fragmented, and this has resulted in many enterprises suffering from PDR.

Why PDR happens

PDR side effects often include malaise, restlessness, a sense of unmanaged risk, a willingness to get distracted by generative AI, a compulsion to attend conferences outside of the office and an uncharacteristic joyfulness when attending budget meetings. This all results from the fact that the road to recovery from PDR can often be difficult. How did you get PDR anyway?

PDR may have snuck into your security program. You were happy with your SIEM, and then endpoint detection and response (EDR) came along and demanded to run “outside the SIEM,” and you thought, “That’s not so bad.”

Then attack surface management (ASM) came along and didn’t integrate with anything, but you knew you couldn’t detect and respond to threats in assets that you don’t know about, so you needed to buy that stand-alone ASM tool.

Identity threat management came along but that was only available from your current identity vendor and didn’t integrate with your user behavior analytics (UBA) system. Next thing you know you’ve got PDR.


Five treatment goals for PDR

1. Consolidation

We’re not just talking about vendors, but tool and workflow consolidation. Most of the new security technologies you bought as an independent capability over the last 3-5 years have been paired or integrated by a vendor looking to capture market share by adding adjacent capabilities. Make sure you understand what can be “good enough” versus “best in class” when looking to consolidate capabilities. If you’re consolidating vendors, select vendors that first and foremost commit to extensibility and integration.

2. Proactive security

Instead of merely reacting to threats, focus on proactive measures. Reduce your attack surface by investing in exposure management. Establish a program that includes services such as code analysis, attack surface management, enterprise detection engineering, penetration testing, adversary simulation, threat hunting, and vulnerability management.

3. Zero trust in the cloud

You might be wondering how zero trust earned a spot in a detection and response to-do list. I recognize that distributed (aka federated) enterprise threat detection and response (TDR) is still maturing.

A common scenario today is a hybrid cloud environment that uses cloud-native security capabilities, where the cost of extracting data from the cloud hyperscalers is prohibitive, so security teams end up supporting two disconnected environments. Until federated detection and response tooling improves, the best universal strategy is to use the cloud detection and response tooling needed to support the business transition to cloud, while putting more security attention on prevention when adopting cloud-native security capabilities. Ensure that all the zero trust concepts you worked so hard to define and implement in your legacy environment also extend to your cloud environments.

4. Strategic planning

Take an inventory of your current PDR capabilities and define your future state. Realize that your strategy may need to play out over multiple years.

5. Threat management architect

Appoint a threat management architect with both technical expertise and the ability to evangelize security principles. They should understand the holistic concept of cyber resilience, which encompasses more than just backups and recovery but also anticipates and prepares for threats while maintaining business continuity.

Seeking help from a PDR professional

If PDR is deeply embedded in your organization, consider enlisting the expertise of a PDR professional. Look for a professional with advanced capabilities who can enhance your existing investments rather than pushing for new software adoption. They should offer a range of services, including application and database security, and be well-versed in cloud environments. Ensure your chosen PDR professional can provide a comprehensive portfolio of services, spanning threat prevention to incident response.

Overcome PDR with threat detection and response services

IBM Consulting has services professionals who are certified PDR recovery professionals. The new Threat Detection and Response (TDR) service from IBM’s Cyber Threat Management Services is designed with many of the principles covered here. You don’t need to make a massive investment in AI; we’ve been doing that for years. You don’t need to rip and replace any of the investments you’ve made; we support the broadest ecosystem of vendors.

Starting with TDR is as simple as joining us for the webinar on November 1 to learn more, or reading the press release to learn how you can reduce cyber risk and lower incident costs by 65% with the Threat Detection and Response service. You can also check out our recent managed detection and response (MDR) market leadership in this KuppingerCole Report.

We’ll get you on the road to PDR recovery in no time.

Combining EPP and EDR tools can boost your endpoint security
https://securityintelligence.com/posts/combining-epp-and-edr-tools-can-boost-your-endpoint-security/
Tue, 25 Jul 2023 13:00:00 +0000


Endpoint protection platform (EPP) and endpoint detection and response (EDR) tools are two security products commonly used to protect endpoint systems from threats. EPP is a comprehensive security solution that provides a range of features to detect and prevent threats to endpoint devices. At the same time, EDR is specifically designed to monitor, detect and respond to endpoint threats in real-time. EPP and EDR have some similarities, as they both aim to protect endpoints from threats, but they also have some key differences. Let’s dive into it.

EPPs are a critical component of an organization’s endpoint security strategy. The platforms typically include features such as host intrusion prevention, host web protection, log inspection and integrity monitoring. These features provide a foundational level of protection against known threats. However, their reliance on traditional signature-based antivirus components limits their effectiveness in detecting and blocking new and emerging threats. While enterprise EPP vendors now offer some level of heuristic and machine-learning threat detection, it does not match EDR capabilities.

This is where EDR tools come into play. They utilize machine learning and behavioral analysis to detect and respond to cyber threats in real-time. By analyzing endpoint behavior, EDR tools can identify and block unknown malware and advanced threats that traditional antivirus software is unable to detect.

While EPPs provide a strong foundation for endpoint protection, their limitations in detecting and blocking new and emerging threats highlight the need for additional layers of protection, such as EDR tools. By combining the strengths of EPPs and EDR tools, organizations can create a more comprehensive approach to endpoint security that leverages the strengths of both tools.

Pros and cons of EPP and EDR tools

Many of the main players in the endpoint security market provide integrated EPP and EDR suites combining the capabilities of both within a single agent and console to provide a comprehensive overview of an organization’s security threat posture.

Both EPP and EDR have the following components (either individually or combined):

  1. Endpoint agent: An agent is installed on the endpoint to monitor and collect data on endpoint activity, including system logs, network traffic and file activity.
  2. Management console: The collected data is sent to a central server for storage and analysis. Typically available both in on-premise and Software-as-a-Service (SaaS) options:
    • On-Premise: For deployments where regulatory and compliance requirements do not allow data to leave a local data center; this comes with the extra cost of maintaining the infrastructure that hosts the applications (typically virtual machine and database servers).
    • SaaS: Hosted by a vendor with increased resiliency and availability; all regulatory and compliance impacts are maintained by vendor service level agreements within the license agreement.

EPP modules include:

  • Host intrusion prevention: Companies often struggle with patching their operating system (OS) and application vulnerabilities, leaving them with tens of thousands of exploitable gaps. This module helps companies to implement patches in accordance with their processes, typically on server-type endpoints.
  • Host firewall: Controls network traffic to and from the endpoint, blocking unauthorized access and limiting the spread of malware, typically via the use of stateful rules.
  • Host web protection (URL filtering, web reputation): This module blocks access to known malicious websites and limits access to non-work-related websites to improve productivity. Client endpoints like workstations, laptops and mobile devices are typical target areas.
  • Log inspection: This module helps to identify important events that might be buried in OS and application logs, typically for further ingestion by security information and event management (SIEM) solutions.
  • File integrity monitoring: Scans for unexpected changes to registry values, registry keys, services, processes, installed software, ports and files to identify violations.
  • Device control: Controls access to USB and other external devices, preventing the spread of malware via removable media, specifically for client endpoints and for preventing end-user use of unsanctioned flash drives.
  • Disk encryption: Encrypts data on the endpoint, ensuring that sensitive information remains secure even if the device is lost or stolen.
  • Endpoint data loss prevention (DLP): Monitors and controls the movement of sensitive data on endpoints, preventing data leaks and unauthorized access. While there are many standalone DLP enterprise solutions, the benefit of using an EPP-integrated one comes with reduced agent footprint and environment complexity.
  • Application/change control: Restricts unauthorized software from running until explicitly permitted or permits software until explicitly restricted, allowing companies to choose the level of control aligned to environment specifics.
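The file integrity monitoring module above is easiest to understand as a baseline-and-compare loop. The following is an added example, not code from any EPP vendor: it hashes every regular file under a directory, then reports files that were added, removed or modified since the baseline was taken. The directory layout and file contents are constructed inside a temporary directory so the demonstration runs offline.

```python
"""File integrity monitoring: hash baseline and change report.

Added example, not an EPP product's own FIM code. Walks a directory tree,
records a SHA-256 digest per regular file, and compares two such baselines.
The sample tree built in demo() is constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map each regular file (relative POSIX path) under root to its digest.
    Symlinks are skipped so a link cannot masquerade as a monitored file."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Classify differences between two baselines as added, removed or modified."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "agent").write_bytes(b"original agent binary")
        (root / "etc").mkdir()
        (root / "etc" / "policy.conf").write_text("level=strict\n")
        baseline = build_baseline(root)

        (root / "etc" / "policy.conf").write_text("level=off\n")  # modified
        (root / "bin" / "dropper").write_bytes(b"new file")        # added
        (root / "bin" / "agent").unlink()                           # removed
        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

In a real deployment the baseline would be stored somewhere the monitored host cannot rewrite it, and the scan would be restricted to the paths the policy cares about (binaries, configuration, startup entries) rather than the whole filesystem.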

Pros of EPPs:

  • Enhanced protection: EPP modules provide additional layers of protection against a variety of cyber threats. The main benefit is that each module can be enabled individually on a group of systems or individual systems with custom combinations driven by tailored configurations within defined policies.
  • Centralized management: By integrating these modules into the EPP, organizations can manage endpoint security more efficiently from a central console, reducing management and infrastructure costs.
  • Improved visibility: The data collected by these modules can be used to gain better visibility into endpoint activity, improving the organization’s ability to detect and respond to security incidents.
  • Simplified deployment: Since these modules are integrated into the EPP, they can be deployed and managed more easily than standalone security tools.

Cons of EPPs:

  • Limited effectiveness in detecting and blocking new and emerging threats
  • A reactive approach to security, relying on signature updates to detect new threats
  • Can be costly for on-prem deployments and more complex to deploy and manage with add-on modules
  • May produce a high number of false positives, which can be time-consuming to investigate
  • Integrating additional modules can make the EPP more complex, requiring more resources and expertise to manage it effectively
  • Some modules may have a performance impact on the endpoint, potentially affecting productivity.

Despite these potential drawbacks, the benefits of an EPP with integrated add-on modules can outweigh the costs. By providing additional layers of protection, improving visibility and centralizing management, these modules can enhance an organization’s endpoint security posture.

Ultimately, organizations should carefully consider their specific security needs and budget when deciding which modules to integrate with their EPP. By selecting the right combination of modules, organizations can achieve a more comprehensive approach to endpoint security that addresses their unique needs and mitigates cyber risks. Companies should start with a phased approach, gradually enabling additional modules and features as needs expand.

EDR tools, on the other hand, utilize machine learning and behavioral analysis to detect and respond to cyber threats in real-time. By analyzing endpoint behavior, EDR tools are able to identify and block unknown malware and advanced threats that traditional antivirus components are unable to detect. EDR can be considered an add-on to the core EPP suite for comprehensive security protection, detection and response.

EDR modules include:

  • Behavioral analysis: EDR tools monitor endpoint activity for suspicious behavior that may indicate a threat. This can include detecting unusual network traffic, file activity and system changes.
  • Machine learning: EDR tools use machine learning algorithms to identify patterns and anomalies in endpoint activity that may indicate a security threat. This enables EDR tools to identify and respond to new and unknown threats.
  • Threat intelligence: EDR tools use threat intelligence feeds to stay up-to-date on the latest known threats and indicators of compromise. This helps EDR tools identify and respond to known threats more effectively.
  • Response and forensics: EDR tools allow for remote containment of endpoints, cutting them out of the network with a single click and opening a remote shell for threat hunter investigation, minimizing the impact of an attack spreading across the environment.
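To make the behavioral analysis and machine learning modules concrete, here is an added example (not any EDR product's own detection logic) that runs over constructed process-creation events. It combines two approaches the list describes: static behavioral rules, such as a document-handling application spawning a script host or a binary executing from a temporary directory, and a simple learned baseline of parent-to-child process pairs that flags pairs not seen during the training window. Image names, paths and the minimum-count threshold are assumptions.

```python
"""Behavioral detection over endpoint process telemetry.

Added example, not an EDR vendor's code. Two checks run over constructed
process-creation events: static rules on suspicious parent/child pairings
and execution paths, plus a learned baseline that flags parent->child
pairs rarely or never seen in a training window.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str  # parent image name, lowercase
    image: str   # child image name, lowercase
    path: str    # full path of the child image


# Assumed name sets for the static rules.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TEMP_MARKERS = ("\\temp\\", "\\appdata\\local\\temp\\", "/tmp/")


def static_rules(ev: ProcessEvent) -> list:
    """Rule-based findings that need no training data."""
    findings = []
    if ev.parent in DOCUMENT_APPS and ev.image in SCRIPT_HOSTS:
        findings.append("document-app-spawned-script-host")
    if any(marker in ev.path.lower() for marker in TEMP_MARKERS):
        findings.append("execution-from-temp-directory")
    return findings


class ParentChildBaseline:
    """Counts parent->child pairs in a training window; a pair seen fewer than
    min_count times is treated as anomalous when it appears later."""

    def __init__(self, min_count: int = 2):
        self.min_count = min_count
        self.counts = Counter()

    def learn(self, events) -> None:
        for ev in events:
            self.counts[(ev.parent, ev.image)] += 1

    def is_anomalous(self, ev: ProcessEvent) -> bool:
        return self.counts[(ev.parent, ev.image)] < self.min_count


def detect(baseline: ParentChildBaseline, events) -> list:
    """Return (host, image, findings) for every event with at least one finding."""
    alerts = []
    for ev in events:
        findings = static_rules(ev)
        if baseline.is_anomalous(ev):
            findings.append("unseen-parent-child-pair")
        if findings:
            alerts.append((ev.host, ev.image, findings))
    return alerts


# Constructed training window: routine activity on two workstations.
TRAINING = [
    ProcessEvent("ws1", "explorer.exe", "winword.exe", "C:\\Program Files\\Office\\winword.exe"),
    ProcessEvent("ws1", "explorer.exe", "winword.exe", "C:\\Program Files\\Office\\winword.exe"),
    ProcessEvent("ws2", "explorer.exe", "chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"),
    ProcessEvent("ws2", "explorer.exe", "chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"),
    ProcessEvent("ws1", "services.exe", "svchost.exe", "C:\\Windows\\System32\\svchost.exe"),
    ProcessEvent("ws1", "services.exe", "svchost.exe", "C:\\Windows\\System32\\svchost.exe"),
]

# Constructed live window: one benign event and two that should alert.
LIVE = [
    ProcessEvent("ws1", "explorer.exe", "chrome.exe", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"),
    ProcessEvent("ws1", "winword.exe", "powershell.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    ProcessEvent("ws2", "explorer.exe", "update.exe", "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe"),
]


def run_demo() -> list:
    baseline = ParentChildBaseline(min_count=2)
    baseline.learn(TRAINING)
    return detect(baseline, LIVE)


if __name__ == "__main__":
    for host, image, findings in run_demo():
        print(f"{host}: {image} -> {', '.join(findings)}")
```

The baseline check is the part that scales: the static rules only catch what someone already wrote a rule for, whereas the learned pair counts surface any new relationship on the host, at the cost of more alerts to triage, which is exactly the trade-off listed under the cons of EDR tools.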

Pros of EDR tools:

  • Can detect and block unknown and advanced threats in real-time
  • Continuously learn and adapt to new and emerging threats
  • Can provide deeper visibility into endpoint activity and behavior
  • Enable faster detection and response to security incidents, reducing the mean time to respond.

Cons of EDR tools:

  • Can be complex to deploy and manage
  • Typically introduce additional agents on protected endpoints
  • May require more resources and expertise than EPPs to understand and triage threats
  • Can produce a high number of alerts, which can be time-consuming to investigate.

Combining EPPs and EDR tools provides a more comprehensive approach to endpoint security that leverages the strengths of both tools. EPPs can provide a foundational level of protection against known threats, while EDR tools can detect and block unknown and advanced threats in real-time.

To mitigate the gaps in each tool’s capabilities, organizations can implement the following:

  • Integration: Integrating EPPs and EDR tools can provide a more holistic view of endpoint activity and enable faster detection and response to security incidents.
  • Automation: Automating the investigation and response to security incidents can reduce the workload on security teams and help ensure faster response times.
  • Threat intelligence: Incorporating threat intelligence feeds into EPPs and EDR tools can help identify and block emerging threats.

Conclusion

EPP and EDR are both important components of a comprehensive security strategy, and they can work together to provide a more robust defense against threats. Combining EPPs and EDR tools provides a more comprehensive approach to endpoint security that leverages the strengths of both tools. By integrating the two tools and implementing automation and threat intelligence feeds, organizations can mitigate the gaps in each tool’s capabilities and achieve truly comprehensive endpoint security.

Furthermore, the combination of EPPs and EDR tools can lead to the implementation of an extended detection and response (XDR) platform.

XDR platforms integrate data from multiple security tools, including EPPs and EDR tools, proxies, firewalls, SIEM and many other solutions to provide a holistic view of an organization’s security posture. This enables security teams to effectively detect and respond to threats across the entire environment, reducing the risk of successful cyberattacks.

With its Endpoint Security Management Services, IBM Security Services can help organizations design, configure and deploy endpoint protection, align policies with regulatory compliance to protect sensitive data, install the latest endpoint encryption technologies and use security analysts and centralized consoles to monitor, maintain and update security operations.

The needs of a modernized SOC for hybrid cloud
https://securityintelligence.com/posts/threat-detection-response-qradar-security-suite/
Mon, 24 Apr 2023 14:46:00 +0000

What does it take to build a modernized SOC for hybrid cloud environments? Explore the new IBM Security QRadar Suite, built for the real-world demands of security operations — today and beyond.


Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum impact.

However, the move to cloud and the associated expansion of the attack surface is now substantially adding to the complexity of the landscape. The 2022 IBM Security X-Force Cloud Threat Landscape Report found the continued expansion of hybrid cloud environments to be a significant challenge for security teams. X-Force observed a 28% increase in new cloud vulnerabilities compared to the year prior. Further, vulnerable public-facing applications running in a cloud environment have become common targets for attackers, and it can be difficult for organizations to catalogue all applications running in the environment to ensure that all remain patched.

This in turn causes three things to happen:

  1. More data: The need to collect more security telemetry data to provide the necessary visibility. As most of this data is being generated in cloud platforms, it is driving up costs and complexity, especially as shifting data between clouds isn’t free.
  2. More tools: The deployment and use of even more security tooling to provide protection, visibility and response into the new cloud infrastructure (e.g., CWPP, ITDR, CDR, etc.). In many cases, security teams are literally handed new security tools from DevSecOps or the CIO due to expediency (“Hey, this works for technology X”), or for financial reasons (“Hey, this is free for cloud Y”).
  3. More UX complexity and more alerts: More tools, more data, more moving parts result in more headwinds for security teams to keep ahead of the attackers. They are faced with additional integration and configuration work, as well as new UXs to become experts in, as they pivot from one to the other to chase down threats. According to the 2023 IBM Global Security Operations Center Study, surveyed SOC professionals said they only review 49% of alerts they should during a typical workday, and nearly two-thirds of those are low priority or false positives. Further, 81% of those surveyed say they are slowed down by manual investigation — their most common drag on threat response time.

Finally, cost is increasingly a factor in decision-making. All organisations are looking for ways to control costs by leveraging existing investments and capabilities that are ‘included,’ as well as by increasing the productivity of their teams. Unfortunately, exponentially increasing data volumes, additional security tooling, and traditional tooling with complex and costly licensing models are creating significant headwinds.

It is no surprise that 63% of organizations seek to improve their security operations center’s ability to detect and respond.


The DNA needed in a modernized SOC for the hybrid cloud

To address these challenges we need to rethink some of the priorities that drove our decisions to where we are today.

Firstly, we need to design for the analyst experience. Historically, our industry has been very tool driven, which was the priority at the time. But now we need to focus on our teams, their productivity, their job satisfaction. We need to reduce the UX complexity they have to deal with (variety, languages, vocabulary).

Secondly, we need to leverage built-in AI, automation and expertise to scale the experts and heroes we have in our security teams today. You know the ones — they just make everything work, they can chase down threats across all the complex infrastructure. They are the ones you rely on when urgent actions and answers are needed. Automation and AI sit at the core of what’s needed to achieve this. AI-enabled technology can do the heavy lifting for analysts, supporting everything from threat investigation to recommended remediation actions. Both the days to detection and hours to investigation of a cybersecurity incident can be dramatically reduced with AI adoption, by as much as 50% and 29%, respectively, according to the IBM Institute for Business Value.

Finally, we need to enable open systems and community collaboration. The reality of the cloud world is that security is going to be federated across multiple systems. Organisations need the choice of which security systems they will leverage, in a way that doesn’t add complexity or burden their teams with proprietary ecosystems and content. Open standards that foster collaboration, integration and shared threat detection content are increasingly an absolute must. According to the SANS Institute, 66% of security teams surveyed say they are prioritising integrations to help improve their security operations.

Announcing IBM Security QRadar Suite

QRadar has been a market-leading SIEM for over 15 years, with numerous innovations in analytics including NDR, UEBA and AI (Watson for Cyber). Now the new IBM Security QRadar Suite has been extended to also include EDR/XDR and SOAR, as well as new cloud-native log analytics capabilities (Log Insights) that enable cost-effective collection, analysis, visualisation and blazingly fast search of data at cloud scale. Unifying these capabilities on a single, modular platform enables step-wise adoption and provides users with a complete TDIR system. As each solution is adopted, it adds capabilities, context, insights and automation to the analyst experience with little incremental training or integration work.


In addition to enabling all the core capabilities security teams need, the new QRadar Suite has been designed specifically around the DNA needs we discussed previously required for a modernized SOC securing the hybrid cloud:

Open systems and community collaboration

The new QRadar Suite is not only built on an open hybrid cloud platform (OpenShift) that enables a cloud-native, elastic, resilient architecture and a choice of where and how to deploy (e.g., licensed software or SaaS), but also leverages open standards throughout.

For example, all the products in the QRadar Suite support correlating security findings from third parties as well as federated search, enabling organisations to leverage tools they have today and the choice of what ones they leverage in the future, all without having to move their data. The suite also leverages MITRE and SIGMA natively in threat detection, investigation and response — enabling security teams to move seamlessly at the speed of the community to keep up with attackers.

Built-in AI, automation and expertise

The suite is embedded with AI and automation innovations that have been shown to speed alert prioritisation by 55% in the first year, on average, improve response times 8x, and speed up investigations 60x. In addition, the suite also includes continuously updated threat detection and response content from the X-Force team, with insights gathered from working with thousands of customers globally.

The suite also includes a new innovative automated investigation capability that will automatically investigate an alert across multiple systems (leveraging federated search, threat intelligence and SIGMA), no matter where it came from, and bring together the findings, as well as recommended response actions onto a single, easily consumable timeline for an analyst to review and execute quickly.

Designed for the analyst experience

The QRadar Suite has been architected around a unified analyst experience that assists security analysts throughout their investigation, response and threat hunting workflows across EDR/XDR, SIEM, SOAR and Security Log Management (SLM). This new unified experience works across not only the IBM QRadar Suite but also over 40 third-party technologies as it is based on open standards and federated search. The experience has been designed alongside our security teams and experts and is infused with their expertise and insights to bring them the ‘What?’, ‘Who?’, ‘Where?’, ‘When?’, and the important ‘What should I do next?’ they need in a simple, easy-to-consume workflow.

Built specifically for the demands of today’s and tomorrow’s security operations and hybrid cloud environments, the QRadar Suite helps SOC analysts make better decisions quicker while strengthening their threat detection and response capabilities. Organizations looking to modernize their SOCs can feel more confident and supported in the face of uncertainty and complexity.


Cybersecurity in the next-generation space age, pt. 3: Securing the new space
https://securityintelligence.com/posts/cybersecurity-in-the-next-generation-space-age-pt-3-securing-new-space/
Fri, 24 Feb 2023 23:30:00 +0000


View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series.

As we saw in the previous article of this series, which discussed the cybersecurity threats in New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace.

The need to ensure the security and safety of these technologies has never been more pressing.

So, let’s look at a range of measures for securing space systems.

Security by design

Security by design is an approach to designing systems, products, or applications with security as a primary consideration from the outset, rather than adding it as an afterthought.

Security by design is an important consideration in the New Space industry because New Space companies are often startups or smaller companies that are developing innovative solutions to space-related challenges, and security by design is essential to ensure the safety, reliability and security of these new technologies and satellites.

One of the key components used in the New Space industry is the software defined radio (SDR).

Let’s dive deeper into the application of a security by design approach for an SDR architecture.

Secure SDR architecture

Software defined radio is the new groundbreaking technology leading this new space era.

Thus, securing the SDR architecture is an essential step in preventing cyberattacks.

The European Secure Software Defined Radio (ESSOR) is a project created by nine European countries. It seeks to develop mutual technologies for European military radios and provide a secure communication system.

NASA also developed a Space Telecommunications Radio System (STRS) architecture standard.

The purpose of both efforts is to develop an SDR architecture that is secure by design.

An SDR architecture is composed of a software part and a hardware part. Many proposals have been made to secure the SDR architecture, addressing both the software and the hardware part.

On the one hand, a proposed secure SDR architecture focusing on hardware is the new spectrum management architecture. This design is based on an automatic calibration and certification unit (ACU), a radio security module (RSM) and a built-in GPS receiver.

Proposed SDR hardware architecture

The ACU is a hardware radio frequency (RF) manager. It checks output power spectrum compliance with the local radio regulation parameters. The ACU is integrated between the programmable physical layer and the RF modules.

RSM is the security manager of the hardware; the local radio regulation parameters are securely downloaded to the hardware and stored in the RSM. It manages the software life cycle — downloading, installation, operation and termination.

This architecture relies on a security module, based on software or tamper-proof hardware, to secure both the software operations (download and installation) and the radio frequency configuration parameters.

On the other hand, a proposal for securing SDR based on software architecture looks as follows.

There are some software SDR architecture components that need to be secured.

The newly proposed architecture is based on two key concepts. The first is the separation between the application environment and the radio operating environment, so that the compromise of one does not affect the other.

The second is checking every SDR reconfiguration parameter produced by the application environment against the security policies before it can have any impact on the radio environment.

Traditional (a) and proposed (b) secure architecture of SDR

The proposed secure SDR architecture includes a secure radio middleware (SRM) layer. It contains the components that need to be secured: the radio applications (RA) and the radio operation environment (ROE).

An RA is a software component in the SDR that controls the radio by implementing the air interface, the modulation and the communication protocols. The RA needs to be protected because an attacker could otherwise reconfigure it with erroneous parameters (frequency, modulation, etc.).

ROE contains the fundamental core components for the radio platform operation.

The SRM layer sits beneath the user application environment (UAE) layer (the OS); thus a compromise of a user application (UA) or of the UAE cannot reach it.

This secure layer contains verification mechanisms that ensure that radio reconfigurations comply with the security policies.
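As an added illustration of that verification mechanism (example code written for this page, not from the cited SDR proposals), the following Python gate stands between a reconfiguration request produced in the application environment and the radio operating environment; the regulation parameters, band edges, power limits and modulation lists are constructed values, not any real regulation.

```python
"""Added example: policy gate for SDR reconfiguration parameters (constructed regulation values)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Band:
    low_hz: float            # regulated band edges
    high_hz: float
    max_power_dbm: float     # maximum output power permitted in this band
    modulations: frozenset   # modulations permitted in this band


@dataclass
class RadioPolicy:
    """Local radio regulation parameters as the RSM would store them after a secure download."""
    region: str
    bands: List[Band]


@dataclass
class Reconfiguration:
    """Parameters requested by a radio application; produced in the application environment, never applied directly."""
    center_hz: float
    bandwidth_hz: float
    power_dbm: float
    modulation: str


def check_reconfiguration(req: Reconfiguration, policy: RadioPolicy) -> List[str]:
    """Return every policy violation; an empty list means the request may reach the radio."""
    if req.bandwidth_hz <= 0:
        return ["bandwidth must be positive"]
    low = req.center_hz - req.bandwidth_hz / 2
    high = req.center_hz + req.bandwidth_hz / 2
    # The whole occupied spectrum, not just the centre frequency, must sit inside one permitted band;
    # a request whose centre is legal but whose edges spill out of the band is rejected.
    band = next((b for b in policy.bands if b.low_hz <= low and high <= b.high_hz), None)
    if band is None:
        return [f"occupied spectrum {low:.0f}-{high:.0f} Hz is outside every permitted band in {policy.region}"]
    violations = []
    if req.power_dbm > band.max_power_dbm:
        violations.append(f"power {req.power_dbm} dBm exceeds band limit of {band.max_power_dbm} dBm")
    if req.modulation not in band.modulations:
        violations.append(f"modulation {req.modulation} is not permitted in {band.low_hz:.0f}-{band.high_hz:.0f} Hz")
    return violations


class RadioOperatingEnvironment:
    """Stands in for the ROE: the active configuration changes only through the policy gate."""

    def __init__(self, policy: RadioPolicy):
        self.policy = policy
        self.active: Optional[Reconfiguration] = None
        self.audit: List[tuple] = []   # every request and its outcome, for the operator's log

    def apply(self, req: Reconfiguration) -> bool:
        problems = check_reconfiguration(req, self.policy)
        self.audit.append((req, problems))
        if problems:
            return False
        self.active = req
        return True


# Constructed policy for the demonstration: two hypothetical bands with their own power and modulation rules.
DEMO_POLICY = RadioPolicy("demo-region", [
    Band(435.0e6, 438.0e6, 30.0, frozenset({"GMSK", "BPSK"})),
    Band(2400.0e6, 2450.0e6, 20.0, frozenset({"QPSK", "OQPSK"})),
])
```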

Proactive defense

Proactive defense in cybersecurity refers to the measures and strategies designed to prevent a potential cyber threat to assets and systems before they can cause harm.

By taking a proactive approach in space systems, New Space companies can better protect themselves against potential cyberattacks and minimize the impact of any security breaches that do occur.

Proactive defense in space systems may include measures like:

  • Risk assessments
  • Vulnerability management
  • Patch management to apply software patches and updates with the aim to fix flaws and vulnerabilities
  • Threat modeling by identifying potential threats and attack vectors
  • Attack surface management
  • Endpoint protection with behavioral analysis and machine learning capabilities
  • Security awareness training for space system operators to educate them about potential space security risks and best practices
  • Offensive security assessments including pentest and red team campaigns to apply an adversarial approach and determine the weaknesses in the space system components.

A proactive approach can help to ensure the safe and effective operation of space-based assets and systems and can also help to maintain the integrity of critical space-based infrastructure.

Reactive defense

Reactive defense refers to the approach of responding to cyber threats and attacks after they have already occurred.

The reactive cyber defense measures may include:

  • Forensic analysis to determine the root cause of a security incident after it has occurred
  • Security Information and Event Management (SIEM) solutions to collect, analyze and respond to security events and alerts from various sources within the space system components
  • Incident response with the development of plans and procedures to respond to security incidents, such as a data breach or a cyberattack on a satellite or ground station
  • Disaster recovery plan.

A reactive approach is very important to minimize the damage caused by a cyberattack and restore normal operations as quickly as possible.

By combining proactive and reactive defense measures, space industry actors can create a comprehensive security strategy that addresses both the prevention of and the response to cyberattacks.

Identity and access management

Identity and access management (IAM) for space assets is an essential measure to improve security posture and streamline how users and consumers access resources and services.

In the ground segment, command and control centers require IAM controls.

Ground station components like the payload control station, flight control station and SDR need to be secured by strict access control policies.

Regarding space vehicles, access control needs to be implemented for SDR, data handler and flight computer components to authorize only legitimate users to access sensitive data and satellite commands.

Space industry actors need to adopt an identity and access management strategy as a part of building an enduring security program using a zero trust approach so that they can:

  • Establish a state of least privilege so no user has any more access than what’s needed
  • Verify continuously, as users access data and tools
  • Always assume a breach.

Signal authentication

Signal authentication is one of the essential mechanisms that can protect satellite communication from attacks like jamming, eavesdropping or spoofing.

Most satellites use a broadcast flow to send downlink data to the ground station; GNSS data is one such example.

According to research by the company Qascom, GNSS authentication protocols can be categorized into three domains: data level, signal level and hybrid level.

Data level authentication

Data level authentication schemes are cryptographic.

To ensure the integrity, authentication and non-repudiation of exchanged data, we need a broadcast data authentication scheme.

The simplest broadcast data authentication schemes are based on message authentication codes (MACs), which provide data integrity and data authentication, and digital signatures (DSs), which address integrity, authentication and non-repudiation.

These schemes include three main families: block hashing, hash chaining and MAC-based source authentication schemes.

Timed Efficient Stream Loss-Tolerant Authentication (TESLA) is an example of an authentication protocol in the MAC-based source authentication family. The TESLA protocol is known for its robustness to denial-of-service attacks.

Navigation Message Authentication (NMA), introduced in 2005, is another data level authentication concept; it provides authenticity and integrity for the navigation message stream.
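The MAC-based, delayed-key-disclosure idea behind TESLA, shown as an added Python example rather than code from the page or from Qascom: the sender commits to the end of a one-way key chain, MACs each message with that interval's key and discloses the key one interval later, and the receiver refuses packets that arrive after their key could already be public. The chain and MAC derivation functions, the one-interval delay and the "ephemeris" payloads are constructed for the illustration.

```python
"""Added example: simplified TESLA broadcast authentication (delayed key disclosure)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def chain_step(key: bytes) -> bytes:
    """One-way function F walking the key chain backwards: K_{i-1} = F(K_i)."""
    return hashlib.sha256(b"tesla-chain" + key).digest()


def mac_key(key: bytes) -> bytes:
    """Second one-way function F' deriving the MAC key for an interval from its chain key."""
    return hashlib.sha256(b"tesla-mac" + key).digest()


@dataclass
class Packet:
    interval: int
    payload: bytes
    tag: bytes
    disclosed_key: Optional[bytes]  # K_{i-d}, revealed d intervals after it was used


class Sender:
    def __init__(self, seed: bytes, n_intervals: int, delay: int = 1):
        # Build K_n ... K_0 by repeated hashing; keys[i] is K_i and keys[0] is the public commitment.
        keys = [seed]
        for _ in range(n_intervals):
            keys.append(chain_step(keys[-1]))
        self.keys = keys[::-1]
        self.delay = delay

    def commitment(self) -> bytes:
        return self.keys[0]

    def send(self, interval: int, payload: bytes) -> Packet:
        tag = hmac.new(mac_key(self.keys[interval]), payload, hashlib.sha256).digest()
        j = interval - self.delay
        return Packet(interval, payload, tag, self.keys[j] if j >= 1 else None)


class Receiver:
    def __init__(self, commitment: bytes, delay: int = 1):
        self.known: Dict[int, bytes] = {0: commitment}  # verified chain keys by interval
        self.latest = 0
        self.delay = delay
        self.pending: Dict[int, List[Tuple[bytes, bytes]]] = {}
        self.authenticated: List[Tuple[int, bytes]] = []
        self.rejected: List[Tuple[int, bytes]] = []

    def receive(self, pkt: Packet, current_interval: int) -> str:
        # Security condition: accept a packet only if it arrived before the sender
        # could have disclosed its key (this is why TESLA needs loose time synchronisation).
        if current_interval >= pkt.interval + self.delay:
            return "dropped: arrived after its key could have been disclosed"
        self.pending.setdefault(pkt.interval, []).append((pkt.payload, pkt.tag))
        if pkt.disclosed_key is not None and not self.learn_key(pkt.interval - self.delay, pkt.disclosed_key):
            return "buffered: disclosed key failed the chain check"
        return "buffered"

    def learn_key(self, j: int, key: bytes) -> bool:
        """Verify a disclosed K_j against the newest trusted key, then authenticate buffered packets."""
        if j <= self.latest:
            return key == self.known.get(j)
        probe = key
        for _ in range(j - self.latest):
            probe = chain_step(probe)
        if probe != self.known[self.latest]:
            return False  # forged or corrupted key: it does not hash back onto the chain
        old, k = self.latest, key
        for i in range(j, old, -1):  # also recovers keys of intervals whose packets were lost
            self.known[i] = k
            k = chain_step(k)
        self.latest = j
        for i in range(old + 1, j + 1):
            self._authenticate(i)
        return True

    def _authenticate(self, i: int) -> None:
        mk = mac_key(self.known[i])
        for payload, tag in self.pending.pop(i, []):
            expected = hmac.new(mk, payload, hashlib.sha256).digest()
            target = self.authenticated if hmac.compare_digest(expected, tag) else self.rejected
            target.append((i, payload))


def demo():
    """Constructed exchange: two genuine packets, one spoofed payload and one packet replayed late."""
    sender = Sender(b"constructed-seed", n_intervals=6)
    rx = Receiver(sender.commitment())
    results = [rx.receive(sender.send(1, b"ephemeris-1"), current_interval=1)]
    results.append(rx.receive(sender.send(2, b"ephemeris-2"), current_interval=2))  # discloses K_1
    p3 = sender.send(3, b"ephemeris-3")
    spoofed = Packet(3, b"ephemeris-3-SPOOFED", p3.tag, p3.disclosed_key)           # payload altered in transit
    results.append(rx.receive(spoofed, current_interval=3))
    results.append(rx.receive(sender.send(4, b"ephemeris-4"), current_interval=4))  # discloses K_3
    results.append(rx.receive(sender.send(4, b"replayed"), current_interval=5))     # fails the time check
    return results, rx.authenticated, rx.rejected
```

Calling demo() returns the per-packet verdicts plus the authenticated and rejected lists; the spoofed packet is only rejected once K_3 arrives, which is the buffering delay TESLA trades for its resistance to flooding.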

Signal level authentication

Signal level schemes rely on the properties of spread spectrum signals: without knowledge of the secret spreading code, an attacker finds it hard to demodulate the signal.

Spread spectrum security codes (SSSCs) and signal authentication sequences (SAS) are schemes that were proposed as signal level authentication.

Hybrid level authentication

Hybrid authentication combines data level and signal level authentication; the concept of supersonic codes was introduced for this purpose.

The supersonic codes are block ciphered and in code phase with open codes, and the same code is repeated for a predefined security period. This allows direct authentication without time dependency, as opposed to stream-cipher-based solutions.

The protocol aims to deliver a very fast authentication scheme that does not require knowledge of the time.

The supersonic authentication scheme is robust against known GNSS attacks such as spoofing and replay.

Cryptography

Quantum key distribution

Quantum Key Distribution (QKD) is an emerging technique that relies on the unique properties of quantum mechanics and provides tamper-evident communication used to deploy new cryptographic keys with unconditional post-quantum security and without direct physical contact.

In 2016, China launched the Micius satellite for satellite-based quantum cryptography.

The satellite has successfully demonstrated the feasibility of satellite-based quantum cryptography and has been used for communication between a fiber-based QKD backbone and remote areas of China.

Post-quantum cryptography

Post-Quantum Cryptography (PQC) is an alternative approach to securing communication and data exchange between satellites and ground stations. Unlike QKD, PQC uses conventional cryptography and mathematical problems to build cryptosystems that remain secure against both classical and quantum computers.

In July 2022, the US National Institute of Standards and Technology (NIST) announced the first quantum-safe cryptography protocol standards for cybersecurity in the quantum computing era.

In 2016, contenders from all over the world submitted 69 cryptographic schemes for potential standardization. NIST later narrowed down the list of candidates over three stages, eventually shortlisting seven finalists — four for public key encryption and three for digital signatures. At the end of a six-year-long process, three of the four chosen standards were developed by the IBM team, in collaboration with several industries and academic partners. They include the CRYSTALS-Kyber public-key encryption and the CRYSTALS-Dilithium digital signature algorithms, which were chosen as primary standards. The Falcon digital signature algorithm was chosen as a standard to be used in situations where the use of Dilithium would be space prohibitive.

Security protocols and standards

As discussed earlier in this series, satellite communications are very exposed to adversary cyberattacks. Many errors and vulnerabilities exist and have been exploited.

Security against communication attacks has become a major issue, and safe, correct communication protocols are a necessity.

The Consultative Committee for Space Data Systems (CCSDS) has developed a recommendation standard for the Space Data Link Security Protocol (SDLS).

The CCSDS protocols were developed specifically for space use, including packet telemetry.

The SDLS Protocol is a data processing method for space missions that need to apply authentication and/or confidentiality to the contents of transfer frames used by Space Data Link Protocols over a space link. The Security Protocol is provided only at the data link layer (Layer 2) of the OSI Basic Reference Model.

The purpose of the Security Protocol is to provide a secure standard method, with associated data structures, for performing security functions on octet-aligned user data within Space Data Link Protocol transfer frames over a space link.

For CubeSats, an open source communication implementation is preferable. CubeSat Space Protocol (CSP) is a small, lightweight network-layer delivery protocol designed for CubeSat communications; CSP provides encryption and integrity.

The National Institute of Standards and Technology published in December 2022 an interagency report (NIST IR 8401): a cybersecurity framework for the satellite ground segment of space operations.

The purpose of this framework is to assist the operators of the commercial ground segment in providing cybersecurity for their systems, managing cyber risks, and addressing the Space Policy Directive 5 (SPD-5) goals for space cybersecurity. SPD-5 is the nation’s first comprehensive cybersecurity policy for space systems.

Conclusion

The development and deployment of space technology in the New Space age bring with it a new set of cybersecurity challenges. With the increasing number of satellites and spacecraft being launched, it is essential that we ensure their secure design, operation and communication to prevent cyberattacks that could compromise sensitive data or disrupt satellite services.

Looking forward, the future development of New Space technology holds great promise, with the potential for even more significant discoveries and advancements in various areas. So, what are the future development areas and challenges for the New Space industry? The next article in this series will bring the answer to that question.

Cybersecurity in the next-generation space age, pt. 1: Introduction to new space
https://securityintelligence.com/posts/cybersecurity-in-the-next-generation-space-age-pt-1-introduction-to-new-space/
Wed, 08 Feb 2023 22:00:00 +0000

Working as a cybersecurity engineer for many years, and closely following the rapid evolution of the space ecosystem, I wholeheartedly believe that space systems today are targets of cyberattacks more than ever.

The purpose of this article is to give you a glimpse of cybersecurity threats and challenges facing the New Space economy and ecosystem, with a focus on smallsats in Low Earth Orbit (LEO), as well as some technologies to assess space cybersecurity risks.

The article series is divided into four parts: Introduction to New Space, Threats in the New Space, Secure the New Space, and finally New Space Future Development and Challenges.

Introduction

The Aerospace and Defense industry is a global industry composed of many companies that design, manufacture, and service commercial and military aircraft, ships, spacecraft, weapons systems, and related equipment.

The Aerospace and Defense industry is composed of different key segments: large defense prime contractors/system integrators, commercial aerospace prime contractors or system integrators, first-tier subcontractors, second-tier subcontractors, and finally third-tier and fourth-tier subcontractors.

The industry is facing enormous challenges that stem from the COVID-19 pandemic, concerns over sustainability, disruptions from new technologies, heightened regulatory forces, radically transforming ecosystems, and, above all, the cyber threats and attacks that are getting more and more worrisome.

The increase in space cyberattacks and cybersecurity risks stems from the evolution of the space ecosystem into the New Space Age.

In this first article of the series, we will focus on the New Space notion and the definition of space system architecture.

From old space to new space

Earlier, the space industry was a nation-level domain — and not just any nation; the United States of America and the Union of Soviet Socialist Republics dominated the industry. Space was related to governments and defense departments, and the objectives were essentially political and strategic ones.

Now, there is more involvement in space globally than ever before in history. This new era, led by private space efforts, is known as the “New Space Age”: a movement that views space not as a location or metaphor, but as a well of resources, opportunities and mysteries yet to be unlocked.

New Space is evolving rapidly with industry privatization and the birth of new ventures to achieve greater space accessibility for different parties.

Nevertheless, these technological developments and the fast growth of New Space projects enlarge the space attack surface and increase the risk of cyberattacks.

Space and satellite systems

LEO and CubeSats

LEO is a circular orbit around the Earth with an altitude of 2,000 km (about 1,200 miles) or less.

Most LEO Space Vehicles (SV) are small satellites, also known as CubeSats or Smallsats.

A CubeSat is a small, low-cost satellite that can be developed and launched by colleges, high schools and even individuals. A 1U (one unit) CubeSat measures 10 cm x 10 cm x 10 cm and weighs about 1 kg. A CubeSat can be flown as a single unit (1U) or in groups of units (up to 24U).

CubeSats represent paradigm shifts in developing space missions in the New Space Age.

Nowadays, CubeSats, and all the other SV types, are facing different challenges: environmental challenges, operational challenges, and cybersecurity challenges.

Space system design

Any space system is composed of three main segments: ground segment, space segment, and link segment. In addition, we have the user segment.

Space System Design (Source: Space Security Info)

Ground segment: The ground segment includes all the terrestrial elements of the space systems and allows the command, control, and management of the satellite itself and the data coming from the payload and transmitted to the users.

Space segment: The space segment includes the satellites, tracking, telemetry, command, control, monitoring, and related facilities and equipment used to support the satellite’s operations.

Link/communication segment: The link or communication segment is the data and signals exchanged between the ground and space segments.

User segment: The user segment includes user terminals and stations that can launch operations with the satellite in the form of signal transmissions and receptions.

Conclusion

The New Space age makes the space field more accessible to everyone on this planet. It’s about democratizing access to space.

This new age was characterized by the increase of Smallsats development and especially CubeSats in LEO. These types of satellites are part of the space architecture in addition to the ground, communication, and user segments. Nevertheless, is this space system design threatened by cyberattacks?

In the next article in the series, we will explore the answer to this question.

The evolution of antivirus software to face modern threats
https://securityintelligence.com/posts/antivirus-evolution-to-face-modern-threats/
Thu, 02 Feb 2023 17:00:00 +0000

Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response.

Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats.

Signature-based antivirus software

Signature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique to the respective property. With signature-based detection, traditional antivirus products can scan a computer for the footprints of known malware.

These malware footprints are stored in a database. Antivirus products essentially search for the footprints of known malware in the database. If they discover one, they’ll identify the malware, in which case they’ll either delete or quarantine it.

When new malware emerges and experts document it, antivirus vendors create and release a signature database update to detect and block the new threat. These updates increase the tool’s detection capabilities, and in some cases, vendors may release them multiple times per day.

With an average of 350,000 new malware instances registered daily, there are a lot of signature database updates to keep up with. While some antivirus vendors update their programs throughout the day, others release scheduled daily, weekly or monthly software updates to keep things simple for their users.

But convenience comes at the risk of real-time protection. When antivirus software is missing new malware signatures from its database, customers are unprotected against new or advanced threats.

Next-generation antivirus

While signature-based detection has been the default in traditional antivirus solutions for years, its drawbacks have prompted people to think about how to make antivirus more effective. Today’s next-generation anti-malware solutions use advanced technologies like behavior analysis, artificial intelligence (AI) and machine learning (ML) to detect threats based on the attacker’s intention rather than looking for a match to a known signature.

Behavior analysis in threat prevention is similar, although admittedly more complex. Instead of only cross-checking files with a reference list of signatures, a next-generation antivirus platform can analyze malicious files’ actions (or intentions) and determine when something is suspicious. This approach is about 99% effective against new and advanced malware threats, compared to signature-based solutions’ average of 60% effectiveness.

Next-generation antivirus takes traditional antivirus software to a new level of endpoint security protection. It goes beyond known file-based malware signatures and heuristics because it’s a system-centric, cloud-based approach. It uses predictive analytics driven by ML and AI as well as threat intelligence to:

  • Detect and prevent malware and fileless attacks
  • Identify malicious behavior and tactics, techniques and procedures (TTPs) from unknown sources
  • Collect and analyze comprehensive endpoint data to determine root causes
  • Respond to new and emerging threats that previously went undetected.

Countering modern attacks

Today’s attackers know precisely where to find gaps and weaknesses in an organization’s network perimeter security, and they penetrate these in ways that bypass traditional antivirus software. These attackers use highly developed tools that leverage:

  • Memory-based attacks
  • PowerShell scripting language
  • Remote logins
  • Macro-based attacks.

To counter these attackers, next-generation antivirus focuses on events – files, processes, applications and network connections – to see how actions in each of these areas are related. Analysis of event streams can help identify malicious intent, behaviors and activities; once identified, the attacks can be blocked.

This approach is increasingly important today because enterprises are finding that attackers are targeting their specific networks. The attacks are multi-stage and personalized and pose a significantly higher risk; traditional antivirus solutions don’t have a chance of stopping them.


Endpoint detection and response

Endpoint detection and response (EDR) software flips that model, relying on behavioral analysis of what’s happening on the endpoint. For example, if a Word document spawns a PowerShell process and executes an unknown script, that’s concerning. The file will be flagged and quarantined until the validity of the process is confirmed. Not relying on signature-based detection enables the EDR platform to react better to new and advanced threats.

Some of the ways EDR thwarts advanced threats include the following:

  • EDR provides real-time monitoring and detection of threats that may not be easily recognized by standard antivirus
  • EDR detects unknown threats based on a behavior that isn’t normal
  • Data collection and analysis determine threat patterns and alert organizations to threats
  • Forensic capabilities can determine what happened during a security event
  • EDR can isolate and quarantine suspicious or infected items. It often uses sandboxing to ensure a file’s safety without disrupting the user’s system.
  • EDR can include automated remediation and removal of specific threats.

EDR agent software is deployed to endpoints within an organization and begins recording activity on these endpoints. These agents are like security cameras focused on the processes and events running on the devices.

EDR platforms have several approaches to detecting threats. Some detect locally on the endpoint via ML, some forward all recorded data to an on-premises control server for analysis, some upload the recorded data to a cloud resource for detection and inspection and others use a hybrid approach.

Detections by EDR platforms are based on several tools, including AI, threat intelligence, behavioral analysis and indicators of compromise (IOCs). These tools also offer a range of responses, such as actions that trigger alerts, isolate the machine from the network, roll back to a known good state, delete or terminate threats and generate forensic evidence files.
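The Word-spawns-PowerShell case above, as an added Python example of the kind of behavioral rule an EDR engine applies (written for this page, not the code of any product): it walks each process's ancestry through constructed process-creation events and flags scripting hosts launched under an Office application, raising the severity when the script is not on a hypothetical reviewed-scripts allowlist.

```python
"""Added example: EDR-style behavioural rule for scripting hosts spawned under an Office application."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed process-creation events in the shape an EDR agent might record (not real telemetry).
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",    "cmdline": "WINWORD.EXE /n quarterly.docx"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\upd.ps1"},
    {"pid": 400, "ppid": 100, "image": "powershell.exe", "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"pid": 500, "ppid": 200, "image": "powershell.exe", "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"pid": 600, "ppid": 200, "image": "cmd.exe",        "cmdline": "cmd.exe /c launch.bat"},
    {"pid": 700, "ppid": 600, "image": "powershell.exe", "cmdline": r"powershell.exe -File C:\Users\alice\Downloads\run.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Hypothetical allowlist of scripts the organisation has reviewed and signed off.
APPROVED_SCRIPTS = {r"c:\scripts\inventory.ps1"}
MAX_DEPTH = 5  # how many ancestors to walk when looking for an Office parent


@dataclass
class Alert:
    pid: int
    severity: str
    chain: str              # Office ancestor down to the scripting host
    script: Optional[str]   # script path taken from the command line, if any


def script_path(cmdline: str) -> Optional[str]:
    """Pull the script file out of a '-File <path>' argument (lower-cased for allowlist matching)."""
    m = re.search(r'(?i)-file\s+"?([^"\s]+)', cmdline)
    return m.group(1).lower() if m else None


def ancestry(pid: int, by_pid: Dict[int, Dict]) -> List[Dict]:
    """Return [process, parent, grandparent, ...], bounded by MAX_DEPTH and guarded against pid-reuse loops."""
    chain, seen, cur = [], set(), by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen and len(chain) < MAX_DEPTH:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def detect(events: List[Dict]) -> List[Alert]:
    """Flag every scripting host whose ancestry contains an Office application."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(e["pid"], by_pid)
        idx = next((i for i, p in enumerate(chain) if i > 0 and p["image"].lower() in OFFICE_APPS), None)
        if idx is None:
            continue  # e.g. PowerShell launched from the desktop shell: ordinary admin activity
        script = script_path(e["cmdline"])
        # A document spawning a scripting host that runs an unreviewed script is the high-severity case;
        # an approved script under Office is still unusual enough to surface, at lower severity.
        severity = "medium" if script in APPROVED_SCRIPTS else "high"
        alerts.append(Alert(e["pid"], severity, " > ".join(p["image"] for p in reversed(chain[:idx + 1])), script))
    return alerts
```

The ancestry walk is what catches the indirect chain (WINWORD.EXE > cmd.exe > powershell.exe) that a parent-only rule would miss.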

Managed detection and response

Managed detection and response (MDR) is not a technology, but a form of managed service, sometimes delivered by a managed security service provider. MDR provides value to organizations with limited resources or the expertise to continuously monitor potential attack surfaces. Specific security goals and outcomes define these services. MDR providers offer various cybersecurity tools, such as endpoint detection, security information and event management (SIEM), network traffic analysis (NTA), user and entity behavior analytics (UEBA), asset discovery, vulnerability management, intrusion detection and cloud security.

Gartner estimates that by 2025, 50% of organizations will use MDR services. There are several reasons to support this prediction:

  • The widening talent shortage and skills gap: Many cybersecurity leaders confirm that they cannot use security technologies to their full advantage due to a global talent crunch.
  • Cybersecurity teams are understaffed and overworked: Budget cuts, layoffs and resource diversion have left IT departments with many challenges.
  • Widespread alert fatigue: Security analysts are becoming less productive due to “alert fatigue” from too many notifications and false positives from security applications. This results in distraction, ignored alerts, increased stress and fear of missing incidents. Many alerts are never addressed when, ideally, they should be studied and acted upon.

The technology behind an MDR service can include an array of options. This is an important thing to understand when evaluating MDR providers: the technology stack behind the service determines the scope of attacks the provider is able to detect.

Cybersecurity is about “defense-in-depth” — having multiple layers of protection to counter the numerous possible attack vectors. Various technologies provide complete visibility, detection and response capabilities. Some of the technologies offered by MDR services include:

  • SIEM
  • NTA
  • Endpoint protection platform
  • Intrusion detection system.

Extended detection and response

Extended detection and response (XDR) is the next phase in the evolution of EDR. XDR provides detection and protection across various environments, including networks and network components, cloud infrastructure and Software-as-a-Service (SaaS).

Features of XDR include:

  • Visibility into all network layers, including the entire application stack
  • Advanced detection, including automated correlation and ML processes capable of detecting events often missed by SIEM solutions
  • Intelligent alert suppression filters out the noise that typically reduces the productivity of cybersecurity staff.

Benefits of XDR include:

  • Improved analysis to help organizations collect the correct data and transform that data with contextual information
  • Identify hidden threats with the help of advanced behavior models powered by ML algorithms
  • Identify and correlate threats across various application stacks and network layers
  • Minimize fatigue by providing prioritized and precise alerts for investigation
  • Provide forensic capabilities needed to integrate multiple signals. This helps teams to construct the big picture of an attack and complete investigations promptly with high confidence in their findings.

XDR is gaining in popularity. XDR provides a single platform that can ingest endpoint agent data, network-level information and, in many cases, device logs. This data is correlated, and detections occur from one or many sources of telemetry.

XDR streamlines the functions of the analysts’ role by allowing them to view detections and respond from a single console. The single-pane-of-glass approach offers faster time to value, a shortened learning curve and quicker response times since the analysts no longer need to pivot between windows. Another advantage of XDR is its ability to piece multiple sources of telemetry together to achieve a big-picture view of detections. These tools are able to see what occurs not only on the endpoints but also between the endpoints.

The future of antivirus software

Security is constantly evolving, and future threats may become much more dangerous than we are observing now. We cannot ignore these recent changes in the threat landscape. Rather, we need to understand them and stop these increasingly destructive attacks.

Contain breaches and gain visibility with microsegmentation
https://securityintelligence.com/posts/contain-breaches-gain-visibility-with-microsegmentation/
Wed, 01 Feb 2023 14:00:00 +0000

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces.

Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications and policy creation to define what communications are permitted. In effect, microsegmentation restricts lateral movement, isolates breaches and thwarts attacks.

Given the spotlight on breaches and their impact across industries and geographies, how can segmentation address the changing security landscape and client challenges? IBM and its partners can help in this space.

Breach landscape and impact of ransomware

Historically, security solutions have focused on the data center, but new attack targets have emerged as enterprises move to the cloud and introduce technologies like containerization and serverless computing. Not only are breaches occurring and attack surfaces expanding; it has also become easier for breaches to spread. Traditional prevention and detection tools provided surface-level visibility into the traffic flows connecting applications, systems and devices across the network. However, they were not intended to contain and stop the spread of breaches.

Ransomware is particularly challenging, as it presents a significant threat to cyber resilience and financial stability. A successful attack can take a company’s network down for days or longer and lead to the loss of valuable data to nefarious actors. The Cost of a Data Breach 2022 report, conducted by the Ponemon Institute and sponsored by IBM Security, cites $4.54 million as the average ransomware attack cost, not including the ransom itself.

In addition, a recent IDC study highlights that ransomware attacks are evolving in sophistication and value. Sensitive data is being exfiltrated at a higher rate as attackers go after the most valuable targets for their time and money. Ultimately, the cost of a ransomware attack can be significant, leading to reputational damage, loss of productivity and regulatory compliance implications.

Organizations want visibility, control and consistency

Security teams focused on breach containment and prevention, hybrid cloud infrastructure and application security are voicing their concerns, and three objectives have emerged as vital for them.

First, organizations want visibility. Gaining visibility empowers teams to understand their applications and data flows regardless of the underlying network and compute architecture.

Second, organizations want consistency. Fragmented and inconsistent segmentation approaches create complexity, risk and cost. Consistent policy creation and strategy help align teams across heterogeneous environments and facilitate the move to the cloud with minimal re-writing of security policy.

Finally, organizations want control. Solutions that help teams target and protect their most critical assets deliver the greatest return. Organizations want to control communications through selectively enforced policies that can expand and improve as their security posture matures towards zero trust security.

Microsegmentation restricts lateral movement to mitigate threats

Microsegmentation (or simply segmentation) combines practices, enforced policies and software that provide user access where required and deny access everywhere else. Segmentation contains the spread of breaches across the hybrid attack surface by continually visualizing how workloads and devices communicate. In this way, it creates granular policies that only allow necessary communication and isolate breaches by proactively restricting lateral movement during an attack.

The National Institute of Standards and Technology (NIST) highlights microsegmentation as one of three key technologies needed to build a zero trust architecture, a framework for an evolving set of cybersecurity paradigms that move defense from static, network-based perimeters to users, assets and resources.

If existing detection solutions fail and security teams lack granular segmentation, malicious software can enter the environment, move laterally, reach high-value applications and exfiltrate critical data, leading to catastrophic outcomes.

Ultimately, segmentation helps clients respond by applying zero trust principles like ‘assume a breach,’ helping them prepare for the inevitable.
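The mechanics described in the two sections above (visualize which workloads talk to which, write label-based policies that allow only that traffic, deny everything else, and use the denials to spot a compromised host) can be shown with a small evaluator. The following is an added example, not code from the post, from IBM or from Illumio; the workload inventory, tier labels, policy rules, addresses and flow-log lines are all constructed for illustration. The monitor-versus-enforce switch reflects the "selectively enforced policies" idea: a policy is usually run in monitor mode first so the would-be denials can be reviewed before anything is blocked.

```python
"""Added example: label-based microsegmentation policy evaluated against
constructed flow logs (inventory, rules and flows are constructed)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed workload inventory (the "schema"): IP -> application tier label.
WORKLOADS = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.20": "api",
    "10.0.3.30": "db",
    "10.0.9.90": "workstation",
}

# Allowlist written in terms of labels, not addresses: (src tier, dst tier, dst port).
# Anything not listed is denied, which is what ring-fences the db tier.
POLICY = {
    ("workstation", "web", 443),
    ("web", "api", 8080),
    ("api", "db", 5432),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str


def parse_flows(text):
    """Parse constructed flow-log lines of the form 'src dst dport proto'."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = line.split()
        flows.append(Flow(src, dst, int(port), proto))
    return flows


def tier(ip):
    """Label lookup; unlabeled hosts fall into 'unknown' and match no rule."""
    return WORKLOADS.get(ip, "unknown")


def dependency_map(flows):
    """Visualization step: which tiers talk to which, on which ports."""
    edges = defaultdict(set)
    for f in flows:
        edges[(tier(f.src), tier(f.dst))].add(f.port)
    return {edge: sorted(ports) for edge, ports in edges.items()}


def decide(flow, enforce):
    """ALLOW if a rule matches; otherwise DENY (enforce) or WOULD-DENY (monitor)."""
    if (tier(flow.src), tier(flow.dst), flow.port) in POLICY:
        return "ALLOW"
    return "DENY" if enforce else "WOULD-DENY"


def evaluate(flows, enforce=False):
    """Return a list of (flow, decision) pairs."""
    return [(f, decide(f, enforce)) for f in flows]


def suspect_sources(results, threshold=2):
    """Sources with at least `threshold` non-allowed flows: candidates for isolation."""
    counts = Counter(f.src for f, d in results if d != "ALLOW")
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample: src dst dport proto (not real traffic)
FLOW_LOG = """
10.0.9.90 10.0.1.10 443 tcp
10.0.1.10 10.0.2.20 8080 tcp
10.0.2.20 10.0.3.30 5432 tcp
10.0.1.11 10.0.2.20 8080 tcp
10.0.1.10 10.0.1.11 445 tcp
10.0.1.10 10.0.3.30 5432 tcp
10.0.9.90 10.0.3.30 3389 tcp
"""

if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for edge, ports in dependency_map(flows).items():
        print(f"{edge[0]:>12} -> {edge[1]:<12} ports {ports}")
    results = evaluate(flows, enforce=True)
    for f, d in results:
        print(f"{d:<10} {tier(f.src)}({f.src}) -> {tier(f.dst)}({f.dst}):{f.port}/{f.proto}")
    print("isolation candidates:", suspect_sources(results))
```

The three-tier traffic (workstation to web, web to api, api to db) passes; web-to-web on 445, web straight to db, and workstation to db on 3389 are denied because no rule names them, and 10.0.1.10 stands out as the host behind two of the three denials. The same policy keeps working when addresses change, because it is expressed in labels rather than IPs.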

IBM launches segmentation security services

In response to growing interest in segmentation solutions, IBM has expanded its security services portfolio with IBM Security Application Visibility and Segmentation Services (AVS). AVS is an end-to-end solution combining software with IBM consulting and managed services to meet organizations’ segmentation needs. Regardless of where applications, data and users reside across the enterprise, AVS is designed to give clients visibility into their application network and the ability to contain ransomware and protect their high-value assets.

AVS will walk you through a guided experience to align your stakeholders on strategy and objectives, define the schema to visualize desired workloads and devices and build the segmentation policies to govern network communications and ring-fence critical applications from unauthorized access. Once the segmentation policies are defined and solutions deployed, clients can consume steady-state services for ongoing management of their environment’s workloads and applications. This includes health and maintenance, policy and configuration management, service governance and vendor management.

IBM has partnered with Illumio, an industry leader in zero trust segmentation, to deliver this solution. Illumio’s software platform provides attack surface visibility, enabling you to see all communication and traffic between workloads and devices across the entire hybrid attack surface. In addition, it allows security teams to set automated, granular and flexible segmentation policies that control communications between workloads and devices, only allowing what is necessary to traverse the network. Ultimately, this helps organizations to quickly isolate compromised systems and high-value assets, stopping the spread of an active attack.

With AVS, clients can harden compute nodes across their data center, cloud and edge environments and protect their critical enterprise assets.

Start your segmentation journey

IBM Security Services can help you plan and execute a segmentation strategy to meet your objectives. To learn more, register for the on-demand webinar now.
