Security Services – Security Intelligence
https://securityintelligence.com
Analysis and Insight for Information Security Professionals

39% of MSPs report major setbacks when adapting to advanced security technologies
https://securityintelligence.com/articles/msps-report-setbacks-adapting-advanced-security-technologies/
Thu, 11 Jul 2024 13:00:00 +0000


SOPHOS, a leading global provider of managed security solutions, has recently released its annual MSP Perspectives report for 2024. This most recent report provides insights from 350 different managed service providers (MSPs) across the United States, United Kingdom, Germany and Australia on modern cybersecurity tools and solutions. It also documents newly discovered risks and challenges in the industry.

Among the many findings of this most recent report, one of the most concerning trends is the difficulties MSPs face when adapting their service offerings to combat the latest surge of next-generation cyberattacks. When scaling infrastructure to support more advanced security preparedness, MSPs must consider how to navigate these pitfalls.

The 3 largest challenges MSPs face

The most recent MSP Perspectives report, released by SOPHOS in May 2024, has shed light on several unique challenges currently being faced in the managed services industry.

Despite having access to numerous scalable IT solutions at their disposal, MSPs are still running into the following critical issues.

1. Keeping up with the latest cybersecurity technologies and solutions

For MSPs to keep up with the regularly evolving state of cybersecurity, they must keep their organizations incredibly agile. However, the reality is that considering the amount of time and resources required for research, development and staff training, they’re often unable to keep up.

This is further complicated by:

  • Complex solutions requiring in-depth knowledge
  • An overwhelming number of potential solutions to research
  • Not knowing the best options for their clients’ needs

Many MSPs have already invested in industry-backed security solutions. However, the speed at which these tools are being improved or replaced means having dedicated internal resources to coordinate critical changes is becoming increasingly unmanageable.

2. Securing adequate cybersecurity talent

For years, the demand for skilled cybersecurity analysts has been outpacing the available supply of workers. With more businesses becoming highly dependent on MSPs to manage many of their cybersecurity needs, this has created a significant human resources backlog.

The challenge is that while this gap is slowly starting to close, there is still considerable competition in the market. This not only makes it harder to find qualified cybersecurity workers but also makes it more difficult for MSPs to manage staff retention.

Even when not dealing with a shortage of workers, MSPs also need to make sure they can find qualified analysts with specific skill sets that align with their clients’ needs. This can be likened to finding a needle in a haystack while wearing a blindfold.

3. Mitigating risks from emerging threats

The way organizations need to approach cybersecurity is very different today than it was ten years ago. A lack of awareness in any branch of security planning can open the door to several emerging threats.

MSPs are constantly bombarded with this fact and face challenges when addressing areas such as:

  • The evolving threat landscape: As technology continues to evolve, the threat landscape shifts along with it. The more investments are made in new cloud-based services and solutions, the harder it is to diagnose and address potential vulnerabilities they introduce.

  • Increase in sophisticated attack formats: Cyber criminals aren’t just relying on static attack methods to exploit businesses. They now regularly use sophisticated ransomware attacks and next-generation AI-driven tools to scale their distribution methods and increase the severity of security breaches.

  • Putting a high focus on security planning: Lacking the necessary internal resources to manage many cybersecurity initiatives, many MSPs are forced to adopt more reactive controls than proactive ones.


What are the primary cybersecurity risk factors for MSPs today?

The SOPHOS report continues to highlight two of the primary risk factors that MSPs are facing based on the current state of new emerging threats:

Compromised access credentials and stolen data

Cyber criminals often target the digital environments facilitated by MSP relationships. Considering modern businesses’ heavy dependence on third-party platforms and cloud-based applications, malicious actors invest much of their time in planning and executing social engineering and brute-force attack campaigns to gather compromised user credentials.

Once a user’s credentials are obtained, cyber criminals may be able to give themselves privileged access to multiple connected systems, leading to major data breaches and the facilitation of devastating ransomware attacks.

Lack of in-house cybersecurity expertise

As cyber threats become more sophisticated, the need for specialized cybersecurity expertise grows. However, with MSPs struggling to attract and retain qualified cybersecurity professionals, they’re increasingly unable to offer the level of protection their clients need.

Lack of in-house experience can also hinder their ability to proactively identify and mitigate vulnerabilities before they can be exploited. This leaves MSPs in a compromising position, potentially opening them and their clients up to larger risks.

Top 3 benefits of managed detection and response (MDR) service adoption

In response to these issues, MSPs are looking outside their own walls for the cybersecurity support necessary to facilitate their clients’ ongoing needs.

According to the SOPHOS report, 66% of MSPs are now relying on third-party vendors to deliver their Managed Detection and Response (MDR) services. This is helping them to fill the necessary gap in their security offerings and provide a comprehensive suite of cybersecurity tools and solutions for themselves and the clients they service.

This is providing benefits in the following areas:

1. Immediate access to advanced security tools and intelligence

MDR providers specialize in all areas of cybersecurity and have an advanced knowledge of emerging security threats and effective mitigation strategies to address them.

These providers also have immediate access to advanced monitoring tools and solutions like QRadar SIEM, powered by enterprise-grade AI-driven threat intelligence. With these solutions readily available and ready for deployment, MSPs can continue to scale other parts of their businesses while having more confidence in their cybersecurity readiness.

2. Regularly updated cybersecurity protocols

MDR solutions specialists can provide MSPs with the cybersecurity awareness they need to ensure their internal protocols remain up-to-date and meet the guidelines necessary to adhere to strict regulatory requirements.

Incident response planning is another important element that MSPs need to master. By using an MDR solutions provider, MSPs can recognize and address vulnerabilities before they are exploited and make proactive strides to improve their security posture.

3. Accessible security talent pool

While MSPs need to balance their hiring efforts across multiple specialties, MDR providers have teams of dedicated security personnel already in place, with years of experience managing highly complex cybersecurity initiatives.

By engaging with MDR providers, MSPs have a wide pool of cybersecurity talent at the ready to help them address their clients’ security needs and stay ahead of modern-day cyber threats.

Building a more comprehensive suite of client services

MSPs have a large responsibility when it comes to helping organizations scale their operations while staying secure. While managing cybersecurity initiatives in-house continues to be challenging for many organizations, investments in managed detection and response solutions are proving to be the way forward for progressive organizations looking to enhance their client service offerings.

A decade of global cyberattacks, and where they left us
https://securityintelligence.com/articles/decade-global-cyberattacks-where-they-left-us/
Tue, 09 Jul 2024 13:00:00 +0000


The cyberattack landscape has seen monumental shifts and enormous growth in the past decade or so.

I spoke to Michelle Alvarez, X-Force Strategic Threat Analysis Manager at IBM, who told me that the most visible change in cybersecurity can be summed up in one word: scale. A decade ago, “‘mega-breaches’ were relatively rare, but now feel like an everyday occurrence.”

A summary of the past decade in global cyberattacks

The cybersecurity landscape has been impacted by major world events, especially in recent years. These include the COVID-19 pandemic, as well as recent military conflicts between Russia and Ukraine and between Israel and Hamas.

These events activated both financially motivated threat actors looking to profit from these crises, as well as state-sponsored activity, according to Alvarez. Social engineering attacks exploited public anxiety about global geopolitical events, such as in email campaigns that aimed to spread malware. Supply chains became more vulnerable during the pandemic.

While the major national targets for the biggest attacks remained North America, Europe and Asia, Alvarez also stated that the decade saw big new increases in Latin America.

2013: Cloud computing

Global context: The year 2013 saw the rise of cloud computing, which expanded the attack surface for cyber criminals. The Snowden revelations began in June 2013.

In 2013, ransomware began to gain traction as a significant threat, and data breaches became more prevalent.

The Target data breach compromised 40 million credit and debit card accounts and 70 million customer records. Adobe Systems also suffered a breach that exposed 38 million user accounts. Additionally, the New York Times was attacked by the Syrian Electronic Army, taking its website offline for almost two hours. And the Yahoo data breach compromised 500 million user accounts, although it would not be reported for three years.

In 2013, more than half a billion records of personally identifiable information, including names, emails, credit card numbers and passwords, were stolen.

2014: IoT attack vectors

Global context: In 2014, the complexity of cyberattacks was on the rise, as was the overall sophistication of internationally coordinated operations of law enforcement and security vendors.

As with the previous year, data breaches were a significant issue, with notable breaches in the finance and insurance, information and communication, and manufacturing sectors. Advanced Persistent Threats (APTs) became more sophisticated, and the Internet of Things (IoT) emerged as a new attack vector.

The Sony Pictures hack exposed sensitive corporate data and unreleased films. The Home Depot breach compromised 56 million credit card numbers and 53 million email addresses. The Heartbleed bug, a critical vulnerability in the OpenSSL cryptographic software library, also made headlines.

2015: Protecting critical infrastructure

Global context: The year saw a focus on critical infrastructure protection and the rise of cyber-physical systems. The increasing sophistication of cyber incidents highlighted the need for better threat intelligence.

Unauthorized access incidents skyrocketed. Some 60% of attacks were carried out by insiders, either maliciously or accidentally. Attackers sped up the exploitation of zero-day flaws. Ransomware continued to grow, targeting both individuals and organizations. IoT vulnerabilities increased and phishing remained a prevalent attack vector.

The Anthem breach exposed the personal information of 78.8 million people. The Ashley Madison hack leaked sensitive user data from the dating site. And the TalkTalk data breach involved sophisticated phishing attacks. Major impacted industries included healthcare, retail, financial services and the pharmaceuticals industry.

2016: State-sponsored cyberattacks

Global context: The year was marked by significant geopolitical tensions, including the U.S. presidential election, which saw extensive cyber interference.

State-sponsored groups targeted political entities and ransomware became more targeted and sophisticated. Distributed Denial of Service (DDoS) attacks increased in frequency and scale.

The Democratic National Committee (DNC) hack exposed emails and documents. And the Mirai botnet launched massive DDoS attacks, disrupting major websites.

Over 4 billion records were leaked in 2016, more than the two previous years combined. In one case, a single source leaked more than 1.5 billion records.

2017: Cryptocurrency boosts cyber crime

Global context: The year saw continued geopolitical tensions and the rise of cryptocurrency, which boosted cyber criminal activities.

Ransomware attacks like WannaCry and NotPetya caused widespread disruption. Cryptojacking emerged as a real threat, leveraging compromised systems to mine cryptocurrency. Supply chain attacks increased.

The WannaCry ransomware affected over 200,000 computers across 150 countries. The Equifax breach exposed the personal information of 147 million people. The NotPetya attack caused significant disruption to businesses globally.


2018: Tightening regulations

Global context: Increased regulatory scrutiny, such as the implementation of GDPR, made 2018 a difficult year for some large organizations.

Ransomware continued to evolve with ever more sophisticated tactics. Phishing remained a significant threat, with more targeted spear-phishing attacks. Cloud security became a focus.

The Marriott breach exposed the data of 500 million guests. The Facebook-Cambridge Analytica scandal highlighted issues of data privacy and misuse. The SingHealth breach in Singapore compromised the personal data of 1.5 million patients.

Cryptojacking attacks increased by 450% from Q1 to Q4 in 2018.

2019: Attacks on healthcare

Global context: The year saw a focus on securing critical infrastructure and addressing the growing threat of ransomware and phishing.

Ransomware dominated the cybersecurity field, with attacks on municipalities and healthcare. Phishing evolved with more sophisticated techniques. IoT security saw increased attacks on connected devices.

The Capital One breach exposed the data of 100 million customers. The Baltimore ransomware attack disrupted city services for weeks. The Quest Diagnostics breach (which began in 2018 but didn’t end until March 2019) affected 11.9 million patients.

2020: Cybersecurity in the pandemic

Global context: The COVID-19 pandemic drastically changed the cybersecurity landscape. A surge in remote work caught cybersecurity pros off guard and increased the attack surface. Plus, the year saw increased attacks on healthcare systems.

Ransomware primarily targeted healthcare and critical infrastructure. Phishing exploited pandemic-related fears. Attacks on remote work infrastructure increased.

The SolarWinds hack, which took place in both 2019 and 2020, compromised multiple US government agencies and private companies. A Twitter hack saw high-profile accounts hijacked to promote a cryptocurrency scam. The Magellan Health ransomware attack affected 365,000 patients. And the Accellion breach started impacting multiple organizations.

2021: The Colonial Pipeline attack

Global context: The pandemic continued to influence cyber threats.

Ransomware remained the top threat, with even more sophisticated attacks. Supply chain attacks increased. Phishing continued to be a significant threat.

The Colonial Pipeline ransomware attack disrupted fuel supply in the US. The Kaseya VSA ransomware attack affected hundreds of businesses globally. And the Log4j vulnerability was widely exploited, affecting numerous organizations.

2022: Supply chain threats

Global context: The year saw continued geopolitical tensions, particularly the Russia-Ukraine conflict.

Ransomware continued to dominate, with more targeted attacks. Supply chain attacks remained a significant threat. AI and machine learning were increasingly used by both attackers and defenders.

The Costa Rica ransomware attack disrupted government services. The Nvidia data breach exposed sensitive employee information.

2023: AI shifts the discussion

Global context: The ongoing geopolitical tensions and the rise of AI and quantum computing posed new challenges.

Ransomware saw a resurgence in attacks with more sophisticated tactics. AI-powered attacks increased, automating and accelerating attacks. Supply chain attacks continued to be a significant threat.

The MOVEit Transfer vulnerability was exploited to steal data from multiple organizations. The Microsoft Exchange Server vulnerability was widely exploited, affecting numerous organizations. The T-Mobile data breach exposed the data of 37 million customers.

A decade of major cybersecurity trends

What’s clear in this summary is that the major trends are the rise in the sophistication and severity of ransomware attacks (which have grown radically since 2013) and also general exploitation of the pandemic and remote work phenomena. Alvarez said that a decade ago, ransomware was known mainly by security professionals. Now, the threat is widespread enough to be generally known by the public.

Two other trends were the rise of cloud vulnerability exploitation attacks and business email compromise (BEC) attacks, according to Alvarez. These trends are due in part to the exploitation of security misconfigurations or cloud security gaps, misuse of passwords and usernames and inadequate training.

Who knows what will happen in the next decade? But if history is any guide, the threat landscape will continue to expand, threat actors will grow increasingly sophisticated (with the help of AI) and financially motivated and state-sponsored actors will go after increasingly bigger payoffs and prizes.

Get details on the current cybersecurity situation by downloading the IBM X-Force Threat Intelligence Index 2024 and watching the associated webcast.

How a new wave of deepfake-driven cyber crime targets businesses
https://securityintelligence.com/posts/new-wave-deepfake-cybercrime/
Fri, 17 May 2024 13:00:00 +0000


As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit.

Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries.

Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break into customer accounts and initiate fraudulent transactions. Internal help desks and staff have likewise been inundated with social engineering campaigns via calls and messages, often successfully, as was the case in the attack on Retool, an internal-tools software company, which led to tens of millions of dollars in losses for the company’s clients. A financial worker was duped into transferring funds to fraudsters. Speaker-based authentication systems are now being circumvented with deepfake audio.

The barrier to entry for bad actors is lower now than before. Tools allowing the creation of deepfakes are cheaper and more accessible than ever, giving even users with no technical know-how the chance to engineer sophisticated, AI-fueled fraud campaigns.

Given the increasing proliferation and methods used by cyber criminals, real-time detection that leverages AI to catch AI will be essential in protecting the financial and reputational interests of businesses.

Deepfakes across modalities

A deepfake is a piece of synthetic media—an image, video, audio or text—that appears authentic, but has been made or manipulated with generative AI models.

Deepfake audio refers to synthetically generated sound that has been created or altered using deep learning models. A common method behind deepfake audio is voice cloning, involving fake speech created with less than a minute of voice samples of real people. Voice cloning is a particular concern in industries that use voice biometric verification to access customer accounts. Companies that receive a high volume of phone calls as part of their business report constant deepfake attacks on their infrastructure via voice cloning efforts.

The creation of a deepfake video typically involves training a deep neural network on a large dataset of videos and images featuring the target individual(s). The model learns their facial features, expressions and mannerisms, enabling it to generate new video content that looks authentic. Cyber criminals utilize deepfake videos to impersonate executives, bypass biometric verification and create false advertising, among many other uses. Meanwhile, deepfake images can be used to alter documents and bypass the efforts of Know Your Customer (KYC) and Anti-Money Laundering (AML) teams in curbing the creation of accounts under false identities.

Deepfake text refers to artificially generated content meant to mimic the style, structure and tone of human writing. These deepfake models are trained on large datasets of text to learn patterns and relationships between words, teaching them to generate sentences that appear coherent and contextually relevant. These deepfakes aid cyber criminals in large-scale social engineering and phishing attacks by producing massive volumes of convincing text, and are just as useful in document forgery.

The impact of deepfakes across industries

Audio deepfakes are one of the biggest risk factors for modern businesses, especially financial institutions. Bank call centers are increasingly inundated with deepfake voice clone calls attempting to access customer accounts, and AI-fueled fraud has become the leading security concern for the majority of banks as fraudsters submit AI-altered documents to open fake accounts. Finance workers are manipulated into moving tens of millions with deepfake meetings cloning the CEO’s voice and likeness. Following the Retool phishing attack, just one of the company’s cryptocurrency clients lost $15 million in assets.

But the damage caused by deepfake cyber crime goes far beyond voice clones and can impact any industry. Insurance companies are facing significant losses as fraudsters submit deepfake evidence for illegitimate claims. Competitors can create fake customer testimonials or deepfake videos and images of a supposedly faulty product to damage a brand. While the average cost of creating a deepfake is $1.33, the expected global cost of deepfake fraud in 2024 is $1 trillion. Deepfakes are a threat to markets and the economy at large: the deepfake of a Pentagon explosion caused panic on the stock market before officials could refute it. A more sophisticated attack could easily lead to massive losses in company value and damage to global economies.

For media companies, reputational damage caused by deepfakes can quickly lead to loss of viewers and ad revenue. At a time when audiences are already skeptical of all content they encounter, deepfakes raise the stakes for accurate reporting and fact-checking. If a piece of audiovisual media that serves as the basis or evidence for a news report is found to be a deepfake, unverified and unlabeled, the damage to the newsroom and the company’s relationship with its audience could be irreparable.

Social media platforms are just as vulnerable, especially because they’ve become the leading news source for the majority of Americans. Malicious actors spend a mere 7 cents to reach 100,000 social media users with a weaponized deepfake. Allowing the unchecked spread of AI-manipulated news stories can lead to serious audience and advertiser losses and shareholder unrest, not to mention the corrosive effects on society at large.

Deepfake disinformation campaigns can impact the integrity of elections, causing civic unrest and chaos within government institutions. Such unrest can rattle the markets, weaken the economy, and erode the trust between voters and the electoral system. Over 40,000 voters were affected by the deepfake Biden robocall in New Hampshire. But these campaigns are not limited to elections. State-sponsored actors can create synthetic videos of leaders making false claims to damage diplomatic and trade relations, incite conflict and manipulate stocks. The World Economic Forum’s Global Risks Report 2024 ranks AI-fueled disinformation as the number one threat the world faces in the next two years.


Deepfake detection solutions

How do organizations combat this urgent threat? It all comes down to detection.

The ability to detect AI-generated voices, videos, images and text—accurately, swiftly and at scale—can help organizations stay ahead of the threat actors attempting to use deepfakes to execute their fraud or disinformation campaigns.

Those working to secure call centers, customer-facing teams and internal help desks will want to seek out a solution that can detect AI-generated voices in real time. As these points of contact are highly vulnerable and susceptible to fraud, real-time voice deepfake detection should fit neatly into existing voice authentication or biometric platform workflows, affording companies seamless integration without retraining employees on a wholly new tech stack.

One in six banks struggles to identify its customers at any stage in the customer journey, and finance workers cited customer onboarding as the workflow process most vulnerable to fraud. Text and image detectors are a powerful deterrent to fake documents, identity theft and phishing efforts. A comprehensive deepfake detection toolset should fortify the onboarding and re-authentication flow of KYC and anti-fraud teams to defend against presentation and injection attacks.

Journalists should feel empowered to report on the news with confidence that their sources are authentic. Image, video and text detection models help ensure reporters don’t consider fake evidence in legitimate reports. 53% of Americans get their news from social media. A well-equipped detection solution should help content moderation teams, who cannot be expected to verify an onslaught of content at scale, protect social media platforms against becoming unwitting channels for fake content.

Sophisticated audio deepfake detection tools are built to flag the newest popular tool of political manipulation: misleading robocalls using voice clones of political candidates. State-sponsored attackers can now easily masquerade as heads of state and other political figures. Today’s detection solutions can catch synthesized impersonations in critical moments, ensuring the public can be warned. Text detection helps government institutions catch harmful AI-generated documents and communications to help prevent identity theft and fraud before it can impact citizens’ lives and livelihoods.

Reality Defender is one such solution to detect and protect against advanced deepfakes of all mediums. Its platform-agnostic API allows organizations to upload a firehose of content and scale detection capabilities on demand, using a multi-model approach to look at every uploaded file from multiple angles and with the newest deepfake creation models in mind. This creates a more complete and robust result score, which reflects the probability of AI manipulation. With multiple models across multiple modalities, organizations can take informed and data-driven next steps in protecting their clients, assets, and reputations from complex deepfake attacks of today and tomorrow.

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?
https://securityintelligence.com/posts/secops-teams-take-away-2024-threat-intelligence-index/
Wed, 17 Apr 2024 13:00:00 +0000


The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in, and among them is the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.

In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.

The report identified six action items:

  1. Remove identity silos
  2. Reduce the risk of credential harvesting
  3. Know your dark web exposure
  4. Establish secure AI and models
  5. Implement a DevSecOps approach to planning and testing
  6. Reduce the impact of an incident

I’m going to focus on the first three. Why? Because the last three are things you should be doing now irrespective of the results of the 2024 Threat Intelligence Index report and are much larger than the SOC. While the first three action items involve more than just the SOC, the call to action for the SOC is clear: focus on identity risk.

Remove identity silos

The report notes that 30% of all observed entry points to incidents in 2023 used valid credentials. The use of valid credentials is more damaging when accounts do not use enterprise identity systems with built-in controls. We need to make sure our insider risk capabilities are up to date. The SOC checklist includes:

  • Centralized monitoring: Ensure the SOC continuously monitors user activities and access controls through a centralized identity management system. For high-risk systems off the enterprise identity platform, capture authentication activity. Ensure user and entity behavior analytics are in place with the appropriate use cases in the SOC detection platforms. Validate your identity visibility in the cloud, where abuse of permissions and privileges is more prevalent.
  • Incident response: Establish protocols and playbooks for rapid response to incidents related to suspected insider risk, unauthorized access or compromised identities.
  • Threat intelligence integration: Integrate threat intelligence sources into SOC workflows for threats targeting identity silos.
  • Identity threat detection and response: If your organization doesn’t have identity threat detection and response (ITDR) capabilities, 2024 would be a great time to implement this additional control. The SOC should have telemetry, use cases, analytics and response playbooks in place for ITDR.

Reduce the risk of credential harvesting

The best way to prevent attackers from using valid credentials for malicious activities is to prevent those credentials from being compromised in the first place. The SOC checklist includes:

  • Authentication failures: The Identity and Access Management team should have controls in place to limit login attempts and even lock out accounts that repeatedly fail authentication. The SOC needs visibility into account status and into the logs and/or alerts that record accounts being disabled for failed authentication attempts. Ideally, those accounts are placed on SOC temporary watch lists even after the accounts have been re-enabled.
  • Multifactor authentication: The SOC needs visibility into multifactor authentication (MFA) failures. Additionally, the SOC should have the ability to force users to re-authenticate as part of response playbooks and/or the ability to invalidate sessions.
  • Privileged access management: SOC visibility into privileged identity activity is key, especially changes of account entitlements that move an identity from standard user access to privileged user status. This is especially important for systems not connected to Privileged Account Management (PAM) tools. Revisit your lateral movement use cases.
  • Phishing incident response: Develop and conduct regular training exercises for SOC analysts to identify and respond to phishing attempts effectively.

Know your dark web exposure

SOC analysts aren’t going to spend time poking around the dark web. Their threat intelligence counterparts, however, are on the dark web, and what they find can be invaluable for the SOC team. The SOC checklist here includes:

  • Dark web monitoring: Intelligence on compromised credentials, session keys and leaked sensitive information needs to be incorporated into the appropriate watch lists. If the incident in which the account information was stolen is not evident, an immediate post-incident analysis should be launched, including threat hunting, digital forensics and other analysis to identify when and how the account data was compromised. Once the tactics, techniques and procedures (TTPs) used in the compromise are identified, detection analytics need to be updated to enhance future threat detection.
  • Executive digital identity protection: Executive accounts, as well as accounts directly supporting executives, need to be on account lists used in high-risk identity use cases. Specific response playbooks for these accounts need to be in place.
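The two checklists above (repeated authentication failures feeding a temporary SOC watch list, and dark-web credential intelligence feeding the same list) can be exercised with a small detection script. The following is an added example written for this page, not code from IBM or from the Threat Intelligence Index; the log lines, the leak feed, the five-failures-in-five-minutes threshold and the seven-day watch-list lifetime are all constructed assumptions.

```python
"""Added example: a temporary identity watch list for a SOC.

Two feeds are merged into one timeline: authentication events (constructed
sample log lines) and a constructed dark-web credential-leak feed. Repeated
failures put an account on the watch list; the entry outlives any re-enable
of the account, so a later successful login is surfaced for review until the
entry expires.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events: "<timestamp> <user> <outcome> <source IP>"
SAMPLE_AUTH_LOG = [
    "2024-04-10T08:00:01Z alice FAIL 203.0.113.5",
    "2024-04-10T08:00:07Z alice FAIL 203.0.113.5",
    "2024-04-10T08:00:12Z alice FAIL 203.0.113.5",
    "2024-04-10T08:00:15Z alice FAIL 203.0.113.5",
    "2024-04-10T08:00:20Z alice FAIL 203.0.113.5",   # fifth failure -> lockout candidate
    "2024-04-10T08:05:00Z bob SUCCESS 198.51.100.7",
    "2024-04-10T09:30:00Z alice SUCCESS 203.0.113.5",  # account re-enabled, still watched
    "2024-04-12T10:00:00Z carol SUCCESS 192.0.2.44",   # carol appears in the leak feed below
    "2024-04-20T10:00:00Z alice SUCCESS 198.51.100.9", # watch entry has expired by now
]

# Constructed dark-web intelligence: accounts observed in a credential dump.
SAMPLE_LEAK_FEED = [
    {"user": "carol", "seen": "2024-04-11T00:00:00Z", "source": "constructed-dump-1"},
]

FAIL_THRESHOLD = 5                 # assumed lockout policy: 5 failures ...
FAIL_WINDOW = timedelta(minutes=5) # ... within 5 minutes
WATCH_TTL = timedelta(days=7)      # assumed lifetime of a watch-list entry


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth_line(line):
    ts, user, outcome, src = line.split()
    return {"ts": parse_ts(ts), "kind": outcome, "user": user, "src": src}


class IdentityWatchList:
    """user -> (reason, expiry). Entries are not removed when an account is re-enabled."""

    def __init__(self, ttl=WATCH_TTL):
        self.ttl = ttl
        self.entries = {}

    def add(self, user, reason, when):
        self.entries[user] = (reason, when + self.ttl)

    def reason_if_active(self, user, when):
        entry = self.entries.get(user)
        if entry and when < entry[1]:
            return entry[0]
        return None


def build_timeline(log_lines, leak_feed):
    """Merge auth events and leak observations into one chronological list."""
    events = [parse_auth_line(line) for line in log_lines]
    events += [{"ts": parse_ts(e["seen"]), "kind": "LEAK", "user": e["user"], "src": e["source"]}
               for e in leak_feed]
    return sorted(events, key=lambda e: e["ts"])


def analyze(log_lines, leak_feed):
    """Return alerts as (timestamp, user, alert_kind, detail) tuples."""
    watch = IdentityWatchList()
    recent_fails = defaultdict(deque)  # user -> timestamps of failures inside FAIL_WINDOW
    alerts = []
    for ev in build_timeline(log_lines, leak_feed):
        user, ts = ev["user"], ev["ts"]
        if ev["kind"] == "FAIL":
            window = recent_fails[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                alerts.append((ts, user, "lockout_candidate", ev["src"]))
                watch.add(user, "repeated_auth_failure", ts)
                window.clear()
        elif ev["kind"] == "LEAK":
            # Leaked-credential intelligence goes straight onto the watch list.
            watch.add(user, "leaked_credential:" + ev["src"], ts)
        elif ev["kind"] == "SUCCESS":
            reason = watch.reason_if_active(user, ts)
            if reason:
                alerts.append((ts, user, "watched_account_login", reason))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_AUTH_LOG, SAMPLE_LEAK_FEED):
        print(alert)
```

Run as-is it produces three alerts: the lockout candidate for alice, alice's later successful login while still watched, and carol's login after her credentials appeared in the leak feed; alice's login on 20 April is not flagged because the watch entry expired. In a real SOC the leak feed would come from the threat intelligence team and the alerts would land in the detection platform, but the ordering of the two list entries (watch list first, then flag logins against it) is the point of the checklist.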

The fact that valid credential misuse tied with phishing as the initial point of access to incidents in 2023 is a call to action for SOC teams to revisit their detection and response capabilities related to identities and insider risk. If the checklist in this blog puts some items on your to-do list, we have resources that can help.

To implement any of the actions above, you can request a no-cost threat management workshop for your organization.

If you’d like to get more details on these insights, check out the full 2024 Threat Intelligence Index report.

For help preparing for when, not if, a cyberattack occurs, learn more about our X-Force Cyber Range immersive simulations.

If you’re already in a great place for each of the checklist items, even better!

Ermac malware: The other side of the code
https://securityintelligence.com/posts/ermac-malware-the-other-side-of-the-code/ (Mon, 29 Jan 2024 14:00:00 +0000)

When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.

To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the actor maintaining Ermac. While a new version of the malware has been released, we will focus on the original version.

Gaining insight into the backstage operations of the malware is not simply a case of reverse engineering malware samples that were released into the wild. Once that reverse engineering was complete, however, unique and interesting aspects of the inner workings of the malware were revealed.

The Cerberus connection

As a Cerberus descendent, Ermac shares the same source code and fraud capabilities, including stealing a user’s bank credentials and second-factor authentication (2FA) messages that are delivered to the user via SMS or notification.

Here is an example of the shared preferences file created by Cerberus and Ermac. We can easily see that Ermac malware has the same elements as Cerberus, and there are also new entries representing new capabilities in Ermac.

Figure 1: Cerberus shared preference.

Figure 2: Ermac shared preference.

How Ermac is unique

The capabilities of Ermac were already discussed in depth. However, it is worth mentioning that Ermac malware contains a different packer than Cerberus. The Ermac packer is open source and can be found online.

This is yet more evidence that Ermac could be a new operator and that the threat actor is actively maintaining the leaked Cerberus code and constantly evolving Ermac’s code base.

Figure 3: This is the first page presented once connecting to the Ermac command and control server.

A deep dive into the Ermac command and control server (C&C) user interface (UI) reveals the differences between Cerberus and Ermac and provides a unique glimpse into the Ermac functionality, monetization scheme and features under development. IBM Trusteer researchers have discovered two new beta capabilities in the Ermac malware: ransomware and a virtual private network (VPN) connection.

Wide-ranging capabilities

These images taken from the C&C demonstrate Ermac’s different capabilities.

Figure 4: ERMAC C&C bot management page.

The data that the C&C manages is organized in a structured table with multiple columns.

The first column shows the ID that is generated for each bot. We can also see the different actions and device modes: for example, if the user is currently watching the screen, whether different models are loaded and so on.

The next column stores information about the victim’s device and operating system version.

Column three stores different tags regarding the bot’s status; for example, “favorite,” “blacklist” and “trash.”

The next column is called GEO and stores information about the country and device location of the bot.

Next, there is information regarding the malware installation date and time and the last time the bot was successfully connected to the C&C.

The “injection” column contains the different applications on which the malware can perform overlay attacks.

The “action” column lists the different actions the C&C operator can command the bot to perform on the victim’s device. These actions include open inject, forward calls, clear application data and more (see Figures 8-13).

The logs column contains the raw data exfiltrated from the victim’s device, including the contact list, 2FA, list of installed applications, application notifications, keystrokes log and more.

Figure 5: Ermac capabilities.

One of the most interesting screens is the “Auto command,” which is still in beta mode. On the screen, we can see capabilities like sending SMS, opening inject (overlay screen), grabbing the contacts list and the killbot, which is an Ermac self-destruct switch. We can also see unique commands such as “Clear app data” and “Get Accounts.”

Visibility to the C&C exposes new commands still under development: “beta Ransomware” and “beta Set bot VPN.”

Figure 6: Ermac events.

Here, we can see Ermac events. All activities of the bots can be seen in this figure.

Figure 7: Devices list screen (in development).

Another capability that is still under development is the ability to upload or download files from the bot itself. In production, this allows the bot operator to have more control over the victim’s machine and opens the door to new attack tactics.

Figure 8: Bot commands.

The malware operator can choose any of the infected devices, initiate a call from that device and even pick which SIM to use for the call. The “lock screen” checkbox can be turned on or off. While on, Ermac shows the victim a fake screen during the entire duration of the call, thus hiding the ongoing call from the victim while preventing any other use of the device.


Figure 9: Calling command.

Figure 10: SMS command.

The clear cache command can be used to clear all the data of an app. When the malware clears the data, it also clears the cache.


Figure 11: Clear Cache command.

The fraudster can lure victims to open their bank application by sending a push notification with a text from the “bank.”

Figure 12: Send Push command.

The fraudsters can steal the crypto wallet seed phrase stored on the user’s device and later use it to log in to the victim’s account without having to prove their identity.

Figure 13: Get Seed Phrase command.

In the C&C user management panel, we can see all the users and roles that exist in the system. This demonstrates that Ermac is built to be operated in a fraud-as-a-service (FaaS) model. The Ermac operator, “root,” can create a new user and password from this screen that can later be used by a fraudster client to manage their bots by logging into the C&C using this new user.

Figure 14: C&C user management panel.

Figure 15: C&C user management panel “Create New User” screen.

When the admin creates a new user, they can pick a token (password) for the user to log in with and can assign a role to the user.

Figure 16: C&C user management panel “Create New User” screen defines a role.

Figure 17: Permissions screen.

Each role has its own permission profile that is managed on the permissions screen.

Fraud as a service continues to evolve

Although the risk Ermac poses is very similar to that of Cerberus, Ermac has some new capabilities that have not been seen before. It is one of the more sophisticated Cerberus mutants because of the new capabilities it offers, such as “ransomware” and “set bot VPN.”

We expect to see more mutations with new capabilities using Cerberus’s leaked code. It is interesting and rare to have a look from “the other side” of malware, as we have done in this article, to see the C&C and how fraudsters manage and control bots all over the world.

IBM Trusteer researchers will continue to monitor changes in the malware and keep you updated.

The author would like to thank Nethanella Messer and James Kilner for their contribution to this article.

Pentesting vs. Pentesting as a Service: Which is better?
https://securityintelligence.com/articles/pentesting-vs-pentesting-as-a-service/ (Wed, 15 Nov 2023 14:00:00 +0000)

In today’s quickly evolving cybersecurity landscape, organizations constantly seek the most effective ways to secure their digital assets. Penetration testing (pentesting) has emerged as a leading solution for identifying potential system vulnerabilities while closing security gaps that can lead to an attack.

At the same time, a newer entrant into the security arena is Pentesting as a Service (PTaaS). Although PTaaS shares some similarities with pentesting, distinct differences make them two separate solutions.

This article will discuss how these methodologies function, their applicability in different contexts and how they can enhance an organization’s cyber readiness.

What is involved with penetration testing (pentesting)?

Penetration testing, popularly known as pentesting, is a proactive and authorized effort to evaluate the security of an IT infrastructure. However, the process of pentesting is not just about finding loopholes and reporting them. Pentesting services like IBM’s X-Force Red apply a comprehensive process that involves several stages:

  1. Planning and reconnaissance. This is the initial stage, where the pentesting team defines the scope and goals of the test, including the systems to be addressed and the testing methods to be used. They also gather intelligence (like domain names and mail servers) to understand how the target works and identify potential areas of vulnerability.
  2. Scanning. This step involves using automated tools to understand how the target application will respond to different intrusion attempts. This can be done through static analysis (inspecting an application’s code to estimate its behavior while running) or dynamic analysis (inspecting an application’s code in a running state).
  3. Gaining access. Here, the pentester uses web application attacks, such as cross-site scripting, SQL injection and backdoors, to uncover a target’s vulnerabilities. The aim is to exploit these vulnerabilities by escalating privileges, stealing data, intercepting traffic, etc., to understand the damage they can cause.
  4. Maintaining access. This stage aims to see if the vulnerability can be used to achieve a persistent presence in the exploited system, mimicking the activities of advanced persistent threats (APTs).
  5. Analysis and reporting. The final step involves compiling a detailed report with the vulnerabilities discovered, the data accessed and how long the pentester could remain in the system unnoticed. This report can provide valuable insights into potential damages in an actual attack and recommendations for preventing them.

Types of penetration testing

Pentesting can cover various areas and can be deployed for different purposes. Some of the most popular types include:

Application testing

Application testing is specialized penetration testing targeting software applications like web-based, mobile and desktop applications. Its main goal is to uncover any vulnerabilities in an application’s architecture or code to protect it from cyberattacks.

Through a meticulous testing process, several vulnerabilities can start to show. These vulnerabilities may include SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and other critical risks identified by the Open Web Application Security Project (OWASP).

Network testing

Here, the focus shifts to an organization’s network infrastructure. Network pentesting aims to identify weak spots in internal and external networks that attackers could leverage.

This type of testing can reveal vulnerabilities related to insecure protocols, misconfigured firewalls, unpatched network devices or weak network device passwords. The insights from network testing can be invaluable in fortifying the organization’s first line of digital defense.

Personnel testing

Often overlooked, personnel testing is a vital aspect of a comprehensive pentesting strategy. Also known as social engineering testing, this approach targets the human element within an organization.

It involves simulated phishing attacks, pretexting, baiting and other tactics designed to trick employees into revealing sensitive information or granting unauthorized access. The results of personnel testing can inform targeted cybersecurity training and awareness programs.

Hardware testing

Last but not least, hardware testing involves probing physical devices such as servers, workstations, network routers and switches for vulnerabilities. This could mean exploiting firmware vulnerabilities, USB ports or other physical access points. In an age where IoT devices are proliferating, hardware testing is becoming increasingly important to ensure the security of all interconnected devices.

How is Pentesting as a Service (PTaaS) different?

Pentesting as a Service (PTaaS) is an emerging cybersecurity concept quickly gaining traction. With its innovative approach and numerous advantages, PTaaS enables organizations to efficiently and effortlessly carry out penetration tests.

By harnessing the power of the cloud and offering on-demand accessibility, PTaaS streamlines the testing process, enhances scalability and provides more flexibility for organizations.

So, how is PTaaS different from traditional pentesting? Below are some key distinctions:

Continuous testing

Traditional pentesting provides a snapshot of your security posture at a specific moment. However, with the ever-evolving nature of cyber threats, this approach may not accurately assess ongoing security risks. In contrast, PTaaS offers continuous testing capabilities, allowing you to constantly monitor your systems for vulnerabilities. This ensures that your defenses are always up-to-date and effective.

Scalability and flexibility

With PTaaS, you can scale your testing efforts up or down based on your current needs. This flexibility is particularly beneficial for businesses with fluctuating demand or those undergoing rapid growth. Traditional pentesting, with its more rigid structure, may not offer the same level of scalability.

Real-time reporting and collaboration

One of the standout features of PTaaS is its real-time reporting capabilities. Through a dedicated platform, stakeholders can view test results in real-time, track progress and even collaborate directly with testers. This level of transparency and collaboration is rarely found in traditional pentesting.

Cost-effectiveness

PTaaS operates on a subscription model, which can be more cost-effective than hiring external pentesters or maintaining an in-house team. You pay for what you use, making it an affordable option for many businesses.

Integration with DevOps

PTaaS solutions can often integrate seamlessly with existing DevOps workflows. This integration allows for regular code scanning in the development phase, enabling early detection and remediation of vulnerabilities.

Are there any disadvantages of PTaaS when compared to traditional pentesting?

As with any technology or service, PTaaS has potential drawbacks. While it offers numerous advantages over traditional pentesting, there are a few considerations that organizations should bear in mind:

  1. Potential for oversights. Automated scanning tools used in PTaaS are great for identifying common vulnerabilities quickly, but they may miss complex or business logic-based vulnerabilities that a human pentester might catch. Traditional pentesting, particularly when carried out by experienced professionals, can sometimes provide a deeper, more nuanced understanding of your security posture.
  2. Less customization. While PTaaS offers scalability and flexibility, it may not meet the specific security requirements of every organization. A one-size-fits-all approach may not be effective for addressing unique security needs.
  3. Data security concerns. Given that PTaaS operates in a cloud-based environment, there could be concerns about the security of sensitive data. While most providers have stringent security measures in place, it’s important to understand how your data will be handled and protected.
  4. Limited scope. Some PTaaS solutions might only focus on certain security aspects, such as web application testing, and may not comprehensively evaluate all potential attack vectors. In contrast, traditional pentesting can cover many areas, from network and application testing to social engineering and physical security tests.

Choose the right solution for your organization

Ultimately, the decision between traditional pentesting and PTaaS will depend on the organization’s specific needs and budget. A combination of both approaches can provide the best outcome for most businesses.

While specific tasks may be best suited to a traditional pentesting approach, others can benefit from the cost-effectiveness and scalability of PTaaS. The key is identifying where you need the most help and choosing the option that best meets your security requirements.

How I got started: Attack surface management
https://securityintelligence.com/articles/how-i-got-started-attack-surface-management/ (Thu, 12 Oct 2023 13:00:00 +0000)

As the threat landscape multiplies in sophistication and complexity, new roles in cybersecurity are presenting themselves more frequently than ever before. Attack surface management is one example.

These cybersecurity professionals are responsible for identifying, mapping and securing all external digital assets an organization owns or is connected to. This includes servers, domains, cloud assets and any other digital points that could be exploited by cyber criminals. Their role involves continuously monitoring these assets for vulnerabilities, misconfigurations or other potential security risks and implementing measures to mitigate these risks. They also work to reduce the organization’s overall attack surface by eliminating unnecessary access points and ensuring that all remaining ones are properly secured.

In this exclusive and informative Q&A, we spoke with Sara Lipala, lead technologist, attack surface management for Booz Allen Hamilton. Lipala is an accomplished cybersecurity professional with over five years of experience in the manufacturing and consulting industries, with a focus on vulnerability management, patch management and comprehensive attack surface management.

Did you go to college? What did you go to school for? If not, what certifications did you obtain?

I attended Montclair State University, where I completed a Bachelor of Science in Information Technology with a Computer Science minor. On top of my university education, I’ve obtained industry certifications, including the GIAC Enterprise Vulnerability Assessor Certification (GEVA), Harvard’s Managing Risk in the Information Age, ITILv3 Foundations Certificate and vendor-specific certifications including Qualys: VMDR, Scanning Strategies and Best Practices, Vulnerability Management, Web Application Scanning and Container Security.

What was your first role in IT? If it wasn’t in security, what pushed you to pursue security?

My first role in IT was at my university’s IT Service Desk, where I provided tech support to students and staff. My next role was an IT Operations Analyst Intern, where I primarily focused on change management activities. It was within this role that I had the opportunity to shadow and work directly with the cybersecurity team, which really sparked my interest in the field. I was excited by how rapidly things change and the prospect of building a strong defense for an organization, which then led to further excitement about how much information there was to learn!

A blue team defensive role requires a strong understanding of a variety of topics in order to ensure you’re approaching cybersecurity risks from a holistic view while being aware of where exactly the vulnerability lies and how to manage it. I found myself enjoying the challenge of staying ahead of attackers. I completed my internship and then transitioned to working on the cyber team full-time post-graduation.


What is the most valuable skill you learned in your role?

The most valuable skill I’ve learned in my role is risk prioritization. It’s easy to become overwhelmed by the attack surface of an organization — there’s data coming from a multitude of sources that all have “top priority” findings. Due to resource restraints, it’s often impossible to address all top-priority findings at once. Prioritizing vulnerabilities means that you focus on the most critical findings based on risk likelihood and the potential impact of exploitation.

For example, a high-severity internet-facing vulnerability carries a much greater remediation urgency over a high-severity vulnerability on a well-protected sandbox server on the internal network.

Risk prioritization also adds meaningful and impactful context to a vulnerability report. This allows the audience to understand what the vulnerability findings actually mean in terms of risk to the organization rather than a solely quantitative metrics report. Prioritizing security risk also provides visibility to leadership for the effective allocation of resources to mitigate and/or remediate the findings. Developing this skill helps create clarity out of chaos.

What soft skills do you think make a person successful in cybersecurity, and specifically in attack surface management?

A few soft skills I believe are required for success in cybersecurity are determination, organization, levelheadedness, attention to detail and the ability to communicate clearly and confidently.

Cybersecurity, by nature, can present stressful situations in response to threats or attacks. In those circumstances, it’s important to be able to seek out and review a lot of information, summarize it and then deliver findings in a comprehensive, polished way.

Specific to attack surface management, I’d elaborate on the ability to effectively communicate to a variety of teams and levels within the organization. Vulnerability findings may point you to a less technical application owner within the business, and it’s imperative to convey the security risk and next steps in a digestible format. Other times, you’ll need to deliver metric reports to business leaders with a different focus and set of requirements.

Additionally, attack surface management requires working with various remediation teams to address specific findings. You’re also regularly working with different teams within cybersecurity, such as incident response, security architecture and GRC. It’s helpful to learn who’s responsible for specific areas of the business in order to effectively work with appropriate teams.

Any parting thoughts or final advice to someone interested in your type of role?

Attack surface management utilizes a lot of open-source intelligence data that is readily available online. I’d recommend checking out Zero Day Initiative, Internet Storm Center, CISA’s Known Exploited Vulnerabilities Catalog, the OWASP Risk Rating Methodology and the NIST Cybersecurity Framework to learn more about what goes into the role. There are also community editions available from tools like Qualys and Tenable, in addition to forums and online training certificate courses, all for free! It’s crucial to stay on top of industry innovations and cybersecurity news.

I’d also advise someone to not be overwhelmed by the breadth of topics related to attack surface management. Operational knowledge across multiple domains such as cloud computing, penetration testing, security architecture, security compliance, networking, operating system and application level patching and web application security is all very useful, but you don’t need to be an expert in every area when starting out.

I’ve learned a lot from mentors and coworkers on different teams, in addition to seeking out information on my own. Every time you come across something new, there’s an opportunity to learn even more. Don’t be afraid to ask questions or admit that you need additional information to gain a better understanding. We’ve all been there! I’d also advise women to not get discouraged by being the only female at the table, in the room or on the team. The gender disparity in cybersecurity is improving but still very much exists, and it’s important that we continue to challenge it together.

Does your security program suffer from piecemeal detection and response?
https://securityintelligence.com/posts/does-your-security-program-suffer-piecemeal-detection-response/ (Thu, 05 Oct 2023 11:00:00 +0000)

Many organizations face siloed and disjointed threat detection and response systems as part of their security program. Learn how to treat the affliction known as piecemeal detection and response.

Piecemeal Detection and Response (PDR) can manifest in various ways. The most common symptoms of PDR include:

If any of these symptoms resonate with your organization, it’s time to address PDR.

I know what you’re thinking: PDR isn’t really a thing. You’re right that there is no industry PDR term, even though the security industry already has an overloaded number of “DR” terms (EDR, NDR, CDR, MDR, XDR, TDIR and so on), but the sentiment behind our playful acronym is certainly real. Case in point: look at the number of “DR” acronyms in the previous sentence. The industry as a whole is fragmented, and this has resulted in many enterprises suffering from PDR.

Why PDR happens

PDR side effects often include malaise, restlessness, a sense of unmanaged risk, a willingness to get distracted by generative AI, a compulsion to attend conferences outside of the office and an uncharacteristic joyfulness when attending budget meetings. This all results from the fact that the road to recovery from PDR can often be difficult. How did you get PDR anyway?

PDR may have snuck into your security program. You were happy with your SIEM, and then endpoint detection and response (EDR) came along and demanded to run “outside the SIEM,” and you thought, “That’s not so bad.”

Then attack surface management (ASM) came along and didn’t integrate with anything, but you knew you couldn’t detect and respond to threats in assets that you don’t know about, so you needed to buy that stand-alone ASM tool.

Identity threat management came along but that was only available from your current identity vendor and didn’t integrate with your user behavior analytics (UBA) system. Next thing you know you’ve got PDR.


Five treatment goals for PDR

1. Consolidation

We’re not just talking about vendors, but tool and workflow consolidation. Most of the new security technologies you bought as an independent capability over the last 3-5 years have been paired or integrated by a vendor looking to capture market share by adding adjacent capabilities. Make sure you understand what can be “good enough” versus “best in class” when looking to consolidate capabilities. If you’re consolidating vendors, select vendors that first and foremost commit to extensibility and integration.

2. Proactive security

Instead of merely reacting to threats, focus on proactive measures. Reduce your attack surface by investing in exposure management. Establish a program that includes services such as code analysis, attack surface management, enterprise detection engineering, penetration testing, adversary simulation, threat hunting, and vulnerability management.

3. Zero trust in the cloud

You might be wondering how zero trust earned a spot in a detection and response to-do list. I recognize that distributed (aka federated) enterprise threat detection and response (TDR) is still maturing.

A common scenario today is a hybrid cloud environment that uses cloud-native capabilities, but because extracting data from cloud hyperscalers is cost-prohibitive, security teams end up supporting two disconnected environments. Until federated detection and response tooling improves, the best universal strategy is to use the cloud detection and response tooling needed to support the business transition to cloud, while focusing more security attention on prevention when adopting cloud-native security capabilities. Ensure all the zero trust concepts you worked so hard to define and implement in your legacy environment also extend to your cloud environments.

4. Strategic planning

Take an inventory of your current PDR capabilities and define your future state. Realize that your strategy may need to play out over multiple years.

5. Threat management architect

Appoint a threat management architect with both technical expertise and the ability to evangelize security principles. They should understand the holistic concept of cyber resilience, which encompasses more than backups and recovery: it also means anticipating and preparing for threats while maintaining business continuity.

Seeking help from a PDR professional

If PDR is deeply embedded in your organization, consider enlisting the expertise of a PDR professional. Look for a professional with advanced capabilities who can enhance your existing investments rather than pushing for new software adoption. They should offer a range of services, including application and database security, and be well-versed in cloud environments. Ensure your chosen PDR professional can provide a comprehensive portfolio of services, spanning threat prevention to incident response.

Overcome PDR with threat detection and response services

IBM Consulting has services professionals who are certified PDR recovery professionals. The new Threat Detection and Response (TDR) service from IBM’s Cyber Threat Management Services is designed with many of the principles covered here. You don’t need to make a massive investment in AI; we’ve been doing that for years. You don’t need to rip and replace any of the investments you’ve made; we support the broadest ecosystem of vendors.

Starting with TDR is as simple as joining us for the webinar on November 1 to learn more, or reading the press release to learn how you can reduce cyber risk and lower incident costs by 65% with the Threat Detection and Response service. You can also check out our recent managed detection and response (MDR) market leadership in this KuppingerCole Report.

We’ll get you on the road to PDR recovery in no time.

How I got started: SIEM engineer
https://securityintelligence.com/articles/how-i-got-started-siem-engineer/
Thu, 28 Sep 2023 13:00:00 +0000
https://securityintelligence.com/?p=445871

The post How I got started: SIEM engineer appeared first on Security Intelligence.


As careers in cybersecurity become increasingly more specialized, Security Information and Event Management (SIEM) engineers are playing a more prominent role. These professionals are like forensic specialists but are also on the front lines protecting sensitive information from the relentless onslaught of cyber threats. SIEM engineers meticulously monitor, analyze and manage security events and incidents within an organization. They leverage SIEM tools to aggregate and correlate data, enabling them to detect anomalies, identify potential threats and respond swiftly to security incidents.

In their arsenal of tools, SIEM engineers also employ Security Orchestration, Automation, and Response (SOAR) and Extended Detection and Response (XDR) products. SOAR is a suite of solutions that allow organizations to collect data about security threats from multiple sources and respond to low-level security events without human assistance. It streamlines and automates the response process, enabling SIEM engineers to focus on more complex tasks. XDR solutions unify control and visibility across multiple security layers (endpoints, network and servers), extending detection and response capabilities beyond the traditional perimeter and providing a holistic view of the threat landscape. By integrating SOAR and XDR into their workflows, SIEM engineers can enhance their threat detection capabilities, automate repetitive tasks and respond to incidents more efficiently and effectively.

This article aims to help aspiring SIEM engineers on their career journey, shedding light on the skills, qualifications and experiences that will equip them for this challenging yet rewarding profession.

In this exclusive Q&A, we spoke with Rod Soto, a senior principal security research engineer for a leading SIEM solution provider. He has years of experience as a SIEM engineer and is a regular presenter at many cybersecurity conferences, researcher for HackMiami and founder of Silicon Valley’s Pacific Hackers Meetup group.


Did you go to college?

Yes, I went to college. I have a bachelor’s degree in Psychology.

What did you go to school for? If not, what certifications did you obtain?

Psychology. I did obtain several IT Security certifications such as CISSP, Security+, Pentest+, GIAC, INE, etc.

What was your first role in IT?

System administrator.

If it wasn’t in security, what pushed you to pursue security?

I was always interested in information security and the hacking culture.

What is the most valuable skill you learned in your role?

Learn to think outside the box.

What soft skills do you think make a person successful a) in cybersecurity and b) specifically in SIEM engineering?

You have to have the ability to communicate and put yourself in someone else’s shoes, and the ability to learn new things and technologies that will work with or integrate with SIEM.

Operating SIEM usually involves operators being able to pick up on abnormal signals, which then need to be triaged and discussed with teams of peers and superiors. The ability to spot and communicate the reasoning behind chosen alerts or incidents is fundamental to maintaining efficient operations. Also, many times when in SIEM, operators will have to communicate with either internal clients (other departments or users) or external clients.

Any parting thoughts or final piece of advice to someone looking into becoming a SIEM engineer?

Learn the fundamentals of manipulating text and logs. Operation and knowledge of *nix operating systems are very important. Networking skills and knowledge of TCP/IP are also necessary, and this will also include packet analysis skills (Wireshark, tcpdump). Some security certifications, such as Security+ or CCNA Cyber, can help a lot in understanding security fundamentals, data labels and security operations center fundamentals.

Become familiar with SIEM technology vendors as well, download free versions of them and practice; many of them have free training and certifications — take them.

How IBM secures the U.S. Open
https://securityintelligence.com/posts/how-ibm-secures-us-open/
Wed, 20 Sep 2023 13:00:00 +0000
https://securityintelligence.com/?p=445802

The post How IBM secures the U.S. Open appeared first on Security Intelligence.


More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire lifecycle of the AI models that produced key app features such as Match Insights and AI Commentary, which used large language models to generate spoken commentary for US Open match highlights. And a team of IBM cybersecurity experts kept the entire digital operation safe and secure, ensuring a seamless, uninterrupted experience for fans.

Preparing the surface network

During a typical tournament, the US Open digital platform can be on the receiving end of millions of security attacks. Because a single cybersecurity event can disrupt the digital experience, keeping data safe and networks operational is a top priority.

To do it, the IBM Security team begins work long before the tournament begins, using IBM Security Randori Recon to strengthen cyber defenses across the entire US Open digital network. Like checking for open windows or unlocked doors, this reconnaissance software seeks out any vulnerabilities that may be attractive to hackers, such as expired SSL certificates and outdated copyrights. Additionally, Randori Recon checks third-party vendors and tools used as part of the tournament’s digital experience, some of which can increase the attack surface area of the network and introduce new security risks for the tournament.

Once the tool finds areas at risk, the IBM team works to fix the issues, such as patching vulnerabilities. Because Randori Recon ranks the vulnerabilities, the team knows which issues are the highest priority and need attention first. The IBM team also works with the third parties as needed to make sure their issues are solved before the tournament.


Monitoring potential threats in real-time with QRadar

After the tournament begins, the activity picks up both in terms of cybersecurity incidents and monitoring. As with previous tournaments, the IBM team uses IBM Security QRadar for threat detection. The tool uses AI to determine a threat level, triage which incidents need human intervention and even help remediate some issues. For example, the team may decide to shut down a port or analysts may closely monitor a specific IP address based on QRadar recommendations.

To add more context, QRadar uses AI to cross-reference attack data against global threat intelligence databases, like the IBM X-Force Exchange. The tool can correlate seemingly harmless incidents with similar activity that together may constitute a more coordinated, global attack, prompting a much different response.

The future of the US Open

By setting up the workflow and infrastructure with Randori Recon and QRadar, IBM keeps the action focused where it needs to be — on the courts. As the USTA adds new digital features, such as AI Commentary, IBM ensures the necessary processes and technology are in place to protect the overall digital experience.
