esw237

Enterprise Security Weekly Episode #237 – August 04, 2021

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. Cyber Hat Trick: How Ransomware Gangs Exfiltrate, Encrypt & Exploit – 06:00 PM-07:00 PM

Sponsored By

sponsor
Visit https://securityweekly.com/extrahop for more information!

Announcements

  • Security Weekly Unlocked will be held IN PERSON this December 5-8 at the Hilton Lake Buena Vista!

    We are excited to announce our first round of speakers: David Kennedy, Alyssa Miller, O’Shea Bowens, Marina Ciavatta, Patrick Coble, Chris Eng, Eric Escobar, Kevin Johnson, and Justin Kohler!

    Visit https://securityweekly.com/unlocked to register and check out our rockstar lineup!

Description

Exfiltrate. Encrypt. Exploit. In 2021, ransomware attackers moved beyond exfiltrating and encrypting data to extract a ransom, working to compromise the victim’s build server to introduce an exploit through which to launch large scale attacks. VP of Cloud Security Matt Cauthorn joins Security Weekly to walk through the lateral movements these attackers use to pull off the Cyber Hat Trick.

This segment is sponsored by ExtraHop Networks.

Visit https://securityweekly.com/extrahop-rsac to learn more about them!

– encrypting data is one way – they have a portfolio of attacks, they do whatever they can do to extort and make money

– too many ways to hide the money! – Moving towards the Internet of ownership, bad actors can just own our stuff.

– ransomware is the ultimate disruption, tech debt is real! – predatory lending scheme.

– More decentralization is needed to help combat attackers, not have one point of failure.

– Are we just moving the problem to the cloud? – Does it help with RBAC and permissions? permissions to network interfaces? Lifting and shifting has to evolve, its available, you just have to learn it.

– if there is no one central thing to encrypt, but its distributed somehow?

– how do you really own and protect your accounts? Map it back to blockchain?

Guest(s)

Matt Cauthorn

Matt Cauthorn – VP Cloud Security at ExtraHop

Matt Cauthorn is responsible for all security implementations and leads a team of technical security engineers who work directly with customers and prospects. A passionate technologist and evangelist, Matt is often on site with customers working to solve the complex and mission-critical business problems that Fortune 1,000 and global 2,000 companies face. After years spent helping customers tap into the value offered by network-based analytics, Matt has been able to bring fresh thinking to security threat detection. Prior to ExtraHop, Matt was a Sales Engineering Manager at F5 and before that he started his career in the trenches as a practitioner where he oversaw application hosting, infrastructure, and security for five international data centers.

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

AprilWright

April Wright

@aprilwright

Preventative Security Specialist at Architect Security

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

2. The State of CyberSecurity Ops in a Ransomware Filled Hybrid Work World – 07:00 PM-08:00 PM

Sponsored By

sponsor
Visit https://securityweekly.com/fortinet for more information!

Announcements

  • SC Media debuts its all-new SC digital experience, fully integrated with Security Weekly podcast content and more. The new site increases the scope and scale of original content resources from editorial staff, contributors, and the far-reaching CyberRisk Alliance network. Visit www.scmagazine.com to check out the new look!

Description

Ransomware is flourishing and our endpoints are scattered outside the corporate network. Visibility is a challenge in this age of decentralized corporate assets.

Our discussion today will explore the problem from two sides. On the endpoint, where much of the battle against ransomware tends to be fought, is prevention a lost battle? Regardless of hopes for better prevention, it is clear that the ability to detect and respond is as important as ever, so we’ll discuss how security operations should be positioning themselves.

This segment is sponsored by Fortinet.

Visit https://securityweekly.com/fortinet to learn more about them!

Guest(s)

David Finger

David Finger – VP Product Marketing at Fortinet

David Finger has spent more than 14 years in the enterprise security space, currently at Fortinet and previously with Trend Micro, ProofPoint and Sana Security among others. His direct customer engagement spans security challenges and solutions from endpoint and server through gateway and cloud, for both threat and data protection, all around the world.

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

AprilWright

April Wright

@aprilwright

Preventative Security Specialist at Architect Security

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

3. Corelight Smart PCAPs, Shifting Left, Tenable AD Security, & Tube Vulns – 08:00 PM-09:00 PM

Announcements

  • CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey

  • If you missed any of our previously recorded webcasts or technical trainings, they are available for your viewing pleasure at https://securityweekly.com/ondemand

Description

In the Enterprise News, Armis Identifies Nine Vulnerabilities in pneumatic tubes, Corelight Introduces Smart PCAPs, SolarWinds disputes lawsuit, Code42 and Rapid7 Partner, and more news from this week at BlackHat 2021!

Hosts

AdrianSanabria

Adrian Sanabria

@sawaba

Senior Research Engineer at CyberRisk Alliance

  1. SentinelOne Unveils Storyline Active Response (STAR) To Transform XDR – Struggling a bit through the word salad in this one also. This article is about “SentinelOne Storyline Active Response” (STAR), which is going to “transform XDR” Does that mean it isn’t XDR? Is it supplemental?

    It integrates with SentinelOne’s ActiveEDR.
    Replaces the need for manual and one-off EDR activities… by allowing customers to manually create automated rulesets?

    But then, SentinelOne’s Singularity XDR platform is built on top of STAR, apparently. So EDR + STAR = XDR, sounds like. EDR pulls the data and performs the actions, while STAR enables practitioners to create detection rules and pair them with automated responses.

    Oh, no – STAR is actually one of a pile of XDR “power tools”, so this is more like a module that plugs into Singularity XDR. They also have:
    – Extended Data Retention (which sounds more like extra hard drives, not a feature or tool)
    – Binary Vault (analyze new, unknown binaries – like WildFire or VirusTotal)
    – Remote Script Orchestration (collection of pre-made scripts for various stuff
    – Cloud Funnel (redirect EDR data to a different tool)

  2. NEW PRODUCT: Optiv Security Launches Next-Gen Managed XDR to Stop Threats Earlier in Attack Lifecycle, Minimize Business Impact – The overall trend of XDR is strong, and as we’ve mentioned on previous episodes is evolutionary, not revolutionary. A somewhat newer trend, however, is XDR offerings from MSSPs and in general, MSSPs trying to move towards valuations that look more like software companies than services companies. This started with the move from MSSP (we’ll keep it running) to MDR (we’ll find the attackers) and now to XDR (we’ll find the attackers better).

    SecureWorks built an XDR offering out of their Red Cloak EDR product, Arctic Wolf is being valued at software startup multiples, and Bishop Fox has taken funding from Forgepoint to create and market a subscription product. The big question is: can they do a better job of running security than we can? Should we welcome this change?

    Optiv is using Devo as the back end for its XDR product, which also begs the question: when a reseller gets into the software/ARR game, is it going to hurt their relationship with competing products that they sell? How does SentinelOne feel about Optiv’s XDR offering?

    Also, get a load of this word soup and what it takes to make a qualifying statement that’s unique in this insanely crowded market: “Optiv MXDR is the only managed cloud-based, next-gen advanced threat detection and response service that ingests data across various layers of technologies to correlate, normalize, enrich, and enable automated responses to malicious activity in real-time”

  3. FUNDING: DNSFilter Raises $30 Million in Series A Funding – $30m Series A is healthy, especially with names like Dmitri Alperovich attached to it. It’s apparently using a number of different methods, including AI, to determine if a DNS entry is malicious or not. If it’s a website, they do image analysis on it, like PIXM. They analyze the website content. They look at where the IP is hosted, who owns the domain, age of domain, etc. Some of that isn’t new, some of it is, but a DNS firewall still seems like an approach worth investing in. At least, as long as it doesn’t impact performance or run into too many false positives.

    Also, through this article, I learned that GCHQ’s National Cyber Security Center runs something called “Active Cyber Defense”, or ACD. The idea is that they’ll run secure services for the whole nation (including secure DNS), but it’s only available to government institutions so far. Read more about ACD here: https://www.securityweek.com/inside-uks-active-cyber-defense-program

  4. FUNDING: Bug Bounty and VDP Platform YesWeHack Raises $18.8 Million – YesWeHack isn’t new, it’s a bug bounty platform provider that has actually been around for a while. Because it caters specifically to Europe and European challenges (researcher residency) and constraints (GDPR), we don’t hear about it as much over here in the US. The $18.8m raise is a series B, which sounds about right for this market. I’m still not sure if the jury is in on whether these platforms can be profitable or how to value them properly. We haven’t seen an exit in this market and I’m not even sure what an exit would look like – I’ve struggled to imagine who an acquirer might be.
  5. FUNDING: Cyber Risk Management Firm Safe Security Raises $33 Million – This one is yet another scorecard vendor – the 7th on my list so far. The interesting bit here is that BT Group led the round, which got them exclusive rights to resell it.
  6. LEADING THOUGHTS: The Presenting Vendor Paradox – Daniel Miessler always has good pieces to make you think and this one is no exception. Talk content is often full of boring stuff from vendors and people generally want better content. The paradox lies in that a lot of the best experts that you want to hear from work for vendors. TL;DR here, in my opinion, is that the problem isn’t vendors giving talks, it’s vendors giving BAD talks. It’s not so much a vendor issue as a quality issue. Personally, I’ve probably seen more crappy talks given by non-vendors than vendors and this is always a challenge for event planners – how do you pick the best talks based on a 350-word abstract?
  7. Robo-Lawyer Valued at $210 Million With Backing From Andreessen
  8. FUNDING: Managed cybersecurity startup SolCyber emerges from stealth with $20M – SolCyber was founded by ForgePoint and was kicked off with a $20M round. They’re an MSSP and seem like they’re aimed squarely at some of that giant ArcticWolf valuation!
AprilWright

April Wright

@aprilwright

Preventative Security Specialist at Architect Security

PaulAsadoorian

Paul Asadoorian

@securityweekly

Founder at Security Weekly

  1. Tenable Helps Organisations Disrupt Attacks with New Active Directory Security Readiness Checks – ” Organisations can immediately use the checks to assess their exposure to a range of risks, including Kerberoasting attacks, poorly configured or managed passwords and vulnerable encryption protocols. From there, security teams can take remedial action to close these potential attack paths before they are used against them.” – This is great but 1) I want to automate fixing them as best I can 2) I want to know once the control has drifted back to a vulnerable state 3) I still need lots of monitoring as some things in AD can’t be easily fixed (This is not Tenable’s problem or fault, though I think they can do better in #1 and #2).
  2. Join the panel: Shifting security left with DevSecOps – The concept is pretty simple: You can’t just “Shift left” and magically have a secure application. Security testing and remediation must be applied to all stages of software development and application deployment stages. Wow, I made that sound easy, it’s not. You need automation and workflow processes and tools. For example, each time a new version of code is submitted (let’s say via Git), you should build the application, then scan it, then send the results back to someone who can fix it. The complicated parts: How many code commits should trigger a build? What should the application be scanned for and how? What results stop the build from going to production?
  3. Armis Identifies Nine Vulnerabilities in Critical Infrastructure Used by Over 80% of Major Hospitals in North America – And here I thought these were just used in banks: “nine critical vulnerabilities in the Nexus Control Panel, which powers all current models of Translogic’s pneumatic tube system (PTS) stations by Swisslog Healthcare. The Translogic PTS system is a critical infrastructure for healthcare used in more than 3,000 hospitals worldwide. The system is responsible for delivering medications, blood products, and various lab samples across multiple departments of a hospital. The discovered vulnerabilities can enable an unauthenticated attacker to take over PTS stations and gain full control over the tube network of a target hospital. This type of control could enable sophisticated ransomware attacks that can range from denial-of-service of this critical infrastructure to full-blown man-in-the-middle attacks that can alter the paths of the networks’ carriers, resulting in deliberate sabotage of the workings of the hospital.”
  4. Qualys : To Lead Four Sessions At Black Hat And DEF CON 2021 – This session: “Taming Vulnerability Management Overload” is described as “unpacks the importance of vulnerability patching to discuss why companies fail to patch promptly – even when patches are available – and other barriers companies face that delay patching.”. I really thought we’d be done talking about this, but we’re not. Also, Qualys has done a great job of enabling you to just apply the patch when a vulnerability is found. So, yea, you should just do that.
  5. Corelight Introduces Smart PCAP to Give Security Teams Immediate Access to the Right Network Evidence – “Smart PCAP is a new licensed feature that offers a cost-effective alternative to full packet capture, delivering weeks to months of packet visibility interlinked with Corelight logs, extracted files, and security insights for fast pivots and investigation. Unlike other solutions that offer selective PCAP capabilities, Corelight Smart PCAP is encryption-aware, tracks protocol activity across ports, and directly integrates with the security gold standard for network evidence, Zeek. With Corelight, analysts can configure and selectively capture packets based on:” – So are Smart PCAPs full PCAPs, or just the most significant bits?
  6. SolarWinds says shareholders’ cyber disclosure lawsuit fails – Do you believe this case should just be thrown out?
  7. Code42 : and Rapid7 Partner to Deliver Enhanced Detection and Investigation of Insider Threat Events – “Code42® Incydr™ product with Rapid7 InsightIDR. Security teams using InsightIDR with the Code42 Incydr integration will have the ability to identify, prioritize and triage the most critical insider threat events – data leakage, theft or malicious attempts to conceal file exfiltration. Code42 Incydr is the first data source dedicated to insider threat events to be accessible to InsightIDR users.”
  8. Ivanti Buys RiskSense To Boost Risk Assessment and Patch Intelligence Capabilities — Redmondmag.com
  9. SentinelOne Unveils Storyline Active Response (STAR) To Transform XDR
  10. Optiv Security Launches Next-Gen Managed XDR to Stop Threats Earlier in Attack Lifecycle, Minimize Business Impact
  11. WhiteSource Launches Cure, the Industry’s First Self-Fixing Software – Light on details, but I like where this is going: “Application security testing tools today are too often focused on finding issues, rather than fixing them, generating a constant flow of security alerts that overwhelms organizations. Meanwhile, processes for deciding what security issues to address first, and then fixing these issues are manual and time-intensive. This also requires security knowledge that even experienced developers, who are at the heart of the shift left revolution, might lack — let alone novice ones. WhiteSource Cure relieves the application security workload through automation, providing developers with code they can trust.”