As we dig into vulnerability management we uncover both old and new challenges. We still struggle with developing and maintaining an accurate asset inventory. We also, still, struggle to prioritize and execute remediation. There are many new approaches to solving these problems, from ad-hoc scanning to automation of all the things. Get our take on vulnerability management in this segment!
CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey.
SC Media debuts its all-new SC digital experience, fully integrated with Security Weekly podcast content and more. The new site increases the scope and scale of original content resources from editorial staff, contributors, and the far-reaching CyberRisk Alliance network. Visit www.scmagazine.com to check out the new look!
This week in the Enterprise News: Latent AI, Optiv Security Launches Next-Gen Managed XDR, An Intriguing Update to Mandiant Advantage, ReversingLabs raises $56M to combat software supply chain, Morphisec Announces New Incident Response Services, & more!
Interestingly, they’re Cambridge-based and have been around since 2009. They got an investment from In-Q-Tel in 2011, but nothing after that until their Series A in 2017. This suggests they must have been fairly bootstrapped and self-sufficient but then decided to take funding and scale, or just have eyes on an exit.
ReversingLabs is best known for scanning files for threats, from many different sources, at a massive scale.
NortonLifeLock and Avast to Merge to Lead the Transformation of Consumer Cyber Safety – 10 or even 5 years ago, this might have been huge news, but in 2021 it seems less about dominance and more about survival, as the market share of traditional AV companies continues to wane. According to OPSWAT’s monthly market share reports (which do have a limited sample size, so take them with a grain of salt), AVAST was on top back in 2017. McAfee took the top spot in 2019 as Symantec was going through changes and splitting up into NortonLifeLock, with the rest of the company going to Broadcom (I’m assuming the also recently-acquired Computer Associates would absorb the Symantec assets and staff). These days, Symantec and AVAST seem to have almost equal market share, which combined is only about 26%.
But that’s 26% of what OPSWAT can SEE, and they have a few HUGE blind spots: Microsoft and all the NGAV companies (SentinelOne, Blackberry Cylance, Carbon Black, Crowdstrike, etc.).
ThreatX API Catalog enables enterprises to reduce risk and protect critical APIs – “ThreatX’s API Catalog gives enterprises visibility into legitimate, suspicious and malicious requests that hit their APIs. By analyzing and profiling actual traffic, ThreatX discovers and profiles API endpoints, providing users with enhanced visibility into legitimate, rogue and zombie APIs in production.” – Zombie APIs sound awesome; do you kill them with a headshot?
Qualys scans Red Hat Enterprise Linux CoreOS on Red Hat OpenShift to reduce risk – “Teaming with Red Hat, Qualys is offering a unique approach providing a containerized Qualys Cloud Agent that extends security to the operating system. The Cloud Agent for Red Hat Enterprise Linux CoreOS on OpenShift combined with the Qualys solution for Container Security provides continuous discovery of packages and vulnerabilities for the complete Red Hat OpenShift stack. Built on the Qualys Cloud Platform, Qualys’ solution seamlessly integrates with customers’ vulnerability management workflows, reporting and metrics to help reduce risk.” – Great enterprise feature.
Black Hat 2021: What we don’t know may be the greatest cybersecurity threat – So much this: “‘Who is responsible for security when everyone is responsible for security,’ Wyler said, in reference to the platform vendors… I heard this sentiment echoed numerous times in different briefings throughout the show, and it definitely isn’t the first time I’ve heard this during my relatively short time in the industry. Without a definitive answer to the question, ‘whose job is security?’, we’re left to determine what the answer is for our own organizations.”
Morphisec Announces New Incident Response Services as Enterprise Attacks Escalate – “Morphisec’s new IR services aim to assist these organizations with containing in-progress incidents, reducing damage, providing recommendations for long-term risk reduction, and auditing critical infrastructure to ensure the lowest possible risk exposure to a cyberattack. The company’s highly experienced and on-demand IR team will be led under the direct supervision of the CTO’s office.”
Automate Validation of Your Security Controls with SafeBreach & Cortex XSOAR – I really like this concept: “By automatically executing thousands of attacks, safely and continuously, SafeBreach helps identify high-priority weaknesses in your security defenses. The data-driven simulation results are mapped to an interactive heat map of the MITRE ATT&CK® framework for automated remediation of high-priority exposures with Cortex XSOAR. Following remediation, Cortex XSOAR triggers SafeBreach to rerun the attack simulations to validate that hardening of your defenses was successful across your network and endpoint controls.”
Risk Scoring is the Secret to a Successful Risk-Based Vulnerability Management Program – I’m not big on industry comparisons, but the rest is sound: “Impact – If this vulnerability were to be exploited, how severe would its impact be? Likelihood – How likely is it that an attacker can and will attack this space? Environmental Modifiers – Think broadly about the asset and the environment in which the vulnerability is located. Temporal Modifiers – Focuses on exploit code maturity, confidence, and remediation requirements. Temporal modifiers bring your risk score to life. Industry Comparisons – How does your risk compare to other organizations or peers in your sector? Threat Actors – Are threat actors actively exploiting vulnerabilities present in your environment? Remediation Risk – Using the remediation SLAs available through PTaaS, all vulnerabilities are automatically assigned customizable due dates. Use remediation risk to determine your aggregates that require attention from a compliance perspective.”
CMO at JupiterOne
3. Automate Hacker Knowledge & Community in Learning InfoSec – Carolin Solskär, TJ Null – 02:00 PM-02:30 PM
The reason our founder started Detectify is that they wanted to automate hacker knowledge and make it scalable. This is very different from how most hackers work today and what we believe will revolutionize hacking.
Tony “TJ Null” from Offensive Security will discuss the role of the community in learning infosec, particularly pentesting, and also in continuing education. Additionally, he will offer some practical tips on learning pentesting with help from the community.
Carolin Solskär – Community Manager, Detectify Crowdsource at Detectify
Carolin is the Community Manager for Detectify Crowdsource; an invite-only platform for ethical hackers. Detectify Crowdsource works differently from most bug bounty platforms; instead of hacking one company at a time, we focus on commonly used technologies, so that all companies using that technology can be protected.
Tony ‘TJ Null’ Punturiero – Community Manager at Offensive Security
Tony Punturiero (aka @tjnull) of OffSec is an experienced pentester and red teamer for a government contractor and is known for his great passion for educating and mentoring others. TJ is also an Adjunct Professor for a local community college teaching cybersecurity courses and coaches one of the top community college cyber teams in the State of Maryland.