Cyber Security Institute

Tuesday, July 26, 2016

IR News Security - 2016-07-26

Table of Contents

  • DEFCON CYBER™ Joins FireEye Cyber Security Coalition
  • Digital Forensics – A Presentation In The Courts
  • California sets cybersecurity example for states to follow
  • Joint Task Force: Forensics and Anti-Forensics
  • Digital response teams need full access to data to prevent threats
  • Attivo Networks Launches Attack Path Vulnerability Assessments for Continuous Threat Management at Black Hat
  • EVVO launches automated Security Operations Centre in Singapore
  • Former Splunk Security Executive Fred Wilmot Joins PacketSled as Chief Technology Officer
  • Spy Game: The Emerging Cybersecurity Realm of Threat Intelligence
  • AlienVault Unveils Latest Edition of Open Threat Exchange
  • ThreatQuotient Recognized on CRN’s 2016 Emerging Vendors List



DEFCON CYBER™ Joins FireEye Cyber Security Coalition 
MANASSAS, Va., July 25, 2016 /PRNewswire/—DEFCON CYBER™ offers a proactive cybersecurity solution cloud service that prioritizes incidents, automates the response workflow process, and measures activity responses across operations to produce a cybersecurity risk posture score.
DEFCON CYBER™ operationalizes the National Institute of Standards and Technology (NIST) Cybersecurity Framework to be the business risk driver for incident prioritization and mitigation.
DEFCON CYBER™ enables an organization and its supply chain to significantly reduce priority incident response times and measure the cybersecurity risk posture through the successful execution of their respective cybersecurity risk management strategies.
DEFCON CYBER™ is offered as a hosted cloud service, on-premise cloud service (VMWare and Hyper-V), or an application plug-in to an existing Microsoft SharePoint enterprise platform. 
Rofori Corporation today announced its partnership with FireEye, as a member of the FireEye® Cyber Security Coalition—an ecosystem designed to simplify customers' complex security environments via the intelligence-led FireEye Global Threat Management Platform.
Joint customers will benefit from enhanced threat detection and faster, more efficient correlation and response.
Rofori Corporation has applied its patented collaboration technology to the application of cybersecurity best practice outcomes to precisely manage the incident prioritization, automated initialization and tracking the response activity, and closing mitigated incidents.
DEFCON CYBER™ continuously measures the activities across asset management, threat intelligence, and operations to calculate the organization's cybersecurity posture.
DEFCON CYBER™ makes full use of the output of FireEye's iSIGHT Intelligence to provide instant correlation between actionable threat intelligence and indicators. "In today's environment, resources are limited to analyze and correlate vast amounts of information," said Chuck O'Dell, Rofori Corporation CEO. "The combination of DEFCON CYBER™ and FireEye's iSIGHT Intelligence enables automated and continuous correlation of threat intelligence data to priority incidents."
Link: http://www.marketwatch.com/story/defcon-cybertm-joins-fireeye-cyber-security-coalition-2016-07-25



Digital Forensics – A Presentation In The Courts 
In an exclusive interview with EITN at RSA Conference 2016 in Singapore, digital forensics expert Stephen McCombie lists the three biggest challenges in digital forensics as follows: 
1) Sheer amount of data
2) High complexity of data
3) Legalizing digital evidence
The biggest myth of digital forensics is that it is a technical process.
The reality is that it is more about the PRESENTATION of digital evidence to the courts.
If the digital evidence is not admissible, usable and ‘case law tested’, then what is forensics even for?
Link: http://www.enterpriseitnews.com.my/digital-forensics-a-presentation-in-the-courts/



California sets cybersecurity example for states to follow 
Once again, California has positioned itself as a leader in the effort to make U.S. business more cyber-secure.
California’s Attorney General Kamala Harris recently released the California Data Breach Report, which discusses the types of breaches that companies face in California and the frequency of those breaches.
Due to the personal privacy implications of a breach for any company’s customers, AG Harris argues in the report that state governments need to do much more to ensure that companies are providing reasonable security.
The report proposes that, in order to better protect company data and customers’ privacy, businesses operating both in California and across the country adopt the Center for Internet Security’s list of 20 controls for effective cybersecurity defense, the CIS 20. 
CSC 4: Continuous vulnerability assessment
It is critical for companies to regularly adapt to evolving threats and to continuously test their systems for cybersecurity weaknesses. 
CSC 6: Maintenance, monitoring, and analysis of audit logs
Similar to vulnerability assessment, analyzing audit logs to better understand the potential threats to a network is a full-time commitment. 
CSC 13: Data protection
CSC 13 recommends password protections and data encryption, popular ways to protect data in the cloud that your business may already utilize.
Most importantly, these protection mechanisms should include automated tools to periodically check if data is presented in clear text. 
CSC 19: Incident response and management  
Honest incident response and management is critical.
Without these, customers’ data is not truly safe, and CSC 19 offers a system for businesses to identify breaches, control the damage and move forward after the fact. 
For smaller businesses that lack the internal capacity to create a breach communication chain, partnering with an outside incident response team could be a huge benefit.
Having additional eyes to watch over the network could make the difference between responding to a breach right away and minimizing damage and letting an attack go unnoticed, burying your business with the high costs of taking care of the incident later.
Link: http://thehill.com/blogs/congress-blog/technology/289099-california-sets-cybersecurity-example-for-states-to-follow
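CSC 13 above calls for automated tools that periodically check whether stored data is sitting in clear text. The following is an added example of such a check, written for this digest; it is not code from the CIS controls or from the Attorney General's report. It uses byte entropy to separate encrypted or compressed objects from readable ones, then looks for card-like digit runs in the readable ones and applies the Luhn checksum to drop random digit runs. The object names, the sample contents and the 7.5 bits/byte threshold are all assumptions made for the demonstration.

```python
"""Periodic cleartext check over stored objects (added example; constructed data)."""
import math
import random
import re
from collections import Counter

# Card-like digit runs: 13-19 digits with optional space or dash separators.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Bits per byte at or above which an object is treated as ciphertext/compressed.
# Assumed threshold: English text sits near 4.5, random bytes near 8.0.
CIPHERTEXT_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the byte-value distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(name: str, data: bytes) -> dict:
    """Classify one object: encrypted-or-compressed, cleartext, or cleartext-sensitive."""
    entropy = round(shannon_entropy(data), 2)
    finding = {"name": name, "entropy": entropy, "hits": []}
    if entropy >= CIPHERTEXT_ENTROPY:
        finding["verdict"] = "encrypted-or-compressed"
        return finding
    for m in CARD_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits) and digits not in finding["hits"]:
            finding["hits"].append(digits)
    finding["verdict"] = "cleartext-sensitive" if finding["hits"] else "cleartext"
    return finding


def scan(objects: dict) -> list:
    """Run the check over a mapping of object name -> bytes (e.g. a bucket listing)."""
    return [classify(name, data) for name, data in objects.items()]


# Constructed sample objects: a readable export, a deterministic random blob
# standing in for an encrypted copy, and a readable file whose digit run fails Luhn.
_rng = random.Random(7)
SAMPLES = {
    "orders.txt": b"customer: Ada Example\ncard: 4111 1111 1111 1111\nexp: 09/27\n" * 20,
    "orders.enc": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "notes.txt": b"shipment ref 1234 5678 9012 3456 awaiting pickup\n" * 20,
}

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Treat the output as triage rather than proof: compressed archives and encrypted files with large plaintext headers can land on either side of the entropy threshold, and the pattern list here covers only one data type. In practice the scan runs on a schedule against the object store and feeds its findings into the same log pipeline that CSC 6 asks you to monitor.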



Joint Task Force: Forensics and Anti-Forensics 
Looking at the field of digital forensics, we can go back to this old CSO article, entitled The Rise Of Antiforensics.
The article details information security professionals who have written software that “fools” (the author’s word) industry-standard computer/digital forensics tools, and the article’s early tone seems to show a bias against antiforensics and its tools as harmful to business and law enforcement.
The article itself comes around to a more nuanced view towards these tools; however, I want to explore a different nuance here: antiforensics has, in itself, an intrinsic value to a business organization’s information security program, just as forensics does. 
Incorporating digital forensics into your operations is, from a reasoning standpoint, fairly simple: in the event something happens, you want to be able to identify a root cause.
Just as senior managers would want to know why a marketing campaign was failing, investing in digital forensic capabilities for your disaster recovery or incident response staff not only identifies root causes properly but can be built into processes going forward to keep the same incident from recurring.
Some of this can be as simple as change management rules and system event logging and monitoring, while more specific software, tools or personnel can be brought in to augment the team in the event of an incident that requires it. 
There are two areas we should look at when we consider the term antiforensics: preservation and destruction. 
On one hand, we have preservation of data used for root cause analysis, and on the other, we have methods to destroy data.
At first glance the two seem opposed, with room for only one of them in organizational security policies.
Indeed, one might argue that according to the CIA triad model of information security (weighing the trade-offs to ensure the Confidentiality, Integrity and Availability of data), only the preservation of data through encryption to mitigate forensic threats fits the model, leaving data destruction out of the model entirely. 
The CIA model runs on the premise that information needs to be accessible, though.
Some business cases require the opposite: information that must remain confidential with a near-zero chance of being accessible or recoverable from a piece of media.
Equipping your operations staff with the right tools and training is essential for making sure your organization is prepared for an event where data needs to be secured for retrieval later or destroyed beyond any recognition.
While information security professionals are entrusted to safeguard information, it’s equally important to have options to be able to act quickly in the event either solution is needed.
Link: https://dasseclabs.wordpress.com/2016/07/25/joint-task-force-forensics-and-anti-forensics/
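The post contrasts two postures the operations staff must be ready for: preserving data so that a root cause can be established later, and destroying data beyond recovery. The following is an added example written for this digest, not code from the linked post; it shows the minimal tooling for each side. Preservation is a SHA-256 manifest of the evidence files, which makes any later change to an image detectable; destruction is an overwrite-then-unlink routine, with the caveat practitioners need to know about. The sample image, its name and the tampering step are constructed for the demonstration.

```python
"""Evidence preservation (hash manifest) and best-effort destruction (added example)."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash and overwrite in 1 MiB pieces so large images stream


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths) -> dict:
    """Record hash and size per file; keep this with the chain-of-custody record."""
    return {os.path.basename(p): {"sha256": sha256_file(p), "size": os.path.getsize(p)}
            for p in paths}


def verify_manifest(manifest: dict, paths) -> list:
    """Return the names whose current size or hash no longer matches the manifest."""
    bad = []
    for p in paths:
        name = os.path.basename(p)
        rec = manifest.get(name)
        if (rec is None or rec["size"] != os.path.getsize(p)
                or rec["sha256"] != sha256_file(p)):
            bad.append(name)
    return bad


def shred_file(path: str, passes: int = 3) -> bool:
    """Overwrite with random bytes, sync, then unlink.

    Best effort only: SSD wear levelling, journaling and copy-on-write filesystems,
    snapshots and backups can all keep a copy this overwrite never touches. Where
    the requirement is 'unrecoverable', rely on full-disk encryption with key
    destruction, or physical destruction of the media, rather than this routine.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    os.remove(path)
    return not os.path.exists(path)


def demo() -> dict:
    """Preserve, detect tampering, then destroy, inside a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")           # constructed stand-in for an image
        with open(img, "wb") as f:
            f.write(b"constructed evidence image\x00" * 1000)
        manifest = build_manifest([img])
        before = verify_manifest(manifest, [img])    # [] : untouched
        with open(img, "r+b") as f:                  # simulated tampering: one byte
            f.seek(10)
            f.write(b"X")
        after = verify_manifest(manifest, [img])     # ["disk.img"] : changed
        destroyed = shred_file(img)
        return {"before": before, "after": after, "destroyed": destroyed}


if __name__ == "__main__":
    print(demo())
```

The manifest belongs on separate, write-once media together with the custody form, since a manifest stored next to the image it protects can be rewritten by the same person who alters the image.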



Digital response teams need full access to data to prevent threats
In order to handle digital threats, experts are saying that governments or companies must be able to establish their respective incident response teams with clear frameworks, as well as the ability to have access to absolutely every kind of data in a system. 
As Indonesia, a country where breaches are rampant, prepares to establish its own National Cybersecurity Agency (BCN) in August, observers have given recommendations about how prevention teams would be able to fully deal with particular matters. 
Clear frameworks in this case hinge on the aspects of proper governance, an outline to what threats are present and have occurred before and the technical methods of solving them.
Observers note that such coordinated guidelines can make a difference in the way companies and governments train their response teams and yield more effective results. 
“Incident response teams need hunters, pure and simple.
They can be centralized or even partly outsourced — it doesn’t matter.
The crucial aspect of it is to develop a clear framework on prevention so that these hunters can easily learn what the problems and solutions are.
It will be easier for these hunters to also pass what they learned down to newer ones,” he added. 
Indonesia itself currently has an internet incident response team (ID SIRTII) that had recently been integrated into the National Cybersecurity Agency. 
According to data from Microsoft Indonesia, cybersecurity attacks and breaches, especially in the banking sector, have cost the country up to Rp 33.29 billion (US$2.54 million), as Indonesia holds a 50 percent infection rate for malware viruses, the highest in Southeast Asia. 
About 22 percent of all crimes conducted in Indonesia in 2014 were cybercrimes, though the figure decreased to 18.26 percent in 2015.
Between 2012 and 2015, the police arrested 571 individuals in connection with cybercrimes, with the vast majority — 529 of them — foreign nationals operating in Indonesia.
Link: http://www.thejakartapost.com/news/2016/07/25/digital-response-teams-need-full-access-data-prevent-threats.html



Attivo Networks Launches Attack Path Vulnerability Assessments for Continuous Threat Management at Black Hat 
FREMONT, CA—(Marketwired - Jul 25, 2016) - Attivo Networks®, the award-winning leader in deception for cyber security threat detection, today announced that the Attivo ThreatMatrix™ Deception and Response Platform has been enhanced to give organizations visibility into, and assessment of, the vulnerable attack paths a cyber attacker would take to reach critical assets.
Attivo is giving organizations insight into how an attacker would target misconfigured systems or misused credentials, and then automating the response actions that isolate these systems so they cannot cause additional infection, exfiltrate data or harm critical infrastructure.
Additionally, the company announced that its next generation software has enhanced its deception technology to misdirect and detect attackers seeking to begin their attack by targeting Microsoft Active Directory, which is a favored target for attackers seeking credentials for attack escalation.
The new release will also include an expansion of the ThreatMatrix Platform to support routed networks, for micro-segmented datacenters and enterprises networked across multiple locations and branch offices. 
The ThreatMatrix Deception and Response Platform provides real-time threat detection and attack forensic analysis for accelerated incident response and remediation.
The platform is designed to provide early detection of cyberattacks from all threat vectors including zero-day, stolen credential, ransomware and phishing attacks that are renowned for bypassing traditional prevention systems.
The platform is aligned to Gartner's Adaptive Security Architecture of Predict, Block/Prevent, Detect and Respond (Gartner, February 2016)* and is designed for early Detection of threats, accelerated incident Response and strengthening of Prevention systems based on attack information gathered while deceiving and engaging attackers.
The company's announcement expands the ThreatMatrix Platform into the pillar of Prediction and enhances its Detection capabilities. 
ThreatPath™: Provides an attack path vulnerability assessment based on likely attack paths that an attacker would have traversed through misconfigured systems or credential misuse. 
Active Directory Deception and Detection: Organizations running the Microsoft Windows Server platform are susceptible to attacks where attackers exploit and gain unauthorized access to Active Directory. 
Routed Network Support: ThreatMatrix BOTsink engagement servers can now engage with deceptive IP addresses and networks on routers over Layer 3 GRE tunnels, which is ideal for micro-segmented datacenters, enterprises networked across multiple locations and branch offices.
Link: http://www.marketwired.com/press-release/attivo-networks-launches-attack-path-vulnerability-assessments-continuous-threat-management-2144878.htm



EVVO launches automated Security Operations Centre in Singapore
EVVO Cybersecurity, a Singapore cybersecurity vendor and cloud solutions provider, has launched a Security Operations Centre (SOC) to extend cybersecurity services to SMEs.
The SOC is also the first in Singapore to leverage automation software. 
The new SOC will leverage automation software for level one tasks for security analysts such as assigning automated, playbook-based workflows to incidents for immediate and scalable response.
This will also enable EVVO Cybersecurity to increase productivity and accuracy enabling them to track and improve processes over time. 
The SOC will function as EVVO Cybersecurity’s threat defence and mitigation facility, catering to SMEs, empowering them to go beyond the traditional SOC functions of merely monitoring perimeter security. 
By integrating EVVO360, a cybersecurity analytics platform, and a suite of cybersecurity intelligence solutions, EVVO Cybersecurity aims to provide customers with a 360-degree view of all the endpoints and network traffic across the organisation.
This will greatly enhance the ability of organisations to detect, respond to and recover from incidents of compromise.
Link: http://www.networksasia.net/article/evvo-launches-automated-security-operations-centre-singapore.1469497028



Former Splunk Security Executive Fred Wilmot Joins PacketSled as Chief Technology Officer
SAN DIEGO, July 26, 2016 /PRNewswire/—PacketSled, Inc., the company that democratizes security investigations and response by providing its customers with automated network visibility, detection, incident response and forensics in the cloud, announced today that Fred Wilmot will be joining the company as its Chief Technology Officer, effective immediately.
In this role, he will be responsible for all aspects of the company's technology strategy, including software engineering, security research and development, and cloud operations. 
Fred brings more than 20 years of cybersecurity expertise to PacketSled.
Most recently, he served as Vice President, Solutions Engineering at Context Relevant, where he implemented a real-time transaction fraud platform for financial markets, weaponizing security use cases with data science automation and machine learning. 
During his tenure at Splunk, Fred was responsible for the company's ascension to a market leader in the security industry, placing the company in the Gartner SIEM magic quadrant.
As the founder and director of the global security practice, Fred prototyped innovation in the field, and built platform applications that were utilized in responding to some of the most major breaches in Internet history.
Fred and his team were responsible for architecting and delivering the first version of Splunk's enterprise security product.
Link: http://www.prnewswire.com/news-releases/former-splunk-security-executive-fred-wilmot-joins-packetsled-as-chief-technology-officer-300304209.html



Spy Game: The Emerging Cybersecurity Realm of Threat Intelligence 
While Watson might be the most famous cyberpersonality to take on the challenge of defending networks against attacks, it isn’t the first.
This is the latest development in the emerging field of cyberthreat intelligence (CTI), a discipline dedicated to applying military-style intelligence techniques to the collection, analysis and use of information about cybersecurity threats. 
CTI providers do the heavy lifting of cybersecurity analysis that most enterprises simply don’t have the resources to undertake.
They typically combine information from many different categories of sources to generate products that help their clients better understand and react to the evolving cybersecurity threat landscape.
Some of these sources include: 
- Gathering threat information from deployed security tools. 
- Deploying their own sensors. 
- Gathering intelligence from public sources. 
- Recruiting spies. 
After CTI providers gather information from all of these sources, they feed it to a team of analysts who have the job of transforming it into actionable intelligence.
One of the most common products offered by CTI vendors is a real-time feed of known malicious hosts on the Internet.
Link: http://www.gocertify.com/articles/spy-game-the-emerging-cybersecurity-realm-of-threat-intelligence
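The article ends on the most common CTI product, a feed of known malicious hosts, but a feed only pays off once it is matched against your own telemetry. The following is an added example written for this digest, not code from the article or from any vendor's feed, showing the core of that correlation: parse a small feed of domain, IP and CIDR indicators, then run proxy, DNS and firewall lines through it. Domain indicators are matched on label boundaries so that `cdn.evil.example` hits `evil.example` while `notevil.example` does not, and a confidence floor lets you suppress low-confidence indicators. The feed format, the log lines, the field names and the confidence scale are all constructed for the demonstration.

```python
"""Correlate a malicious-host feed against key=value log lines (added example)."""
import ipaddress
import re

# Constructed feed: indicator,type,confidence (real feeds have their own schema).
FEED = """\
# indicator,type,confidence
evil.example,domain,90
198.51.100.0/24,cidr,70
203.0.113.7,ip,95
"""

# Constructed proxy / DNS / firewall lines; addresses are documentation ranges.
LOGS = [
    "2016-07-25T10:01:02Z proxy src=10.0.0.5 dst=cdn.evil.example:443 action=allow",
    "2016-07-25T10:01:05Z dns src=10.0.0.9 q=update.good.example a=93.184.216.34",
    "2016-07-25T10:02:11Z fw src=10.0.0.7 dst=198.51.100.23:4444 action=allow",
    "2016-07-25T10:03:00Z dns src=10.0.0.5 q=notevil.example a=203.0.113.7",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
HOST_RE = re.compile(r"[A-Za-z0-9.-]+")
PORT_RE = re.compile(r":\d+$")


def parse_feed(text: str) -> dict:
    """Index indicators by type; domains lower-cased and without a trailing dot."""
    ind = {"domain": {}, "ip": {}, "cidr": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value, kind, conf = (p.strip() for p in line.split(","))
        conf = int(conf)
        if kind == "domain":
            ind["domain"][value.lower().rstrip(".")] = conf
        elif kind == "ip":
            ind["ip"][str(ipaddress.ip_address(value))] = conf
        elif kind == "cidr":
            ind["cidr"].append((ipaddress.ip_network(value, strict=False), conf))
    return ind


def match_host(host: str, ind: dict):
    """Suffix match on label boundaries; returns (indicator, confidence) or None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in ind["domain"]:
            return cand, ind["domain"][cand]
    return None


def match_ip(value: str, ind: dict):
    """Exact IP match first, then CIDR containment; None if not an IP or no hit."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    if str(addr) in ind["ip"]:
        return str(addr), ind["ip"][str(addr)]
    for net, conf in ind["cidr"]:
        if addr in net:
            return str(net), conf
    return None


def correlate(lines, ind: dict, min_confidence: int = 0) -> list:
    """Return one hit per matching field: line index, field, value, indicator, confidence."""
    hits = []
    for n, line in enumerate(lines):
        for field, raw in KV_RE.findall(line):
            value = PORT_RE.sub("", raw)          # drop a trailing :port
            m = match_ip(value, ind)
            if m is None and "." in value and HOST_RE.fullmatch(value):
                m = match_host(value, ind)
            if m and m[1] >= min_confidence:
                hits.append({"line": n, "field": field, "value": value,
                             "indicator": m[0], "confidence": m[1]})
    return hits


if __name__ == "__main__":
    for hit in correlate(LOGS, parse_feed(FEED)):
        print(hit)
```

Two things a production version adds: indicator ageing, since a host that was malicious six months ago is now mostly a source of false positives, and a whitelist of your own infrastructure, because feeds occasionally carry shared hosting or CDN addresses that match legitimate traffic.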



AlienVault Unveils Latest Edition of Open Threat Exchange 
-  Launched in 2012, Open Threat Exchange (OTX) has grown to more than 47,000 users who contribute approximately 4 million artifacts each day to the OTX community.
-  With the latest version, OTX members can now create private communities and discussion groups, where they can share content and selected pulses with members.
-  OTX data works hand-in-hand with security platforms, such as AlienVault Unified Security Management, to ensure users have the latest intelligence to identify threats. 
With this release, OTX members can now create private communities and discussion groups, where they can share threat information with only members of the group.
This capability enables more targeted, in-depth discussion and threat information distribution related to specific industries, particular regions and types of threats.
This new feature supports the mission of Information Sharing and Analysis Centers (ISACs) pursuant to Presidential Decision Directive-63 (PDD-63) by providing a platform for information sharing and risk mitigation for specific groups and teams.
In addition, managed service providers can use this feature to distribute threat data to their subscribers. 
OTX data works hand-in-hand with security platforms, such as AlienVault USM, to ensure users have the latest intelligence to identify, respond to and mitigate threats.
As part of AlienVault's commitment to continually innovating and enabling even the smallest IT departments to detect and respond to threats more effectively, a new version of USM, with enhanced capabilities like USB detection, will also be available in early August.
Link: http://finance.yahoo.com/news/alienvault-unveils-latest-edition-open-130000037.html



ThreatQuotient Recognized on CRN’s 2016 Emerging Vendors List 
RESTON, Va.—(BUSINESS WIRE)—ThreatQuotient™, a leading provider of enterprise-class threat intelligence platforms, announced today that CRN®, a brand of The Channel Company, has named ThreatQuotient to its 2016 list of Emerging Vendors.
This annual list recognizes recently founded, up-and-coming technology suppliers who are shaping the future of the IT channel through unique technological innovations.
In addition to celebrating these standout companies, the Emerging Vendors list also serves as a valuable resource for solution providers looking to expand their portfolios with cutting-edge technology.
Link: http://www.businesswire.com/news/home/20160726005486/en/ThreatQuotient-Recognized-CRN%E2%80%99s-2016-Emerging-Vendors-List