Cyber Security Institute

Sunday, October 27, 2019

Incident Response Newsalert - 27-Oct-2019

  • OWASP Top 10 Vulnerabilities List — You’re Probably Using It Wrong 
  • CPDoS attack can poison CDNs to deliver error pages instead of legitimate sites 
  • 4 steps to RPA success 
  • JSON tools you don’t want to miss 
  • Slack rolls out new Salesforce integrations, launches Workflow Builder 
  • Windows 10 security: Microsoft reveals ‘Secured-core’ to block firmware attacks 
  • ACSC warns of Windows malware Emotet spreading in Australia
  • Microsoft Office Bug Remains Top Malware Delivery Vector 
  • Cisco Networking Trends Report: ‘Intent-Based Networking Is Coming’ 
  • Nasty PHP7 remote code execution bug exploited in the wild 
  • Huawei: Banned and Permitted In Which Countries? List and FAQ 
  • Heed 5 security operations center best practices before outsourcing 
  • SOC Operations: 6 Vital Lessons & Pitfalls 
  • The Global Security Orchestration Automation and Response (SOAR) Market size is expected to reach $2.3 billion by 2025, rising at a market growth of 16.3% CAGR during the forecast period 
  • Secureworks Welcomes Steve Hardy as Chief Marketing Officer 
  • The Secret To 5G Security? Turn The Network Into A Sensor 
  • inSOC Unveils Start-Up SOC Service for MSPs 
  • CYFIRMA Announces Its Separation From Antuit Group and Consolidates Its Intelligence Driven Product Offering 
  • Delta Risk’s New ActiveEye 2.0 Reduces 95 Percent of False Positives to Find and Resolve Cyber Threats Faster 
  • Managing Non-Security Incidents with Security Tools and Policies 
  • ALTR Hires Cylance Veteran Brian Stoner for Data Security Partner Push 
  • Beachhead Solutions Adds Encryption-as-a-Service for MSPs 
  • Trial Before the Fire: How to Test Your Incident Response Plan to Ensure Consistency and Repeatability 
  • Splunk’s Mission Control sends security operations center into new orbit 
  • Recorded Future Teams Up With ServiceNow on Integrated Security Intelligence Offering for Reducing Organizational Risk 
  • Nuspire upgrades its Managed Endpoint service that leverages SentinelOne’s endpoint technology 
  • Splunk enhances its Security Operations Suite to modernize and unify the SOC 
  • AttackIQ and The Chertoff Group help enterprise customers build and sustain security programs 
  • Kaspersky Allows Privileged Access to Curated Features of its Threat Intelligence Portal

OWASP Top 10 Vulnerabilities List — You’re Probably Using It Wrong
Gabriel Avner 
White Source 
First issued in 2004 by the Open Web Application Security Project, the now-famous OWASP Top 10 Vulnerabilities list (included at the bottom of the article) is probably the closest that the development community has ever come to a set of commandments on how to keep their products secure.
Unfortunately, as the OWASP Top 10 Vulnerabilities list has reached a wider audience, its real intentions as a guide have been misinterpreted, hurting developers instead of helping.
So how should we understand the purpose of this list and actually encourage developers to code more securely?   
In a recent interview, OWASP’s chairman Martin Knobloch voiced his disappointment at the list being used as a sort of checklist for a final run through before a release, serving more as a validation mechanism than a guide.
The OWASP Top 10 is not set up to resolve every attack in the book, but to help teams avoid the common mistakes which are far more likely to get their applications breached.
A determined attacker can find many avenues to breach their target.
However, the smart risk management advisories do not focus on the minority of cases but instead seek to address the issues facing the widest audience.
Security teams that do not engage with their developers, making the effort to understand how they can empower them to have security be an inherent element of their workflow, will quickly find themselves sidelined.
If you want to stay relevant, become an enabler, and use the OWASP Top 10 list as a way to start conversations, not to threaten.
In the end, you might find that you catch more (O)WASPS with honey than vinegar.
Link: CPDoS attack can poison CDNs to deliver error pages instead of legitimate sites
Catalin Cimpanu 
ZD Net 
Two academics from the Technical University of Cologne (TH Koln) have disclosed this week a new type of web attack that can poison content delivery networks (CDNs) into caching and then serving error pages instead of legitimate websites.
The new attack has been named CPDoS (Cache-Poisoned Denial-of-Service), has three variants, and has been deemed practical in the real world (unlike most other web cache attacks).
According to the research team, three variants of the CPDoS attack exist, depending on how attackers decide to structure the malformed header.
The names are self-explanatory: the variants use oversized header fields, meta characters that trigger errors, or instructions that override normal server responses.
Mitigations against CPDoS attacks, fortunately, exist.
The simplest solution is that website owners configure their CDN service to not cache HTTP error pages by default.
Link: 4 steps to RPA success
Beth Stackpole 
Insider Pro 
Amidst the hype and promise of artificial intelligence (AI) and machine learning (ML), their less-familiar counterpart, RPA, is starting to gain traction, especially among banks, insurance companies, telecommunications firms and utilities.
The technology employs AI and ML to handle rules-driven, high-volume and repeatable business tasks such as queries, calculations and copying and pasting data across systems without any coding requirement.
According to Gartner, RPA software revenue spiked 63.1 percent in 2018 to $846 million with projections calling for $1.3 billion in sales this year.
By the end of 2022, Gartner expects 85 percent of large and very large organizations will have deployed some form of RPA, fueling a $2.4 billion market.
While initial RPA use cases are aimed at automating back-office functions such as reconciliations and accounts receivable and payables, experts in the field say it’s only a matter of time before RPA is deployed to automate middle office and front-office activities, including customer call centers where there is a lot of behind-the-scenes manual work to share data between multiple systems.
As companies move beyond limited RPA pilots to full-blown implementations, there are four practices to keep in mind to ensure things stay on track:
1) Don’t rush to automate
2) Governance is key, but don’t let it grind things to a halt
3) Align business and IT
4) Embrace change management

Link: JSON tools you don’t want to miss
Paul Krill 
InfoWorld, from IDG 

  • JSONLint
  • JSONCompare
  • jtc  
  • ijson
  • JSON Formatter and Validator
  • Altova XMLSpy JSON and XML Editor
  • Code Beautify JSON Tools
  • Visual Studio Code
  • Eclipse JSON Editor Plugin

Link: Slack rolls out new Salesforce integrations, launches Workflow Builder
Matthew Finnegan 
Slack has added new integrations with Salesforce’s customer relationship management (CRM) and customer service apps, part of its ongoing push to bolster connections with other “best of breed” cloud apps.
Slack now lets users search and preview Salesforce Sales Cloud and Service Cloud records such as accounts and opportunities in-app by using a slash command to pull up details.
Other features include the ability to send Salesforce records relating to an account or case directly to an individual Slack user or a channel, such as #customer-support, for instance.
In addition, sales and service reps using Salesforce will be able to see Slack conversations related to a Salesforce record.
Also this week, Slack announced that its Workflow Builder tool is now generally available.
The feature lets all users automate routine processes; they can, for instance, create messages sent to new members of a channel, set up their own automations or select a pre-built template from Slack.
Link: Windows 10 security: Microsoft reveals ‘Secured-core’ to block firmware attacks
Liam Tung 
ZD Net 
The new layer of security is for high-end PCs and the first Windows 10 ‘Secured-core’ PC is the Arm-powered Surface Pro X.
At its heart, the new firmware protection comes from a Windows Defender feature called System Guard.
That feature is intended to protect Windows 10 PCs from new attacks used by the likes of state-sponsored hacking group APT28 or Fancy Bear, which was caught late last year using a novel Unified Extensible Firmware Interface (UEFI) rootkit to target Windows PCs.   
“It’s pretty similar to what other manufacturers might be doing with a specific security chip, but we are doing this across all different manners of CPU architectures and OEMs, so we can bring this to a much broader audience, and they can select the form factor or product that matches them but with the same security guarantees as if Microsoft created it.” 
Microsoft already has Secure Boot.
However, that feature assumes the firmware is trusted to verify bootloaders, meaning attackers can exploit trusted firmware.
APT28’s rootkit was not properly signed, which meant Windows PCs with Windows Secure Boot enabled were not vulnerable because the system only permits signed firmware to load.
Matt Shipman 
A new open-source tool called VisibleV8 allows users to track and record the behavior of JavaScript programs without alerting the websites that run those programs.
The tool runs in the Chrome browser and is designed to detect malicious programs that are capable of evading existing malware detection systems.
VisibleV8 saves all of the data on how a site is using JavaScript, creating a “behavior profile” for the site.
Researchers can then use that profile, and all of the supporting data, to identify both malicious websites and the various ways that JavaScript can compromise web browsers and user information.
You can download VisibleV8 from Kapravelos’ site.
Link: ACSC warns of Windows malware Emotet spreading in Australia
Sam Varghese 
IT Wire 
An infection of Windows systems by the Emotet malware was the precursor to the recent ransomware attack on Victorian hospitals, the Australian Cyber Security Centre says, as part of a warning that Emotet, which has been around since 2014, is being spread in Australia by malicious emails.
The ACSC named the ransomware as being Ryuk.
According to the Israeli firm Check Point, Ryuk is used only for tailored attacks.
In a statement, the ACSC said it had received numerous reports of confirmed Emotet infections from different industries, including critical infrastructure providers and government agencies.
The ACSC has asked anyone who requires assistance to contact it by email.
Link: Microsoft Office Bug Remains Top Malware Delivery Vector
Kelly Sheridan 
Dark Reading 
CVE-2017-11882 has been attackers’ favorite malware delivery mechanism throughout the second and third quarters of 2019.

The third quarter of 2019 brought the rise of keylogger Agent Tesla, the decline of phishing-delivered ransomware-as-a-service (RaaS), and attackers’ continued preference for exploiting the CVE-2017-11882 Microsoft Office vulnerability to deliver phishing campaigns.
Throughout the second and third quarters, researchers saw little change in the significant delivery mechanisms used to spread malware.
The most common method, as seen in more than 600 incidents, is Microsoft Office vulnerability CVE-2017-11882, which remains a “prolific technique” for attackers to spread malware through phishing attacks, researchers report.
Following CVE-2017-11882, the other two most common delivery mechanisms were Office macros and Windows Script Component (WSC) downloaders.
Attackers’ consistent use of the same delivery mechanisms could change as the holidays approach and Emotet reemerges, driving innovation among cybercriminals who may start using new variants and tactics.
Another notable trend in the third quarter was the drop in RaaS, which has decreased as attackers swap large-scale campaigns for narrowly focused ones.
GandCrab was taken offline; Sodinokibi, the ransomware that shares some of its code base, has seen a low rate of dissemination.
Targeted attacks let cybercriminals keep a lower profile and benefit from a higher return ratio.
Link: Cisco Networking Trends Report: ‘Intent-Based Networking Is Coming’
Sydney Sawaya 
SDxCentral 
Winter is coming, and according to Cisco’s 2020 Global Networking Trends Report, so is intent-based networking (IBN).
Cisco conducted a web-based survey of 505 IT leaders and 1,566 network strategists across 13 countries about the current state of their networks, their network aspirations over the next two years, and their network operational and talent readiness. 
The survey found maximizing business value to be IT’s No. 1 priority with 40% of respondents naming it their top concern.
But seeing the top of the mountain is one thing, and getting up there is another.
In order to maximize business value, IT teams will require greater insight into data along with the right tools.
Still, Cisco’s findings suggest IBN will be the next “IT girl” of networking in the coming years — essentially the second phase of SDN.
Some 41% of those surveyed claim to have at least one instance of SDN in at least one of their network domains.
SDN has given network operators a way to design, build, and operate their networks through a centralized view. 
However, only 28% of respondents indicated having reached SDN or IBN on Cisco’s Digital Network Readiness Model, yet 78% expect their networks to move beyond SDN or IBN within the next two years.
Likewise, only 4% indicated that their currently deployed networks are intent-based, and 35% plan to be within two years.
Link: Nasty PHP7 remote code execution bug exploited in the wild
Catalin Cimpanu 
ZD Net 
Exploiting the bug is trivial, and public proof-of-concept exploit code has been published on GitHub earlier this week.
“The PoC script included in the GitHub repository can query a target web server to identify whether or not it is vulnerable by sending specially crafted requests,” says Satnam Narang, Senior Security Response Manager at Tenable. “Once a vulnerable target has been identified, attackers can send specially crafted requests by appending ‘?a=’ in the URL to a vulnerable web server.”
Fortunately, not all PHP-capable web servers are impacted.
Only NGINX servers with PHP-FPM enabled are vulnerable.
PHP-FPM, or FastCGI Process Manager, is an alternative PHP FastCGI implementation with some additional features.
This blog post from Wallarm, the company that found the PHP7 RCE, includes instructions on how webmasters can use the standard mod_security firewall utility to block %0a (newline) bytes in website URLs, and prevent any incoming attacks.
Due to the availability of public PoC code and the simplicity of exploiting this bug, website owners are advised to check server settings and update PHP as soon as possible if they run the vulnerable configuration.
Link: Huawei: Banned and Permitted In Which Countries? List and FAQ
Joe Panettieri 
Here’s an FAQ explaining the Huawei controversy, along with a list of countries, organizations and technology companies, and their current business status with the China-based technology giant.
Link: Heed 5 security operations center best practices before outsourcing
Johna Till Johnson 
Tech Target - Security 
Research showed highly successful cybersecurity organizations, as measured by mean total time to contain, are 52% more likely to have deployed a SOC than their less successful peers.
In fact, merely deploying a SOC can improve an organization’s mean time to contain a breach by almost half.
But, as always, the devil is in the details in terms of assessing security operations center best practices: Should cybersecurity pros outsource the SOC function or develop one in-house?
And, if they outsource, what should the selection criteria be?
First is the operational model: Is the SOC provider primarily focused on event notification, or does it work in a team extension mode and proactively take steps to respond to events?  
Second is the SOC run book itself.
Regardless of who executes it—the internal team or the SOC provider—how is the run book developed?
Does the SOC provider have a standardized run book that can be customized to each client, or should the client plan to develop it?  
The third step to ensure security operations center best practices is to examine the portfolio of services the SOC provider offers.  
Fourth is the set of tools and technologies the SOC provider relies on.  
Finally, as counterintuitive as it sounds, there’s the question of how the relationship will be terminated.
Link: SOC Operations: 6 Vital Lessons & Pitfalls
Todd Thiemann 
Dark Reading 
Lesson #1: Locate and Retain High-Quality SOC Talent
Lesson #2: Improve Your SOC Incrementally
Lesson #3: Coordinate SOC and Network Operations
Lesson #4: Realistic Goals
Lesson #5: Staffing Delusions
Lesson #6: The “AI Cure-All” Fallacy
Link: The Global Security Orchestration Automation and Response (SOAR) Market size is expected to reach $2.3 billion by 2025, rising at a market growth of 16.3% CAGR during the forecast period
Cision PR Newswire 
NEW YORK, Oct. 21, 2019 /PRNewswire/— The Global Security Orchestration Automation and Response (SOAR) Market size is expected to reach $2.3 billion by 2025, rising at a market growth of 16.3% CAGR during the forecast period.
Market growth is influenced by factors like growing cyber-attacks, absence of staff availability, strict laws and compliance, absence of centralized views on threats, and a large amount of false alerts that contribute significantly to the SOAR ecosystem.
Market players are taking step-by-step approaches to leverage market possibilities.
Companies focus on innovative market-space competitive strategies.
For instance, in August 2019, Splunk integrated with Deloitte in order to provide automated security monitoring and response capabilities which helps in driving higher fidelity and greater consistency into security workflows and outputs for organizations.
The same month, FireEye launched FireEye® Network Security 8.3 and FireEye Endpoint Security 4.8, which are used for enhanced detection and investigation related to advanced attacks.
Similarly, Tufin collaborated with Cisco in order to launch Tufin Orchestration Suite R19-2 for helping the customers to increase the mitigation process to Cisco ACI.
Link: Secureworks Welcomes Steve Hardy as Chief Marketing Officer
Business Wire 
Yahoo - Finance 
Secureworks® (SCWX), a leading global cybersecurity company that protects organizations in a digitally connected world, announced the appointment of Steve Hardy as its new Chief Marketing Officer, effective today.
As CMO, Steve will lead Secureworks’ global marketing strategy, including product marketing, demand generation, corporate communications and field marketing.
He will report directly to Secureworks President and CEO Mike Cote and will be based at the company’s Atlanta headquarters.
Steve most recently served as Vice President, Head of Marketing at PerkinElmer, Inc. where he aligned go-to-market activities with product-focused business units to effect double-digit marketing-sourced revenue growth.
An experienced B2B leader in both global and growth technology firms, he has held marketing leadership roles at Automatic Data Processing (ADP) and at Gartner, Inc., where he led customer-focused strategies that increased awareness, drove revenue, and increased customer retention.
Link: The Secret To 5G Security? Turn The Network Into A Sensor
Enrique Vale 
With 5G, there will be more networks doing more complex things and delivering more kinds of services than we’re used to. “Slicing” will become the norm: virtualization that allows network resources to be shared with third parties, with guaranteed quality of service (QoS) and isolation.
Having end-to-end slices that terminate in private networks will increase the attack surface service providers need to protect: beyond securing the network as a whole, they will have to protect every individual slice, each with its own distinct requirements.
Another change that will require providers to fundamentally shift how they think about security is the nature of the services themselves.
Today’s network services tend not to change once they’ve been designed, and they operate more or less in isolation from each other.
They’re static and siloed.
But slice-based 5G network services will be incredibly dynamic, responding to evolving conditions in real time.
What does flexible, adaptive, end-to-end security look like in a 5G scenario — and how can service providers build it in from the start?
The first prerequisite is visibility from the device up through the network and into the cloud.  
5G security operations also need to be predictive and automated.  
While firewalls and other defenses will still be important to help stop hackers before they access the network, attacks will inevitably get through.
This is especially true in 5G because the network will not have conventional boundaries: it will be an open ecosystem in which all kinds of unmanaged third-party devices are connected.
The job of security teams in the 5G era will be to limit how and where hackers can attack networks and services.
Link: inSOC Unveils Start-Up SOC Service for MSPs
Dan Kobialka 
MSSP Alert 
inSOC unveiled Start-Up SOC at this week’s DattoCon Paris conference.
The Start-Up SOC announcement comes after the company unveiled its One Stop SOC turnkey SOC solution at the DattoCon19 conference in San Diego, California earlier this year.
Start-Up SOC allows MSPs and MSSPs to select a subset of One Stop SOC security services, according to inSOC.
In doing so, Start-Up SOC enables MSPs and MSSPs to offer specific security services to small and medium-sized businesses (SMBs) or provide security services as part of existing managed services contracts.
A growing list of technology companies, distributors and service providers offer SOCaaS-type solutions to MSPs and MSSPs.
Here’s a list of SOCaaS options for MSPs and MSSPs.
Link: CYFIRMA Announces Its Separation From Antuit Group and Consolidates Its Intelligence Driven Product Offering
Business Wire 
SINGAPORE & TOKYO—(BUSINESS WIRE)—CYFIRMA, a predictive cyber threat visibility and intelligence analytics platform company, backed by Goldman Sachs Merchant Banking Division and Zodius Capital, announces its separation from Antuit Group and receives additional funding towards its growth aspirations.
CYFIRMA helps organisations to keep their cybersecurity posture up-to-date, resilient, and ready against upcoming attacks, through the use of proprietary AI/ML deep technology.
Link: Delta Risk’s New ActiveEye 2.0 Reduces 95 Percent of False Positives to Find and Resolve Cyber Threats Faster
Business Wire 
Yahoo - Finance 
Delta Risk, a leading provider of SOC-as-a-Service and security services, announced the release today of version 2.0 of its cloud-native Security Orchestration and Automation (SOAR) platform, ActiveEye.
With a focus on advanced security automation, the ActiveEye 2.0 platform eliminates more than 95 percent of false positives from thousands of daily security alerts generated by next-generation endpoint detection and response solutions, security information and event management (SIEM) devices and software, cloud applications, and cloud infrastructure.
New ActiveEye 2.0 features include:

Link: Managing Non-Security Incidents with Security Tools and Policies
Matt Petrosky 
Info Security Magazine 
Not every security incident is a disaster, but many can easily become one.
User-friendly auto-fill features can easily send sensitive data unintentionally to the wrong recipients with just a few keystrokes.
Emails mistakenly sent to the wrong person also pose a real danger to corporate information, so it is important to manage messages at every step within the email lifecycle.
This is why comprehensive email security strategies should incorporate tools and processes capable of managing email post-delivery in addition to preventing phishing and social engineering. 
One of the most important metrics in incident response is the time it takes to contain an event.
Pre- and post-delivery message protection is key.
From automated removal to easy bulk remediation, integrated incident response capabilities can speed response times, making it easier for security analysts to perform bulk removal on “mistake” emails that have already made it to employee mailboxes.
Link: ALTR Hires Cylance Veteran Brian Stoner for Data Security Partner Push
Joe Panettieri 
MSSP Alert 
ALTR, which focuses on programmable data security and governance, has hired Cylance veteran Brian Stoner as VP of channels and alliances, MSSP Alert has confirmed.
Link: Beachhead Solutions Adds Encryption-as-a-Service for MSPs
Dan Kobialka 
MSSP Alert 
Beachhead Solutions, a company that specializes in cloud-managed PC and mobile device encryption, security and data access control, has added encryption-as-a-service capabilities to its SimplySecure management system for MSPs and MSSPs.
MSPs and MSSPs now can use SimplySecure to deliver encryption-as-a-service, according to Beachhead.
In doing so, MSPs and MSSPs can help organizations secure their data and comply with European Union (EU) General Data Protection Regulation (GDPR) requirements.

SimplySecure provides a web-based management tool that allows MSPs and MSSPs to remotely secure mobile devices, Beachhead noted.
It is delivered as a service and enables MSPs and MSSPs to add SimplySecure modules as needed.
Beachhead is also developing a SimplySecure integration module for the Datto Autotask PSA, a professional services automation (PSA) platform for MSPs.
Link: Trial Before the Fire: How to Test Your Incident Response Plan to Ensure Consistency and Repeatability
Nimmy Reichenberg 
CPO Magazine 
Fifty-nine percent of incident response (IR) professionals admit that their organizations follow a reactive approach, according to a report from Carbon Black.
Essentially, teams assume their processes work reasonably well to address the incident at hand … until they don’t.
While organizations must have IR plans in place, it’s even more important that they a) work consistently and b) are updated and improved over time.
Once you have a clear, documented plan in place, you should periodically test it through simulations to assess effectiveness and make continuous improvements.
So, how can you put your processes to the test?
Most security operations teams today use three methods:
1) Paper tests
2) Tabletop exercises
3) Simulated attacks
Simulated attacks are often still done tabletop style, but an increasing number of security orchestration tools – via playbooks for common use cases – help teams automate the response to attacks.
As an added benefit, playbooks will help you identify opportunities to apply automation to your IR processes to expedite remediation and free up your analysts to focus on higher-value tasks.
Link: Splunk’s Mission Control sends security operations center into new orbit
Mark Albertson 
Silicon Angle 
Splunk Inc.’s newly launched enhancement for the Security Operations Suite is called Mission Control.
Secure management of the entire stack has landed.  
Song spoke with John Furrier (@furrier), host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the Splunk .conf19 event in Las Vegas.
She was joined by Oliver Friedrichs (pictured, right), vice president of security automation and orchestration at Splunk, and they discussed the need for cross-platform observability and a number of security enhancements announced by the company today.
In addition to the launch of Mission Control, Splunk also rolled out a number of new enhancements for its Security Operations Suite.
These included the latest version of Enterprise Security (ES) 6.0, a User Behavior Analytics release to help security teams build machine-learning models and Splunk Phantom 4.6 for security orchestration, response and automation.
Link: Recorded Future Teams Up With ServiceNow on Integrated Security Intelligence Offering for Reducing Organizational Risk
Cision PR Newswire 
BOSTON, Oct. 22, 2019 /PRNewswire/— Recorded Future, the leading provider of security intelligence, today announced a new relationship with ServiceNow to expedite security professionals’ decision-making processes across security operations programs.
Two new integrations are designed to reduce risk, while empowering ServiceNow users by delivering contextual security intelligence for faster incident response and continuous vendor risk analysis.
The Recorded Future ServiceNow integration allows customers to bring external enrichment into the tools they currently work with today, helping to reduce incremental costs and increase the ROI of existing investments.
Users will be able to efficiently triage and prioritize alerts based on the severity of risk tied to each threat.
By incorporating real-time intelligence, organizations reduce uncertainty and can thereby reduce overall operational risk.
Link: Nuspire upgrades its Managed Endpoint service that leverages SentinelOne’s endpoint technology
Help Net Security 
Nuspire, a Managed Security Services Provider (MSSP), announced that it has upgraded its Managed Endpoint service to include Endpoint Protection that leverages SentinelOne’s endpoint security platform that actively blocks threats on a business’ endpoints.
This managed endpoint service includes unlimited research and investigation for indicators of compromise (IoC) by security engineers at Nuspire’s Security Operations Center along with full remediation support of threats identified.
In addition, this service includes flexible deployment options, where it can operate in endpoint detection and response mode (passive detection and behavior logging) or endpoint protection mode (adds active quarantine/process termination and device isolation).
Link: Splunk enhances its Security Operations Suite to modernize and unify the SOC
Help Net Security 
Anchored by the newly launched Splunk Mission Control, the Splunk Security Operations Suite makes it easier than ever for security analysts to turn data into doing by managing security across the entire threat lifecycle.
Splunk Mission Control is a new, cloud solution that connects Splunk SIEM (Splunk Enterprise Security), SOAR (Splunk Phantom) and UEBA (Splunk UBA) products into a single unified analyst experience.
Combined, these powerful innovations form the Splunk Security Operations Suite, which allows customers to act on threats and other high-priority security issues through the entire event lifecycle.
Splunk Enterprise Security (ES) 6.0: The latest version of Splunk’s flagship security offering, Splunk ES, builds upon its industry-leading SIEM platform.
Splunk User Behavior Analytics (UBA) 5.0: Splunk UBA enables SOC teams to build advanced, customized Machine Learning (ML) models for baselining and tracking deviations, based on their security environment and use cases.
Splunk Phantom 4.6: Splunk Phantom brings the power of security orchestration, automation and response (SOAR) to your mobile phone.
Phantom on Splunk Mobile allows customers to automate repetitive, manual tasks from the palm of their hand, enabling analysts to focus on mission-critical security threats that fuel security operations.
And More: Splunk also announced today several new security apps and updates to Splunk ES Content Update, which delivers pre-packaged Security Content to Splunk ES customers.
Link: AttackIQ and The Chertoff Group help enterprise customers build and sustain security programs
Help Net Security 
AttackIQ, the largest independent leader of the continuous security validation market, announced a partnership with The Chertoff Group, a leading global security risk management firm, to offer a joint solution to help organizations measure security risk, train security staff and justify security investments.
The service, called the ATT&CK Diagnostic, is designed to help enterprise customers build and sustain security programs that are strategic, risk-based and focused on proven effectiveness.
Leveraging AttackIQ’s automated testing platform, which operationalizes the MITRE ATT&CK framework, the industry’s most authoritative approach to mapping threat actors to tactics, techniques and procedures (TTPs), the ATT&CK Diagnostic measures the effectiveness of an organization’s defensive countermeasures with unparalleled transparency and precision.
The ATT&CK Diagnostic creates a risk-based threat model, maps a customer’s current defenses to TTPs in the threat model, clearly identifying what technologies and standards are addressing what TTPs, and identifying holes in coverage.
Link: Kaspersky Allows Privileged Access to Curated Features of its Threat Intelligence Portal
Business Wire 
WOBURN, Mass.—(BUSINESS WIRE)—Driven by the goal of building a safer world, Kaspersky today announces new access to its threat intelligence portal, offering its revered threat analysis to a wider audience of incident responders and Security Operations Center (SOC) analysts working in-house and at Managed Security Service Providers (MSSPs).
Kaspersky Threat Intelligence Portal is a single point of access for the company’s threat intelligence and provides all cyberattack data and insights gathered by Kaspersky, allowing enterprises to investigate and respond to threats in a timely manner.
In addition to advanced threat detection technologies, information about submitted files, URLs, IP addresses or hashes, the portal is also enriched with threat intelligence aggregated from fused, heterogeneous and highly reliable sources.
This includes information from the Kaspersky Security Network which is made up of the company’s own web crawlers, spam traps, research findings, partner information and more.
The heavily anonymized data is carefully inspected and refined using several preprocessing techniques and technologies such as statistical systems, similarity tools, sandboxing, behavioral profiling, whitelisting verification and analyst validation.


Posted on 10/27